Wire Sysio Wire Sysion 1.0.0
Loading...
Searching...
No Matches
secp256k1.c
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2013-2015 Pieter Wuille *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#define SECP256K1_BUILD
8
9#include "../include/secp256k1.h"
10#include "../include/secp256k1_preallocated.h"
11
12#include "assumptions.h"
13#include "util.h"
14#include "field_impl.h"
15#include "scalar_impl.h"
16#include "group_impl.h"
17#include "ecmult_impl.h"
18#include "ecmult_const_impl.h"
19#include "ecmult_gen_impl.h"
20#include "ecdsa_impl.h"
21#include "eckey_impl.h"
22#include "hash_impl.h"
23#include "scratch_impl.h"
24#include "selftest.h"
25
26#ifdef SECP256K1_NO_BUILD
27# error "secp256k1.h processed without SECP256K1_BUILD defined while building secp256k1.c"
28#endif
29
30#if defined(VALGRIND)
31# include <valgrind/memcheck.h>
32#endif
33
34#define ARG_CHECK(cond) do { \
35 if (EXPECT(!(cond), 0)) { \
36 secp256k1_callback_call(&ctx->illegal_callback, #cond); \
37 return 0; \
38 } \
39} while(0)
40
41#define ARG_CHECK_NO_RETURN(cond) do { \
42 if (EXPECT(!(cond), 0)) { \
43 secp256k1_callback_call(&ctx->illegal_callback, #cond); \
44 } \
45} while(0)
46
53
54static const secp256k1_context secp256k1_context_no_precomp_ = {
55 { 0 },
56 { secp256k1_default_illegal_callback_fn, 0 },
57 { secp256k1_default_error_callback_fn, 0 },
58 0
59};
60const secp256k1_context *secp256k1_context_no_precomp = &secp256k1_context_no_precomp_;
61
62size_t secp256k1_context_preallocated_size(unsigned int flags) {
63 size_t ret = sizeof(secp256k1_context);
64 /* A return value of 0 is reserved as an indicator for errors when we call this function internally. */
65 VERIFY_CHECK(ret != 0);
66
67 if (EXPECT((flags & SECP256K1_FLAGS_TYPE_MASK) != SECP256K1_FLAGS_TYPE_CONTEXT, 0)) {
68 secp256k1_callback_call(&default_illegal_callback,
69 "Invalid flags");
70 return 0;
71 }
72
73 return ret;
74}
75
76size_t secp256k1_context_preallocated_clone_size(const secp256k1_context* ctx) {
77 size_t ret = sizeof(secp256k1_context);
78 VERIFY_CHECK(ctx != NULL);
79 return ret;
80}
81
82secp256k1_context* secp256k1_context_preallocated_create(void* prealloc, unsigned int flags) {
83 size_t prealloc_size;
84 secp256k1_context* ret;
85
86 if (!secp256k1_selftest()) {
87 secp256k1_callback_call(&default_error_callback, "self test failed");
88 }
89
90 prealloc_size = secp256k1_context_preallocated_size(flags);
91 if (prealloc_size == 0) {
92 return NULL;
93 }
94 VERIFY_CHECK(prealloc != NULL);
95 ret = (secp256k1_context*)prealloc;
96 ret->illegal_callback = default_illegal_callback;
97 ret->error_callback = default_error_callback;
98
99 /* Flags have been checked by secp256k1_context_preallocated_size. */
100 VERIFY_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_CONTEXT);
101 secp256k1_ecmult_gen_context_build(&ret->ecmult_gen_ctx);
102 ret->declassify = !!(flags & SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY);
103
104 return ret;
105}
106
107secp256k1_context* secp256k1_context_create(unsigned int flags) {
108 size_t const prealloc_size = secp256k1_context_preallocated_size(flags);
109 secp256k1_context* ctx = (secp256k1_context*)checked_malloc(&default_error_callback, prealloc_size);
110 if (EXPECT(secp256k1_context_preallocated_create(ctx, flags) == NULL, 0)) {
111 free(ctx);
112 return NULL;
113 }
114
115 return ctx;
116}
117
118secp256k1_context* secp256k1_context_preallocated_clone(const secp256k1_context* ctx, void* prealloc) {
119 secp256k1_context* ret;
120 VERIFY_CHECK(ctx != NULL);
121 ARG_CHECK(prealloc != NULL);
122
123 ret = (secp256k1_context*)prealloc;
124 *ret = *ctx;
125 return ret;
126}
127
128secp256k1_context* secp256k1_context_clone(const secp256k1_context* ctx) {
129 secp256k1_context* ret;
130 size_t prealloc_size;
131
132 VERIFY_CHECK(ctx != NULL);
133 prealloc_size = secp256k1_context_preallocated_clone_size(ctx);
134 ret = (secp256k1_context*)checked_malloc(&ctx->error_callback, prealloc_size);
135 ret = secp256k1_context_preallocated_clone(ctx, ret);
136 return ret;
137}
138
139void secp256k1_context_preallocated_destroy(secp256k1_context* ctx) {
140 ARG_CHECK_NO_RETURN(ctx != secp256k1_context_no_precomp);
141 if (ctx != NULL) {
142 secp256k1_ecmult_gen_context_clear(&ctx->ecmult_gen_ctx);
143 }
144}
145
146void secp256k1_context_destroy(secp256k1_context* ctx) {
147 if (ctx != NULL) {
148 secp256k1_context_preallocated_destroy(ctx);
149 free(ctx);
150 }
151}
152
153void secp256k1_context_set_illegal_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
154 ARG_CHECK_NO_RETURN(ctx != secp256k1_context_no_precomp);
155 if (fun == NULL) {
156 fun = secp256k1_default_illegal_callback_fn;
157 }
158 ctx->illegal_callback.fn = fun;
159 ctx->illegal_callback.data = data;
160}
161
162void secp256k1_context_set_error_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
163 ARG_CHECK_NO_RETURN(ctx != secp256k1_context_no_precomp);
164 if (fun == NULL) {
165 fun = secp256k1_default_error_callback_fn;
166 }
167 ctx->error_callback.fn = fun;
168 ctx->error_callback.data = data;
169}
170
171secp256k1_scratch_space* secp256k1_scratch_space_create(const secp256k1_context* ctx, size_t max_size) {
172 VERIFY_CHECK(ctx != NULL);
173 return secp256k1_scratch_create(&ctx->error_callback, max_size);
174}
175
176void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space* scratch) {
177 VERIFY_CHECK(ctx != NULL);
178 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
179}
180
181/* Mark memory as no-longer-secret for the purpose of analysing constant-time behaviour
182 * of the software. This is setup for use with valgrind but could be substituted with
183 * the appropriate instrumentation for other analysis tools.
184 */
185static SECP256K1_INLINE void secp256k1_declassify(const secp256k1_context* ctx, const void *p, size_t len) {
186#if defined(VALGRIND)
187 if (EXPECT(ctx->declassify,0)) VALGRIND_MAKE_MEM_DEFINED(p, len);
188#else
189 (void)ctx;
190 (void)p;
191 (void)len;
192#endif
193}
194
195static int secp256k1_pubkey_load(const secp256k1_context* ctx, secp256k1_ge* ge, const secp256k1_pubkey* pubkey) {
196 if (sizeof(secp256k1_ge_storage) == 64) {
197 /* When the secp256k1_ge_storage type is exactly 64 byte, use its
198 * representation inside secp256k1_pubkey, as conversion is very fast.
199 * Note that secp256k1_pubkey_save must use the same representation. */
200 secp256k1_ge_storage s;
201 memcpy(&s, &pubkey->data[0], sizeof(s));
202 secp256k1_ge_from_storage(ge, &s);
203 } else {
204 /* Otherwise, fall back to 32-byte big endian for X and Y. */
205 secp256k1_fe x, y;
206 secp256k1_fe_set_b32(&x, pubkey->data);
207 secp256k1_fe_set_b32(&y, pubkey->data + 32);
208 secp256k1_ge_set_xy(ge, &x, &y);
209 }
210 ARG_CHECK(!secp256k1_fe_is_zero(&ge->x));
211 return 1;
212}
213
214static void secp256k1_pubkey_save(secp256k1_pubkey* pubkey, secp256k1_ge* ge) {
215 if (sizeof(secp256k1_ge_storage) == 64) {
216 secp256k1_ge_storage s;
217 secp256k1_ge_to_storage(&s, ge);
218 memcpy(&pubkey->data[0], &s, sizeof(s));
219 } else {
220 VERIFY_CHECK(!secp256k1_ge_is_infinity(ge));
221 secp256k1_fe_normalize_var(&ge->x);
222 secp256k1_fe_normalize_var(&ge->y);
223 secp256k1_fe_get_b32(pubkey->data, &ge->x);
224 secp256k1_fe_get_b32(pubkey->data + 32, &ge->y);
225 }
226}
227
228int secp256k1_ec_pubkey_parse(const secp256k1_context* ctx, secp256k1_pubkey* pubkey, const unsigned char *input, size_t inputlen) {
229 secp256k1_ge Q;
230
231 VERIFY_CHECK(ctx != NULL);
232 ARG_CHECK(pubkey != NULL);
233 memset(pubkey, 0, sizeof(*pubkey));
234 ARG_CHECK(input != NULL);
235 if (!secp256k1_eckey_pubkey_parse(&Q, input, inputlen)) {
236 return 0;
237 }
238 if (!secp256k1_ge_is_in_correct_subgroup(&Q)) {
239 return 0;
240 }
241 secp256k1_pubkey_save(pubkey, &Q);
242 secp256k1_ge_clear(&Q);
243 return 1;
244}
245
246int secp256k1_ec_pubkey_serialize(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey* pubkey, unsigned int flags) {
247 secp256k1_ge Q;
248 size_t len;
249 int ret = 0;
250
251 VERIFY_CHECK(ctx != NULL);
252 ARG_CHECK(outputlen != NULL);
253 ARG_CHECK(*outputlen >= ((flags & SECP256K1_FLAGS_BIT_COMPRESSION) ? 33u : 65u));
254 len = *outputlen;
255 *outputlen = 0;
256 ARG_CHECK(output != NULL);
257 memset(output, 0, len);
258 ARG_CHECK(pubkey != NULL);
259 ARG_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_COMPRESSION);
260 if (secp256k1_pubkey_load(ctx, &Q, pubkey)) {
261 ret = secp256k1_eckey_pubkey_serialize(&Q, output, &len, flags & SECP256K1_FLAGS_BIT_COMPRESSION);
262 if (ret) {
263 *outputlen = len;
264 }
265 }
266 return ret;
267}
268
269int secp256k1_ec_pubkey_cmp(const secp256k1_context* ctx, const secp256k1_pubkey* pubkey0, const secp256k1_pubkey* pubkey1) {
270 unsigned char out[2][33];
271 const secp256k1_pubkey* pk[2];
272 int i;
273
274 VERIFY_CHECK(ctx != NULL);
275 pk[0] = pubkey0; pk[1] = pubkey1;
276 for (i = 0; i < 2; i++) {
277 size_t out_size = sizeof(out[i]);
278 /* If the public key is NULL or invalid, ec_pubkey_serialize will call
279 * the illegal_callback and return 0. In that case we will serialize the
280 * key as all zeros which is less than any valid public key. This
281 * results in consistent comparisons even if NULL or invalid pubkeys are
282 * involved and prevents edge cases such as sorting algorithms that use
283 * this function and do not terminate as a result. */
284 if (!secp256k1_ec_pubkey_serialize(ctx, out[i], &out_size, pk[i], SECP256K1_EC_COMPRESSED)) {
285 /* Note that ec_pubkey_serialize should already set the output to
286 * zero in that case, but it's not guaranteed by the API, we can't
287 * test it and writing a VERIFY_CHECK is more complex than
288 * explicitly memsetting (again). */
289 memset(out[i], 0, sizeof(out[i]));
290 }
291 }
292 return secp256k1_memcmp_var(out[0], out[1], sizeof(out[0]));
293}
294
295static void secp256k1_ecdsa_signature_load(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, const secp256k1_ecdsa_signature* sig) {
296 (void)ctx;
297 if (sizeof(secp256k1_scalar) == 32) {
298 /* When the secp256k1_scalar type is exactly 32 byte, use its
299 * representation inside secp256k1_ecdsa_signature, as conversion is very fast.
300 * Note that secp256k1_ecdsa_signature_save must use the same representation. */
301 memcpy(r, &sig->data[0], 32);
302 memcpy(s, &sig->data[32], 32);
303 } else {
304 secp256k1_scalar_set_b32(r, &sig->data[0], NULL);
305 secp256k1_scalar_set_b32(s, &sig->data[32], NULL);
306 }
307}
308
309static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature* sig, const secp256k1_scalar* r, const secp256k1_scalar* s) {
310 if (sizeof(secp256k1_scalar) == 32) {
311 memcpy(&sig->data[0], r, 32);
312 memcpy(&sig->data[32], s, 32);
313 } else {
314 secp256k1_scalar_get_b32(&sig->data[0], r);
315 secp256k1_scalar_get_b32(&sig->data[32], s);
316 }
317}
318
319int secp256k1_ecdsa_signature_parse_der(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) {
320 secp256k1_scalar r, s;
321
322 VERIFY_CHECK(ctx != NULL);
323 ARG_CHECK(sig != NULL);
324 ARG_CHECK(input != NULL);
325
326 if (secp256k1_ecdsa_sig_parse(&r, &s, input, inputlen)) {
327 secp256k1_ecdsa_signature_save(sig, &r, &s);
328 return 1;
329 } else {
330 memset(sig, 0, sizeof(*sig));
331 return 0;
332 }
333}
334
335int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input64) {
336 secp256k1_scalar r, s;
337 int ret = 1;
338 int overflow = 0;
339
340 VERIFY_CHECK(ctx != NULL);
341 ARG_CHECK(sig != NULL);
342 ARG_CHECK(input64 != NULL);
343
344 secp256k1_scalar_set_b32(&r, &input64[0], &overflow);
345 ret &= !overflow;
346 secp256k1_scalar_set_b32(&s, &input64[32], &overflow);
347 ret &= !overflow;
348 if (ret) {
349 secp256k1_ecdsa_signature_save(sig, &r, &s);
350 } else {
351 memset(sig, 0, sizeof(*sig));
352 }
353 return ret;
354}
355
356int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature* sig) {
357 secp256k1_scalar r, s;
358
359 VERIFY_CHECK(ctx != NULL);
360 ARG_CHECK(output != NULL);
361 ARG_CHECK(outputlen != NULL);
362 ARG_CHECK(sig != NULL);
363
364 secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
365 return secp256k1_ecdsa_sig_serialize(output, outputlen, &r, &s);
366}
367
368int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context* ctx, unsigned char *output64, const secp256k1_ecdsa_signature* sig) {
369 secp256k1_scalar r, s;
370
371 VERIFY_CHECK(ctx != NULL);
372 ARG_CHECK(output64 != NULL);
373 ARG_CHECK(sig != NULL);
374
375 secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
376 secp256k1_scalar_get_b32(&output64[0], &r);
377 secp256k1_scalar_get_b32(&output64[32], &s);
378 return 1;
379}
380
381int secp256k1_ecdsa_signature_normalize(const secp256k1_context* ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) {
382 secp256k1_scalar r, s;
383 int ret = 0;
384
385 VERIFY_CHECK(ctx != NULL);
386 ARG_CHECK(sigin != NULL);
387
388 secp256k1_ecdsa_signature_load(ctx, &r, &s, sigin);
389 ret = secp256k1_scalar_is_high(&s);
390 if (sigout != NULL) {
391 if (ret) {
392 secp256k1_scalar_negate(&s, &s);
393 }
394 secp256k1_ecdsa_signature_save(sigout, &r, &s);
395 }
396
397 return ret;
398}
399
400int secp256k1_ecdsa_verify(const secp256k1_context* ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) {
401 secp256k1_ge q;
402 secp256k1_scalar r, s;
403 secp256k1_scalar m;
404 VERIFY_CHECK(ctx != NULL);
405 ARG_CHECK(msghash32 != NULL);
406 ARG_CHECK(sig != NULL);
407 ARG_CHECK(pubkey != NULL);
408
409 secp256k1_scalar_set_b32(&m, msghash32, NULL);
410 secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
411 return (!secp256k1_scalar_is_high(&s) &&
412 secp256k1_pubkey_load(ctx, &q, pubkey) &&
413 secp256k1_ecdsa_sig_verify(&r, &s, &q, &m));
414}
415
416static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *offset, const void *data, unsigned int len) {
417 memcpy(buf + *offset, data, len);
418 *offset += len;
419}
420
421static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
422 unsigned char keydata[112];
423 unsigned int offset = 0;
424 secp256k1_rfc6979_hmac_sha256 rng;
425 unsigned int i;
426 secp256k1_scalar msg;
427 unsigned char msgmod32[32];
428 secp256k1_scalar_set_b32(&msg, msg32, NULL);
429 secp256k1_scalar_get_b32(msgmod32, &msg);
430 /* We feed a byte array to the PRNG as input, consisting of:
431 * - the private key (32 bytes) and reduced message (32 bytes), see RFC 6979 3.2d.
432 * - optionally 32 extra bytes of data, see RFC 6979 3.6 Additional Data.
433 * - optionally 16 extra bytes with the algorithm name.
434 * Because the arguments have distinct fixed lengths it is not possible for
435 * different argument mixtures to emulate each other and result in the same
436 * nonces.
437 */
438 buffer_append(keydata, &offset, key32, 32);
439 buffer_append(keydata, &offset, msgmod32, 32);
440 if (data != NULL) {
441 buffer_append(keydata, &offset, data, 32);
442 }
443 if (algo16 != NULL) {
444 buffer_append(keydata, &offset, algo16, 16);
445 }
446 secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, offset);
447 memset(keydata, 0, sizeof(keydata));
448 for (i = 0; i <= counter; i++) {
449 secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
450 }
451 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
452 return 1;
453}
454
455const secp256k1_nonce_function secp256k1_nonce_function_rfc6979 = nonce_function_rfc6979;
456const secp256k1_nonce_function secp256k1_nonce_function_default = nonce_function_rfc6979;
457
458static int secp256k1_ecdsa_sign_inner(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, int* recid, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
459 secp256k1_scalar sec, non, msg;
460 int ret = 0;
461 int is_sec_valid;
462 unsigned char nonce32[32];
463 unsigned int count = 0;
464 /* Default initialization here is important so we won't pass uninit values to the cmov in the end */
465 *r = secp256k1_scalar_zero;
466 *s = secp256k1_scalar_zero;
467 if (recid) {
468 *recid = 0;
469 }
470 if (noncefp == NULL) {
471 noncefp = secp256k1_nonce_function_default;
472 }
473
474 /* Fail if the secret key is invalid. */
475 is_sec_valid = secp256k1_scalar_set_b32_seckey(&sec, seckey);
476 secp256k1_scalar_cmov(&sec, &secp256k1_scalar_one, !is_sec_valid);
477 secp256k1_scalar_set_b32(&msg, msg32, NULL);
478 while (1) {
479 int is_nonce_valid;
480 ret = !!noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count);
481 if (!ret) {
482 break;
483 }
484 is_nonce_valid = secp256k1_scalar_set_b32_seckey(&non, nonce32);
485 /* The nonce is still secret here, but it being invalid is is less likely than 1:2^255. */
486 secp256k1_declassify(ctx, &is_nonce_valid, sizeof(is_nonce_valid));
487 if (is_nonce_valid) {
488 ret = secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, r, s, &sec, &msg, &non, recid);
489 /* The final signature is no longer a secret, nor is the fact that we were successful or not. */
490 secp256k1_declassify(ctx, &ret, sizeof(ret));
491 if (ret) {
492 break;
493 }
494 }
495 count++;
496 }
497 /* We don't want to declassify is_sec_valid and therefore the range of
498 * seckey. As a result is_sec_valid is included in ret only after ret was
499 * used as a branching variable. */
500 ret &= is_sec_valid;
501 memset(nonce32, 0, 32);
502 secp256k1_scalar_clear(&msg);
503 secp256k1_scalar_clear(&non);
504 secp256k1_scalar_clear(&sec);
505 secp256k1_scalar_cmov(r, &secp256k1_scalar_zero, !ret);
506 secp256k1_scalar_cmov(s, &secp256k1_scalar_zero, !ret);
507 if (recid) {
508 const int zero = 0;
509 secp256k1_int_cmov(recid, &zero, !ret);
510 }
511 return ret;
512}
513
514int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
515 secp256k1_scalar r, s;
516 int ret;
517 VERIFY_CHECK(ctx != NULL);
518 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
519 ARG_CHECK(msghash32 != NULL);
520 ARG_CHECK(signature != NULL);
521 ARG_CHECK(seckey != NULL);
522
523 ret = secp256k1_ecdsa_sign_inner(ctx, &r, &s, NULL, msghash32, seckey, noncefp, noncedata);
524 secp256k1_ecdsa_signature_save(signature, &r, &s);
525 return ret;
526}
527
528int secp256k1_ec_seckey_verify(const secp256k1_context* ctx, const unsigned char *seckey) {
529 secp256k1_scalar sec;
530 int ret;
531 VERIFY_CHECK(ctx != NULL);
532 ARG_CHECK(seckey != NULL);
533
534 ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
535 secp256k1_scalar_clear(&sec);
536 return ret;
537}
538
539static int secp256k1_ec_pubkey_create_helper(const secp256k1_ecmult_gen_context *ecmult_gen_ctx, secp256k1_scalar *seckey_scalar, secp256k1_ge *p, const unsigned char *seckey) {
540 secp256k1_gej pj;
541 int ret;
542
543 ret = secp256k1_scalar_set_b32_seckey(seckey_scalar, seckey);
544 secp256k1_scalar_cmov(seckey_scalar, &secp256k1_scalar_one, !ret);
545
546 secp256k1_ecmult_gen(ecmult_gen_ctx, &pj, seckey_scalar);
547 secp256k1_ge_set_gej(p, &pj);
548 return ret;
549}
550
551int secp256k1_ec_pubkey_create(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) {
552 secp256k1_ge p;
553 secp256k1_scalar seckey_scalar;
554 int ret = 0;
555 VERIFY_CHECK(ctx != NULL);
556 ARG_CHECK(pubkey != NULL);
557 memset(pubkey, 0, sizeof(*pubkey));
558 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
559 ARG_CHECK(seckey != NULL);
560
561 ret = secp256k1_ec_pubkey_create_helper(&ctx->ecmult_gen_ctx, &seckey_scalar, &p, seckey);
562 secp256k1_pubkey_save(pubkey, &p);
563 secp256k1_memczero(pubkey, sizeof(*pubkey), !ret);
564
565 secp256k1_scalar_clear(&seckey_scalar);
566 return ret;
567}
568
569int secp256k1_ec_seckey_negate(const secp256k1_context* ctx, unsigned char *seckey) {
570 secp256k1_scalar sec;
571 int ret = 0;
572 VERIFY_CHECK(ctx != NULL);
573 ARG_CHECK(seckey != NULL);
574
575 ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
576 secp256k1_scalar_cmov(&sec, &secp256k1_scalar_zero, !ret);
577 secp256k1_scalar_negate(&sec, &sec);
578 secp256k1_scalar_get_b32(seckey, &sec);
579
580 secp256k1_scalar_clear(&sec);
581 return ret;
582}
583
584int secp256k1_ec_privkey_negate(const secp256k1_context* ctx, unsigned char *seckey) {
585 return secp256k1_ec_seckey_negate(ctx, seckey);
586}
587
588int secp256k1_ec_pubkey_negate(const secp256k1_context* ctx, secp256k1_pubkey *pubkey) {
589 int ret = 0;
590 secp256k1_ge p;
591 VERIFY_CHECK(ctx != NULL);
592 ARG_CHECK(pubkey != NULL);
593
594 ret = secp256k1_pubkey_load(ctx, &p, pubkey);
595 memset(pubkey, 0, sizeof(*pubkey));
596 if (ret) {
597 secp256k1_ge_neg(&p, &p);
598 secp256k1_pubkey_save(pubkey, &p);
599 }
600 return ret;
601}
602
603
604static int secp256k1_ec_seckey_tweak_add_helper(secp256k1_scalar *sec, const unsigned char *tweak32) {
605 secp256k1_scalar term;
606 int overflow = 0;
607 int ret = 0;
608
609 secp256k1_scalar_set_b32(&term, tweak32, &overflow);
610 ret = (!overflow) & secp256k1_eckey_privkey_tweak_add(sec, &term);
611 secp256k1_scalar_clear(&term);
612 return ret;
613}
614
615int secp256k1_ec_seckey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
616 secp256k1_scalar sec;
617 int ret = 0;
618 VERIFY_CHECK(ctx != NULL);
619 ARG_CHECK(seckey != NULL);
620 ARG_CHECK(tweak32 != NULL);
621
622 ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
623 ret &= secp256k1_ec_seckey_tweak_add_helper(&sec, tweak32);
624 secp256k1_scalar_cmov(&sec, &secp256k1_scalar_zero, !ret);
625 secp256k1_scalar_get_b32(seckey, &sec);
626
627 secp256k1_scalar_clear(&sec);
628 return ret;
629}
630
631int secp256k1_ec_privkey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
632 return secp256k1_ec_seckey_tweak_add(ctx, seckey, tweak32);
633}
634
635static int secp256k1_ec_pubkey_tweak_add_helper(secp256k1_ge *p, const unsigned char *tweak32) {
636 secp256k1_scalar term;
637 int overflow = 0;
638 secp256k1_scalar_set_b32(&term, tweak32, &overflow);
639 return !overflow && secp256k1_eckey_pubkey_tweak_add(p, &term);
640}
641
642int secp256k1_ec_pubkey_tweak_add(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) {
643 secp256k1_ge p;
644 int ret = 0;
645 VERIFY_CHECK(ctx != NULL);
646 ARG_CHECK(pubkey != NULL);
647 ARG_CHECK(tweak32 != NULL);
648
649 ret = secp256k1_pubkey_load(ctx, &p, pubkey);
650 memset(pubkey, 0, sizeof(*pubkey));
651 ret = ret && secp256k1_ec_pubkey_tweak_add_helper(&p, tweak32);
652 if (ret) {
653 secp256k1_pubkey_save(pubkey, &p);
654 }
655
656 return ret;
657}
658
659int secp256k1_ec_seckey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
660 secp256k1_scalar factor;
661 secp256k1_scalar sec;
662 int ret = 0;
663 int overflow = 0;
664 VERIFY_CHECK(ctx != NULL);
665 ARG_CHECK(seckey != NULL);
666 ARG_CHECK(tweak32 != NULL);
667
668 secp256k1_scalar_set_b32(&factor, tweak32, &overflow);
669 ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
670 ret &= (!overflow) & secp256k1_eckey_privkey_tweak_mul(&sec, &factor);
671 secp256k1_scalar_cmov(&sec, &secp256k1_scalar_zero, !ret);
672 secp256k1_scalar_get_b32(seckey, &sec);
673
674 secp256k1_scalar_clear(&sec);
675 secp256k1_scalar_clear(&factor);
676 return ret;
677}
678
679int secp256k1_ec_privkey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
680 return secp256k1_ec_seckey_tweak_mul(ctx, seckey, tweak32);
681}
682
683int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) {
684 secp256k1_ge p;
685 secp256k1_scalar factor;
686 int ret = 0;
687 int overflow = 0;
688 VERIFY_CHECK(ctx != NULL);
689 ARG_CHECK(pubkey != NULL);
690 ARG_CHECK(tweak32 != NULL);
691
692 secp256k1_scalar_set_b32(&factor, tweak32, &overflow);
693 ret = !overflow && secp256k1_pubkey_load(ctx, &p, pubkey);
694 memset(pubkey, 0, sizeof(*pubkey));
695 if (ret) {
696 if (secp256k1_eckey_pubkey_tweak_mul(&p, &factor)) {
697 secp256k1_pubkey_save(pubkey, &p);
698 } else {
699 ret = 0;
700 }
701 }
702
703 return ret;
704}
705
706int secp256k1_context_randomize(secp256k1_context* ctx, const unsigned char *seed32) {
707 VERIFY_CHECK(ctx != NULL);
708 if (secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)) {
709 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
710 }
711 return 1;
712}
713
714int secp256k1_ec_pubkey_combine(const secp256k1_context* ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey * const *pubnonces, size_t n) {
715 size_t i;
716 secp256k1_gej Qj;
717 secp256k1_ge Q;
718
719 VERIFY_CHECK(ctx != NULL);
720 ARG_CHECK(pubnonce != NULL);
721 memset(pubnonce, 0, sizeof(*pubnonce));
722 ARG_CHECK(n >= 1);
723 ARG_CHECK(pubnonces != NULL);
724
725 secp256k1_gej_set_infinity(&Qj);
726
727 for (i = 0; i < n; i++) {
728 ARG_CHECK(pubnonces[i] != NULL);
729 secp256k1_pubkey_load(ctx, &Q, pubnonces[i]);
730 secp256k1_gej_add_ge(&Qj, &Qj, &Q);
731 }
732 if (secp256k1_gej_is_infinity(&Qj)) {
733 return 0;
734 }
735 secp256k1_ge_set_gej(&Q, &Qj);
736 secp256k1_pubkey_save(pubnonce, &Q);
737 return 1;
738}
739
740int secp256k1_tagged_sha256(const secp256k1_context* ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen) {
741 secp256k1_sha256 sha;
742 VERIFY_CHECK(ctx != NULL);
743 ARG_CHECK(hash32 != NULL);
744 ARG_CHECK(tag != NULL);
745 ARG_CHECK(msg != NULL);
746
747 secp256k1_sha256_initialize_tagged(&sha, tag, taglen);
748 secp256k1_sha256_write(&sha, msg, msglen);
749 secp256k1_sha256_finalize(&sha, hash32);
750 return 1;
751}
752
753#ifdef ENABLE_MODULE_ECDH
754# include "modules/ecdh/main_impl.h"
755#endif
756
757#ifdef ENABLE_MODULE_RECOVERY
758# include "modules/recovery/main_impl.h"
759#endif
760
761#ifdef ENABLE_MODULE_EXTRAKEYS
762# include "modules/extrakeys/main_impl.h"
763#endif
764
765#ifdef ENABLE_MODULE_SCHNORRSIG
766# include "modules/schnorrsig/main_impl.h"
767#endif
p
const mie::Vuint & p
Definition bn.cpp:27
r
const mie::Vuint & r
Definition bn.cpp:28
main_impl.h
ecdsa_impl.h
eckey_impl.h
ecmult_const_impl.h
ecmult_gen_impl.h
ecmult_impl.h
main_impl.h
EXPECT
#define EXPECT(x, c)
Definition util.h:70
VERIFY_CHECK
#define VERIFY_CHECK(cond)
Definition util.h:95
field_impl.h
count
int * count
Definition gmock_stress_test.cc:177
group_impl.h
hash_impl.h
Catch::rng
std::mt19937 & rng()
Definition catch_random_number_generator.cpp:14
fc::y
uint64_t y
Definition sha3.cpp:34
main_impl.h
scalar_impl.h
main_impl.h
scratch_impl.h
secp256k1_ec_privkey_tweak_add
int secp256k1_ec_privkey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Definition secp256k1.c:631
secp256k1_ec_privkey_negate
int secp256k1_ec_privkey_negate(const secp256k1_context *ctx, unsigned char *seckey)
Definition secp256k1.c:584
secp256k1_nonce_function_default
const secp256k1_nonce_function secp256k1_nonce_function_default
Definition secp256k1.c:456
secp256k1_context_preallocated_clone
secp256k1_context * secp256k1_context_preallocated_clone(const secp256k1_context *ctx, void *prealloc)
Definition secp256k1.c:118
secp256k1_nonce_function_rfc6979
const secp256k1_nonce_function secp256k1_nonce_function_rfc6979
Definition secp256k1.c:455
secp256k1_tagged_sha256
int secp256k1_tagged_sha256(const secp256k1_context *ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen)
Definition secp256k1.c:740
secp256k1_ec_pubkey_tweak_add
int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32)
Definition secp256k1.c:642
secp256k1_ec_pubkey_serialize
int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags)
Definition secp256k1.c:246
secp256k1_ecdsa_signature_serialize_der
int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig)
Definition secp256k1.c:356
secp256k1_ec_seckey_tweak_mul
int secp256k1_ec_seckey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Definition secp256k1.c:659
secp256k1_ec_pubkey_parse
int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen)
Definition secp256k1.c:228
secp256k1_context_preallocated_clone_size
size_t secp256k1_context_preallocated_clone_size(const secp256k1_context *ctx)
Definition secp256k1.c:76
secp256k1_ec_seckey_verify
int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey)
Definition secp256k1.c:528
secp256k1_context_no_precomp
const secp256k1_context * secp256k1_context_no_precomp
Definition secp256k1.c:60
secp256k1_ec_seckey_tweak_add
int secp256k1_ec_seckey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Definition secp256k1.c:615
secp256k1_context_preallocated_destroy
void secp256k1_context_preallocated_destroy(secp256k1_context *ctx)
Definition secp256k1.c:139
ARG_CHECK
#define ARG_CHECK(cond)
Definition secp256k1.c:34
secp256k1_ecdsa_signature_normalize
int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin)
Definition secp256k1.c:381
secp256k1_context_set_error_callback
void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data)
Definition secp256k1.c:162
secp256k1_ecdsa_signature_parse_der
int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen)
Definition secp256k1.c:319
secp256k1_context_create
secp256k1_context * secp256k1_context_create(unsigned int flags)
Definition secp256k1.c:107
secp256k1_ec_seckey_negate
int secp256k1_ec_seckey_negate(const secp256k1_context *ctx, unsigned char *seckey)
Definition secp256k1.c:569
secp256k1_ec_pubkey_cmp
int secp256k1_ec_pubkey_cmp(const secp256k1_context *ctx, const secp256k1_pubkey *pubkey0, const secp256k1_pubkey *pubkey1)
Definition secp256k1.c:269
secp256k1_ec_pubkey_combine
int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey *const *pubnonces, size_t n)
Definition secp256k1.c:714
secp256k1_ecdsa_signature_parse_compact
int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64)
Definition secp256k1.c:335
secp256k1_context_set_illegal_callback
void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data)
Definition secp256k1.c:153
secp256k1_context_preallocated_size
size_t secp256k1_context_preallocated_size(unsigned int flags)
Definition secp256k1.c:62
ARG_CHECK_NO_RETURN
#define ARG_CHECK_NO_RETURN(cond)
Definition secp256k1.c:41
secp256k1_context_randomize
int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32)
Definition secp256k1.c:706
secp256k1_scratch_space_create
secp256k1_scratch_space * secp256k1_scratch_space_create(const secp256k1_context *ctx, size_t max_size)
Definition secp256k1.c:171
secp256k1_ecdsa_verify
int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey)
Definition secp256k1.c:400
secp256k1_ecdsa_signature_serialize_compact
int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig)
Definition secp256k1.c:368
secp256k1_ec_pubkey_create
int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey)
Definition secp256k1.c:551
secp256k1_context_destroy
void secp256k1_context_destroy(secp256k1_context *ctx)
Definition secp256k1.c:146
secp256k1_context_clone
secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx)
Definition secp256k1.c:128
secp256k1_scratch_space_destroy
void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space *scratch)
Definition secp256k1.c:176
secp256k1_ec_pubkey_tweak_mul
int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32)
Definition secp256k1.c:683
secp256k1_context_preallocated_create
secp256k1_context * secp256k1_context_preallocated_create(void *prealloc, unsigned int flags)
Definition secp256k1.c:82
secp256k1_ecdsa_sign
int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *noncedata)
Definition secp256k1.c:514
secp256k1_ec_pubkey_negate
int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey)
Definition secp256k1.c:588
secp256k1_ec_privkey_tweak_mul
int secp256k1_ec_privkey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Definition secp256k1.c:679
secp256k1_context
struct secp256k1_context_struct secp256k1_context
Definition secp256k1.h:46
SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY
#define SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY
Definition secp256k1.h:190
secp256k1_nonce_function
int(* secp256k1_nonce_function)(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int attempt)
Definition secp256k1.h:103
SECP256K1_EC_COMPRESSED
#define SECP256K1_EC_COMPRESSED
Definition secp256k1.h:201
SECP256K1_INLINE
#define SECP256K1_INLINE
Definition secp256k1.h:127
SECP256K1_FLAGS_TYPE_MASK
#define SECP256K1_FLAGS_TYPE_MASK
Definition secp256k1.h:184
SECP256K1_FLAGS_BIT_COMPRESSION
#define SECP256K1_FLAGS_BIT_COMPRESSION
Definition secp256k1.h:191
SECP256K1_FLAGS_TYPE_CONTEXT
#define SECP256K1_FLAGS_TYPE_CONTEXT
Definition secp256k1.h:185
SECP256K1_FLAGS_TYPE_COMPRESSION
#define SECP256K1_FLAGS_TYPE_COMPRESSION
Definition secp256k1.h:186
secp256k1_preallocated.h
secp256k1_callback
Definition util.h:19
secp256k1_callback::fn
void(* fn)(const char *text, void *data)
Definition util.h:20
secp256k1_callback::data
const void * data
Definition util.h:21
secp256k1_context_struct
Definition secp256k1.c:47
secp256k1_context_struct::illegal_callback
secp256k1_callback illegal_callback
Definition secp256k1.c:49
secp256k1_context_struct::declassify
int declassify
Definition secp256k1.c:51
secp256k1_context_struct::error_callback
secp256k1_callback error_callback
Definition secp256k1.c:50
secp256k1_context_struct::ecmult_gen_ctx
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition secp256k1.c:48
secp256k1_ecdsa_signature
Definition secp256k1.h:83
secp256k1_ecdsa_signature::data
unsigned char data[64]
Definition secp256k1.h:84
secp256k1_ecmult_gen_context
Definition ecmult_gen.h:19
secp256k1_fe
Definition field_10x26.h:12
secp256k1_ge_storage
Definition group.h:38
secp256k1_ge
Definition group.h:16
secp256k1_ge::x
secp256k1_fe x
Definition group.h:17
secp256k1_ge::y
secp256k1_fe y
Definition group.h:18
secp256k1_gej
Definition group.h:28
secp256k1_pubkey
Definition secp256k1.h:70
secp256k1_rfc6979_hmac_sha256
Definition hash.h:31
secp256k1_scalar
Definition scalar_4x64.h:13
secp256k1_scratch_space_struct
Definition scratch.h:12
secp256k1_sha256
Definition hash.h:13
ret
CK_RV ret
Definition yubihsm_pkcs11.c:973
overflow
bool overflow
Definition yubihsm_pkcs11.c:467
s
char * s
Definition yubihsm_pkcs11.c:524
len
size_t len
Definition yubihsm_pkcs11.c:4771
buf
uint8_t buf[2048]
Definition yubihsm_pkcs11.c:4770
pubkey
CK_BYTE_PTR pubkey
Definition yubihsm_pkcs11.c:4984
memset
memset(pInfo->slotDescription, ' ', 64)
flags
pInfo flags
Definition yubihsm_pkcs11.c:540
memcpy
memcpy((char *) pInfo->slotDescription, s, l)