crypto: fix infinite recursion in Secp256k1 string formatting (#5707)
This caused stack overflow panics in E2E tests, e.g.:
```
2020-11-24T02:37:17.6085640Z [35mvalidator04 |[0m runtime: goroutine stack exceeds 1000000000-byte limit
2020-11-24T02:37:17.6087818Z [35mvalidator04 |[0m runtime: sp=0xc0234b23c0 stack=[0xc0234b2000, 0xc0434b2000]
2020-11-24T02:37:17.6088920Z [35mvalidator04 |[0m fatal error: stack overflow
2020-11-24T02:37:17.6089776Z [35mvalidator04 |[0m
2020-11-24T02:37:17.6090569Z [35mvalidator04 |[0m runtime stack:
2020-11-24T02:37:17.6091677Z [35mvalidator04 |[0m runtime.throw(0x12dc476, 0xe)
2020-11-24T02:37:17.6093123Z [35mvalidator04 |[0m /usr/local/go/src/runtime/panic.go:1116 +0x72
2020-11-24T02:37:17.6094320Z [35mvalidator04 |[0m runtime.newstack()
2020-11-24T02:37:17.6095374Z [35mvalidator04 |[0m /usr/local/go/src/runtime/stack.go:1067 +0x78d
2020-11-24T02:37:17.6096381Z [35mvalidator04 |[0m runtime.morestack()
2020-11-24T02:37:17.6097657Z [35mvalidator04 |[0m /usr/local/go/src/runtime/asm_amd64.s:449 +0x8f
2020-11-24T02:37:17.6098505Z [35mvalidator04 |[0m
2020-11-24T02:37:17.6099328Z [35mvalidator04 |[0m goroutine 88 [running]:
2020-11-24T02:37:17.6100470Z [35mvalidator04 |[0m runtime.heapBitsSetType(0xc009565380, 0x20, 0x18, 0x1137e00)
2020-11-24T02:37:17.6101961Z [35mvalidator04 |[0m /usr/local/go/src/runtime/mbitmap.go:911 +0xaa5 fp=0xc0234b23d0 sp=0xc0234b23c8 pc=0x432625
2020-11-24T02:37:17.6103906Z [35mvalidator04 |[0m runtime.mallocgc(0x20, 0x1137e00, 0x117b601, 0x11e9240)
2020-11-24T02:37:17.6105179Z [35mvalidator04 |[0m /usr/local/go/src/runtime/malloc.go:1090 +0x5a5 fp=0xc0234b2470 sp=0xc0234b23d0 pc=0x428b25
2020-11-24T02:37:17.6106540Z [35mvalidator04 |[0m runtime.convTslice(0xc002743710, 0x21, 0x21, 0xc0234b24e8)
2020-11-24T02:37:17.6107861Z [35mvalidator04 |[0m /usr/local/go/src/runtime/iface.go:385 +0x59 fp=0xc0234b24a0 sp=0xc0234b2470 pc=0x426379
2020-11-24T02:37:17.6109315Z [35mvalidator04 |[0m github.com/tendermint/tendermint/crypto/secp256k1.PubKey.String(...)
2020-11-24T02:37:17.6151692Z [35mvalidator04 |[0m /src/tendermint/crypto/secp256k1/secp256k1.go:161
2020-11-24T02:37:17.6153872Z [35mvalidator04 |[0m github.com/tendermint/tendermint/crypto/secp256k1.(*PubKey).String(0xc009565360, 0x11e9240, 0xc009565360)
2020-11-24T02:37:17.6157421Z [35mvalidator04 |[0m <autogenerated>:1 +0x65 fp=0xc0234b24f8 sp=0xc0234b24a0 pc=0x656965
2020-11-24T02:37:17.6159134Z [35mvalidator04 |[0m fmt.(*pp).handleMethods(0xc00956c680, 0x58, 0xc0234b2801)
2020-11-24T02:37:17.6161462Z [35mvalidator04 |[0m /usr/local/go/src/fmt/print.go:630 +0x30a fp=0xc0234b2768 sp=0xc0234b24f8 pc=0x518b8a
[...]
2020-11-24T02:37:17.6649685Z [35mvalidator04 |[0m /usr/local/go/src/fmt/print.go:630 +0x30a fp=0xc0234b7f48 sp=0xc0234b7cd8 pc=0x518b8a
2020-11-24T02:37:17.6651177Z [35mvalidator04 |[0m created by github.com/tendermint/tendermint/node.startStateSync
2020-11-24T02:37:17.6652521Z [35mvalidator04 |[0m /src/tendermint/node/node.go:587 +0x150
``` 4 years ago |
|
- package secp256k1
-
- import (
- "bytes"
- "crypto/sha256"
- "crypto/subtle"
- "fmt"
- "io"
- "math/big"
-
- secp256k1 "github.com/btcsuite/btcd/btcec"
- "golang.org/x/crypto/ripemd160" // nolint: staticcheck // necessary for Bitcoin address format
-
- "github.com/tendermint/tendermint/crypto"
- tmjson "github.com/tendermint/tendermint/libs/json"
- )
-
- //-------------------------------------
- const (
- PrivKeyName = "tendermint/PrivKeySecp256k1"
- PubKeyName = "tendermint/PubKeySecp256k1"
-
- KeyType = "secp256k1"
- PrivKeySize = 32
- )
-
- func init() {
- tmjson.RegisterType(PubKey{}, PubKeyName)
- tmjson.RegisterType(PrivKey{}, PrivKeyName)
- }
-
- var _ crypto.PrivKey = PrivKey{}
-
- // PrivKey implements PrivKey.
- type PrivKey []byte
-
- // Bytes marshalls the private key using amino encoding.
- func (privKey PrivKey) Bytes() []byte {
- return []byte(privKey)
- }
-
- // PubKey performs the point-scalar multiplication from the privKey on the
- // generator point to get the pubkey.
- func (privKey PrivKey) PubKey() crypto.PubKey {
- _, pubkeyObject := secp256k1.PrivKeyFromBytes(secp256k1.S256(), privKey)
-
- pk := pubkeyObject.SerializeCompressed()
-
- return PubKey(pk)
- }
-
- // Equals - you probably don't need to use this.
- // Runs in constant time based on length of the keys.
- func (privKey PrivKey) Equals(other crypto.PrivKey) bool {
- if otherSecp, ok := other.(PrivKey); ok {
- return subtle.ConstantTimeCompare(privKey[:], otherSecp[:]) == 1
- }
- return false
- }
-
- func (privKey PrivKey) Type() string {
- return KeyType
- }
-
- // GenPrivKey generates a new ECDSA private key on curve secp256k1 private key.
- // It uses OS randomness to generate the private key.
- func GenPrivKey() PrivKey {
- return genPrivKey(crypto.CReader())
- }
-
- // genPrivKey generates a new secp256k1 private key using the provided reader.
- func genPrivKey(rand io.Reader) PrivKey {
- var privKeyBytes [PrivKeySize]byte
- d := new(big.Int)
-
- for {
- privKeyBytes = [PrivKeySize]byte{}
- _, err := io.ReadFull(rand, privKeyBytes[:])
- if err != nil {
- panic(err)
- }
-
- d.SetBytes(privKeyBytes[:])
- // break if we found a valid point (i.e. > 0 and < N == curverOrder)
- isValidFieldElement := 0 < d.Sign() && d.Cmp(secp256k1.S256().N) < 0
- if isValidFieldElement {
- break
- }
- }
-
- return PrivKey(privKeyBytes[:])
- }
-
- var one = new(big.Int).SetInt64(1)
-
- // GenPrivKeySecp256k1 hashes the secret with SHA2, and uses
- // that 32 byte output to create the private key.
- //
- // It makes sure the private key is a valid field element by setting:
- //
- // c = sha256(secret)
- // k = (c mod (n − 1)) + 1, where n = curve order.
- //
- // NOTE: secret should be the output of a KDF like bcrypt,
- // if it's derived from user input.
- func GenPrivKeySecp256k1(secret []byte) PrivKey {
- secHash := sha256.Sum256(secret)
- // to guarantee that we have a valid field element, we use the approach of:
- // "Suite B Implementer’s Guide to FIPS 186-3", A.2.1
- // https://apps.nsa.gov/iaarchive/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/suite-b-implementers-guide-to-fips-186-3-ecdsa.cfm
- // see also https://github.com/golang/go/blob/0380c9ad38843d523d9c9804fe300cb7edd7cd3c/src/crypto/ecdsa/ecdsa.go#L89-L101
- fe := new(big.Int).SetBytes(secHash[:])
- n := new(big.Int).Sub(secp256k1.S256().N, one)
- fe.Mod(fe, n)
- fe.Add(fe, one)
-
- feB := fe.Bytes()
- privKey32 := make([]byte, PrivKeySize)
- // copy feB over to fixed 32 byte privKey32 and pad (if necessary)
- copy(privKey32[32-len(feB):32], feB)
-
- return PrivKey(privKey32)
- }
-
- //-------------------------------------
-
- var _ crypto.PubKey = PubKey{}
-
- // PubKeySize is comprised of 32 bytes for one field element
- // (the x-coordinate), plus one byte for the parity of the y-coordinate.
- const PubKeySize = 33
-
- // PubKey implements crypto.PubKey.
- // It is the compressed form of the pubkey. The first byte depends is a 0x02 byte
- // if the y-coordinate is the lexicographically largest of the two associated with
- // the x-coordinate. Otherwise the first byte is a 0x03.
- // This prefix is followed with the x-coordinate.
- type PubKey []byte
-
- // Address returns a Bitcoin style addresses: RIPEMD160(SHA256(pubkey))
- func (pubKey PubKey) Address() crypto.Address {
- if len(pubKey) != PubKeySize {
- panic("length of pubkey is incorrect")
- }
- hasherSHA256 := sha256.New()
- _, _ = hasherSHA256.Write(pubKey) // does not error
- sha := hasherSHA256.Sum(nil)
-
- hasherRIPEMD160 := ripemd160.New()
- _, _ = hasherRIPEMD160.Write(sha) // does not error
-
- return crypto.Address(hasherRIPEMD160.Sum(nil))
- }
-
- // Bytes returns the pubkey marshalled with amino encoding.
- func (pubKey PubKey) Bytes() []byte {
- return []byte(pubKey)
- }
-
- func (pubKey PubKey) String() string {
- return fmt.Sprintf("PubKeySecp256k1{%X}", []byte(pubKey))
- }
-
- func (pubKey PubKey) Equals(other crypto.PubKey) bool {
- if otherSecp, ok := other.(PubKey); ok {
- return bytes.Equal(pubKey[:], otherSecp[:])
- }
- return false
- }
-
- func (pubKey PubKey) Type() string {
- return KeyType
- }
|