SYS-OSS/FRET-qemu
4
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Misc crypto subsystem fixes

Browse Source 
* Improve error message for large files when creating LUKS volumes
 * Expand crypto hash benchmark coverage
 * Misc code refactoring with no functional change
 -----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEE2vOm/bJrYpEtDo4/vobrtBUQT98FAl7nTuUACgkQvobrtBUQ
 T9+XaBAAmltHevHpxxBFVRl0PsTNAYxjD33MwGRfU4/sCmgZ/7xkSnQo+nQSYy3j
 eOjKOPfKRoRA4lcCkUYiLHiJfRgQ4W5C8TCToUIW938bUUjKbxZ28woMZJpkts6T
 m+A1Uy8dknZcMN/xVYL45vx1+L1S12l9XjJsFJkYNvNsMF3/fcV3t5oNJFEEKDLe
 nPCrZHpMV/2afVX85YA9cDHYQe7rZXX+g+BDLBKg5bo2VylOTasGZ4PHeOqeLVCR
 0LzkYFS5MZJpgthyxifgchkYuW46+zEP+B9RrpIWDNme9Wl85lhi75FIcbYriBC4
 eFNN+y5An4Bk9w+SbSh0EhGuORJia+WnkzGLJ/lB1ezMXkYDpa9lOG8pYSRcvHIu
 xsBobwhBrsHIViJvxbHLlugHN89YihiMa2bYcVCaNaxj452JbmfvxKf4YjAuTk1Z
 dwYjwD49CsPSyEzl73YOnf+p3ibi3q+WlvMqp4cgfh81ZJQwnISeDAxKIBYtY9oQ
 PLBV6qoSYdiT4F9T0Ib1WZxqSRQRDQt05xCWHCNTv/QePI7u9NMa9DyO1UhpMbh0
 FSPfsjtauiG6qLBfxerQ/XqnX6epg1yod887vcwQjctPmO8KDThz7UfgkWsaco02
 czyA5WbdT/An1oiPSIlCnYLUqjnuPhteTxh/rQkTo2CrLabFx08=
 =ifSb
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/berrange/tags/qcrypto-next-pull-request' into staging

Misc crypto subsystem fixes

* Improve error message for large files when creating LUKS volumes
* Expand crypto hash benchmark coverage
* Misc code refactoring with no functional change

# gpg: Signature made Mon 15 Jun 2020 11:35:17 BST
# gpg:                using RSA key DAF3A6FDB26B62912D0E8E3FBE86EBB415104FDF
# gpg: Good signature from "Daniel P. Berrange <dan@berrange.com>" [full]
# gpg:                 aka "Daniel P. Berrange <berrange@redhat.com>" [full]
# Primary key fingerprint: DAF3 A6FD B26B 6291 2D0E  8E3F BE86 EBB4 1510 4FDF

* remotes/berrange/tags/qcrypto-next-pull-request:
  crypto: Remove use of GCRYPT_VERSION macro.
  test-crypto-secret: add 'secret_keyring' object tests.
  crypto/linux_keyring: add 'secret_keyring' secret object.
  crypto/secret: move main logic from 'secret' to 'secret_common'.
  crypto: add "none" random provider

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
This commit is contained in:
Peter Maydell 2020-06-15 16:36:34 +01:00
commit 53550e81e2
12 changed files with 966 additions and 359 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

80
configure vendored
View File

@ -509,6 +509,8 @@ libpmem=""
default_devices="yes" default_devices="yes"
plugins="no" plugins="no"
fuzzing="no" fuzzing="no"
rng_none="no"
secret_keyring=""
supported_cpu="no" supported_cpu="no"
supported_os="no" supported_os="no"
@ -1601,6 +1603,14 @@ for opt do
;; ;;
--gdb=*) gdb_bin="$optarg" --gdb=*) gdb_bin="$optarg"
;; ;;
--enable-rng-none) rng_none=yes
;;
--disable-rng-none) rng_none=no
;;
--enable-keyring) secret_keyring="yes"
;;
--disable-keyring) secret_keyring="no"
;;
*) *)
echo "ERROR: unknown option $opt" echo "ERROR: unknown option $opt"
echo "Try '$0 --help' for more information" echo "Try '$0 --help' for more information"
@ -1898,6 +1908,7 @@ disabled with --disable-FEATURE, default is enabled if available:
debug-mutex mutex debugging support debug-mutex mutex debugging support
libpmem libpmem support libpmem libpmem support
xkbcommon xkbcommon support xkbcommon xkbcommon support
rng-none dummy RNG, avoid using /dev/(u)random and getrandom()
NOTE: The object files are built at the place where configure is launched NOTE: The object files are built at the place where configure is launched
EOF EOF
@ -6284,6 +6295,62 @@ case "$slirp" in
;; ;;
esac esac
##########################################
# check for usable __NR_keyctl syscall
if test "$linux" = "yes" ; then
have_keyring=no
cat > $TMPC << EOF
#include <errno.h>
#include <asm/unistd.h>
#include <linux/keyctl.h>
#include <unistd.h>
int main(void) {
return syscall(__NR_keyctl, KEYCTL_READ, 0, NULL, NULL, 0);
}
EOF
if compile_prog "" "" ; then
have_keyring=yes
fi
fi
if test "$secret_keyring" != "no"
then
if test "$have_keyring" == "yes"
then
secret_keyring=yes
else
if test "$secret_keyring" = "yes"
then
error_exit "syscall __NR_keyctl requested, \
but not implemented on your system"
else
secret_keyring=no
fi
fi
fi
##########################################
# check for usable keyutils.h
if test "$linux" = "yes" ; then
have_keyutils=no
cat > $TMPC << EOF
#include <errno.h>
#include <asm/unistd.h>
#include <unistd.h>
#include <sys/types.h>
#include <keyutils.h>
int main(void) {
return request_key("user", NULL, NULL, 0);
}
EOF
if compile_prog "" "-lkeyutils"; then
have_keyutils=yes
fi
fi
########################################## ##########################################
# End of CC checks # End of CC checks
@ -6767,6 +6834,8 @@ echo "default devices $default_devices"
echo "plugin support $plugins" echo "plugin support $plugins"
echo "fuzzing support $fuzzing" echo "fuzzing support $fuzzing"
echo "gdb $gdb_bin" echo "gdb $gdb_bin"
echo "rng-none $rng_none"
echo "Linux keyring $secret_keyring"
if test "$supported_cpu" = "no"; then if test "$supported_cpu" = "no"; then
echo echo
@ -7652,6 +7721,13 @@ if test -n "$gdb_bin" ; then
echo "HAVE_GDB_BIN=$gdb_bin" >> $config_host_mak echo "HAVE_GDB_BIN=$gdb_bin" >> $config_host_mak
fi fi
if test "$secret_keyring" = "yes" ; then
echo "CONFIG_SECRET_KEYRING=y" >> $config_host_mak
if test "$have_keyutils" = "yes" ; then
echo "CONFIG_TEST_SECRET_KEYRING=y" >> $config_host_mak
fi
fi
if test "$tcg_interpreter" = "yes"; then if test "$tcg_interpreter" = "yes"; then
QEMU_INCLUDES="-iquote \$(SRC_PATH)/tcg/tci $QEMU_INCLUDES" QEMU_INCLUDES="-iquote \$(SRC_PATH)/tcg/tci $QEMU_INCLUDES"
elif test "$ARCH" = "sparc64" ; then elif test "$ARCH" = "sparc64" ; then
@ -7744,6 +7820,10 @@ if test "$edk2_blobs" = "yes" ; then
echo "DECOMPRESS_EDK2_BLOBS=y" >> $config_host_mak echo "DECOMPRESS_EDK2_BLOBS=y" >> $config_host_mak
fi fi
if test "$rng_none" = "yes"; then
echo "CONFIG_RNG_NONE=y" >> $config_host_mak
fi
# use included Linux headers # use included Linux headers
if test "$linux" = "yes" ; then if test "$linux" = "yes" ; then
mkdir -p linux-headers mkdir -p linux-headers

