Run UBSAN with both GCC and Clang, on Linux and macOS.
The `halt_on_error=1` option is required to make the build fail if the
sanitizer finds an issue.
If the scratch space is too small when calling
`secp256k1_ecmult_strauss_batch()`, the `state.pre_a` allocation will
fail and the pointer will be `NULL`. This causes `state.pre_a_lam` to be
computed from the `NULL` pointer.
It is also possible that the first allocation to fail is for `state.ps`,
which will cause the failure to occur when in
`secp256k1_ecmult_strauss_wnaf()`.
The issue has been detected by UBSAN using Clang 10:
```
CC=clang \
CFLAGS="-fsanitize=undefined -fno-omit-frame-pointer" \
LDFLAGS="-fsanitize=undefined -fno-omit-frame-pointer" \
../configure
UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1 make check
```
c582abade1c50ef50dc7ee9f7b7af8e06e22065d Consistency improvements to the comments (Pieter Wuille)
63c6b71616816b19bec9cb3ab6b45ae5afd955f0 Reorder comments/function around scalar_split_lambda (Pieter Wuille)
2edc514c90293af8f602e4376e832773779c9426 WNAF of lambda_split output has max size 129 (Pieter Wuille)
4232e5b7da0a68adc14fa4b481f7e106403c200d Rip out non-endomorphism code (Pieter Wuille)
ebad8414b0e68041568d0b5ebe0bd395dbfbed9e Check correctness of lambda split without -DVERIFY (Gregory Maxwell)
fe7fc1fda8675aa9d79dae54a1b8b3cd06abcf81 Make lambda constant accessible (Pieter Wuille)
9d2f2b44d895509e8c4e7831fa917f13fa69f054 Add tests to exercise lambda split near bounds (Pieter Wuille)
9aca2f7f07b0563f8c65fcc22a0a91325cf6273b Add secp256k1_split_lambda_verify (Russell O'Connor)
acab934d24ff26289ab9930587c3fc51c30c6a2f Detailed comments for secp256k1_scalar_split_lambda (Russell O'Connor)
76ed922a5f09d63e0622825ca83d9301c1ef3efe Increase precision of g1 and g2 (Russell O'Connor)
6173839c90553385171d560be8a17cbe167e3bef Switch to our own memcmp function (Tim Ruffing)
Pull request description:
This is a rebased/combined version of the following pull requests/commits with minor changes:
* #825 Switch to our own memcmp function
* Modification: `secp256k1_memcmp_var` is marked static inline
* Modification: also replace `memcmp` with `secp256k1_memcmp_var` in exhaustive tests
* Modification: add reference to GCC bug 95189
* #822 Increase precision of g1 and g2
* Modification: use the new `secp256k1_memcmp_var` function instead of `memcmp` (see https://github.com/bitcoin-core/secp256k1/pull/822#issuecomment-706610361)
* Modification: drop the " Allow secp256k1_split_lambda_verify to pass even in the presence of GCC bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95189." commit, as it's dealt with using `secp256k1_memcmp_var`.
* Modification: rename secp256k1_gej_mul_lambda -> secp256k1_ge_mul_lambda
* A new commit that moves the `lambda` constant out of `secp256k1_scalar_split_lambda` and (`_verify`).
* The test commit suggested here: https://github.com/bitcoin-core/secp256k1/pull/822#issuecomment-706610276
* Modification: use the new accessible `secp256k1_const_lambda` instead of duplicating it.
* #826 Rip out non-endomorphism code
* A new commit that reduces the size of the WNAF output to 129, as we now have proof that the split output is always 128 bits or less.
* A new commit to more consistently use input:`k`, integer outputs:`k1`,`k2`, modulo n outputs:`r1`,`r2`
ACKs for top commit:
real-or-random:
ACK c582abade1c50ef50dc7ee9f7b7af8e06e22065d code inspection, some tests, verified the new g1/g2 constants
jonasnick:
ACK c582abade1c50ef50dc7ee9f7b7af8e06e22065d didn't verify the proof
Tree-SHA512: 323a3ee3884b7ac4fa85c8e7b785111b5c0638d718bc1c805a38963c87411e81a746c98e9a42a3e2197ab34a874544de5cc51326955d1c4d0ea45afd418e819f
The VERIFY macro turns on various paranoid consistency checks, but
the complete functionality should still be tested without it.
