Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Allow to use external default callbacks #595

Merged
merged 5 commits into from
May 27, 2019

Conversation

real-or-random
Copy link
Contributor

This is intended for environments without implementations for abort(), fprintf(), and stderr. e.g., embedded systems. Those can provide their own implementations of default_illegal_callback_fn and default_error_callback_fn at compile time.

If you want to use your own default callback, things will be somewhat inconsistent unfortunately: We cannot make the callback data extern too, because then the initialization lists for default_illegal_callback won't contain only constants. (const variables are not compile-time constants). So you cannot take callback data in your own default callback function.

As a more drastic/breaking alternative I suggest to remove the callback data entirely. I don't think it's a big loss and I would be surprised if anyone uses it. Additionally, we could even remove the possibility to set the callback function at runtime after this PR. This will simplify things a lot, and again I don't think it's a big loss.

Note that abort(), fprintf(), and stderr are also used in CHECK, which is still used in production code if we rely on gmp for scalar and field inversions (e.g., https://github.com/bitcoin-core/secp256k1/blob/master/src/scalar_impl.h#L240). This is not an issue for embedded system which probably don't want to use gmp anyway, but it is probably an issue for the reasons explained in #566 (comment).

(related downstream: rust-bitcoin/rust-secp256k1#100 @elichai)

@gmaxwell
Copy link
Contributor

gmaxwell commented Mar 4, 2019

The kinds of enviroments where you couldn't use the defaults are also ones where you're going to be custom compiling this and not using it as a system library.

Having a compile mode where the callbacks get converted to static dispatches to a compile time specified function sounds good to me (function pointers in structs on the stack the #2 way for stack overwrites to get escalated into attacker control of execution flow (#1 is smashing a return address)).

@real-or-random
Copy link
Contributor Author

As a more drastic/breaking alternative I suggest to remove the callback data entirely. I don't think it's a big loss and I would be surprised if anyone uses it. Additionally, we could even remove the possibility to set the callback function at runtime after this PR. This will simplify things a lot, and again I don't think it's a big loss.

Another advantage of this will be that we could call the error functions from everywhere without carrying around the context. This would make it easier to replace the CHECKs in scalar and field inversions without passing the context deeply (and somewhat arbitrarily) into arithmetic functions.

Copy link
Contributor

@jonasnick jonasnick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

So the idea is that you link your own implementations of default_{illegal,error}_callback_fn if libsecp is configured with --enable-external-default-callback. CHECK is replaced by ARG_CHECK_NO_RETURN because CHECK requires abort, fprintf, stderr. ARG_CHECK doesn't work because the functions it's used in return void.

@real-or-random The remaining use of CHECK in secp256k1_fe_inv_var isn't a problem?

As far as I can evaluate LGTM but I haven't tried to link against my own implementation.

configure.ac Outdated Show resolved Hide resolved
@real-or-random
Copy link
Contributor Author

Thanks for adding a better description of the changes!

@real-or-random The remaining use of CHECK in secp256k1_fe_inv_var isn't a problem?

It's not great but it's not a problem if you want to get rid of the standard library symbols: all the remaining uses of CHECK can be turned off by appropriate defines such as USE_FIELD_INV_BUILTIN.

Yes, I also haven't tried to link against my own implementation. I should test this before this PR can be considered ready.

@gmaxwell
Copy link
Contributor

gmaxwell commented Mar 7, 2019

Any reason to not change the optional internal use of CHECK to work like malloc failure does?

(FWIW, those inverse things should go away because we should get an internal fast inverse and ditch GMP... but thats a lot more than a couple line change :) )

@real-or-random
Copy link
Contributor Author

Any reason to not change the optional internal use of CHECK to work like malloc failure does?

I think then you need the callback, which means that you need to pass the context or the callback pointer into these arithmetic functions, probably multiple levels deep. It's doable but it does not seem to be a great solution.

@real-or-random
Copy link
Contributor Author

As a more drastic/breaking alternative I suggest to remove the callback data entirely. I don't think it's a big loss and I would be surprised if anyone uses it. Additionally, we could even remove the possibility to set the callback function at runtime after this PR. This will simplify things a lot, and again I don't think it's a big loss.

What's your opinion on this? Too breaking? If the callbacks were not configurable that, we could replace the internal CHECKs easily.

@real-or-random
Copy link
Contributor Author

Interfacing this with external callback functions works but it feels indeed somewhat cumbersome:

  • the functions don't have a secp256_ prefix (fixed with latest commit)
  • the functions take a data pointer but they need to be prepared ignore it because at least before calling one of the set_x_callback functions, it will always be NULL (see previous comment). I don't think it's a showstopper though.

@sipa
Copy link
Contributor

sipa commented Mar 13, 2019

If you want to use your own default callback, things will be somewhat inconsistent unfortunately: We cannot make the callback data extern too, because then the initialization lists for default_illegal_callback won't contain only constants. (const variables are not compile-time constants). So you cannot take callback data in your own default callback function.

I don't think this is a problem. The reason for the data pointer is so that you can pass runtime dependent data into the callback. In cases where such runtime data exist, it's always possible to call secp256k1_context_set_illegal_callback/secp256k1_context_set_error_callback.

As a more drastic/breaking alternative I suggest to remove the callback data entirely. I don't think it's a big loss and I would be surprised if anyone uses it.

Having searched around a bit, I think this is fine. I'm a bit unclear about how to roll it out - do we just start ignoring the data argument (and cause failure (?) when it's non-null in the set_*_callback functions), or do we break the API and rip out the arguments? It's unclear what kind of breaks downstream library tolerate here. There is at least one place I found that actually does call the set_*_callback outside of tests: https://github.com/ethereum/go-ethereum/blob/master/crypto/secp256k1/secp256.go .

Additionally, we could even remove the possibility to set the callback function at runtime after this PR. This will simplify things a lot, and again I don't think it's a big loss.

I think that's going too far. There are some places where the library is used in a shared library context, where anything but runtime-set callbacks is unclear at least. Also in situations where the library is used by different layers of a program (say, indrectly through a library like libwally, but also directly for network ECDH negotiations) and those layers want to have distinct behavior.

(FWIW, those inverse things should go away because we should get an internal fast inverse and ditch GMP... but thats a lot more than a couple line change :) )

That would be great.

@gmaxwell
Copy link
Contributor

Also in situations where the library is used by different layers of a program (say, indrectly through a library like libwally, but also directly for network ECDH negotiations) and those layers want to have distinct behavior.

Is that actually the case? I think that for the cases where the callbacks are called, only something terrible has happened and you're going to want to shut down ... even if the context was some totally boring network facing thing. Simply because it means that your memory might be corrupted and attempting to continue could be bad.

@real-or-random
Copy link
Contributor Author

real-or-random commented Mar 13, 2019

I see the point with the shared library context (no matter if we different layers need different callbacks). But given that, I think we should keep the API as it is. After playing around with the code, I'm rather convinced that having data pointers in default callbacks is fine; it just needs to be documented properly that the default callbacks always need to be prepared to get a NULL pointer. I'll add a commit that updates the header file.

By the way, I've experimented also with a branch that allows external pointers to callback data too (in the end the stupid C99 restriction is not essential and can be worked around). But I don't think it's very helpful. It just adds complexity to the API for no real benefit.

@real-or-random
Copy link
Contributor Author

Force-pushed. All the changes are in comments in secp256k1.h, which hasn't been touched before.

@real-or-random
Copy link
Contributor Author

I've added a commit that adds this as #undef to base-config.h (and a few more which were missing).

Copy link
Contributor

@jonasnick jonasnick left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I can confirm that linking external default callbacks works. ACK mod nit.

include/secp256k1.h Outdated Show resolved Hide resolved
@gmaxwell
Copy link
Contributor

gmaxwell commented May 22, 2019

The only use for the data argument that I'm aware of is the use that we have in the tests: carrying in a counter for test instrumentation. This could be replaced in our tests by providing a callback function that modifies a global.

Is anyone aware of anything else?

Regarding compatibility, removing an argument is the most minor of API changes. I don't think we should let that hold us back if we think its the right change.

@real-or-random
Copy link
Contributor Author

I force-pushed to address @jonasnick's nit.

@gmaxwell
As I said above, I don't think that the data pointer is a real issue in the current version of this PR, so this is fine as it is. If someone replaces the default callbacks, then he know what he's doing and has read the docs.

@gmaxwell
Copy link
Contributor

utACK

gmaxwell added a commit that referenced this pull request May 25, 2019
a61a93f Clean up ./configure help strings (Tim Ruffing)
2842dc5 Make WINDOW_G configurable (Tim Ruffing)

Pull request description:

  This makes WINDOW_G a configurable value in the range of [2..24].
  The upper limit of 24 is a defensive choice. The code is probably
  correct for values up to 33 but those larger values yield in huge
  tables (>= 256MiB), which are i) unlikely to be really beneficial
  in practice and ii) increasingly difficult to test.

  The main point of this is not to make the window size configurable (using ./configure) but rather to use an external #define for the window size, which makes it configurable for embedded system that rely on their own build system (like in #595).

ACKs for commit a61a93:

Tree-SHA512: 0d58fdf4763340ddab992e95f6302a33d891476a7ac1748202ee99808e72b20754bb6935cbeaf0bb36077abaaff7d65f4848b1af64f1a0a5258239ba0d27020c
@gmaxwell
Copy link
Contributor

Needs rebase (sorry!)

@real-or-random
Copy link
Contributor Author

rebased

@gmaxwell gmaxwell merged commit e49f799 into bitcoin-core:master May 27, 2019
gmaxwell added a commit that referenced this pull request May 27, 2019
e49f799 Add missing #(un)defines to base-config.h (Tim Ruffing)
77defd2 Add secp256k1_ prefix to default callback functions (Tim Ruffing)
908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c (Tim Ruffing)
5db782e Allow usage of external default callbacks (Tim Ruffing)
6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return (Tim Ruffing)

Pull request description:

  This is intended for environments without implementations for `abort()`, `fprintf()`, and `stderr`. e.g., embedded systems. Those can provide their own implementations of `default_illegal_callback_fn` and `default_error_callback_fn` at compile time.

  If you want to use your own default callback, things will be somewhat inconsistent unfortunately: We cannot make the callback data `extern` too, because then the initialization lists for `default_illegal_callback` won't contain only constants. (`const` variables are not compile-time constants). So you cannot take callback data in your own default callback function.

  As a more drastic/breaking alternative I suggest to remove the callback data entirely. I don't think it's a big loss and I would be surprised if anyone uses it. Additionally, we could even remove the possibility to set the callback function at runtime after this PR. This will simplify things a lot, and again I don't think it's a big loss.

  Note that `abort()`, `fprintf()`, and `stderr` are also used in `CHECK`, which is still used in production code if we rely on gmp for scalar and field inversions (e.g.,  https://github.com/bitcoin-core/secp256k1/blob/master/src/scalar_impl.h#L240). This is not an issue for embedded system which probably don't want to use gmp anyway, but it is probably an issue for the reasons explained in #566 (comment).

  (related downstream: rust-bitcoin/rust-secp256k1#100 @elichai)

ACKs for commit e49f79:

Tree-SHA512: 4dec0821eef4156cbe162bd8cdf0531c1fae8c98cd9db8438170ff1aa0e59b199739eeab293695bb582246812bea5309959f02f1fb74bb57872da54ebc52313f
fanquake added a commit to bitcoin/bitcoin that referenced this pull request Jun 13, 2020
e10439c scripted-diff: rename privkey with seckey in secp256k1 interface (Pieter Wuille)
ca8bc42 Drop --disable-jni from libsecp256k1 configure options (Pieter Wuille)
ddc2419 Update MSVC build config for libsecp256k1 (Pieter Wuille)
67f232b Squashed 'src/secp256k1/' changes from b19c000..2ed54da (Pieter Wuille)

Pull request description:

  It's been abound a year since the subtree was updated.

