go-ethereum/crypto/secp256k1/secp256.go

// Copyright 2015 The go-ethereum Authors
// This file is part of the go-ethereum library.
//
// The go-ethereum library is free software: you can redistribute it and/or modify
// it under the terms of the GNU Lesser General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// The go-ethereum library is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
// GNU Lesser General Public License for more details.
//
// You should have received a copy of the GNU Lesser General Public License
// along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.

// Package secp256k1 wraps the bitcoin secp256k1 C library.
package secp256k1

/*
#cgo CFLAGS: -I./libsecp256k1
#cgo CFLAGS: -I./libsecp256k1/src/
#define USE_NUM_NONE
#define USE_FIELD_10X26
#define USE_FIELD_INV_BUILTIN
#define USE_SCALAR_8X32
#define USE_SCALAR_INV_BUILTIN
#define NDEBUG
#include "./libsecp256k1/src/secp256k1.c"
#include "./libsecp256k1/src/modules/recovery/main_impl.h"
#include "ext.h"

typedef void (*callbackFunc) (const char* msg, void* data);
extern void secp256k1GoPanicIllegal(const char* msg, void* data);
extern void secp256k1GoPanicError(const char* msg, void* data);
*/
import "C"

import (
	"errors"
	"unsafe"
)

var context *C.secp256k1_context

func init() {
	// around 20 ms on a modern CPU.
	context = C.secp256k1_context_create_sign_verify()
	C.secp256k1_context_set_illegal_callback(context, C.callbackFunc(C.secp256k1GoPanicIllegal), nil)
	C.secp256k1_context_set_error_callback(context, C.callbackFunc(C.secp256k1GoPanicError), nil)
}

var (
	ErrInvalidMsgLen       = errors.New("invalid message length, need 32 bytes")
	ErrInvalidSignatureLen = errors.New("invalid signature length")
	ErrInvalidRecoveryID   = errors.New("invalid signature recovery id")
	ErrInvalidKey          = errors.New("invalid private key")
	ErrSignFailed          = errors.New("signing failed")
	ErrRecoverFailed       = errors.New("recovery failed")
)

// Sign creates a recoverable ECDSA signature.
// The produced signature is in the 65-byte [R || S || V] format where V is 0 or 1.
//
// The caller is responsible for ensuring that msg cannot be chosen
// directly by an attacker. It is usually preferable to use a cryptographic
// hash function on any input before handing it to this function.
func Sign(msg []byte, seckey []byte) ([]byte, error) {
	if len(msg) != 32 {
		return nil, ErrInvalidMsgLen
	}
	if len(seckey) != 32 {
		return nil, ErrInvalidKey
	}
	seckeydata := (*C.uchar)(unsafe.Pointer(&seckey[0]))
	if C.secp256k1_ec_seckey_verify(context, seckeydata) != 1 {
		return nil, ErrInvalidKey
	}

	var (
		msgdata   = (*C.uchar)(unsafe.Pointer(&msg[0]))
		noncefunc = C.secp256k1_nonce_function_rfc6979
		sigstruct C.secp256k1_ecdsa_recoverable_signature
	)
	if C.secp256k1_ecdsa_sign_recoverable(context, &sigstruct, msgdata, seckeydata, noncefunc, nil) == 0 {
		return nil, ErrSignFailed
	}

	var (
		sig     = make([]byte, 65)
		sigdata = (*C.uchar)(unsafe.Pointer(&sig[0]))
		recid   C.int
	)
	C.secp256k1_ecdsa_recoverable_signature_serialize_compact(context, sigdata, &recid, &sigstruct)
	sig[64] = byte(recid) // add back recid to get 65 bytes sig
	return sig, nil
}

