From 5f184de4150286af7949950692d02e304b25506e Mon Sep 17 00:00:00 2001
From: Daiki Ueno <dueno@redhat.com>
Date: Fri, 9 Jun 2017 22:48:34 +0200
Subject: [PATCH] Test case for pss signature problem.

* rsa-pss-sign-tr-test.c (test_main): Add test case
contributed by Daiki Ueno. Problem originally found by oss-fuzz,
see https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2132.
That problem report is currently embargoed, but will hopefully be
public in a month or two.
---
 testsuite/rsa-pss-sign-tr-test.c | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/testsuite/rsa-pss-sign-tr-test.c b/testsuite/rsa-pss-sign-tr-test.c
index 2ba043c5..6dfba734 100644
--- a/testsuite/rsa-pss-sign-tr-test.c
+++ b/testsuite/rsa-pss-sign-tr-test.c
@@ -321,6 +321,35 @@ test_main(void)
 		       salt->length, salt->data, msg->length, msg->data,
 		       expected);
 
+  /* The public key n for this test is of size k = 1017 bits, and the
+     pss "em" value is limited to k - 1 = 1016 bits or 127 octets. The
+     alleged signature below results in a 1017 bit number during the
+     signature verification, which is too large, and used to result in
+     an assertion failure when attempting to convert the number to a
+     127 octet string.
+  */
+  mpz_set_str(pub.n,
+	      "1d64559685aad3490e976b48aacf442ecee847268f882341eafe78"
+	      "a0ca4ef88f66edbaf55b70e5285cc117aa9ceb322a4227c17e9e89"
+	      "27bf38e5672faecf79e2983d92766fbb6624522f072ae0e4e46d37"
+	      "052ce1e5745c2dd8fd67de3862e4711161e359b96bda85911ebf4e"
+	      "6ce1bea625970269c77004a3cb03f9c382c5f79", 16);
+  mpz_set_str(pub.e, "10001", 16);
+
+  ASSERT (rsa_public_key_prepare(&pub));
+
+  msg = SHEX("7f85e4909ff7bb29536e540a53031ef03ddcb129e553a43273fa1f"
+	     "ed28c22a8b57c7bde101ff746f335ba69b29642019");
+  /* Alleged signature, resulting in a too large m. */
+  mpz_set_str(expected,
+	      "000000000000000000000000000000000000000000000000000000"
+	      "000000000000000000000000000000000000000000000005ffff05"
+	      "000000000000000000000000000000000000000000000000000000"
+	      "000000000000000000000000000000000000000000000000000000"
+	      "0000000000000000000000000000000000000000", 16);
+
+  ASSERT(!rsa_pss_sha384_verify_digest(&pub, 48, msg->data, expected));
+
   rsa_private_key_clear(&key);
   rsa_public_key_clear(&pub);
   mpz_clear(expected);
-- 
GitLab