src/secp256k1.c

/**********************************************************************
 * Copyright (c) 2013-2015 Pieter Wuille                              *
 * Distributed under the MIT software license, see the accompanying   *
 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
 **********************************************************************/

#define SECP256K1_BUILD (1)

#include "include/secp256k1.h"

#include "util.h"
#include "num_impl.h"
#include "field_impl.h"
#include "scalar_impl.h"
#include "group_impl.h"
#include "ecmult_impl.h"
#include "ecmult_const_impl.h"
#include "ecmult_gen_impl.h"
#include "ecdsa_impl.h"
#include "eckey_impl.h"
#include "hash_impl.h"

#define ARG_CHECK(cond) do { \
    if (EXPECT(!(cond), 0)) { \
        ctx->illegal_callback.fn(#cond, ctx->illegal_callback.data); \
        return 0; \
    } \
} while(0)

static void default_illegal_callback_fn(const char* str, void* data) {
    (void)data;
    fprintf(stderr, "[libsecp256k1] illegal argument: %s\n", str);
    abort();
}

static const callback_t default_illegal_callback = {
    default_illegal_callback_fn,
    NULL
};

static void default_error_callback_fn(const char* str, void* data) {
    (void)data;
    fprintf(stderr, "[libsecp256k1] internal consistency check failed: %s\n", str);
    abort();
}

static const callback_t default_error_callback = {
    default_error_callback_fn,
    NULL
};


struct secp256k1_context_struct {
    secp256k1_ecmult_context_t ecmult_ctx;
    secp256k1_ecmult_gen_context_t ecmult_gen_ctx;
    callback_t illegal_callback;
    callback_t error_callback;
};

secp256k1_context_t* secp256k1_context_create(int flags) {
    secp256k1_context_t* ret = (secp256k1_context_t*)checked_malloc(&default_error_callback, sizeof(secp256k1_context_t));
    ret->illegal_callback = default_illegal_callback;
    ret->error_callback = default_error_callback;

    secp256k1_ecmult_context_init(&ret->ecmult_ctx);
    secp256k1_ecmult_gen_context_init(&ret->ecmult_gen_ctx);

    if (flags & SECP256K1_CONTEXT_SIGN) {
        secp256k1_ecmult_gen_context_build(&ret->ecmult_gen_ctx, &ret->error_callback);
    }
    if (flags & SECP256K1_CONTEXT_VERIFY) {
        secp256k1_ecmult_context_build(&ret->ecmult_ctx, &ret->error_callback);
    }

    return ret;
}

secp256k1_context_t* secp256k1_context_clone(const secp256k1_context_t* ctx) {
    secp256k1_context_t* ret = (secp256k1_context_t*)checked_malloc(&ctx->error_callback, sizeof(secp256k1_context_t));
    ret->illegal_callback = ctx->illegal_callback;
    ret->error_callback = ctx->error_callback;
    secp256k1_ecmult_context_clone(&ret->ecmult_ctx, &ctx->ecmult_ctx, &ctx->error_callback);
    secp256k1_ecmult_gen_context_clone(&ret->ecmult_gen_ctx, &ctx->ecmult_gen_ctx, &ctx->error_callback);
    return ret;
}

void secp256k1_context_destroy(secp256k1_context_t* ctx) {
    secp256k1_ecmult_context_clear(&ctx->ecmult_ctx);
    secp256k1_ecmult_gen_context_clear(&ctx->ecmult_gen_ctx);

    free(ctx);
}

void secp256k1_context_set_illegal_callback(secp256k1_context_t* ctx, void (*fun)(const char* message, void* data), void* data) {
    ctx->illegal_callback.fn = fun;
    ctx->illegal_callback.data = data;
}

void secp256k1_context_set_error_callback(secp256k1_context_t* ctx, void (*fun)(const char* message, void* data), void* data) {
    ctx->error_callback.fn = fun;
    ctx->error_callback.data = data;
}

static int secp256k1_pubkey_load(const secp256k1_context_t* ctx, secp256k1_ge_t* ge, const secp256k1_pubkey_t* pubkey) {
    if (sizeof(secp256k1_ge_storage_t) == 64) {
        /* When the secp256k1_ge_storage_t type is exactly 64 byte, use its
         * representation inside secp256k1_pubkey_t, as conversion is very fast.
         * Note that secp256k1_pubkey_save must use the same representation. */
        secp256k1_ge_storage_t s;
        memcpy(&s, &pubkey->data[0], 64);
        secp256k1_ge_from_storage(ge, &s);
    } else {
        /* Otherwise, fall back to 32-byte big endian for X and Y. */
        secp256k1_fe_t x, y;
        secp256k1_fe_set_b32(&x, pubkey->data);
        secp256k1_fe_set_b32(&y, pubkey->data + 32);
        secp256k1_ge_set_xy(ge, &x, &y);
    }
    ARG_CHECK(!secp256k1_fe_is_zero(&ge->x));
    return 1;
}

static void secp256k1_pubkey_save(secp256k1_pubkey_t* pubkey, secp256k1_ge_t* ge) {
    if (sizeof(secp256k1_ge_storage_t) == 64) {
        secp256k1_ge_storage_t s;
        secp256k1_ge_to_storage(&s, ge);
        memcpy(&pubkey->data[0], &s, 64);
    } else {
        VERIFY_CHECK(!secp256k1_ge_is_infinity(ge));
        secp256k1_fe_normalize_var(&ge->x);
        secp256k1_fe_normalize_var(&ge->y);
        secp256k1_fe_get_b32(pubkey->data, &ge->x);
        secp256k1_fe_get_b32(pubkey->data + 32, &ge->y);
    }
}

int secp256k1_ec_pubkey_parse(const secp256k1_context_t* ctx, secp256k1_pubkey_t* pubkey, const unsigned char *input, int inputlen) {
    secp256k1_ge_t Q;

