1444 Commits

Author SHA1 Message Date
Jonas Nick
38a8b20991 musig: fix memory leak in musig test 2020-11-13 16:05:37 +00:00
Jonas Nick
5b4eb18ec5 musig: shorten partial nonce byte array from 33 to 32 bytes 2020-11-13 16:05:37 +00:00
Jonas Nick
62f0b2d867 musig: make musig partial nonces byte arrays instead of "pubkeys" 2020-11-13 16:05:37 +00:00
Jonas Nick
73792e4a27 musig: represent a combined_nonce as an xonly_pubkey 2020-11-13 16:05:36 +00:00
Jonas Nick
2117e7466a musig: improve variable naming and be consistent with schnorrsig module
session_initialize -> session_init
msg_is_set -> is_msg_set
is_negated -> pk_parity
nonce_is_negated -> nonce_parity
2020-11-13 16:05:36 +00:00
Jonas Nick
ebc31f1f9d musig: add ARG_CHECKs to functions to help debuggability 2020-11-13 16:05:36 +00:00
Jonas Nick
ac2d0e6697 musig: add magic to session to detect if session is uninitalized 2020-11-13 16:05:36 +00:00
Jonas Nick
29b4bd85d7 musig: simplify state machine by adding explicit round to session struct 2020-11-13 16:05:36 +00:00
Jonas Nick
e0ced690cf Rename rands64 to testrandi64
This is to make it consistent with upstream changes.
2020-11-05 22:07:30 +00:00
Jonas Nick
b0917f3de1 Merge remote-tracking branch 'upstream/master' into temp-merge-835 2020-11-05 20:21:38 +00:00
Pieter Wuille
9e5939d284
Merge #835: Don't use reserved identifiers memczero and benchmark_verify_t
1f4dd0383807bfb7fef884601357b4c629dfb566 Typedef (u)int128_t only when they're not provided by the compiler (Tim Ruffing)
e89278f211a526062745c391d48a7baf782b4b2b Don't use reserved identifiers memczero and benchmark_verify_t (Tim Ruffing)

Pull request description:

  As identified in #829 and #833. Fixes #829.

  Since we touch this anyway, this commit additionally makes the
  identifiers in the benchmark files a little bit more consistent.

  This is necessary before we can merge #833. I preferred a separate PR because it makes it easier to see the results of Travis in #833.

ACKs for top commit:
  sipa:
    utACK 1f4dd0383807bfb7fef884601357b4c629dfb566
  jonasnick:
    ACK 1f4dd0383807bfb7fef884601357b4c629dfb566

Tree-SHA512: c0ec92798f3c94f3ef6ac69b3f0f39a39257a32be9d9a068832cece1ebe64c89848b70e44652fc397004b8b240883ac4bc0c8f95abbe4ba4b028de120e6734bf
2020-11-04 15:29:25 -08:00
Jonas Nick
23900a0d86 Fix the MuSig module after integrating bip-schnorr updates
1.  using xonly_pubkeys in MuSig for input public keys and the combined
    pk. For that to work we need to store whether the MuSig aggregated point
    has an even y in the session, may need to negate each signers secret
    key and may need to negate each signers public key in
    musig_partial_sig_verify.
2.  using a tagged hash for the message hash.
3.  use !fe_is_odd in place of fe_is_quad_var
2020-11-04 21:47:09 +00:00
Andrew Poelstra
005fe79262 Merge commit '8ab24e8d' into tmp 2020-11-04 21:46:54 +00:00
Andrew Poelstra
a11250330b (actually) remove schnorrsig module 2020-11-04 21:45:18 +00:00
Jonas Nick
d0a83f7328
Merge #839: Prevent arithmetic on NULL pointer if the scratch space is too small
29a299e373d5f0e326be74c514c7c70ddf50cce1 Run the undefined behaviour sanitizer on Travis (Fabien)
7506e064d791e529d2e57bb52c156deb33b897ef Prevent arithmetic on NULL pointer if the scratch space is too small (Fabien)

Pull request description:

ACKs for top commit:
  sipa:
    ACK 29a299e373d5f0e326be74c514c7c70ddf50cce1. Reviewed the code changes and verified that building with these sanitizer flags catches the existing error, as well as a signed integer overflow if introduced.
  real-or-random:
    ACK 29a299e373d5f0e326be74c514c7c70ddf50cce1 code inspection
  jonasnick:
    utACK 29a299e373d5f0e326be74c514c7c70ddf50cce1

