@@ -452,7 +452,14 @@ SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(
452
452
* 0: incorrect or unparseable signature
453
453
* Args: ctx: a secp256k1 context object, initialized for verification.
454
454
* In: sig: the signature being verified (cannot be NULL)
455
- * msg32: the 32-byte message hash being verified (cannot be NULL)
455
+ * msghash32: the 32-byte message hash being verified (cannot be NULL).
456
+ * The verifier must make sure to apply a cryptographic
457
+ * hash function to the message by itself and not accept an
458
+ * msghash32 value directly. Otherwise, it would be easy to
459
+ * create a "valid" signature without knowledge of the
460
+ * secret key. See also
461
+ * https://bitcoin.stackexchange.com/a/81116/35586 for more
462
+ * background on this topic.
456
463
* pubkey: pointer to an initialized public key to verify with (cannot be NULL)
457
464
*
458
465
* To avoid accepting malleable signatures, only ECDSA signatures in lower-S
@@ -467,7 +474,7 @@ SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(
467
474
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify (
468
475
const secp256k1_context * ctx ,
469
476
const secp256k1_ecdsa_signature * sig ,
470
- const unsigned char * msg32 ,
477
+ const unsigned char * msghash32 ,
471
478
const secp256k1_pubkey * pubkey
472
479
) SECP256K1_ARG_NONNULL (1 ) SECP256K1_ARG_NONNULL (2 ) SECP256K1_ARG_NONNULL (3 ) SECP256K1_ARG_NONNULL (4 );
473
480
@@ -532,20 +539,20 @@ SECP256K1_API extern const secp256k1_nonce_function secp256k1_nonce_function_def
532
539
*
533
540
* Returns: 1: signature created
534
541
* 0: the nonce generation function failed, or the secret key was invalid.
535
- * Args: ctx: pointer to a context object, initialized for signing (cannot be NULL)
536
- * Out: sig: pointer to an array where the signature will be placed (cannot be NULL)
537
- * In: msg32: the 32-byte message hash being signed (cannot be NULL)
538
- * seckey: pointer to a 32-byte secret key (cannot be NULL)
539
- * noncefp:pointer to a nonce generation function. If NULL, secp256k1_nonce_function_default is used
540
- * ndata: pointer to arbitrary data used by the nonce generation function (can be NULL)
542
+ * Args: ctx: pointer to a context object, initialized for signing (cannot be NULL)
543
+ * Out: sig: pointer to an array where the signature will be placed (cannot be NULL)
544
+ * In: msghash32: the 32-byte message hash being signed (cannot be NULL)
545
+ * seckey: pointer to a 32-byte secret key (cannot be NULL)
546
+ * noncefp: pointer to a nonce generation function. If NULL, secp256k1_nonce_function_default is used
547
+ * ndata: pointer to arbitrary data used by the nonce generation function (can be NULL)
541
548
*
542
549
* The created signature is always in lower-S form. See
543
550
* secp256k1_ecdsa_signature_normalize for more details.
544
551
*/
545
552
SECP256K1_API int secp256k1_ecdsa_sign (
546
553
const secp256k1_context * ctx ,
547
554
secp256k1_ecdsa_signature * sig ,
548
- const unsigned char * msg32 ,
555
+ const unsigned char * msghash32 ,
549
556
const unsigned char * seckey ,
550
557
secp256k1_nonce_function noncefp ,
551
558
const void * ndata
@@ -626,23 +633,23 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_negate(
626
633
* invalid according to secp256k1_ec_seckey_verify, this
627
634
* function returns 0. seckey will be set to some unspecified
628
635
* value if this function returns 0. (cannot be NULL)
629
- * In: tweak : pointer to a 32-byte tweak. If the tweak is invalid according to
636
+ * In: tweak32 : pointer to a 32-byte tweak. If the tweak is invalid according to
630
637
* secp256k1_ec_seckey_verify, this function returns 0. For
631
638
* uniformly random 32-byte arrays the chance of being invalid
632
639
* is negligible (around 1 in 2^128) (cannot be NULL).
