bip32: fix Elements pubkey tweaking

- Ensure the resulting tweak is zero if a tweak is not asked for - Make deriving from private keys into public keys apply the tweak - Make bip32_key_from_parent and not just bip32_key_from_parent_path apply the tweak.
ElementsProject · Jul 15, 2024 · e30ddfa · e30ddfa
1 parent a5b32a8
commit e30ddfa
Showing 1 changed file with 20 additions and 23 deletions.
diff --git a/src/bip32.c b/src/bip32.c
@@ -686,15 +686,9 @@ int bip32_key_from_parent(const struct ext_key *hdkey, uint32_t child_num,
          * (NOTE: seckey_tweak_add checks both conditions)
          */
         memcpy(key_out->priv_key, hdkey->priv_key, sizeof(hdkey->priv_key));
-        if (!seckey_tweak_add(key_out->priv_key + 1, sha.u.u8)) {
-            wally_clear(&sha, sizeof(sha));
-            return wipe_key_fail(key_out); /* Out of bounds FIXME: Iterate to the next? */
-        }
-
-        if (key_compute_pub_key(key_out) != WALLY_OK) {
-            wally_clear(&sha, sizeof(sha));
-            return wipe_key_fail(key_out);
-        }
+        if (!seckey_tweak_add(key_out->priv_key + 1, sha.u.u8) ||
+            key_compute_pub_key(key_out) != WALLY_OK)
+            goto fail;
     } else {
         /* The returned child key ki is point(parse256(IL) + kpar)
          * In case parse256(IL) ≥ n or Ki is the point at infinity, the
@@ -709,16 +703,22 @@ int bip32_key_from_parent(const struct ext_key *hdkey, uint32_t child_num,
             !pubkey_tweak_add(ctx, &pub_key, sha.u.u8) ||
             !pubkey_serialize(key_out->pub_key, &len, &pub_key,
                               PUBKEY_COMPRESSED) ||
-            len != sizeof(key_out->pub_key)
-#ifdef BUILD_ELEMENTS
-            || ((flags & BIP32_FLAG_KEY_TWEAK_SUM) &&
-                bip32_seckey_tweak_add(sha.u.u8, SHA256_LEN, key_out) != WALLY_OK)
-#endif /* BUILD_ELEMENTS */
-            ) {
-            wally_clear(&sha, sizeof(sha));
-            return wipe_key_fail(key_out);
+            len != sizeof(key_out->pub_key)) {
+            goto fail;
         }
     }
+#ifndef WALLY_ABI_NO_ELEMENTS
+    memset(key_out->pub_key_tweak_sum, 0,
+           sizeof(key_out->pub_key_tweak_sum));
+#endif /* WALLY_ABI_NO_ELEMENTS */
+#ifdef BUILD_ELEMENTS
+    if (flags & BIP32_FLAG_KEY_TWEAK_SUM) {
+        memcpy(key_out->pub_key_tweak_sum,
+               hdkey->pub_key_tweak_sum, sizeof(hdkey->pub_key_tweak_sum));
+        if (bip32_seckey_tweak_add(sha.u.u8, SHA256_LEN, key_out) != WALLY_OK)
+            goto fail;
+    }
+#endif /* BUILD_ELEMENTS */
 
     if (derive_private) {
         if (version_is_mainnet(hdkey->version))
@@ -746,6 +746,9 @@ int bip32_key_from_parent(const struct ext_key *hdkey, uint32_t child_num,
     }
     wally_clear(&sha, sizeof(sha));
     return WALLY_OK;
+fail:
+    wally_clear(&sha, sizeof(sha));
+    return wipe_key_fail(key_out);
 }
 
 int bip32_key_from_parent_alloc(const struct ext_key *hdkey,
@@ -799,12 +802,6 @@ int bip32_key_from_parent_path(const struct ext_key *hdkey,
         if (i + 2 < child_path_len)
             derivation_flags |= BIP32_FLAG_SKIP_HASH; /* Skip hash for internal keys */
 
-#ifdef BUILD_ELEMENTS
-        if (flags & BIP32_FLAG_KEY_TWEAK_SUM)
-            memcpy(derived->pub_key_tweak_sum,
-                   hdkey->pub_key_tweak_sum, sizeof(hdkey->pub_key_tweak_sum));
-#endif /* BUILD_ELEMENTS */
-
         ret = bip32_key_from_parent(hdkey, child_path[i], derivation_flags, derived);
         if (ret != WALLY_OK)
             break;