File libgcrypt-fipsdrv-enable-algo-for-dsa-verify.patch of Package libgcrypt.14176

--- libgcrypt-1.6.1-orig/tests/fipsdrv.c	2017-10-20 10:39:56.080098385 +0000
+++ libgcrypt-1.6.1-orig/tests/fipsdrv.c	2017-10-20 10:41:15.780098385 +0000
@@ -2288,7 +2288,7 @@ run_dsa_sign (const void *data, size_t d
    S-expression in KEYFILE against the S-expression formatted
    signature in SIGFILE.  */
 static void
-run_dsa_verify (const void *data, size_t datalen,
+run_dsa_verify (const void *data, size_t datalen, int hashalgo,
                 const char *keyfile, const char *sigfile)
 
 {
@@ -2297,15 +2297,23 @@ run_dsa_verify (const void *data, size_t
   char hash[128];
   gcry_mpi_t tmpmpi;
   int algo;
+  int algo_len;
+  int hashalgo_len;
 
   s_key = read_sexp_from_file (keyfile);
   algo = dsa_hash_from_key(s_key);
 
-  gcry_md_hash_buffer (algo, hash, data, datalen);
+  algo_len = gcry_md_get_algo_dlen(algo);
+  hashalgo_len = gcry_md_get_algo_dlen(hashalgo);
+
+  if (hashalgo_len < algo_len)
+  algo_len = hashalgo_len;
+
+  gcry_md_hash_buffer (hashalgo, hash, data, datalen);
   /* Note that we can't simply use %b with HASH to build the
      S-expression, because that might yield a negative value.  */
   err = gcry_mpi_scan (&tmpmpi, GCRYMPI_FMT_USG, hash,
-                       gcry_md_get_algo_dlen(algo), NULL);
+                       algo_len, NULL);
   if (!err)
     {
       err = gcry_sexp_build (&s_data, NULL,
@@ -3011,10 +3019,17 @@ main (int argc, char **argv)
     }
   else if (!strcmp (mode_string, "dsa-verify"))
     {
+      int algo;
+
       if (!key_string)
         die ("option --key is required in this mode\n");
       if (access (key_string, R_OK))
         die ("option --key needs to specify an existing keyfile\n");
+      if (!algo_string)
+        die ("option --algo is required in this mode\n");
+      algo = gcry_md_map_name (algo_string);
+      if (!algo)
+        die ("digest algorithm `%s' is not supported\n", algo_string); 
       if (!data)
         die ("no data available (do not use --chunk)\n");
       if (!signature_string)
@@ -3022,7 +3037,7 @@ main (int argc, char **argv)
       if (access (signature_string, R_OK))
         die ("option --signature needs to specify an existing file\n");
 
-      run_dsa_verify (data, datalen, key_string, signature_string);
+      run_dsa_verify (data, datalen, algo, key_string, signature_string);
     }
   else if (!strcmp (mode_string, "ecdsa-gen-key"))
     {
openSUSE Build Service is sponsored by