mirror of
https://gitlab.kit.edu/kit/scc/sys/mail/exim-encrypt-dlfunc.git
synced 2025-12-06 06:23:56 +01:00
Code cleanup & more tests
This commit is contained in:
heiko.reese
@ -14,6 +14,7 @@ stages:
|
||||
.code-coverage:
|
||||
stage: build
|
||||
script:
|
||||
- "export PATH=/usr/local/sbin:/usr/local/bin:${PATH}"
|
||||
- meson build -Db_coverage=true
|
||||
- cd build
|
||||
- ninja
|
||||
|
||||
@ -73,7 +73,7 @@ for i in "${images[@]}"; do
|
||||
vim; \
|
||||
rm -rf /var/lib/apt/lists/*;'
|
||||
buildah run "$ctr" /bin/sh -c \
|
||||
'pip3 install meson ninja; \
|
||||
'pip3 install --upgrade meson ninja; \
|
||||
rm -rf ~/.cache/pip/*;'
|
||||
TARGET="${REGISTRY}/${BASENAME}-${name}:${TAG}"
|
||||
IMAGEID=$(buildah commit --format docker "$ctr" "${IMAGENAME}")
|
||||
|
||||
@ -4,36 +4,38 @@
|
||||
#include <ctype.h>
|
||||
#include <sodium.h>
|
||||
|
||||
bool key_contains_zero(unsigned char *key, unsigned int keylen)
|
||||
{
|
||||
bool has_zero = false;
|
||||
for (unsigned int i = 0; i < keylen; i++) {
|
||||
if (key[i] == 0) {
|
||||
has_zero = true;
|
||||
}
|
||||
}
|
||||
return has_zero;
|
||||
}
|
||||
//void
|
||||
//dump_key_as_c_code(FILE * f, const char *name, unsigned char *key,
|
||||
// unsigned int keylen)
|
||||
//{
|
||||
// fprintf(f, "const unsigned char %s[] = { ", name);
|
||||
// for (unsigned int i = 0; i < keylen; i++) {
|
||||
// fprintf(f, "0x%02x", key[i]);
|
||||
// if (i < keylen - 1) {
|
||||
// fprintf(f, ", ");
|
||||
// }
|
||||
// }
|
||||
// fprintf(f, " };\n");
|
||||
// fprintf(f, "const unsigned int %s_length = %d;\n", name, keylen);
|
||||
//}
|
||||
|
||||
//void create_secretbox_key(const char *filebase, const char *varname) {
|
||||
// unsigned char key[crypto_secretbox_KEYBYTES];
|
||||
//
|
||||
// crypto_secretbox_keygen(key);
|
||||
//
|
||||
// char key_filename[4096];
|
||||
// char key_varname[4096];
|
||||
//
|
||||
// sprintf(key_filename, "%s_secretbox", filebase);
|
||||
// sprintf(key_varname, "%s_key", varname);
|
||||
//
|
||||
// write_key_files(key_filename, key_varname, key, crypto_secretbox_KEYBYTES);
|
||||
//}
|
||||
|
||||
void
|
||||
dump_key_as_c_code(FILE * f, const char *name, unsigned char *key,
|
||||
unsigned int keylen)
|
||||
{
|
||||
fprintf(f, "const unsigned char %s[] = { ", name);
|
||||
for (unsigned int i = 0; i < keylen; i++) {
|
||||
fprintf(f, "0x%02x", key[i]);
|
||||
if (i < keylen - 1) {
|
||||
fprintf(f, ", ");
|
||||
}
|
||||
}
|
||||
fprintf(f, " };\n");
|
||||
fprintf(f, "const unsigned int %s_length = %d;\n", name, keylen);
|
||||
}
|
||||
|
||||
void
|
||||
dump_key_as_exim_config(FILE * f, const char *name, unsigned char *key,
|
||||
unsigned int keylen)
|
||||
{
|
||||
dump_key_as_exim_config(FILE *f, const char *name, unsigned char *key,
|
||||
unsigned int keylen) {
|
||||
// write a comment with C variable declaration
|
||||
fprintf(f, "# const unsigned char %s[%d] = { ", name, keylen);
|
||||
for (unsigned int i = 0; i < keylen; i++) {
|
||||
@ -127,20 +129,6 @@ void create_cryptobox_keys(const char *filebase, const char *varname)
|
||||
|
||||
}
|
||||
|
||||
void create_secretbox_key(const char *filebase, const char *varname) {
|
||||
unsigned char key[crypto_secretbox_KEYBYTES];
|
||||
|
||||
crypto_secretbox_keygen(key);
|
||||
|
||||
char key_filename[4096];
|
||||
char key_varname[4096];
|
||||
|
||||
sprintf(key_filename, "%s_secretbox", filebase);
|
||||
sprintf(key_varname, "%s_key", varname);
|
||||
|
||||
write_key_files(key_filename, key_varname, key, crypto_secretbox_KEYBYTES);
|
||||
}
|
||||
|
||||
int main(void) {
|
||||
if (sodium_init() < 0) {
|
||||
