NR_Verification_Operation::verify_mr would return false if the input

was not the right size for a signature (following DSA). This would
silently convert to an empty vector which we would treat as a valid
message on the return. However the EMSA checks will always fail so not
a huge problem.

While checking this out I noticed that an empty value for EMSA4 would
result in us reading memory we didn't own.

2 files changed, 5 insertions, 2 deletions

diff --git a/src/pk_pad/emsa4/emsa4.cpp b/src/pk_pad/emsa4/emsa4.cpp
index ef88e1953..194d934c1 100644
--- a/src/pk_pad/emsa4/emsa4.cpp
+++ b/src/pk_pad/emsa4/emsa4.cpp
@@ -74,10 +74,13 @@ bool EMSA4::verify(const MemoryRegion<byte>& const_coded,
 
    if(key_bits < 8*HASH_SIZE + 9)
       return false;
+
    if(raw.size() != HASH_SIZE)
       return false;
-   if(const_coded.size() > KEY_BYTES)
+
+   if(const_coded.size() > KEY_BYTES || const_coded.size() <= 1)
       return false;
+
    if(const_coded[const_coded.size()-1] != 0xBC)
       return false;
 
diff --git a/src/pubkey/nr/nr.cpp b/src/pubkey/nr/nr.cpp
index 61cf7eb3f..03885e140 100644
--- a/src/pubkey/nr/nr.cpp
+++ b/src/pubkey/nr/nr.cpp
@@ -124,7 +124,7 @@ NR_Verification_Operation::verify_mr(const byte msg[], size_t msg_len)
    const BigInt& q = mod_q.get_modulus();
 
    if(msg_len != 2*q.bytes())
-      return false;
+      throw Invalid_Argument("NR verification: Invalid signature");
 
    BigInt c(msg, q.bytes());
    BigInt d(msg + q.bytes(), q.bytes());