Commit b1252fed authored by Niels Möller's avatar Niels Möller

Fix assertion failure in pss signature verification.

* pss.c (pss_verify_mgf1): Check for m being too large, fixing an
assertion failure for certain invalid signatures. Based on a patch
contributed by Daiki Ueno.
parent cc2a3f8a
......@@ -143,6 +143,9 @@ pss_verify_mgf1(const mpz_t m, size_t bits,
if (key_size < hash->digest_size + salt_length + 2)
goto cleanup;
if (mpz_sizeinbase(m, 2) > bits)
goto cleanup;
nettle_mpz_get_str_256(key_size, em, m);
/* Check the trailer field. */
......@@ -152,10 +155,10 @@ pss_verify_mgf1(const mpz_t m, size_t bits,
/* Extract H. */
h = em + (key_size - hash->digest_size - 1);
/* Check if the leftmost 8 * emLen - emBits bits of the leftmost
* octet of EM are all equal to zero. */
if ((*em & ~pss_masks[(8 * key_size - bits)]) != 0)
goto cleanup;
/* The leftmost 8 * emLen - emBits bits of the leftmost octet of EM
* must all equal to zero. Always true here, thanks to the above
* check on the bit size of m. */
assert((*em & ~pss_masks[(8 * key_size - bits)]) == 0);
/* Compute dbMask. */
hash->init(state);
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment