From f65f9caac78f4ab34770d13f8b45ef41d1ff707d Mon Sep 17 00:00:00 2001 From: Justus Winter Date: Thu, 9 Sep 2021 14:06:15 +0200 Subject: openpgp: Skip tests if a required algorithm is not supported. --- openpgp/src/cert.rs | 10 +++++ openpgp/src/cert/builder.rs | 4 +- openpgp/src/packet/key.rs | 86 ++++++++++++++++++++++++++++------------- openpgp/src/packet/pkesk.rs | 51 ++++++++++++++++++++++++ openpgp/src/packet/signature.rs | 16 ++++++++ 5 files changed, 139 insertions(+), 28 deletions(-) diff --git a/openpgp/src/cert.rs b/openpgp/src/cert.rs index 686821d6..1da3390e 100644 --- a/openpgp/src/cert.rs +++ b/openpgp/src/cert.rs @@ -5503,6 +5503,11 @@ Pu1xwz57O4zo1VYf6TqHJzVC3OMvMUM2hhdecMUe5x6GorNaj6g= CipherSuite::P521, CipherSuite::RSA2k ] { + if cs.is_supported().is_err() { + eprintln!("Skipping {:?} because it is not supported.", cs); + continue; + } + let (alice, _) = CertBuilder::new() .set_cipher_suite(*cs) .add_userid("alice@foo.com") @@ -5672,6 +5677,11 @@ Pu1xwz57O4zo1VYf6TqHJzVC3OMvMUM2hhdecMUe5x6GorNaj6g= #[test] fn canonicalize_with_v3_sig() -> Result<()> { + if ! crate::types::PublicKeyAlgorithm::DSA.is_supported() { + eprintln!("Skipping because DSA is not supported"); + return Ok(()); + } + // This test relies on being able to validate SHA-1 // signatures. The standard policy rejects SHA-1. So, use a // custom policy. diff --git a/openpgp/src/cert/builder.rs b/openpgp/src/cert/builder.rs index eee275eb..0ceb0579 100644 --- a/openpgp/src/cert/builder.rs +++ b/openpgp/src/cert/builder.rs @@ -1649,7 +1649,9 @@ mod tests { fn all_ciphersuites() { use self::CipherSuite::*; - for cs in vec![Cv25519, RSA3k, P256, P384, P521, RSA2k, RSA4k] { + for cs in vec![Cv25519, RSA3k, P256, P384, P521, RSA2k, RSA4k] + .into_iter().filter(|cs| cs.is_supported().is_ok()) + { assert!(CertBuilder::new() .set_cipher_suite(cs) .generate().is_ok()); diff --git a/openpgp/src/packet/key.rs b/openpgp/src/packet/key.rs index a8770b7d..ccff1487 100644 --- a/openpgp/src/packet/key.rs +++ b/openpgp/src/packet/key.rs @@ -1765,12 +1765,22 @@ mod tests { use crate::types::Curve::*; for curve in vec![NistP256, NistP384, NistP521, Ed25519] { + if ! curve.is_supported() { + eprintln!("Skipping unsupported {}", curve); + continue; + } + let key: Key4<_, key::UnspecifiedRole> = Key4::generate_ecc(true, curve.clone())?; check(key)?; } for bits in vec![2048, 3072] { + if ! PublicKeyAlgorithm::RSAEncryptSign.is_supported() { + eprintln!("Skipping unsupported RSA"); + continue; + } + let key: Key4<_, key::UnspecifiedRole> = Key4::generate_rsa(bits)?; check(key)?; @@ -1784,6 +1794,11 @@ mod tests { use crate::types::Curve::*; for curve in vec![NistP256, NistP384, NistP521] { + if ! curve.is_supported() { + eprintln!("Skipping unsupported {}", curve); + continue; + } + let sign_key : Key4<_, key::UnspecifiedRole> = Key4::generate_ecc(true, curve.clone()).unwrap(); let enc_key : Key4<_, key::UnspecifiedRole> @@ -1796,6 +1811,11 @@ mod tests { } for bits in vec![1024, 2048, 3072, 4096] { + if ! PublicKeyAlgorithm::RSAEncryptSign.is_supported() { + eprintln!("Skipping unsupported RSA"); + continue; + } + let key : Key4<_, key::UnspecifiedRole> = Key4::generate_rsa(bits).unwrap(); let clone = key.clone(); @@ -1809,13 +1829,18 @@ mod tests { let keys = vec![NistP256, NistP384, NistP521].into_iter().flat_map(|cv| { + if ! cv.is_supported() { + eprintln!