]> Git Repo - secp256k1.git/blame - src/secp256k1.c
projects / secp256k1.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
changed import to use brackets <> for openssl as they are not local to the project
[secp256k1.git] / src / secp256k1.c
CommitLineData
07aa4c70
DA		 1/***********************************************************************
2 * Copyright (c) 2013-2015 Pieter Wuille *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
0a433ea2 6
04e34d18 7#include "include/secp256k1.h"
238305fd 8#include "include/secp256k1_preallocated.h"
04e34d18 9
7c068998 10#include "assumptions.h"
1c7fa133 11#include "util.h"
11ab5622 12#include "field_impl.h"
a9f5c8b8 13#include "scalar_impl.h"
11ab5622
PW		 14#include "group_impl.h"
15#include "ecmult_impl.h"
44015000 16#include "ecmult_const_impl.h"
949c1ebb 17#include "ecmult_gen_impl.h"
11ab5622 18#include "ecdsa_impl.h"
e2f71f1e 19#include "eckey_impl.h"
b37fbc28 20#include "hash_impl.h"
548de42e 21#include "scratch_impl.h"
8bc6aeff 22#include "selftest.h"
254327e4 23
7b50483a
GM		 24#if defined(VALGRIND)
25# include <valgrind/memcheck.h>
26#endif
27
995c5487
PW		 28#define ARG_CHECK(cond) do { \
29 if (EXPECT(!(cond), 0)) { \
dd891e0e 30 secp256k1_callback_call(&ctx->illegal_callback, #cond); \
995c5487
PW		 31 return 0; \
32 } \
33} while(0)
34
6095a863
TR		 35#define ARG_CHECK_NO_RETURN(cond) do { \
36 if (EXPECT(!(cond), 0)) { \
37 secp256k1_callback_call(&ctx->illegal_callback, #cond); \
38 } \
39} while(0)
40
5db782e6 41#ifndef USE_EXTERNAL_DEFAULT_CALLBACKS
908bdce6
TR		 42#include <stdlib.h>
43#include <stdio.h>
77defd2c 44static void secp256k1_default_illegal_callback_fn(const char* str, void* data) {
995c5487
PW		 45 (void)data;
46 fprintf(stderr, "[libsecp256k1] illegal argument: %s\n", str);
47 abort();
48}
77defd2c 49static void secp256k1_default_error_callback_fn(const char* str, void* data) {
995c5487
PW		 50 (void)data;
51 fprintf(stderr, "[libsecp256k1] internal consistency check failed: %s\n", str);
52 abort();
53}
5db782e6 54#else
77defd2c
TR		 55void secp256k1_default_illegal_callback_fn(const char* str, void* data);
56void secp256k1_default_error_callback_fn(const char* str, void* data);
5db782e6
TR		 57#endif
58
59static const secp256k1_callback default_illegal_callback = {
77defd2c 60 secp256k1_default_illegal_callback_fn,
5db782e6
TR		 61 NULL
62};
995c5487 63
dd891e0e 64static const secp256k1_callback default_error_callback = {
77defd2c 65 secp256k1_default_error_callback_fn,
995c5487
PW		 66 NULL
67};
68
a9b6595e 69struct secp256k1_context_struct {
dd891e0e
PW		 70 secp256k1_ecmult_context ecmult_ctx;
71 secp256k1_ecmult_gen_context ecmult_gen_ctx;
72 secp256k1_callback illegal_callback;
73 secp256k1_callback error_callback;
7b50483a 74 int declassify;
a9b6595e
PW		 75};
76
ed7c0841
AP		 77static const secp256k1_context secp256k1_context_no_precomp_ = {
78 { 0 },
79 { 0 },
77defd2c 80 { secp256k1_default_illegal_callback_fn, 0 },
7b50483a
GM		 81 { secp256k1_default_error_callback_fn, 0 },
82 0
ed7c0841
AP		 83};
84const secp256k1_context *secp256k1_context_no_precomp = &secp256k1_context_no_precomp_;
85
ef020de1
TR		 86size_t secp256k1_context_preallocated_size(unsigned int flags) {
87 size_t ret = ROUND_TO_ALIGN(sizeof(secp256k1_context));
ebfa2058
TR		 88 /* A return value of 0 is reserved as an indicator for errors when we call this function internally. */
89 VERIFY_CHECK(ret != 0);
ef020de1
TR		 90
91 if (EXPECT((flags & SECP256K1_FLAGS_TYPE_MASK) != SECP256K1_FLAGS_TYPE_CONTEXT, 0)) {
92 secp256k1_callback_call(&default_illegal_callback,
93 "Invalid flags");
94 return 0;
95 }
96
97 if (flags & SECP256K1_FLAGS_BIT_CONTEXT_SIGN) {
98 ret += SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE;
99 }
100 if (flags & SECP256K1_FLAGS_BIT_CONTEXT_VERIFY) {
