github.com/verovm/record-replay@v1.9.7/crypto/secp256k1/libsecp256k1/src/ecdsa_impl.h (about) 1 /********************************************************************** 2 * Copyright (c) 2013-2015 Pieter Wuille * 3 * Distributed under the MIT software license, see the accompanying * 4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.* 5 **********************************************************************/ 6 7 8 #ifndef _SECP256K1_ECDSA_IMPL_H_ 9 #define _SECP256K1_ECDSA_IMPL_H_ 10 11 #include "scalar.h" 12 #include "field.h" 13 #include "group.h" 14 #include "ecmult.h" 15 #include "ecmult_gen.h" 16 #include "ecdsa.h" 17 18 /** Group order for secp256k1 defined as 'n' in "Standards for Efficient Cryptography" (SEC2) 2.7.1 19 * sage: for t in xrange(1023, -1, -1): 20 * .. p = 2**256 - 2**32 - t 21 * .. if p.is_prime(): 22 * .. print '%x'%p 23 * .. break 24 * 'fffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f' 25 * sage: a = 0 26 * sage: b = 7 27 * sage: F = FiniteField (p) 28 * sage: '%x' % (EllipticCurve ([F (a), F (b)]).order()) 29 * 'fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141' 30 */ 31 static const secp256k1_fe secp256k1_ecdsa_const_order_as_fe = SECP256K1_FE_CONST( 32 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL, 33 0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364141UL 34 ); 35 36 /** Difference between field and order, values 'p' and 'n' values defined in 37 * "Standards for Efficient Cryptography" (SEC2) 2.7.1. 38 * sage: p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F 39 * sage: a = 0 40 * sage: b = 7 41 * sage: F = FiniteField (p) 42 * sage: '%x' % (p - EllipticCurve ([F (a), F (b)]).order()) 43 * '14551231950b75fc4402da1722fc9baee' 44 */ 45 static const secp256k1_fe secp256k1_ecdsa_const_p_minus_order = SECP256K1_FE_CONST( 46 0, 0, 0, 1, 0x45512319UL, 0x50B75FC4UL, 0x402DA172UL, 0x2FC9BAEEUL 47 ); 48 49 static int secp256k1_der_read_len(const unsigned char **sigp, const unsigned char *sigend) { 50 int lenleft, b1; 51 size_t ret = 0; 52 if (*sigp >= sigend) { 53 return -1; 54 } 55 b1 = *((*sigp)++); 56 if (b1 == 0xFF) { 57 /* X.690-0207 8.1.3.5.c the value 0xFF shall not be used. */ 58 return -1; 59 } 60 if ((b1 & 0x80) == 0) { 61 /* X.690-0207 8.1.3.4 short form length octets */ 62 return b1; 63 } 64 if (b1 == 0x80) { 65 /* Indefinite length is not allowed in DER. */ 66 return -1; 67 } 68 /* X.690-207 8.1.3.5 long form length octets */ 69 lenleft = b1 & 0x7F; 70 if (lenleft > sigend - *sigp) { 71 return -1; 72 } 73 if (**sigp == 0) { 74 /* Not the shortest possible length encoding. */ 75 return -1; 76 } 77 if ((size_t)lenleft > sizeof(size_t)) { 78 /* The resulting length would exceed the range of a size_t, so 79 * certainly longer than the passed array size. 80 */ 81 return -1; 82 } 83 while (lenleft > 0) { 84 if ((ret >> ((sizeof(size_t) - 1) * 8)) != 0) { 85 } 86 ret = (ret << 8) | **sigp; 87 if (ret + lenleft > (size_t)(sigend - *sigp)) { 88 /* Result exceeds the length of the passed array. */ 89 return -1; 90 } 91 (*sigp)++; 92 lenleft--; 93 } 94 if (ret < 128) { 95 /* Not the shortest possible length encoding. */ 96 return -1; 97 } 98 return ret; 99 } 100 101 static int secp256k1_der_parse_integer(secp256k1_scalar *r, const unsigned char **sig, const unsigned char *sigend) { 102 int overflow = 0; 103 unsigned char