From: Bryan Donlan Date: Tue, 17 Jul 2018 20:38:17 +0000 (-0700) Subject: Remove DSA digest length checks when no digest is passed X-Git-Tag: OpenSSL_1_1_0i~19 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=34515e8f88e57c13cdf2b1d4ec094ffd4e9f8d94;p=oweals%2Fopenssl.git Remove DSA digest length checks when no digest is passed FIPS 186-4 does not specify a hard requirement on DSA digest lengths, and in any case the current check rejects the FIPS recommended digest lengths for key sizes != 1024 bits. Fixes: #6748 Reviewed-by: Rich Salz Reviewed-by: Andy Polyakov (Merged from https://github.com/openssl/openssl/pull/6749) (cherry picked from commit 665d9d1c0655d6f709c99e1211c1e11fcebfeecd) --- diff --git a/crypto/dsa/dsa_pmeth.c b/crypto/dsa/dsa_pmeth.c index a1cbaadc64..a82c4c9811 100644 --- a/crypto/dsa/dsa_pmeth.c +++ b/crypto/dsa/dsa_pmeth.c @@ -76,13 +76,8 @@ static int pkey_dsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, DSA_PKEY_CTX *dctx = ctx->data; DSA *dsa = ctx->pkey->pkey.dsa; - if (dctx->md) { - if (tbslen != (size_t)EVP_MD_size(dctx->md)) - return 0; - } else { - if (tbslen != SHA_DIGEST_LENGTH) - return 0; - } + if (dctx->md != NULL && tbslen != (size_t)EVP_MD_size(dctx->md)) + return 0; ret = DSA_sign(0, tbs, tbslen, sig, &sltmp, dsa); @@ -100,13 +95,8 @@ static int pkey_dsa_verify(EVP_PKEY_CTX *ctx, DSA_PKEY_CTX *dctx = ctx->data; DSA *dsa = ctx->pkey->pkey.dsa; - if (dctx->md) { - if (tbslen != (size_t)EVP_MD_size(dctx->md)) - return 0; - } else { - if (tbslen != SHA_DIGEST_LENGTH) - return 0; - } + if (dctx->md != NULL && tbslen != (size_t)EVP_MD_size(dctx->md)) + return 0; ret = DSA_verify(0, tbs, tbslen, sig, siglen, dsa);