From b97c5eea745ef7b143d0a20a32e956835844ba8c Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Tue, 11 May 2021 13:42:52 +0100
Subject: [PATCH] tss2-esys: Don't try password for TPM2 keys with emptyauth set

The auth-certificate test always sets --key-password=password, and when a TPM2 key has 'emptyauth' the IBM TSS code was trying the empty auth first, as it should. But the Esys code was always trying the password, and then prompting the user; the user had to just press enter. Try empty auth first if the key says so.

Signed-off-by: David Woodhouse
---
 gnutls_tpm2_esys.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/gnutls_tpm2_esys.c b/gnutls_tpm2_esys.c
index 5ae7390d..f462222f 100644
--- a/gnutls_tpm2_esys.c
+++ b/gnutls_tpm2_esys.c
@@ -364,7 +364,7 @@ static int auth_tpm2_key(struct openconnect_info *vpninfo, struct cert_info *cer
 {
 TSS2_RC r;
 
- if (certinfo->tpm2->need_userauth || certinfo->password) {
+ if (certinfo->tpm2->need_userauth) {
 char *pass = NULL;
 
 if (certinfo->password) {
-- 
2.50.1
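Review bot: The new test `if (certinfo->tpm2->need_userauth)` silently skips a configured `certinfo->password` whenever the key is marked emptyauth, and nothing at this spot says where that password is used if the TPM rejects the empty authorization. I would add a comment above the condition, for example `/* emptyauth keys try the empty auth first; certinfo->password is only consumed once need_userauth has been set */`, assuming the retry path that sets need_userauth lives in the callers, which the hunk does not show. It is also worth confirming that a key file whose emptyauth flag is wrong does not cost a failed authorization on every use, since for keys subject to TPM dictionary-attack protection such failures presumably count toward lockout. The body of auth_tpm2_key continues past the end of the hunk.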