2 files changed, 96 insertions, 4 deletions
diff --git a/src/lib/libcrypto/dsa/dsa_ameth.c b/src/lib/libcrypto/dsa/dsa_ameth.c
index b9ee49f055..9bef6e5a13 100644
--- a/src/lib/libcrypto/dsa/dsa_ameth.c
+++ b/src/lib/libcrypto/dsa/dsa_ameth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_ameth.c,v 1.17 2015/02/14 15:11:22 miod Exp $ */
+/* $OpenBSD: dsa_ameth.c,v 1.18 2015/09/10 18:12:55 miod Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -519,13 +519,59 @@ static int
 old_dsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen)
 {
        DSA *dsa;
+        BN_CTX *ctx = NULL;
+        BIGNUM *j, *p1, *newp1;
-        if (!(dsa = d2i_DSAPrivateKey (NULL, pder, derlen))) {
+        if (!(dsa = d2i_DSAPrivateKey(NULL, pder, derlen))) {
                DSAerr(DSA_F_OLD_DSA_PRIV_DECODE, ERR_R_DSA_LIB);
                return 0;
        }
+        ctx = BN_CTX_new();
+        if (ctx == NULL)
+                goto err;
+        /*
+         * Check that p and q are consistent with each other.
+         */
+        j = BN_CTX_get(ctx);
+        p1 = BN_CTX_get(ctx);
+        newp1 = BN_CTX_get(ctx);
+        if (j == NULL || p1 == NULL || newp1 == NULL)
+                goto err;
+        /* p1 = p - 1 */
+        if (BN_sub(p1, dsa->p, BN_value_one()) == 0)
+                goto err;
+        /* j = (p - 1) / q */
+        if (BN_div(j, NULL, p1, dsa->q, ctx) == 0)
+                goto err;
+        /* q * j should == p - 1 */
+        if (BN_mul(newp1, dsa->q, j, ctx) == 0)
+                goto err;
+        if (BN_cmp(newp1, p1) != 0) {
+                DSAerr(DSA_F_DSA_PARAM_DECODE, DSA_R_BAD_Q_VALUE);
+                goto err;
+        }
+        /*
+         * Check that q is not a composite number.
+         */
+        if (BN_is_prime_ex(dsa->q, BN_prime_checks, ctx, NULL) == 0) {
+                DSAerr(DSA_F_DSA_PARAM_DECODE, DSA_R_BAD_Q_VALUE);
+                goto err;
+        }
+        BN_CTX_free(ctx);
        EVP_PKEY_assign_DSA(pkey, dsa);
        return 1;
+err:
+        BN_CTX_free(ctx);
+        DSA_free(dsa);
+        return 0;
 }
 static int
diff --git a/src/lib/libssl/src/crypto/dsa/dsa_ameth.c b/src/lib/libssl/src/crypto/dsa/dsa_ameth.c
index b9ee49f055..9bef6e5a13 100644
--- a/src/lib/libssl/src/crypto/dsa/dsa_ameth.c
+++ b/src/lib/libssl/src/crypto/dsa/dsa_ameth.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_ameth.c,v 1.17 2015/02/14 15:11:22 miod Exp $ */
+/* $OpenBSD: dsa_ameth.c,v 1.18 2015/09/10 18:12:55 miod Exp $ */
 /* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
 * project 2006.
 */
@@ -519,13 +519,59 @@ static int
 old_dsa_priv_decode(EVP_PKEY *pkey, const unsigned char **pder, int derlen)
 {
        DSA *dsa;
+        BN_CTX *ctx = NULL;
+        BIGNUM *j, *p1, *newp1;
-        if (!(dsa = d2i_DSAPrivateKey (NULL, pder, derlen))) {
+        if (!(dsa = d2i_DSAPrivateKey(NULL, pder, derlen))) {
                DSAerr(DSA_F_OLD_DSA_PRIV_DECODE, ERR_R_DSA_LIB);
                return 0;
        }
+        ctx = BN_CTX_new();
+        if (ctx == NULL)
+                goto err;
+        /*
+         * Check that p and q are consistent with each other.
