Add more secp256k1_fe_verify checks on entry/exit of functions

bitcoin-core · Feb 6, 2023 · 2a5718d · 2a5718d
1 parent 0c90af0
commit 2a5718d
Show file tree

Hide file tree

Showing 3 changed files with 80 additions and 2 deletions.
diff --git a/src/field_10x26_impl.h b/src/field_10x26_impl.h
@@ -78,6 +78,10 @@ static void secp256k1_fe_normalize(secp256k1_fe *r) {
     uint32_t m;
     uint32_t x = t9 >> 22; t9 &= 0x03FFFFFUL;
 
+#ifdef VERIFY
+    secp256k1_fe_verify(r);
+#endif
+
     /* The first pass ensures the magnitude is 1, ... */
     t0 += x * 0x3D1UL; t1 += (x << 6);
     t1 += (t0 >> 26); t0 &= 0x3FFFFFFUL;
@@ -132,6 +136,10 @@ static void secp256k1_fe_normalize_weak(secp256k1_fe *r) {
     /* Reduce t9 at the start so there will be at most a single carry from the first pass */
     uint32_t x = t9 >> 22; t9 &= 0x03FFFFFUL;
 
+#ifdef VERIFY
+    secp256k1_fe_verify(r);
+#endif
+
     /* The first pass ensures the magnitude is 1, ... */
     t0 += x * 0x3D1UL; t1 += (x << 6);
     t1 += (t0 >> 26); t0 &= 0x3FFFFFFUL;
@@ -164,6 +172,10 @@ static void secp256k1_fe_normalize_var(secp256k1_fe *r) {
     uint32_t m;
     uint32_t x = t9 >> 22; t9 &= 0x03FFFFFUL;
 
+#ifdef VERIFY
+    secp256k1_fe_verify(r);
+#endif
+
     /* The first pass ensures the magnitude is 1, ... */
     t0 += x * 0x3D1UL; t1 += (x << 6);
     t1 += (t0 >> 26); t0 &= 0x3FFFFFFUL;
@@ -222,6 +234,10 @@ static int secp256k1_fe_normalizes_to_zero(const secp256k1_fe *r) {
     /* Reduce t9 at the start so there will be at most a single carry from the first pass */
     uint32_t x = t9 >> 22; t9 &= 0x03FFFFFUL;
 
+#ifdef VERIFY
+    secp256k1_fe_verify(r);
+#endif
+
     /* The first pass ensures the magnitude is 1, ... */
     t0 += x * 0x3D1UL; t1 += (x << 6);
     t1 += (t0 >> 26); t0 &= 0x3FFFFFFUL; z0  = t0; z1  = t0 ^ 0x3D0UL;
@@ -246,6 +262,10 @@ static int secp256k1_fe_normalizes_to_zero_var(const secp256k1_fe *r) {
     uint32_t z0, z1;
     uint32_t x;
 
+#ifdef VERIFY
+    secp256k1_fe_verify(r);
+#endif
+
     t0 = r->n[0];
     t9 = r->n[9];
 
@@ -459,6 +479,9 @@ SECP256K1_INLINE static void secp256k1_fe_negate(secp256k1_fe *r, const secp256k
 }
 
 SECP256K1_INLINE static void secp256k1_fe_mul_int(secp256k1_fe *r, int a) {
+#ifdef VERIFY
+    secp256k1_fe_verify(r);
+#endif
     r->n[0] *= a;
     r->n[1] *= a;
     r->n[2] *= a;
@@ -1149,6 +1172,10 @@ static void secp256k1_fe_sqr(secp256k1_fe *r, const secp256k1_fe *a) {
 static SECP256K1_INLINE void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag) {
     uint32_t mask0, mask1;
     SECP256K1_CHECKMEM_CHECK_VERIFY(r->n, sizeof(r->n));
+#ifdef VERIFY
+    secp256k1_fe_verify(a);
+    secp256k1_fe_verify(r);
+#endif
     mask0 = flag + ~((uint32_t)0);
     mask1 = ~mask0;
     r->n[0] = (r->n[0] & mask0) | (a->n[0] & mask1);
@@ -1262,6 +1289,7 @@ static SECP256K1_INLINE void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r,
 
 static void secp256k1_fe_to_storage(secp256k1_fe_storage *r, const secp256k1_fe *a) {
 #ifdef VERIFY
+    secp256k1_fe_verify(a);
     VERIFY_CHECK(a->normalized);
 #endif
     r->n[0] = a->n[0] | a->n[1] << 26;
@@ -1334,6 +1362,7 @@ static void secp256k1_fe_to_signed30(secp256k1_modinv32_signed30 *r, const secp2
                    a5 = a->n[5], a6 = a->n[6], a7 = a->n[7], a8 = a->n[8], a9 = a->n[9];
 
