Bitcoin Core  0.20.99
P2P Digital Currency
secp256k1.c
Go to the documentation of this file.
1 /**********************************************************************
2  * Copyright (c) 2013-2015 Pieter Wuille *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5  **********************************************************************/
6 
7 #include "include/secp256k1.h"
9 
10 #include "assumptions.h"
11 #include "util.h"
12 #include "num_impl.h"
13 #include "field_impl.h"
14 #include "scalar_impl.h"
15 #include "group_impl.h"
16 #include "ecmult_impl.h"
17 #include "ecmult_const_impl.h"
18 #include "ecmult_gen_impl.h"
19 #include "ecdsa_impl.h"
20 #include "eckey_impl.h"
21 #include "hash_impl.h"
22 #include "scratch_impl.h"
23 #include "selftest.h"
24 
25 #if defined(VALGRIND)
26 # include <valgrind/memcheck.h>
27 #endif
28 
29 #define ARG_CHECK(cond) do { \
30  if (EXPECT(!(cond), 0)) { \
31  secp256k1_callback_call(&ctx->illegal_callback, #cond); \
32  return 0; \
33  } \
34 } while(0)
35 
36 #define ARG_CHECK_NO_RETURN(cond) do { \
37  if (EXPECT(!(cond), 0)) { \
38  secp256k1_callback_call(&ctx->illegal_callback, #cond); \
39  } \
40 } while(0)
41 
42 #ifndef USE_EXTERNAL_DEFAULT_CALLBACKS
43 #include <stdlib.h>
44 #include <stdio.h>
45 static void secp256k1_default_illegal_callback_fn(const char* str, void* data) {
46  (void)data;
47  fprintf(stderr, "[libsecp256k1] illegal argument: %s\n", str);
48  abort();
49 }
50 static void secp256k1_default_error_callback_fn(const char* str, void* data) {
51  (void)data;
52  fprintf(stderr, "[libsecp256k1] internal consistency check failed: %s\n", str);
53  abort();
54 }
55 #else
56 void secp256k1_default_illegal_callback_fn(const char* str, void* data);
57 void secp256k1_default_error_callback_fn(const char* str, void* data);
58 #endif
59 
62  NULL
63 };
64 
67  NULL
68 };
69 
76 };
77 
79  { 0 },
80  { 0 },
83  0
84 };
86 
88  size_t ret = ROUND_TO_ALIGN(sizeof(secp256k1_context));
89 
91  secp256k1_callback_call(&default_illegal_callback,
92  "Invalid flags");
93  return 0;
94  }
95 
98  }
101  }
102  return ret;
103 }
104 
106  size_t ret = ROUND_TO_ALIGN(sizeof(secp256k1_context));
107  VERIFY_CHECK(ctx != NULL);
110  }
113  }
114  return ret;
115 }
116 
118  void* const base = prealloc;
119  size_t prealloc_size;
120  secp256k1_context* ret;
121 
122  if (!secp256k1_selftest()) {
123  secp256k1_callback_call(&default_error_callback, "self test failed");
124  }
125  VERIFY_CHECK(prealloc != NULL);
126  prealloc_size = secp256k1_context_preallocated_size(flags);
127  ret = (secp256k1_context*)manual_alloc(&prealloc, sizeof(secp256k1_context), base, prealloc_size);
130 
133  "Invalid flags");
134  return NULL;
135  }
136 
139 
140  if (flags & SECP256K1_FLAGS_BIT_CONTEXT_SIGN) {
142  }
144  secp256k1_ecmult_context_build(&ret->ecmult_ctx, &prealloc);
145  }
147 
148  return (secp256k1_context*) ret;
149 }
150 
152  size_t const prealloc_size = secp256k1_context_preallocated_size(flags);
153  secp256k1_context* ctx = (secp256k1_context*)checked_malloc(&default_error_callback, prealloc_size);
154  if (EXPECT(secp256k1_context_preallocated_create(ctx, flags) == NULL, 0)) {
155  free(ctx);
156  return NULL;
157  }
158 
159  return ctx;
160 }
161 
163  size_t prealloc_size;
164  secp256k1_context* ret;
165  VERIFY_CHECK(ctx != NULL);
166  ARG_CHECK(prealloc != NULL);
167 
168  prealloc_size = secp256k1_context_preallocated_clone_size(ctx);
169  ret = (secp256k1_context*)prealloc;
170  memcpy(ret, ctx, prealloc_size);
173  return ret;
174 }
175 
177  secp256k1_context* ret;
178  size_t prealloc_size;
179 
180  VERIFY_CHECK(ctx != NULL);
181  prealloc_size = secp256k1_context_preallocated_clone_size(ctx);
182  ret = (secp256k1_context*)checked_malloc(&ctx->error_callback, prealloc_size);
183  ret = secp256k1_context_preallocated_clone(ctx, ret);
184  return ret;
185 }
186 
188  ARG_CHECK_NO_RETURN(ctx != secp256k1_context_no_precomp);
189  if (ctx != NULL) {
192  }
193 }
194 
196  if (ctx != NULL) {
198  free(ctx);
199  }
200 }
201 
202 void secp256k1_context_set_illegal_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
203  ARG_CHECK_NO_RETURN(ctx != secp256k1_context_no_precomp);
204  if (fun == NULL) {
206  }
207  ctx->illegal_callback.fn = fun;
208  ctx->illegal_callback.data = data;
209 }
210 
211 void secp256k1_context_set_error_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
212  ARG_CHECK_NO_RETURN(ctx != secp256k1_context_no_precomp);
213  if (fun == NULL) {
215  }
216  ctx->error_callback.fn = fun;
217  ctx->error_callback.data = data;
218 }
219 
221  VERIFY_CHECK(ctx != NULL);
222  return secp256k1_scratch_create(&ctx->error_callback, max_size);
223 }
224 
226  VERIFY_CHECK(ctx != NULL);
228 }
229 
230 /* Mark memory as no-longer-secret for the purpose of analysing constant-time behaviour
231  * of the software. This is setup for use with valgrind but could be substituted with
232  * the appropriate instrumentation for other analysis tools.
233  */
234 static SECP256K1_INLINE void secp256k1_declassify(const secp256k1_context* ctx, const void *p, size_t len) {
235 #if defined(VALGRIND)
236  if (EXPECT(ctx->declassify,0)) VALGRIND_MAKE_MEM_DEFINED(p, len);
237 #else
238  (void)ctx;
239  (void)p;
240  (void)len;
241 #endif
242 }
243 
244 static int secp256k1_pubkey_load(const secp256k1_context* ctx, secp256k1_ge* ge, const secp256k1_pubkey* pubkey) {
245  if (sizeof(secp256k1_ge_storage) == 64) {
246  /* When the secp256k1_ge_storage type is exactly 64 byte, use its
247  * representation inside secp256k1_pubkey, as conversion is very fast.
248  * Note that secp256k1_pubkey_save must use the same representation. */
250  memcpy(&s, &pubkey->data[0], sizeof(s));
252  } else {
253  /* Otherwise, fall back to 32-byte big endian for X and Y. */
254  secp256k1_fe x, y;
255  secp256k1_fe_set_b32(&x, pubkey->data);
256  secp256k1_fe_set_b32(&y, pubkey->data + 32);
257  secp256k1_ge_set_xy(ge, &x, &y);
258  }
260  return 1;
261 }
262 
264  if (sizeof(secp256k1_ge_storage) == 64) {
266  secp256k1_ge_to_storage(&s, ge);
267  memcpy(&pubkey->data[0], &s, sizeof(s));
268  } else {
272  secp256k1_fe_get_b32(pubkey->data, &ge->x);
273  secp256k1_fe_get_b32(pubkey->data + 32, &ge->y);
274  }
275 }
276 
277 int secp256k1_ec_pubkey_parse(const secp256k1_context* ctx, secp256k1_pubkey* pubkey, const unsigned char *input, size_t inputlen) {
278  secp256k1_ge Q;
279 
280  VERIFY_CHECK(ctx != NULL);
281  ARG_CHECK(pubkey != NULL);
282  memset(pubkey, 0, sizeof(*pubkey));
283  ARG_CHECK(input != NULL);
284  if (!secp256k1_eckey_pubkey_parse(&Q, input, inputlen)) {
285  return 0;
286  }
288  return 0;
289  }
290  secp256k1_pubkey_save(pubkey, &Q);
291  secp256k1_ge_clear(&Q);
292  return 1;
293 }
294 
295 int secp256k1_ec_pubkey_serialize(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey* pubkey, unsigned int flags) {
296  secp256k1_ge Q;
297  size_t len;
298  int ret = 0;
299 
300  VERIFY_CHECK(ctx != NULL);
301  ARG_CHECK(outputlen != NULL);
302  ARG_CHECK(*outputlen >= ((flags & SECP256K1_FLAGS_BIT_COMPRESSION) ? 33u : 65u));
303  len = *outputlen;
304  *outputlen = 0;
305  ARG_CHECK(output != NULL);
306  memset(output, 0, len);
307  ARG_CHECK(pubkey != NULL);
309  if (secp256k1_pubkey_load(ctx, &Q, pubkey)) {
310  ret = secp256k1_eckey_pubkey_serialize(&Q, output, &len, flags & SECP256K1_FLAGS_BIT_COMPRESSION);
311  if (ret) {
312  *outputlen = len;
313  }
314  }
315  return ret;
316 }
317 
319  (void)ctx;
320  if (sizeof(secp256k1_scalar) == 32) {
321  /* When the secp256k1_scalar type is exactly 32 byte, use its
322  * representation inside secp256k1_ecdsa_signature, as conversion is very fast.
323  * Note that secp256k1_ecdsa_signature_save must use the same representation. */
324  memcpy(r, &sig->data[0], 32);
325  memcpy(s, &sig->data[32], 32);
326  } else {
327  secp256k1_scalar_set_b32(r, &sig->data[0], NULL);
328  secp256k1_scalar_set_b32(s, &sig->data[32], NULL);
329  }
330 }
331 
333  if (sizeof(secp256k1_scalar) == 32) {
334  memcpy(&sig->data[0], r, 32);
335  memcpy(&sig->data[32], s, 32);
336  } else {
337  secp256k1_scalar_get_b32(&sig->data[0], r);
338  secp256k1_scalar_get_b32(&sig->data[32], s);
339  }
340 }
341 
342 int secp256k1_ecdsa_signature_parse_der(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) {
343  secp256k1_scalar r, s;
344 
345  VERIFY_CHECK(ctx != NULL);
346  ARG_CHECK(sig != NULL);
347  ARG_CHECK(input != NULL);
348 
349  if (secp256k1_ecdsa_sig_parse(&r, &s, input, inputlen)) {
350  secp256k1_ecdsa_signature_save(sig, &r, &s);
351  return 1;
352  } else {
353  memset(sig, 0, sizeof(*sig));
354  return 0;
355  }
356 }
357 
358 int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input64) {
359  secp256k1_scalar r, s;
360  int ret = 1;
361  int overflow = 0;
362 
363  VERIFY_CHECK(ctx != NULL);
364  ARG_CHECK(sig != NULL);
365  ARG_CHECK(input64 != NULL);
366 
367  secp256k1_scalar_set_b32(&r, &input64[0], &overflow);
368  ret &= !overflow;
369  secp256k1_scalar_set_b32(&s, &input64[32], &overflow);
370  ret &= !overflow;
371  if (ret) {
372  secp256k1_ecdsa_signature_save(sig, &r, &s);
373  } else {
374  memset(sig, 0, sizeof(*sig));
375  }
376  return ret;
377 }
378 
379 int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature* sig) {
380  secp256k1_scalar r, s;
381 
382  VERIFY_CHECK(ctx != NULL);
383  ARG_CHECK(output != NULL);
384  ARG_CHECK(outputlen != NULL);
385  ARG_CHECK(sig != NULL);
386 
387  secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
388  return secp256k1_ecdsa_sig_serialize(output, outputlen, &r, &s);
389 }
390 
392  secp256k1_scalar r, s;
393 
394  VERIFY_CHECK(ctx != NULL);
395  ARG_CHECK(output64 != NULL);
396  ARG_CHECK(sig != NULL);
397 
398  secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
399  secp256k1_scalar_get_b32(&output64[0], &r);
400  secp256k1_scalar_get_b32(&output64[32], &s);
401  return 1;
402 }
403 
405  secp256k1_scalar r, s;
406  int ret = 0;
407 
408  VERIFY_CHECK(ctx != NULL);
409  ARG_CHECK(sigin != NULL);
410 
411  secp256k1_ecdsa_signature_load(ctx, &r, &s, sigin);
412  ret = secp256k1_scalar_is_high(&s);
413  if (sigout != NULL) {
414  if (ret) {
415  secp256k1_scalar_negate(&s, &s);
416  }
417  secp256k1_ecdsa_signature_save(sigout, &r, &s);
418  }
419 
420  return ret;
421 }
422 
423 int secp256k1_ecdsa_verify(const secp256k1_context* ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const secp256k1_pubkey *pubkey) {
424  secp256k1_ge q;
425  secp256k1_scalar r, s;
427  VERIFY_CHECK(ctx != NULL);
429  ARG_CHECK(msg32 != NULL);
430  ARG_CHECK(sig != NULL);
431  ARG_CHECK(pubkey != NULL);
432 
433  secp256k1_scalar_set_b32(&m, msg32, NULL);
434  secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
435  return (!secp256k1_scalar_is_high(&s) &&
436  secp256k1_pubkey_load(ctx, &q, pubkey) &&
437  secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &r, &s, &q, &m));
438 }
439 
440 static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *offset, const void *data, unsigned int len) {
441  memcpy(buf + *offset, data, len);
442  *offset += len;
443 }
444 
445 static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
446  unsigned char keydata[112];
447  unsigned int offset = 0;
449  unsigned int i;
450  /* We feed a byte array to the PRNG as input, consisting of:
451  * - the private key (32 bytes) and message (32 bytes), see RFC 6979 3.2d.
452  * - optionally 32 extra bytes of data, see RFC 6979 3.6 Additional Data.
453  * - optionally 16 extra bytes with the algorithm name.
454  * Because the arguments have distinct fixed lengths it is not possible for
455  * different argument mixtures to emulate each other and result in the same
456  * nonces.
457  */
458  buffer_append(keydata, &offset, key32, 32);
459  buffer_append(keydata, &offset, msg32, 32);
460  if (data != NULL) {
461  buffer_append(keydata, &offset, data, 32);
462  }
463  if (algo16 != NULL) {
464  buffer_append(keydata, &offset, algo16, 16);
465  }
466  secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, offset);
467  memset(keydata, 0, sizeof(keydata));
468  for (i = 0; i <= counter; i++) {
469  secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
470  }
472  return 1;
473 }
474 
477 
478 static int secp256k1_ecdsa_sign_inner(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, int* recid, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
479  secp256k1_scalar sec, non, msg;
480  int ret = 0;
481  int is_sec_valid;
482  unsigned char nonce32[32];
483  unsigned int count = 0;
484  /* Default initialization here is important so we won't pass uninit values to the cmov in the end */
487  if (recid) {
488  *recid = 0;
489  }
490  if (noncefp == NULL) {
492  }
493 
494  /* Fail if the secret key is invalid. */
495  is_sec_valid = secp256k1_scalar_set_b32_seckey(&sec, seckey);
496  secp256k1_scalar_cmov(&sec, &secp256k1_scalar_one, !is_sec_valid);
497  secp256k1_scalar_set_b32(&msg, msg32, NULL);
498  while (1) {
499  int is_nonce_valid;
500  ret = !!noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count);
501  if (!ret) {
502  break;
503  }
504  is_nonce_valid = secp256k1_scalar_set_b32_seckey(&non, nonce32);
505  /* The nonce is still secret here, but it being invalid is is less likely than 1:2^255. */
506  secp256k1_declassify(ctx, &is_nonce_valid, sizeof(is_nonce_valid));
507  if (is_nonce_valid) {
508  ret = secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, r, s, &sec, &msg, &non, recid);
509  /* The final signature is no longer a secret, nor is the fact that we were successful or not. */
510  secp256k1_declassify(ctx, &ret, sizeof(ret));
511  if (ret) {
512  break;
513  }
514  }
515  count++;
516  }
517  /* We don't want to declassify is_sec_valid and therefore the range of
518  * seckey. As a result is_sec_valid is included in ret only after ret was
519  * used as a branching variable. */
520  ret &= is_sec_valid;
521  memset(nonce32, 0, 32);
527  if (recid) {
528  const int zero = 0;
529  secp256k1_int_cmov(recid, &zero, !ret);
530  }
531  return ret;
532 }
533 
534 int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
535  secp256k1_scalar r, s;
536  int ret;
537  VERIFY_CHECK(ctx != NULL);
539  ARG_CHECK(msg32 != NULL);
540  ARG_CHECK(signature != NULL);
541  ARG_CHECK(seckey != NULL);
542 
543  ret = secp256k1_ecdsa_sign_inner(ctx, &r, &s, NULL, msg32, seckey, noncefp, noncedata);
544  secp256k1_ecdsa_signature_save(signature, &r, &s);
545  return ret;
546 }
547 
548 int secp256k1_ec_seckey_verify(const secp256k1_context* ctx, const unsigned char *seckey) {
549  secp256k1_scalar sec;
550  int ret;
551  VERIFY_CHECK(ctx != NULL);
552  ARG_CHECK(seckey != NULL);
553 
554  ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
556  return ret;
557 }
558 
559 static int secp256k1_ec_pubkey_create_helper(const secp256k1_ecmult_gen_context *ecmult_gen_ctx, secp256k1_scalar *seckey_scalar, secp256k1_ge *p, const unsigned char *seckey) {
560  secp256k1_gej pj;
561  int ret;
562 
563  ret = secp256k1_scalar_set_b32_seckey(seckey_scalar, seckey);
564  secp256k1_scalar_cmov(seckey_scalar, &secp256k1_scalar_one, !ret);
565 
566  secp256k1_ecmult_gen(ecmult_gen_ctx, &pj, seckey_scalar);
567  secp256k1_ge_set_gej(p, &pj);
568  return ret;
569 }
570 
571 int secp256k1_ec_pubkey_create(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) {
572  secp256k1_ge p;
573  secp256k1_scalar seckey_scalar;
574  int ret = 0;
575  VERIFY_CHECK(ctx != NULL);
576  ARG_CHECK(pubkey != NULL);
577  memset(pubkey, 0, sizeof(*pubkey));
579  ARG_CHECK(seckey != NULL);
580 