  Here is a list of the included PRs:

  * bitcoin-core/secp256k1#755: Recovery signing: add to constant time test, and eliminate non ct operators
  * bitcoin-core/secp256k1#754: Fix uninit values passed into cmov
  * bitcoin-core/secp256k1#752: autoconf: Use ":" instead of "dnl" as a noop
  * bitcoin-core/secp256k1#750: Add macOS to the CI
  * bitcoin-core/secp256k1#701: Make ec_ arithmetic more consistent and add documentation
  * bitcoin-core/secp256k1#732: Retry if r is zero during signing
  * bitcoin-core/secp256k1#742: Fix typo in ecmult_const_impl.h
  * bitcoin-core/secp256k1#740: Make recovery/main_impl.h non-executable
  * bitcoin-core/secp256k1#735: build: fix OpenSSL EC detection on macOS
  * bitcoin-core/secp256k1#728: Suppress a harmless variable-time optimization by clang in memczero
  * bitcoin-core/secp256k1#722: Context isn't freed in the ECDH benchmark
  * bitcoin-core/secp256k1#700: Allow overriding default flags
  * bitcoin-core/secp256k1#708: Constant-time behaviour test using valgrind memtest.
  * bitcoin-core/secp256k1#710: Eliminate harmless non-constant time operations on secret data.
  * bitcoin-core/secp256k1#718: Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
  * bitcoin-core/secp256k1#714: doc: document the length requirements of output parameter.
  * bitcoin-core/secp256k1#682: Remove Java Native Interface
  * bitcoin-core/secp256k1#713: Docstrings
  * bitcoin-core/secp256k1#704: README: add a section for test coverage
  * bitcoin-core/secp256k1#709: Remove secret-dependant non-constant time operation in ecmult_const.
  * bitcoin-core/secp256k1#703: Overhaul README.md
  * bitcoin-core/secp256k1#689: Remove "except in benchmarks" exception for fp math
  * bitcoin-core/secp256k1#679: Add SECURITY.md
  * bitcoin-core/secp256k1#685: Fix issue where travis does not show the ./tests seed…
  * bitcoin-core/secp256k1#690: Add valgrind check to travis
  * bitcoin-core/secp256k1#678: Preventing compiler optimizations in benchmarks without a memory fence
  * bitcoin-core/secp256k1#688: Fix ASM setting in travis
  * bitcoin-core/secp256k1#684: Make no-float policy explicit
  * bitcoin-core/secp256k1#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
  * bitcoin-core/secp256k1#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
  * bitcoin-core/secp256k1#664: Remove mention of ec_privkey_export because it doesn't exist
  * bitcoin-core/secp256k1#337: variable sized precomputed table for signing
  * bitcoin-core/secp256k1#661: Make ./configure string consistent
  * bitcoin-core/secp256k1#657: Fix a nit in the recovery tests
  * bitcoin-core/secp256k1#650: secp256k1/src/tests.c:  Properly handle sscanf return value
  * bitcoin-core/secp256k1#654: Fix typo (∞)
  * bitcoin-core/secp256k1#583: JNI: fix use sig array
  * bitcoin-core/secp256k1#644: Avoid optimizing out a verify_check
  * bitcoin-core/secp256k1#652: README.md: update instruction to run tests
  * bitcoin-core/secp256k1#651: Fix typo in secp256k1_preallocated.h
  * bitcoin-core/secp256k1#640: scalar_impl.h: fix includes
  * bitcoin-core/secp256k1#655: jni: Use only Guava for hex encoding and decoding
  * bitcoin-core/secp256k1#634: Add a descriptive comment for secp256k1_ecmult_const.
  * bitcoin-core/secp256k1#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
  * bitcoin-core/secp256k1#629: Avoid calling _is_zero when _set_b32 fails.
  * bitcoin-core/secp256k1#630: Note intention of timing sidechannel freeness.
  * bitcoin-core/secp256k1#628: Fix ability to compile tests without -DVERIFY.
  * bitcoin-core/secp256k1#627: Guard memcmp in tests against mixed size inputs.
  * bitcoin-core/secp256k1#578: Avoid implementation-defined and undefined behavior when dealing with sizes
  * bitcoin-core/secp256k1#595: Allow to use external default callbacks
  * bitcoin-core/secp256k1#600: scratch space: use single allocation
  * bitcoin-core/secp256k1#592: Use trivial algorithm in ecmult_multi if scratch space is small
  * bitcoin-core/secp256k1#566: Enable context creation in preallocated memory
  * bitcoin-core/secp256k1#596: Make WINDOW_G configurable
  * bitcoin-core/secp256k1#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
  * bitcoin-core/secp256k1#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
  * bitcoin-core/secp256k1#617: Pass scalar by reference in secp256k1_wnaf_const()
  * bitcoin-core/secp256k1#619: Clear a copied secret key after negation
  * bitcoin-core/secp256k1#612: Allow field_10x26_arm.s to compile for ARMv7 architecture

ACKs for top commit:
  real-or-random:
    ACK e10439c I verified the diff (subtree matches my local tree, manual inspection of other commits) but I didn't tested the resulting code
  fanquake:
    ACK e10439c
  Sjors:
    ACK e10439c
  jonasnick:
    reACK e10439c

Tree-SHA512: eb6284a485da78e9d2ed3f771df85560d47c770ebf480a0d4121ab356ad26be101a2b973efe412f26e6c142bc1dbd2efbb5cc08774233e41918c59fe3dff3387
sidhujag pushed a commit to syscoin/syscoin that referenced this pull request Jun 13, 2020
e10439c scripted-diff: rename privkey with seckey in secp256k1 interface (Pieter Wuille)
ca8bc42 Drop --disable-jni from libsecp256k1 configure options (Pieter Wuille)
ddc2419 Update MSVC build config for libsecp256k1 (Pieter Wuille)
67f232b Squashed 'src/secp256k1/' changes from b19c000..2ed54da (Pieter Wuille)

Pull request description:

  It's been abound a year since the subtree was updated.

