context: introduce global rerandomizable context (std only)

This introduces the new global context API when std is enabled, using
thread locals to allow rerandomizing the context after sensitive
operations. As you can see, even the simple case involves some unsafe
code and is a bit tricky to implement.

Author: apoelstra

src/context/internal_std.rs

@@ -0,0 +1,75 @@
+// SPDX-License-Identifier: CC0-1.0
+
+use std::cell::RefCell;
+use std::marker::PhantomData;
+use std::mem::ManuallyDrop;
+use std::ptr::NonNull;
+
+use secp256k1_sys as ffi;
+
+use crate::{All, Context, Secp256k1};
+
+thread_local! {
+    static SECP256K1: RefCell<Secp256k1<All>> = RefCell::new(Secp256k1::new());
+}
+
+/// Borrows the global context and do some operation on it.
+///
+/// If provided, after the operation is complete, [`rerandomize_global_context`]
+/// is called on the context. If you have some random data available,
+pub fn with_global_context<T, Ctx: Context, F: FnOnce(&Secp256k1<Ctx>) -> T>(
+    f: F,
+    rerandomize_seed: Option<&[u8; 32]>,
+) -> T {
+    with_raw_global_context(
+        |ctx| {
+            let secp = ManuallyDrop::new(Secp256k1 { ctx, phantom: PhantomData });
+            f(&*secp)
+        },
+        rerandomize_seed,
+    )
+}
+
+/// Borrows the global context as a raw pointer and do some operation on it.
+///
+/// If provided, after the operation is complete, [`rerandomize_global_context`]
+/// is called on the context. If you have some random data available,
+pub fn with_raw_global_context<T, F: FnOnce(NonNull<ffi::Context>) -> T>(
+    f: F,
+    rerandomize_seed: Option<&[u8; 32]>,
+) -> T {
+    SECP256K1.with(|secp| {
+        let borrow = secp.borrow();
+        let ret = f(borrow.ctx);
+        drop(borrow);
+
+        if let Some(seed) = rerandomize_seed {
+            rerandomize_global_context(seed);
+        }
+        ret
+    })
+}
+
+/// Rerandomize the global context, using the given data as a seed.
+///
+/// The provided data will be mixed with the entropy from previous calls in a timing
+/// analysis resistant way. It is safe to directly pass secret data to this function.
+pub fn rerandomize_global_context(seed: &[u8; 32]) {
+    SECP256K1.with(|secp| {
+        let mut borrow = secp.borrow_mut();
+
+        // If we have access to the thread rng then use it as well.
+        #[cfg(feature = "rand")]
+        {
+            let mut new_seed: [u8; 32] = rand::random();
+            for (new, byte) in mask.iter_mut().zip(seed.iter()) {
+                *new ^= *byte;
+            }
+            borrow.seeded_randomize(&new_seed);
+        }
+        #[cfg(not(feature = "rand"))]
+        {
+            borrow.seeded_randomize(seed);
+        }
+    });
+}

src/context/mod.rs

@@ -10,6 +10,12 @@ use crate::ffi::types::{c_uint, c_void, AlignedType};
 use crate::ffi::{self, CPtr};
 use crate::{Error, Secp256k1};
 
+#[cfg_attr(feature = "std", path = "internal_std.rs")]
+mod internal;
+
+#[cfg(feature = "std")]
+pub use internal::{rerandomize_global_context, with_global_context, with_raw_global_context};
+
 #[cfg(all(feature = "global-context", feature = "std"))]
 /// Module implementing a singleton pattern for a global `Secp256k1` context.
 pub mod global {

src/lib.rs

@@ -184,6 +184,10 @@ pub use secp256k1_sys as ffi;
 #[cfg(feature = "serde")]
 pub use serde;
 
+#[cfg(feature = "std")]
+pub use crate::context::{
+    rerandomize_global_context, with_global_context, with_raw_global_context,
+};
 #[cfg(feature = "alloc")]
 pub use crate::context::{All, SignOnly, VerifyOnly};
 pub use crate::context::{