101 ret += SECP256K1_ECMULT_CONTEXT_PREALLOCATED_SIZE;
102 }
103 return ret;
104}
105
5feadde4
TR		 106size_t secp256k1_context_preallocated_clone_size(const secp256k1_context* ctx) {
107 size_t ret = ROUND_TO_ALIGN(sizeof(secp256k1_context));
ba12dd08 108 VERIFY_CHECK(ctx != NULL);
5feadde4
TR		 109 if (secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)) {
110 ret += SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE;
111 }
112 if (secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx)) {
113 ret += SECP256K1_ECMULT_CONTEXT_PREALLOCATED_SIZE;
114 }
115 return ret;
116}
117
c4fd5dab
TR		 118secp256k1_context* secp256k1_context_preallocated_create(void* prealloc, unsigned int flags) {
119 void* const base = prealloc;
ba12dd08
TR		 120 size_t prealloc_size;
121 secp256k1_context* ret;
c4fd5dab 122
8bc6aeff
PW		 123 if (!secp256k1_selftest()) {
124 secp256k1_callback_call(&default_error_callback, "self test failed");
125 }
ebfa2058 126
ba12dd08 127 prealloc_size = secp256k1_context_preallocated_size(flags);
ebfa2058
TR		 128 if (prealloc_size == 0) {
129 return NULL;
130 }
131 VERIFY_CHECK(prealloc != NULL);
ba12dd08 132 ret = (secp256k1_context*)manual_alloc(&prealloc, sizeof(secp256k1_context), base, prealloc_size);
995c5487
PW		 133 ret->illegal_callback = default_illegal_callback;
134 ret->error_callback = default_error_callback;
a9b6595e
PW		 135
136 secp256k1_ecmult_context_init(&ret->ecmult_ctx);
137 secp256k1_ecmult_gen_context_init(&ret->ecmult_gen_ctx);
138
ebfa2058
TR		 139 /* Flags have been checked by secp256k1_context_preallocated_size. */
140 VERIFY_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_CONTEXT);
9234391e 141 if (flags & SECP256K1_FLAGS_BIT_CONTEXT_SIGN) {
c4fd5dab 142 secp256k1_ecmult_gen_context_build(&ret->ecmult_gen_ctx, &prealloc);
04e34d18 143 }
9234391e 144 if (flags & SECP256K1_FLAGS_BIT_CONTEXT_VERIFY) {
c4fd5dab 145 secp256k1_ecmult_context_build(&ret->ecmult_ctx, &prealloc);
04e34d18 146 }
7b50483a 147 ret->declassify = !!(flags & SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY);
a9b6595e 148
c4fd5dab
TR		 149 return (secp256k1_context*) ret;
150}
151
152secp256k1_context* secp256k1_context_create(unsigned int flags) {
153 size_t const prealloc_size = secp256k1_context_preallocated_size(flags);
154 secp256k1_context* ctx = (secp256k1_context*)checked_malloc(&default_error_callback, prealloc_size);
155 if (EXPECT(secp256k1_context_preallocated_create(ctx, flags) == NULL, 0)) {
156 free(ctx);
157 return NULL;
158 }
159
160 return ctx;
254327e4
PW		 161}
162
5feadde4 163secp256k1_context* secp256k1_context_preallocated_clone(const secp256k1_context* ctx, void* prealloc) {
ba12dd08
TR		 164 size_t prealloc_size;
165 secp256k1_context* ret;
166 VERIFY_CHECK(ctx != NULL);
167 ARG_CHECK(prealloc != NULL);
168
169 prealloc_size = secp256k1_context_preallocated_clone_size(ctx);
170 ret = (secp256k1_context*)prealloc;
c4fd5dab
TR		 171 memcpy(ret, ctx, prealloc_size);
172 secp256k1_ecmult_gen_context_finalize_memcpy(&ret->ecmult_gen_ctx, &ctx->ecmult_gen_ctx);
173 secp256k1_ecmult_context_finalize_memcpy(&ret->ecmult_ctx, &ctx->ecmult_ctx);
d899b5b6
AP		 174 return ret;
175}
176
5feadde4 177secp256k1_context* secp256k1_context_clone(const secp256k1_context* ctx) {
ba12dd08
TR		 178 secp256k1_context* ret;
179 size_t prealloc_size;
180
181 VERIFY_CHECK(ctx != NULL);
182 prealloc_size = secp256k1_context_preallocated_clone_size(ctx);
183 ret = (secp256k1_context*)checked_malloc(&ctx->error_callback, prealloc_size);
5feadde4
TR		 184 ret = secp256k1_context_preallocated_clone(ctx, ret);
185 return ret;
186}
187
c4fd5dab 188void secp256k1_context_preallocated_destroy(secp256k1_context* ctx) {
6095a863 189 ARG_CHECK_NO_RETURN(ctx != secp256k1_context_no_precomp);
2b199de8 190 if (ctx != NULL) {
912f203f
GM		 191 secp256k1_ecmult_context_clear(&ctx->ecmult_ctx);
192 secp256k1_ecmult_gen_context_clear(&ctx->ecmult_gen_ctx);
c4fd5dab
TR		 193 }
194}
9aac0080 195
c4fd5dab
TR		 196void secp256k1_context_destroy(secp256k1_context* ctx) {
197 if (ctx != NULL) {
198 secp256k1_context_preallocated_destroy(ctx);
912f203f
GM		 199 free(ctx);
200 }
254327e4
PW		 201}
202
dd891e0e 203void secp256k1_context_set_illegal_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
6095a863 204 ARG_CHECK_NO_RETURN(ctx != secp256k1_context_no_precomp);
2b199de8 205 if (fun == NULL) {
77defd2c 206 fun = secp256k1_default_illegal_callback_fn;
912f203f 207 }
995c5487
PW		 208 ctx->illegal_callback.fn = fun;
209 ctx->illegal_callback.data = data;
210}
211
dd891e0e 212void secp256k1_context_set_error_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
6095a863 213 ARG_CHECK_NO_RETURN(ctx != secp256k1_context_no_precomp);
2b199de8 214 if (fun == NULL) {
77defd2c 215 fun = secp256k1_default_error_callback_fn;
912f203f 216 }
995c5487
PW		 217 ctx->error_callback.fn = fun;
218 ctx->error_callback.data = data;
219}
220
6fe50439 221secp256k1_scratch_space* secp256k1_scratch_space_create(const secp256k1_context* ctx, size_t max_size) {
548de42e 222 VERIFY_CHECK(ctx != NULL);
6fe50439 223 return secp256k1_scratch_create(&ctx->error_callback, max_size);
548de42e
AP		 224}
225
c2b028a2
AP		 226void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space* scratch) {
227 VERIFY_CHECK(ctx != NULL);
228 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
548de42e
AP		 229}
230
7b50483a
GM		 231/* Mark memory as no-longer-secret for the purpose of analysing constant-time behaviour
232 * of the software. This is setup for use with valgrind but could be substituted with
233 * the appropriate instrumentation for other analysis tools.
234 */
3e08b02e 235static SECP256K1_INLINE void secp256k1_declassify(const secp256k1_context* ctx, const void *p, size_t len) {
7b50483a
GM		 236#if defined(VALGRIND)
237 if (EXPECT(ctx->declassify,0)) VALGRIND_MAKE_MEM_DEFINED(p, len);
238#else
239 (void)ctx;
240 (void)p;
241 (void)len;
242#endif
243}
244
dd891e0e
PW		 245static int secp256k1_pubkey_load(const secp256k1_context* ctx, secp256k1_ge* ge, const secp256k1_pubkey* pubkey) {
246 if (sizeof(secp256k1_ge_storage) == 64) {
247 /* When the secp256k1_ge_storage type is exactly 64 byte, use its
248 * representation inside secp256k1_pubkey, as conversion is very fast.
23cfa914 249 * Note that secp256k1_pubkey_save must use the same representation. */
dd891e0e 250 secp256k1_ge_storage s;
c7680e57 251 memcpy(&s, &pubkey->data[0], sizeof(s));
23cfa914 252 secp256k1_ge_from_storage(ge, &s);
23cfa914
PW		 253 } else {
254 /* Otherwise, fall back to 32-byte big endian for X and Y. */
dd891e0e 255 secp256k1_fe x, y;
23cfa914 256 secp256k1_fe_set_b32(&x, pubkey->data);
23cfa914
PW		 257 secp256k1_fe_set_b32(&y, pubkey->data + 32);
258 secp256k1_ge_set_xy(ge, &x, &y);
259 }
995c5487
PW		 260 ARG_CHECK(!secp256k1_fe_is_zero(&ge->x));
261 return 1;
23cfa914
PW		 262}
263
dd891e0e
PW		 264static void secp256k1_pubkey_save(secp256k1_pubkey* pubkey, secp256k1_ge* ge) {
265 if (sizeof(secp256k1_ge_storage) == 64) {
266 secp256k1_ge_storage s;
23cfa914 267 secp256k1_ge_to_storage(&s, ge);
c7680e57 268 memcpy(&pubkey->data[0], &s, sizeof(s));
23cfa914
PW		 269 } else {
270 VERIFY_CHECK(!secp256k1_ge_is_infinity(ge));
271 secp256k1_fe_normalize_var(&ge->x);
272 secp256k1_fe_normalize_var(&ge->y);
273 secp256k1_fe_get_b32(pubkey->data, &ge->x);
274 secp256k1_fe_get_b32(pubkey->data + 32, &ge->y);
275 }
276}
277
dd891e0e
PW		 278int secp256k1_ec_pubkey_parse(const secp256k1_context* ctx, secp256k1_pubkey* pubkey, const unsigned char *input, size_t inputlen) {
279 secp256k1_ge Q;
23cfa914 280
ee2cb400
GM		 281 VERIFY_CHECK(ctx != NULL);
282 ARG_CHECK(pubkey != NULL);
283 memset(pubkey, 0, sizeof(*pubkey));
284 ARG_CHECK(input != NULL);
23cfa914 285 if (!secp256k1_eckey_pubkey_parse(&Q, input, inputlen)) {
23cfa914
PW		 286 return 0;
287 }
08d7d892
PW		 288 if (!secp256k1_ge_is_in_correct_subgroup(&Q)) {
289 return 0;
290 }
23cfa914
PW		 291 secp256k1_pubkey_save(pubkey, &Q);
292 secp256k1_ge_clear(&Q);
293 return 1;
294}
295
dd891e0e
PW		 296int secp256k1_ec_pubkey_serialize(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey* pubkey, unsigned int flags) {
297 secp256k1_ge Q;
5b71a3f4
GM		 298 size_t len;
299 int ret = 0;
23cfa914 300
ee2cb400 301 VERIFY_CHECK(ctx != NULL);
ee2cb400 302 ARG_CHECK(outputlen != NULL);
1309c03c 303 ARG_CHECK(*outputlen >= ((flags & SECP256K1_FLAGS_BIT_COMPRESSION) ? 33u : 65u));
5b71a3f4
GM		 304 len = *outputlen;
305 *outputlen = 0;
306 ARG_CHECK(output != NULL);
307 memset(output, 0, len);
ee2cb400 308 ARG_CHECK(pubkey != NULL);
9234391e 309 ARG_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_COMPRESSION);
5b71a3f4
GM		 310 if (secp256k1_pubkey_load(ctx, &Q, pubkey)) {
311 ret = secp256k1_eckey_pubkey_serialize(&Q, output, &len, flags & SECP256K1_FLAGS_BIT_COMPRESSION);
312 if (ret) {
313 *outputlen = len;
314 }
315 }
316 return ret;
23cfa914
PW		 317}
318
dd891e0e 319static void secp256k1_ecdsa_signature_load(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, const secp256k1_ecdsa_signature* sig) {
439d34ad 320 (void)ctx;
dd891e0e
PW		 321 if (sizeof(secp256k1_scalar) == 32) {
322 /* When the secp256k1_scalar type is exactly 32 byte, use its
323 * representation inside secp256k1_ecdsa_signature, as conversion is very fast.
439d34ad
PW		 324 * Note that secp256k1_ecdsa_signature_save must use the same representation. */
325 memcpy(r, &sig->data[0], 32);
326 memcpy(s, &sig->data[32], 32);
327 } else {
328 secp256k1_scalar_set_b32(r, &sig->data[0], NULL);
329 secp256k1_scalar_set_b32(s, &sig->data[32], NULL);
330 }
331}
332
dd891e0e
PW		 333static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature* sig, const secp256k1_scalar* r, const secp256k1_scalar* s) {
334 if (sizeof(secp256k1_scalar) == 32) {
439d34ad
PW		 335 memcpy(&sig->data[0], r, 32);
336 memcpy(&sig->data[32], s, 32);
337 } else {
338 secp256k1_scalar_get_b32(&sig->data[0], r);
339 secp256k1_scalar_get_b32(&sig->data[32], s);
340 }
341}
342
dd891e0e
PW		 343int secp256k1_ecdsa_signature_parse_der(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) {
344 secp256k1_scalar r, s;
74a2acdb 345
bcc4881d 346 VERIFY_CHECK(ctx != NULL);
995c5487
PW		 347 ARG_CHECK(sig != NULL);
348 ARG_CHECK(input != NULL);
74a2acdb 349
18c329c5 350 if (secp256k1_ecdsa_sig_parse(&r, &s, input, inputlen)) {
439d34ad 351 secp256k1_ecdsa_signature_save(sig, &r, &s);
74a2acdb
PW		 352 return 1;
353 } else {
354 memset(sig, 0, sizeof(*sig));
355 return 0;
356 }
357}
358
3bb9c447
PW		 359int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input64) {
360 secp256k1_scalar r, s;
361 int ret = 1;
362 int overflow = 0;
363
bcc4881d 364 VERIFY_CHECK(ctx != NULL);
3bb9c447
PW		 365 ARG_CHECK(sig != NULL);
366 ARG_CHECK(input64 != NULL);
367
368 secp256k1_scalar_set_b32(&r, &input64[0], &overflow);
369 ret &= !overflow;
370 secp256k1_scalar_set_b32(&s, &input64[32], &overflow);
371 ret &= !overflow;
372 if (ret) {
373 secp256k1_ecdsa_signature_save(sig, &r, &s);
374 } else {
375 memset(sig, 0, sizeof(*sig));
376 }
377 return ret;
378}
379
dd891e0e
PW		 380int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature* sig) {
381 secp256k1_scalar r, s;
74a2acdb 382
bcc4881d 383 VERIFY_CHECK(ctx != NULL);
995c5487
PW		 384 ARG_CHECK(output != NULL);
385 ARG_CHECK(outputlen != NULL);
386 ARG_CHECK(sig != NULL);
74a2acdb 387
