1 /**********************************************************************
2 * Copyright (c) 2013-2015 Pieter Wuille *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
7 #include "include/secp256k1.h"
11 #include "field_impl.h"
12 #include "scalar_impl.h"
13 #include "group_impl.h"
14 #include "ecmult_impl.h"
15 #include "ecmult_const_impl.h"
16 #include "ecmult_gen_impl.h"
17 #include "ecdsa_impl.h"
18 #include "eckey_impl.h"
19 #include "hash_impl.h"
21 #define ARG_CHECK(cond) do { \
22 if (EXPECT(!(cond), 0)) { \
23 secp256k1_callback_call(&ctx->illegal_callback, #cond); \
28 static void default_illegal_callback_fn(const char* str
, void* data
) {
30 fprintf(stderr
, "[libsecp256k1] illegal argument: %s\n", str
);
34 static const secp256k1_callback default_illegal_callback
= {
35 default_illegal_callback_fn
,
39 static void default_error_callback_fn(const char* str
, void* data
) {
41 fprintf(stderr
, "[libsecp256k1] internal consistency check failed: %s\n", str
);
45 static const secp256k1_callback default_error_callback
= {
46 default_error_callback_fn
,
51 struct secp256k1_context_struct
{
52 secp256k1_ecmult_context ecmult_ctx
;
53 secp256k1_ecmult_gen_context ecmult_gen_ctx
;
54 secp256k1_callback illegal_callback
;
55 secp256k1_callback error_callback
;
58 secp256k1_context
* secp256k1_context_create(unsigned int flags
) {
59 secp256k1_context
* ret
= (secp256k1_context
*)checked_malloc(&default_error_callback
, sizeof(secp256k1_context
));
60 ret
->illegal_callback
= default_illegal_callback
;
61 ret
->error_callback
= default_error_callback
;
63 if (EXPECT((flags
& SECP256K1_FLAGS_TYPE_MASK
) != SECP256K1_FLAGS_TYPE_CONTEXT
, 0)) {
64 secp256k1_callback_call(&ret
->illegal_callback
,
70 secp256k1_ecmult_context_init(&ret
->ecmult_ctx
);
71 secp256k1_ecmult_gen_context_init(&ret
->ecmult_gen_ctx
);
73 if (flags
& SECP256K1_FLAGS_BIT_CONTEXT_SIGN
) {
74 secp256k1_ecmult_gen_context_build(&ret
->ecmult_gen_ctx
, &ret
->error_callback
);
76 if (flags
& SECP256K1_FLAGS_BIT_CONTEXT_VERIFY
) {
77 secp256k1_ecmult_context_build(&ret
->ecmult_ctx
, &ret
->error_callback
);
83 secp256k1_context
* secp256k1_context_clone(const secp256k1_context
* ctx
) {
84 secp256k1_context
* ret
= (secp256k1_context
*)checked_malloc(&ctx
->error_callback
, sizeof(secp256k1_context
));
85 ret
->illegal_callback
= ctx
->illegal_callback
;
86 ret
->error_callback
= ctx
->error_callback
;
87 secp256k1_ecmult_context_clone(&ret
->ecmult_ctx
, &ctx
->ecmult_ctx
, &ctx
->error_callback
);
88 secp256k1_ecmult_gen_context_clone(&ret
->ecmult_gen_ctx
, &ctx
->ecmult_gen_ctx
, &ctx
->error_callback
);
92 void secp256k1_context_destroy(secp256k1_context
* ctx
) {
94 secp256k1_ecmult_context_clear(&ctx
->ecmult_ctx
);
95 secp256k1_ecmult_gen_context_clear(&ctx
->ecmult_gen_ctx
);
101 void secp256k1_context_set_illegal_callback(secp256k1_context
* ctx
, void (*fun
)(const char* message
, void* data
), const void* data
) {
103 fun
= default_illegal_callback_fn
;
105 ctx
->illegal_callback
.fn
= fun
;
106 ctx
->illegal_callback
.data
= data
;
109 void secp256k1_context_set_error_callback(secp256k1_context
* ctx
, void (*fun
)(const char* message
, void* data
), const void* data
) {
111 fun
= default_error_callback_fn
;
113 ctx
->error_callback
.fn
= fun
;
114 ctx
->error_callback
.data
= data
;
117 static int secp256k1_pubkey_load(const secp256k1_context
* ctx
, secp256k1_ge
* ge
, const secp256k1_pubkey
* pubkey
) {
118 if (sizeof(secp256k1_ge_storage
) == 64) {
119 /* When the secp256k1_ge_storage type is exactly 64 byte, use its
120 * representation inside secp256k1_pubkey, as conversion is very fast.
121 * Note that secp256k1_pubkey_save must use the same representation. */
122 secp256k1_ge_storage s
;
123 memcpy(&s
, &pubkey
->data
[0], 64);
124 secp256k1_ge_from_storage(ge
, &s
);
126 /* Otherwise, fall back to 32-byte big endian for X and Y. */
128 secp256k1_fe_set_b32(&x
, pubkey
->data
);
129 secp256k1_fe_set_b32(&y
, pubkey
->data
+ 32);
130 secp256k1_ge_set_xy(ge
, &x
, &y
);
132 ARG_CHECK(!secp256k1_fe_is_zero(&ge
->x
));
136 static void secp256k1_pubkey_save(secp256k1_pubkey
* pubkey
, secp256k1_ge
* ge
) {
137 if (sizeof(secp256k1_ge_storage
) == 64) {
138 secp256k1_ge_storage s
;
139 secp256k1_ge_to_storage(&s
, ge
);
140 memcpy(&pubkey
->data
[0], &s
, 64);
142 VERIFY_CHECK(!secp256k1_ge_is_infinity(ge
));
143 secp256k1_fe_normalize_var(&ge
->x
);
144 secp256k1_fe_normalize_var(&ge
->y
);
145 secp256k1_fe_get_b32(pubkey
->data
, &ge
->x
);
146 secp256k1_fe_get_b32(pubkey
->data
+ 32, &ge
->y
);
150 int secp256k1_ec_pubkey_parse(const secp256k1_context
* ctx
, secp256k1_pubkey
* pubkey
, const unsigned char *input
, size_t inputlen
) {
153 VERIFY_CHECK(ctx
!= NULL
);
154 ARG_CHECK(pubkey
!= NULL
);
155 memset(pubkey
, 0, sizeof(*pubkey
));
156 ARG_CHECK(input
!= NULL
);
157 if (!secp256k1_eckey_pubkey_parse(&Q
, input
, inputlen
)) {
160 secp256k1_pubkey_save(pubkey
, &Q
);
161 secp256k1_ge_clear(&Q
);
165 int secp256k1_ec_pubkey_serialize(const secp256k1_context
* ctx
, unsigned char *output
, size_t *outputlen
, const secp256k1_pubkey
* pubkey
, unsigned int flags
) {
170 VERIFY_CHECK(ctx
!= NULL
);
171 ARG_CHECK(outputlen
!= NULL
);
172 ARG_CHECK(*outputlen
>= ((flags
& SECP256K1_FLAGS_BIT_COMPRESSION
) ? 33 : 65));
175 ARG_CHECK(output
!= NULL
);
176 memset(output
, 0, len
);
177 ARG_CHECK(pubkey
!= NULL
);
178 ARG_CHECK((flags
& SECP256K1_FLAGS_TYPE_MASK
) == SECP256K1_FLAGS_TYPE_COMPRESSION
);
179 if (secp256k1_pubkey_load(ctx
, &Q
, pubkey
)) {
180 ret
= secp256k1_eckey_pubkey_serialize(&Q
, output
, &len
, flags
& SECP256K1_FLAGS_BIT_COMPRESSION
);
188 static void secp256k1_ecdsa_signature_load(const secp256k1_context
* ctx
, secp256k1_scalar
* r
, secp256k1_scalar
* s
, const secp256k1_ecdsa_signature
* sig
) {
190 if (sizeof(secp256k1_scalar
) == 32) {
191 /* When the secp256k1_scalar type is exactly 32 byte, use its
192 * representation inside secp256k1_ecdsa_signature, as conversion is very fast.
193 * Note that secp256k1_ecdsa_signature_save must use the same representation. */
194 memcpy(r
, &sig
->data
[0], 32);
195 memcpy(s
, &sig
->data
[32], 32);
197 secp256k1_scalar_set_b32(r
, &sig
->data
[0], NULL
);
198 secp256k1_scalar_set_b32(s
, &sig
->data
[32], NULL
);
202 static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature
* sig
, const secp256k1_scalar
* r
, const secp256k1_scalar
* s
) {
203 if (sizeof(secp256k1_scalar
) == 32) {
204 memcpy(&sig
->data
[0], r
, 32);
205 memcpy(&sig
->data
[32], s
, 32);
207 secp256k1_scalar_get_b32(&sig
->data
[0], r
);
208 secp256k1_scalar_get_b32(&sig
->data
[32], s
);
212 int secp256k1_ecdsa_signature_parse_der(const secp256k1_context
* ctx
, secp256k1_ecdsa_signature
* sig
, const unsigned char *input
, size_t inputlen
) {
213 secp256k1_scalar r
, s
;
215 VERIFY_CHECK(ctx
!= NULL
);
216 ARG_CHECK(sig
!= NULL
);
217 ARG_CHECK(input
!= NULL
);
219 if (secp256k1_ecdsa_sig_parse(&r
, &s
, input
, inputlen
)) {
220 secp256k1_ecdsa_signature_save(sig
, &r
, &s
);
223 memset(sig
, 0, sizeof(*sig
));
228 int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context
* ctx
, secp256k1_ecdsa_signature
* sig
, const unsigned char *input64
) {
229 secp256k1_scalar r
, s
;
233 VERIFY_CHECK(ctx
!= NULL
);
234 ARG_CHECK(sig
!= NULL
);
235 ARG_CHECK(input64
!= NULL
);
237 secp256k1_scalar_set_b32(&r
, &input64
[0], &overflow
);
239 secp256k1_scalar_set_b32(&s
, &input64
[32], &overflow
);
242 secp256k1_ecdsa_signature_save(sig
, &r
, &s
);
244 memset(sig
, 0, sizeof(*sig
));
249 int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context
* ctx
, unsigned char *output
, size_t *outputlen
, const secp256k1_ecdsa_signature
* sig
) {
250 secp256k1_scalar r
, s
;
252 VERIFY_CHECK(ctx
!= NULL
);
253 ARG_CHECK(output
!= NULL
);
254 ARG_CHECK(outputlen
!= NULL
);
255 ARG_CHECK(sig
!= NULL
);
257 secp256k1_ecdsa_signature_load(ctx
, &r
, &s
, sig
);
258 return secp256k1_ecdsa_sig_serialize(output
, outputlen
, &r
, &s
);
261 int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context
* ctx
, unsigned char *output64
, const secp256k1_ecdsa_signature
* sig
) {
262 secp256k1_scalar r
, s
;
264 VERIFY_CHECK(ctx
!= NULL
);
265 ARG_CHECK(output64
!= NULL
);
266 ARG_CHECK(sig
!= NULL
);
268 secp256k1_ecdsa_signature_load(ctx
, &r
, &s
, sig
);
269 secp256k1_scalar_get_b32(&output64
[0], &r
);
270 secp256k1_scalar_get_b32(&output64
[32], &s
);
274 int secp256k1_ecdsa_signature_normalize(const secp256k1_context
* ctx
, secp256k1_ecdsa_signature
*sigout
, const secp256k1_ecdsa_signature
*sigin
) {
275 secp256k1_scalar r
, s
;
278 VERIFY_CHECK(ctx
!= NULL
);
279 ARG_CHECK(sigin
!= NULL
);
281 secp256k1_ecdsa_signature_load(ctx
, &r
, &s
, sigin
);
282 ret
= secp256k1_scalar_is_high(&s
);
283 if (sigout
!= NULL
) {
285 secp256k1_scalar_negate(&s
, &s
);
