Skip to content

Commit

Permalink
Squashed 'src/secp256k1/' changes from b19c000..2ed54da
Browse files Browse the repository at this point in the history
2ed54da Merge dashpay#755: Recovery signing: add to constant time test, and eliminate non ct operators
2860950 Add tests for the cmov implementations
73596a8 Add ecdsa_sign_recoverable to the ctime tests
2876af4 Split ecdsa_sign logic into a new function and use it from ecdsa_sign and recovery
5e1c885 Merge dashpay#754: Fix uninit values passed into cmov
f79a7ad Add valgrind uninit check to cmovs output
05d315a Merge dashpay#752: autoconf: Use ":" instead of "dnl" as a noop
a39c2b0 Fixed UB(arithmetics on uninit values) in cmovs
3a6fd7f Merge dashpay#750: Add macOS to the CI
5e8747a autoconf: Use ":" instead of "dnl" as a noop
71757da Explictly pass SECP256K1_BENCH_ITERS to the benchmarks in travis.sh
99bd661 Replace travis_wait with a loop printing "\a" to stdout every minute
bc818b1 Bump travis Ubuntu from xenial(16.04) to bionic(18.04)
0c5ff90 Add macOS support to travis
b6807d9 Move travis script into a standalone sh file
f39f99b Merge dashpay#701: Make ec_ arithmetic more consistent and add documentation
39198a0 Merge dashpay#732: Retry if r is zero during signing
59a8de8 Merge dashpay#742: Fix typo in ecmult_const_impl.h
4e28465 Fix typo in ecmult_const_impl.h
f862b4c Merge dashpay#740: Make recovery/main_impl.h non-executable
ffef45c Make recovery/main_impl.h non-executable
2361b37 Merge dashpay#735: build: fix OpenSSL EC detection on macOS
3b7d26b build: add SECP_TEST_INCLUDES to bench_verify CPPFLAGS
84b5fc5 build: fix OpenSSL EC detection on macOS
37ed51a Make ecdsa_sig_sign constant-time again after reverting 25e3cfb
93d343b Revert "ecdsa_impl: replace scalar if-checks with VERIFY_CHECKs in ecdsa_sig_sign"
7e3952a Clarify documentation of tweak functions.
89853a0 Make tweak function documentation more consistent.
41fc785 Make ec_privkey functions aliases for ec_seckey_negate, ec_seckey_tweak_add and ec_seckey_mul
22911ee Rename private key to secret key in public API (with the exception of function names)
5a73f14 Mention that value is unspecified for In/Out parameters if the function returns 0
f03df0e Define valid ECDSA keys in the documentation of seckey_verify
5894e1f Return 0 if the given seckey is invalid in privkey_negate, privkey_tweak_add and privkey_tweak_mul
8f814cd Add test for boundary conditions of scalar_set_b32 with respect to overflows
3fec982 Use scalar_set_b32_seckey in ecdsa_sign, pubkey_create and seckey_verify
9ab2cbe Add scalar_set_b32_seckey which does the same as scalar_set_b32 and also returns whether it's a valid secret key
4f27e34 Merge dashpay#728: Suppress a harmless variable-time optimization by clang in memczero
0199387 Add test for memczero()
52a0351 Suppress a harmless variable-time optimization by clang in memczero
8f78e20 Merge dashpay#722: Context isn't freed in the ECDH benchmark
ed1b911 Merge dashpay#700: Allow overriding default flags
85b35af Add running benchmarks regularly and under valgrind in travis
ca4906b Pass num of iters to benchmarks as variable, and define envvar
02dd5f1 free the ctx at the end of bench_ecdh
e9fccd4 Merge dashpay#708: Constant-time behaviour test using valgrind memtest.
08fb6c4 Run valgrind_ctime_test in travis
3d23022 Constant-time behaviour test using valgrind memtest.
96d8ccb Merge dashpay#710: Eliminate harmless non-constant time operations on secret data.
0585b8b Merge dashpay#718: Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
7b50483 Adds a declassify operation to aid constant-time analysis.
34a67c7 Eliminate harmless non-constant time operations on secret data.
ca739cb Compile with optimization flag -O2 by default instead of -O3
eb45ef3 Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
856a01d Merge dashpay#714: doc: document the length requirements of output parameter.
d72b9e2 Merge dashpay#682: Remove Java Native Interface
4b48a43 doc: document the length requirements of output parameter.
1b4d256 Merge dashpay#713: Docstrings
dabfea7 field: extend docstring of secp256k1_fe_normalize
dc7d8fd scalar: extend docstring of secp256k1_scalar_set_b32
074ab58 Merge dashpay#704: README: add a section for test coverage
acb7f97 README: add a section for test coverage
227a4f2 Merge dashpay#709: Remove secret-dependant non-constant time operation in ecmult_const.
d567b77 Clarify comments about use of rzr on ge functions and abs function.
2241ae6 Remove secret-dependant non-constant time operation in ecmult_const.
642cd06 Remove Java Native Interface
83fb1bc Remove -O2 from default CFLAGS because this would override the -O3 flag (see AC_PROG_CC in the Autoconf manual)
ecba813 Append instead of Prepend user-CFLAGS to default CFLAGS allowing the user to override default variables
613c34c Remove test in configure.ac because it doesn't have an effect
f45d897 Merge dashpay#703: Overhaul README.md
2e759ec Overhaul README.md
d644dda Merge dashpay#689: Remove "except in benchmarks" exception for fp math
bde2a32 Convert bench.h to fixed-point math
387d723 Merge dashpay#679: Add SECURITY.md
0db61d2 Merge dashpay#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge dashpay#690: Add valgrind check to travis
544002c Merge dashpay#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge dashpay#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge dashpay#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge dashpay#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge dashpay#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge dashpay#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge dashpay#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge dashpay#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge dashpay#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge dashpay#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge dashpay#654: Fix typo (∞)
ef83281 Merge pull request dashpay#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge dashpay#583: JNI: fix use sig array
e95f8ab Merge dashpay#644: Avoid optimizing out a verify_check
384f556 Merge dashpay#652: README.md: update instruction to run tests
ee56acc Merge dashpay#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge dashpay#640: scalar_impl.h: fix includes
d99bec2 Merge dashpay#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge dashpay#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge dashpay#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge dashpay#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge dashpay#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge dashpay#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge dashpay#627: Guard memcmp in tests against mixed size inputs.
544435f Merge dashpay#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge dashpay#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge dashpay#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge dashpay#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge dashpay#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge dashpay#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge dashpay#626: Revert "Merge dashpay#620: Install headers automatically"
662918c Revert "Merge dashpay#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge dashpay#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge dashpay#620: Install headers automatically
5df77a0 Merge dashpay#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge dashpay#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge dashpay#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge dashpay#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 2ed54da
  • Loading branch information
sipa committed Jun 9, 2020
1 parent 5424598 commit 67f232b
Show file tree
Hide file tree
Showing 63 changed files with 2,392 additions and 2,436 deletions.
1 change: 1 addition & 0 deletions .gitignore
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ bench_internal
tests
exhaustive_tests
gen_context
valgrind_ctime_test
*.exe
*.so
*.a
Expand Down
72 changes: 56 additions & 16 deletions .travis.yml
Original file line number Diff line number Diff line change
@@ -1,18 +1,23 @@
language: c
os: linux
os:
- linux
- osx

