Commit Graph

67 Commits

Author SHA1 Message Date
Gregory Maxwell 3d2302257f Constant-time behaviour test using valgrind memtest.
Valgrind does bit-level tracking of the "uninitialized" status of memory,
 property tracks memory which is tainted by any uninitialized memory, and
 warns if any branch or array access depends on an uninitialized bit.

That is exactly the verification we need on secret data to test for
 constant-time behaviour. All we need to do is tell valgrind our
 secret key is actually uninitialized memory.

This adds a valgrind_ctime_test which is compiled if valgrind is installed:

Run it with libtool --mode=execute:
$ libtool --mode=execute valgrind ./valgrind_ctime_test
2020-02-24 18:59:30 +00:00
Gregory Maxwell 7b50483ad7 Adds a declassify operation to aid constant-time analysis.
ECDSA signing has a retry loop for the exceptionally unlikely case
 that S==0.  S is not a secret at this point and this case is so
 rare that it will never be observed but branching on it will trip
 up tools analysing if the code is constant time with respect to
 secrets.

Derandomized ECDSA can also loop on k being zero or overflowing,
 and while k is a secret these cases are too rare (1:2^255) to
 ever observe and are also of no concern.

This adds a function for marking memory as no-longer-secret and
 sets it up for use with the valgrind memcheck constant-time
 test.
2020-02-20 17:27:26 +00:00
Jonas Nick 642cd062bd Remove Java Native Interface 2020-01-08 09:13:09 +00:00
djb dcb2e3b3ff
variable signing precompute table
make ECMULT_GEN_PREC_BITS configurable

ecmult_static_context.h: add compile time config assertion (#3) - Prevents accidentally using a file which was generated with a
different configuration.

README: mention valgrind issue

With --with-ecmult-gen-precision=8, valgrind needs a max stack size
adjustment to not run into a stack switching heuristic:

http://valgrind.org/docs/manual/manual-core.html

> -max-stackframe= [default: 2000000]
> The maximum size of a stack frame. If the stack pointer moves by more than this amount then Valgrind will assume that the program is switching to a different stack.
You may need to use this option if your program has large stack-allocated arrays.

basic-config: undef ECMULT_WINDOW_SIZE before (re-)defining it
2019-09-05 09:19:41 +02:00
Tim Ruffing 238305fdbb Move _preallocated functions to separate header 2019-05-25 14:01:09 +02:00
ian 662918cb29 Revert "Merge #620: Install headers automatically"
This reverts commit 91fae3ace0, reversing
changes made to 5df77a0eda.

See discussion in https://github.com/bitcoin-core/secp256k1/pull/625

After the change, if we enable any module, `make install` fails because of the
duplicated files in the command line arguments.
2019-05-24 08:35:26 +08:00
Víctor Mayoral Vilches 16e86150d0 Install headers automatically
This fix install all the headers under include/ into
/usr/local/include. The fix solves problems that arise
when building libraries that depend on secp256k1 such
as bitcoin-system which require all the headers
2019-05-15 09:54:35 +02:00
Gregory Maxwell 83483869ac Add $(COMMON_LIB) to exhaustive tests to fix ARM asm build 2019-03-09 06:17:27 +00:00
Tim Ruffing a34bcaadf1 Actually pass CFLAGS_FOR_BUILD and LDFLAGS_FOR_BUILD to linker 2019-02-10 11:58:52 +01:00
Tim Ruffing 2d5f4cebdc configure: Use CFLAGS_FOR_BUILD when checking native compiler
This fixes a bug where configure would fail or disable static
ecmult tables because it wrongly checks the native compiler using
the target CFLAGS (instead of the native CFLAGS_FOR_BUILD), and
similar for CPPFLAGS and LDFLAGS.

Moreover, this commit adds tests to figure out whether the native
compiler supports the warning flags passed during the build, and it
contains a few minor improvements to the code that checks the native
compiler.
2019-02-10 11:56:36 +01:00
Pieter Wuille bc65aa794e Add bench_ecmult 2017-12-07 20:13:04 +00:00
Andrew Poelstra 548de42ecf add resizeable scratch space API
Alignment support by Pieter Wuille.
2017-12-07 20:13:04 +00:00
Andrew Poelstra a724d7296d configure: add --enable-coverage to set options for coverage analysis 2016-11-28 03:29:01 +00:00
Andrew Poelstra 83836a9547 Add exhaustive tests for group arithmetic, signing, and ecmult on a small group
If you compile without ./configure --enable-exhaustive-tests=no,
this will create a binary ./exhaustive_tests which will execute
every function possible on a group of small order obtained by
moving to a twist of our curve and locating a generator of small
order.

