Update dependencies

vendor/github.com/hdevalence/ed25519consensus/LICENSE

@@ -0,0 +1,28 @@
+Copyright (c) 2009 The Go Authors. All rights reserved.
+Copyright (c) 2020 Henry de Valence. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without
+modification, are permitted provided that the following conditions are
+met:
+
+   * Redistributions of source code must retain the above copyright
+notice, this list of conditions and the following disclaimer.
+   * Redistributions in binary form must reproduce the above
+copyright notice, this list of conditions and the following disclaimer
+in the documentation and/or other materials provided with the
+distribution.
+   * Neither the name of Google Inc. nor the names of its
+contributors may be used to endorse or promote products derived from
+this software without specific prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

vendor/github.com/hdevalence/ed25519consensus/README.md

@@ -0,0 +1,43 @@
+# Ed25519 for consensus-critical contexts
+
+This library provides an Ed25519 implementation with validation rules intended
+for consensus-critical contexts.
+
+Ed25519 signatures are widely used in consensus-critical contexts (e.g.,
+blockchains), where different nodes must agree on whether or not a given
+signature is valid.  However, Ed25519 does not clearly define criteria for
+signature validity, and even standards-conformant implementations are not
+required to agree on whether a signature is valid.
+
+Different Ed25519 implementations may not (and in practice, do not) agree on
+validation criteria in subtle edge cases.   This poses a double risk to the use
+of Ed25519 in consensus-critical contexts.  First, the presence of multiple
+Ed25519 implementations may open the possibility of consensus divergence.
+Second, even when a single implementation is used, the protocol implicitly
+includes that particular version's validation criteria as part of the consensus
+rules.  However, if the implementation is not intended to be used in
+consensus-critical contexts, it may change validation criteria between releases.
+
+For instance, the initial implementation of Zcash consensus in zcashd inherited
+validity criteria from a then-current version of libsodium (1.0.15). Due to a
+bug in libsodium, this was different from the intended criteria documented in
+the Zcash protocol specification 3 (before the specification was changed to
+match libsodium 1.0.15 in specification version 2020.1.2). Also, libsodium
+never guaranteed stable validity criteria, and changed behavior in a later
+point release. This forced zcashd to use an older version of the library before
+eventually patching a newer version to have consistent validity criteria. To be
+compatible, Zebra had to implement a special library, ed25519-zebra to provide
+Zcash-flavored Ed25519, attempting to match libsodium 1.0.15 exactly. And the
+initial attempt to implement ed25519-zebra was also incompatible, because it
+precisely matched the wrong compile-time configuration of libsodium.
+
+This problem is fixed by [ZIP215], a specification of a precise set of
+validation criteria for Ed25519 signatures.
+This repository contains a fork of Go's `crypto/ed25519` package with support
+for [ZIP215] verification.
+
+Note that the ZIP215 rules ensure that individual and batch verification are
+guaranteed to give the same results, so unlike `ed25519.Verify`, `ed25519consensus.Verify` is
+compatible with batch verification.
+
+[ZIP215]: https://zips.z.cash/zip-0215

