From 9fa57863403fca76101b5c144deb618cc30889d4 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Bodo=20M=C3=B6ller?= <bodo@openssl.org>
Date: Tue, 26 Jun 2001 09:48:56 +0000
Subject: [PATCH] DSA verification should insist that r and s are in the
 allowed range.

---
 CHANGES               |  4 ++++
 crypto/dsa/dsa_ossl.c | 11 +++++++++++
 2 files changed, 15 insertions(+)

diff --git a/CHANGES b/CHANGES
index 7b324389b8..748f0f8654 100644
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 
  Changes between 0.9.6a and 0.9.6b  [XX xxx XXXX]
 
+  *) In dsa_do_verify (crypto/dsa/dsa_ossl.c), verify that r and s are
+     positive and less than q.
+     [Bodo Moeller]
+
   *) Don't change *pointer in CRYPTO_add_lock() is add_lock_callback is
      used: it isn't thread safe and the add_lock_callback should handle
      that itself.
diff --git a/crypto/dsa/dsa_ossl.c b/crypto/dsa/dsa_ossl.c
index 331d176d66..cac42c362d 100644
--- a/crypto/dsa/dsa_ossl.c
+++ b/crypto/dsa/dsa_ossl.c
@@ -240,6 +240,17 @@ static int dsa_do_verify(const unsigned char *dgst, int dgst_len, DSA_SIG *sig,
 	BN_init(&u2);
 	BN_init(&t1);
 
+	if (BN_is_zero(sig->r) || sig->r->neg || BN_ucmp(sig->r, dsa->q) >= 0)
+		{
+		ret = 0;
+		goto err;
+		}
+	if (BN_is_zero(sig->s) || sig->s->neg || BN_ucmp(sig->s, dsa->q) >= 0)
+		{
+		ret = 0;
+		goto err;
+		}
+
 	/* Calculate W = inv(S) mod Q
 	 * save W in u2 */
 	if ((BN_mod_inverse(&u2,sig->s,dsa->q,ctx)) == NULL) goto err;
-- 
2.25.1