Fix assertion failure in pss signature verification.

* pss.c (pss_verify_mgf1): Check for m being too large, fixing an
assertion failure for certain invalid signatures. Based on a patch
contributed by Daiki Ueno.

diff --git a/pss.c b/pss.c
index 9af72e518eeb0264c16570188e7fb9a2d5b0c0d2..88125c064ef1ea3727a4f5a570ec609f75dbdf9b 100644 (file)
--- a/pss.c
+++ b/pss.c
@@ -143,6 +143,9 @@ pss_verify_mgf1(const mpz_t m, size_t bits,
   if (key_size < hash->digest_size + salt_length + 2)
     goto cleanup;
 
+  if (mpz_sizeinbase(m, 2) > bits)
+    goto cleanup;
+
   nettle_mpz_get_str_256(key_size, em, m);
 
   /* Check the trailer field.  */
@@ -152,10 +155,10 @@ pss_verify_mgf1(const mpz_t m, size_t bits,
   /* Extract H.  */
   h = em + (key_size - hash->digest_size - 1);
 
-  /* Check if the leftmost 8 * emLen - emBits bits of the leftmost
-   * octet of EM are all equal to zero. */
-  if ((*em & ~pss_masks[(8 * key_size - bits)]) != 0)
-    goto cleanup;
+  /* The leftmost 8 * emLen - emBits bits of the leftmost octet of EM
+   * must all equal to zero. Always true here, thanks to the above
+   * check on the bit size of m. */
+  assert((*em & ~pss_masks[(8 * key_size - bits)]) == 0);
 
   /* Compute dbMask.  */
   hash->init(state);