Skip to content

Commit

Permalink
address review comments
Browse files Browse the repository at this point in the history
  • Loading branch information
TJ-91 committed Oct 28, 2024
1 parent 374cebc commit 9f1138e
Show file tree
Hide file tree
Showing 3 changed files with 31 additions and 32 deletions.
2 changes: 1 addition & 1 deletion include/rnp/rnp.h
Original file line number Diff line number Diff line change
Expand Up @@ -104,7 +104,7 @@ typedef uint32_t rnp_result_t;
* Flags for default key selection.
*/
#define RNP_KEY_SUBKEYS_ONLY (1U << 0)
#if defined(RNP_EXPERIMENTAL_CRYPTO_REFRESH)
#if defined(RNP_EXPERIMENTAL_PQC)
#define RNP_KEY_PREFER_PQC_ENC_SUBKEY (1U << 1)
#endif

Expand Down
2 changes: 1 addition & 1 deletion src/librepgp/stream-ctx.h
Original file line number Diff line number Diff line change
Expand Up @@ -111,7 +111,7 @@ typedef struct rnp_ctx_t {
#if defined(ENABLE_CRYPTO_REFRESH)
bool enable_pkesk_v6{}; /* allows pkesk v6 if list of recipients is suitable */
#endif
#if defined(ENABLE_CRYPTO_REFRESH)
#if defined(ENABLE_PQC)
bool pref_pqc_enc_subkey{}; /* prefer to encrypt to PQC subkey */
#endif
std::list<pgp_key_t *> recipients{}; /* recipients of the encrypted message */
Expand Down
59 changes: 29 additions & 30 deletions src/tests/cli_tests.py
Original file line number Diff line number Diff line change
Expand Up @@ -328,11 +328,11 @@ def rnp_genkey_rsa(userid, bits=2048, pswd=PASSWORD):
if ret != 0:
raise_err('rsa key generation failed', err)

def rnp_genkey_pqc(userid, algo_cli_nr, algo_param = None, pswd=PASSWORD):
def rnp_genkey_pqc(userid, algo_cli_nr, homedir, algo_param = None, pswd=PASSWORD):
algo_pipe = str(algo_cli_nr)
if algo_param:
algo_pipe += "\n" + str(algo_param)
ret, out, err = run_proc(RNPK, ['--homedir', RNPDIR, '--password', pswd,
ret, out, err = run_proc(RNPK, ['--homedir', homedir, '--password', pswd,
'--notty', '--userid', userid, '--generate-key', '--expert'], algo_pipe)
#os.close(algo_pipe)
if ret != 0:
Expand Down Expand Up @@ -383,8 +383,10 @@ def rnp_encrypt_file_ex(src, dst, recipients=None, passwords=None, aead=None, ci
raise_err('rnp encryption failed with ' + cipher, err)

def rnp_encrypt_and_sign_file(src, dst, recipients, encrpswd, signers, signpswd,
aead=None, cipher=None, z=None, armor=False):
params = ['--homedir', RNPDIR, '--sign', '--encrypt', src, '--output', dst]
aead=None, cipher=None, z=None, armor=False, homedir=None):
if not homedir:
homedir = RNPDIR
params = ['--homedir', homedir, '--sign', '--encrypt', src, '--output', dst]
pipe = pswd_pipe('\n'.join(encrpswd + signpswd))
params[2:2] = ['--pass-fd', str(pipe)]

