]>
Git Repo - secp256k1.git/log
Tim Ruffing [Sat, 26 Sep 2020 08:18:17 +0000 (10:18 +0200)]
Merge #818: Add static assertion that uint32_t is unsigned int or wider
c0041b5cfca5efb160aa9a5616350069c89a8c29 Add static assertion that uint32_t is unsigned int or wider (Tim Ruffing)
Pull request description:
Solves one item in #792 .
ACKs for top commit:
sipa:
utACK
c0041b5cfca5efb160aa9a5616350069c89a8c29
elichai:
ACK
c0041b5cfca5efb160aa9a5616350069c89a8c29
Tree-SHA512: 9f700e89be39e15983260da94642593d16b9c437171e10377837ac73731ca7ba5dd7e328b3d93d0a24d143fb9e73abd11c578f6b58e2f94c82b783e977173b0c
Pieter Wuille [Sat, 26 Sep 2020 03:41:54 +0000 (20:41 -0700)]
Merge #808: Exhaustive test improvements + exhaustive schnorrsig tests
8b7dcdd955a4f57174f478e36bdae5b84784fb9c Add exhaustive test for extrakeys and schnorrsig (Pieter Wuille)
08d7d89299a6492bf9388b4662b709d268c8ea29 Make pubkey parsing test whether points are in the correct subgroup (Pieter Wuille)
87af00b511f2938b6b4799f94d446a005730515e Abstract out challenge computation in schnorrsig (Pieter Wuille)
63e1b2aa7d396209aa5e26aa540d9593ede312a6 Disable output buffering in tests_exhaustive.c (Pieter Wuille)
39f67dd072fc44c7c0d27b95610ba8912de56db5 Support splitting exhaustive tests across cores (Pieter Wuille)
e99b26fcd54cb4096515ba80cf0f79d147b2683c Give exhaustive_tests count and seed cmdline inputs (Pieter Wuille)
49e6630bca5f6628bd1fd92d70d465273d4d873f refactor: move RNG seeding to testrand (Pieter Wuille)
b110c106fa9704e30f6b0c2ffa6a2697031e89a8 Change exhaustive test groups so they have a point with X=1 (Pieter Wuille)
cec7b18a34e68adb04f31a71a2eb4c5fc97674ce Select exhaustive lambda in function of order (Pieter Wuille)
78f6cdfaae9866694dcb0eee966332688753a8c3 Make the curve B constant a secp256k1_fe (Pieter Wuille)
d7f39ae4b67ea1ac6f085e6262a5f53afc0c5a25 Delete gej_is_valid_var: unused outside tests (Pieter Wuille)
8bcd78cd791fd9209d72d6bce455c8d3cf2c0249 Make secp256k1_scalar_b32 detect overflow in scalar_low (Pieter Wuille)
c498366e5b2d9c60e2e677949cf7373dbe877515 Move exhaustive tests for recovery to module (Pieter Wuille)
be317915436909573733afe3972a9abdee9357f7 Make group order purely compile-time in exhaustive tests (Pieter Wuille)
Pull request description:
A few miscellaneous improvements:
* Just use EXHAUSTIVE_TEST_ORDER as order everywhere, rather than a variable
* Move exhaustive tests for recovery module to the recovery module directory
* Make `secp256k1_scalar_set_b32` detect overflow correctly for scalar_low (a comment in the recovery exhaustive test indicated why this was the case, but this looks incorrect).
* Change the small test groups so that they include a point with X coordinate 1.
* Initialize the RNG seed, allowing configurating from the cmdline, and report it.
* Permit changing the number of iterations (re-randomizing for each).
* Support splitting the work across cores from the cmdline.
And a big one:
* Add exhaustive tests for schnorrsig module (and limited ones for extrakeys).
ACKs for top commit:
real-or-random:
ACK
8b7dcdd955a4f57174f478e36bdae5b84784fb9c
jonasnick:
ACK
8b7dcdd955a4f57174f478e36bdae5b84784fb9c
Tree-SHA512: 18d7f362402085238faaced164c0ca34079717a477001fc0b13448b3529ea2ad705793a13b7a36f34bf12e9231fee11070f88cc51bfc2a83ca82aa13f7aaae71
Jonas Nick [Sat, 19 Sep 2020 08:47:33 +0000 (08:47 +0000)]
Merge #813: Enable configuring Valgrind support
412bf874d09517b559eba4f7addb4c181cc2780b configure: Allow specifying --with[out]-valgrind explicitly (Luke Dashjr)
Pull request description:
ACKs for top commit:
sipa:
ACK
412bf874d09517b559eba4f7addb4c181cc2780b . Tested by running configure on a system with and without valgrind, and with no argument, with `--with-valgrind`, and with `--without-valgrind`.
