crypto/secp256k1: update to github.com/bitcoin-core/secp256k1 @ 9d560…

…f9 (ethereum#3544) - Use defined constants instead of hard-coding their integer value. - Allocate secp256k1 structs on the C stack instead of converting []byte - Remove dead code
illya13 · Jan 12, 2017 · e0ceeab · e0ceeab
1 parent 93077c9
commit e0ceeab
Show file tree

Hide file tree

Showing 79 changed files with 8,229 additions and 1,998 deletions.
diff --git a/crypto/crypto_test.go b/crypto/crypto_test.go
@@ -72,14 +72,6 @@ func BenchmarkSha3(b *testing.B) {
 	fmt.Println(amount, ":", time.Since(start))
 }
 
-func Test0Key(t *testing.T) {
-	key := common.Hex2Bytes("0000000000000000000000000000000000000000000000000000000000000000")
-	_, err := secp256k1.GeneratePubKey(key)
-	if err == nil {
-		t.Errorf("expected error due to zero privkey")
-	}
-}
-
 func TestSign(t *testing.T) {
 	key, _ := HexToECDSA(testPrivHex)
 	addr := common.HexToAddress(testAddrHex)

diff --git a/crypto/secp256k1/curve.go b/crypto/secp256k1/curve.go
@@ -33,7 +33,6 @@ package secp256k1
 
 import (
 	"crypto/elliptic"
-	"io"
 	"math/big"
 	"sync"
 	"unsafe"
@@ -224,6 +223,7 @@ func (BitCurve *BitCurve) ScalarMult(Bx, By *big.Int, scalar []byte) (*big.Int,
 	if len(scalar) > 32 {
 		panic("can't handle scalars > 256 bits")
 	}
+	// NOTE: potential timing issue
 	padded := make([]byte, 32)
 	copy(padded[32-len(scalar):], scalar)
 	scalar = padded
@@ -257,31 +257,6 @@ func (BitCurve *BitCurve) ScalarBaseMult(k []byte) (*big.Int, *big.Int) {
 	return BitCurve.ScalarMult(BitCurve.Gx, BitCurve.Gy, k)
 }
 
-var mask = []byte{0xff, 0x1, 0x3, 0x7, 0xf, 0x1f, 0x3f, 0x7f}
-
-//TODO: double check if it is okay
-// GenerateKey returns a public/private key pair. The private key is generated
-// using the given reader, which must return random data.
-func (BitCurve *BitCurve) GenerateKey(rand io.Reader) (priv []byte, x, y *big.Int, err error) {
-	byteLen := (BitCurve.BitSize + 7) >> 3
-	priv = make([]byte, byteLen)
-
-	for x == nil {
-		_, err = io.ReadFull(rand, priv)
-		if err != nil {
-			return
-		}
-		// We have to mask off any excess bits in the case that the size of the
-		// underlying field is not a whole number of bytes.
-		priv[0] &= mask[BitCurve.BitSize%8]
-		// This is because, in tests, rand will return all zeros and we don't
-		// want to get the point at infinity and loop forever.
-		priv[1] ^= 0x42
-		x, y = BitCurve.ScalarBaseMult(priv)
-	}
-	return
-}
-
 // Marshal converts a point into the form specified in section 4.3.6 of ANSI
 // X9.62.
 func (BitCurve *BitCurve) Marshal(x, y *big.Int) []byte {

