Commit Graph

1385 Commits

Author SHA1 Message Date
Tim Ruffing b61f9da54e
Merge #857: docs: fix simple typo, dependecy -> dependency
18aadf9d28 docs: fix simple typo, dependecy -> dependency (Tim Gates)

Pull request description:

  There is a small typo in src/group_impl.h.

  Should read `dependency` rather than `dependecy`.

ACKs for top commit:
  real-or-random:
    ACK 18aadf9d28

Tree-SHA512: 3529f43bcc87ea8940ecf5af765951f61d97d1efa86fd8abc29e32b600fd449165a94a2fa525bc6b3d9a7d8aa6e691cc4d42033537b196ba166a867e6db7f397
2020-12-09 18:05:58 +01:00
Tim Gates 18aadf9d28
docs: fix simple typo, dependecy -> dependency
There is a small typo in src/group_impl.h.

Should read `dependency` rather than `dependecy`.
2020-12-08 21:45:13 +11:00
Jonas Nick 2d9e7175c6
Merge #852: Add sage script for generating scalar_split_lambda constants
329a2e0a3f sage: Add script for generating scalar_split_lambda constants (Tim Ruffing)
f554dfc708 sage: Reorganize files (Tim Ruffing)

Pull request description:

ACKs for top commit:
  sipa:
    ACK 329a2e0a3f

Tree-SHA512: d41fe5eba332f48af0b800778aa076925c4e8e95ec21c4371a500ddd6088b6d52961bdb93f7ce2b127e18095667dbb966a0d14191177f0d0e78dfaf55271d5e2
2020-12-07 21:49:32 +00:00
Tim Ruffing dc6e5c3a5c
Merge #854: Rename msg32 to msghash32 in ecdsa_sign/verify and add explanation
6e85d675aa Rename tweak to tweak32 in public API (Jonas Nick)
f587f04e35 Rename msg32 to msghash32 in ecdsa_sign/verify and add explanation (Jonas Nick)

Pull request description:

  This fixes #307 if there's nothing else that's confusing.

ACKs for top commit:
  real-or-random:
    ACK 6e85d675aa I inspected the diff

Tree-SHA512: 1b0dc9dfffd497058dc39c962a512ed6d7f89218020fef9d2c03aaae1aefbf272b918c4fe6503434b62547714855fe1b8b89f2366f3ae6cde16143207c9e6b86
2020-12-07 22:10:47 +01:00
Jonas Nick 6e85d675aa Rename tweak to tweak32 in public API 2020-12-04 14:16:43 +00:00
Jonas Nick f587f04e35 Rename msg32 to msghash32 in ecdsa_sign/verify and add explanation 2020-12-04 14:12:38 +00:00
Tim Ruffing 329a2e0a3f sage: Add script for generating scalar_split_lambda constants 2020-12-03 11:56:09 +01:00
Jonas Nick 8f0c6f1545
Merge #851: make test count iteration configurable by environment variable
f4fa8d226a forbid a test iteration of 0 or less (Andrew Poelstra)
0ce4554881 make test count iteration configurable by environment variable (Andrew Poelstra)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK f4fa8d226a
  real-or-random:
    ACK f4fa8d226a

Tree-SHA512: 087771402c8e9536c07446baa7d02da5104d2b691f40c1dd04737329534422d895d3b692f485990d5791af8ccc124305b4f8b19be75e27b6b04cfb2337b28beb
2020-12-01 08:31:13 +00:00
Andrew Poelstra f4fa8d226a forbid a test iteration of 0 or less 2020-11-30 18:12:31 +00:00
Tim Ruffing f554dfc708 sage: Reorganize files
* Move curve parameters to separate file
 * Rename main prover script for clarity
2020-11-25 13:50:40 +01:00
Jonas Nick 3a106966aa
Merge #849: Convert Sage code to Python 3 (as used by Sage >= 9)
13c88efed0 Convert Sage code to Python 3 (as used by Sage >= 9) (Frédéric Chapoton)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 13c88efed0

