Improve checks for scalar _get_bits methods #1845
+17
−6
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -54,6 +54,7 @@ SECP256K1_INLINE static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsig | |
| SECP256K1_INLINE static uint32_t secp256k1_scalar_get_bits_limb32(const secp256k1_scalar *a, unsigned int offset, unsigned int count) { | ||
| SECP256K1_SCALAR_VERIFY(a); | ||
| VERIFY_CHECK(count > 0 && count <= 32); | ||
| VERIFY_CHECK(offset <= 256 - count); | ||
| VERIFY_CHECK((offset + count - 1) >> 5 == offset >> 5); | ||
|
|
||
| return (a->d[offset >> 5] >> (offset & 0x1F)) & (0xFFFFFFFF >> (32 - count)); | ||
|
|
@@ -62,7 +63,7 @@ SECP256K1_INLINE static uint32_t secp256k1_scalar_get_bits_limb32(const secp256k | |
| SECP256K1_INLINE static uint32_t secp256k1_scalar_get_bits_var(const secp256k1_scalar *a, unsigned int offset, unsigned int count) { | ||
| SECP256K1_SCALAR_VERIFY(a); | ||
| VERIFY_CHECK(count > 0 && count <= 32); | ||
| VERIFY_CHECK(offset <= 256 - count); | ||
|
|
||
| if ((offset + count - 1) >> 5 == offset >> 5) { | ||
| return secp256k1_scalar_get_bits_limb32(a, offset, count); | ||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -27,8 +27,10 @@ SECP256K1_INLINE static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsig | |
|
|
||
| SECP256K1_INLINE static uint32_t secp256k1_scalar_get_bits_limb32(const secp256k1_scalar *a, unsigned int offset, unsigned int count) { | ||
| SECP256K1_SCALAR_VERIFY(a); | ||
| VERIFY_CHECK(count > 0 && count <= 32); | ||
| VERIFY_CHECK(offset <= 256 - count); | ||
| VERIFY_CHECK((offset + count - 1) >> 5 == offset >> 5); | ||
|
|
||
| if (offset < 32) { | ||
| return (*a >> offset) & (0xFFFFFFFF >> (32 - count)); | ||
| } else { | ||
|
|
@@ -38,8 +40,14 @@ SECP256K1_INLINE static uint32_t secp256k1_scalar_get_bits_limb32(const secp256k | |
|
|
||
| SECP256K1_INLINE static uint32_t secp256k1_scalar_get_bits_var(const secp256k1_scalar *a, unsigned int offset, unsigned int count) { | ||
| SECP256K1_SCALAR_VERIFY(a); | ||
| VERIFY_CHECK(count > 0 && count <= 32); | ||
| VERIFY_CHECK(offset <= 256 - count); | ||
|
|
||
| if (offset < 32) { | ||
| return (*a >> offset) & (0xFFFFFFFF >> (32 - count)); | ||
| } else { | ||
| return 0; | ||
| } | ||
| } | ||
|
|
||
| SECP256K1_INLINE static int secp256k1_scalar_check_overflow(const secp256k1_scalar *a) { return *a >= EXHAUSTIVE_TEST_ORDER; } | ||
|
|
||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm convinced this will not break things and I like this more after fiddling with the bits.
But feels like the original check combined with line 43 was already sufficient for checking we are not able to cross limbs when trying to collect bits from the scalar.
One such case could be:
offset = 31.With the original check:
RHS:
offset >> 6 = 0LHS:
(31 + count - 1) >> 6=>count < 34so that RHS == LHS.But line 43 already guarantee that
count <= 32. Similar for the other limbs.