real-or-random:
ACK
412bf874d09517b559eba4f7addb4c181cc2780b
jonasnick:
ACK
412bf874d09517b559eba4f7addb4c181cc2780b
Tree-SHA512: 92417609751e5af813faff1661055cd37f3d00dbcf109a8f14f8ba59d9f3d620c9c6b67d2b1629b6ab75e2afcd47d2b3898a0427931567fb505bc92fa5ee3532
Jonas Nick [Sat, 19 Sep 2020 08:24:42 +0000 (08:24 +0000)]
Merge #819: Enable -Wundef warning
e73ff309221dcf677e861a49010b93dc6bb0ac48 Enable -Wundef warning (Tim Ruffing)
Pull request description:
ACKs for top commit:
practicalswift:
ACK
e73ff309221dcf677e861a49010b93dc6bb0ac48 -- patch looks correct
sipa:
ACK
e73ff309221dcf677e861a49010b93dc6bb0ac48
jonasnick:
ACK
e73ff309221dcf677e861a49010b93dc6bb0ac48
Tree-SHA512: 1f0d477e41f33276eceb5324162731ba8aacd8d6571d7020344206b31c7f48c31f6bccbed2ce3ffe2e8c13abf98db24d177521b6b36a3087b81b55a253559fe6
Pieter Wuille [Sat, 5 Sep 2020 01:58:25 +0000 (18:58 -0700)]
Add exhaustive test for extrakeys and schnorrsig
Pieter Wuille [Tue, 8 Sep 2020 01:23:52 +0000 (18:23 -0700)]
Make pubkey parsing test whether points are in the correct subgroup
Pieter Wuille [Sat, 5 Sep 2020 00:08:23 +0000 (17:08 -0700)]
Abstract out challenge computation in schnorrsig
Pieter Wuille [Thu, 10 Sep 2020 16:09:15 +0000 (09:09 -0700)]
Disable output buffering in tests_exhaustive.c
Pieter Wuille [Tue, 8 Sep 2020 23:27:04 +0000 (16:27 -0700)]
Support splitting exhaustive tests across cores
Pieter Wuille [Tue, 8 Sep 2020 20:59:02 +0000 (13:59 -0700)]
Give exhaustive_tests count and seed cmdline inputs
Pieter Wuille [Tue, 8 Sep 2020 20:40:26 +0000 (13:40 -0700)]
refactor: move RNG seeding to testrand
Pieter Wuille [Sun, 6 Sep 2020 23:46:41 +0000 (16:46 -0700)]
Change exhaustive test groups so they have a point with X=1
Pieter Wuille [Tue, 8 Sep 2020 17:20:31 +0000 (10:20 -0700)]
Select exhaustive lambda in function of order
Pieter Wuille [Sun, 6 Sep 2020 23:24:43 +0000 (16:24 -0700)]
Make the curve B constant a secp256k1_fe
Pieter Wuille [Mon, 7 Sep 2020 00:25:02 +0000 (17:25 -0700)]
Delete gej_is_valid_var: unused outside tests
Pieter Wuille [Sun, 6 Sep 2020 03:51:30 +0000 (20:51 -0700)]
Make secp256k1_scalar_b32 detect overflow in scalar_low
Pieter Wuille [Sat, 5 Sep 2020 01:15:40 +0000 (18:15 -0700)]
Move exhaustive tests for recovery to module
Pieter Wuille [Fri, 4 Sep 2020 20:27:28 +0000 (13:27 -0700)]
Make group order purely compile-time in exhaustive tests
Tim Ruffing [Fri, 18 Sep 2020 11:36:07 +0000 (13:36 +0200)]
Enable -Wundef warning
Tim Ruffing [Thu, 17 Sep 2020 11:29:55 +0000 (13:29 +0200)]
Add static assertion that uint32_t is unsigned int or wider
Jonas Nick [Tue, 15 Sep 2020 17:48:06 +0000 (17:48 +0000)]
Merge #782: Check if variable=yes instead of if var is set in travis.sh
34debf7a6d36bbd9a52e68e079ddfc446faf5bef Modify .travis.yml to explictly pass no in env vars instead of setting to nothing (Elichai Turkel)
ef37761feed0172baa03dd94c842f1547bdf3016 Change travis.sh to check if variables are equal to yes instead of not-empty. Before this, setting `VALGRIND=wat` was considered as true, and to make it evaluate as false you had to unset the variable `VALGRIND=` but not it checks if `VALGRIND=yes` and if it's not `yes` then it's evaluated to false (Elichai Turkel)
Pull request description:
ACKs for top commit:
real-or-random:
ACK
34debf7a6d36bbd9a52e68e079ddfc446faf5bef
jonasnick:
ACK
34debf7a6d36bbd9a52e68e079ddfc446faf5bef
Tree-SHA512: 91becfbc9cb7587ee55b2bceb604ea0aed8860990d63a5f414b11db92180c090ea8bcc048c2fb67a094e892138e3be46f00562bf78b7c3369232457289cde447
Luke Dashjr [Sat, 12 Sep 2020 19:15:56 +0000 (19:15 +0000)]
configure: Allow specifying --with[out]-valgrind explicitly
Elichai Turkel [Mon, 14 Sep 2020 15:02:25 +0000 (18:02 +0300)]
Modify .travis.yml to explictly pass no in env vars instead of setting to nothing
Tim Ruffing [Sun, 13 Sep 2020 20:45:23 +0000 (22:45 +0200)]
Merge #814: tests: Initialize random group elements fully
5738e8622d8ba02caa984425c23c072a3f14352c tests: Initialize random group elements fully (Tim Ruffing)
Pull request description:
Also fix add a missing comment.
ACKs for top commit:
sipa:
utACK
5738e8622d8ba02caa984425c23c072a3f14352c
Tree-SHA512: c7723e225434e7044379f307b2977a3a5251080793bd87b377a2bbf1d18b39ca05f6fb3b427acec32c3b34f4de678fe7087a2dcca4b5f03ec1fc680a88d82b9a
Tim Ruffing [Sun, 13 Sep 2020 09:27:15 +0000 (11:27 +0200)]
tests: Initialize random group elements fully
Jonas Nick [Sat, 12 Sep 2020 11:38:24 +0000 (11:38 +0000)]
Merge #812: travis: run bench_schnorrsig
a51f2af62bde6e169499308e01ef768c09dd8127 travis: run bench_schnorrsig (Jonas Nick)
Pull request description:
ACKs for top commit:
sipa:
ACK
a51f2af62bde6e169499308e01ef768c09dd8127
elichai:
ACK
a51f2af62bde6e169499308e01ef768c09dd8127
Tree-SHA512: dfe68090fc60cba3cf2ff2f459f8ee47c4de65d28aee64310a7f7d54667daea5e82b907742445fa76b95cc2e67d57605dd260080919d8b805704784618745e29
Jonas Nick [Fri, 11 Sep 2020 22:04:04 +0000 (22:04 +0000)]
travis: run bench_schnorrsig
Tim Ruffing [Fri, 11 Sep 2020 19:22:51 +0000 (21:22 +0200)]
Merge #558: Add schnorrsig module which implements BIP-340 compliant signatures
f431b3f28ac95a3645ad5a6dc96b878fa30a1de3 valgrind_ctime_test: Add schnorrsig_sign (Jonas Nick)
16ffa9d97cef93f49544b016339c107882f9a1c3 schnorrsig: Add taproot test case (Jonas Nick)
8dfd53ee3fa059562483d1867815f78b9e00d947 schnorrsig: Add benchmark for sign and verify (Jonas Nick)
4e43520026f5bcd182d21f0759bac159ef47bb62 schnorrsig: Add BIP-340 compatible signing and verification (Jonas Nick)
7332d2db6b62fda851f9ed8adbfda187a875b84e schnorrsig: Add BIP-340 nonce function (Jonas Nick)
7a703fd97db0161bae07ef84513ddde6e0d27353 schnorrsig: Init empty experimental module (Jonas Nick)
eabd9bc46a31c0da6db6d88840eadbe9006447b1 Allow initializing tagged sha256 (Jonas Nick)
6fcb5b845d2832ce019d60507033f74426290768 extrakeys: Add keypair_xonly_tweak_add (Jonas Nick)
58254463f9a2e96d893157a341c9953c440fdf60 extrakeys: Add keypair struct with create, pub and pub_xonly (Jonas Nick)
f0010349b876bc6b3f0a6ec6c8bad0b12ca17b51 Separate helper functions for pubkey_create and seckey_tweak_add (Jonas Nick)
910d9c284c33b77774a9316d4524f313357d441c extrakeys: Add xonly_pubkey_tweak_add & xonly_pubkey_tweak_add_test (Jonas Nick)
176bfb1110147b5dca1834ea071acc846fb1cab3 Separate helper function for ec_pubkey_tweak_add (Jonas Nick)
4cd2ee474d178bd1b5602486104db346a7562c67 extrakeys: Add xonly_pubkey with serialize, parse and from_pubkey (Jonas Nick)
47e6618e11813cfabe91f0909ca031f960cb7dd4 extrakeys: Init empty experimental module (Jonas Nick)
3e08b02e2a78f2a1fc457efab665db8ab8085373 Make the secp256k1_declassify argument constant (Jonas Nick)
Pull request description:
This PR implements signing, verification and batch verification as described in [BIP-340](https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki) in an experimental module named `schnorrsig`. It includes the test vectors and a benchmarking tool.
