authorDr. Stephen Henson <steve@openssl.org>2011-02-01 12:52:01 +0000
committerDr. Stephen Henson <steve@openssl.org>2011-02-01 12:52:01 +0000
commit7f64c26588cabfa17bac0093284054445b44cddb (patch)
tree5b47eab3f180d59a3756954440e5cb96bf883474
parent3dd9b31dc4fc935543d4142dfdd9a88e3ef6dcd8 (diff)
Since FIPS 186-3 specifies we use the leftmost bits of the digest
we shouldn't reject digest lengths larger than SHA256: the FIPS algorithm tests include SHA384 and SHA512 tests.
-rw-r--r--crypto/dsa/dsa_ossl.c18
-rw-r--r--fips/dsa/fips_dssvs.c28
2 files changed, 12 insertions, 34 deletions
diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index 33ac3e130e..fd757082f9 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -166,15 +166,6 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
s=BN_new();
if (s == NULL) goto err;
-
- /* reject a excessive digest length (currently at most
- * dsa-with-SHA256 is supported) */
- if (dlen > SHA256_DIGEST_LENGTH)
- {
- reason=DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE;
- goto err;
- }
-
ctx=BN_CTX_new();
if (ctx == NULL) goto err;
redo:
@@ -370,15 +361,6 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE);
return -1;
}
-
- /* reject a excessive digest length (currently at most
- * dsa-with-SHA256 is supported) */
- if (dgst_len > SHA256_DIGEST_LENGTH)
- {
- DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
- return -1;
- }
-
BN_init(&u1);
BN_init(&u2);
BN_init(&t1);
diff --git a/fips/dsa/fips_dssvs.c b/fips/dsa/fips_dssvs.c
index 5e9d83900c..156ad05e59 100644
--- a/fips/dsa/fips_dssvs.c
+++ b/fips/dsa/fips_dssvs.c
@@ -494,7 +494,9 @@ static void sigver()
char lbuf[1024];
unsigned char msg[1024];
char *keyword, *value;
- int nmod=0, n=0;
+ int n=0;
+ int dsa2, L, N;
+ const EVP_MD *md = NULL;
DSA_SIG sg, *sig = &sg;
sig->r = NULL;
@@ -507,27 +509,24 @@ static void sigver()
fputs(buf,stdout);
continue;
}
+ fputs(buf,stdout);
if(!strcmp(keyword,"[mod"))
{
- nmod=atoi(value);
- if(dsa)
+ if (!parse_mod(value, &dsa2, &L, &N, &md))
+ {
+ fprintf(stderr, "Mod Parse Error\n");
+ exit (1);
+ }
+ if (dsa)
FIPS_dsa_free(dsa);
- dsa=FIPS_dsa_new();
+ dsa = FIPS_dsa_new();
}
else if(!strcmp(keyword,"P"))
dsa->p=hex2bn(value);
else if(!strcmp(keyword,"Q"))
dsa->q=hex2bn(value);
else if(!strcmp(keyword,"G"))
- {
dsa->g=hex2bn(value);
-
- printf("[mod = %d]\n\n",nmod);
- pbn("P",dsa->p);
- pbn("Q",dsa->q);
- pbn("G",dsa->g);
- putc('\n',stdout);
- }
else if(!strcmp(keyword,"Msg"))
{
n=hex2bin(value,msg);
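Review bot: The result of `FIPS_dsa_new()` in the `[mod` branch is not checked, while the `P`, `Q` and `G` branches just below write through `dsa` unconditionally, so an allocation failure becomes a null dereference instead of a reported error. I would add `if (!dsa) { fprintf(stderr, "DSA allocation error\n"); exit(1); }` right after the allocation, matching the parse_mod failure path added in this hunk. The same dereference would apply to a vector file whose parameters precede any `[mod` line, if `dsa` starts out NULL; its initialisation is outside the hunk. The `dsa2`, `L` and `N` values filled in by parse_mod are not used in the visible hunks, so a short comment that sigver needs only `md` would help the next reader. sigver's body starts and ends outside this hunk.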
@@ -544,10 +543,7 @@ static void sigver()
EVP_MD_CTX_init(&mctx);
sig->s=hex2bn(value);
- pbn("Y",dsa->pub_key);
- pbn("R",sig->r);
- pbn("S",sig->s);
- EVP_DigestInit_ex(&mctx, EVP_sha1(), NULL);
+ EVP_DigestInit_ex(&mctx, md, NULL);
EVP_DigestUpdate(&mctx, msg, n);
no_err = 1;
r = FIPS_dsa_verify_ctx(dsa, &mctx, sig);
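Review bot: `md` stays NULL until a `[mod` line has been parsed, and the return value of `EVP_DigestInit_ex(&mctx, md, NULL)` is ignored, so an `S` line that arrives before any `[mod` header hands a NULL digest to the init call and the failure is not caught before `FIPS_dsa_verify_ctx` runs on that context. I would guard it with `if (!md || !EVP_DigestInit_ex(&mctx, md, NULL)) { fprintf(stderr, "Digest Init Error\n"); exit(1); }`. This tool is the test of the larger digests that the dsa_ossl.c hunks now accept, so a digest setup failure should stop the run rather than flow into the verify result. The enclosing `S` branch starts and ends outside the hunk.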