Bitcoin Core  0.20.99
P2P Digital Currency
secp256k1.c
Go to the documentation of this file.
1 /**********************************************************************
2  * Copyright (c) 2013-2015 Pieter Wuille *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5  **********************************************************************/
6 
7 #include "include/secp256k1.h"
9 
10 #include "util.h"
11 #include "num_impl.h"
12 #include "field_impl.h"
13 #include "scalar_impl.h"
14 #include "group_impl.h"
15 #include "ecmult_impl.h"
16 #include "ecmult_const_impl.h"
17 #include "ecmult_gen_impl.h"
18 #include "ecdsa_impl.h"
19 #include "eckey_impl.h"
20 #include "hash_impl.h"
21 #include "scratch_impl.h"
22 
23 #if defined(VALGRIND)
24 # include <valgrind/memcheck.h>
25 #endif
26 
27 #define ARG_CHECK(cond) do { \
28  if (EXPECT(!(cond), 0)) { \
29  secp256k1_callback_call(&ctx->illegal_callback, #cond); \
30  return 0; \
31  } \
32 } while(0)
33 
34 #define ARG_CHECK_NO_RETURN(cond) do { \
35  if (EXPECT(!(cond), 0)) { \
36  secp256k1_callback_call(&ctx->illegal_callback, #cond); \
37  } \
38 } while(0)
39 
40 #ifndef USE_EXTERNAL_DEFAULT_CALLBACKS
41 #include <stdlib.h>
42 #include <stdio.h>
43 static void secp256k1_default_illegal_callback_fn(const char* str, void* data) {
44  (void)data;
45  fprintf(stderr, "[libsecp256k1] illegal argument: %s\n", str);
46  abort();
47 }
48 static void secp256k1_default_error_callback_fn(const char* str, void* data) {
49  (void)data;
50  fprintf(stderr, "[libsecp256k1] internal consistency check failed: %s\n", str);
51  abort();
52 }
53 #else
54 void secp256k1_default_illegal_callback_fn(const char* str, void* data);
55 void secp256k1_default_error_callback_fn(const char* str, void* data);
56 #endif
57 
60  NULL
61 };
62 
65  NULL
66 };
67 
74 };
75 
77  { 0 },
78  { 0 },
81  0
82 };
84 
86  size_t ret = ROUND_TO_ALIGN(sizeof(secp256k1_context));
87 
89  secp256k1_callback_call(&default_illegal_callback,
90  "Invalid flags");
91  return 0;
92  }
93 
96  }
99  }
100  return ret;
101 }
102 
104  size_t ret = ROUND_TO_ALIGN(sizeof(secp256k1_context));
105  VERIFY_CHECK(ctx != NULL);
108  }
111  }
112  return ret;
113 }
114 
116  void* const base = prealloc;
117  size_t prealloc_size;
118  secp256k1_context* ret;
119 
120  VERIFY_CHECK(prealloc != NULL);
121  prealloc_size = secp256k1_context_preallocated_size(flags);
122  ret = (secp256k1_context*)manual_alloc(&prealloc, sizeof(secp256k1_context), base, prealloc_size);
125 
128  "Invalid flags");
129  return NULL;
130  }
131 
134 
135  if (flags & SECP256K1_FLAGS_BIT_CONTEXT_SIGN) {
137  }
139  secp256k1_ecmult_context_build(&ret->ecmult_ctx, &prealloc);
140  }
142 
143  return (secp256k1_context*) ret;
144 }
145 
147  size_t const prealloc_size = secp256k1_context_preallocated_size(flags);
148  secp256k1_context* ctx = (secp256k1_context*)checked_malloc(&default_error_callback, prealloc_size);
149  if (EXPECT(secp256k1_context_preallocated_create(ctx, flags) == NULL, 0)) {
150  free(ctx);
151  return NULL;
152  }
153 
154  return ctx;
155 }
156 
158  size_t prealloc_size;
159  secp256k1_context* ret;
160  VERIFY_CHECK(ctx != NULL);
161  ARG_CHECK(prealloc != NULL);
162 
163  prealloc_size = secp256k1_context_preallocated_clone_size(ctx);
164  ret = (secp256k1_context*)prealloc;
165  memcpy(ret, ctx, prealloc_size);
168  return ret;
169 }
170 
172  secp256k1_context* ret;
173  size_t prealloc_size;
174 
175  VERIFY_CHECK(ctx != NULL);
176  prealloc_size = secp256k1_context_preallocated_clone_size(ctx);
177  ret = (secp256k1_context*)checked_malloc(&ctx->error_callback, prealloc_size);
178  ret = secp256k1_context_preallocated_clone(ctx, ret);
179  return ret;
180 }
181 
