diff --git a/secp256k1-sys/Cargo.toml b/secp256k1-sys/Cargo.toml index 45c2edb9a..b11dbe3f5 100644 --- a/secp256k1-sys/Cargo.toml +++ b/secp256k1-sys/Cargo.toml @@ -1,6 +1,6 @@ [package] name = "secp256k1-sys" -version = "0.1.2" +version = "0.1.3" authors = [ "Dawid Ciężarkiewicz ", "Andrew Poelstra ", "Steven Roose " ] @@ -12,7 +12,7 @@ description = "FFI for Pieter Wuille's `libsecp256k1` library." keywords = [ "secp256k1", "libsecp256k1", "ffi" ] readme = "README.md" build = "build.rs" -links = "rustsecp256k1_v0_1_1" +links = "rustsecp256k1_v0_1_2" # Should make docs.rs show all functions, even those behind non-default features [package.metadata.docs.rs] diff --git a/secp256k1-sys/build.rs b/secp256k1-sys/build.rs index 8f54961e2..8660a8a75 100644 --- a/secp256k1-sys/build.rs +++ b/secp256k1-sys/build.rs @@ -52,12 +52,13 @@ fn main() { .include("depend/secp256k1/src") .flag_if_supported("-Wno-unused-function") // some ecmult stuff is defined but not used upstream .define("SECP256K1_BUILD", Some("1")) + .define("ENABLE_MODULE_ECDH", Some("1")) + .define("ECMULT_GEN_PREC_BITS", Some("4")) // TODO these three should be changed to use libgmp, at least until secp PR 290 is merged .define("USE_NUM_NONE", Some("1")) .define("USE_FIELD_INV_BUILTIN", Some("1")) - .define("USE_SCALAR_INV_BUILTIN", Some("1")) - .define("ENABLE_MODULE_ECDH", Some("1")); - + .define("USE_SCALAR_INV_BUILTIN", Some("1")); + if cfg!(feature = "lowmemory") { base_config.define("ECMULT_WINDOW_SIZE", Some("4")); // A low-enough value to consume neglible memory } else { diff --git a/secp256k1-sys/depend/secp256k1-HEAD-revision.txt b/secp256k1-sys/depend/secp256k1-HEAD-revision.txt index 94db77fa7..68f0b4eb9 100644 --- a/secp256k1-sys/depend/secp256k1-HEAD-revision.txt +++ b/secp256k1-sys/depend/secp256k1-HEAD-revision.txt @@ -1,2 +1,2 @@ # This file was automatically created by ./vendor-libsecp.sh -143dc6e9ee31852a60321b23eea407d2006171da +f39f99be0e6add959f534c03b93044cef066fe09 diff --git a/secp256k1-sys/depend/secp256k1/.gitignore b/secp256k1-sys/depend/secp256k1/.gitignore index 55d325aee..cb4331aa9 100644 --- a/secp256k1-sys/depend/secp256k1/.gitignore +++ b/secp256k1-sys/depend/secp256k1/.gitignore @@ -9,6 +9,7 @@ bench_internal tests exhaustive_tests gen_context +valgrind_ctime_test *.exe *.so *.a diff --git a/secp256k1-sys/depend/secp256k1/.travis.yml b/secp256k1-sys/depend/secp256k1/.travis.yml index 74f658f4d..3d315b101 100644 --- a/secp256k1-sys/depend/secp256k1/.travis.yml +++ b/secp256k1-sys/depend/secp256k1/.travis.yml @@ -2,17 +2,16 @@ language: c os: linux addons: apt: - packages: libgmp-dev + packages: + - libgmp-dev + - valgrind + - libtool-bin compiler: - clang - gcc -cache: - directories: - - src/java/guava/ env: global: - - FIELD=auto BIGNUM=auto SCALAR=auto ENDOMORPHISM=no STATICPRECOMPUTATION=yes ASM=no BUILD=check EXTRAFLAGS= HOST= ECDH=no RECOVERY=no EXPERIMENTAL=no JNI=no - - GUAVA_URL=https://search.maven.org/remotecontent?filepath=com/google/guava/guava/18.0/guava-18.0.jar GUAVA_JAR=src/java/guava/guava-18.0.jar + - FIELD=auto BIGNUM=auto SCALAR=auto ENDOMORPHISM=no STATICPRECOMPUTATION=yes ECMULTGENPRECISION=auto ASM=no BUILD=check EXTRAFLAGS= HOST= ECDH=no RECOVERY=no EXPERIMENTAL=no CTIMETEST=yes BENCH=yes SECP256K1_BENCH_ITERS=2 matrix: - SCALAR=32bit RECOVERY=yes - SCALAR=32bit FIELD=32bit ECDH=yes EXPERIMENTAL=yes @@ -26,10 +25,11 @@ env: - BIGNUM=no - BIGNUM=no ENDOMORPHISM=yes RECOVERY=yes EXPERIMENTAL=yes - BIGNUM=no STATICPRECOMPUTATION=no - - BUILD=distcheck + - BUILD=distcheck CTIMETEST= BENCH= - EXTRAFLAGS=CPPFLAGS=-DDETERMINISTIC - EXTRAFLAGS=CFLAGS=-O0 - - BUILD=check-java JNI=yes ECDH=yes EXPERIMENTAL=yes + - ECMULTGENPRECISION=2 + - ECMULTGENPRECISION=8 matrix: fast_finish: true include: @@ -40,18 +40,27 @@ matrix: packages: - gcc-multilib - libgmp-dev:i386 + - valgrind + - libtool-bin + - libc6-dbg:i386 - compiler: clang env: HOST=i686-linux-gnu addons: apt: packages: - gcc-multilib + - valgrind + - libtool-bin + - libc6-dbg:i386 - compiler: gcc env: HOST=i686-linux-gnu ENDOMORPHISM=yes addons: apt: packages: - gcc-multilib + - valgrind + - libtool-bin + - libc6-dbg:i386 - compiler: gcc env: HOST=i686-linux-gnu addons: @@ -59,10 +68,44 @@ matrix: packages: - gcc-multilib - libgmp-dev:i386 -before_install: mkdir -p `dirname $GUAVA_JAR` -install: if [ ! -f $GUAVA_JAR ]; then wget $GUAVA_URL -O $GUAVA_JAR; fi + - valgrind + - libtool-bin + - libc6-dbg:i386 + - compiler: gcc + env: + - BIGNUM=no ENDOMORPHISM=yes ASM=x86_64 EXPERIMENTAL=yes ECDH=yes RECOVERY=yes + - VALGRIND=yes EXTRAFLAGS="--disable-openssl-tests CPPFLAGS=-DVALGRIND" BUILD= + - compiler: gcc + env: # The same as above but without endomorphism. + - BIGNUM=no ENDOMORPHISM=no ASM=x86_64 EXPERIMENTAL=yes ECDH=yes RECOVERY=yes + - VALGRIND=yes EXTRAFLAGS="--disable-openssl-tests CPPFLAGS=-DVALGRIND" BUILD= + before_script: ./autogen.sh + script: - if [ -n "$HOST" ]; then export USE_HOST="--host=$HOST"; fi - if [ "x$HOST" = "xi686-linux-gnu" ]; then export CC="$CC -m32"; fi - - ./configure --enable-experimental=$EXPERIMENTAL --enable-endomorphism=$ENDOMORPHISM --with-field=$FIELD --with-bignum=$BIGNUM --with-scalar=$SCALAR --enable-ecmult-static-precomputation=$STATICPRECOMPUTATION --enable-module-ecdh=$ECDH --enable-module-recovery=$RECOVERY --enable-jni=$JNI $EXTRAFLAGS $USE_HOST && make -j2 $BUILD + - ./configure --enable-experimental=$EXPERIMENTAL --enable-endomorphism=$ENDOMORPHISM --with-field=$FIELD --with-bignum=$BIGNUM --with-asm=$ASM --with-scalar=$SCALAR --enable-ecmult-static-precomputation=$STATICPRECOMPUTATION --with-ecmult-gen-precision=$ECMULTGENPRECISION --enable-module-ecdh=$ECDH --enable-module-recovery=$RECOVERY $EXTRAFLAGS $USE_HOST + - if [ -n "$BUILD" ]; then make -j2 $BUILD; fi + - # travis_wait extends the 10 minutes without output allowed (https://docs.travis-ci.com/user/common-build-problems/#build-times-out-because-no-output-was-received) + - # the `--error-exitcode` is required to make the test fail if valgrind found errors, otherwise it'll return 0 (http://valgrind.org/docs/manual/manual-core.html) + - if [ -n "$VALGRIND" ]; then + make -j2 && + travis_wait 30 valgrind --error-exitcode=42 ./tests 16 && + travis_wait 30 valgrind --error-exitcode=42 ./exhaustive_tests; + fi + - if [ -n "$BENCH" ]; then + if [ -n "$VALGRIND" ]; then EXEC='libtool --mode=execute valgrind --error-exitcode=42'; else EXEC= ; fi && + $EXEC ./bench_ecmult &>> bench.log && $EXEC ./bench_internal &>> bench.log && $EXEC ./bench_sign &>> bench.log && $EXEC ./bench_verify &>> bench.log && + if [ "$RECOVERY" == "yes" ]; then $EXEC ./bench_recover &>> bench.log; fi && + if [ "$ECDH" == "yes" ]; then $EXEC ./bench_ecdh &>> bench.log; fi; + fi + - if [ -n "$CTIMETEST" ]; then + libtool --mode=execute valgrind ./valgrind_ctime_test &> valgrind_ctime_test.log; + fi + +after_script: + - cat ./tests.log + - cat ./exhaustive_tests.log + - cat ./valgrind_ctime_test.log + - cat ./bench.log diff --git a/secp256k1-sys/depend/secp256k1/Makefile.am b/secp256k1-sys/depend/secp256k1/Makefile.am index 2bde765c3..55fb6c257 100644 --- a/secp256k1-sys/depend/secp256k1/Makefile.am +++ b/secp256k1-sys/depend/secp256k1/Makefile.am @@ -1,14 +1,8 @@ ACLOCAL_AMFLAGS = -I build-aux/m4 lib_LTLIBRARIES = libsecp256k1.la -if USE_JNI -JNI_LIB = librustsecp256k1_v0_1_1_jni.la -noinst_LTLIBRARIES = $(JNI_LIB) -else -JNI_LIB = -endif include_HEADERS = include/secp256k1.h -include_HEADERS += include/rustsecp256k1_v0_1_1_preallocated.h +include_HEADERS += include/rustsecp256k1_v0_1_2_preallocated.h noinst_HEADERS = noinst_HEADERS += src/scalar.h noinst_HEADERS += src/scalar_4x64.h @@ -40,8 +34,6 @@ noinst_HEADERS += src/field_5x52.h noinst_HEADERS += src/field_5x52_impl.h noinst_HEADERS += src/field_5x52_int128_impl.h noinst_HEADERS += src/field_5x52_asm_impl.h -noinst_HEADERS += src/java/org_bitcoin_NativeSecp256k1.h -noinst_HEADERS += src/java/org_bitcoin_Secp256k1Context.h noinst_HEADERS += src/util.h noinst_HEADERS += src/scratch.h noinst_HEADERS += src/scratch_impl.h @@ -58,7 +50,7 @@ noinst_HEADERS += contrib/lax_der_privatekey_parsing.h noinst_HEADERS += contrib/lax_der_privatekey_parsing.c if USE_EXTERNAL_ASM -COMMON_LIB = librustsecp256k1_v0_1_1_common.la +COMMON_LIB = librustsecp256k1_v0_1_2_common.la noinst_LTLIBRARIES = $(COMMON_LIB) else COMMON_LIB = @@ -69,22 +61,25 @@ pkgconfig_DATA = libsecp256k1.pc if USE_EXTERNAL_ASM if USE_ASM_ARM -librustsecp256k1_v0_1_1_common_la_SOURCES = src/asm/field_10x26_arm.s +librustsecp256k1_v0_1_2_common_la_SOURCES = src/asm/field_10x26_arm.s endif endif -librustsecp256k1_v0_1_1_la_SOURCES = src/secp256k1.c -librustsecp256k1_v0_1_1_la_CPPFLAGS = -DSECP256K1_BUILD -I$(top_srcdir)/include -I$(top_srcdir)/src $(SECP_INCLUDES) -librustsecp256k1_v0_1_1_la_LIBADD = $(JNI_LIB) $(SECP_LIBS) $(COMMON_LIB) +librustsecp256k1_v0_1_2_la_SOURCES = src/secp256k1.c +librustsecp256k1_v0_1_2_la_CPPFLAGS = -DSECP256K1_BUILD -I$(top_srcdir)/include -I$(top_srcdir)/src $(SECP_INCLUDES) +librustsecp256k1_v0_1_2_la_LIBADD = $(SECP_LIBS) $(COMMON_LIB) -librustsecp256k1_v0_1_1_jni_la_SOURCES = src/java/org_bitcoin_NativeSecp256k1.c src/java/org_bitcoin_Secp256k1Context.c -librustsecp256k1_v0_1_1_jni_la_CPPFLAGS = -DSECP256K1_BUILD $(JNI_INCLUDES) +if VALGRIND_ENABLED +librustsecp256k1_v0_1_2_la_CPPFLAGS += -DVALGRIND +endif noinst_PROGRAMS = if USE_BENCHMARK noinst_PROGRAMS += bench_verify bench_sign bench_internal bench_ecmult bench_verify_SOURCES = src/bench_verify.c bench_verify_LDADD = libsecp256k1.la $(SECP_LIBS) $(SECP_TEST_LIBS) $(COMMON_LIB) +# SECP_TEST_INCLUDES are only used here for CRYPTO_CPPFLAGS +bench_verify_CPPFLAGS = -DSECP256K1_BUILD $(SECP_TEST_INCLUDES) bench_sign_SOURCES = src/bench_sign.c bench_sign_LDADD = libsecp256k1.la $(SECP_LIBS) $(SECP_TEST_LIBS) $(COMMON_LIB) bench_internal_SOURCES = src/bench_internal.c @@ -100,6 +95,12 @@ if USE_TESTS noinst_PROGRAMS += tests tests_SOURCES = src/tests.c tests_CPPFLAGS = -DSECP256K1_BUILD -I$(top_srcdir)/src -I$(top_srcdir)/include $(SECP_INCLUDES) $(SECP_TEST_INCLUDES) +if VALGRIND_ENABLED +tests_CPPFLAGS += -DVALGRIND +noinst_PROGRAMS += valgrind_ctime_test +valgrind_ctime_test_SOURCES = src/valgrind_ctime_test.c +valgrind_ctime_test_LDADD = libsecp256k1.la $(SECP_LIBS) $(SECP_TEST_LIBS) $(COMMON_LIB) +endif if !ENABLE_COVERAGE tests_CPPFLAGS += -DVERIFY endif @@ -120,48 +121,18 @@ exhaustive_tests_LDFLAGS = -static TESTS += exhaustive_tests endif -JAVAROOT=src/java -JAVAORG=org/bitcoin -JAVA_GUAVA=$(srcdir)/$(JAVAROOT)/guava/guava-18.0.jar -CLASSPATH_ENV=CLASSPATH=$(JAVA_GUAVA) -JAVA_FILES= \ - $(JAVAROOT)/$(JAVAORG)/NativeSecp256k1.java \ - $(JAVAROOT)/$(JAVAORG)/NativeSecp256k1Test.java \ - $(JAVAROOT)/$(JAVAORG)/NativeSecp256k1Util.java \ - $(JAVAROOT)/$(JAVAORG)/Secp256k1Context.java - -if USE_JNI - -$(JAVA_GUAVA): - @echo Guava is missing. Fetch it via: \ - wget https://search.maven.org/remotecontent?filepath=com/google/guava/guava/18.0/guava-18.0.jar -O $(@) - @false - -.stamp-java: $(JAVA_FILES) - @echo Compiling $^ - $(AM_V_at)$(CLASSPATH_ENV) javac $^ - @touch $@ - -if USE_TESTS - -check-java: libsecp256k1.la $(JAVA_GUAVA) .stamp-java - $(AM_V_at)java -Djava.library.path="./:./src:./src/.libs:.libs/" -cp "$(JAVA_GUAVA):$(JAVAROOT)" $(JAVAORG)/NativeSecp256k1Test - -endif -endif - if USE_ECMULT_STATIC_PRECOMPUTATION -CPPFLAGS_FOR_BUILD +=-I$(top_srcdir) +CPPFLAGS_FOR_BUILD +=-I$(top_srcdir) -I$(builddir)/src gen_context_OBJECTS = gen_context.o gen_context_BIN = gen_context$(BUILD_EXEEXT) -gen_%.o: src/gen_%.c +gen_%.o: src/gen_%.c src/libsecp256k1-config.h $(CC_FOR_BUILD) $(CPPFLAGS_FOR_BUILD) $(CFLAGS_FOR_BUILD) -c $< -o $@ $(gen_context_BIN): $(gen_context_OBJECTS) $(CC_FOR_BUILD) $(CFLAGS_FOR_BUILD) $(LDFLAGS_FOR_BUILD) $^ -o $@ -$(librustsecp256k1_v0_1_1_la_OBJECTS): src/ecmult_static_context.h +$(librustsecp256k1_v0_1_2_la_OBJECTS): src/ecmult_static_context.h $(tests_OBJECTS): src/ecmult_static_context.h $(bench_internal_OBJECTS): src/ecmult_static_context.h $(bench_ecmult_OBJECTS): src/ecmult_static_context.h @@ -169,10 +140,10 @@ $(bench_ecmult_OBJECTS): src/ecmult_static_context.h src/ecmult_static_context.h: $(gen_context_BIN) ./$(gen_context_BIN) -CLEANFILES = $(gen_context_BIN) src/ecmult_static_context.h $(JAVAROOT)/$(JAVAORG)/*.class .stamp-java +CLEANFILES = $(gen_context_BIN) src/ecmult_static_context.h endif -EXTRA_DIST = autogen.sh src/gen_context.c src/basic-config.h $(JAVA_FILES) +EXTRA_DIST = autogen.sh src/gen_context.c src/basic-config.h if ENABLE_MODULE_ECDH include src/modules/ecdh/Makefile.am.include diff --git a/secp256k1-sys/depend/secp256k1/README.md b/secp256k1-sys/depend/secp256k1/README.md index 8cd344ea8..434178b37 100644 --- a/secp256k1-sys/depend/secp256k1/README.md +++ b/secp256k1-sys/depend/secp256k1/README.md @@ -3,17 +3,22 @@ libsecp256k1 [![Build Status](https://travis-ci.org/bitcoin-core/secp256k1.svg?branch=master)](https://travis-ci.org/bitcoin-core/secp256k1) -Optimized C library for EC operations on curve secp256k1. +Optimized C library for ECDSA signatures and secret/public key operations on curve secp256k1. -This library is a work in progress and is being used to research best practices. Use at your own risk. +This library is intended to be the highest quality publicly available library for cryptography on the secp256k1 curve. However, the primary focus of its development has been for usage in the Bitcoin system and usage unlike Bitcoin's may be less well tested, verified, or suffer from a less well thought out interface. Correct usage requires some care and consideration that the library is fit for your application's purpose. Features: * secp256k1 ECDSA signing/verification and key generation. -* Adding/multiplying private/public keys. -* Serialization/parsing of private keys, public keys, signatures. -* Constant time, constant memory access signing and pubkey generation. -* Derandomized DSA (via RFC6979 or with a caller provided function.) +* Additive and multiplicative tweaking of secret/public keys. +* Serialization/parsing of secret keys, public keys, signatures. +* Constant time, constant memory access signing and public key generation. +* Derandomized ECDSA (via RFC6979 or with a caller provided function.) * Very efficient implementation. +* Suitable for embedded systems. +* Optional module for public key recovery. +* Optional module for ECDH key exchange (experimental). + +Experimental features have not received enough scrutiny to satisfy the standard of quality of this library but are made available for testing and review by the community. The APIs of these features should not be considered stable. Implementation details ---------------------- @@ -23,11 +28,12 @@ Implementation details * Extensive testing infrastructure. * Structured to facilitate review and analysis. * Intended to be portable to any system with a C89 compiler and uint64_t support. + * No use of floating types. * Expose only higher level interfaces to minimize the API surface and improve application security. ("Be difficult to use insecurely.") * Field operations * Optimized implementation of arithmetic modulo the curve's field size (2^256 - 0x1000003D1). * Using 5 52-bit limbs (including hand-optimized assembly for x86_64, by Diederik Huys). - * Using 10 26-bit limbs. + * Using 10 26-bit limbs (including hand-optimized assembly for 32-bit ARM, by Wladimir J. van der Laan). * Field inverses and square roots using a sliding window over blocks of 1s (by Peter Dettman). * Scalar operations * Optimized implementation without data-dependent branches of arithmetic modulo the curve's order. @@ -45,9 +51,11 @@ Implementation details * Optionally (off by default) use secp256k1's efficiently-computable endomorphism to split the P multiplicand into 2 half-sized ones. * Point multiplication for signing * Use a precomputed table of multiples of powers of 16 multiplied with the generator, so general multiplication becomes a series of additions. - * Access the table with branch-free conditional moves so memory access is uniform. - * No data-dependent branches - * The precomputed tables add and eventually subtract points for which no known scalar (private key) is known, preventing even an attacker with control over the private key used to control the data internally. + * Intended to be completely free of timing sidechannels for secret-key operations (on reasonable hardware/toolchains) + * Access the table with branch-free conditional moves so memory access is uniform. + * No data-dependent branches + * Optional runtime blinding which attempts to frustrate differential power analysis. + * The precomputed tables add and eventually subtract points for which no known scalar (secret key) is known, preventing even an attacker with control over the secret key used to control the data internally. Build steps ----------- @@ -57,5 +65,40 @@ libsecp256k1 is built using autotools: $ ./autogen.sh $ ./configure $ make - $ ./tests + $ make check $ sudo make install # optional + +Exhaustive tests +----------- + + $ ./exhaustive_tests + +With valgrind, you might need to increase the max stack size: + + $ valgrind --max-stackframe=2500000 ./exhaustive_tests + +Test coverage +----------- + +This library aims to have full coverage of the reachable lines and branches. + +To create a test coverage report, configure with `--enable-coverage` (use of GCC is necessary): + + $ ./configure --enable-coverage + +Run the tests: + + $ make check + +To create a report, `gcovr` is recommended, as it includes branch coverage reporting: + + $ gcovr --exclude 'src/bench*' --print-summary + +To create a HTML report with coloured and annotated source code: + + $ gcovr --exclude 'src/bench*' --html --html-details -o coverage.html + +Reporting a vulnerability +------------ + +See [SECURITY.md](SECURITY.md) diff --git a/secp256k1-sys/depend/secp256k1/SECURITY.md b/secp256k1-sys/depend/secp256k1/SECURITY.md new file mode 100644 index 000000000..0e4d58803 --- /dev/null +++ b/secp256k1-sys/depend/secp256k1/SECURITY.md @@ -0,0 +1,15 @@ +# Security Policy + +## Reporting a Vulnerability + +To report security issues send an email to secp256k1-security@bitcoincore.org (not for support). + +The following keys may be used to communicate sensitive information to developers: + +| Name | Fingerprint | +|------|-------------| +| Pieter Wuille | 133E AC17 9436 F14A 5CF1 B794 860F EB80 4E66 9320 | +| Andrew Poelstra | 699A 63EF C17A D3A9 A34C FFC0 7AD0 A91C 40BD 0091 | +| Tim Ruffing | 09E0 3F87 1092 E40E 106E 902B 33BC 86AB 80FF 5516 | + +You can import a key by running the following command with that individual’s fingerprint: `gpg --recv-keys ""` Ensure that you put quotes around fingerprints containing spaces. diff --git a/secp256k1-sys/depend/secp256k1/build-aux/m4/ax_jni_include_dir.m4 b/secp256k1-sys/depend/secp256k1/build-aux/m4/ax_jni_include_dir.m4 deleted file mode 100644 index cdc78d87d..000000000 --- a/secp256k1-sys/depend/secp256k1/build-aux/m4/ax_jni_include_dir.m4 +++ /dev/null @@ -1,145 +0,0 @@ -# =========================================================================== -# https://www.gnu.org/software/autoconf-archive/ax_jni_include_dir.html -# =========================================================================== -# -# SYNOPSIS -# -# AX_JNI_INCLUDE_DIR -# -# DESCRIPTION -# -# AX_JNI_INCLUDE_DIR finds include directories needed for compiling -# programs using the JNI interface. -# -# JNI include directories are usually in the Java distribution. This is -# deduced from the value of $JAVA_HOME, $JAVAC, or the path to "javac", in -# that order. When this macro completes, a list of directories is left in -# the variable JNI_INCLUDE_DIRS. -# -# Example usage follows: -# -# AX_JNI_INCLUDE_DIR -# -# for JNI_INCLUDE_DIR in $JNI_INCLUDE_DIRS -# do -# CPPFLAGS="$CPPFLAGS -I$JNI_INCLUDE_DIR" -# done -# -# If you want to force a specific compiler: -# -# - at the configure.in level, set JAVAC=yourcompiler before calling -# AX_JNI_INCLUDE_DIR -# -# - at the configure level, setenv JAVAC -# -# Note: This macro can work with the autoconf M4 macros for Java programs. -# This particular macro is not part of the original set of macros. -# -# LICENSE -# -# Copyright (c) 2008 Don Anderson -# -# Copying and distribution of this file, with or without modification, are -# permitted in any medium without royalty provided the copyright notice -# and this notice are preserved. This file is offered as-is, without any -# warranty. - -#serial 14 - -AU_ALIAS([AC_JNI_INCLUDE_DIR], [AX_JNI_INCLUDE_DIR]) -AC_DEFUN([AX_JNI_INCLUDE_DIR],[ - -JNI_INCLUDE_DIRS="" - -if test "x$JAVA_HOME" != x; then - _JTOPDIR="$JAVA_HOME" -else - if test "x$JAVAC" = x; then - JAVAC=javac - fi - AC_PATH_PROG([_ACJNI_JAVAC], [$JAVAC], [no]) - if test "x$_ACJNI_JAVAC" = xno; then - AC_MSG_WARN([cannot find JDK; try setting \$JAVAC or \$JAVA_HOME]) - fi - _ACJNI_FOLLOW_SYMLINKS("$_ACJNI_JAVAC") - _JTOPDIR=`echo "$_ACJNI_FOLLOWED" | sed -e 's://*:/:g' -e 's:/[[^/]]*$::'` -fi - -case "$host_os" in - darwin*) # Apple Java headers are inside the Xcode bundle. - macos_version=$(sw_vers -productVersion | sed -n -e 's/^@<:@0-9@:>@*.\(@<:@0-9@:>@*\).@<:@0-9@:>@*/\1/p') - if @<:@ "$macos_version" -gt "7" @:>@; then - _JTOPDIR="$(xcrun --show-sdk-path)/System/Library/Frameworks/JavaVM.framework" - _JINC="$_JTOPDIR/Headers" - else - _JTOPDIR="/System/Library/Frameworks/JavaVM.framework" - _JINC="$_JTOPDIR/Headers" - fi - ;; - *) _JINC="$_JTOPDIR/include";; -esac -_AS_ECHO_LOG([_JTOPDIR=$_JTOPDIR]) -_AS_ECHO_LOG([_JINC=$_JINC]) - -# On Mac OS X 10.6.4, jni.h is a symlink: -# /System/Library/Frameworks/JavaVM.framework/Versions/Current/Headers/jni.h -# -> ../../CurrentJDK/Headers/jni.h. -AC_CACHE_CHECK(jni headers, ac_cv_jni_header_path, -[ - if test -f "$_JINC/jni.h"; then - ac_cv_jni_header_path="$_JINC" - JNI_INCLUDE_DIRS="$JNI_INCLUDE_DIRS $ac_cv_jni_header_path" - else - _JTOPDIR=`echo "$_JTOPDIR" | sed -e 's:/[[^/]]*$::'` - if test -f "$_JTOPDIR/include/jni.h"; then - ac_cv_jni_header_path="$_JTOPDIR/include" - JNI_INCLUDE_DIRS="$JNI_INCLUDE_DIRS $ac_cv_jni_header_path" - else - ac_cv_jni_header_path=none - fi - fi -]) - -# get the likely subdirectories for system specific java includes -case "$host_os" in -bsdi*) _JNI_INC_SUBDIRS="bsdos";; -freebsd*) _JNI_INC_SUBDIRS="freebsd";; -darwin*) _JNI_INC_SUBDIRS="darwin";; -linux*) _JNI_INC_SUBDIRS="linux genunix";; -osf*) _JNI_INC_SUBDIRS="alpha";; -solaris*) _JNI_INC_SUBDIRS="solaris";; -mingw*) _JNI_INC_SUBDIRS="win32";; -cygwin*) _JNI_INC_SUBDIRS="win32";; -*) _JNI_INC_SUBDIRS="genunix";; -esac - -if test "x$ac_cv_jni_header_path" != "xnone"; then - # add any subdirectories that are present - for JINCSUBDIR in $_JNI_INC_SUBDIRS - do - if test -d "$_JTOPDIR/include/$JINCSUBDIR"; then - JNI_INCLUDE_DIRS="$JNI_INCLUDE_DIRS $_JTOPDIR/include/$JINCSUBDIR" - fi - done -fi -]) - -# _ACJNI_FOLLOW_SYMLINKS -# Follows symbolic links on , -# finally setting variable _ACJNI_FOLLOWED -# ---------------------------------------- -AC_DEFUN([_ACJNI_FOLLOW_SYMLINKS],[ -# find the include directory relative to the javac executable -_cur="$1" -while ls -ld "$_cur" 2>/dev/null | grep " -> " >/dev/null; do - AC_MSG_CHECKING([symlink for $_cur]) - _slink=`ls -ld "$_cur" | sed 's/.* -> //'` - case "$_slink" in - /*) _cur="$_slink";; - # 'X' avoids triggering unwanted echo options. - *) _cur=`echo "X$_cur" | sed -e 's/^X//' -e 's:[[^/]]*$::'`"$_slink";; - esac - AC_MSG_RESULT([$_cur]) -done -_ACJNI_FOLLOWED="$_cur" -])# _ACJNI diff --git a/secp256k1-sys/depend/secp256k1/build-aux/m4/bitcoin_secp.m4 b/secp256k1-sys/depend/secp256k1/build-aux/m4/bitcoin_secp.m4 index 3b3975cbd..1b2b71e6a 100644 --- a/secp256k1-sys/depend/secp256k1/build-aux/m4/bitcoin_secp.m4 +++ b/secp256k1-sys/depend/secp256k1/build-aux/m4/bitcoin_secp.m4 @@ -38,6 +38,8 @@ AC_DEFUN([SECP_OPENSSL_CHECK],[ fi if test x"$has_libcrypto" = x"yes" && test x"$has_openssl_ec" = x; then AC_MSG_CHECKING(for EC functions in libcrypto) + CPPFLAGS_TEMP="$CPPFLAGS" + CPPFLAGS="$CRYPTO_CPPFLAGS $CPPFLAGS" AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include #include @@ -51,6 +53,7 @@ if test x"$has_libcrypto" = x"yes" && test x"$has_openssl_ec" = x; then ECDSA_SIG_free(sig_openssl); ]])],[has_openssl_ec=yes],[has_openssl_ec=no]) AC_MSG_RESULT([$has_openssl_ec]) + CPPFLAGS="$CPPFLAGS_TEMP" fi ]) diff --git a/secp256k1-sys/depend/secp256k1/configure.ac b/secp256k1-sys/depend/secp256k1/configure.ac index dc6d50f70..7f762fa31 100644 --- a/secp256k1-sys/depend/secp256k1/configure.ac +++ b/secp256k1-sys/depend/secp256k1/configure.ac @@ -7,6 +7,11 @@ AH_TOP([#ifndef LIBSECP256K1_CONFIG_H]) AH_TOP([#define LIBSECP256K1_CONFIG_H]) AH_BOTTOM([#endif /*LIBSECP256K1_CONFIG_H*/]) AM_INIT_AUTOMAKE([foreign subdir-objects]) + +# Set -g if CFLAGS are not already set, which matches the default autoconf +# behavior (see PROG_CC in the Autoconf manual) with the exception that we don't +# set -O2 here because we set it in any case (see further down). +: ${CFLAGS="-g"} LT_INIT dnl make the compilation flags quiet unless V=1 is used @@ -19,10 +24,6 @@ AC_PATH_TOOL(RANLIB, ranlib) AC_PATH_TOOL(STRIP, strip) AX_PROG_CC_FOR_BUILD -if test "x$CFLAGS" = "x"; then - CFLAGS="-g" -fi - AM_PROG_CC_C_O AC_PROG_CC_C89 @@ -45,6 +46,7 @@ case $host_os in if test x$openssl_prefix != x; then PKG_CONFIG_PATH="$openssl_prefix/lib/pkgconfig:$PKG_CONFIG_PATH" export PKG_CONFIG_PATH + CRYPTO_CPPFLAGS="-I$openssl_prefix/include" fi if test x$gmp_prefix != x; then GMP_CPPFLAGS="-I$gmp_prefix/include" @@ -63,11 +65,11 @@ case $host_os in ;; esac -CFLAGS="$CFLAGS -W" +CFLAGS="-W $CFLAGS" warn_CFLAGS="-std=c89 -pedantic -Wall -Wextra -Wcast-align -Wnested-externs -Wshadow -Wstrict-prototypes -Wno-unused-function -Wno-long-long -Wno-overlength-strings" saved_CFLAGS="$CFLAGS" -CFLAGS="$CFLAGS $warn_CFLAGS" +CFLAGS="$warn_CFLAGS $CFLAGS" AC_MSG_CHECKING([if ${CC} supports ${warn_CFLAGS}]) AC_COMPILE_IFELSE([AC_LANG_SOURCE([[char foo;]])], [ AC_MSG_RESULT([yes]) ], @@ -76,7 +78,7 @@ AC_COMPILE_IFELSE([AC_LANG_SOURCE([[char foo;]])], ]) saved_CFLAGS="$CFLAGS" -CFLAGS="$CFLAGS -fvisibility=hidden" +CFLAGS="-fvisibility=hidden $CFLAGS" AC_MSG_CHECKING([if ${CC} supports -fvisibility=hidden]) AC_COMPILE_IFELSE([AC_LANG_SOURCE([[char foo;]])], [ AC_MSG_RESULT([yes]) ], @@ -135,15 +137,10 @@ AC_ARG_ENABLE(module_recovery, [enable_module_recovery=no]) AC_ARG_ENABLE(external_default_callbacks, - AS_HELP_STRING([--enable-external-default-callbacks],[enable external default callback functions (default is no)]), + AS_HELP_STRING([--enable-external-default-callbacks],[enable external default callback functions [default=no]]), [use_external_default_callbacks=$enableval], [use_external_default_callbacks=no]) -AC_ARG_ENABLE(jni, - AS_HELP_STRING([--enable-jni],[enable librustsecp256k1_v0_1_1_jni [default=no]]), - [use_jni=$enableval], - [use_jni=no]) - AC_ARG_WITH([field], [AS_HELP_STRING([--with-field=64bit|32bit|auto], [finite field implementation to use [default=auto]])],[req_field=$withval], [req_field=auto]) @@ -165,14 +162,25 @@ AC_ARG_WITH([ecmult-window], [AS_HELP_STRING([--with-ecmult-window=SIZE|auto], )], [req_ecmult_window=$withval], [req_ecmult_window=auto]) +AC_ARG_WITH([ecmult-gen-precision], [AS_HELP_STRING([--with-ecmult-gen-precision=2|4|8|auto], +[Precision bits to tune the precomputed table size for signing.] +[The size of the table is 32kB for 2 bits, 64kB for 4 bits, 512kB for 8 bits of precision.] +[A larger table size usually results in possible faster signing.] +["auto" is a reasonable setting for desktop machines (currently 4). [default=auto]] +)], +[req_ecmult_gen_precision=$withval], [req_ecmult_gen_precision=auto]) + AC_CHECK_TYPES([__int128]) +AC_CHECK_HEADER([valgrind/memcheck.h], [enable_valgrind=yes], [enable_valgrind=no], []) +AM_CONDITIONAL([VALGRIND_ENABLED],[test "$enable_valgrind" = "yes"]) + if test x"$enable_coverage" = x"yes"; then AC_DEFINE(COVERAGE, 1, [Define this symbol to compile out all VERIFY code]) - CFLAGS="$CFLAGS -O0 --coverage" - LDFLAGS="$LDFLAGS --coverage" + CFLAGS="-O0 --coverage $CFLAGS" + LDFLAGS="--coverage $LDFLAGS" else - CFLAGS="$CFLAGS -O3" + CFLAGS="-O2 $CFLAGS" fi if test x"$use_ecmult_static_precomputation" != x"no"; then @@ -190,7 +198,7 @@ if test x"$use_ecmult_static_precomputation" != x"no"; then warn_CFLAGS_FOR_BUILD="-Wall -Wextra -Wno-unused-function" saved_CFLAGS="$CFLAGS" - CFLAGS="$CFLAGS $warn_CFLAGS_FOR_BUILD" + CFLAGS="$warn_CFLAGS_FOR_BUILD $CFLAGS" AC_MSG_CHECKING([if native ${CC_FOR_BUILD} supports ${warn_CFLAGS_FOR_BUILD}]) AC_COMPILE_IFELSE([AC_LANG_SOURCE([[char foo;]])], [ AC_MSG_RESULT([yes]) ], @@ -423,12 +431,28 @@ case $set_ecmult_window in ;; esac +#set ecmult gen precision +if test x"$req_ecmult_gen_precision" = x"auto"; then + set_ecmult_gen_precision=4 +else + set_ecmult_gen_precision=$req_ecmult_gen_precision +fi + +case $set_ecmult_gen_precision in +2|4|8) + AC_DEFINE_UNQUOTED(ECMULT_GEN_PREC_BITS, $set_ecmult_gen_precision, [Set ecmult gen precision bits]) + ;; +*) + AC_MSG_ERROR(['ecmult gen precision not 2, 4, 8 or "auto"']) + ;; +esac + if test x"$use_tests" = x"yes"; then SECP_OPENSSL_CHECK if test x"$has_openssl_ec" = x"yes"; then if test x"$enable_openssl_tests" != x"no"; then AC_DEFINE(ENABLE_OPENSSL_TESTS, 1, [Define this symbol if OpenSSL EC functions are available]) - SECP_TEST_INCLUDES="$SSL_CFLAGS $CRYPTO_CFLAGS" + SECP_TEST_INCLUDES="$SSL_CFLAGS $CRYPTO_CFLAGS $CRYPTO_CPPFLAGS" SECP_TEST_LIBS="$CRYPTO_LIBS" case $host in @@ -448,29 +472,6 @@ else fi fi -if test x"$use_jni" != x"no"; then - AX_JNI_INCLUDE_DIR - have_jni_dependencies=yes - if test x"$enable_module_ecdh" = x"no"; then - have_jni_dependencies=no - fi - if test "x$JNI_INCLUDE_DIRS" = "x"; then - have_jni_dependencies=no - fi - if test "x$have_jni_dependencies" = "xno"; then - if test x"$use_jni" = x"yes"; then - AC_MSG_ERROR([jni support explicitly requested but headers/dependencies were not found. Enable ECDH and try again.]) - fi - AC_MSG_WARN([jni headers/dependencies not found. jni support disabled]) - use_jni=no - else - use_jni=yes - for JNI_INCLUDE_DIR in $JNI_INCLUDE_DIRS; do - JNI_INCLUDES="$JNI_INCLUDES -I$JNI_INCLUDE_DIR" - done - fi -fi - if test x"$set_bignum" = x"gmp"; then SECP_LIBS="$SECP_LIBS $GMP_LIBS" SECP_INCLUDES="$SECP_INCLUDES $GMP_CPPFLAGS" @@ -519,7 +520,6 @@ fi AC_CONFIG_HEADERS([src/libsecp256k1-config.h]) AC_CONFIG_FILES([Makefile libsecp256k1.pc]) -AC_SUBST(JNI_INCLUDES) AC_SUBST(SECP_INCLUDES) AC_SUBST(SECP_LIBS) AC_SUBST(SECP_TEST_LIBS) @@ -531,7 +531,6 @@ AM_CONDITIONAL([USE_BENCHMARK], [test x"$use_benchmark" = x"yes"]) AM_CONDITIONAL([USE_ECMULT_STATIC_PRECOMPUTATION], [test x"$set_precomp" = x"yes"]) AM_CONDITIONAL([ENABLE_MODULE_ECDH], [test x"$enable_module_ecdh" = x"yes"]) AM_CONDITIONAL([ENABLE_MODULE_RECOVERY], [test x"$enable_module_recovery" = x"yes"]) -AM_CONDITIONAL([USE_JNI], [test x"$use_jni" = x"yes"]) AM_CONDITIONAL([USE_EXTERNAL_ASM], [test x"$use_external_asm" = x"yes"]) AM_CONDITIONAL([USE_ASM_ARM], [test x"$set_asm" = x"arm"]) @@ -547,7 +546,6 @@ echo "Build Options:" echo " with endomorphism = $use_endomorphism" echo " with ecmult precomp = $set_precomp" echo " with external callbacks = $use_external_default_callbacks" -echo " with jni = $use_jni" echo " with benchmarks = $use_benchmark" echo " with coverage = $enable_coverage" echo " module ecdh = $enable_module_ecdh" @@ -558,7 +556,9 @@ echo " bignum = $set_bignum" echo " field = $set_field" echo " scalar = $set_scalar" echo " ecmult window size = $set_ecmult_window" +echo " ecmult gen prec. bits = $set_ecmult_gen_precision" echo +echo " valgrind = $enable_valgrind" echo " CC = $CC" echo " CFLAGS = $CFLAGS" echo " CPPFLAGS = $CPPFLAGS" diff --git a/secp256k1-sys/depend/secp256k1/contrib/lax_der_parsing.c b/secp256k1-sys/depend/secp256k1/contrib/lax_der_parsing.c index 7cc772281..1ced2c398 100644 --- a/secp256k1-sys/depend/secp256k1/contrib/lax_der_parsing.c +++ b/secp256k1-sys/depend/secp256k1/contrib/lax_der_parsing.c @@ -9,7 +9,7 @@ #include "lax_der_parsing.h" -int rustsecp256k1_v0_1_1_ecdsa_signature_parse_der_lax(const rustsecp256k1_v0_1_1_context* ctx, rustsecp256k1_v0_1_1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) { +int rustsecp256k1_v0_1_2_ecdsa_signature_parse_der_lax(const rustsecp256k1_v0_1_2_context* ctx, rustsecp256k1_v0_1_2_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) { size_t rpos, rlen, spos, slen; size_t pos = 0; size_t lenbyte; @@ -17,7 +17,7 @@ int rustsecp256k1_v0_1_1_ecdsa_signature_parse_der_lax(const rustsecp256k1_v0_1_ int overflow = 0; /* Hack to initialize sig with a correctly-parsed but invalid signature. */ - rustsecp256k1_v0_1_1_ecdsa_signature_parse_compact(ctx, sig, tmpsig); + rustsecp256k1_v0_1_2_ecdsa_signature_parse_compact(ctx, sig, tmpsig); /* Sequence tag byte */ if (pos == inputlen || input[pos] != 0x30) { @@ -32,7 +32,7 @@ int rustsecp256k1_v0_1_1_ecdsa_signature_parse_der_lax(const rustsecp256k1_v0_1_ lenbyte = input[pos++]; if (lenbyte & 0x80) { lenbyte -= 0x80; - if (pos + lenbyte > inputlen) { + if (lenbyte > inputlen - pos) { return 0; } pos += lenbyte; @@ -51,7 +51,7 @@ int rustsecp256k1_v0_1_1_ecdsa_signature_parse_der_lax(const rustsecp256k1_v0_1_ lenbyte = input[pos++]; if (lenbyte & 0x80) { lenbyte -= 0x80; - if (pos + lenbyte > inputlen) { + if (lenbyte > inputlen - pos) { return 0; } while (lenbyte > 0 && input[pos] == 0) { @@ -89,7 +89,7 @@ int rustsecp256k1_v0_1_1_ecdsa_signature_parse_der_lax(const rustsecp256k1_v0_1_ lenbyte = input[pos++]; if (lenbyte & 0x80) { lenbyte -= 0x80; - if (pos + lenbyte > inputlen) { + if (lenbyte > inputlen - pos) { return 0; } while (lenbyte > 0 && input[pos] == 0) { @@ -139,11 +139,11 @@ int rustsecp256k1_v0_1_1_ecdsa_signature_parse_der_lax(const rustsecp256k1_v0_1_ } if (!overflow) { - overflow = !rustsecp256k1_v0_1_1_ecdsa_signature_parse_compact(ctx, sig, tmpsig); + overflow = !rustsecp256k1_v0_1_2_ecdsa_signature_parse_compact(ctx, sig, tmpsig); } if (overflow) { memset(tmpsig, 0, 64); - rustsecp256k1_v0_1_1_ecdsa_signature_parse_compact(ctx, sig, tmpsig); + rustsecp256k1_v0_1_2_ecdsa_signature_parse_compact(ctx, sig, tmpsig); } return 1; } diff --git a/secp256k1-sys/depend/secp256k1/contrib/lax_der_parsing.h b/secp256k1-sys/depend/secp256k1/contrib/lax_der_parsing.h index 01babd91d..a991436ea 100644 --- a/secp256k1-sys/depend/secp256k1/contrib/lax_der_parsing.h +++ b/secp256k1-sys/depend/secp256k1/contrib/lax_der_parsing.h @@ -26,8 +26,8 @@ * certain violations are easily supported. You may need to adapt it. * * Do not use this for new systems. Use well-defined DER or compact signatures - * instead if you have the choice (see rustsecp256k1_v0_1_1_ecdsa_signature_parse_der and - * rustsecp256k1_v0_1_1_ecdsa_signature_parse_compact). + * instead if you have the choice (see rustsecp256k1_v0_1_2_ecdsa_signature_parse_der and + * rustsecp256k1_v0_1_2_ecdsa_signature_parse_compact). * * The supported violations are: * - All numbers are parsed as nonnegative integers, even though X.609-0207 @@ -77,9 +77,9 @@ extern "C" { * encoded numbers are out of range, signature validation with it is * guaranteed to fail for every message and public key. */ -int rustsecp256k1_v0_1_1_ecdsa_signature_parse_der_lax( - const rustsecp256k1_v0_1_1_context* ctx, - rustsecp256k1_v0_1_1_ecdsa_signature* sig, +int rustsecp256k1_v0_1_2_ecdsa_signature_parse_der_lax( + const rustsecp256k1_v0_1_2_context* ctx, + rustsecp256k1_v0_1_2_ecdsa_signature* sig, const unsigned char *input, size_t inputlen ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); diff --git a/secp256k1-sys/depend/secp256k1/contrib/lax_der_privatekey_parsing.c b/secp256k1-sys/depend/secp256k1/contrib/lax_der_privatekey_parsing.c index ab0d5cf46..3d06bbe03 100644 --- a/secp256k1-sys/depend/secp256k1/contrib/lax_der_privatekey_parsing.c +++ b/secp256k1-sys/depend/secp256k1/contrib/lax_der_privatekey_parsing.c @@ -9,7 +9,7 @@ #include "lax_der_privatekey_parsing.h" -int ec_privkey_import_der(const rustsecp256k1_v0_1_1_context* ctx, unsigned char *out32, const unsigned char *privkey, size_t privkeylen) { +int ec_privkey_import_der(const rustsecp256k1_v0_1_2_context* ctx, unsigned char *out32, const unsigned char *privkey, size_t privkeylen) { const unsigned char *end = privkey + privkeylen; int lenb = 0; int len = 0; @@ -46,17 +46,17 @@ int ec_privkey_import_der(const rustsecp256k1_v0_1_1_context* ctx, unsigned char return 0; } memcpy(out32 + 32 - privkey[1], privkey + 2, privkey[1]); - if (!rustsecp256k1_v0_1_1_ec_seckey_verify(ctx, out32)) { + if (!rustsecp256k1_v0_1_2_ec_seckey_verify(ctx, out32)) { memset(out32, 0, 32); return 0; } return 1; } -int ec_privkey_export_der(const rustsecp256k1_v0_1_1_context *ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *key32, int compressed) { - rustsecp256k1_v0_1_1_pubkey pubkey; +int ec_privkey_export_der(const rustsecp256k1_v0_1_2_context *ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *key32, int compressed) { + rustsecp256k1_v0_1_2_pubkey pubkey; size_t pubkeylen = 0; - if (!rustsecp256k1_v0_1_1_ec_pubkey_create(ctx, &pubkey, key32)) { + if (!rustsecp256k1_v0_1_2_ec_pubkey_create(ctx, &pubkey, key32)) { *privkeylen = 0; return 0; } @@ -80,7 +80,7 @@ int ec_privkey_export_der(const rustsecp256k1_v0_1_1_context *ctx, unsigned char memcpy(ptr, key32, 32); ptr += 32; memcpy(ptr, middle, sizeof(middle)); ptr += sizeof(middle); pubkeylen = 33; - rustsecp256k1_v0_1_1_ec_pubkey_serialize(ctx, ptr, &pubkeylen, &pubkey, SECP256K1_EC_COMPRESSED); + rustsecp256k1_v0_1_2_ec_pubkey_serialize(ctx, ptr, &pubkeylen, &pubkey, SECP256K1_EC_COMPRESSED); ptr += pubkeylen; *privkeylen = ptr - privkey; } else { @@ -105,7 +105,7 @@ int ec_privkey_export_der(const rustsecp256k1_v0_1_1_context *ctx, unsigned char memcpy(ptr, key32, 32); ptr += 32; memcpy(ptr, middle, sizeof(middle)); ptr += sizeof(middle); pubkeylen = 65; - rustsecp256k1_v0_1_1_ec_pubkey_serialize(ctx, ptr, &pubkeylen, &pubkey, SECP256K1_EC_UNCOMPRESSED); + rustsecp256k1_v0_1_2_ec_pubkey_serialize(ctx, ptr, &pubkeylen, &pubkey, SECP256K1_EC_UNCOMPRESSED); ptr += pubkeylen; *privkeylen = ptr - privkey; } diff --git a/secp256k1-sys/depend/secp256k1/contrib/lax_der_privatekey_parsing.h b/secp256k1-sys/depend/secp256k1/contrib/lax_der_privatekey_parsing.h index 6a4a30d97..010714389 100644 --- a/secp256k1-sys/depend/secp256k1/contrib/lax_der_privatekey_parsing.h +++ b/secp256k1-sys/depend/secp256k1/contrib/lax_der_privatekey_parsing.h @@ -52,10 +52,10 @@ extern "C" { * simple 32-byte private keys are sufficient. * * Note that this function does not guarantee correct DER output. It is - * guaranteed to be parsable by rustsecp256k1_v0_1_1_ec_privkey_import_der + * guaranteed to be parsable by rustsecp256k1_v0_1_2_ec_privkey_import_der */ SECP256K1_WARN_UNUSED_RESULT int ec_privkey_export_der( - const rustsecp256k1_v0_1_1_context* ctx, + const rustsecp256k1_v0_1_2_context* ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *seckey, @@ -77,7 +77,7 @@ SECP256K1_WARN_UNUSED_RESULT int ec_privkey_export_der( * key. */ SECP256K1_WARN_UNUSED_RESULT int ec_privkey_import_der( - const rustsecp256k1_v0_1_1_context* ctx, + const rustsecp256k1_v0_1_2_context* ctx, unsigned char *seckey, const unsigned char *privkey, size_t privkeylen diff --git a/secp256k1-sys/depend/secp256k1/include/secp256k1.h b/secp256k1-sys/depend/secp256k1/include/secp256k1.h index df7f7fa2e..4bf26484e 100644 --- a/secp256k1-sys/depend/secp256k1/include/secp256k1.h +++ b/secp256k1-sys/depend/secp256k1/include/secp256k1.h @@ -14,7 +14,7 @@ extern "C" { * 2. Array lengths always immediately the follow the argument whose length * they describe, even if this violates rule 1. * 3. Within the OUT/OUTIN/IN groups, pointers to data that is typically generated - * later go first. This means: signatures, public nonces, private nonces, + * later go first. This means: signatures, public nonces, secret nonces, * messages, public keys, secret keys, tweaks. * 4. Arguments that are not data pointers go last, from more complex to less * complex: function pointers, algorithm names, messages, void pointers, @@ -35,13 +35,13 @@ extern "C" { * A constructed context can safely be used from multiple threads * simultaneously, but API calls that take a non-const pointer to a context * need exclusive access to it. In particular this is the case for - * rustsecp256k1_v0_1_1_context_destroy, rustsecp256k1_v0_1_1_context_preallocated_destroy, - * and rustsecp256k1_v0_1_1_context_randomize. + * rustsecp256k1_v0_1_2_context_destroy, rustsecp256k1_v0_1_2_context_preallocated_destroy, + * and rustsecp256k1_v0_1_2_context_randomize. * * Regarding randomization, either do it once at creation time (in which case * you do not need any locking for the other calls), or use a read-write lock. */ -typedef struct rustsecp256k1_v0_1_1_context_struct rustsecp256k1_v0_1_1_context; +typedef struct rustsecp256k1_v0_1_2_context_struct rustsecp256k1_v0_1_2_context; /** Opaque data structure that holds rewriteable "scratch space" * @@ -54,7 +54,7 @@ typedef struct rustsecp256k1_v0_1_1_context_struct rustsecp256k1_v0_1_1_context; * Unlike the context object, this cannot safely be shared between threads * without additional synchronization logic. */ -typedef struct rustsecp256k1_v0_1_1_scratch_space_struct rustsecp256k1_v0_1_1_scratch_space; +typedef struct rustsecp256k1_v0_1_2_scratch_space_struct rustsecp256k1_v0_1_2_scratch_space; /** Opaque data structure that holds a parsed and valid public key. * @@ -62,11 +62,11 @@ typedef struct rustsecp256k1_v0_1_1_scratch_space_struct rustsecp256k1_v0_1_1_sc * guaranteed to be portable between different platforms or versions. It is * however guaranteed to be 64 bytes in size, and can be safely copied/moved. * If you need to convert to a format suitable for storage, transmission, or - * comparison, use rustsecp256k1_v0_1_1_ec_pubkey_serialize and rustsecp256k1_v0_1_1_ec_pubkey_parse. + * comparison, use rustsecp256k1_v0_1_2_ec_pubkey_serialize and rustsecp256k1_v0_1_2_ec_pubkey_parse. */ typedef struct { unsigned char data[64]; -} rustsecp256k1_v0_1_1_pubkey; +} rustsecp256k1_v0_1_2_pubkey; /** Opaque data structured that holds a parsed ECDSA signature. * @@ -74,12 +74,12 @@ typedef struct { * guaranteed to be portable between different platforms or versions. It is * however guaranteed to be 64 bytes in size, and can be safely copied/moved. * If you need to convert to a format suitable for storage, transmission, or - * comparison, use the rustsecp256k1_v0_1_1_ecdsa_signature_serialize_* and - * rustsecp256k1_v0_1_1_ecdsa_signature_parse_* functions. + * comparison, use the rustsecp256k1_v0_1_2_ecdsa_signature_serialize_* and + * rustsecp256k1_v0_1_2_ecdsa_signature_parse_* functions. */ typedef struct { unsigned char data[64]; -} rustsecp256k1_v0_1_1_ecdsa_signature; +} rustsecp256k1_v0_1_2_ecdsa_signature; /** A pointer to a function to deterministically generate a nonce. * @@ -97,7 +97,7 @@ typedef struct { * Except for test cases, this function should compute some cryptographic hash of * the message, the algorithm, the key and the attempt. */ -typedef int (*rustsecp256k1_v0_1_1_nonce_function)( +typedef int (*rustsecp256k1_v0_1_2_nonce_function)( unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, @@ -162,15 +162,17 @@ typedef int (*rustsecp256k1_v0_1_1_nonce_function)( /** The higher bits contain the actual data. Do not use directly. */ #define SECP256K1_FLAGS_BIT_CONTEXT_VERIFY (1 << 8) #define SECP256K1_FLAGS_BIT_CONTEXT_SIGN (1 << 9) +#define SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY (1 << 10) #define SECP256K1_FLAGS_BIT_COMPRESSION (1 << 8) -/** Flags to pass to rustsecp256k1_v0_1_1_context_create, rustsecp256k1_v0_1_1_context_preallocated_size, and - * rustsecp256k1_v0_1_1_context_preallocated_create. */ +/** Flags to pass to rustsecp256k1_v0_1_2_context_create, rustsecp256k1_v0_1_2_context_preallocated_size, and + * rustsecp256k1_v0_1_2_context_preallocated_create. */ #define SECP256K1_CONTEXT_VERIFY (SECP256K1_FLAGS_TYPE_CONTEXT | SECP256K1_FLAGS_BIT_CONTEXT_VERIFY) #define SECP256K1_CONTEXT_SIGN (SECP256K1_FLAGS_TYPE_CONTEXT | SECP256K1_FLAGS_BIT_CONTEXT_SIGN) +#define SECP256K1_CONTEXT_DECLASSIFY (SECP256K1_FLAGS_TYPE_CONTEXT | SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY) #define SECP256K1_CONTEXT_NONE (SECP256K1_FLAGS_TYPE_CONTEXT) -/** Flag to pass to rustsecp256k1_v0_1_1_ec_pubkey_serialize and rustsecp256k1_v0_1_1_ec_privkey_export. */ +/** Flag to pass to rustsecp256k1_v0_1_2_ec_pubkey_serialize. */ #define SECP256K1_EC_COMPRESSED (SECP256K1_FLAGS_TYPE_COMPRESSION | SECP256K1_FLAGS_BIT_COMPRESSION) #define SECP256K1_EC_UNCOMPRESSED (SECP256K1_FLAGS_TYPE_COMPRESSION) @@ -186,25 +188,25 @@ typedef int (*rustsecp256k1_v0_1_1_nonce_function)( * API consistency, but currently do not require expensive precomputations or dynamic * allocations. */ -SECP256K1_API extern const rustsecp256k1_v0_1_1_context *rustsecp256k1_v0_1_1_context_no_precomp; +SECP256K1_API extern const rustsecp256k1_v0_1_2_context *rustsecp256k1_v0_1_2_context_no_precomp; /** Create a secp256k1 context object (in dynamically allocated memory). * * This function uses malloc to allocate memory. It is guaranteed that malloc is * called at most once for every call of this function. If you need to avoid dynamic - * memory allocation entirely, see the functions in rustsecp256k1_v0_1_1_preallocated.h. + * memory allocation entirely, see the functions in rustsecp256k1_v0_1_2_preallocated.h. * * Returns: a newly created context object. * In: flags: which parts of the context to initialize. * - * See also rustsecp256k1_v0_1_1_context_randomize. + * See also rustsecp256k1_v0_1_2_context_randomize. */ /** Copy a secp256k1 context object (into dynamically allocated memory). * * This function uses malloc to allocate memory. It is guaranteed that malloc is * called at most once for every call of this function. If you need to avoid dynamic - * memory allocation entirely, see the functions in rustsecp256k1_v0_1_1_preallocated.h. + * memory allocation entirely, see the functions in rustsecp256k1_v0_1_2_preallocated.h. * * Returns: a newly created context object. * Args: ctx: an existing context to copy (cannot be NULL) @@ -214,14 +216,14 @@ SECP256K1_API extern const rustsecp256k1_v0_1_1_context *rustsecp256k1_v0_1_1_co * * The context pointer may not be used afterwards. * - * The context to destroy must have been created using rustsecp256k1_v0_1_1_context_create - * or rustsecp256k1_v0_1_1_context_clone. If the context has instead been created using - * rustsecp256k1_v0_1_1_context_preallocated_create or rustsecp256k1_v0_1_1_context_preallocated_clone, the - * behaviour is undefined. In that case, rustsecp256k1_v0_1_1_context_preallocated_destroy must + * The context to destroy must have been created using rustsecp256k1_v0_1_2_context_create + * or rustsecp256k1_v0_1_2_context_clone. If the context has instead been created using + * rustsecp256k1_v0_1_2_context_preallocated_create or rustsecp256k1_v0_1_2_context_preallocated_clone, the + * behaviour is undefined. In that case, rustsecp256k1_v0_1_2_context_preallocated_destroy must * be used instead. * * Args: ctx: an existing context to destroy, constructed using - * rustsecp256k1_v0_1_1_context_create or rustsecp256k1_v0_1_1_context_clone + * rustsecp256k1_v0_1_2_context_create or rustsecp256k1_v0_1_2_context_clone */ /** Set a callback function to be called when an illegal argument is passed to @@ -245,11 +247,11 @@ SECP256K1_API extern const rustsecp256k1_v0_1_1_context *rustsecp256k1_v0_1_1_co * USE_EXTERNAL_DEFAULT_CALLBACKS is defined, which is the case if the build * has been configured with --enable-external-default-callbacks. Then the * following two symbols must be provided to link against: - * - void rustsecp256k1_v0_1_1_default_illegal_callback_fn(const char* message, void* data); - * - void rustsecp256k1_v0_1_1_default_error_callback_fn(const char* message, void* data); + * - void rustsecp256k1_v0_1_2_default_illegal_callback_fn(const char* message, void* data); + * - void rustsecp256k1_v0_1_2_default_error_callback_fn(const char* message, void* data); * The library can call these default handlers even before a proper callback data - * pointer could have been set using rustsecp256k1_v0_1_1_context_set_illegal_callback or - * rustsecp256k1_v0_1_1_context_set_illegal_callback, e.g., when the creation of a context + * pointer could have been set using rustsecp256k1_v0_1_2_context_set_illegal_callback or + * rustsecp256k1_v0_1_2_context_set_error_callback, e.g., when the creation of a context * fails. In this case, the corresponding default handler will be called with * the data pointer argument set to NULL. * @@ -259,10 +261,10 @@ SECP256K1_API extern const rustsecp256k1_v0_1_1_context *rustsecp256k1_v0_1_1_co * (NULL restores the default handler.) * data: the opaque pointer to pass to fun above. * - * See also rustsecp256k1_v0_1_1_context_set_error_callback. + * See also rustsecp256k1_v0_1_2_context_set_error_callback. */ -SECP256K1_API void rustsecp256k1_v0_1_1_context_set_illegal_callback( - rustsecp256k1_v0_1_1_context* ctx, +SECP256K1_API void rustsecp256k1_v0_1_2_context_set_illegal_callback( + rustsecp256k1_v0_1_2_context* ctx, void (*fun)(const char* message, void* data), const void* data ) SECP256K1_ARG_NONNULL(1); @@ -273,21 +275,21 @@ SECP256K1_API void rustsecp256k1_v0_1_1_context_set_illegal_callback( * This can only trigger in case of a hardware failure, miscompilation, * memory corruption, serious bug in the library, or other error would can * otherwise result in undefined behaviour. It will not trigger due to mere - * incorrect usage of the API (see rustsecp256k1_v0_1_1_context_set_illegal_callback + * incorrect usage of the API (see rustsecp256k1_v0_1_2_context_set_illegal_callback * for that). After this callback returns, anything may happen, including * crashing. * * Args: ctx: an existing context object (cannot be NULL) * In: fun: a pointer to a function to call when an internal error occurs, * taking a message and an opaque pointer (NULL restores the - * default handler, see rustsecp256k1_v0_1_1_context_set_illegal_callback + * default handler, see rustsecp256k1_v0_1_2_context_set_illegal_callback * for details). * data: the opaque pointer to pass to fun above. * - * See also rustsecp256k1_v0_1_1_context_set_illegal_callback. + * See also rustsecp256k1_v0_1_2_context_set_illegal_callback. */ -SECP256K1_API void rustsecp256k1_v0_1_1_context_set_error_callback( - rustsecp256k1_v0_1_1_context* ctx, +SECP256K1_API void rustsecp256k1_v0_1_2_context_set_error_callback( + rustsecp256k1_v0_1_2_context* ctx, void (*fun)(const char* message, void* data), const void* data ) SECP256K1_ARG_NONNULL(1); @@ -321,9 +323,9 @@ SECP256K1_API void rustsecp256k1_v0_1_1_context_set_error_callback( * 0x03), uncompressed (65 bytes, header byte 0x04), or hybrid (65 bytes, header * byte 0x06 or 0x07) format public keys. */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_1_ec_pubkey_parse( - const rustsecp256k1_v0_1_1_context* ctx, - rustsecp256k1_v0_1_1_pubkey* pubkey, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_ec_pubkey_parse( + const rustsecp256k1_v0_1_2_context* ctx, + rustsecp256k1_v0_1_2_pubkey* pubkey, const unsigned char *input, size_t inputlen ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -338,16 +340,16 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_1_ec_pubkey_pa * In/Out: outputlen: a pointer to an integer which is initially set to the * size of output, and is overwritten with the written * size. - * In: pubkey: a pointer to a rustsecp256k1_v0_1_1_pubkey containing an + * In: pubkey: a pointer to a rustsecp256k1_v0_1_2_pubkey containing an * initialized public key. * flags: SECP256K1_EC_COMPRESSED if serialization should be in * compressed format, otherwise SECP256K1_EC_UNCOMPRESSED. */ -SECP256K1_API int rustsecp256k1_v0_1_1_ec_pubkey_serialize( - const rustsecp256k1_v0_1_1_context* ctx, +SECP256K1_API int rustsecp256k1_v0_1_2_ec_pubkey_serialize( + const rustsecp256k1_v0_1_2_context* ctx, unsigned char *output, size_t *outputlen, - const rustsecp256k1_v0_1_1_pubkey* pubkey, + const rustsecp256k1_v0_1_2_pubkey* pubkey, unsigned int flags ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); @@ -366,9 +368,9 @@ SECP256K1_API int rustsecp256k1_v0_1_1_ec_pubkey_serialize( * S are zero, the resulting sig value is guaranteed to fail validation for any * message and public key. */ -SECP256K1_API int rustsecp256k1_v0_1_1_ecdsa_signature_parse_compact( - const rustsecp256k1_v0_1_1_context* ctx, - rustsecp256k1_v0_1_1_ecdsa_signature* sig, +SECP256K1_API int rustsecp256k1_v0_1_2_ecdsa_signature_parse_compact( + const rustsecp256k1_v0_1_2_context* ctx, + rustsecp256k1_v0_1_2_ecdsa_signature* sig, const unsigned char *input64 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -387,9 +389,9 @@ SECP256K1_API int rustsecp256k1_v0_1_1_ecdsa_signature_parse_compact( * encoded numbers are out of range, signature validation with it is * guaranteed to fail for every message and public key. */ -SECP256K1_API int rustsecp256k1_v0_1_1_ecdsa_signature_parse_der( - const rustsecp256k1_v0_1_1_context* ctx, - rustsecp256k1_v0_1_1_ecdsa_signature* sig, +SECP256K1_API int rustsecp256k1_v0_1_2_ecdsa_signature_parse_der( + const rustsecp256k1_v0_1_2_context* ctx, + rustsecp256k1_v0_1_2_ecdsa_signature* sig, const unsigned char *input, size_t inputlen ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -405,11 +407,11 @@ SECP256K1_API int rustsecp256k1_v0_1_1_ecdsa_signature_parse_der( * if 0 was returned). * In: sig: a pointer to an initialized signature object */ -SECP256K1_API int rustsecp256k1_v0_1_1_ecdsa_signature_serialize_der( - const rustsecp256k1_v0_1_1_context* ctx, +SECP256K1_API int rustsecp256k1_v0_1_2_ecdsa_signature_serialize_der( + const rustsecp256k1_v0_1_2_context* ctx, unsigned char *output, size_t *outputlen, - const rustsecp256k1_v0_1_1_ecdsa_signature* sig + const rustsecp256k1_v0_1_2_ecdsa_signature* sig ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); /** Serialize an ECDSA signature in compact (64 byte) format. @@ -419,12 +421,12 @@ SECP256K1_API int rustsecp256k1_v0_1_1_ecdsa_signature_serialize_der( * Out: output64: a pointer to a 64-byte array to store the compact serialization * In: sig: a pointer to an initialized signature object * - * See rustsecp256k1_v0_1_1_ecdsa_signature_parse_compact for details about the encoding. + * See rustsecp256k1_v0_1_2_ecdsa_signature_parse_compact for details about the encoding. */ -SECP256K1_API int rustsecp256k1_v0_1_1_ecdsa_signature_serialize_compact( - const rustsecp256k1_v0_1_1_context* ctx, +SECP256K1_API int rustsecp256k1_v0_1_2_ecdsa_signature_serialize_compact( + const rustsecp256k1_v0_1_2_context* ctx, unsigned char *output64, - const rustsecp256k1_v0_1_1_ecdsa_signature* sig + const rustsecp256k1_v0_1_2_ecdsa_signature* sig ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); /** Verify an ECDSA signature. @@ -440,16 +442,16 @@ SECP256K1_API int rustsecp256k1_v0_1_1_ecdsa_signature_serialize_compact( * form are accepted. * * If you need to accept ECDSA signatures from sources that do not obey this - * rule, apply rustsecp256k1_v0_1_1_ecdsa_signature_normalize to the signature prior to + * rule, apply rustsecp256k1_v0_1_2_ecdsa_signature_normalize to the signature prior to * validation, but be aware that doing so results in malleable signatures. * * For details, see the comments for that function. */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_1_ecdsa_verify( - const rustsecp256k1_v0_1_1_context* ctx, - const rustsecp256k1_v0_1_1_ecdsa_signature *sig, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_ecdsa_verify( + const rustsecp256k1_v0_1_2_context* ctx, + const rustsecp256k1_v0_1_2_ecdsa_signature *sig, const unsigned char *msg32, - const rustsecp256k1_v0_1_1_pubkey *pubkey + const rustsecp256k1_v0_1_2_pubkey *pubkey ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); /** Convert a signature to a normalized lower-S form. @@ -489,58 +491,63 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_1_ecdsa_verify * accept various non-unique encodings, so care should be taken when this * property is required for an application. * - * The rustsecp256k1_v0_1_1_ecdsa_sign function will by default create signatures in the - * lower-S form, and rustsecp256k1_v0_1_1_ecdsa_verify will not accept others. In case + * The rustsecp256k1_v0_1_2_ecdsa_sign function will by default create signatures in the + * lower-S form, and rustsecp256k1_v0_1_2_ecdsa_verify will not accept others. In case * signatures come from a system that cannot enforce this property, - * rustsecp256k1_v0_1_1_ecdsa_signature_normalize must be called before verification. + * rustsecp256k1_v0_1_2_ecdsa_signature_normalize must be called before verification. */ -SECP256K1_API int rustsecp256k1_v0_1_1_ecdsa_signature_normalize( - const rustsecp256k1_v0_1_1_context* ctx, - rustsecp256k1_v0_1_1_ecdsa_signature *sigout, - const rustsecp256k1_v0_1_1_ecdsa_signature *sigin +SECP256K1_API int rustsecp256k1_v0_1_2_ecdsa_signature_normalize( + const rustsecp256k1_v0_1_2_context* ctx, + rustsecp256k1_v0_1_2_ecdsa_signature *sigout, + const rustsecp256k1_v0_1_2_ecdsa_signature *sigin ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3); /** An implementation of RFC6979 (using HMAC-SHA256) as nonce generation function. * If a data pointer is passed, it is assumed to be a pointer to 32 bytes of * extra entropy. */ -SECP256K1_API extern const rustsecp256k1_v0_1_1_nonce_function rustsecp256k1_v0_1_1_nonce_function_rfc6979; +SECP256K1_API extern const rustsecp256k1_v0_1_2_nonce_function rustsecp256k1_v0_1_2_nonce_function_rfc6979; -/** A default safe nonce generation function (currently equal to rustsecp256k1_v0_1_1_nonce_function_rfc6979). */ -SECP256K1_API extern const rustsecp256k1_v0_1_1_nonce_function rustsecp256k1_v0_1_1_nonce_function_default; +/** A default safe nonce generation function (currently equal to rustsecp256k1_v0_1_2_nonce_function_rfc6979). */ +SECP256K1_API extern const rustsecp256k1_v0_1_2_nonce_function rustsecp256k1_v0_1_2_nonce_function_default; /** Create an ECDSA signature. * * Returns: 1: signature created - * 0: the nonce generation function failed, or the private key was invalid. + * 0: the nonce generation function failed, or the secret key was invalid. * Args: ctx: pointer to a context object, initialized for signing (cannot be NULL) * Out: sig: pointer to an array where the signature will be placed (cannot be NULL) * In: msg32: the 32-byte message hash being signed (cannot be NULL) * seckey: pointer to a 32-byte secret key (cannot be NULL) - * noncefp:pointer to a nonce generation function. If NULL, rustsecp256k1_v0_1_1_nonce_function_default is used + * noncefp:pointer to a nonce generation function. If NULL, rustsecp256k1_v0_1_2_nonce_function_default is used * ndata: pointer to arbitrary data used by the nonce generation function (can be NULL) * * The created signature is always in lower-S form. See - * rustsecp256k1_v0_1_1_ecdsa_signature_normalize for more details. + * rustsecp256k1_v0_1_2_ecdsa_signature_normalize for more details. */ -SECP256K1_API int rustsecp256k1_v0_1_1_ecdsa_sign( - const rustsecp256k1_v0_1_1_context* ctx, - rustsecp256k1_v0_1_1_ecdsa_signature *sig, +SECP256K1_API int rustsecp256k1_v0_1_2_ecdsa_sign( + const rustsecp256k1_v0_1_2_context* ctx, + rustsecp256k1_v0_1_2_ecdsa_signature *sig, const unsigned char *msg32, const unsigned char *seckey, - rustsecp256k1_v0_1_1_nonce_function noncefp, + rustsecp256k1_v0_1_2_nonce_function noncefp, const void *ndata ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); /** Verify an ECDSA secret key. + * + * A secret key is valid if it is not 0 and less than the secp256k1 curve order + * when interpreted as an integer (most significant byte first). The + * probability of choosing a 32-byte string uniformly at random which is an + * invalid secret key is negligible. * * Returns: 1: secret key is valid * 0: secret key is invalid * Args: ctx: pointer to a context object (cannot be NULL) * In: seckey: pointer to a 32-byte secret key (cannot be NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_1_ec_seckey_verify( - const rustsecp256k1_v0_1_1_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_ec_seckey_verify( + const rustsecp256k1_v0_1_2_context* ctx, const unsigned char *seckey ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2); @@ -550,22 +557,34 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_1_ec_seckey_ve * 0: secret was invalid, try again * Args: ctx: pointer to a context object, initialized for signing (cannot be NULL) * Out: pubkey: pointer to the created public key (cannot be NULL) - * In: seckey: pointer to a 32-byte private key (cannot be NULL) + * In: seckey: pointer to a 32-byte secret key (cannot be NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_1_ec_pubkey_create( - const rustsecp256k1_v0_1_1_context* ctx, - rustsecp256k1_v0_1_1_pubkey *pubkey, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_ec_pubkey_create( + const rustsecp256k1_v0_1_2_context* ctx, + rustsecp256k1_v0_1_2_pubkey *pubkey, const unsigned char *seckey ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); -/** Negates a private key in place. +/** Negates a secret key in place. * - * Returns: 1 always - * Args: ctx: pointer to a context object - * In/Out: seckey: pointer to the 32-byte private key to be negated (cannot be NULL) + * Returns: 0 if the given secret key is invalid according to + * rustsecp256k1_v0_1_2_ec_seckey_verify. 1 otherwise + * Args: ctx: pointer to a context object + * In/Out: seckey: pointer to the 32-byte secret key to be negated. If the + * secret key is invalid according to + * rustsecp256k1_v0_1_2_ec_seckey_verify, this function returns 0 and + * seckey will be set to some unspecified value. (cannot be + * NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_1_ec_privkey_negate( - const rustsecp256k1_v0_1_1_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_ec_seckey_negate( + const rustsecp256k1_v0_1_2_context* ctx, + unsigned char *seckey +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2); + +/** Same as rustsecp256k1_v0_1_2_ec_seckey_negate, but DEPRECATED. Will be removed in + * future versions. */ +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_ec_privkey_negate( + const rustsecp256k1_v0_1_2_context* ctx, unsigned char *seckey ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2); @@ -575,66 +594,102 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_1_ec_privkey_n * Args: ctx: pointer to a context object * In/Out: pubkey: pointer to the public key to be negated (cannot be NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_1_ec_pubkey_negate( - const rustsecp256k1_v0_1_1_context* ctx, - rustsecp256k1_v0_1_1_pubkey *pubkey +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_ec_pubkey_negate( + const rustsecp256k1_v0_1_2_context* ctx, + rustsecp256k1_v0_1_2_pubkey *pubkey ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2); -/** Tweak a private key by adding tweak to it. - * Returns: 0 if the tweak was out of range (chance of around 1 in 2^128 for - * uniformly random 32-byte arrays, or if the resulting private key - * would be invalid (only when the tweak is the complement of the - * private key). 1 otherwise. - * Args: ctx: pointer to a context object (cannot be NULL). - * In/Out: seckey: pointer to a 32-byte private key. - * In: tweak: pointer to a 32-byte tweak. - */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_1_ec_privkey_tweak_add( - const rustsecp256k1_v0_1_1_context* ctx, +/** Tweak a secret key by adding tweak to it. + * + * Returns: 0 if the arguments are invalid or the resulting secret key would be + * invalid (only when the tweak is the negation of the secret key). 1 + * otherwise. + * Args: ctx: pointer to a context object (cannot be NULL). + * In/Out: seckey: pointer to a 32-byte secret key. If the secret key is + * invalid according to rustsecp256k1_v0_1_2_ec_seckey_verify, this + * function returns 0. seckey will be set to some unspecified + * value if this function returns 0. (cannot be NULL) + * In: tweak: pointer to a 32-byte tweak. If the tweak is invalid according to + * rustsecp256k1_v0_1_2_ec_seckey_verify, this function returns 0. For + * uniformly random 32-byte arrays the chance of being invalid + * is negligible (around 1 in 2^128) (cannot be NULL). + */ +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_ec_seckey_tweak_add( + const rustsecp256k1_v0_1_2_context* ctx, + unsigned char *seckey, + const unsigned char *tweak +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); + +/** Same as rustsecp256k1_v0_1_2_ec_seckey_tweak_add, but DEPRECATED. Will be removed in + * future versions. */ +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_ec_privkey_tweak_add( + const rustsecp256k1_v0_1_2_context* ctx, unsigned char *seckey, const unsigned char *tweak ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); /** Tweak a public key by adding tweak times the generator to it. - * Returns: 0 if the tweak was out of range (chance of around 1 in 2^128 for - * uniformly random 32-byte arrays, or if the resulting public key - * would be invalid (only when the tweak is the complement of the - * corresponding private key). 1 otherwise. - * Args: ctx: pointer to a context object initialized for validation + * + * Returns: 0 if the arguments are invalid or the resulting public key would be + * invalid (only when the tweak is the negation of the corresponding + * secret key). 1 otherwise. + * Args: ctx: pointer to a context object initialized for validation * (cannot be NULL). - * In/Out: pubkey: pointer to a public key object. - * In: tweak: pointer to a 32-byte tweak. - */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_1_ec_pubkey_tweak_add( - const rustsecp256k1_v0_1_1_context* ctx, - rustsecp256k1_v0_1_1_pubkey *pubkey, + * In/Out: pubkey: pointer to a public key object. pubkey will be set to an + * invalid value if this function returns 0 (cannot be NULL). + * In: tweak: pointer to a 32-byte tweak. If the tweak is invalid according to + * rustsecp256k1_v0_1_2_ec_seckey_verify, this function returns 0. For + * uniformly random 32-byte arrays the chance of being invalid + * is negligible (around 1 in 2^128) (cannot be NULL). + */ +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_ec_pubkey_tweak_add( + const rustsecp256k1_v0_1_2_context* ctx, + rustsecp256k1_v0_1_2_pubkey *pubkey, const unsigned char *tweak ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); -/** Tweak a private key by multiplying it by a tweak. - * Returns: 0 if the tweak was out of range (chance of around 1 in 2^128 for - * uniformly random 32-byte arrays, or equal to zero. 1 otherwise. - * Args: ctx: pointer to a context object (cannot be NULL). - * In/Out: seckey: pointer to a 32-byte private key. - * In: tweak: pointer to a 32-byte tweak. - */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_1_ec_privkey_tweak_mul( - const rustsecp256k1_v0_1_1_context* ctx, +/** Tweak a secret key by multiplying it by a tweak. + * + * Returns: 0 if the arguments are invalid. 1 otherwise. + * Args: ctx: pointer to a context object (cannot be NULL). + * In/Out: seckey: pointer to a 32-byte secret key. If the secret key is + * invalid according to rustsecp256k1_v0_1_2_ec_seckey_verify, this + * function returns 0. seckey will be set to some unspecified + * value if this function returns 0. (cannot be NULL) + * In: tweak: pointer to a 32-byte tweak. If the tweak is invalid according to + * rustsecp256k1_v0_1_2_ec_seckey_verify, this function returns 0. For + * uniformly random 32-byte arrays the chance of being invalid + * is negligible (around 1 in 2^128) (cannot be NULL). + */ +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_ec_seckey_tweak_mul( + const rustsecp256k1_v0_1_2_context* ctx, + unsigned char *seckey, + const unsigned char *tweak +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); + +/** Same as rustsecp256k1_v0_1_2_ec_seckey_tweak_mul, but DEPRECATED. Will be removed in + * future versions. */ +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_ec_privkey_tweak_mul( + const rustsecp256k1_v0_1_2_context* ctx, unsigned char *seckey, const unsigned char *tweak ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); /** Tweak a public key by multiplying it by a tweak value. - * Returns: 0 if the tweak was out of range (chance of around 1 in 2^128 for - * uniformly random 32-byte arrays, or equal to zero. 1 otherwise. - * Args: ctx: pointer to a context object initialized for validation - * (cannot be NULL). - * In/Out: pubkey: pointer to a public key obkect. - * In: tweak: pointer to a 32-byte tweak. - */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_1_ec_pubkey_tweak_mul( - const rustsecp256k1_v0_1_1_context* ctx, - rustsecp256k1_v0_1_1_pubkey *pubkey, + * + * Returns: 0 if the arguments are invalid. 1 otherwise. + * Args: ctx: pointer to a context object initialized for validation + * (cannot be NULL). + * In/Out: pubkey: pointer to a public key object. pubkey will be set to an + * invalid value if this function returns 0 (cannot be NULL). + * In: tweak: pointer to a 32-byte tweak. If the tweak is invalid according to + * rustsecp256k1_v0_1_2_ec_seckey_verify, this function returns 0. For + * uniformly random 32-byte arrays the chance of being invalid + * is negligible (around 1 in 2^128) (cannot be NULL). + */ +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_ec_pubkey_tweak_mul( + const rustsecp256k1_v0_1_2_context* ctx, + rustsecp256k1_v0_1_2_pubkey *pubkey, const unsigned char *tweak ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -659,16 +714,17 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_1_ec_pubkey_tw * guaranteed and may change in the future. It is safe to call this function on * contexts not initialized for signing; then it will have no effect and return 1. * - * You should call this after rustsecp256k1_v0_1_1_context_create or - * rustsecp256k1_v0_1_1_context_clone (and rustsecp256k1_v0_1_1_context_preallocated_create or - * rustsecp256k1_v0_1_1_context_clone, resp.), and you may call this repeatedly afterwards. + * You should call this after rustsecp256k1_v0_1_2_context_create or + * rustsecp256k1_v0_1_2_context_clone (and rustsecp256k1_v0_1_2_context_preallocated_create or + * rustsecp256k1_v0_1_2_context_clone, resp.), and you may call this repeatedly afterwards. */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_1_context_randomize( - rustsecp256k1_v0_1_1_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_context_randomize( + rustsecp256k1_v0_1_2_context* ctx, const unsigned char *seed32 ) SECP256K1_ARG_NONNULL(1); /** Add a number of public keys together. + * * Returns: 1: the sum of the public keys is valid. * 0: the sum of the public keys is not valid. * Args: ctx: pointer to a context object @@ -677,10 +733,10 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_1_context_rand * In: ins: pointer to array of pointers to public keys (cannot be NULL) * n: the number of public keys to add together (must be at least 1) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_1_ec_pubkey_combine( - const rustsecp256k1_v0_1_1_context* ctx, - rustsecp256k1_v0_1_1_pubkey *out, - const rustsecp256k1_v0_1_1_pubkey * const * ins, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_ec_pubkey_combine( + const rustsecp256k1_v0_1_2_context* ctx, + rustsecp256k1_v0_1_2_pubkey *out, + const rustsecp256k1_v0_1_2_pubkey * const * ins, size_t n ) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); diff --git a/secp256k1-sys/depend/secp256k1/include/secp256k1.h.orig b/secp256k1-sys/depend/secp256k1/include/secp256k1.h.orig new file mode 100644 index 000000000..a0181d4b9 --- /dev/null +++ b/secp256k1-sys/depend/secp256k1/include/secp256k1.h.orig @@ -0,0 +1,764 @@ +#ifndef SECP256K1_H +#define SECP256K1_H + +#ifdef __cplusplus +extern "C" { +#endif + +#include + +/* These rules specify the order of arguments in API calls: + * + * 1. Context pointers go first, followed by output arguments, combined + * output/input arguments, and finally input-only arguments. + * 2. Array lengths always immediately the follow the argument whose length + * they describe, even if this violates rule 1. + * 3. Within the OUT/OUTIN/IN groups, pointers to data that is typically generated + * later go first. This means: signatures, public nonces, secret nonces, + * messages, public keys, secret keys, tweaks. + * 4. Arguments that are not data pointers go last, from more complex to less + * complex: function pointers, algorithm names, messages, void pointers, + * counts, flags, booleans. + * 5. Opaque data pointers follow the function pointer they are to be passed to. + */ + +/** Opaque data structure that holds context information (precomputed tables etc.). + * + * The purpose of context structures is to cache large precomputed data tables + * that are expensive to construct, and also to maintain the randomization data + * for blinding. + * + * Do not create a new context object for each operation, as construction is + * far slower than all other API calls (~100 times slower than an ECDSA + * verification). + * + * A constructed context can safely be used from multiple threads + * simultaneously, but API calls that take a non-const pointer to a context + * need exclusive access to it. In particular this is the case for + * rustsecp256k1_v0_1_2_context_destroy, rustsecp256k1_v0_1_2_context_preallocated_destroy, + * and rustsecp256k1_v0_1_2_context_randomize. + * + * Regarding randomization, either do it once at creation time (in which case + * you do not need any locking for the other calls), or use a read-write lock. + */ +typedef struct rustsecp256k1_v0_1_2_context_struct rustsecp256k1_v0_1_2_context; + +/** Opaque data structure that holds rewriteable "scratch space" + * + * The purpose of this structure is to replace dynamic memory allocations, + * because we target architectures where this may not be available. It is + * essentially a resizable (within specified parameters) block of bytes, + * which is initially created either by memory allocation or TODO as a pointer + * into some fixed rewritable space. + * + * Unlike the context object, this cannot safely be shared between threads + * without additional synchronization logic. + */ +typedef struct rustsecp256k1_v0_1_2_scratch_space_struct rustsecp256k1_v0_1_2_scratch_space; + +/** Opaque data structure that holds a parsed and valid public key. + * + * The exact representation of data inside is implementation defined and not + * guaranteed to be portable between different platforms or versions. It is + * however guaranteed to be 64 bytes in size, and can be safely copied/moved. + * If you need to convert to a format suitable for storage, transmission, or + * comparison, use rustsecp256k1_v0_1_2_ec_pubkey_serialize and rustsecp256k1_v0_1_2_ec_pubkey_parse. + */ +typedef struct { + unsigned char data[64]; +} rustsecp256k1_v0_1_2_pubkey; + +/** Opaque data structured that holds a parsed ECDSA signature. + * + * The exact representation of data inside is implementation defined and not + * guaranteed to be portable between different platforms or versions. It is + * however guaranteed to be 64 bytes in size, and can be safely copied/moved. + * If you need to convert to a format suitable for storage, transmission, or + * comparison, use the rustsecp256k1_v0_1_2_ecdsa_signature_serialize_* and + * rustsecp256k1_v0_1_2_ecdsa_signature_parse_* functions. + */ +typedef struct { + unsigned char data[64]; +} rustsecp256k1_v0_1_2_ecdsa_signature; + +/** A pointer to a function to deterministically generate a nonce. + * + * Returns: 1 if a nonce was successfully generated. 0 will cause signing to fail. + * Out: nonce32: pointer to a 32-byte array to be filled by the function. + * In: msg32: the 32-byte message hash being verified (will not be NULL) + * key32: pointer to a 32-byte secret key (will not be NULL) + * algo16: pointer to a 16-byte array describing the signature + * algorithm (will be NULL for ECDSA for compatibility). + * data: Arbitrary data pointer that is passed through. + * attempt: how many iterations we have tried to find a nonce. + * This will almost always be 0, but different attempt values + * are required to result in a different nonce. + * + * Except for test cases, this function should compute some cryptographic hash of + * the message, the algorithm, the key and the attempt. + */ +typedef int (*rustsecp256k1_v0_1_2_nonce_function)( + unsigned char *nonce32, + const unsigned char *msg32, + const unsigned char *key32, + const unsigned char *algo16, + void *data, + unsigned int attempt +); + +# if !defined(SECP256K1_GNUC_PREREQ) +# if defined(__GNUC__)&&defined(__GNUC_MINOR__) +# define SECP256K1_GNUC_PREREQ(_maj,_min) \ + ((__GNUC__<<16)+__GNUC_MINOR__>=((_maj)<<16)+(_min)) +# else +# define SECP256K1_GNUC_PREREQ(_maj,_min) 0 +# endif +# endif + +# if (!defined(__STDC_VERSION__) || (__STDC_VERSION__ < 199901L) ) +# if SECP256K1_GNUC_PREREQ(2,7) +# define SECP256K1_INLINE __inline__ +# elif (defined(_MSC_VER)) +# define SECP256K1_INLINE __inline +# else +# define SECP256K1_INLINE +# endif +# else +# define SECP256K1_INLINE inline +# endif + +#ifndef SECP256K1_API +# if defined(_WIN32) +# ifdef SECP256K1_BUILD +# define SECP256K1_API __declspec(dllexport) +# else +# define SECP256K1_API +# endif +# elif defined(__GNUC__) && defined(SECP256K1_BUILD) +# define SECP256K1_API __attribute__ ((visibility ("default"))) +# else +# define SECP256K1_API +# endif +#endif + +/**Warning attributes + * NONNULL is not used if SECP256K1_BUILD is set to avoid the compiler optimizing out + * some paranoid null checks. */ +# if defined(__GNUC__) && SECP256K1_GNUC_PREREQ(3, 4) +# define SECP256K1_WARN_UNUSED_RESULT __attribute__ ((__warn_unused_result__)) +# else +# define SECP256K1_WARN_UNUSED_RESULT +# endif +# if !defined(SECP256K1_BUILD) && defined(__GNUC__) && SECP256K1_GNUC_PREREQ(3, 4) +# define SECP256K1_ARG_NONNULL(_x) __attribute__ ((__nonnull__(_x))) +# else +# define SECP256K1_ARG_NONNULL(_x) +# endif + +/** All flags' lower 8 bits indicate what they're for. Do not use directly. */ +#define SECP256K1_FLAGS_TYPE_MASK ((1 << 8) - 1) +#define SECP256K1_FLAGS_TYPE_CONTEXT (1 << 0) +#define SECP256K1_FLAGS_TYPE_COMPRESSION (1 << 1) +/** The higher bits contain the actual data. Do not use directly. */ +#define SECP256K1_FLAGS_BIT_CONTEXT_VERIFY (1 << 8) +#define SECP256K1_FLAGS_BIT_CONTEXT_SIGN (1 << 9) +#define SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY (1 << 10) +#define SECP256K1_FLAGS_BIT_COMPRESSION (1 << 8) + +/** Flags to pass to rustsecp256k1_v0_1_2_context_create, rustsecp256k1_v0_1_2_context_preallocated_size, and + * rustsecp256k1_v0_1_2_context_preallocated_create. */ +#define SECP256K1_CONTEXT_VERIFY (SECP256K1_FLAGS_TYPE_CONTEXT | SECP256K1_FLAGS_BIT_CONTEXT_VERIFY) +#define SECP256K1_CONTEXT_SIGN (SECP256K1_FLAGS_TYPE_CONTEXT | SECP256K1_FLAGS_BIT_CONTEXT_SIGN) +#define SECP256K1_CONTEXT_DECLASSIFY (SECP256K1_FLAGS_TYPE_CONTEXT | SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY) +#define SECP256K1_CONTEXT_NONE (SECP256K1_FLAGS_TYPE_CONTEXT) + +/** Flag to pass to rustsecp256k1_v0_1_2_ec_pubkey_serialize. */ +#define SECP256K1_EC_COMPRESSED (SECP256K1_FLAGS_TYPE_COMPRESSION | SECP256K1_FLAGS_BIT_COMPRESSION) +#define SECP256K1_EC_UNCOMPRESSED (SECP256K1_FLAGS_TYPE_COMPRESSION) + +/** Prefix byte used to tag various encoded curvepoints for specific purposes */ +#define SECP256K1_TAG_PUBKEY_EVEN 0x02 +#define SECP256K1_TAG_PUBKEY_ODD 0x03 +#define SECP256K1_TAG_PUBKEY_UNCOMPRESSED 0x04 +#define SECP256K1_TAG_PUBKEY_HYBRID_EVEN 0x06 +#define SECP256K1_TAG_PUBKEY_HYBRID_ODD 0x07 + +/** A simple secp256k1 context object with no precomputed tables. These are useful for + * type serialization/parsing functions which require a context object to maintain + * API consistency, but currently do not require expensive precomputations or dynamic + * allocations. + */ +SECP256K1_API extern const rustsecp256k1_v0_1_2_context *rustsecp256k1_v0_1_2_context_no_precomp; + +/** Create a secp256k1 context object (in dynamically allocated memory). + * + * This function uses malloc to allocate memory. It is guaranteed that malloc is + * called at most once for every call of this function. If you need to avoid dynamic + * memory allocation entirely, see the functions in rustsecp256k1_v0_1_2_preallocated.h. + * + * Returns: a newly created context object. + * In: flags: which parts of the context to initialize. + * + * See also rustsecp256k1_v0_1_2_context_randomize. + */ +SECP256K1_API rustsecp256k1_v0_1_2_context* rustsecp256k1_v0_1_2_context_create( + unsigned int flags +) SECP256K1_WARN_UNUSED_RESULT; + +/** Copy a secp256k1 context object (into dynamically allocated memory). + * + * This function uses malloc to allocate memory. It is guaranteed that malloc is + * called at most once for every call of this function. If you need to avoid dynamic + * memory allocation entirely, see the functions in rustsecp256k1_v0_1_2_preallocated.h. + * + * Returns: a newly created context object. + * Args: ctx: an existing context to copy (cannot be NULL) + */ +SECP256K1_API rustsecp256k1_v0_1_2_context* rustsecp256k1_v0_1_2_context_clone( + const rustsecp256k1_v0_1_2_context* ctx +) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT; + +/** Destroy a secp256k1 context object (created in dynamically allocated memory). + * + * The context pointer may not be used afterwards. + * + * The context to destroy must have been created using rustsecp256k1_v0_1_2_context_create + * or rustsecp256k1_v0_1_2_context_clone. If the context has instead been created using + * rustsecp256k1_v0_1_2_context_preallocated_create or rustsecp256k1_v0_1_2_context_preallocated_clone, the + * behaviour is undefined. In that case, rustsecp256k1_v0_1_2_context_preallocated_destroy must + * be used instead. + * + * Args: ctx: an existing context to destroy, constructed using + * rustsecp256k1_v0_1_2_context_create or rustsecp256k1_v0_1_2_context_clone + */ +SECP256K1_API void rustsecp256k1_v0_1_2_context_destroy( + rustsecp256k1_v0_1_2_context* ctx +); + +/** Set a callback function to be called when an illegal argument is passed to + * an API call. It will only trigger for violations that are mentioned + * explicitly in the header. + * + * The philosophy is that these shouldn't be dealt with through a + * specific return value, as calling code should not have branches to deal with + * the case that this code itself is broken. + * + * On the other hand, during debug stage, one would want to be informed about + * such mistakes, and the default (crashing) may be inadvisable. + * When this callback is triggered, the API function called is guaranteed not + * to cause a crash, though its return value and output arguments are + * undefined. + * + * When this function has not been called (or called with fn==NULL), then the + * default handler will be used. The library provides a default handler which + * writes the message to stderr and calls abort. This default handler can be + * replaced at link time if the preprocessor macro + * USE_EXTERNAL_DEFAULT_CALLBACKS is defined, which is the case if the build + * has been configured with --enable-external-default-callbacks. Then the + * following two symbols must be provided to link against: + * - void rustsecp256k1_v0_1_2_default_illegal_callback_fn(const char* message, void* data); + * - void rustsecp256k1_v0_1_2_default_error_callback_fn(const char* message, void* data); + * The library can call these default handlers even before a proper callback data + * pointer could have been set using rustsecp256k1_v0_1_2_context_set_illegal_callback or + * rustsecp256k1_v0_1_2_context_set_error_callback, e.g., when the creation of a context + * fails. In this case, the corresponding default handler will be called with + * the data pointer argument set to NULL. + * + * Args: ctx: an existing context object (cannot be NULL) + * In: fun: a pointer to a function to call when an illegal argument is + * passed to the API, taking a message and an opaque pointer. + * (NULL restores the default handler.) + * data: the opaque pointer to pass to fun above. + * + * See also rustsecp256k1_v0_1_2_context_set_error_callback. + */ +SECP256K1_API void rustsecp256k1_v0_1_2_context_set_illegal_callback( + rustsecp256k1_v0_1_2_context* ctx, + void (*fun)(const char* message, void* data), + const void* data +) SECP256K1_ARG_NONNULL(1); + +/** Set a callback function to be called when an internal consistency check + * fails. The default is crashing. + * + * This can only trigger in case of a hardware failure, miscompilation, + * memory corruption, serious bug in the library, or other error would can + * otherwise result in undefined behaviour. It will not trigger due to mere + * incorrect usage of the API (see rustsecp256k1_v0_1_2_context_set_illegal_callback + * for that). After this callback returns, anything may happen, including + * crashing. + * + * Args: ctx: an existing context object (cannot be NULL) + * In: fun: a pointer to a function to call when an internal error occurs, + * taking a message and an opaque pointer (NULL restores the + * default handler, see rustsecp256k1_v0_1_2_context_set_illegal_callback + * for details). + * data: the opaque pointer to pass to fun above. + * + * See also rustsecp256k1_v0_1_2_context_set_illegal_callback. + */ +SECP256K1_API void rustsecp256k1_v0_1_2_context_set_error_callback( + rustsecp256k1_v0_1_2_context* ctx, + void (*fun)(const char* message, void* data), + const void* data +) SECP256K1_ARG_NONNULL(1); + +/** Create a secp256k1 scratch space object. + * + * Returns: a newly created scratch space. + * Args: ctx: an existing context object (cannot be NULL) + * In: size: amount of memory to be available as scratch space. Some extra + * (<100 bytes) will be allocated for extra accounting. + */ +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT rustsecp256k1_v0_1_2_scratch_space* rustsecp256k1_v0_1_2_scratch_space_create( + const rustsecp256k1_v0_1_2_context* ctx, + size_t size +) SECP256K1_ARG_NONNULL(1); + +/** Destroy a secp256k1 scratch space. + * + * The pointer may not be used afterwards. + * Args: ctx: a secp256k1 context object. + * scratch: space to destroy + */ +SECP256K1_API void rustsecp256k1_v0_1_2_scratch_space_destroy( + const rustsecp256k1_v0_1_2_context* ctx, + rustsecp256k1_v0_1_2_scratch_space* scratch +) SECP256K1_ARG_NONNULL(1); + +/** Parse a variable-length public key into the pubkey object. + * + * Returns: 1 if the public key was fully valid. + * 0 if the public key could not be parsed or is invalid. + * Args: ctx: a secp256k1 context object. + * Out: pubkey: pointer to a pubkey object. If 1 is returned, it is set to a + * parsed version of input. If not, its value is undefined. + * In: input: pointer to a serialized public key + * inputlen: length of the array pointed to by input + * + * This function supports parsing compressed (33 bytes, header byte 0x02 or + * 0x03), uncompressed (65 bytes, header byte 0x04), or hybrid (65 bytes, header + * byte 0x06 or 0x07) format public keys. + */ +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_ec_pubkey_parse( + const rustsecp256k1_v0_1_2_context* ctx, + rustsecp256k1_v0_1_2_pubkey* pubkey, + const unsigned char *input, + size_t inputlen +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); + +/** Serialize a pubkey object into a serialized byte sequence. + * + * Returns: 1 always. + * Args: ctx: a secp256k1 context object. + * Out: output: a pointer to a 65-byte (if compressed==0) or 33-byte (if + * compressed==1) byte array to place the serialized key + * in. + * In/Out: outputlen: a pointer to an integer which is initially set to the + * size of output, and is overwritten with the written + * size. + * In: pubkey: a pointer to a rustsecp256k1_v0_1_2_pubkey containing an + * initialized public key. + * flags: SECP256K1_EC_COMPRESSED if serialization should be in + * compressed format, otherwise SECP256K1_EC_UNCOMPRESSED. + */ +SECP256K1_API int rustsecp256k1_v0_1_2_ec_pubkey_serialize( + const rustsecp256k1_v0_1_2_context* ctx, + unsigned char *output, + size_t *outputlen, + const rustsecp256k1_v0_1_2_pubkey* pubkey, + unsigned int flags +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); + +/** Parse an ECDSA signature in compact (64 bytes) format. + * + * Returns: 1 when the signature could be parsed, 0 otherwise. + * Args: ctx: a secp256k1 context object + * Out: sig: a pointer to a signature object + * In: input64: a pointer to the 64-byte array to parse + * + * The signature must consist of a 32-byte big endian R value, followed by a + * 32-byte big endian S value. If R or S fall outside of [0..order-1], the + * encoding is invalid. R and S with value 0 are allowed in the encoding. + * + * After the call, sig will always be initialized. If parsing failed or R or + * S are zero, the resulting sig value is guaranteed to fail validation for any + * message and public key. + */ +SECP256K1_API int rustsecp256k1_v0_1_2_ecdsa_signature_parse_compact( + const rustsecp256k1_v0_1_2_context* ctx, + rustsecp256k1_v0_1_2_ecdsa_signature* sig, + const unsigned char *input64 +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); + +/** Parse a DER ECDSA signature. + * + * Returns: 1 when the signature could be parsed, 0 otherwise. + * Args: ctx: a secp256k1 context object + * Out: sig: a pointer to a signature object + * In: input: a pointer to the signature to be parsed + * inputlen: the length of the array pointed to be input + * + * This function will accept any valid DER encoded signature, even if the + * encoded numbers are out of range. + * + * After the call, sig will always be initialized. If parsing failed or the + * encoded numbers are out of range, signature validation with it is + * guaranteed to fail for every message and public key. + */ +SECP256K1_API int rustsecp256k1_v0_1_2_ecdsa_signature_parse_der( + const rustsecp256k1_v0_1_2_context* ctx, + rustsecp256k1_v0_1_2_ecdsa_signature* sig, + const unsigned char *input, + size_t inputlen +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); + +/** Serialize an ECDSA signature in DER format. + * + * Returns: 1 if enough space was available to serialize, 0 otherwise + * Args: ctx: a secp256k1 context object + * Out: output: a pointer to an array to store the DER serialization + * In/Out: outputlen: a pointer to a length integer. Initially, this integer + * should be set to the length of output. After the call + * it will be set to the length of the serialization (even + * if 0 was returned). + * In: sig: a pointer to an initialized signature object + */ +SECP256K1_API int rustsecp256k1_v0_1_2_ecdsa_signature_serialize_der( + const rustsecp256k1_v0_1_2_context* ctx, + unsigned char *output, + size_t *outputlen, + const rustsecp256k1_v0_1_2_ecdsa_signature* sig +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); + +/** Serialize an ECDSA signature in compact (64 byte) format. + * + * Returns: 1 + * Args: ctx: a secp256k1 context object + * Out: output64: a pointer to a 64-byte array to store the compact serialization + * In: sig: a pointer to an initialized signature object + * + * See rustsecp256k1_v0_1_2_ecdsa_signature_parse_compact for details about the encoding. + */ +SECP256K1_API int rustsecp256k1_v0_1_2_ecdsa_signature_serialize_compact( + const rustsecp256k1_v0_1_2_context* ctx, + unsigned char *output64, + const rustsecp256k1_v0_1_2_ecdsa_signature* sig +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); + +/** Verify an ECDSA signature. + * + * Returns: 1: correct signature + * 0: incorrect or unparseable signature + * Args: ctx: a secp256k1 context object, initialized for verification. + * In: sig: the signature being verified (cannot be NULL) + * msg32: the 32-byte message hash being verified (cannot be NULL) + * pubkey: pointer to an initialized public key to verify with (cannot be NULL) + * + * To avoid accepting malleable signatures, only ECDSA signatures in lower-S + * form are accepted. + * + * If you need to accept ECDSA signatures from sources that do not obey this + * rule, apply rustsecp256k1_v0_1_2_ecdsa_signature_normalize to the signature prior to + * validation, but be aware that doing so results in malleable signatures. + * + * For details, see the comments for that function. + */ +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_ecdsa_verify( + const rustsecp256k1_v0_1_2_context* ctx, + const rustsecp256k1_v0_1_2_ecdsa_signature *sig, + const unsigned char *msg32, + const rustsecp256k1_v0_1_2_pubkey *pubkey +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); + +/** Convert a signature to a normalized lower-S form. + * + * Returns: 1 if sigin was not normalized, 0 if it already was. + * Args: ctx: a secp256k1 context object + * Out: sigout: a pointer to a signature to fill with the normalized form, + * or copy if the input was already normalized. (can be NULL if + * you're only interested in whether the input was already + * normalized). + * In: sigin: a pointer to a signature to check/normalize (cannot be NULL, + * can be identical to sigout) + * + * With ECDSA a third-party can forge a second distinct signature of the same + * message, given a single initial signature, but without knowing the key. This + * is done by negating the S value modulo the order of the curve, 'flipping' + * the sign of the random point R which is not included in the signature. + * + * Forgery of the same message isn't universally problematic, but in systems + * where message malleability or uniqueness of signatures is important this can + * cause issues. This forgery can be blocked by all verifiers forcing signers + * to use a normalized form. + * + * The lower-S form reduces the size of signatures slightly on average when + * variable length encodings (such as DER) are used and is cheap to verify, + * making it a good choice. Security of always using lower-S is assured because + * anyone can trivially modify a signature after the fact to enforce this + * property anyway. + * + * The lower S value is always between 0x1 and + * 0x7FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF5D576E7357A4501DDFE92F46681B20A0, + * inclusive. + * + * No other forms of ECDSA malleability are known and none seem likely, but + * there is no formal proof that ECDSA, even with this additional restriction, + * is free of other malleability. Commonly used serialization schemes will also + * accept various non-unique encodings, so care should be taken when this + * property is required for an application. + * + * The rustsecp256k1_v0_1_2_ecdsa_sign function will by default create signatures in the + * lower-S form, and rustsecp256k1_v0_1_2_ecdsa_verify will not accept others. In case + * signatures come from a system that cannot enforce this property, + * rustsecp256k1_v0_1_2_ecdsa_signature_normalize must be called before verification. + */ +SECP256K1_API int rustsecp256k1_v0_1_2_ecdsa_signature_normalize( + const rustsecp256k1_v0_1_2_context* ctx, + rustsecp256k1_v0_1_2_ecdsa_signature *sigout, + const rustsecp256k1_v0_1_2_ecdsa_signature *sigin +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3); + +/** An implementation of RFC6979 (using HMAC-SHA256) as nonce generation function. + * If a data pointer is passed, it is assumed to be a pointer to 32 bytes of + * extra entropy. + */ +SECP256K1_API extern const rustsecp256k1_v0_1_2_nonce_function rustsecp256k1_v0_1_2_nonce_function_rfc6979; + +/** A default safe nonce generation function (currently equal to rustsecp256k1_v0_1_2_nonce_function_rfc6979). */ +SECP256K1_API extern const rustsecp256k1_v0_1_2_nonce_function rustsecp256k1_v0_1_2_nonce_function_default; + +/** Create an ECDSA signature. + * + * Returns: 1: signature created + * 0: the nonce generation function failed, or the secret key was invalid. + * Args: ctx: pointer to a context object, initialized for signing (cannot be NULL) + * Out: sig: pointer to an array where the signature will be placed (cannot be NULL) + * In: msg32: the 32-byte message hash being signed (cannot be NULL) + * seckey: pointer to a 32-byte secret key (cannot be NULL) + * noncefp:pointer to a nonce generation function. If NULL, rustsecp256k1_v0_1_2_nonce_function_default is used + * ndata: pointer to arbitrary data used by the nonce generation function (can be NULL) + * + * The created signature is always in lower-S form. See + * rustsecp256k1_v0_1_2_ecdsa_signature_normalize for more details. + */ +SECP256K1_API int rustsecp256k1_v0_1_2_ecdsa_sign( + const rustsecp256k1_v0_1_2_context* ctx, + rustsecp256k1_v0_1_2_ecdsa_signature *sig, + const unsigned char *msg32, + const unsigned char *seckey, + rustsecp256k1_v0_1_2_nonce_function noncefp, + const void *ndata +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); + +/** Verify an ECDSA secret key. + * + * A secret key is valid if it is not 0 and less than the secp256k1 curve order + * when interpreted as an integer (most significant byte first). The + * probability of choosing a 32-byte string uniformly at random which is an + * invalid secret key is negligible. + * + * Returns: 1: secret key is valid + * 0: secret key is invalid + * Args: ctx: pointer to a context object (cannot be NULL) + * In: seckey: pointer to a 32-byte secret key (cannot be NULL) + */ +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_ec_seckey_verify( + const rustsecp256k1_v0_1_2_context* ctx, + const unsigned char *seckey +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2); + +/** Compute the public key for a secret key. + * + * Returns: 1: secret was valid, public key stores + * 0: secret was invalid, try again + * Args: ctx: pointer to a context object, initialized for signing (cannot be NULL) + * Out: pubkey: pointer to the created public key (cannot be NULL) + * In: seckey: pointer to a 32-byte secret key (cannot be NULL) + */ +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_ec_pubkey_create( + const rustsecp256k1_v0_1_2_context* ctx, + rustsecp256k1_v0_1_2_pubkey *pubkey, + const unsigned char *seckey +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); + +/** Negates a secret key in place. + * + * Returns: 0 if the given secret key is invalid according to + * rustsecp256k1_v0_1_2_ec_seckey_verify. 1 otherwise + * Args: ctx: pointer to a context object + * In/Out: seckey: pointer to the 32-byte secret key to be negated. If the + * secret key is invalid according to + * rustsecp256k1_v0_1_2_ec_seckey_verify, this function returns 0 and + * seckey will be set to some unspecified value. (cannot be + * NULL) + */ +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_ec_seckey_negate( + const rustsecp256k1_v0_1_2_context* ctx, + unsigned char *seckey +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2); + +/** Same as rustsecp256k1_v0_1_2_ec_seckey_negate, but DEPRECATED. Will be removed in + * future versions. */ +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_ec_privkey_negate( + const rustsecp256k1_v0_1_2_context* ctx, + unsigned char *seckey +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2); + +/** Negates a public key in place. + * + * Returns: 1 always + * Args: ctx: pointer to a context object + * In/Out: pubkey: pointer to the public key to be negated (cannot be NULL) + */ +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_ec_pubkey_negate( + const rustsecp256k1_v0_1_2_context* ctx, + rustsecp256k1_v0_1_2_pubkey *pubkey +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2); + +/** Tweak a secret key by adding tweak to it. + * + * Returns: 0 if the arguments are invalid or the resulting secret key would be + * invalid (only when the tweak is the negation of the secret key). 1 + * otherwise. + * Args: ctx: pointer to a context object (cannot be NULL). + * In/Out: seckey: pointer to a 32-byte secret key. If the secret key is + * invalid according to rustsecp256k1_v0_1_2_ec_seckey_verify, this + * function returns 0. seckey will be set to some unspecified + * value if this function returns 0. (cannot be NULL) + * In: tweak: pointer to a 32-byte tweak. If the tweak is invalid according to + * rustsecp256k1_v0_1_2_ec_seckey_verify, this function returns 0. For + * uniformly random 32-byte arrays the chance of being invalid + * is negligible (around 1 in 2^128) (cannot be NULL). + */ +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_ec_seckey_tweak_add( + const rustsecp256k1_v0_1_2_context* ctx, + unsigned char *seckey, + const unsigned char *tweak +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); + +/** Same as rustsecp256k1_v0_1_2_ec_seckey_tweak_add, but DEPRECATED. Will be removed in + * future versions. */ +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_ec_privkey_tweak_add( + const rustsecp256k1_v0_1_2_context* ctx, + unsigned char *seckey, + const unsigned char *tweak +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); + +/** Tweak a public key by adding tweak times the generator to it. + * + * Returns: 0 if the arguments are invalid or the resulting public key would be + * invalid (only when the tweak is the negation of the corresponding + * secret key). 1 otherwise. + * Args: ctx: pointer to a context object initialized for validation + * (cannot be NULL). + * In/Out: pubkey: pointer to a public key object. pubkey will be set to an + * invalid value if this function returns 0 (cannot be NULL). + * In: tweak: pointer to a 32-byte tweak. If the tweak is invalid according to + * rustsecp256k1_v0_1_2_ec_seckey_verify, this function returns 0. For + * uniformly random 32-byte arrays the chance of being invalid + * is negligible (around 1 in 2^128) (cannot be NULL). + */ +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_ec_pubkey_tweak_add( + const rustsecp256k1_v0_1_2_context* ctx, + rustsecp256k1_v0_1_2_pubkey *pubkey, + const unsigned char *tweak +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); + +/** Tweak a secret key by multiplying it by a tweak. + * + * Returns: 0 if the arguments are invalid. 1 otherwise. + * Args: ctx: pointer to a context object (cannot be NULL). + * In/Out: seckey: pointer to a 32-byte secret key. If the secret key is + * invalid according to rustsecp256k1_v0_1_2_ec_seckey_verify, this + * function returns 0. seckey will be set to some unspecified + * value if this function returns 0. (cannot be NULL) + * In: tweak: pointer to a 32-byte tweak. If the tweak is invalid according to + * rustsecp256k1_v0_1_2_ec_seckey_verify, this function returns 0. For + * uniformly random 32-byte arrays the chance of being invalid + * is negligible (around 1 in 2^128) (cannot be NULL). + */ +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_ec_seckey_tweak_mul( + const rustsecp256k1_v0_1_2_context* ctx, + unsigned char *seckey, + const unsigned char *tweak +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); + +/** Same as rustsecp256k1_v0_1_2_ec_seckey_tweak_mul, but DEPRECATED. Will be removed in + * future versions. */ +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_ec_privkey_tweak_mul( + const rustsecp256k1_v0_1_2_context* ctx, + unsigned char *seckey, + const unsigned char *tweak +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); + +/** Tweak a public key by multiplying it by a tweak value. + * + * Returns: 0 if the arguments are invalid. 1 otherwise. + * Args: ctx: pointer to a context object initialized for validation + * (cannot be NULL). + * In/Out: pubkey: pointer to a public key object. pubkey will be set to an + * invalid value if this function returns 0 (cannot be NULL). + * In: tweak: pointer to a 32-byte tweak. If the tweak is invalid according to + * rustsecp256k1_v0_1_2_ec_seckey_verify, this function returns 0. For + * uniformly random 32-byte arrays the chance of being invalid + * is negligible (around 1 in 2^128) (cannot be NULL). + */ +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_ec_pubkey_tweak_mul( + const rustsecp256k1_v0_1_2_context* ctx, + rustsecp256k1_v0_1_2_pubkey *pubkey, + const unsigned char *tweak +) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); + +/** Updates the context randomization to protect against side-channel leakage. + * Returns: 1: randomization successfully updated or nothing to randomize + * 0: error + * Args: ctx: pointer to a context object (cannot be NULL) + * In: seed32: pointer to a 32-byte random seed (NULL resets to initial state) + * + * While secp256k1 code is written to be constant-time no matter what secret + * values are, it's possible that a future compiler may output code which isn't, + * and also that the CPU may not emit the same radio frequencies or draw the same + * amount power for all values. + * + * This function provides a seed which is combined into the blinding value: that + * blinding value is added before each multiplication (and removed afterwards) so + * that it does not affect function results, but shields against attacks which + * rely on any input-dependent behaviour. + * + * This function has currently an effect only on contexts initialized for signing + * because randomization is currently used only for signing. However, this is not + * guaranteed and may change in the future. It is safe to call this function on + * contexts not initialized for signing; then it will have no effect and return 1. + * + * You should call this after rustsecp256k1_v0_1_2_context_create or + * rustsecp256k1_v0_1_2_context_clone (and rustsecp256k1_v0_1_2_context_preallocated_create or + * rustsecp256k1_v0_1_2_context_clone, resp.), and you may call this repeatedly afterwards. + */ +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_context_randomize( + rustsecp256k1_v0_1_2_context* ctx, + const unsigned char *seed32 +) SECP256K1_ARG_NONNULL(1); + +/** Add a number of public keys together. + * + * Returns: 1: the sum of the public keys is valid. + * 0: the sum of the public keys is not valid. + * Args: ctx: pointer to a context object + * Out: out: pointer to a public key object for placing the resulting public key + * (cannot be NULL) + * In: ins: pointer to array of pointers to public keys (cannot be NULL) + * n: the number of public keys to add together (must be at least 1) + */ +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_ec_pubkey_combine( + const rustsecp256k1_v0_1_2_context* ctx, + rustsecp256k1_v0_1_2_pubkey *out, + const rustsecp256k1_v0_1_2_pubkey * const * ins, + size_t n +) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); + +#ifdef __cplusplus +} +#endif + +#endif /* SECP256K1_H */ diff --git a/secp256k1-sys/depend/secp256k1/include/secp256k1_ecdh.h b/secp256k1-sys/depend/secp256k1/include/secp256k1_ecdh.h index 6eaca50a3..6842cfab4 100644 --- a/secp256k1-sys/depend/secp256k1/include/secp256k1_ecdh.h +++ b/secp256k1-sys/depend/secp256k1/include/secp256k1_ecdh.h @@ -7,44 +7,51 @@ extern "C" { #endif -/** A pointer to a function that applies hash function to a point +/** A pointer to a function that hashes an EC point to obtain an ECDH secret * - * Returns: 1 if a point was successfully hashed. 0 will cause ecdh to fail - * Out: output: pointer to an array to be filled by the function - * In: x: pointer to a 32-byte x coordinate - * y: pointer to a 32-byte y coordinate - * data: Arbitrary data pointer that is passed through + * Returns: 1 if the point was successfully hashed. + * 0 will cause rustsecp256k1_v0_1_2_ecdh to fail and return 0. + * Other return values are not allowed, and the behaviour of + * rustsecp256k1_v0_1_2_ecdh is undefined for other return values. + * Out: output: pointer to an array to be filled by the function + * In: x32: pointer to a 32-byte x coordinate + * y32: pointer to a 32-byte y coordinate + * data: arbitrary data pointer that is passed through */ -typedef int (*rustsecp256k1_v0_1_1_ecdh_hash_function)( +typedef int (*rustsecp256k1_v0_1_2_ecdh_hash_function)( unsigned char *output, - const unsigned char *x, - const unsigned char *y, + const unsigned char *x32, + const unsigned char *y32, void *data ); -/** An implementation of SHA256 hash function that applies to compressed public key. */ -SECP256K1_API extern const rustsecp256k1_v0_1_1_ecdh_hash_function rustsecp256k1_v0_1_1_ecdh_hash_function_sha256; +/** An implementation of SHA256 hash function that applies to compressed public key. + * Populates the output parameter with 32 bytes. */ +SECP256K1_API extern const rustsecp256k1_v0_1_2_ecdh_hash_function rustsecp256k1_v0_1_2_ecdh_hash_function_sha256; -/** A default ecdh hash function (currently equal to rustsecp256k1_v0_1_1_ecdh_hash_function_sha256). */ -SECP256K1_API extern const rustsecp256k1_v0_1_1_ecdh_hash_function rustsecp256k1_v0_1_1_ecdh_hash_function_default; +/** A default ECDH hash function (currently equal to rustsecp256k1_v0_1_2_ecdh_hash_function_sha256). + * Populates the output parameter with 32 bytes. */ +SECP256K1_API extern const rustsecp256k1_v0_1_2_ecdh_hash_function rustsecp256k1_v0_1_2_ecdh_hash_function_default; /** Compute an EC Diffie-Hellman secret in constant time + * * Returns: 1: exponentiation was successful - * 0: scalar was invalid (zero or overflow) + * 0: scalar was invalid (zero or overflow) or hashfp returned 0 * Args: ctx: pointer to a context object (cannot be NULL) - * Out: output: pointer to an array to be filled by the function - * In: pubkey: a pointer to a rustsecp256k1_v0_1_1_pubkey containing an + * Out: output: pointer to an array to be filled by hashfp + * In: pubkey: a pointer to a rustsecp256k1_v0_1_2_pubkey containing an * initialized public key - * privkey: a 32-byte scalar with which to multiply the point - * hashfp: pointer to a hash function. If NULL, rustsecp256k1_v0_1_1_ecdh_hash_function_sha256 is used - * data: Arbitrary data pointer that is passed through + * seckey: a 32-byte scalar with which to multiply the point + * hashfp: pointer to a hash function. If NULL, rustsecp256k1_v0_1_2_ecdh_hash_function_sha256 is used + * (in which case, 32 bytes will be written to output) + * data: arbitrary data pointer that is passed through to hashfp */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_1_ecdh( - const rustsecp256k1_v0_1_1_context* ctx, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_ecdh( + const rustsecp256k1_v0_1_2_context* ctx, unsigned char *output, - const rustsecp256k1_v0_1_1_pubkey *pubkey, - const unsigned char *privkey, - rustsecp256k1_v0_1_1_ecdh_hash_function hashfp, + const rustsecp256k1_v0_1_2_pubkey *pubkey, + const unsigned char *seckey, + rustsecp256k1_v0_1_2_ecdh_hash_function hashfp, void *data ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); diff --git a/secp256k1-sys/depend/secp256k1/include/secp256k1_preallocated.h b/secp256k1-sys/depend/secp256k1/include/secp256k1_preallocated.h index fd071537f..fd8f7ef71 100644 --- a/secp256k1-sys/depend/secp256k1/include/secp256k1_preallocated.h +++ b/secp256k1-sys/depend/secp256k1/include/secp256k1_preallocated.h @@ -14,12 +14,12 @@ extern "C" { * * Context objects created by functions in this module can be used like contexts * objects created by functions in secp256k1.h, i.e., they can be passed to any - * API function that excepts a context object (see secp256k1.h for details). The + * API function that expects a context object (see secp256k1.h for details). The * only exception is that context objects created by functions in this module - * must be destroyed using rustsecp256k1_v0_1_1_context_preallocated_destroy (in this - * module) instead of rustsecp256k1_v0_1_1_context_destroy (in secp256k1.h). + * must be destroyed using rustsecp256k1_v0_1_2_context_preallocated_destroy (in this + * module) instead of rustsecp256k1_v0_1_2_context_destroy (in secp256k1.h). * - * It is guaranteed that functions in by this module will not call malloc or its + * It is guaranteed that functions in this module will not call malloc or its * friends realloc, calloc, and free. */ @@ -27,24 +27,24 @@ extern "C" { * caller-provided memory. * * The purpose of this function is to determine how much memory must be provided - * to rustsecp256k1_v0_1_1_context_preallocated_create. + * to rustsecp256k1_v0_1_2_context_preallocated_create. * * Returns: the required size of the caller-provided memory block * In: flags: which parts of the context to initialize. */ -SECP256K1_API size_t rustsecp256k1_v0_1_1_context_preallocated_size( +SECP256K1_API size_t rustsecp256k1_v0_1_2_context_preallocated_size( unsigned int flags ) SECP256K1_WARN_UNUSED_RESULT; /** Create a secp256k1 context object in caller-provided memory. * * The caller must provide a pointer to a rewritable contiguous block of memory - * of size at least rustsecp256k1_v0_1_1_context_preallocated_size(flags) bytes, suitably + * of size at least rustsecp256k1_v0_1_2_context_preallocated_size(flags) bytes, suitably * aligned to hold an object of any type. * * The block of memory is exclusively owned by the created context object during * the lifetime of this context object, which begins with the call to this - * function and ends when a call to rustsecp256k1_v0_1_1_context_preallocated_destroy + * function and ends when a call to rustsecp256k1_v0_1_2_context_preallocated_destroy * (which destroys the context object again) returns. During the lifetime of the * context object, the caller is obligated not to access this block of memory, * i.e., the caller may not read or write the memory, e.g., by copying the memory @@ -54,14 +54,14 @@ SECP256K1_API size_t rustsecp256k1_v0_1_1_context_preallocated_size( * * Returns: a newly created context object. * In: prealloc: a pointer to a rewritable contiguous block of memory of - * size at least rustsecp256k1_v0_1_1_context_preallocated_size(flags) + * size at least rustsecp256k1_v0_1_2_context_preallocated_size(flags) * bytes, as detailed above (cannot be NULL) * flags: which parts of the context to initialize. * - * See also rustsecp256k1_v0_1_1_context_randomize (in secp256k1.h) - * and rustsecp256k1_v0_1_1_context_preallocated_destroy. + * See also rustsecp256k1_v0_1_2_context_randomize (in secp256k1.h) + * and rustsecp256k1_v0_1_2_context_preallocated_destroy. */ -SECP256K1_API rustsecp256k1_v0_1_1_context* rustsecp256k1_v0_1_1_context_preallocated_create( +SECP256K1_API rustsecp256k1_v0_1_2_context* rustsecp256k1_v0_1_2_context_preallocated_create( void* prealloc, unsigned int flags ) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT; @@ -72,28 +72,28 @@ SECP256K1_API rustsecp256k1_v0_1_1_context* rustsecp256k1_v0_1_1_context_preallo * Returns: the required size of the caller-provided memory block. * In: ctx: an existing context to copy (cannot be NULL) */ -SECP256K1_API size_t rustsecp256k1_v0_1_1_context_preallocated_clone_size( - const rustsecp256k1_v0_1_1_context* ctx +SECP256K1_API size_t rustsecp256k1_v0_1_2_context_preallocated_clone_size( + const rustsecp256k1_v0_1_2_context* ctx ) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT; /** Copy a secp256k1 context object into caller-provided memory. * * The caller must provide a pointer to a rewritable contiguous block of memory - * of size at least rustsecp256k1_v0_1_1_context_preallocated_size(flags) bytes, suitably + * of size at least rustsecp256k1_v0_1_2_context_preallocated_size(flags) bytes, suitably * aligned to hold an object of any type. * * The block of memory is exclusively owned by the created context object during * the lifetime of this context object, see the description of - * rustsecp256k1_v0_1_1_context_preallocated_create for details. + * rustsecp256k1_v0_1_2_context_preallocated_create for details. * * Returns: a newly created context object. * Args: ctx: an existing context to copy (cannot be NULL) * In: prealloc: a pointer to a rewritable contiguous block of memory of - * size at least rustsecp256k1_v0_1_1_context_preallocated_size(flags) + * size at least rustsecp256k1_v0_1_2_context_preallocated_size(flags) * bytes, as detailed above (cannot be NULL) */ -SECP256K1_API rustsecp256k1_v0_1_1_context* rustsecp256k1_v0_1_1_context_preallocated_clone( - const rustsecp256k1_v0_1_1_context* ctx, +SECP256K1_API rustsecp256k1_v0_1_2_context* rustsecp256k1_v0_1_2_context_preallocated_clone( + const rustsecp256k1_v0_1_2_context* ctx, void* prealloc ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_WARN_UNUSED_RESULT; @@ -103,22 +103,22 @@ SECP256K1_API rustsecp256k1_v0_1_1_context* rustsecp256k1_v0_1_1_context_preallo * The context pointer may not be used afterwards. * * The context to destroy must have been created using - * rustsecp256k1_v0_1_1_context_preallocated_create or rustsecp256k1_v0_1_1_context_preallocated_clone. - * If the context has instead been created using rustsecp256k1_v0_1_1_context_create or - * rustsecp256k1_v0_1_1_context_clone, the behaviour is undefined. In that case, - * rustsecp256k1_v0_1_1_context_destroy must be used instead. + * rustsecp256k1_v0_1_2_context_preallocated_create or rustsecp256k1_v0_1_2_context_preallocated_clone. + * If the context has instead been created using rustsecp256k1_v0_1_2_context_create or + * rustsecp256k1_v0_1_2_context_clone, the behaviour is undefined. In that case, + * rustsecp256k1_v0_1_2_context_destroy must be used instead. * * If required, it is the responsibility of the caller to deallocate the block * of memory properly after this function returns, e.g., by calling free on the - * preallocated pointer given to rustsecp256k1_v0_1_1_context_preallocated_create or - * rustsecp256k1_v0_1_1_context_preallocated_clone. + * preallocated pointer given to rustsecp256k1_v0_1_2_context_preallocated_create or + * rustsecp256k1_v0_1_2_context_preallocated_clone. * * Args: ctx: an existing context to destroy, constructed using - * rustsecp256k1_v0_1_1_context_preallocated_create or - * rustsecp256k1_v0_1_1_context_preallocated_clone (cannot be NULL) + * rustsecp256k1_v0_1_2_context_preallocated_create or + * rustsecp256k1_v0_1_2_context_preallocated_clone (cannot be NULL) */ -SECP256K1_API void rustsecp256k1_v0_1_1_context_preallocated_destroy( - rustsecp256k1_v0_1_1_context* ctx +SECP256K1_API void rustsecp256k1_v0_1_2_context_preallocated_destroy( + rustsecp256k1_v0_1_2_context* ctx ); #ifdef __cplusplus diff --git a/secp256k1-sys/depend/secp256k1/include/secp256k1_recovery.h b/secp256k1-sys/depend/secp256k1/include/secp256k1_recovery.h index b3a3d747b..3c16b4053 100644 --- a/secp256k1-sys/depend/secp256k1/include/secp256k1_recovery.h +++ b/secp256k1-sys/depend/secp256k1/include/secp256k1_recovery.h @@ -14,8 +14,8 @@ extern "C" { * guaranteed to be portable between different platforms or versions. It is * however guaranteed to be 65 bytes in size, and can be safely copied/moved. * If you need to convert to a format suitable for storage or transmission, use - * the rustsecp256k1_v0_1_1_ecdsa_signature_serialize_* and - * rustsecp256k1_v0_1_1_ecdsa_signature_parse_* functions. + * the rustsecp256k1_v0_1_2_ecdsa_signature_serialize_* and + * rustsecp256k1_v0_1_2_ecdsa_signature_parse_* functions. * * Furthermore, it is guaranteed that identical signatures (including their * recoverability) will have identical representation, so they can be @@ -23,7 +23,7 @@ extern "C" { */ typedef struct { unsigned char data[65]; -} rustsecp256k1_v0_1_1_ecdsa_recoverable_signature; +} rustsecp256k1_v0_1_2_ecdsa_recoverable_signature; /** Parse a compact ECDSA signature (64 bytes + recovery id). * @@ -33,9 +33,9 @@ typedef struct { * In: input64: a pointer to a 64-byte compact signature * recid: the recovery id (0, 1, 2 or 3) */ -SECP256K1_API int rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_parse_compact( - const rustsecp256k1_v0_1_1_context* ctx, - rustsecp256k1_v0_1_1_ecdsa_recoverable_signature* sig, +SECP256K1_API int rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_parse_compact( + const rustsecp256k1_v0_1_2_context* ctx, + rustsecp256k1_v0_1_2_ecdsa_recoverable_signature* sig, const unsigned char *input64, int recid ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); @@ -46,10 +46,10 @@ SECP256K1_API int rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_parse_compact * Out: sig: a pointer to a normal signature (cannot be NULL). * In: sigin: a pointer to a recoverable signature (cannot be NULL). */ -SECP256K1_API int rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_convert( - const rustsecp256k1_v0_1_1_context* ctx, - rustsecp256k1_v0_1_1_ecdsa_signature* sig, - const rustsecp256k1_v0_1_1_ecdsa_recoverable_signature* sigin +SECP256K1_API int rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_convert( + const rustsecp256k1_v0_1_2_context* ctx, + rustsecp256k1_v0_1_2_ecdsa_signature* sig, + const rustsecp256k1_v0_1_2_ecdsa_recoverable_signature* sigin ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3); /** Serialize an ECDSA signature in compact format (64 bytes + recovery id). @@ -60,30 +60,30 @@ SECP256K1_API int rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_convert( * recid: a pointer to an integer to hold the recovery id (can be NULL). * In: sig: a pointer to an initialized signature object (cannot be NULL) */ -SECP256K1_API int rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_serialize_compact( - const rustsecp256k1_v0_1_1_context* ctx, +SECP256K1_API int rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_serialize_compact( + const rustsecp256k1_v0_1_2_context* ctx, unsigned char *output64, int *recid, - const rustsecp256k1_v0_1_1_ecdsa_recoverable_signature* sig + const rustsecp256k1_v0_1_2_ecdsa_recoverable_signature* sig ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); /** Create a recoverable ECDSA signature. * * Returns: 1: signature created - * 0: the nonce generation function failed, or the private key was invalid. + * 0: the nonce generation function failed, or the secret key was invalid. * Args: ctx: pointer to a context object, initialized for signing (cannot be NULL) * Out: sig: pointer to an array where the signature will be placed (cannot be NULL) * In: msg32: the 32-byte message hash being signed (cannot be NULL) * seckey: pointer to a 32-byte secret key (cannot be NULL) - * noncefp:pointer to a nonce generation function. If NULL, rustsecp256k1_v0_1_1_nonce_function_default is used + * noncefp:pointer to a nonce generation function. If NULL, rustsecp256k1_v0_1_2_nonce_function_default is used * ndata: pointer to arbitrary data used by the nonce generation function (can be NULL) */ -SECP256K1_API int rustsecp256k1_v0_1_1_ecdsa_sign_recoverable( - const rustsecp256k1_v0_1_1_context* ctx, - rustsecp256k1_v0_1_1_ecdsa_recoverable_signature *sig, +SECP256K1_API int rustsecp256k1_v0_1_2_ecdsa_sign_recoverable( + const rustsecp256k1_v0_1_2_context* ctx, + rustsecp256k1_v0_1_2_ecdsa_recoverable_signature *sig, const unsigned char *msg32, const unsigned char *seckey, - rustsecp256k1_v0_1_1_nonce_function noncefp, + rustsecp256k1_v0_1_2_nonce_function noncefp, const void *ndata ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); @@ -96,10 +96,10 @@ SECP256K1_API int rustsecp256k1_v0_1_1_ecdsa_sign_recoverable( * In: sig: pointer to initialized signature that supports pubkey recovery (cannot be NULL) * msg32: the 32-byte message hash assumed to be signed (cannot be NULL) */ -SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_1_ecdsa_recover( - const rustsecp256k1_v0_1_1_context* ctx, - rustsecp256k1_v0_1_1_pubkey *pubkey, - const rustsecp256k1_v0_1_1_ecdsa_recoverable_signature *sig, +SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int rustsecp256k1_v0_1_2_ecdsa_recover( + const rustsecp256k1_v0_1_2_context* ctx, + rustsecp256k1_v0_1_2_pubkey *pubkey, + const rustsecp256k1_v0_1_2_ecdsa_recoverable_signature *sig, const unsigned char *msg32 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4); diff --git a/secp256k1-sys/depend/secp256k1/sage/secp256k1.sage b/secp256k1-sys/depend/secp256k1/sage/secp256k1.sage index 8e79c02b1..bbf3aedc2 100644 --- a/secp256k1-sys/depend/secp256k1/sage/secp256k1.sage +++ b/secp256k1-sys/depend/secp256k1/sage/secp256k1.sage @@ -5,8 +5,8 @@ import sys load("group_prover.sage") load("weierstrass_prover.sage") -def formula_rustsecp256k1_v0_1_1_gej_double_var(a): - """libsecp256k1's rustsecp256k1_v0_1_1_gej_double_var, used by various addition functions""" +def formula_rustsecp256k1_v0_1_2_gej_double_var(a): + """libsecp256k1's rustsecp256k1_v0_1_2_gej_double_var, used by various addition functions""" rz = a.Z * a.Y rz = rz * 2 t1 = a.X^2 @@ -29,8 +29,8 @@ def formula_rustsecp256k1_v0_1_1_gej_double_var(a): ry = ry + t2 return jacobianpoint(rx, ry, rz) -def formula_rustsecp256k1_v0_1_1_gej_add_var(branch, a, b): - """libsecp256k1's rustsecp256k1_v0_1_1_gej_add_var""" +def formula_rustsecp256k1_v0_1_2_gej_add_var(branch, a, b): + """libsecp256k1's rustsecp256k1_v0_1_2_gej_add_var""" if branch == 0: return (constraints(), constraints(nonzero={a.Infinity : 'a_infinite'}), b) if branch == 1: @@ -48,7 +48,7 @@ def formula_rustsecp256k1_v0_1_1_gej_add_var(branch, a, b): i = -s1 i = i + s2 if branch == 2: - r = formula_rustsecp256k1_v0_1_1_gej_double_var(a) + r = formula_rustsecp256k1_v0_1_2_gej_double_var(a) return (constraints(), constraints(zero={h : 'h=0', i : 'i=0', a.Infinity : 'a_finite', b.Infinity : 'b_finite'}), r) if branch == 3: return (constraints(), constraints(zero={h : 'h=0', a.Infinity : 'a_finite', b.Infinity : 'b_finite'}, nonzero={i : 'i!