Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Specifying -datadir= to a non existent path creates directories or fails to stderr #337

Closed
jburkle opened this issue Jun 21, 2011 · 1 comment

Comments

@jburkle
Copy link
Contributor

jburkle commented Jun 21, 2011

I experienced this while testing out testnet-in-a-box. If I specify a path to a directory that does not exist, but is 1 directory level lower than an actual path, I get a "missing bitcoin.conf" error:

candide@candide-VirtualBox:/code/bitcoin_testinbox$ bitcoin -datadir=/home/candide/code/bitcoin_testinbox/asdf/ -daemon
candide@candide-VirtualBox:
/code/bitcoin_testinbox$ bitcoin server starting

candide@candide-VirtualBox:~/code/bitcoin_testinbox$ Warning: To use the "-daemon" option, you must set rpcpassword=
in the configuration file: /home/candide/code/bitcoin_testinbox/asdf/bitcoin.conf
If the file does not exist, create it with owner-readable-only file permissions.

10:58:06 PM: Debug: In file ./src/unix/threadpsx.cpp at line 253: 'pthread_mutex_destroy()' failed with error 0x00000010 (Device or resource busy).

Also, the program actually creates the non existent directory.

Additionally, If I specify a path more than 1 directory level lower than an existing path, I get a much more verbose error to stderr:

candide@candide-VirtualBox:/code/bitcoin_testinbox$ bitcoin -datadir=/home/candide/code/bitcoin_testinbox/asdf/new/dir -daemon
candide@candide-VirtualBox:
/code/bitcoin_testinbox$


EXCEPTION: N5boost16exception_detail10clone_implINS0_19error_info_injectorINS_10filesystem22basic_filesystem_errorINS3_10basic_pathISsNS3_11path_traitsEEEEEEEEE
boost::filesystem::create_directory: No such file or directory: "/home/candide/code/bitcoin_testinbox/asdf/new/dir"
bitcoin in AppInit()


EXCEPTION: >N5boost16exception_detail10clone_implINS0_19error_info_injectorINS_10filesystem22basic_filesystem_errorINS3_10basic_pathISsNS3_11path_traitsEEEEEEEEE
boost::filesystem::create_directory: No such file or directory: "/home/candide/code/bitcoin_testinbox/asdf/new/dir"
bitcoin in CMyApp::OnUnhandledException()

terminate called after throwing an instance of '>boost::exception_detail::clone_impl<boost::exception_detail::error_info_injector<boost::filesystem::basic_filesystem_error<boost::filesystem::basic_path<std::string, boost::filesystem::path_traits> > > >'
what(): boost::filesystem::create_directory: No such file or directory: "/home/candide/code/bitcoin_testinbox/asdf/new/dir"

I have some thoughts on this. Number 1, the code should check if the datadir being specified actually exists before it continues. If the datadir does not exist, the program should probably exit with a "specified datadir does not exist" error. Further, when passing the -daemon flag, the bitcoin program should create a log file automatically in the datadir directory, or allow a -logdir at the command line (if one is not specified, default to datadir for logdir, or syslog, or anything other than screen dumps). All stderr should be directed to the log file instead of the terminal.

@jgarzik
Copy link
Contributor

jgarzik commented Jun 24, 2011

merging your pull for this...