581  ret = secp256k1_ec_pubkey_create_helper(&ctx->ecmult_gen_ctx, &seckey_scalar, &p, seckey);
582  secp256k1_pubkey_save(pubkey, &p);
583  memczero(pubkey, sizeof(*pubkey), !ret);
584 
585  secp256k1_scalar_clear(&seckey_scalar);
586  return ret;
587 }
588 
589 int secp256k1_ec_seckey_negate(const secp256k1_context* ctx, unsigned char *seckey) {
590  secp256k1_scalar sec;
591  int ret = 0;
592  VERIFY_CHECK(ctx != NULL);
593  ARG_CHECK(seckey != NULL);
594 
595  ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
597  secp256k1_scalar_negate(&sec, &sec);
598  secp256k1_scalar_get_b32(seckey, &sec);
599 
601  return ret;
602 }
603 
604 int secp256k1_ec_privkey_negate(const secp256k1_context* ctx, unsigned char *seckey) {
605  return secp256k1_ec_seckey_negate(ctx, seckey);
606 }
607 
609  int ret = 0;
610  secp256k1_ge p;
611  VERIFY_CHECK(ctx != NULL);
612  ARG_CHECK(pubkey != NULL);
613 
614  ret = secp256k1_pubkey_load(ctx, &p, pubkey);
615  memset(pubkey, 0, sizeof(*pubkey));
616  if (ret) {
617  secp256k1_ge_neg(&p, &p);
618  secp256k1_pubkey_save(pubkey, &p);
619  }
620  return ret;
621 }
622 
623 
624 static int secp256k1_ec_seckey_tweak_add_helper(secp256k1_scalar *sec, const unsigned char *tweak) {
625  secp256k1_scalar term;
626  int overflow = 0;
627  int ret = 0;
628 
629  secp256k1_scalar_set_b32(&term, tweak, &overflow);
630  ret = (!overflow) & secp256k1_eckey_privkey_tweak_add(sec, &term);
631  secp256k1_scalar_clear(&term);
632  return ret;
633 }
634 
635 int secp256k1_ec_seckey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) {
636  secp256k1_scalar sec;
637  int ret = 0;
638  VERIFY_CHECK(ctx != NULL);
639  ARG_CHECK(seckey != NULL);
640  ARG_CHECK(tweak != NULL);
641 
642  ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
643  ret &= secp256k1_ec_seckey_tweak_add_helper(&sec, tweak);
645  secp256k1_scalar_get_b32(seckey, &sec);
646 
648  return ret;
649 }
650 
651 int secp256k1_ec_privkey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) {
652  return secp256k1_ec_seckey_tweak_add(ctx, seckey, tweak);
653 }
654 
655 static int secp256k1_ec_pubkey_tweak_add_helper(const secp256k1_ecmult_context* ecmult_ctx, secp256k1_ge *p, const unsigned char *tweak) {
656  secp256k1_scalar term;
657  int overflow = 0;
658  secp256k1_scalar_set_b32(&term, tweak, &overflow);
659  return !overflow && secp256k1_eckey_pubkey_tweak_add(ecmult_ctx, p, &term);
660 }
661 
662 int secp256k1_ec_pubkey_tweak_add(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) {
663  secp256k1_ge p;
664  int ret = 0;
665  VERIFY_CHECK(ctx != NULL);
667  ARG_CHECK(pubkey != NULL);
668  ARG_CHECK(tweak != NULL);
669 
670  ret = secp256k1_pubkey_load(ctx, &p, pubkey);
671  memset(pubkey, 0, sizeof(*pubkey));
672  ret = ret && secp256k1_ec_pubkey_tweak_add_helper(&ctx->ecmult_ctx, &p, tweak);
673  if (ret) {
674  secp256k1_pubkey_save(pubkey, &p);
675  }
676 
677  return ret;
678 }
679 
680 int secp256k1_ec_seckey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) {
681  secp256k1_scalar factor;
682  secp256k1_scalar sec;
683  int ret = 0;
684  int overflow = 0;
685  VERIFY_CHECK(ctx != NULL);
686  ARG_CHECK(seckey != NULL);
687  ARG_CHECK(tweak != NULL);
688 
689  secp256k1_scalar_set_b32(&factor, tweak, &overflow);
690  ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
691  ret &= (!overflow) & secp256k1_eckey_privkey_tweak_mul(&sec, &factor);
693  secp256k1_scalar_get_b32(seckey, &sec);
694 
696  secp256k1_scalar_clear(&factor);
697  return ret;
698 }
699 
700 int secp256k1_ec_privkey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) {
701  return secp256k1_ec_seckey_tweak_mul(ctx, seckey, tweak);
702 }
703 
704 int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) {
705  secp256k1_ge p;
706  secp256k1_scalar factor;
707  int ret = 0;
708  int overflow = 0;
709  VERIFY_CHECK(ctx != NULL);
711  ARG_CHECK(pubkey != NULL);
712  ARG_CHECK(tweak != NULL);
713 
714  secp256k1_scalar_set_b32(&factor, tweak, &overflow);
715  ret = !overflow && secp256k1_pubkey_load(ctx, &p, pubkey);
716  memset(pubkey, 0, sizeof(*pubkey));
717  if (ret) {
718  if (secp256k1_eckey_pubkey_tweak_mul(&ctx->ecmult_ctx, &p, &factor)) {
719  secp256k1_pubkey_save(pubkey, &p);
