Remove the internal secp256k1_ecdsa_sig_t type
This commit is contained in:
Pieter Wuille
parent
74a2acdb8a
commit
18c329c506
14
src/ecdsa.h
14
src/ecdsa.h
|
|
@ -11,14 +11,10 @@
|
|||
#include "group.h"
|
||||
#include "ecmult.h"
|
||||
|
||||
typedef struct {
|
||||
secp256k1_scalar_t r, s;
|
||||
} secp256k1_ecdsa_sig_t;
|
||||
|
||||
static int secp256k1_ecdsa_sig_parse(secp256k1_ecdsa_sig_t *r, const unsigned char *sig, int size);
|
||||
static int secp256k1_ecdsa_sig_serialize(unsigned char *sig, int *size, const secp256k1_ecdsa_sig_t *a);
|
||||
static int secp256k1_ecdsa_sig_verify(const secp256k1_ecmult_context_t *ctx, const secp256k1_ecdsa_sig_t *sig, const secp256k1_ge_t *pubkey, const secp256k1_scalar_t *message);
|
||||
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context_t *ctx, secp256k1_ecdsa_sig_t *sig, const secp256k1_scalar_t *seckey, const secp256k1_scalar_t *message, const secp256k1_scalar_t *nonce, int *recid);
|
||||
static int secp256k1_ecdsa_sig_recover(const secp256k1_ecmult_context_t *ctx, const secp256k1_ecdsa_sig_t *sig, secp256k1_ge_t *pubkey, const secp256k1_scalar_t *message, int recid);
|
||||
static int secp256k1_ecdsa_sig_parse(secp256k1_scalar_t *r, secp256k1_scalar_t *s, const unsigned char *sig, int size);
|
||||
static int secp256k1_ecdsa_sig_serialize(unsigned char *sig, int *size, const secp256k1_scalar_t *r, const secp256k1_scalar_t *s);
|
||||
static int secp256k1_ecdsa_sig_verify(const secp256k1_ecmult_context_t *ctx, const secp256k1_scalar_t* r, const secp256k1_scalar_t* s, const secp256k1_ge_t *pubkey, const secp256k1_scalar_t *message);
|
||||
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context_t *ctx, secp256k1_scalar_t* r, secp256k1_scalar_t* s, const secp256k1_scalar_t *seckey, const secp256k1_scalar_t *message, const secp256k1_scalar_t *nonce, int *recid);
|
||||
static int secp256k1_ecdsa_sig_recover(const secp256k1_ecmult_context_t *ctx, const secp256k1_scalar_t* r, const secp256k1_scalar_t* s, secp256k1_ge_t *pubkey, const secp256k1_scalar_t *message, int recid);
|
||||
|
||||
#endif
|
||||
|
|
|
|||
|
|
@ -46,7 +46,7 @@ static const secp256k1_fe_t secp256k1_ecdsa_const_p_minus_order = SECP256K1_FE_C
|
|||
0, 0, 0, 1, 0x45512319UL, 0x50B75FC4UL, 0x402DA172UL, 0x2FC9BAEEUL
|
||||
);
|
||||
|
||||
static int secp256k1_ecdsa_sig_parse(secp256k1_ecdsa_sig_t *r, const unsigned char *sig, int size) {
|
||||
static int secp256k1_ecdsa_sig_parse(secp256k1_scalar_t *rr, secp256k1_scalar_t *rs, const unsigned char *sig, int size) {
|
||||
unsigned char ra[32] = {0}, sa[32] = {0};
|
||||
const unsigned char *rp;
|
||||
const unsigned char *sp;
|
||||
|
|
@ -98,23 +98,23 @@ static int secp256k1_ecdsa_sig_parse(secp256k1_ecdsa_sig_t *r, const unsigned ch
|
|||
memcpy(ra + 32 - lenr, rp, lenr);
|
||||
memcpy(sa + 32 - lens, sp, lens);
|
||||
overflow = 0;
|
||||
secp256k1_scalar_set_b32(&r->r, ra, &overflow);
|
||||
secp256k1_scalar_set_b32(rr, ra, &overflow);
|
||||
if (overflow) {
|
||||
return 0;
|
||||
}
|
||||
secp256k1_scalar_set_b32(&r->s, sa, &overflow);
|
||||
secp256k1_scalar_set_b32(rs, sa, &overflow);
|
||||
if (overflow) {
|
||||
return 0;
|
||||
}
|
||||
return 1;
|
||||
}