5
crypto/Makefile.objs
View File

@ -18,7 +18,9 @@ crypto-obj-y += tlscredsanon.o
crypto-obj-y += tlscredspsk.o crypto-obj-y += tlscredspsk.o
crypto-obj-y += tlscredsx509.o crypto-obj-y += tlscredsx509.o
crypto-obj-y += tlssession.o crypto-obj-y += tlssession.o
crypto-obj-y += secret_common.o
crypto-obj-y += secret.o crypto-obj-y += secret.o
crypto-obj-$(CONFIG_SECRET_KEYRING) += secret_keyring.o
crypto-obj-y += pbkdf.o crypto-obj-y += pbkdf.o
crypto-obj-$(CONFIG_NETTLE) += pbkdf-nettle.o crypto-obj-$(CONFIG_NETTLE) += pbkdf-nettle.o
crypto-obj-$(if $(CONFIG_NETTLE),n,$(CONFIG_GCRYPT)) += pbkdf-gcrypt.o crypto-obj-$(if $(CONFIG_NETTLE),n,$(CONFIG_GCRYPT)) += pbkdf-gcrypt.o
@ -35,5 +37,6 @@ crypto-obj-y += block-luks.o
util-obj-$(CONFIG_GCRYPT) += random-gcrypt.o util-obj-$(CONFIG_GCRYPT) += random-gcrypt.o
util-obj-$(if $(CONFIG_GCRYPT),n,$(CONFIG_GNUTLS)) += random-gnutls.o util-obj-$(if $(CONFIG_GCRYPT),n,$(CONFIG_GNUTLS)) += random-gnutls.o
util-obj-$(if $(CONFIG_GCRYPT),n,$(if $(CONFIG_GNUTLS),n,y)) += random-platform.o util-obj-$(if $(CONFIG_GCRYPT),n,$(if $(CONFIG_GNUTLS),n,$(CONFIG_RNG_NONE))) += random-none.o
util-obj-$(if $(CONFIG_GCRYPT),n,$(if $(CONFIG_GNUTLS),n,$(if $(CONFIG_RNG_NONE),n,y))) += random-platform.o
util-obj-y += aes.o init.o util-obj-y += aes.o init.o

2
crypto/init.c
View File

@ -122,7 +122,7 @@ int qcrypto_init(Error **errp)
#endif #endif
#ifdef CONFIG_GCRYPT #ifdef CONFIG_GCRYPT
if (!gcry_check_version(GCRYPT_VERSION)) { if (!gcry_check_version(NULL)) {
error_setg(errp, "Unable to initialize gcrypt"); error_setg(errp, "Unable to initialize gcrypt");
return -1; return -1;
} }

38
crypto/random-none.c Normal file
View File

@ -0,0 +1,38 @@
/*
* QEMU Crypto "none" random number provider
*
* Copyright (c) 2020 Marek Marczykowski-Górecki
* <marmarek@invisiblethingslab.com>
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, see <http://www.gnu.org/licenses/>.
*
*/
#include "qemu/osdep.h"
#include "crypto/random.h"
#include "qapi/error.h"
int qcrypto_random_init(Error **errp)
{
return 0;
}
int qcrypto_random_bytes(void *buf,
size_t buflen,
Error **errp)
{
error_setg(errp, "Random bytes not available with \"none\" rng");
return -1;
}

347
crypto/secret.c
View File

@ -20,16 +20,14 @@
#include "qemu/osdep.h" #include "qemu/osdep.h"
#include "crypto/secret.h" #include "crypto/secret.h"
#include "crypto/cipher.h"
#include "qapi/error.h" #include "qapi/error.h"
#include "qom/object_interfaces.h" #include "qom/object_interfaces.h"
#include "qemu/base64.h"
#include "qemu/module.h" #include "qemu/module.h"
#include "trace.h" #include "trace.h"
static void static void
qcrypto_secret_load_data(QCryptoSecret *secret, qcrypto_secret_load_data(QCryptoSecretCommon *sec_common,
uint8_t **output, uint8_t **output,
size_t *outputlen, size_t *outputlen,
Error **errp) Error **errp)
@ -38,6 +36,8 @@ qcrypto_secret_load_data(QCryptoSecret *secret,
size_t length = 0; size_t length = 0;
GError *gerr = NULL; GError *gerr = NULL;
QCryptoSecret *secret = QCRYPTO_SECRET(sec_common);
*output = NULL; *output = NULL;
*outputlen = 0; *outputlen = 0;
@ -65,198 +65,6 @@ qcrypto_secret_load_data(QCryptoSecret *secret,
} }
static void qcrypto_secret_decrypt(QCryptoSecret *secret,
const uint8_t *input,
size_t inputlen,
uint8_t **output,
size_t *outputlen,
Error **errp)
{
g_autofree uint8_t *key = NULL;
g_autofree uint8_t *ciphertext = NULL;
g_autofree uint8_t *iv = NULL;
size_t keylen, ciphertextlen, ivlen;
g_autoptr(QCryptoCipher) aes = NULL;
g_autofree uint8_t *plaintext = NULL;
*output = NULL;
*outputlen = 0;
if (qcrypto_secret_lookup(secret->keyid,
&key, &keylen,
errp) < 0) {
return;
}
if (keylen != 32) {
error_setg(errp, "Key should be 32 bytes in length");
return;
}
if (!secret->iv) {
error_setg(errp, "IV is required to decrypt secret");
return;
}
iv = qbase64_decode(secret->iv, -1, &ivlen, errp);
if (!iv) {
return;
}
if (ivlen != 16) {
error_setg(errp, "IV should be 16 bytes in length not %zu",
ivlen);
return;
}
aes = qcrypto_cipher_new(QCRYPTO_CIPHER_ALG_AES_256,
QCRYPTO_CIPHER_MODE_CBC,
key, keylen,
errp);
if (!aes) {
return;
}
if (qcrypto_cipher_setiv(aes, iv, ivlen, errp) < 0) {
return;
}
if (secret->format == QCRYPTO_SECRET_FORMAT_BASE64) {
ciphertext = qbase64_decode((const gchar*)input,
inputlen,
&ciphertextlen,
errp);
if (!ciphertext) {
return;
}
plaintext = g_new0(uint8_t, ciphertextlen + 1);
} else {
ciphertextlen = inputlen;
plaintext = g_new0(uint8_t, inputlen + 1);
}
if (qcrypto_cipher_decrypt(aes,
ciphertext ? ciphertext : input,
plaintext,
ciphertextlen,
errp) < 0) {
return;
}
if (plaintext[ciphertextlen - 1] > 16 ||
plaintext[ciphertextlen - 1] > ciphertextlen) {
error_setg(errp, "Incorrect number of padding bytes (%d) "
"found on decrypted data",
(int)plaintext[ciphertextlen - 1]);
return;
}
/* Even though plaintext may contain arbitrary NUL
* ensure it is explicitly NUL terminated.
*/
ciphertextlen -= plaintext[ciphertextlen - 1];
plaintext[ciphertextlen] = '\0';
*output = g_steal_pointer(&plaintext);
*outputlen = ciphertextlen;
}
static void qcrypto_secret_decode(const uint8_t *input,
size_t inputlen,
uint8_t **output,
size_t *outputlen,
Error **errp)
{
*output = qbase64_decode((const gchar*)input,
inputlen,
outputlen,
errp);
}
static void
qcrypto_secret_prop_set_loaded(Object *obj,
bool value,
Error **errp)
{
QCryptoSecret *secret = QCRYPTO_SECRET(obj);
if (value) {
Error *local_err = NULL;
uint8_t *input = NULL;
size_t inputlen = 0;
uint8_t *output = NULL;
size_t outputlen = 0;
qcrypto_secret_load_data(secret, &input, &inputlen, &local_err);
if (local_err) {
error_propagate(errp, local_err);
return;
}
if (secret->keyid) {
qcrypto_secret_decrypt(secret, input, inputlen,
&output, &outputlen, &local_err);
g_free(input);
if (local_err) {
error_propagate(errp, local_err);
return;
}
input = output;
inputlen = outputlen;
} else {
if (secret->format == QCRYPTO_SECRET_FORMAT_BASE64) {
qcrypto_secret_decode(input, inputlen,
&output, &outputlen, &local_err);
g_free(input);
if (local_err) {
error_propagate(errp, local_err);
return;
}
input = output;
inputlen = outputlen;
}
}
secret->rawdata = input;
secret->rawlen = inputlen;
} else {
g_free(secret->rawdata);
secret->rawdata = NULL;
secret->rawlen = 0;
}
}
static bool
qcrypto_secret_prop_get_loaded(Object *obj,
Error **errp G_GNUC_UNUSED)
{
QCryptoSecret *secret = QCRYPTO_SECRET(obj);
return secret->rawdata != NULL;
}
static void
qcrypto_secret_prop_set_format(Object *obj,
int value,
Error **errp G_GNUC_UNUSED)
{
QCryptoSecret *creds = QCRYPTO_SECRET(obj);
creds->format = value;
}
static int
qcrypto_secret_prop_get_format(Object *obj,
Error **errp G_GNUC_UNUSED)
{