287 secp256k1_ecdsa_signature_save(sigout
, &r
, &s
);
293 int secp256k1_ecdsa_verify(const secp256k1_context
* ctx
, const secp256k1_ecdsa_signature
*sig
, const unsigned char *msg32
, const secp256k1_pubkey
*pubkey
) {
295 secp256k1_scalar r
, s
;
297 VERIFY_CHECK(ctx
!= NULL
);
298 ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx
->ecmult_ctx
));
299 ARG_CHECK(msg32
!= NULL
);
300 ARG_CHECK(sig
!= NULL
);
301 ARG_CHECK(pubkey
!= NULL
);
303 secp256k1_scalar_set_b32(&m
, msg32
, NULL
);
304 secp256k1_ecdsa_signature_load(ctx
, &r
, &s
, sig
);
305 return (!secp256k1_scalar_is_high(&s
) &&
306 secp256k1_pubkey_load(ctx
, &q
, pubkey
) &&
307 secp256k1_ecdsa_sig_verify(&ctx
->ecmult_ctx
, &r
, &s
, &q
, &m
));
310 static int nonce_function_rfc6979(unsigned char *nonce32
, const unsigned char *msg32
, const unsigned char *key32
, const unsigned char *algo16
, void *data
, unsigned int counter
) {
311 unsigned char keydata
[112];
313 secp256k1_rfc6979_hmac_sha256_t rng
;
315 /* We feed a byte array to the PRNG as input, consisting of:
316 * - the private key (32 bytes) and message (32 bytes), see RFC 6979 3.2d.
317 * - optionally 32 extra bytes of data, see RFC 6979 3.6 Additional Data.
318 * - optionally 16 extra bytes with the algorithm name.
319 * Because the arguments have distinct fixed lengths it is not possible for
320 * different argument mixtures to emulate each other and result in the same
323 memcpy(keydata
, key32
, 32);
324 memcpy(keydata
+ 32, msg32
, 32);
326 memcpy(keydata
+ 64, data
, 32);
329 if (algo16
!= NULL
) {
330 memcpy(keydata
+ keylen
, algo16
, 16);
333 secp256k1_rfc6979_hmac_sha256_initialize(&rng
, keydata
, keylen
);
334 memset(keydata
, 0, sizeof(keydata
));
335 for (i
= 0; i
<= counter
; i
++) {
336 secp256k1_rfc6979_hmac_sha256_generate(&rng
, nonce32
, 32);
338 secp256k1_rfc6979_hmac_sha256_finalize(&rng
);
342 const secp256k1_nonce_function secp256k1_nonce_function_rfc6979
= nonce_function_rfc6979
;
343 const secp256k1_nonce_function secp256k1_nonce_function_default
= nonce_function_rfc6979
;
345 int secp256k1_ecdsa_sign(const secp256k1_context
* ctx
, secp256k1_ecdsa_signature
*signature
, const unsigned char *msg32
, const unsigned char *seckey
, secp256k1_nonce_function noncefp
, const void* noncedata
) {
346 secp256k1_scalar r
, s
;
347 secp256k1_scalar sec
, non
, msg
;
350 VERIFY_CHECK(ctx
!= NULL
);
351 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx
->ecmult_gen_ctx
));
352 ARG_CHECK(msg32
!= NULL
);
353 ARG_CHECK(signature
!= NULL
);
354 ARG_CHECK(seckey
!= NULL
);
355 if (noncefp
== NULL
) {
356 noncefp
= secp256k1_nonce_function_default
;
359 secp256k1_scalar_set_b32(&sec
, seckey
, &overflow
);
360 /* Fail if the secret key is invalid. */
361 if (!overflow
&& !secp256k1_scalar_is_zero(&sec
)) {
362 unsigned char nonce32
[32];
363 unsigned int count
