update upstream libsecp256k1 to 314a61d72474aa29ff4afba8472553ad91d88e9d

2018-11-06 21:36:43 +00:00 · 2018-11-06 21:36:43 +00:00 · 4653100b7a
parent ca08c4f338
commit 4653100b7a
10 changed files with 158 additions and 47 deletions
--- a/depend/secp256k1/include/secp256k1.h
+++ b/depend/secp256k1/include/secp256k1.h
@ -179,6 +179,13 @@ typedef int (*secp256k1_nonce_function)(
 #define SECP256K1_TAG_PUBKEY_HYBRID_EVEN 0x06
 #define SECP256K1_TAG_PUBKEY_HYBRID_ODD 0x07

+/** A simple secp256k1 context object with no precomputed tables. These are useful for
+ *  type serialization/parsing functions which require a context object to maintain
+ *  API consistency, but currently do not require expensive precomputations or dynamic
+ *  allocations.
+ */
+SECP256K1_API extern const secp256k1_context *secp256k1_context_no_precomp;
+
 /** Create a secp256k1 context object.
 *
 *  Returns: a newly created context object.
--- a/depend/secp256k1/include/secp256k1_ecdh.h
+++ b/depend/secp256k1/include/secp256k1_ecdh.h
@ -7,21 +7,45 @@
 extern "C" {
 #endif

+/** A pointer to a function that applies hash function to a point
+ *
+ *  Returns: 1 if a point was successfully hashed. 0 will cause ecdh to fail
+ *  Out:    output:     pointer to an array to be filled by the function
+ *  In:     x:          pointer to a 32-byte x coordinate
+ *          y:          pointer to a 32-byte y coordinate
+ *          data:       Arbitrary data pointer that is passed through
+ */
+typedef int (*secp256k1_ecdh_hash_function)(
+  unsigned char *output,
+  const unsigned char *x,
+  const unsigned char *y,
+  void *data
+);
+
+/** An implementation of SHA256 hash function that applies to compressed public key. */
+SECP256K1_API extern const secp256k1_ecdh_hash_function secp256k1_ecdh_hash_function_sha256;
+
+/** A default ecdh hash function (currently equal to secp256k1_ecdh_hash_function_sha256). */
+SECP256K1_API extern const secp256k1_ecdh_hash_function secp256k1_ecdh_hash_function_default;
+
 /** Compute an EC Diffie-Hellman secret in constant time
 *  Returns: 1: exponentiation was successful
 *           0: scalar was invalid (zero or overflow)
 *  Args:    ctx:        pointer to a context object (cannot be NULL)
- *  Out:     result:     a 32-byte array which will be populated by an ECDH
- *                       secret computed from the point and scalar
+ *  Out:     output:     pointer to an array to be filled by the function
 *  In:      pubkey:     a pointer to a secp256k1_pubkey containing an
 *                       initialized public key
 *           privkey:    a 32-byte scalar with which to multiply the point
+ *           hashfp:     pointer to a hash function. If NULL, secp256k1_ecdh_hash_function_sha256 is used
+ *           data:       Arbitrary data pointer that is passed through
 */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdh(
  const secp256k1_context* ctx,
-  unsigned char *result,
+  unsigned char *output,
  const secp256k1_pubkey *pubkey,
-  const unsigned char *privkey
+  const unsigned char *privkey,
+  secp256k1_ecdh_hash_function hashfp,
+  void *data
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);

 #ifdef __cplusplus
--- a/depend/secp256k1/src/bench_ecdh.c
+++ b/depend/secp256k1/src/bench_ecdh.c
@ -42,7 +42,7 @@ static void bench_ecdh(void* arg) {
    bench_ecdh_data *data = (bench_ecdh_data*)arg;

    for (i = 0; i < 20000; i++) {
-        CHECK(secp256k1_ecdh(data->ctx, res, &data->point, data->scalar) == 1);
+        CHECK(secp256k1_ecdh(data->ctx, res, &data->point, data->scalar, NULL, NULL) == 1);
    }
 }

--- a/depend/secp256k1/src/java/org_bitcoin_NativeSecp256k1.c
+++ b/depend/secp256k1/src/java/org_bitcoin_NativeSecp256k1.c
@ -83,7 +83,7 @@ SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_secp256k1_1e

  secp256k1_ecdsa_signature sig[72];

-  int ret = secp256k1_ecdsa_sign(ctx, sig, data, secKey, NULL, NULL );
+  int ret = secp256k1_ecdsa_sign(ctx, sig, data, secKey, NULL, NULL);

  unsigned char outputSer[72];
  size_t outputLen = 72;
@ -353,7 +353,9 @@ SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_secp256k1_1e
      ctx,
      nonce_res,
      &pubkey,
-      secdata
+      secdata,
+      NULL,
+      NULL
    );
  }

--- a/depend/secp256k1/src/modules/ecdh/main_impl.h
+++ b/depend/secp256k1/src/modules/ecdh/main_impl.h
@ -10,16 +10,35 @@
 #include "include/secp256k1_ecdh.h"
 #include "ecmult_const_impl.h"

-int secp256k1_ecdh(const secp256k1_context* ctx, unsigned char *result, const secp256k1_pubkey *point, const unsigned char *scalar) {
+static int ecdh_hash_function_sha256(unsigned char *output, const unsigned char *x, const unsigned char *y, void *data) {
+    unsigned char version = (y[31] & 0x01) | 0x02;
+    secp256k1_sha256 sha;
+    (void)data;
+
+    secp256k1_sha256_initialize(&sha);
+    secp256k1_sha256_write(&sha, &version, 1);
+    secp256k1_sha256_write(&sha, x, 32);
+    secp256k1_sha256_finalize(&sha, output);
+
+    return 1;
+}
+
+const secp256k1_ecdh_hash_function secp256k1_ecdh_hash_function_sha256 = ecdh_hash_function_sha256;
+const secp256k1_ecdh_hash_function secp256k1_ecdh_hash_function_default = ecdh_hash_function_sha256;
+
+int secp256k1_ecdh(const secp256k1_context* ctx, unsigned char *output, const secp256k1_pubkey *point, const unsigned char *scalar, secp256k1_ecdh_hash_function hashfp, void *data) {
    int ret = 0;
    int overflow = 0;
    secp256k1_gej res;
    secp256k1_ge pt;
    secp256k1_scalar s;
    VERIFY_CHECK(ctx != NULL);
-    ARG_CHECK(result != NULL);
+    ARG_CHECK(output != NULL);
    ARG_CHECK(point != NULL);
    ARG_CHECK(scalar != NULL);
+    if (hashfp == NULL) {
+        hashfp = secp256k1_ecdh_hash_function_default;
+    }

    secp256k1_pubkey_load(ctx, &pt, point);
    secp256k1_scalar_set_b32(&s, scalar, &overflow);
@ -27,24 +46,18 @@ int secp256k1_ecdh(const secp256k1_context* ctx, unsigned char *result, const se
        ret = 0;
    } else {
        unsigned char x[32];
-        unsigned char y[1];
-        secp256k1_sha256 sha;
+        unsigned char y[32];

        secp256k1_ecmult_const(&res, &pt, &s, 256);
        secp256k1_ge_set_gej(&pt, &res);
-        /* Compute a hash of the point in compressed form
-         * Note we cannot use secp256k1_eckey_pubkey_serialize here since it does not
-         * expect its output to be secret and has a timing sidechannel. */
+
+        /* Compute a hash of the point */
        secp256k1_fe_normalize(&pt.x);
        secp256k1_fe_normalize(&pt.y);
        secp256k1_fe_get_b32(x, &pt.x);
-        y[0] = 0x02 | secp256k1_fe_is_odd(&pt.y);
+        secp256k1_fe_get_b32(y, &pt.y);

-        secp256k1_sha256_initialize(&sha);
-        secp256k1_sha256_write(&sha, y, sizeof(y));
-        secp256k1_sha256_write(&sha, x, sizeof(x));
-        secp256k1_sha256_finalize(&sha, result);
-        ret = 1;
+        ret = hashfp(output, x, y, data);
    }

    secp256k1_scalar_clear(&s);
--- a/depend/secp256k1/src/modules/ecdh/tests_impl.h
+++ b/depend/secp256k1/src/modules/ecdh/tests_impl.h
@ -7,6 +7,23 @@
 #ifndef SECP256K1_MODULE_ECDH_TESTS_H
 #define SECP256K1_MODULE_ECDH_TESTS_H

+int ecdh_hash_function_test_fail(unsigned char *output, const unsigned char *x, const unsigned char *y, void *data) {
+    (void)output;
+    (void)x;
+    (void)y;
+    (void)data;
+    return 0;
+}
+
+int ecdh_hash_function_custom(unsigned char *output, const unsigned char *x, const unsigned char *y, void *data) {
+    (void)data;
+    /* Save x and y as uncompressed public key */
+    output[0] = 0x04;
+    memcpy(output + 1, x, 32);
+    memcpy(output + 33, y, 32);
+    return 1;
+}
+
 void test_ecdh_api(void) {
    /* Setup context that just counts errors */
    secp256k1_context *tctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
@ -21,15 +38,15 @@ void test_ecdh_api(void) {
    CHECK(secp256k1_ec_pubkey_create(tctx, &point, s_one) == 1);

    /* Check all NULLs are detected */
-    CHECK(secp256k1_ecdh(tctx, res, &point, s_one) == 1);
+    CHECK(secp256k1_ecdh(tctx, res, &point, s_one, NULL, NULL) == 1);
    CHECK(ecount == 0);
-    CHECK(secp256k1_ecdh(tctx, NULL, &point, s_one) == 0);
+    CHECK(secp256k1_ecdh(tctx, NULL, &point, s_one, NULL, NULL) == 0);
    CHECK(ecount == 1);
-    CHECK(secp256k1_ecdh(tctx, res, NULL, s_one) == 0);
+    CHECK(secp256k1_ecdh(tctx, res, NULL, s_one, NULL, NULL) == 0);
    CHECK(ecount == 2);
-    CHECK(secp256k1_ecdh(tctx, res, &point, NULL) == 0);
+    CHECK(secp256k1_ecdh(tctx, res, &point, NULL, NULL, NULL) == 0);
    CHECK(ecount == 3);
-    CHECK(secp256k1_ecdh(tctx, res, &point, s_one) == 1);
+    CHECK(secp256k1_ecdh(tctx, res, &point, s_one, NULL, NULL) == 1);
    CHECK(ecount == 3);

    /* Cleanup */
@ -46,27 +63,34 @@ void test_ecdh_generator_basepoint(void) {
    for (i = 0; i < 100; ++i) {
        secp256k1_sha256 sha;
        unsigned char s_b32[32];
-        unsigned char output_ecdh[32];
+        unsigned char output_ecdh[65];
        unsigned char output_ser[32];
-        unsigned char point_ser[33];
+        unsigned char point_ser[65];
        size_t point_ser_len = sizeof(point_ser);
        secp256k1_scalar s;

        random_scalar_order(&s);
        secp256k1_scalar_get_b32(s_b32, &s);

-        /* compute using ECDH function */
        CHECK(secp256k1_ec_pubkey_create(ctx, &point[0], s_one) == 1);
-        CHECK(secp256k1_ecdh(ctx, output_ecdh, &point[0], s_b32) == 1);
-        /* compute "explicitly" */
        CHECK(secp256k1_ec_pubkey_create(ctx, &point[1], s_b32) == 1);
+
+        /* compute using ECDH function with custom hash function */
+        CHECK(secp256k1_ecdh(ctx, output_ecdh, &point[0], s_b32, ecdh_hash_function_custom, NULL) == 1);
+        /* compute "explicitly" */
+        CHECK(secp256k1_ec_pubkey_serialize(ctx, point_ser, &point_ser_len, &point[1], SECP256K1_EC_UNCOMPRESSED) == 1);
+        /* compare */
+        CHECK(memcmp(output_ecdh, point_ser, 65) == 0);
+
+        /* compute using ECDH function with default hash function */
+        CHECK(secp256k1_ecdh(ctx, output_ecdh, &point[0], s_b32, NULL, NULL) == 1);
+        /* compute "explicitly" */
        CHECK(secp256k1_ec_pubkey_serialize(ctx, point_ser, &point_ser_len, &point[1], SECP256K1_EC_COMPRESSED) == 1);
-        CHECK(point_ser_len == sizeof(point_ser));
        secp256k1_sha256_initialize(&sha);
        secp256k1_sha256_write(&sha, point_ser, point_ser_len);
        secp256k1_sha256_finalize(&sha, output_ser);
        /* compare */
-        CHECK(memcmp(output_ecdh, output_ser, sizeof(output_ser)) == 0);
+        CHECK(memcmp(output_ecdh, output_ser, 32) == 0);
    }
 }

@ -89,11 +113,14 @@ void test_bad_scalar(void) {
    CHECK(secp256k1_ec_pubkey_create(ctx, &point, s_rand) == 1);

    /* Try to multiply it by bad values */
-    CHECK(secp256k1_ecdh(ctx, output, &point, s_zero) == 0);
-    CHECK(secp256k1_ecdh(ctx, output, &point, s_overflow) == 0);
+    CHECK(secp256k1_ecdh(ctx, output, &point, s_zero, NULL, NULL) == 0);
+    CHECK(secp256k1_ecdh(ctx, output, &point, s_overflow, NULL, NULL) == 0);
    /* ...and a good one */
    s_overflow[31] -= 1;
-    CHECK(secp256k1_ecdh(ctx, output, &point, s_overflow) == 1);
+    CHECK(secp256k1_ecdh(ctx, output, &point, s_overflow, NULL, NULL) == 1);
+
+    /* Hash function failure results in ecdh failure */
+    CHECK(secp256k1_ecdh(ctx, output, &point, s_overflow, ecdh_hash_function_test_fail, NULL) == 0);
 }

 void run_ecdh_tests(void) {
--- a/depend/secp256k1/src/secp256k1.c
+++ b/depend/secp256k1/src/secp256k1.c
@ -56,6 +56,14 @@ struct secp256k1_context_struct {
    secp256k1_callback error_callback;
 };

+static const secp256k1_context secp256k1_context_no_precomp_ = {
+    { 0 },
+    { 0 },
+    { default_illegal_callback_fn, 0 },
+    { default_error_callback_fn, 0 }
+};
+const secp256k1_context *secp256k1_context_no_precomp = &secp256k1_context_no_precomp_;
+
 secp256k1_context* secp256k1_context_create(unsigned int flags) {
    secp256k1_context* ret = (secp256k1_context*)checked_malloc(&default_error_callback, sizeof(secp256k1_context));
    ret->illegal_callback = default_illegal_callback;
@ -91,6 +99,7 @@ secp256k1_context* secp256k1_context_clone(const secp256k1_context* ctx) {
 }

 void secp256k1_context_destroy(secp256k1_context* ctx) {
+    CHECK(ctx != secp256k1_context_no_precomp);
    if (ctx != NULL) {
        secp256k1_ecmult_context_clear(&ctx->ecmult_ctx);
        secp256k1_ecmult_gen_context_clear(&ctx->ecmult_gen_ctx);
@ -100,6 +109,7 @@ void secp256k1_context_destroy(secp256k1_context* ctx) {
 }

 void secp256k1_context_set_illegal_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
+    CHECK(ctx != secp256k1_context_no_precomp);
    if (fun == NULL) {
        fun = default_illegal_callback_fn;
    }
@ -108,6 +118,7 @@ void secp256k1_context_set_illegal_callback(secp256k1_context* ctx, void (*fun)(
 }

 void secp256k1_context_set_error_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
+    CHECK(ctx != secp256k1_context_no_precomp);
    if (fun == NULL) {
        fun = default_error_callback_fn;
    }
@ -559,6 +570,7 @@ int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context* ctx, secp256k1_pubkey

 int secp256k1_context_randomize(secp256k1_context* ctx, const unsigned char *seed32) {
    VERIFY_CHECK(ctx != NULL);
+    CHECK(ctx != secp256k1_context_no_precomp);
    ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
    secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
    return 1;
--- a/depend/secp256k1/src/tests.c
+++ b/depend/secp256k1/src/tests.c
@ -3599,6 +3599,7 @@ void run_ec_pubkey_parse_test(void) {
    ecount = 0;
    VG_UNDEF(&pubkey, sizeof(pubkey));
    CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
+    CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
    VG_CHECK(&pubkey, sizeof(pubkey));
    CHECK(ecount == 0);
    VG_UNDEF(&ge, sizeof(ge));
--- a/src/ecdh.rs
+++ b/src/ecdh.rs
@ -16,7 +16,7 @@
 //! Support for shared secret computations
 //!

