1 /***********************************************************************
2 * Copyright (c) 2013-2015 Pieter Wuille *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7 #include "include/secp256k1.h"
8 #include "include/secp256k1_preallocated.h"
9
10 #include "assumptions.h"
11 #include "util.h"
12 #include "field_impl.h"
13 #include "scalar_impl.h"
14 #include "group_impl.h"
15 #include "ecmult_impl.h"
16 #include "ecmult_const_impl.h"
17 #include "ecmult_gen_impl.h"
18 #include "ecdsa_impl.h"
19 #include "eckey_impl.h"
20 #include "hash_impl.h"
21 #include "scratch_impl.h"
22 #include "selftest.h"
23
24 #if defined(VALGRIND)
25 # include <valgrind/memcheck.h>
26 #endif
27
28 #define ARG_CHECK(cond) do { \
29 if (EXPECT(!(cond), 0)) { \
30 secp256k1_callback_call(&ctx->illegal_callback, #cond); \
31 return 0; \
32 } \
33 } while(0)
34
35 #define ARG_CHECK_NO_RETURN(cond) do { \
36 if (EXPECT(!(cond), 0)) { \
37 secp256k1_callback_call(&ctx->illegal_callback, #cond); \
38 } \
39 } while(0)
40
41 #ifndef USE_EXTERNAL_DEFAULT_CALLBACKS
42 #include <stdlib.h>
43 #include <stdio.h>
secp256k1_default_illegal_callback_fn(const char * str,void * data)44 static void secp256k1_default_illegal_callback_fn(const char* str, void* data) {
45 (void)data;
46 fprintf(stderr, "[libsecp256k1] illegal argument: %s\n", str);
47 abort();
48 }
secp256k1_default_error_callback_fn(const char * str,void * data)49 static void secp256k1_default_error_callback_fn(const char* str, void* data) {
50 (void)data;
51 fprintf(stderr, "[libsecp256k1] internal consistency check failed: %s\n", str);
52 abort();
53 }
54 #else
55 void secp256k1_default_illegal_callback_fn(const char* str, void* data);
56 void secp256k1_default_error_callback_fn(const char* str, void* data);
57 #endif
58
59 static const secp256k1_callback default_illegal_callback = {
60 secp256k1_default_illegal_callback_fn,
61 NULL
62 };
63
64 static const secp256k1_callback default_error_callback = {
65 secp256k1_default_error_callback_fn,
66 NULL
67 };
68
69 struct secp256k1_context_struct {
70 secp256k1_ecmult_context ecmult_ctx;
71 secp256k1_ecmult_gen_context ecmult_gen_ctx;
72 secp256k1_callback illegal_callback;
73 secp256k1_callback error_callback;
74 int declassify;
75 };
76
77 static const secp256k1_context secp256k1_context_no_precomp_ = {
78 { 0 },
79 { 0 },
80 { secp256k1_default_illegal_callback_fn, 0 },
81 { secp256k1_default_error_callback_fn, 0 },
82 0
83 };
84 const secp256k1_context *secp256k1_context_no_precomp = &secp256k1_context_no_precomp_;
85
secp256k1_context_preallocated_size(unsigned int flags)86 size_t secp256k1_context_preallocated_size(unsigned int flags) {
87 size_t ret = ROUND_TO_ALIGN(sizeof(secp256k1_context));
88 /* A return value of 0 is reserved as an indicator for errors when we call this function internally. */
89 VERIFY_CHECK(ret != 0);
90
91 if (EXPECT((flags & SECP256K1_FLAGS_TYPE_MASK) != SECP256K1_FLAGS_TYPE_CONTEXT, 0)) {
92 secp256k1_callback_call(&default_illegal_callback,
93 "Invalid flags");
94 return 0;
95 }
96
97 if (flags & SECP256K1_FLAGS_BIT_CONTEXT_SIGN) {
98 ret += SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE;
99 }
100 if (flags & SECP256K1_FLAGS_BIT_CONTEXT_VERIFY) {
101 ret += SECP256K1_ECMULT_CONTEXT_PREALLOCATED_SIZE;
102 }
103 return ret;
104 }
105
secp256k1_context_preallocated_clone_size(const secp256k1_context * ctx)106 size_t secp256k1_context_preallocated_clone_size(const secp256k1_context* ctx) {
107 size_t ret = ROUND_TO_ALIGN(sizeof(secp256k1_context));
108 VERIFY_CHECK(ctx != NULL);
109 if (secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)) {
110 ret += SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE;
111 }
112 if (secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx)) {
113 ret += SECP256K1_ECMULT_CONTEXT_PREALLOCATED_SIZE;
114 }
115 return ret;
116 }
117
secp256k1_context_preallocated_create(void * prealloc,unsigned int flags)118 secp256k1_context* secp256k1_context_preallocated_create(void* prealloc, unsigned int flags) {
119 void* const base = prealloc;
120 size_t prealloc_size;
121 secp256k1_context* ret;
122
123 if (!secp256k1_selftest()) {
124 secp256k1_callback_call(&default_error_callback, "self test failed");
125 }
126
127 prealloc_size = secp256k1_context_preallocated_size(flags);
128 if (prealloc_size == 0) {
129 return NULL;
130 }
131 VERIFY_CHECK(prealloc != NULL);
132 ret = (secp256k1_context*)manual_alloc(&prealloc, sizeof(secp256k1_context), base, prealloc_size);
133 ret->illegal_callback = default_illegal_callback;
