1 /**********************************************************************
2 * Copyright (c) 2013-2015 Pieter Wuille *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
6
7 #include "include/secp256k1.h"
8
9 #include "util.h"
10 #include "num_impl.h"
11 #include "field_impl.h"
12 #include "scalar_impl.h"
13 #include "group_impl.h"
14 #include "ecmult_impl.h"
15 #include "ecmult_const_impl.h"
16 #include "ecmult_gen_impl.h"
17 #include "ecdsa_impl.h"
18 #include "eckey_impl.h"
19 #include "hash_impl.h"
20
21 #define ARG_CHECK(cond) do { \
22 if (EXPECT(!(cond), 0)) { \
23 secp256k1_callback_call(&ctx->illegal_callback, #cond); \
24 return 0; \
25 } \
26 } while(0)
27
default_illegal_callback_fn(const char * str,void * data)28 static void default_illegal_callback_fn(const char* str, void* data) {
29 (void)data;
30 fprintf(stderr, "[libsecp256k1] illegal argument: %s\n", str);
31 abort();
32 }
33
34 static const secp256k1_callback default_illegal_callback = {
35 default_illegal_callback_fn,
36 NULL
37 };
38
default_error_callback_fn(const char * str,void * data)39 static void default_error_callback_fn(const char* str, void* data) {
40 (void)data;
41 fprintf(stderr, "[libsecp256k1] internal consistency check failed: %s\n", str);
42 abort();
43 }
44
45 static const secp256k1_callback default_error_callback = {
46 default_error_callback_fn,
47 NULL
48 };
49
50
51 struct secp256k1_context_struct {
52 secp256k1_ecmult_context ecmult_ctx;
53 secp256k1_ecmult_gen_context ecmult_gen_ctx;
54 secp256k1_callback illegal_callback;
55 secp256k1_callback error_callback;
56 };
57
secp256k1_context_create(unsigned int flags)58 secp256k1_context* secp256k1_context_create(unsigned int flags) {
59 secp256k1_context* ret = (secp256k1_context*)checked_malloc(&default_error_callback, sizeof(secp256k1_context));
60 ret->illegal_callback = default_illegal_callback;
61 ret->error_callback = default_error_callback;
62
63 if (EXPECT((flags & SECP256K1_FLAGS_TYPE_MASK) != SECP256K1_FLAGS_TYPE_CONTEXT, 0)) {
64 secp256k1_callback_call(&ret->illegal_callback,
65 "Invalid flags");
66 free(ret);
67 return NULL;
68 }
69
70 secp256k1_ecmult_context_init(&ret->ecmult_ctx);
71 secp256k1_ecmult_gen_context_init(&ret->ecmult_gen_ctx);
72
73 if (flags & SECP256K1_FLAGS_BIT_CONTEXT_SIGN) {
74 secp256k1_ecmult_gen_context_build(&ret->ecmult_gen_ctx, &ret->error_callback);
75 }
76 if (flags & SECP256K1_FLAGS_BIT_CONTEXT_VERIFY) {
77 secp256k1_ecmult_context_build(&ret->ecmult_ctx, &ret->error_callback);
78 }
79
80 return ret;
81 }
82
secp256k1_context_clone(const secp256k1_context * ctx)83 secp256k1_context* secp256k1_context_clone(const secp256k1_context* ctx) {
84 secp256k1_context* ret = (secp256k1_context*)checked_malloc(&ctx->error_callback, sizeof(secp256k1_context));
85 ret->illegal_callback = ctx->illegal_callback;
86 ret->error_callback = ctx->error_callback;
87 secp256k1_ecmult_context_clone(&ret->ecmult_ctx, &ctx->ecmult_ctx, &ctx->error_callback);
88 secp256k1_ecmult_gen_context_clone(&ret->ecmult_gen_ctx, &ctx->ecmult_gen_ctx, &ctx->error_callback);
89 return ret;
90 }
91
secp256k1_context_destroy(secp256k1_context * ctx)92 void secp256k1_context_destroy(secp256k1_context* ctx) {
93 if (ctx != NULL) {
94 secp256k1_ecmult_context_clear(&ctx->ecmult_ctx);
95 secp256k1_ecmult_gen_context_clear(&ctx->ecmult_gen_ctx);
96
97 free(ctx);
98 }
99 }
100
secp256k1_context_set_illegal_callback(secp256k1_context * ctx,void (* fun)(const char * message,void * data),const void * data)101 void secp256k1_context_set_illegal_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
102 if (fun == NULL) {
103 fun = default_illegal_callback_fn;
104 }
105 ctx->illegal_callback.fn = fun;
106 ctx->illegal_callback.data = data;
107 }
108
secp256k1_context_set_error_callback(secp256k1_context * ctx,void (* fun)(const char * message,void * data),const void * data)109 void secp256k1_context_set_error_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
110 if (fun == NULL) {
111 fun = default_error_callback_fn;
112 }
113 ctx->error_callback.fn = fun;
114 ctx->error_callback.data = data;
115 }
116
secp256k1_pubkey_load(const secp256k1_context * ctx,secp256k1_ge * ge,const secp256k1_pubkey * pubkey)117 static int secp256k1_pubkey_load(const secp256k1_context* ctx, secp256k1_ge* ge, const secp256k1_pubkey* pubkey) {
118 if (sizeof(secp256k1_ge_storage) == 64) {
119 /* When the secp256k1_ge_storage type is exactly 64 byte, use its
120 * representation inside secp256k1_pubkey, as conversion is very fast.
121 * Note that secp256k1_pubkey_save must use the same representation. */
122 secp256k1_ge_storage s;
123 memcpy(&s, &pubkey->data[0], 64);
124 secp256k1_ge_from_storage(ge, &s);
125 } else {
126 /* Otherwise, fall back to 32-byte big endian for X and Y. */
127 secp256k1_fe x, y;
128 secp256k1_fe_set_b32(&x, pubkey->data);
129 secp256k1_fe_set_b32(&y, pubkey->data + 32);
130 secp256k1_ge_set_xy(ge, &x, &y);
131 }
132 ARG_CHECK(!secp256k1_fe_is_zero(&ge->x));
133 return 1;
134 }
135
secp256k1_pubkey_save(secp256k1_pubkey * pubkey,secp256k1_ge * ge)136 static void secp256k1_pubkey_save(secp256k1_pubkey* pubkey, secp256k1_ge* ge) {
137 if (sizeof(secp256k1_ge_storage) == 64) {
138 secp256k1_ge_storage s;
139 secp256k1_ge_to_storage(&s, ge);
140 memcpy(&pubkey->data[0], &s, 64);
141 } else {
142 VERIFY_CHECK(!secp256k1_ge_is_infinity(ge));
143 secp256k1_fe_normalize_var(&ge->x);
144 secp256k1_fe_normalize_var(&ge->y);
145 secp256k1_fe_get_b32(pubkey->data, &ge->x);
146 secp256k1_fe_get_b32(pubkey->data + 32, &ge->y);
147 }
148 }
149
secp256k1_ec_pubkey_parse(const secp256k1_context * ctx,secp256k1_pubkey * pubkey,const unsigned char * input,size_t inputlen)150 int secp256k1_ec_pubkey_parse(const secp256k1_context* ctx, secp256k1_pubkey* pubkey, const unsigned char *input, size_t inputlen) {
151 secp256k1_ge Q;
152
153 VERIFY_CHECK(ctx != NULL);
154 ARG_CHECK(pubkey != NULL);
155 memset(pubkey, 0, sizeof(*pubkey));
156 ARG_CHECK(input != NULL);
157 if (!secp256k1_eckey_pubkey_parse(&Q, input, inputlen)) {
158 return 0;
159 }
160 secp256k1_pubkey_save(pubkey, &Q);
161 secp256k1_ge_clear(&Q);
162 return 1;
163 }
164
secp256k1_ec_pubkey_serialize(const secp256k1_context * ctx,unsigned char * output,size_t * outputlen,const secp256k1_pubkey * pubkey,unsigned int flags)165 int secp256k1_ec_pubkey_serialize(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey* pubkey, unsigned int flags) {
166 secp256k1_ge Q;
167 size_t len;
168 int ret = 0;
169
170 VERIFY_CHECK(ctx != NULL);
171 ARG_CHECK(outputlen != NULL);
172 ARG_CHECK(*outputlen >= ((flags & SECP256K1_FLAGS_BIT_COMPRESSION) ? 33 : 65));
173 len = *outputlen;
174 *outputlen = 0;
175 ARG_CHECK(output != NULL);
176 memset(output, 0, len);
177 ARG_CHECK(pubkey != NULL);
178 ARG_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_COMPRESSION);
179 if (secp256k1_pubkey_load(ctx, &Q, pubkey)) {
180 ret = secp256k1_eckey_pubkey_serialize(&Q, output, &len, flags & SECP256K1_FLAGS_BIT_COMPRESSION);
181 if (ret) {
182 *outputlen = len;
183 }
184 }
185 return ret;
186 }
187
secp256k1_ecdsa_signature_load(const secp256k1_context * ctx,secp256k1_scalar * r,secp256k1_scalar * s,const secp256k1_ecdsa_signature * sig)188 static void secp256k1_ecdsa_signature_load(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, const secp256k1_ecdsa_signature* sig) {
189 (void)ctx;
190 if (sizeof(secp256k1_scalar) == 32) {
191 /* When the secp256k1_scalar type is exactly 32 byte, use its
192 * representation inside secp256k1_ecdsa_signature, as conversion is very fast.
193 * Note that secp256k1_ecdsa_signature_save must use the same representation. */
194 memcpy(r, &sig->data[0], 32);
195 memcpy(s, &sig->data[32], 32);
196 } else {
197 secp256k1_scalar_set_b32(r, &sig->data[0], NULL);
198 secp256k1_scalar_set_b32(s, &sig->data[32], NULL);
199 }
200 }
201
secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature * sig,const secp256k1_scalar * r,const secp256k1_scalar * s)202 static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature* sig, const secp256k1_scalar* r, const secp256k1_scalar* s) {
203 if (sizeof(secp256k1_scalar) == 32) {
204 memcpy(&sig->data[0], r, 32);
205 memcpy(&sig->data[32], s, 32);
206 } else {
207 secp256k1_scalar_get_b32(&sig->data[0], r);
208 secp256k1_scalar_get_b32(&sig->data[32], s);
209 }
210 }
211
secp256k1_ecdsa_signature_parse_der(const secp256k1_context * ctx,secp256k1_ecdsa_signature * sig,const unsigned char * input,size_t inputlen)212 int secp256k1_ecdsa_signature_parse_der(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) {
213 secp256k1_scalar r, s;
214
215 VERIFY_CHECK(ctx != NULL);
216 ARG_CHECK(sig != NULL);
217 ARG_CHECK(input != NULL);
218
219 if (secp256k1_ecdsa_sig_parse(&r, &s, input, inputlen)) {
220 secp256k1_ecdsa_signature_save(sig, &r, &s);
221 return 1;
222 } else {
223 memset(sig, 0, sizeof(*sig));
224 return 0;
225 }
226 }
227
secp256k1_ecdsa_signature_parse_compact(const secp256k1_context * ctx,secp256k1_ecdsa_signature * sig,const unsigned char * input64)228 int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input64) {
229 secp256k1_scalar r, s;
230 int ret = 1;
231 int overflow = 0;
232
233 VERIFY_CHECK(ctx != NULL);
234 ARG_CHECK(sig != NULL);
235 ARG_CHECK(input64 != NULL);
236
237 secp256k1_scalar_set_b32(&r, &input64[0], &overflow);
238 ret &= !overflow;
239 secp256k1_scalar_set_b32(&s, &input64[32], &overflow);
240 ret &= !overflow;
241 if (ret) {
242 secp256k1_ecdsa_signature_save(sig, &r, &s);
243 } else {
244 memset(sig, 0, sizeof(*sig));
245 }
246 return ret;
247 }
248
secp256k1_ecdsa_signature_serialize_der(const secp256k1_context * ctx,unsigned char * output,size_t * outputlen,const secp256k1_ecdsa_signature * sig)249 int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature* sig) {
250 secp256k1_scalar r, s;
251
252 VERIFY_CHECK(ctx != NULL);
253 ARG_CHECK(output != NULL);
254 ARG_CHECK(outputlen != NULL);
255 ARG_CHECK(sig != NULL);
256
257 secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
258 return secp256k1_ecdsa_sig_serialize(output, outputlen, &r, &s);
259 }
260
secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context * ctx,unsigned char * output64,const secp256k1_ecdsa_signature * sig)261 int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context* ctx, unsigned char *output64, const secp256k1_ecdsa_signature* sig) {
262 secp256k1_scalar r, s;
263
264 VERIFY_CHECK(ctx != NULL);
265 ARG_CHECK(output64 != NULL);
266 ARG_CHECK(sig != NULL);
267
268 secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
269 secp256k1_scalar_get_b32(&output64[0], &r);
270 secp256k1_scalar_get_b32(&output64[32], &s);
271 return 1;
272 }
273
secp256k1_ecdsa_signature_normalize(const secp256k1_context * ctx,secp256k1_ecdsa_signature * sigout,const secp256k1_ecdsa_signature * sigin)274 int secp256k1_ecdsa_signature_normalize(const secp256k1_context* ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) {
275 secp256k1_scalar r, s;
276 int ret = 0;
277
278 VERIFY_CHECK(ctx != NULL);
279 ARG_CHECK(sigin != NULL);
280
281 secp256k1_ecdsa_signature_load(ctx, &r, &s, sigin);
282 ret = secp256k1_scalar_is_high(&s);
283 if (sigout != NULL) {
284 if (ret) {
285 secp256k1_scalar_negate(&s, &s);
286 }
287 secp256k1_ecdsa_signature_save(sigout, &r, &s);
288 }
289
290 return ret;
291 }
292
secp256k1_ecdsa_verify(const secp256k1_context * ctx,const secp256k1_ecdsa_signature * sig,const unsigned char * msg32,const secp256k1_pubkey * pubkey)293 int secp256k1_ecdsa_verify(const secp256k1_context* ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const secp256k1_pubkey *pubkey) {
294 secp256k1_ge q;
295 secp256k1_scalar r, s;
296 secp256k1_scalar m;
297 VERIFY_CHECK(ctx != NULL);
298 ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
299 ARG_CHECK(msg32 != NULL);
300 ARG_CHECK(sig != NULL);
301 ARG_CHECK(pubkey != NULL);
302
303 secp256k1_scalar_set_b32(&m, msg32, NULL);
304 secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
305 return (!secp256k1_scalar_is_high(&s) &&
306 secp256k1_pubkey_load(ctx, &q, pubkey) &&
307 secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &r, &s, &q, &m));
308 }
309
nonce_function_rfc6979(unsigned char * nonce32,const unsigned char * msg32,const unsigned char * key32,const unsigned char * algo16,void * data,unsigned int counter)310 static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
311 unsigned char keydata[112];
312 int keylen = 64;
313 secp256k1_rfc6979_hmac_sha256_t rng;
314 unsigned int i;
315 /* We feed a byte array to the PRNG as input, consisting of:
316 * - the private key (32 bytes) and message (32 bytes), see RFC 6979 3.2d.
