aboutsummaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/key.cpp75
-rw-r--r--src/key.h28
-rw-r--r--src/pubkey.cpp33
-rw-r--r--src/pubkey.h37
-rw-r--r--src/script/interpreter.cpp6
5 files changed, 117 insertions, 62 deletions
diff --git a/src/key.cpp b/src/key.cpp
index 9d4c4498d8..9893b88220 100644
--- a/src/key.cpp
+++ b/src/key.cpp
@@ -1,4 +1,5 @@
// Copyright (c) 2009-2016 The Bitcoin Core developers
+// Copyright (c) 2017 The Zcash developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
@@ -15,43 +16,62 @@
static secp256k1_context* secp256k1_context_sign = nullptr;
/** These functions are taken from the libsecp256k1 distribution and are very ugly. */
+
+/**
+ * This parses a format loosely based on a DER encoding of the ECPrivateKey type from
+ * section C.4 of SEC 1 <http://www.secg.org/sec1-v2.pdf>, with the following caveats:
+ *
+ * * The octet-length of the SEQUENCE must be encoded as 1 or 2 octets. It is not
+ * required to be encoded as one octet if it is less than 256, as DER would require.
+ * * The octet-length of the SEQUENCE must not be greater than the remaining
+ * length of the key encoding, but need not match it (i.e. the encoding may contain
+ * junk after the encoded SEQUENCE).
+ * * The privateKey OCTET STRING is zero-filled on the left to 32 octets.
+ * * Anything after the encoding of the privateKey OCTET STRING is ignored, whether
+ * or not it is validly encoded DER.
+ *
+ * out32 must point to an output buffer of length at least 32 bytes.
+ */
static int ec_privkey_import_der(const secp256k1_context* ctx, unsigned char *out32, const unsigned char *privkey, size_t privkeylen) {
const unsigned char *end = privkey + privkeylen;
- int lenb = 0;
- int len = 0;
memset(out32, 0, 32);
/* sequence header */
- if (end < privkey+1 || *privkey != 0x30) {
+ if (end - privkey < 1 || *privkey != 0x30u) {
return 0;
}
privkey++;
/* sequence length constructor */
- if (end < privkey+1 || !(*privkey & 0x80)) {
+ if (end - privkey < 1 || !(*privkey & 0x80u)) {
return 0;
}
- lenb = *privkey & ~0x80; privkey++;
+ size_t lenb = *privkey & ~0x80u; privkey++;
if (lenb < 1 || lenb > 2) {
return 0;
}
- if (end < privkey+lenb) {
+ if (end - privkey < lenb) {
return 0;
}
/* sequence length */
- len = privkey[lenb-1] | (lenb > 1 ? privkey[lenb-2] << 8 : 0);
+ size_t len = privkey[lenb-1] | (lenb > 1 ? privkey[lenb-2] << 8 : 0u);
privkey += lenb;
- if (end < privkey+len) {
+ if (end - privkey < len) {
return 0;
}
/* sequence element 0: version number (=1) */
- if (end < privkey+3 || privkey[0] != 0x02 || privkey[1] != 0x01 || privkey[2] != 0x01) {
+ if (end - privkey < 3 || privkey[0] != 0x02u || privkey[1] != 0x01u || privkey[2] != 0x01u) {
return 0;
}
privkey += 3;
/* sequence element 1: octet string, up to 32 bytes */
- if (end < privkey+2 || privkey[0] != 0x04 || privkey[1] > 0x20 || end < privkey+2+privkey[1]) {
+ if (end - privkey < 2 || privkey[0] != 0x04u) {
+ return 0;
+ }
+ size_t oslen = privkey[1];
+ privkey += 2;
+ if (oslen > 32 || end - privkey < oslen) {
return 0;
}
- memcpy(out32 + 32 - privkey[1], privkey + 2, privkey[1]);
+ memcpy(out32 + (32 - oslen), privkey, oslen);
if (!secp256k1_ec_seckey_verify(ctx, out32)) {
memset(out32, 0, 32);
return 0;
@@ -59,7 +79,18 @@ static int ec_privkey_import_der(const secp256k1_context* ctx, unsigned char *ou
return 1;
}
+/**
+ * This serializes to a DER encoding of the ECPrivateKey type from section C.4 of SEC 1
+ * <http://www.secg.org/sec1-v2.pdf>. The optional parameters and publicKey fields are
+ * included.
+ *
+ * privkey must point to an output buffer of length at least CKey::PRIVATE_KEY_SIZE bytes.
+ * privkeylen must initially be set to the size of the privkey buffer. Upon return it
+ * will be set to the number of bytes used in the buffer.
+ * key32 must point to a 32-byte raw private key.
+ */
static int ec_privkey_export_der(const secp256k1_context *ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *key32, int compressed) {
+ assert(*privkeylen >= CKey::PRIVATE_KEY_SIZE);
secp256k1_pubkey pubkey;
size_t pubkeylen = 0;
if (!secp256k1_ec_pubkey_create(ctx, &pubkey, key32)) {
@@ -85,10 +116,11 @@ static int ec_privkey_export_der(const secp256k1_context *ctx, unsigned char *pr
memcpy(ptr, begin, sizeof(begin)); ptr += sizeof(begin);
memcpy(ptr, key32, 32); ptr += 32;
memcpy(ptr, middle, sizeof(middle)); ptr += sizeof(middle);
- pubkeylen = 33;
+ pubkeylen = CPubKey::COMPRESSED_PUBLIC_KEY_SIZE;
secp256k1_ec_pubkey_serialize(ctx, ptr, &pubkeylen, &pubkey, SECP256K1_EC_COMPRESSED);
ptr += pubkeylen;
*privkeylen = ptr - privkey;
+ assert(*privkeylen == CKey::COMPRESSED_PRIVATE_KEY_SIZE);
} else {
static const unsigned char begin[] = {
0x30,0x82,0x01,0x13,0x02,0x01,0x01,0x04,0x20
@@ -110,10 +142,11 @@ static int ec_privkey_export_der(const secp256k1_context *ctx, unsigned char *pr
memcpy(ptr, begin, sizeof(begin)); ptr += sizeof(begin);
memcpy(ptr, key32, 32); ptr += 32;
memcpy(ptr, middle, sizeof(middle)); ptr += sizeof(middle);
- pubkeylen = 65;
+ pubkeylen = CPubKey::PUBLIC_KEY_SIZE;
secp256k1_ec_pubkey_serialize(ctx, ptr, &pubkeylen, &pubkey, SECP256K1_EC_UNCOMPRESSED);
ptr += pubkeylen;
*privkeylen = ptr - privkey;
+ assert(*privkeylen == CKey::PRIVATE_KEY_SIZE);
}
return 1;
}
@@ -135,8 +168,8 @@ CPrivKey CKey::GetPrivKey() const {
CPrivKey privkey;
int ret;
size_t privkeylen;
- privkey.resize(279);
- privkeylen = 279;
+ privkey.resize(PRIVATE_KEY_SIZE);
+ privkeylen = PRIVATE_KEY_SIZE;
ret = ec_privkey_export_der(secp256k1_context_sign, (unsigned char*) privkey.data(), &privkeylen, begin(), fCompressed ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED);
assert(ret);
privkey.resize(privkeylen);
@@ -146,7 +179,7 @@ CPrivKey CKey::GetPrivKey() const {
CPubKey CKey::GetPubKey() const {
assert(fValid);
secp256k1_pubkey pubkey;
- size_t clen = 65;
+ size_t clen = CPubKey::PUBLIC_KEY_SIZE;
CPubKey result;
int ret = secp256k1_ec_pubkey_create(secp256k1_context_sign, &pubkey, begin());
assert(ret);
@@ -159,8 +192,8 @@ CPubKey CKey::GetPubKey() const {
bool CKey::Sign(const uint256 &hash, std::vector<unsigned char>& vchSig, uint32_t test_case) const {
if (!fValid)
return false;
- vchSig.resize(72);
- size_t nSigLen = 72;
+ vchSig.resize(CPubKey::SIGNATURE_SIZE);
+ size_t nSigLen = CPubKey::SIGNATURE_SIZE;
unsigned char extra_entropy[32] = {0};
WriteLE32(extra_entropy, test_case);
secp256k1_ecdsa_signature sig;
@@ -188,7 +221,7 @@ bool CKey::VerifyPubKey(const CPubKey& pubkey) const {
bool CKey::SignCompact(const uint256 &hash, std::vector<unsigned char>& vchSig) const {
if (!fValid)
return false;
- vchSig.resize(65);
+ vchSig.resize(CPubKey::COMPACT_SIGNATURE_SIZE);
int rec = -1;
secp256k1_ecdsa_recoverable_signature sig;
int ret = secp256k1_ecdsa_sign_recoverable(secp256k1_context_sign, &sig, hash.begin(), begin(), secp256k1_nonce_function_rfc6979, nullptr);
@@ -218,10 +251,10 @@ bool CKey::Derive(CKey& keyChild, ChainCode &ccChild, unsigned int nChild, const
std::vector<unsigned char, secure_allocator<unsigned char>> vout(64);
if ((nChild >> 31) == 0) {
CPubKey pubkey = GetPubKey();
- assert(pubkey.begin() + 33 == pubkey.end());
+ assert(pubkey.size() == CPubKey::COMPRESSED_PUBLIC_KEY_SIZE);
BIP32Hash(cc, nChild, *pubkey.begin(), pubkey.begin()+1, vout.data());
} else {
- assert(begin() + 32 == end());
+ assert(size() == 32);
BIP32Hash(cc, nChild, 0, begin(), vout.data());
}
memcpy(ccChild.begin(), vout.data()+32, 32);
diff --git a/src/key.h b/src/key.h
index c610e5e6cd..8ef6c51b14 100644
--- a/src/key.h
+++ b/src/key.h
@@ -1,5 +1,6 @@
// Copyright (c) 2009-2010 Satoshi Nakamoto
// Copyright (c) 2009-2016 The Bitcoin Core developers
+// Copyright (c) 2017 The Zcash developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
@@ -16,24 +17,29 @@
/**
- * secp256k1:
- * const unsigned int PRIVATE_KEY_SIZE = 279;
- * const unsigned int PUBLIC_KEY_SIZE = 65;
- * const unsigned int SIGNATURE_SIZE = 72;
- *
- * see www.keylength.com
- * script supports up to 75 for single byte push
- */
-
-/**
* secure_allocator is defined in allocators.h
- * CPrivKey is a serialized private key, with all parameters included (279 bytes)
+ * CPrivKey is a serialized private key, with all parameters included
+ * (PRIVATE_KEY_SIZE bytes)
*/
typedef std::vector<unsigned char, secure_allocator<unsigned char> > CPrivKey;
/** An encapsulated private key. */
class CKey
{
+public:
+ /**
+ * secp256k1:
+ */
+ static const unsigned int PRIVATE_KEY_SIZE = 279;
+ static const unsigned int COMPRESSED_PRIVATE_KEY_SIZE = 214;
+ /**
+ * see www.keylength.com
+ * script supports up to 75 for single byte push
+ */
+ static_assert(
+ PRIVATE_KEY_SIZE >= COMPRESSED_PRIVATE_KEY_SIZE,
+ "COMPRESSED_PRIVATE_KEY_SIZE is larger than PRIVATE_KEY_SIZE");
+
private:
//! Whether this private key is valid. We check for correctness when modifying the key
//! data, so fValid should always correspond to the actual state.
diff --git a/src/pubkey.cpp b/src/pubkey.cpp
index 7f5ec1e8de..e52acf077c 100644
--- a/src/pubkey.cpp
+++ b/src/pubkey.cpp
@@ -1,4 +1,5 @@
// Copyright (c) 2009-2016 The Bitcoin Core developers
+// Copyright (c) 2017 The Zcash developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
@@ -46,7 +47,7 @@ static int ecdsa_signature_parse_der_lax(const secp256k1_context* ctx, secp256k1
lenbyte = input[pos++];
if (lenbyte & 0x80) {
lenbyte -= 0x80;
- if (pos + lenbyte > inputlen) {
+ if (lenbyte > inputlen - pos) {
return 0;
}
pos += lenbyte;
@@ -65,14 +66,15 @@ static int ecdsa_signature_parse_der_lax(const secp256k1_context* ctx, secp256k1
lenbyte = input[pos++];
if (lenbyte & 0x80) {
lenbyte -= 0x80;
- if (pos + lenbyte > inputlen) {
+ if (lenbyte > inputlen - pos) {
return 0;
}
while (lenbyte > 0 && input[pos] == 0) {
pos++;
lenbyte--;
}
- if (lenbyte >= sizeof(size_t)) {
+ static_assert(sizeof(size_t) >= 4, "size_t too small");
+ if (lenbyte >= 4) {
return 0;
}
rlen = 0;
@@ -103,14 +105,15 @@ static int ecdsa_signature_parse_der_lax(const secp256k1_context* ctx, secp256k1
lenbyte = input[pos++];
if (lenbyte & 0x80) {
lenbyte -= 0x80;
- if (pos + lenbyte > inputlen) {
+ if (lenbyte > inputlen - pos) {
return 0;
}
while (lenbyte > 0 && input[pos] == 0) {
pos++;
lenbyte--;
}
- if (lenbyte >= sizeof(size_t)) {
+ static_assert(sizeof(size_t) >= 4, "size_t too small");
+ if (lenbyte >= 4) {
return 0;
}
slen = 0;
@@ -181,7 +184,7 @@ bool CPubKey::Verify(const uint256 &hash, const std::vector<unsigned char>& vchS
}
bool CPubKey::RecoverCompact(const uint256 &hash, const std::vector<unsigned char>& vchSig) {
- if (vchSig.size() != 65)
+ if (vchSig.size() != COMPACT_SIGNATURE_SIZE)
return false;
int recid = (vchSig[0] - 27) & 3;
bool fComp = ((vchSig[0] - 27) & 4) != 0;
@@ -193,8 +196,8 @@ bool CPubKey::RecoverCompact(const uint256 &hash, const std::vector<unsigned cha
if (!secp256k1_ecdsa_recover(secp256k1_context_verify, &pubkey, &sig, hash.begin())) {
return false;
}
- unsigned char pub[65];
- size_t publen = 65;
+ unsigned char pub[PUBLIC_KEY_SIZE];
+ size_t publen = PUBLIC_KEY_SIZE;
secp256k1_ec_pubkey_serialize(secp256k1_context_verify, pub, &publen, &pubkey, fComp ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED);
Set(pub, pub + publen);
return true;
@@ -214,8 +217,8 @@ bool CPubKey::Decompress() {
if (!secp256k1_ec_pubkey_parse(secp256k1_context_verify, &pubkey, &(*this)[0], size())) {
return false;
}
- unsigned char pub[65];
- size_t publen = 65;
+ unsigned char pub[PUBLIC_KEY_SIZE];
+ size_t publen = PUBLIC_KEY_SIZE;
secp256k1_ec_pubkey_serialize(secp256k1_context_verify, pub, &publen, &pubkey, SECP256K1_EC_UNCOMPRESSED);
Set(pub, pub + publen);
return true;
@@ -224,7 +227,7 @@ bool CPubKey::Decompress() {
bool CPubKey::Derive(CPubKey& pubkeyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode& cc) const {
assert(IsValid());
assert((nChild >> 31) == 0);
- assert(begin() + 33 == end());
+ assert(size() == COMPRESSED_PUBLIC_KEY_SIZE);
unsigned char out[64];
BIP32Hash(cc, nChild, *begin(), begin()+1, out);
memcpy(ccChild.begin(), out+32, 32);
@@ -235,8 +238,8 @@ bool CPubKey::Derive(CPubKey& pubkeyChild, ChainCode &ccChild, unsigned int nChi
if (!secp256k1_ec_pubkey_tweak_add(secp256k1_context_verify, &pubkey, out)) {
return false;
}
- unsigned char pub[33];
- size_t publen = 33;
+ unsigned char pub[COMPRESSED_PUBLIC_KEY_SIZE];
+ size_t publen = COMPRESSED_PUBLIC_KEY_SIZE;
secp256k1_ec_pubkey_serialize(secp256k1_context_verify, pub, &publen, &pubkey, SECP256K1_EC_COMPRESSED);
pubkeyChild.Set(pub, pub + publen);
return true;