Expand All @@ -409,10 +411,12 @@ def rnp_encrypt_and_sign_file(src, dst, recipients, encrpswd, signers, signpswd,
if ret != 0:
raise_err('rnp encrypt-and-sign failed', err)

def rnp_decrypt_file(src, dst, password = PASSWORD):
def rnp_decrypt_file(src, dst, password = PASSWORD, homedir = None):
if not homedir:
homedir = RNPDIR
pipe = pswd_pipe(password)
ret, out, err = run_proc(
RNP, ['--homedir', RNPDIR, '--pass-fd', str(pipe), '--decrypt', src, '--output', dst])
RNP, ['--homedir', homedir, '--pass-fd', str(pipe), '--decrypt', src, '--output', dst])
os.close(pipe)
if ret != 0:
raise_err('rnp decryption failed', out + err)
Expand Down Expand Up @@ -4536,7 +4540,7 @@ def test_encryption_multiple_recipients(self):
gpg_decrypt_file(dst, dec, pswd)
gpg_agent_clear_cache()
remove_files(dec)
rnp_decrypt_file(dst, dec, '\n'.join([pswd] * 5))
rnp_decrypt_file(dst, dec, password='\n'.join([pswd] * 5))
remove_files(dec)

# Decrypt file with each of the passwords (with gpg only first password is checked)
Expand All @@ -4550,7 +4554,7 @@ def test_encryption_multiple_recipients(self):
gpg_decrypt_file(dst, dec, pswd)
gpg_agent_clear_cache()
remove_files(dec)
rnp_decrypt_file(dst, dec, '\n'.join([pswd] * 5))
rnp_decrypt_file(dst, dec, password='\n'.join([pswd] * 5))
remove_files(dec)

remove_files(dst, dec)
Expand Down Expand Up @@ -4600,12 +4604,12 @@ def test_encryption_and_signing(self):
gpg_decrypt_file(dst, dec, pswd)
gpg_agent_clear_cache()
remove_files(dec)
rnp_decrypt_file(dst, dec, '\n'.join([pswd] * 5))
rnp_decrypt_file(dst, dec, password='\n'.join([pswd] * 5))
remove_files(dec)

# GPG decrypts only with first password, see T3795
if first_pass and try_gpg:
gpg_decrypt_file(dst, dec, PASSWORDS[0])
gpg_decrypt_file(dst, dec, password=PASSWORDS[0])
gpg_agent_clear_cache()
remove_files(dec)

Expand All @@ -4615,7 +4619,7 @@ def test_encryption_and_signing(self):
gpg_decrypt_file(dst, dec, pswd)
gpg_agent_clear_cache()
remove_files(dec)
rnp_decrypt_file(dst, dec, '\n'.join([pswd] * 5))
rnp_decrypt_file(dst, dec, password='\n'.join([pswd] * 5))
remove_files(dec)

remove_files(dst, dec)
Expand All @@ -4637,12 +4641,11 @@ def verify_pqc_algo_ui_nb_to_algo_ui_str(self, stdout: str, algo_ui_exp_strs) ->
if not found_this_entry:
raise RuntimeError("did not match the expected UI choice for algorithm: " + expected_line)

""" zzz_ prefix makes it the last test. This is a workaround against a gnupg import error with the
pqc keys in other member function tests that would otherwise follow this one.
"""
def test_zzz_encryption_and_signing_pqc(self):
def test_encryption_and_signing_pqc(self):
if not RNP_PQC:
return
RNPDIR_PQC = RNPDIR + 'PQC'
os.mkdir(RNPDIR_PQC, 0o700)
algo_ui_exp_strs = [ "(24) Ed25519Legacy + Curve25519Legacy + (ML-KEM-768 + X25519)",
"(25) (ML-DSA-65 + Ed25519) + (ML-KEM-768 + X25519)",
"(27) (ML-DSA-65 + ECDSA-NIST-P-256) + (ML-KEM-768 + ECDH-NIST-P-256)",
Expand All @@ -4667,15 +4670,11 @@ def test_zzz_encryption_and_signing_pqc(self):
# Generate multiple keys and import to GnuPG
verified_algo_nums = False
for uid, algo, param, passwd in zip(USERIDS, ALGO, ALGO_PARAM, passwds):
stdout = rnp_genkey_pqc(uid, algo, param, passwd)
stdout = rnp_genkey_pqc(uid, algo, RNPDIR_PQC, param, passwd)
if not verified_algo_nums:
self.verify_pqc_algo_ui_nb_to_algo_ui_str(stdout, algo_ui_exp_strs)
verified_algo_nums = True

