Should reject signatures that we can't properly verify
authorBodo Möller <bodo@openssl.org>
Mon, 19 Nov 2007 07:25:55 +0000 (07:25 +0000)
committerBodo Möller <bodo@openssl.org>
Mon, 19 Nov 2007 07:25:55 +0000 (07:25 +0000)
and couldn't generate
(as pointed out by Ernst G Giessmann)

crypto/ecdsa/ecs_ossl.c

index f8b5d4e..3ead1af 100644 (file)
@@ -384,6 +384,21 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
                goto err;
        }
+       if (8 * dgst_len > BN_num_bits(order))
+       {
+               /* XXX
+                * 
+                * Should provide for optional hash truncation:
+                * Keep the BN_num_bits(order) leftmost bits of dgst
+                * (see March 2006 FIPS 186-3 draft, which has a few
+                * confusing errors in this part though)
+                */
+
+               ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY,
+                       ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
+               ret = 0;
+               goto err;
+       }
 
        if (BN_is_zero(sig->r)          || BN_is_negative(sig->r) || 
            BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s)  ||