fputs("Unable to initialize libsodium", stderr);
|
||||
|
||||
@ -1,7 +1,9 @@
|
||||
#!/bin/bash
|
||||
# shellcheck disable=SC2164
|
||||
|
||||
PATH=/sbin:/usr/sbin:$PATH
|
||||
# this script implements the TAP protocol (https://testanything.org)
|
||||
echo 1..2
|
||||
echo 1..6
|
||||
|
||||
# copy to /tmp to keep commandline arguments to exim calls under 256 chars (prevent problems on Ubuntu)
|
||||
install -t /tmp src/libexim-encrypt-dlfunc.so
|
||||
@ -26,7 +28,72 @@ CIPHERTEXT=$(exim -C /dev/null -be "\${dlfunc{${LIB}}{sodium_crypto_box_seal}{${
|
||||
DECRYPTED=$(exim -C /dev/null -be "\${dlfunc{${LIB}}{sodium_crypto_box_seal_open}{${SK}}{${PK}}{${CIPHERTEXT}}}")
|
||||
|
||||
if [ "${CLEARTEXT}" == "${DECRYPTED}" ] ; then
|
||||
echo "ok 2 - sealed_box test successful"
|
||||
echo "ok 2 - sealed_box test with pre-generated key pair successful"
|
||||
else
|
||||
echo "not ok 2 - sealed_box test unsuccessful"
|
||||
echo "not ok 2 - sealed_box test with pre-generated key pair unsuccessful"
|
||||
fi
|
||||
|
||||
# skip test on Ubuntu
|
||||
#[ "$(lsb_release --id --short)" == "Ubuntu" ] && echo "not ok 3 # skip Ubuntu has patches against long commandline arguments, bailing out"
|
||||
|
||||
### Test libexim-encrypt-dlfunc-genkeys
|
||||
|
||||
TEMPDIR01="$(mktemp --directory --quiet)"
|
||||
TEMPDIR02="$(mktemp --directory --quiet)"
|
||||
cleanup() {
|
||||
rm -rf "${TEMPDIR01}" "${TEMPDIR02}"
|
||||
}
|
||||
trap cleanup EXIT INT TERM
|
||||
|
||||
CURDIR="$(pwd)"
|
||||
|
||||
pushd "${TEMPDIR01}" > /dev/null
|
||||
"${CURDIR}/src/libexim-encrypt-dlfunc-genkeys" 2> /dev/null # TAP parser seems to hate the output
|
||||
PK="$(base64 cryptobox_recipient_pk.raw)"
|
||||
SK="$(base64 cryptobox_recipient_sk.raw)"
|
||||
popd > /dev/null
|
||||
|
||||
CIPHERTEXT=$(exim -C /dev/null -be "\${dlfunc{${LIB}}{sodium_crypto_box_seal}{${PK}}{${CLEARTEXT}}}")
|
||||
DECRYPTED=$(exim -C /dev/null -be "\${dlfunc{${LIB}}{sodium_crypto_box_seal_open}{${SK}}{${PK}}{${CIPHERTEXT}}}")
|
||||
|
||||
if [ "${CLEARTEXT}" == "${DECRYPTED}" ] ; then
|
||||
echo "ok 3 - sealed_box test with newly generated key pair successful"
|
||||
else
|
||||
echo "not ok 3 - sealed_box test with newly generated key pair unsuccessful"
|
||||
fi
|
||||
|
||||
### Check if --help works
|
||||
|
||||
if src/libexim-encrypt-dlfunc-decrypt-secretbox --help > /dev/null ; then
|
||||
echo "ok 4 - secretbox --help argument works"
|
||||
else
|
||||
echo "not ok 4 - secretbox --help argument does not work"
|
||||
fi
|
||||
|
||||
if src/libexim-encrypt-dlfunc-decrypt-sealedbox --help > /dev/null ; then
|
||||
echo "ok 5 - sealedbox --help argument works"
|
||||
else
|
||||
echo "not ok 5 - sealedbox --help argument does not work"
|
||||
fi
|
||||
|
||||
### Code coverage for genkeys file access failures
|
||||
pushd "${TEMPDIR02}" > /dev/null
|
||||
KEYFILES=(cryptobox_recipient_pk.raw cryptobox_recipient_pk_exim.conf cryptobox_recipient_sk.raw cryptobox_recipient_sk_exim.conf)
|
||||
for KF in "${KEYFILES[@]}"; do
|
||||
rm -f "${KF}"
|
||||
touch "${KF}"
|
||||
done
|
||||
FS_ACCESS_FAILURE=0
|
||||
for KF in "${KEYFILES[@]}"; do
|
||||
su -s /bin/bash -c "${CURDIR}/src/libexim-encrypt-dlfunc-genkeys" - nobody 2> /dev/null && FS_ACCESS_FAILURE=1
|
||||
rm -f "${KF}"
|
||||
touch "${KF}"
|
||||
chown nobody: "${KF}"
|
||||
done
|
||||
|
||||
if [ ${FS_ACCESS_FAILURE} -eq 0 ]; then
|
||||
echo "ok 6 - genkeys should fail without filesystem access"
|
||||
else
|
||||
echo "not ok 6 - genkeys should fail without filesystem access"
|
||||
fi
|
||||
popd > /dev/null
|
||||
|
||||
Reference in New Issue
Block a user