Calling `Secp256k1::randomize` on a verification-only context will abort the process #82

apoelstra · 2018-11-12T20:59:14Z

TIL that secp256k1_context_randomize actually requires a signing context, despite the docs not mentioning this. See bitcoin-core/secp256k1#573

The following code can trigger a process abort in a unit test (run with cargo test --features "rand")

diff --git a/src/lib.rs b/src/lib.rs
index 81cbc57..2b0a4a7 100644
--- a/src/lib.rs
+++ b/src/lib.rs
@@ -1179,6 +1179,13 @@ mod tests {
 
         assert_tokens(&sig, &[Token::BorrowedBytes(&SIG_BYTES[..])]);
     }
+
+    #[cfg(feature="rand")]
+    #[test]
+    fn test_randomize() {
+        let mut s = Secp256k1::verification_only();
+        s.randomize(&mut ::rand::thread_rng());
+    }
 }

 #[cfg(all(test, feature = "unstable"))]

The text was updated successfully, but these errors were encountered:

apoelstra · 2018-11-12T21:01:05Z

As a secondary bug, there are no unit tests for the context randomization function.

Edit: Ah, there sorta are, but they're spread throughout the rest of the tests and I evidently only thought to add it to signing tests.

6198375 Make randomization of a non-signing context a noop (Tim Ruffing) Pull request description: Before this commit secp256k1_context_randomize called illegal_callback when called on a context not initialized for signing. This is not documented. Moreover, it is not desirable because non-signing contexts may use randomization in the future. This commit makes secp256k1_context_randomize a noop in this case. This is safe because the context cannot be used for signing anyway. This fixes #573 and it fixes rust-bitcoin/rust-secp256k1#82. Tree-SHA512: 34ddfeb004d9da8f4a77c739fa2110544c28939378e779226da52f410a0e36b3aacb3ebd2e3f3918832a9027684c161789cfdc27a133f2f0e0f1c47e8363029c

real-or-random · 2019-02-27T00:00:56Z

This has been fixed upstream.

As a secondary bug, there are no unit tests for the context randomization function.

Edit: Ah, there sorta are, but they're spread throughout the rest of the tests and I evidently only thought to add it to signing tests.

Closing here for now but just reply if you think that we should improve that.

apoelstra · 2019-02-27T02:31:24Z

I guess we ought to reopen until we update our C code to use the new upstream.

Before this commit secp256k1_context_randomize called illegal_callback when called on a context not initialized for signing. This is not documented. Moreover, it is not desirable because non-signing contexts may use randomization in the future. This commit makes secp256k1_context_randomize a noop in this case. This is safe because the context cannot be used for signing anyway. This fixes #573 and it fixes rust-bitcoin/rust-secp256k1#82.

Summary: Before this commit secp256k1_context_randomize called illegal_callback when called on a context not initialized for signing. This is not documented. Moreover, it is not desirable because non-signing contexts may use randomization in the future. This commit makes secp256k1_context_randomize a noop in this case. This is safe because the context cannot be used for signing anyway. This fixes #573 and it fixes rust-bitcoin/rust-secp256k1#82. This is a backport of secp256k1's PR587 Depends on D4971 Test Plan: ninja check-secp256k1 Reviewers: #bitcoin_abc, Fabien Reviewed By: #bitcoin_abc, Fabien Differential Revision: https://reviews.bitcoinabc.org/D4980

Summary: Before this commit secp256k1_context_randomize called illegal_callback when called on a context not initialized for signing. This is not documented. Moreover, it is not desirable because non-signing contexts may use randomization in the future. This commit makes secp256k1_context_randomize a noop in this case. This is safe because the context cannot be used for signing anyway. This fixes BitcoinUnlimited#573 and it fixes rust-bitcoin/rust-secp256k1#82. This is a backport of secp256k1's PR587 Depends on D4971 Test Plan: ninja check-secp256k1 Reviewers: #bitcoin_abc, Fabien Reviewed By: #bitcoin_abc, Fabien Differential Revision: https://reviews.bitcoinabc.org/D4980

real-or-random mentioned this issue Jan 27, 2019

Make randomization of a non-signing context a noop bitcoin-core/secp256k1#587

Merged

real-or-random closed this as completed Feb 27, 2019

apoelstra reopened this Feb 27, 2019

real-or-random closed this as completed in real-or-random/secp256k1@6198375 Mar 8, 2019

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Calling `Secp256k1::randomize` on a verification-only context will abort the process #82

Calling `Secp256k1::randomize` on a verification-only context will abort the process #82

apoelstra commented Nov 12, 2018 •

edited

Loading

apoelstra commented Nov 12, 2018 •

edited

Loading

real-or-random commented Feb 27, 2019 •

edited

Loading

apoelstra commented Feb 27, 2019

Calling Secp256k1::randomize on a verification-only context will abort the process #82

Calling Secp256k1::randomize on a verification-only context will abort the process #82

Comments

apoelstra commented Nov 12, 2018 • edited Loading

apoelstra commented Nov 12, 2018 • edited Loading

real-or-random commented Feb 27, 2019 • edited Loading

apoelstra commented Feb 27, 2019

Calling `Secp256k1::randomize` on a verification-only context will abort the process #82

Calling `Secp256k1::randomize` on a verification-only context will abort the process #82

apoelstra commented Nov 12, 2018 •

edited

Loading

apoelstra commented Nov 12, 2018 •

edited

Loading

real-or-random commented Feb 27, 2019 •

edited

Loading