Accepting request 1140565 from security:privacy

fix build after SHA-1 cutoff date OBS-URL: https://build.opensuse.org/request/show/1140565 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/rnp?expand=0&rev=13
2024-01-22 19:31:59 +00:00 · 2024-01-22 19:31:59 +00:00 · c733f85d67
commit c733f85d67
parent c1b9e9500a 986d00ffbd
3 changed files with 111 additions and 2 deletions
--- a/rnp-v0.17.0-test-SHA1-cutoff.patch
+++ b/rnp-v0.17.0-test-SHA1-cutoff.patch
@ -0,0 +1,103 @@
+From eb1f10b003c2addf8098a764b823696d48b62c01 Mon Sep 17 00:00:00 2001
+From: Nickolay Olshevsky <o.nickolay@gmail.com>
+Date: Fri, 19 Jan 2024 16:05:32 +0200
+Subject: [PATCH] Update tests to match SHA1 cutoff date for key signatures.
+
+---
+ src/tests/cli_tests.py       | 10 +++++-----
+ src/tests/ffi.cpp            | 26 +++++++++++++++++---------
+ src/tests/key-add-userid.cpp |  2 ++
+ 3 files changed, 24 insertions(+), 14 deletions(-)
+
+diff --git a/src/tests/cli_tests.py b/src/tests/cli_tests.py
+index bde7faf9d..634c88504 100755
+--- a/src/tests/cli_tests.py
+++ b/src/tests/cli_tests.py
+@@ -4862,12 +4862,16 @@ def do_test_encrypt(self, sign_key_size, enc_key_size):
+         self.operation_key_location = tuple((key_path(pfx, False), key_path(pfx, True)))
+         self.rnp.userid = self.gpg.userid = pfx + AT_EXAMPLE
+         # DSA 1024 key uses SHA-1 as hash but verification would succeed till 2024
+        if sign_key_size == 1024:
+            return
+         self._encrypt_decrypt(self.gpg, self.rnp)
+ 
+     def do_test_decrypt(self, sign_key_size, enc_key_size):
+         pfx = EncryptElgamal.key_pfx(sign_key_size, enc_key_size)
+         self.operation_key_location = tuple((key_path(pfx, False), key_path(pfx, True)))
+         self.rnp.userid = self.gpg.userid = pfx + AT_EXAMPLE
+        if sign_key_size == 1024:
+            return
+         self._encrypt_decrypt(self.rnp, self.gpg)
+ 
+     def test_encrypt_P1024_1024(self): self.do_test_encrypt(1024, 1024)
+@@ -4878,11 +4882,7 @@ def test_decrypt_P1024_1024(self): self.do_test_decrypt(1024, 1024)
+     def test_decrypt_P2048_2048(self): self.do_test_decrypt(2048, 2048)
+     def test_decrypt_P1234_1234(self): self.do_test_decrypt(1234, 1234)
+ 
+-    def test_generate_elgamal_key1024_in_gpg_and_encrypt(self):
+-        cmd = EncryptElgamal.GPG_GENERATE_DSA_ELGAMAL_PATTERN.format(1024, 1024, self.gpg.userid)
+-        self.operation_key_gencmd = cmd
+-        # Will not fail till 2024 since 1024-bit DSA key uses SHA-1 as hash.
+-        self._encrypt_decrypt(self.gpg, self.rnp)
+    # 1024-bit key generation test was removed since it uses SHA1, which is not allowed for key signatures since Jan 19, 2024.
