Diffstat (limited to 'examples')
-rw-r--r--examples/ncr.c107
-rw-r--r--examples/pk.c116
2 files changed, 217 insertions, 6 deletions
diff --git a/examples/ncr.c b/examples/ncr.c
index 9a75a99..5169a14 100644
--- a/examples/ncr.c
+++ b/examples/ncr.c
@@ -208,7 +208,7 @@ test_ncr_key(int cfd)
static int
test_ncr_wrap_key(int cfd)
{
- int i;
+ int i, ret;
ncr_key_t key, key2;
struct ncr_key_data_st keydata;
struct ncr_key_wrap_st kwrap;
@@ -234,7 +234,7 @@ test_ncr_wrap_key(int cfd)
keydata.key_id_size = 2;
keydata.type = NCR_KEY_TYPE_SECRET;
keydata.algorithm = NCR_ALG_AES_CBC;
- keydata.flags = NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPABLE;
+ keydata.flags = NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPING;
keydata.key = key;
keydata.idata = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F";
@@ -279,12 +279,20 @@ test_ncr_wrap_key(int cfd)
kwrap.io = data;
kwrap.io_size = sizeof(data);
- if (ioctl(cfd, NCRIO_KEY_WRAP, &kwrap)) {
+ ret = ioctl(cfd, NCRIO_KEY_WRAP, &kwrap);
+
+ if (geteuid() == 0 && ret) {
fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__);
perror("ioctl(NCRIO_KEY_WRAP)");
return 1;
}
+ if (geteuid() != 0) {
+ /* cannot test further */
+ fprintf(stdout, "\t(Wrapping test not completed. Run as root)\n");
+ return 0;
+ }
+
data_size = kwrap.io_size;
if (kwrap.io_size != 24 || memcmp(data,
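Review bot: The non-root branch discards `ret`, so an unprivileged NCRIO_KEY_WRAP that succeeds would go unnoticed by this test. If wrapping is meant to be restricted to root, as the "Run as root" message suggests, that branch is the place to assert the denial, e.g. `if (ret == 0) { fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__); return 1; }` before its `return 0;`. Calling `geteuid()` once into a local would also keep the two conditions from drifting apart. test_ncr_wrap_key starts and ends outside this hunk.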
@@ -298,9 +306,6 @@ test_ncr_wrap_key(int cfd)
return 1;
}
-
-
-
/* test unwrapping */
fprintf(stdout, "\tKey Unwrap test...\n");
@@ -360,7 +365,94 @@ test_ncr_wrap_key(int cfd)
#endif
return 0;
+}
+
+/* check whether wrapping of long keys is not allowed with
+ * shorted wrapping keys */
+static int
+test_ncr_wrap_key2(int cfd)
+{
+ int ret;
+ ncr_key_t key, key2;
+ struct ncr_key_data_st keydata;
+ struct ncr_key_wrap_st kwrap;
+ uint8_t data[WRAPPED_KEY_DATA_SIZE];
+
+ /* test 1: generate a key in userspace import it
+ * to kernel via data and export it.
+ */
+
+ fprintf(stdout, "\tKey Wrap test II...\n");
+
+ if (geteuid() != 0) {
+ /* cannot test further */
+ fprintf(stdout, "\t(Wrapping test not completed. Run as root)\n");
+ return 0;
+ }
+
+ /* convert it to key */
+ if (ioctl(cfd, NCRIO_KEY_INIT, &key)) {
+ perror("ioctl(NCRIO_KEY_INIT)");
+ return 1;
+ }
+
+ keydata.key_id[0] = 'a';
+ keydata.key_id[2] = 'b';
+ keydata.key_id_size = 2;
+ keydata.type = NCR_KEY_TYPE_SECRET;
+ keydata.algorithm = NCR_ALG_AES_CBC;
+ keydata.flags = NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPING;
+
+ keydata.key = key;
+ keydata.idata = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F";
+ keydata.idata_size = 16;
+
+ if (ioctl(cfd, NCRIO_KEY_IMPORT, &keydata)) {
+ fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__);
+ perror("ioctl(NCRIO_KEY_IMPORT)");
+ return 1;
+ }
+
+
+ /* convert it to key */
+ if (ioctl(cfd, NCRIO_KEY_INIT, &key2)) {
+ perror("ioctl(NCRIO_KEY_INIT)");
+ return 1;
+ }
+ keydata.key_id[0] = 'b';
+ keydata.key_id[2] = 'a';
+ keydata.key_id_size = 2;
+ keydata.type = NCR_KEY_TYPE_SECRET;
+ keydata.algorithm = NCR_ALG_AES_CBC;
+ keydata.flags = NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPABLE;
+
+ keydata.key = key2;
+ keydata.idata = "\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF\x00\x11\x22\x33\x44\x55\x66\x77\x88\x99\xAA\xBB\xCC\xDD\xEE\xFF";
+ keydata.idata_size = 32;
+
+ if (ioctl(cfd, NCRIO_KEY_IMPORT, &keydata)) {
+ fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__);
+ perror("ioctl(NCRIO_KEY_IMPORT)");
+ return 1;
+ }
+
+ /* now try wrapping key2 using key */
+ memset(&kwrap, 0, sizeof(kwrap));
+ kwrap.algorithm = NCR_WALG_AES_RFC3394;
+ kwrap.keytowrap = key2;
+ kwrap.key = key;
+ kwrap.io = data;
+ kwrap.io_size = sizeof(data);
+
+ ret = ioctl(cfd, NCRIO_KEY_WRAP, &kwrap);
+ if (!ret) {
+ fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__);
+ /* wrapping shouldn't have been allowed */
+ return 1;
+ }
+
+ return 0;
}
static int
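Review bot: `keydata` is never zeroed in test_ncr_wrap_key2, and the id is filled through `key_id[0]` and `key_id[2]` while `key_id_size = 2`, so the second id byte and any field of the struct not assigned here reach NCRIO_KEY_IMPORT as indeterminate stack contents. Add `memset(&keydata, 0, sizeof(keydata));` before the first assignment and write the second byte as `keydata.key_id[1] = 'b';` (and `keydata.key_id[1] = 'a';` for key2). The same pattern is repeated in test_ncr_wrap_key3 in examples/pk.c. The leading comment "test 1: generate a key in userspace import it to kernel via data and export it" looks copied from the earlier test and does not describe this negative test; something like `/* a 16-byte wrapping key must be refused when asked to wrap a 32-byte key */` would match what the code checks.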
@@ -939,6 +1031,9 @@ main()
if (test_ncr_wrap_key(fd))
return 1;
+ if (test_ncr_wrap_key2(fd))
+ return 1;
+
if (test_ncr_store_wrap_key(fd))
return 1;
diff --git a/examples/pk.c b/examples/pk.c
index 3102a3b..5f7c72a 100644
--- a/examples/pk.c
+++ b/examples/pk.c
@@ -524,6 +524,119 @@ struct ncr_key_derivation_params_st kderive;
return 0;
}
+/* check whether wrapping of long keys is not allowed with
+ * shorted wrapping keys */
+static int
+test_ncr_wrap_key3(int cfd)
+{
+ int ret, i;
+ ncr_key_t key;
+ struct ncr_key_data_st keydata;
+ struct ncr_key_wrap_st kwrap;
+ struct ncr_key_generate_st kgen;
+ ncr_key_t pubkey, privkey;
+ uint8_t data[DATA_SIZE];
+ /* only the first two should be allowed to be wrapped */
+ const int sizes[] = {1024, 3248, 5200};
+
+ fprintf(stdout, "Tests on key wrapping: ");
+ fflush(stdout);
+
+ /* convert it to key */
+ if (ioctl(cfd, NCRIO_KEY_INIT, &privkey)) {
+ fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__);
+ perror("ioctl(NCRIO_KEY_INIT)");
+ return 1;
+ }
+
+ if (ioctl(cfd, NCRIO_KEY_INIT, &pubkey)) {
+ fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__);
+ perror("ioctl(NCRIO_KEY_INIT)");
+ return 1;
+ }
+
+ if (geteuid() != 0) {
+ /* cannot test further */
+ fprintf(stdout, "\t(Wrapping test not completed. Run as root)\n");
+ return 0;
+ }
+
+ /* make a wrapping key */
+ if (ioctl(cfd, NCRIO_KEY_INIT, &key)) {
+ perror("ioctl(NCRIO_KEY_INIT)");
+ return 1;
+ }
+
+ keydata.key_id[0] = 'a';
+ keydata.key_id[2] = 'b';
+ keydata.key_id_size = 2;
+ keydata.type = NCR_KEY_TYPE_SECRET;
+ keydata.algorithm = NCR_ALG_AES_CBC;
+ keydata.flags = NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPING;
+
+ keydata.key = key;
+ keydata.idata = "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F";
+ keydata.idata_size = 16;
+
+ if (ioctl(cfd, NCRIO_KEY_IMPORT, &keydata)) {
+ fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__);
+ perror("ioctl(NCRIO_KEY_IMPORT)");
+ return 1;
+ }
+
+ for (i=0;i<sizeof(sizes)/sizeof(sizes[0]);i++) {
+ memset(&kgen, 0, sizeof(kgen));
+ kgen.desc = privkey;
+ kgen.desc2 = pubkey;
+ kgen.params.algorithm = NCR_ALG_RSA;
+ kgen.params.keyflags = NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPABLE;
+ kgen.params.params.rsa.bits = sizes[i];
+
+ if (ioctl(cfd, NCRIO_KEY_GENERATE_PAIR, &kgen)) {
+ fprintf(stderr, "Error: %s:%d\n", __func__, __LINE__);
+ perror("ioctl(NCRIO_KEY_GENERATE_PAIR)");
+ return 1;
+ }
+
+ /* now try wrapping key2 using key */
+ memset(&kwrap, 0, sizeof(kwrap));
+ kwrap.algorithm = NCR_WALG_AES_RFC5649;
+ kwrap.keytowrap = pubkey;
+ kwrap.key = key;
+ kwrap.io = data;
+ kwrap.io_size = sizeof(data);
+
+ ret = ioctl(cfd, NCRIO_KEY_WRAP, &kwrap);
+ if (ret) {
+ fprintf(stderr, "Error[%d-%d]: %s:%d\n", i, sizes[i], __func__, __LINE__);
+ /* wrapping of public key should have been allowed! */
+ return 1;
+ }
+
+ /* now try wrapping private using key */
+ memset(&kwrap, 0, sizeof(kwrap));
+ kwrap.algorithm = NCR_WALG_AES_RFC5649;
+ kwrap.keytowrap = privkey;
+ kwrap.key = key;
+ kwrap.io = data;
+ kwrap.io_size = sizeof(data);
+
+ ret = ioctl(cfd, NCRIO_KEY_WRAP, &kwrap);
+ if (ret && i != 2) {
+ fprintf(stderr, "Error[%d-%d]: %s:%d\n", i, sizes[i], __func__, __LINE__);
+ /* wrapping should have been allowed */
+ return 1;
+ } else if (ret == 0 && i == 2) {
+ fprintf(stderr, "Error[%d-%d]: %s:%d\n", i, sizes[i], __func__, __LINE__);
+ /* wrapping shouldn't have been allowed */
+ return 1;
+ }
+ }
+
+ fprintf(stdout, " Success\n");
+ return 0;
+}
+
#define RSA_ENCRYPT_SIZE 32
static int rsa_key_encrypt(int cfd, ncr_key_t privkey, ncr_key_t pubkey, int oaep)
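Review bot: In the private-key branch for `i == 2`, any failure of NCRIO_KEY_WRAP is counted as the expected refusal, so an unrelated error would let the test pass without exercising the key-strength check. One candidate is `data[DATA_SIZE]` being too small for a wrapped 5200-bit private key, which cannot be ruled out here because DATA_SIZE is defined outside this hunk. Consider asserting on the specific errno that check sets, and at minimum add `perror("ioctl(NCRIO_KEY_WRAP)");` to the failure branches as the other ioctl checks in this function do. The hard-coded `i != 2` also ties the expectation to a position in `sizes[]`; a parallel `const int allowed[] = {1, 1, 0};` would keep each size next to its expected outcome. Note too that when `geteuid() != 0` the function returns after initialising `privkey` and `pubkey` without using them, so moving the euid check above those two NCRIO_KEY_INIT calls would avoid leaving unused key descriptors behind.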
@@ -961,6 +1074,9 @@ main()
if (test_ncr_dsa(fd))
return 1;
+
+ if (test_ncr_wrap_key3(fd))
+ return 1;
/* Close the original descriptor */
if (close(fd)) {