Tree-SHA512: 6b8a32c35554b7e881841c17fe21323035014d25003f14e399f03ec017ea1bae1c68eee18a4d0315fc0f3b40d8252b5c8790f6c355d7d074a8ebc5e1ca832795
2020-11-23 20:15:25 +00:00
Frédéric Chapoton 13c88efed0 Convert Sage code to Python 3 (as used by Sage >= 9)
Co-authored-by: Tim Ruffing <crypto@timruffing.de>
2020-11-23 15:56:22 +01:00
Andrew Poelstra 0ce4554881 make test count iteration configurable by environment variable 2020-11-23 01:05:31 +00:00
Pieter Wuille 9e5939d284
Merge #835: Don't use reserved identifiers memczero and benchmark_verify_t
1f4dd03838 Typedef (u)int128_t only when they're not provided by the compiler (Tim Ruffing)
e89278f211 Don't use reserved identifiers memczero and benchmark_verify_t (Tim Ruffing)

Pull request description:

  As identified in #829 and #833. Fixes #829.

  Since we touch this anyway, this commit additionally makes the
  identifiers in the benchmark files a little bit more consistent.

  This is necessary before we can merge #833. I preferred a separate PR because it makes it easier to see the results of Travis in #833.

ACKs for top commit:
  sipa:
    utACK 1f4dd03838
  jonasnick:
    ACK 1f4dd03838

Tree-SHA512: c0ec92798f3c94f3ef6ac69b3f0f39a39257a32be9d9a068832cece1ebe64c89848b70e44652fc397004b8b240883ac4bc0c8f95abbe4ba4b028de120e6734bf
2020-11-04 15:29:25 -08:00
Jonas Nick d0a83f7328
Merge #839: Prevent arithmetic on NULL pointer if the scratch space is too small
29a299e373 Run the undefined behaviour sanitizer on Travis (Fabien)
7506e064d7 Prevent arithmetic on NULL pointer if the scratch space is too small (Fabien)

Pull request description:

ACKs for top commit:
  sipa:
    ACK 29a299e373. Reviewed the code changes and verified that building with these sanitizer flags catches the existing error, as well as a signed integer overflow if introduced.
  real-or-random:
    ACK 29a299e373 code inspection
  jonasnick:
    utACK 29a299e373

Tree-SHA512: 4d788f12f3d7b48018e884910adb9b530a05d88f504de83dadeab8a22d75da83c05a1518f7317de5f536c4dd243ea7b347b1eaddb2ca1d804c663e41b85db69d
2020-11-04 14:53:04 +00:00
Jonas Nick 903b16aa6c
Merge #840: Return NULL early in context_preallocated_create if flags invalid
ebfa2058e9 Return NULL early in context_preallocated_create if flags invalid (Tim Ruffing)

Pull request description:

ACKs for top commit:
  sipa:
    ACK ebfa2058e9
  jonasnick:
    ACK ebfa2058e9

Tree-SHA512: 61310539046e015e5c9e6b5702ac7b542fda854a23915ef5dd549361c8ec6e70aa6d509e02b30fd859b24dfaf2250721bb55270767323d6e94854067b7d7e9a6
2020-10-30 17:48:46 +00:00
Tim Ruffing 1f4dd03838 Typedef (u)int128_t only when they're not provided by the compiler 2020-10-27 20:18:18 +01:00
Tim Ruffing 3967d96bf1
Merge #838: Make autotools check for all the used openssl functions
3734b68200 Configure echo if openssl tests are enabled (Elichai Turkel)
e6692778d3 Modify bitcoin_secp.m4's openssl check to call all the functions that we use in the tests/benchmarks. That way linking will fail if those symbols are missing (Elichai Turkel)

Pull request description:

  I added all the openssl functions that we call in `tests.c` and in `bench_verify.c` to the m4 check, that way if any of them are missing it won't enable openssl.
  I also modified it a little to prevent a segmentation fault when running that program (not that it really matters for autotools)

  This should fix #836

ACKs for top commit:
  sipa:
    ACK 3734b68200
  real-or-random:
    ACK 3734b68200

