From cae368dde8571a165dfba201e6ec0b5c182e66a4 Mon Sep 17 00:00:00 2001 From: Miloslav Trmač Date: Tue, 24 Aug 2010 22:06:04 +0200 Subject: Port key wrapping tests to *_lib.c --- examples/pk_lib.c | 88 +++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 88 insertions(+) (limited to 'examples/pk_lib.c') diff --git a/examples/pk_lib.c b/examples/pk_lib.c index b184b78..39c1c3e 100644 --- a/examples/pk_lib.c +++ b/examples/pk_lib.c @@ -9,6 +9,7 @@ #include #include #include +#include #include #include 
@@ -452,6 +453,90 @@ ssize_t output_size; return 0; } +/* check whether wrapping of long keys is not allowed with + * shorted wrapping keys */ +static int +test_ncr_wrap_key3(void) +{ + int i; + ncr_key_t key; + size_t data_size; + ncr_key_generate_params_t kgen; + ncr_key_t pubkey, privkey; + uint8_t data[DATA_SIZE]; + /* only the first two should be allowed to be wrapped. + * the latter shouldn't because it has security level larger + * then 128 bits (the size of the wrapping key). + */ + const int sizes[] = {1024, 3248, 5200}; + ssize_t output_size; + + fprintf(stdout, "Tests on key wrapping (might take long): "); + fflush(stdout); + + /* convert it to key */ + DIAGNOSTIC_CALL(ncr_key_init, &privkey); + DIAGNOSTIC_CALL(ncr_key_init, &pubkey); + + if (geteuid() != 0) { + /* cannot test further */ + fprintf(stdout, "\t(Wrapping test not completed. Run as root)\n"); + return 0; + } + + /* make a wrapping key */ + DIAGNOSTIC_CALL(ncr_key_init, &key); + DIAGNOSTIC_CALL(ncr_key_import, key, "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B\x0C\x0D\x0E\x0F", 16, "ab", 2, NCR_ALG_AES_CBC, NCR_KEY_TYPE_SECRET, NCR_KEY_FLAG_EXPORTABLE|NCR_KEY_FLAG_WRAPPING); + + for (i=0;i= 0 && i == 2) { + DIAGNOSTIC_ERROR("[%d-%d]\n", i, sizes[i]); + /* wrapping shouldn't have been allowed */ + return 1; + } + + if (output_size >= 0) { + data_size = output_size; + + /* try unwrapping */ + DIAGNOSTIC_CALL(ncr_key_unwrap, key, + NCR_WALG_AES_RFC5649, NULL, privkey, + data, data_size, NCR_ALG_RSA, + NCR_KEY_TYPE_PRIVATE, 0); + } + fprintf(stdout, "*"); + fflush(stdout); + + } + + fprintf(stdout, " Success\n"); + return 0; +} + #define RSA_ENCRYPT_SIZE 32 static int rsa_key_encrypt(ncr_key_t privkey, ncr_key_t pubkey, int oaep) @@ -734,6 +819,9 @@ main() if (test_ncr_dsa()) return 1; + if (test_ncr_wrap_key3()) + return 1; + /* Close the original descriptor */ ncr_global_deinit(); -- cgit
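Review bot: In test_ncr_wrap_key3 the `geteuid() != 0` branch returns 0 after `ncr_key_init` has already run for privkey and pubkey, so an unprivileged run leaves both handles unreleased and reports the same status to main() as a real pass. Since this test guards the rule that a 128-bit wrapping key must not wrap the 5200-bit key, I would move the two init calls below the root check and make the skip distinguishable from success, or at least mark it with a comment on that `return 0` such as `/* skipped, not passed: the wrap policy was not exercised */`. The refusal case is tied to the literal `i == 2`; a comment like `/* sizes[2] is the only entry above the wrapping key's 128-bit level */` would keep it from drifting if sizes[] is edited. No release of key, pubkey or privkey is visible before the final `return 0` or the `return 1` either, though the loop header and the wrap call are not legible in this view of the hunk, so that may be handled there.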