From 5046c1cc1a24b754fec983045a048f6ae4a5f858 Mon Sep 17 00:00:00 2001 From: Brian Smith Date: Sat, 7 Dec 2024 19:41:44 -0800 Subject: [PATCH] ec/curve25519: Range check scalars directly. Replace the circuitous range validation with simpler code. --- src/ec/curve25519/scalar.rs | 21 +++++++++------------ 1 file changed, 9 insertions(+), 12 deletions(-) diff --git a/src/ec/curve25519/scalar.rs b/src/ec/curve25519/scalar.rs index 23ea97179..a4c055862 100644 --- a/src/ec/curve25519/scalar.rs +++ b/src/ec/curve25519/scalar.rs @@ -12,7 +12,8 @@ // OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN // CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -use crate::{arithmetic::limbs_from_hex, digest, error, limb}; +use crate::{arithmetic::limbs_from_hex, digest, error, limb, polyfill::slice}; +use core::array; #[repr(transparent)] pub struct Scalar([u8; SCALAR_LEN]); @@ -27,17 +28,13 @@ impl Scalar { limbs_from_hex("1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed"); let order = ORDER.map(limb::Limb::from); - // `bytes` is in little-endian order. - let mut reversed = bytes; - reversed.reverse(); - - let mut limbs = [0; SCALAR_LEN / limb::LIMB_BYTES]; - limb::parse_big_endian_in_range_and_pad_consttime( - untrusted::Input::from(&reversed), - limb::AllowZero::Yes, - &order, - &mut limbs, - )?; + let (limbs_as_bytes, _empty): (&[[u8; limb::LIMB_BYTES]], _) = slice::as_chunks(&bytes); + debug_assert!(_empty.is_empty()); + let limbs: [limb::Limb; SCALAR_LEN / limb::LIMB_BYTES] = + array::from_fn(|i| limb::Limb::from_le_bytes(limbs_as_bytes[i])); + if !limb::limbs_less_than_limbs_consttime(&limbs, &order).leak() { + return Err(error::Unspecified); + } Ok(Self(bytes)) }