439d34ad 388 secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
18c329c5 389 return secp256k1_ecdsa_sig_serialize(output, outputlen, &r, &s);
74a2acdb
PW		 390}
391
3bb9c447
PW		 392int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context* ctx, unsigned char *output64, const secp256k1_ecdsa_signature* sig) {
393 secp256k1_scalar r, s;
394
bcc4881d 395 VERIFY_CHECK(ctx != NULL);
3bb9c447
PW		 396 ARG_CHECK(output64 != NULL);
397 ARG_CHECK(sig != NULL);
398
399 secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
400 secp256k1_scalar_get_b32(&output64[0], &r);
401 secp256k1_scalar_get_b32(&output64[32], &s);
402 return 1;
403}
404
0c6ab2ff
PW		 405int secp256k1_ecdsa_signature_normalize(const secp256k1_context* ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) {
406 secp256k1_scalar r, s;
407 int ret = 0;
408
409 VERIFY_CHECK(ctx != NULL);
410 ARG_CHECK(sigin != NULL);
411
412 secp256k1_ecdsa_signature_load(ctx, &r, &s, sigin);
413 ret = secp256k1_scalar_is_high(&s);
414 if (sigout != NULL) {
415 if (ret) {
416 secp256k1_scalar_negate(&s, &s);
417 }
418 secp256k1_ecdsa_signature_save(sigout, &r, &s);
419 }
420
421 return ret;
422}
423
f587f04e 424int secp256k1_ecdsa_verify(const secp256k1_context* ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) {
dd891e0e
PW		 425 secp256k1_ge q;
426 secp256k1_scalar r, s;
427 secp256k1_scalar m;
b183b411 428 VERIFY_CHECK(ctx != NULL);
995c5487 429 ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
f587f04e 430 ARG_CHECK(msghash32 != NULL);
995c5487
PW		 431 ARG_CHECK(sig != NULL);
432 ARG_CHECK(pubkey != NULL);
1c7fa133 433
f587f04e 434 secp256k1_scalar_set_b32(&m, msghash32, NULL);
439d34ad 435 secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
0c6ab2ff
PW		 436 return (!secp256k1_scalar_is_high(&s) &&
437 secp256k1_pubkey_load(ctx, &q, pubkey) &&
995c5487 438 secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &r, &s, &q, &m));
607884fc
PW		 439}
440
c7680e57
TS		 441static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *offset, const void *data, unsigned int len) {
442 memcpy(buf + *offset, data, len);
443 *offset += len;
444}
445
05732c5a 446static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
a5a66c70 447 unsigned char keydata[112];
c7680e57 448 unsigned int offset = 0;
d1dc9dfc 449 secp256k1_rfc6979_hmac_sha256 rng;
f735446c 450 unsigned int i;
3e6f1e20
PW		 451 /* We feed a byte array to the PRNG as input, consisting of:
452 * - the private key (32 bytes) and message (32 bytes), see RFC 6979 3.2d.
453 * - optionally 32 extra bytes of data, see RFC 6979 3.6 Additional Data.
b30fc85c
GM		 454 * - optionally 16 extra bytes with the algorithm name.
455 * Because the arguments have distinct fixed lengths it is not possible for
456 * different argument mixtures to emulate each other and result in the same
457 * nonces.
3e6f1e20 458 */
c7680e57
TS		 459 buffer_append(keydata, &offset, key32, 32);
460 buffer_append(keydata, &offset, msg32, 32);
3e6f1e20 461 if (data != NULL) {
c7680e57 462 buffer_append(keydata, &offset, data, 32);
3e6f1e20 463 }
a5a66c70 464 if (algo16 != NULL) {
c7680e57 465 buffer_append(keydata, &offset, algo16, 16);
a5a66c70 466 }
c7680e57 467 secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, offset);
3e6f1e20 468 memset(keydata, 0, sizeof(keydata));
f735446c 469 for (i = 0; i <= counter; i++) {
bbd5ba7c
PW		 470 secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
471 }
472 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
473 return 1;
474}
475
dd891e0e
PW		 476const secp256k1_nonce_function secp256k1_nonce_function_rfc6979 = nonce_function_rfc6979;
477const secp256k1_nonce_function secp256k1_nonce_function_default = nonce_function_rfc6979;
bbd5ba7c 478
2876af4f 479static int secp256k1_ecdsa_sign_inner(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, int* recid, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