317 * - optionally 32 extra bytes of data, see RFC 6979 3.6 Additional Data.
318 * - optionally 16 extra bytes with the algorithm name.
319 * Because the arguments have distinct fixed lengths it is not possible for
320 * different argument mixtures to emulate each other and result in the same
321 * nonces.
322 */
323 memcpy(keydata, key32, 32);
324 memcpy(keydata + 32, msg32, 32);
325 if (data != NULL) {
326 memcpy(keydata + 64, data, 32);
327 keylen = 96;
328 }
329 if (algo16 != NULL) {
330 memcpy(keydata + keylen, algo16, 16);
331 keylen += 16;
332 }
333 secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, keylen);
334 memset(keydata, 0, sizeof(keydata));
335 for (i = 0; i <= counter; i++) {
336 secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
337 }
338 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
339 return 1;
340 }
341
342 const secp256k1_nonce_function secp256k1_nonce_function_rfc6979 = nonce_function_rfc6979;
343 const secp256k1_nonce_function secp256k1_nonce_function_default = nonce_function_rfc6979;
344
secp256k1_ecdsa_sign(const secp256k1_context * ctx,secp256k1_ecdsa_signature * signature,const unsigned char * msg32,const unsigned char * seckey,secp256k1_nonce_function noncefp,const void * noncedata)345 int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
346 secp256k1_scalar r, s;
347 secp256k1_scalar sec, non, msg;
348 int ret = 0;
349 int overflow = 0;
350 VERIFY_CHECK(ctx != NULL);
351 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
352 ARG_CHECK(msg32 != NULL);
353 ARG_CHECK(signature != NULL);
354 ARG_CHECK(seckey != NULL);
355 if (noncefp == NULL) {
356 noncefp = secp256k1_nonce_function_default;
357 }
358
359 secp256k1_scalar_set_b32(&sec, seckey, &overflow);
360 /* Fail if the secret key is invalid. */
361 if (!overflow && !secp256k1_scalar_is_zero(&sec)) {
362 unsigned char nonce32[32];
363 unsigned int count = 0;
364 secp256k1_scalar_set_b32(&msg, msg32, NULL);
365 while (1) {
366 ret = noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count);
367 if (!ret) {
368 break;
369 }
370 secp256k1_scalar_set_b32(&non, nonce32, &overflow);
371 if (!overflow && !secp256k1_scalar_is_zero(&non)) {
372 if (secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &r, &s, &sec, &msg, &non, NULL)) {
373 break;
374 }
375 }
376 count++;
377 }
378 memset(nonce32, 0, 32);
379 secp256k1_scalar_clear(&msg);
380 secp256k1_scalar_clear(&non);
381 secp256k1_scalar_clear(&sec);
382 }
383 if (ret) {
384 secp256k1_ecdsa_signature_save(signature, &r, &s);
385 } else {
386 memset(signature, 0, sizeof(*signature));
387 }
388 return ret;
389 }
390
secp256k1_ec_seckey_verify(const secp256k1_context * ctx,const unsigned char * seckey)391 int secp256k1_ec_seckey_verify(const secp256k1_context* ctx, const unsigned char *seckey) {
392 secp256k1_scalar sec;
393 int ret;
394 int overflow;
395 VERIFY_CHECK(ctx != NULL);
396 ARG_CHECK(seckey != NULL);
397
398 secp256k1_scalar_set_b32(&sec, seckey, &overflow);
399 ret = !overflow && !secp256k1_scalar_is_zero(&sec);
400 secp256k1_scalar_clear(&sec);
401 return ret;
402 }