Tree-SHA512: 4d788f12f3d7b48018e884910adb9b530a05d88f504de83dadeab8a22d75da83c05a1518f7317de5f536c4dd243ea7b347b1eaddb2ca1d804c663e41b85db69d
2020-11-04 14:53:04 +00:00
Jonas Nick
903b16aa6c
Merge #840: Return NULL early in context_preallocated_create if flags invalid
ebfa2058e9cc2999dada47d2f1e1e5c0f4bcf619 Return NULL early in context_preallocated_create if flags invalid (Tim Ruffing)

Pull request description:

ACKs for top commit:
  sipa:
    ACK ebfa2058e9cc2999dada47d2f1e1e5c0f4bcf619
  jonasnick:
    ACK ebfa2058e9cc2999dada47d2f1e1e5c0f4bcf619

Tree-SHA512: 61310539046e015e5c9e6b5702ac7b542fda854a23915ef5dd549361c8ec6e70aa6d509e02b30fd859b24dfaf2250721bb55270767323d6e94854067b7d7e9a6
2020-10-30 17:48:46 +00:00
Tim Ruffing
1f4dd03838 Typedef (u)int128_t only when they're not provided by the compiler 2020-10-27 20:18:18 +01:00
Tim Ruffing
ebfa2058e9 Return NULL early in context_preallocated_create if flags invalid
If the user passes invalid flags to _context_create, and the default
illegal callback does not abort the program (which is possible), then we
work with the result of malloc(0), which may be undefined behavior. This
violates the promise that a library function won't crash after the
illegal callback has been called.

This commit fixes this issue by returning NULL early in _context_create
in that case.
2020-10-27 15:03:21 +01:00
Fabien
7506e064d7 Prevent arithmetic on NULL pointer if the scratch space is too small
If the scratch space is too small when calling
`secp256k1_ecmult_strauss_batch()`, the `state.pre_a` allocation will
fail and the pointer will be `NULL`. This causes `state.pre_a_lam` to be
computed from the `NULL` pointer.

It is also possible that the first allocation to fail is for `state.ps`,
which will cause the failure to occur when in
`secp256k1_ecmult_strauss_wnaf()`.

The issue has been detected by UBSAN using Clang 10:
```
CC=clang \
CFLAGS="-fsanitize=undefined -fno-omit-frame-pointer" \
LDFLAGS="-fsanitize=undefined -fno-omit-frame-pointer" \
../configure

UBSAN_OPTIONS=print_stacktrace=1:halt_on_error=1 make check
```
2020-10-27 08:41:14 +01:00
Tim Ruffing
8893f42438 Avoids a potentially shortening size_t to int cast in strauss_wnaf_
Fixes #834.
2020-10-27 02:17:23 +01:00
Tim Ruffing
e89278f211 Don't use reserved identifiers memczero and benchmark_verify_t
As identified in #829 and #833. Fixes #829.

Since we touch this anyway, this commit additionally makes the
identifiers in the benchmark files a little bit more consistent.
2020-10-20 15:00:19 +02:00
Pieter Wuille
c582abade1 Consistency improvements to the comments 2020-10-13 13:21:50 -07:00
Pieter Wuille
63c6b71616 Reorder comments/function around scalar_split_lambda 2020-10-13 13:21:45 -07:00
Pieter Wuille
2edc514c90 WNAF of lambda_split output has max size 129 2020-10-13 11:31:13 -07:00
Pieter Wuille
4232e5b7da Rip out non-endomorphism code 2020-10-13 11:31:13 -07:00
Gregory Maxwell
ebad8414b0 Check correctness of lambda split without -DVERIFY
The VERIFY macro turns on various paranoid consistency checks, but
 the complete functionality should still be tested without it.