Tree-SHA512: c82aa96a4176061284dfa5fdb87ca874a25aa2e11f75c4ec6d1edebcc8a19e2bc940990f8a5cfa64776fd295b6fd3a140fa2afede29326564504bc8d1a3a6b69
2020-10-27 20:15:33 +01:00
Elichai Turkel 3734b68200
Configure echo if openssl tests are enabled 2020-10-27 16:11:27 +02:00
Tim Ruffing ebfa2058e9 Return NULL early in context_preallocated_create if flags invalid
If the user passes invalid flags to _context_create, and the default
illegal callback does not abort the program (which is possible), then we
work with the result of malloc(0), which may be undefined behavior. This
violates the promise that a library function won't crash after the
illegal callback has been called.

This commit fixes this issue by returning NULL early in _context_create
in that case.
2020-10-27 15:03:21 +01:00
Jonas Nick 6f54e69f03
Merge #841: Avoids a potentially shortening size_t to int cast in strauss_wnaf_
8893f42438 Avoids a potentially shortening size_t to int cast in strauss_wnaf_ (Tim Ruffing)

Pull request description:

ACKs for top commit:
  sipa:
    ACK 8893f42438. `np` and `no` shouldn't ever take on negative values.
  jonasnick:
    ACK 8893f42438
  elichai:
    ACK 8893f42438

Tree-SHA512: 431a6b88c8db8c8883b35c9bc03c90e37ecd0b06c7ee01c5d83cca4a7f6fc1f3cfbbaa871a4a23374ce4cc5bcfb9502c7f2e2540f9f9db9535e47e48827b6af6
2020-10-27 13:24:33 +00:00
Fabien 29a299e373 Run the undefined behaviour sanitizer on Travis
Run UBSAN with both GCC and Clang, on Linux and macOS.
The `halt_on_error=1` option is required to make the build fail if the
sanitizer finds an issue.
2020-10-27 08:45:21 +01:00
Fabien 7506e064d7 Prevent arithmetic on NULL pointer if the scratch space is too small
If the scratch space is too small when calling
`secp256k1_ecmult_strauss_batch()`, the `state.pre_a` allocation will
fail and the pointer will be `NULL`. This causes `state.pre_a_lam` to be
computed from the `NULL` pointer.

It is also possible that the first allocation to fail is for `state.ps`,
which will cause the failure to occur when in
`secp256k1_ecmult_strauss_wnaf()`.

The issue has been detected by UBSAN using Clang 10:
```
CC=clang \
CFLAGS="-fsanitize=undefined -fno-omit-frame-pointer" \
LDFLAGS="-fsanitize=undefined -fno-omit-frame-pointer" \
../configure

UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1 make check
```
2020-10-27 08:41:14 +01:00
Tim Ruffing 8893f42438 Avoids a potentially shortening size_t to int cast in strauss_wnaf_
Fixes #834.
2020-10-27 02:17:23 +01:00
Elichai Turkel e6692778d3
Modify bitcoin_secp.m4's openssl check to call all the functions that we
use in the tests/benchmarks.
That way linking will fail if those symbols are missing
2020-10-25 13:42:25 +02:00
Tim Ruffing ac05f61fcf
Merge #809: Stop treating ECDH as experimental
e6e3d5da2f travis: add schnorrsig to valgrind and big endian platform test (Jonas Nick)
353dff156f Stop treating ECDH as experimental (Jonas Nick)

Pull request description:

  Fixes #665

ACKs for top commit:
  real-or-random:
    ACK e6e3d5da2f
  elichai:
    ACK e6e3d5d

Tree-SHA512: 07379429ee159aad011c7cefcea35423602e9d119d994e11c78a89fcc74c2c65835b3d55f6f781fe28b4e3622db9ee470e48a223037a20baf94c0263b1c60105
2020-10-21 10:00:28 +02:00
Jonas Nick e6e3d5da2f travis: add schnorrsig to valgrind and big endian platform test 2020-10-20 17:51:17 +00:00
Jonas Nick 353dff156f Stop treating ECDH as experimental 2020-10-20 17:49:33 +00:00
Tim Ruffing e89278f211 Don't use reserved identifiers memczero and benchmark_verify_t
As identified in #829 and #833. Fixes #829.

