gpg,gpgsm: Fix compliance check for DSA and avoid an assert.

* common/compliance.c (gnupg_pk_is_compliant): Swap P and Q for DSA check. Explicitly check for allowed ECC algos. (gnupg_pk_is_allowed): Swap P and Q for DSA check. * g10/mainproc.c (proc_encrypted): Simplify SYMKEYS check. Replace assert by debug message. -- Note that in mainproc.c SYMKEYS is unsigned and thus a greater than 0 condition is surprising because it leads to the assumption SYMKEYS could be negative. Better use a boolean test. The assert could have lead to a regression for no good reason. Not being compliant is better than breaking existing users. Signed-off-by: Werner Koch <[email protected]>
author: Werner Koch <[email protected]> 2017-06-19 15:50:02 +0000
committer: Werner Koch <[email protected]> 2017-06-19 17:57:11 +0000
commit: 3621dbe52584bc8b417f61b5370ebaa5598db956 (patch)
tree: fb35fed8b4be7e65927e3935313bea70750193ed /common/compliance.c
parent: indent: Always use "_(" and not "_ (" to mark translatable strings. (diff)
download: gnupg-3621dbe52584bc8b417f61b5370ebaa5598db956.tar.gz
gnupg-3621dbe52584bc8b417f61b5370ebaa5598db956.zip
1 files changed, 11 insertions, 10 deletions
diff --git a/common/compliance.c b/common/compliance.c
index 3c43fd821..8b9167758 100644
--- a/common/compliance.c
+++ b/common/compliance.c
@@ -154,10 +154,10 @@ gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo,
 	case is_dsa:
 	  if (key)
 	    {
-	      size_t L = gcry_mpi_get_nbits (key[0] /* p */);
-	      size_t N = gcry_mpi_get_nbits (key[1] /* q */);
-	      result = (L == 256
-			&& (N == 2048 || N == 3072));
+	      size_t P = gcry_mpi_get_nbits (key[0]);
+	      size_t Q = gcry_mpi_get_nbits (key[1]);
+	      result = (Q == 256
+			&& (P == 2048 || P == 3072));
 	    }
 	  break;
 
@@ -171,7 +171,8 @@ gnupg_pk_is_compliant (enum gnupg_compliance_mode compliance, int algo,
             }
 
           result = (curvename
-                    && algo != PUBKEY_ALGO_EDDSA
+                    && (algo == PUBKEY_ALGO_ECDH
+                        || algo == PUBKEY_ALGO_ECDSA)
                     && (!strcmp (curvename, "brainpoolP256r1")
                         || !strcmp (curvename, "brainpoolP384r1")
                         || !strcmp (curvename, "brainpoolP512r1")));
@@ -238,13 +239,13 @@ gnupg_pk_is_allowed (enum gnupg_compliance_mode compliance,
 	case PUBKEY_ALGO_DSA:
 	  if (key)
 	    {
-	      size_t L = gcry_mpi_get_nbits (key[0] /* p */);
-	      size_t N = gcry_mpi_get_nbits (key[1] /* q */);
+	      size_t P = gcry_mpi_get_nbits (key[0]);
+	      size_t Q = gcry_mpi_get_nbits (key[1]);
 	      return ((use == PK_USE_SIGNING
-		       && L == 256
-		       && (N == 2048 || N == 3072))
+		       && Q == 256
+		       && (P == 2048 || P == 3072))
 		      || (use == PK_USE_VERIFICATION
-			  && N < 2048));
+			  && P < 2048));
 	    }
 	  else
 	    return 0;
author	Werner Koch <[email protected]>	2017-06-19 15:50:02 +0000
committer	Werner Koch <[email protected]>	2017-06-19 17:57:11 +0000
commit	3621dbe52584bc8b417f61b5370ebaa5598db956 (patch)
tree	fb35fed8b4be7e65927e3935313bea70750193ed /common/compliance.c
parent	indent: Always use "_(" and not "_ (" to mark translatable strings. (diff)
download	gnupg-3621dbe52584bc8b417f61b5370ebaa5598db956.tar.gz gnupg-3621dbe52584bc8b417f61b5370ebaa5598db956.zip