Commit cff26040d8e4019e2c9db950d7986f6422c6711b
1 parent
ce19471f
Using insecure crytpo from the CLI is now an error by default
Showing
6 changed files
with
19 additions
and
25 deletions
ChangeLog
| 1 | +2022-04-30 Jay Berkenbilt <ejb@ql.org> | ||
| 2 | + | ||
| 3 | + * Make attempting to write encrypted files that use RC4 (40-bit or | ||
| 4 | + 128-bit without AES) an error rather than a warning when | ||
| 5 | + --allow-weak-crypto is not specified. | ||
| 6 | + | ||
| 1 | 2022-04-29 Jay Berkenbilt <ejb@ql.org> | 7 | 2022-04-29 Jay Berkenbilt <ejb@ql.org> |
| 2 | 8 | ||
| 3 | * QPDFObjectHandle: for the methods insertItem, appendItem, | 9 | * QPDFObjectHandle: for the methods insertItem, appendItem, |
TODO
| @@ -486,16 +486,6 @@ in source and header files to find items not listed here. | @@ -486,16 +486,6 @@ in source and header files to find items not listed here. | ||
| 486 | developer and user experience. We don't want to create a situation | 486 | developer and user experience. We don't want to create a situation |
| 487 | where exactly the same code fails to work in 11 but worked on 10. | 487 | where exactly the same code fails to work in 11 but worked on 10. |
| 488 | See #576 for latest notes. | 488 | See #576 for latest notes. |
| 489 | - * Change deterministic id to use something other than MD5 but allow | ||
| 490 | - the old way for compatibility -- maybe rename the method to force | ||
| 491 | - the developer to make a choice | ||
| 492 | - * Find other uses of MD5 and find the ones that are discretionary, | ||
| 493 | - if any | ||
| 494 | - * Have QPDFWriter raise an exception if it's about to write using | ||
| 495 | - weak crypto and hasn't been given permission | ||
| 496 | - * Search for --allow-weak-crypto in the manual and in qpdf.cc's help | ||
| 497 | - information | ||
| 498 | - * Update the ref.weak-crypto section of the manual | ||
| 499 | 489 | ||
| 500 | Page splitting/merging | 490 | Page splitting/merging |
| 501 | ====================== | 491 | ====================== |
job.sums
| @@ -14,4 +14,4 @@ libqpdf/qpdf/auto_job_json_decl.hh 06caa46eaf71db8a50c046f91866baa8087745a947431 | @@ -14,4 +14,4 @@ libqpdf/qpdf/auto_job_json_decl.hh 06caa46eaf71db8a50c046f91866baa8087745a947431 | ||
| 14 | libqpdf/qpdf/auto_job_json_init.hh 06d51f11c117011256e175386eee9946441f3c22b49dd91fc591bbc1fa3bbeec | 14 | libqpdf/qpdf/auto_job_json_init.hh 06d51f11c117011256e175386eee9946441f3c22b49dd91fc591bbc1fa3bbeec |
| 15 | libqpdf/qpdf/auto_job_schema.hh 43273b9edfc48b1f4cccbff1d2b31916a9057c474ef97d2936b2f1f14170885b | 15 | libqpdf/qpdf/auto_job_schema.hh 43273b9edfc48b1f4cccbff1d2b31916a9057c474ef97d2936b2f1f14170885b |
| 16 | manual/_ext/qpdf.py e9ac9d6c70642a3d29281ee5ad92ae2422dee8be9306fb8a0bc9dba0ed5e28f3 | 16 | manual/_ext/qpdf.py e9ac9d6c70642a3d29281ee5ad92ae2422dee8be9306fb8a0bc9dba0ed5e28f3 |
| 17 | -manual/cli.rst aa44cbe7b6281ee05dc8b19ee1b12ca770503681ffc8ba90e795fc3c3b55153d | 17 | +manual/cli.rst 6a2d99acedbd207370a8dc2807f6657323c42bccbe51ebdc6bc2d00f6851219c |
libqpdf/QPDFJob.cc
| @@ -2812,18 +2812,17 @@ QPDFJob::setEncryptionOptions(QPDF& pdf, QPDFWriter& w) | @@ -2812,18 +2812,17 @@ QPDFJob::setEncryptionOptions(QPDF& pdf, QPDFWriter& w) | ||
| 2812 | maybeFixWritePassword(R, m->owner_password); | 2812 | maybeFixWritePassword(R, m->owner_password); |
| 2813 | if ((R < 4) || ((R == 4) && (!m->use_aes))) { | 2813 | if ((R < 4) || ((R == 4) && (!m->use_aes))) { |
| 2814 | if (!m->allow_weak_crypto) { | 2814 | if (!m->allow_weak_crypto) { |
| 2815 | - // Do not set warnings = true for this case as this does | ||
