diff options
| author | Theo Buehler <tb@cvs.openbsd.org> | 2023-03-11 15:29:04 +0000 |
|---|---|---|
| committer | Theo Buehler <tb@cvs.openbsd.org> | 2023-03-11 15:29:04 +0000 |
| commit | 57c815c8dcfe47595dc401bf0e72f25c0f752d2a (patch) | |
| tree | 5a9cc599a0cda38ab08b5856119cba8fd651717b /lib/libcrypto/dsa | |
| parent | 9b8245fc3a5383e3758568cd1d4a549a5ad57d33 (diff) | |
Fix an off-by-one in dsa_check_key()
The private key is a random number in [1, q-1], so 1 must be allowed.
Since q is at least an 160-bit prime and 2^159 + 1 is not prime (159
is not a power of 2), the probability that this is hit is < 2^-159,
but a tiny little bit wrong is still wrong.
Found while investigating a report by bluhm
ok jsing
Diffstat (limited to 'lib/libcrypto/dsa')
| -rw-r--r-- | lib/libcrypto/dsa/dsa_lib.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/libcrypto/dsa/dsa_lib.c b/lib/libcrypto/dsa/dsa_lib.c index 1a6ca54da12..6986f9ad6ba 100644 --- a/lib/libcrypto/dsa/dsa_lib.c +++ b/lib/libcrypto/dsa/dsa_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: dsa_lib.c,v 1.41 2023/03/07 09:27:10 jsing Exp $ */ +/* $OpenBSD: dsa_lib.c,v 1.42 2023/03/11 15:29:03 tb Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -487,7 +487,7 @@ dsa_check_key(const DSA *dsa) /* The private key must be nonzero and in GF(q). */ if (dsa->priv_key != NULL) { - if (BN_cmp(dsa->priv_key, BN_value_one()) <= 0 || + if (BN_cmp(dsa->priv_key, BN_value_one()) < 0 || BN_cmp(dsa->priv_key, dsa->q) >= 0) { DSAerror(DSA_R_INVALID_PARAMETERS); return 0; |