|
|
|
@ -25,32 +25,37 @@ static const secp256k1_fe_t secp256k1_ecdsa_const_p_minus_order = SECP256K1_FE_C
|
|
|
|
);
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
|
|
static int secp256k1_ecdsa_sig_parse(secp256k1_ecdsa_sig_t *r, const unsigned char *sig, int size) {
|
|
|
|
static int secp256k1_ecdsa_sig_parse(secp256k1_ecdsa_sig_t *r, const unsigned char *sig, int size) {
|
|
|
|
|
|
|
|
unsigned char ra[32] = {0}, sa[32] = {0};
|
|
|
|
|
|
|
|
const unsigned char *rp;
|
|
|
|
|
|
|
|
const unsigned char *sp;
|
|
|
|
|
|
|
|
int lenr;
|
|
|
|
|
|
|
|
int lens;
|
|
|
|
|
|
|
|
int overflow;
|
|
|
|
if (sig[0] != 0x30) return 0;
|
|
|
|
if (sig[0] != 0x30) return 0;
|
|
|
|
int lenr = sig[3];
|
|
|
|
lenr = sig[3];
|
|
|
|
if (5+lenr >= size) return 0;
|
|
|
|
if (5+lenr >= size) return 0;
|
|
|
|
int lens = sig[lenr+5];
|
|
|
|
lens = sig[lenr+5];
|
|
|
|
if (sig[1] != lenr+lens+4) return 0;
|
|
|
|
if (sig[1] != lenr+lens+4) return 0;
|
|
|
|
if (lenr+lens+6 > size) return 0;
|
|
|
|
if (lenr+lens+6 > size) return 0;
|
|
|
|
if (sig[2] != 0x02) return 0;
|
|
|
|
if (sig[2] != 0x02) return 0;
|
|
|
|
if (lenr == 0) return 0;
|
|
|
|
if (lenr == 0) return 0;
|
|
|
|
if (sig[lenr+4] != 0x02) return 0;
|
|
|
|
if (sig[lenr+4] != 0x02) return 0;
|
|
|
|
if (lens == 0) return 0;
|
|
|
|
if (lens == 0) return 0;
|
|
|
|
const unsigned char *sp = sig + 6 + lenr;
|
|
|
|
sp = sig + 6 + lenr;
|
|
|
|
while (lens > 0 && sp[0] == 0) {
|
|
|
|
while (lens > 0 && sp[0] == 0) {
|
|
|
|
lens--;
|
|
|
|
lens--;
|
|
|
|
sp++;
|
|
|
|
sp++;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (lens > 32) return 0;
|
|
|
|
if (lens > 32) return 0;
|
|
|
|
const unsigned char *rp = sig + 4;
|
|
|
|
rp = sig + 4;
|
|
|
|
while (lenr > 0 && rp[0] == 0) {
|
|
|
|
while (lenr > 0 && rp[0] == 0) {
|
|
|
|
lenr--;
|
|
|
|
lenr--;
|
|
|
|
rp++;
|
|
|
|
rp++;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (lenr > 32) return 0;
|
|
|
|
if (lenr > 32) return 0;
|
|
|
|
unsigned char ra[32] = {0}, sa[32] = {0};
|
|
|
|
|
|
|
|
memcpy(ra + 32 - lenr, rp, lenr);
|
|
|
|
memcpy(ra + 32 - lenr, rp, lenr);
|
|
|
|
memcpy(sa + 32 - lens, sp, lens);
|
|
|
|
memcpy(sa + 32 - lens, sp, lens);
|
|
|
|
int overflow = 0;
|
|
|
|
overflow = 0;
|
|
|
|
secp256k1_scalar_set_b32(&r->r, ra, &overflow);
|
|
|
|
secp256k1_scalar_set_b32(&r->r, ra, &overflow);
|
|
|
|
if (overflow) return 0;
|
|
|
|
if (overflow) return 0;
|
|
|
|
secp256k1_scalar_set_b32(&r->s, sa, &overflow);
|
|
|
|
secp256k1_scalar_set_b32(&r->s, sa, &overflow);
|
|
|
|
@ -60,10 +65,10 @@ static int secp256k1_ecdsa_sig_parse(secp256k1_ecdsa_sig_t *r, const unsigned ch
|
|
|
|
|
|
|
|
|
|
|
|
static int secp256k1_ecdsa_sig_serialize(unsigned char *sig, int *size, const secp256k1_ecdsa_sig_t *a) {
