LCOV - code coverage report
Current view: top level - src - key.cpp (source / functions) Hit Total Coverage
Test: fuzz_coverage.info Lines: 82 276 29.7 %
Date: 2024-01-03 14:57:27 Functions: 9 24 37.5 %
Branches: 42 232 18.1 %

           Branch data     Line data    Source code
       1                 :            : // Copyright (c) 2009-2022 The Bitcoin Core developers
       2                 :            : // Copyright (c) 2017 The Zcash developers
       3                 :            : // Distributed under the MIT software license, see the accompanying
       4                 :            : // file COPYING or http://www.opensource.org/licenses/mit-license.php.
       5                 :            : 
       6                 :            : #include <key.h>
       7                 :            : 
       8                 :            : #include <crypto/common.h>
       9                 :            : #include <crypto/hmac_sha512.h>
      10                 :            : #include <hash.h>
      11                 :            : #include <random.h>
      12                 :            : 
      13                 :            : #include <secp256k1.h>
      14                 :            : #include <secp256k1_ellswift.h>
      15                 :            : #include <secp256k1_extrakeys.h>
      16                 :            : #include <secp256k1_recovery.h>
      17                 :            : #include <secp256k1_schnorrsig.h>
      18                 :            : 
      19                 :            : static secp256k1_context* secp256k1_context_sign = nullptr;
      20                 :            : 
      21                 :            : /** These functions are taken from the libsecp256k1 distribution and are very ugly. */
      22                 :            : 
      23                 :            : /**
      24                 :            :  * This parses a format loosely based on a DER encoding of the ECPrivateKey type from
      25                 :            :  * section C.4 of SEC 1 <https://www.secg.org/sec1-v2.pdf>, with the following caveats:
      26                 :            :  *
      27                 :            :  * * The octet-length of the SEQUENCE must be encoded as 1 or 2 octets. It is not
      28                 :            :  *   required to be encoded as one octet if it is less than 256, as DER would require.
      29                 :            :  * * The octet-length of the SEQUENCE must not be greater than the remaining
      30                 :            :  *   length of the key encoding, but need not match it (i.e. the encoding may contain
      31                 :            :  *   junk after the encoded SEQUENCE).
      32                 :            :  * * The privateKey OCTET STRING is zero-filled on the left to 32 octets.
      33                 :            :  * * Anything after the encoding of the privateKey OCTET STRING is ignored, whether
      34                 :            :  *   or not it is validly encoded DER.
      35                 :            :  *
      36                 :            :  * out32 must point to an output buffer of length at least 32 bytes.
      37                 :            :  */
      38                 :          0 : int ec_seckey_import_der(const secp256k1_context* ctx, unsigned char *out32, const unsigned char *seckey, size_t seckeylen) {
      39                 :          0 :     const unsigned char *end = seckey + seckeylen;
      40                 :          0 :     memset(out32, 0, 32);
      41                 :            :     /* sequence header */
      42 [ #  # ][ #  # ]:          0 :     if (end - seckey < 1 || *seckey != 0x30u) {
      43                 :          0 :         return 0;
      44                 :            :     }
      45                 :          0 :     seckey++;
      46                 :            :     /* sequence length constructor */
      47 [ #  # ][ #  # ]:          0 :     if (end - seckey < 1 || !(*seckey & 0x80u)) {
      48                 :          0 :         return 0;
      49                 :            :     }
      50                 :          0 :     ptrdiff_t lenb = *seckey & ~0x80u; seckey++;
      51 [ #  # ][ #  # ]:          0 :     if (lenb < 1 || lenb > 2) {
      52                 :          0 :         return 0;
