0001
0002
0003
0004
0005
0006
0007
0008
0009 #define KMSG_COMPONENT "zcrypt"
0010 #define pr_fmt(fmt) KMSG_COMPONENT ": " fmt
0011
0012 #include <linux/init.h>
0013 #include <linux/module.h>
0014 #include <linux/slab.h>
0015 #include <linux/random.h>
0016 #include <asm/zcrypt.h>
0017 #include <asm/pkey.h>
0018 #include <crypto/aes.h>
0019
0020 #include "ap_bus.h"
0021 #include "zcrypt_api.h"
0022 #include "zcrypt_debug.h"
0023 #include "zcrypt_msgtype6.h"
0024 #include "zcrypt_ep11misc.h"
0025 #include "zcrypt_ccamisc.h"
0026
0027 #define DEBUG_DBG(...) ZCRYPT_DBF(DBF_DEBUG, ##__VA_ARGS__)
0028 #define DEBUG_INFO(...) ZCRYPT_DBF(DBF_INFO, ##__VA_ARGS__)
0029 #define DEBUG_WARN(...) ZCRYPT_DBF(DBF_WARN, ##__VA_ARGS__)
0030 #define DEBUG_ERR(...) ZCRYPT_DBF(DBF_ERR, ##__VA_ARGS__)
0031
0032
0033 static const u8 def_iv[16] = { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
0034 0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff };
0035
0036
0037 struct card_list_entry {
0038 struct list_head list;
0039 u16 cardnr;
0040 struct ep11_card_info info;
0041 };
0042 static LIST_HEAD(card_list);
0043 static DEFINE_SPINLOCK(card_list_lock);
0044
0045 static int card_cache_fetch(u16 cardnr, struct ep11_card_info *ci)
0046 {
0047 int rc = -ENOENT;
0048 struct card_list_entry *ptr;
0049
0050 spin_lock_bh(&card_list_lock);
0051 list_for_each_entry(ptr, &card_list, list) {
0052 if (ptr->cardnr == cardnr) {
0053 memcpy(ci, &ptr->info, sizeof(*ci));
0054 rc = 0;
0055 break;
0056 }
0057 }
0058 spin_unlock_bh(&card_list_lock);
0059
0060 return rc;
0061 }
0062
0063 static void card_cache_update(u16 cardnr, const struct ep11_card_info *ci)
0064 {
0065 int found = 0;
0066 struct card_list_entry *ptr;
0067
0068 spin_lock_bh(&card_list_lock);
0069 list_for_each_entry(ptr, &card_list, list) {
0070 if (ptr->cardnr == cardnr) {
0071 memcpy(&ptr->info, ci, sizeof(*ci));
0072 found = 1;
0073 break;
0074 }
0075 }
0076 if (!found) {
0077 ptr = kmalloc(sizeof(*ptr), GFP_ATOMIC);
0078 if (!ptr) {
0079 spin_unlock_bh(&card_list_lock);
0080 return;
0081 }
0082 ptr->cardnr = cardnr;
0083 memcpy(&ptr->info, ci, sizeof(*ci));
0084 list_add(&ptr->list, &card_list);
0085 }
0086 spin_unlock_bh(&card_list_lock);
0087 }
0088
0089 static void card_cache_scrub(u16 cardnr)
0090 {
0091 struct card_list_entry *ptr;
0092
0093 spin_lock_bh(&card_list_lock);
0094 list_for_each_entry(ptr, &card_list, list) {
0095 if (ptr->cardnr == cardnr) {
0096 list_del(&ptr->list);
0097 kfree(ptr);
0098 break;
0099 }
0100 }
0101 spin_unlock_bh(&card_list_lock);
0102 }
0103
0104 static void __exit card_cache_free(void)
0105 {
0106 struct card_list_entry *ptr, *pnext;
0107
0108 spin_lock_bh(&card_list_lock);
0109 list_for_each_entry_safe(ptr, pnext, &card_list, list) {
0110 list_del(&ptr->list);
0111 kfree(ptr);
0112 }
0113 spin_unlock_bh(&card_list_lock);
0114 }
0115
0116
0117
0118
0119 int ep11_check_aes_key_with_hdr(debug_info_t *dbg, int dbflvl,
0120 const u8 *key, size_t keylen, int checkcpacfexp)
0121 {
0122 struct ep11kblob_header *hdr = (struct ep11kblob_header *)key;
0123 struct ep11keyblob *kb = (struct ep11keyblob *)(key + sizeof(*hdr));
0124
0125 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
0126
0127 if (keylen < sizeof(*hdr) + sizeof(*kb)) {
0128 DBF("%s key check failed, keylen %zu < %zu\n",
0129 __func__, keylen, sizeof(*hdr) + sizeof(*kb));
0130 return -EINVAL;
0131 }
0132
0133 if (hdr->type != TOKTYPE_NON_CCA) {
0134 if (dbg)
0135 DBF("%s key check failed, type 0x%02x != 0x%02x\n",
0136 __func__, (int)hdr->type, TOKTYPE_NON_CCA);
0137 return -EINVAL;
0138 }
0139 if (hdr->hver != 0x00) {
0140 if (dbg)
0141 DBF("%s key check failed, header version 0x%02x != 0x00\n",
0142 __func__, (int)hdr->hver);
0143 return -EINVAL;
0144 }
0145 if (hdr->version != TOKVER_EP11_AES_WITH_HEADER) {
0146 if (dbg)
0147 DBF("%s key check failed, version 0x%02x != 0x%02x\n",
0148 __func__, (int)hdr->version, TOKVER_EP11_AES_WITH_HEADER);
0149 return -EINVAL;
0150 }
0151 if (hdr->len > keylen) {
0152 if (dbg)
0153 DBF("%s key check failed, header len %d keylen %zu mismatch\n",
0154 __func__, (int)hdr->len, keylen);
0155 return -EINVAL;
0156 }
0157 if (hdr->len < sizeof(*hdr) + sizeof(*kb)) {
0158 if (dbg)
0159 DBF("%s key check failed, header len %d < %zu\n",
0160 __func__, (int)hdr->len, sizeof(*hdr) + sizeof(*kb));
0161 return -EINVAL;
0162 }
0163
0164 if (kb->version != EP11_STRUCT_MAGIC) {
0165 if (dbg)
0166 DBF("%s key check failed, blob magic 0x%04x != 0x%04x\n",
0167 __func__, (int)kb->version, EP11_STRUCT_MAGIC);
0168 return -EINVAL;
0169 }
0170 if (checkcpacfexp && !(kb->attr & EP11_BLOB_PKEY_EXTRACTABLE)) {
