Patch "s390/pkey: fix PKEY_TYPE_EP11_AES handling in PKEY_VERIFYKEY2 IOCTL" has been added to the 6.5-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Fri, 8 Sep 2023 17:39:11 -0400

This is a note to let you know that I've just added the patch titled

    s390/pkey: fix PKEY_TYPE_EP11_AES handling in PKEY_VERIFYKEY2 IOCTL

to the 6.5-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     s390-pkey-fix-pkey_type_ep11_aes-handling-in-pkey_ve.patch
and it can be found in the queue-6.5 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit cb5ad9134cb43efa82d53e5d5c15e59d603c9373
Author: Holger Dengler <dengler@xxxxxxxxxxxxx>
Date:   Tue Jul 25 13:05:36 2023 +0200

    s390/pkey: fix PKEY_TYPE_EP11_AES handling in PKEY_VERIFYKEY2 IOCTL
    
    [ Upstream commit 745742dbca11a1b63684ec7032a81aaedcf51fb0 ]
    
    Commit 'fa6999e326fe ("s390/pkey: support CCA and EP11 secure ECC
    private keys")' introduced a new PKEY_TYPE_EP11_AES type for the
    PKEY_VERIFYKEY2 IOCTL to verify keyblobs of this type. Unfortunately,
    all PKEY_VERIFYKEY2 IOCTL requests with keyblobs of this type return
    with an error (-EINVAL). Fix PKEY_TYPE_EP11_AES handling in
    PKEY_VERIFYKEY2 IOCTL, so that userspace can verify keyblobs of this
    type.
    
    Fixes: fa6999e326fe ("s390/pkey: support CCA and EP11 secure ECC private keys")
    Signed-off-by: Holger Dengler <dengler@xxxxxxxxxxxxx>
    Reviewed-by: Ingo Franzki <ifranzki@xxxxxxxxxxxxx>
    Signed-off-by: Heiko Carstens <hca@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/drivers/s390/crypto/pkey_api.c b/drivers/s390/crypto/pkey_api.c
index 75d7f0d5f14ef..8d6f35ccc561d 100644
--- a/drivers/s390/crypto/pkey_api.c
+++ b/drivers/s390/crypto/pkey_api.c
@@ -912,7 +912,8 @@ static int pkey_verifykey2(const u8 *key, size_t keylen,
 			*ksize = kb->head.bitlen;
 
 		rc = ep11_findcard2(&_apqns, &_nr_apqns, *cardnr, *domain,
-				    ZCRYPT_CEX7, EP11_API_V, kb->wkvp);
+				    ZCRYPT_CEX7, EP11_API_V,
+				    ep11_kb_wkvp(key, keylen));
 		if (rc)
 			goto out;
 
@@ -922,6 +923,30 @@ static int pkey_verifykey2(const u8 *key, size_t keylen,
 		*cardnr = ((struct pkey_apqn *)_apqns)->card;
 		*domain = ((struct pkey_apqn *)_apqns)->domain;
 
+	} else if (hdr->type == TOKTYPE_NON_CCA &&
+		   hdr->version == TOKVER_EP11_AES_WITH_HEADER) {
+		struct ep11kblob_header *kh = (struct ep11kblob_header *)key;
+
+		rc = ep11_check_aes_key_with_hdr(debug_info, 3,
+						 key, keylen, 1);
+		if (rc)
+			goto out;
+		if (ktype)
+			*ktype = PKEY_TYPE_EP11_AES;
+		if (ksize)
+			*ksize = kh->bitlen;
+
+		rc = ep11_findcard2(&_apqns, &_nr_apqns, *cardnr, *domain,
+				    ZCRYPT_CEX7, EP11_API_V,
+				    ep11_kb_wkvp(key, keylen));
+		if (rc)
+			goto out;
+
+		if (flags)
+			*flags = PKEY_FLAGS_MATCH_CUR_MKVP;
+
+		*cardnr = ((struct pkey_apqn *)_apqns)->card;
+		*domain = ((struct pkey_apqn *)_apqns)->domain;
 	} else {
 		rc = -EINVAL;
 	}