      53                 :            :     }
      54         [ #  # ]:          0 :     if (end - seckey < lenb) {
      55                 :          0 :         return 0;
      56                 :            :     }
      57                 :            :     /* sequence length */
      58         [ #  # ]:          0 :     ptrdiff_t len = seckey[lenb-1] | (lenb > 1 ? seckey[lenb-2] << 8 : 0u);
      59                 :          0 :     seckey += lenb;
      60         [ #  # ]:          0 :     if (end - seckey < len) {
      61                 :          0 :         return 0;
      62                 :            :     }
      63                 :            :     /* sequence element 0: version number (=1) */
      64 [ #  # ][ #  # ]:          0 :     if (end - seckey < 3 || seckey[0] != 0x02u || seckey[1] != 0x01u || seckey[2] != 0x01u) {
         [ #  # ][ #  # ]
      65                 :          0 :         return 0;
      66                 :            :     }
      67                 :          0 :     seckey += 3;
      68                 :            :     /* sequence element 1: octet string, up to 32 bytes */
      69 [ #  # ][ #  # ]:          0 :     if (end - seckey < 2 || seckey[0] != 0x04u) {
      70                 :          0 :         return 0;
      71                 :            :     }
      72                 :          0 :     ptrdiff_t oslen = seckey[1];
      73                 :          0 :     seckey += 2;
      74 [ #  # ][ #  # ]:          0 :     if (oslen > 32 || end - seckey < oslen) {
      75                 :          0 :         return 0;
      76                 :            :     }
      77                 :          0 :     memcpy(out32 + (32 - oslen), seckey, oslen);
      78         [ #  # ]:          0 :     if (!secp256k1_ec_seckey_verify(ctx, out32)) {
      79                 :          0 :         memset(out32, 0, 32);
      80                 :          0 :         return 0;
      81                 :            :     }
      82                 :          0 :     return 1;
      83                 :          0 : }
      84                 :            : 
      85                 :            : /**
      86                 :            :  * This serializes to a DER encoding of the ECPrivateKey type from section C.4 of SEC 1
      87                 :            :  * <https://www.secg.org/sec1-v2.pdf>. The optional parameters and publicKey fields are
      88                 :            :  * included.
      89                 :            :  *
      90                 :            :  * seckey must point to an output buffer of length at least CKey::SIZE bytes.
      91                 :            :  * seckeylen must initially be set to the size of the seckey buffer. Upon return it
      92                 :            :  * will be set to the number of bytes used in the buffer.
      93                 :            :  * key32 must point to a 32-byte raw private key.
      94                 :            :  */
      95                 :          0 : int ec_seckey_export_der(const secp256k1_context *ctx, unsigned char *seckey, size_t *seckeylen, const unsigned char *key32, bool compressed) {
      96         [ #  # ]:          0 :     assert(*seckeylen >= CKey::SIZE);
      97                 :            :     secp256k1_pubkey pubkey;
      98                 :          0 :     size_t pubkeylen = 0;
      99         [ #  # ]:          0 :     if (!secp256k1_ec_pubkey_create(ctx, &pubkey, key32)) {
     100                 :          0 :         *seckeylen = 0;
     101                 :          0 :         return 0;
     102                 :            :     }
     103         [ #  # ]:          0 :     if (compressed) {
     104                 :            :         static const unsigned char begin[] = {
     105                 :            :             0x30,0x81,0xD3,0x02,0x01,0x01,0x04,0x20
     106                 :            :         };
     107                 :            :         static const unsigned char middle[] = {
     108                 :            :             0xA0,0x81,0x85,0x30,0x81,0x82,0x02,0x01,0x01,0x30,0x2C,0x06,0x07,0x2A,0x86,0x48,
     109                 :            :             0xCE,0x3D,0x01,0x01,0x02,0x21,0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
     110                 :            :             0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
     111                 :            :             0xFF,0xFF,0xFE,0xFF,0xFF,0xFC,0x2F,0x30,0x06,0x04,0x01,0x00,0x04,0x01,0x07,0x04,
     112                 :            :             0x21,0x02,0x79,0xBE,0x66,0x7E,0xF9,0xDC,0xBB,0xAC,0x55,0xA0,0x62,0x95,0xCE,0x87,
     113                 :            :             0x0B,0x07,0x02,0x9B,0xFC,0xDB,0x2D,0xCE,0x28,0xD9,0x59,0xF2,0x81,0x5B,0x16,0xF8,
     114                 :            :             0x17,0x98,0x02,0x21,0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
     115                 :            :             0xFF,0xFF,0xFF,0xFF,0xFE,0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,0xBF,0xD2,0x5E,
     116                 :            :             0x8C,0xD0,0x36,0x41,0x41,0x02,0x01,0x01,0xA1,0x24,0x03,0x22,0x00
     117                 :            :         };
     118                 :          0 :         unsigned char *ptr = seckey;
     119                 :          0 :         memcpy(ptr, begin, sizeof(begin)); ptr += sizeof(begin);
     120                 :          0 :         memcpy(ptr, key32, 32); ptr += 32;
     121                 :          0 :         memcpy(ptr, middle, sizeof(middle)); ptr += sizeof(middle);
     122                 :          0 :         pubkeylen = CPubKey::COMPRESSED_SIZE;
     123                 :          0 :         secp256k1_ec_pubkey_serialize(ctx, ptr, &pubkeylen, &pubkey, SECP256K1_EC_COMPRESSED);
     124                 :          0 :         ptr += pubkeylen;
     125                 :          0 :         *seckeylen = ptr - seckey;
     126         [ #  # ]:          0 :         assert(*seckeylen == CKey::COMPRESSED_SIZE);
     127                 :          0 :     } else {
     128                 :            :         static const unsigned char begin[] = {
     129                 :            :             0x30,0x82,0x01,0x13,0x02,0x01,0x01,0x04,0x20
     130                 :            :         };
     131                 :            :         static const unsigned char middle[] = {
     132                 :            :             0xA0,0x81,0xA5,0x30,0x81,0xA2,0x02,0x01,0x01,0x30,0x2C,0x06,0x07,0x2A,0x86,0x48,
     133                 :            :             0xCE,0x3D,0x01,0x01,0x02,0x21,0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
     134                 :            :             0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
     135                 :            :             0xFF,0xFF,0xFE,0xFF,0xFF,0xFC,0x2F,0x30,0x06,0x04,0x01,0x00,0x04,0x01,0x07,0x04,
     136                 :            :             0x41,0x04,0x79,0xBE,0x66,0x7E,0xF9,0xDC,0xBB,0xAC,0x55,0xA0,0x62,0x95,0xCE,0x87,
     137                 :            :             0x0B,0x07,0x02,0x9B,0xFC,0xDB,0x2D,0xCE,0x28,0xD9,0x59,0xF2,0x81,0x5B,0x16,0xF8,
     138                 :            :             0x17,0x98,0x48,0x3A,0xDA,0x77,0x26,0xA3,0xC4,0x65,0x5D,0xA4,0xFB,0xFC,0x0E,0x11,
     139                 :            :             0x08,0xA8,0xFD,0x17,0xB4,0x48,0xA6,0x85,0x54,0x19,0x9C,0x47,0xD0,0x8F,0xFB,0x10,
     140                 :            :             0xD4,0xB8,0x02,0x21,0x00,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
     141                 :            :             0xFF,0xFF,0xFF,0xFF,0xFE,0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,0xBF,0xD2,0x5E,
     142                 :            :             0x8C,0xD0,0x36,0x41,0x41,0x02,0x01,0x01,0xA1,0x44,0x03,0x42,0x00
     143                 :            :         };
     144                 :          0 :         unsigned char *ptr = seckey;
     145                 :          0 :         memcpy(ptr, begin, sizeof(begin)); ptr += sizeof(begin);
     146                 :          0 :         memcpy(ptr, key32, 32); ptr += 32;
     147                 :          0 :         memcpy(ptr, middle, sizeof(middle)); ptr += sizeof(middle);
     148                 :          0 :         pubkeylen = CPubKey::SIZE;
     149                 :          0 :         secp256k1_ec_pubkey_serialize(ctx, ptr, &pubkeylen, &pubkey, SECP256K1_EC_UNCOMPRESSED);
     150                 :          0 :         ptr += pubkeylen;
     151                 :          0 :         *seckeylen = ptr - seckey;
     152         [ #  # ]:          0 :         assert(*seckeylen == CKey::SIZE);