+         */
+        j = BN_CTX_get(ctx);
+        p1 = BN_CTX_get(ctx);
+        newp1 = BN_CTX_get(ctx);
+        if (j == NULL || p1 == NULL || newp1 == NULL)
+                goto err;
+        /* p1 = p - 1 */
+        if (BN_sub(p1, dsa->p, BN_value_one()) == 0)
+                goto err;
+        /* j = (p - 1) / q */
+        if (BN_div(j, NULL, p1, dsa->q, ctx) == 0)
+                goto err;
+        /* q * j should == p - 1 */
+        if (BN_mul(newp1, dsa->q, j, ctx) == 0)
+                goto err;
+        if (BN_cmp(newp1, p1) != 0) {
+                DSAerr(DSA_F_DSA_PARAM_DECODE, DSA_R_BAD_Q_VALUE);
+                goto err;
+        }
+        /*
+         * Check that q is not a composite number.
+         */
+        if (BN_is_prime_ex(dsa->q, BN_prime_checks, ctx, NULL) == 0) {
+                DSAerr(DSA_F_DSA_PARAM_DECODE, DSA_R_BAD_Q_VALUE);
+                goto err;
+        }
+        BN_CTX_free(ctx);
        EVP_PKEY_assign_DSA(pkey, dsa);
        return 1;
+err:
+        BN_CTX_free(ctx);
+        DSA_free(dsa);
+        return 0;
 }
 static int

diff --git a/src/lib/libcrypto/dsa/dsa_ameth.c b/src/lib/libcrypto/dsa/dsa_ameth.c index b9ee49f055..9bef6e5a13 100644 --- a/src/lib/libcrypto/dsa/dsa_ameth.c +++ b/src/lib/libcrypto/dsa/dsa_ameth.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: dsa_ameth.c,v 1.17 2015/02/14 15:11:22 miod Exp $ */	1	/* $OpenBSD: dsa_ameth.c,v 1.18 2015/09/10 18:12:55 miod Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2006.	3	* project 2006.
4	*/	4	*/
@@ -519,13 +519,59 @@ static int
519	old_dsa_priv_decode(EVP_PKEY pkey, const unsigned char *pder, int derlen)	519	old_dsa_priv_decode(EVP_PKEY pkey, const unsigned char *pder, int derlen)
520	{	520	{
521	DSA *dsa;	521	DSA *dsa;
		522	BN_CTX *ctx = NULL;
		523	BIGNUM j, p1, *newp1;
522		524
523	if (!(dsa = d2i_DSAPrivateKey (NULL, pder, derlen))) {	525	if (!(dsa = d2i_DSAPrivateKey(NULL, pder, derlen))) {
524	DSAerr(DSA_F_OLD_DSA_PRIV_DECODE, ERR_R_DSA_LIB);	526	DSAerr(DSA_F_OLD_DSA_PRIV_DECODE, ERR_R_DSA_LIB);
525	return 0;	527	return 0;
526	}	528	}
		529
		530	ctx = BN_CTX_new();
		531	if (ctx == NULL)
		532	goto err;
		533
		534	/*
		535	* Check that p and q are consistent with each other.
		536	*/
		537
		538	j = BN_CTX_get(ctx);
		539	p1 = BN_CTX_get(ctx);
		540	newp1 = BN_CTX_get(ctx);
		541	if (j == NULL \|\| p1 == NULL \|\| newp1 == NULL)
		542	goto err;
		543	/* p1 = p - 1 */
		544	if (BN_sub(p1, dsa->p, BN_value_one()) == 0)
		545	goto err;
		546	/* j = (p - 1) / q */
		547	if (BN_div(j, NULL, p1, dsa->q, ctx) == 0)
		548	goto err;
		549	/* q * j should == p - 1 */
		550	if (BN_mul(newp1, dsa->q, j, ctx) == 0)
		551	goto err;
		552	if (BN_cmp(newp1, p1) != 0) {
		553	DSAerr(DSA_F_DSA_PARAM_DECODE, DSA_R_BAD_Q_VALUE);
		554	goto err;
		555	}
		556
		557	/*
		558	* Check that q is not a composite number.
