Fix wolfCLU_sign_data_ecc and wolfCLU_verify_signature_ecc

embhorn · embhorn · commit 04122c8f6546 · 2026-04-07T15:32:59.000-05:00
diff --git a/src/sign-verify/clu_sign.c b/src/sign-verify/clu_sign.c
@@ -388,11 +388,34 @@ int wolfCLU_sign_data_ecc(byte* data, char* out, word32 fSz, char* privKey,
         }
     }
     if (ret == 0) {
+        int keySz;
+        enum wc_HashType hashType;
+        int digestSz;
+        byte hashBuf[WC_MAX_DIGEST_SIZE];
+
         XMEMSET(outBuf, 0, outBufSz);
 
-        /* signing input with ecc priv key to produce signature */
-        outLen = (word32)outBufSz;
-        ret = wc_ecc_sign_hash(data, fSz, outBuf, &outLen, &rng, &key);
+        /* hash the input data before signing -- ECDSA signs a digest, not raw
+         * data.  Select a hash whose digest size matches the curve. */
+        keySz = wc_ecc_size(&key);
+        if (keySz <= 32) {
+            hashType = WC_HASH_TYPE_SHA256;
+        }
+        else if (keySz <= 48) {
+            hashType = WC_HASH_TYPE_SHA384;
+        }
+        else {
+            hashType = WC_HASH_TYPE_SHA512;
+        }
+        digestSz = wc_HashGetDigestSize(hashType);
+        ret = wc_Hash(hashType, data, fSz, hashBuf, digestSz);
+
+        /* signing the hash with ecc priv key to produce signature */
+        if (ret == 0) {
+            outLen = (word32)outBufSz;
+            ret = wc_ecc_sign_hash(hashBuf, digestSz, outBuf, &outLen,
+                                   &rng, &key);
+        }
         if (ret >= 0) {
             XFILE s;
             s = XFOPEN(out, "wb");
diff --git a/src/sign-verify/clu_verify.c b/src/sign-verify/clu_verify.c
@@ -566,10 +566,33 @@ int wolfCLU_verify_signature_ecc(byte* sig, int sigSz, byte* hash, int hashSz,
         }
     }
     if (ret == 0) {
+        int keySz;
+        enum wc_HashType hashType;
+        int digestSz;
+        byte hashBuf[WC_MAX_DIGEST_SIZE];
+
         XMEMSET(outBuf, 0, outBufSz);
 
-        /* verify data with Ecc public key */
-        ret = wc_ecc_verify_hash(sig, sigSz, hash, hashSz, &stat, &key);
+        /* hash the input data before verifying -- ECDSA operates on a digest,
+         * not raw data.  Select a hash whose digest size matches the curve. */
+        keySz = wc_ecc_size(&key);
+        if (keySz <= 32) {
+            hashType = WC_HASH_TYPE_SHA256;
+        }
+        else if (keySz <= 48) {
+            hashType = WC_HASH_TYPE_SHA384;
+        }
+        else {
+            hashType = WC_HASH_TYPE_SHA512;
+        }
+        digestSz = wc_HashGetDigestSize(hashType);
+        ret = wc_Hash(hashType, hash, hashSz, hashBuf, digestSz);
+
+        /* verify the hash with Ecc public key */
+        if (ret == 0) {
+            ret = wc_ecc_verify_hash(sig, sigSz, hashBuf, digestSz,
+                                     &stat, &key);
+        }
         if (ret < 0) {
             wolfCLU_LogError("Failed to verify data with pub key.\nRET: %d", ret);
         }
