Upstream PRs 1268, 1276, 1267, 1265, 1230, 1279, 1273, 1263, 1231, 1285, 1283, 1205, 1286, 1275, 1234, 1239, 1240, 1284, 1277, 1289, 1270, 1296, 1301, 1299, 1066, 1300, 1292, 1305, 1303, 1133, 1306, 1207, 1304, 1307, 1311, 1309, 1312 #256

Also remove the interface it was attached to since it's no longer needed. This removal simplifies the next commit.

…r 0.3.1 656c6ea release cleanup: bump version after 0.3.1 (Jonas Nick) Pull request description: ACKs for top commit: sipa: ACK 656c6ea real-or-random: ACK 656c6ea Tree-SHA512: da24326ed5feaa6a432522bddd64e6c129455cfe55a9e2decfce8c6039f4ce1a1da64233d17200f45d2c142f5414505b9a9b2ef5d136e047c1dd6cfdde1b560d

Pregenerated files that we distribute should not have dependencies in Makefile.am. For rationale, see the comments about the precomputed table files. See also bitcoin/bitcoin#27445 (comment) .

…roof header automatically 06c67de autotools: Don't regenerate Wycheproof header automatically (Tim Ruffing) Pull request description: This is a hot fix for bitcoin/bitcoin#27445 . --- Pregenerated files that we distribute should not have dependencies in Makefile.am. For rationale, see the comments about the precomputed table files. See also bitcoin/bitcoin#27445 (comment) . ACKs for top commit: hebasto: ACK 06c67de RandomLattice: ACK bitcoin-core/secp256k1@06c67de Tree-SHA512: fa7f44eaa1c7e42ecba5829ac1b8ae8b5826d1a1551e01c3caf37af780bd5c102c8f54e88520723937f7016d93c67b62a334c7a28b96c4f422a38fcf8e6a1984

This PR lints tests_wycheproof_generate.py according to pylint. This is a follow-up to PR #1245. Co-authored-by: Sean Andersen <[email protected]>

…eases 1b6fb55 doc: clarify process for patch releases (Jonas Nick) Pull request description: ACKs for top commit: real-or-random: ACK 1b6fb55 Tree-SHA512: 5c1da34c920f66327b91c1fd11ad2eccbb55c5befdb3ba59138faf921ce83d0e7c62de84f2431b0a63433f1edc0f7f0f025a852a76dd3638e3fd583ca13b83e4

…1_wnaf_const{_xonly} a575339 Remove bits argument from secp256k1_wnaf_const (always 256) (Pieter Wuille) Pull request description: There is little reason for having the number of bits in the scalar as a parameter, as I don't think there are any (current) use cases for non-256-bit scalars. ACKs for top commit: jonasnick: ACK a575339 real-or-random: utACK a575339 Tree-SHA512: 994b1f19b4c513f6d070ed259a5d6f221a0c2450271ec824c5eba1cd0ecace276de391c170285bfeae96aaf8f1e0f7fe6260966ded0336c75c522ab6c56d182c

…not both ef49a11 build: allow static or shared but not both (Cory Fields) 36b0adf build: remove warning until it's reproducible (Cory Fields) Pull request description: Continuing from here: bitcoin-core/secp256k1#1224 (comment) Unfortunately it wasn't really possible to keep a clean diff here because of the nature of the change. I suggest reviewing the lib creation stuff in its entirety, sorry about that :\ Rather than allowing for shared and static libs to be built at the same time like autotools, this PR switches to the CMake convention of allowing only 1. A new `BUILD_SHARED_LIBS` option is added to match CMake convention, as well as a `SECP256K1_DISABLE_SHARED` option which overrides it. That way even projects which have `BUILD_SHARED_LIBS=1` can opt-into a static libsecp in particular. Details: Two object libraries are created: `secp256k1_asm` and `secp256k1_precomputed_objs`. Some tests/benchmarks use the object libraries directly, some link against the real lib: `secp256k1`. Because the objs don't know what they're going to be linked into, they need to be told how to deal with PIC. The `DEFINE_SYMBOL` property sets the `DLL_EXPORT` define as necessary (when building a shared lib) ACKs for top commit: hebasto: re-ACK ef49a11, only [suggested](bitcoin-core/secp256k1#1230 (review)) changes since my recent [review](bitcoin-core/secp256k1#1230 (review)). real-or-random: ACK ef49a11 Tree-SHA512: 8870de305176fdb677caff0fdfc6f8c59c0e906489cb72bc9980e551002812685e59e20d731f2a82e33628bdfbb7261eafd6f228038cad3ec83bd74335959600

…ript 35ada3b tests: lint wycheproof's python script (RandomLattice) Pull request description: This PR lints tests_wycheproof_generate.py according to bitcoin's python linting scripts. This is a follow-up to PR #1245. ACKs for top commit: sipa: utACK 35ada3b real-or-random: utACK 35ada3b Tree-SHA512: ea405060d2e73ff3543626687de5bc5282be923b914bd5c8c53e65df8dca9bea0000c416603095efff29bc7ae43c2081454c4e506db0f6805443d023fbffaf4c

…preserve `CPPFLAGS` 1ecb94e build: Make `SECP_VALGRIND_CHECK` preserve `CPPFLAGS` (Hennadii Stepanov) Pull request description: It was overlooked in #862 and #1027. ACKs for top commit: real-or-random: utACK 1ecb94e Tree-SHA512: 263fc600ce9743e4aad767150f706bf7d4325dabb9c363ed57f08fe38faea94d7d1999804947cffeacbe698bb6d959ee6de3f6e50400050a390ecc0db957e426

Useful for embedding secp256k1 in a subproject.

47ac3d6 cmake: Make installation optional (Anna “CyberTailor”) Pull request description: Useful for embedding secp256k1 in a subproject. ACKs for top commit: theuni: ACK 47ac3d6. real-or-random: utACK 47ac3d6 hebasto: ACK 47ac3d6, tested on Ubuntu 23.04. Tree-SHA512: 12ac0ba9dc38adf45684055386280b669384b5a4e528a3f6f4470fd0b7f57d64dfed6a8bb9f0a84cacfcb72f509534d71676c5ba37b27297b1a96676eea44e6e

Available in CMake 3.11+.

`DESCRIPTION` is available in CMake 3.9+. `HOMEPAGE_URL` is available in CMake 3.12+.

Available in CMake 3.12+.

Available in CMake 3.9+.

Available in CMake 3.3+.

…nition out from `include/secp256k1.h` 8e142ca Move `SECP256K1_INLINE` macro definition out from `include/secp256k1.h` (Hennadii Stepanov) 7744589 Remove `SECP256K1_INLINE` usage from examples (Hennadii Stepanov) Pull request description: From [IRC](https://gnusha.org/secp256k1/2023-01-31.log): > 06:29 \< hebasto\> What are reasons to define the `SECP256K1_INLINE` macro in user's `include/secp256k1.h` header, while it is used internally only? > 06:32 \< hebasto\> I mean, any other (or a new dedicated) header in `src` looks more appropriate, no? > 06:35 \< sipa\> I think it may just predate any "utility" internal headers. > 06:42 \< sipa\> I think it makes sense to move it to util.h Pros: - it is a step in direction to better organized headers (in context of #924, #1039) Cons: - code duplication for `SECP256K1_GNUC_PREREQ` macro ACKs for top commit: sipa: utACK 8e142ca real-or-random: utACK bitcoin-core/secp256k1@8e142ca Tree-SHA512: 180e0ba7c2ef242b765f20698b67d06c492b7b70866c21db27c18d8b2e85c3e11f86c6cb99ffa88bbd23891ce3ee8a24bc528f2c91167ec2fddc167463f78eac

To use, invoke `cmake` with argument `--preset dev-mode`. Solves one item in #1235. One disadvantage over `./configure --enable-dev-mode` is that CMake does not provide a way to "hide" presets from users. That is, `cmake --list-presets` will list dev-mode, and it will also appear in `cmake-gui`, even though it's not selectable there due to bug https://gitlab.kitware.com/cmake/cmake/-/issues/23341. (So in our case, that's probably rather a feature than a bug.) We curently use version 3 presets which require CMake 3.21+. Unfortunately, CMake versions before 3.19 may ignore the `--preset` argument silently. So if the preset is not picked up, make sure you have a recent enough CMake version. More unfortunately, we can't even spell this warning out in CMakePresets.json because CMake does not support officially support comments in JSON, see - https://gitlab.kitware.com/cmake/cmake/-/issues/21858 - https://gitlab.kitware.com/cmake/cmake/-/merge_requests/5853 . We could use a hack hinted at in https://gitlab.kitware.com/cmake/cmake/-/issues/21858#note_908543 but that's risky, because it could simply break for future versions, and we probably want to use presets not only for dev mode.

This file is specifically intended for *local* CMake templates (as opposed to CMakePresets.json).

…clude 68b16a1 bench: Make sys/time.h a system include (Tim Ruffing) Pull request description: just because it is minimally more correct ACKs for top commit: hebasto: ACK 68b16a1, I've skimmed through the whole codebase and did not find any more similar cases. Tree-SHA512: 0a929b36202100abf0d14e9328a2dc2b4c9db5532f95514315cb04dd0a970dbbb1dc02c6275be0ec109dc88f6090f6ce48a65003c852fd4dc750decf07e563c4

Also full stops have been added to the option help texts for consistency in cmake-gui.

69e1ec0 Get rid of secp256k1_fe_const_b (Pieter Wuille) Pull request description: Replaces #1282. Its only remaining use is in a test introduced in #1118, and it is easily replaced by the new `secp256k1_fe_add_int` from #1217. ACKs for top commit: real-or-random: utACK 69e1ec0 Tree-SHA512: 6ada192e0643fc5326198b60f019a5081444f9ba0a5b8ba6236f2a526829d8e5e479556600a604d9bc96c7ba86e3aab813f93c66679287d2135e95a2b75f5d3e

…256k1_fe_set_b32 162da73 tests: Add debug helper for printing buffers (Tim Ruffing) e9fd3df field: Improve docs and tests of secp256k1_fe_set_b32 (Tim Ruffing) ca92a35 field: Simplify code in secp256k1_fe_set_b32 (Tim Ruffing) d93f62e field: Verify field element even after secp256k1_fe_set_b32 fails (Tim Ruffing) Pull request description: ACKs for top commit: jonasnick: ACK 162da73 Tree-SHA512: b3ed8e45c969d0420275ff154462f3820b72b57832ccba1f6f427e0cfd9cff3e27440c20994f69ea33a576b1903eb7f04a989f0dbd574bbd96ee56c6dd4500f7

This follows the automake conventions more, see: https://www.gnu.org/software/automake/manual/html_node/Clean.html

This directory may not exist in a VPATH build, see bitcoin/bitcoin#27445 (comment) .

…acro c4062d6 debug: move helper for printing buffers into util.h (Jonas Nick) 3858bad tests: remove extra semicolon in macro (Jonas Nick) Pull request description: ACKs for top commit: real-or-random: utACK c4062d6 hebasto: ACK c4062d6, I have reviewed the code and it looks OK. Tree-SHA512: a2c97433d82c1ab2ba976c4fd8aaf337de5f225abcd459e84dcdab689e77e43d4ed654c971ab7f11f27af12e7a744122a0fdd9ece8e635d7a7041c45e9484de8

…on" MSVC warnings in examples dc0657c build: Fix C4005 "macro redefinition" MSVC warnings in examples (Hennadii Stepanov) Pull request description: This PR: - fixes C4005 "macro redefinition" MSVC warnings in examples - removes warning suppressions in both build systems, Autotools-based and CMake-based ones ACKs for top commit: real-or-random: utACK dc0657c Tree-SHA512: fe3bb8f06b3ff1d51e5e20754a289e0e6b99ddf4c0bd4e6e4786e2558e71e043ab23ff7782a83a902df5db28d18ae65312674c373fdc49f5af252763a22bd0fb

ce5ba9e gitignore: Add CMakeUserPresets.json (Tim Ruffing) 0a446a3 cmake: Add dev-mode CMake preset (Tim Ruffing) Pull request description: To use, invoke `cmake` with argument `--preset dev-mode`. One disadvantage over `./configure --enable-dev-mode` is that CMake does not provide a way to "hide" presets from users. That is, `cmake --list-presets` will list dev-mode, and it will also appear in `cmake-gui`, even though it's not selectable there due to a bug in cmake-gui. Solves one item in #1224. ACKs for top commit: hebasto: ACK ce5ba9e theuni: ACK ce5ba9e Tree-SHA512: c14bd283bd5bf64006bf3a23d72e6e55777b084aff71eb2a002f8ddde1d3549ccb2f08feb2b83366a24272209ab579cac8b73cfc020919adf7f039beb65bc9cc

…ts after bumping CMake up to 3.13 a273d74 cmake: Improve version comparison (Hennadii Stepanov) 6a58b48 cmake: Use `if(... IN_LIST ...)` command (Hennadii Stepanov) 2445808 cmake: Use dedicated `GENERATOR_IS_MULTI_CONFIG` property (Hennadii Stepanov) 9f8703e cmake: Use dedicated `CMAKE_HOST_APPLE` variable (Hennadii Stepanov) 8c20170 cmake: Use recommended `add_compile_definitions` command (Hennadii Stepanov) 04d4cc0 cmake: Add `DESCRIPTION` and `HOMEPAGE_URL` options to `project` command (Hennadii Stepanov) 8a8b653 cmake: Use `SameMinorVersion` compatibility mode (Hennadii Stepanov) Pull request description: This PR: - resolves two items from #1235, including a bugfix with package version compatibility - includes other improvements which have become available for CMake 3.13+. To test the `GENERATOR_IS_MULTI_CONFIG` property on Linux, one can use the "[Ninja Multi-Config](https://cmake.org/cmake/help/latest/generator/Ninja%20Multi-Config.html)" generator: ```sh cmake -S . -B build -G "Ninja Multi-Config" ``` ACKs for top commit: real-or-random: ACK a273d74 theuni: ACK a273d74 Tree-SHA512: f31c4f0f30bf368303e70ab8952cde5cc8c70a5e79a04f879abcbee3d0a8d8c598379fb38f5142cb1f8ff5f9dcfc8b8eb4c13c975a1d05fdcc92d9c805a59d9a

