From 60f564fc3759a2d4cb2216ed643a65aa963f06b3 Mon Sep 17 00:00:00 2001 From: Adam Langley Date: Thu, 8 Dec 2011 16:46:19 -0500 Subject: [PATCH] crypto/dsa: don't truncate input hashes. Although FIPS 186-3 says that we should truncate the hashes, at least one other library (libgcrypt) doesn't. This means that it's impossible to interoperate with code using gcrypt if we enforce the truncation inside of crypto/dsa. This change shouldn't actually affect anything because nearly everybody pairs DSA with SHA1, which doesn't need to be truncated in either case. R=golang-dev, bradfitz, rsc CC=golang-dev https://golang.org/cl/5471043 --- src/pkg/crypto/dsa/dsa.go | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/src/pkg/crypto/dsa/dsa.go b/src/pkg/crypto/dsa/dsa.go index a2adc7eb5c3..be478468455 100644 --- a/src/pkg/crypto/dsa/dsa.go +++ b/src/pkg/crypto/dsa/dsa.go @@ -185,6 +185,10 @@ func GenerateKey(priv *PrivateKey, rand io.Reader) error { // larger message) using the private key, priv. It returns the signature as a // pair of integers. The security of the private key depends on the entropy of // rand. +// +// Note that FIPS 186-3 section 4.6 specifies that the hash should be truncated +// to the byte-length of the subgroup. This function does not perform that +// truncation itself. func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err error) { // FIPS 186-3, section 4.6 @@ -218,10 +222,7 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err continue } - if n > len(hash) { - n = len(hash) - } - z := k.SetBytes(hash[:n]) + z := k.SetBytes(hash) s = new(big.Int).Mul(priv.X, r) s.Add(s, z) @@ -238,7 +239,11 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err } // Verify verifies the signature in r, s of hash using the public key, pub. It -// returns true iff the signature is valid. +// reports whether the signature is valid. +// +// Note that FIPS 186-3 section 4.6 specifies that the hash should be truncated +// to the byte-length of the subgroup. This function does not perform that +// truncation itself. func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool { // FIPS 186-3, section 4.7 @@ -255,12 +260,7 @@ func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool { if n&7 != 0 { return false } - n >>= 3 - - if n > len(hash) { - n = len(hash) - } - z := new(big.Int).SetBytes(hash[:n]) + z := new(big.Int).SetBytes(hash) u1 := new(big.Int).Mul(z, w) u1.Mod(u1, pub.Q)