authorIan Lance Taylor <ian@gcc.gnu.org>2016-07-22 18:15:38 +0000
committerIan Lance Taylor <ian@gcc.gnu.org>2016-07-22 18:15:38 +0000
commit22b955cca564a9a3a5b8c9d9dd1e295b7943c128 (patch)
treeabdbd898676e1f853fca2d7e031d105d7ebcf676 /libgo/go/crypto/ecdsa
parent9d04a3af4c6491536badf6bde9707c907e4d196b (diff)
libgo: update to go1.7rc3
Reviewed-on: https://go-review.googlesource.com/25150 From-SVN: r238662
Diffstat (limited to 'libgo/go/crypto/ecdsa')
-rw-r--r--libgo/go/crypto/ecdsa/ecdsa.go19
-rw-r--r--libgo/go/crypto/ecdsa/ecdsa_test.go25
2 files changed, 34 insertions, 10 deletions
diff --git a/libgo/go/crypto/ecdsa/ecdsa.go b/libgo/go/crypto/ecdsa/ecdsa.go
index e54488c..72fb499 100644
--- a/libgo/go/crypto/ecdsa/ecdsa.go
+++ b/libgo/go/crypto/ecdsa/ecdsa.go
@@ -97,17 +97,17 @@ func randFieldElement(c elliptic.Curve, rand io.Reader) (k *big.Int, err error)
}
// GenerateKey generates a public and private key pair.
-func GenerateKey(c elliptic.Curve, rand io.Reader) (priv *PrivateKey, err error) {
+func GenerateKey(c elliptic.Curve, rand io.Reader) (*PrivateKey, error) {
k, err := randFieldElement(c, rand)
if err != nil {
- return
+ return nil, err
}
- priv = new(PrivateKey)
+ priv := new(PrivateKey)
priv.PublicKey.Curve = c
priv.D = k
priv.PublicKey.X, priv.PublicKey.Y = c.ScalarBaseMult(k.Bytes())
- return
+ return priv, nil
}
// hashToInt converts a hash value to an integer. There is some disagreement
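Review bot: The doc comment on GenerateKey still says nothing about what `rand` must be, although the private scalar `priv.D` is taken directly from `randFieldElement(c, rand)`. Sign's comment in this same file states that the security of the private key depends on the entropy of rand, and the same caveat belongs on the function that creates the key. I would extend the comment with `// The security of the generated key depends on the entropy of rand; callers should pass crypto/rand.Reader.`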
@@ -143,10 +143,11 @@ func fermatInverse(k, N *big.Int) *big.Int {
var errZeroParam = errors.New("zero parameter")
-// Sign signs an arbitrary length hash (which should be the result of hashing a
-// larger message) using the private key, priv. It returns the signature as a
-// pair of integers. The security of the private key depends on the entropy of
-// rand.
+// Sign signs a hash (which should be the result of hashing a larger message)
+// using the private key, priv. If the hash is longer than the bit-length of the
+// private key's curve order, the hash will be truncated to that length. It
+// returns the signature as a pair of integers. The security of the private key
+// depends on the entropy of rand.
func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err error) {
// Get max(log2(q) / 2, 256) bits of entropy from rand.
entropylen := (priv.Curve.Params().BitSize + 7) / 16
@@ -228,7 +229,7 @@ func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool {
c := pub.Curve
N := c.Params().N
- if r.Sign() == 0 || s.Sign() == 0 {
+ if r.Sign() <= 0 || s.Sign() <= 0 {
return false
}
if r.Cmp(N) >= 0 || s.Cmp(N) >= 0 {
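Review bot: The new `r.Sign() <= 0 || s.Sign() <= 0` check has no comment explaining why it is `<=` rather than `==`, so a later cleanup could quietly revert it. A negative r or s compares less than N and therefore also passes the `Cmp(N) >= 0` test on the following lines, which makes this line the only guard keeping negative values out of the arithmetic that follows. I would add `// r and s must lie in [1, N-1]; negative values compare less than N, so reject them here.` above the check. The rest of Verify's body lies outside this hunk.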
diff --git a/libgo/go/crypto/ecdsa/ecdsa_test.go b/libgo/go/crypto/ecdsa/ecdsa_test.go
index 62a3fcc..fc25fd7 100644
--- a/libgo/go/crypto/ecdsa/ecdsa_test.go
+++ b/libgo/go/crypto/ecdsa/ecdsa_test.go
@@ -130,7 +130,7 @@ func testNonceSafety(t *testing.T, c elliptic.Curve, tag string) {
}
if r0.Cmp(r1) == 0 {
- t.Errorf("%s: the nonce used for two diferent messages was the same", tag)
+ t.Errorf("%s: the nonce used for two different messages was the same", tag)
}
}
@@ -296,3 +296,26 @@ func TestVectors(t *testing.T) {
}
}
}
+
+func testNegativeInputs(t *testing.T, curve elliptic.Curve, tag string) {
+ key, err := GenerateKey(curve, rand.Reader)
+ if err != nil {
+ t.Errorf("failed to generate key for %q", tag)
+ }
+
+ var hash [32]byte
+ r := new(big.Int).SetInt64(1)
+ r.Lsh(r, 550 /* larger than any supported curve */)
+ r.Neg(r)
+
+ if Verify(&key.PublicKey, hash[:], r, r) {
+ t.Errorf("bogus signature accepted for %q", tag)
+ }
+}
+
+func TestNegativeInputs(t *testing.T) {
+ testNegativeInputs(t, elliptic.P224(), "p224")
+ testNegativeInputs(t, elliptic.P256(), "p256")
+ testNegativeInputs(t, elliptic.P384(), "p384")
+ testNegativeInputs(t, elliptic.P521(), "p521")
+}
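Review bot: In testNegativeInputs a failed GenerateKey is reported with `t.Errorf`, so the test carries on and would dereference a nil `key` at `&key.PublicKey`, turning a key-generation failure into a panic. It should be `t.Fatalf("failed to generate key for %q: %v", tag, err)`, which also records the underlying error. The test only covers r and s both set to the same large negative value. Cases where only one of them is negative, and where the magnitude is below the curve order, would pin the `<= 0` check in Verify more tightly.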