From 9f1138e2e28ad2fcf68890a82819c8f50cd74c6a Mon Sep 17 00:00:00 2001 From: Johannes Roth Date: Mon, 28 Oct 2024 11:50:59 +0100 Subject: [PATCH] address review comments --- include/rnp/rnp.h | 2 +- src/librepgp/stream-ctx.h | 2 +- src/tests/cli_tests.py | 59 +++++++++++++++++++-------------------- 3 files changed, 31 insertions(+), 32 deletions(-) diff --git a/include/rnp/rnp.h b/include/rnp/rnp.h index b69b33dae..d2d7930d8 100644 --- a/include/rnp/rnp.h +++ b/include/rnp/rnp.h @@ -104,7 +104,7 @@ typedef uint32_t rnp_result_t; * Flags for default key selection. */ #define RNP_KEY_SUBKEYS_ONLY (1U << 0) -#if defined(RNP_EXPERIMENTAL_CRYPTO_REFRESH) +#if defined(RNP_EXPERIMENTAL_PQC) #define RNP_KEY_PREFER_PQC_ENC_SUBKEY (1U << 1) #endif diff --git a/src/librepgp/stream-ctx.h b/src/librepgp/stream-ctx.h index bc1c7a367..fa140c313 100644 --- a/src/librepgp/stream-ctx.h +++ b/src/librepgp/stream-ctx.h @@ -111,7 +111,7 @@ typedef struct rnp_ctx_t { #if defined(ENABLE_CRYPTO_REFRESH) bool enable_pkesk_v6{}; /* allows pkesk v6 if list of recipients is suitable */ #endif -#if defined(ENABLE_CRYPTO_REFRESH) +#if defined(ENABLE_PQC) bool pref_pqc_enc_subkey{}; /* prefer to encrypt to PQC subkey */ #endif std::list recipients{}; /* recipients of the encrypted message */ diff --git a/src/tests/cli_tests.py b/src/tests/cli_tests.py index ec14ce87e..dbe0928eb 100755 --- a/src/tests/cli_tests.py +++ b/src/tests/cli_tests.py @@ -328,11 +328,11 @@ def rnp_genkey_rsa(userid, bits=2048, pswd=PASSWORD): if ret != 0: raise_err('rsa key generation failed', err) -def rnp_genkey_pqc(userid, algo_cli_nr, algo_param = None, pswd=PASSWORD): +def rnp_genkey_pqc(userid, algo_cli_nr, homedir, algo_param = None, pswd=PASSWORD): algo_pipe = str(algo_cli_nr) if algo_param: algo_pipe += "\n" + str(algo_param) - ret, out, err = run_proc(RNPK, ['--homedir', RNPDIR, '--password', pswd, + ret, out, err = run_proc(RNPK, ['--homedir', homedir, '--password', pswd, '--notty', '--userid', userid, '--generate-key', '--expert'], algo_pipe) #os.close(algo_pipe) if ret != 0: @@ -383,8 +383,10 @@ def rnp_encrypt_file_ex(src, dst, recipients=None, passwords=None, aead=None, ci raise_err('rnp encryption failed with ' + cipher, err) def rnp_encrypt_and_sign_file(src, dst, recipients, encrpswd, signers, signpswd, - aead=None, cipher=None, z=None, armor=False): - params = ['--homedir', RNPDIR, '--sign', '--encrypt', src, '--output', dst] + aead=None, cipher=None, z=None, armor=False, homedir=None): + if not homedir: + homedir = RNPDIR + params = ['--homedir', homedir, '--sign', '--encrypt', src, '--output', dst] pipe = pswd_pipe('\n'.join(encrpswd + signpswd)) params[2:2] = ['--pass-fd', str(pipe)] @@ -409,10 +411,12 @@ def rnp_encrypt_and_sign_file(src, dst, recipients, encrpswd, signers, signpswd, if ret != 0: raise_err('rnp encrypt-and-sign failed', err) -def rnp_decrypt_file(src, dst, password = PASSWORD): +def