github.com/SmartMeshFoundation/Spectrum@v0.0.0-20220621030607-452a266fee1e/crypto/secp256k1/libsecp256k1/src/secp256k1.c (about)

     1  /**********************************************************************
     2   * Copyright (c) 2013-2015 Pieter Wuille                              *
     3   * Distributed under the MIT software license, see the accompanying   *
     4   * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
     5   **********************************************************************/
     6  
     7  #include "include/secp256k1.h"
     8  
     9  #include "util.h"
    10  #include "num_impl.h"
    11  #include "field_impl.h"
    12  #include "scalar_impl.h"
    13  #include "group_impl.h"
    14  #include "ecmult_impl.h"
    15  #include "ecmult_const_impl.h"
    16  #include "ecmult_gen_impl.h"
    17  #include "ecdsa_impl.h"
    18  #include "eckey_impl.h"
    19  #include "hash_impl.h"
    20  
    21  #define ARG_CHECK(cond) do { \
    22      if (EXPECT(!(cond), 0)) { \
    23          secp256k1_callback_call(&ctx->illegal_callback, #cond); \
    24          return 0; \
    25      } \
    26  } while(0)
    27  
    28  static void default_illegal_callback_fn(const char* str, void* data) {
    29      (void)data;
    30      fprintf(stderr, "[libsecp256k1] illegal argument: %s\n", str);
    31      abort();
    32  }
    33  
    34  static const secp256k1_callback default_illegal_callback = {
    35      default_illegal_callback_fn,
    36      NULL
    37  };
    38  
    39  static void default_error_callback_fn(const char* str, void* data) {
    40      (void)data;
    41      fprintf(stderr, "[libsecp256k1] internal consistency check failed: %s\n", str);
    42      abort();
    43  }
    44  
    45  static const secp256k1_callback default_error_callback = {
    46      default_error_callback_fn,
    47      NULL
    48  };
    49  
    50  
    51  struct secp256k1_context_struct {
    52      secp256k1_ecmult_context ecmult_ctx;
    53      secp256k1_ecmult_gen_context ecmult_gen_ctx;
    54      secp256k1_callback illegal_callback;
    55      secp256k1_callback error_callback;
    56  };
    57  
    58  secp256k1_context* secp256k1_context_create(unsigned int flags) {
    59      secp256k1_context* ret = (secp256k1_context*)checked_malloc(&default_error_callback, sizeof(secp256k1_context));
    60      ret->illegal_callback = default_illegal_callback;
    61      ret->error_callback = default_error_callback;
    62  
    63      if (EXPECT((flags & SECP256K1_FLAGS_TYPE_MASK) != SECP256K1_FLAGS_TYPE_CONTEXT, 0)) {
    64              secp256k1_callback_call(&ret->illegal_callback,
    65                                      "Invalid flags");
    66              free(ret);
    67              return NULL;
    68      }
    69  
    70      secp256k1_ecmult_context_init(&ret->ecmult_ctx);
    71      secp256k1_ecmult_gen_context_init(&ret->ecmult_gen_ctx);
    72  
    73      if (flags & SECP256K1_FLAGS_BIT_CONTEXT_SIGN) {
    74          secp256k1_ecmult_gen_context_build(&ret->ecmult_gen_ctx, &ret->error_callback);
    75      }
    76      if (flags & SECP256K1_FLAGS_BIT_CONTEXT_VERIFY) {
    77          secp256k1_ecmult_context_build(&ret->ecmult_ctx, &ret->error_callback);
    78      }
    79  
    80      return ret;
    81  }
    82  
    83  secp256k1_context* secp256k1_context_clone(const secp256k1_context* ctx) {
    84      secp256k1_context* ret = (secp256k1_context*)checked_malloc(&ctx->error_callback, sizeof(secp256k1_context));
    85      ret->illegal_callback = ctx->illegal_callback;
    86      ret->error_callback = ctx->error_callback;
    87      secp256k1_ecmult_context_clone(&ret->ecmult_ctx, &ctx->ecmult_ctx, &ctx->error_callback);
    88      secp256k1_ecmult_gen_context_clone(&ret->ecmult_gen_ctx, &ctx->ecmult_gen_ctx, &ctx->error_callback);
    89      return ret;
    90  }
    91  
    92  void secp256k1_context_destroy(secp256k1_context* ctx) {
    93      if (ctx != NULL) {
    94          secp256k1_ecmult_context_clear(&ctx->ecmult_ctx);
    95          secp256k1_ecmult_gen_context_clear(&ctx->ecmult_gen_ctx);
    96  
    97          free(ctx);
    98      }
    99  }
   100  
   101  void secp256k1_context_set_illegal_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
   102      if (fun == NULL) {
   103          fun = default_illegal_callback_fn;
   104      }
   105      ctx->illegal_callback.fn = fun;
   106      ctx->illegal_callback.data = data;
   107  }
   108  
   109  void secp256k1_context_set_error_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) {
   110      if (fun == NULL) {
   111          fun = default_error_callback_fn;
   112      }
   113      ctx->error_callback.fn = fun;
   114      ctx->error_callback.data = data;
   115  }
   116  
   117  static int secp256k1_pubkey_load(const secp256k1_context* ctx, secp256k1_ge* ge, const secp256k1_pubkey* pubkey) {
   118      if (sizeof(secp256k1_ge_storage) == 64) {
   119          /* When the secp256k1_ge_storage type is exactly 64 byte, use its
   120           * representation inside secp256k1_pubkey, as conversion is very fast.
   121           * Note that secp256k1_pubkey_save must use the same representation. */
   122          secp256k1_ge_storage s;
   123          memcpy(&s, &pubkey->data[0], 64);
   124          secp256k1_ge_from_storage(ge, &s);
   125      } else {
   126          /* Otherwise, fall back to 32-byte big endian for X and Y. */
   127          secp256k1_fe x, y;
   128          secp256k1_fe_set_b32(&x, pubkey->data);
   129          secp256k1_fe_set_b32(&y, pubkey->data + 32);
   130          secp256k1_ge_set_xy(ge, &x, &y);
   131      }
   132      ARG_CHECK(!secp256k1_fe_is_zero(&ge->x));
   133      return 1;
   134  }
   135  
   136  static void secp256k1_pubkey_save(secp256k1_pubkey* pubkey, secp256k1_ge* ge) {
   137      if (sizeof(secp256k1_ge_storage) == 64) {
   138          secp256k1_ge_storage s;
   139          secp256k1_ge_to_storage(&s, ge);
   140          memcpy(&pubkey->data[0], &s, 64);
   141      } else {
   142          VERIFY_CHECK(!secp256k1_ge_is_infinity(ge));
   143          secp256k1_fe_normalize_var(&ge->x);
   144          secp256k1_fe_normalize_var(&ge->y);
   145          secp256k1_fe_get_b32(pubkey->data, &ge->x);
   146          secp256k1_fe_get_b32(pubkey->data + 32, &ge->y);
   147      }
   148  }
   149  
   150  int secp256k1_ec_pubkey_parse(const secp256k1_context* ctx, secp256k1_pubkey* pubkey, const unsigned char *input, size_t inputlen) {
   151      secp256k1_ge Q;
   152  
   153      VERIFY_CHECK(ctx != NULL);
   154      ARG_CHECK(pubkey != NULL);
   155      memset(pubkey, 0, sizeof(*pubkey));
   156      ARG_CHECK(input != NULL);
   157      if (!secp256k1_eckey_pubkey_parse(&Q, input, inputlen)) {
   158          return 0;
   159      }
   160      secp256k1_pubkey_save(pubkey, &Q);
   161      secp256k1_ge_clear(&Q);
   162      return 1;
   163  }
   164  
   165  int secp256k1_ec_pubkey_serialize(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey* pubkey, unsigned int flags) {
   166      secp256k1_ge Q;
   167      size_t len;
   168      int ret = 0;
   169  
   170      VERIFY_CHECK(ctx != NULL);
   171      ARG_CHECK(outputlen != NULL);
   172      ARG_CHECK(*outputlen >= ((flags & SECP256K1_FLAGS_BIT_COMPRESSION) ? 33 : 65));
   173      len = *outputlen;
   174      *outputlen = 0;
   175      ARG_CHECK(output != NULL);
   176      memset(output, 0, len);
   177      ARG_CHECK(pubkey != NULL);
   178      ARG_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_COMPRESSION);
   179      if (secp256k1_pubkey_load(ctx, &Q, pubkey)) {
   180          ret = secp256k1_eckey_pubkey_serialize(&Q, output, &len, flags & SECP256K1_FLAGS_BIT_COMPRESSION);
   181          if (ret) {
   182              *outputlen = len;
   183          }
   184      }
   185      return ret;
   186  }
   187  
   188  static void secp256k1_ecdsa_signature_load(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, const secp256k1_ecdsa_signature* sig) {
   189      (void)ctx;
   190      if (sizeof(secp256k1_scalar) == 32) {
   191          /* When the secp256k1_scalar type is exactly 32 byte, use its
   192           * representation inside secp256k1_ecdsa_signature, as conversion is very fast.
   193           * Note that secp256k1_ecdsa_signature_save must use the same representation. */
   194          memcpy(r, &sig->data[0], 32);
   195          memcpy(s, &sig->data[32], 32);
   196      } else {
   197          secp256k1_scalar_set_b32(r, &sig->data[0], NULL);
   198          secp256k1_scalar_set_b32(s, &sig->data[32], NULL);
   199      }
   200  }
   201  
   202  static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature* sig, const secp256k1_scalar* r, const secp256k1_scalar* s) {
   203      if (sizeof(secp256k1_scalar) == 32) {
   204          memcpy(&sig->data[0], r, 32);
   205          memcpy(&sig->data[32], s, 32);
   206      } else {
   207          secp256k1_scalar_get_b32(&sig->data[0], r);
   208          secp256k1_scalar_get_b32(&sig->data[32], s);
   209      }
   210  }
   211  
   212  int secp256k1_ecdsa_signature_parse_der(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) {
   213      secp256k1_scalar r, s;
   214  
   215      VERIFY_CHECK(ctx != NULL);
   216      ARG_CHECK(sig != NULL);
   217      ARG_CHECK(input != NULL);
   218  
   219      if (secp256k1_ecdsa_sig_parse(&r, &s, input, inputlen)) {
   220          secp256k1_ecdsa_signature_save(sig, &r, &s);
   221          return 1;
   222      } else {
   223          memset(sig, 0, sizeof(*sig));
   224          return 0;
   225      }
   226  }
   227  
   228  int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input64) {
   229      secp256k1_scalar r, s;
   230      int ret = 1;
   231      int overflow = 0;
   232  
   233      VERIFY_CHECK(ctx != NULL);
   234      ARG_CHECK(sig != NULL);
   235      ARG_CHECK(input64 != NULL);
   236  
   237      secp256k1_scalar_set_b32(&r, &input64[0], &overflow);
   238      ret &= !overflow;
   239      secp256k1_scalar_set_b32(&s, &input64[32], &overflow);
   240      ret &= !overflow;
   241      if (ret) {
   242          secp256k1_ecdsa_signature_save(sig, &r, &s);
   243      } else {
   244          memset(sig, 0, sizeof(*sig));
   245      }
   246      return ret;
   247  }
   248  
   249  int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature* sig) {
   250      secp256k1_scalar r, s;
   251  
   252      VERIFY_CHECK(ctx != NULL);
   253      ARG_CHECK(output != NULL);
   254      ARG_CHECK(outputlen != NULL);
   255      ARG_CHECK(sig != NULL);
   256  
   257      secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
   258      return secp256k1_ecdsa_sig_serialize(output, outputlen, &r, &s);
   259  }
   260  
   261  int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context* ctx, unsigned char *output64, const secp256k1_ecdsa_signature* sig) {
   262      secp256k1_scalar r, s;
   263  
   264      VERIFY_CHECK(ctx != NULL);
   265      ARG_CHECK(output64 != NULL);
   266      ARG_CHECK(sig != NULL);
   267  
   268      secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
   269      secp256k1_scalar_get_b32(&output64[0], &r);
   270      secp256k1_scalar_get_b32(&output64[32], &s);
   271      return 1;
   272  }
   273  
   274  int secp256k1_ecdsa_signature_normalize(const secp256k1_context* ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) {
   275      secp256k1_scalar r, s;
   276      int ret = 0;
   277  
   278      VERIFY_CHECK(ctx != NULL);
   279      ARG_CHECK(sigin != NULL);
   280  
   281      secp256k1_ecdsa_signature_load(ctx, &r, &s, sigin);
   282      ret = secp256k1_scalar_is_high(&s);
   283      if (sigout != NULL) {
   284          if (ret) {
   285              secp256k1_scalar_negate(&s, &s);
   286          }
   287          secp256k1_ecdsa_signature_save(sigout, &r, &s);
   288      }
   289  
   290      return ret;
   291  }
   292  
   293  int secp256k1_ecdsa_verify(const secp256k1_context* ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const secp256k1_pubkey *pubkey) {
   294      secp256k1_ge q;
   295      secp256k1_scalar r, s;
   296      secp256k1_scalar m;
   297      VERIFY_CHECK(ctx != NULL);
   298      ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
   299      ARG_CHECK(msg32 != NULL);
   300      ARG_CHECK(sig != NULL);
   301      ARG_CHECK(pubkey != NULL);
   302  
   303      secp256k1_scalar_set_b32(&m, msg32, NULL);
   304      secp256k1_ecdsa_signature_load(ctx, &r, &s, sig);
   305      return (!secp256k1_scalar_is_high(&s) &&
   306              secp256k1_pubkey_load(ctx, &q, pubkey) &&
   307              secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &r, &s, &q, &m));
   308  }
   309  
   310  static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
   311     unsigned char keydata[112];
   312     int keylen = 64;
   313     secp256k1_rfc6979_hmac_sha256_t rng;
   314     unsigned int i;
   315     /* We feed a byte array to the PRNG as input, consisting of:
   316      * - the private key (32 bytes) and message (32 bytes), see RFC 6979 3.2d.
   317      * - optionally 32 extra bytes of data, see RFC 6979 3.6 Additional Data.
   318      * - optionally 16 extra bytes with the algorithm name.
   319      * Because the arguments have distinct fixed lengths it is not possible for
   320      *  different argument mixtures to emulate each other and result in the same
   321      *  nonces.
   322      */
   323     memcpy(keydata, key32, 32);
   324     memcpy(keydata + 32, msg32, 32);
   325     if (data != NULL) {
   326         memcpy(keydata + 64, data, 32);
   327         keylen = 96;
   328     }
   329     if (algo16 != NULL) {
   330         memcpy(keydata + keylen, algo16, 16);
   331         keylen += 16;
   332     }
   333     secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, keylen);
   334     memset(keydata, 0, sizeof(keydata));
   335     for (i = 0; i <= counter; i++) {
   336         secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
   337     }
   338     secp256k1_rfc6979_hmac_sha256_finalize(&rng);
   339     return 1;
   340  }
   341  
   342  const secp256k1_nonce_function secp256k1_nonce_function_rfc6979 = nonce_function_rfc6979;
   343  const secp256k1_nonce_function secp256k1_nonce_function_default = nonce_function_rfc6979;
   344  
   345  int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) {
   346      secp256k1_scalar r, s;
   347      secp256k1_scalar sec, non, msg;
   348      int ret = 0;
   349      int overflow = 0;
   350      VERIFY_CHECK(ctx != NULL);
   351      ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
   352      ARG_CHECK(msg32 != NULL);
   353      ARG_CHECK(signature != NULL);
   354      ARG_CHECK(seckey != NULL);
   355      if (noncefp == NULL) {
   356          noncefp = secp256k1_nonce_function_default;
   357      }
   358  
   359      secp256k1_scalar_set_b32(&sec, seckey, &overflow);
   360      /* Fail if the secret key is invalid. */
   361      if (!overflow && !secp256k1_scalar_is_zero(&sec)) {
   362          unsigned char nonce32[32];
   363          unsigned int count = 0;
   364          secp256k1_scalar_set_b32(&msg, msg32, NULL);
   365          while (1) {
   366              ret = noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count);
   367              if (!ret) {
   368                  break;
   369              }
   370              secp256k1_scalar_set_b32(&non, nonce32, &overflow);
   371              if (!overflow && !secp256k1_scalar_is_zero(&non)) {
   372                  if (secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &r, &s, &sec, &msg, &non, NULL)) {
   373                      break;
   374                  }
   375              }
   376              count++;
   377          }
   378          memset(nonce32, 0, 32);
   379          secp256k1_scalar_clear(&msg);
   380          secp256k1_scalar_clear(&non);
   381          secp256k1_scalar_clear(&sec);
   382      }
   383      if (ret) {
   384          secp256k1_ecdsa_signature_save(signature, &r, &s);
   385      } else {
   386          memset(signature, 0, sizeof(*signature));
   387      }
   388      return ret;
   389  }
   390  
   391  int secp256k1_ec_seckey_verify(const secp256k1_context* ctx, const unsigned char *seckey) {
   392      secp256k1_scalar sec;
   393      int ret;
   394      int overflow;
   395      VERIFY_CHECK(ctx != NULL);
   396      ARG_CHECK(seckey != NULL);
   397  
   398      secp256k1_scalar_set_b32(&sec, seckey, &overflow);
   399      ret = !overflow && !secp256k1_scalar_is_zero(&sec);
   400      secp256k1_scalar_clear(&sec);
   401      return ret;
   402  }
   403  
   404  int secp256k1_ec_pubkey_create(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) {
   405      secp256k1_gej pj;
   406      secp256k1_ge p;
   407      secp256k1_scalar sec;
   408      int overflow;
   409      int ret = 0;
   410      VERIFY_CHECK(ctx != NULL);
   411      ARG_CHECK(pubkey != NULL);
   412      memset(pubkey, 0, sizeof(*pubkey));
   413      ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
   414      ARG_CHECK(seckey != NULL);
   415  
   416      secp256k1_scalar_set_b32(&sec, seckey, &overflow);
   417      ret = (!overflow) & (!secp256k1_scalar_is_zero(&sec));
   418      if (ret) {
   419          secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pj, &sec);
   420          secp256k1_ge_set_gej(&p, &pj);
   421          secp256k1_pubkey_save(pubkey, &p);
   422      }
   423      secp256k1_scalar_clear(&sec);
   424      return ret;
   425  }
   426  
   427  int secp256k1_ec_privkey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) {
   428      secp256k1_scalar term;
   429      secp256k1_scalar sec;
   430      int ret = 0;
   431      int overflow = 0;
   432      VERIFY_CHECK(ctx != NULL);
   433      ARG_CHECK(seckey != NULL);
   434      ARG_CHECK(tweak != NULL);
   435  
   436      secp256k1_scalar_set_b32(&term, tweak, &overflow);
   437      secp256k1_scalar_set_b32(&sec, seckey, NULL);
   438  
   439      ret = !overflow && secp256k1_eckey_privkey_tweak_add(&sec, &term);
   440      memset(seckey, 0, 32);
   441      if (ret) {
   442          secp256k1_scalar_get_b32(seckey, &sec);
   443      }
   444  
   445      secp256k1_scalar_clear(&sec);
   446      secp256k1_scalar_clear(&term);
   447      return ret;
   448  }
   449  
   450  int secp256k1_ec_pubkey_tweak_add(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) {
   451      secp256k1_ge p;
   452      secp256k1_scalar term;
   453      int ret = 0;
   454      int overflow = 0;
   455      VERIFY_CHECK(ctx != NULL);
   456      ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
   457      ARG_CHECK(pubkey != NULL);
   458      ARG_CHECK(tweak != NULL);
   459  
   460      secp256k1_scalar_set_b32(&term, tweak, &overflow);
   461      ret = !overflow && secp256k1_pubkey_load(ctx, &p, pubkey);
   462      memset(pubkey, 0, sizeof(*pubkey));
   463      if (ret) {
   464          if (secp256k1_eckey_pubkey_tweak_add(&ctx->ecmult_ctx, &p, &term)) {
   465              secp256k1_pubkey_save(pubkey, &p);
   466          } else {
   467              ret = 0;
   468          }
   469      }
   470  
   471      return ret;
   472  }
   473  
   474  int secp256k1_ec_privkey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) {
   475      secp256k1_scalar factor;
   476      secp256k1_scalar sec;
   477      int ret = 0;
   478      int overflow = 0;
   479      VERIFY_CHECK(ctx != NULL);
   480      ARG_CHECK(seckey != NULL);
   481      ARG_CHECK(tweak != NULL);
   482  
   483      secp256k1_scalar_set_b32(&factor, tweak, &overflow);
   484      secp256k1_scalar_set_b32(&sec, seckey, NULL);
   485      ret = !overflow && secp256k1_eckey_privkey_tweak_mul(&sec, &factor);
   486      memset(seckey, 0, 32);
   487      if (ret) {
   488          secp256k1_scalar_get_b32(seckey, &sec);
   489      }
   490  
   491      secp256k1_scalar_clear(&sec);
   492      secp256k1_scalar_clear(&factor);
   493      return ret;
   494  }
   495  
   496  int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) {
   497      secp256k1_ge p;
   498      secp256k1_scalar factor;
   499      int ret = 0;
   500      int overflow = 0;
   501      VERIFY_CHECK(ctx != NULL);
   502      ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx));
   503      ARG_CHECK(pubkey != NULL);
   504      ARG_CHECK(tweak != NULL);
   505  
   506      secp256k1_scalar_set_b32(&factor, tweak, &overflow);
   507      ret = !overflow && secp256k1_pubkey_load(ctx, &p, pubkey);
   508      memset(pubkey, 0, sizeof(*pubkey));
   509      if (ret) {
   510          if (secp256k1_eckey_pubkey_tweak_mul(&ctx->ecmult_ctx, &p, &factor)) {
   511              secp256k1_pubkey_save(pubkey, &p);
   512          } else {
   513              ret = 0;
   514          }
   515      }
   516  
   517      return ret;
   518  }
   519  
   520  int secp256k1_context_randomize(secp256k1_context* ctx, const unsigned char *seed32) {
   521      VERIFY_CHECK(ctx != NULL);
   522      ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx));
   523      secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
   524      return 1;
   525  }
   526  
   527  int secp256k1_ec_pubkey_combine(const secp256k1_context* ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey * const *pubnonces, size_t n) {
   528      size_t i;
   529      secp256k1_gej Qj;
   530      secp256k1_ge Q;
   531  
   532      ARG_CHECK(pubnonce != NULL);
   533      memset(pubnonce, 0, sizeof(*pubnonce));
   534      ARG_CHECK(n >= 1);
   535      ARG_CHECK(pubnonces != NULL);
   536  
   537      secp256k1_gej_set_infinity(&Qj);
   538  
   539      for (i = 0; i < n; i++) {
   540          secp256k1_pubkey_load(ctx, &Q, pubnonces[i]);
   541          secp256k1_gej_add_ge(&Qj, &Qj, &Q);
   542      }
   543      if (secp256k1_gej_is_infinity(&Qj)) {
   544          return 0;
   545      }
   546      secp256k1_ge_set_gej(&Q, &Qj);
   547      secp256k1_pubkey_save(pubnonce, &Q);
   548      return 1;
   549  }
   550  
   551  #ifdef ENABLE_MODULE_ECDH
   552  # include "modules/ecdh/main_impl.h"
   553  #endif
   554  
   555  #ifdef ENABLE_MODULE_SCHNORR
   556  # include "modules/schnorr/main_impl.h"
   557  #endif
   558  
   559  #ifdef ENABLE_MODULE_RECOVERY
   560  # include "modules/recovery/main_impl.h"
   561  #endif