134 ret->error_callback = default_error_callback;
135
136 secp256k1_ecmult_context_init(&ret->ecmult_ctx);
137 secp256k1_ecmult_gen_context_init(&ret->ecmult_gen_ctx);
138
139 /* Flags have been checked by secp256k1_context_preallocated_size. */
140 VERIFY_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_CONTEXT);
141 if (flags & SECP256K1_FLAGS_BIT_CONTEXT_SIGN) {
142 secp256k1_ecmult_gen_context_build(&ret->ecmult_gen_ctx, &prealloc);
143 }
144 if (flags & SECP256K1_FLAGS_BIT_CONTEXT_VERIFY) {
145 secp256k1_ecmult_context_build(&ret->ecmult_ctx, &prealloc);
146 }
147 ret->declassify = !!(flags & SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY);
148
149 return (secp256k1_context*) ret;
150 }
151
secp256k1_context_create(unsigned int flags)152 secp256k1_context* secp256k1_context_create(unsigned int flags) {
153 size_t const prealloc_size = secp256k1_context_preallocated_size(flags);
154 secp256k1_context* ctx = (secp256k1_context*)checked_malloc(&default_error_callback, prealloc_size);
155 if (EXPECT(secp256k1_context_preallocated_create(ctx, flags) == NULL, 0)) {
156 free(ctx);
157 return NULL;
158 }
159
160 return ctx;
161 }
162
secp256k1_context_preallocated_clone(const secp256k1_context * ctx,void * prealloc)163 secp256k1_context* secp256k1_context_preallocated_clone(const secp256k1_context* ctx, void* prealloc) {
164 size_t prealloc_size;
165 secp256k1_context* ret;
166 VERIFY_CHECK(ctx != NULL);
167 ARG_CHECK(prealloc != NULL);
168
169 prealloc_size = secp256k1_context_preallocated_clone_size(ctx);
170 ret = (secp256k1_context*)prealloc;
171 memcpy(ret, ctx, prealloc_size);
172 secp256k1_ecmult_gen_context_finalize_memcpy(&ret->ecmult_gen_ctx, &ctx->ecmult_gen_ctx);
173 secp256k1_ecmult_context_finalize_memcpy(&ret->ecmult_ctx, &ctx->ecmult_ctx);
174 return ret;
175 }
176
secp256k1_context_clone(const secp256k1_context * ctx)177 secp256k1_context* secp256k1_context_clone(const secp256k1_context* ctx) {
178 secp256k1_context* ret;
179 size_t prealloc_size;
180
181 VERIFY_CHECK(ctx != NULL);
182 prealloc_size = secp256k1_context_preallocated_clone_size(ctx);
183 ret = (secp256k1_context*)checked_malloc(&ctx->error_callback, prealloc_size);
184 ret = secp256k1_context_preallocated_clone(ctx, ret);
185 return ret;
186 }
187
secp256k1_context_preallocated_destroy(secp256k1_context * ctx)188 void secp256k1_context_preallocated_destroy(secp256k1_context* ctx) {
189 ARG_CHECK_NO_RETURN(ctx != secp256k1_context_no_precomp);
190 if (ctx != NULL) {
191 secp256k1_ecmult_context_clear(&ctx->ecmult_ctx);
192 secp256k1_ecmult_gen_context_clear(&ctx->ecmult_gen_ctx);
193 }
194 }
195
secp256k1_context_destroy(secp256k1_context * ctx)196 void secp256k1_context_destroy(secp256k1_context* ctx) {
197 if (ctx != NULL) {
198 secp256k1_context_preallocated_destroy(ctx);
199 free(ctx);
200 }
201 }
202
secp256k1_context_set_illegal_callback(secp256k1_context * ctx,void (* fun)(const char * message,void * data),const void * data)203 void secp256k1_context_set_illegal_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
204 ARG_CHECK_NO_RETURN(ctx != secp256k1_context_no_precomp);
205 if (fun == NULL) {
206 fun = secp256k1_default_illegal_callback_fn;
207 }
208 ctx->illegal_callback.fn = fun;
209 ctx->illegal_callback.data = data;
210 }
211
secp256k1_context_set_error_callback(secp256k1_context * ctx,void (* fun)(const char * message,void * data),const void * data)212 void secp256k1_context_set_error_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
213 ARG_CHECK_NO_RETURN(ctx != secp256k1_context_no_precomp);
214 if (fun == NULL) {
215 fun = secp256k1_default_error_callback_fn;
216 }
217 ctx->error_callback.fn = fun;
218 ctx->error_callback.data = data;
219 }
220
secp256k1_scratch_space_create(const secp256k1_context * ctx,size_t max_size)221 secp256k1_scratch_space* secp256k1_scratch_space_create(const secp256k1_context* ctx, size_t max_size) {
222 VERIFY_CHECK(ctx != NULL);
223 return secp256k1_scratch_create(&ctx->error_callback, max_size);
224 }
225
secp256k1_scratch_space_destroy(const secp256k1_context * ctx,secp256k1_scratch_space * scratch)226 void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space* scratch) {
227 VERIFY_CHECK(ctx != NULL);
228 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
229 }
230
231 /* Mark memory as no-longer-secret for the purpose of analysing constant-time behaviour
232 * of the software. This is setup for use with valgrind but could be substituted with
233 * the appropriate instrumentation for other analysis tools.
