Commit Graph

1136 Commits

Author SHA1 Message Date
Jonas Nick 7332d2db6b schnorrsig: Add BIP-340 nonce function 2020-09-06 19:00:03 +00:00
Jonas Nick 7a703fd97d schnorrsig: Init empty experimental module 2020-09-06 19:00:03 +00:00
Jonas Nick eabd9bc46a Allow initializing tagged sha256
This will be used by the schnorrsig module
2020-09-06 19:00:03 +00:00
Jonas Nick 6fcb5b845d extrakeys: Add keypair_xonly_tweak_add 2020-09-06 19:00:00 +00:00
Jonas Nick 58254463f9 extrakeys: Add keypair struct with create, pub and pub_xonly 2020-09-06 18:59:57 +00:00
Jonas Nick f0010349b8 Separate helper functions for pubkey_create and seckey_tweak_add
This is in preparation for allowing code reuse by keypair functions
2020-09-06 18:59:57 +00:00
Jonas Nick 910d9c284c extrakeys: Add xonly_pubkey_tweak_add & xonly_pubkey_tweak_add_test 2020-09-06 18:59:57 +00:00
Jonas Nick 176bfb1110 Separate helper function for ec_pubkey_tweak_add
This is in preparation for allowing code reuse by xonly tweak add functions
2020-09-06 18:59:57 +00:00
Jonas Nick 4cd2ee474d extrakeys: Add xonly_pubkey with serialize, parse and from_pubkey 2020-09-06 18:59:50 +00:00
Jonas Nick 47e6618e11 extrakeys: Init empty experimental module
This is to prepare for xonly_pubkeys and keypairs.
2020-08-26 19:52:55 +00:00
Jonas Nick 3e08b02e2a Make the secp256k1_declassify argument constant
This is required to declassify pointers to constant memory. Declassify should
never modify its argument.
2020-08-26 19:52:03 +00:00
Tim Ruffing 670cdd3f8b
Merge #798: Check assumptions on integer implementation at compile time
7c068998ba Compile-time check assumptions on integer types (Pieter Wuille)
02b6c87b52 Add support for (signed) __int128 (Pieter Wuille)

Pull request description:

  A compile-time check is implemented in a new `src/assumptions.h` which verifies several aspects that are implementation-defined in C:
  * size of bytes
  * conversion between unsigned and (negative) signed types
  * right-shifts of negative signed types.

ACKs for top commit:
  gmaxwell:
    ACK 7c068998ba
  real-or-random:
    ACK 7c068998ba code review and tested

Tree-SHA512: 3903251973681c88d64d4af0f6cb40fde11eb436804c5b6202c3715b78b1a48bcb287f601b394fd0b503437e3832ba011885e992fe65098b33edc430d9b1f67d
2020-08-16 12:02:43 +02:00
Pieter Wuille 7c068998ba Compile-time check assumptions on integer types 2020-08-14 16:12:49 -07:00
Pieter Wuille 02b6c87b52 Add support for (signed) __int128 2020-08-13 11:46:34 -07:00
Tim Ruffing 979961c506
Merge #787: Use preprocessor macros instead of autoconf to detect endianness
0dccf98a21 Use preprocessor macros instead of autoconf to detect endianness (Tim Ruffing)

Pull request description:

  This does not fix any particular issue but it's preferable to not
  rely on autoconf. This avoids endianness mess for users on BE hosts
  if they use their build without autoconf.

  The macros are carefully written to err on the side of the caution,
  e.g., we #error if the user manually configures a different endianness
  than what we detect.

  Supersedes #770 .

ACKs for top commit:
  sipa:
    ACK 0dccf98a21
  gmaxwell:
    ACK 0dccf98a21

Tree-SHA512: 6779458de5cb6eaef2ac37f9d4b8fa6c9b299f58f6e5b72f2b0d7e36c12ea06074e483acfb85085a147e0f4b51cd67d897f61a67250ec1cea284a0f7680eb2e8
2020-08-13 12:36:53 +02:00
Tim Ruffing 887bd1f8b6
Merge #793: Make scalar/field choice depend on C-detected __int128 availability
79f1f7a4f1 Autodetect __int128 availability on the C side (Pieter Wuille)
0d7727f95e Add SECP256K1_FE_STORAGE_CONST_GET to 5x52 field (Pieter Wuille)

Pull request description:

  This PR does two things:
  * It removes the ability to select the 5x52 field with a 8x32 scalar, or the 10x26 field with a 4x64 scalar. It's both 128-bit wide versions, or neither.
  * The choice is made automatically by the C code, unless overridden by a USE_FORCE_WIDEMUL_INT{64,128} define (which is available through `configure` with a hidden option --with-test-override-wide-multiplication={auto,int64,int128}).