  Here is a list of the included PRs:

  * bitcoin-core/secp256k1#755: Recovery signing: add to constant time test, and eliminate non ct operators
  * bitcoin-core/secp256k1#754: Fix uninit values passed into cmov
  * bitcoin-core/secp256k1#752: autoconf: Use ":" instead of "dnl" as a noop
  * bitcoin-core/secp256k1#750: Add macOS to the CI
  * bitcoin-core/secp256k1#701: Make ec_ arithmetic more consistent and add documentation
  * bitcoin-core/secp256k1#732: Retry if r is zero during signing
  * bitcoin-core/secp256k1#742: Fix typo in ecmult_const_impl.h
  * bitcoin-core/secp256k1#740: Make recovery/main_impl.h non-executable
  * bitcoin-core/secp256k1#735: build: fix OpenSSL EC detection on macOS
  * bitcoin-core/secp256k1#728: Suppress a harmless variable-time optimization by clang in memczero
  * bitcoin-core/secp256k1#722: Context isn't freed in the ECDH benchmark
  * bitcoin-core/secp256k1#700: Allow overriding default flags
  * bitcoin-core/secp256k1#708: Constant-time behaviour test using valgrind memtest.
  * bitcoin-core/secp256k1#710: Eliminate harmless non-constant time operations on secret data.
  * bitcoin-core/secp256k1#718: Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
  * bitcoin-core/secp256k1#714: doc: document the length requirements of output parameter.
  * bitcoin-core/secp256k1#682: Remove Java Native Interface
  * bitcoin-core/secp256k1#713: Docstrings
  * bitcoin-core/secp256k1#704: README: add a section for test coverage
  * bitcoin-core/secp256k1#709: Remove secret-dependant non-constant time operation in ecmult_const.
  * bitcoin-core/secp256k1#703: Overhaul README.md
  * bitcoin-core/secp256k1#689: Remove "except in benchmarks" exception for fp math
  * bitcoin-core/secp256k1#679: Add SECURITY.md
  * bitcoin-core/secp256k1#685: Fix issue where travis does not show the ./tests seed…
  * bitcoin-core/secp256k1#690: Add valgrind check to travis
  * bitcoin-core/secp256k1#678: Preventing compiler optimizations in benchmarks without a memory fence
  * bitcoin-core/secp256k1#688: Fix ASM setting in travis
  * bitcoin-core/secp256k1#684: Make no-float policy explicit
  * bitcoin-core/secp256k1#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
  * bitcoin-core/secp256k1#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
  * bitcoin-core/secp256k1#664: Remove mention of ec_privkey_export because it doesn't exist
  * bitcoin-core/secp256k1#337: variable sized precomputed table for signing
  * bitcoin-core/secp256k1#661: Make ./configure string consistent
  * bitcoin-core/secp256k1#657: Fix a nit in the recovery tests
  * bitcoin-core/secp256k1#650: secp256k1/src/tests.c:  Properly handle sscanf return value
  * bitcoin-core/secp256k1#654: Fix typo (∞)
  * bitcoin-core/secp256k1#583: JNI: fix use sig array
  * bitcoin-core/secp256k1#644: Avoid optimizing out a verify_check
  * bitcoin-core/secp256k1#652: README.md: update instruction to run tests
  * bitcoin-core/secp256k1#651: Fix typo in secp256k1_preallocated.h
  * bitcoin-core/secp256k1#640: scalar_impl.h: fix includes
  * bitcoin-core/secp256k1#655: jni: Use only Guava for hex encoding and decoding
  * bitcoin-core/secp256k1#634: Add a descriptive comment for secp256k1_ecmult_const.
  * bitcoin-core/secp256k1#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
  * bitcoin-core/secp256k1#629: Avoid calling _is_zero when _set_b32 fails.
  * bitcoin-core/secp256k1#630: Note intention of timing sidechannel freeness.
  * bitcoin-core/secp256k1#628: Fix ability to compile tests without -DVERIFY.
  * bitcoin-core/secp256k1#627: Guard memcmp in tests against mixed size inputs.
  * bitcoin-core/secp256k1#578: Avoid implementation-defined and undefined behavior when dealing with sizes
  * bitcoin-core/secp256k1#595: Allow to use external default callbacks
  * bitcoin-core/secp256k1#600: scratch space: use single allocation
  * bitcoin-core/secp256k1#592: Use trivial algorithm in ecmult_multi if scratch space is small
  * bitcoin-core/secp256k1#566: Enable context creation in preallocated memory
  * bitcoin-core/secp256k1#596: Make WINDOW_G configurable
  * bitcoin-core/secp256k1#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
  * bitcoin-core/secp256k1#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
  * bitcoin-core/secp256k1#617: Pass scalar by reference in secp256k1_wnaf_const()
  * bitcoin-core/secp256k1#619: Clear a copied secret key after negation
  * bitcoin-core/secp256k1#612: Allow field_10x26_arm.s to compile for ARMv7 architecture

ACKs for top commit:
  real-or-random:
    ACK e10439c I verified the diff (subtree matches my local tree, manual inspection of other commits) but I didn't tested the resulting code
  fanquake:
    ACK e10439c
  Sjors:
    ACK e10439c
  jonasnick:
    reACK e10439c

Tree-SHA512: eb6284a485da78e9d2ed3f771df85560d47c770ebf480a0d4121ab356ad26be101a2b973efe412f26e6c142bc1dbd2efbb5cc08774233e41918c59fe3dff3387
ComputerCraftr pushed a commit to ComputerCraftr/bitcoin that referenced this pull request Jun 16, 2020
e10439c scripted-diff: rename privkey with seckey in secp256k1 interface (Pieter Wuille)
ca8bc42 Drop --disable-jni from libsecp256k1 configure options (Pieter Wuille)
ddc2419 Update MSVC build config for libsecp256k1 (Pieter Wuille)
67f232b Squashed 'src/secp256k1/' changes from b19c000..2ed54da (Pieter Wuille)

Pull request description:

  It's been abound a year since the subtree was updated.

