The hash length check wasn't strict enough,
authorBodo Möller <bodo@openssl.org>
Fri, 16 Nov 2007 13:00:57 +0000 (13:00 +0000)
committerBodo Möller <bodo@openssl.org>
Fri, 16 Nov 2007 13:00:57 +0000 (13:00 +0000)
as pointed out by Ernst G Giessmann

crypto/ecdsa/ecs_ossl.c

index 32d66a97741d43ae11be4088f0a4767e7826cf06..f8b5d4ed6a2e53f4116dc1621f5c98f0bcff1a7a 100644 (file)
@@ -251,8 +251,16 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);
                goto err;
        }
-       if (dgst_len > BN_num_bytes(order))
+       if (8 * dgst_len > BN_num_bits(order))
        {
+               /* XXX
+                * 
+                * Should provide for optional hash truncation:
+                * Keep the BN_num_bits(order) leftmost bits of dgst
+                * (see March 2006 FIPS 186-3 draft, which has a few
+                * confusing errors in this part though)
+                */
+
                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
                        ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
                goto err;