diff options
| -rw-r--r-- | src/lib/libcrypto/ecdsa/ecs_ossl.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c index de51d3aa4a..0ca2651f25 100644 --- a/src/lib/libcrypto/ecdsa/ecs_ossl.c +++ b/src/lib/libcrypto/ecdsa/ecs_ossl.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ecs_ossl.c,v 1.70 2023/07/04 14:59:32 tb Exp $ */ | 1 | /* $OpenBSD: ecs_ossl.c,v 1.71 2023/07/04 15:09:31 tb Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Written by Nils Larsch for the OpenSSL project | 3 | * Written by Nils Larsch for the OpenSSL project |
| 4 | */ | 4 | */ |
| @@ -316,6 +316,16 @@ ecdsa_compute_s(BIGNUM **out_s, const BIGNUM *e, const BIGNUM *kinv, | |||
| 316 | if ((s = BN_new()) == NULL) | 316 | if ((s = BN_new()) == NULL) |
| 317 | goto err; | 317 | goto err; |
| 318 | 318 | ||
| 319 | /* | ||
| 320 | * In a valid ECDSA signature, r must be in [1, order). Since r can be | ||
| 321 | * caller provided - either directly or by replacing sign_setup() - we | ||
| 322 | * can't rely on this being the case. | ||
| 323 | */ | ||
| 324 | if (BN_cmp(r, BN_value_one()) < 0 || BN_cmp(r, order) >= 0) { | ||
| 325 | ECDSAerror(ECDSA_R_BAD_SIGNATURE); | ||
| 326 | goto err; | ||
| 327 | } | ||
| 328 | |||
| 319 | if (!bn_rand_interval(b, BN_value_one(), order)) { | 329 | if (!bn_rand_interval(b, BN_value_one(), order)) { |
| 320 | ECDSAerror(ERR_R_BN_LIB); | 330 | ECDSAerror(ERR_R_BN_LIB); |
| 321 | goto err; | 331 | goto err; |