-
Notifications
You must be signed in to change notification settings - Fork 271
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement new global context #605
base: master
Are you sure you want to change the base?
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,16 +1,17 @@ | ||
#![cfg(feature = "std")] | ||
|
||
extern crate secp256k1; | ||
|
||
use secp256k1::{PublicKey, Secp256k1, SecretKey}; | ||
use secp256k1::{PublicKey, SecretKey}; | ||
|
||
fn main() { | ||
let secp = Secp256k1::new(); | ||
let mut rng = rand::thread_rng(); | ||
// First option: | ||
let (seckey, pubkey) = secp.generate_keypair(&mut rng); | ||
let (seckey, pubkey) = secp256k1::generate_keypair(&mut rng); | ||
|
||
assert_eq!(pubkey, PublicKey::from_secret_key(&secp, &seckey)); | ||
assert_eq!(pubkey, PublicKey::from_secret_key(&seckey)); | ||
|
||
// Second option: | ||
let seckey = SecretKey::new(&mut rng); | ||
let _pubkey = PublicKey::from_secret_key(&secp, &seckey); | ||
let _pubkey = PublicKey::from_secret_key(&seckey); | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -10,6 +10,258 @@ use crate::ffi::types::{c_uint, c_void, AlignedType}; | |
use crate::ffi::{self, CPtr}; | ||
use crate::{Error, Secp256k1}; | ||
|
||
/// TODO: Rename to global and remove the other one. | ||
#[cfg(feature = "std")] | ||
pub mod _global { | ||
use core::convert::TryFrom; | ||
use core::sync::atomic::{AtomicBool, AtomicU8, AtomicUsize, Ordering}; | ||
use std::ops::Deref; | ||
use std::sync::Once; | ||
|
||
use super::alloc_only::{SignOnly, VerifyOnly}; | ||
use crate::ffi::CPtr; | ||
use crate::{ffi, Secp256k1}; | ||
|
||
struct GlobalVerifyContext { | ||
__private: (), | ||
} | ||
|
||
impl Deref for GlobalVerifyContext { | ||
type Target = Secp256k1<VerifyOnly>; | ||
|
||
fn deref(&self) -> &Self::Target { | ||
static ONCE: Once = Once::new(); | ||
static mut CONTEXT: Option<Secp256k1<VerifyOnly>> = None; | ||
ONCE.call_once(|| unsafe { | ||
let ctx = Secp256k1::verification_only(); | ||
CONTEXT = Some(ctx); | ||
}); | ||
unsafe { CONTEXT.as_ref().unwrap() } | ||
} | ||
} | ||
|
||
struct GlobalSignContext { | ||
__private: (), | ||
} | ||
|
||
impl Deref for GlobalSignContext { | ||
type Target = Secp256k1<SignOnly>; | ||
|
||
fn deref(&self) -> &Self::Target { | ||
static ONCE: Once = Once::new(); | ||
static mut CONTEXT: Option<Secp256k1<SignOnly>> = None; | ||
ONCE.call_once(|| unsafe { | ||
let ctx = Secp256k1::signing_only(); | ||
CONTEXT = Some(ctx); | ||
}); | ||
unsafe { CONTEXT.as_ref().unwrap() } | ||
} | ||
} | ||
|
||
static GLOBAL_VERIFY_CONTEXT: &GlobalVerifyContext = &GlobalVerifyContext { __private: () }; | ||
|
||
static GLOBAL_SIGN_CONTEXTS: [&GlobalSignContext; 2] = | ||
[&GlobalSignContext { __private: () }, &GlobalSignContext { __private: () }]; | ||
|
||
static SIGN_CONTEXTS_DIRTY: [AtomicBool; 2] = [AtomicBool::new(false), AtomicBool::new(false)]; | ||
|
||
/// The sign contexts semaphore, stores two flags in the lowest bits and the reader count | ||
/// in the remaining bits. Thus adding or subtracting 4 increments/decrements the counter. | ||
/// | ||
/// The two flags are: | ||
/// * Active context bit - least significant (0b1) | ||
/// * Swap bit - second least significant (0b10) (see [`needs_swap`]). | ||
static SIGN_CONTEXTS_SEM: AtomicUsize = AtomicUsize::new(0); | ||
|
||
/// Re-randomization lock, true==locked, false==unlocked. | ||
static RERAND_LOCK: AtomicBool = AtomicBool::new(false); | ||
|
||
/// Stores the seed for RNG. Notably it doesn't matter that a thread may read "inconsistent" | ||
/// content because it's all random data. If the array is being overwritten while being read it | ||
/// cannot worsen entropy and the exact data doesn't matter. | ||
/// | ||
/// We still have to use atomics because multiple mutable accesses is undefined behavior in Rust. | ||
static GLOBAL_SEED: [AtomicU8; 32] = init_seed_buffer(); | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Why does this use atomics, if the seed is just randomness then we can read and write to it willy-nilly without a problem can't we? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Unfortunately, no. This is a common misconception, we're not programming a real hardware, we're programming a virtual machine that defines it as illegal and failing to do it correctly will result in arbitrary wrong stuff ("nasal daemons") because we would be lying about what the code is doing. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I don't understand, if you get time can you explain further or link me to something to read please? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This one is very good: https://predr.ag/blog/falsehoods-programmers-believe-about-undefined-behavior/ It had errors when I first saw it which, judging from a quick look at the end, the author fixed (the rest was fine from the beginning). In our case: Rust defines concurrently existing There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more.
