DSA verification should insist that r and s are in the allowed range.

2025-01-18 13:44:20 +08:00 · 2001-06-26 09:48:17 +00:00 · 2001-06-26 09:48:17 +00:00 · c458a33196
commit c458a33196
parent 7953b8ff1b
2 changed files with 15 additions and 0 deletions
--- a/4
+++ b/4
@ -11,6 +11,10 @@
         *) applies to 0.9.6a (/0.9.6b) and 0.9.7
         +) applies to 0.9.7 only

+  *) In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are
+     positive and less than q.
+     [Bodo Moeller]
+
  +) Enhance the general user interface with mechanisms for inner control
     and with pssibilities to have yes/no kind of prompts.
     [Richard Levitte]
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@ -246,6 +246,17 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
 	BN_init(&u2);
 	BN_init(&t1);

+	if (BN_is_zero(sig->r) || sig->r->neg || BN_ucmp(sig->r, dsa->q) >= 0)
+		{
+		ret = 0;
+		goto err;
+		}
+	if (BN_is_zero(sig->s) || sig->s->neg || BN_ucmp(sig->s, dsa->q) >= 0)
+		{
+		ret = 0;
+		goto err;
+		}
+
 	/* Calculate W = inv(S) mod Q
 	 * save W in u2 */
 	if ((BN_mod_inverse(&u2,sig->s,dsa->q,ctx)) == NULL) goto err;