@jgarzik jgarzik closed this as completed Jun 24, 2011
ptschip pushed a commit to ptschip/bitcoin that referenced this issue Mar 7, 2017
ptschip pushed a commit to ptschip/bitcoin that referenced this issue Apr 24, 2017
classesjack pushed a commit to classesjack/bitcoin that referenced this issue Jan 2, 2018
Fix inconsistent EVM coinbase between staking and validation
sipa added a commit to sipa/bitcoin that referenced this issue Sep 24, 2019
2e4ed392e1 f add tweak functions for xonly_pubkeys
add8e78542 f use xonly_pubkeys in schnorrsig sign and verify
7eeb3aa498 f add xonly pubkey struct which is serialized as 32 byte and whose Y coordinate is a quadratic residue
2e76c5dc6d f don't allow counter != 0 in nonce function
639a8599ec f use tagged hashes in nonce derivation and signature hash
6bd94240b7 Add schnorrsig module which implements BIP-schnorr [0] compatible signing, verification and batch verification.
8fcee9ab05 add chacha20 function
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 2e4ed392e1fd8cb7c64787bde9b67ddc0b463e3d
sipa added a commit to sipa/bitcoin that referenced this issue Nov 6, 2019
9d5373307c f add new bip-schnorr test vector 14
44881b21e3 f rename is_positive in schnorrsig module to has_square_y
affa6e87e9 f rename is_positive in xonly_pubkey api to has_square_y
b5fcf54149 f uninitialized memory in tests
7e4ea97582 f trigger travis
538052c950 f reenable test vectors
26f95c556a f feed seckey that is actually signed with (i.e. perhaps negated) into nonce functions
2b36bf7db3 f sign -> is_positive
dfce048bde f remove xonly_pubkey_to_pubkey
74bb3b4318 f don't use secp256k1_pubkeys in xonly_tweak api and instead use is_positive flag
5764b2b2b7 f test that pubkey is zeroed after xonly_pubkey_parse returned 0
e28b61c290 f const casting
84fe42737d f address some of pieter's comments
2e4ed392e1 f add tweak functions for xonly_pubkeys
add8e78542 f use xonly_pubkeys in schnorrsig sign and verify
7eeb3aa498 f add xonly pubkey struct which is serialized as 32 byte and whose Y coordinate is a quadratic residue
2e76c5dc6d f don't allow counter != 0 in nonce function
639a8599ec f use tagged hashes in nonce derivation and signature hash
6bd94240b7 Add schnorrsig module which implements BIP-schnorr [0] compatible signing, verification and batch verification.
8fcee9ab05 add chacha20 function
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 9d5373307cfad5fa1b53820d417a8155d2d557dc
sipa added a commit to sipa/bitcoin that referenced this issue Nov 19, 2019
c86c6cff66 Fixup rename
41b7be1dac f rename xonly_pubkey_tweak_verify to xonly_pubkey_tweak_test and add a few notes that this does not verify anything cryptographically
a36d45d597 f don't use ec_pubkey_parse indirection in xonly_pubkey_parse
a8686b9670 f don't use ec_pubkey_parse indirection in xonly_pubkey_parse
19c144ccca f rename schnorrsig_real_verify because it doesn't verify
7dbb2e8f9b f add macro SECP256K1_LEN_XONLY_PUBKEY equal to 32 to allow reducing magic numbers in calling code
a87a0576dc f Move most of ec_pubkey_absolute into ge_absolute to make it available to functions which don't operate on pubkeys but on group elements.
d727cb31c0 Add taproot test case to schnorrsig module
e8b8e794b7 Add schnorrsig module which implements BIP-schnorr [0] compatible signing, verification and batch verification
69f1e8923d Add initialize_tagged to sha256 which initializes and writes the 64 byte string SHA256(tag)||SHA256(tag) into it.
641ba4a238 Add chacha20 function
4d84cb8fdc Add tweak functions for xonly_pubkeys that allow to add a tweak to a secret key, xonly_public key and verify a tweak.
0a3a7f9b6c Add xonly_pubkeys which are serialized as 32 byte and whose Y coordinate is a quadratic residue
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: c86c6cff663e6c928c668623da2fced18e338ff5
sipa added a commit to sipa/bitcoin that referenced this issue Jan 21, 2020
df8c69879 f rename private to secret key to be compatible with PR 701
59f2fd7c1 f add test that xonly_add zeroes the output on failure
af3f0e52a f do xonly_pubkey_tweak_add in place to be consistent with ec_pubkey_tweak_add
6e0290679 f is_negated and added test
1901f3bf9 Add taproot test case to schnorrsig module
6a7ee8a86 Add schnorrsig module which implements BIP-schnorr [0] compatible signing, verification and batch verification
c6473591a Add initialize_tagged to sha256 which initializes and writes the 64 byte string SHA256(tag)||SHA256(tag) into it.
fd9609d7c Add chacha20 function
1abbe1bb6 Add tweak functions for xonly_pubkeys that allow to add a tweak to a secret key, xonly_public key and verify a tweak.
9eb303a0f Add xonly_pubkeys which are serialized as 32 byte and whose Y coordinate is a quadratic residue
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: df8c698793a51639b6fdb5b908b1ddfaedbe1fd5
sipa added a commit to sipa/bitcoin that referenced this issue Jan 23, 2020
df8c698793 f rename private to secret key to be compatible with PR 701
59f2fd7c19 f add test that xonly_add zeroes the output on failure
af3f0e52aa f do xonly_pubkey_tweak_add in place to be consistent with ec_pubkey_tweak_add
6e0290679c f is_negated and added test
1901f3bf9c Add taproot test case to schnorrsig module
6a7ee8a862 Add schnorrsig module which implements BIP-schnorr [0] compatible signing, verification and batch verification
c6473591a1 Add initialize_tagged to sha256 which initializes and writes the 64 byte string SHA256(tag)||SHA256(tag) into it.
fd9609d7c5 Add chacha20 function
1abbe1bb6e Add tweak functions for xonly_pubkeys that allow to add a tweak to a secret key, xonly_public key and verify a tweak.
9eb303a0fa Add xonly_pubkeys which are serialized as 32 byte and whose Y coordinate is a quadratic residue
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: df8c698793a51639b6fdb5b908b1ddfaedbe1fd5
jnewbery added a commit to jnewbery/bitcoin that referenced this issue Mar 17, 2020
819c3a6c1 f update schnorrsig test to new secp256k1_xonly_pubkey_tweak_test api
56d83fdca f secp256k1_xonly_pubkey_tweak_test avoids decompressing output pubkey
e63c4d669 f remove remnants of square Y
8439ce171 f improve nonce_function_bip340 tests
3bb12e339 f reenable test vectors
29bdda7ef f mask key in bip340 nonce function
4650ae812 f add tagged hash for bip340 auxiliary random data
593ceddf2 f add comment about overflowing schnorrsig challenge hashes
23c3b0050 f need to serialize internal pk for tweak in taproot test
4c8cdc644 f use updated schnorrsig BIP340 challenge tag
32dfe512e f update schnorr signing to updated bip 340 nonce tag
92205468c f update bip 340 nonce function tag
3bb25272e f no need to allow NULL algo16 in the BIP-340 nonce because the nonce function is incompatible with ecdsa anyway
fa8d65e6b f use extended nonce function in schnorrsigs
7c9f51c18 f add pubkey argument to "extended" nonce function and make bip340 instantiation of that
90384c606 f switch from squareness to evenness in schnorrsig sign
ef38b0ca5 f switch from squareness to evenness as tiebreaker in xonly keys
aacf9e043 f disable test vectors for now
04c0cf9a6 f typos
c149dbf37 f rename bip-schnorr to BIP-340 and fix links
bb252f13c f rename private to secret key to be compatible with PR 701
8be18c0ac f add test that xonly_add zeroes the output on failure
fc45a12d6 f do xonly_pubkey_tweak_add in place to be consistent with ec_pubkey_tweak_add
cb1be064d f is_negated and added test
f90656db7 Add taproot test case to schnorrsig module
a61d98658 Add schnorrsig module which implements BIP-schnorr [0] compatible signing, verification and batch verification
e72ce1b6f Add initialize_tagged to sha256 which initializes and writes the 64 byte string SHA256(tag)||SHA256(tag) into it.
72ebc184e Add chacha20 function
cb4a86089 Add tweak functions for xonly_pubkeys that allow to add a tweak to a secret key, xonly_public key and verify a tweak.
2757437fd Add xonly_pubkeys which are serialized as 32 byte and whose Y coordinate is a quadratic residue
856a01d Merge bitcoin#714: doc: document the length requirements of output parameter.
d72b9e2 Merge bitcoin#682: Remove Java Native Interface
4b48a43 doc: document the length requirements of output parameter.
1b4d256 Merge bitcoin#713: Docstrings
dabfea7 field: extend docstring of secp256k1_fe_normalize
dc7d8fd scalar: extend docstring of secp256k1_scalar_set_b32