Currently defaults to order 13, though by changing some #ifdefs
you can get a couple other ones. (Currently 199, which will take
forever to run, and 14, which won't work because it's composite.)

TODO exhaustive tests for the various modules
2016-11-26 00:35:00 +00:00
Andrew Poelstra 20b8877be1 Add exhaustive test for group functions on a low-order subgroup
We observe that when changing the b-value in the elliptic curve formula
`y^2 = x^3 + ax + b`, the group law is unchanged. Therefore our functions
for secp256k1 will be correct if and only if they are correct when applied
to the curve defined by `y^2 = x^3 + 4` defined over the same field. This
curve has a point P of order 199.

This commit adds a test which computes the subgroup generated by P and
exhaustively checks that addition of every pair of points gives the correct
result.

Unfortunately we cannot test const-time scalar multiplication by the same
mechanism. The reason is that these ecmult functions both compute a wNAF
representation of the scalar, and this representation is tied to the order
of the group.

Testing with the incomplete version of gej_add_ge (found in 5de4c5dff^)
shows that this detects the incompleteness when adding P - 106P, which
is exactly what we expected since 106 is a cube root of 1 mod 199.
2016-11-25 20:45:29 +00:00
Pieter Wuille e06e878fd7 Remove Schnorr experiment 2016-11-17 18:55:06 -08:00
Andrew Poelstra ac01378c87 build: add -DSECP256K1_BUILD to benchmark_internal build flags
gcc 6 will warn about our non-null checks when SECP256K1_BUILD
our NONNULL marker is nontrivial. This occurs unless SECP256K1_BUILD
is set, which we had forgotten to do for the internal benchmarks,
which compile directly against the library instead of linking.
2016-07-06 11:55:14 +00:00
Wladimir J. van der Laan 001f1763c7 ARM assembly implementation of field_10x26 inner
Rebased-by: Pieter Wuille <pieter.wuille@gmail.com>
2016-05-25 18:27:47 +02:00
GreenAddress 3093576aa4 JNI library
Squashed and rebased. Thanks to @theuni and @faizkhan00 for doing
the majority of work here! Also thanks to @btchip for help with debugging
and review.
2016-02-01 14:07:18 +01:00
Pieter Wuille 419bf7fd9d
Merge pull request #356
03d84a4 Benchmark against OpenSSL verification (Pieter Wuille)
2015-11-24 21:55:33 +01:00
ptschip 445f7f104c Fix for Windows compile issue
Change CPPFLAGS_FOR_BUILD path  (by paveljanik)
2015-11-16 16:40:12 -08:00
Pieter Wuille 03d84a427f Benchmark against OpenSSL verification 2015-11-15 15:47:49 +01:00
Andrew Poelstra eed87af10a Change contrib/laxder from headers-only to files compilable as standalone C
Verified that both programs compile with

    gcc -I. -I../include -lsecp256k1 -c -W -Wextra -Wall -Werror -ansi -pedantic lax_der_privatekey_parsing.c
    gcc -I. -I../include -lsecp256k1 -c -W -Wextra -Wall -Werror -ansi -pedantic lax_der_parsing.c
2015-10-29 18:55:49 -05:00
Gregory Maxwell 4a243da47c Move secp256k1_ec_privkey_import/export to contrib.
These functions are intended for compatibility with legacy software,
 and are not normally needed in new secp256k1 applications.

They also do not obeying any particular standard (and likely cannot
 without without undermining their compatibility), and so are a
 better fit for contrib.
2015-10-22 22:57:33 +00:00
Pieter Wuille fea19e7bb7 Add contrib/lax_der_parsing.h
This shows a snippet of code to do lax DER parsing, without obeying to any
particular standard.
2015-10-21 16:14:35 +02:00
Gregory Maxwell 213aa67397 Do not force benchmarks to be statically linked.
Libtool will do the right thing and use whatever is available
 based on --enable-shared/--enable-static.