183  ARG_CHECK_NO_RETURN(ctx != secp256k1_context_no_precomp);
184  if (ctx != NULL) {
187  }
188 }
189 
191  if (ctx != NULL) {
193  free(ctx);
194  }
195 }
196 
197 void secp256k1_context_set_illegal_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
198  ARG_CHECK_NO_RETURN(ctx != secp256k1_context_no_precomp);
199  if (fun == NULL) {
201  }
202  ctx->illegal_callback.fn = fun;
203  ctx->illegal_callback.data = data;
204 }
205 
206 void secp256k1_context_set_error_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
207  ARG_CHECK_NO_RETURN(ctx != secp256k1_context_no_precomp);
208  if (fun == NULL) {
210  }
211  ctx->error_callback.fn = fun;
212  ctx->error_callback.data = data;
213 }
214 
216  VERIFY_CHECK(ctx != NULL);
217  return secp256k1_scratch_create(&ctx->error_callback, max_size);
218 }
219 
221  VERIFY_CHECK(ctx != NULL);
223 }
224 
225 /* Mark memory as no-longer-secret for the purpose of analysing constant-time behaviour
226  * of the software. This is setup for use with valgrind but could be substituted with
227  * the appropriate instrumentation for other analysis tools.
228  */
229 static SECP256K1_INLINE void secp256k1_declassify(const secp256k1_context* ctx, void *p, size_t len) {
230 #if defined(VALGRIND)
231  if (EXPECT(ctx->declassify,0)) VALGRIND_MAKE_MEM_DEFINED(p, len);
232 #else
233  (void)ctx;
234  (void)p;
235  (void)len;
236 #endif
237 }
238 
239 static int secp256k1_pubkey_load(const secp256k1_context* ctx, secp256k1_ge* ge, const secp256k1_pubkey* pubkey) {
240  if (sizeof(secp256k1_ge_storage) == 64) {
241  /* When the secp256k1_ge_storage type is exactly 64 byte, use its
242  * representation inside secp256k1_pubkey, as conversion is very fast.
243  * Note that secp256k1_pubkey_save must use the same representation. */
245  memcpy(&s, &pubkey->data[0], sizeof(s));
247  } else {
248  /* Otherwise, fall back to 32-byte big endian for X and Y. */
249  secp256k1_fe x, y;
250  secp256k1_fe_set_b32(&x, pubkey->data);
251  secp256k1_fe_set_b32(&y, pubkey->data + 32);
252  secp256k1_ge_set_xy(ge, &x, &y);
253  }
255  return 1;
256 }
257 
259  if (sizeof(secp256k1_ge_storage) == 64) {
261  secp256k1_ge_to_storage(&s, ge);
262  memcpy(&pubkey->data[0], &s, sizeof(s));
263  } else {
267  secp256k1_fe_get_b32(pubkey->data, &ge->x);
268  secp256k1_fe_get_b32(pubkey->data + 32, &ge->y);
269  }
270 }
271 
272 int secp256k1_ec_pubkey_parse(const secp256k1_context* ctx, secp256k1_pubkey* pubkey, const unsigned char *input, size_t inputlen) {
273  secp256k1_ge Q;
274 
275  VERIFY_CHECK(ctx != NULL);
276  ARG_CHECK(pubkey != NULL);
277  memset(pubkey, 0, sizeof(*pubkey));
278  ARG_CHECK(input != NULL);
279  if (!secp256k1_eckey_pubkey_parse(&Q, input, inputlen)) {
280  return 0;
281  }
282  secp256k1_pubkey_save(pubkey, &Q);
283  secp256k1_ge_clear(&Q);
284  return 1;
285 }
286 
287 int secp256k1_ec_pubkey_serialize(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey* pubkey, unsigned int flags) {
288  secp256k1_ge Q;
289  size_t len;
290  int ret = 0;
291 
292  VERIFY_CHECK(ctx != NULL);
293  ARG_CHECK(outputlen != NULL);
294  ARG_CHECK(*outputlen >= ((flags & SECP256K1_FLAGS_BIT_COMPRESSION) ? 33 : 65));
295  len = *outputlen;
296  *outputlen = 0;
297  ARG_CHECK(output != NULL);
298  memset(output, 0, len);
299  ARG_CHECK(pubkey != NULL);
301  if (secp256k1_pubkey_load(ctx, &Q, pubkey)) {
302  ret = secp256k1_eckey_pubkey_serialize(&Q, output, &len, flags & SECP256K1_FLAGS_BIT_COMPRESSION);
303  if (ret) {
304  *outputlen = len;
305  }
306  }
307  return ret;
308 }
309 
311  (void)ctx;
312  if (sizeof(secp256k1_scalar) == 32) {
313  /* When the secp256k1_scalar type is exactly 32 byte, use its
314  * representation inside secp256k1_ecdsa_signature, as conversion is very fast.