403
secp256k1_ec_pubkey_create(const secp256k1_context * ctx,secp256k1_pubkey * pubkey,const unsigned char * seckey)404 int secp256k1_ec_pubkey_create(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) {
405 secp256k1_gej pj;
406 secp256k1_ge p;
407 secp256k1_scalar sec;
408 int overflow;
409 int ret = 0;
410 VERIFY_CHECK(ctx != NULL);
411 ARG_CHECK(pubkey != NULL);
412 memset(pubkey, 0, sizeof(*pubkey));
413 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
414 ARG_CHECK(seckey != NULL);
415
416 secp256k1_scalar_set_b32(&sec, seckey, &overflow);
417 ret = (!overflow) & (!secp256k1_scalar_is_zero(&sec));
418 if (ret) {
419 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pj, &sec);
420 secp256k1_ge_set_gej(&p, &pj);
421 secp256k1_pubkey_save(pubkey, &p);
422 }
423 secp256k1_scalar_clear(&sec);
424 return ret;
425 }
426
secp256k1_ec_privkey_negate(const secp256k1_context * ctx,unsigned char * seckey)427 int secp256k1_ec_privkey_negate(const secp256k1_context* ctx, unsigned char *seckey) {
428 secp256k1_scalar sec;
429 VERIFY_CHECK(ctx != NULL);
430 ARG_CHECK(seckey != NULL);
431
432 secp256k1_scalar_set_b32(&sec, seckey, NULL);
433 secp256k1_scalar_negate(&sec, &sec);
434 secp256k1_scalar_get_b32(seckey, &sec);
435
436 return 1;
437 }
438
secp256k1_ec_pubkey_negate(const secp256k1_context * ctx,secp256k1_pubkey * pubkey)439 int secp256k1_ec_pubkey_negate(const secp256k1_context* ctx, secp256k1_pubkey *pubkey) {
440 int ret = 0;
441 secp256k1_ge p;
442 VERIFY_CHECK(ctx != NULL);
443 ARG_CHECK(pubkey != NULL);
444
445 ret = secp256k1_pubkey_load(ctx, &p, pubkey);
446 memset(pubkey, 0, sizeof(*pubkey));
447 if (ret) {
448 secp256k1_ge_neg(&p, &p);
449 secp256k1_pubkey_save(pubkey, &p);
450 }
451 return ret;
452 }
453
secp256k1_ec_privkey_tweak_add(const secp256k1_context * ctx,unsigned char * seckey,const unsigned char * tweak)454 int secp256k1_ec_privkey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) {
455 secp256k1_scalar term;
456 secp256k1_scalar sec;
457 int ret = 0;
458 int overflow = 0;
459 VERIFY_CHECK(ctx != NULL);
460 ARG_CHECK(seckey != NULL);
461 ARG_CHECK(tweak != NULL);
462
463 secp256k1_scalar_set_b32(&term, tweak, &overflow);
464 secp256k1_scalar_set_b32(&sec, seckey, NULL);
465
466 ret = !overflow && secp256k1_eckey_privkey_tweak_add(&sec, &term);
467 memset(seckey, 0, 32);
468 if (ret) {
469 secp256k1_scalar_get_b32(seckey, &sec);
470 }
471
472 secp256k1_scalar_clear(&sec);
473 secp256k1_scalar_clear(&term);
474 return ret;
475 }
476
secp256k1_ec_pubkey_tweak_add(const secp256k1_context * ctx,secp256k1_pubkey * pubkey,const unsigned char * tweak)477 int secp256k1_ec_pubkey_tweak_add(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) {
478 secp256k1_ge p;
479 secp256k1_scalar term;
480 int ret = 0;
481 int overflow = 0;
482 VERIFY_CHECK(ctx != NULL);
483 ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
484 ARG_CHECK(pubkey != NULL);
485 ARG_CHECK(tweak != NULL);
486
487 secp256k1_scalar_set_b32(&term, tweak, &overflow);
488 ret = !overflow && secp256k1_pubkey_load(ctx, &p, pubkey);
