Skip to content

Commit 1897b8e

Browse files
sipasipa
committed
Merge pull request #229
efc571c Add simple testcases for signing with rfc6979 extra entropy. (Gregory Maxwell) 1573a10 Add ability to pass extra entropy to rfc6979 (Pieter Wuille)
2 parents 3087bc4 + efc571c commit 1897b8e

File tree

7 files changed

+69
-24
lines changed

7 files changed

+69
-24
lines changed

include/secp256k1.h

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -97,7 +97,10 @@ typedef int (*secp256k1_nonce_function_t)(
9797
const void *data
9898
);
9999

100-
/** An implementation of RFC6979 (using HMAC-SHA256) as nonce generation function. */
100+
/** An implementation of RFC6979 (using HMAC-SHA256) as nonce generation function.
101+
* If a data pointer is passed, it is assumed to be a pointer to 32 bytes of
102+
* extra entropy.
103+
*/
101104
extern const secp256k1_nonce_function_t secp256k1_nonce_function_rfc6979;
102105

103106
/** A default safe nonce generation function (currently equal to secp256k1_nonce_function_rfc6979). */

src/bench_internal.c

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -265,7 +265,7 @@ void bench_rfc6979_hmac_sha256(void* arg) {
265265
secp256k1_rfc6979_hmac_sha256_t rng;
266266

267267
for (i = 0; i < 20000; i++) {
268-
secp256k1_rfc6979_hmac_sha256_initialize(&rng, data->data, 32, data->data, 32);
268+
secp256k1_rfc6979_hmac_sha256_initialize(&rng, data->data, 32, data->data, 32, NULL, 0);
269269
secp256k1_rfc6979_hmac_sha256_generate(&rng, data->data, 32);
270270
}
271271
}

src/hash.h

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -34,7 +34,7 @@ typedef struct {
3434
int retry;
3535
} secp256k1_rfc6979_hmac_sha256_t;
3636

37-
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256_t *rng, const unsigned char *key, size_t keylen, const unsigned char *msg, size_t msglen);
37+
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256_t *rng, const unsigned char *key, size_t keylen, const unsigned char *msg, size_t msglen, const unsigned char *rnd, size_t rndlen);
3838
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256_t *rng, unsigned char *out, size_t outlen);
3939
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256_t *rng);
4040

src/hash_impl.h

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -200,7 +200,7 @@ static void secp256k1_hmac_sha256_finalize(secp256k1_hmac_sha256_t *hash, unsign
200200
}
201201

202202

203-
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256_t *rng, const unsigned char *key, size_t keylen, const unsigned char *msg, size_t msglen) {
203+
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256_t *rng, const unsigned char *key, size_t keylen, const unsigned char *msg, size_t msglen, const unsigned char *rnd, size_t rndlen) {
204204
secp256k1_hmac_sha256_t hmac;
205205
static const unsigned char zero[1] = {0x00};
206206
static const unsigned char one[1] = {0x01};
@@ -213,6 +213,9 @@ static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha2
213213
secp256k1_hmac_sha256_write(&hmac, zero, 1);
214214
secp256k1_hmac_sha256_write(&hmac, key, keylen);
215215
secp256k1_hmac_sha256_write(&hmac, msg, msglen);
216+
if (rnd && rndlen) {
217+
secp256k1_hmac_sha256_write(&hmac, rnd, rndlen);
218+
}
216219
secp256k1_hmac_sha256_finalize(&hmac, rng->k);
217220
secp256k1_hmac_sha256_initialize(&hmac, rng->k, 32);
218221
secp256k1_hmac_sha256_write(&hmac, rng->v, 32);
@@ -223,6 +226,9 @@ static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha2
223226
secp256k1_hmac_sha256_write(&hmac, one, 1);
224227
secp256k1_hmac_sha256_write(&hmac, key, keylen);
225228
secp256k1_hmac_sha256_write(&hmac, msg, msglen);
229+
if (rnd && rndlen) {
230+
secp256k1_hmac_sha256_write(&hmac, rnd, rndlen);
231+
}
226232
secp256k1_hmac_sha256_finalize(&hmac, rng->k);
227233
secp256k1_hmac_sha256_initialize(&hmac, rng->k, 32);
228234
secp256k1_hmac_sha256_write(&hmac, rng->v, 32);

