
Commit 139a7fa

committed
Add more secp256k1_fe_verify checks on entry/exit of functions
1 parent a1ff902 commit 139a7fa


3 files changed

+80
-2
lines changed


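--- a/src/field_10x26_impl.h
+++ b/src/field_10x26_impl.h
@@ -78,6 +78,10 @@ static void secp256k1_fe_normalize(secp256k1_fe *r) {
 uint32_t m;
 uint32_t x = t9 >> 22; t9 &= 0x03FFFFFUL;
 
+#ifdef VERIFY
+secp256k1_fe_verify(r);
+#endif
+
 /* The first pass ensures the magnitude is 1, ... */
 t0 += x * 0x3D1UL; t1 += (x << 6);
 t1 += (t0 >> 26); t0 &= 0x3FFFFFFUL;
@@ -132,6 +136,10 @@ static void secp256k1_fe_normalize_weak(secp256k1_fe *r) {
 /* Reduce t9 at the start so there will be at most a single carry from the first pass */
 uint32_t x = t9 >> 22; t9 &= 0x03FFFFFUL;
 
+#ifdef VERIFY
+secp256k1_fe_verify(r);
+#endif
+
 /* The first pass ensures the magnitude is 1, ... */
 t0 += x * 0x3D1UL; t1 += (x << 6);
 t1 += (t0 >> 26); t0 &= 0x3FFFFFFUL;
@@ -164,6 +172,10 @@ static void secp256k1_fe_normalize_var(secp256k1_fe *r) {
 uint32_t m;
 uint32_t x = t9 >> 22; t9 &= 0x03FFFFFUL;
 
+#ifdef VERIFY
+secp256k1_fe_verify(r);
+#endif
+
 /* The first pass ensures the magnitude is 1, ... */
 t0 += x * 0x3D1UL; t1 += (x << 6);
 t1 += (t0 >> 26); t0 &= 0x3FFFFFFUL;
@@ -222,6 +234,10 @@ static int secp256k1_fe_normalizes_to_zero(const secp256k1_fe *r) {
 /* Reduce t9 at the start so there will be at most a single carry from the first pass */
 uint32_t x = t9 >> 22; t9 &= 0x03FFFFFUL;
 
+#ifdef VERIFY
+secp256k1_fe_verify(r);
+#endif
+
 /* The first pass ensures the magnitude is 1, ... */
 t0 += x * 0x3D1UL; t1 += (x << 6);
 t1 += (t0 >> 26); t0 &= 0x3FFFFFFUL; z0 = t0; z1 = t0 ^ 0x3D0UL;
@@ -246,6 +262,10 @@ static int secp256k1_fe_normalizes_to_zero_var(const secp256k1_fe *r) {
 uint32_t z0, z1;
 uint32_t x;
 
+#ifdef VERIFY
+secp256k1_fe_verify(r);
+#endif
+
 t0 = r->n[0];
 t9 = r->n[9];
 
@@ -459,6 +479,9 @@ SECP256K1_INLINE static void secp256k1_fe_negate(secp256k1_fe *r, const secp256k
 }
 
 SECP256K1_INLINE static void secp256k1_fe_mul_int(secp256k1_fe *r, int a) {
+#ifdef VERIFY
+secp256k1_fe_verify(r);
+#endif
 r->n[0] *= a;
 r->n[1] *= a;
 r->n[2] *= a;
@@ -1149,6 +1172,10 @@ static void secp256k1_fe_sqr(secp256k1_fe *r, const secp256k1_fe *a) {
 static SECP256K1_INLINE void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag) {
 uint32_t mask0, mask1;
 SECP256K1_CHECKMEM_CHECK_VERIFY(r->n, sizeof(r->n));
+#ifdef VERIFY
+secp256k1_fe_verify(a);
+secp256k1_fe_verify(r);
+#endif
 mask0 = flag + ~((uint32_t)0);
 mask1 = ~mask0;
 r->n[0] = (r->n[0] & mask0) | (a->n[0] & mask1);
@@ -1262,6 +1289,7 @@ static SECP256K1_INLINE void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r,
 
 static void secp256k1_fe_to_storage(secp256k1_fe_storage *r, const secp256k1_fe *a) {
 #ifdef VERIFY
+secp256k1_fe_verify(a);
 VERIFY_CHECK(a->normalized);
 #endif
 r->n[0] = a->n[0] | a->n[1] << 26;
@@ -1334,6 +1362,7 @@ static void secp256k1_fe_to_signed30(secp256k1_modinv32_signed30 *r, const secp2
 a5 = a->n[5], a6 = a->n[6], a7 = a->n[7], a8 = a->n[8], a9 = a->n[9];
 
 #ifdef VERIFY
+secp256k1_fe_verify(a);
 VERIFY_CHECK(a->normalized);
 #endif
 
@@ -1358,13 +1387,20 @@ static void secp256k1_fe_inv(secp256k1_fe *r, const secp256k1_fe *x) {
 secp256k1_fe tmp;
 secp256k1_modinv32_signed30 s;
 
+#ifdef VERIFY
+secp256k1_fe_verify(x);
+#endif
+
 tmp = *x;
 secp256k1_fe_normalize(&tmp);
 secp256k1_fe_to_signed30(&s, &tmp);
 secp256k1_modinv32(&s, &secp256k1_const_modinfo_fe);
 secp256k1_fe_from_signed30(r, &s);
 
+#ifdef VERIFY
+secp256k1_fe_verify(r);
 VERIFY_CHECK(secp256k1_fe_normalizes_to_zero(r) == secp256k1_fe_normalizes_to_zero(&tmp));
+#endif
 }
 
 static void secp256k1_fe_inv_var(secp256k1_fe *r, const secp256k1_fe *x) {
@@ -1377,7 +1413,10 @@ static void secp256k1_fe_inv_var(secp256k1_fe *r, const secp256k1_fe *x) {
 secp256k1_modinv32_var(&s, &secp256k1_const_modinfo_fe);
 secp256k1_fe_from_signed30(r, &s);
 
+#ifdef VERIFY
+secp256k1_fe_verify(r);
 VERIFY_CHECK(secp256k1_fe_normalizes_to_zero(r) == secp256k1_fe_normalizes_to_zero(&tmp));
+#endif
 }
 
 #endif /* SECP256K1_FIELD_REPR_IMPL_H */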
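Review bot: secp256k1_fe_inv_var in this file appears to get only the exit check. The function header sits at old line 1370 / new line 1406 and the last hunk starts at 1377 / 1413, the same offset of 36, so no `secp256k1_fe_verify(x);` was added on entry. secp256k1_fe_inv here and both inversion functions in src/field_5x52_impl.h do get one. Adding `#ifdef VERIFY` / `secp256k1_fe_verify(x);` / `#endif` at the top of the function, as in secp256k1_fe_inv, would make both field representations check the same input invariant in VERIFY builds. The opening lines of secp256k1_fe_inv_var lie outside the visible hunks, so this is inferred from the line numbers rather than read directly.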

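--- a/src/field_5x52_impl.h
+++ b/src/field_5x52_impl.h
@@ -77,6 +77,10 @@ static void secp256k1_fe_normalize(secp256k1_fe *r) {
 uint64_t m;
 uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL;
 
+#ifdef VERIFY
+secp256k1_fe_verify(r);
+#endif
+
 /* The first pass ensures the magnitude is 1, ... */
 t0 += x * 0x1000003D1ULL;
 t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL;
@@ -119,6 +123,10 @@ static void secp256k1_fe_normalize_weak(secp256k1_fe *r) {
 /* Reduce t4 at the start so there will be at most a single carry from the first pass */
 uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL;
 
+#ifdef VERIFY
+secp256k1_fe_verify(r);
+#endif
+
 /* The first pass ensures the magnitude is 1, ... */
 t0 += x * 0x1000003D1ULL;
 t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL;
@@ -144,6 +152,10 @@ static void secp256k1_fe_normalize_var(secp256k1_fe *r) {
 uint64_t m;
 uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL;
 
+#ifdef VERIFY
+secp256k1_fe_verify(r);
+#endif
+
 /* The first pass ensures the magnitude is 1, ... */
 t0 += x * 0x1000003D1ULL;
 t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL;
@@ -190,6 +202,10 @@ static int secp256k1_fe_normalizes_to_zero(const secp256k1_fe *r) {
 /* Reduce t4 at the start so there will be at most a single carry from the first pass */
 uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL;
 
+#ifdef VERIFY
+secp256k1_fe_verify(r);
+#endif
+
 /* The first pass ensures the magnitude is 1, ... */
 t0 += x * 0x1000003D1ULL;
 t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL; z0 = t0; z1 = t0 ^ 0x1000003D0ULL;
@@ -209,6 +225,10 @@ static int secp256k1_fe_normalizes_to_zero_var(const secp256k1_fe *r) {
 uint64_t z0, z1;
 uint64_t x;
 
+#ifdef VERIFY
+secp256k1_fe_verify(r);
+#endif
+
 t0 = r->n[0];
 t4 = r->n[4];
 
@@ -429,6 +449,9 @@ SECP256K1_INLINE static void secp256k1_fe_negate(secp256k1_fe *r, const secp256k
 }
 
 SECP256K1_INLINE static void secp256k1_fe_mul_int(secp256k1_fe *r, int a) {
+#ifdef VERIFY
+secp256k1_fe_verify(r);
+#endif
 r->n[0] *= a;
 r->n[1] *= a;
 r->n[2] *= a;
@@ -490,6 +513,10 @@ static void secp256k1_fe_sqr(secp256k1_fe *r, const secp256k1_fe *a) {
 static SECP256K1_INLINE void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag) {
 uint64_t mask0, mask1;
 SECP256K1_CHECKMEM_CHECK_VERIFY(r->n, sizeof(r->n));
+#ifdef VERIFY
+secp256k1_fe_verify(a);
+secp256k1_fe_verify(r);
+#endif
 mask0 = flag + ~((uint64_t)0);
 mask1 = ~mask0;
 r->n[0] = (r->n[0] & mask0) | (a->n[0] & mask1);
@@ -584,6 +611,7 @@ static SECP256K1_INLINE void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r,
 static void secp256k1_fe_to_storage(secp256k1_fe_storage *r, const secp256k1_fe *a) {
 #ifdef VERIFY
 VERIFY_CHECK(a->normalized);
+secp256k1_fe_verify(a);
 #endif
 r->n[0] = a->n[0] | a->n[1] << 52;
 r->n[1] = a->n[1] >> 12 | a->n[2] << 40;
@@ -635,6 +663,7 @@ static void secp256k1_fe_to_signed62(secp256k1_modinv64_signed62 *r, const secp2
 const uint64_t a0 = a->n[0], a1 = a->n[1], a2 = a->n[2], a3 = a->n[3], a4 = a->n[4];
 
 #ifdef VERIFY
+secp256k1_fe_verify(a);
 VERIFY_CHECK(a->normalized);
 #endif
 
@@ -654,13 +683,18 @@ static void secp256k1_fe_inv(secp256k1_fe *r, const secp256k1_fe *x) {
 secp256k1_fe tmp;
 secp256k1_modinv64_signed62 s;
 
+#ifdef VERIFY
+secp256k1_fe_verify(x);
+#endif
+
 tmp = *x;
 secp256k1_fe_normalize(&tmp);
 secp256k1_fe_to_signed62(&s, &tmp);
 secp256k1_modinv64(&s, &secp256k1_const_modinfo_fe);
 secp256k1_fe_from_signed62(r, &s);
 
 #ifdef VERIFY
+secp256k1_fe_verify(r);
 VERIFY_CHECK(secp256k1_fe_normalizes_to_zero(r) == secp256k1_fe_normalizes_to_zero(&tmp));
 #endif
 }
@@ -669,13 +703,18 @@ static void secp256k1_fe_inv_var(secp256k1_fe *r, const secp256k1_fe *x) {
 secp256k1_fe tmp;
 secp256k1_modinv64_signed62 s;
 
+#ifdef VERIFY
+secp256k1_fe_verify(x);
+#endif
+
 tmp = *x;
 secp256k1_fe_normalize_var(&tmp);
 secp256k1_fe_to_signed62(&s, &tmp);
 secp256k1_modinv64_var(&s, &secp256k1_const_modinfo_fe);
 secp256k1_fe_from_signed62(r, &s);
 
 #ifdef VERIFY
+secp256k1_fe_verify(r);
 VERIFY_CHECK(secp256k1_fe_normalizes_to_zero(r) == secp256k1_fe_normalizes_to_zero(&tmp));
 #endif
 }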
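Review bot: In secp256k1_fe_to_storage the new `secp256k1_fe_verify(a);` is placed after `VERIFY_CHECK(a->normalized);`, whereas secp256k1_fe_to_signed62 in this file and secp256k1_fe_to_storage in src/field_10x26_impl.h call it first. Putting the whole-element check first keeps the two representations identical and means a malformed element is reported by the verify routine before any single flag is asserted on; the order would then read `secp256k1_fe_verify(a);` followed by `VERIFY_CHECK(a->normalized);`. For a valid input both orders behave the same under VERIFY, so this is a consistency point only.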

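--- a/src/tests.c
+++ b/src/tests.c
@@ -7389,7 +7389,7 @@ static void fe_cmov_test(void) {
 static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
 static const secp256k1_fe max = SECP256K1_FE_CONST(
 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
-0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
+0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFEFUL, 0xFFFFFFFFUL
 );
 secp256k1_fe r = max;
 secp256k1_fe a = zero;
@@ -7419,7 +7419,7 @@ static void fe_storage_cmov_test(void) {
 static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
 static const secp256k1_fe_storage max = SECP256K1_FE_STORAGE_CONST(
 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
-0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
+0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFEFUL, 0xFFFFFFFFUL
 );
 secp256k1_fe_storage r = max;
 secp256k1_fe_storage a = zero;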
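Review bot: The constant is still called `max` in fe_cmov_test and fe_storage_cmov_test, but with `0xFFFFFFEFUL` it is no longer the all-ones pattern and nothing in the test says why. Presumably the all-ones value is not below the field prime and would trip the `secp256k1_fe_verify(r)` now called in secp256k1_fe_cmov. A one-line comment above each definition would record that, e.g. `/* All-ones is not a valid field element and would fail secp256k1_fe_verify, so one bit is cleared */`. The commit adds no verify call to secp256k1_fe_storage_cmov, so the change in fe_storage_cmov_test looks like it is only for symmetry, which the comment there could state. Both test bodies continue outside the hunks.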
