Hello,

Nikos told me that there is a case where RSA-PSS signature verification leads to an assertion failure:

  bignum.c:120: nettle_mpz_get_str_256: Assertion `nettle_mpz_sizeinbase_256_u(x) <= length' failed.

I thought it wouldn't be possible because 'x' is already rounded by the RSA modulus and 'length' is bound to the modulus. However, actually 'length' is calculated as ((modBits - 1) + 7) / 8, i.e. one bit less than the original modulus. Thus, it would be possible that the octet length of 'x' exceeds 'length'.

I am attaching a patch for this.

Regards,
--
Daiki Ueno
>From 10c86090e6ee33d6016ee6c21eb2dd38363ca8ba Mon Sep 17 00:00:00 2001 From: Daiki Ueno <du...@redhat.com> Date: Thu, 8 Jun 2017 11:36:11 +0200 Subject: [PATCH] Avoid assertion failure in pss_verify_mgf1 Even if M is rounded by the RSA modulus, it is possible that the number of octets needed to represent M exceeds key_size, when the value of M is close to the RSA modulus. Spotted by oss-fuzz at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2132 --- pss.c | 4 ++++ testsuite/rsa-pss-sign-tr-test.c | 25 +++++++++++++++++++++++++ 2 files changed, 29 insertions(+) diff --git a/pss.c b/pss.c index 9af72e5..96e029f 100644 --- a/pss.c +++ b/pss.c @@ -143,6 +143,10 @@ pss_verify_mgf1(const mpz_t m, size_t bits, if (key_size < hash->digest_size + salt_length + 2) goto cleanup; + /* Check "integer too long" error of I2OSP. */ + if (key_size < nettle_mpz_sizeinbase_256_u(m)) + goto cleanup; + nettle_mpz_get_str_256(key_size, em, m); /* Check the trailer field. */ diff --git a/testsuite/rsa-pss-sign-tr-test.c b/testsuite/rsa-pss-sign-tr-test.c index 2ba043c..2cebc30 100644 --- a/testsuite/rsa-pss-sign-tr-test.c +++ b/testsuite/rsa-pss-sign-tr-test.c 
@@ -321,6 +321,31 @@ test_main(void) salt->length, salt->data, msg->length, msg->data, expected); + /* The case previously caused assertion failure + * nettle_mpz_sizeinbase_256_u(x) <= length + * in nettle_mpz_get_str_256. + */ + mpz_set_str(pub.n, + "1d64559685aad3490e976b48aacf442ecee847268f882341eafe78" + "a0ca4ef88f66edbaf55b70e5285cc117aa9ceb322a4227c17e9e89" + "27bf38e5672faecf79e2983d92766fbb6624522f072ae0e4e46d37" + "052ce1e5745c2dd8fd67de3862e4711161e359b96bda85911ebf4e" + "6ce1bea625970269c77004a3cb03f9c382c5f79", 16); + mpz_set_str(pub.e, "10001", 16); + + ASSERT (rsa_public_key_prepare(&pub)); + + msg = SHEX("7f85e4909ff7bb29536e540a53031ef03ddcb129e553a43273fa1f" + "ed28c22a8b57c7bde101ff746f335ba69b29642019"); + mpz_set_str(expected, + "000000000000000000000000000000000000000000000000000000" + "000000000000000000000000000000000000000000000005ffff05" + "000000000000000000000000000000000000000000000000000000" + "000000000000000000000000000000000000000000000000000000" + "0000000000000000000000000000000000000000", 16); + + rsa_pss_sha384_verify_digest(&pub, 48, msg->data, expected); + rsa_private_key_clear(&key); rsa_public_key_clear(&pub); mpz_clear(expected); -- 2.9.4
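Review bot: in the pss.c hunk, the comment on the new "if (key_size < nettle_mpz_sizeinbase_256_u(m))" check names the I2OSP error but not why m can be too long at this point, which is the non-obvious part. As the cover mail explains, the length is derived from modBits - 1, so a value of m below the modulus can still need one octet more than key_size. Consider stating that in the comment, since the commit message will not be in front of someone reading pss_verify_mgf1 later. The placement looks right: the check sits directly before nettle_mpz_get_str_256(key_size, em, m) and takes the same "goto cleanup" path as the existing size check above it.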
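Review bot: in the testsuite/rsa-pss-sign-tr-test.c hunk, the return value of "rsa_pss_sha384_verify_digest(&pub, 48, msg->data, expected);" is discarded, so the new case only proves that the call no longer aborts. If the intended outcome is that this signature is rejected, wrap the call as ASSERT (!rsa_pss_sha384_verify_digest(...)) so a regression that starts accepting it would also fail the test. A smaller point: the signature value is loaded into the variable named "expected", which the earlier tests in this function use for the expected signature; a short comment saying that it holds the crafted signature here would avoid confusion.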
_______________________________________________ nettle-bugs mailing list nettle-bugs@lists.lysator.liu.se http://lists.lysator.liu.se/mailman/listinfo/nettle-bugs