957 Commits

Author SHA1 Message Date
Jonas Nick
176bfb1110 Separate helper function for ec_pubkey_tweak_add
This is in preparation for allowing code reuse by xonly tweak add functions
2020-09-06 18:59:57 +00:00
Jonas Nick
4cd2ee474d extrakeys: Add xonly_pubkey with serialize, parse and from_pubkey 2020-09-06 18:59:50 +00:00
Tim Ruffing
aabf00c155
Merge #648: Prevent ints from wrapping around in scratch space functions
60f7f2de5de917c2bee32a4cd79cc3818b6a94a0 Don't assume that ALIGNMENT > 1 in tests (Tim Ruffing)
ada6361dece4265823478e0019a8c196e9285a26 Use ROUND_TO_ALIGN in scratch_create (Jonas Nick)
8ecc6ce50ead28a0b8bab2f1fb18a58ee5204a13 Add check preventing rounding to alignment from wrapping around in scratch_alloc (Jonas Nick)
4edaf06fb02a9ac9cd115e0c967bb0ef35cae01d Add check preventing integer multiplication wrapping around in scratch_max_allocation (Jonas Nick)

Pull request description:

  This PR increases the general robustness of scratch spaces. It does not fix an existing vulnerability because scratch spaces aren't used anywhere in master. Additionally, it must be prevented anyway that an attacker has (indirect) control over the arguments touched in this PR.

ACKs for top commit:
  sipa:
    ACK 60f7f2de5de917c2bee32a4cd79cc3818b6a94a0

Tree-SHA512: ecdd794b55a01d1d6d24098f3abff34cb8bb6f33737ec4ec93714aa631c9d397b213cc3603a916ad79f4b09d6b2f8973bf87fc07b81b25a530cc72c4dbafaba9
2020-09-02 02:20:32 +02:00
Jonas Nick
47e6618e11 extrakeys: Init empty experimental module
This is to prepare for xonly_pubkeys and keypairs.
2020-08-26 19:52:55 +00:00
Jonas Nick
3e08b02e2a Make the secp256k1_declassify argument constant
This is required to declassify pointers to constant memory. Declassify should
never modify its argument.
2020-08-26 19:52:03 +00:00
Pieter Wuille
8bc6aeffa9 Add SHA256 selftest 2020-08-22 16:35:47 -07:00
Pieter Wuille
5e5fb28b4a Use additional system macros to figure out endianness
Also permit it being overridden by explicitly passing SECP256K1_{BIG,LITTLE}_ENDIAN
2020-08-15 20:31:51 -07:00
Pieter Wuille
7c068998ba Compile-time check assumptions on integer types 2020-08-14 16:12:49 -07:00
Pieter Wuille
02b6c87b52 Add support for (signed) __int128 2020-08-13 11:46:34 -07:00
Tim Ruffing
979961c506
Merge #787: Use preprocessor macros instead of autoconf to detect endianness
0dccf98a21beb245f6cd9ed76fb7368529df09c7 Use preprocessor macros instead of autoconf to detect endianness (Tim Ruffing)

Pull request description:

  This does not fix any particular issue but it's preferable to not
  rely on autoconf. This avoids endianness mess for users on BE hosts
  if they use their build without autoconf.

  The macros are carefully written to err on the side of caution,
  e.g., we #error if the user manually configures a different endianness
  than what we detect.

  Supersedes #770 .

ACKs for top commit:
  sipa:
    ACK 0dccf98a21beb245f6cd9ed76fb7368529df09c7
  gmaxwell:
    ACK 0dccf98a21beb245f6cd9ed76fb7368529df09c7

Tree-SHA512: 6779458de5cb6eaef2ac37f9d4b8fa6c9b299f58f6e5b72f2b0d7e36c12ea06074e483acfb85085a147e0f4b51cd67d897f61a67250ec1cea284a0f7680eb2e8
2020-08-13 12:36:53 +02:00
Tim Ruffing
0dccf98a21 Use preprocessor macros instead of autoconf to detect endianness
This does not fix any particular issue but it's preferable to not
rely on autoconf. This avoids endianness mess for users on BE hosts
if they use their build without autoconf.

