diff --git a/CHANGES b/CHANGES
index b5a1a0d9f2..519aad60d6 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+2215.	[bug]		Bad REQUIRE check isc_hmacsha1_verify(). [RT #17094]
+
 2214.	[bug]		Deregister OpenSSL lock callback when cleaning
 			up.  Reorder OpenSSL cleanup so that RAND_cleanup()
 			is called before the locks are destroyed. [RT #17098]
diff --git a/lib/isc/hmacsha.c b/lib/isc/hmacsha.c
index 092386ffc1..dfcd8bf5a9 100644
--- a/lib/isc/hmacsha.c
+++ b/lib/isc/hmacsha.c
@@ -14,7 +14,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: hmacsha.c,v 1.7 2007/06/19 23:47:17 tbox Exp $ */
+/* $Id: hmacsha.c,v 1.8 2007/08/27 03:27:53 marka Exp $ */
 
 /*
  * This code implements the HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384
@@ -112,7 +112,7 @@ isc_boolean_t
 isc_hmacsha1_verify(isc_hmacsha1_t *ctx, unsigned char *digest, size_t len) {
 	unsigned char newdigest[ISC_SHA1_DIGESTLENGTH];
 
-	REQUIRE(len <= ISC_SHA1_BLOCK_LENGTH);
+	REQUIRE(len <= ISC_SHA1_DIGESTLENGTH);
 	isc_hmacsha1_sign(ctx, newdigest, ISC_SHA1_DIGESTLENGTH);
 	return (ISC_TF(memcmp(digest, newdigest, len) == 0));
 }