[v1,41/41] SUNRPC: Add encryption self-tests

Message ID	167362354712.8960.13059050669153981213.stgit@bazille.1015granger.net (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-nfs-owner@vger.kernel.org> Subject: [PATCH v1 41/41] SUNRPC: Add encryption self-tests From: Chuck Lever <cel@kernel.org> To: linux-nfs@vger.kernel.org Cc: dhowells@redhat.com, simo@redhat.com Date: Fri, 13 Jan 2023 10:25:47 -0500 Message-ID: <167362354712.8960.13059050669153981213.stgit@bazille.1015granger.net> In-Reply-To: <167362164696.8960.16701168753472560115.stgit@bazille.1015granger.net> References: <167362164696.8960.16701168753472560115.stgit@bazille.1015granger.net> User-Agent: StGit/1.5 MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Precedence: bulk
Series	RPCSEC GSS krb5 enhancements \| expand [v1,00/41] RPCSEC GSS krb5 enhancements [v1,01/41] SUNRPC: Add header ifdefs to linux/sunrpc/gss_krb5.h [v1,02/41] SUNRPC: Remove .blocksize field from struct gss_krb5_enctype [v1,03/41] SUNRPC: Remove .conflen field from struct gss_krb5_enctype [v1,04/41] SUNRPC: Improve Kerberos confounder generation [v1,05/41] SUNRPC: Obscure Kerberos session key [v1,06/41] SUNRPC: Refactor set-up for aux_cipher [v1,07/41] SUNRPC: Obscure Kerberos encryption keys [v1,08/41] SUNRPC: Obscure Kerberos signing keys [v1,09/41] SUNRPC: Obscure Kerberos integrity keys [v1,10/41] SUNRPC: Refactor the GSS-API Per Message calls in the Kerberos mechanism [v1,11/41] SUNRPC: Remove another switch on ctx->enctype [v1,12/41] SUNRPC: Add /proc/net/rpc/gss_krb5_enctypes file [v1,13/41] NFSD: Replace /proc/fs/nfsd/supported_krb5_enctypes with a symlink [v1,14/41] SUNRPC: Replace KRB5_SUPPORTED_ENCTYPES macro [v1,15/41] SUNRPC: Enable rpcsec_gss_krb5.ko to be built without CRYPTO_DES [v1,16/41] SUNRPC: Remove ->encrypt and ->decrypt methods from struct gss_krb5_enctype [v1,17/41] SUNRPC: Rename .encrypt_v2 and .decrypt_v2 methods [v1,18/41] SUNRPC: Hoist KDF into struct gss_krb5_enctype [v1,19/41] SUNRPC: Clean up cipher set up for v1 encryption types [v1,20/41] SUNRPC: Parametrize the key length passed to context_v2_alloc_cipher() [v1,21/41] SUNRPC: Add new subkey length fields [v1,22/41] SUNRPC: Refactor CBC with CTS into helpers [v1,23/41] SUNRPC: Add gk5e definitions for RFC 8009 encryption types [v1,24/41] SUNRPC: Add KDF-HMAC-SHA2 [v1,25/41] SUNRPC: Add RFC 8009 encryption and decryption functions [v1,26/41] SUNRPC: Advertise support for RFC 8009 encryption types [v1,27/41] SUNRPC: Support the Camellia enctypes [v1,28/41] SUNRPC: Add KDF_FEEDBACK_CMAC [v1,29/41] SUNRPC: Advertise support for the Camellia encryption types [v1,30/41] SUNRPC: Move remaining internal definitions to gss_krb5_internal.h [v1,31/41] SUNRPC: Add KUnit tests for rpcsec_krb5.ko [v1,32/41] SUNRPC: Export get_gss_krb5_enctype() [v1,33/41] SUNRPC: Add KUnit tests RFC 3961 Key Derivation [v1,34/41] SUNRPC: Add Kunit tests for RFC 3962-defined encryption/decryption [v1,35/41] SUNRPC: Add KDF KUnit tests for the RFC 6803 encryption types [v1,36/41] SUNRPC: Add checksum KUnit tests for the RFC 6803 encryption types [v1,37/41] SUNRPC: Add encryption KUnit tests for the RFC 6803 encryption types [v1,38/41] SUNRPC: Add KDF-HMAC-SHA2 Kunit tests [v1,39/41] SUNRPC: Add RFC 8009 checksum KUnit tests [v1,40/41] SUNRPC: Add RFC 8009 encryption KUnit tests [v1,41/41] SUNRPC: Add encryption self-tests

