several fixes

fix Botan deprecation in kyber code fix build system remove comments reverse ifdefs and config.h inclusion in rnp.h fix false positive in CodeQL
pqc-thunderbird · Sep 7, 2023 · 54daacd · 54daacd
1 parent 3e2aac2
commit 54daacd
Show file tree

Hide file tree

Showing 6 changed files with 20 additions and 25 deletions.
diff --git a/include/rnp/rnp.h b/include/rnp/rnp.h
@@ -30,7 +30,6 @@
 #include <stddef.h>
 #include <stdint.h>
 #include <stdio.h>
-#include "config.h"
 
 #if defined(__cplusplus)
 extern "C" {
@@ -1177,7 +1176,6 @@ RNP_API rnp_result_t rnp_op_generate_clear_pref_ciphers(rnp_op_generate_t op);
 RNP_API rnp_result_t rnp_op_generate_set_pref_keyserver(rnp_op_generate_t op,
                                                         const char *      keyserver);
 
-#if defined(ENABLE_CRYPTO_REFRESH)
 /** Set the generated key version to v6.
  * NOTE: This is an experimantal feature and this function can be replaced (or removed) at any
  * time.
@@ -1186,9 +1184,7 @@ RNP_API rnp_result_t rnp_op_generate_set_pref_keyserver(rnp_op_generate_t op,
  * @return RNP_SUCCESS or error code if failed.
  */
 RNP_API rnp_result_t rnp_op_generate_set_v6_key(rnp_op_generate_t op);
-#endif
 
-#if defined(ENABLE_PQC)
 /** Set the SPHINCS+ parameter set
  * NOTE: This is an experimantal feature and this function can be replaced (or removed) at any
  * time.
@@ -1204,7 +1200,6 @@ RNP_API rnp_result_t rnp_op_generate_set_v6_key(rnp_op_generate_t op);
  */
 RNP_API rnp_result_t rnp_op_generate_set_sphincsplus_param(rnp_op_generate_t op,
                                                            const char *      param);
-#endif
 
 /** Execute the prepared key or subkey generation operation.
  *  Note: if you set protection algorithm, then you need to specify ffi password provider to
@@ -3010,7 +3005,6 @@ RNP_API rnp_result_t rnp_op_encrypt_create(rnp_op_encrypt_t *op,
  */
 RNP_API rnp_result_t rnp_op_encrypt_add_recipient(rnp_op_encrypt_t op, rnp_key_handle_t key);
 
-#if defined(ENABLE_CRYPTO_REFRESH)
 /**
  * @brief Enables the creation of PKESK v6 (instead of v3) which results in the use of SEIPDv2.
  * The actually created version depends on the capabilities of the list of recipients.
@@ -3021,7 +3015,6 @@ RNP_API rnp_result_t rnp_op_encrypt_add_recipient(rnp_op_encrypt_t op, rnp_key_h
  * @return RNP_SUCCESS or errorcode if failed.
  */
 RNP_API rnp_result_t rnp_op_encrypt_enable_pkesk_v6(rnp_op_encrypt_t op);
-#endif
 
 /**
  * @brief Add signature to encrypting context, so data will be encrypted and signed.
@@ -3419,11 +3412,8 @@ RNP_API const char *rnp_backend_version();
 #define RNP_ALGNAME_ECDH "ECDH"
 #define RNP_ALGNAME_ECDSA "ECDSA"
 #define RNP_ALGNAME_EDDSA "EDDSA"
-#if defined(ENABLE_CRYPTO_REFRESH)
 #define RNP_ALGNAME_ED25519 "ED25519"
 #define RNP_ALGNAME_X25519 "X25519"
-#endif
-#if defined(ENABLE_PQC)
 #define RNP_ALGNAME_KYBER768_X25519 "KYBER768_X25519"
 #define RNP_ALGNAME_KYBER1024_X448 "KYBER1024_X448"
 #define RNP_ALGNAME_KYBER768_P256 "KYBER768_P256"
@@ -3438,7 +3428,6 @@ RNP_API const char *rnp_backend_version();
 #define RNP_ALGNAME_DILITHIUM5_BP384 "DILITHIUM5_BP384"
 #define RNP_ALGNAME_SPHINCSPLUS_SHA2 "SPHINCSPLUS_SHA2"
 #define RNP_ALGNAME_SPHINCSPLUS_SHAKE "SPHINCSPLUS_SHAKE"
-#endif
 #define RNP_ALGNAME_IDEA "IDEA"
 #define RNP_ALGNAME_TRIPLEDES "TRIPLEDES"
 #define RNP_ALGNAME_CAST5 "CAST5"

diff --git a/src/lib/crypto/kyber.cpp b/src/lib/crypto/kyber.cpp
@@ -93,8 +93,8 @@ pgp_kyber_public_key_t::encapsulate(rnp::RNG *rng)
     // encryption of the payload data
     kem_enc.encrypt(encap_key,
                     data_encryption_key,
-                    key_share_size_from_kyber_param(kyber_mode_),
-                    *rng->obj());
+                    *rng->obj(),
+                    key_share_size_from_kyber_param(kyber_mode_));
     kyber_encap_result_t result;
     result.ciphertext.insert(
       result.ciphertext.end(), encap_key.data(), encap_key.data() + encap_key.size());

diff --git a/src/lib/rnp.cpp b/src/lib/rnp.cpp
@@ -2575,19 +2575,21 @@ try {
 }
 FFI_GUARD
 