720  } else {
721  ret = 0;
722  }
723  }
724 
725  return ret;
726 }
727 
728 int secp256k1_context_randomize(secp256k1_context* ctx, const unsigned char *seed32) {
729  VERIFY_CHECK(ctx != NULL);
732  }
733  return 1;
734 }
735 
736 int secp256k1_ec_pubkey_combine(const secp256k1_context* ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey * const *pubnonces, size_t n) {
737  size_t i;
738  secp256k1_gej Qj;
739  secp256k1_ge Q;
740 
741  ARG_CHECK(pubnonce != NULL);
742  memset(pubnonce, 0, sizeof(*pubnonce));
743  ARG_CHECK(n >= 1);
744  ARG_CHECK(pubnonces != NULL);
745 
747 
748  for (i = 0; i < n; i++) {
749  secp256k1_pubkey_load(ctx, &Q, pubnonces[i]);
750  secp256k1_gej_add_ge(&Qj, &Qj, &Q);
751  }
752  if (secp256k1_gej_is_infinity(&Qj)) {
753  return 0;
754  }
755  secp256k1_ge_set_gej(&Q, &Qj);
756  secp256k1_pubkey_save(pubnonce, &Q);
757  return 1;
758 }
759 
760 #ifdef ENABLE_MODULE_ECDH
761 # include "modules/ecdh/main_impl.h"
762 #endif
763 
764 #ifdef ENABLE_MODULE_RECOVERY
766 #endif
767 
768 #ifdef ENABLE_MODULE_EXTRAKEYS
770 #endif
771 
772 #ifdef ENABLE_MODULE_SCHNORRSIG
774 #endif
static int secp256k1_ecmult_context_is_built(const secp256k1_ecmult_context *ctx)
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
#define VERIFY_CHECK(cond)
Definition: util.h:68
int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig)
Serialize an ECDSA signature in DER format.
Definition: secp256k1.c:379
static void secp256k1_ecmult_gen_context_finalize_memcpy(secp256k1_ecmult_gen_context *dst, const secp256k1_ecmult_gen_context *src)
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
#define SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY
Definition: secp256k1.h:165
static int secp256k1_fe_is_zero(const secp256k1_fe *a)
Verify whether a field element is zero.
static const secp256k1_callback default_illegal_callback
Definition: secp256k1.c:60
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
int secp256k1_ec_privkey_negate(const secp256k1_context *ctx, unsigned char *seckey)
Same as secp256k1_ec_seckey_negate, but DEPRECATED.
Definition: secp256k1.c:604
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
static void secp256k1_fe_normalize_var(secp256k1_fe *r)
Normalize a field element, without constant-time guarantee.
static void secp256k1_scratch_destroy(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
static int secp256k1_ecdsa_sign_inner(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, int *recid, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *noncedata)
Definition: secp256k1.c:478
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen)
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
secp256k1_scratch_space * secp256k1_scratch_space_create(const secp256k1_context *ctx, size_t max_size)
Create a secp256k1 scratch space object.
Definition: secp256k1.c:220
static int secp256k1_eckey_privkey_tweak_mul(secp256k1_scalar *key, const secp256k1_scalar *tweak)
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: secp256k1.c:445
void secp256k1_context_preallocated_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object that has been created in caller-provided memory.
Definition: secp256k1.c:187
int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:295
static int secp256k1_ec_pubkey_tweak_add_helper(const secp256k1_ecmult_context *ecmult_ctx, secp256k1_ge *p, const unsigned char *tweak)
Definition: secp256k1.c:655
unsigned char data[64]
Definition: secp256k1.h:81
static int secp256k1_ecdsa_sig_parse(secp256k1_scalar *r, secp256k1_scalar *s, const unsigned char *sig, size_t size)
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
static int secp256k1_ec_seckey_tweak_add_helper(secp256k1_scalar *sec, const unsigned char *tweak)
Definition: secp256k1.c:624
static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context *ctx, void **prealloc)
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32)
static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed)
static void secp256k1_default_error_callback_fn(const char *str, void *data)
Definition: secp256k1.c:50
int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen)
Parse a DER ECDSA signature.
