Missing checks during decoding of signatures leading to a certain degree of malleability of ECDSA and EDDSA signatures #317
FTR: I found that the following three CVEs reference this PR. |
It'd be useful to add the tests for this into the PR as well. Would you prefer to add them @Markus-MS or mind if I submit a patch to your branch? |
Great idea @kdenhartog |
Ahhh. This seems to be the source of the Dependabot alerts mentioned here: #319 |
Solution for EDDSA
Code:
```js
// Length check during signature creation
var msg = '54657374';
if (verifySignatureLength(sig)) {
msg = '546573743137';
if (verifySignatureLength(sig)) {
```
Solution for ECDSA
Code:
```js
// Check of the leading bit of r and s
var msg = '313233343030';
var hashMsg = hash.sha256().update(toArray(msg, 'hex')).digest();
if (verifyLeadingZero(sig)) {
```
That sounds like a great idea in my opinion |
Any updates on when this will get merged? |
Hello! Any updates on when this will get merged? |
LGTM
Thank you so much @Markus-MS ! |
Yeh Marcus |
There are some checks that need to be included during the decoding stage of both ECDSA and EDDSA signatures.
The absence of these checks leads to some malleability issues for ECDSA and EDDSA signatures.
The code provided in this pull request fixes these issues.
The following test vectors from the Wycheproof project showcase these issues:
EDDSA
A missing length check during the signature creation makes removing or appending zero bytes possible.
testvectors_v1/ed25519_test.json
The proposed changes inside the lib/elliptic/eddsa/signature.js file check the length of the signature to fix this issue.
ECDSA
The parsing of ECDSA DER-encoded signatures has two minor issues.
Missing check if the leading bit of r and s is zero
According to the ASN encoding the leading bit for r and s should be zero.
testvectors_v1/ecdsa_secp256k1_sha256_test.json
Allowing BER-encoded signatures
DER requires a single valid encoding, and allowing for BER-encoded signatures creates the possibility of confusion and malleability.
Inside lib/elliptic/ec/signature.js, in the getLength function, allowing leading zeros for the length sequence should not be permitted.
testvectors_v1/ecdsa_secp521r1_sha512_test.json
To remedy this issue, an additional check was added inside lib/elliptic/ec/signature.js in the getLength function if the current byte is zero, as this would not be permitted.
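
The two ECDSA decoding checks described in this pull request, shown as an added JavaScript example that is not the PR's code or elliptic's API: a strict DER parser for `SEQUENCE { INTEGER r, INTEGER s }`. The function names and the sample signatures (r = 1, s = 2) are constructed for illustration; the parser also rejects trailing bytes and non-minimal INTEGER padding, which are general DER rules beyond the two issues named above.

```javascript
'use strict';
// Read a DER length at buf[pos]; return [length, nextPos], or null if not canonical.
function readLen(buf, pos) {
  if (pos >= buf.length) return null;
  const first = buf[pos++];
  if (first < 0x80) return [first, pos];            // short form
  const n = first & 0x7f;
  if (n === 0 || n > 4) return null;                // indefinite (BER) or oversized
  if (pos + n > buf.length) return null;
  if (buf[pos] === 0) return null;                  // leading zero in the length bytes
  let len = 0;
  for (let i = 0; i < n; i++) len = len * 256 + buf[pos++];
  if (len < 0x80) return null;                      // long form where short form fits
  return [len, pos];
}

// Read one INTEGER; return [valueBytes, nextPos], or null if malformed.
function readInt(buf, pos) {
  if (buf[pos] !== 0x02) return null;
  const l = readLen(buf, pos + 1);
  if (!l) return null;
  const [len, start] = l;
  if (len === 0 || start + len > buf.length) return null;
  if (buf[start] & 0x80) return null;               // leading bit of r or s must be zero
  if (len > 1 && buf[start] === 0 && !(buf[start + 1] & 0x80)) return null; // extra pad
  return [buf.slice(start, start + len), start + len];
}

// Hypothetical helper: returns { r, s } for a canonical DER signature, else null.
function parseStrictDerSig(buf) {
  if (buf[0] !== 0x30) return null;
  const l = readLen(buf, 1);
  if (!l || l[1] + l[0] !== buf.length) return null; // no trailing bytes
  const r = readInt(buf, l[1]);
  if (!r) return null;
  const s = readInt(buf, r[1]);
  if (!s || s[1] !== buf.length) return null;
  return { r: r[0], s: s[0] };
}

// Constructed sample encodings of the same (r = 1, s = 2) pair.
const samples = {
  canonical:      Uint8Array.from([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02]),
  berLongLength:  Uint8Array.from([0x30, 0x81, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02]),
  zeroInLength:   Uint8Array.from([0x30, 0x82, 0x00, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02]),
  leadingBitSetR: Uint8Array.from([0x30, 0x06, 0x02, 0x01, 0x81, 0x02, 0x01, 0x02]),
};
for (const [name, sig] of Object.entries(samples))
  console.log(name, parseStrictDerSig(sig) ? 'accepted' : 'rejected');
```

Only the `canonical` sample is accepted; the others are alternative byte strings that a lenient decoder could treat as the same signature.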