234 */
secp256k1_declassify(const secp256k1_context * ctx,const void * p,size_t len)235 static SECP256K1_INLINE void secp256k1_declassify(const secp256k1_context* ctx, const void *p, size_t len) {
236 #if defined(VALGRIND)
237 if (EXPECT(ctx->declassify,0)) VALGRIND_MAKE_MEM_DEFINED(p, len);
238 #else
239 (void)ctx;
240 (void)p;
241 (void)len;
242 #endif
243 }
244
secp256k1_pubkey_load(const secp256k1_context * ctx,secp256k1_ge * ge,const secp256k1_pubkey * pubkey)245 static int secp256k1_pubkey_load(const secp256k1_context* ctx, secp256k1_ge* ge, const secp256k1_pubkey* pubkey) {
246 if (sizeof(secp256k1_ge_storage) == 64) {
247 /* When the secp256k1_ge_storage type is exactly 64 byte, use its
248 * representation inside secp256k1_pubkey, as conversion is very fast.
249 * Note that secp256k1_pubkey_save must use the same representation. */
250 secp256k1_ge_storage s;
251 memcpy(&s, &pubkey->data[0], sizeof(s));
252 secp256k1_ge_from_storage(ge, &s);
253 } else {
254 /* Otherwise, fall back to 32-byte big endian for X and Y. */
255 secp256k1_fe x, y;
256 secp256k1_fe_set_b32(&x, pubkey->data);
257 secp256k1_fe_set_b32(&y, pubkey->data + 32);
258 secp256k1_ge_set_xy(ge, &x, &y);
259 }
260 ARG_CHECK(!secp256k1_fe_is_zero(&ge->x));
261 return 1;
262 }
263
secp256k1_pubkey_save(secp256k1_pubkey * pubkey,secp256k1_ge * ge)264 static void secp256k1_pubkey_save(secp256k1_pubkey* pubkey, secp256k1_ge* ge) {
265 if (sizeof(secp256k1_ge_storage) == 64) {
266 secp256k1_ge_storage s;
267 secp256k1_ge_to_storage(&s, ge);
268 memcpy(&pubkey->data[0], &s, sizeof(s));
269 } else {
270 VERIFY_CHECK(!secp256k1_ge_is_infinity(ge));
271 secp256k1_fe_normalize_var(&ge->x);
272 secp256k1_fe_normalize_var(&ge->y);
273 secp256k1_fe_get_b32(pubkey->data, &ge->x);
274 secp256k1_fe_get_b32(pubkey->data + 32, &ge->y);
275 }
276 }
277
secp256k1_ec_pubkey_parse(const secp256k1_context * ctx,secp256k1_pubkey * pubkey,const unsigned char * input,size_t inputlen)278 int secp256k1_ec_pubkey_parse(const secp256k1_context* ctx, secp256k1_pubkey* pubkey, const unsigned char *input, size_t inputlen) {
279 secp256k1_ge Q;
280
281 VERIFY_CHECK(ctx != NULL);
282 ARG_CHECK(pubkey != NULL);
283 memset(pubkey, 0, sizeof(*pubkey));
284 ARG_CHECK(input != NULL);
285 if (!secp256k1_eckey_pubkey_parse(&Q, input, inputlen)) {
286 return 0;
287 }
288 if (!secp256k1_ge_is_in_correct_subgroup(&Q)) {
289 return 0;
290 }
291 secp256k1_pubkey_save(pubkey, &Q);
292 secp256k1_ge_clear(&Q);
293 return 1;
294 }
295
secp256k1_ec_pubkey_serialize(const secp256k1_context * ctx,unsigned char * output,size_t * outputlen,const secp256k1_pubkey * pubkey,unsigned int flags)296 int secp256k1_ec_pubkey_serialize(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey* pubkey, unsigned int flags) {
297 secp256k1_ge Q;
298 size_t len;
299 int ret = 0;
300
301 VERIFY_CHECK(ctx != NULL);
302 ARG_CHECK(outputlen != NULL);
303 ARG_CHECK(*outputlen >= ((flags & SECP256K1_FLAGS_BIT_COMPRESSION) ? 33u : 65u));
304 len = *outputlen;
305 *outputlen = 0;
306 ARG_CHECK(output != NULL);
307 memset(output, 0, len);
308 ARG_CHECK(pubkey != NULL);
309 ARG_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_COMPRESSION);