074ab58 Merge bitcoin#704: README: add a section for test coverage
acb7f97 README: add a section for test coverage
227a4f2 Merge bitcoin#709: Remove secret-dependant non-constant time operation in ecmult_const.
d567b77 Clarify comments about use of rzr on ge functions and abs function.
2241ae6 Remove secret-dependant non-constant time operation in ecmult_const.
642cd06 Remove Java Native Interface
f45d897 Merge bitcoin#703: Overhaul README.md
2e759ec Overhaul README.md
d644dda Merge bitcoin#689: Remove "except in benchmarks" exception for fp math
bde2a32 Convert bench.h to fixed-point math
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 819c3a6c1599ae35a0b6d163393d2030a2162a5b
sipa added a commit to sipa/bitcoin that referenced this issue Mar 18, 2020
819c3a6c15 f update schnorrsig test to new secp256k1_xonly_pubkey_tweak_test api
56d83fdcad f secp256k1_xonly_pubkey_tweak_test avoids decompressing output pubkey
e63c4d6692 f remove remnants of square Y
8439ce1719 f improve nonce_function_bip340 tests
3bb12e3391 f reenable test vectors
29bdda7ef3 f mask key in bip340 nonce function
4650ae812e f add tagged hash for bip340 auxiliary random data
593ceddf23 f add comment about overflowing schnorrsig challenge hashes
23c3b0050e f need to serialize internal pk for tweak in taproot test
4c8cdc6440 f use updated schnorrsig BIP340 challenge tag
32dfe512e4 f update schnorr signing to updated bip 340 nonce tag
92205468c3 f update bip 340 nonce function tag
3bb25272e8 f no need to allow NULL algo16 in the BIP-340 nonce because the nonce function is incompatible with ecdsa anyway
fa8d65e6bd f use extended nonce function in schnorrsigs
7c9f51c183 f add pubkey argument to "extended" nonce function and make bip340 instantiation of that
90384c6061 f switch from squareness to evenness in schnorrsig sign
ef38b0ca53 f switch from squareness to evenness as tiebreaker in xonly keys
aacf9e0433 f disable test vectors for now
04c0cf9a6f f typos
c149dbf37b f rename bip-schnorr to BIP-340 and fix links
bb252f13cd f rename private to secret key to be compatible with PR 701
8be18c0ac9 f add test that xonly_add zeroes the output on failure
fc45a12d6c f do xonly_pubkey_tweak_add in place to be consistent with ec_pubkey_tweak_add
cb1be064d6 f is_negated and added test
f90656db7a Add taproot test case to schnorrsig module
a61d986587 Add schnorrsig module which implements BIP-schnorr [0] compatible signing, verification and batch verification
e72ce1b6fb Add initialize_tagged to sha256 which initializes and writes the 64 byte string SHA256(tag)||SHA256(tag) into it.
72ebc184e7 Add chacha20 function
cb4a86089d Add tweak functions for xonly_pubkeys that allow to add a tweak to a secret key, xonly_public key and verify a tweak.
2757437fd4 Add xonly_pubkeys which are serialized as 32 byte and whose Y coordinate is a quadratic residue
856a01d Merge bitcoin#714: doc: document the length requirements of output parameter.
d72b9e2 Merge bitcoin#682: Remove Java Native Interface
4b48a43 doc: document the length requirements of output parameter.
1b4d256 Merge bitcoin#713: Docstrings
dabfea7 field: extend docstring of secp256k1_fe_normalize
dc7d8fd scalar: extend docstring of secp256k1_scalar_set_b32
074ab58 Merge bitcoin#704: README: add a section for test coverage
acb7f97 README: add a section for test coverage
227a4f2 Merge bitcoin#709: Remove secret-dependant non-constant time operation in ecmult_const.
d567b77 Clarify comments about use of rzr on ge functions and abs function.
2241ae6 Remove secret-dependant non-constant time operation in ecmult_const.
642cd06 Remove Java Native Interface
f45d897 Merge bitcoin#703: Overhaul README.md
2e759ec Overhaul README.md
d644dda Merge bitcoin#689: Remove "except in benchmarks" exception for fp math
bde2a32 Convert bench.h to fixed-point math
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 819c3a6c1599ae35a0b6d163393d2030a2162a5b
sipa added a commit to sipa/bitcoin that referenced this issue Mar 18, 2020
819c3a6c15 f update schnorrsig test to new secp256k1_xonly_pubkey_tweak_test api
56d83fdcad f secp256k1_xonly_pubkey_tweak_test avoids decompressing output pubkey
e63c4d6692 f remove remnants of square Y
8439ce1719 f improve nonce_function_bip340 tests
3bb12e3391 f reenable test vectors
29bdda7ef3 f mask key in bip340 nonce function
4650ae812e f add tagged hash for bip340 auxiliary random data
593ceddf23 f add comment about overflowing schnorrsig challenge hashes
23c3b0050e f need to serialize internal pk for tweak in taproot test
4c8cdc6440 f use updated schnorrsig BIP340 challenge tag
32dfe512e4 f update schnorr signing to updated bip 340 nonce tag
92205468c3 f update bip 340 nonce function tag
3bb25272e8 f no need to allow NULL algo16 in the BIP-340 nonce because the nonce function is incompatible with ecdsa anyway
fa8d65e6bd f use extended nonce function in schnorrsigs
7c9f51c183 f add pubkey argument to "extended" nonce function and make bip340 instantiation of that
90384c6061 f switch from squareness to evenness in schnorrsig sign
ef38b0ca53 f switch from squareness to evenness as tiebreaker in xonly keys
aacf9e0433 f disable test vectors for now
04c0cf9a6f f typos
c149dbf37b f rename bip-schnorr to BIP-340 and fix links
bb252f13cd f rename private to secret key to be compatible with PR 701
8be18c0ac9 f add test that xonly_add zeroes the output on failure
fc45a12d6c f do xonly_pubkey_tweak_add in place to be consistent with ec_pubkey_tweak_add
cb1be064d6 f is_negated and added test
f90656db7a Add taproot test case to schnorrsig module
a61d986587 Add schnorrsig module which implements BIP-schnorr [0] compatible signing, verification and batch verification
e72ce1b6fb Add initialize_tagged to sha256 which initializes and writes the 64 byte string SHA256(tag)||SHA256(tag) into it.
72ebc184e7 Add chacha20 function
cb4a86089d Add tweak functions for xonly_pubkeys that allow to add a tweak to a secret key, xonly_public key and verify a tweak.
2757437fd4 Add xonly_pubkeys which are serialized as 32 byte and whose Y coordinate is a quadratic residue
856a01d Merge bitcoin#714: doc: document the length requirements of output parameter.
d72b9e2 Merge bitcoin#682: Remove Java Native Interface
4b48a43 doc: document the length requirements of output parameter.
1b4d256 Merge bitcoin#713: Docstrings
dabfea7 field: extend docstring of secp256k1_fe_normalize
dc7d8fd scalar: extend docstring of secp256k1_scalar_set_b32
074ab58 Merge bitcoin#704: README: add a section for test coverage
acb7f97 README: add a section for test coverage
227a4f2 Merge bitcoin#709: Remove secret-dependant non-constant time operation in ecmult_const.
d567b77 Clarify comments about use of rzr on ge functions and abs function.
2241ae6 Remove secret-dependant non-constant time operation in ecmult_const.
642cd06 Remove Java Native Interface
f45d897 Merge bitcoin#703: Overhaul README.md
2e759ec Overhaul README.md
d644dda Merge bitcoin#689: Remove "except in benchmarks" exception for fp math
bde2a32 Convert bench.h to fixed-point math
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 819c3a6c1599ae35a0b6d163393d2030a2162a5b
sipa added a commit to sipa/bitcoin that referenced this issue Mar 19, 2020
819c3a6c15 f update schnorrsig test to new secp256k1_xonly_pubkey_tweak_test api
56d83fdcad f secp256k1_xonly_pubkey_tweak_test avoids decompressing output pubkey
e63c4d6692 f remove remnants of square Y
8439ce1719 f improve nonce_function_bip340 tests
3bb12e3391 f reenable test vectors
29bdda7ef3 f mask key in bip340 nonce function
4650ae812e f add tagged hash for bip340 auxiliary random data
593ceddf23 f add comment about overflowing schnorrsig challenge hashes
23c3b0050e f need to serialize internal pk for tweak in taproot test
4c8cdc6440 f use updated schnorrsig BIP340 challenge tag
32dfe512e4 f update schnorr signing to updated bip 340 nonce tag
92205468c3 f update bip 340 nonce function tag
3bb25272e8 f no need to allow NULL algo16 in the BIP-340 nonce because the nonce function is incompatible with ecdsa anyway
fa8d65e6bd f use extended nonce function in schnorrsigs
7c9f51c183 f add pubkey argument to "extended" nonce function and make bip340 instantiation of that
90384c6061 f switch from squareness to evenness in schnorrsig sign
ef38b0ca53 f switch from squareness to evenness as tiebreaker in xonly keys
aacf9e0433 f disable test vectors for now