=0'}), point_at_infinity()) @@ -71,8 +71,8 @@ def formula_rustsecp256k1_v0_1_1_gej_add_var(branch, a, b): ry = ry + h3 return (constraints(), constraints(zero={a.Infinity : 'a_finite', b.Infinity : 'b_finite'}, nonzero={h : 'h!=0'}), jacobianpoint(rx, ry, rz)) -def formula_rustsecp256k1_v0_1_1_gej_add_ge_var(branch, a, b): - """libsecp256k1's rustsecp256k1_v0_1_1_gej_add_ge_var, which assume bz==1""" +def formula_rustsecp256k1_v0_1_2_gej_add_ge_var(branch, a, b): + """libsecp256k1's rustsecp256k1_v0_1_2_gej_add_ge_var, which assume bz==1""" if branch == 0: return (constraints(zero={b.Z - 1 : 'b.z=1'}), constraints(nonzero={a.Infinity : 'a_infinite'}), b) if branch == 1: @@ -88,7 +88,7 @@ def formula_rustsecp256k1_v0_1_1_gej_add_ge_var(branch, a, b): i = -s1 i = i + s2 if (branch == 2): - r = formula_rustsecp256k1_v0_1_1_gej_double_var(a) + r = formula_rustsecp256k1_v0_1_2_gej_double_var(a) return (constraints(zero={b.Z - 1 : 'b.z=1'}), constraints(zero={a.Infinity : 'a_finite', b.Infinity : 'b_finite', h : 'h=0', i : 'i=0'}), r) if (branch == 3): return (constraints(zero={b.Z - 1 : 'b.z=1'}), constraints(zero={a.Infinity : 'a_finite', b.Infinity : 'b_finite', h : 'h=0'}, nonzero={i : 'i!=0'}), point_at_infinity()) @@ -110,8 +110,8 @@ def formula_rustsecp256k1_v0_1_1_gej_add_ge_var(branch, a, b): ry = ry + h3 return (constraints(zero={b.Z - 1 : 'b.z=1'}), constraints(zero={a.Infinity : 'a_finite', b.Infinity : 'b_finite'}, nonzero={h : 'h!=0'}), jacobianpoint(rx, ry, rz)) -def formula_rustsecp256k1_v0_1_1_gej_add_zinv_var(branch, a, b): - """libsecp256k1's rustsecp256k1_v0_1_1_gej_add_zinv_var""" +def formula_rustsecp256k1_v0_1_2_gej_add_zinv_var(branch, a, b): + """libsecp256k1's rustsecp256k1_v0_1_2_gej_add_zinv_var""" bzinv = b.Z^(-1) if branch == 0: return (constraints(), constraints(nonzero={b.Infinity : 'b_infinite'}), a) @@ -134,7 +134,7 @@ def formula_rustsecp256k1_v0_1_1_gej_add_zinv_var(branch, a, b): i = -s1 i = i + s2 if branch == 2: - r = formula_rustsecp256k1_v0_1_1_gej_double_var(a) + r = formula_rustsecp256k1_v0_1_2_gej_double_var(a) return (constraints(), constraints(zero={a.Infinity : 'a_finite', b.Infinity : 'b_finite', h : 'h=0', i : 'i=0'}), r) if branch == 3: return (constraints(), constraints(zero={a.Infinity : 'a_finite', b.Infinity : 'b_finite', h : 'h=0'}, nonzero={i : 'i!=0'}), point_at_infinity()) @@ -157,8 +157,8 @@ def formula_rustsecp256k1_v0_1_1_gej_add_zinv_var(branch, a, b): ry = ry + h3 return (constraints(), constraints(zero={a.Infinity : 'a_finite', b.Infinity : 'b_finite'}, nonzero={h : 'h!=0'}), jacobianpoint(rx, ry, rz)) -def formula_rustsecp256k1_v0_1_1_gej_add_ge(branch, a, b): - """libsecp256k1's rustsecp256k1_v0_1_1_gej_add_ge""" +def formula_rustsecp256k1_v0_1_2_gej_add_ge(branch, a, b): + """libsecp256k1's rustsecp256k1_v0_1_2_gej_add_ge""" zeroes = {} nonzeroes = {} a_infinity = False @@ -229,8 +229,8 @@ def formula_rustsecp256k1_v0_1_1_gej_add_ge(branch, a, b): return (constraints(zero={b.Z - 1 : 'b.z=1', b.Infinity : 'b_finite'}), constraints(zero=zeroes, nonzero=nonzeroes), point_at_infinity()) return (constraints(zero={b.Z - 1 : 'b.z=1', b.Infinity : 'b_finite'}), constraints(zero=zeroes, nonzero=nonzeroes), jacobianpoint(rx, ry, rz)) -def formula_rustsecp256k1_v0_1_1_gej_add_ge_old(branch, a, b): - """libsecp256k1's old rustsecp256k1_v0_1_1_gej_add_ge, which fails when ay+by=0 but ax!=bx""" +def formula_rustsecp256k1_v0_1_2_gej_add_ge_old(branch, a, b): + """libsecp256k1's old rustsecp256k1_v0_1_2_gej_add_ge, which fails when ay+by=0 but ax!=bx""" a_infinity = (branch & 1) != 0 zero = {} nonzero = {} @@ -292,15 +292,15 @@ def formula_rustsecp256k1_v0_1_1_gej_add_ge_old(branch, a, b): return (constraints(zero={b.Z - 1 : 'b.z=1', b.Infinity : 'b_finite'}), constraints(zero=zero, nonzero=nonzero), jacobianpoint(rx, ry, rz)) if __name__ == "__main__": - check_symbolic_jacobian_weierstrass("rustsecp256k1_v0_1_1_gej_add_var", 0, 7, 5, formula_rustsecp256k1_v0_1_1_gej_add_var) - check_symbolic_jacobian_weierstrass("rustsecp256k1_v0_1_1_gej_add_ge_var", 0, 7, 5, formula_rustsecp256k1_v0_1_1_gej_add_ge_var) - check_symbolic_jacobian_weierstrass("rustsecp256k1_v0_1_1_gej_add_zinv_var", 0, 7, 5, formula_rustsecp256k1_v0_1_1_gej_add_zinv_var) - check_symbolic_jacobian_weierstrass("rustsecp256k1_v0_1_1_gej_add_ge", 0, 7, 16, formula_rustsecp256k1_v0_1_1_gej_add_ge) - check_symbolic_jacobian_weierstrass("rustsecp256k1_v0_1_1_gej_add_ge_old [should fail]", 0, 7, 4, formula_rustsecp256k1_v0_1_1_gej_add_ge_old) + check_symbolic_jacobian_weierstrass("rustsecp256k1_v0_1_2_gej_add_var", 0, 7, 5, formula_rustsecp256k1_v0_1_2_gej_add_var) + check_symbolic_jacobian_weierstrass("rustsecp256k1_v0_1_2_gej_add_ge_var", 0, 7, 5, formula_rustsecp256k1_v0_1_2_gej_add_ge_var) + check_symbolic_jacobian_weierstrass("rustsecp256k1_v0_1_2_gej_add_zinv_var", 0, 7, 5, formula_rustsecp256k1_v0_1_2_gej_add_zinv_var) + check_symbolic_jacobian_weierstrass("rustsecp256k1_v0_1_2_gej_add_ge", 0, 7, 16, formula_rustsecp256k1_v0_1_2_gej_add_ge) + check_symbolic_jacobian_weierstrass("rustsecp256k1_v0_1_2_gej_add_ge_old [should fail]", 0, 7, 4, formula_rustsecp256k1_v0_1_2_gej_add_ge_old) if len(sys.argv) >= 2 and sys.argv[1] == "--exhaustive": - check_exhaustive_jacobian_weierstrass("rustsecp256k1_v0_1_1_gej_add_var", 0, 7, 5, formula_rustsecp256k1_v0_1_1_gej_add_var, 43) - check_exhaustive_jacobian_weierstrass("rustsecp256k1_v0_1_1_gej_add_ge_var", 0, 7, 5, formula_rustsecp256k1_v0_1_1_gej_add_ge_var, 43) - check_exhaustive_jacobian_weierstrass("rustsecp256k1_v0_1_1_gej_add_zinv_var", 0, 7, 5, formula_rustsecp256k1_v0_1_1_gej_add_zinv_var, 43) - check_exhaustive_jacobian_weierstrass("rustsecp256k1_v0_1_1_gej_add_ge", 0, 7, 16, formula_rustsecp256k1_v0_1_1_gej_add_ge, 43) - check_exhaustive_jacobian_weierstrass("rustsecp256k1_v0_1_1_gej_add_ge_old [should fail]", 0, 7, 4, formula_rustsecp256k1_v0_1_1_gej_add_ge_old, 43) + check_exhaustive_jacobian_weierstrass("rustsecp256k1_v0_1_2_gej_add_var", 0, 7, 5, formula_rustsecp256k1_v0_1_2_gej_add_var, 43) + check_exhaustive_jacobian_weierstrass("rustsecp256k1_v0_1_2_gej_add_ge_var", 0, 7, 5, formula_rustsecp256k1_v0_1_2_gej_add_ge_var, 43) + check_exhaustive_jacobian_weierstrass("rustsecp256k1_v0_1_2_gej_add_zinv_var", 0, 7, 5, formula_rustsecp256k1_v0_1_2_gej_add_zinv_var, 43) + check_exhaustive_jacobian_weierstrass("rustsecp256k1_v0_1_2_gej_add_ge", 0, 7, 16, formula_rustsecp256k1_v0_1_2_gej_add_ge, 43) + check_exhaustive_jacobian_weierstrass("rustsecp256k1_v0_1_2_gej_add_ge_old [should fail]", 0, 7, 4, formula_rustsecp256k1_v0_1_2_gej_add_ge_old, 43) diff --git a/secp256k1-sys/depend/secp256k1/src/asm/field_10x26_arm.s b/secp256k1-sys/depend/secp256k1/src/asm/field_10x26_arm.s index 1d5139228..a486de1b2 100644 --- a/secp256k1-sys/depend/secp256k1/src/asm/field_10x26_arm.s +++ b/secp256k1-sys/depend/secp256k1/src/asm/field_10x26_arm.s @@ -27,8 +27,8 @@ Note: .set field_not_M, 0xfc000000 @ ~M = ~0x3ffffff .align 2 - .global rustsecp256k1_v0_1_1_fe_mul_inner - .type rustsecp256k1_v0_1_1_fe_mul_inner, %function + .global rustsecp256k1_v0_1_2_fe_mul_inner + .type rustsecp256k1_v0_1_2_fe_mul_inner, %function @ Arguments: @ r0 r Restrict: can overlap with a, not with b @ r1 a @@ -36,7 +36,7 @@ Note: @ Stack (total 4+10*4 = 44) @ sp + #0 saved 'r' pointer @ sp + #4 + 4*X t0,t1,t2,t3,t4,t5,t6,t7,u8,t9 -rustsecp256k1_v0_1_1_fe_mul_inner: +rustsecp256k1_v0_1_2_fe_mul_inner: stmfd sp!, {r4, r5, r6, r7, r8, r9, r10, r11, r14} sub sp, sp, #48 @ frame=44 + alignment str r0, [sp, #0] @ save result address, we need it only at the end @@ -511,18 +511,18 @@ rustsecp256k1_v0_1_1_fe_mul_inner: add sp, sp, #48 ldmfd sp!, {r4, r5, r6, r7, r8, r9, r10, r11, pc} - .size rustsecp256k1_v0_1_1_fe_mul_inner, .-rustsecp256k1_v0_1_1_fe_mul_inner + .size rustsecp256k1_v0_1_2_fe_mul_inner, .-rustsecp256k1_v0_1_2_fe_mul_inner .align 2 - .global rustsecp256k1_v0_1_1_fe_sqr_inner - .type rustsecp256k1_v0_1_1_fe_sqr_inner, %function + .global rustsecp256k1_v0_1_2_fe_sqr_inner + .type rustsecp256k1_v0_1_2_fe_sqr_inner, %function @ Arguments: @ r0 r Can overlap with a @ r1 a @ Stack (total 4+10*4 = 44) @ sp + #0 saved 'r' pointer @ sp + #4 + 4*X t0,t1,t2,t3,t4,t5,t6,t7,u8,t9 -rustsecp256k1_v0_1_1_fe_sqr_inner: +rustsecp256k1_v0_1_2_fe_sqr_inner: stmfd sp!, {r4, r5, r6, r7, r8, r9, r10, r11, r14} sub sp, sp, #48 @ frame=44 + alignment str r0, [sp, #0] @ save result address, we need it only at the end @@ -909,5 +909,5 @@ rustsecp256k1_v0_1_1_fe_sqr_inner: add sp, sp, #48 ldmfd sp!, {r4, r5, r6, r7, r8, r9, r10, r11, pc} - .size rustsecp256k1_v0_1_1_fe_sqr_inner, .-rustsecp256k1_v0_1_1_fe_sqr_inner + .size rustsecp256k1_v0_1_2_fe_sqr_inner, .-rustsecp256k1_v0_1_2_fe_sqr_inner diff --git a/secp256k1-sys/depend/secp256k1/src/basic-config.h b/secp256k1-sys/depend/secp256k1/src/basic-config.h index 3a3969d30..e9be39d4c 100644 --- a/secp256k1-sys/depend/secp256k1/src/basic-config.h +++ b/secp256k1-sys/depend/secp256k1/src/basic-config.h @@ -24,6 +24,7 @@ #undef USE_SCALAR_8X32 #undef USE_SCALAR_INV_BUILTIN #undef USE_SCALAR_INV_NUM +#undef ECMULT_WINDOW_SIZE #define USE_NUM_NONE 1 #define USE_FIELD_INV_BUILTIN 1 diff --git a/secp256k1-sys/depend/secp256k1/src/bench.h b/secp256k1-sys/depend/secp256k1/src/bench.h index 5b59783f6..9bfed903e 100644 --- a/secp256k1-sys/depend/secp256k1/src/bench.h +++ b/secp256k1-sys/depend/secp256k1/src/bench.h @@ -7,45 +7,87 @@ #ifndef SECP256K1_BENCH_H #define SECP256K1_BENCH_H +#include #include #include -#include #include "sys/time.h" -static double gettimedouble(void) { +static int64_t gettime_i64(void) { struct timeval tv; gettimeofday(&tv, NULL); - return tv.tv_usec * 0.000001 + tv.tv_sec; + return (int64_t)tv.tv_usec + (int64_t)tv.tv_sec * 1000000LL; } -void print_number(double x) { - double y = x; - int c = 0; - if (y < 0.0) { - y = -y; +#define FP_EXP (6) +#define FP_MULT (1000000LL) + +/* Format fixed point number. */ +void print_number(const int64_t x) { + int64_t x_abs, y; + int c, i, rounding; + size_t ptr; + char buffer[30]; + + if (x == INT64_MIN) { + /* Prevent UB. */ + printf("ERR"); + return; } - while (y > 0 && y < 100.0) { - y *= 10.0; + x_abs = x < 0 ? -x : x; + + /* Determine how many decimals we want to show (more than FP_EXP makes no + * sense). */ + y = x_abs; + c = 0; + while (y > 0LL && y < 100LL * FP_MULT && c < FP_EXP) { + y *= 10LL; c++; } - printf("%.*f", c, x); + + /* Round to 'c' decimals. */ + y = x_abs; + rounding = 0; + for (i = c; i < FP_EXP; ++i) { + rounding = (y % 10) >= 5; + y /= 10; + } + y += rounding; + + /* Format and print the number. */ + ptr = sizeof(buffer) - 1; + buffer[ptr] = 0; + if (c != 0) { + for (i = 0; i < c; ++i) { + buffer[--ptr] = '0' + (y % 10); + y /= 10; + } + buffer[--ptr] = '.'; + } + do { + buffer[--ptr] = '0' + (y % 10); + y /= 10; + } while (y != 0); + if (x < 0) { + buffer[--ptr] = '-'; + } + printf("%s", &buffer[ptr]); } -void run_benchmark(char *name, void (*benchmark)(void*), void (*setup)(void*), void (*teardown)(void*), void* data, int count, int iter) { +void run_benchmark(char *name, void (*benchmark)(void*, int), void (*setup)(void*), void (*teardown)(void*, int), void* data, int count, int iter) { int i; - double min = HUGE_VAL; - double sum = 0.0; - double max = 0.0; + int64_t min = INT64_MAX; + int64_t sum = 0; + int64_t max = 0; for (i = 0; i < count; i++) { - double begin, total; + int64_t begin, total; if (setup != NULL) { setup(data); } - begin = gettimedouble(); - benchmark(data); - total = gettimedouble() - begin; + begin = gettime_i64(); + benchmark(data, iter); + total = gettime_i64() - begin; if (teardown != NULL) { - teardown(data); + teardown(data, iter); } if (total < min) { min = total; @@ -56,11 +98,11 @@ void run_benchmark(char *name, void (*benchmark)(void*), void (*setup)(void*), v sum += total; } printf("%s: min ", name); - print_number(min * 1000000.0 / iter); + print_number(min * FP_MULT / iter); printf("us / avg "); - print_number((sum / count) * 1000000.0 / iter); + print_number(((sum * FP_MULT) / count) / iter); printf("us / max "); - print_number(max * 1000000.0 / iter); + print_number(max * FP_MULT / iter); printf("us\n"); } @@ -79,4 +121,13 @@ int have_flag(int argc, char** argv, char *flag) { return 0; } +int get_iters(int default_iters) { + char* env = getenv("SECP256K1_BENCH_ITERS"); + if (env) { + return strtol(env, NULL, 0); + } else { + return default_iters; + } +} + #endif /* SECP256K1_BENCH_H */ diff --git a/secp256k1-sys/depend/secp256k1/src/bench_ecdh.c b/secp256k1-sys/depend/secp256k1/src/bench_ecdh.c index ff3d7cd93..759f02a50 100644 --- a/secp256k1-sys/depend/secp256k1/src/bench_ecdh.c +++ b/secp256k1-sys/depend/secp256k1/src/bench_ecdh.c @@ -12,8 +12,8 @@ #include "bench.h" typedef struct { - rustsecp256k1_v0_1_1_context *ctx; - rustsecp256k1_v0_1_1_pubkey point; + rustsecp256k1_v0_1_2_context *ctx; + rustsecp256k1_v0_1_2_pubkey point; unsigned char scalar[32]; } bench_ecdh_data; @@ -28,27 +28,32 @@ static void bench_ecdh_setup(void* arg) { 0xa2, 0xba, 0xd1, 0x84, 0xf8, 0x83, 0xc6, 0x9f }; - /* create a context with no capabilities */ - data->ctx = rustsecp256k1_v0_1_1_context_create(SECP256K1_FLAGS_TYPE_CONTEXT); for (i = 0; i < 32; i++) { data->scalar[i] = i + 1; } - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_parse(data->ctx, &data->point, point, sizeof(point)) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_parse(data->ctx, &data->point, point, sizeof(point)) == 1); } -static void bench_ecdh(void* arg) { +static void bench_ecdh(void* arg, int iters) { int i; unsigned char res[32]; bench_ecdh_data *data = (bench_ecdh_data*)arg; - for (i = 0; i < 20000; i++) { - CHECK(rustsecp256k1_v0_1_1_ecdh(data->ctx, res, &data->point, data->scalar, NULL, NULL) == 1); + for (i = 0; i < iters; i++) { + CHECK(rustsecp256k1_v0_1_2_ecdh(data->ctx, res, &data->point, data->scalar, NULL, NULL) == 1); } } int main(void) { bench_ecdh_data data; - run_benchmark("ecdh", bench_ecdh, bench_ecdh_setup, NULL, &data, 10, 20000); + int iters = get_iters(20000); + + /* create a context with no capabilities */ + data.ctx = rustsecp256k1_v0_1_2_context_create(SECP256K1_FLAGS_TYPE_CONTEXT); + + run_benchmark("ecdh", bench_ecdh, bench_ecdh_setup, NULL, &data, 10, iters); + + rustsecp256k1_v0_1_2_context_destroy(data.ctx); return 0; } diff --git a/secp256k1-sys/depend/secp256k1/src/bench_ecmult.c b/secp256k1-sys/depend/secp256k1/src/bench_ecmult.c index c96974ac5..19e102d6c 100644 --- a/secp256k1-sys/depend/secp256k1/src/bench_ecmult.c +++ b/secp256k1-sys/depend/secp256k1/src/bench_ecmult.c @@ -18,17 +18,16 @@ #include "secp256k1.c" #define POINTS 32768 -#define ITERS 10000 typedef struct { /* Setup once in advance */ - rustsecp256k1_v0_1_1_context* ctx; - rustsecp256k1_v0_1_1_scratch_space* scratch; - rustsecp256k1_v0_1_1_scalar* scalars; - rustsecp256k1_v0_1_1_ge* pubkeys; - rustsecp256k1_v0_1_1_scalar* seckeys; - rustsecp256k1_v0_1_1_gej* expected_output; - rustsecp256k1_v0_1_1_ecmult_multi_func ecmult_multi; + rustsecp256k1_v0_1_2_context* ctx; + rustsecp256k1_v0_1_2_scratch_space* scratch; + rustsecp256k1_v0_1_2_scalar* scalars; + rustsecp256k1_v0_1_2_ge* pubkeys; + rustsecp256k1_v0_1_2_scalar* seckeys; + rustsecp256k1_v0_1_2_gej* expected_output; + rustsecp256k1_v0_1_2_ecmult_multi_func ecmult_multi; /* Changes per test */ size_t count; @@ -39,15 +38,15 @@ typedef struct { size_t offset2; /* Test output. */ - rustsecp256k1_v0_1_1_gej* output; + rustsecp256k1_v0_1_2_gej* output; } bench_data; -static int bench_callback(rustsecp256k1_v0_1_1_scalar* sc, rustsecp256k1_v0_1_1_ge* ge, size_t idx, void* arg) { +static int bench_callback(rustsecp256k1_v0_1_2_scalar* sc, rustsecp256k1_v0_1_2_ge* ge, size_t idx, void* arg) { bench_data* data = (bench_data*)arg; if (data->includes_g) ++idx; if (idx == 0) { *sc = data->scalars[data->offset1]; - *ge = rustsecp256k1_v0_1_1_ge_const_g; + *ge = rustsecp256k1_v0_1_2_ge_const_g; } else { *sc = data->scalars[(data->offset1 + idx) % POINTS]; *ge = data->pubkeys[(data->offset2 + idx - 1) % POINTS]; @@ -55,13 +54,13 @@ static int bench_callback(rustsecp256k1_v0_1_1_scalar* sc, rustsecp256k1_v0_1_1_ return 1; } -static void bench_ecmult(void* arg) { +static void bench_ecmult(void* arg, int iters) { bench_data* data = (bench_data*)arg; - size_t count = data->count; int includes_g = data->includes_g; - size_t iters = 1 + ITERS / count; - size_t iter; + int iter; + int count = data->count; + iters = iters / data->count; for (iter = 0; iter < iters; ++iter) { data->ecmult_multi(&data->ctx->error_callback, &data->ctx->ecmult_ctx, data->scratch, &data->output[iter], data->includes_g ? &data->scalars[data->offset1] : NULL, bench_callback, arg, count - includes_g); @@ -76,20 +75,20 @@ static void bench_ecmult_setup(void* arg) { data->offset2 = (data->count * 0x7f6f537b + 0x6a1a8f49) % POINTS; } -static void bench_ecmult_teardown(void* arg) { +static void bench_ecmult_teardown(void* arg, int iters) { bench_data* data = (bench_data*)arg; - size_t iters = 1 + ITERS / data->count; - size_t iter; + int iter; + iters = iters / data->count; /* Verify the results in teardown, to avoid doing comparisons while benchmarking. */ for (iter = 0; iter < iters; ++iter) { - rustsecp256k1_v0_1_1_gej tmp; - rustsecp256k1_v0_1_1_gej_add_var(&tmp, &data->output[iter], &data->expected_output[iter], NULL); - CHECK(rustsecp256k1_v0_1_1_gej_is_infinity(&tmp)); + rustsecp256k1_v0_1_2_gej tmp; + rustsecp256k1_v0_1_2_gej_add_var(&tmp, &data->output[iter], &data->expected_output[iter], NULL); + CHECK(rustsecp256k1_v0_1_2_gej_is_infinity(&tmp)); } } -static void generate_scalar(uint32_t num, rustsecp256k1_v0_1_1_scalar* scalar) { - rustsecp256k1_v0_1_1_sha256 sha256; +static void generate_scalar(uint32_t num, rustsecp256k1_v0_1_2_scalar* scalar) { + rustsecp256k1_v0_1_2_sha256 sha256; unsigned char c[11] = {'e', 'c', 'm', 'u', 'l', 't', 0, 0, 0, 0}; unsigned char buf[32]; int overflow = 0; @@ -97,17 +96,17 @@ static void generate_scalar(uint32_t num, rustsecp256k1_v0_1_1_scalar* scalar) { c[7] = num >> 8; c[8] = num >> 16; c[9] = num >> 24; - rustsecp256k1_v0_1_1_sha256_initialize(&sha256); - rustsecp256k1_v0_1_1_sha256_write(&sha256, c, sizeof(c)); - rustsecp256k1_v0_1_1_sha256_finalize(&sha256, buf); - rustsecp256k1_v0_1_1_scalar_set_b32(scalar, buf, &overflow); + rustsecp256k1_v0_1_2_sha256_initialize(&sha256); + rustsecp256k1_v0_1_2_sha256_write(&sha256, c, sizeof(c)); + rustsecp256k1_v0_1_2_sha256_finalize(&sha256, buf); + rustsecp256k1_v0_1_2_scalar_set_b32(scalar, buf, &overflow); CHECK(!overflow); } -static void run_test(bench_data* data, size_t count, int includes_g) { +static void run_test(bench_data* data, size_t count, int includes_g, int num_iters) { char str[32]; - static const rustsecp256k1_v0_1_1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); - size_t iters = 1 + ITERS / count; + static const rustsecp256k1_v0_1_2_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); + size_t iters = 1 + num_iters / count; size_t iter; data->count = count; @@ -117,44 +116,46 @@ static void run_test(bench_data* data, size_t count, int includes_g) { data->offset1 = (data->count * 0x537b7f6f + 0x8f66a481) % POINTS; data->offset2 = (data->count * 0x7f6f537b + 0x6a1a8f49) % POINTS; for (iter = 0; iter < iters; ++iter) { - rustsecp256k1_v0_1_1_scalar tmp; - rustsecp256k1_v0_1_1_scalar total = data->scalars[(data->offset1++) % POINTS]; + rustsecp256k1_v0_1_2_scalar tmp; + rustsecp256k1_v0_1_2_scalar total = data->scalars[(data->offset1++) % POINTS]; size_t i = 0; for (i = 0; i + 1 < count; ++i) { - rustsecp256k1_v0_1_1_scalar_mul(&tmp, &data->seckeys[(data->offset2++) % POINTS], &data->scalars[(data->offset1++) % POINTS]); - rustsecp256k1_v0_1_1_scalar_add(&total, &total, &tmp); + rustsecp256k1_v0_1_2_scalar_mul(&tmp, &data->seckeys[(data->offset2++) % POINTS], &data->scalars[(data->offset1++) % POINTS]); + rustsecp256k1_v0_1_2_scalar_add(&total, &total, &tmp); } - rustsecp256k1_v0_1_1_scalar_negate(&total, &total); - rustsecp256k1_v0_1_1_ecmult(&data->ctx->ecmult_ctx, &data->expected_output[iter], NULL, &zero, &total); + rustsecp256k1_v0_1_2_scalar_negate(&total, &total); + rustsecp256k1_v0_1_2_ecmult(&data->ctx->ecmult_ctx, &data->expected_output[iter], NULL, &zero, &total); } /* Run the benchmark. */ sprintf(str, includes_g ? "ecmult_%ig" : "ecmult_%i", (int)count); - run_benchmark(str, bench_ecmult, bench_ecmult_setup, bench_ecmult_teardown, data, 10, count * (1 + ITERS / count)); + run_benchmark(str, bench_ecmult, bench_ecmult_setup, bench_ecmult_teardown, data, 10, count * iters); } int main(int argc, char **argv) { bench_data data; int i, p; - rustsecp256k1_v0_1_1_gej* pubkeys_gej; + rustsecp256k1_v0_1_2_gej* pubkeys_gej; size_t scratch_size; - data.ctx = rustsecp256k1_v0_1_1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); - scratch_size = rustsecp256k1_v0_1_1_strauss_scratch_size(POINTS) + STRAUSS_SCRATCH_OBJECTS*16; - data.scratch = rustsecp256k1_v0_1_1_scratch_space_create(data.ctx, scratch_size); - data.ecmult_multi = rustsecp256k1_v0_1_1_ecmult_multi_var; + int iters = get_iters(10000); + + data.ctx = rustsecp256k1_v0_1_2_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); + scratch_size = rustsecp256k1_v0_1_2_strauss_scratch_size(POINTS) + STRAUSS_SCRATCH_OBJECTS*16; + data.scratch = rustsecp256k1_v0_1_2_scratch_space_create(data.ctx, scratch_size); + data.ecmult_multi = rustsecp256k1_v0_1_2_ecmult_multi_var; if (argc > 1) { if(have_flag(argc, argv, "pippenger_wnaf")) { printf("Using pippenger_wnaf:\n"); - data.ecmult_multi = rustsecp256k1_v0_1_1_ecmult_pippenger_batch_single; + data.ecmult_multi = rustsecp256k1_v0_1_2_ecmult_pippenger_batch_single; } else if(have_flag(argc, argv, "strauss_wnaf")) { printf("Using strauss_wnaf:\n"); - data.ecmult_multi = rustsecp256k1_v0_1_1_ecmult_strauss_batch_single; + data.ecmult_multi = rustsecp256k1_v0_1_2_ecmult_strauss_batch_single; } else if(have_flag(argc, argv, "simple")) { printf("Using simple algorithm:\n"); - data.ecmult_multi = rustsecp256k1_v0_1_1_ecmult_multi_var; - rustsecp256k1_v0_1_1_scratch_space_destroy(data.ctx, data.scratch); + data.ecmult_multi = rustsecp256k1_v0_1_2_ecmult_multi_var; + rustsecp256k1_v0_1_2_scratch_space_destroy(data.ctx, data.scratch); data.scratch = NULL; } else { fprintf(stderr, "%s: unrecognized argument '%s'.\n", argv[0], argv[1]); @@ -164,39 +165,45 @@ int main(int argc, char **argv) { } /* Allocate stuff */ - data.scalars = malloc(sizeof(rustsecp256k1_v0_1_1_scalar) * POINTS); - data.seckeys = malloc(sizeof(rustsecp256k1_v0_1_1_scalar) * POINTS); - data.pubkeys = malloc(sizeof(rustsecp256k1_v0_1_1_ge) * POINTS); - data.expected_output = malloc(sizeof(rustsecp256k1_v0_1_1_gej) * (ITERS + 1)); - data.output = malloc(sizeof(rustsecp256k1_v0_1_1_gej) * (ITERS + 1)); + data.scalars = malloc(sizeof(rustsecp256k1_v0_1_2_scalar) * POINTS); + data.seckeys = malloc(sizeof(rustsecp256k1_v0_1_2_scalar) * POINTS); + data.pubkeys = malloc(sizeof(rustsecp256k1_v0_1_2_ge) * POINTS); + data.expected_output = malloc(sizeof(rustsecp256k1_v0_1_2_gej) * (iters + 1)); + data.output = malloc(sizeof(rustsecp256k1_v0_1_2_gej) * (iters + 1)); /* Generate a set of scalars, and private/public keypairs. */ - pubkeys_gej = malloc(sizeof(rustsecp256k1_v0_1_1_gej) * POINTS); - rustsecp256k1_v0_1_1_gej_set_ge(&pubkeys_gej[0], &rustsecp256k1_v0_1_1_ge_const_g); - rustsecp256k1_v0_1_1_scalar_set_int(&data.seckeys[0], 1); + pubkeys_gej = malloc(sizeof(rustsecp256k1_v0_1_2_gej) * POINTS); + rustsecp256k1_v0_1_2_gej_set_ge(&pubkeys_gej[0], &rustsecp256k1_v0_1_2_ge_const_g); + rustsecp256k1_v0_1_2_scalar_set_int(&data.seckeys[0], 1); for (i = 0; i < POINTS; ++i) { generate_scalar(i, &data.scalars[i]); if (i) { - rustsecp256k1_v0_1_1_gej_double_var(&pubkeys_gej[i], &pubkeys_gej[i - 1], NULL); - rustsecp256k1_v0_1_1_scalar_add(&data.seckeys[i], &data.seckeys[i - 1], &data.seckeys[i - 1]); + rustsecp256k1_v0_1_2_gej_double_var(&pubkeys_gej[i], &pubkeys_gej[i - 1], NULL); + rustsecp256k1_v0_1_2_scalar_add(&data.seckeys[i], &data.seckeys[i - 1], &data.seckeys[i - 1]); } } - rustsecp256k1_v0_1_1_ge_set_all_gej_var(data.pubkeys, pubkeys_gej, POINTS); + rustsecp256k1_v0_1_2_ge_set_all_gej_var(data.pubkeys, pubkeys_gej, POINTS); free(pubkeys_gej); for (i = 1; i <= 8; ++i) { - run_test(&data, i, 1); + run_test(&data, i, 1, iters); } - for (p = 0; p <= 11; ++p) { - for (i = 9; i <= 16; ++i) { - run_test(&data, i << p, 1); + /* This is disabled with low count of iterations because the loop runs 77 times even with iters=1 + * and the higher it goes the longer the computation takes(more points) + * So we don't run this benchmark with low iterations to prevent slow down */ + if (iters > 2) { + for (p = 0; p <= 11; ++p) { + for (i = 9; i <= 16; ++i) { + run_test(&data, i << p, 1, iters); + } } } + if (data.scratch != NULL) { - rustsecp256k1_v0_1_1_scratch_space_destroy(data.ctx, data.scratch); + rustsecp256k1_v0_1_2_scratch_space_destroy(data.ctx, data.scratch); } - rustsecp256k1_v0_1_1_context_destroy(data.ctx); + rustsecp256k1_v0_1_2_context_destroy(data.ctx); free(data.scalars); free(data.pubkeys); free(data.seckeys); diff --git a/secp256k1-sys/depend/secp256k1/src/bench_internal.c b/secp256k1-sys/depend/secp256k1/src/bench_internal.c index ff2f35ca5..e3cbb8e5e 100644 --- a/secp256k1-sys/depend/secp256k1/src/bench_internal.c +++ b/secp256k1-sys/depend/secp256k1/src/bench_internal.c @@ -19,10 +19,10 @@ #include "secp256k1.c" typedef struct { - rustsecp256k1_v0_1_1_scalar scalar_x, scalar_y; - rustsecp256k1_v0_1_1_fe fe_x, fe_y; - rustsecp256k1_v0_1_1_ge ge_x, ge_y; - rustsecp256k1_v0_1_1_gej gej_x, gej_y; + rustsecp256k1_v0_1_2_scalar scalar_x, scalar_y; + rustsecp256k1_v0_1_2_fe fe_x, fe_y; + rustsecp256k1_v0_1_2_ge ge_x, ge_y; + rustsecp256k1_v0_1_2_gej gej_x, gej_y; unsigned char data[64]; int wnaf[256]; } bench_inv; @@ -44,326 +44,338 @@ void bench_setup(void* arg) { 0x11, 0x15, 0x17, 0x1b, 0x1d, 0xb1, 0xbf, 0xd3 }; - rustsecp256k1_v0_1_1_scalar_set_b32(&data->scalar_x, init_x, NULL); - rustsecp256k1_v0_1_1_scalar_set_b32(&data->scalar_y, init_y, NULL); - rustsecp256k1_v0_1_1_fe_set_b32(&data->fe_x, init_x); - rustsecp256k1_v0_1_1_fe_set_b32(&data->fe_y, init_y); - CHECK(rustsecp256k1_v0_1_1_ge_set_xo_var(&data->ge_x, &data->fe_x, 0)); - CHECK(rustsecp256k1_v0_1_1_ge_set_xo_var(&data->ge_y, &data->fe_y, 1)); - rustsecp256k1_v0_1_1_gej_set_ge(&data->gej_x, &data->ge_x); - rustsecp256k1_v0_1_1_gej_set_ge(&data->gej_y, &data->ge_y); + rustsecp256k1_v0_1_2_scalar_set_b32(&data->scalar_x, init_x, NULL); + rustsecp256k1_v0_1_2_scalar_set_b32(&data->scalar_y, init_y, NULL); + rustsecp256k1_v0_1_2_fe_set_b32(&data->fe_x, init_x); + rustsecp256k1_v0_1_2_fe_set_b32(&data->fe_y, init_y); + CHECK(rustsecp256k1_v0_1_2_ge_set_xo_var(&data->ge_x, &data->fe_x, 0)); + CHECK(rustsecp256k1_v0_1_2_ge_set_xo_var(&data->ge_y, &data->fe_y, 1)); + rustsecp256k1_v0_1_2_gej_set_ge(&data->gej_x, &data->ge_x); + rustsecp256k1_v0_1_2_gej_set_ge(&data->gej_y, &data->ge_y); memcpy(data->data, init_x, 32); memcpy(data->data + 32, init_y, 32); } -void bench_scalar_add(void* arg) { - int i; +void bench_scalar_add(void* arg, int iters) { + int i, j = 0; bench_inv *data = (bench_inv*)arg; - for (i = 0; i < 2000000; i++) { - rustsecp256k1_v0_1_1_scalar_add(&data->scalar_x, &data->scalar_x, &data->scalar_y); + for (i = 0; i < iters; i++) { + j += rustsecp256k1_v0_1_2_scalar_add(&data->scalar_x, &data->scalar_x, &data->scalar_y); } + CHECK(j <= iters); } -void bench_scalar_negate(void* arg) { +void bench_scalar_negate(void* arg, int iters) { int i; bench_inv *data = (bench_inv*)arg; - for (i = 0; i < 2000000; i++) { - rustsecp256k1_v0_1_1_scalar_negate(&data->scalar_x, &data->scalar_x); + for (i = 0; i < iters; i++) { + rustsecp256k1_v0_1_2_scalar_negate(&data->scalar_x, &data->scalar_x); } } -void bench_scalar_sqr(void* arg) { +void bench_scalar_sqr(void* arg, int iters) { int i; bench_inv *data = (bench_inv*)arg; - for (i = 0; i < 200000; i++) { - rustsecp256k1_v0_1_1_scalar_sqr(&data->scalar_x, &data->scalar_x); + for (i = 0; i < iters; i++) { + rustsecp256k1_v0_1_2_scalar_sqr(&data->scalar_x, &data->scalar_x); } } -void bench_scalar_mul(void* arg) { +void bench_scalar_mul(void* arg, int iters) { int i; bench_inv *data = (bench_inv*)arg; - for (i = 0; i < 200000; i++) { - rustsecp256k1_v0_1_1_scalar_mul(&data->scalar_x, &data->scalar_x, &data->scalar_y); + for (i = 0; i < iters; i++) { + rustsecp256k1_v0_1_2_scalar_mul(&data->scalar_x, &data->scalar_x, &data->scalar_y); } } #ifdef USE_ENDOMORPHISM -void bench_scalar_split(void* arg) { - int i; +void bench_scalar_split(void* arg, int iters) { + int i, j = 0; bench_inv *data = (bench_inv*)arg; - for (i = 0; i < 20000; i++) { - rustsecp256k1_v0_1_1_scalar l, r; - rustsecp256k1_v0_1_1_scalar_split_lambda(&l, &r, &data->scalar_x); - rustsecp256k1_v0_1_1_scalar_add(&data->scalar_x, &data->scalar_x, &data->scalar_y); + for (i = 0; i < iters; i++) { + rustsecp256k1_v0_1_2_scalar_split_lambda(&data->scalar_x, &data->scalar_y, &data->scalar_x); + j += rustsecp256k1_v0_1_2_scalar_add(&data->scalar_x, &data->scalar_x, &data->scalar_y); } + CHECK(j <= iters); } #endif -void bench_scalar_inverse(void* arg) { - int i; +void bench_scalar_inverse(void* arg, int iters) { + int i, j = 0; bench_inv *data = (bench_inv*)arg; - for (i = 0; i < 2000; i++) { - rustsecp256k1_v0_1_1_scalar_inverse(&data->scalar_x, &data->scalar_x); - rustsecp256k1_v0_1_1_scalar_add(&data->scalar_x, &data->scalar_x, &data->scalar_y); + for (i = 0; i < iters; i++) { + rustsecp256k1_v0_1_2_scalar_inverse(&data->scalar_x, &data->scalar_x); + j += rustsecp256k1_v0_1_2_scalar_add(&data->scalar_x, &data->scalar_x, &data->scalar_y); } + CHECK(j <= iters); } -void bench_scalar_inverse_var(void* arg) { - int i; +void bench_scalar_inverse_var(void* arg, int iters) { + int i, j = 0; bench_inv *data = (bench_inv*)arg; - for (i = 0; i < 2000; i++) { - rustsecp256k1_v0_1_1_scalar_inverse_var(&data->scalar_x, &data->scalar_x); - rustsecp256k1_v0_1_1_scalar_add(&data->scalar_x, &data->scalar_x, &data->scalar_y); + for (i = 0; i < iters; i++) { + rustsecp256k1_v0_1_2_scalar_inverse_var(&data->scalar_x, &data->scalar_x); + j += rustsecp256k1_v0_1_2_scalar_add(&data->scalar_x, &data->scalar_x, &data->scalar_y); } + CHECK(j <= iters); } -void bench_field_normalize(void* arg) { +void bench_field_normalize(void* arg, int iters) { int i; bench_inv *data = (bench_inv*)arg; - for (i = 0; i < 2000000; i++) { - rustsecp256k1_v0_1_1_fe_normalize(&data->fe_x); + for (i = 0; i < iters; i++) { + rustsecp256k1_v0_1_2_fe_normalize(&data->fe_x); } } -void bench_field_normalize_weak(void* arg) { +void bench_field_normalize_weak(void* arg, int iters) { int i; bench_inv *data = (bench_inv*)arg; - for (i = 0; i < 2000000; i++) { - rustsecp256k1_v0_1_1_fe_normalize_weak(&data->fe_x); + for (i = 0; i < iters; i++) { + rustsecp256k1_v0_1_2_fe_normalize_weak(&data->fe_x); } } -void bench_field_mul(void* arg) { +void bench_field_mul(void* arg, int iters) { int i; bench_inv *data = (bench_inv*)arg; - for (i = 0; i < 200000; i++) { - rustsecp256k1_v0_1_1_fe_mul(&data->fe_x, &data->fe_x, &data->fe_y); + for (i = 0; i < iters; i++) { + rustsecp256k1_v0_1_2_fe_mul(&data->fe_x, &data->fe_x, &data->fe_y); } } -void bench_field_sqr(void* arg) { +void bench_field_sqr(void* arg, int iters) { int i; bench_inv *data = (bench_inv*)arg; - for (i = 0; i < 200000; i++) { - rustsecp256k1_v0_1_1_fe_sqr(&data->fe_x, &data->fe_x); + for (i = 0; i < iters; i++) { + rustsecp256k1_v0_1_2_fe_sqr(&data->fe_x, &data->fe_x); } } -void bench_field_inverse(void* arg) { +void bench_field_inverse(void* arg, int iters) { int i; bench_inv *data = (bench_inv*)arg; - for (i = 0; i < 20000; i++) { - rustsecp256k1_v0_1_1_fe_inv(&data->fe_x, &data->fe_x); - rustsecp256k1_v0_1_1_fe_add(&data->fe_x, &data->fe_y); + for (i = 0; i < iters; i++) { + rustsecp256k1_v0_1_2_fe_inv(&data->fe_x, &data->fe_x); + rustsecp256k1_v0_1_2_fe_add(&data->fe_x, &data->fe_y); } } -void bench_field_inverse_var(void* arg) { +void bench_field_inverse_var(void* arg, int iters) { int i; bench_inv *data = (bench_inv*)arg; - for (i = 0; i < 20000; i++) { - rustsecp256k1_v0_1_1_fe_inv_var(&data->fe_x, &data->fe_x); - rustsecp256k1_v0_1_1_fe_add(&data->fe_x, &data->fe_y); + for (i = 0; i < iters; i++) { + rustsecp256k1_v0_1_2_fe_inv_var(&data->fe_x, &data->fe_x); + rustsecp256k1_v0_1_2_fe_add(&data->fe_x, &data->fe_y); } } -void bench_field_sqrt(void* arg) { - int i; +void bench_field_sqrt(void* arg, int iters) { + int i, j = 0; bench_inv *data = (bench_inv*)arg; - rustsecp256k1_v0_1_1_fe t; + rustsecp256k1_v0_1_2_fe t; - for (i = 0; i < 20000; i++) { + for (i = 0; i < iters; i++) { t = data->fe_x; - rustsecp256k1_v0_1_1_fe_sqrt(&data->fe_x, &t); - rustsecp256k1_v0_1_1_fe_add(&data->fe_x, &data->fe_y); + j += rustsecp256k1_v0_1_2_fe_sqrt(&data->fe_x, &t); + rustsecp256k1_v0_1_2_fe_add(&data->fe_x, &data->fe_y); } + CHECK(j <= iters); } -void bench_group_double_var(void* arg) { +void bench_group_double_var(void* arg, int iters) { int i; bench_inv *data = (bench_inv*)arg; - for (i = 0; i < 200000; i++) { - rustsecp256k1_v0_1_1_gej_double_var(&data->gej_x, &data->gej_x, NULL); + for (i = 0; i < iters; i++) { + rustsecp256k1_v0_1_2_gej_double_var(&data->gej_x, &data->gej_x, NULL); } } -void bench_group_add_var(void* arg) { +void bench_group_add_var(void* arg, int iters) { int i; bench_inv *data = (bench_inv*)arg; - for (i = 0; i < 200000; i++) { - rustsecp256k1_v0_1_1_gej_add_var(&data->gej_x, &data->gej_x, &data->gej_y, NULL); + for (i = 0; i < iters; i++) { + rustsecp256k1_v0_1_2_gej_add_var(&data->gej_x, &data->gej_x, &data->gej_y, NULL); } } -void bench_group_add_affine(void* arg) { +void bench_group_add_affine(void* arg, int iters) { int i; bench_inv *data = (bench_inv*)arg; - for (i = 0; i < 200000; i++) { - rustsecp256k1_v0_1_1_gej_add_ge(&data->gej_x, &data->gej_x, &data->ge_y); + for (i = 0; i < iters; i++) { + rustsecp256k1_v0_1_2_gej_add_ge(&data->gej_x, &data->gej_x, &data->ge_y); } } -void bench_group_add_affine_var(void* arg) { +void bench_group_add_affine_var(void* arg, int iters) { int i; bench_inv *data = (bench_inv*)arg; - for (i = 0; i < 200000; i++) { - rustsecp256k1_v0_1_1_gej_add_ge_var(&data->gej_x, &data->gej_x, &data->ge_y, NULL); + for (i = 0; i < iters; i++) { + rustsecp256k1_v0_1_2_gej_add_ge_var(&data->gej_x, &data->gej_x, &data->ge_y, NULL); } } -void bench_group_jacobi_var(void* arg) { - int i; +void bench_group_jacobi_var(void* arg, int iters) { + int i, j = 0; bench_inv *data = (bench_inv*)arg; - for (i = 0; i < 20000; i++) { - rustsecp256k1_v0_1_1_gej_has_quad_y_var(&data->gej_x); + for (i = 0; i < iters; i++) { + j += rustsecp256k1_v0_1_2_gej_has_quad_y_var(&data->gej_x); } + CHECK(j == iters); } -void bench_ecmult_wnaf(void* arg) { - int i; +void bench_ecmult_wnaf(void* arg, int iters) { + int i, bits = 0, overflow = 0; bench_inv *data = (bench_inv*)arg; - for (i = 0; i < 20000; i++) { - rustsecp256k1_v0_1_1_ecmult_wnaf(data->wnaf, 256, &data->scalar_x, WINDOW_A); - rustsecp256k1_v0_1_1_scalar_add(&data->scalar_x, &data->scalar_x, &data->scalar_y); + for (i = 0; i < iters; i++) { + bits += rustsecp256k1_v0_1_2_ecmult_wnaf(data->wnaf, 256, &data->scalar_x, WINDOW_A); + overflow += rustsecp256k1_v0_1_2_scalar_add(&data->scalar_x, &data->scalar_x, &data->scalar_y); } + CHECK(overflow >= 0); + CHECK(bits <= 256*iters); } -void bench_wnaf_const(void* arg) { - int i; +void bench_wnaf_const(void* arg, int iters) { + int i, bits = 0, overflow = 0; bench_inv *data = (bench_inv*)arg; - for (i = 0; i < 20000; i++) { - rustsecp256k1_v0_1_1_wnaf_const(data->wnaf, &data->scalar_x, WINDOW_A, 256); - rustsecp256k1_v0_1_1_scalar_add(&data->scalar_x, &data->scalar_x, &data->scalar_y); + for (i = 0; i < iters; i++) { + bits += rustsecp256k1_v0_1_2_wnaf_const(data->wnaf, &data->scalar_x, WINDOW_A, 256); + overflow += rustsecp256k1_v0_1_2_scalar_add(&data->scalar_x, &data->scalar_x, &data->scalar_y); } + CHECK(overflow >= 0); + CHECK(bits <= 256*iters); } -void bench_sha256(void* arg) { +void bench_sha256(void* arg, int iters) { int i; bench_inv *data = (bench_inv*)arg; - rustsecp256k1_v0_1_1_sha256 sha; + rustsecp256k1_v0_1_2_sha256 sha; - for (i = 0; i < 20000; i++) { - rustsecp256k1_v0_1_1_sha256_initialize(&sha); - rustsecp256k1_v0_1_1_sha256_write(&sha, data->data, 32); - rustsecp256k1_v0_1_1_sha256_finalize(&sha, data->data); + for (i = 0; i < iters; i++) { + rustsecp256k1_v0_1_2_sha256_initialize(&sha); + rustsecp256k1_v0_1_2_sha256_write(&sha, data->data, 32); + rustsecp256k1_v0_1_2_sha256_finalize(&sha, data->data); } } -void bench_hmac_sha256(void* arg) { +void bench_hmac_sha256(void* arg, int iters) { int i; bench_inv *data = (bench_inv*)arg; - rustsecp256k1_v0_1_1_hmac_sha256 hmac; + rustsecp256k1_v0_1_2_hmac_sha256 hmac; - for (i = 0; i < 20000; i++) { - rustsecp256k1_v0_1_1_hmac_sha256_initialize(&hmac, data->data, 32); - rustsecp256k1_v0_1_1_hmac_sha256_write(&hmac, data->data, 32); - rustsecp256k1_v0_1_1_hmac_sha256_finalize(&hmac, data->data); + for (i = 0; i < iters; i++) { + rustsecp256k1_v0_1_2_hmac_sha256_initialize(&hmac, data->data, 32); + rustsecp256k1_v0_1_2_hmac_sha256_write(&hmac, data->data, 32); + rustsecp256k1_v0_1_2_hmac_sha256_finalize(&hmac, data->data); } } -void bench_rfc6979_hmac_sha256(void* arg) { +void bench_rfc6979_hmac_sha256(void* arg, int iters) { int i; bench_inv *data = (bench_inv*)arg; - rustsecp256k1_v0_1_1_rfc6979_hmac_sha256 rng; + rustsecp256k1_v0_1_2_rfc6979_hmac_sha256 rng; - for (i = 0; i < 20000; i++) { - rustsecp256k1_v0_1_1_rfc6979_hmac_sha256_initialize(&rng, data->data, 64); - rustsecp256k1_v0_1_1_rfc6979_hmac_sha256_generate(&rng, data->data, 32); + for (i = 0; i < iters; i++) { + rustsecp256k1_v0_1_2_rfc6979_hmac_sha256_initialize(&rng, data->data, 64); + rustsecp256k1_v0_1_2_rfc6979_hmac_sha256_generate(&rng, data->data, 32); } } -void bench_context_verify(void* arg) { +void bench_context_verify(void* arg, int iters) { int i; (void)arg; - for (i = 0; i < 20; i++) { - rustsecp256k1_v0_1_1_context_destroy(rustsecp256k1_v0_1_1_context_create(SECP256K1_CONTEXT_VERIFY)); + for (i = 0; i < iters; i++) { + rustsecp256k1_v0_1_2_context_destroy(rustsecp256k1_v0_1_2_context_create(SECP256K1_CONTEXT_VERIFY)); } } -void bench_context_sign(void* arg) { +void bench_context_sign(void* arg, int iters) { int i; (void)arg; - for (i = 0; i < 200; i++) { - rustsecp256k1_v0_1_1_context_destroy(rustsecp256k1_v0_1_1_context_create(SECP256K1_CONTEXT_SIGN)); + for (i = 0; i < iters; i++) { + rustsecp256k1_v0_1_2_context_destroy(rustsecp256k1_v0_1_2_context_create(SECP256K1_CONTEXT_SIGN)); } } #ifndef USE_NUM_NONE -void bench_num_jacobi(void* arg) { - int i; +void bench_num_jacobi(void* arg, int iters) { + int i, j = 0; bench_inv *data = (bench_inv*)arg; - rustsecp256k1_v0_1_1_num nx, norder; + rustsecp256k1_v0_1_2_num nx, norder; - rustsecp256k1_v0_1_1_scalar_get_num(&nx, &data->scalar_x); - rustsecp256k1_v0_1_1_scalar_order_get_num(&norder); - rustsecp256k1_v0_1_1_scalar_get_num(&norder, &data->scalar_y); + rustsecp256k1_v0_1_2_scalar_get_num(&nx, &data->scalar_x); + rustsecp256k1_v0_1_2_scalar_order_get_num(&norder); + rustsecp256k1_v0_1_2_scalar_get_num(&norder, &data->scalar_y); - for (i = 0; i < 200000; i++) { - rustsecp256k1_v0_1_1_num_jacobi(&nx, &norder); + for (i = 0; i < iters; i++) { + j += rustsecp256k1_v0_1_2_num_jacobi(&nx, &norder); } + CHECK(j <= iters); } #endif int main(int argc, char **argv) { bench_inv data; - if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "add")) run_benchmark("scalar_add", bench_scalar_add, bench_setup, NULL, &data, 10, 2000000); - if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "negate")) run_benchmark("scalar_negate", bench_scalar_negate, bench_setup, NULL, &data, 10, 2000000); - if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "sqr")) run_benchmark("scalar_sqr", bench_scalar_sqr, bench_setup, NULL, &data, 10, 200000); - if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "mul")) run_benchmark("scalar_mul", bench_scalar_mul, bench_setup, NULL, &data, 10, 200000); + int iters = get_iters(20000); + + if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "add")) run_benchmark("scalar_add", bench_scalar_add, bench_setup, NULL, &data, 10, iters*100); + if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "negate")) run_benchmark("scalar_negate", bench_scalar_negate, bench_setup, NULL, &data, 10, iters*100); + if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "sqr")) run_benchmark("scalar_sqr", bench_scalar_sqr, bench_setup, NULL, &data, 10, iters*10); + if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "mul")) run_benchmark("scalar_mul", bench_scalar_mul, bench_setup, NULL, &data, 10, iters*10); #ifdef USE_ENDOMORPHISM - if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "split")) run_benchmark("scalar_split", bench_scalar_split, bench_setup, NULL, &data, 10, 20000); + if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "split")) run_benchmark("scalar_split", bench_scalar_split, bench_setup, NULL, &data, 10, iters); #endif if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "inverse")) run_benchmark("scalar_inverse", bench_scalar_inverse, bench_setup, NULL, &data, 10, 2000); if (have_flag(argc, argv, "scalar") || have_flag(argc, argv, "inverse")) run_benchmark("scalar_inverse_var", bench_scalar_inverse_var, bench_setup, NULL, &data, 10, 2000); - if (have_flag(argc, argv, "field") || have_flag(argc, argv, "normalize")) run_benchmark("field_normalize", bench_field_normalize, bench_setup, NULL, &data, 10, 2000000); - if (have_flag(argc, argv, "field") || have_flag(argc, argv, "normalize")) run_benchmark("field_normalize_weak", bench_field_normalize_weak, bench_setup, NULL, &data, 10, 2000000); - if (have_flag(argc, argv, "field") || have_flag(argc, argv, "sqr")) run_benchmark("field_sqr", bench_field_sqr, bench_setup, NULL, &data, 10, 200000); - if (have_flag(argc, argv, "field") || have_flag(argc, argv, "mul")) run_benchmark("field_mul", bench_field_mul, bench_setup, NULL, &data, 10, 200000); - if (have_flag(argc, argv, "field") || have_flag(argc, argv, "inverse")) run_benchmark("field_inverse", bench_field_inverse, bench_setup, NULL, &data, 10, 20000); - if (have_flag(argc, argv, "field") || have_flag(argc, argv, "inverse")) run_benchmark("field_inverse_var", bench_field_inverse_var, bench_setup, NULL, &data, 10, 20000); - if (have_flag(argc, argv, "field") || have_flag(argc, argv, "sqrt")) run_benchmark("field_sqrt", bench_field_sqrt, bench_setup, NULL, &data, 10, 20000); + if (have_flag(argc, argv, "field") || have_flag(argc, argv, "normalize")) run_benchmark("field_normalize", bench_field_normalize, bench_setup, NULL, &data, 10, iters*100); + if (have_flag(argc, argv, "field") || have_flag(argc, argv, "normalize")) run_benchmark("field_normalize_weak", bench_field_normalize_weak, bench_setup, NULL, &data, 10, iters*100); + if (have_flag(argc, argv, "field") || have_flag(argc, argv, "sqr")) run_benchmark("field_sqr", bench_field_sqr, bench_setup, NULL, &data, 10, iters*10); + if (have_flag(argc, argv, "field") || have_flag(argc, argv, "mul")) run_benchmark("field_mul", bench_field_mul, bench_setup, NULL, &data, 10, iters*10); + if (have_flag(argc, argv, "field") || have_flag(argc, argv, "inverse")) run_benchmark("field_inverse", bench_field_inverse, bench_setup, NULL, &data, 10, iters); + if (have_flag(argc, argv, "field") || have_flag(argc, argv, "inverse")) run_benchmark("field_inverse_var", bench_field_inverse_var, bench_setup, NULL, &data, 10, iters); + if (have_flag(argc, argv, "field") || have_flag(argc, argv, "sqrt")) run_benchmark("field_sqrt", bench_field_sqrt, bench_setup, NULL, &data, 10, iters); - if (have_flag(argc, argv, "group") || have_flag(argc, argv, "double")) run_benchmark("group_double_var", bench_group_double_var, bench_setup, NULL, &data, 10, 200000); - if (have_flag(argc, argv, "group") || have_flag(argc, argv, "add")) run_benchmark("group_add_var", bench_group_add_var, bench_setup, NULL, &data, 10, 200000); - if (have_flag(argc, argv, "group") || have_flag(argc, argv, "add")) run_benchmark("group_add_affine", bench_group_add_affine, bench_setup, NULL, &data, 10, 200000); - if (have_flag(argc, argv, "group") || have_flag(argc, argv, "add")) run_benchmark("group_add_affine_var", bench_group_add_affine_var, bench_setup, NULL, &data, 10, 200000); - if (have_flag(argc, argv, "group") || have_flag(argc, argv, "jacobi")) run_benchmark("group_jacobi_var", bench_group_jacobi_var, bench_setup, NULL, &data, 10, 20000); + if (have_flag(argc, argv, "group") || have_flag(argc, argv, "double")) run_benchmark("group_double_var", bench_group_double_var, bench_setup, NULL, &data, 10, iters*10); + if (have_flag(argc, argv, "group") || have_flag(argc, argv, "add")) run_benchmark("group_add_var", bench_group_add_var, bench_setup, NULL, &data, 10, iters*10); + if (have_flag(argc, argv, "group") || have_flag(argc, argv, "add")) run_benchmark("group_add_affine", bench_group_add_affine, bench_setup, NULL, &data, 10, iters*10); + if (have_flag(argc, argv, "group") || have_flag(argc, argv, "add")) run_benchmark("group_add_affine_var", bench_group_add_affine_var, bench_setup, NULL, &data, 10, iters*10); + if (have_flag(argc, argv, "group") || have_flag(argc, argv, "jacobi")) run_benchmark("group_jacobi_var", bench_group_jacobi_var, bench_setup, NULL, &data, 10, iters); - if (have_flag(argc, argv, "ecmult") || have_flag(argc, argv, "wnaf")) run_benchmark("wnaf_const", bench_wnaf_const, bench_setup, NULL, &data, 10, 20000); - if (have_flag(argc, argv, "ecmult") || have_flag(argc, argv, "wnaf")) run_benchmark("ecmult_wnaf", bench_ecmult_wnaf, bench_setup, NULL, &data, 10, 20000); + if (have_flag(argc, argv, "ecmult") || have_flag(argc, argv, "wnaf")) run_benchmark("wnaf_const", bench_wnaf_const, bench_setup, NULL, &data, 10, iters); + if (have_flag(argc, argv, "ecmult") || have_flag(argc, argv, "wnaf")) run_benchmark("ecmult_wnaf", bench_ecmult_wnaf, bench_setup, NULL, &data, 10, iters); - if (have_flag(argc, argv, "hash") || have_flag(argc, argv, "sha256")) run_benchmark("hash_sha256", bench_sha256, bench_setup, NULL, &data, 10, 20000); - if (have_flag(argc, argv, "hash") || have_flag(argc, argv, "hmac")) run_benchmark("hash_hmac_sha256", bench_hmac_sha256, bench_setup, NULL, &data, 10, 20000); - if (have_flag(argc, argv, "hash") || have_flag(argc, argv, "rng6979")) run_benchmark("hash_rfc6979_hmac_sha256", bench_rfc6979_hmac_sha256, bench_setup, NULL, &data, 10, 20000); + if (have_flag(argc, argv, "hash") || have_flag(argc, argv, "sha256")) run_benchmark("hash_sha256", bench_sha256, bench_setup, NULL, &data, 10, iters); + if (have_flag(argc, argv, "hash") || have_flag(argc, argv, "hmac")) run_benchmark("hash_hmac_sha256", bench_hmac_sha256, bench_setup, NULL, &data, 10, iters); + if (have_flag(argc, argv, "hash") || have_flag(argc, argv, "rng6979")) run_benchmark("hash_rfc6979_hmac_sha256", bench_rfc6979_hmac_sha256, bench_setup, NULL, &data, 10, iters); - if (have_flag(argc, argv, "context") || have_flag(argc, argv, "verify")) run_benchmark("context_verify", bench_context_verify, bench_setup, NULL, &data, 10, 20); - if (have_flag(argc, argv, "context") || have_flag(argc, argv, "sign")) run_benchmark("context_sign", bench_context_sign, bench_setup, NULL, &data, 10, 200); + if (have_flag(argc, argv, "context") || have_flag(argc, argv, "verify")) run_benchmark("context_verify", bench_context_verify, bench_setup, NULL, &data, 10, 1 + iters/1000); + if (have_flag(argc, argv, "context") || have_flag(argc, argv, "sign")) run_benchmark("context_sign", bench_context_sign, bench_setup, NULL, &data, 10, 1 + iters/100); #ifndef USE_NUM_NONE - if (have_flag(argc, argv, "num") || have_flag(argc, argv, "jacobi")) run_benchmark("num_jacobi", bench_num_jacobi, bench_setup, NULL, &data, 10, 200000); + if (have_flag(argc, argv, "num") || have_flag(argc, argv, "jacobi")) run_benchmark("num_jacobi", bench_num_jacobi, bench_setup, NULL, &data, 10, iters*10); #endif return 0; } diff --git a/secp256k1-sys/depend/secp256k1/src/bench_recover.c b/secp256k1-sys/depend/secp256k1/src/bench_recover.c index e71ae32af..102b6a52d 100644 --- a/secp256k1-sys/depend/secp256k1/src/bench_recover.c +++ b/secp256k1-sys/depend/secp256k1/src/bench_recover.c @@ -10,24 +10,24 @@ #include "bench.h" typedef struct { - rustsecp256k1_v0_1_1_context *ctx; + rustsecp256k1_v0_1_2_context *ctx; unsigned char msg[32]; unsigned char sig[64]; } bench_recover_data; -void bench_recover(void* arg) { +void bench_recover(void* arg, int iters) { int i; bench_recover_data *data = (bench_recover_data*)arg; - rustsecp256k1_v0_1_1_pubkey pubkey; + rustsecp256k1_v0_1_2_pubkey pubkey; unsigned char pubkeyc[33]; - for (i = 0; i < 20000; i++) { + for (i = 0; i < iters; i++) { int j; size_t pubkeylen = 33; - rustsecp256k1_v0_1_1_ecdsa_recoverable_signature sig; - CHECK(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_parse_compact(data->ctx, &sig, data->sig, i % 2)); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recover(data->ctx, &pubkey, &sig, data->msg)); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_serialize(data->ctx, pubkeyc, &pubkeylen, &pubkey, SECP256K1_EC_COMPRESSED)); + rustsecp256k1_v0_1_2_ecdsa_recoverable_signature sig; + CHECK(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_parse_compact(data->ctx, &sig, data->sig, i % 2)); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recover(data->ctx, &pubkey, &sig, data->msg)); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_serialize(data->ctx, pubkeyc, &pubkeylen, &pubkey, SECP256K1_EC_COMPRESSED)); for (j = 0; j < 32; j++) { data->sig[j + 32] = data->msg[j]; /* Move former message to S. */ data->msg[j] = data->sig[j]; /* Move former R to message. */ @@ -51,10 +51,12 @@ void bench_recover_setup(void* arg) { int main(void) { bench_recover_data data; - data.ctx = rustsecp256k1_v0_1_1_context_create(SECP256K1_CONTEXT_VERIFY); + int iters = get_iters(20000); - run_benchmark("ecdsa_recover", bench_recover, bench_recover_setup, NULL, &data, 10, 20000); + data.ctx = rustsecp256k1_v0_1_2_context_create(SECP256K1_CONTEXT_VERIFY); - rustsecp256k1_v0_1_1_context_destroy(data.ctx); + run_benchmark("ecdsa_recover", bench_recover, bench_recover_setup, NULL, &data, 10, iters); + + rustsecp256k1_v0_1_2_context_destroy(data.ctx); return 0; } diff --git a/secp256k1-sys/depend/secp256k1/src/bench_sign.c b/secp256k1-sys/depend/secp256k1/src/bench_sign.c index a7e5f9d5f..28b84413c 100644 --- a/secp256k1-sys/depend/secp256k1/src/bench_sign.c +++ b/secp256k1-sys/depend/secp256k1/src/bench_sign.c @@ -9,7 +9,7 @@ #include "bench.h" typedef struct { - rustsecp256k1_v0_1_1_context* ctx; + rustsecp256k1_v0_1_2_context* ctx; unsigned char msg[32]; unsigned char key[32]; } bench_sign; @@ -26,17 +26,17 @@ static void bench_sign_setup(void* arg) { } } -static void bench_sign_run(void* arg) { +static void bench_sign_run(void* arg, int iters) { int i; bench_sign *data = (bench_sign*)arg; unsigned char sig[74]; - for (i = 0; i < 20000; i++) { + for (i = 0; i < iters; i++) { size_t siglen = 74; int j; - rustsecp256k1_v0_1_1_ecdsa_signature signature; - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign(data->ctx, &signature, data->msg, data->key, NULL, NULL)); - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_serialize_der(data->ctx, sig, &siglen, &signature)); + rustsecp256k1_v0_1_2_ecdsa_signature signature; + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign(data->ctx, &signature, data->msg, data->key, NULL, NULL)); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_serialize_der(data->ctx, sig, &siglen, &signature)); for (j = 0; j < 32; j++) { data->msg[j] = sig[j]; data->key[j] = sig[j + 32]; @@ -47,10 +47,12 @@ static void bench_sign_run(void* arg) { int main(void) { bench_sign data; - data.ctx = rustsecp256k1_v0_1_1_context_create(SECP256K1_CONTEXT_SIGN); + int iters = get_iters(20000); - run_benchmark("ecdsa_sign", bench_sign_run, bench_sign_setup, NULL, &data, 10, 20000); + data.ctx = rustsecp256k1_v0_1_2_context_create(SECP256K1_CONTEXT_SIGN); - rustsecp256k1_v0_1_1_context_destroy(data.ctx); + run_benchmark("ecdsa_sign", bench_sign_run, bench_sign_setup, NULL, &data, 10, iters); + + rustsecp256k1_v0_1_2_context_destroy(data.ctx); return 0; } diff --git a/secp256k1-sys/depend/secp256k1/src/bench_verify.c b/secp256k1-sys/depend/secp256k1/src/bench_verify.c index 696da767e..ab9eac01c 100644 --- a/secp256k1-sys/depend/secp256k1/src/bench_verify.c +++ b/secp256k1-sys/depend/secp256k1/src/bench_verify.c @@ -17,8 +17,9 @@ #include #endif + typedef struct { - rustsecp256k1_v0_1_1_context *ctx; + rustsecp256k1_v0_1_2_context *ctx; unsigned char msg[32]; unsigned char key[32]; unsigned char sig[72]; @@ -30,19 +31,19 @@ typedef struct { #endif } benchmark_verify_t; -static void benchmark_verify(void* arg) { +static void benchmark_verify(void* arg, int iters) { int i; benchmark_verify_t* data = (benchmark_verify_t*)arg; - for (i = 0; i < 20000; i++) { - rustsecp256k1_v0_1_1_pubkey pubkey; - rustsecp256k1_v0_1_1_ecdsa_signature sig; + for (i = 0; i < iters; i++) { + rustsecp256k1_v0_1_2_pubkey pubkey; + rustsecp256k1_v0_1_2_ecdsa_signature sig; data->sig[data->siglen - 1] ^= (i & 0xFF); data->sig[data->siglen - 2] ^= ((i >> 8) & 0xFF); data->sig[data->siglen - 3] ^= ((i >> 16) & 0xFF); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_parse(data->ctx, &pubkey, data->pubkey, data->pubkeylen) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_parse_der(data->ctx, &sig, data->sig, data->siglen) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_verify(data->ctx, &sig, data->msg, &pubkey) == (i == 0)); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_parse(data->ctx, &pubkey, data->pubkey, data->pubkeylen) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_parse_der(data->ctx, &sig, data->sig, data->siglen) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_verify(data->ctx, &sig, data->msg, &pubkey) == (i == 0)); data->sig[data->siglen - 1] ^= (i & 0xFF); data->sig[data->siglen - 2] ^= ((i >> 8) & 0xFF); data->sig[data->siglen - 3] ^= ((i >> 16) & 0xFF); @@ -50,11 +51,11 @@ static void benchmark_verify(void* arg) { } #ifdef ENABLE_OPENSSL_TESTS -static void benchmark_verify_openssl(void* arg) { +static void benchmark_verify_openssl(void* arg, int iters) { int i; benchmark_verify_t* data = (benchmark_verify_t*)arg; - for (i = 0; i < 20000; i++) { + for (i = 0; i < iters; i++) { data->sig[data->siglen - 1] ^= (i & 0xFF); data->sig[data->siglen - 2] ^= ((i >> 8) & 0xFF); data->sig[data->siglen - 3] ^= ((i >> 16) & 0xFF); @@ -81,11 +82,13 @@ static void benchmark_verify_openssl(void* arg) { int main(void) { int i; - rustsecp256k1_v0_1_1_pubkey pubkey; - rustsecp256k1_v0_1_1_ecdsa_signature sig; + rustsecp256k1_v0_1_2_pubkey pubkey; + rustsecp256k1_v0_1_2_ecdsa_signature sig; benchmark_verify_t data; - data.ctx = rustsecp256k1_v0_1_1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); + int iters = get_iters(20000); + + data.ctx = rustsecp256k1_v0_1_2_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); for (i = 0; i < 32; i++) { data.msg[i] = 1 + i; @@ -94,19 +97,19 @@ int main(void) { data.key[i] = 33 + i; } data.siglen = 72; - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign(data.ctx, &sig, data.msg, data.key, NULL, NULL)); - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_serialize_der(data.ctx, data.sig, &data.siglen, &sig)); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_create(data.ctx, &pubkey, data.key)); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign(data.ctx, &sig, data.msg, data.key, NULL, NULL)); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_serialize_der(data.ctx, data.sig, &data.siglen, &sig)); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_create(data.ctx, &pubkey, data.key)); data.pubkeylen = 33; - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_serialize(data.ctx, data.pubkey, &data.pubkeylen, &pubkey, SECP256K1_EC_COMPRESSED) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_serialize(data.ctx, data.pubkey, &data.pubkeylen, &pubkey, SECP256K1_EC_COMPRESSED) == 1); - run_benchmark("ecdsa_verify", benchmark_verify, NULL, NULL, &data, 10, 20000); + run_benchmark("ecdsa_verify", benchmark_verify, NULL, NULL, &data, 10, iters); #ifdef ENABLE_OPENSSL_TESTS data.ec_group = EC_GROUP_new_by_curve_name(NID_secp256k1); - run_benchmark("ecdsa_verify_openssl", benchmark_verify_openssl, NULL, NULL, &data, 10, 20000); + run_benchmark("ecdsa_verify_openssl", benchmark_verify_openssl, NULL, NULL, &data, 10, iters); EC_GROUP_free(data.ec_group); #endif - rustsecp256k1_v0_1_1_context_destroy(data.ctx); + rustsecp256k1_v0_1_2_context_destroy(data.ctx); return 0; } diff --git a/secp256k1-sys/depend/secp256k1/src/ecdsa.h b/secp256k1-sys/depend/secp256k1/src/ecdsa.h index 3d3bbdfd0..8130bb244 100644 --- a/secp256k1-sys/depend/secp256k1/src/ecdsa.h +++ b/secp256k1-sys/depend/secp256k1/src/ecdsa.h @@ -13,9 +13,9 @@ #include "group.h" #include "ecmult.h" -static int rustsecp256k1_v0_1_1_ecdsa_sig_parse(rustsecp256k1_v0_1_1_scalar *r, rustsecp256k1_v0_1_1_scalar *s, const unsigned char *sig, size_t size); -static int rustsecp256k1_v0_1_1_ecdsa_sig_serialize(unsigned char *sig, size_t *size, const rustsecp256k1_v0_1_1_scalar *r, const rustsecp256k1_v0_1_1_scalar *s); -static int rustsecp256k1_v0_1_1_ecdsa_sig_verify(const rustsecp256k1_v0_1_1_ecmult_context *ctx, const rustsecp256k1_v0_1_1_scalar* r, const rustsecp256k1_v0_1_1_scalar* s, const rustsecp256k1_v0_1_1_ge *pubkey, const rustsecp256k1_v0_1_1_scalar *message); -static int rustsecp256k1_v0_1_1_ecdsa_sig_sign(const rustsecp256k1_v0_1_1_ecmult_gen_context *ctx, rustsecp256k1_v0_1_1_scalar* r, rustsecp256k1_v0_1_1_scalar* s, const rustsecp256k1_v0_1_1_scalar *seckey, const rustsecp256k1_v0_1_1_scalar *message, const rustsecp256k1_v0_1_1_scalar *nonce, int *recid); +static int rustsecp256k1_v0_1_2_ecdsa_sig_parse(rustsecp256k1_v0_1_2_scalar *r, rustsecp256k1_v0_1_2_scalar *s, const unsigned char *sig, size_t size); +static int rustsecp256k1_v0_1_2_ecdsa_sig_serialize(unsigned char *sig, size_t *size, const rustsecp256k1_v0_1_2_scalar *r, const rustsecp256k1_v0_1_2_scalar *s); +static int rustsecp256k1_v0_1_2_ecdsa_sig_verify(const rustsecp256k1_v0_1_2_ecmult_context *ctx, const rustsecp256k1_v0_1_2_scalar* r, const rustsecp256k1_v0_1_2_scalar* s, const rustsecp256k1_v0_1_2_ge *pubkey, const rustsecp256k1_v0_1_2_scalar *message); +static int rustsecp256k1_v0_1_2_ecdsa_sig_sign(const rustsecp256k1_v0_1_2_ecmult_gen_context *ctx, rustsecp256k1_v0_1_2_scalar* r, rustsecp256k1_v0_1_2_scalar* s, const rustsecp256k1_v0_1_2_scalar *seckey, const rustsecp256k1_v0_1_2_scalar *message, const rustsecp256k1_v0_1_2_scalar *nonce, int *recid); #endif /* SECP256K1_ECDSA_H */ diff --git a/secp256k1-sys/depend/secp256k1/src/ecdsa_impl.h b/secp256k1-sys/depend/secp256k1/src/ecdsa_impl.h index 5d239fe04..e48ad70ce 100644 --- a/secp256k1-sys/depend/secp256k1/src/ecdsa_impl.h +++ b/secp256k1-sys/depend/secp256k1/src/ecdsa_impl.h @@ -28,7 +28,7 @@ * sage: '%x' % (EllipticCurve ([F (a), F (b)]).order()) * 'fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141' */ -static const rustsecp256k1_v0_1_1_fe rustsecp256k1_v0_1_1_ecdsa_const_order_as_fe = SECP256K1_FE_CONST( +static const rustsecp256k1_v0_1_2_fe rustsecp256k1_v0_1_2_ecdsa_const_order_as_fe = SECP256K1_FE_CONST( 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL, 0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364141UL ); @@ -42,72 +42,77 @@ static const rustsecp256k1_v0_1_1_fe rustsecp256k1_v0_1_1_ecdsa_const_order_as_f * sage: '%x' % (p - EllipticCurve ([F (a), F (b)]).order()) * '14551231950b75fc4402da1722fc9baee' */ -static const rustsecp256k1_v0_1_1_fe rustsecp256k1_v0_1_1_ecdsa_const_p_minus_order = SECP256K1_FE_CONST( +static const rustsecp256k1_v0_1_2_fe rustsecp256k1_v0_1_2_ecdsa_const_p_minus_order = SECP256K1_FE_CONST( 0, 0, 0, 1, 0x45512319UL, 0x50B75FC4UL, 0x402DA172UL, 0x2FC9BAEEUL ); -static int rustsecp256k1_v0_1_1_der_read_len(const unsigned char **sigp, const unsigned char *sigend) { - int lenleft, b1; - size_t ret = 0; +static int rustsecp256k1_v0_1_2_der_read_len(size_t *len, const unsigned char **sigp, const unsigned char *sigend) { + size_t lenleft; + unsigned char b1; + VERIFY_CHECK(len != NULL); + *len = 0; if (*sigp >= sigend) { - return -1; + return 0; } b1 = *((*sigp)++); if (b1 == 0xFF) { /* X.690-0207 8.1.3.5.c the value 0xFF shall not be used. */ - return -1; + return 0; } if ((b1 & 0x80) == 0) { /* X.690-0207 8.1.3.4 short form length octets */ - return b1; + *len = b1; + return 1; } if (b1 == 0x80) { /* Indefinite length is not allowed in DER. */ - return -1; + return 0; } /* X.690-207 8.1.3.5 long form length octets */ - lenleft = b1 & 0x7F; - if (lenleft > sigend - *sigp) { - return -1; + lenleft = b1 & 0x7F; /* lenleft is at least 1 */ + if (lenleft > (size_t)(sigend - *sigp)) { + return 0; } if (**sigp == 0) { /* Not the shortest possible length encoding. */ - return -1; + return 0; } - if ((size_t)lenleft > sizeof(size_t)) { + if (lenleft > sizeof(size_t)) { /* The resulting length would exceed the range of a size_t, so * certainly longer than the passed array size. */ - return -1; + return 0; } while (lenleft > 0) { - ret = (ret << 8) | **sigp; - if (ret + lenleft > (size_t)(sigend - *sigp)) { - /* Result exceeds the length of the passed array. */ - return -1; - } + *len = (*len << 8) | **sigp; (*sigp)++; lenleft--; } - if (ret < 128) { + if (*len > (size_t)(sigend - *sigp)) { + /* Result exceeds the length of the passed array. */ + return 0; + } + if (*len < 128) { /* Not the shortest possible length encoding. */ - return -1; + return 0; } - return ret; + return 1; } -static int rustsecp256k1_v0_1_1_der_parse_integer(rustsecp256k1_v0_1_1_scalar *r, const unsigned char **sig, const unsigned char *sigend) { +static int rustsecp256k1_v0_1_2_der_parse_integer(rustsecp256k1_v0_1_2_scalar *r, const unsigned char **sig, const unsigned char *sigend) { int overflow = 0; unsigned char ra[32] = {0}; - int rlen; + size_t rlen; if (*sig == sigend || **sig != 0x02) { /* Not a primitive integer (X.690-0207 8.3.1). */ return 0; } (*sig)++; - rlen = rustsecp256k1_v0_1_1_der_read_len(sig, sigend); - if (rlen <= 0 || (*sig) + rlen > sigend) { + if (rustsecp256k1_v0_1_2_der_read_len(&rlen, sig, sigend) == 0) { + return 0; + } + if (rlen == 0 || *sig + rlen > sigend) { /* Exceeds bounds or not at least length 1 (X.690-0207 8.3.1). */ return 0; } @@ -123,8 +128,11 @@ static int rustsecp256k1_v0_1_1_der_parse_integer(rustsecp256k1_v0_1_1_scalar *r /* Negative. */ overflow = 1; } - while (rlen > 0 && **sig == 0) { - /* Skip leading zero bytes */ + /* There is at most one leading zero byte: + * if there were two leading zero bytes, we would have failed and returned 0 + * because of excessive 0x00 padding already. */ + if (rlen > 0 && **sig == 0) { + /* Skip leading zero byte */ rlen--; (*sig)++; } @@ -133,36 +141,34 @@ static int rustsecp256k1_v0_1_1_der_parse_integer(rustsecp256k1_v0_1_1_scalar *r } if (!overflow) { memcpy(ra + 32 - rlen, *sig, rlen); - rustsecp256k1_v0_1_1_scalar_set_b32(r, ra, &overflow); + rustsecp256k1_v0_1_2_scalar_set_b32(r, ra, &overflow); } if (overflow) { - rustsecp256k1_v0_1_1_scalar_set_int(r, 0); + rustsecp256k1_v0_1_2_scalar_set_int(r, 0); } (*sig) += rlen; return 1; } -static int rustsecp256k1_v0_1_1_ecdsa_sig_parse(rustsecp256k1_v0_1_1_scalar *rr, rustsecp256k1_v0_1_1_scalar *rs, const unsigned char *sig, size_t size) { +static int rustsecp256k1_v0_1_2_ecdsa_sig_parse(rustsecp256k1_v0_1_2_scalar *rr, rustsecp256k1_v0_1_2_scalar *rs, const unsigned char *sig, size_t size) { const unsigned char *sigend = sig + size; - int rlen; + size_t rlen; if (sig == sigend || *(sig++) != 0x30) { /* The encoding doesn't start with a constructed sequence (X.690-0207 8.9.1). */ return 0; } - rlen = rustsecp256k1_v0_1_1_der_read_len(&sig, sigend); - if (rlen < 0 || sig + rlen > sigend) { - /* Tuple exceeds bounds */ + if (rustsecp256k1_v0_1_2_der_read_len(&rlen, &sig, sigend) == 0) { return 0; } - if (sig + rlen != sigend) { - /* Garbage after tuple. */ + if (rlen != (size_t)(sigend - sig)) { + /* Tuple exceeds bounds or garage after tuple. */ return 0; } - if (!rustsecp256k1_v0_1_1_der_parse_integer(rr, &sig, sigend)) { + if (!rustsecp256k1_v0_1_2_der_parse_integer(rr, &sig, sigend)) { return 0; } - if (!rustsecp256k1_v0_1_1_der_parse_integer(rs, &sig, sigend)) { + if (!rustsecp256k1_v0_1_2_der_parse_integer(rs, &sig, sigend)) { return 0; } @@ -174,12 +180,12 @@ static int rustsecp256k1_v0_1_1_ecdsa_sig_parse(rustsecp256k1_v0_1_1_scalar *rr, return 1; } -static int rustsecp256k1_v0_1_1_ecdsa_sig_serialize(unsigned char *sig, size_t *size, const rustsecp256k1_v0_1_1_scalar* ar, const rustsecp256k1_v0_1_1_scalar* as) { +static int rustsecp256k1_v0_1_2_ecdsa_sig_serialize(unsigned char *sig, size_t *size, const rustsecp256k1_v0_1_2_scalar* ar, const rustsecp256k1_v0_1_2_scalar* as) { unsigned char r[33] = {0}, s[33] = {0}; unsigned char *rp = r, *sp = s; size_t lenR = 33, lenS = 33; - rustsecp256k1_v0_1_1_scalar_get_b32(&r[1], ar); - rustsecp256k1_v0_1_1_scalar_get_b32(&s[1], as); + rustsecp256k1_v0_1_2_scalar_get_b32(&r[1], ar); + rustsecp256k1_v0_1_2_scalar_get_b32(&s[1], as); while (lenR > 1 && rp[0] == 0 && rp[1] < 0x80) { lenR--; rp++; } while (lenS > 1 && sp[0] == 0 && sp[1] < 0x80) { lenS--; sp++; } if (*size < 6+lenS+lenR) { @@ -198,42 +204,42 @@ static int rustsecp256k1_v0_1_1_ecdsa_sig_serialize(unsigned char *sig, size_t * return 1; } -static int rustsecp256k1_v0_1_1_ecdsa_sig_verify(const rustsecp256k1_v0_1_1_ecmult_context *ctx, const rustsecp256k1_v0_1_1_scalar *sigr, const rustsecp256k1_v0_1_1_scalar *sigs, const rustsecp256k1_v0_1_1_ge *pubkey, const rustsecp256k1_v0_1_1_scalar *message) { +static int rustsecp256k1_v0_1_2_ecdsa_sig_verify(const rustsecp256k1_v0_1_2_ecmult_context *ctx, const rustsecp256k1_v0_1_2_scalar *sigr, const rustsecp256k1_v0_1_2_scalar *sigs, const rustsecp256k1_v0_1_2_ge *pubkey, const rustsecp256k1_v0_1_2_scalar *message) { unsigned char c[32]; - rustsecp256k1_v0_1_1_scalar sn, u1, u2; + rustsecp256k1_v0_1_2_scalar sn, u1, u2; #if !defined(EXHAUSTIVE_TEST_ORDER) - rustsecp256k1_v0_1_1_fe xr; + rustsecp256k1_v0_1_2_fe xr; #endif - rustsecp256k1_v0_1_1_gej pubkeyj; - rustsecp256k1_v0_1_1_gej pr; + rustsecp256k1_v0_1_2_gej pubkeyj; + rustsecp256k1_v0_1_2_gej pr; - if (rustsecp256k1_v0_1_1_scalar_is_zero(sigr) || rustsecp256k1_v0_1_1_scalar_is_zero(sigs)) { + if (rustsecp256k1_v0_1_2_scalar_is_zero(sigr) || rustsecp256k1_v0_1_2_scalar_is_zero(sigs)) { return 0; } - rustsecp256k1_v0_1_1_scalar_inverse_var(&sn, sigs); - rustsecp256k1_v0_1_1_scalar_mul(&u1, &sn, message); - rustsecp256k1_v0_1_1_scalar_mul(&u2, &sn, sigr); - rustsecp256k1_v0_1_1_gej_set_ge(&pubkeyj, pubkey); - rustsecp256k1_v0_1_1_ecmult(ctx, &pr, &pubkeyj, &u2, &u1); - if (rustsecp256k1_v0_1_1_gej_is_infinity(&pr)) { + rustsecp256k1_v0_1_2_scalar_inverse_var(&sn, sigs); + rustsecp256k1_v0_1_2_scalar_mul(&u1, &sn, message); + rustsecp256k1_v0_1_2_scalar_mul(&u2, &sn, sigr); + rustsecp256k1_v0_1_2_gej_set_ge(&pubkeyj, pubkey); + rustsecp256k1_v0_1_2_ecmult(ctx, &pr, &pubkeyj, &u2, &u1); + if (rustsecp256k1_v0_1_2_gej_is_infinity(&pr)) { return 0; } #if defined(EXHAUSTIVE_TEST_ORDER) { - rustsecp256k1_v0_1_1_scalar computed_r; - rustsecp256k1_v0_1_1_ge pr_ge; - rustsecp256k1_v0_1_1_ge_set_gej(&pr_ge, &pr); - rustsecp256k1_v0_1_1_fe_normalize(&pr_ge.x); + rustsecp256k1_v0_1_2_scalar computed_r; + rustsecp256k1_v0_1_2_ge pr_ge; + rustsecp256k1_v0_1_2_ge_set_gej(&pr_ge, &pr); + rustsecp256k1_v0_1_2_fe_normalize(&pr_ge.x); - rustsecp256k1_v0_1_1_fe_get_b32(c, &pr_ge.x); - rustsecp256k1_v0_1_1_scalar_set_b32(&computed_r, c, NULL); - return rustsecp256k1_v0_1_1_scalar_eq(sigr, &computed_r); + rustsecp256k1_v0_1_2_fe_get_b32(c, &pr_ge.x); + rustsecp256k1_v0_1_2_scalar_set_b32(&computed_r, c, NULL); + return rustsecp256k1_v0_1_2_scalar_eq(sigr, &computed_r); } #else - rustsecp256k1_v0_1_1_scalar_get_b32(c, sigr); - rustsecp256k1_v0_1_1_fe_set_b32(&xr, c); + rustsecp256k1_v0_1_2_scalar_get_b32(c, sigr); + rustsecp256k1_v0_1_2_fe_set_b32(&xr, c); /** We now have the recomputed R point in pr, and its claimed x coordinate (modulo n) * in xr. Naively, we would extract the x coordinate from pr (requiring a inversion modulo p), @@ -249,18 +255,18 @@ static int rustsecp256k1_v0_1_1_ecdsa_sig_verify(const rustsecp256k1_v0_1_1_ecmu * <=> (xr * pr.z^2 mod p == pr.x) || (xr + n < p && (xr + n) * pr.z^2 mod p == pr.x) * * Thus, we can avoid the inversion, but we have to check both cases separately. - * rustsecp256k1_v0_1_1_gej_eq_x implements the (xr * pr.z^2 mod p == pr.x) test. + * rustsecp256k1_v0_1_2_gej_eq_x implements the (xr * pr.z^2 mod p == pr.x) test. */ - if (rustsecp256k1_v0_1_1_gej_eq_x_var(&xr, &pr)) { + if (rustsecp256k1_v0_1_2_gej_eq_x_var(&xr, &pr)) { /* xr * pr.z^2 mod p == pr.x, so the signature is valid. */ return 1; } - if (rustsecp256k1_v0_1_1_fe_cmp_var(&xr, &rustsecp256k1_v0_1_1_ecdsa_const_p_minus_order) >= 0) { + if (rustsecp256k1_v0_1_2_fe_cmp_var(&xr, &rustsecp256k1_v0_1_2_ecdsa_const_p_minus_order) >= 0) { /* xr + n >= p, so we can skip testing the second case. */ return 0; } - rustsecp256k1_v0_1_1_fe_add(&xr, &rustsecp256k1_v0_1_1_ecdsa_const_order_as_fe); - if (rustsecp256k1_v0_1_1_gej_eq_x_var(&xr, &pr)) { + rustsecp256k1_v0_1_2_fe_add(&xr, &rustsecp256k1_v0_1_2_ecdsa_const_order_as_fe); + if (rustsecp256k1_v0_1_2_gej_eq_x_var(&xr, &pr)) { /* (xr + n) * pr.z^2 mod p == pr.x, so the signature is valid. */ return 1; } @@ -268,46 +274,42 @@ static int rustsecp256k1_v0_1_1_ecdsa_sig_verify(const rustsecp256k1_v0_1_1_ecmu #endif } -static int rustsecp256k1_v0_1_1_ecdsa_sig_sign(const rustsecp256k1_v0_1_1_ecmult_gen_context *ctx, rustsecp256k1_v0_1_1_scalar *sigr, rustsecp256k1_v0_1_1_scalar *sigs, const rustsecp256k1_v0_1_1_scalar *seckey, const rustsecp256k1_v0_1_1_scalar *message, const rustsecp256k1_v0_1_1_scalar *nonce, int *recid) { +static int rustsecp256k1_v0_1_2_ecdsa_sig_sign(const rustsecp256k1_v0_1_2_ecmult_gen_context *ctx, rustsecp256k1_v0_1_2_scalar *sigr, rustsecp256k1_v0_1_2_scalar *sigs, const rustsecp256k1_v0_1_2_scalar *seckey, const rustsecp256k1_v0_1_2_scalar *message, const rustsecp256k1_v0_1_2_scalar *nonce, int *recid) { unsigned char b[32]; - rustsecp256k1_v0_1_1_gej rp; - rustsecp256k1_v0_1_1_ge r; - rustsecp256k1_v0_1_1_scalar n; + rustsecp256k1_v0_1_2_gej rp; + rustsecp256k1_v0_1_2_ge r; + rustsecp256k1_v0_1_2_scalar n; int overflow = 0; + int high; - rustsecp256k1_v0_1_1_ecmult_gen(ctx, &rp, nonce); - rustsecp256k1_v0_1_1_ge_set_gej(&r, &rp); - rustsecp256k1_v0_1_1_fe_normalize(&r.x); - rustsecp256k1_v0_1_1_fe_normalize(&r.y); - rustsecp256k1_v0_1_1_fe_get_b32(b, &r.x); - rustsecp256k1_v0_1_1_scalar_set_b32(sigr, b, &overflow); - /* These two conditions should be checked before calling */ - VERIFY_CHECK(!rustsecp256k1_v0_1_1_scalar_is_zero(sigr)); - VERIFY_CHECK(overflow == 0); - + rustsecp256k1_v0_1_2_ecmult_gen(ctx, &rp, nonce); + rustsecp256k1_v0_1_2_ge_set_gej(&r, &rp); + rustsecp256k1_v0_1_2_fe_normalize(&r.x); + rustsecp256k1_v0_1_2_fe_normalize(&r.y); + rustsecp256k1_v0_1_2_fe_get_b32(b, &r.x); + rustsecp256k1_v0_1_2_scalar_set_b32(sigr, b, &overflow); if (recid) { /* The overflow condition is cryptographically unreachable as hitting it requires finding the discrete log * of some P where P.x >= order, and only 1 in about 2^127 points meet this criteria. */ - *recid = (overflow ? 2 : 0) | (rustsecp256k1_v0_1_1_fe_is_odd(&r.y) ? 1 : 0); - } - rustsecp256k1_v0_1_1_scalar_mul(&n, sigr, seckey); - rustsecp256k1_v0_1_1_scalar_add(&n, &n, message); - rustsecp256k1_v0_1_1_scalar_inverse(sigs, nonce); - rustsecp256k1_v0_1_1_scalar_mul(sigs, sigs, &n); - rustsecp256k1_v0_1_1_scalar_clear(&n); - rustsecp256k1_v0_1_1_gej_clear(&rp); - rustsecp256k1_v0_1_1_ge_clear(&r); - if (rustsecp256k1_v0_1_1_scalar_is_zero(sigs)) { - return 0; - } - if (rustsecp256k1_v0_1_1_scalar_is_high(sigs)) { - rustsecp256k1_v0_1_1_scalar_negate(sigs, sigs); - if (recid) { - *recid ^= 1; - } + *recid = (overflow << 1) | rustsecp256k1_v0_1_2_fe_is_odd(&r.y); + } + rustsecp256k1_v0_1_2_scalar_mul(&n, sigr, seckey); + rustsecp256k1_v0_1_2_scalar_add(&n, &n, message); + rustsecp256k1_v0_1_2_scalar_inverse(sigs, nonce); + rustsecp256k1_v0_1_2_scalar_mul(sigs, sigs, &n); + rustsecp256k1_v0_1_2_scalar_clear(&n); + rustsecp256k1_v0_1_2_gej_clear(&rp); + rustsecp256k1_v0_1_2_ge_clear(&r); + high = rustsecp256k1_v0_1_2_scalar_is_high(sigs); + rustsecp256k1_v0_1_2_scalar_cond_negate(sigs, high); + if (recid) { + *recid ^= high; } - return 1; + /* P.x = order is on the curve, so technically sig->r could end up being zero, which would be an invalid signature. + * This is cryptographically unreachable as hitting it requires finding the discrete log of P.x = N. + */ + return !rustsecp256k1_v0_1_2_scalar_is_zero(sigr) & !rustsecp256k1_v0_1_2_scalar_is_zero(sigs); } #endif /* SECP256K1_ECDSA_IMPL_H */ diff --git a/secp256k1-sys/depend/secp256k1/src/eckey.h b/secp256k1-sys/depend/secp256k1/src/eckey.h index 008aea4b5..f3aa013f5 100644 --- a/secp256k1-sys/depend/secp256k1/src/eckey.h +++ b/secp256k1-sys/depend/secp256k1/src/eckey.h @@ -14,12 +14,12 @@ #include "ecmult.h" #include "ecmult_gen.h" -static int rustsecp256k1_v0_1_1_eckey_pubkey_parse(rustsecp256k1_v0_1_1_ge *elem, const unsigned char *pub, size_t size); -static int rustsecp256k1_v0_1_1_eckey_pubkey_serialize(rustsecp256k1_v0_1_1_ge *elem, unsigned char *pub, size_t *size, int compressed); +static int rustsecp256k1_v0_1_2_eckey_pubkey_parse(rustsecp256k1_v0_1_2_ge *elem, const unsigned char *pub, size_t size); +static int rustsecp256k1_v0_1_2_eckey_pubkey_serialize(rustsecp256k1_v0_1_2_ge *elem, unsigned char *pub, size_t *size, int compressed); -static int rustsecp256k1_v0_1_1_eckey_privkey_tweak_add(rustsecp256k1_v0_1_1_scalar *key, const rustsecp256k1_v0_1_1_scalar *tweak); -static int rustsecp256k1_v0_1_1_eckey_pubkey_tweak_add(const rustsecp256k1_v0_1_1_ecmult_context *ctx, rustsecp256k1_v0_1_1_ge *key, const rustsecp256k1_v0_1_1_scalar *tweak); -static int rustsecp256k1_v0_1_1_eckey_privkey_tweak_mul(rustsecp256k1_v0_1_1_scalar *key, const rustsecp256k1_v0_1_1_scalar *tweak); -static int rustsecp256k1_v0_1_1_eckey_pubkey_tweak_mul(const rustsecp256k1_v0_1_1_ecmult_context *ctx, rustsecp256k1_v0_1_1_ge *key, const rustsecp256k1_v0_1_1_scalar *tweak); +static int rustsecp256k1_v0_1_2_eckey_privkey_tweak_add(rustsecp256k1_v0_1_2_scalar *key, const rustsecp256k1_v0_1_2_scalar *tweak); +static int rustsecp256k1_v0_1_2_eckey_pubkey_tweak_add(const rustsecp256k1_v0_1_2_ecmult_context *ctx, rustsecp256k1_v0_1_2_ge *key, const rustsecp256k1_v0_1_2_scalar *tweak); +static int rustsecp256k1_v0_1_2_eckey_privkey_tweak_mul(rustsecp256k1_v0_1_2_scalar *key, const rustsecp256k1_v0_1_2_scalar *tweak); +static int rustsecp256k1_v0_1_2_eckey_pubkey_tweak_mul(const rustsecp256k1_v0_1_2_ecmult_context *ctx, rustsecp256k1_v0_1_2_ge *key, const rustsecp256k1_v0_1_2_scalar *tweak); #endif /* SECP256K1_ECKEY_H */ diff --git a/secp256k1-sys/depend/secp256k1/src/eckey_impl.h b/secp256k1-sys/depend/secp256k1/src/eckey_impl.h index eb2d65d84..9f01fae67 100644 --- a/secp256k1-sys/depend/secp256k1/src/eckey_impl.h +++ b/secp256k1-sys/depend/secp256k1/src/eckey_impl.h @@ -14,86 +14,82 @@ #include "group.h" #include "ecmult_gen.h" -static int rustsecp256k1_v0_1_1_eckey_pubkey_parse(rustsecp256k1_v0_1_1_ge *elem, const unsigned char *pub, size_t size) { +static int rustsecp256k1_v0_1_2_eckey_pubkey_parse(rustsecp256k1_v0_1_2_ge *elem, const unsigned char *pub, size_t size) { if (size == 33 && (pub[0] == SECP256K1_TAG_PUBKEY_EVEN || pub[0] == SECP256K1_TAG_PUBKEY_ODD)) { - rustsecp256k1_v0_1_1_fe x; - return rustsecp256k1_v0_1_1_fe_set_b32(&x, pub+1) && rustsecp256k1_v0_1_1_ge_set_xo_var(elem, &x, pub[0] == SECP256K1_TAG_PUBKEY_ODD); + rustsecp256k1_v0_1_2_fe x; + return rustsecp256k1_v0_1_2_fe_set_b32(&x, pub+1) && rustsecp256k1_v0_1_2_ge_set_xo_var(elem, &x, pub[0] == SECP256K1_TAG_PUBKEY_ODD); } else if (size == 65 && (pub[0] == SECP256K1_TAG_PUBKEY_UNCOMPRESSED || pub[0] == SECP256K1_TAG_PUBKEY_HYBRID_EVEN || pub[0] == SECP256K1_TAG_PUBKEY_HYBRID_ODD)) { - rustsecp256k1_v0_1_1_fe x, y; - if (!rustsecp256k1_v0_1_1_fe_set_b32(&x, pub+1) || !rustsecp256k1_v0_1_1_fe_set_b32(&y, pub+33)) { + rustsecp256k1_v0_1_2_fe x, y; + if (!rustsecp256k1_v0_1_2_fe_set_b32(&x, pub+1) || !rustsecp256k1_v0_1_2_fe_set_b32(&y, pub+33)) { return 0; } - rustsecp256k1_v0_1_1_ge_set_xy(elem, &x, &y); + rustsecp256k1_v0_1_2_ge_set_xy(elem, &x, &y); if ((pub[0] == SECP256K1_TAG_PUBKEY_HYBRID_EVEN || pub[0] == SECP256K1_TAG_PUBKEY_HYBRID_ODD) && - rustsecp256k1_v0_1_1_fe_is_odd(&y) != (pub[0] == SECP256K1_TAG_PUBKEY_HYBRID_ODD)) { + rustsecp256k1_v0_1_2_fe_is_odd(&y) != (pub[0] == SECP256K1_TAG_PUBKEY_HYBRID_ODD)) { return 0; } - return rustsecp256k1_v0_1_1_ge_is_valid_var(elem); + return rustsecp256k1_v0_1_2_ge_is_valid_var(elem); } else { return 0; } } -static int rustsecp256k1_v0_1_1_eckey_pubkey_serialize(rustsecp256k1_v0_1_1_ge *elem, unsigned char *pub, size_t *size, int compressed) { - if (rustsecp256k1_v0_1_1_ge_is_infinity(elem)) { +static int rustsecp256k1_v0_1_2_eckey_pubkey_serialize(rustsecp256k1_v0_1_2_ge *elem, unsigned char *pub, size_t *size, int compressed) { + if (rustsecp256k1_v0_1_2_ge_is_infinity(elem)) { return 0; } - rustsecp256k1_v0_1_1_fe_normalize_var(&elem->x); - rustsecp256k1_v0_1_1_fe_normalize_var(&elem->y); - rustsecp256k1_v0_1_1_fe_get_b32(&pub[1], &elem->x); + rustsecp256k1_v0_1_2_fe_normalize_var(&elem->x); + rustsecp256k1_v0_1_2_fe_normalize_var(&elem->y); + rustsecp256k1_v0_1_2_fe_get_b32(&pub[1], &elem->x); if (compressed) { *size = 33; - pub[0] = rustsecp256k1_v0_1_1_fe_is_odd(&elem->y) ? SECP256K1_TAG_PUBKEY_ODD : SECP256K1_TAG_PUBKEY_EVEN; + pub[0] = rustsecp256k1_v0_1_2_fe_is_odd(&elem->y) ? SECP256K1_TAG_PUBKEY_ODD : SECP256K1_TAG_PUBKEY_EVEN; } else { *size = 65; pub[0] = SECP256K1_TAG_PUBKEY_UNCOMPRESSED; - rustsecp256k1_v0_1_1_fe_get_b32(&pub[33], &elem->y); + rustsecp256k1_v0_1_2_fe_get_b32(&pub[33], &elem->y); } return 1; } -static int rustsecp256k1_v0_1_1_eckey_privkey_tweak_add(rustsecp256k1_v0_1_1_scalar *key, const rustsecp256k1_v0_1_1_scalar *tweak) { - rustsecp256k1_v0_1_1_scalar_add(key, key, tweak); - if (rustsecp256k1_v0_1_1_scalar_is_zero(key)) { - return 0; - } - return 1; +static int rustsecp256k1_v0_1_2_eckey_privkey_tweak_add(rustsecp256k1_v0_1_2_scalar *key, const rustsecp256k1_v0_1_2_scalar *tweak) { + rustsecp256k1_v0_1_2_scalar_add(key, key, tweak); + return !rustsecp256k1_v0_1_2_scalar_is_zero(key); } -static int rustsecp256k1_v0_1_1_eckey_pubkey_tweak_add(const rustsecp256k1_v0_1_1_ecmult_context *ctx, rustsecp256k1_v0_1_1_ge *key, const rustsecp256k1_v0_1_1_scalar *tweak) { - rustsecp256k1_v0_1_1_gej pt; - rustsecp256k1_v0_1_1_scalar one; - rustsecp256k1_v0_1_1_gej_set_ge(&pt, key); - rustsecp256k1_v0_1_1_scalar_set_int(&one, 1); - rustsecp256k1_v0_1_1_ecmult(ctx, &pt, &pt, &one, tweak); +static int rustsecp256k1_v0_1_2_eckey_pubkey_tweak_add(const rustsecp256k1_v0_1_2_ecmult_context *ctx, rustsecp256k1_v0_1_2_ge *key, const rustsecp256k1_v0_1_2_scalar *tweak) { + rustsecp256k1_v0_1_2_gej pt; + rustsecp256k1_v0_1_2_scalar one; + rustsecp256k1_v0_1_2_gej_set_ge(&pt, key); + rustsecp256k1_v0_1_2_scalar_set_int(&one, 1); + rustsecp256k1_v0_1_2_ecmult(ctx, &pt, &pt, &one, tweak); - if (rustsecp256k1_v0_1_1_gej_is_infinity(&pt)) { + if (rustsecp256k1_v0_1_2_gej_is_infinity(&pt)) { return 0; } - rustsecp256k1_v0_1_1_ge_set_gej(key, &pt); + rustsecp256k1_v0_1_2_ge_set_gej(key, &pt); return 1; } -static int rustsecp256k1_v0_1_1_eckey_privkey_tweak_mul(rustsecp256k1_v0_1_1_scalar *key, const rustsecp256k1_v0_1_1_scalar *tweak) { - if (rustsecp256k1_v0_1_1_scalar_is_zero(tweak)) { - return 0; - } +static int rustsecp256k1_v0_1_2_eckey_privkey_tweak_mul(rustsecp256k1_v0_1_2_scalar *key, const rustsecp256k1_v0_1_2_scalar *tweak) { + int ret; + ret = !rustsecp256k1_v0_1_2_scalar_is_zero(tweak); - rustsecp256k1_v0_1_1_scalar_mul(key, key, tweak); - return 1; + rustsecp256k1_v0_1_2_scalar_mul(key, key, tweak); + return ret; } -static int rustsecp256k1_v0_1_1_eckey_pubkey_tweak_mul(const rustsecp256k1_v0_1_1_ecmult_context *ctx, rustsecp256k1_v0_1_1_ge *key, const rustsecp256k1_v0_1_1_scalar *tweak) { - rustsecp256k1_v0_1_1_scalar zero; - rustsecp256k1_v0_1_1_gej pt; - if (rustsecp256k1_v0_1_1_scalar_is_zero(tweak)) { +static int rustsecp256k1_v0_1_2_eckey_pubkey_tweak_mul(const rustsecp256k1_v0_1_2_ecmult_context *ctx, rustsecp256k1_v0_1_2_ge *key, const rustsecp256k1_v0_1_2_scalar *tweak) { + rustsecp256k1_v0_1_2_scalar zero; + rustsecp256k1_v0_1_2_gej pt; + if (rustsecp256k1_v0_1_2_scalar_is_zero(tweak)) { return 0; } - rustsecp256k1_v0_1_1_scalar_set_int(&zero, 0); - rustsecp256k1_v0_1_1_gej_set_ge(&pt, key); - rustsecp256k1_v0_1_1_ecmult(ctx, &pt, &pt, tweak, &zero); - rustsecp256k1_v0_1_1_ge_set_gej(key, &pt); + rustsecp256k1_v0_1_2_scalar_set_int(&zero, 0); + rustsecp256k1_v0_1_2_gej_set_ge(&pt, key); + rustsecp256k1_v0_1_2_ecmult(ctx, &pt, &pt, tweak, &zero); + rustsecp256k1_v0_1_2_ge_set_gej(key, &pt); return 1; } diff --git a/secp256k1-sys/depend/secp256k1/src/ecmult.h b/secp256k1-sys/depend/secp256k1/src/ecmult.h index ffe5b329b..a28d0cb9d 100644 --- a/secp256k1-sys/depend/secp256k1/src/ecmult.h +++ b/secp256k1-sys/depend/secp256k1/src/ecmult.h @@ -14,23 +14,23 @@ typedef struct { /* For accelerating the computation of a*P + b*G: */ - rustsecp256k1_v0_1_1_ge_storage (*pre_g)[]; /* odd multiples of the generator */ + rustsecp256k1_v0_1_2_ge_storage (*pre_g)[]; /* odd multiples of the generator */ #ifdef USE_ENDOMORPHISM - rustsecp256k1_v0_1_1_ge_storage (*pre_g_128)[]; /* odd multiples of 2^128*generator */ + rustsecp256k1_v0_1_2_ge_storage (*pre_g_128)[]; /* odd multiples of 2^128*generator */ #endif -} rustsecp256k1_v0_1_1_ecmult_context; +} rustsecp256k1_v0_1_2_ecmult_context; static const size_t SECP256K1_ECMULT_CONTEXT_PREALLOCATED_SIZE; -static void rustsecp256k1_v0_1_1_ecmult_context_init(rustsecp256k1_v0_1_1_ecmult_context *ctx); -static void rustsecp256k1_v0_1_1_ecmult_context_build(rustsecp256k1_v0_1_1_ecmult_context *ctx, void **prealloc); -static void rustsecp256k1_v0_1_1_ecmult_context_finalize_memcpy(rustsecp256k1_v0_1_1_ecmult_context *dst, const rustsecp256k1_v0_1_1_ecmult_context *src); -static void rustsecp256k1_v0_1_1_ecmult_context_clear(rustsecp256k1_v0_1_1_ecmult_context *ctx); -static int rustsecp256k1_v0_1_1_ecmult_context_is_built(const rustsecp256k1_v0_1_1_ecmult_context *ctx); +static void rustsecp256k1_v0_1_2_ecmult_context_init(rustsecp256k1_v0_1_2_ecmult_context *ctx); +static void rustsecp256k1_v0_1_2_ecmult_context_build(rustsecp256k1_v0_1_2_ecmult_context *ctx, void **prealloc); +static void rustsecp256k1_v0_1_2_ecmult_context_finalize_memcpy(rustsecp256k1_v0_1_2_ecmult_context *dst, const rustsecp256k1_v0_1_2_ecmult_context *src); +static void rustsecp256k1_v0_1_2_ecmult_context_clear(rustsecp256k1_v0_1_2_ecmult_context *ctx); +static int rustsecp256k1_v0_1_2_ecmult_context_is_built(const rustsecp256k1_v0_1_2_ecmult_context *ctx); /** Double multiply: R = na*A + ng*G */ -static void rustsecp256k1_v0_1_1_ecmult(const rustsecp256k1_v0_1_1_ecmult_context *ctx, rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_gej *a, const rustsecp256k1_v0_1_1_scalar *na, const rustsecp256k1_v0_1_1_scalar *ng); +static void rustsecp256k1_v0_1_2_ecmult(const rustsecp256k1_v0_1_2_ecmult_context *ctx, rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_gej *a, const rustsecp256k1_v0_1_2_scalar *na, const rustsecp256k1_v0_1_2_scalar *ng); -typedef int (rustsecp256k1_v0_1_1_ecmult_multi_callback)(rustsecp256k1_v0_1_1_scalar *sc, rustsecp256k1_v0_1_1_ge *pt, size_t idx, void *data); +typedef int (rustsecp256k1_v0_1_2_ecmult_multi_callback)(rustsecp256k1_v0_1_2_scalar *sc, rustsecp256k1_v0_1_2_ge *pt, size_t idx, void *data); /** * Multi-multiply: R = inp_g_sc * G + sum_i ni * Ai. @@ -43,6 +43,6 @@ typedef int (rustsecp256k1_v0_1_1_ecmult_multi_callback)(rustsecp256k1_v0_1_1_sc * 0 if there is not enough scratch space for a single point or * callback returns 0 */ -static int rustsecp256k1_v0_1_1_ecmult_multi_var(const rustsecp256k1_v0_1_1_callback* error_callback, const rustsecp256k1_v0_1_1_ecmult_context *ctx, rustsecp256k1_v0_1_1_scratch *scratch, rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_scalar *inp_g_sc, rustsecp256k1_v0_1_1_ecmult_multi_callback cb, void *cbdata, size_t n); +static int rustsecp256k1_v0_1_2_ecmult_multi_var(const rustsecp256k1_v0_1_2_callback* error_callback, const rustsecp256k1_v0_1_2_ecmult_context *ctx, rustsecp256k1_v0_1_2_scratch *scratch, rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_scalar *inp_g_sc, rustsecp256k1_v0_1_2_ecmult_multi_callback cb, void *cbdata, size_t n); #endif /* SECP256K1_ECMULT_H */ diff --git a/secp256k1-sys/depend/secp256k1/src/ecmult_const.h b/secp256k1-sys/depend/secp256k1/src/ecmult_const.h index b4c3089bb..527d46aa7 100644 --- a/secp256k1-sys/depend/secp256k1/src/ecmult_const.h +++ b/secp256k1-sys/depend/secp256k1/src/ecmult_const.h @@ -10,8 +10,11 @@ #include "scalar.h" #include "group.h" -/* Here `bits` should be set to the maximum bitlength of the _absolute value_ of `q`, plus - * one because we internally sometimes add 2 to the number during the WNAF conversion. */ -static void rustsecp256k1_v0_1_1_ecmult_const(rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_ge *a, const rustsecp256k1_v0_1_1_scalar *q, int bits); +/** + * Multiply: R = q*A (in constant-time) + * Here `bits` should be set to the maximum bitlength of the _absolute value_ of `q`, plus + * one because we internally sometimes add 2 to the number during the WNAF conversion. + */ +static void rustsecp256k1_v0_1_2_ecmult_const(rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_ge *a, const rustsecp256k1_v0_1_2_scalar *q, int bits); #endif /* SECP256K1_ECMULT_CONST_H */ diff --git a/secp256k1-sys/depend/secp256k1/src/ecmult_const_impl.h b/secp256k1-sys/depend/secp256k1/src/ecmult_const_impl.h index 0fe6f6e6c..510a3b5a9 100644 --- a/secp256k1-sys/depend/secp256k1/src/ecmult_const_impl.h +++ b/secp256k1-sys/depend/secp256k1/src/ecmult_const_impl.h @@ -15,23 +15,25 @@ /* This is like `ECMULT_TABLE_GET_GE` but is constant time */ #define ECMULT_CONST_TABLE_GET_GE(r,pre,n,w) do { \ int m; \ - int abs_n = (n) * (((n) > 0) * 2 - 1); \ - int idx_n = abs_n / 2; \ - rustsecp256k1_v0_1_1_fe neg_y; \ + /* Extract the sign-bit for a constant time absolute-value. */ \ + int mask = (n) >> (sizeof(n) * CHAR_BIT - 1); \ + int abs_n = ((n) + mask) ^ mask; \ + int idx_n = abs_n >> 1; \ + rustsecp256k1_v0_1_2_fe neg_y; \ VERIFY_CHECK(((n) & 1) == 1); \ VERIFY_CHECK((n) >= -((1 << ((w)-1)) - 1)); \ VERIFY_CHECK((n) <= ((1 << ((w)-1)) - 1)); \ - VERIFY_SETUP(rustsecp256k1_v0_1_1_fe_clear(&(r)->x)); \ - VERIFY_SETUP(rustsecp256k1_v0_1_1_fe_clear(&(r)->y)); \ + VERIFY_SETUP(rustsecp256k1_v0_1_2_fe_clear(&(r)->x)); \ + VERIFY_SETUP(rustsecp256k1_v0_1_2_fe_clear(&(r)->y)); \ for (m = 0; m < ECMULT_TABLE_SIZE(w); m++) { \ /* This loop is used to avoid secret data in array indices. See * the comment in ecmult_gen_impl.h for rationale. */ \ - rustsecp256k1_v0_1_1_fe_cmov(&(r)->x, &(pre)[m].x, m == idx_n); \ - rustsecp256k1_v0_1_1_fe_cmov(&(r)->y, &(pre)[m].y, m == idx_n); \ + rustsecp256k1_v0_1_2_fe_cmov(&(r)->x, &(pre)[m].x, m == idx_n); \ + rustsecp256k1_v0_1_2_fe_cmov(&(r)->y, &(pre)[m].y, m == idx_n); \ } \ (r)->infinity = 0; \ - rustsecp256k1_v0_1_1_fe_negate(&neg_y, &(r)->y, 1); \ - rustsecp256k1_v0_1_1_fe_cmov(&(r)->y, &neg_y, (n) != abs_n); \ + rustsecp256k1_v0_1_2_fe_negate(&neg_y, &(r)->y, 1); \ + rustsecp256k1_v0_1_2_fe_cmov(&(r)->y, &neg_y, (n) != abs_n); \ } while(0) @@ -44,11 +46,11 @@ * * Adapted from `The Width-w NAF Method Provides Small Memory and Fast Elliptic Scalar * Multiplications Secure against Side Channel Attacks`, Okeya and Tagaki. M. Joye (Ed.) - * CT-RSA 2003, LNCS 2612, pp. 328-443, 2003. Springer-Verlagy Berlin Heidelberg 2003 + * CT-RSA 2003, LNCS 2612, pp. 328-443, 2003. Springer-Verlag Berlin Heidelberg 2003 * * Numbers reference steps of `Algorithm SPA-resistant Width-w NAF with Odd Scalar` on pp. 335 */ -static int rustsecp256k1_v0_1_1_wnaf_const(int *wnaf, const rustsecp256k1_v0_1_1_scalar *scalar, int w, int size) { +static int rustsecp256k1_v0_1_2_wnaf_const(int *wnaf, const rustsecp256k1_v0_1_2_scalar *scalar, int w, int size) { int global_sign; int skew = 0; int word = 0; @@ -59,7 +61,7 @@ static int rustsecp256k1_v0_1_1_wnaf_const(int *wnaf, const rustsecp256k1_v0_1_1 int flip; int bit; - rustsecp256k1_v0_1_1_scalar s; + rustsecp256k1_v0_1_2_scalar s; int not_neg_one; VERIFY_CHECK(w > 0); @@ -77,33 +79,33 @@ static int rustsecp256k1_v0_1_1_wnaf_const(int *wnaf, const rustsecp256k1_v0_1_1 * particular, to ensure that the outputs from the endomorphism-split fit into * 128 bits). If we negate, the parity of our number flips, inverting which of * {1, 2} we want to add to the scalar when ensuring that it's odd. Further - * complicating things, -1 interacts badly with `rustsecp256k1_v0_1_1_scalar_cadd_bit` and + * complicating things, -1 interacts badly with `rustsecp256k1_v0_1_2_scalar_cadd_bit` and * we need to special-case it in this logic. */ - flip = rustsecp256k1_v0_1_1_scalar_is_high(scalar); + flip = rustsecp256k1_v0_1_2_scalar_is_high(scalar); /* We add 1 to even numbers, 2 to odd ones, noting that negation flips parity */ - bit = flip ^ !rustsecp256k1_v0_1_1_scalar_is_even(scalar); + bit = flip ^ !rustsecp256k1_v0_1_2_scalar_is_even(scalar); /* We check for negative one, since adding 2 to it will cause an overflow */ - rustsecp256k1_v0_1_1_scalar_negate(&s, scalar); - not_neg_one = !rustsecp256k1_v0_1_1_scalar_is_one(&s); + rustsecp256k1_v0_1_2_scalar_negate(&s, scalar); + not_neg_one = !rustsecp256k1_v0_1_2_scalar_is_one(&s); s = *scalar; - rustsecp256k1_v0_1_1_scalar_cadd_bit(&s, bit, not_neg_one); + rustsecp256k1_v0_1_2_scalar_cadd_bit(&s, bit, not_neg_one); /* If we had negative one, flip == 1, s.d[0] == 0, bit == 1, so caller expects * that we added two to it and flipped it. In fact for -1 these operations are * identical. We only flipped, but since skewing is required (in the sense that * the skew must be 1 or 2, never zero) and flipping is not, we need to change * our flags to claim that we only skewed. */ - global_sign = rustsecp256k1_v0_1_1_scalar_cond_negate(&s, flip); + global_sign = rustsecp256k1_v0_1_2_scalar_cond_negate(&s, flip); global_sign *= not_neg_one * 2 - 1; skew = 1 << bit; /* 4 */ - u_last = rustsecp256k1_v0_1_1_scalar_shr_int(&s, w); + u_last = rustsecp256k1_v0_1_2_scalar_shr_int(&s, w); do { int sign; int even; /* 4.1 4.4 */ - u = rustsecp256k1_v0_1_1_scalar_shr_int(&s, w); + u = rustsecp256k1_v0_1_2_scalar_shr_int(&s, w); /* 4.2 */ even = ((u & 1) == 0); sign = 2 * (u_last > 0) - 1; @@ -117,22 +119,22 @@ static int rustsecp256k1_v0_1_1_wnaf_const(int *wnaf, const rustsecp256k1_v0_1_1 } while (word * w < size); wnaf[word] = u * global_sign; - VERIFY_CHECK(rustsecp256k1_v0_1_1_scalar_is_zero(&s)); + VERIFY_CHECK(rustsecp256k1_v0_1_2_scalar_is_zero(&s)); VERIFY_CHECK(word == WNAF_SIZE_BITS(size, w)); return skew; } -static void rustsecp256k1_v0_1_1_ecmult_const(rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_ge *a, const rustsecp256k1_v0_1_1_scalar *scalar, int size) { - rustsecp256k1_v0_1_1_ge pre_a[ECMULT_TABLE_SIZE(WINDOW_A)]; - rustsecp256k1_v0_1_1_ge tmpa; - rustsecp256k1_v0_1_1_fe Z; +static void rustsecp256k1_v0_1_2_ecmult_const(rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_ge *a, const rustsecp256k1_v0_1_2_scalar *scalar, int size) { + rustsecp256k1_v0_1_2_ge pre_a[ECMULT_TABLE_SIZE(WINDOW_A)]; + rustsecp256k1_v0_1_2_ge tmpa; + rustsecp256k1_v0_1_2_fe Z; int skew_1; #ifdef USE_ENDOMORPHISM - rustsecp256k1_v0_1_1_ge pre_a_lam[ECMULT_TABLE_SIZE(WINDOW_A)]; + rustsecp256k1_v0_1_2_ge pre_a_lam[ECMULT_TABLE_SIZE(WINDOW_A)]; int wnaf_lam[1 + WNAF_SIZE(WINDOW_A - 1)]; int skew_lam; - rustsecp256k1_v0_1_1_scalar q_1, q_lam; + rustsecp256k1_v0_1_2_scalar q_1, q_lam; #endif int wnaf_1[1 + WNAF_SIZE(WINDOW_A - 1)]; @@ -144,13 +146,13 @@ static void rustsecp256k1_v0_1_1_ecmult_const(rustsecp256k1_v0_1_1_gej *r, const if (size > 128) { rsize = 128; /* split q into q_1 and q_lam (where q = q_1 + q_lam*lambda, and q_1 and q_lam are ~128 bit) */ - rustsecp256k1_v0_1_1_scalar_split_lambda(&q_1, &q_lam, scalar); - skew_1 = rustsecp256k1_v0_1_1_wnaf_const(wnaf_1, &q_1, WINDOW_A - 1, 128); - skew_lam = rustsecp256k1_v0_1_1_wnaf_const(wnaf_lam, &q_lam, WINDOW_A - 1, 128); + rustsecp256k1_v0_1_2_scalar_split_lambda(&q_1, &q_lam, scalar); + skew_1 = rustsecp256k1_v0_1_2_wnaf_const(wnaf_1, &q_1, WINDOW_A - 1, 128); + skew_lam = rustsecp256k1_v0_1_2_wnaf_const(wnaf_lam, &q_lam, WINDOW_A - 1, 128); } else #endif { - skew_1 = rustsecp256k1_v0_1_1_wnaf_const(wnaf_1, scalar, WINDOW_A - 1, size); + skew_1 = rustsecp256k1_v0_1_2_wnaf_const(wnaf_1, scalar, WINDOW_A - 1, size); #ifdef USE_ENDOMORPHISM skew_lam = 0; #endif @@ -162,16 +164,17 @@ static void rustsecp256k1_v0_1_1_ecmult_const(rustsecp256k1_v0_1_1_gej *r, const * that the Z coordinate was 1, use affine addition formulae, and correct * the Z coordinate of the result once at the end. */ - rustsecp256k1_v0_1_1_gej_set_ge(r, a); - rustsecp256k1_v0_1_1_ecmult_odd_multiples_table_globalz_windowa(pre_a, &Z, r); + rustsecp256k1_v0_1_2_gej_set_ge(r, a); + rustsecp256k1_v0_1_2_ecmult_odd_multiples_table_globalz_windowa(pre_a, &Z, r); for (i = 0; i < ECMULT_TABLE_SIZE(WINDOW_A); i++) { - rustsecp256k1_v0_1_1_fe_normalize_weak(&pre_a[i].y); + rustsecp256k1_v0_1_2_fe_normalize_weak(&pre_a[i].y); } #ifdef USE_ENDOMORPHISM if (size > 128) { for (i = 0; i < ECMULT_TABLE_SIZE(WINDOW_A); i++) { - rustsecp256k1_v0_1_1_ge_mul_lambda(&pre_a_lam[i], &pre_a[i]); + rustsecp256k1_v0_1_2_ge_mul_lambda(&pre_a_lam[i], &pre_a[i]); } + } #endif @@ -181,13 +184,13 @@ static void rustsecp256k1_v0_1_1_ecmult_const(rustsecp256k1_v0_1_1_gej *r, const i = wnaf_1[WNAF_SIZE_BITS(rsize, WINDOW_A - 1)]; VERIFY_CHECK(i != 0); ECMULT_CONST_TABLE_GET_GE(&tmpa, pre_a, i, WINDOW_A); - rustsecp256k1_v0_1_1_gej_set_ge(r, &tmpa); + rustsecp256k1_v0_1_2_gej_set_ge(r, &tmpa); #ifdef USE_ENDOMORPHISM if (size > 128) { i = wnaf_lam[WNAF_SIZE_BITS(rsize, WINDOW_A - 1)]; VERIFY_CHECK(i != 0); ECMULT_CONST_TABLE_GET_GE(&tmpa, pre_a_lam, i, WINDOW_A); - rustsecp256k1_v0_1_1_gej_add_ge(r, r, &tmpa); + rustsecp256k1_v0_1_2_gej_add_ge(r, r, &tmpa); } #endif /* remaining loop iterations */ @@ -195,64 +198,64 @@ static void rustsecp256k1_v0_1_1_ecmult_const(rustsecp256k1_v0_1_1_gej *r, const int n; int j; for (j = 0; j < WINDOW_A - 1; ++j) { - rustsecp256k1_v0_1_1_gej_double_nonzero(r, r, NULL); + rustsecp256k1_v0_1_2_gej_double_nonzero(r, r); } n = wnaf_1[i]; ECMULT_CONST_TABLE_GET_GE(&tmpa, pre_a, n, WINDOW_A); VERIFY_CHECK(n != 0); - rustsecp256k1_v0_1_1_gej_add_ge(r, r, &tmpa); + rustsecp256k1_v0_1_2_gej_add_ge(r, r, &tmpa); #ifdef USE_ENDOMORPHISM if (size > 128) { n = wnaf_lam[i]; ECMULT_CONST_TABLE_GET_GE(&tmpa, pre_a_lam, n, WINDOW_A); VERIFY_CHECK(n != 0); - rustsecp256k1_v0_1_1_gej_add_ge(r, r, &tmpa); + rustsecp256k1_v0_1_2_gej_add_ge(r, r, &tmpa); } #endif } - rustsecp256k1_v0_1_1_fe_mul(&r->z, &r->z, &Z); + rustsecp256k1_v0_1_2_fe_mul(&r->z, &r->z, &Z); { /* Correct for wNAF skew */ - rustsecp256k1_v0_1_1_ge correction = *a; - rustsecp256k1_v0_1_1_ge_storage correction_1_stor; + rustsecp256k1_v0_1_2_ge correction = *a; + rustsecp256k1_v0_1_2_ge_storage correction_1_stor; #ifdef USE_ENDOMORPHISM - rustsecp256k1_v0_1_1_ge_storage correction_lam_stor; + rustsecp256k1_v0_1_2_ge_storage correction_lam_stor; #endif - rustsecp256k1_v0_1_1_ge_storage a2_stor; - rustsecp256k1_v0_1_1_gej tmpj; - rustsecp256k1_v0_1_1_gej_set_ge(&tmpj, &correction); - rustsecp256k1_v0_1_1_gej_double_var(&tmpj, &tmpj, NULL); - rustsecp256k1_v0_1_1_ge_set_gej(&correction, &tmpj); - rustsecp256k1_v0_1_1_ge_to_storage(&correction_1_stor, a); + rustsecp256k1_v0_1_2_ge_storage a2_stor; + rustsecp256k1_v0_1_2_gej tmpj; + rustsecp256k1_v0_1_2_gej_set_ge(&tmpj, &correction); + rustsecp256k1_v0_1_2_gej_double_var(&tmpj, &tmpj, NULL); + rustsecp256k1_v0_1_2_ge_set_gej(&correction, &tmpj); + rustsecp256k1_v0_1_2_ge_to_storage(&correction_1_stor, a); #ifdef USE_ENDOMORPHISM if (size > 128) { - rustsecp256k1_v0_1_1_ge_to_storage(&correction_lam_stor, a); + rustsecp256k1_v0_1_2_ge_to_storage(&correction_lam_stor, a); } #endif - rustsecp256k1_v0_1_1_ge_to_storage(&a2_stor, &correction); + rustsecp256k1_v0_1_2_ge_to_storage(&a2_stor, &correction); /* For odd numbers this is 2a (so replace it), for even ones a (so no-op) */ - rustsecp256k1_v0_1_1_ge_storage_cmov(&correction_1_stor, &a2_stor, skew_1 == 2); + rustsecp256k1_v0_1_2_ge_storage_cmov(&correction_1_stor, &a2_stor, skew_1 == 2); #ifdef USE_ENDOMORPHISM if (size > 128) { - rustsecp256k1_v0_1_1_ge_storage_cmov(&correction_lam_stor, &a2_stor, skew_lam == 2); + rustsecp256k1_v0_1_2_ge_storage_cmov(&correction_lam_stor, &a2_stor, skew_lam == 2); } #endif /* Apply the correction */ - rustsecp256k1_v0_1_1_ge_from_storage(&correction, &correction_1_stor); - rustsecp256k1_v0_1_1_ge_neg(&correction, &correction); - rustsecp256k1_v0_1_1_gej_add_ge(r, r, &correction); + rustsecp256k1_v0_1_2_ge_from_storage(&correction, &correction_1_stor); + rustsecp256k1_v0_1_2_ge_neg(&correction, &correction); + rustsecp256k1_v0_1_2_gej_add_ge(r, r, &correction); #ifdef USE_ENDOMORPHISM if (size > 128) { - rustsecp256k1_v0_1_1_ge_from_storage(&correction, &correction_lam_stor); - rustsecp256k1_v0_1_1_ge_neg(&correction, &correction); - rustsecp256k1_v0_1_1_ge_mul_lambda(&correction, &correction); - rustsecp256k1_v0_1_1_gej_add_ge(r, r, &correction); + rustsecp256k1_v0_1_2_ge_from_storage(&correction, &correction_lam_stor); + rustsecp256k1_v0_1_2_ge_neg(&correction, &correction); + rustsecp256k1_v0_1_2_ge_mul_lambda(&correction, &correction); + rustsecp256k1_v0_1_2_gej_add_ge(r, r, &correction); } #endif } diff --git a/secp256k1-sys/depend/secp256k1/src/ecmult_gen.h b/secp256k1-sys/depend/secp256k1/src/ecmult_gen.h index 58a9bac7a..2c333d797 100644 --- a/secp256k1-sys/depend/secp256k1/src/ecmult_gen.h +++ b/secp256k1-sys/depend/secp256k1/src/ecmult_gen.h @@ -10,34 +10,41 @@ #include "scalar.h" #include "group.h" +#if ECMULT_GEN_PREC_BITS != 2 && ECMULT_GEN_PREC_BITS != 4 && ECMULT_GEN_PREC_BITS != 8 +# error "Set ECMULT_GEN_PREC_BITS to 2, 4 or 8." +#endif +#define ECMULT_GEN_PREC_B ECMULT_GEN_PREC_BITS +#define ECMULT_GEN_PREC_G (1 << ECMULT_GEN_PREC_B) +#define ECMULT_GEN_PREC_N (256 / ECMULT_GEN_PREC_B) + typedef struct { /* For accelerating the computation of a*G: * To harden against timing attacks, use the following mechanism: - * * Break up the multiplicand into groups of 4 bits, called n_0, n_1, n_2, ..., n_63. - * * Compute sum(n_i * 16^i * G + U_i, i=0..63), where: - * * U_i = U * 2^i (for i=0..62) - * * U_i = U * (1-2^63) (for i=63) - * where U is a point with no known corresponding scalar. Note that sum(U_i, i=0..63) = 0. - * For each i, and each of the 16 possible values of n_i, (n_i * 16^i * G + U_i) is - * precomputed (call it prec(i, n_i)). The formula now becomes sum(prec(i, n_i), i=0..63). + * * Break up the multiplicand into groups of PREC_B bits, called n_0, n_1, n_2, ..., n_(PREC_N-1). + * * Compute sum(n_i * (PREC_G)^i * G + U_i, i=0 ... PREC_N-1), where: + * * U_i = U * 2^i, for i=0 ... PREC_N-2 + * * U_i = U * (1-2^(PREC_N-1)), for i=PREC_N-1 + * where U is a point with no known corresponding scalar. Note that sum(U_i, i=0 ... PREC_N-1) = 0. + * For each i, and each of the PREC_G possible values of n_i, (n_i * (PREC_G)^i * G + U_i) is + * precomputed (call it prec(i, n_i)). The formula now becomes sum(prec(i, n_i), i=0 ... PREC_N-1). * None of the resulting prec group elements have a known scalar, and neither do any of * the intermediate sums while computing a*G. */ - rustsecp256k1_v0_1_1_ge_storage (*prec)[64][16]; /* prec[j][i] = 16^j * i * G + U_i */ - rustsecp256k1_v0_1_1_scalar blind; - rustsecp256k1_v0_1_1_gej initial; -} rustsecp256k1_v0_1_1_ecmult_gen_context; + rustsecp256k1_v0_1_2_ge_storage (*prec)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G]; /* prec[j][i] = (PREC_G)^j * i * G + U_i */ + rustsecp256k1_v0_1_2_scalar blind; + rustsecp256k1_v0_1_2_gej initial; +} rustsecp256k1_v0_1_2_ecmult_gen_context; static const size_t SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE; -static void rustsecp256k1_v0_1_1_ecmult_gen_context_init(rustsecp256k1_v0_1_1_ecmult_gen_context* ctx); -static void rustsecp256k1_v0_1_1_ecmult_gen_context_build(rustsecp256k1_v0_1_1_ecmult_gen_context* ctx, void **prealloc); -static void rustsecp256k1_v0_1_1_ecmult_gen_context_finalize_memcpy(rustsecp256k1_v0_1_1_ecmult_gen_context *dst, const rustsecp256k1_v0_1_1_ecmult_gen_context* src); -static void rustsecp256k1_v0_1_1_ecmult_gen_context_clear(rustsecp256k1_v0_1_1_ecmult_gen_context* ctx); -static int rustsecp256k1_v0_1_1_ecmult_gen_context_is_built(const rustsecp256k1_v0_1_1_ecmult_gen_context* ctx); +static void rustsecp256k1_v0_1_2_ecmult_gen_context_init(rustsecp256k1_v0_1_2_ecmult_gen_context* ctx); +static void rustsecp256k1_v0_1_2_ecmult_gen_context_build(rustsecp256k1_v0_1_2_ecmult_gen_context* ctx, void **prealloc); +static void rustsecp256k1_v0_1_2_ecmult_gen_context_finalize_memcpy(rustsecp256k1_v0_1_2_ecmult_gen_context *dst, const rustsecp256k1_v0_1_2_ecmult_gen_context* src); +static void rustsecp256k1_v0_1_2_ecmult_gen_context_clear(rustsecp256k1_v0_1_2_ecmult_gen_context* ctx); +static int rustsecp256k1_v0_1_2_ecmult_gen_context_is_built(const rustsecp256k1_v0_1_2_ecmult_gen_context* ctx); /** Multiply with the generator: R = a*G */ -static void rustsecp256k1_v0_1_1_ecmult_gen(const rustsecp256k1_v0_1_1_ecmult_gen_context* ctx, rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_scalar *a); +static void rustsecp256k1_v0_1_2_ecmult_gen(const rustsecp256k1_v0_1_2_ecmult_gen_context* ctx, rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_scalar *a); -static void rustsecp256k1_v0_1_1_ecmult_gen_blind(rustsecp256k1_v0_1_1_ecmult_gen_context *ctx, const unsigned char *seed32); +static void rustsecp256k1_v0_1_2_ecmult_gen_blind(rustsecp256k1_v0_1_2_ecmult_gen_context *ctx, const unsigned char *seed32); #endif /* SECP256K1_ECMULT_GEN_H */ diff --git a/secp256k1-sys/depend/secp256k1/src/ecmult_gen_impl.h b/secp256k1-sys/depend/secp256k1/src/ecmult_gen_impl.h index 3be3f1d4e..2100f1642 100644 --- a/secp256k1-sys/depend/secp256k1/src/ecmult_gen_impl.h +++ b/secp256k1-sys/depend/secp256k1/src/ecmult_gen_impl.h @@ -17,20 +17,20 @@ #endif #ifndef USE_ECMULT_STATIC_PRECOMPUTATION - static const size_t SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE = ROUND_TO_ALIGN(sizeof(*((rustsecp256k1_v0_1_1_ecmult_gen_context*) NULL)->prec)); + static const size_t SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE = ROUND_TO_ALIGN(sizeof(*((rustsecp256k1_v0_1_2_ecmult_gen_context*) NULL)->prec)); #else static const size_t SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE = 0; #endif -static void rustsecp256k1_v0_1_1_ecmult_gen_context_init(rustsecp256k1_v0_1_1_ecmult_gen_context *ctx) { +static void rustsecp256k1_v0_1_2_ecmult_gen_context_init(rustsecp256k1_v0_1_2_ecmult_gen_context *ctx) { ctx->prec = NULL; } -static void rustsecp256k1_v0_1_1_ecmult_gen_context_build(rustsecp256k1_v0_1_1_ecmult_gen_context *ctx, void **prealloc) { +static void rustsecp256k1_v0_1_2_ecmult_gen_context_build(rustsecp256k1_v0_1_2_ecmult_gen_context *ctx, void **prealloc) { #ifndef USE_ECMULT_STATIC_PRECOMPUTATION - rustsecp256k1_v0_1_1_ge prec[1024]; - rustsecp256k1_v0_1_1_gej gj; - rustsecp256k1_v0_1_1_gej nums_gej; + rustsecp256k1_v0_1_2_ge prec[ECMULT_GEN_PREC_N * ECMULT_GEN_PREC_G]; + rustsecp256k1_v0_1_2_gej gj; + rustsecp256k1_v0_1_2_gej nums_gej; int i, j; size_t const prealloc_size = SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE; void* const base = *prealloc; @@ -40,102 +40,102 @@ static void rustsecp256k1_v0_1_1_ecmult_gen_context_build(rustsecp256k1_v0_1_1_e return; } #ifndef USE_ECMULT_STATIC_PRECOMPUTATION - ctx->prec = (rustsecp256k1_v0_1_1_ge_storage (*)[64][16])manual_alloc(prealloc, prealloc_size, base, prealloc_size); + ctx->prec = (rustsecp256k1_v0_1_2_ge_storage (*)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G])manual_alloc(prealloc, prealloc_size, base, prealloc_size); /* get the generator */ - rustsecp256k1_v0_1_1_gej_set_ge(&gj, &rustsecp256k1_v0_1_1_ge_const_g); + rustsecp256k1_v0_1_2_gej_set_ge(&gj, &rustsecp256k1_v0_1_2_ge_const_g); /* Construct a group element with no known corresponding scalar (nothing up my sleeve). */ { static const unsigned char nums_b32[33] = "The scalar for this x is unknown"; - rustsecp256k1_v0_1_1_fe nums_x; - rustsecp256k1_v0_1_1_ge nums_ge; + rustsecp256k1_v0_1_2_fe nums_x; + rustsecp256k1_v0_1_2_ge nums_ge; int r; - r = rustsecp256k1_v0_1_1_fe_set_b32(&nums_x, nums_b32); + r = rustsecp256k1_v0_1_2_fe_set_b32(&nums_x, nums_b32); (void)r; VERIFY_CHECK(r); - r = rustsecp256k1_v0_1_1_ge_set_xo_var(&nums_ge, &nums_x, 0); + r = rustsecp256k1_v0_1_2_ge_set_xo_var(&nums_ge, &nums_x, 0); (void)r; VERIFY_CHECK(r); - rustsecp256k1_v0_1_1_gej_set_ge(&nums_gej, &nums_ge); + rustsecp256k1_v0_1_2_gej_set_ge(&nums_gej, &nums_ge); /* Add G to make the bits in x uniformly distributed. */ - rustsecp256k1_v0_1_1_gej_add_ge_var(&nums_gej, &nums_gej, &rustsecp256k1_v0_1_1_ge_const_g, NULL); + rustsecp256k1_v0_1_2_gej_add_ge_var(&nums_gej, &nums_gej, &rustsecp256k1_v0_1_2_ge_const_g, NULL); } /* compute prec. */ { - rustsecp256k1_v0_1_1_gej precj[1024]; /* Jacobian versions of prec. */ - rustsecp256k1_v0_1_1_gej gbase; - rustsecp256k1_v0_1_1_gej numsbase; - gbase = gj; /* 16^j * G */ + rustsecp256k1_v0_1_2_gej precj[ECMULT_GEN_PREC_N * ECMULT_GEN_PREC_G]; /* Jacobian versions of prec. */ + rustsecp256k1_v0_1_2_gej gbase; + rustsecp256k1_v0_1_2_gej numsbase; + gbase = gj; /* PREC_G^j * G */ numsbase = nums_gej; /* 2^j * nums. */ - for (j = 0; j < 64; j++) { - /* Set precj[j*16 .. j*16+15] to (numsbase, numsbase + gbase, ..., numsbase + 15*gbase). */ - precj[j*16] = numsbase; - for (i = 1; i < 16; i++) { - rustsecp256k1_v0_1_1_gej_add_var(&precj[j*16 + i], &precj[j*16 + i - 1], &gbase, NULL); + for (j = 0; j < ECMULT_GEN_PREC_N; j++) { + /* Set precj[j*PREC_G .. j*PREC_G+(PREC_G-1)] to (numsbase, numsbase + gbase, ..., numsbase + (PREC_G-1)*gbase). */ + precj[j*ECMULT_GEN_PREC_G] = numsbase; + for (i = 1; i < ECMULT_GEN_PREC_G; i++) { + rustsecp256k1_v0_1_2_gej_add_var(&precj[j*ECMULT_GEN_PREC_G + i], &precj[j*ECMULT_GEN_PREC_G + i - 1], &gbase, NULL); } - /* Multiply gbase by 16. */ - for (i = 0; i < 4; i++) { - rustsecp256k1_v0_1_1_gej_double_var(&gbase, &gbase, NULL); + /* Multiply gbase by PREC_G. */ + for (i = 0; i < ECMULT_GEN_PREC_B; i++) { + rustsecp256k1_v0_1_2_gej_double_var(&gbase, &gbase, NULL); } /* Multiply numbase by 2. */ - rustsecp256k1_v0_1_1_gej_double_var(&numsbase, &numsbase, NULL); - if (j == 62) { + rustsecp256k1_v0_1_2_gej_double_var(&numsbase, &numsbase, NULL); + if (j == ECMULT_GEN_PREC_N - 2) { /* In the last iteration, numsbase is (1 - 2^j) * nums instead. */ - rustsecp256k1_v0_1_1_gej_neg(&numsbase, &numsbase); - rustsecp256k1_v0_1_1_gej_add_var(&numsbase, &numsbase, &nums_gej, NULL); + rustsecp256k1_v0_1_2_gej_neg(&numsbase, &numsbase); + rustsecp256k1_v0_1_2_gej_add_var(&numsbase, &numsbase, &nums_gej, NULL); } } - rustsecp256k1_v0_1_1_ge_set_all_gej_var(prec, precj, 1024); + rustsecp256k1_v0_1_2_ge_set_all_gej_var(prec, precj, ECMULT_GEN_PREC_N * ECMULT_GEN_PREC_G); } - for (j = 0; j < 64; j++) { - for (i = 0; i < 16; i++) { - rustsecp256k1_v0_1_1_ge_to_storage(&(*ctx->prec)[j][i], &prec[j*16 + i]); + for (j = 0; j < ECMULT_GEN_PREC_N; j++) { + for (i = 0; i < ECMULT_GEN_PREC_G; i++) { + rustsecp256k1_v0_1_2_ge_to_storage(&(*ctx->prec)[j][i], &prec[j*ECMULT_GEN_PREC_G + i]); } } #else (void)prealloc; - ctx->prec = (rustsecp256k1_v0_1_1_ge_storage (*)[64][16])rustsecp256k1_v0_1_1_ecmult_static_context; + ctx->prec = (rustsecp256k1_v0_1_2_ge_storage (*)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G])rustsecp256k1_v0_1_2_ecmult_static_context; #endif - rustsecp256k1_v0_1_1_ecmult_gen_blind(ctx, NULL); + rustsecp256k1_v0_1_2_ecmult_gen_blind(ctx, NULL); } -static int rustsecp256k1_v0_1_1_ecmult_gen_context_is_built(const rustsecp256k1_v0_1_1_ecmult_gen_context* ctx) { +static int rustsecp256k1_v0_1_2_ecmult_gen_context_is_built(const rustsecp256k1_v0_1_2_ecmult_gen_context* ctx) { return ctx->prec != NULL; } -static void rustsecp256k1_v0_1_1_ecmult_gen_context_finalize_memcpy(rustsecp256k1_v0_1_1_ecmult_gen_context *dst, const rustsecp256k1_v0_1_1_ecmult_gen_context *src) { +static void rustsecp256k1_v0_1_2_ecmult_gen_context_finalize_memcpy(rustsecp256k1_v0_1_2_ecmult_gen_context *dst, const rustsecp256k1_v0_1_2_ecmult_gen_context *src) { #ifndef USE_ECMULT_STATIC_PRECOMPUTATION if (src->prec != NULL) { /* We cast to void* first to suppress a -Wcast-align warning. */ - dst->prec = (rustsecp256k1_v0_1_1_ge_storage (*)[64][16])(void*)((unsigned char*)dst + ((unsigned char*)src->prec - (unsigned char*)src)); + dst->prec = (rustsecp256k1_v0_1_2_ge_storage (*)[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G])(void*)((unsigned char*)dst + ((unsigned char*)src->prec - (unsigned char*)src)); } #else (void)dst, (void)src; #endif } -static void rustsecp256k1_v0_1_1_ecmult_gen_context_clear(rustsecp256k1_v0_1_1_ecmult_gen_context *ctx) { - rustsecp256k1_v0_1_1_scalar_clear(&ctx->blind); - rustsecp256k1_v0_1_1_gej_clear(&ctx->initial); +static void rustsecp256k1_v0_1_2_ecmult_gen_context_clear(rustsecp256k1_v0_1_2_ecmult_gen_context *ctx) { + rustsecp256k1_v0_1_2_scalar_clear(&ctx->blind); + rustsecp256k1_v0_1_2_gej_clear(&ctx->initial); ctx->prec = NULL; } -static void rustsecp256k1_v0_1_1_ecmult_gen(const rustsecp256k1_v0_1_1_ecmult_gen_context *ctx, rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_scalar *gn) { - rustsecp256k1_v0_1_1_ge add; - rustsecp256k1_v0_1_1_ge_storage adds; - rustsecp256k1_v0_1_1_scalar gnb; +static void rustsecp256k1_v0_1_2_ecmult_gen(const rustsecp256k1_v0_1_2_ecmult_gen_context *ctx, rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_scalar *gn) { + rustsecp256k1_v0_1_2_ge add; + rustsecp256k1_v0_1_2_ge_storage adds; + rustsecp256k1_v0_1_2_scalar gnb; int bits; int i, j; memset(&adds, 0, sizeof(adds)); *r = ctx->initial; /* Blind scalar/point multiplication by computing (n-b)G + bG instead of nG. */ - rustsecp256k1_v0_1_1_scalar_add(&gnb, gn, &ctx->blind); + rustsecp256k1_v0_1_2_scalar_add(&gnb, gn, &ctx->blind); add.infinity = 0; - for (j = 0; j < 64; j++) { - bits = rustsecp256k1_v0_1_1_scalar_get_bits(&gnb, j * 4, 4); - for (i = 0; i < 16; i++) { + for (j = 0; j < ECMULT_GEN_PREC_N; j++) { + bits = rustsecp256k1_v0_1_2_scalar_get_bits(&gnb, j * ECMULT_GEN_PREC_B, ECMULT_GEN_PREC_B); + for (i = 0; i < ECMULT_GEN_PREC_G; i++) { /** This uses a conditional move to avoid any secret data in array indexes. * _Any_ use of secret indexes has been demonstrated to result in timing * sidechannels, even when the cache-line access patterns are uniform. @@ -146,33 +146,33 @@ static void rustsecp256k1_v0_1_1_ecmult_gen(const rustsecp256k1_v0_1_1_ecmult_ge * by Dag Arne Osvik, Adi Shamir, and Eran Tromer * (http://www.tau.ac.il/~tromer/papers/cache.pdf) */ - rustsecp256k1_v0_1_1_ge_storage_cmov(&adds, &(*ctx->prec)[j][i], i == bits); + rustsecp256k1_v0_1_2_ge_storage_cmov(&adds, &(*ctx->prec)[j][i], i == bits); } - rustsecp256k1_v0_1_1_ge_from_storage(&add, &adds); - rustsecp256k1_v0_1_1_gej_add_ge(r, r, &add); + rustsecp256k1_v0_1_2_ge_from_storage(&add, &adds); + rustsecp256k1_v0_1_2_gej_add_ge(r, r, &add); } bits = 0; - rustsecp256k1_v0_1_1_ge_clear(&add); - rustsecp256k1_v0_1_1_scalar_clear(&gnb); + rustsecp256k1_v0_1_2_ge_clear(&add); + rustsecp256k1_v0_1_2_scalar_clear(&gnb); } -/* Setup blinding values for rustsecp256k1_v0_1_1_ecmult_gen. */ -static void rustsecp256k1_v0_1_1_ecmult_gen_blind(rustsecp256k1_v0_1_1_ecmult_gen_context *ctx, const unsigned char *seed32) { - rustsecp256k1_v0_1_1_scalar b; - rustsecp256k1_v0_1_1_gej gb; - rustsecp256k1_v0_1_1_fe s; +/* Setup blinding values for rustsecp256k1_v0_1_2_ecmult_gen. */ +static void rustsecp256k1_v0_1_2_ecmult_gen_blind(rustsecp256k1_v0_1_2_ecmult_gen_context *ctx, const unsigned char *seed32) { + rustsecp256k1_v0_1_2_scalar b; + rustsecp256k1_v0_1_2_gej gb; + rustsecp256k1_v0_1_2_fe s; unsigned char nonce32[32]; - rustsecp256k1_v0_1_1_rfc6979_hmac_sha256 rng; - int retry; + rustsecp256k1_v0_1_2_rfc6979_hmac_sha256 rng; + int overflow; unsigned char keydata[64] = {0}; if (seed32 == NULL) { /* When seed is NULL, reset the initial point and blinding value. */ - rustsecp256k1_v0_1_1_gej_set_ge(&ctx->initial, &rustsecp256k1_v0_1_1_ge_const_g); - rustsecp256k1_v0_1_1_gej_neg(&ctx->initial, &ctx->initial); - rustsecp256k1_v0_1_1_scalar_set_int(&ctx->blind, 1); + rustsecp256k1_v0_1_2_gej_set_ge(&ctx->initial, &rustsecp256k1_v0_1_2_ge_const_g); + rustsecp256k1_v0_1_2_gej_neg(&ctx->initial, &ctx->initial); + rustsecp256k1_v0_1_2_scalar_set_int(&ctx->blind, 1); } /* The prior blinding value (if not reset) is chained forward by including it in the hash. */ - rustsecp256k1_v0_1_1_scalar_get_b32(nonce32, &ctx->blind); + rustsecp256k1_v0_1_2_scalar_get_b32(nonce32, &ctx->blind); /** Using a CSPRNG allows a failure free interface, avoids needing large amounts of random data, * and guards against weak or adversarial seeds. This is a simpler and safer interface than * asking the caller for blinding values directly and expecting them to retry on failure. @@ -181,31 +181,28 @@ static void rustsecp256k1_v0_1_1_ecmult_gen_blind(rustsecp256k1_v0_1_1_ecmult_ge if (seed32 != NULL) { memcpy(keydata + 32, seed32, 32); } - rustsecp256k1_v0_1_1_rfc6979_hmac_sha256_initialize(&rng, keydata, seed32 ? 64 : 32); + rustsecp256k1_v0_1_2_rfc6979_hmac_sha256_initialize(&rng, keydata, seed32 ? 