    (void)ctx;
    if (!secp256k1_eckey_pubkey_parse(&Q, input, inputlen)) {
        memset(pubkey, 0, sizeof(*pubkey));
        return 0;
    }
    secp256k1_pubkey_save(pubkey, &Q);
    secp256k1_ge_clear(&Q);
    return 1;
}

int secp256k1_ec_pubkey_serialize(const secp256k1_context_t* ctx, unsigned char *output, int *outputlen, const secp256k1_pubkey_t* pubkey, int compressed) {
    secp256k1_ge_t Q;

    (void)ctx;
    return (secp256k1_pubkey_load(ctx, &Q, pubkey) &&
            secp256k1_eckey_pubkey_serialize(&Q, output, outputlen, compressed));
}

static void secp256k1_ecdsa_signature_load(const secp256k1_context_t* ctx, secp256k1_scalar_t* r, secp256k1_scalar_t* s, int* recid, const secp256k1_ecdsa_signature_t* sig) {
    (void)ctx;
    if (sizeof(secp256k1_scalar_t) == 32) {
        /* When the secp256k1_scalar_t type is exactly 32 byte, use its
         * representation inside secp256k1_ecdsa_signature_t, as conversion is very fast.
         * Note that secp256k1_ecdsa_signature_save must use the same representation. */
        memcpy(r, &sig->data[0], 32);
        memcpy(s, &sig->data[32], 32);
    } else {
        secp256k1_scalar_set_b32(r, &sig->data[0], NULL);
        secp256k1_scalar_set_b32(s, &sig->data[32], NULL);
    }
    if (recid) {
        *recid = sig->data[64];
    }
}

static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature_t* sig, const secp256k1_scalar_t* r, const secp256k1_scalar_t* s, int recid) {
    if (sizeof(secp256k1_scalar_t) == 32) {
        memcpy(&sig->data[0], r, 32);
        memcpy(&sig->data[32], s, 32);
    } else {
        secp256k1_scalar_get_b32(&sig->data[0], r);
        secp256k1_scalar_get_b32(&sig->data[32], s);
    }
    sig->data[64] = recid;
}

int secp256k1_ecdsa_signature_parse_der(const secp256k1_context_t* ctx, secp256k1_ecdsa_signature_t* sig, const unsigned char *input, int inputlen) {
    secp256k1_scalar_t r, s;

    (void)ctx;
    ARG_CHECK(sig != NULL);
    ARG_CHECK(input != NULL);

    if (secp256k1_ecdsa_sig_parse(&r, &s, input, inputlen)) {
        secp256k1_ecdsa_signature_save(sig, &r, &s, -1);
        return 1;
    } else {
        memset(sig, 0, sizeof(*sig));
        return 0;
    }
}

int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context_t* ctx, secp256k1_ecdsa_signature_t* sig, const unsigned char *input64, int recid) {
    secp256k1_scalar_t r, s;
    int ret = 1;
    int overflow = 0;

    (void)ctx;
    ARG_CHECK(sig != NULL);
    ARG_CHECK(input64 != NULL);

    secp256k1_scalar_set_b32(&r, &input64[0], &overflow);
    ret &= !overflow;
    secp256k1_scalar_set_b32(&s, &input64[32], &overflow);
    ret &= !overflow;
    ret &= (recid == -1 || (recid >= 0 && recid < 4));
    if (ret) {
        secp256k1_ecdsa_signature_save(sig, &r, &s, recid);
    } else {
        memset(sig, 0, sizeof(*sig));
    }
    return ret;
}

int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context_t* ctx, unsigned char *output, int *outputlen, const secp256k1_ecdsa_signature_t* sig) {
    secp256k1_scalar_t r, s;

    (void)ctx;
    ARG_CHECK(output != NULL);
    ARG_CHECK(outputlen != NULL);
    ARG_CHECK(sig != NULL);

    secp256k1_ecdsa_signature_load(ctx, &r, &s, NULL, sig);
    return secp256k1_ecdsa_sig_serialize(output, outputlen, &r, &s);
}

int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context_t* ctx, unsigned char *output64, int *recid, const secp256k1_ecdsa_signature_t* sig) {
    secp256k1_scalar_t r, s;
    int rec;

    (void)ctx;
    ARG_CHECK(output64 != NULL);
    ARG_CHECK(sig != NULL);

    secp256k1_ecdsa_signature_load(ctx, &r, &s, &rec, sig);
    secp256k1_scalar_get_b32(&output64[0], &r);
    secp256k1_scalar_get_b32(&output64[32], &s);
    if (recid) {
        ARG_CHECK(rec >= 0 && rec < 4);
        *recid = rec;
    }
    return 1;
}

int secp256k1_ecdsa_verify(const secp256k1_context_t* ctx, const unsigned char *msg32, const secp256k1_ecdsa_signature_t *sig, const secp256k1_pubkey_t *pubkey) {
    secp256k1_ge_t q;
    secp256k1_scalar_t r, s;
    secp256k1_scalar_t m;
    ARG_CHECK(ctx != NULL);
    ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
    ARG_CHECK(msg32 != NULL);
    ARG_CHECK(sig != NULL);
    ARG_CHECK(pubkey != NULL);

    secp256k1_scalar_set_b32(&m, msg32, NULL);
    secp256k1_ecdsa_signature_load(ctx, &r, &s, NULL, sig);
    return (secp256k1_pubkey_load(ctx, &q, pubkey) &&
            secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &r, &s, &q, &m));
}

