Skip to content

Commit

Permalink
Return 0 if the given seckey is invalid in privkey_negate, privkey_tw…
Browse files Browse the repository at this point in the history
…eak_add and privkey_tweak_mul
  • Loading branch information
jonasnick committed Mar 30, 2020
1 parent 8f814cd commit 5894e1f
Show file tree
Hide file tree
Showing 4 changed files with 77 additions and 20 deletions.
21 changes: 13 additions & 8 deletions include/secp256k1.h
Original file line number Diff line number Diff line change
Expand Up @@ -579,9 +579,12 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(

/** Negates a private key in place.
*
* Returns: 1 always
* Returns: 0 if the given private key is invalid according to
* secp256k1_ec_seckey_verify. 1 otherwise
* Args: ctx: pointer to a context object
* In/Out: seckey: pointer to the 32-byte private key to be negated (cannot be NULL)
* In/Out: seckey: pointer to the 32-byte private key to be negated. The private
* key should be valid according to secp256k1_ec_seckey_verify
* (cannot be NULL)
*/
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_negate(
const secp256k1_context* ctx,
Expand All @@ -601,9 +604,10 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_negate(

/** Tweak a private key by adding tweak to it.
* Returns: 0 if the tweak was out of range (chance of around 1 in 2^128 for
* uniformly random 32-byte arrays, or if the resulting private key
* would be invalid (only when the tweak is the complement of the
* private key). 1 otherwise.
* uniformly random 32-byte arrays, or if the given private key is
* invalid according to secp256k1_ec_seckey_verify, or if the resulting
* private key would be invalid (only when the tweak is the complement
* of the private key). 1 otherwise.
* Args: ctx: pointer to a context object (cannot be NULL).
* In/Out: seckey: pointer to a 32-byte private key.
* In: tweak: pointer to a 32-byte tweak.
Expand All @@ -616,9 +620,10 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add(

/** Tweak a public key by adding tweak times the generator to it.
* Returns: 0 if the tweak was out of range (chance of around 1 in 2^128 for
* uniformly random 32-byte arrays, or if the resulting public key
* would be invalid (only when the tweak is the complement of the
* corresponding private key). 1 otherwise.
* uniformly random 32-byte arrays, or if the given private key is
* invalid according to secp256k1_ec_seckey_verify, or if the resulting
* public key would be invalid (only when the tweak is the complement
* of the corresponding private key). 1 otherwise.
* Args: ctx: pointer to a context object initialized for validation
* (cannot be NULL).
* In/Out: pubkey: pointer to a public key object.
Expand Down
5 changes: 1 addition & 4 deletions src/eckey_impl.h
Original file line number Diff line number Diff line change
Expand Up @@ -54,10 +54,7 @@ static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *p

static int secp256k1_eckey_privkey_tweak_add(secp256k1_scalar *key, const secp256k1_scalar *tweak) {
secp256k1_scalar_add(key, key, tweak);
if (secp256k1_scalar_is_zero(key)) {
return 0;
}
return 1;
return !secp256k1_scalar_is_zero(key);
}

static int secp256k1_eckey_pubkey_tweak_add(const secp256k1_ecmult_context *ctx, secp256k1_ge *key, const secp256k1_scalar *tweak) {
Expand Down
14 changes: 8 additions & 6 deletions src/secp256k1.c
Original file line number Diff line number Diff line change
Expand Up @@ -556,15 +556,17 @@ int secp256k1_ec_pubkey_create(const secp256k1_context* ctx, secp256k1_pubkey *p

int secp256k1_ec_privkey_negate(const secp256k1_context* ctx, unsigned char *seckey) {
secp256k1_scalar sec;
int ret = 0;
VERIFY_CHECK(ctx != NULL);
ARG_CHECK(seckey != NULL);

secp256k1_scalar_set_b32(&sec, seckey, NULL);
ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
secp256k1_scalar_cmov(&sec, &secp256k1_scalar_zero, !ret);
secp256k1_scalar_negate(&sec, &sec);
secp256k1_scalar_get_b32(seckey, &sec);

secp256k1_scalar_clear(&sec);
return 1;
return ret;
}

int secp256k1_ec_pubkey_negate(const secp256k1_context* ctx, secp256k1_pubkey *pubkey) {
Expand Down Expand Up @@ -592,9 +594,9 @@ int secp256k1_ec_privkey_tweak_add(const secp256k1_context* ctx, unsigned char *
ARG_CHECK(tweak != NULL);

secp256k1_scalar_set_b32(&term, tweak, &overflow);
secp256k1_scalar_set_b32(&sec, seckey, NULL);
ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);

ret = (!overflow) & secp256k1_eckey_privkey_tweak_add(&sec, &term);
ret &= (!overflow) & secp256k1_eckey_privkey_tweak_add(&sec, &term);
secp256k1_scalar_cmov(&sec, &secp256k1_scalar_zero, !ret);
secp256k1_scalar_get_b32(seckey, &sec);

Expand Down Expand Up @@ -637,8 +639,8 @@ int secp256k1_ec_privkey_tweak_mul(const secp256k1_context* ctx, unsigned char *
ARG_CHECK(tweak != NULL);

secp256k1_scalar_set_b32(&factor, tweak, &overflow);
secp256k1_scalar_set_b32(&sec, seckey, NULL);
ret = (!overflow) & secp256k1_eckey_privkey_tweak_mul(&sec, &factor);
ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
ret &= (!overflow) & secp256k1_eckey_privkey_tweak_mul(&sec, &factor);
secp256k1_scalar_cmov(&sec, &secp256k1_scalar_zero, !ret);
secp256k1_scalar_get_b32(seckey, &sec);

Expand Down
57 changes: 55 additions & 2 deletions src/tests.c
Original file line number Diff line number Diff line change
Expand Up @@ -4000,7 +4000,20 @@ void run_eckey_edge_case_test(void) {
CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
memcpy(&pubkey, &pubkey2, sizeof(pubkey));
/* Overflowing key tweak zeroizes. */
/* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
seckey, the seckey is zeroized. */
memcpy(ctmp, orderc, 32);
memset(ctmp2, 0, 32);
ctmp2[31] = 0x01;
CHECK(secp256k1_ec_seckey_verify(ctx, ctmp2) == 1);
CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, ctmp2) == 0);
CHECK(memcmp(zeros, ctmp, 32) == 0);
memcpy(ctmp, orderc, 32);
CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, ctmp2) == 0);
CHECK(memcmp(zeros, ctmp, 32) == 0);
/* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
tweak, the seckey is zeroized. */
memcpy(ctmp, orderc, 32);
ctmp[31] = 0x40;
CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, orderc) == 0);
Expand All @@ -4011,13 +4024,20 @@ void run_eckey_edge_case_test(void) {
CHECK(memcmp(zeros, ctmp, 32) == 0);
memcpy(ctmp, orderc, 32);
ctmp[31] = 0x40;
/* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
tweak, the pubkey is zeroized. */
CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
memcpy(&pubkey, &pubkey2, sizeof(pubkey));
CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
memcpy(&pubkey, &pubkey2, sizeof(pubkey));
/* Private key tweaks results in a key of zero. */
/* If the resulting key in secp256k1_ec_seckey_tweak_add and
* secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
* case the pubkey is zeroized. */
memcpy(ctmp, orderc, 32);
ctmp[31] = 0x40;
memset(ctmp2, 0, 32);
ctmp2[31] = 1;
CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 0);
CHECK(memcmp(zeros, ctmp2, 32) == 0);
Expand Down Expand Up @@ -4157,6 +4177,36 @@ void run_eckey_edge_case_test(void) {
secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
}

void run_eckey_negate_test(void) {
unsigned char seckey[32];
unsigned char seckey_tmp[32];

random_scalar_order_b32(seckey);
memcpy(seckey_tmp, seckey, 32);

/* Verify negation changes the key and changes it back */
CHECK(secp256k1_ec_privkey_negate(ctx, seckey) == 1);
CHECK(memcmp(seckey, seckey_tmp, 32) != 0);
CHECK(secp256k1_ec_privkey_negate(ctx, seckey) == 1);
CHECK(memcmp(seckey, seckey_tmp, 32) == 0);

/* Negating all 0s fails */
memset(seckey, 0, 32);
memset(seckey_tmp, 0, 32);
CHECK(secp256k1_ec_privkey_negate(ctx, seckey) == 0);
/* Check that seckey is not modified */
CHECK(memcmp(seckey, seckey_tmp, 32) == 0);

/* Negating an overflowing seckey fails and the seckey is zeroed. In this
* test, the seckey has 16 random bytes to ensure that ec_privkey_negate
* doesn't just set seckey to a constant value in case of failure. */
random_scalar_order_b32(seckey);
memset(seckey, 0xFF, 16);
memset(seckey_tmp, 0, 32);
CHECK(secp256k1_ec_privkey_negate(ctx, seckey) == 0);
CHECK(memcmp(seckey, seckey_tmp, 32) == 0);
}

void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
secp256k1_scalar nonce;
do {
Expand Down Expand Up @@ -5347,6 +5397,9 @@ int main(int argc, char **argv) {
/* EC key edge cases */
run_eckey_edge_case_test();

/* EC key arithmetic test */
run_eckey_negate_test();

#ifdef ENABLE_MODULE_ECDH
/* ecdh tests */
run_ecdh_tests();
Expand Down

0 comments on commit 5894e1f

Please sign in to comment.