     153                 :            :     }
     154                 :          0 :     return 1;
     155                 :          0 : }
     156                 :            : 
     157                 :      15006 : bool CKey::Check(const unsigned char *vch) {
     158                 :      15006 :     return secp256k1_ec_seckey_verify(secp256k1_context_sign, vch);
     159                 :            : }
     160                 :            : 
     161                 :          0 : void CKey::MakeNewKey(bool fCompressedIn) {
     162                 :          0 :     MakeKeyData();
     163                 :          0 :     do {
     164                 :          0 :         GetStrongRandBytes(*keydata);
     165         [ #  # ]:          0 :     } while (!Check(keydata->data()));
     166                 :          0 :     fCompressed = fCompressedIn;
     167                 :          0 : }
     168                 :            : 
     169                 :          0 : bool CKey::Negate()
     170                 :            : {
     171         [ #  # ]:          0 :     assert(keydata);
     172                 :          0 :     return secp256k1_ec_seckey_negate(secp256k1_context_sign, keydata->data());
     173                 :            : }
     174                 :            : 
     175                 :          0 : CPrivKey CKey::GetPrivKey() const {
     176         [ #  # ]:          0 :     assert(keydata);
     177                 :          0 :     CPrivKey seckey;
     178                 :            :     int ret;
     179                 :            :     size_t seckeylen;
     180         [ #  # ]:          0 :     seckey.resize(SIZE);
     181                 :          0 :     seckeylen = SIZE;
     182 [ #  # ][ #  # ]:          0 :     ret = ec_seckey_export_der(secp256k1_context_sign, seckey.data(), &seckeylen, begin(), fCompressed);
     183         [ #  # ]:          0 :     assert(ret);
     184         [ #  # ]:          0 :     seckey.resize(seckeylen);
     185                 :          0 :     return seckey;
     186         [ #  # ]:          0 : }
     187                 :            : 
     188                 :      27134 : CPubKey CKey::GetPubKey() const {
     189         [ +  - ]:      27134 :     assert(keydata);
     190                 :            :     secp256k1_pubkey pubkey;
     191                 :      27134 :     size_t clen = CPubKey::SIZE;
     192                 :      27134 :     CPubKey result;
     193                 :      27134 :     int ret = secp256k1_ec_pubkey_create(secp256k1_context_sign, &pubkey, begin());
     194         [ +  - ]:      27134 :     assert(ret);
     195                 :      27134 :     secp256k1_ec_pubkey_serialize(secp256k1_context_sign, (unsigned char*)result.begin(), &clen, &pubkey, fCompressed ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED);
     196         [ +  - ]:      27134 :     assert(result.size() == clen);
     197         [ +  - ]:      27134 :     assert(result.IsValid());
     198                 :      27134 :     return result;
     199                 :            : }
     200                 :            : 
     201                 :            : // Check that the sig has a low R value and will be less than 71 bytes
     202                 :          0 : bool SigHasLowR(const secp256k1_ecdsa_signature* sig)
     203                 :            : {
     204                 :            :     unsigned char compact_sig[64];
     205                 :          0 :     secp256k1_ecdsa_signature_serialize_compact(secp256k1_context_sign, compact_sig, sig);
     206                 :            : 
     207                 :            :     // In DER serialization, all values are interpreted as big-endian, signed integers. The highest bit in the integer indicates
     208                 :            :     // its signed-ness; 0 is positive, 1 is negative. When the value is interpreted as a negative integer, it must be converted
     209                 :            :     // to a positive value by prepending a 0x00 byte so that the highest bit is 0. We can avoid this prepending by ensuring that
     210                 :            :     // our highest bit is always 0, and thus we must check that the first byte is less than 0x80.