The macros are carefully written to err on the side of caution,
e.g., we #error if the user manually configures a different endianness
than what we detect.
2020-08-11 11:25:39 +02:00
Pieter Wuille
79f1f7a4f1 Autodetect __int128 availability on the C side
Instead of supporting configuration of the field and scalar size independently,
both are now controlled by the availability of a 64x64->128 bit multiplication
(currently only through __int128). This is autodetected from the C code through
__SIZEOF_INT128__, but can be overridden using configure's
--with-test-override-wide-multiply, or by defining
USE_FORCE_WIDEMUL_{INT64,INT128} manually.
2020-08-10 14:56:39 -07:00
Pieter Wuille
0d7727f95e Add SECP256K1_FE_STORAGE_CONST_GET to 5x52 field
So far this has not been needed, as it's only used by the static precomputation
which always builds with 32-bit fields.

This prepares for the ability to have __int128 detected on the C side, breaking
that restriction.
2020-08-10 14:34:01 -07:00
Pieter Wuille
18d36327fd secp256k1_gej_double_nonzero supports infinity 2020-07-28 18:12:30 -07:00
Tim Ruffing
214cb3c321
Merge #772: Improve constant-timeness on PowerPC
67a429f31fd3d1b37c5365cc58b70588b8645d62 Suppress a harmless variable-time optimization by clang in _int_cmov (Tim Ruffing)
5b196338f0c8dc07bf0eece37b46d8686c4da3ce Remove redundant "? 1 : 0" after comparisons in scalar code (Tim Ruffing)

Pull request description:

  Attempt at resolving #771 .

  This surprisingly seems to improve the situation at least for the compilers available on godbolt.

ACKs for top commit:
  gmaxwell:
    ACK 67a429f31fd3d1b37c5365cc58b70588b8645d62
  elichai:
    tACK 67a429f31fd3d1b37c5365cc58b70588b8645d62

Tree-SHA512: ee8b0c86831ec8c3d5a9abcad773ed8a0f267e5c47012e4e1423b10a64c26b4cf6e3c466c3df765ba7e636787a3fe134d633926d67b599287f12c51be924f478
2020-07-28 16:12:24 +02:00
Tim Ruffing
2e1b9e0458 tests: Abort if malloc() fails during context cloning tests
Found by the clang static analyzer.

This is the worst true positive that it found. I feel somewhat proud.
2020-07-28 10:24:44 +02:00
Tim Ruffing
67a429f31f Suppress a harmless variable-time optimization by clang in _int_cmov
Follow up on 52a03512c1d800603b5c923c1a28bdba12dadb30
2020-07-27 14:35:05 +02:00
Tim Ruffing
5b196338f0 Remove redundant "? 1 : 0" after comparisons in scalar code
This prevents GCC from generating branches on PowerPC in certain
cases.

Fixes #771.
2020-07-26 14:59:56 +02:00
Tim Ruffing
3e5cfc5c73
Merge #741: Remove unnecessary sign variable from wnaf_const
37dba329c6cb0f7a4228a11dc26aa3a342a3a5d0 Remove unnecessary sign variable from wnaf_const (Jonas Nick)
6bb0b77e158fc2f9e56e4b65b08bcb660d4c588b Fix test_constant_wnaf for -1 and add a test for it. (Jonas Nick)

Pull request description:

  There currently is a single branch in the `ecmul_const` function that is not being exercised by the tests. This branch is unreachable and therefore I'm suggesting to remove it.

  For your convenience the paper on the wnaf algorithm can be found [here (The Width-w NAF Method Provides Small Memory and Fast Elliptic Scalar Multiplications Secure against Side Channel Attacks)](http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.563.1267&rep=rep1&type=pdf). Similarly, unless I'm missing something important, I don't see how their algorithm needs to consider `sign(u[i-1])` unless `d` can be negative - which doesn't make much sense to me either.

ACKs for top commit:
  real-or-random:
    ACK 37dba329c6cb0f7a4228a11dc26aa3a342a3a5d0 I verified the correctness of the change and claimed invariant by manual inspection. I tested the code, both with 32bit and 64bit scalars.

Tree-SHA512: 9db45f76bd881d00a81923b6d2ae1c3e0f49a82a5d55347f01e1ce4e924d9a3bf55483a0697f25039c327e33edca6796ba3205c068d9f2f99aa5d655e46b15be
2020-07-26 12:21:14 +02:00
Gregory Maxwell
1309c03c45 Fix some compile problems on weird/old compilers.
The visibility attribute is a GCC 4+ feature.
GCC 2.95 also warns about the unsigned/signed comparison.
2020-07-26 05:26:56 +00:00
Tim Ruffing
22e578bb11 Undef HAVE___INT128 in basic-config.h to fix gen_context compilation
Fixes #768.
2020-07-21 11:09:23 +02:00
Jonas Nick
2e7fc5b537 Fix uninitialized variables in ecmult_multi test 2020-06-15 09:02:54 +00:00
Elichai Turkel
28609507e7
Add tests for the cmov implementations 2020-06-03 13:19:12 +03:00
Elichai Turkel
73596a85a2
Add ecdsa_sign_recoverable to the ctime tests 2020-06-03 13:19:11 +03:00
Elichai Turkel
2876af4f8d
Split ecdsa_sign logic into a new function and use it from ecdsa_sign and recovery 2020-06-03 13:19:09 +03:00
Elichai Turkel
f79a7adcf5
Add valgrind uninit check to cmovs output 2020-05-26 23:30:56 +03:00
Elichai Turkel
a39c2b09de
Fixed UB(arithmetics on uninit values) in cmovs 2020-05-22 13:25:26 +03:00
Tim Ruffing
f39f99be0e
Merge #701: Make ec_ arithmetic more consistent and add documentation
7e3952ae82af2a98619de74614f2d3f0ff072941 Clarify documentation of tweak functions. (Jonas Nick)
89853a0f2e2b324bd32e78641aeaad6d1e427e81 Make tweak function documentation more consistent. (Jonas Nick)
41fc78560223aa035d9fe2cbeedb3ee632c740e2 Make ec_privkey functions aliases for ec_seckey_negate, ec_seckey_tweak_add and ec_seckey_mul (Jonas Nick)
22911ee6da7197c45226ab4bcd84b8c2773baf9f Rename private key to secret key in public API (with the exception of function names) (Jonas Nick)
5a73f14d6cfab043f94b2032d6958e15f84065fe Mention that value is unspecified for In/Out parameters if the function returns 0 (Jonas Nick)
f03df0e6d7d272808c9d27df40bb92716b341d03 Define valid ECDSA keys in the documentation of seckey_verify (Jonas Nick)
5894e1f1df74b23435cfd1e9a8b25f22ac631ebe Return 0 if the given seckey is invalid in privkey_negate, privkey_tweak_add and privkey_tweak_mul (Jonas Nick)
8f814cddb94f4018646569143d10ebbb98daa454 Add test for boundary conditions of scalar_set_b32 with respect to overflows (Jonas Nick)
3fec9826086aa45ebbac1ff6fc3bb7b25ca78b1d Use scalar_set_b32_seckey in ecdsa_sign, pubkey_create and seckey_verify (Jonas Nick)
9ab2cbe0ebf8dfafd5499ea7a79c35f0d0cfe5e2 Add scalar_set_b32_seckey which does the same as scalar_set_b32 and also returns whether it's a valid secret key (Jonas Nick)

Pull request description:

  Fixes #671. Supersedes #668.

  This PR unifies handling of invalid secret keys by introducing a new function `scalar_set_b32_secret` which returns false if the b32 overflows or is 0. By using this in `privkey_{negate, tweak_add, tweak_mul}` these functions will now return 0 if the secret key is invalid which matches the behavior of `ecdsa_sign` and `pubkey_create`.

  Instead of deciding whether to zeroize the secret key on failure, I only added documentation for now that the value is undefined on failure.

ACKs for top commit:
  real-or-random:
    ACK 7e3952ae82af2a98619de74614f2d3f0ff072941 I read the diff carefully and tested the changes
  apoelstra:
    ACK 7e3952ae82af2a98619de74614f2d3f0ff072941

Tree-SHA512: 8e9a66799cd3b6ec1c3acb731d6778035417e3dca9300d840e2437346ff0ac94f0c9be4de20aa2fac9bb4ae2f8a36d4e6a34795a640b9cfbfee8311decb102f0
2020-04-30 18:13:55 +02:00
Jonas Nick
37dba329c6 Remove unnecessary sign variable from wnaf_const 2020-04-29 12:38:23 +00:00
Jonas Nick
6bb0b77e15 Fix test_constant_wnaf for -1 and add a test for it.
Before, test_constant_wnaf used scalar_cadd_bit to correct for the skew. But
this function does not correctly deal with overflows which is why num = -1
couldn't be tested.

This commit also adds tests for 0, 1/2 and 1/2-1 as they are corner cases
in constant_wnaf.
2020-04-29 12:38:23 +00:00
Jonas Nick
39198a03ea
Merge #732: Retry if r is zero during signing
37ed51a7eafa5fd9955ceb66213251cdd8b8b8c4 Make ecdsa_sig_sign constant-time again after reverting 25e3cfb (Tim Ruffing)
93d343bfc5323e56f6a60cb41d60b96368cc09c7 Revert "ecdsa_impl: replace scalar if-checks with VERIFY_CHECKs in ecdsa_sig_sign" (Tim Ruffing)

Pull request description:

ACKs for top commit:
  elichai:
    ACK 37ed51a7eafa5fd9955ceb66213251cdd8b8b8c4 makes sense.
  jonasnick:
    ACK 37ed51a7eafa5fd9955ceb66213251cdd8b8b8c4

Tree-SHA512: 82b5b8e29f48e84fd7a0681b62923d3bd87d724b38ef18e8c7969b0dcc5a405ebb26c14b5c5f4c7ba0ccabd152d1531d217809d1daf40872fe0c1e079b55c64b
2020-04-18 12:23:05 +00:00
f-daniel
4e284655d9
Fix typo in ecmult_const_impl.h
Fix small typo in the reference given for the wNAF method
2020-04-18 12:53:06 +02:00
Elichai Turkel
ffef45c98a
Make recovery/main_impl.h non-executable 2020-04-15 23:14:06 +03:00
Tim Ruffing
37ed51a7ea Make ecdsa_sig_sign constant-time again after reverting 25e3cfb 2020-03-31 15:03:58 +02:00
Tim Ruffing
93d343bfc5 Revert "ecdsa_impl: replace scalar if-checks with VERIFY_CHECKs in ecdsa_sig_sign"
This reverts commit 25e3cfbf9b52d2f5afa543f967a73aa8850d2038. The reverted
commit was probably based on the assumption that this is about the touched
checks cover the secret nonce k instead of r, which is the x-coord of the public
nonce. A signature with a zero r is invalid by the spec, so we should return 0
to make the caller retry with a different nonce. Overflow is not an issue.

Fixes #720.
2020-03-31 14:58:58 +02:00
Jonas Nick
41fc785602 Make ec_privkey functions aliases for ec_seckey_negate, ec_seckey_tweak_add and ec_seckey_mul 2020-03-30 20:51:47 +00:00
Jonas Nick
5894e1f1df Return 0 if the given seckey is invalid in privkey_negate, privkey_tweak_add and privkey_tweak_mul 2020-03-30 20:51:47 +00:00
Jonas Nick
8f814cddb9 Add test for boundary conditions of scalar_set_b32 with respect to overflows 2020-03-30 20:51:47 +00:00
Jonas Nick
3fec982608 Use scalar_set_b32_seckey in ecdsa_sign, pubkey_create and seckey_verify 2020-03-30 20:51:47 +00:00
Jonas Nick
9ab2cbe0eb Add scalar_set_b32_seckey which does the same as scalar_set_b32 and also returns whether it's a valid secret key 2020-03-30 20:51:47 +00:00
Tim Ruffing
01993878bb Add test for memczero() 2020-03-27 11:07:10 +01:00
Tim Ruffing
52a03512c1 Suppress a harmless variable-time optimization by clang in memczero
This has not been caught by the new constant-time tests because
valgrind currently gives us a zero exit code even if it finds errors, see
https://github.com/bitcoin-core/secp256k1/pull/723#discussion_r388246806 .

This commit also simplifies the arithmetic in memczero.

Note that the timing leak here was the bit whether a secret key was
out of range. This leak is harmless and not exploitable. It is just
our overcautious practice to prefer constant-time code even here.
2020-03-27 10:23:45 +01:00
Elichai Turkel
ca4906b02e
Pass num of iters to benchmarks as variable, and define envvar 2020-03-13 11:48:01 +02:00
Elichai Turkel
02dd5f1bbb
free the ctx at the end of bench_ecdh 2020-03-04 14:14:51 +02:00
Gregory Maxwell
3d2302257f Constant-time behaviour test using valgrind memtest.
Valgrind does bit-level tracking of the "uninitialized" status of memory,
 properly tracks memory which is tainted by any uninitialized memory, and
 warns if any branch or array access depends on an uninitialized bit.

That is exactly the verification we need on secret data to test for
 constant-time behaviour. All we need to do is tell valgrind our
 secret key is actually uninitialized memory.

This adds a valgrind_ctime_test which is compiled if valgrind is installed:

Run it with libtool --mode=execute:
$ libtool --mode=execute valgrind ./valgrind_ctime_test
2020-02-24 18:59:30 +00:00
Tim Ruffing
96d8ccbd16
Merge #710: Eliminate harmless non-constant time operations on secret data.
7b50483ad789081ba158799e5b94330f62932607 Adds a declassify operation to aid constant-time analysis. (Gregory Maxwell)
34a67c773b0871e5797c7ab506d004e80911f120 Eliminate harmless non-constant time operations on secret data. (Gregory Maxwell)

Pull request description:

  There were several places where the code was non-constant time
   for invalid secret inputs.  These are harmless under sane use
   but get in the way of automatic const-time validation.

  (Nonce overflow in signing is not addressed, nor is s==0 in signing)

ACKs for top commit:
  sipa:
    utACK 7b50483ad789081ba158799e5b94330f62932607
  real-or-random:
    ACK 7b50483ad789081ba158799e5b94330f62932607 I read the code carefully and tested it
  jonasnick:
    reACK 7b50483ad789081ba158799e5b94330f62932607

Tree-SHA512: 0776c3a86e723d2f97b9b9cb31d0d0e59dfcf308093b3f46fbc859f73f9957f3fa977d03b57727232040368d058701ef107838f9b1ec98f925ec78ddad495c4e
2020-02-24 14:04:36 +01:00
Gregory Maxwell
7b50483ad7 Adds a declassify operation to aid constant-time analysis.
ECDSA signing has a retry loop for the exceptionally unlikely case
 that S==0.  S is not a secret at this point and this case is so
 rare that it will never be observed but branching on it will trip
 up tools analysing if the code is constant time with respect to
 secrets.

Derandomized ECDSA can also loop on k being zero or overflowing,
 and while k is a secret these cases are too rare (1:2^255) to
 ever observe and are also of no concern.

This adds a function for marking memory as no-longer-secret and
 sets it up for use with the valgrind memcheck constant-time
 test.
2020-02-20 17:27:26 +00:00
Gregory Maxwell
34a67c773b Eliminate harmless non-constant time operations on secret data.
There were several places where the code was non-constant time
 for invalid secret inputs.  These are harmless under sane use
 but get in the way of automatic const-time validation.

(Nonce overflow in signing is not addressed, nor is s==0 in
 signing)
2020-02-20 17:27:03 +00:00
Tim Ruffing
eb45ef3384 Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
and improve style of the ECDH docs.
2020-02-14 16:18:00 +01:00
Tim Ruffing
d72b9e2483
Merge #682: Remove Java Native Interface
642cd062bdd2d28a8a84d4cb6dedbfe435ee5869 Remove Java Native Interface (Jonas Nick)

Pull request description:

  This was discussed in #508. The main reasons are that the existing Java Native Interface (JNI) bindings would need way more work to remain useful to Java developers but the maintainers and regular contributors of libsecp are not very familiar with Java (and evidently are motivated enough to improve the situation). We don't know who relies on these bindings with the exception of ACINQ who have their own fork at https://github.com/ACINQ/secp256k1/tree/jni-embed/src/java (@sstone). Bitcoinj can optionally use the libsecp bindings.

  Ideally, there would be a separate repository owned by Java developers with just the bindings. Until this exists, Java developers relying on libsecp can use ACINQ's fork or an older commit of libsecp.

ACKs for top commit:
  real-or-random:
    ACK 642cd062bdd2d28a8a84d4cb6dedbfe435ee5869 I read the diff
  real-or-random:
    ACK 642cd062bdd2d28a8a84d4cb6dedbfe435ee5869 I read the diff, and I verified that the diff to 7d9066a66c0f13cabb0c4f71aca30edd3494f0d5, which has been ACKed by sipa, is only the additional removal of ax_jni_include_dir.m4

Tree-SHA512: 9e573f2b01897bd5f301707062b41de53424517b537ce0834d9049d003cfd73fa1bcc024b543256016e4c9a1126f7c7fef559b84dc4914083b5a2d0ad5e57ea8
2020-02-10 12:00:35 +01:00