ra[32] = {0}; 104 int rlen; 105 106 if (*sig == sigend || **sig != 0x02) { 107 /* Not a primitive integer (X.690-0207 8.3.1). */ 108 return 0; 109 } 110 (*sig)++; 111 rlen = secp256k1_der_read_len(sig, sigend); 112 if (rlen <= 0 || (*sig) + rlen > sigend) { 113 /* Exceeds bounds or not at least length 1 (X.690-0207 8.3.1). */ 114 return 0; 115 } 116 if (**sig == 0x00 && rlen > 1 && (((*sig)[1]) & 0x80) == 0x00) { 117 /* Excessive 0x00 padding. */ 118 return 0; 119 } 120 if (**sig == 0xFF && rlen > 1 && (((*sig)[1]) & 0x80) == 0x80) { 121 /* Excessive 0xFF padding. */ 122 return 0; 123 } 124 if ((**sig & 0x80) == 0x80) { 125 /* Negative. */ 126 overflow = 1; 127 } 128 while (rlen > 0 && **sig == 0) { 129 /* Skip leading zero bytes */ 130 rlen--; 131 (*sig)++; 132 } 133 if (rlen > 32) { 134 overflow = 1; 135 } 136 if (!overflow) { 137 memcpy(ra + 32 - rlen, *sig, rlen); 138 secp256k1_scalar_set_b32(r, ra, &overflow); 139 } 140 if (overflow) { 141 secp256k1_scalar_set_int(r, 0); 142 } 143 (*sig) += rlen; 144 return 1; 145 } 146 147 static int secp256k1_ecdsa_sig_parse(secp256k1_scalar *rr, secp256k1_scalar *rs, const unsigned char *sig, size_t size) { 148 const unsigned char *sigend = sig + size; 149 int rlen; 150 if (sig == sigend || *(sig++) != 0x30) { 151 /* The encoding doesn't start with a constructed sequence (X.690-0207 8.9.1). */ 152 return 0; 153 } 154 rlen = secp256k1_der_read_len(&sig, sigend); 155 if (rlen < 0 || sig + rlen > sigend) { 156 /* Tuple exceeds bounds */ 157 return 0; 158 } 159 if (sig + rlen != sigend) { 160 /* Garbage after tuple. */ 161 return 0; 162 } 163 164 if (!secp256k1_der_parse_integer(rr, &sig, sigend)) { 165 return 0; 166 } 167 if (!secp256k1_der_parse_integer(rs, &sig, sigend)) { 168 return 0; 169 } 170 171 if (sig != sigend) { 172 /* Trailing garbage inside tuple. */ 173 return 0; 174 } 175 176 return 1; 177 } 178 179 static int secp256k1_ecdsa_sig_serialize(unsigned char *sig, size_t *size, const secp256k1_scalar* ar, const secp256k1_scalar* as) { 180 unsigned char r[33] = {0}, s[33] = {0}; 181 unsigned char *rp = r, *sp = s; 182 size_t lenR = 33, lenS = 33; 183 secp256k1_scalar_get_b32(&r[1], ar); 184 secp256k1_scalar_get_b32(&s[1], as); 185 while (lenR > 1 && rp[0] == 0 && rp[1] < 0x80) { lenR--; rp++; } 186 while (lenS > 1 && sp[0] == 0 && sp[1] < 0x80) { lenS--; sp++; } 187 if (*size < 6+lenS+lenR) { 188 *size = 6 + lenS + lenR; 189 return 0; 190 } 191 *size = 6 + lenS + lenR; 192 sig[0] = 0x30; 193 sig[1] = 4 + lenS + lenR; 194 sig[2] = 0x02; 195 sig[3] = lenR; 196 memcpy(sig+4, rp, lenR); 197 sig[4+lenR] = 0x02; 198 sig[5+lenR] = lenS; 199 memcpy(sig+lenR+6, sp, lenS); 200 return 1; 201 } 202 203 static int secp256k1_ecdsa_sig_verify(const secp256k1_ecmult_context *ctx, const secp256k1_scalar *sigr, const secp256k1_scalar *sigs, const secp256k1_ge *pubkey, const secp256k1_scalar *message) { 204 unsigned char c[32]; 205 secp256k1_scalar sn, u1, u2; 206 #if !defined(EXHAUSTIVE_TEST_ORDER) 207 secp256k1_fe xr; 208 #endif 209 secp256k1_gej pubkeyj; 210 secp256k1_gej pr; 211 212 if (secp256k1_scalar_is_zero(sigr) || secp256k1_scalar_is_zero(sigs)) { 213 return 0; 214 } 215 216 secp256k1_scalar_inverse_var(&sn, sigs); 217 secp256k1_scalar_mul(&u1, &sn, message); 218 secp256k1_scalar_mul(&u2, &sn, sigr); 219 secp256k1_gej_set_ge(&pubkeyj, pubkey); 