164 Commits

Author SHA1 Message Date
Peter Dettman
efd953a7a7 Add Jacobi symbol test via GMP
Also add native Jacobi symbol test (Andrew)

Rebased-by: Andrew Poelstra
Rebased-by: Pieter Wuille
2016-07-04 13:16:35 +02:00
Andrew Poelstra
c6191fded8 ecmult_const: unify endomorphism and non-endomorphism skew cases
We now do a skew correction even without the endomorphism optimization,
which costs one additional group addition but unifies a lot of code.
2016-06-30 13:28:47 +00:00
Pieter Wuille
43097a44ef
Merge #390: Update bitcoin-core GitHub links
faa2a11 Update bitcoin-core GitHub links (MarcoFalke)
2016-05-08 19:56:34 +02:00
Jonas Nick
093a497ac9 Add testcase which hits additional branch in secp256k1_scalar_sqr 2016-05-02 20:19:00 -07:00
MarcoFalke
faa2a11ce5 Update bitcoin-core GitHub links 2016-04-29 23:14:45 +02:00
Gregory Maxwell
5d4c5a31b9 Prevent damage_array in the signature test from going out of bounds. 2015-11-26 21:02:27 +00:00
Pieter Wuille
646662517f Improvements for coordinate decompression 2015-11-05 00:04:39 +01:00
Gregory Maxwell
8e48787d97 Change secp256k1_ec_pubkey_combine's count argument to size_t. 2015-10-31 19:04:34 +00:00
Gregory Maxwell
c69dea025a Clear output in more cases for pubkey_combine, adds tests.
Also corrects an outdated comment and adds an additional
 secp256k1_ecdsa_signature_parse_compact test.
2015-10-31 09:52:30 +00:00
Gregory Maxwell
269d422703 Comment copyediting. 2015-10-31 08:31:15 +00:00
Pieter Wuille
b4d17da903
Merge pull request #344
26abce7 Adds 32 static test vectors for scalar mul, sqr, inv. (Gregory Maxwell)
2015-10-31 02:21:35 +01:00
Gregory Maxwell
26abce75ea Adds 32 static test vectors for scalar mul, sqr, inv.
These were generated by testing more than 10^12 random test vectors
 for coverage on instrumented (comparison operator outcomes) 32-bit
 and 64-bit code, plus additional edge condition requirements (e.g.
 inputs of 0, 1, -1) and then solving a minimum set cover problem.

The required responses were generated with Sage.

This significantly improves the lcov branch coverage report and
 makes the tests much more sensitive to mutation testing of the
 scalar code.

The challenges and responses are in the form of pairs of scalars:
  C1 * C2 == R1
  (C1 * C2) * (1 / C2) == C1
  C2 * (1 / C2) == 1
  C1 * C1 == R2
  C1^2    == R2
2015-10-30 21:17:19 +00:00
Gregory Maxwell
5b71a3f460 Better error case handling for pubkey_create & pubkey_serialize, more tests.
Makes secp256k1_ec_pubkey_serialize set the length to zero on failure,
 also makes secp256k1_ec_pubkey_create set the pubkey to zeros when
 the key argument is NULL.

Also adds many additional ARGCHECK tests.
2015-10-30 09:16:40 +00:00
Andrew Poelstra
eed87af10a Change contrib/laxder from headers-only to files compilable as standalone C
Verified that both programs compile with

    gcc -I. -I../include -lsecp256k1 -c -W -Wextra -Wall -Werror -ansi -pedantic lax_der_privatekey_parsing.c
    gcc -I. -I../include -lsecp256k1 -c -W -Wextra -Wall -Werror -ansi -pedantic lax_der_parsing.c
2015-10-29 18:55:49 -05:00
Pieter Wuille
7914a6ebae Make lax_der_privatekey_parsing.h not depend on internal code 2015-10-26 02:53:06 +01:00
Pieter Wuille
9234391ed4 Overhaul flags handling 2015-10-24 19:47:13 +02:00
Rusty Russell
1a368980c8 Make flags more explicit, add runtime checks.
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2015-10-24 19:39:44 +02:00
Gregory Maxwell
96be20463f Add additional tests for eckey and arg-checks.
This gets branch coverage up over 90% for me.
2015-10-22 22:57:33 +00:00
Gregory Maxwell
4a243da47c Move secp256k1_ec_privkey_import/export to contrib.
These functions are intended for compatibility with legacy software,
 and are not normally needed in new secp256k1 applications.

