@@ -73,9 +73,9 @@ static int point_negate(const point_t *P, point_t *out) {
7373 set_point_infinite (out );
7474 return 0 ;
7575 }
76- memmove (out -> x , P -> x , 32 );
76+ memmove (out -> x , P -> x , sizeof ( out -> x ) );
7777
78- if (CX_OK != cx_math_sub_no_throw (out -> y , secp256k1_p , P -> y , 32 )) return -1 ;
78+ if (CX_OK != cx_math_sub_no_throw (out -> y , secp256k1_p , P -> y , sizeof ( out -> y ) )) return -1 ;
7979
8080 out -> prefix = 4 ;
8181 return 0 ;
@@ -114,9 +114,9 @@ static bool is_array_zero(const uint8_t buffer[], size_t buffer_len) {
114114 return acc == 0 ;
115115}
116116
117- int cpoint_ext (const uint8_t x [static 33 ], point_t * out ) {
117+ static int cpoint_ext (const uint8_t x [static sizeof ( plain_pk_t ) ], point_t * out ) {
118118 // Check if the point is at infinity (all bytes zero)
119- if (is_array_zero (x , 33 )) {
119+ if (is_array_zero (x , sizeof ( plain_pk_t ) )) {
120120 set_point_infinite (out );
121121 return 0 ;
122122 }
@@ -135,15 +135,17 @@ static void musig_get_second_key(const plain_pk_t pubkeys[], size_t n_keys, plai
135135 memset (out , 0 , sizeof (plain_pk_t ));
136136}
137137
138- static void musig_hash_keys (const plain_pk_t pubkeys [], size_t n_keys , uint8_t out [static 32 ]) {
138+ static void musig_hash_keys (const plain_pk_t pubkeys [],
139+ size_t n_keys ,
140+ uint8_t out [static CX_SHA256_SIZE ]) {
139141 cx_sha256_t hash_context ;
140142 crypto_tr_tagged_hash_init (& hash_context ,
141143 BIP0327_keyagg_list_tag ,
142144 sizeof (BIP0327_keyagg_list_tag ));
143145 for (size_t i = 0 ; i < n_keys ; i ++ ) {
144146 crypto_hash_update (& hash_context .header , pubkeys [i ], sizeof (plain_pk_t ));
145147 }
146- crypto_hash_digest (& hash_context .header , out , 32 );
148+ crypto_hash_digest (& hash_context .header , out , CX_SHA256_SIZE );
147149}
148150
149151static void musig_key_agg_coeff_internal (const plain_pk_t pubkeys [],
@@ -207,13 +209,20 @@ int musig_key_agg(const plain_pk_t pubkeys[], size_t n_keys, musig_keyagg_contex
207209
208210 point_add (& ctx -> Q , & P , & ctx -> Q );
209211 }
212+
213+ if (is_point_infinite (& ctx -> Q )) {
214+ PRINTF ("Musig key aggregation resulted in an infinite point\n" );
215+ return -1 ;
216+ }
217+
210218 memset (ctx -> tacc , 0 , sizeof (ctx -> tacc ));
211219 memset (ctx -> gacc , 0 , sizeof (ctx -> gacc ));
212220 ctx -> gacc [31 ] = 1 ;
213221 return 0 ;
214222}
215223
216224static void musig_nonce_hash (const uint8_t * rand ,
225+ size_t rand_len ,
217226 const plain_pk_t pk ,
218227 const xonly_pk_t aggpk ,
219228 uint8_t i ,
@@ -226,7 +235,7 @@ static void musig_nonce_hash(const uint8_t *rand,
226235 crypto_tr_tagged_hash_init (& hash_context , BIP0327_nonce_tag , sizeof (BIP0327_nonce_tag ));
227236
228237 // rand
229- crypto_hash_update (& hash_context .header , rand , 32 );
238+ crypto_hash_update (& hash_context .header , rand , rand_len );
230239
231240 // len(pk) + pk
232241 crypto_hash_update_u8 (& hash_context .header , sizeof (plain_pk_t ));
@@ -252,19 +261,26 @@ static void musig_nonce_hash(const uint8_t *rand,
252261
253262// same as nonce_gen_internal from the reference, removing the optional arguments sk, msg and
254263// extra_in, and making aggpk compulsory
255- int musig_nonce_gen (const uint8_t rand [32 ],
264+ int musig_nonce_gen (const uint8_t * rand ,
265+ size_t rand_len ,
256266 const plain_pk_t pk ,
257267 const xonly_pk_t aggpk ,
258268 musig_secnonce_t * secnonce ,
259269 musig_pubnonce_t * pubnonce ) {
260270 uint8_t msg [] = {0x00 };
261271
262- musig_nonce_hash (rand , pk , aggpk , 0 , msg , 1 , NULL , 0 , secnonce -> k_1 );
272+ musig_nonce_hash (rand , rand_len , pk , aggpk , 0 , msg , 1 , NULL , 0 , secnonce -> k_1 );
263273 if (CX_OK != cx_math_modm_no_throw (secnonce -> k_1 , 32 , secp256k1_n , 32 )) return -1 ;
264- musig_nonce_hash (rand , pk , aggpk , 1 , msg , 1 , NULL , 0 , secnonce -> k_2 );
274+ musig_nonce_hash (rand , rand_len , pk , aggpk , 1 , msg , 1 , NULL , 0 , secnonce -> k_2 );
265275 if (CX_OK != cx_math_modm_no_throw (secnonce -> k_2 , 32 , secp256k1_n , 32 )) return -1 ;
266276
267- memcpy (secnonce -> pk , pk , 33 );
277+ if (is_array_zero (secnonce -> k_1 , sizeof (secnonce -> k_1 )) ||
278+ is_array_zero (secnonce -> k_2 , sizeof (secnonce -> k_2 ))) {
279+ // this can only happen with negligible probability
280+ return -1 ;
281+ }
282+
283+ memcpy (secnonce -> pk , pk , sizeof (secnonce -> pk ));
268284
269285 point_t R_s1 , R_s2 ;
270286
@@ -283,17 +299,17 @@ int musig_nonce_agg(const musig_pubnonce_t pubnonces[], size_t n_keys, musig_pub
283299 set_point_infinite (& R_j );
284300 for (size_t i = 0 ; i < n_keys ; i ++ ) {
285301 point_t R_ij ;
286- if (0 > cpoint (& pubnonces [i ].raw [(j - 1 ) * 33 ], & R_ij )) {
302+ if (0 > cpoint (& pubnonces [i ].raw [(j - 1 ) * sizeof ( plain_pk_t ) ], & R_ij )) {
287303 PRINTF ("Musig2 nonce aggregation: invalid contribution from cosigner %d\n" , i );
288304 return - i - 1 ;
289305 }
290306 point_add (& R_j , & R_ij , & R_j );
291307 }
292308
293309 if (is_point_infinite (& R_j )) {
294- memset (& out -> raw [(j - 1 ) * 33 ], 0 , 33 );
310+ memset (& out -> raw [(j - 1 ) * sizeof ( plain_pk_t ) ], 0 , sizeof ( plain_pk_t ) );
295311 } else {
296- crypto_get_compressed_pubkey (R_j .raw , & out -> raw [(j - 1 ) * 33 ]);
312+ crypto_get_compressed_pubkey (R_j .raw , & out -> raw [(j - 1 ) * sizeof ( plain_pk_t ) ]);
297313 }
298314 }
299315 return 0 ;
@@ -362,14 +378,18 @@ static int musig_get_session_values(const musig_session_context_t *session_ctx,
362378 point_t * Q ,
363379 uint8_t gacc [static 32 ],
364380 uint8_t tacc [static 32 ],
365- uint8_t b [static 32 ],
381+ uint8_t b [static CX_SHA256_SIZE ],
366382 point_t * R ,
367- uint8_t e [static 32 ]) {
383+ uint8_t e [static CX_SHA256_SIZE ]) {
368384 cx_sha256_t hash_context ;
369385
370386 // Perform key aggregation and tweaking
371387 musig_keyagg_context_t keyagg_ctx ;
372- musig_key_agg (session_ctx -> pubkeys , session_ctx -> n_keys , & keyagg_ctx );
388+
389+ if (0 > musig_key_agg (session_ctx -> pubkeys , session_ctx -> n_keys , & keyagg_ctx )) {