This PR also adds a module `extrakeys` that allows [BIP-341](https://github.com/bitcoin/bips/blob/master/bip-0341.mediawiki)-style key tweaking.
(Adding ChaCha20 as a CSPRNG and batch verification was moved to PR #760).
In order to enable the module run `./configure` with `--enable-experimental --enable-module-schnorrsig`.
Based on apoelstra's work.
ACKs for top commit:
gmaxwell:
ACK
f431b3f28ac95a3645ad5a6dc96b878fa30a1de3 (exactly matches the previous post-fixup version which I have already reviewed and tested)
sipa:
ACK
f431b3f28ac95a3645ad5a6dc96b878fa30a1de3
real-or-random:
ACK
f431b3f28ac95a3645ad5a6dc96b878fa30a1de3 careful code review
Tree-SHA512: e15e849c7bb65cdc5d7b1d6874678e275a71e4514de9d5432ec1700de3ba92aa9f381915813f4729057af152d90eea26aabb976ed297019c5767e59cf0bbc693
Jonas Nick [Thu, 10 Sep 2020 11:37:53 +0000 (11:37 +0000)]
Merge #797: Fix Jacobi benchmarks and other benchmark improvements
cb5524adc589d3ae5066a1aa2f818bbfb91d0b1d Add benchmark for secp256k1_ge_set_gej_var (Pieter Wuille)
5c6af60ec5f1f4bc7883737ba34dd1789f1e9bd8 Make jacobi benchmarks vary inputs (Pieter Wuille)
d0fdd5f00969861ebe3e48d39be6d5f706b9b17c Randomize the Z coordinates in bench_internal (Pieter Wuille)
c7a3424c5f45a538ef141402a653b038e050a1ac Rename bench_internal variables (Pieter Wuille)
Pull request description:
ACKs for top commit:
real-or-random:
ACK
cb5524adc589d3ae5066a1aa2f818bbfb91d0b1d
jonasnick:
ACK
cb5524adc589d3ae5066a1aa2f818bbfb91d0b1d
Tree-SHA512: 0cbcfffebebf563cf9a1bd951394a0419503ffd43a2d0df4c99e4a839c89c8454925314f7e7eee0c01bce94b6dfeab935f36cc27f9bfc878f702313d455db7e1
Pieter Wuille [Tue, 11 Aug 2020 18:30:16 +0000 (11:30 -0700)]
Add benchmark for secp256k1_ge_set_gej_var
Pieter Wuille [Tue, 11 Aug 2020 18:25:50 +0000 (11:25 -0700)]
Make jacobi benchmarks vary inputs
Pieter Wuille [Tue, 11 Aug 2020 18:02:16 +0000 (11:02 -0700)]
Randomize the Z coordinates in bench_internal
Pieter Wuille [Tue, 11 Aug 2020 17:50:01 +0000 (10:50 -0700)]
Rename bench_internal variables
Tim Ruffing [Wed, 9 Sep 2020 14:00:12 +0000 (16:00 +0200)]
Merge #699: Initialize field elements when resulting in infinity
47a7b8382fd6f1458d859b315cf3bcd3b9790b68 Clear field elements when writing infinity (Elichai Turkel)
61d1ecb02847be9d65ffe9df2d2408d85f3a0711 Added test with additions resulting in infinity (Elichai Turkel)
Pull request description:
Currently if `secp256k1_gej_add_var` / `secp256k1_gej_add_ge_var` /` secp256k1_gej_add_zinv_var` receive `P + (-P)` it will set `gej->infinity = 1` but doesn't call initialize the field elements.
Notice that this is the only branch in the function that results in an uninitialized output.
By using `secp256k1_gej_set_infinity()` it will set the field elements to zero while also setting the infinity flag.
I also added a test that fails with valgrind on current master but passes with the fix.
EDIT: This isn't a bug or something necessary, I just personally found this helpful.
ACKs for top commit:
real-or-random:
ACK
47a7b8382fd6f1458d859b315cf3bcd3b9790b68
Tree-SHA512: cdc2efc242a1b04b4f081183c07d4b2602cdba705e6b30b548df4e115e54fb97691f4b1a28f142f02d5e523c020721337a297b17d732acde147b910f5c53bd0a
Tim Ruffing [Wed, 9 Sep 2020 13:54:16 +0000 (15:54 +0200)]
Merge #799: Add fallback LE/BE for architectures with known endianness + SHA256 selftest
8bc6aeffa9a191e677cb9e3a22fff130f16990f3 Add SHA256 selftest (Pieter Wuille)
5e5fb28b4a45d7e35e55b5f5feead2be07bccc28 Use additional system macros to figure out endianness (Pieter Wuille)
Pull request description:
These are all the architecture macros I could find with known endianness. Use those as a fallback when __BYTE_ORDER__ isn't available.
