Daiki Ueno ueno@gnu.org writes:
Nikos told me that there is a case where RSA-PSS signature verification leads to an assertion failure:
bignum.c:120: nettle_mpz_get_str_256: Assertion `nettle_mpz_sizeinbase_256_u(x) <= length' failed.
I thought it wouldn't be possible because 'x' is already rounded by the RSA modulus and 'length' is bound to the modulus.
However, actually 'length' is calculated as ((modBits - 1) + 7) / 8, i.e. one bit less than the original modulus.
Ok, so if the modulo is k bits, m must be at most k-1 bits. Makes some sense.
Spotted by oss-fuzz at: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2132
That url gives me a permission denied. (I even tried all my work accounts: chromium.org, webrtc.org and google.com). So what's needed to get access?
- /* Check "integer too long" error of I2OSP. */
- if (key_size < nettle_mpz_sizeinbase_256_u(m))
- goto cleanup;
I don't understand the I2OSP acronym. And I think this check would be more explicit as
if (mpz_sizeinbase(m, 2) > bits) goto cleanup;
(one might also move initial size checks before the allocations).
Thanks! /Niels