Merge bitcoin#19228: Update libsecp256k1 subtree

e10439c scripted-diff: rename privkey with seckey in secp256k1 interface (Pieter Wuille)
ca8bc42 Drop --disable-jni from libsecp256k1 configure options (Pieter Wuille)
ddc2419 Update MSVC build config for libsecp256k1 (Pieter Wuille)
67f232b Squashed 'src/secp256k1/' changes from b19c000..2ed54da (Pieter Wuille)

Pull request description:

  It's been abound a year since the subtree was updated.

  Here is a list of the included PRs:

  * bitcoin-core/secp256k1#755: Recovery signing: add to constant time test, and eliminate non ct operators
  * bitcoin-core/secp256k1#754: Fix uninit values passed into cmov
  * bitcoin-core/secp256k1#752: autoconf: Use ":" instead of "dnl" as a noop
  * bitcoin-core/secp256k1#750: Add macOS to the CI
  * bitcoin-core/secp256k1#701: Make ec_ arithmetic more consistent and add documentation
  * bitcoin-core/secp256k1#732: Retry if r is zero during signing
  * bitcoin-core/secp256k1#742: Fix typo in ecmult_const_impl.h
  * bitcoin-core/secp256k1#740: Make recovery/main_impl.h non-executable
  * bitcoin-core/secp256k1#735: build: fix OpenSSL EC detection on macOS
  * bitcoin-core/secp256k1#728: Suppress a harmless variable-time optimization by clang in memczero
  * bitcoin-core/secp256k1#722: Context isn't freed in the ECDH benchmark
  * bitcoin-core/secp256k1#700: Allow overriding default flags
  * bitcoin-core/secp256k1#708: Constant-time behaviour test using valgrind memtest.
  * bitcoin-core/secp256k1#710: Eliminate harmless non-constant time operations on secret data.
  * bitcoin-core/secp256k1#718: Clarify that a secp256k1_ecdh_hash_function must return 0 or 1
  * bitcoin-core/secp256k1#714: doc: document the length requirements of output parameter.
  * bitcoin-core/secp256k1#682: Remove Java Native Interface
  * bitcoin-core/secp256k1#713: Docstrings
  * bitcoin-core/secp256k1#704: README: add a section for test coverage
  * bitcoin-core/secp256k1#709: Remove secret-dependant non-constant time operation in ecmult_const.
  * bitcoin-core/secp256k1#703: Overhaul README.md
  * bitcoin-core/secp256k1#689: Remove "except in benchmarks" exception for fp math
  * bitcoin-core/secp256k1#679: Add SECURITY.md
  * bitcoin-core/secp256k1#685: Fix issue where travis does not show the ./tests seed…
  * bitcoin-core/secp256k1#690: Add valgrind check to travis
  * bitcoin-core/secp256k1#678: Preventing compiler optimizations in benchmarks without a memory fence
  * bitcoin-core/secp256k1#688: Fix ASM setting in travis
  * bitcoin-core/secp256k1#684: Make no-float policy explicit
  * bitcoin-core/secp256k1#677: Remove note about heap allocation in secp256k1_ecmult_odd_multiples_table_storage_var
  * bitcoin-core/secp256k1#647: Increase robustness against UB in secp256k1_scalar_cadd_bit
  * bitcoin-core/secp256k1#664: Remove mention of ec_privkey_export because it doesn't exist
  * bitcoin-core/secp256k1#337: variable sized precomputed table for signing
  * bitcoin-core/secp256k1#661: Make ./configure string consistent
  * bitcoin-core/secp256k1#657: Fix a nit in the recovery tests
  * bitcoin-core/secp256k1#650: secp256k1/src/tests.c:  Properly handle sscanf return value
  * bitcoin-core/secp256k1#654: Fix typo (∞)
  * bitcoin-core/secp256k1#583: JNI: fix use sig array
  * bitcoin-core/secp256k1#644: Avoid optimizing out a verify_check
  * bitcoin-core/secp256k1#652: README.md: update instruction to run tests
  * bitcoin-core/secp256k1#651: Fix typo in secp256k1_preallocated.h
  * bitcoin-core/secp256k1#640: scalar_impl.h: fix includes
  * bitcoin-core/secp256k1#655: jni: Use only Guava for hex encoding and decoding
  * bitcoin-core/secp256k1#634: Add a descriptive comment for secp256k1_ecmult_const.
  * bitcoin-core/secp256k1#631: typo in comment for secp256k1_ec_pubkey_tweak_mul ()
  * bitcoin-core/secp256k1#629: Avoid calling _is_zero when _set_b32 fails.
  * bitcoin-core/secp256k1#630: Note intention of timing sidechannel freeness.
  * bitcoin-core/secp256k1#628: Fix ability to compile tests without -DVERIFY.
  * bitcoin-core/secp256k1#627: Guard memcmp in tests against mixed size inputs.
  * bitcoin-core/secp256k1#578: Avoid implementation-defined and undefined behavior when dealing with sizes
  * bitcoin-core/secp256k1#595: Allow to use external default callbacks
  * bitcoin-core/secp256k1#600: scratch space: use single allocation
  * bitcoin-core/secp256k1#592: Use trivial algorithm in ecmult_multi if scratch space is small
  * bitcoin-core/secp256k1#566: Enable context creation in preallocated memory
  * bitcoin-core/secp256k1#596: Make WINDOW_G configurable
  * bitcoin-core/secp256k1#561: Respect LDFLAGS and #undef STATIC_PRECOMPUTATION if using basic config
  * bitcoin-core/secp256k1#533: Make sure we're not using an uninitialized variable in secp256k1_wnaf_const(...)
  * bitcoin-core/secp256k1#617: Pass scalar by reference in secp256k1_wnaf_const()
  * bitcoin-core/secp256k1#619: Clear a copied secret key after negation
  * bitcoin-core/secp256k1#612: Allow field_10x26_arm.s to compile for ARMv7 architecture

ACKs for top commit:
  real-or-random:
    ACK e10439c I verified the diff (subtree matches my local tree, manual inspection of other commits) but I didn't tested the resulting code
  fanquake:
    ACK e10439c
  Sjors:
    ACK e10439c
  jonasnick:
    reACK e10439c

Tree-SHA512: eb6284a485da78e9d2ed3f771df85560d47c770ebf480a0d4121ab356ad26be101a2b973efe412f26e6c142bc1dbd2efbb5cc08774233e41918c59fe3dff3387

configure.ac

@@ -1634,7 +1634,7 @@ if test x$need_bundled_univalue = xyes; then
   AC_CONFIG_SUBDIRS([src/univalue])
 fi
 
-ac_configure_args="${ac_configure_args} --disable-shared --with-pic --enable-benchmark=no --with-bignum=no --enable-module-recovery --disable-jni"
+ac_configure_args="${ac_configure_args} --disable-shared --with-pic --enable-benchmark=no --with-bignum=no --enable-module-recovery"
 AC_CONFIG_SUBDIRS([src/secp256k1])
 
 AC_OUTPUT

src/key.cpp

@@ -32,46 +32,46 @@ static secp256k1_context* secp256k1_context_sign = nullptr;
  *
  * out32 must point to an output buffer of length at least 32 bytes.
  */
-static int ec_privkey_import_der(const secp256k1_context* ctx, unsigned char *out32, const unsigned char *privkey, size_t privkeylen) {
-    const unsigned char *end = privkey + privkeylen;
+static int ec_seckey_import_der(const secp256k1_context* ctx, unsigned char *out32, const unsigned char *seckey, size_t seckeylen) {
+    const unsigned char *end = seckey + seckeylen;
     memset(out32, 0, 32);
     /* sequence header */
-    if (end - privkey < 1 || *privkey != 0x30u) {
+    if (end - seckey < 1 || *seckey != 0x30u) {
         return 0;
     }
-    privkey++;
+    seckey++;
     /* sequence length constructor */
-    if (end - privkey < 1 || !(*privkey & 0x80u)) {
+    if (end - seckey < 1 || !(*seckey & 0x80u)) {
         return 0;
     }
-    ptrdiff_t lenb = *privkey & ~0x80u; privkey++;
+    ptrdiff_t lenb = *seckey & ~0x80u; seckey++;
     if (lenb < 1 || lenb > 2) {
         return 0;
     }
-    if (end - privkey < lenb) {
+    if (end - seckey < lenb) {
         return 0;
     }
     /* sequence length */
-    ptrdiff_t len = privkey[lenb-1] | (lenb > 1 ? privkey[lenb-2] << 8 : 0u);
-    privkey += lenb;
-    if (end - privkey < len) {
+    ptrdiff_t len = seckey[lenb-1] | (lenb > 1 ? seckey[lenb-2] << 8 : 0u);
+    seckey += lenb;
+    if (end - seckey < len) {
         return 0;
     }
     /* sequence element 0: version number (=1) */
-    if (end - privkey < 3 || privkey[0] != 0x02u || privkey[1] != 0x01u || privkey[2] != 0x01u) {
+    if (end - seckey < 3 || seckey[0] != 0x02u || seckey[1] != 0x01u || seckey[2] != 0x01u) {
         return 0;
     }
-    privkey += 3;
+    seckey += 3;
     /* sequence element 1: octet string, up to 32 bytes */
-    if (end - privkey < 2 || privkey[0] != 0x04u) {
+    if (end - seckey < 2 || seckey[0] != 0x04u) {
         return 0;
     }
-    ptrdiff_t oslen = privkey[1];
-    privkey += 2;
-    if (oslen > 32 || end - privkey < oslen) {
+    ptrdiff_t oslen = seckey[1];
+    seckey += 2;
+    if (oslen > 32 || end - seckey < oslen) {
         return 0;
     }
-    memcpy(out32 + (32 - oslen), privkey, oslen);
+    memcpy(out32 + (32 - oslen), seckey, oslen);
     if (!secp256k1_ec_seckey_verify(ctx, out32)) {
         memset(out32, 0, 32);
         return 0;
@@ -84,17 +84,17 @@ static int ec_privkey_import_der(const secp256k1_context* ctx, unsigned char *ou
  * <http://www.secg.org/sec1-v2.pdf>. The optional parameters and publicKey fields are
  * included.
  *
- * privkey must point to an output buffer of length at least CKey::SIZE bytes.
- * privkeylen must initially be set to the size of the privkey buffer. Upon return it
+ * seckey must point to an output buffer of length at least CKey::SIZE bytes.
+ * seckeylen must initially be set to the size of the seckey buffer. Upon return it
  * will be set to the number of bytes used in the buffer.
  * key32 must point to a 32-byte raw private key.
  */
-static int ec_privkey_export_der(const secp256k1_context *ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *key32, bool compressed) {
-    assert(*privkeylen >= CKey::SIZE);
+static int ec_seckey_export_der(const secp256k1_context *ctx, unsigned char *seckey, size_t *seckeylen, const unsigned char *key32, bool compressed) {
+    assert(*seckeylen >= CKey::SIZE);
     secp256k1_pubkey pubkey;
     size_t pubkeylen = 0;
     if (!secp256k1_ec_pubkey_create(ctx, &pubkey, key32)) {
-        *privkeylen = 0;
+        *seckeylen = 0;
         return 0;
     }
     if (compressed) {
@@ -112,15 +112,15 @@ static int ec_privkey_export_der(const secp256k1_context *ctx, unsigned char *pr
             0xFF,0xFF,0xFF,0xFF,0xFE,0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,0xBF,0xD2,0x5E,
             0x8C,0xD0,0x36,0x41,0x41,0x02,0x01,0x01,0xA1,0x24,0x03,0x22,0x00
         };
-        unsigned char *ptr = privkey;
+        unsigned char *ptr = seckey;
         memcpy(ptr, begin, sizeof(begin)); ptr += sizeof(begin);
         memcpy(ptr, key32, 32); ptr += 32;
         memcpy(ptr, middle, sizeof(middle)); ptr += sizeof(middle);
         pubkeylen = CPubKey::COMPRESSED_SIZE;
         secp256k1_ec_pubkey_serialize(ctx, ptr, &pubkeylen, &pubkey, SECP256K1_EC_COMPRESSED);
         ptr += pubkeylen;
-        *privkeylen = ptr - privkey;
-        assert(*privkeylen == CKey::COMPRESSED_SIZE);
+        *seckeylen = ptr - seckey;
+        assert(*seckeylen == CKey::COMPRESSED_SIZE);
     } else {
         static const unsigned char begin[] = {
             0x30,0x82,0x01,0x13,0x02,0x01,0x01,0x04,0x20
@@ -138,15 +138,15 @@ static int ec_privkey_export_der(const secp256k1_context *ctx, unsigned char *pr
             0xFF,0xFF,0xFF,0xFF,0xFE,0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,0xBF,0xD2,0x5E,
             0x8C,0xD0,0x36,0x41,0x41,0x02,0x01,0x01,0xA1,0x44,0x03,0x42,0x00
         };
-        unsigned char *ptr = privkey;
+        unsigned char *ptr = seckey;
         memcpy(ptr, begin, sizeof(begin)); ptr += sizeof(begin);
         memcpy(ptr, key32, 32); ptr += 32;
         memcpy(ptr, middle, sizeof(middle)); ptr += sizeof(middle);
         pubkeylen = CPubKey::SIZE;
         secp256k1_ec_pubkey_serialize(ctx, ptr, &pubkeylen, &pubkey, SECP256K1_EC_UNCOMPRESSED);
         ptr += pubkeylen;
-        *privkeylen = ptr - privkey;
-        assert(*privkeylen == CKey::SIZE);
+        *seckeylen = ptr - seckey;
+        assert(*seckeylen == CKey::SIZE);
     }
     return 1;
 }
@@ -166,20 +166,20 @@ void CKey::MakeNewKey(bool fCompressedIn) {
 bool CKey::Negate()
 {
     assert(fValid);
-    return secp256k1_ec_privkey_negate(secp256k1_context_sign, keydata.data());
+    return secp256k1_ec_seckey_negate(secp256k1_context_sign, keydata.data());
 }
 
