simon-git: putty (main): Simon Tatham
Commits to Tartarus hosted VCS
tartarus-commits at lists.tartarus.org
Thu Mar 12 13:22:01 GMT 2026
TL;DR:
af996b5e eddsa_verify: add check for out-of-range s.
Repository: https://git.tartarus.org/simon/putty.git
On the web: https://git.tartarus.org/?p=simon/putty.git
Branch updated: main
Committer: Simon Tatham <anakin at pobox.com>
Date: 2026-03-12 13:22:01
commit af996b5ec27ab79bae3882071b9d6acf16044549
web diff https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=af996b5ec27ab79bae3882071b9d6acf16044549;hp=af33ecdc88fed05bfcd08a6d6d60c35775c743bd
Author: Simon Tatham <anakin at pobox.com>
Date: Wed Feb 25 08:29:58 2026 +0000
eddsa_verify: add check for out-of-range s.
The integer s in an EdDSA signature is treated as an exponent: the
curve's base point is raised to that power. (OK, multiplied by it, if
you use the elliptic curve notational convention rather than the
general group convention.) Therefore, in principle, it doesn't make
any difference if s varies by a multiple of the base point's
order (which is around 2^252, therefore a larger s still fits easily
within the 256-bit space for it in the signature encoding). However,
RFC 8032 requires s to be strictly less than that order, so that
there's a single canonical encoding for any given signature.
I'm not treating this as a vulnerability because I don't believe
there's any situation in SSH where canonicality of signatures is
important. But it should be fixed, nonetheless.
In the fix, it's OK to use an ordinary if statement to check the bound
on s, because they're visible to everybody anyway: the integer s is
encoded directly in the signature, and the bound we're checking it
against is a well-known public integer, so nothing new is revealed by
any timing side channel proving that that was the reason for the
rejection. (Not even if the message being signed were secret, which it
is in SSH: the validation of s doesn't depend on the message.)
Thanks to Yujie Zhu for the report.
crypto/ecc-ssh.c | 5 +++++
test/cryptsuite.py | 18 ++++++++++++++++++
2 files changed, 23 insertions(+)
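The check the commit message describes, as an added illustration that is not PuTTY's code and not the change in crypto/ecc-ssh.c: an EdDSA signature is R followed by a little-endian integer s, and RFC 8032 requires 0 <= s < L (the base point's order) so that each signature has one canonical encoding. The group orders below are the RFC 8032 constants for Ed25519 and Ed448; the sample signature is constructed (its R component is a dummy byte string and no curve arithmetic is performed), and the helper names are this example's own. `make_noncanonical` shows why the check matters: adding L to s leaves s*B unchanged mathematically, yet the result still fits in the encoding and would be accepted by a verifier that skips the bound.

```python
# Added example: RFC 8032 range check on the scalar s of an EdDSA signature.
# Not PuTTY's code; names are this example's own.

# Group orders of the base points (RFC 8032 sections 5.1 and 5.2).
ED25519_L = 2**252 + 27742317777372353535851937790883648493
ED448_L = 2**446 - 13818066809895115352007386748515426880336692474882178609894547503885


def split_signature(sig: bytes, scalar_len: int):
    """Return (R_encoding, s) for a signature of 2*scalar_len bytes.

    s is encoded little-endian in the second half (RFC 8032 5.1.6 / 5.2.6).
    """
    if len(sig) != 2 * scalar_len:
        raise ValueError("bad signature length: %d" % len(sig))
    r_enc = sig[:scalar_len]
    s = int.from_bytes(sig[scalar_len:], "little")
    return r_enc, s


def s_in_range(sig: bytes, scalar_len: int, order: int) -> bool:
    """The canonicality check: reject unless 0 <= s < L.

    A plain comparison is fine here: s is read straight out of the
    signature and L is a public constant, so a timing difference on this
    branch reveals nothing that the signature itself did not already.
    Verifiers should run this before any point arithmetic.
    """
    _, s = split_signature(sig, scalar_len)
    return 0 <= s < order


def ed25519_s_in_range(sig: bytes) -> bool:
    return s_in_range(sig, 32, ED25519_L)


def ed448_s_in_range(sig: bytes) -> bool:
    return s_in_range(sig, 57, ED448_L)


def make_noncanonical(sig: bytes, scalar_len: int, order: int) -> bytes:
    """Constructed test input: re-encode the signature with s + L.

    s*B == (s+L)*B because L*B is the identity, so a verifier without the
    range check computes the same point and accepts both encodings.  Both
    values fit: L is about 2^252 (Ed25519) or 2^446 (Ed448), well below
    the 256-bit / 456-bit encoding space.
    """
    r_enc, s = split_signature(sig, scalar_len)
    return r_enc + (s + order).to_bytes(scalar_len, "little")


def make_signature(r_enc: bytes, s: int, scalar_len: int) -> bytes:
    """Assemble a signature encoding from its parts (constructed inputs)."""
    if len(r_enc) != scalar_len:
        raise ValueError("bad R length")
    return r_enc + s.to_bytes(scalar_len, "little")


# Constructed sample: a dummy R and a small in-range s.
SAMPLE_R = b"\x01" * 32
SAMPLE_SIG = make_signature(SAMPLE_R, 123456789, 32)

if __name__ == "__main__":
    print("canonical sample accepted:", ed25519_s_in_range(SAMPLE_SIG))
    bad = make_noncanonical(SAMPLE_SIG, 32, ED25519_L)
    print("s + L rejected:", not ed25519_s_in_range(bad))
    print("s = L - 1 accepted:",
          ed25519_s_in_range(make_signature(SAMPLE_R, ED25519_L - 1, 32)))
    print("s = L rejected:",
          not ed25519_s_in_range(make_signature(SAMPLE_R, ED25519_L, 32)))
```

The same boundary applies to Ed448 with 57-byte halves; the check is the only difference between the two here, since the encoding rule is identical apart from the scalar length and the order.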