gpg: Avoid NULL-deref in default key listing.

* g10/keyid.c (hash_public_key): Take care of NULL keys. * g10/misc.c (pubkey_nbits): Ditto. -- This problem was mainly due to our ECC code while checking for opaque MPIs with the curve name.
2025-05-24 16:43:28 +02:00 · 2014-06-02 19:51:23 +02:00 · 2014-06-02 19:51:23 +02:00 · 958e5f292f
commit 958e5f292f
parent f3249b1c4d
2 changed files with 50 additions and 34 deletions
--- a/g10/keyid.c
+++ b/g10/keyid.c
@ -167,7 +167,15 @@ hash_public_key (gcry_md_hd_t md, PKT_public_key *pk)
    {
      for (i=0; i < npkey; i++ )
        {
-          if (gcry_mpi_get_flag (pk->pkey[i], GCRYMPI_FLAG_OPAQUE))
+          if (!pk->pkey[i])
            {
              /* This case may only happen if the parsing of the MPI
                 failed but the key was anyway created.  May happen
                 during "gpg KEYFILE".  */
              pp[i] = NULL;
              nn[i] = 0;
            }
          else if (gcry_mpi_get_flag (pk->pkey[i], GCRYMPI_FLAG_OPAQUE))
            {
              const void *p;
--- a/g10/misc.c
+++ b/g10/misc.c
@ -1628,46 +1628,54 @@ pubkey_get_nenc (pubkey_algo_t algo)
 unsigned int
 pubkey_nbits( int algo, gcry_mpi_t *key )
 {
-    int rc, nbits;
+  int rc, nbits;
-    gcry_sexp_t sexp;
+  gcry_sexp_t sexp;
-    if( algo == PUBKEY_ALGO_DSA ) {
+  if (algo == PUBKEY_ALGO_DSA
-	rc = gcry_sexp_build ( &sexp, NULL,
+      && key[0] && key[1] && key[2] && key[3])
-			      "(public-key(dsa(p%m)(q%m)(g%m)(y%m)))",
+    {
-				  key[0], key[1], key[2], key[3] );
+      rc = gcry_sexp_build (&sexp, NULL,
                            "(public-key(dsa(p%m)(q%m)(g%m)(y%m)))",
                            key[0], key[1], key[2], key[3] );
    }
-    else if( algo == PUBKEY_ALGO_ELGAMAL || algo == PUBKEY_ALGO_ELGAMAL_E ) {
+  else if ((algo == PUBKEY_ALGO_ELGAMAL || algo == PUBKEY_ALGO_ELGAMAL_E)
-	rc = gcry_sexp_build ( &sexp, NULL,
+           && key[0] && key[1] && key[2])
-			      "(public-key(elg(p%m)(g%m)(y%m)))",
+    {
-				  key[0], key[1], key[2] );
+      rc = gcry_sexp_build (&sexp, NULL,
                            "(public-key(elg(p%m)(g%m)(y%m)))",
                            key[0], key[1], key[2] );
    }
-    else if( is_RSA (algo) ) {
+  else if (is_RSA (algo)
-	rc = gcry_sexp_build ( &sexp, NULL,
+           && key[0] && key[1])
-			      "(public-key(rsa(n%m)(e%m)))",
+    {
-				  key[0], key[1] );
+      rc = gcry_sexp_build (&sexp, NULL,
                            "(public-key(rsa(n%m)(e%m)))",
                            key[0], key[1] );
    }
-    else if (algo == PUBKEY_ALGO_ECDSA || algo == PUBKEY_ALGO_ECDH
+  else if ((algo == PUBKEY_ALGO_ECDSA || algo == PUBKEY_ALGO_ECDH
-             || algo == PUBKEY_ALGO_EDDSA) {
+            || algo == PUBKEY_ALGO_EDDSA)
-        char *curve = openpgp_oid_to_str (key[0]);
+           && key[0] && key[1])
-        if (!curve)
+    {
-          rc = gpg_error_from_syserror ();
+      char *curve = openpgp_oid_to_str (key[0]);
-        else
+      if (!curve)
-          {
+        rc = gpg_error_from_syserror ();
-            rc = gcry_sexp_build (&sexp, NULL,
+      else
-                                  "(public-key(ecc(curve%s)(q%m)))",
+        {
-				  curve, key[1]);
+          rc = gcry_sexp_build (&sexp, NULL,
-            xfree (curve);
+                                "(public-key(ecc(curve%s)(q%m)))",
-          }
+                                curve, key[1]);
          xfree (curve);
        }
    }
-    else
+  else
-	return 0;
+    return 0;
-    if ( rc )
+  if (rc)
-	BUG ();
+    BUG ();
-    nbits = gcry_pk_get_nbits( sexp );
+  nbits = gcry_pk_get_nbits (sexp);
-    gcry_sexp_release( sexp );
+  gcry_sexp_release (sexp);
-    return nbits;
+  return nbits;
 }