315  * Note that secp256k1_ecdsa_signature_save must use the same representation. */
316  memcpy(r, &sig->data[0], 32);
317  memcpy(s, &sig->data[32], 32);
318  } else {
319  secp256k1_scalar_set_b32(r, &sig->data[0], NULL);
320  secp256k1_scalar_set_b32(s, &sig->data[32], NULL);
321  }
322 }
323 
325  if (sizeof(secp256k1_scalar) == 32) {
326  memcpy(&sig->data[0], r, 32);
327  memcpy(&sig->data[32], s, 32);
328  } else {
329  secp256k1_scalar_get_b32(&sig->data[0], r);
330  secp256k1_scalar_get_b32(&sig->data[32], s);
331  }
332 }
333 
334 int secp256k1_ecdsa_signature_parse_der(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) {
335  secp256k1_scalar r, s;
336 
337  VERIFY_CHECK(ctx != NULL);
338  ARG_CHECK(sig != NULL);
339  ARG_CHECK(input != NULL);
340 
341  if (secp256k1_ecdsa_sig_parse(&r, &s, input, inputlen)) {
342  secp256k1_ecdsa_signature_save(sig, &r, &s);
343  return 1;
344  } else {
345  memset(sig, 0, sizeof(*sig));
346  return 0;
347  }
348 }
349 
350 int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input64) {
351  secp256k1_scalar r, s;
352  int ret = 1;
353  int overflow = 0;
354 
355  VERIFY_CHECK(ctx != NULL);
356  ARG_CHECK(sig != NULL);
357  ARG_CHECK(input64 != NULL);
358 
359  secp256k1_scalar_set_b32(&r, &input64[0], &overflow);
360  ret &= !overflow;
361  secp256k1_scalar_set_b32(&s, &input64[32], &overflow);
362  ret &= !overflow;
363  if (ret) {
364  secp256k1_ecdsa_signature_save(sig, &r, &s);
365  } else {
366  memset(sig, 0, sizeof(*sig));
367  }
368  return ret;
369 }
370 
371 int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature* sig) {
372  secp256k1_scalar r, s;
373 
374  VERIFY_CHECK(ctx != NULL);
375  ARG_CHECK(output != NULL);
376  ARG_CHECK(outputlen != NULL);
377  ARG_CHECK(sig != NULL);
378 
379  secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
380  return secp256k1_ecdsa_sig_serialize(output, outputlen, &r, &s);
381 }
382 
384  secp256k1_scalar r, s;
385 
386  VERIFY_CHECK(ctx != NULL);
387  ARG_CHECK(output64 != NULL);
388  ARG_CHECK(sig != NULL);
389 
390  secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
391  secp256k1_scalar_get_b32(&output64[0], &r);
392  secp256k1_scalar_get_b32(&output64[32], &s);
393  return 1;
394 }
395 
397  secp256k1_scalar r, s;
398  int ret = 0;
399 
400  VERIFY_CHECK(ctx != NULL);
401  ARG_CHECK(sigin != NULL);
402 
403  secp256k1_ecdsa_signature_load(ctx, &r, &s, sigin);
404  ret = secp256k1_scalar_is_high(&s);
405  if (sigout != NULL) {
406  if (ret) {
407  secp256k1_scalar_negate(&s, &s);
408  }
409  secp256k1_ecdsa_signature_save(sigout, &r, &s);
410  }
411 
412  return ret;
413 }
414 
415 int secp256k1_ecdsa_verify(const secp256k1_context* ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const secp256k1_pubkey *pubkey) {
416  secp256k1_ge q;
417  secp256k1_scalar r, s;
419  VERIFY_CHECK(ctx != NULL);
421  ARG_CHECK(msg32 != NULL);
422  ARG_CHECK(sig != NULL);
423  ARG_CHECK(pubkey != NULL);
424 
425  secp256k1_scalar_set_b32(&m, msg32, NULL);
426  secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
427  return (!secp256k1_scalar_is_high(&s) &&
428  secp256k1_pubkey_load(ctx, &q, pubkey) &&
429  secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &r, &s, &q, &m));
430 }
431 
432 static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *offset, const void *data, unsigned int len) {
433  memcpy(buf + *offset, data, len);
434  *offset += len;
435 }
436 
437 static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
438  unsigned char keydata[112];
439  unsigned int offset = 0;
441  unsigned int i;
442  /* We feed a byte array to the PRNG as input, consisting of:
443  * - the private key (32 bytes) and message (32 bytes), see RFC 6979 3.2d.
