github.com/ethereumproject/go-ethereum@v5.5.2+incompatible/crypto/secp256k1/libsecp256k1/src/secp256k1.c (about) 1 /********************************************************************** 2 * Copyright (c) 2013-2015 Pieter Wuille * 3 * Distributed under the MIT software license, see the accompanying * 4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.* 5 **********************************************************************/ 6 7 #define SECP256K1_BUILD (1) 8 9 #include "include/secp256k1.h" 10 11 #include "util.h" 12 #include "num_impl.h" 13 #include "field_impl.h" 14 #include "scalar_impl.h" 15 #include "group_impl.h" 16 #include "ecmult_impl.h" 17 #include "ecmult_const_impl.h" 18 #include "ecmult_gen_impl.h" 19 #include "ecdsa_impl.h" 20 #include "eckey_impl.h" 21 #include "hash_impl.h" 22 23 #define ARG_CHECK(cond) do { \ 24 if (EXPECT(!(cond), 0)) { \ 25 secp256k1_callback_call(&ctx->illegal_callback, #cond); \ 26 return 0; \ 27 } \ 28 } while(0) 29 30 static void default_illegal_callback_fn(const char* str, void* data) { 31 (void)data; 32 fprintf(stderr, "[libsecp256k1] illegal argument: %s\n", str); 33 abort(); 34 } 35 36 static const secp256k1_callback default_illegal_callback = { 37 default_illegal_callback_fn, 38 NULL 39 }; 40 41 static void default_error_callback_fn(const char* str, void* data) { 42 (void)data; 43 fprintf(stderr, "[libsecp256k1] internal consistency check failed: %s\n", str); 44 abort(); 45 } 46 47 static const secp256k1_callback default_error_callback = { 48 default_error_callback_fn, 49 NULL 50 }; 51 52 53 struct secp256k1_context_struct { 54 secp256k1_ecmult_context ecmult_ctx; 55 secp256k1_ecmult_gen_context ecmult_gen_ctx; 56 secp256k1_callback illegal_callback; 57 secp256k1_callback error_callback; 58 }; 59 60 secp256k1_context* secp256k1_context_create(unsigned int flags) { 61 secp256k1_context* ret = (secp256k1_context*)checked_malloc(&default_error_callback, sizeof(secp256k1_context)); 62 ret->illegal_callback = default_illegal_callback; 63 ret->error_callback = default_error_callback; 64 65 secp256k1_ecmult_context_init(&ret->ecmult_ctx); 66 secp256k1_ecmult_gen_context_init(&ret->ecmult_gen_ctx); 67 68 if (flags & SECP256K1_CONTEXT_SIGN) { 69 secp256k1_ecmult_gen_context_build(&ret->ecmult_gen_ctx, &ret->error_callback); 70 } 71 if (flags & SECP256K1_CONTEXT_VERIFY) { 72 secp256k1_ecmult_context_build(&ret->ecmult_ctx, &ret->error_callback); 73 } 74 75 return ret; 76 } 77 78 secp256k1_context* secp256k1_context_clone(const secp256k1_context* ctx) { 79 secp256k1_context* ret = (secp256k1_context*)checked_malloc(&ctx->error_callback, sizeof(secp256k1_context)); 80 ret->illegal_callback = ctx->illegal_callback; 81 ret->error_callback = ctx->error_callback; 82 secp256k1_ecmult_context_clone(&ret->ecmult_ctx, &ctx->ecmult_ctx, &ctx->error_callback); 83 secp256k1_ecmult_gen_context_clone(&ret->ecmult_gen_ctx, &ctx->ecmult_gen_ctx, &ctx->error_callback); 84 return ret; 85 } 86 87 void secp256k1_context_destroy(secp256k1_context* ctx) { 88 if (ctx != NULL) { 89 secp256k1_ecmult_context_clear(&ctx->ecmult_ctx); 90 secp256k1_ecmult_gen_context_clear(&ctx->ecmult_gen_ctx); 91 92 free(ctx); 93 } 94 } 95 96 void secp256k1_context_set_illegal_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) { 97 if (fun == NULL) { 98 fun = default_illegal_callback_fn; 99 } 100 ctx->illegal_callback.fn = fun; 101 ctx->illegal_callback.data = data; 102 } 103 104 void secp256k1_context_set_error_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) { 105 if (fun == NULL) { 106 fun = default_error_callback_fn; 107 } 108 ctx->error_callback.fn = fun; 109 ctx->error_callback.data = data; 110 } 111 112 static int secp256k1_pubkey_load(const secp256k1_context* ctx, secp256k1_ge* ge, const secp256k1_pubkey* pubkey) { 113 if (sizeof(secp256k1_ge_storage) == 64) { 114 /* When the secp256k1_ge_storage type is exactly 64 byte, use its 115 * representation inside secp256k1_pubkey, as conversion is very fast. 116 * Note that secp256k1_pubkey_save must use the same representation. */ 117 secp256k1_ge_storage s; 118 memcpy(&s, &pubkey->data[0], 64); 119 secp256k1_ge_from_storage(ge, &s); 120 } else { 121 /* Otherwise, fall back to 32-byte big endian for X and Y. */ 122 secp256k1_fe x, y; 123 secp256k1_fe_set_b32(&x, pubkey->data); 124 secp256k1_fe_set_b32(&y, pubkey->data + 32); 125 secp256k1_ge_set_xy(ge, &x, &y); 126 } 127 ARG_CHECK(!secp256k1_fe_is_zero(&ge->x)); 128 return 1; 129 } 130 131 static void secp256k1_pubkey_save(secp256k1_pubkey* pubkey, secp256k1_ge* ge) { 132 if (sizeof(secp256k1_ge_storage) == 64) { 133 secp256k1_ge_storage s; 134 secp256k1_ge_to_storage(&s, ge); 135 memcpy(&pubkey->data[0], &s, 64); 136 } else { 137 VERIFY_CHECK(!secp256k1_ge_is_infinity(ge)); 138 secp256k1_fe_normalize_var(&ge->x); 139 secp256k1_fe_normalize_var(&ge->y); 140 secp256k1_fe_get_b32(pubkey->data, &ge->x); 141 secp256k1_fe_get_b32(pubkey->data + 32, &ge->y); 142 } 143 } 144 145 int secp256k1_ec_pubkey_parse(const secp256k1_context* ctx, secp256k1_pubkey* pubkey, const unsigned char *input, size_t inputlen) { 146 secp256k1_ge Q; 147 148 (void)ctx; 149 if (!secp256k1_eckey_pubkey_parse(&Q, input, inputlen)) { 150 memset(pubkey, 0, sizeof(*pubkey)); 151 return 0; 152 } 153 secp256k1_pubkey_save(pubkey, &Q); 154 secp256k1_ge_clear(&Q); 155 return 1; 156 } 157 158 int secp256k1_ec_pubkey_serialize(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey* pubkey, unsigned int flags) { 159 secp256k1_ge Q; 160 161 (void)ctx; 162 return (secp256k1_pubkey_load(ctx, &Q, pubkey) && 163 secp256k1_eckey_pubkey_serialize(&Q, output, outputlen, flags)); 164 } 165 166 static void secp256k1_ecdsa_signature_load(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, const secp256k1_ecdsa_signature* sig) { 167 (void)ctx; 168 if (sizeof(secp256k1_scalar) == 32) { 169 /* When the secp256k1_scalar type is exactly 32 byte, use its 170 * representation inside secp256k1_ecdsa_signature, as conversion is very fast. 171 * Note that secp256k1_ecdsa_signature_save must use the same representation. */ 172 memcpy(r, &sig->data[0], 32); 173 memcpy(s, &sig->data[32], 32); 174 } else { 175 secp256k1_scalar_set_b32(r, &sig->data[0], NULL); 176 secp256k1_scalar_set_b32(s, &sig->data[32], NULL); 177 } 178 } 179 180 static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature* sig, const secp256k1_scalar* r, const secp256k1_scalar* s) { 181 if (sizeof(secp256k1_scalar) == 32) { 182 memcpy(&sig->data[0], r, 32); 183 memcpy(&sig->data[32], s, 32); 184 } else { 185 secp256k1_scalar_get_b32(&sig->data[0], r); 186 secp256k1_scalar_get_b32(&sig->data[32], s); 187 } 188 } 189 190 int