Should reject signatures that we can't properly verify

and couldn't generate (as pointed out by Ernst G Giessmann)
author: Bodo Möller <bodo@openssl.org> 2007-11-19 07:25:28 +0000
committer: Bodo Möller <bodo@openssl.org> 2007-11-19 07:25:28 +0000
commit: 7d610299c9d4947af2e681e4a2aad15bb218ac26 (patch)
tree: d78be2ff43021d19f3800d1c9a2b5b3d435694f4 /crypto/ecdsa
parent: 25550b2dd48a8182ede8896cdff73fe517f29925 (diff)
1 files changed, 15 insertions, 0 deletions
diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c
index f8b5d4ed6a..3ead1af94e 100644
--- a/crypto/ecdsa/ecs_ossl.c
+++ b/crypto/ecdsa/ecs_ossl.c
@@ -384,6 +384,21 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
 		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
 		goto err;
 	}
+	if (8 * dgst_len > BN_num_bits(order))
+	{
+		/* XXX
+		 * 
+		 * Should provide for optional hash truncation:
+		 * Keep the BN_num_bits(order) leftmost bits of dgst
+		 * (see March 2006 FIPS 186-3 draft, which has a few
+		 * confusing errors in this part though)
+		 */
+
+		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY,
+			ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+		ret = 0;
+		goto err;
+	}
 
 	if (BN_is_zero(sig->r)          || BN_is_negative(sig->r) || 
 	    BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s)  ||
author	Bodo Möller <bodo@openssl.org>	2007-11-19 07:25:28 +0000
committer	Bodo Möller <bodo@openssl.org>	2007-11-19 07:25:28 +0000
commit	7d610299c9d4947af2e681e4a2aad15bb218ac26 (patch)
tree	d78be2ff43021d19f3800d1c9a2b5b3d435694f4 /crypto/ecdsa
parent	25550b2dd48a8182ede8896cdff73fe517f29925 (diff)