authorGustav Simonsson <gustav.simonsson@gmail.com>2015-11-27 22:40:29 +0800
committerJeffrey Wilcke <geffobscura@gmail.com>2016-02-24 20:46:11 +0800
commit61404979ed9b4f88b0fe3fc02beb2ef47149cec6 (patch)
tree751f4223bb96ee28fd95e37189110b05c6cb97df /crypto
parent300f1e2abfeaaa2efed96d522e99ffd11729fc08 (diff)
[release/1.3.4] parmas, crypto, core, core/vm: homestead consensus protocol changes
* change gas cost for contract creating txs * invalidate signature with s value greater than secp256k1 N / 2 * OOG contract creation if not enough gas to store code * new difficulty adjustment algorithm * new DELEGATECALL op code Conflicts: core/vm/environment.go crypto/crypto.go crypto/secp256k1/secp256.go eth/api.go
Diffstat (limited to 'crypto')
-rw-r--r--crypto/crypto.go13
-rw-r--r--crypto/crypto_test.go2
-rw-r--r--crypto/secp256k1/secp256.go11
3 files changed, 22 insertions, 4 deletions
diff --git a/crypto/crypto.go b/crypto/crypto.go
index 8685d62d3..c944fd553 100644
--- a/crypto/crypto.go
+++ b/crypto/crypto.go
@@ -171,12 +171,21 @@ func GenerateKey() (*ecdsa.PrivateKey, error) {
return ecdsa.GenerateKey(S256(), rand.Reader)
}
-func ValidateSignatureValues(v byte, r, s *big.Int) bool {
+func ValidateSignatureValues(v byte, r, s *big.Int, homestead bool) bool {
if r.Cmp(common.Big1) < 0 || s.Cmp(common.Big1) < 0 {
return false
}
vint := uint32(v)
- if r.Cmp(secp256k1n) < 0 && s.Cmp(secp256k1n) < 0 && (vint == 27 || vint == 28) {
+ // reject upper range of s values (ECDSA malleability)
+ // see discussion in secp256k1/libsecp256k1/include/secp256k1.h
+ if homestead && s.Cmp(secp256k1.HalfN) > 0 {
+ return false
+ }
+ // Frontier: allow s to be in full N range
+ if s.Cmp(secp256k1.N) >= 0 {
+ return false
+ }
+ if r.Cmp(secp256k1.N) < 0 && (vint == 27 || vint == 28) {
return true
} else {
return false
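Review bot: The comment `// Frontier: allow s to be in full N range` above the `s.Cmp(secp256k1.N) >= 0` guard misdescribes it — that check runs for both forks, only the `HalfN` guard is Homestead-specific — so a reader may think the bound is skipped under Homestead; suggest `// both forks: s must lie below the group order N`. The exported function also gains a mode flag without a doc comment; propose `// ValidateSignatureValues reports whether v, r and s are well-formed secp256k1 signature values; with homestead set, s values above N/2 are additionally rejected to remove the ECDSA malleability pair.` The trailing `if … { return true } else { return false }` can collapse to `return r.Cmp(secp256k1.N) < 0 && (vint == 27 || vint == 28)`. The function's closing brace lies outside the hunk.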
diff --git a/crypto/crypto_test.go b/crypto/crypto_test.go
index fdd9c1ee8..a366313df 100644
--- a/crypto/crypto_test.go
+++ b/crypto/crypto_test.go
@@ -174,7 +174,7 @@ func TestLoadECDSAFile(t *testing.T) {
func TestValidateSignatureValues(t *testing.T) {
check := func(expected bool, v byte, r, s *big.Int) {
- if ValidateSignatureValues(v, r, s) != expected {
+ if ValidateSignatureValues(v, r, s, false) != expected {
t.Errorf("mismatch for v: %d r: %d s: %d want: %v", v, r, s, expected)
}
}
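Review bot: The only change here passes `false` for the new `homestead` parameter, so the Homestead-only rejection of s > N/2 in ValidateSignatureValues has no test on either side of the boundary. The `check` helper should take the flag, e.g. `check := func(expected bool, v byte, r, s *big.Int, homestead bool)`, and cases should then pin `s = HalfN` (accepted in both modes), `s = HalfN+1` (accepted with Frontier, rejected with Homestead) and `s = N-1` (rejected with Homestead). The body of TestValidateSignatureValues continues past the hunk, so the existing cases it feeds through `check` are not visible here.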
diff --git a/crypto/secp256k1/secp256.go b/crypto/secp256k1/secp256.go
index 41a5608a5..93f7f5143 100644
--- a/crypto/secp256k1/secp256.go
+++ b/crypto/secp256k1/secp256.go
@@ -44,6 +44,7 @@ import "C"
import (
"errors"
+ "math/big"
"unsafe"
"github.com/ethereum/go-ethereum/crypto/randentropy"
@@ -60,9 +61,17 @@ import (
*/
// holds ptr to secp256k1_context_struct (see secp256k1/include/secp256k1.h)
-var context *C.secp256k1_context
+var (
+ context *C.secp256k1_context
+ N *big.Int
+ HalfN *big.Int
+)
func init() {
+ N, _ = new(big.Int).SetString("fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141", 16)
+ // N / 2 == 57896044618658097711785492504343953926418782139537452191302581570759080747168
+ HalfN, _ = new(big.Int).SetString("7fffffffffffffffffffffffffffffff5d576e7357a4501ddfe92f46681b20a0", 16)
+
// around 20 ms on a modern CPU.
context = C.secp256k1_context_create(3) // SECP256K1_START_SIGN | SECP256K1_START_VERIFY
C.secp256k1_context_set_illegal_callback(context, C.callbackFunc(C.secp256k1GoPanicIllegal), nil)
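Review bot: Both `SetString` calls in init discard the ok result, so a malformed literal would leave `N` or `HalfN` nil and only surface later as a nil-pointer panic inside `big.Int.Cmp` in a different package; fail fast instead, e.g. `if N, ok = new(big.Int).SetString(nHex, 16); !ok { panic("secp256k1: malformed curve order N") }` with the hex literal hoisted to a constant, and the same for `HalfN`. The two new exported names are consensus constants exposed as mutable package-level pointers and carry no doc comment; at minimum add `// N is the order of the secp256k1 group.` and `// HalfN is N/2, the upper bound for s under the Homestead low-s rule; both are set once in init and must be treated as read-only.` The init function continues beyond the hunk.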