  Here is a list of the included PRs:

  * bitcoin-core/secp256k1#755: Recovery signing: add to constant time test, and eliminate non ct operators
  * bitcoin-core/secp256k1#754: Fix uninit values passed into cmov
  * bitcoin-core/secp256k1#752: autoconf: Use ":" instead of "dnl" as a noop
  * bitcoin-core/secp256k1#750: Add macOS to the CI
  * bitcoin-core/secp256k1#701: Make ec_ arithmetic more consistent and add documentation
  * bitcoin-core/secp256k1#732: Retry if r is zero during signing
  * bitcoin-core/secp256k1#742: Fix typo in ecmult_const_impl.h
  * bitcoin-core/secp256k1#740: Make recovery/main_impl.h non-executable
  * bitcoin-core/secp256k1#735: build: fix OpenSSL EC detection on macOS
  * bitcoin-core/secp256k1#728: Suppress a harmless variable-time optimization by clang in memczero
  * bitcoin-core/secp256k1#722: Context isn't freed in the ECDH benchmark
  * bitcoin-core/secp256k1#700: Allow overriding default flags
  * bitcoin-core/secp256k1#708: Constant-time behaviour test using valgrind memtest.
  * bitcoin-core/secp256k1#710: Eliminate harmless non-constant time operations on secret data.
  * bitcoin-core/secp256k1#718: Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
  * bitcoin-core/secp256k1#714: doc: document the length requirements of output parameter.
  * bitcoin-core/secp256k1#682: Remove Java Native Interface
  * bitcoin-core/secp256k1#713: Docstrings
  * bitcoin-core/secp256k1#704: README: add a section for test coverage
  * bitcoin-core/secp256k1#709: Remove secret-dependant non-constant time operation in ecmult_const.
  * bitcoin-core/secp256k1#703: Overhaul README.md
  * bitcoin-core/secp256k1#689: Remove "except in benchmarks" exception for fp math
  * bitcoin-core/secp256k1#679: Add SECURITY.md
  * bitcoin-core/secp256k1#685: Fix issue where travis does not show the ./tests seed…
  * bitcoin-core/secp256k1#690: Add valgrind check to travis
  * bitcoin-core/secp256k1#678: Preventing compiler optimizations in benchmarks without a memory fence
  * bitcoin-core/secp256k1#688: Fix ASM setting in travis
  * bitcoin-core/secp256k1#684: Make no-float policy explicit
  * bitcoin-core/secp256k1#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
  * bitcoin-core/secp256k1#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
  * bitcoin-core/secp256k1#664: Remove mention of ec_privkey_export because it doesn't exist
  * bitcoin-core/secp256k1#337: variable sized precomputed table for signing
  * bitcoin-core/secp256k1#661: Make ./configure string consistent
  * bitcoin-core/secp256k1#657: Fix a nit in the recovery tests
  * bitcoin-core/secp256k1#650: secp256k1/src/tests.c:  Properly handle sscanf return value
  * bitcoin-core/secp256k1#654: Fix typo (∞)
  * bitcoin-core/secp256k1#583: JNI: fix use sig array
  * bitcoin-core/secp256k1#644: Avoid optimizing out a verify_check
  * bitcoin-core/secp256k1#652: README.md: update instruction to run tests
  * bitcoin-core/secp256k1#651: Fix typo in secp256k1_preallocated.h
  * bitcoin-core/secp256k1#640: scalar_impl.h: fix includes
  * bitcoin-core/secp256k1#655: jni: Use only Guava for hex encoding and decoding
  * bitcoin-core/secp256k1#634: Add a descriptive comment for secp256k1_ecmult_const.
  * bitcoin-core/secp256k1#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
  * bitcoin-core/secp256k1#629: Avoid calling _is_zero when _set_b32 fails.
  * bitcoin-core/secp256k1#630: Note intention of timing sidechannel freeness.
  * bitcoin-core/secp256k1#628: Fix ability to compile tests without -DVERIFY.
  * bitcoin-core/secp256k1#627: Guard memcmp in tests against mixed size inputs.
  * bitcoin-core/secp256k1#578: Avoid implementation-defined and undefined behavior when dealing with sizes
  * bitcoin-core/secp256k1#595: Allow to use external default callbacks
  * bitcoin-core/secp256k1#600: scratch space: use single allocation
  * bitcoin-core/secp256k1#592: Use trivial algorithm in ecmult_multi if scratch space is small
  * bitcoin-core/secp256k1#566: Enable context creation in preallocated memory
  * bitcoin-core/secp256k1#596: Make WINDOW_G configurable
  * bitcoin-core/secp256k1#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
  * bitcoin-core/secp256k1#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
  * bitcoin-core/secp256k1#617: Pass scalar by reference in secp256k1_wnaf_const()
  * bitcoin-core/secp256k1#619: Clear a copied secret key after negation
  * bitcoin-core/secp256k1#612: Allow field_10x26_arm.s to compile for ARMv7 architecture

ACKs for top commit:
  real-or-random:
    ACK e10439c I verified the diff (subtree matches my local tree, manual inspection of other commits) but I didn't tested the resulting code
  fanquake:
    ACK e10439c
  Sjors:
    ACK e10439c
  jonasnick:
    reACK e10439c

Tree-SHA512: eb6284a485da78e9d2ed3f771df85560d47c770ebf480a0d4121ab356ad26be101a2b973efe412f26e6c142bc1dbd2efbb5cc08774233e41918c59fe3dff3387
UdjinM6 pushed a commit to UdjinM6/dash that referenced this pull request Aug 10, 2021
e10439c scripted-diff: rename privkey with seckey in secp256k1 interface (Pieter Wuille)
ca8bc42 Drop --disable-jni from libsecp256k1 configure options (Pieter Wuille)
ddc2419 Update MSVC build config for libsecp256k1 (Pieter Wuille)
67f232b Squashed 'src/secp256k1/' changes from b19c000..2ed54da (Pieter Wuille)

Pull request description:

  It's been abound a year since the subtree was updated.

