Skip to content

ellswift: fix overflow flag handling in secp256k1_ellswift_xdh#1821

Open
SHAKE256 wants to merge 2 commits intobitcoin-core:masterfrom
Bitcoin-Cypherpunk:master
Open

ellswift: fix overflow flag handling in secp256k1_ellswift_xdh#1821
SHAKE256 wants to merge 2 commits intobitcoin-core:masterfrom
Bitcoin-Cypherpunk:master

Conversation

@SHAKE256
Copy link

@SHAKE256 SHAKE256 commented Feb 11, 2026

The secp256k1_ellswift_xdh function uses overflow = secp256k1_scalar_is_zero(&s) which overwrites the overflow flag from the preceding secp256k1_scalar_set_b32 call. This means secret keys >= the curve order are silently accepted (reduced mod n) instead of being rejected.

The fix changes = to |=, matching the correct pattern already used in secp256k1_ecdh (main_impl.h, line 51).

The ECDH module's test suite explicitly tests overflow rejection (passes secp256k1_group_order_bytes as a key and checks the function returns 0). The ellswift test suite has no corresponding test, which is why this went undetected.

Previous PR to the wrong repository: bitcoin/bitcoin#34558

@SHAKE256
ellswift: fix overflow flag handling in secp256k1_ellswift_xdh
db58637 
The secp256k1_ellswift_xdh function uses overflow = secp256k1_scalar_is_zero(&s) which overwrites the overflow flag from the preceding secp256k1_scalar_set_b32 call. This means secret keys >= the curve order are silently accepted (reduced mod n) instead of being rejected.

The fix changes = to |=, matching the correct pattern already used in secp256k1_ecdh (main_impl.h, line 51).

The ECDH module's test suite explicitly tests overflow rejection (passes secp256k1_group_order_bytes as a key and checks the function returns 0). The ellswift test suite has no corresponding test, which is why this went undetected.
theStack
theStack approved these changes Feb 11, 2026
View reviewed changes
Copy link
Contributor

@theStack theStack left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK db58637

Good catch. Would make sense to add a test as well (here or in a follow-up PR).

furszy
furszy reviewed Feb 11, 2026
View reviewed changes
Copy link
Member

@furszy furszy left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK db58637

real-or-random
real-or-random approved these changes Feb 12, 2026
View reviewed changes
Copy link
Contributor

@real-or-random real-or-random left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

utACK db58637

Great catch. This seems to be a genuine bug.

@sipa Can you review this?

sipa
sipa reviewed Feb 12, 2026
View reviewed changes
Copy link
Contributor

@sipa sipa left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ACK db58637. A test to prevent reverting this behavior would be nice.

@SHAKE256
Copy link
Author

SHAKE256 commented Feb 12, 2026

Hi,

AFK right now due to Fasnacht. Today will write the test.

Greetings

@real-or-random
Copy link
Contributor

real-or-random commented Feb 13, 2026

CI failures seem to be unrelated. I emptied the GitHub Actions cache and triggered a rebuild. Let's see if this fixes CI.

@real-or-random
Copy link
Contributor

real-or-random commented Feb 13, 2026

I emptied the GitHub Actions cache and triggered a rebuild. Let's see if this fixes CI.

Unfortunately, no. @hebasto Any ideas?

@hebasto
Copy link
Member

hebasto commented Feb 13, 2026

I emptied the GitHub Actions cache and triggered a rebuild. Let's see if this fixes CI.

Unfortunately, no. @hebasto Any ideas?

No idea, at this moment. I'll look into it thoroughly tomorrow.

@hebasto
Copy link
Member

hebasto commented Feb 13, 2026

I emptied the GitHub Actions cache and triggered a rebuild. Let's see if this fixes CI.

Unfortunately, no. @hebasto Any ideas?

No idea, at this moment. I'll look into it thoroughly tomorrow.

I've reviewed the CI code. One line looks suspicious...

@hebasto hebasto mentioned this pull request Feb 13, 2026
Merged
@hebasto
Copy link
Member

hebasto commented Feb 13, 2026

I emptied the GitHub Actions cache and triggered a rebuild. Let's see if this fixes CI.

Unfortunately, no. @hebasto Any ideas?

No idea, at this moment. I'll look into it thoroughly tomorrow.

I've reviewed the CI code. One line looks suspicious...

Fixed in #1823.

@SHAKE256
Copy link
Author

SHAKE256 commented Feb 14, 2026

@real-or-random Could you update your comment to use my new username?
Can someone merge #1823 from @hebasto and re-run the CI?

@real-or-random
Copy link
Contributor

real-or-random commented Feb 16, 2026

@real-or-random Could you update your comment to use my new username?

I assume you want it to disappear forever, so I'll delete my comment. (Editing keeps a history.)

Can someone merge #1823 from @hebasto and re-run the CI?

Let me see.

real-or-random added a commit that referenced this pull request Feb 16, 2026
@real-or-random
Merge #1823: ci: Load Docker image by ID from builder step
322d0a4 
ed02466 ci: Load Docker image by ID from builder step (Hennadii Stepanov)

Pull request description:

  Fixes loading wrong Docker images. For instance, see #1821 (comment).

ACKs for top commit:
  real-or-random:
    utACK ed02466

Tree-SHA512: 4de31bebe64d2b2adfbc5e1f2cbdea5e609a5640d17949bfe5aef9071948693ae7d8ac81772dd9620b101a72b553f38511b882119987e3c8342b6544571eca93
@hebasto
Copy link
Member

hebasto commented Feb 16, 2026

I'm suggesting to rebase this PR.

@SHAKE256
Copy link
Author

SHAKE256 commented Feb 16, 2026

That's not that easy @hebasto . Both are in master. I think it's fine how it is. I can do but then this will have to be closed, new branch, push, create PR... I will not keep my repository after the merge so the whole process would be just waste.

@hebasto
Copy link
Member

hebasto commented Feb 16, 2026

That's not that easy @hebasto . Both are in master. I think it's fine how it is. I can do but then this will have to be closed, new branch, push, create PR... I will not keep my repository after the merge so the whole process would be just waste.

git fetch https://github.com/bitcoin-core/secp256k1 master
git checkout FETCH_HEAD
git cherry-pick db58637b94f457f03e15d64ee7b79e0c9884ffd6
git cherry-pick d1a1a300cfbc9de148bd13e908bb0c085c101bfc
git branch -f master HEAD
git switch master 
git push --force

@hebasto
Copy link
Member

hebasto commented Feb 16, 2026

@SHAKE256

Btw, you might also want to change commits author's name.

@real-or-random
Copy link
Contributor

real-or-random commented Feb 16, 2026

That's not that easy @hebasto . Both are in master. I think it's fine how it is. I can do but then this will have to be closed, new branch, push, create PR... I will not keep my repository after the merge so the whole process would be just waste.

I think there's a misunderstanding. It's just two commands: :)

git rebase origin/master 
git push --force-with-lease

(assuming origin is this repo)

See also https://github.com/bitcoin/bitcoin/blob/master/CONTRIBUTING.md#rebasing-changes for background.

But if you really don't want to do it, someone else could take over and open a new PR. In general, I think we'd want to avoid merging PRs with failing CI. I don't think it's a super strict rule, but we should follow it unless there's some good reason not to.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sipa sipa sipa left review comments

@real-or-random real-or-random real-or-random approved these changes

+2 more reviewers

@furszy furszy furszy left review comments

@theStack theStack theStack approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

bug needs-changelog

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

6 participants

@SHAKE256 @real-or-random @hebasto @theStack @sipa @furszy