From db7054a5a1119b014b9311cfaa9d6cd79ecb1bbb Mon Sep 17 00:00:00 2001
From: David Woodhouse <dwmw2@infradead.org>
Date: Thu, 3 Jan 2019 21:39:08 +0000
Subject: [PATCH] Encrypt digests being signed with IBM TSS2.

The digest itself will end up on the wire. But the computed hash including
the secrets should probably be obsecured. For the TPM that's an input
parameter, which it must decrypt. Hence TPMA_SESSION_DECRYPT.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
---
 gnutls_tpm2_ibm.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/gnutls_tpm2_ibm.c b/gnutls_tpm2_ibm.c
index 1077c694..0ad8607a 100644
--- a/gnutls_tpm2_ibm.c
+++ b/gnutls_tpm2_ibm.c
@@ -354,7 +354,7 @@ int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
 			 (COMMAND_PARAMETERS *)&in,
 			 NULL,
 			 TPM_CC_RSA_Decrypt,
-			 authHandle, pass, 0,
+			 authHandle, pass, TPMA_SESSION_DECRYPT,
 			 TPM_RH_NULL, NULL, 0);
 	if (rc == KEY_AUTH_FAILED) {
 		free_pass(&pass);
@@ -441,7 +441,7 @@ int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
 			 (COMMAND_PARAMETERS *)&in,
 			 NULL,
 			 TPM_CC_Sign,
-			 authHandle, pass, 0,
+			 authHandle, pass, TPMA_SESSION_DECRYPT,
 			 TPM_RH_NULL, NULL, 0);
 	if (rc == KEY_AUTH_FAILED) {
 		free_pass(&pass);
-- 
2.50.1