|
|
@ -93,76 +93,76 @@ bool static IsCompressedOrUncompressedPubKey(const valtype &vchPubKey) { |
|
|
|
* in which case a single 0 byte is necessary and even required). |
|
|
|
* in which case a single 0 byte is necessary and even required). |
|
|
|
* |
|
|
|
* |
|
|
|
* See https://bitcointalk.org/index.php?topic=8392.msg127623#msg127623
|
|
|
|
* See https://bitcointalk.org/index.php?topic=8392.msg127623#msg127623
|
|
|
|
|
|
|
|
* |
|
|
|
|
|
|
|
* This function is consensus-critical since BIP66. |
|
|
|
*/ |
|
|
|
*/ |
|
|
|
bool static IsDERSignature(const valtype &vchSig) { |
|
|
|
bool static IsValidSignatureEncoding(const std::vector<unsigned char> &sig) { |
|
|
|
|
|
|
|
// Format: 0x30 [total-length] 0x02 [R-length] [R] 0x02 [S-length] [S] [sighash]
|
|
|
|
|
|
|
|
// * total-length: 1-byte length descriptor of everything that follows,
|
|
|
|
|
|
|
|
// excluding the sighash byte.
|
|
|
|
|
|
|
|
// * R-length: 1-byte length descriptor of the R value that follows.
|
|
|
|
|
|
|
|
// * R: arbitrary-length big-endian encoded R value. It must use the shortest
|
|
|
|
|
|
|
|
// possible encoding for a positive integers (which means no null bytes at
|
|
|
|
|
|
|
|
// the start, except a single one when the next byte has its highest bit set).
|
|
|
|
|
|
|
|
// * S-length: 1-byte length descriptor of the S value that follows.
|
|
|
|
|
|
|
|
// * S: arbitrary-length big-endian encoded S value. The same rules apply.
|
|
|
|
|
|
|
|
// * sighash: 1-byte value indicating what data is hashed (not part of the DER
|
|
|
|
|
|
|
|
// signature)
|
|
|
|
|
|
|
|
|
|
|
|
if (vchSig.size() < 9) { |
|
|
|
// Minimum and maximum size constraints.
|
|
|
|
// Non-canonical signature: too short
|
|
|
|
if (sig.size() < 9) return false; |
|
|
|
return false; |
|
|
|
if (sig.size() > 73) return false; |
|
|
|
} |
|
|
|
|
|
|
|
if (vchSig.size() > 73) { |
|
|
|
|
|
|
|
// Non-canonical signature: too long
|
|
|
|
|
|
|
|
return false; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
if (vchSig[0] != 0x30) { |
|
|
|
|
|
|
|
// Non-canonical signature: wrong type
|
|
|
|
|
|
|
|
return false; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
if (vchSig[1] != vchSig.size()-3) { |
|
|
|
|
|
|
|
// Non-canonical signature: wrong length marker
|
|
|
|
|
|
|
|
return false; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
unsigned int nLenR = vchSig[3]; |
|
|
|
|
|
|
|
if (5 + nLenR >= vchSig.size()) { |
|
|
|
|
|
|
|
// Non-canonical signature: S length misplaced
|
|
|
|
|
|
|
|
return false; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
unsigned int nLenS = vchSig[5+nLenR]; |
|
|
|
|
|
|
|
if ((unsigned long)(nLenR+nLenS+7) != vchSig.size()) { |
|
|
|
|
|
|
|
// Non-canonical signature: R+S length mismatch
|
|
|
|
|
|
|
|
return false; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
const unsigned char *R = &vchSig[4]; |
|
|
|
// A signature is of type 0x30 (compound).
|
|
|
|
if (R[-2] != 0x02) { |
|
|
|
if (sig[0] != 0x30) return false; |
|
|
|
// Non-canonical signature: R value type mismatch
|
|
|
|
|
|
|
|
return false; |
|
|
|
// Make sure the length covers the entire signature.
|
|
|
|
} |
|
|
|
if (sig[1] != sig.size() - 3) return false; |
|
|
|
if (nLenR == 0) { |
|
|
|
|
|
|
|
// Non-canonical signature: R length is zero
|
|
|
|
// Extract the length of the R element.
|
|
|
|
return false; |
|
|
|
unsigned int lenR = sig[3]; |
|
|
|
} |
|
|
|
|
|
|
|
if (R[0] & 0x80) { |
|
|
|
// Make sure the length of the S element is still inside the signature.
|
|
|
|
// Non-canonical signature: R value negative
|
|
|
|
if (5 + lenR >= sig.size()) return false; |
|
|
|
return false; |
|
|
|
|
|
|
|
} |
|
|
|
// Extract the length of the S element.
