7efc9835a9 Fix the false positive of `SECP_64BIT_ASM_CHECK` (Sprite)
Pull request description:
I'm trying to compile this project for RISC-V architecture, and I encountered errors:
```
src/field_5x52_asm_impl.h:28:1: error: unknown register name '%r15' in 'asm'
28 | __asm__ __volatile__(
| ^
src/field_5x52_asm_impl.h:28:1: error: unknown register name '%r14' in 'asm'
src/field_5x52_asm_impl.h:28:1: error: unknown register name '%r13' in 'asm'
src/field_5x52_asm_impl.h:28:1: error: unknown register name '%r12' in 'asm'
src/field_5x52_asm_impl.h:28:1: error: unknown register name '%r11' in 'asm'
src/field_5x52_asm_impl.h:28:1: error: unknown register name '%r10' in 'asm'
src/field_5x52_asm_impl.h:28:1: error: unknown register name '%r9' in 'asm'
src/field_5x52_asm_impl.h:28:1: error: unknown register name '%r8' in 'asm'
src/field_5x52_asm_impl.h:28:1: error: unknown register name '%rdx' in 'asm'
src/field_5x52_asm_impl.h:28:1: error: unknown register name '%rcx' in 'asm'
src/field_5x52_asm_impl.h:28:1: error: unknown register name '%rax' in 'asm'
src/field_5x52_asm_impl.h:28:1: error: output number 0 not directly addressable
src/field_5x52_asm_impl.h: In function 'secp256k1_fe_sqr':
src/field_5x52_asm_impl.h:298:1: error: unknown register name '%r15' in 'asm'
298 | __asm__ __volatile__(
| ^
src/field_5x52_asm_impl.h:298:1: error: unknown register name '%r14' in 'asm'
src/field_5x52_asm_impl.h:298:1: error: unknown register name '%r13' in 'asm'
src/field_5x52_asm_impl.h:298:1: error: unknown register name '%r12' in 'asm'
src/field_5x52_asm_impl.h:298:1: error: unknown register name '%r11' in 'asm'
src/field_5x52_asm_impl.h:298:1: error: unknown register name '%r10' in 'asm'
src/field_5x52_asm_impl.h:298:1: error: unknown register name '%r9' in 'asm'
src/field_5x52_asm_impl.h:298:1: error: unknown register name '%r8' in 'asm'
src/field_5x52_asm_impl.h:298:1: error: unknown register name '%rdx' in 'asm'
src/field_5x52_asm_impl.h:298:1: error: unknown register name '%rcx' in 'asm'
src/field_5x52_asm_impl.h:298:1: error: unknown register name '%rbx' in 'asm'
src/field_5x52_asm_impl.h:298:1: error: unknown register name '%rax' in 'asm'
src/field_5x52_asm_impl.h:298:1: error: output number 0 not directly addressable
```
After further investigation I found that for RISC-V, macro `USE_ASM_X86_64` was defined unexpectedly, and `checking for x86_64 assembly availability... yes` appeared in the compilation log file, which means `SECP_64BIT_ASM_CHECK` was not working as expected.
For unknown reasons, `AC_COMPILE_IFELSE` does not check if `__asm__` can be compiled, and an example can verify this point:
```m4
AC_DEFUN([SECP_64BIT_ASM_CHECK],[
AC_MSG_CHECKING(for x86_64 assembly availability)
AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[
#include <stdint.h>]],[[
__asm__ __volatile__("this is obviously wrong");
]])],[has_64bit_asm=yes],[has_64bit_asm=no])
AC_MSG_RESULT([$has_64bit_asm])
])
```
It always gives results: `checking for x86_64 assembly availability... yes`
After testing, replacing `AC_COMPILE_IFELSE` with `AC_LINK_IFELSE` can correctly check if `__asm__` can be compiled and make the project able to compile for RISC-V.