-#if defined(ENABLE_CRYPTO_REFRESH)
 rnp_result_t
 rnp_op_encrypt_enable_pkesk_v6(rnp_op_encrypt_t op)
 try {
+#if defined(ENABLE_CRYPTO_REFRESH)
     if (!op) {
         return RNP_ERROR_NULL_POINTER;
     }
 
     op->rnpctx.enable_pkesk_v6 = true;
     return RNP_SUCCESS;
+#else
+    return RNP_ERROR_NOT_IMPLEMENTED;
+#endif
 }
 FFI_GUARD
-#endif
 
 rnp_result_t
 rnp_op_encrypt_add_signature(rnp_op_encrypt_t         op,
@@ -5688,23 +5690,25 @@ try {
 }
 FFI_GUARD
 
-#if defined(ENABLE_CRYPTO_REFRESH)
 rnp_result_t
 rnp_op_generate_set_v6_key(rnp_op_generate_t op)
 try {
+#if defined(ENABLE_CRYPTO_REFRESH)
     if (!op) {
         return RNP_ERROR_NULL_POINTER;
     }
     op->pgp_version = PGP_V6;
     return RNP_SUCCESS;
+#else
+    return RNP_ERROR_NOT_IMPLEMENTED;
+#endif
 }
 FFI_GUARD
-#endif
 
-#if defined(ENABLE_PQC)
 rnp_result_t
 rnp_op_generate_set_sphincsplus_param(rnp_op_generate_t op, const char *param_cstr)
 try {
+#if defined(ENABLE_PQC)
     if (!op) {
         return RNP_ERROR_NULL_POINTER;
     }
@@ -5730,9 +5734,11 @@ try {
 
     op->crypto.sphincsplus.param = param;
     return RNP_SUCCESS;
+#else
+    return RNP_ERROR_NOT_IMPLEMENTED;
+#endif
 }
 FFI_GUARD
-#endif
 
 rnp_result_t
 rnp_op_generate_execute(rnp_op_generate_t op)

diff --git a/src/librepgp/stream-write.cpp b/src/librepgp/stream-write.cpp
@@ -120,6 +120,7 @@ typedef struct pgp_dest_encrypted_param_t {
         case rnp::AuthType::None:
             return false;
         }
+        throw rnp::rnp_exception(RNP_ERROR_GENERIC);
     };
 
 #ifdef ENABLE_CRYPTO_REFRESH

diff --git a/src/tests/CMakeLists.txt b/src/tests/CMakeLists.txt
@@ -134,7 +134,6 @@ set(RNP_TEST_SOURCES
   user-prefs.cpp
   utils-hex2bin.cpp
   utils-rnpcfg.cpp
-  pqc.cpp
   exdsa_ecdhkem.cpp
   issues/1030.cpp
   issues/1115.cpp
@@ -153,7 +152,11 @@ set(RNP_TEST_SOURCES
 if(ENABLE_CRYPTO_REFRESH)
   list(APPEND RNP_TEST_SOURCES 
     hkdf.cpp)
-endif() 
+endif()
+if(ENABLE_PQC)
+  list(APPEND RNP_TEST_SOURCES 
+    pqc.cpp)
+endif()
 
 add_executable(rnp_tests ${RNP_TEST_SOURCES})
 

diff --git a/src/tests/ffi-enc.cpp b/src/tests/ffi-enc.cpp
@@ -768,10 +768,6 @@ TEST_F(rnp_tests, test_ffi_encrypt_pk_with_v6_key)
 
     assert_true(import_all_keys(ffi, "data/test_v6_valid_data/transferable_seckey_v6.asc"));
 
-    // RNP_LOG_HEX("key id", ffi->secring->keys.front().keyid().data(),
-    // ffi->secring->keys.front().keyid().size()); RNP_LOG_HEX("key id",
-    // ffi->secring->keys.back().keyid().data(), ffi->secring->keys.back().keyid().size());
-
     std::vector<std::string> ciphers = {"AES128", "AES192", "AES256"};
     std::vector<std::string> aead_modes = {"None", "EAX", "OCB"};
     std::vector<bool>        enable_pkeskv6_modes = {true, false};