Topic: Is there any scenario where rlen=0/r=0 or slen=0/s=0 wouldn't fail CheckSig? (Read 120 times)

legendary
Activity: 3472
Merit: 10611
No, that line is checking to see if there are any bytes left in the array/stream (called input) it is reading from, before it reads the "lenbyte" value, which is the rlen and could have a value of zero itself.
legendary
Activity: 1568
Merit: 6660
Doesn't this code in [1] close to the function beginning already check for zero r-lengths?

Code:
    /* Integer length for R */
    if (pos == inputlen) {
        return 0;
    }
legendary
Activity: 3472
Merit: 10611
Looking at the code, when parsing dersig [1], if the r or s length or value is equal to zero, the parser still returns true. Ignoring the strict DER encoding enforcement (e.g. pre-activation of BIP66), the code eventually ends up here [2], where it would reject the zero r/s values.

My question is if there is any scenario where, somewhere in the middle of going from [1] to [2], it would ignore ECDSA verification and return true?
Or a better way of asking this question is: why doesn't the parser in [1] just reject invalid signatures (e.g. rlen=0) and return false right there instead of letting it go to [2]?

[1] https://github.com/bitcoin/bitcoin/blob/e7a0e9627196655be5aa6c2738d4b57646a03726/src/pubkey.cpp#L35
[2] https://github.com/bitcoin/bitcoin/blob/c06cda3e48e9826043ebc5790a7bb505bfbf368c/src/secp256k1/src/ecdsa_impl.h#L216
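
The distinction discussed in this thread, as an added example that is not part of any post and is not Bitcoin Core or libsecp256k1 code: a "no bytes left" check fails only on truncated input, so a length byte of zero still parses and the zero value is caught by a later range check. All names (`read_int`, `is_zero`, `classify`) and the byte strings are constructed for illustration; the sketch handles short-form lengths only and omits the outer SEQUENCE header.

```c
#include <stdio.h>
#include <string.h>

/* Constructed inputs: two DER INTEGERs (r then s), SEQUENCE header omitted. */
static const unsigned char RLEN_ZERO[]  = {0x02, 0x00, 0x02, 0x01, 0x05};
static const unsigned char R_VAL_ZERO[] = {0x02, 0x01, 0x00, 0x02, 0x01, 0x05};
static const unsigned char TRUNCATED[]  = {0x02};
static const unsigned char NONZERO[]    = {0x02, 0x01, 0x07, 0x02, 0x01, 0x05};

/* Hypothetical lax reader for one INTEGER into a 32-byte big-endian buffer. */
static int read_int(const unsigned char *in, size_t inlen, size_t *pos,
                    unsigned char out[32]) {
    size_t len;
    memset(out, 0, 32);
    if (*pos == inlen || in[(*pos)++] != 0x02) return 0; /* missing/wrong tag */
    if (*pos == inlen) return 0;        /* no byte left to hold the length */
    len = in[(*pos)++];                 /* the length byte itself may be 0 */
    if (len >= 0x80 || len > inlen - *pos) return 0; /* long form or overrun */
    while (len > 0 && in[*pos] == 0) { (*pos)++; len--; } /* leading zeros */
    if (len > 32) return 0;             /* this sketch rejects oversize values */
    memcpy(out + 32 - len, in + *pos, len);
    *pos += len;
    return 1;
}

/* Returns 1 when all 32 bytes are zero. */
static int is_zero(const unsigned char v[32]) {
    unsigned char acc = 0;
    for (int i = 0; i < 32; i++) acc |= v[i];
    return acc == 0;
}

/* 0 = parser fails, 1 = parses but the zero check rejects, 2 = passes both.
   A real verifier also checks the upper bound and the signature equation. */
int classify(const unsigned char *in, size_t inlen) {
    unsigned char r[32], s[32];
    size_t pos = 0;
    if (!read_int(in, inlen, &pos, r) || !read_int(in, inlen, &pos, s)) return 0;
    return (is_zero(r) || is_zero(s)) ? 1 : 2;
}

int main(void) {
    printf("rlen=0:    %d\n", classify(RLEN_ZERO, sizeof RLEN_ZERO));
    printf("r=0:       %d\n", classify(R_VAL_ZERO, sizeof R_VAL_ZERO));
    printf("truncated: %d\n", classify(TRUNCATED, sizeof TRUNCATED));
    printf("nonzero:   %d\n", classify(NONZERO, sizeof NONZERO));
    return 0;
}
```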