This also adds a couple of static test points for extremely small
 split inputs/outputs.  The existing bounds vectors already check
 extremely large outputs.
2020-10-13 11:31:13 -07:00
Pieter Wuille
fe7fc1fda8 Make lambda constant accessible 2020-10-13 11:31:13 -07:00
Pieter Wuille
9d2f2b44d8 Add tests to exercise lambda split near bounds 2020-10-13 11:31:13 -07:00
Russell O'Connor
9aca2f7f07 Add secp256k1_split_lambda_verify 2020-10-13 11:31:13 -07:00
Russell O'Connor
acab934d24 Detailed comments for secp256k1_scalar_split_lambda 2020-10-13 11:31:13 -07:00
Andrew Poelstra
8b70795b5e Fix BE platforms by updating endianness macros to match upstream 2020-10-12 13:44:16 +00:00
Russell O'Connor
76ed922a5f Increase precision of g1 and g2
This allows us to shift by 256+128 = 384 bits, which is a multiple of the limb size of
the scalar representation. This also happens to be the most precision possible for g2
that still fits into a 256-bit value.
2020-10-11 10:39:59 -07:00
Tim Ruffing
6173839c90 Switch to our own memcmp function
Fixes #823.
2020-10-11 10:39:20 -07:00
Jonas Nick
d1b13b0014 Merge commit 'f3733c54' into temp-merge-797 2020-09-29 13:29:58 +00:00
Jonas Nick
0a5b60d8b0 Merge commit '6034a04f' into temp-merge-778 2020-09-28 21:59:46 +00:00
Andrew Poelstra
1789183cba Merge commit '40412b19' into temp-merge-774 2020-09-28 13:33:09 +00:00
Tim Ruffing
63150ab4da
Merge #827: Rename testrand functions to have test in name
a45c1fa63cb3020225d72049ef9c1cf300014795 Rename testrand functions to have test in name (Pieter Wuille)

Pull request description:

  Suggested here: https://github.com/bitcoin-core/secp256k1/pull/808#discussion_r488871913

ACKs for top commit:
  real-or-random:
    ACK a45c1fa63cb3020225d72049ef9c1cf300014795 diff looks good
  elichai:
    utACK a45c1fa63cb3020225d72049ef9c1cf300014795

Tree-SHA512: a15c29b88877e0f1a099acab90cbfa1e70420527e07348a69c8a5b539319a3131b771b86852e772a669a1eb3475d508d0f7e10f37eec363dc6640d4eaf967536
2020-09-27 11:15:14 +02:00
Tim Ruffing
bb1f54280f
Merge #818: Add static assertion that uint32_t is unsigned int or wider
c0041b5cfca5efb160aa9a5616350069c89a8c29 Add static assertion that uint32_t is unsigned int or wider (Tim Ruffing)

Pull request description:

  Solves one item in #792 .

ACKs for top commit:
  sipa:
    utACK c0041b5cfca5efb160aa9a5616350069c89a8c29
  elichai:
    ACK c0041b5cfca5efb160aa9a5616350069c89a8c29

Tree-SHA512: 9f700e89be39e15983260da94642593d16b9c437171e10377837ac73731ca7ba5dd7e328b3d93d0a24d143fb9e73abd11c578f6b58e2f94c82b783e977173b0c
2020-09-26 10:22:32 +02:00
Pieter Wuille
a45c1fa63c Rename testrand functions to have test in name 2020-09-25 20:50:43 -07:00
Pieter Wuille
5006895bd6
Merge #808: Exhaustive test improvements + exhaustive schnorrsig tests
8b7dcdd955a4f57174f478e36bdae5b84784fb9c Add exhaustive test for extrakeys and schnorrsig (Pieter Wuille)
08d7d89299a6492bf9388b4662b709d268c8ea29 Make pubkey parsing test whether points are in the correct subgroup (Pieter Wuille)
87af00b511f2938b6b4799f94d446a005730515e Abstract out challenge computation in schnorrsig (Pieter Wuille)
63e1b2aa7d396209aa5e26aa540d9593ede312a6 Disable output buffering in tests_exhaustive.c (Pieter Wuille)
39f67dd072fc44c7c0d27b95610ba8912de56db5 Support splitting exhaustive tests across cores (Pieter Wuille)
e99b26fcd54cb4096515ba80cf0f79d147b2683c Give exhaustive_tests count and seed cmdline inputs (Pieter Wuille)
49e6630bca5f6628bd1fd92d70d465273d4d873f refactor: move RNG seeding to testrand (Pieter Wuille)
b110c106fa9704e30f6b0c2ffa6a2697031e89a8 Change exhaustive test groups so they have a point with X=1 (Pieter Wuille)
cec7b18a34e68adb04f31a71a2eb4c5fc97674ce Select exhaustive lambda in function of order (Pieter Wuille)
78f6cdfaae9866694dcb0eee966332688753a8c3 Make the curve B constant a secp256k1_fe (Pieter Wuille)
d7f39ae4b67ea1ac6f085e6262a5f53afc0c5a25 Delete gej_is_valid_var: unused outside tests (Pieter Wuille)
8bcd78cd791fd9209d72d6bce455c8d3cf2c0249 Make secp256k1_scalar_b32 detect overflow in scalar_low (Pieter Wuille)
c498366e5b2d9c60e2e677949cf7373dbe877515 Move exhaustive tests for recovery to module (Pieter Wuille)
be317915436909573733afe3972a9abdee9357f7 Make group order purely compile-time in exhaustive tests (Pieter Wuille)

