NoBey/openzeppelin-contracts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix ECDSA signature malleability (#3610)

Browse Source
This commit is contained in:
Francisco
2022-08-10 15:40:03 -03:00
committed by GitHub
parent ff16696c9c
commit d693d89d99
3 changed files with 16 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
CHANGELOG.md
View File

@ -18,6 +18,12 @@
ERC-721 integrators that interpret contract state from events should make sure that they implement the clearing of approval that is implicit in every transfer according to the EIP. Previous versions of OpenZeppellin Contracts emitted an explicit `Approval` event even though it was not required by the specification, and this is no longer the case. ERC-721 integrators that interpret contract state from events should make sure that they implement the clearing of approval that is implicit in every transfer according to the EIP. Previous versions of OpenZeppellin Contracts emitted an explicit `Approval` event even though it was not required by the specification, and this is no longer the case.
## 4.7.3
### Breaking changes
* `ECDSA`: `recover(bytes32,bytes)` and `tryRecover(bytes32,bytes)` no longer accept compact signatures to prevent malleability. Compact signature support remains available using `recover(bytes32,bytes32,bytes32)` and `tryRecover(bytes32,bytes32,bytes32)`.
## 4.7.2 ## 4.7.2
* `LibArbitrumL2`, `CrossChainEnabledArbitrumL2`: Fixed detection of cross-chain calls for EOAs. Previously, calls from EOAs would be classified as cross-chain calls. ([#3578](https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3578)) * `LibArbitrumL2`, `CrossChainEnabledArbitrumL2`: Fixed detection of cross-chain calls for EOAs. Previously, calls from EOAs would be classified as cross-chain calls. ([#3578](https://github.com/OpenZeppelin/openzeppelin-contracts/pull/3578))

14
contracts/utils/cryptography/ECDSA.sol
View File

@ -55,9 +55,6 @@ library ECDSA {
* _Available since v4.3._ * _Available since v4.3._
*/ */
function tryRecover(bytes32 hash, bytes memory signature) internal pure returns (address, RecoverError) { function tryRecover(bytes32 hash, bytes memory signature) internal pure returns (address, RecoverError) {
// Check the signature length
// - case 65: r,s,v signature (standard)
// - case 64: r,vs signature (cf https://eips.ethereum.org/EIPS/eip-2098) _Available since v4.1._
if (signature.length == 65) { if (signature.length == 65) {
bytes32 r; bytes32 r;
bytes32 s; bytes32 s;
@ -71,17 +68,6 @@ library ECDSA {
v := byte(0, mload(add(signature, 0x60))) v := byte(0, mload(add(signature, 0x60)))
} }
return tryRecover(hash, v, r, s); return tryRecover(hash, v, r, s);
} else if (signature.length == 64) {
bytes32 r;
bytes32 vs;
// ecrecover takes the signature parameters, and the only way to get them
// currently is to use assembly.
/// @solidity memory-safe-assembly
assembly {
r := mload(add(signature, 0x20))
vs := mload(add(signature, 0x40))
}
return tryRecover(hash, r, vs);
} else { } else {
return (address(0), RecoverError.InvalidSignatureLength); return (address(0), RecoverError.InvalidSignatureLength);
} }

26
test/utils/cryptography/ECDSA.test.js
View File

@ -22,16 +22,6 @@ function to2098Format (signature) {
return web3.utils.bytesToHex(short); return web3.utils.bytesToHex(short);
} }
function from2098Format (signature) {
const short = web3.utils.hexToBytes(signature);
if (short.length !== 64) {
throw new Error('invalid signature length (expected short format)');
}
short.push((short[32] >> 7) + 27);
short[32] &= (1 << 7) - 1; // zero out the first bit of 1 the 32nd byte
return web3.utils.bytesToHex(short);
}
function split (signature) { function split (signature) {
const raw = web3.utils.hexToBytes(signature); const raw = web3.utils.hexToBytes(signature);
switch (raw.length) { switch (raw.length) {
@ -144,11 +134,13 @@ contract('ECDSA', function (accounts) {
); );
}); });
it('works with short EIP2098 format', async function () { it('rejects short EIP2098 format', async function () {
const version = '1b'; // 27 = 1b. const version = '1b'; // 27 = 1b.
const signature = signatureWithoutVersion + version; const signature = signatureWithoutVersion + version;
expect(await this.ecdsa.recover(TEST_MESSAGE, to2098Format(signature))).to.equal(signer); await expectRevert(
expect(await this.ecdsa.recover(TEST_MESSAGE, from2098Format(to2098Format(signature)))).to.equal(signer); this.ecdsa.recover(TEST_MESSAGE, to2098Format(signature)),
'ECDSA: invalid signature length',
);
}); });
}); });
@ -187,11 +179,13 @@ contract('ECDSA', function (accounts) {
); );
}); });
it('works with short EIP2098 format', async function () { it('rejects short EIP2098 format', async function () {
const version = '1c'; // 27 = 1b. const version = '1c'; // 27 = 1b.
const signature = signatureWithoutVersion + version; const signature = signatureWithoutVersion + version;
expect(await this.ecdsa.recover(TEST_MESSAGE, to2098Format(signature))).to.equal(signer); await expectRevert(
expect(await this.ecdsa.recover(TEST_MESSAGE, from2098Format(to2098Format(signature)))).to.equal(signer); this.ecdsa.recover(TEST_MESSAGE, to2098Format(signature)),
'ECDSA: invalid signature length',
);
}); });
}); });