Message ID

167362354712.8960.13059050669153981213.stgit@bazille.1015granger.net (mailing list archive)

State

New, archived

Headers

Subject: [PATCH v1 41/41] SUNRPC: Add encryption self-tests
From: Chuck Lever <cel@kernel.org>
To: linux-nfs@vger.kernel.org
Cc: dhowells@redhat.com, simo@redhat.com
Date: Fri, 13 Jan 2023 10:25:47 -0500
Message-ID: 
 <167362354712.8960.13059050669153981213.stgit@bazille.1015granger.net>
In-Reply-To: 
 <167362164696.8960.16701168753472560115.stgit@bazille.1015granger.net>
References: 
 <167362164696.8960.16701168753472560115.stgit@bazille.1015granger.net>
User-Agent: StGit/1.5
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
Precedence: bulk

Series

RPCSEC GSS krb5 enhancements | expand

Commit Message

Chuck Lever Jan. 13, 2023, 3:25 p.m. UTC

From: Chuck Lever <chuck.lever@oracle.com>

With the KUnit infrastructure recently added, we are free to define
other unit tests particular to our implementation. As an example,
I've added a self-test that encrypts then decrypts a string, and
checks the result.

Tested-by: Scott Mayhew <smayhew@redhat.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
---
 net/sunrpc/auth_gss/gss_krb5_crypto.c   |   20 ++++-
 net/sunrpc/auth_gss/gss_krb5_internal.h |    3 +
 net/sunrpc/auth_gss/gss_krb5_test.c     |  124 +++++++++++++++++++++++++++++++
 3 files changed, 142 insertions(+), 5 deletions(-)

diff --git a/net/sunrpc/auth_gss/gss_krb5_crypto.c b/net/sunrpc/auth_gss/gss_krb5_crypto.c
index e37d341a761b..14c21c2e03dc 100644
--- a/net/sunrpc/auth_gss/gss_krb5_crypto.c
+++ b/net/sunrpc/auth_gss/gss_krb5_crypto.c
@@ -708,10 +708,21 @@  int krb5_cbc_cts_encrypt(struct crypto_sync_skcipher *cts_tfm,
 }
 EXPORT_SYMBOL_IF_KUNIT(krb5_cbc_cts_encrypt);
 
-static int
-krb5_cbc_cts_decrypt(struct crypto_sync_skcipher *cts_tfm,
-		     struct crypto_sync_skcipher *cbc_tfm,
-		     u32 offset, struct xdr_buf *buf)
+/**
+ * krb5_cbc_cts_decrypt - decrypt in CBC mode with CTS
+ * @cts_tfm: CBC cipher with CTS
+ * @cbc_tfm: base CBC cipher
+ * @offset: starting byte offset for plaintext
+ * @buf: OUT: output buffer
+ *
+ * Return values:
+ *   %0: decryption successful
+ *   negative errno: decryption could not be completed
+ */
+VISIBLE_IF_KUNIT
+int krb5_cbc_cts_decrypt(struct crypto_sync_skcipher *cts_tfm,
+			 struct crypto_sync_skcipher *cbc_tfm,
+			 u32 offset, struct xdr_buf *buf)
 {
 	u32 blocksize, nblocks, cbcbytes;
 	struct decryptor_desc desc;
@@ -747,6 +758,7 @@  krb5_cbc_cts_decrypt(struct crypto_sync_skcipher *cts_tfm,
 	/* Remaining plaintext is handled with CBC-CTS. */
 	return gss_krb5_cts_crypt(cts_tfm, buf, cbcbytes, desc.iv, NULL, 0);
 }
+EXPORT_SYMBOL_IF_KUNIT(krb5_cbc_cts_decrypt);
 