This change drops tinkering with the `COMPILE_OPTIONS` directory property. Also `try_add_compile_option()` can handle a list of flags now, if they are required to be checked simultaneously. An explanatory comments have been added as well.

Actually, `try_append_cflags()` can handle a list of flags, and the new name is similar to the one used in `configure.ac`.

…er flag checks a8d059f cmake, doc: Document compiler flags (Hennadii Stepanov) 6ece150 cmake, refactor: Rename `try_add_compile_option` to `try_append_cflags` (Hennadii Stepanov) 19516ed cmake: Use `add_compile_options()` in `try_add_compile_option()` (Hennadii Stepanov) Pull request description: This PR: - drops tinkering with the `COMPILE_OPTIONS` directory property in `try_add_compile_option()` and renames it to `try_append_cflags()` - copies related comments from `configure.ac` ACKs for top commit: theuni: ACK bitcoin-core/secp256k1@a8d059f . Tree-SHA512: 7ac011c135e12a65c45f4feb7cd74fd2d961ed77252afecf3a66e2af1d57facab446120c63696507b5ecd5bdb3eee1521760a53028b914c429652d00d03a4462

…OJECT_IS_TOP_LEVEL` variable 71f746c cmake: Include `include` directory for subtree builds (Hennadii Stepanov) 5431b9d cmake: Make `SECP256K1_INSTALL` default depend on `PROJECT_IS_TOP_LEVEL` (Hennadii Stepanov) 162608c cmake: Emulate `PROJECT_IS_TOP_LEVEL` for CMake<3.21 (Hennadii Stepanov) Pull request description: This PR: 1. Emulates [`PROJECT_IS_TOP_LEVEL`](https://cmake.org/cmake/help/latest/variable/PROJECT_IS_TOP_LEVEL.html) variable for CMake versions where it is not available. 2. Makes the `SECP256K1_INSTALL` option dependent on `PROJECT_IS_TOP_LEVEL` (a [follow up](bitcoin-core/secp256k1#1263 (comment)) of bitcoin-core/secp256k1#1263). 3. Makes integration of this project as a subtree easier. A top project can `#include <secp256k1.h>` with no additional `target_include_directories()` commands. For example, see https://github.com/hebasto/secp256k1-CMake-example/tree/subtree. ACKs for top commit: theuni: utACK 71f746c. Tree-SHA512: 8ccdbcc94b26f36e772611ebaab0f2846debd6ad20f9e361be31a8d2128a14273acb692b0631026e12cc6cdef6d445dce0fd3beb4f71af47b46dfcf840a18879

…ycheproof 7e977b3 autotools: Take VPATH builds into account when generating testvectors (Tim Ruffing) 2418d32 autotools: Create src/wycheproof dir before creating file in it (Tim Ruffing) 8764034 autotools: Make all "pregenerated" targets .PHONY (Tim Ruffing) e1b9ce8 autotools: Use same conventions for all pregenerated files (Tim Ruffing) 08f4b16 autotools: Move code around to tidy Makefile (Tim Ruffing) 529b54d autotools: Move Wycheproof header from EXTRA_DIST to noinst_HEADERS (Tim Ruffing) Pull request description: Follow-up to bitcoin-core/secp256k1#1245. This builds on top of bitcoin-core/secp256k1#1276. Let's only merge bitcoin-core/secp256k1#1276 as a hotfix for the Core build. ACKs for top commit: hebasto: ACK 7e977b3 Tree-SHA512: 42e09feaed15d903e759360e1dfbd1afce9da07a55512e2e791147b72d9b6477e34ae6028439af57dbcae318081a37ddcf3a630f9617bfea95c130135ba2313f

This change emulates Libtool to make sure Libtool and CMake agree on the ABI version.

An executable target in the `COMMAND` option will automatically be replaced by the location of the executable created at build time. This change fixes tests for Windows binaries using Wine.