444  * - optionally 32 extra bytes of data, see RFC 6979 3.6 Additional Data.
445  * - optionally 16 extra bytes with the algorithm name.
446  * Because the arguments have distinct fixed lengths it is not possible for
447  * different argument mixtures to emulate each other and result in the same
448  * nonces.
449  */
450  buffer_append(keydata, &offset, key32, 32);
451  buffer_append(keydata, &offset, msg32, 32);
452  if (data != NULL) {
453  buffer_append(keydata, &offset, data, 32);
454  }
455  if (algo16 != NULL) {
456  buffer_append(keydata, &offset, algo16, 16);
457  }
458  secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, offset);
459  memset(keydata, 0, sizeof(keydata));
460  for (i = 0; i <= counter; i++) {
461  secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
462  }
464  return 1;
465 }
466 
469 
470 static int secp256k1_ecdsa_sign_inner(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, int* recid, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
471  secp256k1_scalar sec, non, msg;
472  int ret = 0;
473  int is_sec_valid;
474  unsigned char nonce32[32];
475  unsigned int count = 0;
476  /* Default initialization here is important so we won't pass uninit values to the cmov in the end */
479  if (recid) {
480  *recid = 0;
481  }
482  if (noncefp == NULL) {
484  }
485 
486  /* Fail if the secret key is invalid. */
487  is_sec_valid = secp256k1_scalar_set_b32_seckey(&sec, seckey);
488  secp256k1_scalar_cmov(&sec, &secp256k1_scalar_one, !is_sec_valid);
489  secp256k1_scalar_set_b32(&msg, msg32, NULL);
490  while (1) {
491  int is_nonce_valid;
492  ret = !!noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count);
493  if (!ret) {
494  break;
495  }
496  is_nonce_valid = secp256k1_scalar_set_b32_seckey(&non, nonce32);
497  /* The nonce is still secret here, but it being invalid is is less likely than 1:2^255. */
498  secp256k1_declassify(ctx, &is_nonce_valid, sizeof(is_nonce_valid));
499  if (is_nonce_valid) {
500  ret = secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, r, s, &sec, &msg, &non, recid);
501  /* The final signature is no longer a secret, nor is the fact that we were successful or not. */
502  secp256k1_declassify(ctx, &ret, sizeof(ret));
503  if (ret) {
504  break;
505  }
506  }
507  count++;
508  }
509  /* We don't want to declassify is_sec_valid and therefore the range of
510  * seckey. As a result is_sec_valid is included in ret only after ret was
511  * used as a branching variable. */
512  ret &= is_sec_valid;
513  memset(nonce32, 0, 32);
519  if (recid) {
520  const int zero = 0;
521  secp256k1_int_cmov(recid, &zero, !ret);
522  }
523  return ret;
524 }
525 
526 int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
527  secp256k1_scalar r, s;
528  int ret;
529  VERIFY_CHECK(ctx != NULL);
531  ARG_CHECK(msg32 != NULL);
532  ARG_CHECK(signature != NULL);
533  ARG_CHECK(seckey != NULL);
534 
535  ret = secp256k1_ecdsa_sign_inner(ctx, &r, &s, NULL, msg32, seckey, noncefp, noncedata);
536  secp256k1_ecdsa_signature_save(signature, &r, &s);
537  return ret;
538 }
539 
540 int secp256k1_ec_seckey_verify(const secp256k1_context* ctx, const unsigned char *seckey) {
541  secp256k1_scalar sec;
542  int ret;
543  VERIFY_CHECK(ctx != NULL);
544  ARG_CHECK(seckey != NULL);
545 
546  ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
548  return ret;
549 }
550 
551 int secp256k1_ec_pubkey_create(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) {
552  secp256k1_gej pj;
553  secp256k1_ge p;
554  secp256k1_scalar sec;
555  int ret = 0;
556  VERIFY_CHECK(ctx != NULL);
557  ARG_CHECK(pubkey != NULL);
558  memset(pubkey, 0, sizeof(*pubkey));
560  ARG_CHECK(seckey != NULL);
561 
562  ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