|
|
|
|
static int secp256k1_ecdsa_sig_serialize(unsigned char *sig, int *size, const secp256k1_ecdsa_sig_t *a) {
|
|
|
|
unsigned char r[33] = {0}, s[33] = {0};
|
|
|
|
unsigned char r[33] = {0}, s[33] = {0};
|
|
|
|
secp256k1_scalar_get_b32(&r[1], &a->r);
|
|
|
|
|
|
|
|
secp256k1_scalar_get_b32(&s[1], &a->s);
|
|
|
|
|
|
|
|
unsigned char *rp = r, *sp = s;
|
|
|
|
unsigned char *rp = r, *sp = s;
|
|
|
|
int lenR = 33, lenS = 33;
|
|
|
|
int lenR = 33, lenS = 33;
|
|
|
|
|
|
|
|
secp256k1_scalar_get_b32(&r[1], &a->r);
|
|
|
|
|
|
|
|
secp256k1_scalar_get_b32(&s[1], &a->s);
|
|
|
|
while (lenR > 1 && rp[0] == 0 && rp[1] < 0x80) { lenR--; rp++; }
|
|
|
|
while (lenR > 1 && rp[0] == 0 && rp[1] < 0x80) { lenR--; rp++; }
|
|
|
|
while (lenS > 1 && sp[0] == 0 && sp[1] < 0x80) { lenS--; sp++; }
|
|
|
|
while (lenS > 1 && sp[0] == 0 && sp[1] < 0x80) { lenS--; sp++; }
|
|
|
|
if (*size < 6+lenS+lenR)
|
|
|
|
if (*size < 6+lenS+lenR)
|
|
|
|
@ -81,21 +86,24 @@ static int secp256k1_ecdsa_sig_serialize(unsigned char *sig, int *size, const se
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int secp256k1_ecdsa_sig_verify(const secp256k1_ecdsa_sig_t *sig, const secp256k1_ge_t *pubkey, const secp256k1_scalar_t *message) {
|
|
|
|
static int secp256k1_ecdsa_sig_verify(const secp256k1_ecdsa_sig_t *sig, const secp256k1_ge_t *pubkey, const secp256k1_scalar_t *message) {
|
|
|
|
|
|
|
|
unsigned char c[32];
|
|
|
|
|
|
|
|
secp256k1_scalar_t sn, u1, u2;
|
|
|
|
|
|
|
|
secp256k1_fe_t xr;
|
|
|
|
|
|
|
|
secp256k1_gej_t pubkeyj;
|
|
|
|
|
|
|
|
secp256k1_gej_t pr;
|
|
|
|
|
|
|
|
|
|
|
|
if (secp256k1_scalar_is_zero(&sig->r) || secp256k1_scalar_is_zero(&sig->s))
|
|
|
|
if (secp256k1_scalar_is_zero(&sig->r) || secp256k1_scalar_is_zero(&sig->s))
|
|
|
|
return 0;
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
|
|
secp256k1_scalar_t sn, u1, u2;
|
|
|
|
|
|
|
|
secp256k1_scalar_inverse_var(&sn, &sig->s);
|
|
|
|
secp256k1_scalar_inverse_var(&sn, &sig->s);
|
|
|
|
secp256k1_scalar_mul(&u1, &sn, message);
|
|
|
|
secp256k1_scalar_mul(&u1, &sn, message);
|
|
|
|
secp256k1_scalar_mul(&u2, &sn, &sig->r);
|
|
|
|
secp256k1_scalar_mul(&u2, &sn, &sig->r);
|
|
|
|
secp256k1_gej_t pubkeyj; secp256k1_gej_set_ge(&pubkeyj, pubkey);
|
|
|
|
secp256k1_gej_set_ge(&pubkeyj, pubkey);
|
|
|
|
secp256k1_gej_t pr; secp256k1_ecmult(&pr, &pubkeyj, &u2, &u1);
|
|
|
|
secp256k1_ecmult(&pr, &pubkeyj, &u2, &u1);
|
|
|
|
if (secp256k1_gej_is_infinity(&pr)) {
|
|
|
|
if (secp256k1_gej_is_infinity(&pr)) {
|
|
|
|
return 0;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
unsigned char c[32];
|
|
|
|
|
|
|
|
secp256k1_scalar_get_b32(c, &sig->r);
|
|
|
|
secp256k1_scalar_get_b32(c, &sig->r);
|