310 if (secp256k1_pubkey_load(ctx, &Q, pubkey)) {
311 ret = secp256k1_eckey_pubkey_serialize(&Q, output, &len, flags & SECP256K1_FLAGS_BIT_COMPRESSION);
312 if (ret) {
313 *outputlen = len;
314 }
315 }
316 return ret;
317 }
318
secp256k1_ecdsa_signature_load(const secp256k1_context * ctx,secp256k1_scalar * r,secp256k1_scalar * s,const secp256k1_ecdsa_signature * sig)319 static void secp256k1_ecdsa_signature_load(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, const secp256k1_ecdsa_signature* sig) {
320 (void)ctx;
321 if (sizeof(secp256k1_scalar) == 32) {
322 /* When the secp256k1_scalar type is exactly 32 byte, use its
323 * representation inside secp256k1_ecdsa_signature, as conversion is very fast.
324 * Note that secp256k1_ecdsa_signature_save must use the same representation. */
325 memcpy(r, &sig->data[0], 32);
326 memcpy(s, &sig->data[32], 32);
327 } else {
328 secp256k1_scalar_set_b32(r, &sig->data[0], NULL);
329 secp256k1_scalar_set_b32(s, &sig->data[32], NULL);
330 }
331 }
332
secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature * sig,const secp256k1_scalar * r,const secp256k1_scalar * s)333 static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature* sig, const secp256k1_scalar* r, const secp256k1_scalar* s) {
334 if (sizeof(secp256k1_scalar) == 32) {
335 memcpy(&sig->data[0], r, 32);
336 memcpy(&sig->data[32], s, 32);
337 } else {
338 secp256k1_scalar_get_b32(&sig->data[0], r);
339 secp256k1_scalar_get_b32(&sig->data[32], s);
340 }
341 }
342
secp256k1_ecdsa_signature_parse_der(const secp256k1_context * ctx,secp256k1_ecdsa_signature * sig,const unsigned char * input,size_t inputlen)343 int secp256k1_ecdsa_signature_parse_der(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) {
344 secp256k1_scalar r, s;
345
346 VERIFY_CHECK(ctx != NULL);
347 ARG_CHECK(sig != NULL);
348 ARG_CHECK(input != NULL);
349
350 if (secp256k1_ecdsa_sig_parse(&r, &s, input, inputlen)) {
351 secp256k1_ecdsa_signature_save(sig, &r, &s);
352 return 1;
353 } else {
354 memset(sig, 0, sizeof(*sig));
355 return 0;
356 }
357 }
358
secp256k1_ecdsa_signature_parse_compact(const secp256k1_context * ctx,secp256k1_ecdsa_signature * sig,const unsigned char * input64)359 int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input64) {
360 secp256k1_scalar r, s;
361 int ret = 1;
362 int overflow = 0;
363
364 VERIFY_CHECK(ctx != NULL);
365 ARG_CHECK(sig != NULL);
366 ARG_CHECK(input64 != NULL);
367
368 secp256k1_scalar_set_b32(&r, &input64[0], &overflow);
369 ret &= !overflow;
370 secp256k1_scalar_set_b32(&s, &input64[32], &overflow);
371 ret &= !overflow;
372 if (ret) {
373 secp256k1_ecdsa_signature_save(sig, &r, &s);
374 } else {
375 memset(sig, 0, sizeof(*sig));
376 }
377 return ret;
378 }
379
secp256k1_ecdsa_signature_serialize_der(const secp256k1_context * ctx,unsigned char * output,size_t * outputlen,const secp256k1_ecdsa_signature * sig)380 int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature* sig) {
381 secp256k1_scalar r, s;
382
383 VERIFY_CHECK(ctx != NULL);
384 ARG_CHECK(output != NULL);
385 ARG_CHECK(outputlen != NULL);
386 ARG_CHECK(sig != NULL);
387
388 secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