633
640
*/
634
641
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_add (
635
642
const secp256k1_context * ctx ,
636
643
unsigned char * seckey ,
637
- const unsigned char * tweak
644
+ const unsigned char * tweak32
638
645
) SECP256K1_ARG_NONNULL (1 ) SECP256K1_ARG_NONNULL (2 ) SECP256K1_ARG_NONNULL (3 );
639
646
640
647
/** Same as secp256k1_ec_seckey_tweak_add, but DEPRECATED. Will be removed in
641
648
* future versions. */
642
649
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add (
643
650
const secp256k1_context * ctx ,
644
651
unsigned char * seckey ,
645
- const unsigned char * tweak
652
+ const unsigned char * tweak32
646
653
) SECP256K1_ARG_NONNULL (1 ) SECP256K1_ARG_NONNULL (2 ) SECP256K1_ARG_NONNULL (3 );
647
654
648
655
/** Tweak a public key by adding tweak times the generator to it.
@@ -654,15 +661,15 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add(
654
661
* (cannot be NULL).
655
662
* In/Out: pubkey: pointer to a public key object. pubkey will be set to an
656
663
* invalid value if this function returns 0 (cannot be NULL).
657
- * In: tweak : pointer to a 32-byte tweak. If the tweak is invalid according to
664
+ * In: tweak32 : pointer to a 32-byte tweak. If the tweak is invalid according to
658
665
* secp256k1_ec_seckey_verify, this function returns 0. For
659
666
* uniformly random 32-byte arrays the chance of being invalid
660
667
* is negligible (around 1 in 2^128) (cannot be NULL).
661
668
*/
662
669
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add (
663
670
const secp256k1_context * ctx ,
664
671
secp256k1_pubkey * pubkey ,
665
- const unsigned char * tweak
672
+ const unsigned char * tweak32
666
673
) SECP256K1_ARG_NONNULL (1 ) SECP256K1_ARG_NONNULL (2 ) SECP256K1_ARG_NONNULL (3 );
667
674
668
675
/** Tweak a secret key by multiplying it by a tweak.
@@ -673,23 +680,23 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(
673
680
* invalid according to secp256k1_ec_seckey_verify, this
674
681
* function returns 0. seckey will be set to some unspecified
675
682
* value if this function returns 0. (cannot be NULL)
676
- * In: tweak : pointer to a 32-byte tweak. If the tweak is invalid according to
683
+ * In: tweak32 : pointer to a 32-byte tweak. If the tweak is invalid according to
677
684
* secp256k1_ec_seckey_verify, this function returns 0. For
678
685
* uniformly random 32-byte arrays the chance of being invalid
679
686
* is negligible (around 1 in 2^128) (cannot be NULL).
680
687
*/
681
688
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_mul (
682
689
const secp256k1_context * ctx ,
683
690
unsigned char * seckey ,
684
- const unsigned char * tweak
691
+ const unsigned char * tweak32
685
692
) SECP256K1_ARG_NONNULL (1 ) SECP256K1_ARG_NONNULL (2 ) SECP256K1_ARG_NONNULL (3 );
686
693
687
694
/** Same as secp256k1_ec_seckey_tweak_mul, but DEPRECATED. Will be removed in
688
695
* future versions. */
689
696
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_mul (
690
697
const secp256k1_context * ctx ,
691
698
unsigned char * seckey ,
692
- const unsigned char * tweak
699
+ const unsigned char * tweak32
693
700
) SECP256K1_ARG_NONNULL (1 ) SECP256K1_ARG_NONNULL (2 ) SECP256K1_ARG_NONNULL (3 );
694
701
695
702
/** Tweak a public key by multiplying it by a tweak value.
@@ -699,15 +706,15 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_mul(
699
706
* (cannot be NULL).
700
707
* In/Out: pubkey: pointer to a public key object. pubkey will be set to an
701
708
* invalid value if this function returns 0 (cannot be NULL).
702
- * In: tweak : pointer to a 32-byte tweak. If the tweak is invalid according to
709
+ * In: tweak32 : pointer to a 32-byte tweak. If the tweak is invalid according to
703
710
* secp256k1_ec_seckey_verify, this function returns 0. For
704
711
* uniformly random 32-byte arrays the chance of being invalid
705
712
* is negligible (around 1 in 2^128) (cannot be NULL).
706
713
*/
707
714
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul (
708
715
const secp256k1_context * ctx ,
709
716
secp256k1_pubkey * pubkey ,
710
- const unsigned char * tweak
717
+ const unsigned char * tweak32
711
718
) SECP256K1_ARG_NONNULL (1 ) SECP256K1_ARG_NONNULL (2 ) SECP256K1_ARG_NONNULL (3 );
712
719
713
720
/** Updates the context randomization to protect against side-channel leakage.