ACKs for top commit:
real-or-random:
ACK 7efc9835a9
Tree-SHA512: 7318dd42004b2930cfcd6541c5a9ce0aa186e2179a668b76089a908bea8d9f70fcfdb264512f971e395a3ce9dc7f9ca24c8f3d46175cad2972a2d713f518ed85
2f984ffc45 Save negations in var-time group addition (Peter Dettman)
Pull request description:
- Updated _gej_add_var, _gej_add_ge_var, _gej_add_zinv_var
- 2 fewer _fe_negate in each method
- Updated operation counts and standardize layout
- Added internal benchmark for _gej_add_zinv_var
benchmark_internal shows about 2% speedup in each method as a result (64bit).
ACKs for top commit:
real-or-random:
ACK 2f984ffc45
jonasnick:
ACK 2f984ffc45
Tree-SHA512: 01366fa23c83a8dd37c9a0a24e0acc53ce38a201607fe4da6672ea5618d82c62d1299f0e0aa50317883821539af739ea52b6561faff230c148e6fdc5bc5af30b
37d36927df tests: Add tests for _read_be32 and _write_be32 (Tim Ruffing)
616b43dd3b util: Remove endianness detection (Tim Ruffing)
8d89b9e6e5 hash: Make code agnostic of endianness (Tim Ruffing)
Pull request description:
Recent compilers compile the two new functions to very efficient code
on various platforms. In particular, already GCC >= 5 and clang >= 5
understand do this for the read function, which is the one critical
for performance (called 16 times per SHA256 transform).
Fixes#1080.
ACKs for top commit:
sipa:
utACK 37d36927df
robot-dreams:
ACK 37d36927df
Tree-SHA512: b03cec67756fb3c94ca8e7e06f974136050efd5065f392dba6eed4d0dbe61dbf93dad054627267225bac1bb302bb025f86588612ef7d4beeb834466686c70b8f
55512d30b7 doc: clean up module help text in configure.ac (Elliott Jin)
d9d94a9969 doc: mention optional modules in README (Elliott Jin)
Pull request description:
ACKs for top commit:
real-or-random:
utACK 55512d30b7
jonasnick:
ACK 55512d30b7
Tree-SHA512: ae4ec355730983117c5e9a8a8abd17aaf42afe6f8f8f7474a551df6269a62094883e0827d2f3642e3ed6eb26cf71982c20f7ac27498cb4bd7e4aea57ec308d6a
Recent compilers compile the two new functions to very efficient code
on various platforms. In particular, already GCC >= 5 and clang >= 5
understand do this for the read function, which is the one critical
for performance (called 16 times per SHA256 transform).
Fixes#1080.
7f09d0f311 README: mention that ARM assembly is experimental (Jonas Nick)
80cf4eea5f build: stop treating schnorrsig, extrakeys modules as experimental (Jonas Nick)
Pull request description:
Fixes#992
ACKs for top commit:
real-or-random:
ACK 7f09d0f311
fanquake:
ACK 7f09d0f311 - When this is in, I think we'll do a subtree update in Core, and prune some build cruft on our side.
Tree-SHA512: 13deb82dcca88bacb2cd5c1c589a8d4af2277c4d675262337ae4d7e93eb41d43825dda4945ca1c202c36aaa2e6fd42de9c6d711fe8d71bce578368281db698b2
b8f8b99f0f docs: Fix return value for functions that don't have invalid inputs (Tim Ruffing)
f813bb0df3 schnorrsig: Adapt example to new API (Tim Ruffing)
99e6568fc6 schnorrsig: Rename schnorrsig_sign to schnorsig_sign32 and deprecate (Tim Ruffing)
fc94a2da44 Use SECP256K1_DEPRECATED for existing deprecated API functions (Tim Ruffing)
3db0560606 Add SECP256K1_DEPRECATED attribute for marking API parts as deprecated (Tim Ruffing)
Pull request description:
Should be merged before #995 if we want this.
I suspect the only change here which is debatable on a conceptual level is the renaming. I can drop this of course.
ACKs for top commit:
sipa:
utACK b8f8b99f0f
jonasnick:
ACK b8f8b99f0f
Tree-SHA512: 7c5b9715013002eecbf2e649032673204f6eaffe156f20e3ddf51fab938643847d23068f11b127ef3d7fe759e42a20ecaf2ec98718d901ef9eaadbc9853c1dfe
f8d9174357 Add SHA256 bit counter tests (Tim Ruffing)
9b514ce1d2 Add test vector for very long SHA256 messages (Tim Ruffing)
8e3dde1137 Simplify struct initializer for SHA256 padding (Tim Ruffing)
eb28464a8b Change SHA256 byte counter from size_t to uint64_t (Tim Ruffing)
Pull request description:
This avoids that the SHA256 implementation would produce wrong paddings
and thus wrong digests for messages of length >= 2^32 bytes on 32-bit
platforms.
This is not exploitable in any way since the SHA256 API is an internal
API and we never call it with that long messages.
This also simplifies the struct initializer for the padding.
Since missing elements are initialized with zeros, this change is
purely syntactical.
ACKs for top commit:
sipa:
utACK f8d9174357
jonasnick:
ACK f8d9174357
Tree-SHA512: 4fba64b255ef34bb144e4ac6d796798d620d6a7a0f3be409a46b98a8aedb129be19a6816b07caa4d1a3862a01769b42ce70240690fddc6231d591e6c06252750
_tagged_sha256 simply cannot have invalid inputs.
The other functions could in some sense have invalid inputs but only in
violation of the type system. For example, a pubkey could be invalid but
invalid objects of type secp256k1_pubkey either can't be obtained
via the API or will be caught by an ARG_CHECK when calling pubkey_load.
This is consistent with similar functions in the public API, e.g.,
_ec_pubkey_negate or _ec_pubkey_serialize.
21b2ebaf74 configure: Remove redundant pkg-config code (Tim Ruffing)
Pull request description:
This removes code that detects the pkg-config tool. We used this
back in the days when we had dependencies. ;) It can always be brought
back if we'll need it in the future.
Note that we still deliver a .pc file for this library, and there is
code in Makefile.am to install it. But this does not require the
pkg-config tool; only consumers of the .pc file will need it. This can
be verified by running `make install` (maybe after `mkdir /tmp/pre` and
`./configure --prefix=/tmp/pre` and checking that the .pc file is
installed correctly.
ACKs for top commit:
theuni:
ACK 21b2ebaf74.
fanquake:
ACK 21b2ebaf74
Tree-SHA512: 07affcd0e85f59d10479f279c832b1384208bead2fd152e0d1e3d99167dba4e14dbe87b0bc9c367f0f18da3d37f1d51de064689bff329ee5b01cacfe54e5ede7
This removes code that detects the pkg-config tool. We used this
back in the days when we had dependencies. ;) It can always be brought
back if we'll need it in the future.
Note that we still deliver a .pc file for this library, and there is
code in Makefile.am to install it. But this does not require the
pkg-config tool; only consumers of the .pc file will need it. This can
be verified by running `make install` (maybe after `mkdir /tmp/pre` and
`./configure --prefix=/tmp/pre` and checking that the .pc file is
installed correctly.
0d253d52e8 configure: Use modern way to set AR (Tim Ruffing)
Pull request description:
ACKs for top commit:
jb55:
tACK 0d253d52e8
hebasto:
ACK 0d253d52e8
jonasnick:
ACK 0d253d52e8
Tree-SHA512: c85a068b0b6cd0ae59c796d4493d50b1d92394b8620dd65affb5aaac889a41aa625408062f49fbed761217ab2bc35ec10942684a84487cb81becdadf5f2ae2af
This uses AM_PROG_AR to discover ar, which is the recommended way to do
so. Among other advantages, it honors the AR environment variable (as
set from the outside). The macro has been around since automake 1.11.2
(Dec 2011).
This commit also removes code that discovers ranlib and strip. ranlib
has been obsolete for decades (ar does its task now automatically), and
anyway LT_INIT takes care of discovering it. The code we used to set
STRIP was last mentioned in the automake 1.5 manual. Since automake 1.6
(Mar 2002), strip is discovered automatically when necessary (look for
the *private* macro AM_PROG_INSTALL_STRIP in the automake manual).
