mirror of
https://github.com/bitcoin/bitcoin.git
synced 2026-03-25 06:55:32 +01:00
Merge bitcoin/bitcoin#26691: Update secp256k1 subtree to libsecp256k1 version 0.2.0
2022917223Add secp256k1_selftest call (Pieter Wuille)3bfca788b0Remove explicit enabling of default modules (Pieter Wuille)4462cb0498Adapt to libsecp256k1 API changes (Pieter Wuille)9d47e7b71bSquashed 'src/secp256k1/' changes from 44c2452fd3..21ffe4b22a (Pieter Wuille) Pull request description: Now that libsecp256k1 has a release (https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2022-December/021271.html), update the subtree to match it. The changes themselves are not very impactful for Bitcoin Core, but include: * It's no longer needed to specify whether contexts are for signing or verification or both (all contexts support everything), so make use of that in this PR. * Verification operations can use the static context now, removing the need for some infrastructure in pubkey.cpp to make sure a context exists. * Most modules are now enabled by default, so we can drop explicit enabling for them. * CI improvements (in particular, MSVC and more recent MacOS) * Introduction of an internal int128 type, which has no effect for GCC/Clang builds, but enables 128-bit multiplication in MSVC, giving a ~20% speedup there (but still slower than GCC/Clang). * Release process changes (process documentation, changelog, ...). ACKs for top commit: Sjors: ACK2022917223, but4462cb0498could use more eyes on it. achow101: ACK2022917223jonasnick: utACK2022917223Tree-SHA512: 8a9fe28852abe74abd6f96fef16a94d5a427b1d99bff4caab1699014d24698aab9b966a5364a46ed1001c07a7c1d825154ed4e6557c7decce952b77330a8616b
This commit is contained in:
fanquake
100
src/pubkey.cpp
100
src/pubkey.cpp
@@ -16,10 +16,16 @@
|
||||
#include <algorithm>
|
||||
#include <cassert>
|
||||
|
||||
namespace
|
||||
namespace {
|
||||
|
||||
struct Secp256k1SelfTester
|
||||
{
|
||||
/* Global secp256k1_context object used for verification. */
|
||||
secp256k1_context* secp256k1_context_verify = nullptr;
|
||||
Secp256k1SelfTester() {
|
||||
/* Run libsecp256k1 self-test before using the secp256k1_context_static. */
|
||||
secp256k1_selftest();
|
||||
}
|
||||
} SECP256K1_SELFTESTER;
|
||||
|
||||
} // namespace
|
||||
|
||||
/** This function is taken from the libsecp256k1 distribution and implements
|
||||
@@ -32,7 +38,7 @@ secp256k1_context* secp256k1_context_verify = nullptr;
|
||||
* strict DER before being passed to this module, and we know it supports all
|
||||
* violations present in the blockchain before that point.
|
||||
*/
|
||||
int ecdsa_signature_parse_der_lax(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) {
|
||||
int ecdsa_signature_parse_der_lax(secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) {
|
||||
size_t rpos, rlen, spos, slen;
|
||||
size_t pos = 0;
|
||||
size_t lenbyte;
|
||||
@@ -40,7 +46,7 @@ int ecdsa_signature_parse_der_lax(const secp256k1_context* ctx, secp256k1_ecdsa_
|
||||
int overflow = 0;
|
||||
|
||||
/* Hack to initialize sig with a correctly-parsed but invalid signature. */
|
||||
secp256k1_ecdsa_signature_parse_compact(ctx, sig, tmpsig);
|
||||
secp256k1_ecdsa_signature_parse_compact(secp256k1_context_static, sig, tmpsig);
|
||||
|
||||
/* Sequence tag byte */
|
||||
if (pos == inputlen || input[pos] != 0x30) {
|
||||
@@ -163,13 +169,13 @@ int ecdsa_signature_parse_der_lax(const secp256k1_context* ctx, secp256k1_ecdsa_
|
||||
}
|
||||
|
||||
if (!overflow) {
|
||||
overflow = !secp256k1_ecdsa_signature_parse_compact(ctx, sig, tmpsig);
|
||||
overflow = !secp256k1_ecdsa_signature_parse_compact(secp256k1_context_static, sig, tmpsig);
|
||||
}
|
||||
if (overflow) {
|
||||
/* Overwrite the result again with a correctly-parsed but invalid
|
||||
signature if parsing failed. */
|
||||
memset(tmpsig, 0, 64);
|
||||
secp256k1_ecdsa_signature_parse_compact(ctx, sig, tmpsig);
|
||||
secp256k1_ecdsa_signature_parse_compact(secp256k1_context_static, sig, tmpsig);
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
@@ -200,15 +206,15 @@ std::vector<CKeyID> XOnlyPubKey::GetKeyIDs() const
|
||||
bool XOnlyPubKey::IsFullyValid() const
|
||||
{
|
||||
secp256k1_xonly_pubkey pubkey;
|
||||
return secp256k1_xonly_pubkey_parse(secp256k1_context_verify, &pubkey, m_keydata.data());
|
||||
return secp256k1_xonly_pubkey_parse(secp256k1_context_static, &pubkey, m_keydata.data());
|
||||
}
|
||||
|
||||
bool XOnlyPubKey::VerifySchnorr(const uint256& msg, Span<const unsigned char> sigbytes) const
|
||||
{
|
||||
assert(sigbytes.size() == 64);
|
||||
secp256k1_xonly_pubkey pubkey;
|
||||
if (!secp256k1_xonly_pubkey_parse(secp256k1_context_verify, &pubkey, m_keydata.data())) return false;
|
||||
return secp256k1_schnorrsig_verify(secp256k1_context_verify, sigbytes.data(), msg.begin(), 32, &pubkey);
|
||||
if (!secp256k1_xonly_pubkey_parse(secp256k1_context_static, &pubkey, m_keydata.data())) return false;
|
||||
return secp256k1_schnorrsig_verify(secp256k1_context_static, sigbytes.data(), msg.begin(), 32, &pubkey);
|
||||
}
|
||||
|
||||
static const HashWriter HASHER_TAPTWEAK{TaggedHash("TapTweak")};
|
||||
@@ -227,23 +233,23 @@ uint256 XOnlyPubKey::ComputeTapTweakHash(const uint256* merkle_root) const
|
||||
bool XOnlyPubKey::CheckTapTweak(const XOnlyPubKey& internal, const uint256& merkle_root, bool parity) const
|
||||
{
|
||||
secp256k1_xonly_pubkey internal_key;
|
||||
if (!secp256k1_xonly_pubkey_parse(secp256k1_context_verify, &internal_key, internal.data())) return false;
|
||||
if (!secp256k1_xonly_pubkey_parse(secp256k1_context_static, &internal_key, internal.data())) return false;
|
||||
uint256 tweak = internal.ComputeTapTweakHash(&merkle_root);
|
||||
return secp256k1_xonly_pubkey_tweak_add_check(secp256k1_context_verify, m_keydata.begin(), parity, &internal_key, tweak.begin());
|
||||
return secp256k1_xonly_pubkey_tweak_add_check(secp256k1_context_static, m_keydata.begin(), parity, &internal_key, tweak.begin());
|
||||
}
|
||||
|
||||
std::optional<std::pair<XOnlyPubKey, bool>> XOnlyPubKey::CreateTapTweak(const uint256* merkle_root) const
|
||||
{
|
||||
secp256k1_xonly_pubkey base_point;
|
||||
if (!secp256k1_xonly_pubkey_parse(secp256k1_context_verify, &base_point, data())) return std::nullopt;
|
||||
if (!secp256k1_xonly_pubkey_parse(secp256k1_context_static, &base_point, data())) return std::nullopt;
|
||||
secp256k1_pubkey out;
|
||||
uint256 tweak = ComputeTapTweakHash(merkle_root);
|
||||
if (!secp256k1_xonly_pubkey_tweak_add(secp256k1_context_verify, &out, &base_point, tweak.data())) return std::nullopt;
|
||||
if (!secp256k1_xonly_pubkey_tweak_add(secp256k1_context_static, &out, &base_point, tweak.data())) return std::nullopt;
|
||||
int parity = -1;
|
||||
std::pair<XOnlyPubKey, bool> ret;
|
||||
secp256k1_xonly_pubkey out_xonly;
|
||||
if (!secp256k1_xonly_pubkey_from_pubkey(secp256k1_context_verify, &out_xonly, &parity, &out)) return std::nullopt;
|
||||
secp256k1_xonly_pubkey_serialize(secp256k1_context_verify, ret.first.begin(), &out_xonly);
|
||||
if (!secp256k1_xonly_pubkey_from_pubkey(secp256k1_context_static, &out_xonly, &parity, &out)) return std::nullopt;
|
||||
secp256k1_xonly_pubkey_serialize(secp256k1_context_static, ret.first.begin(), &out_xonly);
|
||||
assert(parity == 0 || parity == 1);
|
||||
ret.second = parity;
|
||||
return ret;
|
||||
@@ -255,17 +261,16 @@ bool CPubKey::Verify(const uint256 &hash, const std::vector<unsigned char>& vchS
|
||||
return false;
|
||||
secp256k1_pubkey pubkey;
|
||||
secp256k1_ecdsa_signature sig;
|
||||
assert(secp256k1_context_verify && "secp256k1_context_verify must be initialized to use CPubKey.");
|
||||
if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, vch, size())) {
|
||||
if (!secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, vch, size())) {
|
||||
return false;
|
||||
}
|
||||
if (!ecdsa_signature_parse_der_lax(secp256k1_context_verify, &sig, vchSig.data(), vchSig.size())) {
|
||||
if (!ecdsa_signature_parse_der_lax(&sig, vchSig.data(), vchSig.size())) {
|
||||
return false;
|
||||
}
|
||||
/* libsecp256k1's ECDSA verification requires lower-S signatures, which have
|
||||
* not historically been enforced in Bitcoin, so normalize them first. */
|
||||
secp256k1_ecdsa_signature_normalize(secp256k1_context_verify, &sig, &sig);
|
||||
return secp256k1_ecdsa_verify(secp256k1_context_verify, &sig, hash.begin(), &pubkey);
|
||||
secp256k1_ecdsa_signature_normalize(secp256k1_context_static, &sig, &sig);
|
||||
return secp256k1_ecdsa_verify(secp256k1_context_static, &sig, hash.begin(), &pubkey);
|
||||
}
|
||||
|
||||
bool CPubKey::RecoverCompact(const uint256 &hash, const std::vector<unsigned char>& vchSig) {
|
||||
@@ -275,16 +280,15 @@ bool CPubKey::RecoverCompact(const uint256 &hash, const std::vector<unsigned cha
|
||||
bool fComp = ((vchSig[0] - 27) & 4) != 0;
|
||||
secp256k1_pubkey pubkey;
|
||||
secp256k1_ecdsa_recoverable_signature sig;
|
||||
assert(secp256k1_context_verify && "secp256k1_context_verify must be initialized to use CPubKey.");
|
||||
if (!secp256k1_ecdsa_recoverable_signature_parse_compact(secp256k1_context_verify, &sig, &vchSig[1], recid)) {
|
||||
if (!secp256k1_ecdsa_recoverable_signature_parse_compact(secp256k1_context_static, &sig, &vchSig[1], recid)) {
|
||||
return false;
|
||||
}
|
||||
if (!secp256k1_ecdsa_recover(secp256k1_context_verify, &pubkey, &sig, hash.begin())) {
|
||||
if (!secp256k1_ecdsa_recover(secp256k1_context_static, &pubkey, &sig, hash.begin())) {
|
||||
return false;
|
||||
}
|
||||
unsigned char pub[SIZE];
|
||||
size_t publen = SIZE;
|
||||
secp256k1_ec_pubkey_serialize(secp256k1_context_verify, pub, &publen, &pubkey, fComp ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED);
|
||||
secp256k1_ec_pubkey_serialize(secp256k1_context_static, pub, &publen, &pubkey, fComp ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED);
|
||||
Set(pub, pub + publen);
|
||||
return true;
|
||||
}
|
||||
@@ -293,21 +297,19 @@ bool CPubKey::IsFullyValid() const {
|
||||
if (!IsValid())
|
||||
return false;
|
||||
secp256k1_pubkey pubkey;
|
||||
assert(secp256k1_context_verify && "secp256k1_context_verify must be initialized to use CPubKey.");
|
||||
return secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, vch, size());
|
||||
return secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, vch, size());
|
||||
}
|
||||
|
||||
bool CPubKey::Decompress() {
|
||||
if (!IsValid())
|
||||
return false;
|
||||
secp256k1_pubkey pubkey;
|
||||
assert(secp256k1_context_verify && "secp256k1_context_verify must be initialized to use CPubKey.");
|
||||
if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, vch, size())) {
|
||||
if (!secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, vch, size())) {
|
||||
return false;
|
||||
}
|
||||
unsigned char pub[SIZE];
|
||||
size_t publen = SIZE;
|
||||
secp256k1_ec_pubkey_serialize(secp256k1_context_verify, pub, &publen, &pubkey, SECP256K1_EC_UNCOMPRESSED);
|
||||
secp256k1_ec_pubkey_serialize(secp256k1_context_static, pub, &publen, &pubkey, SECP256K1_EC_UNCOMPRESSED);
|
||||
Set(pub, pub + publen);
|
||||
return true;
|
||||
}
|
||||
@@ -320,16 +322,15 @@ bool CPubKey::Derive(CPubKey& pubkeyChild, ChainCode &ccChild, unsigned int nChi
|
||||
BIP32Hash(cc, nChild, *begin(), begin()+1, out);
|
||||
memcpy(ccChild.begin(), out+32, 32);
|
||||
secp256k1_pubkey pubkey;
|
||||
assert(secp256k1_context_verify && "secp256k1_context_verify must be initialized to use CPubKey.");
|
||||
if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, vch, size())) {
|
||||
if (!secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, vch, size())) {
|
||||
return false;
|
||||
}
|
||||
if (!secp256k1_ec_pubkey_tweak_add(secp256k1_context_verify, &pubkey, out)) {
|
||||
if (!secp256k1_ec_pubkey_tweak_add(secp256k1_context_static, &pubkey, out)) {
|
||||
return false;
|
||||
}
|
||||
unsigned char pub[COMPRESSED_SIZE];
|
||||
size_t publen = COMPRESSED_SIZE;
|
||||
secp256k1_ec_pubkey_serialize(secp256k1_context_verify, pub, &publen, &pubkey, SECP256K1_EC_COMPRESSED);
|
||||
secp256k1_ec_pubkey_serialize(secp256k1_context_static, pub, &publen, &pubkey, SECP256K1_EC_COMPRESSED);
|
||||
pubkeyChild.Set(pub, pub + publen);
|
||||
return true;
|
||||
}
|
||||
@@ -375,35 +376,8 @@ bool CExtPubKey::Derive(CExtPubKey &out, unsigned int _nChild) const {
|
||||
|
||||
/* static */ bool CPubKey::CheckLowS(const std::vector<unsigned char>& vchSig) {
|
||||
secp256k1_ecdsa_signature sig;
|
||||
assert(secp256k1_context_verify && "secp256k1_context_verify must be initialized to use CPubKey.");
|
||||
if (!ecdsa_signature_parse_der_lax(secp256k1_context_verify, &sig, vchSig.data(), vchSig.size())) {
|
||||
if (!ecdsa_signature_parse_der_lax(&sig, vchSig.data(), vchSig.size())) {
|
||||
return false;
|
||||
}
|
||||
return (!secp256k1_ecdsa_signature_normalize(secp256k1_context_verify, nullptr, &sig));
|
||||
}
|
||||
|
||||
/* static */ int ECCVerifyHandle::refcount = 0;
|
||||
|
||||
ECCVerifyHandle::ECCVerifyHandle()
|
||||
{
|
||||
if (refcount == 0) {
|
||||
assert(secp256k1_context_verify == nullptr);
|
||||
secp256k1_context_verify = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
|
||||
assert(secp256k1_context_verify != nullptr);
|
||||
}
|
||||
refcount++;
|
||||
}
|
||||
|
||||
ECCVerifyHandle::~ECCVerifyHandle()
|
||||
{
|
||||
refcount--;
|
||||
if (refcount == 0) {
|
||||
assert(secp256k1_context_verify != nullptr);
|
||||
secp256k1_context_destroy(secp256k1_context_verify);
|
||||
secp256k1_context_verify = nullptr;
|
||||
}
|
||||
}
|
||||
|
||||
const secp256k1_context* GetVerifyContext() {
|
||||
return secp256k1_context_verify;
|
||||
return (!secp256k1_ecdsa_signature_normalize(secp256k1_context_static, nullptr, &sig));
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user