tarcieri
commented
2 months ago This was likely fixed in #777, which was an oversight. I could potentially backport it to older versions of ecdsa.
While it's a bug, it's one I don't believe to be security-critical in that the miscomputed k values are still uniformly random HMAC-DRBG output, and in that regard if someone were to use our buggy implementation as well as a correct one which produce two different k values for the same message, that's no different from signing the same message twice with two different (uniformly) randomly generated k values.
Security critical impacts would either involve reuse of k or producing a k which is not uniformly random, neither of which is happening here.
Hello 👋 I'm Emil, Security Engineer at Wire (github.com/wireapp) an E2EE secure messenger. We recently conducted a security audit of our core-crypto library which implements the MLS standard and the external researchers found an issue in the P256 + RFC6979 implementation leading to non conforming signatures.
Expected signature:
9ac51396b0c8d0a5a082b5d88b45760504c1e7c8ba1a49e8b40f4098ac74c757563050ecbfc45165503f9ef57b3039baae0000d6eebcecd922bb280b35d2db79Actual signature using p256 version 0.13.2
5dcd6baac9e02e2351763333d40d73157d4fee343954c7a380c7fb688f9ef9609f473dcdbc0fbc2bcf020ac3cf5eeed9d88634c0014419a0bdc4c0f88341ca57This seems to have been fixed in
p256 0.14.0-pre.0which produces the correct signature.Since this doesn't have security implications for Wire but might have implications for other users, I'd suggest investigating the implementation.
Cheers & thank you for your work <3
PS: A more detailed writeup is available to @tarcieri