linux-integrity.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH v3] syscalls/keyctl09: test encrypted keys with provided decrypted data.
@ 2022-02-22 18:10 Yael Tzur
  2022-02-23 14:42 ` [LTP] " Cyril Hrubis
  0 siblings, 1 reply; 2+ messages in thread
From: Yael Tzur @ 2022-02-22 18:10 UTC (permalink / raw)
  To: ltp; +Cc: zohar, pvorel, linux-integrity, Yael Tzur

Test that encrypted keys can be instantiated using hex-ascii
encoded user-provided decrypted data.
(https://lore.kernel.org/lkml/20220215141953.1557009-1-yaelt@google.com/).

Signed-off-by: Yael Tzur <yaelt@google.com>
---

Notes:
    v -> v2: added key revocation and made styling changes.
    
    v2 -> v3: updated per latest kernel patch version.

 runtest/syscalls                            |  1 +
 testcases/kernel/syscalls/keyctl/.gitignore |  1 +
 testcases/kernel/syscalls/keyctl/keyctl09.c | 55 +++++++++++++++++++++
 3 files changed, 57 insertions(+)
 create mode 100644 testcases/kernel/syscalls/keyctl/keyctl09.c

diff --git a/runtest/syscalls b/runtest/syscalls
index bcf3d56c9..ccea1ddbd 100644
--- a/runtest/syscalls
+++ b/runtest/syscalls
@@ -643,6 +643,7 @@ keyctl05 keyctl05
 keyctl06 keyctl06
 keyctl07 keyctl07
 keyctl08 keyctl08
+keyctl09 keyctl09
 
 kcmp01 kcmp01
 kcmp02 kcmp02
diff --git a/testcases/kernel/syscalls/keyctl/.gitignore b/testcases/kernel/syscalls/keyctl/.gitignore
index 3544ac79c..f9948c176 100644
--- a/testcases/kernel/syscalls/keyctl/.gitignore
+++ b/testcases/kernel/syscalls/keyctl/.gitignore
@@ -6,3 +6,4 @@
 /keyctl06
 /keyctl07
 /keyctl08
+/keyctl09
diff --git a/testcases/kernel/syscalls/keyctl/keyctl09.c b/testcases/kernel/syscalls/keyctl/keyctl09.c
new file mode 100644
index 000000000..5d90a6a8d
--- /dev/null
+++ b/testcases/kernel/syscalls/keyctl/keyctl09.c
@@ -0,0 +1,55 @@
+// SPDX-License-Identifier: GPL-2.0-or-later
+/*
+ * Copyright (c) 2022 Google, Inc.
+ */
+
+/*\
+ * [Description]
+ * Test that encrypted keys can be instantiated using user-provided decrypted
+ * data that is hex-ascii encoded.
+ */
+
+#include "tst_test.h"
+#include "lapi/keyctl.h"
+
+#define ENCRYPTED_KEY_1_PAYLOAD	"new enc32 user:masterkey 32 abcdefABCDEF1234567890aaaaaaaaaa"
+#define ENCRYPTED_KEY_2_PAYLOAD	"new enc32 user:masterkey 32 plaintext123@123!123@123!123@123"
+
+static void do_test(void)
+{
+	key_serial_t masterkey;
+	key_serial_t encryptedkey1;
+	key_serial_t encryptedkey2;
+	char buffer[128];
+
+	masterkey = add_key("user", "user:masterkey", "foo", 3,
+			    KEY_SPEC_PROCESS_KEYRING);
+	if (masterkey == -1)
+		tst_brk(TBROK | TERRNO, "Failed to add user key");
+
+	encryptedkey1 = add_key("encrypted", "ltptestkey1", ENCRYPTED_KEY_1_PAYLOAD,
+				60, KEY_SPEC_PROCESS_KEYRING);
+	if (encryptedkey1 == -1)
+		tst_brk(TFAIL, "Failed to instantiate encrypted key using payload decrypted data");
+
+	TEST(keyctl(KEYCTL_READ, encryptedkey1, buffer, sizeof(buffer)));
+	if (TST_RET < 0)
+		tst_brk(TFAIL, "KEYCTL_READ failed for encryptedkey1");
+
+	encryptedkey2 = add_key("encrypted", "ltptestkey2", ENCRYPTED_KEY_2_PAYLOAD,
+				60, KEY_SPEC_PROCESS_KEYRING);
+	if (encryptedkey2 != -1)
+		tst_brk(TFAIL, "Instantiation of encrypted key using non hex-encoded decrypted data unexpectedly succeeded");
+
+	tst_res(TPASS, "Encrypted keys were instantiated with decrypted data as expected");
+
+	keyctl(KEYCTL_CLEAR, KEY_SPEC_PROCESS_KEYRING);
+}
+
+static struct tst_test test = {
+	.test_all = do_test,
+	.needs_kconfigs = (const char *[]) {
+		"CONFIG_USER_DECRYPTED_DATA=y",
+		NULL
+	}
+};
-- 
2.35.1.473.g83b2b277ed-goog