Ah cool, this is the bit I was missing. Thanks for the link too, that was interesting. |
||
|
||
/// Rerandomizes inactive context using first half of `seed` and stores the second half in the | ||
/// global seed buffer used for later rerandomizations. | ||
pub fn reseed(seed: &[u8; 64]) { | ||
if rerand_lock() { | ||
let last = sign_contexts_inc(); | ||
let other = 1 - active_context(last); | ||
|
||
_rerandomize(other, <&[u8; 32]>::try_from(&seed[0..32]).expect("32 bytes")); | ||
clear_context_dirty(other); | ||
rerand_unlock(); | ||
|
||
sign_contexts_dec(); | ||
|
||
// We unlock before setting the swap bit so that soon as another | ||
// reader sees the swap bit set they can grab the rand lock. | ||
sign_contexts_set_swap_bit(); | ||
} | ||
write_global_seed(<&[u8; 32]>::try_from(&seed[32..64]).expect("32 bytes")); | ||
} | ||
|
||
/// Perform function using the current active global verification context. | ||
/// | ||
/// # Safety | ||
/// | ||
/// TODO: Write safety docs. | ||
pub unsafe fn with_global_verify_context<F: FnOnce(*const ffi::Context) -> R, R>(f: F) -> R { | ||
f(GLOBAL_VERIFY_CONTEXT.ctx.as_ptr()) | ||
} | ||
|
||
/// Perform function using the current active global signing context. | ||
/// | ||
/// # Safety | ||
/// | ||
/// TODO: Write safety docs. | ||
pub unsafe fn with_global_signing_context<F: FnOnce(*const ffi::Context) -> R, R>(f: F) -> R { | ||
let last = sign_contexts_inc(); | ||
|
||
// Shift 2 for the 2 flag bits. | ||
if last >= usize::MAX >> 2 { | ||
// Having this many threads should be impossible so if this happens it's because of a bug. | ||
panic!("too many readers"); | ||
} | ||
|
||
let active = active_context(last); | ||
|
||
let res = f(GLOBAL_SIGN_CONTEXTS[active].ctx.as_ptr()); | ||
set_context_dirty(active); | ||
|
||
let last = sign_contexts_dec(); | ||
|
||
// No readers and needs swap. | ||
if last & !1 == 0b10 { | ||
if let Some(ctx) = sign_contexts_swap(last) { | ||
rerandomize_with_global_seed(ctx); | ||
} | ||
} | ||
res | ||
} | ||
|
||
/// Returns the index (into GLOBAL_SIGN_CONTEXTS) of the active context. | ||
fn active_context(sem: usize) -> usize { sem & 1 } | ||
|
||
/// Attempts to lock the rerand lock. | ||
/// | ||
/// # Returns | ||
/// | ||
/// `true` if lock was acquired, false otherwise. | ||
fn rerand_lock() -> bool { | ||
RERAND_LOCK.compare_exchange(false, true, Ordering::Acquire, Ordering::Relaxed).is_ok() | ||
} | ||
|
||
/// Attempts to unlock the rerand lock. | ||
/// | ||
/// # Returns | ||
/// | ||
/// `true` if the lock was unlocked by this operation. | ||
fn rerand_unlock() -> bool { | ||
RERAND_LOCK.compare_exchange(true, false, Ordering::Acquire, Ordering::Relaxed).is_ok() | ||
} | ||
|
||
/// Increments the sign-contexts reader semaphore. | ||
// FIXME: What happens if we have more than usize::MAX >> 2 readers i.e., overflow? | ||
fn sign_contexts_inc() -> usize { SIGN_CONTEXTS_SEM.fetch_add(4, Ordering::Acquire) } | ||
|
||
/// Decrements the sign-contexts reader semaphore. | ||
fn sign_contexts_dec() -> usize { SIGN_CONTEXTS_SEM.fetch_sub(4, Ordering::Acquire) } | ||
|
||
/// Swap the active context and clear the swap bit. | ||
/// | ||
/// # Panics | ||
/// | ||
/// If `lock` has count > 0. | ||
/// | ||
/// # Returns | ||
/// | ||
/// The now-inactive context index (ie, the index of the context swapped out). | ||
fn sign_contexts_swap(sem: usize) -> Option<usize> { | ||
assert!(sem & !0b11 == 0); // reader count == 0 | ||
let new = (sem & !0b10) ^ 0b01; // turn off swap bit, toggle active bit. | ||
