27504d5c94 ci: Move wine prefix to /tmp to avoid error D8037 in cl.exe (Tim Ruffing)
Pull request description:
Don't ask me why this makes a difference. It may be some permission problem even though everything in Cirrus CI runs as root anyway. In any case, I'll probably get mad if I investigate this further.
Fixes#1326.
ACKs for top commit:
hebasto:
ACK 27504d5c94, tested in my personal Cirrus account.
Tree-SHA512: 08bb1734827579b59c705a44ee8fad6d504031eb5659c2743649be95fb048794b95ac0869a994bfa732f7f0714b4d12674c325637fe079b2266f18a3c14bbec0
Don't ask me why this makes a difference. It may be some permission
problem even though everything in Cirrus CI runs as root anyway. In
any case, I'll probably get mad if I investigate this further.
Fixes#1326.
6433175ffe Do not invoke fe_is_zero on failed set_b32_limit (Pieter Wuille)
Pull request description:
Noticed in the CI output of #1313 (https://cirrus-ci.com/task/5117786435878912)
The code violates the field element contract that states that a field element that comes out of a failed `secp256k1_fe_set_b32_limit` call cannot be used before overwriting it. This is not an issue in practice, as such failure can only occur with negligible probability, but the experimental compiler in that CI setting is technically correct in detecting this possibility.
Fix it by setting it to 1 based on a `secp256k1_fe_normalizes_to_zero` test rather than a `secp256k1_fe_is_zero` one (which does not require normalization).
ACKs for top commit:
stratospher:
ACK 6433175
real-or-random:
utACK 6433175ffe
Tree-SHA512: 49da4535181c4607c1f4d23d1fd7cd65e7751c7cfa68643f1da77f3ec7961754fc8553bb415137fd61d86c805fe69f5adf97c05b9dc4d3bf357ae7c6409cc51a
5768b50229 build: Enable -DVERIFY for precomputation binaries (Tim Ruffing)
Pull request description:
because... why not?!
I realized that this can't hurt when working on #1313.
ACKs for top commit:
sipa:
ACK 5768b50229
Tree-SHA512: 2412cb93097f5c7904cfded6816bc5cdc69d958b4023ddaffd6e7575615ac5bfcd3a7cfc9ce2c0b0e6526a6f000dd84ecd32909d9d207a3644aadb5d34905911
31b4bbee1e Make fe_cmov take max of magnitudes (Pieter Wuille)
Pull request description:
This addresses part of #1001.
The magnitude and normalization of the output of `secp256k1_fe_cmov` should not depend on the runtime value of `flag`.
ACKs for top commit:
real-or-random:
utACK 31b4bbee1e
stratospher:
ACK 31b4bbe.
Tree-SHA512: 08bef9f63797cb8a1f3ea63c716c09aaa267dfee285b74ef5fbb47d614569d2787ec73d21bce080214872dfe70246f73cea42ad3c24e6baccecabe3312f71433
3ad1027a40 Revert "Remove unused scratch space from API" (Jonas Nick)
Pull request description:
This reverts commit 712e7f8722.
Removing the scratch space from the API may break bindings to the library.
ACKs for top commit:
sipa:
ACK 3ad1027a40
real-or-random:
ACK 3ad1027a40
Tree-SHA512: ad394c0a2f83fe3a5f400c0e8f2b9bf40037ce4141d4414e6345918f5e6003c61da02a538425a49bdeb5700f5ecb713bd58f5752c0715fb1fcc4950099fdc0e6
8c9ae37a5a Add release note (Pieter Wuille)
350b4bd6e6 Mark stack variables as early clobber for technical correctness (Pieter Wuille)
0c729ba70d Bugfix: mark outputs as early clobber in scalar x86_64 asm (Pieter Wuille)
Pull request description:
ACKs for top commit:
real-or-random:
ACK 8c9ae37a5a
jonasnick:
ACK 8c9ae37a5a
Tree-SHA512: 874d01f5540d14b5188aec25f6441dbc6631f8d3980416040a3e250f1aef75150068415e7a458a9a3fb0d7cbdeb97f5c7e089b187d6d3dd79aa6e45274c241b6
c6bb29b303 build: Rename `64bit` to `x86_64` (Hennadii Stepanov)
03246457a8 autotools: Add `SECP_ARM32_ASM_CHECK` macro (Hennadii Stepanov)
ed4ba238e2 cmake: Add `check_arm32_assembly` function (Hennadii Stepanov)
e5cf4bf3ff build: Rename `arm` to `arm32` (Hennadii Stepanov)
Pull request description:
Closes https://github.com/bitcoin-core/secp256k1/issues/1034.
Solves one item in https://github.com/bitcoin-core/secp256k1/issues/1235.
ACKs for top commit:
real-or-random:
ACK c6bb29b303 tested on x86_64 but not on ARM
Tree-SHA512: c3615a18cfa30bb2cc53be18c09ccab08fc800b84444d8c6b333347b4db039a3981da61e7da5086dd9f4472838d7c031d554be9ddc7c435ba906852bba593982
In the field 5x52 asm for x86_64, stack variables are provided as outputs.
The existing inputs are all forcibly allocated to registers, so cannot
coincide, but mark them as early clobber anyway to make this clearer.
In the existing code, the compiler is allowed to allocate the RSI register
for outputs m0, m1, or m2, which are written to before the input in RSI is
read from. Fix this by marking them as early clobber.
Reported by ehoffman2 in https://github.com/bitcoin-core/secp256k1/issues/766
5b32602295 Split fe_set_b32 into reducing and normalizing variants (Pieter Wuille)
Pull request description:
Follow-up to #1205.
This splits the `secp256k1_fe_set_b32` function into two variants:
* `secp256k1_fe_set_b32_mod`, which returns `void`, reduces modulo the curve order, and only promises weakly normalized output.
* `secp256k1_fe_set_b32_limit`, which returns `int` indicating success/failure, and only promises valid output in case the input is in range (but guarantees it's strongly normalized in this case).
This removes one of the few cases in the codebase where normalization status depends on runtime values, making it fixed at compile-time instead.
ACKs for top commit:
real-or-random:
ACK 5b32602295
jonasnick:
ACK 5b32602295
Tree-SHA512: 4b93502272638c6ecdef4d74afa629e7ee540c0a20b377dccedbe567857b56c4684fad3af4b4293ed7ba35fed4aa5d0beaacdd77a903f44f24e8d87305919b61
cd54ac7c1c schnorrsig: Improve docs of schnorrsig_sign_custom (Tim Ruffing)
28687b0312 schnorrsig: Add BIP340 varlen test vectors (Tim Ruffing)
97a98bed1e schnorrsig: Refactor test vector code to allow varlen messages (Tim Ruffing)
Pull request description:
ACKs for top commit:
sipa:
ACK cd54ac7c1c. I didn't verify the included test vectors match the BIP.
jonasnick:
ACK cd54ac7c1c
Tree-SHA512: 268140e239b703aaf79825de2263675a8c31bef999f013ea532b0cd7b80f2d600d78f3872209a93774ba4dbc0a046108e87d151fc4604882c5636876026a0816
17fa21733a ct: Be cautious and use volatile trick in more "conditional" paths (Tim Ruffing)
5fb336f9ce ct: Use volatile trick in scalar_cond_negate (Tim Ruffing)
Pull request description:
ACKs for top commit:
sipa:
ACK 17fa21733a
jonasnick:
ACK 17fa21733a
Tree-SHA512: 4a0fbee7b1cce4f4647bff697c0e645d93aa8fb49777feef5eb1e1eadce2116bafdcc6175c066ee4fe4bf1340047311e2d7d2c48bb288867a837ecd6c8687121
712e7f8722 Remove unused scratch space from API (Jonas Nick)
Pull request description:
Not sure if we want the typedef and `secp256k1_scratch_space_{create,destroy}` but if we don't keep them then this PR will be a rather large diff.
ACKs for top commit:
sipa:
ACK 712e7f8722
real-or-random:
utACK 712e7f8722
Tree-SHA512: b3a8feb0fe4639d5e48b708ccbf355bca5da658a291f63899086d2bbeb6d0ab33e3dcd55d8984ec7fa803f757b7d02e71bcb7e7eeecaab52ffc70ae85dce8c44
- secp256k1_scalar_cadd_bit
- secp256k1_modinvXX_normalize_YY
- secp256k1_modinvXX_divsteps_ZZ
- ECMULT_CONST_TABLE_GET_GE
Even though those code loations are not problematic right now
(with current compilers).
97c63b9039 Avoid normalize conditional on VERIFY (Pieter Wuille)
Pull request description:
In the old code, `secp256k1_gej_rescale` requires a normalized input in VERIFY mode, but not otherwise. Its requirements shouldn't depend on this mode being enabled or not.
ACKs for top commit:
real-or-random:
utACK 97c63b9039 I've also verified that the loop in secp256k1_ecmult_strauss_wnaf holds up the invariant that the magnitude of Z is 1, even with the normalization removed
jonasnick:
ACK 97c63b9039
Tree-SHA512: 9598c133c6f4e488c74512089dabe0508529f20ca782be1c8fbeae9d7f132da9d570a061053acd3d245a9a187abf1f2581207441ce6aac8d0f8972cf357a349f
7fc642fa25 Simplify secp256k1_fe_{impl_,}verify (Pieter Wuille)
4e176ad5b9 Abstract out verify logic for fe_is_square_var (Pieter Wuille)
4371f98346 Abstract out verify logic for fe_add_int (Pieter Wuille)
89e324c6b9 Abstract out verify logic for fe_half (Pieter Wuille)
283cd80ab4 Abstract out verify logic for fe_get_bounds (Pieter Wuille)
d5aa2f0358 Abstract out verify logic for fe_inv{,_var} (Pieter Wuille)
3167646072 Abstract out verify logic for fe_from_storage (Pieter Wuille)
76d31e5047 Abstract out verify logic for fe_to_storage (Pieter Wuille)
1e6894bdd7 Abstract out verify logic for fe_cmov (Pieter Wuille)
be82bd8e03 Improve comments/checks for fe_sqrt (Pieter Wuille)
6ab35082ef Abstract out verify logic for fe_sqr (Pieter Wuille)
4c25f6efbd Abstract out verify logic for fe_mul (Pieter Wuille)
e179e651cb Abstract out verify logic for fe_add (Pieter Wuille)
7e7ad7ff57 Abstract out verify logic for fe_mul_int (Pieter Wuille)
65d82a3445 Abstract out verify logic for fe_negate (Pieter Wuille)
144670893e Abstract out verify logic for fe_get_b32 (Pieter Wuille)
f7a7666aeb Abstract out verify logic for fe_set_b32 (Pieter Wuille)
ce4d2093e8 Abstract out verify logic for fe_cmp_var (Pieter Wuille)
7d7d43c6dd Improve comments/check for fe_equal{,_var} (Pieter Wuille)
c5e788d672 Abstract out verify logic for fe_is_odd (Pieter Wuille)
d3f3fe8616 Abstract out verify logic for fe_is_zero (Pieter Wuille)
c701d9a471 Abstract out verify logic for fe_clear (Pieter Wuille)
19a2bfeeea Abstract out verify logic for fe_set_int (Pieter Wuille)
864f9db491 Abstract out verify logic for fe_normalizes_to_zero{,_var} (Pieter Wuille)
6c31371120 Abstract out verify logic for fe_normalize_var (Pieter Wuille)
e28b51f522 Abstract out verify logic for fe_normalize_weak (Pieter Wuille)
b6b6f9cb97 Abstract out verify logic for fe_normalize (Pieter Wuille)
7fa5195559 Bugfix: correct SECP256K1_FE_CONST mag/norm fields (Pieter Wuille)
b29566c51b Merge magnitude/normalized fields, move/improve comments (Pieter Wuille)
Pull request description:
Right now, all the logic for propagating/computing the magnitude/normalized fields in `secp256k1_fe` (when `VERIFY` is defined) and the code for checking it, is duplicated across the two field implementations. I believe that is undesirable, as these properties should purely be a function of the performed fe_ functions, and not of the choice of field implementation. This becomes even uglier with #967, which would copy all that, and even needs an additional dimension that would then need to be added to the two other fields. It's also related to #1001, which I think will become easier if it doesn't need to be done/reasoned about separately for every field.
This PR moves all logic around these fields (collectively called field verification) to implementations in field_impl.h, which dispatch to renamed functions in field_*_impl.h for the actual implementation.
Fixes#1060.
ACKs for top commit:
jonasnick:
ACK 7fc642fa25
real-or-random:
ACK 7fc642fa25
Tree-SHA512: 0f94e13fedc47e47859261a182c4077308f8910495691f7e4d7877d9298385172c70e98b4a1e270b6bde4d0062b932607106306bdb35a519cdeab9695a5c71e4