The vector has been taken from https://www.di-mgt.com.au/sha_testvectors.html.
It can be independently verified using the following Python code.
```
h = hashlib.sha256()
for i in range(1_000_000):
h.update(b'a')
print(h.hexdigest())
```
This avoids that the SHA256 implementation would produce wrong paddings
and thus wrong digests for messages of length >= 2^32 bytes on 32-bit
platforms.
This is not exploitable in any way since the SHA256 API is an internal
API and we never call it with that long messages.
7c9502cece Add a copy of the CC0 license to the examples (Elichai Turkel)
42e03432e6 Add usage examples to the readme (Elichai Turkel)
517644eab1 Optionally compile the examples in autotools, compile+run in travis (Elichai Turkel)
422a7cc86a Add a ecdh shared secret example (Elichai Turkel)
b0cfbcc143 Add a Schnorr signing and verifying example (Elichai Turkel)
fee7d4bf9e Add an ECDSA signing and verifying example (Elichai Turkel)
Pull request description:
ACKs for top commit:
real-or-random:
ACK 7c9502cece
jonasnick:
ACK 7c9502cece
Tree-SHA512: c475cfd5b324b1e2d7126aa5bb1e7da25183b50adb7357d464c140de83d9097cb1bdc027d09aeadf167dbf9c8afd123235b0a1a742c5795089862418fafa1964
e848c3799c Update sage files for new formulae (Peter Dettman)
d64bb5d4f3 Add fe_half tests for worst-case inputs (Peter Dettman)
4eb8b932ff Further improve doubling formula using fe_half (Peter Dettman)
557b31fac3 Doubling formula using fe_half (Pieter Wuille)
2cbb4b1a42 Run more iterations of run_field_misc (Pieter Wuille)
9cc5c257ed Add test for secp256k1_fe_half (Pieter Wuille)
925f78d55e Add _fe_half and use in _gej_add_ge (Peter Dettman)
Pull request description:
- Trades 1 _half for 3 _mul_int and 2 _normalize_weak
Gives around 2-3% faster signing and ECDH, depending on compiler/platform.
ACKs for top commit:
sipa:
utACK e848c3799c
jonasnick:
ACK e848c3799c
real-or-random:
ACK e848c3799c
Tree-SHA512: 81a6c93b3d983f1b48ec8e8b6f262ba914215045a95415147f41ee6e85296aa4d0cbbad9f370cdf475571447baad861d2cc8e0b04a71202d48959cb8a098f584
3531a43b5b ecdh: Make generator_basepoint test depend on global iteration count (Tim Ruffing)
c881dd49bd ecdh: Add test computing shared_secret=basepoint with random inputs (Tim Ruffing)
Pull request description:
ACKs for top commit:
jonasnick:
ACK 3531a43b5b
Tree-SHA512: 5a2e47bad7ec5b3fd9033283fe00e54563b7b1655baf2b8ca39718deceddcc816bb8fcda0d07af6f1f8a785642da5dc69b7df52a1ddd445a3a98a5d5ecff6780
e51ad3b737 ci: Retry `brew update` a few times to avoid random failures (Tim Ruffing)
b1cb969e8a ci: Revert "Attempt to make macOS builds more reliable" (Tim Ruffing)
Pull request description:
ACKs for top commit:
jonasnick:
ACK e51ad3b737
Tree-SHA512: cb0b81ac8d81fe8ea58afa7382d3f922bd4eb713645c5d0b99f9de963c9906273f5d573a9272e8f6cdb16ffcca5e162c088cc2b0772278f68930f8cb726824be
d9396a56da ci: Attempt to make macOS builds more reliable (Tim Ruffing)
Pull request description:
ACKs for top commit:
jonasnick:
ACK d9396a56da
Tree-SHA512: 68df44107d74671de148e9c3e6dbc6b16bec937137d7d9771efce10f5d66459559b372346d05ecc23237b2e3af9479156f733219717cb93f5204f9ea5b2636a9
