Squashed 'src/secp256k1/' changes from ad2028f..b0210a9

b0210a9 Merge pull request bitcoin-core#135
ee3eb4b Fix a memory leak and add a number of small tests.
4d879a3 Merge pull request bitcoin-core#134
d5e8362 Merge pull request bitcoin-core#127
7b92cf6 Merge pull request bitcoin-core#132
0bf70a5 Merge pull request bitcoin-core#133
29ae131 Make scalar_add_bit test's overflow detection exact
9048def Avoid undefined shift behaviour
efb7d4b Use constant-time conditional moves instead of byte slicing
d220062 Merge pull request bitcoin-core#131
82f9254 Fix typo
601ca04 Merge pull request bitcoin-core#129
35399e0 Bugfix: b is restricted, not r
c35ff1e Convert lambda splitter to pure scalar code.
cc604e9 Avoid division when decomposing scalars
ff8746d Add secp256k1_scalar_mul_shift_var
bd313f7 Merge pull request bitcoin-core#119
276f987 Merge pull request bitcoin-core#124
25d125e Merge pull request bitcoin-core#126
24b3c65 Add a test case for ECDSA recomputing infinity
32600e5 Add a test for r >= order signature handling
4d4eeea Make secp256k1_fe_mul_inner use the r != property
be82e92 Require that r and b are different for field multiplication.
597128d Make num optional
659b554 Make constant initializers independent from num
0af5b47 Merge pull request bitcoin-core#120
e2e8a36 Merge pull request bitcoin-core#117
c76be9e Remove unused num functions
4285a98 Move lambda-splitting code to scalar.
f24041d Switch all EC/ECDSA logic from num to scalar
6794be6 Add scalar splitting functions
d1502eb Add secp256k1_scalar_inverse_var which delegates to GMP
b5c9ee7 Make test_point_times_order test meaningful again
0b73059 Switch wnaf splitting from num-based to scalar-based
1e6c77c Generalize secp256k1_scalar_get_bits
5213207 Add secp256k1_scalar_add_bit
3c0ae43 Merge pull request bitcoin-core#122
6e05287 Do signature recovery/verification with 4 possible recid case
e3d692f Explain why no y=0 check is necessary for doubling
f7dc1c6 Optimize doubling: secp256k1 has no y=0 point
666d3b5 Merge pull request bitcoin-core#121
2a54f9b Correct typo in comment
9d64145 Merge pull request bitcoin-core#114
99f0728 Fix secp256k1_num_set_bin handling of 0
d907ebc Add bounds checking to field element setters
bb2cd94 Merge pull request bitcoin-core#116
665775b Don't split the g factor when not using endomorphism
9431d6b Merge pull request bitcoin-core#115
e2274c5 build: osx: attempt to work with homebrew keg-only packages

git-subtree-dir: src/secp256k1
git-subtree-split: b0210a95da433e048a11d298efbcc14eb423c95f

Author: sipa

.travis.yml

@@ -18,6 +18,8 @@ env:
     - FIELD=64bit     ENDOMORPHISM=yes
     - FIELD=32bit
     - FIELD=32bit     ENDOMORPHISM=yes
+    - BIGNUM=none
+    - BIGNUM=none     ENDOMORPHISM=yes
     - BUILD=distcheck
     - EXTRAFLAGS=CFLAGS=-DDETERMINISTIC
 before_script: ./autogen.sh

Makefile.am

@@ -68,12 +68,13 @@ bench_sign_LDFLAGS = -static
 bench_inv_SOURCES = src/bench_inv.c
 bench_inv_LDADD = $(COMMON_LIB) $(SECP_LIBS)
 bench_inv_LDFLAGS = -static
+bench_inv_CPPFLAGS = $(SECP_INCLUDES)
 endif
 
 if USE_TESTS
 noinst_PROGRAMS += tests
 tests_SOURCES = src/tests.c
-tests_CPPFLAGS = -DVERIFY $(SECP_TEST_INCLUDES)
+tests_CPPFLAGS = -DVERIFY $(SECP_INCLUDES) $(SECP_TEST_INCLUDES)
 tests_LDADD = $(COMMON_LIB) $(SECP_LIBS) $(SECP_TEST_LIBS)
 tests_LDFLAGS = -static
 TESTS = tests

