From ce823c9f84a3ab46003d1167ee54ab59b01092d6 Mon Sep 17 00:00:00 2001 From: Felix Lange Date: Wed, 20 Dec 2017 13:30:00 +0100 Subject: [PATCH] crypto: ensure that VerifySignature rejects malleable signatures (#15708) * crypto: ensure that VerifySignature rejects malleable signatures It already rejected them when using libsecp256k1, make sure the nocgo version does the same thing. * crypto: simplify check * crypto: fix build --- crypto/signature_nocgo.go | 4 ++++ crypto/signature_test.go | 10 ++++++++++ 2 files changed, 14 insertions(+) diff --git a/crypto/signature_nocgo.go b/crypto/signature_nocgo.go index 78b99c02b0..f636b23772 100644 --- a/crypto/signature_nocgo.go +++ b/crypto/signature_nocgo.go @@ -87,6 +87,10 @@ func VerifySignature(pubkey, hash, signature []byte) bool { if err != nil { return false } + // Reject malleable signatures. libsecp256k1 does this check but btcec doesn't. + if sig.S.Cmp(secp256k1_halfN) > 0 { + return false + } return sig.Verify(hash, key) } diff --git a/crypto/signature_test.go b/crypto/signature_test.go index 5e2efc7e05..aecff76bfb 100644 --- a/crypto/signature_test.go +++ b/crypto/signature_test.go @@ -75,6 +75,16 @@ func TestVerifySignature(t *testing.T) { } } +// This test checks that VerifySignature rejects malleable signatures with s > N/2. +func TestVerifySignatureMalleable(t *testing.T) { + sig := hexutil.MustDecode("0x638a54215d80a6713c8d523a6adc4e6e73652d859103a36b700851cb0e61b66b8ebfc1a610c57d732ec6e0a8f06a9a7a28df5051ece514702ff9cdff0b11f454") + key := hexutil.MustDecode("0x03ca634cae0d49acb401d8a4c6b6fe8c55b70d115bf400769cc1400f3258cd3138") + msg := hexutil.MustDecode("0xd301ce462d3e639518f482c7f03821fec1e602018630ce621e1e7851c12343a6") + if VerifySignature(key, msg, sig) { + t.Error("VerifySignature returned true for malleable signature") + } +} + func TestDecompressPubkey(t *testing.T) { key, err := DecompressPubkey(testpubkeyc) if err != nil {