fix ec verification for high s values on non-historical data.

2016-04-19 20:10:22 -07:00 · 2016-04-19 20:10:22 -07:00 · 64813d3de1
commit 64813d3de1
parent 4456e468af
3 changed files with 15 additions and 8 deletions
--- a/lib/bcoin/chain.js
+++ b/lib/bcoin/chain.js
@ -863,10 +863,11 @@ Chain.prototype._checkInputs = function _checkInputs(block, prev, flags, callbac
            tx.rhash);
          bcoin.debug('TX:');
          bcoin.debug(tx);
-          bcoin.debug('Input:');
+          bcoin.debug('Input (%d):', j);
          bcoin.debug(tx.inputs[j]);
          bcoin.debug('TX with coins:');
          bcoin.debug(tx.toExtended('hex', true));
+          bcoin.debug('Flags: %d', flags);
          assert(!historical, 'BUG: Invalid inputs in historical data!');
          return callback(new VerifyError(block,
            'invalid',
--- a/lib/bcoin/ec.js
+++ b/lib/bcoin/ec.js
@ -102,11 +102,12 @@ ec.random = function random(size) {
 * @param {Buffer} key
 * @param {Boolean?} - Whether this should be treated as a
 * "historical" signature. This allows signatures to be of
- * odd lengths and high S values.
+ * odd lengths.
+ * @param {Boolean?} high - Allow high S value.
 * @returns {Boolean}
 */

-ec.verify = function verify(msg, sig, key, historical) {
+ec.verify = function verify(msg, sig, key, historical, high) {
  if (!Buffer.isBuffer(sig))
    return false;

@ -130,7 +131,7 @@ ec.verify = function verify(msg, sig, key, historical) {
    if (secp256k1) {
      // secp256k1 fails on high s values. This is
      // bad for verifying historical data.
-      if (historical)
+      if (high)
        sig = ec.toLowS(sig);

      // Import from DER.
@ -138,6 +139,10 @@ ec.verify = function verify(msg, sig, key, historical) {

      return secp256k1.verify(msg, sig, key);
    }
+    // Make elliptic mimic secp256k1's
+    // failure with high S values.
+    if (!high && !ec.isLowS(sig))
+      return false;
    return ec.elliptic.verify(msg, sig, key);
  } catch (e) {
    // if (!ec.publicKeyVerify(key))
--- a/lib/bcoin/script.js
+++ b/lib/bcoin/script.js
@ -4017,6 +4017,7 @@ Script.concat = function concat(scripts) {

 Script.checksig = function checksig(msg, sig, key, flags) {
  var historical = false;
+  var high = false;

  if (flags == null)
    flags = constants.flags.STANDARD_VERIFY_FLAGS;
@ -4024,9 +4025,6 @@ Script.checksig = function checksig(msg, sig, key, flags) {
  if (!Buffer.isBuffer(sig))
    return false;

-  if (sig.length === 0)
-    return false;
-
  // Attempt to normalize the signature
  // length before passing to elliptic.
  // Note: We only do this for historical data!
@ -4037,7 +4035,10 @@ Script.checksig = function checksig(msg, sig, key, flags) {
    historical = true;
  }

-  return bcoin.ec.verify(msg, sig.slice(0, -1), key, historical);
+  if (!(flags & constants.flags.VERIFY_LOW_S))
+    high = true;
+
+  return bcoin.ec.verify(msg, sig.slice(0, -1), key, historical, high);
 };

 /**