Merge pull request #4463 from JacobBarthelmeh/fuzzing

DSA: add check on bit length of q
2021-10-14 08:06:53 +10:00 · 2021-10-14 08:06:53 +10:00 · b93b7b07a9
parent cc63668691 63c9fa7a37
commit b93b7b07a9
2 changed files with 19 additions and 0 deletions
--- a/tests/api.c
+++ b/tests/api.c
@ -19589,6 +19589,13 @@ static int test_wc_DsaSignVerify (void)
        }
    }

+#if !defined(HAVE_FIPS) && defined(WOLFSSL_PUBLIC_MP)
+    /* hard set q to 0 and test fail case */
+    mp_free(&key.q);
+    mp_init(&key.q);
+    AssertIntEQ(wc_DsaSign(hash, signature, &key, &rng), BAD_FUNC_ARG);
+#endif
+
    if (wc_FreeRng(&rng) && ret == 0) {
        ret = WOLFSSL_FATAL_ERROR;
    }
--- a/wolfcrypt/src/dsa.c
+++ b/wolfcrypt/src/dsa.c
@ -736,6 +736,18 @@ int wc_DsaSign(const byte* digest, byte* out, DsaKey* key, WC_RNG* rng)
                }

        halfSz = min(DSA_MAX_HALF_SIZE, mp_unsigned_bin_size(&key->q));
+        /* NIST FIPS 186-4: Sections 4.1
+         * q is a prime divisor where 2^(N-1) < q < 2^N and N is the bit length
+         * of q.
+         * To satisfy this constraint if N is 0 then q would still need to be
+         * larger than 0.5, but since there is 0 bits in q it can not be any
+         * value.
+         */
+        if (halfSz == 0) {
+            ret = BAD_FUNC_ARG;
+            break;
+        }
+
        tmp = out;
        qMinus1 = kInv;