This also adds a couple of static test points for extremely small
split inputs/outputs. The existing bounds vectors already check
extremely large outputs.
This allows us to shift by 256+128 = 384 bits, which is a multiple of the limb size of
the scalar representation. This also happens to be the most precision possible for g2
that still fits into a 256-bit value.
a45c1fa63cb3020225d72049ef9c1cf300014795 Rename testrand functions to have test in name (Pieter Wuille)
Pull request description:
Suggested here: https://github.com/bitcoin-core/secp256k1/pull/808#discussion_r488871913
ACKs for top commit:
real-or-random:
ACK a45c1fa63cb3020225d72049ef9c1cf300014795 diff looks good
elichai:
utACK a45c1fa63cb3020225d72049ef9c1cf300014795
Tree-SHA512: a15c29b88877e0f1a099acab90cbfa1e70420527e07348a69c8a5b539319a3131b771b86852e772a669a1eb3475d508d0f7e10f37eec363dc6640d4eaf967536
4eecb4d6ef6d4f18be8870a5929feb1dae376d15 travis: VALGRIND->RUN_VALGRIND to avoid confusion with WITH_VALGRIND (Jonas Nick)
66a765c7752b76d99be02d0f84dc05105bf4e70d travis: Explicitly set --with-valgrind (Jonas Nick)
Pull request description:
Also remove CPPFLAGS=-DVALGRIND because that's redundant with when
configured with --enable-valgrind.
ACKs for top commit:
real-or-random:
ACK 4eecb4d6ef6d4f18be8870a5929feb1dae376d15 diff and travis output look good
sipa:
utACK 4eecb4d6ef6d4f18be8870a5929feb1dae376d15
elichai:
ACK 4eecb4d6ef6d4f18be8870a5929feb1dae376d15
Tree-SHA512: c22d79fccaa926a074272b63a61f052f4bec3b1e5a871e3f08a4f6c19046da575779126a7008eb8a7513e70997b32d1dc6565dfb7aa41c57c0b6ef15ebbc8303
c0041b5cfca5efb160aa9a5616350069c89a8c29 Add static assertion that uint32_t is unsigned int or wider (Tim Ruffing)
Pull request description:
Solves one item in #792 .
ACKs for top commit:
sipa:
utACK c0041b5cfca5efb160aa9a5616350069c89a8c29
elichai:
ACK c0041b5cfca5efb160aa9a5616350069c89a8c29
Tree-SHA512: 9f700e89be39e15983260da94642593d16b9c437171e10377837ac73731ca7ba5dd7e328b3d93d0a24d143fb9e73abd11c578f6b58e2f94c82b783e977173b0c
8b7dcdd955a4f57174f478e36bdae5b84784fb9c Add exhaustive test for extrakeys and schnorrsig (Pieter Wuille)
08d7d89299a6492bf9388b4662b709d268c8ea29 Make pubkey parsing test whether points are in the correct subgroup (Pieter Wuille)
87af00b511f2938b6b4799f94d446a005730515e Abstract out challenge computation in schnorrsig (Pieter Wuille)
63e1b2aa7d396209aa5e26aa540d9593ede312a6 Disable output buffering in tests_exhaustive.c (Pieter Wuille)
39f67dd072fc44c7c0d27b95610ba8912de56db5 Support splitting exhaustive tests across cores (Pieter Wuille)
e99b26fcd54cb4096515ba80cf0f79d147b2683c Give exhaustive_tests count and seed cmdline inputs (Pieter Wuille)
49e6630bca5f6628bd1fd92d70d465273d4d873f refactor: move RNG seeding to testrand (Pieter Wuille)
b110c106fa9704e30f6b0c2ffa6a2697031e89a8 Change exhaustive test groups so they have a point with X=1 (Pieter Wuille)
cec7b18a34e68adb04f31a71a2eb4c5fc97674ce Select exhaustive lambda in function of order (Pieter Wuille)
78f6cdfaae9866694dcb0eee966332688753a8c3 Make the curve B constant a secp256k1_fe (Pieter Wuille)
d7f39ae4b67ea1ac6f085e6262a5f53afc0c5a25 Delete gej_is_valid_var: unused outside tests (Pieter Wuille)
8bcd78cd791fd9209d72d6bce455c8d3cf2c0249 Make secp256k1_scalar_b32 detect overflow in scalar_low (Pieter Wuille)
c498366e5b2d9c60e2e677949cf7373dbe877515 Move exhaustive tests for recovery to module (Pieter Wuille)
be317915436909573733afe3972a9abdee9357f7 Make group order purely compile-time in exhaustive tests (Pieter Wuille)
Pull request description:
A few miscellaneous improvements:
* Just use EXHAUSTIVE_TEST_ORDER as order everywhere, rather than a variable
* Move exhaustive tests for recovery module to the recovery module directory
* Make `secp256k1_scalar_set_b32` detect overflow correctly for scalar_low (a comment in the recovery exhaustive test indicated why this was the case, but this looks incorrect).
* Change the small test groups so that they include a point with X coordinate 1.
* Initialize the RNG seed, allowing configurating from the cmdline, and report it.
* Permit changing the number of iterations (re-randomizing for each).
* Support splitting the work across cores from the cmdline.
And a big one:
* Add exhaustive tests for schnorrsig module (and limited ones for extrakeys).
ACKs for top commit:
real-or-random:
ACK 8b7dcdd955a4f57174f478e36bdae5b84784fb9c
jonasnick:
ACK 8b7dcdd955a4f57174f478e36bdae5b84784fb9c
Tree-SHA512: 18d7f362402085238faaced164c0ca34079717a477001fc0b13448b3529ea2ad705793a13b7a36f34bf12e9231fee11070f88cc51bfc2a83ca82aa13f7aaae71
412bf874d09517b559eba4f7addb4c181cc2780b configure: Allow specifying --with[out]-valgrind explicitly (Luke Dashjr)
Pull request description:
ACKs for top commit:
sipa:
ACK 412bf874d09517b559eba4f7addb4c181cc2780b. Tested by running configure on a system with and without valgrind, and with no argument, with `--with-valgrind`, and with `--without-valgrind`.
real-or-random:
ACK 412bf874d09517b559eba4f7addb4c181cc2780b
jonasnick:
ACK 412bf874d09517b559eba4f7addb4c181cc2780b
Tree-SHA512: 92417609751e5af813faff1661055cd37f3d00dbcf109a8f14f8ba59d9f3d620c9c6b67d2b1629b6ab75e2afcd47d2b3898a0427931567fb505bc92fa5ee3532
This enables testing overflow is correctly encoded in the recid, and
likely triggers more edge cases.
Also introduce a Sage script to generate the parameters.
34debf7a6d36bbd9a52e68e079ddfc446faf5bef Modify .travis.yml to explictly pass no in env vars instead of setting to nothing (Elichai Turkel)
ef37761feed0172baa03dd94c842f1547bdf3016 Change travis.sh to check if variables are equal to yes instead of not-empty. Before this, setting `VALGRIND=wat` was considered as true, and to make it evaluate as false you had to unset the variable `VALGRIND=` but not it checks if `VALGRIND=yes` and if it's not `yes` then it's evaluated to false (Elichai Turkel)
Pull request description:
ACKs for top commit:
real-or-random:
ACK 34debf7a6d36bbd9a52e68e079ddfc446faf5bef
jonasnick:
ACK 34debf7a6d36bbd9a52e68e079ddfc446faf5bef
Tree-SHA512: 91becfbc9cb7587ee55b2bceb604ea0aed8860990d63a5f414b11db92180c090ea8bcc048c2fb67a094e892138e3be46f00562bf78b7c3369232457289cde447
5738e8622d8ba02caa984425c23c072a3f14352c tests: Initialize random group elements fully (Tim Ruffing)
Pull request description:
Also fix add a missing comment.
ACKs for top commit:
sipa:
utACK 5738e8622d8ba02caa984425c23c072a3f14352c
Tree-SHA512: c7723e225434e7044379f307b2977a3a5251080793bd87b377a2bbf1d18b39ca05f6fb3b427acec32c3b34f4de678fe7087a2dcca4b5f03ec1fc680a88d82b9a
f431b3f28ac95a3645ad5a6dc96b878fa30a1de3 valgrind_ctime_test: Add schnorrsig_sign (Jonas Nick)
16ffa9d97cef93f49544b016339c107882f9a1c3 schnorrsig: Add taproot test case (Jonas Nick)
8dfd53ee3fa059562483d1867815f78b9e00d947 schnorrsig: Add benchmark for sign and verify (Jonas Nick)
4e43520026f5bcd182d21f0759bac159ef47bb62 schnorrsig: Add BIP-340 compatible signing and verification (Jonas Nick)
7332d2db6b62fda851f9ed8adbfda187a875b84e schnorrsig: Add BIP-340 nonce function (Jonas Nick)
7a703fd97db0161bae07ef84513ddde6e0d27353 schnorrsig: Init empty experimental module (Jonas Nick)
eabd9bc46a31c0da6db6d88840eadbe9006447b1 Allow initializing tagged sha256 (Jonas Nick)
6fcb5b845d2832ce019d60507033f74426290768 extrakeys: Add keypair_xonly_tweak_add (Jonas Nick)
58254463f9a2e96d893157a341c9953c440fdf60 extrakeys: Add keypair struct with create, pub and pub_xonly (Jonas Nick)
f0010349b876bc6b3f0a6ec6c8bad0b12ca17b51 Separate helper functions for pubkey_create and seckey_tweak_add (Jonas Nick)
910d9c284c33b77774a9316d4524f313357d441c extrakeys: Add xonly_pubkey_tweak_add & xonly_pubkey_tweak_add_test (Jonas Nick)
176bfb1110147b5dca1834ea071acc846fb1cab3 Separate helper function for ec_pubkey_tweak_add (Jonas Nick)
4cd2ee474d178bd1b5602486104db346a7562c67 extrakeys: Add xonly_pubkey with serialize, parse and from_pubkey (Jonas Nick)
47e6618e11813cfabe91f0909ca031f960cb7dd4 extrakeys: Init empty experimental module (Jonas Nick)
3e08b02e2a78f2a1fc457efab665db8ab8085373 Make the secp256k1_declassify argument constant (Jonas Nick)
Pull request description:
This PR implements signing, verification and batch verification as described in [BIP-340](https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki) in an experimental module named `schnorrsig`. It includes the test vectors and a benchmarking tool.
This PR also adds a module `extrakeys` that allows [BIP-341](https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki)-style key tweaking.
(Adding ChaCha20 as a CSPRNG and batch verification was moved to PR #760).
In order to enable the module run `./configure` with `--enable-experimental --enable-module-schnorrsig`.
Based on apoelstra's work.
ACKs for top commit:
gmaxwell:
ACK f431b3f28ac95a3645ad5a6dc96b878fa30a1de3 (exactly matches the previous post-fixup version which I have already reviewed and tested)
sipa:
ACK f431b3f28ac95a3645ad5a6dc96b878fa30a1de3
real-or-random:
ACK f431b3f28ac95a3645ad5a6dc96b878fa30a1de3 careful code review
Tree-SHA512: e15e849c7bb65cdc5d7b1d6874678e275a71e4514de9d5432ec1700de3ba92aa9f381915813f4729057af152d90eea26aabb976ed297019c5767e59cf0bbc693
