Port key wrapping tests to *_lib.c

author: Miloslav Trmač <mitr@redhat.com> 2010-08-24 22:06:04 +0200
committer: Miloslav Trmač <mitr@redhat.com> 2010-08-24 22:09:04 +0200
commit: cae368dde8571a165dfba201e6ec0b5c182e66a4 (patch)
tree: a3672514a118be6716835b2b6bbaed25d7ad152a
parent: 99887dbcfffe481d19991a50811046ead8d12572 (diff)
download: cryptodev-linux-cae368dde8571a165dfba201e6ec0b5c182e66a4.tar.gz
cryptodev-linux-cae368dde8571a165dfba201e6ec0b5c182e66a4.tar.xz
cryptodev-linux-cae368dde8571a165dfba201e6ec0b5c182e66a4.zip
4 files changed, 145 insertions, 4 deletions
diff --git a/examples/ncr_lib.c b/examples/ncr_lib.c
index 29a7fbe..90f7463 100644
--- a/examples/ncr_lib.c
+++ b/examples/ncr_lib.c
@@ -138,7 +138,18 @@ test_ncr_wrap_key(void)
 	fprintf(stdout, "\tKey Wrap test...\n");
 	DIAGNOSTIC_CALL(ncr_key_init, &key);
 	/* import into a key */
-	DIAGNOSTIC_CALL(ncr_key_import, key, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F", 16, "ab", 2, NCR_ALG_AES_CBC, NCR_KEY_TYPE_SECRET, NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPABLE);
+	output_size = ncr_key_import(key, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F", 16, "ab", 2, NCR_ALG_AES_CBC, NCR_KEY_TYPE_SECRET, NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPING);
+	if (geteuid() == 0 && output_size) {
+		DIAGNOSTIC_ERROR("ioctl(NCRIO_KEY_IMPORT)");
+		return 1;
+	}
+
+	if (geteuid() != 0) {
+		/* cannot test further */
+		fprintf(stdout, "\t(Wrapping test not completed. Run as root)\n");
+		return 0;
+	}
+
 	DIAGNOSTIC_CALL(ncr_key_init, &key2);
 	/* import into a key2 */
 	DIAGNOSTIC_CALL(ncr_key_import, key2, DKEY, 16, "ba", 2, NCR_ALG_AES_CBC, NCR_KEY_TYPE_SECRET, NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPABLE);
@@ -156,7 +167,7 @@ test_ncr_wrap_key(void)
 
 	/* create empty key2 */
 	DIAGNOSTIC_CALL(ncr_key_init, &key2);
-	DIAGNOSTIC_CALL(ncr_key_unwrap, key, NCR_WALG_AES_RFC3394, NULL, key2, data, data_size);
+	DIAGNOSTIC_CALL(ncr_key_unwrap, key, NCR_WALG_AES_RFC3394, NULL, key2, data, data_size, NCR_ALG_AES_CBC, NCR_KEY_TYPE_SECRET, 0);
 	/* now export the unwrapped */
 #if 0
 	/* this cannot be performed like that, because unwrap
@@ -170,6 +181,43 @@ test_ncr_wrap_key(void)
 	return 0;
 }
 
+/* check whether wrapping of long keys is not allowed with
+ * shorted wrapping keys */
+static int
+test_ncr_wrap_key2(void)
+{
+	ncr_key_t key, key2;
+	uint8_t data[WRAPPED_KEY_DATA_SIZE];
+	ssize_t output_size;
+
+	/* test 1: generate a key in userspace import it
+	 * to kernel via data and export it.
+	 */
+
+	fprintf(stdout, "\tKey Wrap test II...\n");
+
+	if (geteuid() != 0) {
+		/* cannot test further */
+		fprintf(stdout, "\t(Wrapping test not completed. Run as root)\n");
+		return 0;
+	}
+
+	/* convert it to key */
+	DIAGNOSTIC_CALL(ncr_key_init, &key);
+	DIAGNOSTIC_CALL(ncr_key_import, key, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F", 16, "ab", 2, NCR_ALG_AES_CBC, NCR_KEY_TYPE_SECRET, NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPING);
+	/* convert it to key */
+	DIAGNOSTIC_CALL(ncr_key_init, &key2);
+	DIAGNOSTIC_CALL(ncr_key_import, key2, "\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF", 32, "ba", 2, NCR_ALG_AES_CBC, NCR_KEY_TYPE_SECRET, NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPABLE);
+	/* now try wrapping key2 using key */
+	if (!ncr_key_wrap(key, NCR_WALG_AES_RFC3394, NULL, key2, data,
+			  sizeof(data))) {
+		DIAGNOSTIC_ERROR("Wrapping unexpectedly allowed\n");
+		return 1;
+	}
+
+	return 0;
+}
+
 static int
 test_ncr_store_wrap_key(void)
 {
@@ -462,6 +510,8 @@ main()
 		return 1;
 	if (test_ncr_wrap_key())
 		return 1;
+	if (test_ncr_wrap_key2())
+		return 1;
 	if (test_ncr_store_wrap_key())
 		return 1;
 	/* Close the original descriptor */
diff --git a/examples/pk_lib.c b/examples/pk_lib.c
index b184b78..39c1c3e 100644
--- a/examples/pk_lib.c
+++ b/examples/pk_lib.c
@@ -9,6 +9,7 @@
 #include <string.h>
 #include <sys/types.h>
 #include <stdlib.h>
+#include <unistd.h>
 
