TPM2B_DIGEST ownerauth;
unsigned int need_userauth:1;
unsigned int need_ownerauth:1;
+ unsigned int did_ownerauth:1;
unsigned int legacy_srk:1;
unsigned int parent;
};
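Review bot: The new `did_ownerauth` bit has no comment, and its relationship to `need_ownerauth` is not obvious from the name. In the later hunks it is only ever set to 1 after an error check has passed, and it is then used to skip the NODA check, so it appears to record that the cached `ownerauth` (possibly empty) has already been accepted once. I would state that on the field, e.g. `unsigned int did_ownerauth:1; /* parent auth (possibly empty) has succeeded once; skip the NODA-based prompt */`. The struct's opening lines are outside this hunk, so the other flags may already be documented elsewhere.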
vpninfo->tpm2->parent, r);
goto error;
}
- /* If we don't already have a password, check the NODA flag on the parent
- * and demand one if DA protection is enabled (since that strongly implies
- * there is a non-empty password). */
- if (!vpninfo->tpm2->ownerauth.size) {
+ /* If we don't already have a password (and haven't already authenticated
+ * successfully), check the NODA flag on the parent and demand one if DA
+ * protection is enabled (since that strongly implies there is a non-empty
+ * password). */
+ if (!vpninfo->tpm2->did_ownerauth && !vpninfo->tpm2->ownerauth.size) {
TPM2B_PUBLIC *pub = NULL;
r = Esys_ReadPublic(*ctx, parentHandle, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
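Review bot: Nothing in the visible hunks ever clears `did_ownerauth`, so once it is set the condition `!vpninfo->tpm2->did_ownerauth && !vpninfo->tpm2->ownerauth.size` skips the NODA check for the rest of this structure's lifetime. If the parent's auth value changes after the first success, a later load would reach the TPM with the stale (possibly empty) value, and on a DA-protected parent a failed authorization normally counts toward the lockout counter. Assuming the auth-failure path is where `need_ownerauth` gets set again, I would also reset the flag there with `vpninfo->tpm2->did_ownerauth = 0;`, so that it does not outlive the success it records. The enclosing function starts and ends outside the hunk, so the retry path needs checking before applying this.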
r);
goto error;
}
+ vpninfo->tpm2->did_ownerauth = 1;
if (parent_is_generated(vpninfo->tpm2->parent)) {
r = Esys_FlushContext(*ctx, parentHandle);