github.com/luckypickle/go-ethereum-vet@v1.14.2/crypto/secp256k1/libsecp256k1/src/secp256k1.c (about) 1 /********************************************************************** 2 * Copyright (c) 2013-2015 Pieter Wuille * 3 * Distributed under the MIT software license, see the accompanying * 4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.* 5 **********************************************************************/ 6 7 #include "include/secp256k1.h" 8 9 #include "util.h" 10 #include "num_impl.h" 11 #include "field_impl.h" 12 #include "scalar_impl.h" 13 #include "group_impl.h" 14 #include "ecmult_impl.h" 15 #include "ecmult_const_impl.h" 16 #include "ecmult_gen_impl.h" 17 #include "ecdsa_impl.h" 18 #include "eckey_impl.h" 19 #include "hash_impl.h" 20 21 #define ARG_CHECK(cond) do { \ 22 if (EXPECT(!(cond), 0)) { \ 23 vet_secp256k1_callback_call(&ctx->illegal_callback, #cond); \ 24 return 0; \ 25 } \ 26 } while(0) 27 28 static void default_illegal_callback_fn(const char* str, void* data) { 29 fprintf(stderr, "[libsecp256k1] illegal argument: %s\n", str); 30 abort(); 31 } 32 33 static const vet_secp256k1_callback default_illegal_callback = { 34 default_illegal_callback_fn, 35 NULL 36 }; 37 38 static void default_error_callback_fn(const char* str, void* data) { 39 fprintf(stderr, "[libsecp256k1] internal consistency check failed: %s\n", str); 40 abort(); 41 } 42 43 static const vet_secp256k1_callback default_error_callback = { 44 default_error_callback_fn, 45 NULL 46 }; 47 48 49 struct vet_secp256k1_context_struct { 50 vet_secp256k1_ecmult_context ecmult_ctx; 51 vet_secp256k1_ecmult_gen_context ecmult_gen_ctx; 52 vet_secp256k1_callback illegal_callback; 53 vet_secp256k1_callback error_callback; 54 }; 55 56 vet_secp256k1_context* vet_secp256k1_context_create(unsigned int flags) { 57 vet_secp256k1_context* ret = (vet_secp256k1_context*)checked_malloc(&default_error_callback, sizeof(vet_secp256k1_context)); 58 ret->illegal_callback = default_illegal_callback; 59 ret->error_callback = default_error_callback; 60 61 if (EXPECT((flags & SECP256K1_FLAGS_TYPE_MASK) != SECP256K1_FLAGS_TYPE_CONTEXT, 0)) { 62 vet_secp256k1_callback_call(&ret->illegal_callback, 63 "Invalid flags"); 64 free(ret); 65 return NULL; 66 } 67 68 vet_secp256k1_ecmult_context_init(&ret->ecmult_ctx); 69 vet_secp256k1_ecmult_gen_context_init(&ret->ecmult_gen_ctx); 70 71 if (flags & SECP256K1_FLAGS_BIT_CONTEXT_SIGN) { 72 vet_secp256k1_ecmult_gen_context_build(&ret->ecmult_gen_ctx, &ret->error_callback); 73 } 74 if (flags & SECP256K1_FLAGS_BIT_CONTEXT_VERIFY) { 75 vet_secp256k1_ecmult_context_build(&ret->ecmult_ctx, &ret->error_callback); 76 } 77 78 return ret; 79 } 80 81 vet_secp256k1_context* vet_secp256k1_context_clone(const vet_secp256k1_context* ctx) { 82 vet_secp256k1_context* ret = (vet_secp256k1_context*)checked_malloc(&ctx->error_callback, sizeof(vet_secp256k1_context)); 83 ret->illegal_callback = ctx->illegal_callback; 84 ret->error_callback = ctx->error_callback; 85 vet_secp256k1_ecmult_context_clone(&ret->ecmult_ctx, &ctx->ecmult_ctx, &ctx->error_callback); 86 vet_secp256k1_ecmult_gen_context_clone(&ret->ecmult_gen_ctx, &ctx->ecmult_gen_ctx, &ctx->error_callback); 87 return ret; 88 } 89 90 void vet_secp256k1_context_destroy(vet_secp256k1_context* ctx) { 91 if (ctx != NULL) { 92 vet_secp256k1_ecmult_context_clear(&ctx->ecmult_ctx); 93 vet_secp256k1_ecmult_gen_context_clear(&ctx->ecmult_gen_ctx); 94 95 free(ctx); 96 } 97 } 98 99 void vet_secp256k1_context_set_illegal_callback(vet_secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) { 100 if (fun == NULL) { 101 fun = default_illegal_callback_fn; 102 } 103 ctx->illegal_callback.fn = fun; 104 ctx->illegal_callback.data = data; 105 } 106 107 void vet_secp256k1_context_set_error_callback(vet_secp256k1_context* ctx, void (*fun)(const char* message, void* data), const void* data) { 108 if (fun == NULL) { 109 fun = default_error_callback_fn; 110 } 111 ctx->error_callback.fn = fun; 112 ctx->error_callback.data = data; 113 } 114 115 static int vet_secp256k1_pubkey_load(const vet_secp256k1_context* ctx, vet_secp256k1_ge* ge, const vet_secp256k1_pubkey* pubkey) { 116 if (sizeof(vet_secp256k1_ge_storage) == 64) { 117 /* When the secp256k1_ge_storage type is exactly 64 byte, use its 118 * representation inside secp256k1_pubkey, as conversion is very fast. 119 * Note that secp256k1_pubkey_save must use the same representation. */ 120 vet_secp256k1_ge_storage s; 121 memcpy(&s, &pubkey->data[0], 64); 122 vet_secp256k1_ge_from_storage(ge, &s); 123 } else { 124 /* Otherwise, fall back to 32-byte big endian for X and Y. */ 125 vet_secp256k1_fe x, y; 126 vet_secp256k1_fe_set_b32(&x, pubkey->data); 127 vet_secp256k1_fe_set_b32(&y, pubkey->data + 32); 128 vet_secp256k1_ge_set_xy(ge, &x, &y); 129 } 130 ARG_CHECK(!vet_secp256k1_fe_is_zero(&ge->x)); 131 return 1; 132 } 133 134 static void vet_secp256k1_pubkey_save(vet_secp256k1_pubkey* pubkey, vet_secp256k1_ge* ge) { 135 if (sizeof(vet_secp256k1_ge_storage) == 64) { 136 vet_secp256k1_ge_storage s; 137 vet_secp256k1_ge_to_storage(&s, ge); 138 memcpy(&pubkey->data[0], &s, 64); 139 } else { 140 VERIFY_CHECK(!vet_secp256k1_ge_is_infinity(ge)); 141 vet_secp256k1_fe_normalize_var(&ge->x); 142 vet_secp256k1_fe_normalize_var(&ge->y); 143 vet_secp256k1_fe_get_b32(pubkey->data, &ge->x); 144 vet_secp256k1_fe_get_b32(pubkey->data + 32, &ge->y); 145 } 146 } 147 148 int vet_secp256k1_ec_pubkey_parse(const vet_secp256k1_context* ctx, vet_secp256k1_pubkey* pubkey, const unsigned char *input, size_t inputlen) { 149 vet_secp256k1_ge Q; 150 151 VERIFY_CHECK(ctx != NULL); 152 ARG_CHECK(pubkey != NULL); 153 memset(pubkey, 0, sizeof(*pubkey)); 154 ARG_CHECK(input != NULL); 155 if (!vet_secp256k1_eckey_pubkey_parse(&Q, input, inputlen)) { 156 return 0; 157 } 158 vet_secp256k1_pubkey_save(pubkey, &Q); 159 vet_secp256k1_ge_clear(&Q); 160 return 1; 161 } 162 163 int vet_secp256k1_ec_pubkey_serialize(const vet_secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const vet_secp256k1_pubkey* pubkey, unsigned int flags) { 164 vet_secp256k1_ge Q; 165 size_t len; 166 int ret = 0; 167 168 VERIFY_CHECK(ctx != NULL); 169 ARG_CHECK(outputlen != NULL); 170 ARG_CHECK(*outputlen >= ((flags & SECP256K1_FLAGS_BIT_COMPRESSION) ? 