+ 
+     def test_generate_elgamal_key1536_in_gpg_and_encrypt(self):
+         cmd = EncryptElgamal.GPG_GENERATE_DSA_ELGAMAL_PATTERN.format(1536, 1536, self.gpg.userid)
+diff --git a/src/tests/ffi.cpp b/src/tests/ffi.cpp
+index 8f1694d9f..07b778f00 100644
+--- a/src/tests/ffi.cpp
+++ b/src/tests/ffi.cpp
+@@ -5976,11 +5976,16 @@ TEST_F(rnp_tests, test_ffi_security_profile)
+     assert_int_equal(flags, 0);
+     /* SHA1 - now, data verify disabled, key sig verify is enabled */
+     flags = 0;
+-    assert_rnp_success(rnp_get_security_rule(
+-      ffi, RNP_FEATURE_HASH_ALG, "SHA1", time(NULL), &flags, &from, &level));
+-    assert_int_equal(from, SHA1_DATA_FROM);
+    auto now = time(NULL);
+    bool sha1_cutoff = now > SHA1_KEY_FROM;
+    /* This would pick default rule closer to the date independent on usage */
+    assert_rnp_success(
+      rnp_get_security_rule(ffi, RNP_FEATURE_HASH_ALG, "SHA1", now, &flags, &from, &level));
+    auto expect_from = sha1_cutoff ? SHA1_KEY_FROM : SHA1_DATA_FROM;
+    auto expect_usage = sha1_cutoff ? RNP_SECURITY_VERIFY_KEY : RNP_SECURITY_VERIFY_DATA;
+    assert_int_equal(from, expect_from);
+     assert_int_equal(level, RNP_SECURITY_INSECURE);
+-    assert_int_equal(flags, RNP_SECURITY_VERIFY_DATA);
+    assert_int_equal(flags, expect_usage);
+     flags = 0;
+     assert_rnp_success(rnp_get_security_rule(
+       ffi, RNP_FEATURE_HASH_ALG, "SHA1", SHA1_DATA_FROM - 1, &flags, &from, &level));
+@@ -5993,11 +5998,14 @@ TEST_F(rnp_tests, test_ffi_security_profile)
+     assert_int_equal(level, RNP_SECURITY_INSECURE);
+     assert_int_equal(flags, RNP_SECURITY_VERIFY_DATA);
+     flags = RNP_SECURITY_VERIFY_KEY;
+-    assert_rnp_success(rnp_get_security_rule(
+-      ffi, RNP_FEATURE_HASH_ALG, "SHA1", time(NULL), &flags, &from, &level));
+-    assert_int_equal(from, 0);
+-    assert_int_equal(level, RNP_SECURITY_DEFAULT);
+-    assert_int_equal(flags, 0);
+    assert_rnp_success(
+      rnp_get_security_rule(ffi, RNP_FEATURE_HASH_ALG, "SHA1", now, &flags, &from, &level));
+    expect_from = sha1_cutoff ? SHA1_KEY_FROM : 0;
+    auto expect_level = sha1_cutoff ? RNP_SECURITY_INSECURE : RNP_SECURITY_DEFAULT;
+    expect_usage = sha1_cutoff ? RNP_SECURITY_VERIFY_KEY : 0;
+    assert_int_equal(from, expect_from);
+    assert_int_equal(level, expect_level);
+    assert_int_equal(flags, expect_usage);
+     flags = RNP_SECURITY_VERIFY_KEY;
+     assert_rnp_success(rnp_get_security_rule(
+       ffi, RNP_FEATURE_HASH_ALG, "SHA1", SHA1_KEY_FROM + 5, &flags, &from, &level));
+diff --git a/src/tests/key-add-userid.cpp b/src/tests/key-add-userid.cpp
+index 5c2a4f71d..edd420573 100644
+--- a/src/tests/key-add-userid.cpp
+++ b/src/tests/key-add-userid.cpp
+@@ -68,6 +68,8 @@ TEST_F(rnp_tests, test_key_add_userid)
+     selfsig0.key_flags = 0x2;
+     selfsig0.key_expiration = base_expiry;
+     selfsig0.primary = false;
+    auto curtime = global_ctx.time();
+    global_ctx.set_time(curtime > SHA1_KEY_FROM ? SHA1_KEY_FROM - 100 : 0);
+     key->add_uid_cert(selfsig0, PGP_HASH_SHA1, global_ctx);
+     // attempt to add sha1-signed uid and make sure it succeeds now and fails after the cutoff
+     // date in 2024
--- a/rnp.changes
+++ b/rnp.changes
@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Sat Jan 20 09:52:21 UTC 2024 - Andreas Stieger <andreas.stieger@gmx.de>
+
+- fix build after SHA-1 cutoff date
+  add rnp-v0.17.0-test-SHA1-cutoff.patch
+
 -------------------------------------------------------------------
 Mon Jun 26 20:21:55 UTC 2023 - Andreas Stieger <Andreas.Stieger@gmx.de>

--- a/rnp.spec
+++ b/rnp.spec
@ -1,8 +1,7 @@
 #
 # spec file for package rnp
 #
-# Copyright (c) 2023 SUSE LLC
-# Copyright (c) 2023 Andreas Stieger <Andreas.Stieger@gmx.de>
+# Copyright (c) 2024 Andreas Stieger <Andreas.Stieger@gmx.de>
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -30,6 +29,7 @@ Source3:        https://www.rnpgp.org/openpgp_keys/31AF5A24D861EFCB7CB79A1924900
 Patch0:         rnp-v0.17.0-disable-static.patch
 Patch2:         rnp-v0.17.0-system-sexp.patch
 Patch3:         rnp-v0.17.0-tests.patch
+Patch4:         rnp-v0.17.0-test-SHA1-cutoff.patch
 BuildRequires:  cmake >= 3.18
 BuildRequires:  gcc-c++
 BuildRequires:  gpg2 >= 2.2