  This reduces the reliance on autoconf for this performance-critical configuration option, and also reduces the number of different combinations to test.

  This removes one theoretically useful combination: if you had x86_64 asm but no __int128 support in your compiler, it was possible to use the 64-bit field before but the 32-bit scalar. I think this doesn't matter as all compilers/systems that support (our)  x86_64 asm also support __int128. Furthermore, #767 will break this.

  As an unexpected side effect, this also means the `gen_context` static precomputation tool will now use __int128 based implementations when available (which required an addition to the 5x52 field; see first commit).

ACKs for top commit:
  real-or-random:
    ACK 79f1f7a4f1 diff looks good and tests pass
  elichai:
    tACK  79f1f7a4f1

Tree-SHA512: 4171732668e5c9cae5230e3a43dd6df195567e1232b89c12c5db429986b6519bb4d77334cb0bac8ce13a00a24dfffdff69b46c89b4d59bc6d297a996ea4efd3d
2020-08-12 15:27:32 +02:00
Tim Ruffing 0dccf98a21 Use preprocessor macros instead of autoconf to detect endianness
This does not fix any particular issue but it's preferable to not
rely on autoconf. This avoids endianness mess for users on BE hosts
if they use their build without autoconf.

The macros are carefully written to err on the side of the caution,
e.g., we #error if the user manually configures a different endianness
than what we detect.
2020-08-11 11:25:39 +02:00
Tim Ruffing b2c8c42cf1
Merge #795: Avoid linking libcrypto in the valgrind ct test.
57d3a3c64c Avoid linking libcrypto in the valgrind ct test. (Gregory Maxwell)

Pull request description:

  Libcrypto isn't useful here and on some systems UB in OpenSSL's
   init causes failures.

  Fixes #775.

ACKs for top commit:
  real-or-random:
    ACK 57d3a3c64c
  elichai:
    tACK 57d3a3c64c

Tree-SHA512: 0b10b3e9cc0871a9a93271c72be9d1663ea163745071cb4951a99664c048ab5b6f46bb7cff36e7000e8fb26df7ee164f536f61210bece376478f9f774f34e83d
2020-08-11 11:22:58 +02:00
Gregory Maxwell 57d3a3c64c Avoid linking libcrypto in the valgrind ct test.
Libcrypto isn't useful here and on some systems UB in OpenSSL's
 init causes failures.

Fixes #775.
2020-08-10 22:13:43 +00:00
Pieter Wuille 79f1f7a4f1 Autodetect __int128 availability on the C side
Instead of supporting configuration of the field and scalar size independently,
both are now controlled by the availability of a 64x64->128 bit multiplication
(currently only through __int128). This is autodetected from the C code through
__SIZEOF_INT128__, but can be overridden using configure's
--with-test-override-wide-multiply, or by defining
USE_FORCE_WIDEMUL_{INT64,INT128} manually.
2020-08-10 14:56:39 -07:00
Pieter Wuille 0d7727f95e Add SECP256K1_FE_STORAGE_CONST_GET to 5x52 field
So far this has not been needed, as it's only used by the static precomputation
which always builds with 32-bit fields.

This prepares for the ability to have __int128 detected on the C side, breaking
that restriction.
2020-08-10 14:34:01 -07:00
Tim Ruffing 805082de11
Merge #696: Run a Travis test on s390x (big endian)
39295362cf Test travis s390x (big endian) (Pieter Wuille)

Pull request description:

ACKs for top commit:
  real-or-random:
    ACK 39295362cf Travis works and says it's big endian

Tree-SHA512: 939b98fe369e575e8bf56899a28cb5aafdb9ccfaaee3cb611027e053edc8220d2787c34359cd01508899b8b7e105c89853a4ab44c382252538c797d00c09345b
2020-08-07 12:51:59 +02:00
Pieter Wuille 39295362cf Test travis s390x (big endian) 2020-08-07 12:46:22 +02:00
Tim Ruffing 6034a04fb1
Merge #778: secp256k1_gej_double_nonzero supports infinity
18d36327fd secp256k1_gej_double_nonzero supports infinity (Pieter Wuille)

Pull request description:

  Our existing function `secp256k1_gej_double_nonzero` actually supports infinity if only it wouldn't check that the input isn't infinity.

  Drop the check, rename it to `secp256k1_gej_double`, and adapt the tests.

