mirror of
https://github.com/bitcoin/bitcoin.git
synced 2025-11-10 14:08:40 +01:00
Merge #10657: Utils: Improvements to ECDSA key-handling code
63179d0Scope the ECDSA constant sizes to CPubKey / CKey classes (Jack Grigg)1ce9f0aEnsure that ECDSA constant sizes are correctly-sized (Jack Grigg)48abe78Remove redundant `= 0` initialisations (Jack Grigg)17fa391Specify ECDSA constant sizes as constants (Jack Grigg)e4a1086Update Debian copyright list (Jack Grigg)e181dbeAdd comments (Jack Grigg)a3603acFix potential overflows in ECDSA DER parsers (Jack Grigg) Pull request description: Mostly trivial, but includes fixes to potential overflows in the ECDSA DER parsers. Cherry-picked from Zcash PR https://github.com/zcash/zcash/pull/2335 Tree-SHA512: 8fcbd51b0bd6723e5d33fa5d592f7cb68ed182796a9b837ecc8217991ad69d6c970258617dc00eb378c8caa4cec5d6b304d9d2c066acd40cda98e4da68e0caa4
This commit is contained in:
Wladimir J. van der Laan
75
src/key.cpp
75
src/key.cpp
@@ -1,4 +1,5 @@
|
||||
// Copyright (c) 2009-2016 The Bitcoin Core developers
|
||||
// Copyright (c) 2017 The Zcash developers
|
||||
// Distributed under the MIT software license, see the accompanying
|
||||
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
|
||||
|
||||
@@ -15,43 +16,62 @@
|
||||
static secp256k1_context* secp256k1_context_sign = nullptr;
|
||||
|
||||
/** These functions are taken from the libsecp256k1 distribution and are very ugly. */
|
||||
|
||||
/**
|
||||
* This parses a format loosely based on a DER encoding of the ECPrivateKey type from
|
||||
* section C.4 of SEC 1 <http://www.secg.org/sec1-v2.pdf>, with the following caveats:
|
||||
*
|
||||
* * The octet-length of the SEQUENCE must be encoded as 1 or 2 octets. It is not
|
||||
* required to be encoded as one octet if it is less than 256, as DER would require.
|
||||
* * The octet-length of the SEQUENCE must not be greater than the remaining
|
||||
* length of the key encoding, but need not match it (i.e. the encoding may contain
|
||||
* junk after the encoded SEQUENCE).
|
||||
* * The privateKey OCTET STRING is zero-filled on the left to 32 octets.
|
||||
* * Anything after the encoding of the privateKey OCTET STRING is ignored, whether
|
||||
* or not it is validly encoded DER.
|
||||
*
|
||||
* out32 must point to an output buffer of length at least 32 bytes.
|
||||
*/
|
||||
static int ec_privkey_import_der(const secp256k1_context* ctx, unsigned char *out32, const unsigned char *privkey, size_t privkeylen) {
|
||||
const unsigned char *end = privkey + privkeylen;
|
||||
int lenb = 0;
|
||||
int len = 0;
|
||||
memset(out32, 0, 32);
|
||||
/* sequence header */
|
||||
if (end < privkey+1 || *privkey != 0x30) {
|
||||
if (end - privkey < 1 || *privkey != 0x30u) {
|
||||
return 0;
|
||||
}
|
||||
privkey++;
|
||||
/* sequence length constructor */
|
||||
if (end < privkey+1 || !(*privkey & 0x80)) {
|
||||
if (end - privkey < 1 || !(*privkey & 0x80u)) {
|
||||
return 0;
|
||||
}
|
||||
lenb = *privkey & ~0x80; privkey++;
|
||||
size_t lenb = *privkey & ~0x80u; privkey++;
|
||||
if (lenb < 1 || lenb > 2) {
|
||||
return 0;
|
||||
}
|
||||
if (end < privkey+lenb) {
|
||||
if (end - privkey < lenb) {
|
||||
return 0;
|
||||
}
|
||||
/* sequence length */
|
||||
len = privkey[lenb-1] | (lenb > 1 ? privkey[lenb-2] << 8 : 0);
|
||||
size_t len = privkey[lenb-1] | (lenb > 1 ? privkey[lenb-2] << 8 : 0u);
|
||||
privkey += lenb;
|
||||
if (end < privkey+len) {
|
||||
if (end - privkey < len) {
|
||||
return 0;
|
||||
}
|
||||
/* sequence element 0: version number (=1) */
|
||||
if (end < privkey+3 || privkey[0] != 0x02 || privkey[1] != 0x01 || privkey[2] != 0x01) {
|
||||
if (end - privkey < 3 || privkey[0] != 0x02u || privkey[1] != 0x01u || privkey[2] != 0x01u) {
|
||||
return 0;
|
||||
}
|
||||
privkey += 3;
|
||||
/* sequence element 1: octet string, up to 32 bytes */
|
||||
if (end < privkey+2 || privkey[0] != 0x04 || privkey[1] > 0x20 || end < privkey+2+privkey[1]) {
|
||||
if (end - privkey < 2 || privkey[0] != 0x04u) {
|
||||
return 0;
|
||||
}
|
||||
memcpy(out32 + 32 - privkey[1], privkey + 2, privkey[1]);
|
||||
size_t oslen = privkey[1];
|
||||
privkey += 2;
|
||||
if (oslen > 32 || end - privkey < oslen) {
|
||||
return 0;
|
||||
}
|
||||
memcpy(out32 + (32 - oslen), privkey, oslen);
|
||||
if (!secp256k1_ec_seckey_verify(ctx, out32)) {
|
||||
memset(out32, 0, 32);
|
||||
return 0;
|
||||
@@ -59,7 +79,18 @@ static int ec_privkey_import_der(const secp256k1_context* ctx, unsigned char *ou
|
||||
return 1;
|
||||
}
|
||||
|
||||
/**
|
||||
* This serializes to a DER encoding of the ECPrivateKey type from section C.4 of SEC 1
|
||||
* <http://www.secg.org/sec1-v2.pdf>. The optional parameters and publicKey fields are
|
||||
* included.
|
||||
*
|
||||
* privkey must point to an output buffer of length at least CKey::PRIVATE_KEY_SIZE bytes.
|
||||
* privkeylen must initially be set to the size of the privkey buffer. Upon return it
|
||||
* will be set to the number of bytes used in the buffer.
|
||||
* key32 must point to a 32-byte raw private key.
|
||||
*/
|
||||
static int ec_privkey_export_der(const secp256k1_context *ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *key32, int compressed) {
|
||||
assert(*privkeylen >= CKey::PRIVATE_KEY_SIZE);
|
||||
secp256k1_pubkey pubkey;
|
||||
size_t pubkeylen = 0;
|
||||
if (!secp256k1_ec_pubkey_create(ctx, &pubkey, key32)) {
|
||||
@@ -85,10 +116,11 @@ static int ec_privkey_export_der(const secp256k1_context *ctx, unsigned char *pr
|
||||
memcpy(ptr, begin, sizeof(begin)); ptr += sizeof(begin);
|
||||
memcpy(ptr, key32, 32); ptr += 32;
|
||||
memcpy(ptr, middle, sizeof(middle)); ptr += sizeof(middle);
|
||||
pubkeylen = 33;
|
||||
pubkeylen = CPubKey::COMPRESSED_PUBLIC_KEY_SIZE;
|
||||
secp256k1_ec_pubkey_serialize(ctx, ptr, &pubkeylen, &pubkey, SECP256K1_EC_COMPRESSED);
|
||||
ptr += pubkeylen;
|
||||
*privkeylen = ptr - privkey;
|
||||
assert(*privkeylen == CKey::COMPRESSED_PRIVATE_KEY_SIZE);
|
||||
} else {
|
||||
static const unsigned char begin[] = {
|
||||
0x30,0x82,0x01,0x13,0x02,0x01,0x01,0x04,0x20
|
||||
@@ -110,10 +142,11 @@ static int ec_privkey_export_der(const secp256k1_context *ctx, unsigned char *pr
|
||||
memcpy(ptr, begin, sizeof(begin)); ptr += sizeof(begin);
|
||||
memcpy(ptr, key32, 32); ptr += 32;
|
||||
memcpy(ptr, middle, sizeof(middle)); ptr += sizeof(middle);
|
||||
pubkeylen = 65;
|
||||
pubkeylen = CPubKey::PUBLIC_KEY_SIZE;
|
||||
secp256k1_ec_pubkey_serialize(ctx, ptr, &pubkeylen, &pubkey, SECP256K1_EC_UNCOMPRESSED);
|
||||
ptr += pubkeylen;
|
||||
*privkeylen = ptr - privkey;
|
||||
assert(*privkeylen == CKey::PRIVATE_KEY_SIZE);
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
@@ -135,8 +168,8 @@ CPrivKey CKey::GetPrivKey() const {
|
||||
CPrivKey privkey;
|
||||
int ret;
|
||||
size_t privkeylen;
|
||||
privkey.resize(279);
|
||||
privkeylen = 279;
|
||||
privkey.resize(PRIVATE_KEY_SIZE);
|
||||
privkeylen = PRIVATE_KEY_SIZE;
|
||||
ret = ec_privkey_export_der(secp256k1_context_sign, (unsigned char*) privkey.data(), &privkeylen, begin(), fCompressed ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED);
|
||||
assert(ret);
|
||||
privkey.resize(privkeylen);
|
||||
@@ -146,7 +179,7 @@ CPrivKey CKey::GetPrivKey() const {
|
||||
CPubKey CKey::GetPubKey() const {
|
||||
assert(fValid);
|
||||
secp256k1_pubkey pubkey;
|
||||
size_t clen = 65;
|
||||
size_t clen = CPubKey::PUBLIC_KEY_SIZE;
|
||||
CPubKey result;
|
||||
int ret = secp256k1_ec_pubkey_create(secp256k1_context_sign, &pubkey, begin());
|
||||
assert(ret);
|
||||
@@ -159,8 +192,8 @@ CPubKey CKey::GetPubKey() const {
|
||||
bool CKey::Sign(const uint256 &hash, std::vector<unsigned char>& vchSig, uint32_t test_case) const {
|
||||
if (!fValid)
|
||||
return false;
|
||||
vchSig.resize(72);
|
||||
size_t nSigLen = 72;
|
||||
vchSig.resize(CPubKey::SIGNATURE_SIZE);
|
||||
size_t nSigLen = CPubKey::SIGNATURE_SIZE;
|
||||
unsigned char extra_entropy[32] = {0};
|
||||
WriteLE32(extra_entropy, test_case);
|
||||
secp256k1_ecdsa_signature sig;
|
||||
@@ -188,7 +221,7 @@ bool CKey::VerifyPubKey(const CPubKey& pubkey) const {
|
||||
bool CKey::SignCompact(const uint256 &hash, std::vector<unsigned char>& vchSig) const {
|
||||
if (!fValid)
|
||||
return false;
|
||||
vchSig.resize(65);
|
||||
vchSig.resize(CPubKey::COMPACT_SIGNATURE_SIZE);
|
||||
int rec = -1;
|
||||
secp256k1_ecdsa_recoverable_signature sig;
|
||||
int ret = secp256k1_ecdsa_sign_recoverable(secp256k1_context_sign, &sig, hash.begin(), begin(), secp256k1_nonce_function_rfc6979, nullptr);
|
||||
@@ -218,10 +251,10 @@ bool CKey::Derive(CKey& keyChild, ChainCode &ccChild, unsigned int nChild, const
|
||||
std::vector<unsigned char, secure_allocator<unsigned char>> vout(64);
|
||||
if ((nChild >> 31) == 0) {
|
||||
CPubKey pubkey = GetPubKey();
|
||||
assert(pubkey.begin() + 33 == pubkey.end());
|
||||
assert(pubkey.size() == CPubKey::COMPRESSED_PUBLIC_KEY_SIZE);
|
||||
BIP32Hash(cc, nChild, *pubkey.begin(), pubkey.begin()+1, vout.data());
|
||||
} else {
|
||||
assert(begin() + 32 == end());
|
||||
assert(size() == 32);
|
||||
BIP32Hash(cc, nChild, 0, begin(), vout.data());
|
||||
}
|
||||
memcpy(ccChild.begin(), vout.data()+32, 32);
|
||||
|
||||
Reference in New Issue
Block a user