0171 if (dbg)
0172 DBF("%s key check failed, PKEY_EXTRACTABLE is off\n",
0173 __func__);
0174 return -EINVAL;
0175 }
0176
0177 #undef DBF
0178
0179 return 0;
0180 }
0181 EXPORT_SYMBOL(ep11_check_aes_key_with_hdr);
0182
0183
0184
0185
0186 int ep11_check_ecc_key_with_hdr(debug_info_t *dbg, int dbflvl,
0187 const u8 *key, size_t keylen, int checkcpacfexp)
0188 {
0189 struct ep11kblob_header *hdr = (struct ep11kblob_header *)key;
0190 struct ep11keyblob *kb = (struct ep11keyblob *)(key + sizeof(*hdr));
0191
0192 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
0193
0194 if (keylen < sizeof(*hdr) + sizeof(*kb)) {
0195 DBF("%s key check failed, keylen %zu < %zu\n",
0196 __func__, keylen, sizeof(*hdr) + sizeof(*kb));
0197 return -EINVAL;
0198 }
0199
0200 if (hdr->type != TOKTYPE_NON_CCA) {
0201 if (dbg)
0202 DBF("%s key check failed, type 0x%02x != 0x%02x\n",
0203 __func__, (int)hdr->type, TOKTYPE_NON_CCA);
0204 return -EINVAL;
0205 }
0206 if (hdr->hver != 0x00) {
0207 if (dbg)
0208 DBF("%s key check failed, header version 0x%02x != 0x00\n",
0209 __func__, (int)hdr->hver);
0210 return -EINVAL;
0211 }
0212 if (hdr->version != TOKVER_EP11_ECC_WITH_HEADER) {
0213 if (dbg)
0214 DBF("%s key check failed, version 0x%02x != 0x%02x\n",
0215 __func__, (int)hdr->version, TOKVER_EP11_ECC_WITH_HEADER);
0216 return -EINVAL;
0217 }
0218 if (hdr->len > keylen) {
0219 if (dbg)
0220 DBF("%s key check failed, header len %d keylen %zu mismatch\n",
0221 __func__, (int)hdr->len, keylen);
0222 return -EINVAL;
0223 }
0224 if (hdr->len < sizeof(*hdr) + sizeof(*kb)) {
0225 if (dbg)
0226 DBF("%s key check failed, header len %d < %zu\n",
0227 __func__, (int)hdr->len, sizeof(*hdr) + sizeof(*kb));
0228 return -EINVAL;
0229 }
0230
0231 if (kb->version != EP11_STRUCT_MAGIC) {
0232 if (dbg)
0233 DBF("%s key check failed, blob magic 0x%04x != 0x%04x\n",
0234 __func__, (int)kb->version, EP11_STRUCT_MAGIC);
0235 return -EINVAL;
0236 }
0237 if (checkcpacfexp && !(kb->attr & EP11_BLOB_PKEY_EXTRACTABLE)) {
0238 if (dbg)
0239 DBF("%s key check failed, PKEY_EXTRACTABLE is off\n",
0240 __func__);
0241 return -EINVAL;
0242 }
0243
0244 #undef DBF
0245
0246 return 0;
0247 }
0248 EXPORT_SYMBOL(ep11_check_ecc_key_with_hdr);
0249
0250
0251
0252
0253
0254 int ep11_check_aes_key(debug_info_t *dbg, int dbflvl,
0255 const u8 *key, size_t keylen, int checkcpacfexp)
0256 {
0257 struct ep11keyblob *kb = (struct ep11keyblob *)key;
0258
0259 #define DBF(...) debug_sprintf_event(dbg, dbflvl, ##__VA_ARGS__)
0260
0261 if (keylen < sizeof(*kb)) {
0262 DBF("%s key check failed, keylen %zu < %zu\n",
0263 __func__, keylen, sizeof(*kb));
0264 return -EINVAL;
0265 }
0266
0267 if (kb->head.type != TOKTYPE_NON_CCA) {
0268 if (dbg)
0269 DBF("%s key check failed, type 0x%02x != 0x%02x\n",
0270 __func__, (int)kb->head.type, TOKTYPE_NON_CCA);
0271 return -EINVAL;
0272 }
0273 if (kb->head.version != TOKVER_EP11_AES) {
0274 if (dbg)
0275 DBF("%s key check failed, version 0x%02x != 0x%02x\n",
0276 __func__, (int)kb->head.version, TOKVER_EP11_AES);
0277 return -EINVAL;
0278 }
0279 if (kb->head.len > keylen) {
0280 if (dbg)
0281 DBF("%s key check failed, header len %d keylen %zu mismatch\n",
0282 __func__, (int)kb->head.len, keylen);
0283 return -EINVAL;
0284 }
0285 if (kb->head.len < sizeof(*kb)) {
0286 if (dbg)
0287 DBF("%s key check failed, header len %d < %zu\n",
0288 __func__, (int)kb->head.len, sizeof(*kb));
0289 return -EINVAL;
0290 }
0291
0292 if (kb->version != EP11_STRUCT_MAGIC) {
0293 if (dbg)
0294 DBF("%s key check failed, blob magic 0x%04x != 0x%04x\n",
0295 __func__, (int)kb->version, EP11_STRUCT_MAGIC);
0296 return -EINVAL;
0297 }
0298 if (checkcpacfexp && !(kb->attr & EP11_BLOB_PKEY_EXTRACTABLE)) {
0299 if (dbg)
0300 DBF("%s key check failed, PKEY_EXTRACTABLE is off\n",
0301 __func__);
0302 return -EINVAL;
0303 }
0304
0305 #undef DBF
0306
0307 return 0;
0308 }
0309 EXPORT_SYMBOL(ep11_check_aes_key);
0310
0311
0312
0313
0314 static inline struct ep11_cprb *alloc_cprb(size_t payload_len)
0315 {
0316 size_t len = sizeof(struct ep11_cprb) + payload_len;
0317 struct ep11_cprb *cprb;
0318
0319 cprb = kzalloc(len, GFP_KERNEL);
0320 if (!cprb)
0321 return NULL;
0322
0323 cprb->cprb_len = sizeof(struct ep11_cprb);
0324 cprb->cprb_ver_id = 0x04;
0325 memcpy(cprb->func_id, "T4", 2);
0326 cprb->ret_code = 0xFFFFFFFF;
0327 cprb->payload_len = payload_len;
0328
0329 return cprb;
0330 }
0331
0332
0333
0334
0335
0336
0337 #define ASN1TAGLEN(x) (2 + (x) + ((x) > 127 ? 1 : 0) + ((x) > 255 ? 1 : 0))
0338
0339 static int asn1tag_write(u8 *ptr, u8 tag, const u8 *pvalue, u16 valuelen)
0340 {
0341 ptr[0] = tag;
0342 if (valuelen > 255) {