 u32
 gss_krb5_aes_encrypt(struct krb5_ctx *kctx, u32 offset,
diff --git a/net/sunrpc/auth_gss/gss_krb5_internal.h b/net/sunrpc/auth_gss/gss_krb5_internal.h
index bcc8992e274a..957aa4e38e9a 100644
--- a/net/sunrpc/auth_gss/gss_krb5_internal.h
+++ b/net/sunrpc/auth_gss/gss_krb5_internal.h
@@ -224,6 +224,9 @@  int krb5_cbc_cts_encrypt(struct crypto_sync_skcipher *cts_tfm,
 			 struct crypto_sync_skcipher *cbc_tfm, u32 offset,
 			 struct xdr_buf *buf, struct page **pages,
 			 u8 *iv, unsigned int ivsize);
+int krb5_cbc_cts_decrypt(struct crypto_sync_skcipher *cts_tfm,
+			 struct crypto_sync_skcipher *cbc_tfm,
+			 u32 offset, struct xdr_buf *buf);
 u32 krb5_etm_checksum(struct crypto_sync_skcipher *cipher,
 		      struct crypto_ahash *tfm, const struct xdr_buf *body,
 		      int body_offset, struct xdr_netobj *cksumout);
diff --git a/net/sunrpc/auth_gss/gss_krb5_test.c b/net/sunrpc/auth_gss/gss_krb5_test.c
index fe3e4b81221a..c287ce15c419 100644
--- a/net/sunrpc/auth_gss/gss_krb5_test.c
+++ b/net/sunrpc/auth_gss/gss_krb5_test.c
@@ -1909,10 +1909,132 @@  static struct kunit_suite rfc8009_suite = {
 	.test_cases		= rfc8009_test_cases,
 };
 
