-
Notifications
You must be signed in to change notification settings - Fork 270
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add no-std support #100
Add no-std support #100
Conversation
Ok, I don't like the |
So this might influence your thoughts on types.rs vs libc feature, |
|
|
Ok, so about 1, I see a few possibilities.
|
It's really surprising to me that there aren't different types for different architectures. Regarding accepting an Regarding the |
It's in runtime. Maybe adding a new serliaze_mut or serialize_no_vec or something similiar and the regular one won't be available without std |
Wait. Not on compilation, it's in runtime. Sorry my mistake. |
Yeah, good idea naming the alternate And if there are runtime issues this is fine; during context creation we can use the FFI functions |
@apoelstra Thanks for the feedback. BTW how does this work? https://github.com/rust-bitcoin/rust-secp256k1/blob/master/src/lib.rs#L338 |
No, the C code does not do allocations. My understanding was that |
@apoelstra It's stored in the RawVec struct: https://doc.rust-lang.org/1.26.0/src/alloc/raw_vec.rs.html#52 You can also see the docs about |
@elichai The |
If you're using "allocate" to refer to setting the vector's length, we do this manually after the FFI call by calling the unsafe |
@apoelstra Ok, I were wrong and you were right. I'm really Sorry for the confusion |
So my problems appears neither in compilation nor in runtime.
|
@apoelstra how do you want to proceed with this? |
@elichai I'll create a simple PR to secp256k1 tomorrow that should make it possible to build it without stdio.h (I'm runing into similar problems with a different project). |
@real-or-random Thanks! tag me in it so i'll follow when it gets merged :) |
So I think it's best to put this on hold until these two are figured out: |
I just thought of another interesting way to make the |
Oh! Yeah, I like this idea. We could call it a |
Should that be as part of |
I think we should go ahead and break the API and change |
BTW, is it using this: https://github.com/rust-bitcoin/rust-secp256k1/blob/master/src/ffi.rs#L419 or the one from the bindings? (https://github.com/rust-bitcoin/rust-secp256k1/blob/master/src/ffi.rs#L198) If the rust one, what do you think about a re-implementation in safe rust? |
We are using the FFI one. The other is something Matt wrote for fuzzing; I doubt that it actually serializes a signature (though it might); these implementations are there to provide low-complexity mock implementations of the crypto, to prevent the fuzzer getting lost trying to break cryptography. I like the idea of a safe reimplementation, though it does create a layer violation: the types exposed by the underlying |
Cool. I'm happy with the result. Can you rebase/squash so that we don't go through the |
Done. (the changes from before the rebasing to after are here if you're interested: https://github.com/rust-bitcoin/rust-secp256k1/compare/0e0d8df84b001da2ba42c07205ad39e739c532ad..41af612ae277962b4b1747c5b58704bd40e1819d ) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
looks good to me overall :)
src/types.rs
Outdated
pub type c_int = i32; | ||
pub type c_uchar = u8; | ||
pub type c_uint = u32; | ||
pub type c_void = c_uchar; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is it really correct to just use u8
for c_void
? That comment makes me think otherwise https://doc.rust-lang.org/src/core/ffi.rs.html#21 (though I don't understand it).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In one of the comments here I think @apoelstra pointed out that *void is almost equivalent to *char, it's hard to look for resolved comments on the phone.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
But wouldn't it be cleaner to copy the enum implementation with the two variants? It's just three lines of code, so it wouldn't hurt I guess.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agree with real-or-random. I don't mind type-punning *c_void
for *c_uchar
but the base types c_void
and c_uchar
are very different.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So I see two options.
one is to remove the c_void
type and replace the pointers to *c_uchar
, another is what @real-or-random suggested and copy the enum implementation.
I'm really no expert in C and don't know the implications if someone later on misuse c_void
with c_uchar
so I don't have any opinion on this, I think it should be as foolproof as possible.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should copy the enum implementation and link to the libc code, and mention that in Rust 1.30 we will be able to just use core::ffi
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, FYI c_void != void
.
but *const c_void == const void*
and *mut c_void == void*
5f04fcb
to
f42cfcb
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK. Thank you for your patience!!
cc @real-or-random @jonasnick can you also approve since you've been guiding this PR?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ACK
See rust-bitcoin/rust-secp256k1#100 to review commit that caused failure
e49f799 Add missing #(un)defines to base-config.h (Tim Ruffing) 77defd2 Add secp256k1_ prefix to default callback functions (Tim Ruffing) 908bdce Include stdio.h and stdlib.h explicitly in secp256k1.c (Tim Ruffing) 5db782e Allow usage of external default callbacks (Tim Ruffing) 6095a86 Replace CHECKs for no_precomp ctx by ARG_CHECKs without a return (Tim Ruffing) Pull request description: This is intended for environments without implementations for `abort()`, `fprintf()`, and `stderr`. e.g., embedded systems. Those can provide their own implementations of `default_illegal_callback_fn` and `default_error_callback_fn` at compile time. If you want to use your own default callback, things will be somewhat inconsistent unfortunately: We cannot make the callback data `extern` too, because then the initialization lists for `default_illegal_callback` won't contain only constants. (`const` variables are not compile-time constants). So you cannot take callback data in your own default callback function. As a more drastic/breaking alternative I suggest to remove the callback data entirely. I don't think it's a big loss and I would be surprised if anyone uses it. Additionally, we could even remove the possibility to set the callback function at runtime after this PR. This will simplify things a lot, and again I don't think it's a big loss. Note that `abort()`, `fprintf()`, and `stderr` are also used in `CHECK`, which is still used in production code if we rely on gmp for scalar and field inversions (e.g., https://github.com/bitcoin-core/secp256k1/blob/master/src/scalar_impl.h#L240). This is not an issue for embedded system which probably don't want to use gmp anyway, but it is probably an issue for the reasons explained in #566 (comment). (related downstream: rust-bitcoin/rust-secp256k1#100 @elichai) ACKs for commit e49f79: Tree-SHA512: 4dec0821eef4156cbe162bd8cdf0531c1fae8c98cd9db8438170ff1aa0e59b199739eeab293695bb582246812bea5309959f02f1fb74bb57872da54ebc52313f
Hi,
This make this library support
no-std
.first I replaced everything from std to get it from core.
then I had 2 things that I had to change and would love you input:
the C types from
std::os::raw
, I see few options. one which I did is just declare it manually which I don't really love, another is to make a feature if it will be received from std or libc.Replacing the Vec in the DER serialization. I talked with Maxwell and he told me that the signature can be anywhere between 8 and 72 bytes, so the only way I thought I can achieve this without breaking the API is using the ArrayVec crate which initializes the Vector on the stack,
A different approach will be accepting
&mut [u8; 72]
and returning a slice to the correct signature that will be a part of that mutable.