dist: bionic
# Valgrind currently supports upto macOS 10.13, the latest xcode of that version is 10.1
osx_image: xcode10.1
addons:
apt:
packages: libgmp-dev
packages:
- libgmp-dev
- valgrind
- libtool-bin
compiler:
- clang
- gcc
cache:
directories:
- src/java/guava/
env:
global:
- FIELD=auto BIGNUM=auto SCALAR=auto ENDOMORPHISM=no STATICPRECOMPUTATION=yes ASM=no BUILD=check EXTRAFLAGS= HOST= ECDH=no RECOVERY=no EXPERIMENTAL=no JNI=no
- GUAVA_URL=https://search.maven.org/remotecontent?filepath=com/google/guava/guava/18.0/guava-18.0.jar GUAVA_JAR=src/java/guava/guava-18.0.jar
- FIELD=auto BIGNUM=auto SCALAR=auto ENDOMORPHISM=no STATICPRECOMPUTATION=yes ECMULTGENPRECISION=auto ASM=no BUILD=check EXTRAFLAGS= HOST= ECDH=no RECOVERY=no EXPERIMENTAL=no CTIMETEST=yes BENCH=yes ITERS=2
matrix:
- SCALAR=32bit RECOVERY=yes
- SCALAR=32bit FIELD=32bit ECDH=yes EXPERIMENTAL=yes
Expand All @@ -26,43 +31,78 @@ env:
- BIGNUM=no
- BIGNUM=no ENDOMORPHISM=yes RECOVERY=yes EXPERIMENTAL=yes
- BIGNUM=no STATICPRECOMPUTATION=no
- BUILD=distcheck
- EXTRAFLAGS=CPPFLAGS=-DDETERMINISTIC
- EXTRAFLAGS=CFLAGS=-O0
- BUILD=check-java JNI=yes ECDH=yes EXPERIMENTAL=yes
- BUILD=distcheck CTIMETEST= BENCH=
- CPPFLAGS=-DDETERMINISTIC
- CFLAGS=-O0 CTIMETEST=
- ECMULTGENPRECISION=2
- ECMULTGENPRECISION=8
- VALGRIND=yes ENDOMORPHISM=yes BIGNUM=no ASM=x86_64 EXPERIMENTAL=yes ECDH=yes RECOVERY=yes EXTRAFLAGS="--disable-openssl-tests" CPPFLAGS=-DVALGRIND BUILD=
- VALGRIND=yes BIGNUM=no ASM=x86_64 EXPERIMENTAL=yes ECDH=yes RECOVERY=yes EXTRAFLAGS="--disable-openssl-tests" CPPFLAGS=-DVALGRIND BUILD=
matrix:
fast_finish: true
include:
- compiler: clang
os: linux
env: HOST=i686-linux-gnu ENDOMORPHISM=yes
addons:
apt:
packages:
- gcc-multilib
- libgmp-dev:i386
- valgrind
- libtool-bin
- libc6-dbg:i386
- compiler: clang
env: HOST=i686-linux-gnu
os: linux
addons:
apt:
packages:
- gcc-multilib
- valgrind
- libtool-bin
- libc6-dbg:i386
- compiler: gcc
env: HOST=i686-linux-gnu ENDOMORPHISM=yes
os: linux
addons:
apt:
packages:
- gcc-multilib
- valgrind
- libtool-bin
- libc6-dbg:i386
- compiler: gcc
os: linux
env: HOST=i686-linux-gnu
addons:
apt:
packages:
- gcc-multilib
- libgmp-dev:i386
before_install: mkdir -p `dirname $GUAVA_JAR`
install: if [ ! -f $GUAVA_JAR ]; then wget $GUAVA_URL -O $GUAVA_JAR; fi
- valgrind
- libtool-bin
- libc6-dbg:i386

