18aadf9d288a54533376cb94f655d059eb1f098e docs: fix simple typo, dependecy -> dependency (Tim Gates)
Pull request description:
There is a small typo in src/group_impl.h.
Should read `dependency` rather than `dependecy`.
ACKs for top commit:
real-or-random:
ACK 18aadf9d288a54533376cb94f655d059eb1f098e
Tree-SHA512: 3529f43bcc87ea8940ecf5af765951f61d97d1efa86fd8abc29e32b600fd449165a94a2fa525bc6b3d9a7d8aa6e691cc4d42033537b196ba166a867e6db7f397
6e85d675aaf9dc17842096f9cbf8cfab216c9331 Rename tweak to tweak32 in public API (Jonas Nick)
f587f04e35719883546afd54cb491ead18eb6fc7 Rename msg32 to msghash32 in ecdsa_sign/verify and add explanation (Jonas Nick)
Pull request description:
This fixes#307 if there's nothing else that's confusing.
ACKs for top commit:
real-or-random:
ACK 6e85d675aaf9dc17842096f9cbf8cfab216c9331 I inspected the diff
Tree-SHA512: 1b0dc9dfffd497058dc39c962a512ed6d7f89218020fef9d2c03aaae1aefbf272b918c4fe6503434b62547714855fe1b8b89f2366f3ae6cde16143207c9e6b86
f4fa8d226a95e42b252c07edb425c446370e01c0 forbid a test iteration of 0 or less (Andrew Poelstra)
0ce45548813709d828cb3abcc7db4c9ce6e26907 make test count iteration configurable by environment variable (Andrew Poelstra)
Pull request description:
ACKs for top commit:
jonasnick:
ACK f4fa8d226a95e42b252c07edb425c446370e01c0
real-or-random:
ACK f4fa8d226a95e42b252c07edb425c446370e01c0
Tree-SHA512: 087771402c8e9536c07446baa7d02da5104d2b691f40c1dd04737329534422d895d3b692f485990d5791af8ccc124305b4f8b19be75e27b6b04cfb2337b28beb
1f4dd0383807bfb7fef884601357b4c629dfb566 Typedef (u)int128_t only when they're not provided by the compiler (Tim Ruffing)
e89278f211a526062745c391d48a7baf782b4b2b Don't use reserved identifiers memczero and benchmark_verify_t (Tim Ruffing)
Pull request description:
As identified in #829 and #833. Fixes#829.
Since we touch this anyway, this commit additionally makes the
identifiers in the benchmark files a little bit more consistent.
This is necessary before we can merge #833. I preferred a separate PR because it makes it easier to see the results of Travis in #833.
ACKs for top commit:
sipa:
utACK 1f4dd0383807bfb7fef884601357b4c629dfb566
jonasnick:
ACK 1f4dd0383807bfb7fef884601357b4c629dfb566
Tree-SHA512: c0ec92798f3c94f3ef6ac69b3f0f39a39257a32be9d9a068832cece1ebe64c89848b70e44652fc397004b8b240883ac4bc0c8f95abbe4ba4b028de120e6734bf
29a299e373d5f0e326be74c514c7c70ddf50cce1 Run the undefined behaviour sanitizer on Travis (Fabien)
7506e064d791e529d2e57bb52c156deb33b897ef Prevent arithmetic on NULL pointer if the scratch space is too small (Fabien)
Pull request description:
ACKs for top commit:
sipa:
ACK 29a299e373d5f0e326be74c514c7c70ddf50cce1. Reviewed the code changes and verified that building with these sanitizer flags catches the existing error, as well as a signed integer overflow if introduced.
real-or-random:
ACK 29a299e373d5f0e326be74c514c7c70ddf50cce1 code inspection
jonasnick:
utACK 29a299e373d5f0e326be74c514c7c70ddf50cce1
Tree-SHA512: 4d788f12f3d7b48018e884910adb9b530a05d88f504de83dadeab8a22d75da83c05a1518f7317de5f536c4dd243ea7b347b1eaddb2ca1d804c663e41b85db69d
3734b68200ee37f5eea80f47d611e9b5a65548fe Configure echo if openssl tests are enabled (Elichai Turkel)
e6692778d3f6507eb1325785cdd424073a945ff7 Modify bitcoin_secp.m4's openssl check to call all the functions that we use in the tests/benchmarks. That way linking will fail if those symbols are missing (Elichai Turkel)
Pull request description:
I added all the openssl functions that we call in `tests.c` and in `bench_verify.c` to the m4 check, that way if any of them are missing it won't enable openssl.