| 2816 | - // not reflect a potential problem with the input file. | ||
| 2817 | - QTC::TC("qpdf", "QPDFJob weak crypto warning"); | 2815 | + QTC::TC("qpdf", "QPDFJob weak crypto error"); |
| 2818 | *(this->m->cerr) | 2816 | *(this->m->cerr) |
| 2819 | << this->m->message_prefix | 2817 | << this->m->message_prefix |
| 2820 | - << ": writing a file with RC4, a weak cryptographic algorithm" | 2818 | + << ": refusing to write a file with RC4, a weak cryptographic algorithm" |
| 2821 | << std::endl | 2819 | << std::endl |
| 2822 | << "Please use 256-bit keys for better security." << std::endl | 2820 | << "Please use 256-bit keys for better security." << std::endl |
| 2823 | - << "Pass --allow-weak-crypto to suppress this warning." | 2821 | + << "Pass --allow-weak-crypto to enable writing insecure files." |
| 2824 | << std::endl | 2822 | << std::endl |
| 2825 | - << "This will become an error in a future version of qpdf." | 2823 | + << "See also https://qpdf.readthedocs.io/en/stable/weak-crypto.html" |
| 2826 | << std::endl; | 2824 | << std::endl; |
| 2825 | + throw std::runtime_error("refusing to write a file with weak crypto"); | ||
| 2827 | } | 2826 | } |
| 2828 | } | 2827 | } |
| 2829 | switch (R) { | 2828 | switch (R) { |
qpdf/qpdf.testcov
| @@ -605,7 +605,7 @@ QPDFWriter exclude from object stream 0 | @@ -605,7 +605,7 @@ QPDFWriter exclude from object stream 0 | ||
| 605 | QPDF_pages findPage not found 0 | 605 | QPDF_pages findPage not found 0 |
| 606 | QPDFJob overlay page with no resources 0 | 606 | QPDFJob overlay page with no resources 0 |
| 607 | QPDFObjectHandle check ownership 0 | 607 | QPDFObjectHandle check ownership 0 |
| 608 | -QPDFJob weak crypto warning 0 | 608 | +QPDFJob weak crypto error 0 |
| 609 | qpdf-c called qpdf_oh_is_initialized 0 | 609 | qpdf-c called qpdf_oh_is_initialized 0 |
| 610 | qpdf-c registered progress reporter 0 | 610 | qpdf-c registered progress reporter 0 |
| 611 | qpdf-c called qpdf_oh_new_uninitialized 0 | 611 | qpdf-c called qpdf_oh_new_uninitialized 0 |
qpdf/qtest/qpdf.test
| @@ -3983,16 +3983,15 @@ $td->runtest("128-bit with AES: no warning", | @@ -3983,16 +3983,15 @@ $td->runtest("128-bit with AES: no warning", | ||
| 3983 | ' minimal.pdf a.pdf'}, | 3983 | ' minimal.pdf a.pdf'}, |
| 3984 | {$td->STRING => "", $td->EXIT_STATUS => 0}, | 3984 | {$td->STRING => "", $td->EXIT_STATUS => 0}, |
| 3985 | $td->NORMALIZE_NEWLINES); | 3985 | $td->NORMALIZE_NEWLINES); |
| 3986 | -# Note: we intentionally have exit status 0 for this warning. | ||
| 3987 | -$td->runtest("128-bit without AES: warning", | 3986 | +$td->runtest("128-bit without AES: error", |
| 3988 | {$td->COMMAND => 'qpdf --encrypt "" "" 128 -- minimal.pdf a.pdf'}, | 3987 | {$td->COMMAND => 'qpdf --encrypt "" "" 128 -- minimal.pdf a.pdf'}, |
| 3989 | - {$td->REGEXP => "Pass --allow-weak-crypto to suppress", | ||
| 3990 | - $td->EXIT_STATUS => 0}, | 3988 | + {$td->REGEXP => "Pass --allow-weak-crypto to enable", |
| 3989 | + $td->EXIT_STATUS => 2}, | ||
| 3991 | $td->NORMALIZE_NEWLINES); | 3990 | $td->NORMALIZE_NEWLINES); |
| 3992 | -$td->runtest("40-bit: warning", | 3991 | +$td->runtest("40-bit: error", |
| 3993 | {$td->COMMAND => 'qpdf --encrypt "" "" 40 -- minimal.pdf a.pdf'}, | 3992 | {$td->COMMAND => 'qpdf --encrypt "" "" 40 -- minimal.pdf a.pdf'}, |
| 3994 | - {$td->REGEXP => "Pass --allow-weak-crypto to suppress", | ||
| 3995 | - $td->EXIT_STATUS => 0}, | 3993 | + {$td->REGEXP => "Pass --allow-weak-crypto to enable", |
| 3994 | + $td->EXIT_STATUS => 2}, | ||
| 3996 | $td->NORMALIZE_NEWLINES); | 3995 | $td->NORMALIZE_NEWLINES); |
| 3997 | 3996 | ||
| 3998 | show_ntests(); | 3997 | show_ntests(); |