-use std::ops;
+use std::{ops, ptr};

 use super::Secp256k1;
 use key::{SecretKey, PublicKey};
@ -32,7 +32,14 @@ impl SharedSecret {
    pub fn new<C>(secp: &Secp256k1<C>, point: &PublicKey, scalar: &SecretKey) -> SharedSecret {
        unsafe {
            let mut ss = ffi::SharedSecret::blank();
-            let res = ffi::secp256k1_ecdh(secp.ctx, &mut ss, point.as_ptr(), scalar.as_ptr());
+            let res = ffi::secp256k1_ecdh(
+                secp.ctx,
+                &mut ss,
+                point.as_ptr(),
+                scalar.as_ptr(),
+                ffi::secp256k1_ecdh_hash_function_default,
+                ptr::null_mut(),
+            );
            debug_assert_eq!(res, 1);
            SharedSecret(ss)
        }
--- a/src/ffi.rs
+++ b/src/ffi.rs
@ -46,6 +46,14 @@ pub type NonceFn = unsafe extern "C" fn(nonce32: *mut c_uchar,
                                        attempt: c_uint,
                                        data: *const c_void);

+/// Hash function to use to post-process an ECDH point to get
+/// a shared secret.
+pub type EcdhHashFn = unsafe extern "C" fn(
+    output: *mut c_uchar,
+    x: *const c_uchar,
+    y: *const c_uchar,
+    data: *const c_void,
+);

 /// A Secp256k1 context, containing various precomputed values and such
 /// needed to do elliptic curve computations. If you create one of these
@ -114,6 +122,9 @@ impl SharedSecret {

 #[cfg(not(feature = "fuzztarget"))]
 extern "C" {
+    /// Default ECDH hash function
+    pub static secp256k1_ecdh_hash_function_default: EcdhHashFn;
+
    pub static secp256k1_nonce_function_rfc6979: NonceFn;

    pub static secp256k1_nonce_function_default: NonceFn;
@ -248,11 +259,14 @@ extern "C" {
                                       n: c_int)
                                       -> c_int;

-    pub fn secp256k1_ecdh(cx: *const Context,
-                          out: *mut SharedSecret,
-                          point: *const PublicKey,
-                          scalar: *const c_uchar)
-                          -> c_int;
+    pub fn secp256k1_ecdh(
+        cx: *const Context,
+        output: *mut SharedSecret,
+        pubkey: *const PublicKey,
+        privkey: *const c_uchar,
+        hashfp: EcdhHashFn,
+        data: *mut c_void,
+    ) -> c_int;
 }

 #[cfg(feature = "fuzztarget")]
@ -262,6 +276,7 @@ mod fuzz_dummy {
    use std::ptr;

    extern "C" {
+        pub static secp256k1_ecdh_hash_function_default: EcdhHashFn;
        pub static secp256k1_nonce_function_rfc6979: NonceFn;
    }

@ -618,11 +633,14 @@ mod fuzz_dummy {
    }

    /// Sets out to point[0..16]||scalar[0..16]
-    pub unsafe fn secp256k1_ecdh(cx: *const Context,
-                                 out: *mut SharedSecret,
-                                 point: *const PublicKey,
-                                 scalar: *const c_uchar)
-                                 -> c_int {
+    pub unsafe fn secp256k1_ecdh(
+        cx: *const Context,
+        out: *mut SharedSecret,
+        point: *const PublicKey,
+        scalar: *const c_uchar,
+        hashfp: EcdhHashFn,
+        data: *mut c_void,
+    ) -> c_int {
        assert!(!cx.is_null() && (*cx).0 as u32 & !(SECP256K1_START_NONE | SECP256K1_START_VERIFY | SECP256K1_START_SIGN) == 0);
        assert!((*cx).0 as u32 & SECP256K1_START_SIGN == SECP256K1_START_SIGN);
        if secp256k1_ec_seckey_verify(cx, scalar) != 1 { return 0; }