564 
565  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pj, &sec);
566  secp256k1_ge_set_gej(&p, &pj);
567  secp256k1_pubkey_save(pubkey, &p);
568  memczero(pubkey, sizeof(*pubkey), !ret);
569 
571  return ret;
572 }
573 
574 int secp256k1_ec_seckey_negate(const secp256k1_context* ctx, unsigned char *seckey) {
575  secp256k1_scalar sec;
576  int ret = 0;
577  VERIFY_CHECK(ctx != NULL);
578  ARG_CHECK(seckey != NULL);
579 
580  ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
582  secp256k1_scalar_negate(&sec, &sec);
583  secp256k1_scalar_get_b32(seckey, &sec);
584 
586  return ret;
587 }
588 
589 int secp256k1_ec_privkey_negate(const secp256k1_context* ctx, unsigned char *seckey) {
590  return secp256k1_ec_seckey_negate(ctx, seckey);
591 }
592 
594  int ret = 0;
595  secp256k1_ge p;
596  VERIFY_CHECK(ctx != NULL);
597  ARG_CHECK(pubkey != NULL);
598 
599  ret = secp256k1_pubkey_load(ctx, &p, pubkey);
600  memset(pubkey, 0, sizeof(*pubkey));
601  if (ret) {
602  secp256k1_ge_neg(&p, &p);
603  secp256k1_pubkey_save(pubkey, &p);
604  }
605  return ret;
606 }
607 
608 int secp256k1_ec_seckey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) {
609  secp256k1_scalar term;
610  secp256k1_scalar sec;
611  int ret = 0;
612  int overflow = 0;
613  VERIFY_CHECK(ctx != NULL);
614  ARG_CHECK(seckey != NULL);
615  ARG_CHECK(tweak != NULL);
616 
617  secp256k1_scalar_set_b32(&term, tweak, &overflow);
618  ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
619 
620  ret &= (!overflow) & secp256k1_eckey_privkey_tweak_add(&sec, &term);
622  secp256k1_scalar_get_b32(seckey, &sec);
623 
625  secp256k1_scalar_clear(&term);
626  return ret;
627 }
628 
629 int secp256k1_ec_privkey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) {
630  return secp256k1_ec_seckey_tweak_add(ctx, seckey, tweak);
631 }
632 
633 int secp256k1_ec_pubkey_tweak_add(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) {
634  secp256k1_ge p;
635  secp256k1_scalar term;
636  int ret = 0;
637  int overflow = 0;
638  VERIFY_CHECK(ctx != NULL);
640  ARG_CHECK(pubkey != NULL);
641  ARG_CHECK(tweak != NULL);
642 
643  secp256k1_scalar_set_b32(&term, tweak, &overflow);
644  ret = !overflow && secp256k1_pubkey_load(ctx, &p, pubkey);
645  memset(pubkey, 0, sizeof(*pubkey));
646  if (ret) {
647  if (secp256k1_eckey_pubkey_tweak_add(&ctx->ecmult_ctx, &p, &term)) {
648  secp256k1_pubkey_save(pubkey, &p);
649  } else {
650  ret = 0;
651  }
652  }
653 
654  return ret;
655 }
656 
657 int secp256k1_ec_seckey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) {
658  secp256k1_scalar factor;
659  secp256k1_scalar sec;
660  int ret = 0;
661  int overflow = 0;
662  VERIFY_CHECK(ctx != NULL);
663  ARG_CHECK(seckey != NULL);
664  ARG_CHECK(tweak != NULL);
665 
666  secp256k1_scalar_set_b32(&factor, tweak, &overflow);
667  ret = secp256k1_scalar_set_b32_seckey(&sec, seckey);
668  ret &= (!overflow) & secp256k1_eckey_privkey_tweak_mul(&sec, &factor);
670  secp256k1_scalar_get_b32(seckey, &sec);
671 
673  secp256k1_scalar_clear(&factor);
674  return ret;
675 }
676 
677 int secp256k1_ec_privkey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) {
678  return secp256k1_ec_seckey_tweak_mul(ctx, seckey, tweak);
679 }
680 
681 int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) {
682  secp256k1_ge p;
683  secp256k1_scalar factor;
684  int ret = 0;
685  int overflow = 0;
686  VERIFY_CHECK(ctx != NULL);
688  ARG_CHECK(pubkey != NULL);
689  ARG_CHECK(tweak != NULL);
690 
691  secp256k1_scalar_set_b32(&factor, tweak, &overflow);
692  ret = !overflow && secp256k1_pubkey_load(ctx, &p, pubkey);
693  memset(pubkey, 0, sizeof(*pubkey));
694  if (ret) {
695  if (secp256k1_eckey_pubkey_tweak_mul(&ctx->ecmult_ctx, &p, &factor)) {
