Fixed RSA PSS verificatiobn bug (when hash_len != salt_len).

author Thomas Pornin <thomas.pornin@nccgroup.com>

Wed, 8 Jun 2022 12:09:34 +0000 (08:09 -0400)

committer Thomas Pornin <thomas.pornin@nccgroup.com>

Wed, 8 Jun 2022 12:09:34 +0000 (08:09 -0400)
author Thomas Pornin <thomas.pornin@nccgroup.com>
Wed, 8 Jun 2022 12:09:34 +0000 (08:09 -0400)
committer Thomas Pornin <thomas.pornin@nccgroup.com>
Wed, 8 Jun 2022 12:09:34 +0000 (08:09 -0400)
diff --git a/src/rsa/rsa_pss_sig_unpad.c b/src/rsa/rsa_pss_sig_unpad.c

index a9f8ca3..0c6ae99 100644 (file)
--- a/src/rsa/rsa_pss_sig_unpad.c
+++ b/src/rsa/rsa_pss_sig_unpad.c
@@ -114,7 +114,7 @@ br_rsa_pss_sig_unpad(const br_hash_class *hf_data,
          * in the string.
          */
         for (u = 0; u < hash_len; u ++) {
          * in the string.
          */
         for (u = 0; u < hash_len; u ++) {
-               r |= tmp[u] ^ x[(xlen - salt_len - 1) + u];
+               r |= tmp[u] ^ x[(xlen - hash_len - 1) + u];
         }
  
         return EQ0(r);
         }
  
         return EQ0(r);
author	Thomas Pornin <thomas.pornin@nccgroup.com>
	Wed, 8 Jun 2022 12:09:34 +0000 (08:09 -0400)
committer	Thomas Pornin <thomas.pornin@nccgroup.com>
	Wed, 8 Jun 2022 12:09:34 +0000 (08:09 -0400)