fix and verify compressed argument in _eckey_pubkey_serialize calls

theStack · theStack · commit 19be9a6db90b · 2024-10-26T22:42:23.000+02:00
In several calls of the internal function
`secp256k1_eckey_pubkey_serialize`, the public API flag
`SECP256K1_EC_COMPRESSED` is passed, which is meant to be only used for
the public function `secp256k1_ec_pubkey_serialize`. It works as
intended in all of those cases (it wouldn't for `..._UNCOMPRESSED`
though), but it's still kind of a type mismatch that can't be detected
by the compiler.  To avoid cases like this in the future, a VERIFY_CHECK
is added that the `compressed` parameter needs to be either 0 or 1.
diff --git a/src/eckey_impl.h b/src/eckey_impl.h
@@ -9,6 +9,7 @@
 
 #include "eckey.h"
 
+#include "util.h"
 #include "scalar.h"
 #include "field.h"
 #include "group.h"
@@ -35,6 +36,8 @@ static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char
 }
 
 static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed) {
+    VERIFY_CHECK(compressed == 0 || compressed == 1);
+
     if (secp256k1_ge_is_infinity(elem)) {
         return 0;
     }
diff --git a/src/modules/ecdsa_adaptor/main_impl.h b/src/modules/ecdsa_adaptor/main_impl.h
@@ -339,7 +339,7 @@ int secp256k1_ecdsa_adaptor_recover(const secp256k1_context* ctx, unsigned char
     /* We declassify non-secret enckey_expected_ge to allow using it as a
      * branch point. */
     secp256k1_declassify(ctx, &enckey_expected_ge, sizeof(enckey_expected_ge));
-    if (!secp256k1_eckey_pubkey_serialize(&enckey_expected_ge, enckey_expected33, &size, SECP256K1_EC_COMPRESSED)) {
+    if (!secp256k1_eckey_pubkey_serialize(&enckey_expected_ge, enckey_expected33, &size, 1)) {
         /* Unreachable from tests (and other VERIFY builds) and therefore this
          * branch should be ignored in test coverage analysis.
          *
diff --git a/src/modules/musig/session_impl.h b/src/modules/musig/session_impl.h
@@ -368,7 +368,7 @@ int secp256k1_musig_nonce_gen(const secp256k1_context* ctx, secp256k1_musig_secn
     if (!secp256k1_pubkey_load(ctx, &pk, pubkey)) {
         return 0;
     }
-    pk_serialize_success = secp256k1_eckey_pubkey_serialize(&pk, pk_ser, &pk_ser_len, SECP256K1_EC_COMPRESSED);
+    pk_serialize_success = secp256k1_eckey_pubkey_serialize(&pk, pk_ser, &pk_ser_len, 1);
 
 #ifdef VERIFY
     /* A pubkey cannot be the point at infinity */
diff --git a/src/modules/whitelist/whitelist_impl.h b/src/modules/whitelist/whitelist_impl.h
@@ -18,7 +18,7 @@ static int secp256k1_whitelist_hash_pubkey(secp256k1_scalar* output, secp256k1_g
     secp256k1_ge_set_gej(&ge, pubkey);
 
     secp256k1_sha256_initialize(&sha);
-    if (!secp256k1_eckey_pubkey_serialize(&ge, c, &size, SECP256K1_EC_COMPRESSED)) {
+    if (!secp256k1_eckey_pubkey_serialize(&ge, c, &size, 1)) {
         return 0;
     }
     secp256k1_sha256_write(&sha, c, size);
@@ -94,7 +94,7 @@ static int secp256k1_whitelist_compute_keys_and_message(const secp256k1_context*
     secp256k1_pubkey_load(ctx, &subkey_ge, sub_pubkey);
 
     /* commit to sub-key */
-    if (!secp256k1_eckey_pubkey_serialize(&subkey_ge, c, &size, SECP256K1_EC_COMPRESSED)) {
+    if (!secp256k1_eckey_pubkey_serialize(&subkey_ge, c, &size, 1)) {
         return 0;
     }
     secp256k1_sha256_write(&sha, c, size);
@@ -105,12 +105,12 @@ static int secp256k1_whitelist_compute_keys_and_message(const secp256k1_context*
 
