signature: fix invalid S check.

The even-S check was based on https://github.com/sipa/bitcoin/commit/a81cd9680 which was replaced by a low-S check in commit e0e14e43d9586409e42919f6cb955540134cda2a Abstract out and fix the check. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
9 years ago · 1d82bf51fc
3 changed files with 11 additions and 3 deletions
--- a/bitcoin/signature.c
+++ b/bitcoin/signature.c
@ -306,3 +306,9 @@ size_t signature_to_der(u8 der[72], const struct signature *sig)
 	assert(IsValidSignatureEncoding(der, len + 1));
 	return len;
 }
+
+/* Signature must have low S value. */
+bool sig_valid(const struct signature *sig)
+{
+	return (sig->s[0] & 0x80) == 0;
+}
--- a/bitcoin/signature.h
+++ b/bitcoin/signature.h
@ -46,6 +46,9 @@ bool check_2of2_sig(struct bitcoin_tx *tx, size_t input_num,
 		    const struct bitcoin_signature *sig1,
 		    const struct bitcoin_signature *sig2);

+/* Signature must have low S value. */
+bool sig_valid(const struct signature *s);
+
 /* Give DER encoding of signature: returns length used (<= 72). */
 size_t signature_to_der(u8 der[72], const struct signature *s);

--- a/protobuf_convert.c
+++ b/protobuf_convert.c
@ -8,7 +8,7 @@ Signature *signature_to_proto(const tal_t *ctx, const struct signature *sig)
 	Signature *pb = tal(ctx, Signature);
 	signature__init(pb);

-	assert((sig->s[31] & 1) == 0);
+	assert(sig_valid(sig));

 	/* Kill me now... */
 	memcpy(&pb->r1, sig->r, 8);
@ -35,8 +35,7 @@ bool proto_to_signature(const Signature *pb, struct signature *sig)
 	memcpy(sig->s + 16, &pb->s3, 8);
 	memcpy(sig->s + 24, &pb->s4, 8);

-	/* S must be even */
-	return (sig->s[31] & 1) == 0;
+	return sig_valid(sig);
 }

 BitcoinPubkey *pubkey_to_proto(const tal_t *ctx, const struct pubkey *key)