Daiki Ueno ueno@gnu.org writes:
If this EM is the same EM recovered when verifying the signature, then it must still correspond to an integer of size at most modBits - 1.
Yes, that seems to be correct, as both EMSA-PSS-ENCODE and EMSA-PSS-VERIFY takes emBits (= modBits - 1), which is defined as "maximal bit length of the integer OS2IP (EM)".
I am sorry for the confusion.
No problem, thanks for the bug report and patch.
I've now committed your patch with some reorganization of this part (I added a bit-size check, and turned the later, supposedly redundant, check on leading bits to an assert) and minor changes to the test case.
Pushed to the master-updates branch, please have a look and see if you think I got it right.
As for the locked up report on https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=2132, I've read up a bit on oss-fuzz policy, and I'd expect it to be made publicly viewable a month after the bug is fixed or three months after original filing, whichever happens first. If you like, you could add me to the cc list on the report, then I may be able to access it right away (I haven't yet been able to see it).
Regards, /Niels