|
|
|
|
if (nLenR > 1 && (R[0] == 0x00) && !(R[1] & 0x80)) { |
|
|
|
unsigned int lenS = sig[5 + lenR]; |
|
|
|
// Non-canonical signature: R value excessively padded
|
|
|
|
|
|
|
|
return false; |
|
|
|
// Verify that the length of the signature matches the sum of the length
|
|
|
|
} |
|
|
|
// of the elements.
|
|
|
|
|
|
|
|
if ((size_t)(lenR + lenS + 7) != sig.size()) return false; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// Check whether the R element is an integer.
|
|
|
|
|
|
|
|
if (sig[2] != 0x02) return false; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// Zero-length integers are not allowed for R.
|
|
|
|
|
|
|
|
if (lenR == 0) return false; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// Negative numbers are not allowed for R.
|
|
|
|
|
|
|
|
if (sig[4] & 0x80) return false; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// Null bytes at the start of R are not allowed, unless R would
|
|
|
|
|
|
|
|
// otherwise be interpreted as a negative number.
|
|
|
|
|
|
|
|
if (lenR > 1 && (sig[4] == 0x00) && !(sig[5] & 0x80)) return false; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// Check whether the S element is an integer.
|
|
|
|
|
|
|
|
if (sig[lenR + 4] != 0x02) return false; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// Zero-length integers are not allowed for S.
|
|
|
|
|
|
|
|
if (lenS == 0) return false; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// Negative numbers are not allowed for S.
|
|
|
|
|
|
|
|
if (sig[lenR + 6] & 0x80) return false; |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
// Null bytes at the start of S are not allowed, unless S would otherwise be
|
|
|
|
|
|
|
|
// interpreted as a negative number.
|
|
|
|
|
|
|
|
if (lenS > 1 && (sig[lenR + 6] == 0x00) && !(sig[lenR + 7] & 0x80)) return false; |
|
|
|
|
|
|
|
|
|
|
|
const unsigned char *S = &vchSig[6+nLenR]; |
|
|
|
|
|
|
|
if (S[-2] != 0x02) { |
|
|
|
|
|
|
|
// Non-canonical signature: S value type mismatch
|
|
|
|
|
|
|
|
return false; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
if (nLenS == 0) { |
|
|
|
|
|
|
|
// Non-canonical signature: S length is zero
|
|
|
|
|
|
|
|
return false; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
if (S[0] & 0x80) { |
|
|
|
|
|
|
|
// Non-canonical signature: S value negative
|
|
|
|
|
|
|
|
return false; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
if (nLenS > 1 && (S[0] == 0x00) && !(S[1] & 0x80)) { |
|
|
|
|
|
|
|
// Non-canonical signature: S value excessively padded
|
|
|
|
|
|
|
|
return false; |
|
|
|
|
|
|
|
} |
|
|
|
|
|
|
|
return true; |
|
|
|
return true; |
|
|
|
} |
|
|
|
} |
|
|
|
|
|
|
|
|
|
|
|
bool static IsLowDERSignature(const valtype &vchSig, ScriptError* serror) { |
|
|
|
bool static IsLowDERSignature(const valtype &vchSig, ScriptError* serror) { |
|
|
|
if (!IsDERSignature(vchSig)) { |
|
|
|
if (!IsValidSignatureEncoding(vchSig)) { |
|
|
|
return set_error(serror, SCRIPT_ERR_SIG_DER); |
|
|
|
return set_error(serror, SCRIPT_ERR_SIG_DER); |
|
|
|
} |
|
|
|
} |
|
|
|
unsigned int nLenR = vchSig[3]; |
|
|
|
unsigned int nLenR = vchSig[3]; |
|
|
@ -194,7 +194,7 @@ bool static CheckSignatureEncoding(const valtype &vchSig, unsigned int flags, Sc |
|
|
|
if (vchSig.size() == 0) { |
|
|
|
if (vchSig.size() == 0) { |
|
|
|
return true; |
|
|
|
return true; |
|
|
|
} |
|
|
|
} |
|
|
|
if ((flags & (SCRIPT_VERIFY_DERSIG | SCRIPT_VERIFY_LOW_S | SCRIPT_VERIFY_STRICTENC)) != 0 && !IsDERSignature(vchSig)) { |
|
|
|
if ((flags & (SCRIPT_VERIFY_DERSIG | SCRIPT_VERIFY_LOW_S | SCRIPT_VERIFY_STRICTENC)) != 0 && !IsValidSignatureEncoding(vchSig)) { |
|
|
|
return set_error(serror, SCRIPT_ERR_SIG_DER); |
|
|
|
return set_error(serror, SCRIPT_ERR_SIG_DER); |
|
|
|
} else if ((flags & SCRIPT_VERIFY_LOW_S) != 0 && !IsLowDERSignature(vchSig, serror)) { |
|
|
|
} else if ((flags & SCRIPT_VERIFY_LOW_S) != 0 && !IsLowDERSignature(vchSig, serror)) { |
|
|
|
// serror is set
|
|
|
|
// serror is set
|
|
|
|