libgcrypt P256 signature malleability via weak DER enforcement

Jake Ginesin jakeginesin at gmail.com
Sat Jan 10 06:00:20 CET 2026


Hi,

libgcrypt's ECDSA signatures are malleable, as the signature verifier
accepts malformed DER-encoded signatures. We currently fail in three
scenarios:

1. Missing leading zero: per X.690 section 8.3.3, integers are two's
complement. A positive integer with high bit set requires a leading 0x00 to
avoid being interpreted as negative. libgcrypt accepts signatures missing
this byte.

2. Extra leading zeros: per X.690 section 8.3.2, integer encoding must be
minimal. libgcrypt accepts r/s values with unnecessary leading zeros.

3. BER long-form length: per X.690 section 10.1, DER requires the definite
length form encoded in the minimum number of octets. libgcrypt accepts
BER-style long-form encoding where short-form is required.

The test vectors are available here:
https://github.com/C2SP/wycheproof/blob/main/testvectors_v1/ecdsa_secp256k1_sha256_test.json
(tcId 6, 8, 84, 128 are relevant for this issue)

Similar issues received CVEs in other libraries (CVE-2020-13822,
CVE-2024-42460).

Happy to provide my proof-of-concept exploits, Wycheproof-libgcrypt
harness, or discuss further.

Thanks,
Jake
https://jakegines.in