Squashed 'src/secp256k1/' changes from 0b70241850..b19c000063

b19c000063 Merge #607: Use size_t shifts when computing a size_t
4d01bc2d9c Merge #606: travis: Remove unused sudo:false
e6d01e9347 Use size_t shifts when computing a size_t
7667532bd7 travis: Remove unused sudo:false
ee99f12f3d Merge #599: Switch x86_64 asm to use "i" instead of "n" for immediate values.
d58bc93f2c Switch x86_64 asm to use "i" instead of "n" for immediate values.
05362ee042 Merge #597: Add $(COMMON_LIB) to exhaustive tests to fix ARM asm build
83483869ac Add $(COMMON_LIB) to exhaustive tests to fix ARM asm build
aa15154a48 Merge #568: Fix integer overflow in ecmult_multi_var when n is large
2277af5ff0 Fix integer overflow in ecmult_multi_var when n is large
85d0e1bcce Merge #591: Make bench_internal obey secp256k1_fe_sqrt's contract wrt aliasing.
14196379ec Merge #580: Add trivial ecmult_multi algorithm which does not require a scratch space
a697d82da9 Add trivial ecmult_multi to the benchmark tool
bade617417 Add trivial ecmult_multi algorithm. It is selected when no scratch space is given and just multiplies and adds the points.
5545e13dea Merge #584: configure: Use CFLAGS_FOR_BUILD when checking native compiler
20c5869df2 Merge #516: improvements to random seed in src/tests.c
b76e45d5d6 Make bench_internal obey secp256k1_fe_sqrt's contract wrt aliasing.
870a977644 Merge #562: Make use of TAG_PUBKEY constants in secp256k1_eckey_pubkey_parse
be40c4d0b5 Fixup for C90 mixed declarations.
c71dd2c08f Merge #509: Fix algorithm selection in bench_ecmult
6492bf88cc Merge #518: Summarize build options after running configure
0e9ada1941 Merge #567: Correct order of libs returned on pkg-config --libs --static libsecp2…
e96901a4b9 Merge #587: Make randomization of a non-signing context a noop
58df8d03ad Merge #511: Portability fix for the configure scripts generated
2ebdad772a Merge #552: Make constants static:
1c131affd3 Merge #551: secp256k1_fe_sqrt: Verify that the arguments don't alias.
ba698f883b Merge #539: Assorted minor corrections
949e85b009 Merge #550: Optimize secp256k1_fe_normalize_weak calls.
a34bcaadf1 Actually pass CFLAGS_FOR_BUILD and LDFLAGS_FOR_BUILD to linker
2d5f4cebdc configure: Use CFLAGS_FOR_BUILD when checking native compiler
b408c6a8b2 Merge #579: Use __GNUC_PREREQ for detecting __builtin_expect
6198375218 Make randomization of a non-signing context a noop
c663397f46 Use __GNUC_PREREQ for detecting __builtin_expect
e34ceb333b Merge #557: Eliminate scratch memory used when generating contexts
b3bf5f99a3 ecmult_impl: expand comment to explain how effective affine interacts with everything
efa783f8f0 Store z-ratios in the 'x' coord they'll recover
ffd3b346fe add `secp256k1_ge_set_all_gej_var` test which deals with many infinite points
84740acd2a ecmult_impl: save one fe_inv_var
47045270fa ecmult_impl: eliminate scratch memory used when generating context
7f7a2ed3a8 ecmult_gen_impl: eliminate scratch memory used when generating context
314a61d724 Merge #553: add static context object which has no capabilities
89a20a8945 Correct order of libs returned on pkg-config --libs --static libsecp256k1 call.
1086fda4c1 Merge #354: [ECDH API change] Support custom hash function
d3cb1f95eb Make use of TAG_PUBKEY constants in secp256k1_eckey_pubkey_parse
40fde611bd prevent attempts to modify `secp256k1_context_no_precomp`
ed7c08417a add static context object which has no capabilities
496c5b43b8 Make constants static: static const secp256k1_ge secp256k1_ge_const_g; static const int CURVE_B;
bf8b86cc07 secp256k1_fe_sqrt: Verify that the arguments don't alias.
9bd89c836b Optimize secp256k1_fe_normalize_weak calls. Move secp256k1_fe_normalize_weak calls out of ECMULT_TABLE_GET_GE and ECMULT_TABLE_GET_GE_STORAGE and into secp256k1_ge_globalz_set_table_gej instead.