build-aux/m4/bitcoin_secp.m4

@@ -78,7 +78,13 @@ fi
 dnl
 AC_DEFUN([SECP_GMP_CHECK],[
 if test x"$has_gmp" != x"yes"; then
-  AC_CHECK_HEADER(gmp.h,[AC_CHECK_LIB(gmp, __gmpz_init,[has_gmp=yes; GMP_LIBS=-lgmp; AC_DEFINE(HAVE_LIBGMP,1,[Define this symbol if libgmp is installed])])])
+  CPPFLAGS_TEMP="$CPPFLAGS"
+  CPPFLAGS="$GMP_CPPFLAGS $CPPFLAGS"
+  LIBS_TEMP="$LIBS"
+  LIBS="$GMP_LIBS $LIBS"
+  AC_CHECK_HEADER(gmp.h,[AC_CHECK_LIB(gmp, __gmpz_init,[has_gmp=yes; GMP_LIBS="$GMP_LIBS -lgmp"; AC_DEFINE(HAVE_LIBGMP,1,[Define this symbol if libgmp is installed])])])
+  CPPFLAGS="$CPPFLAGS_TEMP"
+  LIBS="$LIBS_TEMP"
 fi
 if test x"$set_field" = x"gmp" && test x"$has_gmp" != x"yes"; then
     AC_MSG_ERROR([$set_field field support explicitly requested but libgmp was not found])

configure.ac

@@ -33,10 +33,35 @@ case $host in
 esac
 
 case $host_os in
-  darwin*)
-     CPPFLAGS="$CPPFLAGS -I/opt/local/include"
-     LDFLAGS="$LDFLAGS -L/opt/local/lib"
-     ;;
+  *darwin*)
+     if  test x$cross_compiling != xyes; then
+       AC_PATH_PROG([BREW],brew,)
+       if test x$BREW != x; then
+         dnl These Homebrew packages may be keg-only, meaning that they won't be found
+         dnl in expected paths because they may conflict with system files. Ask
+         dnl Homebrew where each one is located, then adjust paths accordingly.
+
+         openssl_prefix=`$BREW --prefix openssl 2>/dev/null`
+         gmp_prefix=`$BREW --prefix gmp 2>/dev/null`
+         if test x$openssl_prefix != x; then
+           PKG_CONFIG_PATH="$openssl_prefix/lib/pkgconfig:$PKG_CONFIG_PATH"
+           export PKG_CONFIG_PATH
+         fi
+         if test x$gmp_prefix != x; then
+           GMP_CPPFLAGS="-I$gmp_prefix/include"
+           GMP_LIBS="-L$gmp_prefix/lib"
+         fi
+       else
+         AC_PATH_PROG([PORT],port,)
+         dnl if homebrew isn't installed and macports is, add the macports default paths
+         dnl as a last resort.
+         if test x$PORT != x; then
+           CPPFLAGS="$CPPFLAGS -isystem /opt/local/include"
+           LDFLAGS="$LDFLAGS -L/opt/local/lib"
+         fi
+       fi
+     fi
+   ;;
 esac
 
 CFLAGS="$CFLAGS -W"
@@ -70,7 +95,7 @@ AC_ARG_ENABLE(endomorphism,
 AC_ARG_WITH([field], [AS_HELP_STRING([--with-field=gmp|64bit|64bit_asm|32bit|auto],
 [Specify Field Implementation. Default is auto])],[req_field=$withval], [req_field=auto])
 
-AC_ARG_WITH([bignum], [AS_HELP_STRING([--with-bignum=gmp|auto],
+AC_ARG_WITH([bignum], [AS_HELP_STRING([--with-bignum=gmp|none|auto],
 [Specify Bignum Implementation. Default is auto])],[req_bignum=$withval], [req_bignum=auto])
 
 AC_ARG_WITH([scalar], [AS_HELP_STRING([--with-scalar=64bit|32bit|auto],
@@ -154,16 +179,15 @@ if test x"$req_bignum" = x"auto"; then
   fi
 
   if test x"$set_bignum" = x; then
-    AC_MSG_ERROR([no working bignum implementation found])
+    set_bignum=none
   fi
 else
   set_bignum=$req_bignum
   case $set_bignum in
   gmp)
     SECP_GMP_CHECK
     ;;
-  openssl)
-    SECP_OPENSSL_CHECK
+  none)
     ;;
   *)
     AC_MSG_ERROR([invalid bignum implementation selection])
@@ -196,9 +220,15 @@ esac
 # select bignum implementation
 case $set_bignum in
 gmp)
-  AC_DEFINE(HAVE_LIBGMP,1,[Define this symbol if libgmp is installed])
-  AC_DEFINE(USE_NUM_GMP, 1, [Define this symbol to use the gmp implementation])
-  AC_DEFINE(USE_FIELD_INV_NUM, 1, [Define this symbol to use the USE_FIELD_INV_NUM implementation])
+  AC_DEFINE(HAVE_LIBGMP, 1, [Define this symbol if libgmp is installed])
+  AC_DEFINE(USE_NUM_GMP, 1, [Define this symbol to use the gmp implementation for num])
+  AC_DEFINE(USE_FIELD_INV_NUM, 1, [Define this symbol to use the num-based field inverse implementation])
+  AC_DEFINE(USE_SCALAR_INV_NUM, 1, [Define this symbol to use the num-based scalar inverse implementation])
+  ;;
+none)
+  AC_DEFINE(USE_NUM_NONE, 1, [Define this symbol to use no num implementation])
+  AC_DEFINE(USE_FIELD_INV_BUILTIN, 1, [Define this symbol to use the native field inverse implementation])
+  AC_DEFINE(USE_SCALAR_INV_BUILTIN, 1, [Define this symbol to use the native scalar inverse implementation])
   ;;
 *)
   AC_MSG_ERROR([invalid bignum implementation])
@@ -236,10 +266,11 @@ fi
 
 if test x"$set_field" = x"gmp" || test x"$set_bignum" = x"gmp"; then
   SECP_LIBS="$SECP_LIBS $GMP_LIBS"
+  SECP_INCLUDES="$SECP_INCLUDES $GMP_CPPFLAGS"
 fi
 
 if test x"$use_endomorphism" = x"yes"; then
-  AC_DEFINE(USE_ENDOMORPHISM, 1, [Define this symbol to use endomorphism])
+  AC_DEFINE(USE_ENDOMORPHISM, 1, [Define this symbol to use endomorphism optimization])
 fi
 
 AC_MSG_NOTICE([Using field implementation: $set_field])
@@ -256,4 +287,10 @@ AC_SUBST(YASM_BINFMT)
 AM_CONDITIONAL([USE_ASM], [test x"$set_field" == x"64bit_asm"])
 AM_CONDITIONAL([USE_TESTS], [test x"$use_tests" != x"no"])
 AM_CONDITIONAL([USE_BENCHMARK], [test x"$use_benchmark" != x"no"])
+
+dnl make sure nothing new is exported so that we don't break the cache
+PKGCONFIG_PATH_TEMP="$PKG_CONFIG_PATH"
+unset PKG_CONFIG_PATH
+PKG_CONFIG_PATH="$PKGCONFIG_PATH_TEMP"
+
 AC_OUTPUT

include/secp256k1.h

@@ -14,18 +14,6 @@ extern "C" {
 #  endif
 # endif
 
-# if (!defined(__STDC_VERSION__) || (__STDC_VERSION__ < 199901L) )
-#  if SECP256K1_GNUC_PREREQ(3,0)
-#   define SECP256K1_RESTRICT __restrict__
-#  elif (defined(_MSC_VER) && _MSC_VER >= 1400)
-#   define SECP256K1_RESTRICT __restrict
-#  else
-#   define SECP256K1_RESTRICT
-#  endif
-# else
-#  define SECP256K1_RESTRICT restrict
-# endif
-
 # if (!defined(__STDC_VERSION__) || (__STDC_VERSION__ < 199901L) )
 #  if SECP256K1_GNUC_PREREQ(2,7)
 #   define SECP256K1_INLINE __inline__

src/ecdsa.h

@@ -7,17 +7,21 @@
 #ifndef _SECP256K1_ECDSA_
 #define _SECP256K1_ECDSA_
 
-#include "num.h"
+#include "scalar.h"
+#include "group.h"
+
+static void secp256k1_ecsda_start(void);
+static void secp256k1_ecdsa_stop(void);
 
 typedef struct {
-    secp256k1_num_t r, s;
+    secp256k1_scalar_t r, s;
 } secp256k1_ecdsa_sig_t;
 
 static int secp256k1_ecdsa_sig_parse(secp256k1_ecdsa_sig_t *r, const unsigned char *sig, int size);
 static int secp256k1_ecdsa_sig_serialize(unsigned char *sig, int *size, const secp256k1_ecdsa_sig_t *a);
-static int secp256k1_ecdsa_sig_verify(const secp256k1_ecdsa_sig_t *sig, const secp256k1_ge_t *pubkey, const secp256k1_num_t *message);
+static int secp256k1_ecdsa_sig_verify(const secp256k1_ecdsa_sig_t *sig, const secp256k1_ge_t *pubkey, const secp256k1_scalar_t *message);
 static int secp256k1_ecdsa_sig_sign(secp256k1_ecdsa_sig_t *sig, const secp256k1_scalar_t *seckey, const secp256k1_scalar_t *message, const secp256k1_scalar_t *nonce, int *recid);
-static int secp256k1_ecdsa_sig_recover(const secp256k1_ecdsa_sig_t *sig, secp256k1_ge_t *pubkey, const secp256k1_num_t *message, int recid);
-static void secp256k1_ecdsa_sig_set_rs(secp256k1_ecdsa_sig_t *sig, const secp256k1_num_t *r, const secp256k1_num_t *s);
+static int secp256k1_ecdsa_sig_recover(const secp256k1_ecdsa_sig_t *sig, secp256k1_ge_t *pubkey, const secp256k1_scalar_t *message, int recid);
+static void secp256k1_ecdsa_sig_set_rs(secp256k1_ecdsa_sig_t *sig, const secp256k1_scalar_t *r, const secp256k1_scalar_t *s);
 
 #endif