See https://github.com/bitcoin-core/secp256k1/pull/787#issuecomment-
673764652
It also adds a SHA256 selftest, so that improperly overriding the endianness detection will be detected at runtime.
ACKs for top commit:
real-or-random:
ACK
8bc6aeffa9a191e677cb9e3a22fff130f16990f3 I read the diff, and tested that the self-test passes/fails with/without the correct endianness setting
gmaxwell:
ACK
8bc6aeffa9a191e677cb9e3a22fff130f16990f3 looks good and I also ran the tests on MIPS-BE and verified that forcing it to LE makes the runtime test fail.
Tree-SHA512: aca4cebcd0715dcf5b58f5763cb4283af238987f43bd83a650e38e127f348131692b2eed7ae5b2ae96046d9b971fc77c6ab44467689399fe470a605c3458ecc5
Jonas Nick [Thu, 12 Mar 2020 20:05:07 +0000 (20:05 +0000)]
valgrind_ctime_test: Add schnorrsig_sign
Jonas Nick [Thu, 14 Nov 2019 13:34:51 +0000 (13:34 +0000)]
schnorrsig: Add taproot test case
Jonas Nick [Tue, 12 May 2020 21:24:38 +0000 (21:24 +0000)]
schnorrsig: Add benchmark for sign and verify
Jonas Nick [Tue, 12 May 2020 16:17:59 +0000 (16:17 +0000)]
schnorrsig: Add BIP-340 compatible signing and verification
Jonas Nick [Tue, 12 May 2020 21:23:22 +0000 (21:23 +0000)]
schnorrsig: Add BIP-340 nonce function
Jonas Nick [Tue, 12 May 2020 21:19:03 +0000 (21:19 +0000)]
schnorrsig: Init empty experimental module
Jonas Nick [Thu, 14 Nov 2019 13:53:46 +0000 (13:53 +0000)]
Allow initializing tagged sha256
Jonas Nick [Wed, 22 Jul 2020 09:09:34 +0000 (09:09 +0000)]
extrakeys: Add keypair_xonly_tweak_add
Jonas Nick [Tue, 12 May 2020 14:52:34 +0000 (14:52 +0000)]
extrakeys: Add keypair struct with create, pub and pub_xonly
Jonas Nick [Tue, 12 May 2020 14:43:48 +0000 (14:43 +0000)]
Separate helper functions for pubkey_create and seckey_tweak_add
Jonas Nick [Tue, 12 May 2020 14:49:12 +0000 (14:49 +0000)]
extrakeys: Add xonly_pubkey_tweak_add & xonly_pubkey_tweak_add_test
Jonas Nick [Tue, 12 May 2020 14:45:22 +0000 (14:45 +0000)]
Separate helper function for ec_pubkey_tweak_add
Jonas Nick [Tue, 12 May 2020 14:40:28 +0000 (14:40 +0000)]
extrakeys: Add xonly_pubkey with serialize, parse and from_pubkey
Tim Ruffing [Wed, 2 Sep 2020 00:21:17 +0000 (02:21 +0200)]
Merge #806: Trivial: Add test logs to gitignore
bceefd6547635132ba17f022a52db18f17e00df6 Add test logs to gitignore (Jake Rawsthorne)
Pull request description:
Was just running the tests for https://github.com/bitcoin-core/secp256k1/pull/558 and noticed these logs weren't ignored
ACKs for top commit:
real-or-random:
ACK https://github.com/bitcoin-core/secp256k1/pull/806/commits/
bceefd6547635132ba17f022a52db18f17e00df6
sipa:
ACK
bceefd6547635132ba17f022a52db18f17e00df6
Tree-SHA512: 690906bc80abc547e1ef78d8654900c2f4054fd8cb8c2e0a6f6b95a5875930b8e1e3a69a5dca86b198e4a2601788f584c8b2ff6f5a85da230b12954e07aeff37
Tim Ruffing [Wed, 2 Sep 2020 00:19:16 +0000 (02:19 +0200)]
Merge #648: Prevent ints from wrapping around in scratch space functions
60f7f2de5de917c2bee32a4cd79cc3818b6a94a0 Don't assume that ALIGNMENT > 1 in tests (Tim Ruffing)
ada6361dece4265823478e0019a8c196e9285a26 Use ROUND_TO_ALIGN in scratch_create (Jonas Nick)
8ecc6ce50ead28a0b8bab2f1fb18a58ee5204a13 Add check preventing rounding to alignment from wrapping around in scratch_alloc (Jonas Nick)
4edaf06fb02a9ac9cd115e0c967bb0ef35cae01d Add check preventing integer multiplication wrapping around in scratch_max_allocation (Jonas Nick)
Pull request description:
This PR increases the general robustness of scratch spaces. It does not fix an existing vulnerability because scratch spaces aren't used anywhere in master. Additionally, it must be prevented anyway that an attacker has (indirect) control over the arguments touched in this PR.
ACKs for top commit:
sipa:
ACK
60f7f2de5de917c2bee32a4cd79cc3818b6a94a0
Tree-SHA512: ecdd794b55a01d1d6d24098f3abff34cb8bb6f33737ec4ec93714aa631c9d397b213cc3603a916ad79f4b09d6b2f8973bf87fc07b81b25a530cc72c4dbafaba9
Tim Ruffing [Tue, 1 Sep 2020 08:45:28 +0000 (10:45 +0200)]
Merge #805: Remove the extremely outdated TODO file.
1c325199d590e018cdfb5ea2ab541774009bf7f7 Remove the extremely outdated TODO file. (Gregory Maxwell)
Pull request description:
This had two things in it-- tests for the scalar/field code and
constant time signing and keygen.
The signing and keygen have been thoroughly constant time for years
and there are now powerful tests to verify it... no further work
on constant-time is needed at least on ordinary platforms (other
sidechannels-- sure).
The scalar and field code have extensive tests. They could use
better static test vectors but they're well tested.