33 : 65)); 171 len = *outputlen; 172 *outputlen = 0; 173 ARG_CHECK(output != NULL); 174 memset(output, 0, len); 175 ARG_CHECK(pubkey != NULL); 176 ARG_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_COMPRESSION); 177 if (vet_secp256k1_pubkey_load(ctx, &Q, pubkey)) { 178 ret = vet_secp256k1_eckey_pubkey_serialize(&Q, output, &len, flags & SECP256K1_FLAGS_BIT_COMPRESSION); 179 if (ret) { 180 *outputlen = len; 181 } 182 } 183 return ret; 184 } 185 186 static void vet_secp256k1_ecdsa_signature_load(const vet_secp256k1_context* ctx, vet_secp256k1_scalar* r, vet_secp256k1_scalar* s, const vet_secp256k1_ecdsa_signature* sig) { 187 (void)ctx; 188 if (sizeof(vet_secp256k1_scalar) == 32) { 189 /* When the secp256k1_scalar type is exactly 32 byte, use its 190 * representation inside secp256k1_ecdsa_signature, as conversion is very fast. 191 * Note that secp256k1_ecdsa_signature_save must use the same representation. */ 192 memcpy(r, &sig->data[0], 32); 193 memcpy(s, &sig->data[32], 32); 194 } else { 195 vet_secp256k1_scalar_set_b32(r, &sig->data[0], NULL); 196 vet_secp256k1_scalar_set_b32(s, &sig->data[32], NULL); 197 } 198 } 199 200 static void vet_secp256k1_ecdsa_signature_save(vet_secp256k1_ecdsa_signature* sig, const vet_secp256k1_scalar* r, const vet_secp256k1_scalar* s) { 201 if (sizeof(vet_secp256k1_scalar) == 32) { 202 memcpy(&sig->data[0], r, 32); 203 memcpy(&sig->data[32], s, 32); 204 } else { 205 vet_secp256k1_scalar_get_b32(&sig->data[0], r); 206 vet_secp256k1_scalar_get_b32(&sig->data[32], s); 207 } 208 } 209 210 int vet_secp256k1_ecdsa_signature_parse_der(const vet_secp256k1_context* ctx, vet_secp256k1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) { 211 vet_secp256k1_scalar r, s; 212 213 VERIFY_CHECK(ctx != NULL); 214 ARG_CHECK(sig != NULL); 215 ARG_CHECK(input != NULL); 216 217 if (vet_secp256k1_ecdsa_sig_parse(&r, &s, input, inputlen)) { 218 vet_secp256k1_ecdsa_signature_save(sig, &r, &s); 219 return 1; 220 } else { 221 memset(sig, 0, sizeof(*sig)); 222 return 0; 223 } 224 } 225 226 int vet_secp256k1_ecdsa_signature_parse_compact(const vet_secp256k1_context* ctx, vet_secp256k1_ecdsa_signature* sig, const unsigned char *input64) { 227 vet_secp256k1_scalar r, s; 228 int ret = 1; 229 int overflow = 0; 230 231 VERIFY_CHECK(ctx != NULL); 232 ARG_CHECK(sig != NULL); 233 ARG_CHECK(input64 != NULL); 234 235 vet_secp256k1_scalar_set_b32(&r, &input64[0], &overflow); 236 ret &= !overflow; 237 vet_secp256k1_scalar_set_b32(&s, &input64[32], &overflow); 238 ret &= !overflow; 239 if (ret) { 240 vet_secp256k1_ecdsa_signature_save(sig, &r, &s); 241 } else { 242 memset(sig, 0, sizeof(*sig)); 243 } 244 return ret; 245 } 246 247 int vet_secp256k1_ecdsa_signature_serialize_der(const vet_secp256k1_context* ctx, unsigned char *output, size_t *outputlen, const vet_secp256k1_ecdsa_signature* sig) { 248 vet_secp256k1_scalar r, s; 249 250 VERIFY_CHECK(ctx != NULL); 251 ARG_CHECK(output != NULL); 252 ARG_CHECK(outputlen != NULL); 253 ARG_CHECK(sig != NULL); 254 255 vet_secp256k1_ecdsa_signature_load(ctx, &r, &s, sig); 256 return vet_secp256k1_ecdsa_sig_serialize(output, outputlen, &r, &s); 257 } 258 259 int vet_secp256k1_ecdsa_signature_serialize_compact(const vet_secp256k1_context* ctx, unsigned char *output64, const vet_secp256k1_ecdsa_signature* sig) { 260 vet_secp256k1_scalar r, s; 261 262 VERIFY_CHECK(ctx != NULL); 263 ARG_CHECK(output64 != NULL); 264 ARG_CHECK(sig != NULL); 265 266 vet_secp256k1_ecdsa_signature_load(ctx, &r, &s, sig); 267 vet_secp256k1_scalar_get_b32(&output64[0], &r); 268 vet_secp256k1_scalar_get_b32(&output64[32], &s); 269 return 