1
0
mirror of git://git.gnupg.org/gnupg.git synced 2024-12-22 10:19:57 +01:00

sm: Support verification of nistp521 signatures.

* sm/certcheck.c (do_encode_md): Take care of nistp521.
--

That curve is a bit odd in that it does not match a common hash digest
length.  We fix that here for just this case instead of writing more
general code to support all allowed cases (i.e. hash shorter than Q).

Signed-off-by: Werner Koch <wk@gnupg.org>
This commit is contained in:
Werner Koch 2020-06-17 14:27:12 +02:00
parent eeb599c9e2
commit 596212e71a
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B

View File

@ -77,12 +77,15 @@ do_encode_md (gcry_md_hd_t md, int algo, int pkalgo, unsigned int nbits,
if (pkalgo == GCRY_PK_DSA || pkalgo == GCRY_PK_ECC)
{
unsigned int qbits;
unsigned int qbits0, qbits;
if ( pkalgo == GCRY_PK_ECC )
qbits = gcry_pk_get_nbits (pkey);
{
qbits0 = gcry_pk_get_nbits (pkey);
qbits = qbits0 == 521? 512 : qbits;
}
else
qbits = get_dsa_qbits (pkey);
qbits0 = qbits = get_dsa_qbits (pkey);
if ( (qbits%8) )
{
@ -99,7 +102,7 @@ do_encode_md (gcry_md_hd_t md, int algo, int pkalgo, unsigned int nbits,
if (qbits < 160)
{
log_error (_("%s key uses an unsafe (%u bit) hash\n"),
gcry_pk_algo_name (pkalgo), qbits);
gcry_pk_algo_name (pkalgo), qbits0);
return gpg_error (GPG_ERR_INTERNAL);
}
@ -110,7 +113,7 @@ do_encode_md (gcry_md_hd_t md, int algo, int pkalgo, unsigned int nbits,
{
log_error (_("a %u bit hash is not valid for a %u bit %s key\n"),
(unsigned int)nframe*8,
gcry_pk_get_nbits (pkey),
qbits0,
gcry_pk_algo_name (pkalgo));
/* FIXME: we need to check the requirements for ECDSA. */
if (nframe < 20 || pkalgo == GCRY_PK_DSA )