Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ECDSA pubkey recovery succeeds with invalid signature #2698

Closed
guidovranken opened this issue Apr 5, 2021 · 3 comments
Closed

ECDSA pubkey recovery succeeds with invalid signature #2698

guidovranken opened this issue Apr 5, 2021 · 3 comments

Comments

@guidovranken
Copy link

guidovranken commented Apr 5, 2021
edited
Loading 

#include <botan/ecdsa.h>

int main(void)
{
    const auto pub = ::Botan::ECDSA_PublicKey(
            ::Botan::EC_Group("secp256k1"),
            {0},
            ::Botan::BigInt("115792089237316195423570985008687907852837564279374904382605163141518161494307"),
            ::Botan::BigInt("115792089237316195423570985008687907852837564279074904382605163141518161494336"),
            1);

    printf("%s\n%s\n",
            pub.public_point().get_affine_x().to_dec_string().c_str(),
            pub.public_point().get_affine_y().to_dec_string().c_str());

    return 0;
}

In this PoC the signature S is larger than curve order. libsecp256k1 rejects this.

Is this intentionally allowed or a bug?

edit: Fixed link.
@randombit
Copy link
Owner

Not intentional - missing a check r/s are within range of the order. Tests here are currently insufficient - we don't have any negative tests at all.

@guidovranken
Copy link
Author

I also found an input where S = 0 and Botan recovers a pubkey, meaning the lower bound isn't checked either.

Also I think the recovery ID shouldn't be allowed to be 4:

botan/src/lib/pubkey/ecdsa/ecdsa.cpp

Line 39 in 8ba41c3

if(v > 4)

For reference see libsecp256k1: https://github.com/bitcoin-core/secp256k1/blob/c083cc6e52a3ab749f5451de9c515d75897649c6/src/modules/recovery/main_impl.h#L46

randombit added a commit that referenced this issue Apr 5, 2021
@randombit
ECDSA public key recovery: improve validation of r/s/v
631e22b 
GH #2698
@randombit
Copy link
Owner

Fixed on master now - checking 0 < r,s < order and v < 4

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@randombit @guidovranken