Avoid name clash.

[openssl.git] / crypto / ecdsa / ecs_ossl.c

diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c
index 8be45ddc9369932e76924baf3babd9d4f3a3c118..3ead1af94e7351c5e4bf76aefe146e61b1e636a5 100644 (file)
--- a/crypto/ecdsa/ecs_ossl.c
+++ b/crypto/ecdsa/ecs_ossl.c
@@ -251,8 +251,16 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);
                goto err;
        }
-       if (dgst_len > BN_num_bytes(order))
+       if (8 * dgst_len > BN_num_bits(order))
        {
+               /* XXX
+                * 
+                * Should provide for optional hash truncation:
+                * Keep the BN_num_bits(order) leftmost bits of dgst
+                * (see March 2006 FIPS 186-3 draft, which has a few
+                * confusing errors in this part though)
+                */
+
                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
                        ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
                goto err;
@@ -299,8 +307,21 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
                        ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
                        goto err;
                }
+               if (BN_is_zero(s))
+               {
+                       /* if kinv and r have been supplied by the caller
+                        * don't to generate new kinv and r values */
+                       if (in_kinv != NULL && in_r != NULL)
+                       {
+                               ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ECDSA_R_NEED_NEW_SETUP_VALUES);
+                               goto err;
+                       }
+               }
+               else
+                       /* s != 0 => we have a valid signature */
+                       break;
        }
-       while (BN_is_zero(s));
+       while (1);
 
        ok = 1;
 err:
@@ -363,6 +384,21 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
                goto err;
        }
+       if (8 * dgst_len > BN_num_bits(order))
+       {
+               /* XXX
+                * 
+                * Should provide for optional hash truncation:
+                * Keep the BN_num_bits(order) leftmost bits of dgst
+                * (see March 2006 FIPS 186-3 draft, which has a few
+                * confusing errors in this part though)
+                */
+
+               ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY,
+                       ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+               ret = 0;
+               goto err;
+       }
 
        if (BN_is_zero(sig->r)          || BN_is_negative(sig->r) || 
            BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s)  ||