# We use this to install macOS dependencies instead of the built in `homebrew` plugin,
# because in xcode earlier than 11 they have a bug requiring updating the system which overall takes ~8 minutes.
# https://travis-ci.community/t/macos-build-fails-because-of-homebrew-bundle-unknown-command/7296
before_install:
- if [ "${TRAVIS_OS_NAME}" = "osx" ]; then HOMEBREW_NO_AUTO_UPDATE=1 brew install gmp valgrind gcc@9; fi

before_script: ./autogen.sh

# travis auto terminates jobs that go for 10 minutes without printing to stdout, but travis_wait doesn't work well with forking programs like valgrind (https://docs.travis-ci.com/user/common-build-problems/#build-times-out-because-no-output-was-received https://github.com/bitcoin-core/secp256k1/pull/750#issuecomment-623476860)
script:
- if [ -n "$HOST" ]; then export USE_HOST="--host=$HOST"; fi
- if [ "x$HOST" = "xi686-linux-gnu" ]; then export CC="$CC -m32"; fi
- ./configure --enable-experimental=$EXPERIMENTAL --enable-endomorphism=$ENDOMORPHISM --with-field=$FIELD --with-bignum=$BIGNUM --with-scalar=$SCALAR --enable-ecmult-static-precomputation=$STATICPRECOMPUTATION --enable-module-ecdh=$ECDH --enable-module-recovery=$RECOVERY --enable-jni=$JNI $EXTRAFLAGS $USE_HOST && make -j2 $BUILD
- function keep_alive() { while true; do echo -en "\a"; sleep 60; done }
- keep_alive &
- ./contrib/travis.sh
- kill %keep_alive