…test()` command 755629b cmake: Use full signature of `add_test()` command (Hennadii Stepanov) Pull request description: This PR fixes tests for Windows binaries using Wine: ``` $ cmake -S . -B ../mingw -DCMAKE_TOOLCHAIN_FILE=cmake/x86_64-w64-mingw32.toolchain.cmake $ cmake --build ../mingw $ cmake --build ../mingw -t check Test project /home/hebasto/git/secp256k1/mingw Start 1: noverify_tests Could not find executable noverify_tests ... ``` ACKs for top commit: real-or-random: ACK 755629b Tree-SHA512: d1b24a1f1de2e8b70203132f4f6e685b9a120a987302cefe033fa916dfe7a135dbacaf8174d4046e30be170e92a16d070db54292c038cd2acdecc334f7f516dd

This change fixes MSVC level-3 warning C4334. See: https://learn.microsoft.com/en-us/cpp/error-messages/compiler-warnings/compiler-warning-level-3-c4334 Required to enable level 3 warnings (/W3).

bef448f cmake: Fix library ABI versioning (Hennadii Stepanov) Pull request description: This change emulates Libtool to make sure Libtool and CMake agree on the ABI version. To test, one needs to simulate a release with backward-compatible API changes, which means the following changes in `configure.ac` and `CMakeLists.txt`: - incrementing of `*_LIB_VERSION_CURRENT` - setting `*_LIB_VERSION_REVISION` to zero - incrementing of `*_LIB_VERSION_AGE` ACKs for top commit: real-or-random: ACK bef448f diff looks good and I tested on Linux Tree-SHA512: f7551fc7377ea50c8bc32d14108a034a1f91ebbb63d5fec562e5cc28416637834b9a4dcba3692df1780adcd1212ad4f238dc0219ab5add68bd88a5a458572ee5

…ustom` For the sake of completeness, add the missing descriptions for the return value and parameters (`ctx`, `sig64`, `keypair`), in the same wording/style as for the function `secp256k1_schnorrsig_sign32`.

…on for `secp256k1_schnorrsig_sign_custom` 149c41c docs: complete interface description for `secp256k1_schnorrsig_sign_custom` (Sebastian Falbesoner) Pull request description: ACKs for top commit: real-or-random: utACK 149c41c jonasnick: ACK 149c41c Tree-SHA512: ee677ed6b474b547066ce149688edab7ba6d2572acfbc0989256a669341fff4cf2e17b451cd3fc6fff3944a896647f0f5c1411056678505fa85ba71e8cfe6229

…ench_sign_data; merge them 2e65f1f Avoid using bench_verify_data as bench_sign_data; merge them (Pieter Wuille) Pull request description: The existing bench.c code defines `bench_verify_data data` variable, but some of the benchmarks then use it as `bench_sign`. Fix this by merging the two types into one. ACKs for top commit: stratospher: ACK 2e65f1f. real-or-random: utACK bitcoin-core/secp256k1@2e65f1f Tree-SHA512: 676b43e5d30abd13bfd9595378b1a0bd90a2e713be4f8f713260f989ea8c971b229dfb683cd7a1614665b1688a0bdda7a4019f358dd6cd645e1b3d9f8d71e814

Infinity isn't currently needed here, but correctly handling it is a little more safe against future changes. Update docs for it to make it clear that it is not constant time in A (the input point). It never was constant time in Q (and would be a little complicated to make constant time in A). If it was later made constant time in A, infinity support would be easy to preserve, e.g. by running it on a dummy value and cmoving infinity into the output.

…finity) works, and group verification bbc8344 Avoid secp256k1_ge_set_gej_zinv with uninitialized z (Pieter Wuille) 0a2e0b2 Make secp256k1_{fe,ge,gej}_verify work as no-op if non-VERIFY (Pieter Wuille) f202667 Add invariant checking to group elements (Pieter Wuille) a18821d Always initialize output coordinates in secp256k1_ge_set_gej (Pieter Wuille) 3086cb9 Expose secp256k1_fe_verify to other modules (Pieter Wuille) a0e696f Make secp256k1_ecmult_const handle infinity (Gregory Maxwell) Pull request description: Rebase of #791. * Clean up infinity handling, make x/y/z always initialized for infinity. * Make secp256k1_ecmult_const handle infinity. * Infinity isn't currently needed here, but correctly handling it is a little more safe against future changes. * Update docs for it to make it clear that it is not constant time in Q. It never was constant time in Q (and would be a little complicated to make constant time in Q: needs a constant time addition function that tracks RZR). It isn't typical for ECDH to be constant time in terms of the pubkey. If it was later made constant time in Q infinity support would be easy to preserve, e.g. by running it on a dummy value and cmoving infinity into the output. * Add group verification (`secp256k1_ge_verify` and `secp256k1_gej_verify`, mimicking `secp256k1_fe_verify`). * Make the `secp256k1_{fe,ge,gej}_verify` functions also defined (as no-ops) in non-VERIFY mode. ACKs for top commit: jonasnick: ACK bbc8344 real-or-random: ACK bbc8344 Tree-SHA512: 82cb51faa2c207603aa10359a311ea618fcb5a81ba175bf15515bf84043223db6428434875854cdfce9ae95f9cfd68c74e4e415f26bd574f1791b5dec1615d19

Also split secp256k1_fe_verify into a generic and an implementation specific part.

