www.infradead.org Git - users/dwmw2/openconnect.git/commitdiff
tss2-esys: Don't try password for TPM2 keys with emptyauth set
author David Woodhouse <dwmw2@infradead.org>
Tue, 11 May 2021 12:42:52 +0000 (13:42 +0100)
committer David Woodhouse <dwmw2@infradead.org>
Tue, 11 May 2021 20:35:14 +0000 (21:35 +0100)
The auth-certificate test always sets --key-password=password, and when
a TPM2 key has 'emptyauth' the IBM TSS code was trying the empty auth
first, as it should. But the Esys code was always trying the password,
and then prompting the user; the user had to just press enter.

Try empty auth first if the key says so.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
gnutls_tpm2_esys.c

index 5ae7390dd005d003f3785e875ee985f37975bc96..f462222fe9e1315e39116dec14a833d5670d700c 100644 (file)
@@ -364,7 +364,7 @@ static int auth_tpm2_key(struct openconnect_info *vpninfo, struct cert_info *cer
 {
        TSS2_RC r;
 
-       if (certinfo->tpm2->need_userauth || certinfo->password) {
+       if (certinfo->tpm2->need_userauth) {
                char *pass = NULL;
 
                if (certinfo->password) {
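Review bot: With `|| certinfo->password` dropped from the outer `if`, a supplied `certinfo->password` is ignored whenever `need_userauth` is clear, so the "try empty auth first" ordering in the commit message depends on code outside this hunk setting `need_userauth` after a failed empty-auth attempt and re-entering this block. A short comment above `if (certinfo->tpm2->need_userauth)` saying where that retry happens would make the fallback explicit. The inner `if (certinfo->password)` is now the only place in the visible lines that consumes the password, so it is also worth confirming that the password is still released on the path where this block is skipped.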