Commit Graph

138 Commits

Author SHA1 Message Date
Cory Fields 6f6cab9989 abi: Don't export symbols in static Windows libraries
libtool takes care of building both object versions, we just need to pick the
right one to export symbols.
2022-05-04 20:12:21 +00:00
Tim Ruffing b8f8b99f0f docs: Fix return value for functions that don't have invalid inputs
_tagged_sha256 simply cannot have invalid inputs.

The other functions could in some sense have invalid inputs but only in
violation of the type system. For example, a pubkey could be invalid but
invalid objects of type secp256k1_pubkey either can't be obtained
via the API or will be caught by an ARG_CHECK when calling pubkey_load.

This is consistent with similar functions in the public API, e.g.,
_ec_pubkey_negate or _ec_pubkey_serialize.
2022-03-18 11:33:23 +01:00
Tim Ruffing 99e6568fc6 schnorrsig: Rename schnorrsig_sign to schnorsig_sign32 and deprecate 2022-03-17 22:41:36 +01:00
Tim Ruffing fc94a2da44 Use SECP256K1_DEPRECATED for existing deprecated API functions 2022-03-17 22:41:36 +01:00
Tim Ruffing 3db0560606 Add SECP256K1_DEPRECATED attribute for marking API parts as deprecated 2022-03-17 22:41:36 +01:00
fanquake 812ff5c747
doc: remove use of 0xa0 "no break space" 2021-11-24 08:11:49 +08:00
Pieter Wuille 5324f8942d Make aux_rnd32==NULL behave identical to 0x0000..00.
BIP340's default signing algorithm always requires an aux_rnd argument,
but permits using an all-zero one when no randomness is available.

Make secp256k1_schnorrsig_sign follow this even when aux_rnd32==NULL,
by treating the same as if an all-zero byte array was provided as
input.
2021-10-30 13:03:55 -04:00
Jonas Nick 297ce82091
Merge bitcoin-core/secp256k1#966: Make aux_rand32 arg to secp256k1_schnorrsig_sign const
db4667d5e0 Make aux_rand32 arg to secp256k1_schnorrsig_sign const (Pieter Wuille)

Pull request description:

ACKs for top commit:
  real-or-random:
    ACK db4667d5e0 diff looks good
  jonasnick:
    ACK db4667d5e0

Tree-SHA512: 6f003c856b0e11f3f41f6d8007470129f02f9075416c6a5d3904f8efb5fa461f38e600a6b31d326314b2961946c8c6b3bca1a8e9b333b52e099a6f023a04c698
2021-10-15 15:57:23 +00:00
Tim Ruffing aa5d34a8fe
Merge bitcoin-core/secp256k1#783: Make the public API docs more consistent and explicit
adec5a1638 Add missing null check for ctx and input keys in the public API (Elichai Turkel)
f4edfc7581 Improve consistency for NULL arguments in the public interface (Elichai Turkel)

Pull request description:

  I went over the public API and added missing explanations on when a pointer can be null and when it cannot,
  and added some missing checks for null ctx and null pubkey pointers.

  Open questions IMHO:
  1. Can `secp256k1_context_create` return NULL? right now it could return null if you replaced the callbacks at compile time to ones that do return(unlike the default ones which never return).
  2. Related to the first, should we document that the callbacks should never return? (in the tests we use returning callbacks but we can violate our own API) right now we say the following:

  > After this callback returns, anything may happen, including crashing.

  Is this enough to document answer `no` for the first question and just saying that if the callback returned then you violated the API so `secp256k1_context_create` can return NULL even though it is promised not to?
  Right now we AFAICT we never check if it returns null

  Another nit I'm not sure about is wording `(does nothing if NULL)`/`(ignored if NULL)`/`(can be NULL)`

  More missing docs:
  1. Documenting the `data` argument to the default nonce functions

ACKs for top commit:
  ariard:
    ACK adec5a16
  jonasnick:
    ACK adec5a1638

Tree-SHA512: 6fe785776b7e451e9e8cae944987f927b1eb2e2d404dfcb1b0ceb0a30bda4ce16469708920269417e5ada09739723a430e270dea1868fe7d12ccd5699dde5976
2021-09-15 16:36:11 +02:00
Pieter Wuille db4667d5e0 Make aux_rand32 arg to secp256k1_schnorrsig_sign const 2021-09-11 10:05:14 -04:00
Elichai Turkel adec5a1638 Add missing null check for ctx and input keys in the public API 2021-07-04 12:47:46 +03:00
Elichai Turkel f4edfc7581 Improve consistency for NULL arguments in the public interface 2021-07-04 12:47:45 +03:00
Tim Ruffing 769528f307 Don't use string literals for char arrays without NUL termination
unsigned char foo[4] = "abcd" is not valid C++ because the string
literal "abcd" does not fit into foo due to the terminating NUL
character. This is valid in C, it will just omit the NUL character.