src/secp256k1.c

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -66,8 +66,7 @@ int secp256k1_ecdsa_verify(const unsigned char *msg32, const unsigned char *sig,
6666
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, unsigned int counter, const void *data) {
6767
secp256k1_rfc6979_hmac_sha256_t rng;
6868
unsigned int i;
69-
(void)data;
70-
secp256k1_rfc6979_hmac_sha256_initialize(&rng, key32, 32, msg32, 32);
69+
secp256k1_rfc6979_hmac_sha256_initialize(&rng, key32, 32, msg32, 32, data, data != NULL ? 32 : 0);
7170
for (i = 0; i <= counter; i++) {
7271
secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
7372
}

src/testrand_impl.h

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,7 @@ static uint32_t secp256k1_test_rng_precomputed[8];
1818
static int secp256k1_test_rng_precomputed_used = 8;
1919

2020
SECP256K1_INLINE static void secp256k1_rand_seed(const unsigned char *seed16) {
21-
secp256k1_rfc6979_hmac_sha256_initialize(&secp256k1_test_rng, (const unsigned char*)"TestRNG", 7, seed16, 16);
21+
secp256k1_rfc6979_hmac_sha256_initialize(&secp256k1_test_rng, (const unsigned char*)"TestRNG", 7, seed16, 16, NULL, 0);
2222
}
2323

2424
SECP256K1_INLINE static uint32_t secp256k1_rand32(void) {

src/tests.c

Lines changed: 54 additions & 17 deletions
Original file line numberDiff line numberDiff line change
@@ -200,16 +200,24 @@ void run_rfc6979_hmac_sha256_tests(void) {
200200

201201
secp256k1_rfc6979_hmac_sha256_t rng;
202202
unsigned char out[32];
203+
unsigned char zero[1] = {0};
203204
int i;
204205

205-
secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 32, msg1, 32);
206+
secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 32, msg1, 32, NULL, 1);
206207
for (i = 0; i < 3; i++) {
207208
secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
208209
CHECK(memcmp(out, out1[i], 32) == 0);
209210
}
210211
secp256k1_rfc6979_hmac_sha256_finalize(&rng);
211212

212-
secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 32, msg2, 32);
213+
secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 32, msg1, 32, zero, 1);
214+
for (i = 0; i < 3; i++) {
215+
secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
216+
CHECK(memcmp(out, out1[i], 32) != 0);
217+
}
218+
secp256k1_rfc6979_hmac_sha256_finalize(&rng);
219+
220+
secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 32, msg2, 32, zero, 0);
213221
for (i = 0; i < 3; i++) {
214222
secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
215223
CHECK(memcmp(out, out2[i], 32) == 0);
@@ -1218,15 +1226,22 @@ int is_empty_compact_signature(const unsigned char *sig64) {
12181226
}
12191227