match SIGN_CONTEXTS_SEM.compare_exchange(sem, new, Ordering::Relaxed, Ordering::Relaxed) { | ||
Ok(last) => Some(active_context(last)), | ||
// Another reader signaled before we had a chance to swap. | ||
Err(_) => None, | ||
} | ||
} | ||
|
||
/// Unconditionally turns on the "needs swap" bit. | ||
fn sign_contexts_set_swap_bit() { SIGN_CONTEXTS_SEM.fetch_or(0b10, Ordering::Relaxed); } | ||
|
||
fn set_context_dirty(ctx: usize) { | ||
assert!(ctx < 2); | ||
SIGN_CONTEXTS_DIRTY[ctx].store(true, Ordering::Relaxed); | ||
} | ||
|
||
fn clear_context_dirty(ctx: usize) { | ||
assert!(ctx < 2); | ||
SIGN_CONTEXTS_DIRTY[ctx].store(true, Ordering::Relaxed); | ||
} | ||
|
||
fn write_global_seed(seed: &[u8; 32]) { | ||
for (i, b) in seed.iter().enumerate() { | ||
GLOBAL_SEED[i].store(*b, Ordering::Relaxed); | ||
} | ||
} | ||
|
||
/// Rerandomize the global signing context using randomness in the global seed. | ||
fn rerandomize_with_global_seed(ctx: usize) { | ||
let mut buf = [0_u8; 32]; | ||
for (i, b) in buf.iter_mut().enumerate() { | ||
let atomic = &GLOBAL_SEED[i]; | ||
*b = atomic.load(Ordering::Relaxed); | ||
} | ||
rerandomize(ctx, &buf) | ||
} | ||
|
||
/// Rerandomize global context index `ctx` using randomness in `seed`. | ||
fn rerandomize(ctx: usize, seed: &[u8; 32]) { | ||
assert!(ctx < 2); | ||
if rerand_lock() { | ||
_rerandomize(ctx, seed); | ||
clear_context_dirty(ctx); | ||
rerand_unlock(); | ||
|
||
// We unlock before setting the swap bit so that soon as another | ||
// reader sees the swap bit set they can grab the rand lock. | ||
sign_contexts_set_swap_bit(); | ||
} | ||
} | ||
|
||
/// Should be called with the RERAND_LOCK held. | ||
fn _rerandomize(ctx: usize, seed: &[u8; 32]) { | ||
let secp = GLOBAL_SIGN_CONTEXTS[ctx]; | ||
unsafe { | ||
let err = ffi::secp256k1_context_randomize(secp.ctx, seed.as_c_ptr()); | ||
// This function cannot fail; it has an error return for future-proofing. | ||
// We do not expose this error since it is impossible to hit, and we have | ||
// precedent for not exposing impossible errors (for example in | ||
// `PublicKey::from_secret_key` where it is impossible to create an invalid | ||
// secret key through the API.) | ||
// However, if this DOES fail, the result is potentially weaker side-channel | ||
// resistance, which is deadly and undetectable, so we take out the entire | ||
// thread to be on the safe side. | ||
assert_eq!(err, 1); | ||
} | ||
} | ||
|
||
// TODO: Find better way to do this. | ||
#[rustfmt::skip] | ||
const fn init_seed_buffer() -> [AtomicU8; 32] { | ||
let buf: [AtomicU8; 32] = [ | ||
AtomicU8::new(0), AtomicU8::new(0), AtomicU8::new(0), AtomicU8::new(0), AtomicU8::new(0), AtomicU8::new(0), AtomicU8::new(0), AtomicU8::new(0), | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. You can simplify this by first assigning to a const:
(in latest rust you can: |
||
AtomicU8::new(0), AtomicU8::new(0), AtomicU8::new(0), AtomicU8::new(0), AtomicU8::new(0), AtomicU8::new(0), AtomicU8::new(0), AtomicU8::new(0), | ||
AtomicU8::new(0), AtomicU8::new(0), AtomicU8::new(0), AtomicU8::new(0), AtomicU8::new(0), AtomicU8::new(0), AtomicU8::new(0), AtomicU8::new(0), | ||
AtomicU8::new(0), AtomicU8::new(0), AtomicU8::new(0), AtomicU8::new(0), AtomicU8::new(0), AtomicU8::new(0), AtomicU8::new(0), AtomicU8::new(0), | ||
]; | ||
buf | ||
} | ||
} | ||
|
||
#[cfg(all(feature = "global-context", feature = "std"))] | ||
/// Module implementing a singleton pattern for a global `Secp256k1` context. | ||
