From: Jonathan McDowell
Date: Mon, 25 Sep 2023 20:22:19 +0000 (+0100)
Subject: Ensure EDDSA signatures including leading zeros
X-Git-Tag: onak-0.6.3~1
X-Git-Url: https://the.earth.li/gitweb/?p=onak.git;a=commitdiff_plain;h=549f5e6b9048759dd5bcbdf5f376e0766692418c

Ensure EDDSA signatures including leading zeros

mpz_export() expands an mpz to only the correct number of bytes required. EDDSA signatures are based on a full 64 bytes of signature data. But if either element of the signature (r or s) is fewer than 249 bits we'll end up with fewer than 32 bytes output and the signature won't valid. Ensure our output is right justified so we don't lose the leftmost zeros.
---
diff --git a/sigcheck.c b/sigcheck.c
index 963eeff..c1a7ce5 100644
--- a/sigcheck.c
+++ b/sigcheck.c
@@ -289,6 +289,7 @@ onak_status_t onak_check_hash_sig(struct openpgp_packet *sigkey,
 	uint8_t sigkeytype;
 	uint8_t edsig[64];
 	int len, ofs;
+	size_t count;
 	mpz_t s;
 
 	ret = onak_parse_key_material(sigkey, &pubkey);
@@ -361,8 +362,22 @@ onak_status_t onak_check_hash_sig(struct openpgp_packet *sigkey,
 		MPI_TO_MPZ(sig, dsasig.r);
 		if (ret == ONAK_E_OK)
 			MPI_TO_MPZ(sig, dsasig.s);
-		mpz_export(edsig, NULL, 1, 1, 0, 0, dsasig.r);
-		mpz_export(&edsig[32], NULL, 1, 1, 0, 0, dsasig.s);
+		mpz_export(edsig, &count, 1, 1, 0, 0, dsasig.r);
+		if (count < 32) {
+			memmove(&edsig[32 - count], edsig, count);
+			while (count < 32) {
+				count++;
+				edsig[32 - count] = 0;
+			}
+		}
+		mpz_export(&edsig[32], &count, 1, 1, 0, 0, dsasig.s);
+		if (count < 32) {
+			memmove(&edsig[32 - count], edsig, count);
+			while (count < 32) {
+				count++;
+				edsig[32 - count] = 0;
+			}
+		}
 		break;
 	case OPENPGP_PKALGO_RSA:
 	case OPENPGP_PKALGO_RSA_SIGN:
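Review bot: The right-justification added for `dsasig.s` in the second hunk operates on the wrong half of `edsig`: its `memmove(&edsig[32 - count], edsig, count)` and `edsig[32 - count] = 0` read and write the r half at offset 0, so a short s is left unjustified in `edsig[32..63]` while the already-justified r bytes are overwritten. The two lines should be `memmove(&edsig[64 - count], &edsig[32], count);` and `edsig[64 - count] = 0;`. Neither block handles the opposite case either: mpz_export() writes `count` bytes unconditionally, so an r or s wider than 32 bytes in a malformed signature packet spills past its half (and, for s, past the 64-byte stack buffer), which is worth rejecting up front with something like `if (mpz_sizeinbase(dsasig.r, 2) > 256 || mpz_sizeinbase(dsasig.s, 2) > 256) { ret = <suitable ONAK_E_ error>; break; }`. Because the two blocks differ only in the destination offset, a small static helper that right-justifies one 32-byte half would have avoided this copy-and-edit slip and keeps the bound check in one place. onak_check_hash_sig starts and ends outside both hunks.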