12201228
void test_ecdsa_end_to_end(void) {
1229+
unsigned char extra[32] = {0x00};
12211230
unsigned char privkey[32];
12221231
unsigned char message[32];
12231232
unsigned char privkey2[32];
12241233
unsigned char csignature[64];
12251234
unsigned char signature[72];
1235+
unsigned char signature2[72];
1236+
unsigned char signature3[72];
1237+
unsigned char signature4[72];
12261238
unsigned char pubkey[65];
12271239
unsigned char recpubkey[65];
12281240
unsigned char seckey[300];
12291241
int signaturelen = 72;
1242+
int signaturelen2 = 72;
1243+
int signaturelen3 = 72;
1244+
int signaturelen4 = 72;
12301245
int recid = 0;
12311246
int recpubkeylen = 0;
12321247
int pubkeylen = 65;
@@ -1289,8 +1304,26 @@ void test_ecdsa_end_to_end(void) {
12891304
/* Sign. */
12901305
CHECK(secp256k1_ecdsa_sign(message, signature, &signaturelen, privkey, NULL, NULL) == 1);
12911306
CHECK(signaturelen > 0);
1307+
CHECK(secp256k1_ecdsa_sign(message, signature2, &signaturelen2, privkey, NULL, extra) == 1);
1308+
CHECK(signaturelen2 > 0);
1309+
extra[31] = 1;
1310+
CHECK(secp256k1_ecdsa_sign(message, signature3, &signaturelen3, privkey, NULL, extra) == 1);
1311+
CHECK(signaturelen3 > 0);
1312+
extra[31] = 0;
1313+
extra[0] = 1;
1314+
CHECK(secp256k1_ecdsa_sign(message, signature4, &signaturelen4, privkey, NULL, extra) == 1);
1315+
CHECK(signaturelen3 > 0);
1316+
CHECK((signaturelen != signaturelen2) || (memcmp(signature, signature2, signaturelen) != 0));
1317+
CHECK((signaturelen != signaturelen3) || (memcmp(signature, signature3, signaturelen) != 0));
1318+
CHECK((signaturelen3 != signaturelen2) || (memcmp(signature3, signature2, signaturelen3) != 0));
1319+
CHECK((signaturelen4 != signaturelen3) || (memcmp(signature4, signature3, signaturelen4) != 0));
1320+
CHECK((signaturelen4 != signaturelen2) || (memcmp(signature4, signature2, signaturelen4) != 0));
1321+
CHECK((signaturelen4 != signaturelen) || (memcmp(signature4, signature, signaturelen4) != 0));
12921322
/* Verify. */
12931323
CHECK(secp256k1_ecdsa_verify(message, signature, signaturelen, pubkey, pubkeylen) == 1);
1324+
CHECK(secp256k1_ecdsa_verify(message, signature2, signaturelen2, pubkey, pubkeylen) == 1);
1325+
CHECK(secp256k1_ecdsa_verify(message, signature3, signaturelen3, pubkey, pubkeylen) == 1);
1326+
CHECK(secp256k1_ecdsa_verify(message, signature4, signaturelen4, pubkey, pubkeylen) == 1);
12941327
/* Destroy signature and verify again. */
12951328
signature[signaturelen - 1 - secp256k1_rand32() % 20] += 1 + (secp256k1_rand32() % 255);
12961329
CHECK(secp256k1_ecdsa_verify(message, signature, signaturelen, pubkey, pubkeylen) != 1);
@@ -1397,6 +1430,7 @@ void test_ecdsa_edge_cases(void) {
13971430
0x6E, 0x1B, 0xE8, 0xEC, 0xC7, 0xDD, 0x95, 0x57
13981431
};
13991432
unsigned char pubkey[65];
1433+
int t;
14001434
int pubkeylen = 65;
14011435
/* signature (r,s) = (4,4), which can be recovered with all 4 recids. */
14021436
const unsigned char sigb64[64] = {
@@ -1593,7 +1627,8 @@ void test_ecdsa_edge_cases(void) {
15931627
}
15941628