I also modified it a little to prevent a segmentation fault when running that program (not that it really matters for autotools)
This should fix#836
ACKs for top commit:
sipa:
ACK 3734b68200ee37f5eea80f47d611e9b5a65548fe
real-or-random:
ACK 3734b68200ee37f5eea80f47d611e9b5a65548fe
Tree-SHA512: c82aa96a4176061284dfa5fdb87ca874a25aa2e11f75c4ec6d1edebcc8a19e2bc940990f8a5cfa64776fd295b6fd3a140fa2afede29326564504bc8d1a3a6b69
If the user passes invalid flags to _context_create, and the default
illegal callback does not abort the program (which is possible), then we
work with the result of malloc(0), which may be undefined behavior. This
violates the promise that a library function won't crash after the
illegal callback has been called.
This commit fixes this issue by returning NULL early in _context_create
in that case.
8893f42438ac75838a9dc7df7e98b29e9a1a085f Avoids a potentially shortening size_t to int cast in strauss_wnaf_ (Tim Ruffing)
Pull request description:
ACKs for top commit:
sipa:
ACK 8893f42438ac75838a9dc7df7e98b29e9a1a085f. `np` and `no` shouldn't ever take on negative values.
jonasnick:
ACK 8893f42438ac75838a9dc7df7e98b29e9a1a085f
elichai:
ACK 8893f42438ac75838a9dc7df7e98b29e9a1a085f
Tree-SHA512: 431a6b88c8db8c8883b35c9bc03c90e37ecd0b06c7ee01c5d83cca4a7f6fc1f3cfbbaa871a4a23374ce4cc5bcfb9502c7f2e2540f9f9db9535e47e48827b6af6
Run UBSAN with both GCC and Clang, on Linux and macOS.
The `halt_on_error=1` option is required to make the build fail if the
sanitizer finds an issue.
If the scratch space is too small when calling
`secp256k1_ecmult_strauss_batch()`, the `state.pre_a` allocation will
fail and the pointer will be `NULL`. This causes `state.pre_a_lam` to be
computed from the `NULL` pointer.
It is also possible that the first allocation to fail is for `state.ps`,
which will cause the failure to occur when in
`secp256k1_ecmult_strauss_wnaf()`.
The issue has been detected by UBSAN using Clang 10:
```
CC=clang \
CFLAGS="-fsanitize=undefined -fno-omit-frame-pointer" \
LDFLAGS="-fsanitize=undefined -fno-omit-frame-pointer" \
../configure
UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1 make check
```
As identified in #829 and #833. Fixes#829.
Since we touch this anyway, this commit additionally makes the
identifiers in the benchmark files a little bit more consistent.
c582abade1c50ef50dc7ee9f7b7af8e06e22065d Consistency improvements to the comments (Pieter Wuille)
63c6b71616816b19bec9cb3ab6b45ae5afd955f0 Reorder comments/function around scalar_split_lambda (Pieter Wuille)
2edc514c90293af8f602e4376e832773779c9426 WNAF of lambda_split output has max size 129 (Pieter Wuille)
4232e5b7da0a68adc14fa4b481f7e106403c200d Rip out non-endomorphism code (Pieter Wuille)
ebad8414b0e68041568d0b5ebe0bd395dbfbed9e Check correctness of lambda split without -DVERIFY (Gregory Maxwell)
fe7fc1fda8675aa9d79dae54a1b8b3cd06abcf81 Make lambda constant accessible (Pieter Wuille)
9d2f2b44d895509e8c4e7831fa917f13fa69f054 Add tests to exercise lambda split near bounds (Pieter Wuille)
9aca2f7f07b0563f8c65fcc22a0a91325cf6273b Add secp256k1_split_lambda_verify (Russell O'Connor)
acab934d24ff26289ab9930587c3fc51c30c6a2f Detailed comments for secp256k1_scalar_split_lambda (Russell O'Connor)
76ed922a5f09d63e0622825ca83d9301c1ef3efe Increase precision of g1 and g2 (Russell O'Connor)
6173839c90553385171d560be8a17cbe167e3bef Switch to our own memcmp function (Tim Ruffing)
Pull request description:
This is a rebased/combined version of the following pull requests/commits with minor changes:
* #825 Switch to our own memcmp function
* Modification: `secp256k1_memcmp_var` is marked static inline
* Modification: also replace `memcmp` with `secp256k1_memcmp_var` in exhaustive tests
* Modification: add reference to GCC bug 95189
* #822 Increase precision of g1 and g2
* Modification: use the new `secp256k1_memcmp_var` function instead of `memcmp` (see https://github.com/bitcoin-core/secp256k1/pull/822#issuecomment-706610361)
* Modification: drop the " Allow secp256k1_split_lambda_verify to pass even in the presence of GCC bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95189." commit, as it's dealt with using `secp256k1_memcmp_var`.
