Merge remote-tracking branch 'origin/master' into na-bump-rand

Author: niklasad1

.gitlab-ci.yml

@@ -0,0 +1,78 @@
+# .gitlab-ci.yml
+# rust-secp256k1
+
+
+stages:
+  - test
+  - build
+
+
+
+image:                             parity/rust-builder:latest
+
+variables:
+  GIT_STRATEGY:                    fetch
+  CARGO_HOME:                      "/ci-cache/${CI_PROJECT_NAME}/cargo/${CI_JOB_NAME}"
+  SCCACHE_DIR:                     "/ci-cache/${CI_PROJECT_NAME}/sccache"
+  CI_SERVER_NAME:                  "GitLab CI"
+  DOCKER_OS:                       "debian:stretch"
+  ARCH:                            "x86_64"
+
+
+
+.docker-env:                       &docker-env
+  tags:
+    - linux-docker
+
+.compiler_info:                    &compiler_info
+  before_script:
+    - rustup show
+    - cargo --version
+    - sccache -s
+
+.build-refs:                       &build-refs
+  only:
+    - master
+    - schedules
+    - web
+    - /^v[0-9]+\.[0-9]+.*$/        # i.e. v1.0, v2.1rc1
+
+.test-refs:                        &test-refs
+  only:
+    - master
+    - schedules
+    - web
+    - /^v[0-9]+\.[0-9]+.*$/        # i.e. v1.0, v2.1rc1
+    - /^[0-9]+$/
+
+
+
+
+
+test-linux-stable:                 &test
+  stage:                           test
+  <<:                              *test-refs
+  <<:                              *docker-env
+  <<:                              *compiler_info
+  variables:
+    RUST_TOOLCHAIN: stable
+    RUSTFLAGS: -Cdebug-assertions=y
+    TARGET: native
+  script:
+    - time cargo test --all --release --verbose
+    - sccache -s
+
+
+
+
+build-linux-release:               &build
+  stage:                           build
+  <<:                              *build-refs
+  <<:                              *docker-env
+  <<:                              *compiler_info
+  script:
+    - time cargo build --release --verbose
+    - sccache -s
+
+
+

Cargo.toml

@@ -31,4 +31,5 @@ clippy = {version = "0.0", optional = true}
 rand = "0.7"
 
 [dev-dependencies]
-hex = "0.3.1"
+hex-literal = "0.2"
+rand_core = "0.4.2"

build.rs

@@ -79,30 +79,62 @@ fn setup_android(config: &mut cc::Build) {
 }
 
 fn main() {
+	// Check whether we can use 64-bit compilation
+	let use_64bit_compilation = if env::var("CARGO_CFG_TARGET_POINTER_WIDTH").unwrap() == "64" {
+		let check = cc::Build::new().file("depend/check_uint128_t.c")
+			.cargo_metadata(false)
+			.try_compile("check_uint128_t")
+			.is_ok();
+		if !check {
+			println!("cargo:warning=Compiling in 32-bit mode on a 64-bit architecture due to lack of uint128_t support.");
+		}
+		check
+	} else {
+		false
+	};
+
 	let mut base_config = cc::Build::new();
 	base_config.include("depend/secp256k1/")
 		.include("depend/secp256k1/include")
-		.include("depend/secp256k1/src");
-
-	let target = env::var("TARGET").expect("TARGET env variable is set by cargo; qed");
-	if target.contains("android") {
-		setup_android(&mut base_config);
-	}
-
-	base_config.flag("-g")
+		.include("depend/secp256k1/src")
+		.debug(true)
+		.flag_if_supported("-Wno-unused-function") // some ecmult stuff is defined but not used upstream
+		.define("SECP256K1_BUILD", Some("1"))
+		// Allowed values are 2..24, there is a tradeoff between
+		// memory and cpu time (tuned for best ratio)
+		.define("ECMULT_WINDOW_SIZE", Some("8"))
+		// Allowed values are: 2, 4, and 8 (tuned for best perf)
+		.define("ECMULT_GEN_PREC_BITS", Some("4"))
 		// TODO these three should be changed to use libgmp, at least until secp PR 290 is merged
 		.define("USE_NUM_NONE", Some("1"))
 		.define("USE_FIELD_INV_BUILTIN", Some("1"))
 		.define("USE_SCALAR_INV_BUILTIN", Some("1"))
-		// TODO these should use 64-bit variants on 64-bit systems
-		.define("USE_FIELD_10X26", Some("1"))
-		.define("USE_SCALAR_8X32", Some("1"))
 		.define("USE_ENDOMORPHISM", Some("1"))
-		// These all are OK.
 		.define("ENABLE_MODULE_ECDH", Some("1"))
-		.define("ENABLE_MODULE_SCHNORR", Some("1"))
+		// SCHNORR support was removed in the upstream
+		// .define("ENABLE_MODULE_SCHNORR", Some("1"))
 		.define("ENABLE_MODULE_RECOVERY", Some("1"));
 
+	let target = env::var("TARGET").expect("TARGET env variable is set by cargo; qed");
+	if target.contains("android") {
+		setup_android(&mut base_config);
+	}
+
+	if let Ok(target_endian) = env::var("CARGO_CFG_TARGET_ENDIAN") {
+		if target_endian == "big" {
+			base_config.define("WORDS_BIGENDIAN", Some("1"));
+		}
+	}
+
+	if use_64bit_compilation {
+		base_config.define("USE_FIELD_5X52", Some("1"))
+			.define("USE_SCALAR_4X64", Some("1"))
+			.define("HAVE___INT128", Some("1"));
+	} else {
+		base_config.define("USE_FIELD_10X26", Some("1"))
+			.define("USE_SCALAR_8X32", Some("1"));
+	}
+
 	// secp256k1
 	base_config.file("depend/secp256k1/contrib/lax_der_parsing.c")
 		.file("depend/secp256k1/src/ext.c")

depend/check_uint128_t.c

@@ -0,0 +1,14 @@
+#include <stdint.h>
+
+int main(void) {
+    __uint128_t var_128;
+    uint64_t var_64;
+
+    /* Try to shut up "unused variable" warnings */
+    var_64 = 100;
+    var_128 = 100;
+    if (var_64 == var_128) {
+        var_64 = 20;
+    }
+    return 0;
+}

depend/secp256k1/Makefile.am

@@ -8,6 +8,7 @@ else
 JNI_LIB =
 endif
 include_HEADERS = include/secp256k1.h
+include_HEADERS += include/secp256k1_preallocated.h
 noinst_HEADERS =
 noinst_HEADERS += src/scalar.h
 noinst_HEADERS += src/scalar_4x64.h
@@ -42,6 +43,8 @@ noinst_HEADERS += src/field_5x52_asm_impl.h
 noinst_HEADERS += src/java/org_bitcoin_NativeSecp256k1.h
 noinst_HEADERS += src/java/org_bitcoin_Secp256k1Context.h
 noinst_HEADERS += src/util.h
+noinst_HEADERS += src/scratch.h
+noinst_HEADERS += src/scratch_impl.h
 noinst_HEADERS += src/testrand.h
 noinst_HEADERS += src/testrand_impl.h
 noinst_HEADERS += src/hash.h
@@ -79,14 +82,17 @@ libsecp256k1_jni_la_CPPFLAGS = -DSECP256K1_BUILD $(JNI_INCLUDES)
 
 noinst_PROGRAMS =
 if USE_BENCHMARK
-noinst_PROGRAMS += bench_verify bench_sign bench_internal
+noinst_PROGRAMS += bench_verify bench_sign bench_internal bench_ecmult
 bench_verify_SOURCES = src/bench_verify.c
 bench_verify_LDADD = libsecp256k1.la $(SECP_LIBS) $(SECP_TEST_LIBS) $(COMMON_LIB)
 bench_sign_SOURCES = src/bench_sign.c
 bench_sign_LDADD = libsecp256k1.la $(SECP_LIBS) $(SECP_TEST_LIBS) $(COMMON_LIB)
 bench_internal_SOURCES = src/bench_internal.c
 bench_internal_LDADD = $(SECP_LIBS) $(COMMON_LIB)
 bench_internal_CPPFLAGS = -DSECP256K1_BUILD $(SECP_INCLUDES)
+bench_ecmult_SOURCES = src/bench_ecmult.c
+bench_ecmult_LDADD = $(SECP_LIBS) $(COMMON_LIB)
+bench_ecmult_CPPFLAGS = -DSECP256K1_BUILD $(SECP_INCLUDES)
 endif
 
 TESTS =
@@ -109,7 +115,7 @@ exhaustive_tests_CPPFLAGS = -DSECP256K1_BUILD -I$(top_srcdir)/src $(SECP_INCLUDE
 if !ENABLE_COVERAGE
 exhaustive_tests_CPPFLAGS += -DVERIFY
 endif
-exhaustive_tests_LDADD = $(SECP_LIBS)
+exhaustive_tests_LDADD = $(SECP_LIBS) $(COMMON_LIB)
 exhaustive_tests_LDFLAGS = -static
 TESTS += exhaustive_tests
 endif
@@ -145,20 +151,20 @@ endif
 endif
 
 if USE_ECMULT_STATIC_PRECOMPUTATION
-CPPFLAGS_FOR_BUILD +=-I$(top_srcdir)
-CFLAGS_FOR_BUILD += -Wall -Wextra -Wno-unused-function
+CPPFLAGS_FOR_BUILD +=-I$(top_srcdir) -I$(builddir)/src
 
 gen_context_OBJECTS = gen_context.o
 gen_context_BIN = gen_context$(BUILD_EXEEXT)
-gen_%.o: src/gen_%.c
+gen_%.o: src/gen_%.c src/libsecp256k1-config.h
 	$(CC_FOR_BUILD) $(CPPFLAGS_FOR_BUILD) $(CFLAGS_FOR_BUILD) -c $< -o $@
 
 $(gen_context_BIN): $(gen_context_OBJECTS)
-	$(CC_FOR_BUILD) $^ -o $@
+	$(CC_FOR_BUILD) $(CFLAGS_FOR_BUILD) $(LDFLAGS_FOR_BUILD) $^ -o $@
 
 $(libsecp256k1_la_OBJECTS): src/ecmult_static_context.h
 $(tests_OBJECTS): src/ecmult_static_context.h
 $(bench_internal_OBJECTS): src/ecmult_static_context.h
+$(bench_ecmult_OBJECTS): src/ecmult_static_context.h
 
 src/ecmult_static_context.h: $(gen_context_BIN)
 	./$(gen_context_BIN)
@@ -172,10 +178,6 @@ if ENABLE_MODULE_ECDH
 include src/modules/ecdh/Makefile.am.include
 endif
 
-if ENABLE_MODULE_SCHNORR
-include src/modules/schnorr/Makefile.am.include
-endif
-
 if ENABLE_MODULE_RECOVERY
 include src/modules/recovery/Makefile.am.include
 endif

depend/secp256k1/README.md

@@ -45,8 +45,10 @@ Implementation details
   * Optionally (off by default) use secp256k1's efficiently-computable endomorphism to split the P multiplicand into 2 half-sized ones.
 * Point multiplication for signing
   * Use a precomputed table of multiples of powers of 16 multiplied with the generator, so general multiplication becomes a series of additions.
-  * Access the table with branch-free conditional moves so memory access is uniform.
-  * No data-dependent branches
+  * Intended to be completely free of timing sidechannels for secret-key operations (on reasonable hardware/toolchains)
+    * Access the table with branch-free conditional moves so memory access is uniform.
+    * No data-dependent branches
+  * Optional runtime blinding which attempts to frustrate differential power analysis.
   * The precomputed tables add and eventually subtract points for which no known scalar (private key) is known, preventing even an attacker with control over the private key used to control the data internally.
 
 Build steps
@@ -57,5 +59,14 @@ libsecp256k1 is built using autotools:
     $ ./autogen.sh
     $ ./configure
     $ make
-    $ ./tests
+    $ make check
     $ sudo make install  # optional
+
+Exhaustive tests
+-----------
+
+    $ ./exhaustive_tests
+
+With valgrind, you might need to increase the max stack size:
+
+    $ valgrind --max-stackframe=2500000 ./exhaustive_tests

depend/secp256k1/build-aux/m4/ax_jni_include_dir.m4

@@ -1,5 +1,5 @@
 # ===========================================================================
-#    http://www.gnu.org/software/autoconf-archive/ax_jni_include_dir.html
+#    https://www.gnu.org/software/autoconf-archive/ax_jni_include_dir.html
 # ===========================================================================
 #
 # SYNOPSIS
@@ -44,7 +44,7 @@
 #   and this notice are preserved. This file is offered as-is, without any
 #   warranty.
 
-#serial 10
+#serial 14
 
 AU_ALIAS([AC_JNI_INCLUDE_DIR], [AX_JNI_INCLUDE_DIR])
 AC_DEFUN([AX_JNI_INCLUDE_DIR],[
@@ -66,40 +66,45 @@ else
 fi
 
 case "$host_os" in
-        darwin*)        _JTOPDIR=`echo "$_JTOPDIR" | sed -e 's:/[[^/]]*$::'`
-                        _JINC="$_JTOPDIR/Headers";;
-        *)              _JINC="$_JTOPDIR/include";;
+        darwin*)        # Apple Java headers are inside the Xcode bundle.
+            macos_version=$(sw_vers -productVersion | sed -n -e 's/^@<:@0-9@:>@*.\(@<:@0-9@:>@*\).@<:@0-9@:>@*/\1/p')
+            if @<:@ "$macos_version" -gt "7" @:>@; then
+                _JTOPDIR="$(xcrun --show-sdk-path)/System/Library/Frameworks/JavaVM.framework"
+                _JINC="$_JTOPDIR/Headers"
+            else
+                _JTOPDIR="/System/Library/Frameworks/JavaVM.framework"
+                _JINC="$_JTOPDIR/Headers"
+            fi
+            ;;
+        *) _JINC="$_JTOPDIR/include";;
 esac
 _AS_ECHO_LOG([_JTOPDIR=$_JTOPDIR])
 _AS_ECHO_LOG([_JINC=$_JINC])
 
 # On Mac OS X 10.6.4, jni.h is a symlink:
 # /System/Library/Frameworks/JavaVM.framework/Versions/Current/Headers/jni.h
 # -> ../../CurrentJDK/Headers/jni.h.
-
 AC_CACHE_CHECK(jni headers, ac_cv_jni_header_path,
 [
-if test -f "$_JINC/jni.h"; then
-  ac_cv_jni_header_path="$_JINC"
-  JNI_INCLUDE_DIRS="$JNI_INCLUDE_DIRS $ac_cv_jni_header_path"
-else
-  _JTOPDIR=`echo "$_JTOPDIR" | sed -e 's:/[[^/]]*$::'`
-  if test -f "$_JTOPDIR/include/jni.h"; then
-    ac_cv_jni_header_path="$_JTOPDIR/include"
+  if test -f "$_JINC/jni.h"; then
+    ac_cv_jni_header_path="$_JINC"
     JNI_INCLUDE_DIRS="$JNI_INCLUDE_DIRS $ac_cv_jni_header_path"
   else
-    ac_cv_jni_header_path=none
+    _JTOPDIR=`echo "$_JTOPDIR" | sed -e 's:/[[^/]]*$::'`
+    if test -f "$_JTOPDIR/include/jni.h"; then
+      ac_cv_jni_header_path="$_JTOPDIR/include"
+      JNI_INCLUDE_DIRS="$JNI_INCLUDE_DIRS $ac_cv_jni_header_path"
+    else
+      ac_cv_jni_header_path=none
+    fi
   fi
-fi
 ])
 
-
-
 # get the likely subdirectories for system specific java includes
 case "$host_os" in
 bsdi*)          _JNI_INC_SUBDIRS="bsdos";;
-darwin*)        _JNI_INC_SUBDIRS="darwin";;
 freebsd*)       _JNI_INC_SUBDIRS="freebsd";;
+darwin*)        _JNI_INC_SUBDIRS="darwin";;
 linux*)         _JNI_INC_SUBDIRS="linux genunix";;
 osf*)           _JNI_INC_SUBDIRS="alpha";;
 solaris*)       _JNI_INC_SUBDIRS="solaris";;
@@ -112,9 +117,9 @@ if test "x$ac_cv_jni_header_path" != "xnone"; then
   # add any subdirectories that are present
   for JINCSUBDIR in $_JNI_INC_SUBDIRS
   do
-      if test -d "$_JTOPDIR/include/$JINCSUBDIR"; then
-           JNI_INCLUDE_DIRS="$JNI_INCLUDE_DIRS $_JTOPDIR/include/$JINCSUBDIR"
-      fi
+    if test -d "$_JTOPDIR/include/$JINCSUBDIR"; then
+         JNI_INCLUDE_DIRS="$JNI_INCLUDE_DIRS $_JTOPDIR/include/$JINCSUBDIR"
+    fi
   done
 fi
 ])

depend/secp256k1/build-aux/m4/bitcoin_secp.m4

@@ -48,7 +48,6 @@ if test x"$has_libcrypto" = x"yes" && test x"$has_openssl_ec" = x; then
     EC_KEY_free(eckey);
     ECDSA_SIG *sig_openssl;
     sig_openssl = ECDSA_SIG_new();
-    (void)sig_openssl->r;
     ECDSA_SIG_free(sig_openssl);
   ]])],[has_openssl_ec=yes],[has_openssl_ec=no])
   AC_MSG_RESULT([$has_openssl_ec])