after_script:
- cat ./tests.log
- cat ./exhaustive_tests.log
- cat ./valgrind_ctime_test.log
- cat ./bench.log
- $CC --version
- valgrind --version
62 changes: 17 additions & 45 deletions Makefile.am
Original file line number Diff line number Diff line change
@@ -1,13 +1,8 @@
ACLOCAL_AMFLAGS = -I build-aux/m4

lib_LTLIBRARIES = libsecp256k1.la
if USE_JNI
JNI_LIB = libsecp256k1_jni.la
noinst_LTLIBRARIES = $(JNI_LIB)
else
JNI_LIB =
endif
include_HEADERS = include/secp256k1.h
include_HEADERS += include/secp256k1_preallocated.h
noinst_HEADERS =
noinst_HEADERS += src/scalar.h
noinst_HEADERS += src/scalar_4x64.h
Expand Down Expand Up @@ -39,8 +34,6 @@ noinst_HEADERS += src/field_5x52.h
noinst_HEADERS += src/field_5x52_impl.h
noinst_HEADERS += src/field_5x52_int128_impl.h
noinst_HEADERS += src/field_5x52_asm_impl.h
noinst_HEADERS += src/java/org_bitcoin_NativeSecp256k1.h
noinst_HEADERS += src/java/org_bitcoin_Secp256k1Context.h
noinst_HEADERS += src/util.h
noinst_HEADERS += src/scratch.h
noinst_HEADERS += src/scratch_impl.h
Expand Down Expand Up @@ -74,16 +67,19 @@ endif

libsecp256k1_la_SOURCES = src/secp256k1.c
libsecp256k1_la_CPPFLAGS = -DSECP256K1_BUILD -I$(top_srcdir)/include -I$(top_srcdir)/src $(SECP_INCLUDES)
libsecp256k1_la_LIBADD = $(JNI_LIB) $(SECP_LIBS) $(COMMON_LIB)
libsecp256k1_la_LIBADD = $(SECP_LIBS) $(COMMON_LIB)

libsecp256k1_jni_la_SOURCES = src/java/org_bitcoin_NativeSecp256k1.c src/java/org_bitcoin_Secp256k1Context.c
libsecp256k1_jni_la_CPPFLAGS = -DSECP256K1_BUILD $(JNI_INCLUDES)
if VALGRIND_ENABLED
libsecp256k1_la_CPPFLAGS += -DVALGRIND
endif

noinst_PROGRAMS =
if USE_BENCHMARK
noinst_PROGRAMS += bench_verify bench_sign bench_internal bench_ecmult
bench_verify_SOURCES = src/bench_verify.c
bench_verify_LDADD = libsecp256k1.la $(SECP_LIBS) $(SECP_TEST_LIBS) $(COMMON_LIB)
# SECP_TEST_INCLUDES are only used here for CRYPTO_CPPFLAGS
bench_verify_CPPFLAGS = -DSECP256K1_BUILD $(SECP_TEST_INCLUDES)
bench_sign_SOURCES = src/bench_sign.c
bench_sign_LDADD = libsecp256k1.la $(SECP_LIBS) $(SECP_TEST_LIBS) $(COMMON_LIB)
bench_internal_SOURCES = src/bench_internal.c
Expand All @@ -99,6 +95,12 @@ if USE_TESTS
noinst_PROGRAMS += tests
tests_SOURCES = src/tests.c
tests_CPPFLAGS = -DSECP256K1_BUILD -I$(top_srcdir)/src -I$(top_srcdir)/include $(SECP_INCLUDES) $(SECP_TEST_INCLUDES)
if VALGRIND_ENABLED
tests_CPPFLAGS += -DVALGRIND
noinst_PROGRAMS += valgrind_ctime_test
valgrind_ctime_test_SOURCES = src/valgrind_ctime_test.c
valgrind_ctime_test_LDADD = libsecp256k1.la $(SECP_LIBS) $(SECP_TEST_LIBS) $(COMMON_LIB)
endif
if !ENABLE_COVERAGE
tests_CPPFLAGS += -DVERIFY
endif
Expand All @@ -119,42 +121,12 @@ exhaustive_tests_LDFLAGS = -static
TESTS += exhaustive_tests
endif

