bitcoin-core · gmaxwell · Feb 17, 2015 · Mar 8, 2015
diff --git a/Makefile.am b/Makefile.am
@@ -38,6 +38,8 @@ noinst_HEADERS += src/hash_impl.h
 noinst_HEADERS += src/field.h
 noinst_HEADERS += src/field_impl.h
 noinst_HEADERS += src/bench.h
+noinst_HEADERS += src/bist.h
+noinst_HEADERS += src/bist_impl.h
 
 pkgconfigdir = $(libdir)/pkgconfig
 pkgconfig_DATA = libsecp256k1.pc

diff --git a/configure.ac b/configure.ac
@@ -80,6 +80,10 @@ AC_COMPILE_IFELSE([AC_LANG_SOURCE([[char foo;]])],
       CFLAGS="$saved_CFLAGS"
     ])
 
+AC_ARG_ENABLE(bist,
+    AS_HELP_STRING([--enable-bist],[enable tests at library start (default is yes)]),
+    [use_bist=$enableval],
+    [use_bist=yes])
 
 AC_ARG_ENABLE(benchmark,
     AS_HELP_STRING([--enable-benchmark],[compile benchmark (default is no)]),
@@ -301,12 +305,17 @@ if test x"$set_bignum" = x"gmp"; then
   SECP_INCLUDES="$SECP_INCLUDES $GMP_CPPFLAGS"
 fi
 
+if test x"$use_bist" = x"yes"; then
+  AC_DEFINE(USE_BIST, 1, [Define this symbol to enable built-in self-tests at library start])
+fi
+
 if test x"$use_endomorphism" = x"yes"; then
   AC_DEFINE(USE_ENDOMORPHISM, 1, [Define this symbol to use endomorphism optimization])
 fi
 
 AC_C_BIGENDIAN()
 
+AC_MSG_NOTICE([Using built-in self-tests: $use_bist])
 AC_MSG_NOTICE([Using assembly optimizations: $set_asm])
 AC_MSG_NOTICE([Using field implementation: $set_field])
 AC_MSG_NOTICE([Using bignum implementation: $set_bignum])

diff --git a/src/bench_internal.c b/src/bench_internal.c
@@ -14,6 +14,7 @@
 #include "group_impl.h"
 #include "scalar_impl.h"
 #include "ecmult_impl.h"
+#include "secp256k1.c"
 #include "bench.h"
 
 typedef struct {

diff --git a/src/bist.h b/src/bist.h
@@ -0,0 +1,17 @@
+/**********************************************************************
+ * Copyright (c) 2014, 2015 Gregory Maxwell                           *
+ * Distributed under the MIT software license, see the accompanying   *
+ * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
+ **********************************************************************/
+
+#ifndef _SECP256K1_BIST_H_
+#define _SECP256K1_BIST_H_
+
+#if defined HAVE_CONFIG_H
+#include "libsecp256k1-config.h"
+#endif
+
+void secp256k1_ecdsa_verify_bist(void);
+void secp256k1_pubkey_bist(void);
+
+#endif
diff --git a/src/bist_impl.h b/src/bist_impl.h
diff --git a/src/eckey_impl.h b/src/eckey_impl.h
@@ -34,6 +34,7 @@ static int secp256k1_eckey_pubkey_parse(secp256k1_ge_t *elem, const unsigned cha
 
 static int secp256k1_eckey_pubkey_serialize(secp256k1_ge_t *elem, unsigned char *pub, int *size, int compressed) {
     if (secp256k1_ge_is_infinity(elem)) {
+        *size = 0;
         return 0;
     }
     secp256k1_fe_normalize_var(&elem->x);

diff --git a/src/ecmult_gen_impl.h b/src/ecmult_gen_impl.h
@@ -10,6 +10,7 @@
 #include "scalar.h"
 #include "group.h"
 #include "ecmult_gen.h"
+#include "bist.h"
 
 typedef struct {
     /* For accelerating the computation of a*G:
@@ -91,6 +92,12 @@ static void secp256k1_ecmult_gen_start(void) {
 
     /* Set the global pointer to the precomputation table. */
     secp256k1_ecmult_gen_consts = ret;
+
+#if (defined(USE_BIST) || defined(VERIFY))
+    /* Run built-in self-tests. */
+    secp256k1_pubkey_bist();
+    secp256k1_ecdsa_sign_bist();
+#endif
 }
 
 static void secp256k1_ecmult_gen_stop(void) {

diff --git a/src/ecmult_impl.h b/src/ecmult_impl.h
@@ -10,6 +10,7 @@
 #include "group.h"
 #include "scalar.h"
 #include "ecmult.h"
+#include "bist.h"
 
 /* optimal for 128-bit and 256-bit exponents. */
 #define WINDOW_A 5
@@ -130,6 +131,11 @@ static void secp256k1_ecmult_start(void) {
 
     /* Set the global pointer to the precomputation table. */
     secp256k1_ecmult_consts = ret;
+
+#if (defined(USE_BIST) || defined(VERIFY))
+    /* Run built-in self-tests. */
+    secp256k1_ecdsa_verify_bist();
+#endif
 }
 
 static void secp256k1_ecmult_stop(void) {

diff --git a/src/secp256k1.c b/src/secp256k1.c
@@ -9,6 +9,9 @@
 #include "include/secp256k1.h"
 
 #include "util.h"
+#if defined(USE_BIST) || defined(VERIFY)
+# include "bist_impl.h"
+#endif
 #include "num_impl.h"
 #include "field_impl.h"
 #include "scalar_impl.h"
@@ -220,12 +223,17 @@ int secp256k1_ec_pubkey_create(unsigned char *pubkey, int *pubkeylen, const unsi
     secp256k1_gej_t pj;
     secp256k1_ge_t p;
     secp256k1_scalar_t sec;
+    int overflow;
     DEBUG_CHECK(secp256k1_ecmult_gen_consts != NULL);
     DEBUG_CHECK(pubkey != NULL);
     DEBUG_CHECK(pubkeylen != NULL);
     DEBUG_CHECK(seckey != NULL);
 
-    secp256k1_scalar_set_b32(&sec, seckey, NULL);
+    secp256k1_scalar_set_b32(&sec, seckey, &overflow);
+    if (overflow) {
+        *pubkeylen = 0;
+        return 0;
+    }
     secp256k1_ecmult_gen(&pj, &sec);
     secp256k1_scalar_clear(&sec);
     secp256k1_ge_set_gej(&p, &pj);