From 21337b00e6146e99e16c4210b0b4819cdcdaa046 Mon Sep 17 00:00:00 2001 From: Denys Date: Tue, 24 Sep 2024 00:22:18 +0300 Subject: [PATCH] Fix broken tests(time-machine) --- src/rnp/fficli.cpp | 35 +++++++++++++++++++++++ src/tests/cli_tests.py | 4 +-- src/tests/ffi-enc.cpp | 59 ++++++++++++++++++++++++++++++++++++++- src/tests/generatekey.cpp | 21 ++++++++++++++ 4 files changed, 116 insertions(+), 3 deletions(-) diff --git a/src/rnp/fficli.cpp b/src/rnp/fficli.cpp index c63896c89f..6ba0955b5b 100644 --- a/src/rnp/fficli.cpp +++ b/src/rnp/fficli.cpp @@ -662,6 +662,41 @@ cli_rnp_t::init(const rnp_cfg &cfg) RNP_SECURITY_DEFAULT); } + if (cfg_.has(CFG_ALLOW_OLD_CIPHERS)) { + auto now = time(NULL); + uint64_t from = 0; + uint32_t level = 0; + rnp_get_security_rule(ffi, RNP_FEATURE_SYMM_ALG, "CAST5", now, NULL, &from, &level); + rnp_add_security_rule(ffi, + RNP_FEATURE_SYMM_ALG, + "CAST5", + RNP_SECURITY_OVERRIDE, + from, + RNP_SECURITY_DEFAULT); + rnp_get_security_rule( + ffi, RNP_FEATURE_SYMM_ALG, "TRIPLEDES", now, NULL, &from, &level); + rnp_add_security_rule(ffi, + RNP_FEATURE_SYMM_ALG, + "TRIPLEDES", + RNP_SECURITY_OVERRIDE, + from, + RNP_SECURITY_DEFAULT); + rnp_get_security_rule(ffi, RNP_FEATURE_SYMM_ALG, "IDEA", now, NULL, &from, &level); + rnp_add_security_rule(ffi, + RNP_FEATURE_SYMM_ALG, + "IDEA", + RNP_SECURITY_OVERRIDE, + from, + RNP_SECURITY_DEFAULT); + rnp_get_security_rule(ffi, RNP_FEATURE_SYMM_ALG, "BLOWFISH", now, NULL, &from, &level); + rnp_add_security_rule(ffi, + RNP_FEATURE_SYMM_ALG, + "BLOWFISH", + RNP_SECURITY_OVERRIDE, + from, + RNP_SECURITY_DEFAULT); + } + // by default use stdin password provider if (rnp_ffi_set_pass_provider(ffi, ffi_pass_callback_stdin, this)) { goto done; diff --git a/src/tests/cli_tests.py b/src/tests/cli_tests.py index 0bf79eadc6..549e234517 100755 --- a/src/tests/cli_tests.py +++ b/src/tests/cli_tests.py 
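Review bot: In the `CFG_ALLOW_OLD_CIPHERS` block of `cli_rnp_t::init`, the results of all four `rnp_get_security_rule` / `rnp_add_security_rule` pairs are discarded, and `from` and `level` are shared between them. If a lookup fails (inferred: for example a cipher that is not built in), the following `rnp_add_security_rule` would install an override using the previous cipher's `from`, or 0 for the first one. Because the override sets `RNP_SECURITY_DEFAULT`, a wrong start time silently widens the window in which a deprecated cipher is treated as secure, so the calls should be checked and the outputs reset per cipher. The four copies also collapse into one loop; the sketch below skips a cipher whose lookup fails and treats a failed override as an init error, following the `goto done` pattern visible in the context line after this block. The function starts and ends outside the hunk.

```cpp
    if (cfg_.has(CFG_ALLOW_OLD_CIPHERS)) {
        static const char *const old_ciphers[] = {"CAST5", "TRIPLEDES", "IDEA", "BLOWFISH"};
        auto now = time(NULL);
        for (const char *alg : old_ciphers) {
            // Fresh outputs per cipher so a failed lookup cannot reuse stale values.
            uint64_t from = 0;
            uint32_t level = 0;
            if (rnp_get_security_rule(
                  ffi, RNP_FEATURE_SYMM_ALG, alg, now, NULL, &from, &level)) {
                // Lookup failed: keep the default policy for this cipher.
                continue;
            }
            // Deliberate downgrade: marks a deprecated cipher as RNP_SECURITY_DEFAULT
            // starting at the beginning of its currently active rule.
            if (rnp_add_security_rule(ffi,
                                      RNP_FEATURE_SYMM_ALG,
                                      alg,
                                      RNP_SECURITY_OVERRIDE,
                                      from,
                                      RNP_SECURITY_DEFAULT)) {
                goto done;
            }
        }
    }
    // … unchanged: stdin password provider setup …
```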
@@ -354,7 +354,7 @@ def rnp_params_insert_aead(params, pos, aead): def rnp_encrypt_file_ex(src, dst, recipients=None, passwords=None, aead=None, cipher=None, z=None, armor=False, s2k_iter=False, s2k_msec=False): - params = ['--homedir', RNPDIR, src, '--output', dst] + params = ['--homedir', RNPDIR, src, '--output', dst, '--allow-old-ciphers'] # Recipients. None disables PK encryption, [] to use default key. Otherwise list of ids. if recipients != None: params[2:2] = ['--encrypt'] @@ -3117,7 +3117,7 @@ def test_alg_aliases(self): self.assertRegex(out,r'(?s)^.*Symmetric-key encrypted session key packet.*symmetric algorithm: 7 \(AES-128\).*$') remove_files(enc) # Encrypt file using the 3DES instead of tripledes - ret, _, err = run_proc(RNP, ['-c', src, '--cipher', '3DES', '--password', 'password']) + ret, _, err = run_proc(RNP, ['-c', src, '--cipher', '3DES', '--password', 'password', "--allow-old-ciphers"]) self.assertEqual(ret, 0) self.assertNotRegex(err, r'(?s)^.*Warning, unsupported encryption algorithm: 3DES.*$') self.assertNotRegex(err, r'(?s)^.*Unsupported encryption algorithm: 3DES.*$') diff --git a/src/tests/ffi-enc.cpp b/src/tests/ffi-enc.cpp index 4c4bf26331..48d6fedd98 100644 --- a/src/tests/ffi-enc.cpp +++ b/src/tests/ffi-enc.cpp 
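Review bot: Adding `--allow-old-ciphers` unconditionally to `params` in `rnp_encrypt_file_ex` makes every encryption test that goes through this helper run with the deprecated-cipher rules overridden, so none of them exercises the default policy any more. A regression that accepts CAST5, 3DES, IDEA or Blowfish without the flag would then pass unnoticed. Consider keeping the original `params` line and adding the flag only when needed, e.g. `if cipher and cipher.upper() in OLD_CIPHERS: params += ['--allow-old-ciphers']`, where `OLD_CIPHERS` is a constructed name for a tuple of the spellings the callers actually pass. The rest of the function body is outside the hunk.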
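Review bot: In `test_alg_aliases`, the 3DES alias is now only exercised with the override in place, so nothing pins what `--cipher 3DES` does without it. A companion `run_proc` call without `--allow-old-ciphers`, asserting the expected rejection or warning, would cover the new default; the exact return code and message are not visible in this hunk and need to be taken from the CLI. Minor style point: the added argument is written as `"--allow-old-ciphers"` while the rest of the list uses single quotes.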
@@ -178,6 +178,17 @@ TEST_F(rnp_tests, test_ffi_encrypt_pass) assert_rnp_failure(rnp_op_encrypt_add_password(op, "pass1", "WRONG", 0, NULL)); assert_rnp_failure(rnp_op_encrypt_add_password(op, "pass1", NULL, 0, "WRONG")); assert_rnp_success(rnp_op_encrypt_add_password(op, "pass1", NULL, 0, NULL)); + + // Allow insecure ciphers + if (blowfish_enabled()) { + assert_rnp_success(rnp_remove_security_rule( + ffi, RNP_FEATURE_SYMM_ALG, "BLOWFISH", 0, RNP_SECURITY_REMOVE_ALL, 0, nullptr)); + } + if (cast5_enabled()) { + assert_rnp_success(rnp_remove_security_rule( + ffi, RNP_FEATURE_SYMM_ALG, "CAST5", 0, RNP_SECURITY_REMOVE_ALL, 0, nullptr)); + } + // add password if (!sm2_enabled() && !twofish_enabled()) { assert_rnp_failure(rnp_op_encrypt_add_password(op, "pass2", "SM3", 12345, "TWOFISH")); @@ -624,6 +635,10 @@ TEST_F(rnp_tests, test_ffi_encrypt_pk) key = NULL; // set the data encryption cipher if (cast5_enabled()) { + if (cast5_enabled()) { + assert_rnp_success(rnp_remove_security_rule( + ffi, RNP_FEATURE_SYMM_ALG, "CAST5", 0, RNP_SECURITY_REMOVE_ALL, 0, nullptr)); + } assert_rnp_success(rnp_op_encrypt_set_cipher(op, "CAST5")); } else { assert_rnp_failure(rnp_op_encrypt_set_cipher(op, "CAST5")); 
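Review bot: The rule removal added before `// add password` in `test_ffi_encrypt_pass` duplicates logic that appears elsewhere in this patch. The same call sequence is added as `enable_insecure_ciphers()` in src/tests/generatekey.cpp, and it is repeated for CAST5 in three other tests in this file. One helper in the shared test support code would keep the list of deprecated ciphers in a single place. The last argument is `nullptr`, so the test never observes whether a rule was actually removed. If that argument is the removed-rule count (my reading of the API, which is not shown here), capturing it and asserting it is non-zero would also document that the deprecation rule exists by default. The test body starts and ends outside the hunk.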
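Review bot: The inner `if (cast5_enabled())` in `test_ffi_encrypt_pk` is redundant, because it sits directly inside a branch guarded by the same call. The `assert_rnp_success(rnp_remove_security_rule(...))` can go straight into the outer block. The same nested check is added in the hunks at -1249 (`test_ffi_encrypt_pk_key_provider`) and -1358 (`test_ffi_encrypt_and_sign`); those two pass `NULL` where this one passes `nullptr`, so one spelling should be chosen. A comment such as `// CAST5 is deprecated by default; drop its rule so set_cipher succeeds` would explain why the rule is removed. The test bodies continue outside the hunks.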
@@ -712,15 +727,49 @@ TEST_F(rnp_tests, test_ffi_select_deprecated_ciphers) uint32_t flags = 0; uint64_t from = 0; uint32_t level = 0; + if (cast5_enabled()) { + assert_rnp_success(rnp_get_security_rule(ffi, + RNP_FEATURE_SYMM_ALG, + "CAST5", + CAST5_3DES_IDEA_BLOWFISH_FROM + 1, + &flags, + &from, + &level)); + assert_int_equal(from, CAST5_3DES_IDEA_BLOWFISH_FROM); + assert_int_equal(level, RNP_SECURITY_INSECURE); + } + assert_rnp_success(rnp_get_security_rule(ffi, RNP_FEATURE_SYMM_ALG, - "CAST5", + "TRIPLEDES", CAST5_3DES_IDEA_BLOWFISH_FROM + 1, &flags, &from, &level)); assert_int_equal(from, CAST5_3DES_IDEA_BLOWFISH_FROM); assert_int_equal(level, RNP_SECURITY_INSECURE); + if (idea_enabled()) { + assert_rnp_success(rnp_get_security_rule(ffi, + RNP_FEATURE_SYMM_ALG, + "IDEA", + CAST5_3DES_IDEA_BLOWFISH_FROM + 1, + &flags, + &from, + &level)); + assert_int_equal(from, CAST5_3DES_IDEA_BLOWFISH_FROM); + assert_int_equal(level, RNP_SECURITY_INSECURE); + } + if (blowfish_enabled()) { + assert_rnp_success(rnp_get_security_rule(ffi, + RNP_FEATURE_SYMM_ALG, + "BLOWFISH", + CAST5_3DES_IDEA_BLOWFISH_FROM + 1, + &flags, + &from, + &level)); + assert_int_equal(from, CAST5_3DES_IDEA_BLOWFISH_FROM); + assert_int_equal(level, RNP_SECURITY_INSECURE); + } ffi->context.set_time(CAST5_3DES_IDEA_BLOWFISH_FROM + 1); // set the data encryption cipher @@ -1249,6 +1298,10 @@ TEST_F(rnp_tests, test_ffi_encrypt_pk_key_provider) key = NULL; // set the data encryption cipher if (cast5_enabled()) { + if (cast5_enabled()) { + assert_rnp_success(rnp_remove_security_rule( + ffi, RNP_FEATURE_SYMM_ALG, "CAST5", 0, RNP_SECURITY_REMOVE_ALL, 0, NULL)); + } assert_rnp_success(rnp_op_encrypt_set_cipher(op, "CAST5")); } else { assert_rnp_failure(rnp_op_encrypt_set_cipher(op, "CAST5")); 
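Review bot: In `test_ffi_select_deprecated_ciphers`, the four `rnp_get_security_rule` checks reuse `from` and `level` without resetting them. Every cipher is expected to yield the same `CAST5_3DES_IDEA_BLOWFISH_FROM` / `RNP_SECURITY_INSECURE` pair, so after the first check passes, a later lookup that returned success without writing its outputs would still satisfy the asserts. Zeroing both before each lookup closes that gap, and the four copy-pasted blocks then fold into one table-driven loop as sketched below. `flags` is fetched each time but never asserted; either check it or say in a comment that it is intentionally ignored. The test body continues outside the hunk.

```cpp
    // … unchanged: flags / from / level declarations …
    const struct {
        const char *name;
        bool        enabled;
    } deprecated[] = {{"CAST5", cast5_enabled()},
                      {"TRIPLEDES", true},
                      {"IDEA", idea_enabled()},
                      {"BLOWFISH", blowfish_enabled()}};
    for (const auto &alg : deprecated) {
        if (!alg.enabled) {
            continue;
        }
        // Reset outputs so a stale value from the previous cipher cannot pass the asserts.
        from = 0;
        level = 0;
        assert_rnp_success(rnp_get_security_rule(ffi,
                                                 RNP_FEATURE_SYMM_ALG,
                                                 alg.name,
                                                 CAST5_3DES_IDEA_BLOWFISH_FROM + 1,
                                                 &flags,
                                                 &from,
                                                 &level));
        assert_int_equal(from, CAST5_3DES_IDEA_BLOWFISH_FROM);
        assert_int_equal(level, RNP_SECURITY_INSECURE);
    }
    // … unchanged: ffi->context.set_time(...) and cipher selection …
```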
@@ -1358,6 +1411,10 @@ TEST_F(rnp_tests, test_ffi_encrypt_and_sign) key = NULL; // set the data encryption cipher if (cast5_enabled()) { + if (cast5_enabled()) { + assert_rnp_success(rnp_remove_security_rule( + ffi, RNP_FEATURE_SYMM_ALG, "CAST5", 0, RNP_SECURITY_REMOVE_ALL, 0, NULL)); + } assert_rnp_success(rnp_op_encrypt_set_cipher(op, "CAST5")); } else { assert_rnp_failure(rnp_op_encrypt_set_cipher(op, "CAST5")); diff --git a/src/tests/generatekey.cpp b/src/tests/generatekey.cpp index e220fc924d..cfc89a9d1a 100644 --- a/src/tests/generatekey.cpp +++ b/src/tests/generatekey.cpp @@ -242,6 +242,26 @@ cipher_supported(const std::string &cipher) return true; } +static void +enable_insecure_ciphers(rnp_ffi_t ffi) +{ + // Allow insecure ciphers + if (cast5_enabled()) { + assert_rnp_success(rnp_remove_security_rule( + ffi, RNP_FEATURE_SYMM_ALG, "CAST5", 0, RNP_SECURITY_REMOVE_ALL, 0, nullptr)); + } + assert_rnp_success(rnp_remove_security_rule( + ffi, RNP_FEATURE_SYMM_ALG, "TRIPLEDES", 0, RNP_SECURITY_REMOVE_ALL, 0, nullptr)); + if (idea_enabled()) { + assert_rnp_success(rnp_remove_security_rule( + ffi, RNP_FEATURE_SYMM_ALG, "IDEA", 0, RNP_SECURITY_REMOVE_ALL, 0, nullptr)); + } + if (blowfish_enabled()) { + assert_rnp_success(rnp_remove_security_rule( + ffi, RNP_FEATURE_SYMM_ALG, "BLOWFISH", 0, RNP_SECURITY_REMOVE_ALL, 0, nullptr)); + } +} + TEST_F(rnp_tests, rnpkeys_generatekey_testEncryption) { const char *cipherAlg[] = { @@ -264,6 +284,7 @@ TEST_F(rnp_tests, rnpkeys_generatekey_testEncryption) for (unsigned int armored = 0; armored <= 1; ++armored) { /* Set up rnp and encrypt the dataa */ assert_true(setup_cli_rnp_common(&rnp, RNP_KEYSTORE_GPG, NULL, NULL)); + enable_insecure_ciphers(rnp.ffi); /* Load keyring */ assert_true(rnp.load_keyrings(false)); size_t seccount = 0;
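Review bot: `enable_insecure_ciphers()` in src/tests/generatekey.cpp is documented only by `// Allow insecure ciphers`, which undersells what it does. With `RNP_SECURITY_REMOVE_ALL` and a `from` of 0 it appears to drop every security rule for the four ciphers on the given `ffi`, not just the current deprecation. A header comment should say that, e.g. `/* Test-only: remove all security rules for the deprecated ciphers on this ffi so they can be used for encryption. */`. It should also say why TRIPLEDES is the only cipher without an `*_enabled()` guard (presumably because it is always built; confirm).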