Commit 745742db authored by Holger Dengler's avatar Holger Dengler Committed by Heiko Carstens

s390/pkey: fix PKEY_TYPE_EP11_AES handling in PKEY_VERIFYKEY2 IOCTL



Commit 'fa6999e3 ("s390/pkey: support CCA and EP11 secure ECC
private keys")' introduced a new PKEY_TYPE_EP11_AES type for the
PKEY_VERIFYKEY2 IOCTL to verify keyblobs of this type. Unfortunately,
all PKEY_VERIFYKEY2 IOCTL requests with keyblobs of this type return
with an error (-EINVAL). Fix PKEY_TYPE_EP11_AES handling in
PKEY_VERIFYKEY2 IOCTL, so that userspace can verify keyblobs of this
type.

Fixes: fa6999e3 ("s390/pkey: support CCA and EP11 secure ECC private keys")
Signed-off-by: default avatarHolger Dengler <dengler@linux.ibm.com>
Reviewed-by: default avatarIngo Franzki <ifranzki@linux.ibm.com>
Signed-off-by: default avatarHeiko Carstens <hca@linux.ibm.com>
parent d1fdfb0b
+26 −1
@@ -912,7 +912,8 @@ static int pkey_verifykey2(const u8 *key, size_t keylen,
			*ksize = kb->head.bitlen;

		rc = ep11_findcard2(&_apqns, &_nr_apqns, *cardnr, *domain,
				    ZCRYPT_CEX7, EP11_API_V, kb->wkvp);
				    ZCRYPT_CEX7, EP11_API_V,
				    ep11_kb_wkvp(key, keylen));
		if (rc)
			goto out;

@@ -922,6 +923,30 @@ static int pkey_verifykey2(const u8 *key, size_t keylen,
		*cardnr = ((struct pkey_apqn *)_apqns)->card;
		*domain = ((struct pkey_apqn *)_apqns)->domain;

	} else if (hdr->type == TOKTYPE_NON_CCA &&
		   hdr->version == TOKVER_EP11_AES_WITH_HEADER) {
		struct ep11kblob_header *kh = (struct ep11kblob_header *)key;

		rc = ep11_check_aes_key_with_hdr(debug_info, 3,
						 key, keylen, 1);
		if (rc)
			goto out;
		if (ktype)
			*ktype = PKEY_TYPE_EP11_AES;
		if (ksize)
			*ksize = kh->bitlen;

		rc = ep11_findcard2(&_apqns, &_nr_apqns, *cardnr, *domain,
				    ZCRYPT_CEX7, EP11_API_V,
				    ep11_kb_wkvp(key, keylen));
		if (rc)
			goto out;

		if (flags)
			*flags = PKEY_FLAGS_MATCH_CUR_MKVP;

		*cardnr = ((struct pkey_apqn *)_apqns)->card;
		*domain = ((struct pkey_apqn *)_apqns)->domain;
	} else {
		rc = -EINVAL;
	}
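Review bot: In the new `TOKVER_EP11_AES_WITH_HEADER` branch the result of `ep11_kb_wkvp(key, keylen)` is passed straight to `ep11_findcard2()` without a check, and `*flags = PKEY_FLAGS_MATCH_CUR_MKVP` is then reported to userspace unconditionally. Neither helper's body is visible here, so this needs confirming: if `ep11_kb_wkvp()` can return NULL and `ep11_findcard2()` treats a NULL pattern as "do not filter", the ioctl would report a wrapping-key match that was never actually compared. Taking the pointer into a local and failing closed, `if (!wkvp) { rc = -EINVAL; goto out; }`, would keep the verification result from depending on that helper's contract; the same applies to the changed call in the first hunk. `pkey_verifykey2()` starts and ends outside both hunks.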