…nitude/normalized logic 7fc642f Simplify secp256k1_fe_{impl_,}verify (Pieter Wuille) 4e176ad Abstract out verify logic for fe_is_square_var (Pieter Wuille) 4371f98 Abstract out verify logic for fe_add_int (Pieter Wuille) 89e324c Abstract out verify logic for fe_half (Pieter Wuille) 283cd80 Abstract out verify logic for fe_get_bounds (Pieter Wuille) d5aa2f0 Abstract out verify logic for fe_inv{,_var} (Pieter Wuille) 3167646 Abstract out verify logic for fe_from_storage (Pieter Wuille) 76d31e5 Abstract out verify logic for fe_to_storage (Pieter Wuille) 1e6894b Abstract out verify logic for fe_cmov (Pieter Wuille) be82bd8 Improve comments/checks for fe_sqrt (Pieter Wuille) 6ab3508 Abstract out verify logic for fe_sqr (Pieter Wuille) 4c25f6e Abstract out verify logic for fe_mul (Pieter Wuille) e179e65 Abstract out verify logic for fe_add (Pieter Wuille) 7e7ad7f Abstract out verify logic for fe_mul_int (Pieter Wuille) 65d82a3 Abstract out verify logic for fe_negate (Pieter Wuille) 1446708 Abstract out verify logic for fe_get_b32 (Pieter Wuille) f7a7666 Abstract out verify logic for fe_set_b32 (Pieter Wuille) ce4d209 Abstract out verify logic for fe_cmp_var (Pieter Wuille) 7d7d43c Improve comments/check for fe_equal{,_var} (Pieter Wuille) c5e788d Abstract out verify logic for fe_is_odd (Pieter Wuille) d3f3fe8 Abstract out verify logic for fe_is_zero (Pieter Wuille) c701d9a Abstract out verify logic for fe_clear (Pieter Wuille) 19a2bfe Abstract out verify logic for fe_set_int (Pieter Wuille) 864f9db Abstract out verify logic for fe_normalizes_to_zero{,_var} (Pieter Wuille) 6c31371 Abstract out verify logic for fe_normalize_var (Pieter Wuille) e28b51f Abstract out verify logic for fe_normalize_weak (Pieter Wuille) b6b6f9c Abstract out verify logic for fe_normalize (Pieter Wuille) 7fa5195 Bugfix: correct SECP256K1_FE_CONST mag/norm fields (Pieter Wuille) b29566c Merge magnitude/normalized fields, move/improve comments (Pieter Wuille) Pull request description: Right now, all the logic for propagating/computing the magnitude/normalized fields in `secp256k1_fe` (when `VERIFY` is defined) and the code for checking it, is duplicated across the two field implementations. I believe that is undesirable, as these properties should purely be a function of the performed fe_ functions, and not of the choice of field implementation. This becomes even uglier with #967, which would copy all that, and even needs an additional dimension that would then need to be added to the two other fields. It's also related to #1001, which I think will become easier if it doesn't need to be done/reasoned about separately for every field. This PR moves all logic around these fields (collectively called field verification) to implementations in field_impl.h, which dispatch to renamed functions in field_*_impl.h for the actual implementation. Fixes #1060. ACKs for top commit: jonasnick: ACK 7fc642f real-or-random: ACK 7fc642f Tree-SHA512: 0f94e13fedc47e47859261a182c4077308f8910495691f7e4d7877d9298385172c70e98b4a1e270b6bde4d0062b932607106306bdb35a519cdeab9695a5c71e4

97c63b9 Avoid normalize conditional on VERIFY (Pieter Wuille) Pull request description: In the old code, `secp256k1_gej_rescale` requires a normalized input in VERIFY mode, but not otherwise. Its requirements shouldn't depend on this mode being enabled or not. ACKs for top commit: real-or-random: utACK 97c63b9 I've also verified that the loop in secp256k1_ecmult_strauss_wnaf holds up the invariant that the magnitude of Z is 1, even with the normalization removed jonasnick: ACK 97c63b9 Tree-SHA512: 9598c133c6f4e488c74512089dabe0508529f20ca782be1c8fbeae9d7f132da9d570a061053acd3d245a9a187abf1f2581207441ce6aac8d0f8972cf357a349f

