gpg,gpgsm: Fix compliance check for DSA and avoid an assert.

* common/compliance.c (gnupg_pk_is_compliant): Swap P and Q for DSA check. Explicitly check for allowed ECC algos. (gnupg_pk_is_allowed): Swap P and Q for DSA check. * g10/mainproc.c (proc_encrypted): Simplify SYMKEYS check. Replace assert by debug message. -- Note that in mainproc.c SYMKEYS is unsigned and thus a greater than 0 condition is surprising because it leads to the assumption SYMKEYS could be negative. Better use a boolean test. The assert could have lead to a regression for no good reason. Not being compliant is better than breaking existing users. Signed-off-by: Werner Koch <wk@gnupg.org>
2025-07-02 22:46:30 +02:00 · 2017-06-19 17:50:02 +02:00 · 2017-06-19 17:50:02 +02:00 · 3621dbe525
commit 3621dbe525
parent 6cc4702767
4 changed files with 30 additions and 23 deletions
--- a/common/compliance.c
+++ b/common/compliance.c
@ -154,10 +154,10 @@ gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo,
 	case is_dsa:
 	  if (key)
 	    {
-	      size_t L = gcry_mpi_get_nbits (key[0] /* p */);
-	      size_t N = gcry_mpi_get_nbits (key[1] /* q */);
-	      result = (L == 256
-			&& (N == 2048 || N == 3072));
+	      size_t P = gcry_mpi_get_nbits (key[0]);
+	      size_t Q = gcry_mpi_get_nbits (key[1]);
+	      result = (Q == 256
+			&& (P == 2048 || P == 3072));
 	    }
 	  break;

@ -171,7 +171,8 @@ gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo,
            }

          result = (curvename
-                    && algo != PUBKEY_ALGO_EDDSA
+                    && (algo == PUBKEY_ALGO_ECDH
+                        || algo == PUBKEY_ALGO_ECDSA)
                    && (!strcmp (curvename, "brainpoolP256r1")
                        || !strcmp (curvename, "brainpoolP384r1")
                        || !strcmp (curvename, "brainpoolP512r1")));
@ -238,13 +239,13 @@ gnupg_pk_is_allowed (enum gnupg_compliance_mode compliance,
 	case PUBKEY_ALGO_DSA:
 	  if (key)
 	    {
-	      size_t L = gcry_mpi_get_nbits (key[0] /* p */);
-	      size_t N = gcry_mpi_get_nbits (key[1] /* q */);
+	      size_t P = gcry_mpi_get_nbits (key[0]);
+	      size_t Q = gcry_mpi_get_nbits (key[1]);
 	      return ((use == PK_USE_SIGNING
-		       && L == 256
-		       && (N == 2048 || N == 3072))
+		       && Q == 256
+		       && (P == 2048 || P == 3072))
 		      || (use == PK_USE_VERIFICATION
-			  && N < 2048));
+			  && P < 2048));
 	    }
 	  else
 	    return 0;