Merge commits '8b013fce 485f608f 44c2452f cd470333 accadc94 43756da8 af65d30c 63a3565e 6a873cc4 3efeb9da 9f8a13dc 694ce8fb a43e982b e13fae48 c2ee9175 ' into temp-merge-1146

2023-07-17 13:02:10 +00:00 · 2023-07-17 13:02:10 +00:00 · 64717a7b16
commit 64717a7b16
parent 9a981068ce c2ee9175e9
14 changed files with 66 additions and 42 deletions
--- a/.cirrus.yml
+++ b/.cirrus.yml
@ -42,7 +42,6 @@ cat_logs_snippet: &CAT_LOGS
      - cat valgrind_ctime_test.log || true
    cat_bench_log_script:
      - cat bench.log || true
-  on_failure:
    cat_config_log_script:
      - cat config.log || true
    cat_test_env_script:
--- a/.gitignore
+++ b/.gitignore
@ -18,7 +18,6 @@ schnorr_example
 *.so
 *.a
 *.csv
-!.gitignore
 *.log
 *.trs

@ -39,8 +38,6 @@ libtool
 *.lo
 *.o
 *~
-*.log
-*.trs

 coverage/
 coverage.html
--- a/Makefile.am
+++ b/Makefile.am
@ -60,7 +60,6 @@ noinst_HEADERS += src/hash_impl.h
 noinst_HEADERS += src/field.h
 noinst_HEADERS += src/field_impl.h
 noinst_HEADERS += src/bench.h
-noinst_HEADERS += src/basic-config.h
 noinst_HEADERS += contrib/lax_der_parsing.h
 noinst_HEADERS += contrib/lax_der_parsing.c
 noinst_HEADERS += contrib/lax_der_privatekey_parsing.h
@ -89,7 +88,7 @@ endif
 endif

 libsecp256k1_la_SOURCES = src/secp256k1.c
-libsecp256k1_la_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/src $(SECP_INCLUDES)
+libsecp256k1_la_CPPFLAGS = $(SECP_INCLUDES)
 libsecp256k1_la_LIBADD = $(SECP_LIBS) $(COMMON_LIB) $(PRECOMPUTED_LIB)
 libsecp256k1_la_LDFLAGS = -no-undefined -version-info $(LIB_VERSION_CURRENT):$(LIB_VERSION_REVISION):$(LIB_VERSION_AGE)

@ -114,7 +113,7 @@ TESTS =
 if USE_TESTS
 noinst_PROGRAMS += tests
 tests_SOURCES = src/tests.c
-tests_CPPFLAGS = -I$(top_srcdir)/src -I$(top_srcdir)/include $(SECP_INCLUDES) $(SECP_TEST_INCLUDES)
+tests_CPPFLAGS = $(SECP_INCLUDES) $(SECP_TEST_INCLUDES)
 if VALGRIND_ENABLED
 tests_CPPFLAGS += -DVALGRIND
 noinst_PROGRAMS += valgrind_ctime_test
--- a/README.md
+++ b/README.md
@ -2,6 +2,7 @@ libsecp256k1-zkp
 ================

 [![Build Status](https://api.cirrus-ci.com/github/BlockstreamResearch/secp256k1-zkp.svg?branch=master)](https://cirrus-ci.com/github/BlockstreamResearch/secp256k1-zkp)
+![Dependencies: None](https://img.shields.io/badge/dependencies-none-success)

 A fork of [libsecp256k1](https://github.com/bitcoin-core/secp256k1) with support for advanced and experimental features such as Confidential Assets and MuSig2 

@ -30,7 +31,14 @@ To compile optional modules (such as Schnorr signatures), you need to run `./con

 Usage examples
 -----------
-  Usage examples can be found in the [examples](examples) directory. To compile them you need to configure with `--enable-examples`.
+
+Usage examples can be found in the [examples](examples) directory. To compile them you need to configure with `--enable-examples`.
+  * [ECDSA example](examples/ecdsa.c)
+  * [Schnorr signatures example](examples/schnorr.c)
+  * [Deriving a shared secret (ECDH) example](examples/ecdh.c)
+  * [MuSig example](examples/musig.c)
+
+To compile the Schnorr signature, ECDH and MuSig examples, you need to enable the corresponding module by providing a flag to the `configure` script, for example `--enable-module-schnorrsig`.

