From d4982bb9884ade03cece09f3fc5b221de39b2454 Mon Sep 17 00:00:00 2001
From: toddouska <todd@wolfssl.com>
Date: Thu, 7 May 2015 15:10:33 -0700
Subject: [PATCH] add dsa verify input check, not used at TLS or default

---
 wolfcrypt/src/dsa.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/wolfcrypt/src/dsa.c b/wolfcrypt/src/dsa.c
index ac0d3b75b..4de4d8196 100644
--- a/wolfcrypt/src/dsa.c
+++ b/wolfcrypt/src/dsa.c
@@ -174,7 +174,12 @@ int wc_DsaVerify(const byte* digest, const byte* sig, DsaKey* key, int* answer)
         ret = MP_READ_E;
 
     /* sanity checks */
-
+    if (ret == 0) {
+        if (mp_iszero(&r) == MP_YES || mp_iszero(&s) == MP_YES ||
+                mp_cmp(&r, &key->q) != MP_LT || mp_cmp(&s, &key->q) != MP_LT) {
+            ret = MP_ZERO_E;
+        }
+    }
 
     /* put H into u1 from sha digest */
     if (ret == 0 && mp_read_unsigned_bin(&u1,digest,SHA_DIGEST_SIZE) != MP_OKAY)