Fixes #962.
2021-07-04 10:40:30 +02:00
Jonas Nick d8d806aaf3 schnorrsig: add extra parameter struct for sign_custom
This simplifies the interface of sign_custom and allows adding more parameters
later in a backward compatible way.
2021-06-27 20:26:15 +00:00
Jonas Nick a0c3fc177f schnorrsig: allow signing and verification of variable length msgs
Varlen message support for the default sign function comes from recommending
tagged_sha256. sign_custom on the other hand gets the ability to directly sign
message of any length. This also implies signing and verification support for
the empty message (NULL) with msglen 0.

Tests for variable lengths follow in a later commit.
2021-06-27 20:26:15 +00:00
Jonas Nick 5a8e4991ad Add secp256k1_tagged_sha256 as defined in BIP-340
Gives users the ability to hash messages to 32 byte before they are signed while
allowing efficient domain separation through the tag.
2021-06-27 20:26:15 +00:00
Jonas Nick b6c0b72fb0 schnorrsig: remove noncefp args from sign; add sign_custom function
This makes the default sign function easier to use while allowing more granular
control through sign_custom.

Tests for sign_custom follow in a later commit.
2021-06-27 20:26:15 +00:00
Jonas Nick 442cee5baf schnorrsig: add algolen argument to nonce_function_hardened
This avoids having to remove trailing NUL bytes in the nonce function
2021-05-28 11:40:52 +00:00
Jonas Nick df3bfa12c3 schnorrsig: clarify result of calling nonce_function_bip340 without data 2021-05-28 11:40:52 +00:00
Jonas Nick 202a030f7d
Merge #850: add `secp256k1_ec_pubkey_cmp` method
6eceec6d56 add `secp256k1_xonly_pubkey_cmp` method (Andrew Poelstra)
0d9561ae87 add `secp256k1_ec_pubkey_cmp` method (Andrew Poelstra)

Pull request description:

ACKs for top commit:
  elichai:
    Code review ACK 6eceec6d56
  jonasnick:
    ACK 6eceec6d56
  real-or-random:
    ACK 6eceec6d56

Tree-SHA512: f95cbf65f16c88a4adfa1ea7cc6ddabab14baa3b68fa069e78e6faad4852cdbfaea42ee72590d2e0b8f3159cf9b37969511550eb6b2d256b101e2147711cc817
2021-05-13 19:17:53 +00:00
Tim Ruffing 69394879b6
Merge #926: secp256k1.h: clarify that by default arguments must be != NULL
0881633dfd secp256k1.h: clarify that by default arguments must be != NULL (Jonas Nick)

Pull request description:

  The same file says that the illegal callback will only triger for violations
  explicitly mentioned, which is not true without this commit because we often
  don't mention that an argument is not allowed to be NULL.

  This line is extracted from #783 in the hope that it gets merged faster because other PRs depend on it.

ACKs for top commit:
  gmaxwell:
    ACK 0881633dfd
  real-or-random:
    ACK 0881633dfd

Tree-SHA512: ecdc6954a1c21c333da5b03db51f50a0e53984aaef69cc697adaddc96b276da23e342037f476d21742632f6ec02bfa0574f837a5b5791f5985f4c355037176fa
2021-05-07 23:21:19 +02:00
Andrew Poelstra 6eceec6d56 add `secp256k1_xonly_pubkey_cmp` method 2021-05-06 18:36:44 +00:00
Andrew Poelstra 0d9561ae87 add `secp256k1_ec_pubkey_cmp` method 2021-05-06 18:36:41 +00:00
Gregory Maxwell ae9e648526 Define SECP256K1_BUILD in secp256k1.c directly.
This avoids building without it and makes it safer to use a custom
 building environment.  Test harnesses need to #include secp256k1.c
 first now.
2021-05-01 19:27:27 +00:00
Jonas Nick 0881633dfd secp256k1.h: clarify that by default arguments must be != NULL
The same file says that the illegal callback will only triger for violations
explicitly mentioned, which is not true without this commit because we often
don't mention that an argument is not allowed to be NULL.
2021-04-29 10:21:26 +00:00
Tim Ruffing 328aaef22a
Merge #845: Extract the secret key from a keypair
33cb3c2b1f Add secret key extraction from keypair to constant time tests (Elichai Turkel)
36d9dc1e8e Add seckey extraction from keypair to the extrakeys tests (Elichai Turkel)
fc96aa73f5 Add a function to extract the secretkey from a keypair (Elichai Turkel)

Pull request description:

  With schnorrsig if you need to tweak the secret key (for BIP32) you must use the keypair API to get compatible secret/public keys which you do by calling `secp256k1_keypair_xonly_tweak_add()`, but after that there's no currently a way to extract the secret key back for storage.
  so I added a `secp256k1_keypair_seckey` function to extract the key

ACKs for top commit:
  jonasnick:
    ACK 33cb3c2b1f
  real-or-random:
    ACK 33cb3c2b1f code inspection, tests pass