1; 270 } 271 272 int vet_secp256k1_ecdsa_signature_normalize(const vet_secp256k1_context* ctx, vet_secp256k1_ecdsa_signature *sigout, const vet_secp256k1_ecdsa_signature *sigin) { 273 vet_secp256k1_scalar r, s; 274 int ret = 0; 275 276 VERIFY_CHECK(ctx != NULL); 277 ARG_CHECK(sigin != NULL); 278 279 vet_secp256k1_ecdsa_signature_load(ctx, &r, &s, sigin); 280 ret = vet_secp256k1_scalar_is_high(&s); 281 if (sigout != NULL) { 282 if (ret) { 283 vet_secp256k1_scalar_negate(&s, &s); 284 } 285 vet_secp256k1_ecdsa_signature_save(sigout, &r, &s); 286 } 287 288 return ret; 289 } 290 291 int vet_secp256k1_ecdsa_verify(const vet_secp256k1_context* ctx, const vet_secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const vet_secp256k1_pubkey *pubkey) { 292 vet_secp256k1_ge q; 293 vet_secp256k1_scalar r, s; 294 vet_secp256k1_scalar m; 295 VERIFY_CHECK(ctx != NULL); 296 ARG_CHECK(vet_secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx)); 297 ARG_CHECK(msg32 != NULL); 298 ARG_CHECK(sig != NULL); 299 ARG_CHECK(pubkey != NULL); 300 301 vet_secp256k1_scalar_set_b32(&m, msg32, NULL); 302 vet_secp256k1_ecdsa_signature_load(ctx, &r, &s, sig); 303 return (!vet_secp256k1_scalar_is_high(&s) && 304 vet_secp256k1_pubkey_load(ctx, &q, pubkey) && 305 vet_secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &r, &s, &q, &m)); 306 } 307 308 static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { 309 unsigned char keydata[112]; 310 int keylen = 64; 311 vet_secp256k1_rfc6979_hmac_sha256_t rng; 312 unsigned int i; 313 /* We feed a byte array to the PRNG as input, consisting of: 314 * - the private key (32 bytes) and message (32 bytes), see RFC 6979 3.2d. 315 * - optionally 32 extra bytes of data, see RFC 6979 3.6 Additional Data. 316 * - optionally 16 extra bytes with the algorithm name. 317 * Because the arguments have distinct fixed lengths it is not possible for 318 * different argument mixtures to emulate each other and result in the same 319 * nonces. 320 */ 321 memcpy(keydata, key32, 32); 322 memcpy(keydata + 32, msg32, 32); 323 if (data != NULL) { 324 memcpy(keydata + 64, data, 32); 325 keylen = 96; 326 } 327 if (algo16 != NULL) { 328 memcpy(keydata + keylen, algo16, 16); 329 keylen += 16; 330 } 331 vet_secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, keylen); 332 memset(keydata, 0, sizeof(keydata)); 333 for (i = 0; i <= counter; i++) { 334 vet_secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32); 335 } 336 vet_secp256k1_rfc6979_hmac_sha256_finalize(&rng); 337 return 1; 338 } 339 340 const vet_secp256k1_nonce_function vet_secp256k1_nonce_function_rfc6979 = nonce_function_rfc6979; 341 const vet_secp256k1_nonce_function vet_secp256k1_nonce_function_default = nonce_function_rfc6979; 342 343 int vet_secp256k1_ecdsa_sign(const vet_secp256k1_context* ctx, vet_secp256k1_ecdsa_signature *signature, const unsigned char *msg32, const unsigned char *seckey, vet_secp256k1_nonce_function noncefp, const void* noncedata) { 344 vet_secp256k1_scalar r, s; 345 vet_secp256k1_scalar sec, non, msg; 346 int ret = 0; 347 int overflow = 0; 348 VERIFY_CHECK(ctx != NULL); 349 ARG_CHECK(vet_secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); 350 ARG_CHECK(msg32 != NULL); 351 ARG_CHECK(signature != NULL); 352 ARG_CHECK(seckey != NULL); 353 