- secp256k1_scalar_cadd_bit - secp256k1_modinvXX_normalize_YY - secp256k1_modinvXX_divsteps_ZZ - ECMULT_CONST_TABLE_GET_GE Even though those code loations are not problematic right now (with current compilers).

d1e48e5 refactor: Make 64-bit shift explicit (Hennadii Stepanov) b2e29e4 ci: Treat all compiler warnings as errors in "Windows (VS 2022)" task (Hennadii Stepanov) Pull request description: ACKs for top commit: real-or-random: utACK d1e48e5 jonasnick: ACK d1e48e5 Tree-SHA512: fd07c8c136b1c947900d45b5a4ad4963e2c29884aca62a26be07713dfd1b0c5e7655f07a0b99217fc055bf3266e71cb5edabbd4d5c145a172b4be5d10f7ad51c

712e7f8 Remove unused scratch space from API (Jonas Nick) Pull request description: Not sure if we want the typedef and `secp256k1_scratch_space_{create,destroy}` but if we don't keep them then this PR will be a rather large diff. ACKs for top commit: sipa: ACK 712e7f8 real-or-random: utACK 712e7f8 Tree-SHA512: b3a8feb0fe4639d5e48b708ccbf355bca5da658a291f63899086d2bbeb6d0ab33e3dcd55d8984ec7fa803f757b7d02e71bcb7e7eeecaab52ffc70ae85dce8c44

17fa217 ct: Be cautious and use volatile trick in more "conditional" paths (Tim Ruffing) 5fb336f ct: Use volatile trick in scalar_cond_negate (Tim Ruffing) Pull request description: ACKs for top commit: sipa: ACK 17fa217 jonasnick: ACK 17fa217 Tree-SHA512: 4a0fbee7b1cce4f4647bff697c0e645d93aa8fb49777feef5eb1e1eadce2116bafdcc6175c066ee4fe4bf1340047311e2d7d2c48bb288867a837ecd6c8687121

…ariable-length messages cd54ac7 schnorrsig: Improve docs of schnorrsig_sign_custom (Tim Ruffing) 28687b0 schnorrsig: Add BIP340 varlen test vectors (Tim Ruffing) 97a98be schnorrsig: Refactor test vector code to allow varlen messages (Tim Ruffing) Pull request description: ACKs for top commit: sipa: ACK cd54ac7. I didn't verify the included test vectors match the BIP. jonasnick: ACK cd54ac7 Tree-SHA512: 268140e239b703aaf79825de2263675a8c31bef999f013ea532b0cd7b80f2d600d78f3872209a93774ba4dbc0a046108e87d151fc4604882c5636876026a0816

…al default callbacks 1907f0f build: Make tests work with external default callbacks (Tim Ruffing) Pull request description: ACKs for top commit: sipa: ACK 1907f0f jonasnick: ACK 1907f0f Tree-SHA512: 198598f7bf5292bf5709187f9a40ddf9a0fba93e8b62afb49df2c05b4ef61c394cea43ee07615b51ceea97862228d8ad351fddef13c190cb2e6690943ed63128

… normalizing variants 5b32602 Split fe_set_b32 into reducing and normalizing variants (Pieter Wuille) Pull request description: Follow-up to #1205. This splits the `secp256k1_fe_set_b32` function into two variants: * `secp256k1_fe_set_b32_mod`, which returns `void`, reduces modulo the curve order, and only promises weakly normalized output. * `secp256k1_fe_set_b32_limit`, which returns `int` indicating success/failure, and only promises valid output in case the input is in range (but guarantees it's strongly normalized in this case). This removes one of the few cases in the codebase where normalization status depends on runtime values, making it fixed at compile-time instead. ACKs for top commit: real-or-random: ACK 5b32602 jonasnick: ACK 5b32602 Tree-SHA512: 4b93502272638c6ecdef4d74afa629e7ee540c0a20b377dccedbe567857b56c4684fad3af4b4293ed7ba35fed4aa5d0beaacdd77a903f44f24e8d87305919b61

In the existing code, the compiler is allowed to allocate the RSI register for outputs m0, m1, or m2, which are written to before the input in RSI is read from. Fix this by marking them as early clobber. Reported by ehoffman2 in bitcoin-core/secp256k1#766

In the field 5x52 asm for x86_64, stack variables are provided as outputs. The existing inputs are all forcibly allocated to registers, so cannot coincide, but mark them as early clobber anyway to make this clearer.

