Merge bitcoin-core/secp256k1#1373: Add invariant checking for scalars
d23da6d557 use secp256k1_scalar_verify checks (stratospher)
c7d0454932 add verification for scalars (stratospher)
ad152151b0 update max scalar in scalar_cmov_test and fix schnorrsig_verify exhaustive test (stratospher)

Pull request description:

From #1360. This PR:
1. adds `secp256k1_scalar_verify` to make sure scalars are reduced mod the group order in VERIFY mode
2. uses `secp256k1_scalar_verify` in all the scalar functions except `secp256k1_scalar_clear`, `secp256k1_scalar_reduce_512`, `secp256k1_scalar_mul_512` and `secp256k1_scalar_*_var` functions in `scalar_low_impl.h`

ACKs for top commit:
real-or-random: utACK d23da6d557
theStack: Code-review ACK d23da6d557

Tree-SHA512: a371b319d948198c4038d35c9ea58f4b94de4dc312215e2b78a323c2acd4ae1355d97935c558b388774832d6d0058b97ff8ca50c3aab40b9ede5307760d0a505
@@ -110,15 +110,15 @@ static void test_exhaustive_schnorrsig_verify(const secp256k1_context *ctx, cons
|
||||
if (!e_done[e]) {
|
||||
/* Iterate over the possible valid last 32 bytes in the signature.
|
||||
0..order=that s value; order+1=random bytes */
|
||||
int count_valid = 0, s;
|
||||
int count_valid = 0;
|
||||
unsigned int s;
|
||||
for (s = 0; s <= EXHAUSTIVE_TEST_ORDER + 1; ++s) {
|
||||
int expect_valid, valid;
|
||||
if (s <= EXHAUSTIVE_TEST_ORDER) {
|
||||
secp256k1_scalar s_s;
|
||||
secp256k1_scalar_set_int(&s_s, s);
|
||||
secp256k1_scalar_get_b32(sig64 + 32, &s_s);
|
||||
memset(sig64 + 32, 0, 32);
|
||||
secp256k1_write_be32(sig64 + 60, s);
|
||||
expect_valid = actual_k != -1 && s != EXHAUSTIVE_TEST_ORDER &&
|
||||
(s_s == (actual_k + actual_d * e) % EXHAUSTIVE_TEST_ORDER);
|
||||
(s == (actual_k + actual_d * e) % EXHAUSTIVE_TEST_ORDER);
|
||||
} else {
|
||||
secp256k1_testrand256(sig64 + 32);
|
||||
expect_valid = 0;
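Review bot: The reason the `s <= EXHAUSTIVE_TEST_ORDER` branch now encodes `s` by hand (`memset(sig64 + 32, 0, 32)` followed by `secp256k1_write_be32(sig64 + 60, s)`) instead of going through `secp256k1_scalar_set_int` is not recorded in the code, and it matters: the loop deliberately includes `s == EXHAUSTIVE_TEST_ORDER`, which is not a reduced scalar, so with the new `secp256k1_scalar_verify` the old path would presumably abort under VERIFY before the signature could even be rejected. I would add, above the `memset`, `/* Encode s directly: s == EXHAUSTIVE_TEST_ORDER is not a reduced scalar, so secp256k1_scalar_set_int would trip secp256k1_scalar_verify. */`. A second, minor point: `s` is now `unsigned int` but `s == (actual_k + actual_d * e) % EXHAUSTIVE_TEST_ORDER` compares it against a signed expression; the `actual_k != -1` short-circuit keeps the visible sentinel out, but if `actual_d` or `e` could ever be negative the modulo result would be negative and the comparison would silently become false rather than fail loudly, and some compilers will warn about the mixed signedness either way. An explicit `(unsigned int)` cast on the right-hand side would make the intended non-negative range clear. The enclosing `test_exhaustive_schnorrsig_verify` starts and ends outside this hunk.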
|
||||
|
||||