if (noncefp == NULL) { 354 noncefp = vet_secp256k1_nonce_function_default; 355 } 356 357 vet_secp256k1_scalar_set_b32(&sec, seckey, &overflow); 358 /* Fail if the secret key is invalid. */ 359 if (!overflow && !vet_secp256k1_scalar_is_zero(&sec)) { 360 unsigned char nonce32[32]; 361 unsigned int count = 0; 362 vet_secp256k1_scalar_set_b32(&msg, msg32, NULL); 363 while (1) { 364 ret = noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count); 365 if (!ret) { 366 break; 367 } 368 vet_secp256k1_scalar_set_b32(&non, nonce32, &overflow); 369 if (!overflow && !vet_secp256k1_scalar_is_zero(&non)) { 370 if (vet_secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &r, &s, &sec, &msg, &non, NULL)) { 371 break; 372 } 373 } 374 count++; 375 } 376 memset(nonce32, 0, 32); 377 vet_secp256k1_scalar_clear(&msg); 378 vet_secp256k1_scalar_clear(&non); 379 vet_secp256k1_scalar_clear(&sec); 380 } 381 if (ret) { 382 vet_secp256k1_ecdsa_signature_save(signature, &r, &s); 383 } else { 384 memset(signature, 0, sizeof(*signature)); 385 } 386 return ret; 387 } 388 389 int vet_secp256k1_ec_seckey_verify(const vet_secp256k1_context* ctx, const unsigned char *seckey) { 390 vet_secp256k1_scalar sec; 391 int ret; 392 int overflow; 393 VERIFY_CHECK(ctx != NULL); 394 ARG_CHECK(seckey != NULL); 395 396 vet_secp256k1_scalar_set_b32(&sec, seckey, &overflow); 397 ret = !overflow && !vet_secp256k1_scalar_is_zero(&sec); 398 vet_secp256k1_scalar_clear(&sec); 399 return ret; 400 } 401 402 int vet_secp256k1_ec_pubkey_create(const vet_secp256k1_context* ctx, vet_secp256k1_pubkey *pubkey, const unsigned char *seckey) { 403 vet_secp256k1_gej pj; 404 vet_secp256k1_ge p; 405 vet_secp256k1_scalar sec; 406 int overflow; 407 int ret = 0; 408 VERIFY_CHECK(ctx != NULL); 409 ARG_CHECK(pubkey != NULL); 410 memset(pubkey, 0, sizeof(*pubkey)); 411 ARG_CHECK(vet_secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); 412 ARG_CHECK(seckey != NULL); 413 414 vet_secp256k1_scalar_set_b32(&sec, seckey, &overflow); 415 ret = (!overflow) & (!vet_secp256k1_scalar_is_zero(&sec)); 416 if (ret) { 417 vet_secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pj, &sec); 418 vet_secp256k1_ge_set_gej(&p, &pj); 419 vet_secp256k1_pubkey_save(pubkey, &p); 420 } 421 vet_secp256k1_scalar_clear(&sec); 422 return ret; 423 } 424 425 int vet_secp256k1_ec_privkey_tweak_add(const vet_secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) { 426 vet_secp256k1_scalar term; 427 vet_secp256k1_scalar sec; 428 int ret = 0; 429 int overflow = 0; 430 VERIFY_CHECK(ctx != NULL); 431 ARG_CHECK(seckey != NULL); 432 ARG_CHECK(tweak != NULL); 433 434 vet_secp256k1_scalar_set_b32(&term, tweak, &overflow); 435 vet_secp256k1_scalar_set_b32(&sec, seckey, NULL); 436 437 ret = !overflow && vet_secp256k1_eckey_privkey_tweak_add(&sec, &term); 438 memset(seckey, 0, 32); 439 if (ret) { 440 vet_secp256k1_scalar_get_b32(seckey, &sec); 441 } 442 443 vet_secp256k1_scalar_clear(&sec); 444 vet_secp256k1_scalar_clear(&term); 445 return ret; 446 } 447 448 int vet_secp256k1_ec_pubkey_tweak_add(const vet_secp256k1_context* ctx, vet_secp256k1_pubkey *pubkey, const unsigned char *tweak) { 449 vet_secp256k1_ge p; 450 vet_secp256k1_scalar term; 451 int ret = 0; 452 int overflow = 0; 453 VERIFY_CHECK(ctx != NULL); 454 ARG_CHECK(vet_secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx)); 455 ARG_CHECK(pubkey != NULL); 456 ARG_CHECK(tweak != NULL); 457 458 vet_secp256k1_scalar_set_b32(&term, tweak, &overflow); 459 ret = !overflow && vet_secp256k1_pubkey_load(ctx, &p, pubkey); 460 memset(pubkey, 0, sizeof(*pubkey)); 461 if (ret) { 462 if (vet_secp256k1_eckey_pubkey_tweak_add(&ctx->ecmult_ctx, &p, &term)) { 463 vet_secp256k1_pubkey_save(pubkey, &p); 464 } else { 465 ret = 0; 466 } 467 } 468 469 return ret; 470 } 471 472 int vet_secp256k1_ec_privkey_tweak_mul(const vet_secp256k1_context* ctx, unsigned char *seckey, const unsigned char *tweak) { 473 vet_secp256k1_scalar factor; 474 vet_secp256k1_scalar sec; 475 int ret = 0; 476 int overflow = 0; 477 VERIFY_CHECK(ctx != NULL); 478 ARG_CHECK(seckey != NULL); 479 ARG_CHECK(tweak != NULL); 480 481 vet_secp256k1_scalar_set_b32(&factor, tweak, &overflow); 482 vet_secp256k1_scalar_set_b32(&sec, seckey, NULL); 483 ret = !overflow && vet_secp256k1_eckey_privkey_tweak_mul(&sec, &factor); 484 memset(seckey, 0, 32); 485 if (ret) { 486 vet_secp256k1_scalar_get_b32(seckey, &sec); 487 } 488 489 vet_secp256k1_scalar_clear(&sec); 490 vet_secp256k1_scalar_clear(&factor); 491 return ret; 492 } 493 494 int vet_secp256k1_ec_pubkey_tweak_mul(const vet_secp256k1_context* ctx, vet_secp256k1_pubkey *pubkey, const unsigned char *tweak) { 495 vet_secp256k1_ge p; 496 vet_secp256k1_scalar factor; 497 int ret = 0; 498 int overflow = 0; 499 VERIFY_CHECK(ctx != NULL); 500 ARG_CHECK(vet_secp256k1_ecmult_context_is_built(&ctx->ecmult_ctx)); 501 ARG_CHECK(pubkey != NULL); 502 ARG_CHECK(tweak != NULL); 503 504 vet_secp256k1_scalar_set_b32(&factor, tweak, &overflow); 505 ret = !overflow && vet_secp256k1_pubkey_load(ctx, &p, pubkey); 506 memset(pubkey, 0, sizeof(*pubkey)); 507 if (ret) { 508 if (vet_secp256k1_eckey_pubkey_tweak_mul(&ctx->ecmult_ctx, &p, &factor)) { 509 vet_secp256k1_pubkey_save(pubkey, &p); 510 } else { 511 ret = 0; 512 } 513 } 514 515 return ret; 516 } 517 518 int vet_secp256k1_context_randomize(vet_secp256k1_context* ctx, const unsigned char *seed32) { 519 VERIFY_CHECK(ctx != NULL); 520 ARG_CHECK(vet_secp256k1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); 521 vet_secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32); 522 return 1; 523 } 524 525 int vet_secp256k1_ec_pubkey_combine(const vet_secp256k1_context* ctx, vet_secp256k1_pubkey *pubnonce, const vet_secp256k1_pubkey * const *pubnonces, size_t n) { 526 size_t i; 527 vet_secp256k1_gej Qj; 528 vet_secp256k1_ge Q; 529 530 ARG_CHECK(pubnonce != NULL); 531 memset(pubnonce, 0, sizeof(*pubnonce)); 532 ARG_CHECK(n >= 1); 533 ARG_CHECK(pubnonces != NULL); 534 535 vet_secp256k1_gej_set_infinity(&Qj); 536 537 for (i = 0; i < n; i++) { 538 vet_secp256k1_pubkey_load(ctx, &Q, pubnonces[i]); 539 vet_secp256k1_gej_add_ge(&Qj, &Qj, &Q); 540 } 541 if (vet_secp256k1_gej_is_infinity(&Qj)) { 542 return 0; 543 } 544 vet_secp256k1_ge_set_gej(&Q, &Qj); 545 vet_secp256k1_pubkey_save(pubnonce, &Q); 546 return 1; 547 } 548 549 #ifdef ENABLE_MODULE_ECDH 550 # include "modules/ecdh/main_impl.h" 551 #endif 552 553 #ifdef ENABLE_MODULE_SCHNORR 554 # include "modules/schnorr/main_impl.h" 555 #endif 556 557 #ifdef ENABLE_MODULE_RECOVERY 558 # include "modules/recovery/main_impl.h" 559 #endif