150 Commits

Author SHA1 Message Date
Gregory Maxwell
1309c03c45 Fix some compile problems on weird/old compilers.
The visibility attribute is a GCC 4+ feature.
GCC 2.95 also warns about the unsigned/signed comparision.
2020-07-26 05:26:56 +00:00
Jonas Nick
7e3952ae82 Clarify documentation of tweak functions.
In particular, mention that the functions return 0 if seckey or tweak are
invalid (as opposed to saying "should" or "must" be valid).
2020-03-30 20:51:47 +00:00
Jonas Nick
89853a0f2e Make tweak function documentation more consistent.
Do this by adding a newline after the first sentence and aligning the rest.
2020-03-30 20:51:47 +00:00
Jonas Nick
41fc785602 Make ec_privkey functions aliases for ec_seckey_negate, ec_seckey_tweak_add and ec_seckey_mul 2020-03-30 20:51:47 +00:00
Jonas Nick
22911ee6da Rename private key to secret key in public API (with the exception of function names) 2020-03-30 20:51:47 +00:00
Jonas Nick
5a73f14d6c Mention that value is unspecified for In/Out parameters if the function returns 0 2020-03-30 20:51:47 +00:00
Jonas Nick
f03df0e6d7 Define valid ECDSA keys in the documentation of seckey_verify 2020-03-30 20:51:47 +00:00
Jonas Nick
5894e1f1df Return 0 if the given seckey is invalid in privkey_negate, privkey_tweak_add and privkey_tweak_mul 2020-03-30 20:51:47 +00:00
Tim Ruffing
96d8ccbd16
Merge #710: Eliminate harmless non-constant time operations on secret data.
7b50483ad789081ba158799e5b94330f62932607 Adds a declassify operation to aid constant-time analysis. (Gregory Maxwell)
34a67c773b0871e5797c7ab506d004e80911f120 Eliminate harmless non-constant time operations on secret data. (Gregory Maxwell)

Pull request description:

  There were several places where the code was non-constant time
   for invalid secret inputs.  These are harmless under sane use
   but get in the way of automatic const-time validation.

  (Nonce overflow in signing is not addressed, nor is s==0 in signing)

ACKs for top commit:
  sipa:
    utACK 7b50483ad789081ba158799e5b94330f62932607
  real-or-random:
    ACK 7b50483ad789081ba158799e5b94330f62932607 I read the code carefully and tested it
  jonasnick:
    reACK 7b50483ad789081ba158799e5b94330f62932607

Tree-SHA512: 0776c3a86e723d2f97b9b9cb31d0d0e59dfcf308093b3f46fbc859f73f9957f3fa977d03b57727232040368d058701ef107838f9b1ec98f925ec78ddad495c4e
2020-02-24 14:04:36 +01:00
Gregory Maxwell
7b50483ad7 Adds a declassify operation to aid constant-time analysis.
ECDSA signing has a retry loop for the exceptionally unlikely case
 that S==0.  S is not a secret at this point and this case is so
 rare that it will never be observed but branching on it will trip
 up tools analysing if the code is constant time with respect to
 secrets.

Derandomized ECDSA can also loop on k being zero or overflowing,
 and while k is a secret these cases are too rare (1:2^255) to
 ever observe and are also of no concern.

