25# include <valgrind/memcheck.h>
28#define ARG_CHECK(cond) do { \
29 if (EXPECT(!(cond), 0)) { \
30 secp256k1_callback_call(&ctx->illegal_callback, #cond); \
35#define ARG_CHECK_NO_RETURN(cond) do { \
36 if (EXPECT(!(cond), 0)) { \
37 secp256k1_callback_call(&ctx->illegal_callback, #cond); \
41#ifndef USE_EXTERNAL_DEFAULT_CALLBACKS
46 fprintf(
stderr,
"[libsecp256k1] illegal argument: %s\n", str);
51 fprintf(
stderr,
"[libsecp256k1] internal consistency check failed: %s\n", str);
283 memset(pubkey, 0,
sizeof(*pubkey));
320 unsigned char out[2][33];
326 for (i = 0; i < 2; i++) {
339 memset(out[i], 0,
sizeof(out[i]));
473 unsigned char keydata[112];
494 memset(keydata, 0,
sizeof(keydata));
495 for (i = 0; i <=
counter; i++) {
510 unsigned int count = 0;
517 if (noncefp ==
NULL) {
605 memset(pubkey, 0,
sizeof(*pubkey));
643 memset(pubkey, 0,
sizeof(*pubkey));
699 memset(pubkey, 0,
sizeof(*pubkey));
744 memset(pubkey, 0,
sizeof(*pubkey));
776 for (i = 0; i < n; i++) {
801#ifdef ENABLE_MODULE_ECDH
805#ifdef ENABLE_MODULE_MULTISET
809#ifdef ENABLE_MODULE_RECOVERY
813#ifdef ENABLE_MODULE_SCHNORR
817#ifdef ENABLE_MODULE_EXTRAKEYS
821#ifdef ENABLE_MODULE_SCHNORRSIG
static int secp256k1_ecdsa_sig_serialize(unsigned char *sig, size_t *size, const secp256k1_scalar *r, const secp256k1_scalar *s)
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
static int secp256k1_ecdsa_sig_verify(const secp256k1_ecmult_context *ctx, const secp256k1_scalar *r, const secp256k1_scalar *s, const secp256k1_ge *pubkey, const secp256k1_scalar *message)
static int secp256k1_ecdsa_sig_parse(secp256k1_scalar *r, secp256k1_scalar *s, const unsigned char *sig, size_t size)
static int secp256k1_eckey_pubkey_tweak_mul(const secp256k1_ecmult_context *ctx, secp256k1_ge *key, const secp256k1_scalar *tweak)
static int secp256k1_eckey_privkey_tweak_add(secp256k1_scalar *key, const secp256k1_scalar *tweak)
static int secp256k1_eckey_privkey_tweak_mul(secp256k1_scalar *key, const secp256k1_scalar *tweak)
static int secp256k1_eckey_pubkey_tweak_add(const secp256k1_ecmult_context *ctx, secp256k1_ge *key, const secp256k1_scalar *tweak)
static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size)
static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed)
static void secp256k1_ecmult_context_clear(secp256k1_ecmult_context *ctx)
static void secp256k1_ecmult_context_init(secp256k1_ecmult_context *ctx)
static int secp256k1_ecmult_context_is_built(const secp256k1_ecmult_context *ctx)
static void secp256k1_ecmult_context_finalize_memcpy(secp256k1_ecmult_context *dst, const secp256k1_ecmult_context *src)
static void secp256k1_ecmult_context_build(secp256k1_ecmult_context *ctx, void **prealloc)
static void secp256k1_ecmult_gen_context_clear(secp256k1_ecmult_gen_context *ctx)
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32)
static void secp256k1_ecmult_gen_context_init(secp256k1_ecmult_gen_context *ctx)
static int secp256k1_ecmult_gen_context_is_built(const secp256k1_ecmult_gen_context *ctx)
static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context *ctx, void **prealloc)
static void secp256k1_ecmult_gen_context_finalize_memcpy(secp256k1_ecmult_gen_context *dst, const secp256k1_ecmult_gen_context *src)
static const size_t SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE
static const size_t SECP256K1_ECMULT_CONTEXT_PREALLOCATED_SIZE
static void secp256k1_fe_normalize_var(secp256k1_fe *r)
Normalize a field element, without constant-time guarantee.
static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a)
Set a field element equal to 32-byte big endian value.
static int secp256k1_fe_is_zero(const secp256k1_fe *a)
Verify whether a field element is zero.
static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a)
Convert a field element to a 32-byte big endian value.
