Fix broken tests(time-machine)

rnpgp · Nov 19, 2024 · 21337b0 · 21337b0
1 parent d9cb460
commit 21337b0
Show file tree

Hide file tree

Showing 4 changed files with 116 additions and 3 deletions.
diff --git a/src/rnp/fficli.cpp b/src/rnp/fficli.cpp
@@ -662,6 +662,41 @@ cli_rnp_t::init(const rnp_cfg &cfg)
                               RNP_SECURITY_DEFAULT);
     }
 
+    if (cfg_.has(CFG_ALLOW_OLD_CIPHERS)) {
+        auto     now = time(NULL);
+        uint64_t from = 0;
+        uint32_t level = 0;
+        rnp_get_security_rule(ffi, RNP_FEATURE_SYMM_ALG, "CAST5", now, NULL, &from, &level);
+        rnp_add_security_rule(ffi,
+                              RNP_FEATURE_SYMM_ALG,
+                              "CAST5",
+                              RNP_SECURITY_OVERRIDE,
+                              from,
+                              RNP_SECURITY_DEFAULT);
+        rnp_get_security_rule(
+          ffi, RNP_FEATURE_SYMM_ALG, "TRIPLEDES", now, NULL, &from, &level);
+        rnp_add_security_rule(ffi,
+                              RNP_FEATURE_SYMM_ALG,
+                              "TRIPLEDES",
+                              RNP_SECURITY_OVERRIDE,
+                              from,
+                              RNP_SECURITY_DEFAULT);
+        rnp_get_security_rule(ffi, RNP_FEATURE_SYMM_ALG, "IDEA", now, NULL, &from, &level);
+        rnp_add_security_rule(ffi,
+                              RNP_FEATURE_SYMM_ALG,
+                              "IDEA",
+                              RNP_SECURITY_OVERRIDE,
+                              from,
+                              RNP_SECURITY_DEFAULT);
+        rnp_get_security_rule(ffi, RNP_FEATURE_SYMM_ALG, "BLOWFISH", now, NULL, &from, &level);
+        rnp_add_security_rule(ffi,
+                              RNP_FEATURE_SYMM_ALG,
+                              "BLOWFISH",
+                              RNP_SECURITY_OVERRIDE,
+                              from,
+                              RNP_SECURITY_DEFAULT);
+    }
+
     // by default use stdin password provider
     if (rnp_ffi_set_pass_provider(ffi, ffi_pass_callback_stdin, this)) {
         goto done;

diff --git a/src/tests/cli_tests.py b/src/tests/cli_tests.py
@@ -354,7 +354,7 @@ def rnp_params_insert_aead(params, pos, aead):
 
 def rnp_encrypt_file_ex(src, dst, recipients=None, passwords=None, aead=None, cipher=None,
                         z=None, armor=False, s2k_iter=False, s2k_msec=False):
-    params = ['--homedir', RNPDIR, src, '--output', dst]
+    params = ['--homedir', RNPDIR, src, '--output', dst, '--allow-old-ciphers']
     # Recipients. None disables PK encryption, [] to use default key. Otherwise list of ids.
     if recipients != None:
         params[2:2] = ['--encrypt']
@@ -3117,7 +3117,7 @@ def test_alg_aliases(self):
         self.assertRegex(out,r'(?s)^.*Symmetric-key encrypted session key packet.*symmetric algorithm: 7 \(AES-128\).*$')
         remove_files(enc)
         # Encrypt file using the 3DES instead of tripledes
-        ret, _, err = run_proc(RNP, ['-c', src, '--cipher', '3DES', '--password', 'password'])
+        ret, _, err = run_proc(RNP, ['-c', src, '--cipher', '3DES', '--password', 'password', "--allow-old-ciphers"])
         self.assertEqual(ret, 0)
         self.assertNotRegex(err, r'(?s)^.*Warning, unsupported encryption algorithm: 3DES.*$')
         self.assertNotRegex(err, r'(?s)^.*Unsupported encryption algorithm: 3DES.*$')