= 0;
364 secp256k1_scalar_set_b32(&msg
, msg32
, NULL
);
366 ret
= noncefp(nonce32
, msg32
, seckey
, NULL
, (void*)noncedata
, count
);
370 secp256k1_scalar_set_b32(&non
, nonce32
, &overflow
);
371 if (!overflow
&& !secp256k1_scalar_is_zero(&non
)) {
372 if (secp256k1_ecdsa_sig_sign(&ctx
->ecmult_gen_ctx
, &r
, &s
, &sec
, &msg
, &non
, NULL
)) {
378 memset(nonce32
, 0, 32);
379 secp256k1_scalar_clear(&msg
);
380 secp256k1_scalar_clear(&non
);
381 secp256k1_scalar_clear(&sec
);
384 secp256k1_ecdsa_signature_save(signature
, &r
, &s
);
386 memset(signature
, 0, sizeof(*signature
));
391 int secp256k1_ec_seckey_verify(const secp256k1_context
* ctx
, const unsigned char *seckey
) {
392 secp256k1_scalar sec
;
395 VERIFY_CHECK(ctx
!= NULL
);
396 ARG_CHECK(seckey
!= NULL
);
398 secp256k1_scalar_set_b32(&sec
, seckey
, &overflow
);
399 ret
= !overflow
&& !secp256k1_scalar_is_zero(&sec
);
400 secp256k1_scalar_clear(&sec
);
404 int secp256k1_ec_pubkey_create(const secp256k1_context
* ctx
, secp256k1_pubkey
*pubkey
, const unsigned char *seckey
) {
407 secp256k1_scalar sec
;
410 VERIFY_CHECK(ctx
!= NULL
);
411 ARG_CHECK(pubkey
!= NULL
);
412 memset(pubkey
, 0, sizeof(*pubkey
));
413 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx
->ecmult_gen_ctx
));
414 ARG_CHECK(seckey
!= NULL
);
416 secp256k1_scalar_set_b32(&sec
, seckey
, &overflow
);
417 ret
= (!overflow
) & (!secp256k1_scalar_is_zero(&sec
));
419 secp256k1_ecmult_gen(&ctx
->ecmult_gen_ctx
, &pj
, &sec
);
420 secp256k1_ge_set_gej(&p
, &pj
);
421 secp256k1_pubkey_save(pubkey
, &p
);
423 secp256k1_scalar_clear(&sec
);
427 int secp256k1_ec_privkey_negate(const secp256k1_context
* ctx
, unsigned char *seckey
) {
428 secp256k1_scalar sec
;
429 VERIFY_CHECK(ctx
!= NULL
);
430 ARG_CHECK(seckey
!= NULL
);
432 secp256k1_scalar_set_b32(&sec
, seckey
, NULL
);
433 secp256k1_scalar_negate(&sec
, &sec
);
434 secp256k1_scalar_get_b32(seckey
, &sec
);
439 int secp256k1_ec_pubkey_negate(const secp256k1_context
* ctx
, secp256k1_pubkey
*pubkey
) {
442 VERIFY_CHECK(ctx
!= NULL
);
443 ARG_CHECK(pubkey
!= NULL
);
445 ret
= secp256k1_pubkey_load(ctx
, &p
, pubkey
);
446 memset(pubkey
, 0, sizeof(*pubkey
));
448 secp256k1_ge_neg(&p
, &p
);
449 secp256k1_pubkey_save(pubkey
, &p
);
454 int secp256k1_ec_privkey_tweak_add(const secp256k1_context
* ctx
, unsigned char *seckey
, const unsigned char *tweak
) {
455 secp256k1_scalar term
;
456 secp256k1_scalar sec
;
459 VERIFY_CHECK(ctx
!= NULL
);
460 ARG_CHECK(seckey
!= NULL
);
461 ARG_CHECK(tweak
!= NULL
);
463 secp256k1_scalar_set_b32(&term
, tweak
, &overflow
);
464 secp256k1_scalar_set_b32(&sec
, seckey
, NULL
);
466 ret
= !overflow
&& secp256k1_eckey_privkey_tweak_add(&sec
, &term
);
467 memset(seckey
, 0, 32);
469 secp256k1_scalar_get_b32(seckey
, &sec
);
472 secp256k1_scalar_clear(&sec
);
473 secp256k1_scalar_clear(&term