		559	*/
		560
		561	if (BN_is_prime_ex(dsa->q, BN_prime_checks, ctx, NULL) == 0) {
		562	DSAerr(DSA_F_DSA_PARAM_DECODE, DSA_R_BAD_Q_VALUE);
		563	goto err;
		564	}
		565
		566	BN_CTX_free(ctx);
		567
527	EVP_PKEY_assign_DSA(pkey, dsa);	568	EVP_PKEY_assign_DSA(pkey, dsa);
528	return 1;	569	return 1;
		570
		571	err:
		572	BN_CTX_free(ctx);
		573	DSA_free(dsa);
		574	return 0;
529	}	575	}
530		576
531	static int	577	static int


diff --git a/src/lib/libssl/src/crypto/dsa/dsa_ameth.c b/src/lib/libssl/src/crypto/dsa/dsa_ameth.c index b9ee49f055..9bef6e5a13 100644 --- a/src/lib/libssl/src/crypto/dsa/dsa_ameth.c +++ b/src/lib/libssl/src/crypto/dsa/dsa_ameth.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: dsa_ameth.c,v 1.17 2015/02/14 15:11:22 miod Exp $ */	1	/* $OpenBSD: dsa_ameth.c,v 1.18 2015/09/10 18:12:55 miod Exp $ */
2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL	2	/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
3	* project 2006.	3	* project 2006.
4	*/	4	*/
@@ -519,13 +519,59 @@ static int
519	old_dsa_priv_decode(EVP_PKEY pkey, const unsigned char *pder, int derlen)	519	old_dsa_priv_decode(EVP_PKEY pkey, const unsigned char *pder, int derlen)
520	{	520	{
521	DSA *dsa;	521	DSA *dsa;
		522	BN_CTX *ctx = NULL;
		523	BIGNUM j, p1, *newp1;
522		524
523	if (!(dsa = d2i_DSAPrivateKey (NULL, pder, derlen))) {	525	if (!(dsa = d2i_DSAPrivateKey(NULL, pder, derlen))) {
524	DSAerr(DSA_F_OLD_DSA_PRIV_DECODE, ERR_R_DSA_LIB);	526	DSAerr(DSA_F_OLD_DSA_PRIV_DECODE, ERR_R_DSA_LIB);
525	return 0;	527	return 0;
526	}	528	}
		529
		530	ctx = BN_CTX_new();
		531	if (ctx == NULL)
		532	goto err;
		533
		534	/*
		535	* Check that p and q are consistent with each other.
		536	*/
		537
		538	j = BN_CTX_get(ctx);
		539	p1 = BN_CTX_get(ctx);
		540	newp1 = BN_CTX_get(ctx);
		541	if (j == NULL \|\| p1 == NULL \|\| newp1 == NULL)
		542	goto err;
		543	/* p1 = p - 1 */
		544	if (BN_sub(p1, dsa->p, BN_value_one()) == 0)
		545	goto err;
		546	/* j = (p - 1) / q */
		547	if (BN_div(j, NULL, p1, dsa->q, ctx) == 0)
		548	goto err;
		549	/* q * j should == p - 1 */
		550	if (BN_mul(newp1, dsa->q, j, ctx) == 0)
		551	goto err;
		552	if (BN_cmp(newp1, p1) != 0) {
		553	DSAerr(DSA_F_DSA_PARAM_DECODE, DSA_R_BAD_Q_VALUE);
		554	goto err;
		555	}
		556
		557	/*
		558	* Check that q is not a composite number.
		559	*/
		560
		561	if (BN_is_prime_ex(dsa->q, BN_prime_checks, ctx, NULL) == 0) {
		562	DSAerr(DSA_F_DSA_PARAM_DECODE, DSA_R_BAD_Q_VALUE);
		563	goto err;
		564	}
		565
		566	BN_CTX_free(ctx);
		567
527	EVP_PKEY_assign_DSA(pkey, dsa);	568	EVP_PKEY_assign_DSA(pkey, dsa);
528	return 1;	569	return 1;
		570
		571	err:
		572	BN_CTX_free(ctx);
		573	DSA_free(dsa);
		574	return 0;
529	}	575	}
530		576
531	static int	577	static int