Fix DER encoding.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2025-12-23 09:04:22 +01:00 · 2015-06-04 15:46:49 +09:30
parent 623c6562af
commit 17c56a8cfc
7 changed files with 168 additions and 57 deletions
--- a/bitcoin_script.c
+++ b/bitcoin_script.c
@@ -66,23 +66,115 @@ static void add_push_key(u8 **scriptp, const struct pubkey *key)
 	add_push_bytes(scriptp, key->key, pubkey_len(key));
 }

-/* Bitcoin wants DER encoding. */
-static void add_push_sig(u8 **scriptp, const struct signature *sig)
+/* Stolen direct from bitcoin/src/script/sign.cpp:
+// Copyright (c) 2009-2010 Satoshi Nakamoto
+// Copyright (c) 2009-2014 The Bitcoin Core developers
+// Distributed under the MIT software license, see the accompanying
+// file COPYING or http://www.opensource.org/licenses/mit-license.php.
+*/
+static bool IsValidSignatureEncoding(const unsigned char sig[], size_t len)
 {
-	u8 der[2 + 2 + sizeof(sig->r) + 2 + sizeof(sig->s)];
+    // Format: 0x30 [total-length] 0x02 [R-length] [R] 0x02 [S-length] [S] [sighash]
+    // * total-length: 1-byte length descriptor of everything that follows,
+    //   excluding the sighash byte.
+    // * R-length: 1-byte length descriptor of the R value that follows.
+    // * R: arbitrary-length big-endian encoded R value. It must use the shortest
+    //   possible encoding for a positive integers (which means no null bytes at
+    //   the start, except a single one when the next byte has its highest bit set).
+    // * S-length: 1-byte length descriptor of the S value that follows.
+    // * S: arbitrary-length big-endian encoded S value. The same rules apply.
+    // * sighash: 1-byte value indicating what data is hashed (not part of the DER
+    //   signature)

-	der[0] = 0x30; /* Type */
-	der[1] = sizeof(der) - 2; /* Total length */
+    // Minimum and maximum size constraints.
+    if (len < 9) return false;
+    if (len > 73) return false;

-	der[2] = 0x2; /* r value type. */
-	der[3] = sizeof(sig->r); /* r length */
-	memcpy(der+4, sig->r, sizeof(sig->r));
+    // A signature is of type 0x30 (compound).
+    if (sig[0] != 0x30) return false;

-	der[4 + sizeof(sig->r)] = 0x2; /* s value type. */
-	der[4 + sizeof(sig->r) + 1] = sizeof(sig->s); /* s value length. */
-	memcpy(der+4+sizeof(sig->r)+2, sig->s, sizeof(sig->s));
+    // Make sure the length covers the entire signature.
+    if (sig[1] != len - 3) return false;

-	add_push_bytes(scriptp, der, sizeof(der));
+    // Extract the length of the R element.
+    unsigned int lenR = sig[3];
+
+    // Make sure the length of the S element is still inside the signature.
+    if (5 + lenR >= len) return false;
+
+    // Extract the length of the S element.
+    unsigned int lenS = sig[5 + lenR];
+
+    // Verify that the length of the signature matches the sum of the length
+    // of the elements.
+    if ((size_t)(lenR + lenS + 7) != len) return false;
+ 
+    // Check whether the R element is an integer.
+    if (sig[2] != 0x02) return false;
+
+    // Zero-length integers are not allowed for R.
+    if (lenR == 0) return false;
+
+    // Negative numbers are not allowed for R.
+    if (sig[4] & 0x80) return false;
+
+    // Null bytes at the start of R are not allowed, unless R would
+    // otherwise be interpreted as a negative number.
+    if (lenR > 1 && (sig[4] == 0x00) && !(sig[5] & 0x80)) return false;
+
+    // Check whether the S element is an integer.
+    if (sig[lenR + 4] != 0x02) return false;
+
+    // Zero-length integers are not allowed for S.
+    if (lenS == 0) return false;
+
+    // Negative numbers are not allowed for S.
+    if (sig[lenR + 6] & 0x80) return false;
+
+    // Null bytes at the start of S are not allowed, unless S would otherwise be
+    // interpreted as a negative number.
+    if (lenS > 1 && (sig[lenR + 6] == 0x00) && !(sig[lenR + 7] & 0x80)) return false;
+
+    return true;
+}
+
+/* DER encode a value, return length used. */
+static size_t der_encode_val(const u8 *val, u8 *der)
+{
+	size_t len = 0;
+
+	der[len++] = 0x2; /* value type. */
+	/* Add zero byte if it would otherwise be signed. */
+	if (val[0] & 0x80) {
+		der[len++] = 33; /* value length */
+		der[len++] = 0;
+	} else
+		der[len++] = 32; /* value length */
+
+	memcpy(der + len, val, 32);
+	return len + 32;
+}
+	
+/* Bitcoin wants DER encoding. */
+static void add_push_sig(u8 **scriptp, const struct bitcoin_signature *sig)
+{
+	u8 der[2 + 2 + 1 + sizeof(sig->sig.r) + 2 + 1 + sizeof(sig->sig.s) + 1];
+	size_t len = 0;
+
+	der[len++] = 0x30; /* Type */
+	der[len++] = 0; /* Total length after this: fill it at end. */
+
+	len += der_encode_val(sig->sig.r, der + len);
+	len += der_encode_val(sig->sig.s, der + len);
+
+	/* Fix up total length */
+	der[1] = len - 2;
+
+	/* Append sighash type */
+	der[len++] = sig->stype;
+
+	assert(IsValidSignatureEncoding(der, len));
+	add_push_bytes(scriptp, der, len);
 }

 /* FIXME: permute? */
@@ -155,7 +247,7 @@ u8 *scriptpubkey_pay_to_pubkeyhash(const tal_t *ctx,

 u8 *scriptsig_pay_to_pubkeyhash(const tal_t *ctx,
 				const struct pubkey *key,
-				const struct signature *sig)
+				const struct bitcoin_signature *sig)
 {
 	u8 *script = tal_arr(ctx, u8, 0);

@@ -166,8 +258,8 @@ u8 *scriptsig_pay_to_pubkeyhash(const tal_t *ctx,
 }

 u8 *scriptsig_p2sh_2of2(const tal_t *ctx,
-			const struct signature *sig1,
-			const struct signature *sig2,
+			const struct bitcoin_signature *sig1,
+			const struct bitcoin_signature *sig2,
 			const struct pubkey *key1,
 			const struct pubkey *key2)
 {