diff --git a/src/tests/ffi-enc.cpp b/src/tests/ffi-enc.cpp
@@ -178,6 +178,17 @@ TEST_F(rnp_tests, test_ffi_encrypt_pass)
     assert_rnp_failure(rnp_op_encrypt_add_password(op, "pass1", "WRONG", 0, NULL));
     assert_rnp_failure(rnp_op_encrypt_add_password(op, "pass1", NULL, 0, "WRONG"));
     assert_rnp_success(rnp_op_encrypt_add_password(op, "pass1", NULL, 0, NULL));
+
+    // Allow insecure ciphers
+    if (blowfish_enabled()) {
+        assert_rnp_success(rnp_remove_security_rule(
+          ffi, RNP_FEATURE_SYMM_ALG, "BLOWFISH", 0, RNP_SECURITY_REMOVE_ALL, 0, nullptr));
+    }
+    if (cast5_enabled()) {
+        assert_rnp_success(rnp_remove_security_rule(
+          ffi, RNP_FEATURE_SYMM_ALG, "CAST5", 0, RNP_SECURITY_REMOVE_ALL, 0, nullptr));
+    }
+
     // add password
     if (!sm2_enabled() && !twofish_enabled()) {
         assert_rnp_failure(rnp_op_encrypt_add_password(op, "pass2", "SM3", 12345, "TWOFISH"));
@@ -624,6 +635,10 @@ TEST_F(rnp_tests, test_ffi_encrypt_pk)
     key = NULL;
     // set the data encryption cipher
     if (cast5_enabled()) {
+        if (cast5_enabled()) {
+            assert_rnp_success(rnp_remove_security_rule(
+              ffi, RNP_FEATURE_SYMM_ALG, "CAST5", 0, RNP_SECURITY_REMOVE_ALL, 0, nullptr));
+        }
         assert_rnp_success(rnp_op_encrypt_set_cipher(op, "CAST5"));
     } else {
         assert_rnp_failure(rnp_op_encrypt_set_cipher(op, "CAST5"));
@@ -712,15 +727,49 @@ TEST_F(rnp_tests, test_ffi_select_deprecated_ciphers)
     uint32_t flags = 0;
     uint64_t from = 0;
     uint32_t level = 0;
+    if (cast5_enabled()) {
+        assert_rnp_success(rnp_get_security_rule(ffi,
+                                                 RNP_FEATURE_SYMM_ALG,
+                                                 "CAST5",
+                                                 CAST5_3DES_IDEA_BLOWFISH_FROM + 1,
+                                                 &flags,
+                                                 &from,
+                                                 &level));
+        assert_int_equal(from, CAST5_3DES_IDEA_BLOWFISH_FROM);
+        assert_int_equal(level, RNP_SECURITY_INSECURE);
+    }
+
     assert_rnp_success(rnp_get_security_rule(ffi,
                                              RNP_FEATURE_SYMM_ALG,
-                                             "CAST5",
+                                             "TRIPLEDES",
                                              CAST5_3DES_IDEA_BLOWFISH_FROM + 1,
                                              &flags,
                                              &from,
                                              &level));
     assert_int_equal(from, CAST5_3DES_IDEA_BLOWFISH_FROM);
     assert_int_equal(level, RNP_SECURITY_INSECURE);
+    if (idea_enabled()) {
+        assert_rnp_success(rnp_get_security_rule(ffi,
+                                                 RNP_FEATURE_SYMM_ALG,
+                                                 "IDEA",
+                                                 CAST5_3DES_IDEA_BLOWFISH_FROM + 1,
+                                                 &flags,
+                                                 &from,
+                                                 &level));
+        assert_int_equal(from, CAST5_3DES_IDEA_BLOWFISH_FROM);
+        assert_int_equal(level, RNP_SECURITY_INSECURE);
+    }
+    if (blowfish_enabled()) {
+        assert_rnp_success(rnp_get_security_rule(ffi,
+                                                 RNP_FEATURE_SYMM_ALG,
+                                                 "BLOWFISH",
+                                                 CAST5_3DES_IDEA_BLOWFISH_FROM + 1,
+                                                 &flags,
+                                                 &from,
+                                                 &level));
+        assert_int_equal(from, CAST5_3DES_IDEA_BLOWFISH_FROM);
+        assert_int_equal(level, RNP_SECURITY_INSECURE);
+    }
 
