The hash length check wasn't strict enough,

author Bodo Möller <bodo@openssl.org>

Fri, 16 Nov 2007 13:00:57 +0000 (13:00 +0000)

committer Bodo Möller <bodo@openssl.org>

Fri, 16 Nov 2007 13:00:57 +0000 (13:00 +0000)
author Bodo Möller <bodo@openssl.org>
Fri, 16 Nov 2007 13:00:57 +0000 (13:00 +0000)
committer Bodo Möller <bodo@openssl.org>
Fri, 16 Nov 2007 13:00:57 +0000 (13:00 +0000)
diff --git a/crypto/ecdsa/ecs_ossl.c b/crypto/ecdsa/ecs_ossl.c

index 32d66a97741d43ae11be4088f0a4767e7826cf06..f8b5d4ed6a2e53f4116dc1621f5c98f0bcff1a7a 100644 (file)
--- a/crypto/ecdsa/ecs_ossl.c
+++ b/crypto/ecdsa/ecs_ossl.c
@@ -251,8 +251,16 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
                 ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);
                 goto err;
         }
-       if (dgst_len > BN_num_bytes(order))
+       if (8 * dgst_len > BN_num_bits(order))
         {
+               /* XXX
+                * 
+                * Should provide for optional hash truncation:
+                * Keep the BN_num_bits(order) leftmost bits of dgst
+                * (see March 2006 FIPS 186-3 draft, which has a few
+                * confusing errors in this part though)
+                */
+
                 ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
                         ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
                 goto err;
author	Bodo Möller <bodo@openssl.org>
	Fri, 16 Nov 2007 13:00:57 +0000 (13:00 +0000)
committer	Bodo Möller <bodo@openssl.org>
	Fri, 16 Nov 2007 13:00:57 +0000 (13:00 +0000)