File: 0008-tests-avoid-gpg-interop-with-weak-DSA-with-gpg-sq.patch

package info (click to toggle)
rnp 0.18.0-4
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid
  • size: 18,660 kB
  • sloc: cpp: 74,609; python: 5,247; ansic: 5,035; sh: 1,651; makefile: 25
file content (76 lines) | stat: -rw-r--r-- 3,245 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
 
From: Daniel Kahn Gillmor <dkg@fifthhorseman.net>
Date: Thu, 16 Oct 2025 17:43:16 -0400
Subject: tests: avoid gpg interop with weak DSA with gpg-sq

Future versions of gpg might adopt the IETF guidance to avoid 1024-bit
DSA as well.
---
 src/tests/cli_tests.py | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/src/tests/cli_tests.py b/src/tests/cli_tests.py
index cfab385..5692a39 100755
--- a/src/tests/cli_tests.py
+++ b/src/tests/cli_tests.py
@@ -39,6 +39,7 @@ GPG_ELG = False
 GPG_3DES = False
 GPG_IDEA = False
 GPG_CAST5 = False
+GPG_WEAK_DSA = False
 TESTS_SUCCEEDED = []
 TESTS_FAILED = []
 TEST_WORKFILES = []
@@ -866,10 +867,13 @@ def rnp_cleartext_signing_gpg_to_rnp(filesize):
 
 def gpg_check_features():
     global GPG_ELG, GPG_AEAD, GPG_AEAD_EAX, GPG_AEAD_OCB, GPG_NO_OLD, GPG_BRAINPOOL
-    global GPG_3DES, GPG_IDEA, GPG_CAST5
+    global GPG_3DES, GPG_IDEA, GPG_CAST5, GPG_WEAK_DSA
     _, out, _ = run_proc(GPG, ["--version"])
     # El Gamal
     GPG_ELG = re.match(r'(?s)^.*ELG.*', out) is not None
+    # Accepting weak DSA is not visible in --version output.
+    # We assume that weak DSA is acceptable to GnuPG unless it is the Chameleon.
+    GPG_WEAK_DSA = re.match(r'(?s)^.*Chameleon.*', out) is None
     # old symmetric ciphers
     GPG_3DES = re.match(r'(?s)^.*3DES.*', out) is not None
     GPG_IDEA = re.match(r'(?s)^.*IDEA.*', out) is not None
@@ -5520,6 +5524,8 @@ class SignDSA(Sign):
     def key_pfx(p): return "GnuPG_dsa_elgamal_%d_%d" % (p, p)
 
     def do_test_sign(self, p_size):
+        if p_size < 2048 and not GPG_WEAK_DSA:
+            self.skipTest("gpg doesn't support weak DSA")
         pfx = SignDSA.key_pfx(p_size)
         self.operation_key_location = tuple((key_path(pfx, False), key_path(pfx, True)))
         self.rnp.userid = self.gpg.userid = pfx + AT_EXAMPLE
@@ -5527,6 +5533,8 @@ class SignDSA(Sign):
         self._sign_verify(self.rnp, self.gpg)
 
     def do_test_verify(self, p_size):
+        if p_size < 2048 and not GPG_WEAK_DSA:
+            self.skipTest("gpg doesn't support weak DSA")
         pfx = SignDSA.key_pfx(p_size)
         self.operation_key_location = tuple((key_path(pfx, False), key_path(pfx, True)))
         self.rnp.userid = self.gpg.userid = pfx + AT_EXAMPLE
@@ -5544,14 +5552,20 @@ class SignDSA(Sign):
     def test_verify_P2112_Q256(self): self.do_test_verify(2112)
 
     def test_sign_P1088_Q224(self):
+        if not GPG_WEAK_DSA:
+            self.skipTest("gpg doesn't support weak DSA")
         self.operation_key_gencmd = SignDSA.RNP_GENERATE_DSA_PATTERN.format(1088)
         self._sign_verify(self.rnp, self.gpg)
 
     def test_verify_P1088_Q224(self):
+        if not GPG_WEAK_DSA:
+            self.skipTest("gpg doesn't support weak DSA")
         self.operation_key_gencmd = SignDSA.GPG_GENERATE_DSA_PATTERN.format("1088", self.rnp.userid)
         self._sign_verify(self.gpg, self.rnp)
 
     def test_hash_truncation(self):
+        if not GPG_WEAK_DSA:
+            self.skipTest("gpg doesn't support weak DSA")
         '''
         Signs message hashed with SHA512 with a key of size 160 bits. Implementation
         truncates leftmost 160 bits of a hash before signing (see FIPS 186-4, 4.2)