489 memset(pubkey, 0, sizeof(*pubkey));
490 if (ret) {
491 if (secp256k1_eckey_pubkey_tweak_add(&ctx->ecmult_ctx, &p, &term)) {
492 secp256k1_pubkey_save(pubkey, &p);
493 } else {
494 ret = 0;
495 }
496 }
497
498 return ret;
499 }
500
secp256k1_ec_privkey_tweak_mul(const secp256k1_context * ctx,unsigned char * seckey,const unsigned char * tweak)501 int secp256k1_ec_privkey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) {
502 secp256k1_scalar factor;
503 secp256k1_scalar sec;
504 int ret = 0;
505 int overflow = 0;
506 VERIFY_CHECK(ctx != NULL);
507 ARG_CHECK(seckey != NULL);
508 ARG_CHECK(tweak != NULL);
509
510 secp256k1_scalar_set_b32(&factor, tweak, &overflow);
511 secp256k1_scalar_set_b32(&sec, seckey, NULL);
512 ret = !overflow && secp256k1_eckey_privkey_tweak_mul(&sec, &factor);
513 memset(seckey, 0, 32);
514 if (ret) {
515 secp256k1_scalar_get_b32(seckey, &sec);
516 }
517
518 secp256k1_scalar_clear(&sec);
519 secp256k1_scalar_clear(&factor);
520 return ret;
521 }
522
secp256k1_ec_pubkey_tweak_mul(const secp256k1_context * ctx,secp256k1_pubkey * pubkey,const unsigned char * tweak)523 int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) {
524 secp256k1_ge p;
525 secp256k1_scalar factor;
526 int ret = 0;
527 int overflow = 0;
528 VERIFY_CHECK(ctx != NULL);
529 ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
530 ARG_CHECK(pubkey != NULL);
531 ARG_CHECK(tweak != NULL);
532
533 secp256k1_scalar_set_b32(&factor, tweak, &overflow);
534 ret = !overflow && secp256k1_pubkey_load(ctx, &p, pubkey);
535 memset(pubkey, 0, sizeof(*pubkey));
536 if (ret) {
537 if (secp256k1_eckey_pubkey_tweak_mul(&ctx->ecmult_ctx, &p, &factor)) {
538 secp256k1_pubkey_save(pubkey, &p);
539 } else {
540 ret = 0;
541 }
542 }
543
544 return ret;
545 }
546
secp256k1_context_randomize(secp256k1_context * ctx,const unsigned char * seed32)547 int secp256k1_context_randomize(secp256k1_context* ctx, const unsigned char *seed32) {
548 VERIFY_CHECK(ctx != NULL);
549 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
550 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
551 return 1;
552 }
553
secp256k1_ec_pubkey_combine(const secp256k1_context * ctx,secp256k1_pubkey * pubnonce,const secp256k1_pubkey * const * pubnonces,size_t n)554 int secp256k1_ec_pubkey_combine(const secp256k1_context* ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey * const *pubnonces, size_t n) {
555 size_t i;
556 secp256k1_gej Qj;
557 secp256k1_ge Q;
558
559 ARG_CHECK(pubnonce != NULL);
560 memset(pubnonce, 0, sizeof(*pubnonce));
561 ARG_CHECK(n >= 1);
562 ARG_CHECK(pubnonces != NULL);
563
564 secp256k1_gej_set_infinity(&Qj);
565
566 for (i = 0; i < n; i++) {
567 secp256k1_pubkey_load(ctx, &Q, pubnonces[i]);
568 secp256k1_gej_add_ge(&Qj, &Qj, &Q);
569 }
570 if (secp256k1_gej_is_infinity(&Qj)) {
571 return 0;
572 }
573 secp256k1_ge_set_gej(&Q, &Qj);
574 secp256k1_pubkey_save(pubnonce, &Q);
575 return 1;
576 }
577
578 #ifdef ENABLE_MODULE_ECDH
579 # include "modules/ecdh/main_impl.h"
580 #endif
581
582 #ifdef ENABLE_MODULE_RECOVERY
583 # include "modules/recovery/main_impl.h"
584 #endif
585