wolfssl/wolfcrypt
Tobias Frauenschläger 13a016367f eccsi: fix universal signature forgery via r=0/s=0
wc_VerifyEccsiHash did not validate that r and s lie in [1, q-1]
after decoding them from the signature buffer.  With s=0 the scalar
multiplication [s](...) returns the point at infinity (J_x=0); with
r=0 the final mp_cmp(0,0)==MP_EQ check then accepts the forged
signature unconditionally against any message and any identity.

Add [1, q-1] range checks for r (in wc_VerifyEccsiHash, after params
are loaded) and for s (in eccsi_calc_j, after eccsi_decode_sig_s),
mirroring the checks already present in wc_ecc_check_r_s_range.
Add a defense-in-depth point-at-infinity guard on J before the final
comparison.

Reported-by: Nicholas Carlini (Anthropic) & Bronson Yen (Calif.io)
2026-04-02 12:35:15 +02:00
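The failure mode the commit message describes, as an added example on a constructed toy curve (this is not wolfSSL code). The curve parameters, the `verify` function and its `hardened` flag are hypothetical, and the integer `he` stands in for the hash HE that the real verification derives from the message.

```c
#include <stdio.h>

/* Constructed toy curve y^2 = x^3 + 2x + 2 over F_17, G = (5,1), prime order q = 19. */
enum { P = 17, A = 2, Q = 19 };
typedef struct { int x, y, inf; } pt;   /* infinity is stored with x = y = 0 */

static int md(int v) { return ((v % P) + P) % P; }
static int inv(int v) { int r = 1, e = P - 2; v = md(v);   /* Fermat inverse mod P */
    while (e) { if (e & 1) r = r * v % P; v = v * v % P; e >>= 1; } return r; }

static pt add(pt a, pt b) {
    pt inf = {0, 0, 1}, r = {0, 0, 0};
    int l;
    if (a.inf) return b;
    if (b.inf) return a;
    if (a.x == b.x && md(a.y + b.y) == 0) return inf;       /* a = -b */
    l = (a.x == b.x) ? md((3 * a.x * a.x + A) * inv(2 * a.y))
                     : md((b.y - a.y) * inv(b.x - a.x));
    r.x = md(l * l - a.x - b.x);
    r.y = md(l * (a.x - r.x) - a.y);
    return r;
}
static pt mul(int k, pt a) {            /* double-and-add; k = 0 yields infinity */
    pt r = {0, 0, 1};
    for (; k > 0; k >>= 1, a = add(a, a)) if (k & 1) r = add(r, a);
    return r;
}

/* Hypothetical simplified check: J = [s]([he]G + [r]Y), accept when J_x == r.
 * hardened = 1 adds the [1, q-1] range checks and the point-at-infinity guard. */
int verify(int r, int s, int he, pt Y, int hardened) {
    pt G = {5, 1, 0}, J;
    if (hardened && (r < 1 || r >= Q || s < 1 || s >= Q)) return 0;
    J = mul(s, add(mul(he, G), mul(r, Y)));
    if (hardened && J.inf) return 0;
    return J.x == r;                    /* with s = 0, J is infinity and J.x is 0 */
}

int main(void) {
    pt G = {5, 1, 0}, Y = mul(7, G);    /* constructed key point Y = [7]G */
    printf("valid  (r=6,s=3): unchecked=%d hardened=%d\n",
           verify(6, 3, 3, Y, 0), verify(6, 3, 3, Y, 1));
    printf("forged (r=0,s=0): unchecked=%d hardened=%d\n",
           verify(0, 0, 3, Y, 0), verify(0, 0, 3, Y, 1));
    return 0;
}
```

The unchecked path accepts `r = 0, s = 0` for every `he` and every `Y`, because neither input reaches the comparison once `[0](...)` collapses to infinity; the hardened path still accepts the constructed valid pair.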