     211                 :          0 :     return compact_sig[0] < 0x80;
     212                 :            : }
     213                 :            : 
     214                 :          0 : bool CKey::Sign(const uint256 &hash, std::vector<unsigned char>& vchSig, bool grind, uint32_t test_case) const {
     215         [ #  # ]:          0 :     if (!keydata)
     216                 :          0 :         return false;
     217                 :          0 :     vchSig.resize(CPubKey::SIGNATURE_SIZE);
     218                 :          0 :     size_t nSigLen = CPubKey::SIGNATURE_SIZE;
     219                 :          0 :     unsigned char extra_entropy[32] = {0};
     220                 :          0 :     WriteLE32(extra_entropy, test_case);
     221                 :            :     secp256k1_ecdsa_signature sig;
     222                 :          0 :     uint32_t counter = 0;
     223 [ #  # ][ #  # ]:          0 :     int ret = secp256k1_ecdsa_sign(secp256k1_context_sign, &sig, hash.begin(), begin(), secp256k1_nonce_function_rfc6979, (!grind && test_case) ? extra_entropy : nullptr);
     224                 :            : 
     225                 :            :     // Grind for low R
     226 [ #  # ][ #  # ]:          0 :     while (ret && !SigHasLowR(&sig) && grind) {
                 [ #  # ]
     227                 :          0 :         WriteLE32(extra_entropy, ++counter);
     228                 :          0 :         ret = secp256k1_ecdsa_sign(secp256k1_context_sign, &sig, hash.begin(), begin(), secp256k1_nonce_function_rfc6979, extra_entropy);
     229                 :            :     }
     230         [ #  # ]:          0 :     assert(ret);
     231                 :          0 :     secp256k1_ecdsa_signature_serialize_der(secp256k1_context_sign, vchSig.data(), &nSigLen, &sig);
     232                 :          0 :     vchSig.resize(nSigLen);
     233                 :            :     // Additional verification step to prevent using a potentially corrupted signature
     234                 :            :     secp256k1_pubkey pk;
     235                 :          0 :     ret = secp256k1_ec_pubkey_create(secp256k1_context_sign, &pk, begin());
     236         [ #  # ]:          0 :     assert(ret);
     237                 :          0 :     ret = secp256k1_ecdsa_verify(secp256k1_context_static, &sig, hash.begin(), &pk);
     238         [ #  # ]:          0 :     assert(ret);
     239                 :          0 :     return true;
     240                 :          0 : }
     241                 :            : 
     242                 :          0 : bool CKey::VerifyPubKey(const CPubKey& pubkey) const {
     243         [ #  # ]:          0 :     if (pubkey.IsCompressed() != fCompressed) {
     244                 :          0 :         return false;
     245                 :            :     }
     246                 :            :     unsigned char rnd[8];
     247         [ #  # ]:          0 :     std::string str = "Bitcoin key verification\n";
     248                 :          0 :     GetRandBytes(rnd);
     249         [ #  # ]:          0 :     uint256 hash{Hash(str, rnd)};
     250                 :          0 :     std::vector<unsigned char> vchSig;
     251         [ #  # ]:          0 :     Sign(hash, vchSig);
     252         [ #  # ]:          0 :     return pubkey.Verify(hash, vchSig);
     253                 :          0 : }
     254                 :            : 
     255                 :          0 : bool CKey::SignCompact(const uint256 &hash, std::vector<unsigned char>& vchSig) const {
     256         [ #  # ]:          0 :     if (!keydata)
     257                 :          0 :         return false;
     258                 :          0 :     vchSig.resize(CPubKey::COMPACT_SIGNATURE_SIZE);
     259                 :          0 :     int rec = -1;
     260                 :            :     secp256k1_ecdsa_recoverable_signature rsig;
     261                 :          0 :     int ret = secp256k1_ecdsa_sign_recoverable(secp256k1_context_sign, &rsig, hash.begin(), begin(), secp256k1_nonce_function_rfc6979, nullptr);
     262         [ #  # ]:          0 :     assert(ret);
     263                 :          0 :     ret = secp256k1_ecdsa_recoverable_signature_serialize_compact(secp256k1_context_sign, &vchSig[1], &rec, &rsig);
     264         [ #  # ]:          0 :     assert(ret);
     265         [ #  # ]:          0 :     assert(rec != -1);
     266                 :          0 :     vchSig[0] = 27 + rec + (fCompressed ? 4 : 0);
     267                 :            :     // Additional verification step to prevent using a potentially corrupted signature
     268                 :            :     secp256k1_pubkey epk, rpk;
     269                 :          0 :     ret = secp256k1_ec_pubkey_create(secp256k1_context_sign, &epk, begin());