QCryptoSecret *creds = QCRYPTO_SECRET(obj);
return creds->format;
}
static void static void
qcrypto_secret_prop_set_data(Object *obj, qcrypto_secret_prop_set_data(Object *obj,
const char *value, const char *value,
@ -299,48 +107,6 @@ qcrypto_secret_prop_get_file(Object *obj,
} }
static void
qcrypto_secret_prop_set_iv(Object *obj,
const char *value,
Error **errp)
{
QCryptoSecret *secret = QCRYPTO_SECRET(obj);
g_free(secret->iv);
secret->iv = g_strdup(value);
}
static char *
qcrypto_secret_prop_get_iv(Object *obj,
Error **errp)
{
QCryptoSecret *secret = QCRYPTO_SECRET(obj);
return g_strdup(secret->iv);
}
static void
qcrypto_secret_prop_set_keyid(Object *obj,
const char *value,
Error **errp)
{
QCryptoSecret *secret = QCRYPTO_SECRET(obj);
g_free(secret->keyid);
secret->keyid = g_strdup(value);
}
static char *
qcrypto_secret_prop_get_keyid(Object *obj,
Error **errp)
{
QCryptoSecret *secret = QCRYPTO_SECRET(obj);
return g_strdup(secret->keyid);
}
static void static void
qcrypto_secret_complete(UserCreatable *uc, Error **errp) qcrypto_secret_complete(UserCreatable *uc, Error **errp)
{ {
@ -353,129 +119,30 @@ qcrypto_secret_finalize(Object *obj)
{ {
QCryptoSecret *secret = QCRYPTO_SECRET(obj); QCryptoSecret *secret = QCRYPTO_SECRET(obj);
g_free(secret->iv);
g_free(secret->file); g_free(secret->file);
g_free(secret->keyid);
g_free(secret->rawdata);
g_free(secret->data); g_free(secret->data);
} }
static void static void
qcrypto_secret_class_init(ObjectClass *oc, void *data) qcrypto_secret_class_init(ObjectClass *oc, void *data)
{ {
UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc); QCryptoSecretCommonClass *sic = QCRYPTO_SECRET_COMMON_CLASS(oc);
sic->load_data = qcrypto_secret_load_data;
UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
ucc->complete = qcrypto_secret_complete; ucc->complete = qcrypto_secret_complete;
object_class_property_add_bool(oc, "loaded",
qcrypto_secret_prop_get_loaded,
qcrypto_secret_prop_set_loaded);
object_class_property_add_enum(oc, "format",
"QCryptoSecretFormat",
&QCryptoSecretFormat_lookup,
qcrypto_secret_prop_get_format,
qcrypto_secret_prop_set_format);
object_class_property_add_str(oc, "data", object_class_property_add_str(oc, "data",
qcrypto_secret_prop_get_data, qcrypto_secret_prop_get_data,
qcrypto_secret_prop_set_data); qcrypto_secret_prop_set_data);
object_class_property_add_str(oc, "file", object_class_property_add_str(oc, "file",
qcrypto_secret_prop_get_file, qcrypto_secret_prop_get_file,
qcrypto_secret_prop_set_file); qcrypto_secret_prop_set_file);
object_class_property_add_str(oc, "keyid",
qcrypto_secret_prop_get_keyid,
qcrypto_secret_prop_set_keyid);
object_class_property_add_str(oc, "iv",
qcrypto_secret_prop_get_iv,
qcrypto_secret_prop_set_iv);
}
int qcrypto_secret_lookup(const char *secretid,
uint8_t **data,
size_t *datalen,
Error **errp)
{
Object *obj;
QCryptoSecret *secret;
obj = object_resolve_path_component(
object_get_objects_root(), secretid);
if (!obj) {
error_setg(errp, "No secret with id '%s'", secretid);
return -1;
}
secret = (QCryptoSecret *)
object_dynamic_cast(obj,
TYPE_QCRYPTO_SECRET);
if (!secret) {
error_setg(errp, "Object with id '%s' is not a secret",
secretid);
return -1;
}
if (!secret->rawdata) {
error_setg(errp, "Secret with id '%s' has no data",
secretid);
return -1;
}
*data = g_new0(uint8_t, secret->rawlen + 1);
memcpy(*data, secret->rawdata, secret->rawlen);
(*data)[secret->rawlen] = '\0';
*datalen = secret->rawlen;
return 0;
}
char *qcrypto_secret_lookup_as_utf8(const char *secretid,
Error **errp)
{
uint8_t *data;
size_t datalen;
if (qcrypto_secret_lookup(secretid,
&data,
&datalen,
errp) < 0) {
return NULL;
}
if (!g_utf8_validate((const gchar*)data, datalen, NULL)) {
error_setg(errp,
"Data from secret %s is not valid UTF-8",
secretid);
g_free(data);
return NULL;
}
return (char *)data;
}
char *qcrypto_secret_lookup_as_base64(const char *secretid,
Error **errp)
{
uint8_t *data;
size_t datalen;
char *ret;
if (qcrypto_secret_lookup(secretid,
&data,
&datalen,
errp) < 0) {
return NULL;
}
ret = g_base64_encode(data, datalen);
g_free(data);
return ret;
} }
static const TypeInfo qcrypto_secret_info = { static const TypeInfo qcrypto_secret_info = {
.parent = TYPE_OBJECT, .parent = TYPE_QCRYPTO_SECRET_COMMON,
.name = TYPE_QCRYPTO_SECRET, .name = TYPE_QCRYPTO_SECRET,
.instance_size = sizeof(QCryptoSecret), .instance_size = sizeof(QCryptoSecret),
.instance_finalize = qcrypto_secret_finalize, .instance_finalize = qcrypto_secret_finalize,