("Skipping unsupported {}", cv); + return Vec::new(); + } + let sign_key : Key4 = Key4::generate_ecc(true, cv.clone()).unwrap(); let enc_key = Key4::generate_ecc(false, cv).unwrap(); vec![sign_key, enc_key] - }).chain(vec![1024, 2048, 3072, 4096].into_iter().map(|b| { - Key4::generate_rsa(b).unwrap() + }).chain(vec![1024, 2048, 3072, 4096].into_iter().filter_map(|b| { + Key4::generate_rsa(b).ok() })); for key in keys { @@ -1859,11 +1884,12 @@ mod tests { use crate::crypto::SessionKey; use crate::types::Curve::*; - let keys = vec![NistP256, NistP384, NistP521].into_iter().map(|cv| { - Key4::generate_ecc(false, cv).unwrap() - }).chain(vec![1024, 2048, 3072, 4096].into_iter().map(|b| { - Key4::generate_rsa(b).unwrap() - })); + let keys = vec![NistP256, NistP384, NistP521].into_iter() + .filter_map(|cv| { + Key4::generate_ecc(false, cv).ok() + }).chain(vec![1024, 2048, 3072, 4096].into_iter().filter_map(|b| { + Key4::generate_rsa(b).ok() + })); for key in keys.into_iter() { let key: Key = key.into(); @@ -1889,13 +1915,12 @@ mod tests { fn secret_encryption_roundtrip() { use crate::types::Curve::*; - let keys = vec![NistP256, NistP384, NistP521].into_iter().map(|cv| { - let k : Key4 - = Key4::generate_ecc(false, cv).unwrap(); - k - }).chain(vec![1024, 2048, 3072, 4096].into_iter().map(|b| { - Key4::generate_rsa(b).unwrap() - })); + let keys = vec![NistP256, NistP384, NistP521].into_iter() + .filter_map(|cv| -> Option> { + Key4::generate_ecc(false, cv).ok() + }).chain(vec![1024, 2048, 3072, 4096].into_iter().filter_map(|b| { + Key4::generate_rsa(b).ok() + })); for key in keys { assert!(! key.secret().is_encrypted()); @@ -2134,19 +2159,26 @@ FwPoSAbbsLkNS/iNN2MDGAVYvezYn2QZ #[test] fn encrypt_huge_plaintext() -> Result<()> { let sk = crate::crypto::SessionKey::new(256); - let rsa2k: Key = - Key4::generate_rsa(2048)?.into(); - assert!(matches!( - rsa2k.encrypt(&sk).unwrap_err().downcast().unwrap(), - crate::Error::InvalidArgument(_) - )); - - let cv25519: Key = - Key4::generate_ecc(false, Curve::Cv25519)?.into(); - assert!(matches!( - cv25519.encrypt(&sk).unwrap_err().downcast().unwrap(), - crate::Error::InvalidArgument(_) - )); + + if PublicKeyAlgorithm::RSAEncryptSign.is_supported() { + let rsa2k: Key = + Key4::generate_rsa(2048)?.into(); + assert!(matches!( + rsa2k.encrypt(&sk).unwrap_err().downcast().unwrap(), + crate::Error::InvalidArgument(_) + )); + } + + if PublicKeyAlgorithm::ECDH.is_supported() + && Curve::Cv25519.is_supported() + { + let cv25519: Key = + Key4::generate_ecc(false, Curve::Cv25519)?.into(); + assert!(matches!( + cv25519.encrypt(&sk).unwrap_err().downcast().unwrap(), + crate::Error::InvalidArgument(_) + )); + } Ok(()) } diff --git a/openpgp/src/packet/pkesk.rs b/openpgp/src/packet/pkesk.rs index 7f21639c..40e7bc37 100644 --- a/openpgp/src/packet/pkesk.rs +++ b/openpgp/src/packet/pkesk.rs @@ -221,6 +221,7 @@ mod tests { use crate::Packet; use crate::parse::Parse; use crate::serialize::MarshalInto; + use crate::types::Curve; quickcheck! { fn roundtrip(p: PKESK3) -> bool { @@ -232,6 +233,11 @@ mod tests { #[test] fn decrypt_rsa() { + if ! PublicKeyAlgorithm::RSAEncryptSign.is_supported() { + eprintln!("Skipping test, algorithm is not supported."); + return; + } + let cert = Cert::from_bytes( crate::tests::key("testy-private.pgp")).unwrap(); let pile = PacketPile::from_bytes( @@ -257,6 +263,14 @@ mod tests { #[test] fn decrypt_ecdh_cv25519() { + if ! (PublicKeyAlgorithm::EdDSA.is_supported() + && Curve::Ed25519.is_supported() + && PublicKeyAlgorithm::ECDH.is_supported() + && Curve::Cv25519.is_supported()) { + eprintln!