From 712ecabf36b715e704b058bbbe5b39fa75da9339 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Fri, 22 Feb 2019 15:29:45 -0800
Subject: [PATCH 1/2] Fix for ECC sign with hardware to ensure the input is truncated to the key order.

---
 wolfcrypt/src/ecc.c | 16 ++++++++++++++--
 1 file changed, 14 insertions(+), 2 deletions(-)

diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c
index 8e5bf8ef0..7f4cd2822 100644
--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
@@ -4239,13 +4239,25 @@ static int wc_ecc_sign_hash_hw(const byte* in, word32 inlen,
 #endif
 {
 word32 keysize = (word32)key->dp->size;
+ word32 orderBits;
+ DECLARE_CURVE_SPECS(curve, 1);
 /* Check args */
- if (keysize > ECC_MAX_CRYPTO_HW_SIZE || inlen != keysize ||
- *outlen < keysize*2) {
+ if (keysize > ECC_MAX_CRYPTO_HW_SIZE || *outlen < keysize*2) {
 return ECC_BAD_ARG_E;
 }
+ /* if the input is larger than curve order, we must truncate */
+ ALLOC_CURVE_SPECS(1);
+ err = wc_ecc_curve_load(key->dp, &curve, ECC_CURVE_FIELD_ORDER);
+ if (err != 0)
+ return err;
+ orderBits = mp_count_bits(curve->order);
+ if ((inlen * WOLFSSL_BIT_SIZE) > orderBits) {
+ inlen = (orderBits + WOLFSSL_BIT_SIZE - 1) / WOLFSSL_BIT_SIZE;
+ }
+ FREE_CURVE_SPECS();
+
 #if defined(WOLFSSL_ATECC508A)
 key->slot = atmel_ecc_alloc(ATMEL_SLOT_DEVICE);
 if (key->slot == ATECC_INVALID_SLOT) {
From 2bb5dd710c32f313d1b870ac5630ac95b248ba84 Mon Sep 17 00:00:00 2001
From: David Garske
Date: Mon, 25 Feb 2019 15:19:31 -0800
Subject: [PATCH 2/2] Fix for curve load failure leak.

---
 wolfcrypt/src/ecc.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/wolfcrypt/src/ecc.c b/wolfcrypt/src/ecc.c
index 7f4cd2822..440556b60 100644
--- a/wolfcrypt/src/ecc.c
+++ b/wolfcrypt/src/ecc.c
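Review bot: Dropping `inlen != keysize` from the argument check removes the lower bound as well as the upper one, so a digest shorter than the key size now passes; the truncation that follows only ever shrinks `inlen`, and if the hardware signing call after this hunk reads a fixed `keysize` bytes from `in` (not visible here), that is a read past the caller's buffer. Keeping the lower bound, as in `if (keysize > ECC_MAX_CRYPTO_HW_SIZE || inlen < keysize || *outlen < keysize*2) {`, preserves the old rejection of short input unless the backend is known to pad. Separately, `inlen * WOLFSSL_BIT_SIZE` is computed in `word32` and can wrap for a very large `inlen`, which would skip the truncation; comparing in bytes avoids the multiply: `if (inlen > (orderBits + WOLFSSL_BIT_SIZE - 1) / WOLFSSL_BIT_SIZE) {`. The body of wc_ecc_sign_hash_hw continues outside the hunk.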
@@ -4250,8 +4250,10 @@ static int wc_ecc_sign_hash_hw(const byte* in, word32 inlen,
 /* if the input is larger than curve order, we must truncate */
 ALLOC_CURVE_SPECS(1);
 err = wc_ecc_curve_load(key->dp, &curve, ECC_CURVE_FIELD_ORDER);
- if (err != 0)
+ if (err != 0) {
+ FREE_CURVE_SPECS();
 return err;
+ }
 orderBits = mp_count_bits(curve->order);
 if ((inlen * WOLFSSL_BIT_SIZE) > orderBits) {
 inlen = (orderBits + WOLFSSL_BIT_SIZE - 1) / WOLFSSL_BIT_SIZE;
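Review bot: The new error branch releases the spec storage with `FREE_CURVE_SPECS()`, but nothing in the visible lines releases whatever `wc_ecc_curve_load` may itself have set up for `curve->order`. Elsewhere in ecc.c a load is normally paired with `wc_ecc_curve_free(curve);` before `FREE_CURVE_SPECS();`, so it is worth confirming whether that call is also needed here and on the success path after the truncation. If it is, the branch body becomes `wc_ecc_curve_free(curve); FREE_CURVE_SPECS(); return err;`. The hunk ends inside the truncation `if`, so the success-path cleanup is not visible from here.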