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
static void secp256k1_ge_clear(secp256k1_ge *r)
Clear a secp256k1_ge to prevent leaking sensitive information.
static void secp256k1_ge_set_xy(secp256k1_ge *r, const secp256k1_fe *x, const secp256k1_fe *y)
Set a group element equal to the point with given X and Y coordinates.
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a)
Convert a group element back from the storage type.
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
static int secp256k1_ge_is_in_correct_subgroup(const secp256k1_ge *ge)
Determine if a point (which is assumed to be on the curve) is in the correct (sub)group of the curve.
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a)
Convert a group element to the storage type.
static void secp256k1_sha256_initialize_tagged(secp256k1_sha256 *hash, const unsigned char *tag, size_t taglen)
T GetRand(T nMax=std::numeric_limits< T >::max()) noexcept
Generate a uniform random integer of type T in the range [0..nMax) nMax defaults to std::numeric_limi...
static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin)
Set a scalar from a big endian byte array and returns 1 if it is a valid seckey and 0 otherwise.
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.
static const secp256k1_scalar secp256k1_scalar_zero
static const secp256k1_scalar secp256k1_scalar_one
static void secp256k1_scratch_destroy(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32)
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen)
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng)
static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t size)
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
static SECP256K1_INLINE void * manual_alloc(void **prealloc_ptr, size_t alloc_size, void *base, size_t max_size)
static SECP256K1_INLINE void secp256k1_int_cmov(int *r, const int *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
#define ROUND_TO_ALIGN(size)
#define VERIFY_CHECK(cond)
static SECP256K1_INLINE void * checked_malloc(const secp256k1_callback *cb, size_t size)
static SECP256K1_INLINE void secp256k1_memczero(void *s, size_t len, int flag)
static SECP256K1_INLINE void secp256k1_callback_call(const secp256k1_callback *const cb, const char *const text)
int secp256k1_ec_privkey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Same as secp256k1_ec_seckey_tweak_add, but DEPRECATED.
int secp256k1_ec_privkey_negate(const secp256k1_context *ctx, unsigned char *seckey)
Same as secp256k1_ec_seckey_negate, but DEPRECATED.
const secp256k1_nonce_function secp256k1_nonce_function_default
A default safe nonce generation function (currently equal to secp256k1_nonce_function_rfc6979).
secp256k1_context * secp256k1_context_preallocated_clone(const secp256k1_context *ctx, void *prealloc)
Copy a secp256k1 context object into caller-provided memory.
const secp256k1_nonce_function secp256k1_nonce_function_rfc6979
An implementation of RFC6979 (using HMAC-SHA256) as nonce generation function.
int secp256k1_tagged_sha256(const secp256k1_context *ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen)
Compute a tagged hash as defined in BIP-340.
int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32)
Tweak a public key by adding tweak times the generator to it.
int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags)
Serialize a pubkey object into a serialized byte sequence.
int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig)
Serialize an ECDSA signature in DER format.
static int secp256k1_ec_seckey_tweak_add_helper(secp256k1_scalar *sec, const unsigned char *tweak32)
int secp256k1_ec_seckey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Tweak a secret key by multiplying it by a tweak.
int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen)
Parse a variable-length public key into the pubkey object.
size_t secp256k1_context_preallocated_clone_size(const secp256k1_context *ctx)
Determine the memory size of a secp256k1 context object to be copied into caller-provided memory.
static int secp256k1_ecdsa_sign_inner(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, int *recid, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const unsigned char algo16[17], const void *noncedata)
static void secp256k1_default_error_callback_fn(const char *str, void *data)
int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey)
Verify an ECDSA secret key.
const secp256k1_context * secp256k1_context_no_precomp
A simple secp256k1 context object with no precomputed tables.
int secp256k1_ec_seckey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Tweak a secret key by adding tweak to it.
void secp256k1_context_preallocated_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object that has been created in caller-provided memory.
static int secp256k1_ec_pubkey_create_helper(const secp256k1_ecmult_gen_context *ecmult_gen_ctx, secp256k1_scalar *seckey_scalar, secp256k1_ge *p, const unsigned char *seckey)
int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin)
Convert a signature to a normalized lower-S form.
void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data)
Set a callback function to be called when an internal consistency check fails.
static const secp256k1_callback default_error_callback
int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen)
Parse a DER ECDSA signature.
static int secp256k1_ec_pubkey_tweak_add_helper(const secp256k1_ecmult_context *ecmult_ctx, secp256k1_ge *p, const unsigned char *tweak32)
static SECP256K1_INLINE void secp256k1_declassify(const secp256k1_context *ctx, const void *p, size_t len)
secp256k1_context * secp256k1_context_create(unsigned int flags)
Create a secp256k1 context object (in dynamically allocated memory).
int secp256k1_ec_seckey_negate(const secp256k1_context *ctx, unsigned char *seckey)
Negates a secret key in place.
int secp256k1_ec_pubkey_cmp(const secp256k1_context *ctx, const secp256k1_pubkey *pubkey0, const secp256k1_pubkey *pubkey1)
Compare two public keys using lexicographic (of compressed serialization) order.
int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey *const *pubnonces, size_t n)
Add a number of public keys together.
int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64)
Parse an ECDSA signature in compact (64 bytes) format.
void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data)
Set a callback function to be called when an illegal argument is passed to an API call.
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
size_t secp256k1_context_preallocated_size(unsigned int flags)
Determine the memory size of a secp256k1 context object to be created in caller-provided memory.
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *offset, const void *data, unsigned int len)
static void secp256k1_default_illegal_callback_fn(const char *str, void *data)
#define ARG_CHECK_NO_RETURN(cond)
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
static const secp256k1_context secp256k1_context_no_precomp_
int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32)
Updates the context randomization to protect against side-channel leakage.
secp256k1_scratch_space * secp256k1_scratch_space_create(const secp256k1_context *ctx, size_t max_size)
Create a secp256k1 scratch space object.
int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey)
Verify an ECDSA signature.
int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig)
Serialize an ECDSA signature in compact (64 byte) format.
int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey)
Compute the public key for a secret key.
void secp256k1_context_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object (created in dynamically allocated memory).
secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx)
Copy a secp256k1 context object (into dynamically allocated memory).
void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space *scratch)
Destroy a secp256k1 scratch space.
int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32)
Tweak a public key by multiplying it by a tweak value.
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
secp256k1_context * secp256k1_context_preallocated_create(void *prealloc, unsigned int flags)
Create a secp256k1 context object in caller-provided memory.
int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *noncedata)
Create an ECDSA signature.
static const secp256k1_callback default_illegal_callback
int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey)
Negates a public key in place.
int secp256k1_ec_privkey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32)
Same as secp256k1_ec_seckey_tweak_mul, but DEPRECATED.
#define SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY
int(* secp256k1_nonce_function)(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int attempt)
A pointer to a function to deterministically generate a nonce.
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
#define SECP256K1_FLAGS_BIT_CONTEXT_VERIFY
The higher bits contain the actual data.
#define SECP256K1_FLAGS_TYPE_MASK
All flags' lower 8 bits indicate what they're for.
#define SECP256K1_FLAGS_BIT_CONTEXT_SIGN
#define SECP256K1_FLAGS_BIT_COMPRESSION
#define SECP256K1_FLAGS_TYPE_CONTEXT
#define SECP256K1_FLAGS_TYPE_COMPRESSION
static int secp256k1_selftest(void)
void(* fn)(const char *text, void *data)
secp256k1_callback illegal_callback
secp256k1_callback error_callback
secp256k1_ecmult_gen_context ecmult_gen_ctx
secp256k1_ecmult_context ecmult_ctx
Opaque data structured that holds a parsed ECDSA signature.
A group element of the secp256k1 curve, in affine coordinates.
A group element of the secp256k1 curve, in jacobian coordinates.
Opaque data structure that holds a parsed and valid public key.
A scalar modulo the group order of the secp256k1 curve.
1.9.8