 Test coverage
 -----------
--- a/ci/cirrus.sh
+++ b/ci/cirrus.sh
@ -16,9 +16,16 @@ esac

 env >> test_env.log

-$CC -v || true
-valgrind --version || true
-$WRAPPER_CMD --version || true
+if [ -n "$CC" ]; then
+    # The MSVC compiler "cl" doesn't understand "-v"
+    $CC -v || true
+fi
+if [ "$WITH_VALGRIND" = "yes" ]; then
+    valgrind --version
+fi
+if [ -n "$WRAPPER_CMD" ]; then
+    $WRAPPER_CMD --version
+fi

 ./autogen.sh

--- a/configure.ac
+++ b/configure.ac
@ -43,8 +43,6 @@ AS_UNSET(ac_cv_prog_AR)
 AS_UNSET(ac_cv_prog_ac_ct_AR)
 LT_INIT([win32-dll])

-PKG_PROG_PKG_CONFIG
-
 build_windows=no

 case $host_os in
--- a/src/basic-config.h
+++ b/src/basic-config.h
@ -1,17 +0,0 @@
-/***********************************************************************
- * Copyright (c) 2013, 2014 Pieter Wuille                              *
- * Distributed under the MIT software license, see the accompanying    *
- * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
- ***********************************************************************/
-
-#ifndef SECP256K1_BASIC_CONFIG_H
-#define SECP256K1_BASIC_CONFIG_H
-
-#ifdef USE_BASIC_CONFIG
-
-#define ECMULT_WINDOW_SIZE 15
-#define ECMULT_GEN_PREC_BITS 4
-
-#endif /* USE_BASIC_CONFIG */
-
-#endif /* SECP256K1_BASIC_CONFIG_H */
--- a/src/ecmult.h
+++ b/src/ecmult.h
@ -11,6 +11,17 @@
 #include "scalar.h"
 #include "scratch.h"

+#ifndef ECMULT_WINDOW_SIZE
+#  define ECMULT_WINDOW_SIZE 15
+#  ifdef DEBUG_CONFIG
+#     pragma message DEBUG_CONFIG_MSG("ECMULT_WINDOW_SIZE undefined, assuming default value")
+#  endif
+#endif
+
+#ifdef DEBUG_CONFIG
+#  pragma message DEBUG_CONFIG_DEF(ECMULT_WINDOW_SIZE)
+#endif
+
 /* Noone will ever need more than a window size of 24. The code might
 * be correct for larger values of ECMULT_WINDOW_SIZE but this is not
 * tested.
--- a/src/ecmult_gen.h
+++ b/src/ecmult_gen.h
@ -10,9 +10,21 @@
 #include "scalar.h"
 #include "group.h"

+#ifndef ECMULT_GEN_PREC_BITS
+#  define ECMULT_GEN_PREC_BITS 4
+#  ifdef DEBUG_CONFIG
+#     pragma message DEBUG_CONFIG_MSG("ECMULT_GEN_PREC_BITS undefined, assuming default value")
+#  endif
+#endif
+
+#ifdef DEBUG_CONFIG
+#  pragma message DEBUG_CONFIG_DEF(ECMULT_GEN_PREC_BITS)
+#endif
+
 #if ECMULT_GEN_PREC_BITS != 2 && ECMULT_GEN_PREC_BITS != 4 && ECMULT_GEN_PREC_BITS != 8
 #  error "Set ECMULT_GEN_PREC_BITS to 2, 4 or 8."
 #endif
+
 #define ECMULT_GEN_PREC_G(bits) (1 << bits)
 #define ECMULT_GEN_PREC_N(bits) (256 / bits)

