Commit graph

89 commits

Author SHA1 Message Date
Jonas Schnelli
463921bb64
CKey: add method to negate the key 2019-03-27 13:59:50 +01:00
Arvid Norberg
3ccfa34b32 convert C-style (void) parameter lists to C++ style () 2018-09-13 10:36:41 -07:00
Wladimir J. van der Laan
2115cba9c6
Merge #13666: Always create signatures with Low R values
e306be7429 Use 72 byte dummy signatures when watching only inputs may be used (Andrew Chow)
48b1473c89 Use 71 byte signature for DUMMY_SIGNATURE_CREATOR (Andrew Chow)
18dfea0dd0 Always create 70 byte signatures with low R values (Andrew Chow)

Pull request description:

  When creating signatures for transactions, always make one which has a 32 byte or smaller R and 32 byte or smaller S value. This results in signatures that are always less than 71 bytes (32 byte R + 32 byte S + 6 bytes DER + 1 byte sighash) with low R values. In most cases, the signature will be 71 bytes.

  Because R is not mutable in the same way that S is, a low R value can only be found by trying different nonces. RFC 6979 for deterministic nonce generation has the option to specify additional entropy, so we simply use that and add a uin32_t counter which we increment in order to try different nonces. Nonces are sill deterministically generated as the nonce used will the be the first one where the counter results in a nonce that results in a low R value. Because different nonces need to be tried, time to produce a signature does increase. On average, it takes twice as long to make a signature as two signatures need to be created, on average, to find one with a low R.

  Having a fixed size signature makes size calculations easier and also saves half a byte of transaction size, on average.

  DUMMY_SIGNATURE_CREATOR has been modified to produce 71 byte dummy signatures instead of 72 byte signatures.

Tree-SHA512: 3cd791505126ce92da7c631856a97ba0b59e87d9c132feff6e0eef1dc47768e81fbb38bfbe970371bedf9714b7f61a13a5fe9f30f962c81734092a4d19a4ef33
2018-08-13 12:07:20 +02:00
Andrew Chow
18dfea0dd0 Always create 70 byte signatures with low R values
When extra entropy is not specified by the caller, CKey::Sign will
now always create a signature that has a low R value and is at most
70 bytes. The resulting signature on the stack will be 71 bytes when
the sighash byte is included.

Using low R signatures means that the resulting DER encoded signature
will never need to have additional padding to account for high R
values.
2018-08-09 18:39:56 -07:00
DrahtBot
eb7daf4d60 Update copyright headers to 2018 2018-07-27 07:15:02 -04:00
John Newbery
131d4450b9 scripted-diff: Rename master key to seed
-BEGIN VERIFY SCRIPT-

ren() { git grep -l "\<$1\>" 'src/*.cpp' 'src/*.h' test | xargs sed -i "s:\<$1\>:$2:g"; }
ren GenerateNewHDMasterKey  GenerateNewSeed
ren DeriveNewMasterHDKey    DeriveNewSeed
ren SetHDMasterKey          SetHDSeed
ren hdMasterKeyID           hd_seed_id
ren masterKeyID             seed_id
ren SetMaster               SetSeed
ren hdmasterkeyid           hdseedid
ren hdmaster                hdseed

-END VERIFY SCRIPT-
2018-05-19 11:16:00 -04:00
Russell Yanofsky
04ededf001 Make CKey::Load references const
No change in behavior, this just prevents CKey::Load arguments from looking
like outputs.
2018-01-23 13:16:56 -05:00
Akira Takizawa
595a7bab23 Increment MIT Licence copyright header year on files modified in 2017 2018-01-03 02:26:56 +09:00
Wladimir J. van der Laan
79399c8cd0
Merge #10657: Utils: Improvements to ECDSA key-handling code
63179d0 Scope the ECDSA constant sizes to CPubKey / CKey classes (Jack Grigg)
1ce9f0a Ensure that ECDSA constant sizes are correctly-sized (Jack Grigg)
48abe78 Remove redundant `= 0` initialisations (Jack Grigg)
17fa391 Specify ECDSA constant sizes as constants (Jack Grigg)
e4a1086 Update Debian copyright list (Jack Grigg)
e181dbe Add comments (Jack Grigg)
a3603ac Fix potential overflows in ECDSA DER parsers (Jack Grigg)

Pull request description:

  Mostly trivial, but includes fixes to potential overflows in the ECDSA DER parsers.