TODOs for the project are currently better documented on github
right now. This file could return in the future with current
info, if needed.
ACKs for top commit:
real-or-random:
ACK https://github.com/bitcoin-core/secp256k1/pull/805/commits/
1c325199d590e018cdfb5ea2ab541774009bf7f7
Tree-SHA512: 65c730ad2816b28991cdb74df6da4671abe76a74a0d0b306f13612b4bbe9b54f9a623b18fc288e0ec13572d9fdbab6f376ce7aafc9fe601644239629b84fb15c
Jake Rawsthorne [Mon, 31 Aug 2020 23:35:47 +0000 (00:35 +0100)]
Add test logs to gitignore
Gregory Maxwell [Mon, 31 Aug 2020 23:11:41 +0000 (23:11 +0000)]
Remove the extremely outdated TODO file.
Jonas Nick [Tue, 12 May 2020 13:58:47 +0000 (13:58 +0000)]
extrakeys: Init empty experimental module
Jonas Nick [Mon, 30 Mar 2020 14:51:38 +0000 (14:51 +0000)]
Make the secp256k1_declassify argument constant
Pieter Wuille [Mon, 17 Aug 2020 20:48:22 +0000 (13:48 -0700)]
Add SHA256 selftest
Tim Ruffing [Sun, 16 Aug 2020 10:01:05 +0000 (12:01 +0200)]
Merge #798: Check assumptions on integer implementation at compile time
7c068998bac3e4a254d8542458b2068e38fca435 Compile-time check assumptions on integer types (Pieter Wuille)
02b6c87b52dbac1557b689ab2ebc8b91d67fd0f3 Add support for (signed) __int128 (Pieter Wuille)
Pull request description:
A compile-time check is implemented in a new `src/assumptions.h` which verifies several aspects that are implementation-defined in C:
* size of bytes
* conversion between unsigned and (negative) signed types
* right-shifts of negative signed types.
ACKs for top commit:
gmaxwell:
ACK
7c068998bac3e4a254d8542458b2068e38fca435
real-or-random:
ACK
7c068998bac3e4a254d8542458b2068e38fca435 code review and tested
Tree-SHA512: 3903251973681c88d64d4af0f6cb40fde11eb436804c5b6202c3715b78b1a48bcb287f601b394fd0b503437e3832ba011885e992fe65098b33edc430d9b1f67d
Pieter Wuille [Fri, 14 Aug 2020 18:49:34 +0000 (11:49 -0700)]
Use additional system macros to figure out endianness
Pieter Wuille [Wed, 12 Aug 2020 22:52:20 +0000 (15:52 -0700)]
Compile-time check assumptions on integer types
Pieter Wuille [Thu, 13 Aug 2020 00:41:08 +0000 (17:41 -0700)]
Add support for (signed) __int128
Tim Ruffing [Thu, 13 Aug 2020 10:25:29 +0000 (12:25 +0200)]
Merge #787: Use preprocessor macros instead of autoconf to detect endianness
0dccf98a21beb245f6cd9ed76fb7368529df09c7 Use preprocessor macros instead of autoconf to detect endianness (Tim Ruffing)
Pull request description:
This does not fix any particular issue but it's preferable to not
rely on autoconf. This avoids endianness mess for users on BE hosts
if they use their build without autoconf.
The macros are carefully written to err on the side of the caution,
e.g., we #error if the user manually configures a different endianness
than what we detect.
Supersedes #770 .
ACKs for top commit:
sipa:
ACK
0dccf98a21beb245f6cd9ed76fb7368529df09c7
gmaxwell:
ACK
0dccf98a21beb245f6cd9ed76fb7368529df09c7
Tree-SHA512: 6779458de5cb6eaef2ac37f9d4b8fa6c9b299f58f6e5b72f2b0d7e36c12ea06074e483acfb85085a147e0f4b51cd67d897f61a67250ec1cea284a0f7680eb2e8
Tim Ruffing [Wed, 12 Aug 2020 13:24:06 +0000 (15:24 +0200)]
Merge #793: Make scalar/field choice depend on C-detected __int128 availability
79f1f7a4f123765cf07be92ae894d882c5845191 Autodetect __int128 availability on the C side (Pieter Wuille)
0d7727f95e52d99c13f55c64e9d1f799ba7d7967 Add SECP256K1_FE_STORAGE_CONST_GET to 5x52 field (Pieter Wuille)
Pull request description:
This PR does two things:
* It removes the ability to select the 5x52 field with a 8x32 scalar, or the 10x26 field with a 4x64 scalar. It's both 128-bit wide versions, or neither.
* The choice is made automatically by the C code, unless overridden by a USE_FORCE_WIDEMUL_INT{64,128} define (which is available through `configure` with a hidden option --with-test-override-wide-multiplication={auto,int64,int128}).
This reduces the reliance on autoconf for this performance-critical configuration option, and also reduces the number of different combinations to test.
This removes one theoretically useful combination: if you had x86_64 asm but no __int128 support in your compiler, it was possible to use the 64-bit field before but the 32-bit scalar. I think this doesn't matter as all compilers/systems that support (our) x86_64 asm also support __int128. Furthermore, #767 will break this.
As an unexpected side effect, this also means the `gen_context` static precomputation tool will now use __int128 based implementations when available (which required an addition to the 5x52 field; see first commit).
ACKs for top commit:
real-or-random:
ACK
79f1f7a4f123765cf07be92ae894d882c5845191 diff looks good and tests pass
elichai:
tACK
79f1f7a4f123765cf07be92ae894d882c5845191
Tree-SHA512: 4171732668e5c9cae5230e3a43dd6df195567e1232b89c12c5db429986b6519bb4d77334cb0bac8ce13a00a24dfffdff69b46c89b4d59bc6d297a996ea4efd3d
Tim Ruffing [Tue, 21 Jul 2020 12:05:56 +0000 (14:05 +0200)]
Use preprocessor macros instead of autoconf to detect endianness
Tim Ruffing [Tue, 11 Aug 2020 09:20:23 +0000 (11:20 +0200)]
Merge #795: Avoid linking libcrypto in the valgrind ct test.
57d3a3c64cf3d435d5d45e323cf9cbe21da8c6cf Avoid linking libcrypto in the valgrind ct test. (Gregory Maxwell)
Pull request description:
Libcrypto isn't useful here and on some systems UB in OpenSSL's
init causes failures.
