github.com/ethereum/go-ethereum@v1.16.1/crypto/secp256k1/libsecp256k1/src/secp256k1.c (about) 1 /*********************************************************************** 2 * Copyright (c) 2013-2015 Pieter Wuille * 3 * Distributed under the MIT software license, see the accompanying * 4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.* 5 ***********************************************************************/ 6 7 /* This is a C project. It should not be compiled with a C++ compiler, 8 * and we error out if we detect one. 9 * 10 * We still want to be able to test the project with a C++ compiler 11 * because it is still good to know if this will lead to real trouble, so 12 * there is a possibility to override the check. But be warned that 13 * compiling with a C++ compiler is not supported. */ 14 #if defined(__cplusplus) && !defined(SECP256K1_CPLUSPLUS_TEST_OVERRIDE) 15 #error Trying to compile a C project with a C++ compiler. 16 #endif 17 18 #define SECP256K1_BUILD 19 20 #include "../include/secp256k1.h" 21 #include "../include/secp256k1_preallocated.h" 22 23 #include "assumptions.h" 24 #include "checkmem.h" 25 #include "util.h" 26 27 #include "field_impl.h" 28 #include "scalar_impl.h" 29 #include "group_impl.h" 30 #include "ecmult_impl.h" 31 #include "ecmult_const_impl.h" 32 #include "ecmult_gen_impl.h" 33 #include "ecdsa_impl.h" 34 #include "eckey_impl.h" 35 #include "hash_impl.h" 36 #include "int128_impl.h" 37 #include "scratch_impl.h" 38 #include "selftest.h" 39 #include "hsort_impl.h" 40 41 #ifdef SECP256K1_NO_BUILD 42 # error "secp256k1.h processed without SECP256K1_BUILD defined while building secp256k1.c" 43 #endif 44 45 #define ARG_CHECK(cond) do { \ 46 if (EXPECT(!(cond), 0)) { \ 47 secp256k1_callback_call(&ctx->illegal_callback, #cond); \ 48 return 0; \ 49 } \ 50 } while(0) 51 52 #define ARG_CHECK_VOID(cond) do { \ 53 if (EXPECT(!(cond), 0)) { \ 54 secp256k1_callback_call(&ctx->illegal_callback, #cond); \ 55 return; \ 56 } \ 57 } while(0) 58 59 /* Note that whenever you change the context struct, you must also change the 60 * context_eq function. */ 61 struct secp256k1_context_struct { 62 secp256k1_ecmult_gen_context ecmult_gen_ctx; 63 secp256k1_callback illegal_callback; 64 secp256k1_callback error_callback; 65 int declassify; 66 }; 67 68 static const secp256k1_context secp256k1_context_static_ = { 69 { 0 }, 70 { secp256k1_default_illegal_callback_fn, 0 }, 71 { secp256k1_default_error_callback_fn, 0 }, 72 0 73 }; 74 const secp256k1_context *secp256k1_context_static = &secp256k1_context_static_; 75 const secp256k1_context *secp256k1_context_no_precomp = &secp256k1_context_static_; 76 77 /* Helper function that determines if a context is proper, i.e., is not the static context or a copy thereof. 78 * 79 * This is intended for "context" functions such as secp256k1_context_clone. Functions that need specific 80 * features of a context should still check for these features directly. For example, a function that needs 81 * ecmult_gen should directly check for the existence of the ecmult_gen context. */ 82 static int secp256k1_context_is_proper(const secp256k1_context* ctx) { 83 return secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx); 84 } 85 86 void secp256k1_selftest(void) { 87 if (!secp256k1_selftest_passes()) { 88 secp256k1_callback_call(&default_error_callback, "self test failed"); 89 } 90 } 91 92 size_t secp256k1_context_preallocated_size(unsigned int flags) { 93 size_t ret = sizeof(secp256k1_context); 94 /* A return value of 0 is reserved as an indicator for errors when we call this function