tpm2-esys: Check parent NODA flag and demand password if needed
authorDavid Woodhouse <dwmw2@infradead.org>
Fri, 12 Oct 2018 17:34:33 +0000 (10:34 -0700)
committerDavid Woodhouse <dwmw2@infradead.org>
Fri, 12 Oct 2018 17:34:33 +0000 (10:34 -0700)
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
gnutls_tpm2_esys.c

index ca09c919a989a4f421d9487e58e0451cfdd7b2be..149c7d03b43225855d0dc4e546f35cc474f04882 100644 (file)
@@ -236,6 +236,18 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *keyHandle,
                                     vpninfo->tpm2->parent, r);
                        goto error;
                }
+               /* If we don't already have a password, check the NODA flag on the parent
+                * and demand one if DA protection is enabled (since that strongly implies
+                * there is a non-empty password). */
+               if (!vpninfo->tpm2->ownerauth.size) {
+                       TPM2B_PUBLIC *pub = NULL;
+
+                       r = Esys_ReadPublic(*ctx, parentHandle, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
+                                           &pub, NULL, NULL);
+                       if (!r && !(pub->publicArea.objectAttributes & TPMA_OBJECT_NODA))
+                               vpninfo->tpm2->need_ownerauth = 1;
+                       free(pub);
+               }
        reauth:
                if (vpninfo->tpm2->need_ownerauth) {
                        char *pass = NULL;
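Review bot: The error path of the added Esys_ReadPublic call is silent — `r` only gates the NODA test, so when the read fails need_ownerauth stays clear and the code goes on to authorise the parent with the empty ownerauth, which is exactly the DA-protected case the new comment says the change is meant to avoid (a failed attempt there counts against the TPM's lockout counter). Report the failure in the same style as the error just above the hunk, e.g. `else if (r) vpn_progress(vpninfo, PRG_DEBUG, _("Failed to read public area of parent: 0x%x\n"), r);`, or set `vpninfo->tpm2->need_ownerauth = 1` on failure so the conservative path is taken. The buffer should also be released with `Esys_Free(pub)` rather than `free(pub)`, since tpm2-tss provides that function for memory its API allocates. Note that `r` now carries the ReadPublic status after this block; if code below the hunk inspects it, a failed read would leak into that check. init_tpm2_key starts and ends outside the hunk.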