Squashed 'src/secp256k1/' changes from be8d9c2..0559fc6

0559fc6 Merge bitcoin-core/secp256k1#988: Make signing table fully static
7dfcece build: Remove #undef hack for ASM in the precomputation programs
bb36fe9 ci: Test `make precomp`
d94a37a build: Remove CC_FOR_BUILD stuff
ad63bb4 build: Prebuild and distribute ecmult_gen table
ac49361 prealloc: Get rid of manual memory management for prealloc contexts
6573c08 ecmult_gen: Tidy precomputed file and save space
5eba83f ecmult_gen: Precompute tables for all values of ECMULT_GEN_PREC_BITS
5d0dbef Merge bitcoin-core/secp256k1#942: Verify that secp256k1_ge_set_gej_zinv does not operate on infinity.
486205a Merge bitcoin-core/secp256k1#920: Test all ecmult functions with many j*2^i combinations
fdb33dd refactor: Make PREC_BITS a parameter of ecmult_gen_build_prec_table
5eb519e ci: reduce TEST_ITERS in memcheck run
e2cf773 Test ecmult functions for all i*2^j for j=0..255 and odd i=1..255.
61ae37c Merge bitcoin-core/secp256k1#1022: build: Windows DLL additions
4f01840 Merge bitcoin-core/secp256k1#1027: build: Add a check that Valgrind actually supports a host platform
6ad908a Merge bitcoin-core/secp256k1#1008: bench.c: add `--help` option and ci: move env variables
592661c ci: move test environment variable declaration to .cirrus.yml
dcbe84b bench: add --help option to bench.
099bad9 Comment and check a parameter for inf in secp256k1_ecmult_const.
6c0be85 Verify that secp256k1_ge_set_gej_zinv does not operate on infinity. a->x and a->y should not be used if the infinity flag is set.
4900227 Merge bitcoin-core/secp256k1#1025: build: replace backtick command substitution with $()
7c7ce87 build: Add a check that Valgrind actually supports a host platform
a4875e3 refactor: Move default callbacks to util.h
4c94c55 doc: Remove obsolete hint for valgrind stack size
5106226 exhaustive_tests: Fix with ecmult_gen table with custom generator
e1a7653 refactor: Make generator a parameter of ecmult_gen_create_prec_table
9ad09f6 refactor: Rename program that generates static ecmult_gen table
8ae18f1 refactor: Rename file that contains static ecmult_gen table
00d2fa1 ecmult_gen: Make code consistent with comment
3b0c218 ecmult_gen: Simplify ecmult_gen context after making table static
2b7c749 build: replace backtick command substitution with $()
49f608d Merge bitcoin-core/secp256k1#1004: ecmult: fix definition of STRAUSS_SCRATCH_OBJECTS
c0cd7de build: add -no-undefined to libtool LDFLAGS
fe32a79 build: pass win32-dll to LT_INIT
60bf889 ecmult: fix definition of STRAUSS_SCRATCH_OBJECTS
fecf436 Merge bitcoin-core/secp256k1#1019: build: don't append valgrind CPPFLAGS if not installed (macOS)
2e5e4b6 Merge bitcoin-core/secp256k1#1020: doc: remove use of <0xa0> "no break space"
812ff5c doc: remove use of 0xa0 "no break space"
214042a build: don't append valgrind CPPFLAGS if not installed
e43ba02 refactor: Decouple table generation and ecmult_gen context
22dc2c0 ecmult_gen: Move table creation to new file and force static prec
793ad90 Merge bitcoin-core/secp256k1#1010: doc: Minor fixes in safegcd_implementation.md
dc9b685 doc: Minor fixes in safegcd_implementation.md
ea5e8a9 Merge bitcoin-core/secp256k1#1012: Fix typos
2332975 Fix typos
7006f1b Merge bitcoin-core/secp256k1#1011: ci: Enable -g if we set CFLAGS manually
72de135 ci: Enable -g if we set CFLAGS manually
74c34e7 Merge bitcoin-core/secp256k1#1009: refactor: Use (int)&(int) in boolean context to avoid compiler warning