Definition: secp256k1.c:342
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:263
secp256k1_context * secp256k1_context_preallocated_create(void *prealloc, unsigned int flags)
Create a secp256k1 context object in caller-provided memory.
Definition: secp256k1.c:117
int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey)
Verify an ECDSA secret key.
Definition: secp256k1.c:548
void(* fn)(const char *text, void *data)
Definition: util.h:20
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:24
static int secp256k1_eckey_pubkey_tweak_add(const secp256k1_ecmult_context *ctx, secp256k1_ge *key, const secp256k1_scalar *tweak)
static const secp256k1_callback default_error_callback
Definition: secp256k1.c:65
secp256k1_context * secp256k1_context_preallocated_clone(const secp256k1_context *ctx, void *prealloc)
Copy a secp256k1 context object into caller-provided memory.
Definition: secp256k1.c:162
static void secp256k1_default_illegal_callback_fn(const char *str, void *data)
Definition: secp256k1.c:45
static void secp256k1_ecmult_gen_context_clear(secp256k1_ecmult_gen_context *ctx)
static SECP256K1_INLINE void * manual_alloc(void **prealloc_ptr, size_t alloc_size, void *base, size_t max_size)
Definition: util.h:134
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:332
#define SECP256K1_FLAGS_TYPE_CONTEXT
Definition: secp256k1.h:160
static int secp256k1_selftest(void)
Definition: selftest.h:28
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.
static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size)
#define SECP256K1_FLAGS_TYPE_MASK
All flags&#39; lower 8 bits indicate what they&#39;re for.
Definition: secp256k1.h:159
const secp256k1_nonce_function secp256k1_nonce_function_rfc6979
An implementation of RFC6979 (using HMAC-SHA256) as nonce generation function.
Definition: secp256k1.c:475
static const secp256k1_scalar secp256k1_scalar_zero
Definition: scalar_impl.h:32
int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *noncedata)
Create an ECDSA signature.
Definition: secp256k1.c:534
static int secp256k1_eckey_pubkey_tweak_mul(const secp256k1_ecmult_context *ctx, secp256k1_ge *key, const secp256k1_scalar *tweak)
#define SECP256K1_INLINE
Definition: secp256k1.h:124
static SECP256K1_INLINE void secp256k1_declassify(const secp256k1_context *ctx, const void *p, size_t len)
Definition: secp256k1.c:234
secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx)
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:176
int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:704
int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey *const *pubnonces, size_t n)
Add a number of public keys together.
Definition: secp256k1.c:736
static const secp256k1_context secp256k1_context_no_precomp_
Definition: secp256k1.c:78
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:72
#define ARG_CHECK(cond)
Definition: secp256k1.c:29
int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const secp256k1_pubkey *pubkey)
Verify an ECDSA signature.
Definition: secp256k1.c:423
static secp256k1_context * ctx
Definition: tests.c:36
static int secp256k1_ec_pubkey_create_helper(const secp256k1_ecmult_gen_context *ecmult_gen_ctx, secp256k1_scalar *seckey_scalar, secp256k1_ge *p, const unsigned char *seckey)
Definition: secp256k1.c:559
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
static void secp256k1_ecmult_context_init(secp256k1_ecmult_context *ctx)
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
static int secp256k1_ge_is_in_correct_subgroup(const secp256k1_ge *ge)
Determine if a point (which is assumed to be on the curve) is in the correct (sub)group of the curve...
int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey)
Compute the public key for a secret key.
Definition: secp256k1.c:571
static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin)
Set a scalar from a big endian byte array and returns 1 if it is a valid seckey and 0 otherwise...
void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:211
void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data)
Set a callback function to be called when an illegal argument is passed to an API call...
Definition: secp256k1.c:202
#define ARG_CHECK_NO_RETURN(cond)
Definition: secp256k1.c:36
secp256k1_ecmult_context ecmult_ctx
Definition: secp256k1.c:71
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.
static int secp256k1_eckey_privkey_tweak_add(secp256k1_scalar *key, const secp256k1_scalar *tweak)
A group element of the secp256k1 curve, in affine coordinates.
Definition: group.h:14
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:80
secp256k1_fe x
Definition: group.h:15
int secp256k1_ec_seckey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak)
Tweak a secret key by multiplying it by a tweak.
Definition: secp256k1.c:680
static void secp256k1_ge_clear(secp256k1_ge *r)
Clear a secp256k1_ge to prevent leaking sensitive information.
const secp256k1_nonce_function secp256k1_nonce_function_default
A default safe nonce generation function (currently equal to secp256k1_nonce_function_rfc6979).
