Should reject signatures that we can't properly verify
and couldn't generate (as pointed out by Ernst G Giessmann)
This commit is contained in:
Bodo Möller
parent
25550b2dd4
commit
7d610299c9
1 changed files with 15 additions and 0 deletions
|
|
@ -384,6 +384,21 @@ static int ecdsa_do_verify(const unsigned char *dgst, int dgst_len,
|
|||
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY, ERR_R_EC_LIB);
|
||||
goto err;
|
||||
}
|
||||
if (8 * dgst_len > BN_num_bits(order))
|
||||
{
|
||||
/* XXX
|
||||
*
|
||||
* Should provide for optional hash truncation:
|
||||
* Keep the BN_num_bits(order) leftmost bits of dgst
|
||||
* (see March 2006 FIPS 186-3 draft, which has a few
|
||||
* confusing errors in this part though)
|
||||
*/
|
||||
|
||||
ECDSAerr(ECDSA_F_ECDSA_DO_VERIFY,
|
||||
ECDSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
|
||||
ret = 0;
|
||||
goto err;
|
||||
}
|
||||
|
||||
if (BN_is_zero(sig->r) || BN_is_negative(sig->r) ||
|
||||
BN_ucmp(sig->r, order) >= 0 || BN_is_zero(sig->s) ||
|
||||
|
|
|
|||
Loading…
Reference in a new issue