Ensure EDDSA signatures including leading zeros

mpz_export() expands an mpz to only the correct number of bytes
required. EDDSA signatures are based on a full 64 bytes of signature
data. But if either element of the signature (r or s) is fewer than 249
bits we'll end up with fewer than 32 bytes output and the signature
won't valid.

Ensure our output is right justified so we don't lose the leftmost
zeros.

diff --git a/sigcheck.c b/sigcheck.c
index 963eeffe4beb3ef19f81eed1e5cb756c5d16ca4f..c1a7ce541f3931aaa40640919dec99b810b8f794 100644 (file)
--- a/sigcheck.c
+++ b/sigcheck.c
@@ -289,6 +289,7 @@ onak_status_t onak_check_hash_sig(struct openpgp_packet *sigkey,
        uint8_t sigkeytype;
        uint8_t edsig[64];
        int len, ofs;
+       size_t count;
        mpz_t s;
 
        ret = onak_parse_key_material(sigkey, &pubkey);
@@ -361,8 +362,22 @@ onak_status_t onak_check_hash_sig(struct openpgp_packet *sigkey,
                MPI_TO_MPZ(sig, dsasig.r);
                if (ret == ONAK_E_OK)
                        MPI_TO_MPZ(sig, dsasig.s);
-               mpz_export(edsig, NULL, 1, 1, 0, 0, dsasig.r);
-               mpz_export(&edsig[32], NULL, 1, 1, 0, 0, dsasig.s);
+               mpz_export(edsig, &count, 1, 1, 0, 0, dsasig.r);
+               if (count < 32) {
+                       memmove(&edsig[32 - count], edsig, count);
+                       while (count < 32) {
+                               count++;
+                               edsig[32 - count] = 0;
+                       }
+               }
+               mpz_export(&edsig[32], &count, 1, 1, 0, 0, dsasig.s);
+               if (count < 32) {
+                       memmove(&edsig[32 - count], edsig, count);
+                       while (count < 32) {
+                               count++;
+                               edsig[32 - count] = 0;
+                       }
+               }
                break;
        case OPENPGP_PKALGO_RSA:
        case OPENPGP_PKALGO_RSA_SIGN: