github.com/aquanetwork/aquachain@v1.7.8/crypto/secp256k1/libsecp256k1/src/secp256k1.c (about) 1 /********************************************************************** 2 * Copyright (c) 2013-2015 Pieter Wuille * 3 * Distributed under the MIT software license, see the accompanying * 4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.* 5 **********************************************************************/ 6 7 #include "include/secp256k1.h" 8 9 #include "util.h" 10 #include "num_impl.h" 11 #include "field_impl.h" 12 #include "scalar_impl.h" 13 #include "group_impl.h" 14 #include "ecmult_impl.h" 15 #include "ecmult_const_impl.h" 16 #include "ecmult_gen_impl.h" 17 #include "ecdsa_impl.h" 18 #include "eckey_impl.h" 19 #include "hash_impl.h" 20 #include "scratch_impl.h" 21 22 #define ARG_CHECK(cond) do { \ 23 if (EXPECT(!(cond), 0)) { \ 24 secp256k1_callback_call(&ctx->illegal_callback, #cond); \ 25 return 0; \ 26 } \ 27 } while(0) 28 29 static void default_illegal_callback_fn(const char* str, void* data) { 30 (void)data; 31 fprintf(stderr, "[libsecp256k1] illegal argument: %s\n", str); 32 abort(); 33 } 34 35 static const secp256k1_callback default_illegal_callback = { 36 default_illegal_callback_fn, 37 NULL 38 }; 39 40 static void default_error_callback_fn(const char* str, void* data) { 41 (void)data; 42 fprintf(stderr, "[libsecp256k1] internal consistency check failed: %s\n", str); 43 abort(); 44 } 45 46 static const secp256k1_callback default_error_callback = { 47 default_error_callback_fn, 48 NULL 49 }; 50 51 52 struct secp256k1_context_struct { 53 secp256k1_ecmult_context ecmult_ctx; 54 secp256k1_ecmult_gen_context ecmult_gen_ctx; 55 secp256k1_callback illegal_callback; 56 secp256k1_callback error_callback; 57 }; 58 59 secp256k1_context* secp256k1_context_create(unsigned int flags) { 60 secp256k1_context* ret = (secp256k1_context*)checked_malloc(&default_error_callback, sizeof(secp256k1_context)); 61 ret->illegal_callback = default_illegal_callback; 62 ret->error_callback = default_error_callback; 63 64 if (EXPECT((flags & SECP256K1_FLAGS_TYPE_MASK) != SECP256K1_FLAGS_TYPE_CONTEXT, 0)) { 65 secp256k1_callback_call(&ret->illegal_callback, 66 "Invalid flags"); 67 free(ret); 68 return NULL; 69 } 70 71 secp256k1_ecmult_context_init(&ret->ecmult_ctx); 72 secp256k1_ecmult_gen_context_init(&ret->ecmult_gen_ctx); 73 74 if (flags & SECP256K1_FLAGS_BIT_CONTEXT_SIGN) { 75 secp256k1_ecmult_gen_context_build(&ret->ecmult_gen_ctx, &ret->error_callback); 76 } 77 if (flags & SECP256K1_FLAGS_BIT_CONTEXT_VERIFY) { 78 secp256k1_ecmult_context_build(&ret->ecmult_ctx, &ret->error_callback); 79 } 80 81 return ret; 82 } 83 84 secp256k1_context* secp256k1_context_clone(const secp256k1_context* ctx) { 85 secp256k1_context* ret = (secp256k1_context*)checked_malloc(&ctx->error_callback, sizeof(secp256k1_context)); 86 ret->illegal_callback = ctx->illegal_callback; 87 ret->error_callback = ctx->error_callback; 88 secp256k1_ecmult_context_clone(&ret->ecmult_ctx, &ctx->ecmult_ctx, &ctx->error_callback); 89 secp256k1_ecmult_gen_context_clone(&ret->ecmult_gen_ctx, &ctx->ecmult_gen_ctx, &ctx->error_callback); 90 return ret; 91 } 92 93 void secp256k1_context_destroy(secp256k1_context* ctx) { 94 if (ctx != NULL) { 95 secp256k1_ecmult_context_clear(&ctx->ecmult_ctx); 96 secp256k1_ecmult_gen_context_clear(&ctx->ecmult_gen_ctx); 97 98 free(ctx); 99 } 100 } 101 102 void secp256k1_context_set_illegal_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) { 103 if (fun == NULL) { 104 fun = default_illegal_callback_fn; 105 } 106 ctx->illegal_callback.fn = fun; 107 ctx->illegal_callback.data = data; 108 } 109 110 void secp256k1_context_set_error_callback(secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) { 111 if (fun == NULL) { 112 fun = default_error_callback_fn; 113 } 114 ctx->error_callback.fn = fun; 115 ctx->error_callback.data = data; 116 } 117 118 secp256k1_scratch_space* secp256k1_scratch_space_create(const secp256k1_context* ctx, size_t max_size) { 119 VERIFY_CHECK(ctx != NULL); 120 return secp256k1_scratch_create(&ctx->error_callback, max_size); 121 } 122 123 void secp256k1_scratch_space_destroy(secp256k1_scratch_space* scratch) { 124 secp256k1_scratch_destroy(scratch); 125 } 126 127 static int secp256k1_pubkey_load(const secp256k1_context* ctx, secp256k1_ge* ge, const secp256k1_pubkey* pubkey) { 128 if (sizeof(secp256k1_ge_storage) == 64) { 129 /* When the secp256k1_ge_storage type is exactly 64 byte, use its 130 * representation inside secp256k1_pubkey, as conversion is very fast. 131 * Note that secp256k1_pubkey_save must use the same representation. */ 132 secp256k1_ge_storage s; 133 memcpy(&s, &pubkey->data[0], sizeof(s)); 134 secp256k1_ge_from_storage(ge, &s); 135 } else { 136 /* Otherwise, fall back to 32-byte big endian for X and Y. */ 137 secp256k1_fe x, y; 138 secp256k1_fe_set_b32(&x, pubkey->data); 139 secp256k1_fe_set_b32(&y, pubkey->data + 32); 140 secp256k1_ge_set_xy(ge, &x, &y); 141 } 142 ARG_CHECK(!secp256k1_fe_is_zero(&ge->x)); 143 return 1; 144 } 145 146 static void secp256k1_pubkey_save(secp256k1_pubkey* pubkey, secp256k1_ge* ge) { 147 if (sizeof(secp256k1_ge_storage) == 64) { 148 secp256k1_ge_storage s; 149 secp256k1_ge_to_storage(&s, ge); 150 memcpy(&pubkey->data[0], &s, sizeof(s)); 151 } else { 152 VERIFY_CHECK(!secp256k1_ge_is_infinity(ge)); 153 secp256k1_fe_normalize_var(&ge->x); 154 secp256k1_fe_normalize_var(&ge->y); 155 secp256k1_fe_get_b32(pubkey->data, &ge->x); 156 secp256k1_fe_get_b32(pubkey->data + 32, &ge->y); 157 } 158 } 159 160 int secp256k1_ec_pubkey_parse(const secp256k1_context* ctx, secp256k1_pubkey* pubkey, const unsigned char *input, size_t inputlen) { 161 secp256k1_ge Q; 162 163 VERIFY_CHECK(ctx != NULL); 164 ARG_CHECK(pubkey != NULL); 165 memset(pubkey, 0, sizeof(*pubkey)); 166 ARG_CHECK(input != NULL); 167 if (!secp256k1_eckey_pubkey_parse(&Q, input, inputlen)) { 168 return 0; 169 } 170 secp256k1_pubkey_save(pubkey, &Q); 171 secp256k1_ge_clear(&Q); 172 return 1; 173 } 174 175 int secp256k1_ec_pubkey_serialize(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey* pubkey, unsigned int flags) { 176 secp256k1_ge Q; 177 size_t len; 178 int ret = 0; 179 180 VERIFY_CHECK(ctx != NULL); 181 ARG_CHECK(outputlen != NULL); 182 ARG_CHECK(*outputlen >= ((flags & SECP256K1_FLAGS_BIT_COMPRESSION) ? 33 : 65)); 183 len = *outputlen; 184 *outputlen = 0; 185 ARG_CHECK(output != NULL); 186 memset(output, 0, len); 187 ARG_CHECK(pubkey != NULL); 188 ARG_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_COMPRESSION); 189 if (secp256k1_pubkey_load(ctx, &Q, pubkey)) { 190 ret = secp256k1_eckey_pubkey_serialize(&Q, output, &len, flags & SECP256K1_FLAGS_BIT_COMPRESSION); 191 if (ret) { 192 *outputlen = len; 193 } 194 } 195 return ret; 196 } 197 198 static void secp256k1_ecdsa_signature_load(const secp256k1_context* ctx, secp256k1_scalar* r, secp256k1_scalar* s, const secp256k1_ecdsa_signature* sig) { 199 (void)ctx; 200 if (sizeof(secp256k1_scalar) == 32) { 201 /* When the secp256k1_scalar type is exactly 32 byte, use its 202 * representation inside secp256k1_ecdsa_signature, as conversion is very fast. 203 * Note that secp256k1_ecdsa_signature_save must use the same representation. */ 204 memcpy(r, &sig->data[0], 32); 205 memcpy(s, &sig->data[32], 32); 206 } else { 207 secp256k1_scalar_set_b32(r, &sig->data[0], NULL); 208 secp256k1_scalar_set_b32(s, &sig->data[32], NULL); 209 } 210 } 211 212 static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature* sig, const secp256k1_scalar* r, const secp256k1_scalar* s) { 213 if (sizeof(secp256k1_scalar) == 32) { 214 memcpy(&sig->data[0], r, 32); 215 memcpy(&sig->data[32], s, 32); 216 } else { 217 secp256k1_scalar_get_b32(&sig->data[0], r); 218 secp256k1_scalar_get_b32(&sig->data[32], s); 219 } 220 } 221 222 int secp256k1_ecdsa_signature_parse_der(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) { 223 secp256k1_scalar r, s; 224 225 VERIFY_CHECK(ctx != NULL); 226 ARG_CHECK(sig != NULL); 227 ARG_CHECK(input != NULL); 228 229 if (secp256k1_ecdsa_sig_parse(&r, &s, input, inputlen)) { 230 secp256k1_ecdsa_signature_save(sig, &r, &s); 231 return 1; 232 } else { 233 memset(sig, 0, sizeof(*sig)); 234 return 0; 235 } 236 } 237 238 int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context* ctx, secp256k1_ecdsa_signature* sig, const unsigned char *input64) { 239 secp256k1_scalar r, s; 240 int ret = 1; 241 int overflow = 0; 242 243 VERIFY_CHECK(ctx != NULL); 244 ARG_CHECK(sig != NULL); 245 ARG_CHECK(input64 != NULL); 246 247 secp256k1_scalar_set_b32(&r, &input64[0], &overflow); 248 ret &= !overflow; 249 secp256k1_scalar_set_b32(&s, &input64[32], &overflow); 250 ret &= !overflow; 251 if (ret) { 252 secp256k1_ecdsa_signature_save(sig, &r, &s); 253 } else { 254 memset(sig, 0, sizeof(*sig)); 255 } 256 return ret; 257 } 258 259 int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature* sig) { 260 secp256k1_scalar r, s; 261 262 VERIFY_CHECK(ctx != NULL); 263 ARG_CHECK(output != NULL); 264 ARG_CHECK(outputlen != NULL); 265 ARG_CHECK(sig != NULL); 266 267 secp256k1_ecdsa_signature_load(ctx, &r, &s, sig); 268 return secp256k1_ecdsa_sig_serialize(output, outputlen, &r, &s); 269 } 270 271 int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context* ctx, unsigned char *output64, const secp256k1_ecdsa_signature* sig) { 272 secp256k1_scalar r, s; 273 274 VERIFY_CHECK(ctx != NULL); 275 ARG_CHECK(output64 != NULL); 276 ARG_CHECK(sig != NULL); 277 278 secp256k1_ecdsa_signature_load(ctx, &r, &s, sig); 279 secp256k1_scalar_get_b32(&output64[0], &r); 280 secp256k1_scalar_get_b32(&output64[32], &s); 281 return 1; 282 } 283 284 int secp256k1_ecdsa_signature_normalize(const secp256k1_context* ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) { 285 secp256k1_scalar r, s; 286 int ret = 0; 287 288 VERIFY_CHECK(ctx != NULL); 289 ARG_CHECK(sigin != NULL); 290 291 secp256k1_ecdsa_signature_load(ctx, &r, &s, sigin); 292 ret = secp256k1_scalar_is_high(&s); 293 if (sigout != NULL) { 294 if (ret) { 295 secp256k1_scalar_negate(&s, &s); 296 } 297 secp256k1_ecdsa_signature_save(sigout, &r, &s); 298 } 299 300 return ret; 301 } 302 303 int secp256k1_ecdsa_verify(const secp256k1_context* ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const secp256k1_pubkey *pubkey) { 304 secp256k1_ge q; 305 secp256k1_scalar r, s; 306 secp256k1_scalar m; 307 VERIFY_CHECK(ctx != NULL); 308 ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx)); 309 ARG_CHECK(msg32 != NULL); 310 ARG_CHECK(sig != NULL); 311 ARG_CHECK(pubkey != NULL); 312 313 secp256k1_scalar_set_b32(&m, msg32, NULL); 314 secp256k1_ecdsa_signature_load(ctx, &r, &s, sig); 315 return (!secp256k1_scalar_is_high(&s) && 316 secp256k1_pubkey_load(ctx, &q, pubkey) && 317 secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &r, &s, &q, &m)); 318 } 319 320 static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *offset, const void *data, unsigned int len) { 321 memcpy(buf + *offset, data, len); 322 *offset += len; 323 } 324 325 static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { 326 unsigned char keydata[112]; 327 unsigned int offset = 0; 328 secp256k1_rfc6979_hmac_sha256 rng; 329 unsigned int i; 330 /* We feed a byte array to the PRNG as input, consisting of: 331 * - the private key (32 bytes) and message (32 bytes), see RFC 6979 3.2d. 332 * - optionally 32 extra bytes of data, see RFC 6979 3.6 Additional Data. 333 * - optionally 16 extra bytes with the algorithm name. 334 * Because the arguments have distinct fixed lengths it is not possible for 335 * different argument mixtures to emulate each other and result in the same 336 * nonces. 337 */ 338 buffer_append(keydata, &offset, key32, 32); 339 buffer_append(keydata, &offset, msg32, 32); 340 if (data != NULL) { 341 buffer_append(keydata, &offset, data, 32); 342 } 343 if (algo16 != NULL) { 344 buffer_append(keydata, &offset, algo16, 16); 345 } 346 secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, offset); 347 memset(keydata, 0, sizeof(keydata)); 348 for (i = 0; i <= counter; i++) { 349 secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32); 350 } 351 secp256k1_rfc6979_hmac_sha256_finalize(&rng); 352 return 1; 353 } 354 355 const secp256k1_nonce_function secp256k1_nonce_function_rfc6979 = nonce_function_rfc6979; 356 const secp256k1_nonce_function secp256k1_nonce_function_default = nonce_function_rfc6979; 357 358 int secp256k1_ecdsa_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature *signature, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void* noncedata) { 359 secp256k1_scalar r, s; 360 secp256k1_scalar sec, non, msg; 361 int ret = 0; 362 int overflow = 0; 363 VERIFY_CHECK(ctx != NULL); 364 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); 365 ARG_CHECK(msg32 != NULL); 366 ARG_CHECK(signature != NULL); 367 ARG_CHECK(seckey != NULL); 368 if (noncefp == NULL) { 369 noncefp = secp256k1_nonce_function_default; 370 } 371 372 secp256k1_scalar_set_b32(&sec, seckey, &overflow); 373 /* Fail if the secret key is invalid. */ 374 if (!overflow && !secp256k1_scalar_is_zero(&sec)) { 375 unsigned char nonce32[32]; 376 unsigned int count = 0; 377 secp256k1_scalar_set_b32(&msg, msg32, NULL); 378 while (1) { 379 ret = noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count); 380 if (!ret) { 381 break; 382 } 383 secp256k1_scalar_set_b32(&non, nonce32, &overflow); 384 if (!overflow && !secp256k1_scalar_is_zero(&non)) { 385 if (secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &r, &s, &sec, &msg, &non, NULL)) { 386 break; 387 } 388 } 389 count++; 390 } 391 memset(nonce32, 0, 32); 392 secp256k1_scalar_clear(&msg); 393 secp256k1_scalar_clear(&non); 394 secp256k1_scalar_clear(&sec); 395 } 396 if (ret) { 397 secp256k1_ecdsa_signature_save(signature, &r, &s); 398 } else { 399 memset(signature, 0, sizeof(*signature)); 400 } 401 return ret; 402 } 403 404 int secp256k1_ec_seckey_verify(const secp256k1_context* ctx, const unsigned char *seckey) { 405 secp256k1_scalar sec; 406 int ret; 407 int overflow; 408 VERIFY_CHECK(ctx != NULL); 409 ARG_CHECK(seckey != NULL); 410 411 secp256k1_scalar_set_b32(&sec, seckey, &overflow); 412 ret = !overflow && !secp256k1_scalar_is_zero(&sec); 413 secp256k1_scalar_clear(&sec); 414 return ret; 415 } 416 417 int secp256k1_ec_pubkey_create(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) { 418 secp256k1_gej pj; 419 secp256k1_ge p; 420 secp256k1_scalar sec; 421 int overflow; 422 int ret = 0; 423 VERIFY_CHECK(ctx != NULL); 424 ARG_CHECK(pubkey != NULL); 425 memset(pubkey, 0, sizeof(*pubkey)); 426 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); 427 ARG_CHECK(seckey != NULL); 428 429 secp256k1_scalar_set_b32(&sec, seckey, &overflow); 430 ret = (!overflow) & (!secp256k1_scalar_is_zero(&sec)); 431 if (ret) { 432 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pj, &sec); 433 secp256k1_ge_set_gej(&p, &pj); 434 secp256k1_pubkey_save(pubkey, &p); 435 } 436 secp256k1_scalar_clear(&sec); 437 return ret; 438 } 439 440 int secp256k1_ec_privkey_negate(const secp256k1_context* ctx, unsigned char *seckey) { 441 secp256k1_scalar sec; 442 VERIFY_CHECK(ctx != NULL); 443 ARG_CHECK(seckey != NULL); 444 445 secp256k1_scalar_set_b32(&sec, seckey, NULL); 446 secp256k1_scalar_negate(&sec, &sec); 447 secp256k1_scalar_get_b32(seckey, &sec); 448 449 return 1; 450 } 451 452 int secp256k1_ec_pubkey_negate(const secp256k1_context* ctx, secp256k1_pubkey *pubkey) { 453 int ret = 0; 454 secp256k1_ge p; 455 VERIFY_CHECK(ctx != NULL); 456 ARG_CHECK(pubkey != NULL); 457 458 ret = secp256k1_pubkey_load(ctx, &p, pubkey); 459 memset(pubkey, 0, sizeof(*pubkey)); 460 if (ret) { 461 secp256k1_ge_neg(&p, &p); 462 secp256k1_pubkey_save(pubkey, &p); 463 } 464 return ret; 465 } 466 467 int secp256k1_ec_privkey_tweak_add(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) { 468 secp256k1_scalar term; 469 secp256k1_scalar sec; 470 int ret = 0; 471 int overflow = 0; 472 VERIFY_CHECK(ctx != NULL); 473 ARG_CHECK(seckey != NULL); 474 ARG_CHECK(tweak != NULL); 475 476 secp256k1_scalar_set_b32(&term, tweak, &overflow); 477 secp256k1_scalar_set_b32(&sec, seckey, NULL); 478 479 ret = !overflow && secp256k1_eckey_privkey_tweak_add(&sec, &term); 480 memset(seckey, 0, 32); 481 if (ret) { 482 secp256k1_scalar_get_b32(seckey, &sec); 483 } 484 485 secp256k1_scalar_clear(&sec); 486 secp256k1_scalar_clear(&term); 487 return ret; 488 } 489 490 int secp256k1_ec_pubkey_tweak_add(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) { 491 secp256k1_ge p; 492 secp256k1_scalar term; 493 int ret = 0; 494 int overflow = 0; 495 VERIFY_CHECK(ctx != NULL); 496 ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx)); 497 ARG_CHECK(pubkey != NULL); 498 ARG_CHECK(tweak != NULL); 499 500 secp256k1_scalar_set_b32(&term, tweak, &overflow); 501 ret = !overflow && secp256k1_pubkey_load(ctx, &p, pubkey); 502 memset(pubkey, 0, sizeof(*pubkey)); 503 if (ret) { 504 if (secp256k1_eckey_pubkey_tweak_add(&ctx->ecmult_ctx, &p, &term)) { 505 secp256k1_pubkey_save(pubkey, &p); 506 } else { 507 ret = 0; 508 } 509 } 510 511 return ret; 512 } 513 514 int secp256k1_ec_privkey_tweak_mul(const secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) { 515 secp256k1_scalar factor; 516 secp256k1_scalar sec; 517 int ret = 0; 518 int overflow = 0; 519 VERIFY_CHECK(ctx != NULL); 520 ARG_CHECK(seckey != NULL); 521 ARG_CHECK(tweak != NULL); 522 523 secp256k1_scalar_set_b32(&factor, tweak, &overflow); 524 secp256k1_scalar_set_b32(&sec, seckey, NULL); 525 ret = !overflow && secp256k1_eckey_privkey_tweak_mul(&sec, &factor); 526 memset(seckey, 0, 32); 527 if (ret) { 528 secp256k1_scalar_get_b32(seckey, &sec); 529 } 530 531 secp256k1_scalar_clear(&sec); 532 secp256k1_scalar_clear(&factor); 533 return ret; 534 } 535 536 int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context* ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) { 537 secp256k1_ge p; 538 secp256k1_scalar factor; 539 int ret = 0; 540 int overflow = 0; 541 VERIFY_CHECK(ctx != NULL); 542 ARG_CHECK(secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx)); 543 ARG_CHECK(pubkey != NULL); 544 ARG_CHECK(tweak != NULL); 545 546 secp256k1_scalar_set_b32(&factor, tweak, &overflow); 547 ret = !overflow && secp256k1_pubkey_load(ctx, &p, pubkey); 548 memset(pubkey, 0, sizeof(*pubkey)); 549 if (ret) { 550 if (secp256k1_eckey_pubkey_tweak_mul(&ctx->ecmult_ctx, &p, &factor)) { 551 secp256k1_pubkey_save(pubkey, &p); 552 } else { 553 ret = 0; 554 } 555 } 556 557 return ret; 558 } 559 560 int secp256k1_context_randomize(secp256k1_context* ctx, const unsigned char *seed32) { 561 VERIFY_CHECK(ctx != NULL); 562 ARG_CHECK(secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); 563 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32); 564 return 1; 565 } 566 567 int secp256k1_ec_pubkey_combine(const secp256k1_context* ctx, secp256k1_pubkey *pubnonce, const secp256k1_pubkey * const *pubnonces, size_t n) { 568 size_t i; 569 secp256k1_gej Qj; 570 secp256k1_ge Q; 571 572 ARG_CHECK(pubnonce != NULL); 573 memset(pubnonce, 0, sizeof(*pubnonce)); 574 ARG_CHECK(n >= 1); 575 ARG_CHECK(pubnonces != NULL); 576 577 secp256k1_gej_set_infinity(&Qj); 578 579 for (i = 0; i < n; i++) { 580 secp256k1_pubkey_load(ctx, &Q, pubnonces[i]); 581 secp256k1_gej_add_ge(&Qj, &Qj, &Q); 582 } 583 if (secp256k1_gej_is_infinity(&Qj)) { 584 return 0; 585 } 586 secp256k1_ge_set_gej(&Q, &Qj); 587 secp256k1_pubkey_save(pubnonce, &Q); 588 return 1; 589 } 590 591 #ifdef ENABLE_MODULE_ECDH 592 # include "modules/ecdh/main_impl.h" 593 #endif 594 595 #ifdef ENABLE_MODULE_RECOVERY 596 # include "modules/recovery/main_impl.h" 597 #endif