0343 ptr[1] = 0x82;
0344 *((u16 *)(ptr + 2)) = valuelen;
0345 memcpy(ptr + 4, pvalue, valuelen);
0346 return 4 + valuelen;
0347 }
0348 if (valuelen > 127) {
0349 ptr[1] = 0x81;
0350 ptr[2] = (u8)valuelen;
0351 memcpy(ptr + 3, pvalue, valuelen);
0352 return 3 + valuelen;
0353 }
0354 ptr[1] = (u8)valuelen;
0355 memcpy(ptr + 2, pvalue, valuelen);
0356 return 2 + valuelen;
0357 }
0358
0359
0360 struct pl_head {
0361 u8 tag;
0362 u8 lenfmt;
0363 u16 len;
0364 u8 func_tag;
0365 u8 func_len;
0366 u32 func;
0367 u8 dom_tag;
0368 u8 dom_len;
0369 u32 dom;
0370 } __packed;
0371
0372
0373 static inline void prep_head(struct pl_head *h,
0374 size_t pl_size, int api, int func)
0375 {
0376 h->tag = 0x30;
0377 h->lenfmt = 0x82;
0378 h->len = pl_size - 4;
0379 h->func_tag = 0x04;
0380 h->func_len = sizeof(u32);
0381 h->func = (api << 16) + func;
0382 h->dom_tag = 0x04;
0383 h->dom_len = sizeof(u32);
0384 }
0385
0386
0387 static inline void prep_urb(struct ep11_urb *u,
0388 struct ep11_target_dev *t, int nt,
0389 struct ep11_cprb *req, size_t req_len,
0390 struct ep11_cprb *rep, size_t rep_len)
0391 {
0392 u->targets = (u8 __user *)t;
0393 u->targets_num = nt;
0394 u->req = (u8 __user *)req;
0395 u->req_len = req_len;
0396 u->resp = (u8 __user *)rep;
0397 u->resp_len = rep_len;
0398 }
0399
0400
0401 static int check_reply_pl(const u8 *pl, const char *func)
0402 {
0403 int len;
0404 u32 ret;
0405
0406
0407 if (*pl++ != 0x30) {
0408 DEBUG_ERR("%s reply start tag mismatch\n", func);
0409 return -EIO;
0410 }
0411
0412
0413 if (*pl < 127) {
0414 len = *pl;
0415 pl++;
0416 } else if (*pl == 0x81) {
0417 pl++;
0418 len = *pl;
0419 pl++;
0420 } else if (*pl == 0x82) {
0421 pl++;
0422 len = *((u16 *)pl);
0423 pl += 2;
0424 } else {
0425 DEBUG_ERR("%s reply start tag lenfmt mismatch 0x%02hhx\n",
0426 func, *pl);
0427 return -EIO;
0428 }
0429
0430
0431 if (len < 3 * 6) {
0432 DEBUG_ERR("%s reply length %d too small\n", func, len);
0433 return -EIO;
0434 }
0435
0436
0437 if (pl[0] != 0x04 || pl[1] != 0x04) {
0438 DEBUG_ERR("%s function tag or length mismatch\n", func);
0439 return -EIO;
0440 }
0441 pl += 6;
0442
0443
0444 if (pl[0] != 0x04 || pl[1] != 0x04) {
0445 DEBUG_ERR("%s dom tag or length mismatch\n", func);
0446 return -EIO;
0447 }
0448 pl += 6;
0449
0450
0451 if (pl[0] != 0x04 || pl[1] != 0x04) {
0452 DEBUG_ERR("%s return value tag or length mismatch\n", func);
0453 return -EIO;
0454 }
0455 pl += 2;
0456 ret = *((u32 *)pl);
0457 if (ret != 0) {
0458 DEBUG_ERR("%s return value 0x%04x != 0\n", func, ret);
0459 return -EIO;
0460 }
0461
0462 return 0;
0463 }
0464
0465
0466
0467
0468 static int ep11_query_info(u16 cardnr, u16 domain, u32 query_type,
0469 size_t buflen, u8 *buf)
0470 {
0471 struct ep11_info_req_pl {
0472 struct pl_head head;
0473 u8 query_type_tag;
0474 u8 query_type_len;
0475 u32 query_type;
0476 u8 query_subtype_tag;
0477 u8 query_subtype_len;
0478 u32 query_subtype;
0479 } __packed * req_pl;
0480 struct ep11_info_rep_pl {
0481 struct pl_head head;
0482 u8 rc_tag;
0483 u8 rc_len;
0484 u32 rc;
0485 u8 data_tag;
0486 u8 data_lenfmt;
0487 u16 data_len;
0488 } __packed * rep_pl;
0489 struct ep11_cprb *req = NULL, *rep = NULL;
0490 struct ep11_target_dev target;
0491 struct ep11_urb *urb = NULL;
0492 int api = 1, rc = -ENOMEM;
0493
0494
0495 req = alloc_cprb(sizeof(struct ep11_info_req_pl));
0496 if (!req)
0497 goto out;
0498 req_pl = (struct ep11_info_req_pl *)(((u8 *)req) + sizeof(*req));
0499 prep_head(&req_pl->head, sizeof(*req_pl), api, 38);
0500 req_pl->query_type_tag = 0x04;
0501 req_pl->query_type_len = sizeof(u32);
0502 req_pl->query_type = query_type;
0503 req_pl->query_subtype_tag = 0x04;
0504 req_pl->query_subtype_len = sizeof(u32);
0505
0506
0507 rep = alloc_cprb(sizeof(struct ep11_info_rep_pl) + buflen);
0508 if (!rep)
0509 goto out;
0510 rep_pl = (struct ep11_info_rep_pl *)(((u8 *)rep) + sizeof(*rep));
0511
0512
0513 urb = kmalloc(sizeof(*urb), GFP_KERNEL);
0514 if (!urb)
0515 goto out;
0516 target.ap_id = cardnr;
0517 target.dom_id = domain;
0518 prep_urb(urb, &target, 1,
0519 req, sizeof(*req) + sizeof(*req_pl),
0520 rep, sizeof(*rep) + sizeof(*rep_pl) + buflen);
0521
0522 rc = zcrypt_send_ep11_cprb(urb);
0523 if (rc) {
0524 DEBUG_ERR(
0525 "%s zcrypt_send_ep11_cprb(card=%d dom=%d) failed, rc=%d\n",
0526 __func__, (int)cardnr, (int)domain, rc);
0527 goto out;
0528 }
0529
0530 rc = check_reply_pl((u8 *)rep_pl, __func__);
0531 if (rc)
0532 goto out;
0533 if (rep_pl->data_tag != 0x04 || rep_pl->data_lenfmt != 0x82) {
0534 DEBUG_ERR("%s unknown reply data format\n", __func__);
0535 rc = -EIO;
0536 goto out;
0537 }
0538 if (rep_pl->data_len > buflen) {
0539 DEBUG_ERR("%s mismatch between reply data len and buffer len\n",
0540 __func__);
0541 rc = -ENOSPC;
0542 goto out;
0543 }
0544
0545 memcpy(buf, ((u8 *)rep_pl) + sizeof(*rep_pl), rep_pl->data_len);
0546
0547 out:
0548 kfree(req);
0549 kfree(rep);
0550 kfree(urb);
0551 return rc;
0552 }
0553
0554
0555
0556
0557 int ep11_get_card_info(u16 card, struct ep11_card_info *info, int verify)
0558 {
0559 int rc;
0560 struct ep11_module_query_info {
0561 u32 API_ord_nr;
0562 u32 firmware_id;
0563 u8 FW_major_vers;
0564 u8 FW_minor_vers;
0565 u8 CSP_major_vers;
0566 u8 CSP_minor_vers;
0567 u8 fwid[32];
0568 u8 xcp_config_hash[32];
0569 u8 CSP_config_hash[32];
0570 u8 serial[16];
0571 u8 module_date_time[16];
0572 u64 op_mode;
0573 u32 PKCS11_flags;
0574 u32 ext_flags;
0575 u32 domains;
0576 u32 sym_state_bytes;
0577 u32 digest_state_bytes;
0578 u32 pin_blob_bytes;
0579 u32 SPKI_bytes;
0580 u32 priv_key_blob_bytes;
0581 u32 sym_blob_bytes;
0582 u32 max_payload_bytes;
0583 u32 CP_profile_bytes;
0584 u32 max_CP_index;
0585 } __packed * pmqi = NULL;
0586
0587 rc = card_cache_fetch(card, info);
0588 if (rc || verify) {
0589 pmqi = kmalloc(sizeof(*pmqi), GFP_KERNEL);
0590 if (!pmqi)
0591 return -ENOMEM;
0592 rc = ep11_query_info(card, AUTOSEL_DOM,
0593 0x01 ,
0594 sizeof(*pmqi), (u8 *)pmqi);
0595 if (rc) {
0596 if (rc == -ENODEV)
0597 card_cache_scrub(card);
0598 goto out;
0599 }
0600 memset(info, 0, sizeof(*info));
0601 info->API_ord_nr = pmqi->API_ord_nr;
0602 info->FW_version =
0603 (pmqi->FW_major_vers << 8) + pmqi->FW_minor_vers;
0604 memcpy(info->serial, pmqi->serial, sizeof(info->serial));
0605 info->op_mode = pmqi->op_mode;
0606 card_cache_update(card, info);
0607 }
0608
0609 out:
0610 kfree(pmqi);
0611 return rc;
0612 }
0613 EXPORT_SYMBOL(ep11_get_card_info);
0614
0615
0616
0617
0618 int ep11_get_domain_info(u16 card, u16 domain, struct ep11_domain_info *info)
0619 {
0620 int rc;
0621 struct ep11_domain_query_info {
0622 u32 dom_index;
0623 u8 cur_WK_VP[32];
0624 u8 new_WK_VP[32];
0625 u32 dom_flags;
0626 u64 op_mode;
0627 } __packed * p_dom_info;
0628
0629 p_dom_info = kmalloc(sizeof(*p_dom_info), GFP_KERNEL);
0630 if (!p_dom_info)
0631 return -ENOMEM;
0632
0633 rc = ep11_query_info(card, domain, 0x03 ,
0634 sizeof(*p_dom_info), (u8 *)p_dom_info);
0635 if (rc)
0636 goto out;
0637
0638 memset(info, 0, sizeof(*info));
0639 info->cur_wk_state = '0';
0640 info->new_wk_state = '0';
0641 if (p_dom_info->dom_flags & 0x10 ) {
0642 if (p_dom_info->dom_flags & 0x02 ) {
0643 info->cur_wk_state = '1';
0644 memcpy(info->cur_wkvp, p_dom_info->cur_WK_VP, 32);
0645 }
0646 if (p_dom_info->dom_flags & 0x04 ||
0647 p_dom_info->dom_flags & 0x08 ) {
0648 info->new_wk_state =
0649 p_dom_info->dom_flags & 0x08 ? '2' : '1';
0650 memcpy(info->new_wkvp, p_dom_info->new_WK_VP, 32);
0651 }
0652 }
0653 info->op_mode = p_dom_info->op_mode;
0654
0655 out:
0656 kfree(p_dom_info);
0657 return rc;
0658 }
0659 EXPORT_SYMBOL(ep11_get_domain_info);
0660
0661
0662
0663
0664
0665 #define KEY_ATTR_DEFAULTS 0x00200c00
0666
0667 int ep11_genaeskey(u16 card, u16 domain, u32 keybitsize, u32 keygenflags,
0668 u8 *keybuf, size_t *keybufsize)
0669 {
0670 struct keygen_req_pl {
0671 struct pl_head head;
0672 u8 var_tag;
0673 u8 var_len;
0674 u32 var;
0675 u8 keybytes_tag;
0676 u8 keybytes_len;
0677 u32 keybytes;
0678 u8 mech_tag;
0679 u8 mech_len;
0680 u32 mech;
0681 u8 attr_tag;
0682 u8 attr_len;
0683 u32 attr_header;
0684 u32 attr_bool_mask;
0685 u32 attr_bool_bits;
0686 u32 attr_val_len_type;
0687 u32 attr_val_len_value;
0688 u8 pin_tag;
0689 u8 pin_len;
0690 } __packed * req_pl;
0691 struct keygen_rep_pl {
0692 struct pl_head head;
0693 u8 rc_tag;
0694 u8 rc_len;
0695 u32 rc;
0696 u8 data_tag;
0697 u8 data_lenfmt;
0698 u16 data_len;
0699 u8 data[512];
0700 } __packed * rep_pl;
0701 struct ep11_cprb *req = NULL, *rep = NULL;
0702 struct ep11_target_dev target;
0703 struct ep11_urb *urb = NULL;
0704 struct ep11keyblob *kb;
0705 int api, rc = -ENOMEM;
0706
0707 switch (keybitsize) {
0708 case 128:
0709 case 192:
0710 case 256:
0711 break;
0712 default:
0713 DEBUG_ERR(
0714 "%s unknown/unsupported keybitsize %d\n",
0715 __func__, keybitsize);
0716 rc = -EINVAL;
0717 goto out;
0718 }
0719
0720
0721 req = alloc_cprb(sizeof(struct keygen_req_pl));
0722 if (!req)
0723 goto out;
0724 req_pl = (struct keygen_req_pl *)(((u8 *)req) + sizeof(*req));
0725 api = (!keygenflags || keygenflags & 0x00200000) ? 4 : 1;
0726 prep_head(&req_pl->head, sizeof(*req_pl), api, 21);
0727 req_pl->var_tag = 0x04;
0728 req_pl->var_len = sizeof(u32);
0729 req_pl->keybytes_tag = 0x04;
0730 req_pl->keybytes_len = sizeof(u32);
0731 req_pl->keybytes = keybitsize / 8;