389 return secp256k1_ecdsa_sig_serialize(output, outputlen, &r, &s);
390 }
391
secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context * ctx,unsigned char * output64,const secp256k1_ecdsa_signature * sig)392 int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context* ctx, unsigned char *output64, const secp256k1_ecdsa_signature* sig) {
393 secp256k1_scalar r, s;
394
395 VERIFY_CHECK(ctx != NULL);
396 ARG_CHECK(output64 != NULL);
397 ARG_CHECK(sig != NULL);
398
399 secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
400 secp256k1_scalar_get_b32(&output64[0], &r);
401 secp256k1_scalar_get_b32(&output64[32], &s);
402 return 1;
403 }
404
secp256k1_ecdsa_signature_normalize(const secp256k1_context * ctx,secp256k1_ecdsa_signature * sigout,const secp256k1_ecdsa_signature * sigin)405 int secp256k1_ecdsa_signature_normalize(const secp256k1_context* ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) {
406 secp256k1_scalar r, s;
407 int ret = 0;
408
409 VERIFY_CHECK(ctx != NULL);
410 ARG_CHECK(sigin != NULL);
411
412 secp256k1_ecdsa_signature_load(ctx, &r, &s, sigin);
413 ret = secp256k1_scalar_is_high(&s);
414 if (sigout != NULL) {
415 if (ret) {
416 secp256k1_scalar_negate(&s, &s);
417 }
418 secp256k1_ecdsa_signature_save(sigout, &r, &s);
419 }
420
421 return ret;
422 }
423
secp256k1_ecdsa_verify(const secp256k1_context * ctx,const secp256k1_ecdsa_signature * sig,const unsigned char * msghash32,const secp256k1_pubkey * pubkey)424 int secp256k1_ecdsa_verify(const secp256k1_context* ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) {
425 secp256k1_ge q;
426 secp256k1_scalar r, s;
427 secp256k1_scalar m;
428 VERIFY_CHECK(ctx != NULL);
429 ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
430 ARG_CHECK(msghash32 != NULL);
431 ARG_CHECK(sig != NULL);
432 ARG_CHECK(pubkey != NULL);
433
434 secp256k1_scalar_set_b32(&m, msghash32, NULL);
435 secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
436 return (!secp256k1_scalar_is_high(&s) &&
437 secp256k1_pubkey_load(ctx, &q, pubkey) &&
438 secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &r, &s, &q, &m));
439 }
440
buffer_append(unsigned char * buf,unsigned int * offset,const void * data,unsigned int len)441 static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *offset, const void *data, unsigned int len) {
442 memcpy(buf + *offset, data, len);
443 *offset += len;
444 }
445
nonce_function_rfc6979(unsigned char * nonce32,const unsigned char * msg32,const unsigned char * key32,const unsigned char * algo16,void * data,unsigned int counter)446 static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
447 unsigned char keydata[112];
448 unsigned int offset = 0;
449 secp256k1_rfc6979_hmac_sha256 rng;
450 unsigned int i;
451 /* We feed a byte array to the PRNG as input, consisting of:
452 * - the private key (32 bytes) and message (32 bytes), see RFC 6979 3.2d.
453 * - optionally 32 extra bytes of data, see RFC 6979 3.6 Additional Data.
454 * - optionally 16 extra bytes with the algorithm name.
455 * Because the arguments have distinct fixed lengths it is not possible for
456 * different argument mixtures to emulate each other and result in the same
457 * nonces.
