From: Adam Langley <agl@golang.org>
Date: Tue, 22 May 2012 14:17:39 +0000 (-0400)
Subject: crypto/ecdsa: fix case where p != 0 mod 8 and the hash length < p.
X-Git-Tag: go1.1rc2~3163
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=477d7b166307916376dc94b6917597d768f102d3;p=gostls13.git

crypto/ecdsa: fix case where p != 0 mod 8 and the hash length < p.

I made a typo which breaks P-521.

R=golang-dev, rsc
CC=golang-dev
https://golang.org/cl/6219057
---

diff --git a/src/pkg/crypto/ecdsa/ecdsa.go b/src/pkg/crypto/ecdsa/ecdsa.go
index b28239b786..8508e3b4f8 100644
--- a/src/pkg/crypto/ecdsa/ecdsa.go
+++ b/src/pkg/crypto/ecdsa/ecdsa.go
@@ -66,7 +66,9 @@ func GenerateKey(c elliptic.Curve, rand io.Reader) (priv *PrivateKey, err error)
 // hashToInt converts a hash value to an integer. There is some disagreement
 // about how this is done. [NSA] suggests that this is done in the obvious
 // manner, but [SECG] truncates the hash to the bit-length of the curve order
-// first. We follow [SECG] because that's what OpenSSL does.
+// first. We follow [SECG] because that's what OpenSSL does. Additionally,
+// OpenSSL right shifts excess bits from the number if the hash is too large
+// and we mirror that too.
 func hashToInt(hash []byte, c elliptic.Curve) *big.Int {
 	orderBits := c.Params().N.BitLen()
 	orderBytes := (orderBits + 7) / 8
@@ -75,7 +77,7 @@ func hashToInt(hash []byte, c elliptic.Curve) *big.Int {
 	}
 
 	ret := new(big.Int).SetBytes(hash)
-	excess := orderBytes*8 - orderBits
+	excess := len(hash)*8 - orderBits
 	if excess > 0 {
 		ret.Rsh(ret, uint(excess))
 	}