From 89c53e1962bbff7b8866c09895489eaaca736f39 Mon Sep 17 00:00:00 2001
From: Jakub Jelen
Date: Wed, 17 Apr 2024 10:49:31 +0200
Subject: [PATCH] libgcrypt: Prevent signature blob to start with 1 bit

This should prevent the long standing random failures of libgcrypt pipeline. I was recently able to reproduce it only with dropbear, which sounds like choking on the signature starting with bit 1, possibly interpretting it as a negative value.

Signed-off-by: Jakub Jelen
Reviewed-by: Sahana Prasad
---
 src/pki_gcrypt.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/pki_gcrypt.c b/src/pki_gcrypt.c
index 6c498c5b..8aec75e9 100644
--- a/src/pki_gcrypt.c
+++ b/src/pki_gcrypt.c
@@ -1664,7 +1664,13 @@ ssh_string pki_signature_to_blob(const ssh_signature sig)
 return NULL;
 }
 s = gcry_sexp_nth_data(sexp, 1, &size);
- if (*s == 0) {
+
+ /*
+ * Remove leading zeroes, but only the ones that do not make the MPI
+ * representation look like a negative value (first bit is one),
+ * which might confuse some implementations.
+ */
+ while (size > 1 && s[0] == 0 && (s[1] & 0x80) == 0) {
 size--;
 s++;
 }
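Review bot: The result of `gcry_sexp_nth_data(sexp, 1, &size)` is still used without a NULL check in the visible lines, and the new `while` loop only avoids dereferencing it because `size > 1` is evaluated first. That is safe only if a failed lookup leaves `size` at 0, which the hunk does not show. Both `s` and `size` then flow into code after the hunk, so an explicit guard such as `if (s == NULL || size == 0) { return NULL; }` before the loop, with the same cleanup the earlier error path performs, would make the failure case explicit. Separately, the loop only keeps an existing leading zero and never adds one, so if the S-expression can hold the value without it, the blob can still start with the high bit set. A comment stating which representation the S-expression is expected to hold would settle that. The body of `pki_signature_to_blob` starts and ends outside this hunk, so the later use of `s` could not be checked here.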