Hi,

the changes announced on Sep. 28 include an additional check in crypto/dsa/dsa_ossl.c:

0.9.7k -> 0.9.7l, dsa_ossl.c:277, function

    static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig, DSA *dsa)

        if (BN_num_bits(dsa->q) != 160)
            {
            DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE);
            return -1;
            }

I have certificates with 161 bits in q. Is it okay to extend the check to also accept 161-bit values? (In my case it helps me to get the verification back to work.)

The certificate has been generated by SAP R/3, possibly an older version using a Secude library.

What about other values for the size of q? Could it be that tomorrow somebody wants me to accept 162-bit or 320-bit? Theoretically possible?

What's the risk when I remove the check? What is it good for?

Thanks for any hints,
Robert

________________________________________________________
Robert Lill
Engineering Archive + Storage
Security Consultant
IXOS, an OpenText Company
Werner-von-Siemens-Ring 20
85630 Grasbrunn
GERMANY
Phone: +49-89-4629-1526
Telefax: +49-89-4629-33-1526
eMail: mailto:[EMAIL PROTECTED]
Internet: http://www.opentext.com

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
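An added example (not the poster's code nor OpenSSL's), written in Python rather than the C of dsa_ossl.c: the q bit-length test the post quotes, placed next to the other structural checks a verifier can make on (p, q, g) before it does any exponentiation. The accepted q sizes are a parameter, and the (p=23, q=11, g=4) triple is a constructed toy so the code runs offline.

```python
# Added example, not the poster's code nor OpenSSL's: structural checks on
# DSA parameters (p, q, g). The q bit-length test mirrors the 160-bit check
# quoted from dsa_do_verify(); accepted sizes are a parameter so the
# constructed toy triple p=23, q=11, g=4 can exercise it offline.
MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n):
    """Miller-Rabin with fixed small bases: deterministic below 3.3e24,
    a strong probabilistic test above (enough for a parameter sanity check)."""
    if n < 2:
        return False
    for b in MR_BASES:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def check_dsa_params(p, q, g, allowed_q_bits):
    """Return a list of problems; empty means (p, q, g) passed.
    allowed_q_bits plays the role of the hard-coded 160 in the post: the
    size of q bounds the exponents used in verification (they are reduced
    mod q), so an unexpected q size means unexpected work per signature."""
    problems = []
    if q.bit_length() not in allowed_q_bits:
        problems.append("q is %d bits, expected one of %s"
                        % (q.bit_length(), sorted(allowed_q_bits)))
    if not is_probable_prime(q):
        problems.append("q is not prime")
    if not is_probable_prime(p):
        problems.append("p is not prime")
    if (p - 1) % q != 0:
        problems.append("q does not divide p-1")
    if not 1 < g < p:
        problems.append("g is out of range")
    elif pow(g, q, p) != 1:
        problems.append("g does not have order q")
    return problems
```

With real parameters the allowed set would be whatever the deployment has decided to trust (the post's 160, or 160 plus 161 if the SAP-generated keys are accepted deliberately), and every entry on the returned list is a reason to refuse the key rather than a reason to widen the check.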