  Here is a list of the included PRs:

  * bitcoin-core/secp256k1#755: Recovery signing: add to constant time test, and eliminate non ct operators
  * bitcoin-core/secp256k1#754: Fix uninit values passed into cmov
  * bitcoin-core/secp256k1#752: autoconf: Use ":" instead of "dnl" as a noop
  * bitcoin-core/secp256k1#750: Add macOS to the CI
  * bitcoin-core/secp256k1#701: Make ec_ arithmetic more consistent and add documentation
  * bitcoin-core/secp256k1#732: Retry if r is zero during signing
  * bitcoin-core/secp256k1#742: Fix typo in ecmult_const_impl.h
  * bitcoin-core/secp256k1#740: Make recovery/main_impl.h non-executable
  * bitcoin-core/secp256k1#735: build: fix OpenSSL EC detection on macOS
  * bitcoin-core/secp256k1#728: Suppress a harmless variable-time optimization by clang in memczero
  * bitcoin-core/secp256k1#722: Context isn't freed in the ECDH benchmark
  * bitcoin-core/secp256k1#700: Allow overriding default flags
  * bitcoin-core/secp256k1#708: Constant-time behaviour test using valgrind memtest.
  * bitcoin-core/secp256k1#710: Eliminate harmless non-constant time operations on secret data.
  * bitcoin-core/secp256k1#718: Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
  * bitcoin-core/secp256k1#714: doc: document the length requirements of output parameter.
  * bitcoin-core/secp256k1#682: Remove Java Native Interface
  * bitcoin-core/secp256k1#713: Docstrings
  * bitcoin-core/secp256k1#704: README: add a section for test coverage
  * bitcoin-core/secp256k1#709: Remove secret-dependant non-constant time operation in ecmult_const.
  * bitcoin-core/secp256k1#703: Overhaul README.md
  * bitcoin-core/secp256k1#689: Remove "except in benchmarks" exception for fp math
  * bitcoin-core/secp256k1#679: Add SECURITY.md
  * bitcoin-core/secp256k1#685: Fix issue where travis does not show the ./tests seed…
  * bitcoin-core/secp256k1#690: Add valgrind check to travis
  * bitcoin-core/secp256k1#678: Preventing compiler optimizations in benchmarks without a memory fence
  * bitcoin-core/secp256k1#688: Fix ASM setting in travis
  * bitcoin-core/secp256k1#684: Make no-float policy explicit
  * bitcoin-core/secp256k1#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
  * bitcoin-core/secp256k1#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
  * bitcoin-core/secp256k1#664: Remove mention of ec_privkey_export because it doesn't exist
  * bitcoin-core/secp256k1#337: variable sized precomputed table for signing
  * bitcoin-core/secp256k1#661: Make ./configure string consistent
  * bitcoin-core/secp256k1#657: Fix a nit in the recovery tests
  * bitcoin-core/secp256k1#650: secp256k1/src/tests.c:  Properly handle sscanf return value
  * bitcoin-core/secp256k1#654: Fix typo (∞)
  * bitcoin-core/secp256k1#583: JNI: fix use sig array
  * bitcoin-core/secp256k1#644: Avoid optimizing out a verify_check
  * bitcoin-core/secp256k1#652: README.md: update instruction to run tests
  * bitcoin-core/secp256k1#651: Fix typo in secp256k1_preallocated.h
  * bitcoin-core/secp256k1#640: scalar_impl.h: fix includes
  * bitcoin-core/secp256k1#655: jni: Use only Guava for hex encoding and decoding
  * bitcoin-core/secp256k1#634: Add a descriptive comment for secp256k1_ecmult_const.
  * bitcoin-core/secp256k1#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
  * bitcoin-core/secp256k1#629: Avoid calling _is_zero when _set_b32 fails.
  * bitcoin-core/secp256k1#630: Note intention of timing sidechannel freeness.
  * bitcoin-core/secp256k1#628: Fix ability to compile tests without -DVERIFY.
  * bitcoin-core/secp256k1#627: Guard memcmp in tests against mixed size inputs.
  * bitcoin-core/secp256k1#578: Avoid implementation-defined and undefined behavior when dealing with sizes
  * bitcoin-core/secp256k1#595: Allow to use external default callbacks
  * bitcoin-core/secp256k1#600: scratch space: use single allocation
  * bitcoin-core/secp256k1#592: Use trivial algorithm in ecmult_multi if scratch space is small
  * bitcoin-core/secp256k1#566: Enable context creation in preallocated memory
  * bitcoin-core/secp256k1#596: Make WINDOW_G configurable
  * bitcoin-core/secp256k1#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
  * bitcoin-core/secp256k1#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
  * bitcoin-core/secp256k1#617: Pass scalar by reference in secp256k1_wnaf_const()
  * bitcoin-core/secp256k1#619: Clear a copied secret key after negation
  * bitcoin-core/secp256k1#612: Allow field_10x26_arm.s to compile for ARMv7 architecture

ACKs for top commit:
  real-or-random:
    ACK e10439c I verified the diff (subtree matches my local tree, manual inspection of other commits) but I didn't tested the resulting code
  fanquake:
    ACK e10439c
  Sjors:
    ACK e10439c
  jonasnick:
    reACK e10439c

Tree-SHA512: eb6284a485da78e9d2ed3f771df85560d47c770ebf480a0d4121ab356ad26be101a2b973efe412f26e6c142bc1dbd2efbb5cc08774233e41918c59fe3dff3387
5tefan pushed a commit to 5tefan/dash that referenced this pull request Aug 12, 2021
e10439c scripted-diff: rename privkey with seckey in secp256k1 interface (Pieter Wuille)
ca8bc42 Drop --disable-jni from libsecp256k1 configure options (Pieter Wuille)
ddc2419 Update MSVC build config for libsecp256k1 (Pieter Wuille)
67f232b Squashed 'src/secp256k1/' changes from b19c000..2ed54da (Pieter Wuille)

Pull request description:

  It's been abound a year since the subtree was updated.