They also do not obeying any particular standard (and likely cannot
 without without undermining their compatibility), and so are a
 better fit for contrib.
2015-10-22 22:57:33 +00:00
Gregory Maxwell
b30fc85c9e Avoid nonce_function_rfc6979 algo16 argument emulation.
This avoids data=NULL and data = zeros to producing the same nonce.

Previously the code tried to avoid the case where some data inputs
 aliased algo16 inputs by always padding out the data.

But because algo16 and data are different lengths they cannot
 emulate each other, and the padding would match a data value of
 all zeros.
2015-10-22 22:57:33 +00:00
Pieter Wuille
0c6ab2ff18 Introduce explicit lower-S normalization
ECDSA signature verification now requires normalized signatures (with S in the
lower half of the range). In case the input cannot be guaranteed to provide this,
a new function secp256k1_ecdsa_signature_normalize is provided to preprocess it.
2015-10-21 16:14:42 +02:00
Pieter Wuille
fea19e7bb7 Add contrib/lax_der_parsing.h
This shows a snippet of code to do lax DER parsing, without obeying to any
particular standard.
2015-10-21 16:14:35 +02:00
Pieter Wuille
3bb9c44719 Rewrite ECDSA signature parsing code
There are now 2 encoding formats supported: 64-byte "compact" and DER.
The latter is strict: the data has to be exact DER, though the values
inside don't need to be valid.
2015-10-21 16:13:37 +02:00
Pieter Wuille
fa57f1bdf1 Use secp256k1_rand_int and secp256k1_rand_bits more
Update the unit tests to make use of the new RNG functions.
2015-10-21 16:13:37 +02:00
Pieter Wuille
49b374985d Add new tests for the extra testrand functions 2015-10-21 16:13:37 +02:00
Gregory Maxwell
67f7da4087 Extensive interface and operations tests for secp256k1_ec_pubkey_parse.
This also makes use of optional valgrind instrumentation if -DVALGRIND
 is set.

This also moves secp256k1.c above secp256k1.h in tests.c or otherwise
 we get non-null macros on the public functions which may defeat some
 of the VERIFY checks.
2015-10-13 19:47:55 +00:00
Pieter Wuille
1f414378b8
Merge pull request #316
2b199de Use the explicit NULL macro for pointer comparisons. (Gregory Maxwell)
2015-09-24 19:36:54 +02:00
Gregory Maxwell
cfe0ed916a Fix miscellaneous style nits that irritate overactive static analysis.
Also increase consistency with how overflow && zero is tested, and
 avoid some mixed declarations and code that GCC wasn't detecting.
2015-09-24 08:42:37 +00:00
Gregory Maxwell
2b199de888 Use the explicit NULL macro for pointer comparisons.
This makes it more clear that a null check is intended. Avoiding the
 use of a pointer as a test condition alse increases the type-safety
 of the comparisons.