^ permalink raw reply related	[flat|nested] 2+ messages in thread
* Re: [LTP] [PATCH v3] syscalls/keyctl09: test encrypted keys with provided decrypted data.
  2022-02-22 18:10 [PATCH v3] syscalls/keyctl09: test encrypted keys with provided decrypted data Yael Tzur
@ 2022-02-23 14:42 ` Cyril Hrubis
  0 siblings, 0 replies; 2+ messages in thread
From: Cyril Hrubis @ 2022-02-23 14:42 UTC (permalink / raw)
  To: Yael Tzur; +Cc: ltp, linux-integrity

Hi!
> +static void do_test(void)
> +{
> +	key_serial_t masterkey;
> +	key_serial_t encryptedkey1;
> +	key_serial_t encryptedkey2;
> +	char buffer[128];
> +
> +	masterkey = add_key("user", "user:masterkey", "foo", 3,
> +			    KEY_SPEC_PROCESS_KEYRING);
> +	if (masterkey == -1)
> +		tst_brk(TBROK | TERRNO, "Failed to add user key");
> +
> +	encryptedkey1 = add_key("encrypted", "ltptestkey1", ENCRYPTED_KEY_1_PAYLOAD,
> +				60, KEY_SPEC_PROCESS_KEYRING);
> +	if (encryptedkey1 == -1)
> +		tst_brk(TFAIL, "Failed to instantiate encrypted key using payload decrypted data");

I guess that we should print errno (by adding the | TERRNO to the TFAIL)
here as well.

Also we can make the message shorter since the FAIL part is printed by
the library because of the TFAIL flag. So maybe something as:

	tst_brk(TFAIL | TERRNO, "instatiation of encrypted key with decrypted payload");

Which would print message as:

	foo.c:XX: TFAIL: instatiation of encrypted key with decrypted payload: ENOMEM (12)

Or even better use the LTP TST_EXP_*() macros which will generate most
of the code for you.

Assuming the return value from add_key() on success is >= 0 we can do:

	TST_EXP_POSITIVE(add_key("encrypted", "ltptestkey1",
	                         ENCRYPTED_KEY_1_PAYLOAD,
			         60, KEY_SPEC_PROCESS_KEYRING));

	if (!TST_PASS)
		return;

The TST_EXP_POSITIVE() has optional printf-like parameters if you want
to customize the message, so if you want to keep the original message
you can do:

	TST_EXP_POSITIVE(add_key(...),
	                 "instatiation of encrypted key with decrypted payload");

And the return value from add_key is stored in TST_RET.

> +	TEST(keyctl(KEYCTL_READ, encryptedkey1, buffer, sizeof(buffer)));
> +	if (TST_RET < 0)
> +		tst_brk(TFAIL, "KEYCTL_READ failed for encryptedkey1");

And here as well.

> +	encryptedkey2 = add_key("encrypted", "ltptestkey2", ENCRYPTED_KEY_2_PAYLOAD,
> +				60, KEY_SPEC_PROCESS_KEYRING);
> +	if (encryptedkey2 != -1)
> +		tst_brk(TFAIL, "Instantiation of encrypted key using non hex-encoded decrypted data unexpectedly succeeded");

We should check that the errno was set correctly here as well. We do
have a TST_EXP_FAIL() macro for this. If this is supposed to end with
EINVAL it can be simply done as:

	TST_EXP_FAIL2(add_key("encrypted", "ltptestkey2",
	              ENCRYPTED_KEY_2_PAYLOAD, 60,
		      KEY_SPEC_PROCESS_KEYRING), EINVAL);

And you can pass a printf-like parameters to this macro as well to
customize the message.

> +	tst_res(TPASS, "Encrypted keys were instantiated with decrypted data as expected");
> +
> +	keyctl(KEYCTL_CLEAR, KEY_SPEC_PROCESS_KEYRING);
> +}
> +
> +static struct tst_test test = {
> +	.test_all = do_test,
> +	.needs_kconfigs = (const char *[]) {
> +		"CONFIG_USER_DECRYPTED_DATA=y",
> +		NULL
> +	}
> +};

-- 
Cyril Hrubis
chrubis@suse.cz

^ permalink raw reply	[flat|nested] 2+ messages in thread
end of thread, other threads:[~2022-02-23 14:40 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-02-22 18:10 [PATCH v3] syscalls/keyctl09: test encrypted keys with provided decrypted data Yael Tzur
2022-02-23 14:42 ` [LTP] " Cyril Hrubis

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).