|
||||
|
||||
static int secp256k1_ecdsa_sig_serialize(unsigned char *sig, int *size, const secp256k1_ecdsa_sig_t *a) {
|
||||
static int secp256k1_ecdsa_sig_serialize(unsigned char *sig, int *size, const secp256k1_scalar_t* ar, const secp256k1_scalar_t* as) {
|
||||
unsigned char r[33] = {0}, s[33] = {0};
|
||||
unsigned char *rp = r, *sp = s;
|
||||
int lenR = 33, lenS = 33;
|
||||
secp256k1_scalar_get_b32(&r[1], &a->r);
|
||||
secp256k1_scalar_get_b32(&s[1], &a->s);
|
||||
secp256k1_scalar_get_b32(&r[1], ar);
|
||||
secp256k1_scalar_get_b32(&s[1], as);
|
||||
while (lenR > 1 && rp[0] == 0 && rp[1] < 0x80) { lenR--; rp++; }
|
||||
while (lenS > 1 && sp[0] == 0 && sp[1] < 0x80) { lenS--; sp++; }
|
||||
if (*size < 6+lenS+lenR) {
|
||||
|
|
@ -133,26 +133,26 @@ static int secp256k1_ecdsa_sig_serialize(unsigned char *sig, int *size, const se
|
|||
return 1;
|
||||
}
|
||||
|
||||
static int secp256k1_ecdsa_sig_verify(const secp256k1_ecmult_context_t *ctx, const secp256k1_ecdsa_sig_t *sig, const secp256k1_ge_t *pubkey, const secp256k1_scalar_t *message) {
|
||||
static int secp256k1_ecdsa_sig_verify(const secp256k1_ecmult_context_t *ctx, const secp256k1_scalar_t *sigr, const secp256k1_scalar_t *sigs, const secp256k1_ge_t *pubkey, const secp256k1_scalar_t *message) {
|
||||
unsigned char c[32];
|
||||
secp256k1_scalar_t sn, u1, u2;
|
||||
secp256k1_fe_t xr;
|
||||
secp256k1_gej_t pubkeyj;
|
||||
secp256k1_gej_t pr;
|
||||
|
||||
if (secp256k1_scalar_is_zero(&sig->r) || secp256k1_scalar_is_zero(&sig->s)) {
|
||||
if (secp256k1_scalar_is_zero(sigr) || secp256k1_scalar_is_zero(sigs)) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
secp256k1_scalar_inverse_var(&sn, &sig->s);
|
||||
secp256k1_scalar_inverse_var(&sn, sigs);
|
||||
secp256k1_scalar_mul(&u1, &sn, message);
|
||||
secp256k1_scalar_mul(&u2, &sn, &sig->r);
|
||||
secp256k1_scalar_mul(&u2, &sn, sigr);
|
||||
secp256k1_gej_set_ge(&pubkeyj, pubkey);
|
||||
secp256k1_ecmult(ctx, &pr, &pubkeyj, &u2, &u1);
|
||||
if (secp256k1_gej_is_infinity(&pr)) {
|
||||
return 0;
|
||||
}
|
||||
secp256k1_scalar_get_b32(c, &sig->r);
|
||||
secp256k1_scalar_get_b32(c, sigr);
|
||||
secp256k1_fe_set_b32(&xr, c);
|
||||
|
||||
/** We now have the recomputed R point in pr, and its claimed x coordinate (modulo n)
|
||||
|
|
@ -187,7 +187,7 @@ static int secp256k1_ecdsa_sig_verify(const secp256k1_ecmult_context_t *ctx, con
|
|||
return 0;
|
||||
}
|
||||
|
||||
static int secp256k1_ecdsa_sig_recover(const secp256k1_ecmult_context_t *ctx, const secp256k1_ecdsa_sig_t *sig, secp256k1_ge_t *pubkey, const secp256k1_scalar_t *message, int recid) {
|
||||
static int secp256k1_ecdsa_sig_recover(const secp256k1_ecmult_context_t *ctx, const secp256k1_scalar_t *sigr, const secp256k1_scalar_t* sigs, secp256k1_ge_t *pubkey, const secp256k1_scalar_t *message, int recid) {
|
||||
unsigned char brx[32];
|
||||
secp256k1_fe_t fx;
|
||||
secp256k1_ge_t x;
|
||||
|
|
@ -195,11 +195,11 @@ static int secp256k1_ecdsa_sig_recover(const secp256k1_ecmult_context_t *ctx, co
|
|||
secp256k1_scalar_t rn, u1, u2;
|
||||
secp256k1_gej_t qj;
|
||||
|
||||
if (secp256k1_scalar_is_zero(&sig->r) || secp256k1_scalar_is_zero(&sig->s)) {
|
||||