64 : 32); memset(keydata, 0, sizeof(keydata)); - /* Retry for out of range results to achieve uniformity. */ - do { - rustsecp256k1_v0_1_1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32); - retry = !rustsecp256k1_v0_1_1_fe_set_b32(&s, nonce32); - retry |= rustsecp256k1_v0_1_1_fe_is_zero(&s); - } while (retry); /* This branch true is cryptographically unreachable. Requires sha256_hmac output > Fp. */ + /* Accept unobservably small non-uniformity. */ + rustsecp256k1_v0_1_2_rfc6979_hmac_sha256_generate(&rng, nonce32, 32); + overflow = !rustsecp256k1_v0_1_2_fe_set_b32(&s, nonce32); + overflow |= rustsecp256k1_v0_1_2_fe_is_zero(&s); + rustsecp256k1_v0_1_2_fe_cmov(&s, &rustsecp256k1_v0_1_2_fe_one, overflow); /* Randomize the projection to defend against multiplier sidechannels. */ - rustsecp256k1_v0_1_1_gej_rescale(&ctx->initial, &s); - rustsecp256k1_v0_1_1_fe_clear(&s); - do { - rustsecp256k1_v0_1_1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32); - rustsecp256k1_v0_1_1_scalar_set_b32(&b, nonce32, &retry); - /* A blinding value of 0 works, but would undermine the projection hardening. */ - retry |= rustsecp256k1_v0_1_1_scalar_is_zero(&b); - } while (retry); /* This branch true is cryptographically unreachable. Requires sha256_hmac output > order. */ - rustsecp256k1_v0_1_1_rfc6979_hmac_sha256_finalize(&rng); + rustsecp256k1_v0_1_2_gej_rescale(&ctx->initial, &s); + rustsecp256k1_v0_1_2_fe_clear(&s); + rustsecp256k1_v0_1_2_rfc6979_hmac_sha256_generate(&rng, nonce32, 32); + rustsecp256k1_v0_1_2_scalar_set_b32(&b, nonce32, NULL); + /* A blinding value of 0 works, but would undermine the projection hardening. */ + rustsecp256k1_v0_1_2_scalar_cmov(&b, &rustsecp256k1_v0_1_2_scalar_one, rustsecp256k1_v0_1_2_scalar_is_zero(&b)); + rustsecp256k1_v0_1_2_rfc6979_hmac_sha256_finalize(&rng); memset(nonce32, 0, 32); - rustsecp256k1_v0_1_1_ecmult_gen(ctx, &gb, &b); - rustsecp256k1_v0_1_1_scalar_negate(&b, &b); + rustsecp256k1_v0_1_2_ecmult_gen(ctx, &gb, &b); + rustsecp256k1_v0_1_2_scalar_negate(&b, &b); ctx->blind = b; ctx->initial = gb; - rustsecp256k1_v0_1_1_scalar_clear(&b); - rustsecp256k1_v0_1_1_gej_clear(&gb); + rustsecp256k1_v0_1_2_scalar_clear(&b); + rustsecp256k1_v0_1_2_gej_clear(&gb); } #endif /* SECP256K1_ECMULT_GEN_IMPL_H */ diff --git a/secp256k1-sys/depend/secp256k1/src/ecmult_impl.h b/secp256k1-sys/depend/secp256k1/src/ecmult_impl.h index 36f0dd75e..fe3f2d17e 100644 --- a/secp256k1-sys/depend/secp256k1/src/ecmult_impl.h +++ b/secp256k1-sys/depend/secp256k1/src/ecmult_impl.h @@ -35,8 +35,8 @@ /** Larger values for ECMULT_WINDOW_SIZE result in possibly better * performance at the cost of an exponentially larger precomputed * table. The exact table size is - * (1 << (WINDOW_G - 2)) * sizeof(rustsecp256k1_v0_1_1_ge_storage) bytes, - * where sizeof(rustsecp256k1_v0_1_1_ge_storage) is typically 64 bytes but can + * (1 << (WINDOW_G - 2)) * sizeof(rustsecp256k1_v0_1_2_ge_storage) bytes, + * where sizeof(rustsecp256k1_v0_1_2_ge_storage) is typically 64 bytes but can * be larger due to platform-specific padding and alignment. * If the endomorphism optimization is enabled (USE_ENDOMORMPHSIM) * two tables of this size are used instead of only one. @@ -94,14 +94,14 @@ * contain prej[0].z / a.z. The other zr[i] values = prej[i].z / prej[i-1].z. * Prej's Z values are undefined, except for the last value. */ -static void rustsecp256k1_v0_1_1_ecmult_odd_multiples_table(int n, rustsecp256k1_v0_1_1_gej *prej, rustsecp256k1_v0_1_1_fe *zr, const rustsecp256k1_v0_1_1_gej *a) { - rustsecp256k1_v0_1_1_gej d; - rustsecp256k1_v0_1_1_ge a_ge, d_ge; +static void rustsecp256k1_v0_1_2_ecmult_odd_multiples_table(int n, rustsecp256k1_v0_1_2_gej *prej, rustsecp256k1_v0_1_2_fe *zr, const rustsecp256k1_v0_1_2_gej *a) { + rustsecp256k1_v0_1_2_gej d; + rustsecp256k1_v0_1_2_ge a_ge, d_ge; int i; VERIFY_CHECK(!a->infinity); - rustsecp256k1_v0_1_1_gej_double_var(&d, a, NULL); + rustsecp256k1_v0_1_2_gej_double_var(&d, a, NULL); /* * Perform the additions on an isomorphism where 'd' is affine: drop the z coordinate @@ -111,7 +111,7 @@ static void rustsecp256k1_v0_1_1_ecmult_odd_multiples_table(int n, rustsecp256k1 d_ge.y = d.y; d_ge.infinity = 0; - rustsecp256k1_v0_1_1_ge_set_gej_zinv(&a_ge, a, &d.z); + rustsecp256k1_v0_1_2_ge_set_gej_zinv(&a_ge, a, &d.z); prej[0].x = a_ge.x; prej[0].y = a_ge.y; prej[0].z = a->z; @@ -119,57 +119,57 @@ static void rustsecp256k1_v0_1_1_ecmult_odd_multiples_table(int n, rustsecp256k1 zr[0] = d.z; for (i = 1; i < n; i++) { - rustsecp256k1_v0_1_1_gej_add_ge_var(&prej[i], &prej[i-1], &d_ge, &zr[i]); + rustsecp256k1_v0_1_2_gej_add_ge_var(&prej[i], &prej[i-1], &d_ge, &zr[i]); } /* * Each point in 'prej' has a z coordinate too small by a factor of 'd.z'. Only * the final point's z coordinate is actually used though, so just update that. */ - rustsecp256k1_v0_1_1_fe_mul(&prej[n-1].z, &prej[n-1].z, &d.z); + rustsecp256k1_v0_1_2_fe_mul(&prej[n-1].z, &prej[n-1].z, &d.z); } /** Fill a table 'pre' with precomputed odd multiples of a. * * There are two versions of this function: - * - rustsecp256k1_v0_1_1_ecmult_odd_multiples_table_globalz_windowa which brings its + * - rustsecp256k1_v0_1_2_ecmult_odd_multiples_table_globalz_windowa which brings its * resulting point set to a single constant Z denominator, stores the X and Y * coordinates as ge_storage points in pre, and stores the global Z in rz. * It only operates on tables sized for WINDOW_A wnaf multiples. - * - rustsecp256k1_v0_1_1_ecmult_odd_multiples_table_storage_var, which converts its + * - rustsecp256k1_v0_1_2_ecmult_odd_multiples_table_storage_var, which converts its * resulting point set to actually affine points, and stores those in pre. - * It operates on tables of any size, but uses heap-allocated temporaries. + * It operates on tables of any size. * * To compute a*P + b*G, we compute a table for P using the first function, * and for G using the second (which requires an inverse, but it only needs to * happen once). */ -static void rustsecp256k1_v0_1_1_ecmult_odd_multiples_table_globalz_windowa(rustsecp256k1_v0_1_1_ge *pre, rustsecp256k1_v0_1_1_fe *globalz, const rustsecp256k1_v0_1_1_gej *a) { - rustsecp256k1_v0_1_1_gej prej[ECMULT_TABLE_SIZE(WINDOW_A)]; - rustsecp256k1_v0_1_1_fe zr[ECMULT_TABLE_SIZE(WINDOW_A)]; +static void rustsecp256k1_v0_1_2_ecmult_odd_multiples_table_globalz_windowa(rustsecp256k1_v0_1_2_ge *pre, rustsecp256k1_v0_1_2_fe *globalz, const rustsecp256k1_v0_1_2_gej *a) { + rustsecp256k1_v0_1_2_gej prej[ECMULT_TABLE_SIZE(WINDOW_A)]; + rustsecp256k1_v0_1_2_fe zr[ECMULT_TABLE_SIZE(WINDOW_A)]; /* Compute the odd multiples in Jacobian form. */ - rustsecp256k1_v0_1_1_ecmult_odd_multiples_table(ECMULT_TABLE_SIZE(WINDOW_A), prej, zr, a); + rustsecp256k1_v0_1_2_ecmult_odd_multiples_table(ECMULT_TABLE_SIZE(WINDOW_A), prej, zr, a); /* Bring them to the same Z denominator. */ - rustsecp256k1_v0_1_1_ge_globalz_set_table_gej(ECMULT_TABLE_SIZE(WINDOW_A), pre, globalz, prej, zr); + rustsecp256k1_v0_1_2_ge_globalz_set_table_gej(ECMULT_TABLE_SIZE(WINDOW_A), pre, globalz, prej, zr); } -static void rustsecp256k1_v0_1_1_ecmult_odd_multiples_table_storage_var(const int n, rustsecp256k1_v0_1_1_ge_storage *pre, const rustsecp256k1_v0_1_1_gej *a) { - rustsecp256k1_v0_1_1_gej d; - rustsecp256k1_v0_1_1_ge d_ge, p_ge; - rustsecp256k1_v0_1_1_gej pj; - rustsecp256k1_v0_1_1_fe zi; - rustsecp256k1_v0_1_1_fe zr; - rustsecp256k1_v0_1_1_fe dx_over_dz_squared; +static void rustsecp256k1_v0_1_2_ecmult_odd_multiples_table_storage_var(const int n, rustsecp256k1_v0_1_2_ge_storage *pre, const rustsecp256k1_v0_1_2_gej *a) { + rustsecp256k1_v0_1_2_gej d; + rustsecp256k1_v0_1_2_ge d_ge, p_ge; + rustsecp256k1_v0_1_2_gej pj; + rustsecp256k1_v0_1_2_fe zi; + rustsecp256k1_v0_1_2_fe zr; + rustsecp256k1_v0_1_2_fe dx_over_dz_squared; int i; VERIFY_CHECK(!a->infinity); - rustsecp256k1_v0_1_1_gej_double_var(&d, a, NULL); + rustsecp256k1_v0_1_2_gej_double_var(&d, a, NULL); /* First, we perform all the additions in an isomorphic curve obtained by multiplying * all `z` coordinates by 1/`d.z`. In these coordinates `d` is affine so we can use - * `rustsecp256k1_v0_1_1_gej_add_ge_var` to perform the additions. For each addition, we store + * `rustsecp256k1_v0_1_2_gej_add_ge_var` to perform the additions. For each addition, we store * the resulting y-coordinate and the z-ratio, since we only have enough memory to * store two field elements. These are sufficient to efficiently undo the isomorphism * and recompute all the `x`s. @@ -178,34 +178,34 @@ static void rustsecp256k1_v0_1_1_ecmult_odd_multiples_table_storage_var(const in d_ge.y = d.y; d_ge.infinity = 0; - rustsecp256k1_v0_1_1_ge_set_gej_zinv(&p_ge, a, &d.z); + rustsecp256k1_v0_1_2_ge_set_gej_zinv(&p_ge, a, &d.z); pj.x = p_ge.x; pj.y = p_ge.y; pj.z = a->z; pj.infinity = 0; for (i = 0; i < (n - 1); i++) { - rustsecp256k1_v0_1_1_fe_normalize_var(&pj.y); - rustsecp256k1_v0_1_1_fe_to_storage(&pre[i].y, &pj.y); - rustsecp256k1_v0_1_1_gej_add_ge_var(&pj, &pj, &d_ge, &zr); - rustsecp256k1_v0_1_1_fe_normalize_var(&zr); - rustsecp256k1_v0_1_1_fe_to_storage(&pre[i].x, &zr); + rustsecp256k1_v0_1_2_fe_normalize_var(&pj.y); + rustsecp256k1_v0_1_2_fe_to_storage(&pre[i].y, &pj.y); + rustsecp256k1_v0_1_2_gej_add_ge_var(&pj, &pj, &d_ge, &zr); + rustsecp256k1_v0_1_2_fe_normalize_var(&zr); + rustsecp256k1_v0_1_2_fe_to_storage(&pre[i].x, &zr); } /* Invert d.z in the same batch, preserving pj.z so we can extract 1/d.z */ - rustsecp256k1_v0_1_1_fe_mul(&zi, &pj.z, &d.z); - rustsecp256k1_v0_1_1_fe_inv_var(&zi, &zi); + rustsecp256k1_v0_1_2_fe_mul(&zi, &pj.z, &d.z); + rustsecp256k1_v0_1_2_fe_inv_var(&zi, &zi); /* Directly set `pre[n - 1]` to `pj`, saving the inverted z-coordinate so * that we can combine it with the saved z-ratios to compute the other zs * without any more inversions. */ - rustsecp256k1_v0_1_1_ge_set_gej_zinv(&p_ge, &pj, &zi); - rustsecp256k1_v0_1_1_ge_to_storage(&pre[n - 1], &p_ge); + rustsecp256k1_v0_1_2_ge_set_gej_zinv(&p_ge, &pj, &zi); + rustsecp256k1_v0_1_2_ge_to_storage(&pre[n - 1], &p_ge); /* Compute the actual x-coordinate of D, which will be needed below. */ - rustsecp256k1_v0_1_1_fe_mul(&d.z, &zi, &pj.z); /* d.z = 1/d.z */ - rustsecp256k1_v0_1_1_fe_sqr(&dx_over_dz_squared, &d.z); - rustsecp256k1_v0_1_1_fe_mul(&dx_over_dz_squared, &dx_over_dz_squared, &d.x); + rustsecp256k1_v0_1_2_fe_mul(&d.z, &zi, &pj.z); /* d.z = 1/d.z */ + rustsecp256k1_v0_1_2_fe_sqr(&dx_over_dz_squared, &d.z); + rustsecp256k1_v0_1_2_fe_mul(&dx_over_dz_squared, &dx_over_dz_squared, &d.x); /* Going into the second loop, we have set `pre[n-1]` to its final affine * form, but still need to set `pre[i]` for `i` in 0 through `n-2`. We @@ -229,21 +229,21 @@ static void rustsecp256k1_v0_1_1_ecmult_odd_multiples_table_storage_var(const in */ i = n - 1; while (i > 0) { - rustsecp256k1_v0_1_1_fe zi2, zi3; - const rustsecp256k1_v0_1_1_fe *rzr; + rustsecp256k1_v0_1_2_fe zi2, zi3; + const rustsecp256k1_v0_1_2_fe *rzr; i--; - rustsecp256k1_v0_1_1_ge_from_storage(&p_ge, &pre[i]); + rustsecp256k1_v0_1_2_ge_from_storage(&p_ge, &pre[i]); /* For each remaining point, we extract the z-ratio from the stored * x-coordinate, compute its z^-1 from that, and compute the full * point from that. */ rzr = &p_ge.x; - rustsecp256k1_v0_1_1_fe_mul(&zi, &zi, rzr); - rustsecp256k1_v0_1_1_fe_sqr(&zi2, &zi); - rustsecp256k1_v0_1_1_fe_mul(&zi3, &zi2, &zi); + rustsecp256k1_v0_1_2_fe_mul(&zi, &zi, rzr); + rustsecp256k1_v0_1_2_fe_sqr(&zi2, &zi); + rustsecp256k1_v0_1_2_fe_mul(&zi3, &zi2, &zi); /* To compute the actual x-coordinate, we use the stored z ratio and - * y-coordinate, which we obtained from `rustsecp256k1_v0_1_1_gej_add_ge_var` + * y-coordinate, which we obtained from `rustsecp256k1_v0_1_2_gej_add_ge_var` * in the loop above, as well as the inverse of the square of its * z-coordinate. We store the latter in the `zi2` variable, which is * computed iteratively starting from the overall Z inverse then @@ -275,13 +275,13 @@ static void rustsecp256k1_v0_1_1_ecmult_odd_multiples_table_storage_var(const in * X = d_x / d_z^2 - rzr / z^2 * = dx_over_dz_squared - rzr * zi2 */ - rustsecp256k1_v0_1_1_fe_mul(&p_ge.x, rzr, &zi2); - rustsecp256k1_v0_1_1_fe_negate(&p_ge.x, &p_ge.x, 1); - rustsecp256k1_v0_1_1_fe_add(&p_ge.x, &dx_over_dz_squared); + rustsecp256k1_v0_1_2_fe_mul(&p_ge.x, rzr, &zi2); + rustsecp256k1_v0_1_2_fe_negate(&p_ge.x, &p_ge.x, 1); + rustsecp256k1_v0_1_2_fe_add(&p_ge.x, &dx_over_dz_squared); /* y is stored_y/z^3, as we expect */ - rustsecp256k1_v0_1_1_fe_mul(&p_ge.y, &p_ge.y, &zi3); + rustsecp256k1_v0_1_2_fe_mul(&p_ge.y, &p_ge.y, &zi3); /* Store */ - rustsecp256k1_v0_1_1_ge_to_storage(&pre[i], &p_ge); + rustsecp256k1_v0_1_2_ge_to_storage(&pre[i], &p_ge); } } @@ -295,7 +295,7 @@ static void rustsecp256k1_v0_1_1_ecmult_odd_multiples_table_storage_var(const in *(r) = (pre)[((n)-1)/2]; \ } else { \ *(r) = (pre)[(-(n)-1)/2]; \ - rustsecp256k1_v0_1_1_fe_negate(&((r)->y), &((r)->y), 1); \ + rustsecp256k1_v0_1_2_fe_negate(&((r)->y), &((r)->y), 1); \ } \ } while(0) @@ -304,29 +304,29 @@ static void rustsecp256k1_v0_1_1_ecmult_odd_multiples_table_storage_var(const in VERIFY_CHECK((n) >= -((1 << ((w)-1)) - 1)); \ VERIFY_CHECK((n) <= ((1 << ((w)-1)) - 1)); \ if ((n) > 0) { \ - rustsecp256k1_v0_1_1_ge_from_storage((r), &(pre)[((n)-1)/2]); \ + rustsecp256k1_v0_1_2_ge_from_storage((r), &(pre)[((n)-1)/2]); \ } else { \ - rustsecp256k1_v0_1_1_ge_from_storage((r), &(pre)[(-(n)-1)/2]); \ - rustsecp256k1_v0_1_1_fe_negate(&((r)->y), &((r)->y), 1); \ + rustsecp256k1_v0_1_2_ge_from_storage((r), &(pre)[(-(n)-1)/2]); \ + rustsecp256k1_v0_1_2_fe_negate(&((r)->y), &((r)->y), 1); \ } \ } while(0) static const size_t SECP256K1_ECMULT_CONTEXT_PREALLOCATED_SIZE = - ROUND_TO_ALIGN(sizeof((*((rustsecp256k1_v0_1_1_ecmult_context*) NULL)->pre_g)[0]) * ECMULT_TABLE_SIZE(WINDOW_G)) + ROUND_TO_ALIGN(sizeof((*((rustsecp256k1_v0_1_2_ecmult_context*) NULL)->pre_g)[0]) * ECMULT_TABLE_SIZE(WINDOW_G)) #ifdef USE_ENDOMORPHISM - + ROUND_TO_ALIGN(sizeof((*((rustsecp256k1_v0_1_1_ecmult_context*) NULL)->pre_g_128)[0]) * ECMULT_TABLE_SIZE(WINDOW_G)) + + ROUND_TO_ALIGN(sizeof((*((rustsecp256k1_v0_1_2_ecmult_context*) NULL)->pre_g_128)[0]) * ECMULT_TABLE_SIZE(WINDOW_G)) #endif ; -static void rustsecp256k1_v0_1_1_ecmult_context_init(rustsecp256k1_v0_1_1_ecmult_context *ctx) { +static void rustsecp256k1_v0_1_2_ecmult_context_init(rustsecp256k1_v0_1_2_ecmult_context *ctx) { ctx->pre_g = NULL; #ifdef USE_ENDOMORPHISM ctx->pre_g_128 = NULL; #endif } -static void rustsecp256k1_v0_1_1_ecmult_context_build(rustsecp256k1_v0_1_1_ecmult_context *ctx, void **prealloc) { - rustsecp256k1_v0_1_1_gej gj; +static void rustsecp256k1_v0_1_2_ecmult_context_build(rustsecp256k1_v0_1_2_ecmult_context *ctx, void **prealloc) { + rustsecp256k1_v0_1_2_gej gj; void* const base = *prealloc; size_t const prealloc_size = SECP256K1_ECMULT_CONTEXT_PREALLOCATED_SIZE; @@ -335,56 +335,56 @@ static void rustsecp256k1_v0_1_1_ecmult_context_build(rustsecp256k1_v0_1_1_ecmul } /* get the generator */ - rustsecp256k1_v0_1_1_gej_set_ge(&gj, &rustsecp256k1_v0_1_1_ge_const_g); + rustsecp256k1_v0_1_2_gej_set_ge(&gj, &rustsecp256k1_v0_1_2_ge_const_g); { size_t size = sizeof((*ctx->pre_g)[0]) * ((size_t)ECMULT_TABLE_SIZE(WINDOW_G)); /* check for overflow */ VERIFY_CHECK(size / sizeof((*ctx->pre_g)[0]) == ((size_t)ECMULT_TABLE_SIZE(WINDOW_G))); - ctx->pre_g = (rustsecp256k1_v0_1_1_ge_storage (*)[])manual_alloc(prealloc, sizeof((*ctx->pre_g)[0]) * ECMULT_TABLE_SIZE(WINDOW_G), base, prealloc_size); + ctx->pre_g = (rustsecp256k1_v0_1_2_ge_storage (*)[])manual_alloc(prealloc, sizeof((*ctx->pre_g)[0]) * ECMULT_TABLE_SIZE(WINDOW_G), base, prealloc_size); } /* precompute the tables with odd multiples */ - rustsecp256k1_v0_1_1_ecmult_odd_multiples_table_storage_var(ECMULT_TABLE_SIZE(WINDOW_G), *ctx->pre_g, &gj); + rustsecp256k1_v0_1_2_ecmult_odd_multiples_table_storage_var(ECMULT_TABLE_SIZE(WINDOW_G), *ctx->pre_g, &gj); #ifdef USE_ENDOMORPHISM { - rustsecp256k1_v0_1_1_gej g_128j; + rustsecp256k1_v0_1_2_gej g_128j; int i; size_t size = sizeof((*ctx->pre_g_128)[0]) * ((size_t) ECMULT_TABLE_SIZE(WINDOW_G)); /* check for overflow */ VERIFY_CHECK(size / sizeof((*ctx->pre_g_128)[0]) == ((size_t)ECMULT_TABLE_SIZE(WINDOW_G))); - ctx->pre_g_128 = (rustsecp256k1_v0_1_1_ge_storage (*)[])manual_alloc(prealloc, sizeof((*ctx->pre_g_128)[0]) * ECMULT_TABLE_SIZE(WINDOW_G), base, prealloc_size); + ctx->pre_g_128 = (rustsecp256k1_v0_1_2_ge_storage (*)[])manual_alloc(prealloc, sizeof((*ctx->pre_g_128)[0]) * ECMULT_TABLE_SIZE(WINDOW_G), base, prealloc_size); /* calculate 2^128*generator */ g_128j = gj; for (i = 0; i < 128; i++) { - rustsecp256k1_v0_1_1_gej_double_var(&g_128j, &g_128j, NULL); + rustsecp256k1_v0_1_2_gej_double_var(&g_128j, &g_128j, NULL); } - rustsecp256k1_v0_1_1_ecmult_odd_multiples_table_storage_var(ECMULT_TABLE_SIZE(WINDOW_G), *ctx->pre_g_128, &g_128j); + rustsecp256k1_v0_1_2_ecmult_odd_multiples_table_storage_var(ECMULT_TABLE_SIZE(WINDOW_G), *ctx->pre_g_128, &g_128j); } #endif } -static void rustsecp256k1_v0_1_1_ecmult_context_finalize_memcpy(rustsecp256k1_v0_1_1_ecmult_context *dst, const rustsecp256k1_v0_1_1_ecmult_context *src) { +static void rustsecp256k1_v0_1_2_ecmult_context_finalize_memcpy(rustsecp256k1_v0_1_2_ecmult_context *dst, const rustsecp256k1_v0_1_2_ecmult_context *src) { if (src->pre_g != NULL) { /* We cast to void* first to suppress a -Wcast-align warning. */ - dst->pre_g = (rustsecp256k1_v0_1_1_ge_storage (*)[])(void*)((unsigned char*)dst + ((unsigned char*)(src->pre_g) - (unsigned char*)src)); + dst->pre_g = (rustsecp256k1_v0_1_2_ge_storage (*)[])(void*)((unsigned char*)dst + ((unsigned char*)(src->pre_g) - (unsigned char*)src)); } #ifdef USE_ENDOMORPHISM if (src->pre_g_128 != NULL) { - dst->pre_g_128 = (rustsecp256k1_v0_1_1_ge_storage (*)[])(void*)((unsigned char*)dst + ((unsigned char*)(src->pre_g_128) - (unsigned char*)src)); + dst->pre_g_128 = (rustsecp256k1_v0_1_2_ge_storage (*)[])(void*)((unsigned char*)dst + ((unsigned char*)(src->pre_g_128) - (unsigned char*)src)); } #endif } -static int rustsecp256k1_v0_1_1_ecmult_context_is_built(const rustsecp256k1_v0_1_1_ecmult_context *ctx) { +static int rustsecp256k1_v0_1_2_ecmult_context_is_built(const rustsecp256k1_v0_1_2_ecmult_context *ctx) { return ctx->pre_g != NULL; } -static void rustsecp256k1_v0_1_1_ecmult_context_clear(rustsecp256k1_v0_1_1_ecmult_context *ctx) { - rustsecp256k1_v0_1_1_ecmult_context_init(ctx); +static void rustsecp256k1_v0_1_2_ecmult_context_clear(rustsecp256k1_v0_1_2_ecmult_context *ctx) { + rustsecp256k1_v0_1_2_ecmult_context_init(ctx); } /** Convert a number to WNAF notation. The number becomes represented by sum(2^i * wnaf[i], i=0..bits), @@ -394,8 +394,8 @@ static void rustsecp256k1_v0_1_1_ecmult_context_clear(rustsecp256k1_v0_1_1_ecmul * - the number of set values in wnaf is returned. This number is at most 256, and at most one more * than the number of bits in the (absolute value) of the input. */ -static int rustsecp256k1_v0_1_1_ecmult_wnaf(int *wnaf, int len, const rustsecp256k1_v0_1_1_scalar *a, int w) { - rustsecp256k1_v0_1_1_scalar s = *a; +static int rustsecp256k1_v0_1_2_ecmult_wnaf(int *wnaf, int len, const rustsecp256k1_v0_1_2_scalar *a, int w) { + rustsecp256k1_v0_1_2_scalar s; int last_set_bit = -1; int bit = 0; int sign = 1; @@ -408,15 +408,16 @@ static int rustsecp256k1_v0_1_1_ecmult_wnaf(int *wnaf, int len, const rustsecp25 memset(wnaf, 0, len * sizeof(wnaf[0])); - if (rustsecp256k1_v0_1_1_scalar_get_bits(&s, 255, 1)) { - rustsecp256k1_v0_1_1_scalar_negate(&s, &s); + s = *a; + if (rustsecp256k1_v0_1_2_scalar_get_bits(&s, 255, 1)) { + rustsecp256k1_v0_1_2_scalar_negate(&s, &s); sign = -1; } while (bit < len) { int now; int word; - if (rustsecp256k1_v0_1_1_scalar_get_bits(&s, bit, 1) == (unsigned int)carry) { + if (rustsecp256k1_v0_1_2_scalar_get_bits(&s, bit, 1) == (unsigned int)carry) { bit++; continue; } @@ -426,7 +427,7 @@ static int rustsecp256k1_v0_1_1_ecmult_wnaf(int *wnaf, int len, const rustsecp25 now = len - bit; } - word = rustsecp256k1_v0_1_1_scalar_get_bits_var(&s, bit, now) + carry; + word = rustsecp256k1_v0_1_2_scalar_get_bits_var(&s, bit, now) + carry; carry = (word >> (w-1)) & 1; word -= carry << w; @@ -439,15 +440,15 @@ static int rustsecp256k1_v0_1_1_ecmult_wnaf(int *wnaf, int len, const rustsecp25 #ifdef VERIFY CHECK(carry == 0); while (bit < 256) { - CHECK(rustsecp256k1_v0_1_1_scalar_get_bits(&s, bit++, 1) == 0); + CHECK(rustsecp256k1_v0_1_2_scalar_get_bits(&s, bit++, 1) == 0); } #endif return last_set_bit + 1; } -struct rustsecp256k1_v0_1_1_strauss_point_state { +struct rustsecp256k1_v0_1_2_strauss_point_state { #ifdef USE_ENDOMORPHISM - rustsecp256k1_v0_1_1_scalar na_1, na_lam; + rustsecp256k1_v0_1_2_scalar na_1, na_lam; int wnaf_na_1[130]; int wnaf_na_lam[130]; int bits_na_1; @@ -459,22 +460,22 @@ struct rustsecp256k1_v0_1_1_strauss_point_state { size_t input_pos; }; -struct rustsecp256k1_v0_1_1_strauss_state { - rustsecp256k1_v0_1_1_gej* prej; - rustsecp256k1_v0_1_1_fe* zr; - rustsecp256k1_v0_1_1_ge* pre_a; +struct rustsecp256k1_v0_1_2_strauss_state { + rustsecp256k1_v0_1_2_gej* prej; + rustsecp256k1_v0_1_2_fe* zr; + rustsecp256k1_v0_1_2_ge* pre_a; #ifdef USE_ENDOMORPHISM - rustsecp256k1_v0_1_1_ge* pre_a_lam; + rustsecp256k1_v0_1_2_ge* pre_a_lam; #endif - struct rustsecp256k1_v0_1_1_strauss_point_state* ps; + struct rustsecp256k1_v0_1_2_strauss_point_state* ps; }; -static void rustsecp256k1_v0_1_1_ecmult_strauss_wnaf(const rustsecp256k1_v0_1_1_ecmult_context *ctx, const struct rustsecp256k1_v0_1_1_strauss_state *state, rustsecp256k1_v0_1_1_gej *r, int num, const rustsecp256k1_v0_1_1_gej *a, const rustsecp256k1_v0_1_1_scalar *na, const rustsecp256k1_v0_1_1_scalar *ng) { - rustsecp256k1_v0_1_1_ge tmpa; - rustsecp256k1_v0_1_1_fe Z; +static void rustsecp256k1_v0_1_2_ecmult_strauss_wnaf(const rustsecp256k1_v0_1_2_ecmult_context *ctx, const struct rustsecp256k1_v0_1_2_strauss_state *state, rustsecp256k1_v0_1_2_gej *r, int num, const rustsecp256k1_v0_1_2_gej *a, const rustsecp256k1_v0_1_2_scalar *na, const rustsecp256k1_v0_1_2_scalar *ng) { + rustsecp256k1_v0_1_2_ge tmpa; + rustsecp256k1_v0_1_2_fe Z; #ifdef USE_ENDOMORPHISM /* Splitted G factors. */ - rustsecp256k1_v0_1_1_scalar ng_1, ng_128; + rustsecp256k1_v0_1_2_scalar ng_1, ng_128; int wnaf_ng_1[129]; int bits_ng_1 = 0; int wnaf_ng_128[129]; @@ -489,17 +490,17 @@ static void rustsecp256k1_v0_1_1_ecmult_strauss_wnaf(const rustsecp256k1_v0_1_1_ int no = 0; for (np = 0; np < num; ++np) { - if (rustsecp256k1_v0_1_1_scalar_is_zero(&na[np]) || rustsecp256k1_v0_1_1_gej_is_infinity(&a[np])) { + if (rustsecp256k1_v0_1_2_scalar_is_zero(&na[np]) || rustsecp256k1_v0_1_2_gej_is_infinity(&a[np])) { continue; } state->ps[no].input_pos = np; #ifdef USE_ENDOMORPHISM /* split na into na_1 and na_lam (where na = na_1 + na_lam*lambda, and na_1 and na_lam are ~128 bit) */ - rustsecp256k1_v0_1_1_scalar_split_lambda(&state->ps[no].na_1, &state->ps[no].na_lam, &na[np]); + rustsecp256k1_v0_1_2_scalar_split_lambda(&state->ps[no].na_1, &state->ps[no].na_lam, &na[np]); /* build wnaf representation for na_1 and na_lam. */ - state->ps[no].bits_na_1 = rustsecp256k1_v0_1_1_ecmult_wnaf(state->ps[no].wnaf_na_1, 130, &state->ps[no].na_1, WINDOW_A); - state->ps[no].bits_na_lam = rustsecp256k1_v0_1_1_ecmult_wnaf(state->ps[no].wnaf_na_lam, 130, &state->ps[no].na_lam, WINDOW_A); + state->ps[no].bits_na_1 = rustsecp256k1_v0_1_2_ecmult_wnaf(state->ps[no].wnaf_na_1, 130, &state->ps[no].na_1, WINDOW_A); + state->ps[no].bits_na_lam = rustsecp256k1_v0_1_2_ecmult_wnaf(state->ps[no].wnaf_na_lam, 130, &state->ps[no].na_lam, WINDOW_A); VERIFY_CHECK(state->ps[no].bits_na_1 <= 130); VERIFY_CHECK(state->ps[no].bits_na_lam <= 130); if (state->ps[no].bits_na_1 > bits) { @@ -510,7 +511,7 @@ static void rustsecp256k1_v0_1_1_ecmult_strauss_wnaf(const rustsecp256k1_v0_1_1_ } #else /* build wnaf representation for na. */ - state->ps[no].bits_na = rustsecp256k1_v0_1_1_ecmult_wnaf(state->ps[no].wnaf_na, 256, &na[np], WINDOW_A); + state->ps[no].bits_na = rustsecp256k1_v0_1_2_ecmult_wnaf(state->ps[no].wnaf_na, 256, &na[np], WINDOW_A); if (state->ps[no].bits_na > bits) { bits = state->ps[no].bits_na; } @@ -525,41 +526,41 @@ static void rustsecp256k1_v0_1_1_ecmult_strauss_wnaf(const rustsecp256k1_v0_1_1_ * the Z coordinate of the result once at the end. * The exception is the precomputed G table points, which are actually * affine. Compared to the base used for other points, they have a Z ratio - * of 1/Z, so we can use rustsecp256k1_v0_1_1_gej_add_zinv_var, which uses the same + * of 1/Z, so we can use rustsecp256k1_v0_1_2_gej_add_zinv_var, which uses the same * isomorphism to efficiently add with a known Z inverse. */ if (no > 0) { /* Compute the odd multiples in Jacobian form. */ - rustsecp256k1_v0_1_1_ecmult_odd_multiples_table(ECMULT_TABLE_SIZE(WINDOW_A), state->prej, state->zr, &a[state->ps[0].input_pos]); + rustsecp256k1_v0_1_2_ecmult_odd_multiples_table(ECMULT_TABLE_SIZE(WINDOW_A), state->prej, state->zr, &a[state->ps[0].input_pos]); for (np = 1; np < no; ++np) { - rustsecp256k1_v0_1_1_gej tmp = a[state->ps[np].input_pos]; + rustsecp256k1_v0_1_2_gej tmp = a[state->ps[np].input_pos]; #ifdef VERIFY - rustsecp256k1_v0_1_1_fe_normalize_var(&(state->prej[(np - 1) * ECMULT_TABLE_SIZE(WINDOW_A) + ECMULT_TABLE_SIZE(WINDOW_A) - 1].z)); + rustsecp256k1_v0_1_2_fe_normalize_var(&(state->prej[(np - 1) * ECMULT_TABLE_SIZE(WINDOW_A) + ECMULT_TABLE_SIZE(WINDOW_A) - 1].z)); #endif - rustsecp256k1_v0_1_1_gej_rescale(&tmp, &(state->prej[(np - 1) * ECMULT_TABLE_SIZE(WINDOW_A) + ECMULT_TABLE_SIZE(WINDOW_A) - 1].z)); - rustsecp256k1_v0_1_1_ecmult_odd_multiples_table(ECMULT_TABLE_SIZE(WINDOW_A), state->prej + np * ECMULT_TABLE_SIZE(WINDOW_A), state->zr + np * ECMULT_TABLE_SIZE(WINDOW_A), &tmp); - rustsecp256k1_v0_1_1_fe_mul(state->zr + np * ECMULT_TABLE_SIZE(WINDOW_A), state->zr + np * ECMULT_TABLE_SIZE(WINDOW_A), &(a[state->ps[np].input_pos].z)); + rustsecp256k1_v0_1_2_gej_rescale(&tmp, &(state->prej[(np - 1) * ECMULT_TABLE_SIZE(WINDOW_A) + ECMULT_TABLE_SIZE(WINDOW_A) - 1].z)); + rustsecp256k1_v0_1_2_ecmult_odd_multiples_table(ECMULT_TABLE_SIZE(WINDOW_A), state->prej + np * ECMULT_TABLE_SIZE(WINDOW_A), state->zr + np * ECMULT_TABLE_SIZE(WINDOW_A), &tmp); + rustsecp256k1_v0_1_2_fe_mul(state->zr + np * ECMULT_TABLE_SIZE(WINDOW_A), state->zr + np * ECMULT_TABLE_SIZE(WINDOW_A), &(a[state->ps[np].input_pos].z)); } /* Bring them to the same Z denominator. */ - rustsecp256k1_v0_1_1_ge_globalz_set_table_gej(ECMULT_TABLE_SIZE(WINDOW_A) * no, state->pre_a, &Z, state->prej, state->zr); + rustsecp256k1_v0_1_2_ge_globalz_set_table_gej(ECMULT_TABLE_SIZE(WINDOW_A) * no, state->pre_a, &Z, state->prej, state->zr); } else { - rustsecp256k1_v0_1_1_fe_set_int(&Z, 1); + rustsecp256k1_v0_1_2_fe_set_int(&Z, 1); } #ifdef USE_ENDOMORPHISM for (np = 0; np < no; ++np) { for (i = 0; i < ECMULT_TABLE_SIZE(WINDOW_A); i++) { - rustsecp256k1_v0_1_1_ge_mul_lambda(&state->pre_a_lam[np * ECMULT_TABLE_SIZE(WINDOW_A) + i], &state->pre_a[np * ECMULT_TABLE_SIZE(WINDOW_A) + i]); + rustsecp256k1_v0_1_2_ge_mul_lambda(&state->pre_a_lam[np * ECMULT_TABLE_SIZE(WINDOW_A) + i], &state->pre_a[np * ECMULT_TABLE_SIZE(WINDOW_A) + i]); } } if (ng) { /* split ng into ng_1 and ng_128 (where gn = gn_1 + gn_128*2^128, and gn_1 and gn_128 are ~128 bit) */ - rustsecp256k1_v0_1_1_scalar_split_128(&ng_1, &ng_128, ng); + rustsecp256k1_v0_1_2_scalar_split_128(&ng_1, &ng_128, ng); /* Build wnaf representation for ng_1 and ng_128 */ - bits_ng_1 = rustsecp256k1_v0_1_1_ecmult_wnaf(wnaf_ng_1, 129, &ng_1, WINDOW_G); - bits_ng_128 = rustsecp256k1_v0_1_1_ecmult_wnaf(wnaf_ng_128, 129, &ng_128, WINDOW_G); + bits_ng_1 = rustsecp256k1_v0_1_2_ecmult_wnaf(wnaf_ng_1, 129, &ng_1, WINDOW_G); + bits_ng_128 = rustsecp256k1_v0_1_2_ecmult_wnaf(wnaf_ng_128, 129, &ng_128, WINDOW_G); if (bits_ng_1 > bits) { bits = bits_ng_1; } @@ -569,65 +570,65 @@ static void rustsecp256k1_v0_1_1_ecmult_strauss_wnaf(const rustsecp256k1_v0_1_1_ } #else if (ng) { - bits_ng = rustsecp256k1_v0_1_1_ecmult_wnaf(wnaf_ng, 256, ng, WINDOW_G); + bits_ng = rustsecp256k1_v0_1_2_ecmult_wnaf(wnaf_ng, 256, ng, WINDOW_G); if (bits_ng > bits) { bits = bits_ng; } } #endif - rustsecp256k1_v0_1_1_gej_set_infinity(r); + rustsecp256k1_v0_1_2_gej_set_infinity(r); for (i = bits - 1; i >= 0; i--) { int n; - rustsecp256k1_v0_1_1_gej_double_var(r, r, NULL); + rustsecp256k1_v0_1_2_gej_double_var(r, r, NULL); #ifdef USE_ENDOMORPHISM for (np = 0; np < no; ++np) { if (i < state->ps[np].bits_na_1 && (n = state->ps[np].wnaf_na_1[i])) { ECMULT_TABLE_GET_GE(&tmpa, state->pre_a + np * ECMULT_TABLE_SIZE(WINDOW_A), n, WINDOW_A); - rustsecp256k1_v0_1_1_gej_add_ge_var(r, r, &tmpa, NULL); + rustsecp256k1_v0_1_2_gej_add_ge_var(r, r, &tmpa, NULL); } if (i < state->ps[np].bits_na_lam && (n = state->ps[np].wnaf_na_lam[i])) { ECMULT_TABLE_GET_GE(&tmpa, state->pre_a_lam + np * ECMULT_TABLE_SIZE(WINDOW_A), n, WINDOW_A); - rustsecp256k1_v0_1_1_gej_add_ge_var(r, r, &tmpa, NULL); + rustsecp256k1_v0_1_2_gej_add_ge_var(r, r, &tmpa, NULL); } } if (i < bits_ng_1 && (n = wnaf_ng_1[i])) { ECMULT_TABLE_GET_GE_STORAGE(&tmpa, *ctx->pre_g, n, WINDOW_G); - rustsecp256k1_v0_1_1_gej_add_zinv_var(r, r, &tmpa, &Z); + rustsecp256k1_v0_1_2_gej_add_zinv_var(r, r, &tmpa, &Z); } if (i < bits_ng_128 && (n = wnaf_ng_128[i])) { ECMULT_TABLE_GET_GE_STORAGE(&tmpa, *ctx->pre_g_128, n, WINDOW_G); - rustsecp256k1_v0_1_1_gej_add_zinv_var(r, r, &tmpa, &Z); + rustsecp256k1_v0_1_2_gej_add_zinv_var(r, r, &tmpa, &Z); } #else for (np = 0; np < no; ++np) { if (i < state->ps[np].bits_na && (n = state->ps[np].wnaf_na[i])) { ECMULT_TABLE_GET_GE(&tmpa, state->pre_a + np * ECMULT_TABLE_SIZE(WINDOW_A), n, WINDOW_A); - rustsecp256k1_v0_1_1_gej_add_ge_var(r, r, &tmpa, NULL); + rustsecp256k1_v0_1_2_gej_add_ge_var(r, r, &tmpa, NULL); } } if (i < bits_ng && (n = wnaf_ng[i])) { ECMULT_TABLE_GET_GE_STORAGE(&tmpa, *ctx->pre_g, n, WINDOW_G); - rustsecp256k1_v0_1_1_gej_add_zinv_var(r, r, &tmpa, &Z); + rustsecp256k1_v0_1_2_gej_add_zinv_var(r, r, &tmpa, &Z); } #endif } if (!r->infinity) { - rustsecp256k1_v0_1_1_fe_mul(&r->z, &r->z, &Z); + rustsecp256k1_v0_1_2_fe_mul(&r->z, &r->z, &Z); } } -static void rustsecp256k1_v0_1_1_ecmult(const rustsecp256k1_v0_1_1_ecmult_context *ctx, rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_gej *a, const rustsecp256k1_v0_1_1_scalar *na, const rustsecp256k1_v0_1_1_scalar *ng) { - rustsecp256k1_v0_1_1_gej prej[ECMULT_TABLE_SIZE(WINDOW_A)]; - rustsecp256k1_v0_1_1_fe zr[ECMULT_TABLE_SIZE(WINDOW_A)]; - rustsecp256k1_v0_1_1_ge pre_a[ECMULT_TABLE_SIZE(WINDOW_A)]; - struct rustsecp256k1_v0_1_1_strauss_point_state ps[1]; +static void rustsecp256k1_v0_1_2_ecmult(const rustsecp256k1_v0_1_2_ecmult_context *ctx, rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_gej *a, const rustsecp256k1_v0_1_2_scalar *na, const rustsecp256k1_v0_1_2_scalar *ng) { + rustsecp256k1_v0_1_2_gej prej[ECMULT_TABLE_SIZE(WINDOW_A)]; + rustsecp256k1_v0_1_2_fe zr[ECMULT_TABLE_SIZE(WINDOW_A)]; + rustsecp256k1_v0_1_2_ge pre_a[ECMULT_TABLE_SIZE(WINDOW_A)]; + struct rustsecp256k1_v0_1_2_strauss_point_state ps[1]; #ifdef USE_ENDOMORPHISM - rustsecp256k1_v0_1_1_ge pre_a_lam[ECMULT_TABLE_SIZE(WINDOW_A)]; + rustsecp256k1_v0_1_2_ge pre_a_lam[ECMULT_TABLE_SIZE(WINDOW_A)]; #endif - struct rustsecp256k1_v0_1_1_strauss_state state; + struct rustsecp256k1_v0_1_2_strauss_state state; state.prej = prej; state.zr = zr; @@ -636,67 +637,67 @@ static void rustsecp256k1_v0_1_1_ecmult(const rustsecp256k1_v0_1_1_ecmult_contex state.pre_a_lam = pre_a_lam; #endif state.ps = ps; - rustsecp256k1_v0_1_1_ecmult_strauss_wnaf(ctx, &state, r, 1, a, na, ng); + rustsecp256k1_v0_1_2_ecmult_strauss_wnaf(ctx, &state, r, 1, a, na, ng); } -static size_t rustsecp256k1_v0_1_1_strauss_scratch_size(size_t n_points) { +static size_t rustsecp256k1_v0_1_2_strauss_scratch_size(size_t n_points) { #ifdef USE_ENDOMORPHISM - static const size_t point_size = (2 * sizeof(rustsecp256k1_v0_1_1_ge) + sizeof(rustsecp256k1_v0_1_1_gej) + sizeof(rustsecp256k1_v0_1_1_fe)) * ECMULT_TABLE_SIZE(WINDOW_A) + sizeof(struct rustsecp256k1_v0_1_1_strauss_point_state) + sizeof(rustsecp256k1_v0_1_1_gej) + sizeof(rustsecp256k1_v0_1_1_scalar); + static const size_t point_size = (2 * sizeof(rustsecp256k1_v0_1_2_ge) + sizeof(rustsecp256k1_v0_1_2_gej) + sizeof(rustsecp256k1_v0_1_2_fe)) * ECMULT_TABLE_SIZE(WINDOW_A) + sizeof(struct rustsecp256k1_v0_1_2_strauss_point_state) + sizeof(rustsecp256k1_v0_1_2_gej) + sizeof(rustsecp256k1_v0_1_2_scalar); #else - static const size_t point_size = (sizeof(rustsecp256k1_v0_1_1_ge) + sizeof(rustsecp256k1_v0_1_1_gej) + sizeof(rustsecp256k1_v0_1_1_fe)) * ECMULT_TABLE_SIZE(WINDOW_A) + sizeof(struct rustsecp256k1_v0_1_1_strauss_point_state) + sizeof(rustsecp256k1_v0_1_1_gej) + sizeof(rustsecp256k1_v0_1_1_scalar); + static const size_t point_size = (sizeof(rustsecp256k1_v0_1_2_ge) + sizeof(rustsecp256k1_v0_1_2_gej) + sizeof(rustsecp256k1_v0_1_2_fe)) * ECMULT_TABLE_SIZE(WINDOW_A) + sizeof(struct rustsecp256k1_v0_1_2_strauss_point_state) + sizeof(rustsecp256k1_v0_1_2_gej) + sizeof(rustsecp256k1_v0_1_2_scalar); #endif return n_points*point_size; } -static int rustsecp256k1_v0_1_1_ecmult_strauss_batch(const rustsecp256k1_v0_1_1_callback* error_callback, const rustsecp256k1_v0_1_1_ecmult_context *ctx, rustsecp256k1_v0_1_1_scratch *scratch, rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_scalar *inp_g_sc, rustsecp256k1_v0_1_1_ecmult_multi_callback cb, void *cbdata, size_t n_points, size_t cb_offset) { - rustsecp256k1_v0_1_1_gej* points; - rustsecp256k1_v0_1_1_scalar* scalars; - struct rustsecp256k1_v0_1_1_strauss_state state; +static int rustsecp256k1_v0_1_2_ecmult_strauss_batch(const rustsecp256k1_v0_1_2_callback* error_callback, const rustsecp256k1_v0_1_2_ecmult_context *ctx, rustsecp256k1_v0_1_2_scratch *scratch, rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_scalar *inp_g_sc, rustsecp256k1_v0_1_2_ecmult_multi_callback cb, void *cbdata, size_t n_points, size_t cb_offset) { + rustsecp256k1_v0_1_2_gej* points; + rustsecp256k1_v0_1_2_scalar* scalars; + struct rustsecp256k1_v0_1_2_strauss_state state; size_t i; - const size_t scratch_checkpoint = rustsecp256k1_v0_1_1_scratch_checkpoint(error_callback, scratch); + const size_t scratch_checkpoint = rustsecp256k1_v0_1_2_scratch_checkpoint(error_callback, scratch); - rustsecp256k1_v0_1_1_gej_set_infinity(r); + rustsecp256k1_v0_1_2_gej_set_infinity(r); if (inp_g_sc == NULL && n_points == 0) { return 1; } - points = (rustsecp256k1_v0_1_1_gej*)rustsecp256k1_v0_1_1_scratch_alloc(error_callback, scratch, n_points * sizeof(rustsecp256k1_v0_1_1_gej)); - scalars = (rustsecp256k1_v0_1_1_scalar*)rustsecp256k1_v0_1_1_scratch_alloc(error_callback, scratch, n_points * sizeof(rustsecp256k1_v0_1_1_scalar)); - state.prej = (rustsecp256k1_v0_1_1_gej*)rustsecp256k1_v0_1_1_scratch_alloc(error_callback, scratch, n_points * ECMULT_TABLE_SIZE(WINDOW_A) * sizeof(rustsecp256k1_v0_1_1_gej)); - state.zr = (rustsecp256k1_v0_1_1_fe*)rustsecp256k1_v0_1_1_scratch_alloc(error_callback, scratch, n_points * ECMULT_TABLE_SIZE(WINDOW_A) * sizeof(rustsecp256k1_v0_1_1_fe)); + points = (rustsecp256k1_v0_1_2_gej*)rustsecp256k1_v0_1_2_scratch_alloc(error_callback, scratch, n_points * sizeof(rustsecp256k1_v0_1_2_gej)); + scalars = (rustsecp256k1_v0_1_2_scalar*)rustsecp256k1_v0_1_2_scratch_alloc(error_callback, scratch, n_points * sizeof(rustsecp256k1_v0_1_2_scalar)); + state.prej = (rustsecp256k1_v0_1_2_gej*)rustsecp256k1_v0_1_2_scratch_alloc(error_callback, scratch, n_points * ECMULT_TABLE_SIZE(WINDOW_A) * sizeof(rustsecp256k1_v0_1_2_gej)); + state.zr = (rustsecp256k1_v0_1_2_fe*)rustsecp256k1_v0_1_2_scratch_alloc(error_callback, scratch, n_points * ECMULT_TABLE_SIZE(WINDOW_A) * sizeof(rustsecp256k1_v0_1_2_fe)); #ifdef USE_ENDOMORPHISM - state.pre_a = (rustsecp256k1_v0_1_1_ge*)rustsecp256k1_v0_1_1_scratch_alloc(error_callback, scratch, n_points * 2 * ECMULT_TABLE_SIZE(WINDOW_A) * sizeof(rustsecp256k1_v0_1_1_ge)); + state.pre_a = (rustsecp256k1_v0_1_2_ge*)rustsecp256k1_v0_1_2_scratch_alloc(error_callback, scratch, n_points * 2 * ECMULT_TABLE_SIZE(WINDOW_A) * sizeof(rustsecp256k1_v0_1_2_ge)); state.pre_a_lam = state.pre_a + n_points * ECMULT_TABLE_SIZE(WINDOW_A); #else - state.pre_a = (rustsecp256k1_v0_1_1_ge*)rustsecp256k1_v0_1_1_scratch_alloc(error_callback, scratch, n_points * ECMULT_TABLE_SIZE(WINDOW_A) * sizeof(rustsecp256k1_v0_1_1_ge)); + state.pre_a = (rustsecp256k1_v0_1_2_ge*)rustsecp256k1_v0_1_2_scratch_alloc(error_callback, scratch, n_points * ECMULT_TABLE_SIZE(WINDOW_A) * sizeof(rustsecp256k1_v0_1_2_ge)); #endif - state.ps = (struct rustsecp256k1_v0_1_1_strauss_point_state*)rustsecp256k1_v0_1_1_scratch_alloc(error_callback, scratch, n_points * sizeof(struct rustsecp256k1_v0_1_1_strauss_point_state)); + state.ps = (struct rustsecp256k1_v0_1_2_strauss_point_state*)rustsecp256k1_v0_1_2_scratch_alloc(error_callback, scratch, n_points * sizeof(struct rustsecp256k1_v0_1_2_strauss_point_state)); if (points == NULL || scalars == NULL || state.prej == NULL || state.zr == NULL || state.pre_a == NULL) { - rustsecp256k1_v0_1_1_scratch_apply_checkpoint(error_callback, scratch, scratch_checkpoint); + rustsecp256k1_v0_1_2_scratch_apply_checkpoint(error_callback, scratch, scratch_checkpoint); return 0; } for (i = 0; i < n_points; i++) { - rustsecp256k1_v0_1_1_ge point; + rustsecp256k1_v0_1_2_ge point; if (!cb(&scalars[i], &point, i+cb_offset, cbdata)) { - rustsecp256k1_v0_1_1_scratch_apply_checkpoint(error_callback, scratch, scratch_checkpoint); + rustsecp256k1_v0_1_2_scratch_apply_checkpoint(error_callback, scratch, scratch_checkpoint); return 0; } - rustsecp256k1_v0_1_1_gej_set_ge(&points[i], &point); + rustsecp256k1_v0_1_2_gej_set_ge(&points[i], &point); } - rustsecp256k1_v0_1_1_ecmult_strauss_wnaf(ctx, &state, r, n_points, points, scalars, inp_g_sc); - rustsecp256k1_v0_1_1_scratch_apply_checkpoint(error_callback, scratch, scratch_checkpoint); + rustsecp256k1_v0_1_2_ecmult_strauss_wnaf(ctx, &state, r, n_points, points, scalars, inp_g_sc); + rustsecp256k1_v0_1_2_scratch_apply_checkpoint(error_callback, scratch, scratch_checkpoint); return 1; } -/* Wrapper for rustsecp256k1_v0_1_1_ecmult_multi_func interface */ -static int rustsecp256k1_v0_1_1_ecmult_strauss_batch_single(const rustsecp256k1_v0_1_1_callback* error_callback, const rustsecp256k1_v0_1_1_ecmult_context *actx, rustsecp256k1_v0_1_1_scratch *scratch, rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_scalar *inp_g_sc, rustsecp256k1_v0_1_1_ecmult_multi_callback cb, void *cbdata, size_t n) { - return rustsecp256k1_v0_1_1_ecmult_strauss_batch(error_callback, actx, scratch, r, inp_g_sc, cb, cbdata, n, 0); +/* Wrapper for rustsecp256k1_v0_1_2_ecmult_multi_func interface */ +static int rustsecp256k1_v0_1_2_ecmult_strauss_batch_single(const rustsecp256k1_v0_1_2_callback* error_callback, const rustsecp256k1_v0_1_2_ecmult_context *actx, rustsecp256k1_v0_1_2_scratch *scratch, rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_scalar *inp_g_sc, rustsecp256k1_v0_1_2_ecmult_multi_callback cb, void *cbdata, size_t n) { + return rustsecp256k1_v0_1_2_ecmult_strauss_batch(error_callback, actx, scratch, r, inp_g_sc, cb, cbdata, n, 0); } -static size_t rustsecp256k1_v0_1_1_strauss_max_points(const rustsecp256k1_v0_1_1_callback* error_callback, rustsecp256k1_v0_1_1_scratch *scratch) { - return rustsecp256k1_v0_1_1_scratch_max_allocation(error_callback, scratch, STRAUSS_SCRATCH_OBJECTS) / rustsecp256k1_v0_1_1_strauss_scratch_size(1); +static size_t rustsecp256k1_v0_1_2_strauss_max_points(const rustsecp256k1_v0_1_2_callback* error_callback, rustsecp256k1_v0_1_2_scratch *scratch) { + return rustsecp256k1_v0_1_2_scratch_max_allocation(error_callback, scratch, STRAUSS_SCRATCH_OBJECTS) / rustsecp256k1_v0_1_2_strauss_scratch_size(1); } /** Convert a number to WNAF notation. @@ -706,25 +707,25 @@ static size_t rustsecp256k1_v0_1_1_strauss_max_points(const rustsecp256k1_v0_1_1 * - the number of words set is always WNAF_SIZE(w) * - the returned skew is 0 or 1 */ -static int rustsecp256k1_v0_1_1_wnaf_fixed(int *wnaf, const rustsecp256k1_v0_1_1_scalar *s, int w) { +static int rustsecp256k1_v0_1_2_wnaf_fixed(int *wnaf, const rustsecp256k1_v0_1_2_scalar *s, int w) { int skew = 0; int pos; int max_pos; int last_w; - const rustsecp256k1_v0_1_1_scalar *work = s; + const rustsecp256k1_v0_1_2_scalar *work = s; - if (rustsecp256k1_v0_1_1_scalar_is_zero(s)) { + if (rustsecp256k1_v0_1_2_scalar_is_zero(s)) { for (pos = 0; pos < WNAF_SIZE(w); pos++) { wnaf[pos] = 0; } return 0; } - if (rustsecp256k1_v0_1_1_scalar_is_even(s)) { + if (rustsecp256k1_v0_1_2_scalar_is_even(s)) { skew = 1; } - wnaf[0] = rustsecp256k1_v0_1_1_scalar_get_bits_var(work, 0, w) + skew; + wnaf[0] = rustsecp256k1_v0_1_2_scalar_get_bits_var(work, 0, w) + skew; /* Compute last window size. Relevant when window size doesn't divide the * number of bits in the scalar */ last_w = WNAF_BITS - (WNAF_SIZE(w) - 1) * w; @@ -732,7 +733,7 @@ static int rustsecp256k1_v0_1_1_wnaf_fixed(int *wnaf, const rustsecp256k1_v0_1_1 /* Store the position of the first nonzero word in max_pos to allow * skipping leading zeros when calculating the wnaf. */ for (pos = WNAF_SIZE(w) - 1; pos > 0; pos--) { - int val = rustsecp256k1_v0_1_1_scalar_get_bits_var(work, pos * w, pos == WNAF_SIZE(w)-1 ? last_w : w); + int val = rustsecp256k1_v0_1_2_scalar_get_bits_var(work, pos * w, pos == WNAF_SIZE(w)-1 ? last_w : w); if(val != 0) { break; } @@ -742,7 +743,7 @@ static int rustsecp256k1_v0_1_1_wnaf_fixed(int *wnaf, const rustsecp256k1_v0_1_1 pos = 1; while (pos <= max_pos) { - int val = rustsecp256k1_v0_1_1_scalar_get_bits_var(work, pos * w, pos == WNAF_SIZE(w)-1 ? last_w : w); + int val = rustsecp256k1_v0_1_2_scalar_get_bits_var(work, pos * w, pos == WNAF_SIZE(w)-1 ? last_w : w); if ((val & 1) == 0) { wnaf[pos - 1] -= (1 << w); wnaf[pos] = (val + 1); @@ -768,14 +769,14 @@ static int rustsecp256k1_v0_1_1_wnaf_fixed(int *wnaf, const rustsecp256k1_v0_1_1 return skew; } -struct rustsecp256k1_v0_1_1_pippenger_point_state { +struct rustsecp256k1_v0_1_2_pippenger_point_state { int skew_na; size_t input_pos; }; -struct rustsecp256k1_v0_1_1_pippenger_state { +struct rustsecp256k1_v0_1_2_pippenger_state { int *wnaf_na; - struct rustsecp256k1_v0_1_1_pippenger_point_state* ps; + struct rustsecp256k1_v0_1_2_pippenger_point_state* ps; }; /* @@ -785,7 +786,7 @@ struct rustsecp256k1_v0_1_1_pippenger_state { * to the point's wnaf[i]. Second, the buckets are added together such that * r += 1*bucket[0] + 3*bucket[1] + 5*bucket[2] + ... */ -static int rustsecp256k1_v0_1_1_ecmult_pippenger_wnaf(rustsecp256k1_v0_1_1_gej *buckets, int bucket_window, struct rustsecp256k1_v0_1_1_pippenger_state *state, rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_scalar *sc, const rustsecp256k1_v0_1_1_ge *pt, size_t num) { +static int rustsecp256k1_v0_1_2_ecmult_pippenger_wnaf(rustsecp256k1_v0_1_2_gej *buckets, int bucket_window, struct rustsecp256k1_v0_1_2_pippenger_state *state, rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_scalar *sc, const rustsecp256k1_v0_1_2_ge *pt, size_t num) { size_t n_wnaf = WNAF_SIZE(bucket_window+1); size_t np; size_t no = 0; @@ -793,55 +794,55 @@ static int rustsecp256k1_v0_1_1_ecmult_pippenger_wnaf(rustsecp256k1_v0_1_1_gej * int j; for (np = 0; np < num; ++np) { - if (rustsecp256k1_v0_1_1_scalar_is_zero(&sc[np]) || rustsecp256k1_v0_1_1_ge_is_infinity(&pt[np])) { + if (rustsecp256k1_v0_1_2_scalar_is_zero(&sc[np]) || rustsecp256k1_v0_1_2_ge_is_infinity(&pt[np])) { continue; } state->ps[no].input_pos = np; - state->ps[no].skew_na = rustsecp256k1_v0_1_1_wnaf_fixed(&state->wnaf_na[no*n_wnaf], &sc[np], bucket_window+1); + state->ps[no].skew_na = rustsecp256k1_v0_1_2_wnaf_fixed(&state->wnaf_na[no*n_wnaf], &sc[np], bucket_window+1); no++; } - rustsecp256k1_v0_1_1_gej_set_infinity(r); + rustsecp256k1_v0_1_2_gej_set_infinity(r); if (no == 0) { return 1; } for (i = n_wnaf - 1; i >= 0; i--) { - rustsecp256k1_v0_1_1_gej running_sum; + rustsecp256k1_v0_1_2_gej running_sum; for(j = 0; j < ECMULT_TABLE_SIZE(bucket_window+2); j++) { - rustsecp256k1_v0_1_1_gej_set_infinity(&buckets[j]); + rustsecp256k1_v0_1_2_gej_set_infinity(&buckets[j]); } for (np = 0; np < no; ++np) { int n = state->wnaf_na[np*n_wnaf + i]; - struct rustsecp256k1_v0_1_1_pippenger_point_state point_state = state->ps[np]; - rustsecp256k1_v0_1_1_ge tmp; + struct rustsecp256k1_v0_1_2_pippenger_point_state point_state = state->ps[np]; + rustsecp256k1_v0_1_2_ge tmp; int idx; if (i == 0) { /* correct for wnaf skew */ int skew = point_state.skew_na; if (skew) { - rustsecp256k1_v0_1_1_ge_neg(&tmp, &pt[point_state.input_pos]); - rustsecp256k1_v0_1_1_gej_add_ge_var(&buckets[0], &buckets[0], &tmp, NULL); + rustsecp256k1_v0_1_2_ge_neg(&tmp, &pt[point_state.input_pos]); + rustsecp256k1_v0_1_2_gej_add_ge_var(&buckets[0], &buckets[0], &tmp, NULL); } } if (n > 0) { idx = (n - 1)/2; - rustsecp256k1_v0_1_1_gej_add_ge_var(&buckets[idx], &buckets[idx], &pt[point_state.input_pos], NULL); + rustsecp256k1_v0_1_2_gej_add_ge_var(&buckets[idx], &buckets[idx], &pt[point_state.input_pos], NULL); } else if (n < 0) { idx = -(n + 1)/2; - rustsecp256k1_v0_1_1_ge_neg(&tmp, &pt[point_state.input_pos]); - rustsecp256k1_v0_1_1_gej_add_ge_var(&buckets[idx], &buckets[idx], &tmp, NULL); + rustsecp256k1_v0_1_2_ge_neg(&tmp, &pt[point_state.input_pos]); + rustsecp256k1_v0_1_2_gej_add_ge_var(&buckets[idx], &buckets[idx], &tmp, NULL); } } for(j = 0; j < bucket_window; j++) { - rustsecp256k1_v0_1_1_gej_double_var(r, r, NULL); + rustsecp256k1_v0_1_2_gej_double_var(r, r, NULL); } - rustsecp256k1_v0_1_1_gej_set_infinity(&running_sum); + rustsecp256k1_v0_1_2_gej_set_infinity(&running_sum); /* Accumulate the sum: bucket[0] + 3*bucket[1] + 5*bucket[2] + 7*bucket[3] + ... * = bucket[0] + bucket[1] + bucket[2] + bucket[3] + ... * + 2 * (bucket[1] + 2*bucket[2] + 3*bucket[3] + ...) @@ -851,13 +852,13 @@ static int rustsecp256k1_v0_1_1_ecmult_pippenger_wnaf(rustsecp256k1_v0_1_1_gej * * The doubling is done implicitly by deferring the final window doubling (of 'r'). */ for(j = ECMULT_TABLE_SIZE(bucket_window+2) - 1; j > 0; j--) { - rustsecp256k1_v0_1_1_gej_add_var(&running_sum, &running_sum, &buckets[j], NULL); - rustsecp256k1_v0_1_1_gej_add_var(r, r, &running_sum, NULL); + rustsecp256k1_v0_1_2_gej_add_var(&running_sum, &running_sum, &buckets[j], NULL); + rustsecp256k1_v0_1_2_gej_add_var(r, r, &running_sum, NULL); } - rustsecp256k1_v0_1_1_gej_add_var(&running_sum, &running_sum, &buckets[0], NULL); - rustsecp256k1_v0_1_1_gej_double_var(r, r, NULL); - rustsecp256k1_v0_1_1_gej_add_var(r, r, &running_sum, NULL); + rustsecp256k1_v0_1_2_gej_add_var(&running_sum, &running_sum, &buckets[0], NULL); + rustsecp256k1_v0_1_2_gej_double_var(r, r, NULL); + rustsecp256k1_v0_1_2_gej_add_var(r, r, &running_sum, NULL); } return 1; } @@ -866,7 +867,7 @@ static int rustsecp256k1_v0_1_1_ecmult_pippenger_wnaf(rustsecp256k1_v0_1_1_gej * * Returns optimal bucket_window (number of bits of a scalar represented by a * set of buckets) for a given number of points. */ -static int rustsecp256k1_v0_1_1_pippenger_bucket_window(size_t n) { +static int rustsecp256k1_v0_1_2_pippenger_bucket_window(size_t n) { #ifdef USE_ENDOMORPHISM if (n <= 1) { return 1; @@ -923,7 +924,7 @@ static int rustsecp256k1_v0_1_1_pippenger_bucket_window(size_t n) { /** * Returns the maximum optimal number of points for a bucket_window. */ -static size_t rustsecp256k1_v0_1_1_pippenger_bucket_window_inv(int bucket_window) { +static size_t rustsecp256k1_v0_1_2_pippenger_bucket_window_inv(int bucket_window) { switch(bucket_window) { #ifdef USE_ENDOMORPHISM case 1: return 1; @@ -958,18 +959,18 @@ static size_t rustsecp256k1_v0_1_1_pippenger_bucket_window_inv(int bucket_window #ifdef USE_ENDOMORPHISM -SECP256K1_INLINE static void rustsecp256k1_v0_1_1_ecmult_endo_split(rustsecp256k1_v0_1_1_scalar *s1, rustsecp256k1_v0_1_1_scalar *s2, rustsecp256k1_v0_1_1_ge *p1, rustsecp256k1_v0_1_1_ge *p2) { - rustsecp256k1_v0_1_1_scalar tmp = *s1; - rustsecp256k1_v0_1_1_scalar_split_lambda(s1, s2, &tmp); - rustsecp256k1_v0_1_1_ge_mul_lambda(p2, p1); - - if (rustsecp256k1_v0_1_1_scalar_is_high(s1)) { - rustsecp256k1_v0_1_1_scalar_negate(s1, s1); - rustsecp256k1_v0_1_1_ge_neg(p1, p1); +SECP256K1_INLINE static void rustsecp256k1_v0_1_2_ecmult_endo_split(rustsecp256k1_v0_1_2_scalar *s1, rustsecp256k1_v0_1_2_scalar *s2, rustsecp256k1_v0_1_2_ge *p1, rustsecp256k1_v0_1_2_ge *p2) { + rustsecp256k1_v0_1_2_scalar tmp = *s1; + rustsecp256k1_v0_1_2_scalar_split_lambda(s1, s2, &tmp); + rustsecp256k1_v0_1_2_ge_mul_lambda(p2, p1); + + if (rustsecp256k1_v0_1_2_scalar_is_high(s1)) { + rustsecp256k1_v0_1_2_scalar_negate(s1, s1); + rustsecp256k1_v0_1_2_ge_neg(p1, p1); } - if (rustsecp256k1_v0_1_1_scalar_is_high(s2)) { - rustsecp256k1_v0_1_1_scalar_negate(s2, s2); - rustsecp256k1_v0_1_1_ge_neg(p2, p2); + if (rustsecp256k1_v0_1_2_scalar_is_high(s2)) { + rustsecp256k1_v0_1_2_scalar_negate(s2, s2); + rustsecp256k1_v0_1_2_ge_neg(p2, p2); } } #endif @@ -978,18 +979,18 @@ SECP256K1_INLINE static void rustsecp256k1_v0_1_1_ecmult_endo_split(rustsecp256k * Returns the scratch size required for a given number of points (excluding * base point G) without considering alignment. */ -static size_t rustsecp256k1_v0_1_1_pippenger_scratch_size(size_t n_points, int bucket_window) { +static size_t rustsecp256k1_v0_1_2_pippenger_scratch_size(size_t n_points, int bucket_window) { #ifdef USE_ENDOMORPHISM size_t entries = 2*n_points + 2; #else size_t entries = n_points + 1; #endif - size_t entry_size = sizeof(rustsecp256k1_v0_1_1_ge) + sizeof(rustsecp256k1_v0_1_1_scalar) + sizeof(struct rustsecp256k1_v0_1_1_pippenger_point_state) + (WNAF_SIZE(bucket_window+1)+1)*sizeof(int); - return (sizeof(rustsecp256k1_v0_1_1_gej) << bucket_window) + sizeof(struct rustsecp256k1_v0_1_1_pippenger_state) + entries * entry_size; + size_t entry_size = sizeof(rustsecp256k1_v0_1_2_ge) + sizeof(rustsecp256k1_v0_1_2_scalar) + sizeof(struct rustsecp256k1_v0_1_2_pippenger_point_state) + (WNAF_SIZE(bucket_window+1)+1)*sizeof(int); + return (sizeof(rustsecp256k1_v0_1_2_gej) << bucket_window) + sizeof(struct rustsecp256k1_v0_1_2_pippenger_state) + entries * entry_size; } -static int rustsecp256k1_v0_1_1_ecmult_pippenger_batch(const rustsecp256k1_v0_1_1_callback* error_callback, const rustsecp256k1_v0_1_1_ecmult_context *ctx, rustsecp256k1_v0_1_1_scratch *scratch, rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_scalar *inp_g_sc, rustsecp256k1_v0_1_1_ecmult_multi_callback cb, void *cbdata, size_t n_points, size_t cb_offset) { - const size_t scratch_checkpoint = rustsecp256k1_v0_1_1_scratch_checkpoint(error_callback, scratch); +static int rustsecp256k1_v0_1_2_ecmult_pippenger_batch(const rustsecp256k1_v0_1_2_callback* error_callback, const rustsecp256k1_v0_1_2_ecmult_context *ctx, rustsecp256k1_v0_1_2_scratch *scratch, rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_scalar *inp_g_sc, rustsecp256k1_v0_1_2_ecmult_multi_callback cb, void *cbdata, size_t n_points, size_t cb_offset) { + const size_t scratch_checkpoint = rustsecp256k1_v0_1_2_scratch_checkpoint(error_callback, scratch); /* Use 2(n+1) with the endomorphism, n+1 without, when calculating batch * sizes. The reason for +1 is that we add the G scalar to the list of * other scalars. */ @@ -998,81 +999,81 @@ static int rustsecp256k1_v0_1_1_ecmult_pippenger_batch(const rustsecp256k1_v0_1_ #else size_t entries = n_points + 1; #endif - rustsecp256k1_v0_1_1_ge *points; - rustsecp256k1_v0_1_1_scalar *scalars; - rustsecp256k1_v0_1_1_gej *buckets; - struct rustsecp256k1_v0_1_1_pippenger_state *state_space; + rustsecp256k1_v0_1_2_ge *points; + rustsecp256k1_v0_1_2_scalar *scalars; + rustsecp256k1_v0_1_2_gej *buckets; + struct rustsecp256k1_v0_1_2_pippenger_state *state_space; size_t idx = 0; size_t point_idx = 0; int i, j; int bucket_window; (void)ctx; - rustsecp256k1_v0_1_1_gej_set_infinity(r); + rustsecp256k1_v0_1_2_gej_set_infinity(r); if (inp_g_sc == NULL && n_points == 0) { return 1; } - bucket_window = rustsecp256k1_v0_1_1_pippenger_bucket_window(n_points); - points = (rustsecp256k1_v0_1_1_ge *) rustsecp256k1_v0_1_1_scratch_alloc(error_callback, scratch, entries * sizeof(*points)); - scalars = (rustsecp256k1_v0_1_1_scalar *) rustsecp256k1_v0_1_1_scratch_alloc(error_callback, scratch, entries * sizeof(*scalars)); - state_space = (struct rustsecp256k1_v0_1_1_pippenger_state *) rustsecp256k1_v0_1_1_scratch_alloc(error_callback, scratch, sizeof(*state_space)); + bucket_window = rustsecp256k1_v0_1_2_pippenger_bucket_window(n_points); + points = (rustsecp256k1_v0_1_2_ge *) rustsecp256k1_v0_1_2_scratch_alloc(error_callback, scratch, entries * sizeof(*points)); + scalars = (rustsecp256k1_v0_1_2_scalar *) rustsecp256k1_v0_1_2_scratch_alloc(error_callback, scratch, entries * sizeof(*scalars)); + state_space = (struct rustsecp256k1_v0_1_2_pippenger_state *) rustsecp256k1_v0_1_2_scratch_alloc(error_callback, scratch, sizeof(*state_space)); if (points == NULL || scalars == NULL || state_space == NULL) { - rustsecp256k1_v0_1_1_scratch_apply_checkpoint(error_callback, scratch, scratch_checkpoint); + rustsecp256k1_v0_1_2_scratch_apply_checkpoint(error_callback, scratch, scratch_checkpoint); return 0; } - state_space->ps = (struct rustsecp256k1_v0_1_1_pippenger_point_state *) rustsecp256k1_v0_1_1_scratch_alloc(error_callback, scratch, entries * sizeof(*state_space->ps)); - state_space->wnaf_na = (int *) rustsecp256k1_v0_1_1_scratch_alloc(error_callback, scratch, entries*(WNAF_SIZE(bucket_window+1)) * sizeof(int)); - buckets = (rustsecp256k1_v0_1_1_gej *) rustsecp256k1_v0_1_1_scratch_alloc(error_callback, scratch, (1<ps = (struct rustsecp256k1_v0_1_2_pippenger_point_state *) rustsecp256k1_v0_1_2_scratch_alloc(error_callback, scratch, entries * sizeof(*state_space->ps)); + state_space->wnaf_na = (int *) rustsecp256k1_v0_1_2_scratch_alloc(error_callback, scratch, entries*(WNAF_SIZE(bucket_window+1)) * sizeof(int)); + buckets = (rustsecp256k1_v0_1_2_gej *) rustsecp256k1_v0_1_2_scratch_alloc(error_callback, scratch, (1<ps == NULL || state_space->wnaf_na == NULL || buckets == NULL) { - rustsecp256k1_v0_1_1_scratch_apply_checkpoint(error_callback, scratch, scratch_checkpoint); + rustsecp256k1_v0_1_2_scratch_apply_checkpoint(error_callback, scratch, scratch_checkpoint); return 0; } if (inp_g_sc != NULL) { scalars[0] = *inp_g_sc; - points[0] = rustsecp256k1_v0_1_1_ge_const_g; + points[0] = rustsecp256k1_v0_1_2_ge_const_g; idx++; #ifdef USE_ENDOMORPHISM - rustsecp256k1_v0_1_1_ecmult_endo_split(&scalars[0], &scalars[1], &points[0], &points[1]); + rustsecp256k1_v0_1_2_ecmult_endo_split(&scalars[0], &scalars[1], &points[0], &points[1]); idx++; #endif } while (point_idx < n_points) { if (!cb(&scalars[idx], &points[idx], point_idx + cb_offset, cbdata)) { - rustsecp256k1_v0_1_1_scratch_apply_checkpoint(error_callback, scratch, scratch_checkpoint); + rustsecp256k1_v0_1_2_scratch_apply_checkpoint(error_callback, scratch, scratch_checkpoint); return 0; } idx++; #ifdef USE_ENDOMORPHISM - rustsecp256k1_v0_1_1_ecmult_endo_split(&scalars[idx - 1], &scalars[idx], &points[idx - 1], &points[idx]); + rustsecp256k1_v0_1_2_ecmult_endo_split(&scalars[idx - 1], &scalars[idx], &points[idx - 1], &points[idx]); idx++; #endif point_idx++; } - rustsecp256k1_v0_1_1_ecmult_pippenger_wnaf(buckets, bucket_window, state_space, r, scalars, points, idx); + rustsecp256k1_v0_1_2_ecmult_pippenger_wnaf(buckets, bucket_window, state_space, r, scalars, points, idx); /* Clear data */ for(i = 0; (size_t)i < idx; i++) { - rustsecp256k1_v0_1_1_scalar_clear(&scalars[i]); + rustsecp256k1_v0_1_2_scalar_clear(&scalars[i]); state_space->ps[i].skew_na = 0; for(j = 0; j < WNAF_SIZE(bucket_window+1); j++) { state_space->wnaf_na[i * WNAF_SIZE(bucket_window+1) + j] = 0; } } for(i = 0; i < 1< max_alloc) { break; } @@ -1118,34 +1119,34 @@ static size_t rustsecp256k1_v0_1_1_pippenger_max_points(const rustsecp256k1_v0_1 /* Computes ecmult_multi by simply multiplying and adding each point. Does not * require a scratch space */ -static int rustsecp256k1_v0_1_1_ecmult_multi_simple_var(const rustsecp256k1_v0_1_1_ecmult_context *ctx, rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_scalar *inp_g_sc, rustsecp256k1_v0_1_1_ecmult_multi_callback cb, void *cbdata, size_t n_points) { +static int rustsecp256k1_v0_1_2_ecmult_multi_simple_var(const rustsecp256k1_v0_1_2_ecmult_context *ctx, rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_scalar *inp_g_sc, rustsecp256k1_v0_1_2_ecmult_multi_callback cb, void *cbdata, size_t n_points) { size_t point_idx; - rustsecp256k1_v0_1_1_scalar szero; - rustsecp256k1_v0_1_1_gej tmpj; + rustsecp256k1_v0_1_2_scalar szero; + rustsecp256k1_v0_1_2_gej tmpj; - rustsecp256k1_v0_1_1_scalar_set_int(&szero, 0); - rustsecp256k1_v0_1_1_gej_set_infinity(r); - rustsecp256k1_v0_1_1_gej_set_infinity(&tmpj); + rustsecp256k1_v0_1_2_scalar_set_int(&szero, 0); + rustsecp256k1_v0_1_2_gej_set_infinity(r); + rustsecp256k1_v0_1_2_gej_set_infinity(&tmpj); /* r = inp_g_sc*G */ - rustsecp256k1_v0_1_1_ecmult(ctx, r, &tmpj, &szero, inp_g_sc); + rustsecp256k1_v0_1_2_ecmult(ctx, r, &tmpj, &szero, inp_g_sc); for (point_idx = 0; point_idx < n_points; point_idx++) { - rustsecp256k1_v0_1_1_ge point; - rustsecp256k1_v0_1_1_gej pointj; - rustsecp256k1_v0_1_1_scalar scalar; + rustsecp256k1_v0_1_2_ge point; + rustsecp256k1_v0_1_2_gej pointj; + rustsecp256k1_v0_1_2_scalar scalar; if (!cb(&scalar, &point, point_idx, cbdata)) { return 0; } /* r += scalar*point */ - rustsecp256k1_v0_1_1_gej_set_ge(&pointj, &point); - rustsecp256k1_v0_1_1_ecmult(ctx, &tmpj, &pointj, &scalar, NULL); - rustsecp256k1_v0_1_1_gej_add_var(r, r, &tmpj, NULL); + rustsecp256k1_v0_1_2_gej_set_ge(&pointj, &point); + rustsecp256k1_v0_1_2_ecmult(ctx, &tmpj, &pointj, &scalar, NULL); + rustsecp256k1_v0_1_2_gej_add_var(r, r, &tmpj, NULL); } return 1; } /* Compute the number of batches and the batch size given the maximum batch size and the * total number of points */ -static int rustsecp256k1_v0_1_1_ecmult_multi_batch_size_helper(size_t *n_batches, size_t *n_batch_points, size_t max_n_batch_points, size_t n) { +static int rustsecp256k1_v0_1_2_ecmult_multi_batch_size_helper(size_t *n_batches, size_t *n_batch_points, size_t max_n_batch_points, size_t n) { if (max_n_batch_points == 0) { return 0; } @@ -1163,50 +1164,50 @@ static int rustsecp256k1_v0_1_1_ecmult_multi_batch_size_helper(size_t *n_batches return 1; } -typedef int (*rustsecp256k1_v0_1_1_ecmult_multi_func)(const rustsecp256k1_v0_1_1_callback* error_callback, const rustsecp256k1_v0_1_1_ecmult_context*, rustsecp256k1_v0_1_1_scratch*, rustsecp256k1_v0_1_1_gej*, const rustsecp256k1_v0_1_1_scalar*, rustsecp256k1_v0_1_1_ecmult_multi_callback cb, void*, size_t); -static int rustsecp256k1_v0_1_1_ecmult_multi_var(const rustsecp256k1_v0_1_1_callback* error_callback, const rustsecp256k1_v0_1_1_ecmult_context *ctx, rustsecp256k1_v0_1_1_scratch *scratch, rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_scalar *inp_g_sc, rustsecp256k1_v0_1_1_ecmult_multi_callback cb, void *cbdata, size_t n) { +typedef int (*rustsecp256k1_v0_1_2_ecmult_multi_func)(const rustsecp256k1_v0_1_2_callback* error_callback, const rustsecp256k1_v0_1_2_ecmult_context*, rustsecp256k1_v0_1_2_scratch*, rustsecp256k1_v0_1_2_gej*, const rustsecp256k1_v0_1_2_scalar*, rustsecp256k1_v0_1_2_ecmult_multi_callback cb, void*, size_t); +static int rustsecp256k1_v0_1_2_ecmult_multi_var(const rustsecp256k1_v0_1_2_callback* error_callback, const rustsecp256k1_v0_1_2_ecmult_context *ctx, rustsecp256k1_v0_1_2_scratch *scratch, rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_scalar *inp_g_sc, rustsecp256k1_v0_1_2_ecmult_multi_callback cb, void *cbdata, size_t n) { size_t i; - int (*f)(const rustsecp256k1_v0_1_1_callback* error_callback, const rustsecp256k1_v0_1_1_ecmult_context*, rustsecp256k1_v0_1_1_scratch*, rustsecp256k1_v0_1_1_gej*, const rustsecp256k1_v0_1_1_scalar*, rustsecp256k1_v0_1_1_ecmult_multi_callback cb, void*, size_t, size_t); + int (*f)(const rustsecp256k1_v0_1_2_callback* error_callback, const rustsecp256k1_v0_1_2_ecmult_context*, rustsecp256k1_v0_1_2_scratch*, rustsecp256k1_v0_1_2_gej*, const rustsecp256k1_v0_1_2_scalar*, rustsecp256k1_v0_1_2_ecmult_multi_callback cb, void*, size_t, size_t); size_t n_batches; size_t n_batch_points; - rustsecp256k1_v0_1_1_gej_set_infinity(r); + rustsecp256k1_v0_1_2_gej_set_infinity(r); if (inp_g_sc == NULL && n == 0) { return 1; } else if (n == 0) { - rustsecp256k1_v0_1_1_scalar szero; - rustsecp256k1_v0_1_1_scalar_set_int(&szero, 0); - rustsecp256k1_v0_1_1_ecmult(ctx, r, r, &szero, inp_g_sc); + rustsecp256k1_v0_1_2_scalar szero; + rustsecp256k1_v0_1_2_scalar_set_int(&szero, 0); + rustsecp256k1_v0_1_2_ecmult(ctx, r, r, &szero, inp_g_sc); return 1; } if (scratch == NULL) { - return rustsecp256k1_v0_1_1_ecmult_multi_simple_var(ctx, r, inp_g_sc, cb, cbdata, n); + return rustsecp256k1_v0_1_2_ecmult_multi_simple_var(ctx, r, inp_g_sc, cb, cbdata, n); } /* Compute the batch sizes for Pippenger's algorithm given a scratch space. If it's greater than * a threshold use Pippenger's algorithm. Otherwise use Strauss' algorithm. * As a first step check if there's enough space for Pippenger's algo (which requires less space * than Strauss' algo) and if not, use the simple algorithm. */ - if (!rustsecp256k1_v0_1_1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, rustsecp256k1_v0_1_1_pippenger_max_points(error_callback, scratch), n)) { - return rustsecp256k1_v0_1_1_ecmult_multi_simple_var(ctx, r, inp_g_sc, cb, cbdata, n); + if (!rustsecp256k1_v0_1_2_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, rustsecp256k1_v0_1_2_pippenger_max_points(error_callback, scratch), n)) { + return rustsecp256k1_v0_1_2_ecmult_multi_simple_var(ctx, r, inp_g_sc, cb, cbdata, n); } if (n_batch_points >= ECMULT_PIPPENGER_THRESHOLD) { - f = rustsecp256k1_v0_1_1_ecmult_pippenger_batch; + f = rustsecp256k1_v0_1_2_ecmult_pippenger_batch; } else { - if (!rustsecp256k1_v0_1_1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, rustsecp256k1_v0_1_1_strauss_max_points(error_callback, scratch), n)) { - return rustsecp256k1_v0_1_1_ecmult_multi_simple_var(ctx, r, inp_g_sc, cb, cbdata, n); + if (!rustsecp256k1_v0_1_2_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, rustsecp256k1_v0_1_2_strauss_max_points(error_callback, scratch), n)) { + return rustsecp256k1_v0_1_2_ecmult_multi_simple_var(ctx, r, inp_g_sc, cb, cbdata, n); } - f = rustsecp256k1_v0_1_1_ecmult_strauss_batch; + f = rustsecp256k1_v0_1_2_ecmult_strauss_batch; } for(i = 0; i < n_batches; i++) { size_t nbp = n < n_batch_points ? n : n_batch_points; size_t offset = n_batch_points*i; - rustsecp256k1_v0_1_1_gej tmp; + rustsecp256k1_v0_1_2_gej tmp; if (!f(error_callback, ctx, scratch, &tmp, i == 0 ? inp_g_sc : NULL, cb, cbdata, nbp, offset)) { return 0; } - rustsecp256k1_v0_1_1_gej_add_var(r, r, &tmp, NULL); + rustsecp256k1_v0_1_2_gej_add_var(r, r, &tmp, NULL); n -= nbp; } return 1; diff --git a/secp256k1-sys/depend/secp256k1/src/field.h b/secp256k1-sys/depend/secp256k1/src/field.h index 96513fc37..f4290ae93 100644 --- a/secp256k1-sys/depend/secp256k1/src/field.h +++ b/secp256k1-sys/depend/secp256k1/src/field.h @@ -32,101 +32,103 @@ #include "util.h" -/** Normalize a field element. */ -static void rustsecp256k1_v0_1_1_fe_normalize(rustsecp256k1_v0_1_1_fe *r); +/** Normalize a field element. This brings the field element to a canonical representation, reduces + * its magnitude to 1, and reduces it modulo field size `p`. + */ +static void rustsecp256k1_v0_1_2_fe_normalize(rustsecp256k1_v0_1_2_fe *r); -/** Weakly normalize a field element: reduce it magnitude to 1, but don't fully normalize. */ -static void rustsecp256k1_v0_1_1_fe_normalize_weak(rustsecp256k1_v0_1_1_fe *r); +/** Weakly normalize a field element: reduce its magnitude to 1, but don't fully normalize. */ +static void rustsecp256k1_v0_1_2_fe_normalize_weak(rustsecp256k1_v0_1_2_fe *r); /** Normalize a field element, without constant-time guarantee. */ -static void rustsecp256k1_v0_1_1_fe_normalize_var(rustsecp256k1_v0_1_1_fe *r); +static void rustsecp256k1_v0_1_2_fe_normalize_var(rustsecp256k1_v0_1_2_fe *r); /** Verify whether a field element represents zero i.e. would normalize to a zero value. The field * implementation may optionally normalize the input, but this should not be relied upon. */ -static int rustsecp256k1_v0_1_1_fe_normalizes_to_zero(rustsecp256k1_v0_1_1_fe *r); +static int rustsecp256k1_v0_1_2_fe_normalizes_to_zero(rustsecp256k1_v0_1_2_fe *r); /** Verify whether a field element represents zero i.e. would normalize to a zero value. The field * implementation may optionally normalize the input, but this should not be relied upon. */ -static int rustsecp256k1_v0_1_1_fe_normalizes_to_zero_var(rustsecp256k1_v0_1_1_fe *r); +static int rustsecp256k1_v0_1_2_fe_normalizes_to_zero_var(rustsecp256k1_v0_1_2_fe *r); /** Set a field element equal to a small integer. Resulting field element is normalized. */ -static void rustsecp256k1_v0_1_1_fe_set_int(rustsecp256k1_v0_1_1_fe *r, int a); +static void rustsecp256k1_v0_1_2_fe_set_int(rustsecp256k1_v0_1_2_fe *r, int a); /** Sets a field element equal to zero, initializing all fields. */ -static void rustsecp256k1_v0_1_1_fe_clear(rustsecp256k1_v0_1_1_fe *a); +static void rustsecp256k1_v0_1_2_fe_clear(rustsecp256k1_v0_1_2_fe *a); /** Verify whether a field element is zero. Requires the input to be normalized. */ -static int rustsecp256k1_v0_1_1_fe_is_zero(const rustsecp256k1_v0_1_1_fe *a); +static int rustsecp256k1_v0_1_2_fe_is_zero(const rustsecp256k1_v0_1_2_fe *a); /** Check the "oddness" of a field element. Requires the input to be normalized. */ -static int rustsecp256k1_v0_1_1_fe_is_odd(const rustsecp256k1_v0_1_1_fe *a); +static int rustsecp256k1_v0_1_2_fe_is_odd(const rustsecp256k1_v0_1_2_fe *a); /** Compare two field elements. Requires magnitude-1 inputs. */ -static int rustsecp256k1_v0_1_1_fe_equal(const rustsecp256k1_v0_1_1_fe *a, const rustsecp256k1_v0_1_1_fe *b); +static int rustsecp256k1_v0_1_2_fe_equal(const rustsecp256k1_v0_1_2_fe *a, const rustsecp256k1_v0_1_2_fe *b); -/** Same as rustsecp256k1_v0_1_1_fe_equal, but may be variable time. */ -static int rustsecp256k1_v0_1_1_fe_equal_var(const rustsecp256k1_v0_1_1_fe *a, const rustsecp256k1_v0_1_1_fe *b); +/** Same as rustsecp256k1_v0_1_2_fe_equal, but may be variable time. */ +static int rustsecp256k1_v0_1_2_fe_equal_var(const rustsecp256k1_v0_1_2_fe *a, const rustsecp256k1_v0_1_2_fe *b); /** Compare two field elements. Requires both inputs to be normalized */ -static int rustsecp256k1_v0_1_1_fe_cmp_var(const rustsecp256k1_v0_1_1_fe *a, const rustsecp256k1_v0_1_1_fe *b); +static int rustsecp256k1_v0_1_2_fe_cmp_var(const rustsecp256k1_v0_1_2_fe *a, const rustsecp256k1_v0_1_2_fe *b); /** Set a field element equal to 32-byte big endian value. If successful, the resulting field element is normalized. */ -static int rustsecp256k1_v0_1_1_fe_set_b32(rustsecp256k1_v0_1_1_fe *r, const unsigned char *a); +static int rustsecp256k1_v0_1_2_fe_set_b32(rustsecp256k1_v0_1_2_fe *r, const unsigned char *a); /** Convert a field element to a 32-byte big endian value. Requires the input to be normalized */ -static void rustsecp256k1_v0_1_1_fe_get_b32(unsigned char *r, const rustsecp256k1_v0_1_1_fe *a); +static void rustsecp256k1_v0_1_2_fe_get_b32(unsigned char *r, const rustsecp256k1_v0_1_2_fe *a); /** Set a field element equal to the additive inverse of another. Takes a maximum magnitude of the input * as an argument. The magnitude of the output is one higher. */ -static void rustsecp256k1_v0_1_1_fe_negate(rustsecp256k1_v0_1_1_fe *r, const rustsecp256k1_v0_1_1_fe *a, int m); +static void rustsecp256k1_v0_1_2_fe_negate(rustsecp256k1_v0_1_2_fe *r, const rustsecp256k1_v0_1_2_fe *a, int m); /** Multiplies the passed field element with a small integer constant. Multiplies the magnitude by that * small integer. */ -static void rustsecp256k1_v0_1_1_fe_mul_int(rustsecp256k1_v0_1_1_fe *r, int a); +static void rustsecp256k1_v0_1_2_fe_mul_int(rustsecp256k1_v0_1_2_fe *r, int a); /** Adds a field element to another. The result has the sum of the inputs' magnitudes as magnitude. */ -static void rustsecp256k1_v0_1_1_fe_add(rustsecp256k1_v0_1_1_fe *r, const rustsecp256k1_v0_1_1_fe *a); +static void rustsecp256k1_v0_1_2_fe_add(rustsecp256k1_v0_1_2_fe *r, const rustsecp256k1_v0_1_2_fe *a); /** Sets a field element to be the product of two others. Requires the inputs' magnitudes to be at most 8. * The output magnitude is 1 (but not guaranteed to be normalized). */ -static void rustsecp256k1_v0_1_1_fe_mul(rustsecp256k1_v0_1_1_fe *r, const rustsecp256k1_v0_1_1_fe *a, const rustsecp256k1_v0_1_1_fe * SECP256K1_RESTRICT b); +static void rustsecp256k1_v0_1_2_fe_mul(rustsecp256k1_v0_1_2_fe *r, const rustsecp256k1_v0_1_2_fe *a, const rustsecp256k1_v0_1_2_fe * SECP256K1_RESTRICT b); /** Sets a field element to be the square of another. Requires the input's magnitude to be at most 8. * The output magnitude is 1 (but not guaranteed to be normalized). */ -static void rustsecp256k1_v0_1_1_fe_sqr(rustsecp256k1_v0_1_1_fe *r, const rustsecp256k1_v0_1_1_fe *a); +static void rustsecp256k1_v0_1_2_fe_sqr(rustsecp256k1_v0_1_2_fe *r, const rustsecp256k1_v0_1_2_fe *a); /** If a has a square root, it is computed in r and 1 is returned. If a does not * have a square root, the root of its negation is computed and 0 is returned. * The input's magnitude can be at most 8. The output magnitude is 1 (but not * guaranteed to be normalized). The result in r will always be a square * itself. */ -static int rustsecp256k1_v0_1_1_fe_sqrt(rustsecp256k1_v0_1_1_fe *r, const rustsecp256k1_v0_1_1_fe *a); +static int rustsecp256k1_v0_1_2_fe_sqrt(rustsecp256k1_v0_1_2_fe *r, const rustsecp256k1_v0_1_2_fe *a); /** Checks whether a field element is a quadratic residue. */ -static int rustsecp256k1_v0_1_1_fe_is_quad_var(const rustsecp256k1_v0_1_1_fe *a); +static int rustsecp256k1_v0_1_2_fe_is_quad_var(const rustsecp256k1_v0_1_2_fe *a); /** Sets a field element to be the (modular) inverse of another. Requires the input's magnitude to be * at most 8. The output magnitude is 1 (but not guaranteed to be normalized). */ -static void rustsecp256k1_v0_1_1_fe_inv(rustsecp256k1_v0_1_1_fe *r, const rustsecp256k1_v0_1_1_fe *a); +static void rustsecp256k1_v0_1_2_fe_inv(rustsecp256k1_v0_1_2_fe *r, const rustsecp256k1_v0_1_2_fe *a); -/** Potentially faster version of rustsecp256k1_v0_1_1_fe_inv, without constant-time guarantee. */ -static void rustsecp256k1_v0_1_1_fe_inv_var(rustsecp256k1_v0_1_1_fe *r, const rustsecp256k1_v0_1_1_fe *a); +/** Potentially faster version of rustsecp256k1_v0_1_2_fe_inv, without constant-time guarantee. */ +static void rustsecp256k1_v0_1_2_fe_inv_var(rustsecp256k1_v0_1_2_fe *r, const rustsecp256k1_v0_1_2_fe *a); /** Calculate the (modular) inverses of a batch of field elements. Requires the inputs' magnitudes to be * at most 8. The output magnitudes are 1 (but not guaranteed to be normalized). The inputs and * outputs must not overlap in memory. */ -static void rustsecp256k1_v0_1_1_fe_inv_all_var(rustsecp256k1_v0_1_1_fe *r, const rustsecp256k1_v0_1_1_fe *a, size_t len); +static void rustsecp256k1_v0_1_2_fe_inv_all_var(rustsecp256k1_v0_1_2_fe *r, const rustsecp256k1_v0_1_2_fe *a, size_t len); /** Convert a field element to the storage type. */ -static void rustsecp256k1_v0_1_1_fe_to_storage(rustsecp256k1_v0_1_1_fe_storage *r, const rustsecp256k1_v0_1_1_fe *a); +static void rustsecp256k1_v0_1_2_fe_to_storage(rustsecp256k1_v0_1_2_fe_storage *r, const rustsecp256k1_v0_1_2_fe *a); /** Convert a field element back from the storage type. */ -static void rustsecp256k1_v0_1_1_fe_from_storage(rustsecp256k1_v0_1_1_fe *r, const rustsecp256k1_v0_1_1_fe_storage *a); +static void rustsecp256k1_v0_1_2_fe_from_storage(rustsecp256k1_v0_1_2_fe *r, const rustsecp256k1_v0_1_2_fe_storage *a); /** If flag is true, set *r equal to *a; otherwise leave it. Constant-time. */ -static void rustsecp256k1_v0_1_1_fe_storage_cmov(rustsecp256k1_v0_1_1_fe_storage *r, const rustsecp256k1_v0_1_1_fe_storage *a, int flag); +static void rustsecp256k1_v0_1_2_fe_storage_cmov(rustsecp256k1_v0_1_2_fe_storage *r, const rustsecp256k1_v0_1_2_fe_storage *a, int flag); /** If flag is true, set *r equal to *a; otherwise leave it. Constant-time. */ -static void rustsecp256k1_v0_1_1_fe_cmov(rustsecp256k1_v0_1_1_fe *r, const rustsecp256k1_v0_1_1_fe *a, int flag); +static void rustsecp256k1_v0_1_2_fe_cmov(rustsecp256k1_v0_1_2_fe *r, const rustsecp256k1_v0_1_2_fe *a, int flag); #endif /* SECP256K1_FIELD_H */ diff --git a/secp256k1-sys/depend/secp256k1/src/field_10x26.h b/secp256k1-sys/depend/secp256k1/src/field_10x26.h index bdb05166b..f40cb7d27 100644 --- a/secp256k1-sys/depend/secp256k1/src/field_10x26.h +++ b/secp256k1-sys/depend/secp256k1/src/field_10x26.h @@ -18,7 +18,7 @@ typedef struct { int magnitude; int normalized; #endif -} rustsecp256k1_v0_1_1_fe; +} rustsecp256k1_v0_1_2_fe; /* Unpacks a constant into a overlapping multi-limbed FE element. */ #define SECP256K1_FE_CONST_INNER(d7, d6, d5, d4, d3, d2, d1, d0) { \ @@ -42,7 +42,7 @@ typedef struct { typedef struct { uint32_t n[8]; -} rustsecp256k1_v0_1_1_fe_storage; +} rustsecp256k1_v0_1_2_fe_storage; #define SECP256K1_FE_STORAGE_CONST(d7, d6, d5, d4, d3, d2, d1, d0) {{ (d0), (d1), (d2), (d3), (d4), (d5), (d6), (d7) }} #define SECP256K1_FE_STORAGE_CONST_GET(d) d.n[7], d.n[6], d.n[5], d.n[4],d.n[3], d.n[2], d.n[1], d.n[0] diff --git a/secp256k1-sys/depend/secp256k1/src/field_10x26_impl.h b/secp256k1-sys/depend/secp256k1/src/field_10x26_impl.h index 91839d9c9..07126b65d 100644 --- a/secp256k1-sys/depend/secp256k1/src/field_10x26_impl.h +++ b/secp256k1-sys/depend/secp256k1/src/field_10x26_impl.h @@ -11,7 +11,7 @@ #include "field.h" #ifdef VERIFY -static void rustsecp256k1_v0_1_1_fe_verify(const rustsecp256k1_v0_1_1_fe *a) { +static void rustsecp256k1_v0_1_2_fe_verify(const rustsecp256k1_v0_1_2_fe *a) { const uint32_t *d = a->n; int m = a->normalized ? 1 : 2 * a->magnitude, r = 1; r &= (d[0] <= 0x3FFFFFFUL * m); @@ -39,7 +39,7 @@ static void rustsecp256k1_v0_1_1_fe_verify(const rustsecp256k1_v0_1_1_fe *a) { } #endif -static void rustsecp256k1_v0_1_1_fe_normalize(rustsecp256k1_v0_1_1_fe *r) { +static void rustsecp256k1_v0_1_2_fe_normalize(rustsecp256k1_v0_1_2_fe *r) { uint32_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4], t5 = r->n[5], t6 = r->n[6], t7 = r->n[7], t8 = r->n[8], t9 = r->n[9]; @@ -90,11 +90,11 @@ static void rustsecp256k1_v0_1_1_fe_normalize(rustsecp256k1_v0_1_1_fe *r) { #ifdef VERIFY r->magnitude = 1; r->normalized = 1; - rustsecp256k1_v0_1_1_fe_verify(r); + rustsecp256k1_v0_1_2_fe_verify(r); #endif } -static void rustsecp256k1_v0_1_1_fe_normalize_weak(rustsecp256k1_v0_1_1_fe *r) { +static void rustsecp256k1_v0_1_2_fe_normalize_weak(rustsecp256k1_v0_1_2_fe *r) { uint32_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4], t5 = r->n[5], t6 = r->n[6], t7 = r->n[7], t8 = r->n[8], t9 = r->n[9]; @@ -121,11 +121,11 @@ static void rustsecp256k1_v0_1_1_fe_normalize_weak(rustsecp256k1_v0_1_1_fe *r) { #ifdef VERIFY r->magnitude = 1; - rustsecp256k1_v0_1_1_fe_verify(r); + rustsecp256k1_v0_1_2_fe_verify(r); #endif } -static void rustsecp256k1_v0_1_1_fe_normalize_var(rustsecp256k1_v0_1_1_fe *r) { +static void rustsecp256k1_v0_1_2_fe_normalize_var(rustsecp256k1_v0_1_2_fe *r) { uint32_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4], t5 = r->n[5], t6 = r->n[6], t7 = r->n[7], t8 = r->n[8], t9 = r->n[9]; @@ -177,11 +177,11 @@ static void rustsecp256k1_v0_1_1_fe_normalize_var(rustsecp256k1_v0_1_1_fe *r) { #ifdef VERIFY r->magnitude = 1; r->normalized = 1; - rustsecp256k1_v0_1_1_fe_verify(r); + rustsecp256k1_v0_1_2_fe_verify(r); #endif } -static int rustsecp256k1_v0_1_1_fe_normalizes_to_zero(rustsecp256k1_v0_1_1_fe *r) { +static int rustsecp256k1_v0_1_2_fe_normalizes_to_zero(rustsecp256k1_v0_1_2_fe *r) { uint32_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4], t5 = r->n[5], t6 = r->n[6], t7 = r->n[7], t8 = r->n[8], t9 = r->n[9]; @@ -210,7 +210,7 @@ static int rustsecp256k1_v0_1_1_fe_normalizes_to_zero(rustsecp256k1_v0_1_1_fe *r return (z0 == 0) | (z1 == 0x3FFFFFFUL); } -static int rustsecp256k1_v0_1_1_fe_normalizes_to_zero_var(rustsecp256k1_v0_1_1_fe *r) { +static int rustsecp256k1_v0_1_2_fe_normalizes_to_zero_var(rustsecp256k1_v0_1_2_fe *r) { uint32_t t0, t1, t2, t3, t4, t5, t6, t7, t8, t9; uint32_t z0, z1; uint32_t x; @@ -262,34 +262,34 @@ static int rustsecp256k1_v0_1_1_fe_normalizes_to_zero_var(rustsecp256k1_v0_1_1_f return (z0 == 0) | (z1 == 0x3FFFFFFUL); } -SECP256K1_INLINE static void rustsecp256k1_v0_1_1_fe_set_int(rustsecp256k1_v0_1_1_fe *r, int a) { +SECP256K1_INLINE static void rustsecp256k1_v0_1_2_fe_set_int(rustsecp256k1_v0_1_2_fe *r, int a) { r->n[0] = a; r->n[1] = r->n[2] = r->n[3] = r->n[4] = r->n[5] = r->n[6] = r->n[7] = r->n[8] = r->n[9] = 0; #ifdef VERIFY r->magnitude = 1; r->normalized = 1; - rustsecp256k1_v0_1_1_fe_verify(r); + rustsecp256k1_v0_1_2_fe_verify(r); #endif } -SECP256K1_INLINE static int rustsecp256k1_v0_1_1_fe_is_zero(const rustsecp256k1_v0_1_1_fe *a) { +SECP256K1_INLINE static int rustsecp256k1_v0_1_2_fe_is_zero(const rustsecp256k1_v0_1_2_fe *a) { const uint32_t *t = a->n; #ifdef VERIFY VERIFY_CHECK(a->normalized); - rustsecp256k1_v0_1_1_fe_verify(a); + rustsecp256k1_v0_1_2_fe_verify(a); #endif return (t[0] | t[1] | t[2] | t[3] | t[4] | t[5] | t[6] | t[7] | t[8] | t[9]) == 0; } -SECP256K1_INLINE static int rustsecp256k1_v0_1_1_fe_is_odd(const rustsecp256k1_v0_1_1_fe *a) { +SECP256K1_INLINE static int rustsecp256k1_v0_1_2_fe_is_odd(const rustsecp256k1_v0_1_2_fe *a) { #ifdef VERIFY VERIFY_CHECK(a->normalized); - rustsecp256k1_v0_1_1_fe_verify(a); + rustsecp256k1_v0_1_2_fe_verify(a); #endif return a->n[0] & 1; } -SECP256K1_INLINE static void rustsecp256k1_v0_1_1_fe_clear(rustsecp256k1_v0_1_1_fe *a) { +SECP256K1_INLINE static void rustsecp256k1_v0_1_2_fe_clear(rustsecp256k1_v0_1_2_fe *a) { int i; #ifdef VERIFY a->magnitude = 0; @@ -300,13 +300,13 @@ SECP256K1_INLINE static void rustsecp256k1_v0_1_1_fe_clear(rustsecp256k1_v0_1_1_ } } -static int rustsecp256k1_v0_1_1_fe_cmp_var(const rustsecp256k1_v0_1_1_fe *a, const rustsecp256k1_v0_1_1_fe *b) { +static int rustsecp256k1_v0_1_2_fe_cmp_var(const rustsecp256k1_v0_1_2_fe *a, const rustsecp256k1_v0_1_2_fe *b) { int i; #ifdef VERIFY VERIFY_CHECK(a->normalized); VERIFY_CHECK(b->normalized); - rustsecp256k1_v0_1_1_fe_verify(a); - rustsecp256k1_v0_1_1_fe_verify(b); + rustsecp256k1_v0_1_2_fe_verify(a); + rustsecp256k1_v0_1_2_fe_verify(b); #endif for (i = 9; i >= 0; i--) { if (a->n[i] > b->n[i]) { @@ -319,7 +319,8 @@ static int rustsecp256k1_v0_1_1_fe_cmp_var(const rustsecp256k1_v0_1_1_fe *a, con return 0; } -static int rustsecp256k1_v0_1_1_fe_set_b32(rustsecp256k1_v0_1_1_fe *r, const unsigned char *a) { +static int rustsecp256k1_v0_1_2_fe_set_b32(rustsecp256k1_v0_1_2_fe *r, const unsigned char *a) { + int ret; r->n[0] = (uint32_t)a[31] | ((uint32_t)a[30] << 8) | ((uint32_t)a[29] << 16) | ((uint32_t)(a[28] & 0x3) << 24); r->n[1] = (uint32_t)((a[28] >> 2) & 0x3f) | ((uint32_t)a[27] << 6) | ((uint32_t)a[26] << 14) | ((uint32_t)(a[25] & 0xf) << 22); r->n[2] = (uint32_t)((a[25] >> 4) & 0xf) | ((uint32_t)a[24] << 4) | ((uint32_t)a[23] << 12) | ((uint32_t)(a[22] & 0x3f) << 20); @@ -331,22 +332,24 @@ static int rustsecp256k1_v0_1_1_fe_set_b32(rustsecp256k1_v0_1_1_fe *r, const uns r->n[8] = (uint32_t)a[5] | ((uint32_t)a[4] << 8) | ((uint32_t)a[3] << 16) | ((uint32_t)(a[2] & 0x3) << 24); r->n[9] = (uint32_t)((a[2] >> 2) & 0x3f) | ((uint32_t)a[1] << 6) | ((uint32_t)a[0] << 14); - if (r->n[9] == 0x3FFFFFUL && (r->n[8] & r->n[7] & r->n[6] & r->n[5] & r->n[4] & r->n[3] & r->n[2]) == 0x3FFFFFFUL && (r->n[1] + 0x40UL + ((r->n[0] + 0x3D1UL) >> 26)) > 0x3FFFFFFUL) { - return 0; - } + ret = !((r->n[9] == 0x3FFFFFUL) & ((r->n[8] & r->n[7] & r->n[6] & r->n[5] & r->n[4] & r->n[3] & r->n[2]) == 0x3FFFFFFUL) & ((r->n[1] + 0x40UL + ((r->n[0] + 0x3D1UL) >> 26)) > 0x3FFFFFFUL)); #ifdef VERIFY r->magnitude = 1; - r->normalized = 1; - rustsecp256k1_v0_1_1_fe_verify(r); + if (ret) { + r->normalized = 1; + rustsecp256k1_v0_1_2_fe_verify(r); + } else { + r->normalized = 0; + } #endif - return 1; + return ret; } /** Convert a field element to a 32-byte big endian value. Requires the input to be normalized */ -static void rustsecp256k1_v0_1_1_fe_get_b32(unsigned char *r, const rustsecp256k1_v0_1_1_fe *a) { +static void rustsecp256k1_v0_1_2_fe_get_b32(unsigned char *r, const rustsecp256k1_v0_1_2_fe *a) { #ifdef VERIFY VERIFY_CHECK(a->normalized); - rustsecp256k1_v0_1_1_fe_verify(a); + rustsecp256k1_v0_1_2_fe_verify(a); #endif r[0] = (a->n[9] >> 14) & 0xff; r[1] = (a->n[9] >> 6) & 0xff; @@ -382,10 +385,10 @@ static void rustsecp256k1_v0_1_1_fe_get_b32(unsigned char *r, const rustsecp256k r[31] = a->n[0] & 0xff; } -SECP256K1_INLINE static void rustsecp256k1_v0_1_1_fe_negate(rustsecp256k1_v0_1_1_fe *r, const rustsecp256k1_v0_1_1_fe *a, int m) { +SECP256K1_INLINE static void rustsecp256k1_v0_1_2_fe_negate(rustsecp256k1_v0_1_2_fe *r, const rustsecp256k1_v0_1_2_fe *a, int m) { #ifdef VERIFY VERIFY_CHECK(a->magnitude <= m); - rustsecp256k1_v0_1_1_fe_verify(a); + rustsecp256k1_v0_1_2_fe_verify(a); #endif r->n[0] = 0x3FFFC2FUL * 2 * (m + 1) - a->n[0]; r->n[1] = 0x3FFFFBFUL * 2 * (m + 1) - a->n[1]; @@ -400,11 +403,11 @@ SECP256K1_INLINE static void rustsecp256k1_v0_1_1_fe_negate(rustsecp256k1_v0_1_1 #ifdef VERIFY r->magnitude = m + 1; r->normalized = 0; - rustsecp256k1_v0_1_1_fe_verify(r); + rustsecp256k1_v0_1_2_fe_verify(r); #endif } -SECP256K1_INLINE static void rustsecp256k1_v0_1_1_fe_mul_int(rustsecp256k1_v0_1_1_fe *r, int a) { +SECP256K1_INLINE static void rustsecp256k1_v0_1_2_fe_mul_int(rustsecp256k1_v0_1_2_fe *r, int a) { r->n[0] *= a; r->n[1] *= a; r->n[2] *= a; @@ -418,13 +421,13 @@ SECP256K1_INLINE static void rustsecp256k1_v0_1_1_fe_mul_int(rustsecp256k1_v0_1_ #ifdef VERIFY r->magnitude *= a; r->normalized = 0; - rustsecp256k1_v0_1_1_fe_verify(r); + rustsecp256k1_v0_1_2_fe_verify(r); #endif } -SECP256K1_INLINE static void rustsecp256k1_v0_1_1_fe_add(rustsecp256k1_v0_1_1_fe *r, const rustsecp256k1_v0_1_1_fe *a) { +SECP256K1_INLINE static void rustsecp256k1_v0_1_2_fe_add(rustsecp256k1_v0_1_2_fe *r, const rustsecp256k1_v0_1_2_fe *a) { #ifdef VERIFY - rustsecp256k1_v0_1_1_fe_verify(a); + rustsecp256k1_v0_1_2_fe_verify(a); #endif r->n[0] += a->n[0]; r->n[1] += a->n[1]; @@ -439,15 +442,15 @@ SECP256K1_INLINE static void rustsecp256k1_v0_1_1_fe_add(rustsecp256k1_v0_1_1_fe #ifdef VERIFY r->magnitude += a->magnitude; r->normalized = 0; - rustsecp256k1_v0_1_1_fe_verify(r); + rustsecp256k1_v0_1_2_fe_verify(r); #endif } #if defined(USE_EXTERNAL_ASM) /* External assembler implementation */ -void rustsecp256k1_v0_1_1_fe_mul_inner(uint32_t *r, const uint32_t *a, const uint32_t * SECP256K1_RESTRICT b); -void rustsecp256k1_v0_1_1_fe_sqr_inner(uint32_t *r, const uint32_t *a); +void rustsecp256k1_v0_1_2_fe_mul_inner(uint32_t *r, const uint32_t *a, const uint32_t * SECP256K1_RESTRICT b); +void rustsecp256k1_v0_1_2_fe_sqr_inner(uint32_t *r, const uint32_t *a); #else @@ -457,7 +460,7 @@ void rustsecp256k1_v0_1_1_fe_sqr_inner(uint32_t *r, const uint32_t *a); #define VERIFY_BITS(x, n) do { } while(0) #endif -SECP256K1_INLINE static void rustsecp256k1_v0_1_1_fe_mul_inner(uint32_t *r, const uint32_t *a, const uint32_t * SECP256K1_RESTRICT b) { +SECP256K1_INLINE static void rustsecp256k1_v0_1_2_fe_mul_inner(uint32_t *r, const uint32_t *a, const uint32_t * SECP256K1_RESTRICT b) { uint64_t c, d; uint64_t u0, u1, u2, u3, u4, u5, u6, u7, u8; uint32_t t9, t1, t0, t2, t3, t4, t5, t6, t7; @@ -787,7 +790,7 @@ SECP256K1_INLINE static void rustsecp256k1_v0_1_1_fe_mul_inner(uint32_t *r, cons /* [r9 r8 r7 r6 r5 r4 r3 r2 r1 r0] = [p18 p17 p16 p15 p14 p13 p12 p11 p10 p9 p8 p7 p6 p5 p4 p3 p2 p1 p0] */ } -SECP256K1_INLINE static void rustsecp256k1_v0_1_1_fe_sqr_inner(uint32_t *r, const uint32_t *a) { +SECP256K1_INLINE static void rustsecp256k1_v0_1_2_fe_sqr_inner(uint32_t *r, const uint32_t *a) { uint64_t c, d; uint64_t u0, u1, u2, u3, u4, u5, u6, u7, u8; uint32_t t9, t0, t1, t2, t3, t4, t5, t6, t7; @@ -1062,37 +1065,37 @@ SECP256K1_INLINE static void rustsecp256k1_v0_1_1_fe_sqr_inner(uint32_t *r, cons } #endif -static void rustsecp256k1_v0_1_1_fe_mul(rustsecp256k1_v0_1_1_fe *r, const rustsecp256k1_v0_1_1_fe *a, const rustsecp256k1_v0_1_1_fe * SECP256K1_RESTRICT b) { +static void rustsecp256k1_v0_1_2_fe_mul(rustsecp256k1_v0_1_2_fe *r, const rustsecp256k1_v0_1_2_fe *a, const rustsecp256k1_v0_1_2_fe * SECP256K1_RESTRICT b) { #ifdef VERIFY VERIFY_CHECK(a->magnitude <= 8); VERIFY_CHECK(b->magnitude <= 8); - rustsecp256k1_v0_1_1_fe_verify(a); - rustsecp256k1_v0_1_1_fe_verify(b); + rustsecp256k1_v0_1_2_fe_verify(a); + rustsecp256k1_v0_1_2_fe_verify(b); VERIFY_CHECK(r != b); VERIFY_CHECK(a != b); #endif - rustsecp256k1_v0_1_1_fe_mul_inner(r->n, a->n, b->n); + rustsecp256k1_v0_1_2_fe_mul_inner(r->n, a->n, b->n); #ifdef VERIFY r->magnitude = 1; r->normalized = 0; - rustsecp256k1_v0_1_1_fe_verify(r); + rustsecp256k1_v0_1_2_fe_verify(r); #endif } -static void rustsecp256k1_v0_1_1_fe_sqr(rustsecp256k1_v0_1_1_fe *r, const rustsecp256k1_v0_1_1_fe *a) { +static void rustsecp256k1_v0_1_2_fe_sqr(rustsecp256k1_v0_1_2_fe *r, const rustsecp256k1_v0_1_2_fe *a) { #ifdef VERIFY VERIFY_CHECK(a->magnitude <= 8); - rustsecp256k1_v0_1_1_fe_verify(a); + rustsecp256k1_v0_1_2_fe_verify(a); #endif - rustsecp256k1_v0_1_1_fe_sqr_inner(r->n, a->n); + rustsecp256k1_v0_1_2_fe_sqr_inner(r->n, a->n); #ifdef VERIFY r->magnitude = 1; r->normalized = 0; - rustsecp256k1_v0_1_1_fe_verify(r); + rustsecp256k1_v0_1_2_fe_verify(r); #endif } -static SECP256K1_INLINE void rustsecp256k1_v0_1_1_fe_cmov(rustsecp256k1_v0_1_1_fe *r, const rustsecp256k1_v0_1_1_fe *a, int flag) { +static SECP256K1_INLINE void rustsecp256k1_v0_1_2_fe_cmov(rustsecp256k1_v0_1_2_fe *r, const rustsecp256k1_v0_1_2_fe *a, int flag) { uint32_t mask0, mask1; mask0 = flag + ~((uint32_t)0); mask1 = ~mask0; @@ -1107,14 +1110,14 @@ static SECP256K1_INLINE void rustsecp256k1_v0_1_1_fe_cmov(rustsecp256k1_v0_1_1_f r->n[8] = (r->n[8] & mask0) | (a->n[8] & mask1); r->n[9] = (r->n[9] & mask0) | (a->n[9] & mask1); #ifdef VERIFY - if (a->magnitude > r->magnitude) { + if (flag) { r->magnitude = a->magnitude; + r->normalized = a->normalized; } - r->normalized &= a->normalized; #endif } -static SECP256K1_INLINE void rustsecp256k1_v0_1_1_fe_storage_cmov(rustsecp256k1_v0_1_1_fe_storage *r, const rustsecp256k1_v0_1_1_fe_storage *a, int flag) { +static SECP256K1_INLINE void rustsecp256k1_v0_1_2_fe_storage_cmov(rustsecp256k1_v0_1_2_fe_storage *r, const rustsecp256k1_v0_1_2_fe_storage *a, int flag) { uint32_t mask0, mask1; mask0 = flag + ~((uint32_t)0); mask1 = ~mask0; @@ -1128,7 +1131,7 @@ static SECP256K1_INLINE void rustsecp256k1_v0_1_1_fe_storage_cmov(rustsecp256k1_ r->n[7] = (r->n[7] & mask0) | (a->n[7] & mask1); } -static void rustsecp256k1_v0_1_1_fe_to_storage(rustsecp256k1_v0_1_1_fe_storage *r, const rustsecp256k1_v0_1_1_fe *a) { +static void rustsecp256k1_v0_1_2_fe_to_storage(rustsecp256k1_v0_1_2_fe_storage *r, const rustsecp256k1_v0_1_2_fe *a) { #ifdef VERIFY VERIFY_CHECK(a->normalized); #endif @@ -1142,7 +1145,7 @@ static void rustsecp256k1_v0_1_1_fe_to_storage(rustsecp256k1_v0_1_1_fe_storage * r->n[7] = a->n[8] >> 16 | a->n[9] << 10; } -static SECP256K1_INLINE void rustsecp256k1_v0_1_1_fe_from_storage(rustsecp256k1_v0_1_1_fe *r, const rustsecp256k1_v0_1_1_fe_storage *a) { +static SECP256K1_INLINE void rustsecp256k1_v0_1_2_fe_from_storage(rustsecp256k1_v0_1_2_fe *r, const rustsecp256k1_v0_1_2_fe_storage *a) { r->n[0] = a->n[0] & 0x3FFFFFFUL; r->n[1] = a->n[0] >> 26 | ((a->n[1] << 6) & 0x3FFFFFFUL); r->n[2] = a->n[1] >> 20 | ((a->n[2] << 12) & 0x3FFFFFFUL); diff --git a/secp256k1-sys/depend/secp256k1/src/field_5x52.h b/secp256k1-sys/depend/secp256k1/src/field_5x52.h index 72438d063..f413a7b30 100644 --- a/secp256k1-sys/depend/secp256k1/src/field_5x52.h +++ b/secp256k1-sys/depend/secp256k1/src/field_5x52.h @@ -18,7 +18,7 @@ typedef struct { int magnitude; int normalized; #endif -} rustsecp256k1_v0_1_1_fe; +} rustsecp256k1_v0_1_2_fe; /* Unpacks a constant into a overlapping multi-limbed FE element. */ #define SECP256K1_FE_CONST_INNER(d7, d6, d5, d4, d3, d2, d1, d0) { \ @@ -37,7 +37,7 @@ typedef struct { typedef struct { uint64_t n[4]; -} rustsecp256k1_v0_1_1_fe_storage; +} rustsecp256k1_v0_1_2_fe_storage; #define SECP256K1_FE_STORAGE_CONST(d7, d6, d5, d4, d3, d2, d1, d0) {{ \ (d0) | (((uint64_t)(d1)) << 32), \ diff --git a/secp256k1-sys/depend/secp256k1/src/field_5x52_asm_impl.h b/secp256k1-sys/depend/secp256k1/src/field_5x52_asm_impl.h index e51f0e040..3b4f9614d 100644 --- a/secp256k1-sys/depend/secp256k1/src/field_5x52_asm_impl.h +++ b/secp256k1-sys/depend/secp256k1/src/field_5x52_asm_impl.h @@ -14,7 +14,7 @@ #ifndef SECP256K1_FIELD_INNER5X52_IMPL_H #define SECP256K1_FIELD_INNER5X52_IMPL_H -SECP256K1_INLINE static void rustsecp256k1_v0_1_1_fe_mul_inner(uint64_t *r, const uint64_t *a, const uint64_t * SECP256K1_RESTRICT b) { +SECP256K1_INLINE static void rustsecp256k1_v0_1_2_fe_mul_inner(uint64_t *r, const uint64_t *a, const uint64_t * SECP256K1_RESTRICT b) { /** * Registers: rdx:rax = multiplication accumulator * r9:r8 = c @@ -284,7 +284,7 @@ __asm__ __volatile__( ); } -SECP256K1_INLINE static void rustsecp256k1_v0_1_1_fe_sqr_inner(uint64_t *r, const uint64_t *a) { +SECP256K1_INLINE static void rustsecp256k1_v0_1_2_fe_sqr_inner(uint64_t *r, const uint64_t *a) { /** * Registers: rdx:rax = multiplication accumulator * r9:r8 = c diff --git a/secp256k1-sys/depend/secp256k1/src/field_5x52_impl.h b/secp256k1-sys/depend/secp256k1/src/field_5x52_impl.h index aa55b9b45..eeed8366e 100644 --- a/secp256k1-sys/depend/secp256k1/src/field_5x52_impl.h +++ b/secp256k1-sys/depend/secp256k1/src/field_5x52_impl.h @@ -29,7 +29,7 @@ */ #ifdef VERIFY -static void rustsecp256k1_v0_1_1_fe_verify(const rustsecp256k1_v0_1_1_fe *a) { +static void rustsecp256k1_v0_1_2_fe_verify(const rustsecp256k1_v0_1_2_fe *a) { const uint64_t *d = a->n; int m = a->normalized ? 1 : 2 * a->magnitude, r = 1; /* secp256k1 'p' value defined in "Standards for Efficient Cryptography" (SEC2) 2.7.1. */ @@ -50,7 +50,7 @@ static void rustsecp256k1_v0_1_1_fe_verify(const rustsecp256k1_v0_1_1_fe *a) { } #endif -static void rustsecp256k1_v0_1_1_fe_normalize(rustsecp256k1_v0_1_1_fe *r) { +static void rustsecp256k1_v0_1_2_fe_normalize(rustsecp256k1_v0_1_2_fe *r) { uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4]; /* Reduce t4 at the start so there will be at most a single carry from the first pass */ @@ -89,11 +89,11 @@ static void rustsecp256k1_v0_1_1_fe_normalize(rustsecp256k1_v0_1_1_fe *r) { #ifdef VERIFY r->magnitude = 1; r->normalized = 1; - rustsecp256k1_v0_1_1_fe_verify(r); + rustsecp256k1_v0_1_2_fe_verify(r); #endif } -static void rustsecp256k1_v0_1_1_fe_normalize_weak(rustsecp256k1_v0_1_1_fe *r) { +static void rustsecp256k1_v0_1_2_fe_normalize_weak(rustsecp256k1_v0_1_2_fe *r) { uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4]; /* Reduce t4 at the start so there will be at most a single carry from the first pass */ @@ -113,11 +113,11 @@ static void rustsecp256k1_v0_1_1_fe_normalize_weak(rustsecp256k1_v0_1_1_fe *r) { #ifdef VERIFY r->magnitude = 1; - rustsecp256k1_v0_1_1_fe_verify(r); + rustsecp256k1_v0_1_2_fe_verify(r); #endif } -static void rustsecp256k1_v0_1_1_fe_normalize_var(rustsecp256k1_v0_1_1_fe *r) { +static void rustsecp256k1_v0_1_2_fe_normalize_var(rustsecp256k1_v0_1_2_fe *r) { uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4]; /* Reduce t4 at the start so there will be at most a single carry from the first pass */ @@ -157,11 +157,11 @@ static void rustsecp256k1_v0_1_1_fe_normalize_var(rustsecp256k1_v0_1_1_fe *r) { #ifdef VERIFY r->magnitude = 1; r->normalized = 1; - rustsecp256k1_v0_1_1_fe_verify(r); + rustsecp256k1_v0_1_2_fe_verify(r); #endif } -static int rustsecp256k1_v0_1_1_fe_normalizes_to_zero(rustsecp256k1_v0_1_1_fe *r) { +static int rustsecp256k1_v0_1_2_fe_normalizes_to_zero(rustsecp256k1_v0_1_2_fe *r) { uint64_t t0 = r->n[0], t1 = r->n[1], t2 = r->n[2], t3 = r->n[3], t4 = r->n[4]; /* z0 tracks a possible raw value of 0, z1 tracks a possible raw value of P */ @@ -184,7 +184,7 @@ static int rustsecp256k1_v0_1_1_fe_normalizes_to_zero(rustsecp256k1_v0_1_1_fe *r return (z0 == 0) | (z1 == 0xFFFFFFFFFFFFFULL); } -static int rustsecp256k1_v0_1_1_fe_normalizes_to_zero_var(rustsecp256k1_v0_1_1_fe *r) { +static int rustsecp256k1_v0_1_2_fe_normalizes_to_zero_var(rustsecp256k1_v0_1_2_fe *r) { uint64_t t0, t1, t2, t3, t4; uint64_t z0, z1; uint64_t x; @@ -225,34 +225,34 @@ static int rustsecp256k1_v0_1_1_fe_normalizes_to_zero_var(rustsecp256k1_v0_1_1_f return (z0 == 0) | (z1 == 0xFFFFFFFFFFFFFULL); } -SECP256K1_INLINE static void rustsecp256k1_v0_1_1_fe_set_int(rustsecp256k1_v0_1_1_fe *r, int a) { +SECP256K1_INLINE static void rustsecp256k1_v0_1_2_fe_set_int(rustsecp256k1_v0_1_2_fe *r, int a) { r->n[0] = a; r->n[1] = r->n[2] = r->n[3] = r->n[4] = 0; #ifdef VERIFY r->magnitude = 1; r->normalized = 1; - rustsecp256k1_v0_1_1_fe_verify(r); + rustsecp256k1_v0_1_2_fe_verify(r); #endif } -SECP256K1_INLINE static int rustsecp256k1_v0_1_1_fe_is_zero(const rustsecp256k1_v0_1_1_fe *a) { +SECP256K1_INLINE static int rustsecp256k1_v0_1_2_fe_is_zero(const rustsecp256k1_v0_1_2_fe *a) { const uint64_t *t = a->n; #ifdef VERIFY VERIFY_CHECK(a->normalized); - rustsecp256k1_v0_1_1_fe_verify(a); + rustsecp256k1_v0_1_2_fe_verify(a); #endif return (t[0] | t[1] | t[2] | t[3] | t[4]) == 0; } -SECP256K1_INLINE static int rustsecp256k1_v0_1_1_fe_is_odd(const rustsecp256k1_v0_1_1_fe *a) { +SECP256K1_INLINE static int rustsecp256k1_v0_1_2_fe_is_odd(const rustsecp256k1_v0_1_2_fe *a) { #ifdef VERIFY VERIFY_CHECK(a->normalized); - rustsecp256k1_v0_1_1_fe_verify(a); + rustsecp256k1_v0_1_2_fe_verify(a); #endif return a->n[0] & 1; } -SECP256K1_INLINE static void rustsecp256k1_v0_1_1_fe_clear(rustsecp256k1_v0_1_1_fe *a) { +SECP256K1_INLINE static void rustsecp256k1_v0_1_2_fe_clear(rustsecp256k1_v0_1_2_fe *a) { int i; #ifdef VERIFY a->magnitude = 0; @@ -263,13 +263,13 @@ SECP256K1_INLINE static void rustsecp256k1_v0_1_1_fe_clear(rustsecp256k1_v0_1_1_ } } -static int rustsecp256k1_v0_1_1_fe_cmp_var(const rustsecp256k1_v0_1_1_fe *a, const rustsecp256k1_v0_1_1_fe *b) { +static int rustsecp256k1_v0_1_2_fe_cmp_var(const rustsecp256k1_v0_1_2_fe *a, const rustsecp256k1_v0_1_2_fe *b) { int i; #ifdef VERIFY VERIFY_CHECK(a->normalized); VERIFY_CHECK(b->normalized); - rustsecp256k1_v0_1_1_fe_verify(a); - rustsecp256k1_v0_1_1_fe_verify(b); + rustsecp256k1_v0_1_2_fe_verify(a); + rustsecp256k1_v0_1_2_fe_verify(b); #endif for (i = 4; i >= 0; i--) { if (a->n[i] > b->n[i]) { @@ -282,7 +282,8 @@ static int rustsecp256k1_v0_1_1_fe_cmp_var(const rustsecp256k1_v0_1_1_fe *a, con return 0; } -static int rustsecp256k1_v0_1_1_fe_set_b32(rustsecp256k1_v0_1_1_fe *r, const unsigned char *a) { +static int rustsecp256k1_v0_1_2_fe_set_b32(rustsecp256k1_v0_1_2_fe *r, const unsigned char *a) { + int ret; r->n[0] = (uint64_t)a[31] | ((uint64_t)a[30] << 8) | ((uint64_t)a[29] << 16) @@ -317,22 +318,24 @@ static int rustsecp256k1_v0_1_1_fe_set_b32(rustsecp256k1_v0_1_1_fe *r, const uns | ((uint64_t)a[2] << 24) | ((uint64_t)a[1] << 32) | ((uint64_t)a[0] << 40); - if (r->n[4] == 0x0FFFFFFFFFFFFULL && (r->n[3] & r->n[2] & r->n[1]) == 0xFFFFFFFFFFFFFULL && r->n[0] >= 0xFFFFEFFFFFC2FULL) { - return 0; - } + ret = !((r->n[4] == 0x0FFFFFFFFFFFFULL) & ((r->n[3] & r->n[2] & r->n[1]) == 0xFFFFFFFFFFFFFULL) & (r->n[0] >= 0xFFFFEFFFFFC2FULL)); #ifdef VERIFY r->magnitude = 1; - r->normalized = 1; - rustsecp256k1_v0_1_1_fe_verify(r); + if (ret) { + r->normalized = 1; + rustsecp256k1_v0_1_2_fe_verify(r); + } else { + r->normalized = 0; + } #endif - return 1; + return ret; } /** Convert a field element to a 32-byte big endian value. Requires the input to be normalized */ -static void rustsecp256k1_v0_1_1_fe_get_b32(unsigned char *r, const rustsecp256k1_v0_1_1_fe *a) { +static void rustsecp256k1_v0_1_2_fe_get_b32(unsigned char *r, const rustsecp256k1_v0_1_2_fe *a) { #ifdef VERIFY VERIFY_CHECK(a->normalized); - rustsecp256k1_v0_1_1_fe_verify(a); + rustsecp256k1_v0_1_2_fe_verify(a); #endif r[0] = (a->n[4] >> 40) & 0xFF; r[1] = (a->n[4] >> 32) & 0xFF; @@ -368,10 +371,10 @@ static void rustsecp256k1_v0_1_1_fe_get_b32(unsigned char *r, const rustsecp256k r[31] = a->n[0] & 0xFF; } -SECP256K1_INLINE static void rustsecp256k1_v0_1_1_fe_negate(rustsecp256k1_v0_1_1_fe *r, const rustsecp256k1_v0_1_1_fe *a, int m) { +SECP256K1_INLINE static void rustsecp256k1_v0_1_2_fe_negate(rustsecp256k1_v0_1_2_fe *r, const rustsecp256k1_v0_1_2_fe *a, int m) { #ifdef VERIFY VERIFY_CHECK(a->magnitude <= m); - rustsecp256k1_v0_1_1_fe_verify(a); + rustsecp256k1_v0_1_2_fe_verify(a); #endif r->n[0] = 0xFFFFEFFFFFC2FULL * 2 * (m + 1) - a->n[0]; r->n[1] = 0xFFFFFFFFFFFFFULL * 2 * (m + 1) - a->n[1]; @@ -381,11 +384,11 @@ SECP256K1_INLINE static void rustsecp256k1_v0_1_1_fe_negate(rustsecp256k1_v0_1_1 #ifdef VERIFY r->magnitude = m + 1; r->normalized = 0; - rustsecp256k1_v0_1_1_fe_verify(r); + rustsecp256k1_v0_1_2_fe_verify(r); #endif } -SECP256K1_INLINE static void rustsecp256k1_v0_1_1_fe_mul_int(rustsecp256k1_v0_1_1_fe *r, int a) { +SECP256K1_INLINE static void rustsecp256k1_v0_1_2_fe_mul_int(rustsecp256k1_v0_1_2_fe *r, int a) { r->n[0] *= a; r->n[1] *= a; r->n[2] *= a; @@ -394,13 +397,13 @@ SECP256K1_INLINE static void rustsecp256k1_v0_1_1_fe_mul_int(rustsecp256k1_v0_1_ #ifdef VERIFY r->magnitude *= a; r->normalized = 0; - rustsecp256k1_v0_1_1_fe_verify(r); + rustsecp256k1_v0_1_2_fe_verify(r); #endif } -SECP256K1_INLINE static void rustsecp256k1_v0_1_1_fe_add(rustsecp256k1_v0_1_1_fe *r, const rustsecp256k1_v0_1_1_fe *a) { +SECP256K1_INLINE static void rustsecp256k1_v0_1_2_fe_add(rustsecp256k1_v0_1_2_fe *r, const rustsecp256k1_v0_1_2_fe *a) { #ifdef VERIFY - rustsecp256k1_v0_1_1_fe_verify(a); + rustsecp256k1_v0_1_2_fe_verify(a); #endif r->n[0] += a->n[0]; r->n[1] += a->n[1]; @@ -410,41 +413,41 @@ SECP256K1_INLINE static void rustsecp256k1_v0_1_1_fe_add(rustsecp256k1_v0_1_1_fe #ifdef VERIFY r->magnitude += a->magnitude; r->normalized = 0; - rustsecp256k1_v0_1_1_fe_verify(r); + rustsecp256k1_v0_1_2_fe_verify(r); #endif } -static void rustsecp256k1_v0_1_1_fe_mul(rustsecp256k1_v0_1_1_fe *r, const rustsecp256k1_v0_1_1_fe *a, const rustsecp256k1_v0_1_1_fe * SECP256K1_RESTRICT b) { +static void rustsecp256k1_v0_1_2_fe_mul(rustsecp256k1_v0_1_2_fe *r, const rustsecp256k1_v0_1_2_fe *a, const rustsecp256k1_v0_1_2_fe * SECP256K1_RESTRICT b) { #ifdef VERIFY VERIFY_CHECK(a->magnitude <= 8); VERIFY_CHECK(b->magnitude <= 8); - rustsecp256k1_v0_1_1_fe_verify(a); - rustsecp256k1_v0_1_1_fe_verify(b); + rustsecp256k1_v0_1_2_fe_verify(a); + rustsecp256k1_v0_1_2_fe_verify(b); VERIFY_CHECK(r != b); VERIFY_CHECK(a != b); #endif - rustsecp256k1_v0_1_1_fe_mul_inner(r->n, a->n, b->n); + rustsecp256k1_v0_1_2_fe_mul_inner(r->n, a->n, b->n); #ifdef VERIFY r->magnitude = 1; r->normalized = 0; - rustsecp256k1_v0_1_1_fe_verify(r); + rustsecp256k1_v0_1_2_fe_verify(r); #endif } -static void rustsecp256k1_v0_1_1_fe_sqr(rustsecp256k1_v0_1_1_fe *r, const rustsecp256k1_v0_1_1_fe *a) { +static void rustsecp256k1_v0_1_2_fe_sqr(rustsecp256k1_v0_1_2_fe *r, const rustsecp256k1_v0_1_2_fe *a) { #ifdef VERIFY VERIFY_CHECK(a->magnitude <= 8); - rustsecp256k1_v0_1_1_fe_verify(a); + rustsecp256k1_v0_1_2_fe_verify(a); #endif - rustsecp256k1_v0_1_1_fe_sqr_inner(r->n, a->n); + rustsecp256k1_v0_1_2_fe_sqr_inner(r->n, a->n); #ifdef VERIFY r->magnitude = 1; r->normalized = 0; - rustsecp256k1_v0_1_1_fe_verify(r); + rustsecp256k1_v0_1_2_fe_verify(r); #endif } -static SECP256K1_INLINE void rustsecp256k1_v0_1_1_fe_cmov(rustsecp256k1_v0_1_1_fe *r, const rustsecp256k1_v0_1_1_fe *a, int flag) { +static SECP256K1_INLINE void rustsecp256k1_v0_1_2_fe_cmov(rustsecp256k1_v0_1_2_fe *r, const rustsecp256k1_v0_1_2_fe *a, int flag) { uint64_t mask0, mask1; mask0 = flag + ~((uint64_t)0); mask1 = ~mask0; @@ -454,14 +457,14 @@ static SECP256K1_INLINE void rustsecp256k1_v0_1_1_fe_cmov(rustsecp256k1_v0_1_1_f r->n[3] = (r->n[3] & mask0) | (a->n[3] & mask1); r->n[4] = (r->n[4] & mask0) | (a->n[4] & mask1); #ifdef VERIFY - if (a->magnitude > r->magnitude) { + if (flag) { r->magnitude = a->magnitude; + r->normalized = a->normalized; } - r->normalized &= a->normalized; #endif } -static SECP256K1_INLINE void rustsecp256k1_v0_1_1_fe_storage_cmov(rustsecp256k1_v0_1_1_fe_storage *r, const rustsecp256k1_v0_1_1_fe_storage *a, int flag) { +static SECP256K1_INLINE void rustsecp256k1_v0_1_2_fe_storage_cmov(rustsecp256k1_v0_1_2_fe_storage *r, const rustsecp256k1_v0_1_2_fe_storage *a, int flag) { uint64_t mask0, mask1; mask0 = flag + ~((uint64_t)0); mask1 = ~mask0; @@ -471,7 +474,7 @@ static SECP256K1_INLINE void rustsecp256k1_v0_1_1_fe_storage_cmov(rustsecp256k1_ r->n[3] = (r->n[3] & mask0) | (a->n[3] & mask1); } -static void rustsecp256k1_v0_1_1_fe_to_storage(rustsecp256k1_v0_1_1_fe_storage *r, const rustsecp256k1_v0_1_1_fe *a) { +static void rustsecp256k1_v0_1_2_fe_to_storage(rustsecp256k1_v0_1_2_fe_storage *r, const rustsecp256k1_v0_1_2_fe *a) { #ifdef VERIFY VERIFY_CHECK(a->normalized); #endif @@ -481,7 +484,7 @@ static void rustsecp256k1_v0_1_1_fe_to_storage(rustsecp256k1_v0_1_1_fe_storage * r->n[3] = a->n[3] >> 36 | a->n[4] << 16; } -static SECP256K1_INLINE void rustsecp256k1_v0_1_1_fe_from_storage(rustsecp256k1_v0_1_1_fe *r, const rustsecp256k1_v0_1_1_fe_storage *a) { +static SECP256K1_INLINE void rustsecp256k1_v0_1_2_fe_from_storage(rustsecp256k1_v0_1_2_fe *r, const rustsecp256k1_v0_1_2_fe_storage *a) { r->n[0] = a->n[0] & 0xFFFFFFFFFFFFFULL; r->n[1] = a->n[0] >> 52 | ((a->n[1] << 12) & 0xFFFFFFFFFFFFFULL); r->n[2] = a->n[1] >> 40 | ((a->n[2] << 24) & 0xFFFFFFFFFFFFFULL); diff --git a/secp256k1-sys/depend/secp256k1/src/field_5x52_int128_impl.h b/secp256k1-sys/depend/secp256k1/src/field_5x52_int128_impl.h index 400357cca..85698a41f 100644 --- a/secp256k1-sys/depend/secp256k1/src/field_5x52_int128_impl.h +++ b/secp256k1-sys/depend/secp256k1/src/field_5x52_int128_impl.h @@ -15,7 +15,7 @@ #define VERIFY_BITS(x, n) do { } while(0) #endif -SECP256K1_INLINE static void rustsecp256k1_v0_1_1_fe_mul_inner(uint64_t *r, const uint64_t *a, const uint64_t * SECP256K1_RESTRICT b) { +SECP256K1_INLINE static void rustsecp256k1_v0_1_2_fe_mul_inner(uint64_t *r, const uint64_t *a, const uint64_t * SECP256K1_RESTRICT b) { uint128_t c, d; uint64_t t3, t4, tx, u0; uint64_t a0 = a[0], a1 = a[1], a2 = a[2], a3 = a[3], a4 = a[4]; @@ -154,7 +154,7 @@ SECP256K1_INLINE static void rustsecp256k1_v0_1_1_fe_mul_inner(uint64_t *r, cons /* [r4 r3 r2 r1 r0] = [p8 p7 p6 p5 p4 p3 p2 p1 p0] */ } -SECP256K1_INLINE static void rustsecp256k1_v0_1_1_fe_sqr_inner(uint64_t *r, const uint64_t *a) { +SECP256K1_INLINE static void rustsecp256k1_v0_1_2_fe_sqr_inner(uint64_t *r, const uint64_t *a) { uint128_t c, d; uint64_t a0 = a[0], a1 = a[1], a2 = a[2], a3 = a[3], a4 = a[4]; int64_t t3, t4, tx, u0; diff --git a/secp256k1-sys/depend/secp256k1/src/field_impl.h b/secp256k1-sys/depend/secp256k1/src/field_impl.h index e9e8f845f..e4a5b8131 100644 --- a/secp256k1-sys/depend/secp256k1/src/field_impl.h +++ b/secp256k1-sys/depend/secp256k1/src/field_impl.h @@ -22,21 +22,21 @@ #error "Please select field implementation" #endif -SECP256K1_INLINE static int rustsecp256k1_v0_1_1_fe_equal(const rustsecp256k1_v0_1_1_fe *a, const rustsecp256k1_v0_1_1_fe *b) { - rustsecp256k1_v0_1_1_fe na; - rustsecp256k1_v0_1_1_fe_negate(&na, a, 1); - rustsecp256k1_v0_1_1_fe_add(&na, b); - return rustsecp256k1_v0_1_1_fe_normalizes_to_zero(&na); +SECP256K1_INLINE static int rustsecp256k1_v0_1_2_fe_equal(const rustsecp256k1_v0_1_2_fe *a, const rustsecp256k1_v0_1_2_fe *b) { + rustsecp256k1_v0_1_2_fe na; + rustsecp256k1_v0_1_2_fe_negate(&na, a, 1); + rustsecp256k1_v0_1_2_fe_add(&na, b); + return rustsecp256k1_v0_1_2_fe_normalizes_to_zero(&na); } -SECP256K1_INLINE static int rustsecp256k1_v0_1_1_fe_equal_var(const rustsecp256k1_v0_1_1_fe *a, const rustsecp256k1_v0_1_1_fe *b) { - rustsecp256k1_v0_1_1_fe na; - rustsecp256k1_v0_1_1_fe_negate(&na, a, 1); - rustsecp256k1_v0_1_1_fe_add(&na, b); - return rustsecp256k1_v0_1_1_fe_normalizes_to_zero_var(&na); +SECP256K1_INLINE static int rustsecp256k1_v0_1_2_fe_equal_var(const rustsecp256k1_v0_1_2_fe *a, const rustsecp256k1_v0_1_2_fe *b) { + rustsecp256k1_v0_1_2_fe na; + rustsecp256k1_v0_1_2_fe_negate(&na, a, 1); + rustsecp256k1_v0_1_2_fe_add(&na, b); + return rustsecp256k1_v0_1_2_fe_normalizes_to_zero_var(&na); } -static int rustsecp256k1_v0_1_1_fe_sqrt(rustsecp256k1_v0_1_1_fe *r, const rustsecp256k1_v0_1_1_fe *a) { +static int rustsecp256k1_v0_1_2_fe_sqrt(rustsecp256k1_v0_1_2_fe *r, const rustsecp256k1_v0_1_2_fe *a) { /** Given that p is congruent to 3 mod 4, we can compute the square root of * a mod p as the (p+1)/4'th power of a. * @@ -46,7 +46,7 @@ static int rustsecp256k1_v0_1_1_fe_sqrt(rustsecp256k1_v0_1_1_fe *r, const rustse * Also because (p+1)/4 is an even number, the computed square root is * itself always a square (a ** ((p+1)/4) is the square of a ** ((p+1)/8)). */ - rustsecp256k1_v0_1_1_fe x2, x3, x6, x9, x11, x22, x44, x88, x176, x220, x223, t1; + rustsecp256k1_v0_1_2_fe x2, x3, x6, x9, x11, x22, x44, x88, x176, x220, x223, t1; int j; VERIFY_CHECK(r != a); @@ -56,88 +56,88 @@ static int rustsecp256k1_v0_1_1_fe_sqrt(rustsecp256k1_v0_1_1_fe *r, const rustse * 1, [2], 3, 6, 9, 11, [22], 44, 88, 176, 220, [223] */ - rustsecp256k1_v0_1_1_fe_sqr(&x2, a); - rustsecp256k1_v0_1_1_fe_mul(&x2, &x2, a); + rustsecp256k1_v0_1_2_fe_sqr(&x2, a); + rustsecp256k1_v0_1_2_fe_mul(&x2, &x2, a); - rustsecp256k1_v0_1_1_fe_sqr(&x3, &x2); - rustsecp256k1_v0_1_1_fe_mul(&x3, &x3, a); + rustsecp256k1_v0_1_2_fe_sqr(&x3, &x2); + rustsecp256k1_v0_1_2_fe_mul(&x3, &x3, a); x6 = x3; for (j=0; j<3; j++) { - rustsecp256k1_v0_1_1_fe_sqr(&x6, &x6); + rustsecp256k1_v0_1_2_fe_sqr(&x6, &x6); } - rustsecp256k1_v0_1_1_fe_mul(&x6, &x6, &x3); + rustsecp256k1_v0_1_2_fe_mul(&x6, &x6, &x3); x9 = x6; for (j=0; j<3; j++) { - rustsecp256k1_v0_1_1_fe_sqr(&x9, &x9); + rustsecp256k1_v0_1_2_fe_sqr(&x9, &x9); } - rustsecp256k1_v0_1_1_fe_mul(&x9, &x9, &x3); + rustsecp256k1_v0_1_2_fe_mul(&x9, &x9, &x3); x11 = x9; for (j=0; j<2; j++) { - rustsecp256k1_v0_1_1_fe_sqr(&x11, &x11); + rustsecp256k1_v0_1_2_fe_sqr(&x11, &x11); } - rustsecp256k1_v0_1_1_fe_mul(&x11, &x11, &x2); + rustsecp256k1_v0_1_2_fe_mul(&x11, &x11, &x2); x22 = x11; for (j=0; j<11; j++) { - rustsecp256k1_v0_1_1_fe_sqr(&x22, &x22); + rustsecp256k1_v0_1_2_fe_sqr(&x22, &x22); } - rustsecp256k1_v0_1_1_fe_mul(&x22, &x22, &x11); + rustsecp256k1_v0_1_2_fe_mul(&x22, &x22, &x11); x44 = x22; for (j=0; j<22; j++) { - rustsecp256k1_v0_1_1_fe_sqr(&x44, &x44); + rustsecp256k1_v0_1_2_fe_sqr(&x44, &x44); } - rustsecp256k1_v0_1_1_fe_mul(&x44, &x44, &x22); + rustsecp256k1_v0_1_2_fe_mul(&x44, &x44, &x22); x88 = x44; for (j=0; j<44; j++) { - rustsecp256k1_v0_1_1_fe_sqr(&x88, &x88); + rustsecp256k1_v0_1_2_fe_sqr(&x88, &x88); } - rustsecp256k1_v0_1_1_fe_mul(&x88, &x88, &x44); + rustsecp256k1_v0_1_2_fe_mul(&x88, &x88, &x44); x176 = x88; for (j=0; j<88; j++) { - rustsecp256k1_v0_1_1_fe_sqr(&x176, &x176); + rustsecp256k1_v0_1_2_fe_sqr(&x176, &x176); } - rustsecp256k1_v0_1_1_fe_mul(&x176, &x176, &x88); + rustsecp256k1_v0_1_2_fe_mul(&x176, &x176, &x88); x220 = x176; for (j=0; j<44; j++) { - rustsecp256k1_v0_1_1_fe_sqr(&x220, &x220); + rustsecp256k1_v0_1_2_fe_sqr(&x220, &x220); } - rustsecp256k1_v0_1_1_fe_mul(&x220, &x220, &x44); + rustsecp256k1_v0_1_2_fe_mul(&x220, &x220, &x44); x223 = x220; for (j=0; j<3; j++) { - rustsecp256k1_v0_1_1_fe_sqr(&x223, &x223); + rustsecp256k1_v0_1_2_fe_sqr(&x223, &x223); } - rustsecp256k1_v0_1_1_fe_mul(&x223, &x223, &x3); + rustsecp256k1_v0_1_2_fe_mul(&x223, &x223, &x3); /* The final result is then assembled using a sliding window over the blocks. */ t1 = x223; for (j=0; j<23; j++) { - rustsecp256k1_v0_1_1_fe_sqr(&t1, &t1); + rustsecp256k1_v0_1_2_fe_sqr(&t1, &t1); } - rustsecp256k1_v0_1_1_fe_mul(&t1, &t1, &x22); + rustsecp256k1_v0_1_2_fe_mul(&t1, &t1, &x22); for (j=0; j<6; j++) { - rustsecp256k1_v0_1_1_fe_sqr(&t1, &t1); + rustsecp256k1_v0_1_2_fe_sqr(&t1, &t1); } - rustsecp256k1_v0_1_1_fe_mul(&t1, &t1, &x2); - rustsecp256k1_v0_1_1_fe_sqr(&t1, &t1); - rustsecp256k1_v0_1_1_fe_sqr(r, &t1); + rustsecp256k1_v0_1_2_fe_mul(&t1, &t1, &x2); + rustsecp256k1_v0_1_2_fe_sqr(&t1, &t1); + rustsecp256k1_v0_1_2_fe_sqr(r, &t1); /* Check that a square root was actually calculated */ - rustsecp256k1_v0_1_1_fe_sqr(&t1, r); - return rustsecp256k1_v0_1_1_fe_equal(&t1, a); + rustsecp256k1_v0_1_2_fe_sqr(&t1, r); + return rustsecp256k1_v0_1_2_fe_equal(&t1, a); } -static void rustsecp256k1_v0_1_1_fe_inv(rustsecp256k1_v0_1_1_fe *r, const rustsecp256k1_v0_1_1_fe *a) { - rustsecp256k1_v0_1_1_fe x2, x3, x6, x9, x11, x22, x44, x88, x176, x220, x223, t1; +static void rustsecp256k1_v0_1_2_fe_inv(rustsecp256k1_v0_1_2_fe *r, const rustsecp256k1_v0_1_2_fe *a) { + rustsecp256k1_v0_1_2_fe x2, x3, x6, x9, x11, x22, x44, x88, x176, x220, x223, t1; int j; /** The binary representation of (p - 2) has 5 blocks of 1s, with lengths in @@ -145,93 +145,93 @@ static void rustsecp256k1_v0_1_1_fe_inv(rustsecp256k1_v0_1_1_fe *r, const rustse * [1], [2], 3, 6, 9, 11, [22], 44, 88, 176, 220, [223] */ - rustsecp256k1_v0_1_1_fe_sqr(&x2, a); - rustsecp256k1_v0_1_1_fe_mul(&x2, &x2, a); + rustsecp256k1_v0_1_2_fe_sqr(&x2, a); + rustsecp256k1_v0_1_2_fe_mul(&x2, &x2, a); - rustsecp256k1_v0_1_1_fe_sqr(&x3, &x2); - rustsecp256k1_v0_1_1_fe_mul(&x3, &x3, a); + rustsecp256k1_v0_1_2_fe_sqr(&x3, &x2); + rustsecp256k1_v0_1_2_fe_mul(&x3, &x3, a); x6 = x3; for (j=0; j<3; j++) { - rustsecp256k1_v0_1_1_fe_sqr(&x6, &x6); + rustsecp256k1_v0_1_2_fe_sqr(&x6, &x6); } - rustsecp256k1_v0_1_1_fe_mul(&x6, &x6, &x3); + rustsecp256k1_v0_1_2_fe_mul(&x6, &x6, &x3); x9 = x6; for (j=0; j<3; j++) { - rustsecp256k1_v0_1_1_fe_sqr(&x9, &x9); + rustsecp256k1_v0_1_2_fe_sqr(&x9, &x9); } - rustsecp256k1_v0_1_1_fe_mul(&x9, &x9, &x3); + rustsecp256k1_v0_1_2_fe_mul(&x9, &x9, &x3); x11 = x9; for (j=0; j<2; j++) { - rustsecp256k1_v0_1_1_fe_sqr(&x11, &x11); + rustsecp256k1_v0_1_2_fe_sqr(&x11, &x11); } - rustsecp256k1_v0_1_1_fe_mul(&x11, &x11, &x2); + rustsecp256k1_v0_1_2_fe_mul(&x11, &x11, &x2); x22 = x11; for (j=0; j<11; j++) { - rustsecp256k1_v0_1_1_fe_sqr(&x22, &x22); + rustsecp256k1_v0_1_2_fe_sqr(&x22, &x22); } - rustsecp256k1_v0_1_1_fe_mul(&x22, &x22, &x11); + rustsecp256k1_v0_1_2_fe_mul(&x22, &x22, &x11); x44 = x22; for (j=0; j<22; j++) { - rustsecp256k1_v0_1_1_fe_sqr(&x44, &x44); + rustsecp256k1_v0_1_2_fe_sqr(&x44, &x44); } - rustsecp256k1_v0_1_1_fe_mul(&x44, &x44, &x22); + rustsecp256k1_v0_1_2_fe_mul(&x44, &x44, &x22); x88 = x44; for (j=0; j<44; j++) { - rustsecp256k1_v0_1_1_fe_sqr(&x88, &x88); + rustsecp256k1_v0_1_2_fe_sqr(&x88, &x88); } - rustsecp256k1_v0_1_1_fe_mul(&x88, &x88, &x44); + rustsecp256k1_v0_1_2_fe_mul(&x88, &x88, &x44); x176 = x88; for (j=0; j<88; j++) { - rustsecp256k1_v0_1_1_fe_sqr(&x176, &x176); + rustsecp256k1_v0_1_2_fe_sqr(&x176, &x176); } - rustsecp256k1_v0_1_1_fe_mul(&x176, &x176, &x88); + rustsecp256k1_v0_1_2_fe_mul(&x176, &x176, &x88); x220 = x176; for (j=0; j<44; j++) { - rustsecp256k1_v0_1_1_fe_sqr(&x220, &x220); + rustsecp256k1_v0_1_2_fe_sqr(&x220, &x220); } - rustsecp256k1_v0_1_1_fe_mul(&x220, &x220, &x44); + rustsecp256k1_v0_1_2_fe_mul(&x220, &x220, &x44); x223 = x220; for (j=0; j<3; j++) { - rustsecp256k1_v0_1_1_fe_sqr(&x223, &x223); + rustsecp256k1_v0_1_2_fe_sqr(&x223, &x223); } - rustsecp256k1_v0_1_1_fe_mul(&x223, &x223, &x3); + rustsecp256k1_v0_1_2_fe_mul(&x223, &x223, &x3); /* The final result is then assembled using a sliding window over the blocks. */ t1 = x223; for (j=0; j<23; j++) { - rustsecp256k1_v0_1_1_fe_sqr(&t1, &t1); + rustsecp256k1_v0_1_2_fe_sqr(&t1, &t1); } - rustsecp256k1_v0_1_1_fe_mul(&t1, &t1, &x22); + rustsecp256k1_v0_1_2_fe_mul(&t1, &t1, &x22); for (j=0; j<5; j++) { - rustsecp256k1_v0_1_1_fe_sqr(&t1, &t1); + rustsecp256k1_v0_1_2_fe_sqr(&t1, &t1); } - rustsecp256k1_v0_1_1_fe_mul(&t1, &t1, a); + rustsecp256k1_v0_1_2_fe_mul(&t1, &t1, a); for (j=0; j<3; j++) { - rustsecp256k1_v0_1_1_fe_sqr(&t1, &t1); + rustsecp256k1_v0_1_2_fe_sqr(&t1, &t1); } - rustsecp256k1_v0_1_1_fe_mul(&t1, &t1, &x2); + rustsecp256k1_v0_1_2_fe_mul(&t1, &t1, &x2); for (j=0; j<2; j++) { - rustsecp256k1_v0_1_1_fe_sqr(&t1, &t1); + rustsecp256k1_v0_1_2_fe_sqr(&t1, &t1); } - rustsecp256k1_v0_1_1_fe_mul(r, a, &t1); + rustsecp256k1_v0_1_2_fe_mul(r, a, &t1); } -static void rustsecp256k1_v0_1_1_fe_inv_var(rustsecp256k1_v0_1_1_fe *r, const rustsecp256k1_v0_1_1_fe *a) { +static void rustsecp256k1_v0_1_2_fe_inv_var(rustsecp256k1_v0_1_2_fe *r, const rustsecp256k1_v0_1_2_fe *a) { #if defined(USE_FIELD_INV_BUILTIN) - rustsecp256k1_v0_1_1_fe_inv(r, a); + rustsecp256k1_v0_1_2_fe_inv(r, a); #elif defined(USE_FIELD_INV_NUM) - rustsecp256k1_v0_1_1_num n, m; - static const rustsecp256k1_v0_1_1_fe negone = SECP256K1_FE_CONST( + rustsecp256k1_v0_1_2_num n, m; + static const rustsecp256k1_v0_1_2_fe negone = SECP256K1_FE_CONST( 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL, 0xFFFFFC2EUL ); @@ -244,27 +244,27 @@ static void rustsecp256k1_v0_1_1_fe_inv_var(rustsecp256k1_v0_1_1_fe *r, const ru }; unsigned char b[32]; int res; - rustsecp256k1_v0_1_1_fe c = *a; - rustsecp256k1_v0_1_1_fe_normalize_var(&c); - rustsecp256k1_v0_1_1_fe_get_b32(b, &c); - rustsecp256k1_v0_1_1_num_set_bin(&n, b, 32); - rustsecp256k1_v0_1_1_num_set_bin(&m, prime, 32); - rustsecp256k1_v0_1_1_num_mod_inverse(&n, &n, &m); - rustsecp256k1_v0_1_1_num_get_bin(b, 32, &n); - res = rustsecp256k1_v0_1_1_fe_set_b32(r, b); + rustsecp256k1_v0_1_2_fe c = *a; + rustsecp256k1_v0_1_2_fe_normalize_var(&c); + rustsecp256k1_v0_1_2_fe_get_b32(b, &c); + rustsecp256k1_v0_1_2_num_set_bin(&n, b, 32); + rustsecp256k1_v0_1_2_num_set_bin(&m, prime, 32); + rustsecp256k1_v0_1_2_num_mod_inverse(&n, &n, &m); + rustsecp256k1_v0_1_2_num_get_bin(b, 32, &n); + res = rustsecp256k1_v0_1_2_fe_set_b32(r, b); (void)res; VERIFY_CHECK(res); /* Verify the result is the (unique) valid inverse using non-GMP code. */ - rustsecp256k1_v0_1_1_fe_mul(&c, &c, r); - rustsecp256k1_v0_1_1_fe_add(&c, &negone); - CHECK(rustsecp256k1_v0_1_1_fe_normalizes_to_zero_var(&c)); + rustsecp256k1_v0_1_2_fe_mul(&c, &c, r); + rustsecp256k1_v0_1_2_fe_add(&c, &negone); + CHECK(rustsecp256k1_v0_1_2_fe_normalizes_to_zero_var(&c)); #else #error "Please select field inverse implementation" #endif } -static void rustsecp256k1_v0_1_1_fe_inv_all_var(rustsecp256k1_v0_1_1_fe *r, const rustsecp256k1_v0_1_1_fe *a, size_t len) { - rustsecp256k1_v0_1_1_fe u; +static void rustsecp256k1_v0_1_2_fe_inv_all_var(rustsecp256k1_v0_1_2_fe *r, const rustsecp256k1_v0_1_2_fe *a, size_t len) { + rustsecp256k1_v0_1_2_fe u; size_t i; if (len < 1) { return; @@ -276,25 +276,25 @@ static void rustsecp256k1_v0_1_1_fe_inv_all_var(rustsecp256k1_v0_1_1_fe *r, cons i = 0; while (++i < len) { - rustsecp256k1_v0_1_1_fe_mul(&r[i], &r[i - 1], &a[i]); + rustsecp256k1_v0_1_2_fe_mul(&r[i], &r[i - 1], &a[i]); } - rustsecp256k1_v0_1_1_fe_inv_var(&u, &r[--i]); + rustsecp256k1_v0_1_2_fe_inv_var(&u, &r[--i]); while (i > 0) { size_t j = i--; - rustsecp256k1_v0_1_1_fe_mul(&r[j], &r[i], &u); - rustsecp256k1_v0_1_1_fe_mul(&u, &u, &a[j]); + rustsecp256k1_v0_1_2_fe_mul(&r[j], &r[i], &u); + rustsecp256k1_v0_1_2_fe_mul(&u, &u, &a[j]); } r[0] = u; } -static int rustsecp256k1_v0_1_1_fe_is_quad_var(const rustsecp256k1_v0_1_1_fe *a) { +static int rustsecp256k1_v0_1_2_fe_is_quad_var(const rustsecp256k1_v0_1_2_fe *a) { #ifndef USE_NUM_NONE unsigned char b[32]; - rustsecp256k1_v0_1_1_num n; - rustsecp256k1_v0_1_1_num m; + rustsecp256k1_v0_1_2_num n; + rustsecp256k1_v0_1_2_num m; /* secp256k1 field prime, value p defined in "Standards for Efficient Cryptography" (SEC2) 2.7.1. */ static const unsigned char prime[32] = { 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF, @@ -303,16 +303,18 @@ static int rustsecp256k1_v0_1_1_fe_is_quad_var(const rustsecp256k1_v0_1_1_fe *a) 0xFF,0xFF,0xFF,0xFE,0xFF,0xFF,0xFC,0x2F }; - rustsecp256k1_v0_1_1_fe c = *a; - rustsecp256k1_v0_1_1_fe_normalize_var(&c); - rustsecp256k1_v0_1_1_fe_get_b32(b, &c); - rustsecp256k1_v0_1_1_num_set_bin(&n, b, 32); - rustsecp256k1_v0_1_1_num_set_bin(&m, prime, 32); - return rustsecp256k1_v0_1_1_num_jacobi(&n, &m) >= 0; + rustsecp256k1_v0_1_2_fe c = *a; + rustsecp256k1_v0_1_2_fe_normalize_var(&c); + rustsecp256k1_v0_1_2_fe_get_b32(b, &c); + rustsecp256k1_v0_1_2_num_set_bin(&n, b, 32); + rustsecp256k1_v0_1_2_num_set_bin(&m, prime, 32); + return rustsecp256k1_v0_1_2_num_jacobi(&n, &m) >= 0; #else - rustsecp256k1_v0_1_1_fe r; - return rustsecp256k1_v0_1_1_fe_sqrt(&r, a); + rustsecp256k1_v0_1_2_fe r; + return rustsecp256k1_v0_1_2_fe_sqrt(&r, a); #endif } +static const rustsecp256k1_v0_1_2_fe rustsecp256k1_v0_1_2_fe_one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1); + #endif /* SECP256K1_FIELD_IMPL_H */ diff --git a/secp256k1-sys/depend/secp256k1/src/gen_context.c b/secp256k1-sys/depend/secp256k1/src/gen_context.c index 8e4f10286..e0b34ab94 100644 --- a/secp256k1-sys/depend/secp256k1/src/gen_context.c +++ b/secp256k1-sys/depend/secp256k1/src/gen_context.c @@ -4,9 +4,14 @@ * file COPYING or http://www.opensource.org/licenses/mit-license.php.* **********************************************************************/ +// Autotools creates libsecp256k1-config.h, of which ECMULT_GEN_PREC_BITS is needed. +// ifndef guard so downstream users can define their own if they do not use autotools. +#if !defined(ECMULT_GEN_PREC_BITS) +#include "libsecp256k1-config.h" +#endif #define USE_BASIC_CONFIG 1 - #include "basic-config.h" + #include "include/secp256k1.h" #include "util.h" #include "field_impl.h" @@ -20,13 +25,13 @@ static void default_error_callback_fn(const char* str, void* data) { abort(); } -static const rustsecp256k1_v0_1_1_callback default_error_callback = { +static const rustsecp256k1_v0_1_2_callback default_error_callback = { default_error_callback_fn, NULL }; int main(int argc, char **argv) { - rustsecp256k1_v0_1_1_ecmult_gen_context ctx; + rustsecp256k1_v0_1_2_ecmult_gen_context ctx; void *prealloc, *base; int inner; int outer; @@ -45,30 +50,33 @@ int main(int argc, char **argv) { fprintf(fp, "#define _SECP256K1_ECMULT_STATIC_CONTEXT_\n"); fprintf(fp, "#include \"src/group.h\"\n"); fprintf(fp, "#define SC SECP256K1_GE_STORAGE_CONST\n"); - fprintf(fp, "static const rustsecp256k1_v0_1_1_ge_storage rustsecp256k1_v0_1_1_ecmult_static_context[64][16] = {\n"); + fprintf(fp, "#if ECMULT_GEN_PREC_N != %d || ECMULT_GEN_PREC_G != %d\n", ECMULT_GEN_PREC_N, ECMULT_GEN_PREC_G); + fprintf(fp, " #error configuration mismatch, invalid ECMULT_GEN_PREC_N, ECMULT_GEN_PREC_G. Try deleting ecmult_static_context.h before the build.