internally. */ 95 VERIFY_CHECK(ret != 0); 96 97 if (EXPECT((flags & SECP256K1_FLAGS_TYPE_MASK) != SECP256K1_FLAGS_TYPE_CONTEXT, 0)) { 98 secp256k1_callback_call(&default_illegal_callback, 99 "Invalid flags"); 100 return 0; 101 } 102 103 if (EXPECT(!SECP256K1_CHECKMEM_RUNNING() && (flags & SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY), 0)) { 104 secp256k1_callback_call(&default_illegal_callback, 105 "Declassify flag requires running with memory checking"); 106 return 0; 107 } 108 109 return ret; 110 } 111 112 size_t secp256k1_context_preallocated_clone_size(const secp256k1_context* ctx) { 113 VERIFY_CHECK(ctx != NULL); 114 ARG_CHECK(secp256k1_context_is_proper(ctx)); 115 return sizeof(secp256k1_context); 116 } 117 118 secp256k1_context* secp256k1_context_preallocated_create(void* prealloc, unsigned int flags) { 119 size_t prealloc_size; 120 secp256k1_context* ret; 121 122 secp256k1_selftest(); 123 124 prealloc_size = secp256k1_context_preallocated_size(flags); 125 if (prealloc_size == 0) { 126 return NULL; 127 } 128 VERIFY_CHECK(prealloc != NULL); 129 ret = (secp256k1_context*)prealloc; 130 ret->illegal_callback = default_illegal_callback; 131 ret->error_callback = default_error_callback; 132 133 /* Flags have been checked by secp256k1_context_preallocated_size. */ 134 VERIFY_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_CONTEXT); 135 secp256k1_ecmult_gen_context_build(&ret->ecmult_gen_ctx); 136 ret->declassify = !!(flags & SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY); 137 138 return ret; 139 } 140 141 secp256k1_context* secp256k1_context_create(unsigned int flags) { 142 size_t const prealloc_size = secp256k1_context_preallocated_size(flags); 143 secp256k1_context* ctx = (secp256k1_context*)checked_malloc(&default_error_callback, prealloc_size); 144 if (EXPECT(secp256k1_context_preallocated_create(ctx, flags) == NULL, 0)) { 145 free(ctx); 146 return NULL; 147 } 148 149 return ctx; 150 } 151 152 secp256k1_context* secp256k1_context_preallocated_clone(const secp256k1_context* ctx, void* prealloc) { 153 secp256k1_context* ret; 154 VERIFY_CHECK(ctx != NULL); 155 ARG_CHECK(prealloc != NULL); 156 ARG_CHECK(secp256k1_context_is_proper(ctx)); 157 158 ret = (secp256k1_context*)prealloc; 159 *ret = *ctx; 160 return ret; 161 } 162 163 secp256k1_context* secp256k1_context_clone(const secp256k1_context* ctx) { 164 secp256k1_context* ret; 165 size_t prealloc_size; 166 167 VERIFY_CHECK(ctx != NULL); 168 ARG_CHECK(secp256k1_context_is_proper(ctx)); 169 170 prealloc_size = secp256k1_context_preallocated_clone_size(ctx); 171 ret = (secp256k1_context*)checked_malloc(&ctx->error_callback, prealloc_size); 172 ret = secp256k1_context_preallocated_clone(ctx, ret); 173 return ret; 174 } 175 176 void secp256k1_context_preallocated_destroy(secp256k1_context* ctx) { 177 ARG_CHECK_VOID(ctx == NULL || secp256k1_context_is_proper(ctx)); 178 179 /* Defined as noop */ 180 if (ctx == NULL) { 181 return; 182 } 183 184 secp256k1_ecmult_gen_context_clear(&ctx->ecmult_gen_ctx); 185 } 186 187 void secp256k1_context_destroy(secp256k1_context* ctx) { 188 ARG_CHECK_VOID(ctx == NULL || secp256k1_context_is_proper(ctx)); 189 190 /* Defined as noop */ 191 if (ctx == NULL) { 192 return; 193 } 194 195 secp256k1_context_preallocated_destroy(ctx); 196 free(ctx); 197 } 198 199 void secp256k1_context_set_illegal_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) { 200 /* We compare pointers instead of checking secp256k1_context_is_proper() here 201 because setting callbacks is allowed on *copies* of the static context: 202 it's harmless and makes testing easier. */ 203 ARG_CHECK_VOID(ctx != secp256k1_context_static); 204 if (fun == NULL) { 205 fun = secp256k1_default_illegal_callback_fn; 206 } 207 ctx->illegal_callback.fn = fun; 208 ctx->illegal_callback.data = data; 209 } 210 211 void secp256k1_context_set_error_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) { 212 /* We compare pointers instead of checking secp256k1_context_is_proper() here 213 because setting callbacks is allowed on *copies* of the static context: 214 it's harmless and makes testing easier. */ 215 ARG_CHECK_VOID(ctx != secp256k1_context_static); 216 if (fun == NULL) { 217 fun = secp256k1_default_error_callback_fn; 218 } 219 ctx->error_callback.fn = fun; 220 ctx->error_callback.data = data; 221 } 222 223 static secp256k1_scratch_space* secp256k1_scratch_space_create(const secp256k1_context* ctx, size_t max_size) { 224 VERIFY_CHECK(ctx != NULL); 225 return secp256k1_scratch_create(&ctx->error_callback, max_size); 226 } 227 228 static void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space* scratch) { 229 VERIFY_CHECK(ctx != NULL); 230 secp256k1_scratch_destroy(&ctx->error_callback, scratch); 231 } 232 233 /* Mark memory as no-longer-secret for the purpose of analysing constant-time behaviour 234 * of the software. 235 */ 236 static SECP256K1_INLINE void secp256k1_declassify(const secp256k1_context* ctx, const void *p, size_t len) { 237 if (EXPECT(ctx->declassify, 0)) SECP256K1_CHECKMEM_DEFINE(p, len); 238 } 239 240 static int secp256k1_pubkey_load(const secp256k1_context* ctx, secp256k1_ge* ge, const secp256k1_pubkey* pubkey) { 241 secp256k1_ge_from_bytes(ge, pubkey->data); 242 ARG_CHECK(!secp256k1_fe_is_zero(&ge->x)); 243 return 1; 244 } 245 246 static void secp256k1_pubkey_save(secp256k1_pubkey* pubkey, secp256k1_ge* ge) { 247 secp256k1_ge_to_bytes(pubkey->data, ge); 248 } 249 250 int secp256k1_ec_pubkey_parse(const secp256k1_context* ctx, secp256k1_pubkey* pubkey, const unsigned char *input, size_t inputlen) { 251 secp256k1_ge Q; 252 253 VERIFY_CHECK(ctx != NULL); 254 ARG_CHECK(pubkey != NULL); 255 memset(pubkey, 0, sizeof(*pubkey)); 256 ARG_CHECK(input != NULL); 257 if (!secp256k1_eckey_pubkey_parse(&Q, input, inputlen)) { 258 return 0; 259 } 260 if (!secp256k1_ge_is_in_correct_subgroup(&Q)) { 261 return 0; 262 } 263 secp256k1_pubkey_save(pubkey, &Q); 264 secp256k1_ge_clear(&Q); 265 return 1; 266 } 267 268 int secp256k1_ec_pubkey_serialize(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey* pubkey, unsigned int flags) { 269 secp256k1_ge Q; 270 size_t len; 271 int ret = 0; 272 273 VERIFY_CHECK(ctx != NULL); 274 ARG_CHECK(outputlen != NULL); 275 ARG_CHECK(*outputlen >= ((flags & SECP256K1_FLAGS_BIT_COMPRESSION) ? 33u : 65u)); 276 len = *outputlen; 277 *outputlen = 0; 278 ARG_CHECK(output != NULL); 279 memset(output, 0, len); 280 ARG_CHECK(pubkey != NULL); 281 ARG_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_COMPRESSION); 282 if (secp256k1_pubkey_load(ctx, &Q, pubkey)) { 283 ret = secp256k1_eckey_pubkey_serialize(&Q, output, &len, flags & SECP256K1_FLAGS_BIT_COMPRESSION); 284 if (ret) { 285 *outputlen = len; 286 } 287 } 288 return ret; 289 } 290 291 int secp256k1_ec_pubkey_cmp(const secp256k1_context* ctx, const secp256k1_pubkey* pubkey0, const secp256k1_pubkey* pubkey1) { 292 unsigned char out[2][33]; 293 const secp256k1_pubkey* pk[2]; 294 int i; 295 296 VERIFY_CHECK(ctx != NULL); 297 pk[0] = pubkey0; pk[1] = pubkey1; 298 for (i = 0; i < 2; i++) { 299 size_t out_size = sizeof(out[i]); 300 /* If the public key is NULL or invalid, ec_pubkey_serialize will call 301 * the illegal_callback and return 0. In that case we will serialize the 302 * key as all zeros which is less than any valid public key. This 303 * results in consistent comparisons even if NULL or invalid pubkeys are 304 * involved and prevents edge cases such as sorting algorithms that use 305 * this function and do not terminate as a result. */ 306 if (!secp256k1_ec_pubkey_serialize(ctx, out[i], &out_size, pk[i], SECP256K1_EC_COMPRESSED)) { 307 /* Note that ec_pubkey_serialize should already set the output to 308 * zero in that case, but it's not guaranteed by the API, we can't 309 * test it and writing a VERIFY_CHECK is more complex than 310 * explicitly memsetting (again). */ 311 memset(out[i], 0, sizeof(out[i])); 312 } 313 } 314 return secp256k1_memcmp_var(out[0], out[1], sizeof(out[0])); 315 } 316 317 static int secp256k1_ec_pubkey_sort_cmp(const void* pk1, const void* pk2, void *ctx) { 318 return secp256k1_ec_pubkey_cmp((secp256k1_context *)ctx, 319 *(secp256k1_pubkey **)pk1, 320 *(secp256k1_pubkey **)pk2); 321 } 322 323 int secp256k1_ec_pubkey_sort(const secp256k1_context* ctx, const secp256k1_pubkey **pubkeys, size_t n_pubkeys) { 324 VERIFY_CHECK(ctx != NULL); 325 ARG_CHECK(pubkeys != NULL); 326 327 /* Suppress wrong warning (fixed in MSVC 19.33) */ 328 #if defined(_MSC_VER) && (_MSC_VER < 1933) 329 #pragma warning(push) 330 #pragma warning(disable: 4090) 331 #endif 332 333 /* Casting away const is fine because neither secp256k1_hsort nor 334 * secp256k1_ec_pubkey_sort_cmp modify the data pointed to by the cmp_data 335 * argument. */ 336 secp256k1_hsort(pubkeys, n_pubkeys, sizeof(*pubkeys), secp256k1_ec_pubkey_sort_cmp, (void *)ctx); 337 338 #if defined(_MSC_VER) && (_MSC_VER < 1933) 339 #pragma warning(pop) 340 #endif 341 342 return 1; 343 } 344 345 static void secp256k1_ecdsa_signature_load(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, const secp256k1_ecdsa_signature* sig) { 346 (void)ctx; 347 if (sizeof(secp256k1_scalar) == 32) { 348 /* When the secp256k1_scalar type is exactly 32 byte, use its 349 * representation inside secp256k1_ecdsa_signature, as conversion is very fast. 350 * Note that secp256k1_ecdsa_signature_save must use the same representation. */ 351 memcpy(r, &sig->data[0], 32); 352 memcpy(s, &sig->data[32], 32); 353 } else { 354 secp256k1_scalar_set_b32(r, &sig->data[0], NULL); 355 secp256k1_scalar_set_b32(s, &sig->data[32], NULL); 356 } 357 } 358 359 static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature* sig, const secp256k1_scalar* r, const secp256k1_scalar* s) { 360 if (sizeof(secp256k1_scalar) == 32) { 361 memcpy(&sig->data[0], r, 32); 362 memcpy(&sig->data[32], s, 32); 363 } else { 364 secp256k1_scalar_get_b32(&sig->data[0], r); 365 secp256k1_scalar_get_b32(&sig->data[32], s); 366 } 367 } 368 369 int secp256k1_ecdsa_signature_parse_der(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) { 370 secp256k1_scalar r, s; 371 372 VERIFY_CHECK(ctx != NULL); 373 ARG_CHECK(sig != NULL); 374 ARG_CHECK(input != NULL); 375 376 if (secp256k1_ecdsa_sig_parse(&r, &s, input, inputlen)) { 377 secp256k1_ecdsa_signature_save(sig, &r, &s); 378 return 1; 379 } else { 380 memset(sig, 0, sizeof(*sig)); 381 return 0; 382 } 383 } 384 385 int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input64) { 386 secp256k1_scalar r, s; 387 int ret = 1; 388 int overflow = 0; 389 390 VERIFY_CHECK(ctx != NULL); 391 ARG_CHECK(sig != NULL); 392 ARG_CHECK(input64 != NULL); 393 394 secp256k1_scalar_set_b32(&r, &input64[0], &overflow); 395 ret &= !overflow; 396 secp256k1_scalar_set_b32(&s, &input64[32], &overflow); 397 ret &= !overflow; 398 if (ret) { 399 secp256k1_ecdsa_signature_save(sig, &r, &s); 400 } else { 401 memset(sig, 0, sizeof(*sig)); 402 } 403 return ret; 404 } 405 406 int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature* sig) { 407 secp256k1_scalar r, s; 408 409 VERIFY_CHECK(ctx != NULL); 410 ARG_CHECK(output != NULL); 411 ARG_CHECK(outputlen != NULL); 412 ARG_CHECK(sig != NULL); 413 414 secp256k1_ecdsa_signature_load(ctx, &r, &s, sig); 415 return secp256k1_ecdsa_sig_serialize(output, outputlen, &r, &s); 416 } 417 418 int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context* ctx, unsigned char *output64, const secp256k1_ecdsa_signature* sig) { 419 secp256k1_scalar r, s; 420 421 VERIFY_CHECK(ctx != NULL); 422 ARG_CHECK(output64 != NULL); 423 ARG_CHECK(sig != NULL); 424 425 secp256k1_ecdsa_signature_load(ctx, &r, &s, sig); 426 secp256k1_scalar_get_b32(&output64[0], &r); 427 secp256k1_scalar_get_b32(&output64[32], &s); 428 return 1; 429 } 430 431 int secp256k1_ecdsa_signature_normalize(const secp256k1_context* ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) { 432 secp256k1_scalar r, s; 433 int ret = 0; 434 435 VERIFY_CHECK(ctx != NULL); 436 ARG_CHECK(sigin != NULL); 437 438 secp256k1_ecdsa_signature_load(ctx, &r, &s, sigin); 439 ret = secp256k1_scalar_is_high(&s); 440 if (sigout != NULL) { 441 if (ret) { 442 secp256k1_scalar_negate(&s, &s); 443 } 444 secp256k1_ecdsa_signature_save(sigout, &r, &s); 445 } 446 447 return ret; 448 } 449 450 int secp256k1_ecdsa_verify(const secp256k1_context* ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) { 451 secp256k1_ge q; 452 secp256k1_scalar r, s; 453 secp256k1_scalar m; 454 VERIFY_CHECK(ctx != NULL); 455 ARG_CHECK(msghash32 != NULL); 456 ARG_CHECK(sig != NULL); 457 ARG_CHECK(pubkey != NULL); 458 459 secp256k1_scalar_set_b32(&m, msghash32, NULL); 460 secp256k1_ecdsa_signature_load(ctx, &r, &s, sig); 461 return (!secp256k1_scalar_is_high(&s) && 462 secp256k1_pubkey_load(ctx, &q, pubkey) && 463 secp256k1_ecdsa_sig_verify(&r, &s, &q, &m)); 464 } 465 466 static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *offset, const void *data, unsigned int len) { 467 memcpy(buf + *offset, data, len); 468 *offset += len; 469 } 470 471 static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { 472 unsigned char keydata[112]; 473 unsigned int offset = 0; 474 secp256k1_rfc6979_hmac_sha256 rng; 475 unsigned int i; 476 secp256k1_scalar msg; 477 unsigned char msgmod32[32]; 478 secp256k1_scalar_set_b32(&msg, msg32, NULL); 479 secp256k1_scalar_get_b32(msgmod32, &msg); 480 /* We feed a byte array to the PRNG as input, consisting of: 481 * - the private key (32 bytes) and reduced message (32 bytes), see RFC 6979 3.2d. 482 * - optionally 32 extra bytes of data, see RFC 6979 3.6 Additional Data. 483 * - optionally 16 extra bytes with the algorithm name. 484 * Because the arguments have distinct fixed lengths it is not possible for 485 * different argument mixtures to emulate each other and result in the same 486 * nonces. 487 */ 488 buffer_append(keydata, &offset, key32, 32); 489 buffer_append(keydata, &offset, msgmod32, 32); 490 if (data != NULL) { 491 buffer_append(keydata, &offset, data, 32); 492 } 493 if (algo16 != NULL) { 494 buffer_append(keydata, &offset, algo16, 16); 495 } 496 secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, offset); 497 for (i = 0; i <= counter; i++) { 498 secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32); 499 } 500 secp256k1_rfc6979_hmac_sha256_finalize(&rng); 501 502 secp256k1_memclear(keydata, sizeof(keydata)); 503 secp256k1_rfc6979_hmac_sha256_clear(&rng); 504 return 1; 505 } 506 507 const secp256k1_nonce_function secp256k1_nonce_function_rfc6979 = nonce_function_rfc6979; 508 const secp256k1_nonce_function secp256k1_nonce_function_default = nonce_function_rfc6979; 509 510 static int secp256k1_ecdsa_sign_inner(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, int* recid, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) { 511 secp256k1_scalar sec, non, msg; 512 int ret = 0; 513 int is_sec_valid; 514 unsigned char nonce32[32]; 515 unsigned int count = 0; 516 /* Default initialization here is important so we won't pass uninit values to the cmov in the end */ 517 *r = secp256k1_scalar_zero; 518 *s = secp256k1_scalar_zero; 519 if (recid) { 520 *recid = 0; 521 } 522 if (noncefp == NULL) { 523 noncefp = secp256k1_nonce_function_default; 524 } 525 526 /* Fail if the secret key is invalid. */ 527 is_sec_valid = secp256k1_scalar_set_b32_seckey(&sec, seckey); 528 secp256k1_scalar_cmov(&sec, &secp256k1_scalar_one, !is_sec_valid); 529 secp256k1_scalar_set_b32(&msg, msg32, NULL); 530 while (1) { 531 int is_nonce_valid; 532 ret = !!noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count); 533 if (!ret) { 534 break; 535 } 536 is_nonce_valid = secp256k1_scalar_set_b32_seckey(&non, nonce32); 537 /* The nonce is still secret here, but it being invalid is less likely than 1:2^255. */ 538 secp256k1_declassify(ctx, &is_nonce_valid, sizeof(is_nonce_valid)); 539 if (is_nonce_valid) { 540 ret = secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, r, s, &sec, &msg, &non, recid); 541 /* The final signature is no longer a secret, nor is the fact that we were successful or not. */ 542 secp256k1_declassify(ctx, &ret, sizeof(ret)); 543 if (ret) { 544 break; 545 } 546 } 547 count++; 548 } 549 /* We don't want to declassify is_sec_valid and therefore the range of 550 * seckey. As a result is_sec_valid is included in ret only after ret was 551 * used as a branching variable. */ 552 ret &= is_sec_valid; 553 secp256k1_memclear(nonce32, sizeof(nonce32)); 554 secp256k1_scalar_clear(&msg); 555 secp256k1_scalar_clear(&non); 556 secp256k1_scalar_clear(&sec); 557 secp256k1_scalar_cmov(r, &secp256k1_scalar_zero, !ret); 558 secp256k1_scalar_cmov(s, &secp256k1_scalar_zero, !ret); 559 if (recid) { 560 const int zero = 0; 561 secp256k1_int_cmov(recid, &zero, !ret); 562 } 563 return ret; 564 } 565 566 int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) { 567 secp256k1_scalar r, s; 568 int ret; 569 VERIFY_CHECK(ctx != NULL); 570 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); 571 ARG_CHECK(msghash32 != NULL); 572 ARG_CHECK(signature != NULL); 573 ARG_CHECK(seckey != NULL); 574 575 ret = secp256k1_ecdsa_sign_inner(ctx, &r, &s, NULL, msghash32, seckey, noncefp, noncedata); 576 secp256k1_ecdsa_signature_save(signature, &r, &s); 577 return ret; 578 } 579 580 int secp256k1_ec_seckey_verify(const secp256k1_context* ctx, const unsigned char *seckey) { 581 secp256k1_scalar sec; 582 int ret; 583 VERIFY_CHECK(ctx != NULL); 584 ARG_CHECK(seckey != NULL); 585 586 ret = secp256k1_scalar_set_b32_seckey(&sec, seckey); 587 secp256k1_scalar_clear(&sec); 588 return ret; 589 } 590 591 static int secp256k1_ec_pubkey_create_helper(const secp256k1_ecmult_gen_context *ecmult_gen_ctx, secp256k1_scalar *seckey_scalar, secp256k1_ge *p, const unsigned char *seckey) { 592 secp256k1_gej pj; 593 int ret; 594 595 ret = secp256k1_scalar_set_b32_seckey(seckey_scalar, seckey); 596 secp256k1_scalar_cmov(seckey_scalar, &secp256k1_scalar_one, !ret); 597 598 secp256k1_ecmult_gen(ecmult_gen_ctx, &pj, seckey_scalar); 599 secp256k1_ge_set_gej(p, &pj); 600 secp256k1_gej_clear(&pj); 601 return ret; 602 } 603 604 int secp256k1_ec_pubkey_create(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) { 605 secp256k1_ge p; 606 secp256k1_scalar seckey_scalar; 607 int ret = 0; 608 VERIFY_CHECK(ctx != NULL); 609 ARG_CHECK(pubkey != NULL); 610 memset(pubkey, 0, sizeof(*pubkey)); 611 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); 612 ARG_CHECK(seckey != NULL); 613 614 ret = secp256k1_ec_pubkey_create_helper(&ctx->ecmult_gen_ctx, &seckey_scalar, &p, seckey); 615 secp256k1_pubkey_save(pubkey, &p); 616 secp256k1_memczero(pubkey, sizeof(*pubkey), !ret); 617 618 secp256k1_scalar_clear(&seckey_scalar); 619 return ret; 620 } 621 622 int secp256k1_ec_seckey_negate(const secp256k1_context* ctx, unsigned char *seckey) { 623 secp256k1_scalar sec; 624 int ret = 0; 625 VERIFY_CHECK(ctx != NULL); 626 ARG_CHECK(seckey != NULL); 627 628 ret = secp256k1_scalar_set_b32_seckey(&sec, seckey); 629 secp256k1_scalar_cmov(&sec, &secp256k1_scalar_zero, !ret); 630 secp256k1_scalar_negate(&sec, &sec); 631 secp256k1_scalar_get_b32(seckey, &sec); 632 633 secp256k1_scalar_clear(&sec); 634 return ret; 635 } 636 637 int secp256k1_ec_privkey_negate(const secp256k1_context* ctx, unsigned char *seckey) { 638 return secp256k1_ec_seckey_negate(ctx, seckey); 639 } 640 641 int secp256k1_ec_pubkey_negate(const secp256k1_context* ctx, secp256k1_pubkey *pubkey) { 642 int ret = 0; 643 secp256k1_ge p; 644 VERIFY_CHECK(ctx != NULL); 645 ARG_CHECK(pubkey != NULL); 646 647 ret = secp256k1_pubkey_load(ctx, &p, pubkey); 648 memset(pubkey, 0, sizeof(*pubkey)); 649 if (ret) { 650 secp256k1_ge_neg(&p, &p); 651 secp256k1_pubkey_save(pubkey, &p); 652 } 653 return ret; 654 } 655 656 657 static int secp256k1_ec_seckey_tweak_add_helper(secp256k1_scalar *sec, const unsigned char *tweak32) { 658 secp256k1_scalar term; 659 int overflow = 0; 660 int ret = 0; 661 662 secp256k1_scalar_set_b32(&term, tweak32, &overflow); 663 ret = (!overflow) & secp256k1_eckey_privkey_tweak_add(sec, &term); 664 secp256k1_scalar_clear(&term); 665 return ret; 666 } 667 668 int secp256k1_ec_seckey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) { 669 secp256k1_scalar sec; 670 int ret = 0; 671 VERIFY_CHECK(ctx != NULL); 672 ARG_CHECK(seckey != NULL); 673 ARG_CHECK(tweak32 != NULL); 674 675 ret = secp256k1_scalar_set_b32_seckey(&sec, seckey); 676 ret &= secp256k1_ec_seckey_tweak_add_helper(&sec, tweak32); 677 secp256k1_scalar_cmov(&sec, &secp256k1_scalar_zero, !ret); 678 secp256k1_scalar_get_b32(seckey, &sec); 679 680 secp256k1_scalar_clear(&sec); 681 return ret; 682 } 683 684 int secp256k1_ec_privkey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) { 685 return secp256k1_ec_seckey_tweak_add(ctx, seckey, tweak32); 686 } 687 688 static int secp256k1_ec_pubkey_tweak_add_helper(secp256k1_ge *p, const unsigned char *tweak32) { 689 secp256k1_scalar term; 690 int overflow = 0; 691 secp256k1_scalar_set_b32(&term, tweak32, &overflow); 692 return !overflow && secp256k1_eckey_pubkey_tweak_add(p, &term); 693 } 694 695 int secp256k1_ec_pubkey_tweak_add(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) { 696 secp256k1_ge p; 697 int ret = 0; 698 VERIFY_CHECK(ctx != NULL); 699 ARG_CHECK(pubkey != NULL); 700 ARG_CHECK(tweak32 != NULL); 701 702 ret = secp256k1_pubkey_load(ctx, &p, pubkey); 703 memset(pubkey, 0, sizeof(*pubkey)); 704 ret = ret && secp256k1_ec_pubkey_tweak_add_helper(&p, tweak32); 705 if (ret) { 706 secp256k1_pubkey_save(pubkey, &p); 707 } 708 709 return ret; 710 } 711 712 int secp256k1_ec_seckey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) { 713 secp256k1_scalar factor; 714 secp256k1_scalar sec; 715 int ret = 0; 716 int overflow = 0; 717 VERIFY_CHECK(ctx != NULL); 718 ARG_CHECK(seckey != NULL); 719 ARG_CHECK(tweak32 != NULL); 720 721 secp256k1_scalar_set_b32(&factor, tweak32, &overflow); 722 ret = secp256k1_scalar_set_b32_seckey(&sec, seckey); 723 ret &= (!overflow) & secp256k1_eckey_privkey_tweak_mul(&sec, &factor); 724 secp256k1_scalar_cmov(&sec, &secp256k1_scalar_zero, !ret); 725 secp256k1_scalar_get_b32(seckey, &sec); 726 727 secp256k1_scalar_clear(&sec); 728 secp256k1_scalar_clear(&factor); 729 return ret; 730 } 731 732 int secp256k1_ec_privkey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) { 733 return secp256k1_ec_seckey_tweak_mul(ctx, seckey, tweak32); 734 } 735 736 int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) { 737 secp256k1_ge p; 738 secp256k1_scalar factor; 739 int ret = 0; 740 int overflow = 0; 741 VERIFY_CHECK(ctx != NULL); 742 ARG_CHECK(pubkey != NULL); 743 ARG_CHECK(tweak32 != NULL); 744 745 secp256k1_scalar_set_b32(&factor, tweak32, &overflow); 746 ret = !overflow && secp256k1_pubkey_load(ctx, &p, pubkey); 747 memset(pubkey, 0, sizeof(*pubkey)); 748 if (ret) { 749 if (secp256k1_eckey_pubkey_tweak_mul(&p, &factor)) { 750 secp256k1_pubkey_save(pubkey, &p); 751 } else { 752 ret = 0; 753 } 754 } 755 756 return ret; 757 } 758 759 int secp256k1_context_randomize(secp256k1_context* ctx, const unsigned char *seed32) { 760 VERIFY_CHECK(ctx != NULL); 761 ARG_CHECK(secp256k1_context_is_proper(ctx)); 762 763 if (secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)) { 764 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32); 765 } 766 return 1; 767 } 768 769 int secp256k1_ec_pubkey_combine(const secp256k1_context* ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey * const *pubnonces, size_t n) { 770 size_t i; 771 secp256k1_gej Qj; 772 secp256k1_ge Q; 773 774 VERIFY_CHECK(ctx != NULL); 775 ARG_CHECK(pubnonce != NULL); 776 memset(pubnonce, 0, sizeof(*pubnonce)); 777 ARG_CHECK(n >= 1); 778 ARG_CHECK(pubnonces != NULL); 779 780 secp256k1_gej_set_infinity(&Qj); 781 782 for (i = 0; i < n; i++) { 783 ARG_CHECK(pubnonces[i] != NULL); 784 secp256k1_pubkey_load(ctx, &Q, pubnonces[i]); 785 secp256k1_gej_add_ge(&Qj, &Qj, &Q); 786 } 787 if (secp256k1_gej_is_infinity(&Qj)) { 788 return 0; 789 } 790 secp256k1_ge_set_gej(&Q, &Qj); 791 secp256k1_pubkey_save(pubnonce, &Q); 792 return 1; 793 } 794 795 int secp256k1_tagged_sha256(const secp256k1_context* ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen) { 796 secp256k1_sha256 sha; 797 VERIFY_CHECK(ctx != NULL); 798 ARG_CHECK(hash32 != NULL); 799 ARG_CHECK(tag != NULL); 800 ARG_CHECK(msg != NULL); 801 802 secp256k1_sha256_initialize_tagged(&sha, tag, taglen); 803 secp256k1_sha256_write(&sha, msg, msglen); 804 secp256k1_sha256_finalize(&sha, hash32); 805 secp256k1_sha256_clear(&sha); 806 return 1; 807 } 808 809 #ifdef ENABLE_MODULE_ECDH 810 # include "modules/ecdh/main_impl.h" 811 #endif 812 813 #ifdef ENABLE_MODULE_RECOVERY 814 # include "modules/recovery/main_impl.h" 815 #endif 816 817 #ifdef ENABLE_MODULE_EXTRAKEYS 818 # include "modules/extrakeys/main_impl.h" 819 #endif 820 821 #ifdef ENABLE_MODULE_SCHNORRSIG 822 # include "modules/schnorrsig/main_impl.h" 823 #endif 824 825 #ifdef ENABLE_MODULE_MUSIG 826 # include "modules/musig/main_impl.h" 827 #endif 828 829 #ifdef ENABLE_MODULE_ELLSWIFT 830 # include "modules/ellswift/main_impl.h" 831 #endif