if (secp256k1_scalar_is_zero(sigr) || secp256k1_scalar_is_zero(sigs)) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
secp256k1_scalar_get_b32(brx, &sig->r);
|
||||
secp256k1_scalar_get_b32(brx, sigr);
|
||||
VERIFY_CHECK(secp256k1_fe_set_b32(&fx, brx)); /* brx comes from a scalar, so is less than the order; certainly less than p */
|
||||
if (recid & 2) {
|
||||
if (secp256k1_fe_cmp_var(&fx, &secp256k1_ecdsa_const_p_minus_order) >= 0) {
|
||||
|
|
@ -211,16 +211,16 @@ static int secp256k1_ecdsa_sig_recover(const secp256k1_ecmult_context_t *ctx, co
|
|||
return 0;
|
||||
}
|
||||
secp256k1_gej_set_ge(&xj, &x);
|
||||
secp256k1_scalar_inverse_var(&rn, &sig->r);
|
||||
secp256k1_scalar_inverse_var(&rn, sigr);
|
||||
secp256k1_scalar_mul(&u1, &rn, message);
|
||||
secp256k1_scalar_negate(&u1, &u1);
|
||||
secp256k1_scalar_mul(&u2, &rn, &sig->s);
|
||||
secp256k1_scalar_mul(&u2, &rn, sigs);
|
||||
secp256k1_ecmult(ctx, &qj, &xj, &u2, &u1);
|
||||
secp256k1_ge_set_gej_var(pubkey, &qj);
|
||||
return !secp256k1_gej_is_infinity(&qj);
|
||||
}
|
||||
|
||||
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context_t *ctx, secp256k1_ecdsa_sig_t *sig, const secp256k1_scalar_t *seckey, const secp256k1_scalar_t *message, const secp256k1_scalar_t *nonce, int *recid) {
|
||||
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context_t *ctx, secp256k1_scalar_t *sigr, secp256k1_scalar_t *sigs, const secp256k1_scalar_t *seckey, const secp256k1_scalar_t *message, const secp256k1_scalar_t *nonce, int *recid) {
|
||||
unsigned char b[32];
|
||||
secp256k1_gej_t rp;
|
||||
secp256k1_ge_t r;
|
||||
|
|
@ -232,8 +232,8 @@ static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context_t *ctx, s
|
|||
secp256k1_fe_normalize(&r.x);
|
||||
secp256k1_fe_normalize(&r.y);
|
||||
secp256k1_fe_get_b32(b, &r.x);
|
||||
secp256k1_scalar_set_b32(&sig->r, b, &overflow);
|
||||
if (secp256k1_scalar_is_zero(&sig->r)) {
|
||||
secp256k1_scalar_set_b32(sigr, b, &overflow);
|
||||
if (secp256k1_scalar_is_zero(sigr)) {
|
||||
/* P.x = order is on the curve, so technically sig->r could end up zero, which would be an invalid signature. */
|
||||
secp256k1_gej_clear(&rp);
|
||||
secp256k1_ge_clear(&r);
|
||||
|
|
@ -242,18 +242,18 @@ static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context_t *ctx, s
|
|||
if (recid) {
|
||||
*recid = (overflow ? 2 : 0) | (secp256k1_fe_is_odd(&r.y) ? 1 : 0);
|
||||
}
|
||||
secp256k1_scalar_mul(&n, &sig->r, seckey);
|
||||
secp256k1_scalar_mul(&n, sigr, seckey);
|
||||
secp256k1_scalar_add(&n, &n, message);
|
||||
secp256k1_scalar_inverse(&sig->s, nonce);
|
||||
secp256k1_scalar_mul(&sig->s, &sig->s, &n);
|
||||
secp256k1_scalar_inverse(sigs, nonce);
|
||||
secp256k1_scalar_mul(sigs, sigs, &n);
|
||||
secp256k1_scalar_clear(&n);
|
||||
secp256k1_gej_clear(&rp);
|
||||
secp256k1_ge_clear(&r);
|
||||
if (secp256k1_scalar_is_zero(&sig->s)) {
|
||||
if (secp256k1_scalar_is_zero(sigs)) {
|
||||
return 0;
|
||||
}
|
||||
if (secp256k1_scalar_is_high(&sig->s)) {
|
||||
secp256k1_scalar_negate(&sig->s, &sig->s);
|
||||
if (secp256k1_scalar_is_high(sigs)) {
|
||||
secp256k1_scalar_negate(sigs, sigs);
|
||||
if (recid) {
|
||||
*recid ^= 1;
|