ACKs for top commit:
  real-or-random:
    ACK 18d36327fd I looked at the diff and ran tests locally
  gmaxwell:
    ACK 18d36327fd

Tree-SHA512: 79dc42099c318f0bdfe7961495ab3fbbe87551c3cc373557a371914bb65638b129ddfd360e694959349f184e2d71a540abdbef04211e7eb70ee17b691632b915
2020-07-29 15:20:29 +02:00
Jonas Nick f60915906d
Merge #779: travis: Fix argument quoting for ./configure
9e49a9b255 travis: Fix argument quoting for ./configure (Tim Ruffing)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 9e49a9b255

Tree-SHA512: 53efa7134de978912d604bc9685bc779f98e2d72e5f77636595676aa420c04fc934a6bb9d560d74b58197943ab86708d3b913e79bc3dfb856681b26dda8724b3
2020-07-29 13:06:25 +00:00
Tim Ruffing 9e49a9b255 travis: Fix argument quoting for ./configure
When $USE_HOST or $EXTRAFLAGS are empty, we pass (due to quoting) an
empty string as a parameter to ./configure, which then believes we want
to use a deprecated syntax for specifing a host or a target and yells at us:
> configure: WARNING: you should use --build, --host, --target

The fixes are:
 - $EXTRAFLAGS could contain multiple flags and should not be quoted at all.
 - We can get rid of $USE_HOST by specifying --host="$HOST" directly.
2020-07-29 08:50:42 +02:00
Pieter Wuille 18d36327fd secp256k1_gej_double_nonzero supports infinity 2020-07-28 18:12:30 -07:00
Tim Ruffing 214cb3c321
Merge #772: Improve constant-timeness on PowerPC
67a429f31f Suppress a harmless variable-time optimization by clang in _int_cmov (Tim Ruffing)
5b196338f0 Remove redundant "? 1 : 0" after comparisons in scalar code (Tim Ruffing)

Pull request description:

  Attempt at resolving #771 .

  This surprisingly seems to improve the situation at least for the compilers available on godbolt.

ACKs for top commit:
  gmaxwell:
    ACK 67a429f31f
  elichai:
    tACK 67a429f31f

Tree-SHA512: ee8b0c86831ec8c3d5a9abcad773ed8a0f267e5c47012e4e1423b10a64c26b4cf6e3c466c3df765ba7e636787a3fe134d633926d67b599287f12c51be924f478
2020-07-28 16:12:24 +02:00
Tim Ruffing 40412b1930
Merge #774: tests: Abort if malloc() fails during context cloning tests
2e1b9e0458 tests: Abort if malloc() fails during context cloning tests (Tim Ruffing)

Pull request description:

  Found by the clang static analyzer.

  This is the worst true positive that it found. I feel somewhat proud.

ACKs for top commit:
  elichai:
    tACK 2e1b9e0458

Tree-SHA512: bf9a3b6c2b8beaafd230ece00a9a69dd884a35b6d2243502ebfded3f77a454e80ef922791bd48c17aa4814a275550957071c045912080a616dd5ed704a70aab7
2020-07-28 12:35:54 +02:00
Tim Ruffing 2e1b9e0458 tests: Abort if malloc() fails during context cloning tests
Found by the clang static analyzer.

This is the worst true positive that it found. I feel somewhat proud.
2020-07-28 10:24:44 +02:00
Tim Ruffing 67a429f31f Suppress a harmless variable-time optimization by clang in _int_cmov
Follow up on 52a03512c1
2020-07-27 14:35:05 +02:00
Tim Ruffing 5b196338f0 Remove redundant "? 1 : 0" after comparisons in scalar code
This prevents GCC from generating branches on PowerPC in certain
cases.

Fixes #771.
2020-07-26 14:59:56 +02:00
Tim Ruffing 3e5cfc5c73
Merge #741: Remove unnecessary sign variable from wnaf_const
37dba329c6 Remove unnecessary sign variable from wnaf_const (Jonas Nick)
6bb0b77e15 Fix test_constant_wnaf for -1 and add a test for it. (Jonas Nick)

Pull request description:

  There currently is a single branch in the `ecmul_const` function that is not being exercised by the tests. This branch is unreachable and therefore I'm suggesting to remove it.

  For your convenience the paper the wnaf algorithm can be found [here (The Width-w NAF Method Provides Small Memory and Fast Elliptic Scalar Multiplications Secure against Side Channel Attacks)](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.563.1267&rep=rep1&type=pdf). Similarly, unless I'm missing something important, I don't see how their algorithm needs to consider `sign(u[i-1])` unless `d` can be negative - which doesn't make much sense to me either.