(This is also MISRA C 2012 rules 14.4 and 11.9)
2015-09-23 22:00:43 +00:00
Pieter Wuille
dd891e0ed5 Get rid of _t as it is POSIX reserved 2015-09-21 21:03:37 +02:00
Gregory Maxwell
912f203fc5 Eliminate a few unbraced statements that crept into the code.
Also avoids some easily avoided multiple-returns.
2015-09-21 17:21:35 +00:00
Pieter Wuille
eeab823b70
Merge pull request #299
486b9bb Use a flags bitfield for compressed option to secp256k1_ec_pubkey_serialize and secp256k1_ec_privkey_export (Luke Dashjr)
05732c5 Callback data: Accept pointers to either const or non-const data (Luke Dashjr)
1973c73 Bugfix: Reinitialise buffer lengths that have been used as outputs (Luke Dashjr)
788038d Use size_t for lengths (at least in external API) (Luke Dashjr)
c9d7c2a secp256k1_context_set_{error,illegal}_callback: Restore default handler by passing NULL as function argument (Luke Dashjr)
9aac008 secp256k1_context_destroy: Allow NULL argument as a no-op (Luke Dashjr)
64b730b secp256k1_context_create: Use unsigned type for flags bitfield (Luke Dashjr)
2015-09-20 04:59:30 +02:00
Luke Dashjr
486b9bb8ce Use a flags bitfield for compressed option to secp256k1_ec_pubkey_serialize and secp256k1_ec_privkey_export 2015-09-19 19:33:30 +00:00
Luke Dashjr
05732c5a5f Callback data: Accept pointers to either const or non-const data 2015-09-19 19:33:28 +00:00
Luke Dashjr
1973c7379e Bugfix: Reinitialise buffer lengths that have been used as outputs 2015-09-19 19:33:24 +00:00
Luke Dashjr
788038d323 Use size_t for lengths (at least in external API) 2015-09-19 19:33:21 +00:00
Pieter Wuille
a55166950f
Merge pull request #295
c996d53 Print success (Pieter Wuille)
2015-09-19 21:24:31 +02:00
Pieter Wuille
dc0ce9fc41 [API BREAK] Change argument order to out/outin/in 2015-09-04 17:45:57 +02:00
Pieter Wuille
c996d53ab1 Print success 2015-08-28 02:29:08 +02:00
Pieter Wuille
9f443be086 Move pubkey recovery code to separate module 2015-08-28 01:51:52 +02:00
Pieter Wuille
d49abbd5a0 Separate ECDSA recovery tests 2015-08-27 22:47:24 +02:00
Pieter Wuille
439d34adc6 Separate recoverable and normal signatures 2015-08-27 22:47:24 +02:00
Pieter Wuille
a5a66c70b6 Add support for custom EC-Schnorr-SHA256 signatures 2015-08-03 20:08:51 +02:00
Andrew Poelstra
92e53fc4c8 Implement endomorphism optimization for secp256k1_ecmult_const 2015-08-01 10:57:36 -05:00
Andrew Poelstra
ed35d43a0c Make secp256k1_scalar_add_bit conditional; make secp256k1_scalar_split_lambda_var constant time
This has the effect of making `secp256k1_scalar_mul_shift_var` constant
time in both input scalars. Keep the _var name because it is NOT constant
time in the shift amount.

As used in `secp256k1_scalar_split_lambda_var`, the shift is always
the constant 272, so this function becomes constant time, and it
loses the `_var` suffix.
2015-08-01 10:57:36 -05:00
Andrew Poelstra
0739bbb6f0 Add ECDH module which works by hashing the output of ecmult_const 2015-08-01 10:57:33 -05:00
Andrew Poelstra
4401500060 Add constant-time multiply secp256k1_ecmult_const for ECDH
Designed with clear separation of the wNAF conversion, precomputation
and exponentiation (since the precomp at least we will probably want
to separate in the API for users who reuse points a lot.

Future work:
  - actually separate precomp in the API
  - do multiexp rather than single exponentiation
2015-07-31 12:39:09 -05:00
Andrew Poelstra
baa75da59d tests: add a couple tests
- Add zero/one sanity check tests for ecmult

  - Add unit test for secp256k1_scalar_split_lambda_var

  - Typo fix in `ge_equals_ge`; was comparing b->y to itself, should
    have been comparing a->y to b->y

  - Normalize y-coordinate in `random_group_element_test`; this is
    needed to pass random group elements as the first argument to
    `ge_equals_ge`, which I will do in a future commit.
2015-07-29 13:26:12 -05:00
Pieter Wuille
995c548771 Introduce callback functions for dealing with errors. 2015-07-26 18:08:38 +02:00
Pieter Wuille
18c329c506 Remove the internal secp256k1_ecdsa_sig_t type 2015-07-26 16:52:17 +02:00