Accomidate GCC bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95189

roconnor-blockstream · roconnor-blockstream · commit a765e357b11b · 2020-09-23T12:57:39.000-04:00
diff --git a/src/scalar_impl.h b/src/scalar_impl.h
@@ -424,39 +424,48 @@ static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar
 #ifdef VERIFY
 static void secp256k1_scalar_split_lambda_verify(const secp256k1_scalar *r1, const secp256k1_scalar *r2, const secp256k1_scalar *k) {
     secp256k1_scalar s;
-    unsigned char buf1[32];
-    unsigned char buf2[32];
+    unsigned char buf[32];
 
     static const secp256k1_scalar lambda = SECP256K1_SCALAR_CONST(
         0x5363AD4CUL, 0xC05C30E0UL, 0xA5261C02UL, 0x8812645AUL,
         0x122E22EAUL, 0x20816678UL, 0xDF02967CUL, 0x1B23BD72UL
     );
 
-    /* (a1 + a2 + 1)/2 is 0xa2a8918ca85bafe22016d0b917e4dd77 */
-    static const unsigned char k1_bound[32] = {
-        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        0xa2, 0xa8, 0x91, 0x8c, 0xa8, 0x5b, 0xaf, 0xe2, 0x20, 0x16, 0xd0, 0xb9, 0x17, 0xe4, 0xdd, 0x77
+    /* lambda + (a1 + a2 + 1)/2 is 0x5363ad4cc05c30e0a5261c028812645ab4d6b476c8dd165aff19673533089ae9 */
+    static const unsigned char k1_upper_bound[32] = {
+        0x53, 0x63, 0xad, 0x4c, 0xc0, 0x5c, 0x30, 0xe0, 0xa5, 0x26, 0x1c, 0x02, 0x88, 0x12, 0x64, 0x5a,
+        0xb4, 0xd6, 0xb4, 0x76, 0xc8, 0xdd, 0x16, 0x5a, 0xff, 0x19, 0x67, 0x35, 0x33, 0x08, 0x9a, 0xe9
     };
 
-    /* (-b1 + b2)/2 + 1 is 0x8a65287bd47179fb2be08846cea267ed */
-    static const unsigned char k2_bound[32] = {
-        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-        0x8a, 0x65, 0x28, 0x7b, 0xd4, 0x71, 0x79, 0xfb, 0x2b, 0xe0, 0x88, 0x46, 0xce, 0xa2, 0x67, 0xed
+    /* lambda - (a1 + a2 + 1)/2 is 0x5363ad4cc05c30e0a5261c02881264596f85915d7825b696beebc5c3033edffb */
+    static const unsigned char k1_lower_bound[32] = {
+        0x53, 0x63, 0xad, 0x4c, 0xc0, 0x5c, 0x30, 0xe0, 0xa5, 0x26, 0x1c, 0x02, 0x88, 0x12, 0x64, 0x59,
+        0x6f, 0x85, 0x91, 0x5d, 0x78, 0x25, 0xb6, 0x96, 0xbe, 0xeb, 0xc5, 0xc3, 0x03, 0x3e, 0xdf, 0xfb
+    };
+
+    /* lambda + ((-b1 + b2)/2 + 1) is 0x5363ad4cc05c30e0a5261c028812645a9c934b65f4f2e0740ae31ec2e9c6255f */
+    static const unsigned char k2_upper_bound[32] = {
+        0x53, 0x63, 0xad, 0x4c, 0xc0, 0x5c, 0x30, 0xe0, 0xa5, 0x26, 0x1c, 0x02, 0x88, 0x12, 0x64, 0x5a,
+        0x9c, 0x93, 0x4b, 0x65, 0xf4, 0xf2, 0xe0, 0x74, 0x0a, 0xe3, 0x1e, 0xc2, 0xe9, 0xc6, 0x25, 0x5f
+    };
+
+    /* lambda - ((-b1 + b2)/2 + 1) is 0x5363ad4cc05c30e0a5261c028812645987c8fa6e4c0fec7db3220e354c815585 */
+    static const unsigned char k2_lower_bound[32] = {
+        0x53, 0x63, 0xad, 0x4c, 0xc0, 0x5c, 0x30, 0xe0, 0xa5, 0x26, 0x1c, 0x02, 0x88, 0x12, 0x64, 0x59,
+        0x87, 0xc8, 0xfa, 0x6e, 0x4c, 0x0f, 0xec, 0x7d, 0xb3, 0x22, 0x0e, 0x35, 0x4c, 0x81, 0x55, 0x85
     };
 
     secp256k1_scalar_mul(&s, &lambda, r2);
     secp256k1_scalar_add(&s, &s, r1);
     VERIFY_CHECK(secp256k1_scalar_eq(&s, k));
 
-    secp256k1_scalar_negate(&s, r1);
-    secp256k1_scalar_get_b32(buf1, r1);
-    secp256k1_scalar_get_b32(buf2, &s);
-    VERIFY_CHECK(memcmp(buf1, k1_bound, 32) < 0 || memcmp(buf2, k1_bound, 32) < 0);
+    secp256k1_scalar_add(&s, &lambda, r1);
+    secp256k1_scalar_get_b32(buf, &s);
+    VERIFY_CHECK(memcmp(buf, k1_upper_bound, 32) < 0 && 0 < memcmp(buf, k1_lower_bound, 32) );
 
-    secp256k1_scalar_negate(&s, r2);
-    secp256k1_scalar_get_b32(buf1, r2);
-    secp256k1_scalar_get_b32(buf2, &s);
-    VERIFY_CHECK(memcmp(buf1, k2_bound, 32) < 0 || memcmp(buf2, k2_bound, 32) < 0);
+    secp256k1_scalar_add(&s, &lambda, r2);
+    secp256k1_scalar_get_b32(buf, &s);
+    VERIFY_CHECK(memcmp(buf, k2_upper_bound, 32) < 0 && 0 < memcmp(buf, k2_lower_bound, 32) );
 }
 #endif
 
