From 5c829a47c076ff9df4fc790f7bb14c2ccf73a5a5 Mon Sep 17 00:00:00 2001
From: Tony Arcieri
Date: Fri, 21 Jul 2023 19:40:42 -0600
Subject: [PATCH] k256: reject signatures which aren't low-S normalized (#914)

Closes #908
---
 k256/src/ecdsa.rs | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/k256/src/ecdsa.rs b/k256/src/ecdsa.rs
index f8178395..a3f28ab7 100644
--- a/k256/src/ecdsa.rs
+++ b/k256/src/ecdsa.rs
@@ -198,7 +198,15 @@ impl SignPrimitive for Scalar {
 }

 #[cfg(feature = "ecdsa")]
-impl VerifyPrimitive for AffinePoint {}
+impl VerifyPrimitive for AffinePoint {
+ fn verify_prehashed(&self, z: &FieldBytes, sig: &Signature) -> Result<(), Error> {
+ if sig.s().is_high().into() {
+ return Err(Error::new());
+ }
+
+ hazmat::verify_prehashed(&self.into(), z, sig)
+ }
+}

 #[cfg(all(test, feature = "ecdsa", feature = "arithmetic"))]
 mod tests {
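Review bot: The new `verify_prehashed` override on `AffinePoint` has no doc comment and no accompanying test, so the reason for the `is_high()` early return and its effect on callers are not recorded in the change. I would add above the method `/// Rejects signatures whose s component is not low-S normalized; accepting both s and n - s makes signatures malleable.` and note there that signatures from signers that do not normalize need `Signature::normalize_s` applied before verification. The diffstat shows only the nine added lines in this impl, so a regression test in the `mod tests` that follows (its body is outside the hunk), asserting that an otherwise valid signature with a high `s` is rejected, would pin the behaviour. High-S signatures that presumably verified before now fail with the same opaque `Error::new()` as any other invalid signature, so this behaviour change is worth calling out in the changelog.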