Since we touch this anyway, this commit additionally makes the
identifiers in the benchmark files a little bit more consistent.
2020-10-20 15:00:19 +02:00
Pieter Wuille c6b6b8f1bb
Merge #830: Rip out non-endomorphism code + dependencies
c582abade1 Consistency improvements to the comments (Pieter Wuille)
63c6b71616 Reorder comments/function around scalar_split_lambda (Pieter Wuille)
2edc514c90 WNAF of lambda_split output has max size 129 (Pieter Wuille)
4232e5b7da Rip out non-endomorphism code (Pieter Wuille)
ebad8414b0 Check correctness of lambda split without -DVERIFY (Gregory Maxwell)
fe7fc1fda8 Make lambda constant accessible (Pieter Wuille)
9d2f2b44d8 Add tests to exercise lambda split near bounds (Pieter Wuille)
9aca2f7f07 Add secp256k1_split_lambda_verify (Russell O'Connor)
acab934d24 Detailed comments for secp256k1_scalar_split_lambda (Russell O'Connor)
76ed922a5f Increase precision of g1 and g2 (Russell O'Connor)
6173839c90 Switch to our own memcmp function (Tim Ruffing)

Pull request description:

  This is a rebased/combined version of the following pull requests/commits with minor changes:
  * #825 Switch to our own memcmp function
    * Modification: `secp256k1_memcmp_var` is marked static inline
    * Modification: also replace `memcmp` with `secp256k1_memcmp_var` in exhaustive tests
    * Modification: add reference to GCC bug 95189
  * #822 Increase precision of g1 and g2
    * Modification: use the new `secp256k1_memcmp_var` function instead of `memcmp` (see https://github.com/bitcoin-core/secp256k1/pull/822#issuecomment-706610361)
    * Modification: drop the " Allow secp256k1_split_lambda_verify to pass even in the presence of GCC bug https://gcc.gnu.org/bugzilla/show_bug.cgi?id=95189." commit, as it's dealt with using `secp256k1_memcmp_var`.
    * Modification: rename secp256k1_gej_mul_lambda -> secp256k1_ge_mul_lambda
  * A new commit that moves the `lambda` constant out of `secp256k1_scalar_split_lambda` and (`_verify`).
  * The test commit suggested here: https://github.com/bitcoin-core/secp256k1/pull/822#issuecomment-706610276
    * Modification: use the new accessible `secp256k1_const_lambda` instead of duplicating it.
  * #826 Rip out non-endomorphism code
  * A new commit that reduces the size of the WNAF output to 129, as we now have proof that the split output is always 128 bits or less.
  * A new commit to more consistently use input:`k`, integer outputs:`k1`,`k2`, modulo n outputs:`r1`,`r2`

ACKs for top commit:
  real-or-random:
    ACK c582abade1 code inspection, some tests, verified the new g1/g2 constants
  jonasnick:
    ACK c582abade1 didn't verify the proof

Tree-SHA512: 323a3ee3884b7ac4fa85c8e7b785111b5c0638d718bc1c805a38963c87411e81a746c98e9a42a3e2197ab34a874544de5cc51326955d1c4d0ea45afd418e819f
2020-10-14 11:11:15 -07:00
Pieter Wuille c582abade1 Consistency improvements to the comments 2020-10-13 13:21:50 -07:00
Pieter Wuille 63c6b71616 Reorder comments/function around scalar_split_lambda 2020-10-13 13:21:45 -07:00
Pieter Wuille 2edc514c90 WNAF of lambda_split output has max size 129 2020-10-13 11:31:13 -07:00
Pieter Wuille 4232e5b7da Rip out non-endomorphism code 2020-10-13 11:31:13 -07:00
Gregory Maxwell ebad8414b0 Check correctness of lambda split without -DVERIFY
The VERIFY macro turns on various paranoid consistency checks, but
 the complete functionality should still be tested without it.