52ab96fedb clean dependendies in field_*_impl.h
deff5edd42 Correct math typos in field_*.h
4efb3f8dd1 Add check that restrict pointers don't alias with all parameters.
1e6f1f5ad5 Merge #529: fix tests.c in the count == 0 case
c8fbc3c397 [ECDH API change] Allow pass arbitrary data to hash function
b00be65056 [ECDH API change] Support custom hash function
95e99f196f fix tests.c in the count == 0 case
452d8e4d2a Merge #523: scratch: add stack frame support
6fe50439ae scratch: add stack frame support
9bc2e26502 Merge #522: parameterize ecmult_const over input size
7c1b91ba4b parameterize ecmult_const over input size
dbc3ddd5e2 Merge #513: Increase sparsity of pippenger fixed window naf representation
3965027c81 Summarize build options in configure script
0f0517369c Fix algorithm selection in bench_ecmult
fb9271dcf0 Merge #510: add a couple missing `const`s to ecmult_pippenger_wnaf
cd5f6028e5 Merge #515: Fix typo
09146ae854 Merge #512: secp256k1_ec_privkey_negate - fix documentation
ec0a7b3ae3 Don't touch leading zeros in wnaf_fixed.
9e36d1bfe2 Fix bug in wnaf_fixed where the wnaf array is not completely zeroed when given a 0 scalar.
96f68a0afc Don't invert scalar in wnaf_fixed when it is even because a caller might intentionally give a scalar with many leading zeros.
8b3841c91d fix bug in fread() failure check
cddef0c0be tests: add warning message when /dev/urandom fails
9b7c47a21e Fix typo
6dbb007869 Increase sparsity of pippenger fixed window naf representation
1646ace4d5 secp256k1_ec_privkey_negate - fix documentation
270f6c80db Portability fix for the configure scripts generated
9b3ff0309d add a couple missing `const`s to ecmult_pippenger_wnaf
cd329dbc3e Merge #460: [build] Update ax_jni_include_dir.m4 macro
7f9c1a1565 Merge #498: tests: Avoid calling fclose(...) with an invalid argument
f99aa8d4d3 Merge #499: tests: Make sure we get the requested number of bytes from /dev/urandom
b549d3d5f7 Merge #472: [build] Set --enable-jni to no by default instead of auto.
d333521516 Merge #494: Support OpenSSL versions >= 1.1 for ENABLE_OPENSSL_TESTS
2ef8ea5d21 Merge #495: Add bench_ecmult to .gitignore
82a96e4587 tests: Make sure we get the requested number of bytes from /dev/urandom
5aae5b5bb2 Avoid calling fclose(...) with an invalid argument
cb32940df3 Add bench_ecmult to .gitignore
31abd3ab8d Support OpenSSL versions >= 1.1 for ENABLE_OPENSSL_TESTS
c95f6f1360 Merge #487: fix tests typo, s/changed/unchanged
fb46c83881 Merge #463: Reduce usage of hardcoded size constants
02f5001dfc Merge #490: Disambiguate bench functions and types
1f46d6089e Disambiguate bench functions and types
f54c6c5083 Merge #480: Enable benchmark building by default
c77fc08597 Merge #486: Add pippenger_wnaf for multi-multiplication
d2f9c6b5dc Use more precise pippenger bucket windows
4c950bbeaf Save some additions per window in _pippenger_wnaf
a58f543f5a Add flags for choosing algorithm in ecmult_multi benchmark
36b22c9337 Use scratch space dependent batching in ecmult_multi
355a38f113 Add pippenger_wnaf ecmult_multi
bc65aa794e Add bench_ecmult
dba5471b69 Add ecmult_multi tests
8c1c831bdb Generalize Strauss to support multiple points
548de42ecf add resizeable scratch space API
0e96cdc6b6 fix typo, s/changed/unchanged
c7680e570f Reduce usage of hardcoded size constants
6ad5cdb42a Merge #479: Get rid of reserved _t in type names
7a78f60598 Print whether we're building benchmarks
4afec9f1ae Build benchmarks by default
d1dc9dfc0a Get rid of reserved _t in type names
57752d28b3 [build] Set --enable-jni to no by default instead of auto.
e7daa9b3c2 [build] Tweak JNI macro to warn instead of error for JNI not found.
5b22977922 [build] Update ax_jni_include_dir.m4 macro to deal with recent versions of macOS

