status-im
/
secp256k1
mirror of https://github.com/status-im/secp256k1.git
2
0
Fork 0
Code Issues Projects Releases Wiki Activity

Break malleability by producing S <= order/2

This commit is contained in:
Pieter Wuille 2013-09-19 00:58:42 +02:00
parent 350ade2ab4
commit d0b33489f2
3 changed files with 6 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
src/group.h
View File

@ -26,6 +26,7 @@ typedef struct {
/** Global constants related to the group */
typedef struct {
secp256k1_num_t order; // the order of the curve (= order of its generator)
secp256k1_num_t half_order; // half the order of the curve (= order of its generator)
secp256k1_ge_t g; // the generator point
// constants related to secp256k1's efficiently computable endomorphism

2
src/impl/ecdsa.h
View File

@ -187,7 +187,7 @@ int static secp256k1_ecdsa_sig_sign(secp256k1_ecdsa_sig_t *sig, const secp256k1_
secp256k1_num_free(&n);
if (secp256k1_num_is_zero(&sig->s))
return 0;
if (secp256k1_num_is_odd(&sig->s)) {
if (secp256k1_num_cmp(&sig->s, &c->half_order) > 0) {
secp256k1_num_sub(&sig->s, &c->order, &sig->s);
if (recid)
*recid ^= 1;

4
src/impl/group.h
View File

@ -359,6 +359,7 @@ void static secp256k1_ge_start(void) {
if (secp256k1_ge_consts == NULL) {
secp256k1_ge_consts_t *ret = (secp256k1_ge_consts_t*)malloc(sizeof(secp256k1_ge_consts_t));
secp256k1_num_init(&ret->order);
secp256k1_num_init(&ret->half_order);
secp256k1_num_init(&ret->lambda);
secp256k1_num_init(&ret->a1b2);
secp256k1_num_init(&ret->a2);
@ -368,6 +369,8 @@ void static secp256k1_ge_start(void) {
secp256k1_num_set_bin(&ret->a1b2, secp256k1_ge_consts_a1b2, sizeof(secp256k1_ge_consts_a1b2));
secp256k1_num_set_bin(&ret->a2, secp256k1_ge_consts_a2, sizeof(secp256k1_ge_consts_a2));
secp256k1_num_set_bin(&ret->b1, secp256k1_ge_consts_b1, sizeof(secp256k1_ge_consts_b1));
secp256k1_num_copy(&ret->half_order, &ret->order);
secp256k1_num_shift(&ret->half_order, 1);
secp256k1_fe_set_b32(&ret->beta, secp256k1_ge_consts_beta);
secp256k1_fe_t g_x, g_y;
secp256k1_fe_set_b32(&g_x, secp256k1_ge_consts_g_x);
@ -381,6 +384,7 @@ void static secp256k1_ge_stop(void) {
if (secp256k1_ge_consts != NULL) {
secp256k1_ge_consts_t *c = (secp256k1_ge_consts_t*)secp256k1_ge_consts;
secp256k1_num_free(&c->order);
secp256k1_num_free(&c->half_order);
secp256k1_num_free(&c->lambda);
secp256k1_num_free(&c->a1b2);
secp256k1_num_free(&c->a2);