* test_secret_seckey_bad_key_access_right() is not working yet. We don't know yet if this due a bag in the Linux kernel or whether it's normal syscall behavior. We've requested information from kernel maintainer.
Signed-off-by: Alexey Krasikov <alex-krasi...@yandex-team.ru> --- tests/test-crypto-secret.c | 138 +++++++++++++++++++++++++++++++++++++ 1 file changed, 138 insertions(+) diff --git a/tests/test-crypto-secret.c b/tests/test-crypto-secret.c index 13fc6c4c75..6b17fe3a81 100644 --- a/tests/test-crypto-secret.c +++ b/tests/test-crypto-secret.c @@ -22,8 +22,10 @@ #include "crypto/init.h" #include "crypto/secret.h" +#include "crypto/linux_keyring.h" #include "qapi/error.h" #include "qemu/module.h" +#include <keyutils.h> static void test_secret_direct(void) { @@ -125,6 +127,132 @@ static void test_secret_indirect_emptyfile(void) } +#define DESCRIPTION "qemu_test_secret" +#define PAYLOAD "Test Payload" + + +static void test_secret_seckey_good(void) +{ + char key_str[16]; + Object *sec; + key_serial_t key = add_key("user", DESCRIPTION, PAYLOAD, + strlen(PAYLOAD), KEY_SPEC_PROCESS_KEYRING); + + g_assert(key >= 0); + + snprintf(key_str, sizeof(key_str), "0x%08x", key); + sec = object_new_with_props( + TYPE_QCRYPTO_SECRET_LINUX_KEYRING, + object_get_objects_root(), + "sec0", + &error_abort, + "serial", key_str, + NULL); + + assert(0 <= keyctl_unlink(key, KEY_SPEC_PROCESS_KEYRING)); + char *pw = qcrypto_secret_lookup_as_utf8("sec0", + &error_abort); + g_assert_cmpstr(pw, ==, PAYLOAD); + + object_unparent(sec); + g_free(pw); +} + + +static void test_secret_seckey_revoked_key(void) +{ + char key_str[16]; + Object *sec; + key_serial_t key = add_key("user", DESCRIPTION, PAYLOAD, + strlen(PAYLOAD), KEY_SPEC_PROCESS_KEYRING); + g_assert(key >= 0); + g_assert_false(keyctl_revoke(key)); + + snprintf(key_str, sizeof(key_str), "0x%08x", key); + sec = object_new_with_props( + TYPE_QCRYPTO_SECRET_LINUX_KEYRING, + object_get_objects_root(), + "sec0", + NULL, + "serial", key_str, + NULL); + + g_assert(errno == EKEYREVOKED); + g_assert(sec == NULL); + + keyctl_unlink(key, KEY_SPEC_PROCESS_KEYRING); +} + + +static void test_secret_seckey_expired_key(void) +{ + char key_str[16]; + Object *sec; + key_serial_t key = add_key("user", DESCRIPTION, PAYLOAD, + strlen(PAYLOAD), KEY_SPEC_PROCESS_KEYRING); + g_assert(key >= 0); + g_assert_false(keyctl_set_timeout(key, 1)); + sleep(1); + + snprintf(key_str, sizeof(key_str), "0x%08x", key); + sec = object_new_with_props( + TYPE_QCRYPTO_SECRET_LINUX_KEYRING, + object_get_objects_root(), + "sec0", + NULL, + "serial", key_str, + NULL); + + g_assert(errno == EKEYEXPIRED); + g_assert(sec == NULL); + + keyctl_unlink(key, KEY_SPEC_PROCESS_KEYRING); +} + + +static void test_secret_seckey_bad_serial_key(void) +{ + Object *sec; + + sec = object_new_with_props( + TYPE_QCRYPTO_SECRET, + object_get_objects_root(), + "sec0", + NULL, + "serial", "1", + NULL); + + g_assert(errno == ENOKEY); + g_assert(sec == NULL); +} + + +static void test_secret_seckey_bad_key_access_right(void) +{ + char key_str[16]; + Object *sec; + key_serial_t key = add_key("user", DESCRIPTION, PAYLOAD, + strlen(PAYLOAD), KEY_SPEC_PROCESS_KEYRING); + g_assert(key >= 0); + g_assert_false(keyctl_setperm(key, KEY_POS_ALL & (~KEY_POS_READ))); + + snprintf(key_str, sizeof(key_str), "0x%08x", key); + + sec = object_new_with_props( + TYPE_QCRYPTO_SECRET_LINUX_KEYRING, + object_get_objects_root(), + "sec0", + NULL, + "serial", key_str, + NULL); + + g_assert(errno == EACCES); + g_assert(sec == NULL); + + keyctl_unlink(key, KEY_SPEC_PROCESS_KEYRING); +} + + static void test_secret_noconv_base64_good(void) { Object *sec = object_new_with_props( @@ -425,6 +553,16 @@ int main(int argc, char **argv) test_secret_indirect_badfile); g_test_add_func("/crypto/secret/indirect/emptyfile", test_secret_indirect_emptyfile); + g_test_add_func("/crypto/secret/seckey/good", + test_secret_seckey_good); + g_test_add_func("/crypto/secret/seckey/revoked_key", + test_secret_seckey_revoked_key); + g_test_add_func("/crypto/secret/seckey/expired_key", + test_secret_seckey_expired_key); + g_test_add_func("/crypto/secret/seckey/bad_serial_key", + test_secret_seckey_bad_serial_key); + g_test_add_func("/crypto/secret/seckey/bad_key_access_right", + test_secret_seckey_bad_key_access_right); g_test_add_func("/crypto/secret/noconv/base64/good", test_secret_noconv_base64_good); -- 2.17.1