Skip to content

Commit

Permalink
Encrypt digests being signed with IBM TSS2.
Browse files Browse the repository at this point in the history 
The digest itself will end up on the wire. But the computed hash including
the secrets should probably be obsecured. For the TPM that's an input
parameter, which it must decrypt. Hence TPMA_SESSION_DECRYPT.

Signed-off-by: David Woodhouse <dwmw2@infradead.org>
  • Loading branch information
@dwmw2
dwmw2 committed Jan 3, 2019
1 parent 04bcebb commit db7054a
Showing 1 changed file with 2 additions and 2 deletions.
4 changes: 2 additions & 2 deletions gnutls_tpm2_ibm.c
View file
Expand Up @@ -354,7 +354,7 @@ int tpm2_rsa_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
(COMMAND_PARAMETERS *)&in,
NULL,
TPM_CC_RSA_Decrypt,
authHandle, pass, 0,
authHandle, pass, TPMA_SESSION_DECRYPT,
TPM_RH_NULL, NULL, 0);
if (rc == KEY_AUTH_FAILED) {
free_pass(&pass);
Expand Down Expand Up @@ -441,7 +441,7 @@ int tpm2_ec_sign_hash_fn(gnutls_privkey_t key, gnutls_sign_algorithm_t algo,
(COMMAND_PARAMETERS *)&in,
NULL,
TPM_CC_Sign,
authHandle, pass, 0,
authHandle, pass, TPMA_SESSION_DECRYPT,
TPM_RH_NULL, NULL, 0);
if (rc == KEY_AUTH_FAILED) {
free_pass(&pass);
Expand Down

0 comments on commit db7054a

Please sign in to comment.