Merge pull request #4463 from JacobBarthelmeh/fuzzing

DSA: add check on bit length of q

tests/api.c

@@ -19589,6 +19589,13 @@ static int test_wc_DsaSignVerify (void)
         }
     }
 
+#if !defined(HAVE_FIPS) && defined(WOLFSSL_PUBLIC_MP)
+    /* hard set q to 0 and test fail case */
+    mp_free(&key.q);
+    mp_init(&key.q);
+    AssertIntEQ(wc_DsaSign(hash, signature, &key, &rng), BAD_FUNC_ARG);
+#endif
+
     if (wc_FreeRng(&rng) && ret == 0) {
         ret = WOLFSSL_FATAL_ERROR;
     }

wolfcrypt/src/dsa.c

@@ -736,6 +736,18 @@ int wc_DsaSign(const byte* digest, byte* out, DsaKey* key, WC_RNG* rng)
                 }
 
         halfSz = min(DSA_MAX_HALF_SIZE, mp_unsigned_bin_size(&key->q));
+        /* NIST FIPS 186-4: Sections 4.1
+         * q is a prime divisor where 2^(N-1) < q < 2^N and N is the bit length
+         * of q.
+         * To satisfy this constraint if N is 0 then q would still need to be
+         * larger than 0.5, but since there is 0 bits in q it can not be any
+         * value.
+         */
+        if (halfSz == 0) {
+            ret = BAD_FUNC_ARG;
+            break;
+        }
+
         tmp = out;
         qMinus1 = kInv;