|
|
|
// Copyright 2015 Jeffrey Wilcke, Felix Lange, Gustav Simonsson. All rights reserved.
|
|
|
|
// Use of this source code is governed by a BSD-style license that can be found in
|
|
|
|
// the LICENSE file.
|
|
|
|
|
|
|
|
//go:build !gofuzz && cgo
|
|
|
|
// +build !gofuzz,cgo
|
crypto/secp256k1: fix undefined behavior in BitCurve.Add (#22621)
This commit changes the behavior of BitCurve.Add to be more inline
with btcd. It fixes two different bugs:
1) When adding a point at infinity to another point, the other point
should be returned. While this is undefined behavior, it is better
to be more inline with the go standard library.
Thus (0,0) + (a, b) = (a,b)
2) Adding the same point to itself produced the point at infinity.
This is incorrect, now doubleJacobian is used to correctly calculate it.
Thus (a,b) + (a,b) == 2* (a,b) and not (0,0) anymore.
The change also adds a differential fuzzer for Add, testing it against btcd.
Co-authored-by: Felix Lange <fjl@twurst.com>
4 years ago
|
|
|
|
|
|
|
// Package secp256k1 wraps the bitcoin secp256k1 C library.
|
|
|
|
package secp256k1
|
|
|
|
|
|
|
|
/*
|
|
|
|
#cgo CFLAGS: -I./libsecp256k1
|
|
|
|
#cgo CFLAGS: -I./libsecp256k1/src/
|
|
|
|
|
|
|
|
#ifdef __SIZEOF_INT128__
|
|
|
|
# define HAVE___INT128
|
|
|
|
# define USE_FIELD_5X52
|
|
|
|
# define USE_SCALAR_4X64
|
|
|
|
#else
|
|
|
|
# define USE_FIELD_10X26
|
|
|
|
# define USE_SCALAR_8X32
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#ifndef NDEBUG
|
|
|
|
# define NDEBUG
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#define USE_ENDOMORPHISM
|
|
|
|
#define USE_NUM_NONE
|
|
|
|
#define USE_FIELD_INV_BUILTIN
|
|
|
|
#define USE_SCALAR_INV_BUILTIN
|
|
|
|
#include "./libsecp256k1/src/secp256k1.c"
|
|
|
|
#include "./libsecp256k1/src/modules/recovery/main_impl.h"
|
|
|
|
#include "ext.h"
|
|
|
|
|
|
|
|
typedef void (*callbackFunc) (const char* msg, void* data);
|
|
|
|
extern void secp256k1GoPanicIllegal(const char* msg, void* data);
|
|
|
|
extern void secp256k1GoPanicError(const char* msg, void* data);
|
|
|
|
*/
|
|
|
|
import "C"
|
|
|
|
|
|
|
|
import (
|
|
|
|
"errors"
|
|
|
|
"math/big"
|
|
|
|
"unsafe"
|
|
|
|
)
|
|
|
|
|
|
|
|
var context *C.secp256k1_context
|
|
|
|
|
|
|
|
func init() {
|
|
|
|
// around 20 ms on a modern CPU.
|
|
|
|
context = C.secp256k1_context_create_sign_verify()
|
|
|
|
C.secp256k1_context_set_illegal_callback(context, C.callbackFunc(C.secp256k1GoPanicIllegal), nil)
|
|
|
|
C.secp256k1_context_set_error_callback(context, C.callbackFunc(C.secp256k1GoPanicError), nil)
|
|
|
|
}
|
|
|
|
|
|
|
|
var (
|
|
|
|
ErrInvalidMsgLen = errors.New("invalid message length, need 32 bytes")
|
|
|
|
ErrInvalidSignatureLen = errors.New("invalid signature length")
|
|
|
|
ErrInvalidRecoveryID = errors.New("invalid signature recovery id")
|
|
|
|
ErrInvalidKey = errors.New("invalid private key")
|
|
|
|
ErrInvalidPubkey = errors.New("invalid public key")
|
|
|
|
ErrSignFailed = errors.New("signing failed")
|
|
|
|
ErrRecoverFailed = errors.New("recovery failed")
|
|
|
|
)
|
|
|
|
|
|
|
|
// Sign creates a recoverable ECDSA signature.
|
|
|
|
// The produced signature is in the 65-byte [R || S || V] format where V is 0 or 1.
|
|
|
|
//
|
|
|
|
// The caller is responsible for ensuring that msg cannot be chosen
|
|
|
|
// directly by an attacker. It is usually preferable to use a cryptographic
|
|
|
|
// hash function on any input before handing it to this function.
