From 7d7d43c6dd2741853de4631881d77ae38a14cd23 Mon Sep 17 00:00:00 2001
From: Pieter Wuille <pieter@wuille.net>
Date: Mon, 31 Jan 2022 17:34:36 -0500
Subject: [PATCH] Improve comments/check for fe_equal{,_var}

---
 src/field.h      | 12 ++++++++++--
 src/field_impl.h | 12 ++++++++++++
 2 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/src/field.h b/src/field.h
index 9e517dca80..e7b64e78eb 100644
--- a/src/field.h
+++ b/src/field.h
@@ -150,10 +150,18 @@ static int secp256k1_fe_is_zero(const secp256k1_fe *a);
  */
 static int secp256k1_fe_is_odd(const secp256k1_fe *a);
 
-/** Compare two field elements. Requires magnitude-1 inputs. */
+/** Determine whether two field elements are equal.
+ *
+ * On input, a and b must be valid field elements with magnitudes not exceeding
+ * 1 and 31, respectively.
+ * Returns a = b (mod p).
+ */
 static int secp256k1_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b);
 
-/** Same as secp256k1_fe_equal, but may be variable time. */
+/** Determine whether two field elements are equal, without constant-time guarantee.
+ *
+ * Identical in behavior to secp256k1_fe_equal, but not constant time in either a or b.
+ */
 static int secp256k1_fe_equal_var(const secp256k1_fe *a, const secp256k1_fe *b);
 
 /** Compare two field elements. Requires both inputs to be normalized */
diff --git a/src/field_impl.h b/src/field_impl.h
index bd6982033c..dae82aa67e 100644
--- a/src/field_impl.h
+++ b/src/field_impl.h
@@ -20,6 +20,12 @@
 
 SECP256K1_INLINE static int secp256k1_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
     secp256k1_fe na;
+#ifdef VERIFY
+    secp256k1_fe_verify(a);
+    secp256k1_fe_verify(b);
+    VERIFY_CHECK(a->magnitude <= 1);
+    VERIFY_CHECK(b->magnitude <= 31);
+#endif
     secp256k1_fe_negate(&na, a, 1);
     secp256k1_fe_add(&na, b);
     return secp256k1_fe_normalizes_to_zero(&na);
@@ -27,6 +33,12 @@ SECP256K1_INLINE static int secp256k1_fe_equal(const secp256k1_fe *a, const secp
 
 SECP256K1_INLINE static int secp256k1_fe_equal_var(const secp256k1_fe *a, const secp256k1_fe *b) {
     secp256k1_fe na;
+#ifdef VERIFY
+    secp256k1_fe_verify(a);
+    secp256k1_fe_verify(b);
+    VERIFY_CHECK(a->magnitude <= 1);
+    VERIFY_CHECK(b->magnitude <= 31);
+#endif
     secp256k1_fe_negate(&na, a, 1);
     secp256k1_fe_add(&na, b);
     return secp256k1_fe_normalizes_to_zero_var(&na);