403
crypto/secret_common.c Normal file
View File

@ -0,0 +1,403 @@
/*
* QEMU crypto secret support
*
* Copyright (c) 2015 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, see <http://www.gnu.org/licenses/>.
*
*/
#include "qemu/osdep.h"
#include "crypto/secret_common.h"
#include "crypto/cipher.h"
#include "qapi/error.h"
#include "qom/object_interfaces.h"
#include "qemu/base64.h"
#include "qemu/module.h"
#include "trace.h"
static void qcrypto_secret_decrypt(QCryptoSecretCommon *secret,
const uint8_t *input,
size_t inputlen,
uint8_t **output,
size_t *outputlen,
Error **errp)
{
g_autofree uint8_t *iv = NULL;
g_autofree uint8_t *key = NULL;
g_autofree uint8_t *ciphertext = NULL;
size_t keylen, ciphertextlen, ivlen;
g_autoptr(QCryptoCipher) aes = NULL;
g_autofree uint8_t *plaintext = NULL;
*output = NULL;
*outputlen = 0;
if (qcrypto_secret_lookup(secret->keyid,
&key, &keylen,
errp) < 0) {
return;
}
if (keylen != 32) {
error_setg(errp, "Key should be 32 bytes in length");
return;
}
if (!secret->iv) {
error_setg(errp, "IV is required to decrypt secret");
return;
}
iv = qbase64_decode(secret->iv, -1, &ivlen, errp);
if (!iv) {
return;
}
if (ivlen != 16) {
error_setg(errp, "IV should be 16 bytes in length not %zu",
ivlen);
return;
}
aes = qcrypto_cipher_new(QCRYPTO_CIPHER_ALG_AES_256,
QCRYPTO_CIPHER_MODE_CBC,
key, keylen,
errp);
if (!aes) {
return;
}
if (qcrypto_cipher_setiv(aes, iv, ivlen, errp) < 0) {
return;
}
if (secret->format == QCRYPTO_SECRET_FORMAT_BASE64) {
ciphertext = qbase64_decode((const gchar *)input,
inputlen,
&ciphertextlen,
errp);
if (!ciphertext) {
return;
}
plaintext = g_new0(uint8_t, ciphertextlen + 1);
} else {
ciphertextlen = inputlen;
plaintext = g_new0(uint8_t, inputlen + 1);
}
if (qcrypto_cipher_decrypt(aes,
ciphertext ? ciphertext : input,
plaintext,
ciphertextlen,
errp) < 0) {
return;
}
if (plaintext[ciphertextlen - 1] > 16 ||
plaintext[ciphertextlen - 1] > ciphertextlen) {
error_setg(errp, "Incorrect number of padding bytes (%d) "
"found on decrypted data",
(int)plaintext[ciphertextlen - 1]);
return;
}
/*
* Even though plaintext may contain arbitrary NUL
* ensure it is explicitly NUL terminated.
*/
ciphertextlen -= plaintext[ciphertextlen - 1];
plaintext[ciphertextlen] = '\0';
*output = g_steal_pointer(&plaintext);
*outputlen = ciphertextlen;
}
static void qcrypto_secret_decode(const uint8_t *input,
size_t inputlen,
uint8_t **output,
size_t *outputlen,
Error **errp)
{
*output = qbase64_decode((const gchar *)input,
inputlen,
outputlen,
errp);
}
static void
qcrypto_secret_prop_set_loaded(Object *obj,
bool value,
Error **errp)
{
QCryptoSecretCommon *secret = QCRYPTO_SECRET_COMMON(obj);
QCryptoSecretCommonClass *sec_class
= QCRYPTO_SECRET_COMMON_GET_CLASS(obj);
if (value) {
Error *local_err = NULL;
uint8_t *input = NULL;
size_t inputlen = 0;
uint8_t *output = NULL;
size_t outputlen = 0;
if (sec_class->load_data) {
sec_class->load_data(secret, &input, &inputlen, &local_err);
if (local_err) {
error_propagate(errp, local_err);
return;
}
} else {
error_setg(errp, "%s provides no 'load_data' method'",
object_get_typename(obj));
return;
}
if (secret->keyid) {
qcrypto_secret_decrypt(secret, input, inputlen,
&output, &outputlen, &local_err);
g_free(input);
if (local_err) {
error_propagate(errp, local_err);
return;
}
input = output;
inputlen = outputlen;
} else {
if (secret->format == QCRYPTO_SECRET_FORMAT_BASE64) {
qcrypto_secret_decode(input, inputlen,
&output, &outputlen, &local_err);
g_free(input);
if (local_err) {
error_propagate(errp, local_err);
return;
}
input = output;
inputlen = outputlen;
}
}
secret->rawdata = input;
secret->rawlen = inputlen;
} else {
g_free(secret->rawdata);
secret->rawlen = 0;
}
}
static bool
qcrypto_secret_prop_get_loaded(Object *obj,
Error **errp G_GNUC_UNUSED)
{
QCryptoSecretCommon *secret = QCRYPTO_SECRET_COMMON(obj);
return secret->rawdata != NULL;
}
static void
qcrypto_secret_prop_set_format(Object *obj,
int value,
Error **errp G_GNUC_UNUSED)
{
QCryptoSecretCommon *creds = QCRYPTO_SECRET_COMMON(obj);
creds->format = value;
}
static int
qcrypto_secret_prop_get_format(Object *obj,
Error **errp G_GNUC_UNUSED)
{
QCryptoSecretCommon *creds = QCRYPTO_SECRET_COMMON(obj);
return creds->format;
}
static void
qcrypto_secret_prop_set_iv(Object *obj,
const char *value,
Error **errp)
{
QCryptoSecretCommon *secret = QCRYPTO_SECRET_COMMON(obj);
g_free(secret->iv);
secret->iv = g_strdup(value);
}
static char *
qcrypto_secret_prop_get_iv(Object *obj,
Error **errp)
{
QCryptoSecretCommon *secret = QCRYPTO_SECRET_COMMON(obj);
return g_strdup(secret->iv);
}
static void
qcrypto_secret_prop_set_keyid(Object *obj,
const char *value,
Error **errp)
{
QCryptoSecretCommon *secret = QCRYPTO_SECRET_COMMON(obj);
g_free(secret->keyid);
secret->keyid = g_strdup(value);
}
static char *
qcrypto_secret_prop_get_keyid(Object *obj,
Error **errp)
{
QCryptoSecretCommon *secret = QCRYPTO_SECRET_COMMON(obj);
return g_strdup(secret->keyid);
}
static void
qcrypto_secret_finalize(Object *obj)
{
QCryptoSecretCommon *secret = QCRYPTO_SECRET_COMMON(obj);
g_free(secret->iv);
g_free(secret->keyid);
g_free(secret->rawdata);
}
static void
qcrypto_secret_class_init(ObjectClass *oc, void *data)
{
object_class_property_add_bool(oc, "loaded",
qcrypto_secret_prop_get_loaded,
qcrypto_secret_prop_set_loaded);
object_class_property_add_enum(oc, "format",
"QCryptoSecretFormat",
&QCryptoSecretFormat_lookup,
qcrypto_secret_prop_get_format,
qcrypto_secret_prop_set_format);
object_class_property_add_str(oc, "keyid",
qcrypto_secret_prop_get_keyid,
qcrypto_secret_prop_set_keyid);
object_class_property_add_str(oc, "iv",
qcrypto_secret_prop_get_iv,
qcrypto_secret_prop_set_iv);
}
int qcrypto_secret_lookup(const char *secretid,
uint8_t **data,
size_t *datalen,
Error **errp)
{
Object *obj;
QCryptoSecretCommon *secret;
obj = object_resolve_path_component(
object_get_objects_root(), secretid);
if (!obj) {
error_setg(errp, "No secret with id '%s'", secretid);
return -1;
}
secret = (QCryptoSecretCommon *)
object_dynamic_cast(obj,
TYPE_QCRYPTO_SECRET_COMMON);
if (!secret) {
error_setg(errp, "Object with id '%s' is not a secret",
secretid);
return -1;
}
if (!secret->rawdata) {
error_setg(errp, "Secret with id '%s' has no data",
secretid);
return -1;
}
*data = g_new0(uint8_t, secret->rawlen + 1);
memcpy(*data, secret->rawdata, secret->rawlen);
(*data)[secret->rawlen] = '\0';
*datalen = secret->rawlen;
return 0;
}
char *qcrypto_secret_lookup_as_utf8(const char *secretid,
Error **errp)
{
uint8_t *data;
size_t datalen;
if (qcrypto_secret_lookup(secretid,
&data,
&datalen,
errp) < 0) {
return NULL;
}
if (!g_utf8_validate((const gchar *)data, datalen, NULL)) {
error_setg(errp,
"Data from secret %s is not valid UTF-8",
secretid);
g_free(data);
return NULL;
}
return (char *)data;
}
char *qcrypto_secret_lookup_as_base64(const char *secretid,
Error **errp)
{
uint8_t *data;
size_t datalen;
char *ret;
if (qcrypto_secret_lookup(secretid,
&data,
&datalen,
errp) < 0) {
return NULL;
}
ret = g_base64_encode(data, datalen);
g_free(data);
return ret;
}
static const TypeInfo qcrypto_secret_info = {
.parent = TYPE_OBJECT,
.name = TYPE_QCRYPTO_SECRET_COMMON,
.instance_size = sizeof(QCryptoSecretCommon),
.instance_finalize = qcrypto_secret_finalize,
.class_size = sizeof(QCryptoSecretCommonClass),
.class_init = qcrypto_secret_class_init,
.abstract = true,
};
static void
qcrypto_secret_register_types(void)
{
type_register_static(&qcrypto_secret_info);
}
type_init(qcrypto_secret_register_types);