16d1322 refactor: Use (int)&(int) in boolean context to avoid compiler warning
c74a7b7 Merge bitcoin-core/secp256k1#1007: doc: Replace apoelstra's GPG key by jonasnick's GPG key
3b157c4 doc: Suggest keys.openpgp.org as keyserver in SECURITY.md
73a7472 doc: Replace apoelstra's GPG key by jonasnick's GPG key
515a5db Merge bitcoin-core/secp256k1#991: Merge all "external" benchmarks into a single bench binary
af6abcb Make bench support selecting which benchmarks to run
9f56bdf Merge bench_schnorrsig into bench
3208557 Merge bench_recover into bench
855e18d Merge bench_ecdh into bench
2a7be67 Combine bench_sign and bench_verify into single bench
8fa4120 Merge bitcoin-core/secp256k1#1002: Make aux_rnd32==NULL behave identical to 0x0000..00.
5324f89 Make aux_rnd32==NULL behave identical to 0x0000..00.
21c188b Merge bitcoin-core/secp256k1#943: VERIFY_CHECK precondition for secp256k1_fe_set_int.
3e7b2ea Merge bitcoin-core/secp256k1#999: bench_ecmult: improve clarity of output
23e2f66 bench: don't return 1 in have_flag() if argc = 1
96b1ad2 bench_ecmult: improve clarity of output
20d791e Merge bitcoin-core/secp256k1#989: Shared benchmark format for command line and CSV outputs
aa1b889 Merge bitcoin-core/secp256k1#996: Fix G.y parity in sage code
044d956 Fix G.y parity in sage code
b4b1306 create csv file from the benchmark output
26a255b Shared benchmark format for command line and CSV outputs
9526874 Merge bitcoin-core/secp256k1#810: Avoid overly-wide multiplications in 5x52 field mul/sqr
920a0e5 Merge bitcoin-core/secp256k1#952: Avoid computing out-of-bounds pointer.
f34b5ca Merge bitcoin-core/secp256k1#983: [RFC] Remove OpenSSL testing support
297ce82 Merge bitcoin-core/secp256k1#966: Make aux_rand32 arg to secp256k1_schnorrsig_sign const
2888640 VERIFY_CHECK precondition for secp256k1_fe_set_int.
d49011f Make _set_fe_int( . , 0 ) set magnitude to 0
bc08599 Remove OpenSSL testing support
10f9bd8 Merge bitcoin-core/secp256k1#987: Fix unused parameter warnings when building without VERIFY
189f6bc Fix unused parameter warnings when building without VERIFY
da0092b Merge bitcoin-core/secp256k1#986: tests: remove `secp256k1_fe_verify` from tests.c and modify `_fe_from_storage` to call `_fe_verify`
d439937 tests: remove `secp256k1_fe_verify` from tests.c and modify `secp256k1_fe_from_storage` to call `secp256k1_fe_verify`
2a3a97c Merge bitcoin-core/secp256k1#976: `secp256k1_schnorrsig_sign_internal` should be static
aa5d34a Merge bitcoin-core/secp256k1#783: Make the public API docs more consistent and explicit
7271387 Add missing static to secp256k1_schnorrsig_sign_internal
db4667d Make aux_rand32 arg to secp256k1_schnorrsig_sign const
9a5a87e Merge bitcoin-core/secp256k1#956: Replace ecmult_context with a generated static array.
20abd52 Add tests for pre_g tables.
6815761 Remove ecmult_context.
f20dcbb Correct typo.
16a3cc0 Generate ecmult_static_pre_g.h
8de2d86 Bump memory limits in advance of making the ecmult context static.
d7ec49a Merge bitcoin-core/secp256k1#969: ci: Fixes after Debian release
5d5c74a tests: Rewrite code to circument potential bug in clang
3d2f492 ci: Install libasan6 (instead of 5) after Debian upgrade
adec5a1 Add missing null check for ctx and input keys in the public API
f4edfc7 Improve consistency for NULL arguments in the public interface
9be7b0f Avoid computing out-of-bounds pointer.
b53e0cd Avoid overly-wide multiplications

git-subtree-dir: src/secp256k1
git-subtree-split: 0559fc6

.cirrus.yml

@@ -19,9 +19,9 @@ env:
   RECOVERY: no
   SCHNORRSIG: no
   ### test options
-  TEST_ITERS:
+  SECP256K1_TEST_ITERS:
   BENCH: yes
-  BENCH_ITERS: 2
+  SECP256K1_BENCH_ITERS: 2
   CTIMETEST: yes
 
 cat_logs_snippet: &CAT_LOGS
@@ -171,7 +171,7 @@ task:
     memory: 1G
   env:
     WRAPPER_CMD: qemu-s390x
-    TEST_ITERS: 16
+    SECP256K1_TEST_ITERS: 16
     HOST: s390x-linux-gnu
     WITH_VALGRIND: no
     ECDH: yes
@@ -194,7 +194,7 @@ task:
     memory: 1G
   env:
     WRAPPER_CMD: qemu-arm
-    TEST_ITERS: 16
+    SECP256K1_TEST_ITERS: 16
     HOST: arm-linux-gnueabihf
     WITH_VALGRIND: no
     ECDH: yes
@@ -218,7 +218,7 @@ task:
     memory: 1G
   env:
     WRAPPER_CMD: qemu-aarch64
-    TEST_ITERS: 16
+    SECP256K1_TEST_ITERS: 16
     HOST: aarch64-linux-gnu
     WITH_VALGRIND: no
     ECDH: yes
@@ -239,7 +239,7 @@ task:
     memory: 1G
   env:
     WRAPPER_CMD: qemu-ppc64le
-    TEST_ITERS: 16
+    SECP256K1_TEST_ITERS: 16
     HOST: powerpc64le-linux-gnu
     WITH_VALGRIND: no
     ECDH: yes
@@ -260,7 +260,7 @@ task:
     memory: 1G
   env:
     WRAPPER_CMD: wine64-stable
-    TEST_ITERS: 16
+    SECP256K1_TEST_ITERS: 16
     HOST: x86_64-w64-mingw32
     WITH_VALGRIND: no
     ECDH: yes
@@ -278,28 +278,26 @@ task:
   container:
     dockerfile: ci/linux-debian.Dockerfile
     cpu: 1
-    memory: 1G
+    memory: 2G
   env:
     ECDH: yes
     RECOVERY: yes
     EXPERIMENTAL: yes
     SCHNORRSIG: yes
     CTIMETEST: no
-    EXTRAFLAGS: "--disable-openssl-tests"
   matrix:
     - name: "Valgrind (memcheck)"
       env:
         # The `--error-exitcode` is required to make the test fail if valgrind found errors, otherwise it'll return 0 (https://www.valgrind.org/docs/manual/manual-core.html)
         WRAPPER_CMD: "valgrind --error-exitcode=42"
-        TEST_ITERS: 16
+        SECP256K1_TEST_ITERS: 2
     - name: "UBSan, ASan, LSan"
       env:
-        CFLAGS: "-fsanitize=undefined,address"
-        CFLAGS_FOR_BUILD: "-fsanitize=undefined,address"
+        CFLAGS: "-fsanitize=undefined,address -g"
         UBSAN_OPTIONS: "print_stacktrace=1:halt_on_error=1"
         ASAN_OPTIONS: "strict_string_checks=1:detect_stack_use_after_return=1:detect_leaks=1"
         LSAN_OPTIONS: "use_unaligned=1"
-        TEST_ITERS: 32
+        SECP256K1_TEST_ITERS: 32
   # Try to cover many configurations with just a tiny matrix.
   matrix:
     - env:
@@ -330,7 +328,7 @@ task:
     # ./configure correctly errors out when given CC=g++.
     # We hack around this by passing CC=g++ only to make.
     CC: gcc
-    MAKEFLAGS: -j2 CC=g++ CFLAGS=-fpermissive
+    MAKEFLAGS: -j2 CC=g++ CFLAGS=-fpermissive\ -g
     WERROR_CFLAGS:
     EXPERIMENTAL: yes
     ECDH: yes

.gitattributes

@@ -0,0 +1,2 @@
+src/ecmult_static_pre_g.h linguist-generated
+src/ecmult_gen_static_prec_table.h linguist-generated

.gitignore

@@ -1,18 +1,15 @@
-bench_inv
-bench_ecdh
+bench
 bench_ecmult
-bench_schnorrsig
-bench_sign
-bench_verify
-bench_recover
 bench_internal
 tests
 exhaustive_tests
-gen_context
+gen_ecmult_gen_static_prec_table
+gen_ecmult_static_pre_g
 valgrind_ctime_test
 *.exe
 *.so
 *.a
+*.csv
 !.gitignore
 
 Makefile
@@ -44,7 +41,6 @@ coverage.*.html
 
 src/libsecp256k1-config.h
 src/libsecp256k1-config.h.in
-src/ecmult_static_context.h
 build-aux/config.guess
 build-aux/config.sub
 build-aux/depcomp

Makefile.am

@@ -1,3 +1,5 @@
+.PHONY: clean-precomp precomp
+
 ACLOCAL_AMFLAGS = -I build-aux/m4
 
 # AM_CFLAGS will be automatically prepended to CFLAGS by Automake when compiling some foo
@@ -28,6 +30,8 @@ noinst_HEADERS += src/ecmult_const.h
 noinst_HEADERS += src/ecmult_const_impl.h
 noinst_HEADERS += src/ecmult_gen.h
 noinst_HEADERS += src/ecmult_gen_impl.h
+noinst_HEADERS += src/ecmult_gen_prec.h
+noinst_HEADERS += src/ecmult_gen_prec_impl.h
 noinst_HEADERS += src/field_10x26.h
 noinst_HEADERS += src/field_10x26_impl.h
 noinst_HEADERS += src/field_5x52.h
@@ -50,6 +54,7 @@ noinst_HEADERS += src/hash_impl.h
 noinst_HEADERS += src/field.h
 noinst_HEADERS += src/field_impl.h
 noinst_HEADERS += src/bench.h
+noinst_HEADERS += src/basic-config.h
 noinst_HEADERS += contrib/lax_der_parsing.h
 noinst_HEADERS += contrib/lax_der_parsing.c
 noinst_HEADERS += contrib/lax_der_privatekey_parsing.h
@@ -74,20 +79,17 @@ endif
 libsecp256k1_la_SOURCES = src/secp256k1.c
 libsecp256k1_la_CPPFLAGS = -I$(top_srcdir)/include -I$(top_srcdir)/src $(SECP_INCLUDES)
 libsecp256k1_la_LIBADD = $(SECP_LIBS) $(COMMON_LIB)
+libsecp256k1_la_LDFLAGS = -no-undefined
 
 if VALGRIND_ENABLED
 libsecp256k1_la_CPPFLAGS += -DVALGRIND
 endif
 
 noinst_PROGRAMS =
 if USE_BENCHMARK
-noinst_PROGRAMS += bench_verify bench_sign bench_internal bench_ecmult
-bench_verify_SOURCES = src/bench_verify.c
-bench_verify_LDADD = libsecp256k1.la $(SECP_LIBS) $(SECP_TEST_LIBS) $(COMMON_LIB)
-# SECP_TEST_INCLUDES are only used here for CRYPTO_CPPFLAGS
-bench_verify_CPPFLAGS = $(SECP_TEST_INCLUDES)
-bench_sign_SOURCES = src/bench_sign.c
-bench_sign_LDADD = libsecp256k1.la $(SECP_LIBS) $(SECP_TEST_LIBS) $(COMMON_LIB)
+noinst_PROGRAMS += bench bench_internal bench_ecmult
+bench_SOURCES = src/bench.c
+bench_LDADD = libsecp256k1.la $(SECP_LIBS) $(SECP_TEST_LIBS) $(COMMON_LIB)
 bench_internal_SOURCES = src/bench_internal.c
 bench_internal_LDADD = $(SECP_LIBS) $(COMMON_LIB)
 bench_internal_CPPFLAGS = $(SECP_INCLUDES)
@@ -118,7 +120,7 @@ endif
 if USE_EXHAUSTIVE_TESTS
 noinst_PROGRAMS += exhaustive_tests
 exhaustive_tests_SOURCES = src/tests_exhaustive.c
-exhaustive_tests_CPPFLAGS = -I$(top_srcdir)/src $(SECP_INCLUDES)
+exhaustive_tests_CPPFLAGS = $(SECP_INCLUDES)
 if !ENABLE_COVERAGE
 exhaustive_tests_CPPFLAGS += -DVERIFY
 endif
@@ -127,29 +129,45 @@ exhaustive_tests_LDFLAGS = -static
 TESTS += exhaustive_tests
 endif
 
