Allow parsing of permanent handles for TPM2 parents
authorDavid Woodhouse <dwmw2@infradead.org>
Wed, 10 Oct 2018 19:09:13 +0000 (12:09 -0700)
committerDavid Woodhouse <dwmw2@infradead.org>
Thu, 11 Oct 2018 01:14:17 +0000 (18:14 -0700)
These need to be returned in 5 bytes because they have the top
bit set and would otherwise be interpreted as negative.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
gnutls_tpm2.c

index 618fdd1819b4b6e76a87fac94a95dc4c9ba29800..e6ed14fb8fc6165e13fe420e1c8463a0e9f12a85 100644 (file)
@@ -207,22 +207,31 @@ int load_tpm2_key(struct openconnect_info *vpninfo, gnutls_datum_t *fdata,
            !strcmp(value_buf, "TRUE"))
                emptyauth = 1;
 
-       memset(value_buf, 0, 4);
-       value_buflen = 4;
+       memset(value_buf, 0, 5);
+       value_buflen = 5;
        err = asn1_read_value(tpmkey, "parent", value_buf, &value_buflen);
        if (err == ASN1_ELEMENT_NOT_FOUND)
                parent = 0x40000001; // RH_OWNER
        else if (err != ASN1_SUCCESS) {
+       badparent:
                vpn_progress(vpninfo, PRG_ERR,
                             _("Failed to parse TPM2 key parent: %s\n"),
                             asn1_strerror(err));
                goto out_tpmkey;
        } else {
-               int i;
+               int i = 0;
                parent = 0;
 
-               for (i = 0; i < value_buflen; i++)
-                       parent |= value_buf[value_buflen - i - 1] << (8 * i);
+               if (value_buflen == 5) {
+                       if (value_buf[0])
+                               goto badparent;
+                       /* Skip the leading zero */
+                       i++;
+               }
+               for ( ; i < value_buflen; i++) {
+                       parent <<= 8;
+                       parent |= value_buf[i];
+               }
        }
 
        if (decode_data(asn1_find_node(tpmkey, "pubkey"), &pubdata) < 0) {
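Review bot: The new accumulation loop ORs `value_buf[i]` into `parent` without a cast, so if `value_buf` is a plain `char` array (the `strcmp(value_buf, "TRUE")` earlier in the hunk suggests it is) any byte at or above 0x80 is sign-extended before the OR and sets every upper bit of `parent`, which is exactly the case this commit exists to support (a 5-byte encoding with a leading zero means the handle has its top bit set); with a 32-bit `parent` the stray bits are shifted out only if no later byte is also ≥ 0x80, so the result is wrong for some handles. The loop body should read `parent |= (unsigned char)value_buf[i];`, which also removes the implementation-defined `char` signedness from the decode. A second, smaller point is that the `goto badparent` taken for a non-zero leading byte jumps to a message that prints `asn1_strerror(err)` while `err` is still `ASN1_SUCCESS`, so the user sees a "Failed to parse ... : Success" style message; setting `err = ASN1_VALUE_NOT_VALID;` before the goto (or giving that case its own message) would make the diagnostic honest. `load_tpm2_key` begins and ends outside this hunk, so the declarations of `value_buf` and `parent` could not be checked here.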