696  secp256k1_pubkey_save(pubkey, &p);
697  } else {
698  ret = 0;
699  }
700  }
701 
702  return ret;
703 }
704 
705 int secp256k1_context_randomize(secp256k1_context* ctx, const unsigned char *seed32) {
706  VERIFY_CHECK(ctx != NULL);
709  }
710  return 1;
711 }
712 
713 int secp256k1_ec_pubkey_combine(const secp256k1_context* ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey * const *pubnonces, size_t n) {
714  size_t i;
715  secp256k1_gej Qj;
716  secp256k1_ge Q;
717 
718  ARG_CHECK(pubnonce != NULL);
719  memset(pubnonce, 0, sizeof(*pubnonce));
720  ARG_CHECK(n >= 1);
721  ARG_CHECK(pubnonces != NULL);
722 
724 
725  for (i = 0; i < n; i++) {
726  secp256k1_pubkey_load(ctx, &Q, pubnonces[i]);
727  secp256k1_gej_add_ge(&Qj, &Qj, &Q);
728  }
729  if (secp256k1_gej_is_infinity(&Qj)) {
730  return 0;
731  }
732  secp256k1_ge_set_gej(&Q, &Qj);
733  secp256k1_pubkey_save(pubnonce, &Q);
734  return 1;
735 }
736 
737 #ifdef ENABLE_MODULE_ECDH
738 # include "modules/ecdh/main_impl.h"
739 #endif
740 
741 #ifdef ENABLE_MODULE_RECOVERY
743 #endif
static int secp256k1_ecmult_context_is_built(const secp256k1_ecmult_context *ctx)
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
#define VERIFY_CHECK(cond)
Definition: util.h:68
int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig)
Serialize an ECDSA signature in DER format.
Definition: secp256k1.c:371
static void secp256k1_ecmult_gen_context_finalize_memcpy(secp256k1_ecmult_gen_context *dst, const secp256k1_ecmult_gen_context *src)
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
#define SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY
Definition: secp256k1.h:165
static int secp256k1_fe_is_zero(const secp256k1_fe *a)
Verify whether a field element is zero.
static const secp256k1_callback default_illegal_callback
Definition: secp256k1.c:58
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
int secp256k1_ec_privkey_negate(const secp256k1_context *ctx, unsigned char *seckey)
Same as secp256k1_ec_seckey_negate, but DEPRECATED.
Definition: secp256k1.c:589
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
static void secp256k1_fe_normalize_var(secp256k1_fe *r)
Normalize a field element, without constant-time guarantee.
static void secp256k1_scratch_destroy(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
static int secp256k1_ecdsa_sign_inner(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, int *recid, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *noncedata)
Definition: secp256k1.c:470
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen)
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
secp256k1_scratch_space * secp256k1_scratch_space_create(const secp256k1_context *ctx, size_t max_size)
Create a secp256k1 scratch space object.
Definition: secp256k1.c:215
static int secp256k1_eckey_privkey_tweak_mul(secp256k1_scalar *key, const secp256k1_scalar *tweak)
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: secp256k1.c:437
void secp256k1_context_preallocated_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object that has been created in caller-provided memory.
Definition: secp256k1.c:182
int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:287
unsigned char data[64]
Definition: secp256k1.h:81
static int secp256k1_ecdsa_sig_parse(secp256k1_scalar *r, secp256k1_scalar *s, const unsigned char *sig, size_t size)
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context *ctx, void **prealloc)
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32)
static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed)
static void secp256k1_default_error_callback_fn(const char *str, void *data)
Definition: secp256k1.c:48
int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen)
Parse a DER ECDSA signature.
