Merge #587: Make randomization of a non-signing context a noop

6198375 Make randomization of a non-signing context a noop (Tim Ruffing)

Pull request description:

  Before this commit secp256k1_context_randomize called illegal_callback
  when called on a context not initialized for signing. This is not
  documented. Moreover, it is not desirable because non-signing contexts
  may use randomization in the future.

  This commit makes secp256k1_context_randomize a noop in this case. This
  is safe because the context cannot be used for signing anyway.

  This fixes #573 and it fixes rust-bitcoin/rust-secp256k1#82.

Tree-SHA512: 34ddfeb004d9da8f4a77c739fa2110544c28939378e779226da52f410a0e36b3aacb3ebd2e3f3918832a9027684c161789cfdc27a133f2f0e0f1c47e8363029c

diff --git a/include/secp256k1.h b/include/secp256k1.h
index f1f78ab7d084db1324a21042deb558df8b862290..43af09c330de4e8a21552e821ee946d6f198738d 100644 (file)
--- a/include/secp256k1.h
+++ b/include/secp256k1.h
@@ -615,7 +615,7 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
 
 /** Updates the context randomization to protect against side-channel leakage.
- *  Returns: 1: randomization successfully updated
+ *  Returns: 1: randomization successfully updated or nothing to randomize
  *           0: error
  *  Args:    ctx:       pointer to a context object (cannot be NULL)
  *  In:      seed32:    pointer to a 32-byte random seed (NULL resets to initial state)
@@ -630,6 +630,11 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(
  * that it does not affect function results, but shields against attacks which
  * rely on any input-dependent behaviour.
  *
+ * This function has currently an effect only on contexts initialized for signing
+ * because randomization is currently used only for signing. However, this is not
+ * guaranteed and may change in the future. It is safe to call this function on
+ * contexts not initialized for signing; then it will have no effect and return 1.
+ *
  * You should call this after secp256k1_context_create or
  * secp256k1_context_clone, and may call this repeatedly afterwards.
  */

diff --git a/src/secp256k1.c b/src/secp256k1.c
index a1e3908071a5e240640c45cbfabc69640bbd51ae..15981f46e21af11072a67f94504da842bd7eebd5 100644 (file)
--- a/src/secp256k1.c
+++ b/src/secp256k1.c
@@ -570,9 +570,9 @@ int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context* ctx, secp256k1_pubkey
 
 int secp256k1_context_randomize(secp256k1_context* ctx, const unsigned char *seed32) {
     VERIFY_CHECK(ctx != NULL);
-    CHECK(ctx != secp256k1_context_no_precomp);
-    ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
-    secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
+    if (secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)) {
+        secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
+    }
     return 1;
 }
 

diff --git a/src/tests.c b/src/tests.c
index 61bb7fce8727e9ef617202e0d6c88df4338bebb4..a7f841de1a35c03c449070d67c3569c8317fc6dc 100644 (file)
--- a/src/tests.c
+++ b/src/tests.c
@@ -218,8 +218,12 @@ void run_context_tests(void) {
     CHECK(ecount == 3);
     CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
     CHECK(ecount == 3);
-    CHECK(secp256k1_context_randomize(vrfy, ctmp) == 0);
-    CHECK(ecount == 4);
+    CHECK(secp256k1_context_randomize(vrfy, ctmp) == 1);
+    CHECK(ecount == 3);
+    CHECK(secp256k1_context_randomize(vrfy, NULL) == 1);
+    CHECK(ecount == 3);
+    CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
+    CHECK(ecount2 == 14);
     CHECK(secp256k1_context_randomize(sign, NULL) == 1);
     CHECK(ecount2 == 14);
     secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);