diff options
author | Bodo Möller <bodo@openssl.org> | 2007-11-19 07:25:55 +0000 |
---|---|---|
committer | Bodo Möller <bodo@openssl.org> | 2007-11-19 07:25:55 +0000 |
commit | 4726fcfc25c19fe25dfd3b7757787db1cf76da6b (patch) | |
tree | 7610df8e01ad38b2cefa98e161962fe5cdcd3eb4 /crypto/ecdsa | |
parent | 15bd07e9233dd01e6d1730400ffa58c540a315cd (diff) |
Should reject signatures that we can't properly verify
and couldn't generate
(as pointed out by Ernst G Giessmann)
Diffstat (limited to 'crypto/ecdsa')
-rw-r--r-- | crypto/ecdsa/ecs_ossl.c | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c index f8b5d4ed6a..3ead1af94e 100644 --- a/crypto/ecdsa/ecs_ossl.c +++ b/crypto/ecdsa/ecs_ossl.c @@ -384,6 +384,21 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len, ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB); goto err; } + if (8 * dgst_len > BN_num_bits(order)) + { + /* XXX + * + * Should provide for optional hash truncation: + * Keep the BN_num_bits(order) leftmost bits of dgst + * (see March 2006 FIPS 186-3 draft, which has a few + * confusing errors in this part though) + */ + + ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, + ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); + ret = 0; + goto err; + } if (BN_is_zero(sig->r) || BN_is_negative(sig->r) || BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s) || |