Closed adelapie closed 4 years ago
Thanks for raising this issue. Will have to look at intermediate values as to why this is failing, which means debugging the C extensions. Any further debug info you found will be helpful in fixing this.
Thanks, Anton
Found the issue, had to do with a case where the point at infinity was not handled correctly in the C code. Fix is in release v2.1.2
.
➜ Desktop pyenv shell 3.7.5
➜ Desktop pip install fastecdsa==2.1.2
Collecting fastecdsa==2.1.2
Downloading fastecdsa-2.1.2-cp37-cp37m-macosx_10_14_x86_64.whl (53 kB)
|████████████████████████████████| 53 kB 1.6 MB/s
Installing collected packages: fastecdsa
Successfully installed fastecdsa-2.1.2
➜ Desktop ./poc.py
Result fast-ecdsa: True
Result cryptography.io: True
Hello Anton,
I got this bug assigned to CVE-2020-12607, if you want to use it, with the following description: An issue was discovered in fastecdsa before 2.1.2. When using the NIST P-256 curve in the ECDSA implementation, the point at infinity is mishandled. This means that for an extreme value in k and s^-1, the signature verification fails even if the signature is correct. This behavior is not solely a usability problem. There are some threat models where an attacker can benefit by successfully guessing users for whom signature verification will fail.
Best regards, Antonio
Hey Antonio,
Thanks for getting the CVE assigned. Just looked it up in the database and saw that it's reserved. It's probably worth fixing this via a patch release for recent older versions as well. Shouldn't take long to make those updates.
-Anton
Hello,
When verifying a ECDSA signature (P-256, SHA-256) with a extreme value in k and s^-1, the verification fails even if the signature is correct. It is possible to check this using the Google Wycheproof test 345 (https://github.com/google/wycheproof/blob/master/testvectors/ecdsa_secp256r1_sha256_test.json):
I've added a PoC using fast-ecdsa and python-cryptography (below).
Best regards, Antonio