From ce823c9f84a3ab46003d1167ee54ab59b01092d6 Mon Sep 17 00:00:00 2001
From: Felix Lange
Date: Wed, 20 Dec 2017 13:30:00 +0100
Subject: crypto: ensure that VerifySignature rejects malleable signatures (#15708)
* crypto: ensure that VerifySignature rejects malleable signatures
It already rejected them when using libsecp256k1, make sure the nocgo version does the same thing.
* crypto: simplify check
* crypto: fix build
---
 crypto/signature_nocgo.go | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'crypto/signature_nocgo.go')
diff --git a/crypto/signature_nocgo.go b/crypto/signature_nocgo.go
index 78b99c02b..f636b2377 100644
--- a/crypto/signature_nocgo.go
+++ b/crypto/signature_nocgo.go
@@ -87,6 +87,10 @@ func VerifySignature(pubkey, hash, signature []byte) bool {
 if err != nil {
 return false
 }
+ // Reject malleable signatures. libsecp256k1 does this check but btcec doesn't.
+ if sig.S.Cmp(secp256k1_halfN) > 0 {
+ return false
+ }
 return sig.Verify(hash, key)
 }
-- cgit v1.2.3
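Review bot: The comment on the added `sig.S.Cmp(secp256k1_halfN) > 0` check does not say what makes a signature malleable, so a reader has to already know that for any valid (r, s) the pair (r, N-s) also verifies. I would write it as `// Reject high-S signatures (s > N/2): (r, N-s) verifies too, so only the low-S form is accepted. libsecp256k1 enforces this, btcec does not.` The comparison still accepts s equal to `secp256k1_halfN`, which matches the usual low-S rule provided that constant is floor(N/2); it is defined outside this hunk, so that is worth confirming. VerifySignature's doc comment is also outside the hunk and should state the low-S requirement, since signatures produced by other signers will now be rejected on nocgo builds too. Because both backends have to agree on validity, a test vector with s > N/2 run under both build tags would pin this; this view is limited to one file, so such a test may already exist.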