-if USE_ECMULT_STATIC_PRECOMPUTATION
-CPPFLAGS_FOR_BUILD +=-I$(top_srcdir) -I$(builddir)/src
-
-gen_context_OBJECTS = gen_context.o
-gen_context_BIN = gen_context$(BUILD_EXEEXT)
-gen_%.o: src/gen_%.c src/libsecp256k1-config.h
-	$(CC_FOR_BUILD) $(DEFS) $(CPPFLAGS_FOR_BUILD) $(SECP_CFLAGS_FOR_BUILD) $(CFLAGS_FOR_BUILD) -c $< -o $@
-
-$(gen_context_BIN): $(gen_context_OBJECTS)
-	$(CC_FOR_BUILD) $(SECP_CFLAGS_FOR_BUILD) $(CFLAGS_FOR_BUILD) $(LDFLAGS_FOR_BUILD) $^ -o $@
-
-$(libsecp256k1_la_OBJECTS): src/ecmult_static_context.h
-$(tests_OBJECTS): src/ecmult_static_context.h
-$(bench_internal_OBJECTS): src/ecmult_static_context.h
-$(bench_ecmult_OBJECTS): src/ecmult_static_context.h
-
-src/ecmult_static_context.h: $(gen_context_BIN)
-	./$(gen_context_BIN)
-
-CLEANFILES = $(gen_context_BIN) src/ecmult_static_context.h
-endif
-
-EXTRA_DIST = autogen.sh src/gen_context.c src/basic-config.h
+### Precomputed tables
+EXTRA_PROGRAMS = gen_ecmult_static_pre_g gen_ecmult_gen_static_prec_table
+CLEANFILES = $(EXTRA_PROGRAMS)
+
+gen_ecmult_static_pre_g_SOURCES = src/gen_ecmult_static_pre_g.c
+gen_ecmult_static_pre_g_CPPFLAGS = $(SECP_INCLUDES)
+gen_ecmult_static_pre_g_LDADD = $(SECP_LIBS) $(COMMON_LIB)
+
+gen_ecmult_gen_static_prec_table_SOURCES = src/gen_ecmult_gen_static_prec_table.c
+gen_ecmult_gen_static_prec_table_CPPFLAGS = $(SECP_INCLUDES)
+gen_ecmult_gen_static_prec_table_LDADD = $(SECP_LIBS) $(COMMON_LIB)
+
+# See Automake manual, Section "Errors with distclean".
+# We don't list any dependencies for the prebuilt files here because
+# otherwise make's decision whether to rebuild them (even in the first
+# build by a normal user) depends on mtimes, and thus is very fragile.
+# This means that rebuilds of the prebuilt files always need to be
+# forced by deleting them, e.g., by invoking `make clean-precomp`.
+src/ecmult_static_pre_g.h:
+	$(MAKE) $(AM_MAKEFLAGS) gen_ecmult_static_pre_g$(EXEEXT)
+	./gen_ecmult_static_pre_g$(EXEEXT)
+src/ecmult_gen_static_prec_table.h:
+	$(MAKE) $(AM_MAKEFLAGS) gen_ecmult_gen_static_prec_table$(EXEEXT)
+	./gen_ecmult_gen_static_prec_table$(EXEEXT)
+
+PRECOMP = src/ecmult_gen_static_prec_table.h src/ecmult_static_pre_g.h
+noinst_HEADERS += $(PRECOMP)
+precomp: $(PRECOMP)
+
+# Ensure the prebuilt files will be build first (only if they don't exist,
+# e.g., after `make maintainer-clean`).
+BUILT_SOURCES = $(PRECOMP)
+
+maintainer-clean-local: clean-precomp
+
+clean-precomp:
+	rm -f $(PRECOMP)
+
+EXTRA_DIST = autogen.sh SECURITY.md
 
 if ENABLE_MODULE_ECDH
 include src/modules/ecdh/Makefile.am.include

README.md

@@ -66,18 +66,9 @@ libsecp256k1 is built using autotools:
     $ ./autogen.sh
     $ ./configure
     $ make
-    $ make check
+    $ make check  # run the test suite
     $ sudo make install  # optional
 
-Exhaustive tests
------------
-
-    $ ./exhaustive_tests
-
-With valgrind, you might need to increase the max stack size:
-
-    $ valgrind --max-stackframe=2500000 ./exhaustive_tests
-
 Test coverage
 -----------
 
@@ -100,6 +91,18 @@ To create a HTML report with coloured and annotated source code:
     $ mkdir -p coverage
     $ gcovr --exclude 'src/bench*' --html --html-details -o coverage/coverage.html
 
+Benchmark
+------------
+If configured with `--enable-benchmark` (which is the default), binaries for benchmarking the libsecp256k1 functions will be present in the root directory after the build.
+
+To print the benchmark result to the command line:
+
+    $ ./bench_name
+
+To create a CSV file for the benchmark result :
+
+    $ ./bench_name | sed '2d;s/ \{1,\}//g' > bench_name.csv
+
 Reporting a vulnerability
 ------------
 

SECURITY.md

@@ -9,7 +9,7 @@ The following keys may be used to communicate sensitive information to developer
 | Name | Fingerprint |
 |------|-------------|
 | Pieter Wuille | 133E AC17 9436 F14A 5CF1  B794 860F EB80 4E66 9320 |
-| Andrew Poelstra | 699A 63EF C17A D3A9 A34C  FFC0 7AD0 A91C 40BD 0091 |
+| Jonas Nick | 36C7 1A37 C9D9 88BD E825  08D9 B1A7 0E4F 8DCD 0366 |
 | Tim Ruffing | 09E0 3F87 1092 E40E 106E  902B 33BC 86AB 80FF 5516 |
 
-You can import a key by running the following command with that individual’s fingerprint: `gpg --recv-keys "<fingerprint>"` Ensure that you put quotes around fingerprints containing spaces.
+You can import a key by running the following command with that individual’s fingerprint: `gpg --keyserver hkps://keys.openpgp.org --recv-keys "<fingerprint>"` Ensure that you put quotes around fingerprints containing spaces.