From ecbac7324ea08e1712f63bb3d2133b92715f3f1e Mon Sep 17 00:00:00 2001
From: Karel Miko
Date: Mon, 10 Oct 2016 21:51:22 +0200
Subject: [PATCH] DSA: properly handle FIPS 186-4 (4.6 + 4.7)

---
 src/pk/dsa/dsa_sign_hash.c | 3 +++
 src/pk/dsa/dsa_verify_hash.c | 3 +++
 2 files changed, 6 insertions(+)

diff --git a/src/pk/dsa/dsa_sign_hash.c b/src/pk/dsa/dsa_sign_hash.c
index 3ccfcf5..7ac3f54 100644
--- a/src/pk/dsa/dsa_sign_hash.c
+++ b/src/pk/dsa/dsa_sign_hash.c
@@ -84,6 +84,9 @@ retry:
 if (mp_iszero(r) == LTC_MP_YES) { goto retry; }
+ /* FIPS 186-4 4.6: use leftmost min(bitlen(q), bitlen(hash)) */
+ if (inlen > (unsigned long)(key->qord)) inlen = (unsigned long)(key->qord);
+
 /* now find s = (in + xr)/k mod q */
 if ((err = mp_read_unsigned_bin(tmp, (unsigned char *)in, inlen)) != CRYPT_OK) { goto error; }
 if ((err = mp_mul(key->x, r, s)) != CRYPT_OK) { goto error; }
diff --git a/src/pk/dsa/dsa_verify_hash.c b/src/pk/dsa/dsa_verify_hash.c
index 59beec2..55bb454 100644
--- a/src/pk/dsa/dsa_verify_hash.c
+++ b/src/pk/dsa/dsa_verify_hash.c
@@ -54,6 +54,9 @@ int dsa_verify_hash_raw( void *r, void *s,
 goto error;
 }
+ /* FIPS 186-4 4.7: use leftmost min(bitlen(q), bitlen(hash)) bits of 'hash' */
+ if (hashlen > (unsigned long)(key->qord)) hashlen = (unsigned long)(key->qord);
+
 /* w = 1/s mod q */
 if ((err = mp_invmod(s, key->q, w)) != CRYPT_OK) { goto error; }
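Review bot: The added truncation in dsa_sign_hash.c compares octet counts (`inlen` against `key->qord`), whereas FIPS 186-4 4.6 prescribes the leftmost min(N, outlen) *bits* with N the bit length of q, and the two coincide only when N is a multiple of 8 — true for the approved sizes (160/224/256) but not for an arbitrary group order; the comment should say so, e.g. `/* FIPS 186-4 4.6: keep the leftmost qord octets of the hash (equals min(N, outlen) bits only when bitlen(q) is a multiple of 8) */`. The dsa_verify_hash.c hunk (4.7) has the same octet-vs-bit mismatch and the two sides must truncate identically for signatures to verify, so the comment belongs in both places. The cast `(unsigned long)(key->qord)` also means a non-positive qord — its declaration is not visible here — would silently disable the truncation rather than fail, so unless qord is already validated earlier in these functions, a guard such as `if (key->qord <= 0) { err = CRYPT_INVALID_ARG; goto error; }` ahead of the comparison would be defensive, especially on the verify path where the key may have been imported. Both enclosing functions begin and end outside their hunks.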