Page MenuHomePhabricator
Differential D7590 Diff 23864 src/secp256k1/src/secp256k1.c

Changeset View

Standalone View

View Options

src/secp256k1/src/secp256k1.c

Show First 20 LinesShow All 461 Lines▼ Show 20 Linesstatic int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
} }
secp256k1_rfc6979_hmac_sha256_finalize(&rng); secp256k1_rfc6979_hmac_sha256_finalize(&rng);
return 1; return 1;
} }
const secp256k1_nonce_function secp256k1_nonce_function_rfc6979 = nonce_function_rfc6979; const secp256k1_nonce_function secp256k1_nonce_function_rfc6979 = nonce_function_rfc6979;
const secp256k1_nonce_function secp256k1_nonce_function_default = nonce_function_rfc6979; const secp256k1_nonce_function secp256k1_nonce_function_default = nonce_function_rfc6979;
int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) { static int secp256k1_ecdsa_sign_inner(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, int* recid, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const unsigned char algo16[17], const void* noncedata) {
/* Default initialization here is important so we won't pass uninit values to the cmov in the end */
secp256k1_scalar r = secp256k1_scalar_zero, s = secp256k1_scalar_zero;
secp256k1_scalar sec, non, msg; secp256k1_scalar sec, non, msg;
int ret = 0; int ret = 0;
int is_sec_valid; int is_sec_valid;
unsigned char nonce32[32]; unsigned char nonce32[32];
unsigned int count = 0; unsigned int count = 0;
const unsigned char secp256k1_ecdsa_der_algo16[17] = "ECDSA+DER "; /* Default initialization here is important so we won't pass uninit values to the cmov in the end */
VERIFY_CHECK(ctx != NULL); *r = secp256k1_scalar_zero;
ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); *s = secp256k1_scalar_zero;
ARG_CHECK(msg32 != NULL); if (recid) {
ARG_CHECK(signature != NULL); *recid = 0;
ARG_CHECK(seckey != NULL); }
if (noncefp == NULL) { if (noncefp == NULL) {
noncefp = secp256k1_nonce_function_default; noncefp = secp256k1_nonce_function_default;
} }
/* Fail if the secret key is invalid. */ /* Fail if the secret key is invalid. */
is_sec_valid = secp256k1_scalar_set_b32_seckey(&sec, seckey); is_sec_valid = secp256k1_scalar_set_b32_seckey(&sec, seckey);
secp256k1_scalar_cmov(&sec, &secp256k1_scalar_one, !is_sec_valid); secp256k1_scalar_cmov(&sec, &secp256k1_scalar_one, !is_sec_valid);
secp256k1_scalar_set_b32(&msg, msg32, NULL); secp256k1_scalar_set_b32(&msg, msg32, NULL);
while (1) { while (1) {
int is_nonce_valid; int is_nonce_valid;
ret = !!noncefp(nonce32, msg32, seckey, secp256k1_ecdsa_der_algo16, (void*)noncedata, count); ret = !!noncefp(nonce32, msg32, seckey, algo16, (void*)noncedata, count);
if (!ret) { if (!ret) {
break; break;
} }
is_nonce_valid = secp256k1_scalar_set_b32_seckey(&non, nonce32); is_nonce_valid = secp256k1_scalar_set_b32_seckey(&non, nonce32);
/* The nonce is still secret here, but it being invalid is is less likely than 1:2^255. */ /* The nonce is still secret here, but it being invalid is is less likely than 1:2^255. */
secp256k1_declassify(ctx, &is_nonce_valid, sizeof(is_nonce_valid)); secp256k1_declassify(ctx, &is_nonce_valid, sizeof(is_nonce_valid));
if (is_nonce_valid) { if (is_nonce_valid) {
ret = secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &r, &s, &sec, &msg, &non, NULL); ret = secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, r, s, &sec, &msg, &non, recid);
/* The final signature is no longer a secret, nor is the fact that we were successful or not. */ /* The final signature is no longer a secret, nor is the fact that we were successful or not. */
secp256k1_declassify(ctx, &ret, sizeof(ret)); secp256k1_declassify(ctx, &ret, sizeof(ret));
if (ret) { if (ret) {
break; break;
} }
} }
count++; count++;
} }
/* We don't want to declassify is_sec_valid and therefore the range of /* We don't want to declassify is_sec_valid and therefore the range of
* seckey. As a result is_sec_valid is included in ret only after ret was * seckey. As a result is_sec_valid is included in ret only after ret was
* used as a branching variable. */ * used as a branching variable. */
ret &= is_sec_valid; ret &= is_sec_valid;
memset(nonce32, 0, 32); memset(nonce32, 0, 32);
secp256k1_scalar_clear(&msg); secp256k1_scalar_clear(&msg);
secp256k1_scalar_clear(&non); secp256k1_scalar_clear(&non);
secp256k1_scalar_clear(&sec); secp256k1_scalar_clear(&sec);
secp256k1_scalar_cmov(&r, &secp256k1_scalar_zero, !ret); secp256k1_scalar_cmov(r, &secp256k1_scalar_zero, !ret);
secp256k1_scalar_cmov(&s, &secp256k1_scalar_zero, !ret); secp256k1_scalar_cmov(s, &secp256k1_scalar_zero, !ret);
if (recid) {
const int zero = 0;
secp256k1_int_cmov(recid, &zero, !ret);
}
return ret;
}
int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
secp256k1_scalar r, s;
int ret;
const unsigned char secp256k1_ecdsa_der_algo16[17] = "ECDSA+DER ";
VERIFY_CHECK(ctx != NULL);
ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
ARG_CHECK(msg32 != NULL);
ARG_CHECK(signature != NULL);
ARG_CHECK(seckey != NULL);
ret = secp256k1_ecdsa_sign_inner(ctx, &r, &s, NULL, msg32, seckey, noncefp, secp256k1_ecdsa_der_algo16, noncedata);
secp256k1_ecdsa_signature_save(signature, &r, &s); secp256k1_ecdsa_signature_save(signature, &r, &s);
return ret; return ret;
} }
int secp256k1_ec_seckey_verify(const secp256k1_context* ctx, const unsigned char *seckey) { int secp256k1_ec_seckey_verify(const secp256k1_context* ctx, const unsigned char *seckey) {
secp256k1_scalar sec; secp256k1_scalar sec;
int ret; int ret;
VERIFY_CHECK(ctx != NULL); VERIFY_CHECK(ctx != NULL);
▲ Show 20 LinesShow All 208 LinesShow Last 20 Lines