github.com/openssl/openssl.git
author: Matt Caswell <matt@openssl.org> 2018-05-17 14:53:07 +0300
committer: Matt Caswell <matt@openssl.org> 2018-05-24 19:26:03 +0300
commit: a0abb6a10f4c5fc6dd20c487aa0db085fbfb3562
tree: 711cca97bea1c2b1a25d66496c246e1592332282 /CHANGES
parent: 07824f304a220ea09ec369bad60f4fcfd01d5d14
Add a sanity check on the length of pkeyutl inputs

When signing or verifying a file using pkeyutl the input is supposed to be a hash. Some algorithms sanity check the length of the input, while others don't and silently truncate. To avoid accidents we check that the length of the input looks sane.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6284)

Diffstat (limited to 'CHANGES')
-rw-r--r-- CHANGES 4
1 files changed, 4 insertions, 0 deletions
diff --git a/CHANGES b/CHANGES
index 612da599b1..7a478521c1 100644
--- a/CHANGES
+++ b/CHANGES
@@ -8,6 +8,10 @@
release branch.
Changes between 1.1.0h and 1.1.1 [xx XXX xxxx]
+ *) Enforce checking in the pkeyutl command line app to ensure that the input
+ length does not exceed the maximum supported digest length when performing
+ a sign, verify or verifyrecover operation.
+ [Matt Caswell]
*) SSL_MODE_AUTO_RETRY is enabled by default. Applications that use blocking
I/O in combination with something like select() or poll() will hang. This
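
Review bot: The added CHANGES entry (the four `+` lines under "Changes between 1.1.0h and 1.1.1") says the input length is checked against the maximum supported digest length, but it does not say what pkeyutl does when the input is longer, nor that the input to sign, verify and verifyrecover is expected to be a hash already. The commit message notes that some algorithms previously truncated over-long input silently, so anyone who was passing a whole file to these operations will see a behaviour change. The entry should state the outcome for over-long input and that the data must be a digest, so the reason for the new check is clear from CHANGES alone. The opening "Enforce checking ... to ensure that" could also be tightened to a single verb, for example "Check in the pkeyutl command line app that the input length does not exceed ...".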