|
|
|
secp256k1_fe_t xr;
|
|
|
|
|
|
|
|
secp256k1_fe_set_b32(&xr, c);
|
|
|
|
secp256k1_fe_set_b32(&xr, c);
|
|
|
|
|
|
|
|
|
|
|
|
/** We now have the recomputed R point in pr, and its claimed x coordinate (modulo n)
|
|
|
|
/** We now have the recomputed R point in pr, and its claimed x coordinate (modulo n)
|
|
|
|
@ -131,44 +139,47 @@ static int secp256k1_ecdsa_sig_verify(const secp256k1_ecdsa_sig_t *sig, const se
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int secp256k1_ecdsa_sig_recover(const secp256k1_ecdsa_sig_t *sig, secp256k1_ge_t *pubkey, const secp256k1_scalar_t *message, int recid) {
|
|
|
|
static int secp256k1_ecdsa_sig_recover(const secp256k1_ecdsa_sig_t *sig, secp256k1_ge_t *pubkey, const secp256k1_scalar_t *message, int recid) {
|
|
|
|
|
|
|
|
unsigned char brx[32];
|
|
|
|
|
|
|
|
secp256k1_fe_t fx;
|
|
|
|
|
|
|
|
secp256k1_ge_t x;
|
|
|
|
|
|
|
|
secp256k1_gej_t xj;
|
|
|
|
|
|
|
|
secp256k1_scalar_t rn, u1, u2;
|
|
|
|
|
|
|
|
secp256k1_gej_t qj;
|
|
|
|
|
|
|
|
|
|
|
|
if (secp256k1_scalar_is_zero(&sig->r) || secp256k1_scalar_is_zero(&sig->s))
|
|
|
|
if (secp256k1_scalar_is_zero(&sig->r) || secp256k1_scalar_is_zero(&sig->s))
|
|
|
|
return 0;
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
|
|
unsigned char brx[32];
|
|
|
|
|
|
|
|
secp256k1_scalar_get_b32(brx, &sig->r);
|
|
|
|
secp256k1_scalar_get_b32(brx, &sig->r);
|
|
|
|
secp256k1_fe_t fx;
|
|
|
|
|
|
|
|
VERIFY_CHECK(secp256k1_fe_set_b32(&fx, brx)); /* brx comes from a scalar, so is less than the order; certainly less than p */
|
|
|
|
VERIFY_CHECK(secp256k1_fe_set_b32(&fx, brx)); /* brx comes from a scalar, so is less than the order; certainly less than p */
|
|
|
|
if (recid & 2) {
|
|
|
|
if (recid & 2) {
|
|
|
|
if (secp256k1_fe_cmp_var(&fx, &secp256k1_ecdsa_const_p_minus_order) >= 0)
|
|
|
|
if (secp256k1_fe_cmp_var(&fx, &secp256k1_ecdsa_const_p_minus_order) >= 0)
|
|
|
|
return 0;
|
|
|
|
return 0;
|
|
|
|
secp256k1_fe_add(&fx, &secp256k1_ecdsa_const_order_as_fe);
|
|
|
|
secp256k1_fe_add(&fx, &secp256k1_ecdsa_const_order_as_fe);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
secp256k1_ge_t x;
|
|
|
|
|
|
|
|
if (!secp256k1_ge_set_xo_var(&x, &fx, recid & 1))
|
|
|
|
if (!secp256k1_ge_set_xo_var(&x, &fx, recid & 1))
|
|
|
|
return 0;
|
|
|
|
return 0;
|
|
|
|
secp256k1_gej_t xj;
|
|
|
|
|
|
|
|
secp256k1_gej_set_ge(&xj, &x);
|
|
|
|
secp256k1_gej_set_ge(&xj, &x);
|
|
|
|
secp256k1_scalar_t rn, u1, u2;
|
|
|
|
|
|
|
|
secp256k1_scalar_inverse_var(&rn, &sig->r);
|
|
|
|
secp256k1_scalar_inverse_var(&rn, &sig->r);
|
|
|
|
secp256k1_scalar_mul(&u1, &rn, message);
|
|
|
|
secp256k1_scalar_mul(&u1, &rn, message);
|
|
|
|
secp256k1_scalar_negate(&u1, &u1);
|
|
|
|
secp256k1_scalar_negate(&u1, &u1);
|
|
|
|
secp256k1_scalar_mul(&u2, &rn, &sig->s);
|
|
|
|
secp256k1_scalar_mul(&u2, &rn, &sig->s);
|
|
|
|
secp256k1_gej_t qj;
|
|
|
|
|
|
|
|
secp256k1_ecmult(&qj, &xj, &u2, &u1);
|
|
|
|
secp256k1_ecmult(&qj, &xj, &u2, &u1);
|
|
|
|
secp256k1_ge_set_gej_var(pubkey, &qj);
|
|
|
|
secp256k1_ge_set_gej_var(pubkey, &qj);
|
|
|
|
return !secp256k1_gej_is_infinity(&qj);
|
|
|
|
return !secp256k1_gej_is_infinity(&qj);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
static int secp256k1_ecdsa_sig_sign(secp256k1_ecdsa_sig_t *sig, const secp256k1_scalar_t *seckey, const secp256k1_scalar_t *message, const secp256k1_scalar_t *nonce, int *recid) {
|
|
|
|
static int secp256k1_ecdsa_sig_sign(secp256k1_ecdsa_sig_t *sig, const secp256k1_scalar_t *seckey, const secp256k1_scalar_t *message, const secp256k1_scalar_t *nonce, int *recid) {
|
|
|
|
|
|
|
|
unsigned char b[32];
|
|
|
|
secp256k1_gej_t rp;
|
|
|
|
secp256k1_gej_t rp;
|
|
|
|
secp256k1_ecmult_gen(&rp, nonce);
|
|
|
|
|
|
|
|
secp256k1_ge_t r;
|
|
|
|
secp256k1_ge_t r;
|
|
|
|
|
|
|
|
secp256k1_scalar_t n;
|
|
|
|
|
|
|
|
int overflow = 0;
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
secp256k1_ecmult_gen(&rp, nonce);
|
|
|
|
secp256k1_ge_set_gej(&r, &rp);
|
|
|
|
secp256k1_ge_set_gej(&r, &rp);
|
|
|
|
unsigned char b[32];
|
|
|
|
|
|
|
|
secp256k1_fe_normalize(&r.x);
|
|
|
|
secp256k1_fe_normalize(&r.x);
|
|
|
|
secp256k1_fe_normalize(&r.y);
|
|
|
|
secp256k1_fe_normalize(&r.y);
|
|
|
|
secp256k1_fe_get_b32(b, &r.x);
|
|
|
|
secp256k1_fe_get_b32(b, &r.x);
|
|
|
|
int overflow = 0;
|
|
|
|
|
|
|
|
secp256k1_scalar_set_b32(&sig->r, b, &overflow);
|
|
|
|
secp256k1_scalar_set_b32(&sig->r, b, &overflow);
|
|
|
|
if (secp256k1_scalar_is_zero(&sig->r)) {
|
|
|
|
if (secp256k1_scalar_is_zero(&sig->r)) {
|
|
|
|
/* P.x = order is on the curve, so technically sig->r could end up zero, which would be an invalid signature. */
|
|
|
|
/* P.x = order is on the curve, so technically sig->r could end up zero, which would be an invalid signature. */
|
|
|
|
@ -178,7 +189,6 @@ static int secp256k1_ecdsa_sig_sign(secp256k1_ecdsa_sig_t *sig, const secp256k1_
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (recid)
|
|
|
|
if (recid)
|
|
|
|
*recid = (overflow ? 2 : 0) | (secp256k1_fe_is_odd(&r.y) ? 1 : 0);
|
|
|
|
*recid = (overflow ? 2 : 0) | (secp256k1_fe_is_odd(&r.y) ? 1 : 0);
|
|
|
|
secp256k1_scalar_t n;
|
|
|
|
|
|
|
|
secp256k1_scalar_mul(&n, &sig->r, seckey);
|
|
|
|
secp256k1_scalar_mul(&n, &sig->r, seckey);
|
|
|
|
secp256k1_scalar_add(&n, &n, message);
|
|
|
|
secp256k1_scalar_add(&n, &n, message);
|
|
|
|
secp256k1_scalar_inverse(&sig->s, nonce);
|
|
|
|
secp256k1_scalar_inverse(&sig->s, nonce);
|
|
|
|
|
Gregory Maxwell
10 years ago