@@ -162,10 +162,17 @@ pub fn expand_msg_xmd(msg: &[u8], dst: &[u8], len_in_bytes: usize) -> Vec<u8> {
162162 const S_IN_BYTES : usize = 64 ; // SHA-256 block size
163163
164164 let ell = len_in_bytes. div_ceil ( B_IN_BYTES ) ;
165- debug_assert ! ( ell <= 255 && len_in_bytes <= 65535 && dst. len( ) <= 255 ) ;
165+ assert ! ( ell <= 255 , "RFC 9380: ell must be at most 255" ) ;
166+ assert ! (
167+ len_in_bytes <= 65535 ,
168+ "RFC 9380: len_in_bytes must fit in 2 bytes"
169+ ) ;
170+ assert ! ( dst. len( ) <= 255 , "RFC 9380: DST must be at most 255 bytes" ) ;
166171
167- let dst_prime_suffix = [ dst. len ( ) as u8 ] ;
168- let l_i_b_str = [ ( len_in_bytes >> 8 ) as u8 , ( len_in_bytes & 0xff ) as u8 ] ;
172+ let dst_prime_suffix = [ u8:: try_from ( dst. len ( ) ) . expect ( "asserted above" ) ] ;
173+ let l_i_b_str = u16:: try_from ( len_in_bytes)
174+ . expect ( "asserted above" )
175+ . to_be_bytes ( ) ;
169176
170177 // b_0 = H(Z_pad || msg || l_i_b_str || I2OSP(0,1) || DST_prime)
171178 let mut h0 = Sha256 :: new ( ) ;
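Review bot: The three new `assert!`s turn a debug-only check into a release-build panic on caller-supplied `len_in_bytes` and `dst`, but the function's doc comment (outside the hunk) is not updated to say so; add a `# Panics` section listing the three RFC 9380 limits (`ell > 255`, `len_in_bytes > 65535`, `dst.len() > 255`). Only the upper bounds are enforced: RFC 9380 §3.1, as I read it, requires a non-empty DST (and recommends at least 16 bytes), so an empty `dst` still passes and yields a well-formed but effectively unseparated expansion — `assert!(!dst.is_empty(), "RFC 9380: DST must be non-empty");` next to the other asserts would close that. The same `expect("asserted above")` pattern continues in the second hunk of this function; expand_msg_xmd's body runs past this hunk.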
@@ -196,7 +203,7 @@ pub fn expand_msg_xmd(msg: &[u8], dst: &[u8], len_in_bytes: usize) -> Vec<u8> {
196203 }
197204 let mut hi = Sha256 :: new ( ) ;
198205 hi. update ( xored) ;
199- hi. update ( [ i as u8 ] ) ;
206+ hi. update ( [ u8 :: try_from ( i ) . expect ( "ell <= 255 asserted above" ) ] ) ;
200207 hi. update ( dst) ;
201208 hi. update ( dst_prime_suffix) ;
202209 let b_i: [ u8 ; 32 ] = hi. finalize ( ) . into ( ) ;
@@ -307,7 +314,8 @@ pub fn round1<R: RngCore + CryptoRng>(
307314 }
308315 } ;
309316 let r_point = G1Projective :: generator ( ) * k;
310- let ci = kryptology_challenge ( id as u8 , ctx, & commitment_points[ 0 ] , & r_point) ;
317+ let id_u8 = u8:: try_from ( id) . expect ( "id <= max_signers <= u8::MAX validated above" ) ;
318+ let ci = kryptology_challenge ( id_u8, ctx, & commitment_points[ 0 ] , & r_point) ;
311319 let wi = k + coefficients[ 0 ] * ci;
312320
313321 // Pre-compute Shamir shares for every other participant
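Review bot: The `expect("id <= max_signers <= u8::MAX validated above")` makes round1 panic on an invariant established outside this hunk, whereas round2 in the same commit maps the identical conversion to `DkgError::InvalidParticipantId` and propagates it with `?`. If round1 also returns `Result<_, DkgError>` (its signature is cut at the hunk header, so I cannot confirm), `let id_u8 = u8::try_from(id).map_err(|_| DkgError::InvalidParticipantId(id))?;` would keep the two rounds consistent and remove a panic path from a public function; if it does not, the expect message should at least name the specific check it relies on so the invariant is greppable. round1's body starts and ends outside the hunk.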
@@ -389,7 +397,9 @@ pub fn round2(
389397
390398 // Reconstruct R' = Wi*G - Ci*A_{j,0}
391399 let r_reconstructed = G1Projective :: generator ( ) * wi - a0 * ci;
392- let ci_check = kryptology_challenge ( sender_id as u8 , secret. ctx , & a0, & r_reconstructed) ;
400+ let sender_id_u8 =
401+ u8:: try_from ( sender_id) . map_err ( |_| DkgError :: InvalidParticipantId ( sender_id) ) ?;
402+ let ci_check = kryptology_challenge ( sender_id_u8, secret. ctx , & a0, & r_reconstructed) ;
393403 if ci_check != ci {
394404 return Err ( DkgError :: InvalidProof { culprit : sender_id } ) ;
395405 }
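Review bot: The `sender_id` range check is performed only after `r_reconstructed` has been computed from two scalar multiplications on the preceding line; moving `let sender_id_u8 = u8::try_from(sender_id).map_err(|_| DkgError::InvalidParticipantId(sender_id))?;` above the `// Reconstruct R'` comment rejects a malformed id before any group arithmetic is done on its behalf. The substance of the change is right: the old `sender_id as u8` silently truncated, so an out-of-range id would have produced a challenge bound to a different participant and surfaced as a misleading `InvalidProof { culprit }`. round2's body starts and ends outside the hunk.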