1 files changed, 24 insertions, 30 deletions
diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c
index 3ead1af94e..551cf5068f 100644
--- a/src/lib/libcrypto/ecdsa/ecs_ossl.c
+++ b/src/lib/libcrypto/ecdsa/ecs_ossl.c
@@ -212,7 +212,7 @@ err:
 static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len, 
                const BIGNUM *in_kinv, const BIGNUM *in_r, EC_KEY *eckey)
 {
-        int     ok = 0;
+        int     ok = 0, i;
        BIGNUM *kinv=NULL, *s, *m=NULL,*tmp=NULL,*order=NULL;
        const BIGNUM *ckinv;
        BN_CTX     *ctx = NULL;
@@ -251,22 +251,19 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);
                goto err;
        }
-        if (8 * dgst_len > BN_num_bits(order))
+        i = BN_num_bits(order);
+        /* Need to truncate digest if it is too long: first truncate whole
+         * bytes.
+         */
+        if (8 * dgst_len > i)
+                dgst_len = (i + 7)/8;
+        if (!BN_bin2bn(dgst, dgst_len, m))
        {
-                /* XXX
+                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
-                 * 
-                 * Should provide for optional hash truncation:
-                 * Keep the BN_num_bits(order) leftmost bits of dgst
-                 * (see March 2006 FIPS 186-3 draft, which has a few
-                 * confusing errors in this part though)
-                 */
-                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
-                        ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
                goto err;
        }
+        /* If still too long truncate remaining bits with a shift */
-        if (!BN_bin2bn(dgst, dgst_len, m))
+        if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7)))
        {
                ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
                goto err;
@@ -346,7 +343,7 @@ err:
 static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
                const ECDSA_SIG *sig, EC_KEY *eckey)
 {
-        int ret = -1;
+        int ret = -1, i;
        BN_CTX   *ctx;
        BIGNUM   *order, *u1, *u2, *m, *X;
        EC_POINT *point = NULL;
@@ -384,21 +381,6 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
                goto err;
        }
-        if (8 * dgst_len > BN_num_bits(order))
-        {
-                /* XXX
-                 * 
-                 * Should provide for optional hash truncation:
-                 * Keep the BN_num_bits(order) leftmost bits of dgst
-                 * (see March 2006 FIPS 186-3 draft, which has a few
-                 * confusing errors in this part though)
-                 */
-                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY,
-                        ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
-                ret = 0;
-                goto err;
-        }
        if (BN_is_zero(sig->r)          || BN_is_negative(sig->r) || 
            BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s)  ||
@@ -415,11 +397,23 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
                goto err;
        }
        /* digest -> m */
+        i = BN_num_bits(order);
+        /* Need to truncate digest if it is too long: first truncate whole
+         * bytes.
+         */
+        if (8 * dgst_len > i)
+                dgst_len = (i + 7)/8;
        if (!BN_bin2bn(dgst, dgst_len, m))
        {
                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
                goto err;
        }
+        /* If still too long truncate remaining bits with a shift */
+        if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7)))
+        {
+                ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
+                goto err;
+        }
        /* u1 = m * tmp mod order */
        if (!BN_mod_mul(u1, m, u2, order, ctx))
        {

diff --git a/src/lib/libcrypto/ecdsa/ecs_ossl.c b/src/lib/libcrypto/ecdsa/ecs_ossl.c index 3ead1af94e..551cf5068f 100644 --- a/src/lib/libcrypto/ecdsa/ecs_ossl.c +++ b/src/lib/libcrypto/ecdsa/ecs_ossl.c
@@ -212,7 +212,7 @@ err:
212	static ECDSA_SIG ecdsa_do_sign(const unsigned char dgst, int dgst_len,	212	static ECDSA_SIG ecdsa_do_sign(const unsigned char dgst, int dgst_len,
213	const BIGNUM in_kinv, const BIGNUM in_r, EC_KEY *eckey)	213	const BIGNUM in_kinv, const BIGNUM in_r, EC_KEY *eckey)
214	{	214	{
215	int ok = 0;	215	int ok = 0, i;
216	BIGNUM kinv=NULL, s, m=NULL,tmp=NULL,*order=NULL;	216	BIGNUM kinv=NULL, s, m=NULL,tmp=NULL,*order=NULL;
217	const BIGNUM *ckinv;	217	const BIGNUM *ckinv;
218	BN_CTX *ctx = NULL;	218	BN_CTX *ctx = NULL;
@@ -251,22 +251,19 @@ static ECDSA_SIG ecdsa_do_sign(const unsigned char dgst, int dgst_len,
251	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);	251	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);
252	goto err;	252	goto err;
253	}	253	}
254	if (8 * dgst_len > BN_num_bits(order))	254	i = BN_num_bits(order);
		255	/* Need to truncate digest if it is too long: first truncate whole
		256	* bytes.