secp256k1_ecdsa_signature_parse_der(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) { 191 secp256k1_scalar r, s; 192 193 (void)ctx; 194 ARG_CHECK(sig != NULL); 195 ARG_CHECK(input != NULL); 196 197 if (secp256k1_ecdsa_sig_parse(&r, &s, input, inputlen)) { 198 secp256k1_ecdsa_signature_save(sig, &r, &s); 199 return 1; 200 } else { 201 memset(sig, 0, sizeof(*sig)); 202 return 0; 203 } 204 } 205 206 int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature* sig) { 207 secp256k1_scalar r, s; 208 209 (void)ctx; 210 ARG_CHECK(output != NULL); 211 ARG_CHECK(outputlen != NULL); 212 ARG_CHECK(sig != NULL); 213 214 secp256k1_ecdsa_signature_load(ctx, &r, &s, sig); 215 return secp256k1_ecdsa_sig_serialize(output, outputlen, &r, &s); 216 } 217 218 int secp256k1_ecdsa_verify(const secp256k1_context* ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const secp256k1_pubkey *pubkey) { 219 secp256k1_ge q; 220 secp256k1_scalar r, s; 221 secp256k1_scalar m; 222 VERIFY_CHECK(ctx != NULL); 223 ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx)); 224 ARG_CHECK(msg32 != NULL); 225 ARG_CHECK(sig != NULL); 226 ARG_CHECK(pubkey != NULL); 227 228 secp256k1_scalar_set_b32(&m, msg32, NULL); 229 secp256k1_ecdsa_signature_load(ctx, &r, &s, sig); 230 return (secp256k1_pubkey_load(ctx, &q, pubkey) && 231 secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &r, &s, &q, &m)); 232 } 233 234 static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { 235 unsigned char keydata[112]; 236 int keylen = 64; 237 secp256k1_rfc6979_hmac_sha256_t rng; 238 unsigned int i; 239 /* We feed a byte array to the PRNG as input, consisting of: 240 * - the private key (32 bytes) and message (32 bytes), see RFC 6979 3.2d. 241 * - optionally 32 extra bytes of data, see RFC 6979 3.6 Additional Data. 242 * - optionally 16 extra bytes with the algorithm name (the extra data bytes 243 * are set to zeroes when not present, while the algorithm name is). 244 */ 245 memcpy(keydata, key32, 32); 246 memcpy(keydata + 32, msg32, 32); 247 if (data != NULL) { 248 memcpy(keydata + 64, data, 32); 249 keylen = 96; 250 } 251 if (algo16 != NULL) { 252 memset(keydata + keylen, 0, 96 - keylen); 253 memcpy(keydata + 96, algo16, 16); 254 keylen = 112; 255 } 256 secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, keylen); 257 memset(keydata, 0, sizeof(keydata)); 258 for (i = 0; i <= counter; i++) { 259 secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32); 260 } 261 secp256k1_rfc6979_hmac_sha256_finalize(&rng); 262 return 1; 263 } 264 265 const secp256k1_nonce_function secp256k1_nonce_function_rfc6979 = nonce_function_rfc6979; 266 const secp256k1_nonce_function secp256k1_nonce_function_default = nonce_function_rfc6979; 267 268 int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) { 269 secp256k1_scalar r, s; 270 secp256k1_scalar sec, non, msg; 271 int ret = 0; 272 int overflow = 0; 273 VERIFY_CHECK(ctx != NULL); 274 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); 275 ARG_CHECK(msg32 != NULL); 276 ARG_CHECK(signature != NULL); 277 ARG_CHECK(seckey != NULL); 278 if (noncefp == NULL) { 279 noncefp = secp256k1_nonce_function_default; 280 } 281 282 secp256k1_scalar_set_b32(&sec, seckey, &overflow); 283 /* Fail if the secret key is invalid. */ 284 if (!overflow && !secp256k1_scalar_is_zero(&sec)) { 285 unsigned int count = 0; 286 secp256k1_scalar_set_b32(&msg, msg32, NULL); 