148
crypto/secret_keyring.c Normal file
View File

@ -0,0 +1,148 @@
/*
* QEMU crypto secret support
*
* Copyright 2020 Yandex N.V.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, see <http://www.gnu.org/licenses/>.
*
*/
#include "qemu/osdep.h"
#include <asm/unistd.h>
#include <linux/keyctl.h>
#include "qapi/error.h"
#include "qom/object_interfaces.h"
#include "trace.h"
#include "crypto/secret_keyring.h"
static inline
long keyctl_read(int32_t key, uint8_t *buffer, size_t buflen)
{
return syscall(__NR_keyctl, KEYCTL_READ, key, buffer, buflen, 0);
}
static void
qcrypto_secret_keyring_load_data(QCryptoSecretCommon *sec_common,
uint8_t **output,
size_t *outputlen,
Error **errp)
{
QCryptoSecretKeyring *secret = QCRYPTO_SECRET_KEYRING(sec_common);
uint8_t *buffer = NULL;
long retcode;
*output = NULL;
*outputlen = 0;
if (!secret->serial) {
error_setg(errp, "'serial' parameter must be provided");
return;
}
retcode = keyctl_read(secret->serial, NULL, 0);
if (retcode <= 0) {
goto keyctl_error;
}
buffer = g_new0(uint8_t, retcode);
retcode = keyctl_read(secret->serial, buffer, retcode);
if (retcode < 0) {
g_free(buffer);
goto keyctl_error;
}
*outputlen = retcode;
*output = buffer;
return;
keyctl_error:
error_setg_errno(errp, errno,
"Unable to read serial key %08x",
secret->serial);
}
static void
qcrypto_secret_prop_set_key(Object *obj, Visitor *v,
const char *name, void *opaque,
Error **errp)
{
QCryptoSecretKeyring *secret = QCRYPTO_SECRET_KEYRING(obj);
int32_t value;
visit_type_int32(v, name, &value, errp);
if (!value) {
error_setg(errp, "'serial' should not be equal to 0");
}
secret->serial = value;
}
static void
qcrypto_secret_prop_get_key(Object *obj, Visitor *v,
const char *name, void *opaque,
Error **errp)
{
QCryptoSecretKeyring *secret = QCRYPTO_SECRET_KEYRING(obj);
int32_t value = secret->serial;
visit_type_int32(v, name, &value, errp);
}
static void
qcrypto_secret_keyring_complete(UserCreatable *uc, Error **errp)
{
object_property_set_bool(OBJECT(uc), true, "loaded", errp);
}
static void
qcrypto_secret_keyring_class_init(ObjectClass *oc, void *data)
{
QCryptoSecretCommonClass *sic = QCRYPTO_SECRET_COMMON_CLASS(oc);
sic->load_data = qcrypto_secret_keyring_load_data;
UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
ucc->complete = qcrypto_secret_keyring_complete;
object_class_property_add(oc, "serial", "int32_t",
qcrypto_secret_prop_get_key,
qcrypto_secret_prop_set_key,
NULL, NULL);
}
static const TypeInfo qcrypto_secret_info = {
.parent = TYPE_QCRYPTO_SECRET_COMMON,
.name = TYPE_QCRYPTO_SECRET_KEYRING,
.instance_size = sizeof(QCryptoSecretKeyring),
.class_size = sizeof(QCryptoSecretKeyringClass),
.class_init = qcrypto_secret_keyring_class_init,
.interfaces = (InterfaceInfo[]) {
{ TYPE_USER_CREATABLE },
{ }
}
};
static void
qcrypto_secret_register_types(void)
{
type_register_static(&qcrypto_secret_info);
}
type_init(qcrypto_secret_register_types);

