From 3e22ea2445f805dfe0df9bbf15a03cbc53a88167 Mon Sep 17 00:00:00 2001 From: drebs Date: Tue, 14 May 2013 18:56:12 -0300 Subject: Add MAC authentication to encrypted docs. * Fix review comments: * Use of literal string instead of self.STORAGE_SECRETS_KEY * Add mac_method param to mac_doc() * Verify mac_method in mac_doc() and raise in there if unknown method * Use different parts of storage_secret for generating doc passphrase and mac key. * Add changes file. --- src/leap/soledad/tests/test_crypto.py | 43 +++++++++++++++++++++++++++++ src/leap/soledad/tests/test_leap_backend.py | 2 +- 2 files changed, 44 insertions(+), 1 deletion(-) (limited to 'src/leap/soledad/tests') diff --git a/src/leap/soledad/tests/test_crypto.py b/src/leap/soledad/tests/test_crypto.py index 720e95fa..6804723a 100644 --- a/src/leap/soledad/tests/test_crypto.py +++ b/src/leap/soledad/tests/test_crypto.py @@ -37,6 +37,10 @@ from leap.soledad.backends.leap_backend import ( LeapSyncTarget, ENC_JSON_KEY, ENC_SCHEME_KEY, + MAC_METHOD_KEY, + MAC_KEY, + UnknownMacMethod, + WrongMac, ) from leap.soledad.backends.couch import CouchDatabase from leap.soledad import KeyAlreadyExists, Soledad @@ -243,3 +247,42 @@ class CryptoMethodsTestCase(BaseSoledadTest): sol = self._soledad_instance(user='user@leap.se', prefix='/3') self.assertTrue(sol._has_secret(), "Should have a secret at " "this point") + + +class MacAuthTestCase(BaseSoledadTest): + + def test_decrypt_with_wrong_mac_raises(self): + """ + Trying to decrypt a document with wrong MAC should raise. + """ + simpledoc = {'key': 'val'} + doc = LeapDocument(doc_id='id') + doc.content = simpledoc + # encrypt doc + doc.set_json(encrypt_doc(self._soledad._crypto, doc)) + self.assertTrue(MAC_KEY in doc.content) + self.assertTrue(MAC_METHOD_KEY in doc.content) + # mess with MAC + doc.content[MAC_KEY] = 'wrongmac' + # try to decrypt doc + self.assertRaises( + WrongMac, + decrypt_doc, self._soledad._crypto, doc) + + def test_decrypt_with_unknown_mac_method_raises(self): + """ + Trying to decrypt a document with unknown MAC method should raise. + """ + simpledoc = {'key': 'val'} + doc = LeapDocument(doc_id='id') + doc.content = simpledoc + # encrypt doc + doc.set_json(encrypt_doc(self._soledad._crypto, doc)) + self.assertTrue(MAC_KEY in doc.content) + self.assertTrue(MAC_METHOD_KEY in doc.content) + # mess with MAC method + doc.content[MAC_METHOD_KEY] = 'mymac' + # try to decrypt doc + self.assertRaises( + UnknownMacMethod, + decrypt_doc, self._soledad._crypto, doc) diff --git a/src/leap/soledad/tests/test_leap_backend.py b/src/leap/soledad/tests/test_leap_backend.py index c0510373..9bd7b604 100644 --- a/src/leap/soledad/tests/test_leap_backend.py +++ b/src/leap/soledad/tests/test_leap_backend.py @@ -284,7 +284,7 @@ class TestLeapParsingSyncStream( """ Test adapted to use encrypted content. """ - doc = leap_backend.LeapDocument('i') + doc = leap_backend.LeapDocument('i', rev='r') doc.content = {} enc_json = leap_backend.encrypt_doc(self._soledad._crypto, doc) tgt = leap_backend.LeapSyncTarget( -- cgit v1.2.3