04c0cf9a6f f typos
c149dbf37b f rename bip-schnorr to BIP-340 and fix links
bb252f13cd f rename private to secret key to be compatible with PR 701
8be18c0ac9 f add test that xonly_add zeroes the output on failure
fc45a12d6c f do xonly_pubkey_tweak_add in place to be consistent with ec_pubkey_tweak_add
cb1be064d6 f is_negated and added test
f90656db7a Add taproot test case to schnorrsig module
a61d986587 Add schnorrsig module which implements BIP-schnorr [0] compatible signing, verification and batch verification
e72ce1b6fb Add initialize_tagged to sha256 which initializes and writes the 64 byte string SHA256(tag)||SHA256(tag) into it.
72ebc184e7 Add chacha20 function
cb4a86089d Add tweak functions for xonly_pubkeys that allow to add a tweak to a secret key, xonly_public key and verify a tweak.
2757437fd4 Add xonly_pubkeys which are serialized as 32 byte and whose Y coordinate is a quadratic residue
856a01d Merge bitcoin#714: doc: document the length requirements of output parameter.
d72b9e2 Merge bitcoin#682: Remove Java Native Interface
4b48a43 doc: document the length requirements of output parameter.
1b4d256 Merge bitcoin#713: Docstrings
dabfea7 field: extend docstring of secp256k1_fe_normalize
dc7d8fd scalar: extend docstring of secp256k1_scalar_set_b32
074ab58 Merge bitcoin#704: README: add a section for test coverage
acb7f97 README: add a section for test coverage
227a4f2 Merge bitcoin#709: Remove secret-dependant non-constant time operation in ecmult_const.
d567b77 Clarify comments about use of rzr on ge functions and abs function.
2241ae6 Remove secret-dependant non-constant time operation in ecmult_const.
642cd06 Remove Java Native Interface
f45d897 Merge bitcoin#703: Overhaul README.md
2e759ec Overhaul README.md
d644dda Merge bitcoin#689: Remove "except in benchmarks" exception for fp math
bde2a32 Convert bench.h to fixed-point math
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 819c3a6c1599ae35a0b6d163393d2030a2162a5b
sipa added a commit to sipa/bitcoin that referenced this issue Mar 21, 2020
372c4555ca Add schnorrsig_sign to the valgrind ctime test
bf2df44284 f make schnorrsig_sign constant time in edge cases
7178b4430e f add test for overflowing nonce (which is fine)
925e959946 Add taproot test case to schnorrsig module
9971d6ce89 Add schnorrsig module which implements BIP-340 compatible signing, verification and batch verification
e85b0bbafc Add BIP-340 nonce function
a2a1b2cbb9 Add initialize_tagged to sha256 which initializes and writes the 64 byte string SHA256(tag)||SHA256(tag) into it.
1771840df4 Add chacha20 function
f59da5a6f0 Add tweak functions for xonly_pubkeys that allow to add a tweak to a secret key, xonly_public key and verify a tweak.
43aee84671 Add xonly_pubkeys which are serialized as 32 byte and whose Y coordinate is a quadratic residue
e9fccd4 Merge bitcoin#708: Constant-time behaviour test using valgrind memtest.
08fb6c4 Run valgrind_ctime_test in travis
3d23022 Constant-time behaviour test using valgrind memtest.
96d8ccb Merge bitcoin#710: Eliminate harmless non-constant time operations on secret data.
0585b8b Merge bitcoin#718: Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
7b50483 Adds a declassify operation to aid constant-time analysis.
34a67c7 Eliminate harmless non-constant time operations on secret data.
eb45ef3 Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
856a01d Merge bitcoin#714: doc: document the length requirements of output parameter.
d72b9e2 Merge bitcoin#682: Remove Java Native Interface
4b48a43 doc: document the length requirements of output parameter.
1b4d256 Merge bitcoin#713: Docstrings
dabfea7 field: extend docstring of secp256k1_fe_normalize
dc7d8fd scalar: extend docstring of secp256k1_scalar_set_b32
074ab58 Merge bitcoin#704: README: add a section for test coverage
acb7f97 README: add a section for test coverage
227a4f2 Merge bitcoin#709: Remove secret-dependant non-constant time operation in ecmult_const.
d567b77 Clarify comments about use of rzr on ge functions and abs function.
2241ae6 Remove secret-dependant non-constant time operation in ecmult_const.
642cd06 Remove Java Native Interface
f45d897 Merge bitcoin#703: Overhaul README.md
2e759ec Overhaul README.md
d644dda Merge bitcoin#689: Remove "except in benchmarks" exception for fp math
bde2a32 Convert bench.h to fixed-point math
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 372c4555cac1d2cba747ea691006876818c6adef
sipa added a commit to sipa/bitcoin that referenced this issue Mar 22, 2020
372c4555ca Add schnorrsig_sign to the valgrind ctime test
bf2df44284 f make schnorrsig_sign constant time in edge cases
7178b4430e f add test for overflowing nonce (which is fine)
925e959946 Add taproot test case to schnorrsig module
9971d6ce89 Add schnorrsig module which implements BIP-340 compatible signing, verification and batch verification
e85b0bbafc Add BIP-340 nonce function
a2a1b2cbb9 Add initialize_tagged to sha256 which initializes and writes the 64 byte string SHA256(tag)||SHA256(tag) into it.
1771840df4 Add chacha20 function
f59da5a6f0 Add tweak functions for xonly_pubkeys that allow to add a tweak to a secret key, xonly_public key and verify a tweak.
43aee84671 Add xonly_pubkeys which are serialized as 32 byte and whose Y coordinate is a quadratic residue
e9fccd4 Merge bitcoin#708: Constant-time behaviour test using valgrind memtest.
08fb6c4 Run valgrind_ctime_test in travis
3d23022 Constant-time behaviour test using valgrind memtest.
96d8ccb Merge bitcoin#710: Eliminate harmless non-constant time operations on secret data.
0585b8b Merge bitcoin#718: Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
7b50483 Adds a declassify operation to aid constant-time analysis.
34a67c7 Eliminate harmless non-constant time operations on secret data.
eb45ef3 Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
856a01d Merge bitcoin#714: doc: document the length requirements of output parameter.
d72b9e2 Merge bitcoin#682: Remove Java Native Interface
4b48a43 doc: document the length requirements of output parameter.
1b4d256 Merge bitcoin#713: Docstrings
dabfea7 field: extend docstring of secp256k1_fe_normalize
dc7d8fd scalar: extend docstring of secp256k1_scalar_set_b32
074ab58 Merge bitcoin#704: README: add a section for test coverage
acb7f97 README: add a section for test coverage
227a4f2 Merge bitcoin#709: Remove secret-dependant non-constant time operation in ecmult_const.
d567b77 Clarify comments about use of rzr on ge functions and abs function.
2241ae6 Remove secret-dependant non-constant time operation in ecmult_const.
642cd06 Remove Java Native Interface
f45d897 Merge bitcoin#703: Overhaul README.md
2e759ec Overhaul README.md
d644dda Merge bitcoin#689: Remove "except in benchmarks" exception for fp math
bde2a32 Convert bench.h to fixed-point math
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 372c4555cac1d2cba747ea691006876818c6adef
sipa added a commit to sipa/bitcoin that referenced this issue Mar 27, 2020
372c4555ca Add schnorrsig_sign to the valgrind ctime test
bf2df44284 f make schnorrsig_sign constant time in edge cases
7178b4430e f add test for overflowing nonce (which is fine)
925e959946 Add taproot test case to schnorrsig module
9971d6ce89 Add schnorrsig module which implements BIP-340 compatible signing, verification and batch verification
e85b0bbafc Add BIP-340 nonce function
a2a1b2cbb9 Add initialize_tagged to sha256 which initializes and writes the 64 byte string SHA256(tag)||SHA256(tag) into it.
1771840df4 Add chacha20 function
f59da5a6f0 Add tweak functions for xonly_pubkeys that allow to add a tweak to a secret key, xonly_public key and verify a tweak.
43aee84671 Add xonly_pubkeys which are serialized as 32 byte and whose Y coordinate is a quadratic residue
e9fccd4 Merge bitcoin#708: Constant-time behaviour test using valgrind memtest.
08fb6c4 Run valgrind_ctime_test in travis
3d23022 Constant-time behaviour test using valgrind memtest.
96d8ccb Merge bitcoin#710: Eliminate harmless non-constant time operations on secret data.
0585b8b Merge bitcoin#718: Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
7b50483 Adds a declassify operation to aid constant-time analysis.
34a67c7 Eliminate harmless non-constant time operations on secret data.
eb45ef3 Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