\n"); + fprintf(fp, "#endif\n"); + fprintf(fp, "static const rustsecp256k1_v0_1_2_ge_storage rustsecp256k1_v0_1_2_ecmult_static_context[ECMULT_GEN_PREC_N][ECMULT_GEN_PREC_G] = {\n"); base = checked_malloc(&default_error_callback, SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE); prealloc = base; - rustsecp256k1_v0_1_1_ecmult_gen_context_init(&ctx); - rustsecp256k1_v0_1_1_ecmult_gen_context_build(&ctx, &prealloc); - for(outer = 0; outer != 64; outer++) { + rustsecp256k1_v0_1_2_ecmult_gen_context_init(&ctx); + rustsecp256k1_v0_1_2_ecmult_gen_context_build(&ctx, &prealloc); + for(outer = 0; outer != ECMULT_GEN_PREC_N; outer++) { fprintf(fp,"{\n"); - for(inner = 0; inner != 16; inner++) { + for(inner = 0; inner != ECMULT_GEN_PREC_G; inner++) { fprintf(fp," SC(%uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu, %uu)", SECP256K1_GE_STORAGE_CONST_GET((*ctx.prec)[outer][inner])); - if (inner != 15) { + if (inner != ECMULT_GEN_PREC_G - 1) { fprintf(fp,",\n"); } else { fprintf(fp,"\n"); } } - if (outer != 63) { + if (outer != ECMULT_GEN_PREC_N - 1) { fprintf(fp,"},\n"); } else { fprintf(fp,"}\n"); } } fprintf(fp,"};\n"); - rustsecp256k1_v0_1_1_ecmult_gen_context_clear(&ctx); + rustsecp256k1_v0_1_2_ecmult_gen_context_clear(&ctx); free(base); fprintf(fp, "#undef SC\n"); diff --git a/secp256k1-sys/depend/secp256k1/src/group.h b/secp256k1-sys/depend/secp256k1/src/group.h index b61484b07..cef857d6e 100644 --- a/secp256k1-sys/depend/secp256k1/src/group.h +++ b/secp256k1-sys/depend/secp256k1/src/group.h @@ -12,131 +12,130 @@ /** A group element of the secp256k1 curve, in affine coordinates. */ typedef struct { - rustsecp256k1_v0_1_1_fe x; - rustsecp256k1_v0_1_1_fe y; + rustsecp256k1_v0_1_2_fe x; + rustsecp256k1_v0_1_2_fe y; int infinity; /* whether this represents the point at infinity */ -} rustsecp256k1_v0_1_1_ge; +} rustsecp256k1_v0_1_2_ge; #define SECP256K1_GE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p) {SECP256K1_FE_CONST((a),(b),(c),(d),(e),(f),(g),(h)), SECP256K1_FE_CONST((i),(j),(k),(l),(m),(n),(o),(p)), 0} #define SECP256K1_GE_CONST_INFINITY {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), 1} /** A group element of the secp256k1 curve, in jacobian coordinates. */ typedef struct { - rustsecp256k1_v0_1_1_fe x; /* actual X: x/z^2 */ - rustsecp256k1_v0_1_1_fe y; /* actual Y: y/z^3 */ - rustsecp256k1_v0_1_1_fe z; + rustsecp256k1_v0_1_2_fe x; /* actual X: x/z^2 */ + rustsecp256k1_v0_1_2_fe y; /* actual Y: y/z^3 */ + rustsecp256k1_v0_1_2_fe z; int infinity; /* whether this represents the point at infinity */ -} rustsecp256k1_v0_1_1_gej; +} rustsecp256k1_v0_1_2_gej; #define SECP256K1_GEJ_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p) {SECP256K1_FE_CONST((a),(b),(c),(d),(e),(f),(g),(h)), SECP256K1_FE_CONST((i),(j),(k),(l),(m),(n),(o),(p)), SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1), 0} #define SECP256K1_GEJ_CONST_INFINITY {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0), 1} typedef struct { - rustsecp256k1_v0_1_1_fe_storage x; - rustsecp256k1_v0_1_1_fe_storage y; -} rustsecp256k1_v0_1_1_ge_storage; + rustsecp256k1_v0_1_2_fe_storage x; + rustsecp256k1_v0_1_2_fe_storage y; +} rustsecp256k1_v0_1_2_ge_storage; #define SECP256K1_GE_STORAGE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p) {SECP256K1_FE_STORAGE_CONST((a),(b),(c),(d),(e),(f),(g),(h)), SECP256K1_FE_STORAGE_CONST((i),(j),(k),(l),(m),(n),(o),(p))} #define SECP256K1_GE_STORAGE_CONST_GET(t) SECP256K1_FE_STORAGE_CONST_GET(t.x), SECP256K1_FE_STORAGE_CONST_GET(t.y) /** Set a group element equal to the point with given X and Y coordinates */ -static void rustsecp256k1_v0_1_1_ge_set_xy(rustsecp256k1_v0_1_1_ge *r, const rustsecp256k1_v0_1_1_fe *x, const rustsecp256k1_v0_1_1_fe *y); +static void rustsecp256k1_v0_1_2_ge_set_xy(rustsecp256k1_v0_1_2_ge *r, const rustsecp256k1_v0_1_2_fe *x, const rustsecp256k1_v0_1_2_fe *y); /** Set a group element (affine) equal to the point with the given X coordinate * and a Y coordinate that is a quadratic residue modulo p. The return value * is true iff a coordinate with the given X coordinate exists. */ -static int rustsecp256k1_v0_1_1_ge_set_xquad(rustsecp256k1_v0_1_1_ge *r, const rustsecp256k1_v0_1_1_fe *x); +static int rustsecp256k1_v0_1_2_ge_set_xquad(rustsecp256k1_v0_1_2_ge *r, const rustsecp256k1_v0_1_2_fe *x); /** Set a group element (affine) equal to the point with the given X coordinate, and given oddness * for Y. Return value indicates whether the result is valid. */ -static int rustsecp256k1_v0_1_1_ge_set_xo_var(rustsecp256k1_v0_1_1_ge *r, const rustsecp256k1_v0_1_1_fe *x, int odd); +static int rustsecp256k1_v0_1_2_ge_set_xo_var(rustsecp256k1_v0_1_2_ge *r, const rustsecp256k1_v0_1_2_fe *x, int odd); /** Check whether a group element is the point at infinity. */ -static int rustsecp256k1_v0_1_1_ge_is_infinity(const rustsecp256k1_v0_1_1_ge *a); +static int rustsecp256k1_v0_1_2_ge_is_infinity(const rustsecp256k1_v0_1_2_ge *a); /** Check whether a group element is valid (i.e., on the curve). */ -static int rustsecp256k1_v0_1_1_ge_is_valid_var(const rustsecp256k1_v0_1_1_ge *a); +static int rustsecp256k1_v0_1_2_ge_is_valid_var(const rustsecp256k1_v0_1_2_ge *a); -static void rustsecp256k1_v0_1_1_ge_neg(rustsecp256k1_v0_1_1_ge *r, const rustsecp256k1_v0_1_1_ge *a); +static void rustsecp256k1_v0_1_2_ge_neg(rustsecp256k1_v0_1_2_ge *r, const rustsecp256k1_v0_1_2_ge *a); /** Set a group element equal to another which is given in jacobian coordinates */ -static void rustsecp256k1_v0_1_1_ge_set_gej(rustsecp256k1_v0_1_1_ge *r, rustsecp256k1_v0_1_1_gej *a); +static void rustsecp256k1_v0_1_2_ge_set_gej(rustsecp256k1_v0_1_2_ge *r, rustsecp256k1_v0_1_2_gej *a); /** Set a batch of group elements equal to the inputs given in jacobian coordinates */ -static void rustsecp256k1_v0_1_1_ge_set_all_gej_var(rustsecp256k1_v0_1_1_ge *r, const rustsecp256k1_v0_1_1_gej *a, size_t len); +static void rustsecp256k1_v0_1_2_ge_set_all_gej_var(rustsecp256k1_v0_1_2_ge *r, const rustsecp256k1_v0_1_2_gej *a, size_t len); /** Bring a batch inputs given in jacobian coordinates (with known z-ratios) to * the same global z "denominator". zr must contain the known z-ratios such * that mul(a[i].z, zr[i+1]) == a[i+1].z. zr[0] is ignored. The x and y * coordinates of the result are stored in r, the common z coordinate is * stored in globalz. */ -static void rustsecp256k1_v0_1_1_ge_globalz_set_table_gej(size_t len, rustsecp256k1_v0_1_1_ge *r, rustsecp256k1_v0_1_1_fe *globalz, const rustsecp256k1_v0_1_1_gej *a, const rustsecp256k1_v0_1_1_fe *zr); +static void rustsecp256k1_v0_1_2_ge_globalz_set_table_gej(size_t len, rustsecp256k1_v0_1_2_ge *r, rustsecp256k1_v0_1_2_fe *globalz, const rustsecp256k1_v0_1_2_gej *a, const rustsecp256k1_v0_1_2_fe *zr); /** Set a group element (affine) equal to the point at infinity. */ -static void rustsecp256k1_v0_1_1_ge_set_infinity(rustsecp256k1_v0_1_1_ge *r); +static void rustsecp256k1_v0_1_2_ge_set_infinity(rustsecp256k1_v0_1_2_ge *r); /** Set a group element (jacobian) equal to the point at infinity. */ -static void rustsecp256k1_v0_1_1_gej_set_infinity(rustsecp256k1_v0_1_1_gej *r); +static void rustsecp256k1_v0_1_2_gej_set_infinity(rustsecp256k1_v0_1_2_gej *r); /** Set a group element (jacobian) equal to another which is given in affine coordinates. */ -static void rustsecp256k1_v0_1_1_gej_set_ge(rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_ge *a); +static void rustsecp256k1_v0_1_2_gej_set_ge(rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_ge *a); /** Compare the X coordinate of a group element (jacobian). */ -static int rustsecp256k1_v0_1_1_gej_eq_x_var(const rustsecp256k1_v0_1_1_fe *x, const rustsecp256k1_v0_1_1_gej *a); +static int rustsecp256k1_v0_1_2_gej_eq_x_var(const rustsecp256k1_v0_1_2_fe *x, const rustsecp256k1_v0_1_2_gej *a); /** Set r equal to the inverse of a (i.e., mirrored around the X axis) */ -static void rustsecp256k1_v0_1_1_gej_neg(rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_gej *a); +static void rustsecp256k1_v0_1_2_gej_neg(rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_gej *a); /** Check whether a group element is the point at infinity. */ -static int rustsecp256k1_v0_1_1_gej_is_infinity(const rustsecp256k1_v0_1_1_gej *a); +static int rustsecp256k1_v0_1_2_gej_is_infinity(const rustsecp256k1_v0_1_2_gej *a); /** Check whether a group element's y coordinate is a quadratic residue. */ -static int rustsecp256k1_v0_1_1_gej_has_quad_y_var(const rustsecp256k1_v0_1_1_gej *a); +static int rustsecp256k1_v0_1_2_gej_has_quad_y_var(const rustsecp256k1_v0_1_2_gej *a); -/** Set r equal to the double of a. If rzr is not-NULL, r->z = a->z * *rzr (where infinity means an implicit z = 0). - * a may not be zero. Constant time. */ -static void rustsecp256k1_v0_1_1_gej_double_nonzero(rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_gej *a, rustsecp256k1_v0_1_1_fe *rzr); +/** Set r equal to the double of a, a cannot be infinity. Constant time. */ +static void rustsecp256k1_v0_1_2_gej_double_nonzero(rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_gej *a); -/** Set r equal to the double of a. If rzr is not-NULL, r->z = a->z * *rzr (where infinity means an implicit z = 0). */ -static void rustsecp256k1_v0_1_1_gej_double_var(rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_gej *a, rustsecp256k1_v0_1_1_fe *rzr); +/** Set r equal to the double of a. If rzr is not-NULL this sets *rzr such that r->z == a->z * *rzr (where infinity means an implicit z = 0). */ +static void rustsecp256k1_v0_1_2_gej_double_var(rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_gej *a, rustsecp256k1_v0_1_2_fe *rzr); -/** Set r equal to the sum of a and b. If rzr is non-NULL, r->z = a->z * *rzr (a cannot be infinity in that case). */ -static void rustsecp256k1_v0_1_1_gej_add_var(rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_gej *a, const rustsecp256k1_v0_1_1_gej *b, rustsecp256k1_v0_1_1_fe *rzr); +/** Set r equal to the sum of a and b. If rzr is non-NULL this sets *rzr such that r->z == a->z * *rzr (a cannot be infinity in that case). */ +static void rustsecp256k1_v0_1_2_gej_add_var(rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_gej *a, const rustsecp256k1_v0_1_2_gej *b, rustsecp256k1_v0_1_2_fe *rzr); /** Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity). */ -static void rustsecp256k1_v0_1_1_gej_add_ge(rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_gej *a, const rustsecp256k1_v0_1_1_ge *b); +static void rustsecp256k1_v0_1_2_gej_add_ge(rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_gej *a, const rustsecp256k1_v0_1_2_ge *b); /** Set r equal to the sum of a and b (with b given in affine coordinates). This is more efficient - than rustsecp256k1_v0_1_1_gej_add_var. It is identical to rustsecp256k1_v0_1_1_gej_add_ge but without constant-time - guarantee, and b is allowed to be infinity. If rzr is non-NULL, r->z = a->z * *rzr (a cannot be infinity in that case). */ -static void rustsecp256k1_v0_1_1_gej_add_ge_var(rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_gej *a, const rustsecp256k1_v0_1_1_ge *b, rustsecp256k1_v0_1_1_fe *rzr); + than rustsecp256k1_v0_1_2_gej_add_var. It is identical to rustsecp256k1_v0_1_2_gej_add_ge but without constant-time + guarantee, and b is allowed to be infinity. If rzr is non-NULL this sets *rzr such that r->z == a->z * *rzr (a cannot be infinity in that case). */ +static void rustsecp256k1_v0_1_2_gej_add_ge_var(rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_gej *a, const rustsecp256k1_v0_1_2_ge *b, rustsecp256k1_v0_1_2_fe *rzr); /** Set r equal to the sum of a and b (with the inverse of b's Z coordinate passed as bzinv). */ -static void rustsecp256k1_v0_1_1_gej_add_zinv_var(rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_gej *a, const rustsecp256k1_v0_1_1_ge *b, const rustsecp256k1_v0_1_1_fe *bzinv); +static void rustsecp256k1_v0_1_2_gej_add_zinv_var(rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_gej *a, const rustsecp256k1_v0_1_2_ge *b, const rustsecp256k1_v0_1_2_fe *bzinv); #ifdef USE_ENDOMORPHISM /** Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast. */ -static void rustsecp256k1_v0_1_1_ge_mul_lambda(rustsecp256k1_v0_1_1_ge *r, const rustsecp256k1_v0_1_1_ge *a); +static void rustsecp256k1_v0_1_2_ge_mul_lambda(rustsecp256k1_v0_1_2_ge *r, const rustsecp256k1_v0_1_2_ge *a); #endif -/** Clear a rustsecp256k1_v0_1_1_gej to prevent leaking sensitive information. */ -static void rustsecp256k1_v0_1_1_gej_clear(rustsecp256k1_v0_1_1_gej *r); +/** Clear a rustsecp256k1_v0_1_2_gej to prevent leaking sensitive information. */ +static void rustsecp256k1_v0_1_2_gej_clear(rustsecp256k1_v0_1_2_gej *r); -/** Clear a rustsecp256k1_v0_1_1_ge to prevent leaking sensitive information. */ -static void rustsecp256k1_v0_1_1_ge_clear(rustsecp256k1_v0_1_1_ge *r); +/** Clear a rustsecp256k1_v0_1_2_ge to prevent leaking sensitive information. */ +static void rustsecp256k1_v0_1_2_ge_clear(rustsecp256k1_v0_1_2_ge *r); /** Convert a group element to the storage type. */ -static void rustsecp256k1_v0_1_1_ge_to_storage(rustsecp256k1_v0_1_1_ge_storage *r, const rustsecp256k1_v0_1_1_ge *a); +static void rustsecp256k1_v0_1_2_ge_to_storage(rustsecp256k1_v0_1_2_ge_storage *r, const rustsecp256k1_v0_1_2_ge *a); /** Convert a group element back from the storage type. */ -static void rustsecp256k1_v0_1_1_ge_from_storage(rustsecp256k1_v0_1_1_ge *r, const rustsecp256k1_v0_1_1_ge_storage *a); +static void rustsecp256k1_v0_1_2_ge_from_storage(rustsecp256k1_v0_1_2_ge *r, const rustsecp256k1_v0_1_2_ge_storage *a); /** If flag is true, set *r equal to *a; otherwise leave it. Constant-time. */ -static void rustsecp256k1_v0_1_1_ge_storage_cmov(rustsecp256k1_v0_1_1_ge_storage *r, const rustsecp256k1_v0_1_1_ge_storage *a, int flag); +static void rustsecp256k1_v0_1_2_ge_storage_cmov(rustsecp256k1_v0_1_2_ge_storage *r, const rustsecp256k1_v0_1_2_ge_storage *a, int flag); /** Rescale a jacobian point by b which must be non-zero. Constant-time. */ -static void rustsecp256k1_v0_1_1_gej_rescale(rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_fe *b); +static void rustsecp256k1_v0_1_2_gej_rescale(rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_fe *b); #endif /* SECP256K1_GROUP_H */ diff --git a/secp256k1-sys/depend/secp256k1/src/group_impl.h b/secp256k1-sys/depend/secp256k1/src/group_impl.h index 9a1148570..9bc286d31 100644 --- a/secp256k1-sys/depend/secp256k1/src/group_impl.h +++ b/secp256k1-sys/depend/secp256k1/src/group_impl.h @@ -38,7 +38,7 @@ */ #if defined(EXHAUSTIVE_TEST_ORDER) # if EXHAUSTIVE_TEST_ORDER == 199 -static const rustsecp256k1_v0_1_1_ge rustsecp256k1_v0_1_1_ge_const_g = SECP256K1_GE_CONST( +static const rustsecp256k1_v0_1_2_ge rustsecp256k1_v0_1_2_ge_const_g = SECP256K1_GE_CONST( 0xFA7CC9A7, 0x0737F2DB, 0xA749DD39, 0x2B4FB069, 0x3B017A7D, 0xA808C2F1, 0xFB12940C, 0x9EA66C18, 0x78AC123A, 0x5ED8AEF3, 0x8732BC91, 0x1F3A2868, @@ -47,7 +47,7 @@ static const rustsecp256k1_v0_1_1_ge rustsecp256k1_v0_1_1_ge_const_g = SECP256K1 static const int CURVE_B = 4; # elif EXHAUSTIVE_TEST_ORDER == 13 -static const rustsecp256k1_v0_1_1_ge rustsecp256k1_v0_1_1_ge_const_g = SECP256K1_GE_CONST( +static const rustsecp256k1_v0_1_2_ge rustsecp256k1_v0_1_2_ge_const_g = SECP256K1_GE_CONST( 0xedc60018, 0xa51a786b, 0x2ea91f4d, 0x4c9416c0, 0x9de54c3b, 0xa1316554, 0x6cf4345c, 0x7277ef15, 0x54cb1b6b, 0xdc8c1273, 0x087844ea, 0x43f4603e, @@ -61,7 +61,7 @@ static const int CURVE_B = 2; /** Generator for secp256k1, value 'g' defined in * "Standards for Efficient Cryptography" (SEC2) 2.7.1. */ -static const rustsecp256k1_v0_1_1_ge rustsecp256k1_v0_1_1_ge_const_g = SECP256K1_GE_CONST( +static const rustsecp256k1_v0_1_2_ge rustsecp256k1_v0_1_2_ge_const_g = SECP256K1_GE_CONST( 0x79BE667EUL, 0xF9DCBBACUL, 0x55A06295UL, 0xCE870B07UL, 0x029BFCDBUL, 0x2DCE28D9UL, 0x59F2815BUL, 0x16F81798UL, 0x483ADA77UL, 0x26A3C465UL, 0x5DA4FBFCUL, 0x0E1108A8UL, @@ -71,63 +71,63 @@ static const rustsecp256k1_v0_1_1_ge rustsecp256k1_v0_1_1_ge_const_g = SECP256K1 static const int CURVE_B = 7; #endif -static void rustsecp256k1_v0_1_1_ge_set_gej_zinv(rustsecp256k1_v0_1_1_ge *r, const rustsecp256k1_v0_1_1_gej *a, const rustsecp256k1_v0_1_1_fe *zi) { - rustsecp256k1_v0_1_1_fe zi2; - rustsecp256k1_v0_1_1_fe zi3; - rustsecp256k1_v0_1_1_fe_sqr(&zi2, zi); - rustsecp256k1_v0_1_1_fe_mul(&zi3, &zi2, zi); - rustsecp256k1_v0_1_1_fe_mul(&r->x, &a->x, &zi2); - rustsecp256k1_v0_1_1_fe_mul(&r->y, &a->y, &zi3); +static void rustsecp256k1_v0_1_2_ge_set_gej_zinv(rustsecp256k1_v0_1_2_ge *r, const rustsecp256k1_v0_1_2_gej *a, const rustsecp256k1_v0_1_2_fe *zi) { + rustsecp256k1_v0_1_2_fe zi2; + rustsecp256k1_v0_1_2_fe zi3; + rustsecp256k1_v0_1_2_fe_sqr(&zi2, zi); + rustsecp256k1_v0_1_2_fe_mul(&zi3, &zi2, zi); + rustsecp256k1_v0_1_2_fe_mul(&r->x, &a->x, &zi2); + rustsecp256k1_v0_1_2_fe_mul(&r->y, &a->y, &zi3); r->infinity = a->infinity; } -static void rustsecp256k1_v0_1_1_ge_set_xy(rustsecp256k1_v0_1_1_ge *r, const rustsecp256k1_v0_1_1_fe *x, const rustsecp256k1_v0_1_1_fe *y) { +static void rustsecp256k1_v0_1_2_ge_set_xy(rustsecp256k1_v0_1_2_ge *r, const rustsecp256k1_v0_1_2_fe *x, const rustsecp256k1_v0_1_2_fe *y) { r->infinity = 0; r->x = *x; r->y = *y; } -static int rustsecp256k1_v0_1_1_ge_is_infinity(const rustsecp256k1_v0_1_1_ge *a) { +static int rustsecp256k1_v0_1_2_ge_is_infinity(const rustsecp256k1_v0_1_2_ge *a) { return a->infinity; } -static void rustsecp256k1_v0_1_1_ge_neg(rustsecp256k1_v0_1_1_ge *r, const rustsecp256k1_v0_1_1_ge *a) { +static void rustsecp256k1_v0_1_2_ge_neg(rustsecp256k1_v0_1_2_ge *r, const rustsecp256k1_v0_1_2_ge *a) { *r = *a; - rustsecp256k1_v0_1_1_fe_normalize_weak(&r->y); - rustsecp256k1_v0_1_1_fe_negate(&r->y, &r->y, 1); + rustsecp256k1_v0_1_2_fe_normalize_weak(&r->y); + rustsecp256k1_v0_1_2_fe_negate(&r->y, &r->y, 1); } -static void rustsecp256k1_v0_1_1_ge_set_gej(rustsecp256k1_v0_1_1_ge *r, rustsecp256k1_v0_1_1_gej *a) { - rustsecp256k1_v0_1_1_fe z2, z3; +static void rustsecp256k1_v0_1_2_ge_set_gej(rustsecp256k1_v0_1_2_ge *r, rustsecp256k1_v0_1_2_gej *a) { + rustsecp256k1_v0_1_2_fe z2, z3; r->infinity = a->infinity; - rustsecp256k1_v0_1_1_fe_inv(&a->z, &a->z); - rustsecp256k1_v0_1_1_fe_sqr(&z2, &a->z); - rustsecp256k1_v0_1_1_fe_mul(&z3, &a->z, &z2); - rustsecp256k1_v0_1_1_fe_mul(&a->x, &a->x, &z2); - rustsecp256k1_v0_1_1_fe_mul(&a->y, &a->y, &z3); - rustsecp256k1_v0_1_1_fe_set_int(&a->z, 1); + rustsecp256k1_v0_1_2_fe_inv(&a->z, &a->z); + rustsecp256k1_v0_1_2_fe_sqr(&z2, &a->z); + rustsecp256k1_v0_1_2_fe_mul(&z3, &a->z, &z2); + rustsecp256k1_v0_1_2_fe_mul(&a->x, &a->x, &z2); + rustsecp256k1_v0_1_2_fe_mul(&a->y, &a->y, &z3); + rustsecp256k1_v0_1_2_fe_set_int(&a->z, 1); r->x = a->x; r->y = a->y; } -static void rustsecp256k1_v0_1_1_ge_set_gej_var(rustsecp256k1_v0_1_1_ge *r, rustsecp256k1_v0_1_1_gej *a) { - rustsecp256k1_v0_1_1_fe z2, z3; +static void rustsecp256k1_v0_1_2_ge_set_gej_var(rustsecp256k1_v0_1_2_ge *r, rustsecp256k1_v0_1_2_gej *a) { + rustsecp256k1_v0_1_2_fe z2, z3; r->infinity = a->infinity; if (a->infinity) { return; } - rustsecp256k1_v0_1_1_fe_inv_var(&a->z, &a->z); - rustsecp256k1_v0_1_1_fe_sqr(&z2, &a->z); - rustsecp256k1_v0_1_1_fe_mul(&z3, &a->z, &z2); - rustsecp256k1_v0_1_1_fe_mul(&a->x, &a->x, &z2); - rustsecp256k1_v0_1_1_fe_mul(&a->y, &a->y, &z3); - rustsecp256k1_v0_1_1_fe_set_int(&a->z, 1); + rustsecp256k1_v0_1_2_fe_inv_var(&a->z, &a->z); + rustsecp256k1_v0_1_2_fe_sqr(&z2, &a->z); + rustsecp256k1_v0_1_2_fe_mul(&z3, &a->z, &z2); + rustsecp256k1_v0_1_2_fe_mul(&a->x, &a->x, &z2); + rustsecp256k1_v0_1_2_fe_mul(&a->y, &a->y, &z3); + rustsecp256k1_v0_1_2_fe_set_int(&a->z, 1); r->x = a->x; r->y = a->y; } -static void rustsecp256k1_v0_1_1_ge_set_all_gej_var(rustsecp256k1_v0_1_1_ge *r, const rustsecp256k1_v0_1_1_gej *a, size_t len) { - rustsecp256k1_v0_1_1_fe u; +static void rustsecp256k1_v0_1_2_ge_set_all_gej_var(rustsecp256k1_v0_1_2_ge *r, const rustsecp256k1_v0_1_2_gej *a, size_t len) { + rustsecp256k1_v0_1_2_fe u; size_t i; size_t last_i = SIZE_MAX; @@ -137,7 +137,7 @@ static void rustsecp256k1_v0_1_1_ge_set_all_gej_var(rustsecp256k1_v0_1_1_ge *r, if (last_i == SIZE_MAX) { r[i].x = a[i].z; } else { - rustsecp256k1_v0_1_1_fe_mul(&r[i].x, &r[last_i].x, &a[i].z); + rustsecp256k1_v0_1_2_fe_mul(&r[i].x, &r[last_i].x, &a[i].z); } last_i = i; } @@ -145,14 +145,14 @@ static void rustsecp256k1_v0_1_1_ge_set_all_gej_var(rustsecp256k1_v0_1_1_ge *r, if (last_i == SIZE_MAX) { return; } - rustsecp256k1_v0_1_1_fe_inv_var(&u, &r[last_i].x); + rustsecp256k1_v0_1_2_fe_inv_var(&u, &r[last_i].x); i = last_i; while (i > 0) { i--; if (!a[i].infinity) { - rustsecp256k1_v0_1_1_fe_mul(&r[last_i].x, &r[i].x, &u); - rustsecp256k1_v0_1_1_fe_mul(&u, &u, &a[last_i].z); + rustsecp256k1_v0_1_2_fe_mul(&r[last_i].x, &r[i].x, &u); + rustsecp256k1_v0_1_2_fe_mul(&u, &u, &a[last_i].z); last_i = i; } } @@ -162,21 +162,21 @@ static void rustsecp256k1_v0_1_1_ge_set_all_gej_var(rustsecp256k1_v0_1_1_ge *r, for (i = 0; i < len; i++) { r[i].infinity = a[i].infinity; if (!a[i].infinity) { - rustsecp256k1_v0_1_1_ge_set_gej_zinv(&r[i], &a[i], &r[i].x); + rustsecp256k1_v0_1_2_ge_set_gej_zinv(&r[i], &a[i], &r[i].x); } } } -static void rustsecp256k1_v0_1_1_ge_globalz_set_table_gej(size_t len, rustsecp256k1_v0_1_1_ge *r, rustsecp256k1_v0_1_1_fe *globalz, const rustsecp256k1_v0_1_1_gej *a, const rustsecp256k1_v0_1_1_fe *zr) { +static void rustsecp256k1_v0_1_2_ge_globalz_set_table_gej(size_t len, rustsecp256k1_v0_1_2_ge *r, rustsecp256k1_v0_1_2_fe *globalz, const rustsecp256k1_v0_1_2_gej *a, const rustsecp256k1_v0_1_2_fe *zr) { size_t i = len - 1; - rustsecp256k1_v0_1_1_fe zs; + rustsecp256k1_v0_1_2_fe zs; if (len > 0) { /* The z of the final point gives us the "global Z" for the table. */ r[i].x = a[i].x; r[i].y = a[i].y; /* Ensure all y values are in weak normal form for fast negation of points */ - rustsecp256k1_v0_1_1_fe_normalize_weak(&r[i].y); + rustsecp256k1_v0_1_2_fe_normalize_weak(&r[i].y); *globalz = a[i].z; r[i].infinity = 0; zs = zr[i]; @@ -184,93 +184,93 @@ static void rustsecp256k1_v0_1_1_ge_globalz_set_table_gej(size_t len, rustsecp25 /* Work our way backwards, using the z-ratios to scale the x/y values. */ while (i > 0) { if (i != len - 1) { - rustsecp256k1_v0_1_1_fe_mul(&zs, &zs, &zr[i]); + rustsecp256k1_v0_1_2_fe_mul(&zs, &zs, &zr[i]); } i--; - rustsecp256k1_v0_1_1_ge_set_gej_zinv(&r[i], &a[i], &zs); + rustsecp256k1_v0_1_2_ge_set_gej_zinv(&r[i], &a[i], &zs); } } } -static void rustsecp256k1_v0_1_1_gej_set_infinity(rustsecp256k1_v0_1_1_gej *r) { +static void rustsecp256k1_v0_1_2_gej_set_infinity(rustsecp256k1_v0_1_2_gej *r) { r->infinity = 1; - rustsecp256k1_v0_1_1_fe_clear(&r->x); - rustsecp256k1_v0_1_1_fe_clear(&r->y); - rustsecp256k1_v0_1_1_fe_clear(&r->z); + rustsecp256k1_v0_1_2_fe_clear(&r->x); + rustsecp256k1_v0_1_2_fe_clear(&r->y); + rustsecp256k1_v0_1_2_fe_clear(&r->z); } -static void rustsecp256k1_v0_1_1_ge_set_infinity(rustsecp256k1_v0_1_1_ge *r) { +static void rustsecp256k1_v0_1_2_ge_set_infinity(rustsecp256k1_v0_1_2_ge *r) { r->infinity = 1; - rustsecp256k1_v0_1_1_fe_clear(&r->x); - rustsecp256k1_v0_1_1_fe_clear(&r->y); + rustsecp256k1_v0_1_2_fe_clear(&r->x); + rustsecp256k1_v0_1_2_fe_clear(&r->y); } -static void rustsecp256k1_v0_1_1_gej_clear(rustsecp256k1_v0_1_1_gej *r) { +static void rustsecp256k1_v0_1_2_gej_clear(rustsecp256k1_v0_1_2_gej *r) { r->infinity = 0; - rustsecp256k1_v0_1_1_fe_clear(&r->x); - rustsecp256k1_v0_1_1_fe_clear(&r->y); - rustsecp256k1_v0_1_1_fe_clear(&r->z); + rustsecp256k1_v0_1_2_fe_clear(&r->x); + rustsecp256k1_v0_1_2_fe_clear(&r->y); + rustsecp256k1_v0_1_2_fe_clear(&r->z); } -static void rustsecp256k1_v0_1_1_ge_clear(rustsecp256k1_v0_1_1_ge *r) { +static void rustsecp256k1_v0_1_2_ge_clear(rustsecp256k1_v0_1_2_ge *r) { r->infinity = 0; - rustsecp256k1_v0_1_1_fe_clear(&r->x); - rustsecp256k1_v0_1_1_fe_clear(&r->y); + rustsecp256k1_v0_1_2_fe_clear(&r->x); + rustsecp256k1_v0_1_2_fe_clear(&r->y); } -static int rustsecp256k1_v0_1_1_ge_set_xquad(rustsecp256k1_v0_1_1_ge *r, const rustsecp256k1_v0_1_1_fe *x) { - rustsecp256k1_v0_1_1_fe x2, x3, c; +static int rustsecp256k1_v0_1_2_ge_set_xquad(rustsecp256k1_v0_1_2_ge *r, const rustsecp256k1_v0_1_2_fe *x) { + rustsecp256k1_v0_1_2_fe x2, x3, c; r->x = *x; - rustsecp256k1_v0_1_1_fe_sqr(&x2, x); - rustsecp256k1_v0_1_1_fe_mul(&x3, x, &x2); + rustsecp256k1_v0_1_2_fe_sqr(&x2, x); + rustsecp256k1_v0_1_2_fe_mul(&x3, x, &x2); r->infinity = 0; - rustsecp256k1_v0_1_1_fe_set_int(&c, CURVE_B); - rustsecp256k1_v0_1_1_fe_add(&c, &x3); - return rustsecp256k1_v0_1_1_fe_sqrt(&r->y, &c); + rustsecp256k1_v0_1_2_fe_set_int(&c, CURVE_B); + rustsecp256k1_v0_1_2_fe_add(&c, &x3); + return rustsecp256k1_v0_1_2_fe_sqrt(&r->y, &c); } -static int rustsecp256k1_v0_1_1_ge_set_xo_var(rustsecp256k1_v0_1_1_ge *r, const rustsecp256k1_v0_1_1_fe *x, int odd) { - if (!rustsecp256k1_v0_1_1_ge_set_xquad(r, x)) { +static int rustsecp256k1_v0_1_2_ge_set_xo_var(rustsecp256k1_v0_1_2_ge *r, const rustsecp256k1_v0_1_2_fe *x, int odd) { + if (!rustsecp256k1_v0_1_2_ge_set_xquad(r, x)) { return 0; } - rustsecp256k1_v0_1_1_fe_normalize_var(&r->y); - if (rustsecp256k1_v0_1_1_fe_is_odd(&r->y) != odd) { - rustsecp256k1_v0_1_1_fe_negate(&r->y, &r->y, 1); + rustsecp256k1_v0_1_2_fe_normalize_var(&r->y); + if (rustsecp256k1_v0_1_2_fe_is_odd(&r->y) != odd) { + rustsecp256k1_v0_1_2_fe_negate(&r->y, &r->y, 1); } return 1; } -static void rustsecp256k1_v0_1_1_gej_set_ge(rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_ge *a) { +static void rustsecp256k1_v0_1_2_gej_set_ge(rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_ge *a) { r->infinity = a->infinity; r->x = a->x; r->y = a->y; - rustsecp256k1_v0_1_1_fe_set_int(&r->z, 1); + rustsecp256k1_v0_1_2_fe_set_int(&r->z, 1); } -static int rustsecp256k1_v0_1_1_gej_eq_x_var(const rustsecp256k1_v0_1_1_fe *x, const rustsecp256k1_v0_1_1_gej *a) { - rustsecp256k1_v0_1_1_fe r, r2; +static int rustsecp256k1_v0_1_2_gej_eq_x_var(const rustsecp256k1_v0_1_2_fe *x, const rustsecp256k1_v0_1_2_gej *a) { + rustsecp256k1_v0_1_2_fe r, r2; VERIFY_CHECK(!a->infinity); - rustsecp256k1_v0_1_1_fe_sqr(&r, &a->z); rustsecp256k1_v0_1_1_fe_mul(&r, &r, x); - r2 = a->x; rustsecp256k1_v0_1_1_fe_normalize_weak(&r2); - return rustsecp256k1_v0_1_1_fe_equal_var(&r, &r2); + rustsecp256k1_v0_1_2_fe_sqr(&r, &a->z); rustsecp256k1_v0_1_2_fe_mul(&r, &r, x); + r2 = a->x; rustsecp256k1_v0_1_2_fe_normalize_weak(&r2); + return rustsecp256k1_v0_1_2_fe_equal_var(&r, &r2); } -static void rustsecp256k1_v0_1_1_gej_neg(rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_gej *a) { +static void rustsecp256k1_v0_1_2_gej_neg(rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_gej *a) { r->infinity = a->infinity; r->x = a->x; r->y = a->y; r->z = a->z; - rustsecp256k1_v0_1_1_fe_normalize_weak(&r->y); - rustsecp256k1_v0_1_1_fe_negate(&r->y, &r->y, 1); + rustsecp256k1_v0_1_2_fe_normalize_weak(&r->y); + rustsecp256k1_v0_1_2_fe_negate(&r->y, &r->y, 1); } -static int rustsecp256k1_v0_1_1_gej_is_infinity(const rustsecp256k1_v0_1_1_gej *a) { +static int rustsecp256k1_v0_1_2_gej_is_infinity(const rustsecp256k1_v0_1_2_gej *a) { return a->infinity; } -static int rustsecp256k1_v0_1_1_gej_is_valid_var(const rustsecp256k1_v0_1_1_gej *a) { - rustsecp256k1_v0_1_1_fe y2, x3, z2, z6; +static int rustsecp256k1_v0_1_2_gej_is_valid_var(const rustsecp256k1_v0_1_2_gej *a) { + rustsecp256k1_v0_1_2_fe y2, x3, z2, z6; if (a->infinity) { return 0; } @@ -279,31 +279,31 @@ static int rustsecp256k1_v0_1_1_gej_is_valid_var(const rustsecp256k1_v0_1_1_gej * Y^2 / Z^6 = X^3 / Z^6 + 7 * Y^2 = X^3 + 7*Z^6 */ - rustsecp256k1_v0_1_1_fe_sqr(&y2, &a->y); - rustsecp256k1_v0_1_1_fe_sqr(&x3, &a->x); rustsecp256k1_v0_1_1_fe_mul(&x3, &x3, &a->x); - rustsecp256k1_v0_1_1_fe_sqr(&z2, &a->z); - rustsecp256k1_v0_1_1_fe_sqr(&z6, &z2); rustsecp256k1_v0_1_1_fe_mul(&z6, &z6, &z2); - rustsecp256k1_v0_1_1_fe_mul_int(&z6, CURVE_B); - rustsecp256k1_v0_1_1_fe_add(&x3, &z6); - rustsecp256k1_v0_1_1_fe_normalize_weak(&x3); - return rustsecp256k1_v0_1_1_fe_equal_var(&y2, &x3); -} - -static int rustsecp256k1_v0_1_1_ge_is_valid_var(const rustsecp256k1_v0_1_1_ge *a) { - rustsecp256k1_v0_1_1_fe y2, x3, c; + rustsecp256k1_v0_1_2_fe_sqr(&y2, &a->y); + rustsecp256k1_v0_1_2_fe_sqr(&x3, &a->x); rustsecp256k1_v0_1_2_fe_mul(&x3, &x3, &a->x); + rustsecp256k1_v0_1_2_fe_sqr(&z2, &a->z); + rustsecp256k1_v0_1_2_fe_sqr(&z6, &z2); rustsecp256k1_v0_1_2_fe_mul(&z6, &z6, &z2); + rustsecp256k1_v0_1_2_fe_mul_int(&z6, CURVE_B); + rustsecp256k1_v0_1_2_fe_add(&x3, &z6); + rustsecp256k1_v0_1_2_fe_normalize_weak(&x3); + return rustsecp256k1_v0_1_2_fe_equal_var(&y2, &x3); +} + +static int rustsecp256k1_v0_1_2_ge_is_valid_var(const rustsecp256k1_v0_1_2_ge *a) { + rustsecp256k1_v0_1_2_fe y2, x3, c; if (a->infinity) { return 0; } /* y^2 = x^3 + 7 */ - rustsecp256k1_v0_1_1_fe_sqr(&y2, &a->y); - rustsecp256k1_v0_1_1_fe_sqr(&x3, &a->x); rustsecp256k1_v0_1_1_fe_mul(&x3, &x3, &a->x); - rustsecp256k1_v0_1_1_fe_set_int(&c, CURVE_B); - rustsecp256k1_v0_1_1_fe_add(&x3, &c); - rustsecp256k1_v0_1_1_fe_normalize_weak(&x3); - return rustsecp256k1_v0_1_1_fe_equal_var(&y2, &x3); + rustsecp256k1_v0_1_2_fe_sqr(&y2, &a->y); + rustsecp256k1_v0_1_2_fe_sqr(&x3, &a->x); rustsecp256k1_v0_1_2_fe_mul(&x3, &x3, &a->x); + rustsecp256k1_v0_1_2_fe_set_int(&c, CURVE_B); + rustsecp256k1_v0_1_2_fe_add(&x3, &c); + rustsecp256k1_v0_1_2_fe_normalize_weak(&x3); + return rustsecp256k1_v0_1_2_fe_equal_var(&y2, &x3); } -static void rustsecp256k1_v0_1_1_gej_double_var(rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_gej *a, rustsecp256k1_v0_1_1_fe *rzr) { +static SECP256K1_INLINE void rustsecp256k1_v0_1_2_gej_double_nonzero(rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_gej *a) { /* Operations: 3 mul, 4 sqr, 0 normalize, 12 mul_int/add/negate. * * Note that there is an implementation described at @@ -311,7 +311,34 @@ static void rustsecp256k1_v0_1_1_gej_double_var(rustsecp256k1_v0_1_1_gej *r, con * which trades a multiply for a square, but in practice this is actually slower, * mainly because it requires more normalizations. */ - rustsecp256k1_v0_1_1_fe t1,t2,t3,t4; + rustsecp256k1_v0_1_2_fe t1,t2,t3,t4; + + VERIFY_CHECK(!rustsecp256k1_v0_1_2_gej_is_infinity(a)); + r->infinity = 0; + + rustsecp256k1_v0_1_2_fe_mul(&r->z, &a->z, &a->y); + rustsecp256k1_v0_1_2_fe_mul_int(&r->z, 2); /* Z' = 2*Y*Z (2) */ + rustsecp256k1_v0_1_2_fe_sqr(&t1, &a->x); + rustsecp256k1_v0_1_2_fe_mul_int(&t1, 3); /* T1 = 3*X^2 (3) */ + rustsecp256k1_v0_1_2_fe_sqr(&t2, &t1); /* T2 = 9*X^4 (1) */ + rustsecp256k1_v0_1_2_fe_sqr(&t3, &a->y); + rustsecp256k1_v0_1_2_fe_mul_int(&t3, 2); /* T3 = 2*Y^2 (2) */ + rustsecp256k1_v0_1_2_fe_sqr(&t4, &t3); + rustsecp256k1_v0_1_2_fe_mul_int(&t4, 2); /* T4 = 8*Y^4 (2) */ + rustsecp256k1_v0_1_2_fe_mul(&t3, &t3, &a->x); /* T3 = 2*X*Y^2 (1) */ + r->x = t3; + rustsecp256k1_v0_1_2_fe_mul_int(&r->x, 4); /* X' = 8*X*Y^2 (4) */ + rustsecp256k1_v0_1_2_fe_negate(&r->x, &r->x, 4); /* X' = -8*X*Y^2 (5) */ + rustsecp256k1_v0_1_2_fe_add(&r->x, &t2); /* X' = 9*X^4 - 8*X*Y^2 (6) */ + rustsecp256k1_v0_1_2_fe_negate(&t2, &t2, 1); /* T2 = -9*X^4 (2) */ + rustsecp256k1_v0_1_2_fe_mul_int(&t3, 6); /* T3 = 12*X*Y^2 (6) */ + rustsecp256k1_v0_1_2_fe_add(&t3, &t2); /* T3 = 12*X*Y^2 - 9*X^4 (8) */ + rustsecp256k1_v0_1_2_fe_mul(&r->y, &t1, &t3); /* Y' = 36*X^3*Y^2 - 27*X^6 (1) */ + rustsecp256k1_v0_1_2_fe_negate(&t2, &t4, 2); /* T2 = -8*Y^4 (3) */ + rustsecp256k1_v0_1_2_fe_add(&r->y, &t2); /* Y' = 36*X^3*Y^2 - 27*X^6 - 8*Y^4 (4) */ +} + +static void rustsecp256k1_v0_1_2_gej_double_var(rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_gej *a, rustsecp256k1_v0_1_2_fe *rzr) { /** For secp256k1, 2Q is infinity if and only if Q is infinity. This is because if 2Q = infinity, * Q must equal -Q, or that Q.y == -(Q.y), or Q.y is 0. For a point on y^2 = x^3 + 7 to have * y=0, x^3 must be -7 mod p. However, -7 has no cube root mod p. @@ -322,50 +349,26 @@ static void rustsecp256k1_v0_1_1_gej_double_var(rustsecp256k1_v0_1_1_gej *r, con * the infinity flag even though the point doubles to infinity, and the result * point will be gibberish (z = 0 but infinity = 0). */ - r->infinity = a->infinity; - if (r->infinity) { + if (a->infinity) { + r->infinity = 1; if (rzr != NULL) { - rustsecp256k1_v0_1_1_fe_set_int(rzr, 1); + rustsecp256k1_v0_1_2_fe_set_int(rzr, 1); } return; } if (rzr != NULL) { *rzr = a->y; - rustsecp256k1_v0_1_1_fe_normalize_weak(rzr); - rustsecp256k1_v0_1_1_fe_mul_int(rzr, 2); + rustsecp256k1_v0_1_2_fe_normalize_weak(rzr); + rustsecp256k1_v0_1_2_fe_mul_int(rzr, 2); } - rustsecp256k1_v0_1_1_fe_mul(&r->z, &a->z, &a->y); - rustsecp256k1_v0_1_1_fe_mul_int(&r->z, 2); /* Z' = 2*Y*Z (2) */ - rustsecp256k1_v0_1_1_fe_sqr(&t1, &a->x); - rustsecp256k1_v0_1_1_fe_mul_int(&t1, 3); /* T1 = 3*X^2 (3) */ - rustsecp256k1_v0_1_1_fe_sqr(&t2, &t1); /* T2 = 9*X^4 (1) */ - rustsecp256k1_v0_1_1_fe_sqr(&t3, &a->y); - rustsecp256k1_v0_1_1_fe_mul_int(&t3, 2); /* T3 = 2*Y^2 (2) */ - rustsecp256k1_v0_1_1_fe_sqr(&t4, &t3); - rustsecp256k1_v0_1_1_fe_mul_int(&t4, 2); /* T4 = 8*Y^4 (2) */ - rustsecp256k1_v0_1_1_fe_mul(&t3, &t3, &a->x); /* T3 = 2*X*Y^2 (1) */ - r->x = t3; - rustsecp256k1_v0_1_1_fe_mul_int(&r->x, 4); /* X' = 8*X*Y^2 (4) */ - rustsecp256k1_v0_1_1_fe_negate(&r->x, &r->x, 4); /* X' = -8*X*Y^2 (5) */ - rustsecp256k1_v0_1_1_fe_add(&r->x, &t2); /* X' = 9*X^4 - 8*X*Y^2 (6) */ - rustsecp256k1_v0_1_1_fe_negate(&t2, &t2, 1); /* T2 = -9*X^4 (2) */ - rustsecp256k1_v0_1_1_fe_mul_int(&t3, 6); /* T3 = 12*X*Y^2 (6) */ - rustsecp256k1_v0_1_1_fe_add(&t3, &t2); /* T3 = 12*X*Y^2 - 9*X^4 (8) */ - rustsecp256k1_v0_1_1_fe_mul(&r->y, &t1, &t3); /* Y' = 36*X^3*Y^2 - 27*X^6 (1) */ - rustsecp256k1_v0_1_1_fe_negate(&t2, &t4, 2); /* T2 = -8*Y^4 (3) */ - rustsecp256k1_v0_1_1_fe_add(&r->y, &t2); /* Y' = 36*X^3*Y^2 - 27*X^6 - 8*Y^4 (4) */ -} - -static SECP256K1_INLINE void rustsecp256k1_v0_1_1_gej_double_nonzero(rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_gej *a, rustsecp256k1_v0_1_1_fe *rzr) { - VERIFY_CHECK(!rustsecp256k1_v0_1_1_gej_is_infinity(a)); - rustsecp256k1_v0_1_1_gej_double_var(r, a, rzr); + rustsecp256k1_v0_1_2_gej_double_nonzero(r, a); } -static void rustsecp256k1_v0_1_1_gej_add_var(rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_gej *a, const rustsecp256k1_v0_1_1_gej *b, rustsecp256k1_v0_1_1_fe *rzr) { +static void rustsecp256k1_v0_1_2_gej_add_var(rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_gej *a, const rustsecp256k1_v0_1_2_gej *b, rustsecp256k1_v0_1_2_fe *rzr) { /* Operations: 12 mul, 4 sqr, 2 normalize, 12 mul_int/add/negate */ - rustsecp256k1_v0_1_1_fe z22, z12, u1, u2, s1, s2, h, i, i2, h2, h3, t; + rustsecp256k1_v0_1_2_fe z22, z12, u1, u2, s1, s2, h, i, i2, h2, h3, t; if (a->infinity) { VERIFY_CHECK(rzr == NULL); @@ -375,112 +378,112 @@ static void rustsecp256k1_v0_1_1_gej_add_var(rustsecp256k1_v0_1_1_gej *r, const if (b->infinity) { if (rzr != NULL) { - rustsecp256k1_v0_1_1_fe_set_int(rzr, 1); + rustsecp256k1_v0_1_2_fe_set_int(rzr, 1); } *r = *a; return; } r->infinity = 0; - rustsecp256k1_v0_1_1_fe_sqr(&z22, &b->z); - rustsecp256k1_v0_1_1_fe_sqr(&z12, &a->z); - rustsecp256k1_v0_1_1_fe_mul(&u1, &a->x, &z22); - rustsecp256k1_v0_1_1_fe_mul(&u2, &b->x, &z12); - rustsecp256k1_v0_1_1_fe_mul(&s1, &a->y, &z22); rustsecp256k1_v0_1_1_fe_mul(&s1, &s1, &b->z); - rustsecp256k1_v0_1_1_fe_mul(&s2, &b->y, &z12); rustsecp256k1_v0_1_1_fe_mul(&s2, &s2, &a->z); - rustsecp256k1_v0_1_1_fe_negate(&h, &u1, 1); rustsecp256k1_v0_1_1_fe_add(&h, &u2); - rustsecp256k1_v0_1_1_fe_negate(&i, &s1, 1); rustsecp256k1_v0_1_1_fe_add(&i, &s2); - if (rustsecp256k1_v0_1_1_fe_normalizes_to_zero_var(&h)) { - if (rustsecp256k1_v0_1_1_fe_normalizes_to_zero_var(&i)) { - rustsecp256k1_v0_1_1_gej_double_var(r, a, rzr); + rustsecp256k1_v0_1_2_fe_sqr(&z22, &b->z); + rustsecp256k1_v0_1_2_fe_sqr(&z12, &a->z); + rustsecp256k1_v0_1_2_fe_mul(&u1, &a->x, &z22); + rustsecp256k1_v0_1_2_fe_mul(&u2, &b->x, &z12); + rustsecp256k1_v0_1_2_fe_mul(&s1, &a->y, &z22); rustsecp256k1_v0_1_2_fe_mul(&s1, &s1, &b->z); + rustsecp256k1_v0_1_2_fe_mul(&s2, &b->y, &z12); rustsecp256k1_v0_1_2_fe_mul(&s2, &s2, &a->z); + rustsecp256k1_v0_1_2_fe_negate(&h, &u1, 1); rustsecp256k1_v0_1_2_fe_add(&h, &u2); + rustsecp256k1_v0_1_2_fe_negate(&i, &s1, 1); rustsecp256k1_v0_1_2_fe_add(&i, &s2); + if (rustsecp256k1_v0_1_2_fe_normalizes_to_zero_var(&h)) { + if (rustsecp256k1_v0_1_2_fe_normalizes_to_zero_var(&i)) { + rustsecp256k1_v0_1_2_gej_double_var(r, a, rzr); } else { if (rzr != NULL) { - rustsecp256k1_v0_1_1_fe_set_int(rzr, 0); + rustsecp256k1_v0_1_2_fe_set_int(rzr, 0); } r->infinity = 1; } return; } - rustsecp256k1_v0_1_1_fe_sqr(&i2, &i); - rustsecp256k1_v0_1_1_fe_sqr(&h2, &h); - rustsecp256k1_v0_1_1_fe_mul(&h3, &h, &h2); - rustsecp256k1_v0_1_1_fe_mul(&h, &h, &b->z); + rustsecp256k1_v0_1_2_fe_sqr(&i2, &i); + rustsecp256k1_v0_1_2_fe_sqr(&h2, &h); + rustsecp256k1_v0_1_2_fe_mul(&h3, &h, &h2); + rustsecp256k1_v0_1_2_fe_mul(&h, &h, &b->z); if (rzr != NULL) { *rzr = h; } - rustsecp256k1_v0_1_1_fe_mul(&r->z, &a->z, &h); - rustsecp256k1_v0_1_1_fe_mul(&t, &u1, &h2); - r->x = t; rustsecp256k1_v0_1_1_fe_mul_int(&r->x, 2); rustsecp256k1_v0_1_1_fe_add(&r->x, &h3); rustsecp256k1_v0_1_1_fe_negate(&r->x, &r->x, 3); rustsecp256k1_v0_1_1_fe_add(&r->x, &i2); - rustsecp256k1_v0_1_1_fe_negate(&r->y, &r->x, 5); rustsecp256k1_v0_1_1_fe_add(&r->y, &t); rustsecp256k1_v0_1_1_fe_mul(&r->y, &r->y, &i); - rustsecp256k1_v0_1_1_fe_mul(&h3, &h3, &s1); rustsecp256k1_v0_1_1_fe_negate(&h3, &h3, 1); - rustsecp256k1_v0_1_1_fe_add(&r->y, &h3); + rustsecp256k1_v0_1_2_fe_mul(&r->z, &a->z, &h); + rustsecp256k1_v0_1_2_fe_mul(&t, &u1, &h2); + r->x = t; rustsecp256k1_v0_1_2_fe_mul_int(&r->x, 2); rustsecp256k1_v0_1_2_fe_add(&r->x, &h3); rustsecp256k1_v0_1_2_fe_negate(&r->x, &r->x, 3); rustsecp256k1_v0_1_2_fe_add(&r->x, &i2); + rustsecp256k1_v0_1_2_fe_negate(&r->y, &r->x, 5); rustsecp256k1_v0_1_2_fe_add(&r->y, &t); rustsecp256k1_v0_1_2_fe_mul(&r->y, &r->y, &i); + rustsecp256k1_v0_1_2_fe_mul(&h3, &h3, &s1); rustsecp256k1_v0_1_2_fe_negate(&h3, &h3, 1); + rustsecp256k1_v0_1_2_fe_add(&r->y, &h3); } -static void rustsecp256k1_v0_1_1_gej_add_ge_var(rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_gej *a, const rustsecp256k1_v0_1_1_ge *b, rustsecp256k1_v0_1_1_fe *rzr) { +static void rustsecp256k1_v0_1_2_gej_add_ge_var(rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_gej *a, const rustsecp256k1_v0_1_2_ge *b, rustsecp256k1_v0_1_2_fe *rzr) { /* 8 mul, 3 sqr, 4 normalize, 12 mul_int/add/negate */ - rustsecp256k1_v0_1_1_fe z12, u1, u2, s1, s2, h, i, i2, h2, h3, t; + rustsecp256k1_v0_1_2_fe z12, u1, u2, s1, s2, h, i, i2, h2, h3, t; if (a->infinity) { VERIFY_CHECK(rzr == NULL); - rustsecp256k1_v0_1_1_gej_set_ge(r, b); + rustsecp256k1_v0_1_2_gej_set_ge(r, b); return; } if (b->infinity) { if (rzr != NULL) { - rustsecp256k1_v0_1_1_fe_set_int(rzr, 1); + rustsecp256k1_v0_1_2_fe_set_int(rzr, 1); } *r = *a; return; } r->infinity = 0; - rustsecp256k1_v0_1_1_fe_sqr(&z12, &a->z); - u1 = a->x; rustsecp256k1_v0_1_1_fe_normalize_weak(&u1); - rustsecp256k1_v0_1_1_fe_mul(&u2, &b->x, &z12); - s1 = a->y; rustsecp256k1_v0_1_1_fe_normalize_weak(&s1); - rustsecp256k1_v0_1_1_fe_mul(&s2, &b->y, &z12); rustsecp256k1_v0_1_1_fe_mul(&s2, &s2, &a->z); - rustsecp256k1_v0_1_1_fe_negate(&h, &u1, 1); rustsecp256k1_v0_1_1_fe_add(&h, &u2); - rustsecp256k1_v0_1_1_fe_negate(&i, &s1, 1); rustsecp256k1_v0_1_1_fe_add(&i, &s2); - if (rustsecp256k1_v0_1_1_fe_normalizes_to_zero_var(&h)) { - if (rustsecp256k1_v0_1_1_fe_normalizes_to_zero_var(&i)) { - rustsecp256k1_v0_1_1_gej_double_var(r, a, rzr); + rustsecp256k1_v0_1_2_fe_sqr(&z12, &a->z); + u1 = a->x; rustsecp256k1_v0_1_2_fe_normalize_weak(&u1); + rustsecp256k1_v0_1_2_fe_mul(&u2, &b->x, &z12); + s1 = a->y; rustsecp256k1_v0_1_2_fe_normalize_weak(&s1); + rustsecp256k1_v0_1_2_fe_mul(&s2, &b->y, &z12); rustsecp256k1_v0_1_2_fe_mul(&s2, &s2, &a->z); + rustsecp256k1_v0_1_2_fe_negate(&h, &u1, 1); rustsecp256k1_v0_1_2_fe_add(&h, &u2); + rustsecp256k1_v0_1_2_fe_negate(&i, &s1, 1); rustsecp256k1_v0_1_2_fe_add(&i, &s2); + if (rustsecp256k1_v0_1_2_fe_normalizes_to_zero_var(&h)) { + if (rustsecp256k1_v0_1_2_fe_normalizes_to_zero_var(&i)) { + rustsecp256k1_v0_1_2_gej_double_var(r, a, rzr); } else { if (rzr != NULL) { - rustsecp256k1_v0_1_1_fe_set_int(rzr, 0); + rustsecp256k1_v0_1_2_fe_set_int(rzr, 0); } r->infinity = 1; } return; } - rustsecp256k1_v0_1_1_fe_sqr(&i2, &i); - rustsecp256k1_v0_1_1_fe_sqr(&h2, &h); - rustsecp256k1_v0_1_1_fe_mul(&h3, &h, &h2); + rustsecp256k1_v0_1_2_fe_sqr(&i2, &i); + rustsecp256k1_v0_1_2_fe_sqr(&h2, &h); + rustsecp256k1_v0_1_2_fe_mul(&h3, &h, &h2); if (rzr != NULL) { *rzr = h; } - rustsecp256k1_v0_1_1_fe_mul(&r->z, &a->z, &h); - rustsecp256k1_v0_1_1_fe_mul(&t, &u1, &h2); - r->x = t; rustsecp256k1_v0_1_1_fe_mul_int(&r->x, 2); rustsecp256k1_v0_1_1_fe_add(&r->x, &h3); rustsecp256k1_v0_1_1_fe_negate(&r->x, &r->x, 3); rustsecp256k1_v0_1_1_fe_add(&r->x, &i2); - rustsecp256k1_v0_1_1_fe_negate(&r->y, &r->x, 5); rustsecp256k1_v0_1_1_fe_add(&r->y, &t); rustsecp256k1_v0_1_1_fe_mul(&r->y, &r->y, &i); - rustsecp256k1_v0_1_1_fe_mul(&h3, &h3, &s1); rustsecp256k1_v0_1_1_fe_negate(&h3, &h3, 1); - rustsecp256k1_v0_1_1_fe_add(&r->y, &h3); + rustsecp256k1_v0_1_2_fe_mul(&r->z, &a->z, &h); + rustsecp256k1_v0_1_2_fe_mul(&t, &u1, &h2); + r->x = t; rustsecp256k1_v0_1_2_fe_mul_int(&r->x, 2); rustsecp256k1_v0_1_2_fe_add(&r->x, &h3); rustsecp256k1_v0_1_2_fe_negate(&r->x, &r->x, 3); rustsecp256k1_v0_1_2_fe_add(&r->x, &i2); + rustsecp256k1_v0_1_2_fe_negate(&r->y, &r->x, 5); rustsecp256k1_v0_1_2_fe_add(&r->y, &t); rustsecp256k1_v0_1_2_fe_mul(&r->y, &r->y, &i); + rustsecp256k1_v0_1_2_fe_mul(&h3, &h3, &s1); rustsecp256k1_v0_1_2_fe_negate(&h3, &h3, 1); + rustsecp256k1_v0_1_2_fe_add(&r->y, &h3); } -static void rustsecp256k1_v0_1_1_gej_add_zinv_var(rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_gej *a, const rustsecp256k1_v0_1_1_ge *b, const rustsecp256k1_v0_1_1_fe *bzinv) { +static void rustsecp256k1_v0_1_2_gej_add_zinv_var(rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_gej *a, const rustsecp256k1_v0_1_2_ge *b, const rustsecp256k1_v0_1_2_fe *bzinv) { /* 9 mul, 3 sqr, 4 normalize, 12 mul_int/add/negate */ - rustsecp256k1_v0_1_1_fe az, z12, u1, u2, s1, s2, h, i, i2, h2, h3, t; + rustsecp256k1_v0_1_2_fe az, z12, u1, u2, s1, s2, h, i, i2, h2, h3, t; if (b->infinity) { *r = *a; return; } if (a->infinity) { - rustsecp256k1_v0_1_1_fe bzinv2, bzinv3; + rustsecp256k1_v0_1_2_fe bzinv2, bzinv3; r->infinity = b->infinity; - rustsecp256k1_v0_1_1_fe_sqr(&bzinv2, bzinv); - rustsecp256k1_v0_1_1_fe_mul(&bzinv3, &bzinv2, bzinv); - rustsecp256k1_v0_1_1_fe_mul(&r->x, &b->x, &bzinv2); - rustsecp256k1_v0_1_1_fe_mul(&r->y, &b->y, &bzinv3); - rustsecp256k1_v0_1_1_fe_set_int(&r->z, 1); + rustsecp256k1_v0_1_2_fe_sqr(&bzinv2, bzinv); + rustsecp256k1_v0_1_2_fe_mul(&bzinv3, &bzinv2, bzinv); + rustsecp256k1_v0_1_2_fe_mul(&r->x, &b->x, &bzinv2); + rustsecp256k1_v0_1_2_fe_mul(&r->y, &b->y, &bzinv3); + rustsecp256k1_v0_1_2_fe_set_int(&r->z, 1); return; } r->infinity = 0; @@ -493,40 +496,40 @@ static void rustsecp256k1_v0_1_1_gej_add_zinv_var(rustsecp256k1_v0_1_1_gej *r, c * The variable az below holds the modified Z coordinate for a, which is used * for the computation of rx and ry, but not for rz. */ - rustsecp256k1_v0_1_1_fe_mul(&az, &a->z, bzinv); - - rustsecp256k1_v0_1_1_fe_sqr(&z12, &az); - u1 = a->x; rustsecp256k1_v0_1_1_fe_normalize_weak(&u1); - rustsecp256k1_v0_1_1_fe_mul(&u2, &b->x, &z12); - s1 = a->y; rustsecp256k1_v0_1_1_fe_normalize_weak(&s1); - rustsecp256k1_v0_1_1_fe_mul(&s2, &b->y, &z12); rustsecp256k1_v0_1_1_fe_mul(&s2, &s2, &az); - rustsecp256k1_v0_1_1_fe_negate(&h, &u1, 1); rustsecp256k1_v0_1_1_fe_add(&h, &u2); - rustsecp256k1_v0_1_1_fe_negate(&i, &s1, 1); rustsecp256k1_v0_1_1_fe_add(&i, &s2); - if (rustsecp256k1_v0_1_1_fe_normalizes_to_zero_var(&h)) { - if (rustsecp256k1_v0_1_1_fe_normalizes_to_zero_var(&i)) { - rustsecp256k1_v0_1_1_gej_double_var(r, a, NULL); + rustsecp256k1_v0_1_2_fe_mul(&az, &a->z, bzinv); + + rustsecp256k1_v0_1_2_fe_sqr(&z12, &az); + u1 = a->x; rustsecp256k1_v0_1_2_fe_normalize_weak(&u1); + rustsecp256k1_v0_1_2_fe_mul(&u2, &b->x, &z12); + s1 = a->y; rustsecp256k1_v0_1_2_fe_normalize_weak(&s1); + rustsecp256k1_v0_1_2_fe_mul(&s2, &b->y, &z12); rustsecp256k1_v0_1_2_fe_mul(&s2, &s2, &az); + rustsecp256k1_v0_1_2_fe_negate(&h, &u1, 1); rustsecp256k1_v0_1_2_fe_add(&h, &u2); + rustsecp256k1_v0_1_2_fe_negate(&i, &s1, 1); rustsecp256k1_v0_1_2_fe_add(&i, &s2); + if (rustsecp256k1_v0_1_2_fe_normalizes_to_zero_var(&h)) { + if (rustsecp256k1_v0_1_2_fe_normalizes_to_zero_var(&i)) { + rustsecp256k1_v0_1_2_gej_double_var(r, a, NULL); } else { r->infinity = 1; } return; } - rustsecp256k1_v0_1_1_fe_sqr(&i2, &i); - rustsecp256k1_v0_1_1_fe_sqr(&h2, &h); - rustsecp256k1_v0_1_1_fe_mul(&h3, &h, &h2); - r->z = a->z; rustsecp256k1_v0_1_1_fe_mul(&r->z, &r->z, &h); - rustsecp256k1_v0_1_1_fe_mul(&t, &u1, &h2); - r->x = t; rustsecp256k1_v0_1_1_fe_mul_int(&r->x, 2); rustsecp256k1_v0_1_1_fe_add(&r->x, &h3); rustsecp256k1_v0_1_1_fe_negate(&r->x, &r->x, 3); rustsecp256k1_v0_1_1_fe_add(&r->x, &i2); - rustsecp256k1_v0_1_1_fe_negate(&r->y, &r->x, 5); rustsecp256k1_v0_1_1_fe_add(&r->y, &t); rustsecp256k1_v0_1_1_fe_mul(&r->y, &r->y, &i); - rustsecp256k1_v0_1_1_fe_mul(&h3, &h3, &s1); rustsecp256k1_v0_1_1_fe_negate(&h3, &h3, 1); - rustsecp256k1_v0_1_1_fe_add(&r->y, &h3); + rustsecp256k1_v0_1_2_fe_sqr(&i2, &i); + rustsecp256k1_v0_1_2_fe_sqr(&h2, &h); + rustsecp256k1_v0_1_2_fe_mul(&h3, &h, &h2); + r->z = a->z; rustsecp256k1_v0_1_2_fe_mul(&r->z, &r->z, &h); + rustsecp256k1_v0_1_2_fe_mul(&t, &u1, &h2); + r->x = t; rustsecp256k1_v0_1_2_fe_mul_int(&r->x, 2); rustsecp256k1_v0_1_2_fe_add(&r->x, &h3); rustsecp256k1_v0_1_2_fe_negate(&r->x, &r->x, 3); rustsecp256k1_v0_1_2_fe_add(&r->x, &i2); + rustsecp256k1_v0_1_2_fe_negate(&r->y, &r->x, 5); rustsecp256k1_v0_1_2_fe_add(&r->y, &t); rustsecp256k1_v0_1_2_fe_mul(&r->y, &r->y, &i); + rustsecp256k1_v0_1_2_fe_mul(&h3, &h3, &s1); rustsecp256k1_v0_1_2_fe_negate(&h3, &h3, 1); + rustsecp256k1_v0_1_2_fe_add(&r->y, &h3); } -static void rustsecp256k1_v0_1_1_gej_add_ge(rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_gej *a, const rustsecp256k1_v0_1_1_ge *b) { +static void rustsecp256k1_v0_1_2_gej_add_ge(rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_gej *a, const rustsecp256k1_v0_1_2_ge *b) { /* Operations: 7 mul, 5 sqr, 4 normalize, 21 mul_int/add/negate/cmov */ - static const rustsecp256k1_v0_1_1_fe fe_1 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1); - rustsecp256k1_v0_1_1_fe zz, u1, u2, s1, s2, t, tt, m, n, q, rr; - rustsecp256k1_v0_1_1_fe m_alt, rr_alt; + static const rustsecp256k1_v0_1_2_fe fe_1 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1); + rustsecp256k1_v0_1_2_fe zz, u1, u2, s1, s2, t, tt, m, n, q, rr; + rustsecp256k1_v0_1_2_fe m_alt, rr_alt; int infinity, degenerate; VERIFY_CHECK(!b->infinity); VERIFY_CHECK(a->infinity == 0 || a->infinity == 1); @@ -581,115 +584,115 @@ static void rustsecp256k1_v0_1_1_gej_add_ge(rustsecp256k1_v0_1_1_gej *r, const r * so this covers everything. */ - rustsecp256k1_v0_1_1_fe_sqr(&zz, &a->z); /* z = Z1^2 */ - u1 = a->x; rustsecp256k1_v0_1_1_fe_normalize_weak(&u1); /* u1 = U1 = X1*Z2^2 (1) */ - rustsecp256k1_v0_1_1_fe_mul(&u2, &b->x, &zz); /* u2 = U2 = X2*Z1^2 (1) */ - s1 = a->y; rustsecp256k1_v0_1_1_fe_normalize_weak(&s1); /* s1 = S1 = Y1*Z2^3 (1) */ - rustsecp256k1_v0_1_1_fe_mul(&s2, &b->y, &zz); /* s2 = Y2*Z1^2 (1) */ - rustsecp256k1_v0_1_1_fe_mul(&s2, &s2, &a->z); /* s2 = S2 = Y2*Z1^3 (1) */ - t = u1; rustsecp256k1_v0_1_1_fe_add(&t, &u2); /* t = T = U1+U2 (2) */ - m = s1; rustsecp256k1_v0_1_1_fe_add(&m, &s2); /* m = M = S1+S2 (2) */ - rustsecp256k1_v0_1_1_fe_sqr(&rr, &t); /* rr = T^2 (1) */ - rustsecp256k1_v0_1_1_fe_negate(&m_alt, &u2, 1); /* Malt = -X2*Z1^2 */ - rustsecp256k1_v0_1_1_fe_mul(&tt, &u1, &m_alt); /* tt = -U1*U2 (2) */ - rustsecp256k1_v0_1_1_fe_add(&rr, &tt); /* rr = R = T^2-U1*U2 (3) */ + rustsecp256k1_v0_1_2_fe_sqr(&zz, &a->z); /* z = Z1^2 */ + u1 = a->x; rustsecp256k1_v0_1_2_fe_normalize_weak(&u1); /* u1 = U1 = X1*Z2^2 (1) */ + rustsecp256k1_v0_1_2_fe_mul(&u2, &b->x, &zz); /* u2 = U2 = X2*Z1^2 (1) */ + s1 = a->y; rustsecp256k1_v0_1_2_fe_normalize_weak(&s1); /* s1 = S1 = Y1*Z2^3 (1) */ + rustsecp256k1_v0_1_2_fe_mul(&s2, &b->y, &zz); /* s2 = Y2*Z1^2 (1) */ + rustsecp256k1_v0_1_2_fe_mul(&s2, &s2, &a->z); /* s2 = S2 = Y2*Z1^3 (1) */ + t = u1; rustsecp256k1_v0_1_2_fe_add(&t, &u2); /* t = T = U1+U2 (2) */ + m = s1; rustsecp256k1_v0_1_2_fe_add(&m, &s2); /* m = M = S1+S2 (2) */ + rustsecp256k1_v0_1_2_fe_sqr(&rr, &t); /* rr = T^2 (1) */ + rustsecp256k1_v0_1_2_fe_negate(&m_alt, &u2, 1); /* Malt = -X2*Z1^2 */ + rustsecp256k1_v0_1_2_fe_mul(&tt, &u1, &m_alt); /* tt = -U1*U2 (2) */ + rustsecp256k1_v0_1_2_fe_add(&rr, &tt); /* rr = R = T^2-U1*U2 (3) */ /** If lambda = R/M = 0/0 we have a problem (except in the "trivial" * case that Z = z1z2 = 0, and this is special-cased later on). */ - degenerate = rustsecp256k1_v0_1_1_fe_normalizes_to_zero(&m) & - rustsecp256k1_v0_1_1_fe_normalizes_to_zero(&rr); + degenerate = rustsecp256k1_v0_1_2_fe_normalizes_to_zero(&m) & + rustsecp256k1_v0_1_2_fe_normalizes_to_zero(&rr); /* This only occurs when y1 == -y2 and x1^3 == x2^3, but x1 != x2. * This means either x1 == beta*x2 or beta*x1 == x2, where beta is * a nontrivial cube root of one. In either case, an alternate * non-indeterminate expression for lambda is (y1 - y2)/(x1 - x2), * so we set R/M equal to this. */ rr_alt = s1; - rustsecp256k1_v0_1_1_fe_mul_int(&rr_alt, 2); /* rr = Y1*Z2^3 - Y2*Z1^3 (2) */ - rustsecp256k1_v0_1_1_fe_add(&m_alt, &u1); /* Malt = X1*Z2^2 - X2*Z1^2 */ + rustsecp256k1_v0_1_2_fe_mul_int(&rr_alt, 2); /* rr = Y1*Z2^3 - Y2*Z1^3 (2) */ + rustsecp256k1_v0_1_2_fe_add(&m_alt, &u1); /* Malt = X1*Z2^2 - X2*Z1^2 */ - rustsecp256k1_v0_1_1_fe_cmov(&rr_alt, &rr, !degenerate); - rustsecp256k1_v0_1_1_fe_cmov(&m_alt, &m, !degenerate); + rustsecp256k1_v0_1_2_fe_cmov(&rr_alt, &rr, !degenerate); + rustsecp256k1_v0_1_2_fe_cmov(&m_alt, &m, !degenerate); /* Now Ralt / Malt = lambda and is guaranteed not to be 0/0. * From here on out Ralt and Malt represent the numerator * and denominator of lambda; R and M represent the explicit * expressions x1^2 + x2^2 + x1x2 and y1 + y2. */ - rustsecp256k1_v0_1_1_fe_sqr(&n, &m_alt); /* n = Malt^2 (1) */ - rustsecp256k1_v0_1_1_fe_mul(&q, &n, &t); /* q = Q = T*Malt^2 (1) */ + rustsecp256k1_v0_1_2_fe_sqr(&n, &m_alt); /* n = Malt^2 (1) */ + rustsecp256k1_v0_1_2_fe_mul(&q, &n, &t); /* q = Q = T*Malt^2 (1) */ /* These two lines use the observation that either M == Malt or M == 0, * so M^3 * Malt is either Malt^4 (which is computed by squaring), or * zero (which is "computed" by cmov). So the cost is one squaring * versus two multiplications. */ - rustsecp256k1_v0_1_1_fe_sqr(&n, &n); - rustsecp256k1_v0_1_1_fe_cmov(&n, &m, degenerate); /* n = M^3 * Malt (2) */ - rustsecp256k1_v0_1_1_fe_sqr(&t, &rr_alt); /* t = Ralt^2 (1) */ - rustsecp256k1_v0_1_1_fe_mul(&r->z, &a->z, &m_alt); /* r->z = Malt*Z (1) */ - infinity = rustsecp256k1_v0_1_1_fe_normalizes_to_zero(&r->z) * (1 - a->infinity); - rustsecp256k1_v0_1_1_fe_mul_int(&r->z, 2); /* r->z = Z3 = 2*Malt*Z (2) */ - rustsecp256k1_v0_1_1_fe_negate(&q, &q, 1); /* q = -Q (2) */ - rustsecp256k1_v0_1_1_fe_add(&t, &q); /* t = Ralt^2-Q (3) */ - rustsecp256k1_v0_1_1_fe_normalize_weak(&t); + rustsecp256k1_v0_1_2_fe_sqr(&n, &n); + rustsecp256k1_v0_1_2_fe_cmov(&n, &m, degenerate); /* n = M^3 * Malt (2) */ + rustsecp256k1_v0_1_2_fe_sqr(&t, &rr_alt); /* t = Ralt^2 (1) */ + rustsecp256k1_v0_1_2_fe_mul(&r->z, &a->z, &m_alt); /* r->z = Malt*Z (1) */ + infinity = rustsecp256k1_v0_1_2_fe_normalizes_to_zero(&r->z) * (1 - a->infinity); + rustsecp256k1_v0_1_2_fe_mul_int(&r->z, 2); /* r->z = Z3 = 2*Malt*Z (2) */ + rustsecp256k1_v0_1_2_fe_negate(&q, &q, 1); /* q = -Q (2) */ + rustsecp256k1_v0_1_2_fe_add(&t, &q); /* t = Ralt^2-Q (3) */ + rustsecp256k1_v0_1_2_fe_normalize_weak(&t); r->x = t; /* r->x = Ralt^2-Q (1) */ - rustsecp256k1_v0_1_1_fe_mul_int(&t, 2); /* t = 2*x3 (2) */ - rustsecp256k1_v0_1_1_fe_add(&t, &q); /* t = 2*x3 - Q: (4) */ - rustsecp256k1_v0_1_1_fe_mul(&t, &t, &rr_alt); /* t = Ralt*(2*x3 - Q) (1) */ - rustsecp256k1_v0_1_1_fe_add(&t, &n); /* t = Ralt*(2*x3 - Q) + M^3*Malt (3) */ - rustsecp256k1_v0_1_1_fe_negate(&r->y, &t, 3); /* r->y = Ralt*(Q - 2x3) - M^3*Malt (4) */ - rustsecp256k1_v0_1_1_fe_normalize_weak(&r->y); - rustsecp256k1_v0_1_1_fe_mul_int(&r->x, 4); /* r->x = X3 = 4*(Ralt^2-Q) */ - rustsecp256k1_v0_1_1_fe_mul_int(&r->y, 4); /* r->y = Y3 = 4*Ralt*(Q - 2x3) - 4*M^3*Malt (4) */ + rustsecp256k1_v0_1_2_fe_mul_int(&t, 2); /* t = 2*x3 (2) */ + rustsecp256k1_v0_1_2_fe_add(&t, &q); /* t = 2*x3 - Q: (4) */ + rustsecp256k1_v0_1_2_fe_mul(&t, &t, &rr_alt); /* t = Ralt*(2*x3 - Q) (1) */ + rustsecp256k1_v0_1_2_fe_add(&t, &n); /* t = Ralt*(2*x3 - Q) + M^3*Malt (3) */ + rustsecp256k1_v0_1_2_fe_negate(&r->y, &t, 3); /* r->y = Ralt*(Q - 2x3) - M^3*Malt (4) */ + rustsecp256k1_v0_1_2_fe_normalize_weak(&r->y); + rustsecp256k1_v0_1_2_fe_mul_int(&r->x, 4); /* r->x = X3 = 4*(Ralt^2-Q) */ + rustsecp256k1_v0_1_2_fe_mul_int(&r->y, 4); /* r->y = Y3 = 4*Ralt*(Q - 2x3) - 4*M^3*Malt (4) */ /** In case a->infinity == 1, replace r with (b->x, b->y, 1). */ - rustsecp256k1_v0_1_1_fe_cmov(&r->x, &b->x, a->infinity); - rustsecp256k1_v0_1_1_fe_cmov(&r->y, &b->y, a->infinity); - rustsecp256k1_v0_1_1_fe_cmov(&r->z, &fe_1, a->infinity); + rustsecp256k1_v0_1_2_fe_cmov(&r->x, &b->x, a->infinity); + rustsecp256k1_v0_1_2_fe_cmov(&r->y, &b->y, a->infinity); + rustsecp256k1_v0_1_2_fe_cmov(&r->z, &fe_1, a->infinity); r->infinity = infinity; } -static void rustsecp256k1_v0_1_1_gej_rescale(rustsecp256k1_v0_1_1_gej *r, const rustsecp256k1_v0_1_1_fe *s) { +static void rustsecp256k1_v0_1_2_gej_rescale(rustsecp256k1_v0_1_2_gej *r, const rustsecp256k1_v0_1_2_fe *s) { /* Operations: 4 mul, 1 sqr */ - rustsecp256k1_v0_1_1_fe zz; - VERIFY_CHECK(!rustsecp256k1_v0_1_1_fe_is_zero(s)); - rustsecp256k1_v0_1_1_fe_sqr(&zz, s); - rustsecp256k1_v0_1_1_fe_mul(&r->x, &r->x, &zz); /* r->x *= s^2 */ - rustsecp256k1_v0_1_1_fe_mul(&r->y, &r->y, &zz); - rustsecp256k1_v0_1_1_fe_mul(&r->y, &r->y, s); /* r->y *= s^3 */ - rustsecp256k1_v0_1_1_fe_mul(&r->z, &r->z, s); /* r->z *= s */ + rustsecp256k1_v0_1_2_fe zz; + VERIFY_CHECK(!rustsecp256k1_v0_1_2_fe_is_zero(s)); + rustsecp256k1_v0_1_2_fe_sqr(&zz, s); + rustsecp256k1_v0_1_2_fe_mul(&r->x, &r->x, &zz); /* r->x *= s^2 */ + rustsecp256k1_v0_1_2_fe_mul(&r->y, &r->y, &zz); + rustsecp256k1_v0_1_2_fe_mul(&r->y, &r->y, s); /* r->y *= s^3 */ + rustsecp256k1_v0_1_2_fe_mul(&r->z, &r->z, s); /* r->z *= s */ } -static void rustsecp256k1_v0_1_1_ge_to_storage(rustsecp256k1_v0_1_1_ge_storage *r, const rustsecp256k1_v0_1_1_ge *a) { - rustsecp256k1_v0_1_1_fe x, y; +static void rustsecp256k1_v0_1_2_ge_to_storage(rustsecp256k1_v0_1_2_ge_storage *r, const rustsecp256k1_v0_1_2_ge *a) { + rustsecp256k1_v0_1_2_fe x, y; VERIFY_CHECK(!a->infinity); x = a->x; - rustsecp256k1_v0_1_1_fe_normalize(&x); + rustsecp256k1_v0_1_2_fe_normalize(&x); y = a->y; - rustsecp256k1_v0_1_1_fe_normalize(&y); - rustsecp256k1_v0_1_1_fe_to_storage(&r->x, &x); - rustsecp256k1_v0_1_1_fe_to_storage(&r->y, &y); + rustsecp256k1_v0_1_2_fe_normalize(&y); + rustsecp256k1_v0_1_2_fe_to_storage(&r->x, &x); + rustsecp256k1_v0_1_2_fe_to_storage(&r->y, &y); } -static void rustsecp256k1_v0_1_1_ge_from_storage(rustsecp256k1_v0_1_1_ge *r, const rustsecp256k1_v0_1_1_ge_storage *a) { - rustsecp256k1_v0_1_1_fe_from_storage(&r->x, &a->x); - rustsecp256k1_v0_1_1_fe_from_storage(&r->y, &a->y); +static void rustsecp256k1_v0_1_2_ge_from_storage(rustsecp256k1_v0_1_2_ge *r, const rustsecp256k1_v0_1_2_ge_storage *a) { + rustsecp256k1_v0_1_2_fe_from_storage(&r->x, &a->x); + rustsecp256k1_v0_1_2_fe_from_storage(&r->y, &a->y); r->infinity = 0; } -static SECP256K1_INLINE void rustsecp256k1_v0_1_1_ge_storage_cmov(rustsecp256k1_v0_1_1_ge_storage *r, const rustsecp256k1_v0_1_1_ge_storage *a, int flag) { - rustsecp256k1_v0_1_1_fe_storage_cmov(&r->x, &a->x, flag); - rustsecp256k1_v0_1_1_fe_storage_cmov(&r->y, &a->y, flag); +static SECP256K1_INLINE void rustsecp256k1_v0_1_2_ge_storage_cmov(rustsecp256k1_v0_1_2_ge_storage *r, const rustsecp256k1_v0_1_2_ge_storage *a, int flag) { + rustsecp256k1_v0_1_2_fe_storage_cmov(&r->x, &a->x, flag); + rustsecp256k1_v0_1_2_fe_storage_cmov(&r->y, &a->y, flag); } #ifdef USE_ENDOMORPHISM -static void rustsecp256k1_v0_1_1_ge_mul_lambda(rustsecp256k1_v0_1_1_ge *r, const rustsecp256k1_v0_1_1_ge *a) { - static const rustsecp256k1_v0_1_1_fe beta = SECP256K1_FE_CONST( +static void rustsecp256k1_v0_1_2_ge_mul_lambda(rustsecp256k1_v0_1_2_ge *r, const rustsecp256k1_v0_1_2_ge *a) { + static const rustsecp256k1_v0_1_2_fe beta = SECP256K1_FE_CONST( 0x7ae96a2bul, 0x657c0710ul, 0x6e64479eul, 0xac3434e9ul, 0x9cf04975ul, 0x12f58995ul, 0xc1396c28ul, 0x719501eeul ); *r = *a; - rustsecp256k1_v0_1_1_fe_mul(&r->x, &r->x, &beta); + rustsecp256k1_v0_1_2_fe_mul(&r->x, &r->x, &beta); } #endif -static int rustsecp256k1_v0_1_1_gej_has_quad_y_var(const rustsecp256k1_v0_1_1_gej *a) { - rustsecp256k1_v0_1_1_fe yz; +static int rustsecp256k1_v0_1_2_gej_has_quad_y_var(const rustsecp256k1_v0_1_2_gej *a) { + rustsecp256k1_v0_1_2_fe yz; if (a->infinity) { return 0; @@ -698,8 +701,8 @@ static int rustsecp256k1_v0_1_1_gej_has_quad_y_var(const rustsecp256k1_v0_1_1_ge /* We rely on the fact that the Jacobi symbol of 1 / a->z^3 is the same as * that of a->z. Thus a->y / a->z^3 is a quadratic residue iff a->y * a->z is */ - rustsecp256k1_v0_1_1_fe_mul(&yz, &a->y, &a->z); - return rustsecp256k1_v0_1_1_fe_is_quad_var(&yz); + rustsecp256k1_v0_1_2_fe_mul(&yz, &a->y, &a->z); + return rustsecp256k1_v0_1_2_fe_is_quad_var(&yz); } #endif /* SECP256K1_GROUP_IMPL_H */ diff --git a/secp256k1-sys/depend/secp256k1/src/hash.h b/secp256k1-sys/depend/secp256k1/src/hash.h index 33bf5744c..11e6ab5d3 100644 --- a/secp256k1-sys/depend/secp256k1/src/hash.h +++ b/secp256k1-sys/depend/secp256k1/src/hash.h @@ -14,28 +14,28 @@ typedef struct { uint32_t s[8]; uint32_t buf[16]; /* In big endian */ size_t bytes; -} rustsecp256k1_v0_1_1_sha256; +} rustsecp256k1_v0_1_2_sha256; -static void rustsecp256k1_v0_1_1_sha256_initialize(rustsecp256k1_v0_1_1_sha256 *hash); -static void rustsecp256k1_v0_1_1_sha256_write(rustsecp256k1_v0_1_1_sha256 *hash, const unsigned char *data, size_t size); -static void rustsecp256k1_v0_1_1_sha256_finalize(rustsecp256k1_v0_1_1_sha256 *hash, unsigned char *out32); +static void rustsecp256k1_v0_1_2_sha256_initialize(rustsecp256k1_v0_1_2_sha256 *hash); +static void rustsecp256k1_v0_1_2_sha256_write(rustsecp256k1_v0_1_2_sha256 *hash, const unsigned char *data, size_t size); +static void rustsecp256k1_v0_1_2_sha256_finalize(rustsecp256k1_v0_1_2_sha256 *hash, unsigned char *out32); typedef struct { - rustsecp256k1_v0_1_1_sha256 inner, outer; -} rustsecp256k1_v0_1_1_hmac_sha256; + rustsecp256k1_v0_1_2_sha256 inner, outer; +} rustsecp256k1_v0_1_2_hmac_sha256; -static void rustsecp256k1_v0_1_1_hmac_sha256_initialize(rustsecp256k1_v0_1_1_hmac_sha256 *hash, const unsigned char *key, size_t size); -static void rustsecp256k1_v0_1_1_hmac_sha256_write(rustsecp256k1_v0_1_1_hmac_sha256 *hash, const unsigned char *data, size_t size); -static void rustsecp256k1_v0_1_1_hmac_sha256_finalize(rustsecp256k1_v0_1_1_hmac_sha256 *hash, unsigned char *out32); +static void rustsecp256k1_v0_1_2_hmac_sha256_initialize(rustsecp256k1_v0_1_2_hmac_sha256 *hash, const unsigned char *key, size_t size); +static void rustsecp256k1_v0_1_2_hmac_sha256_write(rustsecp256k1_v0_1_2_hmac_sha256 *hash, const unsigned char *data, size_t size); +static void rustsecp256k1_v0_1_2_hmac_sha256_finalize(rustsecp256k1_v0_1_2_hmac_sha256 *hash, unsigned char *out32); typedef struct { unsigned char v[32]; unsigned char k[32]; int retry; -} rustsecp256k1_v0_1_1_rfc6979_hmac_sha256; +} rustsecp256k1_v0_1_2_rfc6979_hmac_sha256; -static void rustsecp256k1_v0_1_1_rfc6979_hmac_sha256_initialize(rustsecp256k1_v0_1_1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen); -static void rustsecp256k1_v0_1_1_rfc6979_hmac_sha256_generate(rustsecp256k1_v0_1_1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen); -static void rustsecp256k1_v0_1_1_rfc6979_hmac_sha256_finalize(rustsecp256k1_v0_1_1_rfc6979_hmac_sha256 *rng); +static void rustsecp256k1_v0_1_2_rfc6979_hmac_sha256_initialize(rustsecp256k1_v0_1_2_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen); +static void rustsecp256k1_v0_1_2_rfc6979_hmac_sha256_generate(rustsecp256k1_v0_1_2_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen); +static void rustsecp256k1_v0_1_2_rfc6979_hmac_sha256_finalize(rustsecp256k1_v0_1_2_rfc6979_hmac_sha256 *rng); #endif /* SECP256K1_HASH_H */ diff --git a/secp256k1-sys/depend/secp256k1/src/hash_impl.h b/secp256k1-sys/depend/secp256k1/src/hash_impl.h index 71ed8093d..aacf11acf 100644 --- a/secp256k1-sys/depend/secp256k1/src/hash_impl.h +++ b/secp256k1-sys/depend/secp256k1/src/hash_impl.h @@ -33,7 +33,7 @@ #define BE32(p) ((((p) & 0xFF) << 24) | (((p) & 0xFF00) << 8) | (((p) & 0xFF0000) >> 8) | (((p) & 0xFF000000) >> 24)) #endif -static void rustsecp256k1_v0_1_1_sha256_initialize(rustsecp256k1_v0_1_1_sha256 *hash) { +static void rustsecp256k1_v0_1_2_sha256_initialize(rustsecp256k1_v0_1_2_sha256 *hash) { hash->s[0] = 0x6a09e667ul; hash->s[1] = 0xbb67ae85ul; hash->s[2] = 0x3c6ef372ul; @@ -46,7 +46,7 @@ static void rustsecp256k1_v0_1_1_sha256_initialize(rustsecp256k1_v0_1_1_sha256 * } /** Perform one SHA-256 transformation, processing 16 big endian 32-bit words. */ -static void rustsecp256k1_v0_1_1_sha256_transform(uint32_t* s, const uint32_t* chunk) { +static void rustsecp256k1_v0_1_2_sha256_transform(uint32_t* s, const uint32_t* chunk) { uint32_t a = s[0], b = s[1], c = s[2], d = s[3], e = s[4], f = s[5], g = s[6], h = s[7]; uint32_t w0, w1, w2, w3, w4, w5, w6, w7, w8, w9, w10, w11, w12, w13, w14, w15; @@ -128,16 +128,17 @@ static void rustsecp256k1_v0_1_1_sha256_transform(uint32_t* s, const uint32_t* c s[7] += h; } -static void rustsecp256k1_v0_1_1_sha256_write(rustsecp256k1_v0_1_1_sha256 *hash, const unsigned char *data, size_t len) { +static void rustsecp256k1_v0_1_2_sha256_write(rustsecp256k1_v0_1_2_sha256 *hash, const unsigned char *data, size_t len) { size_t bufsize = hash->bytes & 0x3F; hash->bytes += len; - while (bufsize + len >= 64) { + VERIFY_CHECK(hash->bytes >= len); + while (len >= 64 - bufsize) { /* Fill the buffer, and process it. */ size_t chunk_len = 64 - bufsize; memcpy(((unsigned char*)hash->buf) + bufsize, data, chunk_len); data += chunk_len; len -= chunk_len; - rustsecp256k1_v0_1_1_sha256_transform(hash->s, hash->buf); + rustsecp256k1_v0_1_2_sha256_transform(hash->s, hash->buf); bufsize = 0; } if (len) { @@ -146,15 +147,15 @@ static void rustsecp256k1_v0_1_1_sha256_write(rustsecp256k1_v0_1_1_sha256 *hash, } } -static void rustsecp256k1_v0_1_1_sha256_finalize(rustsecp256k1_v0_1_1_sha256 *hash, unsigned char *out32) { +static void rustsecp256k1_v0_1_2_sha256_finalize(rustsecp256k1_v0_1_2_sha256 *hash, unsigned char *out32) { static const unsigned char pad[64] = {0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}; uint32_t sizedesc[2]; uint32_t out[8]; int i = 0; sizedesc[0] = BE32(hash->bytes >> 29); sizedesc[1] = BE32(hash->bytes << 3); - rustsecp256k1_v0_1_1_sha256_write(hash, pad, 1 + ((119 - (hash->bytes % 64)) % 64)); - rustsecp256k1_v0_1_1_sha256_write(hash, (const unsigned char*)sizedesc, 8); + rustsecp256k1_v0_1_2_sha256_write(hash, pad, 1 + ((119 - (hash->bytes % 64)) % 64)); + rustsecp256k1_v0_1_2_sha256_write(hash, (const unsigned char*)sizedesc, 8); for (i = 0; i < 8; i++) { out[i] = BE32(hash->s[i]); hash->s[i] = 0; @@ -162,49 +163,49 @@ static void rustsecp256k1_v0_1_1_sha256_finalize(rustsecp256k1_v0_1_1_sha256 *ha memcpy(out32, (const unsigned char*)out, 32); } -static void rustsecp256k1_v0_1_1_hmac_sha256_initialize(rustsecp256k1_v0_1_1_hmac_sha256 *hash, const unsigned char *key, size_t keylen) { +static void rustsecp256k1_v0_1_2_hmac_sha256_initialize(rustsecp256k1_v0_1_2_hmac_sha256 *hash, const unsigned char *key, size_t keylen) { size_t n; unsigned char rkey[64]; if (keylen <= sizeof(rkey)) { memcpy(rkey, key, keylen); memset(rkey + keylen, 0, sizeof(rkey) - keylen); } else { - rustsecp256k1_v0_1_1_sha256 sha256; - rustsecp256k1_v0_1_1_sha256_initialize(&sha256); - rustsecp256k1_v0_1_1_sha256_write(&sha256, key, keylen); - rustsecp256k1_v0_1_1_sha256_finalize(&sha256, rkey); + rustsecp256k1_v0_1_2_sha256 sha256; + rustsecp256k1_v0_1_2_sha256_initialize(&sha256); + rustsecp256k1_v0_1_2_sha256_write(&sha256, key, keylen); + rustsecp256k1_v0_1_2_sha256_finalize(&sha256, rkey); memset(rkey + 32, 0, 32); } - rustsecp256k1_v0_1_1_sha256_initialize(&hash->outer); + rustsecp256k1_v0_1_2_sha256_initialize(&hash->outer); for (n = 0; n < sizeof(rkey); n++) { rkey[n] ^= 0x5c; } - rustsecp256k1_v0_1_1_sha256_write(&hash->outer, rkey, sizeof(rkey)); + rustsecp256k1_v0_1_2_sha256_write(&hash->outer, rkey, sizeof(rkey)); - rustsecp256k1_v0_1_1_sha256_initialize(&hash->inner); + rustsecp256k1_v0_1_2_sha256_initialize(&hash->inner); for (n = 0; n < sizeof(rkey); n++) { rkey[n] ^= 0x5c ^ 0x36; } - rustsecp256k1_v0_1_1_sha256_write(&hash->inner, rkey, sizeof(rkey)); + rustsecp256k1_v0_1_2_sha256_write(&hash->inner, rkey, sizeof(rkey)); memset(rkey, 0, sizeof(rkey)); } -static void rustsecp256k1_v0_1_1_hmac_sha256_write(rustsecp256k1_v0_1_1_hmac_sha256 *hash, const unsigned char *data, size_t size) { - rustsecp256k1_v0_1_1_sha256_write(&hash->inner, data, size); +static void rustsecp256k1_v0_1_2_hmac_sha256_write(rustsecp256k1_v0_1_2_hmac_sha256 *hash, const unsigned char *data, size_t size) { + rustsecp256k1_v0_1_2_sha256_write(&hash->inner, data, size); } -static void rustsecp256k1_v0_1_1_hmac_sha256_finalize(rustsecp256k1_v0_1_1_hmac_sha256 *hash, unsigned char *out32) { +static void rustsecp256k1_v0_1_2_hmac_sha256_finalize(rustsecp256k1_v0_1_2_hmac_sha256 *hash, unsigned char *out32) { unsigned char temp[32]; - rustsecp256k1_v0_1_1_sha256_finalize(&hash->inner, temp); - rustsecp256k1_v0_1_1_sha256_write(&hash->outer, temp, 32); + rustsecp256k1_v0_1_2_sha256_finalize(&hash->inner, temp); + rustsecp256k1_v0_1_2_sha256_write(&hash->outer, temp, 32); memset(temp, 0, 32); - rustsecp256k1_v0_1_1_sha256_finalize(&hash->outer, out32); + rustsecp256k1_v0_1_2_sha256_finalize(&hash->outer, out32); } -static void rustsecp256k1_v0_1_1_rfc6979_hmac_sha256_initialize(rustsecp256k1_v0_1_1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen) { - rustsecp256k1_v0_1_1_hmac_sha256 hmac; +static void rustsecp256k1_v0_1_2_rfc6979_hmac_sha256_initialize(rustsecp256k1_v0_1_2_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen) { + rustsecp256k1_v0_1_2_hmac_sha256 hmac; static const unsigned char zero[1] = {0x00}; static const unsigned char one[1] = {0x01}; @@ -212,47 +213,47 @@ static void rustsecp256k1_v0_1_1_rfc6979_hmac_sha256_initialize(rustsecp256k1_v0 memset(rng->k, 0x00, 32); /* RFC6979 3.2.c. */ /* RFC6979 3.2.d. */ - rustsecp256k1_v0_1_1_hmac_sha256_initialize(&hmac, rng->k, 32); - rustsecp256k1_v0_1_1_hmac_sha256_write(&hmac, rng->v, 32); - rustsecp256k1_v0_1_1_hmac_sha256_write(&hmac, zero, 1); - rustsecp256k1_v0_1_1_hmac_sha256_write(&hmac, key, keylen); - rustsecp256k1_v0_1_1_hmac_sha256_finalize(&hmac, rng->k); - rustsecp256k1_v0_1_1_hmac_sha256_initialize(&hmac, rng->k, 32); - rustsecp256k1_v0_1_1_hmac_sha256_write(&hmac, rng->v, 32); - rustsecp256k1_v0_1_1_hmac_sha256_finalize(&hmac, rng->v); + rustsecp256k1_v0_1_2_hmac_sha256_initialize(&hmac, rng->k, 32); + rustsecp256k1_v0_1_2_hmac_sha256_write(&hmac, rng->v, 32); + rustsecp256k1_v0_1_2_hmac_sha256_write(&hmac, zero, 1); + rustsecp256k1_v0_1_2_hmac_sha256_write(&hmac, key, keylen); + rustsecp256k1_v0_1_2_hmac_sha256_finalize(&hmac, rng->k); + rustsecp256k1_v0_1_2_hmac_sha256_initialize(&hmac, rng->k, 32); + rustsecp256k1_v0_1_2_hmac_sha256_write(&hmac, rng->v, 32); + rustsecp256k1_v0_1_2_hmac_sha256_finalize(&hmac, rng->v); /* RFC6979 3.2.f. */ - rustsecp256k1_v0_1_1_hmac_sha256_initialize(&hmac, rng->k, 32); - rustsecp256k1_v0_1_1_hmac_sha256_write(&hmac, rng->v, 32); - rustsecp256k1_v0_1_1_hmac_sha256_write(&hmac, one, 1); - rustsecp256k1_v0_1_1_hmac_sha256_write(&hmac, key, keylen); - rustsecp256k1_v0_1_1_hmac_sha256_finalize(&hmac, rng->k); - rustsecp256k1_v0_1_1_hmac_sha256_initialize(&hmac, rng->k, 32); - rustsecp256k1_v0_1_1_hmac_sha256_write(&hmac, rng->v, 32); - rustsecp256k1_v0_1_1_hmac_sha256_finalize(&hmac, rng->v); + rustsecp256k1_v0_1_2_hmac_sha256_initialize(&hmac, rng->k, 32); + rustsecp256k1_v0_1_2_hmac_sha256_write(&hmac, rng->v, 32); + rustsecp256k1_v0_1_2_hmac_sha256_write(&hmac, one, 1); + rustsecp256k1_v0_1_2_hmac_sha256_write(&hmac, key, keylen); + rustsecp256k1_v0_1_2_hmac_sha256_finalize(&hmac, rng->k); + rustsecp256k1_v0_1_2_hmac_sha256_initialize(&hmac, rng->k, 32); + rustsecp256k1_v0_1_2_hmac_sha256_write(&hmac, rng->v, 32); + rustsecp256k1_v0_1_2_hmac_sha256_finalize(&hmac, rng->v); rng->retry = 0; } -static void rustsecp256k1_v0_1_1_rfc6979_hmac_sha256_generate(rustsecp256k1_v0_1_1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen) { +static void rustsecp256k1_v0_1_2_rfc6979_hmac_sha256_generate(rustsecp256k1_v0_1_2_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen) { /* RFC6979 3.2.h. */ static const unsigned char zero[1] = {0x00}; if (rng->retry) { - rustsecp256k1_v0_1_1_hmac_sha256 hmac; - rustsecp256k1_v0_1_1_hmac_sha256_initialize(&hmac, rng->k, 32); - rustsecp256k1_v0_1_1_hmac_sha256_write(&hmac, rng->v, 32); - rustsecp256k1_v0_1_1_hmac_sha256_write(&hmac, zero, 1); - rustsecp256k1_v0_1_1_hmac_sha256_finalize(&hmac, rng->k); - rustsecp256k1_v0_1_1_hmac_sha256_initialize(&hmac, rng->k, 32); - rustsecp256k1_v0_1_1_hmac_sha256_write(&hmac, rng->v, 32); - rustsecp256k1_v0_1_1_hmac_sha256_finalize(&hmac, rng->v); + rustsecp256k1_v0_1_2_hmac_sha256 hmac; + rustsecp256k1_v0_1_2_hmac_sha256_initialize(&hmac, rng->k, 32); + rustsecp256k1_v0_1_2_hmac_sha256_write(&hmac, rng->v, 32); + rustsecp256k1_v0_1_2_hmac_sha256_write(&hmac, zero, 1); + rustsecp256k1_v0_1_2_hmac_sha256_finalize(&hmac, rng->k); + rustsecp256k1_v0_1_2_hmac_sha256_initialize(&hmac, rng->k, 32); + rustsecp256k1_v0_1_2_hmac_sha256_write(&hmac, rng->v, 32); + rustsecp256k1_v0_1_2_hmac_sha256_finalize(&hmac, rng->v); } while (outlen > 0) { - rustsecp256k1_v0_1_1_hmac_sha256 hmac; + rustsecp256k1_v0_1_2_hmac_sha256 hmac; int now = outlen; - rustsecp256k1_v0_1_1_hmac_sha256_initialize(&hmac, rng->k, 32); - rustsecp256k1_v0_1_1_hmac_sha256_write(&hmac, rng->v, 32); - rustsecp256k1_v0_1_1_hmac_sha256_finalize(&hmac, rng->v); + rustsecp256k1_v0_1_2_hmac_sha256_initialize(&hmac, rng->k, 32); + rustsecp256k1_v0_1_2_hmac_sha256_write(&hmac, rng->v, 32); + rustsecp256k1_v0_1_2_hmac_sha256_finalize(&hmac, rng->v); if (now > 32) { now = 32; } @@ -264,7 +265,7 @@ static void rustsecp256k1_v0_1_1_rfc6979_hmac_sha256_generate(rustsecp256k1_v0_1 rng->retry = 1; } -static void rustsecp256k1_v0_1_1_rfc6979_hmac_sha256_finalize(rustsecp256k1_v0_1_1_rfc6979_hmac_sha256 *rng) { +static void rustsecp256k1_v0_1_2_rfc6979_hmac_sha256_finalize(rustsecp256k1_v0_1_2_rfc6979_hmac_sha256 *rng) { memset(rng->k, 0, 32); memset(rng->v, 0, 32); rng->retry = 0; diff --git a/secp256k1-sys/depend/secp256k1/src/java/org/bitcoin/NativeSecp256k1.java b/secp256k1-sys/depend/secp256k1/src/java/org/bitcoin/NativeSecp256k1.java deleted file mode 100644 index 706080772..000000000 --- a/secp256k1-sys/depend/secp256k1/src/java/org/bitcoin/NativeSecp256k1.java +++ /dev/null @@ -1,446 +0,0 @@ -/* - * Copyright 2013 Google Inc. - * Copyright 2014-2016 the libsecp256k1 contributors - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.bitcoin; - -import java.nio.ByteBuffer; -import java.nio.ByteOrder; - -import java.math.BigInteger; -import com.google.common.base.Preconditions; -import java.util.concurrent.locks.Lock; -import java.util.concurrent.locks.ReentrantReadWriteLock; -import static org.bitcoin.NativeSecp256k1Util.*; - -/** - *

This class holds native methods to handle ECDSA verification.

- * - *

You can find an example library that can be used for this at https://github.com/bitcoin/secp256k1

- * - *

To build secp256k1 for use with bitcoinj, run - * `./configure --enable-jni --enable-experimental --enable-module-ecdh` - * and `make` then copy `.libs/libsecp256k1.so` to your system library path - * or point the JVM to the folder containing it with -Djava.library.path - *

- */ -public class NativeSecp256k1 { - - private static final ReentrantReadWriteLock rwl = new ReentrantReadWriteLock(); - private static final Lock r = rwl.readLock(); - private static final Lock w = rwl.writeLock(); - private static ThreadLocal nativeECDSABuffer = new ThreadLocal(); - /** - * Verifies the given secp256k1 signature in native code. - * Calling when enabled == false is undefined (probably library not loaded) - * - * @param data The data which was signed, must be exactly 32 bytes - * @param signature The signature - * @param pub The public key which did the signing - */ - public static boolean verify(byte[] data, byte[] signature, byte[] pub) throws AssertFailException{ - Preconditions.checkArgument(data.length == 32 && signature.length <= 520 && pub.length <= 520); - - ByteBuffer byteBuff = nativeECDSABuffer.get(); - if (byteBuff == null || byteBuff.capacity() < 520) { - byteBuff = ByteBuffer.allocateDirect(520); - byteBuff.order(ByteOrder.nativeOrder()); - nativeECDSABuffer.set(byteBuff); - } - byteBuff.rewind(); - byteBuff.put(data); - byteBuff.put(signature); - byteBuff.put(pub); - - byte[][] retByteArray; - - r.lock(); - try { - return rustsecp256k1_v0_1_1_ecdsa_verify(byteBuff, Secp256k1Context.getContext(), signature.length, pub.length) == 1; - } finally { - r.unlock(); - } - } - - /** - * libsecp256k1 Create an ECDSA signature. - * - * @param data Message hash, 32 bytes - * @param key Secret key, 32 bytes - * - * Return values - * @param sig byte array of signature - */ - public static byte[] sign(byte[] data, byte[] sec) throws AssertFailException{ - Preconditions.checkArgument(data.length == 32 && sec.length <= 32); - - ByteBuffer byteBuff = nativeECDSABuffer.get(); - if (byteBuff == null || byteBuff.capacity() < 32 + 32) { - byteBuff = ByteBuffer.allocateDirect(32 + 32); - byteBuff.order(ByteOrder.nativeOrder()); - nativeECDSABuffer.set(byteBuff); - } - byteBuff.rewind(); - byteBuff.put(data); - byteBuff.put(sec); - - byte[][] retByteArray; - - r.lock(); - try { - retByteArray = rustsecp256k1_v0_1_1_ecdsa_sign(byteBuff, Secp256k1Context.getContext()); - } finally { - r.unlock(); - } - - byte[] sigArr = retByteArray[0]; - int sigLen = new BigInteger(new byte[] { retByteArray[1][0] }).intValue(); - int retVal = new BigInteger(new byte[] { retByteArray[1][1] }).intValue(); - - assertEquals(sigArr.length, sigLen, "Got bad signature length."); - - return retVal == 0 ? new byte[0] : sigArr; - } - - /** - * libsecp256k1 Seckey Verify - returns 1 if valid, 0 if invalid - * - * @param seckey ECDSA Secret key, 32 bytes - */ - public static boolean secKeyVerify(byte[] seckey) { - Preconditions.checkArgument(seckey.length == 32); - - ByteBuffer byteBuff = nativeECDSABuffer.get(); - if (byteBuff == null || byteBuff.capacity() < seckey.length) { - byteBuff = ByteBuffer.allocateDirect(seckey.length); - byteBuff.order(ByteOrder.nativeOrder()); - nativeECDSABuffer.set(byteBuff); - } - byteBuff.rewind(); - byteBuff.put(seckey); - - r.lock(); - try { - return rustsecp256k1_v0_1_1_ec_seckey_verify(byteBuff,Secp256k1Context.getContext()) == 1; - } finally { - r.unlock(); - } - } - - - /** - * libsecp256k1 Compute Pubkey - computes public key from secret key - * - * @param seckey ECDSA Secret key, 32 bytes - * - * Return values - * @param pubkey ECDSA Public key, 33 or 65 bytes - */ - //TODO add a 'compressed' arg - public static byte[] computePubkey(byte[] seckey) throws AssertFailException{ - Preconditions.checkArgument(seckey.length == 32); - - ByteBuffer byteBuff = nativeECDSABuffer.get(); - if (byteBuff == null || byteBuff.capacity() < seckey.length) { - byteBuff = ByteBuffer.allocateDirect(seckey.length); - byteBuff.order(ByteOrder.nativeOrder()); - nativeECDSABuffer.set(byteBuff); - } - byteBuff.rewind(); - byteBuff.put(seckey); - - byte[][] retByteArray; - - r.lock(); - try { - retByteArray = rustsecp256k1_v0_1_1_ec_pubkey_create(byteBuff, Secp256k1Context.getContext()); - } finally { - r.unlock(); - } - - byte[] pubArr = retByteArray[0]; - int pubLen = new BigInteger(new byte[] { retByteArray[1][0] }).intValue(); - int retVal = new BigInteger(new byte[] { retByteArray[1][1] }).intValue(); - - assertEquals(pubArr.length, pubLen, "Got bad pubkey length."); - - return retVal == 0 ? new byte[0]: pubArr; - } - - /** - * libsecp256k1 Cleanup - This destroys the secp256k1 context object - * This should be called at the end of the program for proper cleanup of the context. - */ - public static synchronized void cleanup() { - w.lock(); - try { - rustsecp256k1_v0_1_1_destroy_context(Secp256k1Context.getContext()); - } finally { - w.unlock(); - } - } - - public static long cloneContext() { - r.lock(); - try { - return rustsecp256k1_v0_1_1_ctx_clone(Secp256k1Context.getContext()); - } finally { r.unlock(); } - } - - /** - * libsecp256k1 PrivKey Tweak-Mul - Tweak privkey by multiplying to it - * - * @param tweak some bytes to tweak with - * @param seckey 32-byte seckey - */ - public static byte[] privKeyTweakMul(byte[] privkey, byte[] tweak) throws AssertFailException{ - Preconditions.checkArgument(privkey.length == 32); - - ByteBuffer byteBuff = nativeECDSABuffer.get(); - if (byteBuff == null || byteBuff.capacity() < privkey.length + tweak.length) { - byteBuff = ByteBuffer.allocateDirect(privkey.length + tweak.length); - byteBuff.order(ByteOrder.nativeOrder()); - nativeECDSABuffer.set(byteBuff); - } - byteBuff.rewind(); - byteBuff.put(privkey); - byteBuff.put(tweak); - - byte[][] retByteArray; - r.lock(); - try { - retByteArray = rustsecp256k1_v0_1_1_privkey_tweak_mul(byteBuff,Secp256k1Context.getContext()); - } finally { - r.unlock(); - } - - byte[] privArr = retByteArray[0]; - - int privLen = (byte) new BigInteger(new byte[] { retByteArray[1][0] }).intValue() & 0xFF; - int retVal = new BigInteger(new byte[] { retByteArray[1][1] }).intValue(); - - assertEquals(privArr.length, privLen, "Got bad pubkey length."); - - assertEquals(retVal, 1, "Failed return value check."); - - return privArr; - } - - /** - * libsecp256k1 PrivKey Tweak-Add - Tweak privkey by adding to it - * - * @param tweak some bytes to tweak with - * @param seckey 32-byte seckey - */ - public static byte[] privKeyTweakAdd(byte[] privkey, byte[] tweak) throws AssertFailException{ - Preconditions.checkArgument(privkey.length == 32); - - ByteBuffer byteBuff = nativeECDSABuffer.get(); - if (byteBuff == null || byteBuff.capacity() < privkey.length + tweak.length) { - byteBuff = ByteBuffer.allocateDirect(privkey.length + tweak.length); - byteBuff.order(ByteOrder.nativeOrder()); - nativeECDSABuffer.set(byteBuff); - } - byteBuff.rewind(); - byteBuff.put(privkey); - byteBuff.put(tweak); - - byte[][] retByteArray; - r.lock(); - try { - retByteArray = rustsecp256k1_v0_1_1_privkey_tweak_add(byteBuff,Secp256k1Context.getContext()); - } finally { - r.unlock(); - } - - byte[] privArr = retByteArray[0]; - - int privLen = (byte) new BigInteger(new byte[] { retByteArray[1][0] }).intValue() & 0xFF; - int retVal = new BigInteger(new byte[] { retByteArray[1][1] }).intValue(); - - assertEquals(privArr.length, privLen, "Got bad pubkey length."); - - assertEquals(retVal, 1, "Failed return value check."); - - return privArr; - } - - /** - * libsecp256k1 PubKey Tweak-Add - Tweak pubkey by adding to it - * - * @param tweak some bytes to tweak with - * @param pubkey 32-byte seckey - */ - public static byte[] pubKeyTweakAdd(byte[] pubkey, byte[] tweak) throws AssertFailException{ - Preconditions.checkArgument(pubkey.length == 33 || pubkey.length == 65); - - ByteBuffer byteBuff = nativeECDSABuffer.get(); - if (byteBuff == null || byteBuff.capacity() < pubkey.length + tweak.length) { - byteBuff = ByteBuffer.allocateDirect(pubkey.length + tweak.length); - byteBuff.order(ByteOrder.nativeOrder()); - nativeECDSABuffer.set(byteBuff); - } - byteBuff.rewind(); - byteBuff.put(pubkey); - byteBuff.put(tweak); - - byte[][] retByteArray; - r.lock(); - try { - retByteArray = rustsecp256k1_v0_1_1_pubkey_tweak_add(byteBuff,Secp256k1Context.getContext(), pubkey.length); - } finally { - r.unlock(); - } - - byte[] pubArr = retByteArray[0]; - - int pubLen = (byte) new BigInteger(new byte[] { retByteArray[1][0] }).intValue() & 0xFF; - int retVal = new BigInteger(new byte[] { retByteArray[1][1] }).intValue(); - - assertEquals(pubArr.length, pubLen, "Got bad pubkey length."); - - assertEquals(retVal, 1, "Failed return value check."); - - return pubArr; - } - - /** - * libsecp256k1 PubKey Tweak-Mul - Tweak pubkey by multiplying to it - * - * @param tweak some bytes to tweak with - * @param pubkey 32-byte seckey - */ - public static byte[] pubKeyTweakMul(byte[] pubkey, byte[] tweak) throws AssertFailException{ - Preconditions.checkArgument(pubkey.length == 33 || pubkey.length == 65); - - ByteBuffer byteBuff = nativeECDSABuffer.get(); - if (byteBuff == null || byteBuff.capacity() < pubkey.length + tweak.length) { - byteBuff = ByteBuffer.allocateDirect(pubkey.length + tweak.length); - byteBuff.order(ByteOrder.nativeOrder()); - nativeECDSABuffer.set(byteBuff); - } - byteBuff.rewind(); - byteBuff.put(pubkey); - byteBuff.put(tweak); - - byte[][] retByteArray; - r.lock(); - try { - retByteArray = rustsecp256k1_v0_1_1_pubkey_tweak_mul(byteBuff,Secp256k1Context.getContext(), pubkey.length); - } finally { - r.unlock(); - } - - byte[] pubArr = retByteArray[0]; - - int pubLen = (byte) new BigInteger(new byte[] { retByteArray[1][0] }).intValue() & 0xFF; - int retVal = new BigInteger(new byte[] { retByteArray[1][1] }).intValue(); - - assertEquals(pubArr.length, pubLen, "Got bad pubkey length."); - - assertEquals(retVal, 1, "Failed return value check."); - - return pubArr; - } - - /** - * libsecp256k1 create ECDH secret - constant time ECDH calculation - * - * @param seckey byte array of secret key used in exponentiaion - * @param pubkey byte array of public key used in exponentiaion - */ - public static byte[] createECDHSecret(byte[] seckey, byte[] pubkey) throws AssertFailException{ - Preconditions.checkArgument(seckey.length <= 32 && pubkey.length <= 65); - - ByteBuffer byteBuff = nativeECDSABuffer.get(); - if (byteBuff == null || byteBuff.capacity() < 32 + pubkey.length) { - byteBuff = ByteBuffer.allocateDirect(32 + pubkey.length); - byteBuff.order(ByteOrder.nativeOrder()); - nativeECDSABuffer.set(byteBuff); - } - byteBuff.rewind(); - byteBuff.put(seckey); - byteBuff.put(pubkey); - - byte[][] retByteArray; - r.lock(); - try { - retByteArray = rustsecp256k1_v0_1_1_ecdh(byteBuff, Secp256k1Context.getContext(), pubkey.length); - } finally { - r.unlock(); - } - - byte[] resArr = retByteArray[0]; - int retVal = new BigInteger(new byte[] { retByteArray[1][0] }).intValue(); - - assertEquals(resArr.length, 32, "Got bad result length."); - assertEquals(retVal, 1, "Failed return value check."); - - return resArr; - } - - /** - * libsecp256k1 randomize - updates the context randomization - * - * @param seed 32-byte random seed - */ - public static synchronized boolean randomize(byte[] seed) throws AssertFailException{ - Preconditions.checkArgument(seed.length == 32 || seed == null); - - ByteBuffer byteBuff = nativeECDSABuffer.get(); - if (byteBuff == null || byteBuff.capacity() < seed.length) { - byteBuff = ByteBuffer.allocateDirect(seed.length); - byteBuff.order(ByteOrder.nativeOrder()); - nativeECDSABuffer.set(byteBuff); - } - byteBuff.rewind(); - byteBuff.put(seed); - - w.lock(); - try { - return rustsecp256k1_v0_1_1_context_randomize(byteBuff, Secp256k1Context.getContext()) == 1; - } finally { - w.unlock(); - } - } - - private static native long rustsecp256k1_v0_1_1_ctx_clone(long context); - - private static native int rustsecp256k1_v0_1_1_context_randomize(ByteBuffer byteBuff, long context); - - private static native byte[][] rustsecp256k1_v0_1_1_privkey_tweak_add(ByteBuffer byteBuff, long context); - - private static native byte[][] rustsecp256k1_v0_1_1_privkey_tweak_mul(ByteBuffer byteBuff, long context); - - private static native byte[][] rustsecp256k1_v0_1_1_pubkey_tweak_add(ByteBuffer byteBuff, long context, int pubLen); - - private static native byte[][] rustsecp256k1_v0_1_1_pubkey_tweak_mul(ByteBuffer byteBuff, long context, int pubLen); - - private static native void rustsecp256k1_v0_1_1_destroy_context(long context); - - private static native int rustsecp256k1_v0_1_1_ecdsa_verify(ByteBuffer byteBuff, long context, int sigLen, int pubLen); - - private static native byte[][] rustsecp256k1_v0_1_1_ecdsa_sign(ByteBuffer byteBuff, long context); - - private static native int rustsecp256k1_v0_1_1_ec_seckey_verify(ByteBuffer byteBuff, long context); - - private static native byte[][] rustsecp256k1_v0_1_1_ec_pubkey_create(ByteBuffer byteBuff, long context); - - private static native byte[][] rustsecp256k1_v0_1_1_ec_pubkey_parse(ByteBuffer byteBuff, long context, int inputLen); - - private static native byte[][] rustsecp256k1_v0_1_1_ecdh(ByteBuffer byteBuff, long context, int inputLen); - -} diff --git a/secp256k1-sys/depend/secp256k1/src/java/org/bitcoin/NativeSecp256k1Test.java b/secp256k1-sys/depend/secp256k1/src/java/org/bitcoin/NativeSecp256k1Test.java deleted file mode 100644 index d766a1029..000000000 --- a/secp256k1-sys/depend/secp256k1/src/java/org/bitcoin/NativeSecp256k1Test.java +++ /dev/null @@ -1,226 +0,0 @@ -package org.bitcoin; - -import com.google.common.io.BaseEncoding; -import java.util.Arrays; -import java.math.BigInteger; -import javax.xml.bind.DatatypeConverter; -import static org.bitcoin.NativeSecp256k1Util.*; - -/** - * This class holds test cases defined for testing this library. - */ -public class NativeSecp256k1Test { - - //TODO improve comments/add more tests - /** - * This tests verify() for a valid signature - */ - public static void testVerifyPos() throws AssertFailException{ - boolean result = false; - byte[] data = BaseEncoding.base16().lowerCase().decode("CF80CD8AED482D5D1527D7DC72FCEFF84E6326592848447D2DC0B0E87DFC9A90".toLowerCase()); //sha256hash of "testing" - byte[] sig = BaseEncoding.base16().lowerCase().decode("3044022079BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F817980220294F14E883B3F525B5367756C2A11EF6CF84B730B36C17CB0C56F0AAB2C98589".toLowerCase()); - byte[] pub = BaseEncoding.base16().lowerCase().decode("040A629506E1B65CD9D2E0BA9C75DF9C4FED0DB16DC9625ED14397F0AFC836FAE595DC53F8B0EFE61E703075BD9B143BAC75EC0E19F82A2208CAEB32BE53414C40".toLowerCase()); - - result = NativeSecp256k1.verify( data, sig, pub); - assertEquals( result, true , "testVerifyPos"); - } - - /** - * This tests verify() for a non-valid signature - */ - public static void testVerifyNeg() throws AssertFailException{ - boolean result = false; - byte[] data = BaseEncoding.base16().lowerCase().decode("CF80CD8AED482D5D1527D7DC72FCEFF84E6326592848447D2DC0B0E87DFC9A91".toLowerCase()); //sha256hash of "testing" - byte[] sig = BaseEncoding.base16().lowerCase().decode("3044022079BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F817980220294F14E883B3F525B5367756C2A11EF6CF84B730B36C17CB0C56F0AAB2C98589".toLowerCase()); - byte[] pub = BaseEncoding.base16().lowerCase().decode("040A629506E1B65CD9D2E0BA9C75DF9C4FED0DB16DC9625ED14397F0AFC836FAE595DC53F8B0EFE61E703075BD9B143BAC75EC0E19F82A2208CAEB32BE53414C40".toLowerCase()); - - result = NativeSecp256k1.verify( data, sig, pub); - //System.out.println(" TEST " + new BigInteger(1, resultbytes).toString(16)); - assertEquals( result, false , "testVerifyNeg"); - } - - /** - * This tests secret key verify() for a valid secretkey - */ - public static void testSecKeyVerifyPos() throws AssertFailException{ - boolean result = false; - byte[] sec = BaseEncoding.base16().lowerCase().decode("67E56582298859DDAE725F972992A07C6C4FB9F62A8FFF58CE3CA926A1063530".toLowerCase()); - - result = NativeSecp256k1.secKeyVerify( sec ); - //System.out.println(" TEST " + new BigInteger(1, resultbytes).toString(16)); - assertEquals( result, true , "testSecKeyVerifyPos"); - } - - /** - * This tests secret key verify() for an invalid secretkey - */ - public static void testSecKeyVerifyNeg() throws AssertFailException{ - boolean result = false; - byte[] sec = BaseEncoding.base16().lowerCase().decode("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF".toLowerCase()); - - result = NativeSecp256k1.secKeyVerify( sec ); - //System.out.println(" TEST " + new BigInteger(1, resultbytes).toString(16)); - assertEquals( result, false , "testSecKeyVerifyNeg"); - } - - /** - * This tests public key create() for a valid secretkey - */ - public static void testPubKeyCreatePos() throws AssertFailException{ - byte[] sec = BaseEncoding.base16().lowerCase().decode("67E56582298859DDAE725F972992A07C6C4FB9F62A8FFF58CE3CA926A1063530".toLowerCase()); - - byte[] resultArr = NativeSecp256k1.computePubkey( sec); - String pubkeyString = javax.xml.bind.DatatypeConverter.printHexBinary(resultArr); - assertEquals( pubkeyString , "04C591A8FF19AC9C4E4E5793673B83123437E975285E7B442F4EE2654DFFCA5E2D2103ED494718C697AC9AEBCFD19612E224DB46661011863ED2FC54E71861E2A6" , "testPubKeyCreatePos"); - } - - /** - * This tests public key create() for a invalid secretkey - */ - public static void testPubKeyCreateNeg() throws AssertFailException{ - byte[] sec = BaseEncoding.base16().lowerCase().decode("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF".toLowerCase()); - - byte[] resultArr = NativeSecp256k1.computePubkey( sec); - String pubkeyString = javax.xml.bind.DatatypeConverter.printHexBinary(resultArr); - assertEquals( pubkeyString, "" , "testPubKeyCreateNeg"); - } - - /** - * This tests sign() for a valid secretkey - */ - public static void testSignPos() throws AssertFailException{ - - byte[] data = BaseEncoding.base16().lowerCase().decode("CF80CD8AED482D5D1527D7DC72FCEFF84E6326592848447D2DC0B0E87DFC9A90".toLowerCase()); //sha256hash of "testing" - byte[] sec = BaseEncoding.base16().lowerCase().decode("67E56582298859DDAE725F972992A07C6C4FB9F62A8FFF58CE3CA926A1063530".toLowerCase()); - - byte[] resultArr = NativeSecp256k1.sign(data, sec); - String sigString = javax.xml.bind.DatatypeConverter.printHexBinary(resultArr); - assertEquals( sigString, "30440220182A108E1448DC8F1FB467D06A0F3BB8EA0533584CB954EF8DA112F1D60E39A202201C66F36DA211C087F3AF88B50EDF4F9BDAA6CF5FD6817E74DCA34DB12390C6E9" , "testSignPos"); - } - - /** - * This tests sign() for a invalid secretkey - */ - public static void testSignNeg() throws AssertFailException{ - byte[] data = BaseEncoding.base16().lowerCase().decode("CF80CD8AED482D5D1527D7DC72FCEFF84E6326592848447D2DC0B0E87DFC9A90".toLowerCase()); //sha256hash of "testing" - byte[] sec = BaseEncoding.base16().lowerCase().decode("FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF".toLowerCase()); - - byte[] resultArr = NativeSecp256k1.sign(data, sec); - String sigString = javax.xml.bind.DatatypeConverter.printHexBinary(resultArr); - assertEquals( sigString, "" , "testSignNeg"); - } - - /** - * This tests private key tweak-add - */ - public static void testPrivKeyTweakAdd_1() throws AssertFailException { - byte[] sec = BaseEncoding.base16().lowerCase().decode("67E56582298859DDAE725F972992A07C6C4FB9F62A8FFF58CE3CA926A1063530".toLowerCase()); - byte[] data = BaseEncoding.base16().lowerCase().decode("3982F19BEF1615BCCFBB05E321C10E1D4CBA3DF0E841C2E41EEB6016347653C3".toLowerCase()); //sha256hash of "tweak" - - byte[] resultArr = NativeSecp256k1.privKeyTweakAdd( sec , data ); - String sigString = javax.xml.bind.DatatypeConverter.printHexBinary(resultArr); - assertEquals( sigString , "A168571E189E6F9A7E2D657A4B53AE99B909F7E712D1C23CED28093CD57C88F3" , "testPrivKeyAdd_1"); - } - - /** - * This tests private key tweak-mul - */ - public static void testPrivKeyTweakMul_1() throws AssertFailException { - byte[] sec = BaseEncoding.base16().lowerCase().decode("67E56582298859DDAE725F972992A07C6C4FB9F62A8FFF58CE3CA926A1063530".toLowerCase()); - byte[] data = BaseEncoding.base16().lowerCase().decode("3982F19BEF1615BCCFBB05E321C10E1D4CBA3DF0E841C2E41EEB6016347653C3".toLowerCase()); //sha256hash of "tweak" - - byte[] resultArr = NativeSecp256k1.privKeyTweakMul( sec , data ); - String sigString = javax.xml.bind.DatatypeConverter.printHexBinary(resultArr); - assertEquals( sigString , "97F8184235F101550F3C71C927507651BD3F1CDB4A5A33B8986ACF0DEE20FFFC" , "testPrivKeyMul_1"); - } - - /** - * This tests private key tweak-add uncompressed - */ - public static void testPrivKeyTweakAdd_2() throws AssertFailException { - byte[] pub = BaseEncoding.base16().lowerCase().decode("040A629506E1B65CD9D2E0BA9C75DF9C4FED0DB16DC9625ED14397F0AFC836FAE595DC53F8B0EFE61E703075BD9B143BAC75EC0E19F82A2208CAEB32BE53414C40".toLowerCase()); - byte[] data = BaseEncoding.base16().lowerCase().decode("3982F19BEF1615BCCFBB05E321C10E1D4CBA3DF0E841C2E41EEB6016347653C3".toLowerCase()); //sha256hash of "tweak" - - byte[] resultArr = NativeSecp256k1.pubKeyTweakAdd( pub , data ); - String sigString = javax.xml.bind.DatatypeConverter.printHexBinary(resultArr); - assertEquals( sigString , "0411C6790F4B663CCE607BAAE08C43557EDC1A4D11D88DFCB3D841D0C6A941AF525A268E2A863C148555C48FB5FBA368E88718A46E205FABC3DBA2CCFFAB0796EF" , "testPrivKeyAdd_2"); - } - - /** - * This tests private key tweak-mul uncompressed - */ - public static void testPrivKeyTweakMul_2() throws AssertFailException { - byte[] pub = BaseEncoding.base16().lowerCase().decode("040A629506E1B65CD9D2E0BA9C75DF9C4FED0DB16DC9625ED14397F0AFC836FAE595DC53F8B0EFE61E703075BD9B143BAC75EC0E19F82A2208CAEB32BE53414C40".toLowerCase()); - byte[] data = BaseEncoding.base16().lowerCase().decode("3982F19BEF1615BCCFBB05E321C10E1D4CBA3DF0E841C2E41EEB6016347653C3".toLowerCase()); //sha256hash of "tweak" - - byte[] resultArr = NativeSecp256k1.pubKeyTweakMul( pub , data ); - String sigString = javax.xml.bind.DatatypeConverter.printHexBinary(resultArr); - assertEquals( sigString , "04E0FE6FE55EBCA626B98A807F6CAF654139E14E5E3698F01A9A658E21DC1D2791EC060D4F412A794D5370F672BC94B722640B5F76914151CFCA6E712CA48CC589" , "testPrivKeyMul_2"); - } - - /** - * This tests seed randomization - */ - public static void testRandomize() throws AssertFailException { - byte[] seed = BaseEncoding.base16().lowerCase().decode("A441B15FE9A3CF56661190A0B93B9DEC7D04127288CC87250967CF3B52894D11".toLowerCase()); //sha256hash of "random" - boolean result = NativeSecp256k1.randomize(seed); - assertEquals( result, true, "testRandomize"); - } - - public static void testCreateECDHSecret() throws AssertFailException{ - - byte[] sec = BaseEncoding.base16().lowerCase().decode("67E56582298859DDAE725F972992A07C6C4FB9F62A8FFF58CE3CA926A1063530".toLowerCase()); - byte[] pub = BaseEncoding.base16().lowerCase().decode("040A629506E1B65CD9D2E0BA9C75DF9C4FED0DB16DC9625ED14397F0AFC836FAE595DC53F8B0EFE61E703075BD9B143BAC75EC0E19F82A2208CAEB32BE53414C40".toLowerCase()); - - byte[] resultArr = NativeSecp256k1.createECDHSecret(sec, pub); - String ecdhString = javax.xml.bind.DatatypeConverter.printHexBinary(resultArr); - assertEquals( ecdhString, "2A2A67007A926E6594AF3EB564FC74005B37A9C8AEF2033C4552051B5C87F043" , "testCreateECDHSecret"); - } - - public static void main(String[] args) throws AssertFailException{ - - - System.out.println("\n libsecp256k1 enabled: " + Secp256k1Context.isEnabled() + "\n"); - - assertEquals( Secp256k1Context.isEnabled(), true, "isEnabled" ); - - //Test verify() success/fail - testVerifyPos(); - testVerifyNeg(); - - //Test secKeyVerify() success/fail - testSecKeyVerifyPos(); - testSecKeyVerifyNeg(); - - //Test computePubkey() success/fail - testPubKeyCreatePos(); - testPubKeyCreateNeg(); - - //Test sign() success/fail - testSignPos(); - testSignNeg(); - - //Test privKeyTweakAdd() 1 - testPrivKeyTweakAdd_1(); - - //Test privKeyTweakMul() 2 - testPrivKeyTweakMul_1(); - - //Test privKeyTweakAdd() 3 - testPrivKeyTweakAdd_2(); - - //Test privKeyTweakMul() 4 - testPrivKeyTweakMul_2(); - - //Test randomize() - testRandomize(); - - //Test ECDH - testCreateECDHSecret(); - - NativeSecp256k1.cleanup(); - - System.out.println(" All tests passed." ); - - } -} diff --git a/secp256k1-sys/depend/secp256k1/src/java/org/bitcoin/NativeSecp256k1Util.java b/secp256k1-sys/depend/secp256k1/src/java/org/bitcoin/NativeSecp256k1Util.java deleted file mode 100644 index 04732ba04..000000000 --- a/secp256k1-sys/depend/secp256k1/src/java/org/bitcoin/NativeSecp256k1Util.java +++ /dev/null @@ -1,45 +0,0 @@ -/* - * Copyright 2014-2016 the libsecp256k1 contributors - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.bitcoin; - -public class NativeSecp256k1Util{ - - public static void assertEquals( int val, int val2, String message ) throws AssertFailException{ - if( val != val2 ) - throw new AssertFailException("FAIL: " + message); - } - - public static void assertEquals( boolean val, boolean val2, String message ) throws AssertFailException{ - if( val != val2 ) - throw new AssertFailException("FAIL: " + message); - else - System.out.println("PASS: " + message); - } - - public static void assertEquals( String val, String val2, String message ) throws AssertFailException{ - if( !val.equals(val2) ) - throw new AssertFailException("FAIL: " + message); - else - System.out.println("PASS: " + message); - } - - public static class AssertFailException extends Exception { - public AssertFailException(String message) { - super( message ); - } - } -} diff --git a/secp256k1-sys/depend/secp256k1/src/java/org/bitcoin/Secp256k1Context.java b/secp256k1-sys/depend/secp256k1/src/java/org/bitcoin/Secp256k1Context.java deleted file mode 100644 index 875950915..000000000 --- a/secp256k1-sys/depend/secp256k1/src/java/org/bitcoin/Secp256k1Context.java +++ /dev/null @@ -1,51 +0,0 @@ -/* - * Copyright 2014-2016 the libsecp256k1 contributors - * - * Licensed under the Apache License, Version 2.0 (the "License"); - * you may not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -package org.bitcoin; - -/** - * This class holds the context reference used in native methods - * to handle ECDSA operations. - */ -public class Secp256k1Context { - private static final boolean enabled; //true if the library is loaded - private static final long context; //ref to pointer to context obj - - static { //static initializer - boolean isEnabled = true; - long contextRef = -1; - try { - System.loadLibrary("secp256k1"); - contextRef = rustsecp256k1_v0_1_1_init_context(); - } catch (UnsatisfiedLinkError e) { - System.out.println("UnsatisfiedLinkError: " + e.toString()); - isEnabled = false; - } - enabled = isEnabled; - context = contextRef; - } - - public static boolean isEnabled() { - return enabled; - } - - public static long getContext() { - if(!enabled) return -1; //sanity check - return context; - } - - private static native long rustsecp256k1_v0_1_1_init_context(); -} diff --git a/secp256k1-sys/depend/secp256k1/src/java/org_bitcoin_NativeSecp256k1.c b/secp256k1-sys/depend/secp256k1/src/java/org_bitcoin_NativeSecp256k1.c deleted file mode 100644 index bcfbd8d9c..000000000 --- a/secp256k1-sys/depend/secp256k1/src/java/org_bitcoin_NativeSecp256k1.c +++ /dev/null @@ -1,379 +0,0 @@ -#include -#include -#include -#include "org_bitcoin_NativeSecp256k1.h" -#include "include/secp256k1.h" -#include "include/secp256k1_ecdh.h" -#include "include/secp256k1_recovery.h" - - -SECP256K1_API jlong JNICALL Java_org_bitcoin_NativeSecp256k1_rustsecp256k1_v0_1_1_1ctx_1clone - (JNIEnv* env, jclass classObject, jlong ctx_l) -{ - const rustsecp256k1_v0_1_1_context *ctx = (rustsecp256k1_v0_1_1_context*)(uintptr_t)ctx_l; - - jlong ctx_clone_l = (uintptr_t) rustsecp256k1_v0_1_1_context_clone(ctx); - - (void)classObject;(void)env; - - return ctx_clone_l; - -} - -SECP256K1_API jint JNICALL Java_org_bitcoin_NativeSecp256k1_rustsecp256k1_v0_1_1_1context_1randomize - (JNIEnv* env, jclass classObject, jobject byteBufferObject, jlong ctx_l) -{ - rustsecp256k1_v0_1_1_context *ctx = (rustsecp256k1_v0_1_1_context*)(uintptr_t)ctx_l; - - const unsigned char* seed = (unsigned char*) (*env)->GetDirectBufferAddress(env, byteBufferObject); - - (void)classObject; - - return rustsecp256k1_v0_1_1_context_randomize(ctx, seed); - -} - -SECP256K1_API void JNICALL Java_org_bitcoin_NativeSecp256k1_rustsecp256k1_v0_1_1_1destroy_1context - (JNIEnv* env, jclass classObject, jlong ctx_l) -{ - rustsecp256k1_v0_1_1_context *ctx = (rustsecp256k1_v0_1_1_context*)(uintptr_t)ctx_l; - - rustsecp256k1_v0_1_1_context_destroy(ctx); - - (void)classObject;(void)env; -} - -SECP256K1_API jint JNICALL Java_org_bitcoin_NativeSecp256k1_rustsecp256k1_v0_1_1_1ecdsa_1verify - (JNIEnv* env, jclass classObject, jobject byteBufferObject, jlong ctx_l, jint siglen, jint publen) -{ - rustsecp256k1_v0_1_1_context *ctx = (rustsecp256k1_v0_1_1_context*)(uintptr_t)ctx_l; - - unsigned char* data = (unsigned char*) (*env)->GetDirectBufferAddress(env, byteBufferObject); - const unsigned char* sigdata = { (unsigned char*) (data + 32) }; - const unsigned char* pubdata = { (unsigned char*) (data + siglen + 32) }; - - rustsecp256k1_v0_1_1_ecdsa_signature sig; - rustsecp256k1_v0_1_1_pubkey pubkey; - - int ret = rustsecp256k1_v0_1_1_ecdsa_signature_parse_der(ctx, &sig, sigdata, siglen); - - if( ret ) { - ret = rustsecp256k1_v0_1_1_ec_pubkey_parse(ctx, &pubkey, pubdata, publen); - - if( ret ) { - ret = rustsecp256k1_v0_1_1_ecdsa_verify(ctx, &sig, data, &pubkey); - } - } - - (void)classObject; - - return ret; -} - -SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_rustsecp256k1_v0_1_1_1ecdsa_1sign - (JNIEnv* env, jclass classObject, jobject byteBufferObject, jlong ctx_l) -{ - rustsecp256k1_v0_1_1_context *ctx = (rustsecp256k1_v0_1_1_context*)(uintptr_t)ctx_l; - unsigned char* data = (unsigned char*) (*env)->GetDirectBufferAddress(env, byteBufferObject); - unsigned char* secKey = (unsigned char*) (data + 32); - - jobjectArray retArray; - jbyteArray sigArray, intsByteArray; - unsigned char intsarray[2]; - - rustsecp256k1_v0_1_1_ecdsa_signature sig[72]; - - int ret = rustsecp256k1_v0_1_1_ecdsa_sign(ctx, sig, data, secKey, NULL, NULL); - - unsigned char outputSer[72]; - size_t outputLen = 72; - - if( ret ) { - int ret2 = rustsecp256k1_v0_1_1_ecdsa_signature_serialize_der(ctx,outputSer, &outputLen, sig ); (void)ret2; - } - - intsarray[0] = outputLen; - intsarray[1] = ret; - - retArray = (*env)->NewObjectArray(env, 2, - (*env)->FindClass(env, "[B"), - (*env)->NewByteArray(env, 1)); - - sigArray = (*env)->NewByteArray(env, outputLen); - (*env)->SetByteArrayRegion(env, sigArray, 0, outputLen, (jbyte*)outputSer); - (*env)->SetObjectArrayElement(env, retArray, 0, sigArray); - - intsByteArray = (*env)->NewByteArray(env, 2); - (*env)->SetByteArrayRegion(env, intsByteArray, 0, 2, (jbyte*)intsarray); - (*env)->SetObjectArrayElement(env, retArray, 1, intsByteArray); - - (void)classObject; - - return retArray; -} - -SECP256K1_API jint JNICALL Java_org_bitcoin_NativeSecp256k1_rustsecp256k1_v0_1_1_1ec_1seckey_1verify - (JNIEnv* env, jclass classObject, jobject byteBufferObject, jlong ctx_l) -{ - rustsecp256k1_v0_1_1_context *ctx = (rustsecp256k1_v0_1_1_context*)(uintptr_t)ctx_l; - unsigned char* secKey = (unsigned char*) (*env)->GetDirectBufferAddress(env, byteBufferObject); - - (void)classObject; - - return rustsecp256k1_v0_1_1_ec_seckey_verify(ctx, secKey); -} - -SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_rustsecp256k1_v0_1_1_1ec_1pubkey_1create - (JNIEnv* env, jclass classObject, jobject byteBufferObject, jlong ctx_l) -{ - rustsecp256k1_v0_1_1_context *ctx = (rustsecp256k1_v0_1_1_context*)(uintptr_t)ctx_l; - const unsigned char* secKey = (unsigned char*) (*env)->GetDirectBufferAddress(env, byteBufferObject); - - rustsecp256k1_v0_1_1_pubkey pubkey; - - jobjectArray retArray; - jbyteArray pubkeyArray, intsByteArray; - unsigned char intsarray[2]; - - int ret = rustsecp256k1_v0_1_1_ec_pubkey_create(ctx, &pubkey, secKey); - - unsigned char outputSer[65]; - size_t outputLen = 65; - - if( ret ) { - int ret2 = rustsecp256k1_v0_1_1_ec_pubkey_serialize(ctx,outputSer, &outputLen, &pubkey,SECP256K1_EC_UNCOMPRESSED );(void)ret2; - } - - intsarray[0] = outputLen; - intsarray[1] = ret; - - retArray = (*env)->NewObjectArray(env, 2, - (*env)->FindClass(env, "[B"), - (*env)->NewByteArray(env, 1)); - - pubkeyArray = (*env)->NewByteArray(env, outputLen); - (*env)->SetByteArrayRegion(env, pubkeyArray, 0, outputLen, (jbyte*)outputSer); - (*env)->SetObjectArrayElement(env, retArray, 0, pubkeyArray); - - intsByteArray = (*env)->NewByteArray(env, 2); - (*env)->SetByteArrayRegion(env, intsByteArray, 0, 2, (jbyte*)intsarray); - (*env)->SetObjectArrayElement(env, retArray, 1, intsByteArray); - - (void)classObject; - - return retArray; - -} - -SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_rustsecp256k1_v0_1_1_1privkey_1tweak_1add - (JNIEnv* env, jclass classObject, jobject byteBufferObject, jlong ctx_l) -{ - rustsecp256k1_v0_1_1_context *ctx = (rustsecp256k1_v0_1_1_context*)(uintptr_t)ctx_l; - unsigned char* privkey = (unsigned char*) (*env)->GetDirectBufferAddress(env, byteBufferObject); - const unsigned char* tweak = (unsigned char*) (privkey + 32); - - jobjectArray retArray; - jbyteArray privArray, intsByteArray; - unsigned char intsarray[2]; - - int privkeylen = 32; - - int ret = rustsecp256k1_v0_1_1_ec_privkey_tweak_add(ctx, privkey, tweak); - - intsarray[0] = privkeylen; - intsarray[1] = ret; - - retArray = (*env)->NewObjectArray(env, 2, - (*env)->FindClass(env, "[B"), - (*env)->NewByteArray(env, 1)); - - privArray = (*env)->NewByteArray(env, privkeylen); - (*env)->SetByteArrayRegion(env, privArray, 0, privkeylen, (jbyte*)privkey); - (*env)->SetObjectArrayElement(env, retArray, 0, privArray); - - intsByteArray = (*env)->NewByteArray(env, 2); - (*env)->SetByteArrayRegion(env, intsByteArray, 0, 2, (jbyte*)intsarray); - (*env)->SetObjectArrayElement(env, retArray, 1, intsByteArray); - - (void)classObject; - - return retArray; -} - -SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_rustsecp256k1_v0_1_1_1privkey_1tweak_1mul - (JNIEnv* env, jclass classObject, jobject byteBufferObject, jlong ctx_l) -{ - rustsecp256k1_v0_1_1_context *ctx = (rustsecp256k1_v0_1_1_context*)(uintptr_t)ctx_l; - unsigned char* privkey = (unsigned char*) (*env)->GetDirectBufferAddress(env, byteBufferObject); - const unsigned char* tweak = (unsigned char*) (privkey + 32); - - jobjectArray retArray; - jbyteArray privArray, intsByteArray; - unsigned char intsarray[2]; - - int privkeylen = 32; - - int ret = rustsecp256k1_v0_1_1_ec_privkey_tweak_mul(ctx, privkey, tweak); - - intsarray[0] = privkeylen; - intsarray[1] = ret; - - retArray = (*env)->NewObjectArray(env, 2, - (*env)->FindClass(env, "[B"), - (*env)->NewByteArray(env, 1)); - - privArray = (*env)->NewByteArray(env, privkeylen); - (*env)->SetByteArrayRegion(env, privArray, 0, privkeylen, (jbyte*)privkey); - (*env)->SetObjectArrayElement(env, retArray, 0, privArray); - - intsByteArray = (*env)->NewByteArray(env, 2); - (*env)->SetByteArrayRegion(env, intsByteArray, 0, 2, (jbyte*)intsarray); - (*env)->SetObjectArrayElement(env, retArray, 1, intsByteArray); - - (void)classObject; - - return retArray; -} - -SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_rustsecp256k1_v0_1_1_1pubkey_1tweak_1add - (JNIEnv* env, jclass classObject, jobject byteBufferObject, jlong ctx_l, jint publen) -{ - rustsecp256k1_v0_1_1_context *ctx = (rustsecp256k1_v0_1_1_context*)(uintptr_t)ctx_l; -/* rustsecp256k1_v0_1_1_pubkey* pubkey = (rustsecp256k1_v0_1_1_pubkey*) (*env)->GetDirectBufferAddress(env, byteBufferObject);*/ - unsigned char* pkey = (*env)->GetDirectBufferAddress(env, byteBufferObject); - const unsigned char* tweak = (unsigned char*) (pkey + publen); - - jobjectArray retArray; - jbyteArray pubArray, intsByteArray; - unsigned char intsarray[2]; - unsigned char outputSer[65]; - size_t outputLen = 65; - - rustsecp256k1_v0_1_1_pubkey pubkey; - int ret = rustsecp256k1_v0_1_1_ec_pubkey_parse(ctx, &pubkey, pkey, publen); - - if( ret ) { - ret = rustsecp256k1_v0_1_1_ec_pubkey_tweak_add(ctx, &pubkey, tweak); - } - - if( ret ) { - int ret2 = rustsecp256k1_v0_1_1_ec_pubkey_serialize(ctx,outputSer, &outputLen, &pubkey,SECP256K1_EC_UNCOMPRESSED );(void)ret2; - } - - intsarray[0] = outputLen; - intsarray[1] = ret; - - retArray = (*env)->NewObjectArray(env, 2, - (*env)->FindClass(env, "[B"), - (*env)->NewByteArray(env, 1)); - - pubArray = (*env)->NewByteArray(env, outputLen); - (*env)->SetByteArrayRegion(env, pubArray, 0, outputLen, (jbyte*)outputSer); - (*env)->SetObjectArrayElement(env, retArray, 0, pubArray); - - intsByteArray = (*env)->NewByteArray(env, 2); - (*env)->SetByteArrayRegion(env, intsByteArray, 0, 2, (jbyte*)intsarray); - (*env)->SetObjectArrayElement(env, retArray, 1, intsByteArray); - - (void)classObject; - - return retArray; -} - -SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_rustsecp256k1_v0_1_1_1pubkey_1tweak_1mul - (JNIEnv* env, jclass classObject, jobject byteBufferObject, jlong ctx_l, jint publen) -{ - rustsecp256k1_v0_1_1_context *ctx = (rustsecp256k1_v0_1_1_context*)(uintptr_t)ctx_l; - unsigned char* pkey = (*env)->GetDirectBufferAddress(env, byteBufferObject); - const unsigned char* tweak = (unsigned char*) (pkey + publen); - - jobjectArray retArray; - jbyteArray pubArray, intsByteArray; - unsigned char intsarray[2]; - unsigned char outputSer[65]; - size_t outputLen = 65; - - rustsecp256k1_v0_1_1_pubkey pubkey; - int ret = rustsecp256k1_v0_1_1_ec_pubkey_parse(ctx, &pubkey, pkey, publen); - - if ( ret ) { - ret = rustsecp256k1_v0_1_1_ec_pubkey_tweak_mul(ctx, &pubkey, tweak); - } - - if( ret ) { - int ret2 = rustsecp256k1_v0_1_1_ec_pubkey_serialize(ctx,outputSer, &outputLen, &pubkey,SECP256K1_EC_UNCOMPRESSED );(void)ret2; - } - - intsarray[0] = outputLen; - intsarray[1] = ret; - - retArray = (*env)->NewObjectArray(env, 2, - (*env)->FindClass(env, "[B"), - (*env)->NewByteArray(env, 1)); - - pubArray = (*env)->NewByteArray(env, outputLen); - (*env)->SetByteArrayRegion(env, pubArray, 0, outputLen, (jbyte*)outputSer); - (*env)->SetObjectArrayElement(env, retArray, 0, pubArray); - - intsByteArray = (*env)->NewByteArray(env, 2); - (*env)->SetByteArrayRegion(env, intsByteArray, 0, 2, (jbyte*)intsarray); - (*env)->SetObjectArrayElement(env, retArray, 1, intsByteArray); - - (void)classObject; - - return retArray; -} - -SECP256K1_API jlong JNICALL Java_org_bitcoin_NativeSecp256k1_rustsecp256k1_v0_1_1_1ecdsa_1pubkey_1combine - (JNIEnv * env, jclass classObject, jobject byteBufferObject, jlong ctx_l, jint numkeys) -{ - (void)classObject;(void)env;(void)byteBufferObject;(void)ctx_l;(void)numkeys; - - return 0; -} - -SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_rustsecp256k1_v0_1_1_1ecdh - (JNIEnv* env, jclass classObject, jobject byteBufferObject, jlong ctx_l, jint publen) -{ - rustsecp256k1_v0_1_1_context *ctx = (rustsecp256k1_v0_1_1_context*)(uintptr_t)ctx_l; - const unsigned char* secdata = (*env)->GetDirectBufferAddress(env, byteBufferObject); - const unsigned char* pubdata = (const unsigned char*) (secdata + 32); - - jobjectArray retArray; - jbyteArray outArray, intsByteArray; - unsigned char intsarray[1]; - rustsecp256k1_v0_1_1_pubkey pubkey; - unsigned char nonce_res[32]; - size_t outputLen = 32; - - int ret = rustsecp256k1_v0_1_1_ec_pubkey_parse(ctx, &pubkey, pubdata, publen); - - if (ret) { - ret = rustsecp256k1_v0_1_1_ecdh( - ctx, - nonce_res, - &pubkey, - secdata, - NULL, - NULL - ); - } - - intsarray[0] = ret; - - retArray = (*env)->NewObjectArray(env, 2, - (*env)->FindClass(env, "[B"), - (*env)->NewByteArray(env, 1)); - - outArray = (*env)->NewByteArray(env, outputLen); - (*env)->SetByteArrayRegion(env, outArray, 0, 32, (jbyte*)nonce_res); - (*env)->SetObjectArrayElement(env, retArray, 0, outArray); - - intsByteArray = (*env)->NewByteArray(env, 1); - (*env)->SetByteArrayRegion(env, intsByteArray, 0, 1, (jbyte*)intsarray); - (*env)->SetObjectArrayElement(env, retArray, 1, intsByteArray); - - (void)classObject; - - return retArray; -} diff --git a/secp256k1-sys/depend/secp256k1/src/java/org_bitcoin_NativeSecp256k1.h b/secp256k1-sys/depend/secp256k1/src/java/org_bitcoin_NativeSecp256k1.h deleted file mode 100644 index 9e55b61b4..000000000 --- a/secp256k1-sys/depend/secp256k1/src/java/org_bitcoin_NativeSecp256k1.h +++ /dev/null @@ -1,119 +0,0 @@ -/* DO NOT EDIT THIS FILE - it is machine generated */ -#include -#include "include/secp256k1.h" -/* Header for class org_bitcoin_NativeSecp256k1 */ - -#ifndef _Included_org_bitcoin_NativeSecp256k1 -#define _Included_org_bitcoin_NativeSecp256k1 -#ifdef __cplusplus -extern "C" { -#endif -/* - * Class: org_bitcoin_NativeSecp256k1 - * Method: rustsecp256k1_v0_1_1_ctx_clone - * Signature: (J)J - */ -SECP256K1_API jlong JNICALL Java_org_bitcoin_NativeSecp256k1_rustsecp256k1_v0_1_1_1ctx_1clone - (JNIEnv *, jclass, jlong); - -/* - * Class: org_bitcoin_NativeSecp256k1 - * Method: rustsecp256k1_v0_1_1_context_randomize - * Signature: (Ljava/nio/ByteBuffer;J)I - */ -SECP256K1_API jint JNICALL Java_org_bitcoin_NativeSecp256k1_rustsecp256k1_v0_1_1_1context_1randomize - (JNIEnv *, jclass, jobject, jlong); - -/* - * Class: org_bitcoin_NativeSecp256k1 - * Method: rustsecp256k1_v0_1_1_privkey_tweak_add - * Signature: (Ljava/nio/ByteBuffer;J)[[B - */ -SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_rustsecp256k1_v0_1_1_1privkey_1tweak_1add - (JNIEnv *, jclass, jobject, jlong); - -/* - * Class: org_bitcoin_NativeSecp256k1 - * Method: rustsecp256k1_v0_1_1_privkey_tweak_mul - * Signature: (Ljava/nio/ByteBuffer;J)[[B - */ -SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_rustsecp256k1_v0_1_1_1privkey_1tweak_1mul - (JNIEnv *, jclass, jobject, jlong); - -/* - * Class: org_bitcoin_NativeSecp256k1 - * Method: rustsecp256k1_v0_1_1_pubkey_tweak_add - * Signature: (Ljava/nio/ByteBuffer;JI)[[B - */ -SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_rustsecp256k1_v0_1_1_1pubkey_1tweak_1add - (JNIEnv *, jclass, jobject, jlong, jint); - -/* - * Class: org_bitcoin_NativeSecp256k1 - * Method: rustsecp256k1_v0_1_1_pubkey_tweak_mul - * Signature: (Ljava/nio/ByteBuffer;JI)[[B - */ -SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_rustsecp256k1_v0_1_1_1pubkey_1tweak_1mul - (JNIEnv *, jclass, jobject, jlong, jint); - -/* - * Class: org_bitcoin_NativeSecp256k1 - * Method: rustsecp256k1_v0_1_1_destroy_context - * Signature: (J)V - */ -SECP256K1_API void JNICALL Java_org_bitcoin_NativeSecp256k1_rustsecp256k1_v0_1_1_1destroy_1context - (JNIEnv *, jclass, jlong); - -/* - * Class: org_bitcoin_NativeSecp256k1 - * Method: rustsecp256k1_v0_1_1_ecdsa_verify - * Signature: (Ljava/nio/ByteBuffer;JII)I - */ -SECP256K1_API jint JNICALL Java_org_bitcoin_NativeSecp256k1_rustsecp256k1_v0_1_1_1ecdsa_1verify - (JNIEnv *, jclass, jobject, jlong, jint, jint); - -/* - * Class: org_bitcoin_NativeSecp256k1 - * Method: rustsecp256k1_v0_1_1_ecdsa_sign - * Signature: (Ljava/nio/ByteBuffer;J)[[B - */ -SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_rustsecp256k1_v0_1_1_1ecdsa_1sign - (JNIEnv *, jclass, jobject, jlong); - -/* - * Class: org_bitcoin_NativeSecp256k1 - * Method: rustsecp256k1_v0_1_1_ec_seckey_verify - * Signature: (Ljava/nio/ByteBuffer;J)I - */ -SECP256K1_API jint JNICALL Java_org_bitcoin_NativeSecp256k1_rustsecp256k1_v0_1_1_1ec_1seckey_1verify - (JNIEnv *, jclass, jobject, jlong); - -/* - * Class: org_bitcoin_NativeSecp256k1 - * Method: rustsecp256k1_v0_1_1_ec_pubkey_create - * Signature: (Ljava/nio/ByteBuffer;J)[[B - */ -SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_rustsecp256k1_v0_1_1_1ec_1pubkey_1create - (JNIEnv *, jclass, jobject, jlong); - -/* - * Class: org_bitcoin_NativeSecp256k1 - * Method: rustsecp256k1_v0_1_1_ec_pubkey_parse - * Signature: (Ljava/nio/ByteBuffer;JI)[[B - */ -SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_rustsecp256k1_v0_1_1_1ec_1pubkey_1parse - (JNIEnv *, jclass, jobject, jlong, jint); - -/* - * Class: org_bitcoin_NativeSecp256k1 - * Method: rustsecp256k1_v0_1_1_ecdh - * Signature: (Ljava/nio/ByteBuffer;JI)[[B - */ -SECP256K1_API jobjectArray JNICALL Java_org_bitcoin_NativeSecp256k1_rustsecp256k1_v0_1_1_1ecdh - (JNIEnv* env, jclass classObject, jobject byteBufferObject, jlong ctx_l, jint publen); - - -#ifdef __cplusplus -} -#endif -#endif diff --git a/secp256k1-sys/depend/secp256k1/src/java/org_bitcoin_Secp256k1Context.c b/secp256k1-sys/depend/secp256k1/src/java/org_bitcoin_Secp256k1Context.c deleted file mode 100644 index 94b3e5907..000000000 --- a/secp256k1-sys/depend/secp256k1/src/java/org_bitcoin_Secp256k1Context.c +++ /dev/null @@ -1,15 +0,0 @@ -#include -#include -#include "org_bitcoin_Secp256k1Context.h" -#include "include/secp256k1.h" - -SECP256K1_API jlong JNICALL Java_org_bitcoin_Secp256k1Context_rustsecp256k1_v0_1_1_1init_1context - (JNIEnv* env, jclass classObject) -{ - rustsecp256k1_v0_1_1_context *ctx = rustsecp256k1_v0_1_1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); - - (void)classObject;(void)env; - - return (uintptr_t)ctx; -} - diff --git a/secp256k1-sys/depend/secp256k1/src/java/org_bitcoin_Secp256k1Context.h b/secp256k1-sys/depend/secp256k1/src/java/org_bitcoin_Secp256k1Context.h deleted file mode 100644 index 1c3f4f426..000000000 --- a/secp256k1-sys/depend/secp256k1/src/java/org_bitcoin_Secp256k1Context.h +++ /dev/null @@ -1,22 +0,0 @@ -/* DO NOT EDIT THIS FILE - it is machine generated */ -#include -#include "include/secp256k1.h" -/* Header for class org_bitcoin_Secp256k1Context */ - -#ifndef _Included_org_bitcoin_Secp256k1Context -#define _Included_org_bitcoin_Secp256k1Context -#ifdef __cplusplus -extern "C" { -#endif -/* - * Class: org_bitcoin_Secp256k1Context - * Method: rustsecp256k1_v0_1_1_init_context - * Signature: ()J - */ -SECP256K1_API jlong JNICALL Java_org_bitcoin_Secp256k1Context_rustsecp256k1_v0_1_1_1init_1context - (JNIEnv *, jclass); - -#ifdef __cplusplus -} -#endif -#endif diff --git a/secp256k1-sys/depend/secp256k1/src/modules/ecdh/Makefile.am.include b/secp256k1-sys/depend/secp256k1/src/modules/ecdh/Makefile.am.include index c08852796..a9c30933a 100644 --- a/secp256k1-sys/depend/secp256k1/src/modules/ecdh/Makefile.am.include +++ b/secp256k1-sys/depend/secp256k1/src/modules/ecdh/Makefile.am.include @@ -1,4 +1,4 @@ -include_HEADERS += include/rustsecp256k1_v0_1_1_ecdh.h +include_HEADERS += include/rustsecp256k1_v0_1_2_ecdh.h noinst_HEADERS += src/modules/ecdh/main_impl.h noinst_HEADERS += src/modules/ecdh/tests_impl.h if USE_BENCHMARK diff --git a/secp256k1-sys/depend/secp256k1/src/modules/ecdh/main_impl.h b/secp256k1-sys/depend/secp256k1/src/modules/ecdh/main_impl.h index 01cf62277..c5f052675 100644 --- a/secp256k1-sys/depend/secp256k1/src/modules/ecdh/main_impl.h +++ b/secp256k1-sys/depend/secp256k1/src/modules/ecdh/main_impl.h @@ -10,58 +10,62 @@ #include "include/secp256k1_ecdh.h" #include "ecmult_const_impl.h" -static int ecdh_hash_function_sha256(unsigned char *output, const unsigned char *x, const unsigned char *y, void *data) { - unsigned char version = (y[31] & 0x01) | 0x02; - rustsecp256k1_v0_1_1_sha256 sha; +static int ecdh_hash_function_sha256(unsigned char *output, const unsigned char *x32, const unsigned char *y32, void *data) { + unsigned char version = (y32[31] & 0x01) | 0x02; + rustsecp256k1_v0_1_2_sha256 sha; (void)data; - rustsecp256k1_v0_1_1_sha256_initialize(&sha); - rustsecp256k1_v0_1_1_sha256_write(&sha, &version, 1); - rustsecp256k1_v0_1_1_sha256_write(&sha, x, 32); - rustsecp256k1_v0_1_1_sha256_finalize(&sha, output); + rustsecp256k1_v0_1_2_sha256_initialize(&sha); + rustsecp256k1_v0_1_2_sha256_write(&sha, &version, 1); + rustsecp256k1_v0_1_2_sha256_write(&sha, x32, 32); + rustsecp256k1_v0_1_2_sha256_finalize(&sha, output); return 1; } -const rustsecp256k1_v0_1_1_ecdh_hash_function rustsecp256k1_v0_1_1_ecdh_hash_function_sha256 = ecdh_hash_function_sha256; -const rustsecp256k1_v0_1_1_ecdh_hash_function rustsecp256k1_v0_1_1_ecdh_hash_function_default = ecdh_hash_function_sha256; +const rustsecp256k1_v0_1_2_ecdh_hash_function rustsecp256k1_v0_1_2_ecdh_hash_function_sha256 = ecdh_hash_function_sha256; +const rustsecp256k1_v0_1_2_ecdh_hash_function rustsecp256k1_v0_1_2_ecdh_hash_function_default = ecdh_hash_function_sha256; -int rustsecp256k1_v0_1_1_ecdh(const rustsecp256k1_v0_1_1_context* ctx, unsigned char *output, const rustsecp256k1_v0_1_1_pubkey *point, const unsigned char *scalar, rustsecp256k1_v0_1_1_ecdh_hash_function hashfp, void *data) { +int rustsecp256k1_v0_1_2_ecdh(const rustsecp256k1_v0_1_2_context* ctx, unsigned char *output, const rustsecp256k1_v0_1_2_pubkey *point, const unsigned char *scalar, rustsecp256k1_v0_1_2_ecdh_hash_function hashfp, void *data) { int ret = 0; int overflow = 0; - rustsecp256k1_v0_1_1_gej res; - rustsecp256k1_v0_1_1_ge pt; - rustsecp256k1_v0_1_1_scalar s; + rustsecp256k1_v0_1_2_gej res; + rustsecp256k1_v0_1_2_ge pt; + rustsecp256k1_v0_1_2_scalar s; + unsigned char x[32]; + unsigned char y[32]; + VERIFY_CHECK(ctx != NULL); ARG_CHECK(output != NULL); ARG_CHECK(point != NULL); ARG_CHECK(scalar != NULL); + if (hashfp == NULL) { - hashfp = rustsecp256k1_v0_1_1_ecdh_hash_function_default; + hashfp = rustsecp256k1_v0_1_2_ecdh_hash_function_default; } - rustsecp256k1_v0_1_1_pubkey_load(ctx, &pt, point); - rustsecp256k1_v0_1_1_scalar_set_b32(&s, scalar, &overflow); - if (overflow || rustsecp256k1_v0_1_1_scalar_is_zero(&s)) { - ret = 0; - } else { - unsigned char x[32]; - unsigned char y[32]; + rustsecp256k1_v0_1_2_pubkey_load(ctx, &pt, point); + rustsecp256k1_v0_1_2_scalar_set_b32(&s, scalar, &overflow); - rustsecp256k1_v0_1_1_ecmult_const(&res, &pt, &s, 256); - rustsecp256k1_v0_1_1_ge_set_gej(&pt, &res); + overflow |= rustsecp256k1_v0_1_2_scalar_is_zero(&s); + rustsecp256k1_v0_1_2_scalar_cmov(&s, &rustsecp256k1_v0_1_2_scalar_one, overflow); - /* Compute a hash of the point */ - rustsecp256k1_v0_1_1_fe_normalize(&pt.x); - rustsecp256k1_v0_1_1_fe_normalize(&pt.y); - rustsecp256k1_v0_1_1_fe_get_b32(x, &pt.x); - rustsecp256k1_v0_1_1_fe_get_b32(y, &pt.y); + rustsecp256k1_v0_1_2_ecmult_const(&res, &pt, &s, 256); + rustsecp256k1_v0_1_2_ge_set_gej(&pt, &res); - ret = hashfp(output, x, y, data); - } + /* Compute a hash of the point */ + rustsecp256k1_v0_1_2_fe_normalize(&pt.x); + rustsecp256k1_v0_1_2_fe_normalize(&pt.y); + rustsecp256k1_v0_1_2_fe_get_b32(x, &pt.x); + rustsecp256k1_v0_1_2_fe_get_b32(y, &pt.y); + + ret = hashfp(output, x, y, data); + + memset(x, 0, 32); + memset(y, 0, 32); + rustsecp256k1_v0_1_2_scalar_clear(&s); - rustsecp256k1_v0_1_1_scalar_clear(&s); - return ret; + return !!ret & !overflow; } #endif /* SECP256K1_MODULE_ECDH_MAIN_H */ diff --git a/secp256k1-sys/depend/secp256k1/src/modules/ecdh/tests_impl.h b/secp256k1-sys/depend/secp256k1/src/modules/ecdh/tests_impl.h index fe8d59930..46c97d155 100644 --- a/secp256k1-sys/depend/secp256k1/src/modules/ecdh/tests_impl.h +++ b/secp256k1-sys/depend/secp256k1/src/modules/ecdh/tests_impl.h @@ -26,69 +26,69 @@ int ecdh_hash_function_custom(unsigned char *output, const unsigned char *x, con void test_ecdh_api(void) { /* Setup context that just counts errors */ - rustsecp256k1_v0_1_1_context *tctx = rustsecp256k1_v0_1_1_context_create(SECP256K1_CONTEXT_SIGN); - rustsecp256k1_v0_1_1_pubkey point; + rustsecp256k1_v0_1_2_context *tctx = rustsecp256k1_v0_1_2_context_create(SECP256K1_CONTEXT_SIGN); + rustsecp256k1_v0_1_2_pubkey point; unsigned char res[32]; unsigned char s_one[32] = { 0 }; int32_t ecount = 0; s_one[31] = 1; - rustsecp256k1_v0_1_1_context_set_error_callback(tctx, counting_illegal_callback_fn, &ecount); - rustsecp256k1_v0_1_1_context_set_illegal_callback(tctx, counting_illegal_callback_fn, &ecount); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_create(tctx, &point, s_one) == 1); + rustsecp256k1_v0_1_2_context_set_error_callback(tctx, counting_illegal_callback_fn, &ecount); + rustsecp256k1_v0_1_2_context_set_illegal_callback(tctx, counting_illegal_callback_fn, &ecount); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_create(tctx, &point, s_one) == 1); /* Check all NULLs are detected */ - CHECK(rustsecp256k1_v0_1_1_ecdh(tctx, res, &point, s_one, NULL, NULL) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdh(tctx, res, &point, s_one, NULL, NULL) == 1); CHECK(ecount == 0); - CHECK(rustsecp256k1_v0_1_1_ecdh(tctx, NULL, &point, s_one, NULL, NULL) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdh(tctx, NULL, &point, s_one, NULL, NULL) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1_v0_1_1_ecdh(tctx, res, NULL, s_one, NULL, NULL) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdh(tctx, res, NULL, s_one, NULL, NULL) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1_v0_1_1_ecdh(tctx, res, &point, NULL, NULL, NULL) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdh(tctx, res, &point, NULL, NULL, NULL) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1_v0_1_1_ecdh(tctx, res, &point, s_one, NULL, NULL) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdh(tctx, res, &point, s_one, NULL, NULL) == 1); CHECK(ecount == 3); /* Cleanup */ - rustsecp256k1_v0_1_1_context_destroy(tctx); + rustsecp256k1_v0_1_2_context_destroy(tctx); } void test_ecdh_generator_basepoint(void) { unsigned char s_one[32] = { 0 }; - rustsecp256k1_v0_1_1_pubkey point[2]; + rustsecp256k1_v0_1_2_pubkey point[2]; int i; s_one[31] = 1; /* Check against pubkey creation when the basepoint is the generator */ for (i = 0; i < 100; ++i) { - rustsecp256k1_v0_1_1_sha256 sha; + rustsecp256k1_v0_1_2_sha256 sha; unsigned char s_b32[32]; unsigned char output_ecdh[65]; unsigned char output_ser[32]; unsigned char point_ser[65]; size_t point_ser_len = sizeof(point_ser); - rustsecp256k1_v0_1_1_scalar s; + rustsecp256k1_v0_1_2_scalar s; random_scalar_order(&s); - rustsecp256k1_v0_1_1_scalar_get_b32(s_b32, &s); + rustsecp256k1_v0_1_2_scalar_get_b32(s_b32, &s); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_create(ctx, &point[0], s_one) == 1); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_create(ctx, &point[1], s_b32) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_create(ctx, &point[0], s_one) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_create(ctx, &point[1], s_b32) == 1); /* compute using ECDH function with custom hash function */ - CHECK(rustsecp256k1_v0_1_1_ecdh(ctx, output_ecdh, &point[0], s_b32, ecdh_hash_function_custom, NULL) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdh(ctx, output_ecdh, &point[0], s_b32, ecdh_hash_function_custom, NULL) == 1); /* compute "explicitly" */ - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_serialize(ctx, point_ser, &point_ser_len, &point[1], SECP256K1_EC_UNCOMPRESSED) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_serialize(ctx, point_ser, &point_ser_len, &point[1], SECP256K1_EC_UNCOMPRESSED) == 1); /* compare */ CHECK(memcmp(output_ecdh, point_ser, 65) == 0); /* compute using ECDH function with default hash function */ - CHECK(rustsecp256k1_v0_1_1_ecdh(ctx, output_ecdh, &point[0], s_b32, NULL, NULL) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdh(ctx, output_ecdh, &point[0], s_b32, NULL, NULL) == 1); /* compute "explicitly" */ - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_serialize(ctx, point_ser, &point_ser_len, &point[1], SECP256K1_EC_COMPRESSED) == 1); - rustsecp256k1_v0_1_1_sha256_initialize(&sha); - rustsecp256k1_v0_1_1_sha256_write(&sha, point_ser, point_ser_len); - rustsecp256k1_v0_1_1_sha256_finalize(&sha, output_ser); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_serialize(ctx, point_ser, &point_ser_len, &point[1], SECP256K1_EC_COMPRESSED) == 1); + rustsecp256k1_v0_1_2_sha256_initialize(&sha); + rustsecp256k1_v0_1_2_sha256_write(&sha, point_ser, point_ser_len); + rustsecp256k1_v0_1_2_sha256_finalize(&sha, output_ser); /* compare */ CHECK(memcmp(output_ecdh, output_ser, 32) == 0); } @@ -104,23 +104,23 @@ void test_bad_scalar(void) { }; unsigned char s_rand[32] = { 0 }; unsigned char output[32]; - rustsecp256k1_v0_1_1_scalar rand; - rustsecp256k1_v0_1_1_pubkey point; + rustsecp256k1_v0_1_2_scalar rand; + rustsecp256k1_v0_1_2_pubkey point; /* Create random point */ random_scalar_order(&rand); - rustsecp256k1_v0_1_1_scalar_get_b32(s_rand, &rand); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_create(ctx, &point, s_rand) == 1); + rustsecp256k1_v0_1_2_scalar_get_b32(s_rand, &rand); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_create(ctx, &point, s_rand) == 1); /* Try to multiply it by bad values */ - CHECK(rustsecp256k1_v0_1_1_ecdh(ctx, output, &point, s_zero, NULL, NULL) == 0); - CHECK(rustsecp256k1_v0_1_1_ecdh(ctx, output, &point, s_overflow, NULL, NULL) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdh(ctx, output, &point, s_zero, NULL, NULL) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdh(ctx, output, &point, s_overflow, NULL, NULL) == 0); /* ...and a good one */ s_overflow[31] -= 1; - CHECK(rustsecp256k1_v0_1_1_ecdh(ctx, output, &point, s_overflow, NULL, NULL) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdh(ctx, output, &point, s_overflow, NULL, NULL) == 1); /* Hash function failure results in ecdh failure */ - CHECK(rustsecp256k1_v0_1_1_ecdh(ctx, output, &point, s_overflow, ecdh_hash_function_test_fail, NULL) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdh(ctx, output, &point, s_overflow, ecdh_hash_function_test_fail, NULL) == 0); } void run_ecdh_tests(void) { diff --git a/secp256k1-sys/depend/secp256k1/src/modules/recovery/Makefile.am.include b/secp256k1-sys/depend/secp256k1/src/modules/recovery/Makefile.am.include index 0aefe7476..8d5bffe18 100644 --- a/secp256k1-sys/depend/secp256k1/src/modules/recovery/Makefile.am.include +++ b/secp256k1-sys/depend/secp256k1/src/modules/recovery/Makefile.am.include @@ -1,4 +1,4 @@ -include_HEADERS += include/rustsecp256k1_v0_1_1_recovery.h +include_HEADERS += include/rustsecp256k1_v0_1_2_recovery.h noinst_HEADERS += src/modules/recovery/main_impl.h noinst_HEADERS += src/modules/recovery/tests_impl.h if USE_BENCHMARK diff --git a/secp256k1-sys/depend/secp256k1/src/modules/recovery/main_impl.h b/secp256k1-sys/depend/secp256k1/src/modules/recovery/main_impl.h old mode 100755 new mode 100644 index 45e1531ec..5a4889b1c --- a/secp256k1-sys/depend/secp256k1/src/modules/recovery/main_impl.h +++ b/secp256k1-sys/depend/secp256k1/src/modules/recovery/main_impl.h @@ -9,34 +9,34 @@ #include "include/secp256k1_recovery.h" -static void rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_load(const rustsecp256k1_v0_1_1_context* ctx, rustsecp256k1_v0_1_1_scalar* r, rustsecp256k1_v0_1_1_scalar* s, int* recid, const rustsecp256k1_v0_1_1_ecdsa_recoverable_signature* sig) { +static void rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_load(const rustsecp256k1_v0_1_2_context* ctx, rustsecp256k1_v0_1_2_scalar* r, rustsecp256k1_v0_1_2_scalar* s, int* recid, const rustsecp256k1_v0_1_2_ecdsa_recoverable_signature* sig) { (void)ctx; - if (sizeof(rustsecp256k1_v0_1_1_scalar) == 32) { - /* When the rustsecp256k1_v0_1_1_scalar type is exactly 32 byte, use its - * representation inside rustsecp256k1_v0_1_1_ecdsa_signature, as conversion is very fast. - * Note that rustsecp256k1_v0_1_1_ecdsa_signature_save must use the same representation. */ + if (sizeof(rustsecp256k1_v0_1_2_scalar) == 32) { + /* When the rustsecp256k1_v0_1_2_scalar type is exactly 32 byte, use its + * representation inside rustsecp256k1_v0_1_2_ecdsa_signature, as conversion is very fast. + * Note that rustsecp256k1_v0_1_2_ecdsa_signature_save must use the same representation. */ memcpy(r, &sig->data[0], 32); memcpy(s, &sig->data[32], 32); } else { - rustsecp256k1_v0_1_1_scalar_set_b32(r, &sig->data[0], NULL); - rustsecp256k1_v0_1_1_scalar_set_b32(s, &sig->data[32], NULL); + rustsecp256k1_v0_1_2_scalar_set_b32(r, &sig->data[0], NULL); + rustsecp256k1_v0_1_2_scalar_set_b32(s, &sig->data[32], NULL); } *recid = sig->data[64]; } -static void rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_save(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature* sig, const rustsecp256k1_v0_1_1_scalar* r, const rustsecp256k1_v0_1_1_scalar* s, int recid) { - if (sizeof(rustsecp256k1_v0_1_1_scalar) == 32) { +static void rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_save(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature* sig, const rustsecp256k1_v0_1_2_scalar* r, const rustsecp256k1_v0_1_2_scalar* s, int recid) { + if (sizeof(rustsecp256k1_v0_1_2_scalar) == 32) { memcpy(&sig->data[0], r, 32); memcpy(&sig->data[32], s, 32); } else { - rustsecp256k1_v0_1_1_scalar_get_b32(&sig->data[0], r); - rustsecp256k1_v0_1_1_scalar_get_b32(&sig->data[32], s); + rustsecp256k1_v0_1_2_scalar_get_b32(&sig->data[0], r); + rustsecp256k1_v0_1_2_scalar_get_b32(&sig->data[32], s); } sig->data[64] = recid; } -int rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_parse_compact(const rustsecp256k1_v0_1_1_context* ctx, rustsecp256k1_v0_1_1_ecdsa_recoverable_signature* sig, const unsigned char *input64, int recid) { - rustsecp256k1_v0_1_1_scalar r, s; +int rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_parse_compact(const rustsecp256k1_v0_1_2_context* ctx, rustsecp256k1_v0_1_2_ecdsa_recoverable_signature* sig, const unsigned char *input64, int recid) { + rustsecp256k1_v0_1_2_scalar r, s; int ret = 1; int overflow = 0; @@ -45,144 +45,144 @@ int rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_parse_compact(const rustsec ARG_CHECK(input64 != NULL); ARG_CHECK(recid >= 0 && recid <= 3); - rustsecp256k1_v0_1_1_scalar_set_b32(&r, &input64[0], &overflow); + rustsecp256k1_v0_1_2_scalar_set_b32(&r, &input64[0], &overflow); ret &= !overflow; - rustsecp256k1_v0_1_1_scalar_set_b32(&s, &input64[32], &overflow); + rustsecp256k1_v0_1_2_scalar_set_b32(&s, &input64[32], &overflow); ret &= !overflow; if (ret) { - rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_save(sig, &r, &s, recid); + rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_save(sig, &r, &s, recid); } else { memset(sig, 0, sizeof(*sig)); } return ret; } -int rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_serialize_compact(const rustsecp256k1_v0_1_1_context* ctx, unsigned char *output64, int *recid, const rustsecp256k1_v0_1_1_ecdsa_recoverable_signature* sig) { - rustsecp256k1_v0_1_1_scalar r, s; +int rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_serialize_compact(const rustsecp256k1_v0_1_2_context* ctx, unsigned char *output64, int *recid, const rustsecp256k1_v0_1_2_ecdsa_recoverable_signature* sig) { + rustsecp256k1_v0_1_2_scalar r, s; (void)ctx; ARG_CHECK(output64 != NULL); ARG_CHECK(sig != NULL); ARG_CHECK(recid != NULL); - rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_load(ctx, &r, &s, recid, sig); - rustsecp256k1_v0_1_1_scalar_get_b32(&output64[0], &r); - rustsecp256k1_v0_1_1_scalar_get_b32(&output64[32], &s); + rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_load(ctx, &r, &s, recid, sig); + rustsecp256k1_v0_1_2_scalar_get_b32(&output64[0], &r); + rustsecp256k1_v0_1_2_scalar_get_b32(&output64[32], &s); return 1; } -int rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_convert(const rustsecp256k1_v0_1_1_context* ctx, rustsecp256k1_v0_1_1_ecdsa_signature* sig, const rustsecp256k1_v0_1_1_ecdsa_recoverable_signature* sigin) { - rustsecp256k1_v0_1_1_scalar r, s; +int rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_convert(const rustsecp256k1_v0_1_2_context* ctx, rustsecp256k1_v0_1_2_ecdsa_signature* sig, const rustsecp256k1_v0_1_2_ecdsa_recoverable_signature* sigin) { + rustsecp256k1_v0_1_2_scalar r, s; int recid; (void)ctx; ARG_CHECK(sig != NULL); ARG_CHECK(sigin != NULL); - rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, sigin); - rustsecp256k1_v0_1_1_ecdsa_signature_save(sig, &r, &s); + rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, sigin); + rustsecp256k1_v0_1_2_ecdsa_signature_save(sig, &r, &s); return 1; } -static int rustsecp256k1_v0_1_1_ecdsa_sig_recover(const rustsecp256k1_v0_1_1_ecmult_context *ctx, const rustsecp256k1_v0_1_1_scalar *sigr, const rustsecp256k1_v0_1_1_scalar* sigs, rustsecp256k1_v0_1_1_ge *pubkey, const rustsecp256k1_v0_1_1_scalar *message, int recid) { +static int rustsecp256k1_v0_1_2_ecdsa_sig_recover(const rustsecp256k1_v0_1_2_ecmult_context *ctx, const rustsecp256k1_v0_1_2_scalar *sigr, const rustsecp256k1_v0_1_2_scalar* sigs, rustsecp256k1_v0_1_2_ge *pubkey, const rustsecp256k1_v0_1_2_scalar *message, int recid) { unsigned char brx[32]; - rustsecp256k1_v0_1_1_fe fx; - rustsecp256k1_v0_1_1_ge x; - rustsecp256k1_v0_1_1_gej xj; - rustsecp256k1_v0_1_1_scalar rn, u1, u2; - rustsecp256k1_v0_1_1_gej qj; + rustsecp256k1_v0_1_2_fe fx; + rustsecp256k1_v0_1_2_ge x; + rustsecp256k1_v0_1_2_gej xj; + rustsecp256k1_v0_1_2_scalar rn, u1, u2; + rustsecp256k1_v0_1_2_gej qj; int r; - if (rustsecp256k1_v0_1_1_scalar_is_zero(sigr) || rustsecp256k1_v0_1_1_scalar_is_zero(sigs)) { + if (rustsecp256k1_v0_1_2_scalar_is_zero(sigr) || rustsecp256k1_v0_1_2_scalar_is_zero(sigs)) { return 0; } - rustsecp256k1_v0_1_1_scalar_get_b32(brx, sigr); - r = rustsecp256k1_v0_1_1_fe_set_b32(&fx, brx); + rustsecp256k1_v0_1_2_scalar_get_b32(brx, sigr); + r = rustsecp256k1_v0_1_2_fe_set_b32(&fx, brx); (void)r; VERIFY_CHECK(r); /* brx comes from a scalar, so is less than the order; certainly less than p */ if (recid & 2) { - if (rustsecp256k1_v0_1_1_fe_cmp_var(&fx, &rustsecp256k1_v0_1_1_ecdsa_const_p_minus_order) >= 0) { + if (rustsecp256k1_v0_1_2_fe_cmp_var(&fx, &rustsecp256k1_v0_1_2_ecdsa_const_p_minus_order) >= 0) { return 0; } - rustsecp256k1_v0_1_1_fe_add(&fx, &rustsecp256k1_v0_1_1_ecdsa_const_order_as_fe); + rustsecp256k1_v0_1_2_fe_add(&fx, &rustsecp256k1_v0_1_2_ecdsa_const_order_as_fe); } - if (!rustsecp256k1_v0_1_1_ge_set_xo_var(&x, &fx, recid & 1)) { + if (!rustsecp256k1_v0_1_2_ge_set_xo_var(&x, &fx, recid & 1)) { return 0; } - rustsecp256k1_v0_1_1_gej_set_ge(&xj, &x); - rustsecp256k1_v0_1_1_scalar_inverse_var(&rn, sigr); - rustsecp256k1_v0_1_1_scalar_mul(&u1, &rn, message); - rustsecp256k1_v0_1_1_scalar_negate(&u1, &u1); - rustsecp256k1_v0_1_1_scalar_mul(&u2, &rn, sigs); - rustsecp256k1_v0_1_1_ecmult(ctx, &qj, &xj, &u2, &u1); - rustsecp256k1_v0_1_1_ge_set_gej_var(pubkey, &qj); - return !rustsecp256k1_v0_1_1_gej_is_infinity(&qj); + rustsecp256k1_v0_1_2_gej_set_ge(&xj, &x); + rustsecp256k1_v0_1_2_scalar_inverse_var(&rn, sigr); + rustsecp256k1_v0_1_2_scalar_mul(&u1, &rn, message); + rustsecp256k1_v0_1_2_scalar_negate(&u1, &u1); + rustsecp256k1_v0_1_2_scalar_mul(&u2, &rn, sigs); + rustsecp256k1_v0_1_2_ecmult(ctx, &qj, &xj, &u2, &u1); + rustsecp256k1_v0_1_2_ge_set_gej_var(pubkey, &qj); + return !rustsecp256k1_v0_1_2_gej_is_infinity(&qj); } -int rustsecp256k1_v0_1_1_ecdsa_sign_recoverable(const rustsecp256k1_v0_1_1_context* ctx, rustsecp256k1_v0_1_1_ecdsa_recoverable_signature *signature, const unsigned char *msg32, const unsigned char *seckey, rustsecp256k1_v0_1_1_nonce_function noncefp, const void* noncedata) { - rustsecp256k1_v0_1_1_scalar r, s; - rustsecp256k1_v0_1_1_scalar sec, non, msg; +int rustsecp256k1_v0_1_2_ecdsa_sign_recoverable(const rustsecp256k1_v0_1_2_context* ctx, rustsecp256k1_v0_1_2_ecdsa_recoverable_signature *signature, const unsigned char *msg32, const unsigned char *seckey, rustsecp256k1_v0_1_2_nonce_function noncefp, const void* noncedata) { + rustsecp256k1_v0_1_2_scalar r, s; + rustsecp256k1_v0_1_2_scalar sec, non, msg; int recid; int ret = 0; int overflow = 0; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1_v0_1_1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); + ARG_CHECK(rustsecp256k1_v0_1_2_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); ARG_CHECK(msg32 != NULL); ARG_CHECK(signature != NULL); ARG_CHECK(seckey != NULL); if (noncefp == NULL) { - noncefp = rustsecp256k1_v0_1_1_nonce_function_default; + noncefp = rustsecp256k1_v0_1_2_nonce_function_default; } - rustsecp256k1_v0_1_1_scalar_set_b32(&sec, seckey, &overflow); + rustsecp256k1_v0_1_2_scalar_set_b32(&sec, seckey, &overflow); /* Fail if the secret key is invalid. */ - if (!overflow && !rustsecp256k1_v0_1_1_scalar_is_zero(&sec)) { + if (!overflow && !rustsecp256k1_v0_1_2_scalar_is_zero(&sec)) { unsigned char nonce32[32]; unsigned int count = 0; - rustsecp256k1_v0_1_1_scalar_set_b32(&msg, msg32, NULL); + rustsecp256k1_v0_1_2_scalar_set_b32(&msg, msg32, NULL); while (1) { ret = noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count); if (!ret) { break; } - rustsecp256k1_v0_1_1_scalar_set_b32(&non, nonce32, &overflow); - if (!rustsecp256k1_v0_1_1_scalar_is_zero(&non) && !overflow) { - if (rustsecp256k1_v0_1_1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &r, &s, &sec, &msg, &non, &recid)) { + rustsecp256k1_v0_1_2_scalar_set_b32(&non, nonce32, &overflow); + if (!overflow && !rustsecp256k1_v0_1_2_scalar_is_zero(&non)) { + if (rustsecp256k1_v0_1_2_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &r, &s, &sec, &msg, &non, &recid)) { break; } } count++; } memset(nonce32, 0, 32); - rustsecp256k1_v0_1_1_scalar_clear(&msg); - rustsecp256k1_v0_1_1_scalar_clear(&non); - rustsecp256k1_v0_1_1_scalar_clear(&sec); + rustsecp256k1_v0_1_2_scalar_clear(&msg); + rustsecp256k1_v0_1_2_scalar_clear(&non); + rustsecp256k1_v0_1_2_scalar_clear(&sec); } if (ret) { - rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_save(signature, &r, &s, recid); + rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_save(signature, &r, &s, recid); } else { memset(signature, 0, sizeof(*signature)); } return ret; } -int rustsecp256k1_v0_1_1_ecdsa_recover(const rustsecp256k1_v0_1_1_context* ctx, rustsecp256k1_v0_1_1_pubkey *pubkey, const rustsecp256k1_v0_1_1_ecdsa_recoverable_signature *signature, const unsigned char *msg32) { - rustsecp256k1_v0_1_1_ge q; - rustsecp256k1_v0_1_1_scalar r, s; - rustsecp256k1_v0_1_1_scalar m; +int rustsecp256k1_v0_1_2_ecdsa_recover(const rustsecp256k1_v0_1_2_context* ctx, rustsecp256k1_v0_1_2_pubkey *pubkey, const rustsecp256k1_v0_1_2_ecdsa_recoverable_signature *signature, const unsigned char *msg32) { + rustsecp256k1_v0_1_2_ge q; + rustsecp256k1_v0_1_2_scalar r, s; + rustsecp256k1_v0_1_2_scalar m; int recid; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1_v0_1_1_ecmult_context_is_built(&ctx->ecmult_ctx)); + ARG_CHECK(rustsecp256k1_v0_1_2_ecmult_context_is_built(&ctx->ecmult_ctx)); ARG_CHECK(msg32 != NULL); ARG_CHECK(signature != NULL); ARG_CHECK(pubkey != NULL); - rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, signature); + rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, signature); VERIFY_CHECK(recid >= 0 && recid < 4); /* should have been caught in parse_compact */ - rustsecp256k1_v0_1_1_scalar_set_b32(&m, msg32, NULL); - if (rustsecp256k1_v0_1_1_ecdsa_sig_recover(&ctx->ecmult_ctx, &r, &s, &q, &m, recid)) { - rustsecp256k1_v0_1_1_pubkey_save(pubkey, &q); + rustsecp256k1_v0_1_2_scalar_set_b32(&m, msg32, NULL); + if (rustsecp256k1_v0_1_2_ecdsa_sig_recover(&ctx->ecmult_ctx, &r, &s, &q, &m, recid)) { + rustsecp256k1_v0_1_2_pubkey_save(pubkey, &q); return 1; } else { memset(pubkey, 0, sizeof(*pubkey)); diff --git a/secp256k1-sys/depend/secp256k1/src/modules/recovery/tests_impl.h b/secp256k1-sys/depend/secp256k1/src/modules/recovery/tests_impl.h index c531517eb..a0e751450 100644 --- a/secp256k1-sys/depend/secp256k1/src/modules/recovery/tests_impl.h +++ b/secp256k1-sys/depend/secp256k1/src/modules/recovery/tests_impl.h @@ -25,19 +25,19 @@ static int recovery_test_nonce_function(unsigned char *nonce32, const unsigned c } /* On the next run, return a valid nonce, but flip a coin as to whether or not to fail signing. */ memset(nonce32, 1, 32); - return rustsecp256k1_v0_1_1_rand_bits(1); + return rustsecp256k1_v0_1_2_rand_bits(1); } void test_ecdsa_recovery_api(void) { /* Setup contexts that just count errors */ - rustsecp256k1_v0_1_1_context *none = rustsecp256k1_v0_1_1_context_create(SECP256K1_CONTEXT_NONE); - rustsecp256k1_v0_1_1_context *sign = rustsecp256k1_v0_1_1_context_create(SECP256K1_CONTEXT_SIGN); - rustsecp256k1_v0_1_1_context *vrfy = rustsecp256k1_v0_1_1_context_create(SECP256K1_CONTEXT_VERIFY); - rustsecp256k1_v0_1_1_context *both = rustsecp256k1_v0_1_1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); - rustsecp256k1_v0_1_1_pubkey pubkey; - rustsecp256k1_v0_1_1_pubkey recpubkey; - rustsecp256k1_v0_1_1_ecdsa_signature normal_sig; - rustsecp256k1_v0_1_1_ecdsa_recoverable_signature recsig; + rustsecp256k1_v0_1_2_context *none = rustsecp256k1_v0_1_2_context_create(SECP256K1_CONTEXT_NONE); + rustsecp256k1_v0_1_2_context *sign = rustsecp256k1_v0_1_2_context_create(SECP256K1_CONTEXT_SIGN); + rustsecp256k1_v0_1_2_context *vrfy = rustsecp256k1_v0_1_2_context_create(SECP256K1_CONTEXT_VERIFY); + rustsecp256k1_v0_1_2_context *both = rustsecp256k1_v0_1_2_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); + rustsecp256k1_v0_1_2_pubkey pubkey; + rustsecp256k1_v0_1_2_pubkey recpubkey; + rustsecp256k1_v0_1_2_ecdsa_signature normal_sig; + rustsecp256k1_v0_1_2_ecdsa_recoverable_signature recsig; unsigned char privkey[32] = { 1 }; unsigned char message[32] = { 2 }; int32_t ecount = 0; @@ -49,159 +49,159 @@ void test_ecdsa_recovery_api(void) { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; - rustsecp256k1_v0_1_1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount); - rustsecp256k1_v0_1_1_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount); - rustsecp256k1_v0_1_1_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount); - rustsecp256k1_v0_1_1_context_set_error_callback(both, counting_illegal_callback_fn, &ecount); - rustsecp256k1_v0_1_1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount); - rustsecp256k1_v0_1_1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount); - rustsecp256k1_v0_1_1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount); - rustsecp256k1_v0_1_1_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount); + rustsecp256k1_v0_1_2_context_set_error_callback(none, counting_illegal_callback_fn, &ecount); + rustsecp256k1_v0_1_2_context_set_error_callback(sign, counting_illegal_callback_fn, &ecount); + rustsecp256k1_v0_1_2_context_set_error_callback(vrfy, counting_illegal_callback_fn, &ecount); + rustsecp256k1_v0_1_2_context_set_error_callback(both, counting_illegal_callback_fn, &ecount); + rustsecp256k1_v0_1_2_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount); + rustsecp256k1_v0_1_2_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount); + rustsecp256k1_v0_1_2_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount); + rustsecp256k1_v0_1_2_context_set_illegal_callback(both, counting_illegal_callback_fn, &ecount); /* Construct and verify corresponding public key. */ - CHECK(rustsecp256k1_v0_1_1_ec_seckey_verify(ctx, privkey) == 1); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_create(ctx, &pubkey, privkey) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_seckey_verify(ctx, privkey) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_create(ctx, &pubkey, privkey) == 1); /* Check bad contexts and NULLs for signing */ ecount = 0; - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign_recoverable(none, &recsig, message, privkey, NULL, NULL) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign_recoverable(none, &recsig, message, privkey, NULL, NULL) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign_recoverable(sign, &recsig, message, privkey, NULL, NULL) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign_recoverable(sign, &recsig, message, privkey, NULL, NULL) == 1); CHECK(ecount == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign_recoverable(vrfy, &recsig, message, privkey, NULL, NULL) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign_recoverable(vrfy, &recsig, message, privkey, NULL, NULL) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign_recoverable(both, &recsig, message, privkey, NULL, NULL) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign_recoverable(both, &recsig, message, privkey, NULL, NULL) == 1); CHECK(ecount == 2); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign_recoverable(both, NULL, message, privkey, NULL, NULL) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign_recoverable(both, NULL, message, privkey, NULL, NULL) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign_recoverable(both, &recsig, NULL, privkey, NULL, NULL) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign_recoverable(both, &recsig, NULL, privkey, NULL, NULL) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign_recoverable(both, &recsig, message, NULL, NULL, NULL) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign_recoverable(both, &recsig, message, NULL, NULL, NULL) == 0); CHECK(ecount == 5); /* This will fail or succeed randomly, and in either case will not ARG_CHECK failure */ - rustsecp256k1_v0_1_1_ecdsa_sign_recoverable(both, &recsig, message, privkey, recovery_test_nonce_function, NULL); + rustsecp256k1_v0_1_2_ecdsa_sign_recoverable(both, &recsig, message, privkey, recovery_test_nonce_function, NULL); CHECK(ecount == 5); /* These will all fail, but not in ARG_CHECK way */ - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign_recoverable(both, &recsig, message, zero_privkey, NULL, NULL) == 0); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign_recoverable(both, &recsig, message, over_privkey, NULL, NULL) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign_recoverable(both, &recsig, message, zero_privkey, NULL, NULL) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign_recoverable(both, &recsig, message, over_privkey, NULL, NULL) == 0); /* This one will succeed. */ - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign_recoverable(both, &recsig, message, privkey, NULL, NULL) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign_recoverable(both, &recsig, message, privkey, NULL, NULL) == 1); CHECK(ecount == 5); /* Check signing with a goofy nonce function */ /* Check bad contexts and NULLs for recovery */ ecount = 0; - CHECK(rustsecp256k1_v0_1_1_ecdsa_recover(none, &recpubkey, &recsig, message) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recover(none, &recpubkey, &recsig, message) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recover(sign, &recpubkey, &recsig, message) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recover(sign, &recpubkey, &recsig, message) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recover(vrfy, &recpubkey, &recsig, message) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recover(vrfy, &recpubkey, &recsig, message) == 1); CHECK(ecount == 2); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recover(both, &recpubkey, &recsig, message) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recover(both, &recpubkey, &recsig, message) == 1); CHECK(ecount == 2); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recover(both, NULL, &recsig, message) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recover(both, NULL, &recsig, message) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recover(both, &recpubkey, NULL, message) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recover(both, &recpubkey, NULL, message) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recover(both, &recpubkey, &recsig, NULL) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recover(both, &recpubkey, &recsig, NULL) == 0); CHECK(ecount == 5); /* Check NULLs for conversion */ - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign(both, &normal_sig, message, privkey, NULL, NULL) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign(both, &normal_sig, message, privkey, NULL, NULL) == 1); ecount = 0; - CHECK(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_convert(both, NULL, &recsig) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_convert(both, NULL, &recsig) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_convert(both, &normal_sig, NULL) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_convert(both, &normal_sig, NULL) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_convert(both, &normal_sig, &recsig) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_convert(both, &normal_sig, &recsig) == 1); /* Check NULLs for de/serialization */ - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign_recoverable(both, &recsig, message, privkey, NULL, NULL) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign_recoverable(both, &recsig, message, privkey, NULL, NULL) == 1); ecount = 0; - CHECK(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_serialize_compact(both, NULL, &recid, &recsig) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_serialize_compact(both, NULL, &recid, &recsig) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_serialize_compact(both, sig, NULL, &recsig) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_serialize_compact(both, sig, NULL, &recsig) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_serialize_compact(both, sig, &recid, NULL) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_serialize_compact(both, sig, &recid, NULL) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_serialize_compact(both, sig, &recid, &recsig) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_serialize_compact(both, sig, &recid, &recsig) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_parse_compact(both, NULL, sig, recid) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_parse_compact(both, NULL, sig, recid) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_parse_compact(both, &recsig, NULL, recid) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_parse_compact(both, &recsig, NULL, recid) == 0); CHECK(ecount == 5); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_parse_compact(both, &recsig, sig, -1) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_parse_compact(both, &recsig, sig, -1) == 0); CHECK(ecount == 6); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_parse_compact(both, &recsig, sig, 5) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_parse_compact(both, &recsig, sig, 5) == 0); CHECK(ecount == 7); /* overflow in signature will fail but not affect ecount */ memcpy(sig, over_privkey, 32); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_parse_compact(both, &recsig, sig, recid) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_parse_compact(both, &recsig, sig, recid) == 0); CHECK(ecount == 7); /* cleanup */ - rustsecp256k1_v0_1_1_context_destroy(none); - rustsecp256k1_v0_1_1_context_destroy(sign); - rustsecp256k1_v0_1_1_context_destroy(vrfy); - rustsecp256k1_v0_1_1_context_destroy(both); + rustsecp256k1_v0_1_2_context_destroy(none); + rustsecp256k1_v0_1_2_context_destroy(sign); + rustsecp256k1_v0_1_2_context_destroy(vrfy); + rustsecp256k1_v0_1_2_context_destroy(both); } void test_ecdsa_recovery_end_to_end(void) { unsigned char extra[32] = {0x00}; unsigned char privkey[32]; unsigned char message[32]; - rustsecp256k1_v0_1_1_ecdsa_signature signature[5]; - rustsecp256k1_v0_1_1_ecdsa_recoverable_signature rsignature[5]; + rustsecp256k1_v0_1_2_ecdsa_signature signature[5]; + rustsecp256k1_v0_1_2_ecdsa_recoverable_signature rsignature[5]; unsigned char sig[74]; - rustsecp256k1_v0_1_1_pubkey pubkey; - rustsecp256k1_v0_1_1_pubkey recpubkey; + rustsecp256k1_v0_1_2_pubkey pubkey; + rustsecp256k1_v0_1_2_pubkey recpubkey; int recid = 0; /* Generate a random key and message. */ { - rustsecp256k1_v0_1_1_scalar msg, key; + rustsecp256k1_v0_1_2_scalar msg, key; random_scalar_order_test(&msg); random_scalar_order_test(&key); - rustsecp256k1_v0_1_1_scalar_get_b32(privkey, &key); - rustsecp256k1_v0_1_1_scalar_get_b32(message, &msg); + rustsecp256k1_v0_1_2_scalar_get_b32(privkey, &key); + rustsecp256k1_v0_1_2_scalar_get_b32(message, &msg); } /* Construct and verify corresponding public key. */ - CHECK(rustsecp256k1_v0_1_1_ec_seckey_verify(ctx, privkey) == 1); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_create(ctx, &pubkey, privkey) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_seckey_verify(ctx, privkey) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_create(ctx, &pubkey, privkey) == 1); /* Serialize/parse compact and verify/recover. */ extra[0] = 0; - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign_recoverable(ctx, &rsignature[0], message, privkey, NULL, NULL) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign_recoverable(ctx, &rsignature[4], message, privkey, NULL, NULL) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign_recoverable(ctx, &rsignature[1], message, privkey, NULL, extra) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign_recoverable(ctx, &rsignature[0], message, privkey, NULL, NULL) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign_recoverable(ctx, &rsignature[4], message, privkey, NULL, NULL) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign_recoverable(ctx, &rsignature[1], message, privkey, NULL, extra) == 1); extra[31] = 1; - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign_recoverable(ctx, &rsignature[2], message, privkey, NULL, extra) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign_recoverable(ctx, &rsignature[2], message, privkey, NULL, extra) == 1); extra[31] = 0; extra[0] = 1; - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign_recoverable(ctx, &rsignature[3], message, privkey, NULL, extra) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &rsignature[4]) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign_recoverable(ctx, &rsignature[3], message, privkey, NULL, extra) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &rsignature[4]) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1); CHECK(memcmp(&signature[4], &signature[0], 64) == 0); - CHECK(rustsecp256k1_v0_1_1_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 1); memset(&rsignature[4], 0, sizeof(rsignature[4])); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 1); /* Parse compact (with recovery id) and recover. */ - CHECK(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recover(ctx, &recpubkey, &rsignature[4], message) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recover(ctx, &recpubkey, &rsignature[4], message) == 1); CHECK(memcmp(&pubkey, &recpubkey, sizeof(pubkey)) == 0); /* Serialize/destroy/parse signature and verify again. */ - CHECK(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &rsignature[4]) == 1); - sig[rustsecp256k1_v0_1_1_rand_bits(6)] += 1 + rustsecp256k1_v0_1_1_rand_int(255); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_serialize_compact(ctx, sig, &recid, &rsignature[4]) == 1); + sig[rustsecp256k1_v0_1_2_rand_bits(6)] += 1 + rustsecp256k1_v0_1_2_rand_int(255); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_parse_compact(ctx, &rsignature[4], sig, recid) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_convert(ctx, &signature[4], &rsignature[4]) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_verify(ctx, &signature[4], message, &pubkey) == 0); /* Recover again */ - CHECK(rustsecp256k1_v0_1_1_ecdsa_recover(ctx, &recpubkey, &rsignature[4], message) == 0 || + CHECK(rustsecp256k1_v0_1_2_ecdsa_recover(ctx, &recpubkey, &rsignature[4], message) == 0 || memcmp(&pubkey, &recpubkey, sizeof(pubkey)) != 0); } @@ -215,7 +215,7 @@ void test_ecdsa_recovery_edge_cases(void) { }; const unsigned char sig64[64] = { /* Generated by signing the above message with nonce 'This is the nonce we will use...' - * and secret key 0 (which is not valid), resulting in recid 0. */ + * and secret key 0 (which is not valid), resulting in recid 1. */ 0x67, 0xCB, 0x28, 0x5F, 0x9C, 0xD1, 0x94, 0xE8, 0x40, 0xD6, 0x29, 0x39, 0x7A, 0xF5, 0x56, 0x96, 0x62, 0xFD, 0xE4, 0x46, 0x49, 0x99, 0x59, 0x63, @@ -225,7 +225,7 @@ void test_ecdsa_recovery_edge_cases(void) { 0x7D, 0xD7, 0x3E, 0x38, 0x7E, 0xE4, 0xFC, 0x86, 0x6E, 0x1B, 0xE8, 0xEC, 0xC7, 0xDD, 0x95, 0x57 }; - rustsecp256k1_v0_1_1_pubkey pubkey; + rustsecp256k1_v0_1_2_pubkey pubkey; /* signature (r,s) = (4,4), which can be recovered with all 4 recids. */ const unsigned char sigb64[64] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, @@ -237,19 +237,19 @@ void test_ecdsa_recovery_edge_cases(void) { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, }; - rustsecp256k1_v0_1_1_pubkey pubkeyb; - rustsecp256k1_v0_1_1_ecdsa_recoverable_signature rsig; - rustsecp256k1_v0_1_1_ecdsa_signature sig; + rustsecp256k1_v0_1_2_pubkey pubkeyb; + rustsecp256k1_v0_1_2_ecdsa_recoverable_signature rsig; + rustsecp256k1_v0_1_2_ecdsa_signature sig; int recid; - CHECK(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 0)); - CHECK(!rustsecp256k1_v0_1_1_ecdsa_recover(ctx, &pubkey, &rsig, msg32)); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 1)); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recover(ctx, &pubkey, &rsig, msg32)); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 2)); - CHECK(!rustsecp256k1_v0_1_1_ecdsa_recover(ctx, &pubkey, &rsig, msg32)); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 3)); - CHECK(!rustsecp256k1_v0_1_1_ecdsa_recover(ctx, &pubkey, &rsig, msg32)); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 0)); + CHECK(!rustsecp256k1_v0_1_2_ecdsa_recover(ctx, &pubkey, &rsig, msg32)); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 1)); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recover(ctx, &pubkey, &rsig, msg32)); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 2)); + CHECK(!rustsecp256k1_v0_1_2_ecdsa_recover(ctx, &pubkey, &rsig, msg32)); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sig64, 3)); + CHECK(!rustsecp256k1_v0_1_2_ecdsa_recover(ctx, &pubkey, &rsig, msg32)); for (recid = 0; recid < 4; recid++) { int i; @@ -294,40 +294,40 @@ void test_ecdsa_recovery_edge_cases(void) { 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x45, 0x02, 0x01, 0x04 }; - CHECK(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigb64, recid) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigb64, recid) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 1); for (recid2 = 0; recid2 < 4; recid2++) { - rustsecp256k1_v0_1_1_pubkey pubkey2b; - CHECK(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigb64, recid2) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recover(ctx, &pubkey2b, &rsig, msg32) == 1); + rustsecp256k1_v0_1_2_pubkey pubkey2b; + CHECK(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigb64, recid2) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recover(ctx, &pubkey2b, &rsig, msg32) == 1); /* Verifying with (order + r,4) should always fail. */ - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_parse_der(ctx, &sig, sigbderlong, sizeof(sigbderlong)) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_parse_der(ctx, &sig, sigbderlong, sizeof(sigbderlong)) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0); } /* DER parsing tests. */ /* Zero length r/s. */ - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_parse_der(ctx, &sig, sigcder_zr, sizeof(sigcder_zr)) == 0); - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_parse_der(ctx, &sig, sigcder_zs, sizeof(sigcder_zs)) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_parse_der(ctx, &sig, sigcder_zr, sizeof(sigcder_zr)) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_parse_der(ctx, &sig, sigcder_zs, sizeof(sigcder_zs)) == 0); /* Leading zeros. */ - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt1, sizeof(sigbderalt1)) == 0); - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt2, sizeof(sigbderalt2)) == 0); - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt3, sizeof(sigbderalt3)) == 0); - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt4, sizeof(sigbderalt4)) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_parse_der(ctx, &sig, sigbderalt1, sizeof(sigbderalt1)) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_parse_der(ctx, &sig, sigbderalt2, sizeof(sigbderalt2)) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_parse_der(ctx, &sig, sigbderalt3, sizeof(sigbderalt3)) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_parse_der(ctx, &sig, sigbderalt4, sizeof(sigbderalt4)) == 0); sigbderalt3[4] = 1; - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt3, sizeof(sigbderalt3)) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_parse_der(ctx, &sig, sigbderalt3, sizeof(sigbderalt3)) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0); sigbderalt4[7] = 1; - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt4, sizeof(sigbderalt4)) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_parse_der(ctx, &sig, sigbderalt4, sizeof(sigbderalt4)) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0); /* Damage signature. */ sigbder[7]++; - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0); sigbder[7]--; - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_parse_der(ctx, &sig, sigbder, 6) == 0); - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder) - 1) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_parse_der(ctx, &sig, sigbder, 6) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder) - 1) == 0); for(i = 0; i < 8; i++) { int c; unsigned char orig = sigbder[i]; @@ -337,7 +337,7 @@ void test_ecdsa_recovery_edge_cases(void) { continue; } sigbder[i] = c; - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 0 || rustsecp256k1_v0_1_1_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 0 || rustsecp256k1_v0_1_2_ecdsa_verify(ctx, &sig, msg32, &pubkeyb) == 0); } sigbder[i] = orig; } @@ -357,25 +357,25 @@ void test_ecdsa_recovery_edge_cases(void) { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, }; - rustsecp256k1_v0_1_1_pubkey pubkeyc; - CHECK(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recover(ctx, &pubkeyc, &rsig, msg32) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 1); + rustsecp256k1_v0_1_2_pubkey pubkeyc; + CHECK(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recover(ctx, &pubkeyc, &rsig, msg32) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 1); sigcder[4] = 0; sigc64[31] = 0; - CHECK(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 0); - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 0); sigcder[4] = 1; sigcder[7] = 0; sigc64[31] = 1; sigc64[63] = 0; - CHECK(rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 0); - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_parse_compact(ctx, &rsig, sigc64, 0) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_recover(ctx, &pubkeyb, &rsig, msg32) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_verify(ctx, &sig, msg32, &pubkeyc) == 0); } } diff --git a/secp256k1-sys/depend/secp256k1/src/num.h b/secp256k1-sys/depend/secp256k1/src/num.h index 0d7f3a171..f18668bad 100644 --- a/secp256k1-sys/depend/secp256k1/src/num.h +++ b/secp256k1-sys/depend/secp256k1/src/num.h @@ -20,54 +20,54 @@ #endif /** Copy a number. */ -static void rustsecp256k1_v0_1_1_num_copy(rustsecp256k1_v0_1_1_num *r, const rustsecp256k1_v0_1_1_num *a); +static void rustsecp256k1_v0_1_2_num_copy(rustsecp256k1_v0_1_2_num *r, const rustsecp256k1_v0_1_2_num *a); /** Convert a number's absolute value to a binary big-endian string. * There must be enough place. */ -static void rustsecp256k1_v0_1_1_num_get_bin(unsigned char *r, unsigned int rlen, const rustsecp256k1_v0_1_1_num *a); +static void rustsecp256k1_v0_1_2_num_get_bin(unsigned char *r, unsigned int rlen, const rustsecp256k1_v0_1_2_num *a); /** Set a number to the value of a binary big-endian string. */ -static void rustsecp256k1_v0_1_1_num_set_bin(rustsecp256k1_v0_1_1_num *r, const unsigned char *a, unsigned int alen); +static void rustsecp256k1_v0_1_2_num_set_bin(rustsecp256k1_v0_1_2_num *r, const unsigned char *a, unsigned int alen); /** Compute a modular inverse. The input must be less than the modulus. */ -static void rustsecp256k1_v0_1_1_num_mod_inverse(rustsecp256k1_v0_1_1_num *r, const rustsecp256k1_v0_1_1_num *a, const rustsecp256k1_v0_1_1_num *m); +static void rustsecp256k1_v0_1_2_num_mod_inverse(rustsecp256k1_v0_1_2_num *r, const rustsecp256k1_v0_1_2_num *a, const rustsecp256k1_v0_1_2_num *m); /** Compute the jacobi symbol (a|b). b must be positive and odd. */ -static int rustsecp256k1_v0_1_1_num_jacobi(const rustsecp256k1_v0_1_1_num *a, const rustsecp256k1_v0_1_1_num *b); +static int rustsecp256k1_v0_1_2_num_jacobi(const rustsecp256k1_v0_1_2_num *a, const rustsecp256k1_v0_1_2_num *b); /** Compare the absolute value of two numbers. */ -static int rustsecp256k1_v0_1_1_num_cmp(const rustsecp256k1_v0_1_1_num *a, const rustsecp256k1_v0_1_1_num *b); +static int rustsecp256k1_v0_1_2_num_cmp(const rustsecp256k1_v0_1_2_num *a, const rustsecp256k1_v0_1_2_num *b); /** Test whether two number are equal (including sign). */ -static int rustsecp256k1_v0_1_1_num_eq(const rustsecp256k1_v0_1_1_num *a, const rustsecp256k1_v0_1_1_num *b); +static int rustsecp256k1_v0_1_2_num_eq(const rustsecp256k1_v0_1_2_num *a, const rustsecp256k1_v0_1_2_num *b); /** Add two (signed) numbers. */ -static void rustsecp256k1_v0_1_1_num_add(rustsecp256k1_v0_1_1_num *r, const rustsecp256k1_v0_1_1_num *a, const rustsecp256k1_v0_1_1_num *b); +static void rustsecp256k1_v0_1_2_num_add(rustsecp256k1_v0_1_2_num *r, const rustsecp256k1_v0_1_2_num *a, const rustsecp256k1_v0_1_2_num *b); /** Subtract two (signed) numbers. */ -static void rustsecp256k1_v0_1_1_num_sub(rustsecp256k1_v0_1_1_num *r, const rustsecp256k1_v0_1_1_num *a, const rustsecp256k1_v0_1_1_num *b); +static void rustsecp256k1_v0_1_2_num_sub(rustsecp256k1_v0_1_2_num *r, const rustsecp256k1_v0_1_2_num *a, const rustsecp256k1_v0_1_2_num *b); /** Multiply two (signed) numbers. */ -static void rustsecp256k1_v0_1_1_num_mul(rustsecp256k1_v0_1_1_num *r, const rustsecp256k1_v0_1_1_num *a, const rustsecp256k1_v0_1_1_num *b); +static void rustsecp256k1_v0_1_2_num_mul(rustsecp256k1_v0_1_2_num *r, const rustsecp256k1_v0_1_2_num *a, const rustsecp256k1_v0_1_2_num *b); /** Replace a number by its remainder modulo m. M's sign is ignored. The result is a number between 0 and m-1, even if r was negative. */ -static void rustsecp256k1_v0_1_1_num_mod(rustsecp256k1_v0_1_1_num *r, const rustsecp256k1_v0_1_1_num *m); +static void rustsecp256k1_v0_1_2_num_mod(rustsecp256k1_v0_1_2_num *r, const rustsecp256k1_v0_1_2_num *m); /** Right-shift the passed number by bits bits. */ -static void rustsecp256k1_v0_1_1_num_shift(rustsecp256k1_v0_1_1_num *r, int bits); +static void rustsecp256k1_v0_1_2_num_shift(rustsecp256k1_v0_1_2_num *r, int bits); /** Check whether a number is zero. */ -static int rustsecp256k1_v0_1_1_num_is_zero(const rustsecp256k1_v0_1_1_num *a); +static int rustsecp256k1_v0_1_2_num_is_zero(const rustsecp256k1_v0_1_2_num *a); /** Check whether a number is one. */ -static int rustsecp256k1_v0_1_1_num_is_one(const rustsecp256k1_v0_1_1_num *a); +static int rustsecp256k1_v0_1_2_num_is_one(const rustsecp256k1_v0_1_2_num *a); /** Check whether a number is strictly negative. */ -static int rustsecp256k1_v0_1_1_num_is_neg(const rustsecp256k1_v0_1_1_num *a); +static int rustsecp256k1_v0_1_2_num_is_neg(const rustsecp256k1_v0_1_2_num *a); /** Change a number's sign. */ -static void rustsecp256k1_v0_1_1_num_negate(rustsecp256k1_v0_1_1_num *r); +static void rustsecp256k1_v0_1_2_num_negate(rustsecp256k1_v0_1_2_num *r); #endif diff --git a/secp256k1-sys/depend/secp256k1/src/num_gmp.h b/secp256k1-sys/depend/secp256k1/src/num_gmp.h index ab26525cd..cdbe4e20b 100644 --- a/secp256k1-sys/depend/secp256k1/src/num_gmp.h +++ b/secp256k1-sys/depend/secp256k1/src/num_gmp.h @@ -15,6 +15,6 @@ typedef struct { mp_limb_t data[2*NUM_LIMBS]; int neg; int limbs; -} rustsecp256k1_v0_1_1_num; +} rustsecp256k1_v0_1_2_num; #endif /* SECP256K1_NUM_REPR_H */ diff --git a/secp256k1-sys/depend/secp256k1/src/num_gmp_impl.h b/secp256k1-sys/depend/secp256k1/src/num_gmp_impl.h index 21d35962f..1bce9e7b1 100644 --- a/secp256k1-sys/depend/secp256k1/src/num_gmp_impl.h +++ b/secp256k1-sys/depend/secp256k1/src/num_gmp_impl.h @@ -15,18 +15,18 @@ #include "num.h" #ifdef VERIFY -static void rustsecp256k1_v0_1_1_num_sanity(const rustsecp256k1_v0_1_1_num *a) { +static void rustsecp256k1_v0_1_2_num_sanity(const rustsecp256k1_v0_1_2_num *a) { VERIFY_CHECK(a->limbs == 1 || (a->limbs > 1 && a->data[a->limbs-1] != 0)); } #else -#define rustsecp256k1_v0_1_1_num_sanity(a) do { } while(0) +#define rustsecp256k1_v0_1_2_num_sanity(a) do { } while(0) #endif -static void rustsecp256k1_v0_1_1_num_copy(rustsecp256k1_v0_1_1_num *r, const rustsecp256k1_v0_1_1_num *a) { +static void rustsecp256k1_v0_1_2_num_copy(rustsecp256k1_v0_1_2_num *r, const rustsecp256k1_v0_1_2_num *a) { *r = *a; } -static void rustsecp256k1_v0_1_1_num_get_bin(unsigned char *r, unsigned int rlen, const rustsecp256k1_v0_1_1_num *a) { +static void rustsecp256k1_v0_1_2_num_get_bin(unsigned char *r, unsigned int rlen, const rustsecp256k1_v0_1_2_num *a) { unsigned char tmp[65]; int len = 0; int shift = 0; @@ -42,7 +42,7 @@ static void rustsecp256k1_v0_1_1_num_get_bin(unsigned char *r, unsigned int rlen memset(tmp, 0, sizeof(tmp)); } -static void rustsecp256k1_v0_1_1_num_set_bin(rustsecp256k1_v0_1_1_num *r, const unsigned char *a, unsigned int alen) { +static void rustsecp256k1_v0_1_2_num_set_bin(rustsecp256k1_v0_1_2_num *r, const unsigned char *a, unsigned int alen) { int len; VERIFY_CHECK(alen > 0); VERIFY_CHECK(alen <= 64); @@ -59,7 +59,7 @@ static void rustsecp256k1_v0_1_1_num_set_bin(rustsecp256k1_v0_1_1_num *r, const } } -static void rustsecp256k1_v0_1_1_num_add_abs(rustsecp256k1_v0_1_1_num *r, const rustsecp256k1_v0_1_1_num *a, const rustsecp256k1_v0_1_1_num *b) { +static void rustsecp256k1_v0_1_2_num_add_abs(rustsecp256k1_v0_1_2_num *r, const rustsecp256k1_v0_1_2_num *a, const rustsecp256k1_v0_1_2_num *b) { mp_limb_t c = mpn_add(r->data, a->data, a->limbs, b->data, b->limbs); r->limbs = a->limbs; if (c != 0) { @@ -68,7 +68,7 @@ static void rustsecp256k1_v0_1_1_num_add_abs(rustsecp256k1_v0_1_1_num *r, const } } -static void rustsecp256k1_v0_1_1_num_sub_abs(rustsecp256k1_v0_1_1_num *r, const rustsecp256k1_v0_1_1_num *a, const rustsecp256k1_v0_1_1_num *b) { +static void rustsecp256k1_v0_1_2_num_sub_abs(rustsecp256k1_v0_1_2_num *r, const rustsecp256k1_v0_1_2_num *a, const rustsecp256k1_v0_1_2_num *b) { mp_limb_t c = mpn_sub(r->data, a->data, a->limbs, b->data, b->limbs); (void)c; VERIFY_CHECK(c == 0); @@ -78,9 +78,9 @@ static void rustsecp256k1_v0_1_1_num_sub_abs(rustsecp256k1_v0_1_1_num *r, const } } -static void rustsecp256k1_v0_1_1_num_mod(rustsecp256k1_v0_1_1_num *r, const rustsecp256k1_v0_1_1_num *m) { - rustsecp256k1_v0_1_1_num_sanity(r); - rustsecp256k1_v0_1_1_num_sanity(m); +static void rustsecp256k1_v0_1_2_num_mod(rustsecp256k1_v0_1_2_num *r, const rustsecp256k1_v0_1_2_num *m) { + rustsecp256k1_v0_1_2_num_sanity(r); + rustsecp256k1_v0_1_2_num_sanity(m); if (r->limbs >= m->limbs) { mp_limb_t t[2*NUM_LIMBS]; @@ -93,20 +93,20 @@ static void rustsecp256k1_v0_1_1_num_mod(rustsecp256k1_v0_1_1_num *r, const rust } if (r->neg && (r->limbs > 1 || r->data[0] != 0)) { - rustsecp256k1_v0_1_1_num_sub_abs(r, m, r); + rustsecp256k1_v0_1_2_num_sub_abs(r, m, r); r->neg = 0; } } -static void rustsecp256k1_v0_1_1_num_mod_inverse(rustsecp256k1_v0_1_1_num *r, const rustsecp256k1_v0_1_1_num *a, const rustsecp256k1_v0_1_1_num *m) { +static void rustsecp256k1_v0_1_2_num_mod_inverse(rustsecp256k1_v0_1_2_num *r, const rustsecp256k1_v0_1_2_num *a, const rustsecp256k1_v0_1_2_num *m) { int i; mp_limb_t g[NUM_LIMBS+1]; mp_limb_t u[NUM_LIMBS+1]; mp_limb_t v[NUM_LIMBS+1]; mp_size_t sn; mp_size_t gn; - rustsecp256k1_v0_1_1_num_sanity(a); - rustsecp256k1_v0_1_1_num_sanity(m); + rustsecp256k1_v0_1_2_num_sanity(a); + rustsecp256k1_v0_1_2_num_sanity(m); /** mpn_gcdext computes: (G,S) = gcdext(U,V), where * * G = gcd(U,V) @@ -144,11 +144,11 @@ static void rustsecp256k1_v0_1_1_num_mod_inverse(rustsecp256k1_v0_1_1_num *r, co memset(v, 0, sizeof(v)); } -static int rustsecp256k1_v0_1_1_num_jacobi(const rustsecp256k1_v0_1_1_num *a, const rustsecp256k1_v0_1_1_num *b) { +static int rustsecp256k1_v0_1_2_num_jacobi(const rustsecp256k1_v0_1_2_num *a, const rustsecp256k1_v0_1_2_num *b) { int ret; mpz_t ga, gb; - rustsecp256k1_v0_1_1_num_sanity(a); - rustsecp256k1_v0_1_1_num_sanity(b); + rustsecp256k1_v0_1_2_num_sanity(a); + rustsecp256k1_v0_1_2_num_sanity(b); VERIFY_CHECK(!b->neg && (b->limbs > 0) && (b->data[0] & 1)); mpz_inits(ga, gb, NULL); @@ -166,19 +166,19 @@ static int rustsecp256k1_v0_1_1_num_jacobi(const rustsecp256k1_v0_1_1_num *a, co return ret; } -static int rustsecp256k1_v0_1_1_num_is_one(const rustsecp256k1_v0_1_1_num *a) { +static int rustsecp256k1_v0_1_2_num_is_one(const rustsecp256k1_v0_1_2_num *a) { return (a->limbs == 1 && a->data[0] == 1); } -static int rustsecp256k1_v0_1_1_num_is_zero(const rustsecp256k1_v0_1_1_num *a) { +static int rustsecp256k1_v0_1_2_num_is_zero(const rustsecp256k1_v0_1_2_num *a) { return (a->limbs == 1 && a->data[0] == 0); } -static int rustsecp256k1_v0_1_1_num_is_neg(const rustsecp256k1_v0_1_1_num *a) { +static int rustsecp256k1_v0_1_2_num_is_neg(const rustsecp256k1_v0_1_2_num *a) { return (a->limbs > 1 || a->data[0] != 0) && a->neg; } -static int rustsecp256k1_v0_1_1_num_cmp(const rustsecp256k1_v0_1_1_num *a, const rustsecp256k1_v0_1_1_num *b) { +static int rustsecp256k1_v0_1_2_num_cmp(const rustsecp256k1_v0_1_2_num *a, const rustsecp256k1_v0_1_2_num *b) { if (a->limbs > b->limbs) { return 1; } @@ -188,54 +188,54 @@ static int rustsecp256k1_v0_1_1_num_cmp(const rustsecp256k1_v0_1_1_num *a, const return mpn_cmp(a->data, b->data, a->limbs); } -static int rustsecp256k1_v0_1_1_num_eq(const rustsecp256k1_v0_1_1_num *a, const rustsecp256k1_v0_1_1_num *b) { +static int rustsecp256k1_v0_1_2_num_eq(const rustsecp256k1_v0_1_2_num *a, const rustsecp256k1_v0_1_2_num *b) { if (a->limbs > b->limbs) { return 0; } if (a->limbs < b->limbs) { return 0; } - if ((a->neg && !rustsecp256k1_v0_1_1_num_is_zero(a)) != (b->neg && !rustsecp256k1_v0_1_1_num_is_zero(b))) { + if ((a->neg && !rustsecp256k1_v0_1_2_num_is_zero(a)) != (b->neg && !rustsecp256k1_v0_1_2_num_is_zero(b))) { return 0; } return mpn_cmp(a->data, b->data, a->limbs) == 0; } -static void rustsecp256k1_v0_1_1_num_subadd(rustsecp256k1_v0_1_1_num *r, const rustsecp256k1_v0_1_1_num *a, const rustsecp256k1_v0_1_1_num *b, int bneg) { +static void rustsecp256k1_v0_1_2_num_subadd(rustsecp256k1_v0_1_2_num *r, const rustsecp256k1_v0_1_2_num *a, const rustsecp256k1_v0_1_2_num *b, int bneg) { if (!(b->neg ^ bneg ^ a->neg)) { /* a and b have the same sign */ r->neg = a->neg; if (a->limbs >= b->limbs) { - rustsecp256k1_v0_1_1_num_add_abs(r, a, b); + rustsecp256k1_v0_1_2_num_add_abs(r, a, b); } else { - rustsecp256k1_v0_1_1_num_add_abs(r, b, a); + rustsecp256k1_v0_1_2_num_add_abs(r, b, a); } } else { - if (rustsecp256k1_v0_1_1_num_cmp(a, b) > 0) { + if (rustsecp256k1_v0_1_2_num_cmp(a, b) > 0) { r->neg = a->neg; - rustsecp256k1_v0_1_1_num_sub_abs(r, a, b); + rustsecp256k1_v0_1_2_num_sub_abs(r, a, b); } else { r->neg = b->neg ^ bneg; - rustsecp256k1_v0_1_1_num_sub_abs(r, b, a); + rustsecp256k1_v0_1_2_num_sub_abs(r, b, a); } } } -static void rustsecp256k1_v0_1_1_num_add(rustsecp256k1_v0_1_1_num *r, const rustsecp256k1_v0_1_1_num *a, const rustsecp256k1_v0_1_1_num *b) { - rustsecp256k1_v0_1_1_num_sanity(a); - rustsecp256k1_v0_1_1_num_sanity(b); - rustsecp256k1_v0_1_1_num_subadd(r, a, b, 0); +static void rustsecp256k1_v0_1_2_num_add(rustsecp256k1_v0_1_2_num *r, const rustsecp256k1_v0_1_2_num *a, const rustsecp256k1_v0_1_2_num *b) { + rustsecp256k1_v0_1_2_num_sanity(a); + rustsecp256k1_v0_1_2_num_sanity(b); + rustsecp256k1_v0_1_2_num_subadd(r, a, b, 0); } -static void rustsecp256k1_v0_1_1_num_sub(rustsecp256k1_v0_1_1_num *r, const rustsecp256k1_v0_1_1_num *a, const rustsecp256k1_v0_1_1_num *b) { - rustsecp256k1_v0_1_1_num_sanity(a); - rustsecp256k1_v0_1_1_num_sanity(b); - rustsecp256k1_v0_1_1_num_subadd(r, a, b, 1); +static void rustsecp256k1_v0_1_2_num_sub(rustsecp256k1_v0_1_2_num *r, const rustsecp256k1_v0_1_2_num *a, const rustsecp256k1_v0_1_2_num *b) { + rustsecp256k1_v0_1_2_num_sanity(a); + rustsecp256k1_v0_1_2_num_sanity(b); + rustsecp256k1_v0_1_2_num_subadd(r, a, b, 1); } -static void rustsecp256k1_v0_1_1_num_mul(rustsecp256k1_v0_1_1_num *r, const rustsecp256k1_v0_1_1_num *a, const rustsecp256k1_v0_1_1_num *b) { +static void rustsecp256k1_v0_1_2_num_mul(rustsecp256k1_v0_1_2_num *r, const rustsecp256k1_v0_1_2_num *a, const rustsecp256k1_v0_1_2_num *b) { mp_limb_t tmp[2*NUM_LIMBS+1]; - rustsecp256k1_v0_1_1_num_sanity(a); - rustsecp256k1_v0_1_1_num_sanity(b); + rustsecp256k1_v0_1_2_num_sanity(a); + rustsecp256k1_v0_1_2_num_sanity(b); VERIFY_CHECK(a->limbs + b->limbs <= 2*NUM_LIMBS+1); if ((a->limbs==1 && a->data[0]==0) || (b->limbs==1 && b->data[0]==0)) { @@ -259,7 +259,7 @@ static void rustsecp256k1_v0_1_1_num_mul(rustsecp256k1_v0_1_1_num *r, const rust memset(tmp, 0, sizeof(tmp)); } -static void rustsecp256k1_v0_1_1_num_shift(rustsecp256k1_v0_1_1_num *r, int bits) { +static void rustsecp256k1_v0_1_2_num_shift(rustsecp256k1_v0_1_2_num *r, int bits) { if (bits % GMP_NUMB_BITS) { /* Shift within limbs. */ mpn_rshift(r->data, r->data, r->limbs, bits % GMP_NUMB_BITS); @@ -281,7 +281,7 @@ static void rustsecp256k1_v0_1_1_num_shift(rustsecp256k1_v0_1_1_num *r, int bits } } -static void rustsecp256k1_v0_1_1_num_negate(rustsecp256k1_v0_1_1_num *r) { +static void rustsecp256k1_v0_1_2_num_negate(rustsecp256k1_v0_1_2_num *r) { r->neg ^= 1; } diff --git a/secp256k1-sys/depend/secp256k1/src/scalar.h b/secp256k1-sys/depend/secp256k1/src/scalar.h index 3292b1a10..fa7c26c57 100644 --- a/secp256k1-sys/depend/secp256k1/src/scalar.h +++ b/secp256k1-sys/depend/secp256k1/src/scalar.h @@ -24,83 +24,94 @@ #endif /** Clear a scalar to prevent the leak of sensitive data. */ -static void rustsecp256k1_v0_1_1_scalar_clear(rustsecp256k1_v0_1_1_scalar *r); +static void rustsecp256k1_v0_1_2_scalar_clear(rustsecp256k1_v0_1_2_scalar *r); /** Access bits from a scalar. All requested bits must belong to the same 32-bit limb. */ -static unsigned int rustsecp256k1_v0_1_1_scalar_get_bits(const rustsecp256k1_v0_1_1_scalar *a, unsigned int offset, unsigned int count); +static unsigned int rustsecp256k1_v0_1_2_scalar_get_bits(const rustsecp256k1_v0_1_2_scalar *a, unsigned int offset, unsigned int count); /** Access bits from a scalar. Not constant time. */ -static unsigned int rustsecp256k1_v0_1_1_scalar_get_bits_var(const rustsecp256k1_v0_1_1_scalar *a, unsigned int offset, unsigned int count); +static unsigned int rustsecp256k1_v0_1_2_scalar_get_bits_var(const rustsecp256k1_v0_1_2_scalar *a, unsigned int offset, unsigned int count); -/** Set a scalar from a big endian byte array. */ -static void rustsecp256k1_v0_1_1_scalar_set_b32(rustsecp256k1_v0_1_1_scalar *r, const unsigned char *bin, int *overflow); +/** Set a scalar from a big endian byte array. The scalar will be reduced modulo group order `n`. + * In: bin: pointer to a 32-byte array. + * Out: r: scalar to be set. + * overflow: non-zero if the scalar was bigger or equal to `n` before reduction, zero otherwise (can be NULL). + */ +static void rustsecp256k1_v0_1_2_scalar_set_b32(rustsecp256k1_v0_1_2_scalar *r, const unsigned char *bin, int *overflow); + +/** Set a scalar from a big endian byte array and returns 1 if it is a valid + * seckey and 0 otherwise. */ +static int rustsecp256k1_v0_1_2_scalar_set_b32_seckey(rustsecp256k1_v0_1_2_scalar *r, const unsigned char *bin); /** Set a scalar to an unsigned integer. */ -static void rustsecp256k1_v0_1_1_scalar_set_int(rustsecp256k1_v0_1_1_scalar *r, unsigned int v); +static void rustsecp256k1_v0_1_2_scalar_set_int(rustsecp256k1_v0_1_2_scalar *r, unsigned int v); /** Convert a scalar to a byte array. */ -static void rustsecp256k1_v0_1_1_scalar_get_b32(unsigned char *bin, const rustsecp256k1_v0_1_1_scalar* a); +static void rustsecp256k1_v0_1_2_scalar_get_b32(unsigned char *bin, const rustsecp256k1_v0_1_2_scalar* a); /** Add two scalars together (modulo the group order). Returns whether it overflowed. */ -static int rustsecp256k1_v0_1_1_scalar_add(rustsecp256k1_v0_1_1_scalar *r, const rustsecp256k1_v0_1_1_scalar *a, const rustsecp256k1_v0_1_1_scalar *b); +static int rustsecp256k1_v0_1_2_scalar_add(rustsecp256k1_v0_1_2_scalar *r, const rustsecp256k1_v0_1_2_scalar *a, const rustsecp256k1_v0_1_2_scalar *b); /** Conditionally add a power of two to a scalar. The result is not allowed to overflow. */ -static void rustsecp256k1_v0_1_1_scalar_cadd_bit(rustsecp256k1_v0_1_1_scalar *r, unsigned int bit, int flag); +static void rustsecp256k1_v0_1_2_scalar_cadd_bit(rustsecp256k1_v0_1_2_scalar *r, unsigned int bit, int flag); /** Multiply two scalars (modulo the group order). */ -static void rustsecp256k1_v0_1_1_scalar_mul(rustsecp256k1_v0_1_1_scalar *r, const rustsecp256k1_v0_1_1_scalar *a, const rustsecp256k1_v0_1_1_scalar *b); +static void rustsecp256k1_v0_1_2_scalar_mul(rustsecp256k1_v0_1_2_scalar *r, const rustsecp256k1_v0_1_2_scalar *a, const rustsecp256k1_v0_1_2_scalar *b); /** Shift a scalar right by some amount strictly between 0 and 16, returning * the low bits that were shifted off */ -static int rustsecp256k1_v0_1_1_scalar_shr_int(rustsecp256k1_v0_1_1_scalar *r, int n); +static int rustsecp256k1_v0_1_2_scalar_shr_int(rustsecp256k1_v0_1_2_scalar *r, int n); /** Compute the square of a scalar (modulo the group order). */ -static void rustsecp256k1_v0_1_1_scalar_sqr(rustsecp256k1_v0_1_1_scalar *r, const rustsecp256k1_v0_1_1_scalar *a); +static void rustsecp256k1_v0_1_2_scalar_sqr(rustsecp256k1_v0_1_2_scalar *r, const rustsecp256k1_v0_1_2_scalar *a); /** Compute the inverse of a scalar (modulo the group order). */ -static void rustsecp256k1_v0_1_1_scalar_inverse(rustsecp256k1_v0_1_1_scalar *r, const rustsecp256k1_v0_1_1_scalar *a); +static void rustsecp256k1_v0_1_2_scalar_inverse(rustsecp256k1_v0_1_2_scalar *r, const rustsecp256k1_v0_1_2_scalar *a); /** Compute the inverse of a scalar (modulo the group order), without constant-time guarantee. */ -static void rustsecp256k1_v0_1_1_scalar_inverse_var(rustsecp256k1_v0_1_1_scalar *r, const rustsecp256k1_v0_1_1_scalar *a); +static void rustsecp256k1_v0_1_2_scalar_inverse_var(rustsecp256k1_v0_1_2_scalar *r, const rustsecp256k1_v0_1_2_scalar *a); /** Compute the complement of a scalar (modulo the group order). */ -static void rustsecp256k1_v0_1_1_scalar_negate(rustsecp256k1_v0_1_1_scalar *r, const rustsecp256k1_v0_1_1_scalar *a); +static void rustsecp256k1_v0_1_2_scalar_negate(rustsecp256k1_v0_1_2_scalar *r, const rustsecp256k1_v0_1_2_scalar *a); /** Check whether a scalar equals zero. */ -static int rustsecp256k1_v0_1_1_scalar_is_zero(const rustsecp256k1_v0_1_1_scalar *a); +static int rustsecp256k1_v0_1_2_scalar_is_zero(const rustsecp256k1_v0_1_2_scalar *a); /** Check whether a scalar equals one. */ -static int rustsecp256k1_v0_1_1_scalar_is_one(const rustsecp256k1_v0_1_1_scalar *a); +static int rustsecp256k1_v0_1_2_scalar_is_one(const rustsecp256k1_v0_1_2_scalar *a); /** Check whether a scalar, considered as an nonnegative integer, is even. */ -static int rustsecp256k1_v0_1_1_scalar_is_even(const rustsecp256k1_v0_1_1_scalar *a); +static int rustsecp256k1_v0_1_2_scalar_is_even(const rustsecp256k1_v0_1_2_scalar *a); /** Check whether a scalar is higher than the group order divided by 2. */ -static int rustsecp256k1_v0_1_1_scalar_is_high(const rustsecp256k1_v0_1_1_scalar *a); +static int rustsecp256k1_v0_1_2_scalar_is_high(const rustsecp256k1_v0_1_2_scalar *a); /** Conditionally negate a number, in constant time. * Returns -1 if the number was negated, 1 otherwise */ -static int rustsecp256k1_v0_1_1_scalar_cond_negate(rustsecp256k1_v0_1_1_scalar *a, int flag); +static int rustsecp256k1_v0_1_2_scalar_cond_negate(rustsecp256k1_v0_1_2_scalar *a, int flag); #ifndef USE_NUM_NONE /** Convert a scalar to a number. */ -static void rustsecp256k1_v0_1_1_scalar_get_num(rustsecp256k1_v0_1_1_num *r, const rustsecp256k1_v0_1_1_scalar *a); +static void rustsecp256k1_v0_1_2_scalar_get_num(rustsecp256k1_v0_1_2_num *r, const rustsecp256k1_v0_1_2_scalar *a); /** Get the order of the group as a number. */ -static void rustsecp256k1_v0_1_1_scalar_order_get_num(rustsecp256k1_v0_1_1_num *r); +static void rustsecp256k1_v0_1_2_scalar_order_get_num(rustsecp256k1_v0_1_2_num *r); #endif /** Compare two scalars. */ -static int rustsecp256k1_v0_1_1_scalar_eq(const rustsecp256k1_v0_1_1_scalar *a, const rustsecp256k1_v0_1_1_scalar *b); +static int rustsecp256k1_v0_1_2_scalar_eq(const rustsecp256k1_v0_1_2_scalar *a, const rustsecp256k1_v0_1_2_scalar *b); #ifdef USE_ENDOMORPHISM /** Find r1 and r2 such that r1+r2*2^128 = a. */ -static void rustsecp256k1_v0_1_1_scalar_split_128(rustsecp256k1_v0_1_1_scalar *r1, rustsecp256k1_v0_1_1_scalar *r2, const rustsecp256k1_v0_1_1_scalar *a); -/** Find r1 and r2 such that r1+r2*lambda = a, and r1 and r2 are maximum 128 bits long (see rustsecp256k1_v0_1_1_gej_mul_lambda). */ -static void rustsecp256k1_v0_1_1_scalar_split_lambda(rustsecp256k1_v0_1_1_scalar *r1, rustsecp256k1_v0_1_1_scalar *r2, const rustsecp256k1_v0_1_1_scalar *a); +static void rustsecp256k1_v0_1_2_scalar_split_128(rustsecp256k1_v0_1_2_scalar *r1, rustsecp256k1_v0_1_2_scalar *r2, const rustsecp256k1_v0_1_2_scalar *a); +/** Find r1 and r2 such that r1+r2*lambda = a, and r1 and r2 are maximum 128 bits long (see rustsecp256k1_v0_1_2_gej_mul_lambda). */ +static void rustsecp256k1_v0_1_2_scalar_split_lambda(rustsecp256k1_v0_1_2_scalar *r1, rustsecp256k1_v0_1_2_scalar *r2, const rustsecp256k1_v0_1_2_scalar *a); #endif /** Multiply a and b (without taking the modulus!), divide by 2**shift, and round to the nearest integer. Shift must be at least 256. */ -static void rustsecp256k1_v0_1_1_scalar_mul_shift_var(rustsecp256k1_v0_1_1_scalar *r, const rustsecp256k1_v0_1_1_scalar *a, const rustsecp256k1_v0_1_1_scalar *b, unsigned int shift); +static void rustsecp256k1_v0_1_2_scalar_mul_shift_var(rustsecp256k1_v0_1_2_scalar *r, const rustsecp256k1_v0_1_2_scalar *a, const rustsecp256k1_v0_1_2_scalar *b, unsigned int shift); + +/** If flag is true, set *r equal to *a; otherwise leave it. Constant-time. */ +static void rustsecp256k1_v0_1_2_scalar_cmov(rustsecp256k1_v0_1_2_scalar *r, const rustsecp256k1_v0_1_2_scalar *a, int flag); #endif /* SECP256K1_SCALAR_H */ diff --git a/secp256k1-sys/depend/secp256k1/src/scalar_4x64.h b/secp256k1-sys/depend/secp256k1/src/scalar_4x64.h index 2e092eab0..e661601d8 100644 --- a/secp256k1-sys/depend/secp256k1/src/scalar_4x64.h +++ b/secp256k1-sys/depend/secp256k1/src/scalar_4x64.h @@ -12,7 +12,7 @@ /** A scalar modulo the group order of the secp256k1 curve. */ typedef struct { uint64_t d[4]; -} rustsecp256k1_v0_1_1_scalar; +} rustsecp256k1_v0_1_2_scalar; #define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0) {{((uint64_t)(d1)) << 32 | (d0), ((uint64_t)(d3)) << 32 | (d2), ((uint64_t)(d5)) << 32 | (d4), ((uint64_t)(d7)) << 32 | (d6)}} diff --git a/secp256k1-sys/depend/secp256k1/src/scalar_4x64_impl.h b/secp256k1-sys/depend/secp256k1/src/scalar_4x64_impl.h index f2602eb0b..677c9a282 100644 --- a/secp256k1-sys/depend/secp256k1/src/scalar_4x64_impl.h +++ b/secp256k1-sys/depend/secp256k1/src/scalar_4x64_impl.h @@ -24,37 +24,37 @@ #define SECP256K1_N_H_2 ((uint64_t)0xFFFFFFFFFFFFFFFFULL) #define SECP256K1_N_H_3 ((uint64_t)0x7FFFFFFFFFFFFFFFULL) -SECP256K1_INLINE static void rustsecp256k1_v0_1_1_scalar_clear(rustsecp256k1_v0_1_1_scalar *r) { +SECP256K1_INLINE static void rustsecp256k1_v0_1_2_scalar_clear(rustsecp256k1_v0_1_2_scalar *r) { r->d[0] = 0; r->d[1] = 0; r->d[2] = 0; r->d[3] = 0; } -SECP256K1_INLINE static void rustsecp256k1_v0_1_1_scalar_set_int(rustsecp256k1_v0_1_1_scalar *r, unsigned int v) { +SECP256K1_INLINE static void rustsecp256k1_v0_1_2_scalar_set_int(rustsecp256k1_v0_1_2_scalar *r, unsigned int v) { r->d[0] = v; r->d[1] = 0; r->d[2] = 0; r->d[3] = 0; } -SECP256K1_INLINE static unsigned int rustsecp256k1_v0_1_1_scalar_get_bits(const rustsecp256k1_v0_1_1_scalar *a, unsigned int offset, unsigned int count) { +SECP256K1_INLINE static unsigned int rustsecp256k1_v0_1_2_scalar_get_bits(const rustsecp256k1_v0_1_2_scalar *a, unsigned int offset, unsigned int count) { VERIFY_CHECK((offset + count - 1) >> 6 == offset >> 6); return (a->d[offset >> 6] >> (offset & 0x3F)) & ((((uint64_t)1) << count) - 1); } -SECP256K1_INLINE static unsigned int rustsecp256k1_v0_1_1_scalar_get_bits_var(const rustsecp256k1_v0_1_1_scalar *a, unsigned int offset, unsigned int count) { +SECP256K1_INLINE static unsigned int rustsecp256k1_v0_1_2_scalar_get_bits_var(const rustsecp256k1_v0_1_2_scalar *a, unsigned int offset, unsigned int count) { VERIFY_CHECK(count < 32); VERIFY_CHECK(offset + count <= 256); if ((offset + count - 1) >> 6 == offset >> 6) { - return rustsecp256k1_v0_1_1_scalar_get_bits(a, offset, count); + return rustsecp256k1_v0_1_2_scalar_get_bits(a, offset, count); } else { VERIFY_CHECK((offset >> 6) + 1 < 4); return ((a->d[offset >> 6] >> (offset & 0x3F)) | (a->d[(offset >> 6) + 1] << (64 - (offset & 0x3F)))) & ((((uint64_t)1) << count) - 1); } } -SECP256K1_INLINE static int rustsecp256k1_v0_1_1_scalar_check_overflow(const rustsecp256k1_v0_1_1_scalar *a) { +SECP256K1_INLINE static int rustsecp256k1_v0_1_2_scalar_check_overflow(const rustsecp256k1_v0_1_2_scalar *a) { int yes = 0; int no = 0; no |= (a->d[3] < SECP256K1_N_3); /* No need for a > check. */ @@ -66,7 +66,7 @@ SECP256K1_INLINE static int rustsecp256k1_v0_1_1_scalar_check_overflow(const rus return yes; } -SECP256K1_INLINE static int rustsecp256k1_v0_1_1_scalar_reduce(rustsecp256k1_v0_1_1_scalar *r, unsigned int overflow) { +SECP256K1_INLINE static int rustsecp256k1_v0_1_2_scalar_reduce(rustsecp256k1_v0_1_2_scalar *r, unsigned int overflow) { uint128_t t; VERIFY_CHECK(overflow <= 1); t = (uint128_t)r->d[0] + overflow * SECP256K1_N_C_0; @@ -80,7 +80,7 @@ SECP256K1_INLINE static int rustsecp256k1_v0_1_1_scalar_reduce(rustsecp256k1_v0_ return overflow; } -static int rustsecp256k1_v0_1_1_scalar_add(rustsecp256k1_v0_1_1_scalar *r, const rustsecp256k1_v0_1_1_scalar *a, const rustsecp256k1_v0_1_1_scalar *b) { +static int rustsecp256k1_v0_1_2_scalar_add(rustsecp256k1_v0_1_2_scalar *r, const rustsecp256k1_v0_1_2_scalar *a, const rustsecp256k1_v0_1_2_scalar *b) { int overflow; uint128_t t = (uint128_t)a->d[0] + b->d[0]; r->d[0] = t & 0xFFFFFFFFFFFFFFFFULL; t >>= 64; @@ -90,13 +90,13 @@ static int rustsecp256k1_v0_1_1_scalar_add(rustsecp256k1_v0_1_1_scalar *r, const r->d[2] = t & 0xFFFFFFFFFFFFFFFFULL; t >>= 64; t += (uint128_t)a->d[3] + b->d[3]; r->d[3] = t & 0xFFFFFFFFFFFFFFFFULL; t >>= 64; - overflow = t + rustsecp256k1_v0_1_1_scalar_check_overflow(r); + overflow = t + rustsecp256k1_v0_1_2_scalar_check_overflow(r); VERIFY_CHECK(overflow == 0 || overflow == 1); - rustsecp256k1_v0_1_1_scalar_reduce(r, overflow); + rustsecp256k1_v0_1_2_scalar_reduce(r, overflow); return overflow; } -static void rustsecp256k1_v0_1_1_scalar_cadd_bit(rustsecp256k1_v0_1_1_scalar *r, unsigned int bit, int flag) { +static void rustsecp256k1_v0_1_2_scalar_cadd_bit(rustsecp256k1_v0_1_2_scalar *r, unsigned int bit, int flag) { uint128_t t; VERIFY_CHECK(bit < 256); bit += ((uint32_t) flag - 1) & 0x100; /* forcing (bit >> 6) > 3 makes this a noop */ @@ -110,35 +110,35 @@ static void rustsecp256k1_v0_1_1_scalar_cadd_bit(rustsecp256k1_v0_1_1_scalar *r, r->d[3] = t & 0xFFFFFFFFFFFFFFFFULL; #ifdef VERIFY VERIFY_CHECK((t >> 64) == 0); - VERIFY_CHECK(rustsecp256k1_v0_1_1_scalar_check_overflow(r) == 0); + VERIFY_CHECK(rustsecp256k1_v0_1_2_scalar_check_overflow(r) == 0); #endif } -static void rustsecp256k1_v0_1_1_scalar_set_b32(rustsecp256k1_v0_1_1_scalar *r, const unsigned char *b32, int *overflow) { +static void rustsecp256k1_v0_1_2_scalar_set_b32(rustsecp256k1_v0_1_2_scalar *r, const unsigned char *b32, int *overflow) { int over; r->d[0] = (uint64_t)b32[31] | (uint64_t)b32[30] << 8 | (uint64_t)b32[29] << 16 | (uint64_t)b32[28] << 24 | (uint64_t)b32[27] << 32 | (uint64_t)b32[26] << 40 | (uint64_t)b32[25] << 48 | (uint64_t)b32[24] << 56; r->d[1] = (uint64_t)b32[23] | (uint64_t)b32[22] << 8 | (uint64_t)b32[21] << 16 | (uint64_t)b32[20] << 24 | (uint64_t)b32[19] << 32 | (uint64_t)b32[18] << 40 | (uint64_t)b32[17] << 48 | (uint64_t)b32[16] << 56; r->d[2] = (uint64_t)b32[15] | (uint64_t)b32[14] << 8 | (uint64_t)b32[13] << 16 | (uint64_t)b32[12] << 24 | (uint64_t)b32[11] << 32 | (uint64_t)b32[10] << 40 | (uint64_t)b32[9] << 48 | (uint64_t)b32[8] << 56; r->d[3] = (uint64_t)b32[7] | (uint64_t)b32[6] << 8 | (uint64_t)b32[5] << 16 | (uint64_t)b32[4] << 24 | (uint64_t)b32[3] << 32 | (uint64_t)b32[2] << 40 | (uint64_t)b32[1] << 48 | (uint64_t)b32[0] << 56; - over = rustsecp256k1_v0_1_1_scalar_reduce(r, rustsecp256k1_v0_1_1_scalar_check_overflow(r)); + over = rustsecp256k1_v0_1_2_scalar_reduce(r, rustsecp256k1_v0_1_2_scalar_check_overflow(r)); if (overflow) { *overflow = over; } } -static void rustsecp256k1_v0_1_1_scalar_get_b32(unsigned char *bin, const rustsecp256k1_v0_1_1_scalar* a) { +static void rustsecp256k1_v0_1_2_scalar_get_b32(unsigned char *bin, const rustsecp256k1_v0_1_2_scalar* a) { bin[0] = a->d[3] >> 56; bin[1] = a->d[3] >> 48; bin[2] = a->d[3] >> 40; bin[3] = a->d[3] >> 32; bin[4] = a->d[3] >> 24; bin[5] = a->d[3] >> 16; bin[6] = a->d[3] >> 8; bin[7] = a->d[3]; bin[8] = a->d[2] >> 56; bin[9] = a->d[2] >> 48; bin[10] = a->d[2] >> 40; bin[11] = a->d[2] >> 32; bin[12] = a->d[2] >> 24; bin[13] = a->d[2] >> 16; bin[14] = a->d[2] >> 8; bin[15] = a->d[2]; bin[16] = a->d[1] >> 56; bin[17] = a->d[1] >> 48; bin[18] = a->d[1] >> 40; bin[19] = a->d[1] >> 32; bin[20] = a->d[1] >> 24; bin[21] = a->d[1] >> 16; bin[22] = a->d[1] >> 8; bin[23] = a->d[1]; bin[24] = a->d[0] >> 56; bin[25] = a->d[0] >> 48; bin[26] = a->d[0] >> 40; bin[27] = a->d[0] >> 32; bin[28] = a->d[0] >> 24; bin[29] = a->d[0] >> 16; bin[30] = a->d[0] >> 8; bin[31] = a->d[0]; } -SECP256K1_INLINE static int rustsecp256k1_v0_1_1_scalar_is_zero(const rustsecp256k1_v0_1_1_scalar *a) { +SECP256K1_INLINE static int rustsecp256k1_v0_1_2_scalar_is_zero(const rustsecp256k1_v0_1_2_scalar *a) { return (a->d[0] | a->d[1] | a->d[2] | a->d[3]) == 0; } -static void rustsecp256k1_v0_1_1_scalar_negate(rustsecp256k1_v0_1_1_scalar *r, const rustsecp256k1_v0_1_1_scalar *a) { - uint64_t nonzero = 0xFFFFFFFFFFFFFFFFULL * (rustsecp256k1_v0_1_1_scalar_is_zero(a) == 0); +static void rustsecp256k1_v0_1_2_scalar_negate(rustsecp256k1_v0_1_2_scalar *r, const rustsecp256k1_v0_1_2_scalar *a) { + uint64_t nonzero = 0xFFFFFFFFFFFFFFFFULL * (rustsecp256k1_v0_1_2_scalar_is_zero(a) == 0); uint128_t t = (uint128_t)(~a->d[0]) + SECP256K1_N_0 + 1; r->d[0] = t & nonzero; t >>= 64; t += (uint128_t)(~a->d[1]) + SECP256K1_N_1; @@ -149,11 +149,11 @@ static void rustsecp256k1_v0_1_1_scalar_negate(rustsecp256k1_v0_1_1_scalar *r, c r->d[3] = t & nonzero; } -SECP256K1_INLINE static int rustsecp256k1_v0_1_1_scalar_is_one(const rustsecp256k1_v0_1_1_scalar *a) { +SECP256K1_INLINE static int rustsecp256k1_v0_1_2_scalar_is_one(const rustsecp256k1_v0_1_2_scalar *a) { return ((a->d[0] ^ 1) | a->d[1] | a->d[2] | a->d[3]) == 0; } -static int rustsecp256k1_v0_1_1_scalar_is_high(const rustsecp256k1_v0_1_1_scalar *a) { +static int rustsecp256k1_v0_1_2_scalar_is_high(const rustsecp256k1_v0_1_2_scalar *a) { int yes = 0; int no = 0; no |= (a->d[3] < SECP256K1_N_H_3); @@ -165,11 +165,11 @@ static int rustsecp256k1_v0_1_1_scalar_is_high(const rustsecp256k1_v0_1_1_scalar return yes; } -static int rustsecp256k1_v0_1_1_scalar_cond_negate(rustsecp256k1_v0_1_1_scalar *r, int flag) { +static int rustsecp256k1_v0_1_2_scalar_cond_negate(rustsecp256k1_v0_1_2_scalar *r, int flag) { /* If we are flag = 0, mask = 00...00 and this is a no-op; - * if we are flag = 1, mask = 11...11 and this is identical to rustsecp256k1_v0_1_1_scalar_negate */ + * if we are flag = 1, mask = 11...11 and this is identical to rustsecp256k1_v0_1_2_scalar_negate */ uint64_t mask = !flag - 1; - uint64_t nonzero = (rustsecp256k1_v0_1_1_scalar_is_zero(r) != 0) - 1; + uint64_t nonzero = (rustsecp256k1_v0_1_2_scalar_is_zero(r) != 0) - 1; uint128_t t = (uint128_t)(r->d[0] ^ mask) + ((SECP256K1_N_0 + 1) & mask); r->d[0] = t & nonzero; t >>= 64; t += (uint128_t)(r->d[1] ^ mask) + (SECP256K1_N_1 & mask); @@ -267,7 +267,7 @@ static int rustsecp256k1_v0_1_1_scalar_cond_negate(rustsecp256k1_v0_1_1_scalar * VERIFY_CHECK(c2 == 0); \ } -static void rustsecp256k1_v0_1_1_scalar_reduce_512(rustsecp256k1_v0_1_1_scalar *r, const uint64_t *l) { +static void rustsecp256k1_v0_1_2_scalar_reduce_512(rustsecp256k1_v0_1_2_scalar *r, const uint64_t *l) { #ifdef USE_ASM_X86_64 /* Reduce 512 bits into 385. */ uint64_t m0, m1, m2, m3, m4, m5, m6; @@ -573,10 +573,10 @@ static void rustsecp256k1_v0_1_1_scalar_reduce_512(rustsecp256k1_v0_1_1_scalar * #endif /* Final reduction of r. */ - rustsecp256k1_v0_1_1_scalar_reduce(r, c + rustsecp256k1_v0_1_1_scalar_check_overflow(r)); + rustsecp256k1_v0_1_2_scalar_reduce(r, c + rustsecp256k1_v0_1_2_scalar_check_overflow(r)); } -static void rustsecp256k1_v0_1_1_scalar_mul_512(uint64_t l[8], const rustsecp256k1_v0_1_1_scalar *a, const rustsecp256k1_v0_1_1_scalar *b) { +static void rustsecp256k1_v0_1_2_scalar_mul_512(uint64_t l[8], const rustsecp256k1_v0_1_2_scalar *a, const rustsecp256k1_v0_1_2_scalar *b) { #ifdef USE_ASM_X86_64 const uint64_t *pb = b->d; __asm__ __volatile__( @@ -743,7 +743,7 @@ static void rustsecp256k1_v0_1_1_scalar_mul_512(uint64_t l[8], const rustsecp256 #endif } -static void rustsecp256k1_v0_1_1_scalar_sqr_512(uint64_t l[8], const rustsecp256k1_v0_1_1_scalar *a) { +static void rustsecp256k1_v0_1_2_scalar_sqr_512(uint64_t l[8], const rustsecp256k1_v0_1_2_scalar *a) { #ifdef USE_ASM_X86_64 __asm__ __volatile__( /* Preload */ @@ -888,13 +888,13 @@ static void rustsecp256k1_v0_1_1_scalar_sqr_512(uint64_t l[8], const rustsecp256 #undef extract #undef extract_fast -static void rustsecp256k1_v0_1_1_scalar_mul(rustsecp256k1_v0_1_1_scalar *r, const rustsecp256k1_v0_1_1_scalar *a, const rustsecp256k1_v0_1_1_scalar *b) { +static void rustsecp256k1_v0_1_2_scalar_mul(rustsecp256k1_v0_1_2_scalar *r, const rustsecp256k1_v0_1_2_scalar *a, const rustsecp256k1_v0_1_2_scalar *b) { uint64_t l[8]; - rustsecp256k1_v0_1_1_scalar_mul_512(l, a, b); - rustsecp256k1_v0_1_1_scalar_reduce_512(r, l); + rustsecp256k1_v0_1_2_scalar_mul_512(l, a, b); + rustsecp256k1_v0_1_2_scalar_reduce_512(r, l); } -static int rustsecp256k1_v0_1_1_scalar_shr_int(rustsecp256k1_v0_1_1_scalar *r, int n) { +static int rustsecp256k1_v0_1_2_scalar_shr_int(rustsecp256k1_v0_1_2_scalar *r, int n) { int ret; VERIFY_CHECK(n > 0); VERIFY_CHECK(n < 16); @@ -906,14 +906,14 @@ static int rustsecp256k1_v0_1_1_scalar_shr_int(rustsecp256k1_v0_1_1_scalar *r, i return ret; } -static void rustsecp256k1_v0_1_1_scalar_sqr(rustsecp256k1_v0_1_1_scalar *r, const rustsecp256k1_v0_1_1_scalar *a) { +static void rustsecp256k1_v0_1_2_scalar_sqr(rustsecp256k1_v0_1_2_scalar *r, const rustsecp256k1_v0_1_2_scalar *a) { uint64_t l[8]; - rustsecp256k1_v0_1_1_scalar_sqr_512(l, a); - rustsecp256k1_v0_1_1_scalar_reduce_512(r, l); + rustsecp256k1_v0_1_2_scalar_sqr_512(l, a); + rustsecp256k1_v0_1_2_scalar_reduce_512(r, l); } #ifdef USE_ENDOMORPHISM -static void rustsecp256k1_v0_1_1_scalar_split_128(rustsecp256k1_v0_1_1_scalar *r1, rustsecp256k1_v0_1_1_scalar *r2, const rustsecp256k1_v0_1_1_scalar *a) { +static void rustsecp256k1_v0_1_2_scalar_split_128(rustsecp256k1_v0_1_2_scalar *r1, rustsecp256k1_v0_1_2_scalar *r2, const rustsecp256k1_v0_1_2_scalar *a) { r1->d[0] = a->d[0]; r1->d[1] = a->d[1]; r1->d[2] = 0; @@ -925,17 +925,17 @@ static void rustsecp256k1_v0_1_1_scalar_split_128(rustsecp256k1_v0_1_1_scalar *r } #endif -SECP256K1_INLINE static int rustsecp256k1_v0_1_1_scalar_eq(const rustsecp256k1_v0_1_1_scalar *a, const rustsecp256k1_v0_1_1_scalar *b) { +SECP256K1_INLINE static int rustsecp256k1_v0_1_2_scalar_eq(const rustsecp256k1_v0_1_2_scalar *a, const rustsecp256k1_v0_1_2_scalar *b) { return ((a->d[0] ^ b->d[0]) | (a->d[1] ^ b->d[1]) | (a->d[2] ^ b->d[2]) | (a->d[3] ^ b->d[3])) == 0; } -SECP256K1_INLINE static void rustsecp256k1_v0_1_1_scalar_mul_shift_var(rustsecp256k1_v0_1_1_scalar *r, const rustsecp256k1_v0_1_1_scalar *a, const rustsecp256k1_v0_1_1_scalar *b, unsigned int shift) { +SECP256K1_INLINE static void rustsecp256k1_v0_1_2_scalar_mul_shift_var(rustsecp256k1_v0_1_2_scalar *r, const rustsecp256k1_v0_1_2_scalar *a, const rustsecp256k1_v0_1_2_scalar *b, unsigned int shift) { uint64_t l[8]; unsigned int shiftlimbs; unsigned int shiftlow; unsigned int shifthigh; VERIFY_CHECK(shift >= 256); - rustsecp256k1_v0_1_1_scalar_mul_512(l, a, b); + rustsecp256k1_v0_1_2_scalar_mul_512(l, a, b); shiftlimbs = shift >> 6; shiftlow = shift & 0x3F; shifthigh = 64 - shiftlow; @@ -943,7 +943,17 @@ SECP256K1_INLINE static void rustsecp256k1_v0_1_1_scalar_mul_shift_var(rustsecp2 r->d[1] = shift < 448 ? (l[1 + shiftlimbs] >> shiftlow | (shift < 384 && shiftlow ? (l[2 + shiftlimbs] << shifthigh) : 0)) : 0; r->d[2] = shift < 384 ? (l[2 + shiftlimbs] >> shiftlow | (shift < 320 && shiftlow ? (l[3 + shiftlimbs] << shifthigh) : 0)) : 0; r->d[3] = shift < 320 ? (l[3 + shiftlimbs] >> shiftlow) : 0; - rustsecp256k1_v0_1_1_scalar_cadd_bit(r, 0, (l[(shift - 1) >> 6] >> ((shift - 1) & 0x3f)) & 1); + rustsecp256k1_v0_1_2_scalar_cadd_bit(r, 0, (l[(shift - 1) >> 6] >> ((shift - 1) & 0x3f)) & 1); +} + +static SECP256K1_INLINE void rustsecp256k1_v0_1_2_scalar_cmov(rustsecp256k1_v0_1_2_scalar *r, const rustsecp256k1_v0_1_2_scalar *a, int flag) { + uint64_t mask0, mask1; + mask0 = flag + ~((uint64_t)0); + mask1 = ~mask0; + r->d[0] = (r->d[0] & mask0) | (a->d[0] & mask1); + r->d[1] = (r->d[1] & mask0) | (a->d[1] & mask1); + r->d[2] = (r->d[2] & mask0) | (a->d[2] & mask1); + r->d[3] = (r->d[3] & mask0) | (a->d[3] & mask1); } #endif /* SECP256K1_SCALAR_REPR_IMPL_H */ diff --git a/secp256k1-sys/depend/secp256k1/src/scalar_8x32.h b/secp256k1-sys/depend/secp256k1/src/scalar_8x32.h index cd6b97c80..81d36d4fe 100644 --- a/secp256k1-sys/depend/secp256k1/src/scalar_8x32.h +++ b/secp256k1-sys/depend/secp256k1/src/scalar_8x32.h @@ -12,7 +12,7 @@ /** A scalar modulo the group order of the secp256k1 curve. */ typedef struct { uint32_t d[8]; -} rustsecp256k1_v0_1_1_scalar; +} rustsecp256k1_v0_1_2_scalar; #define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0) {{(d0), (d1), (d2), (d3), (d4), (d5), (d6), (d7)}} diff --git a/secp256k1-sys/depend/secp256k1/src/scalar_8x32_impl.h b/secp256k1-sys/depend/secp256k1/src/scalar_8x32_impl.h index 0e1fef686..b870cadd7 100644 --- a/secp256k1-sys/depend/secp256k1/src/scalar_8x32_impl.h +++ b/secp256k1-sys/depend/secp256k1/src/scalar_8x32_impl.h @@ -34,7 +34,7 @@ #define SECP256K1_N_H_6 ((uint32_t)0xFFFFFFFFUL) #define SECP256K1_N_H_7 ((uint32_t)0x7FFFFFFFUL) -SECP256K1_INLINE static void rustsecp256k1_v0_1_1_scalar_clear(rustsecp256k1_v0_1_1_scalar *r) { +SECP256K1_INLINE static void rustsecp256k1_v0_1_2_scalar_clear(rustsecp256k1_v0_1_2_scalar *r) { r->d[0] = 0; r->d[1] = 0; r->d[2] = 0; @@ -45,7 +45,7 @@ SECP256K1_INLINE static void rustsecp256k1_v0_1_1_scalar_clear(rustsecp256k1_v0_ r->d[7] = 0; } -SECP256K1_INLINE static void rustsecp256k1_v0_1_1_scalar_set_int(rustsecp256k1_v0_1_1_scalar *r, unsigned int v) { +SECP256K1_INLINE static void rustsecp256k1_v0_1_2_scalar_set_int(rustsecp256k1_v0_1_2_scalar *r, unsigned int v) { r->d[0] = v; r->d[1] = 0; r->d[2] = 0; @@ -56,23 +56,23 @@ SECP256K1_INLINE static void rustsecp256k1_v0_1_1_scalar_set_int(rustsecp256k1_v r->d[7] = 0; } -SECP256K1_INLINE static unsigned int rustsecp256k1_v0_1_1_scalar_get_bits(const rustsecp256k1_v0_1_1_scalar *a, unsigned int offset, unsigned int count) { +SECP256K1_INLINE static unsigned int rustsecp256k1_v0_1_2_scalar_get_bits(const rustsecp256k1_v0_1_2_scalar *a, unsigned int offset, unsigned int count) { VERIFY_CHECK((offset + count - 1) >> 5 == offset >> 5); return (a->d[offset >> 5] >> (offset & 0x1F)) & ((1 << count) - 1); } -SECP256K1_INLINE static unsigned int rustsecp256k1_v0_1_1_scalar_get_bits_var(const rustsecp256k1_v0_1_1_scalar *a, unsigned int offset, unsigned int count) { +SECP256K1_INLINE static unsigned int rustsecp256k1_v0_1_2_scalar_get_bits_var(const rustsecp256k1_v0_1_2_scalar *a, unsigned int offset, unsigned int count) { VERIFY_CHECK(count < 32); VERIFY_CHECK(offset + count <= 256); if ((offset + count - 1) >> 5 == offset >> 5) { - return rustsecp256k1_v0_1_1_scalar_get_bits(a, offset, count); + return rustsecp256k1_v0_1_2_scalar_get_bits(a, offset, count); } else { VERIFY_CHECK((offset >> 5) + 1 < 8); return ((a->d[offset >> 5] >> (offset & 0x1F)) | (a->d[(offset >> 5) + 1] << (32 - (offset & 0x1F)))) & ((((uint32_t)1) << count) - 1); } } -SECP256K1_INLINE static int rustsecp256k1_v0_1_1_scalar_check_overflow(const rustsecp256k1_v0_1_1_scalar *a) { +SECP256K1_INLINE static int rustsecp256k1_v0_1_2_scalar_check_overflow(const rustsecp256k1_v0_1_2_scalar *a) { int yes = 0; int no = 0; no |= (a->d[7] < SECP256K1_N_7); /* No need for a > check. */ @@ -90,7 +90,7 @@ SECP256K1_INLINE static int rustsecp256k1_v0_1_1_scalar_check_overflow(const rus return yes; } -SECP256K1_INLINE static int rustsecp256k1_v0_1_1_scalar_reduce(rustsecp256k1_v0_1_1_scalar *r, uint32_t overflow) { +SECP256K1_INLINE static int rustsecp256k1_v0_1_2_scalar_reduce(rustsecp256k1_v0_1_2_scalar *r, uint32_t overflow) { uint64_t t; VERIFY_CHECK(overflow <= 1); t = (uint64_t)r->d[0] + overflow * SECP256K1_N_C_0; @@ -112,7 +112,7 @@ SECP256K1_INLINE static int rustsecp256k1_v0_1_1_scalar_reduce(rustsecp256k1_v0_ return overflow; } -static int rustsecp256k1_v0_1_1_scalar_add(rustsecp256k1_v0_1_1_scalar *r, const rustsecp256k1_v0_1_1_scalar *a, const rustsecp256k1_v0_1_1_scalar *b) { +static int rustsecp256k1_v0_1_2_scalar_add(rustsecp256k1_v0_1_2_scalar *r, const rustsecp256k1_v0_1_2_scalar *a, const rustsecp256k1_v0_1_2_scalar *b) { int overflow; uint64_t t = (uint64_t)a->d[0] + b->d[0]; r->d[0] = t & 0xFFFFFFFFULL; t >>= 32; @@ -130,13 +130,13 @@ static int rustsecp256k1_v0_1_1_scalar_add(rustsecp256k1_v0_1_1_scalar *r, const r->d[6] = t & 0xFFFFFFFFULL; t >>= 32; t += (uint64_t)a->d[7] + b->d[7]; r->d[7] = t & 0xFFFFFFFFULL; t >>= 32; - overflow = t + rustsecp256k1_v0_1_1_scalar_check_overflow(r); + overflow = t + rustsecp256k1_v0_1_2_scalar_check_overflow(r); VERIFY_CHECK(overflow == 0 || overflow == 1); - rustsecp256k1_v0_1_1_scalar_reduce(r, overflow); + rustsecp256k1_v0_1_2_scalar_reduce(r, overflow); return overflow; } -static void rustsecp256k1_v0_1_1_scalar_cadd_bit(rustsecp256k1_v0_1_1_scalar *r, unsigned int bit, int flag) { +static void rustsecp256k1_v0_1_2_scalar_cadd_bit(rustsecp256k1_v0_1_2_scalar *r, unsigned int bit, int flag) { uint64_t t; VERIFY_CHECK(bit < 256); bit += ((uint32_t) flag - 1) & 0x100; /* forcing (bit >> 5) > 7 makes this a noop */ @@ -158,11 +158,11 @@ static void rustsecp256k1_v0_1_1_scalar_cadd_bit(rustsecp256k1_v0_1_1_scalar *r, r->d[7] = t & 0xFFFFFFFFULL; #ifdef VERIFY VERIFY_CHECK((t >> 32) == 0); - VERIFY_CHECK(rustsecp256k1_v0_1_1_scalar_check_overflow(r) == 0); + VERIFY_CHECK(rustsecp256k1_v0_1_2_scalar_check_overflow(r) == 0); #endif } -static void rustsecp256k1_v0_1_1_scalar_set_b32(rustsecp256k1_v0_1_1_scalar *r, const unsigned char *b32, int *overflow) { +static void rustsecp256k1_v0_1_2_scalar_set_b32(rustsecp256k1_v0_1_2_scalar *r, const unsigned char *b32, int *overflow) { int over; r->d[0] = (uint32_t)b32[31] | (uint32_t)b32[30] << 8 | (uint32_t)b32[29] << 16 | (uint32_t)b32[28] << 24; r->d[1] = (uint32_t)b32[27] | (uint32_t)b32[26] << 8 | (uint32_t)b32[25] << 16 | (uint32_t)b32[24] << 24; @@ -172,13 +172,13 @@ static void rustsecp256k1_v0_1_1_scalar_set_b32(rustsecp256k1_v0_1_1_scalar *r, r->d[5] = (uint32_t)b32[11] | (uint32_t)b32[10] << 8 | (uint32_t)b32[9] << 16 | (uint32_t)b32[8] << 24; r->d[6] = (uint32_t)b32[7] | (uint32_t)b32[6] << 8 | (uint32_t)b32[5] << 16 | (uint32_t)b32[4] << 24; r->d[7] = (uint32_t)b32[3] | (uint32_t)b32[2] << 8 | (uint32_t)b32[1] << 16 | (uint32_t)b32[0] << 24; - over = rustsecp256k1_v0_1_1_scalar_reduce(r, rustsecp256k1_v0_1_1_scalar_check_overflow(r)); + over = rustsecp256k1_v0_1_2_scalar_reduce(r, rustsecp256k1_v0_1_2_scalar_check_overflow(r)); if (overflow) { *overflow = over; } } -static void rustsecp256k1_v0_1_1_scalar_get_b32(unsigned char *bin, const rustsecp256k1_v0_1_1_scalar* a) { +static void rustsecp256k1_v0_1_2_scalar_get_b32(unsigned char *bin, const rustsecp256k1_v0_1_2_scalar* a) { bin[0] = a->d[7] >> 24; bin[1] = a->d[7] >> 16; bin[2] = a->d[7] >> 8; bin[3] = a->d[7]; bin[4] = a->d[6] >> 24; bin[5] = a->d[6] >> 16; bin[6] = a->d[6] >> 8; bin[7] = a->d[6]; bin[8] = a->d[5] >> 24; bin[9] = a->d[5] >> 16; bin[10] = a->d[5] >> 8; bin[11] = a->d[5]; @@ -189,12 +189,12 @@ static void rustsecp256k1_v0_1_1_scalar_get_b32(unsigned char *bin, const rustse bin[28] = a->d[0] >> 24; bin[29] = a->d[0] >> 16; bin[30] = a->d[0] >> 8; bin[31] = a->d[0]; } -SECP256K1_INLINE static int rustsecp256k1_v0_1_1_scalar_is_zero(const rustsecp256k1_v0_1_1_scalar *a) { +SECP256K1_INLINE static int rustsecp256k1_v0_1_2_scalar_is_zero(const rustsecp256k1_v0_1_2_scalar *a) { return (a->d[0] | a->d[1] | a->d[2] | a->d[3] | a->d[4] | a->d[5] | a->d[6] | a->d[7]) == 0; } -static void rustsecp256k1_v0_1_1_scalar_negate(rustsecp256k1_v0_1_1_scalar *r, const rustsecp256k1_v0_1_1_scalar *a) { - uint32_t nonzero = 0xFFFFFFFFUL * (rustsecp256k1_v0_1_1_scalar_is_zero(a) == 0); +static void rustsecp256k1_v0_1_2_scalar_negate(rustsecp256k1_v0_1_2_scalar *r, const rustsecp256k1_v0_1_2_scalar *a) { + uint32_t nonzero = 0xFFFFFFFFUL * (rustsecp256k1_v0_1_2_scalar_is_zero(a) == 0); uint64_t t = (uint64_t)(~a->d[0]) + SECP256K1_N_0 + 1; r->d[0] = t & nonzero; t >>= 32; t += (uint64_t)(~a->d[1]) + SECP256K1_N_1; @@ -213,11 +213,11 @@ static void rustsecp256k1_v0_1_1_scalar_negate(rustsecp256k1_v0_1_1_scalar *r, c r->d[7] = t & nonzero; } -SECP256K1_INLINE static int rustsecp256k1_v0_1_1_scalar_is_one(const rustsecp256k1_v0_1_1_scalar *a) { +SECP256K1_INLINE static int rustsecp256k1_v0_1_2_scalar_is_one(const rustsecp256k1_v0_1_2_scalar *a) { return ((a->d[0] ^ 1) | a->d[1] | a->d[2] | a->d[3] | a->d[4] | a->d[5] | a->d[6] | a->d[7]) == 0; } -static int rustsecp256k1_v0_1_1_scalar_is_high(const rustsecp256k1_v0_1_1_scalar *a) { +static int rustsecp256k1_v0_1_2_scalar_is_high(const rustsecp256k1_v0_1_2_scalar *a) { int yes = 0; int no = 0; no |= (a->d[7] < SECP256K1_N_H_7); @@ -235,11 +235,11 @@ static int rustsecp256k1_v0_1_1_scalar_is_high(const rustsecp256k1_v0_1_1_scalar return yes; } -static int rustsecp256k1_v0_1_1_scalar_cond_negate(rustsecp256k1_v0_1_1_scalar *r, int flag) { +static int rustsecp256k1_v0_1_2_scalar_cond_negate(rustsecp256k1_v0_1_2_scalar *r, int flag) { /* If we are flag = 0, mask = 00...00 and this is a no-op; - * if we are flag = 1, mask = 11...11 and this is identical to rustsecp256k1_v0_1_1_scalar_negate */ + * if we are flag = 1, mask = 11...11 and this is identical to rustsecp256k1_v0_1_2_scalar_negate */ uint32_t mask = !flag - 1; - uint32_t nonzero = 0xFFFFFFFFUL * (rustsecp256k1_v0_1_1_scalar_is_zero(r) == 0); + uint32_t nonzero = 0xFFFFFFFFUL * (rustsecp256k1_v0_1_2_scalar_is_zero(r) == 0); uint64_t t = (uint64_t)(r->d[0] ^ mask) + ((SECP256K1_N_0 + 1) & mask); r->d[0] = t & nonzero; t >>= 32; t += (uint64_t)(r->d[1] ^ mask) + (SECP256K1_N_1 & mask); @@ -346,7 +346,7 @@ static int rustsecp256k1_v0_1_1_scalar_cond_negate(rustsecp256k1_v0_1_1_scalar * VERIFY_CHECK(c2 == 0); \ } -static void rustsecp256k1_v0_1_1_scalar_reduce_512(rustsecp256k1_v0_1_1_scalar *r, const uint32_t *l) { +static void rustsecp256k1_v0_1_2_scalar_reduce_512(rustsecp256k1_v0_1_2_scalar *r, const uint32_t *l) { uint64_t c; uint32_t n0 = l[8], n1 = l[9], n2 = l[10], n3 = l[11], n4 = l[12], n5 = l[13], n6 = l[14], n7 = l[15]; uint32_t m0, m1, m2, m3, m4, m5, m6, m7, m8, m9, m10, m11, m12; @@ -485,10 +485,10 @@ static void rustsecp256k1_v0_1_1_scalar_reduce_512(rustsecp256k1_v0_1_1_scalar * r->d[7] = c & 0xFFFFFFFFUL; c >>= 32; /* Final reduction of r. */ - rustsecp256k1_v0_1_1_scalar_reduce(r, c + rustsecp256k1_v0_1_1_scalar_check_overflow(r)); + rustsecp256k1_v0_1_2_scalar_reduce(r, c + rustsecp256k1_v0_1_2_scalar_check_overflow(r)); } -static void rustsecp256k1_v0_1_1_scalar_mul_512(uint32_t *l, const rustsecp256k1_v0_1_1_scalar *a, const rustsecp256k1_v0_1_1_scalar *b) { +static void rustsecp256k1_v0_1_2_scalar_mul_512(uint32_t *l, const rustsecp256k1_v0_1_2_scalar *a, const rustsecp256k1_v0_1_2_scalar *b) { /* 96 bit accumulator. */ uint32_t c0 = 0, c1 = 0, c2 = 0; @@ -576,7 +576,7 @@ static void rustsecp256k1_v0_1_1_scalar_mul_512(uint32_t *l, const rustsecp256k1 l[15] = c0; } -static void rustsecp256k1_v0_1_1_scalar_sqr_512(uint32_t *l, const rustsecp256k1_v0_1_1_scalar *a) { +static void rustsecp256k1_v0_1_2_scalar_sqr_512(uint32_t *l, const rustsecp256k1_v0_1_2_scalar *a) { /* 96 bit accumulator. */ uint32_t c0 = 0, c1 = 0, c2 = 0; @@ -644,13 +644,13 @@ static void rustsecp256k1_v0_1_1_scalar_sqr_512(uint32_t *l, const rustsecp256k1 #undef extract #undef extract_fast -static void rustsecp256k1_v0_1_1_scalar_mul(rustsecp256k1_v0_1_1_scalar *r, const rustsecp256k1_v0_1_1_scalar *a, const rustsecp256k1_v0_1_1_scalar *b) { +static void rustsecp256k1_v0_1_2_scalar_mul(rustsecp256k1_v0_1_2_scalar *r, const rustsecp256k1_v0_1_2_scalar *a, const rustsecp256k1_v0_1_2_scalar *b) { uint32_t l[16]; - rustsecp256k1_v0_1_1_scalar_mul_512(l, a, b); - rustsecp256k1_v0_1_1_scalar_reduce_512(r, l); + rustsecp256k1_v0_1_2_scalar_mul_512(l, a, b); + rustsecp256k1_v0_1_2_scalar_reduce_512(r, l); } -static int rustsecp256k1_v0_1_1_scalar_shr_int(rustsecp256k1_v0_1_1_scalar *r, int n) { +static int rustsecp256k1_v0_1_2_scalar_shr_int(rustsecp256k1_v0_1_2_scalar *r, int n) { int ret; VERIFY_CHECK(n > 0); VERIFY_CHECK(n < 16); @@ -666,14 +666,14 @@ static int rustsecp256k1_v0_1_1_scalar_shr_int(rustsecp256k1_v0_1_1_scalar *r, i return ret; } -static void rustsecp256k1_v0_1_1_scalar_sqr(rustsecp256k1_v0_1_1_scalar *r, const rustsecp256k1_v0_1_1_scalar *a) { +static void rustsecp256k1_v0_1_2_scalar_sqr(rustsecp256k1_v0_1_2_scalar *r, const rustsecp256k1_v0_1_2_scalar *a) { uint32_t l[16]; - rustsecp256k1_v0_1_1_scalar_sqr_512(l, a); - rustsecp256k1_v0_1_1_scalar_reduce_512(r, l); + rustsecp256k1_v0_1_2_scalar_sqr_512(l, a); + rustsecp256k1_v0_1_2_scalar_reduce_512(r, l); } #ifdef USE_ENDOMORPHISM -static void rustsecp256k1_v0_1_1_scalar_split_128(rustsecp256k1_v0_1_1_scalar *r1, rustsecp256k1_v0_1_1_scalar *r2, const rustsecp256k1_v0_1_1_scalar *a) { +static void rustsecp256k1_v0_1_2_scalar_split_128(rustsecp256k1_v0_1_2_scalar *r1, rustsecp256k1_v0_1_2_scalar *r2, const rustsecp256k1_v0_1_2_scalar *a) { r1->d[0] = a->d[0]; r1->d[1] = a->d[1]; r1->d[2] = a->d[2]; @@ -693,17 +693,17 @@ static void rustsecp256k1_v0_1_1_scalar_split_128(rustsecp256k1_v0_1_1_scalar *r } #endif -SECP256K1_INLINE static int rustsecp256k1_v0_1_1_scalar_eq(const rustsecp256k1_v0_1_1_scalar *a, const rustsecp256k1_v0_1_1_scalar *b) { +SECP256K1_INLINE static int rustsecp256k1_v0_1_2_scalar_eq(const rustsecp256k1_v0_1_2_scalar *a, const rustsecp256k1_v0_1_2_scalar *b) { return ((a->d[0] ^ b->d[0]) | (a->d[1] ^ b->d[1]) | (a->d[2] ^ b->d[2]) | (a->d[3] ^ b->d[3]) | (a->d[4] ^ b->d[4]) | (a->d[5] ^ b->d[5]) | (a->d[6] ^ b->d[6]) | (a->d[7] ^ b->d[7])) == 0; } -SECP256K1_INLINE static void rustsecp256k1_v0_1_1_scalar_mul_shift_var(rustsecp256k1_v0_1_1_scalar *r, const rustsecp256k1_v0_1_1_scalar *a, const rustsecp256k1_v0_1_1_scalar *b, unsigned int shift) { +SECP256K1_INLINE static void rustsecp256k1_v0_1_2_scalar_mul_shift_var(rustsecp256k1_v0_1_2_scalar *r, const rustsecp256k1_v0_1_2_scalar *a, const rustsecp256k1_v0_1_2_scalar *b, unsigned int shift) { uint32_t l[16]; unsigned int shiftlimbs; unsigned int shiftlow; unsigned int shifthigh; VERIFY_CHECK(shift >= 256); - rustsecp256k1_v0_1_1_scalar_mul_512(l, a, b); + rustsecp256k1_v0_1_2_scalar_mul_512(l, a, b); shiftlimbs = shift >> 5; shiftlow = shift & 0x1F; shifthigh = 32 - shiftlow; @@ -715,7 +715,21 @@ SECP256K1_INLINE static void rustsecp256k1_v0_1_1_scalar_mul_shift_var(rustsecp2 r->d[5] = shift < 352 ? (l[5 + shiftlimbs] >> shiftlow | (shift < 320 && shiftlow ? (l[6 + shiftlimbs] << shifthigh) : 0)) : 0; r->d[6] = shift < 320 ? (l[6 + shiftlimbs] >> shiftlow | (shift < 288 && shiftlow ? (l[7 + shiftlimbs] << shifthigh) : 0)) : 0; r->d[7] = shift < 288 ? (l[7 + shiftlimbs] >> shiftlow) : 0; - rustsecp256k1_v0_1_1_scalar_cadd_bit(r, 0, (l[(shift - 1) >> 5] >> ((shift - 1) & 0x1f)) & 1); + rustsecp256k1_v0_1_2_scalar_cadd_bit(r, 0, (l[(shift - 1) >> 5] >> ((shift - 1) & 0x1f)) & 1); +} + +static SECP256K1_INLINE void rustsecp256k1_v0_1_2_scalar_cmov(rustsecp256k1_v0_1_2_scalar *r, const rustsecp256k1_v0_1_2_scalar *a, int flag) { + uint32_t mask0, mask1; + mask0 = flag + ~((uint32_t)0); + mask1 = ~mask0; + r->d[0] = (r->d[0] & mask0) | (a->d[0] & mask1); + r->d[1] = (r->d[1] & mask0) | (a->d[1] & mask1); + r->d[2] = (r->d[2] & mask0) | (a->d[2] & mask1); + r->d[3] = (r->d[3] & mask0) | (a->d[3] & mask1); + r->d[4] = (r->d[4] & mask0) | (a->d[4] & mask1); + r->d[5] = (r->d[5] & mask0) | (a->d[5] & mask1); + r->d[6] = (r->d[6] & mask0) | (a->d[6] & mask1); + r->d[7] = (r->d[7] & mask0) | (a->d[7] & mask1); } #endif /* SECP256K1_SCALAR_REPR_IMPL_H */ diff --git a/secp256k1-sys/depend/secp256k1/src/scalar_impl.h b/secp256k1-sys/depend/secp256k1/src/scalar_impl.h index f403d430f..69e6e2de3 100644 --- a/secp256k1-sys/depend/secp256k1/src/scalar_impl.h +++ b/secp256k1-sys/depend/secp256k1/src/scalar_impl.h @@ -7,8 +7,8 @@ #ifndef SECP256K1_SCALAR_IMPL_H #define SECP256K1_SCALAR_IMPL_H -#include "group.h" #include "scalar.h" +#include "util.h" #if defined HAVE_CONFIG_H #include "libsecp256k1-config.h" @@ -24,15 +24,18 @@ #error "Please select scalar implementation" #endif +static const rustsecp256k1_v0_1_2_scalar rustsecp256k1_v0_1_2_scalar_one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1); +static const rustsecp256k1_v0_1_2_scalar rustsecp256k1_v0_1_2_scalar_zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); + #ifndef USE_NUM_NONE -static void rustsecp256k1_v0_1_1_scalar_get_num(rustsecp256k1_v0_1_1_num *r, const rustsecp256k1_v0_1_1_scalar *a) { +static void rustsecp256k1_v0_1_2_scalar_get_num(rustsecp256k1_v0_1_2_num *r, const rustsecp256k1_v0_1_2_scalar *a) { unsigned char c[32]; - rustsecp256k1_v0_1_1_scalar_get_b32(c, a); - rustsecp256k1_v0_1_1_num_set_bin(r, c, 32); + rustsecp256k1_v0_1_2_scalar_get_b32(c, a); + rustsecp256k1_v0_1_2_num_set_bin(r, c, 32); } -/** secp256k1 curve order, see rustsecp256k1_v0_1_1_ecdsa_const_order_as_fe in ecdsa_impl.h */ -static void rustsecp256k1_v0_1_1_scalar_order_get_num(rustsecp256k1_v0_1_1_num *r) { +/** secp256k1 curve order, see rustsecp256k1_v0_1_2_ecdsa_const_order_as_fe in ecdsa_impl.h */ +static void rustsecp256k1_v0_1_2_scalar_order_get_num(rustsecp256k1_v0_1_2_num *r) { #if defined(EXHAUSTIVE_TEST_ORDER) static const unsigned char order[32] = { 0,0,0,0,0,0,0,0, @@ -48,11 +51,17 @@ static void rustsecp256k1_v0_1_1_scalar_order_get_num(rustsecp256k1_v0_1_1_num * 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41 }; #endif - rustsecp256k1_v0_1_1_num_set_bin(r, order, 32); + rustsecp256k1_v0_1_2_num_set_bin(r, order, 32); } #endif -static void rustsecp256k1_v0_1_1_scalar_inverse(rustsecp256k1_v0_1_1_scalar *r, const rustsecp256k1_v0_1_1_scalar *x) { +static int rustsecp256k1_v0_1_2_scalar_set_b32_seckey(rustsecp256k1_v0_1_2_scalar *r, const unsigned char *bin) { + int overflow; + rustsecp256k1_v0_1_2_scalar_set_b32(r, bin, &overflow); + return (!overflow) & (!rustsecp256k1_v0_1_2_scalar_is_zero(r)); +} + +static void rustsecp256k1_v0_1_2_scalar_inverse(rustsecp256k1_v0_1_2_scalar *r, const rustsecp256k1_v0_1_2_scalar *x) { #if defined(EXHAUSTIVE_TEST_ORDER) int i; *r = 0; @@ -64,180 +73,180 @@ static void rustsecp256k1_v0_1_1_scalar_inverse(rustsecp256k1_v0_1_1_scalar *r, VERIFY_CHECK(*r != 0); } #else - rustsecp256k1_v0_1_1_scalar *t; + rustsecp256k1_v0_1_2_scalar *t; int i; /* First compute xN as x ^ (2^N - 1) for some values of N, * and uM as x ^ M for some values of M. */ - rustsecp256k1_v0_1_1_scalar x2, x3, x6, x8, x14, x28, x56, x112, x126; - rustsecp256k1_v0_1_1_scalar u2, u5, u9, u11, u13; + rustsecp256k1_v0_1_2_scalar x2, x3, x6, x8, x14, x28, x56, x112, x126; + rustsecp256k1_v0_1_2_scalar u2, u5, u9, u11, u13; - rustsecp256k1_v0_1_1_scalar_sqr(&u2, x); - rustsecp256k1_v0_1_1_scalar_mul(&x2, &u2, x); - rustsecp256k1_v0_1_1_scalar_mul(&u5, &u2, &x2); - rustsecp256k1_v0_1_1_scalar_mul(&x3, &u5, &u2); - rustsecp256k1_v0_1_1_scalar_mul(&u9, &x3, &u2); - rustsecp256k1_v0_1_1_scalar_mul(&u11, &u9, &u2); - rustsecp256k1_v0_1_1_scalar_mul(&u13, &u11, &u2); + rustsecp256k1_v0_1_2_scalar_sqr(&u2, x); + rustsecp256k1_v0_1_2_scalar_mul(&x2, &u2, x); + rustsecp256k1_v0_1_2_scalar_mul(&u5, &u2, &x2); + rustsecp256k1_v0_1_2_scalar_mul(&x3, &u5, &u2); + rustsecp256k1_v0_1_2_scalar_mul(&u9, &x3, &u2); + rustsecp256k1_v0_1_2_scalar_mul(&u11, &u9, &u2); + rustsecp256k1_v0_1_2_scalar_mul(&u13, &u11, &u2); - rustsecp256k1_v0_1_1_scalar_sqr(&x6, &u13); - rustsecp256k1_v0_1_1_scalar_sqr(&x6, &x6); - rustsecp256k1_v0_1_1_scalar_mul(&x6, &x6, &u11); + rustsecp256k1_v0_1_2_scalar_sqr(&x6, &u13); + rustsecp256k1_v0_1_2_scalar_sqr(&x6, &x6); + rustsecp256k1_v0_1_2_scalar_mul(&x6, &x6, &u11); - rustsecp256k1_v0_1_1_scalar_sqr(&x8, &x6); - rustsecp256k1_v0_1_1_scalar_sqr(&x8, &x8); - rustsecp256k1_v0_1_1_scalar_mul(&x8, &x8, &x2); + rustsecp256k1_v0_1_2_scalar_sqr(&x8, &x6); + rustsecp256k1_v0_1_2_scalar_sqr(&x8, &x8); + rustsecp256k1_v0_1_2_scalar_mul(&x8, &x8, &x2); - rustsecp256k1_v0_1_1_scalar_sqr(&x14, &x8); + rustsecp256k1_v0_1_2_scalar_sqr(&x14, &x8); for (i = 0; i < 5; i++) { - rustsecp256k1_v0_1_1_scalar_sqr(&x14, &x14); + rustsecp256k1_v0_1_2_scalar_sqr(&x14, &x14); } - rustsecp256k1_v0_1_1_scalar_mul(&x14, &x14, &x6); + rustsecp256k1_v0_1_2_scalar_mul(&x14, &x14, &x6); - rustsecp256k1_v0_1_1_scalar_sqr(&x28, &x14); + rustsecp256k1_v0_1_2_scalar_sqr(&x28, &x14); for (i = 0; i < 13; i++) { - rustsecp256k1_v0_1_1_scalar_sqr(&x28, &x28); + rustsecp256k1_v0_1_2_scalar_sqr(&x28, &x28); } - rustsecp256k1_v0_1_1_scalar_mul(&x28, &x28, &x14); + rustsecp256k1_v0_1_2_scalar_mul(&x28, &x28, &x14); - rustsecp256k1_v0_1_1_scalar_sqr(&x56, &x28); + rustsecp256k1_v0_1_2_scalar_sqr(&x56, &x28); for (i = 0; i < 27; i++) { - rustsecp256k1_v0_1_1_scalar_sqr(&x56, &x56); + rustsecp256k1_v0_1_2_scalar_sqr(&x56, &x56); } - rustsecp256k1_v0_1_1_scalar_mul(&x56, &x56, &x28); + rustsecp256k1_v0_1_2_scalar_mul(&x56, &x56, &x28); - rustsecp256k1_v0_1_1_scalar_sqr(&x112, &x56); + rustsecp256k1_v0_1_2_scalar_sqr(&x112, &x56); for (i = 0; i < 55; i++) { - rustsecp256k1_v0_1_1_scalar_sqr(&x112, &x112); + rustsecp256k1_v0_1_2_scalar_sqr(&x112, &x112); } - rustsecp256k1_v0_1_1_scalar_mul(&x112, &x112, &x56); + rustsecp256k1_v0_1_2_scalar_mul(&x112, &x112, &x56); - rustsecp256k1_v0_1_1_scalar_sqr(&x126, &x112); + rustsecp256k1_v0_1_2_scalar_sqr(&x126, &x112); for (i = 0; i < 13; i++) { - rustsecp256k1_v0_1_1_scalar_sqr(&x126, &x126); + rustsecp256k1_v0_1_2_scalar_sqr(&x126, &x126); } - rustsecp256k1_v0_1_1_scalar_mul(&x126, &x126, &x14); + rustsecp256k1_v0_1_2_scalar_mul(&x126, &x126, &x14); /* Then accumulate the final result (t starts at x126). */ t = &x126; for (i = 0; i < 3; i++) { - rustsecp256k1_v0_1_1_scalar_sqr(t, t); + rustsecp256k1_v0_1_2_scalar_sqr(t, t); } - rustsecp256k1_v0_1_1_scalar_mul(t, t, &u5); /* 101 */ + rustsecp256k1_v0_1_2_scalar_mul(t, t, &u5); /* 101 */ for (i = 0; i < 4; i++) { /* 0 */ - rustsecp256k1_v0_1_1_scalar_sqr(t, t); + rustsecp256k1_v0_1_2_scalar_sqr(t, t); } - rustsecp256k1_v0_1_1_scalar_mul(t, t, &x3); /* 111 */ + rustsecp256k1_v0_1_2_scalar_mul(t, t, &x3); /* 111 */ for (i = 0; i < 4; i++) { /* 0 */ - rustsecp256k1_v0_1_1_scalar_sqr(t, t); + rustsecp256k1_v0_1_2_scalar_sqr(t, t); } - rustsecp256k1_v0_1_1_scalar_mul(t, t, &u5); /* 101 */ + rustsecp256k1_v0_1_2_scalar_mul(t, t, &u5); /* 101 */ for (i = 0; i < 5; i++) { /* 0 */ - rustsecp256k1_v0_1_1_scalar_sqr(t, t); + rustsecp256k1_v0_1_2_scalar_sqr(t, t); } - rustsecp256k1_v0_1_1_scalar_mul(t, t, &u11); /* 1011 */ + rustsecp256k1_v0_1_2_scalar_mul(t, t, &u11); /* 1011 */ for (i = 0; i < 4; i++) { - rustsecp256k1_v0_1_1_scalar_sqr(t, t); + rustsecp256k1_v0_1_2_scalar_sqr(t, t); } - rustsecp256k1_v0_1_1_scalar_mul(t, t, &u11); /* 1011 */ + rustsecp256k1_v0_1_2_scalar_mul(t, t, &u11); /* 1011 */ for (i = 0; i < 4; i++) { /* 0 */ - rustsecp256k1_v0_1_1_scalar_sqr(t, t); + rustsecp256k1_v0_1_2_scalar_sqr(t, t); } - rustsecp256k1_v0_1_1_scalar_mul(t, t, &x3); /* 111 */ + rustsecp256k1_v0_1_2_scalar_mul(t, t, &x3); /* 111 */ for (i = 0; i < 5; i++) { /* 00 */ - rustsecp256k1_v0_1_1_scalar_sqr(t, t); + rustsecp256k1_v0_1_2_scalar_sqr(t, t); } - rustsecp256k1_v0_1_1_scalar_mul(t, t, &x3); /* 111 */ + rustsecp256k1_v0_1_2_scalar_mul(t, t, &x3); /* 111 */ for (i = 0; i < 6; i++) { /* 00 */ - rustsecp256k1_v0_1_1_scalar_sqr(t, t); + rustsecp256k1_v0_1_2_scalar_sqr(t, t); } - rustsecp256k1_v0_1_1_scalar_mul(t, t, &u13); /* 1101 */ + rustsecp256k1_v0_1_2_scalar_mul(t, t, &u13); /* 1101 */ for (i = 0; i < 4; i++) { /* 0 */ - rustsecp256k1_v0_1_1_scalar_sqr(t, t); + rustsecp256k1_v0_1_2_scalar_sqr(t, t); } - rustsecp256k1_v0_1_1_scalar_mul(t, t, &u5); /* 101 */ + rustsecp256k1_v0_1_2_scalar_mul(t, t, &u5); /* 101 */ for (i = 0; i < 3; i++) { - rustsecp256k1_v0_1_1_scalar_sqr(t, t); + rustsecp256k1_v0_1_2_scalar_sqr(t, t); } - rustsecp256k1_v0_1_1_scalar_mul(t, t, &x3); /* 111 */ + rustsecp256k1_v0_1_2_scalar_mul(t, t, &x3); /* 111 */ for (i = 0; i < 5; i++) { /* 0 */ - rustsecp256k1_v0_1_1_scalar_sqr(t, t); + rustsecp256k1_v0_1_2_scalar_sqr(t, t); } - rustsecp256k1_v0_1_1_scalar_mul(t, t, &u9); /* 1001 */ + rustsecp256k1_v0_1_2_scalar_mul(t, t, &u9); /* 1001 */ for (i = 0; i < 6; i++) { /* 000 */ - rustsecp256k1_v0_1_1_scalar_sqr(t, t); + rustsecp256k1_v0_1_2_scalar_sqr(t, t); } - rustsecp256k1_v0_1_1_scalar_mul(t, t, &u5); /* 101 */ + rustsecp256k1_v0_1_2_scalar_mul(t, t, &u5); /* 101 */ for (i = 0; i < 10; i++) { /* 0000000 */ - rustsecp256k1_v0_1_1_scalar_sqr(t, t); + rustsecp256k1_v0_1_2_scalar_sqr(t, t); } - rustsecp256k1_v0_1_1_scalar_mul(t, t, &x3); /* 111 */ + rustsecp256k1_v0_1_2_scalar_mul(t, t, &x3); /* 111 */ for (i = 0; i < 4; i++) { /* 0 */ - rustsecp256k1_v0_1_1_scalar_sqr(t, t); + rustsecp256k1_v0_1_2_scalar_sqr(t, t); } - rustsecp256k1_v0_1_1_scalar_mul(t, t, &x3); /* 111 */ + rustsecp256k1_v0_1_2_scalar_mul(t, t, &x3); /* 111 */ for (i = 0; i < 9; i++) { /* 0 */ - rustsecp256k1_v0_1_1_scalar_sqr(t, t); + rustsecp256k1_v0_1_2_scalar_sqr(t, t); } - rustsecp256k1_v0_1_1_scalar_mul(t, t, &x8); /* 11111111 */ + rustsecp256k1_v0_1_2_scalar_mul(t, t, &x8); /* 11111111 */ for (i = 0; i < 5; i++) { /* 0 */ - rustsecp256k1_v0_1_1_scalar_sqr(t, t); + rustsecp256k1_v0_1_2_scalar_sqr(t, t); } - rustsecp256k1_v0_1_1_scalar_mul(t, t, &u9); /* 1001 */ + rustsecp256k1_v0_1_2_scalar_mul(t, t, &u9); /* 1001 */ for (i = 0; i < 6; i++) { /* 00 */ - rustsecp256k1_v0_1_1_scalar_sqr(t, t); + rustsecp256k1_v0_1_2_scalar_sqr(t, t); } - rustsecp256k1_v0_1_1_scalar_mul(t, t, &u11); /* 1011 */ + rustsecp256k1_v0_1_2_scalar_mul(t, t, &u11); /* 1011 */ for (i = 0; i < 4; i++) { - rustsecp256k1_v0_1_1_scalar_sqr(t, t); + rustsecp256k1_v0_1_2_scalar_sqr(t, t); } - rustsecp256k1_v0_1_1_scalar_mul(t, t, &u13); /* 1101 */ + rustsecp256k1_v0_1_2_scalar_mul(t, t, &u13); /* 1101 */ for (i = 0; i < 5; i++) { - rustsecp256k1_v0_1_1_scalar_sqr(t, t); + rustsecp256k1_v0_1_2_scalar_sqr(t, t); } - rustsecp256k1_v0_1_1_scalar_mul(t, t, &x2); /* 11 */ + rustsecp256k1_v0_1_2_scalar_mul(t, t, &x2); /* 11 */ for (i = 0; i < 6; i++) { /* 00 */ - rustsecp256k1_v0_1_1_scalar_sqr(t, t); + rustsecp256k1_v0_1_2_scalar_sqr(t, t); } - rustsecp256k1_v0_1_1_scalar_mul(t, t, &u13); /* 1101 */ + rustsecp256k1_v0_1_2_scalar_mul(t, t, &u13); /* 1101 */ for (i = 0; i < 10; i++) { /* 000000 */ - rustsecp256k1_v0_1_1_scalar_sqr(t, t); + rustsecp256k1_v0_1_2_scalar_sqr(t, t); } - rustsecp256k1_v0_1_1_scalar_mul(t, t, &u13); /* 1101 */ + rustsecp256k1_v0_1_2_scalar_mul(t, t, &u13); /* 1101 */ for (i = 0; i < 4; i++) { - rustsecp256k1_v0_1_1_scalar_sqr(t, t); + rustsecp256k1_v0_1_2_scalar_sqr(t, t); } - rustsecp256k1_v0_1_1_scalar_mul(t, t, &u9); /* 1001 */ + rustsecp256k1_v0_1_2_scalar_mul(t, t, &u9); /* 1001 */ for (i = 0; i < 6; i++) { /* 00000 */ - rustsecp256k1_v0_1_1_scalar_sqr(t, t); + rustsecp256k1_v0_1_2_scalar_sqr(t, t); } - rustsecp256k1_v0_1_1_scalar_mul(t, t, x); /* 1 */ + rustsecp256k1_v0_1_2_scalar_mul(t, t, x); /* 1 */ for (i = 0; i < 8; i++) { /* 00 */ - rustsecp256k1_v0_1_1_scalar_sqr(t, t); + rustsecp256k1_v0_1_2_scalar_sqr(t, t); } - rustsecp256k1_v0_1_1_scalar_mul(r, t, &x6); /* 111111 */ + rustsecp256k1_v0_1_2_scalar_mul(r, t, &x6); /* 111111 */ } -SECP256K1_INLINE static int rustsecp256k1_v0_1_1_scalar_is_even(const rustsecp256k1_v0_1_1_scalar *a) { +SECP256K1_INLINE static int rustsecp256k1_v0_1_2_scalar_is_even(const rustsecp256k1_v0_1_2_scalar *a) { return !(a->d[0] & 1); } #endif -static void rustsecp256k1_v0_1_1_scalar_inverse_var(rustsecp256k1_v0_1_1_scalar *r, const rustsecp256k1_v0_1_1_scalar *x) { +static void rustsecp256k1_v0_1_2_scalar_inverse_var(rustsecp256k1_v0_1_2_scalar *r, const rustsecp256k1_v0_1_2_scalar *x) { #if defined(USE_SCALAR_INV_BUILTIN) - rustsecp256k1_v0_1_1_scalar_inverse(r, x); + rustsecp256k1_v0_1_2_scalar_inverse(r, x); #elif defined(USE_SCALAR_INV_NUM) unsigned char b[32]; - rustsecp256k1_v0_1_1_num n, m; - rustsecp256k1_v0_1_1_scalar t = *x; - rustsecp256k1_v0_1_1_scalar_get_b32(b, &t); - rustsecp256k1_v0_1_1_num_set_bin(&n, b, 32); - rustsecp256k1_v0_1_1_scalar_order_get_num(&m); - rustsecp256k1_v0_1_1_num_mod_inverse(&n, &n, &m); - rustsecp256k1_v0_1_1_num_get_bin(b, 32, &n); - rustsecp256k1_v0_1_1_scalar_set_b32(r, b, NULL); + rustsecp256k1_v0_1_2_num n, m; + rustsecp256k1_v0_1_2_scalar t = *x; + rustsecp256k1_v0_1_2_scalar_get_b32(b, &t); + rustsecp256k1_v0_1_2_num_set_bin(&n, b, 32); + rustsecp256k1_v0_1_2_scalar_order_get_num(&m); + rustsecp256k1_v0_1_2_num_mod_inverse(&n, &n, &m); + rustsecp256k1_v0_1_2_num_get_bin(b, 32, &n); + rustsecp256k1_v0_1_2_scalar_set_b32(r, b, NULL); /* Verify that the inverse was computed correctly, without GMP code. */ - rustsecp256k1_v0_1_1_scalar_mul(&t, &t, r); - CHECK(rustsecp256k1_v0_1_1_scalar_is_one(&t)); + rustsecp256k1_v0_1_2_scalar_mul(&t, &t, r); + CHECK(rustsecp256k1_v0_1_2_scalar_is_one(&t)); #else #error "Please select scalar inverse implementation" #endif @@ -251,7 +260,7 @@ static void rustsecp256k1_v0_1_1_scalar_inverse_var(rustsecp256k1_v0_1_1_scalar * nontrivial to get full test coverage for the exhaustive tests. We therefore * (arbitrarily) set k2 = k + 5 and k1 = k - k2 * lambda. */ -static void rustsecp256k1_v0_1_1_scalar_split_lambda(rustsecp256k1_v0_1_1_scalar *r1, rustsecp256k1_v0_1_1_scalar *r2, const rustsecp256k1_v0_1_1_scalar *a) { +static void rustsecp256k1_v0_1_2_scalar_split_lambda(rustsecp256k1_v0_1_2_scalar *r1, rustsecp256k1_v0_1_2_scalar *r2, const rustsecp256k1_v0_1_2_scalar *a) { *r2 = (*a + 5) % EXHAUSTIVE_TEST_ORDER; *r1 = (*a + (EXHAUSTIVE_TEST_ORDER - *r2) * EXHAUSTIVE_TEST_LAMBDA) % EXHAUSTIVE_TEST_ORDER; } @@ -294,38 +303,38 @@ static void rustsecp256k1_v0_1_1_scalar_split_lambda(rustsecp256k1_v0_1_1_scalar * The function below splits a in r1 and r2, such that r1 + lambda * r2 == a (mod order). */ -static void rustsecp256k1_v0_1_1_scalar_split_lambda(rustsecp256k1_v0_1_1_scalar *r1, rustsecp256k1_v0_1_1_scalar *r2, const rustsecp256k1_v0_1_1_scalar *a) { - rustsecp256k1_v0_1_1_scalar c1, c2; - static const rustsecp256k1_v0_1_1_scalar minus_lambda = SECP256K1_SCALAR_CONST( +static void rustsecp256k1_v0_1_2_scalar_split_lambda(rustsecp256k1_v0_1_2_scalar *r1, rustsecp256k1_v0_1_2_scalar *r2, const rustsecp256k1_v0_1_2_scalar *a) { + rustsecp256k1_v0_1_2_scalar c1, c2; + static const rustsecp256k1_v0_1_2_scalar minus_lambda = SECP256K1_SCALAR_CONST( 0xAC9C52B3UL, 0x3FA3CF1FUL, 0x5AD9E3FDUL, 0x77ED9BA4UL, 0xA880B9FCUL, 0x8EC739C2UL, 0xE0CFC810UL, 0xB51283CFUL ); - static const rustsecp256k1_v0_1_1_scalar minus_b1 = SECP256K1_SCALAR_CONST( + static const rustsecp256k1_v0_1_2_scalar minus_b1 = SECP256K1_SCALAR_CONST( 0x00000000UL, 0x00000000UL, 0x00000000UL, 0x00000000UL, 0xE4437ED6UL, 0x010E8828UL, 0x6F547FA9UL, 0x0ABFE4C3UL ); - static const rustsecp256k1_v0_1_1_scalar minus_b2 = SECP256K1_SCALAR_CONST( + static const rustsecp256k1_v0_1_2_scalar minus_b2 = SECP256K1_SCALAR_CONST( 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL, 0x8A280AC5UL, 0x0774346DUL, 0xD765CDA8UL, 0x3DB1562CUL ); - static const rustsecp256k1_v0_1_1_scalar g1 = SECP256K1_SCALAR_CONST( + static const rustsecp256k1_v0_1_2_scalar g1 = SECP256K1_SCALAR_CONST( 0x00000000UL, 0x00000000UL, 0x00000000UL, 0x00003086UL, 0xD221A7D4UL, 0x6BCDE86CUL, 0x90E49284UL, 0xEB153DABUL ); - static const rustsecp256k1_v0_1_1_scalar g2 = SECP256K1_SCALAR_CONST( + static const rustsecp256k1_v0_1_2_scalar g2 = SECP256K1_SCALAR_CONST( 0x00000000UL, 0x00000000UL, 0x00000000UL, 0x0000E443UL, 0x7ED6010EUL, 0x88286F54UL, 0x7FA90ABFUL, 0xE4C42212UL ); VERIFY_CHECK(r1 != a); VERIFY_CHECK(r2 != a); /* these _var calls are constant time since the shift amount is constant */ - rustsecp256k1_v0_1_1_scalar_mul_shift_var(&c1, a, &g1, 272); - rustsecp256k1_v0_1_1_scalar_mul_shift_var(&c2, a, &g2, 272); - rustsecp256k1_v0_1_1_scalar_mul(&c1, &c1, &minus_b1); - rustsecp256k1_v0_1_1_scalar_mul(&c2, &c2, &minus_b2); - rustsecp256k1_v0_1_1_scalar_add(r2, &c1, &c2); - rustsecp256k1_v0_1_1_scalar_mul(r1, r2, &minus_lambda); - rustsecp256k1_v0_1_1_scalar_add(r1, r1, a); + rustsecp256k1_v0_1_2_scalar_mul_shift_var(&c1, a, &g1, 272); + rustsecp256k1_v0_1_2_scalar_mul_shift_var(&c2, a, &g2, 272); + rustsecp256k1_v0_1_2_scalar_mul(&c1, &c1, &minus_b1); + rustsecp256k1_v0_1_2_scalar_mul(&c2, &c2, &minus_b2); + rustsecp256k1_v0_1_2_scalar_add(r2, &c1, &c2); + rustsecp256k1_v0_1_2_scalar_mul(r1, r2, &minus_lambda); + rustsecp256k1_v0_1_2_scalar_add(r1, r1, a); } #endif #endif diff --git a/secp256k1-sys/depend/secp256k1/src/scalar_low.h b/secp256k1-sys/depend/secp256k1/src/scalar_low.h index fef7696d1..3a3eee75a 100644 --- a/secp256k1-sys/depend/secp256k1/src/scalar_low.h +++ b/secp256k1-sys/depend/secp256k1/src/scalar_low.h @@ -10,6 +10,8 @@ #include /** A scalar modulo the group order of the secp256k1 curve. */ -typedef uint32_t rustsecp256k1_v0_1_1_scalar; +typedef uint32_t rustsecp256k1_v0_1_2_scalar; + +#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0) (d0) #endif /* SECP256K1_SCALAR_REPR_H */ diff --git a/secp256k1-sys/depend/secp256k1/src/scalar_low_impl.h b/secp256k1-sys/depend/secp256k1/src/scalar_low_impl.h index de0fe194c..842ad9cae 100644 --- a/secp256k1-sys/depend/secp256k1/src/scalar_low_impl.h +++ b/secp256k1-sys/depend/secp256k1/src/scalar_low_impl.h @@ -11,40 +11,43 @@ #include -SECP256K1_INLINE static int rustsecp256k1_v0_1_1_scalar_is_even(const rustsecp256k1_v0_1_1_scalar *a) { +SECP256K1_INLINE static int rustsecp256k1_v0_1_2_scalar_is_even(const rustsecp256k1_v0_1_2_scalar *a) { return !(*a & 1); } -SECP256K1_INLINE static void rustsecp256k1_v0_1_1_scalar_clear(rustsecp256k1_v0_1_1_scalar *r) { *r = 0; } -SECP256K1_INLINE static void rustsecp256k1_v0_1_1_scalar_set_int(rustsecp256k1_v0_1_1_scalar *r, unsigned int v) { *r = v; } +SECP256K1_INLINE static void rustsecp256k1_v0_1_2_scalar_clear(rustsecp256k1_v0_1_2_scalar *r) { *r = 0; } +SECP256K1_INLINE static void rustsecp256k1_v0_1_2_scalar_set_int(rustsecp256k1_v0_1_2_scalar *r, unsigned int v) { *r = v; } -SECP256K1_INLINE static unsigned int rustsecp256k1_v0_1_1_scalar_get_bits(const rustsecp256k1_v0_1_1_scalar *a, unsigned int offset, unsigned int count) { +SECP256K1_INLINE static unsigned int rustsecp256k1_v0_1_2_scalar_get_bits(const rustsecp256k1_v0_1_2_scalar *a, unsigned int offset, unsigned int count) { if (offset < 32) return ((*a >> offset) & ((((uint32_t)1) << count) - 1)); else return 0; } -SECP256K1_INLINE static unsigned int rustsecp256k1_v0_1_1_scalar_get_bits_var(const rustsecp256k1_v0_1_1_scalar *a, unsigned int offset, unsigned int count) { - return rustsecp256k1_v0_1_1_scalar_get_bits(a, offset, count); +SECP256K1_INLINE static unsigned int rustsecp256k1_v0_1_2_scalar_get_bits_var(const rustsecp256k1_v0_1_2_scalar *a, unsigned int offset, unsigned int count) { + return rustsecp256k1_v0_1_2_scalar_get_bits(a, offset, count); } -SECP256K1_INLINE static int rustsecp256k1_v0_1_1_scalar_check_overflow(const rustsecp256k1_v0_1_1_scalar *a) { return *a >= EXHAUSTIVE_TEST_ORDER; } +SECP256K1_INLINE static int rustsecp256k1_v0_1_2_scalar_check_overflow(const rustsecp256k1_v0_1_2_scalar *a) { return *a >= EXHAUSTIVE_TEST_ORDER; } -static int rustsecp256k1_v0_1_1_scalar_add(rustsecp256k1_v0_1_1_scalar *r, const rustsecp256k1_v0_1_1_scalar *a, const rustsecp256k1_v0_1_1_scalar *b) { +static int rustsecp256k1_v0_1_2_scalar_add(rustsecp256k1_v0_1_2_scalar *r, const rustsecp256k1_v0_1_2_scalar *a, const rustsecp256k1_v0_1_2_scalar *b) { *r = (*a + *b) % EXHAUSTIVE_TEST_ORDER; return *r < *b; } -static void rustsecp256k1_v0_1_1_scalar_cadd_bit(rustsecp256k1_v0_1_1_scalar *r, unsigned int bit, int flag) { +static void rustsecp256k1_v0_1_2_scalar_cadd_bit(rustsecp256k1_v0_1_2_scalar *r, unsigned int bit, int flag) { if (flag && bit < 32) - *r += (1 << bit); + *r += ((uint32_t)1 << bit); #ifdef VERIFY - VERIFY_CHECK(rustsecp256k1_v0_1_1_scalar_check_overflow(r) == 0); + VERIFY_CHECK(bit < 32); + /* Verify that adding (1 << bit) will not overflow any in-range scalar *r by overflowing the underlying uint32_t. */ + VERIFY_CHECK(((uint32_t)1 << bit) - 1 <= UINT32_MAX - EXHAUSTIVE_TEST_ORDER); + VERIFY_CHECK(rustsecp256k1_v0_1_2_scalar_check_overflow(r) == 0); #endif } -static void rustsecp256k1_v0_1_1_scalar_set_b32(rustsecp256k1_v0_1_1_scalar *r, const unsigned char *b32, int *overflow) { +static void rustsecp256k1_v0_1_2_scalar_set_b32(rustsecp256k1_v0_1_2_scalar *r, const unsigned char *b32, int *overflow) { const int base = 0x100 % EXHAUSTIVE_TEST_ORDER; int i; *r = 0; @@ -55,16 +58,16 @@ static void rustsecp256k1_v0_1_1_scalar_set_b32(rustsecp256k1_v0_1_1_scalar *r, if (overflow) *overflow = 0; } -static void rustsecp256k1_v0_1_1_scalar_get_b32(unsigned char *bin, const rustsecp256k1_v0_1_1_scalar* a) { +static void rustsecp256k1_v0_1_2_scalar_get_b32(unsigned char *bin, const rustsecp256k1_v0_1_2_scalar* a) { memset(bin, 0, 32); bin[28] = *a >> 24; bin[29] = *a >> 16; bin[30] = *a >> 8; bin[31] = *a; } -SECP256K1_INLINE static int rustsecp256k1_v0_1_1_scalar_is_zero(const rustsecp256k1_v0_1_1_scalar *a) { +SECP256K1_INLINE static int rustsecp256k1_v0_1_2_scalar_is_zero(const rustsecp256k1_v0_1_2_scalar *a) { return *a == 0; } -static void rustsecp256k1_v0_1_1_scalar_negate(rustsecp256k1_v0_1_1_scalar *r, const rustsecp256k1_v0_1_1_scalar *a) { +static void rustsecp256k1_v0_1_2_scalar_negate(rustsecp256k1_v0_1_2_scalar *r, const rustsecp256k1_v0_1_2_scalar *a) { if (*a == 0) { *r = 0; } else { @@ -72,24 +75,24 @@ static void rustsecp256k1_v0_1_1_scalar_negate(rustsecp256k1_v0_1_1_scalar *r, c } } -SECP256K1_INLINE static int rustsecp256k1_v0_1_1_scalar_is_one(const rustsecp256k1_v0_1_1_scalar *a) { +SECP256K1_INLINE static int rustsecp256k1_v0_1_2_scalar_is_one(const rustsecp256k1_v0_1_2_scalar *a) { return *a == 1; } -static int rustsecp256k1_v0_1_1_scalar_is_high(const rustsecp256k1_v0_1_1_scalar *a) { +static int rustsecp256k1_v0_1_2_scalar_is_high(const rustsecp256k1_v0_1_2_scalar *a) { return *a > EXHAUSTIVE_TEST_ORDER / 2; } -static int rustsecp256k1_v0_1_1_scalar_cond_negate(rustsecp256k1_v0_1_1_scalar *r, int flag) { - if (flag) rustsecp256k1_v0_1_1_scalar_negate(r, r); +static int rustsecp256k1_v0_1_2_scalar_cond_negate(rustsecp256k1_v0_1_2_scalar *r, int flag) { + if (flag) rustsecp256k1_v0_1_2_scalar_negate(r, r); return flag ? -1 : 1; } -static void rustsecp256k1_v0_1_1_scalar_mul(rustsecp256k1_v0_1_1_scalar *r, const rustsecp256k1_v0_1_1_scalar *a, const rustsecp256k1_v0_1_1_scalar *b) { +static void rustsecp256k1_v0_1_2_scalar_mul(rustsecp256k1_v0_1_2_scalar *r, const rustsecp256k1_v0_1_2_scalar *a, const rustsecp256k1_v0_1_2_scalar *b) { *r = (*a * *b) % EXHAUSTIVE_TEST_ORDER; } -static int rustsecp256k1_v0_1_1_scalar_shr_int(rustsecp256k1_v0_1_1_scalar *r, int n) { +static int rustsecp256k1_v0_1_2_scalar_shr_int(rustsecp256k1_v0_1_2_scalar *r, int n) { int ret; VERIFY_CHECK(n > 0); VERIFY_CHECK(n < 16); @@ -98,17 +101,24 @@ static int rustsecp256k1_v0_1_1_scalar_shr_int(rustsecp256k1_v0_1_1_scalar *r, i return ret; } -static void rustsecp256k1_v0_1_1_scalar_sqr(rustsecp256k1_v0_1_1_scalar *r, const rustsecp256k1_v0_1_1_scalar *a) { +static void rustsecp256k1_v0_1_2_scalar_sqr(rustsecp256k1_v0_1_2_scalar *r, const rustsecp256k1_v0_1_2_scalar *a) { *r = (*a * *a) % EXHAUSTIVE_TEST_ORDER; } -static void rustsecp256k1_v0_1_1_scalar_split_128(rustsecp256k1_v0_1_1_scalar *r1, rustsecp256k1_v0_1_1_scalar *r2, const rustsecp256k1_v0_1_1_scalar *a) { +static void rustsecp256k1_v0_1_2_scalar_split_128(rustsecp256k1_v0_1_2_scalar *r1, rustsecp256k1_v0_1_2_scalar *r2, const rustsecp256k1_v0_1_2_scalar *a) { *r1 = *a; *r2 = 0; } -SECP256K1_INLINE static int rustsecp256k1_v0_1_1_scalar_eq(const rustsecp256k1_v0_1_1_scalar *a, const rustsecp256k1_v0_1_1_scalar *b) { +SECP256K1_INLINE static int rustsecp256k1_v0_1_2_scalar_eq(const rustsecp256k1_v0_1_2_scalar *a, const rustsecp256k1_v0_1_2_scalar *b) { return *a == *b; } +static SECP256K1_INLINE void rustsecp256k1_v0_1_2_scalar_cmov(rustsecp256k1_v0_1_2_scalar *r, const rustsecp256k1_v0_1_2_scalar *a, int flag) { + uint32_t mask0, mask1; + mask0 = flag + ~((uint32_t)0); + mask1 = ~mask0; + *r = (*r & mask0) | (*a & mask1); +} + #endif /* SECP256K1_SCALAR_REPR_IMPL_H */ diff --git a/secp256k1-sys/depend/secp256k1/src/scratch.h b/secp256k1-sys/depend/secp256k1/src/scratch.h index 2daa50918..ea76de4e2 100644 --- a/secp256k1-sys/depend/secp256k1/src/scratch.h +++ b/secp256k1-sys/depend/secp256k1/src/scratch.h @@ -9,7 +9,7 @@ /* The typedef is used internally; the struct name is used in the public API * (where it is exposed as a different typedef) */ -typedef struct rustsecp256k1_v0_1_1_scratch_space_struct { +typedef struct rustsecp256k1_v0_1_2_scratch_space_struct { /** guard against interpreting this object as other types */ unsigned char magic[8]; /** actual allocated data */ @@ -19,24 +19,24 @@ typedef struct rustsecp256k1_v0_1_1_scratch_space_struct { size_t alloc_size; /** maximum size available to allocate */ size_t max_size; -} rustsecp256k1_v0_1_1_scratch; +} rustsecp256k1_v0_1_2_scratch; -static rustsecp256k1_v0_1_1_scratch* rustsecp256k1_v0_1_1_scratch_create(const rustsecp256k1_v0_1_1_callback* error_callback, size_t max_size); +static rustsecp256k1_v0_1_2_scratch* rustsecp256k1_v0_1_2_scratch_create(const rustsecp256k1_v0_1_2_callback* error_callback, size_t max_size); -static void rustsecp256k1_v0_1_1_scratch_destroy(const rustsecp256k1_v0_1_1_callback* error_callback, rustsecp256k1_v0_1_1_scratch* scratch); +static void rustsecp256k1_v0_1_2_scratch_destroy(const rustsecp256k1_v0_1_2_callback* error_callback, rustsecp256k1_v0_1_2_scratch* scratch); /** Returns an opaque object used to "checkpoint" a scratch space. Used - * with `rustsecp256k1_v0_1_1_scratch_apply_checkpoint` to undo allocations. */ -static size_t rustsecp256k1_v0_1_1_scratch_checkpoint(const rustsecp256k1_v0_1_1_callback* error_callback, const rustsecp256k1_v0_1_1_scratch* scratch); + * with `rustsecp256k1_v0_1_2_scratch_apply_checkpoint` to undo allocations. */ +static size_t rustsecp256k1_v0_1_2_scratch_checkpoint(const rustsecp256k1_v0_1_2_callback* error_callback, const rustsecp256k1_v0_1_2_scratch* scratch); -/** Applies a check point received from `rustsecp256k1_v0_1_1_scratch_checkpoint`, +/** Applies a check point received from `rustsecp256k1_v0_1_2_scratch_checkpoint`, * undoing all allocations since that point. */ -static void rustsecp256k1_v0_1_1_scratch_apply_checkpoint(const rustsecp256k1_v0_1_1_callback* error_callback, rustsecp256k1_v0_1_1_scratch* scratch, size_t checkpoint); +static void rustsecp256k1_v0_1_2_scratch_apply_checkpoint(const rustsecp256k1_v0_1_2_callback* error_callback, rustsecp256k1_v0_1_2_scratch* scratch, size_t checkpoint); /** Returns the maximum allocation the scratch space will allow */ -static size_t rustsecp256k1_v0_1_1_scratch_max_allocation(const rustsecp256k1_v0_1_1_callback* error_callback, const rustsecp256k1_v0_1_1_scratch* scratch, size_t n_objects); +static size_t rustsecp256k1_v0_1_2_scratch_max_allocation(const rustsecp256k1_v0_1_2_callback* error_callback, const rustsecp256k1_v0_1_2_scratch* scratch, size_t n_objects); /** Returns a pointer into the most recently allocated frame, or NULL if there is insufficient available space */ -static void *rustsecp256k1_v0_1_1_scratch_alloc(const rustsecp256k1_v0_1_1_callback* error_callback, rustsecp256k1_v0_1_1_scratch* scratch, size_t n); +static void *rustsecp256k1_v0_1_2_scratch_alloc(const rustsecp256k1_v0_1_2_callback* error_callback, rustsecp256k1_v0_1_2_scratch* scratch, size_t n); #endif diff --git a/secp256k1-sys/depend/secp256k1/src/scratch_impl.h b/secp256k1-sys/depend/secp256k1/src/scratch_impl.h index d193804c0..9b736800c 100644 --- a/secp256k1-sys/depend/secp256k1/src/scratch_impl.h +++ b/secp256k1-sys/depend/secp256k1/src/scratch_impl.h @@ -10,29 +10,29 @@ #include "util.h" #include "scratch.h" -static size_t rustsecp256k1_v0_1_1_scratch_checkpoint(const rustsecp256k1_v0_1_1_callback* error_callback, const rustsecp256k1_v0_1_1_scratch* scratch) { +static size_t rustsecp256k1_v0_1_2_scratch_checkpoint(const rustsecp256k1_v0_1_2_callback* error_callback, const rustsecp256k1_v0_1_2_scratch* scratch) { if (memcmp(scratch->magic, "scratch", 8) != 0) { - rustsecp256k1_v0_1_1_callback_call(error_callback, "invalid scratch space"); + rustsecp256k1_v0_1_2_callback_call(error_callback, "invalid scratch space"); return 0; } return scratch->alloc_size; } -static void rustsecp256k1_v0_1_1_scratch_apply_checkpoint(const rustsecp256k1_v0_1_1_callback* error_callback, rustsecp256k1_v0_1_1_scratch* scratch, size_t checkpoint) { +static void rustsecp256k1_v0_1_2_scratch_apply_checkpoint(const rustsecp256k1_v0_1_2_callback* error_callback, rustsecp256k1_v0_1_2_scratch* scratch, size_t checkpoint) { if (memcmp(scratch->magic, "scratch", 8) != 0) { - rustsecp256k1_v0_1_1_callback_call(error_callback, "invalid scratch space"); + rustsecp256k1_v0_1_2_callback_call(error_callback, "invalid scratch space"); return; } if (checkpoint > scratch->alloc_size) { - rustsecp256k1_v0_1_1_callback_call(error_callback, "invalid checkpoint"); + rustsecp256k1_v0_1_2_callback_call(error_callback, "invalid checkpoint"); return; } scratch->alloc_size = checkpoint; } -static size_t rustsecp256k1_v0_1_1_scratch_max_allocation(const rustsecp256k1_v0_1_1_callback* error_callback, const rustsecp256k1_v0_1_1_scratch* scratch, size_t objects) { +static size_t rustsecp256k1_v0_1_2_scratch_max_allocation(const rustsecp256k1_v0_1_2_callback* error_callback, const rustsecp256k1_v0_1_2_scratch* scratch, size_t objects) { if (memcmp(scratch->magic, "scratch", 8) != 0) { - rustsecp256k1_v0_1_1_callback_call(error_callback, "invalid scratch space"); + rustsecp256k1_v0_1_2_callback_call(error_callback, "invalid scratch space"); return 0; } if (scratch->max_size - scratch->alloc_size <= objects * (ALIGNMENT - 1)) { @@ -41,12 +41,12 @@ static size_t rustsecp256k1_v0_1_1_scratch_max_allocation(const rustsecp256k1_v0 return scratch->max_size - scratch->alloc_size - objects * (ALIGNMENT - 1); } -static void *rustsecp256k1_v0_1_1_scratch_alloc(const rustsecp256k1_v0_1_1_callback* error_callback, rustsecp256k1_v0_1_1_scratch* scratch, size_t size) { +static void *rustsecp256k1_v0_1_2_scratch_alloc(const rustsecp256k1_v0_1_2_callback* error_callback, rustsecp256k1_v0_1_2_scratch* scratch, size_t size) { void *ret; size = ROUND_TO_ALIGN(size); if (memcmp(scratch->magic, "scratch", 8) != 0) { - rustsecp256k1_v0_1_1_callback_call(error_callback, "invalid scratch space"); + rustsecp256k1_v0_1_2_callback_call(error_callback, "invalid scratch space"); return NULL; } diff --git a/secp256k1-sys/depend/secp256k1/src/secp256k1.c b/secp256k1-sys/depend/secp256k1/src/secp256k1.c index ab76e0561..e31dbf340 100644 --- a/secp256k1-sys/depend/secp256k1/src/secp256k1.c +++ b/secp256k1-sys/depend/secp256k1/src/secp256k1.c @@ -20,67 +20,73 @@ #include "hash_impl.h" #include "scratch_impl.h" +#if defined(VALGRIND) +# include +#endif + #define ARG_CHECK(cond) do { \ if (EXPECT(!