20
include/crypto/secret.h
View File

@ -23,6 +23,7 @@
#include "qapi/qapi-types-crypto.h" #include "qapi/qapi-types-crypto.h"
#include "qom/object.h" #include "qom/object.h"
#include "crypto/secret_common.h"
#define TYPE_QCRYPTO_SECRET "secret" #define TYPE_QCRYPTO_SECRET "secret"
#define QCRYPTO_SECRET(obj) \ #define QCRYPTO_SECRET(obj) \
@ -119,29 +120,14 @@ typedef struct QCryptoSecretClass QCryptoSecretClass;
*/ */
struct QCryptoSecret { struct QCryptoSecret {
Object parent_obj; QCryptoSecretCommon parent_obj;
uint8_t *rawdata;
size_t rawlen;
QCryptoSecretFormat format;
char *data; char *data;
char *file; char *file;
char *keyid;
char *iv;
}; };
struct QCryptoSecretClass { struct QCryptoSecretClass {
ObjectClass parent_class; QCryptoSecretCommonClass parent_class;
}; };
extern int qcrypto_secret_lookup(const char *secretid,
uint8_t **data,
size_t *datalen,
Error **errp);
extern char *qcrypto_secret_lookup_as_utf8(const char *secretid,
Error **errp);
extern char *qcrypto_secret_lookup_as_base64(const char *secretid,
Error **errp);
#endif /* QCRYPTO_SECRET_H */ #endif /* QCRYPTO_SECRET_H */

68
include/crypto/secret_common.h Normal file
View File

@ -0,0 +1,68 @@
/*
* QEMU crypto secret support
*
* Copyright (c) 2015 Red Hat, Inc.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, see <http://www.gnu.org/licenses/>.
*
*/
#ifndef QCRYPTO_SECRET_COMMON_H
#define QCRYPTO_SECRET_COMMON_H
#include "qapi/qapi-types-crypto.h"
#include "qom/object.h"
#define TYPE_QCRYPTO_SECRET_COMMON "secret_common"
#define QCRYPTO_SECRET_COMMON(obj) \
OBJECT_CHECK(QCryptoSecretCommon, (obj), TYPE_QCRYPTO_SECRET_COMMON)
#define QCRYPTO_SECRET_COMMON_CLASS(class) \
OBJECT_CLASS_CHECK(QCryptoSecretCommonClass, \
(class), TYPE_QCRYPTO_SECRET_COMMON)
#define QCRYPTO_SECRET_COMMON_GET_CLASS(obj) \
OBJECT_GET_CLASS(QCryptoSecretCommonClass, \
(obj), TYPE_QCRYPTO_SECRET_COMMON)
typedef struct QCryptoSecretCommon QCryptoSecretCommon;
typedef struct QCryptoSecretCommonClass QCryptoSecretCommonClass;
struct QCryptoSecretCommon {
Object parent_obj;
uint8_t *rawdata;
size_t rawlen;
QCryptoSecretFormat format;
char *keyid;
char *iv;
};
struct QCryptoSecretCommonClass {
ObjectClass parent_class;
void (*load_data)(QCryptoSecretCommon *secret,
uint8_t **output,
size_t *outputlen,
Error **errp);
};
extern int qcrypto_secret_lookup(const char *secretid,
uint8_t **data,
size_t *datalen,
Error **errp);
extern char *qcrypto_secret_lookup_as_utf8(const char *secretid,
Error **errp);
extern char *qcrypto_secret_lookup_as_base64(const char *secretid,
Error **errp);
#endif /* QCRYPTO_SECRET_COMMON_H */

52
include/crypto/secret_keyring.h Normal file
View File

@ -0,0 +1,52 @@
/*
* QEMU crypto secret support
*
* Copyright 2020 Yandex N.V.
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, see <http://www.gnu.org/licenses/>.
*
*/
#ifndef QCRYPTO_SECRET_KEYRING_H
#define QCRYPTO_SECRET_KEYRING_H
#include "qapi/qapi-types-crypto.h"
#include "qom/object.h"
#include "crypto/secret_common.h"
#define TYPE_QCRYPTO_SECRET_KEYRING "secret_keyring"
#define QCRYPTO_SECRET_KEYRING(obj) \
OBJECT_CHECK(QCryptoSecretKeyring, (obj), \
TYPE_QCRYPTO_SECRET_KEYRING)
#define QCRYPTO_SECRET_KEYRING_CLASS(class) \
OBJECT_CLASS_CHECK(QCryptoSecretKeyringClass, \
(class), TYPE_QCRYPTO_SECRET_KEYRING)
#define QCRYPTO_SECRET_KEYRING_GET_CLASS(class) \
OBJECT_GET_CLASS(QCryptoSecretKeyringClass, \
(class), TYPE_QCRYPTO_SECRET_KEYRING)
typedef struct QCryptoSecretKeyring QCryptoSecretKeyring;
typedef struct QCryptoSecretKeyringClass QCryptoSecretKeyringClass;
typedef struct QCryptoSecretKeyring {
QCryptoSecretCommon parent;
int32_t serial;
} QCryptoSecretKeyring;
typedef struct QCryptoSecretKeyringClass {
QCryptoSecretCommonClass parent;
} QCryptoSecretKeyringClass;
#endif /* QCRYPTO_SECRET_KEYRING_H */

4
tests/Makefile.include
View File

@ -540,6 +540,10 @@ tests/benchmark-crypto-cipher$(EXESUF): tests/benchmark-crypto-cipher.o $(test-c
tests/test-crypto-secret$(EXESUF): tests/test-crypto-secret.o $(test-crypto-obj-y) tests/test-crypto-secret$(EXESUF): tests/test-crypto-secret.o $(test-crypto-obj-y)
tests/test-crypto-xts$(EXESUF): tests/test-crypto-xts.o $(test-crypto-obj-y) tests/test-crypto-xts$(EXESUF): tests/test-crypto-xts.o $(test-crypto-obj-y)
ifeq ($(CONFIG_TEST_SECRET_KEYRING),y)
tests/test-crypto-secret.o-libs := -lkeyutils
endif
tests/crypto-tls-x509-helpers.o-cflags := $(TASN1_CFLAGS) tests/crypto-tls-x509-helpers.o-cflags := $(TASN1_CFLAGS)
tests/crypto-tls-x509-helpers.o-libs := $(TASN1_LIBS) tests/crypto-tls-x509-helpers.o-libs := $(TASN1_LIBS)
tests/pkix_asn1_tab.o-cflags := $(TASN1_CFLAGS) tests/pkix_asn1_tab.o-cflags := $(TASN1_CFLAGS)

