go-ethereum/crypto/secp256k1/ext.h

// Copyright 2015 Jeffrey Wilcke, Felix Lange, Gustav Simonsson. All rights reserved.
// Use of this source code is governed by a BSD-style license that can be found in
// the LICENSE file.

// secp256k1_context_create_sign_verify creates a context for signing and signature verification.
static secp256k1_context* secp256k1_context_create_sign_verify() {
	return secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
}

// secp256k1_ext_ecdsa_recover recovers the public key of an encoded compact signature.
//
// Returns: 1: recovery was successful
//          0: recovery was not successful
// Args:    ctx:        pointer to a context object (cannot be NULL)
//  Out:    pubkey_out: the serialized 65-byte public key of the signer (cannot be NULL)
//  In:     sigdata:    pointer to a 65-byte signature with the recovery id at the end (cannot be NULL)
//          msgdata:    pointer to a 32-byte message (cannot be NULL)
static int secp256k1_ext_ecdsa_recover(
	const secp256k1_context* ctx,
	unsigned char *pubkey_out,
	const unsigned char *sigdata,
	const unsigned char *msgdata
) {
	secp256k1_ecdsa_recoverable_signature sig;
	secp256k1_pubkey pubkey;

	if (!secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &sig, sigdata, (int)sigdata[64])) {
		return 0;
	}
	if (!secp256k1_ecdsa_recover(ctx, &pubkey, &sig, msgdata)) {
		return 0;
	}
	size_t outputlen = 65;
	return secp256k1_ec_pubkey_serialize(ctx, pubkey_out, &outputlen, &pubkey, SECP256K1_EC_UNCOMPRESSED);
}

// secp256k1_ext_ecdsa_verify verifies an encoded compact signature.
//
// Returns: 1: signature is valid
//          0: signature is invalid
// Args:    ctx:        pointer to a context object (cannot be NULL)
//  In:     sigdata:    pointer to a 64-byte signature (cannot be NULL)
//          msgdata:    pointer to a 32-byte message (cannot be NULL)
//          pubkeydata: pointer to public key data (cannot be NULL)
//          pubkeylen:  length of pubkeydata
static int secp256k1_ext_ecdsa_verify(
	const secp256k1_context* ctx,
	const unsigned char *sigdata,
	const unsigned char *msgdata,
	const unsigned char *pubkeydata,
	size_t pubkeylen
) {
	secp256k1_ecdsa_signature sig;
	secp256k1_pubkey pubkey;

	if (!secp256k1_ecdsa_signature_parse_compact(ctx, &sig, sigdata)) {
		return 0;
	}
	if (!secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeydata, pubkeylen)) {
		return 0;
	}
	return secp256k1_ecdsa_verify(ctx, &sig, msgdata, &pubkey);
}

// secp256k1_ext_reencode_pubkey decodes then encodes a public key. It can be used to
// convert between public key formats. The input/output formats are chosen depending on the
// length of the input/output buffers.
//
// Returns: 1: conversion successful
//          0: conversion unsuccessful
// Args:    ctx:        pointer to a context object (cannot be NULL)
//  Out:    out:        output buffer that will contain the reencoded key (cannot be NULL)
//  In:     outlen:     length of out (33 for compressed keys, 65 for uncompressed keys)
//          pubkeydata: the input public key (cannot be NULL)
//          pubkeylen:  length of pubkeydata
static int secp256k1_ext_reencode_pubkey(
	const secp256k1_context* ctx,
	unsigned char *out,
	size_t outlen,
	const unsigned char *pubkeydata,
	size_t pubkeylen
) {
	secp256k1_pubkey pubkey;

	if (!secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeydata, pubkeylen)) {
		return 0;
	}
	unsigned int flag = (outlen == 33) ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED;
	return secp256k1_ec_pubkey_serialize(ctx, out, &outlen, &pubkey, flag);
}

// secp256k1_ext_scalar_mul multiplies a point by a scalar in constant time.
//
// Returns: 1: multiplication was successful
//          0: scalar was invalid (zero or overflow)
// Args:    ctx:      pointer to a context object (cannot be NULL)
//  Out:    point:    the multiplied point (usually secret)
//  In:     point:    pointer to a 64-byte public point,
//                    encoded as two 256bit big-endian numbers.
//          scalar:   a 32-byte scalar with which to multiply the point
int secp256k1_ext_scalar_mul(const secp256k1_context* ctx, unsigned char *point, const unsigned char *scalar) {
	int ret = 0;
	int overflow = 0;
	secp256k1_fe feX, feY;
	secp256k1_gej res;
	secp256k1_ge ge;
	secp256k1_scalar s;
	ARG_CHECK(point != NULL);
	ARG_CHECK(scalar != NULL);
	(void)ctx;