+/*
+ * Encryption self-tests
+ */
+
+DEFINE_STR_XDR_NETOBJ(encrypt_selftest_plaintext,
+		      "This is the plaintext for the encryption self-test.");
+
+static const struct gss_krb5_test_param encrypt_selftest_params[] = {
+	{
+		.desc			= "aes128-cts-hmac-sha1-96 encryption self-test",
+		.enctype		= ENCTYPE_AES128_CTS_HMAC_SHA1_96,
+		.Ke			= &rfc3962_encryption_key,
+		.plaintext		= &encrypt_selftest_plaintext,
+	},
+	{
+		.desc			= "aes256-cts-hmac-sha1-96 encryption self-test",
+		.enctype		= ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+		.Ke			= &rfc3962_encryption_key,
+		.plaintext		= &encrypt_selftest_plaintext,
+	},
+	{
+		.desc			= "camellia128-cts-cmac encryption self-test",
+		.enctype		= ENCTYPE_CAMELLIA128_CTS_CMAC,
+		.Ke			= &camellia128_cts_cmac_Ke,
+		.plaintext		= &encrypt_selftest_plaintext,
+	},
+	{
+		.desc			= "camellia256-cts-cmac encryption self-test",
+		.enctype		= ENCTYPE_CAMELLIA256_CTS_CMAC,
+		.Ke			= &camellia256_cts_cmac_Ke,
+		.plaintext		= &encrypt_selftest_plaintext,
+	},
+	{
+		.desc			= "aes128-cts-hmac-sha256-128 encryption self-test",
+		.enctype		= ENCTYPE_AES128_CTS_HMAC_SHA256_128,
+		.Ke			= &aes128_cts_hmac_sha256_128_Ke,
+		.plaintext		= &encrypt_selftest_plaintext,
+	},
+	{
+		.desc			= "aes256-cts-hmac-sha384-192 encryption self-test",
+		.enctype		= ENCTYPE_AES256_CTS_HMAC_SHA384_192,
+		.Ke			= &aes256_cts_hmac_sha384_192_Ke,
+		.plaintext		= &encrypt_selftest_plaintext,
+	},
+};
+
+/* Creates the function encrypt_selftest_gen_params */
+KUNIT_ARRAY_PARAM(encrypt_selftest, encrypt_selftest_params,
+		  gss_krb5_get_desc);
+
+/*
+ * Encrypt and decrypt plaintext, and ensure the input plaintext
+ * matches the output plaintext. A confounder is not added in this
+ * case.
+ */
+static void encrypt_selftest_case(struct kunit *test)
+{
+	const struct gss_krb5_test_param *param = test->param_value;
+	struct crypto_sync_skcipher *cts_tfm, *cbc_tfm;
+	const struct gss_krb5_enctype *gk5e;
+	struct xdr_buf buf;
+	void *text;
+	int err;
+
+	/* Arrange */
+	gk5e = gss_krb5_lookup_enctype(param->enctype);
+	KUNIT_ASSERT_NOT_NULL(test, gk5e);
+
+	cbc_tfm = crypto_alloc_sync_skcipher(gk5e->aux_cipher, 0, 0);
+	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cbc_tfm);
+	err = crypto_sync_skcipher_setkey(cbc_tfm, param->Ke->data, param->Ke->len);
+	KUNIT_ASSERT_EQ(test, err, 0);
+
+	cts_tfm = crypto_alloc_sync_skcipher(gk5e->encrypt_name, 0, 0);
+	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, cts_tfm);
+	err = crypto_sync_skcipher_setkey(cts_tfm, param->Ke->data, param->Ke->len);
+	KUNIT_ASSERT_EQ(test, err, 0);
+
+	text = kunit_kzalloc(test, roundup(param->plaintext->len,
+					   crypto_sync_skcipher_blocksize(cbc_tfm)),
+			     GFP_KERNEL);
+	KUNIT_ASSERT_NOT_ERR_OR_NULL(test, text);
+
+	memcpy(text, param->plaintext->data, param->plaintext->len);
+	memset(&buf, 0, sizeof(buf));
+	buf.head[0].iov_base = text;
+	buf.head[0].iov_len = param->plaintext->len;
+	buf.len = buf.head[0].iov_len;
+
+	/* Act */
+	err = krb5_cbc_cts_encrypt(cts_tfm, cbc_tfm, 0, &buf, NULL, NULL, 0);
+	KUNIT_ASSERT_EQ(test, err, 0);
+	err = krb5_cbc_cts_decrypt(cts_tfm, cbc_tfm, 0, &buf);
+	KUNIT_ASSERT_EQ(test, err, 0);
+
+	/* Assert */
+	KUNIT_EXPECT_EQ_MSG(test,
+			    param->plaintext->len, buf.len,
+			    "length mismatch");
+	KUNIT_EXPECT_EQ_MSG(test,
+			    memcmp(param->plaintext->data,
+				   buf.head[0].iov_base, buf.len), 0,
+			    "plaintext mismatch");
+
+	crypto_free_sync_skcipher(cts_tfm);
+	crypto_free_sync_skcipher(cbc_tfm);
+}
+
+static struct kunit_case encryption_test_cases[] = {
+	{
+		.name			= "Encryption self-tests",
+		.run_case		= encrypt_selftest_case,
+		.generate_params	= encrypt_selftest_gen_params,
+	},
+};
+
+static struct kunit_suite encryption_test_suite = {
+	.name			= "Encryption test suite",
+	.test_cases		= encryption_test_cases,
+};
+
 kunit_test_suites(&rfc3961_suite,
 		  &rfc3962_suite,
 		  &rfc6803_suite,
-		  &rfc8009_suite);
+		  &rfc8009_suite,
+		  &encryption_test_suite);
 
 MODULE_DESCRIPTION("Test RPCSEC GSS Kerberos 5 functions");
 MODULE_LICENSE("GPL");

[v1,41/41] SUNRPC: Add encryption self-tests

Commit Message

Patch