API/docs: Return value if ARG_CHECK fires #811

issue real-or-random openend this issue on September 11, 2020
  1. real-or-random commented at 7:03 pm on September 11, 2020: contributor

    For some functions handling public keys, the API docs claim that these functions always return 1. But when a zeroed pubkey is passed, the ARG_CHECK fires and they return 0.

    Examples:

    • secp256k1_ec_pubkey_negate
    • secp256k1_ec_pubkey_serialize

    Perhabs we can fix this as part of #783 .

  2. real-or-random commented at 7:05 pm on September 11, 2020: contributor

    Anyway, we say for the illegal callback: “It will only trigger for violations that are mentioned explicitly in the header.”

    I guess zeroed public keys are never really explicit in the header. That’s a little bit unfortunate. We have a special invalid value in our pubkey type for enhanced safety but it makes the API more complex.

  3. sipa commented at 7:16 pm on September 11, 2020: contributor
    I think any time you end up with a zeroed public key, it’s a sign you’re really using the API incorrectly? They’re not part of the public interface, but an additional safety check added by the implementation.
  4. gmaxwell commented at 0:18 am on September 14, 2020: contributor
    Right, if you operate on a zeroed pubkey you’ve failed to perform required error handling.
  5. elichai commented at 8:58 am on September 14, 2020: contributor

    FWIW, I wrote bindings in Go for libsecp and because of weird idioms in Go(all objects are zero init and there are no constructors) I’m checking if the pubkey is zero before calling these functions to prevent a user of the lib accidentally aborting the program because of it (specifically trying to serialize an empty pubkey for some reason)

    (a better fix might be to set a different illegal callback that will return an error or something like that)

  6. real-or-random commented at 11:24 am on September 14, 2020: contributor

    Right, if you operate on a zeroed pubkey you’ve failed to perform required error handling.

    Yes, my point is simply that this is not very clear from the docs.

  7. gmaxwell commented at 11:29 am on September 14, 2020: contributor

    @elichai if they’ve written their code like that– (i agree, easy mistakes to make, – not just in go but in C too) then they’re potentially vulnerable to worse things… accepting invalid signatures, leaking private keys (e.g. a buffer for a key gets reused for a key and serialized), or even RCEs (there are function pointers used in this library). So it is much better to have a reliable abort, because aborting essentially always safer than an RCE, and also that sort of misuse will likely end up aborting closer to every time, rather than looking kinda like it worked.

    (it would even be better if all the structures had canaries, so that invalid but coincidentally all zeros also got detected)

  8. real-or-random cross-referenced this on Nov 24, 2020 from issue Don't believe the header's lies by gmaxwell
  9. real-or-random added this to the milestone initial release (1.0.0-rc.1) on Nov 24, 2020
  10. real-or-random cross-referenced this on Nov 24, 2020 from issue Tighter verification bounds in mul/sqr by peterdettman


real-or-random sipa gmaxwell elichai

Milestone
stable release (1.0.0-rc.1)


github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin-core/secp256k1. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-10-30 03:15 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me