ACKs for top commit:
  real-or-random:
    ACK 37dba329c6 I verified the correctness of the change and claimed invariant by manual inspection. I tested the code, both with 32bit and 64bit scalars.

Tree-SHA512: 9db45f76bd881d00a81923b6d2ae1c3e0f49a82a5d55347f01e1ce4e924d9a3bf55483a0697f25039c327e33edca6796ba3205c068d9f2f99aa5d655e46b15be
2020-07-26 12:21:14 +02:00
Tim Ruffing 66bb9320c0
Merge #773: Fix some compile problems on weird/old compilers.
1309c03c45 Fix some compile problems on weird/old compilers. (Gregory Maxwell)

Pull request description:

  The visibility attribute is a GCC 4+ feature.
  GCC 2.95 also warns about the unsigned/signed comparision.

ACKs for top commit:
  real-or-random:
    ACK 1309c03c45 I inspected the diff

Tree-SHA512: b5a5175416b67b2619f68ad82a208052ad678955e59c2f3457799abd1dd6fd817c40f6bc2941b2bda207c6f58ad0fbe46221a2f92b726e824702c4c0b177377c
2020-07-26 11:06:33 +02:00
Gregory Maxwell 1309c03c45 Fix some compile problems on weird/old compilers.
The visibility attribute is a GCC 4+ feature.
GCC 2.95 also warns about the unsigned/signed comparision.
2020-07-26 05:26:56 +00:00
Jonas Nick 2309c7dd4a
Merge #769: Undef HAVE___INT128 in basic-config.h to fix gen_context compilation
22e578bb11 Undef HAVE___INT128 in basic-config.h to fix gen_context compilation (Tim Ruffing)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 22e578bb11

Tree-SHA512: 91e11c3feade13923a01c30025b7f01d0cb6d7d88cd7a19d490373d2fb4552f2ca1ab0d9138096268999bcbfd51ef3c9af64ec8ab0dc8ee2fa60be16d2b5af64
2020-07-21 19:12:49 +00:00
Tim Ruffing 22e578bb11 Undef HAVE___INT128 in basic-config.h to fix gen_context compilation
Fixes #768.
2020-07-21 11:09:23 +02:00
Jonas Nick 3f4a5a10e4
Merge #765: remove dead store in ecdsa_signature_parse_der_lax
f00d6575ca remove dead store in ecdsa_signature_parse_der_lax (fanquake)

Pull request description:

ACKs for top commit:
  elichai:
    utACK f00d6575ca, it does look like we don't use that assignment
  jonasnick:
    ACK f00d6575ca

Tree-SHA512: 9aa54c901f299341c309411b0247720f5152a131dd346c19be7ee21865e3a822e8cf91b869e28ef6288adaf31660bc2e18874e304052468a9be6b7027674af30
2020-06-29 08:38:35 +00:00
fanquake f00d6575ca
remove dead store in ecdsa_signature_parse_der_lax
This change was made in bitcoin/bitcoin without upstreaming. So this is
a followup to the comment here:
https://github.com/bitcoin/bitcoin/pull/19228#issuecomment-641795558.

See also: https://github.com/bitcoin/bitcoin/pull/11073.
2020-06-29 13:23:26 +08:00
Tim Ruffing dbd41db16a
Merge #759: Fix uninitialized variables in ecmult_multi test
2e7fc5b537 Fix uninitialized variables in ecmult_multi test (Jonas Nick)

Pull request description:

  Fixes #756

ACKs for top commit:
  real-or-random:
    ACK 2e7fc5b537 I inspected the diff. I did not test it and I did not check whether if makes the warning go away
  elichai:
    tACK 2e7fc5b537

Tree-SHA512: 674400134f5487236f5b6e8b3020b346d43662511628cdf6dd1bd7ba1de985bf93f5be11f5650f250ff37b5f87eb4b01d90ed53d41193c05a420d3f5a2d63470
2020-06-15 16:07:12 +02:00
Jonas Nick 2e7fc5b537 Fix uninitialized variables in ecmult_multi test 2020-06-15 09:02:54 +00:00
Tim Ruffing 2ed54da18a
Merge #755: Recovery signing: add to constant time test, and eliminate non ct operators
28609507e7 Add tests for the cmov implementations (Elichai Turkel)
73596a85a2 Add ecdsa_sign_recoverable to the ctime tests (Elichai Turkel)
2876af4f8d Split ecdsa_sign logic into a new function and use it from ecdsa_sign and recovery (Elichai Turkel)

Pull request description:

  Hi,
  The recovery module was overlooked in #708 and #710, so this adds it to the `valgrind_ctime_test` and replaces the secret dependent branching with the cmovs,
  I created a new function `secp256k1_ecdsa_sign_inner` (feel free to bikeshed) which does the logic both for ecdsa_sign and for ecdsa_sign_recoverable, such that next time when things get changed/improved in ecdsa it will affect the recoverable signing too.

