authorDr. Stephen Henson <steve@openssl.org>2015-12-30 13:34:53 +0000
committerDr. Stephen Henson <steve@openssl.org>2015-12-30 13:34:53 +0000
commit72245f340c41c7d04b7a2b7a99aec9897e22d9cb (patch)
tree5063291084666d4cc180c5b4086e1cc65e0748ea /crypto/dsa/dsa_lib.c
parent923ffa97d1278a155d2ec7783c997fb7e2c5e28b (diff)
Check for missing DSA parameters.
If DSA parameters are absent return -1 (for unknown) in DSA_security_bits. If parameters are absent when a certificate is set in an SSL/SSL_CTX structure this will reject the certificate by default. This will cause DSA certificates which omit parameters to be rejected but that is never (?) done in practice. Thanks to Brian 'geeknik' Carpenter for reporting this issue. Reviewed-by: Emilia Käsper <emilia@openssl.org>
Diffstat (limited to 'crypto/dsa/dsa_lib.c')
-rw-r--r--crypto/dsa/dsa_lib.c4
1 files changed, 3 insertions, 1 deletions
diff --git a/crypto/dsa/dsa_lib.c b/crypto/dsa/dsa_lib.c
index 4b02d770de..722602cc90 100644
--- a/crypto/dsa/dsa_lib.c
+++ b/crypto/dsa/dsa_lib.c
@@ -246,7 +246,9 @@ void *DSA_get_ex_data(DSA *d, int idx)
int DSA_security_bits(const DSA *d)
{
- return BN_security_bits(BN_num_bits(d->p), BN_num_bits(d->q));
+ if (d->p && d->q)
+ return BN_security_bits(BN_num_bits(d->p), BN_num_bits(d->q));
+ return -1;
}
#ifndef OPENSSL_NO_DH
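Review bot: The new `return -1;` in DSA_security_bits adds a sentinel that nothing in the hunk explains, so a reader cannot tell it is not a bit count; a comment above it such as `/* p or q missing: security strength unknown */` would make the contract clear. Callers are not visible here, so any that store the result in an unsigned type or only test it against zero should be checked. Presumably the SSL security-level check compares against a minimum and therefore rejects -1, as the commit message describes. As a style point, the pointer tests would read more clearly as explicit comparisons, `if (d->p != NULL && d->q != NULL)`.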