diff --git a/crypto/secp256k1/ext.h b/crypto/secp256k1/ext.h
@@ -0,0 +1,87 @@
+// Copyright 2015 The go-ethereum Authors
+// This file is part of the go-ethereum library.
+//
+// The go-ethereum library is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Lesser General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// The go-ethereum library is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU Lesser General Public License for more details.
+//
+// You should have received a copy of the GNU Lesser General Public License
+// along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.
+
+// secp256k1_context_create_sign_verify creates a context for signing and signature verification.
+static secp256k1_context* secp256k1_context_create_sign_verify() {
+	return secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
+}
+
+// secp256k1_ecdsa_recover_pubkey recovers the public key of an encoded compact signature.
+//
+// Returns: 1: recovery was successful
+//          0: recovery was not successful
+// Args:    ctx:        pointer to a context object (cannot be NULL)
+//  Out:    pubkey_out: the serialized 65-byte public key of the signer (cannot be NULL)
+//  In:     sigdata:    pointer to a 65-byte signature with the recovery id at the end (cannot be NULL)
+//          msgdata:    pointer to a 32-byte message (cannot be NULL)
+static int secp256k1_ecdsa_recover_pubkey(
+	const secp256k1_context* ctx,
+	unsigned char *pubkey_out,
+	const unsigned char *sigdata,
+	const unsigned char *msgdata
+) {
+	secp256k1_ecdsa_recoverable_signature sig;
+	secp256k1_pubkey pubkey;
+
+	if (!secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &sig, sigdata, (int)sigdata[64])) {
+		return 0;
+	}
+	if (!secp256k1_ecdsa_recover(ctx, &pubkey, &sig, msgdata)) {
+		return 0;
+	}
+	size_t outputlen = 65;
+	return secp256k1_ec_pubkey_serialize(ctx, pubkey_out, &outputlen, &pubkey, SECP256K1_EC_UNCOMPRESSED);
+}
+
+// secp256k1_pubkey_scalar_mul multiplies a point by a scalar in constant time.
+//
+// Returns: 1: multiplication was successful
+//          0: scalar was invalid (zero or overflow)
+// Args:    ctx:      pointer to a context object (cannot be NULL)
+//  Out:    point:    the multiplied point (usually secret)
+//  In:     point:    pointer to a 64-byte public point,
+//                    encoded as two 256bit big-endian numbers.
+//          scalar:   a 32-byte scalar with which to multiply the point
+int secp256k1_pubkey_scalar_mul(const secp256k1_context* ctx, unsigned char *point, const unsigned char *scalar) {
+	int ret = 0;
+	int overflow = 0;
+	secp256k1_fe feX, feY;
+	secp256k1_gej res;
+	secp256k1_ge ge;
+	secp256k1_scalar s;
+	ARG_CHECK(point != NULL);
+	ARG_CHECK(scalar != NULL);
+	(void)ctx;
+
+	secp256k1_fe_set_b32(&feX, point);
+	secp256k1_fe_set_b32(&feY, point+32);
+	secp256k1_ge_set_xy(&ge, &feX, &feY);
+	secp256k1_scalar_set_b32(&s, scalar, &overflow);
+	if (overflow || secp256k1_scalar_is_zero(&s)) {
+		ret = 0;
+	} else {
+		secp256k1_ecmult_const(&res, &ge, &s);
+		secp256k1_ge_set_gej(&ge, &res);
+		/* Note: can't use secp256k1_pubkey_save here because it is not constant time. */
+		secp256k1_fe_normalize(&ge.x);
+		secp256k1_fe_normalize(&ge.y);
+		secp256k1_fe_get_b32(point, &ge.x);
+		secp256k1_fe_get_b32(point+32, &ge.y);
+		ret = 1;
+	}
+	secp256k1_scalar_clear(&s);
+	return ret;
+}
diff --git a/crypto/secp256k1/libsecp256k1/.gitignore b/crypto/secp256k1/libsecp256k1/.gitignore
