verify: fix signature verification (CVE-2022-24884)
Verify that r and s are non-zero. Without these checks, an all-zero
signature is always considered valid.

While it would be nicer to error out in ecdsa_verify_prepare_legacy()
already, that would require users of libecdsautil to check a return value
of the prepare step. To be safe, implement the fix in an API/ABI-compatible
way that doesn't need changes to the users.
NeoRaider committed Apr 27, 2022
1 parent 0753889 commit 1d4b091
Showing 1 changed file with 10 additions and 0 deletions.
10 changes: 10 additions & 0 deletions src/lib/ecdsa.c
Expand Up @@ -135,6 +135,12 @@ void ecdsa_sign_legacy(ecdsa_signature_t *signature, const ecc_int256_t *hash, c
void ecdsa_verify_prepare_legacy(ecdsa_verify_context_t *ctx, const ecc_int256_t *hash, const ecdsa_signature_t *signature) {
ecc_int256_t w, u1, tmp;

if (ecc_25519_gf_is_zero(&signature->s) || ecc_25519_gf_is_zero(&signature->r)) {
// Signature is invalid, mark by setting ctx->r to an invalid value
memset(&ctx->r, 0, sizeof(ctx->r));
return;
}

ctx->r = signature->r;

ecc_25519_gf_recip(&w, &signature->s);
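Review bot: the early return in ecdsa_verify_prepare_legacy() writes only ctx->r, so ctx->u2 and ctx->s1 keep whatever the caller's memory held when a signature is rejected. ecdsa_verify_legacy() tests ctx->r before it reads those fields, so this is safe as written, but clearing the whole context with memset(ctx, 0, sizeof(*ctx)) would remove the dependency on that ordering. The comment could also state that ctx->r == 0 is the marker ecdsa_verify_legacy() checks, since that contract is otherwise visible only by reading both functions.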
Expand All @@ -149,6 +155,10 @@ bool ecdsa_verify_legacy(const ecdsa_verify_context_t *ctx, const ecc_25519_work
ecc_25519_work_t s2, work;
ecc_int256_t w, tmp;

// Signature was detected as invalid in prepare step
if (ecc_25519_gf_is_zero(&ctx->r))
return false;

ecc_25519_scalarmult(&s2, &ctx->u2, pubkey);
ecc_25519_add(&work, &ctx->s1, &s2);
ecc_25519_store_xy_legacy(&w, NULL, &work);
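Review bot: the commit touches only src/lib/ecdsa.c, so nothing pins the new ctx->r check at the top of ecdsa_verify_legacy() against regression. A test that passes an all-zero signature, one with only r zero and one with only s zero through the prepare and verify steps, expecting false each time, would cover the case the commit message describes. Because the zero value of ctx->r now doubles as an "invalid signature" flag, the documentation of ecdsa_verify_context_t should mark it as reserved for that purpose.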