15951629
/* Nonce function corner cases. */
1596-
{
1630+
for (t = 0; t < 2; t++) {
1631+
static const unsigned char zero[32] = {0x00};
15971632
int i;
15981633
unsigned char key[32];
15991634
unsigned char msg[32];
@@ -1603,53 +1638,55 @@ void test_ecdsa_edge_cases(void) {
16031638
int siglen = 72;
16041639
int siglen2 = 72;
16051640
int recid2;
1641+
const unsigned char *extra;
1642+
extra = t == 0 ? NULL : zero;
16061643
memset(msg, 0, 32);
16071644
msg[31] = 1;
16081645
/* High key results in signature failure. */
16091646
memset(key, 0xFF, 32);
1610-
CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, NULL, NULL) == 0);
1647+
CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, NULL, extra) == 0);
16111648
CHECK(siglen == 0);
16121649
/* Zero key results in signature failure. */
16131650
memset(key, 0, 32);
1614-
CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, NULL, NULL) == 0);
1651+
CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, NULL, extra) == 0);
16151652
CHECK(siglen == 0);
16161653
/* Nonce function failure results in signature failure. */
16171654
key[31] = 1;
1618-
CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, nonce_function_test_fail, NULL) == 0);
1655+
CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, nonce_function_test_fail, extra) == 0);
16191656
CHECK(siglen == 0);
1620-
CHECK(secp256k1_ecdsa_sign_compact(msg, sig, key, nonce_function_test_fail, NULL, &recid) == 0);
1657+
CHECK(secp256k1_ecdsa_sign_compact(msg, sig, key, nonce_function_test_fail, extra, &recid) == 0);
16211658
CHECK(is_empty_compact_signature(sig));
16221659
/* The retry loop successfully makes its way to the first good value. */
16231660
siglen = 72;
1624-
CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, nonce_function_test_retry, NULL) == 1);
1661+
CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, nonce_function_test_retry, extra) == 1);
16251662
CHECK(siglen > 0);
1626-
CHECK(secp256k1_ecdsa_sign(msg, sig2, &siglen2, key, nonce_function_rfc6979, NULL) == 1);
1663+
CHECK(secp256k1_ecdsa_sign(msg, sig2, &siglen2, key, nonce_function_rfc6979, extra) == 1);
16271664
CHECK(siglen > 0);
16281665
CHECK((siglen == siglen2) && (memcmp(sig, sig2, siglen) == 0));
1629-
CHECK(secp256k1_ecdsa_sign_compact(msg, sig, key, nonce_function_test_retry, NULL, &recid) == 1);
1666+
CHECK(secp256k1_ecdsa_sign_compact(msg, sig, key, nonce_function_test_retry, extra, &recid) == 1);
16301667
CHECK(!is_empty_compact_signature(sig));
1631-
CHECK(secp256k1_ecdsa_sign_compact(msg, sig2, key, nonce_function_rfc6979, NULL, &recid2) == 1);
1668+
CHECK(secp256k1_ecdsa_sign_compact(msg, sig2, key, nonce_function_rfc6979, extra, &recid2) == 1);
16321669
CHECK(!is_empty_compact_signature(sig2));
16331670
CHECK((recid == recid2) && (memcmp(sig, sig2, 64) == 0));
16341671
/* The default nonce function is determinstic. */
16351672
siglen = 72;
16361673
siglen2 = 72;
1637-
CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, NULL, NULL) == 1);
1674+
CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, NULL, extra) == 1);
16381675
CHECK(siglen > 0);
1639-
CHECK(secp256k1_ecdsa_sign(msg, sig2, &siglen2, key, NULL, NULL) == 1);
1676+
CHECK(secp256k1_ecdsa_sign(msg, sig2, &siglen2, key, NULL, extra) == 1);
16401677
CHECK(siglen2 > 0);
16411678
CHECK((siglen == siglen2) && (memcmp(sig, sig2, siglen) == 0));
1642-
CHECK(secp256k1_ecdsa_sign_compact(msg, sig, key, NULL, NULL, &recid) == 1);
1679+
CHECK(secp256k1_ecdsa_sign_compact(msg, sig, key, NULL, extra, &recid) == 1);
16431680
CHECK(!is_empty_compact_signature(sig));
1644-
CHECK(secp256k1_ecdsa_sign_compact(msg, sig2, key, NULL, NULL, &recid2) == 1);
1681+
CHECK(secp256k1_ecdsa_sign_compact(msg, sig2, key, NULL, extra, &recid2) == 1);
16451682
CHECK(!is_empty_compact_signature(sig));
16461683
CHECK((recid == recid2) && (memcmp(sig, sig2, 64) == 0));
16471684
/* The default nonce function changes output with different messages. */
16481685
for(i = 0; i < 256; i++) {
16491686
int j;
16501687
siglen2 = 72;
16511688
msg[0] = i;
1652-
CHECK(secp256k1_ecdsa_sign(msg, sig2, &siglen2, key, NULL, NULL) == 1);
1689+
CHECK(secp256k1_ecdsa_sign(msg, sig2, &siglen2, key, NULL, extra) == 1);
16531690
CHECK(!is_empty_compact_signature(sig));
16541691
CHECK(secp256k1_ecdsa_sig_parse(&s[i], sig2, siglen2));
16551692
for (j = 0; j < i; j++) {
@@ -1663,7 +1700,7 @@ void test_ecdsa_edge_cases(void) {
16631700
int j;
16641701
siglen2 = 72;
16651702
key[0] = i - 256;
1666-
CHECK(secp256k1_ecdsa_sign(msg, sig2, &siglen2, key, NULL, NULL) == 1);
1703+
CHECK(secp256k1_ecdsa_sign(msg, sig2, &siglen2, key, NULL, extra) == 1);
16671704
CHECK(secp256k1_ecdsa_sig_parse(&s[i], sig2, siglen2));
16681705
for (j = 0; j < i; j++) {
16691706
CHECK(!secp256k1_scalar_eq(&s[i].r, &s[j].r));

0 commit comments

Comments
 (0)