On Fri, Jun 9, 2017 at 11:01 PM, Niels Möller wrote:
> Daiki Ueno writes:
>
>>> If this EM is the same EM recovered when verifying the signature, then
>>> it must still correspond to an integer of size at most modBits - 1.
>>
>> Yes, that seems to be correct, as both EMSA-PSS-ENCODE and
>> EMSA-P
Daiki Ueno writes:
>> If this EM is the same EM recovered when verifying the signature, then
>> it must still correspond to an integer of size at most modBits - 1.
>
> Yes, that seems to be correct, as both EMSA-PSS-ENCODE and
> EMSA-PSS-VERIFY takes emBits (= modBits - 1), which is defined as
>
ni...@lysator.liu.se (Niels Möller) writes:
> Daiki Ueno writes:
>
>> ni...@lysator.liu.se (Niels Möller) writes:
>>
>>> if (mpz_sizeinbase(m, 2) > bits)
>>> goto cleanup;
>>>
>>> (one might also move initial size checks before the allocations).
>
>> I think the above check is too rigid, si
Daiki Ueno writes:
> ni...@lysator.liu.se (Niels Möller) writes:
>
>> if (mpz_sizeinbase(m, 2) > bits)
>> goto cleanup;
>>
>> (one might also move initial size checks before the allocations).
> I think the above check is too rigid, since it is based on bit-length,
> it wouldn't tolerate so
ni...@lysator.liu.se (Niels Möller) writes:
>> + /* Check "integer too long" error of I2OSP. */
>> + if (key_size < nettle_mpz_sizeinbase_256_u(m))
>> +goto cleanup;
>> +
>
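Review bot: the comment on the new check names I2OSP without expanding it, and the reply just below shows that is a real obstacle for a reader; write it out (e.g. `/* Reject m that does not fit in key_size octets; I2OSP would fail with "integer too long" */`) and add that this is the condition nettle_mpz_get_str_256 otherwise asserts on (nettle_mpz_sizeinbase_256_u(x) <= length), so it is clear at the call site why the test is on octet length rather than bit length.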
> I don't understand the I2OSP acronym. And I think this check would be
> more explicit as
>
> if (mpz_sizeinbase(m,
Daiki Ueno writes:
> Nikos told me that there is a case where RSA-PSS signature verification
> leads to an assertion failure:
>
> bignum.c:120: nettle_mpz_get_str_256: Assertion
> `nettle_mpz_sizeinbase_256_u(x) <= length' failed.
>
> I thought it wouldn't be possible because 'x' is already ro
I am attaching a patch for this.
Regards,
--
Daiki Ueno
From 10c86090e6ee33d6016ee6c21eb2dd38363ca8ba Mon Sep 17 00:00:00 2001
From: Daiki Ueno
Date: Thu, 8 Jun 2017 11:36:11 +0200
Subject: [PATCH] Avoid assertion failure in pss_verify_mgf1
Even if M is rounded by the RSA modulus, it is possibl
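The edge case the thread is about, as an added example that is not part of the original messages or of nettle: m = s^e mod n is already reduced by the modulus, yet when modBits - 1 is a multiple of 8 the encoded message length emLen = ceil((modBits - 1)/8) is one octet shorter than the modulus, so an m below n can still be too long for I2OSP and must be rejected as an invalid signature rather than asserted on. It is written in Python rather than nettle's C so the big-integer arithmetic runs stand-alone; the moduli are constructed odd numbers of the right bit length, not real RSA keys, and the function names are this example's own.

```python
# Added example (not nettle's code): the RSASSA-PSS-VERIFY "integer too long"
# case from RFC 8017 step 2.c, plus the spare-top-bits check of EMSA-PSS-VERIFY.
# Moduli below are constructed odd integers, not real RSA keys.

def em_len_for(mod_bits: int) -> int:
    """emLen = ceil(emBits / 8) with emBits = modBits - 1."""
    em_bits = mod_bits - 1
    return (em_bits + 7) // 8


def octet_len(x: int) -> int:
    """Octets needed to hold a non-negative integer (zero counts as one octet)."""
    return max(1, (x.bit_length() + 7) // 8)


def i2osp(x: int, x_len: int) -> bytes:
    """Integer-to-Octet-String Primitive: big-endian, fixed length, or 'integer too long'."""
    if x < 0 or x >= 256 ** x_len:
        raise ValueError("integer too long")
    return x.to_bytes(x_len, "big")


def i2osp_fails(x: int, x_len: int) -> bool:
    """True if I2OSP would reject x for the given length."""
    try:
        i2osp(x, x_len)
    except ValueError:
        return True
    return False


def recover_em(m: int, n: int):
    """Step 2.c of RSASSA-PSS-VERIFY: m < n is not enough; m must also fit in
    emLen octets. Return EM, or None meaning 'invalid signature' (no assertion)."""
    mod_bits = n.bit_length()
    if not 0 <= m < n:
        return None                      # not an RSA output for this modulus
    em_len = em_len_for(mod_bits)
    if octet_len(m) > em_len:
        return None                      # the 'integer too long' case
    return i2osp(m, em_len)


def top_bits_clear(em: bytes, mod_bits: int) -> bool:
    """EMSA-PSS-VERIFY step 4: the leftmost 8*emLen - emBits bits of the first
    octet (of maskedDB, i.e. of EM) must be zero; spare is 0..7 here."""
    em_bits = mod_bits - 1
    spare = 8 * len(em) - em_bits
    return (em[0] >> (8 - spare)) == 0


def demo() -> dict:
    k = 128
    # modBits = 8k + 1 = 1025: emBits = 1024, emLen = 128, but an m < n may need 129 octets.
    n_1025 = (1 << (8 * k)) + 12345      # constructed, odd, 1025 bits
    m_long = (1 << (8 * k)) + 1          # below n, yet 129 octets
    m_fits = (1 << (8 * k - 1)) + 7      # below n, 128 octets
    # modBits = 8k = 1024: emBits = 1023, emLen = 128, every m < n fits, one spare bit.
    n_1024 = (1 << (8 * k - 1)) + 12345  # constructed, odd, 1024 bits
    em_1024 = recover_em(n_1024 - 1, n_1024)
    return {
        "em_len_1025": em_len_for(1025),
        "long_rejected": recover_em(m_long, n_1025) is None,
        "fits_ok": recover_em(m_fits, n_1025) == m_fits.to_bytes(k, "big"),
        "fits_top_bits": top_bits_clear(recover_em(m_fits, n_1025), 1025),
        "1024_all_fit": em_1024 is not None,
        "1024_top_bit_clear": top_bits_clear(em_1024, 1024),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The reduction modulo n bounds m by the modulus, not by emLen; only the octet-length comparison in recover_em captures the condition nettle_mpz_get_str_256 asserts on, and only top_bits_clear captures the separate requirement that the leftover high bits of EM are zero (the 1024-bit case shows an m below n that fits in emLen octets but still fails that check).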