diff --git a/src/field_10x26_impl.h b/src/field_10x26_impl.h index 00631643b0..edf0fa4625 100644 --- a/src/field_10x26_impl.h +++ b/src/field_10x26_impl.h @@ -78,6 +78,10 @@ static void secp256k1_fe_normalize(secp256k1_fe *r) { uint32_t m; uint32_t x = t9 >> 22; t9 &= 0x03FFFFFUL; +#ifdef VERIFY + secp256k1_fe_verify(r); +#endif + /* The first pass ensures the magnitude is 1, ... */ t0 += x * 0x3D1UL; t1 += (x << 6); t1 += (t0 >> 26); t0 &= 0x3FFFFFFUL; @@ -132,6 +136,10 @@ static void secp256k1_fe_normalize_weak(secp256k1_fe *r) { /* Reduce t9 at the start so there will be at most a single carry from the first pass */ uint32_t x = t9 >> 22; t9 &= 0x03FFFFFUL; +#ifdef VERIFY + secp256k1_fe_verify(r); +#endif + /* The first pass ensures the magnitude is 1, ... */ t0 += x * 0x3D1UL; t1 += (x << 6); t1 += (t0 >> 26); t0 &= 0x3FFFFFFUL; @@ -164,6 +172,10 @@ static void secp256k1_fe_normalize_var(secp256k1_fe *r) { uint32_t m; uint32_t x = t9 >> 22; t9 &= 0x03FFFFFUL; +#ifdef VERIFY + secp256k1_fe_verify(r); +#endif + /* The first pass ensures the magnitude is 1, ... */ t0 += x * 0x3D1UL; t1 += (x << 6); t1 += (t0 >> 26); t0 &= 0x3FFFFFFUL; @@ -222,6 +234,10 @@ static int secp256k1_fe_normalizes_to_zero(const secp256k1_fe *r) { /* Reduce t9 at the start so there will be at most a single carry from the first pass */ uint32_t x = t9 >> 22; t9 &= 0x03FFFFFUL; +#ifdef VERIFY + secp256k1_fe_verify(r); +#endif + /* The first pass ensures the magnitude is 1, ... */ t0 += x * 0x3D1UL; t1 += (x << 6); t1 += (t0 >> 26); t0 &= 0x3FFFFFFUL; z0 = t0; z1 = t0 ^ 0x3D0UL; @@ -246,6 +262,10 @@ static int secp256k1_fe_normalizes_to_zero_var(const secp256k1_fe *r) { uint32_t z0, z1; uint32_t x; +#ifdef VERIFY + secp256k1_fe_verify(r); +#endif + t0 = r->n[0]; t9 = r->n[9]; 
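Review bot: The three-line guard `#ifdef VERIFY` / `secp256k1_fe_verify(r);` / `#endif` is repeated in all five hunks here and in almost every later hunk of both field files, which makes the precondition checks easy to forget or misplace in the next function. If secp256k1_fe_verify is only defined in VERIFY builds (its definition is not visible in this diff), a wrapper that expands to nothing otherwise would reduce each call site to one line. For example, a macro with a name such as `SECP256K1_FE_VERIFY(r)` could be defined as `secp256k1_fe_verify(r)` under VERIFY and as `((void)(r))` without it. All five function bodies start and end outside their hunks.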
@@ -459,6 +479,9 @@ SECP256K1_INLINE static void secp256k1_fe_negate(secp256k1_fe *r, const secp256k } SECP256K1_INLINE static void secp256k1_fe_mul_int(secp256k1_fe *r, int a) { +#ifdef VERIFY + secp256k1_fe_verify(r); +#endif r->n[0] *= a; r->n[1] *= a; r->n[2] *= a; @@ -1149,6 +1172,10 @@ static void secp256k1_fe_sqr(secp256k1_fe *r, const secp256k1_fe *a) { static SECP256K1_INLINE void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag) { uint32_t mask0, mask1; SECP256K1_CHECKMEM_CHECK_VERIFY(r->n, sizeof(r->n)); +#ifdef VERIFY + secp256k1_fe_verify(a); + secp256k1_fe_verify(r); +#endif mask0 = flag + ~((uint32_t)0); mask1 = ~mask0; r->n[0] = (r->n[0] & mask0) | (a->n[0] & mask1); @@ -1262,6 +1289,7 @@ static SECP256K1_INLINE void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, static void secp256k1_fe_to_storage(secp256k1_fe_storage *r, const secp256k1_fe *a) { #ifdef VERIFY + secp256k1_fe_verify(a); VERIFY_CHECK(a->normalized); #endif r->n[0] = a->n[0] | a->n[1] << 26; @@ -1334,6 +1362,7 @@ static void secp256k1_fe_to_signed30(secp256k1_modinv32_signed30 *r, const secp2 a5 = a->n[5], a6 = a->n[6], a7 = a->n[7], a8 = a->n[8], a9 = a->n[9]; #ifdef VERIFY + secp256k1_fe_verify(a); VERIFY_CHECK(a->normalized); #endif @@ -1358,13 +1387,20 @@ static void secp256k1_fe_inv(secp256k1_fe *r, const secp256k1_fe *x) { secp256k1_fe tmp; secp256k1_modinv32_signed30 s; +#ifdef VERIFY + secp256k1_fe_verify(x); +#endif + tmp = *x; secp256k1_fe_normalize(&tmp); secp256k1_fe_to_signed30(&s, &tmp); secp256k1_modinv32(&s, &secp256k1_const_modinfo_fe); secp256k1_fe_from_signed30(r, &s); +#ifdef VERIFY + secp256k1_fe_verify(r); VERIFY_CHECK(secp256k1_fe_normalizes_to_zero(r) == secp256k1_fe_normalizes_to_zero(&tmp)); +#endif } static void secp256k1_fe_inv_var(secp256k1_fe *r, const secp256k1_fe *x) { 
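Review bot: secp256k1_fe_cmov now checks `a` and `r` on entry but still leaves `flag` unchecked, although the select depends on it being exactly 0 or 1. The mask `flag + ~((uint32_t)0)` is all-ones only for flag == 0 and zero only for flag == 1, so any other value gives a mixed mask and a bitwise blend of `r` and `a` in each limb. Since the added block is already VERIFY-only, `VERIFY_CHECK(flag == 0 || flag == 1);` could sit next to the two verify calls. The same applies to the secp256k1_fe_cmov hunk in field_5x52_impl.h, and the function body continues past the hunk in both files.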
@@ -1377,7 +1413,10 @@ static void secp256k1_fe_inv_var(secp256k1_fe *r, const secp256k1_fe *x) { secp256k1_modinv32_var(&s, &secp256k1_const_modinfo_fe); secp256k1_fe_from_signed30(r, &s); +#ifdef VERIFY + secp256k1_fe_verify(r); VERIFY_CHECK(secp256k1_fe_normalizes_to_zero(r) == secp256k1_fe_normalizes_to_zero(&tmp)); +#endif } #endif /* SECP256K1_FIELD_REPR_IMPL_H */ diff --git a/src/field_5x52_impl.h b/src/field_5x52_impl.h index 9ad0c213cc..106545bf2a 100644 --- a/src/field_5x52_impl.h +++ b/src/field_5x52_impl.h @@ -77,6 +77,10 @@ static void secp256k1_fe_normalize(secp256k1_fe *r) { uint64_t m; uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL; +#ifdef VERIFY + secp256k1_fe_verify(r); +#endif + /* The first pass ensures the magnitude is 1, ... */ t0 += x * 0x1000003D1ULL; t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL; @@ -119,6 +123,10 @@ static void secp256k1_fe_normalize_weak(secp256k1_fe *r) { /* Reduce t4 at the start so there will be at most a single carry from the first pass */ uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL; +#ifdef VERIFY + secp256k1_fe_verify(r); +#endif + /* The first pass ensures the magnitude is 1, ... */ t0 += x * 0x1000003D1ULL; t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL; @@ -144,6 +152,10 @@ static void secp256k1_fe_normalize_var(secp256k1_fe *r) { uint64_t m; uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL; +#ifdef VERIFY + secp256k1_fe_verify(r); +#endif + /* The first pass ensures the magnitude is 1, ... */ t0 += x * 0x1000003D1ULL; t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL; @@ -190,6 +202,10 @@ static int secp256k1_fe_normalizes_to_zero(const secp256k1_fe *r) { /* Reduce t4 at the start so there will be at most a single carry from the first pass */ uint64_t x = t4 >> 48; t4 &= 0x0FFFFFFFFFFFFULL; +#ifdef VERIFY + secp256k1_fe_verify(r); +#endif + /* The first pass ensures the magnitude is 1, ... */ t0 += x * 0x1000003D1ULL; t1 += (t0 >> 52); t0 &= 0xFFFFFFFFFFFFFULL; z0 = t0; z1 = t0 ^ 0x1000003D0ULL; 
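Review bot: secp256k1_fe_inv_var in field_10x26_impl.h gets the exit check `secp256k1_fe_verify(r);` but no entry check on `x`. The previous hunk ends at the function's opening line, and the line offsets in the two hunk headers show that nothing was added between that line and this hunk. secp256k1_fe_inv in the same file and both inverse functions in field_5x52_impl.h verify `x` before `tmp = *x;`. Adding `#ifdef VERIFY` / `secp256k1_fe_verify(x);` / `#endif` after the declarations would make the four functions agree. The top of the function body is outside the hunk, so this is inferred from the hunk headers.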
@@ -209,6 +225,10 @@ static int secp256k1_fe_normalizes_to_zero_var(const secp256k1_fe *r) { uint64_t z0, z1; uint64_t x; +#ifdef VERIFY + secp256k1_fe_verify(r); +#endif + t0 = r->n[0]; t4 = r->n[4]; @@ -429,6 +449,9 @@ SECP256K1_INLINE static void secp256k1_fe_negate(secp256k1_fe *r, const secp256k } SECP256K1_INLINE static void secp256k1_fe_mul_int(secp256k1_fe *r, int a) { +#ifdef VERIFY + secp256k1_fe_verify(r); +#endif r->n[0] *= a; r->n[1] *= a; r->n[2] *= a; @@ -490,6 +513,10 @@ static void secp256k1_fe_sqr(secp256k1_fe *r, const secp256k1_fe *a) { static SECP256K1_INLINE void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag) { uint64_t mask0, mask1; SECP256K1_CHECKMEM_CHECK_VERIFY(r->n, sizeof(r->n)); +#ifdef VERIFY + secp256k1_fe_verify(a); + secp256k1_fe_verify(r); +#endif mask0 = flag + ~((uint64_t)0); mask1 = ~mask0; r->n[0] = (r->n[0] & mask0) | (a->n[0] & mask1); @@ -584,6 +611,7 @@ static SECP256K1_INLINE void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, static void secp256k1_fe_to_storage(secp256k1_fe_storage *r, const secp256k1_fe *a) { #ifdef VERIFY VERIFY_CHECK(a->normalized); + secp256k1_fe_verify(a); #endif r->n[0] = a->n[0] | a->n[1] << 52; r->n[1] = a->n[1] >> 12 | a->n[2] << 40; @@ -635,6 +663,7 @@ static void secp256k1_fe_to_signed62(secp256k1_modinv64_signed62 *r, const secp2 const uint64_t a0 = a->n[0], a1 = a->n[1], a2 = a->n[2], a3 = a->n[3], a4 = a->n[4]; #ifdef VERIFY + secp256k1_fe_verify(a); VERIFY_CHECK(a->normalized); #endif @@ -654,6 +683,10 @@ static void secp256k1_fe_inv(secp256k1_fe *r, const secp256k1_fe *x) { secp256k1_fe tmp; secp256k1_modinv64_signed62 s; +#ifdef VERIFY + secp256k1_fe_verify(x); +#endif + tmp = *x; secp256k1_fe_normalize(&tmp); secp256k1_fe_to_signed62(&s, &tmp); 
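Review bot: In the secp256k1_fe_to_storage hunk of field_5x52_impl.h the new `secp256k1_fe_verify(a);` comes after `VERIFY_CHECK(a->normalized);`, while the field_10x26_impl.h version and secp256k1_fe_to_signed62 in this file put it first. Calling the verify function first matches the other call sites and, assuming it validates the element as a whole, checks the structure before its `normalized` flag is relied on. Swapping the two lines is enough: `secp256k1_fe_verify(a);` followed by `VERIFY_CHECK(a->normalized);`.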
@@ -661,6 +694,7 @@ static void secp256k1_fe_inv(secp256k1_fe *r, const secp256k1_fe *x) { secp256k1_fe_from_signed62(r, &s); #ifdef VERIFY + secp256k1_fe_verify(r); VERIFY_CHECK(secp256k1_fe_normalizes_to_zero(r) == secp256k1_fe_normalizes_to_zero(&tmp)); #endif } @@ -669,6 +703,10 @@ static void secp256k1_fe_inv_var(secp256k1_fe *r, const secp256k1_fe *x) { secp256k1_fe tmp; secp256k1_modinv64_signed62 s; +#ifdef VERIFY + secp256k1_fe_verify(x); +#endif + tmp = *x; secp256k1_fe_normalize_var(&tmp); secp256k1_fe_to_signed62(&s, &tmp); @@ -676,6 +714,7 @@ static void secp256k1_fe_inv_var(secp256k1_fe *r, const secp256k1_fe *x) { secp256k1_fe_from_signed62(r, &s); #ifdef VERIFY + secp256k1_fe_verify(r); VERIFY_CHECK(secp256k1_fe_normalizes_to_zero(r) == secp256k1_fe_normalizes_to_zero(&tmp)); #endif } diff --git a/src/tests.c b/src/tests.c index ca56ee7795..62c8232a7b 100644 --- a/src/tests.c +++ b/src/tests.c @@ -7389,7 +7389,7 @@ static void fe_cmov_test(void) { static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1); static const secp256k1_fe max = SECP256K1_FE_CONST( 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, - 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL + 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFEFUL, 0xFFFFFFFFUL ); secp256k1_fe r = max; secp256k1_fe a = zero; @@ -7419,7 +7419,7 @@ static void fe_storage_cmov_test(void) { static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1); static const secp256k1_fe_storage max = SECP256K1_FE_STORAGE_CONST( 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, - 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL + 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFEFUL, 0xFFFFFFFFUL ); secp256k1_fe_storage r = max; secp256k1_fe_storage a = zero;
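Review bot: In fe_cmov_test the constant is still named `max`, but its seventh word changes from `0xFFFFFFFFUL` to `0xFFFFFFEFUL` and nothing in the hunk says why. Presumably the all-ones value is not below the field prime and would now fail the `secp256k1_fe_verify(r)` call added to secp256k1_fe_cmov; a comment such as `/* all-ones is >= p and would fail secp256k1_fe_verify; use a value below p */` would record that. The same edit in fe_storage_cmov_test has no matching check in this diff, since no verify call is added to secp256k1_fe_storage_cmov. That test could therefore keep the all-ones pattern, which sets every bit that the select mask has to pass through. Both test bodies continue outside their hunks.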