Add VERIFY_CHECKs and documentation that flags must be 0 or 1 #1783

pull john-moffett wants to merge 1 commits into bitcoin-core:master from john-moffett:internal_bounds_checks changing 11 files +30 −8
  1. john-moffett commented at 8:54 PM on December 9, 2025: contributor

    Flags for constant-time masking rely on the values being exactly 0 or 1 rather than 0 or true (any nonzero). One function, secp256k1_fe_cmov documents and VERIFY_CHECKs this, but most don't.

    This updates the documentation and adds VERIFY_CHECKs enforcing flag == 0 || flag == 1 for:

    secp256k1_fe_storage_cmov secp256k1_gej_cmov secp256k1_ge_storage_cmov secp256k1_scalar_cadd_bit secp256k1_scalar_cond_negate secp256k1_scalar_cmov secp256k1_int_cmov

  2. furszy commented at 9:01 PM on December 9, 2025: member

    Wondering if it worth adding a macro for this; something like VERIFY_BOOL_ARG.

  3. real-or-random approved
  4. real-or-random commented at 10:10 AM on December 10, 2025: contributor

    utACK 0a6ebe0b24c247aebfa63ccb0017d4de93e2e5a8

    If you want to touch this again: I like "flag must be 0 or 1." because it's so clear. It would be good to add it even to the comments in "If flag is 1..." style.

  5. real-or-random commented at 10:17 AM on December 10, 2025: contributor

    Wondering if it worth adding a macro for this; something like VERIFY_BOOL_ARG.

    Weak Concept NACK for the reasons laid out in #1779. There, it was a Concept ~0, but here I deem the value below 0 because we don't even save lines. VERIFY_BOOL_ARG(flag) is not simpler to read than VERIFY_CHECK(flag == 0 || flag == 1). If anything, it's harder to read because it's less explicit (unless you look up the macro).

    If we really want to improve this, then let's switch to C99 and use bool. But I'm not sure if I really want to have this discussion. :D

    edit: Sorry, Concept NACK. I had typed "Concept ACK" first.

  6. john-moffett force-pushed on Dec 10, 2025
  7. real-or-random approved
  8. real-or-random commented at 2:18 PM on December 10, 2025: contributor

    utACK 9fa11a76eacbe4774ade813f9c25c2c348cb9086

  9. furszy commented at 3:56 PM on December 10, 2025: member

    Wondering if it worth adding a macro for this; something like VERIFY_BOOL_ARG.

    Weak Concept NACK for the reasons laid out in #1779. There, it was a Concept ~0, but here I deem the value below 0 because we don't even save lines. VERIFY_BOOL_ARG(flag) is not simpler to read than VERIFY_CHECK(flag == 0 || flag == 1). If anything, it's harder to read because it's less explicit (unless you look up the macro).

    That's probably because VERIFY_BOOL_ARG is not explicit/readable enough? My broader thought is that argument checks should come from well-named, established helpers at this point, so we don’t have to keep worrying about the raw checks in every function. We should understand what the function does just by reading its name.

    Furthermore, if you push me a bit, I’d even say we should aim for a more generic mechanism for argument validation altogether (some sort of decorator), so validating args becomes a no-brainer entirely.

    If we really want to improve this, then let's switch to C99 and use bool. But I'm not sure if I really want to have this discussion. :D

    hehe, not planning to go that far. I just think we should focus on what actually matters and minimize the time we spend reviewing malformed input-arg checks.

  10. real-or-random commented at 7:55 AM on December 11, 2025: contributor

    That's probably because VERIFY_BOOL_ARG is not explicit/readable enough?

    It's just that spelling out the condition, as in VERIFY_CHECK(flag == 0 || flag == 1) is, by the meaning of the word, more explicit, and it's still short enough to be read with a single glimpse. This gives VERIFY_BOOL_ARG a tiny disadvantage because readers may need to look it up. But this is not about the name of the macro. I like the name. The name is rather explicit and probably as good as it can get.

    My broader thought is that argument checks should come from well-named, established helpers at this point, so we don’t have to keep worrying about the raw checks in every function. We should understand what the function does just by reading its name.

