diff --git a/src/signature/generalized_xmss.rs b/src/signature/generalized_xmss.rs
index 872f827..1f9d098 100644
--- a/src/signature/generalized_xmss.rs
+++ b/src/signature/generalized_xmss.rs
@@ -859,11 +859,25 @@ where
 message: &[u8; MESSAGE_LENGTH],
 sig: &Self::Signature,
 ) -> bool {
- assert!(
+ debug_assert!(
 (epoch as u64) < Self::LIFETIME,
 "Generalized XMSS - Verify: Epoch too large."
 );
+ debug_assert!(
+ sig.hashes.len() == IE::DIMENSION,
+ "Generalized XMSS - Verify: Wrong number of hashes."
+ );
+
+ // some sanity checks on inputs: signature has correct structure
+ // and epoch in range. We reject in case a check fails.
+ if (epoch as u64) >= Self::LIFETIME {
+ return false;
+ }
+ if sig.hashes.len() != IE::DIMENSION {
+ return false;
+ }
+
 // first get back the codeword and make sure
 // encoding succeeded with the given randomness.
 let Ok(x) = IE::encode(&pk.parameter.into(), message, &sig.rho, epoch) else {
diff --git a/src/symmetric/tweak_hash_tree.rs b/src/symmetric/tweak_hash_tree.rs
index 3f9f981..d0b0bae 100644
--- a/src/symmetric/tweak_hash_tree.rs
+++ b/src/symmetric/tweak_hash_tree.rs
@@ -607,16 +607,26 @@ pub fn hash_tree_verify(
 let depth = opening.co_path.len();
 let num_leafs: u64 = 1 << depth;
- assert!(
+ debug_assert!(
 depth <= 32,
 "Hash-Tree verify: Tree depth must be at most 32"
 );
- assert!(
+ debug_assert!(
 (position as u64) < num_leafs,
 "Hash-Tree verify: Position and Path Length not compatible"
 );
+ // some sanity checks: Tree depth must be at most 32
+ // and Position and Path Length must be compatible
+ // we let verification reject if this does not hold.
+ if depth > 32 {
+ return false;
+ }
+ if (position as u64) >= num_leafs {
+ return false;
+ }
+
 // first hash the leaf to get the node in the bottom layer
 let tweak = TH::tree_tweak(0, position);
 let mut current_node = TH::apply(parameter, &tweak, leaf);
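Review bot: The two `debug_assert!`s in the verify method run before the `if` guards that are meant to reject the same inputs, so in a debug build a signature with the wrong number of hashes or an out-of-range epoch still panics the verifier instead of returning `false`, and the reject path added here cannot be exercised by a negative test under `cargo test`. Since the function now handles both conditions explicitly, the `debug_assert!` blocks are redundant and can be dropped so the `if` checks are the single source of truth; the same applies to the two `debug_assert!`s in `hash_tree_verify` in the second hunk. A verifier takes untrusted input, so rejecting rather than asserting is the right behaviour in every build profile. The body of this verify method continues outside the hunk.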
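Review bot: `let num_leafs: u64 = 1 << depth;` is evaluated before the new `if depth > 32` guard, and `depth` comes from `opening.co_path.len()`, so an opening with 64 or more co-path entries overflows the shift and panics in a debug build before the guard is reached (in release the shift amount wraps silently and the guard then rejects). Move the guard above the shift: `let depth = opening.co_path.len();`, `if depth > 32 { return false; }`, `let num_leafs: u64 = 1 << depth;`; alternatively compute it with `1u64.checked_shl(depth as u32)` and reject on `None`. With the guard first, the position check can rely on `num_leafs` being well-defined. hash_tree_verify's body continues outside the hunk.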