DSA verification should insist that r and s are in the allowed range.
authorBodo Möller <bodo@openssl.org>
Tue, 26 Jun 2001 09:48:17 +0000 (09:48 +0000)
committerBodo Möller <bodo@openssl.org>
Tue, 26 Jun 2001 09:48:17 +0000 (09:48 +0000)
CHANGES
crypto/dsa/dsa_ossl.c

diff --git a/CHANGES b/CHANGES
index d85f349..c039034 100644 (file)
--- a/CHANGES
+++ b/CHANGES
          *) applies to 0.9.6a (/0.9.6b) and 0.9.7
          +) applies to 0.9.7 only
 
+  *) In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are
+     positive and less than q.
+     [Bodo Moeller]
+
   +) Enhance the general user interface with mechanisms for inner control
      and with pssibilities to have yes/no kind of prompts.
      [Richard Levitte]
index f91a3a9..7a5adc6 100644 (file)
@@ -246,6 +246,17 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
        BN_init(&u2);
        BN_init(&t1);
 
+       if (BN_is_zero(sig->r) || sig->r->neg || BN_ucmp(sig->r, dsa->q) >= 0)
+               {
+               ret = 0;
+               goto err;
+               }
+       if (BN_is_zero(sig->s) || sig->s->neg || BN_ucmp(sig->s, dsa->q) >= 0)
+               {
+               ret = 0;
+               goto err;
+               }
+
        /* Calculate W = inv(S) mod Q
         * save W in u2 */
        if ((BN_mod_inverse(&u2,sig->s,dsa->q,ctx)) == NULL) goto err;