||||
}
|
||||
|
|
|
|||
|
|
@ -108,42 +108,42 @@ int secp256k1_ec_pubkey_serialize(const secp256k1_context_t* ctx, unsigned char
|
|||
return secp256k1_eckey_pubkey_serialize(&Q, output, outputlen, compressed);
|
||||
}
|
||||
|
||||
static void secp256k1_ecdsa_signature_load(secp256k1_ecdsa_sig_t* s, int* recid, const secp256k1_ecdsa_signature_t* sig) {
|
||||
static void secp256k1_ecdsa_signature_load(secp256k1_scalar_t* r, secp256k1_scalar_t* s, int* recid, const secp256k1_ecdsa_signature_t* sig) {
|
||||
if (sizeof(secp256k1_scalar_t) == 32) {
|
||||
/* When the secp256k1_scalar_t type is exactly 32 byte, use its
|
||||
* representation inside secp256k1_ecdsa_signature_t, as conversion is very fast.
|
||||
* Note that secp256k1_ecdsa_signature_save must use the same representation. */
|
||||
memcpy(&s->r, &sig->data[0], 32);
|
||||
memcpy(&s->s, &sig->data[32], 32);
|
||||
memcpy(r, &sig->data[0], 32);
|
||||
memcpy(s, &sig->data[32], 32);
|
||||
} else {
|
||||
secp256k1_scalar_set_b32(&s->r, &sig->data[0], NULL);
|
||||
secp256k1_scalar_set_b32(&s->s, &sig->data[32], NULL);
|
||||
secp256k1_scalar_set_b32(r, &sig->data[0], NULL);
|
||||
secp256k1_scalar_set_b32(s, &sig->data[32], NULL);
|
||||
}
|
||||
if (recid) {
|
||||
*recid = sig->data[64];
|
||||
}
|
||||
}
|
||||
|
||||
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature_t* sig, const secp256k1_ecdsa_sig_t* s, int recid) {
|
||||
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature_t* sig, const secp256k1_scalar_t* r, const secp256k1_scalar_t* s, int recid) {
|
||||
if (sizeof(secp256k1_scalar_t) == 32) {
|
||||
memcpy(&sig->data[0], &s->r, 32);
|
||||
memcpy(&sig->data[32], &s->s, 32);
|
||||
memcpy(&sig->data[0], r, 32);
|
||||
memcpy(&sig->data[32], s, 32);
|
||||
} else {
|
||||
secp256k1_scalar_get_b32(&sig->data[0], &s->r);
|
||||
secp256k1_scalar_get_b32(&sig->data[32], &s->s);
|
||||
secp256k1_scalar_get_b32(&sig->data[0], r);
|
||||
secp256k1_scalar_get_b32(&sig->data[32], s);
|
||||
}
|
||||
sig->data[64] = recid;
|
||||
}
|
||||
|
||||
int secp256k1_ecdsa_signature_parse_der(const secp256k1_context_t* ctx, secp256k1_ecdsa_signature_t* sig, const unsigned char *input, int inputlen) {
|
||||
secp256k1_ecdsa_sig_t s;
|
||||
secp256k1_scalar_t r, s;
|
||||
|
||||
(void)ctx;
|
||||
DEBUG_CHECK(sig != NULL);
|
||||
DEBUG_CHECK(input != NULL);
|
||||
|
||||
if (secp256k1_ecdsa_sig_parse(&s, input, inputlen)) {
|
||||
secp256k1_ecdsa_signature_save(sig, &s, -1);
|
||||
if (secp256k1_ecdsa_sig_parse(&r, &s, input, inputlen)) {
|
||||
secp256k1_ecdsa_signature_save(sig, &r, &s, -1);
|
||||
return 1;
|
||||
} else {
|
||||
memset(sig, 0, sizeof(*sig));
|
||||
|
|
@ -152,7 +152,7 @@ int secp256k1_ecdsa_signature_parse_der(const secp256k1_context_t* ctx, secp256k
|
|||
}
|
||||
|
||||
int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context_t* ctx, secp256k1_ecdsa_signature_t* sig, const unsigned char *input64, int recid) {
|
||||
secp256k1_ecdsa_sig_t s;
|
||||
secp256k1_scalar_t r, s;
|
||||
int ret = 1;
|
||||
int overflow = 0;
|
||||
|
||||
|
|
@ -160,13 +160,13 @@ int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context_t* ctx, secp
|
|||
