mirror of
https://github.com/bitcoin/bitcoin.git
synced 2025-02-02 09:46:52 -05:00
ff061fde18
c545fdc374 Merge bitcoin-core/secp256k1#1298: Remove randomness tests b40e2d30b7 Merge bitcoin-core/secp256k1#1378: ellswift: fix probabilistic test failure when swapping sides c424e2fb43 ellswift: fix probabilistic test failure when swapping sides 907a67212e Merge bitcoin-core/secp256k1#1313: ci: Test on development snapshots of GCC and Clang 0f7657d59c Merge bitcoin-core/secp256k1#1366: field: Use `restrict` consistently in fe_sqrt cc55757552 Merge bitcoin-core/secp256k1#1340: clean up in-comment Sage code (refer to secp256k1_params.sage, update to Python3) 600c5adcd5 clean up in-comment Sage code (refer to secp256k1_params.sage, update to Python3) 981e5be38c ci: Fix typo in comment e9e9648219 ci: Reduce number of macOS tasks from 28 to 8 609093b387 ci: Add x86_64 Linux tasks for gcc and clang snapshots 1deecaaf3b ci: Install development snapshots of gcc and clang b79ba8aa4c field: Use `restrict` consistently in fe_sqrt c9ebca95f9 Merge bitcoin-core/secp256k1#1363: doc: minor ellswift.md updates afd7eb4a55 Merge bitcoin-core/secp256k1#1371: Add exhaustive tests for ellswift (with create+decode roundtrip) 2792119278 Add exhaustive test for ellswift (create+decode roundtrip) c7d900ffd1 doc: minor ellswift.md updates 332af315fc Merge bitcoin-core/secp256k1#1344: group: save normalize_weak calls in `secp256k1_ge_is_valid_var`/`secp256k1_gej_eq_x_var` 9e6d1b0e9b Merge bitcoin-core/secp256k1#1367: build: Improvements to symbol visibility logic on Windows (attempt 3) 0aacf64352 Merge bitcoin-core/secp256k1#1370: Corrected some typos b6b9834e8d small fixes 07c0e8b82e group: remove unneeded normalize_weak in `secp256k1_gej_eq_x_var` 3fc1de5c55 Merge bitcoin-core/secp256k1#1364: Avoid `-Wmaybe-uninitialized` when compiling with `gcc -O1` fb758fe8d6 Merge bitcoin-core/secp256k1#1323: tweak_add: fix API doc for tweak=0 c6cd2b15a0 ci: Add task for static library on Windows + CMake 020bf69a44 build: Add extensive docs on visibility issues 0196e8ade1 build: Introduce `SECP256k1_DLL_EXPORT` macro 9f1b1904a3 refactor: Replace `SECP256K1_API_VAR` with `SECP256K1_API` ae9db95cea build: Introduce `SECP256K1_STATIC` macro for Windows users 7966aee31d Merge bitcoin-core/secp256k1#1369: ci: Print commit in Windows container a7bec34231 ci: Print commit in Windows container 249c81eaa3 Merge bitcoin-core/secp256k1#1368: ci: Drop manual checkout of merge commit 98579e297b ci: Drop manual checkout of merge commit 5b9f37f136 ci: Add `CFLAGS: -O1` to task matrix a6ca76cdf2 Avoid `-Wmaybe-uninitialized` when compiling with `gcc -O1` 0fa84f869d Merge bitcoin-core/secp256k1#1358: tests: introduce helper for non-zero `random_fe_test()` results 5a95a268b9 tests: introduce helper for non-zero `random_fe_test` results 304421d57b tests: refactor: remove duplicate function `random_field_element_test` 3aef6ab8e1 Merge bitcoin-core/secp256k1#1345: field: Static-assert that int args affecting magnitude are constant 4494a369b6 Merge bitcoin-core/secp256k1#1357: tests: refactor: take use of `secp256k1_ge_x_on_curve_var` 799f4eec27 Merge bitcoin-core/secp256k1#1356: ci: Adjust Docker image to Debian 12 "bookworm" c862a9fb49 