(cond), 0)) { \ - rustsecp256k1_v0_1_1_callback_call(&ctx->illegal_callback, #cond); \ + rustsecp256k1_v0_1_2_callback_call(&ctx->illegal_callback, #cond); \ return 0; \ } \ } while(0) #define ARG_CHECK_NO_RETURN(cond) do { \ if (EXPECT(!(cond), 0)) { \ - rustsecp256k1_v0_1_1_callback_call(&ctx->illegal_callback, #cond); \ + rustsecp256k1_v0_1_2_callback_call(&ctx->illegal_callback, #cond); \ } \ } while(0) #ifndef USE_EXTERNAL_DEFAULT_CALLBACKS #include #include -static void rustsecp256k1_v0_1_1_default_illegal_callback_fn(const char* str, void* data) { +static void rustsecp256k1_v0_1_2_default_illegal_callback_fn(const char* str, void* data) { (void)data; fprintf(stderr, "[libsecp256k1] illegal argument: %s\n", str); abort(); } -static void rustsecp256k1_v0_1_1_default_error_callback_fn(const char* str, void* data) { +static void rustsecp256k1_v0_1_2_default_error_callback_fn(const char* str, void* data) { (void)data; fprintf(stderr, "[libsecp256k1] internal consistency check failed: %s\n", str); abort(); } #else -void rustsecp256k1_v0_1_1_default_illegal_callback_fn(const char* str, void* data); -void rustsecp256k1_v0_1_1_default_error_callback_fn(const char* str, void* data); +void rustsecp256k1_v0_1_2_default_illegal_callback_fn(const char* str, void* data); +void rustsecp256k1_v0_1_2_default_error_callback_fn(const char* str, void* data); #endif -static const rustsecp256k1_v0_1_1_callback default_illegal_callback = { - rustsecp256k1_v0_1_1_default_illegal_callback_fn, +static const rustsecp256k1_v0_1_2_callback default_illegal_callback = { + rustsecp256k1_v0_1_2_default_illegal_callback_fn, NULL }; -static const rustsecp256k1_v0_1_1_callback default_error_callback = { - rustsecp256k1_v0_1_1_default_error_callback_fn, +static const rustsecp256k1_v0_1_2_callback default_error_callback = { + rustsecp256k1_v0_1_2_default_error_callback_fn, NULL }; -struct rustsecp256k1_v0_1_1_context_struct { - rustsecp256k1_v0_1_1_ecmult_context ecmult_ctx; - rustsecp256k1_v0_1_1_ecmult_gen_context ecmult_gen_ctx; - rustsecp256k1_v0_1_1_callback illegal_callback; - rustsecp256k1_v0_1_1_callback error_callback; +struct rustsecp256k1_v0_1_2_context_struct { + rustsecp256k1_v0_1_2_ecmult_context ecmult_ctx; + rustsecp256k1_v0_1_2_ecmult_gen_context ecmult_gen_ctx; + rustsecp256k1_v0_1_2_callback illegal_callback; + rustsecp256k1_v0_1_2_callback error_callback; + int declassify; }; -static const rustsecp256k1_v0_1_1_context rustsecp256k1_v0_1_1_context_no_precomp_ = { +static const rustsecp256k1_v0_1_2_context rustsecp256k1_v0_1_2_context_no_precomp_ = { { 0 }, { 0 }, - { rustsecp256k1_v0_1_1_default_illegal_callback_fn, 0 }, - { rustsecp256k1_v0_1_1_default_error_callback_fn, 0 } + { rustsecp256k1_v0_1_2_default_illegal_callback_fn, 0 }, + { rustsecp256k1_v0_1_2_default_error_callback_fn, 0 }, + 0 }; -const rustsecp256k1_v0_1_1_context *rustsecp256k1_v0_1_1_context_no_precomp = &rustsecp256k1_v0_1_1_context_no_precomp_; +const rustsecp256k1_v0_1_2_context *rustsecp256k1_v0_1_2_context_no_precomp = &rustsecp256k1_v0_1_2_context_no_precomp_; -size_t rustsecp256k1_v0_1_1_context_preallocated_size(unsigned int flags) { - size_t ret = ROUND_TO_ALIGN(sizeof(rustsecp256k1_v0_1_1_context)); +size_t rustsecp256k1_v0_1_2_context_preallocated_size(unsigned int flags) { + size_t ret = ROUND_TO_ALIGN(sizeof(rustsecp256k1_v0_1_2_context)); if (EXPECT((flags & SECP256K1_FLAGS_TYPE_MASK) != SECP256K1_FLAGS_TYPE_CONTEXT, 0)) { - rustsecp256k1_v0_1_1_callback_call(&default_illegal_callback, + rustsecp256k1_v0_1_2_callback_call(&default_illegal_callback, "Invalid flags"); return 0; } @@ -94,138 +100,153 @@ size_t rustsecp256k1_v0_1_1_context_preallocated_size(unsigned int flags) { return ret; } -size_t rustsecp256k1_v0_1_1_context_preallocated_clone_size(const rustsecp256k1_v0_1_1_context* ctx) { - size_t ret = ROUND_TO_ALIGN(sizeof(rustsecp256k1_v0_1_1_context)); +size_t rustsecp256k1_v0_1_2_context_preallocated_clone_size(const rustsecp256k1_v0_1_2_context* ctx) { + size_t ret = ROUND_TO_ALIGN(sizeof(rustsecp256k1_v0_1_2_context)); VERIFY_CHECK(ctx != NULL); - if (rustsecp256k1_v0_1_1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)) { + if (rustsecp256k1_v0_1_2_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)) { ret += SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE; } - if (rustsecp256k1_v0_1_1_ecmult_context_is_built(&ctx->ecmult_ctx)) { + if (rustsecp256k1_v0_1_2_ecmult_context_is_built(&ctx->ecmult_ctx)) { ret += SECP256K1_ECMULT_CONTEXT_PREALLOCATED_SIZE; } return ret; } -rustsecp256k1_v0_1_1_context* rustsecp256k1_v0_1_1_context_preallocated_create(void* prealloc, unsigned int flags) { +rustsecp256k1_v0_1_2_context* rustsecp256k1_v0_1_2_context_preallocated_create(void* prealloc, unsigned int flags) { void* const base = prealloc; size_t prealloc_size; - rustsecp256k1_v0_1_1_context* ret; + rustsecp256k1_v0_1_2_context* ret; VERIFY_CHECK(prealloc != NULL); - prealloc_size = rustsecp256k1_v0_1_1_context_preallocated_size(flags); - ret = (rustsecp256k1_v0_1_1_context*)manual_alloc(&prealloc, sizeof(rustsecp256k1_v0_1_1_context), base, prealloc_size); + prealloc_size = rustsecp256k1_v0_1_2_context_preallocated_size(flags); + ret = (rustsecp256k1_v0_1_2_context*)manual_alloc(&prealloc, sizeof(rustsecp256k1_v0_1_2_context), base, prealloc_size); ret->illegal_callback = default_illegal_callback; ret->error_callback = default_error_callback; if (EXPECT((flags & SECP256K1_FLAGS_TYPE_MASK) != SECP256K1_FLAGS_TYPE_CONTEXT, 0)) { - rustsecp256k1_v0_1_1_callback_call(&ret->illegal_callback, + rustsecp256k1_v0_1_2_callback_call(&ret->illegal_callback, "Invalid flags"); return NULL; } - rustsecp256k1_v0_1_1_ecmult_context_init(&ret->ecmult_ctx); - rustsecp256k1_v0_1_1_ecmult_gen_context_init(&ret->ecmult_gen_ctx); + rustsecp256k1_v0_1_2_ecmult_context_init(&ret->ecmult_ctx); + rustsecp256k1_v0_1_2_ecmult_gen_context_init(&ret->ecmult_gen_ctx); if (flags & SECP256K1_FLAGS_BIT_CONTEXT_SIGN) { - rustsecp256k1_v0_1_1_ecmult_gen_context_build(&ret->ecmult_gen_ctx, &prealloc); + rustsecp256k1_v0_1_2_ecmult_gen_context_build(&ret->ecmult_gen_ctx, &prealloc); } if (flags & SECP256K1_FLAGS_BIT_CONTEXT_VERIFY) { - rustsecp256k1_v0_1_1_ecmult_context_build(&ret->ecmult_ctx, &prealloc); + rustsecp256k1_v0_1_2_ecmult_context_build(&ret->ecmult_ctx, &prealloc); } + ret->declassify = !!(flags & SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY); - return (rustsecp256k1_v0_1_1_context*) ret; + return (rustsecp256k1_v0_1_2_context*) ret; } -rustsecp256k1_v0_1_1_context* rustsecp256k1_v0_1_1_context_preallocated_clone(const rustsecp256k1_v0_1_1_context* ctx, void* prealloc) { +rustsecp256k1_v0_1_2_context* rustsecp256k1_v0_1_2_context_preallocated_clone(const rustsecp256k1_v0_1_2_context* ctx, void* prealloc) { size_t prealloc_size; - rustsecp256k1_v0_1_1_context* ret; + rustsecp256k1_v0_1_2_context* ret; VERIFY_CHECK(ctx != NULL); ARG_CHECK(prealloc != NULL); - prealloc_size = rustsecp256k1_v0_1_1_context_preallocated_clone_size(ctx); - ret = (rustsecp256k1_v0_1_1_context*)prealloc; + prealloc_size = rustsecp256k1_v0_1_2_context_preallocated_clone_size(ctx); + ret = (rustsecp256k1_v0_1_2_context*)prealloc; memcpy(ret, ctx, prealloc_size); - rustsecp256k1_v0_1_1_ecmult_gen_context_finalize_memcpy(&ret->ecmult_gen_ctx, &ctx->ecmult_gen_ctx); - rustsecp256k1_v0_1_1_ecmult_context_finalize_memcpy(&ret->ecmult_ctx, &ctx->ecmult_ctx); + rustsecp256k1_v0_1_2_ecmult_gen_context_finalize_memcpy(&ret->ecmult_gen_ctx, &ctx->ecmult_gen_ctx); + rustsecp256k1_v0_1_2_ecmult_context_finalize_memcpy(&ret->ecmult_ctx, &ctx->ecmult_ctx); return ret; } -void rustsecp256k1_v0_1_1_context_preallocated_destroy(rustsecp256k1_v0_1_1_context* ctx) { - ARG_CHECK_NO_RETURN(ctx != rustsecp256k1_v0_1_1_context_no_precomp); +void rustsecp256k1_v0_1_2_context_preallocated_destroy(rustsecp256k1_v0_1_2_context* ctx) { + ARG_CHECK_NO_RETURN(ctx != rustsecp256k1_v0_1_2_context_no_precomp); if (ctx != NULL) { - rustsecp256k1_v0_1_1_ecmult_context_clear(&ctx->ecmult_ctx); - rustsecp256k1_v0_1_1_ecmult_gen_context_clear(&ctx->ecmult_gen_ctx); + rustsecp256k1_v0_1_2_ecmult_context_clear(&ctx->ecmult_ctx); + rustsecp256k1_v0_1_2_ecmult_gen_context_clear(&ctx->ecmult_gen_ctx); } } -void rustsecp256k1_v0_1_1_context_set_illegal_callback(rustsecp256k1_v0_1_1_context* ctx, void (*fun)(const char* message, void* data), const void* data) { - ARG_CHECK_NO_RETURN(ctx != rustsecp256k1_v0_1_1_context_no_precomp); +void rustsecp256k1_v0_1_2_context_set_illegal_callback(rustsecp256k1_v0_1_2_context* ctx, void (*fun)(const char* message, void* data), const void* data) { + ARG_CHECK_NO_RETURN(ctx != rustsecp256k1_v0_1_2_context_no_precomp); if (fun == NULL) { - fun = rustsecp256k1_v0_1_1_default_illegal_callback_fn; + fun = rustsecp256k1_v0_1_2_default_illegal_callback_fn; } ctx->illegal_callback.fn = fun; ctx->illegal_callback.data = data; } -void rustsecp256k1_v0_1_1_context_set_error_callback(rustsecp256k1_v0_1_1_context* ctx, void (*fun)(const char* message, void* data), const void* data) { - ARG_CHECK_NO_RETURN(ctx != rustsecp256k1_v0_1_1_context_no_precomp); +void rustsecp256k1_v0_1_2_context_set_error_callback(rustsecp256k1_v0_1_2_context* ctx, void (*fun)(const char* message, void* data), const void* data) { + ARG_CHECK_NO_RETURN(ctx != rustsecp256k1_v0_1_2_context_no_precomp); if (fun == NULL) { - fun = rustsecp256k1_v0_1_1_default_error_callback_fn; + fun = rustsecp256k1_v0_1_2_default_error_callback_fn; } ctx->error_callback.fn = fun; ctx->error_callback.data = data; } -static int rustsecp256k1_v0_1_1_pubkey_load(const rustsecp256k1_v0_1_1_context* ctx, rustsecp256k1_v0_1_1_ge* ge, const rustsecp256k1_v0_1_1_pubkey* pubkey) { - if (sizeof(rustsecp256k1_v0_1_1_ge_storage) == 64) { - /* When the rustsecp256k1_v0_1_1_ge_storage type is exactly 64 byte, use its - * representation inside rustsecp256k1_v0_1_1_pubkey, as conversion is very fast. - * Note that rustsecp256k1_v0_1_1_pubkey_save must use the same representation. */ - rustsecp256k1_v0_1_1_ge_storage s; +/* Mark memory as no-longer-secret for the purpose of analysing constant-time behaviour + * of the software. This is setup for use with valgrind but could be substituted with + * the appropriate instrumentation for other analysis tools. + */ +static SECP256K1_INLINE void rustsecp256k1_v0_1_2_declassify(const rustsecp256k1_v0_1_2_context* ctx, void *p, size_t len) { +#if defined(VALGRIND) + if (EXPECT(ctx->declassify,0)) VALGRIND_MAKE_MEM_DEFINED(p, len); +#else + (void)ctx; + (void)p; + (void)len; +#endif +} + +static int rustsecp256k1_v0_1_2_pubkey_load(const rustsecp256k1_v0_1_2_context* ctx, rustsecp256k1_v0_1_2_ge* ge, const rustsecp256k1_v0_1_2_pubkey* pubkey) { + if (sizeof(rustsecp256k1_v0_1_2_ge_storage) == 64) { + /* When the rustsecp256k1_v0_1_2_ge_storage type is exactly 64 byte, use its + * representation inside rustsecp256k1_v0_1_2_pubkey, as conversion is very fast. + * Note that rustsecp256k1_v0_1_2_pubkey_save must use the same representation. */ + rustsecp256k1_v0_1_2_ge_storage s; memcpy(&s, &pubkey->data[0], sizeof(s)); - rustsecp256k1_v0_1_1_ge_from_storage(ge, &s); + rustsecp256k1_v0_1_2_ge_from_storage(ge, &s); } else { /* Otherwise, fall back to 32-byte big endian for X and Y. */ - rustsecp256k1_v0_1_1_fe x, y; - rustsecp256k1_v0_1_1_fe_set_b32(&x, pubkey->data); - rustsecp256k1_v0_1_1_fe_set_b32(&y, pubkey->data + 32); - rustsecp256k1_v0_1_1_ge_set_xy(ge, &x, &y); + rustsecp256k1_v0_1_2_fe x, y; + rustsecp256k1_v0_1_2_fe_set_b32(&x, pubkey->data); + rustsecp256k1_v0_1_2_fe_set_b32(&y, pubkey->data + 32); + rustsecp256k1_v0_1_2_ge_set_xy(ge, &x, &y); } - ARG_CHECK(!rustsecp256k1_v0_1_1_fe_is_zero(&ge->x)); + ARG_CHECK(!rustsecp256k1_v0_1_2_fe_is_zero(&ge->x)); return 1; } -static void rustsecp256k1_v0_1_1_pubkey_save(rustsecp256k1_v0_1_1_pubkey* pubkey, rustsecp256k1_v0_1_1_ge* ge) { - if (sizeof(rustsecp256k1_v0_1_1_ge_storage) == 64) { - rustsecp256k1_v0_1_1_ge_storage s; - rustsecp256k1_v0_1_1_ge_to_storage(&s, ge); +static void rustsecp256k1_v0_1_2_pubkey_save(rustsecp256k1_v0_1_2_pubkey* pubkey, rustsecp256k1_v0_1_2_ge* ge) { + if (sizeof(rustsecp256k1_v0_1_2_ge_storage) == 64) { + rustsecp256k1_v0_1_2_ge_storage s; + rustsecp256k1_v0_1_2_ge_to_storage(&s, ge); memcpy(&pubkey->data[0], &s, sizeof(s)); } else { - VERIFY_CHECK(!rustsecp256k1_v0_1_1_ge_is_infinity(ge)); - rustsecp256k1_v0_1_1_fe_normalize_var(&ge->x); - rustsecp256k1_v0_1_1_fe_normalize_var(&ge->y); - rustsecp256k1_v0_1_1_fe_get_b32(pubkey->data, &ge->x); - rustsecp256k1_v0_1_1_fe_get_b32(pubkey->data + 32, &ge->y); + VERIFY_CHECK(!rustsecp256k1_v0_1_2_ge_is_infinity(ge)); + rustsecp256k1_v0_1_2_fe_normalize_var(&ge->x); + rustsecp256k1_v0_1_2_fe_normalize_var(&ge->y); + rustsecp256k1_v0_1_2_fe_get_b32(pubkey->data, &ge->x); + rustsecp256k1_v0_1_2_fe_get_b32(pubkey->data + 32, &ge->y); } } -int rustsecp256k1_v0_1_1_ec_pubkey_parse(const rustsecp256k1_v0_1_1_context* ctx, rustsecp256k1_v0_1_1_pubkey* pubkey, const unsigned char *input, size_t inputlen) { - rustsecp256k1_v0_1_1_ge Q; +int rustsecp256k1_v0_1_2_ec_pubkey_parse(const rustsecp256k1_v0_1_2_context* ctx, rustsecp256k1_v0_1_2_pubkey* pubkey, const unsigned char *input, size_t inputlen) { + rustsecp256k1_v0_1_2_ge Q; VERIFY_CHECK(ctx != NULL); ARG_CHECK(pubkey != NULL); memset(pubkey, 0, sizeof(*pubkey)); ARG_CHECK(input != NULL); - if (!rustsecp256k1_v0_1_1_eckey_pubkey_parse(&Q, input, inputlen)) { + if (!rustsecp256k1_v0_1_2_eckey_pubkey_parse(&Q, input, inputlen)) { return 0; } - rustsecp256k1_v0_1_1_pubkey_save(pubkey, &Q); - rustsecp256k1_v0_1_1_ge_clear(&Q); + rustsecp256k1_v0_1_2_pubkey_save(pubkey, &Q); + rustsecp256k1_v0_1_2_ge_clear(&Q); return 1; } -int rustsecp256k1_v0_1_1_ec_pubkey_serialize(const rustsecp256k1_v0_1_1_context* ctx, unsigned char *output, size_t *outputlen, const rustsecp256k1_v0_1_1_pubkey* pubkey, unsigned int flags) { - rustsecp256k1_v0_1_1_ge Q; +int rustsecp256k1_v0_1_2_ec_pubkey_serialize(const rustsecp256k1_v0_1_2_context* ctx, unsigned char *output, size_t *outputlen, const rustsecp256k1_v0_1_2_pubkey* pubkey, unsigned int flags) { + rustsecp256k1_v0_1_2_ge Q; size_t len; int ret = 0; @@ -238,8 +259,8 @@ int rustsecp256k1_v0_1_1_ec_pubkey_serialize(const rustsecp256k1_v0_1_1_context* memset(output, 0, len); ARG_CHECK(pubkey != NULL); ARG_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_COMPRESSION); - if (rustsecp256k1_v0_1_1_pubkey_load(ctx, &Q, pubkey)) { - ret = rustsecp256k1_v0_1_1_eckey_pubkey_serialize(&Q, output, &len, flags & SECP256K1_FLAGS_BIT_COMPRESSION); + if (rustsecp256k1_v0_1_2_pubkey_load(ctx, &Q, pubkey)) { + ret = rustsecp256k1_v0_1_2_eckey_pubkey_serialize(&Q, output, &len, flags & SECP256K1_FLAGS_BIT_COMPRESSION); if (ret) { *outputlen = len; } @@ -247,39 +268,39 @@ int rustsecp256k1_v0_1_1_ec_pubkey_serialize(const rustsecp256k1_v0_1_1_context* return ret; } -static void rustsecp256k1_v0_1_1_ecdsa_signature_load(const rustsecp256k1_v0_1_1_context* ctx, rustsecp256k1_v0_1_1_scalar* r, rustsecp256k1_v0_1_1_scalar* s, const rustsecp256k1_v0_1_1_ecdsa_signature* sig) { +static void rustsecp256k1_v0_1_2_ecdsa_signature_load(const rustsecp256k1_v0_1_2_context* ctx, rustsecp256k1_v0_1_2_scalar* r, rustsecp256k1_v0_1_2_scalar* s, const rustsecp256k1_v0_1_2_ecdsa_signature* sig) { (void)ctx; - if (sizeof(rustsecp256k1_v0_1_1_scalar) == 32) { - /* When the rustsecp256k1_v0_1_1_scalar type is exactly 32 byte, use its - * representation inside rustsecp256k1_v0_1_1_ecdsa_signature, as conversion is very fast. - * Note that rustsecp256k1_v0_1_1_ecdsa_signature_save must use the same representation. */ + if (sizeof(rustsecp256k1_v0_1_2_scalar) == 32) { + /* When the rustsecp256k1_v0_1_2_scalar type is exactly 32 byte, use its + * representation inside rustsecp256k1_v0_1_2_ecdsa_signature, as conversion is very fast. + * Note that rustsecp256k1_v0_1_2_ecdsa_signature_save must use the same representation. */ memcpy(r, &sig->data[0], 32); memcpy(s, &sig->data[32], 32); } else { - rustsecp256k1_v0_1_1_scalar_set_b32(r, &sig->data[0], NULL); - rustsecp256k1_v0_1_1_scalar_set_b32(s, &sig->data[32], NULL); + rustsecp256k1_v0_1_2_scalar_set_b32(r, &sig->data[0], NULL); + rustsecp256k1_v0_1_2_scalar_set_b32(s, &sig->data[32], NULL); } } -static void rustsecp256k1_v0_1_1_ecdsa_signature_save(rustsecp256k1_v0_1_1_ecdsa_signature* sig, const rustsecp256k1_v0_1_1_scalar* r, const rustsecp256k1_v0_1_1_scalar* s) { - if (sizeof(rustsecp256k1_v0_1_1_scalar) == 32) { +static void rustsecp256k1_v0_1_2_ecdsa_signature_save(rustsecp256k1_v0_1_2_ecdsa_signature* sig, const rustsecp256k1_v0_1_2_scalar* r, const rustsecp256k1_v0_1_2_scalar* s) { + if (sizeof(rustsecp256k1_v0_1_2_scalar) == 32) { memcpy(&sig->data[0], r, 32); memcpy(&sig->data[32], s, 32); } else { - rustsecp256k1_v0_1_1_scalar_get_b32(&sig->data[0], r); - rustsecp256k1_v0_1_1_scalar_get_b32(&sig->data[32], s); + rustsecp256k1_v0_1_2_scalar_get_b32(&sig->data[0], r); + rustsecp256k1_v0_1_2_scalar_get_b32(&sig->data[32], s); } } -int rustsecp256k1_v0_1_1_ecdsa_signature_parse_der(const rustsecp256k1_v0_1_1_context* ctx, rustsecp256k1_v0_1_1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) { - rustsecp256k1_v0_1_1_scalar r, s; +int rustsecp256k1_v0_1_2_ecdsa_signature_parse_der(const rustsecp256k1_v0_1_2_context* ctx, rustsecp256k1_v0_1_2_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) { + rustsecp256k1_v0_1_2_scalar r, s; VERIFY_CHECK(ctx != NULL); ARG_CHECK(sig != NULL); ARG_CHECK(input != NULL); - if (rustsecp256k1_v0_1_1_ecdsa_sig_parse(&r, &s, input, inputlen)) { - rustsecp256k1_v0_1_1_ecdsa_signature_save(sig, &r, &s); + if (rustsecp256k1_v0_1_2_ecdsa_sig_parse(&r, &s, input, inputlen)) { + rustsecp256k1_v0_1_2_ecdsa_signature_save(sig, &r, &s); return 1; } else { memset(sig, 0, sizeof(*sig)); @@ -287,8 +308,8 @@ int rustsecp256k1_v0_1_1_ecdsa_signature_parse_der(const rustsecp256k1_v0_1_1_co } } -int rustsecp256k1_v0_1_1_ecdsa_signature_parse_compact(const rustsecp256k1_v0_1_1_context* ctx, rustsecp256k1_v0_1_1_ecdsa_signature* sig, const unsigned char *input64) { - rustsecp256k1_v0_1_1_scalar r, s; +int rustsecp256k1_v0_1_2_ecdsa_signature_parse_compact(const rustsecp256k1_v0_1_2_context* ctx, rustsecp256k1_v0_1_2_ecdsa_signature* sig, const unsigned char *input64) { + rustsecp256k1_v0_1_2_scalar r, s; int ret = 1; int overflow = 0; @@ -296,77 +317,77 @@ int rustsecp256k1_v0_1_1_ecdsa_signature_parse_compact(const rustsecp256k1_v0_1_ ARG_CHECK(sig != NULL); ARG_CHECK(input64 != NULL); - rustsecp256k1_v0_1_1_scalar_set_b32(&r, &input64[0], &overflow); + rustsecp256k1_v0_1_2_scalar_set_b32(&r, &input64[0], &overflow); ret &= !overflow; - rustsecp256k1_v0_1_1_scalar_set_b32(&s, &input64[32], &overflow); + rustsecp256k1_v0_1_2_scalar_set_b32(&s, &input64[32], &overflow); ret &= !overflow; if (ret) { - rustsecp256k1_v0_1_1_ecdsa_signature_save(sig, &r, &s); + rustsecp256k1_v0_1_2_ecdsa_signature_save(sig, &r, &s); } else { memset(sig, 0, sizeof(*sig)); } return ret; } -int rustsecp256k1_v0_1_1_ecdsa_signature_serialize_der(const rustsecp256k1_v0_1_1_context* ctx, unsigned char *output, size_t *outputlen, const rustsecp256k1_v0_1_1_ecdsa_signature* sig) { - rustsecp256k1_v0_1_1_scalar r, s; +int rustsecp256k1_v0_1_2_ecdsa_signature_serialize_der(const rustsecp256k1_v0_1_2_context* ctx, unsigned char *output, size_t *outputlen, const rustsecp256k1_v0_1_2_ecdsa_signature* sig) { + rustsecp256k1_v0_1_2_scalar r, s; VERIFY_CHECK(ctx != NULL); ARG_CHECK(output != NULL); ARG_CHECK(outputlen != NULL); ARG_CHECK(sig != NULL); - rustsecp256k1_v0_1_1_ecdsa_signature_load(ctx, &r, &s, sig); - return rustsecp256k1_v0_1_1_ecdsa_sig_serialize(output, outputlen, &r, &s); + rustsecp256k1_v0_1_2_ecdsa_signature_load(ctx, &r, &s, sig); + return rustsecp256k1_v0_1_2_ecdsa_sig_serialize(output, outputlen, &r, &s); } -int rustsecp256k1_v0_1_1_ecdsa_signature_serialize_compact(const rustsecp256k1_v0_1_1_context* ctx, unsigned char *output64, const rustsecp256k1_v0_1_1_ecdsa_signature* sig) { - rustsecp256k1_v0_1_1_scalar r, s; +int rustsecp256k1_v0_1_2_ecdsa_signature_serialize_compact(const rustsecp256k1_v0_1_2_context* ctx, unsigned char *output64, const rustsecp256k1_v0_1_2_ecdsa_signature* sig) { + rustsecp256k1_v0_1_2_scalar r, s; VERIFY_CHECK(ctx != NULL); ARG_CHECK(output64 != NULL); ARG_CHECK(sig != NULL); - rustsecp256k1_v0_1_1_ecdsa_signature_load(ctx, &r, &s, sig); - rustsecp256k1_v0_1_1_scalar_get_b32(&output64[0], &r); - rustsecp256k1_v0_1_1_scalar_get_b32(&output64[32], &s); + rustsecp256k1_v0_1_2_ecdsa_signature_load(ctx, &r, &s, sig); + rustsecp256k1_v0_1_2_scalar_get_b32(&output64[0], &r); + rustsecp256k1_v0_1_2_scalar_get_b32(&output64[32], &s); return 1; } -int rustsecp256k1_v0_1_1_ecdsa_signature_normalize(const rustsecp256k1_v0_1_1_context* ctx, rustsecp256k1_v0_1_1_ecdsa_signature *sigout, const rustsecp256k1_v0_1_1_ecdsa_signature *sigin) { - rustsecp256k1_v0_1_1_scalar r, s; +int rustsecp256k1_v0_1_2_ecdsa_signature_normalize(const rustsecp256k1_v0_1_2_context* ctx, rustsecp256k1_v0_1_2_ecdsa_signature *sigout, const rustsecp256k1_v0_1_2_ecdsa_signature *sigin) { + rustsecp256k1_v0_1_2_scalar r, s; int ret = 0; VERIFY_CHECK(ctx != NULL); ARG_CHECK(sigin != NULL); - rustsecp256k1_v0_1_1_ecdsa_signature_load(ctx, &r, &s, sigin); - ret = rustsecp256k1_v0_1_1_scalar_is_high(&s); + rustsecp256k1_v0_1_2_ecdsa_signature_load(ctx, &r, &s, sigin); + ret = rustsecp256k1_v0_1_2_scalar_is_high(&s); if (sigout != NULL) { if (ret) { - rustsecp256k1_v0_1_1_scalar_negate(&s, &s); + rustsecp256k1_v0_1_2_scalar_negate(&s, &s); } - rustsecp256k1_v0_1_1_ecdsa_signature_save(sigout, &r, &s); + rustsecp256k1_v0_1_2_ecdsa_signature_save(sigout, &r, &s); } return ret; } -int rustsecp256k1_v0_1_1_ecdsa_verify(const rustsecp256k1_v0_1_1_context* ctx, const rustsecp256k1_v0_1_1_ecdsa_signature *sig, const unsigned char *msg32, const rustsecp256k1_v0_1_1_pubkey *pubkey) { - rustsecp256k1_v0_1_1_ge q; - rustsecp256k1_v0_1_1_scalar r, s; - rustsecp256k1_v0_1_1_scalar m; +int rustsecp256k1_v0_1_2_ecdsa_verify(const rustsecp256k1_v0_1_2_context* ctx, const rustsecp256k1_v0_1_2_ecdsa_signature *sig, const unsigned char *msg32, const rustsecp256k1_v0_1_2_pubkey *pubkey) { + rustsecp256k1_v0_1_2_ge q; + rustsecp256k1_v0_1_2_scalar r, s; + rustsecp256k1_v0_1_2_scalar m; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1_v0_1_1_ecmult_context_is_built(&ctx->ecmult_ctx)); + ARG_CHECK(rustsecp256k1_v0_1_2_ecmult_context_is_built(&ctx->ecmult_ctx)); ARG_CHECK(msg32 != NULL); ARG_CHECK(sig != NULL); ARG_CHECK(pubkey != NULL); - rustsecp256k1_v0_1_1_scalar_set_b32(&m, msg32, NULL); - rustsecp256k1_v0_1_1_ecdsa_signature_load(ctx, &r, &s, sig); - return (!rustsecp256k1_v0_1_1_scalar_is_high(&s) && - rustsecp256k1_v0_1_1_pubkey_load(ctx, &q, pubkey) && - rustsecp256k1_v0_1_1_ecdsa_sig_verify(&ctx->ecmult_ctx, &r, &s, &q, &m)); + rustsecp256k1_v0_1_2_scalar_set_b32(&m, msg32, NULL); + rustsecp256k1_v0_1_2_ecdsa_signature_load(ctx, &r, &s, sig); + return (!rustsecp256k1_v0_1_2_scalar_is_high(&s) && + rustsecp256k1_v0_1_2_pubkey_load(ctx, &q, pubkey) && + rustsecp256k1_v0_1_2_ecdsa_sig_verify(&ctx->ecmult_ctx, &r, &s, &q, &m)); } static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *offset, const void *data, unsigned int len) { @@ -377,7 +398,7 @@ static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *off static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { unsigned char keydata[112]; unsigned int offset = 0; - rustsecp256k1_v0_1_1_rfc6979_hmac_sha256 rng; + rustsecp256k1_v0_1_2_rfc6979_hmac_sha256 rng; unsigned int i; /* We feed a byte array to the PRNG as input, consisting of: * - the private key (32 bytes) and message (32 bytes), see RFC 6979 3.2d. @@ -395,167 +416,180 @@ static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *m if (algo16 != NULL) { buffer_append(keydata, &offset, algo16, 16); } - rustsecp256k1_v0_1_1_rfc6979_hmac_sha256_initialize(&rng, keydata, offset); + rustsecp256k1_v0_1_2_rfc6979_hmac_sha256_initialize(&rng, keydata, offset); memset(keydata, 0, sizeof(keydata)); for (i = 0; i <= counter; i++) { - rustsecp256k1_v0_1_1_rfc6979_hmac_sha256_generate(&rng, nonce32, 32); + rustsecp256k1_v0_1_2_rfc6979_hmac_sha256_generate(&rng, nonce32, 32); } - rustsecp256k1_v0_1_1_rfc6979_hmac_sha256_finalize(&rng); + rustsecp256k1_v0_1_2_rfc6979_hmac_sha256_finalize(&rng); return 1; } -const rustsecp256k1_v0_1_1_nonce_function rustsecp256k1_v0_1_1_nonce_function_rfc6979 = nonce_function_rfc6979; -const rustsecp256k1_v0_1_1_nonce_function rustsecp256k1_v0_1_1_nonce_function_default = nonce_function_rfc6979; +const rustsecp256k1_v0_1_2_nonce_function rustsecp256k1_v0_1_2_nonce_function_rfc6979 = nonce_function_rfc6979; +const rustsecp256k1_v0_1_2_nonce_function rustsecp256k1_v0_1_2_nonce_function_default = nonce_function_rfc6979; -int rustsecp256k1_v0_1_1_ecdsa_sign(const rustsecp256k1_v0_1_1_context* ctx, rustsecp256k1_v0_1_1_ecdsa_signature *signature, const unsigned char *msg32, const unsigned char *seckey, rustsecp256k1_v0_1_1_nonce_function noncefp, const void* noncedata) { - rustsecp256k1_v0_1_1_scalar r, s; - rustsecp256k1_v0_1_1_scalar sec, non, msg; +int rustsecp256k1_v0_1_2_ecdsa_sign(const rustsecp256k1_v0_1_2_context* ctx, rustsecp256k1_v0_1_2_ecdsa_signature *signature, const unsigned char *msg32, const unsigned char *seckey, rustsecp256k1_v0_1_2_nonce_function noncefp, const void* noncedata) { + rustsecp256k1_v0_1_2_scalar r, s; + rustsecp256k1_v0_1_2_scalar sec, non, msg; int ret = 0; - int overflow = 0; + int is_sec_valid; + unsigned char nonce32[32]; + unsigned int count = 0; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1_v0_1_1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); + ARG_CHECK(rustsecp256k1_v0_1_2_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); ARG_CHECK(msg32 != NULL); ARG_CHECK(signature != NULL); ARG_CHECK(seckey != NULL); if (noncefp == NULL) { - noncefp = rustsecp256k1_v0_1_1_nonce_function_default; + noncefp = rustsecp256k1_v0_1_2_nonce_function_default; } - rustsecp256k1_v0_1_1_scalar_set_b32(&sec, seckey, &overflow); /* Fail if the secret key is invalid. */ - if (!overflow && !rustsecp256k1_v0_1_1_scalar_is_zero(&sec)) { - unsigned char nonce32[32]; - unsigned int count = 0; - rustsecp256k1_v0_1_1_scalar_set_b32(&msg, msg32, NULL); - while (1) { - ret = noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count); - if (!ret) { + is_sec_valid = rustsecp256k1_v0_1_2_scalar_set_b32_seckey(&sec, seckey); + rustsecp256k1_v0_1_2_scalar_cmov(&sec, &rustsecp256k1_v0_1_2_scalar_one, !is_sec_valid); + rustsecp256k1_v0_1_2_scalar_set_b32(&msg, msg32, NULL); + while (1) { + int is_nonce_valid; + ret = !!noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count); + if (!ret) { + break; + } + is_nonce_valid = rustsecp256k1_v0_1_2_scalar_set_b32_seckey(&non, nonce32); + /* The nonce is still secret here, but it being invalid is is less likely than 1:2^255. */ + rustsecp256k1_v0_1_2_declassify(ctx, &is_nonce_valid, sizeof(is_nonce_valid)); + if (is_nonce_valid) { + ret = rustsecp256k1_v0_1_2_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &r, &s, &sec, &msg, &non, NULL); + /* The final signature is no longer a secret, nor is the fact that we were successful or not. */ + rustsecp256k1_v0_1_2_declassify(ctx, &ret, sizeof(ret)); + if (ret) { break; } - rustsecp256k1_v0_1_1_scalar_set_b32(&non, nonce32, &overflow); - if (!overflow && !rustsecp256k1_v0_1_1_scalar_is_zero(&non)) { - if (rustsecp256k1_v0_1_1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &r, &s, &sec, &msg, &non, NULL)) { - break; - } - } - count++; } - memset(nonce32, 0, 32); - rustsecp256k1_v0_1_1_scalar_clear(&msg); - rustsecp256k1_v0_1_1_scalar_clear(&non); - rustsecp256k1_v0_1_1_scalar_clear(&sec); - } - if (ret) { - rustsecp256k1_v0_1_1_ecdsa_signature_save(signature, &r, &s); - } else { - memset(signature, 0, sizeof(*signature)); - } + count++; + } + /* We don't want to declassify is_sec_valid and therefore the range of + * seckey. As a result is_sec_valid is included in ret only after ret was + * used as a branching variable. */ + ret &= is_sec_valid; + memset(nonce32, 0, 32); + rustsecp256k1_v0_1_2_scalar_clear(&msg); + rustsecp256k1_v0_1_2_scalar_clear(&non); + rustsecp256k1_v0_1_2_scalar_clear(&sec); + rustsecp256k1_v0_1_2_scalar_cmov(&r, &rustsecp256k1_v0_1_2_scalar_zero, !ret); + rustsecp256k1_v0_1_2_scalar_cmov(&s, &rustsecp256k1_v0_1_2_scalar_zero, !ret); + rustsecp256k1_v0_1_2_ecdsa_signature_save(signature, &r, &s); return ret; } -int rustsecp256k1_v0_1_1_ec_seckey_verify(const rustsecp256k1_v0_1_1_context* ctx, const unsigned char *seckey) { - rustsecp256k1_v0_1_1_scalar sec; +int rustsecp256k1_v0_1_2_ec_seckey_verify(const rustsecp256k1_v0_1_2_context* ctx, const unsigned char *seckey) { + rustsecp256k1_v0_1_2_scalar sec; int ret; - int overflow; VERIFY_CHECK(ctx != NULL); ARG_CHECK(seckey != NULL); - rustsecp256k1_v0_1_1_scalar_set_b32(&sec, seckey, &overflow); - ret = !overflow && !rustsecp256k1_v0_1_1_scalar_is_zero(&sec); - rustsecp256k1_v0_1_1_scalar_clear(&sec); + ret = rustsecp256k1_v0_1_2_scalar_set_b32_seckey(&sec, seckey); + rustsecp256k1_v0_1_2_scalar_clear(&sec); return ret; } -int rustsecp256k1_v0_1_1_ec_pubkey_create(const rustsecp256k1_v0_1_1_context* ctx, rustsecp256k1_v0_1_1_pubkey *pubkey, const unsigned char *seckey) { - rustsecp256k1_v0_1_1_gej pj; - rustsecp256k1_v0_1_1_ge p; - rustsecp256k1_v0_1_1_scalar sec; - int overflow; +int rustsecp256k1_v0_1_2_ec_pubkey_create(const rustsecp256k1_v0_1_2_context* ctx, rustsecp256k1_v0_1_2_pubkey *pubkey, const unsigned char *seckey) { + rustsecp256k1_v0_1_2_gej pj; + rustsecp256k1_v0_1_2_ge p; + rustsecp256k1_v0_1_2_scalar sec; int ret = 0; VERIFY_CHECK(ctx != NULL); ARG_CHECK(pubkey != NULL); memset(pubkey, 0, sizeof(*pubkey)); - ARG_CHECK(rustsecp256k1_v0_1_1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); + ARG_CHECK(rustsecp256k1_v0_1_2_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); ARG_CHECK(seckey != NULL); - rustsecp256k1_v0_1_1_scalar_set_b32(&sec, seckey, &overflow); - ret = (!overflow) & (!rustsecp256k1_v0_1_1_scalar_is_zero(&sec)); - if (ret) { - rustsecp256k1_v0_1_1_ecmult_gen(&ctx->ecmult_gen_ctx, &pj, &sec); - rustsecp256k1_v0_1_1_ge_set_gej(&p, &pj); - rustsecp256k1_v0_1_1_pubkey_save(pubkey, &p); - } - rustsecp256k1_v0_1_1_scalar_clear(&sec); + ret = rustsecp256k1_v0_1_2_scalar_set_b32_seckey(&sec, seckey); + rustsecp256k1_v0_1_2_scalar_cmov(&sec, &rustsecp256k1_v0_1_2_scalar_one, !ret); + + rustsecp256k1_v0_1_2_ecmult_gen(&ctx->ecmult_gen_ctx, &pj, &sec); + rustsecp256k1_v0_1_2_ge_set_gej(&p, &pj); + rustsecp256k1_v0_1_2_pubkey_save(pubkey, &p); + memczero(pubkey, sizeof(*pubkey), !ret); + + rustsecp256k1_v0_1_2_scalar_clear(&sec); return ret; } -int rustsecp256k1_v0_1_1_ec_privkey_negate(const rustsecp256k1_v0_1_1_context* ctx, unsigned char *seckey) { - rustsecp256k1_v0_1_1_scalar sec; +int rustsecp256k1_v0_1_2_ec_seckey_negate(const rustsecp256k1_v0_1_2_context* ctx, unsigned char *seckey) { + rustsecp256k1_v0_1_2_scalar sec; + int ret = 0; VERIFY_CHECK(ctx != NULL); ARG_CHECK(seckey != NULL); - rustsecp256k1_v0_1_1_scalar_set_b32(&sec, seckey, NULL); - rustsecp256k1_v0_1_1_scalar_negate(&sec, &sec); - rustsecp256k1_v0_1_1_scalar_get_b32(seckey, &sec); + ret = rustsecp256k1_v0_1_2_scalar_set_b32_seckey(&sec, seckey); + rustsecp256k1_v0_1_2_scalar_cmov(&sec, &rustsecp256k1_v0_1_2_scalar_zero, !ret); + rustsecp256k1_v0_1_2_scalar_negate(&sec, &sec); + rustsecp256k1_v0_1_2_scalar_get_b32(seckey, &sec); - rustsecp256k1_v0_1_1_scalar_clear(&sec); - return 1; + rustsecp256k1_v0_1_2_scalar_clear(&sec); + return ret; +} + +int rustsecp256k1_v0_1_2_ec_privkey_negate(const rustsecp256k1_v0_1_2_context* ctx, unsigned char *seckey) { + return rustsecp256k1_v0_1_2_ec_seckey_negate(ctx, seckey); } -int rustsecp256k1_v0_1_1_ec_pubkey_negate(const rustsecp256k1_v0_1_1_context* ctx, rustsecp256k1_v0_1_1_pubkey *pubkey) { +int rustsecp256k1_v0_1_2_ec_pubkey_negate(const rustsecp256k1_v0_1_2_context* ctx, rustsecp256k1_v0_1_2_pubkey *pubkey) { int ret = 0; - rustsecp256k1_v0_1_1_ge p; + rustsecp256k1_v0_1_2_ge p; VERIFY_CHECK(ctx != NULL); ARG_CHECK(pubkey != NULL); - ret = rustsecp256k1_v0_1_1_pubkey_load(ctx, &p, pubkey); + ret = rustsecp256k1_v0_1_2_pubkey_load(ctx, &p, pubkey); memset(pubkey, 0, sizeof(*pubkey)); if (ret) { - rustsecp256k1_v0_1_1_ge_neg(&p, &p); - rustsecp256k1_v0_1_1_pubkey_save(pubkey, &p); + rustsecp256k1_v0_1_2_ge_neg(&p, &p); + rustsecp256k1_v0_1_2_pubkey_save(pubkey, &p); } return ret; } -int rustsecp256k1_v0_1_1_ec_privkey_tweak_add(const rustsecp256k1_v0_1_1_context* ctx, unsigned char *seckey, const unsigned char *tweak) { - rustsecp256k1_v0_1_1_scalar term; - rustsecp256k1_v0_1_1_scalar sec; +int rustsecp256k1_v0_1_2_ec_seckey_tweak_add(const rustsecp256k1_v0_1_2_context* ctx, unsigned char *seckey, const unsigned char *tweak) { + rustsecp256k1_v0_1_2_scalar term; + rustsecp256k1_v0_1_2_scalar sec; int ret = 0; int overflow = 0; VERIFY_CHECK(ctx != NULL); ARG_CHECK(seckey != NULL); ARG_CHECK(tweak != NULL); - rustsecp256k1_v0_1_1_scalar_set_b32(&term, tweak, &overflow); - rustsecp256k1_v0_1_1_scalar_set_b32(&sec, seckey, NULL); + rustsecp256k1_v0_1_2_scalar_set_b32(&term, tweak, &overflow); + ret = rustsecp256k1_v0_1_2_scalar_set_b32_seckey(&sec, seckey); - ret = !overflow && rustsecp256k1_v0_1_1_eckey_privkey_tweak_add(&sec, &term); - memset(seckey, 0, 32); - if (ret) { - rustsecp256k1_v0_1_1_scalar_get_b32(seckey, &sec); - } + ret &= (!overflow) & rustsecp256k1_v0_1_2_eckey_privkey_tweak_add(&sec, &term); + rustsecp256k1_v0_1_2_scalar_cmov(&sec, &rustsecp256k1_v0_1_2_scalar_zero, !ret); + rustsecp256k1_v0_1_2_scalar_get_b32(seckey, &sec); - rustsecp256k1_v0_1_1_scalar_clear(&sec); - rustsecp256k1_v0_1_1_scalar_clear(&term); + rustsecp256k1_v0_1_2_scalar_clear(&sec); + rustsecp256k1_v0_1_2_scalar_clear(&term); return ret; } -int rustsecp256k1_v0_1_1_ec_pubkey_tweak_add(const rustsecp256k1_v0_1_1_context* ctx, rustsecp256k1_v0_1_1_pubkey *pubkey, const unsigned char *tweak) { - rustsecp256k1_v0_1_1_ge p; - rustsecp256k1_v0_1_1_scalar term; +int rustsecp256k1_v0_1_2_ec_privkey_tweak_add(const rustsecp256k1_v0_1_2_context* ctx, unsigned char *seckey, const unsigned char *tweak) { + return rustsecp256k1_v0_1_2_ec_seckey_tweak_add(ctx, seckey, tweak); +} + +int rustsecp256k1_v0_1_2_ec_pubkey_tweak_add(const rustsecp256k1_v0_1_2_context* ctx, rustsecp256k1_v0_1_2_pubkey *pubkey, const unsigned char *tweak) { + rustsecp256k1_v0_1_2_ge p; + rustsecp256k1_v0_1_2_scalar term; int ret = 0; int overflow = 0; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1_v0_1_1_ecmult_context_is_built(&ctx->ecmult_ctx)); + ARG_CHECK(rustsecp256k1_v0_1_2_ecmult_context_is_built(&ctx->ecmult_ctx)); ARG_CHECK(pubkey != NULL); ARG_CHECK(tweak != NULL); - rustsecp256k1_v0_1_1_scalar_set_b32(&term, tweak, &overflow); - ret = !overflow && rustsecp256k1_v0_1_1_pubkey_load(ctx, &p, pubkey); + rustsecp256k1_v0_1_2_scalar_set_b32(&term, tweak, &overflow); + ret = !overflow && rustsecp256k1_v0_1_2_pubkey_load(ctx, &p, pubkey); memset(pubkey, 0, sizeof(*pubkey)); if (ret) { - if (rustsecp256k1_v0_1_1_eckey_pubkey_tweak_add(&ctx->ecmult_ctx, &p, &term)) { - rustsecp256k1_v0_1_1_pubkey_save(pubkey, &p); + if (rustsecp256k1_v0_1_2_eckey_pubkey_tweak_add(&ctx->ecmult_ctx, &p, &term)) { + rustsecp256k1_v0_1_2_pubkey_save(pubkey, &p); } else { ret = 0; } @@ -564,44 +598,46 @@ int rustsecp256k1_v0_1_1_ec_pubkey_tweak_add(const rustsecp256k1_v0_1_1_context* return ret; } -int rustsecp256k1_v0_1_1_ec_privkey_tweak_mul(const rustsecp256k1_v0_1_1_context* ctx, unsigned char *seckey, const unsigned char *tweak) { - rustsecp256k1_v0_1_1_scalar factor; - rustsecp256k1_v0_1_1_scalar sec; +int rustsecp256k1_v0_1_2_ec_seckey_tweak_mul(const rustsecp256k1_v0_1_2_context* ctx, unsigned char *seckey, const unsigned char *tweak) { + rustsecp256k1_v0_1_2_scalar factor; + rustsecp256k1_v0_1_2_scalar sec; int ret = 0; int overflow = 0; VERIFY_CHECK(ctx != NULL); ARG_CHECK(seckey != NULL); ARG_CHECK(tweak != NULL); - rustsecp256k1_v0_1_1_scalar_set_b32(&factor, tweak, &overflow); - rustsecp256k1_v0_1_1_scalar_set_b32(&sec, seckey, NULL); - ret = !overflow && rustsecp256k1_v0_1_1_eckey_privkey_tweak_mul(&sec, &factor); - memset(seckey, 0, 32); - if (ret) { - rustsecp256k1_v0_1_1_scalar_get_b32(seckey, &sec); - } + rustsecp256k1_v0_1_2_scalar_set_b32(&factor, tweak, &overflow); + ret = rustsecp256k1_v0_1_2_scalar_set_b32_seckey(&sec, seckey); + ret &= (!overflow) & rustsecp256k1_v0_1_2_eckey_privkey_tweak_mul(&sec, &factor); + rustsecp256k1_v0_1_2_scalar_cmov(&sec, &rustsecp256k1_v0_1_2_scalar_zero, !ret); + rustsecp256k1_v0_1_2_scalar_get_b32(seckey, &sec); - rustsecp256k1_v0_1_1_scalar_clear(&sec); - rustsecp256k1_v0_1_1_scalar_clear(&factor); + rustsecp256k1_v0_1_2_scalar_clear(&sec); + rustsecp256k1_v0_1_2_scalar_clear(&factor); return ret; } -int rustsecp256k1_v0_1_1_ec_pubkey_tweak_mul(const rustsecp256k1_v0_1_1_context* ctx, rustsecp256k1_v0_1_1_pubkey *pubkey, const unsigned char *tweak) { - rustsecp256k1_v0_1_1_ge p; - rustsecp256k1_v0_1_1_scalar factor; +int rustsecp256k1_v0_1_2_ec_privkey_tweak_mul(const rustsecp256k1_v0_1_2_context* ctx, unsigned char *seckey, const unsigned char *tweak) { + return rustsecp256k1_v0_1_2_ec_seckey_tweak_mul(ctx, seckey, tweak); +} + +int rustsecp256k1_v0_1_2_ec_pubkey_tweak_mul(const rustsecp256k1_v0_1_2_context* ctx, rustsecp256k1_v0_1_2_pubkey *pubkey, const unsigned char *tweak) { + rustsecp256k1_v0_1_2_ge p; + rustsecp256k1_v0_1_2_scalar factor; int ret = 0; int overflow = 0; VERIFY_CHECK(ctx != NULL); - ARG_CHECK(rustsecp256k1_v0_1_1_ecmult_context_is_built(&ctx->ecmult_ctx)); + ARG_CHECK(rustsecp256k1_v0_1_2_ecmult_context_is_built(&ctx->ecmult_ctx)); ARG_CHECK(pubkey != NULL); ARG_CHECK(tweak != NULL); - rustsecp256k1_v0_1_1_scalar_set_b32(&factor, tweak, &overflow); - ret = !overflow && rustsecp256k1_v0_1_1_pubkey_load(ctx, &p, pubkey); + rustsecp256k1_v0_1_2_scalar_set_b32(&factor, tweak, &overflow); + ret = !overflow && rustsecp256k1_v0_1_2_pubkey_load(ctx, &p, pubkey); memset(pubkey, 0, sizeof(*pubkey)); if (ret) { - if (rustsecp256k1_v0_1_1_eckey_pubkey_tweak_mul(&ctx->ecmult_ctx, &p, &factor)) { - rustsecp256k1_v0_1_1_pubkey_save(pubkey, &p); + if (rustsecp256k1_v0_1_2_eckey_pubkey_tweak_mul(&ctx->ecmult_ctx, &p, &factor)) { + rustsecp256k1_v0_1_2_pubkey_save(pubkey, &p); } else { ret = 0; } @@ -610,35 +646,35 @@ int rustsecp256k1_v0_1_1_ec_pubkey_tweak_mul(const rustsecp256k1_v0_1_1_context* return ret; } -int rustsecp256k1_v0_1_1_context_randomize(rustsecp256k1_v0_1_1_context* ctx, const unsigned char *seed32) { +int rustsecp256k1_v0_1_2_context_randomize(rustsecp256k1_v0_1_2_context* ctx, const unsigned char *seed32) { VERIFY_CHECK(ctx != NULL); - if (rustsecp256k1_v0_1_1_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)) { - rustsecp256k1_v0_1_1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32); + if (rustsecp256k1_v0_1_2_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)) { + rustsecp256k1_v0_1_2_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32); } return 1; } -int rustsecp256k1_v0_1_1_ec_pubkey_combine(const rustsecp256k1_v0_1_1_context* ctx, rustsecp256k1_v0_1_1_pubkey *pubnonce, const rustsecp256k1_v0_1_1_pubkey * const *pubnonces, size_t n) { +int rustsecp256k1_v0_1_2_ec_pubkey_combine(const rustsecp256k1_v0_1_2_context* ctx, rustsecp256k1_v0_1_2_pubkey *pubnonce, const rustsecp256k1_v0_1_2_pubkey * const *pubnonces, size_t n) { size_t i; - rustsecp256k1_v0_1_1_gej Qj; - rustsecp256k1_v0_1_1_ge Q; + rustsecp256k1_v0_1_2_gej Qj; + rustsecp256k1_v0_1_2_ge Q; ARG_CHECK(pubnonce != NULL); memset(pubnonce, 0, sizeof(*pubnonce)); ARG_CHECK(n >= 1); ARG_CHECK(pubnonces != NULL); - rustsecp256k1_v0_1_1_gej_set_infinity(&Qj); + rustsecp256k1_v0_1_2_gej_set_infinity(&Qj); for (i = 0; i < n; i++) { - rustsecp256k1_v0_1_1_pubkey_load(ctx, &Q, pubnonces[i]); - rustsecp256k1_v0_1_1_gej_add_ge(&Qj, &Qj, &Q); + rustsecp256k1_v0_1_2_pubkey_load(ctx, &Q, pubnonces[i]); + rustsecp256k1_v0_1_2_gej_add_ge(&Qj, &Qj, &Q); } - if (rustsecp256k1_v0_1_1_gej_is_infinity(&Qj)) { + if (rustsecp256k1_v0_1_2_gej_is_infinity(&Qj)) { return 0; } - rustsecp256k1_v0_1_1_ge_set_gej(&Q, &Qj); - rustsecp256k1_v0_1_1_pubkey_save(pubnonce, &Q); + rustsecp256k1_v0_1_2_ge_set_gej(&Q, &Qj); + rustsecp256k1_v0_1_2_pubkey_save(pubnonce, &Q); return 1; } diff --git a/secp256k1-sys/depend/secp256k1/src/secp256k1.c.orig b/secp256k1-sys/depend/secp256k1/src/secp256k1.c.orig new file mode 100644 index 000000000..7ba696efb --- /dev/null +++ b/secp256k1-sys/depend/secp256k1/src/secp256k1.c.orig @@ -0,0 +1,726 @@ +/********************************************************************** + * Copyright (c) 2013-2015 Pieter Wuille * + * Distributed under the MIT software license, see the accompanying * + * file COPYING or http://www.opensource.org/licenses/mit-license.php.* + **********************************************************************/ + +#include "include/secp256k1.h" +#include "include/secp256k1_preallocated.h" + +#include "util.h" +#include "num_impl.h" +#include "field_impl.h" +#include "scalar_impl.h" +#include "group_impl.h" +#include "ecmult_impl.h" +#include "ecmult_const_impl.h" +#include "ecmult_gen_impl.h" +#include "ecdsa_impl.h" +#include "eckey_impl.h" +#include "hash_impl.h" +#include "scratch_impl.h" + +#if defined(VALGRIND) +# include +#endif + +#define ARG_CHECK(cond) do { \ + if (EXPECT(!(cond), 0)) { \ + rustsecp256k1_v0_1_2_callback_call(&ctx->illegal_callback, #cond); \ + return 0; \ + } \ +} while(0) + +#define ARG_CHECK_NO_RETURN(cond) do { \ + if (EXPECT(!(cond), 0)) { \ + rustsecp256k1_v0_1_2_callback_call(&ctx->illegal_callback, #cond); \ + } \ +} while(0) + +#ifndef USE_EXTERNAL_DEFAULT_CALLBACKS +#include +#include +static void rustsecp256k1_v0_1_2_default_illegal_callback_fn(const char* str, void* data) { + (void)data; + fprintf(stderr, "[libsecp256k1] illegal argument: %s\n", str); + abort(); +} +static void rustsecp256k1_v0_1_2_default_error_callback_fn(const char* str, void* data) { + (void)data; + fprintf(stderr, "[libsecp256k1] internal consistency check failed: %s\n", str); + abort(); +} +#else +void rustsecp256k1_v0_1_2_default_illegal_callback_fn(const char* str, void* data); +void rustsecp256k1_v0_1_2_default_error_callback_fn(const char* str, void* data); +#endif + +static const rustsecp256k1_v0_1_2_callback default_illegal_callback = { + rustsecp256k1_v0_1_2_default_illegal_callback_fn, + NULL +}; + +static const rustsecp256k1_v0_1_2_callback default_error_callback = { + rustsecp256k1_v0_1_2_default_error_callback_fn, + NULL +}; + +struct rustsecp256k1_v0_1_2_context_struct { + rustsecp256k1_v0_1_2_ecmult_context ecmult_ctx; + rustsecp256k1_v0_1_2_ecmult_gen_context ecmult_gen_ctx; + rustsecp256k1_v0_1_2_callback illegal_callback; + rustsecp256k1_v0_1_2_callback error_callback; + int declassify; +}; + +static const rustsecp256k1_v0_1_2_context rustsecp256k1_v0_1_2_context_no_precomp_ = { + { 0 }, + { 0 }, + { rustsecp256k1_v0_1_2_default_illegal_callback_fn, 0 }, + { rustsecp256k1_v0_1_2_default_error_callback_fn, 0 }, + 0 +}; +const rustsecp256k1_v0_1_2_context *rustsecp256k1_v0_1_2_context_no_precomp = &rustsecp256k1_v0_1_2_context_no_precomp_; + +size_t rustsecp256k1_v0_1_2_context_preallocated_size(unsigned int flags) { + size_t ret = ROUND_TO_ALIGN(sizeof(rustsecp256k1_v0_1_2_context)); + + if (EXPECT((flags & SECP256K1_FLAGS_TYPE_MASK) != SECP256K1_FLAGS_TYPE_CONTEXT, 0)) { + rustsecp256k1_v0_1_2_callback_call(&default_illegal_callback, + "Invalid flags"); + return 0; + } + + if (flags & SECP256K1_FLAGS_BIT_CONTEXT_SIGN) { + ret += SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE; + } + if (flags & SECP256K1_FLAGS_BIT_CONTEXT_VERIFY) { + ret += SECP256K1_ECMULT_CONTEXT_PREALLOCATED_SIZE; + } + return ret; +} + +size_t rustsecp256k1_v0_1_2_context_preallocated_clone_size(const rustsecp256k1_v0_1_2_context* ctx) { + size_t ret = ROUND_TO_ALIGN(sizeof(rustsecp256k1_v0_1_2_context)); + VERIFY_CHECK(ctx != NULL); + if (rustsecp256k1_v0_1_2_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)) { + ret += SECP256K1_ECMULT_GEN_CONTEXT_PREALLOCATED_SIZE; + } + if (rustsecp256k1_v0_1_2_ecmult_context_is_built(&ctx->ecmult_ctx)) { + ret += SECP256K1_ECMULT_CONTEXT_PREALLOCATED_SIZE; + } + return ret; +} + +rustsecp256k1_v0_1_2_context* rustsecp256k1_v0_1_2_context_preallocated_create(void* prealloc, unsigned int flags) { + void* const base = prealloc; + size_t prealloc_size; + rustsecp256k1_v0_1_2_context* ret; + + VERIFY_CHECK(prealloc != NULL); + prealloc_size = rustsecp256k1_v0_1_2_context_preallocated_size(flags); + ret = (rustsecp256k1_v0_1_2_context*)manual_alloc(&prealloc, sizeof(rustsecp256k1_v0_1_2_context), base, prealloc_size); + ret->illegal_callback = default_illegal_callback; + ret->error_callback = default_error_callback; + + if (EXPECT((flags & SECP256K1_FLAGS_TYPE_MASK) != SECP256K1_FLAGS_TYPE_CONTEXT, 0)) { + rustsecp256k1_v0_1_2_callback_call(&ret->illegal_callback, + "Invalid flags"); + return NULL; + } + + rustsecp256k1_v0_1_2_ecmult_context_init(&ret->ecmult_ctx); + rustsecp256k1_v0_1_2_ecmult_gen_context_init(&ret->ecmult_gen_ctx); + + if (flags & SECP256K1_FLAGS_BIT_CONTEXT_SIGN) { + rustsecp256k1_v0_1_2_ecmult_gen_context_build(&ret->ecmult_gen_ctx, &prealloc); + } + if (flags & SECP256K1_FLAGS_BIT_CONTEXT_VERIFY) { + rustsecp256k1_v0_1_2_ecmult_context_build(&ret->ecmult_ctx, &prealloc); + } + ret->declassify = !!(flags & SECP256K1_FLAGS_BIT_CONTEXT_DECLASSIFY); + + return (rustsecp256k1_v0_1_2_context*) ret; +} + +rustsecp256k1_v0_1_2_context* rustsecp256k1_v0_1_2_context_create(unsigned int flags) { + size_t const prealloc_size = rustsecp256k1_v0_1_2_context_preallocated_size(flags); + rustsecp256k1_v0_1_2_context* ctx = (rustsecp256k1_v0_1_2_context*)checked_malloc(&default_error_callback, prealloc_size); + if (EXPECT(rustsecp256k1_v0_1_2_context_preallocated_create(ctx, flags) == NULL, 0)) { + free(ctx); + return NULL; + } + + return ctx; +} + +rustsecp256k1_v0_1_2_context* rustsecp256k1_v0_1_2_context_preallocated_clone(const rustsecp256k1_v0_1_2_context* ctx, void* prealloc) { + size_t prealloc_size; + rustsecp256k1_v0_1_2_context* ret; + VERIFY_CHECK(ctx != NULL); + ARG_CHECK(prealloc != NULL); + + prealloc_size = rustsecp256k1_v0_1_2_context_preallocated_clone_size(ctx); + ret = (rustsecp256k1_v0_1_2_context*)prealloc; + memcpy(ret, ctx, prealloc_size); + rustsecp256k1_v0_1_2_ecmult_gen_context_finalize_memcpy(&ret->ecmult_gen_ctx, &ctx->ecmult_gen_ctx); + rustsecp256k1_v0_1_2_ecmult_context_finalize_memcpy(&ret->ecmult_ctx, &ctx->ecmult_ctx); + return ret; +} + +rustsecp256k1_v0_1_2_context* rustsecp256k1_v0_1_2_context_clone(const rustsecp256k1_v0_1_2_context* ctx) { + rustsecp256k1_v0_1_2_context* ret; + size_t prealloc_size; + + VERIFY_CHECK(ctx != NULL); + prealloc_size = rustsecp256k1_v0_1_2_context_preallocated_clone_size(ctx); + ret = (rustsecp256k1_v0_1_2_context*)checked_malloc(&ctx->error_callback, prealloc_size); + ret = rustsecp256k1_v0_1_2_context_preallocated_clone(ctx, ret); + return ret; +} + +void rustsecp256k1_v0_1_2_context_preallocated_destroy(rustsecp256k1_v0_1_2_context* ctx) { + ARG_CHECK_NO_RETURN(ctx != rustsecp256k1_v0_1_2_context_no_precomp); + if (ctx != NULL) { + rustsecp256k1_v0_1_2_ecmult_context_clear(&ctx->ecmult_ctx); + rustsecp256k1_v0_1_2_ecmult_gen_context_clear(&ctx->ecmult_gen_ctx); + } +} + +void rustsecp256k1_v0_1_2_context_destroy(rustsecp256k1_v0_1_2_context* ctx) { + if (ctx != NULL) { + rustsecp256k1_v0_1_2_context_preallocated_destroy(ctx); + free(ctx); + } +} + +void rustsecp256k1_v0_1_2_context_set_illegal_callback(rustsecp256k1_v0_1_2_context* ctx, void (*fun)(const char* message, void* data), const void* data) { + ARG_CHECK_NO_RETURN(ctx != rustsecp256k1_v0_1_2_context_no_precomp); + if (fun == NULL) { + fun = rustsecp256k1_v0_1_2_default_illegal_callback_fn; + } + ctx->illegal_callback.fn = fun; + ctx->illegal_callback.data = data; +} + +void rustsecp256k1_v0_1_2_context_set_error_callback(rustsecp256k1_v0_1_2_context* ctx, void (*fun)(const char* message, void* data), const void* data) { + ARG_CHECK_NO_RETURN(ctx != rustsecp256k1_v0_1_2_context_no_precomp); + if (fun == NULL) { + fun = rustsecp256k1_v0_1_2_default_error_callback_fn; + } + ctx->error_callback.fn = fun; + ctx->error_callback.data = data; +} + +rustsecp256k1_v0_1_2_scratch_space* rustsecp256k1_v0_1_2_scratch_space_create(const rustsecp256k1_v0_1_2_context* ctx, size_t max_size) { + VERIFY_CHECK(ctx != NULL); + return rustsecp256k1_v0_1_2_scratch_create(&ctx->error_callback, max_size); +} + +void rustsecp256k1_v0_1_2_scratch_space_destroy(const rustsecp256k1_v0_1_2_context *ctx, rustsecp256k1_v0_1_2_scratch_space* scratch) { + VERIFY_CHECK(ctx != NULL); + rustsecp256k1_v0_1_2_scratch_destroy(&ctx->error_callback, scratch); +} + +/* Mark memory as no-longer-secret for the purpose of analysing constant-time behaviour + * of the software. This is setup for use with valgrind but could be substituted with + * the appropriate instrumentation for other analysis tools. + */ +static SECP256K1_INLINE void rustsecp256k1_v0_1_2_declassify(const rustsecp256k1_v0_1_2_context* ctx, void *p, size_t len) { +#if defined(VALGRIND) + if (EXPECT(ctx->declassify,0)) VALGRIND_MAKE_MEM_DEFINED(p, len); +#else + (void)ctx; + (void)p; + (void)len; +#endif +} + +static int rustsecp256k1_v0_1_2_pubkey_load(const rustsecp256k1_v0_1_2_context* ctx, rustsecp256k1_v0_1_2_ge* ge, const rustsecp256k1_v0_1_2_pubkey* pubkey) { + if (sizeof(rustsecp256k1_v0_1_2_ge_storage) == 64) { + /* When the rustsecp256k1_v0_1_2_ge_storage type is exactly 64 byte, use its + * representation inside rustsecp256k1_v0_1_2_pubkey, as conversion is very fast. + * Note that rustsecp256k1_v0_1_2_pubkey_save must use the same representation. */ + rustsecp256k1_v0_1_2_ge_storage s; + memcpy(&s, &pubkey->data[0], sizeof(s)); + rustsecp256k1_v0_1_2_ge_from_storage(ge, &s); + } else { + /* Otherwise, fall back to 32-byte big endian for X and Y. */ + rustsecp256k1_v0_1_2_fe x, y; + rustsecp256k1_v0_1_2_fe_set_b32(&x, pubkey->data); + rustsecp256k1_v0_1_2_fe_set_b32(&y, pubkey->data + 32); + rustsecp256k1_v0_1_2_ge_set_xy(ge, &x, &y); + } + ARG_CHECK(!rustsecp256k1_v0_1_2_fe_is_zero(&ge->x)); + return 1; +} + +static void rustsecp256k1_v0_1_2_pubkey_save(rustsecp256k1_v0_1_2_pubkey* pubkey, rustsecp256k1_v0_1_2_ge* ge) { + if (sizeof(rustsecp256k1_v0_1_2_ge_storage) == 64) { + rustsecp256k1_v0_1_2_ge_storage s; + rustsecp256k1_v0_1_2_ge_to_storage(&s, ge); + memcpy(&pubkey->data[0], &s, sizeof(s)); + } else { + VERIFY_CHECK(!rustsecp256k1_v0_1_2_ge_is_infinity(ge)); + rustsecp256k1_v0_1_2_fe_normalize_var(&ge->x); + rustsecp256k1_v0_1_2_fe_normalize_var(&ge->y); + rustsecp256k1_v0_1_2_fe_get_b32(pubkey->data, &ge->x); + rustsecp256k1_v0_1_2_fe_get_b32(pubkey->data + 32, &ge->y); + } +} + +int rustsecp256k1_v0_1_2_ec_pubkey_parse(const rustsecp256k1_v0_1_2_context* ctx, rustsecp256k1_v0_1_2_pubkey* pubkey, const unsigned char *input, size_t inputlen) { + rustsecp256k1_v0_1_2_ge Q; + + VERIFY_CHECK(ctx != NULL); + ARG_CHECK(pubkey != NULL); + memset(pubkey, 0, sizeof(*pubkey)); + ARG_CHECK(input != NULL); + if (!rustsecp256k1_v0_1_2_eckey_pubkey_parse(&Q, input, inputlen)) { + return 0; + } + rustsecp256k1_v0_1_2_pubkey_save(pubkey, &Q); + rustsecp256k1_v0_1_2_ge_clear(&Q); + return 1; +} + +int rustsecp256k1_v0_1_2_ec_pubkey_serialize(const rustsecp256k1_v0_1_2_context* ctx, unsigned char *output, size_t *outputlen, const rustsecp256k1_v0_1_2_pubkey* pubkey, unsigned int flags) { + rustsecp256k1_v0_1_2_ge Q; + size_t len; + int ret = 0; + + VERIFY_CHECK(ctx != NULL); + ARG_CHECK(outputlen != NULL); + ARG_CHECK(*outputlen >= ((flags & SECP256K1_FLAGS_BIT_COMPRESSION) ? 33 : 65)); + len = *outputlen; + *outputlen = 0; + ARG_CHECK(output != NULL); + memset(output, 0, len); + ARG_CHECK(pubkey != NULL); + ARG_CHECK((flags & SECP256K1_FLAGS_TYPE_MASK) == SECP256K1_FLAGS_TYPE_COMPRESSION); + if (rustsecp256k1_v0_1_2_pubkey_load(ctx, &Q, pubkey)) { + ret = rustsecp256k1_v0_1_2_eckey_pubkey_serialize(&Q, output, &len, flags & SECP256K1_FLAGS_BIT_COMPRESSION); + if (ret) { + *outputlen = len; + } + } + return ret; +} + +static void rustsecp256k1_v0_1_2_ecdsa_signature_load(const rustsecp256k1_v0_1_2_context* ctx, rustsecp256k1_v0_1_2_scalar* r, rustsecp256k1_v0_1_2_scalar* s, const rustsecp256k1_v0_1_2_ecdsa_signature* sig) { + (void)ctx; + if (sizeof(rustsecp256k1_v0_1_2_scalar) == 32) { + /* When the rustsecp256k1_v0_1_2_scalar type is exactly 32 byte, use its + * representation inside rustsecp256k1_v0_1_2_ecdsa_signature, as conversion is very fast. + * Note that rustsecp256k1_v0_1_2_ecdsa_signature_save must use the same representation. */ + memcpy(r, &sig->data[0], 32); + memcpy(s, &sig->data[32], 32); + } else { + rustsecp256k1_v0_1_2_scalar_set_b32(r, &sig->data[0], NULL); + rustsecp256k1_v0_1_2_scalar_set_b32(s, &sig->data[32], NULL); + } +} + +static void rustsecp256k1_v0_1_2_ecdsa_signature_save(rustsecp256k1_v0_1_2_ecdsa_signature* sig, const rustsecp256k1_v0_1_2_scalar* r, const rustsecp256k1_v0_1_2_scalar* s) { + if (sizeof(rustsecp256k1_v0_1_2_scalar) == 32) { + memcpy(&sig->data[0], r, 32); + memcpy(&sig->data[32], s, 32); + } else { + rustsecp256k1_v0_1_2_scalar_get_b32(&sig->data[0], r); + rustsecp256k1_v0_1_2_scalar_get_b32(&sig->data[32], s); + } +} + +int rustsecp256k1_v0_1_2_ecdsa_signature_parse_der(const rustsecp256k1_v0_1_2_context* ctx, rustsecp256k1_v0_1_2_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) { + rustsecp256k1_v0_1_2_scalar r, s; + + VERIFY_CHECK(ctx != NULL); + ARG_CHECK(sig != NULL); + ARG_CHECK(input != NULL); + + if (rustsecp256k1_v0_1_2_ecdsa_sig_parse(&r, &s, input, inputlen)) { + rustsecp256k1_v0_1_2_ecdsa_signature_save(sig, &r, &s); + return 1; + } else { + memset(sig, 0, sizeof(*sig)); + return 0; + } +} + +int rustsecp256k1_v0_1_2_ecdsa_signature_parse_compact(const rustsecp256k1_v0_1_2_context* ctx, rustsecp256k1_v0_1_2_ecdsa_signature* sig, const unsigned char *input64) { + rustsecp256k1_v0_1_2_scalar r, s; + int ret = 1; + int overflow = 0; + + VERIFY_CHECK(ctx != NULL); + ARG_CHECK(sig != NULL); + ARG_CHECK(input64 != NULL); + + rustsecp256k1_v0_1_2_scalar_set_b32(&r, &input64[0], &overflow); + ret &= !overflow; + rustsecp256k1_v0_1_2_scalar_set_b32(&s, &input64[32], &overflow); + ret &= !overflow; + if (ret) { + rustsecp256k1_v0_1_2_ecdsa_signature_save(sig, &r, &s); + } else { + memset(sig, 0, sizeof(*sig)); + } + return ret; +} + +int rustsecp256k1_v0_1_2_ecdsa_signature_serialize_der(const rustsecp256k1_v0_1_2_context* ctx, unsigned char *output, size_t *outputlen, const rustsecp256k1_v0_1_2_ecdsa_signature* sig) { + rustsecp256k1_v0_1_2_scalar r, s; + + VERIFY_CHECK(ctx != NULL); + ARG_CHECK(output != NULL); + ARG_CHECK(outputlen != NULL); + ARG_CHECK(sig != NULL); + + rustsecp256k1_v0_1_2_ecdsa_signature_load(ctx, &r, &s, sig); + return rustsecp256k1_v0_1_2_ecdsa_sig_serialize(output, outputlen, &r, &s); +} + +int rustsecp256k1_v0_1_2_ecdsa_signature_serialize_compact(const rustsecp256k1_v0_1_2_context* ctx, unsigned char *output64, const rustsecp256k1_v0_1_2_ecdsa_signature* sig) { + rustsecp256k1_v0_1_2_scalar r, s; + + VERIFY_CHECK(ctx != NULL); + ARG_CHECK(output64 != NULL); + ARG_CHECK(sig != NULL); + + rustsecp256k1_v0_1_2_ecdsa_signature_load(ctx, &r, &s, sig); + rustsecp256k1_v0_1_2_scalar_get_b32(&output64[0], &r); + rustsecp256k1_v0_1_2_scalar_get_b32(&output64[32], &s); + return 1; +} + +int rustsecp256k1_v0_1_2_ecdsa_signature_normalize(const rustsecp256k1_v0_1_2_context* ctx, rustsecp256k1_v0_1_2_ecdsa_signature *sigout, const rustsecp256k1_v0_1_2_ecdsa_signature *sigin) { + rustsecp256k1_v0_1_2_scalar r, s; + int ret = 0; + + VERIFY_CHECK(ctx != NULL); + ARG_CHECK(sigin != NULL); + + rustsecp256k1_v0_1_2_ecdsa_signature_load(ctx, &r, &s, sigin); + ret = rustsecp256k1_v0_1_2_scalar_is_high(&s); + if (sigout != NULL) { + if (ret) { + rustsecp256k1_v0_1_2_scalar_negate(&s, &s); + } + rustsecp256k1_v0_1_2_ecdsa_signature_save(sigout, &r, &s); + } + + return ret; +} + +int rustsecp256k1_v0_1_2_ecdsa_verify(const rustsecp256k1_v0_1_2_context* ctx, const rustsecp256k1_v0_1_2_ecdsa_signature *sig, const unsigned char *msg32, const rustsecp256k1_v0_1_2_pubkey *pubkey) { + rustsecp256k1_v0_1_2_ge q; + rustsecp256k1_v0_1_2_scalar r, s; + rustsecp256k1_v0_1_2_scalar m; + VERIFY_CHECK(ctx != NULL); + ARG_CHECK(rustsecp256k1_v0_1_2_ecmult_context_is_built(&ctx->ecmult_ctx)); + ARG_CHECK(msg32 != NULL); + ARG_CHECK(sig != NULL); + ARG_CHECK(pubkey != NULL); + + rustsecp256k1_v0_1_2_scalar_set_b32(&m, msg32, NULL); + rustsecp256k1_v0_1_2_ecdsa_signature_load(ctx, &r, &s, sig); + return (!rustsecp256k1_v0_1_2_scalar_is_high(&s) && + rustsecp256k1_v0_1_2_pubkey_load(ctx, &q, pubkey) && + rustsecp256k1_v0_1_2_ecdsa_sig_verify(&ctx->ecmult_ctx, &r, &s, &q, &m)); +} + +static SECP256K1_INLINE void buffer_append(unsigned char *buf, unsigned int *offset, const void *data, unsigned int len) { + memcpy(buf + *offset, data, len); + *offset += len; +} + +static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) { + unsigned char keydata[112]; + unsigned int offset = 0; + rustsecp256k1_v0_1_2_rfc6979_hmac_sha256 rng; + unsigned int i; + /* We feed a byte array to the PRNG as input, consisting of: + * - the private key (32 bytes) and message (32 bytes), see RFC 6979 3.2d. + * - optionally 32 extra bytes of data, see RFC 6979 3.6 Additional Data. + * - optionally 16 extra bytes with the algorithm name. + * Because the arguments have distinct fixed lengths it is not possible for + * different argument mixtures to emulate each other and result in the same + * nonces. + */ + buffer_append(keydata, &offset, key32, 32); + buffer_append(keydata, &offset, msg32, 32); + if (data != NULL) { + buffer_append(keydata, &offset, data, 32); + } + if (algo16 != NULL) { + buffer_append(keydata, &offset, algo16, 16); + } + rustsecp256k1_v0_1_2_rfc6979_hmac_sha256_initialize(&rng, keydata, offset); + memset(keydata, 0, sizeof(keydata)); + for (i = 0; i <= counter; i++) { + rustsecp256k1_v0_1_2_rfc6979_hmac_sha256_generate(&rng, nonce32, 32); + } + rustsecp256k1_v0_1_2_rfc6979_hmac_sha256_finalize(&rng); + return 1; +} + +const rustsecp256k1_v0_1_2_nonce_function rustsecp256k1_v0_1_2_nonce_function_rfc6979 = nonce_function_rfc6979; +const rustsecp256k1_v0_1_2_nonce_function rustsecp256k1_v0_1_2_nonce_function_default = nonce_function_rfc6979; + +int rustsecp256k1_v0_1_2_ecdsa_sign(const rustsecp256k1_v0_1_2_context* ctx, rustsecp256k1_v0_1_2_ecdsa_signature *signature, const unsigned char *msg32, const unsigned char *seckey, rustsecp256k1_v0_1_2_nonce_function noncefp, const void* noncedata) { + rustsecp256k1_v0_1_2_scalar r, s; + rustsecp256k1_v0_1_2_scalar sec, non, msg; + int ret = 0; + int is_sec_valid; + unsigned char nonce32[32]; + unsigned int count = 0; + VERIFY_CHECK(ctx != NULL); + ARG_CHECK(rustsecp256k1_v0_1_2_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); + ARG_CHECK(msg32 != NULL); + ARG_CHECK(signature != NULL); + ARG_CHECK(seckey != NULL); + if (noncefp == NULL) { + noncefp = rustsecp256k1_v0_1_2_nonce_function_default; + } + + /* Fail if the secret key is invalid. */ + is_sec_valid = rustsecp256k1_v0_1_2_scalar_set_b32_seckey(&sec, seckey); + rustsecp256k1_v0_1_2_scalar_cmov(&sec, &rustsecp256k1_v0_1_2_scalar_one, !is_sec_valid); + rustsecp256k1_v0_1_2_scalar_set_b32(&msg, msg32, NULL); + while (1) { + int is_nonce_valid; + ret = !!noncefp(nonce32, msg32, seckey, NULL, (void*)noncedata, count); + if (!ret) { + break; + } + is_nonce_valid = rustsecp256k1_v0_1_2_scalar_set_b32_seckey(&non, nonce32); + /* The nonce is still secret here, but it being invalid is is less likely than 1:2^255. */ + rustsecp256k1_v0_1_2_declassify(ctx, &is_nonce_valid, sizeof(is_nonce_valid)); + if (is_nonce_valid) { + ret = rustsecp256k1_v0_1_2_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, &r, &s, &sec, &msg, &non, NULL); + /* The final signature is no longer a secret, nor is the fact that we were successful or not. */ + rustsecp256k1_v0_1_2_declassify(ctx, &ret, sizeof(ret)); + if (ret) { + break; + } + } + count++; + } + /* We don't want to declassify is_sec_valid and therefore the range of + * seckey. As a result is_sec_valid is included in ret only after ret was + * used as a branching variable. */ + ret &= is_sec_valid; + memset(nonce32, 0, 32); + rustsecp256k1_v0_1_2_scalar_clear(&msg); + rustsecp256k1_v0_1_2_scalar_clear(&non); + rustsecp256k1_v0_1_2_scalar_clear(&sec); + rustsecp256k1_v0_1_2_scalar_cmov(&r, &rustsecp256k1_v0_1_2_scalar_zero, !ret); + rustsecp256k1_v0_1_2_scalar_cmov(&s, &rustsecp256k1_v0_1_2_scalar_zero, !ret); + rustsecp256k1_v0_1_2_ecdsa_signature_save(signature, &r, &s); + return ret; +} + +int rustsecp256k1_v0_1_2_ec_seckey_verify(const rustsecp256k1_v0_1_2_context* ctx, const unsigned char *seckey) { + rustsecp256k1_v0_1_2_scalar sec; + int ret; + VERIFY_CHECK(ctx != NULL); + ARG_CHECK(seckey != NULL); + + ret = rustsecp256k1_v0_1_2_scalar_set_b32_seckey(&sec, seckey); + rustsecp256k1_v0_1_2_scalar_clear(&sec); + return ret; +} + +int rustsecp256k1_v0_1_2_ec_pubkey_create(const rustsecp256k1_v0_1_2_context* ctx, rustsecp256k1_v0_1_2_pubkey *pubkey, const unsigned char *seckey) { + rustsecp256k1_v0_1_2_gej pj; + rustsecp256k1_v0_1_2_ge p; + rustsecp256k1_v0_1_2_scalar sec; + int ret = 0; + VERIFY_CHECK(ctx != NULL); + ARG_CHECK(pubkey != NULL); + memset(pubkey, 0, sizeof(*pubkey)); + ARG_CHECK(rustsecp256k1_v0_1_2_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)); + ARG_CHECK(seckey != NULL); + + ret = rustsecp256k1_v0_1_2_scalar_set_b32_seckey(&sec, seckey); + rustsecp256k1_v0_1_2_scalar_cmov(&sec, &rustsecp256k1_v0_1_2_scalar_one, !ret); + + rustsecp256k1_v0_1_2_ecmult_gen(&ctx->ecmult_gen_ctx, &pj, &sec); + rustsecp256k1_v0_1_2_ge_set_gej(&p, &pj); + rustsecp256k1_v0_1_2_pubkey_save(pubkey, &p); + memczero(pubkey, sizeof(*pubkey), !ret); + + rustsecp256k1_v0_1_2_scalar_clear(&sec); + return ret; +} + +int rustsecp256k1_v0_1_2_ec_seckey_negate(const rustsecp256k1_v0_1_2_context* ctx, unsigned char *seckey) { + rustsecp256k1_v0_1_2_scalar sec; + int ret = 0; + VERIFY_CHECK(ctx != NULL); + ARG_CHECK(seckey != NULL); + + ret = rustsecp256k1_v0_1_2_scalar_set_b32_seckey(&sec, seckey); + rustsecp256k1_v0_1_2_scalar_cmov(&sec, &rustsecp256k1_v0_1_2_scalar_zero, !ret); + rustsecp256k1_v0_1_2_scalar_negate(&sec, &sec); + rustsecp256k1_v0_1_2_scalar_get_b32(seckey, &sec); + + rustsecp256k1_v0_1_2_scalar_clear(&sec); + return ret; +} + +int rustsecp256k1_v0_1_2_ec_privkey_negate(const rustsecp256k1_v0_1_2_context* ctx, unsigned char *seckey) { + return rustsecp256k1_v0_1_2_ec_seckey_negate(ctx, seckey); +} + +int rustsecp256k1_v0_1_2_ec_pubkey_negate(const rustsecp256k1_v0_1_2_context* ctx, rustsecp256k1_v0_1_2_pubkey *pubkey) { + int ret = 0; + rustsecp256k1_v0_1_2_ge p; + VERIFY_CHECK(ctx != NULL); + ARG_CHECK(pubkey != NULL); + + ret = rustsecp256k1_v0_1_2_pubkey_load(ctx, &p, pubkey); + memset(pubkey, 0, sizeof(*pubkey)); + if (ret) { + rustsecp256k1_v0_1_2_ge_neg(&p, &p); + rustsecp256k1_v0_1_2_pubkey_save(pubkey, &p); + } + return ret; +} + +int rustsecp256k1_v0_1_2_ec_seckey_tweak_add(const rustsecp256k1_v0_1_2_context* ctx, unsigned char *seckey, const unsigned char *tweak) { + rustsecp256k1_v0_1_2_scalar term; + rustsecp256k1_v0_1_2_scalar sec; + int ret = 0; + int overflow = 0; + VERIFY_CHECK(ctx != NULL); + ARG_CHECK(seckey != NULL); + ARG_CHECK(tweak != NULL); + + rustsecp256k1_v0_1_2_scalar_set_b32(&term, tweak, &overflow); + ret = rustsecp256k1_v0_1_2_scalar_set_b32_seckey(&sec, seckey); + + ret &= (!overflow) & rustsecp256k1_v0_1_2_eckey_privkey_tweak_add(&sec, &term); + rustsecp256k1_v0_1_2_scalar_cmov(&sec, &rustsecp256k1_v0_1_2_scalar_zero, !ret); + rustsecp256k1_v0_1_2_scalar_get_b32(seckey, &sec); + + rustsecp256k1_v0_1_2_scalar_clear(&sec); + rustsecp256k1_v0_1_2_scalar_clear(&term); + return ret; +} + +int rustsecp256k1_v0_1_2_ec_privkey_tweak_add(const rustsecp256k1_v0_1_2_context* ctx, unsigned char *seckey, const unsigned char *tweak) { + return rustsecp256k1_v0_1_2_ec_seckey_tweak_add(ctx, seckey, tweak); +} + +int rustsecp256k1_v0_1_2_ec_pubkey_tweak_add(const rustsecp256k1_v0_1_2_context* ctx, rustsecp256k1_v0_1_2_pubkey *pubkey, const unsigned char *tweak) { + rustsecp256k1_v0_1_2_ge p; + rustsecp256k1_v0_1_2_scalar term; + int ret = 0; + int overflow = 0; + VERIFY_CHECK(ctx != NULL); + ARG_CHECK(rustsecp256k1_v0_1_2_ecmult_context_is_built(&ctx->ecmult_ctx)); + ARG_CHECK(pubkey != NULL); + ARG_CHECK(tweak != NULL); + + rustsecp256k1_v0_1_2_scalar_set_b32(&term, tweak, &overflow); + ret = !overflow && rustsecp256k1_v0_1_2_pubkey_load(ctx, &p, pubkey); + memset(pubkey, 0, sizeof(*pubkey)); + if (ret) { + if (rustsecp256k1_v0_1_2_eckey_pubkey_tweak_add(&ctx->ecmult_ctx, &p, &term)) { + rustsecp256k1_v0_1_2_pubkey_save(pubkey, &p); + } else { + ret = 0; + } + } + + return ret; +} + +int rustsecp256k1_v0_1_2_ec_seckey_tweak_mul(const rustsecp256k1_v0_1_2_context* ctx, unsigned char *seckey, const unsigned char *tweak) { + rustsecp256k1_v0_1_2_scalar factor; + rustsecp256k1_v0_1_2_scalar sec; + int ret = 0; + int overflow = 0; + VERIFY_CHECK(ctx != NULL); + ARG_CHECK(seckey != NULL); + ARG_CHECK(tweak != NULL); + + rustsecp256k1_v0_1_2_scalar_set_b32(&factor, tweak, &overflow); + ret = rustsecp256k1_v0_1_2_scalar_set_b32_seckey(&sec, seckey); + ret &= (!overflow) & rustsecp256k1_v0_1_2_eckey_privkey_tweak_mul(&sec, &factor); + rustsecp256k1_v0_1_2_scalar_cmov(&sec, &rustsecp256k1_v0_1_2_scalar_zero, !ret); + rustsecp256k1_v0_1_2_scalar_get_b32(seckey, &sec); + + rustsecp256k1_v0_1_2_scalar_clear(&sec); + rustsecp256k1_v0_1_2_scalar_clear(&factor); + return ret; +} + +int rustsecp256k1_v0_1_2_ec_privkey_tweak_mul(const rustsecp256k1_v0_1_2_context* ctx, unsigned char *seckey, const unsigned char *tweak) { + return rustsecp256k1_v0_1_2_ec_seckey_tweak_mul(ctx, seckey, tweak); +} + +int rustsecp256k1_v0_1_2_ec_pubkey_tweak_mul(const rustsecp256k1_v0_1_2_context* ctx, rustsecp256k1_v0_1_2_pubkey *pubkey, const unsigned char *tweak) { + rustsecp256k1_v0_1_2_ge p; + rustsecp256k1_v0_1_2_scalar factor; + int ret = 0; + int overflow = 0; + VERIFY_CHECK(ctx != NULL); + ARG_CHECK(rustsecp256k1_v0_1_2_ecmult_context_is_built(&ctx->ecmult_ctx)); + ARG_CHECK(pubkey != NULL); + ARG_CHECK(tweak != NULL); + + rustsecp256k1_v0_1_2_scalar_set_b32(&factor, tweak, &overflow); + ret = !overflow && rustsecp256k1_v0_1_2_pubkey_load(ctx, &p, pubkey); + memset(pubkey, 0, sizeof(*pubkey)); + if (ret) { + if (rustsecp256k1_v0_1_2_eckey_pubkey_tweak_mul(&ctx->ecmult_ctx, &p, &factor)) { + rustsecp256k1_v0_1_2_pubkey_save(pubkey, &p); + } else { + ret = 0; + } + } + + return ret; +} + +int rustsecp256k1_v0_1_2_context_randomize(rustsecp256k1_v0_1_2_context* ctx, const unsigned char *seed32) { + VERIFY_CHECK(ctx != NULL); + if (rustsecp256k1_v0_1_2_ecmult_gen_context_is_built(&ctx->ecmult_gen_ctx)) { + rustsecp256k1_v0_1_2_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32); + } + return 1; +} + +int rustsecp256k1_v0_1_2_ec_pubkey_combine(const rustsecp256k1_v0_1_2_context* ctx, rustsecp256k1_v0_1_2_pubkey *pubnonce, const rustsecp256k1_v0_1_2_pubkey * const *pubnonces, size_t n) { + size_t i; + rustsecp256k1_v0_1_2_gej Qj; + rustsecp256k1_v0_1_2_ge Q; + + ARG_CHECK(pubnonce != NULL); + memset(pubnonce, 0, sizeof(*pubnonce)); + ARG_CHECK(n >= 1); + ARG_CHECK(pubnonces != NULL); + + rustsecp256k1_v0_1_2_gej_set_infinity(&Qj); + + for (i = 0; i < n; i++) { + rustsecp256k1_v0_1_2_pubkey_load(ctx, &Q, pubnonces[i]); + rustsecp256k1_v0_1_2_gej_add_ge(&Qj, &Qj, &Q); + } + if (rustsecp256k1_v0_1_2_gej_is_infinity(&Qj)) { + return 0; + } + rustsecp256k1_v0_1_2_ge_set_gej(&Q, &Qj); + rustsecp256k1_v0_1_2_pubkey_save(pubnonce, &Q); + return 1; +} + +#ifdef ENABLE_MODULE_ECDH +# include "modules/ecdh/main_impl.h" +#endif + +#ifdef ENABLE_MODULE_RECOVERY +# include "modules/recovery/main_impl.h" +#endif diff --git a/secp256k1-sys/depend/secp256k1/src/testrand.h b/secp256k1-sys/depend/secp256k1/src/testrand.h index 6f11d898a..eed5fccec 100644 --- a/secp256k1-sys/depend/secp256k1/src/testrand.h +++ b/secp256k1-sys/depend/secp256k1/src/testrand.h @@ -14,25 +14,25 @@ /* A non-cryptographic RNG used only for test infrastructure. */ /** Seed the pseudorandom number generator for testing. */ -SECP256K1_INLINE static void rustsecp256k1_v0_1_1_rand_seed(const unsigned char *seed16); +SECP256K1_INLINE static void rustsecp256k1_v0_1_2_rand_seed(const unsigned char *seed16); /** Generate a pseudorandom number in the range [0..2**32-1]. */ -static uint32_t rustsecp256k1_v0_1_1_rand32(void); +static uint32_t rustsecp256k1_v0_1_2_rand32(void); /** Generate a pseudorandom number in the range [0..2**bits-1]. Bits must be 1 or * more. */ -static uint32_t rustsecp256k1_v0_1_1_rand_bits(int bits); +static uint32_t rustsecp256k1_v0_1_2_rand_bits(int bits); /** Generate a pseudorandom number in the range [0..range-1]. */ -static uint32_t rustsecp256k1_v0_1_1_rand_int(uint32_t range); +static uint32_t rustsecp256k1_v0_1_2_rand_int(uint32_t range); /** Generate a pseudorandom 32-byte array. */ -static void rustsecp256k1_v0_1_1_rand256(unsigned char *b32); +static void rustsecp256k1_v0_1_2_rand256(unsigned char *b32); /** Generate a pseudorandom 32-byte array with long sequences of zero and one bits. */ -static void rustsecp256k1_v0_1_1_rand256_test(unsigned char *b32); +static void rustsecp256k1_v0_1_2_rand256_test(unsigned char *b32); /** Generate pseudorandom bytes with long sequences of zero and one bits. */ -static void rustsecp256k1_v0_1_1_rand_bytes_test(unsigned char *bytes, size_t len); +static void rustsecp256k1_v0_1_2_rand_bytes_test(unsigned char *bytes, size_t len); #endif /* SECP256K1_TESTRAND_H */ diff --git a/secp256k1-sys/depend/secp256k1/src/testrand_impl.h b/secp256k1-sys/depend/secp256k1/src/testrand_impl.h index 9ef7a9c8e..83629326a 100644 --- a/secp256k1-sys/depend/secp256k1/src/testrand_impl.h +++ b/secp256k1-sys/depend/secp256k1/src/testrand_impl.h @@ -13,38 +13,38 @@ #include "testrand.h" #include "hash.h" -static rustsecp256k1_v0_1_1_rfc6979_hmac_sha256 rustsecp256k1_v0_1_1_test_rng; -static uint32_t rustsecp256k1_v0_1_1_test_rng_precomputed[8]; -static int rustsecp256k1_v0_1_1_test_rng_precomputed_used = 8; -static uint64_t rustsecp256k1_v0_1_1_test_rng_integer; -static int rustsecp256k1_v0_1_1_test_rng_integer_bits_left = 0; +static rustsecp256k1_v0_1_2_rfc6979_hmac_sha256 rustsecp256k1_v0_1_2_test_rng; +static uint32_t rustsecp256k1_v0_1_2_test_rng_precomputed[8]; +static int rustsecp256k1_v0_1_2_test_rng_precomputed_used = 8; +static uint64_t rustsecp256k1_v0_1_2_test_rng_integer; +static int rustsecp256k1_v0_1_2_test_rng_integer_bits_left = 0; -SECP256K1_INLINE static void rustsecp256k1_v0_1_1_rand_seed(const unsigned char *seed16) { - rustsecp256k1_v0_1_1_rfc6979_hmac_sha256_initialize(&rustsecp256k1_v0_1_1_test_rng, seed16, 16); +SECP256K1_INLINE static void rustsecp256k1_v0_1_2_rand_seed(const unsigned char *seed16) { + rustsecp256k1_v0_1_2_rfc6979_hmac_sha256_initialize(&rustsecp256k1_v0_1_2_test_rng, seed16, 16); } -SECP256K1_INLINE static uint32_t rustsecp256k1_v0_1_1_rand32(void) { - if (rustsecp256k1_v0_1_1_test_rng_precomputed_used == 8) { - rustsecp256k1_v0_1_1_rfc6979_hmac_sha256_generate(&rustsecp256k1_v0_1_1_test_rng, (unsigned char*)(&rustsecp256k1_v0_1_1_test_rng_precomputed[0]), sizeof(rustsecp256k1_v0_1_1_test_rng_precomputed)); - rustsecp256k1_v0_1_1_test_rng_precomputed_used = 0; +SECP256K1_INLINE static uint32_t rustsecp256k1_v0_1_2_rand32(void) { + if (rustsecp256k1_v0_1_2_test_rng_precomputed_used == 8) { + rustsecp256k1_v0_1_2_rfc6979_hmac_sha256_generate(&rustsecp256k1_v0_1_2_test_rng, (unsigned char*)(&rustsecp256k1_v0_1_2_test_rng_precomputed[0]), sizeof(rustsecp256k1_v0_1_2_test_rng_precomputed)); + rustsecp256k1_v0_1_2_test_rng_precomputed_used = 0; } - return rustsecp256k1_v0_1_1_test_rng_precomputed[rustsecp256k1_v0_1_1_test_rng_precomputed_used++]; + return rustsecp256k1_v0_1_2_test_rng_precomputed[rustsecp256k1_v0_1_2_test_rng_precomputed_used++]; } -static uint32_t rustsecp256k1_v0_1_1_rand_bits(int bits) { +static uint32_t rustsecp256k1_v0_1_2_rand_bits(int bits) { uint32_t ret; - if (rustsecp256k1_v0_1_1_test_rng_integer_bits_left < bits) { - rustsecp256k1_v0_1_1_test_rng_integer |= (((uint64_t)rustsecp256k1_v0_1_1_rand32()) << rustsecp256k1_v0_1_1_test_rng_integer_bits_left); - rustsecp256k1_v0_1_1_test_rng_integer_bits_left += 32; + if (rustsecp256k1_v0_1_2_test_rng_integer_bits_left < bits) { + rustsecp256k1_v0_1_2_test_rng_integer |= (((uint64_t)rustsecp256k1_v0_1_2_rand32()) << rustsecp256k1_v0_1_2_test_rng_integer_bits_left); + rustsecp256k1_v0_1_2_test_rng_integer_bits_left += 32; } - ret = rustsecp256k1_v0_1_1_test_rng_integer; - rustsecp256k1_v0_1_1_test_rng_integer >>= bits; - rustsecp256k1_v0_1_1_test_rng_integer_bits_left -= bits; + ret = rustsecp256k1_v0_1_2_test_rng_integer; + rustsecp256k1_v0_1_2_test_rng_integer >>= bits; + rustsecp256k1_v0_1_2_test_rng_integer_bits_left -= bits; ret &= ((~((uint32_t)0)) >> (32 - bits)); return ret; } -static uint32_t rustsecp256k1_v0_1_1_rand_int(uint32_t range) { +static uint32_t rustsecp256k1_v0_1_2_rand_int(uint32_t range) { /* We want a uniform integer between 0 and range-1, inclusive. * B is the smallest number such that range <= 2**B. * two mechanisms implemented here: @@ -76,25 +76,25 @@ static uint32_t rustsecp256k1_v0_1_1_rand_int(uint32_t range) { mult = 1; } while(1) { - uint32_t x = rustsecp256k1_v0_1_1_rand_bits(bits); + uint32_t x = rustsecp256k1_v0_1_2_rand_bits(bits); if (x < trange) { return (mult == 1) ? x : (x % range); } } } -static void rustsecp256k1_v0_1_1_rand256(unsigned char *b32) { - rustsecp256k1_v0_1_1_rfc6979_hmac_sha256_generate(&rustsecp256k1_v0_1_1_test_rng, b32, 32); +static void rustsecp256k1_v0_1_2_rand256(unsigned char *b32) { + rustsecp256k1_v0_1_2_rfc6979_hmac_sha256_generate(&rustsecp256k1_v0_1_2_test_rng, b32, 32); } -static void rustsecp256k1_v0_1_1_rand_bytes_test(unsigned char *bytes, size_t len) { +static void rustsecp256k1_v0_1_2_rand_bytes_test(unsigned char *bytes, size_t len) { size_t bits = 0; memset(bytes, 0, len); while (bits < len * 8) { int now; uint32_t val; - now = 1 + (rustsecp256k1_v0_1_1_rand_bits(6) * rustsecp256k1_v0_1_1_rand_bits(5) + 16) / 31; - val = rustsecp256k1_v0_1_1_rand_bits(1); + now = 1 + (rustsecp256k1_v0_1_2_rand_bits(6) * rustsecp256k1_v0_1_2_rand_bits(5) + 16) / 31; + val = rustsecp256k1_v0_1_2_rand_bits(1); while (now > 0 && bits < len * 8) { bytes[bits / 8] |= val << (bits % 8); now--; @@ -103,8 +103,8 @@ static void rustsecp256k1_v0_1_1_rand_bytes_test(unsigned char *bytes, size_t le } } -static void rustsecp256k1_v0_1_1_rand256_test(unsigned char *b32) { - rustsecp256k1_v0_1_1_rand_bytes_test(b32, 32); +static void rustsecp256k1_v0_1_2_rand256_test(unsigned char *b32) { + rustsecp256k1_v0_1_2_rand_bytes_test(b32, 32); } #endif /* SECP256K1_TESTRAND_IMPL_H */ diff --git a/secp256k1-sys/depend/secp256k1/src/tests.c b/secp256k1-sys/depend/secp256k1/src/tests.c index 28c2de6a4..47679521c 100644 --- a/secp256k1-sys/depend/secp256k1/src/tests.c +++ b/secp256k1-sys/depend/secp256k1/src/tests.c @@ -44,7 +44,7 @@ void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) #endif static int count = 64; -static rustsecp256k1_v0_1_1_context *ctx = NULL; +static rustsecp256k1_v0_1_2_context *ctx = NULL; static void counting_illegal_callback_fn(const char* str, void* data) { /* Dummy callback function that just counts. */ @@ -62,181 +62,189 @@ static void uncounting_illegal_callback_fn(const char* str, void* data) { (*p)--; } -void random_field_element_test(rustsecp256k1_v0_1_1_fe *fe) { +void random_field_element_test(rustsecp256k1_v0_1_2_fe *fe) { do { unsigned char b32[32]; - rustsecp256k1_v0_1_1_rand256_test(b32); - if (rustsecp256k1_v0_1_1_fe_set_b32(fe, b32)) { + rustsecp256k1_v0_1_2_rand256_test(b32); + if (rustsecp256k1_v0_1_2_fe_set_b32(fe, b32)) { break; } } while(1); } -void random_field_element_magnitude(rustsecp256k1_v0_1_1_fe *fe) { - rustsecp256k1_v0_1_1_fe zero; - int n = rustsecp256k1_v0_1_1_rand_int(9); - rustsecp256k1_v0_1_1_fe_normalize(fe); +void random_field_element_magnitude(rustsecp256k1_v0_1_2_fe *fe) { + rustsecp256k1_v0_1_2_fe zero; + int n = rustsecp256k1_v0_1_2_rand_int(9); + rustsecp256k1_v0_1_2_fe_normalize(fe); if (n == 0) { return; } - rustsecp256k1_v0_1_1_fe_clear(&zero); - rustsecp256k1_v0_1_1_fe_negate(&zero, &zero, 0); - rustsecp256k1_v0_1_1_fe_mul_int(&zero, n - 1); - rustsecp256k1_v0_1_1_fe_add(fe, &zero); - VERIFY_CHECK(fe->magnitude == n); + rustsecp256k1_v0_1_2_fe_clear(&zero); + rustsecp256k1_v0_1_2_fe_negate(&zero, &zero, 0); + rustsecp256k1_v0_1_2_fe_mul_int(&zero, n - 1); + rustsecp256k1_v0_1_2_fe_add(fe, &zero); +#ifdef VERIFY + CHECK(fe->magnitude == n); +#endif } -void random_group_element_test(rustsecp256k1_v0_1_1_ge *ge) { - rustsecp256k1_v0_1_1_fe fe; +void random_group_element_test(rustsecp256k1_v0_1_2_ge *ge) { + rustsecp256k1_v0_1_2_fe fe; do { random_field_element_test(&fe); - if (rustsecp256k1_v0_1_1_ge_set_xo_var(ge, &fe, rustsecp256k1_v0_1_1_rand_bits(1))) { - rustsecp256k1_v0_1_1_fe_normalize(&ge->y); + if (rustsecp256k1_v0_1_2_ge_set_xo_var(ge, &fe, rustsecp256k1_v0_1_2_rand_bits(1))) { + rustsecp256k1_v0_1_2_fe_normalize(&ge->y); break; } } while(1); } -void random_group_element_jacobian_test(rustsecp256k1_v0_1_1_gej *gej, const rustsecp256k1_v0_1_1_ge *ge) { - rustsecp256k1_v0_1_1_fe z2, z3; +void random_group_element_jacobian_test(rustsecp256k1_v0_1_2_gej *gej, const rustsecp256k1_v0_1_2_ge *ge) { + rustsecp256k1_v0_1_2_fe z2, z3; do { random_field_element_test(&gej->z); - if (!rustsecp256k1_v0_1_1_fe_is_zero(&gej->z)) { + if (!rustsecp256k1_v0_1_2_fe_is_zero(&gej->z)) { break; } } while(1); - rustsecp256k1_v0_1_1_fe_sqr(&z2, &gej->z); - rustsecp256k1_v0_1_1_fe_mul(&z3, &z2, &gej->z); - rustsecp256k1_v0_1_1_fe_mul(&gej->x, &ge->x, &z2); - rustsecp256k1_v0_1_1_fe_mul(&gej->y, &ge->y, &z3); + rustsecp256k1_v0_1_2_fe_sqr(&z2, &gej->z); + rustsecp256k1_v0_1_2_fe_mul(&z3, &z2, &gej->z); + rustsecp256k1_v0_1_2_fe_mul(&gej->x, &ge->x, &z2); + rustsecp256k1_v0_1_2_fe_mul(&gej->y, &ge->y, &z3); gej->infinity = ge->infinity; } -void random_scalar_order_test(rustsecp256k1_v0_1_1_scalar *num) { +void random_scalar_order_test(rustsecp256k1_v0_1_2_scalar *num) { do { unsigned char b32[32]; int overflow = 0; - rustsecp256k1_v0_1_1_rand256_test(b32); - rustsecp256k1_v0_1_1_scalar_set_b32(num, b32, &overflow); - if (overflow || rustsecp256k1_v0_1_1_scalar_is_zero(num)) { + rustsecp256k1_v0_1_2_rand256_test(b32); + rustsecp256k1_v0_1_2_scalar_set_b32(num, b32, &overflow); + if (overflow || rustsecp256k1_v0_1_2_scalar_is_zero(num)) { continue; } break; } while(1); } -void random_scalar_order(rustsecp256k1_v0_1_1_scalar *num) { +void random_scalar_order(rustsecp256k1_v0_1_2_scalar *num) { do { unsigned char b32[32]; int overflow = 0; - rustsecp256k1_v0_1_1_rand256(b32); - rustsecp256k1_v0_1_1_scalar_set_b32(num, b32, &overflow); - if (overflow || rustsecp256k1_v0_1_1_scalar_is_zero(num)) { + rustsecp256k1_v0_1_2_rand256(b32); + rustsecp256k1_v0_1_2_scalar_set_b32(num, b32, &overflow); + if (overflow || rustsecp256k1_v0_1_2_scalar_is_zero(num)) { continue; } break; } while(1); } +void random_scalar_order_b32(unsigned char *b32) { + rustsecp256k1_v0_1_2_scalar num; + random_scalar_order(&num); + rustsecp256k1_v0_1_2_scalar_get_b32(b32, &num); +} + void run_context_tests(int use_prealloc) { - rustsecp256k1_v0_1_1_pubkey pubkey; - rustsecp256k1_v0_1_1_pubkey zero_pubkey; - rustsecp256k1_v0_1_1_ecdsa_signature sig; + rustsecp256k1_v0_1_2_pubkey pubkey; + rustsecp256k1_v0_1_2_pubkey zero_pubkey; + rustsecp256k1_v0_1_2_ecdsa_signature sig; unsigned char ctmp[32]; int32_t ecount; int32_t ecount2; - rustsecp256k1_v0_1_1_context *none; - rustsecp256k1_v0_1_1_context *sign; - rustsecp256k1_v0_1_1_context *vrfy; - rustsecp256k1_v0_1_1_context *both; + rustsecp256k1_v0_1_2_context *none; + rustsecp256k1_v0_1_2_context *sign; + rustsecp256k1_v0_1_2_context *vrfy; + rustsecp256k1_v0_1_2_context *both; void *none_prealloc = NULL; void *sign_prealloc = NULL; void *vrfy_prealloc = NULL; void *both_prealloc = NULL; - rustsecp256k1_v0_1_1_gej pubj; - rustsecp256k1_v0_1_1_ge pub; - rustsecp256k1_v0_1_1_scalar msg, key, nonce; - rustsecp256k1_v0_1_1_scalar sigr, sigs; + rustsecp256k1_v0_1_2_gej pubj; + rustsecp256k1_v0_1_2_ge pub; + rustsecp256k1_v0_1_2_scalar msg, key, nonce; + rustsecp256k1_v0_1_2_scalar sigr, sigs; if (use_prealloc) { - none_prealloc = malloc(rustsecp256k1_v0_1_1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); - sign_prealloc = malloc(rustsecp256k1_v0_1_1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); - vrfy_prealloc = malloc(rustsecp256k1_v0_1_1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); - both_prealloc = malloc(rustsecp256k1_v0_1_1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); + none_prealloc = malloc(rustsecp256k1_v0_1_2_context_preallocated_size(SECP256K1_CONTEXT_NONE)); + sign_prealloc = malloc(rustsecp256k1_v0_1_2_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); + vrfy_prealloc = malloc(rustsecp256k1_v0_1_2_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); + both_prealloc = malloc(rustsecp256k1_v0_1_2_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(none_prealloc != NULL); CHECK(sign_prealloc != NULL); CHECK(vrfy_prealloc != NULL); CHECK(both_prealloc != NULL); - none = rustsecp256k1_v0_1_1_context_preallocated_create(none_prealloc, SECP256K1_CONTEXT_NONE); - sign = rustsecp256k1_v0_1_1_context_preallocated_create(sign_prealloc, SECP256K1_CONTEXT_SIGN); - vrfy = rustsecp256k1_v0_1_1_context_preallocated_create(vrfy_prealloc, SECP256K1_CONTEXT_VERIFY); - both = rustsecp256k1_v0_1_1_context_preallocated_create(both_prealloc, SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); + none = rustsecp256k1_v0_1_2_context_preallocated_create(none_prealloc, SECP256K1_CONTEXT_NONE); + sign = rustsecp256k1_v0_1_2_context_preallocated_create(sign_prealloc, SECP256K1_CONTEXT_SIGN); + vrfy = rustsecp256k1_v0_1_2_context_preallocated_create(vrfy_prealloc, SECP256K1_CONTEXT_VERIFY); + both = rustsecp256k1_v0_1_2_context_preallocated_create(both_prealloc, SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); } else { - none = rustsecp256k1_v0_1_1_context_create(SECP256K1_CONTEXT_NONE); - sign = rustsecp256k1_v0_1_1_context_create(SECP256K1_CONTEXT_SIGN); - vrfy = rustsecp256k1_v0_1_1_context_create(SECP256K1_CONTEXT_VERIFY); - both = rustsecp256k1_v0_1_1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); + none = rustsecp256k1_v0_1_2_context_create(SECP256K1_CONTEXT_NONE); + sign = rustsecp256k1_v0_1_2_context_create(SECP256K1_CONTEXT_SIGN); + vrfy = rustsecp256k1_v0_1_2_context_create(SECP256K1_CONTEXT_VERIFY); + both = rustsecp256k1_v0_1_2_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); } memset(&zero_pubkey, 0, sizeof(zero_pubkey)); ecount = 0; ecount2 = 10; - rustsecp256k1_v0_1_1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount); - rustsecp256k1_v0_1_1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2); - rustsecp256k1_v0_1_1_context_set_error_callback(sign, counting_illegal_callback_fn, NULL); + rustsecp256k1_v0_1_2_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount); + rustsecp256k1_v0_1_2_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2); + rustsecp256k1_v0_1_2_context_set_error_callback(sign, counting_illegal_callback_fn, NULL); CHECK(vrfy->error_callback.fn != sign->error_callback.fn); /* check if sizes for cloning are consistent */ - CHECK(rustsecp256k1_v0_1_1_context_preallocated_clone_size(none) == rustsecp256k1_v0_1_1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); - CHECK(rustsecp256k1_v0_1_1_context_preallocated_clone_size(sign) == rustsecp256k1_v0_1_1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); - CHECK(rustsecp256k1_v0_1_1_context_preallocated_clone_size(vrfy) == rustsecp256k1_v0_1_1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); - CHECK(rustsecp256k1_v0_1_1_context_preallocated_clone_size(both) == rustsecp256k1_v0_1_1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); + CHECK(rustsecp256k1_v0_1_2_context_preallocated_clone_size(none) == rustsecp256k1_v0_1_2_context_preallocated_size(SECP256K1_CONTEXT_NONE)); + CHECK(rustsecp256k1_v0_1_2_context_preallocated_clone_size(sign) == rustsecp256k1_v0_1_2_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); + CHECK(rustsecp256k1_v0_1_2_context_preallocated_clone_size(vrfy) == rustsecp256k1_v0_1_2_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); + CHECK(rustsecp256k1_v0_1_2_context_preallocated_clone_size(both) == rustsecp256k1_v0_1_2_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); /*** clone and destroy all of them to make sure cloning was complete ***/ { - rustsecp256k1_v0_1_1_context *ctx_tmp; + rustsecp256k1_v0_1_2_context *ctx_tmp; if (use_prealloc) { /* clone into a non-preallocated context and then again into a new preallocated one. */ - ctx_tmp = none; none = rustsecp256k1_v0_1_1_context_clone(none); rustsecp256k1_v0_1_1_context_preallocated_destroy(ctx_tmp); - free(none_prealloc); none_prealloc = malloc(rustsecp256k1_v0_1_1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL); - ctx_tmp = none; none = rustsecp256k1_v0_1_1_context_preallocated_clone(none, none_prealloc); rustsecp256k1_v0_1_1_context_destroy(ctx_tmp); + ctx_tmp = none; none = rustsecp256k1_v0_1_2_context_clone(none); rustsecp256k1_v0_1_2_context_preallocated_destroy(ctx_tmp); + free(none_prealloc); none_prealloc = malloc(rustsecp256k1_v0_1_2_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL); + ctx_tmp = none; none = rustsecp256k1_v0_1_2_context_preallocated_clone(none, none_prealloc); rustsecp256k1_v0_1_2_context_destroy(ctx_tmp); - ctx_tmp = sign; sign = rustsecp256k1_v0_1_1_context_clone(sign); rustsecp256k1_v0_1_1_context_preallocated_destroy(ctx_tmp); - free(sign_prealloc); sign_prealloc = malloc(rustsecp256k1_v0_1_1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL); - ctx_tmp = sign; sign = rustsecp256k1_v0_1_1_context_preallocated_clone(sign, sign_prealloc); rustsecp256k1_v0_1_1_context_destroy(ctx_tmp); + ctx_tmp = sign; sign = rustsecp256k1_v0_1_2_context_clone(sign); rustsecp256k1_v0_1_2_context_preallocated_destroy(ctx_tmp); + free(sign_prealloc); sign_prealloc = malloc(rustsecp256k1_v0_1_2_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL); + ctx_tmp = sign; sign = rustsecp256k1_v0_1_2_context_preallocated_clone(sign, sign_prealloc); rustsecp256k1_v0_1_2_context_destroy(ctx_tmp); - ctx_tmp = vrfy; vrfy = rustsecp256k1_v0_1_1_context_clone(vrfy); rustsecp256k1_v0_1_1_context_preallocated_destroy(ctx_tmp); - free(vrfy_prealloc); vrfy_prealloc = malloc(rustsecp256k1_v0_1_1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL); - ctx_tmp = vrfy; vrfy = rustsecp256k1_v0_1_1_context_preallocated_clone(vrfy, vrfy_prealloc); rustsecp256k1_v0_1_1_context_destroy(ctx_tmp); + ctx_tmp = vrfy; vrfy = rustsecp256k1_v0_1_2_context_clone(vrfy); rustsecp256k1_v0_1_2_context_preallocated_destroy(ctx_tmp); + free(vrfy_prealloc); vrfy_prealloc = malloc(rustsecp256k1_v0_1_2_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL); + ctx_tmp = vrfy; vrfy = rustsecp256k1_v0_1_2_context_preallocated_clone(vrfy, vrfy_prealloc); rustsecp256k1_v0_1_2_context_destroy(ctx_tmp); - ctx_tmp = both; both = rustsecp256k1_v0_1_1_context_clone(both); rustsecp256k1_v0_1_1_context_preallocated_destroy(ctx_tmp); - free(both_prealloc); both_prealloc = malloc(rustsecp256k1_v0_1_1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL); - ctx_tmp = both; both = rustsecp256k1_v0_1_1_context_preallocated_clone(both, both_prealloc); rustsecp256k1_v0_1_1_context_destroy(ctx_tmp); + ctx_tmp = both; both = rustsecp256k1_v0_1_2_context_clone(both); rustsecp256k1_v0_1_2_context_preallocated_destroy(ctx_tmp); + free(both_prealloc); both_prealloc = malloc(rustsecp256k1_v0_1_2_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL); + ctx_tmp = both; both = rustsecp256k1_v0_1_2_context_preallocated_clone(both, both_prealloc); rustsecp256k1_v0_1_2_context_destroy(ctx_tmp); } else { /* clone into a preallocated context and then again into a new non-preallocated one. */ void *prealloc_tmp; - prealloc_tmp = malloc(rustsecp256k1_v0_1_1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL); - ctx_tmp = none; none = rustsecp256k1_v0_1_1_context_preallocated_clone(none, prealloc_tmp); rustsecp256k1_v0_1_1_context_destroy(ctx_tmp); - ctx_tmp = none; none = rustsecp256k1_v0_1_1_context_clone(none); rustsecp256k1_v0_1_1_context_preallocated_destroy(ctx_tmp); + prealloc_tmp = malloc(rustsecp256k1_v0_1_2_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL); + ctx_tmp = none; none = rustsecp256k1_v0_1_2_context_preallocated_clone(none, prealloc_tmp); rustsecp256k1_v0_1_2_context_destroy(ctx_tmp); + ctx_tmp = none; none = rustsecp256k1_v0_1_2_context_clone(none); rustsecp256k1_v0_1_2_context_preallocated_destroy(ctx_tmp); free(prealloc_tmp); - prealloc_tmp = malloc(rustsecp256k1_v0_1_1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL); - ctx_tmp = sign; sign = rustsecp256k1_v0_1_1_context_preallocated_clone(sign, prealloc_tmp); rustsecp256k1_v0_1_1_context_destroy(ctx_tmp); - ctx_tmp = sign; sign = rustsecp256k1_v0_1_1_context_clone(sign); rustsecp256k1_v0_1_1_context_preallocated_destroy(ctx_tmp); + prealloc_tmp = malloc(rustsecp256k1_v0_1_2_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL); + ctx_tmp = sign; sign = rustsecp256k1_v0_1_2_context_preallocated_clone(sign, prealloc_tmp); rustsecp256k1_v0_1_2_context_destroy(ctx_tmp); + ctx_tmp = sign; sign = rustsecp256k1_v0_1_2_context_clone(sign); rustsecp256k1_v0_1_2_context_preallocated_destroy(ctx_tmp); free(prealloc_tmp); - prealloc_tmp = malloc(rustsecp256k1_v0_1_1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL); - ctx_tmp = vrfy; vrfy = rustsecp256k1_v0_1_1_context_preallocated_clone(vrfy, prealloc_tmp); rustsecp256k1_v0_1_1_context_destroy(ctx_tmp); - ctx_tmp = vrfy; vrfy = rustsecp256k1_v0_1_1_context_clone(vrfy); rustsecp256k1_v0_1_1_context_preallocated_destroy(ctx_tmp); + prealloc_tmp = malloc(rustsecp256k1_v0_1_2_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL); + ctx_tmp = vrfy; vrfy = rustsecp256k1_v0_1_2_context_preallocated_clone(vrfy, prealloc_tmp); rustsecp256k1_v0_1_2_context_destroy(ctx_tmp); + ctx_tmp = vrfy; vrfy = rustsecp256k1_v0_1_2_context_clone(vrfy); rustsecp256k1_v0_1_2_context_preallocated_destroy(ctx_tmp); free(prealloc_tmp); - prealloc_tmp = malloc(rustsecp256k1_v0_1_1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL); - ctx_tmp = both; both = rustsecp256k1_v0_1_1_context_preallocated_clone(both, prealloc_tmp); rustsecp256k1_v0_1_1_context_destroy(ctx_tmp); - ctx_tmp = both; both = rustsecp256k1_v0_1_1_context_clone(both); rustsecp256k1_v0_1_1_context_preallocated_destroy(ctx_tmp); + prealloc_tmp = malloc(rustsecp256k1_v0_1_2_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL); + ctx_tmp = both; both = rustsecp256k1_v0_1_2_context_preallocated_clone(both, prealloc_tmp); rustsecp256k1_v0_1_2_context_destroy(ctx_tmp); + ctx_tmp = both; both = rustsecp256k1_v0_1_2_context_clone(both); rustsecp256k1_v0_1_2_context_preallocated_destroy(ctx_tmp); free(prealloc_tmp); } } @@ -244,91 +252,91 @@ void run_context_tests(int use_prealloc) { /* Verify that the error callback makes it across the clone. */ CHECK(vrfy->error_callback.fn != sign->error_callback.fn); /* And that it resets back to default. */ - rustsecp256k1_v0_1_1_context_set_error_callback(sign, NULL, NULL); + rustsecp256k1_v0_1_2_context_set_error_callback(sign, NULL, NULL); CHECK(vrfy->error_callback.fn == sign->error_callback.fn); /*** attempt to use them ***/ random_scalar_order_test(&msg); random_scalar_order_test(&key); - rustsecp256k1_v0_1_1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key); - rustsecp256k1_v0_1_1_ge_set_gej(&pub, &pubj); + rustsecp256k1_v0_1_2_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key); + rustsecp256k1_v0_1_2_ge_set_gej(&pub, &pubj); /* Verify context-type checking illegal-argument errors. */ memset(ctmp, 1, 32); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0); CHECK(ecount == 1); VG_UNDEF(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_create(sign, &pubkey, ctmp) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_create(sign, &pubkey, ctmp) == 1); VG_CHECK(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0); CHECK(ecount == 2); VG_UNDEF(&sig, sizeof(sig)); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1); VG_CHECK(&sig, sizeof(sig)); CHECK(ecount2 == 10); - CHECK(rustsecp256k1_v0_1_1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0); CHECK(ecount2 == 11); - CHECK(rustsecp256k1_v0_1_1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1); CHECK(ecount == 2); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0); CHECK(ecount2 == 12); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1); CHECK(ecount == 2); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0); CHECK(ecount2 == 13); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_negate(vrfy, &pubkey) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_negate(vrfy, &pubkey) == 1); CHECK(ecount == 2); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_negate(sign, &pubkey) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_negate(sign, &pubkey) == 1); CHECK(ecount == 2); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_negate(sign, NULL) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_negate(sign, NULL) == 0); CHECK(ecount2 == 14); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_negate(vrfy, &zero_pubkey) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1); CHECK(ecount == 3); - CHECK(rustsecp256k1_v0_1_1_context_randomize(vrfy, ctmp) == 1); + CHECK(rustsecp256k1_v0_1_2_context_randomize(vrfy, ctmp) == 1); CHECK(ecount == 3); - CHECK(rustsecp256k1_v0_1_1_context_randomize(vrfy, NULL) == 1); + CHECK(rustsecp256k1_v0_1_2_context_randomize(vrfy, NULL) == 1); CHECK(ecount == 3); - CHECK(rustsecp256k1_v0_1_1_context_randomize(sign, ctmp) == 1); + CHECK(rustsecp256k1_v0_1_2_context_randomize(sign, ctmp) == 1); CHECK(ecount2 == 14); - CHECK(rustsecp256k1_v0_1_1_context_randomize(sign, NULL) == 1); + CHECK(rustsecp256k1_v0_1_2_context_randomize(sign, NULL) == 1); CHECK(ecount2 == 14); - rustsecp256k1_v0_1_1_context_set_illegal_callback(vrfy, NULL, NULL); - rustsecp256k1_v0_1_1_context_set_illegal_callback(sign, NULL, NULL); + rustsecp256k1_v0_1_2_context_set_illegal_callback(vrfy, NULL, NULL); + rustsecp256k1_v0_1_2_context_set_illegal_callback(sign, NULL, NULL); /* obtain a working nonce */ do { random_scalar_order_test(&nonce); - } while(!rustsecp256k1_v0_1_1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL)); + } while(!rustsecp256k1_v0_1_2_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL)); /* try signing */ - CHECK(rustsecp256k1_v0_1_1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL)); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL)); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL)); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL)); /* try verifying */ - CHECK(rustsecp256k1_v0_1_1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg)); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg)); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg)); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg)); /* cleanup */ if (use_prealloc) { - rustsecp256k1_v0_1_1_context_preallocated_destroy(none); - rustsecp256k1_v0_1_1_context_preallocated_destroy(sign); - rustsecp256k1_v0_1_1_context_preallocated_destroy(vrfy); - rustsecp256k1_v0_1_1_context_preallocated_destroy(both); + rustsecp256k1_v0_1_2_context_preallocated_destroy(none); + rustsecp256k1_v0_1_2_context_preallocated_destroy(sign); + rustsecp256k1_v0_1_2_context_preallocated_destroy(vrfy); + rustsecp256k1_v0_1_2_context_preallocated_destroy(both); free(none_prealloc); free(sign_prealloc); free(vrfy_prealloc); free(both_prealloc); } else { - rustsecp256k1_v0_1_1_context_destroy(none); - rustsecp256k1_v0_1_1_context_destroy(sign); - rustsecp256k1_v0_1_1_context_destroy(vrfy); - rustsecp256k1_v0_1_1_context_destroy(both); + rustsecp256k1_v0_1_2_context_destroy(none); + rustsecp256k1_v0_1_2_context_destroy(sign); + rustsecp256k1_v0_1_2_context_destroy(vrfy); + rustsecp256k1_v0_1_2_context_destroy(both); } /* Defined as no-op. */ - rustsecp256k1_v0_1_1_context_destroy(NULL); - rustsecp256k1_v0_1_1_context_preallocated_destroy(NULL); + rustsecp256k1_v0_1_2_context_destroy(NULL); + rustsecp256k1_v0_1_2_context_preallocated_destroy(NULL); } @@ -338,69 +346,69 @@ void run_scratch_tests(void) { int32_t ecount = 0; size_t checkpoint; size_t checkpoint_2; - rustsecp256k1_v0_1_1_context *none = rustsecp256k1_v0_1_1_context_create(SECP256K1_CONTEXT_NONE); - rustsecp256k1_v0_1_1_scratch_space *scratch; - rustsecp256k1_v0_1_1_scratch_space local_scratch; + rustsecp256k1_v0_1_2_context *none = rustsecp256k1_v0_1_2_context_create(SECP256K1_CONTEXT_NONE); + rustsecp256k1_v0_1_2_scratch_space *scratch; + rustsecp256k1_v0_1_2_scratch_space local_scratch; /* Test public API */ - rustsecp256k1_v0_1_1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount); - rustsecp256k1_v0_1_1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount); + rustsecp256k1_v0_1_2_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount); + rustsecp256k1_v0_1_2_context_set_error_callback(none, counting_illegal_callback_fn, &ecount); - scratch = rustsecp256k1_v0_1_1_scratch_space_create(none, 1000); + scratch = rustsecp256k1_v0_1_2_scratch_space_create(none, 1000); CHECK(scratch != NULL); CHECK(ecount == 0); /* Test internal API */ - CHECK(rustsecp256k1_v0_1_1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000); - CHECK(rustsecp256k1_v0_1_1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1)); + CHECK(rustsecp256k1_v0_1_2_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000); + CHECK(rustsecp256k1_v0_1_2_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1)); CHECK(scratch->alloc_size == 0); CHECK(scratch->alloc_size % ALIGNMENT == 0); /* Allocating 500 bytes succeeds */ - checkpoint = rustsecp256k1_v0_1_1_scratch_checkpoint(&none->error_callback, scratch); - CHECK(rustsecp256k1_v0_1_1_scratch_alloc(&none->error_callback, scratch, 500) != NULL); - CHECK(rustsecp256k1_v0_1_1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc); - CHECK(rustsecp256k1_v0_1_1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1)); + checkpoint = rustsecp256k1_v0_1_2_scratch_checkpoint(&none->error_callback, scratch); + CHECK(rustsecp256k1_v0_1_2_scratch_alloc(&none->error_callback, scratch, 500) != NULL); + CHECK(rustsecp256k1_v0_1_2_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc); + CHECK(rustsecp256k1_v0_1_2_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1)); CHECK(scratch->alloc_size != 0); CHECK(scratch->alloc_size % ALIGNMENT == 0); /* Allocating another 500 bytes fails */ - CHECK(rustsecp256k1_v0_1_1_scratch_alloc(&none->error_callback, scratch, 500) == NULL); - CHECK(rustsecp256k1_v0_1_1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc); - CHECK(rustsecp256k1_v0_1_1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1)); + CHECK(rustsecp256k1_v0_1_2_scratch_alloc(&none->error_callback, scratch, 500) == NULL); + CHECK(rustsecp256k1_v0_1_2_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc); + CHECK(rustsecp256k1_v0_1_2_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1)); CHECK(scratch->alloc_size != 0); CHECK(scratch->alloc_size % ALIGNMENT == 0); /* ...but it succeeds once we apply the checkpoint to undo it */ - rustsecp256k1_v0_1_1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint); + rustsecp256k1_v0_1_2_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint); CHECK(scratch->alloc_size == 0); - CHECK(rustsecp256k1_v0_1_1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000); - CHECK(rustsecp256k1_v0_1_1_scratch_alloc(&none->error_callback, scratch, 500) != NULL); + CHECK(rustsecp256k1_v0_1_2_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000); + CHECK(rustsecp256k1_v0_1_2_scratch_alloc(&none->error_callback, scratch, 500) != NULL); CHECK(scratch->alloc_size != 0); /* try to apply a bad checkpoint */ - checkpoint_2 = rustsecp256k1_v0_1_1_scratch_checkpoint(&none->error_callback, scratch); - rustsecp256k1_v0_1_1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint); + checkpoint_2 = rustsecp256k1_v0_1_2_scratch_checkpoint(&none->error_callback, scratch); + rustsecp256k1_v0_1_2_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint); CHECK(ecount == 0); - rustsecp256k1_v0_1_1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */ + rustsecp256k1_v0_1_2_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */ CHECK(ecount == 1); - rustsecp256k1_v0_1_1_scratch_apply_checkpoint(&none->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */ + rustsecp256k1_v0_1_2_scratch_apply_checkpoint(&none->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */ CHECK(ecount == 2); /* try to use badly initialized scratch space */ - rustsecp256k1_v0_1_1_scratch_space_destroy(none, scratch); + rustsecp256k1_v0_1_2_scratch_space_destroy(none, scratch); memset(&local_scratch, 0, sizeof(local_scratch)); scratch = &local_scratch; - CHECK(!rustsecp256k1_v0_1_1_scratch_max_allocation(&none->error_callback, scratch, 0)); + CHECK(!rustsecp256k1_v0_1_2_scratch_max_allocation(&none->error_callback, scratch, 0)); CHECK(ecount == 3); - CHECK(rustsecp256k1_v0_1_1_scratch_alloc(&none->error_callback, scratch, 500) == NULL); + CHECK(rustsecp256k1_v0_1_2_scratch_alloc(&none->error_callback, scratch, 500) == NULL); CHECK(ecount == 4); - rustsecp256k1_v0_1_1_scratch_space_destroy(none, scratch); + rustsecp256k1_v0_1_2_scratch_space_destroy(none, scratch); CHECK(ecount == 5); /* cleanup */ - rustsecp256k1_v0_1_1_scratch_space_destroy(none, NULL); /* no-op */ - rustsecp256k1_v0_1_1_context_destroy(none); + rustsecp256k1_v0_1_2_scratch_space_destroy(none, NULL); /* no-op */ + rustsecp256k1_v0_1_2_context_destroy(none); } /***** HASH TESTS *****/ @@ -425,17 +433,17 @@ void run_sha256_tests(void) { int i; for (i = 0; i < 8; i++) { unsigned char out[32]; - rustsecp256k1_v0_1_1_sha256 hasher; - rustsecp256k1_v0_1_1_sha256_initialize(&hasher); - rustsecp256k1_v0_1_1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i])); - rustsecp256k1_v0_1_1_sha256_finalize(&hasher, out); + rustsecp256k1_v0_1_2_sha256 hasher; + rustsecp256k1_v0_1_2_sha256_initialize(&hasher); + rustsecp256k1_v0_1_2_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i])); + rustsecp256k1_v0_1_2_sha256_finalize(&hasher, out); CHECK(memcmp(out, outputs[i], 32) == 0); if (strlen(inputs[i]) > 0) { - int split = rustsecp256k1_v0_1_1_rand_int(strlen(inputs[i])); - rustsecp256k1_v0_1_1_sha256_initialize(&hasher); - rustsecp256k1_v0_1_1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split); - rustsecp256k1_v0_1_1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split); - rustsecp256k1_v0_1_1_sha256_finalize(&hasher, out); + int split = rustsecp256k1_v0_1_2_rand_int(strlen(inputs[i])); + rustsecp256k1_v0_1_2_sha256_initialize(&hasher); + rustsecp256k1_v0_1_2_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split); + rustsecp256k1_v0_1_2_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split); + rustsecp256k1_v0_1_2_sha256_finalize(&hasher, out); CHECK(memcmp(out, outputs[i], 32) == 0); } } @@ -468,18 +476,18 @@ void run_hmac_sha256_tests(void) { }; int i; for (i = 0; i < 6; i++) { - rustsecp256k1_v0_1_1_hmac_sha256 hasher; + rustsecp256k1_v0_1_2_hmac_sha256 hasher; unsigned char out[32]; - rustsecp256k1_v0_1_1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i])); - rustsecp256k1_v0_1_1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i])); - rustsecp256k1_v0_1_1_hmac_sha256_finalize(&hasher, out); + rustsecp256k1_v0_1_2_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i])); + rustsecp256k1_v0_1_2_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i])); + rustsecp256k1_v0_1_2_hmac_sha256_finalize(&hasher, out); CHECK(memcmp(out, outputs[i], 32) == 0); if (strlen(inputs[i]) > 0) { - int split = rustsecp256k1_v0_1_1_rand_int(strlen(inputs[i])); - rustsecp256k1_v0_1_1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i])); - rustsecp256k1_v0_1_1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split); - rustsecp256k1_v0_1_1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split); - rustsecp256k1_v0_1_1_hmac_sha256_finalize(&hasher, out); + int split = rustsecp256k1_v0_1_2_rand_int(strlen(inputs[i])); + rustsecp256k1_v0_1_2_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i])); + rustsecp256k1_v0_1_2_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split); + rustsecp256k1_v0_1_2_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split); + rustsecp256k1_v0_1_2_hmac_sha256_finalize(&hasher, out); CHECK(memcmp(out, outputs[i], 32) == 0); } } @@ -500,30 +508,30 @@ void run_rfc6979_hmac_sha256_tests(void) { {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94} }; - rustsecp256k1_v0_1_1_rfc6979_hmac_sha256 rng; + rustsecp256k1_v0_1_2_rfc6979_hmac_sha256 rng; unsigned char out[32]; int i; - rustsecp256k1_v0_1_1_rfc6979_hmac_sha256_initialize(&rng, key1, 64); + rustsecp256k1_v0_1_2_rfc6979_hmac_sha256_initialize(&rng, key1, 64); for (i = 0; i < 3; i++) { - rustsecp256k1_v0_1_1_rfc6979_hmac_sha256_generate(&rng, out, 32); + rustsecp256k1_v0_1_2_rfc6979_hmac_sha256_generate(&rng, out, 32); CHECK(memcmp(out, out1[i], 32) == 0); } - rustsecp256k1_v0_1_1_rfc6979_hmac_sha256_finalize(&rng); + rustsecp256k1_v0_1_2_rfc6979_hmac_sha256_finalize(&rng); - rustsecp256k1_v0_1_1_rfc6979_hmac_sha256_initialize(&rng, key1, 65); + rustsecp256k1_v0_1_2_rfc6979_hmac_sha256_initialize(&rng, key1, 65); for (i = 0; i < 3; i++) { - rustsecp256k1_v0_1_1_rfc6979_hmac_sha256_generate(&rng, out, 32); + rustsecp256k1_v0_1_2_rfc6979_hmac_sha256_generate(&rng, out, 32); CHECK(memcmp(out, out1[i], 32) != 0); } - rustsecp256k1_v0_1_1_rfc6979_hmac_sha256_finalize(&rng); + rustsecp256k1_v0_1_2_rfc6979_hmac_sha256_finalize(&rng); - rustsecp256k1_v0_1_1_rfc6979_hmac_sha256_initialize(&rng, key2, 64); + rustsecp256k1_v0_1_2_rfc6979_hmac_sha256_initialize(&rng, key2, 64); for (i = 0; i < 3; i++) { - rustsecp256k1_v0_1_1_rfc6979_hmac_sha256_generate(&rng, out, 32); + rustsecp256k1_v0_1_2_rfc6979_hmac_sha256_generate(&rng, out, 32); CHECK(memcmp(out, out2[i], 32) == 0); } - rustsecp256k1_v0_1_1_rfc6979_hmac_sha256_finalize(&rng); + rustsecp256k1_v0_1_2_rfc6979_hmac_sha256_finalize(&rng); } /***** RANDOM TESTS *****/ @@ -545,7 +553,7 @@ void test_rand_bits(int rand32, int bits) { /* Multiply the output of all rand calls with the odd number m, which should not change the uniformity of its distribution. */ for (i = 0; i < rounds[usebits]; i++) { - uint32_t r = (rand32 ? rustsecp256k1_v0_1_1_rand32() : rustsecp256k1_v0_1_1_rand_bits(bits)); + uint32_t r = (rand32 ? rustsecp256k1_v0_1_2_rand32() : rustsecp256k1_v0_1_2_rand_bits(bits)); CHECK((((uint64_t)r) >> bits) == 0); for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) { uint32_t rm = r * mults[m]; @@ -570,7 +578,7 @@ void test_rand_int(uint32_t range, uint32_t subrange) { uint64_t x = 0; CHECK((range % subrange) == 0); for (i = 0; i < rounds; i++) { - uint32_t r = rustsecp256k1_v0_1_1_rand_int(range); + uint32_t r = rustsecp256k1_v0_1_2_rand_int(range); CHECK(r < range); r = r % subrange; x |= (((uint64_t)1) << r); @@ -601,176 +609,176 @@ void run_rand_int(void) { /***** NUM TESTS *****/ #ifndef USE_NUM_NONE -void random_num_negate(rustsecp256k1_v0_1_1_num *num) { - if (rustsecp256k1_v0_1_1_rand_bits(1)) { - rustsecp256k1_v0_1_1_num_negate(num); +void random_num_negate(rustsecp256k1_v0_1_2_num *num) { + if (rustsecp256k1_v0_1_2_rand_bits(1)) { + rustsecp256k1_v0_1_2_num_negate(num); } } -void random_num_order_test(rustsecp256k1_v0_1_1_num *num) { - rustsecp256k1_v0_1_1_scalar sc; +void random_num_order_test(rustsecp256k1_v0_1_2_num *num) { + rustsecp256k1_v0_1_2_scalar sc; random_scalar_order_test(&sc); - rustsecp256k1_v0_1_1_scalar_get_num(num, &sc); + rustsecp256k1_v0_1_2_scalar_get_num(num, &sc); } -void random_num_order(rustsecp256k1_v0_1_1_num *num) { - rustsecp256k1_v0_1_1_scalar sc; +void random_num_order(rustsecp256k1_v0_1_2_num *num) { + rustsecp256k1_v0_1_2_scalar sc; random_scalar_order(&sc); - rustsecp256k1_v0_1_1_scalar_get_num(num, &sc); + rustsecp256k1_v0_1_2_scalar_get_num(num, &sc); } void test_num_negate(void) { - rustsecp256k1_v0_1_1_num n1; - rustsecp256k1_v0_1_1_num n2; + rustsecp256k1_v0_1_2_num n1; + rustsecp256k1_v0_1_2_num n2; random_num_order_test(&n1); /* n1 = R */ random_num_negate(&n1); - rustsecp256k1_v0_1_1_num_copy(&n2, &n1); /* n2 = R */ - rustsecp256k1_v0_1_1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */ - CHECK(rustsecp256k1_v0_1_1_num_is_zero(&n1)); - rustsecp256k1_v0_1_1_num_copy(&n1, &n2); /* n1 = R */ - rustsecp256k1_v0_1_1_num_negate(&n1); /* n1 = -R */ - CHECK(!rustsecp256k1_v0_1_1_num_is_zero(&n1)); - rustsecp256k1_v0_1_1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */ - CHECK(rustsecp256k1_v0_1_1_num_is_zero(&n1)); - rustsecp256k1_v0_1_1_num_copy(&n1, &n2); /* n1 = R */ - rustsecp256k1_v0_1_1_num_negate(&n1); /* n1 = -R */ - CHECK(rustsecp256k1_v0_1_1_num_is_neg(&n1) != rustsecp256k1_v0_1_1_num_is_neg(&n2)); - rustsecp256k1_v0_1_1_num_negate(&n1); /* n1 = R */ - CHECK(rustsecp256k1_v0_1_1_num_eq(&n1, &n2)); + rustsecp256k1_v0_1_2_num_copy(&n2, &n1); /* n2 = R */ + rustsecp256k1_v0_1_2_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */ + CHECK(rustsecp256k1_v0_1_2_num_is_zero(&n1)); + rustsecp256k1_v0_1_2_num_copy(&n1, &n2); /* n1 = R */ + rustsecp256k1_v0_1_2_num_negate(&n1); /* n1 = -R */ + CHECK(!rustsecp256k1_v0_1_2_num_is_zero(&n1)); + rustsecp256k1_v0_1_2_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */ + CHECK(rustsecp256k1_v0_1_2_num_is_zero(&n1)); + rustsecp256k1_v0_1_2_num_copy(&n1, &n2); /* n1 = R */ + rustsecp256k1_v0_1_2_num_negate(&n1); /* n1 = -R */ + CHECK(rustsecp256k1_v0_1_2_num_is_neg(&n1) != rustsecp256k1_v0_1_2_num_is_neg(&n2)); + rustsecp256k1_v0_1_2_num_negate(&n1); /* n1 = R */ + CHECK(rustsecp256k1_v0_1_2_num_eq(&n1, &n2)); } void test_num_add_sub(void) { int i; - rustsecp256k1_v0_1_1_scalar s; - rustsecp256k1_v0_1_1_num n1; - rustsecp256k1_v0_1_1_num n2; - rustsecp256k1_v0_1_1_num n1p2, n2p1, n1m2, n2m1; + rustsecp256k1_v0_1_2_scalar s; + rustsecp256k1_v0_1_2_num n1; + rustsecp256k1_v0_1_2_num n2; + rustsecp256k1_v0_1_2_num n1p2, n2p1, n1m2, n2m1; random_num_order_test(&n1); /* n1 = R1 */ - if (rustsecp256k1_v0_1_1_rand_bits(1)) { + if (rustsecp256k1_v0_1_2_rand_bits(1)) { random_num_negate(&n1); } random_num_order_test(&n2); /* n2 = R2 */ - if (rustsecp256k1_v0_1_1_rand_bits(1)) { + if (rustsecp256k1_v0_1_2_rand_bits(1)) { random_num_negate(&n2); } - rustsecp256k1_v0_1_1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */ - rustsecp256k1_v0_1_1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */ - rustsecp256k1_v0_1_1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */ - rustsecp256k1_v0_1_1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */ - CHECK(rustsecp256k1_v0_1_1_num_eq(&n1p2, &n2p1)); - CHECK(!rustsecp256k1_v0_1_1_num_eq(&n1p2, &n1m2)); - rustsecp256k1_v0_1_1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */ - CHECK(rustsecp256k1_v0_1_1_num_eq(&n2m1, &n1m2)); - CHECK(!rustsecp256k1_v0_1_1_num_eq(&n2m1, &n1)); - rustsecp256k1_v0_1_1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */ - CHECK(rustsecp256k1_v0_1_1_num_eq(&n2m1, &n1)); - CHECK(!rustsecp256k1_v0_1_1_num_eq(&n2p1, &n1)); - rustsecp256k1_v0_1_1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */ - CHECK(rustsecp256k1_v0_1_1_num_eq(&n2p1, &n1)); + rustsecp256k1_v0_1_2_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */ + rustsecp256k1_v0_1_2_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */ + rustsecp256k1_v0_1_2_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */ + rustsecp256k1_v0_1_2_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */ + CHECK(rustsecp256k1_v0_1_2_num_eq(&n1p2, &n2p1)); + CHECK(!rustsecp256k1_v0_1_2_num_eq(&n1p2, &n1m2)); + rustsecp256k1_v0_1_2_num_negate(&n2m1); /* n2m1 = -R2 + R1 */ + CHECK(rustsecp256k1_v0_1_2_num_eq(&n2m1, &n1m2)); + CHECK(!rustsecp256k1_v0_1_2_num_eq(&n2m1, &n1)); + rustsecp256k1_v0_1_2_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */ + CHECK(rustsecp256k1_v0_1_2_num_eq(&n2m1, &n1)); + CHECK(!rustsecp256k1_v0_1_2_num_eq(&n2p1, &n1)); + rustsecp256k1_v0_1_2_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */ + CHECK(rustsecp256k1_v0_1_2_num_eq(&n2p1, &n1)); /* check is_one */ - rustsecp256k1_v0_1_1_scalar_set_int(&s, 1); - rustsecp256k1_v0_1_1_scalar_get_num(&n1, &s); - CHECK(rustsecp256k1_v0_1_1_num_is_one(&n1)); + rustsecp256k1_v0_1_2_scalar_set_int(&s, 1); + rustsecp256k1_v0_1_2_scalar_get_num(&n1, &s); + CHECK(rustsecp256k1_v0_1_2_num_is_one(&n1)); /* check that 2^n + 1 is never 1 */ - rustsecp256k1_v0_1_1_scalar_get_num(&n2, &s); + rustsecp256k1_v0_1_2_scalar_get_num(&n2, &s); for (i = 0; i < 250; ++i) { - rustsecp256k1_v0_1_1_num_add(&n1, &n1, &n1); /* n1 *= 2 */ - rustsecp256k1_v0_1_1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */ - CHECK(!rustsecp256k1_v0_1_1_num_is_one(&n1p2)); + rustsecp256k1_v0_1_2_num_add(&n1, &n1, &n1); /* n1 *= 2 */ + rustsecp256k1_v0_1_2_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */ + CHECK(!rustsecp256k1_v0_1_2_num_is_one(&n1p2)); } } void test_num_mod(void) { int i; - rustsecp256k1_v0_1_1_scalar s; - rustsecp256k1_v0_1_1_num order, n; + rustsecp256k1_v0_1_2_scalar s; + rustsecp256k1_v0_1_2_num order, n; /* check that 0 mod anything is 0 */ random_scalar_order_test(&s); - rustsecp256k1_v0_1_1_scalar_get_num(&order, &s); - rustsecp256k1_v0_1_1_scalar_set_int(&s, 0); - rustsecp256k1_v0_1_1_scalar_get_num(&n, &s); - rustsecp256k1_v0_1_1_num_mod(&n, &order); - CHECK(rustsecp256k1_v0_1_1_num_is_zero(&n)); + rustsecp256k1_v0_1_2_scalar_get_num(&order, &s); + rustsecp256k1_v0_1_2_scalar_set_int(&s, 0); + rustsecp256k1_v0_1_2_scalar_get_num(&n, &s); + rustsecp256k1_v0_1_2_num_mod(&n, &order); + CHECK(rustsecp256k1_v0_1_2_num_is_zero(&n)); /* check that anything mod 1 is 0 */ - rustsecp256k1_v0_1_1_scalar_set_int(&s, 1); - rustsecp256k1_v0_1_1_scalar_get_num(&order, &s); - rustsecp256k1_v0_1_1_scalar_get_num(&n, &s); - rustsecp256k1_v0_1_1_num_mod(&n, &order); - CHECK(rustsecp256k1_v0_1_1_num_is_zero(&n)); + rustsecp256k1_v0_1_2_scalar_set_int(&s, 1); + rustsecp256k1_v0_1_2_scalar_get_num(&order, &s); + rustsecp256k1_v0_1_2_scalar_get_num(&n, &s); + rustsecp256k1_v0_1_2_num_mod(&n, &order); + CHECK(rustsecp256k1_v0_1_2_num_is_zero(&n)); /* check that increasing the number past 2^256 does not break this */ random_scalar_order_test(&s); - rustsecp256k1_v0_1_1_scalar_get_num(&n, &s); + rustsecp256k1_v0_1_2_scalar_get_num(&n, &s); /* multiply by 2^8, which'll test this case with high probability */ for (i = 0; i < 8; ++i) { - rustsecp256k1_v0_1_1_num_add(&n, &n, &n); + rustsecp256k1_v0_1_2_num_add(&n, &n, &n); } - rustsecp256k1_v0_1_1_num_mod(&n, &order); - CHECK(rustsecp256k1_v0_1_1_num_is_zero(&n)); + rustsecp256k1_v0_1_2_num_mod(&n, &order); + CHECK(rustsecp256k1_v0_1_2_num_is_zero(&n)); } void test_num_jacobi(void) { - rustsecp256k1_v0_1_1_scalar sqr; - rustsecp256k1_v0_1_1_scalar small; - rustsecp256k1_v0_1_1_scalar five; /* five is not a quadratic residue */ - rustsecp256k1_v0_1_1_num order, n; + rustsecp256k1_v0_1_2_scalar sqr; + rustsecp256k1_v0_1_2_scalar small; + rustsecp256k1_v0_1_2_scalar five; /* five is not a quadratic residue */ + rustsecp256k1_v0_1_2_num order, n; int i; /* squares mod 5 are 1, 4 */ const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 }; /* check some small values with 5 as the order */ - rustsecp256k1_v0_1_1_scalar_set_int(&five, 5); - rustsecp256k1_v0_1_1_scalar_get_num(&order, &five); + rustsecp256k1_v0_1_2_scalar_set_int(&five, 5); + rustsecp256k1_v0_1_2_scalar_get_num(&order, &five); for (i = 0; i < 10; ++i) { - rustsecp256k1_v0_1_1_scalar_set_int(&small, i); - rustsecp256k1_v0_1_1_scalar_get_num(&n, &small); - CHECK(rustsecp256k1_v0_1_1_num_jacobi(&n, &order) == jacobi5[i]); + rustsecp256k1_v0_1_2_scalar_set_int(&small, i); + rustsecp256k1_v0_1_2_scalar_get_num(&n, &small); + CHECK(rustsecp256k1_v0_1_2_num_jacobi(&n, &order) == jacobi5[i]); } /** test large values with 5 as group order */ - rustsecp256k1_v0_1_1_scalar_get_num(&order, &five); + rustsecp256k1_v0_1_2_scalar_get_num(&order, &five); /* we first need a scalar which is not a multiple of 5 */ do { - rustsecp256k1_v0_1_1_num fiven; + rustsecp256k1_v0_1_2_num fiven; random_scalar_order_test(&sqr); - rustsecp256k1_v0_1_1_scalar_get_num(&fiven, &five); - rustsecp256k1_v0_1_1_scalar_get_num(&n, &sqr); - rustsecp256k1_v0_1_1_num_mod(&n, &fiven); - } while (rustsecp256k1_v0_1_1_num_is_zero(&n)); + rustsecp256k1_v0_1_2_scalar_get_num(&fiven, &five); + rustsecp256k1_v0_1_2_scalar_get_num(&n, &sqr); + rustsecp256k1_v0_1_2_num_mod(&n, &fiven); + } while (rustsecp256k1_v0_1_2_num_is_zero(&n)); /* next force it to be a residue. 