JAVAROOT=src/java
JAVAORG=org/bitcoin
JAVA_GUAVA=$(srcdir)/$(JAVAROOT)/guava/guava-18.0.jar
CLASSPATH_ENV=CLASSPATH=$(JAVA_GUAVA)
JAVA_FILES= \
$(JAVAROOT)/$(JAVAORG)/NativeSecp256k1.java \
$(JAVAROOT)/$(JAVAORG)/NativeSecp256k1Test.java \
$(JAVAROOT)/$(JAVAORG)/NativeSecp256k1Util.java \
$(JAVAROOT)/$(JAVAORG)/Secp256k1Context.java

if USE_JNI

$(JAVA_GUAVA):
@echo Guava is missing. Fetch it via: \
wget https://search.maven.org/remotecontent?filepath=com/google/guava/guava/18.0/guava-18.0.jar -O $(@)
@false

.stamp-java: $(JAVA_FILES)
@echo Compiling $^
$(AM_V_at)$(CLASSPATH_ENV) javac $^
@touch $@

if USE_TESTS

check-java: libsecp256k1.la $(JAVA_GUAVA) .stamp-java
$(AM_V_at)java -Djava.library.path="./:./src:./src/.libs:.libs/" -cp "$(JAVA_GUAVA):$(JAVAROOT)" $(JAVAORG)/NativeSecp256k1Test

endif
endif

if USE_ECMULT_STATIC_PRECOMPUTATION
CPPFLAGS_FOR_BUILD +=-I$(top_srcdir)
CPPFLAGS_FOR_BUILD +=-I$(top_srcdir) -I$(builddir)/src

gen_context_OBJECTS = gen_context.o
gen_context_BIN = gen_context$(BUILD_EXEEXT)
gen_%.o: src/gen_%.c
gen_%.o: src/gen_%.c src/libsecp256k1-config.h
$(CC_FOR_BUILD) $(CPPFLAGS_FOR_BUILD) $(CFLAGS_FOR_BUILD) -c $< -o $@

$(gen_context_BIN): $(gen_context_OBJECTS)
Expand All @@ -168,10 +140,10 @@ $(bench_ecmult_OBJECTS): src/ecmult_static_context.h
src/ecmult_static_context.h: $(gen_context_BIN)
./$(gen_context_BIN)

CLEANFILES = $(gen_context_BIN) src/ecmult_static_context.h $(JAVAROOT)/$(JAVAORG)/*.class .stamp-java
CLEANFILES = $(gen_context_BIN) src/ecmult_static_context.h
endif

EXTRA_DIST = autogen.sh src/gen_context.c src/basic-config.h $(JAVA_FILES)
EXTRA_DIST = autogen.sh src/gen_context.c src/basic-config.h

if ENABLE_MODULE_ECDH
include src/modules/ecdh/Makefile.am.include
Expand Down
65 changes: 54 additions & 11 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,17 +3,22 @@ libsecp256k1

[![Build Status](https://travis-ci.org/bitcoin-core/secp256k1.svg?branch=master)](https://travis-ci.org/bitcoin-core/secp256k1)

Optimized C library for EC operations on curve secp256k1.
Optimized C library for ECDSA signatures and secret/public key operations on curve secp256k1.

This library is a work in progress and is being used to research best practices. Use at your own risk.
This library is intended to be the highest quality publicly available library for cryptography on the secp256k1 curve. However, the primary focus of its development has been for usage in the Bitcoin system and usage unlike Bitcoin's may be less well tested, verified, or suffer from a less well thought out interface. Correct usage requires some care and consideration that the library is fit for your application's purpose.

Features:
* secp256k1 ECDSA signing/verification and key generation.
* Adding/multiplying private/public keys.
* Serialization/parsing of private keys, public keys, signatures.
* Constant time, constant memory access signing and pubkey generation.
* Derandomized DSA (via RFC6979 or with a caller provided function.)
* Additive and multiplicative tweaking of secret/public keys.
* Serialization/parsing of secret keys, public keys, signatures.
* Constant time, constant memory access signing and public key generation.
* Derandomized ECDSA (via RFC6979 or with a caller provided function.)
* Very efficient implementation.
* Suitable for embedded systems.
* Optional module for public key recovery.
* Optional module for ECDH key exchange (experimental).