Definition: secp256k1.c:334
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:258
secp256k1_context * secp256k1_context_preallocated_create(void *prealloc, unsigned int flags)
Create a secp256k1 context object in caller-provided memory.
Definition: secp256k1.c:115
int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey)
Verify an ECDSA secret key.
Definition: secp256k1.c:540
void(* fn)(const char *text, void *data)
Definition: util.h:20
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:24
static int secp256k1_eckey_pubkey_tweak_add(const secp256k1_ecmult_context *ctx, secp256k1_ge *key, const secp256k1_scalar *tweak)
static const secp256k1_callback default_error_callback
Definition: secp256k1.c:63
secp256k1_context * secp256k1_context_preallocated_clone(const secp256k1_context *ctx, void *prealloc)
Copy a secp256k1 context object into caller-provided memory.
Definition: secp256k1.c:157
static void secp256k1_default_illegal_callback_fn(const char *str, void *data)
Definition: secp256k1.c:43
static void secp256k1_ecmult_gen_context_clear(secp256k1_ecmult_gen_context *ctx)
static SECP256K1_INLINE void * manual_alloc(void **prealloc_ptr, size_t alloc_size, void *base, size_t max_size)
Definition: util.h:134
static SECP256K1_INLINE void secp256k1_declassify(const secp256k1_context *ctx, void *p, size_t len)
Definition: secp256k1.c:229
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:324
#define SECP256K1_FLAGS_TYPE_CONTEXT
Definition: secp256k1.h:160
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.
static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size)
#define SECP256K1_FLAGS_TYPE_MASK
All flags&#39; lower 8 bits indicate what they&#39;re for.
Definition: secp256k1.h:159
const secp256k1_nonce_function secp256k1_nonce_function_rfc6979
An implementation of RFC6979 (using HMAC-SHA256) as nonce generation function.
Definition: secp256k1.c:467
static const secp256k1_scalar secp256k1_scalar_zero
Definition: scalar_impl.h:28
int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *noncedata)
Create an ECDSA signature.
Definition: secp256k1.c:526
static int secp256k1_eckey_pubkey_tweak_mul(const secp256k1_ecmult_context *ctx, secp256k1_ge *key, const secp256k1_scalar *tweak)
#define SECP256K1_INLINE
Definition: secp256k1.h:124
secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx)
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:171
int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:681
int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey *const *pubnonces, size_t n)
Add a number of public keys together.
Definition: secp256k1.c:713
static const secp256k1_context secp256k1_context_no_precomp_
Definition: secp256k1.c:76
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:70
#define ARG_CHECK(cond)
Definition: secp256k1.c:27
int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const secp256k1_pubkey *pubkey)
Verify an ECDSA signature.
Definition: secp256k1.c:415
static secp256k1_context * ctx
Definition: tests.c:36
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
static void secp256k1_ecmult_context_init(secp256k1_ecmult_context *ctx)
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey)
Compute the public key for a secret key.
Definition: secp256k1.c:551
static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin)
Set a scalar from a big endian byte array and returns 1 if it is a valid seckey and 0 otherwise...
void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:206
void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data)
Set a callback function to be called when an illegal argument is passed to an API call...
Definition: secp256k1.c:197
#define ARG_CHECK_NO_RETURN(cond)
Definition: secp256k1.c:34
secp256k1_ecmult_context ecmult_ctx
Definition: secp256k1.c:69
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.
static int secp256k1_eckey_privkey_tweak_add(secp256k1_scalar *key, const secp256k1_scalar *tweak)
A group element of the secp256k1 curve, in affine coordinates.
Definition: group.h:14
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:80
secp256k1_fe x
Definition: group.h:15
int secp256k1_ec_seckey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak)
Tweak a secret key by multiplying it by a tweak.
Definition: secp256k1.c:657
static void secp256k1_ge_clear(secp256k1_ge *r)
Clear a secp256k1_ge to prevent leaking sensitive information.
const secp256k1_nonce_function secp256k1_nonce_function_default
A default safe nonce generation function (currently equal to secp256k1_nonce_function_rfc6979).
Definition: secp256k1.c:468
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_callback illegal_callback
Definition: secp256k1.c:71
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:310
#define SECP256K1_FLAGS_BIT_CONTEXT_SIGN
Definition: secp256k1.h:164
#define EXPECT(x, c)
Definition: util.h:43
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey)
Negates a public key in place.
