aboutsummaryrefslogtreecommitdiffstats
path: root/crypto
diff options
context:
space:
mode:
Diffstat (limited to 'crypto')
-rw-r--r--crypto/signature_nocgo.go4
-rw-r--r--crypto/signature_test.go10
2 files changed, 14 insertions, 0 deletions
diff --git a/crypto/signature_nocgo.go b/crypto/signature_nocgo.go
index 78b99c02b..f636b2377 100644
--- a/crypto/signature_nocgo.go
+++ b/crypto/signature_nocgo.go
@@ -87,6 +87,10 @@ func VerifySignature(pubkey, hash, signature []byte) bool {
if err != nil {
return false
}
+ // Reject malleable signatures. libsecp256k1 does this check but btcec doesn't.
+ if sig.S.Cmp(secp256k1_halfN) > 0 {
+ return false
+ }
return sig.Verify(hash, key)
}
diff --git a/crypto/signature_test.go b/crypto/signature_test.go
index 5e2efc7e0..aecff76bf 100644
--- a/crypto/signature_test.go
+++ b/crypto/signature_test.go
@@ -75,6 +75,16 @@ func TestVerifySignature(t *testing.T) {
}
}
+// This test checks that VerifySignature rejects malleable signatures with s > N/2.
+func TestVerifySignatureMalleable(t *testing.T) {
+ sig := hexutil.MustDecode("0x638a54215d80a6713c8d523a6adc4e6e73652d859103a36b700851cb0e61b66b8ebfc1a610c57d732ec6e0a8f06a9a7a28df5051ece514702ff9cdff0b11f454")
+ key := hexutil.MustDecode("0x03ca634cae0d49acb401d8a4c6b6fe8c55b70d115bf400769cc1400f3258cd3138")
+ msg := hexutil.MustDecode("0xd301ce462d3e639518f482c7f03821fec1e602018630ce621e1e7851c12343a6")
+ if VerifySignature(key, msg, sig) {
+ t.Error("VerifySignature returned true for malleable signature")
+ }
+}
+
func TestDecompressPubkey(t *testing.T) {
key, err := DecompressPubkey(testpubkeyc)
if err != nil {