Commit Graph

63 Commits

Author SHA1 Message Date
Dan Raviv abe2d3e84b Fix header guards using reserved identifiers
Identifiers starting with an underscore and followed immediately by a capital letter are reserved by the C++ standard.

The only header guards not fixed are those in the headers auto-generated from java.
2017-08-26 18:44:21 +03:00
Pieter Wuille f532bdc9f7
Merge #459: Add pubkey prefix constants to include/secp256k1.h
bc61b91 add pubkey prefix constants to include/secp256k1.h (Andrew Poelstra)

Pull request description:

  In future multisig implementations we will need to pass nonces around, which are algebraically pubkeys but should not be decodable as pubkeys. The way to do this is to change the prefix byte from the ordinary 0x02/0x03 to something else. However, some forks (notably `secp256k1-zkp`) have started using some bytes for their own encodings, and if we continue to use hardcoded constants the risk of conflict is increased.

  This commit puts the prefixes used by the main library into the `include/secp256k1.h` so that the constants we're using will at least be in a standard easy-to-reference place.

Tree-SHA512: 37fa25be5074b7c519a9c69421320a62f32a3818f144254eb57f96c6657b993fc01962a5c670574275d1c59b095a6c89e60736123f032d6736907284eac526d7
2017-08-10 16:42:01 -07:00
Andrew Poelstra bc61b91aca
add pubkey prefix constants to include/secp256k1.h 2017-06-27 14:05:26 +00:00
Tim Ruffing b0452e664b Fix typo in API documentation 2017-06-05 19:17:53 +02:00
Pieter Wuille 119949232a
Merge #408: Add `secp256k1_ec_pubkey_negate` and `secp256k1_ec_privkey_negate`
8e48aa6 Add `secp256k1_ec_pubkey_negate` and `secp256k1_ec_privkey_negate` (Andrew Poelstra)

Tree-SHA512: 28eeca0b04001958ad86b3c802e33a13273514e9e9802d5b358fd577dc95421a2cffb5591716bea10300717f742f0941c465b9df71dbb4c66d174c643887e06f
2017-03-21 17:54:06 -07:00
Rusty Russell 72d952c9c4 FIXUP: Missing "is"
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2017-02-21 14:43:09 +10:30
Rusty Russell 70ff29b6a7 secp256k1_context_randomize: document.
I think I summarized it correctly after IRC discussion with gmaxwell
and andytoshi; I didn't know it existed :(

It's regrettable to expose this level of detail, but users need to know
this to make a decision about how to use it.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2017-02-14 15:29:33 +10:30
Andrew Poelstra 8e48aa60dc Add `secp256k1_ec_pubkey_negate` and `secp256k1_ec_privkey_negate` 2016-12-20 00:37:37 +00:00
Andrew Poelstra 91219a1cc0 Remove guarantees about memcmp-ability 2016-08-26 18:03:48 +00:00
Pieter Wuille 06aeea555e Turn secp256k1_ec_pubkey_serialize outlen to in/out 2015-11-05 06:01:56 +01:00
Gregory Maxwell 8e48787d97 Change secp256k1_ec_pubkey_combine's count argument to size_t. 2015-10-31 19:04:34 +00:00
Gregory Maxwell c69dea025a Clear output in more cases for pubkey_combine, adds tests.
Also corrects an outdated comment and adds an additional
 secp256k1_ecdsa_signature_parse_compact test.
2015-10-31 09:52:30 +00:00
Gregory Maxwell 269d422703 Comment copyediting. 2015-10-31 08:31:15 +00:00
Pieter Wuille 9234391ed4 Overhaul flags handling 2015-10-24 19:47:13 +02:00
Rusty Russell 1a368980c8 Make flags more explicit, add runtime checks.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2015-10-24 19:39:44 +02:00
Gregory Maxwell 4a243da47c Move secp256k1_ec_privkey_import/export to contrib.
These functions are intended for compatibility with legacy software,
 and are not normally needed in new secp256k1 applications.

They also do not obeying any particular standard (and likely cannot
 without without undermining their compatibility), and so are a
 better fit for contrib.
2015-10-22 22:57:33 +00:00
Pieter Wuille 0c6ab2ff18 Introduce explicit lower-S normalization
ECDSA signature verification now requires normalized signatures (with S in the
lower half of the range). In case the input cannot be guaranteed to provide this,
a new function secp256k1_ecdsa_signature_normalize is provided to preprocess it.
2015-10-21 16:14:42 +02:00
Pieter Wuille 3bb9c44719 Rewrite ECDSA signature parsing code
There are now 2 encoding formats supported: 64-byte "compact" and DER.
The latter is strict: the data has to be exact DER, though the values
inside don't need to be valid.
2015-10-21 16:13:37 +02:00
Gregory Maxwell 338fc8bd71 Add API exports to secp256k1_nonce_function_default and secp256k1_nonce_function_rfc6979. 2015-09-29 18:56:21 +00:00
Gregory Maxwell 118cd8210f Use explicit symbol visibility.
The use of static makes this somewhat redundant currently, though if
 we later have multiple compilation units it will be needed.

This also sets the dllexport needed for shared libraries on win32.
2015-09-25 05:42:20 +00:00
Pieter Wuille dd891e0ed5 Get rid of _t as it is POSIX reserved 2015-09-21 21:03:37 +02:00
Luke Dashjr 486b9bb8ce Use a flags bitfield for compressed option to secp256k1_ec_pubkey_serialize and secp256k1_ec_privkey_export 2015-09-19 19:33:30 +00:00
Luke Dashjr 05732c5a5f Callback data: Accept pointers to either const or non-const data 2015-09-19 19:33:28 +00:00
Luke Dashjr 788038d323 Use size_t for lengths (at least in external API) 2015-09-19 19:33:21 +00:00
Luke Dashjr c9d7c2a484 secp256k1_context_set_{error,illegal}_callback: Restore default handler by passing NULL as function argument 2015-09-19 19:32:52 +00:00
Luke Dashjr 9aac008038 secp256k1_context_destroy: Allow NULL argument as a no-op 2015-09-19 19:32:48 +00:00
Luke Dashjr 64b730bc3f secp256k1_context_create: Use unsigned type for flags bitfield 2015-09-19 19:32:21 +00:00
Pieter Wuille dc0ce9fc41 [API BREAK] Change argument order to out/outin/in 2015-09-04 17:45:57 +02:00
Pieter Wuille 9f443be086 Move pubkey recovery code to separate module 2015-08-28 01:51:52 +02:00
Pieter Wuille 439d34adc6 Separate recoverable and normal signatures 2015-08-27 22:47:24 +02:00
Pieter Wuille f66907f220 Improve/reformat API documentation secp256k1.h 2015-08-27 01:14:28 +02:00
Pieter Wuille a5a66c70b6 Add support for custom EC-Schnorr-SHA256 signatures 2015-08-03 20:08:51 +02:00
Pieter Wuille 995c548771 Introduce callback functions for dealing with errors. 2015-07-26 18:08:38 +02:00
Pieter Wuille 74a2acdb8a Add a secp256k1_ecdsa_signature_t type 2015-07-26 16:02:20 +02:00
Pieter Wuille 23cfa914d2 Introduce secp256k1_pubkey_t type 2015-07-26 15:59:07 +02:00
Thomas Kerin 99fd963bd5
Add secp256k1_ec_pubkey_compress(), with test similar to the related decompress() function. 2015-07-13 13:09:00 +01:00
Andrew Poelstra 210ffed5cd Use separate in and out pointers in `secp256k1_ec_pubkey_decompress`
Right now `secp256k1_ec_pubkey_decompress` takes an in/out pointer to
a public key and replaces the input key with its decompressed variant.
This forces users who store compressed keys in small (<65 byte) fixed
size buffers (for example, the Rust bindings do this) to explicitly
and wastefully copy their key to a larger buffer.

[API BREAK]
2015-05-13 17:07:34 -05:00
Gregory Maxwell d2275795ff Add scalar blinding and a secp256k1_context_randomize() call.
This computes (n-b)G + bG with random value b, in place of nG in
 ecmult_gen() for signing.

This is intended to reduce exposure to potential power/EMI sidechannels
 during signing and pubkey generation by blinding the secret value with
 another value which is hopefully unknown to the attacker.

It may not be very helpful if the attacker is able to observe the setup
 or if even the scalar addition has an unacceptable leak, but it has low
 overhead in any case and the security should be purely additive on top
 of the existing defenses against sidechannels.
2015-04-22 19:25:16 +00:00
Andrew Poelstra d899b5b67c Expose ability to deep-copy a context 2015-04-11 22:16:03 -05:00
Pieter Wuille a9b6595ef8 [API BREAK] Introduce explicit contexts 2015-04-11 01:01:10 -07:00
Daniel Cousens 5098f62571 Improve documentation formatting consistency 2015-04-10 16:33:33 +10:00
Pieter Wuille 1573a102c0 Add ability to pass extra entropy to rfc6979
Suggested by Greg Maxwell.
2015-03-23 05:39:56 -07:00
Pieter Wuille 8030d7c0e5 Improve signing API documentation & specification 2015-02-14 15:38:27 -08:00
Gregory Maxwell 6cc8425c91 Include a comment on secp256k1_ecdsa_sign explaining low-s.
This was suggested by DavidEGrayson.
2015-02-02 02:47:24 +00:00
Pieter Wuille bbd5ba7cfa Use rfc6979 as default nonce generation function 2014-12-20 14:36:13 +01:00
Pieter Wuille c6e7f4e8d8 [API BREAK] Use a nonce-generation function instead of a nonce 2014-12-20 14:36:11 +01:00
Pieter Wuille cf7b2b4647 Fix ECDSA message hashes to 32 bytes 2014-12-09 12:50:47 +01:00
Pieter Wuille be82e92fc4 Require that r and b are different for field multiplication.
Suggested by Peter Dettman, this prepares for slightly faster muitiplication
which writes results immediately to r before finishing reading b.
2014-12-01 13:40:34 +01:00
Gregory Maxwell 8563713a4f Add non-null and unused-result warnings for the external API.
GCC (and clang) supports extensions to annotate functions so that their
 results must be used and so that their arguments can't be statically
 provable to be null. If a caller violates these requirements they
 get a warning, so this helps them write correct code.

I deployed this in libopus a couple years ago with good success, and
 the implementation here is basically copied straight from that.

One consideration is that the non-null annotation teaches the optimizer
 and will actually compile out runtime non-nullness checks as dead-code.
 Since this is usually not whats wanted, the non-null annotations are
 disabled when compiling the library itself.

The commit also removes some dead inclusions of assert.h and introduces
 compatibility macros for restrict and inline in preparation for some
 portability improvements.
2014-11-12 12:23:09 -08:00
Pieter Wuille c27fdc0b97 Document some preconditions 2014-11-12 03:20:15 -08:00