Commit 665d9d1c authored by Bryan Donlan's avatar Bryan Donlan Committed by Andy Polyakov

Remove DSA digest length checks when no digest is passed



FIPS 186-4 does not specify a hard requirement on DSA digest lengths,
and in any case the current check rejects the FIPS recommended digest
lengths for key sizes != 1024 bits.

Fixes: #6748

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
Reviewed-by: default avatarAndy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6749)
parent bd93f1ac
+4 −14
@@ -77,13 +77,8 @@ static int pkey_dsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig,
    DSA_PKEY_CTX *dctx = ctx->data;
    DSA *dsa = ctx->pkey->pkey.dsa;

    if (dctx->md) {
        if (tbslen != (size_t)EVP_MD_size(dctx->md))
    if (dctx->md != NULL && tbslen != (size_t)EVP_MD_size(dctx->md))
        return 0;
    } else {
        if (tbslen != SHA_DIGEST_LENGTH)
            return 0;
    }

    ret = DSA_sign(0, tbs, tbslen, sig, &sltmp, dsa);

@@ -101,13 +96,8 @@ static int pkey_dsa_verify(EVP_PKEY_CTX *ctx,
    DSA_PKEY_CTX *dctx = ctx->data;
    DSA *dsa = ctx->pkey->pkey.dsa;

    if (dctx->md) {
        if (tbslen != (size_t)EVP_MD_size(dctx->md))
    if (dctx->md != NULL && tbslen != (size_t)EVP_MD_size(dctx->md))
        return 0;
    } else {
        if (tbslen != SHA_DIGEST_LENGTH)
            return 0;
    }

    ret = DSA_verify(0, tbs, tbslen, sig, siglen, dsa);
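Review bot: With the `else` branch removed, pkey_dsa_sign and pkey_dsa_verify put no bound on `tbslen` when `dctx->md` is NULL, and the `size_t` value is passed straight to DSA_sign/DSA_verify, which take the digest length as an `int`. A guard ahead of each call, such as `if (tbslen > INT_MAX) return 0;`, would reject an oversized length instead of letting it be narrowed. Both checks would also benefit from a comment such as `/* No md set: tbs is treated as an already-computed digest of any length; the caller must hash first. */`. The reason is that the DSA layer presumably uses only the leftmost bits up to the size of q, so raw, unhashed input that differs only past that point would be covered by the same signature; this should be confirmed against the DSA implementation, which is not shown here. Both function bodies start and end outside the hunks shown.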