summaryrefslogtreecommitdiffstats
path: root/sm/certcheck.c
diff options
context:
space:
mode:
authorWerner Koch <wk@gnupg.org>2020-06-17 14:27:12 +0200
committerWerner Koch <wk@gnupg.org>2020-06-17 14:27:12 +0200
commit596212e71abf33b30608348b782c093dace83110 (patch)
treea0e4bbdded71f362b93d32f999f1b9a47e7e74db /sm/certcheck.c
parentgpg: Fix for new SOS changes when used with Libgcrypt < 1.8.6. (diff)
downloadgnupg2-596212e71abf33b30608348b782c093dace83110.tar.xz
gnupg2-596212e71abf33b30608348b782c093dace83110.zip
sm: Support verification of nistp521 signatures.
* sm/certcheck.c (do_encode_md): Take care of nistp521. -- That curve is a bit odd in that it does not match a common hash digest length. We fix that here for just this case instead of writing more general code to support all allowed cases (i.e. hash shorter than Q). Signed-off-by: Werner Koch <wk@gnupg.org>
Diffstat (limited to 'sm/certcheck.c')
-rw-r--r--sm/certcheck.c13
1 files changed, 8 insertions, 5 deletions
diff --git a/sm/certcheck.c b/sm/certcheck.c
index 3604ac788..cf9495a58 100644
--- a/sm/certcheck.c
+++ b/sm/certcheck.c
@@ -77,12 +77,15 @@ do_encode_md (gcry_md_hd_t md, int algo, int pkalgo, unsigned int nbits,
if (pkalgo == GCRY_PK_DSA || pkalgo == GCRY_PK_ECC)
{
- unsigned int qbits;
+ unsigned int qbits0, qbits;
if ( pkalgo == GCRY_PK_ECC )
- qbits = gcry_pk_get_nbits (pkey);
+ {
+ qbits0 = gcry_pk_get_nbits (pkey);
+ qbits = qbits0 == 521? 512 : qbits;
+ }
else
- qbits = get_dsa_qbits (pkey);
+ qbits0 = qbits = get_dsa_qbits (pkey);
if ( (qbits%8) )
{
@@ -99,7 +102,7 @@ do_encode_md (gcry_md_hd_t md, int algo, int pkalgo, unsigned int nbits,
if (qbits < 160)
{
log_error (_("%s key uses an unsafe (%u bit) hash\n"),
- gcry_pk_algo_name (pkalgo), qbits);
+ gcry_pk_algo_name (pkalgo), qbits0);
return gpg_error (GPG_ERR_INTERNAL);
}
@@ -110,7 +113,7 @@ do_encode_md (gcry_md_hd_t md, int algo, int pkalgo, unsigned int nbits,
{
log_error (_("a %u bit hash is not valid for a %u bit %s key\n"),
(unsigned int)nframe*8,
- gcry_pk_get_nbits (pkey),
+ qbits0,
gcry_pk_algo_name (pkalgo));
/* FIXME: we need to check the requirements for ECDSA. */
if (nframe < 20 || pkalgo == GCRY_PK_DSA )