This also means that some of the things we build actually
 test the dynamic library.
2015-09-29 19:03:51 +00:00
Cory Fields 6da1446dcf build: fix parallel build 2015-08-31 23:22:13 -04:00
Pieter Wuille 9f443be086 Move pubkey recovery code to separate module 2015-08-28 01:51:52 +02:00
Pieter Wuille ff3a5dfc97
Merge pull request #284
e4ce393 build: fix hard-coded usage of "gen_context" (Cory Fields)
b8e39ac build: don't use BUILT_SOURCES for the static context header (Cory Fields)
2015-08-03 22:37:27 +02:00
Pieter Wuille a5a66c70b6 Add support for custom EC-Schnorr-SHA256 signatures 2015-08-03 20:08:51 +02:00
Andrew Poelstra 0739bbb6f0 Add ECDH module which works by hashing the output of ecmult_const 2015-08-01 10:57:33 -05:00
Andrew Poelstra 4401500060 Add constant-time multiply `secp256k1_ecmult_const` for ECDH
Designed with clear separation of the wNAF conversion, precomputation
and exponentiation (since the precomp at least we will probably want
to separate in the API for users who reuse points a lot.

Future work:
  - actually separate precomp in the API
  - do multiexp rather than single exponentiation
2015-07-31 12:39:09 -05:00
Cory Fields e4ce393683 build: fix hard-coded usage of "gen_context"
The binary needs an extension on some platforms.
2015-07-31 13:34:01 -04:00
Cory Fields b8e39ac5e4 build: don't use BUILT_SOURCES for the static context header
BUILT_SOURCES simply forces the header to be built first.

Use real dependencies instead. This fixes builds with dependency tracking
disabled where a real target is specified.

As a bonus, this also fixes the issue of gen_context and the header not being
rebuilt when gen_context.c is touched.
2015-07-31 13:26:30 -04:00
Gregory Maxwell c37812f54c Add gen_context src/ecmult_static_context.h to CLEANFILES to fix distclean. 2015-07-16 00:05:32 +00:00
Gregory Maxwell 76f67697ec Fix build with static ecmult altroot and make dist.
Gen_context was unable to find the required headers without some
 autotools fixups.  Make dist was also broken without the extra
 sources for the host side table builder utility.
2015-07-15 22:08:00 +00:00
Thomas Daede fbecc38a89 Add ability to use a statically generated ecmult context.
This vastly shrinks the size of the context required for signing on devices with
memory-mapped Flash.

Tables are generated by the new gen_context tool into a header.
2015-07-13 18:00:03 -07:00
Pieter Wuille 039723d5da Benchmarks for all internal operations 2015-02-02 20:02:39 -08:00
Pieter Wuille bbd5ba7cfa Use rfc6979 as default nonce generation function 2014-12-20 14:36:13 +01:00
Pieter Wuille 7277fd76e2 Remove GMP field implementation 2014-12-17 12:41:31 +01:00
Pieter Wuille 6558a26770 Make the benchmarks print out stats 2014-12-09 01:27:39 +01:00
Pieter Wuille 000bdf6dc3 Rename bench_verify to bench_recovery 2014-12-09 00:12:02 +01:00
Pieter Wuille 67935050e1 Convert YASM code into inline assembly 2014-12-04 13:54:01 +01:00
Cory Fields e2274c58e6 build: osx: attempt to work with homebrew keg-only packages 2014-11-24 11:49:22 -05:00
Gregory Maxwell 861f9a59cc field_gmp's negate doesn't need to use the magnitude argument. 2014-11-13 01:45:56 -08:00
kiwigb 6fac238f03 Use same build template as bitcoin. Add bitcoin_secp.m4. 2014-11-07 01:55:27 +13:00
kiwigb f9aac5b034 Remove INCLUDES. Obsolete, appears unused anyway. 2014-11-06 22:35:41 +13:00
Pieter Wuille 1d52a8b155 Implementations for scalar without data-dependent branches. 2014-11-04 03:01:55 -08:00
Peter Dettman e2d66a2c62 Fix build for 64bit field under OSX
- caused by 8881212ebc
- OSX's ar tool doesn't work for empty archives ("ar: no archive members specified")
- introduce COMMON_LIB variable; leave empty when not using asm
2014-11-03 09:50:05 +07:00
Pieter Wuille fa5c13ff4c Add bench_sign tool 2014-10-31 08:23:34 -07:00