Added KEY_WRAPPING flag that allows a key to be used for wrapping other keys.

Only superuser can enable this flag. Prevent short keys to wrap longer ones. Added initial stuff
for supporting wrapping of private and public keys.

2 files changed, 217 insertions, 6 deletions

diff --git a/examples/ncr.c b/examples/ncr.c
index 9a75a99..5169a14 100644
--- a/examples/ncr.c
+++ b/examples/ncr.c
@@ -208,7 +208,7 @@ test_ncr_key(int cfd)
 static int
 test_ncr_wrap_key(int cfd)
 {
-	int i;
+	int i, ret;
 	ncr_key_t key, key2;
 	struct ncr_key_data_st keydata;
 	struct ncr_key_wrap_st kwrap;
@@ -234,7 +234,7 @@ test_ncr_wrap_key(int cfd)
 	keydata.key_id_size = 2;
 	keydata.type = NCR_KEY_TYPE_SECRET;
 	keydata.algorithm = NCR_ALG_AES_CBC;
-	keydata.flags = NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPABLE;
+	keydata.flags = NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPING;
 	
 	keydata.key = key;
 	keydata.idata = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F";
@@ -279,12 +279,20 @@ test_ncr_wrap_key(int cfd)
 	kwrap.io = data;
 	kwrap.io_size = sizeof(data);
 
-	if (ioctl(cfd, NCRIO_KEY_WRAP, &kwrap)) {
+	ret = ioctl(cfd, NCRIO_KEY_WRAP, &kwrap);
+	
+	if (geteuid() == 0 && ret) {
 		fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__);
 		perror("ioctl(NCRIO_KEY_WRAP)");
 		return 1;
 	}
 	
+	if (geteuid() != 0) {
+		/* cannot test further */
+		fprintf(stdout, "\t(Wrapping test not completed. Run as root)\n");
+		return 0;
+	}
+
 	data_size = kwrap.io_size;
 
 	if (kwrap.io_size != 24 || memcmp(data,
@@ -298,9 +306,6 @@ test_ncr_wrap_key(int cfd)
 		return 1;
 	}
 
-
-
-
 	/* test unwrapping */
 	fprintf(stdout, "\tKey Unwrap test...\n");
 
@@ -360,7 +365,94 @@ test_ncr_wrap_key(int cfd)
 #endif
 
 	return 0;
+}
+
+/* check whether wrapping of long keys is not allowed with
+ * shorted wrapping keys */
+static int
+test_ncr_wrap_key2(int cfd)
+{
+	int ret;
+	ncr_key_t key, key2;
+	struct ncr_key_data_st keydata;
+	struct ncr_key_wrap_st kwrap;
+	uint8_t data[WRAPPED_KEY_DATA_SIZE];
+
+	/* test 1: generate a key in userspace import it
+	 * to kernel via data and export it.
+	 */
+
+	fprintf(stdout, "\tKey Wrap test II...\n");
+
+	if (geteuid() != 0) {
+		/* cannot test further */
+		fprintf(stdout, "\t(Wrapping test not completed. Run as root)\n");
+		return 0;
+	}
+
+	/* convert it to key */
+	if (ioctl(cfd, NCRIO_KEY_INIT, &key)) {
+		perror("ioctl(NCRIO_KEY_INIT)");
+		return 1;
+	}
+
+	keydata.key_id[0] = 'a';
+	keydata.key_id[2] = 'b';
+	keydata.key_id_size = 2;
+	keydata.type = NCR_KEY_TYPE_SECRET;
+	keydata.algorithm = NCR_ALG_AES_CBC;
+	keydata.flags = NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPING;
+	
+	keydata.key = key;
+	keydata.idata = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F";
+	keydata.idata_size = 16;
+
+	if (ioctl(cfd, NCRIO_KEY_IMPORT, &keydata)) {
+		fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__);
+		perror("ioctl(NCRIO_KEY_IMPORT)");
+		return 1;
+	}
+
+
+	/* convert it to key */
+	if (ioctl(cfd, NCRIO_KEY_INIT, &key2)) {
+		perror("ioctl(NCRIO_KEY_INIT)");
+		return 1;
+	}
 
+	keydata.key_id[0] = 'b';
+	keydata.key_id[2] = 'a';
+	keydata.key_id_size = 2;
+	keydata.type = NCR_KEY_TYPE_SECRET;
+	keydata.algorithm = NCR_ALG_AES_CBC;
+	keydata.flags = NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPABLE;
+	
+	keydata.key = key2;
+	keydata.idata = "\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF";
+	keydata.idata_size = 32;
+
+	if (ioctl(cfd, NCRIO_KEY_IMPORT, &keydata)) {
+		fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__);
+		perror("ioctl(NCRIO_KEY_IMPORT)");
+		return 1;
+	}
+
+	/* now try wrapping key2 using key */
+	memset(&kwrap, 0, sizeof(kwrap));
+	kwrap.algorithm = NCR_WALG_AES_RFC3394;
+	kwrap.keytowrap = key2;
+	kwrap.key = key;
+	kwrap.io = data;
+	kwrap.io_size = sizeof(data);
+
+	ret = ioctl(cfd, NCRIO_KEY_WRAP, &kwrap);
+	if (!ret) {
+		fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__);
+		/* wrapping shouldn't have been allowed */
+		return 1;
+	}
+	
+	return 0;
 }
 
 static int
@@ -939,6 +1031,9 @@ main()
 	if (test_ncr_wrap_key(fd))
 		return 1;
 
