Bruce Stephens <bruce.steph...@isode.com> writes:

[...]

> Wouldn't it make sense for the truncation to be done in ECDSA_do_sign(),
> as it is in dsa_do_sign()?

Presuming that this is sensible, would this change be about right?

--- a/crypto/ecdsa/ecs_ossl.c
+++ b/crypto/ecdsa/ecs_ossl.c
@@ -251,26 +251,16 @@ static ECDSA_SIG *ecdsa_do_sign(const unsigned char *dgst, int dgst_len,
 		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_EC_LIB);
 		goto err;
 	}
-	if (8 * dgst_len > BN_num_bits(order))
-	{
-		/* XXX
-		 * 
-		 * Should provide for optional hash truncation:
-		 * Keep the BN_num_bits(order) leftmost bits of dgst
-		 * (see March 2006 FIPS 186-3 draft, which has a few
-		 * confusing errors in this part though)
-		 */
-
-		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN,
-			ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
-		goto err;
-	}
-
 	if (!BN_bin2bn(dgst, dgst_len, m))
 	{
 		ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB);
 		goto err;
 	}
+	if (8 * dgst_len > BN_num_bits(order))
+	{
+		BN_rshift(m, m, 8 * dgst_len - BN_num_bits(order));
+	}
+
 	do
 	{
 		if (in_kinv == NULL || in_r == NULL)
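Review bot: The new `BN_rshift(m, m, 8 * dgst_len - BN_num_bits(order));` call on the added lines discards its return value, while every other BN call in this hunk (`BN_bin2bn` just above it) is checked and routed to `err` with `ERR_R_BN_LIB`; a failed shift would leave `m` holding the untruncated digest and signing would silently proceed with the wrong message value. I would write it in the same style as its neighbours: `if (!BN_rshift(m, m, 8 * dgst_len - BN_num_bits(order))) { ECDSAerr(ECDSA_F_ECDSA_DO_SIGN, ERR_R_BN_LIB); goto err; }`. The same unchecked call appears in the second ecdsa_do_verify hunk (the block under `/* truncate digest if longer than order */`), which should use `ECDSA_F_ECDSA_DO_VERIFY` there. The sign-side block also lost the explanatory comment the removed code carried; a one-liner like `/* keep the BN_num_bits(order) leftmost bits of the digest (FIPS 186-3) */` would preserve the rationale. ecdsa_do_sign's body continues outside the hunk.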
@@ -384,21 +374,6 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
 		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
 		goto err;
 	}
-	if (8 * dgst_len > BN_num_bits(order))
-	{
-		/* XXX
-		 * 
-		 * Should provide for optional hash truncation:
-		 * Keep the BN_num_bits(order) leftmost bits of dgst
-		 * (see March 2006 FIPS 186-3 draft, which has a few
-		 * confusing errors in this part though)
-		 */
-
-		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY,
-			ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
-		ret = 0;
-		goto err;
-	}
 
 	if (BN_is_zero(sig->r)          || BN_is_negative(sig->r) || 
 	    BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s)  ||
@@ -420,6 +395,11 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
 		ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_BN_LIB);
 		goto err;
 	}
+	/* truncate digest if longer than order */
+	if (8 * dgst_len > BN_num_bits(order))
+	{
+		BN_rshift(m, m, 8 * dgst_len - BN_num_bits(order));
+	}
 	/* u1 = m * tmp mod order */
 	if (!BN_mod_mul(u1, m, u2, order, ctx))
 	{
-- 
1.6.5.GIT