ci: Adjust Docker image to Debian 12 "bookworm" a1782098a9 ci: Force DWARF v4 for Clang when Valgrind tests are expected 7d8d5c86df tests: refactor: take use of `secp256k1_ge_x_on_curve_var` 8a7273465b Help the compiler prove that a loop is entered fd491ea1bb Merge bitcoin-core/secp256k1#1355: Fix a typo in the error message ac43613d25 Merge bitcoin-core/secp256k1#1354: Add ellswift to CHANGELOG 67887ae65c Fix a typo in the error message 926dd3e962 Merge bitcoin-core/secp256k1#1295: abi: Use dllexport for mingw builds 10836832e7 Merge bitcoin-core/secp256k1#1336: Use `__shiftright128` intrinsic in `secp256k1_u128_rshift` on MSVC 7c7467ab7f Refer to ellswift.md in API docs c32ffd8d8c Add ellswift to CHANGELOG 3c1a0fd37f Merge bitcoin-core/secp256k1#1347: field: Document return value of fe_sqrt() 5779137457 field: Document return value of fe_sqrt() be8ff3a02a field: Static-assert that int args affecting magnitude are constant efa76c4bf7 group: remove unneeded normalize_weak in `secp256k1_ge_is_valid_var` 5b7bf2e9d4 Use `__shiftright128` intrinsic in `secp256k1_u128_rshift` on MSVC 05873bb6b1 tweak_add: fix API doc for tweak=0 6ec3731e8c Simplify test PRNG implementation fb5bfa4eed Add static test vector for Xoshiro256++ 723e8ca8f7 Remove randomness tests bc7c8db179 abi: Use dllexport for mingw builds git-subtree-dir: src/secp256k1 git-subtree-split: c545fdc374964424683d9dac31a828adedabe860
108 lines
4.4 KiB
C
108 lines
4.4 KiB
C
/*************************************************************************
|
|
* Copyright (c) 2020-2021 Elichai Turkel *
|
|
* Distributed under the CC0 software license, see the accompanying file *
|
|
* EXAMPLES_COPYING or https://creativecommons.org/publicdomain/zero/1.0 *
|
|
*************************************************************************/
|
|
|
|
/*
|
|
* This file is an attempt at collecting best practice methods for obtaining randomness with different operating systems.
|
|
* It may be out-of-date. Consult the documentation of the operating system before considering to use the methods below.
|
|
*
|
|
* Platform randomness sources:
|
|
* Linux -> `getrandom(2)`(`sys/random.h`), if not available `/dev/urandom` should be used. http://man7.org/linux/man-pages/man2/getrandom.2.html, https://linux.die.net/man/4/urandom
|
|
* macOS -> `getentropy(2)`(`sys/random.h`), if not available `/dev/urandom` should be used. https://www.unix.com/man-page/mojave/2/getentropy, https://opensource.apple.com/source/xnu/xnu-517.12.7/bsd/man/man4/random.4.auto.html
|
|
* FreeBSD -> `getrandom(2)`(`sys/random.h`), if not available `kern.arandom` should be used. https://www.freebsd.org/cgi/man.cgi?query=getrandom, https://www.freebsd.org/cgi/man.cgi?query=random&sektion=4
|
|
* OpenBSD -> `getentropy(2)`(`unistd.h`), if not available `/dev/urandom` should be used. https://man.openbsd.org/getentropy, https://man.openbsd.org/urandom
|
|
* Windows -> `BCryptGenRandom`(`bcrypt.h`). https://docs.microsoft.com/en-us/windows/win32/api/bcrypt/nf-bcrypt-bcryptgenrandom
|
|
*/
|
|
|
|
#if defined(_WIN32)
|
|
/*
|
|
* The defined WIN32_NO_STATUS macro disables return code definitions in
|
|
* windows.h, which avoids "macro redefinition" MSVC warnings in ntstatus.h.
|
|
*/
|
|
#define WIN32_NO_STATUS
|
|
#include <windows.h>
|
|
#undef WIN32_NO_STATUS
|
|
#include <ntstatus.h>
|
|
#include <bcrypt.h>
|
|
#elif defined(__linux__) || defined(__APPLE__) || defined(__FreeBSD__)
|
|
#include <sys/random.h>
|
|
#elif defined(__OpenBSD__)
|
|
#include <unistd.h>
|
|
#else
|
|
#error "Couldn't identify the OS"
|
|
#endif
|
|
|
|
#include <stddef.h>
|
|
#include <limits.h>
|
|
#include <stdio.h>
|
|
|
|
|
|
/* Returns 1 on success, and 0 on failure. */
|
|
static int fill_random(unsigned char* data, size_t size) {
|
|
#if defined(_WIN32)
|
|
NTSTATUS res = BCryptGenRandom(NULL, data, size, BCRYPT_USE_SYSTEM_PREFERRED_RNG);
|
|
if (res != STATUS_SUCCESS || size > ULONG_MAX) {
|
|
return 0;
|
|
} else {
|
|
return 1;
|
|
}
|
|
#elif defined(__linux__) || defined(__FreeBSD__)
|
|
/* If `getrandom(2)` is not available you should fallback to /dev/urandom */
|
|
ssize_t res = getrandom(data, size, 0);
|
|
if (res < 0 || (size_t)res != size ) {
|
|
return 0;
|
|
} else {
|
|
return 1;
|
|
}
|
|
#elif defined(__APPLE__) || defined(__OpenBSD__)
|
|
/* If `getentropy(2)` is not available you should fallback to either
|
|
* `SecRandomCopyBytes` or /dev/urandom */
|
|
int res = getentropy(data, size);
|
|
if (res == 0) {
|
|
return 1;
|
|
} else {
|
|
return 0;
|
|
}
|
|
#endif
|
|
return 0;
|
|
}
|
|
|
|
static void print_hex(unsigned char* data, size_t size) {
|
|
size_t i;
|
|
printf("0x");
|
|
for (i = 0; i < size; i++) {
|
|
printf("%02x", data[i]);
|
|
}
|
|
printf("\n");
|
|
}
|
|
|
|
#if defined(_MSC_VER)
|
|
// For SecureZeroMemory
|
|
#include <Windows.h>
|
|
#endif
|
|
/* Cleanses memory to prevent leaking sensitive info. Won't be optimized out. */
|
|
static void secure_erase(void *ptr, size_t len) {
|
|
#if defined(_MSC_VER)
|
|
/* SecureZeroMemory is guaranteed not to be optimized out by MSVC. */
|
|
SecureZeroMemory(ptr, len);
|
|
#elif defined(__GNUC__)
|
|
/* We use a memory barrier that scares the compiler away from optimizing out the memset.
|
|
*
|
|
* Quoting Adam Langley <agl@google.com> in commit ad1907fe73334d6c696c8539646c21b11178f20f
|
|
* in BoringSSL (ISC License):
|
|
* As best as we can tell, this is sufficient to break any optimisations that
|
|
* might try to eliminate "superfluous" memsets.
|
|
* This method used in memzero_explicit() the Linux kernel, too. Its advantage is that it is
|
|
* pretty efficient, because the compiler can still implement the memset() efficiently,
|
|
* just not remove it entirely. See "Dead Store Elimination (Still) Considered Harmful" by
|
|
* Yang et al. (USENIX Security 2017) for more background.
|
|
*/
|
|
memset(ptr, 0, len);
|
|
__asm__ __volatile__("" : : "r"(ptr) : "memory");
|
|
#else
|
|
void *(*volatile const volatile_memset)(void *, int, size_t) = memset;
|
|
volatile_memset(ptr, 0, len);
|
|
#endif
|
|
}
|