secp256k1.c (33565B)
1 /*********************************************************************** 2 * Copyright (c) 2013-2015 Pieter Wuille * 3 * Distributed under the MIT software license, see the accompanying * 4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.* 5 ***********************************************************************/ 6 7 /* This is a C project. It should not be compiled with a C++ compiler, 8 * and we error out if we detect one. 9 * 10 * We still want to be able to test the project with a C++ compiler 11 * because it is still good to know if this will lead to real trouble, so 12 * there is a possibility to override the check. But be warned that 13 * compiling with a C++ compiler is not supported. */ 14 #if defined(__cplusplus) && !defined(SECP256K1_CPLUSPLUS_TEST_OVERRIDE) 15 #error Trying to compile a C project with a C++ compiler. 16 #endif 17 18 #define SECP256K1_BUILD 19 20 #include "../include/secp256k1.h" 21 #include "../include/secp256k1_preallocated.h" 22 23 #include "assumptions.h" 24 #include "checkmem.h" 25 #include "util.h" 26 27 #include "field_impl.h" 28 #include "scalar_impl.h" 29 #include "group_impl.h" 30 #include "ecmult_impl.h" 31 #include "ecmult_const_impl.h" 32 #include "ecmult_gen_impl.h" 33 #include "ecdsa_impl.h" 34 #include "eckey_impl.h" 35 #include "hash_impl.h" 36 #include "int128_impl.h" 37 #include "scratch_impl.h" 38 #include "selftest.h" 39 40 #ifdef SECP256K1_NO_BUILD 41 # error "secp256k1.h processed without SECP256K1_BUILD defined while building secp256k1.c" 42 #endif 43 44 #define ARG_CHECK(cond) do { \ 45 if (EXPECT(!(cond), 0)) { \ 46 haskellsecp256k1_v0_1_0_callback_call(&ctx->illegal_callback, #cond); \ 47 return 0; \ 48 } \ 49 } while(0) 50 51 #define ARG_CHECK_VOID(cond) do { \ 52 if (EXPECT(!(cond), 0)) { \ 53 haskellsecp256k1_v0_1_0_callback_call(&ctx->illegal_callback, #cond); \ 54 return; \ 55 } \ 56 } while(0) 57 58 /* Note that whenever you change the context struct, you must also change the 59 * context_eq function. */ 60 struct haskellsecp256k1_v0_1_0_context_struct { 61 haskellsecp256k1_v0_1_0_ecmult_gen_context ecmult_gen_ctx; 62 haskellsecp256k1_v0_1_0_callback illegal_callback; 63 haskellsecp256k1_v0_1_0_callback error_callback; 64 int declassify; 65 }; 66 67 static const haskellsecp256k1_v0_1_0_context haskellsecp256k1_v0_1_0_context_static_ = { 68 { 0 }, 69 { haskellsecp256k1_v0_1_0_default_illegal_callback_fn, 0 }, 70 { haskellsecp256k1_v0_1_0_default_error_callback_fn, 0 }, 71 0 72 }; 73 const haskellsecp256k1_v0_1_0_context *haskellsecp256k1_v0_1_0_context_static = &haskellsecp256k1_v0_1_0_context_static_; 74 const haskellsecp256k1_v0_1_0_context *haskellsecp256k1_v0_1_0_context_no_precomp = &haskellsecp256k1_v0_1_0_context_static_; 75 76 /* Helper function that determines if a context is proper, i.e., is not the static context or a copy thereof. 77 * 78 * This is intended for "context" functions such as haskellsecp256k1_v0_1_0_context_clone. Function which need specific 79 * features of a context should still check for these features directly. For example, a function that needs 80 * ecmult_gen should directly check for the existence of the ecmult_gen context. */ 81 static int haskellsecp256k1_v0_1_0_context_is_proper(const haskellsecp256k1_v0_1_0_context* ctx) { 82 return haskellsecp256k1_v0_1_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx); 83 } 84 85 void haskellsecp256k1_v0_1_0_selftest(void) { 86 if (!haskellsecp256k1_v0_1_0_selftest_passes()) { 87 haskellsecp256k1_v0_1_0_callback_call(&default_error_callback, "self test failed"); 88 } 89 } 90 91 size_t haskellsecp256k1_v0_1_0_context_preallocated_size(unsigned int flags) { 92 size_t ret = sizeof(haskellsecp256k1_v0_1_0_context); 93 /* A return value of 0 is reserved as an indicator for errors when we call this function internally. */ 94 VERIFY_CHECK(ret != 0); 95 96 if (EXPECT((flags & SECP256K1_FLAGS_TYPE_MASK) != SECP256K1_FLAGS_TYPE_CONTEXT, 0)) { 97 haskellsecp256k1_v0_1_0_callback_call(&default_illegal_callback, 98 "Invalid flags"); 99 return 0; 100 } 101 102 if (EXPECT(!SECP256K1_CHECKMEM_RUNNING() && (flags & SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY), 0)) { 103 haskellsecp256k1_v0_1_0_callback_call(&default_illegal_callback, 104 "Declassify flag requires running with memory checking"); 105 return 0; 106 } 107 108 return ret; 109 } 110 111 size_t haskellsecp256k1_v0_1_0_context_preallocated_clone_size(const haskellsecp256k1_v0_1_0_context* ctx) { 112 VERIFY_CHECK(ctx != NULL); 113 ARG_CHECK(haskellsecp256k1_v0_1_0_context_is_proper(ctx)); 114 return sizeof(haskellsecp256k1_v0_1_0_context); 115 } 116 117 haskellsecp256k1_v0_1_0_context* haskellsecp256k1_v0_1_0_context_preallocated_create(void* prealloc, unsigned int flags) { 118 size_t prealloc_size; 119 haskellsecp256k1_v0_1_0_context* ret; 120 121 haskellsecp256k1_v0_1_0_selftest(); 122 123 prealloc_size = haskellsecp256k1_v0_1_0_context_preallocated_size(flags); 124 if (prealloc_size == 0) { 125 return NULL; 126 } 127 VERIFY_CHECK(prealloc != NULL); 128 ret = (haskellsecp256k1_v0_1_0_context*)prealloc; 129 ret->illegal_callback = default_illegal_callback; 130 ret->error_callback = default_error_callback; 131 132 /* Flags have been checked by haskellsecp256k1_v0_1_0_context_preallocated_size. */ 133 VERIFY_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_CONTEXT); 134 haskellsecp256k1_v0_1_0_ecmult_gen_context_build(&ret->ecmult_gen_ctx); 135 ret->declassify = !!(flags & SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY); 136 137 return ret; 138 } 139 140 haskellsecp256k1_v0_1_0_context* haskellsecp256k1_v0_1_0_context_create(unsigned int flags) { 141 size_t const prealloc_size = haskellsecp256k1_v0_1_0_context_preallocated_size(flags); 142 haskellsecp256k1_v0_1_0_context* ctx = (haskellsecp256k1_v0_1_0_context*)checked_malloc(&default_error_callback, prealloc_size); 143 if (EXPECT(haskellsecp256k1_v0_1_0_context_preallocated_create(ctx, flags) == NULL, 0)) { 144 free(ctx); 145 return NULL; 146 } 147 148 return ctx; 149 } 150 151 haskellsecp256k1_v0_1_0_context* haskellsecp256k1_v0_1_0_context_preallocated_clone(const haskellsecp256k1_v0_1_0_context* ctx, void* prealloc) { 152 haskellsecp256k1_v0_1_0_context* ret; 153 VERIFY_CHECK(ctx != NULL); 154 ARG_CHECK(prealloc != NULL); 155 ARG_CHECK(haskellsecp256k1_v0_1_0_context_is_proper(ctx)); 156 157 ret = (haskellsecp256k1_v0_1_0_context*)prealloc; 158 *ret = *ctx; 159 return ret; 160 } 161 162 haskellsecp256k1_v0_1_0_context* haskellsecp256k1_v0_1_0_context_clone(const haskellsecp256k1_v0_1_0_context* ctx) { 163 haskellsecp256k1_v0_1_0_context* ret; 164 size_t prealloc_size; 165 166 VERIFY_CHECK(ctx != NULL); 167 ARG_CHECK(haskellsecp256k1_v0_1_0_context_is_proper(ctx)); 168 169 prealloc_size = haskellsecp256k1_v0_1_0_context_preallocated_clone_size(ctx); 170 ret = (haskellsecp256k1_v0_1_0_context*)checked_malloc(&ctx->error_callback, prealloc_size); 171 ret = haskellsecp256k1_v0_1_0_context_preallocated_clone(ctx, ret); 172 return ret; 173 } 174 175 void haskellsecp256k1_v0_1_0_context_preallocated_destroy(haskellsecp256k1_v0_1_0_context* ctx) { 176 ARG_CHECK_VOID(ctx == NULL || haskellsecp256k1_v0_1_0_context_is_proper(ctx)); 177 178 /* Defined as noop */ 179 if (ctx == NULL) { 180 return; 181 } 182 183 haskellsecp256k1_v0_1_0_ecmult_gen_context_clear(&ctx->ecmult_gen_ctx); 184 } 185 186 void haskellsecp256k1_v0_1_0_context_destroy(haskellsecp256k1_v0_1_0_context* ctx) { 187 ARG_CHECK_VOID(ctx == NULL || haskellsecp256k1_v0_1_0_context_is_proper(ctx)); 188 189 /* Defined as noop */ 190 if (ctx == NULL) { 191 return; 192 } 193 194 haskellsecp256k1_v0_1_0_context_preallocated_destroy(ctx); 195 free(ctx); 196 } 197 198 void haskellsecp256k1_v0_1_0_context_set_illegal_callback(haskellsecp256k1_v0_1_0_context* ctx, void (*fun)(const char* message, void* data), const void* data) { 199 /* We compare pointers instead of checking haskellsecp256k1_v0_1_0_context_is_proper() here 200 because setting callbacks is allowed on *copies* of the static context: 201 it's harmless and makes testing easier. */ 202 ARG_CHECK_VOID(ctx != haskellsecp256k1_v0_1_0_context_static); 203 if (fun == NULL) { 204 fun = haskellsecp256k1_v0_1_0_default_illegal_callback_fn; 205 } 206 ctx->illegal_callback.fn = fun; 207 ctx->illegal_callback.data = data; 208 } 209 210 void haskellsecp256k1_v0_1_0_context_set_error_callback(haskellsecp256k1_v0_1_0_context* ctx, void (*fun)(const char* message, void* data), const void* data) { 211 /* We compare pointers instead of checking haskellsecp256k1_v0_1_0_context_is_proper() here 212 because setting callbacks is allowed on *copies* of the static context: 213 it's harmless and makes testing easier. */ 214 ARG_CHECK_VOID(ctx != haskellsecp256k1_v0_1_0_context_static); 215 if (fun == NULL) { 216 fun = haskellsecp256k1_v0_1_0_default_error_callback_fn; 217 } 218 ctx->error_callback.fn = fun; 219 ctx->error_callback.data = data; 220 } 221 222 haskellsecp256k1_v0_1_0_scratch_space* haskellsecp256k1_v0_1_0_scratch_space_create(const haskellsecp256k1_v0_1_0_context* ctx, size_t max_size) { 223 VERIFY_CHECK(ctx != NULL); 224 return haskellsecp256k1_v0_1_0_scratch_create(&ctx->error_callback, max_size); 225 } 226 227 void haskellsecp256k1_v0_1_0_scratch_space_destroy(const haskellsecp256k1_v0_1_0_context *ctx, haskellsecp256k1_v0_1_0_scratch_space* scratch) { 228 VERIFY_CHECK(ctx != NULL); 229 haskellsecp256k1_v0_1_0_scratch_destroy(&ctx->error_callback, scratch); 230 } 231 232 /* Mark memory as no-longer-secret for the purpose of analysing constant-time behaviour 233 * of the software. 234 */ 235 static SECP256K1_INLINE void haskellsecp256k1_v0_1_0_declassify(const haskellsecp256k1_v0_1_0_context* ctx, const void *p, size_t len) { 236 if (EXPECT(ctx->declassify, 0)) SECP256K1_CHECKMEM_DEFINE(p, len); 237 } 238 239 static int haskellsecp256k1_v0_1_0_pubkey_load(const haskellsecp256k1_v0_1_0_context* ctx, haskellsecp256k1_v0_1_0_ge* ge, const haskellsecp256k1_v0_1_0_pubkey* pubkey) { 240 haskellsecp256k1_v0_1_0_ge_storage s; 241 242 /* We require that the haskellsecp256k1_v0_1_0_ge_storage type is exactly 64 bytes. 243 * This is formally not guaranteed by the C standard, but should hold on any 244 * sane compiler in the real world. */ 245 STATIC_ASSERT(sizeof(haskellsecp256k1_v0_1_0_ge_storage) == 64); 246 memcpy(&s, &pubkey->data[0], 64); 247 haskellsecp256k1_v0_1_0_ge_from_storage(ge, &s); 248 ARG_CHECK(!haskellsecp256k1_v0_1_0_fe_is_zero(&ge->x)); 249 return 1; 250 } 251 252 static void haskellsecp256k1_v0_1_0_pubkey_save(haskellsecp256k1_v0_1_0_pubkey* pubkey, haskellsecp256k1_v0_1_0_ge* ge) { 253 haskellsecp256k1_v0_1_0_ge_storage s; 254 255 STATIC_ASSERT(sizeof(haskellsecp256k1_v0_1_0_ge_storage) == 64); 256 VERIFY_CHECK(!haskellsecp256k1_v0_1_0_ge_is_infinity(ge)); 257 haskellsecp256k1_v0_1_0_ge_to_storage(&s, ge); 258 memcpy(&pubkey->data[0], &s, 64); 259 } 260 261 int haskellsecp256k1_v0_1_0_ec_pubkey_parse(const haskellsecp256k1_v0_1_0_context* ctx, haskellsecp256k1_v0_1_0_pubkey* pubkey, const unsigned char *input, size_t inputlen) { 262 haskellsecp256k1_v0_1_0_ge Q; 263 264 VERIFY_CHECK(ctx != NULL); 265 ARG_CHECK(pubkey != NULL); 266 memset(pubkey, 0, sizeof(*pubkey)); 267 ARG_CHECK(input != NULL); 268 if (!haskellsecp256k1_v0_1_0_eckey_pubkey_parse(&Q, input, inputlen)) { 269 return 0; 270 } 271 if (!haskellsecp256k1_v0_1_0_ge_is_in_correct_subgroup(&Q)) { 272 return 0; 273 } 274 haskellsecp256k1_v0_1_0_pubkey_save(pubkey, &Q); 275 haskellsecp256k1_v0_1_0_ge_clear(&Q); 276 return 1; 277 } 278 279 int haskellsecp256k1_v0_1_0_ec_pubkey_serialize(const haskellsecp256k1_v0_1_0_context* ctx, unsigned char *output, size_t *outputlen, const haskellsecp256k1_v0_1_0_pubkey* pubkey, unsigned int flags) { 280 haskellsecp256k1_v0_1_0_ge Q; 281 size_t len; 282 int ret = 0; 283 284 VERIFY_CHECK(ctx != NULL); 285 ARG_CHECK(outputlen != NULL); 286 ARG_CHECK(*outputlen >= ((flags & SECP256K1_FLAGS_BIT_COMPRESSION) ? 33u : 65u)); 287 len = *outputlen; 288 *outputlen = 0; 289 ARG_CHECK(output != NULL); 290 memset(output, 0, len); 291 ARG_CHECK(pubkey != NULL); 292 ARG_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_COMPRESSION); 293 if (haskellsecp256k1_v0_1_0_pubkey_load(ctx, &Q, pubkey)) { 294 ret = haskellsecp256k1_v0_1_0_eckey_pubkey_serialize(&Q, output, &len, flags & SECP256K1_FLAGS_BIT_COMPRESSION); 295 if (ret) { 296 *outputlen = len; 297 } 298 } 299 return ret; 300 } 301 302 int haskellsecp256k1_v0_1_0_ec_pubkey_cmp(const haskellsecp256k1_v0_1_0_context* ctx, const haskellsecp256k1_v0_1_0_pubkey* pubkey0, const haskellsecp256k1_v0_1_0_pubkey* pubkey1) { 303 unsigned char out[2][33]; 304 const haskellsecp256k1_v0_1_0_pubkey* pk[2]; 305 int i; 306 307 VERIFY_CHECK(ctx != NULL); 308 pk[0] = pubkey0; pk[1] = pubkey1; 309 for (i = 0; i < 2; i++) { 310 size_t out_size = sizeof(out[i]); 311 /* If the public key is NULL or invalid, ec_pubkey_serialize will call 312 * the illegal_callback and return 0. In that case we will serialize the 313 * key as all zeros which is less than any valid public key. This 314 * results in consistent comparisons even if NULL or invalid pubkeys are 315 * involved and prevents edge cases such as sorting algorithms that use 316 * this function and do not terminate as a result. */ 317 if (!haskellsecp256k1_v0_1_0_ec_pubkey_serialize(ctx, out[i], &out_size, pk[i], SECP256K1_EC_COMPRESSED)) { 318 /* Note that ec_pubkey_serialize should already set the output to 319 * zero in that case, but it's not guaranteed by the API, we can't 320 * test it and writing a VERIFY_CHECK is more complex than 321 * explicitly memsetting (again). */ 322 memset(out[i], 0, sizeof(out[i])); 323 } 324 } 325 return haskellsecp256k1_v0_1_0_memcmp_var(out[0], out[1], sizeof(out[0])); 326 } 327 328 static void haskellsecp256k1_v0_1_0_ecdsa_signature_load(const haskellsecp256k1_v0_1_0_context* ctx, haskellsecp256k1_v0_1_0_scalar* r, haskellsecp256k1_v0_1_0_scalar* s, const haskellsecp256k1_v0_1_0_ecdsa_signature* sig) { 329 (void)ctx; 330 if (sizeof(haskellsecp256k1_v0_1_0_scalar) == 32) { 331 /* When the haskellsecp256k1_v0_1_0_scalar type is exactly 32 byte, use its 332 * representation inside haskellsecp256k1_v0_1_0_ecdsa_signature, as conversion is very fast. 333 * Note that haskellsecp256k1_v0_1_0_ecdsa_signature_save must use the same representation. */ 334 memcpy(r, &sig->data[0], 32); 335 memcpy(s, &sig->data[32], 32); 336 } else { 337 haskellsecp256k1_v0_1_0_scalar_set_b32(r, &sig->data[0], NULL); 338 haskellsecp256k1_v0_1_0_scalar_set_b32(s, &sig->data[32], NULL); 339 } 340 } 341 342 static void haskellsecp256k1_v0_1_0_ecdsa_signature_save(haskellsecp256k1_v0_1_0_ecdsa_signature* sig, const haskellsecp256k1_v0_1_0_scalar* r, const haskellsecp256k1_v0_1_0_scalar* s) { 343 if (sizeof(haskellsecp256k1_v0_1_0_scalar) == 32) { 344 memcpy(&sig->data[0], r, 32); 345 memcpy(&sig->data[32], s, 32); 346 } else { 347 haskellsecp256k1_v0_1_0_scalar_get_b32(&sig->data[0], r); 348 haskellsecp256k1_v0_1_0_scalar_get_b32(&sig->data[32], s); 349 } 350 } 351 352 int haskellsecp256k1_v0_1_0_ecdsa_signature_parse_der(const haskellsecp256k1_v0_1_0_context* ctx, haskellsecp256k1_v0_1_0_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) { 353 haskellsecp256k1_v0_1_0_scalar r, s; 354 355 VERIFY_CHECK(ctx != NULL); 356 ARG_CHECK(sig != NULL); 357 ARG_CHECK(input != NULL); 358 359 if (haskellsecp256k1_v0_1_0_ecdsa_sig_parse(&r, &s, input, inputlen)) { 360 haskellsecp256k1_v0_1_0_ecdsa_signature_save(sig, &r, &s); 361 return 1; 362 } else { 363 memset(sig, 0, sizeof(*sig)); 364 return 0; 365 } 366 } 367 368 int haskellsecp256k1_v0_1_0_ecdsa_signature_parse_compact(const haskellsecp256k1_v0_1_0_context* ctx, haskellsecp256k1_v0_1_0_ecdsa_signature* sig, const unsigned char *input64) { 369 haskellsecp256k1_v0_1_0_scalar r, s; 370 int ret = 1; 371 int overflow = 0; 372 373 VERIFY_CHECK(ctx != NULL); 374 ARG_CHECK(sig != NULL); 375 ARG_CHECK(input64 != NULL); 376 377 haskellsecp256k1_v0_1_0_scalar_set_b32(&r, &input64[0], &overflow); 378 ret &= !overflow; 379 haskellsecp256k1_v0_1_0_scalar_set_b32(&s, &input64[32], &overflow); 380 ret &= !overflow; 381 if (ret) { 382 haskellsecp256k1_v0_1_0_ecdsa_signature_save(sig, &r, &s); 383 } else { 384 memset(sig, 0, sizeof(*sig)); 385 } 386 return ret; 387 } 388 389 int haskellsecp256k1_v0_1_0_ecdsa_signature_serialize_der(const haskellsecp256k1_v0_1_0_context* ctx, unsigned char *output, size_t *outputlen, const haskellsecp256k1_v0_1_0_ecdsa_signature* sig) { 390 haskellsecp256k1_v0_1_0_scalar r, s; 391 392 VERIFY_CHECK(ctx != NULL); 393 ARG_CHECK(output != NULL); 394 ARG_CHECK(outputlen != NULL); 395 ARG_CHECK(sig != NULL); 396 397 haskellsecp256k1_v0_1_0_ecdsa_signature_load(ctx, &r, &s, sig); 398 return haskellsecp256k1_v0_1_0_ecdsa_sig_serialize(output, outputlen, &r, &s); 399 } 400 401 int haskellsecp256k1_v0_1_0_ecdsa_signature_serialize_compact(const haskellsecp256k1_v0_1_0_context* ctx, unsigned char *output64, const haskellsecp256k1_v0_1_0_ecdsa_signature* sig) { 402 haskellsecp256k1_v0_1_0_scalar r, s; 403 404 VERIFY_CHECK(ctx != NULL); 405 ARG_CHECK(output64 != NULL); 406 ARG_CHECK(sig != NULL); 407 408 haskellsecp256k1_v0_1_0_ecdsa_signature_load(ctx, &r, &s, sig); 409 haskellsecp256k1_v0_1_0_scalar_get_b32(&output64[0], &r); 410 haskellsecp256k1_v0_1_0_scalar_get_b32(&output64[32], &s); 411 return 1; 412 } 413 414 int haskellsecp256k1_v0_1_0_ecdsa_signature_normalize(const haskellsecp256k1_v0_1_0_context* ctx, haskellsecp256k1_v0_1_0_ecdsa_signature *sigout, const haskellsecp256k1_v0_1_0_ecdsa_signature *sigin) { 415 haskellsecp256k1_v0_1_0_scalar r, s; 416 int ret = 0; 417 418 VERIFY_CHECK(ctx != NULL); 419 ARG_CHECK(sigin != NULL); 420 421 haskellsecp256k1_v0_1_0_ecdsa_signature_load(ctx, &r, &s, sigin); 422 ret = haskellsecp256k1_v0_1_0_scalar_is_high(&s); 423 if (sigout != NULL) { 424 if (ret) { 425 haskellsecp256k1_v0_1_0_scalar_negate(&s, &s); 426 } 427 haskellsecp256k1_v0_1_0_ecdsa_signature_save(sigout, &r, &s); 428 } 429 430 return ret; 431 } 432 433 int haskellsecp256k1_v0_1_0_ecdsa_verify(const haskellsecp256k1_v0_1_0_context* ctx, const haskellsecp256k1_v0_1_0_ecdsa_signature *sig, const unsigned char *msghash32, const haskellsecp256k1_v0_1_0_pubkey *pubkey) { 434 haskellsecp256k1_v0_1_0_ge q; 435 haskellsecp256k1_v0_1_0_scalar r, s; 436 haskellsecp256k1_v0_1_0_scalar m; 437 VERIFY_CHECK(ctx != NULL); 438 ARG_CHECK(msghash32 != NULL); 439 ARG_CHECK(sig != NULL); 440 ARG_CHECK(pubkey != NULL); 441 442 haskellsecp256k1_v0_1_0_scalar_set_b32(&m, msghash32, NULL); 443 haskellsecp256k1_v0_1_0_ecdsa_signature_load(ctx, &r, &s, sig); 444 return (!haskellsecp256k1_v0_1_0_scalar_is_high(&s) && 445 haskellsecp256k1_v0_1_0_pubkey_load(ctx, &q, pubkey) && 446 haskellsecp256k1_v0_1_0_ecdsa_sig_verify(&r, &s, &q, &m)); 447 } 448 449 static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *offset, const void *data, unsigned int len) { 450 memcpy(buf + *offset, data, len); 451 *offset += len; 452 } 453 454 static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { 455 unsigned char keydata[112]; 456 unsigned int offset = 0; 457 haskellsecp256k1_v0_1_0_rfc6979_hmac_sha256 rng; 458 unsigned int i; 459 haskellsecp256k1_v0_1_0_scalar msg; 460 unsigned char msgmod32[32]; 461 haskellsecp256k1_v0_1_0_scalar_set_b32(&msg, msg32, NULL); 462 haskellsecp256k1_v0_1_0_scalar_get_b32(msgmod32, &msg); 463 /* We feed a byte array to the PRNG as input, consisting of: 464 * - the private key (32 bytes) and reduced message (32 bytes), see RFC 6979 3.2d. 465 * - optionally 32 extra bytes of data, see RFC 6979 3.6 Additional Data. 466 * - optionally 16 extra bytes with the algorithm name. 467 * Because the arguments have distinct fixed lengths it is not possible for 468 * different argument mixtures to emulate each other and result in the same 469 * nonces. 470 */ 471 buffer_append(keydata, &offset, key32, 32); 472 buffer_append(keydata, &offset, msgmod32, 32); 473 if (data != NULL) { 474 buffer_append(keydata, &offset, data, 32); 475 } 476 if (algo16 != NULL) { 477 buffer_append(keydata, &offset, algo16, 16); 478 } 479 haskellsecp256k1_v0_1_0_rfc6979_hmac_sha256_initialize(&rng, keydata, offset); 480 memset(keydata, 0, sizeof(keydata)); 481 for (i = 0; i <= counter; i++) { 482 haskellsecp256k1_v0_1_0_rfc6979_hmac_sha256_generate(&rng, nonce32, 32); 483 } 484 haskellsecp256k1_v0_1_0_rfc6979_hmac_sha256_finalize(&rng); 485 return 1; 486 } 487 488 const haskellsecp256k1_v0_1_0_nonce_function haskellsecp256k1_v0_1_0_nonce_function_rfc6979 = nonce_function_rfc6979; 489 const haskellsecp256k1_v0_1_0_nonce_function haskellsecp256k1_v0_1_0_nonce_function_default = nonce_function_rfc6979; 490 491 static int haskellsecp256k1_v0_1_0_ecdsa_sign_inner(const haskellsecp256k1_v0_1_0_context* ctx, haskellsecp256k1_v0_1_0_scalar* r, haskellsecp256k1_v0_1_0_scalar* s, int* recid, const unsigned char *msg32, const unsigned char *seckey, haskellsecp256k1_v0_1_0_nonce_function noncefp, const void* noncedata) { 492 haskellsecp256k1_v0_1_0_scalar sec, non, msg; 493 int ret = 0; 494 int is_sec_valid; 495 unsigned char nonce32[32]; 496 unsigned int count = 0; 497 /* Default initialization here is important so we won't pass uninit values to the cmov in the end */ 498 *r = haskellsecp256k1_v0_1_0_scalar_zero; 499 *s = haskellsecp256k1_v0_1_0_scalar_zero; 500 if (recid) { 501 *recid = 0; 502 } 503 if (noncefp == NULL) { 504 noncefp = haskellsecp256k1_v0_1_0_nonce_function_default; 505 } 506 507 /* Fail if the secret key is invalid. */ 508 is_sec_valid = haskellsecp256k1_v0_1_0_scalar_set_b32_seckey(&sec, seckey); 509 haskellsecp256k1_v0_1_0_scalar_cmov(&sec, &haskellsecp256k1_v0_1_0_scalar_one, !is_sec_valid); 510 haskellsecp256k1_v0_1_0_scalar_set_b32(&msg, msg32, NULL); 511 while (1) { 512 int is_nonce_valid; 513 ret = !!noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count); 514 if (!ret) { 515 break; 516 } 517 is_nonce_valid = haskellsecp256k1_v0_1_0_scalar_set_b32_seckey(&non, nonce32); 518 /* The nonce is still secret here, but it being invalid is is less likely than 1:2^255. */ 519 haskellsecp256k1_v0_1_0_declassify(ctx, &is_nonce_valid, sizeof(is_nonce_valid)); 520 if (is_nonce_valid) { 521 ret = haskellsecp256k1_v0_1_0_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, r, s, &sec, &msg, &non, recid); 522 /* The final signature is no longer a secret, nor is the fact that we were successful or not. */ 523 haskellsecp256k1_v0_1_0_declassify(ctx, &ret, sizeof(ret)); 524 if (ret) { 525 break; 526 } 527 } 528 count++; 529 } 530 /* We don't want to declassify is_sec_valid and therefore the range of 531 * seckey. As a result is_sec_valid is included in ret only after ret was 532 * used as a branching variable. */ 533 ret &= is_sec_valid; 534 memset(nonce32, 0, 32); 535 haskellsecp256k1_v0_1_0_scalar_clear(&msg); 536 haskellsecp256k1_v0_1_0_scalar_clear(&non); 537 haskellsecp256k1_v0_1_0_scalar_clear(&sec); 538 haskellsecp256k1_v0_1_0_scalar_cmov(r, &haskellsecp256k1_v0_1_0_scalar_zero, !ret); 539 haskellsecp256k1_v0_1_0_scalar_cmov(s, &haskellsecp256k1_v0_1_0_scalar_zero, !ret); 540 if (recid) { 541 const int zero = 0; 542 haskellsecp256k1_v0_1_0_int_cmov(recid, &zero, !ret); 543 } 544 return ret; 545 } 546 547 int haskellsecp256k1_v0_1_0_ecdsa_sign(const haskellsecp256k1_v0_1_0_context* ctx, haskellsecp256k1_v0_1_0_ecdsa_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, haskellsecp256k1_v0_1_0_nonce_function noncefp, const void* noncedata) { 548 haskellsecp256k1_v0_1_0_scalar r, s; 549 int ret; 550 VERIFY_CHECK(ctx != NULL); 551 ARG_CHECK(haskellsecp256k1_v0_1_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); 552 ARG_CHECK(msghash32 != NULL); 553 ARG_CHECK(signature != NULL); 554 ARG_CHECK(seckey != NULL); 555 556 ret = haskellsecp256k1_v0_1_0_ecdsa_sign_inner(ctx, &r, &s, NULL, msghash32, seckey, noncefp, noncedata); 557 haskellsecp256k1_v0_1_0_ecdsa_signature_save(signature, &r, &s); 558 return ret; 559 } 560 561 int haskellsecp256k1_v0_1_0_ec_seckey_verify(const haskellsecp256k1_v0_1_0_context* ctx, const unsigned char *seckey) { 562 haskellsecp256k1_v0_1_0_scalar sec; 563 int ret; 564 VERIFY_CHECK(ctx != NULL); 565 ARG_CHECK(seckey != NULL); 566 567 ret = haskellsecp256k1_v0_1_0_scalar_set_b32_seckey(&sec, seckey); 568 haskellsecp256k1_v0_1_0_scalar_clear(&sec); 569 return ret; 570 } 571 572 static int haskellsecp256k1_v0_1_0_ec_pubkey_create_helper(const haskellsecp256k1_v0_1_0_ecmult_gen_context *ecmult_gen_ctx, haskellsecp256k1_v0_1_0_scalar *seckey_scalar, haskellsecp256k1_v0_1_0_ge *p, const unsigned char *seckey) { 573 haskellsecp256k1_v0_1_0_gej pj; 574 int ret; 575 576 ret = haskellsecp256k1_v0_1_0_scalar_set_b32_seckey(seckey_scalar, seckey); 577 haskellsecp256k1_v0_1_0_scalar_cmov(seckey_scalar, &haskellsecp256k1_v0_1_0_scalar_one, !ret); 578 579 haskellsecp256k1_v0_1_0_ecmult_gen(ecmult_gen_ctx, &pj, seckey_scalar); 580 haskellsecp256k1_v0_1_0_ge_set_gej(p, &pj); 581 return ret; 582 } 583 584 int haskellsecp256k1_v0_1_0_ec_pubkey_create(const haskellsecp256k1_v0_1_0_context* ctx, haskellsecp256k1_v0_1_0_pubkey *pubkey, const unsigned char *seckey) { 585 haskellsecp256k1_v0_1_0_ge p; 586 haskellsecp256k1_v0_1_0_scalar seckey_scalar; 587 int ret = 0; 588 VERIFY_CHECK(ctx != NULL); 589 ARG_CHECK(pubkey != NULL); 590 memset(pubkey, 0, sizeof(*pubkey)); 591 ARG_CHECK(haskellsecp256k1_v0_1_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); 592 ARG_CHECK(seckey != NULL); 593 594 ret = haskellsecp256k1_v0_1_0_ec_pubkey_create_helper(&ctx->ecmult_gen_ctx, &seckey_scalar, &p, seckey); 595 haskellsecp256k1_v0_1_0_pubkey_save(pubkey, &p); 596 haskellsecp256k1_v0_1_0_memczero(pubkey, sizeof(*pubkey), !ret); 597 598 haskellsecp256k1_v0_1_0_scalar_clear(&seckey_scalar); 599 return ret; 600 } 601 602 int haskellsecp256k1_v0_1_0_ec_seckey_negate(const haskellsecp256k1_v0_1_0_context* ctx, unsigned char *seckey) { 603 haskellsecp256k1_v0_1_0_scalar sec; 604 int ret = 0; 605 VERIFY_CHECK(ctx != NULL); 606 ARG_CHECK(seckey != NULL); 607 608 ret = haskellsecp256k1_v0_1_0_scalar_set_b32_seckey(&sec, seckey); 609 haskellsecp256k1_v0_1_0_scalar_cmov(&sec, &haskellsecp256k1_v0_1_0_scalar_zero, !ret); 610 haskellsecp256k1_v0_1_0_scalar_negate(&sec, &sec); 611 haskellsecp256k1_v0_1_0_scalar_get_b32(seckey, &sec); 612 613 haskellsecp256k1_v0_1_0_scalar_clear(&sec); 614 return ret; 615 } 616 617 int haskellsecp256k1_v0_1_0_ec_privkey_negate(const haskellsecp256k1_v0_1_0_context* ctx, unsigned char *seckey) { 618 return haskellsecp256k1_v0_1_0_ec_seckey_negate(ctx, seckey); 619 } 620 621 int haskellsecp256k1_v0_1_0_ec_pubkey_negate(const haskellsecp256k1_v0_1_0_context* ctx, haskellsecp256k1_v0_1_0_pubkey *pubkey) { 622 int ret = 0; 623 haskellsecp256k1_v0_1_0_ge p; 624 VERIFY_CHECK(ctx != NULL); 625 ARG_CHECK(pubkey != NULL); 626 627 ret = haskellsecp256k1_v0_1_0_pubkey_load(ctx, &p, pubkey); 628 memset(pubkey, 0, sizeof(*pubkey)); 629 if (ret) { 630 haskellsecp256k1_v0_1_0_ge_neg(&p, &p); 631 haskellsecp256k1_v0_1_0_pubkey_save(pubkey, &p); 632 } 633 return ret; 634 } 635 636 637 static int haskellsecp256k1_v0_1_0_ec_seckey_tweak_add_helper(haskellsecp256k1_v0_1_0_scalar *sec, const unsigned char *tweak32) { 638 haskellsecp256k1_v0_1_0_scalar term; 639 int overflow = 0; 640 int ret = 0; 641 642 haskellsecp256k1_v0_1_0_scalar_set_b32(&term, tweak32, &overflow); 643 ret = (!overflow) & haskellsecp256k1_v0_1_0_eckey_privkey_tweak_add(sec, &term); 644 haskellsecp256k1_v0_1_0_scalar_clear(&term); 645 return ret; 646 } 647 648 int haskellsecp256k1_v0_1_0_ec_seckey_tweak_add(const haskellsecp256k1_v0_1_0_context* ctx, unsigned char *seckey, const unsigned char *tweak32) { 649 haskellsecp256k1_v0_1_0_scalar sec; 650 int ret = 0; 651 VERIFY_CHECK(ctx != NULL); 652 ARG_CHECK(seckey != NULL); 653 ARG_CHECK(tweak32 != NULL); 654 655 ret = haskellsecp256k1_v0_1_0_scalar_set_b32_seckey(&sec, seckey); 656 ret &= haskellsecp256k1_v0_1_0_ec_seckey_tweak_add_helper(&sec, tweak32); 657 haskellsecp256k1_v0_1_0_scalar_cmov(&sec, &haskellsecp256k1_v0_1_0_scalar_zero, !ret); 658 haskellsecp256k1_v0_1_0_scalar_get_b32(seckey, &sec); 659 660 haskellsecp256k1_v0_1_0_scalar_clear(&sec); 661 return ret; 662 } 663 664 int haskellsecp256k1_v0_1_0_ec_privkey_tweak_add(const haskellsecp256k1_v0_1_0_context* ctx, unsigned char *seckey, const unsigned char *tweak32) { 665 return haskellsecp256k1_v0_1_0_ec_seckey_tweak_add(ctx, seckey, tweak32); 666 } 667 668 static int haskellsecp256k1_v0_1_0_ec_pubkey_tweak_add_helper(haskellsecp256k1_v0_1_0_ge *p, const unsigned char *tweak32) { 669 haskellsecp256k1_v0_1_0_scalar term; 670 int overflow = 0; 671 haskellsecp256k1_v0_1_0_scalar_set_b32(&term, tweak32, &overflow); 672 return !overflow && haskellsecp256k1_v0_1_0_eckey_pubkey_tweak_add(p, &term); 673 } 674 675 int haskellsecp256k1_v0_1_0_ec_pubkey_tweak_add(const haskellsecp256k1_v0_1_0_context* ctx, haskellsecp256k1_v0_1_0_pubkey *pubkey, const unsigned char *tweak32) { 676 haskellsecp256k1_v0_1_0_ge p; 677 int ret = 0; 678 VERIFY_CHECK(ctx != NULL); 679 ARG_CHECK(pubkey != NULL); 680 ARG_CHECK(tweak32 != NULL); 681 682 ret = haskellsecp256k1_v0_1_0_pubkey_load(ctx, &p, pubkey); 683 memset(pubkey, 0, sizeof(*pubkey)); 684 ret = ret && haskellsecp256k1_v0_1_0_ec_pubkey_tweak_add_helper(&p, tweak32); 685 if (ret) { 686 haskellsecp256k1_v0_1_0_pubkey_save(pubkey, &p); 687 } 688 689 return ret; 690 } 691 692 int haskellsecp256k1_v0_1_0_ec_seckey_tweak_mul(const haskellsecp256k1_v0_1_0_context* ctx, unsigned char *seckey, const unsigned char *tweak32) { 693 haskellsecp256k1_v0_1_0_scalar factor; 694 haskellsecp256k1_v0_1_0_scalar sec; 695 int ret = 0; 696 int overflow = 0; 697 VERIFY_CHECK(ctx != NULL); 698 ARG_CHECK(seckey != NULL); 699 ARG_CHECK(tweak32 != NULL); 700 701 haskellsecp256k1_v0_1_0_scalar_set_b32(&factor, tweak32, &overflow); 702 ret = haskellsecp256k1_v0_1_0_scalar_set_b32_seckey(&sec, seckey); 703 ret &= (!overflow) & haskellsecp256k1_v0_1_0_eckey_privkey_tweak_mul(&sec, &factor); 704 haskellsecp256k1_v0_1_0_scalar_cmov(&sec, &haskellsecp256k1_v0_1_0_scalar_zero, !ret); 705 haskellsecp256k1_v0_1_0_scalar_get_b32(seckey, &sec); 706 707 haskellsecp256k1_v0_1_0_scalar_clear(&sec); 708 haskellsecp256k1_v0_1_0_scalar_clear(&factor); 709 return ret; 710 } 711 712 int haskellsecp256k1_v0_1_0_ec_privkey_tweak_mul(const haskellsecp256k1_v0_1_0_context* ctx, unsigned char *seckey, const unsigned char *tweak32) { 713 return haskellsecp256k1_v0_1_0_ec_seckey_tweak_mul(ctx, seckey, tweak32); 714 } 715 716 int haskellsecp256k1_v0_1_0_ec_pubkey_tweak_mul(const haskellsecp256k1_v0_1_0_context* ctx, haskellsecp256k1_v0_1_0_pubkey *pubkey, const unsigned char *tweak32) { 717 haskellsecp256k1_v0_1_0_ge p; 718 haskellsecp256k1_v0_1_0_scalar factor; 719 int ret = 0; 720 int overflow = 0; 721 VERIFY_CHECK(ctx != NULL); 722 ARG_CHECK(pubkey != NULL); 723 ARG_CHECK(tweak32 != NULL); 724 725 haskellsecp256k1_v0_1_0_scalar_set_b32(&factor, tweak32, &overflow); 726 ret = !overflow && haskellsecp256k1_v0_1_0_pubkey_load(ctx, &p, pubkey); 727 memset(pubkey, 0, sizeof(*pubkey)); 728 if (ret) { 729 if (haskellsecp256k1_v0_1_0_eckey_pubkey_tweak_mul(&p, &factor)) { 730 haskellsecp256k1_v0_1_0_pubkey_save(pubkey, &p); 731 } else { 732 ret = 0; 733 } 734 } 735 736 return ret; 737 } 738 739 int haskellsecp256k1_v0_1_0_context_randomize(haskellsecp256k1_v0_1_0_context* ctx, const unsigned char *seed32) { 740 VERIFY_CHECK(ctx != NULL); 741 ARG_CHECK(haskellsecp256k1_v0_1_0_context_is_proper(ctx)); 742 743 if (haskellsecp256k1_v0_1_0_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)) { 744 haskellsecp256k1_v0_1_0_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32); 745 } 746 return 1; 747 } 748 749 int haskellsecp256k1_v0_1_0_ec_pubkey_combine(const haskellsecp256k1_v0_1_0_context* ctx, haskellsecp256k1_v0_1_0_pubkey *pubnonce, const haskellsecp256k1_v0_1_0_pubkey * const *pubnonces, size_t n) { 750 size_t i; 751 haskellsecp256k1_v0_1_0_gej Qj; 752 haskellsecp256k1_v0_1_0_ge Q; 753 754 VERIFY_CHECK(ctx != NULL); 755 ARG_CHECK(pubnonce != NULL); 756 memset(pubnonce, 0, sizeof(*pubnonce)); 757 ARG_CHECK(n >= 1); 758 ARG_CHECK(pubnonces != NULL); 759 760 haskellsecp256k1_v0_1_0_gej_set_infinity(&Qj); 761 762 for (i = 0; i < n; i++) { 763 ARG_CHECK(pubnonces[i] != NULL); 764 haskellsecp256k1_v0_1_0_pubkey_load(ctx, &Q, pubnonces[i]); 765 haskellsecp256k1_v0_1_0_gej_add_ge(&Qj, &Qj, &Q); 766 } 767 if (haskellsecp256k1_v0_1_0_gej_is_infinity(&Qj)) { 768 return 0; 769 } 770 haskellsecp256k1_v0_1_0_ge_set_gej(&Q, &Qj); 771 haskellsecp256k1_v0_1_0_pubkey_save(pubnonce, &Q); 772 return 1; 773 } 774 775 int haskellsecp256k1_v0_1_0_tagged_sha256(const haskellsecp256k1_v0_1_0_context* ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen) { 776 haskellsecp256k1_v0_1_0_sha256 sha; 777 VERIFY_CHECK(ctx != NULL); 778 ARG_CHECK(hash32 != NULL); 779 ARG_CHECK(tag != NULL); 780 ARG_CHECK(msg != NULL); 781 782 haskellsecp256k1_v0_1_0_sha256_initialize_tagged(&sha, tag, taglen); 783 haskellsecp256k1_v0_1_0_sha256_write(&sha, msg, msglen); 784 haskellsecp256k1_v0_1_0_sha256_finalize(&sha, hash32); 785 return 1; 786 } 787 788 #ifdef ENABLE_MODULE_ECDH 789 # include "modules/ecdh/main_impl.h" 790 #endif 791 792 #ifdef ENABLE_MODULE_RECOVERY 793 # include "modules/recovery/main_impl.h" 794 #endif 795 796 #ifdef ENABLE_MODULE_EXTRAKEYS 797 # include "modules/extrakeys/main_impl.h" 798 #endif 799 800 #ifdef ENABLE_MODULE_SCHNORRSIG 801 # include "modules/schnorrsig/main_impl.h" 802 #endif 803 804 #ifdef ENABLE_MODULE_ELLSWIFT 805 # include "modules/ellswift/main_impl.h" 806 #endif