author | lloyd <[email protected]> | 2011-05-19 12:56:05 +0000 |
---|---|---|
committer | lloyd <[email protected]> | 2011-05-19 12:56:05 +0000 |
commit | 2bfbaa792c71d289d433afb9fcec173110aa7006 (patch) | |
tree | fc37f5a2e8579bcd126e475e64900e695b54048f /src/pubkey/ecdsa | |
parent | 49e6d3fdbd47cf827f6ac2e23ab1061abf3084ea (diff) |
Reject s == 0 or r == 0 in an ECC signature.
In ECDSA, these cases should all be caught by the later check that R is
not zero, so I don't believe there is any security danger.
However the GOST 34.10 implementation did not have either check.
Fortunately, the function that extracts the affine X coordinate from
the Jacobian coordinates will throw an exception if the point is at
infinity, so we would not in fact accept invalid signatures, but this
is mostly by luck. And still represents a bit of a DoS potential.
I checked the history, it looks like not checking for zeros at the
start traces back to the original InSiTo code, and I copied the ECDSA
code for GOST without thinking about it too much.
Diffstat (limited to 'src/pubkey/ecdsa')
-rw-r--r-- | src/pubkey/ecdsa/ecdsa.cpp | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/pubkey/ecdsa/ecdsa.cpp b/src/pubkey/ecdsa/ecdsa.cpp index 9a3510c33..79b4d7f51 100644 --- a/src/pubkey/ecdsa/ecdsa.cpp +++ b/src/pubkey/ecdsa/ecdsa.cpp @@ -80,7 +80,7 @@ bool ECDSA_Verification_Operation::verify(const byte msg[], size_t msg_len, BigInt r(sig, sig_len / 2); BigInt s(sig + sig_len / 2, sig_len / 2); - if(r < 0 || r >= order || s < 0 || s >= order) + if(r <= 0 || r >= order || s <= 0 || s >= order) return false; BigInt w = inverse_mod(s, order); |
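Review bot: The tightened range check in `verify()` (`r <= 0 || r >= order || s <= 0 || s >= order`) has no comment saying why zero is excluded, yet the very next line, `inverse_mod(s, order)`, relies on it, because s == 0 has no inverse modulo the group order. A one-line comment stating that r and s must lie in [1, order-1] would keep a later cleanup from loosening it back to `< 0`. The diffstat shows only `ecdsa.cpp` changing in this view, so no negative test accompanies the fix here; a verification test with an all-zero r half and another with an all-zero s half, both expected to return false, would pin the behaviour. The commit message also says the GOST 34.10 code lacked both checks, and that change is not visible in this diff (limited to `src/pubkey/ecdsa`), so it is worth confirming the same condition landed there with the same tests.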