Fixes #775.
ACKs for top commit:
real-or-random:
ACK
57d3a3c64cf3d435d5d45e323cf9cbe21da8c6cf
elichai:
tACK
57d3a3c64cf3d435d5d45e323cf9cbe21da8c6cf
Tree-SHA512: 0b10b3e9cc0871a9a93271c72be9d1663ea163745071cb4951a99664c048ab5b6f46bb7cff36e7000e8fb26df7ee164f536f61210bece376478f9f774f34e83d
Gregory Maxwell [Mon, 10 Aug 2020 22:13:43 +0000 (22:13 +0000)]
Avoid linking libcrypto in the valgrind ct test.
Pieter Wuille [Sun, 9 Aug 2020 17:58:40 +0000 (10:58 -0700)]
Autodetect __int128 availability on the C side
Pieter Wuille [Mon, 10 Aug 2020 21:32:28 +0000 (14:32 -0700)]
Add SECP256K1_FE_STORAGE_CONST_GET to 5x52 field
Tim Ruffing [Fri, 7 Aug 2020 10:50:43 +0000 (12:50 +0200)]
Merge #696: Run a Travis test on s390x (big endian)
39295362cfc856aae1c37cc1194c2f6d53fd6f25 Test travis s390x (big endian) (Pieter Wuille)
Pull request description:
ACKs for top commit:
real-or-random:
ACK
39295362cfc856aae1c37cc1194c2f6d53fd6f25 Travis works and says it's big endian
Tree-SHA512: 939b98fe369e575e8bf56899a28cb5aafdb9ccfaaee3cb611027e053edc8220d2787c34359cd01508899b8b7e105c89853a4ab44c382252538c797d00c09345b
Pieter Wuille [Wed, 29 Jul 2020 00:41:07 +0000 (17:41 -0700)]
Test travis s390x (big endian)
Elichai Turkel [Thu, 30 Jul 2020 08:18:07 +0000 (11:18 +0300)]
Change travis.sh to check if variables are equal to yes instead of
Tim Ruffing [Wed, 29 Jul 2020 13:18:30 +0000 (15:18 +0200)]
Merge #778: secp256k1_gej_double_nonzero supports infinity
18d36327fddad18ba81af2cf7fe6c8a16952dc22 secp256k1_gej_double_nonzero supports infinity (Pieter Wuille)
Pull request description:
Our existing function `secp256k1_gej_double_nonzero` actually supports infinity if only it wouldn't check that the input isn't infinity.
Drop the check, rename it to `secp256k1_gej_double`, and adapt the tests.
ACKs for top commit:
real-or-random:
ACK
18d36327fddad18ba81af2cf7fe6c8a16952dc22 I looked at the diff and ran tests locally
gmaxwell:
ACK
18d36327fddad18ba81af2cf7fe6c8a16952dc22
Tree-SHA512: 79dc42099c318f0bdfe7961495ab3fbbe87551c3cc373557a371914bb65638b129ddfd360e694959349f184e2d71a540abdbef04211e7eb70ee17b691632b915
Jonas Nick [Wed, 29 Jul 2020 13:06:12 +0000 (13:06 +0000)]
Merge #779: travis: Fix argument quoting for ./configure
9e49a9b2552b7b865ebc43cfd13c9767de65cb4b travis: Fix argument quoting for ./configure (Tim Ruffing)
Pull request description:
ACKs for top commit:
jonasnick:
ACK
9e49a9b2552b7b865ebc43cfd13c9767de65cb4b
Tree-SHA512: 53efa7134de978912d604bc9685bc779f98e2d72e5f77636595676aa420c04fc934a6bb9d560d74b58197943ab86708d3b913e79bc3dfb856681b26dda8724b3
Tim Ruffing [Wed, 29 Jul 2020 06:50:42 +0000 (08:50 +0200)]
travis: Fix argument quoting for ./configure
Pieter Wuille [Wed, 29 Jul 2020 01:12:14 +0000 (18:12 -0700)]
secp256k1_gej_double_nonzero supports infinity
Tim Ruffing [Tue, 28 Jul 2020 14:10:58 +0000 (16:10 +0200)]
Merge #772: Improve constant-timeness on PowerPC
67a429f31fd3d1b37c5365cc58b70588b8645d62 Suppress a harmless variable-time optimization by clang in _int_cmov (Tim Ruffing)
5b196338f0c8dc07bf0eece37b46d8686c4da3ce Remove redundant "? 1 : 0" after comparisons in scalar code (Tim Ruffing)
Pull request description:
Attempt at resolving #771 .
This surprisingly seems to improve the situation at least for the compilers available on godbolt.
ACKs for top commit:
gmaxwell:
ACK
67a429f31fd3d1b37c5365cc58b70588b8645d62
elichai:
tACK
67a429f31fd3d1b37c5365cc58b70588b8645d62
Tree-SHA512: ee8b0c86831ec8c3d5a9abcad773ed8a0f267e5c47012e4e1423b10a64c26b4cf6e3c466c3df765ba7e636787a3fe134d633926d67b599287f12c51be924f478
Tim Ruffing [Tue, 28 Jul 2020 10:34:35 +0000 (12:34 +0200)]
Merge #774: tests: Abort if malloc() fails during context cloning tests
2e1b9e0458317d03b682c1f5dd63aedb52c86b04 tests: Abort if malloc() fails during context cloning tests (Tim Ruffing)
Pull request description:
Found by the clang static analyzer.
This is the worst true positive that it found. I feel somewhat proud.