    Furthermore, if you push me a bit, I’d even say we should aim for a more generic mechanism for argument validation altogether (some sort of decorator), so validating args becomes a no-brainer entirely.

    This is a different direction, of course. If we had macros for almost every type (or even some more clever thing, but that seems difficult in C89), then the tiny disadvantage of VERIFY_BOOL_ARG would most likely be outweighed by the advantage of having a consistent framework. Curious to see proposals if you have something in mind!

    Still, the raw checks are mostly easy to read, and they keep the advantage of being very explicit. So I think in the current state of the code base, they make sense.

  11. furszy commented at 11:54 PM on December 14, 2025: member

    ACK 9fa11a76eacbe4774ade813f9c25c2c348cb9086

    It seems you could also do it for secp256k1_musig_secnonce_invalidate (at least the comment update).

  12. real-or-random added the label assurance on Dec 15, 2025
  13. real-or-random added the label tweak/refactor on Dec 15, 2025
  14. hebasto approved
  15. hebasto commented at 1:46 PM on December 15, 2025: member

    ACK 9fa11a76eacbe4774ade813f9c25c2c348cb9086, I have reviewed the code and it looks OK.

    We should understand what the function does just by reading its name.

    Perhaps this would be a good time to rename secp256k1_scalar_cond_negate to reflect its constant-time behaviour?

  16. Add VERIFY_CHECKs that flags are 0 or 1
    Flags for constant-time masking rely
on the values being exactly 0 or 1 rather
than 0 or true. Add VERIFY_CHECKs to enforce
in VERIFY builds as a preventative
measure and add documentation where relevant.
    ae00c552df
  17. john-moffett force-pushed on Dec 15, 2025
  18. furszy commented at 2:14 PM on December 15, 2025: member

    ACK ae00c55

  19. hebasto approved
  20. hebasto commented at 2:21 PM on December 15, 2025: member

    re-ACK ae00c552df55f4d170175903855901d640b92761.

  21. john-moffett commented at 2:22 PM on December 15, 2025: contributor

    Thank you for the reviews. @furszy thanks for the catch; I updated the docs for that function. @hebasto, my impression is that most functions don't have their constant-time-ness included in the function name, eg - secp256k1_scalar_add, secp256k1_scalar_mul, secp256k1_scalar_cond_negate. It seems like only variable-time ones are marked as such with a _var suffix. Let me know if you had something else in mind, though.

  22. real-or-random merged this on Dec 15, 2025
  23. real-or-random closed this on Dec 15, 2025
  24. Eunovo referenced this in commit b065787ddb on Jan 19, 2026
  25. fanquake referenced this in commit c4c4e04ca1 on Jan 26, 2026
  26. fanquake referenced this in commit 2fccbea3c8 on Jan 27, 2026
  27. fjahr referenced this in commit 182197f98a on Jan 29, 2026
  28. fjahr referenced this in commit ea9a84ab3c on Jan 31, 2026
  29. fjahr referenced this in commit 23c2527f12 on Feb 8, 2026
  30. Sjors referenced this in commit d5660d3a13 on Feb 16, 2026
  31. github-actions[bot] referenced this in commit c3f80fff5f on Mar 1, 2026
  32. github-actions[bot] referenced this in commit 4aeff8400e on Mar 1, 2026
  33. github-actions[bot] referenced this in commit 5f15eb0c55 on Mar 1, 2026
  34. 0x000000000019d6689c085ae165831e934ff76 referenced this in commit d54574beca on Mar 2, 2026
  35. csjones referenced this in commit fb3e16af04 on Mar 2, 2026
  36. real-or-random referenced this in commit 459eab20f2 on Mar 3, 2026
  37. vmta referenced this in commit 1ddc2f947f on Apr 26, 2026
  38. vmta referenced this in commit 56c40fe100 on Apr 27, 2026
Contributors
john-moffettfurszyreal-or-randomhebasto
Labels
assurancetweak/refactor
github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin-core/secp256k1. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2026-05-19 06:52 UTC