Re: [PATCH] Avoid assertion failure in pss_verify_mgf1

2017-06-10 Thread Nikos Mavrogiannopoulos
On Fri, Jun 9, 2017 at 11:01 PM, Niels Möller wrote:
> Daiki Ueno writes:
>
>>> If this EM is the same EM recovered when verifying the signature, then
>>> it must still correspond to an integer of size at most modBits - 1.
>>
>> Yes, that seems to be correct,

Re: [PATCH] Avoid assertion failure in pss_verify_mgf1

2017-06-09 Thread Niels Möller
Daiki Ueno writes:
>> If this EM is the same EM recovered when verifying the signature, then
>> it must still correspond to an integer of size at most modBits - 1.
>
> Yes, that seems to be correct, as both EMSA-PSS-ENCODE and
> EMSA-PSS-VERIFY takes emBits (= modBits - 1), which

Re: [PATCH] Avoid assertion failure in pss_verify_mgf1

2017-06-08 Thread Niels Möller
Daiki Ueno writes:
> ni...@lysator.liu.se (Niels Möller) writes:
>
>> if (mpz_sizeinbase(m, 2) > bits)
>>   goto cleanup;
>>
>> (one might also move initial size checks before the allocations).
> I think the above check is too rigid, since it is based on bit-length,
> it

Re: [PATCH] Avoid assertion failure in pss_verify_mgf1

2017-06-08 Thread Daiki Ueno
ni...@lysator.liu.se (Niels Möller) writes: >> + /* Check "integer too long" error of I2OSP. */ >> + if (key_size < nettle_mpz_sizeinbase_256_u(m)) >> +goto cleanup; >> + > > I don't understand the I2OSP acronym. And I think this check would be > more explicit as > > if
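
Review bot: the comment on the added check, `/* Check "integer too long" error of I2OSP. */`, uses an acronym without expanding it and does not say which call the check protects. Spell it out (I2OSP is the integer-to-octet-string primitive of PKCS #1) and note that the test `key_size < nettle_mpz_sizeinbase_256_u(m)` is the negation of the assertion `nettle_mpz_sizeinbase_256_u(x) <= length` reported from nettle_mpz_get_str_256, so a reader can see that an oversized m now takes the cleanup path instead of aborting. A regression test that feeds such an m through verification would pin that behaviour down.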

Re: [PATCH] Avoid assertion failure in pss_verify_mgf1

2017-06-08 Thread Niels Möller
Daiki Ueno writes:
> Nikos told me that there is a case where RSA-PSS signature verification
> leads to an assertion failure:
>
> bignum.c:120: nettle_mpz_get_str_256: Assertion
> `nettle_mpz_sizeinbase_256_u(x) <= length' failed.
>
> I thought it wouldn't be possible because

[PATCH] Avoid assertion failure in pss_verify_mgf1

2017-06-08 Thread Daiki Ueno
From 10c86090e6ee33d6016ee6c21eb2dd38363ca8ba Mon Sep 17 00:00:00 2001
From: Daiki Ueno <du...@redhat.com>
Date: Thu, 8 Jun 2017 11:36:11 +0200
Subject: [PATCH] Avoid assertion failure in pss_verify_mgf1

Even if M is rounded by the RSA modulus, it is possible that the number of octets needed to