  Here is a list of the included PRs:

  * bitcoin-core/secp256k1#755: Recovery signing: add to constant time test, and eliminate non ct operators
  * bitcoin-core/secp256k1#754: Fix uninit values passed into cmov
  * bitcoin-core/secp256k1#752: autoconf: Use ":" instead of "dnl" as a noop
  * bitcoin-core/secp256k1#750: Add macOS to the CI
  * bitcoin-core/secp256k1#701: Make ec_ arithmetic more consistent and add documentation
  * bitcoin-core/secp256k1#732: Retry if r is zero during signing
  * bitcoin-core/secp256k1#742: Fix typo in ecmult_const_impl.h
  * bitcoin-core/secp256k1#740: Make recovery/main_impl.h non-executable
  * bitcoin-core/secp256k1#735: build: fix OpenSSL EC detection on macOS
  * bitcoin-core/secp256k1#728: Suppress a harmless variable-time optimization by clang in memczero
  * bitcoin-core/secp256k1#722: Context isn't freed in the ECDH benchmark
  * bitcoin-core/secp256k1#700: Allow overriding default flags
  * bitcoin-core/secp256k1#708: Constant-time behaviour test using valgrind memtest.
  * bitcoin-core/secp256k1#710: Eliminate harmless non-constant time operations on secret data.
  * bitcoin-core/secp256k1#718: Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
  * bitcoin-core/secp256k1#714: doc: document the length requirements of output parameter.
  * bitcoin-core/secp256k1#682: Remove Java Native Interface
  * bitcoin-core/secp256k1#713: Docstrings
  * bitcoin-core/secp256k1#704: README: add a section for test coverage
  * bitcoin-core/secp256k1#709: Remove secret-dependant non-constant time operation in ecmult_const.
  * bitcoin-core/secp256k1#703: Overhaul README.md
  * bitcoin-core/secp256k1#689: Remove "except in benchmarks" exception for fp math
  * bitcoin-core/secp256k1#679: Add SECURITY.md
  * bitcoin-core/secp256k1#685: Fix issue where travis does not show the ./tests seed…
  * bitcoin-core/secp256k1#690: Add valgrind check to travis
  * bitcoin-core/secp256k1#678: Preventing compiler optimizations in benchmarks without a memory fence
  * bitcoin-core/secp256k1#688: Fix ASM setting in travis
  * bitcoin-core/secp256k1#684: Make no-float policy explicit
  * bitcoin-core/secp256k1#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
  * bitcoin-core/secp256k1#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
  * bitcoin-core/secp256k1#664: Remove mention of ec_privkey_export because it doesn't exist
  * bitcoin-core/secp256k1#337: variable sized precomputed table for signing
  * bitcoin-core/secp256k1#661: Make ./configure string consistent
  * bitcoin-core/secp256k1#657: Fix a nit in the recovery tests
  * bitcoin-core/secp256k1#650: secp256k1/src/tests.c:  Properly handle sscanf return value
  * bitcoin-core/secp256k1#654: Fix typo (∞)
  * bitcoin-core/secp256k1#583: JNI: fix use sig array
  * bitcoin-core/secp256k1#644: Avoid optimizing out a verify_check
  * bitcoin-core/secp256k1#652: README.md: update instruction to run tests
  * bitcoin-core/secp256k1#651: Fix typo in secp256k1_preallocated.h
  * bitcoin-core/secp256k1#640: scalar_impl.h: fix includes
  * bitcoin-core/secp256k1#655: jni: Use only Guava for hex encoding and decoding
  * bitcoin-core/secp256k1#634: Add a descriptive comment for secp256k1_ecmult_const.
  * bitcoin-core/secp256k1#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
  * bitcoin-core/secp256k1#629: Avoid calling _is_zero when _set_b32 fails.
  * bitcoin-core/secp256k1#630: Note intention of timing sidechannel freeness.
  * bitcoin-core/secp256k1#628: Fix ability to compile tests without -DVERIFY.
  * bitcoin-core/secp256k1#627: Guard memcmp in tests against mixed size inputs.
  * bitcoin-core/secp256k1#578: Avoid implementation-defined and undefined behavior when dealing with sizes
  * bitcoin-core/secp256k1#595: Allow to use external default callbacks
  * bitcoin-core/secp256k1#600: scratch space: use single allocation
  * bitcoin-core/secp256k1#592: Use trivial algorithm in ecmult_multi if scratch space is small
  * bitcoin-core/secp256k1#566: Enable context creation in preallocated memory
  * bitcoin-core/secp256k1#596: Make WINDOW_G configurable
  * bitcoin-core/secp256k1#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
  * bitcoin-core/secp256k1#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
  * bitcoin-core/secp256k1#617: Pass scalar by reference in secp256k1_wnaf_const()
  * bitcoin-core/secp256k1#619: Clear a copied secret key after negation
  * bitcoin-core/secp256k1#612: Allow field_10x26_arm.s to compile for ARMv7 architecture

ACKs for top commit:
  real-or-random:
    ACK e10439c I verified the diff (subtree matches my local tree, manual inspection of other commits) but I didn't tested the resulting code
  fanquake:
    ACK e10439c
  Sjors:
    ACK e10439c
  jonasnick:
    reACK e10439c

Tree-SHA512: eb6284a485da78e9d2ed3f771df85560d47c770ebf480a0d4121ab356ad26be101a2b973efe412f26e6c142bc1dbd2efbb5cc08774233e41918c59fe3dff3387
@elichai elichai mentioned this pull request Nov 3, 2021
gades pushed a commit to cosanta/cosanta-core that referenced this pull request May 8, 2022
e10439c scripted-diff: rename privkey with seckey in secp256k1 interface (Pieter Wuille)
ca8bc42 Drop --disable-jni from libsecp256k1 configure options (Pieter Wuille)
ddc2419 Update MSVC build config for libsecp256k1 (Pieter Wuille)
67f232b Squashed 'src/secp256k1/' changes from b19c000..2ed54da (Pieter Wuille)

Pull request description:

  It's been abound a year since the subtree was updated.

