From d2fa6e7753deb0f7fe5e1d802460c88c2885b954 Mon Sep 17 00:00:00 2001 From: Ethan Buchman Date: Wed, 18 Mar 2015 20:56:06 -0700 Subject: [PATCH 1/2] vm: explicit error checks in ecrecover. closes #505 --- vm/address.go | 28 +++++++++++++++++++++------- 1 file changed, 21 insertions(+), 7 deletions(-) diff --git a/vm/address.go b/vm/address.go index 215f4bc8fa..e4c33ec808 100644 --- a/vm/address.go +++ b/vm/address.go @@ -3,8 +3,8 @@ package vm import ( "math/big" - "github.com/ethereum/go-ethereum/crypto" "github.com/ethereum/go-ethereum/common" + "github.com/ethereum/go-ethereum/crypto" ) type Address interface { @@ -61,15 +61,29 @@ func ripemd160Func(in []byte) []byte { return common.LeftPadBytes(crypto.Ripemd160(in), 32) } -func ecrecoverFunc(in []byte) []byte { - // In case of an invalid sig. Defaults to return nil - defer func() { recover() }() +const EcRecoverInputLength = 128 +func ecrecoverFunc(in []byte) []byte { + // "in" is (hash, v, r, s), each 32 bytes + // but for ecrecover we want (r, s, v) + if len(in) < EcRecoverInputLength { + return nil + } hash := in[:32] - v := common.BigD(in[32:64]).Bytes()[0] - 27 + // v is only a bit, but comes as 32 bytes from vm. We only need least significant byte + encodedV := in[32:64] + v := encodedV[31] - 27 + if !(v == 0 || v == 1) { + return nil + } sig := append(in[64:], v) - - return common.LeftPadBytes(crypto.Sha3(crypto.Ecrecover(append(hash, sig...))[1:])[12:], 32) + pubKey := crypto.Ecrecover(append(hash, sig...)) + // secp256.go returns either nil or 65 bytes + if pubKey == nil || len(pubKey) != 65 { + return nil + } + // the first byte of pubkey is bitcoin heritage + return common.LeftPadBytes(crypto.Sha3(pubKey[1:])[12:], 32) } func memCpy(in []byte) []byte { From 61c5edcb57a200764bfa37e3a7da909727a7852b Mon Sep 17 00:00:00 2001 From: obscuren Date: Sun, 29 Mar 2015 15:02:49 +0200 Subject: [PATCH 2/2] Cleanup. --- core/vm/address.go | 23 +++++++++++++---------- crypto/crypto.go | 16 +++++++--------- 2 files changed, 20 insertions(+), 19 deletions(-) diff --git a/core/vm/address.go b/core/vm/address.go index e4c33ec808..0b3a95dd08 100644 --- a/core/vm/address.go +++ b/core/vm/address.go @@ -61,27 +61,30 @@ func ripemd160Func(in []byte) []byte { return common.LeftPadBytes(crypto.Ripemd160(in), 32) } -const EcRecoverInputLength = 128 +const ecRecoverInputLength = 128 func ecrecoverFunc(in []byte) []byte { // "in" is (hash, v, r, s), each 32 bytes // but for ecrecover we want (r, s, v) - if len(in) < EcRecoverInputLength { + if len(in) < ecRecoverInputLength { return nil } - hash := in[:32] - // v is only a bit, but comes as 32 bytes from vm. We only need least significant byte - encodedV := in[32:64] - v := encodedV[31] - 27 - if !(v == 0 || v == 1) { + + // Treat V as a 256bit integer + v := new(big.Int).Sub(common.Bytes2Big(in[32:64]), big.NewInt(27)) + // Ethereum requires V to be either 0 or 1 => (27 || 28) + if !(v.Cmp(Zero) == 0 || v.Cmp(One) == 0) { return nil } - sig := append(in[64:], v) - pubKey := crypto.Ecrecover(append(hash, sig...)) - // secp256.go returns either nil or 65 bytes + + // v needs to be moved to the end + rsv := append(in[64:128], byte(v.Uint64())) + pubKey := crypto.Ecrecover(in[:32], rsv) + // make sure the public key is a valid one if pubKey == nil || len(pubKey) != 65 { return nil } + // the first byte of pubkey is bitcoin heritage return common.LeftPadBytes(crypto.Sha3(pubKey[1:])[12:], 32) } diff --git a/crypto/crypto.go b/crypto/crypto.go index 442942c6c5..9a1559fbfb 100644 --- a/crypto/crypto.go +++ b/crypto/crypto.go @@ -68,13 +68,8 @@ func Ripemd160(data []byte) []byte { return ripemd.Sum(nil) } -func Ecrecover(data []byte) []byte { - var in = struct { - hash []byte - sig []byte - }{data[:32], data[32:]} - - r, _ := secp256k1.RecoverPubkey(in.hash, in.sig) +func Ecrecover(hash, sig []byte) []byte { + r, _ := secp256k1.RecoverPubkey(hash, sig) return r } @@ -151,9 +146,12 @@ func GenerateKey() (*ecdsa.PrivateKey, error) { } func SigToPub(hash, sig []byte) *ecdsa.PublicKey { - s := Ecrecover(append(hash, sig...)) - x, y := elliptic.Unmarshal(S256(), s) + s := Ecrecover(hash, sig) + if s == nil || len(s) != 65 { + return nil + } + x, y := elliptic.Unmarshal(S256(), s) return &ecdsa.PublicKey{S256(), x, y} }