287 while (1) { 288 unsigned char nonce32[32]; 289 ret = noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count); 290 if (!ret) { 291 break; 292 } 293 secp256k1_scalar_set_b32(&non, nonce32, &overflow); 294 memset(nonce32, 0, 32); 295 if (!overflow && !secp256k1_scalar_is_zero(&non)) { 296 if (secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &r, &s, &sec, &msg, &non, NULL)) { 297 break; 298 } 299 } 300 count++; 301 } 302 secp256k1_scalar_clear(&msg); 303 secp256k1_scalar_clear(&non); 304 secp256k1_scalar_clear(&sec); 305 } 306 if (ret) { 307 secp256k1_ecdsa_signature_save(signature, &r, &s); 308 } else { 309 memset(signature, 0, sizeof(*signature)); 310 } 311 return ret; 312 } 313 314 int secp256k1_ec_seckey_verify(const secp256k1_context* ctx, const unsigned char *seckey) { 315 secp256k1_scalar sec; 316 int ret; 317 int overflow; 318 VERIFY_CHECK(ctx != NULL); 319 ARG_CHECK(seckey != NULL); 320 (void)ctx; 321 322 secp256k1_scalar_set_b32(&sec, seckey, &overflow); 323 ret = !overflow && !secp256k1_scalar_is_zero(&sec); 324 secp256k1_scalar_clear(&sec); 325 return ret; 326 } 327 328 int secp256k1_ec_pubkey_create(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) { 329 secp256k1_gej pj; 330 secp256k1_ge p; 331 secp256k1_scalar sec; 332 int overflow; 333 int ret = 0; 334 VERIFY_CHECK(ctx != NULL); 335 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); 336 ARG_CHECK(pubkey != NULL); 337 ARG_CHECK(seckey != NULL); 338 339 secp256k1_scalar_set_b32(&sec, seckey, &overflow); 340 ret = (!overflow) & (!secp256k1_scalar_is_zero(&sec)); 341 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pj, &sec); 342 secp256k1_ge_set_gej(&p, &pj); 343 secp256k1_pubkey_save(pubkey, &p); 344 secp256k1_scalar_clear(&sec); 345 if (!ret) { 346 memset(pubkey, 0, sizeof(*pubkey)); 347 } 348 return ret; 349 } 350 351 int secp256k1_ec_privkey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) { 352 secp256k1_scalar term; 353 secp256k1_scalar sec; 354 int ret = 0; 355 int overflow = 0; 356 VERIFY_CHECK(ctx != NULL); 357 ARG_CHECK(seckey != NULL); 358 ARG_CHECK(tweak != NULL); 359 (void)ctx; 360 361 secp256k1_scalar_set_b32(&term, tweak, &overflow); 362 secp256k1_scalar_set_b32(&sec, seckey, NULL); 363 364 ret = !overflow && secp256k1_eckey_privkey_tweak_add(&sec, &term); 365 if (ret) { 366 secp256k1_scalar_get_b32(seckey, &sec); 367 } 368 369 secp256k1_scalar_clear(&sec); 370 secp256k1_scalar_clear(&term); 371 return ret; 372 } 373 374 int secp256k1_ec_pubkey_tweak_add(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) { 375 secp256k1_ge p; 376 secp256k1_scalar term; 377 int ret = 0; 378 int overflow = 0; 379 VERIFY_CHECK(ctx != NULL); 380 ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx)); 381 ARG_CHECK(pubkey != NULL); 382 ARG_CHECK(tweak != NULL); 383 384 secp256k1_scalar_set_b32(&term, tweak, &overflow); 385 if (!overflow && secp256k1_pubkey_load(ctx, &p, pubkey)) { 386 ret = secp256k1_eckey_pubkey_tweak_add(&ctx->ecmult_ctx, &p, &term); 387 if (ret) { 388 secp256k1_pubkey_save(pubkey, &p); 389 } else { 390 memset(pubkey, 0, sizeof(*pubkey)); 391 } 392 } 393 394 return ret; 395 } 396 397 int secp256k1_ec_privkey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) { 398 secp256k1_scalar factor; 399 secp256k1_scalar sec; 400 int ret = 0; 401 int overflow = 