summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--examples/ncr_lib.c54
-rw-r--r--examples/pk_lib.c88
-rw-r--r--userspace/ncrypto.h2
-rw-r--r--userspace/ncrypto_key.c5
4 files changed, 145 insertions, 4 deletions
diff --git a/examples/ncr_lib.c b/examples/ncr_lib.c
index 29a7fbe..90f7463 100644
--- a/examples/ncr_lib.c
+++ b/examples/ncr_lib.c
@@ -138,7 +138,18 @@ test_ncr_wrap_key(void)
fprintf(stdout, "\tKey Wrap test...\n");
DIAGNOSTIC_CALL(ncr_key_init, &key);
/* import into a key */
- DIAGNOSTIC_CALL(ncr_key_import, key, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F", 16, "ab", 2, NCR_ALG_AES_CBC, NCR_KEY_TYPE_SECRET, NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPABLE);
+ output_size = ncr_key_import(key, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F", 16, "ab", 2, NCR_ALG_AES_CBC, NCR_KEY_TYPE_SECRET, NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPING);
+ if (geteuid() == 0 && output_size) {
+ DIAGNOSTIC_ERROR("ioctl(NCRIO_KEY_IMPORT)");
+ return 1;
+ }
+
+ if (geteuid() != 0) {
+ /* cannot test further */
+ fprintf(stdout, "\t(Wrapping test not completed. Run as root)\n");
+ return 0;
+ }
+
DIAGNOSTIC_CALL(ncr_key_init, &key2);
/* import into a key2 */
DIAGNOSTIC_CALL(ncr_key_import, key2, DKEY, 16, "ba", 2, NCR_ALG_AES_CBC, NCR_KEY_TYPE_SECRET, NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPABLE);
@@ -156,7 +167,7 @@ test_ncr_wrap_key(void)
/* create empty key2 */
DIAGNOSTIC_CALL(ncr_key_init, &key2);
- DIAGNOSTIC_CALL(ncr_key_unwrap, key, NCR_WALG_AES_RFC3394, NULL, key2, data, data_size);
+ DIAGNOSTIC_CALL(ncr_key_unwrap, key, NCR_WALG_AES_RFC3394, NULL, key2, data, data_size, NCR_ALG_AES_CBC, NCR_KEY_TYPE_SECRET, 0);
/* now export the unwrapped */
#if 0
/* this cannot be performed like that, because unwrap
@@ -170,6 +181,43 @@ test_ncr_wrap_key(void)
return 0;
}
+/* check whether wrapping of long keys is not allowed with
+ * shorted wrapping keys */
+static int
+test_ncr_wrap_key2(void)
+{
+ ncr_key_t key, key2;
+ uint8_t data[WRAPPED_KEY_DATA_SIZE];
+ ssize_t output_size;
+
+ /* test 1: generate a key in userspace import it
+ * to kernel via data and export it.
+ */
+
+ fprintf(stdout, "\tKey Wrap test II...\n");
+
+ if (geteuid() != 0) {
+ /* cannot test further */
+ fprintf(stdout, "\t(Wrapping test not completed. Run as root)\n");
+ return 0;
+ }
+
+ /* convert it to key */
+ DIAGNOSTIC_CALL(ncr_key_init, &key);
+ DIAGNOSTIC_CALL(ncr_key_import, key, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F", 16, "ab", 2, NCR_ALG_AES_CBC, NCR_KEY_TYPE_SECRET, NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPING);
+ /* convert it to key */
+ DIAGNOSTIC_CALL(ncr_key_init, &key2);
+ DIAGNOSTIC_CALL(ncr_key_import, key2, "\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF", 32, "ba", 2, NCR_ALG_AES_CBC, NCR_KEY_TYPE_SECRET, NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPABLE);
+ /* now try wrapping key2 using key */
+ if (!ncr_key_wrap(key, NCR_WALG_AES_RFC3394, NULL, key2, data,
+ sizeof(data))) {
+ DIAGNOSTIC_ERROR("Wrapping unexpectedly allowed\n");
+ return 1;
+ }
+
+ return 0;
+}
+
static int
test_ncr_store_wrap_key(void)
{
@@ -462,6 +510,8 @@ main()
return 1;
if (test_ncr_wrap_key())
return 1;
+ if (test_ncr_wrap_key2())
+ return 1;
if (test_ncr_store_wrap_key())
return 1;
/* Close the original descriptor */
diff --git a/examples/pk_lib.c b/examples/pk_lib.c
index b184b78..39c1c3e 100644
--- a/examples/pk_lib.c
+++ b/examples/pk_lib.c
@@ -9,6 +9,7 @@
#include <string.h>
#include <sys/types.h>
#include <stdlib.h>
+#include <unistd.h>
#include <ncrypto.h>
#include <gnutls/gnutls.h>
@@ -452,6 +453,90 @@ ssize_t output_size;
return 0;
}
+/* check whether wrapping of long keys is not allowed with
+ * shorted wrapping keys */
+static int
+test_ncr_wrap_key3(void)
+{
+ int i;
+ ncr_key_t key;
+ size_t data_size;
+ ncr_key_generate_params_t kgen;
+ ncr_key_t pubkey, privkey;
+ uint8_t data[DATA_SIZE];
+ /* only the first two should be allowed to be wrapped.
+ * the latter shouldn't because it has security level larger
+ * then 128 bits (the size of the wrapping key).
+ */
+ const int sizes[] = {1024, 3248, 5200};
+ ssize_t output_size;
+
+ fprintf(stdout, "Tests on key wrapping (might take long): ");
+ fflush(stdout);
+
+ /* convert it to key */
+ DIAGNOSTIC_CALL(ncr_key_init, &privkey);
+ DIAGNOSTIC_CALL(ncr_key_init, &pubkey);
+
+ if (geteuid() != 0) {
+ /* cannot test further */
+ fprintf(stdout, "\t(Wrapping test not completed. Run as root)\n");
+ return 0;
+ }
+
+ /* make a wrapping key */
+ DIAGNOSTIC_CALL(ncr_key_init, &key);
+ DIAGNOSTIC_CALL(ncr_key_import, key, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F", 16, "ab", 2, NCR_ALG_AES_CBC, NCR_KEY_TYPE_SECRET, NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPING);
+
+ for (i=0;i<sizeof(sizes)/sizeof(sizes[0]);i++) {
+
+ fprintf(stdout, ".");
+ fflush(stdout);
+
+ DIAGNOSTIC_CALL(ncr_key_generate_params_init, &kgen);
+ DIAGNOSTIC_CALL(ncr_key_generate_params_set_algorithm, kgen,
+ NCR_ALG_RSA);
+ DIAGNOSTIC_CALL(ncr_key_generate_params_set_keyflags, kgen,
+ NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPABLE);
+ DIAGNOSTIC_CALL(ncr_key_generate_params_set_rsa_bits, kgen,
+ sizes[i]);
+ DIAGNOSTIC_CALL(ncr_key_generate_pair, privkey, pubkey, kgen);
+
+ /* now try wrapping key2 using key */
+ DIAGNOSTIC_CALL(ncr_key_wrap, key, NCR_WALG_AES_RFC5649, NULL,
+ pubkey, data, sizeof(data));
+
+ /* now try wrapping private using key */
+ output_size = ncr_key_wrap(key, NCR_WALG_AES_RFC5649, NULL,
+ privkey, data, sizeof(data));
+ if (output_size < 0 && i != 2) {
+ DIAGNOSTIC_ERROR("[%d-%d]\n", i, sizes[i]);
+ /* wrapping should have been allowed */
+ return 1;
+ } else if (output_size >= 0 && i == 2) {
+ DIAGNOSTIC_ERROR("[%d-%d]\n", i, sizes[i]);
+ /* wrapping shouldn't have been allowed */
+ return 1;
+ }
+
+ if (output_size >= 0) {
+ data_size = output_size;
+
+ /* try unwrapping */
+ DIAGNOSTIC_CALL(ncr_key_unwrap, key,
+ NCR_WALG_AES_RFC5649, NULL, privkey,
+ data, data_size, NCR_ALG_RSA,
+ NCR_KEY_TYPE_PRIVATE, 0);
+ }
+ fprintf(stdout, "*");
+ fflush(stdout);
+
+ }
+
+ fprintf(stdout, " Success\n");
+ return 0;
+}
+
#define RSA_ENCRYPT_SIZE 32
static int rsa_key_encrypt(ncr_key_t privkey, ncr_key_t pubkey, int oaep)
@@ -734,6 +819,9 @@ main()
if (test_ncr_dsa())
return 1;
+ if (test_ncr_wrap_key3())
+ return 1;
+
/* Close the original descriptor */
ncr_global_deinit();
diff --git a/userspace/ncrypto.h b/userspace/ncrypto.h
index 5bcb4a7..c000761 100644
--- a/userspace/ncrypto.h
+++ b/userspace/ncrypto.h
@@ -66,7 +66,7 @@ int ncr_key_get_id(ncr_key_t key, void *id, size_t *id_size);
int ncr_key_export(ncr_key_t key, void *idata, size_t idata_size);
int ncr_key_import(ncr_key_t key, void *idata, size_t idata_size, void *id, size_t id_size, ncr_algorithm_t algorithm, unsigned int type, unsigned int flags);
int ncr_key_wrap(ncr_key_t key, ncr_wrap_algorithm_t algorithm, ncr_key_params_t params, ncr_key_t keytowrap, void *idata, size_t idata_size);
-int ncr_key_unwrap(ncr_key_t key, ncr_wrap_algorithm_t algorithm, ncr_key_params_t params, ncr_key_t keytowrap, void *idata, size_t idata_size);
+int ncr_key_unwrap(ncr_key_t key, ncr_wrap_algorithm_t algorithm, ncr_key_params_t params, ncr_key_t keytowrap, void *idata, size_t idata_size, ncr_algorithm_t wrapped_algorithm, unsigned int wrapped_type, unsigned int wrapped_flags);
int ncr_key_storage_wrap(ncr_key_t keytowrap, void *idata, size_t idata_size);
int ncr_key_storage_unwrap(ncr_key_t keytowrap, void *idata, size_t idata_size);
int ncr_key_deinit(ncr_key_t key);
diff --git a/userspace/ncrypto_key.c b/userspace/ncrypto_key.c
index 66bbc96..ee3c4e4 100644
--- a/userspace/ncrypto_key.c
+++ b/userspace/ncrypto_key.c
@@ -288,7 +288,7 @@ ncr_key_wrap(ncr_key_t key, ncr_wrap_algorithm_t algorithm, ncr_key_params_t par
}
int
-ncr_key_unwrap(ncr_key_t key, ncr_wrap_algorithm_t algorithm, ncr_key_params_t params, ncr_key_t keytowrap, void *idata, size_t idata_size)
+ncr_key_unwrap(ncr_key_t key, ncr_wrap_algorithm_t algorithm, ncr_key_params_t params, ncr_key_t keytowrap, void *idata, size_t idata_size, ncr_algorithm_t wrapped_algorithm, unsigned int wrapped_type, unsigned int wrapped_flags)
{
struct ncr_key_wrap_st io;
memset(&io, 0, sizeof(io));
@@ -305,6 +305,9 @@ ncr_key_unwrap(ncr_key_t key, ncr_wrap_algorithm_t algorithm, ncr_key_params_t p
io.keytowrap = keytowrap;
io.io = idata;
io.io_size = idata_size;
+ io.wrapped_key_algorithm = wrapped_algorithm;
+ io.wrapped_key_type = wrapped_type;
+ io.wrapped_key_flags = wrapped_flags;
if (__ncr_file_descriptor < 0) {
errno = EBADF;
generated by cgit (git 2.34.1) at 2025-07-04 19:29:00 +0000