gpg: Fix modifying signature data by pk_verify for Ed25519.

* g10/pkglue.c (pk_verify): When fixing R and S, make sure those are copies. -- GnuPG-bug-id: 7426 Fixing-commit: 0a5a854510fda6e6990938a3fca424df868fe676 Signed-off-by: NIIBE Yutaka <gniibe@fsij.org> Also avoid clearing the error by the S code of a failed mpi_print of R. Signed-off-by: Werner Koch <wk@gnupg.org>
2024-12-22 10:19:57 +01:00 · 2024-11-25 14:39:59 +09:00 · 2024-11-25 14:39:59 +09:00 · 52616ae81d
commit 52616ae81d
parent 73f3d98444
1 changed files with 21 additions and 6 deletions
--- a/g10/pkglue.c
+++ b/g10/pkglue.c
@ -331,9 +331,18 @@ pk_verify (pubkey_algo_t pkalgo, gcry_mpi_t hash,
            rc = gpg_error (GPG_ERR_BAD_MPI);
          else
            {
+              r = gcry_mpi_copy (r);
+              s = gcry_mpi_copy (s);
+
+              if (!r || !s)
+                {
+                  rc = gpg_error_from_syserror ();
+                  goto leave;
+                }
+
              /* We need to fixup the length in case of leading zeroes.
               * OpenPGP does not allow leading zeroes and the parser for
-               * the signature packet has no information on the use curve,
+               * the signature packet has no information on the used curve,
               * thus we need to do it here.  We won't do it for opaque
               * MPIs under the assumption that they are known to be fine;
               * we won't see them here anyway but the check is anyway
@ -343,12 +352,13 @@ pk_verify (pubkey_algo_t pkalgo, gcry_mpi_t hash,

              if (rlen < neededfixedlen
                  && !gcry_mpi_get_flag (r, GCRYMPI_FLAG_OPAQUE)
-                  && !(rc=gcry_mpi_print (GCRYMPI_FMT_USG, buf, sizeof buf, &n, r)))
+                  && !(rc=gcry_mpi_print (GCRYMPI_FMT_USG,
+                                          buf, sizeof buf, &n, r)))
                {
                  log_assert (n < neededfixedlen);
                  memmove (buf + (neededfixedlen - n), buf, n);
                  memset (buf, 0, neededfixedlen - n);
-                  r = gcry_mpi_set_opaque_copy (NULL, buf, neededfixedlen * 8);
+                  gcry_mpi_set_opaque_copy (r, buf, neededfixedlen * 8);
                }
              else if (rlen < neededfixedlen
                       && gcry_mpi_get_flag (r, GCRYMPI_FLAG_OPAQUE))
@ -361,14 +371,18 @@ pk_verify (pubkey_algo_t pkalgo, gcry_mpi_t hash,
                  memset (buf, 0, neededfixedlen - n);
                  gcry_mpi_set_opaque_copy (r, buf, neededfixedlen * 8);
                }
-              if (slen < neededfixedlen
+
+              if (rc)
+                ;
+              else if (slen < neededfixedlen
                  && !gcry_mpi_get_flag (s, GCRYMPI_FLAG_OPAQUE)
-                  && !(rc=gcry_mpi_print (GCRYMPI_FMT_USG, buf, sizeof buf, &n, s)))
+                  && !(rc=gcry_mpi_print (GCRYMPI_FMT_USG,
+                                          buf, sizeof buf, &n, s)))
                {
                  log_assert (n < neededfixedlen);
                  memmove (buf + (neededfixedlen - n), buf, n);
                  memset (buf, 0, neededfixedlen - n);
-                  s = gcry_mpi_set_opaque_copy (NULL, buf, neededfixedlen * 8);
+                  gcry_mpi_set_opaque_copy (s, buf, neededfixedlen * 8);
                }
              else if (slen < neededfixedlen
                       && gcry_mpi_get_flag (s, GCRYMPI_FLAG_OPAQUE))
@ -416,6 +430,7 @@ pk_verify (pubkey_algo_t pkalgo, gcry_mpi_t hash,
  if (!rc)
    rc = gcry_pk_verify (s_sig, s_hash, s_pkey);

+ leave:
  gcry_sexp_release (s_sig);
  gcry_sexp_release (s_hash);
  gcry_sexp_release (s_pkey);