Accept ECDSA signatures shorter than 71 bytes#69
Open
johnzilla wants to merge 1 commit into
Open
Conversation
ECDSA signatures are not fixed length: a low-S DER signature is shorter than the usual 71 or 72 bytes when r or s serialize to fewer than 32 bytes (roughly 1% of signatures). verify_full_p2wpkh matched the encoded signature length against `71 | 72` and rejected everything else with Error::SignatureLength, so a valid signature that sign_simple itself can produce was rejected by verify_simple. Split the trailing sighash flag off and let from_der validate the remainder rather than gating on length. The empty case is guarded so the slice index cannot panic.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
verify_full_p2wpkhgated the encoded ECDSA signature length on71 | 72and rejected everything else withError::SignatureLength. ECDSA signatures aren't fixed length — a low-S DER signature is shorter than 71 bytes whenrorsserialize to fewer than 32 bytes (~1% of signatures) — so valid signatures thatsign_simpleitself produces were rejected byverify_simple.This peels the trailing sighash flag off and lets
from_dervalidate the remainder instead of gating on length, with an empty-input guard so the slice index can't panic. The taproot path is unchanged.Adds a P2WPKH regression vector (a 70-byte signature); it fails on
masterand passes with this change.cargo fmt --check,cargo clippy --all --all-targets -- --deny warnings, andcargo test --allare green.Fixes #68.