 CPrivKey CKey::GetPrivKey() const {
     assert(fValid);
-    CPrivKey privkey;
+    CPrivKey seckey;
     int ret;
-    size_t privkeylen;
-    privkey.resize(SIZE);
-    privkeylen = SIZE;
-    ret = ec_privkey_export_der(secp256k1_context_sign, privkey.data(), &privkeylen, begin(), fCompressed);
+    size_t seckeylen;
+    seckey.resize(SIZE);
+    seckeylen = SIZE;
+    ret = ec_seckey_export_der(secp256k1_context_sign, seckey.data(), &seckeylen, begin(), fCompressed);
     assert(ret);
-    privkey.resize(privkeylen);
-    return privkey;
+    seckey.resize(seckeylen);
+    return seckey;
 }
 
 CPubKey CKey::GetPubKey() const {
@@ -259,8 +259,8 @@ bool CKey::SignCompact(const uint256 &hash, std::vector<unsigned char>& vchSig)
     return true;
 }
 
-bool CKey::Load(const CPrivKey &privkey, const CPubKey &vchPubKey, bool fSkipCheck=false) {
-    if (!ec_privkey_import_der(secp256k1_context_sign, (unsigned char*)begin(), privkey.data(), privkey.size()))
+bool CKey::Load(const CPrivKey &seckey, const CPubKey &vchPubKey, bool fSkipCheck=false) {
+    if (!ec_seckey_import_der(secp256k1_context_sign, (unsigned char*)begin(), seckey.data(), seckey.size()))
         return false;
     fCompressed = vchPubKey.IsCompressed();
     fValid = true;
@@ -285,7 +285,7 @@ bool CKey::Derive(CKey& keyChild, ChainCode &ccChild, unsigned int nChild, const
     }
     memcpy(ccChild.begin(), vout.data()+32, 32);
     memcpy((unsigned char*)keyChild.begin(), begin(), 32);
-    bool ret = secp256k1_ec_privkey_tweak_add(secp256k1_context_sign, (unsigned char*)keyChild.begin(), vout.data());
+    bool ret = secp256k1_ec_seckey_tweak_add(secp256k1_context_sign, (unsigned char*)keyChild.begin(), vout.data());
     keyChild.fCompressed = true;
     keyChild.fValid = ret;
     return ret;

src/secp256k1/.gitignore

@@ -9,6 +9,7 @@ bench_internal
 tests
 exhaustive_tests
 gen_context
+valgrind_ctime_test
 *.exe
 *.so
 *.a

