Commit b1252fed authored by Niels Möller

Fix assertion failure in pss signature verification.

* pss.c (pss_verify_mgf1): Check for m being too large, fixing an
assertion failure for certain invalid signatures. Based on a patch
contributed by Daiki Ueno.
parent cc2a3f8a
...@@ -143,6 +143,9 @@ pss_verify_mgf1(const mpz_t m, size_t bits, ...@@ -143,6 +143,9 @@ pss_verify_mgf1(const mpz_t m, size_t bits,
if (key_size < hash->digest_size + salt_length + 2) if (key_size < hash->digest_size + salt_length + 2)
goto cleanup; goto cleanup;
if (mpz_sizeinbase(m, 2) > bits)
goto cleanup;
nettle_mpz_get_str_256(key_size, em, m); nettle_mpz_get_str_256(key_size, em, m);
/* Check the trailer field. */ /* Check the trailer field. */
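Review bot: the added `if (mpz_sizeinbase(m, 2) > bits)` test has no comment, although the assert introduced further down in this function depends on it. Suggest a short comment above it stating that m must fit in `bits` bits before `nettle_mpz_get_str_256(key_size, em, m)` is called, and that this is what rejects the invalid signatures mentioned in the commit message. A regression test that feeds an m wider than `bits` and expects a plain verification failure would keep the two from drifting apart.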
...@@ -152,10 +155,10 @@ pss_verify_mgf1(const mpz_t m, size_t bits, ...@@ -152,10 +155,10 @@ pss_verify_mgf1(const mpz_t m, size_t bits,
/* Extract H. */ /* Extract H. */
h = em + (key_size - hash->digest_size - 1); h = em + (key_size - hash->digest_size - 1);
/* Check if the leftmost 8 * emLen - emBits bits of the leftmost /* The leftmost 8 * emLen - emBits bits of the leftmost octet of EM
* octet of EM are all equal to zero. */ * must all equal to zero. Always true here, thanks to the above
if ((*em & ~pss_masks[(8 * key_size - bits)]) != 0) * check on the bit size of m. */
goto cleanup; assert((*em & ~pss_masks[(8 * key_size - bits)]) == 0);
/* Compute dbMask. */ /* Compute dbMask. */
hash->init(state); hash->init(state);
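Review bot: replacing `if ((*em & ~pss_masks[(8 * key_size - bits)]) != 0) goto cleanup;` with an `assert` removes a runtime rejection path from code that parses untrusted signatures. With NDEBUG the assert compiles to nothing, so the leading-bits condition then rests entirely on the earlier `mpz_sizeinbase(m, 2) > bits` check; without NDEBUG, any future change that weakens that check turns a malformed signature into an abort rather than a failed verification. Consider keeping the `goto cleanup` form here, with the comment noting that it is expected to be unreachable. Style: in the new comment, "must all equal to zero" should read "must all be equal to zero".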
......