// RecoverPubkey returns the the public key of the signer.
// msg must be the 32-byte hash of the message to be signed.
// sig must be a 65-byte compact ECDSA signature containing the
// recovery id as the last element.
func RecoverPubkey(msg []byte, sig []byte) ([]byte, error) {
	if len(msg) != 32 {
		return nil, ErrInvalidMsgLen
	}
	if err := checkSignature(sig); err != nil {
		return nil, err
	}

	var (
		pubkey  = make([]byte, 65)
		sigdata = (*C.uchar)(unsafe.Pointer(&sig[0]))
		msgdata = (*C.uchar)(unsafe.Pointer(&msg[0]))
	)
	if C.secp256k1_ecdsa_recover_pubkey(context, (*C.uchar)(unsafe.Pointer(&pubkey[0])), sigdata, msgdata) == 0 {
		return nil, ErrRecoverFailed
	}
	return pubkey, nil
}

func checkSignature(sig []byte) error {
	if len(sig) != 65 {
		return ErrInvalidSignatureLen
	}
	if sig[64] >= 4 {
		return ErrInvalidRecoveryID
	}
	return nil
}
all: update license information 2015-07-07 02:54:22 +02:00			`// Copyright 2015 The go-ethereum Authors`
all: update license headers to distiguish GPL/LGPL All code outside of cmd/ is licensed as LGPL. The headers now reflect this by calling the whole work "the go-ethereum library". 2015-07-22 18:48:40 +02:00			`// This file is part of the go-ethereum library.`
all: update license information 2015-07-07 02:54:22 +02:00			`//`
all: fix license headers one more time I forgot to update one instance of "go-ethereum" in commit 3f047be5a. 2015-07-23 18:35:11 +02:00			`// The go-ethereum library is free software: you can redistribute it and/or modify`
all: update license information 2015-07-07 02:54:22 +02:00			`// it under the terms of the GNU Lesser General Public License as published by`
			`// the Free Software Foundation, either version 3 of the License, or`
			`// (at your option) any later version.`
			`//`
all: update license headers to distiguish GPL/LGPL All code outside of cmd/ is licensed as LGPL. The headers now reflect this by calling the whole work "the go-ethereum library". 2015-07-22 18:48:40 +02:00			`// The go-ethereum library is distributed in the hope that it will be useful,`
all: update license information 2015-07-07 02:54:22 +02:00			`// but WITHOUT ANY WARRANTY; without even the implied warranty of`
all: update license headers to distiguish GPL/LGPL All code outside of cmd/ is licensed as LGPL. The headers now reflect this by calling the whole work "the go-ethereum library". 2015-07-22 18:48:40 +02:00			`// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the`
all: update license information 2015-07-07 02:54:22 +02:00			`// GNU Lesser General Public License for more details.`
			`//`
			`// You should have received a copy of the GNU Lesser General Public License`
all: update license headers to distiguish GPL/LGPL All code outside of cmd/ is licensed as LGPL. The headers now reflect this by calling the whole work "the go-ethereum library". 2015-07-22 18:48:40 +02:00			`// along with the go-ethereum library. If not, see <http://www.gnu.org/licenses/>.`
all: update license information 2015-07-07 02:54:22 +02:00
crypto/secp256k1: update to github.com/bitcoin-core/secp256k1 @ 9d560f9 (#3544) - Use defined constants instead of hard-coding their integer value. - Allocate secp256k1 structs on the C stack instead of converting []byte - Remove dead code 2017-01-12 21:29:11 +01:00			`// Package secp256k1 wraps the bitcoin secp256k1 C library.`
Moved `obscuren` secp256k1-go 2015-01-22 00:35:00 +01:00			`package secp256k1`

			`/*`
core/secp256k1: update libsecp256k1 Go wrapper and tests 2015-09-28 11:19:23 +02:00			`#cgo CFLAGS: -I./libsecp256k1`
crypto, crypto/ecies, crypto/secp256k1: libsecp256k1 scalar mult thanks to Felix Lange (fjl) for help with design & impl 2015-09-29 19:37:44 +02:00			`#cgo CFLAGS: -I./libsecp256k1/src/`
crypto/secp256k1: remove dependency on libgmp Turns out we actually don't need it, USE_NUM_NONE works because we also set USE_FIELD_INV_BUILTIN. 2015-12-03 20:04:39 +01:00			`#define USE_NUM_NONE`
Update Go wrapper around libbsecp256k1 2015-04-07 12:40:31 +02:00			`#define USE_FIELD_10X26`
Moved `obscuren` secp256k1-go 2015-01-22 00:35:00 +01:00			`#define USE_FIELD_INV_BUILTIN`
Update Go wrapper around libbsecp256k1 2015-04-07 12:40:31 +02:00			`#define USE_SCALAR_8X32`
			`#define USE_SCALAR_INV_BUILTIN`
libsecp256k1 #define NDEBUG 2015-04-07 18:09:58 +02:00			`#define NDEBUG`
core/secp256k1: update libsecp256k1 Go wrapper and tests 2015-09-28 11:19:23 +02:00			`#include "./libsecp256k1/src/secp256k1.c"`
			`#include "./libsecp256k1/src/modules/recovery/main_impl.h"`
crypto/secp256k1: update to github.com/bitcoin-core/secp256k1 @ 9d560f9 (#3544) - Use defined constants instead of hard-coding their integer value. - Allocate secp256k1 structs on the C stack instead of converting []byte - Remove dead code 2017-01-12 21:29:11 +01:00			`#include "ext.h"`
crypto/secp256k1: raise internal errors as recoverable Go panic 2015-11-16 18:04:56 +01:00
			`typedef void (callbackFunc) (const char msg, void* data);`
			`extern void secp256k1GoPanicIllegal(const char* msg, void* data);`
			`extern void secp256k1GoPanicError(const char* msg, void* data);`
Moved `obscuren` secp256k1-go 2015-01-22 00:35:00 +01:00			`*/`
			`import "C"`

			`import (`
			`"errors"`
			`"unsafe"`
			`)`

crypto: add btcec fallback for sign/recover without cgo (#3680) * vendor: add github.com/btcsuite/btcd/btcec * crypto: add btcec fallback for sign/recover without cgo This commit adds a non-cgo fallback implementation of secp256k1 operations. * crypto, core/vm: remove wrappers for sha256, ripemd160 2017-02-18 09:24:12 +01:00			`var context *C.secp256k1_context`
Moved `obscuren` secp256k1-go 2015-01-22 00:35:00 +01:00
core/secp256k1: update libsecp256k1 Go wrapper and tests 2015-09-28 11:19:23 +02:00			`func init() {`
			`// around 20 ms on a modern CPU.`
crypto/secp256k1: update to github.com/bitcoin-core/secp256k1 @ 9d560f9 (#3544) - Use defined constants instead of hard-coding their integer value. - Allocate secp256k1 structs on the C stack instead of converting []byte - Remove dead code 2017-01-12 21:29:11 +01:00			`context = C.secp256k1_context_create_sign_verify()`
crypto/secp256k1: raise internal errors as recoverable Go panic 2015-11-16 18:04:56 +01:00			`C.secp256k1_context_set_illegal_callback(context, C.callbackFunc(C.secp256k1GoPanicIllegal), nil)`
			`C.secp256k1_context_set_error_callback(context, C.callbackFunc(C.secp256k1GoPanicError), nil)`
Moved `obscuren` secp256k1-go 2015-01-22 00:35:00 +01:00			`}`

crypto/secp256k1: verify recovery ID before calling libsecp256k1 The C library treats the recovery ID as trusted input and crashes the process for invalid values, so it needs to be verified before calling into C. This will inhibit the crash in #1983. Also remove VerifySignature because we don't use it. 2015-11-16 17:11:26 +01:00			`var (`
crypto/secp256k1: update to github.com/bitcoin-core/secp256k1 @ 9d560f9 (#3544) - Use defined constants instead of hard-coding their integer value. - Allocate secp256k1 structs on the C stack instead of converting []byte - Remove dead code 2017-01-12 21:29:11 +01:00			`ErrInvalidMsgLen = errors.New("invalid message length, need 32 bytes")`
crypto/secp256k1: verify recovery ID before calling libsecp256k1 The C library treats the recovery ID as trusted input and crashes the process for invalid values, so it needs to be verified before calling into C. This will inhibit the crash in #1983. Also remove VerifySignature because we don't use it. 2015-11-16 17:11:26 +01:00			`ErrInvalidSignatureLen = errors.New("invalid signature length")`
			`ErrInvalidRecoveryID = errors.New("invalid signature recovery id")`
crypto/secp256k1: update to github.com/bitcoin-core/secp256k1 @ 9d560f9 (#3544) - Use defined constants instead of hard-coding their integer value. - Allocate secp256k1 structs on the C stack instead of converting []byte - Remove dead code 2017-01-12 21:29:11 +01:00			`ErrInvalidKey = errors.New("invalid private key")`
			`ErrSignFailed = errors.New("signing failed")`
			`ErrRecoverFailed = errors.New("recovery failed")`
crypto/secp256k1: verify recovery ID before calling libsecp256k1 The C library treats the recovery ID as trusted input and crashes the process for invalid values, so it needs to be verified before calling into C. This will inhibit the crash in #1983. Also remove VerifySignature because we don't use it. 2015-11-16 17:11:26 +01:00			`)`

