Closed jirutka closed 2 years ago
@jirutka Thanks for spotting this!
@jirutka are you packaging RNP for Alpine Linux? Not related to this issue, just curious :)
Nice
~Note: this happens with -DCRYPTO_BACKEND=openssl
, but with -DCRYPTO_BACKEND=botan
tests pass.~
Note: this happens with -DCRYPTO_BACKEND=botan
, but with -DCRYPTO_BACKEND=openssl
tests pass.
Nope, I’m building it with the botan
backend, not openssl
.
Sorry, my bad, I've stated the opposite of what I observed :)
Summary: How about we relax the tests in this case?
From the build system interface perspective, ENABLE_SM2 really means "ensure that SM2/SM3/SM4 works" (at the time of compilation, linkage and testing). The tests in question make assertions that if !ENABLE_SM2, then any related functionality certainly fails. Obviously that's not the same. I also think we don't have to live up to these tests' expectations. As far as I'm aware it's not a real product spec requirement that such functionality fails in such case. It's definitely useful to run some tests on SMx functionality when it wasn't requested to be enabled, but I'd suggest to make the assertions less specific and more obviously useful, such as "doesn't crash". Insisting that the tested program throws an exception when it happens to be able to run successfully is not obviously useful to me.
As is evident from the report, sometimes the functionality just works despite ENABLE_SM2=OFF, so the missing code to make the program "fail as expected" is of "policy" nature, not "mechanism". The codebase has a few pieces of code to enforce this policy, but it's not great to maintain it and having more code like that is not something I'm looking forward to.
Surely ENABLE_SM2
build-time configuration switch has a purpose, but its usage in the source code can be reduced to merely guarding e.g. library calls which may result in linkage errors, or the code which may dereference NULL if the dependency doesn't implement SMx, or like that. In a word, let's use this configuration option in the source code to serve really useful invariants, such as "doesn't crash".
Turns out quite some distros (Arch, Gentoo) enable SM2 in openssl and it seems botan has it enabled by default (and in Alpine Linux too?).
While I am not a fan of adding code dedicated to blocking functionality which otherwise might just work, but I explored this direction just for understanding.
With hash_test_success
, it is sufficient to replicate the same explicit block as what is there for openssl:
--- a/src/lib/crypto/hash.cpp
+++ b/src/lib/crypto/hash.cpp
@@ -68,6 +68,13 @@ Hash::Hash(pgp_hash_alg_t alg)
throw rnp_exception(RNP_ERROR_BAD_PARAMETERS);
}
+#if !defined(ENABLE_SM2)
+if (alg == PGP_HASH_SM3) {
+ RNP_LOG("SM3 hash is not available.");
+ throw rnp_exception(RNP_ERROR_BAD_PARAMETERS);
+}
+#endif
+
auto hash_fn = Botan::HashFunction::create(name);
if (!hash_fn) {
RNP_LOG("Error creating hash object for '%s'", name);
With test_stream_verify_no_key
, i still looking where would be the "right" place to put the block.
@andrey-utkin Thanks for investigating this. test_stream_verify_no_key
should be fixed with this patch as well, as source of problem is SM3 hash algo usage in S2K. To avoid such problems in future we should also:
test_stream_verify_no_key should be fixed with this patch as well.
test_stream_verify_no_key is not fixed by the same patch according to my results.
@andrey-utkin Ah, forgot that RNP uses Botan's S2K code directly. Please see the funtion pgp_s2k_derive_key()
from s2k.cpp
Fixed via #1850
Description
test_stream_verify_no_key
andhash_test_success
fail when building withENABLE_SM2=OFF
.Steps to Reproduce
Expected Behavior
The tests should pass.
Actual Behavior
Environment: