Add usage examples #748

pull elichai wants to merge 6 commits into bitcoin-core:master from elichai:2020-04-examples changing 11 files +658 −0
  1. elichai commented at 12:12 pm on April 30, 2020: contributor

    Resolves #184

    I didn’t add a sign/verify/recover example yet because I’d prefer that the example included hashing a message, but we don’t provide a hash function so I decided to start only with key generation and ECDH, and get feedback.

    I did not check the example on windows, but did try to implement it correctly, if anyone has access to a windows machine(and knows how to build on windows hehe) please test this :)

    P.S. Should the usage examples be MIT or CC0(Public Domain)?

  2. elichai force-pushed on Apr 30, 2020
  3. elichai renamed this:
    Add usage example
    Add usage examples
    on Apr 30, 2020
  4. in examples/ecdh.c:33 in 2e7decf546 outdated
    28+    secp256k1_pubkey pubkey2;
    29+    secp256k1_context* ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
    30+    while (1) {
    31+        if (!fill_random(seckey1, sizeof(seckey1)) || !fill_random(seckey2, sizeof(seckey2))) {
    32+            printf("Failed to generate randomness\n");
    33+                return 1;
    


    jonasnick commented at 5:39 pm on April 30, 2020:
    indentation

    elichai commented at 7:30 pm on May 2, 2020:
    Thanks. Done
  5. in examples/random.h:30 in 2e7decf546 outdated
    25+    close(fd);
    26+    if (res != (ssize_t)size) {
    27+        return 0;
    28+    }
    29+#endif
    30+    return 1;
    


    jonasnick commented at 5:56 pm on April 30, 2020:
    nit: would be less fragile when the function would return 0 if none of the above branches are taken

    elichai commented at 7:05 pm on April 30, 2020:
    That should never happen because there’s an #error at the top of the file if none were taken.

    jonasnick commented at 7:25 pm on April 30, 2020:
    Yeah but if you add a branch above to add another OS, you may forget to add it here here as well (or accidentally branch on something else).

    elichai commented at 7:30 pm on May 2, 2020:
    Done
  6. in examples/ecdh.c:38 in 2e7decf546 outdated
    24+    unsigned char shared_secret1[32];
    25+    unsigned char shared_secret2[32];
    26+    size_t len;
    27+    secp256k1_pubkey pubkey1;
    28+    secp256k1_pubkey pubkey2;
    29+    secp256k1_context* ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
    


    jonasnick commented at 5:58 pm on April 30, 2020:
    Would it make sense to mention why the CONTEXT_SIGN flag is chosen?

    elichai commented at 7:05 pm on April 30, 2020:
    Great Idea! I’ll try to phrase something :)

    elichai commented at 7:30 pm on May 2, 2020:
    Is it better?

    jonasnick commented at 7:58 am on May 4, 2020:
    Yeah, I think it’s helpful (if only for making sure that people pay attention to the flags).
  7. in examples/random.h:22 in 2e7decf546 outdated
    15+    if (res != STATUS_SUCCESS) {
    16+        return 0;
    17+    }
    18+#elif defined(__linux__)
    19+    ssize_t res;
    20+    int fd = open("/dev/urandom", O_RDONLY);
    


    jonasnick commented at 6:19 pm on April 30, 2020:
    Would be better if we’d use getrandom if available.

    elichai commented at 7:07 pm on April 30, 2020:

    I really wanted to use getrandom but it’s not available in the libc in our travis. We could add dist: bionic and that will probably solve this, but my thought was “if even our travis doesn’t support it then we should probably not use this in the examples”

    See: https://travis-ci.org/github/elichai/secp256k1/jobs/681424984#L403


    jonasnick commented at 7:23 pm on April 30, 2020:
    Good point. We can update this later.

    real-or-random commented at 8:56 am on May 1, 2020:

    Oh weird, it’s really not in Ubuntu LTS 16.04. You need glibc 2.25 at least. -.- I wanted to point out getrandom too…

    I think we should at least add an explanatory comment or a link to an explanation. And to be honest, I’d prefer to use getrandom here and have an example that breaks compilation if it’s not available and refer people to /dev/urandom then.

    At least LTS 16.04 will have “end of standard support” in 2021.


    elichai commented at 10:19 am on May 1, 2020:

    I thought about that, but how do you propose to do this? like should I involve autotools in this now?(to detect getrandom) I really preferred to keep the examples minimal and self standing.

    another advantage of /dev/urandom is that I can just stick MacOS and BSD variants on it and it should work


    real-or-random commented at 11:07 am on May 1, 2020:

    like should I involve autotools in this now?(to detect getrandom) I really preferred to keep the examples minimal and self standing.

    Hm ok, what I had in mind was rather not compiling the examples at all in our build system. But I see that this is not great either….

    edit: see discussion below

  8. in examples/random.h:28 in 2e7decf546 outdated
    0@@ -0,0 +1,31 @@
    1+#if defined(_WIN32)
    2+#include <bcrypt.h>
    3+#elif defined(__linux__)
    4+#include <fcntl.h>
    5+#include <unistd.h>
    6+#else
    7+#error "Couldn't identify the OS"
    


    jonasnick commented at 6:22 pm on April 30, 2020:
    Seems like this would happen on many common OSes (macOS, BSDs, …). How about not compiling the examples by default?

    elichai commented at 7:10 pm on April 30, 2020:

    I skipped BSD because I didn’t think anyone is really using it, but forgot about OSX. I’ll look into adding them both, see how compilcated it gets (I want to avoid something like https://github.com/bitcoin/bitcoin/blob/master/src/random.cpp and only support mostly recent OS versions)

    Now that I re-read my last sentence :) you might be right about not compiling them by default, I just find that whatever’s not compiled by default I always break and find out in the CI lol


    real-or-random commented at 11:10 am on May 1, 2020:
    Okay, I hadn’t read this conversation here before. Maybe it’s really better not to compile the examples in our build system. If the concern is CI, we can compile them in the CI. If we want, we could add a super simple standalone Makefile that’s entirely decoupled from our autoconf stuff.

    elichai commented at 11:18 am on May 1, 2020:

    I’m trying to redo the travis and at least add MacOS to the CI hmm stand alone make can be interesting, should that compile libsecp by it self? I can write something simple.

    Otherwise we can still compile it in our CI, turn it off by default and bump our travis to bionic


    elichai commented at 7:32 pm on May 2, 2020:
    Added macOS and BSD, and will add macOS to the CI soon so we could actually test this. rn they all use /dev/urandom, but if we bump to bionic I can replace with getrandom/getentropy

    jonasnick commented at 7:30 am on May 4, 2020:
    I think the advantage of covering anything other than Linux for now is small compared to the maintenance overhead and bikeshedding. I’d suggest to do Linux only, use /dev/urandom, add comment to use getrandom if available, not compile by default, but add a travis test. Easy to revisit this later if there is demand for other systems but most important is the code, and not that it compiles on every user’s system.

    real-or-random commented at 8:34 am on May 6, 2020:

    Oh I didn’t see your comment here. I suggested Linux/MacOS/Windows here: #749 (comment) But I’d also be okay with just Linux. I think the main point is that we good documentation.

    And I have a somewhat strong opinion on /dev/urandom vs getrandom. The issue with /dev/urandom is that it never blocks, i.e., it doesn’t block at early boot when there has never been enough entropy. That’s rare for Linux on the desktop but may be the case for a lightweight Linux on some device. So I’d really prefer getrandom and a comment to use /dev/urandom if getrandom is not available. If we don’t compile the examples, then it does not matter if it’s not available.

    As I said, I’ll try to find some refs. If you want, go ahead with this PR and I’ll open a PR on top of it.


    jonasnick commented at 3:01 pm on May 6, 2020:
    Since we’re updating travis to bionic in #750 (which I support), what you’re suggesting sounds good to me (getrandom or gtfo) and test that in travis.

    elichai commented at 6:46 am on May 19, 2020:
    Done :)

    elichai commented at 6:49 am on May 19, 2020:
    Fixed, And added explanations about the different random sources for each platform
  9. jonasnick commented at 6:44 pm on April 30, 2020: contributor

    Very nice!

    Alternatively the module-specific examples could be in their respective module directory. But I think either way is fine.

  10. elichai commented at 7:04 pm on April 30, 2020: contributor

    Alternatively the module-specific examples could be in their respective module directory. But I think either way is fine.

    I thought about it, but I think that for newcomers it’s easier to see an examples directory at the top level and start from there.

  11. in examples/ecdh.c:125 in 2e7decf546 outdated
    70+    printf("Compressed Pubkey2: ");
    71+    print_hex(compressed_pubkey2, sizeof(compressed_pubkey2));
    72+    printf("\nShared Secret: ");
    73+    print_hex(shared_secret1, sizeof(shared_secret1));
    74+
    75+
    


    jonasnick commented at 8:17 pm on April 30, 2020:
    We need to destroy the context here. Also can try to clear the secret keys (and add comment why we do that).

    elichai commented at 8:26 pm on April 30, 2020:
    Weird that valgrind didn’t complain about it.

    elichai commented at 8:29 pm on April 30, 2020:
    Should I do try to do some best effort in that regard? (ie #636)

    real-or-random commented at 11:22 am on May 1, 2020:
    Shall I export a function to clear memory in #636?

    elichai commented at 2:16 pm on May 2, 2020:
    I think it’s an improvement, although probably most serious users will have their own mechanism.

    elichai commented at 7:32 pm on May 2, 2020:
    Done, I added memset with a TODO, so we could either copy your function to the example, or if we actually export it use that.
  12. real-or-random commented at 11:22 am on May 1, 2020: contributor

    My feeling is this entire issue of secret key handling deserves a broader discussion.

    We don’t have a key generation function and Core won’t need one. If we’re now targeting different users more, maybe it’s time to have one. But it’s hard, see all the discussion points above. And it really depends on the user’s platform. So actually I’d be happy with good examples and some references to correct methods to get randomness on different OSes.

    On the other hand, nothing should stop us from exporting a cleaning function in #636, even if we don’t have one for key gen.

    What are other libraries doing for key generation?

  13. in examples/keygen.c:44 in 2e7decf546 outdated
    19+    unsigned char compressed_pubkey[33];
    20+    unsigned char uncompressed_pubkey[65];
    21+    size_t len;
    22+    secp256k1_pubkey pubkey;
    23+    secp256k1_context* ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
    24+    while (1) {
    


    real-or-random commented at 11:29 am on May 1, 2020:

    I’d prefer not to loop here and instead bail out if we hit an invalid key.

    The probability of hitting an invalid key is negligible if your randomness is good. So this loop is only relevant if your randomness is broken. And then it hides the fact that your randomness is broken.



    real-or-random commented at 8:36 am on May 6, 2020:
    Hm, I see. I still think that my argument holds up. Maybe @sipa can chime in for the code in Core.

    nickfarrow commented at 7:00 am on June 20, 2020:

    While the probability of an invalid key is negligible (something like 1/2^128?), I feel that if the verify function is provided in the library then it could still be informative to include in the examples.

    0if (!secp256k1_ec_seckey_verify(ctx, seckey)) {
    1	printf("Invalid secret key\n");
    2	return 1;
    3}
    
  14. real-or-random cross-referenced this on May 1, 2020 from issue Secret key generation and cleaning by real-or-random
  15. elichai force-pushed on May 2, 2020
  16. elichai cross-referenced this on May 3, 2020 from issue Add macOS to the CI by elichai
  17. real-or-random cross-referenced this on May 8, 2020 from issue Add basic usage information on README [skip ci] by kroggen
  18. elichai force-pushed on May 19, 2020
  19. jonasnick cross-referenced this on Jul 17, 2020 from issue Add schnorrsig module which implements BIP-340 compliant signatures by jonasnick
  20. in examples/ecdh.c:38 in 485c68b486 outdated
    35+    /* The docs in secp256k1.h above the `secp256k1_ec_pubkey_create` function say:
    36+     * "pointer to a context object, initialized for signing"
    37+     * Which is why we create a context for signing(SECP256K1_CONTEXT_SIGN).
    38+     * (The docs for `secp256k1_ecdh` don't require any special context, just some context) */
    39+
    40+    secp256k1_context* ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
    


    real-or-random commented at 9:55 am on July 29, 2020:
    The context should be randomized here.

    elichai commented at 8:54 am on July 30, 2020:
    Done
  21. elichai force-pushed on Jul 30, 2020
  22. jonasnick commented at 10:44 pm on November 5, 2020: contributor
    Would be cool to revive this PR since it’s really helpful, well-documented and provides best practices for getting randomness on different platforms. In particular, I don’t think this PR should be blocked on the result of the key generation discussion. @elichai if you want to add examples for the schnorrsig module, feel free to do it, but we can also add this in a different PR.
  23. elichai force-pushed on Nov 7, 2020
  24. elichai force-pushed on Nov 9, 2020
  25. elichai commented at 4:14 pm on November 9, 2020: contributor
    Rebased, and replaced the keygen example with a schnorr and ecdsa examples. Please review and comment if you think something I’ve done isn’t best practice or some comment’s wording isn’t good enough
  26. in examples/ecdsa.c:2 in 8698027d7c outdated
    0@@ -0,0 +1,124 @@
    1+/**********************************************************************
    2+ * Copyright (c) 2020 Elichai Turkel	                              *
    


    jonasnick commented at 9:16 pm on November 16, 2020:
    There’s quite a few trailing whitespaces and tabs in this PR.

    elichai commented at 2:49 pm on July 4, 2021:
    I don’t see any trailing whitespaces now, is this still an issue? do you mean the way the copyright header is?

    elichai commented at 2:49 pm on July 4, 2021:
    I don’t see any trailing whitespaces now, is this still an issue? do you mean the way the copyright header is?

    jonasnick commented at 4:39 pm on July 6, 2021:
    I don’t see them either now.
  27. in README.md:73 in 0be44b4132 outdated
    67@@ -68,6 +68,13 @@ libsecp256k1 is built using autotools:
    68     $ make check
    69     $ sudo make install  # optional
    70 
    71+Usage Examples
    72+-----------
    73+  Usage Examples can be found in the [examples](examples) directory:
    


    jonasnick commented at 9:18 pm on November 16, 2020:
    Would be helpful to mention the --enable-examples configuration flag.

    elichai commented at 2:49 pm on July 4, 2021:
    Added, Thanks :)
  28. in .gitignore:13 in 0be44b4132 outdated
     9@@ -10,10 +10,14 @@ tests
    10 exhaustive_tests
    11 gen_context
    12 valgrind_ctime_test
    13+keygen_example
    


    jonasnick commented at 9:19 pm on November 16, 2020:
    This doesn’t exist anymore and ecdsa_example and schnorr_example are missing.

    elichai commented at 2:49 pm on July 4, 2021:
    Thanks! Fixed
  29. in Makefile.am:151 in 0be44b4132 outdated
    129+ecdsa_example_SOURCES = examples/ecdsa.c
    130+ecdsa_example_CPPFLAGS = -I$(top_srcdir)/include $(SECP_INCLUDES)
    131+ecdsa_example_LDADD = libsecp256k1.la $(SECP_LIBS)
    132+ecdsa_example_LDFLAGS = -static
    133+TESTS += ecdsa_example
    134+endif
    


    jonasnick commented at 9:21 pm on November 16, 2020:
    Is it intentional that this endif is here? I would have expected USE_EXAMPLES applies to all examples.

    elichai commented at 9:27 am on November 17, 2020:
    Nope, accidentally moved it when added schnorrsig
  30. in examples/random.h:15 in 0be44b4132 outdated
     7+ * In this file only the best practice randomness sources are used
     8+ * Platform randomness sources:
     9+ * Linux   -> `getrandom(2)`(`sys/random.h`), if not available `/dev/urandom` should be used. http://man7.org/linux/man-pages/man2/getrandom.2.html, https://linux.die.net/man/4/urandom
    10+ * macOS   -> `getentropy(2)`(`sys/random.h`), if not available `/dev/urandom` should be used. https://www.unix.com/man-page/mojave/2/getentropy, https://opensource.apple.com/source/xnu/xnu-517.12.7/bsd/man/man4/random.4.auto.html
    11+ * FreeBSD -> `getrandom(2)`(`sys/random.h`), if not available `kern.arandom` should be used. https://www.freebsd.org/cgi/man.cgi?query=getrandom, https://www.freebsd.org/cgi/man.cgi?query=random&sektion=4
    12+ * OpenBSD -> `getentropy(2)`(`unistd.h`), if not available `/dev/urandom` should be used. https://man.openbsd.org/getentropy, https://man.openbsd.org/urandom
    


    jonasnick commented at 9:29 pm on November 16, 2020:
    Why not arc4random as recommended in the getentropy man page? Same for macOS.

    elichai commented at 1:30 pm on March 29, 2021:

    I think the reason was that some platforms still use RC4 for that syscall: https://security.stackexchange.com/a/172905/188909

    Looking over implementations, it looks like OpenSSL[0], libsodium internal[1], Rust’s getrandom[2], Go’s[3], CPython[4], GnuTLS[5], Bitcoin[6] all use getentropy in OpenBSD, but libsodium’s external API uses arc4random[7]. Arguably, OpenSSL, libsodium internal, GnuTLS and bitcoin all use it to seed a CPRNG, but Rust, Go, and Python’s implementations are generally meant for end users AFAIU(and are used like that). The only implementation I’ve found that uses arc4random is libsodium’s external randomness (you could argue that it’s the only one that’s explicitly meant for cryptography end users)

    So yeah, maybe for user facing API’s arc4random is better, I’m not sure though (note that these days getentropy->arc4random: https://github.com/openbsd/src/blob/master/sys/dev/rnd.c#L814)

    [0] https://github.com/openssl/openssl/blob/c8830891e6cb8d0782986662ca50b8fa7c97f49f/providers/implementations/rands/seeding/rand_unix.c#L362 [1] https://github.com/jedisct1/libsodium/blob/ae4add868124a32d4e54da10f9cd99240aecc0aa/src/libsodium/randombytes/internal/randombytes_internal_random.c#L189 [2] https://github.com/rust-random/getrandom/blob/master/src/openbsd.rs#L14 [3] https://golang.org/src/crypto/rand/rand_openbsd.go#L23 [4] https://github.com/python/cpython/blob/41761933c1c30bb6003b65eef1ba23a83db4eae4/Python/bootstrap_hash.c#L463 [5] https://gitlab.com/gnutls/gnutls/-/blob/master/lib/nettle/sysrng-getentropy.c#L57 [6] https://github.com/bitcoin/bitcoin/blob/master/src/random.cpp#L314 [7] https://github.com/jedisct1/libsodium/blob/ae4add868124a32d4e54da10f9cd99240aecc0aa/src/libsodium/randombytes/sysrandom/randombytes_sysrandom.c#L101


    jonasnick commented at 4:39 pm on July 6, 2021:

    I think the reason was that some platforms still use RC4 for that syscall:

    Urgh. But we’re only targeting APPLE and OpenBSD here, whose manpages both recommend arc4random. But agree that getentropy should be ok too.

    How about we replace the sentence “In this file only the best practice randomness sources are used” at the top of the file with: “This file is an attempt at collecting best practice methods for obtaining randomness with different operating systems. It may be out-of-date. Consult the documentation of the operating system before considering to use the methods below.”


    elichai commented at 10:07 am on July 7, 2021:
    That sounds good. I hate that OSs are so bad that no one can actually tell what it actually the best practice

    jonasnick commented at 8:11 pm on July 7, 2021:

    nit: better formatting

    0 * This file is an attempt at collecting best practice methods for obtaining
    1 * randomness with different operating systems. It may be out-of-date. Consult
    2 * the documentation of the operating system before considering to use the
    3 * methods below.
    4 *
    5 * Platform randomness sources:
    
  31. in examples/random.h:39 in 0be44b4132 outdated
    25+
    26+
    27+/* Returns 1 on success, and 0 on failure. */
    28+static int fill_random(unsigned char* data, unsigned long size) {
    29+#if defined(_WIN32)
    30+    NTSTATUS res = BCryptGenRandom(NULL, data, size, BCRYPT_USE_SYSTEM_PREFERRED_RNG);
    


    jonasnick commented at 9:33 pm on November 16, 2020:
    What does the BCRYPT_USE_SYSTEM_PREFERRED_RNG flag do?

    elichai commented at 2:48 pm on March 29, 2021:
    AFAIU this means use the default CPRNG, otherwise we can’t pass in NULL as the hAlgorithm and we need to instead need to pass a specific algorithm

    jonasnick commented at 4:39 pm on July 6, 2021:
    I see, thx
  32. in examples/schnorr.c:53 in 0be44b4132 outdated
    48+     * Should never fail */
    49+    assert(secp256k1_context_randomize(ctx, randomize));
    50+
    51+    /*** Key Generation ***/
    52+
    53+    /* If the secret key is zero or out of range (bigger than secp256k1 order), the probablity of this happening is negligble
    


    jonasnick commented at 9:42 pm on November 16, 2020:
    the second half of this sentence isn’t a consequence of the first. Generally I think the quality of the doc would be improved quite a bit by using proper punctuation because there are a lot of places where a dot is missing or a comma is used instead of a dot.

    elichai commented at 2:48 pm on July 4, 2021:
    Rephrased, is it better now?

    jonasnick commented at 4:41 pm on July 6, 2021:
    The sentence is better now. I pushed a commit that improves the punctuation (and layout) of the doc comments here https://github.com/jonasnick/secp256k1/commits/2020-07-docs-jn. Feel free to cherry-pick (and squash) if you agree.

    elichai commented at 10:19 am on July 7, 2021:
    Thanks! cherry-picked
  33. in examples/schnorr.c:54 in 0be44b4132 outdated
    49+    assert(secp256k1_context_randomize(ctx, randomize));
    50+
    51+    /*** Key Generation ***/
    52+
    53+    /* If the secret key is zero or out of range (bigger than secp256k1 order), the probablity of this happening is negligble
    54+     * non the less we try generating a new key if failed  */
    


    jonasnick commented at 9:43 pm on November 16, 2020:
    non the less -> nonetheless

    elichai commented at 2:48 pm on July 4, 2021:
    I just removed that word :)
  34. in examples/schnorr.c:66 in 0be44b4132 outdated
    61+        if (secp256k1_keypair_create(ctx, &keypair, seckey)) {
    62+            break;
    63+        }
    64+    }
    65+
    66+    /* Extract the XOnly Public Key from the Keypair, 
    


    jonasnick commented at 9:44 pm on November 16, 2020:
    XOnly -> X-only as in the bip.

    elichai commented at 2:48 pm on July 4, 2021:
    Fixed, Thanks!
  35. in examples/schnorr.c:60 in 0be44b4132 outdated
    55+    while (1) {
    56+        if (!fill_random(seckey, sizeof(seckey))) {
    57+            printf("Failed to generate randomness\n");
    58+            return 1;
    59+        }
    60+        /* Try to create a keypair wit a valid context, it should only fail if the seckey is zero or out of range. */
    


    jonasnick commented at 9:44 pm on November 16, 2020:
    typo “wit”

    elichai commented at 2:48 pm on July 4, 2021:
    Fixed, Thanks!
  36. in examples/schnorr.c:30 in 0be44b4132 outdated
    25+
    26+int main(void) {
    27+    unsigned char msg_hash[32] = {0}; /* This should be a hash of the message. */
    28+    unsigned char seckey[32];
    29+    unsigned char randomize[32];
    30+    unsigned char auxilary_rand[32];
    


    jonasnick commented at 9:45 pm on November 16, 2020:
    auxilary -> auxiliary

    elichai commented at 2:48 pm on July 4, 2021:
    Fixed, Thanks!
  37. in examples/ecdh.c:54 in 0be44b4132 outdated
    46+    /* Randomizing the context is recommended to protect against side-channel leakage
    47+     * See `secp256k1_context_randomize` in secp256k1.h for more information about it
    48+     * Should never fail */
    49+    assert(secp256k1_context_randomize(ctx, randomize));
    50+
    51+    while (1) {
    


    jonasnick commented at 9:50 pm on November 16, 2020:
    In the other example files you have a comment here explaining why there’s a loop and why we verify the seckey.

    elichai commented at 2:47 pm on July 4, 2021:
    Added
  38. in examples/ecdsa.c:14 in 0be44b4132 outdated
    10+
    11+#include "random.h"
    12+#include "secp256k1.h"
    13+
    14+
    15+static void print_hex(unsigned char* data, size_t size) {
    


    jonasnick commented at 9:52 pm on November 16, 2020:
    nit: would be slightly better if this wasn’t repeated in every example.

    elichai commented at 12:57 pm on July 4, 2021:
    Should I move it to random.h? should I rename random.h to util.h?

    jonasnick commented at 4:41 pm on July 6, 2021:
    sgtm
  39. in Makefile.am:131 in 0be44b4132 outdated
    123@@ -123,6 +124,31 @@ exhaustive_tests_LDFLAGS = -static
    124 TESTS += exhaustive_tests
    125 endif
    126 
    127+if USE_EXAMPLES
    128+noinst_PROGRAMS += ecdsa_example
    129+ecdsa_example_SOURCES = examples/ecdsa.c
    130+ecdsa_example_CPPFLAGS = -I$(top_srcdir)/include $(SECP_INCLUDES)
    131+ecdsa_example_LDADD = libsecp256k1.la $(SECP_LIBS)
    


    jonasnick commented at 9:58 pm on November 16, 2020:
    Seems like we don’t need to specify $(SECP_LIBS)$ nor $CPPFLAGS$ for any of the examples, except that schnorrsig needs CPPFLAGS(but no$(SECP_INCLUDES)` necessary).

    elichai commented at 2:47 pm on July 4, 2021:
    I removed $(SECP_INCLUDES) and $(SECP_LIBS), anything else I should change in the automake?

    jonasnick commented at 4:41 pm on July 6, 2021:
    I think you can remove ecdsa_example_CPPFLAGS and ecdh_example_CPPFLAGS.

    elichai commented at 8:49 am on July 7, 2021:
    I can’t as they’re importing #include "secp256k1.h", I could remove it if I change it to #include "include/secp256k1.h" But I think actual users will pass -Isecp256k1/include

    jonasnick commented at 8:13 pm on July 7, 2021:
    hm okay
  40. in examples/random.h:39 in 0be44b4132 outdated
    34+        return 0;
    35+    }
    36+#elif defined(__linux__) || defined(__FreeBSD__)
    37+    /* If `getrandom(2)` is not available you should fallback to /dev/urandom */
    38+    ssize_t res = getrandom(data, size, 0);
    39+    if (res == (ssize_t)size) {
    


    jonasnick commented at 10:13 pm on November 16, 2020:
    unsigned long may not fit in an ssize_t. On 32 bit systems it can therefore happen that getrandom returns -1 but fill_random returns 1. Perhaps change the size argument of fill_random to size_t, add res != -1 to this if condition and, for WIN32, check whether size exceeds unsigned long?

    real-or-random commented at 10:31 am on November 17, 2020:
    Nice catch. I hate C integers.

    elichai commented at 1:11 pm on July 4, 2021:

    Argh,how do I check if size exceeds ULONG_MAX if the standard doesn’t even tell me what’s bigger size_t or unsigned long?.

    What’s the “right” way to do this? :(


    jonasnick commented at 4:42 pm on July 6, 2021:
    What’s wrong with if (size > ULONG_MAX) return 0;? Also, instead of checking res != 1, I think it would be better to check that size <= SSIZE_MAX.

    elichai commented at 8:32 am on July 7, 2021:
    I was worried about what if size_t is smaller than unsigned long, the constant will overflow and the condition won’t be the one it seems to be. But I re-read the integer promotion rules and I think it checks out, if I don’t explicitly convert them to a specific type then they’ll be converted to the integer with the higher rank, preserving the right values.

    real-or-random commented at 9:50 am on July 7, 2021:
    Yep, sounds correct what you say about the promotion rules.
  41. real-or-random commented at 10:34 am on November 17, 2020: contributor

    P.S. Should the usage examples be MIT or CC0(Public Domain)?

    I think we should make them CC0 to avoid any doubt.

  42. ssocolow commented at 5:19 pm on April 30, 2021: none
    As a new user, simple example programs are really great. Thanks!
  43. elichai force-pushed on Jul 4, 2021
  44. elichai commented at 2:45 pm on July 4, 2021: contributor
    Rebased and fixed review comments, Feel free to suggest alternative phrasings to the comments I wrote (English is my 2nd language)
  45. elichai force-pushed on Jul 7, 2021
  46. elichai commented at 10:20 am on July 7, 2021: contributor
    Rebasing on master again so the CI will work
  47. elichai force-pushed on Jul 7, 2021
  48. in examples/random.h:45 in 99fbf6816b outdated
    40+        return 1;
    41+    }
    42+#elif defined(__linux__) || defined(__FreeBSD__)
    43+    /* If `getrandom(2)` is not available you should fallback to /dev/urandom */
    44+    ssize_t res = getrandom(data, size, 0);
    45+    if (res != (ssize_t)size || size > SSIZE_MAX) {
    


    jonasnick commented at 8:12 pm on July 7, 2021:
    Better to first check SSIZE, otherwise the function can return 1 even though not enough random bytes have been read.

    elichai commented at 8:17 am on July 8, 2021:
    I don’t mind checking it first, but how can it return 1 even though not enough random bytes have been read? if size is bigger than SSIZE_MAX or size isn’t the same as res this will return 0.

    jonasnick commented at 12:07 pm on July 8, 2021:
    right, sorry, nevermind

    elichai commented at 1:01 pm on January 7, 2022:
    So to access SSIZE_MAX I’ll need to define some weird POSIX macros, I’ll instead use if (res < 0 || (size_t)res != size ) which should work assuming ssize_t = signed size_t which honestly I’m not 100% sure I can assume. sigh. I could also cast to unsigned long as both man size_t and man ssize_t say that they’re no greater than the width of long

    jonasnick commented at 7:53 pm on January 8, 2022:
    Looks good to me.
  49. elichai cross-referenced this on Sep 23, 2021 from issue Manual to use the API by fabregasf
  50. real-or-random cross-referenced this on Dec 8, 2021 from issue Replace MuSig(1) module with MuSig2 by jonasnick
  51. jonasnick referenced this in commit 804bfe43ce on Dec 8, 2021
  52. elichai force-pushed on Jan 7, 2022
  53. elichai commented at 3:30 pm on January 7, 2022: contributor

    Added a commit fixing some mingw linking bugs:

    1. Need to include windows.h and ntstatus.h even though they’re used in bcrypt.h (https://sourceforge.net/p/mingw-w64/bugs/903/)
    2. Had to explicitly link to libbcrypt
  54. in examples/schnorr.c:41 in 60c3f7bc72 outdated
    36+        return 1;
    37+    }
    38+    /* Randomizing the context is recommended to protect against side-channel
    39+     * leakage See `secp256k1_context_randomize` in secp256k1.h for more
    40+     * information about it. This should never fail. */
    41+    assert(secp256k1_context_randomize(ctx, randomize));
    


    sipa commented at 2:12 pm on January 8, 2022:
    I would not put code with side-effects in assert(), as those get removed when compiled with -DNDEBUG.

    elichai commented at 9:13 am on January 9, 2022:
    Oh you’re 100% right

    elichai commented at 10:12 am on January 9, 2022:
    Do you think users should even assert the return value? if so then only in debug or also in release?

    sipa commented at 6:28 pm on January 9, 2022:

    I think for secp256k1_context_randomize it’s reasonable to change the API documentation that it always returns 1. I don’t see under what conditions you’d ever want to return failure here. In that case, it seems unnecessary to check.

    There are lots of operations that only returns 0 if you pass in invalid arguments (e.g. serializing a public key to an area that’s too small). For those I think it can be recommended practice to check, but I wouldn’t consider it incorrect usage not to check if you know your code will always provide enough space.

  55. in examples/schnorr.c:12 in 60c3f7bc72 outdated
     7+#include <stdio.h>
     8+#include <assert.h>
     9+#include <string.h>
    10+
    11+#include "random.h"
    12+#include "secp256k1.h"
    


    sipa commented at 3:14 pm on January 8, 2022:
    Wouldn’t it be better to use #include <...>? As people looking at examples would likely be linking from outside the project.

    elichai commented at 9:25 am on January 9, 2022:
    Doesn’t that mean that they’ve installed the library on the user’s system? If I understood this correctly then if an app ships a vendored libsecp (like bitcoin core) it technically shouldn’t be included via the system path

    sipa commented at 2:25 pm on January 9, 2022:

    If you set -I arguments to the compiler correctly, there is no problem with using <…>.

    The only difference is that “…” also looks in the current path, and as that is not where one would expect the included headers, it’s pointless and I would say confusing.

    FWIW Bitcoin Core does everything using <…> includes, also internal headers.

  56. in examples/schnorr.c:27 in 0e5437fb0d outdated
    22+    unsigned char serialized_pubkey[32];
    23+    unsigned char signature[64];
    24+    int is_signature_valid;
    25+    secp256k1_xonly_pubkey pubkey;
    26+    secp256k1_keypair keypair;
    27+    /* The docs in secp256k1_extrakeys.h above the `secp256k1_keypair_create`
    


    sipa commented at 4:52 pm on January 8, 2022:

    That’s remarkably specific, and may go outdated if the header files are restructured a bit.

    What about “The specification in secp256k1_extrakeys.h states that secp256k1_schnorrsig_verify needs …”?

  57. in examples/schnorr.c:64 in 0e5437fb0d outdated
    59+
    60+    /* Extract the X-only public key from the keypair. We pass NULL for
    61+     * `pk_parity` as we don't care about the parity of the key, only advanced
    62+     * users might care about the parity. This should never fail with a valid
    63+     * context and public key. */
    64+    assert(secp256k1_keypair_xonly_pub(ctx, &pubkey, NULL, &keypair));
    


    sipa commented at 4:52 pm on January 8, 2022:
    assert with side effects
  58. in examples/schnorr.c:67 in 0e5437fb0d outdated
    62+     * users might care about the parity. This should never fail with a valid
    63+     * context and public key. */
    64+    assert(secp256k1_keypair_xonly_pub(ctx, &pubkey, NULL, &keypair));
    65+
    66+    /* Serialize the public key. Should always return 1 for a valid public key. */
    67+    assert(secp256k1_xonly_pubkey_serialize(ctx, serialized_pubkey, &pubkey));
    


    sipa commented at 4:52 pm on January 8, 2022:
    assert with side effects
  59. in examples/schnorr.c:83 in 0e5437fb0d outdated
    78+    * custom nonce function, passing `NULL` will use the BIP-340 safe default.
    79+    * BIP-340 recommends passing 32 bytes of randomness to the nonce function to
    80+    * improve security against side-channel attacks. Signing with a valid
    81+    * context, verified keypair and the default nonce function should never
    82+    * fail. */
    83+    assert(secp256k1_schnorrsig_sign(ctx, signature, msg_hash, &keypair, auxiliary_rand));
    


    sipa commented at 4:53 pm on January 8, 2022:
    assert with side effects
  60. in examples/schnorr.c:110 in 0e5437fb0d outdated
    105+
    106+    /* This will clear everything from the context and free the memory */
    107+    secp256k1_context_destroy(ctx);
    108+
    109+    /* It's best practice to try to remove secrets from memory after using them.
    110+     * This is done because some bugs can allow an attacker leak memory, for
    


    sipa commented at 4:55 pm on January 8, 2022:

    Grammar seems off here.

    Also: an attacker accessing memory through an exploit isn’t the only reason; another one is the risk that the OS swaps out the application to disk, where it may end up on permanent storage (which might be less well-protected from attackers). Secrets in general should not be kept in memory longer than necessary.

    Here and elsewhere.

  61. in configure.ac:74 in 0e5437fb0d outdated
    69@@ -68,6 +70,10 @@ case $host_os in
    70        fi
    71      fi
    72    ;;
    73+   cygwin*|mingw*)
    74+
    


    jonasnick commented at 8:07 pm on January 8, 2022:
    nit: unnecessary newline?
  62. jonasnick cross-referenced this on Jan 15, 2022 from issue Add notes for secp256k1 #748 by jonasnick
  63. elichai force-pushed on Jan 17, 2022
  64. elichai commented at 3:45 pm on January 17, 2022: contributor
    I fixed the comments in a separate commit. I’ll squash them closer to merging as I assume the Review Club will give me a bunch more things to fix.
  65. real-or-random commented at 3:55 pm on January 17, 2022: contributor
    We spend a lot of time here coming up with methods to obtain randomness on various OSes. If we’re going to maintain this in this example file, could we just go ahead and maintain a real function? (I don’t want to suggest a “yes” or “no”, I’m really asking this as an open question.) I assume the overhead of maintaining a function is larger but I’m not sure to what extent.
  66. in examples/ecdh.c:120 in 4c433823a8 outdated
    112+     * This is done because some bugs can allow an attacker to leak memory, for
    113+     * example through "out of bounds" array access (see Heartbleed), Or the OS
    114+     * swapping them to disk. Hence, we overwrite the secret key buffer with zeros.
    115+     *
    116+     * TODO: Prevent these writes from being optimized out, as any good compiler
    117+     * will remove any writes that aren't used. */
    


    kristapsk commented at 4:44 pm on January 18, 2022:
    Check for C11 (#if (__STDC_VERSION__ >= 201112L)) could be added and then memset_s() used instead.

    real-or-random commented at 5:46 pm on January 18, 2022:
    memset_s() is optional in C11, it’s in Annex K. You need more than _STDC_VERSION__ >= 201112L to check for its presence, see for example https://en.cppreference.com/w/c/string/byte/memset. Also, almost no compiler supports Annex K, so I doubt it’s useful in practice, see for example https://stackoverflow.com/a/50724865.
  67. in examples/ecdsa.c:46 in 1e5f3b1a08 outdated
    27+     * say: "pointer to a context object, initialized for signing" And the docs
    28+     * above the `secp256k1_ecdsa_verify` function say: "a secp256k1 context
    29+     * object, initialized for verification" which is why we create a context
    30+     * for both signing and verification with the SECP256K1_CONTEXT_SIGN and
    31+     * SECP256K1_CONTEXT_VERIFY flags. */
    32+    secp256k1_context* ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
    


    theStack commented at 6:24 pm on January 31, 2022:
    nit: Could assert that the context was created successfully (here and in the two other examples)? I.e. assert(ctx != NULL); IIUC returning NULL can only happen in the unlikely case that allocating dynamic memory fails, but it can’t hurt. We also do that check in Bitcoin Core: https://github.com/bitcoin/bitcoin/blob/8f137e69caeb2a2ffe1aa930bd6fbc49cee4087c/src/key.cpp#L394-L395

    jonasnick commented at 2:44 pm on February 2, 2022:

    returning NULL can only happen in the unlikely case that allocating dynamic memory fails

    If that was the case then I would agree that the examples should do the check. However, context_create calls checked_malloc which will call the “error callback” if the result of malloc is NULL. The default behavior of the error callback is crashing. It could theoretically be overriden by the user to not crash (context_set_error_callback) but that would be inadvisable given that the API docs state that after the callback the originally called API function can do anything, in particular its return values are undefined. That’s why the API doc for secp256k1_context_create says that it returns a “context object” and not a “context object or NULL”.


    theStack commented at 3:37 pm on February 2, 2022:
    Interesting, thanks for elaborating! Wasn’t aware of checked_malloc and error callbacks being used. Considering that, I agree that the assert is not needed.
  68. theStack commented at 6:26 pm on January 31, 2022: contributor

    Concept ACK

    Looking forward to the review club tomorrow! 🚀

  69. in examples/ecdsa.c:17 in 1e5f3b1a08 outdated
    12+#include "secp256k1.h"
    13+
    14+
    15+
    16+int main(void) {
    17+    unsigned char msg_hash[32] = {0}; /* This must be a hash of the message. otherwise ECDSA is easily broken. */
    


    robot-dreams commented at 8:42 pm on January 31, 2022:

    Rather than initializing the hash to all zero’s and repeatedly warning the user not to do that, how about something like this?

    0unsigned char msg_hash[32] = "This must be a hash of the msg.";
    

    elichai commented at 11:30 am on February 1, 2022:
    Can’t this make some users think that signing directly on some meaningful string with length 32 is secure? too bad we don’t have access to sha2 here.

    robot-dreams commented at 4:24 pm on February 1, 2022:

    Good point! Maybe something like this instead?

    0    /* Instead of signing the message directly, we must sign a 32-byte hash.
    1     * Here the message is "Hello, world!" and the hash function was SHA-256.
    2     * An actual implementation should just call SHA-256, but this example
    3     * hardcodes the output to avoid depending on an additional library. */
    4    unsigned char msg_hash[32] = {
    5        0x31, 0x5F, 0x5B, 0xDB, 0x76, 0xD0, 0x78, 0xC4,
    6        0x3B, 0x8A, 0xC0, 0x06, 0x4E, 0x4A, 0x01, 0x64,
    7        0x61, 0x2B, 0x1F, 0xCE, 0x77, 0xC8, 0x69, 0x34,
    8        0x5B, 0xFC, 0x94, 0xC7, 0x58, 0x94, 0xED, 0xD3,
    9    };
    
  70. in examples/ecdsa.c:63 in 1e5f3b1a08 outdated
    58+    assert(secp256k1_ec_pubkey_create(ctx, &pubkey, seckey));
    59+
    60+    /* Serialize the pubkey in a compressed form(33 bytes). Should always return 1. */
    61+    len = sizeof(compressed_pubkey);
    62+    assert(secp256k1_ec_pubkey_serialize(ctx, compressed_pubkey, &len, &pubkey, SECP256K1_EC_COMPRESSED));
    63+    /* Should be the same size as the size of the output, because we passed a 33 bytes array. */
    


    robot-dreams commented at 8:45 pm on January 31, 2022:
    0    /* Should be the same size as the size of the output, because we passed a 33 byte array. */
    
  71. in examples/ecdsa.c:88 in 1e5f3b1a08 outdated
    83+    if (!secp256k1_ecdsa_signature_parse_compact(ctx, &sig, serialized_signature)) {
    84+        printf("Failed parsing the signature\n");
    85+        return 1;
    86+    }
    87+
    88+    /*** Verification ***/
    


    robot-dreams commented at 8:47 pm on January 31, 2022:
    Should this second /*** Verification ***/ label be removed?
  72. in examples/random.h:66 in 1e5f3b1a08 outdated
    58+    }
    59+#endif
    60+    return 0;
    61+}
    62+
    63+static void print_hex(unsigned char* data, size_t size) {
    


    robot-dreams commented at 8:49 pm on January 31, 2022:
    Should this go in another file like util.h?

    jnewbery commented at 1:33 pm on February 2, 2022:
    I agree that this doesn’t really fit in this file and should go in something like util.h. See also #748 (review).
  73. in examples/schnorr.c:61 in 60c3f7bc72 outdated
    56+            break;
    57+        }
    58+    }
    59+
    60+    /* Extract the X-only public key from the keypair. We pass NULL for
    61+     * `pk_parity` as we don't care about the parity of the key, only advanced
    


    robot-dreams commented at 8:54 pm on January 31, 2022:

    Instead of “only advanced users might care about the parity”, how about something like this?

    “We pass NULL for pk_parity as the parity isn’t needed for signing or verification. secp256k1_keypair_xonly_pub supports returning the parity for other use cases such as tests or verifying Taproot tweaks.”

  74. in README.md:74 in 626a56d0a8 outdated
    68@@ -69,6 +69,13 @@ libsecp256k1 is built using autotools:
    69     $ make check  # run the test suite
    70     $ sudo make install  # optional
    71 
    72+Usage Examples
    73+-----------
    74+  Usage Examples can be found in the [examples](examples) directory, to compile them you need configure with `--enable-examples`.
    


    robot-dreams commented at 9:01 pm on January 31, 2022:
    0  Usage Examples can be found in the [examples](examples) directory. To compile them you need to configure with `--enable-examples`.
    1  For experimental modules, you will also need `--enable-experimental` as well as a flag for each individual module, e.g. `--enable-module-ecdh`.
    

    real-or-random commented at 4:27 pm on February 3, 2022:
    and s/Examples/examples
  75. robot-dreams commented at 9:06 pm on January 31, 2022: contributor

    Concept ACK, thanks for adding these helpful examples!

    My comments are mostly cosmetic, and I think the PR should be ready to merge after review club.

  76. jesseposner commented at 8:01 am on February 2, 2022: none
    Tested ACK 4c433823a85cac975b0746203d94ce041c10299d
  77. in examples/schnorr.c:56 in 4c433823a8 outdated
    38+    /* Randomizing the context is recommended to protect against side-channel
    39+     * leakage See `secp256k1_context_randomize` in secp256k1.h for more
    40+     * information about it. This should never fail. */
    41+    return_val = secp256k1_context_randomize(ctx, randomize);
    42+    assert(return_val);
    43+    /*** Key Generation ***/
    


    0xB10C commented at 2:42 pm on February 2, 2022:
    minor nit: leave an empty line before this heading to match /*** Signing ***/ and /*** Verification ***/.
  78. in examples/ecdsa.c:18 in 4c433823a8 outdated
    13+#include "random.h"
    14+
    15+
    16+
    17+int main(void) {
    18+    unsigned char msg_hash[32] = {0}; /* This must be a hash of the message. otherwise ECDSA is easily broken. */
    


    0xB10C commented at 3:01 pm on February 2, 2022:
    nit: It isn’t immediately clear to me (without spending time thinking about it or looking it up) why ECDSA is easily broken if we sign the message rather than the hash of the message. Adding a keyword or simple and short explanation could be helpful.

    jonasnick commented at 3:10 pm on February 2, 2022:
  79. 0xB10C commented at 3:03 pm on February 2, 2022: none
    Concept ACK, usage examples are helpful.
  80. theStack cross-referenced this on Feb 2, 2022 from issue random: use arc4random on OpenBSD by theStack
  81. in examples/random.h:47 in 4c433823a8 outdated
    42+    } else {
    43+        return 1;
    44+    }
    45+#elif defined(__linux__) || defined(__FreeBSD__)
    46+    /* If `getrandom(2)` is not available you should fallback to /dev/urandom */
    47+    ssize_t res = getrandom(data, size, 0);
    


    siv2r commented at 4:05 pm on February 2, 2022:

    Is there any specific reason why getrandom() is used for Linux whereas getentropy() is used for macOS? availability issues?

    The GNU C library manual says this:

    Most applications should use getentropy. The getrandom function is intended for low-level applications which need additional control over blocking behavior.

    https://www.gnu.org/software/libc/manual/html_node/Unpredictable-Bytes.html


    elichai commented at 10:56 am on February 22, 2022:

    Hmm, mostly because I read the linux docs etc, and getrandom is a kernel thing, while getentropy is a glibc thing to emulate what OpenBSD does. Also, most other libs also call getrandom on linux even though they call getentropy on OpenBSD/MacOS: #748 (review)

    Not sure if this is convincing enough or not

  82. siv2r commented at 4:16 pm on February 2, 2022: contributor
    Tested ACK 4c43382. All three examples compile and run successfully on my machine (Ubuntu 20.04).
  83. Emzy commented at 6:06 pm on February 2, 2022: none
    Tested ACK 4c43382 (Ubuntu 20.04.3 LTS)
  84. laanwj referenced this in commit a7e80449c0 on Feb 10, 2022
  85. sidhujag referenced this in commit ba3551db7a on Feb 10, 2022
  86. scgbckbone commented at 10:43 am on February 12, 2022: none

    Tested ACK

    • ubuntu 20.04 Linux workstation 5.13.0-28-generic [#31](/bitcoin-core-secp256k1/31/)~20.04.1-Ubuntu SMP Wed Jan 19 14:08:10 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
    • windows 10 MINGW64_NT-10.0-19044 DESKTOP-UV75MOO 3.3.3-341.x86_64 2022-01-18 13:00 UTC x86_64 Msys
  87. elichai force-pushed on Feb 22, 2022
  88. elichai commented at 11:15 am on February 22, 2022: contributor
    Fixed comments, and squashed
  89. jonasnick commented at 7:49 pm on February 22, 2022: contributor
    ACK beecb9a3b3f4936eadb678e7e931c90e8fa83de6
  90. in examples/ecdh.c:8 in beecb9a3b3 outdated
    0@@ -0,0 +1,124 @@
    1+/*************************************************************************
    2+ * Copyright (c) 2020-2021 Elichai Turkel                                *
    3+ * Distributed under the CC0 software license, see the accompanying file *
    4+ * EXAMPLES_COPYING or https://creativecommons.org/publicdomain/zero/1.0 *
    5+ *************************************************************************/
    


    real-or-random commented at 9:46 am on February 23, 2022:

    Sorry interrupting with legal stuff and not noticing earlier… I think it’s weird to say “Copyright” and CC0 at the same time. And CC0 is strictly speaking not a software license. https://wiki.creativecommons.org/wiki/CC0_FAQ#May_I_apply_CC0_to_computer_software.3F_If_so.2C_is_there_a_recommended_implementation.3F provides some boilerplate.

    Here’s a suggestion, slightly adopted from the above to make sure it applies only to a single file.

    0/*************************************************************************
    1 * Written in 2020-2022 by Elichai Turkel                                *
    2 * To the extent possible under law, the author(s) have dedicated all    *
    3 * copyright and related and neighboring rights to the software in this  *
    4 * file to the public domain worldwide. This software is distributed     *
    5 * without any warranty. For the CC0 Public Domain Dedication, see       *
    6 * EXAMPLES_COPYING or https://creativecommons.org/publicdomain/zero/1.0 *
    7 *************************************************************************/
    

    elichai commented at 2:16 pm on February 23, 2022:
    Yeah, I hate dealing with licenses. fixed
  91. in examples/ecdsa.c:83 in 2fd3e2fda1 outdated
    78+    assert(len == sizeof(compressed_pubkey));
    79+
    80+    /*** Signing ***/
    81+
    82+    /* Generate an ECDSA signature, note that even though here `msg_hash` is set
    83+    * to zeros, it MUST contain a hash, otherwise ECDSA is easily broken.
    


    real-or-random commented at 10:33 am on February 23, 2022:
    msg_hash is not set to zeros.

    elichai commented at 2:16 pm on February 23, 2022:
    Thanks! fixed
  92. in examples/ecdsa.c:134 in 2fd3e2fda1 outdated
    127+     * example through "out of bounds" array access (see Heartbleed), Or the OS
    128+     * swapping them to disk. Hence, we overwrite the secret key buffer with zeros.
    129+     *
    130+     * TODO: Prevent these writes from being optimized out, as any good compiler
    131+     * will remove any writes that aren't used. */
    132+    memset(seckey, 0, sizeof(seckey));
    


    real-or-random commented at 10:43 am on February 23, 2022:

    I don’t like the idea of having a TODO here. I mean we spent days getting the randomness right, then this feels wrong.

    We could copy https://github.com/bitcoin/bitcoin/blob/7fcf53f7b4524572d1d0c9a5fdc388e87eb02416/src/support/cleanse.cpp#L14 and then really call the file util.h or refer to it…

    In the interest of moving this forward, we suggest to leave this as is and I’m happy to open a further PR that fixes it.

  93. in examples/ecdh.c:49 in 8312d43ba7 outdated
    41+     * leakage See `secp256k1_context_randomize` in secp256k1.h for more
    42+     * information about it. This should never fail. */
    43+    return_val = secp256k1_context_randomize(ctx, randomize);
    44+    assert(return_val);
    45+
    46+    /*** Key Generation ***/
    


    real-or-random commented at 11:00 am on February 23, 2022:

    It may be good to add a header to every code section in this part, e.g., “Party 1: " and “Party 2:” or similar, to make sure.

    This would require splitting the key generation loop but I think that’s really better than. Real code wouldn’t work like this, so I think we should avoid it in example code.

    This is also something I can do in a follow-up PR.

  94. real-or-random commented at 11:51 am on February 23, 2022: contributor

    @elichai Can you quickly fix the copyright and the msg_hash comment?

    I think then this is good to go. We had many eyes on it and I can address the other two comments in another PR.

  95. Add an ECDSA signing and verifying example
    Co-authored-by: Jonas Nick <jonasd.nick@gmail.com>
    fee7d4bf9e
  96. Add a Schnorr signing and verifying example
    Co-authored-by: Jonas Nick <jonasd.nick@gmail.com>
    b0cfbcc143
  97. Add a ecdh shared secret example
    Co-authored-by: Jonas Nick <jonasd.nick@gmail.com>
    422a7cc86a
  98. Optionally compile the examples in autotools, compile+run in travis 517644eab1
  99. Add usage examples to the readme 42e03432e6
  100. Add a copy of the CC0 license to the examples 7c9502cece
  101. elichai force-pushed on Feb 23, 2022
  102. real-or-random approved
  103. real-or-random commented at 3:52 pm on February 23, 2022: contributor

    ACK 7c9502cece9c9e8d811333f7ab5bb22f4eb01c04

    As I said, I can create a follow-up PR.

    The one CI failure for the sage prover is harmless and only because just sage on CI was introduced after the last rebase of this PR. It will work on master.

  104. jonasnick commented at 5:27 pm on February 23, 2022: contributor
    ACK 7c9502cece9c9e8d811333f7ab5bb22f4eb01c04
  105. jonasnick merged this on Feb 23, 2022
  106. jonasnick closed this on Feb 23, 2022

  107. fanquake referenced this in commit 8f8631d826 on Mar 17, 2022
  108. fanquake referenced this in commit 4bb1d7e62a on Mar 17, 2022
  109. fanquake referenced this in commit 465d05253a on Mar 30, 2022
  110. real-or-random referenced this in commit 6c0aecf72b on Apr 1, 2022
  111. fanquake referenced this in commit afb7a6fe06 on Apr 6, 2022
  112. gwillen referenced this in commit 35d6112a72 on May 25, 2022
  113. patricklodder referenced this in commit 21badcf9d2 on Jul 25, 2022
  114. patricklodder referenced this in commit 03002a9013 on Jul 28, 2022
  115. janus referenced this in commit 3a0652a777 on Aug 4, 2022
  116. hebasto cross-referenced this on Oct 28, 2022 from issue Cleanup `.gitignore` file by hebasto
  117. real-or-random cross-referenced this on Feb 27, 2023 from issue Use arc4random_buf() as the best practice method for obtaining randomness on OpenBSD (examples) by alpn
  118. str4d referenced this in commit 522190d5c3 on Apr 21, 2023
  119. vmta referenced this in commit e1120c94a1 on Jun 4, 2023
  120. vmta referenced this in commit 8f03457eed on Jul 1, 2023

github-metadata-mirror

This is a metadata mirror of the GitHub repository bitcoin-core/secp256k1. This site is not affiliated with GitHub. Content is generated from a GitHub metadata backup.
generated: 2024-10-30 01:15 UTC

This site is hosted by @0xB10C
More mirrored repositories can be found on mirror.b10c.me