Changeset View
Changeset View
Standalone View
Standalone View
src/secp256k1/src/secp256k1.c
Show First 20 Lines • Show All 461 Lines • ▼ Show 20 Lines | static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { | ||||
} | } | ||||
secp256k1_rfc6979_hmac_sha256_finalize(&rng); | secp256k1_rfc6979_hmac_sha256_finalize(&rng); | ||||
return 1; | return 1; | ||||
} | } | ||||
const secp256k1_nonce_function secp256k1_nonce_function_rfc6979 = nonce_function_rfc6979; | const secp256k1_nonce_function secp256k1_nonce_function_rfc6979 = nonce_function_rfc6979; | ||||
const secp256k1_nonce_function secp256k1_nonce_function_default = nonce_function_rfc6979; | const secp256k1_nonce_function secp256k1_nonce_function_default = nonce_function_rfc6979; | ||||
int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) { | static int secp256k1_ecdsa_sign_inner(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, int* recid, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const unsigned char algo16[17], const void* noncedata) { | ||||
/* Default initialization here is important so we won't pass uninit values to the cmov in the end */ | |||||
secp256k1_scalar r = secp256k1_scalar_zero, s = secp256k1_scalar_zero; | |||||
secp256k1_scalar sec, non, msg; | secp256k1_scalar sec, non, msg; | ||||
int ret = 0; | int ret = 0; | ||||
int is_sec_valid; | int is_sec_valid; | ||||
unsigned char nonce32[32]; | unsigned char nonce32[32]; | ||||
unsigned int count = 0; | unsigned int count = 0; | ||||
const unsigned char secp256k1_ecdsa_der_algo16[17] = "ECDSA+DER "; | /* Default initialization here is important so we won't pass uninit values to the cmov in the end */ | ||||
VERIFY_CHECK(ctx != NULL); | *r = secp256k1_scalar_zero; | ||||
ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); | *s = secp256k1_scalar_zero; | ||||
ARG_CHECK(msg32 != NULL); | if (recid) { | ||||
ARG_CHECK(signature != NULL); | *recid = 0; | ||||
ARG_CHECK(seckey != NULL); | } | ||||
if (noncefp == NULL) { | if (noncefp == NULL) { | ||||
noncefp = secp256k1_nonce_function_default; | noncefp = secp256k1_nonce_function_default; | ||||
} | } | ||||
/* Fail if the secret key is invalid. */ | /* Fail if the secret key is invalid. */ | ||||
is_sec_valid = secp256k1_scalar_set_b32_seckey(&sec, seckey); | is_sec_valid = secp256k1_scalar_set_b32_seckey(&sec, seckey); | ||||
secp256k1_scalar_cmov(&sec, &secp256k1_scalar_one, !is_sec_valid); | secp256k1_scalar_cmov(&sec, &secp256k1_scalar_one, !is_sec_valid); | ||||
secp256k1_scalar_set_b32(&msg, msg32, NULL); | secp256k1_scalar_set_b32(&msg, msg32, NULL); | ||||
while (1) { | while (1) { | ||||
int is_nonce_valid; | int is_nonce_valid; | ||||
ret = !!noncefp(nonce32, msg32, seckey, secp256k1_ecdsa_der_algo16, (void*)noncedata, count); | ret = !!noncefp(nonce32, msg32, seckey, algo16, (void*)noncedata, count); | ||||
if (!ret) { | if (!ret) { | ||||
break; | break; | ||||
} | } | ||||
is_nonce_valid = secp256k1_scalar_set_b32_seckey(&non, nonce32); | is_nonce_valid = secp256k1_scalar_set_b32_seckey(&non, nonce32); | ||||
/* The nonce is still secret here, but it being invalid is is less likely than 1:2^255. */ | /* The nonce is still secret here, but it being invalid is is less likely than 1:2^255. */ | ||||
secp256k1_declassify(ctx, &is_nonce_valid, sizeof(is_nonce_valid)); | secp256k1_declassify(ctx, &is_nonce_valid, sizeof(is_nonce_valid)); | ||||
if (is_nonce_valid) { | if (is_nonce_valid) { | ||||
ret = secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &r, &s, &sec, &msg, &non, NULL); | ret = secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, r, s, &sec, &msg, &non, recid); | ||||
/* The final signature is no longer a secret, nor is the fact that we were successful or not. */ | /* The final signature is no longer a secret, nor is the fact that we were successful or not. */ | ||||
secp256k1_declassify(ctx, &ret, sizeof(ret)); | secp256k1_declassify(ctx, &ret, sizeof(ret)); | ||||
if (ret) { | if (ret) { | ||||
break; | break; | ||||
} | } | ||||
} | } | ||||
count++; | count++; | ||||
} | } | ||||
/* We don't want to declassify is_sec_valid and therefore the range of | /* We don't want to declassify is_sec_valid and therefore the range of | ||||
* seckey. As a result is_sec_valid is included in ret only after ret was | * seckey. As a result is_sec_valid is included in ret only after ret was | ||||
* used as a branching variable. */ | * used as a branching variable. */ | ||||
ret &= is_sec_valid; | ret &= is_sec_valid; | ||||
memset(nonce32, 0, 32); | memset(nonce32, 0, 32); | ||||
secp256k1_scalar_clear(&msg); | secp256k1_scalar_clear(&msg); | ||||
secp256k1_scalar_clear(&non); | secp256k1_scalar_clear(&non); | ||||
secp256k1_scalar_clear(&sec); | secp256k1_scalar_clear(&sec); | ||||
secp256k1_scalar_cmov(&r, &secp256k1_scalar_zero, !ret); | secp256k1_scalar_cmov(r, &secp256k1_scalar_zero, !ret); | ||||
secp256k1_scalar_cmov(&s, &secp256k1_scalar_zero, !ret); | secp256k1_scalar_cmov(s, &secp256k1_scalar_zero, !ret); | ||||
if (recid) { | |||||
const int zero = 0; | |||||
secp256k1_int_cmov(recid, &zero, !ret); | |||||
} | |||||
return ret; | |||||
} | |||||
int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) { | |||||
secp256k1_scalar r, s; | |||||
int ret; | |||||
const unsigned char secp256k1_ecdsa_der_algo16[17] = "ECDSA+DER "; | |||||
VERIFY_CHECK(ctx != NULL); | |||||
ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); | |||||
ARG_CHECK(msg32 != NULL); | |||||
ARG_CHECK(signature != NULL); | |||||
ARG_CHECK(seckey != NULL); | |||||
ret = secp256k1_ecdsa_sign_inner(ctx, &r, &s, NULL, msg32, seckey, noncefp, secp256k1_ecdsa_der_algo16, noncedata); | |||||
secp256k1_ecdsa_signature_save(signature, &r, &s); | secp256k1_ecdsa_signature_save(signature, &r, &s); | ||||
return ret; | return ret; | ||||
} | } | ||||
int secp256k1_ec_seckey_verify(const secp256k1_context* ctx, const unsigned char *seckey) { | int secp256k1_ec_seckey_verify(const secp256k1_context* ctx, const unsigned char *seckey) { | ||||
secp256k1_scalar sec; | secp256k1_scalar sec; | ||||
int ret; | int ret; | ||||
VERIFY_CHECK(ctx != NULL); | VERIFY_CHECK(ctx != NULL); | ||||
▲ Show 20 Lines • Show All 208 Lines • Show Last 20 Lines |