#gpg_import_pubring()
#gpg_import_secring()


src, dst, dec = reg_workfiles('cleartext', '.txt', '.rnp', '.dec')
# Generate random file of required size
random_text(src, 65500)
Expand All @@ -4689,14 +4688,14 @@ def test_zzz_encryption_and_signing_pqc(self):
signerpws = [passwds[i]]

rnp_encrypt_and_sign_file(src, dst, recipients, passwords, signers,
signerpws, aead=[aead_list[i]])
signerpws, aead=[aead_list[i]], homedir=RNPDIR_PQC)
# Decrypt file with each of the keys, we have different password for each key
rnp_decrypt_file(dst, dec, passwds[i])
remove_files(dec)

rnp_decrypt_file(dst, dec, password=passwds[i], homedir=RNPDIR_PQC)
remove_files(dst, dec)

clear_workfiles()
shutil.rmtree(RNPDIR_PQC, ignore_errors=True)

remove_files(dst, dec)

def test_encryption_weird_userids_special_1(self):
uid = WEIRD_USERID_SPECIAL_CHARS
Expand All @@ -4707,7 +4706,7 @@ def test_encryption_weird_userids_special_1(self):
dst, dec = reg_workfiles('weird_userids_special_1', '.rnp', '.dec')
rnp_encrypt_file_ex(src, dst, [uid], None, None)
# Decrypt
rnp_decrypt_file(dst, dec, pswd)
rnp_decrypt_file(dst, dec, password=pswd)
compare_files(src, dec, RNP_DATA_DIFFERS)
clear_workfiles()

Expand All @@ -4724,7 +4723,7 @@ def test_encryption_weird_userids_special_2(self):
# Decrypt file with each of the passwords
for pswd in KEYPASS:
multiple_pass_attempts = (pswd + '\n') * len(KEYPASS)
rnp_decrypt_file(dst, dec, multiple_pass_attempts)
rnp_decrypt_file(dst, dec, password=multiple_pass_attempts)
compare_files(src, dec, RNP_DATA_DIFFERS)
remove_files(dec)
# Cleanup
Expand All @@ -4750,7 +4749,7 @@ def test_encryption_weird_userids_unicode(self):
# Decrypt file with each of the passwords
for pswd in KEYPASS:
multiple_pass_attempts = (pswd + '\n') * len(KEYPASS)
rnp_decrypt_file(dst, dec, multiple_pass_attempts)
rnp_decrypt_file(dst, dec, password=multiple_pass_attempts)
compare_files(src, dec, RNP_DATA_DIFFERS)
remove_files(dec)
# Cleanup
Expand Down Expand Up @@ -4812,7 +4811,7 @@ def test_encryption_x25519(self):
ret, out, _ = run_proc(RNP, ['--homedir', RNPDIR, '-es', '-r', 'eddsa_25519', '-u',
'eddsa_25519', '--password', PASSWORD, src, '--output', dst, '--armor'])
# Decrypt and verify with RNP
rnp_decrypt_file(dst, dec, 'password')
rnp_decrypt_file(dst, dec, password='password')
self.assertEqual(file_text(src), file_text(dec))
remove_files(dec)
# Decrypt and verify with GPG
Expand All @@ -4824,7 +4823,7 @@ def test_encryption_x25519(self):
'-u', 'eddsa_25519', '--output', dst, '-es', src])
self.assertEqual(ret, 0)
# Decrypt and verify with RNP
rnp_decrypt_file(dst, dec, 'password')
rnp_decrypt_file(dst, dec, password='password')
self.assertEqual(file_text(src), file_text(dec))
# Encrypt/decrypt using the p256 key, making sure message is not displayed
key = data_path('test_stream_key_load/ecc-p256-sec.asc')
Expand Down

0 comments on commit 9f1138e

Please sign in to comment.