From 868dabb4027a03f4ce39be3c143b480bccde1a63 Mon Sep 17 00:00:00 2001
From: Werner Koch <wk@gnupg.org>
Date: Tue, 15 Nov 2022 09:56:13 +0100
Subject: [PATCH] dirmngr: Fix verification of ECDSA signed CRLs.

* dirmngr/crlcache.c (finish_sig_check): Use raw value for the data.
--

This had the usual signed/unsigned problem.  By using the modern form
we enforce Libgcrypt internal parsing as unsigned integer.
---
 dirmngr/crlcache.c | 5 +++--
 dirmngr/validate.c | 2 +-
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/dirmngr/crlcache.c b/dirmngr/crlcache.c
index 45e0e6c0c..f0893a64a 100644
--- a/dirmngr/crlcache.c
+++ b/dirmngr/crlcache.c
@@ -1831,9 +1831,10 @@ finish_sig_check (ksba_crl_t crl, gcry_md_hd_t md, int algo,
       if (n > qbits/8)
         n = qbits/8;
 
-      err = gcry_sexp_build (&s_hash, NULL, "%b",
+      err = gcry_sexp_build (&s_hash, NULL, "(data(flags raw)(value %b))",
                              (int)n,
                              gcry_md_read (md, algo));
+
     }
   else
     {
@@ -1852,7 +1853,7 @@ finish_sig_check (ksba_crl_t crl, gcry_md_hd_t md, int algo,
   /* Pass this on to the signature verification. */
   err = gcry_pk_verify (s_sig, s_hash, s_pkey);
   if (DBG_X509)
-    log_debug ("gcry_pk_verify: %s\n", gpg_strerror (err));
+    log_debug ("%s: gcry_pk_verify: %s\n", __func__, gpg_strerror (err));
 
  leave:
   xfree (sigval);
diff --git a/dirmngr/validate.c b/dirmngr/validate.c
index 231600ff6..399cca3a4 100644
--- a/dirmngr/validate.c
+++ b/dirmngr/validate.c
@@ -1164,7 +1164,7 @@ check_cert_sig (ksba_cert_t issuer_cert, ksba_cert_t cert)
   if (!err)
     err = gcry_pk_verify (s_sig, s_hash, s_pkey);
   if (DBG_X509)
-    log_debug ("gcry_pk_verify: %s\n", gpg_strerror (err));
+    log_debug ("%s: gcry_pk_verify: %s\n", __func__, gpg_strerror (err));
 
  leave:
   gcry_md_close (md);