crypto/secp256k1: update to github.com/bitcoin-core/secp256k1 @ 9d560f9 (#3544) - Use defined constants instead of hard-coding their integer value. - Allocate secp256k1 structs on the C stack instead of converting []byte - Remove dead code 2017-01-12 21:29:11 +01:00			`// Sign creates a recoverable ECDSA signature.`
			`// The produced signature is in the 65-byte [R \|\| S \|\| V] format where V is 0 or 1.`
			`//`
			`// The caller is responsible for ensuring that msg cannot be chosen`
			`// directly by an attacker. It is usually preferable to use a cryptographic`
			`// hash function on any input before handing it to this function.`
			`func Sign(msg []byte, seckey []byte) ([]byte, error) {`
			`if len(msg) != 32 {`
			`return nil, ErrInvalidMsgLen`
Validate seckey when generating pub key 2015-02-15 02:20:31 +01:00			`}`
crypto/secp256k1: update to github.com/bitcoin-core/secp256k1 @ 9d560f9 (#3544) - Use defined constants instead of hard-coding their integer value. - Allocate secp256k1 structs on the C stack instead of converting []byte - Remove dead code 2017-01-12 21:29:11 +01:00			`if len(seckey) != 32 {`
			`return nil, ErrInvalidKey`
Moved `obscuren` secp256k1-go 2015-01-22 00:35:00 +01:00			`}`
crypto/secp256k1: update to github.com/bitcoin-core/secp256k1 @ 9d560f9 (#3544) - Use defined constants instead of hard-coding their integer value. - Allocate secp256k1 structs on the C stack instead of converting []byte - Remove dead code 2017-01-12 21:29:11 +01:00			`seckeydata := (*C.uchar)(unsafe.Pointer(&seckey[0]))`
			`if C.secp256k1_ec_seckey_verify(context, seckeydata) != 1 {`
			`return nil, ErrInvalidKey`
Moved `obscuren` secp256k1-go 2015-01-22 00:35:00 +01:00			`}`

crypto/secp256k1: update to github.com/bitcoin-core/secp256k1 @ 9d560f9 (#3544) - Use defined constants instead of hard-coding their integer value. - Allocate secp256k1 structs on the C stack instead of converting []byte - Remove dead code 2017-01-12 21:29:11 +01:00			`var (`
crypto/secp256k1: sign with deterministic K (rfc6979) (#3561) 2017-01-22 23:28:47 +01:00			`msgdata = (*C.uchar)(unsafe.Pointer(&msg[0]))`
			`noncefunc = C.secp256k1_nonce_function_rfc6979`
			`sigstruct C.secp256k1_ecdsa_recoverable_signature`
core/secp256k1: update libsecp256k1 Go wrapper and tests 2015-09-28 11:19:23 +02:00			`)`
crypto/secp256k1: sign with deterministic K (rfc6979) (#3561) 2017-01-22 23:28:47 +01:00			`if C.secp256k1_ecdsa_sign_recoverable(context, &sigstruct, msgdata, seckeydata, noncefunc, nil) == 0 {`
crypto/secp256k1: update to github.com/bitcoin-core/secp256k1 @ 9d560f9 (#3544) - Use defined constants instead of hard-coding their integer value. - Allocate secp256k1 structs on the C stack instead of converting []byte - Remove dead code 2017-01-12 21:29:11 +01:00			`return nil, ErrSignFailed`
Moved `obscuren` secp256k1-go 2015-01-22 00:35:00 +01:00			`}`

