replace `fuzztarget` Cargo feature with a rustc --cfg flag

It's super dangerous to use Cargo features for this, since they can be set
accidentally (or maliciously by any crate in a user's entire dep tree). Instead
we can just require users set `RUSTFLAGS` appropriately, which we can easily
do in our fuzzing scripts.

Cargo.toml

@@ -26,9 +26,6 @@ endomorphism = ["secp256k1-sys/endomorphism"]
 lowmemory = ["secp256k1-sys/lowmemory"]
 global-context = ["std", "rand-std"]
 
-# Do not use this feature! HAZMAT. (meant for Fuzzing only. this is *BROKEN CRYPTOGRAPHY*)
-fuzztarget = ["secp256k1-sys/fuzztarget"]
-
 [dependencies]
 secp256k1-sys = { version = "0.3.1", default-features = false, path = "./secp256k1-sys" }
 bitcoin_hashes = { version = "0.9", optional = true }

README.md

@@ -35,3 +35,12 @@ before_script:
     cargo generate-lockfile --verbose && cargo update -p cc --precise "1.0.41" --verbose;
     fi
 ```
+
+## Fuzzing
+
+If you want to fuzz this library, or any library which depends on it, you will
+probably want to disable the actual cryptography, since fuzzers are unable to
+forge signatures and therefore won't test many interesting codepaths. To instead
+use a trivially-broken but fuzzer-accessible signature scheme, compile with
+`--cfg=rust_secp_fuzz` in your `RUSTFLAGS` variable.
+

contrib/test.sh

@@ -31,8 +31,8 @@ if [ "$DO_FEATURE_MATRIX" = true ]; then
     done
 
     # Other combos 
-    cargo test --no-run --verbose --features="fuzztarget"
+    RUSTFLAGS='--cfg=rust_secp_fuzz' cargo test --no-run --verbose
-    cargo test --no-run --verbose --features="fuzztarget recovery"
+    RUSTFLAGS='--cfg=rust_secp_fuzz' cargo test --no-run --verbose --features="recovery"
     cargo test --verbose --features="rand rand-std"
     cargo test --verbose --features="rand serde"
 

secp256k1-sys/Cargo.toml

@@ -31,5 +31,3 @@ endomorphism = []
 lowmemory = []
 std = []
 
-# Do not use this feature! HAZMAT. (meant for Fuzzing only. this is *BROKEN CRYPTOGRAPHY*)
-fuzztarget = []

secp256k1-sys/src/lib.rs

@@ -93,7 +93,7 @@ pub type SchnorrNonceFn = unsafe extern "C" fn(
 #[derive(Clone, Debug)]
 #[repr(C)] pub struct Context(c_int);
 
-#[cfg(feature = "fuzztarget")]
+#[cfg(rust_secp_fuzz)]
 impl Context {
     pub fn flags(&self) -> u32 {
         self.0 as u32
@@ -260,7 +260,7 @@ impl hash::Hash for KeyPair {
     }
 }
 
-#[cfg(not(feature = "fuzztarget"))]
+#[cfg(not(rust_secp_fuzz))]
 extern "C" {
     /// Default ECDH hash function
     #[cfg_attr(not(rust_secp_no_symbol_renaming), link_name = "rustsecp256k1_v0_3_1_ecdh_hash_function_default")]
@@ -674,7 +674,7 @@ impl<T> CPtr for [T] {
 
 
 
-#[cfg(feature = "fuzztarget")]
+#[cfg(rust_secp_fuzz)]
 mod fuzz_dummy {
     extern crate std;
     use self::std::{ptr, mem};
@@ -1156,7 +1156,8 @@ mod fuzz_dummy {
         unimplemented!();
     }
 }
-#[cfg(feature = "fuzztarget")]
+
+#[cfg(rust_secp_fuzz)]
 pub use self::fuzz_dummy::*;
 
 

secp256k1-sys/src/recovery.rs

@@ -16,7 +16,7 @@
 //! # FFI of the recovery module
 
 use ::types::*;
-#[cfg(not(feature = "fuzztarget"))]
+#[cfg(not(rust_secp_fuzz))]
 use ::{Context, Signature, NonceFn, PublicKey};
 
 /// Library-internal representation of a Secp256k1 signature + recovery ID
@@ -36,7 +36,7 @@ impl Default for RecoverableSignature {
     }
 }
 
-#[cfg(not(feature = "fuzztarget"))]
+#[cfg(not(rust_secp_fuzz))]
 extern "C" {
     #[cfg_attr(not(rust_secp_no_symbol_renaming), link_name = "rustsecp256k1_v0_3_1_ecdsa_recoverable_signature_parse_compact")]
     pub fn secp256k1_ecdsa_recoverable_signature_parse_compact(cx: *const Context, sig: *mut RecoverableSignature,
@@ -70,7 +70,7 @@ extern "C" {
 }
 
 
-#[cfg(feature = "fuzztarget")]
+#[cfg(rust_secp_fuzz)]
 mod fuzz_dummy {
     extern crate std;
     use self::std::ptr;
@@ -126,6 +126,6 @@ mod fuzz_dummy {
         unimplemented!();
     }
 }
-#[cfg(feature = "fuzztarget")]
+#[cfg(rust_secp_fuzz)]
 pub use self::fuzz_dummy::*;