s390-tools/s390-tools-sles15sp4-libseckey-Fix-re-enciphering-of-EP11-secure-key.patch

Subject: [PATCH] [BZ 197605] libseckey: Fix re-enciphering of EP11 secure key
From: Ingo Franzki <ifranzki@linux.ibm.com>

Description:   zkey: Fix re-enciphering of EP11 identity key of KMIP plugin 
Symptom:       When re-enciphering the identity key and/or wrapping key of the
               zkey KMIP plugin via 'zkey kms reencipher', the operation 
               completes without an error, but the secure keys are left 
               un-reenciphered. A subsequent connection attempt with the KMIP
               server will fail because the identity key is no longer valid.
Problem:       The re-enciphered secure key is not copied back into the
               key token buffer. Also, the the public key part, i.e. the MACed
               SubjectPublicKeyInfo (SPKI) structure must also be re-
               enciphered (i.e. re-MACed), since the MAC is calculated with
               the EP11 master key.
Solution:      Copy the re-enciphered secure key back into the key toke
               buffer, and also re-encipher the public key part.
Reproduction:  Perform a master key change on the EP11 APQNs used with the
               KMIP plugin.
Upstream-ID:   4e2ebe0370d9fb036b7554d5ac5df4418dbe0397
Problem-ID:    197605

Upstream-Description:

              libseckey: Fix re-enciphering of EP11 secure key

              The re-enciphering of EP11 asymmetric secure keys does not work.
              First, the result of the re-encipher operation of the private key
              part must be copied back into the user supplied key token buffer.
              Second, the public key part, i.e. the MACed SubjectPublicKeyInfo
              (SPKI) structure must also be re-enciphered (i.e. re-MACed), since
              the MAC is calculated with the EP11 master key.

              Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
              Signed-off-by: Jan Hoeppner <hoeppner@linux.ibm.com>


Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
---
 libseckey/sk_ep11.c |   53 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)

--- a/libseckey/sk_ep11.c
+++ b/libseckey/sk_ep11.c
@@ -1549,6 +1549,59 @@ int SK_EP11_reencipher_key(const struct
 		return -EIO;
 	}
 
+	memcpy(blob, lrb.payload, lrb.pllen);
+
+	/* re-encipher MACed SPKI */
+	rb.domain = domain;
+	lrb.domain = domain;
+
+	resp_len = sizeof(resp);
+	req_len = ep11.dll_xcpa_cmdblock(req, sizeof(req), XCP_ADM_REENCRYPT,
+					 &rb, NULL, key_token + hdr->len,
+					 key_token_length - hdr->len);
+	if (req_len < 0) {
+		sk_debug(debug, "Failed to build XCP command block");
+		return -EIO;
+	}
+
+	rv = ep11.dll_m_admin(resp, &resp_len, NULL, NULL, req, req_len, NULL,
+			      0, ep11_lib->target);
+	if (rv != CKR_OK || resp_len == 0) {
+		sk_debug(debug, "Command XCP_ADM_REENCRYPT failed. "
+			 "rc = 0x%lx, resp_len = %ld", rv, resp_len);
+		return -EIO;
+	}
+
+	rc = ep11.dll_xcpa_internal_rv(resp, resp_len, &lrb, &rv);
+	if (rc != 0) {
+		sk_debug(debug, "Failed to parse response. rc = %d", rc);
+		return -EIO;
+	}
+
+	if (rv != CKR_OK) {
+		sk_debug(debug, "Failed to re-encrypt the EP11 secure key. "
+			 "rc = 0x%lx", rv);
+		switch (rv) {
+		case CKR_IBM_WKID_MISMATCH:
+			sk_debug(debug, "The EP11 secure key is currently "
+				 "encrypted under a different master that does "
+				 "not match the master key in the CURRENT "
+				 "master key register of APQN %02X.%04X",
+				 card, domain);
+			break;
+		}
+		return -EIO;
+	}
+
+	if (key_token_length - hdr->len != lrb.pllen) {
+		sk_debug(debug, "Re-encrypted EP11 secure key size has "
+			 "changed: org-len: %lu, new-len: %lu",
+			 hdr->len - sizeof(*hdr), lrb.pllen);
+		return -EIO;
+	}
+
+	memcpy(key_token + hdr->len, lrb.payload, lrb.pllen);
+
 	return 0;
 }