Hi,

The changes announced on Sep. 28 include an additional check in
crypto/dsa/dsa_ossl.c:

0.9.7k -> 0.9.7l, dsa_ossl.c:277, function
static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa)

    if (BN_num_bits(dsa->q) != 160)
        {
        DSAerr(DSA_F_DSA_DO_VERIFY,DSA_R_BAD_Q_VALUE);
        return -1;
        }

I have certificates with 161 bits in q. Is it okay to extend the check
to also accept 161-bit values? (In my case it helps me to get the
verification back to work.)

The certificate has been generated by SAP R/3, possibly an older version
using a Secude library.

What about other values for the size of q? Could it be that tomorrow
somebody wants me to accept 162-bit or 320-bit values? Theoretically possible?

What's the risk when I remove the check? What is it good for?

Thanks for any hints

Robert

________________________________________________________

Robert Lill
Engineering Archive + Storage
Security Consultant

IXOS, an OpenText Company
Werner-von-Siemens-Ring 20
85630 Grasbrunn
GERMANY

Phone: +49-89-4629-1526
Telefax: +49-89-4629-33-1526
eMail: mailto:reiglmai@opentext.com
Internet: http://www.opentext.com
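The check quoted above refuses any q that is not exactly 160 bits; the broader sanity check it is a narrow form of, as an added example that is neither the post's nor OpenSSL's code: validate_dsa_params() makes the accepted q sizes an explicit policy and also verifies the algebraic relations a DSA verifier relies on (q prime, q | p-1, p prime, g of order q), while make_params() is a toy generator used only to build constructed inputs, including a 161-bit q like the one the post describes. All names here are assumed; the code is pure Python and needs no libcrypto.

```python
import random  # stdlib only: added example, not code from the post or from OpenSSL

def is_probable_prime(n, rounds=32):
    """Miller-Rabin probable-prime test; adequate for vetting untrusted parameters."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def validate_dsa_params(p, q, g, allowed_q_bits=(160,)):
    """Return None if (p, q, g) are usable, else the reason; allowed_q_bits is the policy knob."""
    if q.bit_length() not in allowed_q_bits:
        return "q has %d bits, not in %s" % (q.bit_length(), allowed_q_bits)
    if not is_probable_prime(q):
        return "q is not prime"
    if (p - 1) % q != 0:
        return "q does not divide p-1"
    if not is_probable_prime(p):
        return "p is not prime"
    if not 1 < g < p or pow(g, q, p) != 1:
        return "g is not a generator of the order-q subgroup"
    return None

def make_params(q_bits, p_bits):
    """Toy parameter generator (constructed test input, not the FIPS 186 procedure):
    prime q of exactly q_bits, prime p = 1 (mod 2q) of p_bits, g of order q."""
    while True:
        q = random.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1  # force size, odd
        if not is_probable_prime(q):
            continue
        for _ in range(4 * p_bits):
            x = random.getrandbits(p_bits) | (1 << (p_bits - 1))
            p = x - x % (2 * q) + 1                 # p = 1 (mod 2q), so q | p-1
            if p.bit_length() == p_bits and is_probable_prime(p):
                g = pow(2, (p - 1) // q, p)        # 2^((p-1)/q) has order q unless it is 1
                if g > 1:
                    return p, q, g
```

With the default policy a 161-bit q is refused exactly as in 0.9.7l; passing allowed_q_bits=(160, 161) is what "extending the check" amounts to, and the remaining tests still reject parameters whose structure is wrong.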


______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List openssl-dev@openssl.org
Automated List Manager majordomo@openssl.org