The hash length check wasn't strict enough,

as pointed out by Ernst G Giessmann
author: Bodo Möller <bodo@openssl.org> 2007-11-16 13:01:14 +0000
committer: Bodo Möller <bodo@openssl.org> 2007-11-16 13:01:14 +0000
commit: da989402f22d44bab2e920ec4872e711991e0047 (patch)
tree: 1e8cb5c59799e9ce8ebbd5ee7cbfb3a7c9f48180
parent: 10f0c85cfc26ffafd426d9797275191829efd599 (diff)
download: openssl-da989402f22d44bab2e920ec4872e711991e0047.tar.gz
1 files changed, 9 insertions, 1 deletions
diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c
index 32d66a9774..f8b5d4ed6a 100644
--- a/crypto/ecdsa/ecs_ossl.c
+++ b/crypto/ecdsa/ecs_ossl.c
@@ -251,8 +251,16 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
 		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);
 		goto err;
 	}
-	if (dgst_len > BN_num_bytes(order))
+	if (8 * dgst_len > BN_num_bits(order))
 	{
+		/* XXX
+		 * 
+		 * Should provide for optional hash truncation:
+		 * Keep the BN_num_bits(order) leftmost bits of dgst
+		 * (see March 2006 FIPS 186-3 draft, which has a few
+		 * confusing errors in this part though)
+		 */
+
 		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
 			ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
 		goto err;
author	Bodo Möller <bodo@openssl.org>	2007-11-16 13:01:14 +0000
committer	Bodo Möller <bodo@openssl.org>	2007-11-16 13:01:14 +0000
commit	da989402f22d44bab2e920ec4872e711991e0047 (patch)
tree	1e8cb5c59799e9ce8ebbd5ee7cbfb3a7c9f48180
parent	10f0c85cfc26ffafd426d9797275191829efd599 (diff)
download	openssl-da989402f22d44bab2e920ec4872e711991e0047.tar.gz