Update secp256k1 (support custom function for ECDH) (#137)

* Update secp256k1 to e34ceb3

* Move system include to end of list (#135)

* Fix linting issues

* Add preprocessor coditions for depricated V8 methods

Author: fanatid

benchmarks/ecdsa.js

@@ -1,5 +1,5 @@
 'use strict'
-var assert = require('assert')
+var assert = require('assert').strict
 var BigInteger = require('bigi')
 var ecdsa = require('ecdsa')
 var ecurve = require('ecurve')

binding.gyp

@@ -24,19 +24,21 @@
       "./src/secp256k1-src/contrib/lax_der_privatekey_parsing.c"
     ],
     "include_dirs": [
-      "/usr/local/include",
       "./src/secp256k1-src",
       "./src/secp256k1-src/contrib",
       "./src/secp256k1-src/include",
       "./src/secp256k1-src/src",
-      "<!(node -e \"require('nan')\")"
+      "<!(node -e \"require('nan')\")",
+      "/usr/local/include"
     ],
     "defines": [
+      "ENABLE_MODULE_ECDH=1",
       "ENABLE_MODULE_RECOVERY=1"
     ],
     "cflags": [
       "-Wall",
       "-Wno-maybe-uninitialized",
+      "-Wno-nonnull-compare",
       "-Wno-uninitialized",
       "-Wno-unused-function",
       "-Wextra"

lib/elliptic/index.js

@@ -214,7 +214,7 @@ exports.sign = function (message, privateKey, noncefn, data) {
 }
 
 exports.verify = function (message, signature, publicKey) {
-  var sigObj = {r: signature.slice(0, 32), s: signature.slice(32, 64)}
+  var sigObj = { r: signature.slice(0, 32), s: signature.slice(32, 64) }
 
   var sigr = new BN(sigObj.r)
   var sigs = new BN(sigObj.s)
@@ -224,11 +224,11 @@ exports.verify = function (message, signature, publicKey) {
   var pair = loadPublicKey(publicKey)
   if (pair === null) throw new Error(messages.EC_PUBLIC_KEY_PARSE_FAIL)
 
-  return ec.verify(message, sigObj, {x: pair.pub.x, y: pair.pub.y})
+  return ec.verify(message, sigObj, { x: pair.pub.x, y: pair.pub.y })
 }
 
 exports.recover = function (message, signature, recovery, compressed) {
-  var sigObj = {r: signature.slice(0, 32), s: signature.slice(32, 64)}
+  var sigObj = { r: signature.slice(0, 32), s: signature.slice(32, 64) }
 
   var sigr = new BN(sigObj.r)
   var sigs = new BN(sigObj.s)

src/ecdh.cc

@@ -1,89 +1,13 @@
 #include <node.h>
 #include <nan.h>
 #include <secp256k1.h>
-#include <util.h>
-#include <field_impl.h>
-#include <scalar_impl.h>
-#include <group_impl.h>
-#include <ecmult_const_impl.h>
-#include <ecmult_gen_impl.h>
+#include <secp256k1_ecdh.h>
 
 #include "messages.h"
 #include "util.h"
 
 extern secp256k1_context* secp256k1ctx;
 
-// from bitcoin/secp256k1
-#define ARG_CHECK(cond) do { \
-    if (EXPECT(!(cond), 0)) { \
-        secp256k1_callback_call(&ctx->illegal_callback, #cond); \
-        return 0; \
-    } \
-} while(0)
-
-static void default_illegal_callback_fn(const char* str, void* data) {
-    (void)data;
-    fprintf(stderr, "[libsecp256k1] illegal argument: %s\n", str);
-    abort();
-}
-
-static const secp256k1_callback default_illegal_callback = {
-    default_illegal_callback_fn,
-    NULL
-};
-
-static void default_error_callback_fn(const char* str, void* data) {
-    (void)data;
-    fprintf(stderr, "[libsecp256k1] internal consistency check failed: %s\n", str);
-    abort();
-}
-
-static const secp256k1_callback default_error_callback = {
-    default_error_callback_fn,
-    NULL
-};
-
-struct secp256k1_context_struct {
-    secp256k1_ecmult_context ecmult_ctx;
-    secp256k1_ecmult_gen_context ecmult_gen_ctx;
-    secp256k1_callback illegal_callback;
-    secp256k1_callback error_callback;
-};
-
-int secp256k1_pubkey_load(const secp256k1_context* ctx, secp256k1_ge* ge, const secp256k1_pubkey* pubkey) {
-    if (sizeof(secp256k1_ge_storage) == 64) {
-        /* When the secp256k1_ge_storage type is exactly 64 byte, use its
-         * representation inside secp256k1_pubkey, as conversion is very fast.
-         * Note that secp256k1_pubkey_save must use the same representation. */
-        secp256k1_ge_storage s;
-        memcpy(&s, &pubkey->data[0], 64);
-        secp256k1_ge_from_storage(ge, &s);
-    } else {
-        /* Otherwise, fall back to 32-byte big endian for X and Y. */
-        secp256k1_fe x, y;
-        secp256k1_fe_set_b32(&x, pubkey->data);
-        secp256k1_fe_set_b32(&y, pubkey->data + 32);
-        secp256k1_ge_set_xy(ge, &x, &y);
-    }
-    ARG_CHECK(!secp256k1_fe_is_zero(&ge->x));
-    return 1;
-}
-
-void secp256k1_pubkey_save(secp256k1_pubkey* pubkey, secp256k1_ge* ge) {
-    if (sizeof(secp256k1_ge_storage) == 64) {
-        secp256k1_ge_storage s;
-        secp256k1_ge_to_storage(&s, ge);
-        memcpy(&pubkey->data[0], &s, 64);
-    } else {
-        VERIFY_CHECK(!secp256k1_ge_is_infinity(ge));
-        secp256k1_fe_normalize_var(&ge->x);
-        secp256k1_fe_normalize_var(&ge->y);
-        secp256k1_fe_get_b32(pubkey->data, &ge->x);
-        secp256k1_fe_get_b32(pubkey->data + 32, &ge->y);
-    }
-}
-
-// bindings
 NAN_METHOD(ecdh) {
   Nan::HandleScope scope;
 
