From cc8289826ab5c744c350e5e547865710c1e1faa9 Mon Sep 17 00:00:00 2001
From: David Woodhouse
Date: Fri, 12 Oct 2018 10:34:33 -0700
Subject: [PATCH] tpm2-esys: Check parent NODA flag and demand password if needed

Signed-off-by: David Woodhouse
---
 gnutls_tpm2_esys.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/gnutls_tpm2_esys.c b/gnutls_tpm2_esys.c
index ca09c919..149c7d03 100644
--- a/gnutls_tpm2_esys.c
+++ b/gnutls_tpm2_esys.c
@@ -236,6 +236,18 @@ static int init_tpm2_key(ESYS_CONTEXT **ctx, ESYS_TR *keyHandle,
 vpninfo->tpm2->parent, r);
 goto error;
 }
+ /* If we don't already have a password, check the NODA flag on the parent
+ * and demand one if DA protection is enabled (since that strongly implies
+ * there is a non-empty password). */
+ if (!vpninfo->tpm2->ownerauth.size) {
+ TPM2B_PUBLIC *pub = NULL;
+
+ r = Esys_ReadPublic(*ctx, parentHandle, ESYS_TR_NONE, ESYS_TR_NONE, ESYS_TR_NONE,
+ &pub, NULL, NULL);
+ if (!r && !(pub->publicArea.objectAttributes & TPMA_OBJECT_NODA))
+ vpninfo->tpm2->need_ownerauth = 1;
+ free(pub);
+ }
 reauth:
 if (vpninfo->tpm2->need_ownerauth) {
 char *pass = NULL;
-- 
2.49.0
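Review bot: A failed Esys_ReadPublic on the parent is silently swallowed at `if (!r && ...)`, so on error the code falls through and authorizes the parent with an empty password — which, if the parent really is DA-protected, is precisely the failed-auth attempt against the dictionary-attack counter that this patch sets out to avoid. Consider failing closed, `if (r || !(pub->publicArea.objectAttributes & TPMA_OBJECT_NODA))` (the short-circuit keeps `pub` from being dereferenced while it is still NULL), and logging the ReadPublic status with whatever helper the truncated call before `goto error` appears to use, provided that does not break non-interactive callers. Separately, `r` is left holding the ReadPublic return code after the block; whether anything after `reauth:` reads `r` before reassigning it is outside the hunk, so it is worth checking. tpm2-tss generally expects ESAPI output buffers to be released with `Esys_Free()` rather than `free()`; if the library version in use exports it, use `Esys_Free(pub)` so the deallocator matches the allocator. init_tpm2_key's body continues on both sides of the hunk.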