crypto/ecdsa: fix case where p != 0 mod 8 and the hash length < p.

author Adam Langley <agl@golang.org>

Tue, 22 May 2012 14:17:39 +0000 (10:17 -0400)

committer Adam Langley <agl@golang.org>

Tue, 22 May 2012 14:17:39 +0000 (10:17 -0400)
author Adam Langley <agl@golang.org>
Tue, 22 May 2012 14:17:39 +0000 (10:17 -0400)
committer Adam Langley <agl@golang.org>
Tue, 22 May 2012 14:17:39 +0000 (10:17 -0400)
diff --git a/src/pkg/crypto/ecdsa/ecdsa.go b/src/pkg/crypto/ecdsa/ecdsa.go

index b28239b7862d3714eea3a353b2777eef8cddb6f7..8508e3b4f8da113771a725f9ed8249144a5a333d 100644 (file)
--- a/src/pkg/crypto/ecdsa/ecdsa.go
+++ b/src/pkg/crypto/ecdsa/ecdsa.go
@@ -66,7 +66,9 @@ func GenerateKey(c elliptic.Curve, rand io.Reader) (priv *PrivateKey, err error)
  // hashToInt converts a hash value to an integer. There is some disagreement
  // about how this is done. [NSA] suggests that this is done in the obvious
  // manner, but [SECG] truncates the hash to the bit-length of the curve order
-// first. We follow [SECG] because that's what OpenSSL does.
+// first. We follow [SECG] because that's what OpenSSL does. Additionally,
+// OpenSSL right shifts excess bits from the number if the hash is too large
+// and we mirror that too.
  func hashToInt(hash []byte, c elliptic.Curve) *big.Int {
         orderBits := c.Params().N.BitLen()
         orderBytes := (orderBits + 7) / 8
@@ -75,7 +77,7 @@ func hashToInt(hash []byte, c elliptic.Curve) *big.Int {
         }
  
         ret := new(big.Int).SetBytes(hash)
-       excess := orderBytes*8 - orderBits
+       excess := len(hash)*8 - orderBits
         if excess > 0 {
                 ret.Rsh(ret, uint(excess))
         }
author	Adam Langley <agl@golang.org>
	Tue, 22 May 2012 14:17:39 +0000 (10:17 -0400)
committer	Adam Langley <agl@golang.org>
	Tue, 22 May 2012 14:17:39 +0000 (10:17 -0400)