@@ -103,40 +27,20 @@ NAN_METHOD(ecdh) {
     return Nan::ThrowError(EC_PUBLIC_KEY_PARSE_FAIL);
   }
 
-  secp256k1_scalar s;
-  int overflow = 0;
-  secp256k1_scalar_set_b32(&s, private_key, &overflow);
-  if (overflow || secp256k1_scalar_is_zero(&s)) {
-    secp256k1_scalar_clear(&s);
+  unsigned char output[32];
+  if (secp256k1_ecdh(secp256k1ctx, &output[0], &public_key, private_key, secp256k1_ecdh_hash_function_sha256, NULL) == 0) {
     return Nan::ThrowError(ECDH_FAIL);
   }
 
-  secp256k1_ge pt;
-  secp256k1_gej res;
-  unsigned char y[1];
-  unsigned char x[32];
-  secp256k1_sha256_t sha;
-  unsigned char output[32];
-
-  secp256k1_pubkey_load(secp256k1ctx, &pt, &public_key);
-  secp256k1_ecmult_const(&res, &pt, &s);
-  secp256k1_scalar_clear(&s);
-
-  secp256k1_ge_set_gej(&pt, &res);
-  secp256k1_fe_normalize(&pt.y);
-  secp256k1_fe_normalize(&pt.x);
-
-  y[0] = 0x02 | secp256k1_fe_is_odd(&pt.y);
-  secp256k1_fe_get_b32(&x[0], &pt.x);
-
-  secp256k1_sha256_initialize(&sha);
-  secp256k1_sha256_write(&sha, y, sizeof(y));
-  secp256k1_sha256_write(&sha, x, sizeof(x));
-  secp256k1_sha256_finalize(&sha, &output[0]);
-
   info.GetReturnValue().Set(COPY_BUFFER(&output[0], 32));
 }
 
+int ecdh_hash_function_unsafe(unsigned char *output, const unsigned char *x, const unsigned char *y, void *data) {
+  memcpy(output, x, 32);
+  memcpy(output + 32, y, 32);
+  return 1;
+}
+
 NAN_METHOD(ecdhUnsafe) {
   Nan::HandleScope scope;
 
@@ -159,26 +63,12 @@ NAN_METHOD(ecdhUnsafe) {
   unsigned int flags = SECP256K1_EC_COMPRESSED;
   UPDATE_COMPRESSED_VALUE(flags, info[2], SECP256K1_EC_COMPRESSED, SECP256K1_EC_UNCOMPRESSED);
 
-  secp256k1_scalar s;
-  int overflow = 0;
-  secp256k1_scalar_set_b32(&s, private_key, &overflow);
-  if (overflow || secp256k1_scalar_is_zero(&s)) {
-    secp256k1_scalar_clear(&s);
+  if (secp256k1_ecdh(secp256k1ctx, &public_key.data[0], &public_key, private_key, ecdh_hash_function_unsafe, NULL) == 0) {
     return Nan::ThrowError(ECDH_FAIL);
   }
 