ACKs for top commit:
elichai:
tACK
2e1b9e0458317d03b682c1f5dd63aedb52c86b04
Tree-SHA512: bf9a3b6c2b8beaafd230ece00a9a69dd884a35b6d2243502ebfded3f77a454e80ef922791bd48c17aa4814a275550957071c045912080a616dd5ed704a70aab7
Tim Ruffing [Mon, 27 Jul 2020 11:43:28 +0000 (13:43 +0200)]
tests: Abort if malloc() fails during context cloning tests
Tim Ruffing [Mon, 27 Jul 2020 12:35:05 +0000 (14:35 +0200)]
Suppress a harmless variable-time optimization by clang in _int_cmov
Follow up on
52a03512c1d800603b5c923c1a28bdba12dadb30
Tim Ruffing [Fri, 24 Jul 2020 22:28:10 +0000 (00:28 +0200)]
Remove redundant "? 1 : 0" after comparisons in scalar code
Tim Ruffing [Sun, 26 Jul 2020 10:18:17 +0000 (12:18 +0200)]
Merge #741: Remove unnecessary sign variable from wnaf_const
37dba329c6cb0f7a4228a11dc26aa3a342a3a5d0 Remove unnecessary sign variable from wnaf_const (Jonas Nick)
6bb0b77e158fc2f9e56e4b65b08bcb660d4c588b Fix test_constant_wnaf for -1 and add a test for it. (Jonas Nick)
Pull request description:
There currently is a single branch in the `ecmul_const` function that is not being exercised by the tests. This branch is unreachable and therefore I'm suggesting to remove it.
For your convenience the paper the wnaf algorithm can be found [here (The Width-w NAF Method Provides Small Memory and Fast Elliptic Scalar Multiplications Secure against Side Channel Attacks)](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.563.1267&rep=rep1&type=pdf). Similarly, unless I'm missing something important, I don't see how their algorithm needs to consider `sign(u[i-1])` unless `d` can be negative - which doesn't make much sense to me either.
ACKs for top commit:
real-or-random:
ACK
37dba329c6cb0f7a4228a11dc26aa3a342a3a5d0 I verified the correctness of the change and claimed invariant by manual inspection. I tested the code, both with 32bit and 64bit scalars.
Tree-SHA512: 9db45f76bd881d00a81923b6d2ae1c3e0f49a82a5d55347f01e1ce4e924d9a3bf55483a0697f25039c327e33edca6796ba3205c068d9f2f99aa5d655e46b15be
Tim Ruffing [Sun, 26 Jul 2020 09:05:08 +0000 (11:05 +0200)]
Merge #773: Fix some compile problems on weird/old compilers.
1309c03c45beece646a7d21fdb6a0e3d38adee2b Fix some compile problems on weird/old compilers. (Gregory Maxwell)
Pull request description:
The visibility attribute is a GCC 4+ feature.
GCC 2.95 also warns about the unsigned/signed comparision.
ACKs for top commit:
real-or-random:
ACK
1309c03c45beece646a7d21fdb6a0e3d38adee2b I inspected the diff
Tree-SHA512: b5a5175416b67b2619f68ad82a208052ad678955e59c2f3457799abd1dd6fd817c40f6bc2941b2bda207c6f58ad0fbe46221a2f92b726e824702c4c0b177377c
Gregory Maxwell [Sun, 26 Jul 2020 05:25:14 +0000 (05:25 +0000)]
Fix some compile problems on weird/old compilers.
Jonas Nick [Tue, 21 Jul 2020 19:12:43 +0000 (19:12 +0000)]
Merge #769: Undef HAVE___INT128 in basic-config.h to fix gen_context compilation
22e578bb11fe62d3e8ac05b5278a076bf7f2fa2e Undef HAVE___INT128 in basic-config.h to fix gen_context compilation (Tim Ruffing)
Pull request description:
ACKs for top commit:
jonasnick:
ACK
22e578bb11fe62d3e8ac05b5278a076bf7f2fa2e
Tree-SHA512: 91e11c3feade13923a01c30025b7f01d0cb6d7d88cd7a19d490373d2fb4552f2ca1ab0d9138096268999bcbfd51ef3c9af64ec8ab0dc8ee2fa60be16d2b5af64
Tim Ruffing [Tue, 21 Jul 2020 09:09:23 +0000 (11:09 +0200)]
Undef HAVE___INT128 in basic-config.h to fix gen_context compilation
Jonas Nick [Mon, 29 Jun 2020 08:38:20 +0000 (08:38 +0000)]
Merge #765: remove dead store in ecdsa_signature_parse_der_lax
f00d6575ca0dcca11e085b20afa4d73dc8742ddc remove dead store in ecdsa_signature_parse_der_lax (fanquake)
Pull request description:
ACKs for top commit:
elichai:
utACK
f00d6575ca0dcca11e085b20afa4d73dc8742ddc , it does look like we don't use that assignment
jonasnick:
ACK
f00d6575ca0dcca11e085b20afa4d73dc8742ddc
Tree-SHA512: 9aa54c901f299341c309411b0247720f5152a131dd346c19be7ee21865e3a822e8cf91b869e28ef6288adaf31660bc2e18874e304052468a9be6b7027674af30
fanquake [Mon, 29 Jun 2020 05:17:24 +0000 (13:17 +0800)]
remove dead store in ecdsa_signature_parse_der_lax
This change was made in bitcoin/bitcoin without upstreaming. So this is
a followup to the comment here:
https://github.com/bitcoin/bitcoin/pull/19228#issuecomment-
641795558 .
See also: https://github.com/bitcoin/bitcoin/pull/11073.
Tim Ruffing [Mon, 15 Jun 2020 14:00:10 +0000 (16:00 +0200)]
Merge #759: Fix uninitialized variables in ecmult_multi test
2e7fc5b5372067ecd33b2304e8c88ed6de98ff13 Fix uninitialized variables in ecmult_multi test (Jonas Nick)
Pull request description:
Fixes #756
ACKs for top commit:
real-or-random:
ACK
2e7fc5b5372067ecd33b2304e8c88ed6de98ff13 I inspected the diff. I did not test it and I did not check whether if makes the warning go away
elichai:
tACK
2e7fc5b5372067ecd33b2304e8c88ed6de98ff13
Tree-SHA512: 674400134f5487236f5b6e8b3020b346d43662511628cdf6dd1bd7ba1de985bf93f5be11f5650f250ff37b5f87eb4b01d90ed53d41193c05a420d3f5a2d63470
Jonas Nick [Mon, 15 Jun 2020 09:02:14 +0000 (09:02 +0000)]
Fix uninitialized variables in ecmult_multi test
Tim Ruffing [Mon, 8 Jun 2020 13:44:06 +0000 (15:44 +0200)]
Merge #755: Recovery signing: add to constant time test, and eliminate non ct operators
28609507e70a172dd8f39de4aa55f851452fc0b4 Add tests for the cmov implementations (Elichai Turkel)
73596a85a2ab9c885e58a7a2a8876355a6ae68e4 Add ecdsa_sign_recoverable to the ctime tests (Elichai Turkel)
2876af4f8da952e39c06bc229d68cd4892ea2c85 Split ecdsa_sign logic into a new function and use it from ecdsa_sign and recovery (Elichai Turkel)
Pull request description:
Hi,
The recovery module was overlooked in #708 and #710, so this adds it to the `valgrind_ctime_test` and replaces the secret dependent branching with the cmovs,
I created a new function `secp256k1_ecdsa_sign_inner` (feel free to bikeshed) which does the logic both for ecdsa_sign and for ecdsa_sign_recoverable, such that next time when things get changed/improved in ecdsa it will affect the recoverable signing too.
ACKs for top commit:
jonasnick:
ACK
28609507e70a172dd8f39de4aa55f851452fc0b4
real-or-random:
ACK
28609507e70a172dd8f39de4aa55f851452fc0b4 read the diff, tested with valgrind including ctime tests
Tree-SHA512: 4730301dcb62241d79f18eb8fed7e9ab0e20d1663a788832cb6cf4126baa7075807dc31896764b6f82d52742fdb636abc6b75e4344c6f117305904c628a5ad59
Elichai Turkel [Sun, 31 May 2020 11:14:05 +0000 (14:14 +0300)]
Add tests for the cmov implementations
Elichai Turkel [Tue, 26 May 2020 21:38:46 +0000 (00:38 +0300)]
Add ecdsa_sign_recoverable to the ctime tests
Elichai Turkel [Tue, 26 May 2020 21:37:59 +0000 (00:37 +0300)]
Split ecdsa_sign logic into a new function and use it from ecdsa_sign and recovery
Tim Ruffing [Tue, 2 Jun 2020 16:03:42 +0000 (18:03 +0200)]
Merge #754: Fix uninit values passed into cmov
f79a7adcf555ccc78b591850ea15c64fbfbca152 Add valgrind uninit check to cmovs output (Elichai Turkel)
a39c2b09de304b8f24716b59219ae37c2538c242 Fixed UB(arithmetics on uninit values) in cmovs (Elichai Turkel)
Pull request description:
This should fix #753.
Used @peterdettman's solution here for the `ECMULT_CONST_TABLE_GET_GE` https://github.com/bitcoin-core/secp256k1/issues/753#issuecomment-
631316091
and in ecdsa_sign I initialize `s` and `r` to a zero scalar.
The second commit adds a valgrind check to the cmovs that could've caught this (in ecdsa_sign, not in ecmult_const because there's a scalar clear there under `VERIFY_SETUP`)
ACKs for top commit:
sipa:
utACK
f79a7adcf555ccc78b591850ea15c64fbfbca152
jonasnick:
ACK
f79a7adcf555ccc78b591850ea15c64fbfbca152
real-or-random:
ACK
f79a7adcf555ccc78b591850ea15c64fbfbca152
Tree-SHA512: 6fd7b7c84f392bda733a973f4dcfc12bf1478aac2591e2c87b69e637847d3b063c4243cc8feccaffc3a5824c18183a5e66bd4251c2322abaf63bb6439b38defe
Elichai Turkel [Wed, 20 May 2020 12:12:09 +0000 (15:12 +0300)]
Add valgrind uninit check to cmovs output
Tim Ruffing [Fri, 22 May 2020 11:30:25 +0000 (13:30 +0200)]
Merge #752: autoconf: Use ":" instead of "dnl" as a noop
5e8747ae2a0c915d079837d238f8b84841a4ce5c autoconf: Use ":" instead of "dnl" as a noop (Tim Ruffing)
Pull request description:
Fixes #424.
Top commit has no ACKs.
Tree-SHA512: a83664afbc6ca1254c4767161bfbec82f3489a8a248ba7a5a46ed9ec2a39232cf92f504accadd4dbb1a6ea4791dbf7f0e1f030e51f02f49eb9a38a2e509ee6c2
Elichai Turkel [Wed, 20 May 2020 12:09:13 +0000 (15:09 +0300)]
Fixed UB(arithmetics on uninit values) in cmovs
Jonas Nick [Mon, 18 May 2020 19:38:41 +0000 (19:38 +0000)]
Merge #750: Add macOS to the CI
71757da5ccece100b1eca6c70b4d87e2542cff97 Explictly pass SECP256K1_BENCH_ITERS to the benchmarks in travis.sh (Elichai Turkel)
99bd661d71fe17be7b3de4707a0264c41a63ebe8 Replace travis_wait with a loop printing "\a" to stdout every minute (Elichai Turkel)
bc818b160cdaaccff2162206cc15915fa5f0cca8 Bump travis Ubuntu from xenial(16.04) to bionic(18.04) (Elichai Turkel)
0c5ff9066e6fa41b1fbd5d0b8c2f02e8a04e96ea Add macOS support to travis (Elichai Turkel)
b6807d91d83e9597ffecec999eb761b8571a1f26 Move travis script into a standalone sh file (Elichai Turkel)
Pull request description:
ACKs for top commit:
real-or-random:
ACK
71757da5ccece100b1eca6c70b4d87e2542cff97 I inspected the diff
jonasnick:
ACK
71757da5ccece100b1eca6c70b4d87e2542cff97
Tree-SHA512: e8fab725ef5ed98c795f39d7f26b5d967a6bd730d40eb7d9793986858bf34770b0350c1b7b1d14ae608dfff9375a0750ec67c8e6d0d4b562ab917f5e645aa67b
Tim Ruffing [Mon, 18 May 2020 10:27:14 +0000 (12:27 +0200)]
autoconf: Use ":" instead of "dnl" as a noop
Elichai Turkel [Thu, 7 May 2020 13:07:37 +0000 (16:07 +0300)]
Explictly pass SECP256K1_BENCH_ITERS to the benchmarks in travis.sh
Elichai Turkel [Sun, 3 May 2020 15:01:28 +0000 (18:01 +0300)]
Replace travis_wait with a loop printing "\a" to stdout every minute
This page took 0.08264 seconds and 4 git commands to generate.
projects / secp256k1.git / log