458 */
459 buffer_append(keydata, &offset, key32, 32);
460 buffer_append(keydata, &offset, msg32, 32);
461 if (data != NULL) {
462 buffer_append(keydata, &offset, data, 32);
463 }
464 if (algo16 != NULL) {
465 buffer_append(keydata, &offset, algo16, 16);
466 }
467 secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, offset);
468 memset(keydata, 0, sizeof(keydata));
469 for (i = 0; i <= counter; i++) {
470 secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
471 }
472 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
473 return 1;
474 }
475
476 const secp256k1_nonce_function secp256k1_nonce_function_rfc6979 = nonce_function_rfc6979;
477 const secp256k1_nonce_function secp256k1_nonce_function_default = nonce_function_rfc6979;
478
secp256k1_ecdsa_sign_inner(const secp256k1_context * ctx,secp256k1_scalar * r,secp256k1_scalar * s,int * recid,const unsigned char * msg32,const unsigned char * seckey,secp256k1_nonce_function noncefp,const void * noncedata)479 static int secp256k1_ecdsa_sign_inner(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, int* recid, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
480 secp256k1_scalar sec, non, msg;
481 int ret = 0;
482 int is_sec_valid;
483 unsigned char nonce32[32];
484 unsigned int count = 0;
485 /* Default initialization here is important so we won't pass uninit values to the cmov in the end */
486 *r = secp256k1_scalar_zero;
487 *s = secp256k1_scalar_zero;
488 if (recid) {
489 *recid = 0;
490 }
491 if (noncefp == NULL) {
492 noncefp = secp256k1_nonce_function_default;
493 }
494
495 /* Fail if the secret key is invalid. */
496 is_sec_valid = secp256k1_scalar_set_b32_seckey(&sec, seckey);
497 secp256k1_scalar_cmov(&sec, &secp256k1_scalar_one, !is_sec_valid);
498 secp256k1_scalar_set_b32(&msg, msg32, NULL);
499 while (1) {
500 int is_nonce_valid;
501 ret = !!noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count);
502 if (!ret) {
503 break;
504 }
505 is_nonce_valid = secp256k1_scalar_set_b32_seckey(&non, nonce32);
506 /* The nonce is still secret here, but it being invalid is is less likely than 1:2^255. */
507 secp256k1_declassify(ctx, &is_nonce_valid, sizeof(is_nonce_valid));
508 if (is_nonce_valid) {
509 ret = secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, r, s, &sec, &msg, &non, recid);
510 /* The final signature is no longer a secret, nor is the fact that we were successful or not. */
511 secp256k1_declassify(ctx, &ret, sizeof(ret));
512 if (ret) {
513 break;
514 }
515 }
516 count++;
517 }
518 /* We don't want to declassify is_sec_valid and therefore the range of
519 * seckey. As a result is_sec_valid is included in ret only after ret was
520 * used as a branching variable. */
521 ret &= is_sec_valid;
522 memset(nonce32, 0, 32);
523 secp256k1_scalar_clear(&msg);
524 secp256k1_scalar_clear(&non);
525 secp256k1_scalar_clear(&sec);
526 secp256k1_scalar_cmov(r, &secp256k1_scalar_zero, !ret);
527 secp256k1_scalar_cmov(s, &secp256k1_scalar_zero, !ret);
528 if (recid) {
529 const int zero = 0;
530 secp256k1_int_cmov(recid, &zero, !ret);
531 }
532 return ret;
533 }
534
secp256k1_ecdsa_sign(const secp256k1_context * ctx,secp256k1_ecdsa_signature * signature,const unsigned char * msghash32,const unsigned char * seckey,secp256k1_nonce_function noncefp,const void * noncedata)535 int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
536 secp256k1_scalar r, s;
537 int ret;
538 VERIFY_CHECK(ctx != NULL);
539 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
540 ARG_CHECK(msghash32 != NULL);
541 ARG_CHECK(signature != NULL);
542 ARG_CHECK(seckey != NULL);
543
544 ret = secp256k1_ecdsa_sign_inner(ctx, &r, &s, NULL, msghash32, seckey, noncefp, noncedata);
545 secp256k1_ecdsa_signature_save(signature, &r, &s);
546 return ret;
547 }
548
secp256k1_ec_seckey_verify(const secp256k1_context * ctx,const unsigned char * seckey)549 int secp256k1_ec_seckey_verify(const secp256k1_context* ctx, const unsigned char *seckey) {
550 secp256k1_scalar sec;
551 int ret;
552 VERIFY_CHECK(ctx != NULL);
553 ARG_CHECK(seckey != NULL);
554
555 ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
556 secp256k1_scalar_clear(&sec);
557 return ret;
558 }
559
