From bcd0bcc3904db4755ac6cf2b14020872ca328cc7 Mon Sep 17 00:00:00 2001
From: nobu <nobu@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Thu, 6 May 2010 10:13:46 +0000
Subject: [PATCH] * test/openssl/test_ec.rb: added
 test_dsa_sign_asn1_FIPS186_3. dgst is   truncated with
 ec_key.group.order.size after openssl 0.9.8m for   FIPS 186-3 compliance.

  WARNING: ruby-openssl aims to wrap an OpenSSL so when you're using
  openssl 0.9.8l or earlier version, EC.dsa_sign_asn1 raises
  OpenSSL::PKey::ECError as before and EC.dsa_verify_asn1 just returns
  false when you pass dgst longer than expected (no truncation
  performed).

* ext/openssl/ossl_pkey_ec.c: rdoc typo fixed.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@27645 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 ChangeLog                  | 14 ++++++++++++++
 ext/openssl/ossl_pkey_ec.c |  2 +-
 test/openssl/test_ec.rb    | 19 +++++++++++++++++--
 3 files changed, 32 insertions(+), 3 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index a178f3bd89..7fe28bd6d8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,17 @@
+Thu May  6 19:13:43 2010  NAKAMURA, Hiroshi  <nahi@ruby-lang.org>
+
+	* test/openssl/test_ec.rb: added test_dsa_sign_asn1_FIPS186_3. dgst is
+	  truncated with ec_key.group.order.size after openssl 0.9.8m for
+	  FIPS 186-3 compliance.
+
+	  WARNING: ruby-openssl aims to wrap an OpenSSL so when you're using
+	  openssl 0.9.8l or earlier version, EC.dsa_sign_asn1 raises
+	  OpenSSL::PKey::ECError as before and EC.dsa_verify_asn1 just returns
+	  false when you pass dgst longer than expected (no truncation
+	  performed).
+
+	* ext/openssl/ossl_pkey_ec.c: rdoc typo fixed.
+
 Thu May  6 18:12:43 2010  Koichi Sasada  <ko1@atdot.net>
 
 	* cont.c (fiber_setcontext): Fix last commit.
diff --git a/ext/openssl/ossl_pkey_ec.c b/ext/openssl/ossl_pkey_ec.c
index 52e910cba8..df23fba3af 100644
--- a/ext/openssl/ossl_pkey_ec.c
+++ b/ext/openssl/ossl_pkey_ec.c
@@ -681,7 +681,7 @@ static VALUE ossl_ec_key_dsa_sign_asn1(VALUE self, VALUE data)
 
 /*
  *  call-seq:
- *     key.dsa_verify(data, sig)   => true or false
+ *     key.dsa_verify_asn1(data, sig)   => true or false
  *
  *  See the OpenSSL documentation for ECDSA_verify()
  */
diff --git a/test/openssl/test_ec.rb b/test/openssl/test_ec.rb
index 282bb67624..39f5577dc2 100644
--- a/test/openssl/test_ec.rb
+++ b/test/openssl/test_ec.rb
@@ -87,9 +87,24 @@ class OpenSSL::TestEC < Test::Unit::TestCase
   def test_dsa_sign_verify
     for key in @keys
       sig = key.dsa_sign_asn1(@data1)
-      assert_equal(key.dsa_verify_asn1(@data1, sig), true)
+      assert(key.dsa_verify_asn1(@data1, sig))
+    end
+  end
 
-      assert_raise(OpenSSL::PKey::ECError) { key.dsa_sign_asn1(@data2) }
+  def test_dsa_sign_asn1_FIPS186_3
+    for key in @keys
+      size = key.group.order.num_bits / 8 + 1
+      dgst = (1..size).to_a.pack('C*')
+      begin
+        sig = key.dsa_sign_asn1(dgst)
+        # dgst is auto-truncated according to FIPS186-3 after openssl-0.9.8m
+        assert(key.dsa_verify_asn1(dgst + "garbage", sig))
+      rescue OpenSSL::PKey::ECError => e
+        # just an exception for longer dgst before openssl-0.9.8m
+        assert_equal('ECDSA_sign: data too large for key size', e.message)
+        # no need to do following tests
+        return
+      end
     end
   end