  Cherry-picked from Zcash PR https://github.com/zcash/zcash/pull/2335

Tree-SHA512: 8fcbd51b0bd6723e5d33fa5d592f7cb68ed182796a9b837ecc8217991ad69d6c970258617dc00eb378c8caa4cec5d6b304d9d2c066acd40cda98e4da68e0caa4
2017-12-20 18:00:32 +01:00
MeshCollider
1a445343f6 scripted-diff: Replace #include "" with #include <> (ryanofsky)
-BEGIN VERIFY SCRIPT-
for f in \
  src/*.cpp \
  src/*.h \
  src/bench/*.cpp \
  src/bench/*.h \
  src/compat/*.cpp \
  src/compat/*.h \
  src/consensus/*.cpp \
  src/consensus/*.h \
  src/crypto/*.cpp \
  src/crypto/*.h \
  src/crypto/ctaes/*.h \
  src/policy/*.cpp \
  src/policy/*.h \
  src/primitives/*.cpp \
  src/primitives/*.h \
  src/qt/*.cpp \
  src/qt/*.h \
  src/qt/test/*.cpp \
  src/qt/test/*.h \
  src/rpc/*.cpp \
  src/rpc/*.h \
  src/script/*.cpp \
  src/script/*.h \
  src/support/*.cpp \
  src/support/*.h \
  src/support/allocators/*.h \
  src/test/*.cpp \
  src/test/*.h \
  src/wallet/*.cpp \
  src/wallet/*.h \
  src/wallet/test/*.cpp \
  src/wallet/test/*.h \
  src/zmq/*.cpp \
  src/zmq/*.h
do
  base=${f%/*}/ relbase=${base#src/} sed -i "s:#include \"\(.*\)\"\(.*\):if test -e \$base'\\1'; then echo \"#include <\"\$relbase\"\\1>\\2\"; else echo \"#include <\\1>\\2\"; fi:e" $f
done
-END VERIFY SCRIPT-
2017-11-16 08:23:01 +13:00
Jack Grigg
63179d0283
Scope the ECDSA constant sizes to CPubKey / CKey classes 2017-10-04 14:41:40 +01:00
Pieter Wuille
46c90437f9 Remove some unused functions and methods
In the case of CKey's destructor, it seems to have been an oversight in
f4d1fc259 not to delete it. At this point, it results in the move
constructors/assignment operators for CKey being deleted, which may have
a performance impact.
2017-09-21 23:40:33 -07:00
Jonas Schnelli
07685d1bc1
Add length check for CExtKey deserialization 2017-08-17 21:54:23 +02:00
Jack Grigg
17fa3913ef
Specify ECDSA constant sizes as constants 2017-07-17 11:57:23 -05:00
practicalswift
b51aaf1c42 Remove unused C++ code not covered by unit tests 2017-04-26 21:20:02 +02:00
Michael Goldstein
f490dae56b Trivial: Fix typo in key.h comment 2017-03-18 18:13:55 -07:00
isle2983
27765b6403 Increment MIT Licence copyright header year on files modified in 2016
Edited via:

$ contrib/devtools/copyright_header.py update .
2016-12-31 11:01:21 -07:00
Pieter Wuille
528472111b Get rid of nType and nVersion
Remove the nType and nVersion as parameters to all serialization methods
and functions. There is only one place where it's read and has an impact
(in CAddress), and even there it does not impact any of the recursively
invoked serializers.

Instead, the few places that need nType or nVersion are changed to read
it directly from the stream object, through GetType() and GetVersion()
methods which are added to all stream classes.
2016-11-07 13:56:27 -08:00
Wladimir J. van der Laan
f4d1fc259b wallet: Get rid of LockObject and UnlockObject calls in key.h
Replace these with vectors allocated from the secure allocator.

This avoids mlock syscall churn on stack pages, as well as makes
it possible to get rid of these functions.

