[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

Andy Polyakov appro at openssl.org
Sun Jul 29 19:29:03 UTC 2018 

The branch OpenSSL_1_1_0-stable has been updated
       via  34515e8f88e57c13cdf2b1d4ec094ffd4e9f8d94 (commit)
      from  3c0addb71c66adf729f48050c3a75f68c44b23b6 (commit)


- Log -----------------------------------------------------------------
commit 34515e8f88e57c13cdf2b1d4ec094ffd4e9f8d94
Author: Bryan Donlan <bdonlan at amazon.com>
Date:   Tue Jul 17 13:38:17 2018 -0700

    Remove DSA digest length checks when no digest is passed
    
    FIPS 186-4 does not specify a hard requirement on DSA digest lengths,
    and in any case the current check rejects the FIPS recommended digest
    lengths for key sizes != 1024 bits.
    
    Fixes: #6748
    
    Reviewed-by: Rich Salz <rsalz at openssl.org>
    Reviewed-by: Andy Polyakov <appro at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/6749)
    
    (cherry picked from commit 665d9d1c0655d6f709c99e1211c1e11fcebfeecd)

-----------------------------------------------------------------------

Summary of changes:
 crypto/dsa/dsa_pmeth.c | 18 ++++--------------
 1 file changed, 4 insertions(+), 14 deletions(-)

diff --git a/crypto/dsa/dsa_pmeth.c b/crypto/dsa/dsa_pmeth.c
index a1cbaad..a82c4c9 100644
--- a/crypto/dsa/dsa_pmeth.c
+++ b/crypto/dsa/dsa_pmeth.c
@@ -76,13 +76,8 @@ static int pkey_dsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig,
     DSA_PKEY_CTX *dctx = ctx->data;
     DSA *dsa = ctx->pkey->pkey.dsa;
 
-    if (dctx->md) {
-        if (tbslen != (size_t)EVP_MD_size(dctx->md))
-            return 0;
-    } else {
-        if (tbslen != SHA_DIGEST_LENGTH)
-            return 0;
-    }
+    if (dctx->md != NULL && tbslen != (size_t)EVP_MD_size(dctx->md))
+        return 0;
 
     ret = DSA_sign(0, tbs, tbslen, sig, &sltmp, dsa);
 
@@ -100,13 +95,8 @@ static int pkey_dsa_verify(EVP_PKEY_CTX *ctx,
     DSA_PKEY_CTX *dctx = ctx->data;
     DSA *dsa = ctx->pkey->pkey.dsa;
 
-    if (dctx->md) {
-        if (tbslen != (size_t)EVP_MD_size(dctx->md))
-            return 0;
-    } else {
-        if (tbslen != SHA_DIGEST_LENGTH)
-            return 0;
-    }
+    if (dctx->md != NULL && tbslen != (size_t)EVP_MD_size(dctx->md))
+        return 0;
 
     ret = DSA_verify(0, tbs, tbslen, sig, siglen, dsa);

More information about the openssl-commits mailing list