("Skipping test, algorithm is not supported."); + return; + } + let cert = Cert::from_bytes( crate::tests::key("testy-new-private.pgp")).unwrap(); let pile = PacketPile::from_bytes( @@ -282,6 +296,13 @@ mod tests { #[test] fn decrypt_ecdh_nistp256() { + if ! (PublicKeyAlgorithm::ECDSA.is_supported() + && PublicKeyAlgorithm::ECDH.is_supported() + && Curve::NistP256.is_supported()) { + eprintln!("Skipping test, algorithm is not supported."); + return; + } + let cert = Cert::from_bytes( crate::tests::key("testy-nistp256-private.pgp")).unwrap(); let pile = PacketPile::from_bytes( @@ -307,6 +328,13 @@ mod tests { #[test] fn decrypt_ecdh_nistp384() { + if ! (PublicKeyAlgorithm::ECDSA.is_supported() + && PublicKeyAlgorithm::ECDH.is_supported() + && Curve::NistP384.is_supported()) { + eprintln!("Skipping test, algorithm is not supported."); + return; + } + let cert = Cert::from_bytes( crate::tests::key("testy-nistp384-private.pgp")).unwrap(); let pile = PacketPile::from_bytes( @@ -332,6 +360,13 @@ mod tests { #[test] fn decrypt_ecdh_nistp521() { + if ! (PublicKeyAlgorithm::ECDSA.is_supported() + && PublicKeyAlgorithm::ECDH.is_supported() + && Curve::NistP521.is_supported()) { + eprintln!("Skipping test, algorithm is not supported."); + return; + } + let cert = Cert::from_bytes( crate::tests::key("testy-nistp521-private.pgp")).unwrap(); let pile = PacketPile::from_bytes( @@ -358,6 +393,12 @@ mod tests { #[test] fn decrypt_with_short_cv25519_secret_key() { + if ! (PublicKeyAlgorithm::ECDH.is_supported() + && Curve::Cv25519.is_supported()) { + eprintln!("Skipping test, algorithm is not supported."); + return; + } + use super::PKESK3; use crate::crypto::SessionKey; use crate::{HashAlgorithm, SymmetricAlgorithm}; @@ -399,6 +440,11 @@ mod tests { /// See CVE-2021-3580. #[test] fn cve_2021_3580_ciphertext_too_long() -> Result<()> { + if ! PublicKeyAlgorithm::RSAEncryptSign.is_supported() { + eprintln!("Skipping test, algorithm is not supported."); + return Ok(()); + } + // Get (any) 2k RSA key. let cert = Cert::from_bytes( crate::tests::key("testy-private.pgp"))?; @@ -435,6 +481,11 @@ joc0YUVyhUBVFf4B0zVZRUfqZyJtJ07Sl5xppI12U1HQCTjn7Fp8BHMPKuBotYzv /// See CVE-2021-3580. #[test] fn cve_2021_3580_zero_ciphertext() -> Result<()> { + if ! PublicKeyAlgorithm::RSAEncryptSign.is_supported() { + eprintln!("Skipping test, algorithm is not supported."); + return Ok(()); + } + // Get (any) 2k RSA key. let cert = Cert::from_bytes( crate::tests::key("testy-private.pgp"))?; diff --git a/openpgp/src/packet/signature.rs b/openpgp/src/packet/signature.rs index 9178f76f..ef5f4b8d 100644 --- a/openpgp/src/packet/signature.rs +++ b/openpgp/src/packet/signature.rs @@ -3243,6 +3243,11 @@ mod test { let cert = Cert::from_bytes(crate::tests::key(test.key)).unwrap(); + if ! cert.keys().all(|k| k.pk_algo().is_supported()) { + eprintln!("Skipping because one algorithm is not supported"); + continue; + } + let mut good = 0; let mut ppr = PacketParser::from_bytes( crate::tests::message(test.data)).unwrap(); @@ -3310,6 +3315,12 @@ mod test { "emmelie-dorothea-dina-samantha-awina-ed25519-private.pgp", ] { let cert = Cert::from_bytes(crate::tests::key(key)).unwrap(); + + if ! cert.primary_key().pk_algo().is_supported() { + eprintln!("Skipping because we don't support the algo"); + continue; + } + let mut pair = cert.primary_key().key().clone() .parts_into_secret().unwrap() .into_keypair() @@ -3477,6 +3488,11 @@ mod test { #[test] fn timestamp_signature() { + if ! PublicKeyAlgorithm::DSA.is_supported() { + eprintln!("Skipping test, algorithm is not supported."); + return; + } + let alpha = Cert::from_bytes(crate::tests::file( "contrib/gnupg/keys/alpha.pgp")).unwrap(); let p = Packet::from_bytes(crate::tests::file( -- cgit v1.2.3