0732 req_pl->mech_tag = 0x04;
0733 req_pl->mech_len = sizeof(u32);
0734 req_pl->mech = 0x00001080;
0735 req_pl->attr_tag = 0x04;
0736 req_pl->attr_len = 5 * sizeof(u32);
0737 req_pl->attr_header = 0x10010000;
0738 req_pl->attr_bool_mask = keygenflags ? keygenflags : KEY_ATTR_DEFAULTS;
0739 req_pl->attr_bool_bits = keygenflags ? keygenflags : KEY_ATTR_DEFAULTS;
0740 req_pl->attr_val_len_type = 0x00000161;
0741 req_pl->attr_val_len_value = keybitsize / 8;
0742 req_pl->pin_tag = 0x04;
0743
0744
0745 rep = alloc_cprb(sizeof(struct keygen_rep_pl));
0746 if (!rep)
0747 goto out;
0748 rep_pl = (struct keygen_rep_pl *)(((u8 *)rep) + sizeof(*rep));
0749
0750
0751 urb = kmalloc(sizeof(*urb), GFP_KERNEL);
0752 if (!urb)
0753 goto out;
0754 target.ap_id = card;
0755 target.dom_id = domain;
0756 prep_urb(urb, &target, 1,
0757 req, sizeof(*req) + sizeof(*req_pl),
0758 rep, sizeof(*rep) + sizeof(*rep_pl));
0759
0760 rc = zcrypt_send_ep11_cprb(urb);
0761 if (rc) {
0762 DEBUG_ERR(
0763 "%s zcrypt_send_ep11_cprb(card=%d dom=%d) failed, rc=%d\n",
0764 __func__, (int)card, (int)domain, rc);
0765 goto out;
0766 }
0767
0768 rc = check_reply_pl((u8 *)rep_pl, __func__);
0769 if (rc)
0770 goto out;
0771 if (rep_pl->data_tag != 0x04 || rep_pl->data_lenfmt != 0x82) {
0772 DEBUG_ERR("%s unknown reply data format\n", __func__);
0773 rc = -EIO;
0774 goto out;
0775 }
0776 if (rep_pl->data_len > *keybufsize) {
0777 DEBUG_ERR("%s mismatch reply data len / key buffer len\n",
0778 __func__);
0779 rc = -ENOSPC;
0780 goto out;
0781 }
0782
0783
0784 memcpy(keybuf, rep_pl->data, rep_pl->data_len);
0785 *keybufsize = rep_pl->data_len;
0786 kb = (struct ep11keyblob *)keybuf;
0787 kb->head.type = TOKTYPE_NON_CCA;
0788 kb->head.len = rep_pl->data_len;
0789 kb->head.version = TOKVER_EP11_AES;
0790 kb->head.keybitlen = keybitsize;
0791
0792 out:
0793 kfree(req);
0794 kfree(rep);
0795 kfree(urb);
0796 return rc;
0797 }
0798 EXPORT_SYMBOL(ep11_genaeskey);
0799
0800 static int ep11_cryptsingle(u16 card, u16 domain,
0801 u16 mode, u32 mech, const u8 *iv,
0802 const u8 *key, size_t keysize,
0803 const u8 *inbuf, size_t inbufsize,
0804 u8 *outbuf, size_t *outbufsize)
0805 {
0806 struct crypt_req_pl {
0807 struct pl_head head;
0808 u8 var_tag;
0809 u8 var_len;
0810 u32 var;
0811 u8 mech_tag;
0812 u8 mech_len;
0813 u32 mech;
0814
0815
0816
0817
0818
0819 } __packed * req_pl;
0820 struct crypt_rep_pl {
0821 struct pl_head head;
0822 u8 rc_tag;
0823 u8 rc_len;
0824 u32 rc;
0825 u8 data_tag;
0826 u8 data_lenfmt;
0827
0828 } __packed * rep_pl;
0829 struct ep11_cprb *req = NULL, *rep = NULL;
0830 struct ep11_target_dev target;
0831 struct ep11_urb *urb = NULL;
0832 size_t req_pl_size, rep_pl_size;
0833 int n, api = 1, rc = -ENOMEM;
0834 u8 *p;
0835
0836
0837 if (keysize > 0xFFFF || inbufsize > 0xFFFF)
0838 return -EINVAL;
0839
0840
0841 req_pl_size = sizeof(struct crypt_req_pl) + (iv ? 16 : 0)
0842 + ASN1TAGLEN(keysize) + ASN1TAGLEN(inbufsize);
0843 req = alloc_cprb(req_pl_size);
0844 if (!req)
0845 goto out;
0846 req_pl = (struct crypt_req_pl *)(((u8 *)req) + sizeof(*req));
0847 prep_head(&req_pl->head, req_pl_size, api, (mode ? 20 : 19));
0848 req_pl->var_tag = 0x04;
0849 req_pl->var_len = sizeof(u32);
0850
0851 req_pl->mech_tag = 0x04;
0852 req_pl->mech_len = sizeof(u32) + (iv ? 16 : 0);
0853 req_pl->mech = (mech ? mech : 0x00001085);
0854 p = ((u8 *)req_pl) + sizeof(*req_pl);
0855 if (iv) {
0856 memcpy(p, iv, 16);
0857 p += 16;
0858 }
0859
0860 p += asn1tag_write(p, 0x04, key, keysize);
0861 p += asn1tag_write(p, 0x04, inbuf, inbufsize);
0862
0863
0864 rep_pl_size = sizeof(struct crypt_rep_pl) + ASN1TAGLEN(inbufsize + 32);
0865 rep = alloc_cprb(rep_pl_size);
0866 if (!rep)
0867 goto out;
0868 rep_pl = (struct crypt_rep_pl *)(((u8 *)rep) + sizeof(*rep));
0869
0870
0871 urb = kmalloc(sizeof(*urb), GFP_KERNEL);
0872 if (!urb)
0873 goto out;
0874 target.ap_id = card;
0875 target.dom_id = domain;
0876 prep_urb(urb, &target, 1,
0877 req, sizeof(*req) + req_pl_size,
0878 rep, sizeof(*rep) + rep_pl_size);
0879
0880 rc = zcrypt_send_ep11_cprb(urb);
0881 if (rc) {
0882 DEBUG_ERR(
0883 "%s zcrypt_send_ep11_cprb(card=%d dom=%d) failed, rc=%d\n",
0884 __func__, (int)card, (int)domain, rc);
0885 goto out;
0886 }
0887
0888 rc = check_reply_pl((u8 *)rep_pl, __func__);
0889 if (rc)
0890 goto out;
0891 if (rep_pl->data_tag != 0x04) {
0892 DEBUG_ERR("%s unknown reply data format\n", __func__);
0893 rc = -EIO;
0894 goto out;
0895 }
0896 p = ((u8 *)rep_pl) + sizeof(*rep_pl);
0897 if (rep_pl->data_lenfmt <= 127) {
0898 n = rep_pl->data_lenfmt;
0899 } else if (rep_pl->data_lenfmt == 0x81) {
0900 n = *p++;
0901 } else if (rep_pl->data_lenfmt == 0x82) {