Experimental features have not received enough scrutiny to satisfy the standard of quality of this library but are made available for testing and review by the community. The APIs of these features should not be considered stable.

Implementation details
----------------------
Expand All @@ -23,11 +28,12 @@ Implementation details
* Extensive testing infrastructure.
* Structured to facilitate review and analysis.
* Intended to be portable to any system with a C89 compiler and uint64_t support.
* No use of floating types.
* Expose only higher level interfaces to minimize the API surface and improve application security. ("Be difficult to use insecurely.")
* Field operations
* Optimized implementation of arithmetic modulo the curve's field size (2^256 - 0x1000003D1).
* Using 5 52-bit limbs (including hand-optimized assembly for x86_64, by Diederik Huys).
* Using 10 26-bit limbs.
* Using 10 26-bit limbs (including hand-optimized assembly for 32-bit ARM, by Wladimir J. van der Laan).
* Field inverses and square roots using a sliding window over blocks of 1s (by Peter Dettman).
* Scalar operations
* Optimized implementation without data-dependent branches of arithmetic modulo the curve's order.
Expand All @@ -45,9 +51,11 @@ Implementation details
* Optionally (off by default) use secp256k1's efficiently-computable endomorphism to split the P multiplicand into 2 half-sized ones.
* Point multiplication for signing
* Use a precomputed table of multiples of powers of 16 multiplied with the generator, so general multiplication becomes a series of additions.
* Access the table with branch-free conditional moves so memory access is uniform.
* No data-dependent branches
* The precomputed tables add and eventually subtract points for which no known scalar (private key) is known, preventing even an attacker with control over the private key used to control the data internally.
* Intended to be completely free of timing sidechannels for secret-key operations (on reasonable hardware/toolchains)
* Access the table with branch-free conditional moves so memory access is uniform.
* No data-dependent branches
* Optional runtime blinding which attempts to frustrate differential power analysis.
* The precomputed tables add and eventually subtract points for which no known scalar (secret key) is known, preventing even an attacker with control over the secret key used to control the data internally.

Build steps
-----------
Expand All @@ -57,5 +65,40 @@ libsecp256k1 is built using autotools:
$ ./autogen.sh
$ ./configure
$ make
$ ./tests
$ make check
$ sudo make install # optional

Exhaustive tests
-----------

$ ./exhaustive_tests

With valgrind, you might need to increase the max stack size:

$ valgrind --max-stackframe=2500000 ./exhaustive_tests

Test coverage
-----------

This library aims to have full coverage of the reachable lines and branches.

To create a test coverage report, configure with `--enable-coverage` (use of GCC is necessary):

$ ./configure --enable-coverage

Run the tests:

$ make check

To create a report, `gcovr` is recommended, as it includes branch coverage reporting:

$ gcovr --exclude 'src/bench*' --print-summary

To create a HTML report with coloured and annotated source code:

$ gcovr --exclude 'src/bench*' --html --html-details -o coverage.html

Reporting a vulnerability
------------

See [SECURITY.md](SECURITY.md)
15 changes: 15 additions & 0 deletions SECURITY.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,15 @@
# Security Policy

## Reporting a Vulnerability

To report security issues send an email to secp256k1-security@bitcoincore.org (not for support).

The following keys may be used to communicate sensitive information to developers:

| Name | Fingerprint |
|------|-------------|
| Pieter Wuille | 133E AC17 9436 F14A 5CF1 B794 860F EB80 4E66 9320 |
| Andrew Poelstra | 699A 63EF C17A D3A9 A34C FFC0 7AD0 A91C 40BD 0091 |
| Tim Ruffing | 09E0 3F87 1092 E40E 106E 902B 33BC 86AB 80FF 5516 |

You can import a key by running the following command with that individual’s fingerprint: `gpg --recv-keys "<fingerprint>"` Ensure that you put quotes around fingerprints containing spaces.
Loading

0 comments on commit 67f232b

Please sign in to comment.