projects / secp256k1.git / blame
| Commit | Line | Data |
|---|---|---|
| 9f443be0 PW |
1 | /********************************************************************** |
| 2 | * Copyright (c) 2013-2015 Pieter Wuille * | |
| 3 | * Distributed under the MIT software license, see the accompanying * | |
| 4 | * file COPYING or http://www.opensource.org/licenses/mit-license.php.* | |
| 5 | **********************************************************************/ | |
| 6 | ||
| abe2d3e8 DR |
7 | #ifndef SECP256K1_MODULE_RECOVERY_MAIN_H |
| 8 | #define SECP256K1_MODULE_RECOVERY_MAIN_H | |
| 9f443be0 PW |
9 | |
| 10 | #include "include/secp256k1_recovery.h" | |
| 11 | ||
| dd891e0e | 12 | static void secp256k1_ecdsa_recoverable_signature_load(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, int* recid, const secp256k1_ecdsa_recoverable_signature* sig) { |
| 9f443be0 | 13 | (void)ctx; |
| dd891e0e PW |
14 | if (sizeof(secp256k1_scalar) == 32) { |
| 15 | /* When the secp256k1_scalar type is exactly 32 byte, use its | |
| 16 | * representation inside secp256k1_ecdsa_signature, as conversion is very fast. | |
| 9f443be0 PW |
17 | * Note that secp256k1_ecdsa_signature_save must use the same representation. */ |
| 18 | memcpy(r, &sig->data[0], 32); | |
| 19 | memcpy(s, &sig->data[32], 32); | |
| 20 | } else { | |
| 21 | secp256k1_scalar_set_b32(r, &sig->data[0], NULL); | |
| 22 | secp256k1_scalar_set_b32(s, &sig->data[32], NULL); | |
| 23 | } | |
| 24 | *recid = sig->data[64]; | |
| 25 | } | |
| 26 | ||
| dd891e0e PW |
27 | static void secp256k1_ecdsa_recoverable_signature_save(secp256k1_ecdsa_recoverable_signature* sig, const secp256k1_scalar* r, const secp256k1_scalar* s, int recid) { |
| 28 | if (sizeof(secp256k1_scalar) == 32) { | |
| 9f443be0 PW |
29 | memcpy(&sig->data[0], r, 32); |
| 30 | memcpy(&sig->data[32], s, 32); | |
| 31 | } else { | |
| 32 | secp256k1_scalar_get_b32(&sig->data[0], r); | |
| 33 | secp256k1_scalar_get_b32(&sig->data[32], s); | |
| 34 | } | |
| 35 | sig->data[64] = recid; | |
| 36 | } | |
| 37 | ||
| dd891e0e PW |
38 | int secp256k1_ecdsa_recoverable_signature_parse_compact(const secp256k1_context* ctx, secp256k1_ecdsa_recoverable_signature* sig, const unsigned char *input64, int recid) { |
| 39 | secp256k1_scalar r, s; | |
| 9f443be0 PW |
40 | int ret = 1; |
| 41 | int overflow = 0; | |
| 42 | ||
| 43 | (void)ctx; | |
| 44 | ARG_CHECK(sig != NULL); | |
| 45 | ARG_CHECK(input64 != NULL); | |
| 46 | ARG_CHECK(recid >= 0 && recid <= 3); | |
| 47 | ||
| 48 | secp256k1_scalar_set_b32(&r, &input64[0], &overflow); | |
| 49 | ret &= !overflow; | |
| 50 | secp256k1_scalar_set_b32(&s, &input64[32], &overflow); | |
| 51 | ret &= !overflow; | |
| 52 | if (ret) { | |
| 53 | secp256k1_ecdsa_recoverable_signature_save(sig, &r, &s, recid); | |
| 54 | } else { | |
| 55 | memset(sig, 0, sizeof(*sig)); | |
| 56 | } | |
| 57 | return ret; | |
| 58 | } | |
| 59 | ||
| dd891e0e PW |
60 | int secp256k1_ecdsa_recoverable_signature_serialize_compact(const secp256k1_context* ctx, unsigned char *output64, int *recid, const secp256k1_ecdsa_recoverable_signature* sig) { |
| 61 | secp256k1_scalar r, s; | |
| 9f443be0 PW |
62 | |
| 63 | (void)ctx; | |
| 64 | ARG_CHECK(output64 != NULL); | |
| 65 | ARG_CHECK(sig != NULL); | |
| 3bb9c447 | 66 | ARG_CHECK(recid != NULL); |
| 9f443be0 PW |
67 | |
| 68 | secp256k1_ecdsa_recoverable_signature_load(ctx, &r, &s, recid, sig); | |
| 69 | secp256k1_scalar_get_b32(&output64[0], &r); | |
| 70 | secp256k1_scalar_get_b32(&output64[32], &s); | |
| 71 | return 1; | |
| 72 | } | |
| 73 | ||
| dd891e0e PW |
74 | int secp256k1_ecdsa_recoverable_signature_convert(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const secp256k1_ecdsa_recoverable_signature* sigin) { |
| 75 | secp256k1_scalar r, s; | |
