9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small (Jonas Nick)
Pull request description:
`ecmult_multi` already selects the trivial algorithm if the scratch space is NULL. With this PR the trivial algorithm is also selected if the scratch space is too small to use pippenger or strauss instead of returning 0. That makes it more easier to avoid consensus relevant inconsistencies just because scratch space construction was messed up.
ACKs for commit 9ab96f:
real-or-random:
utACK 9ab96f7
Tree-SHA512: aa451adf8880af15cf167a59cb07fc411edc43f26c8eb0873bdae2774382ba182e2a1c54487912f8f2999cb0402d554b9d293e2fb9483234471348a1f43c6653
Broken by 3f3964e4.
It's important that the tests are also run without -DVERIFY due to
the possibility that side-effects of a VERIFY_CHECK fix a bug that
would otherwise be detected.
Use of the verify_check macro in tests isn't sufficient.
This makes WINDOW_G a configurable value in the range of [2..24].
The upper limit of 24 is a defensive choice. The code is probably
correct for values up to 27 but those larger values yield in huge
tables (>= 256MiB), which are i) unlikely to be really beneficial
in practice and ii) increasingly difficult to test.
This changes pointer calculations in size comparions to a form that
ensures that no out-of-bound pointers are computed, because even their
computation yields undefined behavior.
Also, this changes size comparions to a form that ensures that neither
the left-hand side nor the right-hand side can overflow.
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config (DesWurstes)
310111e Keep LDFLAGS if `--coverage` (DesWurstes)
Pull request description:
Update: **This is a trimmed pull request with strong rationale.**
- Adding `--coverage` shouldn't reset `LDFLAGS`, this is definitely a typo
- The basic configuration should undefine `STATIC_PRECOMPUTATION`, as generating it is not supported and it complicates #549
Tree-SHA512: 29f0dd4c870ec60d535346446b453da459ca843ed1265c2bc966bf0fcbdf3c5c79f9e48a419662e81d790a7003f8877a16e2a5a74aa5c0b79645e15ad56a0f66
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...) (practicalswift)
Pull request description:
Make sure we're not using an uninitialized variable in `secp256k1_wnaf_const(...)`:
```
In file included from src/secp256k1.c:15:0,
from src/tests.c:17:
src/ecmult_const_impl.h: In function ‘secp256k1_wnaf_const’:
src/ecmult_const_impl.h:117:20: warning: ‘u’ may be used uninitialized in this function [-Wmaybe-uninitialized]
wnaf[word] = u * global_sign;
^
```
**Note to reviewers:** Perhaps an `assert(…);` is a bit drastic. What would be a more graceful way to handle this? :-)
Tree-SHA512: 536cd7cc5b87a84fbaac578cecbba81b8d82e4672a30a2db9a674b82856132e79b0158a6a88609bc24942ebdbf1fcd2c4399a4c31ab0654b88ace9c0e6f1eaf3
8979ec0 Pass scalar by reference in secp256k1_wnaf_const() (Tim Ruffing)
Pull request description:
After this change, no struct or union is passed by value in the
entire codebase. This makes it easier to compile the library with
CompCert.
Tree-SHA512: 6b23e2b39701c3eeb6ae8c8d660cabe8872ac8f13141504c1ec55c47f2009e206129b34b31796e618114b60350598187df6df4c2be0e5c1b138a6126ad6a7484
The constraint "n" is a more obscure setting which is needed for
special cases that don't apply to our use.
Use of "n" exposed some bugs in pre-release versions of clang.
This fixes#594
be40c4d Fixup for C90 mixed declarations. (Gregory Maxwell)
8b3841c fix bug in fread() failure check (Don Viszneki)
cddef0c tests: add warning message when /dev/urandom fails (Don Viszneki)
Pull request description:
I've made two small changes to `src/tests.c` circa random seed generation.
Added a warning when `/dev/urandom` fails, mostly to defend against the case that someone should use the code verbatim, but also to enhance its illustrative power.
Also I fixed a bug with how the return value of `fread()` was being evaluated. In fact, `/dev/urandom` was never being applied before as the check on the return value of `fread()` always failed!
Tree-SHA512: 239dbe8316220c2f0e5b370bf9a18f78196e96cc4a7edea58cf2521b2c9cbc8da065be96aa859f90324d57e388d30f7670ce6bc1cca52e5162e5ca66b1a55b34
d3cb1f9 Make use of TAG_PUBKEY constants in secp256k1_eckey_pubkey_parse (Ben Woosley)
Pull request description:
This results in more self-documenting code.
Constants defined here:
1e6f1f5ad5/include/secp256k1.h (L175-L180)
Tree-SHA512: 2026103c487a5ebdea9a2f5ec2be96d74e38d5b2269b4df11e354bb54aba2925b47c3185f530205019840b00fc3501121acfa5234faf1d095d71777826414f69
0f05173 Fix algorithm selection in bench_ecmult (Jonas Nick)
Pull request description:
Without this commit using an unknown argument results in a segmentation fault.
Tree-SHA512: 85b8f977e62fa360ff6dc923bd86f08725c30e178d58f43d33cbd8eb69e54fa4ec76e4407624611a80554cf9961689bce6b216da735ac95b256d0d2f60fe3328
6198375 Make randomization of a non-signing context a noop (Tim Ruffing)
Pull request description:
Before this commit secp256k1_context_randomize called illegal_callback
when called on a context not initialized for signing. This is not
documented. Moreover, it is not desirable because non-signing contexts
may use randomization in the future.
This commit makes secp256k1_context_randomize a noop in this case. This
is safe because the context cannot be used for signing anyway.
This fixes#573 and it fixesrust-bitcoin/rust-secp256k1#82.
Tree-SHA512: 34ddfeb004d9da8f4a77c739fa2110544c28939378e779226da52f410a0e36b3aacb3ebd2e3f3918832a9027684c161789cfdc27a133f2f0e0f1c47e8363029c
52ab96f clean dependendies in field_*_impl.h (Russell O'Connor)
deff5ed Correct math typos in field_*.h (Russell O'Connor)
4efb3f8 Add check that restrict pointers don't alias with all parameters. (Russell O'Connor)
Pull request description:
* add more checks for restrict pointers.
* correct math typos.
* refine dependencies on "num.h"
Tree-SHA512: c368f577927db2ace3e7f46850cb2fdf9d7d169b698a9697767e1f82e9e7091f2b2fea0f7cf173048eb4c1bb56824c884fa849c04c595ee97766c01f346a54ec
9bd89c8 Optimize secp256k1_fe_normalize_weak calls. Move secp256k1_fe_normalize_weak calls out of ECMULT_TABLE_GET_GE and ECMULT_TABLE_GET_GE_STORAGE and into secp256k1_ge_globalz_set_table_gej instead. (Russell O'Connor)
Pull request description:
Move secp256k1_fe_normalize_weak calls out of ECMULT_TABLE_GET_GE and ECMULT_TABLE_GET_GE_STORAGE and into secp256k1_ge_globalz_set_table_gej instead.
Tree-SHA512: 7bbb1aca8e37a268a26d7061bd1f390db129e697792f1d5ddd10ea34927616edc26ef118b500c3e5e14d1d463196033ef64e4d34b765380325c24835458b7a9b
Before this commit secp256k1_context_randomize called illegal_callback
when called on a context not initialized for signing. This is not
documented. Moreover, it is not desirable because non-signing contexts
may use randomization in the future.
This commit makes secp256k1_context_randomize a noop in this case. This
is safe because the context cannot be used for signing anyway.
This fixes#573 and it fixesrust-bitcoin/rust-secp256k1#82.
If we’re in the last loop iteration, then `lenleft == 1` and it could
be the case that `ret == MAX_SIZE`, and so `ret + lenleft` will
overflow to 0 and the sanity check will not catch it. Then we will
return `(int) MAX_SIZE`, which should be avoided because this value is
implementation-defined. (However, this is harmless because
`(int) MAX_SIZE == -1` on all supported platforms.)