This also adds a couple of static test points for extremely small
 split inputs/outputs.  The existing bounds vectors already check
 extremely large outputs.
2020-10-13 11:31:13 -07:00
Pieter Wuille fe7fc1fda8 Make lambda constant accessible 2020-10-13 11:31:13 -07:00
Pieter Wuille 9d2f2b44d8 Add tests to exercise lambda split near bounds 2020-10-13 11:31:13 -07:00
Russell O'Connor 9aca2f7f07 Add secp256k1_split_lambda_verify 2020-10-13 11:31:13 -07:00
Russell O'Connor acab934d24 Detailed comments for secp256k1_scalar_split_lambda 2020-10-13 11:31:13 -07:00
Russell O'Connor 76ed922a5f Increase precision of g1 and g2
This allows us to shift by 256+128 = 384 bits, which is a multiple of the limb size of
the scalar representation. This also happens to be the most precision possible for g2
that still fits into a 256-bit value.
2020-10-11 10:39:59 -07:00
Tim Ruffing 6173839c90 Switch to our own memcmp function
Fixes #823.
2020-10-11 10:39:20 -07:00
Tim Ruffing 63150ab4da
Merge #827: Rename testrand functions to have test in name
a45c1fa63c Rename testrand functions to have test in name (Pieter Wuille)

Pull request description:

  Suggested here: https://github.com/bitcoin-core/secp256k1/pull/808#discussion_r488871913

ACKs for top commit:
  real-or-random:
    ACK a45c1fa63c diff looks good
  elichai:
    utACK a45c1fa63c

Tree-SHA512: a15c29b88877e0f1a099acab90cbfa1e70420527e07348a69c8a5b539319a3131b771b86852e772a669a1eb3475d508d0f7e10f37eec363dc6640d4eaf967536
2020-09-27 11:15:14 +02:00
Tim Ruffing c5257aed0b
Merge #821: travis: Explicitly set --with-valgrind
4eecb4d6ef travis: VALGRIND->RUN_VALGRIND to avoid confusion with WITH_VALGRIND (Jonas Nick)
66a765c775 travis: Explicitly set --with-valgrind (Jonas Nick)

Pull request description:

  Also remove CPPFLAGS=-DVALGRIND because that's redundant with when
  configured with --enable-valgrind.

ACKs for top commit:
  real-or-random:
    ACK 4eecb4d6ef diff and travis output look good
  sipa:
    utACK 4eecb4d6ef
  elichai:
    ACK 4eecb4d6ef

Tree-SHA512: c22d79fccaa926a074272b63a61f052f4bec3b1e5a871e3f08a4f6c19046da575779126a7008eb8a7513e70997b32d1dc6565dfb7aa41c57c0b6ef15ebbc8303
2020-09-26 11:14:47 +02:00
Tim Ruffing bb1f54280f
Merge #818: Add static assertion that uint32_t is unsigned int or wider
c0041b5cfc Add static assertion that uint32_t is unsigned int or wider (Tim Ruffing)

Pull request description:

  Solves one item in #792 .

