diff options
author | Pieter Wuille <pieter.wuille@gmail.com> | 2013-09-18 23:37:05 +0200 |
---|---|---|
committer | Pieter Wuille <pieter.wuille@gmail.com> | 2013-09-20 09:30:41 +0200 |
commit | e0e14e43d9586409e42919f6cb955540134cda2a (patch) | |
tree | ee5fbee5dedf8615b9f641b5abcd8901a446858e /src | |
parent | 9196f38c8fce3b9f98461f050450a14fd2291015 (diff) |
Use 'low S' as malleability breaker rather than 'even S'
Diffstat (limited to 'src')
-rw-r--r-- | src/key.cpp | 20 |
1 files changed, 11 insertions, 9 deletions
diff --git a/src/key.cpp b/src/key.cpp index 85dc9cda2b..8ef1c414c4 100644 --- a/src/key.cpp +++ b/src/key.cpp @@ -199,17 +199,19 @@ public: ECDSA_SIG *sig = ECDSA_do_sign((unsigned char*)&hash, sizeof(hash), pkey); if (sig == NULL) return false; - if (BN_is_odd(sig->s)) { - // enforce even S values, by negating the value (modulo the order) if odd - BN_CTX *ctx = BN_CTX_new(); - BN_CTX_start(ctx); - const EC_GROUP *group = EC_KEY_get0_group(pkey); - BIGNUM *order = BN_CTX_get(ctx); - EC_GROUP_get_order(group, order, ctx); + BN_CTX *ctx = BN_CTX_new(); + BN_CTX_start(ctx); + const EC_GROUP *group = EC_KEY_get0_group(pkey); + BIGNUM *order = BN_CTX_get(ctx); + BIGNUM *halforder = BN_CTX_get(ctx); + EC_GROUP_get_order(group, order, ctx); + BN_rshift1(halforder, order); + if (BN_cmp(sig->s, halforder) > 0) { + // enforce low S values, by negating the value (modulo the order) if above order/2. BN_sub(sig->s, order, sig->s); - BN_CTX_end(ctx); - BN_CTX_free(ctx); } + BN_CTX_end(ctx); + BN_CTX_free(ctx); unsigned int nSize = ECDSA_size(pkey); vchSig.resize(nSize); // Make sure it is big enough unsigned char *pos = &vchSig[0]; |