         /* commit to fixed keys */
         secp256k1_pubkey_load(ctx, &offline_ge, &offline_pubkeys[i]);
-        if (!secp256k1_eckey_pubkey_serialize(&offline_ge, c, &size, SECP256K1_EC_COMPRESSED)) {
+        if (!secp256k1_eckey_pubkey_serialize(&offline_ge, c, &size, 1)) {
             return 0;
         }
         secp256k1_sha256_write(&sha, c, size);
         secp256k1_pubkey_load(ctx, &online_ge, &online_pubkeys[i]);
-        if (!secp256k1_eckey_pubkey_serialize(&online_ge, c, &size, SECP256K1_EC_COMPRESSED)) {
+        if (!secp256k1_eckey_pubkey_serialize(&online_ge, c, &size, 1)) {
             return 0;
         }
         secp256k1_sha256_write(&sha, c, size);
diff --git a/src/secp256k1.c b/src/secp256k1.c
@@ -300,7 +300,7 @@ int secp256k1_ec_pubkey_serialize(const secp256k1_context* ctx, unsigned char *o
     ARG_CHECK(pubkey != NULL);
     ARG_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_COMPRESSION);
     if (secp256k1_pubkey_load(ctx, &Q, pubkey)) {
-        ret = secp256k1_eckey_pubkey_serialize(&Q, output, &len, flags & SECP256K1_FLAGS_BIT_COMPRESSION);
+        ret = secp256k1_eckey_pubkey_serialize(&Q, output, &len, !!(flags & SECP256K1_FLAGS_BIT_COMPRESSION));
         if (ret) {
             *outputlen = len;
         }

Original file line number	Diff line number	Diff line change
`@@ -9,6 +9,7 @@`
`9`	`9`
`10`	`10`	`#include "eckey.h"`
`11`	`11`
	`12`	`+#include "util.h"`
`12`	`13`	`#include "scalar.h"`
`13`	`14`	`#include "field.h"`
`14`	`15`	`#include "group.h"`
`@@ -35,6 +36,8 @@ static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char`
`35`	`36`	`}`
`36`	`37`
`37`	`38`	`static int secp256k1_eckey_pubkey_serialize(secp256k1_ge elem, unsigned char pub, size_t *size, int compressed) {`
	`39`	`+ VERIFY_CHECK(compressed == 0 \|\| compressed == 1);`
	`40`	`+`
`38`	`41`	`if (secp256k1_ge_is_infinity(elem)) {`
`39`	`42`	`return 0;`
`40`	`43`	`}`
Original file line number	Diff line number	Diff line change
`@@ -339,7 +339,7 @@ int secp256k1_ecdsa_adaptor_recover(const secp256k1_context* ctx, unsigned char`
`339`	`339`	`/* We declassify non-secret enckey_expected_ge to allow using it as a`
`340`	`340`	`* branch point. */`
`341`	`341`	`secp256k1_declassify(ctx, &enckey_expected_ge, sizeof(enckey_expected_ge));`
`342`		`- if (!secp256k1_eckey_pubkey_serialize(&enckey_expected_ge, enckey_expected33, &size, SECP256K1_EC_COMPRESSED)) {`
	`342`	`+ if (!secp256k1_eckey_pubkey_serialize(&enckey_expected_ge, enckey_expected33, &size, 1)) {`
`343`	`343`	`/* Unreachable from tests (and other VERIFY builds) and therefore this`
`344`	`344`	`* branch should be ignored in test coverage analysis.`
`345`	`345`	`*`
Original file line number	Diff line number	Diff line change
`@@ -368,7 +368,7 @@ int secp256k1_musig_nonce_gen(const secp256k1_context* ctx, secp256k1_musig_secn`
`368`	`368`	`if (!secp256k1_pubkey_load(ctx, &pk, pubkey)) {`
`369`	`369`	`return 0;`
`370`	`370`	`}`
`371`		`- pk_serialize_success = secp256k1_eckey_pubkey_serialize(&pk, pk_ser, &pk_ser_len, SECP256K1_EC_COMPRESSED);`
	`371`	`+ pk_serialize_success = secp256k1_eckey_pubkey_serialize(&pk, pk_ser, &pk_ser_len, 1);`
`372`	`372`
`373`	`373`	`#ifdef VERIFY`
`374`	`374`	`/* A pubkey cannot be the point at infinity */`
Original file line number	Diff line number	Diff line change
`@@ -300,7 +300,7 @@ int secp256k1_ec_pubkey_serialize(const secp256k1_context* ctx, unsigned char *o`
`300`	`300`	`ARG_CHECK(pubkey != NULL);`
`301`	`301`	`ARG_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_COMPRESSION);`
`302`	`302`	`if (secp256k1_pubkey_load(ctx, &Q, pubkey)) {`
`303`		`- ret = secp256k1_eckey_pubkey_serialize(&Q, output, &len, flags & SECP256K1_FLAGS_BIT_COMPRESSION);`
	`303`	`+ ret = secp256k1_eckey_pubkey_serialize(&Q, output, &len, !!(flags & SECP256K1_FLAGS_BIT_COMPRESSION));`
`304`	`304`	`if (ret) {`
`305`	`305`	`*outputlen = len;`
`306`	`306`	`}`