From: David Woodhouse <dwmw2@infradead.org>
Date: Thu, 3 Jan 2019 21:39:08 +0000 (+0000)
Subject: Encrypt digests being signed with IBM TSS2.
X-Git-Tag: v8.00~14
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=db7054a5a1119b014b9311cfaa9d6cd79ecb1bbb;p=users%2Fdwmw2%2Fopenconnect.git

Encrypt digests being signed with IBM TSS2.

The digest itself will end up on the wire. But the computed hash including
the secrets should probably be obsecured. For the TPM that's an input
parameter, which it must decrypt. Hence TPMA_SESSION_DECRYPT.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
---

diff --git a/gnutls_tpm2_ibm.c b/gnutls_tpm2_ibm.c
index 1077c694..0ad8607a 100644
--- a/gnutls_tpm2_ibm.c
+++ b/gnutls_tpm2_ibm.c
@@ -354,7 +354,7 @@ int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
 			 (COMMAND_PARAMETERS *)&in,
 			 NULL,
 			 TPM_CC_RSA_Decrypt,
-			 authHandle, pass, 0,
+			 authHandle, pass, TPMA_SESSION_DECRYPT,
 			 TPM_RH_NULL, NULL, 0);
 	if (rc == KEY_AUTH_FAILED) {
 		free_pass(&pass);
@@ -441,7 +441,7 @@ int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
 			 (COMMAND_PARAMETERS *)&in,
 			 NULL,
 			 TPM_CC_Sign,
-			 authHandle, pass, 0,
+			 authHandle, pass, TPMA_SESSION_DECRYPT,
 			 TPM_RH_NULL, NULL, 0);
 	if (rc == KEY_AUTH_FAILED) {
 		free_pass(&pass);