Build(deps): Upgrade libsecp256k1 version 0.3.5 => 0.7.0

This resolves security issues with Signature::parse functions See paritytech/libsecp256k1@b525d5d
aurora-is-near · May 26, 2022 · d8a2683 · d8a2683
1 parent 20bc5a9
commit d8a2683
Show file tree

Hide file tree

Showing 7 changed files with 79 additions and 81 deletions.
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/engine-precompiles/Cargo.toml b/engine-precompiles/Cargo.toml
@@ -21,7 +21,7 @@ borsh = { version = "0.8.2", default-features = false }
 bn = { package = "aurora-bn", git = "https://github.com/aurora-is-near/aurora-bn.git", default-features = false }
 evm = { git = "https://github.com/aurora-is-near/sputnikvm.git", rev = "37448b6cacd98b06282cff5a559684505c29bd2b", default-features = false }
 evm-core = { git = "https://github.com/aurora-is-near/sputnikvm.git", rev = "37448b6cacd98b06282cff5a559684505c29bd2b", default-features = false }
-libsecp256k1 = { version = "0.3.5", default-features = false }
+libsecp256k1 = { version = "0.7.0", default-features = false }
 num = { version = "0.4.0", default-features = false, features = ["alloc"] }
 primitive-types = { version = "0.10.0", default-features = false, features = ["rlp"] }
 ripemd160 = { version = "0.9.1", default-features = false }

diff --git a/engine-precompiles/src/secp256k1.rs b/engine-precompiles/src/secp256k1.rs
@@ -32,16 +32,16 @@ pub fn ecrecover(hash: H256, signature: &[u8]) -> Result<Address, ExitError> {
 fn internal_impl(hash: H256, signature: &[u8]) -> Result<Address, ExitError> {
     use sha3::Digest;
 
-    let hash = secp256k1::Message::parse_slice(hash.as_bytes()).unwrap();
+    let hash = libsecp256k1::Message::parse_slice(hash.as_bytes()).unwrap();
     let v = signature[64];
-    let signature = secp256k1::Signature::parse_slice(&signature[0..64]).unwrap();
+    let signature = libsecp256k1::Signature::parse_standard_slice(&signature[0..64]).unwrap();
     let bit = match v {
         0..=26 => v,
         _ => v - 27,
     };
 
-    if let Ok(recovery_id) = secp256k1::RecoveryId::parse(bit) {
-        if let Ok(public_key) = secp256k1::recover(&hash, &signature, &recovery_id) {
+    if let Ok(recovery_id) = libsecp256k1::RecoveryId::parse(bit) {
+        if let Ok(public_key) = libsecp256k1::recover(&hash, &signature, &recovery_id) {
             // recover returns a 65-byte key, but addresses come from the raw 64-byte key
             let r = sha3::Keccak256::digest(&public_key.serialize()[1..]);
             return Address::try_from_slice(&r[12..])

diff --git a/engine-tests/Cargo.toml b/engine-tests/Cargo.toml
@@ -42,7 +42,7 @@ near-vm-runner = { git = "https://github.com/near/nearcore.git", rev = "83fc0f7d
 near-vm-logic = { git = "https://github.com/near/nearcore.git", rev = "83fc0f7d6b212bacc49f058e7400743de3e59783" }
 near-primitives-core = { git = "https://github.com/near/nearcore.git", rev = "83fc0f7d6b212bacc49f058e7400743de3e59783" }
 near-primitives = { git = "https://github.com/near/nearcore.git", rev = "83fc0f7d6b212bacc49f058e7400743de3e59783" }
-libsecp256k1 = "0.3.5"
+libsecp256k1 = "0.7.0"
 rand = "0.7.3"
 criterion = "0.3.4"
 git2 = "0.13"