ACKs for top commit:
  sipa:
    utACK c0041b5cfc
  elichai:
    ACK c0041b5cfc

Tree-SHA512: 9f700e89be39e15983260da94642593d16b9c437171e10377837ac73731ca7ba5dd7e328b3d93d0a24d143fb9e73abd11c578f6b58e2f94c82b783e977173b0c
2020-09-26 10:22:32 +02:00
Pieter Wuille a45c1fa63c Rename testrand functions to have test in name 2020-09-25 20:50:43 -07:00
Pieter Wuille 5006895bd6
Merge #808: Exhaustive test improvements + exhaustive schnorrsig tests
8b7dcdd955 Add exhaustive test for extrakeys and schnorrsig (Pieter Wuille)
08d7d89299 Make pubkey parsing test whether points are in the correct subgroup (Pieter Wuille)
87af00b511 Abstract out challenge computation in schnorrsig (Pieter Wuille)
63e1b2aa7d Disable output buffering in tests_exhaustive.c (Pieter Wuille)
39f67dd072 Support splitting exhaustive tests across cores (Pieter Wuille)
e99b26fcd5 Give exhaustive_tests count and seed cmdline inputs (Pieter Wuille)
49e6630bca refactor: move RNG seeding to testrand (Pieter Wuille)
b110c106fa Change exhaustive test groups so they have a point with X=1 (Pieter Wuille)
cec7b18a34 Select exhaustive lambda in function of order (Pieter Wuille)
78f6cdfaae Make the curve B constant a secp256k1_fe (Pieter Wuille)
d7f39ae4b6 Delete gej_is_valid_var: unused outside tests (Pieter Wuille)
8bcd78cd79 Make secp256k1_scalar_b32 detect overflow in scalar_low (Pieter Wuille)
c498366e5b Move exhaustive tests for recovery to module (Pieter Wuille)
be31791543 Make group order purely compile-time in exhaustive tests (Pieter Wuille)

Pull request description:

  A few miscellaneous improvements:
  * Just use EXHAUSTIVE_TEST_ORDER as order everywhere, rather than a variable
  * Move exhaustive tests for recovery module to the recovery module directory
  * Make `secp256k1_scalar_set_b32` detect overflow correctly for scalar_low (a comment in the recovery exhaustive test indicated why this was the case, but this looks incorrect).
  * Change the small test groups so that they include a point with X coordinate 1.
  * Initialize the RNG seed, allowing configurating from the cmdline, and report it.
  * Permit changing the number of iterations (re-randomizing for each).
  * Support splitting the work across cores from the cmdline.

  And a big one:
  * Add exhaustive tests for schnorrsig module (and limited ones for extrakeys).

ACKs for top commit:
  real-or-random:
    ACK 8b7dcdd955
  jonasnick:
    ACK 8b7dcdd955

Tree-SHA512: 18d7f362402085238faaced164c0ca34079717a477001fc0b13448b3529ea2ad705793a13b7a36f34bf12e9231fee11070f88cc51bfc2a83ca82aa13f7aaae71
2020-09-25 20:44:03 -07:00
Jonas Nick 4eecb4d6ef travis: VALGRIND->RUN_VALGRIND to avoid confusion with WITH_VALGRIND
Also remove CPPFLAGS=-DVALGRIND because that's redundant when
configured with --with-valgrind.
2020-09-21 09:08:29 +00:00
Jonas Nick 66a765c775 travis: Explicitly set --with-valgrind
Also set --with-valgrind=no once
2020-09-21 07:53:41 +00:00
Jonas Nick d7838ba6a6
Merge #813: Enable configuring Valgrind support
412bf874d0 configure: Allow specifying --with[out]-valgrind explicitly (Luke Dashjr)

Pull request description:

ACKs for top commit:
  sipa:
    ACK 412bf874d0. Tested by running configure on a system with and without valgrind, and with no argument, with `--with-valgrind`, and with `--without-valgrind`.
  real-or-random:
    ACK 412bf874d0
  jonasnick:
    ACK 412bf874d0

Tree-SHA512: 92417609751e5af813faff1661055cd37f3d00dbcf109a8f14f8ba59d9f3d620c9c6b67d2b1629b6ab75e2afcd47d2b3898a0427931567fb505bc92fa5ee3532
2020-09-19 08:48:14 +00:00
Jonas Nick 7ceb0b7611
Merge #819: Enable -Wundef warning
e73ff30922 Enable -Wundef warning (Tim Ruffing)

Pull request description:

ACKs for top commit:
  practicalswift:
    ACK e73ff30922 -- patch looks correct
  sipa:
    ACK e73ff30922
  jonasnick:
    ACK e73ff30922

Tree-SHA512: 1f0d477e41f33276eceb5324162731ba8aacd8d6571d7020344206b31c7f48c31f6bccbed2ce3ffe2e8c13abf98db24d177521b6b36a3087b81b55a253559fe6
2020-09-19 08:25:03 +00:00