doc: update BOLT quotes (to include LOW-S-standard rule).

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>

Makefile

@@ -24,7 +24,7 @@ CCANDIR := ccan
 
 # Where we keep the BOLT RFCs
 BOLTDIR := ../lightning-rfc/
-BOLTVERSION := 7e8c478aef0d23a445845b7d297b0e804583697c
+BOLTVERSION := 01f29bf9feca66476423676365187e2175a3934b
 
 -include config.vars
 

bitcoin/signature.c

@@ -173,6 +173,14 @@ bool check_signed_hash(const struct sha256_double *hash,
 {
 	int ret;
 
+	/* BOLT #2:
+	 *
+	 * - if `signature` is incorrect OR non-compliant with
+	 *   LOW-S-standard rule
+	 */
+	/* From the secp256k1_ecdsa_verify documentation: "To avoid
+	 * accepting malleable signatures, only ECDSA signatures in
+	 * lower-S form are accepted." */
 	ret = secp256k1_ecdsa_verify(secp256k1_ctx,
 				     signature,
 				     hash->sha.u.u8, &key->pubkey);

channeld/channeld.c

@@ -1314,7 +1314,8 @@ static void handle_peer_commit_sig(struct peer *peer, const u8 *msg)
 	 *
 	 * A receiving node:
 	 *  - once all pending updates are applied:
-	 *    - if `signature` is not valid for its local commitment transaction:
+	 *    - if `signature` is not valid for its local commitment transaction
+	 *      OR non-compliant with LOW-S-standard rule...:
 	 *      - MUST fail the channel.
 	 */
 	if (!check_tx_sig(txs[0], 0, NULL, funding_wscript,
@@ -1349,7 +1350,7 @@ static void handle_peer_commit_sig(struct peer *peer, const u8 *msg)
 	/* BOLT #2:
 	 *
 	 *   - if any `htlc_signature` is not valid for the corresponding HTLC
-	 *     transaction:
+	 *     transaction OR non-compliant with LOW-S-standard rule...:
 	 *     - MUST fail the channel.
 	 */
 	for (i = 0; i < tal_count(htlc_sigs); i++) {

closingd/closingd.c

@@ -368,7 +368,8 @@ receive_offer(struct per_peer_state *pps,
 	 *
 	 * The receiving node:
 	 *   - if the `signature` is not valid for either variant of closing transaction
-	 *   specified in [BOLT #3](03-transactions.md#closing-transaction):
+	 *   specified in [BOLT #3](03-transactions.md#closing-transaction)
+	 *   OR non-compliant with LOW-S-standard rule...:
 	 *     - MUST fail the connection.
 	 */
 	tx = close_tx(tmpctx, chainparams, pps, channel_id,

openingd/dualopend.c

@@ -1722,7 +1722,8 @@ static void accepter_start(struct state *state, const u8 *oc2_msg)
 	/* BOLT #2:
 	 *
 	 * The recipient:
-	 *   - if `signature` is incorrect:
+	 *   - if `signature` is incorrect OR non-compliant with LOW-S-standard
+	 *       rule...:
 	 *     - MUST fail the channel.
 	 */
 	if (!check_tx_sig(local_commit, 0, NULL, wscript,
@@ -2203,7 +2204,8 @@ static void opener_start(struct state *state, u8 *msg)
 	/* BOLT #2:
 	 *
 	 * The recipient:
-	 *   - if `signature` is incorrect:
+	 *   - if `signature` is incorrect OR non-compliant with LOW-S-standard
+	 *     rule...:
 	 *     - MUST fail the channel.
 	 */
 	if (!check_tx_sig(local_commit, 0, NULL, wscript, &state->their_funding_pubkey,

openingd/openingd.c

@@ -628,8 +628,8 @@ static bool funder_finalize_channel_setup(struct state *state,
 	/* BOLT #2:
 	 *
 	 * The recipient:
-	 *   - if `signature` is incorrect:
+	 *   - if `signature` is incorrect OR non-compliant with LOW-S-standard rule...:
-	 *     - MUST fail the channel.
+	 *     - MUST fail the channel
 	 */
 	/* So we create *our* initial commitment transaction, and check the
 	 * signature they sent against that. */
@@ -1004,7 +1004,8 @@ static u8 *fundee_channel(struct state *state, const u8 *open_channel_msg)
 	/* BOLT #2:
 	 *
 	 * The recipient:
-	 *   - if `signature` is incorrect:
+	 *   - if `signature` is incorrect OR non-compliant with LOW-S-standard
+	 *     rule...:
 	 *     - MUST fail the channel.
 	 */
 	local_commit = initial_channel_tx(state, &wscript, state->channel,