390+ return -1 ;
391+ }
392+
373393 for (size_t i = 0 ; i < session_ctx -> n_tweaks ; i ++ ) {
374394 if (0 > apply_tweak (& keyagg_ctx , session_ctx -> tweaks [i ], session_ctx -> is_xonly [i ])) {
375395 return -1 ;
@@ -383,10 +403,12 @@ static int musig_get_session_values(const musig_session_context_t *session_ctx,
383403
384404 // Calculate b
385405 crypto_tr_tagged_hash_init (& hash_context , BIP0327_noncecoef_tag , sizeof (BIP0327_noncecoef_tag ));
386- crypto_hash_update (& hash_context .header , session_ctx -> aggnonce -> raw , 66 );
387- crypto_hash_update (& hash_context .header , Q -> x , 32 );
406+ crypto_hash_update (& hash_context .header ,
407+ session_ctx -> aggnonce -> raw ,
408+ sizeof (session_ctx -> aggnonce -> raw ));
409+ crypto_hash_update (& hash_context .header , Q -> x , sizeof (Q -> x ));
388410 crypto_hash_update (& hash_context .header , session_ctx -> msg , session_ctx -> msg_len );
389- crypto_hash_digest (& hash_context .header , b , 32 );
411+ crypto_hash_digest (& hash_context .header , b , CX_SHA256_SIZE );
390412
391413 // Calculate R
392414 point_t R_1 , R_2 ;
@@ -411,10 +433,10 @@ static int musig_get_session_values(const musig_session_context_t *session_ctx,
411433
412434 // Calculate e
413435 crypto_tr_tagged_hash_init (& hash_context , BIP0340_challenge_tag , sizeof (BIP0340_challenge_tag ));
414- crypto_hash_update (& hash_context .header , R -> x , 32 );
415- crypto_hash_update (& hash_context .header , Q -> x , 32 );
436+ crypto_hash_update (& hash_context .header , R -> x , sizeof ( R -> x ) );
437+ crypto_hash_update (& hash_context .header , Q -> x , sizeof ( Q -> x ) );
416438 crypto_hash_update (& hash_context .header , session_ctx -> msg , session_ctx -> msg_len );
417- crypto_hash_digest (& hash_context .header , e , 32 );
439+ crypto_hash_digest (& hash_context .header , e , CX_SHA256_SIZE );
418440 return 0 ;
419441}
420442
@@ -448,9 +470,9 @@ int musig_sign(musig_secnonce_t *secnonce,
448470 point_t Q ;
449471 uint8_t gacc [32 ];
450472 uint8_t tacc [32 ];
451- uint8_t b [32 ];
473+ uint8_t b [CX_SHA256_SIZE ];
452474 point_t R ;
453- uint8_t e [32 ];
475+ uint8_t e [CX_SHA256_SIZE ];
454476
455477 int diff ;
456478
@@ -460,8 +482,8 @@ int musig_sign(musig_secnonce_t *secnonce,
460482
461483 uint8_t k_1 [32 ];
462484 uint8_t k_2 [32 ];
463- memcpy (k_1 , secnonce -> k_1 , 32 );
464- memcpy (k_2 , secnonce -> k_2 , 32 );
485+ memcpy (k_1 , secnonce -> k_1 , sizeof ( k_1 ) );
486+ memcpy (k_2 , secnonce -> k_2 , sizeof ( k_2 ) );
465487
466488 // paranoia: since reusing nonces is catastrophic, we make sure that they are zeroed out and
467489 // work with a local copy instead
@@ -522,7 +544,7 @@ int musig_sign(musig_secnonce_t *secnonce,
522544 plain_pk_t pk ;
523545 crypto_get_compressed_pubkey (secrets .P .raw , pk );
524546
525- if (memcmp (pk , secnonce -> pk , 33 ) != 0 ) {
547+ if (memcmp (pk , secnonce -> pk , sizeof ( pk ) ) != 0 ) {
526548 err = true;
527549 PRINTF ("Public key does not match nonce_gen argument\n" );
528550 break ;
0 commit comments