diff options
| author | Pieter Wuille <pieter.wuille@gmail.com> | 2013-09-23 06:05:29 -0700 |
|---|---|---|
| committer | Pieter Wuille <pieter.wuille@gmail.com> | 2013-09-23 06:05:29 -0700 |
| commit | a28fb70e45d764e558966ba3b02bd16e02b11c14 (patch) | |
| tree | 26cd568be6055e4c7f36c1db1587476b6ba2e7ca /src | |
| parent | 8e782e924e447b0dd4ba948243c6fa09ddb0fec0 (diff) | |
| parent | e0e14e43d9586409e42919f6cb955540134cda2a (diff) | |
Merge pull request #3016 from sipa/lows
Use 'low S' as malleability breaker rather than 'even S'
Diffstat (limited to 'src')
| -rw-r--r-- | src/key.cpp | 20 |
1 files changed, 11 insertions, 9 deletions
diff --git a/src/key.cpp b/src/key.cpp index 85dc9cda2b..8ef1c414c4 100644 --- a/src/key.cpp +++ b/src/key.cpp @@ -199,17 +199,19 @@ public: ECDSA_SIG *sig = ECDSA_do_sign((unsigned char*)&hash, sizeof(hash), pkey); if (sig == NULL) return false; - if (BN_is_odd(sig->s)) { - // enforce even S values, by negating the value (modulo the order) if odd - BN_CTX *ctx = BN_CTX_new(); - BN_CTX_start(ctx); - const EC_GROUP *group = EC_KEY_get0_group(pkey); - BIGNUM *order = BN_CTX_get(ctx); - EC_GROUP_get_order(group, order, ctx); + BN_CTX *ctx = BN_CTX_new(); + BN_CTX_start(ctx); + const EC_GROUP *group = EC_KEY_get0_group(pkey); + BIGNUM *order = BN_CTX_get(ctx); + BIGNUM *halforder = BN_CTX_get(ctx); + EC_GROUP_get_order(group, order, ctx); + BN_rshift1(halforder, order); + if (BN_cmp(sig->s, halforder) > 0) { + // enforce low S values, by negating the value (modulo the order) if above order/2. BN_sub(sig->s, order, sig->s); - BN_CTX_end(ctx); - BN_CTX_free(ctx); } + BN_CTX_end(ctx); + BN_CTX_free(ctx); unsigned int nSize = ECDSA_size(pkey); vchSig.resize(nSize); // Make sure it is big enough unsigned char *pos = &vchSig[0]; |