
Commit 1d4b091

committed
verify: fix signature verification (CVE-2022-24884)
Verify that r and s are non-zero. Without these checks, an all-zero signature is always considered valid. While it would be nicer to error out in ecdsa_verify_prepare_legacy() already, that would require users of libecdsautil to check a return value of the prepare step. To be safe, implement the fix in an API/ABI-compatible way that doesn't need changes to the users.
1 parent 0753889 commit 1d4b091


1 file changed

+10
-0
lines changed


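--- a/src/lib/ecdsa.c
+++ b/src/lib/ecdsa.c
@@ -135,6 +135,12 @@ void ecdsa_sign_legacy(ecdsa_signature_t *signature, const ecc_int256_t *hash, c
 void ecdsa_verify_prepare_legacy(ecdsa_verify_context_t *ctx, const ecc_int256_t *hash, const ecdsa_signature_t *signature) {
 ecc_int256_t w, u1, tmp;
 
+if (ecc_25519_gf_is_zero(&signature->s) || ecc_25519_gf_is_zero(&signature->r)) {
+// Signature is invalid, mark by setting ctx->r to an invalid value
+memset(&ctx->r, 0, sizeof(ctx->r));
+return;
+}
+
 ctx->r = signature->r;
 
 ecc_25519_gf_recip(&w, &signature->s);
@@ -149,6 +155,10 @@ bool ecdsa_verify_legacy(const ecdsa_verify_context_t *ctx, const ecc_25519_work
 ecc_25519_work_t s2, work;
 ecc_int256_t w, tmp;
 
+// Signature was detected as invalid in prepare step
+if (ecc_25519_gf_is_zero(&ctx->r))
+return false;
+
 ecc_25519_scalarmult(&s2, &ctx->u2, pubkey);
 ecc_25519_add(&work, &ctx->s1, &s2);
 ecc_25519_store_xy_legacy(&w, NULL, &work);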
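Review bot: On the early-return path in ecdsa_verify_prepare_legacy() only ctx->r is cleared, so ctx->u2 and ctx->s1, which ecdsa_verify_legacy() reads right after its new guard, keep whatever the caller's memory held. Rejection therefore relies on every reader of the context testing ctx->r first. Clearing the whole context with `memset(ctx, 0, sizeof(*ctx));` keeps the same sentinel while leaving no indeterminate fields, and the "r == 0 means invalid" convention deserves a comment at the ecdsa_verify_context_t declaration, which is not visible here. The commit touches only src/lib/ecdsa.c; a regression test that feeds an all-zero signature, plus r = 0 and s = 0 separately, and expects `false` would pin the fix. Both function bodies continue beyond the hunks shown.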
