|
| 1 | +// SPDX-License-Identifier: CC0-1.0 |
| 2 | + |
| 3 | +use std::cell::RefCell; |
| 4 | +use std::marker::PhantomData; |
| 5 | +use std::mem::ManuallyDrop; |
| 6 | +use std::ptr::NonNull; |
| 7 | + |
| 8 | +use secp256k1_sys as ffi; |
| 9 | + |
| 10 | +use crate::{All, Context, Secp256k1}; |
| 11 | + |
| 12 | +thread_local! { |
| 13 | + static SECP256K1: RefCell<Secp256k1<All>> = RefCell::new(Secp256k1::new()); |
| 14 | + static RAND_SEED: RefCell<[u8; 32]> = const { RefCell::new([0; 32]) }; |
| 15 | +} |
| 16 | + |
| 17 | +/// Borrows the global context and do some operation on it. |
| 18 | +/// |
| 19 | +/// If provided, after the operation is complete, [`rerandomize_global_context`] |
| 20 | +/// is called on the context. If you have some random data available, |
| 21 | +pub fn with_global_context<T, Ctx: Context, F: FnOnce(&Secp256k1<Ctx>) -> T>( |
| 22 | + f: F, |
| 23 | + rerandomize_seed: Option<&[u8; 32]>, |
| 24 | +) -> T { |
| 25 | + with_raw_global_context( |
| 26 | + |ctx| { |
| 27 | + let secp = ManuallyDrop::new(Secp256k1 { ctx, phantom: PhantomData }); |
| 28 | + f(&*secp) |
| 29 | + }, |
| 30 | + rerandomize_seed, |
| 31 | + ) |
| 32 | +} |
| 33 | + |
| 34 | +/// Borrows the global context as a raw pointer and do some operation on it. |
| 35 | +/// |
| 36 | +/// If provided, after the operation is complete, [`rerandomize_global_context`] |
| 37 | +/// is called on the context. If you have some random data available, |
| 38 | +pub fn with_raw_global_context<T, F: FnOnce(NonNull<ffi::Context>) -> T>( |
| 39 | + f: F, |
| 40 | + rerandomize_seed: Option<&[u8; 32]>, |
| 41 | +) -> T { |
| 42 | + SECP256K1.with(|secp| { |
| 43 | + let borrow = secp.borrow(); |
| 44 | + let ret = f(borrow.ctx); |
| 45 | + drop(borrow); |
| 46 | + |
| 47 | + if let Some(seed) = rerandomize_seed { |
| 48 | + rerandomize_global_context(seed); |
| 49 | + } |
| 50 | + ret |
| 51 | + }) |
| 52 | +} |
| 53 | + |
| 54 | +/// Rerandomize the global context, using the given data as a seed. |
| 55 | +/// |
| 56 | +/// The provided data will be mixed with the entropy from previous calls in a timing |
| 57 | +/// analysis resistant way. It is safe to directly pass secret data to this function. |
| 58 | +pub fn rerandomize_global_context(seed: &[u8; 32]) { |
| 59 | + SECP256K1.with(|secp| { |
| 60 | + RAND_SEED.with(|rand_seed| { |
| 61 | + let mut old_seed = rand_seed.borrow_mut(); |
| 62 | + let mut new_seed = [0; 32]; |
| 63 | + // We don't have direct access to sha256 except through the default nonce |
| 64 | + // functions. The ECDSA one uses RFC6979 which is absurdly slow, but the |
| 65 | + // Schnorr one is not too bad. |
| 66 | + unsafe { |
| 67 | + assert_eq!( |
| 68 | + (ffi::secp256k1_nonce_function_bip340.unwrap())( |
| 69 | + new_seed.as_mut_ptr(), |
| 70 | + seed.as_ptr(), // msg |
| 71 | + seed.len(), // msg len |
| 72 | + old_seed.as_ptr(), // key32 |
| 73 | + old_seed.as_ptr(), // xonly_pk32 |
| 74 | + b"rust-secp-randomize".as_ptr(), |
| 75 | + b"rust-secp-randomize".len(), |
| 76 | + core::ptr::null_mut(), |
| 77 | + ), |
| 78 | + 1, |
| 79 | + "calling bip340 nonce function failed", |
| 80 | + ); |
| 81 | + } |
| 82 | + |
| 83 | + // If we have access to the thread rng then use it as well. |
| 84 | + #[cfg(feature = "rand")] |
| 85 | + { |
| 86 | + let mask: [u8; 32] = rand::random(); |
| 87 | + for (byte, mask) in new_seed.iter_mut().zip(mask.iter()) { |
| 88 | + *byte ^= *mask; |
| 89 | + } |
| 90 | + } |
| 91 | + |
| 92 | + // Actual rerandomization |
| 93 | + let mut borrow = secp.borrow_mut(); |
| 94 | + borrow.seeded_randomize(&new_seed); |
| 95 | + old_seed.copy_from_slice(&new_seed); |
| 96 | + }); |
| 97 | + }); |
| 98 | +} |
0 commit comments