 #ifdef VERIFY
+    secp256k1_fe_verify(a);
     VERIFY_CHECK(a->normalized);
 #endif
 
@@ -1358,13 +1387,20 @@ static void secp256k1_fe_inv(secp256k1_fe *r, const secp256k1_fe *x) {
     secp256k1_fe tmp;
     secp256k1_modinv32_signed30 s;
 
+#ifdef VERIFY
+    secp256k1_fe_verify(x);
+#endif
+
     tmp = *x;
     secp256k1_fe_normalize(&tmp);
     secp256k1_fe_to_signed30(&s, &tmp);
     secp256k1_modinv32(&s, &secp256k1_const_modinfo_fe);
     secp256k1_fe_from_signed30(r, &s);
 
+#ifdef VERIFY
+    secp256k1_fe_verify(r);
     VERIFY_CHECK(secp256k1_fe_normalizes_to_zero(r) == secp256k1_fe_normalizes_to_zero(&tmp));
+#endif
 }
 
 static void secp256k1_fe_inv_var(secp256k1_fe *r, const secp256k1_fe *x) {
@@ -1377,7 +1413,10 @@ static void secp256k1_fe_inv_var(secp256k1_fe *r, const secp256k1_fe *x) {
     secp256k1_modinv32_var(&s, &secp256k1_const_modinfo_fe);
     secp256k1_fe_from_signed30(r, &s);
 
+#ifdef VERIFY
+    secp256k1_fe_verify(r);
     VERIFY_CHECK(secp256k1_fe_normalizes_to_zero(r) == secp256k1_fe_normalizes_to_zero(&tmp));
+#endif
 }
 
 #endif /* SECP256K1_FIELD_REPR_IMPL_H */
diff --git a/src/field_5x52_impl.h b/src/field_5x52_impl.h
@@ -77,6 +77,10 @@ static void secp256k1_fe_normalize(secp256k1_fe *r) {
     uint64_t m;
     uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL;
 
+#ifdef VERIFY
+    secp256k1_fe_verify(r);
+#endif
+
     /* The first pass ensures the magnitude is 1, ... */
     t0 += x * 0x1000003D1ULL;
     t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL;
@@ -119,6 +123,10 @@ static void secp256k1_fe_normalize_weak(secp256k1_fe *r) {
     /* Reduce t4 at the start so there will be at most a single carry from the first pass */
     uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL;
 
+#ifdef VERIFY
+    secp256k1_fe_verify(r);
+#endif
+
     /* The first pass ensures the magnitude is 1, ... */
     t0 += x * 0x1000003D1ULL;
     t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL;
@@ -144,6 +152,10 @@ static void secp256k1_fe_normalize_var(secp256k1_fe *r) {
     uint64_t m;
     uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL;
 
+#ifdef VERIFY
+    secp256k1_fe_verify(r);
+#endif
+
     /* The first pass ensures the magnitude is 1, ... */
     t0 += x * 0x1000003D1ULL;
     t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL;
@@ -190,6 +202,10 @@ static int secp256k1_fe_normalizes_to_zero(const secp256k1_fe *r) {
     /* Reduce t4 at the start so there will be at most a single carry from the first pass */
     uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL;
 
+#ifdef VERIFY
+    secp256k1_fe_verify(r);
+#endif
+
     /* The first pass ensures the magnitude is 1, ... */
     t0 += x * 0x1000003D1ULL;
     t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL; z0  = t0; z1  = t0 ^ 0x1000003D0ULL;
@@ -209,6 +225,10 @@ static int secp256k1_fe_normalizes_to_zero_var(const secp256k1_fe *r) {
     uint64_t z0, z1;
     uint64_t x;
 
+#ifdef VERIFY
+    secp256k1_fe_verify(r);
+#endif
+
     t0 = r->n[0];
     t4 = r->n[4];
 
@@ -429,6 +449,9 @@ SECP256K1_INLINE static void secp256k1_fe_negate(secp256k1_fe *r, const secp256k
 }
 
 SECP256K1_INLINE static void secp256k1_fe_mul_int(secp256k1_fe *r, int a) {
+#ifdef VERIFY
+    secp256k1_fe_verify(r);
+#endif
     r->n[0] *= a;
     r->n[1] *= a;
     r->n[2] *= a;
@@ -490,6 +513,10 @@ static void secp256k1_fe_sqr(secp256k1_fe *r, const secp256k1_fe *a) {
 static SECP256K1_INLINE void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag) {
     uint64_t mask0, mask1;
     SECP256K1_CHECKMEM_CHECK_VERIFY(r->n, sizeof(r->n));
+#ifdef VERIFY
+    secp256k1_fe_verify(a);
+    secp256k1_fe_verify(r);
+#endif
     mask0 = flag + ~((uint64_t)0);
     mask1 = ~mask0;
     r->n[0] = (r->n[0] & mask0) | (a->n[0] & mask1);
@@ -584,6 +611,7 @@ static SECP256K1_INLINE void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r,
 static void secp256k1_fe_to_storage(secp256k1_fe_storage *r, const secp256k1_fe *a) {
 #ifdef VERIFY
     VERIFY_CHECK(a->normalized);
+    secp256k1_fe_verify(a);
 #endif
     r->n[0] = a->n[0] | a->n[1] << 52;
     r->n[1] = a->n[1] >> 12 | a->n[2] << 40;
@@ -635,6 +663,7 @@ static void secp256k1_fe_to_signed62(secp256k1_modinv64_signed62 *r, const secp2
     const uint64_t a0 = a->n[0], a1 = a->n[1], a2 = a->n[2], a3 = a->n[3], a4 = a->n[4];
 
 #ifdef VERIFY
+    secp256k1_fe_verify(a);
     VERIFY_CHECK(a->normalized);
 #endif
 
@@ -654,13 +683,18 @@ static void secp256k1_fe_inv(secp256k1_fe *r, const secp256k1_fe *x) {
     secp256k1_fe tmp;
     secp256k1_modinv64_signed62 s;
 
+#ifdef VERIFY
+    secp256k1_fe_verify(x);
+#endif
+
     tmp = *x;
     secp256k1_fe_normalize(&tmp);
     secp256k1_fe_to_signed62(&s, &tmp);
     secp256k1_modinv64(&s, &secp256k1_const_modinfo_fe);
     secp256k1_fe_from_signed62(r, &s);
 
 #ifdef VERIFY
+    secp256k1_fe_verify(r);
     VERIFY_CHECK(secp256k1_fe_normalizes_to_zero(r) == secp256k1_fe_normalizes_to_zero(&tmp));
 #endif
 }
@@ -669,13 +703,18 @@ static void secp256k1_fe_inv_var(secp256k1_fe *r, const secp256k1_fe *x) {
     secp256k1_fe tmp;
     secp256k1_modinv64_signed62 s;
 
+#ifdef VERIFY
+    secp256k1_fe_verify(x);
+#endif
+
     tmp = *x;
     secp256k1_fe_normalize_var(&tmp);
     secp256k1_fe_to_signed62(&s, &tmp);
     secp256k1_modinv64_var(&s, &secp256k1_const_modinfo_fe);
     secp256k1_fe_from_signed62(r, &s);
 
 #ifdef VERIFY
+    secp256k1_fe_verify(r);
     VERIFY_CHECK(secp256k1_fe_normalizes_to_zero(r) == secp256k1_fe_normalizes_to_zero(&tmp));
 #endif
 }

diff --git a/src/tests.c b/src/tests.c
@@ -7389,7 +7389,7 @@ static void fe_cmov_test(void) {
     static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
     static const secp256k1_fe max = SECP256K1_FE_CONST(
         0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
-        0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
+        0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFEFUL, 0xFFFFFFFFUL
     );
     secp256k1_fe r = max;
     secp256k1_fe a = zero;
@@ -7419,7 +7419,7 @@ static void fe_storage_cmov_test(void) {
     static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
     static const secp256k1_fe_storage max = SECP256K1_FE_STORAGE_CONST(
         0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
-        0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
+        0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFEFUL, 0xFFFFFFFFUL
     );
     secp256k1_fe_storage r = max;
     secp256k1_fe_storage a = zero;