From dece06fba998a548424a22ed357a4b9933150345 Mon Sep 17 00:00:00 2001
From: Marian Beermann <public@enkore.de>
Date: Sat, 16 Apr 2016 00:20:55 +0200
Subject: [PATCH] KeyTestCase, test_decrypt_integrity

---
 borg/testsuite/__init__.py |  2 ++
 borg/testsuite/key.py      | 33 +++++++++++++++++++++++++++++++--
 2 files changed, 33 insertions(+), 2 deletions(-)

diff --git a/borg/testsuite/__init__.py b/borg/testsuite/__init__.py
index cccf97a82..978c1ab42 100644
--- a/borg/testsuite/__init__.py
+++ b/borg/testsuite/__init__.py
@@ -45,6 +45,8 @@ class BaseTestCase(unittest.TestCase):
     assert_not_in = unittest.TestCase.assertNotIn
     assert_equal = unittest.TestCase.assertEqual
     assert_not_equal = unittest.TestCase.assertNotEqual
+    assert_raises = unittest.TestCase.assertRaises
+    assert_raises_regex = unittest.TestCase.assertRaisesRegex
     assert_true = unittest.TestCase.assertTrue
 
     if raises:
diff --git a/borg/testsuite/key.py b/borg/testsuite/key.py
index 11eb35061..4f9ec7b4c 100644
--- a/borg/testsuite/key.py
+++ b/borg/testsuite/key.py
@@ -6,8 +6,8 @@ from binascii import hexlify, unhexlify
 
 from ..crypto import bytes_to_long, num_aes_blocks
 from ..key import PlaintextKey, PassphraseKey, KeyfileKey
-from ..helpers import Location, Chunk, bin_to_hex
-from . import BaseTestCase, environment_variable
+from ..helpers import Location, IntegrityError, Chunk, bin_to_hex
+from . import environment_variable
 
 
 class KeyTestCase(BaseTestCase):
@@ -126,3 +126,32 @@ class KeyTestCase(BaseTestCase):
         chunk = Chunk(b'foo')
         self.assert_equal(hexlify(key.id_hash(chunk.data)), b'818217cf07d37efad3860766dcdf1d21e401650fed2d76ed1d797d3aae925990')
         self.assert_equal(chunk, key2.decrypt(key2.id_hash(chunk.data), key.encrypt(chunk)))
+
+    def test_decrypt_integrity(self):
+        with open(os.path.join(os.environ['BORG_KEYS_DIR'], 'keyfile'), 'w') as fd:
+            fd.write(self.keyfile2_key_file)
+        os.environ['BORG_PASSPHRASE'] = 'passphrase'
+        key = KeyfileKey.detect(self.MockRepository(), self.keyfile2_cdata)
+        with self.assert_raises_regex(IntegrityError, 'Invalid encryption envelope'):
+            data = bytearray(self.keyfile2_cdata)
+            data[0] += 5  # wrong TYPE
+            key.decrypt("", data)
+        with self.assert_raises_regex(IntegrityError, 'Encryption envelope checksum mismatch'):
+            data = bytearray(self.keyfile2_cdata)
+            data[5] += 5  # corrupt HMAC
+            key.decrypt("", data)
+        with self.assert_raises_regex(IntegrityError, 'Encryption envelope checksum mismatch'):
+            data = bytearray(self.keyfile2_cdata)
+            id = key.id_hash(data)
+            data[36] += 123  # this in the IV/CTR
+            key.decrypt(id, data)
+        with self.assert_raises_regex(IntegrityError, 'Encryption envelope checksum mismatch'):
+            data = bytearray(self.keyfile2_cdata)
+            id = key.id_hash(data)
+            data[50] += 1  # corrupt data
+            key.decrypt(id, data)
+        with self.assert_raises_regex(IntegrityError, 'Chunk id verification failed'):
+            data = bytearray(self.keyfile2_cdata)
+            id = bytearray(key.id_hash(data))  # corrupt chunk id
+            id[12] = 0
+            key.decrypt(id, data)