856a01d Merge bitcoin#714: doc: document the length requirements of output parameter.
d72b9e2 Merge bitcoin#682: Remove Java Native Interface
4b48a43 doc: document the length requirements of output parameter.
1b4d256 Merge bitcoin#713: Docstrings
dabfea7 field: extend docstring of secp256k1_fe_normalize
dc7d8fd scalar: extend docstring of secp256k1_scalar_set_b32
074ab58 Merge bitcoin#704: README: add a section for test coverage
acb7f97 README: add a section for test coverage
227a4f2 Merge bitcoin#709: Remove secret-dependant non-constant time operation in ecmult_const.
d567b77 Clarify comments about use of rzr on ge functions and abs function.
2241ae6 Remove secret-dependant non-constant time operation in ecmult_const.
642cd06 Remove Java Native Interface
f45d897 Merge bitcoin#703: Overhaul README.md
2e759ec Overhaul README.md
d644dda Merge bitcoin#689: Remove "except in benchmarks" exception for fp math
bde2a32 Convert bench.h to fixed-point math
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 372c4555cac1d2cba747ea691006876818c6adef
jnewbery added a commit to jnewbery/bitcoin that referenced this issue Apr 16, 2020
372c4555c Add schnorrsig_sign to the valgrind ctime test
bf2df4428 f make schnorrsig_sign constant time in edge cases
7178b4430 f add test for overflowing nonce (which is fine)
925e95994 Add taproot test case to schnorrsig module
9971d6ce8 Add schnorrsig module which implements BIP-340 compatible signing, verification and batch verification
e85b0bbaf Add BIP-340 nonce function
a2a1b2cbb Add initialize_tagged to sha256 which initializes and writes the 64 byte string SHA256(tag)||SHA256(tag) into it.
1771840df Add chacha20 function
f59da5a6f Add tweak functions for xonly_pubkeys that allow to add a tweak to a secret key, xonly_public key and verify a tweak.
43aee8467 Add xonly_pubkeys which are serialized as 32 byte and whose Y coordinate is a quadratic residue
e9fccd4 Merge bitcoin#708: Constant-time behaviour test using valgrind memtest.
08fb6c4 Run valgrind_ctime_test in travis
3d23022 Constant-time behaviour test using valgrind memtest.
96d8ccb Merge bitcoin#710: Eliminate harmless non-constant time operations on secret data.
0585b8b Merge bitcoin#718: Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
7b50483 Adds a declassify operation to aid constant-time analysis.
34a67c7 Eliminate harmless non-constant time operations on secret data.
eb45ef3 Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
856a01d Merge bitcoin#714: doc: document the length requirements of output parameter.
d72b9e2 Merge bitcoin#682: Remove Java Native Interface
4b48a43 doc: document the length requirements of output parameter.
1b4d256 Merge bitcoin#713: Docstrings
dabfea7 field: extend docstring of secp256k1_fe_normalize
dc7d8fd scalar: extend docstring of secp256k1_scalar_set_b32
074ab58 Merge bitcoin#704: README: add a section for test coverage
acb7f97 README: add a section for test coverage
227a4f2 Merge bitcoin#709: Remove secret-dependant non-constant time operation in ecmult_const.
d567b77 Clarify comments about use of rzr on ge functions and abs function.
2241ae6 Remove secret-dependant non-constant time operation in ecmult_const.
642cd06 Remove Java Native Interface
f45d897 Merge bitcoin#703: Overhaul README.md
2e759ec Overhaul README.md
d644dda Merge bitcoin#689: Remove "except in benchmarks" exception for fp math
bde2a32 Convert bench.h to fixed-point math
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 372c4555cac1d2cba747ea691006876818c6adef
jnewbery added a commit to jnewbery/bitcoin that referenced this issue Apr 19, 2020
372c4555c Add schnorrsig_sign to the valgrind ctime test
bf2df4428 f make schnorrsig_sign constant time in edge cases
7178b4430 f add test for overflowing nonce (which is fine)
925e95994 Add taproot test case to schnorrsig module
9971d6ce8 Add schnorrsig module which implements BIP-340 compatible signing, verification and batch verification
e85b0bbaf Add BIP-340 nonce function
a2a1b2cbb Add initialize_tagged to sha256 which initializes and writes the 64 byte string SHA256(tag)||SHA256(tag) into it.
1771840df Add chacha20 function
f59da5a6f Add tweak functions for xonly_pubkeys that allow to add a tweak to a secret key, xonly_public key and verify a tweak.
43aee8467 Add xonly_pubkeys which are serialized as 32 byte and whose Y coordinate is a quadratic residue
e9fccd4 Merge bitcoin#708: Constant-time behaviour test using valgrind memtest.
08fb6c4 Run valgrind_ctime_test in travis
3d23022 Constant-time behaviour test using valgrind memtest.
96d8ccb Merge bitcoin#710: Eliminate harmless non-constant time operations on secret data.
0585b8b Merge bitcoin#718: Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
7b50483 Adds a declassify operation to aid constant-time analysis.
34a67c7 Eliminate harmless non-constant time operations on secret data.
eb45ef3 Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
856a01d Merge bitcoin#714: doc: document the length requirements of output parameter.
d72b9e2 Merge bitcoin#682: Remove Java Native Interface
4b48a43 doc: document the length requirements of output parameter.
1b4d256 Merge bitcoin#713: Docstrings
dabfea7 field: extend docstring of secp256k1_fe_normalize
dc7d8fd scalar: extend docstring of secp256k1_scalar_set_b32
074ab58 Merge bitcoin#704: README: add a section for test coverage
acb7f97 README: add a section for test coverage
227a4f2 Merge bitcoin#709: Remove secret-dependant non-constant time operation in ecmult_const.
d567b77 Clarify comments about use of rzr on ge functions and abs function.
2241ae6 Remove secret-dependant non-constant time operation in ecmult_const.
642cd06 Remove Java Native Interface
f45d897 Merge bitcoin#703: Overhaul README.md
2e759ec Overhaul README.md
d644dda Merge bitcoin#689: Remove "except in benchmarks" exception for fp math
bde2a32 Convert bench.h to fixed-point math
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 372c4555cac1d2cba747ea691006876818c6adef
sipa added a commit to sipa/bitcoin that referenced this issue Apr 19, 2020
372c4555ca Add schnorrsig_sign to the valgrind ctime test
bf2df44284 f make schnorrsig_sign constant time in edge cases
7178b4430e f add test for overflowing nonce (which is fine)
925e959946 Add taproot test case to schnorrsig module
9971d6ce89 Add schnorrsig module which implements BIP-340 compatible signing, verification and batch verification
e85b0bbafc Add BIP-340 nonce function
a2a1b2cbb9 Add initialize_tagged to sha256 which initializes and writes the 64 byte string SHA256(tag)||SHA256(tag) into it.
1771840df4 Add chacha20 function
f59da5a6f0 Add tweak functions for xonly_pubkeys that allow to add a tweak to a secret key, xonly_public key and verify a tweak.
43aee84671 Add xonly_pubkeys which are serialized as 32 byte and whose Y coordinate is a quadratic residue
e9fccd4 Merge bitcoin#708: Constant-time behaviour test using valgrind memtest.
08fb6c4 Run valgrind_ctime_test in travis
3d23022 Constant-time behaviour test using valgrind memtest.
96d8ccb Merge bitcoin#710: Eliminate harmless non-constant time operations on secret data.
0585b8b Merge bitcoin#718: Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
7b50483 Adds a declassify operation to aid constant-time analysis.
34a67c7 Eliminate harmless non-constant time operations on secret data.
eb45ef3 Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
856a01d Merge bitcoin#714: doc: document the length requirements of output parameter.
d72b9e2 Merge bitcoin#682: Remove Java Native Interface
4b48a43 doc: document the length requirements of output parameter.
1b4d256 Merge bitcoin#713: Docstrings
dabfea7 field: extend docstring of secp256k1_fe_normalize
dc7d8fd scalar: extend docstring of secp256k1_scalar_set_b32
074ab58 Merge bitcoin#704: README: add a section for test coverage
acb7f97 README: add a section for test coverage
227a4f2 Merge bitcoin#709: Remove secret-dependant non-constant time operation in ecmult_const.
d567b77 Clarify comments about use of rzr on ge functions and abs function.
2241ae6 Remove secret-dependant non-constant time operation in ecmult_const.
642cd06 Remove Java Native Interface
f45d897 Merge bitcoin#703: Overhaul README.md
2e759ec Overhaul README.md
d644dda Merge bitcoin#689: Remove "except in benchmarks" exception for fp math
bde2a32 Convert bench.h to fixed-point math