0902 n = *((u16 *)p);
0903 p += 2;
0904 } else {
0905 DEBUG_ERR("%s unknown reply data length format 0x%02hhx\n",
0906 __func__, rep_pl->data_lenfmt);
0907 rc = -EIO;
0908 goto out;
0909 }
0910 if (n > *outbufsize) {
0911 DEBUG_ERR("%s mismatch reply data len %d / output buffer %zu\n",
0912 __func__, n, *outbufsize);
0913 rc = -ENOSPC;
0914 goto out;
0915 }
0916
0917 memcpy(outbuf, p, n);
0918 *outbufsize = n;
0919
0920 out:
0921 kfree(req);
0922 kfree(rep);
0923 kfree(urb);
0924 return rc;
0925 }
0926
0927 static int ep11_unwrapkey(u16 card, u16 domain,
0928 const u8 *kek, size_t keksize,
0929 const u8 *enckey, size_t enckeysize,
0930 u32 mech, const u8 *iv,
0931 u32 keybitsize, u32 keygenflags,
0932 u8 *keybuf, size_t *keybufsize)
0933 {
0934 struct uw_req_pl {
0935 struct pl_head head;
0936 u8 attr_tag;
0937 u8 attr_len;
0938 u32 attr_header;
0939 u32 attr_bool_mask;
0940 u32 attr_bool_bits;
0941 u32 attr_key_type;
0942 u32 attr_key_type_value;
0943 u32 attr_val_len;
0944 u32 attr_val_len_value;
0945 u8 mech_tag;
0946 u8 mech_len;
0947 u32 mech;
0948
0949
0950
0951
0952
0953
0954
0955 } __packed * req_pl;
0956 struct uw_rep_pl {
0957 struct pl_head head;
0958 u8 rc_tag;
0959 u8 rc_len;
0960 u32 rc;
0961 u8 data_tag;
0962 u8 data_lenfmt;
0963 u16 data_len;
0964 u8 data[512];
0965 } __packed * rep_pl;
0966 struct ep11_cprb *req = NULL, *rep = NULL;
0967 struct ep11_target_dev target;
0968 struct ep11_urb *urb = NULL;
0969 struct ep11keyblob *kb;
0970 size_t req_pl_size;
0971 int api, rc = -ENOMEM;
0972 u8 *p;
0973
0974
0975 req_pl_size = sizeof(struct uw_req_pl) + (iv ? 16 : 0)
0976 + ASN1TAGLEN(keksize) + 4 + ASN1TAGLEN(enckeysize);
0977 req = alloc_cprb(req_pl_size);
0978 if (!req)
0979 goto out;
0980 req_pl = (struct uw_req_pl *)(((u8 *)req) + sizeof(*req));
0981 api = (!keygenflags || keygenflags & 0x00200000) ? 4 : 1;
0982 prep_head(&req_pl->head, req_pl_size, api, 34);
0983 req_pl->attr_tag = 0x04;
0984 req_pl->attr_len = 7 * sizeof(u32);
0985 req_pl->attr_header = 0x10020000;
0986 req_pl->attr_bool_mask = keygenflags ? keygenflags : KEY_ATTR_DEFAULTS;
0987 req_pl->attr_bool_bits = keygenflags ? keygenflags : KEY_ATTR_DEFAULTS;
0988 req_pl->attr_key_type = 0x00000100;
0989 req_pl->attr_key_type_value = 0x0000001f;
0990 req_pl->attr_val_len = 0x00000161;
0991 req_pl->attr_val_len_value = keybitsize / 8;
0992
0993 req_pl->mech_tag = 0x04;
0994 req_pl->mech_len = sizeof(u32) + (iv ? 16 : 0);
0995 req_pl->mech = (mech ? mech : 0x00001085);
0996 p = ((u8 *)req_pl) + sizeof(*req_pl);
0997 if (iv) {
0998 memcpy(p, iv, 16);
0999 p += 16;
1000 }
1001
1002 p += asn1tag_write(p, 0x04, kek, keksize);
1003
1004 *p++ = 0x04;
1005 *p++ = 0;
1006
1007 *p++ = 0x04;
1008 *p++ = 0;
1009
1010 p += asn1tag_write(p, 0x04, enckey, enckeysize);
1011
1012
1013 rep = alloc_cprb(sizeof(struct uw_rep_pl));
1014 if (!rep)
1015 goto out;
1016 rep_pl = (struct uw_rep_pl *)(((u8 *)rep) + sizeof(*rep));
1017
1018
1019 urb = kmalloc(sizeof(*urb), GFP_KERNEL);
1020 if (!urb)
1021 goto out;
1022 target.ap_id = card;
1023 target.dom_id = domain;
1024 prep_urb(urb, &target, 1,
1025 req, sizeof(*req) + req_pl_size,
1026 rep, sizeof(*rep) + sizeof(*rep_pl));
1027
1028 rc = zcrypt_send_ep11_cprb(urb);
1029 if (rc) {
1030 DEBUG_ERR(
1031 "%s zcrypt_send_ep11_cprb(card=%d dom=%d) failed, rc=%d\n",
1032 __func__, (int)card, (int)domain, rc);
1033 goto out;
1034 }
1035
1036 rc = check_reply_pl((u8 *)rep_pl, __func__);
1037 if (rc)
1038 goto out;
1039 if (rep_pl->data_tag != 0x04 || rep_pl->data_lenfmt != 0x82) {
1040 DEBUG_ERR("%s unknown reply data format\n", __func__);
1041 rc = -EIO;
1042 goto out;
1043 }
1044 if (rep_pl->data_len > *keybufsize) {
1045 DEBUG_ERR("%s mismatch reply data len / key buffer len\n",
1046 __func__);
1047 rc = -ENOSPC;
1048 goto out;
1049 }
1050
1051
1052 memcpy(keybuf, rep_pl->data, rep_pl->data_len);
1053 *keybufsize = rep_pl->data_len;
1054 kb = (struct ep11keyblob *)keybuf;
1055 kb->head.type = TOKTYPE_NON_CCA;
1056 kb->head.len = rep_pl->data_len;
1057 kb->head.version = TOKVER_EP11_AES;
1058 kb->head.keybitlen = keybitsize;
1059
1060 out:
1061 kfree(req);
1062 kfree(rep);
1063 kfree(urb);
1064 return rc;
1065 }
1066
1067 static int ep11_wrapkey(u16 card, u16 domain,
1068 const u8 *key, size_t keysize,
1069 u32 mech, const u8 *iv,
1070 u8 *databuf, size_t *datasize)
1071 {
1072 struct wk_req_pl {
1073 struct pl_head head;
1074 u8 var_tag;
1075 u8 var_len;
1076 u32 var;
1077 u8 mech_tag;
1078 u8 mech_len;
1079 u32 mech;
1080
1081
1082
1083
1084
1085
1086 } __packed * req_pl;
1087 struct wk_rep_pl {
1088 struct pl_head head;
1089 u8 rc_tag;
