
ECDSA pubkey recovery succeeds with invalid signature

guidovranken opened this issue · 3 comments

```cpp
#include <botan/ecdsa.h>

int main(void)
{
    // The recovery arguments (r, s, recovery id, message hash) from the original PoC
    // were not preserved in this copy of the issue; only the call shape survives.
    const auto pub = ::Botan::ECDSA_PublicKey(

    return 0;
}
```

In this PoC the signature S is larger than the curve order. libsecp256k1 rejects this.

Is this intentionally allowed or a bug?

edit: Fixed link.

Not intentional - missing a check that r/s are within the range of the order. Tests here are currently insufficient - we don't have any negative tests at all.

I also found an input where S = 0 and Botan recovers a pubkey, meaning the lower bound isn't checked either.

Also I think the recovery ID shouldn't be allowed to be 4:

For reference see libsecp256k1: https://github.com/bitcoin-core/secp256k1/blob/c083cc6e52a3ab749f5451de9c515d75897649c6/src/modules/recovery/main_impl.h#L46

Fixed on master now - checking 0 < r,s < order and v < 4
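The following is an added illustration, not code from this issue or from Botan, of what the fix above amounts to: textbook secp256k1 public key recovery with the range check `0 < r,s < order` and `v < 4` in front of it, plus a `strict=False` path that skips the check to show why an out-of-range `s` (above the order, or zero) still "recovers" a key when the check is absent. The curve constants are the standard secp256k1 parameters; the private key, nonce and message are constructed test values and are not usable for anything real.

```python
import hashlib

# secp256k1 domain parameters (standard public constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:          # p2 == -p1
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # point doubling
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; fine for verification)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def signature_in_range(r, s, v):
    """The check the issue asks for: 0 < r,s < order and recovery id v in 0..3."""
    return 0 < r < N and 0 < s < N and 0 <= v < 4


def sign(d, e, k):
    """Textbook ECDSA with a caller-supplied nonce k; returns (r, s, v)."""
    R = ec_mul(k, G)
    r = R[0] % N
    s = (pow(k, -1, N) * (e + r * d)) % N
    v = (R[1] & 1) | (2 if R[0] >= N else 0)
    return r, s, v


def recover_pubkey(e, r, s, v, strict=True):
    """Recover Q from (r, s, v) and message hash e (SEC 1, section 4.1.6).
    strict=False skips the range check to show the unpatched behaviour."""
    if strict and not signature_in_range(r, s, v):
        raise ValueError("r, s or recovery id out of range")
    x = r + (v >> 1) * N
    if x >= P:
        raise ValueError("no curve point has this x-coordinate")
    rhs = (pow(x, 3, P) + 7) % P
    y = pow(rhs, (P + 1) // 4, P)    # square root works because P % 4 == 3
    if y * y % P != rhs:
        raise ValueError("x-coordinate is not on the curve")
    if (y & 1) != (v & 1):
        y = P - y
    R = (x, y)
    eG = ec_mul(e % N, G)
    minus_eG = None if eG is None else (eG[0], (P - eG[1]) % P)
    # Q = r^-1 * (s*R - e*G). With s >= N the scalar simply wraps (N*R is infinity),
    # so without the range check a non-canonical s yields the same Q as s mod N.
    return ec_mul(pow(r, -1, N), ec_add(ec_mul(s, R), minus_eG))


# Constructed test vector: toy private key and nonce, NOT for real use
D = 0x1234567890ABCDEF
K = 0xFEDCBA0987654321
E = int.from_bytes(hashlib.sha256(b"constructed test message").digest(), "big")
Q = ec_mul(D, G)
R_, S_, V_ = sign(D, E, K)


def demo():
    """Run the strict recovery against a valid signature and the three bad inputs from the issue."""
    results = {"valid": recover_pubkey(E, R_, S_, V_) == Q}
    cases = [("s_above_order", R_, S_ + N, V_), ("s_zero", R_, 0, V_), ("v_is_4", R_, S_, 4)]
    for label, r, s, v in cases:
        try:
            recover_pubkey(E, r, s, v)
            results[label] = "accepted"
        except ValueError:
            results[label] = "rejected"
    return results


if __name__ == "__main__":
    print(demo())
```

Calling `recover_pubkey(E, R_, S_ + N, V_, strict=False)` returns the correct key even though `S_ + N` is not a valid signature component, and `recover_pubkey(E, R_, 0, V_, strict=False)` returns a well-formed but wrong point, which is the behaviour the issue reports; with `strict=True` both raise before any curve arithmetic runs.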