[PATCH] g10: fix cmp_public_key and cmp_secret_keys

NIIBE Yutaka gniibe at fsij.org
Thu Apr 30 07:13:41 CEST 2015


Hello,

This patch is my attempt to fix GnuPG 1.4.x and 2.0.x for the issue
1962.

    https://bugs.gnupg.org/gnupg/issue1962

The specific problem of issue 1962 is that comparison of subkeys
always fails in merge_blocks and it results calling append_key always.

Following patch is for 2.0.x but similar can be applied to 1.4.x, too.
This patch basically intend to fix a problem of ECC key handling with
1.4 and 2.0, but the patch itself can also be applied to 2.1.

When the public key algorithm is not known, pkey[0] field is set with
opaque MPI in the parse_key function.  Thus, I think that the key can
be compared.

Actually, I got a report to me, my repeated subkey of secp256k1.  I
think that this was the cause.

diff --git a/g10/free-packet.c b/g10/free-packet.c
index 85f23ce..9b42cfd 100644
--- a/g10/free-packet.c
+++ b/g10/free-packet.c
@@ -452,11 +452,14 @@ cmp_public_keys( PKT_public_key *a, PKT_public_key *b )
 	return -1;

     n = pubkey_get_npkey( b->pubkey_algo );
-    if( !n )
-	return -1; /* can't compare due to unknown algorithm */
-    for(i=0; i < n; i++ ) {
-	if( mpi_cmp( a->pkey[i], b->pkey[i] ) )
-	    return -1;
+    if( !n ) { /* unknown algorithm, rest is in opaque MPI */
+	if( mpi_cmp( a->pkey[0], b->pkey[0] ) )
+	    return -1; /* can't compare due to unknown algorithm */
+    } else {
+	for(i=0; i < n; i++ ) {
+	    if( mpi_cmp( a->pkey[i], b->pkey[i] ) )
+		return -1;
+	}
     }

     return 0;
@@ -479,11 +482,14 @@ cmp_secret_keys( PKT_secret_key *a, PKT_secret_key *b )
 	return -1;

     n = pubkey_get_npkey( b->pubkey_algo );
-    if( !n )
-	return -1; /* can't compare due to unknown algorithm */
-    for(i=0; i < n; i++ ) {
-	if( mpi_cmp( a->skey[i], b->skey[i] ) )
+    if( !n ) { /* unknown algorithm, rest is in opaque MPI */
+	if( mpi_cmp( a->skey[0], b->skey[0] ) )
 	    return -1;
+    } else {
+	for(i=0; i < n; i++ ) {
+	    if( mpi_cmp( a->skey[i], b->skey[i] ) )
+		return -1;
+	}
     }

     return 0;
--



More information about the Gnupg-devel mailing list