authorPeter Dettman <peter.dettman@bouncycastle.org>2019-08-26 18:25:25 +0700
committerPeter Dettman <peter.dettman@bouncycastle.org>2019-08-26 18:25:25 +0700
commit2f2ba9e88cd6eb21c7325df3c53d2224e6f11175 (patch)
tree78ac37080817b3a390c1d51462b31f2707fcb0d2
parentFix circular dependence of statics (diff)
downloadBouncyCastle.NET-ed25519-2f2ba9e88cd6eb21c7325df3c53d2224e6f11175.tar.xz
PssSigner verification improvements
- enforce leading zero bits consistency requirement
- explicitly zero when cipher output is short
-rw-r--r--crypto/src/crypto/signers/PssSigner.cs20
1 files changed, 13 insertions, 7 deletions
diff --git a/crypto/src/crypto/signers/PssSigner.cs b/crypto/src/crypto/signers/PssSigner.cs
index e29ed3c45..b31384783 100644
--- a/crypto/src/crypto/signers/PssSigner.cs
+++ b/crypto/src/crypto/signers/PssSigner.cs
@@ -3,6 +3,7 @@ using System;
 using Org.BouncyCastle.Crypto.Digests;
 using Org.BouncyCastle.Crypto.Parameters;
 using Org.BouncyCastle.Security;
+using Org.BouncyCastle.Utilities;
 
 namespace Org.BouncyCastle.Crypto.Signers
 {
@@ -250,11 +251,12 @@ namespace Org.BouncyCastle.Crypto.Signers
 				block[i] ^= dbMask[i];
 			}
 
-			block[0] &= (byte) ((0xff >> ((block.Length * 8) - emBits)));
+            h.CopyTo(block, block.Length - hLen - 1);
 
-			h.CopyTo(block, block.Length - hLen - 1);
+            uint firstByteMask = 0xFFU >> ((block.Length * 8) - emBits);
 
-			block[block.Length - 1] = trailer;
+            block[0] &= (byte)firstByteMask;
+            block[block.Length - 1] = trailer;
 
 			byte[] b = cipher.ProcessBlock(block, 0, block.Length);
 
@@ -269,12 +271,16 @@ namespace Org.BouncyCastle.Crypto.Signers
 		public virtual bool VerifySignature(
 			byte[] signature)
 		{
-			contentDigest1.DoFinal(mDash, mDash.Length - hLen - sLen);
+            contentDigest1.DoFinal(mDash, mDash.Length - hLen - sLen);
 
-			byte[] b = cipher.ProcessBlock(signature, 0, signature.Length);
+            byte[] b = cipher.ProcessBlock(signature, 0, signature.Length);
+            Arrays.Fill(block, 0, block.Length - b.Length, 0);
 			b.CopyTo(block, block.Length - b.Length);
 
-			if (block[block.Length - 1] != trailer)
+            uint firstByteMask = 0xFFU >> ((block.Length * 8) - emBits);
+
+			if (block[0] != (byte)(block[0] & firstByteMask)
+                || block[block.Length - 1] != trailer)
 			{
 				ClearBlock(block);
 				return false;
@@ -287,7 +293,7 @@ namespace Org.BouncyCastle.Crypto.Signers
 				block[i] ^= dbMask[i];
 			}
 
-			block[0] &= (byte) ((0xff >> ((block.Length * 8) - emBits)));
+            block[0] &= (byte)firstByteMask;
 
 			for (int i = 0; i != block.Length - hLen - sLen - 2; i++)
 			{