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 372c4555cac1d2cba747ea691006876818c6adef
sipa added a commit to sipa/bitcoin that referenced this issue May 2, 2020
372c4555ca Add schnorrsig_sign to the valgrind ctime test
bf2df44284 f make schnorrsig_sign constant time in edge cases
7178b4430e f add test for overflowing nonce (which is fine)
925e959946 Add taproot test case to schnorrsig module
9971d6ce89 Add schnorrsig module which implements BIP-340 compatible signing, verification and batch verification
e85b0bbafc Add BIP-340 nonce function
a2a1b2cbb9 Add initialize_tagged to sha256 which initializes and writes the 64 byte string SHA256(tag)||SHA256(tag) into it.
1771840df4 Add chacha20 function
f59da5a6f0 Add tweak functions for xonly_pubkeys that allow to add a tweak to a secret key, xonly_public key and verify a tweak.
43aee84671 Add xonly_pubkeys which are serialized as 32 byte and whose Y coordinate is a quadratic residue
e9fccd4 Merge bitcoin#708: Constant-time behaviour test using valgrind memtest.
08fb6c4 Run valgrind_ctime_test in travis
3d23022 Constant-time behaviour test using valgrind memtest.
96d8ccb Merge bitcoin#710: Eliminate harmless non-constant time operations on secret data.
0585b8b Merge bitcoin#718: Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
7b50483 Adds a declassify operation to aid constant-time analysis.
34a67c7 Eliminate harmless non-constant time operations on secret data.
eb45ef3 Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
856a01d Merge bitcoin#714: doc: document the length requirements of output parameter.
d72b9e2 Merge bitcoin#682: Remove Java Native Interface
4b48a43 doc: document the length requirements of output parameter.
1b4d256 Merge bitcoin#713: Docstrings
dabfea7 field: extend docstring of secp256k1_fe_normalize
dc7d8fd scalar: extend docstring of secp256k1_scalar_set_b32
074ab58 Merge bitcoin#704: README: add a section for test coverage
acb7f97 README: add a section for test coverage
227a4f2 Merge bitcoin#709: Remove secret-dependant non-constant time operation in ecmult_const.
d567b77 Clarify comments about use of rzr on ge functions and abs function.
2241ae6 Remove secret-dependant non-constant time operation in ecmult_const.
642cd06 Remove Java Native Interface
f45d897 Merge bitcoin#703: Overhaul README.md
2e759ec Overhaul README.md
d644dda Merge bitcoin#689: Remove "except in benchmarks" exception for fp math
bde2a32 Convert bench.h to fixed-point math
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 372c4555cac1d2cba747ea691006876818c6adef
sipa added a commit to sipa/bitcoin that referenced this issue May 22, 2020
ccb23e329d valgrind_ctime_test: Add schnorrsig_sign
682a113f3a schnorrsig: Add taproot test case
a0a01a4915 schnorrsig: Add benchmark for sign and verify
fa5b11cbb4 schnorrsig: Add BIP-340 compatible signing and verification
bb888e4f63 schnorrsig: Add BIP-340 nonce function
07963e8843 schnorrsig: Init empty experimental module
87d98a4756 Allow initializing tagged sha256
6f4d0d86a9 extrakeys: Add keypair_xonly_tweak_add
37be855167 extrakeys: Add keypair struct with create, pub and pub_xonly
96ed0dd9d3 Separate helper functions for pubkey_create and seckey_tweak_add
7a3acdcef9 extrakeys: Add xonly_pubkey_tweak_add & xonly_pubkey_tweak_add_test
6d6f3e5fdf Separate helper function for ec_pubkey_tweak_add
4b2febf8fc extrakeys: Add xonly_pubkey with serialize, parse and from_pubkey
d2d45afc16 extrakeys: Init empty experimental module
8f247275a0 Make the secp256k1_declassify argument constant
f39f99b Merge bitcoin#701: Make ec_ arithmetic more consistent and add documentation
39198a0 Merge bitcoin#732: Retry if r is zero during signing
59a8de8 Merge bitcoin#742: Fix typo in ecmult_const_impl.h
4e28465 Fix typo in ecmult_const_impl.h
f862b4c Merge bitcoin#740: Make recovery/main_impl.h non-executable
ffef45c Make recovery/main_impl.h non-executable
2361b37 Merge bitcoin#735: build: fix OpenSSL EC detection on macOS
3b7d26b build: add SECP_TEST_INCLUDES to bench_verify CPPFLAGS
84b5fc5 build: fix OpenSSL EC detection on macOS
37ed51a Make ecdsa_sig_sign constant-time again after reverting 25e3cfb
93d343b Revert "ecdsa_impl: replace scalar if-checks with VERIFY_CHECKs in ecdsa_sig_sign"
7e3952a Clarify documentation of tweak functions.
89853a0 Make tweak function documentation more consistent.
41fc785 Make ec_privkey functions aliases for ec_seckey_negate, ec_seckey_tweak_add and ec_seckey_mul
22911ee Rename private key to secret key in public API (with the exception of function names)
5a73f14 Mention that value is unspecified for In/Out parameters if the function returns 0
f03df0e Define valid ECDSA keys in the documentation of seckey_verify
5894e1f Return 0 if the given seckey is invalid in privkey_negate, privkey_tweak_add and privkey_tweak_mul
8f814cd Add test for boundary conditions of scalar_set_b32 with respect to overflows
3fec982 Use scalar_set_b32_seckey in ecdsa_sign, pubkey_create and seckey_verify
9ab2cbe Add scalar_set_b32_seckey which does the same as scalar_set_b32 and also returns whether it's a valid secret key
4f27e34 Merge bitcoin#728: Suppress a harmless variable-time optimization by clang in memczero
0199387 Add test for memczero()
52a0351 Suppress a harmless variable-time optimization by clang in memczero
8f78e20 Merge bitcoin#722: Context isn't freed in the ECDH benchmark
ed1b911 Merge bitcoin#700: Allow overriding default flags
85b35af Add running benchmarks regularly and under valgrind in travis
ca4906b Pass num of iters to benchmarks as variable, and define envvar
02dd5f1 free the ctx at the end of bench_ecdh
e9fccd4 Merge bitcoin#708: Constant-time behaviour test using valgrind memtest.
08fb6c4 Run valgrind_ctime_test in travis
3d23022 Constant-time behaviour test using valgrind memtest.
96d8ccb Merge bitcoin#710: Eliminate harmless non-constant time operations on secret data.
0585b8b Merge bitcoin#718: Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
7b50483 Adds a declassify operation to aid constant-time analysis.
34a67c7 Eliminate harmless non-constant time operations on secret data.
ca739cb Compile with optimization flag -O2 by default instead of -O3
eb45ef3 Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
856a01d Merge bitcoin#714: doc: document the length requirements of output parameter.
d72b9e2 Merge bitcoin#682: Remove Java Native Interface
4b48a43 doc: document the length requirements of output parameter.
1b4d256 Merge bitcoin#713: Docstrings
dabfea7 field: extend docstring of secp256k1_fe_normalize
dc7d8fd scalar: extend docstring of secp256k1_scalar_set_b32
074ab58 Merge bitcoin#704: README: add a section for test coverage
acb7f97 README: add a section for test coverage
227a4f2 Merge bitcoin#709: Remove secret-dependant non-constant time operation in ecmult_const.
d567b77 Clarify comments about use of rzr on ge functions and abs function.
2241ae6 Remove secret-dependant non-constant time operation in ecmult_const.
642cd06 Remove Java Native Interface
83fb1bc Remove -O2 from default CFLAGS because this would override the -O3 flag (see AC_PROG_CC in the Autoconf manual)
ecba813 Append instead of Prepend user-CFLAGS to default CFLAGS allowing the user to override default variables
613c34c Remove test in configure.ac because it doesn't have an effect
f45d897 Merge bitcoin#703: Overhaul README.md
2e759ec Overhaul README.md
d644dda Merge bitcoin#689: Remove "except in benchmarks" exception for fp math
bde2a32 Convert bench.h to fixed-point math
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: ccb23e329d34e6717528c81c3bed76c7a45c547b
sipa added a commit to sipa/bitcoin that referenced this issue Jun 9, 2020
2ed54da Merge bitcoin#755: Recovery signing: add to constant time test, and eliminate non ct operators
2860950 Add tests for the cmov implementations
73596a8 Add ecdsa_sign_recoverable to the ctime tests
2876af4 Split ecdsa_sign logic into a new function and use it from ecdsa_sign and recovery
5e1c885 Merge bitcoin#754: Fix uninit values passed into cmov
f79a7ad Add valgrind uninit check to cmovs output
05d315a Merge bitcoin#752: autoconf: Use ":" instead of "dnl" as a noop
a39c2b0 Fixed UB(arithmetics on uninit values) in cmovs
3a6fd7f Merge bitcoin#750: Add macOS to the CI
5e8747a autoconf: Use ":" instead of "dnl" as a noop
71757da Explictly pass SECP256K1_BENCH_ITERS to the benchmarks in travis.sh
99bd661 Replace travis_wait with a loop printing "\a" to stdout every minute
bc818b1 Bump travis Ubuntu from xenial(16.04) to bionic(18.04)
0c5ff90 Add macOS support to travis
b6807d9 Move travis script into a standalone sh file
f39f99b Merge bitcoin#701: Make ec_ arithmetic more consistent and add documentation
39198a0 Merge bitcoin#732: Retry if r is zero during signing
59a8de8 Merge bitcoin#742: Fix typo in ecmult_const_impl.h
4e28465 Fix typo in ecmult_const_impl.h
f862b4c Merge bitcoin#740: Make recovery/main_impl.h non-executable
ffef45c Make recovery/main_impl.h non-executable
2361b37 Merge bitcoin#735: build: fix OpenSSL EC detection on macOS
3b7d26b build: add SECP_TEST_INCLUDES to bench_verify CPPFLAGS
84b5fc5 build: fix OpenSSL EC detection on macOS
37ed51a Make ecdsa_sig_sign constant-time again after reverting 25e3cfb
93d343b Revert "ecdsa_impl: replace scalar if-checks with VERIFY_CHECKs in ecdsa_sig_sign"
7e3952a Clarify documentation of tweak functions.
89853a0 Make tweak function documentation more consistent.
41fc785 Make ec_privkey functions aliases for ec_seckey_negate, ec_seckey_tweak_add and ec_seckey_mul
22911ee Rename private key to secret key in public API (with the exception of function names)
5a73f14 Mention that value is unspecified for In/Out parameters if the function returns 0
f03df0e Define valid ECDSA keys in the documentation of seckey_verify
5894e1f Return 0 if the given seckey is invalid in privkey_negate, privkey_tweak_add and privkey_tweak_mul
8f814cd Add test for boundary conditions of scalar_set_b32 with respect to overflows
3fec982 Use scalar_set_b32_seckey in ecdsa_sign, pubkey_create and seckey_verify
9ab2cbe Add scalar_set_b32_seckey which does the same as scalar_set_b32 and also returns whether it's a valid secret key
4f27e34 Merge bitcoin#728: Suppress a harmless variable-time optimization by clang in memczero
0199387 Add test for memczero()
52a0351 Suppress a harmless variable-time optimization by clang in memczero
8f78e20 Merge bitcoin#722: Context isn't freed in the ECDH benchmark
ed1b911 Merge bitcoin#700: Allow overriding default flags
85b35af Add running benchmarks regularly and under valgrind in travis
ca4906b Pass num of iters to benchmarks as variable, and define envvar
02dd5f1 free the ctx at the end of bench_ecdh
e9fccd4 Merge bitcoin#708: Constant-time behaviour test using valgrind memtest.
08fb6c4 Run valgrind_ctime_test in travis
3d23022 Constant-time behaviour test using valgrind memtest.
96d8ccb Merge bitcoin#710: Eliminate harmless non-constant time operations on secret data.
0585b8b Merge bitcoin#718: Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
7b50483 Adds a declassify operation to aid constant-time analysis.
34a67c7 Eliminate harmless non-constant time operations on secret data.
ca739cb Compile with optimization flag -O2 by default instead of -O3
eb45ef3 Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
856a01d Merge bitcoin#714: doc: document the length requirements of output parameter.
d72b9e2 Merge bitcoin#682: Remove Java Native Interface
4b48a43 doc: document the length requirements of output parameter.
1b4d256 Merge bitcoin#713: Docstrings
dabfea7 field: extend docstring of secp256k1_fe_normalize
dc7d8fd scalar: extend docstring of secp256k1_scalar_set_b32
074ab58 Merge bitcoin#704: README: add a section for test coverage
acb7f97 README: add a section for test coverage
227a4f2 Merge bitcoin#709: Remove secret-dependant non-constant time operation in ecmult_const.
d567b77 Clarify comments about use of rzr on ge functions and abs function.
2241ae6 Remove secret-dependant non-constant time operation in ecmult_const.
642cd06 Remove Java Native Interface
83fb1bc Remove -O2 from default CFLAGS because this would override the -O3 flag (see AC_PROG_CC in the Autoconf manual)
ecba813 Append instead of Prepend user-CFLAGS to default CFLAGS allowing the user to override default variables
613c34c Remove test in configure.ac because it doesn't have an effect
f45d897 Merge bitcoin#703: Overhaul README.md
2e759ec Overhaul README.md
d644dda Merge bitcoin#689: Remove "except in benchmarks" exception for fp math
bde2a32 Convert bench.h to fixed-point math
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 2ed54da
stackman27 pushed a commit to stackman27/bitcoin that referenced this issue Jun 26, 2020
2ed54da Merge bitcoin#755: Recovery signing: add to constant time test, and eliminate non ct operators
2860950 Add tests for the cmov implementations
73596a8 Add ecdsa_sign_recoverable to the ctime tests
2876af4 Split ecdsa_sign logic into a new function and use it from ecdsa_sign and recovery
5e1c885 Merge bitcoin#754: Fix uninit values passed into cmov
f79a7ad Add valgrind uninit check to cmovs output
05d315a Merge bitcoin#752: autoconf: Use ":" instead of "dnl" as a noop
a39c2b0 Fixed UB(arithmetics on uninit values) in cmovs
3a6fd7f Merge bitcoin#750: Add macOS to the CI
5e8747a autoconf: Use ":" instead of "dnl" as a noop
71757da Explictly pass SECP256K1_BENCH_ITERS to the benchmarks in travis.sh
99bd661 Replace travis_wait with a loop printing "\a" to stdout every minute
bc818b1 Bump travis Ubuntu from xenial(16.04) to bionic(18.04)
0c5ff90 Add macOS support to travis
b6807d9 Move travis script into a standalone sh file
f39f99b Merge bitcoin#701: Make ec_ arithmetic more consistent and add documentation
39198a0 Merge bitcoin#732: Retry if r is zero during signing
59a8de8 Merge bitcoin#742: Fix typo in ecmult_const_impl.h
4e28465 Fix typo in ecmult_const_impl.h
f862b4c Merge bitcoin#740: Make recovery/main_impl.h non-executable
ffef45c Make recovery/main_impl.h non-executable
2361b37 Merge bitcoin#735: build: fix OpenSSL EC detection on macOS
3b7d26b build: add SECP_TEST_INCLUDES to bench_verify CPPFLAGS
84b5fc5 build: fix OpenSSL EC detection on macOS
37ed51a Make ecdsa_sig_sign constant-time again after reverting 25e3cfb
93d343b Revert "ecdsa_impl: replace scalar if-checks with VERIFY_CHECKs in ecdsa_sig_sign"
7e3952a Clarify documentation of tweak functions.
89853a0 Make tweak function documentation more consistent.
41fc785 Make ec_privkey functions aliases for ec_seckey_negate, ec_seckey_tweak_add and ec_seckey_mul
22911ee Rename private key to secret key in public API (with the exception of function names)
5a73f14 Mention that value is unspecified for In/Out parameters if the function returns 0
f03df0e Define valid ECDSA keys in the documentation of seckey_verify
5894e1f Return 0 if the given seckey is invalid in privkey_negate, privkey_tweak_add and privkey_tweak_mul
8f814cd Add test for boundary conditions of scalar_set_b32 with respect to overflows
3fec982 Use scalar_set_b32_seckey in ecdsa_sign, pubkey_create and seckey_verify
9ab2cbe Add scalar_set_b32_seckey which does the same as scalar_set_b32 and also returns whether it's a valid secret key
4f27e34 Merge bitcoin#728: Suppress a harmless variable-time optimization by clang in memczero
0199387 Add test for memczero()
52a0351 Suppress a harmless variable-time optimization by clang in memczero
8f78e20 Merge bitcoin#722: Context isn't freed in the ECDH benchmark
ed1b911 Merge bitcoin#700: Allow overriding default flags
85b35af Add running benchmarks regularly and under valgrind in travis
ca4906b Pass num of iters to benchmarks as variable, and define envvar
02dd5f1 free the ctx at the end of bench_ecdh
e9fccd4 Merge bitcoin#708: Constant-time behaviour test using valgrind memtest.
08fb6c4 Run valgrind_ctime_test in travis
3d23022 Constant-time behaviour test using valgrind memtest.
96d8ccb Merge bitcoin#710: Eliminate harmless non-constant time operations on secret data.
0585b8b Merge bitcoin#718: Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
7b50483 Adds a declassify operation to aid constant-time analysis.
34a67c7 Eliminate harmless non-constant time operations on secret data.
ca739cb Compile with optimization flag -O2 by default instead of -O3
eb45ef3 Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
856a01d Merge bitcoin#714: doc: document the length requirements of output parameter.
d72b9e2 Merge bitcoin#682: Remove Java Native Interface
4b48a43 doc: document the length requirements of output parameter.
1b4d256 Merge bitcoin#713: Docstrings
dabfea7 field: extend docstring of secp256k1_fe_normalize