	secp256k1_fe_set_b32(&feX, point);
	secp256k1_fe_set_b32(&feY, point+32);
	secp256k1_ge_set_xy(&ge, &feX, &feY);
	secp256k1_scalar_set_b32(&s, scalar, &overflow);
	if (overflow || secp256k1_scalar_is_zero(&s)) {
		ret = 0;
	} else {
		secp256k1_ecmult_const(&res, &ge, &s);
		secp256k1_ge_set_gej(&ge, &res);
		/* Note: can't use secp256k1_pubkey_save here because it is not constant time. */
		secp256k1_fe_normalize(&ge.x);
		secp256k1_fe_normalize(&ge.y);
		secp256k1_fe_get_b32(point, &ge.x);
		secp256k1_fe_get_b32(point+32, &ge.y);
		ret = 1;
	}
	secp256k1_scalar_clear(&s);
	return ret;
}
crypto/secp256k1: unify the package license to 3-Clause BSD (#17225) Our original wrapper code had two parts. One taken from a third party repository (who took it from upstream Go) licensed under BSD-3. The second written by Jeff, Felix and Gustav, licensed under LGPL. This made this package problematic to use from the outside. With the agreement of the original copyright holders, this commit changes the license of the LGPL portions of the code to BSD-3: --- I agree changing from LGPL to a BSD style license. Jeff --- Hey guys, My preference would be to relicense to GNUBL, but I'm also OK with BSD. Cheers, Gustav --- Felix Lange (fjl): I would approve anything that makes our licensing less complicated --- 2018-07-24 03:47:47 +03:00			`// Copyright 2015 Jeffrey Wilcke, Felix Lange, Gustav Simonsson. All rights reserved.`
			`// Use of this source code is governed by a BSD-style license that can be found in`
			`// the LICENSE file.`
crypto/secp256k1: update to github.com/bitcoin-core/secp256k1 @ 9d560f9 (#3544) - Use defined constants instead of hard-coding their integer value. - Allocate secp256k1 structs on the C stack instead of converting []byte - Remove dead code 2017-01-12 21:29:11 +01:00
			`// secp256k1_context_create_sign_verify creates a context for signing and signature verification.`
			`static secp256k1_context* secp256k1_context_create_sign_verify() {`
			`return secp256k1_context_create(SECP256K1_CONTEXT_SIGN \| SECP256K1_CONTEXT_VERIFY);`
			`}`

crypto, crypto/secp256k1: add CompressPubkey (#15626) This adds the inverse to DecompressPubkey and improves a few minor details in crypto/secp256k1. 2017-12-15 10:40:09 +01:00			`// secp256k1_ext_ecdsa_recover recovers the public key of an encoded compact signature.`
crypto/secp256k1: update to github.com/bitcoin-core/secp256k1 @ 9d560f9 (#3544) - Use defined constants instead of hard-coding their integer value. - Allocate secp256k1 structs on the C stack instead of converting []byte - Remove dead code 2017-01-12 21:29:11 +01:00			`//`
			`// Returns: 1: recovery was successful`
			`// 0: recovery was not successful`
			`// Args: ctx: pointer to a context object (cannot be NULL)`
			`// Out: pubkey_out: the serialized 65-byte public key of the signer (cannot be NULL)`
			`// In: sigdata: pointer to a 65-byte signature with the recovery id at the end (cannot be NULL)`
			`// msgdata: pointer to a 32-byte message (cannot be NULL)`
crypto, crypto/secp256k1: add CompressPubkey (#15626) This adds the inverse to DecompressPubkey and improves a few minor details in crypto/secp256k1. 2017-12-15 10:40:09 +01:00			`static int secp256k1_ext_ecdsa_recover(`
crypto/secp256k1: update to github.com/bitcoin-core/secp256k1 @ 9d560f9 (#3544) - Use defined constants instead of hard-coding their integer value. - Allocate secp256k1 structs on the C stack instead of converting []byte - Remove dead code 2017-01-12 21:29:11 +01:00			`const secp256k1_context* ctx,`
			`unsigned char *pubkey_out,`
			`const unsigned char *sigdata,`
			`const unsigned char *msgdata`
			`) {`
			`secp256k1_ecdsa_recoverable_signature sig;`
			`secp256k1_pubkey pubkey;`

			`if (!secp256k1_ecdsa_recoverable_signature_parse_compact(ctx, &sig, sigdata, (int)sigdata[64])) {`
			`return 0;`
			`}`
			`if (!secp256k1_ecdsa_recover(ctx, &pubkey, &sig, msgdata)) {`
			`return 0;`
			`}`
			`size_t outputlen = 65;`
			`return secp256k1_ec_pubkey_serialize(ctx, pubkey_out, &outputlen, &pubkey, SECP256K1_EC_UNCOMPRESSED);`
			`}`

crypto, crypto/secp256k1: add CompressPubkey (#15626) This adds the inverse to DecompressPubkey and improves a few minor details in crypto/secp256k1. 2017-12-15 10:40:09 +01:00			`// secp256k1_ext_ecdsa_verify verifies an encoded compact signature.`
crypto: add DecompressPubkey, VerifySignature (#15615) We need those operations for p2p/enr. Also upgrade github.com/btcsuite/btcd/btcec to the latest version and improve BenchmarkSha3. The benchmark printed extra output that confused tools like benchstat and ignored N. 2017-12-06 16:07:08 +01:00			`//`
			`// Returns: 1: signature is valid`
			`// 0: signature is invalid`
			`// Args: ctx: pointer to a context object (cannot be NULL)`
			`// In: sigdata: pointer to a 64-byte signature (cannot be NULL)`
			`// msgdata: pointer to a 32-byte message (cannot be NULL)`
			`// pubkeydata: pointer to public key data (cannot be NULL)`
			`// pubkeylen: length of pubkeydata`
crypto, crypto/secp256k1: add CompressPubkey (#15626) This adds the inverse to DecompressPubkey and improves a few minor details in crypto/secp256k1. 2017-12-15 10:40:09 +01:00			`static int secp256k1_ext_ecdsa_verify(`
crypto: add DecompressPubkey, VerifySignature (#15615) We need those operations for p2p/enr. Also upgrade github.com/btcsuite/btcd/btcec to the latest version and improve BenchmarkSha3. The benchmark printed extra output that confused tools like benchstat and ignored N. 2017-12-06 16:07:08 +01:00			`const secp256k1_context* ctx,`
			`const unsigned char *sigdata,`
			`const unsigned char *msgdata,`
			`const unsigned char *pubkeydata,`
			`size_t pubkeylen`
			`) {`
			`secp256k1_ecdsa_signature sig;`
			`secp256k1_pubkey pubkey;`

			`if (!secp256k1_ecdsa_signature_parse_compact(ctx, &sig, sigdata)) {`
			`return 0;`
			`}`
			`if (!secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeydata, pubkeylen)) {`
			`return 0;`
			`}`
			`return secp256k1_ecdsa_verify(ctx, &sig, msgdata, &pubkey);`
			`}`

crypto, crypto/secp256k1: add CompressPubkey (#15626) This adds the inverse to DecompressPubkey and improves a few minor details in crypto/secp256k1. 2017-12-15 10:40:09 +01:00			`// secp256k1_ext_reencode_pubkey decodes then encodes a public key. It can be used to`
			`// convert between public key formats. The input/output formats are chosen depending on the`
			`// length of the input/output buffers.`
crypto: add DecompressPubkey, VerifySignature (#15615) We need those operations for p2p/enr. Also upgrade github.com/btcsuite/btcd/btcec to the latest version and improve BenchmarkSha3. The benchmark printed extra output that confused tools like benchstat and ignored N. 2017-12-06 16:07:08 +01:00			`//`
crypto, crypto/secp256k1: add CompressPubkey (#15626) This adds the inverse to DecompressPubkey and improves a few minor details in crypto/secp256k1. 2017-12-15 10:40:09 +01:00			`// Returns: 1: conversion successful`
			`// 0: conversion unsuccessful`
crypto: add DecompressPubkey, VerifySignature (#15615) We need those operations for p2p/enr. Also upgrade github.com/btcsuite/btcd/btcec to the latest version and improve BenchmarkSha3. The benchmark printed extra output that confused tools like benchstat and ignored N. 2017-12-06 16:07:08 +01:00			`// Args: ctx: pointer to a context object (cannot be NULL)`
crypto, crypto/secp256k1: add CompressPubkey (#15626) This adds the inverse to DecompressPubkey and improves a few minor details in crypto/secp256k1. 2017-12-15 10:40:09 +01:00			`// Out: out: output buffer that will contain the reencoded key (cannot be NULL)`
			`// In: outlen: length of out (33 for compressed keys, 65 for uncompressed keys)`
			`// pubkeydata: the input public key (cannot be NULL)`
			`// pubkeylen: length of pubkeydata`
			`static int secp256k1_ext_reencode_pubkey(`
crypto: add DecompressPubkey, VerifySignature (#15615) We need those operations for p2p/enr. Also upgrade github.com/btcsuite/btcd/btcec to the latest version and improve BenchmarkSha3. The benchmark printed extra output that confused tools like benchstat and ignored N. 2017-12-06 16:07:08 +01:00			`const secp256k1_context* ctx,`
crypto, crypto/secp256k1: add CompressPubkey (#15626) This adds the inverse to DecompressPubkey and improves a few minor details in crypto/secp256k1. 2017-12-15 10:40:09 +01:00			`unsigned char *out,`
			`size_t outlen,`
			`const unsigned char *pubkeydata,`
			`size_t pubkeylen`
crypto: add DecompressPubkey, VerifySignature (#15615) We need those operations for p2p/enr. Also upgrade github.com/btcsuite/btcd/btcec to the latest version and improve BenchmarkSha3. The benchmark printed extra output that confused tools like benchstat and ignored N. 2017-12-06 16:07:08 +01:00			`) {`
			`secp256k1_pubkey pubkey;`

crypto, crypto/secp256k1: add CompressPubkey (#15626) This adds the inverse to DecompressPubkey and improves a few minor details in crypto/secp256k1. 2017-12-15 10:40:09 +01:00			`if (!secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeydata, pubkeylen)) {`
crypto: add DecompressPubkey, VerifySignature (#15615) We need those operations for p2p/enr. Also upgrade github.com/btcsuite/btcd/btcec to the latest version and improve BenchmarkSha3. The benchmark printed extra output that confused tools like benchstat and ignored N. 2017-12-06 16:07:08 +01:00			`return 0;`
			`}`
crypto, crypto/secp256k1: add CompressPubkey (#15626) This adds the inverse to DecompressPubkey and improves a few minor details in crypto/secp256k1. 2017-12-15 10:40:09 +01:00			`unsigned int flag = (outlen == 33) ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED;`
			`return secp256k1_ec_pubkey_serialize(ctx, out, &outlen, &pubkey, flag);`
crypto: add DecompressPubkey, VerifySignature (#15615) We need those operations for p2p/enr. Also upgrade github.com/btcsuite/btcd/btcec to the latest version and improve BenchmarkSha3. The benchmark printed extra output that confused tools like benchstat and ignored N. 2017-12-06 16:07:08 +01:00			`}`

crypto, crypto/secp256k1: add CompressPubkey (#15626) This adds the inverse to DecompressPubkey and improves a few minor details in crypto/secp256k1. 2017-12-15 10:40:09 +01:00			`// secp256k1_ext_scalar_mul multiplies a point by a scalar in constant time.`
crypto/secp256k1: update to github.com/bitcoin-core/secp256k1 @ 9d560f9 (#3544) - Use defined constants instead of hard-coding their integer value. - Allocate secp256k1 structs on the C stack instead of converting []byte - Remove dead code 2017-01-12 21:29:11 +01:00			`//`
			`// Returns: 1: multiplication was successful`
			`// 0: scalar was invalid (zero or overflow)`
			`// Args: ctx: pointer to a context object (cannot be NULL)`
			`// Out: point: the multiplied point (usually secret)`
			`// In: point: pointer to a 64-byte public point,`
			`// encoded as two 256bit big-endian numbers.`
			`// scalar: a 32-byte scalar with which to multiply the point`
crypto, crypto/secp256k1: add CompressPubkey (#15626) This adds the inverse to DecompressPubkey and improves a few minor details in crypto/secp256k1. 2017-12-15 10:40:09 +01:00			`int secp256k1_ext_scalar_mul(const secp256k1_context* ctx, unsigned char point, const unsigned char scalar) {`
crypto/secp256k1: update to github.com/bitcoin-core/secp256k1 @ 9d560f9 (#3544) - Use defined constants instead of hard-coding their integer value. - Allocate secp256k1 structs on the C stack instead of converting []byte - Remove dead code 2017-01-12 21:29:11 +01:00			`int ret = 0;`
			`int overflow = 0;`
			`secp256k1_fe feX, feY;`
			`secp256k1_gej res;`
			`secp256k1_ge ge;`
			`secp256k1_scalar s;`
			`ARG_CHECK(point != NULL);`
			`ARG_CHECK(scalar != NULL);`
			`(void)ctx;`

			`secp256k1_fe_set_b32(&feX, point);`
			`secp256k1_fe_set_b32(&feY, point+32);`
			`secp256k1_ge_set_xy(&ge, &feX, &feY);`
			`secp256k1_scalar_set_b32(&s, scalar, &overflow);`
			`if (overflow \|\| secp256k1_scalar_is_zero(&s)) {`
			`ret = 0;`
			`} else {`
			`secp256k1_ecmult_const(&res, &ge, &s);`
			`secp256k1_ge_set_gej(&ge, &res);`
			`/* Note: can't use secp256k1_pubkey_save here because it is not constant time. */`
			`secp256k1_fe_normalize(&ge.x);`
			`secp256k1_fe_normalize(&ge.y);`
			`secp256k1_fe_get_b32(point, &ge.x);`
			`secp256k1_fe_get_b32(point+32, &ge.y);`
			`ret = 1;`
			`}`
			`secp256k1_scalar_clear(&s);`
			`return ret;`
			`}`