summaryrefslogtreecommitdiff
path: root/lib/libcrypto/dsa
diff options
context:
space:
mode:
authorMiod Vallat <miod@cvs.openbsd.org>2015-09-10 18:12:56 +0000
committerMiod Vallat <miod@cvs.openbsd.org>2015-09-10 18:12:56 +0000
commit49570d7ab26986d50e68f2af3044176bba1a1878 (patch)
tree424d60909e639124931c97c9b7c2cd28544ab4e6 /lib/libcrypto/dsa
parent9e5345612d31eae6cfba6cf4defb425cec71df86 (diff)
When loading a DSA key from an raw (without DH parameters) ASN.1 serialization,
perform some consistency checks on its `p' and `q' values, and return an error if the checks failed. Thanks for Georgi Guninski (guninski at guninski dot com) for mentioning the possibility of a weak (non prime) q value and providing a test case. See https://cpunks.org/pipermail/cypherpunks/2015-September/009007.html for a longer discussion. ok bcook@ beck@
Diffstat (limited to 'lib/libcrypto/dsa')
-rw-r--r--lib/libcrypto/dsa/dsa_ameth.c50
1 files changed, 48 insertions, 2 deletions
diff --git a/lib/libcrypto/dsa/dsa_ameth.c b/lib/libcrypto/dsa/dsa_ameth.c
index b9ee49f0559..9bef6e5a13e 100644
--- a/lib/libcrypto/dsa/dsa_ameth.c
+++ b/lib/libcrypto/dsa/dsa_ameth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_ameth.c,v 1.17 2015/02/14 15:11:22 miod Exp $ */
+/* $OpenBSD: dsa_ameth.c,v 1.18 2015/09/10 18:12:55 miod Exp $ */
/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
* project 2006.
*/
@@ -519,13 +519,59 @@ static int
old_dsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen)
{
DSA *dsa;
+ BN_CTX *ctx = NULL;
+ BIGNUM *j, *p1, *newp1;
- if (!(dsa = d2i_DSAPrivateKey (NULL, pder, derlen))) {
+ if (!(dsa = d2i_DSAPrivateKey(NULL, pder, derlen))) {
DSAerr(DSA_F_OLD_DSA_PRIV_DECODE, ERR_R_DSA_LIB);
return 0;
}
+
+ ctx = BN_CTX_new();
+ if (ctx == NULL)
+ goto err;
+
+ /*
+ * Check that p and q are consistent with each other.
+ */
+
+ j = BN_CTX_get(ctx);
+ p1 = BN_CTX_get(ctx);
+ newp1 = BN_CTX_get(ctx);
+ if (j == NULL || p1 == NULL || newp1 == NULL)
+ goto err;
+ /* p1 = p - 1 */
+ if (BN_sub(p1, dsa->p, BN_value_one()) == 0)
+ goto err;
+ /* j = (p - 1) / q */
+ if (BN_div(j, NULL, p1, dsa->q, ctx) == 0)
+ goto err;
+ /* q * j should == p - 1 */
+ if (BN_mul(newp1, dsa->q, j, ctx) == 0)
+ goto err;
+ if (BN_cmp(newp1, p1) != 0) {
+ DSAerr(DSA_F_DSA_PARAM_DECODE, DSA_R_BAD_Q_VALUE);
+ goto err;
+ }
+
+ /*
+ * Check that q is not a composite number.
+ */
+
+ if (BN_is_prime_ex(dsa->q, BN_prime_checks, ctx, NULL) == 0) {
+ DSAerr(DSA_F_DSA_PARAM_DECODE, DSA_R_BAD_Q_VALUE);
+ goto err;
+ }
+
+ BN_CTX_free(ctx);
+
EVP_PKEY_assign_DSA(pkey, dsa);
return 1;
+
+err:
+ BN_CTX_free(ctx);
+ DSA_free(dsa);
+ return 0;
}
static int