		257	*/
		258	if (8 * dgst_len > i)
		259	dgst_len = (i + 7)/8;
		260	if (!BN_bin2bn(dgst, dgst_len, m))
255	{	261	{
256	/* XXX	262	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
257	*
258	* Should provide for optional hash truncation:
259	* Keep the BN_num_bits(order) leftmost bits of dgst
260	* (see March 2006 FIPS 186-3 draft, which has a few
261	* confusing errors in this part though)
262	*/
263
264	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
265	ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
266	goto err;	263	goto err;
267	}	264	}
268		265	/* If still too long truncate remaining bits with a shift */
269	if (!BN_bin2bn(dgst, dgst_len, m))	266	if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7)))
270	{	267	{
271	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);	268	ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
272	goto err;	269	goto err;
@@ -346,7 +343,7 @@ err:
346	static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,	343	static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
347	const ECDSA_SIG sig, EC_KEY eckey)	344	const ECDSA_SIG sig, EC_KEY eckey)
348	{	345	{
349	int ret = -1;	346	int ret = -1, i;
350	BN_CTX *ctx;	347	BN_CTX *ctx;
351	BIGNUM order, u1, u2, m, *X;	348	BIGNUM order, u1, u2, m, *X;
352	EC_POINT *point = NULL;	349	EC_POINT *point = NULL;
@@ -384,21 +381,6 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
384	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);	381	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
385	goto err;	382	goto err;
386	}	383	}
387	if (8 * dgst_len > BN_num_bits(order))
388	{
389	/* XXX
390	*
391	* Should provide for optional hash truncation:
392	* Keep the BN_num_bits(order) leftmost bits of dgst
393	* (see March 2006 FIPS 186-3 draft, which has a few
394	* confusing errors in this part though)
395	*/
396
397	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY,
398	ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
399	ret = 0;
400	goto err;
401	}
402		384
403	if (BN_is_zero(sig->r) \|\| BN_is_negative(sig->r) \|\|	385	if (BN_is_zero(sig->r) \|\| BN_is_negative(sig->r) \|\|
404	BN_ucmp(sig->r, order) >= 0 \|\| BN_is_zero(sig->s) \|\|	386	BN_ucmp(sig->r, order) >= 0 \|\| BN_is_zero(sig->s) \|\|
@@ -415,11 +397,23 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
415	goto err;	397	goto err;
416	}	398	}
417	/* digest -> m */	399	/* digest -> m */
		400	i = BN_num_bits(order);
		401	/* Need to truncate digest if it is too long: first truncate whole
		402	* bytes.
		403	*/
		404	if (8 * dgst_len > i)
		405	dgst_len = (i + 7)/8;
418	if (!BN_bin2bn(dgst, dgst_len, m))	406	if (!BN_bin2bn(dgst, dgst_len, m))
419	{	407	{
420	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);	408	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
421	goto err;	409	goto err;
422	}	410	}
		411	/* If still too long truncate remaining bits with a shift */
		412	if ((8 * dgst_len > i) && !BN_rshift(m, m, 8 - (i & 0x7)))
		413	{
		414	ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
		415	goto err;
		416	}
423	/* u1 = m * tmp mod order */	417	/* u1 = m * tmp mod order */
424	if (!BN_mod_mul(u1, m, u2, order, ctx))	418	if (!BN_mod_mul(u1, m, u2, order, ctx))
425	{	419	{