Commit 9adee806e3

Frank Denis <124872+jedisct1@users.noreply.github.com>
2023-04-14 06:06:00
secp256k1: Endormorphism.splitScalar() can return an error (#15270)
Fixes #15267
master
1 parent 4a0508e
Changed files (2)
lib
std
crypto
pcurves
secp256k1.zig
ecdsa.zig
lib/std/crypto/pcurves/secp256k1.zig
@@ -51,7 +51,7 @@ pub const Secp256k1 = struct {
         };
 
         /// Compute r1 and r2 so that k = r1 + r2*lambda (mod L).
-        pub fn splitScalar(s: [32]u8, endian: std.builtin.Endian) SplitScalar {
+        pub fn splitScalar(s: [32]u8, endian: std.builtin.Endian) NonCanonicalError!SplitScalar {
             const b1_neg_s = comptime s: {
                 var buf: [32]u8 = undefined;
                 mem.writeIntLittle(u256, &buf, 303414439467246543595250775667605759171);
@@ -73,15 +73,15 @@ pub const Secp256k1 = struct {
             var buf: [32]u8 = undefined;
 
             mem.writeIntLittle(u256, &buf, c1);
-            const c1x = scalar.mul(buf, b1_neg_s, .Little) catch unreachable;
+            const c1x = try scalar.mul(buf, b1_neg_s, .Little);
 
             mem.writeIntLittle(u256, &buf, c2);
-            const c2x = scalar.mul(buf, b2_neg_s, .Little) catch unreachable;
+            const c2x = try scalar.mul(buf, b2_neg_s, .Little);
 
-            const r2 = scalar.add(c1x, c2x, .Little) catch unreachable;
+            const r2 = try scalar.add(c1x, c2x, .Little);
 
-            var r1 = scalar.mul(r2, lambda_s, .Little) catch unreachable;
-            r1 = scalar.sub(s, r1, .Little) catch unreachable;
+            var r1 = try scalar.mul(r2, lambda_s, .Little);
+            r1 = try scalar.sub(s, r1, .Little);
 
             return SplitScalar{ .r1 = r1, .r2 = r2 };
         }
@@ -435,7 +435,7 @@ pub const Secp256k1 = struct {
 
     /// Multiply an elliptic curve point by a *PUBLIC* scalar *IN VARIABLE TIME*
     /// This can be used for signature verification.
-    pub fn mulPublic(p: Secp256k1, s_: [32]u8, endian: std.builtin.Endian) IdentityElementError!Secp256k1 {
+    pub fn mulPublic(p: Secp256k1, s_: [32]u8, endian: std.builtin.Endian) (IdentityElementError || NonCanonicalError)!Secp256k1 {
         const s = if (endian == .Little) s_ else Fe.orderSwap(s_);
         const zero = comptime scalar.Scalar.zero.toBytes(.Little);
         if (mem.eql(u8, &zero, &s)) {
@@ -443,7 +443,7 @@ pub const Secp256k1 = struct {
         }
         const pc = precompute(p, 8);
         var lambda_p = try pcMul(&pc, Endormorphism.lambda_s, true);
-        var split_scalar = Endormorphism.splitScalar(s, .Little);
+        var split_scalar = try Endormorphism.splitScalar(s, .Little);
         var px = p;
 
         // If a key is negative, flip the sign to keep it half-sized,
lib/std/crypto/ecdsa.zig
@@ -249,7 +249,7 @@ pub fn Ecdsa(comptime Curve: type, comptime Hash: type) type {
             }
 
             /// Verify that the signature is valid for the entire message.
-            pub fn verify(self: *Verifier) (IdentityElementError || SignatureVerificationError)!void {
+            pub fn verify(self: *Verifier) (IdentityElementError || NonCanonicalError || SignatureVerificationError)!void {
                 const ht = Curve.scalar.encoded_length;
                 const h_len = @max(Hash.digest_length, ht);
                 var h: [h_len]u8 = [_]u8{0} ** h_len;