Pull request description:

  A few miscellaneous improvements:
  * Just use EXHAUSTIVE_TEST_ORDER as order everywhere, rather than a variable
  * Move exhaustive tests for recovery module to the recovery module directory
  * Make `secp256k1_scalar_set_b32` detect overflow correctly for scalar_low (a comment in the recovery exhaustive test indicated why this was the case, but this looks incorrect).
  * Change the small test groups so that they include a point with X coordinate 1.
  * Initialize the RNG seed, allowing configurating from the cmdline, and report it.
  * Permit changing the number of iterations (re-randomizing for each).
  * Support splitting the work across cores from the cmdline.

  And a big one:
  * Add exhaustive tests for schnorrsig module (and limited ones for extrakeys).

ACKs for top commit:
  real-or-random:
    ACK 8b7dcdd955a4f57174f478e36bdae5b84784fb9c
  jonasnick:
    ACK 8b7dcdd955a4f57174f478e36bdae5b84784fb9c

Tree-SHA512: 18d7f362402085238faaced164c0ca34079717a477001fc0b13448b3529ea2ad705793a13b7a36f34bf12e9231fee11070f88cc51bfc2a83ca82aa13f7aaae71
2020-09-25 20:44:03 -07:00
Jonas Nick
a39b08d672
Merge #95: [upstream PR #741]: Remove unnecessary sign variable from wnaf_const
37dba329c6cb0f7a4228a11dc26aa3a342a3a5d0 Remove unnecessary sign variable from wnaf_const (Jonas Nick)
6bb0b77e158fc2f9e56e4b65b08bcb660d4c588b Fix test_constant_wnaf for -1 and add a test for it. (Jonas Nick)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 37dba329c6cb0f7a4228a11dc26aa3a342a3a5d0

Tree-SHA512: 4a529579f04dfa8d5abded16cbc0ad2747ccdbef41501c984c348ffd154afdd28333d739db60c869410211187850e3c05dfe91dfb184ad8dca8d5c59b3a158ed
2020-09-25 21:17:22 +00:00
Andrew Poelstra
a3a3a17f47
Merge pull request #94 from apoelstra/temp-merge-1309c03c45beece646a7d21fdb6a0e3d38adee2b
[upstream PR #773]: Fix some compile problems on weird/old compilers.
2020-09-25 14:23:54 +00:00
Pieter Wuille
8b7dcdd955 Add exhaustive test for extrakeys and schnorrsig 2020-09-18 14:11:38 -07:00
Pieter Wuille
08d7d89299 Make pubkey parsing test whether points are in the correct subgroup 2020-09-18 14:11:38 -07:00
Pieter Wuille
87af00b511 Abstract out challenge computation in schnorrsig 2020-09-18 14:11:38 -07:00
Pieter Wuille
63e1b2aa7d Disable output buffering in tests_exhaustive.c 2020-09-18 14:11:37 -07:00
Pieter Wuille
39f67dd072 Support splitting exhaustive tests across cores 2020-09-18 14:11:02 -07:00
Pieter Wuille
e99b26fcd5 Give exhaustive_tests count and seed cmdline inputs 2020-09-18 14:10:59 -07:00
Pieter Wuille
49e6630bca refactor: move RNG seeding to testrand 2020-09-18 14:01:15 -07:00
Pieter Wuille
b110c106fa Change exhaustive test groups so they have a point with X=1
This enables testing overflow is correctly encoded in the recid, and
likely triggers more edge cases.

Also introduce a Sage script to generate the parameters.
2020-09-18 14:01:15 -07:00