 #include <ncrypto.h>
 #include <gnutls/gnutls.h>
@@ -452,6 +453,90 @@ ssize_t output_size;
 	return 0;
 }
 
+/* check whether wrapping of long keys is not allowed with
+ * shorted wrapping keys */
+static int
+test_ncr_wrap_key3(void)
+{
+	int i;
+	ncr_key_t key;
+	size_t data_size;
+	ncr_key_generate_params_t kgen;
+	ncr_key_t pubkey, privkey;
+	uint8_t data[DATA_SIZE];
+	/* only the first two should be allowed to be wrapped.
+	 * the latter shouldn't because it has security level larger
+	 * then 128 bits (the size of the wrapping key).
+	 */
+	const int sizes[] = {1024, 3248, 5200};
+	ssize_t output_size;
+
+	fprintf(stdout, "Tests on key wrapping (might take long): ");
+	fflush(stdout);
+
+	/* convert it to key */
+	DIAGNOSTIC_CALL(ncr_key_init, &privkey);
+	DIAGNOSTIC_CALL(ncr_key_init, &pubkey);
+
+	if (geteuid() != 0) {
+		/* cannot test further */
+		fprintf(stdout, "\t(Wrapping test not completed. Run as root)\n");
+		return 0;
+	}
+
+	/* make a wrapping key */
+	DIAGNOSTIC_CALL(ncr_key_init, &key);
+	DIAGNOSTIC_CALL(ncr_key_import, key, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F", 16, "ab", 2, NCR_ALG_AES_CBC, NCR_KEY_TYPE_SECRET, NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPING);
+
+	for (i=0;i<sizeof(sizes)/sizeof(sizes[0]);i++) {
+
+		fprintf(stdout, ".");
+		fflush(stdout);
+
+		DIAGNOSTIC_CALL(ncr_key_generate_params_init, &kgen);
+		DIAGNOSTIC_CALL(ncr_key_generate_params_set_algorithm, kgen,
+				NCR_ALG_RSA);
+		DIAGNOSTIC_CALL(ncr_key_generate_params_set_keyflags, kgen,
+				NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPABLE);
+		DIAGNOSTIC_CALL(ncr_key_generate_params_set_rsa_bits, kgen,
+				sizes[i]);
+		DIAGNOSTIC_CALL(ncr_key_generate_pair, privkey, pubkey, kgen);
+
+		/* now try wrapping key2 using key */
+		DIAGNOSTIC_CALL(ncr_key_wrap, key, NCR_WALG_AES_RFC5649, NULL,
+				pubkey, data, sizeof(data));
+
+		/* now try wrapping private using key */
+		output_size = ncr_key_wrap(key, NCR_WALG_AES_RFC5649, NULL,
+					   privkey, data, sizeof(data));
+		if (output_size < 0 && i != 2) {
+			DIAGNOSTIC_ERROR("[%d-%d]\n", i, sizes[i]);
+			/* wrapping should have been allowed */
+			return 1;
+		} else if (output_size >= 0 && i == 2) {
+			DIAGNOSTIC_ERROR("[%d-%d]\n", i, sizes[i]);
+			/* wrapping shouldn't have been allowed */
+			return 1;
+		}
+
+		if (output_size >= 0) {
+			data_size = output_size;
+
+			/* try unwrapping */
+			DIAGNOSTIC_CALL(ncr_key_unwrap, key,
+					NCR_WALG_AES_RFC5649, NULL, privkey,
+					data, data_size, NCR_ALG_RSA,
+					NCR_KEY_TYPE_PRIVATE, 0);
+		}
+		fprintf(stdout, "*");
+		fflush(stdout);
+
+	}
+
+	fprintf(stdout, " Success\n");
+	return 0;
+}
+
 #define RSA_ENCRYPT_SIZE 32
 
 static int rsa_key_encrypt(ncr_key_t privkey, ncr_key_t pubkey, int oaep)
@@ -734,6 +819,9 @@ main()
 	if (test_ncr_dsa())
 		return 1;
 
