From 86e6adf47e614178d09d5e63033df7f65747490f Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Thu, 3 Aug 2017 21:35:20 +0900
Subject: [PATCH] Fix factory-reset for admin-less mode.

Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
 ChangeLog     | 4 ++++
 src/openpgp.c | 7 ++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/ChangeLog b/ChangeLog
index 2813c84..299bc32 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2017-08-03  NIIBE Yutaka  <gniibe@fsij.org>
+
+	* src/openpgp.c (cmd_terminate_df): Fix for admin-less mode.
+
 2017-08-03  Jeremy Drake <jeremydrake+gnuk@eacceleration.com>
 
 	* regnual/regnual.c (main): Allow compile time
diff --git a/src/openpgp.c b/src/openpgp.c
index 4e19802..1fdd01a 100644
--- a/src/openpgp.c
+++ b/src/openpgp.c
@@ -1335,6 +1335,8 @@ cmd_activate_file (void)
 static void
 cmd_terminate_df (void)
 {
+  const uint8_t *ks_pw3;
+
   uint8_t p1 = P1 (apdu);
   uint8_t p2 = P2 (apdu);
 
@@ -1356,8 +1358,11 @@ cmd_terminate_df (void)
       return;
     }
 
+  ks_pw3 = gpg_do_read_simple (NR_DO_KEYSTRING_PW3);
 
-  if (!ac_check_status (AC_ADMIN_AUTHORIZED) && !gpg_pw_locked (PW_ERR_PW3))
+  if (!ac_check_status (AC_ADMIN_AUTHORIZED)
+      && !((ks_pw3 && gpg_pw_locked (PW_ERR_PW3))
+	   || (ks_pw3 == NULL && gpg_pw_locked (PW_ERR_PW1))))
     {
       /* Only allow the case admin authorized, or, admin pass is locked.  */
       GPG_SECURITY_FAILURE();