| Field | Value |
|---|---|
| Title | GitHub Dropbear 2025.89 Improper Verification of Cryptographic Signature |
| Description | The specific issue is located in curve25519.c:<br>Line 484 directly uses s+32 for computation, with no validation for S >= L at any point.<br>According to the RFC 8032 §5.1.7 specification, an out-of-bounds S should be rejected. Without this check, we can generate an equivalent signature by constructing S' = S + L. My local testing confirms that Dropbear's verification process accepts both the original signature and its S+L variant. Furthermore, the paper "The Provable Security of Ed25519: Theory and Practice" by Jacqueline Brendel, Cas Cremers, Dennis Jackson, and Mang Zhao (https://ieeexplore.ieee.org/stampPDF/getPDF.jsp?arnumber=9519456) emphasizes that strictly rejecting such non-canonical signatures is necessary to maintain Strong Existential Unforgeability under Chosen Message Attacks (SUF-CMA).<br>Historically, there have been multiple signature malleability vulnerabilities in other projects (e.g., CVE-2020-36843, CVE-2024-45193). This inconsistency with the specification breaks signature uniqueness and could potentially impact higher-level security policies or auditing logic that rely on it. |
| Source | https://github.com/mkj/dropbear/issues/406 |
| User | pythok (UID 95793) |
| Submitted | 2026-02-23 05:02 PM (1 month ago) |
| Moderation | 2026-03-07 10:07 AM (12 days later) |
| Status | Accepted |
| VulDB Entry | 349652 [mkj Dropbear up to 2025.89 S Range Check src/curve25519.c unpackneg weak authentication] |
| Points | 20 |
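The check the report says is missing, as an added example (this is not Dropbear's code and not the submitter's test harness): RFC 8032 §5.1.7 step 1 requires an Ed25519 verifier to reject any signature whose 32-byte S component, read as a little-endian integer, is not strictly below the group order L. The block below implements that range check, wraps it around an arbitrary verifier so the check runs before any curve arithmetic, and constructs a labelled test vector (an arbitrary R and a small S, not a real signature) together with its S + L variant to show that arithmetic mod L cannot tell the two apart while the range check does. The `verify` callable passed to `verify_with_range_check` is assumed to be whatever signature verifier the caller already has.

```python
# Added example: RFC 8032 section 5.1.7 canonical range check on the S
# component of an Ed25519 signature. Not Dropbear's code.

# Ed25519 group order L = 2^252 + 27742317777372353535851937790883648493
# (RFC 8032 section 5.1).
L = 2**252 + 27742317777372353535851937790883648493


def split_signature(sig: bytes):
    """Split a 64-byte Ed25519 signature into (R bytes, S integer).

    RFC 8032 encodes S as a 32-byte little-endian integer in bytes 32..63.
    """
    if len(sig) != 64:
        raise ValueError("Ed25519 signature must be exactly 64 bytes")
    r = sig[:32]
    s = int.from_bytes(sig[32:], "little")
    return r, s


def s_is_canonical(sig: bytes) -> bool:
    """RFC 8032 section 5.1.7 step 1: the signature is invalid unless 0 <= S < L."""
    _, s = split_signature(sig)
    return s < L


def verify_with_range_check(verify, public_key: bytes, message: bytes, sig: bytes) -> bool:
    """Run the range check before handing the signature to an existing verifier.

    `verify` is assumed to be a callable (public_key, message, sig) -> bool.
    A non-canonical S is rejected without ever reaching curve arithmetic,
    so a verifier that only works mod L can no longer accept S + L.
    """
    if not s_is_canonical(sig):
        return False
    return verify(public_key, message, sig)


def non_canonical_variant(sig: bytes) -> bytes:
    """Build the S' = S + L encoding described in the report as a test vector
    for the check above. For any canonical S (< L) the sum is below 2^253,
    so it always fits in the 32-byte field."""
    r, s = split_signature(sig)
    s_prime = s + L
    if s_prime >= 2**256:
        raise ValueError("S + L does not fit in 32 bytes")
    return r + s_prime.to_bytes(32, "little")


def reduces_to_same_scalar(sig_a: bytes, sig_b: bytes) -> bool:
    """Model of a verifier that reduces S mod L before use: it sees the same
    scalar for S and S + L, which is why an explicit range check is needed."""
    return split_signature(sig_a)[1] % L == split_signature(sig_b)[1] % L


# Constructed test vector (arbitrary R, small S); not a real signature.
SAMPLE_R = bytes(range(32))
SAMPLE_S = 123456789
SAMPLE_SIG = SAMPLE_R + SAMPLE_S.to_bytes(32, "little")


if __name__ == "__main__":
    variant = non_canonical_variant(SAMPLE_SIG)
    print("canonical sample accepted by range check:", s_is_canonical(SAMPLE_SIG))
    print("S+L variant accepted by range check:     ", s_is_canonical(variant))
    print("both reduce to the same scalar mod L:    ", reduces_to_same_scalar(SAMPLE_SIG, variant))
```

Because the range check runs on the raw encoding, it also catches the boundary exactly: an S of L - 1 is canonical, an S of L is not. Placing the check at the decode step, before any scalar multiplication, is the position RFC 8032 specifies and keeps the verifier's output a function of one unique encoding per signature.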