From: Pieter Wuille
To: Gregory Maxwell
Cc: Bitcoin Dev
Date: Mon, 15 Apr 2013 13:51:02 +0200
Message-ID: <20130415115100.GA31477@vps7135.xlshosting.net>
Subject: Re: [Bitcoin-development] Who is creating non-DER signatures?

On Sat, Apr 13, 2013 at 02:58:21PM -0700, Gregory Maxwell wrote:
> I think the latter is unlikely right now— but if the network doesn't
> stop relaying these transactions it seems inevitable.

A patch was just merged in git head to enforce strict encodings for accepting
transactions into the memory pool. As miners and other nodes don't upgrade
immediately (and 0.8.2 isn't even released yet), this means such transactions
will likely still make it into blocks, but will have an increasingly harder
time doing so.

When the rate of non-standard encodings in the block chain has dropped far
enough, we can attempt scheduling a soft forking change to make it required.
At that point, the network rules will no longer depend on OpenSSL's parsers.

As a summary, here are the rules now enforced for acceptance into the memory
pool:

* 0. These rules are only applied for _evaluated_ scripts, as there is no
     guaranteed way to know which data is supposed to be interpreted as a
     public key or signature before actually evaluating the script. This
     means that for example a 1-of-2 multisig can have an incorrectly-encoded
     public key, but still be redeemed if a valid (and correctly encoded)
     signature is given for the other key.
* 1. Public keys are either compressed (0x02 + 32 bytes, or 0x03 + 32 bytes)
     or uncompressed (0x04 + 64 bytes). The non-standard "hybrid" encoding
     supported by OpenSSL is not allowed.
* 2. Signatures are strictly DER-encoded (+ hashtype byte). The format is:
     0x30 0x02 0x02
     * R and S are signed integers, encoded as a big-endian byte sequence.
       They are stored in as few bytes as possible (i.e., no 0x00 padding in
       front), except that a single 0x00 byte is needed and even required
       when the byte following it has its highest bit set, to prevent it
       from being interpreted as a negative number.
     * lenR and lenS are one byte, containing the length of the R and S
       records, respectively.
     * lenT is one byte, containing the length of the complete structure
       following it, starting from the 0x02, up to the S record. Thus, it
       must be equal to lenR + lenS + 4.
     * The hashtype is one byte, and is either 0x01, 0x02, 0x03, 0x81, 0x82
       or 0x83.
     * No padding is allowed before or after the hashtype byte, thus lenT
       is equal to the size of the whole signature minus 3.
* 3. These rules also apply to testnet.

Cheers,

-- 
Pieter
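
Added example, not part of the message above and not Bitcoin's own code: a checker for the signature rules in item 2. It assumes the layout 0x30 lenT 0x02 lenR R 0x02 lenS S hashtype implied by the field descriptions; the function names and sample byte strings are hypothetical.

```python
# Added illustration of the mempool signature rules listed in the message.
# Names are hypothetical; any signatures fed to it here are constructed samples.
ALLOWED_HASHTYPES = {0x01, 0x02, 0x03, 0x81, 0x82, 0x83}

def _check_int(data, pos, name):
    """Validate one 0x02 <len> <value> record at pos; return (next_pos, error)."""
    if pos + 2 > len(data) or data[pos] != 0x02:
        return pos, f"{name}: missing 0x02 integer marker"
    length = data[pos + 1]
    value = data[pos + 2 : pos + 2 + length]
    if length == 0 or len(value) != length:
        return pos, f"{name}: empty or truncated"
    if value[0] & 0x80:
        return pos, f"{name}: high bit set without 0x00 prefix (negative)"
    if value[0] == 0x00 and length > 1 and not value[1] & 0x80:
        return pos, f"{name}: unnecessary 0x00 padding"
    return pos + 2 + length, None

def check_signature(sig: bytes):
    """Return None if sig follows the listed rules, else a reason string."""
    if len(sig) < 9:  # 0x30 lenT + two one-byte integer records + hashtype
        return "too short"
    if sig[0] != 0x30:
        return "missing 0x30 sequence marker"
    if sig[1] != len(sig) - 3:
        return "lenT does not equal signature size minus 3"
    if sig[1] >= 0x80:  # assumption: a one-byte length means DER short form
        return "lenT is not a short-form length"
    body = sig[:-1]  # everything except the trailing hashtype byte
    pos, err = _check_int(body, 2, "R")
    if err:
        return err
    pos, err = _check_int(body, pos, "S")
    if err:
        return err
    if pos != len(body):  # equivalent to lenT == lenR + lenS + 4
        return "lenT does not equal lenR + lenS + 4"
    if sig[-1] not in ALLOWED_HASHTYPES:
        return "hashtype not allowed"
    return None
```

The checker covers encoding only; it does not verify the signature against a key or message.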