Definition: secp256k1.c:476
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_callback illegal_callback
Definition: secp256k1.c:73
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:318
#define SECP256K1_FLAGS_BIT_CONTEXT_SIGN
Definition: secp256k1.h:164
#define EXPECT(x, c)
Definition: util.h:43
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey)
Negates a public key in place.
Definition: secp256k1.c:608
static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a)
Set a field element equal to 32-byte big endian value.
int flags
Definition: bitcoin-tx.cpp:506
unsigned char data[64]
Definition: secp256k1.h:68
static void secp256k1_ge_set_xy(secp256k1_ge *r, const secp256k1_fe *x, const secp256k1_fe *y)
Set a group element equal to the point with given X and Y coordinates.
static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *offset, const void *data, unsigned int len)
Definition: secp256k1.c:440
int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:277
#define SECP256K1_FLAGS_BIT_CONTEXT_VERIFY
The higher bits contain the actual data.
Definition: secp256k1.h:163
int(* secp256k1_nonce_function)(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int attempt)
A pointer to a function to deterministically generate a nonce.
Definition: secp256k1.h:100
static void secp256k1_ecmult_context_finalize_memcpy(secp256k1_ecmult_context *dst, const secp256k1_ecmult_context *src)
static void secp256k1_ecmult_gen_context_init(secp256k1_ecmult_gen_context *ctx)
void * memcpy(void *a, const void *b, size_t c)
static int secp256k1_ecdsa_sig_verify(const secp256k1_ecmult_context *ctx, const secp256k1_scalar *r, const secp256k1_scalar *s, const secp256k1_ge *pubkey, const secp256k1_scalar *message)
int secp256k1_ec_seckey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak)
Tweak a secret key by adding tweak to it.
Definition: secp256k1.c:635
static SECP256K1_INLINE void secp256k1_callback_call(const secp256k1_callback *const cb, const char *const text)
Definition: util.h:24
void secp256k1_context_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:195
int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:391
static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a)
Convert a field element to a 32-byte big endian value.
#define ROUND_TO_ALIGN(size)
Definition: util.h:116
static const size_t SECP256K1_ECMULT_CONTEXT_PREALLOCATED_SIZE
Definition: ecmult.h:21
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
static int count
Definition: tests.c:35
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:244
secp256k1_callback error_callback
Definition: secp256k1.c:74
static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a)
Convert a group element back from the storage type.
void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space *scratch)
Destroy a secp256k1 scratch space.
Definition: secp256k1.c:225
size_t secp256k1_context_preallocated_clone_size(const secp256k1_context *ctx)
Determine the memory size of a secp256k1 context object to be copied into caller-provided memory...
Definition: secp256k1.c:105
static const size_t SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE
Definition: ecmult_gen.h:38
const secp256k1_context * secp256k1_context_no_precomp
A simple secp256k1 context object with no precomputed tables.
Definition: secp256k1.c:85
const void * data
Definition: util.h:21
int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:662
int secp256k1_ec_seckey_negate(const secp256k1_context *ctx, unsigned char *seckey)
Negates a secret key in place.
Definition: secp256k1.c:589
static SECP256K1_INLINE void secp256k1_int_cmov(int *r, const int *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
Definition: util.h:238
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)
int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32)
Updates the context randomization to protect against side-channel leakage.
Definition: secp256k1.c:728
secp256k1_fe y
Definition: group.h:16
int secp256k1_ec_privkey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak)
Same as secp256k1_ec_seckey_tweak_add, but DEPRECATED.
Definition: secp256k1.c:651
static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:31
size_t secp256k1_context_preallocated_size(unsigned int flags)
Determine the memory size of a secp256k1 context object to be created in caller-provided memory...
Definition: secp256k1.c:87
static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a)
Convert a group element to the storage type.
static SECP256K1_INLINE void memczero(void *s, size_t len, int flag)
Definition: util.h:205
static SECP256K1_INLINE void * checked_malloc(const secp256k1_callback *cb, size_t size)
Definition: util.h:91
static void secp256k1_ecmult_context_build(secp256k1_ecmult_context *ctx, void **prealloc)
static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_context *ctx)
static void secp256k1_ecmult_context_clear(secp256k1_ecmult_context *ctx)
#define SECP256K1_FLAGS_TYPE_COMPRESSION
Definition: secp256k1.h:161
int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:358
secp256k1_context * secp256k1_context_create(unsigned int flags)
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:151
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng)
int secp256k1_ec_privkey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak)
Same as secp256k1_ec_seckey_tweak_mul, but DEPRECATED.
Definition: secp256k1.c:700
static int secp256k1_ecdsa_sig_serialize(unsigned char *sig, size_t *size, const secp256k1_scalar *r, const secp256k1_scalar *s)
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:67
#define SECP256K1_FLAGS_BIT_COMPRESSION
Definition: secp256k1.h:166
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:404