DEBUG_CHECK(sig != NULL);
|
||||
DEBUG_CHECK(input64 != NULL);
|
||||
|
||||
secp256k1_scalar_set_b32(&s.r, &input64[0], &overflow);
|
||||
secp256k1_scalar_set_b32(&r, &input64[0], &overflow);
|
||||
ret &= !overflow;
|
||||
secp256k1_scalar_set_b32(&s.s, &input64[32], &overflow);
|
||||
secp256k1_scalar_set_b32(&s, &input64[32], &overflow);
|
||||
ret &= !overflow;
|
||||
ret &= (recid == -1 || (recid >= 0 && recid < 4));
|
||||
if (ret) {
|
||||
secp256k1_ecdsa_signature_save(sig, &s, recid);
|
||||
secp256k1_ecdsa_signature_save(sig, &r, &s, recid);
|
||||
} else {
|
||||
memset(sig, 0, sizeof(*sig));
|
||||
}
|
||||
|
|
@ -174,28 +174,28 @@ int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context_t* ctx, secp
|
|||
}
|
||||
|
||||
int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context_t* ctx, unsigned char *output, int *outputlen, const secp256k1_ecdsa_signature_t* sig) {
|
||||
secp256k1_ecdsa_sig_t s;
|
||||
secp256k1_scalar_t r, s;
|
||||
|
||||
(void)ctx;
|
||||
DEBUG_CHECK(output != NULL);
|
||||
DEBUG_CHECK(outputlen != NULL);
|
||||
DEBUG_CHECK(sig != NULL);
|
||||
|
||||
secp256k1_ecdsa_signature_load(&s, NULL, sig);
|
||||
return secp256k1_ecdsa_sig_serialize(output, outputlen, &s);
|
||||
secp256k1_ecdsa_signature_load(&r, &s, NULL, sig);
|
||||
return secp256k1_ecdsa_sig_serialize(output, outputlen, &r, &s);
|
||||
}
|
||||
|
||||
int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context_t* ctx, unsigned char *output64, int *recid, const secp256k1_ecdsa_signature_t* sig) {
|
||||
secp256k1_ecdsa_sig_t s;
|
||||
secp256k1_scalar_t r, s;
|
||||
int rec;
|
||||
|
||||
(void)ctx;
|
||||
DEBUG_CHECK(output64 != NULL);
|
||||
DEBUG_CHECK(sig != NULL);
|
||||
|
||||
secp256k1_ecdsa_signature_load(&s, &rec, sig);
|
||||
secp256k1_scalar_get_b32(&output64[0], &s.r);
|
||||
secp256k1_scalar_get_b32(&output64[32], &s.s);
|
||||
secp256k1_ecdsa_signature_load(&r, &s, &rec, sig);
|
||||
secp256k1_scalar_get_b32(&output64[0], &r);
|
||||
secp256k1_scalar_get_b32(&output64[32], &s);
|
||||
if (recid) {
|
||||
DEBUG_CHECK(rec >= 0 && rec < 4);
|
||||
*recid = rec;
|
||||
|
|
@ -205,7 +205,7 @@ int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context_t* ctx,
|
|||
|
||||
int secp256k1_ecdsa_verify(const secp256k1_context_t* ctx, const unsigned char *msg32, const secp256k1_ecdsa_signature_t *sig, const secp256k1_pubkey_t *pubkey) {
|
||||
secp256k1_ge_t q;
|
||||
secp256k1_ecdsa_sig_t s;
|
||||
secp256k1_scalar_t r, s;
|
||||
secp256k1_scalar_t m;
|
||||
DEBUG_CHECK(ctx != NULL);
|
||||
DEBUG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
|
||||
|
|
@ -215,8 +215,8 @@ int secp256k1_ecdsa_verify(const secp256k1_context_t* ctx, const unsigned char *
|
|||
|
||||
secp256k1_scalar_set_b32(&m, msg32, NULL);
|
||||
secp256k1_pubkey_load(&q, pubkey);
|
||||
secp256k1_ecdsa_signature_load(&s, NULL, sig);
|
||||
return secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &s, &q, &m);
|
||||
secp256k1_ecdsa_signature_load(&r, &s, NULL, sig);
|
||||
return secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &r, &s, &q, &m);
|
||||
}
|
||||
|
||||
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, unsigned int counter, const void *data) {
|
||||
|
|
@ -245,7 +245,7 @@ const secp256k1_nonce_function_t secp256k1_nonce_function_rfc6979 = nonce_functi
|
|||
const secp256k1_nonce_function_t secp256k1_nonce_function_default = nonce_function_rfc6979;
|
||||
|
||||
int secp256k1_ecdsa_sign(const secp256k1_context_t* ctx, const unsigned char *msg32, secp256k1_ecdsa_signature_t *signature, const unsigned char *seckey, secp256k1_nonce_function_t noncefp, const void* noncedata) {
|
||||
secp256k1_ecdsa_sig_t sig;
|
||||
secp256k1_scalar_t r, s;
|
||||
secp256k1_scalar_t sec, non, msg;
|
||||
int recid;
|
||||
int ret = 0;
|
||||
|
|
@ -273,7 +273,7 @@ int secp256k1_ecdsa_sign(const secp256k1_context_t* ctx, const unsigned char *ms
|
|||
secp256k1_scalar_set_b32(&non, nonce32, &overflow);
|
||||
memset(nonce32, 0, 32);
|
||||
if (!secp256k1_scalar_is_zero(&non) && !overflow) {
|
||||
if (secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &sig, &sec, &msg, &non, &recid)) {
|
||||
if (secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &r, &s, &sec, &msg, &non, &recid)) {
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
|
@ -284,7 +284,7 @@ int secp256k1_ecdsa_sign(const secp256k1_context_t* ctx, const unsigned char *ms
|
|||
secp256k1_scalar_clear(&sec);
|
||||
}
|
||||
if (ret) {
|
||||
secp256k1_ecdsa_signature_save(signature, &sig, recid);
|
||||
secp256k1_ecdsa_signature_save(signature, &r, &s, recid);
|
||||
} else {
|
||||
memset(signature, 0, sizeof(*signature));
|
||||
}
|
||||
|
|
@ -293,7 +293,7 @@ int secp256k1_ecdsa_sign(const secp256k1_context_t* ctx, const unsigned char *ms
|
|||
|
||||
int secp256k1_ecdsa_recover(const secp256k1_context_t* ctx, const unsigned char *msg32, const secp256k1_ecdsa_signature_t *signature, secp256k1_pubkey_t *pubkey) {
|
||||
secp256k1_ge_t q;
|
||||
secp256k1_ecdsa_sig_t sig;
|
||||
secp256k1_scalar_t r, s;
|
||||
secp256k1_scalar_t m;
|
||||
int recid;
|
||||
DEBUG_CHECK(ctx != NULL);
|
||||
|
|
@ -302,10 +302,10 @@ int secp256k1_ecdsa_recover(const secp256k1_context_t* ctx, const unsigned char
|
|||
DEBUG_CHECK(signature != NULL);
|
||||
DEBUG_CHECK(pubkey != NULL);
|
||||
|
||||
secp256k1_ecdsa_signature_load(&sig, &recid, signature);
|
||||
secp256k1_ecdsa_signature_load(&r, &s, &recid, signature);
|
||||
DEBUG_CHECK(recid >= 0 && recid < 4);
|
||||
secp256k1_scalar_set_b32(&m, msg32, NULL);
|
||||
if (secp256k1_ecdsa_sig_recover(&ctx->ecmult_ctx, &sig, &q, &m, recid)) {
|
||||
if (secp256k1_ecdsa_sig_recover(&ctx->ecmult_ctx, &r, &s, &q, &m, recid)) {
|
||||
secp256k1_pubkey_save(pubkey, &q);
|
||||
return 1;
|
||||
} else {
|
||||
|
|
|
|||
62
src/tests.c
62
src/tests.c
|
|
@ -111,7 +111,7 @@ void run_context_tests(void) {
|
|||
secp256k1_gej_t pubj;
|
||||
secp256k1_ge_t pub;
|
||||
secp256k1_scalar_t msg, key, nonce;
|
||||
secp256k1_ecdsa_sig_t sig;
|
||||
secp256k1_scalar_t sigr, sigs;
|
||||
|
||||
/*** clone and destroy all of them to make sure cloning was complete ***/
|
||||
{
|
||||
|
|
@ -132,15 +132,15 @@ void run_context_tests(void) {
|
|||
/* obtain a working nonce */
|
||||
do {
|
||||
random_scalar_order_test(&nonce);
|
||||
} while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sig, &key, &msg, &nonce, NULL));
|
||||
} while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
|
||||
|
||||
/* try signing */
|
||||
CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sig, &key, &msg, &nonce, NULL));
|
||||
CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sig, &key, &msg, &nonce, NULL));
|
||||
CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
|
||||
CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
|
||||
|
||||
/* try verifying */
|
||||
CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sig, &pub, &msg));
|
||||
CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sig, &pub, &msg));
|
||||
CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
|
||||
CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
|
||||
|
||||
/* cleanup */
|
||||
secp256k1_context_destroy(none);
|
||||
|
|
@ -1488,11 +1488,11 @@ void run_ecmult_gen_blind(void) {
|
|||
}
|
||||
|
||||
|
||||
void random_sign(secp256k1_ecdsa_sig_t *sig, const secp256k1_scalar_t *key, const secp256k1_scalar_t *msg, int *recid) {
|
||||
void random_sign(secp256k1_scalar_t *sigr, secp256k1_scalar_t *sigs, const secp256k1_scalar_t *key, const secp256k1_scalar_t *msg, int *recid) {
|
||||
secp256k1_scalar_t nonce;
|
||||
do {
|
||||
random_scalar_order_test(&nonce);
|
||||
} while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sig, key, msg, &nonce, recid));
|
||||
} while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
|
||||
}
|
||||
|
||||
void test_ecdsa_sign_verify(void) {
|
||||
|
|
@ -1500,7 +1500,7 @@ void test_ecdsa_sign_verify(void) {
|
|||
secp256k1_ge_t pub;
|
||||
secp256k1_scalar_t one;
|
||||
secp256k1_scalar_t msg, key;
|
||||
secp256k1_ecdsa_sig_t sig;
|
||||
secp256k1_scalar_t sigr, sigs;
|
||||
int recid;
|
||||
int getrec;
|
||||
random_scalar_order_test(&msg);
|
||||
|
|
@ -1508,14 +1508,14 @@ void test_ecdsa_sign_verify(void) {
|
|||
secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
|
||||
secp256k1_ge_set_gej(&pub, &pubj);
|
||||
getrec = secp256k1_rand32()&1;
|
||||
random_sign(&sig, &key, &msg, getrec?&recid:NULL);
|
||||
random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
|
||||
if (getrec) {
|
||||
CHECK(recid >= 0 && recid < 4);
|
||||
}
|
||||
CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sig, &pub, &msg));
|
||||
CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
|
||||
secp256k1_scalar_set_int(&one, 1);
|
||||
secp256k1_scalar_add(&msg, &msg, &one);
|
||||
CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sig, &pub, &msg));
|
||||
CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
|
||||
}
|
||||
|
||||
void run_ecdsa_sign_verify(void) {
|
||||
|
|
@ -1926,15 +1926,15 @@ void test_ecdsa_edge_cases(void) {
|
|||
secp256k1_gej_t keyj;
|
||||
secp256k1_ge_t key;
|
||||
secp256k1_scalar_t msg;
|
||||
secp256k1_ecdsa_sig_t s;
|
||||
secp256k1_scalar_set_int(&s.s, 1);
|
||||
secp256k1_scalar_negate(&s.s, &s.s);
|
||||
secp256k1_scalar_inverse(&s.s, &s.s);
|
||||
secp256k1_scalar_set_int(&s.r, 1);
|
||||
secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &s.r);
|
||||
secp256k1_scalar_t sr, ss;
|
||||
secp256k1_scalar_set_int(&ss, 1);
|
||||
secp256k1_scalar_negate(&ss, &ss);
|
||||
secp256k1_scalar_inverse(&ss, &ss);
|
||||
secp256k1_scalar_set_int(&sr, 1);
|
||||
secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
|
||||
secp256k1_ge_set_gej(&key, &keyj);
|
||||
msg = s.s;
|
||||
CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &s, &key, &msg) == 0);
|
||||
msg = ss;
|
||||
CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
|
||||
}
|
||||
|
||||
/* Test r/s equal to zero */
|
||||
|
|
@ -2018,7 +2018,7 @@ void test_ecdsa_edge_cases(void) {
|
|||
unsigned char key[32];
|
||||
unsigned char msg[32];
|
||||
secp256k1_ecdsa_signature_t sig2;
|
||||
secp256k1_ecdsa_sig_t s[512];
|
||||
secp256k1_scalar_t sr[512], ss;
|
||||
const unsigned char *extra;
|
||||
extra = t == 0 ? NULL : zero;
|
||||
memset(msg, 0, 32);
|
||||
|
|
@ -2051,9 +2051,9 @@ void test_ecdsa_edge_cases(void) {
|
|||
msg[0] = i;
|
||||
CHECK(secp256k1_ecdsa_sign(ctx, msg, &sig2, key, NULL, extra) == 1);
|
||||
CHECK(!is_empty_signature(&sig2));
|
||||
secp256k1_ecdsa_signature_load(&s[i], NULL, &sig2);
|
||||
secp256k1_ecdsa_signature_load(&sr[i], &ss, NULL, &sig2);
|
||||
for (j = 0; j < i; j++) {
|
||||
CHECK(!secp256k1_scalar_eq(&s[i].r, &s[j].r));
|
||||
CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
|
||||
}
|
||||
}
|
||||
msg[0] = 0;
|
||||
|
|
@ -2064,9 +2064,9 @@ void test_ecdsa_edge_cases(void) {
|
|||
key[0] = i - 256;
|
||||
CHECK(secp256k1_ecdsa_sign(ctx, msg, &sig2, key, NULL, extra) == 1);
|
||||
CHECK(!is_empty_signature(&sig2));
|
||||
secp256k1_ecdsa_signature_load(&s[i], NULL, &sig2);
|
||||
secp256k1_ecdsa_signature_load(&sr[i], &ss, NULL, &sig2);
|
||||
for (j = 0; j < i; j++) {
|
||||
CHECK(!secp256k1_scalar_eq(&s[i].r, &s[j].r));
|
||||
CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
|
||||
}
|
||||
}
|
||||
key[0] = 0;
|
||||
|
|
@ -2107,7 +2107,7 @@ EC_KEY *get_openssl_key(const secp256k1_scalar_t *key) {
|
|||
void test_ecdsa_openssl(void) {
|
||||
secp256k1_gej_t qj;
|
||||
secp256k1_ge_t q;
|
||||
secp256k1_ecdsa_sig_t sig;
|
||||
secp256k1_scalar_t sigr, sigs;
|
||||
secp256k1_scalar_t one;
|
||||
secp256k1_scalar_t msg2;
|
||||
secp256k1_scalar_t key, msg;
|
||||
|
|
@ -2124,14 +2124,14 @@ void test_ecdsa_openssl(void) {
|
|||
ec_key = get_openssl_key(&key);
|
||||
CHECK(ec_key);
|
||||
CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
|
||||
CHECK(secp256k1_ecdsa_sig_parse(&sig, signature, sigsize));
|
||||
CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sig, &q, &msg));
|
||||
CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
|
||||
CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
|
||||
secp256k1_scalar_set_int(&one, 1);
|
||||
secp256k1_scalar_add(&msg2, &msg, &one);
|
||||
CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sig, &q, &msg2));
|
||||
CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
|
||||
|
||||
random_sign(&sig, &key, &msg, NULL);
|
||||
CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sig));
|
||||
random_sign(&sigr, &sigs, &key, &msg, NULL);
|
||||
CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
|
||||
CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
|
||||
|
||||
EC_KEY_free(ec_key);
|
||||
|
|
|
|||
Loading…
Reference in New Issue