crypto/dsa: don't truncate input hashes.

Although FIPS 186-3 says that we should truncate the hashes, at least one other library (libgcrypt) doesn't. This means that it's impossible to interoperate with code using gcrypt if we enforce the truncation inside of crypto/dsa. This change shouldn't actually affect anything because nearly everybody pairs DSA with SHA1, which doesn't need to be truncated in either case. R=golang-dev, bradfitz, rsc CC=golang-dev https://golang.org/cl/5471043

crypto/dsa: don't truncate input hashes.
Although FIPS 186-3 says that we should truncate the hashes, at least one other library (libgcrypt) doesn't. This means that it's impossible to interoperate with code using gcrypt if we enforce the truncation inside of crypto/dsa. This change shouldn't actually affect anything because nearly everybody pairs DSA with SHA1, which doesn't need to be truncated in either case. R=golang-dev, bradfitz, rsc CC=golang-dev https://golang.org/cl/5471043
60f564fc · Adam Langley · 9d59c40e · 60f564fc
Commit 60f564fc authored Dec 08, 2011 by Adam Langley
Hide whitespace changes
Inline Side-by-side

Showing with 11 additions and 11 deletions

dsa.go src/pkg/crypto/dsa/dsa.go +11 -11

No files found.
--- a/src/pkg/crypto/dsa/dsa.go
+++ b/src/pkg/crypto/dsa/dsa.go
@@ -185,6 +185,10 @@ func GenerateKey(priv *PrivateKey, rand io.Reader) error {
 // larger message) using the private key, priv. It returns the signature as a
 // pair of integers. The security of the private key depends on the entropy of
 // rand.
+//
+// Note that FIPS 186-3 section 4.6 specifies that the hash should be truncated
+// to the byte-length of the subgroup. This function does not perform that
+// truncation itself.
 func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err error) {
 	// FIPS 186-3, section 4.6
@@ -218,10 +222,7 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err
 			continue
 		}
-		if n > len(hash) {
+		z := k.SetBytes(hash)
-			n = len(hash)
-		}
-		z := k.SetBytes(hash[:n])
 		s = new(big.Int).Mul(priv.X, r)
 		s.Add(s, z)
@@ -238,7 +239,11 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err
 }
 // Verify verifies the signature in r, s of hash using the public key, pub. It
-// returns true iff the signature is valid.
+// reports whether the signature is valid.
+//
+// Note that FIPS 186-3 section 4.6 specifies that the hash should be truncated
+// to the byte-length of the subgroup. This function does not perform that
+// truncation itself.
 func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool {
 	// FIPS 186-3, section 4.7
@@ -255,12 +260,7 @@ func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool {
 	if n&7 != 0 {
 		return false
 	}
-	n >>= 3
+	z := new(big.Int).SetBytes(hash)
-	if n > len(hash) {
-		n = len(hash)
-	}
-	z := new(big.Int).SetBytes(hash[:n])
 	u1 := new(big.Int).Mul(z, w)
 	u1.Mod(u1, pub.Q)