|
|
|
@ -75,16 +75,38 @@ static void dump_tx(const char *msg UNUSED, |
|
|
|
} |
|
|
|
#endif |
|
|
|
|
|
|
|
/* Taken from https://github.com/bitcoin/bitcoin/blob/master/src/key.cpp */ |
|
|
|
/* Check that the sig has a low R value and will be less than 71 bytes */ |
|
|
|
static bool sig_has_low_r(const secp256k1_ecdsa_signature* sig) |
|
|
|
{ |
|
|
|
unsigned char compact_sig[64]; |
|
|
|
secp256k1_ecdsa_signature_serialize_compact(secp256k1_ctx, compact_sig, sig); |
|
|
|
|
|
|
|
/* In DER serialization, all values are interpreted as big-endian, signed
|
|
|
|
* integers. The highest bit in the integer indicates its signed-ness; 0 is |
|
|
|
* positive, 1 is negative. When the value is interpreted as a negative |
|
|
|
* integer, it must be converted to a positive value by prepending a 0x00 |
|
|
|
* byte so that the highest bit is 0. We can avoid this prepending by |
|
|
|
* ensuring that our highest bit is always 0, and thus we must check that |
|
|
|
* the first byte is less than 0x80. */ |
|
|
|
return compact_sig[0] < 0x80; |
|
|
|
} |
|
|
|
|
|
|
|
void sign_hash(const struct privkey *privkey, |
|
|
|
const struct sha256_double *h, |
|
|
|
secp256k1_ecdsa_signature *s) |
|
|
|
{ |
|
|
|
bool ok; |
|
|
|
|
|
|
|
ok = secp256k1_ecdsa_sign(secp256k1_ctx, |
|
|
|
s, |
|
|
|
h->sha.u.u8, |
|
|
|
privkey->secret.data, NULL, NULL); |
|
|
|
unsigned char extra_entropy[32] = {0}; |
|
|
|
|
|
|
|
/* Grind for low R */ |
|
|
|
do { |
|
|
|
ok = secp256k1_ecdsa_sign(secp256k1_ctx, |
|
|
|
s, |
|
|
|
h->sha.u.u8, |
|
|
|
privkey->secret.data, NULL, extra_entropy); |
|
|
|
((u32 *)extra_entropy)[0]++; |
|
|
|
} while (!sig_has_low_r(s)); |
|
|
|
assert(ok); |
|
|
|
} |
|
|
|
|
|
|
|
|
gorazdko
5 years ago
neil saitug