rnp_decrypt_file(src, dst, password = PASSWORD, homedir = None): + if not homedir: + homedir = RNPDIR pipe = pswd_pipe(password) ret, out, err = run_proc( - RNP, ['--homedir', RNPDIR, '--pass-fd', str(pipe), '--decrypt', src, '--output', dst]) + RNP, ['--homedir', homedir, '--pass-fd', str(pipe), '--decrypt', src, '--output', dst]) os.close(pipe) if ret != 0: raise_err('rnp decryption failed', out + err) @@ -4536,7 +4540,7 @@ def test_encryption_multiple_recipients(self): gpg_decrypt_file(dst, dec, pswd) gpg_agent_clear_cache() remove_files(dec) - rnp_decrypt_file(dst, dec, '\n'.join([pswd] * 5)) + rnp_decrypt_file(dst, dec, password='\n'.join([pswd] * 5)) remove_files(dec) # Decrypt file with each of the passwords (with gpg only first password is checked) @@ -4550,7 +4554,7 @@ def test_encryption_multiple_recipients(self): gpg_decrypt_file(dst, dec, pswd) gpg_agent_clear_cache() remove_files(dec) - rnp_decrypt_file(dst, dec, '\n'.join([pswd] * 5)) + rnp_decrypt_file(dst, dec, password='\n'.join([pswd] * 5)) remove_files(dec) remove_files(dst, dec) @@ -4600,12 +4604,12 @@ def test_encryption_and_signing(self): gpg_decrypt_file(dst, dec, pswd) gpg_agent_clear_cache() remove_files(dec) - rnp_decrypt_file(dst, dec, '\n'.join([pswd] * 5)) + rnp_decrypt_file(dst, dec, password='\n'.join([pswd] * 5)) remove_files(dec) # GPG decrypts only with first password, see T3795 if first_pass and try_gpg: - gpg_decrypt_file(dst, dec, PASSWORDS[0]) + gpg_decrypt_file(dst, dec, password=PASSWORDS[0]) gpg_agent_clear_cache() remove_files(dec) @@ -4615,7 +4619,7 @@ def test_encryption_and_signing(self): gpg_decrypt_file(dst, dec, pswd) gpg_agent_clear_cache() remove_files(dec) - rnp_decrypt_file(dst, dec, '\n'.join([pswd] * 5)) + rnp_decrypt_file(dst, dec, password='\n'.join([pswd] * 5)) remove_files(dec) remove_files(dst, dec) @@ -4637,12 +4641,11 @@ def verify_pqc_algo_ui_nb_to_algo_ui_str(self, stdout: str, algo_ui_exp_strs) -> if not found_this_entry: raise RuntimeError("did not match the expected UI choice for algorithm: " + expected_line) - """ zzz_ prefix makes it the last test. This is a workaround against a gnupg import error with the - pqc keys in other member function tests that would otherwise follow this one. - """ - def test_zzz_encryption_and_signing_pqc(self): + def test_encryption_and_signing_pqc(self): if not RNP_PQC: return + RNPDIR_PQC = RNPDIR + 'PQC' + os.mkdir(RNPDIR_PQC, 0o700) algo_ui_exp_strs = [ "(24) Ed25519Legacy + Curve25519Legacy + (ML-KEM-768 + X25519)", "(25) (ML-DSA-65 + Ed25519) + (ML-KEM-768 + X25519)", "(27) (ML-DSA-65 + ECDSA-NIST-P-256) + (ML-KEM-768 + ECDH-NIST-P-256)", @@ -4667,15 +4670,11 @@ def test_zzz_encryption_and_signing_pqc(self): # Generate multiple keys and import to GnuPG verified_algo_nums = False for uid, algo, param, passwd in zip(USERIDS, ALGO, ALGO_PARAM, passwds): - stdout = rnp_genkey_pqc(uid, algo, param, passwd) + stdout = rnp_genkey_pqc(uid, algo, RNPDIR_PQC, param, passwd) if