pub mod global { | ||
|
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,86 @@ | ||
//! Drop in replacement for all the methods currently implemented on the global context (SECP256K1). | ||
|
||
use core::ptr; | ||
|
||
use super::Signature; | ||
use crate::ffi::CPtr; | ||
use crate::{ffi, Error, Message, PublicKey, SecretKey}; | ||
|
||
/// Constructs a signature for `msg` using the secret key `sk` and RFC6979 nonce | ||
pub fn sign_ecdsa(msg: &Message, sk: &SecretKey) -> Signature { | ||
sign_ecdsa_with_noncedata_pointer(msg, sk, None) | ||
} | ||
|
||
/// Constructs a signature for `msg` using the secret key `sk` and RFC6979 nonce | ||
/// and includes 32 bytes of noncedata in the nonce generation via inclusion in | ||
/// one of the hash operations during nonce generation. This is useful when multiple | ||
/// signatures are needed for the same Message and SecretKey while still using RFC6979. | ||
/// Requires a signing-capable context. | ||
pub fn sign_ecdsa_with_noncedata(msg: &Message, sk: &SecretKey, noncedata: &[u8; 32]) -> Signature { | ||
sign_ecdsa_with_noncedata_pointer(msg, sk, Some(noncedata)) | ||
} | ||
|
||
/// Checks that `sig` is a valid ECDSA signature for `msg` using the public | ||
/// key `pubkey`. Returns `Ok(())` on success. Note that this function cannot | ||
/// be used for Bitcoin consensus checking since there may exist signatures | ||
/// which OpenSSL would verify but not libsecp256k1, or vice-versa. Requires a | ||
/// verify-capable context. | ||
/// | ||
/// ```rust | ||
/// # #[cfg(feature = "rand-std")] { | ||
/// # use secp256k1::{rand, Secp256k1, Message, Error}; | ||
/// # | ||
/// # let secp = Secp256k1::new(); | ||
/// # let (secret_key, public_key) = secp.generate_keypair(&mut rand::thread_rng()); | ||
/// # | ||
/// let message = Message::from_slice(&[0xab; 32]).expect("32 bytes"); | ||
/// let sig = secp.sign_ecdsa(&message, &secret_key); | ||
/// assert_eq!(secp.verify_ecdsa(&message, &sig, &public_key), Ok(())); | ||
/// | ||
/// let message = Message::from_slice(&[0xcd; 32]).expect("32 bytes"); | ||
/// assert_eq!(secp.verify_ecdsa(&message, &sig, &public_key), Err(Error::IncorrectSignature)); | ||
/// # } | ||
/// ``` | ||
#[inline] | ||
pub fn verify_ecdsa(msg: &Message, sig: &Signature, pk: &PublicKey) -> Result<(), Error> { | ||
unsafe { | ||
crate::context::_global::with_global_verify_context(|ctx| { | ||
if ffi::secp256k1_ecdsa_verify(ctx, sig.as_c_ptr(), msg.as_c_ptr(), pk.as_c_ptr()) == 0 | ||
{ | ||
Err(Error::IncorrectSignature) | ||
} else { | ||
Ok(()) | ||
} | ||
}) | ||
} | ||
} | ||
|
||
fn sign_ecdsa_with_noncedata_pointer( | ||
msg: &Message, | ||
sk: &SecretKey, | ||
noncedata: Option<&[u8; 32]>, | ||
) -> Signature { | ||
unsafe { | ||
let mut ret = ffi::Signature::new(); | ||
let noncedata_ptr = match noncedata { | ||
Some(arr) => arr.as_c_ptr() as *const _, | ||
None => ptr::null(), | ||
}; | ||
crate::context::_global::with_global_signing_context(|ctx| { | ||
// We can assume the return value because it's not possible to construct | ||
// an invalid signature from a valid `Message` and `SecretKey` | ||
assert_eq!( | ||
ffi::secp256k1_ecdsa_sign( | ||
ctx, | ||
&mut ret, | ||
msg.as_c_ptr(), | ||
sk.as_c_ptr(), | ||
ffi::secp256k1_nonce_function_rfc6979, | ||
noncedata_ptr | ||
), | ||
1 | ||
); | ||
}); | ||
Signature::from(ret) | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why does this have a field in it? What value does the __private provide?