From 73863fab8ae1ecd8307aaeef486919cc76b85d63 Mon Sep 17 00:00:00 2001
From: Guus Sliepen <guus@tinc-vpn.org>
Date: Fri, 8 Jul 2011 18:17:34 +0200
Subject: [PATCH] Hash input before signing it with ECDSA.

---
 src/openssl/ecdsa.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/openssl/ecdsa.c b/src/openssl/ecdsa.c
index 000bfaa5..c3b96833 100644
--- a/src/openssl/ecdsa.c
+++ b/src/openssl/ecdsa.c
@@ -70,13 +70,17 @@ size_t ecdsa_size(ecdsa_t *ecdsa) {
 	return ECDSA_size(*ecdsa);
 }
 
-// TODO: hash first, standardise output format?
+// TODO: standardise output format?
 
 bool ecdsa_sign(ecdsa_t *ecdsa, const void *in, size_t len, void *sig) {
 	unsigned int siglen = ECDSA_size(*ecdsa);
+
+	char hash[SHA512_DIGEST_LENGTH];
+	SHA512(in, len, hash);
+
 	memset(sig, 0, siglen);
 
-	if(!ECDSA_sign(0, in, len, sig, &siglen, *ecdsa)) {
+	if(!ECDSA_sign(0, hash, sizeof hash, sig, &siglen, *ecdsa)) {
 		logger(LOG_DEBUG, "ECDSA_sign() failed: %s", ERR_error_string(ERR_get_error(), NULL));
 		return false;
 	}
@@ -91,7 +95,10 @@ bool ecdsa_sign(ecdsa_t *ecdsa, const void *in, size_t len, void *sig) {
 bool ecdsa_verify(ecdsa_t *ecdsa, const void *in, size_t len, const void *sig) {
 	unsigned int siglen = ECDSA_size(*ecdsa);
 
-	if(!ECDSA_verify(0, in, len, sig, siglen, *ecdsa)) {
+	char hash[SHA512_DIGEST_LENGTH];
+	SHA512(in, len, hash);
+
+	if(!ECDSA_verify(0, hash, sizeof hash, sig, siglen, *ecdsa)) {
 		logger(LOG_DEBUG, "ECDSA_verify() failed: %s", ERR_error_string(ERR_get_error(), NULL));
 		return false;
 	}
-- 
2.20.1