crypto/secp256k1: update to github.com/bitcoin-core/secp256k1 @ 9d560f9 (#3544) - Use defined constants instead of hard-coding their integer value. - Allocate secp256k1 structs on the C stack instead of converting []byte - Remove dead code 2017-01-12 21:29:11 +01:00			`var (`
			`sig = make([]byte, 65)`
			`sigdata = (*C.uchar)(unsafe.Pointer(&sig[0]))`
			`recid C.int`
core/secp256k1: update libsecp256k1 Go wrapper and tests 2015-09-28 11:19:23 +02:00			`)`
crypto/secp256k1: update to github.com/bitcoin-core/secp256k1 @ 9d560f9 (#3544) - Use defined constants instead of hard-coding their integer value. - Allocate secp256k1 structs on the C stack instead of converting []byte - Remove dead code 2017-01-12 21:29:11 +01:00			`C.secp256k1_ecdsa_recoverable_signature_serialize_compact(context, sigdata, &recid, &sigstruct)`
			`sig[64] = byte(recid) // add back recid to get 65 bytes sig`
			`return sig, nil`
Moved `obscuren` secp256k1-go 2015-01-22 00:35:00 +01:00			`}`

crypto/secp256k1: verify recovery ID before calling libsecp256k1 The C library treats the recovery ID as trusted input and crashes the process for invalid values, so it needs to be verified before calling into C. This will inhibit the crash in #1983. Also remove VerifySignature because we don't use it. 2015-11-16 17:11:26 +01:00			`// RecoverPubkey returns the the public key of the signer.`
			`// msg must be the 32-byte hash of the message to be signed.`
			`// sig must be a 65-byte compact ECDSA signature containing the`
			`// recovery id as the last element.`
Moved `obscuren` secp256k1-go 2015-01-22 00:35:00 +01:00			`func RecoverPubkey(msg []byte, sig []byte) ([]byte, error) {`
crypto/secp256k1: verify recovery ID before calling libsecp256k1 The C library treats the recovery ID as trusted input and crashes the process for invalid values, so it needs to be verified before calling into C. This will inhibit the crash in #1983. Also remove VerifySignature because we don't use it. 2015-11-16 17:11:26 +01:00			`if len(msg) != 32 {`
			`return nil, ErrInvalidMsgLen`
			`}`
			`if err := checkSignature(sig); err != nil {`
			`return nil, err`
Moved `obscuren` secp256k1-go 2015-01-22 00:35:00 +01:00			`}`

crypto/secp256k1: update to github.com/bitcoin-core/secp256k1 @ 9d560f9 (#3544) - Use defined constants instead of hard-coding their integer value. - Allocate secp256k1 structs on the C stack instead of converting []byte - Remove dead code 2017-01-12 21:29:11 +01:00			`var (`
			`pubkey = make([]byte, 65)`
			`sigdata = (*C.uchar)(unsafe.Pointer(&sig[0]))`
			`msgdata = (*C.uchar)(unsafe.Pointer(&msg[0]))`
Moved `obscuren` secp256k1-go 2015-01-22 00:35:00 +01:00			`)`
crypto/secp256k1: update to github.com/bitcoin-core/secp256k1 @ 9d560f9 (#3544) - Use defined constants instead of hard-coding their integer value. - Allocate secp256k1 structs on the C stack instead of converting []byte - Remove dead code 2017-01-12 21:29:11 +01:00			`if C.secp256k1_ecdsa_recover_pubkey(context, (*C.uchar)(unsafe.Pointer(&pubkey[0])), sigdata, msgdata) == 0 {`
			`return nil, ErrRecoverFailed`
Moved `obscuren` secp256k1-go 2015-01-22 00:35:00 +01:00			`}`
crypto/secp256k1: update to github.com/bitcoin-core/secp256k1 @ 9d560f9 (#3544) - Use defined constants instead of hard-coding their integer value. - Allocate secp256k1 structs on the C stack instead of converting []byte - Remove dead code 2017-01-12 21:29:11 +01:00			`return pubkey, nil`
crypto/secp256k1: verify recovery ID before calling libsecp256k1 The C library treats the recovery ID as trusted input and crashes the process for invalid values, so it needs to be verified before calling into C. This will inhibit the crash in #1983. Also remove VerifySignature because we don't use it. 2015-11-16 17:11:26 +01:00			`}`

			`func checkSignature(sig []byte) error {`
			`if len(sig) != 65 {`
			`return ErrInvalidSignatureLen`
			`}`
			`if sig[64] >= 4 {`
			`return ErrInvalidRecoveryID`
			`}`
			`return nil`
Moved `obscuren` secp256k1-go 2015-01-22 00:35:00 +01:00			`}`