2 is a nonresidue mod 5 so we can * just multiply by two, i.e. add the number to itself */ - if (rustsecp256k1_v0_1_1_num_jacobi(&n, &order) == -1) { - rustsecp256k1_v0_1_1_num_add(&n, &n, &n); + if (rustsecp256k1_v0_1_2_num_jacobi(&n, &order) == -1) { + rustsecp256k1_v0_1_2_num_add(&n, &n, &n); } /* test residue */ - CHECK(rustsecp256k1_v0_1_1_num_jacobi(&n, &order) == 1); + CHECK(rustsecp256k1_v0_1_2_num_jacobi(&n, &order) == 1); /* test nonresidue */ - rustsecp256k1_v0_1_1_num_add(&n, &n, &n); - CHECK(rustsecp256k1_v0_1_1_num_jacobi(&n, &order) == -1); + rustsecp256k1_v0_1_2_num_add(&n, &n, &n); + CHECK(rustsecp256k1_v0_1_2_num_jacobi(&n, &order) == -1); /** test with secp group order as order */ - rustsecp256k1_v0_1_1_scalar_order_get_num(&order); + rustsecp256k1_v0_1_2_scalar_order_get_num(&order); random_scalar_order_test(&sqr); - rustsecp256k1_v0_1_1_scalar_sqr(&sqr, &sqr); + rustsecp256k1_v0_1_2_scalar_sqr(&sqr, &sqr); /* test residue */ - rustsecp256k1_v0_1_1_scalar_get_num(&n, &sqr); - CHECK(rustsecp256k1_v0_1_1_num_jacobi(&n, &order) == 1); + rustsecp256k1_v0_1_2_scalar_get_num(&n, &sqr); + CHECK(rustsecp256k1_v0_1_2_num_jacobi(&n, &order) == 1); /* test nonresidue */ - rustsecp256k1_v0_1_1_scalar_mul(&sqr, &sqr, &five); - rustsecp256k1_v0_1_1_scalar_get_num(&n, &sqr); - CHECK(rustsecp256k1_v0_1_1_num_jacobi(&n, &order) == -1); + rustsecp256k1_v0_1_2_scalar_mul(&sqr, &sqr, &five); + rustsecp256k1_v0_1_2_scalar_get_num(&n, &sqr); + CHECK(rustsecp256k1_v0_1_2_num_jacobi(&n, &order) == -1); /* test multiple of the order*/ - CHECK(rustsecp256k1_v0_1_1_num_jacobi(&order, &order) == 0); + CHECK(rustsecp256k1_v0_1_2_num_jacobi(&order, &order) == 0); /* check one less than the order */ - rustsecp256k1_v0_1_1_scalar_set_int(&small, 1); - rustsecp256k1_v0_1_1_scalar_get_num(&n, &small); - rustsecp256k1_v0_1_1_num_sub(&n, &order, &n); - CHECK(rustsecp256k1_v0_1_1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */ + rustsecp256k1_v0_1_2_scalar_set_int(&small, 1); + rustsecp256k1_v0_1_2_scalar_get_num(&n, &small); + rustsecp256k1_v0_1_2_num_sub(&n, &order, &n); + CHECK(rustsecp256k1_v0_1_2_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */ } void run_num_smalltests(void) { @@ -787,12 +795,12 @@ void run_num_smalltests(void) { /***** SCALAR TESTS *****/ void scalar_test(void) { - rustsecp256k1_v0_1_1_scalar s; - rustsecp256k1_v0_1_1_scalar s1; - rustsecp256k1_v0_1_1_scalar s2; + rustsecp256k1_v0_1_2_scalar s; + rustsecp256k1_v0_1_2_scalar s1; + rustsecp256k1_v0_1_2_scalar s2; #ifndef USE_NUM_NONE - rustsecp256k1_v0_1_1_num snum, s1num, s2num; - rustsecp256k1_v0_1_1_num order, half_order; + rustsecp256k1_v0_1_2_num snum, s1num, s2num; + rustsecp256k1_v0_1_2_num order, half_order; #endif unsigned char c[32]; @@ -804,141 +812,141 @@ void scalar_test(void) { /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */ random_scalar_order_test(&s2); - rustsecp256k1_v0_1_1_scalar_get_b32(c, &s2); + rustsecp256k1_v0_1_2_scalar_get_b32(c, &s2); #ifndef USE_NUM_NONE - rustsecp256k1_v0_1_1_scalar_get_num(&snum, &s); - rustsecp256k1_v0_1_1_scalar_get_num(&s1num, &s1); - rustsecp256k1_v0_1_1_scalar_get_num(&s2num, &s2); + rustsecp256k1_v0_1_2_scalar_get_num(&snum, &s); + rustsecp256k1_v0_1_2_scalar_get_num(&s1num, &s1); + rustsecp256k1_v0_1_2_scalar_get_num(&s2num, &s2); - rustsecp256k1_v0_1_1_scalar_order_get_num(&order); + rustsecp256k1_v0_1_2_scalar_order_get_num(&order); half_order = order; - rustsecp256k1_v0_1_1_num_shift(&half_order, 1); + rustsecp256k1_v0_1_2_num_shift(&half_order, 1); #endif { int i; /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */ - rustsecp256k1_v0_1_1_scalar n; - rustsecp256k1_v0_1_1_scalar_set_int(&n, 0); + rustsecp256k1_v0_1_2_scalar n; + rustsecp256k1_v0_1_2_scalar_set_int(&n, 0); for (i = 0; i < 256; i += 4) { - rustsecp256k1_v0_1_1_scalar t; + rustsecp256k1_v0_1_2_scalar t; int j; - rustsecp256k1_v0_1_1_scalar_set_int(&t, rustsecp256k1_v0_1_1_scalar_get_bits(&s, 256 - 4 - i, 4)); + rustsecp256k1_v0_1_2_scalar_set_int(&t, rustsecp256k1_v0_1_2_scalar_get_bits(&s, 256 - 4 - i, 4)); for (j = 0; j < 4; j++) { - rustsecp256k1_v0_1_1_scalar_add(&n, &n, &n); + rustsecp256k1_v0_1_2_scalar_add(&n, &n, &n); } - rustsecp256k1_v0_1_1_scalar_add(&n, &n, &t); + rustsecp256k1_v0_1_2_scalar_add(&n, &n, &t); } - CHECK(rustsecp256k1_v0_1_1_scalar_eq(&n, &s)); + CHECK(rustsecp256k1_v0_1_2_scalar_eq(&n, &s)); } { /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */ - rustsecp256k1_v0_1_1_scalar n; + rustsecp256k1_v0_1_2_scalar n; int i = 0; - rustsecp256k1_v0_1_1_scalar_set_int(&n, 0); + rustsecp256k1_v0_1_2_scalar_set_int(&n, 0); while (i < 256) { - rustsecp256k1_v0_1_1_scalar t; + rustsecp256k1_v0_1_2_scalar t; int j; - int now = rustsecp256k1_v0_1_1_rand_int(15) + 1; + int now = rustsecp256k1_v0_1_2_rand_int(15) + 1; if (now + i > 256) { now = 256 - i; } - rustsecp256k1_v0_1_1_scalar_set_int(&t, rustsecp256k1_v0_1_1_scalar_get_bits_var(&s, 256 - now - i, now)); + rustsecp256k1_v0_1_2_scalar_set_int(&t, rustsecp256k1_v0_1_2_scalar_get_bits_var(&s, 256 - now - i, now)); for (j = 0; j < now; j++) { - rustsecp256k1_v0_1_1_scalar_add(&n, &n, &n); + rustsecp256k1_v0_1_2_scalar_add(&n, &n, &n); } - rustsecp256k1_v0_1_1_scalar_add(&n, &n, &t); + rustsecp256k1_v0_1_2_scalar_add(&n, &n, &t); i += now; } - CHECK(rustsecp256k1_v0_1_1_scalar_eq(&n, &s)); + CHECK(rustsecp256k1_v0_1_2_scalar_eq(&n, &s)); } #ifndef USE_NUM_NONE { /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */ - rustsecp256k1_v0_1_1_num rnum; - rustsecp256k1_v0_1_1_num r2num; - rustsecp256k1_v0_1_1_scalar r; - rustsecp256k1_v0_1_1_num_add(&rnum, &snum, &s2num); - rustsecp256k1_v0_1_1_num_mod(&rnum, &order); - rustsecp256k1_v0_1_1_scalar_add(&r, &s, &s2); - rustsecp256k1_v0_1_1_scalar_get_num(&r2num, &r); - CHECK(rustsecp256k1_v0_1_1_num_eq(&rnum, &r2num)); + rustsecp256k1_v0_1_2_num rnum; + rustsecp256k1_v0_1_2_num r2num; + rustsecp256k1_v0_1_2_scalar r; + rustsecp256k1_v0_1_2_num_add(&rnum, &snum, &s2num); + rustsecp256k1_v0_1_2_num_mod(&rnum, &order); + rustsecp256k1_v0_1_2_scalar_add(&r, &s, &s2); + rustsecp256k1_v0_1_2_scalar_get_num(&r2num, &r); + CHECK(rustsecp256k1_v0_1_2_num_eq(&rnum, &r2num)); } { /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */ - rustsecp256k1_v0_1_1_scalar r; - rustsecp256k1_v0_1_1_num r2num; - rustsecp256k1_v0_1_1_num rnum; - rustsecp256k1_v0_1_1_num_mul(&rnum, &snum, &s2num); - rustsecp256k1_v0_1_1_num_mod(&rnum, &order); - rustsecp256k1_v0_1_1_scalar_mul(&r, &s, &s2); - rustsecp256k1_v0_1_1_scalar_get_num(&r2num, &r); - CHECK(rustsecp256k1_v0_1_1_num_eq(&rnum, &r2num)); + rustsecp256k1_v0_1_2_scalar r; + rustsecp256k1_v0_1_2_num r2num; + rustsecp256k1_v0_1_2_num rnum; + rustsecp256k1_v0_1_2_num_mul(&rnum, &snum, &s2num); + rustsecp256k1_v0_1_2_num_mod(&rnum, &order); + rustsecp256k1_v0_1_2_scalar_mul(&r, &s, &s2); + rustsecp256k1_v0_1_2_scalar_get_num(&r2num, &r); + CHECK(rustsecp256k1_v0_1_2_num_eq(&rnum, &r2num)); /* The result can only be zero if at least one of the factors was zero. */ - CHECK(rustsecp256k1_v0_1_1_scalar_is_zero(&r) == (rustsecp256k1_v0_1_1_scalar_is_zero(&s) || rustsecp256k1_v0_1_1_scalar_is_zero(&s2))); + CHECK(rustsecp256k1_v0_1_2_scalar_is_zero(&r) == (rustsecp256k1_v0_1_2_scalar_is_zero(&s) || rustsecp256k1_v0_1_2_scalar_is_zero(&s2))); /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */ - CHECK(rustsecp256k1_v0_1_1_num_eq(&rnum, &snum) == (rustsecp256k1_v0_1_1_scalar_is_zero(&s) || rustsecp256k1_v0_1_1_scalar_is_one(&s2))); - CHECK(rustsecp256k1_v0_1_1_num_eq(&rnum, &s2num) == (rustsecp256k1_v0_1_1_scalar_is_zero(&s2) || rustsecp256k1_v0_1_1_scalar_is_one(&s))); + CHECK(rustsecp256k1_v0_1_2_num_eq(&rnum, &snum) == (rustsecp256k1_v0_1_2_scalar_is_zero(&s) || rustsecp256k1_v0_1_2_scalar_is_one(&s2))); + CHECK(rustsecp256k1_v0_1_2_num_eq(&rnum, &s2num) == (rustsecp256k1_v0_1_2_scalar_is_zero(&s2) || rustsecp256k1_v0_1_2_scalar_is_one(&s))); } { - rustsecp256k1_v0_1_1_scalar neg; - rustsecp256k1_v0_1_1_num negnum; - rustsecp256k1_v0_1_1_num negnum2; + rustsecp256k1_v0_1_2_scalar neg; + rustsecp256k1_v0_1_2_num negnum; + rustsecp256k1_v0_1_2_num negnum2; /* Check that comparison with zero matches comparison with zero on the number. */ - CHECK(rustsecp256k1_v0_1_1_num_is_zero(&snum) == rustsecp256k1_v0_1_1_scalar_is_zero(&s)); + CHECK(rustsecp256k1_v0_1_2_num_is_zero(&snum) == rustsecp256k1_v0_1_2_scalar_is_zero(&s)); /* Check that comparison with the half order is equal to testing for high scalar. */ - CHECK(rustsecp256k1_v0_1_1_scalar_is_high(&s) == (rustsecp256k1_v0_1_1_num_cmp(&snum, &half_order) > 0)); - rustsecp256k1_v0_1_1_scalar_negate(&neg, &s); - rustsecp256k1_v0_1_1_num_sub(&negnum, &order, &snum); - rustsecp256k1_v0_1_1_num_mod(&negnum, &order); + CHECK(rustsecp256k1_v0_1_2_scalar_is_high(&s) == (rustsecp256k1_v0_1_2_num_cmp(&snum, &half_order) > 0)); + rustsecp256k1_v0_1_2_scalar_negate(&neg, &s); + rustsecp256k1_v0_1_2_num_sub(&negnum, &order, &snum); + rustsecp256k1_v0_1_2_num_mod(&negnum, &order); /* Check that comparison with the half order is equal to testing for high scalar after negation. */ - CHECK(rustsecp256k1_v0_1_1_scalar_is_high(&neg) == (rustsecp256k1_v0_1_1_num_cmp(&negnum, &half_order) > 0)); + CHECK(rustsecp256k1_v0_1_2_scalar_is_high(&neg) == (rustsecp256k1_v0_1_2_num_cmp(&negnum, &half_order) > 0)); /* Negating should change the high property, unless the value was already zero. */ - CHECK((rustsecp256k1_v0_1_1_scalar_is_high(&s) == rustsecp256k1_v0_1_1_scalar_is_high(&neg)) == rustsecp256k1_v0_1_1_scalar_is_zero(&s)); - rustsecp256k1_v0_1_1_scalar_get_num(&negnum2, &neg); + CHECK((rustsecp256k1_v0_1_2_scalar_is_high(&s) == rustsecp256k1_v0_1_2_scalar_is_high(&neg)) == rustsecp256k1_v0_1_2_scalar_is_zero(&s)); + rustsecp256k1_v0_1_2_scalar_get_num(&negnum2, &neg); /* Negating a scalar should be equal to (order - n) mod order on the number. */ - CHECK(rustsecp256k1_v0_1_1_num_eq(&negnum, &negnum2)); - rustsecp256k1_v0_1_1_scalar_add(&neg, &neg, &s); + CHECK(rustsecp256k1_v0_1_2_num_eq(&negnum, &negnum2)); + rustsecp256k1_v0_1_2_scalar_add(&neg, &neg, &s); /* Adding a number to its negation should result in zero. */ - CHECK(rustsecp256k1_v0_1_1_scalar_is_zero(&neg)); - rustsecp256k1_v0_1_1_scalar_negate(&neg, &neg); + CHECK(rustsecp256k1_v0_1_2_scalar_is_zero(&neg)); + rustsecp256k1_v0_1_2_scalar_negate(&neg, &neg); /* Negating zero should still result in zero. */ - CHECK(rustsecp256k1_v0_1_1_scalar_is_zero(&neg)); + CHECK(rustsecp256k1_v0_1_2_scalar_is_zero(&neg)); } { - /* Test rustsecp256k1_v0_1_1_scalar_mul_shift_var. */ - rustsecp256k1_v0_1_1_scalar r; - rustsecp256k1_v0_1_1_num one; - rustsecp256k1_v0_1_1_num rnum; - rustsecp256k1_v0_1_1_num rnum2; + /* Test rustsecp256k1_v0_1_2_scalar_mul_shift_var. */ + rustsecp256k1_v0_1_2_scalar r; + rustsecp256k1_v0_1_2_num one; + rustsecp256k1_v0_1_2_num rnum; + rustsecp256k1_v0_1_2_num rnum2; unsigned char cone[1] = {0x01}; - unsigned int shift = 256 + rustsecp256k1_v0_1_1_rand_int(257); - rustsecp256k1_v0_1_1_scalar_mul_shift_var(&r, &s1, &s2, shift); - rustsecp256k1_v0_1_1_num_mul(&rnum, &s1num, &s2num); - rustsecp256k1_v0_1_1_num_shift(&rnum, shift - 1); - rustsecp256k1_v0_1_1_num_set_bin(&one, cone, 1); - rustsecp256k1_v0_1_1_num_add(&rnum, &rnum, &one); - rustsecp256k1_v0_1_1_num_shift(&rnum, 1); - rustsecp256k1_v0_1_1_scalar_get_num(&rnum2, &r); - CHECK(rustsecp256k1_v0_1_1_num_eq(&rnum, &rnum2)); + unsigned int shift = 256 + rustsecp256k1_v0_1_2_rand_int(257); + rustsecp256k1_v0_1_2_scalar_mul_shift_var(&r, &s1, &s2, shift); + rustsecp256k1_v0_1_2_num_mul(&rnum, &s1num, &s2num); + rustsecp256k1_v0_1_2_num_shift(&rnum, shift - 1); + rustsecp256k1_v0_1_2_num_set_bin(&one, cone, 1); + rustsecp256k1_v0_1_2_num_add(&rnum, &rnum, &one); + rustsecp256k1_v0_1_2_num_shift(&rnum, 1); + rustsecp256k1_v0_1_2_scalar_get_num(&rnum2, &r); + CHECK(rustsecp256k1_v0_1_2_num_eq(&rnum, &rnum2)); } { - /* test rustsecp256k1_v0_1_1_scalar_shr_int */ - rustsecp256k1_v0_1_1_scalar r; + /* test rustsecp256k1_v0_1_2_scalar_shr_int */ + rustsecp256k1_v0_1_2_scalar r; int i; random_scalar_order_test(&r); for (i = 0; i < 100; ++i) { int low; - int shift = 1 + rustsecp256k1_v0_1_1_rand_int(15); + int shift = 1 + rustsecp256k1_v0_1_2_rand_int(15); int expected = r.d[0] % (1 << shift); - low = rustsecp256k1_v0_1_1_scalar_shr_int(&r, shift); + low = rustsecp256k1_v0_1_2_scalar_shr_int(&r, shift); CHECK(expected == low); } } @@ -946,175 +954,222 @@ void scalar_test(void) { { /* Test that scalar inverses are equal to the inverse of their number modulo the order. */ - if (!rustsecp256k1_v0_1_1_scalar_is_zero(&s)) { - rustsecp256k1_v0_1_1_scalar inv; + if (!rustsecp256k1_v0_1_2_scalar_is_zero(&s)) { + rustsecp256k1_v0_1_2_scalar inv; #ifndef USE_NUM_NONE - rustsecp256k1_v0_1_1_num invnum; - rustsecp256k1_v0_1_1_num invnum2; + rustsecp256k1_v0_1_2_num invnum; + rustsecp256k1_v0_1_2_num invnum2; #endif - rustsecp256k1_v0_1_1_scalar_inverse(&inv, &s); + rustsecp256k1_v0_1_2_scalar_inverse(&inv, &s); #ifndef USE_NUM_NONE - rustsecp256k1_v0_1_1_num_mod_inverse(&invnum, &snum, &order); - rustsecp256k1_v0_1_1_scalar_get_num(&invnum2, &inv); - CHECK(rustsecp256k1_v0_1_1_num_eq(&invnum, &invnum2)); + rustsecp256k1_v0_1_2_num_mod_inverse(&invnum, &snum, &order); + rustsecp256k1_v0_1_2_scalar_get_num(&invnum2, &inv); + CHECK(rustsecp256k1_v0_1_2_num_eq(&invnum, &invnum2)); #endif - rustsecp256k1_v0_1_1_scalar_mul(&inv, &inv, &s); + rustsecp256k1_v0_1_2_scalar_mul(&inv, &inv, &s); /* Multiplying a scalar with its inverse must result in one. */ - CHECK(rustsecp256k1_v0_1_1_scalar_is_one(&inv)); - rustsecp256k1_v0_1_1_scalar_inverse(&inv, &inv); + CHECK(rustsecp256k1_v0_1_2_scalar_is_one(&inv)); + rustsecp256k1_v0_1_2_scalar_inverse(&inv, &inv); /* Inverting one must result in one. */ - CHECK(rustsecp256k1_v0_1_1_scalar_is_one(&inv)); + CHECK(rustsecp256k1_v0_1_2_scalar_is_one(&inv)); #ifndef USE_NUM_NONE - rustsecp256k1_v0_1_1_scalar_get_num(&invnum, &inv); - CHECK(rustsecp256k1_v0_1_1_num_is_one(&invnum)); + rustsecp256k1_v0_1_2_scalar_get_num(&invnum, &inv); + CHECK(rustsecp256k1_v0_1_2_num_is_one(&invnum)); #endif } } { /* Test commutativity of add. */ - rustsecp256k1_v0_1_1_scalar r1, r2; - rustsecp256k1_v0_1_1_scalar_add(&r1, &s1, &s2); - rustsecp256k1_v0_1_1_scalar_add(&r2, &s2, &s1); - CHECK(rustsecp256k1_v0_1_1_scalar_eq(&r1, &r2)); + rustsecp256k1_v0_1_2_scalar r1, r2; + rustsecp256k1_v0_1_2_scalar_add(&r1, &s1, &s2); + rustsecp256k1_v0_1_2_scalar_add(&r2, &s2, &s1); + CHECK(rustsecp256k1_v0_1_2_scalar_eq(&r1, &r2)); } { - rustsecp256k1_v0_1_1_scalar r1, r2; - rustsecp256k1_v0_1_1_scalar b; + rustsecp256k1_v0_1_2_scalar r1, r2; + rustsecp256k1_v0_1_2_scalar b; int i; /* Test add_bit. */ - int bit = rustsecp256k1_v0_1_1_rand_bits(8); - rustsecp256k1_v0_1_1_scalar_set_int(&b, 1); - CHECK(rustsecp256k1_v0_1_1_scalar_is_one(&b)); + int bit = rustsecp256k1_v0_1_2_rand_bits(8); + rustsecp256k1_v0_1_2_scalar_set_int(&b, 1); + CHECK(rustsecp256k1_v0_1_2_scalar_is_one(&b)); for (i = 0; i < bit; i++) { - rustsecp256k1_v0_1_1_scalar_add(&b, &b, &b); + rustsecp256k1_v0_1_2_scalar_add(&b, &b, &b); } r1 = s1; r2 = s1; - if (!rustsecp256k1_v0_1_1_scalar_add(&r1, &r1, &b)) { + if (!rustsecp256k1_v0_1_2_scalar_add(&r1, &r1, &b)) { /* No overflow happened. */ - rustsecp256k1_v0_1_1_scalar_cadd_bit(&r2, bit, 1); - CHECK(rustsecp256k1_v0_1_1_scalar_eq(&r1, &r2)); + rustsecp256k1_v0_1_2_scalar_cadd_bit(&r2, bit, 1); + CHECK(rustsecp256k1_v0_1_2_scalar_eq(&r1, &r2)); /* cadd is a noop when flag is zero */ - rustsecp256k1_v0_1_1_scalar_cadd_bit(&r2, bit, 0); - CHECK(rustsecp256k1_v0_1_1_scalar_eq(&r1, &r2)); + rustsecp256k1_v0_1_2_scalar_cadd_bit(&r2, bit, 0); + CHECK(rustsecp256k1_v0_1_2_scalar_eq(&r1, &r2)); } } { /* Test commutativity of mul. */ - rustsecp256k1_v0_1_1_scalar r1, r2; - rustsecp256k1_v0_1_1_scalar_mul(&r1, &s1, &s2); - rustsecp256k1_v0_1_1_scalar_mul(&r2, &s2, &s1); - CHECK(rustsecp256k1_v0_1_1_scalar_eq(&r1, &r2)); + rustsecp256k1_v0_1_2_scalar r1, r2; + rustsecp256k1_v0_1_2_scalar_mul(&r1, &s1, &s2); + rustsecp256k1_v0_1_2_scalar_mul(&r2, &s2, &s1); + CHECK(rustsecp256k1_v0_1_2_scalar_eq(&r1, &r2)); } { /* Test associativity of add. */ - rustsecp256k1_v0_1_1_scalar r1, r2; - rustsecp256k1_v0_1_1_scalar_add(&r1, &s1, &s2); - rustsecp256k1_v0_1_1_scalar_add(&r1, &r1, &s); - rustsecp256k1_v0_1_1_scalar_add(&r2, &s2, &s); - rustsecp256k1_v0_1_1_scalar_add(&r2, &s1, &r2); - CHECK(rustsecp256k1_v0_1_1_scalar_eq(&r1, &r2)); + rustsecp256k1_v0_1_2_scalar r1, r2; + rustsecp256k1_v0_1_2_scalar_add(&r1, &s1, &s2); + rustsecp256k1_v0_1_2_scalar_add(&r1, &r1, &s); + rustsecp256k1_v0_1_2_scalar_add(&r2, &s2, &s); + rustsecp256k1_v0_1_2_scalar_add(&r2, &s1, &r2); + CHECK(rustsecp256k1_v0_1_2_scalar_eq(&r1, &r2)); } { /* Test associativity of mul. */ - rustsecp256k1_v0_1_1_scalar r1, r2; - rustsecp256k1_v0_1_1_scalar_mul(&r1, &s1, &s2); - rustsecp256k1_v0_1_1_scalar_mul(&r1, &r1, &s); - rustsecp256k1_v0_1_1_scalar_mul(&r2, &s2, &s); - rustsecp256k1_v0_1_1_scalar_mul(&r2, &s1, &r2); - CHECK(rustsecp256k1_v0_1_1_scalar_eq(&r1, &r2)); + rustsecp256k1_v0_1_2_scalar r1, r2; + rustsecp256k1_v0_1_2_scalar_mul(&r1, &s1, &s2); + rustsecp256k1_v0_1_2_scalar_mul(&r1, &r1, &s); + rustsecp256k1_v0_1_2_scalar_mul(&r2, &s2, &s); + rustsecp256k1_v0_1_2_scalar_mul(&r2, &s1, &r2); + CHECK(rustsecp256k1_v0_1_2_scalar_eq(&r1, &r2)); } { /* Test distributitivity of mul over add. */ - rustsecp256k1_v0_1_1_scalar r1, r2, t; - rustsecp256k1_v0_1_1_scalar_add(&r1, &s1, &s2); - rustsecp256k1_v0_1_1_scalar_mul(&r1, &r1, &s); - rustsecp256k1_v0_1_1_scalar_mul(&r2, &s1, &s); - rustsecp256k1_v0_1_1_scalar_mul(&t, &s2, &s); - rustsecp256k1_v0_1_1_scalar_add(&r2, &r2, &t); - CHECK(rustsecp256k1_v0_1_1_scalar_eq(&r1, &r2)); + rustsecp256k1_v0_1_2_scalar r1, r2, t; + rustsecp256k1_v0_1_2_scalar_add(&r1, &s1, &s2); + rustsecp256k1_v0_1_2_scalar_mul(&r1, &r1, &s); + rustsecp256k1_v0_1_2_scalar_mul(&r2, &s1, &s); + rustsecp256k1_v0_1_2_scalar_mul(&t, &s2, &s); + rustsecp256k1_v0_1_2_scalar_add(&r2, &r2, &t); + CHECK(rustsecp256k1_v0_1_2_scalar_eq(&r1, &r2)); } { /* Test square. */ - rustsecp256k1_v0_1_1_scalar r1, r2; - rustsecp256k1_v0_1_1_scalar_sqr(&r1, &s1); - rustsecp256k1_v0_1_1_scalar_mul(&r2, &s1, &s1); - CHECK(rustsecp256k1_v0_1_1_scalar_eq(&r1, &r2)); + rustsecp256k1_v0_1_2_scalar r1, r2; + rustsecp256k1_v0_1_2_scalar_sqr(&r1, &s1); + rustsecp256k1_v0_1_2_scalar_mul(&r2, &s1, &s1); + CHECK(rustsecp256k1_v0_1_2_scalar_eq(&r1, &r2)); } { /* Test multiplicative identity. */ - rustsecp256k1_v0_1_1_scalar r1, v1; - rustsecp256k1_v0_1_1_scalar_set_int(&v1,1); - rustsecp256k1_v0_1_1_scalar_mul(&r1, &s1, &v1); - CHECK(rustsecp256k1_v0_1_1_scalar_eq(&r1, &s1)); + rustsecp256k1_v0_1_2_scalar r1, v1; + rustsecp256k1_v0_1_2_scalar_set_int(&v1,1); + rustsecp256k1_v0_1_2_scalar_mul(&r1, &s1, &v1); + CHECK(rustsecp256k1_v0_1_2_scalar_eq(&r1, &s1)); } { /* Test additive identity. */ - rustsecp256k1_v0_1_1_scalar r1, v0; - rustsecp256k1_v0_1_1_scalar_set_int(&v0,0); - rustsecp256k1_v0_1_1_scalar_add(&r1, &s1, &v0); - CHECK(rustsecp256k1_v0_1_1_scalar_eq(&r1, &s1)); + rustsecp256k1_v0_1_2_scalar r1, v0; + rustsecp256k1_v0_1_2_scalar_set_int(&v0,0); + rustsecp256k1_v0_1_2_scalar_add(&r1, &s1, &v0); + CHECK(rustsecp256k1_v0_1_2_scalar_eq(&r1, &s1)); } { /* Test zero product property. */ - rustsecp256k1_v0_1_1_scalar r1, v0; - rustsecp256k1_v0_1_1_scalar_set_int(&v0,0); - rustsecp256k1_v0_1_1_scalar_mul(&r1, &s1, &v0); - CHECK(rustsecp256k1_v0_1_1_scalar_eq(&r1, &v0)); + rustsecp256k1_v0_1_2_scalar r1, v0; + rustsecp256k1_v0_1_2_scalar_set_int(&v0,0); + rustsecp256k1_v0_1_2_scalar_mul(&r1, &s1, &v0); + CHECK(rustsecp256k1_v0_1_2_scalar_eq(&r1, &v0)); } } +void run_scalar_set_b32_seckey_tests(void) { + unsigned char b32[32]; + rustsecp256k1_v0_1_2_scalar s1; + rustsecp256k1_v0_1_2_scalar s2; + + /* Usually set_b32 and set_b32_seckey give the same result */ + random_scalar_order_b32(b32); + rustsecp256k1_v0_1_2_scalar_set_b32(&s1, b32, NULL); + CHECK(rustsecp256k1_v0_1_2_scalar_set_b32_seckey(&s2, b32) == 1); + CHECK(rustsecp256k1_v0_1_2_scalar_eq(&s1, &s2) == 1); + + memset(b32, 0, sizeof(b32)); + CHECK(rustsecp256k1_v0_1_2_scalar_set_b32_seckey(&s2, b32) == 0); + memset(b32, 0xFF, sizeof(b32)); + CHECK(rustsecp256k1_v0_1_2_scalar_set_b32_seckey(&s2, b32) == 0); +} + void run_scalar_tests(void) { int i; for (i = 0; i < 128 * count; i++) { scalar_test(); } + for (i = 0; i < count; i++) { + run_scalar_set_b32_seckey_tests(); + } { /* (-1)+1 should be zero. */ - rustsecp256k1_v0_1_1_scalar s, o; - rustsecp256k1_v0_1_1_scalar_set_int(&s, 1); - CHECK(rustsecp256k1_v0_1_1_scalar_is_one(&s)); - rustsecp256k1_v0_1_1_scalar_negate(&o, &s); - rustsecp256k1_v0_1_1_scalar_add(&o, &o, &s); - CHECK(rustsecp256k1_v0_1_1_scalar_is_zero(&o)); - rustsecp256k1_v0_1_1_scalar_negate(&o, &o); - CHECK(rustsecp256k1_v0_1_1_scalar_is_zero(&o)); + rustsecp256k1_v0_1_2_scalar s, o; + rustsecp256k1_v0_1_2_scalar_set_int(&s, 1); + CHECK(rustsecp256k1_v0_1_2_scalar_is_one(&s)); + rustsecp256k1_v0_1_2_scalar_negate(&o, &s); + rustsecp256k1_v0_1_2_scalar_add(&o, &o, &s); + CHECK(rustsecp256k1_v0_1_2_scalar_is_zero(&o)); + rustsecp256k1_v0_1_2_scalar_negate(&o, &o); + CHECK(rustsecp256k1_v0_1_2_scalar_is_zero(&o)); } #ifndef USE_NUM_NONE { - /* A scalar with value of the curve order should be 0. */ - rustsecp256k1_v0_1_1_num order; - rustsecp256k1_v0_1_1_scalar zero; + /* Test rustsecp256k1_v0_1_2_scalar_set_b32 boundary conditions */ + rustsecp256k1_v0_1_2_num order; + rustsecp256k1_v0_1_2_scalar scalar; unsigned char bin[32]; + unsigned char bin_tmp[32]; int overflow = 0; - rustsecp256k1_v0_1_1_scalar_order_get_num(&order); - rustsecp256k1_v0_1_1_num_get_bin(bin, 32, &order); - rustsecp256k1_v0_1_1_scalar_set_b32(&zero, bin, &overflow); + /* 2^256-1 - order */ + static const rustsecp256k1_v0_1_2_scalar all_ones_minus_order = SECP256K1_SCALAR_CONST( + 0x00000000UL, 0x00000000UL, 0x00000000UL, 0x00000001UL, + 0x45512319UL, 0x50B75FC4UL, 0x402DA173UL, 0x2FC9BEBEUL + ); + + /* A scalar set to 0s should be 0. */ + memset(bin, 0, 32); + rustsecp256k1_v0_1_2_scalar_set_b32(&scalar, bin, &overflow); + CHECK(overflow == 0); + CHECK(rustsecp256k1_v0_1_2_scalar_is_zero(&scalar)); + + /* A scalar with value of the curve order should be 0. */ + rustsecp256k1_v0_1_2_scalar_order_get_num(&order); + rustsecp256k1_v0_1_2_num_get_bin(bin, 32, &order); + rustsecp256k1_v0_1_2_scalar_set_b32(&scalar, bin, &overflow); + CHECK(overflow == 1); + CHECK(rustsecp256k1_v0_1_2_scalar_is_zero(&scalar)); + + /* A scalar with value of the curve order minus one should not overflow. */ + bin[31] -= 1; + rustsecp256k1_v0_1_2_scalar_set_b32(&scalar, bin, &overflow); + CHECK(overflow == 0); + rustsecp256k1_v0_1_2_scalar_get_b32(bin_tmp, &scalar); + CHECK(memcmp(bin, bin_tmp, 32) == 0); + + /* A scalar set to all 1s should overflow. */ + memset(bin, 0xFF, 32); + rustsecp256k1_v0_1_2_scalar_set_b32(&scalar, bin, &overflow); CHECK(overflow == 1); - CHECK(rustsecp256k1_v0_1_1_scalar_is_zero(&zero)); + CHECK(rustsecp256k1_v0_1_2_scalar_eq(&scalar, &all_ones_minus_order)); } #endif { /* Does check_overflow check catch all ones? */ - static const rustsecp256k1_v0_1_1_scalar overflowed = SECP256K1_SCALAR_CONST( + static const rustsecp256k1_v0_1_2_scalar overflowed = SECP256K1_SCALAR_CONST( 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL ); - CHECK(rustsecp256k1_v0_1_1_scalar_check_overflow(&overflowed)); + CHECK(rustsecp256k1_v0_1_2_scalar_check_overflow(&overflowed)); } { @@ -1123,15 +1178,15 @@ void run_scalar_tests(void) { * and edge-case coverage on 32-bit and 64-bit implementations. * The responses were generated with Sage 5.9. */ - rustsecp256k1_v0_1_1_scalar x; - rustsecp256k1_v0_1_1_scalar y; - rustsecp256k1_v0_1_1_scalar z; - rustsecp256k1_v0_1_1_scalar zz; - rustsecp256k1_v0_1_1_scalar one; - rustsecp256k1_v0_1_1_scalar r1; - rustsecp256k1_v0_1_1_scalar r2; + rustsecp256k1_v0_1_2_scalar x; + rustsecp256k1_v0_1_2_scalar y; + rustsecp256k1_v0_1_2_scalar z; + rustsecp256k1_v0_1_2_scalar zz; + rustsecp256k1_v0_1_2_scalar one; + rustsecp256k1_v0_1_2_scalar r1; + rustsecp256k1_v0_1_2_scalar r2; #if defined(USE_SCALAR_INV_NUM) - rustsecp256k1_v0_1_1_scalar zzv; + rustsecp256k1_v0_1_2_scalar zzv; #endif int overflow; unsigned char chal[33][2][32] = { @@ -1666,71 +1721,71 @@ void run_scalar_tests(void) { 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46, 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}} }; - rustsecp256k1_v0_1_1_scalar_set_int(&one, 1); + rustsecp256k1_v0_1_2_scalar_set_int(&one, 1); for (i = 0; i < 33; i++) { - rustsecp256k1_v0_1_1_scalar_set_b32(&x, chal[i][0], &overflow); + rustsecp256k1_v0_1_2_scalar_set_b32(&x, chal[i][0], &overflow); CHECK(!overflow); - rustsecp256k1_v0_1_1_scalar_set_b32(&y, chal[i][1], &overflow); + rustsecp256k1_v0_1_2_scalar_set_b32(&y, chal[i][1], &overflow); CHECK(!overflow); - rustsecp256k1_v0_1_1_scalar_set_b32(&r1, res[i][0], &overflow); + rustsecp256k1_v0_1_2_scalar_set_b32(&r1, res[i][0], &overflow); CHECK(!overflow); - rustsecp256k1_v0_1_1_scalar_set_b32(&r2, res[i][1], &overflow); + rustsecp256k1_v0_1_2_scalar_set_b32(&r2, res[i][1], &overflow); CHECK(!overflow); - rustsecp256k1_v0_1_1_scalar_mul(&z, &x, &y); - CHECK(!rustsecp256k1_v0_1_1_scalar_check_overflow(&z)); - CHECK(rustsecp256k1_v0_1_1_scalar_eq(&r1, &z)); - if (!rustsecp256k1_v0_1_1_scalar_is_zero(&y)) { - rustsecp256k1_v0_1_1_scalar_inverse(&zz, &y); - CHECK(!rustsecp256k1_v0_1_1_scalar_check_overflow(&zz)); + rustsecp256k1_v0_1_2_scalar_mul(&z, &x, &y); + CHECK(!rustsecp256k1_v0_1_2_scalar_check_overflow(&z)); + CHECK(rustsecp256k1_v0_1_2_scalar_eq(&r1, &z)); + if (!rustsecp256k1_v0_1_2_scalar_is_zero(&y)) { + rustsecp256k1_v0_1_2_scalar_inverse(&zz, &y); + CHECK(!rustsecp256k1_v0_1_2_scalar_check_overflow(&zz)); #if defined(USE_SCALAR_INV_NUM) - rustsecp256k1_v0_1_1_scalar_inverse_var(&zzv, &y); - CHECK(rustsecp256k1_v0_1_1_scalar_eq(&zzv, &zz)); + rustsecp256k1_v0_1_2_scalar_inverse_var(&zzv, &y); + CHECK(rustsecp256k1_v0_1_2_scalar_eq(&zzv, &zz)); #endif - rustsecp256k1_v0_1_1_scalar_mul(&z, &z, &zz); - CHECK(!rustsecp256k1_v0_1_1_scalar_check_overflow(&z)); - CHECK(rustsecp256k1_v0_1_1_scalar_eq(&x, &z)); - rustsecp256k1_v0_1_1_scalar_mul(&zz, &zz, &y); - CHECK(!rustsecp256k1_v0_1_1_scalar_check_overflow(&zz)); - CHECK(rustsecp256k1_v0_1_1_scalar_eq(&one, &zz)); + rustsecp256k1_v0_1_2_scalar_mul(&z, &z, &zz); + CHECK(!rustsecp256k1_v0_1_2_scalar_check_overflow(&z)); + CHECK(rustsecp256k1_v0_1_2_scalar_eq(&x, &z)); + rustsecp256k1_v0_1_2_scalar_mul(&zz, &zz, &y); + CHECK(!rustsecp256k1_v0_1_2_scalar_check_overflow(&zz)); + CHECK(rustsecp256k1_v0_1_2_scalar_eq(&one, &zz)); } - rustsecp256k1_v0_1_1_scalar_mul(&z, &x, &x); - CHECK(!rustsecp256k1_v0_1_1_scalar_check_overflow(&z)); - rustsecp256k1_v0_1_1_scalar_sqr(&zz, &x); - CHECK(!rustsecp256k1_v0_1_1_scalar_check_overflow(&zz)); - CHECK(rustsecp256k1_v0_1_1_scalar_eq(&zz, &z)); - CHECK(rustsecp256k1_v0_1_1_scalar_eq(&r2, &zz)); + rustsecp256k1_v0_1_2_scalar_mul(&z, &x, &x); + CHECK(!rustsecp256k1_v0_1_2_scalar_check_overflow(&z)); + rustsecp256k1_v0_1_2_scalar_sqr(&zz, &x); + CHECK(!rustsecp256k1_v0_1_2_scalar_check_overflow(&zz)); + CHECK(rustsecp256k1_v0_1_2_scalar_eq(&zz, &z)); + CHECK(rustsecp256k1_v0_1_2_scalar_eq(&r2, &zz)); } } } /***** FIELD TESTS *****/ -void random_fe(rustsecp256k1_v0_1_1_fe *x) { +void random_fe(rustsecp256k1_v0_1_2_fe *x) { unsigned char bin[32]; do { - rustsecp256k1_v0_1_1_rand256(bin); - if (rustsecp256k1_v0_1_1_fe_set_b32(x, bin)) { + rustsecp256k1_v0_1_2_rand256(bin); + if (rustsecp256k1_v0_1_2_fe_set_b32(x, bin)) { return; } } while(1); } -void random_fe_test(rustsecp256k1_v0_1_1_fe *x) { +void random_fe_test(rustsecp256k1_v0_1_2_fe *x) { unsigned char bin[32]; do { - rustsecp256k1_v0_1_1_rand256_test(bin); - if (rustsecp256k1_v0_1_1_fe_set_b32(x, bin)) { + rustsecp256k1_v0_1_2_rand256_test(bin); + if (rustsecp256k1_v0_1_2_fe_set_b32(x, bin)) { return; } } while(1); } -void random_fe_non_zero(rustsecp256k1_v0_1_1_fe *nz) { +void random_fe_non_zero(rustsecp256k1_v0_1_2_fe *nz) { int tries = 10; while (--tries >= 0) { random_fe(nz); - rustsecp256k1_v0_1_1_fe_normalize(nz); - if (!rustsecp256k1_v0_1_1_fe_is_zero(nz)) { + rustsecp256k1_v0_1_2_fe_normalize(nz); + if (!rustsecp256k1_v0_1_2_fe_is_zero(nz)) { break; } } @@ -1738,26 +1793,26 @@ void random_fe_non_zero(rustsecp256k1_v0_1_1_fe *nz) { CHECK(tries >= 0); } -void random_fe_non_square(rustsecp256k1_v0_1_1_fe *ns) { - rustsecp256k1_v0_1_1_fe r; +void random_fe_non_square(rustsecp256k1_v0_1_2_fe *ns) { + rustsecp256k1_v0_1_2_fe r; random_fe_non_zero(ns); - if (rustsecp256k1_v0_1_1_fe_sqrt(&r, ns)) { - rustsecp256k1_v0_1_1_fe_negate(ns, ns, 1); + if (rustsecp256k1_v0_1_2_fe_sqrt(&r, ns)) { + rustsecp256k1_v0_1_2_fe_negate(ns, ns, 1); } } -int check_fe_equal(const rustsecp256k1_v0_1_1_fe *a, const rustsecp256k1_v0_1_1_fe *b) { - rustsecp256k1_v0_1_1_fe an = *a; - rustsecp256k1_v0_1_1_fe bn = *b; - rustsecp256k1_v0_1_1_fe_normalize_weak(&an); - rustsecp256k1_v0_1_1_fe_normalize_var(&bn); - return rustsecp256k1_v0_1_1_fe_equal_var(&an, &bn); +int check_fe_equal(const rustsecp256k1_v0_1_2_fe *a, const rustsecp256k1_v0_1_2_fe *b) { + rustsecp256k1_v0_1_2_fe an = *a; + rustsecp256k1_v0_1_2_fe bn = *b; + rustsecp256k1_v0_1_2_fe_normalize_weak(&an); + rustsecp256k1_v0_1_2_fe_normalize_var(&bn); + return rustsecp256k1_v0_1_2_fe_equal_var(&an, &bn); } -int check_fe_inverse(const rustsecp256k1_v0_1_1_fe *a, const rustsecp256k1_v0_1_1_fe *ai) { - rustsecp256k1_v0_1_1_fe x; - rustsecp256k1_v0_1_1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1); - rustsecp256k1_v0_1_1_fe_mul(&x, a, ai); +int check_fe_inverse(const rustsecp256k1_v0_1_2_fe *a, const rustsecp256k1_v0_1_2_fe *ai) { + rustsecp256k1_v0_1_2_fe x; + rustsecp256k1_v0_1_2_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1); + rustsecp256k1_v0_1_2_fe_mul(&x, a, ai); return check_fe_equal(&x, &one); } @@ -1768,150 +1823,158 @@ void run_field_convert(void) { 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40 }; - static const rustsecp256k1_v0_1_1_fe_storage fes = SECP256K1_FE_STORAGE_CONST( + static const rustsecp256k1_v0_1_2_fe_storage fes = SECP256K1_FE_STORAGE_CONST( 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL, 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL ); - static const rustsecp256k1_v0_1_1_fe fe = SECP256K1_FE_CONST( + static const rustsecp256k1_v0_1_2_fe fe = SECP256K1_FE_CONST( 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL, 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL ); - rustsecp256k1_v0_1_1_fe fe2; + rustsecp256k1_v0_1_2_fe fe2; unsigned char b322[32]; - rustsecp256k1_v0_1_1_fe_storage fes2; + rustsecp256k1_v0_1_2_fe_storage fes2; /* Check conversions to fe. */ - CHECK(rustsecp256k1_v0_1_1_fe_set_b32(&fe2, b32)); - CHECK(rustsecp256k1_v0_1_1_fe_equal_var(&fe, &fe2)); - rustsecp256k1_v0_1_1_fe_from_storage(&fe2, &fes); - CHECK(rustsecp256k1_v0_1_1_fe_equal_var(&fe, &fe2)); + CHECK(rustsecp256k1_v0_1_2_fe_set_b32(&fe2, b32)); + CHECK(rustsecp256k1_v0_1_2_fe_equal_var(&fe, &fe2)); + rustsecp256k1_v0_1_2_fe_from_storage(&fe2, &fes); + CHECK(rustsecp256k1_v0_1_2_fe_equal_var(&fe, &fe2)); /* Check conversion from fe. */ - rustsecp256k1_v0_1_1_fe_get_b32(b322, &fe); + rustsecp256k1_v0_1_2_fe_get_b32(b322, &fe); CHECK(memcmp(b322, b32, 32) == 0); - rustsecp256k1_v0_1_1_fe_to_storage(&fes2, &fe); + rustsecp256k1_v0_1_2_fe_to_storage(&fes2, &fe); CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0); } -int fe_memcmp(const rustsecp256k1_v0_1_1_fe *a, const rustsecp256k1_v0_1_1_fe *b) { - rustsecp256k1_v0_1_1_fe t = *b; +int fe_memcmp(const rustsecp256k1_v0_1_2_fe *a, const rustsecp256k1_v0_1_2_fe *b) { + rustsecp256k1_v0_1_2_fe t = *b; #ifdef VERIFY t.magnitude = a->magnitude; t.normalized = a->normalized; #endif - return memcmp(a, &t, sizeof(rustsecp256k1_v0_1_1_fe)); + return memcmp(a, &t, sizeof(rustsecp256k1_v0_1_2_fe)); } void run_field_misc(void) { - rustsecp256k1_v0_1_1_fe x; - rustsecp256k1_v0_1_1_fe y; - rustsecp256k1_v0_1_1_fe z; - rustsecp256k1_v0_1_1_fe q; - rustsecp256k1_v0_1_1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5); + rustsecp256k1_v0_1_2_fe x; + rustsecp256k1_v0_1_2_fe y; + rustsecp256k1_v0_1_2_fe z; + rustsecp256k1_v0_1_2_fe q; + rustsecp256k1_v0_1_2_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5); int i, j; for (i = 0; i < 5*count; i++) { - rustsecp256k1_v0_1_1_fe_storage xs, ys, zs; + rustsecp256k1_v0_1_2_fe_storage xs, ys, zs; random_fe(&x); random_fe_non_zero(&y); /* Test the fe equality and comparison operations. */ - CHECK(rustsecp256k1_v0_1_1_fe_cmp_var(&x, &x) == 0); - CHECK(rustsecp256k1_v0_1_1_fe_equal_var(&x, &x)); + CHECK(rustsecp256k1_v0_1_2_fe_cmp_var(&x, &x) == 0); + CHECK(rustsecp256k1_v0_1_2_fe_equal_var(&x, &x)); z = x; - rustsecp256k1_v0_1_1_fe_add(&z,&y); + rustsecp256k1_v0_1_2_fe_add(&z,&y); /* Test fe conditional move; z is not normalized here. */ q = x; - rustsecp256k1_v0_1_1_fe_cmov(&x, &z, 0); - VERIFY_CHECK(!x.normalized && x.magnitude == z.magnitude); - rustsecp256k1_v0_1_1_fe_cmov(&x, &x, 1); + rustsecp256k1_v0_1_2_fe_cmov(&x, &z, 0); +#ifdef VERIFY + CHECK(x.normalized && x.magnitude == 1); +#endif + rustsecp256k1_v0_1_2_fe_cmov(&x, &x, 1); CHECK(fe_memcmp(&x, &z) != 0); CHECK(fe_memcmp(&x, &q) == 0); - rustsecp256k1_v0_1_1_fe_cmov(&q, &z, 1); - VERIFY_CHECK(!q.normalized && q.magnitude == z.magnitude); + rustsecp256k1_v0_1_2_fe_cmov(&q, &z, 1); +#ifdef VERIFY + CHECK(!q.normalized && q.magnitude == z.magnitude); +#endif CHECK(fe_memcmp(&q, &z) == 0); - rustsecp256k1_v0_1_1_fe_normalize_var(&x); - rustsecp256k1_v0_1_1_fe_normalize_var(&z); - CHECK(!rustsecp256k1_v0_1_1_fe_equal_var(&x, &z)); - rustsecp256k1_v0_1_1_fe_normalize_var(&q); - rustsecp256k1_v0_1_1_fe_cmov(&q, &z, (i&1)); - VERIFY_CHECK(q.normalized && q.magnitude == 1); + rustsecp256k1_v0_1_2_fe_normalize_var(&x); + rustsecp256k1_v0_1_2_fe_normalize_var(&z); + CHECK(!rustsecp256k1_v0_1_2_fe_equal_var(&x, &z)); + rustsecp256k1_v0_1_2_fe_normalize_var(&q); + rustsecp256k1_v0_1_2_fe_cmov(&q, &z, (i&1)); +#ifdef VERIFY + CHECK(q.normalized && q.magnitude == 1); +#endif for (j = 0; j < 6; j++) { - rustsecp256k1_v0_1_1_fe_negate(&z, &z, j+1); - rustsecp256k1_v0_1_1_fe_normalize_var(&q); - rustsecp256k1_v0_1_1_fe_cmov(&q, &z, (j&1)); - VERIFY_CHECK(!q.normalized && q.magnitude == (j+2)); + rustsecp256k1_v0_1_2_fe_negate(&z, &z, j+1); + rustsecp256k1_v0_1_2_fe_normalize_var(&q); + rustsecp256k1_v0_1_2_fe_cmov(&q, &z, (j&1)); +#ifdef VERIFY + CHECK((q.normalized != (j&1)) && q.magnitude == ((j&1) ? z.magnitude : 1)); +#endif } - rustsecp256k1_v0_1_1_fe_normalize_var(&z); + rustsecp256k1_v0_1_2_fe_normalize_var(&z); /* Test storage conversion and conditional moves. */ - rustsecp256k1_v0_1_1_fe_to_storage(&xs, &x); - rustsecp256k1_v0_1_1_fe_to_storage(&ys, &y); - rustsecp256k1_v0_1_1_fe_to_storage(&zs, &z); - rustsecp256k1_v0_1_1_fe_storage_cmov(&zs, &xs, 0); - rustsecp256k1_v0_1_1_fe_storage_cmov(&zs, &zs, 1); + rustsecp256k1_v0_1_2_fe_to_storage(&xs, &x); + rustsecp256k1_v0_1_2_fe_to_storage(&ys, &y); + rustsecp256k1_v0_1_2_fe_to_storage(&zs, &z); + rustsecp256k1_v0_1_2_fe_storage_cmov(&zs, &xs, 0); + rustsecp256k1_v0_1_2_fe_storage_cmov(&zs, &zs, 1); CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0); - rustsecp256k1_v0_1_1_fe_storage_cmov(&ys, &xs, 1); + rustsecp256k1_v0_1_2_fe_storage_cmov(&ys, &xs, 1); CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0); - rustsecp256k1_v0_1_1_fe_from_storage(&x, &xs); - rustsecp256k1_v0_1_1_fe_from_storage(&y, &ys); - rustsecp256k1_v0_1_1_fe_from_storage(&z, &zs); + rustsecp256k1_v0_1_2_fe_from_storage(&x, &xs); + rustsecp256k1_v0_1_2_fe_from_storage(&y, &ys); + rustsecp256k1_v0_1_2_fe_from_storage(&z, &zs); /* Test that mul_int, mul, and add agree. */ - rustsecp256k1_v0_1_1_fe_add(&y, &x); - rustsecp256k1_v0_1_1_fe_add(&y, &x); + rustsecp256k1_v0_1_2_fe_add(&y, &x); + rustsecp256k1_v0_1_2_fe_add(&y, &x); z = x; - rustsecp256k1_v0_1_1_fe_mul_int(&z, 3); + rustsecp256k1_v0_1_2_fe_mul_int(&z, 3); CHECK(check_fe_equal(&y, &z)); - rustsecp256k1_v0_1_1_fe_add(&y, &x); - rustsecp256k1_v0_1_1_fe_add(&z, &x); + rustsecp256k1_v0_1_2_fe_add(&y, &x); + rustsecp256k1_v0_1_2_fe_add(&z, &x); CHECK(check_fe_equal(&z, &y)); z = x; - rustsecp256k1_v0_1_1_fe_mul_int(&z, 5); - rustsecp256k1_v0_1_1_fe_mul(&q, &x, &fe5); + rustsecp256k1_v0_1_2_fe_mul_int(&z, 5); + rustsecp256k1_v0_1_2_fe_mul(&q, &x, &fe5); CHECK(check_fe_equal(&z, &q)); - rustsecp256k1_v0_1_1_fe_negate(&x, &x, 1); - rustsecp256k1_v0_1_1_fe_add(&z, &x); - rustsecp256k1_v0_1_1_fe_add(&q, &x); + rustsecp256k1_v0_1_2_fe_negate(&x, &x, 1); + rustsecp256k1_v0_1_2_fe_add(&z, &x); + rustsecp256k1_v0_1_2_fe_add(&q, &x); CHECK(check_fe_equal(&y, &z)); CHECK(check_fe_equal(&q, &y)); } } void run_field_inv(void) { - rustsecp256k1_v0_1_1_fe x, xi, xii; + rustsecp256k1_v0_1_2_fe x, xi, xii; int i; for (i = 0; i < 10*count; i++) { random_fe_non_zero(&x); - rustsecp256k1_v0_1_1_fe_inv(&xi, &x); + rustsecp256k1_v0_1_2_fe_inv(&xi, &x); CHECK(check_fe_inverse(&x, &xi)); - rustsecp256k1_v0_1_1_fe_inv(&xii, &xi); + rustsecp256k1_v0_1_2_fe_inv(&xii, &xi); CHECK(check_fe_equal(&x, &xii)); } } void run_field_inv_var(void) { - rustsecp256k1_v0_1_1_fe x, xi, xii; + rustsecp256k1_v0_1_2_fe x, xi, xii; int i; for (i = 0; i < 10*count; i++) { random_fe_non_zero(&x); - rustsecp256k1_v0_1_1_fe_inv_var(&xi, &x); + rustsecp256k1_v0_1_2_fe_inv_var(&xi, &x); CHECK(check_fe_inverse(&x, &xi)); - rustsecp256k1_v0_1_1_fe_inv_var(&xii, &xi); + rustsecp256k1_v0_1_2_fe_inv_var(&xii, &xi); CHECK(check_fe_equal(&x, &xii)); } } void run_field_inv_all_var(void) { - rustsecp256k1_v0_1_1_fe x[16], xi[16], xii[16]; + rustsecp256k1_v0_1_2_fe x[16], xi[16], xii[16]; int i; /* Check it's safe to call for 0 elements */ - rustsecp256k1_v0_1_1_fe_inv_all_var(xi, x, 0); + rustsecp256k1_v0_1_2_fe_inv_all_var(xi, x, 0); for (i = 0; i < count; i++) { size_t j; - size_t len = rustsecp256k1_v0_1_1_rand_int(15) + 1; + size_t len = rustsecp256k1_v0_1_2_rand_int(15) + 1; for (j = 0; j < len; j++) { random_fe_non_zero(&x[j]); } - rustsecp256k1_v0_1_1_fe_inv_all_var(xi, x, len); + rustsecp256k1_v0_1_2_fe_inv_all_var(xi, x, len); for (j = 0; j < len; j++) { CHECK(check_fe_inverse(&x[j], &xi[j])); } - rustsecp256k1_v0_1_1_fe_inv_all_var(xii, xi, len); + rustsecp256k1_v0_1_2_fe_inv_all_var(xii, xi, len); for (j = 0; j < len; j++) { CHECK(check_fe_equal(&x[j], &xii[j])); } @@ -1919,50 +1982,50 @@ void run_field_inv_all_var(void) { } void run_sqr(void) { - rustsecp256k1_v0_1_1_fe x, s; + rustsecp256k1_v0_1_2_fe x, s; { int i; - rustsecp256k1_v0_1_1_fe_set_int(&x, 1); - rustsecp256k1_v0_1_1_fe_negate(&x, &x, 1); + rustsecp256k1_v0_1_2_fe_set_int(&x, 1); + rustsecp256k1_v0_1_2_fe_negate(&x, &x, 1); for (i = 1; i <= 512; ++i) { - rustsecp256k1_v0_1_1_fe_mul_int(&x, 2); - rustsecp256k1_v0_1_1_fe_normalize(&x); - rustsecp256k1_v0_1_1_fe_sqr(&s, &x); + rustsecp256k1_v0_1_2_fe_mul_int(&x, 2); + rustsecp256k1_v0_1_2_fe_normalize(&x); + rustsecp256k1_v0_1_2_fe_sqr(&s, &x); } } } -void test_sqrt(const rustsecp256k1_v0_1_1_fe *a, const rustsecp256k1_v0_1_1_fe *k) { - rustsecp256k1_v0_1_1_fe r1, r2; - int v = rustsecp256k1_v0_1_1_fe_sqrt(&r1, a); +void test_sqrt(const rustsecp256k1_v0_1_2_fe *a, const rustsecp256k1_v0_1_2_fe *k) { + rustsecp256k1_v0_1_2_fe r1, r2; + int v = rustsecp256k1_v0_1_2_fe_sqrt(&r1, a); CHECK((v == 0) == (k == NULL)); if (k != NULL) { /* Check that the returned root is +/- the given known answer */ - rustsecp256k1_v0_1_1_fe_negate(&r2, &r1, 1); - rustsecp256k1_v0_1_1_fe_add(&r1, k); rustsecp256k1_v0_1_1_fe_add(&r2, k); - rustsecp256k1_v0_1_1_fe_normalize(&r1); rustsecp256k1_v0_1_1_fe_normalize(&r2); - CHECK(rustsecp256k1_v0_1_1_fe_is_zero(&r1) || rustsecp256k1_v0_1_1_fe_is_zero(&r2)); + rustsecp256k1_v0_1_2_fe_negate(&r2, &r1, 1); + rustsecp256k1_v0_1_2_fe_add(&r1, k); rustsecp256k1_v0_1_2_fe_add(&r2, k); + rustsecp256k1_v0_1_2_fe_normalize(&r1); rustsecp256k1_v0_1_2_fe_normalize(&r2); + CHECK(rustsecp256k1_v0_1_2_fe_is_zero(&r1) || rustsecp256k1_v0_1_2_fe_is_zero(&r2)); } } void run_sqrt(void) { - rustsecp256k1_v0_1_1_fe ns, x, s, t; + rustsecp256k1_v0_1_2_fe ns, x, s, t; int i; /* Check sqrt(0) is 0 */ - rustsecp256k1_v0_1_1_fe_set_int(&x, 0); - rustsecp256k1_v0_1_1_fe_sqr(&s, &x); + rustsecp256k1_v0_1_2_fe_set_int(&x, 0); + rustsecp256k1_v0_1_2_fe_sqr(&s, &x); test_sqrt(&s, &x); /* Check sqrt of small squares (and their negatives) */ for (i = 1; i <= 100; i++) { - rustsecp256k1_v0_1_1_fe_set_int(&x, i); - rustsecp256k1_v0_1_1_fe_sqr(&s, &x); + rustsecp256k1_v0_1_2_fe_set_int(&x, i); + rustsecp256k1_v0_1_2_fe_sqr(&s, &x); test_sqrt(&s, &x); - rustsecp256k1_v0_1_1_fe_negate(&t, &s, 1); + rustsecp256k1_v0_1_2_fe_negate(&t, &s, 1); test_sqrt(&t, NULL); } @@ -1972,11 +2035,11 @@ void run_sqrt(void) { random_fe_non_square(&ns); for (j = 0; j < count; j++) { random_fe(&x); - rustsecp256k1_v0_1_1_fe_sqr(&s, &x); + rustsecp256k1_v0_1_2_fe_sqr(&s, &x); test_sqrt(&s, &x); - rustsecp256k1_v0_1_1_fe_negate(&t, &s, 1); + rustsecp256k1_v0_1_2_fe_negate(&t, &s, 1); test_sqrt(&t, NULL); - rustsecp256k1_v0_1_1_fe_mul(&t, &s, &ns); + rustsecp256k1_v0_1_2_fe_mul(&t, &s, &ns); test_sqrt(&t, NULL); } } @@ -1984,52 +2047,52 @@ void run_sqrt(void) { /***** GROUP TESTS *****/ -void ge_equals_ge(const rustsecp256k1_v0_1_1_ge *a, const rustsecp256k1_v0_1_1_ge *b) { +void ge_equals_ge(const rustsecp256k1_v0_1_2_ge *a, const rustsecp256k1_v0_1_2_ge *b) { CHECK(a->infinity == b->infinity); if (a->infinity) { return; } - CHECK(rustsecp256k1_v0_1_1_fe_equal_var(&a->x, &b->x)); - CHECK(rustsecp256k1_v0_1_1_fe_equal_var(&a->y, &b->y)); + CHECK(rustsecp256k1_v0_1_2_fe_equal_var(&a->x, &b->x)); + CHECK(rustsecp256k1_v0_1_2_fe_equal_var(&a->y, &b->y)); } /* This compares jacobian points including their Z, not just their geometric meaning. */ -int gej_xyz_equals_gej(const rustsecp256k1_v0_1_1_gej *a, const rustsecp256k1_v0_1_1_gej *b) { - rustsecp256k1_v0_1_1_gej a2; - rustsecp256k1_v0_1_1_gej b2; +int gej_xyz_equals_gej(const rustsecp256k1_v0_1_2_gej *a, const rustsecp256k1_v0_1_2_gej *b) { + rustsecp256k1_v0_1_2_gej a2; + rustsecp256k1_v0_1_2_gej b2; int ret = 1; ret &= a->infinity == b->infinity; if (ret && !a->infinity) { a2 = *a; b2 = *b; - rustsecp256k1_v0_1_1_fe_normalize(&a2.x); - rustsecp256k1_v0_1_1_fe_normalize(&a2.y); - rustsecp256k1_v0_1_1_fe_normalize(&a2.z); - rustsecp256k1_v0_1_1_fe_normalize(&b2.x); - rustsecp256k1_v0_1_1_fe_normalize(&b2.y); - rustsecp256k1_v0_1_1_fe_normalize(&b2.z); - ret &= rustsecp256k1_v0_1_1_fe_cmp_var(&a2.x, &b2.x) == 0; - ret &= rustsecp256k1_v0_1_1_fe_cmp_var(&a2.y, &b2.y) == 0; - ret &= rustsecp256k1_v0_1_1_fe_cmp_var(&a2.z, &b2.z) == 0; + rustsecp256k1_v0_1_2_fe_normalize(&a2.x); + rustsecp256k1_v0_1_2_fe_normalize(&a2.y); + rustsecp256k1_v0_1_2_fe_normalize(&a2.z); + rustsecp256k1_v0_1_2_fe_normalize(&b2.x); + rustsecp256k1_v0_1_2_fe_normalize(&b2.y); + rustsecp256k1_v0_1_2_fe_normalize(&b2.z); + ret &= rustsecp256k1_v0_1_2_fe_cmp_var(&a2.x, &b2.x) == 0; + ret &= rustsecp256k1_v0_1_2_fe_cmp_var(&a2.y, &b2.y) == 0; + ret &= rustsecp256k1_v0_1_2_fe_cmp_var(&a2.z, &b2.z) == 0; } return ret; } -void ge_equals_gej(const rustsecp256k1_v0_1_1_ge *a, const rustsecp256k1_v0_1_1_gej *b) { - rustsecp256k1_v0_1_1_fe z2s; - rustsecp256k1_v0_1_1_fe u1, u2, s1, s2; +void ge_equals_gej(const rustsecp256k1_v0_1_2_ge *a, const rustsecp256k1_v0_1_2_gej *b) { + rustsecp256k1_v0_1_2_fe z2s; + rustsecp256k1_v0_1_2_fe u1, u2, s1, s2; CHECK(a->infinity == b->infinity); if (a->infinity) { return; } /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */ - rustsecp256k1_v0_1_1_fe_sqr(&z2s, &b->z); - rustsecp256k1_v0_1_1_fe_mul(&u1, &a->x, &z2s); - u2 = b->x; rustsecp256k1_v0_1_1_fe_normalize_weak(&u2); - rustsecp256k1_v0_1_1_fe_mul(&s1, &a->y, &z2s); rustsecp256k1_v0_1_1_fe_mul(&s1, &s1, &b->z); - s2 = b->y; rustsecp256k1_v0_1_1_fe_normalize_weak(&s2); - CHECK(rustsecp256k1_v0_1_1_fe_equal_var(&u1, &u2)); - CHECK(rustsecp256k1_v0_1_1_fe_equal_var(&s1, &s2)); + rustsecp256k1_v0_1_2_fe_sqr(&z2s, &b->z); + rustsecp256k1_v0_1_2_fe_mul(&u1, &a->x, &z2s); + u2 = b->x; rustsecp256k1_v0_1_2_fe_normalize_weak(&u2); + rustsecp256k1_v0_1_2_fe_mul(&s1, &a->y, &z2s); rustsecp256k1_v0_1_2_fe_mul(&s1, &s1, &b->z); + s2 = b->y; rustsecp256k1_v0_1_2_fe_normalize_weak(&s2); + CHECK(rustsecp256k1_v0_1_2_fe_equal_var(&u1, &u2)); + CHECK(rustsecp256k1_v0_1_2_fe_equal_var(&s1, &s2)); } void test_ge(void) { @@ -2046,34 +2109,34 @@ void test_ge(void) { * * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well. */ - rustsecp256k1_v0_1_1_ge *ge = (rustsecp256k1_v0_1_1_ge *)checked_malloc(&ctx->error_callback, sizeof(rustsecp256k1_v0_1_1_ge) * (1 + 4 * runs)); - rustsecp256k1_v0_1_1_gej *gej = (rustsecp256k1_v0_1_1_gej *)checked_malloc(&ctx->error_callback, sizeof(rustsecp256k1_v0_1_1_gej) * (1 + 4 * runs)); - rustsecp256k1_v0_1_1_fe *zinv = (rustsecp256k1_v0_1_1_fe *)checked_malloc(&ctx->error_callback, sizeof(rustsecp256k1_v0_1_1_fe) * (1 + 4 * runs)); - rustsecp256k1_v0_1_1_fe zf; - rustsecp256k1_v0_1_1_fe zfi2, zfi3; - - rustsecp256k1_v0_1_1_gej_set_infinity(&gej[0]); - rustsecp256k1_v0_1_1_ge_clear(&ge[0]); - rustsecp256k1_v0_1_1_ge_set_gej_var(&ge[0], &gej[0]); + rustsecp256k1_v0_1_2_ge *ge = (rustsecp256k1_v0_1_2_ge *)checked_malloc(&ctx->error_callback, sizeof(rustsecp256k1_v0_1_2_ge) * (1 + 4 * runs)); + rustsecp256k1_v0_1_2_gej *gej = (rustsecp256k1_v0_1_2_gej *)checked_malloc(&ctx->error_callback, sizeof(rustsecp256k1_v0_1_2_gej) * (1 + 4 * runs)); + rustsecp256k1_v0_1_2_fe *zinv = (rustsecp256k1_v0_1_2_fe *)checked_malloc(&ctx->error_callback, sizeof(rustsecp256k1_v0_1_2_fe) * (1 + 4 * runs)); + rustsecp256k1_v0_1_2_fe zf; + rustsecp256k1_v0_1_2_fe zfi2, zfi3; + + rustsecp256k1_v0_1_2_gej_set_infinity(&gej[0]); + rustsecp256k1_v0_1_2_ge_clear(&ge[0]); + rustsecp256k1_v0_1_2_ge_set_gej_var(&ge[0], &gej[0]); for (i = 0; i < runs; i++) { int j; - rustsecp256k1_v0_1_1_ge g; + rustsecp256k1_v0_1_2_ge g; random_group_element_test(&g); #ifdef USE_ENDOMORPHISM if (i >= runs - 2) { - rustsecp256k1_v0_1_1_ge_mul_lambda(&g, &ge[1]); + rustsecp256k1_v0_1_2_ge_mul_lambda(&g, &ge[1]); } if (i >= runs - 1) { - rustsecp256k1_v0_1_1_ge_mul_lambda(&g, &g); + rustsecp256k1_v0_1_2_ge_mul_lambda(&g, &g); } #endif ge[1 + 4 * i] = g; ge[2 + 4 * i] = g; - rustsecp256k1_v0_1_1_ge_neg(&ge[3 + 4 * i], &g); - rustsecp256k1_v0_1_1_ge_neg(&ge[4 + 4 * i], &g); - rustsecp256k1_v0_1_1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]); + rustsecp256k1_v0_1_2_ge_neg(&ge[3 + 4 * i], &g); + rustsecp256k1_v0_1_2_ge_neg(&ge[4 + 4 * i], &g); + rustsecp256k1_v0_1_2_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]); random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]); - rustsecp256k1_v0_1_1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]); + rustsecp256k1_v0_1_2_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]); random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]); for (j = 0; j < 4; j++) { random_field_element_magnitude(&ge[1 + j + 4 * i].x); @@ -2086,99 +2149,99 @@ void test_ge(void) { /* Compute z inverses. */ { - rustsecp256k1_v0_1_1_fe *zs = checked_malloc(&ctx->error_callback, sizeof(rustsecp256k1_v0_1_1_fe) * (1 + 4 * runs)); + rustsecp256k1_v0_1_2_fe *zs = checked_malloc(&ctx->error_callback, sizeof(rustsecp256k1_v0_1_2_fe) * (1 + 4 * runs)); for (i = 0; i < 4 * runs + 1; i++) { if (i == 0) { /* The point at infinity does not have a meaningful z inverse. Any should do. */ do { random_field_element_test(&zs[i]); - } while(rustsecp256k1_v0_1_1_fe_is_zero(&zs[i])); + } while(rustsecp256k1_v0_1_2_fe_is_zero(&zs[i])); } else { zs[i] = gej[i].z; } } - rustsecp256k1_v0_1_1_fe_inv_all_var(zinv, zs, 4 * runs + 1); + rustsecp256k1_v0_1_2_fe_inv_all_var(zinv, zs, 4 * runs + 1); free(zs); } /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */ do { random_field_element_test(&zf); - } while(rustsecp256k1_v0_1_1_fe_is_zero(&zf)); + } while(rustsecp256k1_v0_1_2_fe_is_zero(&zf)); random_field_element_magnitude(&zf); - rustsecp256k1_v0_1_1_fe_inv_var(&zfi3, &zf); - rustsecp256k1_v0_1_1_fe_sqr(&zfi2, &zfi3); - rustsecp256k1_v0_1_1_fe_mul(&zfi3, &zfi3, &zfi2); + rustsecp256k1_v0_1_2_fe_inv_var(&zfi3, &zf); + rustsecp256k1_v0_1_2_fe_sqr(&zfi2, &zfi3); + rustsecp256k1_v0_1_2_fe_mul(&zfi3, &zfi3, &zfi2); for (i1 = 0; i1 < 1 + 4 * runs; i1++) { int i2; for (i2 = 0; i2 < 1 + 4 * runs; i2++) { /* Compute reference result using gej + gej (var). */ - rustsecp256k1_v0_1_1_gej refj, resj; - rustsecp256k1_v0_1_1_ge ref; - rustsecp256k1_v0_1_1_fe zr; - rustsecp256k1_v0_1_1_gej_add_var(&refj, &gej[i1], &gej[i2], rustsecp256k1_v0_1_1_gej_is_infinity(&gej[i1]) ? NULL : &zr); + rustsecp256k1_v0_1_2_gej refj, resj; + rustsecp256k1_v0_1_2_ge ref; + rustsecp256k1_v0_1_2_fe zr; + rustsecp256k1_v0_1_2_gej_add_var(&refj, &gej[i1], &gej[i2], rustsecp256k1_v0_1_2_gej_is_infinity(&gej[i1]) ? NULL : &zr); /* Check Z ratio. */ - if (!rustsecp256k1_v0_1_1_gej_is_infinity(&gej[i1]) && !rustsecp256k1_v0_1_1_gej_is_infinity(&refj)) { - rustsecp256k1_v0_1_1_fe zrz; rustsecp256k1_v0_1_1_fe_mul(&zrz, &zr, &gej[i1].z); - CHECK(rustsecp256k1_v0_1_1_fe_equal_var(&zrz, &refj.z)); + if (!rustsecp256k1_v0_1_2_gej_is_infinity(&gej[i1]) && !rustsecp256k1_v0_1_2_gej_is_infinity(&refj)) { + rustsecp256k1_v0_1_2_fe zrz; rustsecp256k1_v0_1_2_fe_mul(&zrz, &zr, &gej[i1].z); + CHECK(rustsecp256k1_v0_1_2_fe_equal_var(&zrz, &refj.z)); } - rustsecp256k1_v0_1_1_ge_set_gej_var(&ref, &refj); + rustsecp256k1_v0_1_2_ge_set_gej_var(&ref, &refj); /* Test gej + ge with Z ratio result (var). */ - rustsecp256k1_v0_1_1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], rustsecp256k1_v0_1_1_gej_is_infinity(&gej[i1]) ? NULL : &zr); + rustsecp256k1_v0_1_2_gej_add_ge_var(&resj, &gej[i1], &ge[i2], rustsecp256k1_v0_1_2_gej_is_infinity(&gej[i1]) ? NULL : &zr); ge_equals_gej(&ref, &resj); - if (!rustsecp256k1_v0_1_1_gej_is_infinity(&gej[i1]) && !rustsecp256k1_v0_1_1_gej_is_infinity(&resj)) { - rustsecp256k1_v0_1_1_fe zrz; rustsecp256k1_v0_1_1_fe_mul(&zrz, &zr, &gej[i1].z); - CHECK(rustsecp256k1_v0_1_1_fe_equal_var(&zrz, &resj.z)); + if (!rustsecp256k1_v0_1_2_gej_is_infinity(&gej[i1]) && !rustsecp256k1_v0_1_2_gej_is_infinity(&resj)) { + rustsecp256k1_v0_1_2_fe zrz; rustsecp256k1_v0_1_2_fe_mul(&zrz, &zr, &gej[i1].z); + CHECK(rustsecp256k1_v0_1_2_fe_equal_var(&zrz, &resj.z)); } /* Test gej + ge (var, with additional Z factor). */ { - rustsecp256k1_v0_1_1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */ - rustsecp256k1_v0_1_1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2); - rustsecp256k1_v0_1_1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3); + rustsecp256k1_v0_1_2_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */ + rustsecp256k1_v0_1_2_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2); + rustsecp256k1_v0_1_2_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3); random_field_element_magnitude(&ge2_zfi.x); random_field_element_magnitude(&ge2_zfi.y); - rustsecp256k1_v0_1_1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf); + rustsecp256k1_v0_1_2_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf); ge_equals_gej(&ref, &resj); } /* Test gej + ge (const). */ if (i2 != 0) { - /* rustsecp256k1_v0_1_1_gej_add_ge does not support its second argument being infinity. */ - rustsecp256k1_v0_1_1_gej_add_ge(&resj, &gej[i1], &ge[i2]); + /* rustsecp256k1_v0_1_2_gej_add_ge does not support its second argument being infinity. */ + rustsecp256k1_v0_1_2_gej_add_ge(&resj, &gej[i1], &ge[i2]); ge_equals_gej(&ref, &resj); } /* Test doubling (var). */ if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) { - rustsecp256k1_v0_1_1_fe zr2; + rustsecp256k1_v0_1_2_fe zr2; /* Normal doubling with Z ratio result. */ - rustsecp256k1_v0_1_1_gej_double_var(&resj, &gej[i1], &zr2); + rustsecp256k1_v0_1_2_gej_double_var(&resj, &gej[i1], &zr2); ge_equals_gej(&ref, &resj); /* Check Z ratio. */ - rustsecp256k1_v0_1_1_fe_mul(&zr2, &zr2, &gej[i1].z); - CHECK(rustsecp256k1_v0_1_1_fe_equal_var(&zr2, &resj.z)); + rustsecp256k1_v0_1_2_fe_mul(&zr2, &zr2, &gej[i1].z); + CHECK(rustsecp256k1_v0_1_2_fe_equal_var(&zr2, &resj.z)); /* Normal doubling. */ - rustsecp256k1_v0_1_1_gej_double_var(&resj, &gej[i2], NULL); + rustsecp256k1_v0_1_2_gej_double_var(&resj, &gej[i2], NULL); ge_equals_gej(&ref, &resj); } /* Test adding opposites. */ if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) { - CHECK(rustsecp256k1_v0_1_1_ge_is_infinity(&ref)); + CHECK(rustsecp256k1_v0_1_2_ge_is_infinity(&ref)); } /* Test adding infinity. */ if (i1 == 0) { - CHECK(rustsecp256k1_v0_1_1_ge_is_infinity(&ge[i1])); - CHECK(rustsecp256k1_v0_1_1_gej_is_infinity(&gej[i1])); + CHECK(rustsecp256k1_v0_1_2_ge_is_infinity(&ge[i1])); + CHECK(rustsecp256k1_v0_1_2_gej_is_infinity(&gej[i1])); ge_equals_gej(&ref, &gej[i2]); } if (i2 == 0) { - CHECK(rustsecp256k1_v0_1_1_ge_is_infinity(&ge[i2])); - CHECK(rustsecp256k1_v0_1_1_gej_is_infinity(&gej[i2])); + CHECK(rustsecp256k1_v0_1_2_ge_is_infinity(&ge[i2])); + CHECK(rustsecp256k1_v0_1_2_gej_is_infinity(&gej[i2])); ge_equals_gej(&ref, &gej[i1]); } } @@ -2186,41 +2249,41 @@ void test_ge(void) { /* Test adding all points together in random order equals infinity. */ { - rustsecp256k1_v0_1_1_gej sum = SECP256K1_GEJ_CONST_INFINITY; - rustsecp256k1_v0_1_1_gej *gej_shuffled = (rustsecp256k1_v0_1_1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(rustsecp256k1_v0_1_1_gej)); + rustsecp256k1_v0_1_2_gej sum = SECP256K1_GEJ_CONST_INFINITY; + rustsecp256k1_v0_1_2_gej *gej_shuffled = (rustsecp256k1_v0_1_2_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(rustsecp256k1_v0_1_2_gej)); for (i = 0; i < 4 * runs + 1; i++) { gej_shuffled[i] = gej[i]; } for (i = 0; i < 4 * runs + 1; i++) { - int swap = i + rustsecp256k1_v0_1_1_rand_int(4 * runs + 1 - i); + int swap = i + rustsecp256k1_v0_1_2_rand_int(4 * runs + 1 - i); if (swap != i) { - rustsecp256k1_v0_1_1_gej t = gej_shuffled[i]; + rustsecp256k1_v0_1_2_gej t = gej_shuffled[i]; gej_shuffled[i] = gej_shuffled[swap]; gej_shuffled[swap] = t; } } for (i = 0; i < 4 * runs + 1; i++) { - rustsecp256k1_v0_1_1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL); + rustsecp256k1_v0_1_2_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL); } - CHECK(rustsecp256k1_v0_1_1_gej_is_infinity(&sum)); + CHECK(rustsecp256k1_v0_1_2_gej_is_infinity(&sum)); free(gej_shuffled); } /* Test batch gej -> ge conversion with and without known z ratios. */ { - rustsecp256k1_v0_1_1_fe *zr = (rustsecp256k1_v0_1_1_fe *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(rustsecp256k1_v0_1_1_fe)); - rustsecp256k1_v0_1_1_ge *ge_set_all = (rustsecp256k1_v0_1_1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(rustsecp256k1_v0_1_1_ge)); + rustsecp256k1_v0_1_2_fe *zr = (rustsecp256k1_v0_1_2_fe *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(rustsecp256k1_v0_1_2_fe)); + rustsecp256k1_v0_1_2_ge *ge_set_all = (rustsecp256k1_v0_1_2_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(rustsecp256k1_v0_1_2_ge)); for (i = 0; i < 4 * runs + 1; i++) { /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */ if (i < 4 * runs) { - rustsecp256k1_v0_1_1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z); + rustsecp256k1_v0_1_2_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z); } } - rustsecp256k1_v0_1_1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1); + rustsecp256k1_v0_1_2_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1); for (i = 0; i < 4 * runs + 1; i++) { - rustsecp256k1_v0_1_1_fe s; + rustsecp256k1_v0_1_2_fe s; random_fe_non_zero(&s); - rustsecp256k1_v0_1_1_gej_rescale(&gej[i], &s); + rustsecp256k1_v0_1_2_gej_rescale(&gej[i], &s); ge_equals_gej(&ge_set_all[i], &gej[i]); } free(ge_set_all); @@ -2230,14 +2293,14 @@ void test_ge(void) { /* Test batch gej -> ge conversion with many infinities. */ for (i = 0; i < 4 * runs + 1; i++) { random_group_element_test(&ge[i]); - /* randomly set half the points to infinitiy */ - if(rustsecp256k1_v0_1_1_fe_is_odd(&ge[i].x)) { - rustsecp256k1_v0_1_1_ge_set_infinity(&ge[i]); + /* randomly set half the points to infinity */ + if(rustsecp256k1_v0_1_2_fe_is_odd(&ge[i].x)) { + rustsecp256k1_v0_1_2_ge_set_infinity(&ge[i]); } - rustsecp256k1_v0_1_1_gej_set_ge(&gej[i], &ge[i]); + rustsecp256k1_v0_1_2_gej_set_ge(&gej[i], &ge[i]); } /* batch invert */ - rustsecp256k1_v0_1_1_ge_set_all_gej_var(ge, gej, 4 * runs + 1); + rustsecp256k1_v0_1_2_ge_set_all_gej_var(ge, gej, 4 * runs + 1); /* check result */ for (i = 0; i < 4 * runs + 1; i++) { ge_equals_gej(&ge[i], &gej[i]); @@ -2279,39 +2342,39 @@ void test_add_neg_y_diff_x(void) { * print " Q: %x %x" % Q.xy() * print "P + Q: %x %x" % (P + Q).xy() */ - rustsecp256k1_v0_1_1_gej aj = SECP256K1_GEJ_CONST( + rustsecp256k1_v0_1_2_gej aj = SECP256K1_GEJ_CONST( 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30, 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb, 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8, 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d ); - rustsecp256k1_v0_1_1_gej bj = SECP256K1_GEJ_CONST( + rustsecp256k1_v0_1_2_gej bj = SECP256K1_GEJ_CONST( 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86, 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7, 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57, 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2 ); - rustsecp256k1_v0_1_1_gej sumj = SECP256K1_GEJ_CONST( + rustsecp256k1_v0_1_2_gej sumj = SECP256K1_GEJ_CONST( 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027, 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a, 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08, 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe ); - rustsecp256k1_v0_1_1_ge b; - rustsecp256k1_v0_1_1_gej resj; - rustsecp256k1_v0_1_1_ge res; - rustsecp256k1_v0_1_1_ge_set_gej(&b, &bj); + rustsecp256k1_v0_1_2_ge b; + rustsecp256k1_v0_1_2_gej resj; + rustsecp256k1_v0_1_2_ge res; + rustsecp256k1_v0_1_2_ge_set_gej(&b, &bj); - rustsecp256k1_v0_1_1_gej_add_var(&resj, &aj, &bj, NULL); - rustsecp256k1_v0_1_1_ge_set_gej(&res, &resj); + rustsecp256k1_v0_1_2_gej_add_var(&resj, &aj, &bj, NULL); + rustsecp256k1_v0_1_2_ge_set_gej(&res, &resj); ge_equals_gej(&res, &sumj); - rustsecp256k1_v0_1_1_gej_add_ge(&resj, &aj, &b); - rustsecp256k1_v0_1_1_ge_set_gej(&res, &resj); + rustsecp256k1_v0_1_2_gej_add_ge(&resj, &aj, &b); + rustsecp256k1_v0_1_2_ge_set_gej(&res, &resj); ge_equals_gej(&res, &sumj); - rustsecp256k1_v0_1_1_gej_add_ge_var(&resj, &aj, &b, NULL); - rustsecp256k1_v0_1_1_ge_set_gej(&res, &resj); + rustsecp256k1_v0_1_2_gej_add_ge_var(&resj, &aj, &b, NULL); + rustsecp256k1_v0_1_2_ge_set_gej(&res, &resj); ge_equals_gej(&res, &sumj); } @@ -2324,26 +2387,26 @@ void run_ge(void) { } void test_ec_combine(void) { - rustsecp256k1_v0_1_1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); - rustsecp256k1_v0_1_1_pubkey data[6]; - const rustsecp256k1_v0_1_1_pubkey* d[6]; - rustsecp256k1_v0_1_1_pubkey sd; - rustsecp256k1_v0_1_1_pubkey sd2; - rustsecp256k1_v0_1_1_gej Qj; - rustsecp256k1_v0_1_1_ge Q; + rustsecp256k1_v0_1_2_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); + rustsecp256k1_v0_1_2_pubkey data[6]; + const rustsecp256k1_v0_1_2_pubkey* d[6]; + rustsecp256k1_v0_1_2_pubkey sd; + rustsecp256k1_v0_1_2_pubkey sd2; + rustsecp256k1_v0_1_2_gej Qj; + rustsecp256k1_v0_1_2_ge Q; int i; for (i = 1; i <= 6; i++) { - rustsecp256k1_v0_1_1_scalar s; + rustsecp256k1_v0_1_2_scalar s; random_scalar_order_test(&s); - rustsecp256k1_v0_1_1_scalar_add(&sum, &sum, &s); - rustsecp256k1_v0_1_1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s); - rustsecp256k1_v0_1_1_ge_set_gej(&Q, &Qj); - rustsecp256k1_v0_1_1_pubkey_save(&data[i - 1], &Q); + rustsecp256k1_v0_1_2_scalar_add(&sum, &sum, &s); + rustsecp256k1_v0_1_2_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s); + rustsecp256k1_v0_1_2_ge_set_gej(&Q, &Qj); + rustsecp256k1_v0_1_2_pubkey_save(&data[i - 1], &Q); d[i - 1] = &data[i - 1]; - rustsecp256k1_v0_1_1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum); - rustsecp256k1_v0_1_1_ge_set_gej(&Q, &Qj); - rustsecp256k1_v0_1_1_pubkey_save(&sd, &Q); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_combine(ctx, &sd2, d, i) == 1); + rustsecp256k1_v0_1_2_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum); + rustsecp256k1_v0_1_2_ge_set_gej(&Q, &Qj); + rustsecp256k1_v0_1_2_pubkey_save(&sd, &Q); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_combine(ctx, &sd2, d, i) == 1); CHECK(memcmp(&sd, &sd2, sizeof(sd)) == 0); } } @@ -2355,32 +2418,32 @@ void run_ec_combine(void) { } } -void test_group_decompress(const rustsecp256k1_v0_1_1_fe* x) { +void test_group_decompress(const rustsecp256k1_v0_1_2_fe* x) { /* The input itself, normalized. */ - rustsecp256k1_v0_1_1_fe fex = *x; - rustsecp256k1_v0_1_1_fe fez; + rustsecp256k1_v0_1_2_fe fex = *x; + rustsecp256k1_v0_1_2_fe fez; /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */ - rustsecp256k1_v0_1_1_ge ge_quad, ge_even, ge_odd; - rustsecp256k1_v0_1_1_gej gej_quad; + rustsecp256k1_v0_1_2_ge ge_quad, ge_even, ge_odd; + rustsecp256k1_v0_1_2_gej gej_quad; /* Return values of the above calls. */ int res_quad, res_even, res_odd; - rustsecp256k1_v0_1_1_fe_normalize_var(&fex); + rustsecp256k1_v0_1_2_fe_normalize_var(&fex); - res_quad = rustsecp256k1_v0_1_1_ge_set_xquad(&ge_quad, &fex); - res_even = rustsecp256k1_v0_1_1_ge_set_xo_var(&ge_even, &fex, 0); - res_odd = rustsecp256k1_v0_1_1_ge_set_xo_var(&ge_odd, &fex, 1); + res_quad = rustsecp256k1_v0_1_2_ge_set_xquad(&ge_quad, &fex); + res_even = rustsecp256k1_v0_1_2_ge_set_xo_var(&ge_even, &fex, 0); + res_odd = rustsecp256k1_v0_1_2_ge_set_xo_var(&ge_odd, &fex, 1); CHECK(res_quad == res_even); CHECK(res_quad == res_odd); if (res_quad) { - rustsecp256k1_v0_1_1_fe_normalize_var(&ge_quad.x); - rustsecp256k1_v0_1_1_fe_normalize_var(&ge_odd.x); - rustsecp256k1_v0_1_1_fe_normalize_var(&ge_even.x); - rustsecp256k1_v0_1_1_fe_normalize_var(&ge_quad.y); - rustsecp256k1_v0_1_1_fe_normalize_var(&ge_odd.y); - rustsecp256k1_v0_1_1_fe_normalize_var(&ge_even.y); + rustsecp256k1_v0_1_2_fe_normalize_var(&ge_quad.x); + rustsecp256k1_v0_1_2_fe_normalize_var(&ge_odd.x); + rustsecp256k1_v0_1_2_fe_normalize_var(&ge_even.x); + rustsecp256k1_v0_1_2_fe_normalize_var(&ge_quad.y); + rustsecp256k1_v0_1_2_fe_normalize_var(&ge_odd.y); + rustsecp256k1_v0_1_2_fe_normalize_var(&ge_even.y); /* No infinity allowed. */ CHECK(!ge_quad.infinity); @@ -2388,41 +2451,41 @@ void test_group_decompress(const rustsecp256k1_v0_1_1_fe* x) { CHECK(!ge_odd.infinity); /* Check that the x coordinates check out. */ - CHECK(rustsecp256k1_v0_1_1_fe_equal_var(&ge_quad.x, x)); - CHECK(rustsecp256k1_v0_1_1_fe_equal_var(&ge_even.x, x)); - CHECK(rustsecp256k1_v0_1_1_fe_equal_var(&ge_odd.x, x)); + CHECK(rustsecp256k1_v0_1_2_fe_equal_var(&ge_quad.x, x)); + CHECK(rustsecp256k1_v0_1_2_fe_equal_var(&ge_even.x, x)); + CHECK(rustsecp256k1_v0_1_2_fe_equal_var(&ge_odd.x, x)); /* Check that the Y coordinate result in ge_quad is a square. */ - CHECK(rustsecp256k1_v0_1_1_fe_is_quad_var(&ge_quad.y)); + CHECK(rustsecp256k1_v0_1_2_fe_is_quad_var(&ge_quad.y)); /* Check odd/even Y in ge_odd, ge_even. */ - CHECK(rustsecp256k1_v0_1_1_fe_is_odd(&ge_odd.y)); - CHECK(!rustsecp256k1_v0_1_1_fe_is_odd(&ge_even.y)); + CHECK(rustsecp256k1_v0_1_2_fe_is_odd(&ge_odd.y)); + CHECK(!rustsecp256k1_v0_1_2_fe_is_odd(&ge_even.y)); - /* Check rustsecp256k1_v0_1_1_gej_has_quad_y_var. */ - rustsecp256k1_v0_1_1_gej_set_ge(&gej_quad, &ge_quad); - CHECK(rustsecp256k1_v0_1_1_gej_has_quad_y_var(&gej_quad)); + /* Check rustsecp256k1_v0_1_2_gej_has_quad_y_var. */ + rustsecp256k1_v0_1_2_gej_set_ge(&gej_quad, &ge_quad); + CHECK(rustsecp256k1_v0_1_2_gej_has_quad_y_var(&gej_quad)); do { random_fe_test(&fez); - } while (rustsecp256k1_v0_1_1_fe_is_zero(&fez)); - rustsecp256k1_v0_1_1_gej_rescale(&gej_quad, &fez); - CHECK(rustsecp256k1_v0_1_1_gej_has_quad_y_var(&gej_quad)); - rustsecp256k1_v0_1_1_gej_neg(&gej_quad, &gej_quad); - CHECK(!rustsecp256k1_v0_1_1_gej_has_quad_y_var(&gej_quad)); + } while (rustsecp256k1_v0_1_2_fe_is_zero(&fez)); + rustsecp256k1_v0_1_2_gej_rescale(&gej_quad, &fez); + CHECK(rustsecp256k1_v0_1_2_gej_has_quad_y_var(&gej_quad)); + rustsecp256k1_v0_1_2_gej_neg(&gej_quad, &gej_quad); + CHECK(!rustsecp256k1_v0_1_2_gej_has_quad_y_var(&gej_quad)); do { random_fe_test(&fez); - } while (rustsecp256k1_v0_1_1_fe_is_zero(&fez)); - rustsecp256k1_v0_1_1_gej_rescale(&gej_quad, &fez); - CHECK(!rustsecp256k1_v0_1_1_gej_has_quad_y_var(&gej_quad)); - rustsecp256k1_v0_1_1_gej_neg(&gej_quad, &gej_quad); - CHECK(rustsecp256k1_v0_1_1_gej_has_quad_y_var(&gej_quad)); + } while (rustsecp256k1_v0_1_2_fe_is_zero(&fez)); + rustsecp256k1_v0_1_2_gej_rescale(&gej_quad, &fez); + CHECK(!rustsecp256k1_v0_1_2_gej_has_quad_y_var(&gej_quad)); + rustsecp256k1_v0_1_2_gej_neg(&gej_quad, &gej_quad); + CHECK(rustsecp256k1_v0_1_2_gej_has_quad_y_var(&gej_quad)); } } void run_group_decompress(void) { int i; for (i = 0; i < count * 4; i++) { - rustsecp256k1_v0_1_1_fe fe; + rustsecp256k1_v0_1_2_fe fe; random_fe_test(&fe); test_group_decompress(&fe); } @@ -2432,218 +2495,218 @@ void run_group_decompress(void) { void run_ecmult_chain(void) { /* random starting point A (on the curve) */ - rustsecp256k1_v0_1_1_gej a = SECP256K1_GEJ_CONST( + rustsecp256k1_v0_1_2_gej a = SECP256K1_GEJ_CONST( 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3, 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004, 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f, 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f ); /* two random initial factors xn and gn */ - rustsecp256k1_v0_1_1_scalar xn = SECP256K1_SCALAR_CONST( + rustsecp256k1_v0_1_2_scalar xn = SECP256K1_SCALAR_CONST( 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c, 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407 ); - rustsecp256k1_v0_1_1_scalar gn = SECP256K1_SCALAR_CONST( + rustsecp256k1_v0_1_2_scalar gn = SECP256K1_SCALAR_CONST( 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9, 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de ); /* two small multipliers to be applied to xn and gn in every iteration: */ - static const rustsecp256k1_v0_1_1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337); - static const rustsecp256k1_v0_1_1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113); + static const rustsecp256k1_v0_1_2_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337); + static const rustsecp256k1_v0_1_2_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113); /* accumulators with the resulting coefficients to A and G */ - rustsecp256k1_v0_1_1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1); - rustsecp256k1_v0_1_1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); + rustsecp256k1_v0_1_2_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1); + rustsecp256k1_v0_1_2_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); /* actual points */ - rustsecp256k1_v0_1_1_gej x; - rustsecp256k1_v0_1_1_gej x2; + rustsecp256k1_v0_1_2_gej x; + rustsecp256k1_v0_1_2_gej x2; int i; /* the point being computed */ x = a; for (i = 0; i < 200*count; i++) { /* in each iteration, compute X = xn*X + gn*G; */ - rustsecp256k1_v0_1_1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn); + rustsecp256k1_v0_1_2_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn); /* also compute ae and ge: the actual accumulated factors for A and G */ /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */ - rustsecp256k1_v0_1_1_scalar_mul(&ae, &ae, &xn); - rustsecp256k1_v0_1_1_scalar_mul(&ge, &ge, &xn); - rustsecp256k1_v0_1_1_scalar_add(&ge, &ge, &gn); + rustsecp256k1_v0_1_2_scalar_mul(&ae, &ae, &xn); + rustsecp256k1_v0_1_2_scalar_mul(&ge, &ge, &xn); + rustsecp256k1_v0_1_2_scalar_add(&ge, &ge, &gn); /* modify xn and gn */ - rustsecp256k1_v0_1_1_scalar_mul(&xn, &xn, &xf); - rustsecp256k1_v0_1_1_scalar_mul(&gn, &gn, &gf); + rustsecp256k1_v0_1_2_scalar_mul(&xn, &xn, &xf); + rustsecp256k1_v0_1_2_scalar_mul(&gn, &gn, &gf); /* verify */ if (i == 19999) { /* expected result after 19999 iterations */ - rustsecp256k1_v0_1_1_gej rp = SECP256K1_GEJ_CONST( + rustsecp256k1_v0_1_2_gej rp = SECP256K1_GEJ_CONST( 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE, 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830, 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D, 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88 ); - rustsecp256k1_v0_1_1_gej_neg(&rp, &rp); - rustsecp256k1_v0_1_1_gej_add_var(&rp, &rp, &x, NULL); - CHECK(rustsecp256k1_v0_1_1_gej_is_infinity(&rp)); + rustsecp256k1_v0_1_2_gej_neg(&rp, &rp); + rustsecp256k1_v0_1_2_gej_add_var(&rp, &rp, &x, NULL); + CHECK(rustsecp256k1_v0_1_2_gej_is_infinity(&rp)); } } /* redo the computation, but directly with the resulting ae and ge coefficients: */ - rustsecp256k1_v0_1_1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge); - rustsecp256k1_v0_1_1_gej_neg(&x2, &x2); - rustsecp256k1_v0_1_1_gej_add_var(&x2, &x2, &x, NULL); - CHECK(rustsecp256k1_v0_1_1_gej_is_infinity(&x2)); + rustsecp256k1_v0_1_2_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge); + rustsecp256k1_v0_1_2_gej_neg(&x2, &x2); + rustsecp256k1_v0_1_2_gej_add_var(&x2, &x2, &x, NULL); + CHECK(rustsecp256k1_v0_1_2_gej_is_infinity(&x2)); } -void test_point_times_order(const rustsecp256k1_v0_1_1_gej *point) { +void test_point_times_order(const rustsecp256k1_v0_1_2_gej *point) { /* X * (point + G) + (order-X) * (pointer + G) = 0 */ - rustsecp256k1_v0_1_1_scalar x; - rustsecp256k1_v0_1_1_scalar nx; - rustsecp256k1_v0_1_1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); - rustsecp256k1_v0_1_1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1); - rustsecp256k1_v0_1_1_gej res1, res2; - rustsecp256k1_v0_1_1_ge res3; + rustsecp256k1_v0_1_2_scalar x; + rustsecp256k1_v0_1_2_scalar nx; + rustsecp256k1_v0_1_2_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); + rustsecp256k1_v0_1_2_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1); + rustsecp256k1_v0_1_2_gej res1, res2; + rustsecp256k1_v0_1_2_ge res3; unsigned char pub[65]; size_t psize = 65; random_scalar_order_test(&x); - rustsecp256k1_v0_1_1_scalar_negate(&nx, &x); - rustsecp256k1_v0_1_1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */ - rustsecp256k1_v0_1_1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */ - rustsecp256k1_v0_1_1_gej_add_var(&res1, &res1, &res2, NULL); - CHECK(rustsecp256k1_v0_1_1_gej_is_infinity(&res1)); - CHECK(rustsecp256k1_v0_1_1_gej_is_valid_var(&res1) == 0); - rustsecp256k1_v0_1_1_ge_set_gej(&res3, &res1); - CHECK(rustsecp256k1_v0_1_1_ge_is_infinity(&res3)); - CHECK(rustsecp256k1_v0_1_1_ge_is_valid_var(&res3) == 0); - CHECK(rustsecp256k1_v0_1_1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0); + rustsecp256k1_v0_1_2_scalar_negate(&nx, &x); + rustsecp256k1_v0_1_2_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */ + rustsecp256k1_v0_1_2_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */ + rustsecp256k1_v0_1_2_gej_add_var(&res1, &res1, &res2, NULL); + CHECK(rustsecp256k1_v0_1_2_gej_is_infinity(&res1)); + CHECK(rustsecp256k1_v0_1_2_gej_is_valid_var(&res1) == 0); + rustsecp256k1_v0_1_2_ge_set_gej(&res3, &res1); + CHECK(rustsecp256k1_v0_1_2_ge_is_infinity(&res3)); + CHECK(rustsecp256k1_v0_1_2_ge_is_valid_var(&res3) == 0); + CHECK(rustsecp256k1_v0_1_2_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0); psize = 65; - CHECK(rustsecp256k1_v0_1_1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0); + CHECK(rustsecp256k1_v0_1_2_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0); /* check zero/one edge cases */ - rustsecp256k1_v0_1_1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero); - rustsecp256k1_v0_1_1_ge_set_gej(&res3, &res1); - CHECK(rustsecp256k1_v0_1_1_ge_is_infinity(&res3)); - rustsecp256k1_v0_1_1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero); - rustsecp256k1_v0_1_1_ge_set_gej(&res3, &res1); + rustsecp256k1_v0_1_2_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero); + rustsecp256k1_v0_1_2_ge_set_gej(&res3, &res1); + CHECK(rustsecp256k1_v0_1_2_ge_is_infinity(&res3)); + rustsecp256k1_v0_1_2_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero); + rustsecp256k1_v0_1_2_ge_set_gej(&res3, &res1); ge_equals_gej(&res3, point); - rustsecp256k1_v0_1_1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one); - rustsecp256k1_v0_1_1_ge_set_gej(&res3, &res1); - ge_equals_ge(&res3, &rustsecp256k1_v0_1_1_ge_const_g); + rustsecp256k1_v0_1_2_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one); + rustsecp256k1_v0_1_2_ge_set_gej(&res3, &res1); + ge_equals_ge(&res3, &rustsecp256k1_v0_1_2_ge_const_g); } void run_point_times_order(void) { int i; - rustsecp256k1_v0_1_1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2); - static const rustsecp256k1_v0_1_1_fe xr = SECP256K1_FE_CONST( + rustsecp256k1_v0_1_2_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2); + static const rustsecp256k1_v0_1_2_fe xr = SECP256K1_FE_CONST( 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C, 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45 ); for (i = 0; i < 500; i++) { - rustsecp256k1_v0_1_1_ge p; - if (rustsecp256k1_v0_1_1_ge_set_xo_var(&p, &x, 1)) { - rustsecp256k1_v0_1_1_gej j; - CHECK(rustsecp256k1_v0_1_1_ge_is_valid_var(&p)); - rustsecp256k1_v0_1_1_gej_set_ge(&j, &p); - CHECK(rustsecp256k1_v0_1_1_gej_is_valid_var(&j)); + rustsecp256k1_v0_1_2_ge p; + if (rustsecp256k1_v0_1_2_ge_set_xo_var(&p, &x, 1)) { + rustsecp256k1_v0_1_2_gej j; + CHECK(rustsecp256k1_v0_1_2_ge_is_valid_var(&p)); + rustsecp256k1_v0_1_2_gej_set_ge(&j, &p); + CHECK(rustsecp256k1_v0_1_2_gej_is_valid_var(&j)); test_point_times_order(&j); } - rustsecp256k1_v0_1_1_fe_sqr(&x, &x); + rustsecp256k1_v0_1_2_fe_sqr(&x, &x); } - rustsecp256k1_v0_1_1_fe_normalize_var(&x); - CHECK(rustsecp256k1_v0_1_1_fe_equal_var(&x, &xr)); + rustsecp256k1_v0_1_2_fe_normalize_var(&x); + CHECK(rustsecp256k1_v0_1_2_fe_equal_var(&x, &xr)); } void ecmult_const_random_mult(void) { /* random starting point A (on the curve) */ - rustsecp256k1_v0_1_1_ge a = SECP256K1_GE_CONST( + rustsecp256k1_v0_1_2_ge a = SECP256K1_GE_CONST( 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b, 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a, 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c, 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d ); /* random initial factor xn */ - rustsecp256k1_v0_1_1_scalar xn = SECP256K1_SCALAR_CONST( + rustsecp256k1_v0_1_2_scalar xn = SECP256K1_SCALAR_CONST( 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327, 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b ); /* expected xn * A (from sage) */ - rustsecp256k1_v0_1_1_ge expected_b = SECP256K1_GE_CONST( + rustsecp256k1_v0_1_2_ge expected_b = SECP256K1_GE_CONST( 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd, 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786, 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f, 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956 ); - rustsecp256k1_v0_1_1_gej b; - rustsecp256k1_v0_1_1_ecmult_const(&b, &a, &xn, 256); + rustsecp256k1_v0_1_2_gej b; + rustsecp256k1_v0_1_2_ecmult_const(&b, &a, &xn, 256); - CHECK(rustsecp256k1_v0_1_1_ge_is_valid_var(&a)); + CHECK(rustsecp256k1_v0_1_2_ge_is_valid_var(&a)); ge_equals_gej(&expected_b, &b); } void ecmult_const_commutativity(void) { - rustsecp256k1_v0_1_1_scalar a; - rustsecp256k1_v0_1_1_scalar b; - rustsecp256k1_v0_1_1_gej res1; - rustsecp256k1_v0_1_1_gej res2; - rustsecp256k1_v0_1_1_ge mid1; - rustsecp256k1_v0_1_1_ge mid2; + rustsecp256k1_v0_1_2_scalar a; + rustsecp256k1_v0_1_2_scalar b; + rustsecp256k1_v0_1_2_gej res1; + rustsecp256k1_v0_1_2_gej res2; + rustsecp256k1_v0_1_2_ge mid1; + rustsecp256k1_v0_1_2_ge mid2; random_scalar_order_test(&a); random_scalar_order_test(&b); - rustsecp256k1_v0_1_1_ecmult_const(&res1, &rustsecp256k1_v0_1_1_ge_const_g, &a, 256); - rustsecp256k1_v0_1_1_ecmult_const(&res2, &rustsecp256k1_v0_1_1_ge_const_g, &b, 256); - rustsecp256k1_v0_1_1_ge_set_gej(&mid1, &res1); - rustsecp256k1_v0_1_1_ge_set_gej(&mid2, &res2); - rustsecp256k1_v0_1_1_ecmult_const(&res1, &mid1, &b, 256); - rustsecp256k1_v0_1_1_ecmult_const(&res2, &mid2, &a, 256); - rustsecp256k1_v0_1_1_ge_set_gej(&mid1, &res1); - rustsecp256k1_v0_1_1_ge_set_gej(&mid2, &res2); + rustsecp256k1_v0_1_2_ecmult_const(&res1, &rustsecp256k1_v0_1_2_ge_const_g, &a, 256); + rustsecp256k1_v0_1_2_ecmult_const(&res2, &rustsecp256k1_v0_1_2_ge_const_g, &b, 256); + rustsecp256k1_v0_1_2_ge_set_gej(&mid1, &res1); + rustsecp256k1_v0_1_2_ge_set_gej(&mid2, &res2); + rustsecp256k1_v0_1_2_ecmult_const(&res1, &mid1, &b, 256); + rustsecp256k1_v0_1_2_ecmult_const(&res2, &mid2, &a, 256); + rustsecp256k1_v0_1_2_ge_set_gej(&mid1, &res1); + rustsecp256k1_v0_1_2_ge_set_gej(&mid2, &res2); ge_equals_ge(&mid1, &mid2); } void ecmult_const_mult_zero_one(void) { - rustsecp256k1_v0_1_1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); - rustsecp256k1_v0_1_1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1); - rustsecp256k1_v0_1_1_scalar negone; - rustsecp256k1_v0_1_1_gej res1; - rustsecp256k1_v0_1_1_ge res2; - rustsecp256k1_v0_1_1_ge point; - rustsecp256k1_v0_1_1_scalar_negate(&negone, &one); + rustsecp256k1_v0_1_2_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0); + rustsecp256k1_v0_1_2_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1); + rustsecp256k1_v0_1_2_scalar negone; + rustsecp256k1_v0_1_2_gej res1; + rustsecp256k1_v0_1_2_ge res2; + rustsecp256k1_v0_1_2_ge point; + rustsecp256k1_v0_1_2_scalar_negate(&negone, &one); random_group_element_test(&point); - rustsecp256k1_v0_1_1_ecmult_const(&res1, &point, &zero, 3); - rustsecp256k1_v0_1_1_ge_set_gej(&res2, &res1); - CHECK(rustsecp256k1_v0_1_1_ge_is_infinity(&res2)); - rustsecp256k1_v0_1_1_ecmult_const(&res1, &point, &one, 2); - rustsecp256k1_v0_1_1_ge_set_gej(&res2, &res1); + rustsecp256k1_v0_1_2_ecmult_const(&res1, &point, &zero, 3); + rustsecp256k1_v0_1_2_ge_set_gej(&res2, &res1); + CHECK(rustsecp256k1_v0_1_2_ge_is_infinity(&res2)); + rustsecp256k1_v0_1_2_ecmult_const(&res1, &point, &one, 2); + rustsecp256k1_v0_1_2_ge_set_gej(&res2, &res1); ge_equals_ge(&res2, &point); - rustsecp256k1_v0_1_1_ecmult_const(&res1, &point, &negone, 256); - rustsecp256k1_v0_1_1_gej_neg(&res1, &res1); - rustsecp256k1_v0_1_1_ge_set_gej(&res2, &res1); + rustsecp256k1_v0_1_2_ecmult_const(&res1, &point, &negone, 256); + rustsecp256k1_v0_1_2_gej_neg(&res1, &res1); + rustsecp256k1_v0_1_2_ge_set_gej(&res2, &res1); ge_equals_ge(&res2, &point); } void ecmult_const_chain_multiply(void) { /* Check known result (randomly generated test problem from sage) */ - const rustsecp256k1_v0_1_1_scalar scalar = SECP256K1_SCALAR_CONST( + const rustsecp256k1_v0_1_2_scalar scalar = SECP256K1_SCALAR_CONST( 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d, 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b ); - const rustsecp256k1_v0_1_1_gej expected_point = SECP256K1_GEJ_CONST( + const rustsecp256k1_v0_1_2_gej expected_point = SECP256K1_GEJ_CONST( 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd, 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f, 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196, 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435 ); - rustsecp256k1_v0_1_1_gej point; - rustsecp256k1_v0_1_1_ge res; + rustsecp256k1_v0_1_2_gej point; + rustsecp256k1_v0_1_2_ge res; int i; - rustsecp256k1_v0_1_1_gej_set_ge(&point, &rustsecp256k1_v0_1_1_ge_const_g); + rustsecp256k1_v0_1_2_gej_set_ge(&point, &rustsecp256k1_v0_1_2_ge_const_g); for (i = 0; i < 100; ++i) { - rustsecp256k1_v0_1_1_ge tmp; - rustsecp256k1_v0_1_1_ge_set_gej(&tmp, &point); - rustsecp256k1_v0_1_1_ecmult_const(&point, &tmp, &scalar, 256); + rustsecp256k1_v0_1_2_ge tmp; + rustsecp256k1_v0_1_2_ge_set_gej(&tmp, &point); + rustsecp256k1_v0_1_2_ecmult_const(&point, &tmp, &scalar, 256); } - rustsecp256k1_v0_1_1_ge_set_gej(&res, &point); + rustsecp256k1_v0_1_2_ge_set_gej(&res, &point); ge_equals_gej(&res, &expected_point); } @@ -2655,18 +2718,18 @@ void run_ecmult_const_tests(void) { } typedef struct { - rustsecp256k1_v0_1_1_scalar *sc; - rustsecp256k1_v0_1_1_ge *pt; + rustsecp256k1_v0_1_2_scalar *sc; + rustsecp256k1_v0_1_2_ge *pt; } ecmult_multi_data; -static int ecmult_multi_callback(rustsecp256k1_v0_1_1_scalar *sc, rustsecp256k1_v0_1_1_ge *pt, size_t idx, void *cbdata) { +static int ecmult_multi_callback(rustsecp256k1_v0_1_2_scalar *sc, rustsecp256k1_v0_1_2_ge *pt, size_t idx, void *cbdata) { ecmult_multi_data *data = (ecmult_multi_data*) cbdata; *sc = data->sc[idx]; *pt = data->pt[idx]; return 1; } -static int ecmult_multi_false_callback(rustsecp256k1_v0_1_1_scalar *sc, rustsecp256k1_v0_1_1_ge *pt, size_t idx, void *cbdata) { +static int ecmult_multi_false_callback(rustsecp256k1_v0_1_2_scalar *sc, rustsecp256k1_v0_1_2_ge *pt, size_t idx, void *cbdata) { (void)sc; (void)pt; (void)idx; @@ -2674,102 +2737,102 @@ static int ecmult_multi_false_callback(rustsecp256k1_v0_1_1_scalar *sc, rustsecp return 0; } -void test_ecmult_multi(rustsecp256k1_v0_1_1_scratch *scratch, rustsecp256k1_v0_1_1_ecmult_multi_func ecmult_multi) { +void test_ecmult_multi(rustsecp256k1_v0_1_2_scratch *scratch, rustsecp256k1_v0_1_2_ecmult_multi_func ecmult_multi) { int ncount; - rustsecp256k1_v0_1_1_scalar szero; - rustsecp256k1_v0_1_1_scalar sc[32]; - rustsecp256k1_v0_1_1_ge pt[32]; - rustsecp256k1_v0_1_1_gej r; - rustsecp256k1_v0_1_1_gej r2; + rustsecp256k1_v0_1_2_scalar szero; + rustsecp256k1_v0_1_2_scalar sc[32]; + rustsecp256k1_v0_1_2_ge pt[32]; + rustsecp256k1_v0_1_2_gej r; + rustsecp256k1_v0_1_2_gej r2; ecmult_multi_data data; data.sc = sc; data.pt = pt; - rustsecp256k1_v0_1_1_scalar_set_int(&szero, 0); + rustsecp256k1_v0_1_2_scalar_set_int(&szero, 0); /* No points to multiply */ CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0)); /* Check 1- and 2-point multiplies against ecmult */ for (ncount = 0; ncount < count; ncount++) { - rustsecp256k1_v0_1_1_ge ptg; - rustsecp256k1_v0_1_1_gej ptgj; + rustsecp256k1_v0_1_2_ge ptg; + rustsecp256k1_v0_1_2_gej ptgj; random_scalar_order(&sc[0]); random_scalar_order(&sc[1]); random_group_element_test(&ptg); - rustsecp256k1_v0_1_1_gej_set_ge(&ptgj, &ptg); + rustsecp256k1_v0_1_2_gej_set_ge(&ptgj, &ptg); pt[0] = ptg; - pt[1] = rustsecp256k1_v0_1_1_ge_const_g; + pt[1] = rustsecp256k1_v0_1_2_ge_const_g; /* only G scalar */ - rustsecp256k1_v0_1_1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]); + rustsecp256k1_v0_1_2_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]); CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0)); - rustsecp256k1_v0_1_1_gej_neg(&r2, &r2); - rustsecp256k1_v0_1_1_gej_add_var(&r, &r, &r2, NULL); - CHECK(rustsecp256k1_v0_1_1_gej_is_infinity(&r)); + rustsecp256k1_v0_1_2_gej_neg(&r2, &r2); + rustsecp256k1_v0_1_2_gej_add_var(&r, &r, &r2, NULL); + CHECK(rustsecp256k1_v0_1_2_gej_is_infinity(&r)); /* 1-point */ - rustsecp256k1_v0_1_1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero); + rustsecp256k1_v0_1_2_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero); CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1)); - rustsecp256k1_v0_1_1_gej_neg(&r2, &r2); - rustsecp256k1_v0_1_1_gej_add_var(&r, &r, &r2, NULL); - CHECK(rustsecp256k1_v0_1_1_gej_is_infinity(&r)); + rustsecp256k1_v0_1_2_gej_neg(&r2, &r2); + rustsecp256k1_v0_1_2_gej_add_var(&r, &r, &r2, NULL); + CHECK(rustsecp256k1_v0_1_2_gej_is_infinity(&r)); /* Try to multiply 1 point, but callback returns false */ CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1)); /* 2-point */ - rustsecp256k1_v0_1_1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]); + rustsecp256k1_v0_1_2_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]); CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2)); - rustsecp256k1_v0_1_1_gej_neg(&r2, &r2); - rustsecp256k1_v0_1_1_gej_add_var(&r, &r, &r2, NULL); - CHECK(rustsecp256k1_v0_1_1_gej_is_infinity(&r)); + rustsecp256k1_v0_1_2_gej_neg(&r2, &r2); + rustsecp256k1_v0_1_2_gej_add_var(&r, &r, &r2, NULL); + CHECK(rustsecp256k1_v0_1_2_gej_is_infinity(&r)); /* 2-point with G scalar */ - rustsecp256k1_v0_1_1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]); + rustsecp256k1_v0_1_2_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]); CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1)); - rustsecp256k1_v0_1_1_gej_neg(&r2, &r2); - rustsecp256k1_v0_1_1_gej_add_var(&r, &r, &r2, NULL); - CHECK(rustsecp256k1_v0_1_1_gej_is_infinity(&r)); + rustsecp256k1_v0_1_2_gej_neg(&r2, &r2); + rustsecp256k1_v0_1_2_gej_add_var(&r, &r, &r2, NULL); + CHECK(rustsecp256k1_v0_1_2_gej_is_infinity(&r)); } /* Check infinite outputs of various forms */ for (ncount = 0; ncount < count; ncount++) { - rustsecp256k1_v0_1_1_ge ptg; + rustsecp256k1_v0_1_2_ge ptg; size_t i, j; size_t sizes[] = { 2, 10, 32 }; for (j = 0; j < 3; j++) { for (i = 0; i < 32; i++) { random_scalar_order(&sc[i]); - rustsecp256k1_v0_1_1_ge_set_infinity(&pt[i]); + rustsecp256k1_v0_1_2_ge_set_infinity(&pt[i]); } CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j])); - CHECK(rustsecp256k1_v0_1_1_gej_is_infinity(&r)); + CHECK(rustsecp256k1_v0_1_2_gej_is_infinity(&r)); } for (j = 0; j < 3; j++) { for (i = 0; i < 32; i++) { random_group_element_test(&ptg); pt[i] = ptg; - rustsecp256k1_v0_1_1_scalar_set_int(&sc[i], 0); + rustsecp256k1_v0_1_2_scalar_set_int(&sc[i], 0); } CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j])); - CHECK(rustsecp256k1_v0_1_1_gej_is_infinity(&r)); + CHECK(rustsecp256k1_v0_1_2_gej_is_infinity(&r)); } for (j = 0; j < 3; j++) { random_group_element_test(&ptg); for (i = 0; i < 16; i++) { random_scalar_order(&sc[2*i]); - rustsecp256k1_v0_1_1_scalar_negate(&sc[2*i + 1], &sc[2*i]); + rustsecp256k1_v0_1_2_scalar_negate(&sc[2*i + 1], &sc[2*i]); pt[2 * i] = ptg; pt[2 * i + 1] = ptg; } CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j])); - CHECK(rustsecp256k1_v0_1_1_gej_is_infinity(&r)); + CHECK(rustsecp256k1_v0_1_2_gej_is_infinity(&r)); random_scalar_order(&sc[0]); for (i = 0; i < 16; i++) { @@ -2778,70 +2841,70 @@ void test_ecmult_multi(rustsecp256k1_v0_1_1_scratch *scratch, rustsecp256k1_v0_1 sc[2*i] = sc[0]; sc[2*i+1] = sc[0]; pt[2 * i] = ptg; - rustsecp256k1_v0_1_1_ge_neg(&pt[2*i+1], &pt[2*i]); + rustsecp256k1_v0_1_2_ge_neg(&pt[2*i+1], &pt[2*i]); } CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j])); - CHECK(rustsecp256k1_v0_1_1_gej_is_infinity(&r)); + CHECK(rustsecp256k1_v0_1_2_gej_is_infinity(&r)); } random_group_element_test(&ptg); - rustsecp256k1_v0_1_1_scalar_set_int(&sc[0], 0); + rustsecp256k1_v0_1_2_scalar_set_int(&sc[0], 0); pt[0] = ptg; for (i = 1; i < 32; i++) { pt[i] = ptg; random_scalar_order(&sc[i]); - rustsecp256k1_v0_1_1_scalar_add(&sc[0], &sc[0], &sc[i]); - rustsecp256k1_v0_1_1_scalar_negate(&sc[i], &sc[i]); + rustsecp256k1_v0_1_2_scalar_add(&sc[0], &sc[0], &sc[i]); + rustsecp256k1_v0_1_2_scalar_negate(&sc[i], &sc[i]); } CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32)); - CHECK(rustsecp256k1_v0_1_1_gej_is_infinity(&r)); + CHECK(rustsecp256k1_v0_1_2_gej_is_infinity(&r)); } /* Check random points, constant scalar */ for (ncount = 0; ncount < count; ncount++) { size_t i; - rustsecp256k1_v0_1_1_gej_set_infinity(&r); + rustsecp256k1_v0_1_2_gej_set_infinity(&r); random_scalar_order(&sc[0]); for (i = 0; i < 20; i++) { - rustsecp256k1_v0_1_1_ge ptg; + rustsecp256k1_v0_1_2_ge ptg; sc[i] = sc[0]; random_group_element_test(&ptg); pt[i] = ptg; - rustsecp256k1_v0_1_1_gej_add_ge_var(&r, &r, &pt[i], NULL); + rustsecp256k1_v0_1_2_gej_add_ge_var(&r, &r, &pt[i], NULL); } - rustsecp256k1_v0_1_1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero); + rustsecp256k1_v0_1_2_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero); CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20)); - rustsecp256k1_v0_1_1_gej_neg(&r2, &r2); - rustsecp256k1_v0_1_1_gej_add_var(&r, &r, &r2, NULL); - CHECK(rustsecp256k1_v0_1_1_gej_is_infinity(&r)); + rustsecp256k1_v0_1_2_gej_neg(&r2, &r2); + rustsecp256k1_v0_1_2_gej_add_var(&r, &r, &r2, NULL); + CHECK(rustsecp256k1_v0_1_2_gej_is_infinity(&r)); } /* Check random scalars, constant point */ for (ncount = 0; ncount < count; ncount++) { size_t i; - rustsecp256k1_v0_1_1_ge ptg; - rustsecp256k1_v0_1_1_gej p0j; - rustsecp256k1_v0_1_1_scalar rs; - rustsecp256k1_v0_1_1_scalar_set_int(&rs, 0); + rustsecp256k1_v0_1_2_ge ptg; + rustsecp256k1_v0_1_2_gej p0j; + rustsecp256k1_v0_1_2_scalar rs; + rustsecp256k1_v0_1_2_scalar_set_int(&rs, 0); random_group_element_test(&ptg); for (i = 0; i < 20; i++) { random_scalar_order(&sc[i]); pt[i] = ptg; - rustsecp256k1_v0_1_1_scalar_add(&rs, &rs, &sc[i]); + rustsecp256k1_v0_1_2_scalar_add(&rs, &rs, &sc[i]); } - rustsecp256k1_v0_1_1_gej_set_ge(&p0j, &pt[0]); - rustsecp256k1_v0_1_1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero); + rustsecp256k1_v0_1_2_gej_set_ge(&p0j, &pt[0]); + rustsecp256k1_v0_1_2_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero); CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20)); - rustsecp256k1_v0_1_1_gej_neg(&r2, &r2); - rustsecp256k1_v0_1_1_gej_add_var(&r, &r, &r2, NULL); - CHECK(rustsecp256k1_v0_1_1_gej_is_infinity(&r)); + rustsecp256k1_v0_1_2_gej_neg(&r2, &r2); + rustsecp256k1_v0_1_2_gej_add_var(&r, &r, &r2, NULL); + CHECK(rustsecp256k1_v0_1_2_gej_is_infinity(&r)); } /* Sanity check that zero scalars don't cause problems */ @@ -2850,62 +2913,62 @@ void test_ecmult_multi(rustsecp256k1_v0_1_1_scratch *scratch, rustsecp256k1_v0_1 random_group_element_test(&pt[ncount]); } - rustsecp256k1_v0_1_1_scalar_clear(&sc[0]); + rustsecp256k1_v0_1_2_scalar_clear(&sc[0]); CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20)); - rustsecp256k1_v0_1_1_scalar_clear(&sc[1]); - rustsecp256k1_v0_1_1_scalar_clear(&sc[2]); - rustsecp256k1_v0_1_1_scalar_clear(&sc[3]); - rustsecp256k1_v0_1_1_scalar_clear(&sc[4]); + rustsecp256k1_v0_1_2_scalar_clear(&sc[1]); + rustsecp256k1_v0_1_2_scalar_clear(&sc[2]); + rustsecp256k1_v0_1_2_scalar_clear(&sc[3]); + rustsecp256k1_v0_1_2_scalar_clear(&sc[4]); CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6)); CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5)); - CHECK(rustsecp256k1_v0_1_1_gej_is_infinity(&r)); + CHECK(rustsecp256k1_v0_1_2_gej_is_infinity(&r)); /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */ { const size_t TOP = 8; size_t s0i, s1i; size_t t0i, t1i; - rustsecp256k1_v0_1_1_ge ptg; - rustsecp256k1_v0_1_1_gej ptgj; + rustsecp256k1_v0_1_2_ge ptg; + rustsecp256k1_v0_1_2_gej ptgj; random_group_element_test(&ptg); - rustsecp256k1_v0_1_1_gej_set_ge(&ptgj, &ptg); + rustsecp256k1_v0_1_2_gej_set_ge(&ptgj, &ptg); for(t0i = 0; t0i < TOP; t0i++) { for(t1i = 0; t1i < TOP; t1i++) { - rustsecp256k1_v0_1_1_gej t0p, t1p; - rustsecp256k1_v0_1_1_scalar t0, t1; + rustsecp256k1_v0_1_2_gej t0p, t1p; + rustsecp256k1_v0_1_2_scalar t0, t1; - rustsecp256k1_v0_1_1_scalar_set_int(&t0, (t0i + 1) / 2); - rustsecp256k1_v0_1_1_scalar_cond_negate(&t0, t0i & 1); - rustsecp256k1_v0_1_1_scalar_set_int(&t1, (t1i + 1) / 2); - rustsecp256k1_v0_1_1_scalar_cond_negate(&t1, t1i & 1); + rustsecp256k1_v0_1_2_scalar_set_int(&t0, (t0i + 1) / 2); + rustsecp256k1_v0_1_2_scalar_cond_negate(&t0, t0i & 1); + rustsecp256k1_v0_1_2_scalar_set_int(&t1, (t1i + 1) / 2); + rustsecp256k1_v0_1_2_scalar_cond_negate(&t1, t1i & 1); - rustsecp256k1_v0_1_1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero); - rustsecp256k1_v0_1_1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero); + rustsecp256k1_v0_1_2_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero); + rustsecp256k1_v0_1_2_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero); for(s0i = 0; s0i < TOP; s0i++) { for(s1i = 0; s1i < TOP; s1i++) { - rustsecp256k1_v0_1_1_scalar tmp1, tmp2; - rustsecp256k1_v0_1_1_gej expected, actual; + rustsecp256k1_v0_1_2_scalar tmp1, tmp2; + rustsecp256k1_v0_1_2_gej expected, actual; - rustsecp256k1_v0_1_1_ge_set_gej(&pt[0], &t0p); - rustsecp256k1_v0_1_1_ge_set_gej(&pt[1], &t1p); + rustsecp256k1_v0_1_2_ge_set_gej(&pt[0], &t0p); + rustsecp256k1_v0_1_2_ge_set_gej(&pt[1], &t1p); - rustsecp256k1_v0_1_1_scalar_set_int(&sc[0], (s0i + 1) / 2); - rustsecp256k1_v0_1_1_scalar_cond_negate(&sc[0], s0i & 1); - rustsecp256k1_v0_1_1_scalar_set_int(&sc[1], (s1i + 1) / 2); - rustsecp256k1_v0_1_1_scalar_cond_negate(&sc[1], s1i & 1); + rustsecp256k1_v0_1_2_scalar_set_int(&sc[0], (s0i + 1) / 2); + rustsecp256k1_v0_1_2_scalar_cond_negate(&sc[0], s0i & 1); + rustsecp256k1_v0_1_2_scalar_set_int(&sc[1], (s1i + 1) / 2); + rustsecp256k1_v0_1_2_scalar_cond_negate(&sc[1], s1i & 1); - rustsecp256k1_v0_1_1_scalar_mul(&tmp1, &t0, &sc[0]); - rustsecp256k1_v0_1_1_scalar_mul(&tmp2, &t1, &sc[1]); - rustsecp256k1_v0_1_1_scalar_add(&tmp1, &tmp1, &tmp2); + rustsecp256k1_v0_1_2_scalar_mul(&tmp1, &t0, &sc[0]); + rustsecp256k1_v0_1_2_scalar_mul(&tmp2, &t1, &sc[1]); + rustsecp256k1_v0_1_2_scalar_add(&tmp1, &tmp1, &tmp2); - rustsecp256k1_v0_1_1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero); + rustsecp256k1_v0_1_2_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero); CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2)); - rustsecp256k1_v0_1_1_gej_neg(&expected, &expected); - rustsecp256k1_v0_1_1_gej_add_var(&actual, &actual, &expected, NULL); - CHECK(rustsecp256k1_v0_1_1_gej_is_infinity(&actual)); + rustsecp256k1_v0_1_2_gej_neg(&expected, &expected); + rustsecp256k1_v0_1_2_gej_add_var(&actual, &actual, &expected, NULL); + CHECK(rustsecp256k1_v0_1_2_gej_is_infinity(&actual)); } } } @@ -2913,28 +2976,28 @@ void test_ecmult_multi(rustsecp256k1_v0_1_1_scratch *scratch, rustsecp256k1_v0_1 } } -void test_ecmult_multi_batch_single(rustsecp256k1_v0_1_1_ecmult_multi_func ecmult_multi) { - rustsecp256k1_v0_1_1_scalar szero; - rustsecp256k1_v0_1_1_scalar sc[32]; - rustsecp256k1_v0_1_1_ge pt[32]; - rustsecp256k1_v0_1_1_gej r; +void test_ecmult_multi_batch_single(rustsecp256k1_v0_1_2_ecmult_multi_func ecmult_multi) { + rustsecp256k1_v0_1_2_scalar szero; + rustsecp256k1_v0_1_2_scalar sc[32]; + rustsecp256k1_v0_1_2_ge pt[32]; + rustsecp256k1_v0_1_2_gej r; ecmult_multi_data data; - rustsecp256k1_v0_1_1_scratch *scratch_empty; + rustsecp256k1_v0_1_2_scratch *scratch_empty; data.sc = sc; data.pt = pt; - rustsecp256k1_v0_1_1_scalar_set_int(&szero, 0); + rustsecp256k1_v0_1_2_scalar_set_int(&szero, 0); /* Try to multiply 1 point, but scratch space is empty.*/ - scratch_empty = rustsecp256k1_v0_1_1_scratch_create(&ctx->error_callback, 0); + scratch_empty = rustsecp256k1_v0_1_2_scratch_create(&ctx->error_callback, 0); CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1)); - rustsecp256k1_v0_1_1_scratch_destroy(&ctx->error_callback, scratch_empty); + rustsecp256k1_v0_1_2_scratch_destroy(&ctx->error_callback, scratch_empty); } -void test_rustsecp256k1_v0_1_1_pippenger_bucket_window_inv(void) { +void test_rustsecp256k1_v0_1_2_pippenger_bucket_window_inv(void) { int i; - CHECK(rustsecp256k1_v0_1_1_pippenger_bucket_window_inv(0) == 0); + CHECK(rustsecp256k1_v0_1_2_pippenger_bucket_window_inv(0) == 0); for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) { #ifdef USE_ENDOMORPHISM /* Bucket_window of 8 is not used with endo */ @@ -2942,9 +3005,9 @@ void test_rustsecp256k1_v0_1_1_pippenger_bucket_window_inv(void) { continue; } #endif - CHECK(rustsecp256k1_v0_1_1_pippenger_bucket_window(rustsecp256k1_v0_1_1_pippenger_bucket_window_inv(i)) == i); + CHECK(rustsecp256k1_v0_1_2_pippenger_bucket_window(rustsecp256k1_v0_1_2_pippenger_bucket_window_inv(i)) == i); if (i != PIPPENGER_MAX_BUCKET_WINDOW) { - CHECK(rustsecp256k1_v0_1_1_pippenger_bucket_window(rustsecp256k1_v0_1_1_pippenger_bucket_window_inv(i)+1) > i); + CHECK(rustsecp256k1_v0_1_2_pippenger_bucket_window(rustsecp256k1_v0_1_2_pippenger_bucket_window_inv(i)+1) > i); } } } @@ -2954,9 +3017,9 @@ void test_rustsecp256k1_v0_1_1_pippenger_bucket_window_inv(void) { * for a given scratch space. */ void test_ecmult_multi_pippenger_max_points(void) { - size_t scratch_size = rustsecp256k1_v0_1_1_rand_int(256); - size_t max_size = rustsecp256k1_v0_1_1_pippenger_scratch_size(rustsecp256k1_v0_1_1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12); - rustsecp256k1_v0_1_1_scratch *scratch; + size_t scratch_size = rustsecp256k1_v0_1_2_rand_int(256); + size_t max_size = rustsecp256k1_v0_1_2_pippenger_scratch_size(rustsecp256k1_v0_1_2_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12); + rustsecp256k1_v0_1_2_scratch *scratch; size_t n_points_supported; int bucket_window = 0; @@ -2964,24 +3027,24 @@ void test_ecmult_multi_pippenger_max_points(void) { size_t i; size_t total_alloc; size_t checkpoint; - scratch = rustsecp256k1_v0_1_1_scratch_create(&ctx->error_callback, scratch_size); + scratch = rustsecp256k1_v0_1_2_scratch_create(&ctx->error_callback, scratch_size); CHECK(scratch != NULL); - checkpoint = rustsecp256k1_v0_1_1_scratch_checkpoint(&ctx->error_callback, scratch); - n_points_supported = rustsecp256k1_v0_1_1_pippenger_max_points(&ctx->error_callback, scratch); + checkpoint = rustsecp256k1_v0_1_2_scratch_checkpoint(&ctx->error_callback, scratch); + n_points_supported = rustsecp256k1_v0_1_2_pippenger_max_points(&ctx->error_callback, scratch); if (n_points_supported == 0) { - rustsecp256k1_v0_1_1_scratch_destroy(&ctx->error_callback, scratch); + rustsecp256k1_v0_1_2_scratch_destroy(&ctx->error_callback, scratch); continue; } - bucket_window = rustsecp256k1_v0_1_1_pippenger_bucket_window(n_points_supported); + bucket_window = rustsecp256k1_v0_1_2_pippenger_bucket_window(n_points_supported); /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */ - total_alloc = rustsecp256k1_v0_1_1_pippenger_scratch_size(n_points_supported, bucket_window); + total_alloc = rustsecp256k1_v0_1_2_pippenger_scratch_size(n_points_supported, bucket_window); for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) { - CHECK(rustsecp256k1_v0_1_1_scratch_alloc(&ctx->error_callback, scratch, 1)); + CHECK(rustsecp256k1_v0_1_2_scratch_alloc(&ctx->error_callback, scratch, 1)); total_alloc--; } - CHECK(rustsecp256k1_v0_1_1_scratch_alloc(&ctx->error_callback, scratch, total_alloc)); - rustsecp256k1_v0_1_1_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint); - rustsecp256k1_v0_1_1_scratch_destroy(&ctx->error_callback, scratch); + CHECK(rustsecp256k1_v0_1_2_scratch_alloc(&ctx->error_callback, scratch, total_alloc)); + rustsecp256k1_v0_1_2_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint); + rustsecp256k1_v0_1_2_scratch_destroy(&ctx->error_callback, scratch); } CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW); } @@ -2991,152 +3054,152 @@ void test_ecmult_multi_batch_size_helper(void) { max_n_batch_points = 0; n = 1; - CHECK(rustsecp256k1_v0_1_1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0); + CHECK(rustsecp256k1_v0_1_2_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0); max_n_batch_points = 1; n = 0; - CHECK(rustsecp256k1_v0_1_1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); + CHECK(rustsecp256k1_v0_1_2_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); CHECK(n_batches == 0); CHECK(n_batch_points == 0); max_n_batch_points = 2; n = 5; - CHECK(rustsecp256k1_v0_1_1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); + CHECK(rustsecp256k1_v0_1_2_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); CHECK(n_batches == 3); CHECK(n_batch_points == 2); max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH; n = ECMULT_MAX_POINTS_PER_BATCH; - CHECK(rustsecp256k1_v0_1_1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); + CHECK(rustsecp256k1_v0_1_2_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); CHECK(n_batches == 1); CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH); max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1; n = ECMULT_MAX_POINTS_PER_BATCH + 1; - CHECK(rustsecp256k1_v0_1_1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); + CHECK(rustsecp256k1_v0_1_2_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); CHECK(n_batches == 2); CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1); max_n_batch_points = 1; n = SIZE_MAX; - CHECK(rustsecp256k1_v0_1_1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); + CHECK(rustsecp256k1_v0_1_2_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); CHECK(n_batches == SIZE_MAX); CHECK(n_batch_points == 1); max_n_batch_points = 2; n = SIZE_MAX; - CHECK(rustsecp256k1_v0_1_1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); + CHECK(rustsecp256k1_v0_1_2_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1); CHECK(n_batches == SIZE_MAX/2 + 1); CHECK(n_batch_points == 2); } /** - * Run rustsecp256k1_v0_1_1_ecmult_multi_var with num points and a scratch space restricted to + * Run rustsecp256k1_v0_1_2_ecmult_multi_var with num points and a scratch space restricted to * 1 <= i <= num points. */ void test_ecmult_multi_batching(void) { static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD; - rustsecp256k1_v0_1_1_scalar scG; - rustsecp256k1_v0_1_1_scalar szero; - rustsecp256k1_v0_1_1_scalar *sc = (rustsecp256k1_v0_1_1_scalar *)checked_malloc(&ctx->error_callback, sizeof(rustsecp256k1_v0_1_1_scalar) * n_points); - rustsecp256k1_v0_1_1_ge *pt = (rustsecp256k1_v0_1_1_ge *)checked_malloc(&ctx->error_callback, sizeof(rustsecp256k1_v0_1_1_ge) * n_points); - rustsecp256k1_v0_1_1_gej r; - rustsecp256k1_v0_1_1_gej r2; + rustsecp256k1_v0_1_2_scalar scG; + rustsecp256k1_v0_1_2_scalar szero; + rustsecp256k1_v0_1_2_scalar *sc = (rustsecp256k1_v0_1_2_scalar *)checked_malloc(&ctx->error_callback, sizeof(rustsecp256k1_v0_1_2_scalar) * n_points); + rustsecp256k1_v0_1_2_ge *pt = (rustsecp256k1_v0_1_2_ge *)checked_malloc(&ctx->error_callback, sizeof(rustsecp256k1_v0_1_2_ge) * n_points); + rustsecp256k1_v0_1_2_gej r; + rustsecp256k1_v0_1_2_gej r2; ecmult_multi_data data; int i; - rustsecp256k1_v0_1_1_scratch *scratch; + rustsecp256k1_v0_1_2_scratch *scratch; - rustsecp256k1_v0_1_1_gej_set_infinity(&r2); - rustsecp256k1_v0_1_1_scalar_set_int(&szero, 0); + rustsecp256k1_v0_1_2_gej_set_infinity(&r2); + rustsecp256k1_v0_1_2_scalar_set_int(&szero, 0); /* Get random scalars and group elements and compute result */ random_scalar_order(&scG); - rustsecp256k1_v0_1_1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG); + rustsecp256k1_v0_1_2_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG); for(i = 0; i < n_points; i++) { - rustsecp256k1_v0_1_1_ge ptg; - rustsecp256k1_v0_1_1_gej ptgj; + rustsecp256k1_v0_1_2_ge ptg; + rustsecp256k1_v0_1_2_gej ptgj; random_group_element_test(&ptg); - rustsecp256k1_v0_1_1_gej_set_ge(&ptgj, &ptg); + rustsecp256k1_v0_1_2_gej_set_ge(&ptgj, &ptg); pt[i] = ptg; random_scalar_order(&sc[i]); - rustsecp256k1_v0_1_1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL); - rustsecp256k1_v0_1_1_gej_add_var(&r2, &r2, &ptgj, NULL); + rustsecp256k1_v0_1_2_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL); + rustsecp256k1_v0_1_2_gej_add_var(&r2, &r2, &ptgj, NULL); } data.sc = sc; data.pt = pt; - rustsecp256k1_v0_1_1_gej_neg(&r2, &r2); + rustsecp256k1_v0_1_2_gej_neg(&r2, &r2); /* Test with empty scratch space. It should compute the correct result using * ecmult_mult_simple algorithm which doesn't require a scratch space. */ - scratch = rustsecp256k1_v0_1_1_scratch_create(&ctx->error_callback, 0); - CHECK(rustsecp256k1_v0_1_1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points)); - rustsecp256k1_v0_1_1_gej_add_var(&r, &r, &r2, NULL); - CHECK(rustsecp256k1_v0_1_1_gej_is_infinity(&r)); - rustsecp256k1_v0_1_1_scratch_destroy(&ctx->error_callback, scratch); + scratch = rustsecp256k1_v0_1_2_scratch_create(&ctx->error_callback, 0); + CHECK(rustsecp256k1_v0_1_2_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points)); + rustsecp256k1_v0_1_2_gej_add_var(&r, &r, &r2, NULL); + CHECK(rustsecp256k1_v0_1_2_gej_is_infinity(&r)); + rustsecp256k1_v0_1_2_scratch_destroy(&ctx->error_callback, scratch); /* Test with space for 1 point in pippenger. That's not enough because * ecmult_multi selects strauss which requires more memory. It should * therefore select the simple algorithm. */ - scratch = rustsecp256k1_v0_1_1_scratch_create(&ctx->error_callback, rustsecp256k1_v0_1_1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT); - CHECK(rustsecp256k1_v0_1_1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points)); - rustsecp256k1_v0_1_1_gej_add_var(&r, &r, &r2, NULL); - CHECK(rustsecp256k1_v0_1_1_gej_is_infinity(&r)); - rustsecp256k1_v0_1_1_scratch_destroy(&ctx->error_callback, scratch); + scratch = rustsecp256k1_v0_1_2_scratch_create(&ctx->error_callback, rustsecp256k1_v0_1_2_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT); + CHECK(rustsecp256k1_v0_1_2_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points)); + rustsecp256k1_v0_1_2_gej_add_var(&r, &r, &r2, NULL); + CHECK(rustsecp256k1_v0_1_2_gej_is_infinity(&r)); + rustsecp256k1_v0_1_2_scratch_destroy(&ctx->error_callback, scratch); for(i = 1; i <= n_points; i++) { if (i > ECMULT_PIPPENGER_THRESHOLD) { - int bucket_window = rustsecp256k1_v0_1_1_pippenger_bucket_window(i); - size_t scratch_size = rustsecp256k1_v0_1_1_pippenger_scratch_size(i, bucket_window); - scratch = rustsecp256k1_v0_1_1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT); + int bucket_window = rustsecp256k1_v0_1_2_pippenger_bucket_window(i); + size_t scratch_size = rustsecp256k1_v0_1_2_pippenger_scratch_size(i, bucket_window); + scratch = rustsecp256k1_v0_1_2_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT); } else { - size_t scratch_size = rustsecp256k1_v0_1_1_strauss_scratch_size(i); - scratch = rustsecp256k1_v0_1_1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT); + size_t scratch_size = rustsecp256k1_v0_1_2_strauss_scratch_size(i); + scratch = rustsecp256k1_v0_1_2_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT); } - CHECK(rustsecp256k1_v0_1_1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points)); - rustsecp256k1_v0_1_1_gej_add_var(&r, &r, &r2, NULL); - CHECK(rustsecp256k1_v0_1_1_gej_is_infinity(&r)); - rustsecp256k1_v0_1_1_scratch_destroy(&ctx->error_callback, scratch); + CHECK(rustsecp256k1_v0_1_2_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points)); + rustsecp256k1_v0_1_2_gej_add_var(&r, &r, &r2, NULL); + CHECK(rustsecp256k1_v0_1_2_gej_is_infinity(&r)); + rustsecp256k1_v0_1_2_scratch_destroy(&ctx->error_callback, scratch); } free(sc); free(pt); } void run_ecmult_multi_tests(void) { - rustsecp256k1_v0_1_1_scratch *scratch; + rustsecp256k1_v0_1_2_scratch *scratch; - test_rustsecp256k1_v0_1_1_pippenger_bucket_window_inv(); + test_rustsecp256k1_v0_1_2_pippenger_bucket_window_inv(); test_ecmult_multi_pippenger_max_points(); - scratch = rustsecp256k1_v0_1_1_scratch_create(&ctx->error_callback, 819200); - test_ecmult_multi(scratch, rustsecp256k1_v0_1_1_ecmult_multi_var); - test_ecmult_multi(NULL, rustsecp256k1_v0_1_1_ecmult_multi_var); - test_ecmult_multi(scratch, rustsecp256k1_v0_1_1_ecmult_pippenger_batch_single); - test_ecmult_multi_batch_single(rustsecp256k1_v0_1_1_ecmult_pippenger_batch_single); - test_ecmult_multi(scratch, rustsecp256k1_v0_1_1_ecmult_strauss_batch_single); - test_ecmult_multi_batch_single(rustsecp256k1_v0_1_1_ecmult_strauss_batch_single); - rustsecp256k1_v0_1_1_scratch_destroy(&ctx->error_callback, scratch); + scratch = rustsecp256k1_v0_1_2_scratch_create(&ctx->error_callback, 819200); + test_ecmult_multi(scratch, rustsecp256k1_v0_1_2_ecmult_multi_var); + test_ecmult_multi(NULL, rustsecp256k1_v0_1_2_ecmult_multi_var); + test_ecmult_multi(scratch, rustsecp256k1_v0_1_2_ecmult_pippenger_batch_single); + test_ecmult_multi_batch_single(rustsecp256k1_v0_1_2_ecmult_pippenger_batch_single); + test_ecmult_multi(scratch, rustsecp256k1_v0_1_2_ecmult_strauss_batch_single); + test_ecmult_multi_batch_single(rustsecp256k1_v0_1_2_ecmult_strauss_batch_single); + rustsecp256k1_v0_1_2_scratch_destroy(&ctx->error_callback, scratch); /* Run test_ecmult_multi with space for exactly one point */ - scratch = rustsecp256k1_v0_1_1_scratch_create(&ctx->error_callback, rustsecp256k1_v0_1_1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT); - test_ecmult_multi(scratch, rustsecp256k1_v0_1_1_ecmult_multi_var); - rustsecp256k1_v0_1_1_scratch_destroy(&ctx->error_callback, scratch); + scratch = rustsecp256k1_v0_1_2_scratch_create(&ctx->error_callback, rustsecp256k1_v0_1_2_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT); + test_ecmult_multi(scratch, rustsecp256k1_v0_1_2_ecmult_multi_var); + rustsecp256k1_v0_1_2_scratch_destroy(&ctx->error_callback, scratch); test_ecmult_multi_batch_size_helper(); test_ecmult_multi_batching(); } -void test_wnaf(const rustsecp256k1_v0_1_1_scalar *number, int w) { - rustsecp256k1_v0_1_1_scalar x, two, t; +void test_wnaf(const rustsecp256k1_v0_1_2_scalar *number, int w) { + rustsecp256k1_v0_1_2_scalar x, two, t; int wnaf[256]; int zeroes = -1; int i; int bits; - rustsecp256k1_v0_1_1_scalar_set_int(&x, 0); - rustsecp256k1_v0_1_1_scalar_set_int(&two, 2); - bits = rustsecp256k1_v0_1_1_ecmult_wnaf(wnaf, 256, number, w); + rustsecp256k1_v0_1_2_scalar_set_int(&x, 0); + rustsecp256k1_v0_1_2_scalar_set_int(&two, 2); + bits = rustsecp256k1_v0_1_2_ecmult_wnaf(wnaf, 256, number, w); CHECK(bits <= 256); for (i = bits-1; i >= 0; i--) { int v = wnaf[i]; - rustsecp256k1_v0_1_1_scalar_mul(&x, &x, &two); + rustsecp256k1_v0_1_2_scalar_mul(&x, &x, &two); if (v) { CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */ zeroes=0; @@ -3148,108 +3211,108 @@ void test_wnaf(const rustsecp256k1_v0_1_1_scalar *number, int w) { zeroes++; } if (v >= 0) { - rustsecp256k1_v0_1_1_scalar_set_int(&t, v); + rustsecp256k1_v0_1_2_scalar_set_int(&t, v); } else { - rustsecp256k1_v0_1_1_scalar_set_int(&t, -v); - rustsecp256k1_v0_1_1_scalar_negate(&t, &t); + rustsecp256k1_v0_1_2_scalar_set_int(&t, -v); + rustsecp256k1_v0_1_2_scalar_negate(&t, &t); } - rustsecp256k1_v0_1_1_scalar_add(&x, &x, &t); + rustsecp256k1_v0_1_2_scalar_add(&x, &x, &t); } - CHECK(rustsecp256k1_v0_1_1_scalar_eq(&x, number)); /* check that wnaf represents number */ + CHECK(rustsecp256k1_v0_1_2_scalar_eq(&x, number)); /* check that wnaf represents number */ } -void test_constant_wnaf_negate(const rustsecp256k1_v0_1_1_scalar *number) { - rustsecp256k1_v0_1_1_scalar neg1 = *number; - rustsecp256k1_v0_1_1_scalar neg2 = *number; +void test_constant_wnaf_negate(const rustsecp256k1_v0_1_2_scalar *number) { + rustsecp256k1_v0_1_2_scalar neg1 = *number; + rustsecp256k1_v0_1_2_scalar neg2 = *number; int sign1 = 1; int sign2 = 1; - if (!rustsecp256k1_v0_1_1_scalar_get_bits(&neg1, 0, 1)) { - rustsecp256k1_v0_1_1_scalar_negate(&neg1, &neg1); + if (!rustsecp256k1_v0_1_2_scalar_get_bits(&neg1, 0, 1)) { + rustsecp256k1_v0_1_2_scalar_negate(&neg1, &neg1); sign1 = -1; } - sign2 = rustsecp256k1_v0_1_1_scalar_cond_negate(&neg2, rustsecp256k1_v0_1_1_scalar_is_even(&neg2)); + sign2 = rustsecp256k1_v0_1_2_scalar_cond_negate(&neg2, rustsecp256k1_v0_1_2_scalar_is_even(&neg2)); CHECK(sign1 == sign2); - CHECK(rustsecp256k1_v0_1_1_scalar_eq(&neg1, &neg2)); + CHECK(rustsecp256k1_v0_1_2_scalar_eq(&neg1, &neg2)); } -void test_constant_wnaf(const rustsecp256k1_v0_1_1_scalar *number, int w) { - rustsecp256k1_v0_1_1_scalar x, shift; +void test_constant_wnaf(const rustsecp256k1_v0_1_2_scalar *number, int w) { + rustsecp256k1_v0_1_2_scalar x, shift; int wnaf[256] = {0}; int i; int skew; int bits = 256; - rustsecp256k1_v0_1_1_scalar num = *number; + rustsecp256k1_v0_1_2_scalar num = *number; - rustsecp256k1_v0_1_1_scalar_set_int(&x, 0); - rustsecp256k1_v0_1_1_scalar_set_int(&shift, 1 << w); + rustsecp256k1_v0_1_2_scalar_set_int(&x, 0); + rustsecp256k1_v0_1_2_scalar_set_int(&shift, 1 << w); /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */ #ifdef USE_ENDOMORPHISM for (i = 0; i < 16; ++i) { - rustsecp256k1_v0_1_1_scalar_shr_int(&num, 8); + rustsecp256k1_v0_1_2_scalar_shr_int(&num, 8); } bits = 128; #endif - skew = rustsecp256k1_v0_1_1_wnaf_const(wnaf, &num, w, bits); + skew = rustsecp256k1_v0_1_2_wnaf_const(wnaf, &num, w, bits); for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) { - rustsecp256k1_v0_1_1_scalar t; + rustsecp256k1_v0_1_2_scalar t; int v = wnaf[i]; CHECK(v != 0); /* check nonzero */ CHECK(v & 1); /* check parity */ CHECK(v > -(1 << w)); /* check range above */ CHECK(v < (1 << w)); /* check range below */ - rustsecp256k1_v0_1_1_scalar_mul(&x, &x, &shift); + rustsecp256k1_v0_1_2_scalar_mul(&x, &x, &shift); if (v >= 0) { - rustsecp256k1_v0_1_1_scalar_set_int(&t, v); + rustsecp256k1_v0_1_2_scalar_set_int(&t, v); } else { - rustsecp256k1_v0_1_1_scalar_set_int(&t, -v); - rustsecp256k1_v0_1_1_scalar_negate(&t, &t); + rustsecp256k1_v0_1_2_scalar_set_int(&t, -v); + rustsecp256k1_v0_1_2_scalar_negate(&t, &t); } - rustsecp256k1_v0_1_1_scalar_add(&x, &x, &t); + rustsecp256k1_v0_1_2_scalar_add(&x, &x, &t); } /* Skew num because when encoding numbers as odd we use an offset */ - rustsecp256k1_v0_1_1_scalar_cadd_bit(&num, skew == 2, 1); - CHECK(rustsecp256k1_v0_1_1_scalar_eq(&x, &num)); + rustsecp256k1_v0_1_2_scalar_cadd_bit(&num, skew == 2, 1); + CHECK(rustsecp256k1_v0_1_2_scalar_eq(&x, &num)); } -void test_fixed_wnaf(const rustsecp256k1_v0_1_1_scalar *number, int w) { - rustsecp256k1_v0_1_1_scalar x, shift; +void test_fixed_wnaf(const rustsecp256k1_v0_1_2_scalar *number, int w) { + rustsecp256k1_v0_1_2_scalar x, shift; int wnaf[256] = {0}; int i; int skew; - rustsecp256k1_v0_1_1_scalar num = *number; + rustsecp256k1_v0_1_2_scalar num = *number; - rustsecp256k1_v0_1_1_scalar_set_int(&x, 0); - rustsecp256k1_v0_1_1_scalar_set_int(&shift, 1 << w); + rustsecp256k1_v0_1_2_scalar_set_int(&x, 0); + rustsecp256k1_v0_1_2_scalar_set_int(&shift, 1 << w); /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */ #ifdef USE_ENDOMORPHISM for (i = 0; i < 16; ++i) { - rustsecp256k1_v0_1_1_scalar_shr_int(&num, 8); + rustsecp256k1_v0_1_2_scalar_shr_int(&num, 8); } #endif - skew = rustsecp256k1_v0_1_1_wnaf_fixed(wnaf, &num, w); + skew = rustsecp256k1_v0_1_2_wnaf_fixed(wnaf, &num, w); for (i = WNAF_SIZE(w)-1; i >= 0; --i) { - rustsecp256k1_v0_1_1_scalar t; + rustsecp256k1_v0_1_2_scalar t; int v = wnaf[i]; CHECK(v == 0 || v & 1); /* check parity */ CHECK(v > -(1 << w)); /* check range above */ CHECK(v < (1 << w)); /* check range below */ - rustsecp256k1_v0_1_1_scalar_mul(&x, &x, &shift); + rustsecp256k1_v0_1_2_scalar_mul(&x, &x, &shift); if (v >= 0) { - rustsecp256k1_v0_1_1_scalar_set_int(&t, v); + rustsecp256k1_v0_1_2_scalar_set_int(&t, v); } else { - rustsecp256k1_v0_1_1_scalar_set_int(&t, -v); - rustsecp256k1_v0_1_1_scalar_negate(&t, &t); + rustsecp256k1_v0_1_2_scalar_set_int(&t, -v); + rustsecp256k1_v0_1_2_scalar_negate(&t, &t); } - rustsecp256k1_v0_1_1_scalar_add(&x, &x, &t); + rustsecp256k1_v0_1_2_scalar_add(&x, &x, &t); } /* If skew is 1 then add 1 to num */ - rustsecp256k1_v0_1_1_scalar_cadd_bit(&num, 0, skew == 1); - CHECK(rustsecp256k1_v0_1_1_scalar_eq(&x, &num)); + rustsecp256k1_v0_1_2_scalar_cadd_bit(&num, 0, skew == 1); + CHECK(rustsecp256k1_v0_1_2_scalar_eq(&x, &num)); } /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the @@ -3269,18 +3332,18 @@ void test_fixed_wnaf_small(void) { int wnaf[256] = {0}; int i; int skew; - rustsecp256k1_v0_1_1_scalar num; + rustsecp256k1_v0_1_2_scalar num; - rustsecp256k1_v0_1_1_scalar_set_int(&num, 0); - skew = rustsecp256k1_v0_1_1_wnaf_fixed(wnaf, &num, w); + rustsecp256k1_v0_1_2_scalar_set_int(&num, 0); + skew = rustsecp256k1_v0_1_2_wnaf_fixed(wnaf, &num, w); for (i = WNAF_SIZE(w)-1; i >= 0; --i) { int v = wnaf[i]; CHECK(v == 0); } CHECK(skew == 0); - rustsecp256k1_v0_1_1_scalar_set_int(&num, 1); - skew = rustsecp256k1_v0_1_1_wnaf_fixed(wnaf, &num, w); + rustsecp256k1_v0_1_2_scalar_set_int(&num, 1); + skew = rustsecp256k1_v0_1_2_wnaf_fixed(wnaf, &num, w); for (i = WNAF_SIZE(w)-1; i >= 1; --i) { int v = wnaf[i]; CHECK(v == 0); @@ -3290,29 +3353,29 @@ void test_fixed_wnaf_small(void) { { int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf }; - rustsecp256k1_v0_1_1_scalar_set_int(&num, 0xffffffff); - skew = rustsecp256k1_v0_1_1_wnaf_fixed(wnaf, &num, w); + rustsecp256k1_v0_1_2_scalar_set_int(&num, 0xffffffff); + skew = rustsecp256k1_v0_1_2_wnaf_fixed(wnaf, &num, w); test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w); CHECK(skew == 0); } { int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf }; - rustsecp256k1_v0_1_1_scalar_set_int(&num, 0xeeeeeeee); - skew = rustsecp256k1_v0_1_1_wnaf_fixed(wnaf, &num, w); + rustsecp256k1_v0_1_2_scalar_set_int(&num, 0xeeeeeeee); + skew = rustsecp256k1_v0_1_2_wnaf_fixed(wnaf, &num, w); test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w); CHECK(skew == 1); } { int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 }; - rustsecp256k1_v0_1_1_scalar_set_int(&num, 0x01010101); - skew = rustsecp256k1_v0_1_1_wnaf_fixed(wnaf, &num, w); + rustsecp256k1_v0_1_2_scalar_set_int(&num, 0x01010101); + skew = rustsecp256k1_v0_1_2_wnaf_fixed(wnaf, &num, w); test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w); CHECK(skew == 0); } { int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 }; - rustsecp256k1_v0_1_1_scalar_set_int(&num, 0x01ef1ef1); - skew = rustsecp256k1_v0_1_1_wnaf_fixed(wnaf, &num, w); + rustsecp256k1_v0_1_2_scalar_set_int(&num, 0x01ef1ef1); + skew = rustsecp256k1_v0_1_2_wnaf_fixed(wnaf, &num, w); test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w); CHECK(skew == 0); } @@ -3320,7 +3383,7 @@ void test_fixed_wnaf_small(void) { void run_wnaf(void) { int i; - rustsecp256k1_v0_1_1_scalar n = {{0}}; + rustsecp256k1_v0_1_2_scalar n = {{0}}; /* Sanity check: 1 and 2 are the smallest odd and even numbers and should * have easier-to-diagnose failure modes */ @@ -3338,43 +3401,43 @@ void run_wnaf(void) { test_constant_wnaf(&n, 4 + (i % 10)); test_fixed_wnaf(&n, 4 + (i % 10)); } - rustsecp256k1_v0_1_1_scalar_set_int(&n, 0); - CHECK(rustsecp256k1_v0_1_1_scalar_cond_negate(&n, 1) == -1); - CHECK(rustsecp256k1_v0_1_1_scalar_is_zero(&n)); - CHECK(rustsecp256k1_v0_1_1_scalar_cond_negate(&n, 0) == 1); - CHECK(rustsecp256k1_v0_1_1_scalar_is_zero(&n)); + rustsecp256k1_v0_1_2_scalar_set_int(&n, 0); + CHECK(rustsecp256k1_v0_1_2_scalar_cond_negate(&n, 1) == -1); + CHECK(rustsecp256k1_v0_1_2_scalar_is_zero(&n)); + CHECK(rustsecp256k1_v0_1_2_scalar_cond_negate(&n, 0) == 1); + CHECK(rustsecp256k1_v0_1_2_scalar_is_zero(&n)); } void test_ecmult_constants(void) { /* Test ecmult_gen() for [0..36) and [order-36..0). */ - rustsecp256k1_v0_1_1_scalar x; - rustsecp256k1_v0_1_1_gej r; - rustsecp256k1_v0_1_1_ge ng; + rustsecp256k1_v0_1_2_scalar x; + rustsecp256k1_v0_1_2_gej r; + rustsecp256k1_v0_1_2_ge ng; int i; int j; - rustsecp256k1_v0_1_1_ge_neg(&ng, &rustsecp256k1_v0_1_1_ge_const_g); + rustsecp256k1_v0_1_2_ge_neg(&ng, &rustsecp256k1_v0_1_2_ge_const_g); for (i = 0; i < 36; i++ ) { - rustsecp256k1_v0_1_1_scalar_set_int(&x, i); - rustsecp256k1_v0_1_1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x); + rustsecp256k1_v0_1_2_scalar_set_int(&x, i); + rustsecp256k1_v0_1_2_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x); for (j = 0; j < i; j++) { if (j == i - 1) { - ge_equals_gej(&rustsecp256k1_v0_1_1_ge_const_g, &r); + ge_equals_gej(&rustsecp256k1_v0_1_2_ge_const_g, &r); } - rustsecp256k1_v0_1_1_gej_add_ge(&r, &r, &ng); + rustsecp256k1_v0_1_2_gej_add_ge(&r, &r, &ng); } - CHECK(rustsecp256k1_v0_1_1_gej_is_infinity(&r)); + CHECK(rustsecp256k1_v0_1_2_gej_is_infinity(&r)); } for (i = 1; i <= 36; i++ ) { - rustsecp256k1_v0_1_1_scalar_set_int(&x, i); - rustsecp256k1_v0_1_1_scalar_negate(&x, &x); - rustsecp256k1_v0_1_1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x); + rustsecp256k1_v0_1_2_scalar_set_int(&x, i); + rustsecp256k1_v0_1_2_scalar_negate(&x, &x); + rustsecp256k1_v0_1_2_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x); for (j = 0; j < i; j++) { if (j == i - 1) { ge_equals_gej(&ng, &r); } - rustsecp256k1_v0_1_1_gej_add_ge(&r, &r, &rustsecp256k1_v0_1_1_ge_const_g); + rustsecp256k1_v0_1_2_gej_add_ge(&r, &r, &rustsecp256k1_v0_1_2_ge_const_g); } - CHECK(rustsecp256k1_v0_1_1_gej_is_infinity(&r)); + CHECK(rustsecp256k1_v0_1_2_gej_is_infinity(&r)); } } @@ -3384,36 +3447,36 @@ void run_ecmult_constants(void) { void test_ecmult_gen_blind(void) { /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */ - rustsecp256k1_v0_1_1_scalar key; - rustsecp256k1_v0_1_1_scalar b; + rustsecp256k1_v0_1_2_scalar key; + rustsecp256k1_v0_1_2_scalar b; unsigned char seed32[32]; - rustsecp256k1_v0_1_1_gej pgej; - rustsecp256k1_v0_1_1_gej pgej2; - rustsecp256k1_v0_1_1_gej i; - rustsecp256k1_v0_1_1_ge pge; + rustsecp256k1_v0_1_2_gej pgej; + rustsecp256k1_v0_1_2_gej pgej2; + rustsecp256k1_v0_1_2_gej i; + rustsecp256k1_v0_1_2_ge pge; random_scalar_order_test(&key); - rustsecp256k1_v0_1_1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key); - rustsecp256k1_v0_1_1_rand256(seed32); + rustsecp256k1_v0_1_2_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key); + rustsecp256k1_v0_1_2_rand256(seed32); b = ctx->ecmult_gen_ctx.blind; i = ctx->ecmult_gen_ctx.initial; - rustsecp256k1_v0_1_1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32); - CHECK(!rustsecp256k1_v0_1_1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind)); - rustsecp256k1_v0_1_1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key); + rustsecp256k1_v0_1_2_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32); + CHECK(!rustsecp256k1_v0_1_2_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind)); + rustsecp256k1_v0_1_2_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key); CHECK(!gej_xyz_equals_gej(&pgej, &pgej2)); CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial)); - rustsecp256k1_v0_1_1_ge_set_gej(&pge, &pgej); + rustsecp256k1_v0_1_2_ge_set_gej(&pge, &pgej); ge_equals_gej(&pge, &pgej2); } void test_ecmult_gen_blind_reset(void) { /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */ - rustsecp256k1_v0_1_1_scalar b; - rustsecp256k1_v0_1_1_gej initial; - rustsecp256k1_v0_1_1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0); + rustsecp256k1_v0_1_2_scalar b; + rustsecp256k1_v0_1_2_gej initial; + rustsecp256k1_v0_1_2_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0); b = ctx->ecmult_gen_ctx.blind; initial = ctx->ecmult_gen_ctx.initial; - rustsecp256k1_v0_1_1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0); - CHECK(rustsecp256k1_v0_1_1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind)); + rustsecp256k1_v0_1_2_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0); + CHECK(rustsecp256k1_v0_1_2_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind)); CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial)); } @@ -3428,25 +3491,25 @@ void run_ecmult_gen_blind(void) { #ifdef USE_ENDOMORPHISM /***** ENDOMORPHISH TESTS *****/ void test_scalar_split(void) { - rustsecp256k1_v0_1_1_scalar full; - rustsecp256k1_v0_1_1_scalar s1, slam; + rustsecp256k1_v0_1_2_scalar