  Here is a list of the included PRs:

  * bitcoin-core/secp256k1#755: Recovery signing: add to constant time test, and eliminate non ct operators
  * bitcoin-core/secp256k1#754: Fix uninit values passed into cmov
  * bitcoin-core/secp256k1#752: autoconf: Use ":" instead of "dnl" as a noop
  * bitcoin-core/secp256k1#750: Add macOS to the CI
  * bitcoin-core/secp256k1#701: Make ec_ arithmetic more consistent and add documentation
  * bitcoin-core/secp256k1#732: Retry if r is zero during signing
  * bitcoin-core/secp256k1#742: Fix typo in ecmult_const_impl.h
  * bitcoin-core/secp256k1#740: Make recovery/main_impl.h non-executable
  * bitcoin-core/secp256k1#735: build: fix OpenSSL EC detection on macOS
  * bitcoin-core/secp256k1#728: Suppress a harmless variable-time optimization by clang in memczero
  * bitcoin-core/secp256k1#722: Context isn't freed in the ECDH benchmark
  * bitcoin-core/secp256k1#700: Allow overriding default flags
  * bitcoin-core/secp256k1#708: Constant-time behaviour test using valgrind memtest.
  * bitcoin-core/secp256k1#710: Eliminate harmless non-constant time operations on secret data.
  * bitcoin-core/secp256k1#718: Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
  * bitcoin-core/secp256k1#714: doc: document the length requirements of output parameter.
  * bitcoin-core/secp256k1#682: Remove Java Native Interface
  * bitcoin-core/secp256k1#713: Docstrings
  * bitcoin-core/secp256k1#704: README: add a section for test coverage
  * bitcoin-core/secp256k1#709: Remove secret-dependant non-constant time operation in ecmult_const.
  * bitcoin-core/secp256k1#703: Overhaul README.md
  * bitcoin-core/secp256k1#689: Remove "except in benchmarks" exception for fp math
  * bitcoin-core/secp256k1#679: Add SECURITY.md
  * bitcoin-core/secp256k1#685: Fix issue where travis does not show the ./tests seed…
  * bitcoin-core/secp256k1#690: Add valgrind check to travis
  * bitcoin-core/secp256k1#678: Preventing compiler optimizations in benchmarks without a memory fence
  * bitcoin-core/secp256k1#688: Fix ASM setting in travis
  * bitcoin-core/secp256k1#684: Make no-float policy explicit
  * bitcoin-core/secp256k1#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
  * bitcoin-core/secp256k1#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
  * bitcoin-core/secp256k1#664: Remove mention of ec_privkey_export because it doesn't exist
  * bitcoin-core/secp256k1#337: variable sized precomputed table for signing
  * bitcoin-core/secp256k1#661: Make ./configure string consistent
  * bitcoin-core/secp256k1#657: Fix a nit in the recovery tests
  * bitcoin-core/secp256k1#650: secp256k1/src/tests.c:  Properly handle sscanf return value
  * bitcoin-core/secp256k1#654: Fix typo (∞)
  * bitcoin-core/secp256k1#583: JNI: fix use sig array
  * bitcoin-core/secp256k1#644: Avoid optimizing out a verify_check
  * bitcoin-core/secp256k1#652: README.md: update instruction to run tests
  * bitcoin-core/secp256k1#651: Fix typo in secp256k1_preallocated.h
  * bitcoin-core/secp256k1#640: scalar_impl.h: fix includes
  * bitcoin-core/secp256k1#655: jni: Use only Guava for hex encoding and decoding
  * bitcoin-core/secp256k1#634: Add a descriptive comment for secp256k1_ecmult_const.
  * bitcoin-core/secp256k1#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
  * bitcoin-core/secp256k1#629: Avoid calling _is_zero when _set_b32 fails.
  * bitcoin-core/secp256k1#630: Note intention of timing sidechannel freeness.
  * bitcoin-core/secp256k1#628: Fix ability to compile tests without -DVERIFY.
  * bitcoin-core/secp256k1#627: Guard memcmp in tests against mixed size inputs.
  * bitcoin-core/secp256k1#578: Avoid implementation-defined and undefined behavior when dealing with sizes
  * bitcoin-core/secp256k1#595: Allow to use external default callbacks
  * bitcoin-core/secp256k1#600: scratch space: use single allocation
  * bitcoin-core/secp256k1#592: Use trivial algorithm in ecmult_multi if scratch space is small
  * bitcoin-core/secp256k1#566: Enable context creation in preallocated memory
  * bitcoin-core/secp256k1#596: Make WINDOW_G configurable
  * bitcoin-core/secp256k1#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
  * bitcoin-core/secp256k1#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
  * bitcoin-core/secp256k1#617: Pass scalar by reference in secp256k1_wnaf_const()
  * bitcoin-core/secp256k1#619: Clear a copied secret key after negation
  * bitcoin-core/secp256k1#612: Allow field_10x26_arm.s to compile for ARMv7 architecture

ACKs for top commit:
  real-or-random:
    ACK e10439c I verified the diff (subtree matches my local tree, manual inspection of other commits) but I didn't tested the resulting code
  fanquake:
    ACK e10439c
  Sjors:
    ACK e10439c
  jonasnick:
    reACK e10439c

Tree-SHA512: eb6284a485da78e9d2ed3f771df85560d47c770ebf480a0d4121ab356ad26be101a2b973efe412f26e6c142bc1dbd2efbb5cc08774233e41918c59fe3dff3387
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants