boxtec
/
bitcoin
mirror of https://github.com/bitcoin/bitcoin
4
1
Fork 0
Code Issues Projects Releases Wiki Activity

Avoid nonce_function_rfc6979 algo16 argument emulation.

Browse Source 
This avoids data=NULL and data = zeros to producing the same nonce.

Previously the code tried to avoid the case where some data inputs
 aliased algo16 inputs by always padding out the data.

But because algo16 and data are different lengths they cannot
 emulate each other, and the padding would match a data value of
 all zeros.
pull/11871/head
Gregory Maxwell 9 years ago
parent 70d4640172
commit b30fc85c9e
2 changed files with 34 additions and 5 deletions
Show Stats Download Patch File Download Diff File

11
src/secp256k1.c
Unescape View File

@ -300,8 +300,10 @@ static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *m
/* We feed a byte array to the PRNG as input, consisting of: /* We feed a byte array to the PRNG as input, consisting of:
* - the private key (32 bytes) and message (32 bytes), see RFC 6979 3.2d. * - the private key (32 bytes) and message (32 bytes), see RFC 6979 3.2d.
* - optionally 32 extra bytes of data, see RFC 6979 3.6 Additional Data. * - optionally 32 extra bytes of data, see RFC 6979 3.6 Additional Data.
* - optionally 16 extra bytes with the algorithm name (the extra data bytes * - optionally 16 extra bytes with the algorithm name.
* are set to zeroes when not present, while the algorithm name is). * Because the arguments have distinct fixed lengths it is not possible for
* different argument mixtures to emulate each other and result in the same
* nonces.
*/ */
memcpy(keydata, key32, 32); memcpy(keydata, key32, 32);
memcpy(keydata + 32, msg32, 32); memcpy(keydata + 32, msg32, 32);
@ -310,9 +312,8 @@ static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *m
keylen = 96; keylen = 96;
} }
if (algo16 != NULL) { if (algo16 != NULL) {
memset(keydata + keylen, 0, 96 - keylen); memcpy(keydata + keylen, algo16, 16);
memcpy(keydata + 96, algo16, 16); keylen += 16;
keylen = 112;
} }
secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, keylen); secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, keylen);
memset(keydata, 0, sizeof(keydata)); memset(keydata, 0, sizeof(keydata));

28
src/tests.c
Unescape View File

@ -2960,6 +2960,34 @@ void test_ecdsa_edge_cases(void) {
key[0] = 0; key[0] = 0;
} }
{
/* Check that optional nonce arguments do not have equivilent effect. */
const unsigned char zeros[32] = {0};
unsigned char nonce[32];
unsigned char nonce2[32];
unsigned char nonce3[32];
unsigned char nonce4[32];
VG_UNDEF(nonce,32);
VG_UNDEF(nonce2,32);
VG_UNDEF(nonce3,32);
VG_UNDEF(nonce4,32);
CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
VG_CHECK(nonce,32);
CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
VG_CHECK(nonce2,32);
CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
VG_CHECK(nonce3,32);
CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
VG_CHECK(nonce4,32);
CHECK(memcmp(nonce, nonce2, 32) != 0);
CHECK(memcmp(nonce, nonce3, 32) != 0);
CHECK(memcmp(nonce, nonce4, 32) != 0);
CHECK(memcmp(nonce2, nonce3, 32) != 0);
CHECK(memcmp(nonce2, nonce4, 32) != 0);
CHECK(memcmp(nonce3, nonce4, 32) != 0);
}
/* Privkey export where pubkey is the point at infinity. */ /* Privkey export where pubkey is the point at infinity. */
{ {
unsigned char privkey[300]; unsigned char privkey[300];

Write Preview
Loading…
Cancel
Save