Please review this commit and the previous one carefully that
no `sizeof(vectortype)` remains in the memcpys and memcmps usage
(ick!), and `.data()` or `&vec[x]` is used as appropriate instead of
&vec.
2016-10-19 16:17:33 +02:00
Wladimir J. van der Laan
133c727cc4
Merge #8321: [trivial] Switched constants to sizeof()
fbc6070 [trivial] Switched constants to sizeof() (Thomas Snider)
2016-07-28 13:54:08 +02:00
lizhi
cc021ef486 remove outdated legacy code
CheckSignatureElement is not used,it be replaced by eccrypto::CheckSignatureElement.
2016-07-24 10:49:07 +08:00
Thomas Snider
fbc60703a5 [trivial] Switched constants to sizeof() 2016-07-18 19:42:09 -07:00
Jonas Schnelli
90604f16af
add bip32 pubkey serialization
CExtPubKey should be serializable like CPubKey
2016-04-14 20:56:33 +02:00
MarcoFalke
fa24439ff3 Bump copyright headers to 2015 2015-12-13 18:08:39 +01:00
Wladimir J. van der Laan
6a877e870e
Merge pull request #6034
a574899 chaincodes: abstract away more chaincode behavior [squashme] replace struct CCainCode with a typedef uint256 ChainCode (Cory Fields)
8cf1485 Abstract chaincodes into CChainCode (Pieter Wuille)
2015-05-06 18:37:49 +02:00
Cory Fields
a574899671 chaincodes: abstract away more chaincode behavior
[squashme] replace struct CCainCode with a typedef uint256 ChainCode
2015-05-06 17:22:46 +02:00
Pieter Wuille
a56054be65 Update key.cpp to use new libsecp256k1
libsecp256k1's API changed, so update key.cpp to use it.

Libsecp256k1 now has explicit context objects, which makes it completely thread-safe.
In turn, keep an explicit context object in key.cpp, which is explicitly initialized
destroyed. This is not really pretty now, but it's more efficient than the static
initialized object in key.cpp (which made for example bitcoin-tx slow, as for most of
its calls, libsecp256k1 wasn't actually needed).

This also brings in the new blinding support in libsecp256k1. By passing in a random
seed, temporary variables during the elliptic curve computations are altered, in such
a way that if an attacker does not know the blind, observing the internal operations
leaks less information about the keys used. This was implemented by Greg Maxwell.
2015-05-04 14:45:34 +02:00
Pieter Wuille
8cf1485f3b Abstract chaincodes into CChainCode
# Conflicts:
#	src/key.cpp
#	src/key.h
2015-05-02 11:17:16 +02:00
Pieter Wuille
437ada3e55 Switch test case signing to RFC6979 extra entropy
Instead of manually tweaking the deterministic nonce post-generation,
pass the test case number in as extra entropy to RFC6979.
2015-03-27 15:31:47 -07:00
Cory Fields
d7d187e8a4 allocators: split allocators and pagelocker
Pagelocker is only needed for secure (usually wallet) operations, so don't make
the zero-after-free allocator depend on it.
2015-03-20 12:23:44 +01:00
sandakersmann
f914f1a746
Added "Core" to copyright headers
Github-Pull: #5494
Rebased-From: 15de949bb9277e442302bdd8dee299a8d6deee60
2014-12-19 19:55:32 +01:00
Wladimir J. van der Laan
f0877f8b62
Merge pull request #5227
4cdaa95 Resize after succesful result (Pieter Wuille)
9d8604f Header define style cleanups (Pieter Wuille)
a53fd41 Deterministic signing (Pieter Wuille)
3060e36 Add the RFC6979 PRNG (Pieter Wuille)
a8f5087 Add HMAC-SHA256 (Pieter Wuille)
36fa4a7 Split up crypto/sha2 (Pieter Wuille)
2014-12-01 14:57:58 +01:00
Wladimir J. van der Laan
6582f323f0
Merge pull request #5224
f321d6b Add key generation/verification to ECC sanity check (Pieter Wuille)
d0c41a7 Add sanity check after key generation (Pieter Wuille)
2014-11-24 14:39:25 +01:00
Pieter Wuille
d0c41a7350 Add sanity check after key generation
Add a sanity check to prevent cosmic rays from flipping a bit in the
generated public key, or bugs in the elliptic curve code. This is
simply done by signing a (randomized) message, and verifying the
result.
2014-11-23 10:47:39 +01:00
Pieter Wuille
a53fd41485 Deterministic signing 2014-11-20 17:22:06 +01:00
Philip Kaufmann
a01fa3035f minor style cleanup after HTTP rest interface merge
- no code changes
2014-11-20 12:29:19 +01:00
Pieter Wuille
f4e0aefadc Do signature-s negation inside the tests
To avoid the need for libsecp256k1 to expose such functionality.
2014-11-10 05:03:24 -08:00
ENikS
5985ba9e61 Fixing warning C4099: 'CExtPubKey' : type name first seen using 'class' now seen using 'struct' 2014-11-06 17:53:25 -05:00
Philip Kaufmann
b4347f6035 minor code style cleanup after recent merges
- add a missing license header
- correct some header orderings etc.
2014-11-04 14:36:46 +01:00
Cory Fields
d2e74c55bd boost: moveonly: split CPubKey and friends to new files 2014-10-31 01:19:37 -04:00
Michael Ford
ffd8eddab5 Update comments in key to be doxygen compatible 2014-10-28 12:02:25 +08:00
Cory Fields
066e2a1403 script: move CScriptID to standard.h and add a ctor for creating them from CScripts
This allows for a reversal of the current behavior.

