Merge pull request #3637

6fd7ef2 Also switch the (unused) verification code to low-s instead of even-s. (Pieter Wuille)
author: Wladimir J. van der Laan <laanwj@gmail.com> 2014-05-09 16:24:46 +0200
committer: Wladimir J. van der Laan <laanwj@gmail.com> 2014-05-09 16:24:57 +0200
commit: 72f754cf51d09ea9c3daec398da7a8ca7fce8d6e (patch)
tree: 39835783d027e3d879d9ac3fd9e94fbf049fcd5a /src/script.cpp
parent: 54f102248b183618ed7bd198c995232c89dc3152 (diff)
parent: 6fd7ef2bbf1f941c8dee302ffdeb44e603148723 (diff)
download: bitcoin-72f754cf51d09ea9c3daec398da7a8ca7fce8d6e.tar.xz
1 files changed, 6 insertions, 3 deletions
diff --git a/src/script.cpp b/src/script.cpp
index 4e2eeaf075..ac6d4b316f 100644
--- a/src/script.cpp
+++ b/src/script.cpp
@@ -286,9 +286,12 @@ bool IsCanonicalSignature(const valtype &vchSig, unsigned int flags) {
     if (nLenS > 1 && (S[0] == 0x00) && !(S[1] & 0x80))
         return error("Non-canonical signature: S value excessively padded");
 
-    if (flags & SCRIPT_VERIFY_EVEN_S) {
-        if (S[nLenS-1] & 1)
-            return error("Non-canonical signature: S value odd");
+    if (flags & SCRIPT_VERIFY_LOW_S) {
+        // If the S value is above the order of the curve divided by two, its
+        // complement modulo the order could have been used instead, which is
+        // one byte shorter when encoded correctly.
+        if (!CKey::CheckSignatureElement(S, nLenS, true))
+            return error("Non-canonical signature: S value is unnecessarily high");
     }
 
     return true;
author	Wladimir J. van der Laan <laanwj@gmail.com>	2014-05-09 16:24:46 +0200
committer	Wladimir J. van der Laan <laanwj@gmail.com>	2014-05-09 16:24:57 +0200
commit	72f754cf51d09ea9c3daec398da7a8ca7fce8d6e (patch)
tree	39835783d027e3d879d9ac3fd9e94fbf049fcd5a /src/script.cpp
parent	54f102248b183618ed7bd198c995232c89dc3152 (diff)
parent	6fd7ef2bbf1f941c8dee302ffdeb44e603148723 (diff)
download	bitcoin-72f754cf51d09ea9c3daec398da7a8ca7fce8d6e.tar.xz