     270         [ #  # ]:          0 :     assert(ret);
     271                 :          0 :     ret = secp256k1_ecdsa_recover(secp256k1_context_static, &rpk, &rsig, hash.begin());
     272         [ #  # ]:          0 :     assert(ret);
     273                 :          0 :     ret = secp256k1_ec_pubkey_cmp(secp256k1_context_static, &epk, &rpk);
     274         [ #  # ]:          0 :     assert(ret == 0);
     275                 :          0 :     return true;
     276                 :          0 : }
     277                 :            : 
     278                 :          0 : bool CKey::SignSchnorr(const uint256& hash, Span<unsigned char> sig, const uint256* merkle_root, const uint256& aux) const
     279                 :            : {
     280         [ #  # ]:          0 :     assert(sig.size() == 64);
     281                 :            :     secp256k1_keypair keypair;
     282         [ #  # ]:          0 :     if (!secp256k1_keypair_create(secp256k1_context_sign, &keypair, begin())) return false;
     283         [ #  # ]:          0 :     if (merkle_root) {
     284                 :            :         secp256k1_xonly_pubkey pubkey;
     285         [ #  # ]:          0 :         if (!secp256k1_keypair_xonly_pub(secp256k1_context_sign, &pubkey, nullptr, &keypair)) return false;
     286                 :            :         unsigned char pubkey_bytes[32];
     287         [ #  # ]:          0 :         if (!secp256k1_xonly_pubkey_serialize(secp256k1_context_sign, pubkey_bytes, &pubkey)) return false;
     288         [ #  # ]:          0 :         uint256 tweak = XOnlyPubKey(pubkey_bytes).ComputeTapTweakHash(merkle_root->IsNull() ? nullptr : merkle_root);
     289         [ #  # ]:          0 :         if (!secp256k1_keypair_xonly_tweak_add(secp256k1_context_static, &keypair, tweak.data())) return false;
     290                 :          0 :     }
     291                 :          0 :     bool ret = secp256k1_schnorrsig_sign32(secp256k1_context_sign, sig.data(), hash.data(), &keypair, aux.data());
     292         [ #  # ]:          0 :     if (ret) {
     293                 :            :         // Additional verification step to prevent using a potentially corrupted signature
     294                 :            :         secp256k1_xonly_pubkey pubkey_verify;
     295                 :          0 :         ret = secp256k1_keypair_xonly_pub(secp256k1_context_static, &pubkey_verify, nullptr, &keypair);
     296                 :          0 :         ret &= secp256k1_schnorrsig_verify(secp256k1_context_static, sig.data(), hash.begin(), 32, &pubkey_verify);
     297                 :          0 :     }
     298         [ #  # ]:          0 :     if (!ret) memory_cleanse(sig.data(), sig.size());
     299                 :          0 :     memory_cleanse(&keypair, sizeof(keypair));
     300                 :          0 :     return ret;
     301                 :          0 : }
     302                 :            : 
     303                 :          0 : bool CKey::Load(const CPrivKey &seckey, const CPubKey &vchPubKey, bool fSkipCheck=false) {
     304                 :          0 :     MakeKeyData();
     305         [ #  # ]:          0 :     if (!ec_seckey_import_der(secp256k1_context_sign, (unsigned char*)begin(), seckey.data(), seckey.size())) {
     306                 :          0 :         ClearKeyData();
     307                 :          0 :         return false;
     308                 :            :     }
     309                 :          0 :     fCompressed = vchPubKey.IsCompressed();
     310                 :            : 
     311         [ #  # ]:          0 :     if (fSkipCheck)
     312                 :          0 :         return true;
     313                 :            : 
     314                 :          0 :     return VerifyPubKey(vchPubKey);
     315                 :          0 : }
     316                 :            : 
     317                 :       5862 : bool CKey::Derive(CKey& keyChild, ChainCode &ccChild, unsigned int nChild, const ChainCode& cc) const {
     318         [ +  - ]:       5862 :     assert(IsValid());
     319         [ +  - ]:       5862 :     assert(IsCompressed());
     320                 :       5862 :     std::vector<unsigned char, secure_allocator<unsigned char>> vout(64);
     321         [ +  + ]:       5862 :     if ((nChild >> 31) == 0) {
     322         [ +  - ]:       3335 :         CPubKey pubkey = GetPubKey();
     323 [ +  - ][ -  + ]:       3335 :         assert(pubkey.size() == CPubKey::COMPRESSED_SIZE);
     324 [ +  - ][ +  - ]:       3335 :         BIP32Hash(cc, nChild, *pubkey.begin(), pubkey.begin()+1, vout.data());
                 [ +  - ]
     325                 :       3335 :     } else {
     326 [ +  - ][ +  - ]:       2527 :         assert(size() == 32);
     327 [ +  - ][ +  - ]:       2527 :         BIP32Hash(cc, nChild, 0, begin(), vout.data());
     328                 :            :     }
     329         [ +  - ]:       5862 :     memcpy(ccChild.begin(), vout.data()+32, 32);
     330 [ +  - ][ +  - ]:       5862 :     keyChild.Set(begin(), begin() + 32, true);
                 [ +  - ]
     331 [ +  - ][ +  - ]:       5862 :     bool ret = secp256k1_ec_seckey_tweak_add(secp256k1_context_sign, (unsigned char*)keyChild.begin(), vout.data());
     332 [ -  + ][ #  # ]:       5862 :     if (!ret) keyChild.ClearKeyData();
     333                 :       5862 :     return ret;
     334                 :       5862 : }
     335                 :            : 
     336                 :          0 : EllSwiftPubKey CKey::EllSwiftCreate(Span<const std::byte> ent32) const
     337                 :            : {
     338         [ #  # ]:          0 :     assert(keydata);
     339         [ #  # ]:          0 :     assert(ent32.size() == 32);
     340                 :            :     std::array<std::byte, EllSwiftPubKey::size()> encoded_pubkey;
     341                 :            : 
     342                 :          0 :     auto success = secp256k1_ellswift_create(secp256k1_context_sign,
     343                 :          0 :                                              UCharCast(encoded_pubkey.data()),
     344                 :          0 :                                              keydata->data(),
     345                 :          0 :                                              UCharCast(ent32.data()));
     346                 :            : 
     347                 :            :     // Should always succeed for valid keys (asserted above).
     348         [ #  # ]:          0 :     assert(success);
     349                 :          0 :     return {encoded_pubkey};
     350                 :            : }
     351                 :            : 
     352                 :          0 : ECDHSecret CKey::ComputeBIP324ECDHSecret(const EllSwiftPubKey& their_ellswift, const EllSwiftPubKey& our_ellswift, bool initiating) const
     353                 :            : {
     354         [ #  # ]:          0 :     assert(keydata);
     355                 :            : 
     356                 :            :     ECDHSecret output;
     357                 :            :     // BIP324 uses the initiator as party A, and the responder as party B. Remap the inputs
     358                 :            :     // accordingly:
     359                 :          0 :     bool success = secp256k1_ellswift_xdh(secp256k1_context_sign,
     360                 :          0 :                                           UCharCast(output.data()),
     361         [ #  # ]:          0 :                                           UCharCast(initiating ? our_ellswift.data() : their_ellswift.data()),
     362         [ #  # ]:          0 :                                           UCharCast(initiating ? their_ellswift.data() : our_ellswift.data()),
     363                 :          0 :                                           keydata->data(),
     364                 :          0 :                                           initiating ? 0 : 1,
     365                 :          0 :                                           secp256k1_ellswift_xdh_hash_function_bip324,
     366                 :            :                                           nullptr);
     367                 :            :     // Should always succeed for valid keys (assert above).
     368         [ #  # ]:          0 :     assert(success);
     369                 :          0 :     return output;
     370                 :            : }
     371                 :            : 
     372                 :       5862 : bool CExtKey::Derive(CExtKey &out, unsigned int _nChild) const {
     373         [ -  + ]:       5862 :     if (nDepth == std::numeric_limits<unsigned char>::max()) return false;
     374                 :       5862 :     out.nDepth = nDepth + 1;
     375                 :       5862 :     CKeyID id = key.GetPubKey().GetID();
     376                 :       5862 :     memcpy(out.vchFingerprint, &id, 4);
     377                 :       5862 :     out.nChild = _nChild;
     378                 :       5862 :     return key.Derive(out.key, out.chaincode, _nChild, chaincode);
     379                 :       5862 : }
     380                 :            : 
     381                 :         84 : void CExtKey::SetSeed(Span<const std::byte> seed)
     382                 :            : {
     383                 :            :     static const unsigned char hashkey[] = {'B','i','t','c','o','i','n',' ','s','e','e','d'};
     384                 :         84 :     std::vector<unsigned char, secure_allocator<unsigned char>> vout(64);
