From 54339fe5b2356b1d99f7c91e10d2c804de525011 Mon Sep 17 00:00:00 2001
From: tb <tb@openbsd.org>
Date: Sat, 11 Mar 2023 15:29:03 +0000
Subject: [PATCH] Fix an off-by-one in dsa_check_key()

The private key is a random number in [1, q-1], so 1 must be allowed.
Since q is at least an 160-bit prime and 2^159 + 1 is not prime (159
is not a power of 2), the probability that this is hit is < 2^-159,
but a tiny little bit wrong is still wrong.

Found while investigating a report by bluhm
ok jsing
---
 lib/libcrypto/dsa/dsa_lib.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/lib/libcrypto/dsa/dsa_lib.c b/lib/libcrypto/dsa/dsa_lib.c
index 1a6ca54da12..6986f9ad6ba 100644
--- a/lib/libcrypto/dsa/dsa_lib.c
+++ b/lib/libcrypto/dsa/dsa_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: dsa_lib.c,v 1.41 2023/03/07 09:27:10 jsing Exp $ */
+/* $OpenBSD: dsa_lib.c,v 1.42 2023/03/11 15:29:03 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -487,7 +487,7 @@ dsa_check_key(const DSA *dsa)
 
 	/* The private key must be nonzero and in GF(q). */
 	if (dsa->priv_key != NULL) {
-		if (BN_cmp(dsa->priv_key, BN_value_one()) <= 0 ||
+		if (BN_cmp(dsa->priv_key, BN_value_one()) < 0 ||
 		    BN_cmp(dsa->priv_key, dsa->q) >= 0) {
 			DSAerror(DSA_R_INVALID_PARAMETERS);
 			return 0;
-- 
2.20.1