From b1252fedf6ee1dbb8468d1d3f177711a16e83e52 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Niels=20M=C3=B6ller?= <nisse@lysator.liu.se>
Date: Fri, 9 Jun 2017 22:46:04 +0200
Subject: [PATCH] Fix assertion failure in pss signature verification.

* pss.c (pss_verify_mgf1): Check for m being too large, fixing an
assertion failure for certain invalid signatures. Based on a patch
contributed by Daiki Ueno.
---
 pss.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/pss.c b/pss.c
index 9af72e51..88125c06 100644
--- a/pss.c
+++ b/pss.c
@@ -143,6 +143,9 @@ pss_verify_mgf1(const mpz_t m, size_t bits,
   if (key_size < hash->digest_size + salt_length + 2)
     goto cleanup;
 
+  if (mpz_sizeinbase(m, 2) > bits)
+    goto cleanup;
+
   nettle_mpz_get_str_256(key_size, em, m);
 
   /* Check the trailer field.  */
@@ -152,10 +155,10 @@ pss_verify_mgf1(const mpz_t m, size_t bits,
   /* Extract H.  */
   h = em + (key_size - hash->digest_size - 1);
 
-  /* Check if the leftmost 8 * emLen - emBits bits of the leftmost
-   * octet of EM are all equal to zero. */
-  if ((*em & ~pss_masks[(8 * key_size - bits)]) != 0)
-    goto cleanup;
+  /* The leftmost 8 * emLen - emBits bits of the leftmost octet of EM
+   * must all equal to zero. Always true here, thanks to the above
+   * check on the bit size of m. */
+  assert((*em & ~pss_masks[(8 * key_size - bits)]) == 0);
 
   /* Compute dbMask.  */
   hash->init(state);
-- 
GitLab