220 secp256k1_ecmult(ctx, &pr, &pubkeyj, &u2, &u1); 221 if (secp256k1_gej_is_infinity(&pr)) { 222 return 0; 223 } 224 225 #if defined(EXHAUSTIVE_TEST_ORDER) 226 { 227 secp256k1_scalar computed_r; 228 secp256k1_ge pr_ge; 229 secp256k1_ge_set_gej(&pr_ge, &pr); 230 secp256k1_fe_normalize(&pr_ge.x); 231 232 secp256k1_fe_get_b32(c, &pr_ge.x); 233 secp256k1_scalar_set_b32(&computed_r, c, NULL); 234 return secp256k1_scalar_eq(sigr, &computed_r); 235 } 236 #else 237 secp256k1_scalar_get_b32(c, sigr); 238 secp256k1_fe_set_b32(&xr, c); 239 240 /** We now have the recomputed R point in pr, and its claimed x coordinate (modulo n) 241 * in xr. Naively, we would extract the x coordinate from pr (requiring a inversion modulo p), 242 * compute the remainder modulo n, and compare it to xr. However: 243 * 244 * xr == X(pr) mod n 245 * <=> exists h. (xr + h * n < p && xr + h * n == X(pr)) 246 * [Since 2 * n > p, h can only be 0 or 1] 247 * <=> (xr == X(pr)) || (xr + n < p && xr + n == X(pr)) 248 * [In Jacobian coordinates, X(pr) is pr.x / pr.z^2 mod p] 249 * <=> (xr == pr.x / pr.z^2 mod p) || (xr + n < p && xr + n == pr.x / pr.z^2 mod p) 250 * [Multiplying both sides of the equations by pr.z^2 mod p] 251 * <=> (xr * pr.z^2 mod p == pr.x) || (xr + n < p && (xr + n) * pr.z^2 mod p == pr.x) 252 * 253 * Thus, we can avoid the inversion, but we have to check both cases separately. 254 * secp256k1_gej_eq_x implements the (xr * pr.z^2 mod p == pr.x) test. 255 */ 256 if (secp256k1_gej_eq_x_var(&xr, &pr)) { 257 /* xr * pr.z^2 mod p == pr.x, so the signature is valid. */ 258 return 1; 259 } 260 if (secp256k1_fe_cmp_var(&xr, &secp256k1_ecdsa_const_p_minus_order) >= 0) { 261 /* xr + n >= p, so we can skip testing the second case. */ 262 return 0; 263 } 264 secp256k1_fe_add(&xr, &secp256k1_ecdsa_const_order_as_fe); 265 if (secp256k1_gej_eq_x_var(&xr, &pr)) { 266 /* (xr + n) * pr.z^2 mod p == pr.x, so the signature is valid. */ 267 return 1; 268 } 269 return 0; 270 #endif 271 } 272 273 static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid) { 274 unsigned char b[32]; 275 secp256k1_gej rp; 276 secp256k1_ge r; 277 secp256k1_scalar n; 278 int overflow = 0; 279 280 secp256k1_ecmult_gen(ctx, &rp, nonce); 281 secp256k1_ge_set_gej(&r, &rp); 282 secp256k1_fe_normalize(&r.x); 283 secp256k1_fe_normalize(&r.y); 284 secp256k1_fe_get_b32(b, &r.x); 285 secp256k1_scalar_set_b32(sigr, b, &overflow); 286 /* These two conditions should be checked before calling */ 287 VERIFY_CHECK(!secp256k1_scalar_is_zero(sigr)); 288 VERIFY_CHECK(overflow == 0); 289 290 if (recid) { 291 /* The overflow condition is cryptographically unreachable as hitting it requires finding the discrete log 292 * of some P where P.x >= order, and only 1 in about 2^127 points meet this criteria. 293 */ 294 *recid = (overflow ? 2 : 0) | (secp256k1_fe_is_odd(&r.y) ? 1 : 0); 295 } 296 secp256k1_scalar_mul(&n, sigr, seckey); 297 secp256k1_scalar_add(&n, &n, message); 298 secp256k1_scalar_inverse(sigs, nonce); 299 secp256k1_scalar_mul(sigs, sigs, &n); 300 secp256k1_scalar_clear(&n); 301 secp256k1_gej_clear(&rp); 302 secp256k1_ge_clear(&r); 303 if (secp256k1_scalar_is_zero(sigs)) { 304 return 0; 305 } 306 if (secp256k1_scalar_is_high(sigs)) { 307 secp256k1_scalar_negate(sigs, sigs); 308 if (recid) { 309 *recid ^= 1; 310 } 311 } 312 return 1; 313 } 314 315 #endif