secp256k1_ec_pubkey_create_helper(const secp256k1_ecmult_gen_context * ecmult_gen_ctx,secp256k1_scalar * seckey_scalar,secp256k1_ge * p,const unsigned char * seckey)560 static int secp256k1_ec_pubkey_create_helper(const secp256k1_ecmult_gen_context *ecmult_gen_ctx, secp256k1_scalar *seckey_scalar, secp256k1_ge *p, const unsigned char *seckey) {
561 secp256k1_gej pj;
562 int ret;
563
564 ret = secp256k1_scalar_set_b32_seckey(seckey_scalar, seckey);
565 secp256k1_scalar_cmov(seckey_scalar, &secp256k1_scalar_one, !ret);
566
567 secp256k1_ecmult_gen(ecmult_gen_ctx, &pj, seckey_scalar);
568 secp256k1_ge_set_gej(p, &pj);
569 return ret;
570 }
571
secp256k1_ec_pubkey_create(const secp256k1_context * ctx,secp256k1_pubkey * pubkey,const unsigned char * seckey)572 int secp256k1_ec_pubkey_create(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) {
573 secp256k1_ge p;
574 secp256k1_scalar seckey_scalar;
575 int ret = 0;
576 VERIFY_CHECK(ctx != NULL);
577 ARG_CHECK(pubkey != NULL);
578 memset(pubkey, 0, sizeof(*pubkey));
579 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
580 ARG_CHECK(seckey != NULL);
581
582 ret = secp256k1_ec_pubkey_create_helper(&ctx->ecmult_gen_ctx, &seckey_scalar, &p, seckey);
583 secp256k1_pubkey_save(pubkey, &p);
584 secp256k1_memczero(pubkey, sizeof(*pubkey), !ret);
585
586 secp256k1_scalar_clear(&seckey_scalar);
587 return ret;
588 }
589
secp256k1_ec_seckey_negate(const secp256k1_context * ctx,unsigned char * seckey)590 int secp256k1_ec_seckey_negate(const secp256k1_context* ctx, unsigned char *seckey) {
591 secp256k1_scalar sec;
592 int ret = 0;
593 VERIFY_CHECK(ctx != NULL);
594 ARG_CHECK(seckey != NULL);
595
596 ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
597 secp256k1_scalar_cmov(&sec, &secp256k1_scalar_zero, !ret);
598 secp256k1_scalar_negate(&sec, &sec);
599 secp256k1_scalar_get_b32(seckey, &sec);
600
601 secp256k1_scalar_clear(&sec);
602 return ret;
603 }
604
secp256k1_ec_privkey_negate(const secp256k1_context * ctx,unsigned char * seckey)605 int secp256k1_ec_privkey_negate(const secp256k1_context* ctx, unsigned char *seckey) {
606 return secp256k1_ec_seckey_negate(ctx, seckey);
607 }
608
secp256k1_ec_pubkey_negate(const secp256k1_context * ctx,secp256k1_pubkey * pubkey)609 int secp256k1_ec_pubkey_negate(const secp256k1_context* ctx, secp256k1_pubkey *pubkey) {
610 int ret = 0;
611 secp256k1_ge p;
612 VERIFY_CHECK(ctx != NULL);
613 ARG_CHECK(pubkey != NULL);
614
615 ret = secp256k1_pubkey_load(ctx, &p, pubkey);
616 memset(pubkey, 0, sizeof(*pubkey));
617 if (ret) {
618 secp256k1_ge_neg(&p, &p);
619 secp256k1_pubkey_save(pubkey, &p);
620 }
621 return ret;
622 }
623
624
secp256k1_ec_seckey_tweak_add_helper(secp256k1_scalar * sec,const unsigned char * tweak32)625 static int secp256k1_ec_seckey_tweak_add_helper(secp256k1_scalar *sec, const unsigned char *tweak32) {
626 secp256k1_scalar term;
627 int overflow = 0;
628 int ret = 0;
629
630 secp256k1_scalar_set_b32(&term, tweak32, &overflow);
631 ret = (!overflow) & secp256k1_eckey_privkey_tweak_add(sec, &term);
632 secp256k1_scalar_clear(&term);
633 return ret;
634 }
635
secp256k1_ec_seckey_tweak_add(const secp256k1_context * ctx,unsigned char * seckey,const unsigned char * tweak32)636 int secp256k1_ec_seckey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
637 secp256k1_scalar sec;
638 int ret = 0;
639 VERIFY_CHECK(ctx != NULL);
640 ARG_CHECK(seckey != NULL);
641 ARG_CHECK(tweak32 != NULL);
642
643 ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
644 ret &= secp256k1_ec_seckey_tweak_add_helper(&sec, tweak32);
645 secp256k1_scalar_cmov(&sec, &secp256k1_scalar_zero, !ret);
646 secp256k1_scalar_get_b32(seckey, &sec);
647
648 secp256k1_scalar_clear(&sec);
649 return ret;
650 }
651
secp256k1_ec_privkey_tweak_add(const secp256k1_context * ctx,unsigned char * seckey,const unsigned char * tweak32)652 int secp256k1_ec_privkey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
653 return secp256k1_ec_seckey_tweak_add(ctx, seckey, tweak32);
654 }
655
secp256k1_ec_pubkey_tweak_add_helper(const secp256k1_ecmult_context * ecmult_ctx,secp256k1_ge * p,const unsigned char * tweak32)656 static int secp256k1_ec_pubkey_tweak_add_helper(const secp256k1_ecmult_context* ecmult_ctx, secp256k1_ge *p, const unsigned char *tweak32) {
657 secp256k1_scalar term;
