Hi,
The changes announced on Sep. 28 include an additional check in
crypto/dsa/dsa_ossl.c:
0.9.7k -> 0.9.7l, dsa_ossl.c:277, in
static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa):

    if (BN_num_bits(dsa->q) != 160)
        {
        DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_BAD_Q_VALUE);
        return -1;
        }
I have certificates with 161 bits in q. Is it okay to extend the check
to also accept 161-bit values? (In my case it helps me to get the
verification back to work.)
The certificate has been generated by SAP R/3, possibly an older version
using a Secude-library.
What about other values for the size of q? Could it be that tomorrow
somebody wants me to accept 162-bit or 320-bit values? Theoretically possible?
What's the risk when I remove the check? What is it good for?
Thanks for any hints
Robert
________________________________________________________
Robert Lill
Engineering Archive + Storage
Security Consultant
IXOS, an OpenText Company
Werner-von-Siemens-Ring 20
85630 Grasbrunn
GERMANY
Phone: +49-89-4629-1526
Telefax: +49-89-4629-33-1526
eMail: mailto:[EMAIL PROTECTED]
Internet: http://www.opentext.com
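Added example, not OpenSSL's code and not from the poster: a pure-Python toy DSA that places the q-size check where the quoted 0.9.7l snippet places it, at the very top of verification, before any modular exponentiation is done with attacker-supplied parameters, and returns 1/0/-1 the way dsa_do_verify does. The `allowed_q_bits` parameter is hypothetical and stands in for the `!= 160` literal the question is about, so one can see exactly what relaxing it to 161 changes and what it does not. The 256-bit p, the SHA-1 digest and the FIPS 186-3 rule of truncating the digest to the leftmost N bits when q is shorter than the digest are assumptions of this example; the parameter sizes are toy sizes chosen for speed, not secure ones, and the message is constructed.

```python
"""Toy DSA with the q-size check in the position OpenSSL 0.9.7l puts it.

Added example: not OpenSSL code. Parameter sizes are toy sizes (p = 256 bits)
and are NOT secure; they only keep pure-Python key generation fast.
"""
import hashlib
import random


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin probabilistic primality test (good enough for a demo)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(p_bits, q_bits, rng):
    """Generate (p, q, g) with q | p - 1; the caller picks the size of q."""
    while True:
        q = rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        if is_probable_prime(q, rng):
            break
    while True:
        # p = k*q + 1; k even so p is odd, top bit set so p has p_bits bits.
        k = (rng.getrandbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))) & ~1
        p = k * q + 1
        if p.bit_length() == p_bits and is_probable_prime(p, rng):
            break
    while True:
        h = rng.randrange(2, p - 1)
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return p, q, g


def keygen(params, rng):
    """Private x in [1, q-1], public y = g^x mod p."""
    p, q, g = params
    x = rng.randrange(1, q)
    return x, pow(g, x, p)


def hash_to_int(msg, q):
    """SHA-1 digest as an integer; if q has fewer bits than the digest, keep
    only the leftmost N bits (FIPS 186-3 convention, assumed here)."""
    digest = hashlib.sha1(msg).digest()
    e = int.from_bytes(digest, "big")
    excess = 8 * len(digest) - q.bit_length()
    return e >> excess if excess > 0 else e


def sign(params, x, msg, rng):
    """Standard DSA signature (r, s)."""
    p, q, g = params
    e = hash_to_int(msg, q)
    while True:
        k = rng.randrange(1, q)
        r = pow(g, k, p) % q
        s = pow(k, -1, q) * (e + x * r) % q
        if r != 0 and s != 0:
            return r, s


def verify(params, y, msg, sig, allowed_q_bits=(160,)):
    """Return 1 (good), 0 (bad signature) or -1 (error), like dsa_do_verify.

    The first statement mirrors the 0.9.7l check: a q of an unexpected size is
    rejected before any pow() with the supplied p, g and y runs. allowed_q_bits
    is the hypothetical knob standing in for the hard-coded 160.
    """
    p, q, g = params
    if q.bit_length() not in allowed_q_bits:
        return -1  # corresponds to DSA_R_BAD_Q_VALUE
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return 0
    w = pow(s, -1, q)
    e = hash_to_int(msg, q)
    u1 = e * w % q
    u2 = r * w % q
    v = (pow(g, u1, p) * pow(y, u2, p) % p) % q
    return 1 if v == r else 0


def demo(q_bits, allowed=(160,), seed=1):
    """Sign a constructed message with a q of q_bits bits and verify it twice:
    once as signed and once tampered. Returns the two verify() results."""
    rng = random.Random(seed)
    params = gen_params(256, q_bits, rng)  # toy p size, not secure
    x, y = keygen(params, rng)
    msg = b"constructed test message"
    sig = sign(params, x, msg, rng)
    return verify(params, y, msg, sig, allowed), verify(params, y, msg + b"!", sig, allowed)


if __name__ == "__main__":
    print("160-bit q, default check:", demo(160))          # (1, 0)
    print("161-bit q, default check:", demo(161))          # (-1, -1)
    print("161-bit q, check relaxed:", demo(161, (160, 161)))  # (1, 0)
```

With the check as shipped, a 161-bit q never reaches the signature math: both the genuine and the tampered message come back -1. Relaxing `allowed_q_bits` to (160, 161) makes the 161-bit certificate verify again while keeping every other q size out, which is a narrower change than deleting the check, whose job is to reject unexpected q values before the cost of the modular exponentiations is paid.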
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]