The changes announced on Sep. 28 include an additional check in

0.9.7k -> 0.9.7l, dsa_ossl.c:277, function static int dsa_do_verify(
const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa)

if (BN_num_bits(dsa->q) != 160)
    return -1;

I have certificates with 161 bits in q. Is it okay to extend the check
to also accept 161-bit values? (In my case it helps me to get the
back to work.)

The certificate has been generated by SAP R/3, possibly an older version
using a Secude-library.

What about other values for the size of q? Could it be that tomorrow
wants me to accept 162-bit or 320-bit? Theoretically possible?

What's the risk when I remove the check? What is it good for?

Thanks for any hints


Robert Lill
Engineering Archive + Storage
Security Consultant

IXOS, an OpenText Company
Werner-von-Siemens-Ring 20
85630 Grasbrunn

Phone: +49-89-4629-1526
Telefax: +49-89-4629-33-1526
eMail: mailto:reiglmai@opentext.com
Internet: http://www.opentext.com
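The check quoted above, mirrored in a small Python example added here (not OpenSSL's code): constructed toy DSA parameters with a 160-bit and a 161-bit q are run through the size rule together with the other cheap domain-parameter checks a verifier can apply before doing any costly modular exponentiation. The function names, seeds and the 512-bit p (far smaller than a real key) are my own assumptions for the demonstration.

```python
import random
def is_probable_prime(n, rounds=32):
    """Miller-Rabin with random bases; adequate for a demo, not a library replacement."""
    if n < 31:
        return n in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)
    if any(n % s == 0 for s in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29)):
        return False
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_dsa_params(q_bits, p_bits, seed=1):
    """Constructed toy parameters: prime q of exactly q_bits, prime p = k*q + 1, g of order q."""
    rng = random.Random(seed)  # seeded so the constructed parameters are reproducible
    while True:
        q = rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1  # force exact size and oddness
        if is_probable_prime(q):
            break
    while True:
        k = (rng.getrandbits(p_bits - q_bits) | (1 << (p_bits - q_bits - 1))) & ~1  # even k keeps p odd
        p = k * q + 1
        if p.bit_length() == p_bits and is_probable_prime(p):
            break
    while True:
        g = pow(rng.randrange(2, p - 1), (p - 1) // q, p)  # h^((p-1)/q) has order q unless it is 1
        if g > 1:
            return p, q, g

def check_dsa_verify_params(p, q, g):
    """Cheap checks before the costly exponentiations in verification; returns (ok, reason)."""
    if q.bit_length() != 160:  # the rule added in 0.9.7l, quoted above; 160 matches SHA-1's output
        return False, "q is %d bits, expected 160" % q.bit_length()
    if not is_probable_prime(q):
        return False, "q is not prime"
    if (p - 1) % q != 0:
        return False, "q does not divide p-1"
    if not 1 < g < p or pow(g, q, p) != 1:
        return False, "g is not a generator of the order-q subgroup"
    return True, "ok"
```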