vendor/github.com/hdevalence/ed25519consensus/batch.go

@@ -0,0 +1,151 @@
+package ed25519consensus
+
+import (
+	"crypto/ed25519"
+	"crypto/rand"
+	"crypto/sha512"
+
+	"filippo.io/edwards25519"
+)
+
+// BatchVerifier accumulates batch entries with Add, before performing batch
+// verification with Verify.
+type BatchVerifier struct {
+	entries []entry
+}
+
+// entry represents a batch entry with the public key, signature and scalar
+// which the caller wants to verify.
+type entry struct {
+	good      bool // good is true if the Add inputs were valid
+	pubkey    [ed25519.PublicKeySize]byte
+	signature [ed25519.SignatureSize]byte
+	digest    [64]byte
+}
+
+// NewBatchVerifier creates an empty BatchVerifier.
+func NewBatchVerifier() BatchVerifier {
+	return BatchVerifier{
+		entries: []entry{},
+	}
+}
+
+// NewPreallocatedBatchVerifier creates a new BatchVerifier with
+// a preallocated capacity. If you know the size of the batch you plan
+// to create ahead of time, this can prevent needless memory copies.
+func NewPreallocatedBatchVerifier(size int) BatchVerifier {
+	return BatchVerifier{
+		entries: make([]entry, 0, size),
+	}
+}
+
+// Add adds a (public key, message, sig) triple to the current batch. It retains
+// no reference to the inputs.
+func (v *BatchVerifier) Add(publicKey ed25519.PublicKey, message, sig []byte) {
+	// Compute the challenge upfront to store it in the fixed-size entry
+	// structure that can get allocated on the caller stack and avoid heap
+	// allocations. Also, avoid holding any reference to the arguments.
+
+	v.entries = append(v.entries, entry{})
+	e := &v.entries[len(v.entries)-1]
+
+	if len(publicKey) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
+		return
+	}
+
+	h := sha512.New()
+	h.Write(sig[:32])
+	h.Write(publicKey)
+	h.Write(message)
+	h.Sum(e.digest[:0])
+
+	copy(e.pubkey[:], publicKey)
+	copy(e.signature[:], sig)
+
+	e.good = true
+}
+
+// Verify checks all entries in the current batch, returning true if all entries
+// are valid and false if any one entry is invalid.
+//
+// If a failure arises it is unknown which entry failed, the caller must verify
+// each entry individually.
+//
+// Calling Verify on an empty batch returns false.
+func (v *BatchVerifier) Verify() bool {
+	vl := len(v.entries)
+	// Abort early on an empty batch, which probably indicates a bug
+	if vl == 0 {
+		return false
+	}
+
+	// The batch verification equation is
+	//
+	// [-sum(z_i * s_i)]B + sum([z_i]R_i) + sum([z_i * k_i]A_i) = 0.
+	// where for each signature i,
+	// - A_i is the verification key;
+	// - R_i is the signature's R value;
+	// - s_i is the signature's s value;
+	// - k_i is the hash of the message and other data;
+	// - z_i is a random 128-bit Scalar.
+	svals := make([]edwards25519.Scalar, 1+vl+vl)
+	scalars := make([]*edwards25519.Scalar, 1+vl+vl)
+
+	// Populate scalars variable with concrete scalars to reduce heap allocation
+	for i := range scalars {
+		scalars[i] = &svals[i]
+	}
+
+	Bcoeff := scalars[0]
+	Rcoeffs := scalars[1 : 1+vl]
+	Acoeffs := scalars[1+vl:]
+
+	pvals := make([]edwards25519.Point, 1+vl+vl)
+	points := make([]*edwards25519.Point, 1+vl+vl)
+	for i := range points {
+		points[i] = &pvals[i]
+	}
+	B := points[0]
+	Rs := points[1 : 1+vl]
+	As := points[1+vl:]
+
+	buf := make([]byte, 32)
+	B.Set(edwards25519.NewGeneratorPoint())
+	for i, entry := range v.entries {
+		if !entry.good {
+			return false
+		}
+
+		if _, err := Rs[i].SetBytes(entry.signature[:32]); err != nil {
+			return false
+		}
+
+		if _, err := As[i].SetBytes(entry.pubkey[:]); err != nil {
+			return false
+		}
+
+		if _, err := rand.Read(buf[:16]); err != nil {
+			return false
+		}
+		if _, err := Rcoeffs[i].SetCanonicalBytes(buf); err != nil {
+			return false
+		}
+
+		s, err := new(edwards25519.Scalar).SetCanonicalBytes(entry.signature[32:])
+		if err != nil {
+			return false
+		}
+		Bcoeff.MultiplyAdd(Rcoeffs[i], s, Bcoeff)
+
+		k, err := new(edwards25519.Scalar).SetUniformBytes(entry.digest[:])
+		if err != nil {
+			return false
+		}
+		Acoeffs[i].Multiply(Rcoeffs[i], k)
+	}
+	Bcoeff.Negate(Bcoeff) // this term is subtracted in the summation
+
+	check := new(edwards25519.Point).VarTimeMultiScalarMult(scalars, points)
+	check.MultByCofactor(check)
+	return check.Equal(edwards25519.NewIdentityPoint()) == 1
+}

vendor/github.com/hdevalence/ed25519consensus/ed25519.go

@@ -0,0 +1,67 @@
+// Copyright 2016 The Go Authors. All rights reserved.
+// Copyright 2016 Henry de Valence. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+// Package ed25519consensus implements Ed25519 verification according to ZIP215.
+package ed25519consensus
+
+import (
+	"crypto/ed25519"
+	"crypto/sha512"
+
+	"filippo.io/edwards25519"
+)
+
+// Verify reports whether sig is a valid signature of message by
+// publicKey, using precisely-specified validation criteria (ZIP 215) suitable
+// for use in consensus-critical contexts.
+func Verify(publicKey ed25519.PublicKey, message, sig []byte) bool {
+	if l := len(publicKey); l != ed25519.PublicKeySize {
+		return false
+	}
+
+	if len(sig) != ed25519.SignatureSize || sig[63]&224 != 0 {
+		return false
+	}
+
+	// ZIP215: this works because SetBytes does not check that encodings are canonical.
+	A, err := new(edwards25519.Point).SetBytes(publicKey)
+	if err != nil {
+		return false
+	}
+	A.Negate(A)
+
+	h := sha512.New()
+	h.Write(sig[:32])
+	h.Write(publicKey[:])
+	h.Write(message)
+	var digest [64]byte
+	h.Sum(digest[:0])
+
+	hReduced, err := new(edwards25519.Scalar).SetUniformBytes(digest[:])
+	if err != nil {
+		return false
+	}
+
+	// ZIP215: this works because SetBytes does not check that encodings are canonical.
+	checkR, err := new(edwards25519.Point).SetBytes(sig[:32])
+	if err != nil {
+		return false
+	}
+
+	// https://tools.ietf.org/html/rfc8032#section-5.1.7 requires that s be in
+	// the range [0, order) in order to prevent signature malleability.
+	// ZIP215: This is also required by ZIP215.
+	s, err := new(edwards25519.Scalar).SetCanonicalBytes(sig[32:])
+	if err != nil {
+		return false
+	}
+
+	R := new(edwards25519.Point).VarTimeDoubleScalarBaseMult(hReduced, A, s)
+
+	// ZIP215: We want to check [8](R - checkR) == 0
+	p := new(edwards25519.Point).Subtract(R, checkR) // p = R - checkR
+	p.MultByCofactor(p)
+	return p.Equal(edwards25519.NewIdentityPoint()) == 1 // p == 0
+}