ACKs for top commit:
  jonasnick:
    ACK 28609507e7
  real-or-random:
    ACK 28609507e7 read the diff, tested with valgrind including ctime tests

Tree-SHA512: 4730301dcb62241d79f18eb8fed7e9ab0e20d1663a788832cb6cf4126baa7075807dc31896764b6f82d52742fdb636abc6b75e4344c6f117305904c628a5ad59
2020-06-08 15:45:58 +02:00
Elichai Turkel 28609507e7
Add tests for the cmov implementations 2020-06-03 13:19:12 +03:00
Elichai Turkel 73596a85a2
Add ecdsa_sign_recoverable to the ctime tests 2020-06-03 13:19:11 +03:00
Elichai Turkel 2876af4f8d
Split ecdsa_sign logic into a new function and use it from ecdsa_sign and recovery 2020-06-03 13:19:09 +03:00
Tim Ruffing 5e1c885efb
Merge #754: Fix uninit values passed into cmov
f79a7adcf5 Add valgrind uninit check to cmovs output (Elichai Turkel)
a39c2b09de Fixed UB(arithmetics on uninit values) in cmovs (Elichai Turkel)

Pull request description:

  This should fix #753.
  Used @peterdettman's solution here for the `ECMULT_CONST_TABLE_GET_GE` https://github.com/bitcoin-core/secp256k1/issues/753#issuecomment-631316091
  and in ecdsa_sign I initialize `s` and `r` to a zero scalar.

  The second commit adds a valgrind check to the cmovs that could've caught this (in ecdsa_sign, not in ecmult_const because there's a scalar clear there under `VERIFY_SETUP`)

ACKs for top commit:
  sipa:
    utACK f79a7adcf5
  jonasnick:
    ACK f79a7adcf5
  real-or-random:
    ACK f79a7adcf5

Tree-SHA512: 6fd7b7c84f392bda733a973f4dcfc12bf1478aac2591e2c87b69e637847d3b063c4243cc8feccaffc3a5824c18183a5e66bd4251c2322abaf63bb6439b38defe
2020-06-02 18:06:44 +02:00
Elichai Turkel f79a7adcf5
Add valgrind uninit check to cmovs output 2020-05-26 23:30:56 +03:00
Tim Ruffing 05d315affe
Merge #752: autoconf: Use ":" instead of "dnl" as a noop
5e8747ae2a autoconf: Use ":" instead of "dnl" as a noop (Tim Ruffing)

Pull request description:

  Fixes #424.

Top commit has no ACKs.

Tree-SHA512: a83664afbc6ca1254c4767161bfbec82f3489a8a248ba7a5a46ed9ec2a39232cf92f504accadd4dbb1a6ea4791dbf7f0e1f030e51f02f49eb9a38a2e509ee6c2
2020-05-22 13:31:45 +02:00
Elichai Turkel a39c2b09de
Fixed UB(arithmetics on uninit values) in cmovs 2020-05-22 13:25:26 +03:00
Jonas Nick 3a6fd7f636
Merge #750: Add macOS to the CI
71757da5cc Explictly pass SECP256K1_BENCH_ITERS to the benchmarks in travis.sh (Elichai Turkel)
99bd661d71 Replace travis_wait with a loop printing "\a" to stdout every minute (Elichai Turkel)
bc818b160c Bump travis Ubuntu from xenial(16.04) to bionic(18.04) (Elichai Turkel)
0c5ff9066e Add macOS support to travis (Elichai Turkel)
b6807d91d8 Move travis script into a standalone sh file (Elichai Turkel)

Pull request description:

ACKs for top commit:
  real-or-random:
    ACK 71757da5cc I inspected the diff
  jonasnick:
    ACK 71757da5cc

Tree-SHA512: e8fab725ef5ed98c795f39d7f26b5d967a6bd730d40eb7d9793986858bf34770b0350c1b7b1d14ae608dfff9375a0750ec67c8e6d0d4b562ab917f5e645aa67b
2020-05-18 19:38:47 +00:00