From: Jonathan McDowell Date: Mon, 25 Sep 2023 20:22:19 +0000 (+0100) Subject: Ensure EDDSA signatures including leading zeros X-Git-Tag: onak-0.6.3~1 X-Git-Url: https://the.earth.li/gitweb/?a=commitdiff_plain;h=549f5e6b9048759dd5bcbdf5f376e0766692418c;p=onak.git Ensure EDDSA signatures including leading zeros mpz_export() expands an mpz to only the correct number of bytes required. EDDSA signatures are based on a full 64 bytes of signature data. But if either element of the signature (r or s) is fewer than 249 bits we'll end up with fewer than 32 bytes output and the signature won't valid. Ensure our output is right justified so we don't lose the leftmost zeros. --- diff --git a/sigcheck.c b/sigcheck.c index 963eeff..c1a7ce5 100644 --- a/sigcheck.c +++ b/sigcheck.c @@ -289,6 +289,7 @@ onak_status_t onak_check_hash_sig(struct openpgp_packet *sigkey, uint8_t sigkeytype; uint8_t edsig[64]; int len, ofs; + size_t count; mpz_t s; ret = onak_parse_key_material(sigkey, &pubkey); @@ -361,8 +362,22 @@ onak_status_t onak_check_hash_sig(struct openpgp_packet *sigkey, MPI_TO_MPZ(sig, dsasig.r); if (ret == ONAK_E_OK) MPI_TO_MPZ(sig, dsasig.s); - mpz_export(edsig, NULL, 1, 1, 0, 0, dsasig.r); - mpz_export(&edsig[32], NULL, 1, 1, 0, 0, dsasig.s); + mpz_export(edsig, &count, 1, 1, 0, 0, dsasig.r); + if (count < 32) { + memmove(&edsig[32 - count], edsig, count); + while (count < 32) { + count++; + edsig[32 - count] = 0; + } + } + mpz_export(&edsig[32], &count, 1, 1, 0, 0, dsasig.s); + if (count < 32) { + memmove(&edsig[32 - count], edsig, count); + while (count < 32) { + count++; + edsig[32 - count] = 0; + } + } break; case OPENPGP_PKALGO_RSA: case OPENPGP_PKALGO_RSA_SIGN: