
Commit f587f04

Rename msg32 to msghash32 in ecdsa_sign/verify and add explanation
1 parent 8f0c6f1 commit f587f04


4 files changed

+40
-33
lines changed


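--- a/include/secp256k1.h
+++ b/include/secp256k1.h
@@ -452,7 +452,14 @@ SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(
 * 0: incorrect or unparseable signature
 * Args: ctx: a secp256k1 context object, initialized for verification.
 * In: sig: the signature being verified (cannot be NULL)
-* msg32: the 32-byte message hash being verified (cannot be NULL)
+* msghash32: the 32-byte message hash being verified (cannot be NULL).
+* The verifier must make sure to apply a cryptographic
+* hash function to the message by itself and not accept an
+* msghash32 value directly. Otherwise, it would be easy to
+* create a "valid" signature without knowledge of the
+* secret key. See also
+* https://bitcoin.stackexchange.com/a/81116/35586 for more
+* background on this topic.
 * pubkey: pointer to an initialized public key to verify with (cannot be NULL)
 *
 * To avoid accepting malleable signatures, only ECDSA signatures in lower-S
@@ -467,7 +474,7 @@ SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(
 const secp256k1_context* ctx,
 const secp256k1_ecdsa_signature *sig,
-const unsigned char *msg32,
+const unsigned char *msghash32,
 const secp256k1_pubkey *pubkey
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
 
@@ -532,20 +539,20 @@ SECP256K1_API extern const secp256k1_nonce_function secp256k1_nonce_function_def
 *
 * Returns: 1: signature created
 * 0: the nonce generation function failed, or the secret key was invalid.
-* Args: ctx: pointer to a context object, initialized for signing (cannot be NULL)
-* Out: sig: pointer to an array where the signature will be placed (cannot be NULL)
-* In: msg32: the 32-byte message hash being signed (cannot be NULL)
-* seckey: pointer to a 32-byte secret key (cannot be NULL)
-* noncefp:pointer to a nonce generation function. If NULL, secp256k1_nonce_function_default is used
-* ndata: pointer to arbitrary data used by the nonce generation function (can be NULL)
+* Args: ctx: pointer to a context object, initialized for signing (cannot be NULL)
+* Out: sig: pointer to an array where the signature will be placed (cannot be NULL)
+* In: msghash32: the 32-byte message hash being signed (cannot be NULL)
+* seckey: pointer to a 32-byte secret key (cannot be NULL)
+* noncefp: pointer to a nonce generation function. If NULL, secp256k1_nonce_function_default is used
+* ndata: pointer to arbitrary data used by the nonce generation function (can be NULL)
 *
 * The created signature is always in lower-S form. See
 * secp256k1_ecdsa_signature_normalize for more details.
 */
 SECP256K1_API int secp256k1_ecdsa_sign(
 const secp256k1_context* ctx,
 secp256k1_ecdsa_signature *sig,
-const unsigned char *msg32,
+const unsigned char *msghash32,
 const unsigned char *seckey,
 secp256k1_nonce_function noncefp,
 const void *ndata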
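Review bot: The new caveat that the caller must hash the message itself is attached only to secp256k1_ecdsa_verify, while secp256k1_ecdsa_recover in include/secp256k1_recovery.h keeps the bare wording "the 32-byte message hash assumed to be signed" even though its doc says a recovered key "guarantees a correct signature". A caller that accepts an externally supplied msghash32 for recovery has the same exposure the new text describes, because the recovered key is only meaningful when the caller computed the hash from the message itself, so the same note (or a cross-reference to the one on secp256k1_ecdsa_verify) belongs on secp256k1_ecdsa_recover as well. The secp256k1_ecdsa_sign entry in the third hunk could likewise carry a one-line reminder that msghash32 is expected to be the caller's own hash of the message. Minor wording in the new comment: `not accept an msghash32 value directly` reads better as `not accept a msghash32 value directly`.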

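--- a/include/secp256k1_recovery.h
+++ b/include/secp256k1_recovery.h
@@ -71,17 +71,17 @@ SECP256K1_API int secp256k1_ecdsa_recoverable_signature_serialize_compact(
 *
 * Returns: 1: signature created
 * 0: the nonce generation function failed, or the secret key was invalid.
-* Args: ctx: pointer to a context object, initialized for signing (cannot be NULL)
-* Out: sig: pointer to an array where the signature will be placed (cannot be NULL)
-* In: msg32: the 32-byte message hash being signed (cannot be NULL)
-* seckey: pointer to a 32-byte secret key (cannot be NULL)
-* noncefp:pointer to a nonce generation function. If NULL, secp256k1_nonce_function_default is used
-* ndata: pointer to arbitrary data used by the nonce generation function (can be NULL)
+* Args: ctx: pointer to a context object, initialized for signing (cannot be NULL)
+* Out: sig: pointer to an array where the signature will be placed (cannot be NULL)
+* In: msghash32: the 32-byte message hash being signed (cannot be NULL)
+* seckey: pointer to a 32-byte secret key (cannot be NULL)
+* noncefp: pointer to a nonce generation function. If NULL, secp256k1_nonce_function_default is used
+* ndata: pointer to arbitrary data used by the nonce generation function (can be NULL)
 */
 SECP256K1_API int secp256k1_ecdsa_sign_recoverable(
 const secp256k1_context* ctx,
 secp256k1_ecdsa_recoverable_signature *sig,
-const unsigned char *msg32,
+const unsigned char *msghash32,
 const unsigned char *seckey,
 secp256k1_nonce_function noncefp,
 const void *ndata
@@ -91,16 +91,16 @@ SECP256K1_API int secp256k1_ecdsa_sign_recoverable(
 *
 * Returns: 1: public key successfully recovered (which guarantees a correct signature).
 * 0: otherwise.
-* Args: ctx: pointer to a context object, initialized for verification (cannot be NULL)
-* Out: pubkey: pointer to the recovered public key (cannot be NULL)
-* In: sig: pointer to initialized signature that supports pubkey recovery (cannot be NULL)
-* msg32: the 32-byte message hash assumed to be signed (cannot be NULL)
+* Args: ctx: pointer to a context object, initialized for verification (cannot be NULL)
+* Out: pubkey: pointer to the recovered public key (cannot be NULL)
+* In: sig: pointer to initialized signature that supports pubkey recovery (cannot be NULL)
+* msghash32: the 32-byte message hash assumed to be signed (cannot be NULL)
 */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_recover(
 const secp256k1_context* ctx,
 secp256k1_pubkey *pubkey,
 const secp256k1_ecdsa_recoverable_signature *sig,
-const unsigned char *msg32
+const unsigned char *msghash32
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
 
 #ifdef __cplusplus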

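--- a/src/modules/recovery/main_impl.h
+++ b/src/modules/recovery/main_impl.h
@@ -120,34 +120,34 @@ static int secp256k1_ecdsa_sig_recover(const secp256k1_ecmult_context *ctx, cons
 return !secp256k1_gej_is_infinity(&qj);
 }
 
-int secp256k1_ecdsa_sign_recoverable(const secp256k1_context* ctx, secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
+int secp256k1_ecdsa_sign_recoverable(const secp256k1_context* ctx, secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
 secp256k1_scalar r, s;
 int ret, recid;
 VERIFY_CHECK(ctx != NULL);
 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
-ARG_CHECK(msg32 != NULL);
+ARG_CHECK(msghash32 != NULL);
 ARG_CHECK(signature != NULL);
 ARG_CHECK(seckey != NULL);
 
-ret = secp256k1_ecdsa_sign_inner(ctx, &r, &s, &recid, msg32, seckey, noncefp, noncedata);
+ret = secp256k1_ecdsa_sign_inner(ctx, &r, &s, &recid, msghash32, seckey, noncefp, noncedata);
 secp256k1_ecdsa_recoverable_signature_save(signature, &r, &s, recid);
 return ret;
 }
 
-int secp256k1_ecdsa_recover(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msg32) {
+int secp256k1_ecdsa_recover(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const secp256k1_ecdsa_recoverable_signature *signature, const unsigned char *msghash32) {
 secp256k1_ge q;
 secp256k1_scalar r, s;
 secp256k1_scalar m;
 int recid;
 VERIFY_CHECK(ctx != NULL);
 ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
-ARG_CHECK(msg32 != NULL);
+ARG_CHECK(msghash32 != NULL);
 ARG_CHECK(signature != NULL);
 ARG_CHECK(pubkey != NULL);
 
 secp256k1_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, signature);
 VERIFY_CHECK(recid >= 0 && recid < 4); /* should have been caught in parse_compact */
-secp256k1_scalar_set_b32(&m, msg32, NULL);
+secp256k1_scalar_set_b32(&m, msghash32, NULL);
 if (secp256k1_ecdsa_sig_recover(&ctx->ecmult_ctx, &r, &s, &q, &m, recid)) {
 secp256k1_pubkey_save(pubkey, &q);
 return 1;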

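--- a/src/secp256k1.c
+++ b/src/secp256k1.c
@@ -422,17 +422,17 @@ int secp256k1_ecdsa_signature_normalize(const secp256k1_context* ctx, secp256k1_
 return ret;
 }
 
-int secp256k1_ecdsa_verify(const secp256k1_context* ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const secp256k1_pubkey *pubkey) {
+int secp256k1_ecdsa_verify(const secp256k1_context* ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) {
 secp256k1_ge q;
 secp256k1_scalar r, s;
 secp256k1_scalar m;
 VERIFY_CHECK(ctx != NULL);
 ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
-ARG_CHECK(msg32 != NULL);
+ARG_CHECK(msghash32 != NULL);
 ARG_CHECK(sig != NULL);
 ARG_CHECK(pubkey != NULL);
 
-secp256k1_scalar_set_b32(&m, msg32, NULL);
+secp256k1_scalar_set_b32(&m, msghash32, NULL);
 secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
 return (!secp256k1_scalar_is_high(&s) &&
 secp256k1_pubkey_load(ctx, &q, pubkey) &&
@@ -533,16 +533,16 @@ static int secp256k1_ecdsa_sign_inner(const secp256k1_context* ctx, secp256k1_sc
 return ret;
 }
 
-int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
+int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
 secp256k1_scalar r, s;
 int ret;
 VERIFY_CHECK(ctx != NULL);
 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
-ARG_CHECK(msg32 != NULL);
+ARG_CHECK(msghash32 != NULL);
 ARG_CHECK(signature != NULL);
 ARG_CHECK(seckey != NULL);
 
-ret = secp256k1_ecdsa_sign_inner(ctx, &r, &s, NULL, msg32, seckey, noncefp, noncedata);
+ret = secp256k1_ecdsa_sign_inner(ctx, &r, &s, NULL, msghash32, seckey, noncefp, noncedata);
 secp256k1_ecdsa_signature_save(signature, &r, &s);
 return ret;
 }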
