From ff3b607fc879b70665c187500022cc63e2a0cd86 Mon Sep 17 00:00:00 2001
From: NIIBE Yutaka <gniibe@fsij.org>
Date: Tue, 5 Jan 2016 10:15:49 +0900
Subject: [PATCH] agent: Fix RSA verification for card.

* agent/pksign.c (agent_pksign_do): Use S-exp of public key, instead
of shadowed key.

--

Reported-by: Justus Winter
Signed-off-by: NIIBE Yutaka <gniibe@fsij.org>
---
 agent/pksign.c | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/agent/pksign.c b/agent/pksign.c
index 7b498d464..9011be2e9 100644
--- a/agent/pksign.c
+++ b/agent/pksign.c
@@ -492,21 +492,20 @@ agent_pksign_do (ctrl_t ctrl, const char *cache_nonce,
    * for RSA internally there is no need to do it here again.  */
   if (check_signature)
     {
+      gcry_sexp_t sexp_key = s_pkey? s_pkey: s_skey;
+
       if (s_hash == NULL)
         {
           if (ctrl->digest.algo == MD_USER_TLS_MD5SHA1)
             rc = do_encode_raw_pkcs1 (data, datalen,
-                                      gcry_pk_get_nbits (s_skey),
-                                      &s_hash);
+                                      gcry_pk_get_nbits (sexp_key), &s_hash);
           else
-            rc = do_encode_md (data, datalen,
-                               ctrl->digest.algo,
-                               &s_hash,
+            rc = do_encode_md (data, datalen, ctrl->digest.algo, &s_hash,
                                ctrl->digest.raw_value);
         }
 
       if (! rc)
-        rc = gcry_pk_verify (s_sig, s_hash, s_pkey? s_pkey: s_skey);
+        rc = gcry_pk_verify (s_sig, s_hash, sexp_key);
 
       if (rc)
         {