This:
CScript foo;
CScriptID bar(foo.GetID());

Becomes:
CScript foo;
CScriptID bar(foo);

This way, CScript is no longer dependent on CScriptID or Hash();
2014-10-17 13:44:14 -04:00
Pieter Wuille
8138cbea3c Add automatic script test generation, and actual checksig tests 2014-09-26 21:58:48 +02:00
Pieter Wuille
20e01b1a03 Apply clang-format on some infrequently-updated files 2014-09-19 19:21:46 +02:00
Wladimir J. van der Laan
f6a8105037
Merge pull request #4779
093303a add missing header end comments (Philip Kaufmann)
2014-09-01 15:35:09 +02:00
Philip Kaufmann
093303a887 add missing header end comments
- ensures a consistent usage in header files
- also add a blank line after the copyright header where missing
- also remove orphan new-lines at the end of some files
2014-08-28 22:25:21 +02:00
Wladimir J. van der Laan
8bdd2877c4
Fix a few "Uninitialized scalar field" warnings
Fix a few warnings reported by Coverity.
None of these is critical, but making sure that class fields are
initialized can avoid heisenbugs.
2014-08-28 15:30:50 +02:00
Andrew Poelstra
4a09e1df51
key.cpp: fail with a friendlier message on missing ssl EC support
Previously if bitcoind is linked with an OpenSSL which is compiled
without EC support, this is seen as an assertion failure "pKey !=
NULL" at key.cpp:134, which occurs after several seconds. It is an
esoteric piece of knowledge to interpret this as "oops, I linked
with the wrong OpenSSL", and because of the delay it may not even
be noticed.

The new output is

: OpenSSL appears to lack support for elliptic curve cryptography. For
more information, visit
https://en.bitcoin.it/wiki/OpenSSL_and_EC_Libraries
: Initialization sanity check failed. Bitcoin Core is shutting down.

which occurs immediately after attempted startup.

This also blocks in an InitSanityCheck() function which currently only
checks for EC support but should eventually do more. See #4081.
2014-06-03 12:09:51 -07:00
Kamil Domanski
f40dbeedde remove CPubKey::VerifyCompact( ) which is never used 2014-05-20 14:58:21 +02:00
Pieter Wuille
6fd7ef2bbf Also switch the (unused) verification code to low-s instead of even-s.
a81cd968 introduced a malleability breaker for signatures
(using an even value for S). In e0e14e43 this was changed to
the lower of two potential values, rather than the even one.
Only the signing code was changed though, the (for now unused)
verification code wasn't adapted.
2014-03-10 20:38:32 +01:00