@@ -6,6 +6,7 @@ bench_schnorr_verify
 bench_recover
 bench_internal
 tests
+exhaustive_tests
 gen_context
 *.exe
 *.so
@@ -25,17 +26,24 @@ config.status
 libtool
 .deps/
 .dirstamp
-build-aux/
 *.lo
 *.o
 *~
 src/libsecp256k1-config.h
 src/libsecp256k1-config.h.in
 src/ecmult_static_context.h
-m4/libtool.m4
-m4/ltoptions.m4
-m4/ltsugar.m4
-m4/ltversion.m4
-m4/lt~obsolete.m4
+build-aux/config.guess
+build-aux/config.sub
+build-aux/depcomp
+build-aux/install-sh
+build-aux/ltmain.sh
+build-aux/m4/libtool.m4
+build-aux/m4/lt~obsolete.m4
+build-aux/m4/ltoptions.m4
+build-aux/m4/ltsugar.m4
+build-aux/m4/ltversion.m4
+build-aux/missing
+build-aux/compile
+build-aux/test-driver
 src/stamp-h1
 libsecp256k1.pc
diff --git a/crypto/secp256k1/libsecp256k1/.travis.yml b/crypto/secp256k1/libsecp256k1/.travis.yml
@@ -6,25 +6,30 @@ addons:
 compiler:
   - clang
   - gcc
+cache:
+  directories:
+  - src/java/guava/
 env:
   global:
-    - FIELD=auto  BIGNUM=auto  SCALAR=auto  ENDOMORPHISM=no  STATICPRECOMPUTATION=yes  ASM=no  BUILD=check  EXTRAFLAGS=  HOST=  ECDH=no  schnorr=NO  RECOVERY=NO
+    - FIELD=auto  BIGNUM=auto  SCALAR=auto  ENDOMORPHISM=no  STATICPRECOMPUTATION=yes  ASM=no  BUILD=check  EXTRAFLAGS=  HOST=  ECDH=no  RECOVERY=no  EXPERIMENTAL=no
+    - GUAVA_URL=https://search.maven.org/remotecontent?filepath=com/google/guava/guava/18.0/guava-18.0.jar GUAVA_JAR=src/java/guava/guava-18.0.jar
   matrix:
     - SCALAR=32bit    RECOVERY=yes
-    - SCALAR=32bit    FIELD=32bit       ECDH=yes
+    - SCALAR=32bit    FIELD=32bit       ECDH=yes  EXPERIMENTAL=yes
     - SCALAR=64bit
     - FIELD=64bit     RECOVERY=yes
     - FIELD=64bit     ENDOMORPHISM=yes
-    - FIELD=64bit     ENDOMORPHISM=yes  ECDH=yes
+    - FIELD=64bit     ENDOMORPHISM=yes  ECDH=yes EXPERIMENTAL=yes
     - FIELD=64bit                       ASM=x86_64
     - FIELD=64bit     ENDOMORPHISM=yes  ASM=x86_64
-    - FIELD=32bit     SCHNORR=yes
     - FIELD=32bit     ENDOMORPHISM=yes
     - BIGNUM=no
-    - BIGNUM=no       ENDOMORPHISM=yes SCHNORR=yes  RECOVERY=yes
+    - BIGNUM=no       ENDOMORPHISM=yes RECOVERY=yes EXPERIMENTAL=yes
     - BIGNUM=no       STATICPRECOMPUTATION=no
     - BUILD=distcheck
-    - EXTRAFLAGS=CFLAGS=-DDETERMINISTIC
+    - EXTRAFLAGS=CPPFLAGS=-DDETERMINISTIC
+    - EXTRAFLAGS=CFLAGS=-O0
+    - BUILD=check-java ECDH=yes EXPERIMENTAL=yes
 matrix:
   fast_finish: true
   include:
@@ -54,9 +59,11 @@ matrix:
           packages:
             - gcc-multilib
             - libgmp-dev:i386
+before_install: mkdir -p `dirname $GUAVA_JAR`
+install: if [ ! -f $GUAVA_JAR ]; then wget $GUAVA_URL -O $GUAVA_JAR; fi
 before_script: ./autogen.sh
 script:
  - if [ -n "$HOST" ]; then export USE_HOST="--host=$HOST"; fi
  - if [ "x$HOST" = "xi686-linux-gnu" ]; then export CC="$CC -m32"; fi
- - ./configure --enable-endomorphism=$ENDOMORPHISM --with-field=$FIELD --with-bignum=$BIGNUM --with-scalar=$SCALAR --enable-ecmult-static-precomputation=$STATICPRECOMPUTATION --enable-module-ecdh=$ECDH --enable-module-schnorr=$SCHNORR $EXTRAFLAGS $USE_HOST && make -j2 $BUILD
+ - ./configure --enable-experimental=$EXPERIMENTAL --enable-endomorphism=$ENDOMORPHISM --with-field=$FIELD --with-bignum=$BIGNUM --with-scalar=$SCALAR --enable-ecmult-static-precomputation=$STATICPRECOMPUTATION --enable-module-ecdh=$ECDH --enable-module-recovery=$RECOVERY $EXTRAFLAGS $USE_HOST && make -j2 $BUILD
 os: linux