s390/pkey: fix PKEY_TYPE_EP11_AES handling in PKEY_VERIFYKEY2 IOCTL
authorHolger Dengler <dengler@linux.ibm.com>
Tue, 25 Jul 2023 11:05:36 +0000 (13:05 +0200)
committerHeiko Carstens <hca@linux.ibm.com>
Thu, 17 Aug 2023 13:18:53 +0000 (15:18 +0200)
Commit 'fa6999e326fe ("s390/pkey: support CCA and EP11 secure ECC
private keys")' introduced a new PKEY_TYPE_EP11_AES type for the
PKEY_VERIFYKEY2 IOCTL to verify keyblobs of this type. Unfortunately,
all PKEY_VERIFYKEY2 IOCTL requests with keyblobs of this type return
with an error (-EINVAL). Fix PKEY_TYPE_EP11_AES handling in
PKEY_VERIFYKEY2 IOCTL, so that userspace can verify keyblobs of this
type.

Fixes: fa6999e326fe ("s390/pkey: support CCA and EP11 secure ECC private keys")
Signed-off-by: Holger Dengler <dengler@linux.ibm.com>
Reviewed-by: Ingo Franzki <ifranzki@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
drivers/s390/crypto/pkey_api.c

index 75d7f0d5f14ef7cc55437ea0fa9ffa998ce91781..8d6f35ccc561d6cb1c1bfcefe61e0a8e164d4f1c 100644 (file)
@@ -912,7 +912,8 @@ static int pkey_verifykey2(const u8 *key, size_t keylen,
                        *ksize = kb->head.bitlen;
 
                rc = ep11_findcard2(&_apqns, &_nr_apqns, *cardnr, *domain,
-                                   ZCRYPT_CEX7, EP11_API_V, kb->wkvp);
+                                   ZCRYPT_CEX7, EP11_API_V,
+                                   ep11_kb_wkvp(key, keylen));
                if (rc)
                        goto out;
 
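Review bot: The WKVP argument to ep11_findcard2() is now the unchecked return value of `ep11_kb_wkvp(key, keylen)`, whereas the removed line passed the struct member `kb->wkvp`. The helper's definition is not on this page; if it can return NULL for a blob it fails to parse, and ep11_findcard2() treats a NULL pattern as "no filter", the lookup would accept any APQN and the caller would still report a match. Taking the value into a local and rejecting NULL makes the check explicit: `wkvp = ep11_kb_wkvp(key, keylen);` followed by `if (!wkvp) { rc = -EINVAL; goto out; }`. The same applies to the identical call in the new TOKVER_EP11_AES_WITH_HEADER branch in the next hunk, where `PKEY_FLAGS_MATCH_CUR_MKVP` is set right after it; pkey_verifykey2() starts and ends outside both hunks.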
@@ -922,6 +923,30 @@ static int pkey_verifykey2(const u8 *key, size_t keylen,
                *cardnr = ((struct pkey_apqn *)_apqns)->card;
                *domain = ((struct pkey_apqn *)_apqns)->domain;
 
+       } else if (hdr->type == TOKTYPE_NON_CCA &&
+                  hdr->version == TOKVER_EP11_AES_WITH_HEADER) {
+               struct ep11kblob_header *kh = (struct ep11kblob_header *)key;
+
+               rc = ep11_check_aes_key_with_hdr(debug_info, 3,
+                                                key, keylen, 1);
+               if (rc)
+                       goto out;
+               if (ktype)
+                       *ktype = PKEY_TYPE_EP11_AES;
+               if (ksize)
+                       *ksize = kh->bitlen;
+
+               rc = ep11_findcard2(&_apqns, &_nr_apqns, *cardnr, *domain,
+                                   ZCRYPT_CEX7, EP11_API_V,
+                                   ep11_kb_wkvp(key, keylen));
+               if (rc)
+                       goto out;
+
+               if (flags)
+                       *flags = PKEY_FLAGS_MATCH_CUR_MKVP;
+
+               *cardnr = ((struct pkey_apqn *)_apqns)->card;
+               *domain = ((struct pkey_apqn *)_apqns)->domain;
        } else {
                rc = -EINVAL;
        }
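Review bot: The new TOKVER_EP11_AES_WITH_HEADER branch repeats the card lookup, flag and cardnr/domain assignments of the branch above it, and nothing in the code says what actually differs. The visible differences are the checker called and the key size being read from `kh->bitlen` instead of `kb->head.bitlen`. A short comment at the top of the branch would record that, e.g. `/* EP11 AES blob with ep11kblob_header in front: size comes from the outer header */`. The literal arguments `3` and `1` to ep11_check_aes_key_with_hdr() are also unexplained; they are presumably a debug level and a CPACF-export check, which should be confirmed against the helper and noted in the same comment. The function body continues outside the hunk.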