+	if (test_ncr_wrap_key2(fd))
+		return 1;
+
 	if (test_ncr_store_wrap_key(fd))
 		return 1;
 
diff --git a/examples/pk.c b/examples/pk.c
index 3102a3b..5f7c72a 100644
--- a/examples/pk.c
+++ b/examples/pk.c
@@ -524,6 +524,119 @@ struct ncr_key_derivation_params_st kderive;
 	return 0;
 }
 
+/* check whether wrapping of long keys is not allowed with
+ * shorted wrapping keys */
+static int
+test_ncr_wrap_key3(int cfd)
+{
+	int ret, i;
+	ncr_key_t key;
+	struct ncr_key_data_st keydata;
+	struct ncr_key_wrap_st kwrap;
+	struct ncr_key_generate_st kgen;
+	ncr_key_t pubkey, privkey;
+	uint8_t data[DATA_SIZE];
+	/* only the first two should be allowed to be wrapped */
+	const int sizes[] = {1024, 3248, 5200};
+
+	fprintf(stdout, "Tests on key wrapping: ");
+	fflush(stdout);
+
+	/* convert it to key */
+	if (ioctl(cfd, NCRIO_KEY_INIT, &privkey)) {
+		fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__);
+		perror("ioctl(NCRIO_KEY_INIT)");
+		return 1;
+	}
+
+	if (ioctl(cfd, NCRIO_KEY_INIT, &pubkey)) {
+		fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__);
+		perror("ioctl(NCRIO_KEY_INIT)");
+		return 1;
+	}
+
+	if (geteuid() != 0) {
+		/* cannot test further */
+		fprintf(stdout, "\t(Wrapping test not completed. Run as root)\n");
+		return 0;
+	}
+
+	/* make a wrapping key */
+	if (ioctl(cfd, NCRIO_KEY_INIT, &key)) {
+		perror("ioctl(NCRIO_KEY_INIT)");
+		return 1;
+	}
+
+	keydata.key_id[0] = 'a';
+	keydata.key_id[2] = 'b';
+	keydata.key_id_size = 2;
+	keydata.type = NCR_KEY_TYPE_SECRET;
+	keydata.algorithm = NCR_ALG_AES_CBC;
+	keydata.flags = NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPING;
+	
+	keydata.key = key;
+	keydata.idata = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F";
+	keydata.idata_size = 16;
+
+	if (ioctl(cfd, NCRIO_KEY_IMPORT, &keydata)) {
+		fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__);
+		perror("ioctl(NCRIO_KEY_IMPORT)");
+		return 1;
+	}
+	
+	for (i=0;i<sizeof(sizes)/sizeof(sizes[0]);i++) {
+		memset(&kgen, 0, sizeof(kgen));
+		kgen.desc = privkey;
+		kgen.desc2 = pubkey;
+		kgen.params.algorithm = NCR_ALG_RSA;
+		kgen.params.keyflags = NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPABLE;
+		kgen.params.params.rsa.bits = sizes[i];
+
+		if (ioctl(cfd, NCRIO_KEY_GENERATE_PAIR, &kgen)) {
+			fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__);
+			perror("ioctl(NCRIO_KEY_GENERATE_PAIR)");
+			return 1;
+		}
+
+		/* now try wrapping key2 using key */
+		memset(&kwrap, 0, sizeof(kwrap));
+		kwrap.algorithm = NCR_WALG_AES_RFC5649;
+		kwrap.keytowrap = pubkey;
+		kwrap.key = key;
+		kwrap.io = data;
+		kwrap.io_size = sizeof(data);
+
+		ret = ioctl(cfd, NCRIO_KEY_WRAP, &kwrap);
+		if (ret) {
+			fprintf(stderr, "Error[%d-%d]: %s:%d\n", i, sizes[i], __func__, __LINE__);
+			/* wrapping of public key should have been allowed! */
+			return 1;
+		}
+
+		/* now try wrapping private using key */
+		memset(&kwrap, 0, sizeof(kwrap));
+		kwrap.algorithm = NCR_WALG_AES_RFC5649;
+		kwrap.keytowrap = privkey;
+		kwrap.key = key;
+		kwrap.io = data;
+		kwrap.io_size = sizeof(data);
+
+		ret = ioctl(cfd, NCRIO_KEY_WRAP, &kwrap);
+		if (ret && i != 2) {
+			fprintf(stderr, "Error[%d-%d]: %s:%d\n", i, sizes[i], __func__, __LINE__);
+			/* wrapping should have been allowed */
+			return 1;
+		} else if (ret == 0 && i == 2) {
+			fprintf(stderr, "Error[%d-%d]: %s:%d\n", i, sizes[i], __func__, __LINE__);
+			/* wrapping shouldn't have been allowed */
+			return 1;
+		}			
+	}
+	
+	fprintf(stdout, " Success\n");
+	return 0;
+}
+
 #define RSA_ENCRYPT_SIZE 32
 
 static int rsa_key_encrypt(int cfd, ncr_key_t privkey, ncr_key_t pubkey, int oaep)
@@ -961,6 +1074,9 @@ main()
 
 	if (test_ncr_dsa(fd))
 		return 1;
+		
+	if (test_ncr_wrap_key3(fd))
+		return 1;
 
 	/* Close the original descriptor */
 	if (close(fd)) {