forked from pool/s390-tools
9d48c28fee
- Added s390-tools-sles15sp2-zkey-Fix-display-of-XTS-attribute-for-validate-comma.patch (bsc#1163002). - Added s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-CCA-AESCIPHER.patch (bsc#1163570). - Re-categorized s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch from an IBM patch to a SUSE-maintained patch. (bsc#1162840) - sign the stage3.bin bootloader stage (bsc#1163524) - Added s390-tools-sles15sp1-zdev-Also-include-the-ctc-driver-in-the-initrd.patch (bsc#1160373). - Added s390-tools-sles15sp1-11-zdev-Do-not-call-zipl-on-initrd-update.patch (bsc#1162840). - Added s390-tools-sles15sp2-zkey-Fix-listing-of-keys-on-file-systems-reporting-D.patch (bsc#1162996). - Added s390-tools-sles15sp2-zkey-Fix-display-of-clear-key-size-for-XTS-keys.patch (bsc#1163003). OBS-URL: https://build.opensuse.org/request/show/777411 OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=88
49 lines
2.2 KiB
Diff
49 lines
2.2 KiB
Diff
Subject: [PATCH] [BZ 183875] zkey: Fix display of clear key size for CCA-AESCIPHER keys
|
|
From: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
|
|
Description: zkey: Fix display of clear key size for CCA-AESCIPHER keys
|
|
Symptom: The 'zkey list' command shows bogus values for the
|
|
keys 'Clear key size' for keys of type CCA-AESCIPHER.
|
|
Problem: Secure keys of type CCA-AESCIPHER are variable length,
|
|
dependent on the effective key size (e.g. 128, 192, or 256
|
|
bits). However, the key blob stored is padded to a fixed
|
|
length, so that all key blobs of type CCA-AESCIPHER are
|
|
the same size, regardless of the effective key bit size.
|
|
To code to display the clear key bitsize does not correctly
|
|
handle the padding and may treat a non-XTS key like an XTS
|
|
key and thus reads past the end of the key blob. This
|
|
results in bogus values reported as clear key size.
|
|
This bug has been introduced with feature SEC1717 "Cipher
|
|
key support" with commit ddde3f354f35 ("zkey: Introduce th
|
|
CCA-AESCIPHER key type").
|
|
Solution: Correct the handling of key of type CCA-AESCIPHER.
|
|
Reproduction: Generate a key of type CCA-AESCIPHER and then run
|
|
'zkey list'.
|
|
Upstream-ID: 49cbaba302f002aa7f148631a76fc21a3069bc25
|
|
Problem-ID: 183875
|
|
|
|
Upstream-Description:
|
|
|
|
zkey: Fix display of clear key size for CCA-AESCIPHER keys
|
|
|
|
Fixes: ddde3f354f35 ("zkey: Introduce the CCA-AESCIPHER key type")
|
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
Signed-off-by: Jan Hoeppner <hoeppner@linux.ibm.com>
|
|
|
|
|
|
Signed-off-by: Ingo Franzki <ifranzki@linux.ibm.com>
|
|
--- a/zkey/pkey.c
|
|
+++ b/zkey/pkey.c
|
|
@@ -1600,9 +1600,9 @@ int get_key_bit_size(const u8 *key, size
|
|
*bitsize = cipherkey->pl - 384;
|
|
else
|
|
*bitsize = 0; /* Unknown */
|
|
- if (key_size > cipherkey->length) {
|
|
+ if (key_size == 2 * AESCIPHER_KEY_SIZE) {
|
|
cipherkey = (struct aescipherkeytoken *)(key +
|
|
- cipherkey->length);
|
|
+ AESCIPHER_KEY_SIZE);
|
|
if (cipherkey->pfv == 0x00) /* V0 payload */
|
|
*bitsize += cipherkey->pl - 384;
|
|
}
|