full; + rustsecp256k1_v0_1_2_scalar s1, slam; const unsigned char zero[32] = {0}; unsigned char tmp[32]; random_scalar_order_test(&full); - rustsecp256k1_v0_1_1_scalar_split_lambda(&s1, &slam, &full); + rustsecp256k1_v0_1_2_scalar_split_lambda(&s1, &slam, &full); /* check that both are <= 128 bits in size */ - if (rustsecp256k1_v0_1_1_scalar_is_high(&s1)) { - rustsecp256k1_v0_1_1_scalar_negate(&s1, &s1); + if (rustsecp256k1_v0_1_2_scalar_is_high(&s1)) { + rustsecp256k1_v0_1_2_scalar_negate(&s1, &s1); } - if (rustsecp256k1_v0_1_1_scalar_is_high(&slam)) { - rustsecp256k1_v0_1_1_scalar_negate(&slam, &slam); + if (rustsecp256k1_v0_1_2_scalar_is_high(&slam)) { + rustsecp256k1_v0_1_2_scalar_negate(&slam, &slam); } - rustsecp256k1_v0_1_1_scalar_get_b32(tmp, &s1); + rustsecp256k1_v0_1_2_scalar_get_b32(tmp, &s1); CHECK(memcmp(zero, tmp, 16) == 0); - rustsecp256k1_v0_1_1_scalar_get_b32(tmp, &slam); + rustsecp256k1_v0_1_2_scalar_get_b32(tmp, &slam); CHECK(memcmp(zero, tmp, 16) == 0); } @@ -3457,12 +3520,12 @@ void run_endomorphism_tests(void) { void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) { unsigned char pubkeyc[65]; - rustsecp256k1_v0_1_1_pubkey pubkey; - rustsecp256k1_v0_1_1_ge ge; + rustsecp256k1_v0_1_2_pubkey pubkey; + rustsecp256k1_v0_1_2_ge ge; size_t pubkeyclen; int32_t ecount; ecount = 0; - rustsecp256k1_v0_1_1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); + rustsecp256k1_v0_1_2_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) { /* Smaller sizes are tested exhaustively elsewhere. */ int32_t i; @@ -3488,11 +3551,11 @@ void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvali memset(&pubkey, 0, sizeof(pubkey)); VG_UNDEF(&pubkey, sizeof(pubkey)); ecount = 0; - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1); VG_CHECK(&pubkey, sizeof(pubkey)); outl = 65; VG_UNDEF(pubkeyo, 65); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1); VG_CHECK(pubkeyo, outl); CHECK(outl == 33); CHECK(memcmp(&pubkeyo[1], &pubkeyc[1], 32) == 0); @@ -3500,14 +3563,14 @@ void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvali if (ypass) { /* This test isn't always done because we decode with alternative signs, so the y won't match. */ CHECK(pubkeyo[0] == ysign); - CHECK(rustsecp256k1_v0_1_1_pubkey_load(ctx, &ge, &pubkey) == 1); + CHECK(rustsecp256k1_v0_1_2_pubkey_load(ctx, &ge, &pubkey) == 1); memset(&pubkey, 0, sizeof(pubkey)); VG_UNDEF(&pubkey, sizeof(pubkey)); - rustsecp256k1_v0_1_1_pubkey_save(&pubkey, &ge); + rustsecp256k1_v0_1_2_pubkey_save(&pubkey, &ge); VG_CHECK(&pubkey, sizeof(pubkey)); outl = 65; VG_UNDEF(pubkeyo, 65); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1); VG_CHECK(pubkeyo, outl); CHECK(outl == 65); CHECK(pubkeyo[0] == 4); @@ -3519,15 +3582,15 @@ void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvali memset(&pubkey, 0xfe, sizeof(pubkey)); ecount = 0; VG_UNDEF(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0); VG_CHECK(&pubkey, sizeof(pubkey)); CHECK(ecount == 0); - CHECK(rustsecp256k1_v0_1_1_pubkey_load(ctx, &ge, &pubkey) == 0); + CHECK(rustsecp256k1_v0_1_2_pubkey_load(ctx, &ge, &pubkey) == 0); CHECK(ecount == 1); } } } - rustsecp256k1_v0_1_1_context_set_illegal_callback(ctx, NULL, NULL); + rustsecp256k1_v0_1_2_context_set_illegal_callback(ctx, NULL, NULL); } void run_ec_pubkey_parse_test(void) { @@ -3711,8 +3774,8 @@ void run_ec_pubkey_parse_test(void) { }; unsigned char sout[65]; unsigned char shortkey[2]; - rustsecp256k1_v0_1_1_ge ge; - rustsecp256k1_v0_1_1_pubkey pubkey; + rustsecp256k1_v0_1_2_ge ge; + rustsecp256k1_v0_1_2_pubkey pubkey; size_t len; int32_t i; int32_t ecount; @@ -3720,16 +3783,16 @@ void run_ec_pubkey_parse_test(void) { ecount = 0; /* Nothing should be reading this far into pubkeyc. */ VG_UNDEF(&pubkeyc[65], 1); - rustsecp256k1_v0_1_1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); + rustsecp256k1_v0_1_2_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); /* Zero length claimed, fail, zeroize, no illegal arg error. */ memset(&pubkey, 0xfe, sizeof(pubkey)); ecount = 0; VG_UNDEF(shortkey, 2); VG_UNDEF(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0); VG_CHECK(&pubkey, sizeof(pubkey)); CHECK(ecount == 0); - CHECK(rustsecp256k1_v0_1_1_pubkey_load(ctx, &ge, &pubkey) == 0); + CHECK(rustsecp256k1_v0_1_2_pubkey_load(ctx, &ge, &pubkey) == 0); CHECK(ecount == 1); /* Length one claimed, fail, zeroize, no illegal arg error. */ for (i = 0; i < 256 ; i++) { @@ -3738,10 +3801,10 @@ void run_ec_pubkey_parse_test(void) { shortkey[0] = i; VG_UNDEF(&shortkey[1], 1); VG_UNDEF(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0); VG_CHECK(&pubkey, sizeof(pubkey)); CHECK(ecount == 0); - CHECK(rustsecp256k1_v0_1_1_pubkey_load(ctx, &ge, &pubkey) == 0); + CHECK(rustsecp256k1_v0_1_2_pubkey_load(ctx, &ge, &pubkey) == 0); CHECK(ecount == 1); } /* Length two claimed, fail, zeroize, no illegal arg error. */ @@ -3751,101 +3814,101 @@ void run_ec_pubkey_parse_test(void) { shortkey[0] = i & 255; shortkey[1] = i >> 8; VG_UNDEF(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0); VG_CHECK(&pubkey, sizeof(pubkey)); CHECK(ecount == 0); - CHECK(rustsecp256k1_v0_1_1_pubkey_load(ctx, &ge, &pubkey) == 0); + CHECK(rustsecp256k1_v0_1_2_pubkey_load(ctx, &ge, &pubkey) == 0); CHECK(ecount == 1); } memset(&pubkey, 0xfe, sizeof(pubkey)); ecount = 0; VG_UNDEF(&pubkey, sizeof(pubkey)); /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */ - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0); VG_CHECK(&pubkey, sizeof(pubkey)); CHECK(ecount == 0); - CHECK(rustsecp256k1_v0_1_1_pubkey_load(ctx, &ge, &pubkey) == 0); + CHECK(rustsecp256k1_v0_1_2_pubkey_load(ctx, &ge, &pubkey) == 0); CHECK(ecount == 1); /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */ - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0); CHECK(ecount == 2); /* NULL input string. Illegal arg and zeroize output. */ memset(&pubkey, 0xfe, sizeof(pubkey)); ecount = 0; VG_UNDEF(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0); VG_CHECK(&pubkey, sizeof(pubkey)); CHECK(ecount == 1); - CHECK(rustsecp256k1_v0_1_1_pubkey_load(ctx, &ge, &pubkey) == 0); + CHECK(rustsecp256k1_v0_1_2_pubkey_load(ctx, &ge, &pubkey) == 0); CHECK(ecount == 2); /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */ memset(&pubkey, 0xfe, sizeof(pubkey)); ecount = 0; VG_UNDEF(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0); VG_CHECK(&pubkey, sizeof(pubkey)); CHECK(ecount == 0); - CHECK(rustsecp256k1_v0_1_1_pubkey_load(ctx, &ge, &pubkey) == 0); + CHECK(rustsecp256k1_v0_1_2_pubkey_load(ctx, &ge, &pubkey) == 0); CHECK(ecount == 1); /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */ memset(&pubkey, 0xfe, sizeof(pubkey)); ecount = 0; VG_UNDEF(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0); VG_CHECK(&pubkey, sizeof(pubkey)); CHECK(ecount == 0); - CHECK(rustsecp256k1_v0_1_1_pubkey_load(ctx, &ge, &pubkey) == 0); + CHECK(rustsecp256k1_v0_1_2_pubkey_load(ctx, &ge, &pubkey) == 0); CHECK(ecount == 1); /* Valid parse. */ memset(&pubkey, 0, sizeof(pubkey)); ecount = 0; VG_UNDEF(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_parse(rustsecp256k1_v0_1_1_context_no_precomp, &pubkey, pubkeyc, 65) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_parse(rustsecp256k1_v0_1_2_context_no_precomp, &pubkey, pubkeyc, 65) == 1); VG_CHECK(&pubkey, sizeof(pubkey)); CHECK(ecount == 0); VG_UNDEF(&ge, sizeof(ge)); - CHECK(rustsecp256k1_v0_1_1_pubkey_load(ctx, &ge, &pubkey) == 1); + CHECK(rustsecp256k1_v0_1_2_pubkey_load(ctx, &ge, &pubkey) == 1); VG_CHECK(&ge.x, sizeof(ge.x)); VG_CHECK(&ge.y, sizeof(ge.y)); VG_CHECK(&ge.infinity, sizeof(ge.infinity)); - ge_equals_ge(&rustsecp256k1_v0_1_1_ge_const_g, &ge); + ge_equals_ge(&rustsecp256k1_v0_1_2_ge_const_g, &ge); CHECK(ecount == 0); - /* rustsecp256k1_v0_1_1_ec_pubkey_serialize illegal args. */ + /* rustsecp256k1_v0_1_2_ec_pubkey_serialize illegal args. */ ecount = 0; len = 65; - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0); CHECK(ecount == 1); CHECK(len == 0); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0); CHECK(ecount == 2); len = 65; VG_UNDEF(sout, 65); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0); VG_CHECK(sout, 65); CHECK(ecount == 3); CHECK(len == 0); len = 65; - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0); CHECK(ecount == 4); CHECK(len == 0); len = 65; VG_UNDEF(sout, 65); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1); VG_CHECK(sout, 65); CHECK(ecount == 4); CHECK(len == 65); /* Multiple illegal args. Should still set arg error only once. */ ecount = 0; ecount2 = 11; - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0); CHECK(ecount == 1); /* Does the illegal arg callback actually change the behavior? */ - rustsecp256k1_v0_1_1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0); + rustsecp256k1_v0_1_2_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0); CHECK(ecount == 1); CHECK(ecount2 == 10); - rustsecp256k1_v0_1_1_context_set_illegal_callback(ctx, NULL, NULL); + rustsecp256k1_v0_1_2_context_set_illegal_callback(ctx, NULL, NULL); /* Try a bunch of prefabbed points with all possible encodings. */ for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) { ec_pubkey_parse_pointtest(valid[i], 1, 1); @@ -3865,263 +3928,318 @@ void run_eckey_edge_case_test(void) { 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41 }; - const unsigned char zeros[sizeof(rustsecp256k1_v0_1_1_pubkey)] = {0x00}; + const unsigned char zeros[sizeof(rustsecp256k1_v0_1_2_pubkey)] = {0x00}; unsigned char ctmp[33]; unsigned char ctmp2[33]; - rustsecp256k1_v0_1_1_pubkey pubkey; - rustsecp256k1_v0_1_1_pubkey pubkey2; - rustsecp256k1_v0_1_1_pubkey pubkey_one; - rustsecp256k1_v0_1_1_pubkey pubkey_negone; - const rustsecp256k1_v0_1_1_pubkey *pubkeys[3]; + rustsecp256k1_v0_1_2_pubkey pubkey; + rustsecp256k1_v0_1_2_pubkey pubkey2; + rustsecp256k1_v0_1_2_pubkey pubkey_one; + rustsecp256k1_v0_1_2_pubkey pubkey_negone; + const rustsecp256k1_v0_1_2_pubkey *pubkeys[3]; size_t len; int32_t ecount; /* Group order is too large, reject. */ - CHECK(rustsecp256k1_v0_1_1_ec_seckey_verify(ctx, orderc) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_seckey_verify(ctx, orderc) == 0); VG_UNDEF(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_create(ctx, &pubkey, orderc) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_create(ctx, &pubkey, orderc) == 0); VG_CHECK(&pubkey, sizeof(pubkey)); - CHECK(memcmp(&pubkey, zeros, sizeof(rustsecp256k1_v0_1_1_pubkey)) == 0); + CHECK(memcmp(&pubkey, zeros, sizeof(rustsecp256k1_v0_1_2_pubkey)) == 0); /* Maximum value is too large, reject. */ memset(ctmp, 255, 32); - CHECK(rustsecp256k1_v0_1_1_ec_seckey_verify(ctx, ctmp) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_seckey_verify(ctx, ctmp) == 0); memset(&pubkey, 1, sizeof(pubkey)); VG_UNDEF(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_create(ctx, &pubkey, ctmp) == 0); VG_CHECK(&pubkey, sizeof(pubkey)); - CHECK(memcmp(&pubkey, zeros, sizeof(rustsecp256k1_v0_1_1_pubkey)) == 0); + CHECK(memcmp(&pubkey, zeros, sizeof(rustsecp256k1_v0_1_2_pubkey)) == 0); /* Zero is too small, reject. */ memset(ctmp, 0, 32); - CHECK(rustsecp256k1_v0_1_1_ec_seckey_verify(ctx, ctmp) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_seckey_verify(ctx, ctmp) == 0); memset(&pubkey, 1, sizeof(pubkey)); VG_UNDEF(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_create(ctx, &pubkey, ctmp) == 0); VG_CHECK(&pubkey, sizeof(pubkey)); - CHECK(memcmp(&pubkey, zeros, sizeof(rustsecp256k1_v0_1_1_pubkey)) == 0); + CHECK(memcmp(&pubkey, zeros, sizeof(rustsecp256k1_v0_1_2_pubkey)) == 0); /* One must be accepted. */ ctmp[31] = 0x01; - CHECK(rustsecp256k1_v0_1_1_ec_seckey_verify(ctx, ctmp) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_seckey_verify(ctx, ctmp) == 1); memset(&pubkey, 0, sizeof(pubkey)); VG_UNDEF(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_create(ctx, &pubkey, ctmp) == 1); VG_CHECK(&pubkey, sizeof(pubkey)); - CHECK(memcmp(&pubkey, zeros, sizeof(rustsecp256k1_v0_1_1_pubkey)) > 0); + CHECK(memcmp(&pubkey, zeros, sizeof(rustsecp256k1_v0_1_2_pubkey)) > 0); pubkey_one = pubkey; /* Group order + 1 is too large, reject. */ memcpy(ctmp, orderc, 32); ctmp[31] = 0x42; - CHECK(rustsecp256k1_v0_1_1_ec_seckey_verify(ctx, ctmp) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_seckey_verify(ctx, ctmp) == 0); memset(&pubkey, 1, sizeof(pubkey)); VG_UNDEF(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_create(ctx, &pubkey, ctmp) == 0); VG_CHECK(&pubkey, sizeof(pubkey)); - CHECK(memcmp(&pubkey, zeros, sizeof(rustsecp256k1_v0_1_1_pubkey)) == 0); + CHECK(memcmp(&pubkey, zeros, sizeof(rustsecp256k1_v0_1_2_pubkey)) == 0); /* -1 must be accepted. */ ctmp[31] = 0x40; - CHECK(rustsecp256k1_v0_1_1_ec_seckey_verify(ctx, ctmp) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_seckey_verify(ctx, ctmp) == 1); memset(&pubkey, 0, sizeof(pubkey)); VG_UNDEF(&pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_create(ctx, &pubkey, ctmp) == 1); VG_CHECK(&pubkey, sizeof(pubkey)); - CHECK(memcmp(&pubkey, zeros, sizeof(rustsecp256k1_v0_1_1_pubkey)) > 0); + CHECK(memcmp(&pubkey, zeros, sizeof(rustsecp256k1_v0_1_2_pubkey)) > 0); pubkey_negone = pubkey; /* Tweak of zero leaves the value unchanged. */ memset(ctmp2, 0, 32); - CHECK(rustsecp256k1_v0_1_1_ec_privkey_tweak_add(ctx, ctmp, ctmp2) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 1); CHECK(memcmp(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40); memcpy(&pubkey2, &pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1); CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0); /* Multiply tweak of zero zeroizes the output. */ - CHECK(rustsecp256k1_v0_1_1_ec_privkey_tweak_mul(ctx, ctmp, ctmp2) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0); CHECK(memcmp(zeros, ctmp, 32) == 0); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0); CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0); memcpy(&pubkey, &pubkey2, sizeof(pubkey)); - /* Overflowing key tweak zeroizes. */ + /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing + seckey, the seckey is zeroized. */ + memcpy(ctmp, orderc, 32); + memset(ctmp2, 0, 32); + ctmp2[31] = 0x01; + CHECK(rustsecp256k1_v0_1_2_ec_seckey_verify(ctx, ctmp2) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_seckey_verify(ctx, ctmp) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 0); + CHECK(memcmp(zeros, ctmp, 32) == 0); + memcpy(ctmp, orderc, 32); + CHECK(rustsecp256k1_v0_1_2_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0); + CHECK(memcmp(zeros, ctmp, 32) == 0); + /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing + tweak, the seckey is zeroized. */ memcpy(ctmp, orderc, 32); ctmp[31] = 0x40; - CHECK(rustsecp256k1_v0_1_1_ec_privkey_tweak_add(ctx, ctmp, orderc) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_seckey_tweak_add(ctx, ctmp, orderc) == 0); CHECK(memcmp(zeros, ctmp, 32) == 0); memcpy(ctmp, orderc, 32); ctmp[31] = 0x40; - CHECK(rustsecp256k1_v0_1_1_ec_privkey_tweak_mul(ctx, ctmp, orderc) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_seckey_tweak_mul(ctx, ctmp, orderc) == 0); CHECK(memcmp(zeros, ctmp, 32) == 0); memcpy(ctmp, orderc, 32); ctmp[31] = 0x40; - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0); + /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing + tweak, the pubkey is zeroized. */ + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0); CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0); memcpy(&pubkey, &pubkey2, sizeof(pubkey)); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0); CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0); memcpy(&pubkey, &pubkey2, sizeof(pubkey)); - /* Private key tweaks results in a key of zero. */ + /* If the resulting key in rustsecp256k1_v0_1_2_ec_seckey_tweak_add and + * rustsecp256k1_v0_1_2_ec_pubkey_tweak_add is 0 the functions fail and in the latter + * case the pubkey is zeroized. */ + memcpy(ctmp, orderc, 32); + ctmp[31] = 0x40; + memset(ctmp2, 0, 32); ctmp2[31] = 1; - CHECK(rustsecp256k1_v0_1_1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 0); CHECK(memcmp(zeros, ctmp2, 32) == 0); ctmp2[31] = 1; - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0); CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0); memcpy(&pubkey, &pubkey2, sizeof(pubkey)); /* Tweak computation wraps and results in a key of 1. */ ctmp2[31] = 2; - CHECK(rustsecp256k1_v0_1_1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 1); CHECK(memcmp(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1); ctmp2[31] = 2; - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1); ctmp2[31] = 1; - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1); CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0); /* Tweak mul * 2 = 1+1. */ - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1); ctmp2[31] = 2; - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1); CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0); /* Test argument errors. */ ecount = 0; - rustsecp256k1_v0_1_1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); + rustsecp256k1_v0_1_2_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); CHECK(ecount == 0); /* Zeroize pubkey on parse error. */ memset(&pubkey, 0, 32); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0); CHECK(ecount == 1); CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0); memcpy(&pubkey, &pubkey2, sizeof(pubkey)); memset(&pubkey2, 0, 32); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0); CHECK(ecount == 2); CHECK(memcmp(&pubkey2, zeros, sizeof(pubkey2)) == 0); /* Plain argument errors. */ ecount = 0; - CHECK(rustsecp256k1_v0_1_1_ec_seckey_verify(ctx, ctmp) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_seckey_verify(ctx, ctmp) == 1); CHECK(ecount == 0); - CHECK(rustsecp256k1_v0_1_1_ec_seckey_verify(ctx, NULL) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_seckey_verify(ctx, NULL) == 0); CHECK(ecount == 1); ecount = 0; memset(ctmp2, 0, 32); ctmp2[31] = 4; - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0); CHECK(ecount == 2); ecount = 0; memset(ctmp2, 0, 32); ctmp2[31] = 4; - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0); CHECK(ecount == 2); ecount = 0; memset(ctmp2, 0, 32); - CHECK(rustsecp256k1_v0_1_1_ec_privkey_tweak_add(ctx, NULL, ctmp2) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_seckey_tweak_add(ctx, NULL, ctmp2) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1_v0_1_1_ec_privkey_tweak_add(ctx, ctmp, NULL) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_seckey_tweak_add(ctx, ctmp, NULL) == 0); CHECK(ecount == 2); ecount = 0; memset(ctmp2, 0, 32); ctmp2[31] = 1; - CHECK(rustsecp256k1_v0_1_1_ec_privkey_tweak_mul(ctx, NULL, ctmp2) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_seckey_tweak_mul(ctx, NULL, ctmp2) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1_v0_1_1_ec_privkey_tweak_mul(ctx, ctmp, NULL) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_seckey_tweak_mul(ctx, ctmp, NULL) == 0); CHECK(ecount == 2); ecount = 0; - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_create(ctx, NULL, ctmp) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_create(ctx, NULL, ctmp) == 0); CHECK(ecount == 1); memset(&pubkey, 1, sizeof(pubkey)); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_create(ctx, &pubkey, NULL) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_create(ctx, &pubkey, NULL) == 0); CHECK(ecount == 2); - CHECK(memcmp(&pubkey, zeros, sizeof(rustsecp256k1_v0_1_1_pubkey)) == 0); - /* rustsecp256k1_v0_1_1_ec_pubkey_combine tests. */ + CHECK(memcmp(&pubkey, zeros, sizeof(rustsecp256k1_v0_1_2_pubkey)) == 0); + /* rustsecp256k1_v0_1_2_ec_pubkey_combine tests. */ ecount = 0; pubkeys[0] = &pubkey_one; - VG_UNDEF(&pubkeys[0], sizeof(rustsecp256k1_v0_1_1_pubkey *)); - VG_UNDEF(&pubkeys[1], sizeof(rustsecp256k1_v0_1_1_pubkey *)); - VG_UNDEF(&pubkeys[2], sizeof(rustsecp256k1_v0_1_1_pubkey *)); - memset(&pubkey, 255, sizeof(rustsecp256k1_v0_1_1_pubkey)); - VG_UNDEF(&pubkey, sizeof(rustsecp256k1_v0_1_1_pubkey)); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0); - VG_CHECK(&pubkey, sizeof(rustsecp256k1_v0_1_1_pubkey)); - CHECK(memcmp(&pubkey, zeros, sizeof(rustsecp256k1_v0_1_1_pubkey)) == 0); + VG_UNDEF(&pubkeys[0], sizeof(rustsecp256k1_v0_1_2_pubkey *)); + VG_UNDEF(&pubkeys[1], sizeof(rustsecp256k1_v0_1_2_pubkey *)); + VG_UNDEF(&pubkeys[2], sizeof(rustsecp256k1_v0_1_2_pubkey *)); + memset(&pubkey, 255, sizeof(rustsecp256k1_v0_1_2_pubkey)); + VG_UNDEF(&pubkey, sizeof(rustsecp256k1_v0_1_2_pubkey)); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0); + VG_CHECK(&pubkey, sizeof(rustsecp256k1_v0_1_2_pubkey)); + CHECK(memcmp(&pubkey, zeros, sizeof(rustsecp256k1_v0_1_2_pubkey)) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0); - CHECK(memcmp(&pubkey, zeros, sizeof(rustsecp256k1_v0_1_1_pubkey)) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0); + CHECK(memcmp(&pubkey, zeros, sizeof(rustsecp256k1_v0_1_2_pubkey)) == 0); CHECK(ecount == 2); - memset(&pubkey, 255, sizeof(rustsecp256k1_v0_1_1_pubkey)); - VG_UNDEF(&pubkey, sizeof(rustsecp256k1_v0_1_1_pubkey)); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0); - VG_CHECK(&pubkey, sizeof(rustsecp256k1_v0_1_1_pubkey)); - CHECK(memcmp(&pubkey, zeros, sizeof(rustsecp256k1_v0_1_1_pubkey)) == 0); + memset(&pubkey, 255, sizeof(rustsecp256k1_v0_1_2_pubkey)); + VG_UNDEF(&pubkey, sizeof(rustsecp256k1_v0_1_2_pubkey)); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0); + VG_CHECK(&pubkey, sizeof(rustsecp256k1_v0_1_2_pubkey)); + CHECK(memcmp(&pubkey, zeros, sizeof(rustsecp256k1_v0_1_2_pubkey)) == 0); CHECK(ecount == 3); pubkeys[0] = &pubkey_negone; - memset(&pubkey, 255, sizeof(rustsecp256k1_v0_1_1_pubkey)); - VG_UNDEF(&pubkey, sizeof(rustsecp256k1_v0_1_1_pubkey)); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1); - VG_CHECK(&pubkey, sizeof(rustsecp256k1_v0_1_1_pubkey)); - CHECK(memcmp(&pubkey, zeros, sizeof(rustsecp256k1_v0_1_1_pubkey)) > 0); + memset(&pubkey, 255, sizeof(rustsecp256k1_v0_1_2_pubkey)); + VG_UNDEF(&pubkey, sizeof(rustsecp256k1_v0_1_2_pubkey)); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1); + VG_CHECK(&pubkey, sizeof(rustsecp256k1_v0_1_2_pubkey)); + CHECK(memcmp(&pubkey, zeros, sizeof(rustsecp256k1_v0_1_2_pubkey)) > 0); CHECK(ecount == 3); len = 33; - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1); CHECK(memcmp(ctmp, ctmp2, 33) == 0); /* Result is infinity. */ pubkeys[0] = &pubkey_one; pubkeys[1] = &pubkey_negone; - memset(&pubkey, 255, sizeof(rustsecp256k1_v0_1_1_pubkey)); - VG_UNDEF(&pubkey, sizeof(rustsecp256k1_v0_1_1_pubkey)); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0); - VG_CHECK(&pubkey, sizeof(rustsecp256k1_v0_1_1_pubkey)); - CHECK(memcmp(&pubkey, zeros, sizeof(rustsecp256k1_v0_1_1_pubkey)) == 0); + memset(&pubkey, 255, sizeof(rustsecp256k1_v0_1_2_pubkey)); + VG_UNDEF(&pubkey, sizeof(rustsecp256k1_v0_1_2_pubkey)); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0); + VG_CHECK(&pubkey, sizeof(rustsecp256k1_v0_1_2_pubkey)); + CHECK(memcmp(&pubkey, zeros, sizeof(rustsecp256k1_v0_1_2_pubkey)) == 0); CHECK(ecount == 3); /* Passes through infinity but comes out one. */ pubkeys[2] = &pubkey_one; - memset(&pubkey, 255, sizeof(rustsecp256k1_v0_1_1_pubkey)); - VG_UNDEF(&pubkey, sizeof(rustsecp256k1_v0_1_1_pubkey)); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1); - VG_CHECK(&pubkey, sizeof(rustsecp256k1_v0_1_1_pubkey)); - CHECK(memcmp(&pubkey, zeros, sizeof(rustsecp256k1_v0_1_1_pubkey)) > 0); + memset(&pubkey, 255, sizeof(rustsecp256k1_v0_1_2_pubkey)); + VG_UNDEF(&pubkey, sizeof(rustsecp256k1_v0_1_2_pubkey)); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1); + VG_CHECK(&pubkey, sizeof(rustsecp256k1_v0_1_2_pubkey)); + CHECK(memcmp(&pubkey, zeros, sizeof(rustsecp256k1_v0_1_2_pubkey)) > 0); CHECK(ecount == 3); len = 33; - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1); CHECK(memcmp(ctmp, ctmp2, 33) == 0); /* Adds to two. */ pubkeys[1] = &pubkey_one; - memset(&pubkey, 255, sizeof(rustsecp256k1_v0_1_1_pubkey)); - VG_UNDEF(&pubkey, sizeof(rustsecp256k1_v0_1_1_pubkey)); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1); - VG_CHECK(&pubkey, sizeof(rustsecp256k1_v0_1_1_pubkey)); - CHECK(memcmp(&pubkey, zeros, sizeof(rustsecp256k1_v0_1_1_pubkey)) > 0); + memset(&pubkey, 255, sizeof(rustsecp256k1_v0_1_2_pubkey)); + VG_UNDEF(&pubkey, sizeof(rustsecp256k1_v0_1_2_pubkey)); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1); + VG_CHECK(&pubkey, sizeof(rustsecp256k1_v0_1_2_pubkey)); + CHECK(memcmp(&pubkey, zeros, sizeof(rustsecp256k1_v0_1_2_pubkey)) > 0); CHECK(ecount == 3); - rustsecp256k1_v0_1_1_context_set_illegal_callback(ctx, NULL, NULL); + rustsecp256k1_v0_1_2_context_set_illegal_callback(ctx, NULL, NULL); } -void random_sign(rustsecp256k1_v0_1_1_scalar *sigr, rustsecp256k1_v0_1_1_scalar *sigs, const rustsecp256k1_v0_1_1_scalar *key, const rustsecp256k1_v0_1_1_scalar *msg, int *recid) { - rustsecp256k1_v0_1_1_scalar nonce; +void run_eckey_negate_test(void) { + unsigned char seckey[32]; + unsigned char seckey_tmp[32]; + + random_scalar_order_b32(seckey); + memcpy(seckey_tmp, seckey, 32); + + /* Verify negation changes the key and changes it back */ + CHECK(rustsecp256k1_v0_1_2_ec_seckey_negate(ctx, seckey) == 1); + CHECK(memcmp(seckey, seckey_tmp, 32) != 0); + CHECK(rustsecp256k1_v0_1_2_ec_seckey_negate(ctx, seckey) == 1); + CHECK(memcmp(seckey, seckey_tmp, 32) == 0); + + /* Check that privkey alias gives same result */ + CHECK(rustsecp256k1_v0_1_2_ec_seckey_negate(ctx, seckey) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_privkey_negate(ctx, seckey_tmp) == 1); + CHECK(memcmp(seckey, seckey_tmp, 32) == 0); + + /* Negating all 0s fails */ + memset(seckey, 0, 32); + memset(seckey_tmp, 0, 32); + CHECK(rustsecp256k1_v0_1_2_ec_seckey_negate(ctx, seckey) == 0); + /* Check that seckey is not modified */ + CHECK(memcmp(seckey, seckey_tmp, 32) == 0); + + /* Negating an overflowing seckey fails and the seckey is zeroed. In this + * test, the seckey has 16 random bytes to ensure that ec_seckey_negate + * doesn't just set seckey to a constant value in case of failure. */ + random_scalar_order_b32(seckey); + memset(seckey, 0xFF, 16); + memset(seckey_tmp, 0, 32); + CHECK(rustsecp256k1_v0_1_2_ec_seckey_negate(ctx, seckey) == 0); + CHECK(memcmp(seckey, seckey_tmp, 32) == 0); +} + +void random_sign(rustsecp256k1_v0_1_2_scalar *sigr, rustsecp256k1_v0_1_2_scalar *sigs, const rustsecp256k1_v0_1_2_scalar *key, const rustsecp256k1_v0_1_2_scalar *msg, int *recid) { + rustsecp256k1_v0_1_2_scalar nonce; do { random_scalar_order_test(&nonce); - } while(!rustsecp256k1_v0_1_1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid)); + } while(!rustsecp256k1_v0_1_2_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid)); } void test_ecdsa_sign_verify(void) { - rustsecp256k1_v0_1_1_gej pubj; - rustsecp256k1_v0_1_1_ge pub; - rustsecp256k1_v0_1_1_scalar one; - rustsecp256k1_v0_1_1_scalar msg, key; - rustsecp256k1_v0_1_1_scalar sigr, sigs; + rustsecp256k1_v0_1_2_gej pubj; + rustsecp256k1_v0_1_2_ge pub; + rustsecp256k1_v0_1_2_scalar one; + rustsecp256k1_v0_1_2_scalar msg, key; + rustsecp256k1_v0_1_2_scalar sigr, sigs; int recid; int getrec; random_scalar_order_test(&msg); random_scalar_order_test(&key); - rustsecp256k1_v0_1_1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key); - rustsecp256k1_v0_1_1_ge_set_gej(&pub, &pubj); - getrec = rustsecp256k1_v0_1_1_rand_bits(1); + rustsecp256k1_v0_1_2_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key); + rustsecp256k1_v0_1_2_ge_set_gej(&pub, &pubj); + getrec = rustsecp256k1_v0_1_2_rand_bits(1); random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL); if (getrec) { CHECK(recid >= 0 && recid < 4); } - CHECK(rustsecp256k1_v0_1_1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg)); - rustsecp256k1_v0_1_1_scalar_set_int(&one, 1); - rustsecp256k1_v0_1_1_scalar_add(&msg, &msg, &one); - CHECK(!rustsecp256k1_v0_1_1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg)); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg)); + rustsecp256k1_v0_1_2_scalar_set_int(&one, 1); + rustsecp256k1_v0_1_2_scalar_add(&msg, &msg, &one); + CHECK(!rustsecp256k1_v0_1_2_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg)); } void run_ecdsa_sign_verify(void) { @@ -4178,9 +4296,9 @@ static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5); } -int is_empty_signature(const rustsecp256k1_v0_1_1_ecdsa_signature *sig) { - static const unsigned char res[sizeof(rustsecp256k1_v0_1_1_ecdsa_signature)] = {0}; - return memcmp(sig, res, sizeof(rustsecp256k1_v0_1_1_ecdsa_signature)) == 0; +int is_empty_signature(const rustsecp256k1_v0_1_2_ecdsa_signature *sig) { + static const unsigned char res[sizeof(rustsecp256k1_v0_1_2_ecdsa_signature)] = {0}; + return memcmp(sig, res, sizeof(rustsecp256k1_v0_1_2_ecdsa_signature)) == 0; } void test_ecdsa_end_to_end(void) { @@ -4188,90 +4306,104 @@ void test_ecdsa_end_to_end(void) { unsigned char privkey[32]; unsigned char message[32]; unsigned char privkey2[32]; - rustsecp256k1_v0_1_1_ecdsa_signature signature[6]; - rustsecp256k1_v0_1_1_scalar r, s; + rustsecp256k1_v0_1_2_ecdsa_signature signature[6]; + rustsecp256k1_v0_1_2_scalar r, s; unsigned char sig[74]; size_t siglen = 74; unsigned char pubkeyc[65]; size_t pubkeyclen = 65; - rustsecp256k1_v0_1_1_pubkey pubkey; - rustsecp256k1_v0_1_1_pubkey pubkey_tmp; + rustsecp256k1_v0_1_2_pubkey pubkey; + rustsecp256k1_v0_1_2_pubkey pubkey_tmp; unsigned char seckey[300]; size_t seckeylen = 300; /* Generate a random key and message. */ { - rustsecp256k1_v0_1_1_scalar msg, key; + rustsecp256k1_v0_1_2_scalar msg, key; random_scalar_order_test(&msg); random_scalar_order_test(&key); - rustsecp256k1_v0_1_1_scalar_get_b32(privkey, &key); - rustsecp256k1_v0_1_1_scalar_get_b32(message, &msg); + rustsecp256k1_v0_1_2_scalar_get_b32(privkey, &key); + rustsecp256k1_v0_1_2_scalar_get_b32(message, &msg); } /* Construct and verify corresponding public key. */ - CHECK(rustsecp256k1_v0_1_1_ec_seckey_verify(ctx, privkey) == 1); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_create(ctx, &pubkey, privkey) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_seckey_verify(ctx, privkey) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_create(ctx, &pubkey, privkey) == 1); /* Verify exporting and importing public key. */ - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, rustsecp256k1_v0_1_1_rand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED)); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, rustsecp256k1_v0_1_2_rand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED)); memset(&pubkey, 0, sizeof(pubkey)); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1); /* Verify negation changes the key and changes it back */ memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey)); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_negate(ctx, &pubkey_tmp) == 1); CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_negate(ctx, &pubkey_tmp) == 1); CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0); /* Verify private key import and export. */ - CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, rustsecp256k1_v0_1_1_rand_bits(1) == 1)); + CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, rustsecp256k1_v0_1_2_rand_bits(1) == 1)); CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1); CHECK(memcmp(privkey, privkey2, 32) == 0); /* Optionally tweak the keys using addition. */ - if (rustsecp256k1_v0_1_1_rand_int(3) == 0) { + if (rustsecp256k1_v0_1_2_rand_int(3) == 0) { int ret1; int ret2; + int ret3; unsigned char rnd[32]; - rustsecp256k1_v0_1_1_pubkey pubkey2; - rustsecp256k1_v0_1_1_rand256_test(rnd); - ret1 = rustsecp256k1_v0_1_1_ec_privkey_tweak_add(ctx, privkey, rnd); - ret2 = rustsecp256k1_v0_1_1_ec_pubkey_tweak_add(ctx, &pubkey, rnd); + unsigned char privkey_tmp[32]; + rustsecp256k1_v0_1_2_pubkey pubkey2; + rustsecp256k1_v0_1_2_rand256_test(rnd); + memcpy(privkey_tmp, privkey, 32); + ret1 = rustsecp256k1_v0_1_2_ec_seckey_tweak_add(ctx, privkey, rnd); + ret2 = rustsecp256k1_v0_1_2_ec_pubkey_tweak_add(ctx, &pubkey, rnd); + /* Check that privkey alias gives same result */ + ret3 = rustsecp256k1_v0_1_2_ec_privkey_tweak_add(ctx, privkey_tmp, rnd); CHECK(ret1 == ret2); + CHECK(ret2 == ret3); if (ret1 == 0) { return; } - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1); + CHECK(memcmp(privkey, privkey_tmp, 32) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_create(ctx, &pubkey2, privkey) == 1); CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0); } /* Optionally tweak the keys using multiplication. */ - if (rustsecp256k1_v0_1_1_rand_int(3) == 0) { + if (rustsecp256k1_v0_1_2_rand_int(3) == 0) { int ret1; int ret2; + int ret3; unsigned char rnd[32]; - rustsecp256k1_v0_1_1_pubkey pubkey2; - rustsecp256k1_v0_1_1_rand256_test(rnd); - ret1 = rustsecp256k1_v0_1_1_ec_privkey_tweak_mul(ctx, privkey, rnd); - ret2 = rustsecp256k1_v0_1_1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd); + unsigned char privkey_tmp[32]; + rustsecp256k1_v0_1_2_pubkey pubkey2; + rustsecp256k1_v0_1_2_rand256_test(rnd); + memcpy(privkey_tmp, privkey, 32); + ret1 = rustsecp256k1_v0_1_2_ec_seckey_tweak_mul(ctx, privkey, rnd); + ret2 = rustsecp256k1_v0_1_2_ec_pubkey_tweak_mul(ctx, &pubkey, rnd); + /* Check that privkey alias gives same result */ + ret3 = rustsecp256k1_v0_1_2_ec_privkey_tweak_mul(ctx, privkey_tmp, rnd); CHECK(ret1 == ret2); + CHECK(ret2 == ret3); if (ret1 == 0) { return; } - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1); + CHECK(memcmp(privkey, privkey_tmp, 32) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_create(ctx, &pubkey2, privkey) == 1); CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0); } /* Sign. */ - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1); extra[31] = 1; - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1); extra[31] = 0; extra[0] = 1; - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1); CHECK(memcmp(&signature[0], &signature[4], sizeof(signature[0])) == 0); CHECK(memcmp(&signature[0], &signature[1], sizeof(signature[0])) != 0); CHECK(memcmp(&signature[0], &signature[2], sizeof(signature[0])) != 0); @@ -4280,71 +4412,71 @@ void test_ecdsa_end_to_end(void) { CHECK(memcmp(&signature[1], &signature[3], sizeof(signature[0])) != 0); CHECK(memcmp(&signature[2], &signature[3], sizeof(signature[0])) != 0); /* Verify. */ - CHECK(rustsecp256k1_v0_1_1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1); /* Test lower-S form, malleate, verify and fail, test again, malleate again */ - CHECK(!rustsecp256k1_v0_1_1_ecdsa_signature_normalize(ctx, NULL, &signature[0])); - rustsecp256k1_v0_1_1_ecdsa_signature_load(ctx, &r, &s, &signature[0]); - rustsecp256k1_v0_1_1_scalar_negate(&s, &s); - rustsecp256k1_v0_1_1_ecdsa_signature_save(&signature[5], &r, &s); - CHECK(rustsecp256k1_v0_1_1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0); - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_normalize(ctx, NULL, &signature[5])); - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5])); - CHECK(!rustsecp256k1_v0_1_1_ecdsa_signature_normalize(ctx, NULL, &signature[5])); - CHECK(!rustsecp256k1_v0_1_1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5])); - CHECK(rustsecp256k1_v0_1_1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1); - rustsecp256k1_v0_1_1_scalar_negate(&s, &s); - rustsecp256k1_v0_1_1_ecdsa_signature_save(&signature[5], &r, &s); - CHECK(!rustsecp256k1_v0_1_1_ecdsa_signature_normalize(ctx, NULL, &signature[5])); - CHECK(rustsecp256k1_v0_1_1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1); + CHECK(!rustsecp256k1_v0_1_2_ecdsa_signature_normalize(ctx, NULL, &signature[0])); + rustsecp256k1_v0_1_2_ecdsa_signature_load(ctx, &r, &s, &signature[0]); + rustsecp256k1_v0_1_2_scalar_negate(&s, &s); + rustsecp256k1_v0_1_2_ecdsa_signature_save(&signature[5], &r, &s); + CHECK(rustsecp256k1_v0_1_2_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_normalize(ctx, NULL, &signature[5])); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_normalize(ctx, &signature[5], &signature[5])); + CHECK(!rustsecp256k1_v0_1_2_ecdsa_signature_normalize(ctx, NULL, &signature[5])); + CHECK(!rustsecp256k1_v0_1_2_ecdsa_signature_normalize(ctx, &signature[5], &signature[5])); + CHECK(rustsecp256k1_v0_1_2_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1); + rustsecp256k1_v0_1_2_scalar_negate(&s, &s); + rustsecp256k1_v0_1_2_ecdsa_signature_save(&signature[5], &r, &s); + CHECK(!rustsecp256k1_v0_1_2_ecdsa_signature_normalize(ctx, NULL, &signature[5])); + CHECK(rustsecp256k1_v0_1_2_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1); CHECK(memcmp(&signature[5], &signature[0], 64) == 0); /* Serialize/parse DER and verify again */ - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1); memset(&signature[0], 0, sizeof(signature[0])); - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1); /* Serialize/destroy/parse DER and verify again. */ siglen = 74; - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1); - sig[rustsecp256k1_v0_1_1_rand_int(siglen)] += 1 + rustsecp256k1_v0_1_1_rand_int(255); - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 || - rustsecp256k1_v0_1_1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1); + sig[rustsecp256k1_v0_1_2_rand_int(siglen)] += 1 + rustsecp256k1_v0_1_2_rand_int(255); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 || + rustsecp256k1_v0_1_2_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0); } void test_random_pubkeys(void) { - rustsecp256k1_v0_1_1_ge elem; - rustsecp256k1_v0_1_1_ge elem2; + rustsecp256k1_v0_1_2_ge elem; + rustsecp256k1_v0_1_2_ge elem2; unsigned char in[65]; /* Generate some randomly sized pubkeys. */ - size_t len = rustsecp256k1_v0_1_1_rand_bits(2) == 0 ? 65 : 33; - if (rustsecp256k1_v0_1_1_rand_bits(2) == 0) { - len = rustsecp256k1_v0_1_1_rand_bits(6); + size_t len = rustsecp256k1_v0_1_2_rand_bits(2) == 0 ? 65 : 33; + if (rustsecp256k1_v0_1_2_rand_bits(2) == 0) { + len = rustsecp256k1_v0_1_2_rand_bits(6); } if (len == 65) { - in[0] = rustsecp256k1_v0_1_1_rand_bits(1) ? 4 : (rustsecp256k1_v0_1_1_rand_bits(1) ? 6 : 7); + in[0] = rustsecp256k1_v0_1_2_rand_bits(1) ? 4 : (rustsecp256k1_v0_1_2_rand_bits(1) ? 6 : 7); } else { - in[0] = rustsecp256k1_v0_1_1_rand_bits(1) ? 2 : 3; + in[0] = rustsecp256k1_v0_1_2_rand_bits(1) ? 2 : 3; } - if (rustsecp256k1_v0_1_1_rand_bits(3) == 0) { - in[0] = rustsecp256k1_v0_1_1_rand_bits(8); + if (rustsecp256k1_v0_1_2_rand_bits(3) == 0) { + in[0] = rustsecp256k1_v0_1_2_rand_bits(8); } if (len > 1) { - rustsecp256k1_v0_1_1_rand256(&in[1]); + rustsecp256k1_v0_1_2_rand256(&in[1]); } if (len > 33) { - rustsecp256k1_v0_1_1_rand256(&in[33]); + rustsecp256k1_v0_1_2_rand256(&in[33]); } - if (rustsecp256k1_v0_1_1_eckey_pubkey_parse(&elem, in, len)) { + if (rustsecp256k1_v0_1_2_eckey_pubkey_parse(&elem, in, len)) { unsigned char out[65]; unsigned char firstb; int res; size_t size = len; firstb = in[0]; /* If the pubkey can be parsed, it should round-trip... */ - CHECK(rustsecp256k1_v0_1_1_eckey_pubkey_serialize(&elem, out, &size, len == 33)); + CHECK(rustsecp256k1_v0_1_2_eckey_pubkey_serialize(&elem, out, &size, len == 33)); CHECK(size == len); CHECK(memcmp(&in[1], &out[1], len-1) == 0); /* ... except for the type of hybrid inputs. */ @@ -4352,13 +4484,13 @@ void test_random_pubkeys(void) { CHECK(in[0] == out[0]); } size = 65; - CHECK(rustsecp256k1_v0_1_1_eckey_pubkey_serialize(&elem, in, &size, 0)); + CHECK(rustsecp256k1_v0_1_2_eckey_pubkey_serialize(&elem, in, &size, 0)); CHECK(size == 65); - CHECK(rustsecp256k1_v0_1_1_eckey_pubkey_parse(&elem2, in, size)); + CHECK(rustsecp256k1_v0_1_2_eckey_pubkey_parse(&elem2, in, size)); ge_equals_ge(&elem,&elem2); /* Check that the X9.62 hybrid type is checked. */ - in[0] = rustsecp256k1_v0_1_1_rand_bits(1) ? 6 : 7; - res = rustsecp256k1_v0_1_1_eckey_pubkey_parse(&elem2, in, size); + in[0] = rustsecp256k1_v0_1_2_rand_bits(1) ? 6 : 7; + res = rustsecp256k1_v0_1_2_eckey_pubkey_parse(&elem2, in, size); if (firstb == 2 || firstb == 3) { if (in[0] == firstb + 4) { CHECK(res); @@ -4368,7 +4500,7 @@ void test_random_pubkeys(void) { } if (res) { ge_equals_ge(&elem,&elem2); - CHECK(rustsecp256k1_v0_1_1_eckey_pubkey_serialize(&elem, out, &size, 0)); + CHECK(rustsecp256k1_v0_1_2_eckey_pubkey_serialize(&elem, out, &size, 0)); CHECK(memcmp(&in[1], &out[1], 64) == 0); } } @@ -4401,13 +4533,13 @@ int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_ int ret = 0; - rustsecp256k1_v0_1_1_ecdsa_signature sig_der; + rustsecp256k1_v0_1_2_ecdsa_signature sig_der; unsigned char roundtrip_der[2048]; unsigned char compact_der[64]; size_t len_der = 2048; int parsed_der = 0, valid_der = 0, roundtrips_der = 0; - rustsecp256k1_v0_1_1_ecdsa_signature sig_der_lax; + rustsecp256k1_v0_1_2_ecdsa_signature sig_der_lax; unsigned char roundtrip_der_lax[2048]; unsigned char compact_der_lax[64]; size_t len_der_lax = 2048; @@ -4422,23 +4554,23 @@ int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_ int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0; #endif - parsed_der = rustsecp256k1_v0_1_1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen); + parsed_der = rustsecp256k1_v0_1_2_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen); if (parsed_der) { - ret |= (!rustsecp256k1_v0_1_1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0; + ret |= (!rustsecp256k1_v0_1_2_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0; valid_der = (memcmp(compact_der, zeroes, 32) != 0) && (memcmp(compact_der + 32, zeroes, 32) != 0); } if (valid_der) { - ret |= (!rustsecp256k1_v0_1_1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1; + ret |= (!rustsecp256k1_v0_1_2_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1; roundtrips_der = (len_der == siglen) && memcmp(roundtrip_der, sig, siglen) == 0; } - parsed_der_lax = rustsecp256k1_v0_1_1_ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen); + parsed_der_lax = rustsecp256k1_v0_1_2_ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen); if (parsed_der_lax) { - ret |= (!rustsecp256k1_v0_1_1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10; + ret |= (!rustsecp256k1_v0_1_2_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10; valid_der_lax = (memcmp(compact_der_lax, zeroes, 32) != 0) && (memcmp(compact_der_lax + 32, zeroes, 32) != 0); } if (valid_der_lax) { - ret |= (!rustsecp256k1_v0_1_1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11; + ret |= (!rustsecp256k1_v0_1_2_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11; roundtrips_der_lax = (len_der_lax == siglen) && memcmp(roundtrip_der_lax, sig, siglen) == 0; } @@ -4455,7 +4587,7 @@ int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_ if (valid_der) { ret |= (!roundtrips_der_lax) << 12; ret |= (len_der != len_der_lax) << 13; - ret |= (memcmp(roundtrip_der_lax, roundtrip_der, len_der) != 0) << 14; + ret |= ((len_der != len_der_lax) || (memcmp(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14; } ret |= (roundtrips_der != roundtrips_der_lax) << 15; if (parsed_der) { @@ -4496,7 +4628,7 @@ int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_ ret |= (roundtrips_der != roundtrips_openssl) << 7; if (roundtrips_openssl) { ret |= (len_der != (size_t)len_openssl) << 8; - ret |= (memcmp(roundtrip_der, roundtrip_openssl, len_der) != 0) << 9; + ret |= ((len_der != (size_t)len_openssl) || (memcmp(roundtrip_der, roundtrip_openssl, len_der) != 0)) << 9; } #endif return ret; @@ -4516,27 +4648,27 @@ static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) { static void damage_array(unsigned char *sig, size_t *len) { int pos; - int action = rustsecp256k1_v0_1_1_rand_bits(3); + int action = rustsecp256k1_v0_1_2_rand_bits(3); if (action < 1 && *len > 3) { /* Delete a byte. */ - pos = rustsecp256k1_v0_1_1_rand_int(*len); + pos = rustsecp256k1_v0_1_2_rand_int(*len); memmove(sig + pos, sig + pos + 1, *len - pos - 1); (*len)--; return; } else if (action < 2 && *len < 2048) { /* Insert a byte. */ - pos = rustsecp256k1_v0_1_1_rand_int(1 + *len); + pos = rustsecp256k1_v0_1_2_rand_int(1 + *len); memmove(sig + pos + 1, sig + pos, *len - pos); - sig[pos] = rustsecp256k1_v0_1_1_rand_bits(8); + sig[pos] = rustsecp256k1_v0_1_2_rand_bits(8); (*len)++; return; } else if (action < 4) { /* Modify a byte. */ - sig[rustsecp256k1_v0_1_1_rand_int(*len)] += 1 + rustsecp256k1_v0_1_1_rand_int(255); + sig[rustsecp256k1_v0_1_2_rand_int(*len)] += 1 + rustsecp256k1_v0_1_2_rand_int(255); return; } else { /* action < 8 */ /* Modify a bit. */ - sig[rustsecp256k1_v0_1_1_rand_int(*len)] ^= 1 << rustsecp256k1_v0_1_1_rand_bits(3); + sig[rustsecp256k1_v0_1_2_rand_int(*len)] ^= 1 << rustsecp256k1_v0_1_2_rand_bits(3); return; } } @@ -4549,23 +4681,23 @@ static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly int n; *len = 0; - der = rustsecp256k1_v0_1_1_rand_bits(2) == 0; + der = rustsecp256k1_v0_1_2_rand_bits(2) == 0; *certainly_der = der; *certainly_not_der = 0; - indet = der ? 0 : rustsecp256k1_v0_1_1_rand_int(10) == 0; + indet = der ? 0 : rustsecp256k1_v0_1_2_rand_int(10) == 0; for (n = 0; n < 2; n++) { /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */ - nlow[n] = der ? 1 : (rustsecp256k1_v0_1_1_rand_bits(3) != 0); + nlow[n] = der ? 1 : (rustsecp256k1_v0_1_2_rand_bits(3) != 0); /* The length of the number in bytes (the first byte of which will always be nonzero) */ - nlen[n] = nlow[n] ? rustsecp256k1_v0_1_1_rand_int(33) : 32 + rustsecp256k1_v0_1_1_rand_int(200) * rustsecp256k1_v0_1_1_rand_int(8) / 8; + nlen[n] = nlow[n] ? rustsecp256k1_v0_1_2_rand_int(33) : 32 + rustsecp256k1_v0_1_2_rand_int(200) * rustsecp256k1_v0_1_2_rand_int(8) / 8; CHECK(nlen[n] <= 232); /* The top bit of the number. */ - nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : rustsecp256k1_v0_1_1_rand_bits(1)); + nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : rustsecp256k1_v0_1_2_rand_bits(1)); /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */ - nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + rustsecp256k1_v0_1_1_rand_bits(7) : 1 + rustsecp256k1_v0_1_1_rand_int(127)); + nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + rustsecp256k1_v0_1_2_rand_bits(7) : 1 + rustsecp256k1_v0_1_2_rand_int(127)); /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */ - nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? rustsecp256k1_v0_1_1_rand_int(3) : rustsecp256k1_v0_1_1_rand_int(300 - nlen[n]) * rustsecp256k1_v0_1_1_rand_int(8) / 8); + nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? rustsecp256k1_v0_1_2_rand_int(3) : rustsecp256k1_v0_1_2_rand_int(300 - nlen[n]) * rustsecp256k1_v0_1_2_rand_int(8) / 8); if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) { *certainly_not_der = 1; } @@ -4574,7 +4706,7 @@ static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2); if (!der) { /* nlenlen[n] max 127 bytes */ - int add = rustsecp256k1_v0_1_1_rand_int(127 - nlenlen[n]) * rustsecp256k1_v0_1_1_rand_int(16) * rustsecp256k1_v0_1_1_rand_int(16) / 256; + int add = rustsecp256k1_v0_1_2_rand_int(127 - nlenlen[n]) * rustsecp256k1_v0_1_2_rand_int(16) * rustsecp256k1_v0_1_2_rand_int(16) / 256; nlenlen[n] += add; if (add != 0) { *certainly_not_der = 1; @@ -4588,7 +4720,7 @@ static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly CHECK(tlen <= 856); /* The length of the garbage inside the tuple. */ - elen = (der || indet) ? 0 : rustsecp256k1_v0_1_1_rand_int(980 - tlen) * rustsecp256k1_v0_1_1_rand_int(8) / 8; + elen = (der || indet) ? 0 : rustsecp256k1_v0_1_2_rand_int(980 - tlen) * rustsecp256k1_v0_1_2_rand_int(8) / 8; if (elen != 0) { *certainly_not_der = 1; } @@ -4596,7 +4728,7 @@ static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly CHECK(tlen <= 980); /* The length of the garbage after the end of the tuple. */ - glen = der ? 0 : rustsecp256k1_v0_1_1_rand_int(990 - tlen) * rustsecp256k1_v0_1_1_rand_int(8) / 8; + glen = der ? 0 : rustsecp256k1_v0_1_2_rand_int(990 - tlen) * rustsecp256k1_v0_1_2_rand_int(8) / 8; if (glen != 0) { *certainly_not_der = 1; } @@ -4611,7 +4743,7 @@ static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly } else { int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2); if (!der) { - int add = rustsecp256k1_v0_1_1_rand_int(127 - tlenlen) * rustsecp256k1_v0_1_1_rand_int(16) * rustsecp256k1_v0_1_1_rand_int(16) / 256; + int add = rustsecp256k1_v0_1_2_rand_int(127 - tlenlen) * rustsecp256k1_v0_1_2_rand_int(16) * rustsecp256k1_v0_1_2_rand_int(16) / 256; tlenlen += add; if (add != 0) { *certainly_not_der = 1; @@ -4662,13 +4794,13 @@ static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly nlen[n]--; } /* Generate remaining random bytes of number */ - rustsecp256k1_v0_1_1_rand_bytes_test(sig + *len, nlen[n]); + rustsecp256k1_v0_1_2_rand_bytes_test(sig + *len, nlen[n]); *len += nlen[n]; nlen[n] = 0; } /* Generate random garbage inside tuple. */ - rustsecp256k1_v0_1_1_rand_bytes_test(sig + *len, elen); + rustsecp256k1_v0_1_2_rand_bytes_test(sig + *len, elen); *len += elen; /* Generate end-of-contents bytes. */ @@ -4680,7 +4812,7 @@ static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly CHECK(tlen + glen <= 1121); /* Generate random garbage outside tuple. */ - rustsecp256k1_v0_1_1_rand_bytes_test(sig + *len, glen); + rustsecp256k1_v0_1_2_rand_bytes_test(sig + *len, glen); *len += glen; tlen += glen; CHECK(tlen <= 1121); @@ -4721,22 +4853,22 @@ void run_ecdsa_der_parse(void) { /* Tests several edge cases. */ void test_ecdsa_edge_cases(void) { int t; - rustsecp256k1_v0_1_1_ecdsa_signature sig; + rustsecp256k1_v0_1_2_ecdsa_signature sig; /* Test the case where ECDSA recomputes a point that is infinity. */ { - rustsecp256k1_v0_1_1_gej keyj; - rustsecp256k1_v0_1_1_ge key; - rustsecp256k1_v0_1_1_scalar msg; - rustsecp256k1_v0_1_1_scalar sr, ss; - rustsecp256k1_v0_1_1_scalar_set_int(&ss, 1); - rustsecp256k1_v0_1_1_scalar_negate(&ss, &ss); - rustsecp256k1_v0_1_1_scalar_inverse(&ss, &ss); - rustsecp256k1_v0_1_1_scalar_set_int(&sr, 1); - rustsecp256k1_v0_1_1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr); - rustsecp256k1_v0_1_1_ge_set_gej(&key, &keyj); + rustsecp256k1_v0_1_2_gej keyj; + rustsecp256k1_v0_1_2_ge key; + rustsecp256k1_v0_1_2_scalar msg; + rustsecp256k1_v0_1_2_scalar sr, ss; + rustsecp256k1_v0_1_2_scalar_set_int(&ss, 1); + rustsecp256k1_v0_1_2_scalar_negate(&ss, &ss); + rustsecp256k1_v0_1_2_scalar_inverse(&ss, &ss); + rustsecp256k1_v0_1_2_scalar_set_int(&sr, 1); + rustsecp256k1_v0_1_2_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr); + rustsecp256k1_v0_1_2_ge_set_gej(&key, &keyj); msg = ss; - CHECK(rustsecp256k1_v0_1_1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); } /* Verify signature with r of zero fails. */ @@ -4748,14 +4880,14 @@ void test_ecdsa_edge_cases(void) { 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41 }; - rustsecp256k1_v0_1_1_ge key; - rustsecp256k1_v0_1_1_scalar msg; - rustsecp256k1_v0_1_1_scalar sr, ss; - rustsecp256k1_v0_1_1_scalar_set_int(&ss, 1); - rustsecp256k1_v0_1_1_scalar_set_int(&msg, 0); - rustsecp256k1_v0_1_1_scalar_set_int(&sr, 0); - CHECK(rustsecp256k1_v0_1_1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33)); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); + rustsecp256k1_v0_1_2_ge key; + rustsecp256k1_v0_1_2_scalar msg; + rustsecp256k1_v0_1_2_scalar sr, ss; + rustsecp256k1_v0_1_2_scalar_set_int(&ss, 1); + rustsecp256k1_v0_1_2_scalar_set_int(&msg, 0); + rustsecp256k1_v0_1_2_scalar_set_int(&sr, 0); + CHECK(rustsecp256k1_v0_1_2_eckey_pubkey_parse(&key, pubkey_mods_zero, 33)); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); } /* Verify signature with s of zero fails. */ @@ -4767,14 +4899,14 @@ void test_ecdsa_edge_cases(void) { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01 }; - rustsecp256k1_v0_1_1_ge key; - rustsecp256k1_v0_1_1_scalar msg; - rustsecp256k1_v0_1_1_scalar sr, ss; - rustsecp256k1_v0_1_1_scalar_set_int(&ss, 0); - rustsecp256k1_v0_1_1_scalar_set_int(&msg, 0); - rustsecp256k1_v0_1_1_scalar_set_int(&sr, 1); - CHECK(rustsecp256k1_v0_1_1_eckey_pubkey_parse(&key, pubkey, 33)); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); + rustsecp256k1_v0_1_2_ge key; + rustsecp256k1_v0_1_2_scalar msg; + rustsecp256k1_v0_1_2_scalar sr, ss; + rustsecp256k1_v0_1_2_scalar_set_int(&ss, 0); + rustsecp256k1_v0_1_2_scalar_set_int(&msg, 0); + rustsecp256k1_v0_1_2_scalar_set_int(&sr, 1); + CHECK(rustsecp256k1_v0_1_2_eckey_pubkey_parse(&key, pubkey, 33)); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); } /* Verify signature with message 0 passes. */ @@ -4793,23 +4925,23 @@ void test_ecdsa_edge_cases(void) { 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x43 }; - rustsecp256k1_v0_1_1_ge key; - rustsecp256k1_v0_1_1_ge key2; - rustsecp256k1_v0_1_1_scalar msg; - rustsecp256k1_v0_1_1_scalar sr, ss; - rustsecp256k1_v0_1_1_scalar_set_int(&ss, 2); - rustsecp256k1_v0_1_1_scalar_set_int(&msg, 0); - rustsecp256k1_v0_1_1_scalar_set_int(&sr, 2); - CHECK(rustsecp256k1_v0_1_1_eckey_pubkey_parse(&key, pubkey, 33)); - CHECK(rustsecp256k1_v0_1_1_eckey_pubkey_parse(&key2, pubkey2, 33)); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1); - rustsecp256k1_v0_1_1_scalar_negate(&ss, &ss); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1); - rustsecp256k1_v0_1_1_scalar_set_int(&ss, 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0); + rustsecp256k1_v0_1_2_ge key; + rustsecp256k1_v0_1_2_ge key2; + rustsecp256k1_v0_1_2_scalar msg; + rustsecp256k1_v0_1_2_scalar sr, ss; + rustsecp256k1_v0_1_2_scalar_set_int(&ss, 2); + rustsecp256k1_v0_1_2_scalar_set_int(&msg, 0); + rustsecp256k1_v0_1_2_scalar_set_int(&sr, 2); + CHECK(rustsecp256k1_v0_1_2_eckey_pubkey_parse(&key, pubkey, 33)); + CHECK(rustsecp256k1_v0_1_2_eckey_pubkey_parse(&key2, pubkey2, 33)); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1); + rustsecp256k1_v0_1_2_scalar_negate(&ss, &ss); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1); + rustsecp256k1_v0_1_2_scalar_set_int(&ss, 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0); } /* Verify signature with message 1 passes. */ @@ -4834,24 +4966,24 @@ void test_ecdsa_edge_cases(void) { 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4, 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb }; - rustsecp256k1_v0_1_1_ge key; - rustsecp256k1_v0_1_1_ge key2; - rustsecp256k1_v0_1_1_scalar msg; - rustsecp256k1_v0_1_1_scalar sr, ss; - rustsecp256k1_v0_1_1_scalar_set_int(&ss, 1); - rustsecp256k1_v0_1_1_scalar_set_int(&msg, 1); - rustsecp256k1_v0_1_1_scalar_set_b32(&sr, csr, NULL); - CHECK(rustsecp256k1_v0_1_1_eckey_pubkey_parse(&key, pubkey, 33)); - CHECK(rustsecp256k1_v0_1_1_eckey_pubkey_parse(&key2, pubkey2, 33)); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1); - rustsecp256k1_v0_1_1_scalar_negate(&ss, &ss); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1); - rustsecp256k1_v0_1_1_scalar_set_int(&ss, 2); - rustsecp256k1_v0_1_1_scalar_inverse_var(&ss, &ss); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0); + rustsecp256k1_v0_1_2_ge key; + rustsecp256k1_v0_1_2_ge key2; + rustsecp256k1_v0_1_2_scalar msg; + rustsecp256k1_v0_1_2_scalar sr, ss; + rustsecp256k1_v0_1_2_scalar_set_int(&ss, 1); + rustsecp256k1_v0_1_2_scalar_set_int(&msg, 1); + rustsecp256k1_v0_1_2_scalar_set_b32(&sr, csr, NULL); + CHECK(rustsecp256k1_v0_1_2_eckey_pubkey_parse(&key, pubkey, 33)); + CHECK(rustsecp256k1_v0_1_2_eckey_pubkey_parse(&key2, pubkey2, 33)); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1); + rustsecp256k1_v0_1_2_scalar_negate(&ss, &ss); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1); + rustsecp256k1_v0_1_2_scalar_set_int(&ss, 2); + rustsecp256k1_v0_1_2_scalar_inverse_var(&ss, &ss); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0); } /* Verify signature with message -1 passes. */ @@ -4869,25 +5001,25 @@ void test_ecdsa_edge_cases(void) { 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4, 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee }; - rustsecp256k1_v0_1_1_ge key; - rustsecp256k1_v0_1_1_scalar msg; - rustsecp256k1_v0_1_1_scalar sr, ss; - rustsecp256k1_v0_1_1_scalar_set_int(&ss, 1); - rustsecp256k1_v0_1_1_scalar_set_int(&msg, 1); - rustsecp256k1_v0_1_1_scalar_negate(&msg, &msg); - rustsecp256k1_v0_1_1_scalar_set_b32(&sr, csr, NULL); - CHECK(rustsecp256k1_v0_1_1_eckey_pubkey_parse(&key, pubkey, 33)); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1); - rustsecp256k1_v0_1_1_scalar_negate(&ss, &ss); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1); - rustsecp256k1_v0_1_1_scalar_set_int(&ss, 3); - rustsecp256k1_v0_1_1_scalar_inverse_var(&ss, &ss); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); + rustsecp256k1_v0_1_2_ge key; + rustsecp256k1_v0_1_2_scalar msg; + rustsecp256k1_v0_1_2_scalar sr, ss; + rustsecp256k1_v0_1_2_scalar_set_int(&ss, 1); + rustsecp256k1_v0_1_2_scalar_set_int(&msg, 1); + rustsecp256k1_v0_1_2_scalar_negate(&msg, &msg); + rustsecp256k1_v0_1_2_scalar_set_b32(&sr, csr, NULL); + CHECK(rustsecp256k1_v0_1_2_eckey_pubkey_parse(&key, pubkey, 33)); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1); + rustsecp256k1_v0_1_2_scalar_negate(&ss, &ss); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1); + rustsecp256k1_v0_1_2_scalar_set_int(&ss, 3); + rustsecp256k1_v0_1_2_scalar_inverse_var(&ss, &ss); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0); } /* Signature where s would be zero. */ { - rustsecp256k1_v0_1_1_pubkey pubkey; + rustsecp256k1_v0_1_2_pubkey pubkey; size_t siglen; int32_t ecount; unsigned char signature[72]; @@ -4916,71 +5048,71 @@ void test_ecdsa_edge_cases(void) { 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9, }; ecount = 0; - rustsecp256k1_v0_1_1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0); + rustsecp256k1_v0_1_2_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0); msg[31] = 0xaa; - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1); CHECK(ecount == 0); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_create(ctx, &pubkey, key) == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_create(ctx, &pubkey, key) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1_v0_1_1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0); CHECK(ecount == 5); - CHECK(rustsecp256k1_v0_1_1_ecdsa_verify(ctx, &sig, msg, NULL) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_verify(ctx, &sig, msg, NULL) == 0); CHECK(ecount == 6); - CHECK(rustsecp256k1_v0_1_1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1); CHECK(ecount == 6); - CHECK(rustsecp256k1_v0_1_1_ec_pubkey_create(ctx, &pubkey, NULL) == 0); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_create(ctx, &pubkey, NULL) == 0); CHECK(ecount == 7); /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */ - CHECK(rustsecp256k1_v0_1_1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0); CHECK(ecount == 8); siglen = 72; - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0); CHECK(ecount == 9); - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0); CHECK(ecount == 10); - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0); CHECK(ecount == 11); - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1); CHECK(ecount == 11); - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0); CHECK(ecount == 12); - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0); CHECK(ecount == 13); - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1); CHECK(ecount == 13); siglen = 10; /* Too little room for a signature does not fail via ARGCHECK. */ - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0); CHECK(ecount == 13); ecount = 0; - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_normalize(ctx, NULL, NULL) == 0); CHECK(ecount == 1); - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0); CHECK(ecount == 2); - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0); CHECK(ecount == 3); - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1); CHECK(ecount == 3); - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0); CHECK(ecount == 4); - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0); CHECK(ecount == 5); - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1); CHECK(ecount == 5); memset(signature, 255, 64); - CHECK(rustsecp256k1_v0_1_1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0); CHECK(ecount == 5); - rustsecp256k1_v0_1_1_context_set_illegal_callback(ctx, NULL, NULL); + rustsecp256k1_v0_1_2_context_set_illegal_callback(ctx, NULL, NULL); } /* Nonce function corner cases. */ @@ -4989,43 +5121,43 @@ void test_ecdsa_edge_cases(void) { int i; unsigned char key[32]; unsigned char msg[32]; - rustsecp256k1_v0_1_1_ecdsa_signature sig2; - rustsecp256k1_v0_1_1_scalar sr[512], ss; + rustsecp256k1_v0_1_2_ecdsa_signature sig2; + rustsecp256k1_v0_1_2_scalar sr[512], ss; const unsigned char *extra; extra = t == 0 ? NULL : zero; memset(msg, 0, 32); msg[31] = 1; /* High key results in signature failure. */ memset(key, 0xFF, 32); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0); CHECK(is_empty_signature(&sig)); /* Zero key results in signature failure. */ memset(key, 0, 32); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0); CHECK(is_empty_signature(&sig)); /* Nonce function failure results in signature failure. */ key[31] = 1; - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0); CHECK(is_empty_signature(&sig)); /* The retry loop successfully makes its way to the first good value. */ - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1); CHECK(!is_empty_signature(&sig)); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1); CHECK(!is_empty_signature(&sig2)); CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0); /* The default nonce function is deterministic. */ - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1); CHECK(!is_empty_signature(&sig2)); CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0); /* The default nonce function changes output with different messages. */ for(i = 0; i < 256; i++) { int j; msg[0] = i; - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1); CHECK(!is_empty_signature(&sig2)); - rustsecp256k1_v0_1_1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2); + rustsecp256k1_v0_1_2_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2); for (j = 0; j < i; j++) { - CHECK(!rustsecp256k1_v0_1_1_scalar_eq(&sr[i], &sr[j])); + CHECK(!rustsecp256k1_v0_1_2_scalar_eq(&sr[i], &sr[j])); } } msg[0] = 0; @@ -5034,11 +5166,11 @@ void test_ecdsa_edge_cases(void) { for(i = 256; i < 512; i++) { int j; key[0] = i - 256; - CHECK(rustsecp256k1_v0_1_1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1); CHECK(!is_empty_signature(&sig2)); - rustsecp256k1_v0_1_1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2); + rustsecp256k1_v0_1_2_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2); for (j = 0; j < i; j++) { - CHECK(!rustsecp256k1_v0_1_1_scalar_eq(&sr[i], &sr[j])); + CHECK(!rustsecp256k1_v0_1_2_scalar_eq(&sr[i], &sr[j])); } } key[0] = 0; @@ -5097,7 +5229,7 @@ EC_KEY *get_openssl_key(const unsigned char *key32) { unsigned char privkey[300]; size_t privkeylen; const unsigned char* pbegin = privkey; - int compr = rustsecp256k1_v0_1_1_rand_bits(1); + int compr = rustsecp256k1_v0_1_2_rand_bits(1); EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1); CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr)); CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen)); @@ -5106,35 +5238,35 @@ EC_KEY *get_openssl_key(const unsigned char *key32) { } void test_ecdsa_openssl(void) { - rustsecp256k1_v0_1_1_gej qj; - rustsecp256k1_v0_1_1_ge q; - rustsecp256k1_v0_1_1_scalar sigr, sigs; - rustsecp256k1_v0_1_1_scalar one; - rustsecp256k1_v0_1_1_scalar msg2; - rustsecp256k1_v0_1_1_scalar key, msg; + rustsecp256k1_v0_1_2_gej qj; + rustsecp256k1_v0_1_2_ge q; + rustsecp256k1_v0_1_2_scalar sigr, sigs; + rustsecp256k1_v0_1_2_scalar one; + rustsecp256k1_v0_1_2_scalar msg2; + rustsecp256k1_v0_1_2_scalar key, msg; EC_KEY *ec_key; unsigned int sigsize = 80; size_t secp_sigsize = 80; unsigned char message[32]; unsigned char signature[80]; unsigned char key32[32]; - rustsecp256k1_v0_1_1_rand256_test(message); - rustsecp256k1_v0_1_1_scalar_set_b32(&msg, message, NULL); + rustsecp256k1_v0_1_2_rand256_test(message); + rustsecp256k1_v0_1_2_scalar_set_b32(&msg, message, NULL); random_scalar_order_test(&key); - rustsecp256k1_v0_1_1_scalar_get_b32(key32, &key); - rustsecp256k1_v0_1_1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key); - rustsecp256k1_v0_1_1_ge_set_gej(&q, &qj); + rustsecp256k1_v0_1_2_scalar_get_b32(key32, &key); + rustsecp256k1_v0_1_2_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key); + rustsecp256k1_v0_1_2_ge_set_gej(&q, &qj); ec_key = get_openssl_key(key32); CHECK(ec_key != NULL); CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key)); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize)); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg)); - rustsecp256k1_v0_1_1_scalar_set_int(&one, 1); - rustsecp256k1_v0_1_1_scalar_add(&msg2, &msg, &one); - CHECK(!rustsecp256k1_v0_1_1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2)); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize)); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg)); + rustsecp256k1_v0_1_2_scalar_set_int(&one, 1); + rustsecp256k1_v0_1_2_scalar_add(&msg2, &msg, &one); + CHECK(!rustsecp256k1_v0_1_2_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2)); random_sign(&sigr, &sigs, &key, &msg, NULL); - CHECK(rustsecp256k1_v0_1_1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs)); + CHECK(rustsecp256k1_v0_1_2_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs)); CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1); EC_KEY_free(ec_key); @@ -5156,9 +5288,33 @@ void run_ecdsa_openssl(void) { # include "modules/recovery/tests_impl.h" #endif +void run_memczero_test(void) { + unsigned char buf1[6] = {1, 2, 3, 4, 5, 6}; + unsigned char buf2[sizeof(buf1)]; + + /* memczero(..., ..., 0) is a noop. */ + memcpy(buf2, buf1, sizeof(buf1)); + memczero(buf1, sizeof(buf1), 0); + CHECK(memcmp(buf1, buf2, sizeof(buf1)) == 0); + + /* memczero(..., ..., 1) zeros the buffer. */ + memset(buf2, 0, sizeof(buf2)); + memczero(buf1, sizeof(buf1) , 1); + CHECK(memcmp(buf1, buf2, sizeof(buf1)) == 0); +} + int main(int argc, char **argv) { unsigned char seed16[16] = {0}; unsigned char run32[32] = {0}; + + /* Disable buffering for stdout to improve reliability of getting + * diagnostic information. Happens right at the start of main because + * setbuf must be used before any other operation on the stream. */ + setbuf(stdout, NULL); + /* Also disable buffering for stderr because it's not guaranteed that it's + * unbuffered on all systems. */ + setbuf(stderr, NULL); + /* find iteration count */ if (argc > 1) { count = strtol(argv[1], NULL, 0); @@ -5170,7 +5326,7 @@ int main(int argc, char **argv) { const char* ch = argv[2]; while (pos < 16 && ch[0] != 0 && ch[1] != 0) { unsigned short sh; - if (sscanf(ch, "%2hx", &sh)) { + if ((sscanf(ch, "%2hx", &sh)) == 1) { seed16[pos] = sh; } else { break; @@ -5196,7 +5352,7 @@ int main(int argc, char **argv) { fclose(frand); } } - rustsecp256k1_v0_1_1_rand_seed(seed16); + rustsecp256k1_v0_1_2_rand_seed(seed16); printf("test count = %i\n", count); printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]); @@ -5205,10 +5361,10 @@ int main(int argc, char **argv) { run_context_tests(0); run_context_tests(1); run_scratch_tests(); - ctx = rustsecp256k1_v0_1_1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); - if (rustsecp256k1_v0_1_1_rand_bits(1)) { - rustsecp256k1_v0_1_1_rand256(run32); - CHECK(rustsecp256k1_v0_1_1_context_randomize(ctx, rustsecp256k1_v0_1_1_rand_bits(1) ? run32 : NULL)); + ctx = rustsecp256k1_v0_1_2_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); + if (rustsecp256k1_v0_1_2_rand_bits(1)) { + rustsecp256k1_v0_1_2_rand256(run32); + CHECK(rustsecp256k1_v0_1_2_context_randomize(ctx, rustsecp256k1_v0_1_2_rand_bits(1) ? run32 : NULL)); } run_rand_bits(); @@ -5260,6 +5416,9 @@ int main(int argc, char **argv) { /* EC key edge cases */ run_eckey_edge_case_test(); + /* EC key arithmetic test */ + run_eckey_negate_test(); + #ifdef ENABLE_MODULE_ECDH /* ecdh tests */ run_ecdh_tests(); @@ -5280,11 +5439,14 @@ int main(int argc, char **argv) { run_recovery_tests(); #endif - rustsecp256k1_v0_1_1_rand256(run32); + /* util tests */ + run_memczero_test(); + + rustsecp256k1_v0_1_2_rand256(run32); printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]); /* shutdown */ - rustsecp256k1_v0_1_1_context_destroy(ctx); + rustsecp256k1_v0_1_2_context_destroy(ctx); printf("no problems found\n"); return 0; diff --git a/secp256k1-sys/depend/secp256k1/src/tests_exhaustive.c b/secp256k1-sys/depend/secp256k1/src/tests_exhaustive.c index 3b0e6d256..7223a7350 100644 --- a/secp256k1-sys/depend/secp256k1/src/tests_exhaustive.c +++ b/secp256k1-sys/depend/secp256k1/src/tests_exhaustive.c @@ -32,47 +32,47 @@ #endif /** stolen from tests.c */ -void ge_equals_ge(const rustsecp256k1_v0_1_1_ge *a, const rustsecp256k1_v0_1_1_ge *b) { +void ge_equals_ge(const rustsecp256k1_v0_1_2_ge *a, const rustsecp256k1_v0_1_2_ge *b) { CHECK(a->infinity == b->infinity); if (a->infinity) { return; } - CHECK(rustsecp256k1_v0_1_1_fe_equal_var(&a->x, &b->x)); - CHECK(rustsecp256k1_v0_1_1_fe_equal_var(&a->y, &b->y)); + CHECK(rustsecp256k1_v0_1_2_fe_equal_var(&a->x, &b->x)); + CHECK(rustsecp256k1_v0_1_2_fe_equal_var(&a->y, &b->y)); } -void ge_equals_gej(const rustsecp256k1_v0_1_1_ge *a, const rustsecp256k1_v0_1_1_gej *b) { - rustsecp256k1_v0_1_1_fe z2s; - rustsecp256k1_v0_1_1_fe u1, u2, s1, s2; +void ge_equals_gej(const rustsecp256k1_v0_1_2_ge *a, const rustsecp256k1_v0_1_2_gej *b) { + rustsecp256k1_v0_1_2_fe z2s; + rustsecp256k1_v0_1_2_fe u1, u2, s1, s2; CHECK(a->infinity == b->infinity); if (a->infinity) { return; } /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */ - rustsecp256k1_v0_1_1_fe_sqr(&z2s, &b->z); - rustsecp256k1_v0_1_1_fe_mul(&u1, &a->x, &z2s); - u2 = b->x; rustsecp256k1_v0_1_1_fe_normalize_weak(&u2); - rustsecp256k1_v0_1_1_fe_mul(&s1, &a->y, &z2s); rustsecp256k1_v0_1_1_fe_mul(&s1, &s1, &b->z); - s2 = b->y; rustsecp256k1_v0_1_1_fe_normalize_weak(&s2); - CHECK(rustsecp256k1_v0_1_1_fe_equal_var(&u1, &u2)); - CHECK(rustsecp256k1_v0_1_1_fe_equal_var(&s1, &s2)); + rustsecp256k1_v0_1_2_fe_sqr(&z2s, &b->z); + rustsecp256k1_v0_1_2_fe_mul(&u1, &a->x, &z2s); + u2 = b->x; rustsecp256k1_v0_1_2_fe_normalize_weak(&u2); + rustsecp256k1_v0_1_2_fe_mul(&s1, &a->y, &z2s); rustsecp256k1_v0_1_2_fe_mul(&s1, &s1, &b->z); + s2 = b->y; rustsecp256k1_v0_1_2_fe_normalize_weak(&s2); + CHECK(rustsecp256k1_v0_1_2_fe_equal_var(&u1, &u2)); + CHECK(rustsecp256k1_v0_1_2_fe_equal_var(&s1, &s2)); } -void random_fe(rustsecp256k1_v0_1_1_fe *x) { +void random_fe(rustsecp256k1_v0_1_2_fe *x) { unsigned char bin[32]; do { - rustsecp256k1_v0_1_1_rand256(bin); - if (rustsecp256k1_v0_1_1_fe_set_b32(x, bin)) { + rustsecp256k1_v0_1_2_rand256(bin); + if (rustsecp256k1_v0_1_2_fe_set_b32(x, bin)) { return; } } while(1); } /** END stolen from tests.c */ -int rustsecp256k1_v0_1_1_nonce_function_smallint(unsigned char *nonce32, const unsigned char *msg32, +int rustsecp256k1_v0_1_2_nonce_function_smallint(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int attempt) { - rustsecp256k1_v0_1_1_scalar s; + rustsecp256k1_v0_1_2_scalar s; int *idata = data; (void)msg32; (void)key32; @@ -84,97 +84,97 @@ int rustsecp256k1_v0_1_1_nonce_function_smallint(unsigned char *nonce32, const u if (attempt > 0) { *idata = (*idata + 1) % EXHAUSTIVE_TEST_ORDER; } - rustsecp256k1_v0_1_1_scalar_set_int(&s, *idata); - rustsecp256k1_v0_1_1_scalar_get_b32(nonce32, &s); + rustsecp256k1_v0_1_2_scalar_set_int(&s, *idata); + rustsecp256k1_v0_1_2_scalar_get_b32(nonce32, &s); return 1; } #ifdef USE_ENDOMORPHISM -void test_exhaustive_endomorphism(const rustsecp256k1_v0_1_1_ge *group, int order) { +void test_exhaustive_endomorphism(const rustsecp256k1_v0_1_2_ge *group, int order) { int i; for (i = 0; i < order; i++) { - rustsecp256k1_v0_1_1_ge res; - rustsecp256k1_v0_1_1_ge_mul_lambda(&res, &group[i]); + rustsecp256k1_v0_1_2_ge res; + rustsecp256k1_v0_1_2_ge_mul_lambda(&res, &group[i]); ge_equals_ge(&group[i * EXHAUSTIVE_TEST_LAMBDA % EXHAUSTIVE_TEST_ORDER], &res); } } #endif -void test_exhaustive_addition(const rustsecp256k1_v0_1_1_ge *group, const rustsecp256k1_v0_1_1_gej *groupj, int order) { +void test_exhaustive_addition(const rustsecp256k1_v0_1_2_ge *group, const rustsecp256k1_v0_1_2_gej *groupj, int order) { int i, j; /* Sanity-check (and check infinity functions) */ - CHECK(rustsecp256k1_v0_1_1_ge_is_infinity(&group[0])); - CHECK(rustsecp256k1_v0_1_1_gej_is_infinity(&groupj[0])); + CHECK(rustsecp256k1_v0_1_2_ge_is_infinity(&group[0])); + CHECK(rustsecp256k1_v0_1_2_gej_is_infinity(&groupj[0])); for (i = 1; i < order; i++) { - CHECK(!rustsecp256k1_v0_1_1_ge_is_infinity(&group[i])); - CHECK(!rustsecp256k1_v0_1_1_gej_is_infinity(&groupj[i])); + CHECK(!rustsecp256k1_v0_1_2_ge_is_infinity(&group[i])); + CHECK(!rustsecp256k1_v0_1_2_gej_is_infinity(&groupj[i])); } /* Check all addition formulae */ for (j = 0; j < order; j++) { - rustsecp256k1_v0_1_1_fe fe_inv; - rustsecp256k1_v0_1_1_fe_inv(&fe_inv, &groupj[j].z); + rustsecp256k1_v0_1_2_fe fe_inv; + rustsecp256k1_v0_1_2_fe_inv(&fe_inv, &groupj[j].z); for (i = 0; i < order; i++) { - rustsecp256k1_v0_1_1_ge zless_gej; - rustsecp256k1_v0_1_1_gej tmp; + rustsecp256k1_v0_1_2_ge zless_gej; + rustsecp256k1_v0_1_2_gej tmp; /* add_var */ - rustsecp256k1_v0_1_1_gej_add_var(&tmp, &groupj[i], &groupj[j], NULL); + rustsecp256k1_v0_1_2_gej_add_var(&tmp, &groupj[i], &groupj[j], NULL); ge_equals_gej(&group[(i + j) % order], &tmp); /* add_ge */ if (j > 0) { - rustsecp256k1_v0_1_1_gej_add_ge(&tmp, &groupj[i], &group[j]); + rustsecp256k1_v0_1_2_gej_add_ge(&tmp, &groupj[i], &group[j]); ge_equals_gej(&group[(i + j) % order], &tmp); } /* add_ge_var */ - rustsecp256k1_v0_1_1_gej_add_ge_var(&tmp, &groupj[i], &group[j], NULL); + rustsecp256k1_v0_1_2_gej_add_ge_var(&tmp, &groupj[i], &group[j], NULL); ge_equals_gej(&group[(i + j) % order], &tmp); /* add_zinv_var */ zless_gej.infinity = groupj[j].infinity; zless_gej.x = groupj[j].x; zless_gej.y = groupj[j].y; - rustsecp256k1_v0_1_1_gej_add_zinv_var(&tmp, &groupj[i], &zless_gej, &fe_inv); + rustsecp256k1_v0_1_2_gej_add_zinv_var(&tmp, &groupj[i], &zless_gej, &fe_inv); ge_equals_gej(&group[(i + j) % order], &tmp); } } /* Check doubling */ for (i = 0; i < order; i++) { - rustsecp256k1_v0_1_1_gej tmp; + rustsecp256k1_v0_1_2_gej tmp; if (i > 0) { - rustsecp256k1_v0_1_1_gej_double_nonzero(&tmp, &groupj[i], NULL); + rustsecp256k1_v0_1_2_gej_double_nonzero(&tmp, &groupj[i]); ge_equals_gej(&group[(2 * i) % order], &tmp); } - rustsecp256k1_v0_1_1_gej_double_var(&tmp, &groupj[i], NULL); + rustsecp256k1_v0_1_2_gej_double_var(&tmp, &groupj[i], NULL); ge_equals_gej(&group[(2 * i) % order], &tmp); } /* Check negation */ for (i = 1; i < order; i++) { - rustsecp256k1_v0_1_1_ge tmp; - rustsecp256k1_v0_1_1_gej tmpj; - rustsecp256k1_v0_1_1_ge_neg(&tmp, &group[i]); + rustsecp256k1_v0_1_2_ge tmp; + rustsecp256k1_v0_1_2_gej tmpj; + rustsecp256k1_v0_1_2_ge_neg(&tmp, &group[i]); ge_equals_ge(&group[order - i], &tmp); - rustsecp256k1_v0_1_1_gej_neg(&tmpj, &groupj[i]); + rustsecp256k1_v0_1_2_gej_neg(&tmpj, &groupj[i]); ge_equals_gej(&group[order - i], &tmpj); } } -void test_exhaustive_ecmult(const rustsecp256k1_v0_1_1_context *ctx, const rustsecp256k1_v0_1_1_ge *group, const rustsecp256k1_v0_1_1_gej *groupj, int order) { +void test_exhaustive_ecmult(const rustsecp256k1_v0_1_2_context *ctx, const rustsecp256k1_v0_1_2_ge *group, const rustsecp256k1_v0_1_2_gej *groupj, int order) { int i, j, r_log; for (r_log = 1; r_log < order; r_log++) { for (j = 0; j < order; j++) { for (i = 0; i < order; i++) { - rustsecp256k1_v0_1_1_gej tmp; - rustsecp256k1_v0_1_1_scalar na, ng; - rustsecp256k1_v0_1_1_scalar_set_int(&na, i); - rustsecp256k1_v0_1_1_scalar_set_int(&ng, j); + rustsecp256k1_v0_1_2_gej tmp; + rustsecp256k1_v0_1_2_scalar na, ng; + rustsecp256k1_v0_1_2_scalar_set_int(&na, i); + rustsecp256k1_v0_1_2_scalar_set_int(&ng, j); - rustsecp256k1_v0_1_1_ecmult(&ctx->ecmult_ctx, &tmp, &groupj[r_log], &na, &ng); + rustsecp256k1_v0_1_2_ecmult(&ctx->ecmult_ctx, &tmp, &groupj[r_log], &na, &ng); ge_equals_gej(&group[(i * r_log + j) % order], &tmp); if (i > 0) { - rustsecp256k1_v0_1_1_ecmult_const(&tmp, &group[i], &ng, 256); + rustsecp256k1_v0_1_2_ecmult_const(&tmp, &group[i], &ng, 256); ge_equals_gej(&group[(i * j) % order], &tmp); } } @@ -183,106 +183,106 @@ void test_exhaustive_ecmult(const rustsecp256k1_v0_1_1_context *ctx, const rusts } typedef struct { - rustsecp256k1_v0_1_1_scalar sc[2]; - rustsecp256k1_v0_1_1_ge pt[2]; + rustsecp256k1_v0_1_2_scalar sc[2]; + rustsecp256k1_v0_1_2_ge pt[2]; } ecmult_multi_data; -static int ecmult_multi_callback(rustsecp256k1_v0_1_1_scalar *sc, rustsecp256k1_v0_1_1_ge *pt, size_t idx, void *cbdata) { +static int ecmult_multi_callback(rustsecp256k1_v0_1_2_scalar *sc, rustsecp256k1_v0_1_2_ge *pt, size_t idx, void *cbdata) { ecmult_multi_data *data = (ecmult_multi_data*) cbdata; *sc = data->sc[idx]; *pt = data->pt[idx]; return 1; } -void test_exhaustive_ecmult_multi(const rustsecp256k1_v0_1_1_context *ctx, const rustsecp256k1_v0_1_1_ge *group, int order) { +void test_exhaustive_ecmult_multi(const rustsecp256k1_v0_1_2_context *ctx, const rustsecp256k1_v0_1_2_ge *group, int order) { int i, j, k, x, y; - rustsecp256k1_v0_1_1_scratch *scratch = rustsecp256k1_v0_1_1_scratch_create(&ctx->error_callback, 4096); + rustsecp256k1_v0_1_2_scratch *scratch = rustsecp256k1_v0_1_2_scratch_create(&ctx->error_callback, 4096); for (i = 0; i < order; i++) { for (j = 0; j < order; j++) { for (k = 0; k < order; k++) { for (x = 0; x < order; x++) { for (y = 0; y < order; y++) { - rustsecp256k1_v0_1_1_gej tmp; - rustsecp256k1_v0_1_1_scalar g_sc; + rustsecp256k1_v0_1_2_gej tmp; + rustsecp256k1_v0_1_2_scalar g_sc; ecmult_multi_data data; - rustsecp256k1_v0_1_1_scalar_set_int(&data.sc[0], i); - rustsecp256k1_v0_1_1_scalar_set_int(&data.sc[1], j); - rustsecp256k1_v0_1_1_scalar_set_int(&g_sc, k); + rustsecp256k1_v0_1_2_scalar_set_int(&data.sc[0], i); + rustsecp256k1_v0_1_2_scalar_set_int(&data.sc[1], j); + rustsecp256k1_v0_1_2_scalar_set_int(&g_sc, k); data.pt[0] = group[x]; data.pt[1] = group[y]; - rustsecp256k1_v0_1_1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &tmp, &g_sc, ecmult_multi_callback, &data, 2); + rustsecp256k1_v0_1_2_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &tmp, &g_sc, ecmult_multi_callback, &data, 2); ge_equals_gej(&group[(i * x + j * y + k) % order], &tmp); } } } } } - rustsecp256k1_v0_1_1_scratch_destroy(&ctx->error_callback, scratch); + rustsecp256k1_v0_1_2_scratch_destroy(&ctx->error_callback, scratch); } -void r_from_k(rustsecp256k1_v0_1_1_scalar *r, const rustsecp256k1_v0_1_1_ge *group, int k) { - rustsecp256k1_v0_1_1_fe x; +void r_from_k(rustsecp256k1_v0_1_2_scalar *r, const rustsecp256k1_v0_1_2_ge *group, int k) { + rustsecp256k1_v0_1_2_fe x; unsigned char x_bin[32]; k %= EXHAUSTIVE_TEST_ORDER; x = group[k].x; - rustsecp256k1_v0_1_1_fe_normalize(&x); - rustsecp256k1_v0_1_1_fe_get_b32(x_bin, &x); - rustsecp256k1_v0_1_1_scalar_set_b32(r, x_bin, NULL); + rustsecp256k1_v0_1_2_fe_normalize(&x); + rustsecp256k1_v0_1_2_fe_get_b32(x_bin, &x); + rustsecp256k1_v0_1_2_scalar_set_b32(r, x_bin, NULL); } -void test_exhaustive_verify(const rustsecp256k1_v0_1_1_context *ctx, const rustsecp256k1_v0_1_1_ge *group, int order) { +void test_exhaustive_verify(const rustsecp256k1_v0_1_2_context *ctx, const rustsecp256k1_v0_1_2_ge *group, int order) { int s, r, msg, key; for (s = 1; s < order; s++) { for (r = 1; r < order; r++) { for (msg = 1; msg < order; msg++) { for (key = 1; key < order; key++) { - rustsecp256k1_v0_1_1_ge nonconst_ge; - rustsecp256k1_v0_1_1_ecdsa_signature sig; - rustsecp256k1_v0_1_1_pubkey pk; - rustsecp256k1_v0_1_1_scalar sk_s, msg_s, r_s, s_s; - rustsecp256k1_v0_1_1_scalar s_times_k_s, msg_plus_r_times_sk_s; + rustsecp256k1_v0_1_2_ge nonconst_ge; + rustsecp256k1_v0_1_2_ecdsa_signature sig; + rustsecp256k1_v0_1_2_pubkey pk; + rustsecp256k1_v0_1_2_scalar sk_s, msg_s, r_s, s_s; + rustsecp256k1_v0_1_2_scalar s_times_k_s, msg_plus_r_times_sk_s; int k, should_verify; unsigned char msg32[32]; - rustsecp256k1_v0_1_1_scalar_set_int(&s_s, s); - rustsecp256k1_v0_1_1_scalar_set_int(&r_s, r); - rustsecp256k1_v0_1_1_scalar_set_int(&msg_s, msg); - rustsecp256k1_v0_1_1_scalar_set_int(&sk_s, key); + rustsecp256k1_v0_1_2_scalar_set_int(&s_s, s); + rustsecp256k1_v0_1_2_scalar_set_int(&r_s, r); + rustsecp256k1_v0_1_2_scalar_set_int(&msg_s, msg); + rustsecp256k1_v0_1_2_scalar_set_int(&sk_s, key); /* Verify by hand */ /* Run through every k value that gives us this r and check that *one* works. * Note there could be none, there could be multiple, ECDSA is weird. */ should_verify = 0; for (k = 0; k < order; k++) { - rustsecp256k1_v0_1_1_scalar check_x_s; + rustsecp256k1_v0_1_2_scalar check_x_s; r_from_k(&check_x_s, group, k); if (r_s == check_x_s) { - rustsecp256k1_v0_1_1_scalar_set_int(&s_times_k_s, k); - rustsecp256k1_v0_1_1_scalar_mul(&s_times_k_s, &s_times_k_s, &s_s); - rustsecp256k1_v0_1_1_scalar_mul(&msg_plus_r_times_sk_s, &r_s, &sk_s); - rustsecp256k1_v0_1_1_scalar_add(&msg_plus_r_times_sk_s, &msg_plus_r_times_sk_s, &msg_s); - should_verify |= rustsecp256k1_v0_1_1_scalar_eq(&s_times_k_s, &msg_plus_r_times_sk_s); + rustsecp256k1_v0_1_2_scalar_set_int(&s_times_k_s, k); + rustsecp256k1_v0_1_2_scalar_mul(&s_times_k_s, &s_times_k_s, &s_s); + rustsecp256k1_v0_1_2_scalar_mul(&msg_plus_r_times_sk_s, &r_s, &sk_s); + rustsecp256k1_v0_1_2_scalar_add(&msg_plus_r_times_sk_s, &msg_plus_r_times_sk_s, &msg_s); + should_verify |= rustsecp256k1_v0_1_2_scalar_eq(&s_times_k_s, &msg_plus_r_times_sk_s); } } /* nb we have a "high s" rule */ - should_verify &= !rustsecp256k1_v0_1_1_scalar_is_high(&s_s); + should_verify &= !rustsecp256k1_v0_1_2_scalar_is_high(&s_s); /* Verify by calling verify */ - rustsecp256k1_v0_1_1_ecdsa_signature_save(&sig, &r_s, &s_s); + rustsecp256k1_v0_1_2_ecdsa_signature_save(&sig, &r_s, &s_s); memcpy(&nonconst_ge, &group[sk_s], sizeof(nonconst_ge)); - rustsecp256k1_v0_1_1_pubkey_save(&pk, &nonconst_ge); - rustsecp256k1_v0_1_1_scalar_get_b32(msg32, &msg_s); + rustsecp256k1_v0_1_2_pubkey_save(&pk, &nonconst_ge); + rustsecp256k1_v0_1_2_scalar_get_b32(msg32, &msg_s); CHECK(should_verify == - rustsecp256k1_v0_1_1_ecdsa_verify(ctx, &sig, msg32, &pk)); + rustsecp256k1_v0_1_2_ecdsa_verify(ctx, &sig, msg32, &pk)); } } } } } -void test_exhaustive_sign(const rustsecp256k1_v0_1_1_context *ctx, const rustsecp256k1_v0_1_1_ge *group, int order) { +void test_exhaustive_sign(const rustsecp256k1_v0_1_2_context *ctx, const rustsecp256k1_v0_1_2_ge *group, int order) { int i, j, k; /* Loop */ @@ -290,17 +290,17 @@ void test_exhaustive_sign(const rustsecp256k1_v0_1_1_context *ctx, const rustsec for (j = 1; j < order; j++) { /* key */ for (k = 1; k < order; k++) { /* nonce */ const int starting_k = k; - rustsecp256k1_v0_1_1_ecdsa_signature sig; - rustsecp256k1_v0_1_1_scalar sk, msg, r, s, expected_r; + rustsecp256k1_v0_1_2_ecdsa_signature sig; + rustsecp256k1_v0_1_2_scalar sk, msg, r, s, expected_r; unsigned char sk32[32], msg32[32]; - rustsecp256k1_v0_1_1_scalar_set_int(&msg, i); - rustsecp256k1_v0_1_1_scalar_set_int(&sk, j); - rustsecp256k1_v0_1_1_scalar_get_b32(sk32, &sk); - rustsecp256k1_v0_1_1_scalar_get_b32(msg32, &msg); + rustsecp256k1_v0_1_2_scalar_set_int(&msg, i); + rustsecp256k1_v0_1_2_scalar_set_int(&sk, j); + rustsecp256k1_v0_1_2_scalar_get_b32(sk32, &sk); + rustsecp256k1_v0_1_2_scalar_get_b32(msg32, &msg); - rustsecp256k1_v0_1_1_ecdsa_sign(ctx, &sig, msg32, sk32, rustsecp256k1_v0_1_1_nonce_function_smallint, &k); + rustsecp256k1_v0_1_2_ecdsa_sign(ctx, &sig, msg32, sk32, rustsecp256k1_v0_1_2_nonce_function_smallint, &k); - rustsecp256k1_v0_1_1_ecdsa_signature_load(ctx, &r, &s, &sig); + rustsecp256k1_v0_1_2_ecdsa_signature_load(ctx, &r, &s, &sig); /* Note that we compute expected_r *after* signing -- this is important * because our nonce-computing function function might change k during * signing. */ @@ -328,7 +328,7 @@ void test_exhaustive_sign(const rustsecp256k1_v0_1_1_context *ctx, const rustsec } #ifdef ENABLE_MODULE_RECOVERY -void test_exhaustive_recovery_sign(const rustsecp256k1_v0_1_1_context *ctx, const rustsecp256k1_v0_1_1_ge *group, int order) { +void test_exhaustive_recovery_sign(const rustsecp256k1_v0_1_2_context *ctx, const rustsecp256k1_v0_1_2_ge *group, int order) { int i, j, k; /* Loop */ @@ -336,44 +336,44 @@ void test_exhaustive_recovery_sign(const rustsecp256k1_v0_1_1_context *ctx, cons for (j = 1; j < order; j++) { /* key */ for (k = 1; k < order; k++) { /* nonce */ const int starting_k = k; - rustsecp256k1_v0_1_1_fe r_dot_y_normalized; - rustsecp256k1_v0_1_1_ecdsa_recoverable_signature rsig; - rustsecp256k1_v0_1_1_ecdsa_signature sig; - rustsecp256k1_v0_1_1_scalar sk, msg, r, s, expected_r; + rustsecp256k1_v0_1_2_fe r_dot_y_normalized; + rustsecp256k1_v0_1_2_ecdsa_recoverable_signature rsig; + rustsecp256k1_v0_1_2_ecdsa_signature sig; + rustsecp256k1_v0_1_2_scalar sk, msg, r, s, expected_r; unsigned char sk32[32], msg32[32]; int expected_recid; int recid; - rustsecp256k1_v0_1_1_scalar_set_int(&msg, i); - rustsecp256k1_v0_1_1_scalar_set_int(&sk, j); - rustsecp256k1_v0_1_1_scalar_get_b32(sk32, &sk); - rustsecp256k1_v0_1_1_scalar_get_b32(msg32, &msg); + rustsecp256k1_v0_1_2_scalar_set_int(&msg, i); + rustsecp256k1_v0_1_2_scalar_set_int(&sk, j); + rustsecp256k1_v0_1_2_scalar_get_b32(sk32, &sk); + rustsecp256k1_v0_1_2_scalar_get_b32(msg32, &msg); - rustsecp256k1_v0_1_1_ecdsa_sign_recoverable(ctx, &rsig, msg32, sk32, rustsecp256k1_v0_1_1_nonce_function_smallint, &k); + rustsecp256k1_v0_1_2_ecdsa_sign_recoverable(ctx, &rsig, msg32, sk32, rustsecp256k1_v0_1_2_nonce_function_smallint, &k); /* Check directly */ - rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, &rsig); + rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_load(ctx, &r, &s, &recid, &rsig); r_from_k(&expected_r, group, k); CHECK(r == expected_r); CHECK((k * s) % order == (i + r * j) % order || (k * (EXHAUSTIVE_TEST_ORDER - s)) % order == (i + r * j) % order); /* In computing the recid, there is an overflow condition that is disabled in - * scalar_low_impl.h `rustsecp256k1_v0_1_1_scalar_set_b32` because almost every r.y value + * scalar_low_impl.h `rustsecp256k1_v0_1_2_scalar_set_b32` because almost every r.y value * will exceed the group order, and our signing code always holds out for r * values that don't overflow, so with a proper overflow check the tests would * loop indefinitely. */ r_dot_y_normalized = group[k].y; - rustsecp256k1_v0_1_1_fe_normalize(&r_dot_y_normalized); + rustsecp256k1_v0_1_2_fe_normalize(&r_dot_y_normalized); /* Also the recovery id is flipped depending if we hit the low-s branch */ if ((k * s) % order == (i + r * j) % order) { - expected_recid = rustsecp256k1_v0_1_1_fe_is_odd(&r_dot_y_normalized) ? 1 : 0; + expected_recid = rustsecp256k1_v0_1_2_fe_is_odd(&r_dot_y_normalized) ? 1 : 0; } else { - expected_recid = rustsecp256k1_v0_1_1_fe_is_odd(&r_dot_y_normalized) ? 0 : 1; + expected_recid = rustsecp256k1_v0_1_2_fe_is_odd(&r_dot_y_normalized) ? 0 : 1; } CHECK(recid == expected_recid); /* Convert to a standard sig then check */ - rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_convert(ctx, &sig, &rsig); - rustsecp256k1_v0_1_1_ecdsa_signature_load(ctx, &r, &s, &sig); + rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_convert(ctx, &sig, &rsig); + rustsecp256k1_v0_1_2_ecdsa_signature_load(ctx, &r, &s, &sig); /* Note that we compute expected_r *after* signing -- this is important * because our nonce-computing function function might change k during * signing. */ @@ -391,46 +391,46 @@ void test_exhaustive_recovery_sign(const rustsecp256k1_v0_1_1_context *ctx, cons } } -void test_exhaustive_recovery_verify(const rustsecp256k1_v0_1_1_context *ctx, const rustsecp256k1_v0_1_1_ge *group, int order) { +void test_exhaustive_recovery_verify(const rustsecp256k1_v0_1_2_context *ctx, const rustsecp256k1_v0_1_2_ge *group, int order) { /* This is essentially a copy of test_exhaustive_verify, with recovery added */ int s, r, msg, key; for (s = 1; s < order; s++) { for (r = 1; r < order; r++) { for (msg = 1; msg < order; msg++) { for (key = 1; key < order; key++) { - rustsecp256k1_v0_1_1_ge nonconst_ge; - rustsecp256k1_v0_1_1_ecdsa_recoverable_signature rsig; - rustsecp256k1_v0_1_1_ecdsa_signature sig; - rustsecp256k1_v0_1_1_pubkey pk; - rustsecp256k1_v0_1_1_scalar sk_s, msg_s, r_s, s_s; - rustsecp256k1_v0_1_1_scalar s_times_k_s, msg_plus_r_times_sk_s; + rustsecp256k1_v0_1_2_ge nonconst_ge; + rustsecp256k1_v0_1_2_ecdsa_recoverable_signature rsig; + rustsecp256k1_v0_1_2_ecdsa_signature sig; + rustsecp256k1_v0_1_2_pubkey pk; + rustsecp256k1_v0_1_2_scalar sk_s, msg_s, r_s, s_s; + rustsecp256k1_v0_1_2_scalar s_times_k_s, msg_plus_r_times_sk_s; int recid = 0; int k, should_verify; unsigned char msg32[32]; - rustsecp256k1_v0_1_1_scalar_set_int(&s_s, s); - rustsecp256k1_v0_1_1_scalar_set_int(&r_s, r); - rustsecp256k1_v0_1_1_scalar_set_int(&msg_s, msg); - rustsecp256k1_v0_1_1_scalar_set_int(&sk_s, key); - rustsecp256k1_v0_1_1_scalar_get_b32(msg32, &msg_s); + rustsecp256k1_v0_1_2_scalar_set_int(&s_s, s); + rustsecp256k1_v0_1_2_scalar_set_int(&r_s, r); + rustsecp256k1_v0_1_2_scalar_set_int(&msg_s, msg); + rustsecp256k1_v0_1_2_scalar_set_int(&sk_s, key); + rustsecp256k1_v0_1_2_scalar_get_b32(msg32, &msg_s); /* Verify by hand */ /* Run through every k value that gives us this r and check that *one* works. * Note there could be none, there could be multiple, ECDSA is weird. */ should_verify = 0; for (k = 0; k < order; k++) { - rustsecp256k1_v0_1_1_scalar check_x_s; + rustsecp256k1_v0_1_2_scalar check_x_s; r_from_k(&check_x_s, group, k); if (r_s == check_x_s) { - rustsecp256k1_v0_1_1_scalar_set_int(&s_times_k_s, k); - rustsecp256k1_v0_1_1_scalar_mul(&s_times_k_s, &s_times_k_s, &s_s); - rustsecp256k1_v0_1_1_scalar_mul(&msg_plus_r_times_sk_s, &r_s, &sk_s); - rustsecp256k1_v0_1_1_scalar_add(&msg_plus_r_times_sk_s, &msg_plus_r_times_sk_s, &msg_s); - should_verify |= rustsecp256k1_v0_1_1_scalar_eq(&s_times_k_s, &msg_plus_r_times_sk_s); + rustsecp256k1_v0_1_2_scalar_set_int(&s_times_k_s, k); + rustsecp256k1_v0_1_2_scalar_mul(&s_times_k_s, &s_times_k_s, &s_s); + rustsecp256k1_v0_1_2_scalar_mul(&msg_plus_r_times_sk_s, &r_s, &sk_s); + rustsecp256k1_v0_1_2_scalar_add(&msg_plus_r_times_sk_s, &msg_plus_r_times_sk_s, &msg_s); + should_verify |= rustsecp256k1_v0_1_2_scalar_eq(&s_times_k_s, &msg_plus_r_times_sk_s); } } /* nb we have a "high s" rule */ - should_verify &= !rustsecp256k1_v0_1_1_scalar_is_high(&s_s); + should_verify &= !rustsecp256k1_v0_1_2_scalar_is_high(&s_s); /* We would like to try recovering the pubkey and checking that it matches, * but pubkey recovery is impossible in the exhaustive tests (the reason @@ -438,12 +438,12 @@ void test_exhaustive_recovery_verify(const rustsecp256k1_v0_1_1_context *ctx, co * overlap between the sets, so there are no valid signatures). */ /* Verify by converting to a standard signature and calling verify */ - rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_save(&rsig, &r_s, &s_s, recid); - rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_convert(ctx, &sig, &rsig); + rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_save(&rsig, &r_s, &s_s, recid); + rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_convert(ctx, &sig, &rsig); memcpy(&nonconst_ge, &group[sk_s], sizeof(nonconst_ge)); - rustsecp256k1_v0_1_1_pubkey_save(&pk, &nonconst_ge); + rustsecp256k1_v0_1_2_pubkey_save(&pk, &nonconst_ge); CHECK(should_verify == - rustsecp256k1_v0_1_1_ecdsa_verify(ctx, &sig, msg32, &pk)); + rustsecp256k1_v0_1_2_ecdsa_verify(ctx, &sig, msg32, &pk)); } } } @@ -453,40 +453,40 @@ void test_exhaustive_recovery_verify(const rustsecp256k1_v0_1_1_context *ctx, co int main(void) { int i; - rustsecp256k1_v0_1_1_gej groupj[EXHAUSTIVE_TEST_ORDER]; - rustsecp256k1_v0_1_1_ge group[EXHAUSTIVE_TEST_ORDER]; + rustsecp256k1_v0_1_2_gej groupj[EXHAUSTIVE_TEST_ORDER]; + rustsecp256k1_v0_1_2_ge group[EXHAUSTIVE_TEST_ORDER]; /* Build context */ - rustsecp256k1_v0_1_1_context *ctx = rustsecp256k1_v0_1_1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); + rustsecp256k1_v0_1_2_context *ctx = rustsecp256k1_v0_1_2_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY); /* TODO set z = 1, then do num_tests runs with random z values */ /* Generate the entire group */ - rustsecp256k1_v0_1_1_gej_set_infinity(&groupj[0]); - rustsecp256k1_v0_1_1_ge_set_gej(&group[0], &groupj[0]); + rustsecp256k1_v0_1_2_gej_set_infinity(&groupj[0]); + rustsecp256k1_v0_1_2_ge_set_gej(&group[0], &groupj[0]); for (i = 1; i < EXHAUSTIVE_TEST_ORDER; i++) { /* Set a different random z-value for each Jacobian point */ - rustsecp256k1_v0_1_1_fe z; + rustsecp256k1_v0_1_2_fe z; random_fe(&z); - rustsecp256k1_v0_1_1_gej_add_ge(&groupj[i], &groupj[i - 1], &rustsecp256k1_v0_1_1_ge_const_g); - rustsecp256k1_v0_1_1_ge_set_gej(&group[i], &groupj[i]); - rustsecp256k1_v0_1_1_gej_rescale(&groupj[i], &z); + rustsecp256k1_v0_1_2_gej_add_ge(&groupj[i], &groupj[i - 1], &rustsecp256k1_v0_1_2_ge_const_g); + rustsecp256k1_v0_1_2_ge_set_gej(&group[i], &groupj[i]); + rustsecp256k1_v0_1_2_gej_rescale(&groupj[i], &z); /* Verify against ecmult_gen */ { - rustsecp256k1_v0_1_1_scalar scalar_i; - rustsecp256k1_v0_1_1_gej generatedj; - rustsecp256k1_v0_1_1_ge generated; + rustsecp256k1_v0_1_2_scalar scalar_i; + rustsecp256k1_v0_1_2_gej generatedj; + rustsecp256k1_v0_1_2_ge generated; - rustsecp256k1_v0_1_1_scalar_set_int(&scalar_i, i); - rustsecp256k1_v0_1_1_ecmult_gen(&ctx->ecmult_gen_ctx, &generatedj, &scalar_i); - rustsecp256k1_v0_1_1_ge_set_gej(&generated, &generatedj); + rustsecp256k1_v0_1_2_scalar_set_int(&scalar_i, i); + rustsecp256k1_v0_1_2_ecmult_gen(&ctx->ecmult_gen_ctx, &generatedj, &scalar_i); + rustsecp256k1_v0_1_2_ge_set_gej(&generated, &generatedj); CHECK(group[i].infinity == 0); CHECK(generated.infinity == 0); - CHECK(rustsecp256k1_v0_1_1_fe_equal_var(&generated.x, &group[i].x)); - CHECK(rustsecp256k1_v0_1_1_fe_equal_var(&generated.y, &group[i].y)); + CHECK(rustsecp256k1_v0_1_2_fe_equal_var(&generated.x, &group[i].x)); + CHECK(rustsecp256k1_v0_1_2_fe_equal_var(&generated.y, &group[i].y)); } } @@ -505,7 +505,7 @@ int main(void) { test_exhaustive_recovery_verify(ctx, group, EXHAUSTIVE_TEST_ORDER); #endif - rustsecp256k1_v0_1_1_context_destroy(ctx); + rustsecp256k1_v0_1_2_context_destroy(ctx); return 0; } diff --git a/secp256k1-sys/depend/secp256k1/src/util.h b/secp256k1-sys/depend/secp256k1/src/util.h index 7ea0d15f0..448fdb4fa 100644 --- a/secp256k1-sys/depend/secp256k1/src/util.h +++ b/secp256k1-sys/depend/secp256k1/src/util.h @@ -14,13 +14,14 @@ #include #include #include +#include typedef struct { void (*fn)(const char *text, void* data); const void* data; -} rustsecp256k1_v0_1_1_callback; +} rustsecp256k1_v0_1_2_callback; -static SECP256K1_INLINE void rustsecp256k1_v0_1_1_callback_call(const rustsecp256k1_v0_1_1_callback * const cb, const char * const text) { +static SECP256K1_INLINE void rustsecp256k1_v0_1_2_callback_call(const rustsecp256k1_v0_1_2_callback * const cb, const char * const text) { cb->fn(text, (void*)cb->data); } @@ -143,4 +144,19 @@ static SECP256K1_INLINE void *manual_alloc(void** prealloc_ptr, size_t alloc_siz SECP256K1_GNUC_EXT typedef unsigned __int128 uint128_t; #endif +/* Zero memory if flag == 1. Flag must be 0 or 1. Constant time. */ +static SECP256K1_INLINE void memczero(void *s, size_t len, int flag) { + unsigned char *p = (unsigned char *)s; + /* Access flag with a volatile-qualified lvalue. + This prevents clang from figuring out (after inlining) that flag can + take only be 0 or 1, which leads to variable time code. */ + volatile int vflag = flag; + unsigned char mask = -(unsigned char) vflag; + while (len) { + *p &= ~mask; + p++; + len--; + } +} + #endif /* SECP256K1_UTIL_H */ diff --git a/secp256k1-sys/depend/secp256k1/src/util.h.orig b/secp256k1-sys/depend/secp256k1/src/util.h.orig new file mode 100644 index 000000000..92cafeb03 --- /dev/null +++ b/secp256k1-sys/depend/secp256k1/src/util.h.orig @@ -0,0 +1,178 @@ +/********************************************************************** + * Copyright (c) 2013, 2014 Pieter Wuille * + * Distributed under the MIT software license, see the accompanying * + * file COPYING or http://www.opensource.org/licenses/mit-license.php.* + **********************************************************************/ + +#ifndef SECP256K1_UTIL_H +#define SECP256K1_UTIL_H + +#if defined HAVE_CONFIG_H +#include "libsecp256k1-config.h" +#endif + +#include +#include +#include +#include + +typedef struct { + void (*fn)(const char *text, void* data); + const void* data; +} rustsecp256k1_v0_1_2_callback; + +static SECP256K1_INLINE void rustsecp256k1_v0_1_2_callback_call(const rustsecp256k1_v0_1_2_callback * const cb, const char * const text) { + cb->fn(text, (void*)cb->data); +} + +#ifdef DETERMINISTIC +#define TEST_FAILURE(msg) do { \ + fprintf(stderr, "%s\n", msg); \ + abort(); \ +} while(0); +#else +#define TEST_FAILURE(msg) do { \ + fprintf(stderr, "%s:%d: %s\n", __FILE__, __LINE__, msg); \ + abort(); \ +} while(0) +#endif + +#if SECP256K1_GNUC_PREREQ(3, 0) +#define EXPECT(x,c) __builtin_expect((x),(c)) +#else +#define EXPECT(x,c) (x) +#endif + +#ifdef DETERMINISTIC +#define CHECK(cond) do { \ + if (EXPECT(!(cond), 0)) { \ + TEST_FAILURE("test condition failed"); \ + } \ +} while(0) +#else +#define CHECK(cond) do { \ + if (EXPECT(!(cond), 0)) { \ + TEST_FAILURE("test condition failed: " #cond); \ + } \ +} while(0) +#endif + +/* Like assert(), but when VERIFY is defined, and side-effect safe. */ +#if defined(COVERAGE) +#define VERIFY_CHECK(check) +#define VERIFY_SETUP(stmt) +#elif defined(VERIFY) +#define VERIFY_CHECK CHECK +#define VERIFY_SETUP(stmt) do { stmt; } while(0) +#else +#define VERIFY_CHECK(cond) do { (void)(cond); } while(0) +#define VERIFY_SETUP(stmt) +#endif + +static SECP256K1_INLINE void *checked_malloc(const rustsecp256k1_v0_1_2_callback* cb, size_t size) { + void *ret = malloc(size); + if (ret == NULL) { + rustsecp256k1_v0_1_2_callback_call(cb, "Out of memory"); + } + return ret; +} + +static SECP256K1_INLINE void *checked_realloc(const rustsecp256k1_v0_1_2_callback* cb, void *ptr, size_t size) { + void *ret = realloc(ptr, size); + if (ret == NULL) { + rustsecp256k1_v0_1_2_callback_call(cb, "Out of memory"); + } + return ret; +} + +#if defined(__BIGGEST_ALIGNMENT__) +#define ALIGNMENT __BIGGEST_ALIGNMENT__ +#else +/* Using 16 bytes alignment because common architectures never have alignment + * requirements above 8 for any of the types we care about. In addition we + * leave some room because currently we don't care about a few bytes. */ +#define ALIGNMENT 16 +#endif + +#define ROUND_TO_ALIGN(size) (((size + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT) + +/* Assume there is a contiguous memory object with bounds [base, base + max_size) + * of which the memory range [base, *prealloc_ptr) is already allocated for usage, + * where *prealloc_ptr is an aligned pointer. In that setting, this functions + * reserves the subobject [*prealloc_ptr, *prealloc_ptr + alloc_size) of + * alloc_size bytes by increasing *prealloc_ptr accordingly, taking into account + * alignment requirements. + * + * The function returns an aligned pointer to the newly allocated subobject. + * + * This is useful for manual memory management: if we're simply given a block + * [base, base + max_size), the caller can use this function to allocate memory + * in this block and keep track of the current allocation state with *prealloc_ptr. + * + * It is VERIFY_CHECKed that there is enough space left in the memory object and + * *prealloc_ptr is aligned relative to base. + */ +static SECP256K1_INLINE void *manual_alloc(void** prealloc_ptr, size_t alloc_size, void* base, size_t max_size) { + size_t aligned_alloc_size = ROUND_TO_ALIGN(alloc_size); + void* ret; + VERIFY_CHECK(prealloc_ptr != NULL); + VERIFY_CHECK(*prealloc_ptr != NULL); + VERIFY_CHECK(base != NULL); + VERIFY_CHECK((unsigned char*)*prealloc_ptr >= (unsigned char*)base); + VERIFY_CHECK(((unsigned char*)*prealloc_ptr - (unsigned char*)base) % ALIGNMENT == 0); + VERIFY_CHECK((unsigned char*)*prealloc_ptr - (unsigned char*)base + aligned_alloc_size <= max_size); + ret = *prealloc_ptr; + *((unsigned char**)prealloc_ptr) += aligned_alloc_size; + return ret; +} + +/* Macro for restrict, when available and not in a VERIFY build. */ +#if defined(SECP256K1_BUILD) && defined(VERIFY) +# define SECP256K1_RESTRICT +#else +# if (!defined(__STDC_VERSION__) || (__STDC_VERSION__ < 199901L) ) +# if SECP256K1_GNUC_PREREQ(3,0) +# define SECP256K1_RESTRICT __restrict__ +# elif (defined(_MSC_VER) && _MSC_VER >= 1400) +# define SECP256K1_RESTRICT __restrict +# else +# define SECP256K1_RESTRICT +# endif +# else +# define SECP256K1_RESTRICT restrict +# endif +#endif + +#if defined(_WIN32) +# define I64FORMAT "I64d" +# define I64uFORMAT "I64u" +#else +# define I64FORMAT "lld" +# define I64uFORMAT "llu" +#endif + +#if defined(HAVE___INT128) +# if defined(__GNUC__) +# define SECP256K1_GNUC_EXT __extension__ +# else +# define SECP256K1_GNUC_EXT +# endif +SECP256K1_GNUC_EXT typedef unsigned __int128 uint128_t; +#endif + +/* Zero memory if flag == 1. Flag must be 0 or 1. Constant time. */ +static SECP256K1_INLINE void memczero(void *s, size_t len, int flag) { + unsigned char *p = (unsigned char *)s; + /* Access flag with a volatile-qualified lvalue. + This prevents clang from figuring out (after inlining) that flag can + take only be 0 or 1, which leads to variable time code. */ + volatile int vflag = flag; + unsigned char mask = -(unsigned char) vflag; + while (len) { + *p &= ~mask; + p++; + len--; + } +} + +#endif /* SECP256K1_UTIL_H */ diff --git a/secp256k1-sys/depend/secp256k1/src/valgrind_ctime_test.c b/secp256k1-sys/depend/secp256k1/src/valgrind_ctime_test.c new file mode 100644 index 000000000..66ba74b5e --- /dev/null +++ b/secp256k1-sys/depend/secp256k1/src/valgrind_ctime_test.c @@ -0,0 +1,100 @@ +/********************************************************************** + * Copyright (c) 2020 Gregory Maxwell * + * Distributed under the MIT software license, see the accompanying * + * file COPYING or http://www.opensource.org/licenses/mit-license.php.* + **********************************************************************/ + +#include +#include "include/secp256k1.h" +#include "util.h" + +#if ENABLE_MODULE_ECDH +# include "include/rustsecp256k1_v0_1_2_ecdh.h" +#endif + +int main(void) { + rustsecp256k1_v0_1_2_context* ctx; + rustsecp256k1_v0_1_2_ecdsa_signature signature; + rustsecp256k1_v0_1_2_pubkey pubkey; + size_t siglen = 74; + size_t outputlen = 33; + int i; + int ret; + unsigned char msg[32]; + unsigned char key[32]; + unsigned char sig[74]; + unsigned char spubkey[33]; + + if (!RUNNING_ON_VALGRIND) { + fprintf(stderr, "This test can only usefully be run inside valgrind.\n"); + fprintf(stderr, "Usage: libtool --mode=execute valgrind ./valgrind_ctime_test\n"); + exit(1); + } + + /** In theory, testing with a single secret input should be sufficient: + * If control flow depended on secrets the tool would generate an error. + */ + for (i = 0; i < 32; i++) { + key[i] = i + 65; + } + for (i = 0; i < 32; i++) { + msg[i] = i + 1; + } + + ctx = rustsecp256k1_v0_1_2_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_DECLASSIFY); + + /* Test keygen. */ + VALGRIND_MAKE_MEM_UNDEFINED(key, 32); + ret = rustsecp256k1_v0_1_2_ec_pubkey_create(ctx, &pubkey, key); + VALGRIND_MAKE_MEM_DEFINED(&pubkey, sizeof(rustsecp256k1_v0_1_2_pubkey)); + VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); + CHECK(ret); + CHECK(rustsecp256k1_v0_1_2_ec_pubkey_serialize(ctx, spubkey, &outputlen, &pubkey, SECP256K1_EC_COMPRESSED) == 1); + + /* Test signing. */ + VALGRIND_MAKE_MEM_UNDEFINED(key, 32); + ret = rustsecp256k1_v0_1_2_ecdsa_sign(ctx, &signature, msg, key, NULL, NULL); + VALGRIND_MAKE_MEM_DEFINED(&signature, sizeof(rustsecp256k1_v0_1_2_ecdsa_signature)); + VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); + CHECK(ret); + CHECK(rustsecp256k1_v0_1_2_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature)); + +#if ENABLE_MODULE_ECDH + /* Test ECDH. */ + VALGRIND_MAKE_MEM_UNDEFINED(key, 32); + ret = rustsecp256k1_v0_1_2_ecdh(ctx, msg, &pubkey, key, NULL, NULL); + VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); + CHECK(ret == 1); +#endif + + VALGRIND_MAKE_MEM_UNDEFINED(key, 32); + ret = rustsecp256k1_v0_1_2_ec_seckey_verify(ctx, key); + VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); + CHECK(ret == 1); + + VALGRIND_MAKE_MEM_UNDEFINED(key, 32); + ret = rustsecp256k1_v0_1_2_ec_seckey_negate(ctx, key); + VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); + CHECK(ret == 1); + + VALGRIND_MAKE_MEM_UNDEFINED(key, 32); + VALGRIND_MAKE_MEM_UNDEFINED(msg, 32); + ret = rustsecp256k1_v0_1_2_ec_seckey_tweak_add(ctx, key, msg); + VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); + CHECK(ret == 1); + + VALGRIND_MAKE_MEM_UNDEFINED(key, 32); + VALGRIND_MAKE_MEM_UNDEFINED(msg, 32); + ret = rustsecp256k1_v0_1_2_ec_seckey_tweak_mul(ctx, key, msg); + VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); + CHECK(ret == 1); + + /* Test context randomisation. Do this last because it leaves the context tainted. */ + VALGRIND_MAKE_MEM_UNDEFINED(key, 32); + ret = rustsecp256k1_v0_1_2_context_randomize(ctx, key); + VALGRIND_MAKE_MEM_DEFINED(&ret, sizeof(ret)); + CHECK(ret); + + rustsecp256k1_v0_1_2_context_destroy(ctx); + return 0; +} diff --git a/secp256k1-sys/src/lib.rs b/secp256k1-sys/src/lib.rs index a7792351e..3aaa808a3 100644 --- a/secp256k1-sys/src/lib.rs +++ b/secp256k1-sys/src/lib.rs @@ -138,91 +138,91 @@ impl Default for Signature { #[cfg(not(feature = "fuzztarget"))] extern "C" { /// Default ECDH hash function - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_ecdh_hash_function_default")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_ecdh_hash_function_default")] pub static secp256k1_ecdh_hash_function_default: EcdhHashFn; - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_nonce_function_rfc6979")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_nonce_function_rfc6979")] pub static secp256k1_nonce_function_rfc6979: NonceFn; - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_nonce_function_default")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_nonce_function_default")] pub static secp256k1_nonce_function_default: NonceFn; - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_context_no_precomp")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_context_no_precomp")] pub static secp256k1_context_no_precomp: *const Context; // Contexts - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_context_preallocated_size")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_context_preallocated_size")] pub fn secp256k1_context_preallocated_size(flags: c_uint) -> size_t; - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_context_preallocated_create")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_context_preallocated_create")] pub fn secp256k1_context_preallocated_create(prealloc: *mut c_void, flags: c_uint) -> *mut Context; - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_context_preallocated_destroy")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_context_preallocated_destroy")] pub fn secp256k1_context_preallocated_destroy(cx: *mut Context); - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_context_preallocated_clone_size")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_context_preallocated_clone_size")] pub fn secp256k1_context_preallocated_clone_size(cx: *const Context) -> size_t; - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_context_preallocated_clone")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_context_preallocated_clone")] pub fn secp256k1_context_preallocated_clone(cx: *const Context, prealloc: *mut c_void) -> *mut Context; - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_context_randomize")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_context_randomize")] pub fn secp256k1_context_randomize(cx: *mut Context, seed32: *const c_uchar) -> c_int; // Pubkeys - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_ec_pubkey_parse")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_ec_pubkey_parse")] pub fn secp256k1_ec_pubkey_parse(cx: *const Context, pk: *mut PublicKey, input: *const c_uchar, in_len: size_t) -> c_int; - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_ec_pubkey_serialize")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_ec_pubkey_serialize")] pub fn secp256k1_ec_pubkey_serialize(cx: *const Context, output: *mut c_uchar, out_len: *mut size_t, pk: *const PublicKey, compressed: c_uint) -> c_int; // Signatures - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_ecdsa_signature_parse_der")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_ecdsa_signature_parse_der")] pub fn secp256k1_ecdsa_signature_parse_der(cx: *const Context, sig: *mut Signature, input: *const c_uchar, in_len: size_t) -> c_int; - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_ecdsa_signature_parse_compact")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_ecdsa_signature_parse_compact")] pub fn secp256k1_ecdsa_signature_parse_compact(cx: *const Context, sig: *mut Signature, input64: *const c_uchar) -> c_int; - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_ecdsa_signature_parse_der_lax")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_ecdsa_signature_parse_der_lax")] pub fn ecdsa_signature_parse_der_lax(cx: *const Context, sig: *mut Signature, input: *const c_uchar, in_len: size_t) -> c_int; - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_ecdsa_signature_serialize_der")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_ecdsa_signature_serialize_der")] pub fn secp256k1_ecdsa_signature_serialize_der(cx: *const Context, output: *mut c_uchar, out_len: *mut size_t, sig: *const Signature) -> c_int; - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_ecdsa_signature_serialize_compact")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_ecdsa_signature_serialize_compact")] pub fn secp256k1_ecdsa_signature_serialize_compact(cx: *const Context, output64: *mut c_uchar, sig: *const Signature) -> c_int; - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_ecdsa_signature_normalize")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_ecdsa_signature_normalize")] pub fn secp256k1_ecdsa_signature_normalize(cx: *const Context, out_sig: *mut Signature, in_sig: *const Signature) -> c_int; // ECDSA - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_ecdsa_verify")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_ecdsa_verify")] pub fn secp256k1_ecdsa_verify(cx: *const Context, sig: *const Signature, msg32: *const c_uchar, pk: *const PublicKey) -> c_int; - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_ecdsa_sign")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_ecdsa_sign")] pub fn secp256k1_ecdsa_sign(cx: *const Context, sig: *mut Signature, msg32: *const c_uchar, @@ -232,54 +232,69 @@ extern "C" { -> c_int; // EC - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_ec_seckey_verify")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_ec_seckey_verify")] pub fn secp256k1_ec_seckey_verify(cx: *const Context, sk: *const c_uchar) -> c_int; - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_ec_pubkey_create")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_ec_pubkey_create")] pub fn secp256k1_ec_pubkey_create(cx: *const Context, pk: *mut PublicKey, sk: *const c_uchar) -> c_int; //TODO secp256k1_ec_privkey_export //TODO secp256k1_ec_privkey_import - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_ec_privkey_tweak_add")] + #[deprecated(since = "0.1.3",note = "Please use the secp256k1_ec_seckey_tweak_add function instead")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_ec_privkey_tweak_add")] pub fn secp256k1_ec_privkey_tweak_add(cx: *const Context, sk: *mut c_uchar, tweak: *const c_uchar) -> c_int; - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_ec_pubkey_tweak_add")] + + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_ec_seckey_tweak_add")] + pub fn secp256k1_ec_seckey_tweak_add(cx: *const Context, + sk: *mut c_uchar, + tweak: *const c_uchar) + -> c_int; + + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_ec_pubkey_tweak_add")] pub fn secp256k1_ec_pubkey_tweak_add(cx: *const Context, pk: *mut PublicKey, tweak: *const c_uchar) -> c_int; - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_ec_privkey_tweak_mul")] + #[deprecated(since = "0.1.3",note = "Please use the secp256k1_ec_seckey_tweak_mul function instead")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_ec_privkey_tweak_mul")] pub fn secp256k1_ec_privkey_tweak_mul(cx: *const Context, sk: *mut c_uchar, tweak: *const c_uchar) -> c_int; - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_ec_pubkey_tweak_mul")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_ec_seckey_tweak_mul")] + pub fn secp256k1_ec_seckey_tweak_mul(cx: *const Context, + sk: *mut c_uchar, + tweak: *const c_uchar) + -> c_int; + + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_ec_pubkey_tweak_mul")] pub fn secp256k1_ec_pubkey_tweak_mul(cx: *const Context, pk: *mut PublicKey, tweak: *const c_uchar) -> c_int; - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_ec_pubkey_combine")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_ec_pubkey_combine")] pub fn secp256k1_ec_pubkey_combine(cx: *const Context, out: *mut PublicKey, ins: *const *const PublicKey, n: c_int) -> c_int; - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_ecdh")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_ecdh")] pub fn secp256k1_ecdh( cx: *const Context, output: *mut c_uchar, pubkey: *const PublicKey, - privkey: *const c_uchar, + seckey: *const c_uchar, hashfp: EcdhHashFn, data: *mut c_void, ) -> c_int; @@ -296,7 +311,7 @@ extern "C" { // In: flags: which parts of the context to initialize. #[no_mangle] #[cfg(all(feature = "std", not(feature = "external-symbols")))] -pub unsafe extern "C" fn rustsecp256k1_v0_1_1_context_create(flags: c_uint) -> *mut Context { +pub unsafe extern "C" fn rustsecp256k1_v0_1_2_context_create(flags: c_uint) -> *mut Context { use std::mem; assert!(mem::align_of::() >= mem::align_of::()); assert_eq!(mem::size_of::(), mem::size_of::<&usize>()); @@ -314,7 +329,7 @@ pub unsafe extern "C" fn rustsecp256k1_v0_1_1_context_create(flags: c_uint) -> * #[cfg(all(feature = "std", not(feature = "external-symbols")))] pub unsafe fn secp256k1_context_create(flags: c_uint) -> *mut Context { - rustsecp256k1_v0_1_1_context_create(flags) + rustsecp256k1_v0_1_2_context_create(flags) } /// A reimplementation of the C function `secp256k1_context_destroy` in rust. @@ -325,7 +340,7 @@ pub unsafe fn secp256k1_context_create(flags: c_uint) -> *mut Context { /// #[no_mangle] #[cfg(all(feature = "std", not(feature = "external-symbols")))] -pub unsafe extern "C" fn rustsecp256k1_v0_1_1_context_destroy(ctx: *mut Context) { +pub unsafe extern "C" fn rustsecp256k1_v0_1_2_context_destroy(ctx: *mut Context) { secp256k1_context_preallocated_destroy(ctx); let ctx: *mut usize = ctx as *mut usize; @@ -337,7 +352,7 @@ pub unsafe extern "C" fn rustsecp256k1_v0_1_1_context_destroy(ctx: *mut Context) #[cfg(all(feature = "std", not(feature = "external-symbols")))] pub unsafe fn secp256k1_context_destroy(ctx: *mut Context) { - rustsecp256k1_v0_1_1_context_destroy(ctx) + rustsecp256k1_v0_1_2_context_destroy(ctx) } @@ -361,7 +376,7 @@ pub unsafe fn secp256k1_context_destroy(ctx: *mut Context) { /// #[no_mangle] #[cfg(not(feature = "external-symbols"))] -pub unsafe extern "C" fn rustsecp256k1_v0_1_1_default_illegal_callback_fn(message: *const c_char, _data: *mut c_void) { +pub unsafe extern "C" fn rustsecp256k1_v0_1_2_default_illegal_callback_fn(message: *const c_char, _data: *mut c_void) { use core::str; let msg_slice = slice::from_raw_parts(message as *const u8, strlen(message)); let msg = str::from_utf8_unchecked(msg_slice); @@ -384,7 +399,7 @@ pub unsafe extern "C" fn rustsecp256k1_v0_1_1_default_illegal_callback_fn(messag /// #[no_mangle] #[cfg(not(feature = "external-symbols"))] -pub unsafe extern "C" fn rustsecp256k1_v0_1_1_default_error_callback_fn(message: *const c_char, _data: *mut c_void) { +pub unsafe extern "C" fn rustsecp256k1_v0_1_2_default_error_callback_fn(message: *const c_char, _data: *mut c_void) { use core::str; let msg_slice = slice::from_raw_parts(message as *const u8, strlen(message)); let msg = str::from_utf8_unchecked(msg_slice); @@ -405,7 +420,7 @@ unsafe fn strlen(mut str_ptr: *const c_char) -> usize { /// A trait for producing pointers that will always be valid in C. (assuming NULL pointer is a valid no-op) /// Rust doesn't promise what pointers does it give to ZST (https://doc.rust-lang.org/nomicon/exotic-sizes.html#zero-sized-types-zsts) /// In case the type is empty this trait will give a NULL pointer, which should be handled in C. -/// +/// pub trait CPtr { type Target; fn as_c_ptr(&self) -> *const Self::Target; @@ -448,9 +463,9 @@ mod fuzz_dummy { pub static secp256k1_context_no_precomp: &Context = &Context(0); extern "C" { - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_ecdh_hash_function_default")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_ecdh_hash_function_default")] pub static secp256k1_ecdh_hash_function_default: EcdhHashFn; - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_nonce_function_rfc6979")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_nonce_function_rfc6979")] pub static secp256k1_nonce_function_rfc6979: NonceFn; } @@ -695,10 +710,18 @@ mod fuzz_dummy { //TODO secp256k1_ec_privkey_import /// Copies the first 16 bytes of tweak into the last 16 bytes of sk + #[deprecated(since = "0.1.3",note = "Please use the secp256k1_ec_seckey_tweak_add function instead")] pub unsafe fn secp256k1_ec_privkey_tweak_add(cx: *const Context, sk: *mut c_uchar, tweak: *const c_uchar) -> c_int { + secp256k1_ec_seckey_tweak_add(cx, sk, tweak) + } + + pub unsafe fn secp256k1_ec_seckey_tweak_add(cx: *const Context, + sk: *mut c_uchar, + tweak: *const c_uchar) + -> c_int { assert!(!cx.is_null() && (*cx).0 as u32 & !(SECP256K1_START_NONE | SECP256K1_START_VERIFY | SECP256K1_START_SIGN) == 0); if secp256k1_ec_seckey_verify(cx, sk) != 1 { return 0; } ptr::copy(tweak.offset(16), sk.offset(16), 16); @@ -721,10 +744,19 @@ mod fuzz_dummy { } /// Copies the last 16 bytes of tweak into the last 16 bytes of sk + #[deprecated(since = "0.1.3",note = "Please use the secp256k1_ec_seckey_tweak_mul function instead")] pub unsafe fn secp256k1_ec_privkey_tweak_mul(cx: *const Context, sk: *mut c_uchar, tweak: *const c_uchar) -> c_int { + secp256k1_ec_seckey_tweak_mul(cx, sk, tweak) + } + + /// Copies the last 16 bytes of tweak into the last 16 bytes of sk + pub unsafe fn secp256k1_ec_seckey_tweak_mul(cx: *const Context, + sk: *mut c_uchar, + tweak: *const c_uchar) + -> c_int { assert!(!cx.is_null() && (*cx).0 as u32 & !(SECP256K1_START_NONE | SECP256K1_START_VERIFY | SECP256K1_START_SIGN) == 0); if secp256k1_ec_seckey_verify(cx, sk) != 1 { return 0; } ptr::copy(tweak.offset(16), sk.offset(16), 16); diff --git a/secp256k1-sys/src/recovery.rs b/secp256k1-sys/src/recovery.rs index 4e5d2b983..d7f45e815 100644 --- a/secp256k1-sys/src/recovery.rs +++ b/secp256k1-sys/src/recovery.rs @@ -41,21 +41,21 @@ impl Default for RecoverableSignature { #[cfg(not(feature = "fuzztarget"))] extern "C" { - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_parse_compact")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_parse_compact")] pub fn secp256k1_ecdsa_recoverable_signature_parse_compact(cx: *const Context, sig: *mut RecoverableSignature, input64: *const c_uchar, recid: c_int) -> c_int; - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_serialize_compact")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_serialize_compact")] pub fn secp256k1_ecdsa_recoverable_signature_serialize_compact(cx: *const Context, output64: *mut c_uchar, recid: *mut c_int, sig: *const RecoverableSignature) -> c_int; - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_ecdsa_recoverable_signature_convert")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_ecdsa_recoverable_signature_convert")] pub fn secp256k1_ecdsa_recoverable_signature_convert(cx: *const Context, sig: *mut Signature, input: *const RecoverableSignature) -> c_int; - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_ecdsa_sign_recoverable")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_ecdsa_sign_recoverable")] pub fn secp256k1_ecdsa_sign_recoverable(cx: *const Context, sig: *mut RecoverableSignature, msg32: *const c_uchar, @@ -64,7 +64,7 @@ extern "C" { noncedata: *const c_void) -> c_int; - #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_1_ecdsa_recover")] + #[cfg_attr(not(feature = "external-symbols"), link_name = "rustsecp256k1_v0_1_2_ecdsa_recover")] pub fn secp256k1_ecdsa_recover(cx: *const Context, pk: *mut PublicKey, sig: *const RecoverableSignature, diff --git a/src/key.rs b/src/key.rs index ba1d22177..3c88ae39e 100644 --- a/src/key.rs +++ b/src/key.rs @@ -160,7 +160,7 @@ impl SecretKey { return Err(Error::InvalidTweak); } unsafe { - if ffi::secp256k1_ec_privkey_tweak_add( + if ffi::secp256k1_ec_seckey_tweak_add( ffi::secp256k1_context_no_precomp, self.as_mut_c_ptr(), other.as_c_ptr(), @@ -185,7 +185,7 @@ impl SecretKey { return Err(Error::InvalidTweak); } unsafe { - if ffi::secp256k1_ec_privkey_tweak_mul( + if ffi::secp256k1_ec_seckey_tweak_mul( ffi::secp256k1_context_no_precomp, self.as_mut_c_ptr(), other.as_c_ptr(),