dd891e0e 480 secp256k1_scalar sec, non, msg;
439d34ad 481 int ret = 0;
3fec9826 482 int is_sec_valid;
34a67c77
GM		 483 unsigned char nonce32[32];
484 unsigned int count = 0;
2876af4f
ET		 485 /* Default initialization here is important so we won't pass uninit values to the cmov in the end */
486 *r = secp256k1_scalar_zero;
487 *s = secp256k1_scalar_zero;
488 if (recid) {
489 *recid = 0;
490 }
439d34ad
PW		 491 if (noncefp == NULL) {
492 noncefp = secp256k1_nonce_function_default;
493 }
494
439d34ad 495 /* Fail if the secret key is invalid. */
3fec9826
JN		 496 is_sec_valid = secp256k1_scalar_set_b32_seckey(&sec, seckey);
497 secp256k1_scalar_cmov(&sec, &secp256k1_scalar_one, !is_sec_valid);
34a67c77
GM		 498 secp256k1_scalar_set_b32(&msg, msg32, NULL);
499 while (1) {
3fec9826
JN		 500 int is_nonce_valid;
501 ret = !!noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count);
34a67c77
GM		 502 if (!ret) {
503 break;
504 }
3fec9826
JN		 505 is_nonce_valid = secp256k1_scalar_set_b32_seckey(&non, nonce32);
506 /* The nonce is still secret here, but it being invalid is is less likely than 1:2^255. */
507 secp256k1_declassify(ctx, &is_nonce_valid, sizeof(is_nonce_valid));
508 if (is_nonce_valid) {
2876af4f 509 ret = secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, r, s, &sec, &msg, &non, recid);
7b50483a
GM		 510 /* The final signature is no longer a secret, nor is the fact that we were successful or not. */
511 secp256k1_declassify(ctx, &ret, sizeof(ret));
512 if (ret) {
439d34ad
PW		 513 break;
514 }
439d34ad 515 }
34a67c77 516 count++;
439d34ad 517 }
3fec9826
JN		 518 /* We don't want to declassify is_sec_valid and therefore the range of
519 * seckey. As a result is_sec_valid is included in ret only after ret was
520 * used as a branching variable. */
521 ret &= is_sec_valid;
34a67c77
GM		 522 memset(nonce32, 0, 32);
523 secp256k1_scalar_clear(&msg);
524 secp256k1_scalar_clear(&non);
525 secp256k1_scalar_clear(&sec);
2876af4f
ET		 526 secp256k1_scalar_cmov(r, &secp256k1_scalar_zero, !ret);
527 secp256k1_scalar_cmov(s, &secp256k1_scalar_zero, !ret);
528 if (recid) {
529 const int zero = 0;
530 secp256k1_int_cmov(recid, &zero, !ret);
531 }
532 return ret;
533}
534
f587f04e 535int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
2876af4f
ET		 536 secp256k1_scalar r, s;
537 int ret;
538 VERIFY_CHECK(ctx != NULL);
539 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
f587f04e 540 ARG_CHECK(msghash32 != NULL);
2876af4f
ET		 541 ARG_CHECK(signature != NULL);
542 ARG_CHECK(seckey != NULL);
543
f587f04e 544 ret = secp256k1_ecdsa_sign_inner(ctx, &r, &s, NULL, msghash32, seckey, noncefp, noncedata);
34a67c77 545 secp256k1_ecdsa_signature_save(signature, &r, &s);
3fec9826 546 return ret;
439d34ad
PW		 547}
548
dd891e0e
PW		 549int secp256k1_ec_seckey_verify(const secp256k1_context* ctx, const unsigned char *seckey) {
550 secp256k1_scalar sec;
f735446c 551 int ret;
b183b411 552 VERIFY_CHECK(ctx != NULL);
995c5487 553 ARG_CHECK(seckey != NULL);
f735446c 554
3fec9826 555 ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
a9f5c8b8 556 secp256k1_scalar_clear(&sec);
42cccdaf
PW		 557 return ret;
558}
559
f0010349 560static int secp256k1_ec_pubkey_create_helper(const secp256k1_ecmult_gen_context *ecmult_gen_ctx, secp256k1_scalar *seckey_scalar, secp256k1_ge *p, const unsigned char *seckey) {
dd891e0e 561 secp256k1_gej pj;
f0010349
JN		 562 int ret;
563
564 ret = secp256k1_scalar_set_b32_seckey(seckey_scalar, seckey);
565 secp256k1_scalar_cmov(seckey_scalar, &secp256k1_scalar_one, !ret);
566
567 secp256k1_ecmult_gen(ecmult_gen_ctx, &pj, seckey_scalar);
568 secp256k1_ge_set_gej(p, &pj);
569 return ret;
570}
571
572int secp256k1_ec_pubkey_create(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) {
dd891e0e 573 secp256k1_ge p;
f0010349 574 secp256k1_scalar seckey_scalar;
0065a8fb 575 int ret = 0;
b183b411 576 VERIFY_CHECK(ctx != NULL);
995c5487 577 ARG_CHECK(pubkey != NULL);
5b71a3f4
GM		 578 memset(pubkey, 0, sizeof(*pubkey));
579 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
995c5487 580 ARG_CHECK(seckey != NULL);
1c7fa133 581
f0010349 582 ret = secp256k1_ec_pubkey_create_helper(&ctx->ecmult_gen_ctx, &seckey_scalar, &p, seckey);
34a67c77 583 secp256k1_pubkey_save(pubkey, &p);
e89278f2 584 secp256k1_memczero(pubkey, sizeof(*pubkey), !ret);
34a67c77 585
f0010349 586 secp256k1_scalar_clear(&seckey_scalar);
99fd963b
TK		 587 return ret;
588}
589
41fc7856 590int secp256k1_ec_seckey_negate(const secp256k1_context* ctx, unsigned char *seckey) {
8e48aa60 591 secp256k1_scalar sec;
5894e1f1 592 int ret = 0;
8e48aa60
AP		 593 VERIFY_CHECK(ctx != NULL);
594 ARG_CHECK(seckey != NULL);
595
5894e1f1
JN		 596 ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
597 secp256k1_scalar_cmov(&sec, &secp256k1_scalar_zero, !ret);
8e48aa60
AP		 598 secp256k1_scalar_negate(&sec, &sec);
599 secp256k1_scalar_get_b32(seckey, &sec);
600
069870d9 601 secp256k1_scalar_clear(&sec);
5894e1f1 602 return ret;
8e48aa60
AP		 603}
604
41fc7856
JN		 605int secp256k1_ec_privkey_negate(const secp256k1_context* ctx, unsigned char *seckey) {
606 return secp256k1_ec_seckey_negate(ctx, seckey);
607}
608
8e48aa60
AP		 609int secp256k1_ec_pubkey_negate(const secp256k1_context* ctx, secp256k1_pubkey *pubkey) {
610 int ret = 0;
611 secp256k1_ge p;
612 VERIFY_CHECK(ctx != NULL);
613 ARG_CHECK(pubkey != NULL);
614
615 ret = secp256k1_pubkey_load(ctx, &p, pubkey);
616 memset(pubkey, 0, sizeof(*pubkey));
617 if (ret) {
618 secp256k1_ge_neg(&p, &p);
619 secp256k1_pubkey_save(pubkey, &p);
620 }
621 return ret;
622}
623
f0010349 624
6e85d675 625static int secp256k1_ec_seckey_tweak_add_helper(secp256k1_scalar *sec, const unsigned char *tweak32) {
dd891e0e 626 secp256k1_scalar term;
f0010349
JN		 627 int overflow = 0;
628 int ret = 0;
629
6e85d675 630 secp256k1_scalar_set_b32(&term, tweak32, &overflow);
f0010349
JN		 631 ret = (!overflow) & secp256k1_eckey_privkey_tweak_add(sec, &term);
632 secp256k1_scalar_clear(&term);
633 return ret;
634}
635
6e85d675 636int secp256k1_ec_seckey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
dd891e0e 637 secp256k1_scalar sec;
0065a8fb 638 int ret = 0;
b183b411 639 VERIFY_CHECK(ctx != NULL);
995c5487 640 ARG_CHECK(seckey != NULL);
6e85d675 641 ARG_CHECK(tweak32 != NULL);
1c7fa133 642
5894e1f1 643 ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
6e85d675 644 ret &= secp256k1_ec_seckey_tweak_add_helper(&sec, tweak32);
34a67c77
GM		 645 secp256k1_scalar_cmov(&sec, &secp256k1_scalar_zero, !ret);
646 secp256k1_scalar_get_b32(seckey, &sec);
eb74c36b 647
a9f5c8b8 648 secp256k1_scalar_clear(&sec);
561b0e10
PW		 649 return ret;
650}
651
6e85d675
JN		 652int secp256k1_ec_privkey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
653 return secp256k1_ec_seckey_tweak_add(ctx, seckey, tweak32);
41fc7856
JN		 654}
655
6e85d675 656static int secp256k1_ec_pubkey_tweak_add_helper(const secp256k1_ecmult_context* ecmult_ctx, secp256k1_ge *p, const unsigned char *tweak32) {
176bfb11
JN		 657 secp256k1_scalar term;
658 int overflow = 0;
6e85d675 659 secp256k1_scalar_set_b32(&term, tweak32, &overflow);
176bfb11
JN		 660 return !overflow && secp256k1_eckey_pubkey_tweak_add(ecmult_ctx, p, &term);
661}
662
6e85d675 663int secp256k1_ec_pubkey_tweak_add(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) {
dd891e0e 664 secp256k1_ge p;
0065a8fb 665 int ret = 0;
b183b411 666 VERIFY_CHECK(ctx != NULL);
995c5487
PW		 667 ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
668 ARG_CHECK(pubkey != NULL);
6e85d675 669 ARG_CHECK(tweak32 != NULL);
1c7fa133 670
176bfb11 671 ret = secp256k1_pubkey_load(ctx, &p, pubkey);
bb5aa4df 672 memset(pubkey, 0, sizeof(*pubkey));
6e85d675 673 ret = ret && secp256k1_ec_pubkey_tweak_add_helper(&ctx->ecmult_ctx, &p, tweak32);
bb5aa4df 674 if (ret) {
176bfb11 675 secp256k1_pubkey_save(pubkey, &p);
86d3cce2 676 }
eb74c36b 677
86d3cce2
PW		 678 return ret;
679}
680
6e85d675 681int secp256k1_ec_seckey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
dd891e0e
PW		 682 secp256k1_scalar factor;
683 secp256k1_scalar sec;
0065a8fb 684 int ret = 0;
f735446c 685 int overflow = 0;
b183b411 686 VERIFY_CHECK(ctx != NULL);
995c5487 687 ARG_CHECK(seckey != NULL);
6e85d675 688 ARG_CHECK(tweak32 != NULL);
1c7fa133 689
6e85d675 690 secp256k1_scalar_set_b32(&factor, tweak32, &overflow);
5894e1f1
JN		 691 ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
692 ret &= (!overflow) & secp256k1_eckey_privkey_tweak_mul(&sec, &factor);
34a67c77
GM		 693 secp256k1_scalar_cmov(&sec, &secp256k1_scalar_zero, !ret);
694 secp256k1_scalar_get_b32(seckey, &sec);
eb74c36b 695
a9f5c8b8
PW		 696 secp256k1_scalar_clear(&sec);
697 secp256k1_scalar_clear(&factor);
86d3cce2
PW		 698 return ret;
699}
700
6e85d675
JN		 701int secp256k1_ec_privkey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
702 return secp256k1_ec_seckey_tweak_mul(ctx, seckey, tweak32);
41fc7856
JN		 703}
704
6e85d675 705int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) {
dd891e0e
PW		 706 secp256k1_ge p;
707 secp256k1_scalar factor;
0065a8fb 708 int ret = 0;
f735446c 709 int overflow = 0;
b183b411 710 VERIFY_CHECK(ctx != NULL);
995c5487
PW		 711 ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
712 ARG_CHECK(pubkey != NULL);
6e85d675 713 ARG_CHECK(tweak32 != NULL);
1c7fa133 714
6e85d675 715 secp256k1_scalar_set_b32(&factor, tweak32, &overflow);
bb5aa4df
GM		 716 ret = !overflow && secp256k1_pubkey_load(ctx, &p, pubkey);
717 memset(pubkey, 0, sizeof(*pubkey));
718 if (ret) {
719 if (secp256k1_eckey_pubkey_tweak_mul(&ctx->ecmult_ctx, &p, &factor)) {
23cfa914
PW		 720 secp256k1_pubkey_save(pubkey, &p);
721 } else {
bb5aa4df 722 ret = 0;
0065a8fb 723 }
561b0e10 724 }
eb74c36b 725
561b0e10
PW		 726 return ret;
727}
728
dd891e0e 729int secp256k1_context_randomize(secp256k1_context* ctx, const unsigned char *seed32) {
b183b411 730 VERIFY_CHECK(ctx != NULL);
61983752
TR		 731 if (secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)) {
732 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
733 }
d2275795
GM		 734 return 1;
735}
0739bbb6 736
8e48787d
GM		 737int secp256k1_ec_pubkey_combine(const secp256k1_context* ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey * const *pubnonces, size_t n) {
738 size_t i;
dd891e0e
PW		 739 secp256k1_gej Qj;
740 secp256k1_ge Q;
a5a66c70
PW		 741
742 ARG_CHECK(pubnonce != NULL);
c69dea02 743 memset(pubnonce, 0, sizeof(*pubnonce));
a5a66c70
PW		 744 ARG_CHECK(n >= 1);
745 ARG_CHECK(pubnonces != NULL);
746
747 secp256k1_gej_set_infinity(&Qj);
748
749 for (i = 0; i < n; i++) {
750 secp256k1_pubkey_load(ctx, &Q, pubnonces[i]);
751 secp256k1_gej_add_ge(&Qj, &Qj, &Q);
752 }
753 if (secp256k1_gej_is_infinity(&Qj)) {
a5a66c70
PW		 754 return 0;
755 }
756 secp256k1_ge_set_gej(&Q, &Qj);
757 secp256k1_pubkey_save(pubnonce, &Q);
758 return 1;
759}
760
0739bbb6
AP		 761#ifdef ENABLE_MODULE_ECDH
762# include "modules/ecdh/main_impl.h"
763#endif
a5a66c70 764
9f443be0
PW		 765#ifdef ENABLE_MODULE_RECOVERY
766# include "modules/recovery/main_impl.h"
767#endif
47e6618e
JN		 768
769#ifdef ENABLE_MODULE_EXTRAKEYS
770# include "modules/extrakeys/main_impl.h"
771#endif
7a703fd9
JN		 772
773#ifdef ENABLE_MODULE_SCHNORRSIG
774# include "modules/schnorrsig/main_impl.h"
775#endif
Empty description
This page took 0.164278 seconds and 4 git commands to generate.