* Modification: rename secp256k1_gej_mul_lambda -> secp256k1_ge_mul_lambda
* A new commit that moves the `lambda` constant out of `secp256k1_scalar_split_lambda` and (`_verify`).
* The test commit suggested here: https://github.com/bitcoin-core/secp256k1/pull/822#issuecomment-706610276
* Modification: use the new accessible `secp256k1_const_lambda` instead of duplicating it.
* #826 Rip out non-endomorphism code
* A new commit that reduces the size of the WNAF output to 129, as we now have proof that the split output is always 128 bits or less.
* A new commit to more consistently use input:`k`, integer outputs:`k1`,`k2`, modulo n outputs:`r1`,`r2`
ACKs for top commit:
real-or-random:
ACK c582abade1c50ef50dc7ee9f7b7af8e06e22065d code inspection, some tests, verified the new g1/g2 constants
jonasnick:
ACK c582abade1c50ef50dc7ee9f7b7af8e06e22065d didn't verify the proof
Tree-SHA512: 323a3ee3884b7ac4fa85c8e7b785111b5c0638d718bc1c805a38963c87411e81a746c98e9a42a3e2197ab34a874544de5cc51326955d1c4d0ea45afd418e819f
The VERIFY macro turns on various paranoid consistency checks, but
the complete functionality should still be tested without it.
This also adds a couple of static test points for extremely small
split inputs/outputs. The existing bounds vectors already check
extremely large outputs.
This allows us to shift by 256+128 = 384 bits, which is a multiple of the limb size of
the scalar representation. This also happens to be the most precision possible for g2
that still fits into a 256-bit value.
a45c1fa63cb3020225d72049ef9c1cf300014795 Rename testrand functions to have test in name (Pieter Wuille)
Pull request description:
Suggested here: https://github.com/bitcoin-core/secp256k1/pull/808#discussion_r488871913
ACKs for top commit:
real-or-random:
ACK a45c1fa63cb3020225d72049ef9c1cf300014795 diff looks good
elichai:
utACK a45c1fa63cb3020225d72049ef9c1cf300014795
Tree-SHA512: a15c29b88877e0f1a099acab90cbfa1e70420527e07348a69c8a5b539319a3131b771b86852e772a669a1eb3475d508d0f7e10f37eec363dc6640d4eaf967536
4eecb4d6ef6d4f18be8870a5929feb1dae376d15 travis: VALGRIND->RUN_VALGRIND to avoid confusion with WITH_VALGRIND (Jonas Nick)
66a765c7752b76d99be02d0f84dc05105bf4e70d travis: Explicitly set --with-valgrind (Jonas Nick)
Pull request description:
Also remove CPPFLAGS=-DVALGRIND because that's redundant with when
configured with --enable-valgrind.
ACKs for top commit:
real-or-random:
ACK 4eecb4d6ef6d4f18be8870a5929feb1dae376d15 diff and travis output look good
sipa:
utACK 4eecb4d6ef6d4f18be8870a5929feb1dae376d15
elichai:
ACK 4eecb4d6ef6d4f18be8870a5929feb1dae376d15
Tree-SHA512: c22d79fccaa926a074272b63a61f052f4bec3b1e5a871e3f08a4f6c19046da575779126a7008eb8a7513e70997b32d1dc6565dfb7aa41c57c0b6ef15ebbc8303
c0041b5cfca5efb160aa9a5616350069c89a8c29 Add static assertion that uint32_t is unsigned int or wider (Tim Ruffing)
Pull request description:
Solves one item in #792 .
ACKs for top commit:
sipa:
utACK c0041b5cfca5efb160aa9a5616350069c89a8c29
elichai:
ACK c0041b5cfca5efb160aa9a5616350069c89a8c29
Tree-SHA512: 9f700e89be39e15983260da94642593d16b9c437171e10377837ac73731ca7ba5dd7e328b3d93d0a24d143fb9e73abd11c578f6b58e2f94c82b783e977173b0c
