author | lloyd <[email protected]> | 2010-05-28 13:52:05 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2010-05-28 13:52:05 +0000 |
commit | 8c874d4213e13e92b050dbb5ee9268ce73118c8f (patch) | |
tree | e774a6bfc92ee02f9e05b177d03301f1205f9734 | |
parent | fef7c4d49cdff44b60c42d4a50b0675a94280bec (diff) |
If you didn't specify a qbits for the DSA kosherizer, then it would
choose 256 bits unless the pbits was exactly 1024. That would mean that
for pbits = 512/768, the FIPS 186-3 size check would fail and it
wouldn't work. Pointed out by Rickard Bellgrim.
-rw-r--r-- | src/pubkey/dl_group/dl_group.cpp | 39 |
1 files changed, 20 insertions, 19 deletions
diff --git a/src/pubkey/dl_group/dl_group.cpp b/src/pubkey/dl_group/dl_group.cpp
index cbbea5a60..d4e306ac3 100644
--- a/src/pubkey/dl_group/dl_group.cpp
+++ b/src/pubkey/dl_group/dl_group.cpp
@@ -55,31 +55,32 @@ DL_Group::DL_Group(RandomNumberGenerator& rng,
 q = (p - 1) / 2;
 g = 2;
 }
- else if(type == Prime_Subgroup || type == DSA_Kosherizer)
+ else if(type == Prime_Subgroup)
 {
- if(type == Prime_Subgroup)
- {
- if(!qbits)
- qbits = 2 * dl_work_factor(pbits);
-
- q = random_prime(rng, qbits);
- BigInt X;
- while(p.bits() != pbits || !check_prime(p, rng))
- {
- X.randomize(rng, pbits);
- p = X - (X % (2*q) - 1);
- }
- }
- else
+ if(!qbits)
+ qbits = 2 * dl_work_factor(pbits);
+
+ q = random_prime(rng, qbits);
+ BigInt X;
+ while(p.bits() != pbits || !check_prime(p, rng))
 {
- qbits = qbits ? qbits : ((pbits == 1024) ? 160 : 256);
- generate_dsa_primes(rng,
- global_state().algorithm_factory(),
- p, q, pbits, qbits);
+ X.randomize(rng, pbits);
+ p = X - (X % (2*q) - 1);
 }
 g = make_dsa_generator(p, q);
 }
+ else if(type == DSA_Kosherizer)
+ {
+ qbits = qbits ? qbits : ((pbits <= 1024) ? 160 : 256);
+
+ generate_dsa_primes(rng,
+ global_state().algorithm_factory(),
+ p, q,
+ pbits, qbits);
+
+ g = make_dsa_generator(p, q);
+ }
 initialized = true;
 } |
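Review bot: The `Prime_Subgroup` branch never compares a caller-supplied `qbits` with `pbits` before entering the `while(p.bits() != pbits || !check_prime(p, rng))` loop. If `qbits >= pbits`, and assuming `X.randomize(rng, pbits)` yields at most `pbits` bits, then `X % (2*q)` is just `X`, so `p` is always 1 and the loop cannot terminate; when the sizes come from configuration or a peer, that is a hang rather than an error. A guard before `random_prime`, such as `if(qbits >= pbits) throw Invalid_Argument("DL_Group: qbits must be smaller than pbits");`, would turn this into a clean failure. The constructor begins outside the hunk, so an earlier size check may already exist; if it does, a short comment at the loop noting that precondition would help.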