From: Adam Langley Date: Thu, 8 Dec 2011 21:46:19 +0000 (-0500) Subject: crypto/dsa: don't truncate input hashes. X-Git-Tag: weekly.2011-12-14~136 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=60f564fc3759a2d4cb2216ed643a65aa963f06b3;p=gostls13.git crypto/dsa: don't truncate input hashes. Although FIPS 186-3 says that we should truncate the hashes, at least one other library (libgcrypt) doesn't. This means that it's impossible to interoperate with code using gcrypt if we enforce the truncation inside of crypto/dsa. This change shouldn't actually affect anything because nearly everybody pairs DSA with SHA1, which doesn't need to be truncated in either case. R=golang-dev, bradfitz, rsc CC=golang-dev https://golang.org/cl/5471043 --- diff --git a/src/pkg/crypto/dsa/dsa.go b/src/pkg/crypto/dsa/dsa.go index a2adc7eb5c..be47846845 100644 --- a/src/pkg/crypto/dsa/dsa.go +++ b/src/pkg/crypto/dsa/dsa.go @@ -185,6 +185,10 @@ func GenerateKey(priv *PrivateKey, rand io.Reader) error { // larger message) using the private key, priv. It returns the signature as a // pair of integers. The security of the private key depends on the entropy of // rand. +// +// Note that FIPS 186-3 section 4.6 specifies that the hash should be truncated +// to the byte-length of the subgroup. This function does not perform that +// truncation itself. func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err error) { // FIPS 186-3, section 4.6 @@ -218,10 +222,7 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err continue } - if n > len(hash) { - n = len(hash) - } - z := k.SetBytes(hash[:n]) + z := k.SetBytes(hash) s = new(big.Int).Mul(priv.X, r) s.Add(s, z) @@ -238,7 +239,11 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err } // Verify verifies the signature in r, s of hash using the public key, pub. It -// returns true iff the signature is valid. +// reports whether the signature is valid. +// +// Note that FIPS 186-3 section 4.6 specifies that the hash should be truncated +// to the byte-length of the subgroup. This function does not perform that +// truncation itself. func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool { // FIPS 186-3, section 4.7 @@ -255,12 +260,7 @@ func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool { if n&7 != 0 { return false } - n >>= 3 - - if n > len(hash) { - n = len(hash) - } - z := new(big.Int).SetBytes(hash[:n]) + z := new(big.Int).SetBytes(hash) u1 := new(big.Int).Mul(z, w) u1.Mod(u1, pub.Q)