+	if (test_ncr_wrap_key3())
+		return 1;
+
 	/* Close the original descriptor */
 	ncr_global_deinit();
 
diff --git a/userspace/ncrypto.h b/userspace/ncrypto.h
index 5bcb4a7..c000761 100644
--- a/userspace/ncrypto.h
+++ b/userspace/ncrypto.h
@@ -66,7 +66,7 @@ int ncr_key_get_id(ncr_key_t key, void *id, size_t *id_size);
 int ncr_key_export(ncr_key_t key, void *idata, size_t idata_size);
 int ncr_key_import(ncr_key_t key, void *idata, size_t idata_size, void *id, size_t id_size, ncr_algorithm_t algorithm, unsigned int type, unsigned int flags);
 int ncr_key_wrap(ncr_key_t key, ncr_wrap_algorithm_t algorithm, ncr_key_params_t params, ncr_key_t keytowrap, void *idata, size_t idata_size);
-int ncr_key_unwrap(ncr_key_t key, ncr_wrap_algorithm_t algorithm, ncr_key_params_t params, ncr_key_t keytowrap, void *idata, size_t idata_size);
+int ncr_key_unwrap(ncr_key_t key, ncr_wrap_algorithm_t algorithm, ncr_key_params_t params, ncr_key_t keytowrap, void *idata, size_t idata_size, ncr_algorithm_t wrapped_algorithm, unsigned int wrapped_type, unsigned int wrapped_flags);
 int ncr_key_storage_wrap(ncr_key_t keytowrap, void *idata, size_t idata_size);
 int ncr_key_storage_unwrap(ncr_key_t keytowrap, void *idata, size_t idata_size);
 int ncr_key_deinit(ncr_key_t key);
diff --git a/userspace/ncrypto_key.c b/userspace/ncrypto_key.c
index 66bbc96..ee3c4e4 100644
--- a/userspace/ncrypto_key.c
+++ b/userspace/ncrypto_key.c
@@ -288,7 +288,7 @@ ncr_key_wrap(ncr_key_t key, ncr_wrap_algorithm_t algorithm, ncr_key_params_t par
 }
 
 int
-ncr_key_unwrap(ncr_key_t key, ncr_wrap_algorithm_t algorithm, ncr_key_params_t params, ncr_key_t keytowrap, void *idata, size_t idata_size)
+ncr_key_unwrap(ncr_key_t key, ncr_wrap_algorithm_t algorithm, ncr_key_params_t params, ncr_key_t keytowrap, void *idata, size_t idata_size, ncr_algorithm_t wrapped_algorithm, unsigned int wrapped_type, unsigned int wrapped_flags)
 {
 	struct ncr_key_wrap_st io;
 	memset(&io, 0, sizeof(io));
@@ -305,6 +305,9 @@ ncr_key_unwrap(ncr_key_t key, ncr_wrap_algorithm_t algorithm, ncr_key_params_t p
         io.keytowrap = keytowrap;
         io.io = idata;
         io.io_size = idata_size;
+	io.wrapped_key_algorithm = wrapped_algorithm;
+	io.wrapped_key_type = wrapped_type;
+	io.wrapped_key_flags = wrapped_flags;
 
 	if (__ncr_file_descriptor < 0) {
 		errno = EBADF;
author	Miloslav Trmač <mitr@redhat.com>	2010-08-24 22:06:04 +0200
committer	Miloslav Trmač <mitr@redhat.com>	2010-08-24 22:09:04 +0200
commit	cae368dde8571a165dfba201e6ec0b5c182e66a4 (patch)
tree	a3672514a118be6716835b2b6bbaed25d7ad152a
parent	99887dbcfffe481d19991a50811046ead8d12572 (diff)
download	cryptodev-linux-cae368dde8571a165dfba201e6ec0b5c182e66a4.tar.gz cryptodev-linux-cae368dde8571a165dfba201e6ec0b5c182e66a4.tar.xz cryptodev-linux-cae368dde8571a165dfba201e6ec0b5c182e66a4.zip