From: Dr. Stephen Henson <steve@openssl.org>
Date: Thu, 30 Apr 2015 13:16:07 +0000 (+0100)
Subject: Add DSA digest length checks.
X-Git-Tag: OpenSSL_1_1_0-pre1~792
X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=9d04f83410ac052aecf7a3031ad20f5237c02014;hp=9b86974e0c705ea321ddbc9a9d8562c894809e5b

Add DSA digest length checks.

Reviewed-by: Ben Laurie <ben@openssl.org>
---

diff --git a/crypto/dsa/dsa_pmeth.c b/crypto/dsa/dsa_pmeth.c
index 594583ffc8..1adab4f8ec 100644
--- a/crypto/dsa/dsa_pmeth.c
+++ b/crypto/dsa/dsa_pmeth.c
@@ -125,10 +125,15 @@ static int pkey_dsa_sign(EVP_PKEY_CTX *ctx, unsigned char *sig,
     DSA_PKEY_CTX *dctx = ctx->data;
     DSA *dsa = ctx->pkey->pkey.dsa;
 
-    if (dctx->md)
+    if (dctx->md) {
+        if (tbslen != (size_t)EVP_MD_size(dctx->md))
+            return 0;
         type = EVP_MD_type(dctx->md);
-    else
+    } else {
+        if (tbslen != SHA_DIGEST_LENGTH)
+            return 0;
         type = NID_sha1;
+    }
 
     ret = DSA_sign(type, tbs, tbslen, sig, &sltmp, dsa);
 
@@ -146,10 +151,15 @@ static int pkey_dsa_verify(EVP_PKEY_CTX *ctx,
     DSA_PKEY_CTX *dctx = ctx->data;
     DSA *dsa = ctx->pkey->pkey.dsa;
 
-    if (dctx->md)
+    if (dctx->md) {
+        if (tbslen != (size_t)EVP_MD_size(dctx->md))
+            return 0;
         type = EVP_MD_type(dctx->md);
-    else
+    } else {
+        if (tbslen != SHA_DIGEST_LENGTH)
+            return 0;
         type = NID_sha1;
+    }
 
     ret = DSA_verify(type, tbs, tbslen, sig, siglen, dsa);