src/secp256k1/.travis.yml

@@ -1,18 +1,23 @@
 language: c
-os: linux
+os:
+  - linux
+  - osx
+
+dist: bionic
+# Valgrind currently supports upto macOS 10.13, the latest xcode of that version is 10.1
+osx_image: xcode10.1
 addons:
   apt:
-    packages: libgmp-dev
+    packages:
+      - libgmp-dev
+      - valgrind
+      - libtool-bin
 compiler:
   - clang
   - gcc
-cache:
-  directories:
-  - src/java/guava/
 env:
   global:
-    - FIELD=auto  BIGNUM=auto  SCALAR=auto  ENDOMORPHISM=no  STATICPRECOMPUTATION=yes  ASM=no  BUILD=check  EXTRAFLAGS=  HOST=  ECDH=no  RECOVERY=no  EXPERIMENTAL=no  JNI=no
-    - GUAVA_URL=https://search.maven.org/remotecontent?filepath=com/google/guava/guava/18.0/guava-18.0.jar GUAVA_JAR=src/java/guava/guava-18.0.jar
+    - FIELD=auto  BIGNUM=auto  SCALAR=auto  ENDOMORPHISM=no  STATICPRECOMPUTATION=yes  ECMULTGENPRECISION=auto  ASM=no  BUILD=check  EXTRAFLAGS=  HOST=  ECDH=no  RECOVERY=no  EXPERIMENTAL=no CTIMETEST=yes BENCH=yes ITERS=2
   matrix:
     - SCALAR=32bit    RECOVERY=yes
     - SCALAR=32bit    FIELD=32bit       ECDH=yes  EXPERIMENTAL=yes
@@ -26,43 +31,78 @@ env:
     - BIGNUM=no
     - BIGNUM=no       ENDOMORPHISM=yes RECOVERY=yes EXPERIMENTAL=yes
     - BIGNUM=no       STATICPRECOMPUTATION=no
-    - BUILD=distcheck
-    - EXTRAFLAGS=CPPFLAGS=-DDETERMINISTIC
-    - EXTRAFLAGS=CFLAGS=-O0
-    - BUILD=check-java JNI=yes ECDH=yes EXPERIMENTAL=yes
+    - BUILD=distcheck CTIMETEST= BENCH=
+    - CPPFLAGS=-DDETERMINISTIC
+    - CFLAGS=-O0 CTIMETEST=
+    - ECMULTGENPRECISION=2
+    - ECMULTGENPRECISION=8
+    - VALGRIND=yes ENDOMORPHISM=yes BIGNUM=no ASM=x86_64 EXPERIMENTAL=yes ECDH=yes  RECOVERY=yes EXTRAFLAGS="--disable-openssl-tests" CPPFLAGS=-DVALGRIND BUILD=
+    - VALGRIND=yes                  BIGNUM=no ASM=x86_64 EXPERIMENTAL=yes ECDH=yes  RECOVERY=yes EXTRAFLAGS="--disable-openssl-tests" CPPFLAGS=-DVALGRIND BUILD=
 matrix:
   fast_finish: true
   include:
     - compiler: clang
+      os: linux
       env: HOST=i686-linux-gnu ENDOMORPHISM=yes
       addons:
         apt:
           packages:
             - gcc-multilib
             - libgmp-dev:i386
+            - valgrind
+            - libtool-bin
+            - libc6-dbg:i386
     - compiler: clang
       env: HOST=i686-linux-gnu
+      os: linux
       addons:
         apt:
           packages:
             - gcc-multilib
+            - valgrind
+            - libtool-bin
+            - libc6-dbg:i386
     - compiler: gcc
       env: HOST=i686-linux-gnu ENDOMORPHISM=yes
+      os: linux
       addons:
         apt:
           packages:
             - gcc-multilib
+            - valgrind
+            - libtool-bin
+            - libc6-dbg:i386
     - compiler: gcc
+      os: linux
       env: HOST=i686-linux-gnu
       addons:
         apt:
           packages:
             - gcc-multilib
             - libgmp-dev:i386
-before_install: mkdir -p `dirname $GUAVA_JAR`
-install: if [ ! -f $GUAVA_JAR ]; then wget $GUAVA_URL -O $GUAVA_JAR; fi
+            - valgrind
+            - libtool-bin
+            - libc6-dbg:i386
+
+# We use this to install macOS dependencies instead of the built in `homebrew` plugin,
+# because in xcode earlier than 11 they have a bug requiring updating the system which overall takes ~8 minutes.
+# https://travis-ci.community/t/macos-build-fails-because-of-homebrew-bundle-unknown-command/7296
+before_install:
+ - if [ "${TRAVIS_OS_NAME}" = "osx" ]; then HOMEBREW_NO_AUTO_UPDATE=1 brew install gmp valgrind gcc@9; fi
+
 before_script: ./autogen.sh
+
+# travis auto terminates jobs that go for 10 minutes without printing to stdout, but travis_wait doesn't work well with forking programs like valgrind (https://docs.travis-ci.com/user/common-build-problems/#build-times-out-because-no-output-was-received https://github.com/bitcoin-core/secp256k1/pull/750#issuecomment-623476860)
 script:
- - if [ -n "$HOST" ]; then export USE_HOST="--host=$HOST"; fi
- - if [ "x$HOST" = "xi686-linux-gnu" ]; then export CC="$CC -m32"; fi
- - ./configure --enable-experimental=$EXPERIMENTAL --enable-endomorphism=$ENDOMORPHISM --with-field=$FIELD --with-bignum=$BIGNUM --with-scalar=$SCALAR --enable-ecmult-static-precomputation=$STATICPRECOMPUTATION --enable-module-ecdh=$ECDH --enable-module-recovery=$RECOVERY --enable-jni=$JNI $EXTRAFLAGS $USE_HOST && make -j2 $BUILD
+  - function keep_alive() { while true; do echo -en "\a"; sleep 60; done }
+  - keep_alive &
+  - ./contrib/travis.sh
+  - kill %keep_alive
+
+after_script:
+    - cat ./tests.log
+    - cat ./exhaustive_tests.log
+    - cat ./valgrind_ctime_test.log
+    - cat ./bench.log
+    - $CC --version
+    - valgrind --version