Separate secp256k1_fe_set_int( . , 0 ) from secp256k1_fe_clear()

real-or-random · isle2983 · real-or-random · commit 6a2c7b18ee24 · 2019-06-12T16:13:22.000+02:00
There are two uses of the secp256k1_fe_clear() function that are now separated
into these two functions in order to reflect the intent:

1) initializing the memory prior to being used -&gt; converted to fe_set_int( . , 0 )
2) zeroing the memory after being used such that no sensitive data remains. -&gt;
    remains as fe_clear()

In the latter case, 'magnitude' and 'normalized' need to be overwritten when
VERIFY is enabled.

Co-Authored-By: isle2983 &lt;isle2983@yahoo.com&gt;
diff --git a/src/ecmult_const_impl.h b/src/ecmult_const_impl.h
@@ -21,8 +21,8 @@
     VERIFY_CHECK(((n) & 1) == 1); \
     VERIFY_CHECK((n) >= -((1 << ((w)-1)) - 1)); \
     VERIFY_CHECK((n) <=  ((1 << ((w)-1)) - 1)); \
-    VERIFY_SETUP(secp256k1_fe_clear(&(r)->x)); \
-    VERIFY_SETUP(secp256k1_fe_clear(&(r)->y)); \
+    VERIFY_SETUP(secp256k1_fe_set_int(&(r)->x, 0)); \
+    VERIFY_SETUP(secp256k1_fe_set_int(&(r)->y, 0)); \
     for (m = 0; m < ECMULT_TABLE_SIZE(w); m++) { \
         /* This loop is used to avoid secret data in array indices. See
          * the comment in ecmult_gen_impl.h for rationale. */ \
diff --git a/src/field.h b/src/field.h
@@ -53,7 +53,7 @@ static int secp256k1_fe_normalizes_to_zero_var(secp256k1_fe *r);
  *  magnitude 0 if a == 0, and magnitude 1 otherwise. */
 static void secp256k1_fe_set_int(secp256k1_fe *r, int a);
 
-/** Sets a field element equal to zero, initializing all fields. */
+/** Clear a field element to prevent leaking sensitive information. */
 static void secp256k1_fe_clear(secp256k1_fe *a);
 
 /** Verify whether a field element is zero. Requires the input to be normalized. */
diff --git a/src/field_10x26_impl.h b/src/field_10x26_impl.h
@@ -293,7 +293,7 @@ SECP256K1_INLINE static void secp256k1_fe_clear(secp256k1_fe *a) {
     int i;
 #ifdef VERIFY
     a->magnitude = 0;
-    a->normalized = 1;
+    a->normalized = 0;
 #endif
     for (i=0; i<10; i++) {
         a->n[i] = 0;
diff --git a/src/field_5x52_impl.h b/src/field_5x52_impl.h
@@ -256,7 +256,7 @@ SECP256K1_INLINE static void secp256k1_fe_clear(secp256k1_fe *a) {
     int i;
 #ifdef VERIFY
     a->magnitude = 0;
-    a->normalized = 1;
+    a->normalized = 0;
 #endif
     for (i=0; i<5; i++) {
         a->n[i] = 0;
diff --git a/src/group_impl.h b/src/group_impl.h
@@ -194,15 +194,15 @@ static void secp256k1_ge_globalz_set_table_gej(size_t len, secp256k1_ge *r, secp
 
 static void secp256k1_gej_set_infinity(secp256k1_gej *r) {
     r->infinity = 1;
-    secp256k1_fe_clear(&r->x);
-    secp256k1_fe_clear(&r->y);
-    secp256k1_fe_clear(&r->z);
+    secp256k1_fe_set_int(&r->x, 0);
+    secp256k1_fe_set_int(&r->y, 0);
+    secp256k1_fe_set_int(&r->z, 0);
 }
 
 static void secp256k1_ge_set_infinity(secp256k1_ge *r) {
     r->infinity = 1;
-    secp256k1_fe_clear(&r->x);
-    secp256k1_fe_clear(&r->y);
+    secp256k1_fe_set_int(&r->x, 0);
+    secp256k1_fe_set_int(&r->y, 0);
 }
 
 static void secp256k1_gej_clear(secp256k1_gej *r) {
diff --git a/src/tests.c b/src/tests.c
@@ -79,7 +79,7 @@ void random_field_element_magnitude(secp256k1_fe *fe) {
     if (n == 0) {
         return;
     }
-    secp256k1_fe_clear(&zero);
+    secp256k1_fe_set_int(&zero, 0);
     secp256k1_fe_negate(&zero, &zero, 0);
     secp256k1_fe_mul_int(&zero, n - 1);
     secp256k1_fe_add(fe, &zero);

Original file line number	Diff line number	Diff line change
`@@ -79,7 +79,7 @@ void random_field_element_magnitude(secp256k1_fe *fe) {`
`79`	`79`	`if (n == 0) {`
`80`	`80`	`return;`
`81`	`81`	`}`
`82`		`- secp256k1_fe_clear(&zero);`
	`82`	`+ secp256k1_fe_set_int(&zero, 0);`
`83`	`83`	`secp256k1_fe_negate(&zero, &zero, 0);`
`84`	`84`	`secp256k1_fe_mul_int(&zero, n - 1);`
`85`	`85`	`secp256k1_fe_add(fe, &zero);`