);
477 int secp256k1_ec_pubkey_tweak_add(const secp256k1_context
* ctx
, secp256k1_pubkey
*pubkey
, const unsigned char *tweak
) {
479 secp256k1_scalar term
;
482 VERIFY_CHECK(ctx
!= NULL
);
483 ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx
->ecmult_ctx
));
484 ARG_CHECK(pubkey
!= NULL
);
485 ARG_CHECK(tweak
!= NULL
);
487 secp256k1_scalar_set_b32(&term
, tweak
, &overflow
);
488 ret
= !overflow
&& secp256k1_pubkey_load(ctx
, &p
, pubkey
);
489 memset(pubkey
, 0, sizeof(*pubkey
));
491 if (secp256k1_eckey_pubkey_tweak_add(&ctx
->ecmult_ctx
, &p
, &term
)) {
492 secp256k1_pubkey_save(pubkey
, &p
);
501 int secp256k1_ec_privkey_tweak_mul(const secp256k1_context
* ctx
, unsigned char *seckey
, const unsigned char *tweak
) {
502 secp256k1_scalar factor
;
503 secp256k1_scalar sec
;
506 VERIFY_CHECK(ctx
!= NULL
);
507 ARG_CHECK(seckey
!= NULL
);
508 ARG_CHECK(tweak
!= NULL
);
510 secp256k1_scalar_set_b32(&factor
, tweak
, &overflow
);
511 secp256k1_scalar_set_b32(&sec
, seckey
, NULL
);
512 ret
= !overflow
&& secp256k1_eckey_privkey_tweak_mul(&sec
, &factor
);
513 memset(seckey
, 0, 32);
515 secp256k1_scalar_get_b32(seckey
, &sec
);
518 secp256k1_scalar_clear(&sec
);
519 secp256k1_scalar_clear(&factor
);
523 int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context
* ctx
, secp256k1_pubkey
*pubkey
, const unsigned char *tweak
) {
525 secp256k1_scalar factor
;
528 VERIFY_CHECK(ctx
!= NULL
);
529 ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx
->ecmult_ctx
));
530 ARG_CHECK(pubkey
!= NULL
);
531 ARG_CHECK(tweak
!= NULL
);
533 secp256k1_scalar_set_b32(&factor
, tweak
, &overflow
);
534 ret
= !overflow
&& secp256k1_pubkey_load(ctx
, &p
, pubkey
);
535 memset(pubkey
, 0, sizeof(*pubkey
));
537 if (secp256k1_eckey_pubkey_tweak_mul(&ctx
->ecmult_ctx
, &p
, &factor
)) {
538 secp256k1_pubkey_save(pubkey
, &p
);
547 int secp256k1_context_randomize(secp256k1_context
* ctx
, const unsigned char *seed32
) {
548 VERIFY_CHECK(ctx
!= NULL
);
549 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx
->ecmult_gen_ctx
));
550 secp256k1_ecmult_gen_blind(&ctx
->ecmult_gen_ctx
, seed32
);
554 int secp256k1_ec_pubkey_combine(const secp256k1_context
* ctx
, secp256k1_pubkey
*pubnonce
, const secp256k1_pubkey
* const *pubnonces
, size_t n
) {
559 ARG_CHECK(pubnonce
!= NULL
);
560 memset(pubnonce
, 0, sizeof(*pubnonce
));
562 ARG_CHECK(pubnonces
!= NULL
);
564 secp256k1_gej_set_infinity(&Qj
);
566 for (i
= 0; i
< n
; i
++) {
567 secp256k1_pubkey_load(ctx
, &Q
, pubnonces
[i
]);
568 secp256k1_gej_add_ge(&Qj
, &Qj
, &Q
);
570 if (secp256k1_gej_is_infinity(&Qj
)) {
573 secp256k1_ge_set_gej(&Q
, &Qj
);
574 secp256k1_pubkey_save(pubnonce
, &Q
);
578 #ifdef ENABLE_MODULE_ECDH
579 # include "modules/ecdh/main_impl.h"
582 #ifdef ENABLE_MODULE_RECOVERY
583 # include "modules/recovery/main_impl.h"