This adds a function for marking memory as no-longer-secret and
 sets it up for use with the valgrind memcheck constant-time
 test.
2020-02-20 17:27:26 +00:00
Tim Ruffing
eb45ef3384 Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
and improve style of the ECDH docs.
2020-02-14 16:18:00 +01:00
Rusty Russell
4b48a43106 doc: document the length requirements of output parameter.
It's subtle, since it is actually only touched by hashfp (though
we assert it's non-NULL), but give explicit advice in the default
case.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2020-02-10 11:11:11 +10:30
Jonas Nick
59782c68b4 Remove mention of ec_privkey_export because it doesn't exist 2019-09-15 11:27:17 +00:00
Tim Ruffing
556caad2ca
Fix typo in docs for _context_set_illegal_callback 2019-08-09 11:25:09 +02:00
Jan Xie
b1e68cb8e6
Fix typo in secp256k1_preallocated.h 2019-07-18 08:35:42 +08:00
philsmd
6914c25276
typo in comment for secp256k1_ec_pubkey_tweak_mul ()
Fixes a typo in secp256k1.h documentation
2019-06-01 12:21:20 +02:00
Tim Ruffing
5db782e655 Allow usage of external default callbacks 2019-05-26 22:32:36 +02:00
Andrew Poelstra
a7a164f2c6 scratch: rename max_size to size, document that extra will actually be allocated 2019-05-25 23:01:07 +00:00
Andrew Poelstra
c2b028a281 scratch space: thread error_callback into all scratch space functions
Use it when checking magic bytes
2019-05-25 22:59:50 +00:00
Tim Ruffing
0522caac8f Explain caller's obligations for preallocated memory 2019-05-25 14:01:09 +02:00
Tim Ruffing
238305fdbb Move _preallocated functions to separate header 2019-05-25 14:01:09 +02:00
Tim Ruffing
695feb6fbd Export _preallocated functions 2019-05-25 14:01:09 +02:00
Tim Ruffing
c4fd5dab45 Switch to a single malloc call 2019-05-25 14:01:09 +02:00
Tim Ruffing
6198375218 Make randomization of a non-signing context a noop
Before this commit secp256k1_context_randomize called illegal_callback
when called on a context not initialized for signing. This is not
documented. Moreover, it is not desirable because non-signing contexts
may use randomization in the future.

This commit makes secp256k1_context_randomize a noop in this case. This
is safe because the context cannot be used for signing anyway.

This fixes #573 and it fixes rust-bitcoin/rust-secp256k1#82.
2019-01-27 13:33:52 +01:00
Pieter Wuille
314a61d724
Merge #553: add static context object which has no capabilities
40fde61 prevent attempts to modify `secp256k1_context_no_precomp` (Andrew Poelstra)
ed7c084 add static context object which has no capabilities (Andrew Poelstra)

Pull request description:

Tree-SHA512: a843ed7ba00a00a46eec3146ce428d4b49eb440af766f44d731b1f51553d08de8cc9a0af5ed114d0dfdca6f4bf4a2ede4dbd6a37d6bd818b81630089424a0ba5
2018-11-05 18:25:56 -08:00
Andrew Poelstra
ed7c08417a add static context object which has no capabilities 2018-10-04 15:16:34 +00:00
Kirill Fomichev
c8fbc3c397 [ECDH API change] Allow pass arbitrary data to hash function 2018-05-17 00:38:58 +03:00
Kirill Fomichev
b00be65056 [ECDH API change] Support custom hash function 2018-05-17 00:05:09 +03:00
Andrew Poelstra
6fe50439ae scratch: add stack frame support 2018-04-05 22:49:29 +00:00
Thomas Kerin
1646ace4d5
secp256k1_ec_privkey_negate - fix documentation 2018-02-28 14:10:07 +01:00
Andrew Poelstra
548de42ecf add resizeable scratch space API
Alignment support by Pieter Wuille.
2017-12-07 20:13:04 +00:00
Dan Raviv
abe2d3e84b Fix header guards using reserved identifiers
Identifiers starting with an underscore and followed immediately by a capital letter are reserved by the C++ standard.

The only header guards not fixed are those in the headers auto-generated from java.
2017-08-26 18:44:21 +03:00
Pieter Wuille
f532bdc9f7
Merge #459: Add pubkey prefix constants to include/secp256k1.h
bc61b91 add pubkey prefix constants to include/secp256k1.h (Andrew Poelstra)

Pull request description:

  In future multisig implementations we will need to pass nonces around, which are algebraically pubkeys but should not be decodable as pubkeys. The way to do this is to change the prefix byte from the ordinary 0x02/0x03 to something else. However, some forks (notably `secp256k1-zkp`) have started using some bytes for their own encodings, and if we continue to use hardcoded constants the risk of conflict is increased.

  This commit puts the prefixes used by the main library into the `include/secp256k1.h` so that the constants we're using will at least be in a standard easy-to-reference place.

Tree-SHA512: 37fa25be5074b7c519a9c69421320a62f32a3818f144254eb57f96c6657b993fc01962a5c670574275d1c59b095a6c89e60736123f032d6736907284eac526d7
2017-08-10 16:42:01 -07:00
Andrew Poelstra
bc61b91aca
add pubkey prefix constants to include/secp256k1.h 2017-06-27 14:05:26 +00:00
Tim Ruffing
b0452e664b Fix typo in API documentation 2017-06-05 19:17:53 +02:00
Pieter Wuille
119949232a
Merge #408: Add secp256k1_ec_pubkey_negate and secp256k1_ec_privkey_negate
8e48aa6 Add `secp256k1_ec_pubkey_negate` and `secp256k1_ec_privkey_negate` (Andrew Poelstra)

Tree-SHA512: 28eeca0b04001958ad86b3c802e33a13273514e9e9802d5b358fd577dc95421a2cffb5591716bea10300717f742f0941c465b9df71dbb4c66d174c643887e06f
2017-03-21 17:54:06 -07:00
Rusty Russell
72d952c9c4 FIXUP: Missing "is"
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2017-02-21 14:43:09 +10:30
Rusty Russell
70ff29b6a7 secp256k1_context_randomize: document.
I think I summarized it correctly after IRC discussion with gmaxwell
and andytoshi; I didn't know it existed :(

It's regrettable to expose this level of detail, but users need to know
this to make a decision about how to use it.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2017-02-14 15:29:33 +10:30
Andrew Poelstra
8e48aa60dc Add secp256k1_ec_pubkey_negate and secp256k1_ec_privkey_negate 2016-12-20 00:37:37 +00:00
Pieter Wuille
e06e878fd7 Remove Schnorr experiment 2016-11-17 18:55:06 -08:00
Andrew Poelstra
91219a1cc0 Remove guarantees about memcmp-ability 2016-08-26 18:03:48 +00:00
Pieter Wuille
06aeea555e Turn secp256k1_ec_pubkey_serialize outlen to in/out 2015-11-05 06:01:56 +01:00
Gregory Maxwell
8e48787d97 Change secp256k1_ec_pubkey_combine's count argument to size_t. 2015-10-31 19:04:34 +00:00
Gregory Maxwell
c69dea025a Clear output in more cases for pubkey_combine, adds tests.
Also corrects an outdated comment and adds an additional
 secp256k1_ecdsa_signature_parse_compact test.
2015-10-31 09:52:30 +00:00
Gregory Maxwell
269d422703 Comment copyediting. 2015-10-31 08:31:15 +00:00
Pieter Wuille
9234391ed4 Overhaul flags handling 2015-10-24 19:47:13 +02:00
Rusty Russell
1a368980c8 Make flags more explicit, add runtime checks.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2015-10-24 19:39:44 +02:00
Gregory Maxwell
4a243da47c Move secp256k1_ec_privkey_import/export to contrib.
These functions are intended for compatibility with legacy software,
 and are not normally needed in new secp256k1 applications.

They also do not obeying any particular standard (and likely cannot
 without without undermining their compatibility), and so are a
 better fit for contrib.
2015-10-22 22:57:33 +00:00
Pieter Wuille
0c6ab2ff18 Introduce explicit lower-S normalization
ECDSA signature verification now requires normalized signatures (with S in the
lower half of the range). In case the input cannot be guaranteed to provide this,
a new function secp256k1_ecdsa_signature_normalize is provided to preprocess it.
2015-10-21 16:14:42 +02:00
Pieter Wuille
3bb9c44719 Rewrite ECDSA signature parsing code
There are now 2 encoding formats supported: 64-byte "compact" and DER.
The latter is strict: the data has to be exact DER, though the values
inside don't need to be valid.
2015-10-21 16:13:37 +02:00