0; 402 VERIFY_CHECK(ctx != NULL); 403 ARG_CHECK(seckey != NULL); 404 ARG_CHECK(tweak != NULL); 405 (void)ctx; 406 407 secp256k1_scalar_set_b32(&factor, tweak, &overflow); 408 secp256k1_scalar_set_b32(&sec, seckey, NULL); 409 ret = !overflow && secp256k1_eckey_privkey_tweak_mul(&sec, &factor); 410 if (ret) { 411 secp256k1_scalar_get_b32(seckey, &sec); 412 } 413 414 secp256k1_scalar_clear(&sec); 415 secp256k1_scalar_clear(&factor); 416 return ret; 417 } 418 419 int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) { 420 secp256k1_ge p; 421 secp256k1_scalar factor; 422 int ret = 0; 423 int overflow = 0; 424 VERIFY_CHECK(ctx != NULL); 425 ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx)); 426 ARG_CHECK(pubkey != NULL); 427 ARG_CHECK(tweak != NULL); 428 429 secp256k1_scalar_set_b32(&factor, tweak, &overflow); 430 if (!overflow && secp256k1_pubkey_load(ctx, &p, pubkey)) { 431 ret = secp256k1_eckey_pubkey_tweak_mul(&ctx->ecmult_ctx, &p, &factor); 432 if (ret) { 433 secp256k1_pubkey_save(pubkey, &p); 434 } else { 435 memset(pubkey, 0, sizeof(*pubkey)); 436 } 437 } 438 439 return ret; 440 } 441 442 int secp256k1_ec_privkey_export(const secp256k1_context* ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *seckey, unsigned int flags) { 443 secp256k1_scalar key; 444 int ret = 0; 445 VERIFY_CHECK(ctx != NULL); 446 ARG_CHECK(seckey != NULL); 447 ARG_CHECK(privkey != NULL); 448 ARG_CHECK(privkeylen != NULL); 449 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); 450 451 secp256k1_scalar_set_b32(&key, seckey, NULL); 452 ret = secp256k1_eckey_privkey_serialize(&ctx->ecmult_gen_ctx, privkey, privkeylen, &key, flags); 453 secp256k1_scalar_clear(&key); 454 return ret; 455 } 456 457 int secp256k1_ec_privkey_import(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *privkey, size_t privkeylen) { 458 secp256k1_scalar key; 459 int ret = 0; 460 ARG_CHECK(seckey != NULL); 461 ARG_CHECK(privkey != NULL); 462 (void)ctx; 463 464 ret = secp256k1_eckey_privkey_parse(&key, privkey, privkeylen); 465 if (ret) { 466 secp256k1_scalar_get_b32(seckey, &key); 467 } 468 secp256k1_scalar_clear(&key); 469 return ret; 470 } 471 472 int secp256k1_context_randomize(secp256k1_context* ctx, const unsigned char *seed32) { 473 VERIFY_CHECK(ctx != NULL); 474 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); 475 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32); 476 return 1; 477 } 478 479 int secp256k1_ec_pubkey_combine(const secp256k1_context* ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey * const *pubnonces, int n) { 480 int i; 481 secp256k1_gej Qj; 482 secp256k1_ge Q; 483 484 ARG_CHECK(pubnonce != NULL); 485 ARG_CHECK(n >= 1); 486 ARG_CHECK(pubnonces != NULL); 487 488 secp256k1_gej_set_infinity(&Qj); 489 490 for (i = 0; i < n; i++) { 491 secp256k1_pubkey_load(ctx, &Q, pubnonces[i]); 492 secp256k1_gej_add_ge(&Qj, &Qj, &Q); 493 } 494 if (secp256k1_gej_is_infinity(&Qj)) { 495 memset(pubnonce, 0, sizeof(*pubnonce)); 496 return 0; 497 } 498 secp256k1_ge_set_gej(&Q, &Qj); 499 secp256k1_pubkey_save(pubnonce, &Q); 500 return 1; 501 } 502 503 #ifdef ENABLE_MODULE_ECDH 504 # include "modules/ecdh/main_impl.h" 505 #endif 506 507 #ifdef ENABLE_MODULE_SCHNORR 508 # include "modules/schnorr/main_impl.h" 509 #endif 510 511 #ifdef ENABLE_MODULE_RECOVERY 512 # include "modules/recovery/main_impl.h" 513 #endif