     385 [ +  - ][ +  - ]:         84 :     CHMAC_SHA512{hashkey, sizeof(hashkey)}.Write(UCharCast(seed.data()), seed.size()).Finalize(vout.data());
         [ +  - ][ +  - ]
     386         [ +  - ]:         84 :     key.Set(vout.data(), vout.data() + 32, true);
     387         [ +  - ]:         84 :     memcpy(chaincode.begin(), vout.data() + 32, 32);
     388                 :         84 :     nDepth = 0;
     389                 :         84 :     nChild = 0;
     390                 :         84 :     memset(vchFingerprint, 0, sizeof(vchFingerprint));
     391                 :         84 : }
     392                 :            : 
     393                 :       8146 : CExtPubKey CExtKey::Neuter() const {
     394                 :       8146 :     CExtPubKey ret;
     395                 :       8146 :     ret.nDepth = nDepth;
     396                 :       8146 :     memcpy(ret.vchFingerprint, vchFingerprint, 4);
     397                 :       8146 :     ret.nChild = nChild;
     398                 :       8146 :     ret.pubkey = key.GetPubKey();
     399                 :       8146 :     ret.chaincode = chaincode;
     400                 :       8146 :     return ret;
     401                 :            : }
     402                 :            : 
     403                 :        714 : void CExtKey::Encode(unsigned char code[BIP32_EXTKEY_SIZE]) const {
     404                 :        714 :     code[0] = nDepth;
     405                 :        714 :     memcpy(code+1, vchFingerprint, 4);
     406                 :        714 :     WriteBE32(code+5, nChild);
     407                 :        714 :     memcpy(code+9, chaincode.begin(), 32);
     408                 :        714 :     code[41] = 0;
     409         [ +  - ]:        714 :     assert(key.size() == 32);
     410                 :        714 :     memcpy(code+42, key.begin(), 32);
     411                 :        714 : }
     412                 :            : 
     413                 :       5316 : void CExtKey::Decode(const unsigned char code[BIP32_EXTKEY_SIZE]) {
     414                 :       5316 :     nDepth = code[0];
     415                 :       5316 :     memcpy(vchFingerprint, code+1, 4);
     416                 :       5316 :     nChild = ReadBE32(code+5);
     417                 :       5316 :     memcpy(chaincode.begin(), code+9, 32);
     418                 :       5316 :     key.Set(code+42, code+BIP32_EXTKEY_SIZE, true);
     419 [ +  - ][ +  - ]:       5316 :     if ((nDepth == 0 && (nChild != 0 || ReadLE32(vchFingerprint) != 0)) || code[41] != 0) key = CKey();
                 [ +  + ]
     420                 :       5316 : }
     421                 :            : 
     422                 :          0 : bool ECC_InitSanityCheck() {
     423                 :          0 :     CKey key;
     424         [ #  # ]:          0 :     key.MakeNewKey(true);
     425         [ #  # ]:          0 :     CPubKey pubkey = key.GetPubKey();
     426         [ #  # ]:          0 :     return key.VerifyPubKey(pubkey);
     427                 :          0 : }
     428                 :            : 
     429                 :          1 : void ECC_Start() {
     430         [ +  - ]:          1 :     assert(secp256k1_context_sign == nullptr);
     431                 :            : 
     432                 :          1 :     secp256k1_context *ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
     433         [ +  - ]:          1 :     assert(ctx != nullptr);
     434                 :            : 
     435                 :            :     {
     436                 :            :         // Pass in a random blinding seed to the secp256k1 context.
     437                 :          1 :         std::vector<unsigned char, secure_allocator<unsigned char>> vseed(32);
     438         [ +  - ]:          1 :         GetRandBytes(vseed);
     439         [ +  - ]:          1 :         bool ret = secp256k1_context_randomize(ctx, vseed.data());
     440         [ +  - ]:          1 :         assert(ret);
     441                 :          1 :     }
     442                 :            : 
     443                 :          1 :     secp256k1_context_sign = ctx;
     444                 :          1 : }
     445                 :            : 
     446                 :          0 : void ECC_Stop() {
     447                 :          0 :     secp256k1_context *ctx = secp256k1_context_sign;
     448                 :          0 :     secp256k1_context_sign = nullptr;
     449                 :            : 
     450         [ #  # ]:          0 :     if (ctx) {
     451                 :          0 :         secp256k1_context_destroy(ctx);
     452                 :          0 :     }
     453                 :          0 : }

Generated by: LCOV version 1.14