@@ -248,8 +251,8 @@ void CExtPubKey::Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const {
code[5] = (nChild >> 24) & 0xFF; code[6] = (nChild >> 16) & 0xFF;
code[7] = (nChild >> 8) & 0xFF; code[8] = (nChild >> 0) & 0xFF;
memcpy(code+9, chaincode.begin(), 32);
- assert(pubkey.size() == 33);
- memcpy(code+41, pubkey.begin(), 33);
+ assert(pubkey.size() == CPubKey::COMPRESSED_PUBLIC_KEY_SIZE);
+ memcpy(code+41, pubkey.begin(), CPubKey::COMPRESSED_PUBLIC_KEY_SIZE);
}
void CExtPubKey::Decode(const unsigned char code[BIP32_EXTKEY_SIZE]) {
diff --git a/src/pubkey.h b/src/pubkey.h
index c9f3c18eb3..e6c32913de 100644
--- a/src/pubkey.h
+++ b/src/pubkey.h
@@ -1,5 +1,6 @@
// Copyright (c) 2009-2010 Satoshi Nakamoto
// Copyright (c) 2009-2016 The Bitcoin Core developers
+// Copyright (c) 2017 The Zcash developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
@@ -13,16 +14,6 @@
#include <stdexcept>
#include <vector>
-/**
- * secp256k1:
- * const unsigned int PRIVATE_KEY_SIZE = 279;
- * const unsigned int PUBLIC_KEY_SIZE = 65;
- * const unsigned int SIGNATURE_SIZE = 72;
- *
- * see www.keylength.com
- * script supports up to 75 for single byte push
- */
-
const unsigned int BIP32_EXTKEY_SIZE = 74;
/** A reference to a CKey: the Hash160 of its serialized public key */
@@ -38,21 +29,37 @@ typedef uint256 ChainCode;
/** An encapsulated public key. */
class CPubKey
{
+public:
+ /**
+ * secp256k1:
+ */
+ static const unsigned int PUBLIC_KEY_SIZE = 65;
+ static const unsigned int COMPRESSED_PUBLIC_KEY_SIZE = 33;
+ static const unsigned int SIGNATURE_SIZE = 72;
+ static const unsigned int COMPACT_SIGNATURE_SIZE = 65;
+ /**
+ * see www.keylength.com
+ * script supports up to 75 for single byte push
+ */
+ static_assert(
+ PUBLIC_KEY_SIZE >= COMPRESSED_PUBLIC_KEY_SIZE,
+ "COMPRESSED_PUBLIC_KEY_SIZE is larger than PUBLIC_KEY_SIZE");
+
private:
/**
* Just store the serialized data.
* Its length can very cheaply be computed from the first byte.
*/
- unsigned char vch[65];
+ unsigned char vch[PUBLIC_KEY_SIZE];
//! Compute the length of a pubkey with a given first byte.
unsigned int static GetLen(unsigned char chHeader)
{
if (chHeader == 2 || chHeader == 3)
- return 33;
+ return COMPRESSED_PUBLIC_KEY_SIZE;
if (chHeader == 4 || chHeader == 6 || chHeader == 7)
- return 65;
+ return PUBLIC_KEY_SIZE;
return 0;
}
@@ -127,7 +134,7 @@ public:
void Unserialize(Stream& s)
{
unsigned int len = ::ReadCompactSize(s);
- if (len <= 65) {
+ if (len <= PUBLIC_KEY_SIZE) {
s.read((char*)vch, len);
} else {
// invalid pubkey, skip available data
@@ -166,7 +173,7 @@ public:
//! Check whether this is a compressed public key.
bool IsCompressed() const
{
- return size() == 33;
+ return size() == COMPRESSED_PUBLIC_KEY_SIZE;
}
/**
diff --git a/src/script/interpreter.cpp b/src/script/interpreter.cpp
index 3c3f92fe46..62042e8e70 100644
--- a/src/script/interpreter.cpp
+++ b/src/script/interpreter.cpp
@@ -173,7 +173,13 @@ bool static IsLowDERSignature(const valtype &vchSig, ScriptError* serror) {
if (!IsValidSignatureEncoding(vchSig)) {
return set_error(serror, SCRIPT_ERR_SIG_DER);
}
+ // https://bitcoin.stackexchange.com/a/12556:
+ // Also note that inside transaction signatures, an extra hashtype byte
+ // follows the actual signature data.
std::vector<unsigned char> vchSigCopy(vchSig.begin(), vchSig.begin() + vchSig.size() - 1);
+ // If the S value is above the order of the curve divided by two, its
+ // complement modulo the order could have been used instead, which is
+ // one byte shorter when encoded correctly.
if (!CPubKey::CheckLowS(vchSigCopy)) {
return set_error(serror, SCRIPT_ERR_SIG_HIGH_S);
}