not verified_algo_nums: self.verify_pqc_algo_ui_nb_to_algo_ui_str(stdout, algo_ui_exp_strs) verified_algo_nums = True - #gpg_import_pubring() - #gpg_import_secring() - - src, dst, dec = reg_workfiles('cleartext', '.txt', '.rnp', '.dec') # Generate random file of required size random_text(src, 65500) @@ -4689,14 +4688,14 @@ def test_zzz_encryption_and_signing_pqc(self): signerpws = [passwds[i]] rnp_encrypt_and_sign_file(src, dst, recipients, passwords, signers, - signerpws, aead=[aead_list[i]]) + signerpws, aead=[aead_list[i]], homedir=RNPDIR_PQC) # Decrypt file with each of the keys, we have different password for each key - rnp_decrypt_file(dst, dec, passwds[i]) - remove_files(dec) - + rnp_decrypt_file(dst, dec, password=passwds[i], homedir=RNPDIR_PQC) + remove_files(dst, dec) + clear_workfiles() + shutil.rmtree(RNPDIR_PQC, ignore_errors=True) - remove_files(dst, dec) def test_encryption_weird_userids_special_1(self): uid = WEIRD_USERID_SPECIAL_CHARS @@ -4707,7 +4706,7 @@ def test_encryption_weird_userids_special_1(self): dst, dec = reg_workfiles('weird_userids_special_1', '.rnp', '.dec') rnp_encrypt_file_ex(src, dst, [uid], None, None) # Decrypt - rnp_decrypt_file(dst, dec, pswd) + rnp_decrypt_file(dst, dec, password=pswd) compare_files(src, dec, RNP_DATA_DIFFERS) clear_workfiles() @@ -4724,7 +4723,7 @@ def test_encryption_weird_userids_special_2(self): # Decrypt file with each of the passwords for pswd in KEYPASS: multiple_pass_attempts = (pswd + '\n') * len(KEYPASS) - rnp_decrypt_file(dst, dec, multiple_pass_attempts) + rnp_decrypt_file(dst, dec, password=multiple_pass_attempts) compare_files(src, dec, RNP_DATA_DIFFERS) remove_files(dec) # Cleanup @@ -4750,7 +4749,7 @@ def test_encryption_weird_userids_unicode(self): # Decrypt file with each of the passwords for pswd in KEYPASS: multiple_pass_attempts = (pswd + '\n') * len(KEYPASS) - rnp_decrypt_file(dst, dec, multiple_pass_attempts) + rnp_decrypt_file(dst, dec, password=multiple_pass_attempts) compare_files(src, dec, RNP_DATA_DIFFERS) remove_files(dec) # Cleanup @@ -4812,7 +4811,7 @@ def test_encryption_x25519(self): ret, out, _ = run_proc(RNP, ['--homedir', RNPDIR, '-es', '-r', 'eddsa_25519', '-u', 'eddsa_25519', '--password', PASSWORD, src, '--output', dst, '--armor']) # Decrypt and verify with RNP - rnp_decrypt_file(dst, dec, 'password') + rnp_decrypt_file(dst, dec, password='password') self.assertEqual(file_text(src), file_text(dec)) remove_files(dec) # Decrypt and verify with GPG @@ -4824,7 +4823,7 @@ def test_encryption_x25519(self): '-u', 'eddsa_25519', '--output', dst, '-es', src]) self.assertEqual(ret, 0) # Decrypt and verify with RNP - rnp_decrypt_file(dst, dec, 'password') + rnp_decrypt_file(dst, dec, password='password') self.assertEqual(file_text(src), file_text(dec)) # Encrypt/decrypt using the p256 key, making sure message is not displayed key = data_path('test_stream_key_load/ecc-p256-sec.asc')