-  secp256k1_ge pt;
-  secp256k1_gej res;
   unsigned char output[65];
-  size_t output_length = 65;
-
-  secp256k1_pubkey_load(secp256k1ctx, &pt, &public_key);
-  secp256k1_ecmult_const(&res, &pt, &s);
-  secp256k1_scalar_clear(&s);
-
-  secp256k1_ge_set_gej(&pt, &res);
-  secp256k1_pubkey_save(&public_key, &pt);
-
+  size_t output_length = flags == SECP256K1_EC_COMPRESSED ? 33 : 65;
   secp256k1_ec_pubkey_serialize(secp256k1ctx, &output[0], &output_length, &public_key, flags);
   info.GetReturnValue().Set(COPY_BUFFER(&output[0], output_length));
 }

src/ecdsa.cc

@@ -130,7 +130,11 @@ NAN_METHOD(recover) {
   v8::Local<v8::Object> recid_object = info[2].As<v8::Object>();
   CHECK_TYPE_NUMBER(recid_object, RECOVERY_ID_TYPE_INVALID);
   CHECK_NUMBER_IN_INTERVAL(recid_object, -1, 4, RECOVERY_ID_VALUE_INVALID);
+#if (NODE_MODULE_VERSION >= NODE_7_0_MODULE_VERSION)
+  int recid = (int) recid_object->IntegerValue(info.GetIsolate()->GetCurrentContext()).ToChecked();
+#else
   int recid = (int) recid_object->IntegerValue();
+#endif
 
   unsigned int flags = SECP256K1_EC_COMPRESSED;
   UPDATE_COMPRESSED_VALUE(flags, info[3], SECP256K1_EC_COMPRESSED, SECP256K1_EC_UNCOMPRESSED);

src/secp256k1-src

@@ -8,12 +8,21 @@
 
 #define COPY_BUFFER(data, datalen) Nan::CopyBuffer((const char*) data, (uint32_t) datalen).ToLocalChecked()
 
+#if (NODE_MODULE_VERSION >= NODE_7_0_MODULE_VERSION)
+#define UPDATE_COMPRESSED_VALUE(compressed, value, v_true, v_false) {          \
+  if (!value->IsUndefined()) {                                                 \
+    CHECK_TYPE_BOOLEAN(value, COMPRESSED_TYPE_INVALID);                        \
+    compressed = value->BooleanValue(info.GetIsolate()->GetCurrentContext()).ToChecked() ? v_true : v_false;                     \
+  }                                                                            \
+}
+#else
 #define UPDATE_COMPRESSED_VALUE(compressed, value, v_true, v_false) {          \
   if (!value->IsUndefined()) {                                                 \
     CHECK_TYPE_BOOLEAN(value, COMPRESSED_TYPE_INVALID);                        \
     compressed = value->BooleanValue() ? v_true : v_false;                     \
   }                                                                            \
 }
+#endif
 
 // TypeError
 #define CHECK_TYPE_ARRAY(value, message) {                                     \
@@ -78,10 +87,19 @@
   }                                                                            \
 }
 
+#if (NODE_MODULE_VERSION >= NODE_7_0_MODULE_VERSION)
+#define CHECK_NUMBER_IN_INTERVAL(number, x, y, message) {                      \
+  if (number->IntegerValue(info.GetIsolate()->GetCurrentContext()).ToChecked() <= x || number->IntegerValue(info.GetIsolate()->GetCurrentContext()).ToChecked() >= y) { \
+    return Nan::ThrowRangeError(message);                                      \
+  }                                                                            \
+}
+#else
 #define CHECK_NUMBER_IN_INTERVAL(number, x, y, message) {                      \
   if (number->IntegerValue() <= x || number->IntegerValue() >= y) {            \
     return Nan::ThrowRangeError(message);                                      \
   }                                                                            \
 }
+#endif
+
 
 #endif

src/util.h

@@ -92,7 +92,7 @@ function getEndoBasis (lambda) {
     b2 = b2.neg()
   }
 
-  return [{a: a1, b: b1}, {a: a2, b: b2}]
+  return [{ a: a1, b: b1 }, { a: a2, b: b2 }]
 }
 
 // Compute beta and lambda, that lambda * P = (beta * Px; Py)

utils/getEndo.js

@@ -18,7 +18,7 @@ for (var i = PWR.length - 1, start = PWR.bitLength() % 26; i >= 0; --i, start =
     if (operations.length > 0 && operations[operations.length - 1].op === 'sqr') {
       operations[operations.length - 1].v += 1
     } else {
-      operations.push({op: 'sqr', v: 1})
+      operations.push({ op: 'sqr', v: 1 })
     }
 
     if (bit === 0 && current === 0) {
@@ -33,7 +33,7 @@ for (var i = PWR.length - 1, start = PWR.bitLength() % 26; i >= 0; --i, start =
       continue
     }
 
-    operations.push({op: 'mul', v: current})
+    operations.push({ op: 'mul', v: current })
     reqValues[current] = true
     currentLen = 0
     current = 0