From: David Woodhouse Date: Tue, 11 May 2021 12:42:52 +0000 (+0100) Subject: tss2-esys: Don't try password for TPM2 keys with emptyauth set X-Git-Tag: v8.20~203 X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=b97c5eea745ef7b143d0a20a32e956835844ba8c;p=users%2Fdwmw2%2Fopenconnect.git tss2-esys: Don't try password for TPM2 keys with emptyauth set The auth-certificate test always sets --key-password=password, and when a TPM2 key has 'emptyauth' the IBM TSS code was trying the empty auth first, as it should. But the Esys code was always trying the password, and then prompting the user; the user had to just press enter. Try empty auth first if the key says so. Signed-off-by: David Woodhouse --- diff --git a/gnutls_tpm2_esys.c b/gnutls_tpm2_esys.c index 5ae7390d..f462222f 100644 --- a/gnutls_tpm2_esys.c +++ b/gnutls_tpm2_esys.c @@ -364,7 +364,7 @@ static int auth_tpm2_key(struct openconnect_info *vpninfo, struct cert_info *cer { TSS2_RC r; - if (certinfo->tpm2->need_userauth || certinfo->password) { + if (certinfo->tpm2->need_userauth) { char *pass = NULL; if (certinfo->password) {
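Review bot: in auth_tpm2_key(), the new condition `if (certinfo->tpm2->need_userauth) {` means a supplied certinfo->password is now skipped without any trace whenever need_userauth is clear. The commit message says empty auth is tried "first", which implies a second attempt with the password if the TPM rejects the empty auth. That retry is not visible in this hunk. Please confirm that the failure path sets need_userauth and re-enters this function, so that a key whose emptyauth flag is wrong still reaches the `if (certinfo->password) {` branch rather than failing outright. A short comment above the condition would help the next reader: it should say that need_userauth starts clear for emptyauth keys and is set after a failed empty-auth attempt. It may also be worth a debug-level log line when a configured password is being bypassed, since a user who passed --key-password otherwise has no indication that it was not used.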