Fix TPM2 emptyauth handling
authorDavid Woodhouse <dwmw2@infradead.org>
Thu, 4 Oct 2018 23:57:08 +0000 (00:57 +0100)
committerDavid Woodhouse <dwmw2@infradead.org>
Mon, 8 Oct 2018 19:18:20 +0000 (20:18 +0100)
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
gnutls_tpm2.c
gnutls_tpm2_esys.c

index 6669451dd1f9db6adafcad9d967ff611b83c5694..d2f2749f5280dbb6ac796450698ab1a626908466 100644 (file)
@@ -119,7 +119,7 @@ int load_tpm2_key(struct openconnect_info *vpninfo, gnutls_datum_t *fdata,
        }
 
        value_buflen = sizeof(value_buf);
-       if (!asn1_read_value(tpmkey, "emptyAuth", value_buf, &value_buflen) ||
+       if (!asn1_read_value(tpmkey, "emptyAuth", value_buf, &value_buflen) &&
            !strcmp(value_buf, "TRUE"))
                emptyauth = 1;
 
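Review bot: The corrected condition leaves `emptyauth` unset whenever `asn1_read_value` fails, which is the fail-closed direction (a missing or unreadable emptyAuth element is treated as "password required"), but nothing on the line records that, and the old `||` shows how easily the intent gets inverted. Suggest a comment above the `if`: `/* emptyAuth is taken as FALSE unless the element is present and reads "TRUE"; asn1_read_value() returns 0 on success, so a missing element falls through to password auth. */`. Two things this hunk relies on are outside it and should be confirmed: that `emptyauth` is zero-initialised earlier in the function, and that libtasn1 NUL-terminates the BOOLEAN text it writes into `value_buf`, since `strcmp` assumes a terminator. `load_tpm2_key` begins before and continues after this hunk.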
index 79da6189fe88e606b5eff95487df9e1fdea3d56c..d498936579275eb6edc72a2983aa303f273f54f6 100644 (file)
@@ -418,7 +418,7 @@ static int tpm2_ec_sign_fn(gnutls_privkey_t key, void *_vpninfo,
                      &tsig);
        if (r == 0x9a2) {
                vpn_progress(vpninfo, PRG_DEBUG,
-                            _("TPM2 Esys_RSA_Decrypt auth failed\n"));
+                            _("TPM2 Esys_Sign auth failed\n"));
                vpninfo->tpm2->need_userauth = 1;
                goto reauth;
        }
@@ -491,12 +491,6 @@ int install_tpm2_key(struct openconnect_info *vpninfo, gnutls_privkey_t *pkey, g
                return -EINVAL;
        };
 
-       if (!emptyauth) {
-               vpn_progress(vpninfo, PRG_ERR,
-                            _("Cannot use TPM2 key with authentication\n"));
-               return -EINVAL;
-       }
-
        vpninfo->tpm2 = calloc(1, sizeof(*vpninfo->tpm2));
        if (!vpninfo->tpm2)
                return -ENOMEM;
@@ -521,6 +515,8 @@ int install_tpm2_key(struct openconnect_info *vpninfo, gnutls_privkey_t *pkey, g
                goto err_out;
        }
 
+       vpninfo->tpm2->need_userauth = !emptyauth;
+
        gnutls_privkey_init(pkey);
 
        switch(vpninfo->tpm2->pub.publicArea.type) {
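Review bot: The added `need_userauth = !emptyauth` is now the only up-front gate on prompting for a key password, but the same flag is also set to 1 by `tpm2_ec_sign_fn` when the TPM returns `0x9a2` (earlier in this diff), so a blob that claims emptyAuth=TRUE but actually needs a password will still end up prompting; a comment here would make the two writers understood together: `/* Prompt for the key password up front unless the blob says emptyAuth=TRUE; a failed authorization during a TPM operation also sets this flag and re-prompts. */`. Now that keys with authorization are accepted rather than rejected, the `goto reauth` retry path in the sign function becomes reachable for interactive users; TPM2 devices count failed authorizations toward their dictionary-attack lockout, so that path should bound the number of attempts (whether it already does is not visible here). `install_tpm2_key` continues past the end of this hunk.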