158
tests/test-crypto-secret.c
View File

@ -24,6 +24,10 @@
#include "crypto/secret.h" #include "crypto/secret.h"
#include "qapi/error.h" #include "qapi/error.h"
#include "qemu/module.h" #include "qemu/module.h"
#ifdef CONFIG_TEST_SECRET_KEYRING
#include "crypto/secret_keyring.h"
#include <keyutils.h>
#endif
static void test_secret_direct(void) static void test_secret_direct(void)
{ {
@ -124,6 +128,147 @@ static void test_secret_indirect_emptyfile(void)
g_free(fname); g_free(fname);
} }
#ifdef CONFIG_TEST_SECRET_KEYRING
#define DESCRIPTION "qemu_test_secret"
#define PAYLOAD "Test Payload"
static void test_secret_keyring_good(void)
{
char key_str[16];
Object *sec;
int32_t key = add_key("user", DESCRIPTION, PAYLOAD,
strlen(PAYLOAD), KEY_SPEC_PROCESS_KEYRING);
g_assert(key >= 0);
snprintf(key_str, sizeof(key_str), "0x%08x", key);
sec = object_new_with_props(
TYPE_QCRYPTO_SECRET_KEYRING,
object_get_objects_root(),
"sec0",
&error_abort,
"serial", key_str,
NULL);
assert(0 <= keyctl_unlink(key, KEY_SPEC_PROCESS_KEYRING));
char *pw = qcrypto_secret_lookup_as_utf8("sec0",
&error_abort);
g_assert_cmpstr(pw, ==, PAYLOAD);
object_unparent(sec);
g_free(pw);
}
static void test_secret_keyring_revoked_key(void)
{
char key_str[16];
Object *sec;
int32_t key = add_key("user", DESCRIPTION, PAYLOAD,
strlen(PAYLOAD), KEY_SPEC_PROCESS_KEYRING);
g_assert(key >= 0);
g_assert_false(keyctl_revoke(key));
snprintf(key_str, sizeof(key_str), "0x%08x", key);
sec = object_new_with_props(
TYPE_QCRYPTO_SECRET_KEYRING,
object_get_objects_root(),
"sec0",
NULL,
"serial", key_str,
NULL);
g_assert(errno == EKEYREVOKED);
g_assert(sec == NULL);
keyctl_unlink(key, KEY_SPEC_PROCESS_KEYRING);
}
static void test_secret_keyring_expired_key(void)
{
char key_str[16];
Object *sec;
int32_t key = add_key("user", DESCRIPTION, PAYLOAD,
strlen(PAYLOAD), KEY_SPEC_PROCESS_KEYRING);
g_assert(key >= 0);
g_assert_false(keyctl_set_timeout(key, 1));
sleep(1);
snprintf(key_str, sizeof(key_str), "0x%08x", key);
sec = object_new_with_props(
TYPE_QCRYPTO_SECRET_KEYRING,
object_get_objects_root(),
"sec0",
NULL,
"serial", key_str,
NULL);
g_assert(errno == EKEYEXPIRED);
g_assert(sec == NULL);
keyctl_unlink(key, KEY_SPEC_PROCESS_KEYRING);
}
static void test_secret_keyring_bad_serial_key(void)
{
Object *sec;
sec = object_new_with_props(
TYPE_QCRYPTO_SECRET_KEYRING,
object_get_objects_root(),
"sec0",
NULL,
"serial", "1",
NULL);
g_assert(errno == ENOKEY);
g_assert(sec == NULL);
}
/*
* TODO
* test_secret_keyring_bad_key_access_right() is not working yet.
* We don't know yet if this due a bug in the Linux kernel or
* whether it's normal syscall behavior.
* We've requested information from kernel maintainers.
* See: <https://www.spinics.net/lists/keyrings/index.html>
* Thread: 'security/keys: remove possessor verify after key permission check'
*/
static void test_secret_keyring_bad_key_access_right(void)
{
char key_str[16];
Object *sec;
g_test_skip("TODO: Need responce from Linux kernel maintainers");
return;
int32_t key = add_key("user", DESCRIPTION, PAYLOAD,
strlen(PAYLOAD), KEY_SPEC_PROCESS_KEYRING);
g_assert(key >= 0);
g_assert_false(keyctl_setperm(key, KEY_POS_ALL & (~KEY_POS_READ)));
snprintf(key_str, sizeof(key_str), "0x%08x", key);
sec = object_new_with_props(
TYPE_QCRYPTO_SECRET_KEYRING,
object_get_objects_root(),
"sec0",
NULL,
"serial", key_str,
NULL);
g_assert(errno == EACCES);
g_assert(sec == NULL);
keyctl_unlink(key, KEY_SPEC_PROCESS_KEYRING);
}
#endif /* CONFIG_TEST_SECRET_KEYRING */
static void test_secret_noconv_base64_good(void) static void test_secret_noconv_base64_good(void)
{ {
@ -426,6 +571,19 @@ int main(int argc, char **argv)
g_test_add_func("/crypto/secret/indirect/emptyfile", g_test_add_func("/crypto/secret/indirect/emptyfile",
test_secret_indirect_emptyfile); test_secret_indirect_emptyfile);
#ifdef CONFIG_TEST_SECRET_KEYRING
g_test_add_func("/crypto/secret/keyring/good",
test_secret_keyring_good);
g_test_add_func("/crypto/secret/keyring/revoked_key",
test_secret_keyring_revoked_key);
g_test_add_func("/crypto/secret/keyring/expired_key",
test_secret_keyring_expired_key);
g_test_add_func("/crypto/secret/keyring/bad_serial_key",
test_secret_keyring_bad_serial_key);
g_test_add_func("/crypto/secret/keyring/bad_key_access_right",
test_secret_keyring_bad_key_access_right);
#endif /* CONFIG_TEST_SECRET_KEYRING */
g_test_add_func("/crypto/secret/noconv/base64/good", g_test_add_func("/crypto/secret/noconv/base64/good",
test_secret_noconv_base64_good); test_secret_noconv_base64_good);
g_test_add_func("/crypto/secret/noconv/base64/bad", g_test_add_func("/crypto/secret/noconv/base64/bad",