1
0
mirror of git://git.gnupg.org/gnupg.git synced 2025-01-08 12:44:23 +01:00

sm: Support verification of nistp521 signatures.

* sm/certcheck.c (do_encode_md): Take care of nistp521.
--

That curve is a bit odd in that it does not match a common hash digest
length.  We fix that here for just this case instead of writing more
general code to support all allowed cases (i.e. hash shorter than Q).

Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2020-06-17 14:27:12 +02:00
parent eeb599c9e2
commit 596212e71a
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B

View File

@ -77,12 +77,15 @@ do_encode_md (gcry_md_hd_t md, int algo, int pkalgo, unsigned int nbits,
if (pkalgo == GCRY_PK_DSA || pkalgo == GCRY_PK_ECC) if (pkalgo == GCRY_PK_DSA || pkalgo == GCRY_PK_ECC)
{ {
unsigned int qbits; unsigned int qbits0, qbits;
if ( pkalgo == GCRY_PK_ECC ) if ( pkalgo == GCRY_PK_ECC )
qbits = gcry_pk_get_nbits (pkey); {
qbits0 = gcry_pk_get_nbits (pkey);
qbits = qbits0 == 521? 512 : qbits;
}
else else
qbits = get_dsa_qbits (pkey); qbits0 = qbits = get_dsa_qbits (pkey);
if ( (qbits%8) ) if ( (qbits%8) )
{ {
@ -99,7 +102,7 @@ do_encode_md (gcry_md_hd_t md, int algo, int pkalgo, unsigned int nbits,
if (qbits < 160) if (qbits < 160)
{ {
log_error (_("%s key uses an unsafe (%u bit) hash\n"), log_error (_("%s key uses an unsafe (%u bit) hash\n"),
gcry_pk_algo_name (pkalgo), qbits); gcry_pk_algo_name (pkalgo), qbits0);
return gpg_error (GPG_ERR_INTERNAL); return gpg_error (GPG_ERR_INTERNAL);
} }
@ -110,7 +113,7 @@ do_encode_md (gcry_md_hd_t md, int algo, int pkalgo, unsigned int nbits,
{ {
log_error (_("a %u bit hash is not valid for a %u bit %s key\n"), log_error (_("a %u bit hash is not valid for a %u bit %s key\n"),
(unsigned int)nframe*8, (unsigned int)nframe*8,
gcry_pk_get_nbits (pkey), qbits0,
gcry_pk_algo_name (pkalgo)); gcry_pk_algo_name (pkalgo));
/* FIXME: we need to check the requirements for ECDSA. */ /* FIXME: we need to check the requirements for ECDSA. */
if (nframe < 20 || pkalgo == GCRY_PK_DSA ) if (nframe < 20 || pkalgo == GCRY_PK_DSA )