ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);
goto err;
}
- if (dgst_len > BN_num_bytes(order))
+ if (8 * dgst_len > BN_num_bits(order))
{
+ /* XXX
+ *
+ * Should provide for optional hash truncation:
+ * Keep the BN_num_bits(order) leftmost bits of dgst
+ * (see March 2006 FIPS 186-3 draft, which has a few
+ * confusing errors in this part though)
+ */
+
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
goto err;
ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
goto err;
}
+ if (BN_is_zero(s))
+ {
+ /* if kinv and r have been supplied by the caller
+ * don't to generate new kinv and r values */
+ if (in_kinv != NULL && in_r != NULL)
+ {
+ ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ECDSA_R_NEED_NEW_SETUP_VALUES);
+ goto err;
+ }
+ }
+ else
+ /* s != 0 => we have a valid signature */
+ break;
}
- while (BN_is_zero(s));
+ while (1);
ok = 1;
err:
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
goto err;
}
+ if (8 * dgst_len > BN_num_bits(order))
+ {
+ /* XXX
+ *
+ * Should provide for optional hash truncation:
+ * Keep the BN_num_bits(order) leftmost bits of dgst
+ * (see March 2006 FIPS 186-3 draft, which has a few
+ * confusing errors in this part though)
+ */
+
+ ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY,
+ ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+ ret = 0;
+ goto err;
+ }
if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||
BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s) ||