static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, unsigned int counter, const void *data) {
   unsigned char keydata[96];
   secp256k1_rfc6979_hmac_sha256_t rng;
   unsigned int i;
   /* We feed a byte array to the PRNG as input, consisting of:
    * - the private key (32 bytes) and message (32 bytes), see RFC 6979 3.2d.
    * - optionally 32 extra bytes of data, see RFC 6979 3.6 Additional Data.
    */
   memcpy(keydata, key32, 32);
   memcpy(keydata + 32, msg32, 32);
   if (data != NULL) {
       memcpy(keydata + 64, data, 32);
   }
   secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, data != NULL ? 96 : 64);
   memset(keydata, 0, sizeof(keydata));
   for (i = 0; i <= counter; i++) {
       secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
   }
   secp256k1_rfc6979_hmac_sha256_finalize(&rng);
   return 1;
}

const secp256k1_nonce_function_t secp256k1_nonce_function_rfc6979 = nonce_function_rfc6979;
const secp256k1_nonce_function_t secp256k1_nonce_function_default = nonce_function_rfc6979;

int secp256k1_ecdsa_sign(const secp256k1_context_t* ctx, const unsigned char *msg32, secp256k1_ecdsa_signature_t *signature, const unsigned char *seckey, secp256k1_nonce_function_t noncefp, const void* noncedata) {
    secp256k1_scalar_t r, s;
    secp256k1_scalar_t sec, non, msg;
    int recid;
    int ret = 0;
    int overflow = 0;
    unsigned int count = 0;
    ARG_CHECK(ctx != NULL);
    ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
    ARG_CHECK(msg32 != NULL);
    ARG_CHECK(signature != NULL);
    ARG_CHECK(seckey != NULL);
    if (noncefp == NULL) {
        noncefp = secp256k1_nonce_function_default;
    }

    secp256k1_scalar_set_b32(&sec, seckey, &overflow);
    /* Fail if the secret key is invalid. */
    if (!overflow && !secp256k1_scalar_is_zero(&sec)) {
        secp256k1_scalar_set_b32(&msg, msg32, NULL);
        while (1) {
            unsigned char nonce32[32];
            ret = noncefp(nonce32, msg32, seckey, count, noncedata);
            if (!ret) {
                break;
            }
            secp256k1_scalar_set_b32(&non, nonce32, &overflow);
            memset(nonce32, 0, 32);
            if (!secp256k1_scalar_is_zero(&non) && !overflow) {
                if (secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &r, &s, &sec, &msg, &non, &recid)) {
                    break;
                }
            }
            count++;
        }
        secp256k1_scalar_clear(&msg);
        secp256k1_scalar_clear(&non);
        secp256k1_scalar_clear(&sec);
    }
    if (ret) {
        secp256k1_ecdsa_signature_save(signature, &r, &s, recid);
    } else {
        memset(signature, 0, sizeof(*signature));
    }
    return ret;
}

int secp256k1_ecdsa_recover(const secp256k1_context_t* ctx, const unsigned char *msg32, const secp256k1_ecdsa_signature_t *signature, secp256k1_pubkey_t *pubkey) {
    secp256k1_ge_t q;
    secp256k1_scalar_t r, s;
    secp256k1_scalar_t m;
    int recid;
    ARG_CHECK(ctx != NULL);
    ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
    ARG_CHECK(msg32 != NULL);
    ARG_CHECK(signature != NULL);
    ARG_CHECK(pubkey != NULL);

    secp256k1_ecdsa_signature_load(ctx, &r, &s, &recid, signature);
    ARG_CHECK(recid >= 0 && recid < 4);
    secp256k1_scalar_set_b32(&m, msg32, NULL);
    if (secp256k1_ecdsa_sig_recover(&ctx->ecmult_ctx, &r, &s, &q, &m, recid)) {
        secp256k1_pubkey_save(pubkey, &q);
        return 1;
    } else {
        memset(pubkey, 0, sizeof(*pubkey));
        return 0;
    }
}

int secp256k1_ec_seckey_verify(const secp256k1_context_t* ctx, const unsigned char *seckey) {
    secp256k1_scalar_t sec;
    int ret;
    int overflow;
    ARG_CHECK(ctx != NULL);
    ARG_CHECK(seckey != NULL);
    (void)ctx;

    secp256k1_scalar_set_b32(&sec, seckey, &overflow);
    ret = !secp256k1_scalar_is_zero(&sec) && !overflow;
    secp256k1_scalar_clear(&sec);
    return ret;
}

int secp256k1_ec_pubkey_create(const secp256k1_context_t* ctx, secp256k1_pubkey_t *pubkey, const unsigned char *seckey) {
    secp256k1_gej_t pj;
    secp256k1_ge_t p;
    secp256k1_scalar_t sec;
    int overflow;
    int ret = 0;
    ARG_CHECK(ctx != NULL);
    ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
    ARG_CHECK(pubkey != NULL);
    ARG_CHECK(seckey != NULL);

    secp256k1_scalar_set_b32(&sec, seckey, &overflow);
    ret = !overflow & !secp256k1_scalar_is_zero(&sec);
    secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pj, &sec);
    secp256k1_ge_set_gej(&p, &pj);
    secp256k1_pubkey_save(pubkey, &p);
    secp256k1_scalar_clear(&sec);
    if (!ret) {
        memset(pubkey, 0, sizeof(*pubkey));
    }
    return ret;
}

int secp256k1_ec_privkey_tweak_add(const secp256k1_context_t* ctx, unsigned char *seckey, const unsigned char *tweak) {
    secp256k1_scalar_t term;
    secp256k1_scalar_t sec;
    int ret = 0;
    int overflow = 0;
    ARG_CHECK(ctx != NULL);
    ARG_CHECK(seckey != NULL);
    ARG_CHECK(tweak != NULL);
    (void)ctx;

    secp256k1_scalar_set_b32(&term, tweak, &overflow);
    secp256k1_scalar_set_b32(&sec, seckey, NULL);

    ret = secp256k1_eckey_privkey_tweak_add(&sec, &term) && !overflow;
    if (ret) {
        secp256k1_scalar_get_b32(seckey, &sec);
    }

    secp256k1_scalar_clear(&sec);
    secp256k1_scalar_clear(&term);
    return ret;
}

int secp256k1_ec_pubkey_tweak_add(const secp256k1_context_t* ctx, secp256k1_pubkey_t *pubkey, const unsigned char *tweak) {
    secp256k1_ge_t p;
    secp256k1_scalar_t term;
    int ret = 0;
    int overflow = 0;
    ARG_CHECK(ctx != NULL);
    ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
    ARG_CHECK(pubkey != NULL);
    ARG_CHECK(tweak != NULL);

    secp256k1_scalar_set_b32(&term, tweak, &overflow);
    if (!overflow && secp256k1_pubkey_load(ctx, &p, pubkey)) {
        ret = secp256k1_eckey_pubkey_tweak_add(&ctx->ecmult_ctx, &p, &term);
        if (ret) {
            secp256k1_pubkey_save(pubkey, &p);
        } else {
            memset(pubkey, 0, sizeof(*pubkey));
        }
    }

    return ret;
}

int secp256k1_ec_privkey_tweak_mul(const secp256k1_context_t* ctx, unsigned char *seckey, const unsigned char *tweak) {
    secp256k1_scalar_t factor;
    secp256k1_scalar_t sec;
    int ret = 0;
    int overflow = 0;
    ARG_CHECK(ctx != NULL);
    ARG_CHECK(seckey != NULL);
    ARG_CHECK(tweak != NULL);
    (void)ctx;

    secp256k1_scalar_set_b32(&factor, tweak, &overflow);
    secp256k1_scalar_set_b32(&sec, seckey, NULL);
    ret = secp256k1_eckey_privkey_tweak_mul(&sec, &factor) && !overflow;
    if (ret) {
        secp256k1_scalar_get_b32(seckey, &sec);
    }

    secp256k1_scalar_clear(&sec);
    secp256k1_scalar_clear(&factor);
    return ret;
}

int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context_t* ctx, secp256k1_pubkey_t *pubkey, const unsigned char *tweak) {
    secp256k1_ge_t p;
    secp256k1_scalar_t factor;
    int ret = 0;
    int overflow = 0;
    ARG_CHECK(ctx != NULL);
    ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
    ARG_CHECK(pubkey != NULL);
    ARG_CHECK(tweak != NULL);

    secp256k1_scalar_set_b32(&factor, tweak, &overflow);
    if (!overflow && secp256k1_pubkey_load(ctx, &p, pubkey)) {
        ret = secp256k1_eckey_pubkey_tweak_mul(&ctx->ecmult_ctx, &p, &factor);
        if (ret) {
            secp256k1_pubkey_save(pubkey, &p);
        } else {
            memset(pubkey, 0, sizeof(*pubkey));
        }
    }

    return ret;
}

int secp256k1_ec_privkey_export(const secp256k1_context_t* ctx, const unsigned char *seckey, unsigned char *privkey, int *privkeylen, int compressed) {
    secp256k1_scalar_t key;
    int ret = 0;
    ARG_CHECK(seckey != NULL);
    ARG_CHECK(privkey != NULL);
    ARG_CHECK(privkeylen != NULL);
    ARG_CHECK(ctx != NULL);
    ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));

    secp256k1_scalar_set_b32(&key, seckey, NULL);
    ret = secp256k1_eckey_privkey_serialize(&ctx->ecmult_gen_ctx, privkey, privkeylen, &key, compressed);
    secp256k1_scalar_clear(&key);
    return ret;
}

int secp256k1_ec_privkey_import(const secp256k1_context_t* ctx, unsigned char *seckey, const unsigned char *privkey, int privkeylen) {
    secp256k1_scalar_t key;
    int ret = 0;
    ARG_CHECK(seckey != NULL);
    ARG_CHECK(privkey != NULL);
    (void)ctx;

    ret = secp256k1_eckey_privkey_parse(&key, privkey, privkeylen);
    if (ret) {
        secp256k1_scalar_get_b32(seckey, &key);
    }
    secp256k1_scalar_clear(&key);
    return ret;
}

int secp256k1_context_randomize(secp256k1_context_t* ctx, const unsigned char *seed32) {
    ARG_CHECK(ctx != NULL);
    ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
    secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
    return 1;
}
Commit	Line	Data
	1	/**********************************************************************
	2	* Copyright (c) 2013-2015 Pieter Wuille *
	3	* Distributed under the MIT software license, see the accompanying *
	4	* file COPYING or http://www.opensource.org/licenses/mit-license.php.*
	5	**********************************************************************/
	6
	7	#define SECP256K1_BUILD (1)
	8
	9	#include "include/secp256k1.h"
	10
	11	#include "util.h"
	12	#include "num_impl.h"
	13	#include "field_impl.h"
	14	#include "scalar_impl.h"
	15	#include "group_impl.h"
	16	#include "ecmult_impl.h"
	17	#include "ecmult_const_impl.h"
	18	#include "ecmult_gen_impl.h"
	19	#include "ecdsa_impl.h"
	20	#include "eckey_impl.h"
	21	#include "hash_impl.h"
	22
	23	#define ARG_CHECK(cond) do { \
	24	if (EXPECT(!(cond), 0)) { \
	25	ctx->illegal_callback.fn(#cond, ctx->illegal_callback.data); \
	26	return 0; \
	27	} \
	28	} while(0)
	29
	30	static void default_illegal_callback_fn(const char* str, void* data) {
	31	(void)data;
	32	fprintf(stderr, "[libsecp256k1] illegal argument: %s\n", str);
	33	abort();
	34	}
	35
	36	static const callback_t default_illegal_callback = {
	37	default_illegal_callback_fn,
	38	NULL
	39	};
	40
	41	static void default_error_callback_fn(const char* str, void* data) {
	42	(void)data;
	43	fprintf(stderr, "[libsecp256k1] internal consistency check failed: %s\n", str);
	44	abort();
	45	}
	46
	47	static const callback_t default_error_callback = {
	48	default_error_callback_fn,
	49	NULL
	50	};
	51
	52
	53	struct secp256k1_context_struct {
	54	secp256k1_ecmult_context_t ecmult_ctx;
	55	secp256k1_ecmult_gen_context_t ecmult_gen_ctx;
	56	callback_t illegal_callback;
	57	callback_t error_callback;
	58	};
	59
	60	secp256k1_context_t* secp256k1_context_create(int flags) {
	61	secp256k1_context_t* ret = (secp256k1_context_t*)checked_malloc(&default_error_callback, sizeof(secp256k1_context_t));
	62	ret->illegal_callback = default_illegal_callback;
	63	ret->error_callback = default_error_callback;
	64
	65	secp256k1_ecmult_context_init(&ret->ecmult_ctx);
	66	secp256k1_ecmult_gen_context_init(&ret->ecmult_gen_ctx);
	67
	68	if (flags & SECP256K1_CONTEXT_SIGN) {
	69	secp256k1_ecmult_gen_context_build(&ret->ecmult_gen_ctx, &ret->error_callback);
	70	}
	71	if (flags & SECP256K1_CONTEXT_VERIFY) {
	72	secp256k1_ecmult_context_build(&ret->ecmult_ctx, &ret->error_callback);
	73	}
	74
	75	return ret;
	76	}
	77
	78	secp256k1_context_t* secp256k1_context_clone(const secp256k1_context_t* ctx) {
	79	secp256k1_context_t* ret = (secp256k1_context_t*)checked_malloc(&ctx->error_callback, sizeof(secp256k1_context_t));
	80	ret->illegal_callback = ctx->illegal_callback;
	81	ret->error_callback = ctx->error_callback;
	82	secp256k1_ecmult_context_clone(&ret->ecmult_ctx, &ctx->ecmult_ctx, &ctx->error_callback);
	83	secp256k1_ecmult_gen_context_clone(&ret->ecmult_gen_ctx, &ctx->ecmult_gen_ctx, &ctx->error_callback);
	84	return ret;
	85	}
	86
	87	void secp256k1_context_destroy(secp256k1_context_t* ctx) {
	88	secp256k1_ecmult_context_clear(&ctx->ecmult_ctx);
	89	secp256k1_ecmult_gen_context_clear(&ctx->ecmult_gen_ctx);
	90
	91	free(ctx);
	92	}
	93
	94	void secp256k1_context_set_illegal_callback(secp256k1_context_t* ctx, void (fun)(const char message, void* data), void* data) {
	95	ctx->illegal_callback.fn = fun;
	96	ctx->illegal_callback.data = data;
	97	}
	98
	99	void secp256k1_context_set_error_callback(secp256k1_context_t* ctx, void (fun)(const char message, void* data), void* data) {
	100	ctx->error_callback.fn = fun;
	101	ctx->error_callback.data = data;
	102	}
	103
	104	static int secp256k1_pubkey_load(const secp256k1_context_t* ctx, secp256k1_ge_t* ge, const secp256k1_pubkey_t* pubkey) {
	105	if (sizeof(secp256k1_ge_storage_t) == 64) {
	106	/* When the secp256k1_ge_storage_t type is exactly 64 byte, use its
	107	* representation inside secp256k1_pubkey_t, as conversion is very fast.
	108	* Note that secp256k1_pubkey_save must use the same representation. */
	109	secp256k1_ge_storage_t s;
	110	memcpy(&s, &pubkey->data[0], 64);
	111	secp256k1_ge_from_storage(ge, &s);
	112	} else {
	113	/* Otherwise, fall back to 32-byte big endian for X and Y. */
	114	secp256k1_fe_t x, y;
	115	secp256k1_fe_set_b32(&x, pubkey->data);
	116	secp256k1_fe_set_b32(&y, pubkey->data + 32);
	117	secp256k1_ge_set_xy(ge, &x, &y);
	118	}
	119	ARG_CHECK(!secp256k1_fe_is_zero(&ge->x));
	120	return 1;
	121	}
	122
	123	static void secp256k1_pubkey_save(secp256k1_pubkey_t* pubkey, secp256k1_ge_t* ge) {
	124	if (sizeof(secp256k1_ge_storage_t) == 64) {
	125	secp256k1_ge_storage_t s;
	126	secp256k1_ge_to_storage(&s, ge);
	127	memcpy(&pubkey->data[0], &s, 64);
	128	} else {
	129	VERIFY_CHECK(!secp256k1_ge_is_infinity(ge));
	130	secp256k1_fe_normalize_var(&ge->x);
	131	secp256k1_fe_normalize_var(&ge->y);
	132	secp256k1_fe_get_b32(pubkey->data, &ge->x);
	133	secp256k1_fe_get_b32(pubkey->data + 32, &ge->y);
	134	}
	135	}
	136
	137	int secp256k1_ec_pubkey_parse(const secp256k1_context_t* ctx, secp256k1_pubkey_t* pubkey, const unsigned char *input, int inputlen) {
	138	secp256k1_ge_t Q;
	139
	140	(void)ctx;
	141	if (!secp256k1_eckey_pubkey_parse(&Q, input, inputlen)) {
	142	memset(pubkey, 0, sizeof(*pubkey));
	143	return 0;
	144	}
	145	secp256k1_pubkey_save(pubkey, &Q);
	146	secp256k1_ge_clear(&Q);
	147	return 1;
	148	}
	149
	150	int secp256k1_ec_pubkey_serialize(const secp256k1_context_t* ctx, unsigned char output, int outputlen, const secp256k1_pubkey_t* pubkey, int compressed) {
	151	secp256k1_ge_t Q;
	152
	153	(void)ctx;
	154	return (secp256k1_pubkey_load(ctx, &Q, pubkey) &&
	155	secp256k1_eckey_pubkey_serialize(&Q, output, outputlen, compressed));
	156	}
	157
	158	static void secp256k1_ecdsa_signature_load(const secp256k1_context_t* ctx, secp256k1_scalar_t* r, secp256k1_scalar_t* s, int* recid, const secp256k1_ecdsa_signature_t* sig) {
	159	(void)ctx;
	160	if (sizeof(secp256k1_scalar_t) == 32) {
	161	/* When the secp256k1_scalar_t type is exactly 32 byte, use its
	162	* representation inside secp256k1_ecdsa_signature_t, as conversion is very fast.
	163	* Note that secp256k1_ecdsa_signature_save must use the same representation. */
	164	memcpy(r, &sig->data[0], 32);
	165	memcpy(s, &sig->data[32], 32);
	166	} else {
	167	secp256k1_scalar_set_b32(r, &sig->data[0], NULL);
	168	secp256k1_scalar_set_b32(s, &sig->data[32], NULL);
	169	}
	170	if (recid) {
	171	*recid = sig->data[64];
	172	}
	173	}
	174
	175	static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature_t* sig, const secp256k1_scalar_t* r, const secp256k1_scalar_t* s, int recid) {
	176	if (sizeof(secp256k1_scalar_t) == 32) {
	177	memcpy(&sig->data[0], r, 32);
	178	memcpy(&sig->data[32], s, 32);
	179	} else {
	180	secp256k1_scalar_get_b32(&sig->data[0], r);
	181	secp256k1_scalar_get_b32(&sig->data[32], s);
	182	}
	183	sig->data[64] = recid;
	184	}
	185
	186	int secp256k1_ecdsa_signature_parse_der(const secp256k1_context_t* ctx, secp256k1_ecdsa_signature_t* sig, const unsigned char *input, int inputlen) {
	187	secp256k1_scalar_t r, s;
	188
	189	(void)ctx;
	190	ARG_CHECK(sig != NULL);
	191	ARG_CHECK(input != NULL);
	192
	193	if (secp256k1_ecdsa_sig_parse(&r, &s, input, inputlen)) {
	194	secp256k1_ecdsa_signature_save(sig, &r, &s, -1);
	195	return 1;
	196	} else {
	197	memset(sig, 0, sizeof(*sig));
	198	return 0;
	199	}
	200	}
	201
	202	int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context_t* ctx, secp256k1_ecdsa_signature_t* sig, const unsigned char *input64, int recid) {
	203	secp256k1_scalar_t r, s;
	204	int ret = 1;
	205	int overflow = 0;
	206
	207	(void)ctx;
	208	ARG_CHECK(sig != NULL);
	209	ARG_CHECK(input64 != NULL);
	210
	211	secp256k1_scalar_set_b32(&r, &input64[0], &overflow);
	212	ret &= !overflow;
	213	secp256k1_scalar_set_b32(&s, &input64[32], &overflow);
	214	ret &= !overflow;
	215	ret &= (recid == -1 \|\| (recid >= 0 && recid < 4));
	216	if (ret) {
	217	secp256k1_ecdsa_signature_save(sig, &r, &s, recid);
	218	} else {
	219	memset(sig, 0, sizeof(*sig));
	220	}
	221	return ret;
	222	}
	223
	224	int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context_t* ctx, unsigned char output, int outputlen, const secp256k1_ecdsa_signature_t* sig) {
	225	secp256k1_scalar_t r, s;
	226
	227	(void)ctx;
	228	ARG_CHECK(output != NULL);
	229	ARG_CHECK(outputlen != NULL);
	230	ARG_CHECK(sig != NULL);
	231
	232	secp256k1_ecdsa_signature_load(ctx, &r, &s, NULL, sig);
	233	return secp256k1_ecdsa_sig_serialize(output, outputlen, &r, &s);
	234	}
	235
	236	int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context_t* ctx, unsigned char output64, int recid, const secp256k1_ecdsa_signature_t* sig) {
	237	secp256k1_scalar_t r, s;
	238	int rec;
	239
	240	(void)ctx;
	241	ARG_CHECK(output64 != NULL);
	242	ARG_CHECK(sig != NULL);
	243
	244	secp256k1_ecdsa_signature_load(ctx, &r, &s, &rec, sig);
	245	secp256k1_scalar_get_b32(&output64[0], &r);
	246	secp256k1_scalar_get_b32(&output64[32], &s);
	247	if (recid) {
	248	ARG_CHECK(rec >= 0 && rec < 4);
	249	*recid = rec;
	250	}
	251	return 1;
	252	}
	253
	254	int secp256k1_ecdsa_verify(const secp256k1_context_t* ctx, const unsigned char msg32, const secp256k1_ecdsa_signature_t sig, const secp256k1_pubkey_t *pubkey) {
	255	secp256k1_ge_t q;
	256	secp256k1_scalar_t r, s;
	257	secp256k1_scalar_t m;
	258	ARG_CHECK(ctx != NULL);
	259	ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
	260	ARG_CHECK(msg32 != NULL);
	261	ARG_CHECK(sig != NULL);
	262	ARG_CHECK(pubkey != NULL);
	263
	264	secp256k1_scalar_set_b32(&m, msg32, NULL);
	265	secp256k1_ecdsa_signature_load(ctx, &r, &s, NULL, sig);
	266	return (secp256k1_pubkey_load(ctx, &q, pubkey) &&
	267	secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &r, &s, &q, &m));
	268	}
	269
	270	static int nonce_function_rfc6979(unsigned char nonce32, const unsigned char msg32, const unsigned char key32, unsigned int counter, const void data) {
	271	unsigned char keydata[96];
	272	secp256k1_rfc6979_hmac_sha256_t rng;
	273	unsigned int i;
	274	/* We feed a byte array to the PRNG as input, consisting of:
	275	* - the private key (32 bytes) and message (32 bytes), see RFC 6979 3.2d.
	276	* - optionally 32 extra bytes of data, see RFC 6979 3.6 Additional Data.
	277	*/
	278	memcpy(keydata, key32, 32);
	279	memcpy(keydata + 32, msg32, 32);
	280	if (data != NULL) {
	281	memcpy(keydata + 64, data, 32);
	282	}
	283	secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, data != NULL ? 96 : 64);
	284	memset(keydata, 0, sizeof(keydata));
	285	for (i = 0; i <= counter; i++) {
	286	secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
	287	}
	288	secp256k1_rfc6979_hmac_sha256_finalize(&rng);
	289	return 1;
	290	}
	291
	292	const secp256k1_nonce_function_t secp256k1_nonce_function_rfc6979 = nonce_function_rfc6979;
	293	const secp256k1_nonce_function_t secp256k1_nonce_function_default = nonce_function_rfc6979;
	294
	295	int secp256k1_ecdsa_sign(const secp256k1_context_t* ctx, const unsigned char msg32, secp256k1_ecdsa_signature_t signature, const unsigned char seckey, secp256k1_nonce_function_t noncefp, const void noncedata) {
	296	secp256k1_scalar_t r, s;
	297	secp256k1_scalar_t sec, non, msg;
	298	int recid;
	299	int ret = 0;
	300	int overflow = 0;
	301	unsigned int count = 0;
	302	ARG_CHECK(ctx != NULL);
	303	ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
	304	ARG_CHECK(msg32 != NULL);
	305	ARG_CHECK(signature != NULL);
	306	ARG_CHECK(seckey != NULL);
	307	if (noncefp == NULL) {
	308	noncefp = secp256k1_nonce_function_default;
	309	}
	310
	311	secp256k1_scalar_set_b32(&sec, seckey, &overflow);
	312	/* Fail if the secret key is invalid. */
	313	if (!overflow && !secp256k1_scalar_is_zero(&sec)) {
	314	secp256k1_scalar_set_b32(&msg, msg32, NULL);
	315	while (1) {
	316	unsigned char nonce32[32];
	317	ret = noncefp(nonce32, msg32, seckey, count, noncedata);
	318	if (!ret) {
	319	break;
	320	}
	321	secp256k1_scalar_set_b32(&non, nonce32, &overflow);
	322	memset(nonce32, 0, 32);
	323	if (!secp256k1_scalar_is_zero(&non) && !overflow) {
	324	if (secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &r, &s, &sec, &msg, &non, &recid)) {
	325	break;
	326	}
	327	}
	328	count++;
	329	}
	330	secp256k1_scalar_clear(&msg);
	331	secp256k1_scalar_clear(&non);
	332	secp256k1_scalar_clear(&sec);
	333	}
	334	if (ret) {
	335	secp256k1_ecdsa_signature_save(signature, &r, &s, recid);
	336	} else {
	337	memset(signature, 0, sizeof(*signature));
	338	}
	339	return ret;
	340	}
	341
	342	int secp256k1_ecdsa_recover(const secp256k1_context_t* ctx, const unsigned char msg32, const secp256k1_ecdsa_signature_t signature, secp256k1_pubkey_t *pubkey) {
	343	secp256k1_ge_t q;
	344	secp256k1_scalar_t r, s;
	345	secp256k1_scalar_t m;
	346	int recid;
	347	ARG_CHECK(ctx != NULL);
	348	ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
	349	ARG_CHECK(msg32 != NULL);
	350	ARG_CHECK(signature != NULL);
	351	ARG_CHECK(pubkey != NULL);
	352
	353	secp256k1_ecdsa_signature_load(ctx, &r, &s, &recid, signature);
	354	ARG_CHECK(recid >= 0 && recid < 4);
	355	secp256k1_scalar_set_b32(&m, msg32, NULL);
	356	if (secp256k1_ecdsa_sig_recover(&ctx->ecmult_ctx, &r, &s, &q, &m, recid)) {
	357	secp256k1_pubkey_save(pubkey, &q);
	358	return 1;
	359	} else {
	360	memset(pubkey, 0, sizeof(*pubkey));
	361	return 0;
	362	}
	363	}
	364
	365	int secp256k1_ec_seckey_verify(const secp256k1_context_t* ctx, const unsigned char *seckey) {
	366	secp256k1_scalar_t sec;
	367	int ret;
	368	int overflow;
	369	ARG_CHECK(ctx != NULL);
	370	ARG_CHECK(seckey != NULL);
	371	(void)ctx;
	372
	373	secp256k1_scalar_set_b32(&sec, seckey, &overflow);
	374	ret = !secp256k1_scalar_is_zero(&sec) && !overflow;
	375	secp256k1_scalar_clear(&sec);
	376	return ret;
	377	}
	378
	379	int secp256k1_ec_pubkey_create(const secp256k1_context_t* ctx, secp256k1_pubkey_t pubkey, const unsigned char seckey) {
	380	secp256k1_gej_t pj;
	381	secp256k1_ge_t p;
	382	secp256k1_scalar_t sec;
	383	int overflow;
	384	int ret = 0;
	385	ARG_CHECK(ctx != NULL);
	386	ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
	387	ARG_CHECK(pubkey != NULL);
	388	ARG_CHECK(seckey != NULL);
	389
	390	secp256k1_scalar_set_b32(&sec, seckey, &overflow);
	391	ret = !overflow & !secp256k1_scalar_is_zero(&sec);
	392	secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pj, &sec);
	393	secp256k1_ge_set_gej(&p, &pj);
	394	secp256k1_pubkey_save(pubkey, &p);
	395	secp256k1_scalar_clear(&sec);
	396	if (!ret) {
	397	memset(pubkey, 0, sizeof(*pubkey));
	398	}
	399	return ret;
	400	}
	401
	402	int secp256k1_ec_privkey_tweak_add(const secp256k1_context_t* ctx, unsigned char seckey, const unsigned char tweak) {
	403	secp256k1_scalar_t term;
	404	secp256k1_scalar_t sec;
	405	int ret = 0;
	406	int overflow = 0;
	407	ARG_CHECK(ctx != NULL);
	408	ARG_CHECK(seckey != NULL);
	409	ARG_CHECK(tweak != NULL);
	410	(void)ctx;
	411
	412	secp256k1_scalar_set_b32(&term, tweak, &overflow);
	413	secp256k1_scalar_set_b32(&sec, seckey, NULL);
	414
	415	ret = secp256k1_eckey_privkey_tweak_add(&sec, &term) && !overflow;
	416	if (ret) {
	417	secp256k1_scalar_get_b32(seckey, &sec);
	418	}
	419
	420	secp256k1_scalar_clear(&sec);
	421	secp256k1_scalar_clear(&term);
	422	return ret;
	423	}
	424
	425	int secp256k1_ec_pubkey_tweak_add(const secp256k1_context_t* ctx, secp256k1_pubkey_t pubkey, const unsigned char tweak) {
	426	secp256k1_ge_t p;
	427	secp256k1_scalar_t term;
	428	int ret = 0;
	429	int overflow = 0;
	430	ARG_CHECK(ctx != NULL);
	431	ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
	432	ARG_CHECK(pubkey != NULL);
	433	ARG_CHECK(tweak != NULL);
	434
	435	secp256k1_scalar_set_b32(&term, tweak, &overflow);
	436	if (!overflow && secp256k1_pubkey_load(ctx, &p, pubkey)) {
	437	ret = secp256k1_eckey_pubkey_tweak_add(&ctx->ecmult_ctx, &p, &term);
	438	if (ret) {
	439	secp256k1_pubkey_save(pubkey, &p);
	440	} else {
	441	memset(pubkey, 0, sizeof(*pubkey));
	442	}
	443	}
	444
	445	return ret;
	446	}
	447
	448	int secp256k1_ec_privkey_tweak_mul(const secp256k1_context_t* ctx, unsigned char seckey, const unsigned char tweak) {
	449	secp256k1_scalar_t factor;
	450	secp256k1_scalar_t sec;
	451	int ret = 0;
	452	int overflow = 0;
	453	ARG_CHECK(ctx != NULL);
	454	ARG_CHECK(seckey != NULL);
	455	ARG_CHECK(tweak != NULL);
	456	(void)ctx;
	457
	458	secp256k1_scalar_set_b32(&factor, tweak, &overflow);
	459	secp256k1_scalar_set_b32(&sec, seckey, NULL);
	460	ret = secp256k1_eckey_privkey_tweak_mul(&sec, &factor) && !overflow;
	461	if (ret) {
	462	secp256k1_scalar_get_b32(seckey, &sec);
	463	}
	464
	465	secp256k1_scalar_clear(&sec);
	466	secp256k1_scalar_clear(&factor);
	467	return ret;
	468	}
	469
	470	int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context_t* ctx, secp256k1_pubkey_t pubkey, const unsigned char tweak) {
	471	secp256k1_ge_t p;
	472	secp256k1_scalar_t factor;
	473	int ret = 0;
	474	int overflow = 0;
	475	ARG_CHECK(ctx != NULL);
	476	ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
	477	ARG_CHECK(pubkey != NULL);
	478	ARG_CHECK(tweak != NULL);
	479
	480	secp256k1_scalar_set_b32(&factor, tweak, &overflow);
	481	if (!overflow && secp256k1_pubkey_load(ctx, &p, pubkey)) {
	482	ret = secp256k1_eckey_pubkey_tweak_mul(&ctx->ecmult_ctx, &p, &factor);
	483	if (ret) {
	484	secp256k1_pubkey_save(pubkey, &p);
	485	} else {
	486	memset(pubkey, 0, sizeof(*pubkey));
	487	}
	488	}
	489
	490	return ret;
	491	}
	492
	493	int secp256k1_ec_privkey_export(const secp256k1_context_t* ctx, const unsigned char seckey, unsigned char privkey, int *privkeylen, int compressed) {
	494	secp256k1_scalar_t key;
	495	int ret = 0;
	496	ARG_CHECK(seckey != NULL);
	497	ARG_CHECK(privkey != NULL);
	498	ARG_CHECK(privkeylen != NULL);
	499	ARG_CHECK(ctx != NULL);
	500	ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
	501
	502	secp256k1_scalar_set_b32(&key, seckey, NULL);
	503	ret = secp256k1_eckey_privkey_serialize(&ctx->ecmult_gen_ctx, privkey, privkeylen, &key, compressed);
	504	secp256k1_scalar_clear(&key);
	505	return ret;
	506	}
	507
	508	int secp256k1_ec_privkey_import(const secp256k1_context_t* ctx, unsigned char seckey, const unsigned char privkey, int privkeylen) {
	509	secp256k1_scalar_t key;
	510	int ret = 0;
	511	ARG_CHECK(seckey != NULL);
	512	ARG_CHECK(privkey != NULL);
	513	(void)ctx;
	514
	515	ret = secp256k1_eckey_privkey_parse(&key, privkey, privkeylen);
	516	if (ret) {
	517	secp256k1_scalar_get_b32(seckey, &key);
	518	}
	519	secp256k1_scalar_clear(&key);
	520	return ret;
	521	}
	522
	523	int secp256k1_context_randomize(secp256k1_context_t* ctx, const unsigned char *seed32) {
	524	ARG_CHECK(ctx != NULL);
	525	ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
	526	secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
	527	return 1;
	528	}