Description
Does the signing context generate entropy on creation? Testing now, but this may be a big issue for using verification from a WASM module with no entropy, because the get-random-number methods may panic.
For manually generated contexts, this happens only if you randomize them explicitly; see lines 354 to 380 in 48683d8:
```rust
/// (Re)randomizes the Secp256k1 context for cheap sidechannel resistance;
/// see comment in libsecp256k1 commit d2275795f by Gregory Maxwell. Requires
/// compilation with "rand" feature.
#[cfg(any(test, feature = "rand"))]
pub fn randomize<R: Rng + ?Sized>(&mut self, rng: &mut R) {
    let mut seed = [0u8; 32];
    rng.fill_bytes(&mut seed);
    self.seeded_randomize(&seed);
}

/// (Re)randomizes the Secp256k1 context for cheap sidechannel resistance given 32 bytes of
/// cryptographically-secure random data;
/// see comment in libsecp256k1 commit d2275795f by Gregory Maxwell.
pub fn seeded_randomize(&mut self, seed: &[u8; 32]) {
    unsafe {
        let err = ffi::secp256k1_context_randomize(self.ctx, seed.as_c_ptr());
        // This function cannot fail; it has an error return for future-proofing.
        // We do not expose this error since it is impossible to hit, and we have
        // precedent for not exposing impossible errors (for example in
        // `PublicKey::from_secret_key` where it is impossible to create an invalid
        // secret key through the API.)
        // However, if this DOES fail, the result is potentially weaker side-channel
        // resistance, which is deadly and undetectable, so we take out the entire
        // thread to be on the safe side.
        assert_eq!(err, 1);
    }
}
```
For the global context, it depends on the enabled feature: the `global-context` feature randomizes the context automatically and depends on `rand`, and the `global-context-less-secure` feature gives you a context that is not randomized (and can't be randomized).
Originally posted by @real-or-random in #342 (comment)
We should probably think through what it means to use any of these contexts in a WASM context! Especially in wasm32-unknown-unknown you have no syscalls or way of getting entropy, so this could be problematic.
Fully isolated WASM is really great to provide first-class support for, for a myriad of reasons, but we'd need to think through carefully exactly what we do. Maybe we can detect if we're in wasm and disable some targets if we don't have symbols for getting entropy linked? Not sure :)
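As an added illustration (not code from this issue or from the rust-secp256k1 project), here is a Cargo manifest that selects the context feature per target, so a native build keeps the randomized global context while a wasm32 build, which has no entropy source, uses the non-randomized one. The crate name is hypothetical and the version string is a placeholder; the feature names are the ones discussed above.

```toml
# Added example, not from the issue or the project. Version is a placeholder.
[package]
name = "sig-verifier"    # hypothetical crate name
version = "0.1.0"
edition = "2021"

# Native builds: the global context is randomized automatically on creation
# (cheap sidechannel resistance for secret-key operations). This pulls in
# `rand` and needs a working entropy source at runtime.
[target.'cfg(not(target_arch = "wasm32"))'.dependencies]
secp256k1 = { version = "X.Y", features = ["global-context"] }

# wasm32-unknown-unknown has no syscalls, so asking `rand` for entropy can
# panic. Use the global context that is never randomized instead. This is
# acceptable only when the build touches no secret key (signature
# verification only). A build that signs should construct its own context
# and call `seeded_randomize` with 32 bytes of entropy handed in by the host.
[target.'cfg(target_arch = "wasm32")'.dependencies]
secp256k1 = { version = "X.Y", features = ["global-context-less-secure"] }
```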