Since FIPS 186-3 specifies we use the leftmost bits of the digest

we shouldn't reject digest lengths larger than SHA256: the FIPS algorithm tests include SHA384 and SHA512 tests.
author: Dr. Stephen Henson <steve@openssl.org> 2011-02-01 12:53:47 +0000
committer: Dr. Stephen Henson <steve@openssl.org> 2011-02-01 12:53:47 +0000
commit: 5080fbbef024e8dca56f2ce94cef0c37a2bf3bcb (patch)
tree: 4193826276dccde472e82605bee418ee7da6630d /crypto/dsa
parent: b5b724348de90ba791a51c443ea1aa3aa8ee70a0 (diff)
1 files changed, 0 insertions, 18 deletions
diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index 1b416901b4..b3d78e524c 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -149,15 +149,6 @@ static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa)
 
 	s=BN_new();
 	if (s == NULL) goto err;
-
-	/* reject a excessive digest length (currently at most
-	 * dsa-with-SHA256 is supported) */
-	if (dlen > SHA256_DIGEST_LENGTH)
-		{
-		reason=DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE;
-		goto err;
-		}
-
 	ctx=BN_CTX_new();
 	if (ctx == NULL) goto err;
 redo:
@@ -339,15 +330,6 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
 		DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_MODULUS_TOO_LARGE);
 		return -1;
 		}
-
-	/* reject a excessive digest length (currently at most
-	 * dsa-with-SHA256 is supported) */
-	if (dgst_len > SHA256_DIGEST_LENGTH)
-		{
-		DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
-		return -1;
-		}
-
 	BN_init(&u1);
 	BN_init(&u2);
 	BN_init(&t1);
author	Dr. Stephen Henson <steve@openssl.org>	2011-02-01 12:53:47 +0000
committer	Dr. Stephen Henson <steve@openssl.org>	2011-02-01 12:53:47 +0000
commit	5080fbbef024e8dca56f2ce94cef0c37a2bf3bcb (patch)
tree	4193826276dccde472e82605bee418ee7da6630d /crypto/dsa
parent	b5b724348de90ba791a51c443ea1aa3aa8ee70a0 (diff)