git-subtree-dir: src/secp256k1
git-subtree-split: b19c000063be11018b4d1a6b0a85871ab9d0bdcf

include/secp256k1.h

@@ -42,6 +42,19 @@ extern "C" {
  */
 typedef struct secp256k1_context_struct secp256k1_context;
 
+/** Opaque data structure that holds rewriteable "scratch space"
+ *
+ *  The purpose of this structure is to replace dynamic memory allocations,
+ *  because we target architectures where this may not be available. It is
+ *  essentially a resizable (within specified parameters) block of bytes,
+ *  which is initially created either by memory allocation or TODO as a pointer
+ *  into some fixed rewritable space.
+ *
+ *  Unlike the context object, this cannot safely be shared between threads
+ *  without additional synchronization logic.
+ */
+typedef struct secp256k1_scratch_space_struct secp256k1_scratch_space;
+
 /** Opaque data structure that holds a parsed and valid public key.
  *
  *  The exact representation of data inside is implementation defined and not
@@ -166,6 +179,13 @@ typedef int (*secp256k1_nonce_function)(
 #define SECP256K1_TAG_PUBKEY_HYBRID_EVEN 0x06
 #define SECP256K1_TAG_PUBKEY_HYBRID_ODD 0x07
 
+/** A simple secp256k1 context object with no precomputed tables. These are useful for
+ *  type serialization/parsing functions which require a context object to maintain
+ *  API consistency, but currently do not require expensive precomputations or dynamic
+ *  allocations.
+ */
+SECP256K1_API extern const secp256k1_context *secp256k1_context_no_precomp;
+
 /** Create a secp256k1 context object.
  *
  *  Returns: a newly created context object.
@@ -243,6 +263,26 @@ SECP256K1_API void secp256k1_context_set_error_callback(
     const void* data
 ) SECP256K1_ARG_NONNULL(1);
 
+/** Create a secp256k1 scratch space object.
+ *
+ *  Returns: a newly created scratch space.
+ *  Args: ctx:  an existing context object (cannot be NULL)
+ *  In:   max_size: maximum amount of memory to allocate
+ */
+SECP256K1_API SECP256K1_WARN_UNUSED_RESULT secp256k1_scratch_space* secp256k1_scratch_space_create(
+    const secp256k1_context* ctx,
+    size_t max_size
+) SECP256K1_ARG_NONNULL(1);
+
+/** Destroy a secp256k1 scratch space.
+ *
+ *  The pointer may not be used afterwards.
+ *  Args:   scratch: space to destroy
+ */
+SECP256K1_API void secp256k1_scratch_space_destroy(
+    secp256k1_scratch_space* scratch
+);
+
 /** Parse a variable-length public key into the pubkey object.
  *
  *  Returns: 1 if the public key was fully valid.
@@ -498,7 +538,7 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(
  *
  *  Returns: 1 always
  *  Args:   ctx:        pointer to a context object
- *  In/Out: pubkey:     pointer to the public key to be negated (cannot be NULL)
+ *  In/Out: seckey:     pointer to the 32-byte private key to be negated (cannot be NULL)
  */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_negate(
     const secp256k1_context* ctx,
@@ -575,7 +615,7 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);
 
 /** Updates the context randomization to protect against side-channel leakage.
- *  Returns: 1: randomization successfully updated
+ *  Returns: 1: randomization successfully updated or nothing to randomize
  *           0: error
  *  Args:    ctx:       pointer to a context object (cannot be NULL)
  *  In:      seed32:    pointer to a 32-byte random seed (NULL resets to initial state)
@@ -590,6 +630,11 @@ SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(
  * that it does not affect function results, but shields against attacks which
  * rely on any input-dependent behaviour.
  *
+ * This function has currently an effect only on contexts initialized for signing
+ * because randomization is currently used only for signing. However, this is not
+ * guaranteed and may change in the future. It is safe to call this function on
+ * contexts not initialized for signing; then it will have no effect and return 1.
+ *
  * You should call this after secp256k1_context_create or
  * secp256k1_context_clone, and may call this repeatedly afterwards.
  */

include/secp256k1_ecdh.h

@@ -7,21 +7,45 @@
 extern "C" {
 #endif
 
+/** A pointer to a function that applies hash function to a point
+ *
+ *  Returns: 1 if a point was successfully hashed. 0 will cause ecdh to fail
+ *  Out:    output:     pointer to an array to be filled by the function
+ *  In:     x:          pointer to a 32-byte x coordinate
+ *          y:          pointer to a 32-byte y coordinate
+ *          data:       Arbitrary data pointer that is passed through
+ */
+typedef int (*secp256k1_ecdh_hash_function)(
+  unsigned char *output,
+  const unsigned char *x,
+  const unsigned char *y,
+  void *data
+);
+
+/** An implementation of SHA256 hash function that applies to compressed public key. */
+SECP256K1_API extern const secp256k1_ecdh_hash_function secp256k1_ecdh_hash_function_sha256;
+
+/** A default ecdh hash function (currently equal to secp256k1_ecdh_hash_function_sha256). */
+SECP256K1_API extern const secp256k1_ecdh_hash_function secp256k1_ecdh_hash_function_default;
+
 /** Compute an EC Diffie-Hellman secret in constant time
  *  Returns: 1: exponentiation was successful
  *           0: scalar was invalid (zero or overflow)
  *  Args:    ctx:        pointer to a context object (cannot be NULL)
- *  Out:     result:     a 32-byte array which will be populated by an ECDH
- *                       secret computed from the point and scalar
+ *  Out:     output:     pointer to an array to be filled by the function
  *  In:      pubkey:     a pointer to a secp256k1_pubkey containing an
  *                       initialized public key
  *           privkey:    a 32-byte scalar with which to multiply the point
+ *           hashfp:     pointer to a hash function. If NULL, secp256k1_ecdh_hash_function_sha256 is used
+ *           data:       Arbitrary data pointer that is passed through
  */
 SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdh(
   const secp256k1_context* ctx,
-  unsigned char *result,
+  unsigned char *output,
   const secp256k1_pubkey *pubkey,
-  const unsigned char *privkey
+  const unsigned char *privkey,
+  secp256k1_ecdh_hash_function hashfp,
+  void *data
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4);
 
 #ifdef __cplusplus