Diffstat (limited to 'examples/ncr_lib.c')
-rw-r--r--examples/ncr_lib.c54
1 files changed, 52 insertions, 2 deletions
diff --git a/examples/ncr_lib.c b/examples/ncr_lib.c
index 29a7fbe..90f7463 100644
--- a/examples/ncr_lib.c
+++ b/examples/ncr_lib.c
@@ -138,7 +138,18 @@ test_ncr_wrap_key(void)
fprintf(stdout, "\tKey Wrap test...\n");
DIAGNOSTIC_CALL(ncr_key_init, &key);
/* import into a key */
- DIAGNOSTIC_CALL(ncr_key_import, key, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F", 16, "ab", 2, NCR_ALG_AES_CBC, NCR_KEY_TYPE_SECRET, NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPABLE);
+ output_size = ncr_key_import(key, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F", 16, "ab", 2, NCR_ALG_AES_CBC, NCR_KEY_TYPE_SECRET, NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPING);
+ if (geteuid() == 0 && output_size) {
+ DIAGNOSTIC_ERROR("ioctl(NCRIO_KEY_IMPORT)");
+ return 1;
+ }
+
+ if (geteuid() != 0) {
+ /* cannot test further */
+ fprintf(stdout, "\t(Wrapping test not completed. Run as root)\n");
+ return 0;
+ }
+
DIAGNOSTIC_CALL(ncr_key_init, &key2);
/* import into a key2 */
DIAGNOSTIC_CALL(ncr_key_import, key2, DKEY, 16, "ba", 2, NCR_ALG_AES_CBC, NCR_KEY_TYPE_SECRET, NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPABLE);
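Review bot: The non-root path after the new `ncr_key_import` call discards `output_size`, so the test never asserts that an unprivileged caller is refused a key carrying `NCR_KEY_FLAG_WRAPPING`. If that refusal is the intended policy (the "Run as root" message suggests it is), a kernel regression that grants the flag to any user would pass silently. Consider adding `if (geteuid() != 0 && output_size == 0) { DIAGNOSTIC_ERROR("unprivileged import of a wrapping key was allowed"); return 1; }` ahead of the skip message. Both new early returns also leave `key` initialised with no release visible in the hunk. The body of test_ncr_wrap_key starts and ends outside this hunk.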
@@ -156,7 +167,7 @@ test_ncr_wrap_key(void)
/* create empty key2 */
DIAGNOSTIC_CALL(ncr_key_init, &key2);
- DIAGNOSTIC_CALL(ncr_key_unwrap, key, NCR_WALG_AES_RFC3394, NULL, key2, data, data_size);
+ DIAGNOSTIC_CALL(ncr_key_unwrap, key, NCR_WALG_AES_RFC3394, NULL, key2, data, data_size, NCR_ALG_AES_CBC, NCR_KEY_TYPE_SECRET, 0);
/* now export the unwrapped */
#if 0
/* this cannot be performed like that, because unwrap
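Review bot: The three arguments appended to `ncr_key_unwrap` are not explained at the call site, and the bare `0` hides a security-relevant choice. Judging by the parallel `ncr_key_import` calls it appears to be the flag set given to the unwrapped key, which would make that key neither exportable nor wrappable; please confirm against the library header. A comment such as `/* unwrapped key: AES-CBC secret, no flags (not exportable, not wrappable) */` would make the intent explicit. Nothing visible in the hunk verifies that the resulting key carries those attributes; the function continues outside the hunk.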
@@ -170,6 +181,43 @@ test_ncr_wrap_key(void)
return 0;
}
+/* check whether wrapping of long keys is not allowed with
+ * shorted wrapping keys */
+static int
+test_ncr_wrap_key2(void)
+{
+ ncr_key_t key, key2;
+ uint8_t data[WRAPPED_KEY_DATA_SIZE];
+ ssize_t output_size;
+
+ /* test 1: generate a key in userspace import it
+ * to kernel via data and export it.
+ */
+
+ fprintf(stdout, "\tKey Wrap test II...\n");
+
+ if (geteuid() != 0) {
+ /* cannot test further */
+ fprintf(stdout, "\t(Wrapping test not completed. Run as root)\n");
+ return 0;
+ }
+
+ /* convert it to key */
+ DIAGNOSTIC_CALL(ncr_key_init, &key);
+ DIAGNOSTIC_CALL(ncr_key_import, key, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F", 16, "ab", 2, NCR_ALG_AES_CBC, NCR_KEY_TYPE_SECRET, NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPING);
+ /* convert it to key */
+ DIAGNOSTIC_CALL(ncr_key_init, &key2);
+ DIAGNOSTIC_CALL(ncr_key_import, key2, "\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF", 32, "ba", 2, NCR_ALG_AES_CBC, NCR_KEY_TYPE_SECRET, NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPABLE);
+ /* now try wrapping key2 using key */
+ if (!ncr_key_wrap(key, NCR_WALG_AES_RFC3394, NULL, key2, data,
+ sizeof(data))) {
+ DIAGNOSTIC_ERROR("Wrapping unexpectedly allowed\n");
+ return 1;
+ }
+
+ return 0;
+}
+
static int
test_ncr_store_wrap_key(void)
{
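Review bot: The negative check `if (!ncr_key_wrap(...))` in test_ncr_wrap_key2 counts every non-zero return as the expected refusal. A wrap that fails for an unrelated reason (bad handle, permissions, buffer size) therefore passes the test without the key-strength policy being exercised. Keep the return value and `errno`, and require the specific error the kernel reports when a 128-bit key is asked to wrap a 256-bit key; the return convention of `ncr_key_wrap` is not visible here, so confirm what success looks like as well. Smaller points: `output_size` is declared but never used, `key` and `key2` are not released on any path, the `test 1: generate a key in userspace...` comment is copied from another test, and `shorted` in the header comment should read `shorter`.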
@@ -462,6 +510,8 @@ main()
return 1;
if (test_ncr_wrap_key())
return 1;
+ if (test_ncr_wrap_key2())
+ return 1;
if (test_ncr_store_wrap_key())
return 1;
/* Close the original descriptor */