diff options
author | Bryan Donlan <bdonlan@amazon.com> | 2018-07-17 13:38:17 -0700 |
---|---|---|
committer | Andy Polyakov <appro@openssl.org> | 2018-07-29 21:26:29 +0200 |
commit | 665d9d1c0655d6f709c99e1211c1e11fcebfeecd (patch) | |
tree | f0c0999c1170898570d362f5e4dd9412f2612c3e | |
parent | bd93f1ac2750450033dbfa76b5f1597b0145b585 (diff) |
Remove DSA digest length checks when no digest is passed
FIPS 186-4 does not specify a hard requirement on DSA digest lengths,
and in any case the current check rejects the FIPS recommended digest
lengths for key sizes != 1024 bits.
Fixes: #6748
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6749)
-rw-r--r-- | crypto/dsa/dsa_pmeth.c | 18 |
1 files changed, 4 insertions, 14 deletions
diff --git a/crypto/dsa/dsa_pmeth.c b/crypto/dsa/dsa_pmeth.c index f66317b87d..b4ee5a7571 100644 --- a/crypto/dsa/dsa_pmeth.c +++ b/crypto/dsa/dsa_pmeth.c @@ -77,13 +77,8 @@ static int pkey_dsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig, DSA_PKEY_CTX *dctx = ctx->data; DSA *dsa = ctx->pkey->pkey.dsa; - if (dctx->md) { - if (tbslen != (size_t)EVP_MD_size(dctx->md)) - return 0; - } else { - if (tbslen != SHA_DIGEST_LENGTH) - return 0; - } + if (dctx->md != NULL && tbslen != (size_t)EVP_MD_size(dctx->md)) + return 0; ret = DSA_sign(0, tbs, tbslen, sig, &sltmp, dsa); @@ -101,13 +96,8 @@ static int pkey_dsa_verify(EVP_PKEY_CTX *ctx, DSA_PKEY_CTX *dctx = ctx->data; DSA *dsa = ctx->pkey->pkey.dsa; - if (dctx->md) { - if (tbslen != (size_t)EVP_MD_size(dctx->md)) - return 0; - } else { - if (tbslen != SHA_DIGEST_LENGTH) - return 0; - } + if (dctx->md != NULL && tbslen != (size_t)EVP_MD_size(dctx->md)) + return 0; ret = DSA_verify(0, tbs, tbslen, sig, siglen, dsa); |