dc7d8fd scalar: extend docstring of secp256k1_scalar_set_b32
074ab58 Merge bitcoin#704: README: add a section for test coverage
acb7f97 README: add a section for test coverage
227a4f2 Merge bitcoin#709: Remove secret-dependant non-constant time operation in ecmult_const.
d567b77 Clarify comments about use of rzr on ge functions and abs function.
2241ae6 Remove secret-dependant non-constant time operation in ecmult_const.
642cd06 Remove Java Native Interface
83fb1bc Remove -O2 from default CFLAGS because this would override the -O3 flag (see AC_PROG_CC in the Autoconf manual)
ecba813 Append instead of Prepend user-CFLAGS to default CFLAGS allowing the user to override default variables
613c34c Remove test in configure.ac because it doesn't have an effect
f45d897 Merge bitcoin#703: Overhaul README.md
2e759ec Overhaul README.md
d644dda Merge bitcoin#689: Remove "except in benchmarks" exception for fp math
bde2a32 Convert bench.h to fixed-point math
387d723 Merge bitcoin#679: Add SECURITY.md
0db61d2 Merge bitcoin#685: Fix issue where travis does not show the ./tests seed…
a0771d1 Explicitly disable buffering for stderr in tests
fb424fb Make travis show the ./tests seed by removing stdout buffering and always cat tests.log after a travis run.
22a6031 Merge bitcoin#690: Add valgrind check to travis
544002c Merge bitcoin#678: Preventing compiler optimizations in benchmarks without a memory fence
dd98cc9 travis: Added a valgrind test without endro and enabled recovery+ecdh
b4c1382 Add valgrind check to travis
0c774d8 Merge bitcoin#688: Fix ASM setting in travis
5c5f71e Fix ASM setting in travis
e2625f8 Merge bitcoin#684: Make no-float policy explicit
bae1bea Make no-float policy explicit
78c3836 Add SECURITY.md
362bb25 Modified bench_scalar_split so it won't get optimized out
73a30c6 Added accumulators and checks on benchmarks so they won't get optimized out
770b3dc Merge bitcoin#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
b76142f Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var which was removed in 4704527
137d304 Merge bitcoin#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
0d9540b Merge bitcoin#664: Remove mention of ec_privkey_export because it doesn't exist
59782c6 Remove mention of ec_privkey_export because it doesn't exist
96cd94e Merge bitcoin#337: variable sized precomputed table for signing
dcb2e3b variable signing precompute table
b4bff99 Merge bitcoin#661: Make ./configure string consistent
a467047 Make ./configure string consistent
e729cc7 Merge bitcoin#657: Fix a nit in the recovery tests
b64a2e2 Fix a nit in the recovery tests
e028aa3 Merge bitcoin#650: secp256k1/src/tests.c:  Properly handle sscanf return value
f1e11d3 Merge bitcoin#654: Fix typo (∞)
ef83281 Merge pull request bitcoin#656 from real-or-random/patch-1
556caad Fix typo in docs for _context_set_illegal_callback
0d82732 Improve VERIFY_CHECK of overflow in secp256k1_scalar_cadd_bit. This added check ensures that any curve order overflow doesn't go undetected due a uint32_t overflow.
786dfb4 Merge bitcoin#583: JNI: fix use sig array
e95f8ab Merge bitcoin#644: Avoid optimizing out a verify_check
384f556 Merge bitcoin#652: README.md: update instruction to run tests
ee56acc Merge bitcoin#651: Fix typo in secp256k1_preallocated.h
7b9b117 Merge bitcoin#640: scalar_impl.h: fix includes
d99bec2 Merge bitcoin#655: jni: Use only Guava for hex encoding and decoding
2abcf95 jni: Use only Guava for hex encoding and decoding
271582b Fix typo
ce6d438 README.md: update instruction to run tests
b1e68cb Fix typo in secp256k1_preallocated.h
a11c76c secp256k1/src/tests.c:  Properly handle sscanf return value
8fe63e5 Increase robustness against UB. Thanks to elichai2 who noted that the literal '1' is a signed integer, and that shifting a signed 32-bit integer by 31 bits causes an overflow and yields undefined behaviour. While 'scalar_low_impl''s 'secp256k1_scalar_cadd_bit' is only used for testing purposes and currently the 'bit' parameter is only 0 or 1, it is better to avoid undefined behaviour in case the used domain of 'secp256k1_scalar_cadd_bit' expands.
94ae7cb Moved a dereference so the null check will be before the dereferencing
2cb73b1 scalar_impl.h: fix includes
fa33017 Merge bitcoin#634: Add a descriptive comment for secp256k1_ecmult_const.
ee9e68c Add a descriptive comment for secp256k1_ecmult_const.
d0d738d Merge bitcoin#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
6914c25 typo in comment for secp256k1_ec_pubkey_tweak_mul ()
e541a90 Merge bitcoin#629: Avoid calling _is_zero when _set_b32 fails.
f34b0c3 Merge bitcoin#630: Note intention of timing sidechannel freeness.
8d1563b Note intention of timing sidechannel freeness.
1669bb2 Merge bitcoin#628: Fix ability to compile tests without -DVERIFY.
ecc94ab Merge bitcoin#627: Guard memcmp in tests against mixed size inputs.
544435f Merge bitcoin#578: Avoid implementation-defined and undefined behavior when dealing with sizes
143dc6e Merge bitcoin#595: Allow to use external default callbacks
e49f799 Add missing #(un)defines to base-config.h
77defd2 Add secp256k1_ prefix to default callback functions
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c
5db782e Allow usage of external default callbacks
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return
cd473e0 Avoid calling secp256k1_*_is_zero when secp256k1_*_set_b32 fails.
6c36de7 Merge bitcoin#600: scratch space: use single allocation
98836b1 scratch: replace frames with "checkpoint" system
7623cf2 scratch: save a couple bytes of unnecessarily-allocated memory
a7a164f scratch: rename `max_size` to `size`, document that extra will actually be allocated
5a4bc0b scratch: unify allocations
c2b028a scratch space: thread `error_callback` into all scratch space functions
0be1a4a scratch: add magic bytes to beginning of structure
92a48a7 scratch space: use single allocation
40839e2 Merge bitcoin#592: Use trivial algorithm in ecmult_multi if scratch space is small
dcf3920 Fix ability to compile tests without -DVERIFY.
a484e00 Merge bitcoin#566: Enable context creation in preallocated memory
0522caa Explain caller's obligations for preallocated memory
238305f Move _preallocated functions to separate header
695feb6 Export _preallocated functions
814cc78 Add tests for contexts in preallocated memory
ba12dd0 Check arguments of _preallocated functions
5feadde Support cloning a context into preallocated memory
c4fd5da Switch to a single malloc call
ef020de Add size constants for preallocated memory
1bf7c05 Prepare for manual memory management in preallocated memory
248bffb Guard memcmp in tests against mixed size inputs.
36698dc Merge bitcoin#596: Make WINDOW_G configurable
a61a93f Clean up ./configure help strings
2842dc5 Make WINDOW_G configurable
1a02d6c Merge bitcoin#626: Revert "Merge bitcoin#620: Install headers automatically"
662918c Revert "Merge bitcoin#620: Install headers automatically"
14c7dbd Simplify control flow in DER parsing
ec8f20b Avoid out-of-bound pointers and integer overflows in size comparisons
01ee1b3 Parse DER-enconded length into a size_t instead of an int
912680e Merge bitcoin#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
91fae3a Merge bitcoin#620: Install headers automatically
5df77a0 Merge bitcoin#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
975e51e Merge bitcoin#617: Pass scalar by reference in secp256k1_wnaf_const()
735fbde Merge bitcoin#619: Clear a copied secret key after negation
16e8615 Install headers automatically
069870d Clear a copied secret key after negation
8979ec0 Pass scalar by reference in secp256k1_wnaf_const()
84a8085 Merge bitcoin#612: Allow field_10x26_arm.s to compile for ARMv7 architecture
d4d270a Allow field_10x26_arm.s to compile for ARMv7 architecture
248f046 Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
9ab96f7 Use trivial algorithm in ecmult_multi if scratch space is small
dbed75d Undefine `STATIC_PRECOMPUTATION` if using the basic config
310111e Keep LDFLAGS if `--coverage`
74e2dbd JNI: fix use sig array
3cb057f Fix possible integer overflow in DER parsing

git-subtree-dir: src/secp256k1
git-subtree-split: 2ed54da
@bitcoin bitcoin locked as resolved and limited conversation to collaborators Sep 8, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

No branches or pull requests

2 participants