| 9f443be0 PW |
76 | int recid; |
| 77 | ||
| 78 | (void)ctx; | |
| 79 | ARG_CHECK(sig != NULL); | |
| 80 | ARG_CHECK(sigin != NULL); | |
| 81 | ||
| 82 | secp256k1_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, sigin); | |
| 83 | secp256k1_ecdsa_signature_save(sig, &r, &s); | |
| 84 | return 1; | |
| 85 | } | |
| 86 | ||
| 1b3efc11 GM |
87 | static int secp256k1_ecdsa_sig_recover(const secp256k1_ecmult_context *ctx, const secp256k1_scalar *sigr, const secp256k1_scalar* sigs, secp256k1_ge *pubkey, const secp256k1_scalar *message, int recid) { |
| 88 | unsigned char brx[32]; | |
| 89 | secp256k1_fe fx; | |
| 90 | secp256k1_ge x; | |
| 91 | secp256k1_gej xj; | |
| 92 | secp256k1_scalar rn, u1, u2; | |
| 93 | secp256k1_gej qj; | |
| 94 | int r; | |
| 95 | ||
| 96 | if (secp256k1_scalar_is_zero(sigr) || secp256k1_scalar_is_zero(sigs)) { | |
| 97 | return 0; | |
| 98 | } | |
| 99 | ||
| 100 | secp256k1_scalar_get_b32(brx, sigr); | |
| 101 | r = secp256k1_fe_set_b32(&fx, brx); | |
| 102 | (void)r; | |
| 103 | VERIFY_CHECK(r); /* brx comes from a scalar, so is less than the order; certainly less than p */ | |
| 104 | if (recid & 2) { | |
| 105 | if (secp256k1_fe_cmp_var(&fx, &secp256k1_ecdsa_const_p_minus_order) >= 0) { | |
| 106 | return 0; | |
| 107 | } | |
| 108 | secp256k1_fe_add(&fx, &secp256k1_ecdsa_const_order_as_fe); | |
| 109 | } | |
| 110 | if (!secp256k1_ge_set_xo_var(&x, &fx, recid & 1)) { | |
| 111 | return 0; | |
| 112 | } | |
| 113 | secp256k1_gej_set_ge(&xj, &x); | |
| 114 | secp256k1_scalar_inverse_var(&rn, sigr); | |
| 115 | secp256k1_scalar_mul(&u1, &rn, message); | |
| 116 | secp256k1_scalar_negate(&u1, &u1); | |
| 117 | secp256k1_scalar_mul(&u2, &rn, sigs); | |
| 118 | secp256k1_ecmult(ctx, &qj, &xj, &u2, &u1); | |
| 119 | secp256k1_ge_set_gej_var(pubkey, &qj); | |
| 120 | return !secp256k1_gej_is_infinity(&qj); | |
| 121 | } | |
| 122 | ||
| dd891e0e PW |
123 | int secp256k1_ecdsa_sign_recoverable(const secp256k1_context* ctx, secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) { |
| 124 | secp256k1_scalar r, s; | |
| 2876af4f | 125 | int ret, recid; |
| b183b411 | 126 | VERIFY_CHECK(ctx != NULL); |
| 9f443be0 PW |
127 | ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); |
| 128 | ARG_CHECK(msg32 != NULL); | |
| 129 | ARG_CHECK(signature != NULL); | |
| 130 | ARG_CHECK(seckey != NULL); | |
| 9f443be0 | 131 | |
| 2876af4f ET |
132 | ret = secp256k1_ecdsa_sign_inner(ctx, &r, &s, &recid, msg32, seckey, noncefp, noncedata); |
| 133 | secp256k1_ecdsa_recoverable_signature_save(signature, &r, &s, recid); | |
| 9f443be0 PW |
134 | return ret; |
| 135 | } | |
| 136 | ||
| dd891e0e PW |
137 | int secp256k1_ecdsa_recover(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msg32) { |
| 138 | secp256k1_ge q; | |
| 139 | secp256k1_scalar r, s; | |
| 140 | secp256k1_scalar m; | |
| 9f443be0 | 141 | int recid; |
| b183b411 | 142 | VERIFY_CHECK(ctx != NULL); |
| 9f443be0 PW |
143 | ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx)); |
| 144 | ARG_CHECK(msg32 != NULL); | |
| 145 | ARG_CHECK(signature != NULL); | |
| 146 | ARG_CHECK(pubkey != NULL); | |
| 147 | ||
| 148 | secp256k1_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, signature); | |
| b5951639 | 149 | VERIFY_CHECK(recid >= 0 && recid < 4); /* should have been caught in parse_compact */ |
| 9f443be0 PW |
150 | secp256k1_scalar_set_b32(&m, msg32, NULL); |
| 151 | if (secp256k1_ecdsa_sig_recover(&ctx->ecmult_ctx, &r, &s, &q, &m, recid)) { | |
| 152 | secp256k1_pubkey_save(pubkey, &q); | |
| 153 | return 1; | |
| 154 | } else { | |
| 155 | memset(pubkey, 0, sizeof(*pubkey)); | |
| 156 | return 0; | |
| 157 | } | |
| 158 | } | |
| 159 | ||
| abe2d3e8 | 160 | #endif /* SECP256K1_MODULE_RECOVERY_MAIN_H */ |