
Commit c4a9f05

SUNRPC: Add encryption self-tests
With the KUnit infrastructure recently added, we are free to define other unit tests particular to our implementation. As an example, I've added a self-test that encrypts then decrypts a string, and checks the result. Tested-by: Scott Mayhew <[email protected]> Reviewed-by: Simo Sorce <[email protected]> Signed-off-by: Chuck Lever <[email protected]>
1 parent 4d2d15c commit c4a9f05


3 files changed

+142
-5
lines changed


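--- a/net/sunrpc/auth_gss/gss_krb5_crypto.c
+++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c
@@ -713,10 +713,21 @@ int krb5_cbc_cts_encrypt(struct crypto_sync_skcipher *cts_tfm,
 }
 EXPORT_SYMBOL_IF_KUNIT(krb5_cbc_cts_encrypt);
 
-static int
-krb5_cbc_cts_decrypt(struct crypto_sync_skcipher *cts_tfm,
-struct crypto_sync_skcipher *cbc_tfm,
-u32 offset, struct xdr_buf *buf)
+/**
+* krb5_cbc_cts_decrypt - decrypt in CBC mode with CTS
+* @cts_tfm: CBC cipher with CTS
+* @cbc_tfm: base CBC cipher
+* @offset: starting byte offset for plaintext
+* @buf: OUT: output buffer
+*
+* Return values:
+* %0: decryption successful
+* negative errno: decryption could not be completed
+*/
+VISIBLE_IF_KUNIT
+int krb5_cbc_cts_decrypt(struct crypto_sync_skcipher *cts_tfm,
+struct crypto_sync_skcipher *cbc_tfm,
+u32 offset, struct xdr_buf *buf)
 {
 u32 blocksize, nblocks, cbcbytes;
 struct decryptor_desc desc;
@@ -752,6 +763,7 @@ krb5_cbc_cts_decrypt(struct crypto_sync_skcipher *cts_tfm,
 /* Remaining plaintext is handled with CBC-CTS. */
 return gss_krb5_cts_crypt(cts_tfm, buf, cbcbytes, desc.iv, NULL, 0);
 }
+EXPORT_SYMBOL_IF_KUNIT(krb5_cbc_cts_decrypt);
 
 u32
 gss_krb5_aes_encrypt(struct krb5_ctx *kctx, u32 offset,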
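Review bot: The new kernel-doc on krb5_cbc_cts_decrypt describes `@buf` as `OUT: output buffer` and `@offset` as the plaintext offset, which reads as carried over from the encrypt side; the self-test in this commit hands the same xdr_buf to encrypt and then to decrypt, so here the buffer holds ciphertext on entry and plaintext on return. I would write `@offset: starting byte offset of the ciphertext in @buf` and `@buf: IN/OUT: ciphertext on entry, decrypted in place`. The signature takes only the two cipher handles and no checksum key, so this helper presumably performs no integrity check; a kdoc sentence saying that callers must verify the message checksum before trusting the output would keep the now KUnit-visible symbol from being mistaken for a complete decrypt path. Most of the function body lies between the two hunks and is not shown, so the in-place behaviour should be confirmed against it.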

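--- a/net/sunrpc/auth_gss/gss_krb5_internal.h
+++ b/net/sunrpc/auth_gss/gss_krb5_internal.h
@@ -221,6 +221,9 @@ int krb5_cbc_cts_encrypt(struct crypto_sync_skcipher *cts_tfm,
 struct crypto_sync_skcipher *cbc_tfm, u32 offset,
 struct xdr_buf *buf, struct page **pages,
 u8 *iv, unsigned int ivsize);
+int krb5_cbc_cts_decrypt(struct crypto_sync_skcipher *cts_tfm,
+struct crypto_sync_skcipher *cbc_tfm,
+u32 offset, struct xdr_buf *buf);
 u32 krb5_etm_checksum(struct crypto_sync_skcipher *cipher,
 struct crypto_ahash *tfm, const struct xdr_buf *body,
 int body_offset, struct xdr_netobj *cksumout);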

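--- a/net/sunrpc/auth_gss/gss_krb5_test.c
+++ b/net/sunrpc/auth_gss/gss_krb5_test.c
@@ -1909,10 +1909,132 @@ static struct kunit_suite rfc8009_suite = {
 .test_cases = rfc8009_test_cases,
 };
 
+/*
+* Encryption self-tests
+*/
+
+DEFINE_STR_XDR_NETOBJ(encrypt_selftest_plaintext,
+"This is the plaintext for the encryption self-test.");
+
+static const struct gss_krb5_test_param encrypt_selftest_params[] = {
+{
+.desc = "aes128-cts-hmac-sha1-96 encryption self-test",
+.enctype = ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+.Ke = &rfc3962_encryption_key,
+.plaintext = &encrypt_selftest_plaintext,
+},
+{
+.desc = "aes256-cts-hmac-sha1-96 encryption self-test",
+.enctype = ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+.Ke = &rfc3962_encryption_key,
+.plaintext = &encrypt_selftest_plaintext,
+},
+{
+.desc = "camellia128-cts-cmac encryption self-test",
+.enctype = ENCTYPE_CAMELLIA128_CTS_CMAC,
+.Ke = &camellia128_cts_cmac_Ke,
+.plaintext = &encrypt_selftest_plaintext,
+},
+{
+.desc = "camellia256-cts-cmac encryption self-test",
+.enctype = ENCTYPE_CAMELLIA256_CTS_CMAC,
+.Ke = &camellia256_cts_cmac_Ke,
+.plaintext = &encrypt_selftest_plaintext,
+},
+{
+.desc = "aes128-cts-hmac-sha256-128 encryption self-test",
+.enctype = ENCTYPE_AES128_CTS_HMAC_SHA256_128,
+.Ke = &aes128_cts_hmac_sha256_128_Ke,
+.plaintext = &encrypt_selftest_plaintext,
+},
+{
+.desc = "aes256-cts-hmac-sha384-192 encryption self-test",
+.enctype = ENCTYPE_AES256_CTS_HMAC_SHA384_192,
+.Ke = &aes256_cts_hmac_sha384_192_Ke,
+.plaintext = &encrypt_selftest_plaintext,
+},
+};
+
+/* Creates the function encrypt_selftest_gen_params */
+KUNIT_ARRAY_PARAM(encrypt_selftest, encrypt_selftest_params,
+gss_krb5_get_desc);
+
+/*
+* Encrypt and decrypt plaintext, and ensure the input plaintext
+* matches the output plaintext. A confounder is not added in this
+* case.
+*/
+static void encrypt_selftest_case(struct kunit *test)
+{
+const struct gss_krb5_test_param *param = test->param_value;
+struct crypto_sync_skcipher *cts_tfm, *cbc_tfm;
+const struct gss_krb5_enctype *gk5e;
+struct xdr_buf buf;
+void *text;
+int err;
+
+/* Arrange */
+gk5e = gss_krb5_lookup_enctype(param->enctype);
+KUNIT_ASSERT_NOT_NULL(test, gk5e);
+
+cbc_tfm = crypto_alloc_sync_skcipher(gk5e->aux_cipher, 0, 0);
+KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cbc_tfm);
+err = crypto_sync_skcipher_setkey(cbc_tfm, param->Ke->data, param->Ke->len);
+KUNIT_ASSERT_EQ(test, err, 0);
+
+cts_tfm = crypto_alloc_sync_skcipher(gk5e->encrypt_name, 0, 0);
+KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cts_tfm);
+err = crypto_sync_skcipher_setkey(cts_tfm, param->Ke->data, param->Ke->len);
+KUNIT_ASSERT_EQ(test, err, 0);
+
+text = kunit_kzalloc(test, roundup(param->plaintext->len,
+crypto_sync_skcipher_blocksize(cbc_tfm)),
+GFP_KERNEL);
+KUNIT_ASSERT_NOT_ERR_OR_NULL(test, text);
+
+memcpy(text, param->plaintext->data, param->plaintext->len);
+memset(&buf, 0, sizeof(buf));
+buf.head[0].iov_base = text;
+buf.head[0].iov_len = param->plaintext->len;
+buf.len = buf.head[0].iov_len;
+
+/* Act */
+err = krb5_cbc_cts_encrypt(cts_tfm, cbc_tfm, 0, &buf, NULL, NULL, 0);
+KUNIT_ASSERT_EQ(test, err, 0);
+err = krb5_cbc_cts_decrypt(cts_tfm, cbc_tfm, 0, &buf);
+KUNIT_ASSERT_EQ(test, err, 0);
+
+/* Assert */
+KUNIT_EXPECT_EQ_MSG(test,
+param->plaintext->len, buf.len,
+"length mismatch");
+KUNIT_EXPECT_EQ_MSG(test,
+memcmp(param->plaintext->data,
+buf.head[0].iov_base, buf.len), 0,
+"plaintext mismatch");
+
+crypto_free_sync_skcipher(cts_tfm);
+crypto_free_sync_skcipher(cbc_tfm);
+}
+
+static struct kunit_case encryption_test_cases[] = {
+{
+.name = "Encryption self-tests",
+.run_case = encrypt_selftest_case,
+.generate_params = encrypt_selftest_gen_params,
+},
+};
+
+static struct kunit_suite encryption_test_suite = {
+.name = "Encryption test suite",
+.test_cases = encryption_test_cases,
+};
+
 kunit_test_suites(&rfc3961_suite,
 &rfc3962_suite,
 &rfc6803_suite,
-&rfc8009_suite);
+&rfc8009_suite,
+&encryption_test_suite);
 
 MODULE_DESCRIPTION("Test RPCSEC GSS Kerberos 5 functions");
 MODULE_LICENSE("GPL");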
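Review bot: The round trip in encrypt_selftest_case still passes if krb5_cbc_cts_encrypt and krb5_cbc_cts_decrypt both leave the buffer untouched, because nothing between the two calls under `/* Act */` checks that the data changed. Adding `KUNIT_EXPECT_NE_MSG(test, memcmp(param->plaintext->data, buf.head[0].iov_base, buf.len), 0, "ciphertext matches plaintext");` right after the encrypt assertion closes that gap. Under `/* Assert */` the length comparison is a non-fatal EXPECT, yet the memcmp that follows is sized by `buf.len`, so a too-large length would read past the plaintext object; making the length check `KUNIT_ASSERT_EQ_MSG`, or sizing the memcmp with `param->plaintext->len`, avoids that. Every KUNIT_ASSERT_* after the first crypto_alloc_sync_skcipher() aborts the case before the two crypto_free_sync_skcipher() calls at the end, so a failing run leaks the transforms; non-fatal checks that jump to a shared cleanup label would release them. The aes256-cts-hmac-sha1-96 entry reuses `rfc3962_encryption_key`, whose length is not visible in this hunk; if it is a 128-bit key, that case never exercises a 256-bit key.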
