agent: Fix RSA verification for card.

* agent/pksign.c (agent_pksign_do): Use S-exp of public key, instead of shadowed key. -- Reported-by: Justus Winter Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
2016-01-05 10:15:49 +09:00 · 2016-01-05 10:15:49 +09:00 · ff3b607fc8
parent 575c15a090
commit ff3b607fc8
1 changed files with 5 additions and 6 deletions
--- a/agent/pksign.c
+++ b/agent/pksign.c
@ -492,21 +492,20 @@ agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,
   * for RSA internally there is no need to do it here again.  */
  if (check_signature)
    {
+      gcry_sexp_t sexp_key = s_pkey? s_pkey: s_skey;
+
      if (s_hash == NULL)
        {
          if (ctrl->digest.algo == MD_USER_TLS_MD5SHA1)
            rc = do_encode_raw_pkcs1 (data, datalen,
-                                      gcry_pk_get_nbits (s_skey),
-                                      &s_hash);
+                                      gcry_pk_get_nbits (sexp_key), &s_hash);
          else
-            rc = do_encode_md (data, datalen,
-                               ctrl->digest.algo,
-                               &s_hash,
+            rc = do_encode_md (data, datalen, ctrl->digest.algo, &s_hash,
                               ctrl->digest.raw_value);
        }

      if (! rc)
-        rc = gcry_pk_verify (s_sig, s_hash, s_pkey? s_pkey: s_skey);
+        rc = gcry_pk_verify (s_sig, s_hash, sexp_key);

      if (rc)
        {