     ffi->context.set_time(CAST5_3DES_IDEA_BLOWFISH_FROM + 1);
     // set the data encryption cipher
@@ -1249,6 +1298,10 @@ TEST_F(rnp_tests, test_ffi_encrypt_pk_key_provider)
     key = NULL;
     // set the data encryption cipher
     if (cast5_enabled()) {
+        if (cast5_enabled()) {
+            assert_rnp_success(rnp_remove_security_rule(
+              ffi, RNP_FEATURE_SYMM_ALG, "CAST5", 0, RNP_SECURITY_REMOVE_ALL, 0, NULL));
+        }
         assert_rnp_success(rnp_op_encrypt_set_cipher(op, "CAST5"));
     } else {
         assert_rnp_failure(rnp_op_encrypt_set_cipher(op, "CAST5"));
@@ -1358,6 +1411,10 @@ TEST_F(rnp_tests, test_ffi_encrypt_and_sign)
     key = NULL;
     // set the data encryption cipher
     if (cast5_enabled()) {
+        if (cast5_enabled()) {
+            assert_rnp_success(rnp_remove_security_rule(
+              ffi, RNP_FEATURE_SYMM_ALG, "CAST5", 0, RNP_SECURITY_REMOVE_ALL, 0, NULL));
+        }
         assert_rnp_success(rnp_op_encrypt_set_cipher(op, "CAST5"));
     } else {
         assert_rnp_failure(rnp_op_encrypt_set_cipher(op, "CAST5"));

diff --git a/src/tests/generatekey.cpp b/src/tests/generatekey.cpp
@@ -242,6 +242,26 @@ cipher_supported(const std::string &cipher)
     return true;
 }
 
+static void
+enable_insecure_ciphers(rnp_ffi_t ffi)
+{
+    // Allow insecure ciphers
+    if (cast5_enabled()) {
+        assert_rnp_success(rnp_remove_security_rule(
+          ffi, RNP_FEATURE_SYMM_ALG, "CAST5", 0, RNP_SECURITY_REMOVE_ALL, 0, nullptr));
+    }
+    assert_rnp_success(rnp_remove_security_rule(
+      ffi, RNP_FEATURE_SYMM_ALG, "TRIPLEDES", 0, RNP_SECURITY_REMOVE_ALL, 0, nullptr));
+    if (idea_enabled()) {
+        assert_rnp_success(rnp_remove_security_rule(
+          ffi, RNP_FEATURE_SYMM_ALG, "IDEA", 0, RNP_SECURITY_REMOVE_ALL, 0, nullptr));
+    }
+    if (blowfish_enabled()) {
+        assert_rnp_success(rnp_remove_security_rule(
+          ffi, RNP_FEATURE_SYMM_ALG, "BLOWFISH", 0, RNP_SECURITY_REMOVE_ALL, 0, nullptr));
+    }
+}
+
 TEST_F(rnp_tests, rnpkeys_generatekey_testEncryption)
 {
     const char *cipherAlg[] = {
@@ -264,6 +284,7 @@ TEST_F(rnp_tests, rnpkeys_generatekey_testEncryption)
         for (unsigned int armored = 0; armored <= 1; ++armored) {
             /* Set up rnp and encrypt the dataa */
             assert_true(setup_cli_rnp_common(&rnp, RNP_KEYSTORE_GPG, NULL, NULL));
+            enable_insecure_ciphers(rnp.ffi);
             /* Load keyring */
             assert_true(rnp.load_keyrings(false));
             size_t seccount = 0;