Definition: secp256k1.c:593
static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a)
Set a field element equal to 32-byte big endian value.
int flags
Definition: bitcoin-tx.cpp:509
unsigned char data[64]
Definition: secp256k1.h:68
static void secp256k1_ge_set_xy(secp256k1_ge *r, const secp256k1_fe *x, const secp256k1_fe *y)
Set a group element equal to the point with given X and Y coordinates.
static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *offset, const void *data, unsigned int len)
Definition: secp256k1.c:432
int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:272
#define SECP256K1_FLAGS_BIT_CONTEXT_VERIFY
The higher bits contain the actual data.
Definition: secp256k1.h:163
int(* secp256k1_nonce_function)(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int attempt)
A pointer to a function to deterministically generate a nonce.
Definition: secp256k1.h:100
static void secp256k1_ecmult_context_finalize_memcpy(secp256k1_ecmult_context *dst, const secp256k1_ecmult_context *src)
static void secp256k1_ecmult_gen_context_init(secp256k1_ecmult_gen_context *ctx)
void * memcpy(void *a, const void *b, size_t c)
static int secp256k1_ecdsa_sig_verify(const secp256k1_ecmult_context *ctx, const secp256k1_scalar *r, const secp256k1_scalar *s, const secp256k1_ge *pubkey, const secp256k1_scalar *message)
int secp256k1_ec_seckey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak)
Tweak a secret key by adding tweak to it.
Definition: secp256k1.c:608
static SECP256K1_INLINE void secp256k1_callback_call(const secp256k1_callback *const cb, const char *const text)
Definition: util.h:24
void secp256k1_context_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:190
int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:383
static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a)
Convert a field element to a 32-byte big endian value.
#define ROUND_TO_ALIGN(size)
Definition: util.h:116
static const size_t SECP256K1_ECMULT_CONTEXT_PREALLOCATED_SIZE
Definition: ecmult.h:23
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
static int count
Definition: tests.c:35
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:239
secp256k1_callback error_callback
Definition: secp256k1.c:72
static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a)
Convert a group element back from the storage type.
void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space *scratch)
Destroy a secp256k1 scratch space.
Definition: secp256k1.c:220
size_t secp256k1_context_preallocated_clone_size(const secp256k1_context *ctx)
Determine the memory size of a secp256k1 context object to be copied into caller-provided memory...
Definition: secp256k1.c:103
static const size_t SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE
Definition: ecmult_gen.h:38
const secp256k1_context * secp256k1_context_no_precomp
A simple secp256k1 context object with no precomputed tables.
Definition: secp256k1.c:83
const void * data
Definition: util.h:21
int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:633
int secp256k1_ec_seckey_negate(const secp256k1_context *ctx, unsigned char *seckey)
Negates a secret key in place.
Definition: secp256k1.c:574
static SECP256K1_INLINE void secp256k1_int_cmov(int *r, const int *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
Definition: util.h:198
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)
int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32)
Updates the context randomization to protect against side-channel leakage.
Definition: secp256k1.c:705
secp256k1_fe y
Definition: group.h:16
int secp256k1_ec_privkey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak)
Same as secp256k1_ec_seckey_tweak_add, but DEPRECATED.
Definition: secp256k1.c:629
static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:27
size_t secp256k1_context_preallocated_size(unsigned int flags)
Determine the memory size of a secp256k1 context object to be created in caller-provided memory...
Definition: secp256k1.c:85
static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a)
Convert a group element to the storage type.
static SECP256K1_INLINE void memczero(void *s, size_t len, int flag)
Definition: util.h:183
static SECP256K1_INLINE void * checked_malloc(const secp256k1_callback *cb, size_t size)
Definition: util.h:91
static void secp256k1_ecmult_context_build(secp256k1_ecmult_context *ctx, void **prealloc)
static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_context *ctx)
static void secp256k1_ecmult_context_clear(secp256k1_ecmult_context *ctx)
#define SECP256K1_FLAGS_TYPE_COMPRESSION
Definition: secp256k1.h:161
int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:350
secp256k1_context * secp256k1_context_create(unsigned int flags)
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:146
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng)
int secp256k1_ec_privkey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak)
Same as secp256k1_ec_seckey_tweak_mul, but DEPRECATED.
Definition: secp256k1.c:677
static int secp256k1_ecdsa_sig_serialize(unsigned char *sig, size_t *size, const secp256k1_scalar *r, const secp256k1_scalar *s)
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:67
#define SECP256K1_FLAGS_BIT_COMPRESSION
Definition: secp256k1.h:166
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:396