author | Pieter Wuille <pieter.wuille@gmail.com> | 2014-02-07 02:19:48 +0100 |
---|---|---|
committer | Pieter Wuille <sipa@ulyssis.org> | 2014-03-10 20:38:32 +0100 |
commit | 6fd7ef2bbf1f941c8dee302ffdeb44e603148723 (patch) | |
tree | 76cebc090b484368a68781cb393b1e1be7ad1717 /src/script.cpp | |
parent | a63f8b7b36e39722024a0ba061ca214f00a8f1bd (diff) |
Also switch the (unused) verification code to low-s instead of even-s.
a81cd968 introduced a malleability breaker for signatures
(using an even value for S). In e0e14e43 this was changed to
the lower of two potential values, rather than the even one.
Only the signing code was changed though, the (for now unused)
verification code wasn't adapted.
Diffstat (limited to 'src/script.cpp')
-rw-r--r-- | src/script.cpp | 9 |
1 files changed, 6 insertions, 3 deletions
diff --git a/src/script.cpp b/src/script.cpp
index 810ba16d28..84a2a629e8 100644
--- a/src/script.cpp
+++ b/src/script.cpp
@@ -296,9 +296,12 @@ bool IsCanonicalSignature(const valtype &vchSig, unsigned int flags) {
 if (nLenS > 1 && (S[0] == 0x00) && !(S[1] & 0x80))
 return error("Non-canonical signature: S value excessively padded");
- if (flags & SCRIPT_VERIFY_EVEN_S) {
- if (S[nLenS-1] & 1)
- return error("Non-canonical signature: S value odd");
+ if (flags & SCRIPT_VERIFY_LOW_S) {
+ // If the S value is above the order of the curve divided by two, its
+ // complement modulo the order could have been used instead, which is
+ // one byte shorter when encoded correctly.
+ if (!CKey::CheckSignatureElement(S, nLenS, true))
+ return error("Non-canonical signature: S value is unnecessarily high");
 }
 return true; |
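Review bot: The comment added in the `SCRIPT_VERIFY_LOW_S` branch justifies the check by encoding length, while the commit message gives malleability as the reason: S and its complement modulo the order both verify, and rejecting the higher one is what leaves a single acceptable form. The "one byte shorter" statement also appears not to hold for every S above half the order, so I would reword the comment to `// S and (order - S) are both valid for the same message; accept only the lower` `// one so the signature cannot be altered by a third party and still verify.` The bare `true` passed to `CKey::CheckSignatureElement` is opaque at the call site; assuming it selects the half-order bound (the helper is not in this hunk), a short `/* half order */` annotation next to it would make that readable. `IsCanonicalSignature` begins above the hunk, so the bounds on `S` and `nLenS` are presumed to be established by the earlier checks.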