Tree-SHA512: 11212db38c8b87a87e2dc35c4d6993716867b45215b94b20522b1b3164ca63d4c6bf5192a6bff0e9267b333779cc8164844c56669a94e9be72df9ef025ffcfd4
2021-01-12 10:56:14 +01:00
Ferdinando M. Ametrano b7bc3a4aaa
fixed typo 2020-12-22 22:31:29 +01:00
Elichai Turkel fc96aa73f5
Add a function to extract the secretkey from a keypair 2020-12-19 11:00:25 +02:00
Jonas Nick 6e85d675aa Rename tweak to tweak32 in public API 2020-12-04 14:16:43 +00:00
Jonas Nick f587f04e35 Rename msg32 to msghash32 in ecdsa_sign/verify and add explanation 2020-12-04 14:12:38 +00:00
Jonas Nick 4e43520026 schnorrsig: Add BIP-340 compatible signing and verification 2020-09-06 19:00:03 +00:00
Jonas Nick 7332d2db6b schnorrsig: Add BIP-340 nonce function 2020-09-06 19:00:03 +00:00
Jonas Nick 7a703fd97d schnorrsig: Init empty experimental module 2020-09-06 19:00:03 +00:00
Jonas Nick 6fcb5b845d extrakeys: Add keypair_xonly_tweak_add 2020-09-06 19:00:00 +00:00
Jonas Nick 58254463f9 extrakeys: Add keypair struct with create, pub and pub_xonly 2020-09-06 18:59:57 +00:00
Jonas Nick 910d9c284c extrakeys: Add xonly_pubkey_tweak_add & xonly_pubkey_tweak_add_test 2020-09-06 18:59:57 +00:00
Jonas Nick 4cd2ee474d extrakeys: Add xonly_pubkey with serialize, parse and from_pubkey 2020-09-06 18:59:50 +00:00
Jonas Nick 47e6618e11 extrakeys: Init empty experimental module
This is to prepare for xonly_pubkeys and keypairs.
2020-08-26 19:52:55 +00:00
Gregory Maxwell 1309c03c45 Fix some compile problems on weird/old compilers.
The visibility attribute is a GCC 4+ feature.
GCC 2.95 also warns about the unsigned/signed comparision.
2020-07-26 05:26:56 +00:00
Jonas Nick 7e3952ae82 Clarify documentation of tweak functions.
In particular, mention that the functions return 0 if seckey or tweak are
invalid (as opposed to saying "should" or "must" be valid).
2020-03-30 20:51:47 +00:00
Jonas Nick 89853a0f2e Make tweak function documentation more consistent.
Do this by adding a newline after the first sentence and aligning the rest.
2020-03-30 20:51:47 +00:00
Jonas Nick 41fc785602 Make ec_privkey functions aliases for ec_seckey_negate, ec_seckey_tweak_add and ec_seckey_mul 2020-03-30 20:51:47 +00:00
Jonas Nick 22911ee6da Rename private key to secret key in public API (with the exception of function names) 2020-03-30 20:51:47 +00:00
Jonas Nick 5a73f14d6c Mention that value is unspecified for In/Out parameters if the function returns 0 2020-03-30 20:51:47 +00:00
Jonas Nick f03df0e6d7 Define valid ECDSA keys in the documentation of seckey_verify 2020-03-30 20:51:47 +00:00
Jonas Nick 5894e1f1df Return 0 if the given seckey is invalid in privkey_negate, privkey_tweak_add and privkey_tweak_mul 2020-03-30 20:51:47 +00:00
Tim Ruffing 96d8ccbd16
Merge #710: Eliminate harmless non-constant time operations on secret data.
7b50483ad7 Adds a declassify operation to aid constant-time analysis. (Gregory Maxwell)
34a67c773b Eliminate harmless non-constant time operations on secret data. (Gregory Maxwell)

Pull request description:

  There were several places where the code was non-constant time
   for invalid secret inputs.  These are harmless under sane use
   but get in the way of automatic const-time validation.

  (Nonce overflow in signing is not addressed, nor is s==0 in signing)

ACKs for top commit:
  sipa:
    utACK 7b50483ad7
  real-or-random:
    ACK 7b50483ad7 I read the code carefully and tested it
  jonasnick:
    reACK 7b50483ad7

Tree-SHA512: 0776c3a86e723d2f97b9b9cb31d0d0e59dfcf308093b3f46fbc859f73f9957f3fa977d03b57727232040368d058701ef107838f9b1ec98f925ec78ddad495c4e
2020-02-24 14:04:36 +01:00
Gregory Maxwell 7b50483ad7 Adds a declassify operation to aid constant-time analysis.
ECDSA signing has a retry loop for the exceptionally unlikely case
 that S==0.  S is not a secret at this point and this case is so
 rare that it will never be observed but branching on it will trip
 up tools analysing if the code is constant time with respect to
 secrets.

Derandomized ECDSA can also loop on k being zero or overflowing,
 and while k is a secret these cases are too rare (1:2^255) to
 ever observe and are also of no concern.

This adds a function for marking memory as no-longer-secret and
 sets it up for use with the valgrind memcheck constant-time
 test.
2020-02-20 17:27:26 +00:00
Tim Ruffing eb45ef3384 Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
and improve style of the ECDH docs.
2020-02-14 16:18:00 +01:00
Rusty Russell 4b48a43106 doc: document the length requirements of output parameter.
It's subtle, since it is actually only touched by hashfp (though
we assert it's non-NULL), but give explicit advice in the default
case.

Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2020-02-10 11:11:11 +10:30