--- a/src/ecmult_gen_impl.h
+++ b/src/ecmult_gen_impl.h
@ -88,31 +88,31 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
    unsigned char nonce32[32];
    secp256k1_rfc6979_hmac_sha256 rng;
    int overflow;
-    unsigned char keydata[64] = {0};
+    unsigned char keydata[64];
    if (seed32 == NULL) {
        /* When seed is NULL, reset the initial point and blinding value. */
        secp256k1_gej_set_ge(&ctx->initial, &secp256k1_ge_const_g);
        secp256k1_gej_neg(&ctx->initial, &ctx->initial);
        secp256k1_scalar_set_int(&ctx->blind, 1);
+        return;
    }
    /* The prior blinding value (if not reset) is chained forward by including it in the hash. */
-    secp256k1_scalar_get_b32(nonce32, &ctx->blind);
+    secp256k1_scalar_get_b32(keydata, &ctx->blind);
    /** Using a CSPRNG allows a failure free interface, avoids needing large amounts of random data,
     *   and guards against weak or adversarial seeds.  This is a simpler and safer interface than
     *   asking the caller for blinding values directly and expecting them to retry on failure.
     */
-    memcpy(keydata, nonce32, 32);
-    if (seed32 != NULL) {
-        memcpy(keydata + 32, seed32, 32);
-    }
-    secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, seed32 ? 64 : 32);
+    VERIFY_CHECK(seed32 != NULL);
+    memcpy(keydata + 32, seed32, 32);
+    secp256k1_rfc6979_hmac_sha256_initialize(&rng, keydata, 64);
    memset(keydata, 0, sizeof(keydata));
    /* Accept unobservably small non-uniformity. */
    secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
    overflow = !secp256k1_fe_set_b32(&s, nonce32);
    overflow |= secp256k1_fe_is_zero(&s);
    secp256k1_fe_cmov(&s, &secp256k1_fe_one, overflow);
-    /* Randomize the projection to defend against multiplier sidechannels. */
+    /* Randomize the projection to defend against multiplier sidechannels.
+       Do this before our own call to secp256k1_ecmult_gen below. */
    secp256k1_gej_rescale(&ctx->initial, &s);
    secp256k1_fe_clear(&s);
    secp256k1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32);
@ -121,6 +121,7 @@ static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const
    secp256k1_scalar_cmov(&b, &secp256k1_scalar_one, secp256k1_scalar_is_zero(&b));
    secp256k1_rfc6979_hmac_sha256_finalize(&rng);
    memset(nonce32, 0, 32);
+    /* The random projection in ctx->initial ensures that gb will have a random projection. */
    secp256k1_ecmult_gen(ctx, &gb, &b);
    secp256k1_scalar_negate(&b, &b);
    ctx->blind = b;
--- a/src/modules/ecdh/bench_impl.h
+++ b/src/modules/ecdh/bench_impl.h
@ -7,7 +7,7 @@
 #ifndef SECP256K1_MODULE_ECDH_BENCH_H
 #define SECP256K1_MODULE_ECDH_BENCH_H

-#include "../include/secp256k1_ecdh.h"
+#include "../../../include/secp256k1_ecdh.h"

 typedef struct {
    secp256k1_context *ctx;
--- a/src/modules/recovery/bench_impl.h
+++ b/src/modules/recovery/bench_impl.h
@ -7,7 +7,7 @@
 #ifndef SECP256K1_MODULE_RECOVERY_BENCH_H
 #define SECP256K1_MODULE_RECOVERY_BENCH_H

-#include "../include/secp256k1_recovery.h"
+#include "../../../include/secp256k1_recovery.h"

 typedef struct {
    secp256k1_context *ctx;
--- a/src/tests.c
+++ b/src/tests.c
@ -7394,11 +7394,15 @@ int main(int argc, char **argv) {
    run_context_tests(0);
    run_context_tests(1);
    run_scratch_tests();
+
    ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
-    if (secp256k1_testrand_bits(1)) {
+    /* Randomize the context only with probability 15/16
+       to make sure we test without context randomization from time to time.
+       TODO Reconsider this when recalibrating the tests. */
+    if (secp256k1_testrand_bits(4)) {
        unsigned char rand32[32];
        secp256k1_testrand256(rand32);
-        CHECK(secp256k1_context_randomize(ctx, secp256k1_testrand_bits(1) ? rand32 : NULL));
+        CHECK(secp256k1_context_randomize(ctx, rand32));
    }

    run_rand_bits();
--- a/src/util.h
+++ b/src/util.h
@ -16,6 +16,11 @@
 #include <stdio.h>
 #include <limits.h>

+#define STR_(x) #x
+#define STR(x) STR_(x)
+#define DEBUG_CONFIG_MSG(x) "DEBUG_CONFIG: " x
+#define DEBUG_CONFIG_DEF(x) DEBUG_CONFIG_MSG(#x "=" STR(x))
+
 typedef struct {
    void (*fn)(const char *text, void* data);
    const void* data;