From bbc834467c5d14e3e53744211e7c4fa9d8fabe41 Mon Sep 17 00:00:00 2001
From: Pieter Wuille
Date: Tue, 9 May 2023 13:10:56 -0400
Subject: [PATCH] Avoid secp256k1_ge_set_gej_zinv with uninitialized z

---
 src/group_impl.h | 26 ++++++++++++++++++--------
 1 file changed, 18 insertions(+), 8 deletions(-)

diff --git a/src/group_impl.h b/src/group_impl.h
index 48357a1c5d..f1b62e3689 100644
--- a/src/group_impl.h
+++ b/src/group_impl.h
@@ -92,12 +92,26 @@ static void secp256k1_gej_verify(const secp256k1_gej *a) {
     (void)a;
 }
 
+/* Set r to the affine coordinates of Jacobian point (a.x, a.y, 1/zi). */
 static void secp256k1_ge_set_gej_zinv(secp256k1_ge *r, const secp256k1_gej *a, const secp256k1_fe *zi) {
     secp256k1_fe zi2;
     secp256k1_fe zi3;
-    /* Do not call secp256k1_ge_verify, as we do not require a->z to be initialized. */
-    secp256k1_fe_verify(&a->x);
-    secp256k1_fe_verify(&a->y);
+    secp256k1_gej_verify(a);
+    secp256k1_fe_verify(zi);
+    VERIFY_CHECK(!a->infinity);
+    secp256k1_fe_sqr(&zi2, zi);
+    secp256k1_fe_mul(&zi3, &zi2, zi);
+    secp256k1_fe_mul(&r->x, &a->x, &zi2);
+    secp256k1_fe_mul(&r->y, &a->y, &zi3);
+    r->infinity = a->infinity;
+    secp256k1_ge_verify(r);
+}
+
+/* Set r to the affine coordinates of Jacobian point (a.x, a.y, 1/zi). */
+static void secp256k1_ge_set_ge_zinv(secp256k1_ge *r, const secp256k1_ge *a, const secp256k1_fe *zi) {
+    secp256k1_fe zi2;
+    secp256k1_fe zi3;
+    secp256k1_ge_verify(a);
     secp256k1_fe_verify(zi);
     VERIFY_CHECK(!a->infinity);
     secp256k1_fe_sqr(&zi2, zi);
@@ -221,7 +235,6 @@ static void secp256k1_ge_table_set_globalz(size_t len, secp256k1_ge *a, const se
 
         /* Work our way backwards, using the z-ratios to scale the x/y values. */
         while (i > 0) {
-            secp256k1_gej tmpa;
             /* Verify all inputs a[i] and zr[i]. */
             secp256k1_fe_verify(&zr[i]);
             secp256k1_ge_verify(&a[i]);
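Review bot: The header comment added above `secp256k1_ge_set_ge_zinv` is a verbatim copy of the one above `secp256k1_ge_set_gej_zinv` and still says "Jacobian point", but this function takes an affine `secp256k1_ge`; it also leaves unstated the precondition that `VERIFY_CHECK(!a->infinity)` enforces and whether `r` may alias `a`, which the caller in the last hunk relies on by passing `&a[i]` as both arguments. Suggest `/* Set r to the affine point obtained by treating a's coordinates as Jacobian (a.x, a.y, 1/zi). a must not be infinity; r may alias a. */`. The aliasing claim holds if the body matches the gej variant shown here, where `r->x` is written before `a->y` is read but `r->y` depends only on `a->y` and `zi3`; the body of `secp256k1_ge_set_ge_zinv` continues past the end of this hunk, so confirm it there. In the gej variant, `r->infinity = a->infinity` after the `VERIFY_CHECK` is redundant in VERIFY builds but means an infinity input propagates its flag (with meaningless coordinates) in non-VERIFY builds, which the comment could say explicitly.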
@@ -229,10 +242,7 @@ static void secp256k1_ge_table_set_globalz(size_t len, secp256k1_ge *a, const se
                 secp256k1_fe_mul(&zs, &zs, &zr[i]);
             }
             i--;
-            tmpa.x = a[i].x;
-            tmpa.y = a[i].y;
-            tmpa.infinity = 0;
-            secp256k1_ge_set_gej_zinv(&a[i], &tmpa, &zs);
+            secp256k1_ge_set_ge_zinv(&a[i], &a[i], &zs);
             /* Verify the output a[i]. */
             secp256k1_ge_verify(&a[i]);
         }
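Review bot: The in-place call `secp256k1_ge_set_ge_zinv(&a[i], &a[i], &zs)` drops the explicit `tmpa.infinity = 0` that the removed lines set, so each table entry's infinity flag is now carried through unchanged and, in VERIFY builds, rejected by the callee's `VERIFY_CHECK(!a->infinity)`; the loop therefore requires every `a[i]` to be a finite point, a precondition that `secp256k1_ge_table_set_globalz` (whose header is outside this hunk) should state. Suggest a comment on the call, `/* In place: a[i] must be non-infinity; secp256k1_ge_set_ge_zinv tolerates r == a. */`, and adding the same requirement to the function's documentation. In non-VERIFY builds this is a silent behavior change for an infinity entry — its flag was previously forced to 0 and is now preserved — which is the more honest result but deserves a sentence in the commit message.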