|
|
|
|
func Sign(msg []byte, seckey []byte) ([]byte, error) {
|
|
|
|
if len(msg) != 32 {
|
|
|
|
return nil, ErrInvalidMsgLen
|
|
|
|
}
|
|
|
|
if len(seckey) != 32 {
|
|
|
|
return nil, ErrInvalidKey
|
|
|
|
}
|
|
|
|
seckeydata := (*C.uchar)(unsafe.Pointer(&seckey[0]))
|
|
|
|
if C.secp256k1_ec_seckey_verify(context, seckeydata) != 1 {
|
|
|
|
return nil, ErrInvalidKey
|
|
|
|
}
|
|
|
|
|
|
|
|
var (
|
|
|
|
msgdata = (*C.uchar)(unsafe.Pointer(&msg[0]))
|
|
|
|
noncefunc = C.secp256k1_nonce_function_rfc6979
|
|
|
|
sigstruct C.secp256k1_ecdsa_recoverable_signature
|
|
|
|
)
|
|
|
|
if C.secp256k1_ecdsa_sign_recoverable(context, &sigstruct, msgdata, seckeydata, noncefunc, nil) == 0 {
|
|
|
|
return nil, ErrSignFailed
|
|
|
|
}
|
|
|
|
|
|
|
|
var (
|
|
|
|
sig = make([]byte, 65)
|
|
|
|
sigdata = (*C.uchar)(unsafe.Pointer(&sig[0]))
|
|
|
|
recid C.int
|
|
|
|
)
|
|
|
|
C.secp256k1_ecdsa_recoverable_signature_serialize_compact(context, sigdata, &recid, &sigstruct)
|
|
|
|
sig[64] = byte(recid) // add back recid to get 65 bytes sig
|
|
|
|
return sig, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// RecoverPubkey returns the public key of the signer.
|
|
|
|
// msg must be the 32-byte hash of the message to be signed.
|
|
|
|
// sig must be a 65-byte compact ECDSA signature containing the
|
|
|
|
// recovery id as the last element.
|
|
|
|
func RecoverPubkey(msg []byte, sig []byte) ([]byte, error) {
|
|
|
|
if len(msg) != 32 {
|
|
|
|
return nil, ErrInvalidMsgLen
|
|
|
|
}
|
|
|
|
if err := checkSignature(sig); err != nil {
|
|
|
|
return nil, err
|
|
|
|
}
|
|
|
|
|
|
|
|
var (
|
|
|
|
pubkey = make([]byte, 65)
|
|
|
|
sigdata = (*C.uchar)(unsafe.Pointer(&sig[0]))
|
|
|
|
msgdata = (*C.uchar)(unsafe.Pointer(&msg[0]))
|
|
|
|
)
|
|
|
|
if C.secp256k1_ext_ecdsa_recover(context, (*C.uchar)(unsafe.Pointer(&pubkey[0])), sigdata, msgdata) == 0 {
|
|
|
|
return nil, ErrRecoverFailed
|
|
|
|
}
|
|
|
|
return pubkey, nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// VerifySignature checks that the given pubkey created signature over message.
|
|
|
|
// The signature should be in [R || S] format.
|
|
|
|
func VerifySignature(pubkey, msg, signature []byte) bool {
|
|
|
|
if len(msg) != 32 || len(signature) != 64 || len(pubkey) == 0 {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
sigdata := (*C.uchar)(unsafe.Pointer(&signature[0]))
|
|
|
|
msgdata := (*C.uchar)(unsafe.Pointer(&msg[0]))
|
|
|
|
keydata := (*C.uchar)(unsafe.Pointer(&pubkey[0]))
|
|
|
|
return C.secp256k1_ext_ecdsa_verify(context, sigdata, msgdata, keydata, C.size_t(len(pubkey))) != 0
|
|
|
|
}
|
|
|
|
|
|
|
|
// DecompressPubkey parses a public key in the 33-byte compressed format.
|
|
|
|
// It returns non-nil coordinates if the public key is valid.
|
|
|
|
func DecompressPubkey(pubkey []byte) (x, y *big.Int) {
|
|
|
|
if len(pubkey) != 33 {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
var (
|
|
|
|
pubkeydata = (*C.uchar)(unsafe.Pointer(&pubkey[0]))
|
|
|
|
pubkeylen = C.size_t(len(pubkey))
|
|
|
|
out = make([]byte, 65)
|
|
|
|
outdata = (*C.uchar)(unsafe.Pointer(&out[0]))
|
|
|
|
outlen = C.size_t(len(out))
|
|
|
|
)
|
|
|
|
if C.secp256k1_ext_reencode_pubkey(context, outdata, outlen, pubkeydata, pubkeylen) == 0 {
|
|
|
|
return nil, nil
|
|
|
|
}
|
|
|
|
return new(big.Int).SetBytes(out[1:33]), new(big.Int).SetBytes(out[33:])
|
|
|
|
}
|
|
|
|
|
|
|
|
// CompressPubkey encodes a public key to 33-byte compressed format.
|
|
|
|
func CompressPubkey(x, y *big.Int) []byte {
|
|
|
|
var (
|
|
|
|
pubkey = S256().Marshal(x, y)
|
|
|
|
pubkeydata = (*C.uchar)(unsafe.Pointer(&pubkey[0]))
|
|
|
|
pubkeylen = C.size_t(len(pubkey))
|
|
|
|
out = make([]byte, 33)
|
|
|
|
outdata = (*C.uchar)(unsafe.Pointer(&out[0]))
|
|
|
|
outlen = C.size_t(len(out))
|
|
|
|
)
|
|
|
|
if C.secp256k1_ext_reencode_pubkey(context, outdata, outlen, pubkeydata, pubkeylen) == 0 {
|
|
|
|
panic("libsecp256k1 error")
|
|
|
|
}
|
|
|
|
return out
|
|
|
|
}
|
|
|
|
|
|
|
|
func checkSignature(sig []byte) error {
|
|
|
|
if len(sig) != 65 {
|
|
|
|
return ErrInvalidSignatureLen
|
|
|
|
}
|
|
|
|
if sig[64] >= 4 {
|
|
|
|
return ErrInvalidRecoveryID
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|