658 int overflow = 0;
659 secp256k1_scalar_set_b32(&term, tweak32, &overflow);
660 return !overflow && secp256k1_eckey_pubkey_tweak_add(ecmult_ctx, p, &term);
661 }
662
secp256k1_ec_pubkey_tweak_add(const secp256k1_context * ctx,secp256k1_pubkey * pubkey,const unsigned char * tweak32)663 int secp256k1_ec_pubkey_tweak_add(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) {
664 secp256k1_ge p;
665 int ret = 0;
666 VERIFY_CHECK(ctx != NULL);
667 ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
668 ARG_CHECK(pubkey != NULL);
669 ARG_CHECK(tweak32 != NULL);
670
671 ret = secp256k1_pubkey_load(ctx, &p, pubkey);
672 memset(pubkey, 0, sizeof(*pubkey));
673 ret = ret && secp256k1_ec_pubkey_tweak_add_helper(&ctx->ecmult_ctx, &p, tweak32);
674 if (ret) {
675 secp256k1_pubkey_save(pubkey, &p);
676 }
677
678 return ret;
679 }
680
secp256k1_ec_seckey_tweak_mul(const secp256k1_context * ctx,unsigned char * seckey,const unsigned char * tweak32)681 int secp256k1_ec_seckey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
682 secp256k1_scalar factor;
683 secp256k1_scalar sec;
684 int ret = 0;
685 int overflow = 0;
686 VERIFY_CHECK(ctx != NULL);
687 ARG_CHECK(seckey != NULL);
688 ARG_CHECK(tweak32 != NULL);
689
690 secp256k1_scalar_set_b32(&factor, tweak32, &overflow);
691 ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
692 ret &= (!overflow) & secp256k1_eckey_privkey_tweak_mul(&sec, &factor);
693 secp256k1_scalar_cmov(&sec, &secp256k1_scalar_zero, !ret);
694 secp256k1_scalar_get_b32(seckey, &sec);
695
696 secp256k1_scalar_clear(&sec);
697 secp256k1_scalar_clear(&factor);
698 return ret;
699 }
700
secp256k1_ec_privkey_tweak_mul(const secp256k1_context * ctx,unsigned char * seckey,const unsigned char * tweak32)701 int secp256k1_ec_privkey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak32) {
702 return secp256k1_ec_seckey_tweak_mul(ctx, seckey, tweak32);
703 }
704
secp256k1_ec_pubkey_tweak_mul(const secp256k1_context * ctx,secp256k1_pubkey * pubkey,const unsigned char * tweak32)705 int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) {
706 secp256k1_ge p;
707 secp256k1_scalar factor;
708 int ret = 0;
709 int overflow = 0;
710 VERIFY_CHECK(ctx != NULL);
711 ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
712 ARG_CHECK(pubkey != NULL);
713 ARG_CHECK(tweak32 != NULL);
714
715 secp256k1_scalar_set_b32(&factor, tweak32, &overflow);
716 ret = !overflow && secp256k1_pubkey_load(ctx, &p, pubkey);
717 memset(pubkey, 0, sizeof(*pubkey));
718 if (ret) {
719 if (secp256k1_eckey_pubkey_tweak_mul(&ctx->ecmult_ctx, &p, &factor)) {
720 secp256k1_pubkey_save(pubkey, &p);
721 } else {
722 ret = 0;
723 }
724 }
725
726 return ret;
727 }
728
secp256k1_context_randomize(secp256k1_context * ctx,const unsigned char * seed32)729 int secp256k1_context_randomize(secp256k1_context* ctx, const unsigned char *seed32) {
730 VERIFY_CHECK(ctx != NULL);
731 if (secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)) {
732 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
733 }
734 return 1;
735 }
736
secp256k1_ec_pubkey_combine(const secp256k1_context * ctx,secp256k1_pubkey * pubnonce,const secp256k1_pubkey * const * pubnonces,size_t n)737 int secp256k1_ec_pubkey_combine(const secp256k1_context* ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey * const *pubnonces, size_t n) {
738 size_t i;
739 secp256k1_gej Qj;
740 secp256k1_ge Q;
741
742 ARG_CHECK(pubnonce != NULL);
743 memset(pubnonce, 0, sizeof(*pubnonce));
744 ARG_CHECK(n >= 1);
745 ARG_CHECK(pubnonces != NULL);
746
747 secp256k1_gej_set_infinity(&Qj);
748
749 for (i = 0; i < n; i++) {
750 secp256k1_pubkey_load(ctx, &Q, pubnonces[i]);
751 secp256k1_gej_add_ge(&Qj, &Qj, &Q);
752 }
753 if (secp256k1_gej_is_infinity(&Qj)) {
754 return 0;
755 }
756 secp256k1_ge_set_gej(&Q, &Qj);
757 secp256k1_pubkey_save(pubnonce, &Q);
758 return 1;
759 }
760
761 #ifdef ENABLE_MODULE_ECDH
762 # include "modules/ecdh/main_impl.h"
763 #endif
764
765 #ifdef ENABLE_MODULE_RECOVERY
766 # include "modules/recovery/main_impl.h"
767 #endif
768
769 #ifdef ENABLE_MODULE_EXTRAKEYS
770 # include "modules/extrakeys/main_impl.h"
771 #endif
772
773 #ifdef ENABLE_MODULE_SCHNORRSIG
774 # include "modules/schnorrsig/main_impl.h"
775 #endif
776