security-and-privacy/gnupg
security-and-privacy
/
gnupg
mirror of git://git.gnupg.org/gnupg.git
1
0
Fork 0
Code Releases Activity

dirmngr: Fix verification of ECDSA signed CRLs. 

* dirmngr/crlcache.c (finish_sig_check): Use raw value for the data.
--

This had the usual signed/unsigned problem.  By using the modern form
we enforce Libgcrypt internal parsing as unsigned integer.
This commit is contained in:
Werner Koch 2022-11-15 09:56:13 +01:00
parent 80ccded042
commit 868dabb402
No known key found for this signature in database
GPG Key ID: E3FDFF218E45B72B
2 changed files with 4 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
dirmngr/crlcache.c
View File

@ -1831,9 +1831,10 @@ finish_sig_check (ksba_crl_t crl, gcry_md_hd_t md, int algo,
if (n > qbits/8)
n = qbits/8;
err = gcry_sexp_build (&s_hash, NULL, "%b",
err = gcry_sexp_build (&s_hash, NULL, "(data(flags raw)(value %b))",
(int)n,
gcry_md_read (md, algo));
}
else
{
@ -1852,7 +1853,7 @@ finish_sig_check (ksba_crl_t crl, gcry_md_hd_t md, int algo,
/* Pass this on to the signature verification. */
err = gcry_pk_verify (s_sig, s_hash, s_pkey);
if (DBG_X509)
log_debug ("gcry_pk_verify: %s\n", gpg_strerror (err));
log_debug ("%s: gcry_pk_verify: %s\n", __func__, gpg_strerror (err));
leave:
xfree (sigval);

2
dirmngr/validate.c
View File

@ -1164,7 +1164,7 @@ check_cert_sig (ksba_cert_t issuer_cert, ksba_cert_t cert)
if (!err)
err = gcry_pk_verify (s_sig, s_hash, s_pkey);
if (DBG_X509)
log_debug ("gcry_pk_verify: %s\n", gpg_strerror (err));
log_debug ("%s: gcry_pk_verify: %s\n", __func__, gpg_strerror (err));
leave:
gcry_md_close (md);