1090 u8 rc_len;
1091 u32 rc;
1092 u8 data_tag;
1093 u8 data_lenfmt;
1094 u16 data_len;
1095 u8 data[1024];
1096 } __packed * rep_pl;
1097 struct ep11_cprb *req = NULL, *rep = NULL;
1098 struct ep11_target_dev target;
1099 struct ep11_urb *urb = NULL;
1100 struct ep11keyblob *kb;
1101 size_t req_pl_size;
1102 int api, rc = -ENOMEM;
1103 bool has_header = false;
1104 u8 *p;
1105
1106
1107 kb = (struct ep11keyblob *)key;
1108 if (kb->head.type == TOKTYPE_NON_CCA &&
1109 kb->head.version == TOKVER_EP11_AES) {
1110 has_header = true;
1111 keysize = min_t(size_t, kb->head.len, keysize);
1112 }
1113
1114
1115 req_pl_size = sizeof(struct wk_req_pl) + (iv ? 16 : 0)
1116 + ASN1TAGLEN(keysize) + 4;
1117 req = alloc_cprb(req_pl_size);
1118 if (!req)
1119 goto out;
1120 if (!mech || mech == 0x80060001)
1121 req->flags |= 0x20;
1122 req_pl = (struct wk_req_pl *)(((u8 *)req) + sizeof(*req));
1123 api = (!mech || mech == 0x80060001) ? 4 : 1;
1124 prep_head(&req_pl->head, req_pl_size, api, 33);
1125 req_pl->var_tag = 0x04;
1126 req_pl->var_len = sizeof(u32);
1127
1128 req_pl->mech_tag = 0x04;
1129 req_pl->mech_len = sizeof(u32) + (iv ? 16 : 0);
1130 req_pl->mech = (mech ? mech : 0x80060001);
1131 p = ((u8 *)req_pl) + sizeof(*req_pl);
1132 if (iv) {
1133 memcpy(p, iv, 16);
1134 p += 16;
1135 }
1136
1137 p += asn1tag_write(p, 0x04, key, keysize);
1138
1139 if (has_header) {
1140 kb = (struct ep11keyblob *)(p - keysize);
1141 memset(&kb->head, 0, sizeof(kb->head));
1142 }
1143
1144 *p++ = 0x04;
1145 *p++ = 0;
1146
1147 *p++ = 0x04;
1148 *p++ = 0;
1149
1150
1151 rep = alloc_cprb(sizeof(struct wk_rep_pl));
1152 if (!rep)
1153 goto out;
1154 rep_pl = (struct wk_rep_pl *)(((u8 *)rep) + sizeof(*rep));
1155
1156
1157 urb = kmalloc(sizeof(*urb), GFP_KERNEL);
1158 if (!urb)
1159 goto out;
1160 target.ap_id = card;
1161 target.dom_id = domain;
1162 prep_urb(urb, &target, 1,
1163 req, sizeof(*req) + req_pl_size,
1164 rep, sizeof(*rep) + sizeof(*rep_pl));
1165
1166 rc = zcrypt_send_ep11_cprb(urb);
1167 if (rc) {
1168 DEBUG_ERR(
1169 "%s zcrypt_send_ep11_cprb(card=%d dom=%d) failed, rc=%d\n",
1170 __func__, (int)card, (int)domain, rc);
1171 goto out;
1172 }
1173
1174 rc = check_reply_pl((u8 *)rep_pl, __func__);
1175 if (rc)
1176 goto out;
1177 if (rep_pl->data_tag != 0x04 || rep_pl->data_lenfmt != 0x82) {
1178 DEBUG_ERR("%s unknown reply data format\n", __func__);
1179 rc = -EIO;
1180 goto out;
1181 }
1182 if (rep_pl->data_len > *datasize) {
1183 DEBUG_ERR("%s mismatch reply data len / data buffer len\n",
1184 __func__);
1185 rc = -ENOSPC;
1186 goto out;
1187 }
1188
1189
1190 memcpy(databuf, rep_pl->data, rep_pl->data_len);
1191 *datasize = rep_pl->data_len;
1192
1193 out:
1194 kfree(req);
1195 kfree(rep);
1196 kfree(urb);
1197 return rc;
1198 }
1199
1200 int ep11_clr2keyblob(u16 card, u16 domain, u32 keybitsize, u32 keygenflags,
1201 const u8 *clrkey, u8 *keybuf, size_t *keybufsize)
1202 {
1203 int rc;
1204 struct ep11keyblob *kb;
1205 u8 encbuf[64], *kek = NULL;
1206 size_t clrkeylen, keklen, encbuflen = sizeof(encbuf);
1207
1208 if (keybitsize == 128 || keybitsize == 192 || keybitsize == 256) {
1209 clrkeylen = keybitsize / 8;
1210 } else {
1211 DEBUG_ERR(
1212 "%s unknown/unsupported keybitsize %d\n",
1213 __func__, keybitsize);
1214 return -EINVAL;
1215 }
1216
1217
1218 keklen = MAXEP11AESKEYBLOBSIZE;
1219 kek = kmalloc(keklen, GFP_ATOMIC);
1220 if (!kek) {
1221 rc = -ENOMEM;
1222 goto out;
1223 }
1224
1225
1226 rc = ep11_genaeskey(card, domain, 256,
1227 0x00006c00,
1228 kek, &keklen);
1229 if (rc) {
1230 DEBUG_ERR(
1231 "%s generate kek key failed, rc=%d\n",
1232 __func__, rc);
1233 goto out;
1234 }
1235 kb = (struct ep11keyblob *)kek;
1236 memset(&kb->head, 0, sizeof(kb->head));
1237
1238
1239 rc = ep11_cryptsingle(card, domain, 0, 0, def_iv, kek, keklen,
1240 clrkey, clrkeylen, encbuf, &encbuflen);
1241 if (rc) {
1242 DEBUG_ERR(
1243 "%s encrypting key value with kek key failed, rc=%d\n",
1244 __func__, rc);
1245 goto out;
1246 }
1247
1248
1249 rc = ep11_unwrapkey(card, domain, kek, keklen,
1250 encbuf, encbuflen, 0, def_iv,
1251 keybitsize, 0, keybuf, keybufsize);
1252 if (rc) {
1253 DEBUG_ERR(
1254 "%s importing key value as new key failed,, rc=%d\n",
1255 __func__, rc);
1256 goto out;
1257 }
1258
1259 out:
1260 kfree(kek);
1261 return rc;
1262 }
1263 EXPORT_SYMBOL(ep11_clr2keyblob);
1264
1265 int ep11_kblob2protkey(u16 card, u16 dom, const u8 *keyblob, size_t keybloblen,
1266 u8 *protkey, u32 *protkeylen, u32 *protkeytype)
1267 {
1268 int rc = -EIO;
1269 u8 *wkbuf = NULL;
1270 size_t wkbuflen, keylen;
1271 struct wk_info {
1272 u16 version;
1273 u8 res1[16];
1274 u32 pkeytype;
1275 u32 pkeybitsize;
1276 u64 pkeysize;
1277 u8 res2[8];
1278 u8 pkey[0];
1279 } __packed * wki;
1280 const u8 *key;
1281 struct ep11kblob_header *hdr;
1282
1283
1284 hdr = (struct ep11kblob_header *)keyblob;
1285 if (hdr->type == TOKTYPE_NON_CCA &&
1286 (hdr->version == TOKVER_EP11_AES_WITH_HEADER ||
1287 hdr->version == TOKVER_EP11_ECC_WITH_HEADER) &&
1288 is_ep11_keyblob(keyblob + sizeof(struct ep11kblob_header))) {
1289
1290 key = keyblob + sizeof(struct ep11kblob_header);
1291 keylen = hdr->len - sizeof(struct ep11kblob_header);
1292 } else if (hdr->type == TOKTYPE_NON_CCA &&
1293 hdr->version == TOKVER_EP11_AES &&
1294 is_ep11_keyblob(keyblob)) {
1295
1296 key = keyblob;
1297 keylen = hdr->len;
1298 } else if (is_ep11_keyblob(keyblob)) {
1299
1300 key = keyblob;
1301 keylen = keybloblen;
1302 } else {
1303 return -EINVAL;
1304 }
1305
1306
1307 wkbuflen = (keylen + AES_BLOCK_SIZE) & (~(AES_BLOCK_SIZE - 1));
1308 wkbuf = kmalloc(wkbuflen, GFP_ATOMIC);
1309 if (!wkbuf)
1310 return -ENOMEM;
1311
1312
1313 rc = ep11_wrapkey(card, dom, key, keylen,
1314 0, def_iv, wkbuf, &wkbuflen);
1315 if (rc) {
1316 DEBUG_ERR(
1317 "%s rewrapping ep11 key to pkey failed, rc=%d\n",
1318 __func__, rc);
1319 goto out;
1320 }
1321 wki = (struct wk_info *)wkbuf;
1322
1323
1324 if (wki->version != 1 || wki->pkeytype < 1 || wki->pkeytype > 5) {
1325 DEBUG_ERR("%s wk info version %d or pkeytype %d mismatch.\n",
1326 __func__, (int)wki->version, (int)wki->pkeytype);
1327 rc = -EIO;
1328 goto out;
1329 }
1330
1331
1332 switch (wki->pkeytype) {
1333 case 1:
1334 switch (wki->pkeysize) {
1335 case 16 + 32:
1336
1337 if (protkeytype)
1338 *protkeytype = PKEY_KEYTYPE_AES_128;
1339 break;
1340 case 24 + 32:
1341
1342 if (protkeytype)
1343 *protkeytype = PKEY_KEYTYPE_AES_192;
1344 break;
1345 case 32 + 32:
1346
1347 if (protkeytype)
1348 *protkeytype = PKEY_KEYTYPE_AES_256;
1349 break;
1350 default:
1351 DEBUG_ERR("%s unknown/unsupported AES pkeysize %d\n",
1352 __func__, (int)wki->pkeysize);
1353 rc = -EIO;
1354 goto out;
1355 }
1356 break;
1357 case 3:
1358 case 4:
1359 case 5:
1360 if (protkeytype)
1361 *protkeytype = PKEY_KEYTYPE_ECC;
1362 break;
1363 case 2:
1364 default:
1365 DEBUG_ERR("%s unknown/unsupported key type %d\n",
1366 __func__, (int)wki->pkeytype);
1367 rc = -EIO;
1368 goto out;
1369 }
1370
1371
1372 if (wki->pkeysize > *protkeylen) {
1373 DEBUG_ERR("%s wk info pkeysize %llu > protkeysize %u\n",
1374 __func__, wki->pkeysize, *protkeylen);
1375 rc = -EINVAL;
1376 goto out;
1377 }
1378 memcpy(protkey, wki->pkey, wki->pkeysize);
1379 *protkeylen = wki->pkeysize;
1380
1381 out:
1382 kfree(wkbuf);
1383 return rc;
1384 }
1385 EXPORT_SYMBOL(ep11_kblob2protkey);
1386
1387 int ep11_findcard2(u32 **apqns, u32 *nr_apqns, u16 cardnr, u16 domain,
1388 int minhwtype, int minapi, const u8 *wkvp)
1389 {
1390 struct zcrypt_device_status_ext *device_status;
1391 u32 *_apqns = NULL, _nr_apqns = 0;
1392 int i, card, dom, rc = -ENOMEM;
1393 struct ep11_domain_info edi;
1394 struct ep11_card_info eci;
1395
1396
1397 device_status = kvmalloc_array(MAX_ZDEV_ENTRIES_EXT,
1398 sizeof(struct zcrypt_device_status_ext),
1399 GFP_KERNEL);
1400 if (!device_status)
1401 return -ENOMEM;
1402 zcrypt_device_status_mask_ext(device_status);
1403
1404
1405 _apqns = kmalloc_array(256, sizeof(u32), GFP_KERNEL);
1406 if (!_apqns) {
1407 kvfree(device_status);
1408 return -ENOMEM;
1409 }
1410
1411
1412 for (i = 0; i < MAX_ZDEV_ENTRIES_EXT; i++) {
1413 card = AP_QID_CARD(device_status[i].qid);
1414 dom = AP_QID_QUEUE(device_status[i].qid);
1415
1416 if (!device_status[i].online)
1417 continue;
1418
1419 if (!(device_status[i].functions & 0x01))
1420 continue;
1421
1422 if (cardnr != 0xFFFF && card != cardnr)
1423 continue;
1424
1425 if (domain != 0xFFFF && dom != domain)
1426 continue;
1427
1428 if (minhwtype && device_status[i].hwtype < minhwtype)
1429 continue;
1430
1431 if (minapi > 0) {
1432 if (ep11_get_card_info(card, &eci, 0))
1433 continue;
1434 if (minapi > eci.API_ord_nr)
1435 continue;
1436 }
1437
1438 if (wkvp) {
1439 if (ep11_get_domain_info(card, dom, &edi))
1440 continue;
1441 if (edi.cur_wk_state != '1')
1442 continue;
1443 if (memcmp(wkvp, edi.cur_wkvp, 16))
1444 continue;
1445 }
1446
1447 if (_nr_apqns < 256)
1448 _apqns[_nr_apqns++] = (((u16)card) << 16) | ((u16)dom);
1449 }
1450
1451
1452 if (!_nr_apqns) {
1453 kfree(_apqns);
1454 rc = -ENODEV;
1455 } else {
1456
1457 *apqns = _apqns;
1458 *nr_apqns = _nr_apqns;
1459 rc = 0;
1460 }
1461
1462 kvfree(device_status);
1463 return rc;
1464 }
1465 EXPORT_SYMBOL(ep11_findcard2);
1466
1467 void __exit zcrypt_ep11misc_exit(void)
1468 {
1469 card_cache_free();
1470 }