…ck if it's really supported c6bb29b build: Rename `64bit` to `x86_64` (Hennadii Stepanov) 0324645 autotools: Add `SECP_ARM32_ASM_CHECK` macro (Hennadii Stepanov) ed4ba23 cmake: Add `check_arm32_assembly` function (Hennadii Stepanov) e5cf4bf build: Rename `arm` to `arm32` (Hennadii Stepanov) Pull request description: Closes bitcoin-core/secp256k1#1034. Solves one item in bitcoin-core/secp256k1#1235. ACKs for top commit: real-or-random: ACK c6bb29b tested on x86_64 but not on ARM Tree-SHA512: c3615a18cfa30bb2cc53be18c09ccab08fc800b84444d8c6b333347b4db039a3981da61e7da5086dd9f4472838d7c031d554be9ddc7c435ba906852bba593982

…y clobber 8c9ae37 Add release note (Pieter Wuille) 350b4bd Mark stack variables as early clobber for technical correctness (Pieter Wuille) 0c729ba Bugfix: mark outputs as early clobber in scalar x86_64 asm (Pieter Wuille) Pull request description: ACKs for top commit: real-or-random: ACK 8c9ae37 jonasnick: ACK 8c9ae37 Tree-SHA512: 874d01f5540d14b5188aec25f6441dbc6631f8d3980416040a3e250f1aef75150068415e7a458a9a3fb0d7cbdeb97f5c7e089b187d6d3dd79aa6e45274c241b6

This reverts commit 712e7f8.

…e from API" 3ad1027 Revert "Remove unused scratch space from API" (Jonas Nick) Pull request description: This reverts commit 712e7f8. Removing the scratch space from the API may break bindings to the library. ACKs for top commit: sipa: ACK 3ad1027 real-or-random: ACK 3ad1027 Tree-SHA512: ad394c0a2f83fe3a5f400c0e8f2b9bf40037ce4141d4414e6345918f5e6003c61da02a538425a49bdeb5700f5ecb713bd58f5752c0715fb1fcc4950099fdc0e6

697e1cc changelog: Catch up (Tim Ruffing) 76b43f3 changelog: Add entry for #1303 (Tim Ruffing) Pull request description: ACKs for top commit: sipa: ACK 697e1cc jonasnick: ACK 697e1cc Tree-SHA512: cfeb513effc69925bdedd3a298b1e2e5bf7709f68b453a5f157c584560b5400c3dc8b9ce87a775281cdea9db7f44e7e1337fbc93563f6efe350fe5defacbc4f6

d490ca2 release: Prepare for 0.3.2 (Tim Ruffing) Pull request description: ACKs for top commit: sipa: ACK d490ca2 hebasto: ACK d490ca2 jonasnick: ACK d490ca2 Tree-SHA512: 0785e9654974b25977dcdb00fe2e91d79a941143d278e315b96238e18c7aedd5814c2534c0aff356d8d4bb456ff8b815bea3657b99243e0a8296bbe635329cfb

5b0444a a6f4bcf 5ec1333 f6bef03 1f33bb2 1c89536 6b7e5b7 596b336 4b84f4b 024a409 222ecaf 4b0f711 3c81838 f30c748 1cf15eb 24c768a 341cc19 c63ec88 54d34b6 073d98a 9eb6934 ab5a917 fb3a806 006ddc1 3353d3c b54a067 7d4f86d e8295d0 3e3d125 acf5c55 ' into temp-merge-1312

This is similar to the upstream commit "Normalize ge produced from secp256k1_pubkey_load".

Commits on Apr 17, 2023

build: allow static or shared but not both

theuni committed Apr 17, 2023

Configuration menu

View commit details

Copy full SHA for ef49a11

Browse repository at this point

Copy the full SHA

ef49a11 View commit details

Browse the repository at this point in the history

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Upstream PRs 1268, 1276, 1267, 1265, 1230, 1279, 1273, 1263, 1231, 1285, 1283, 1205, 1286, 1275, 1234, 1239, 1240, 1284, 1277, 1289, 1270, 1296, 1301, 1299, 1066, 1300, 1292, 1305, 1303, 1133, 1306, 1207, 1304, 1307, 1311, 1309, 1312 #256

Upstream PRs 1268, 1276, 1267, 1265, 1230, 1279, 1273, 1263, 1231, 1285, 1283, 1205, 1286, 1275, 1234, 1239, 1240, 1284, 1277, 1289, 1270, 1296, 1301, 1299, 1066, 1300, 1292, 1305, 1303, 1133, 1306, 1207, 1304, 1307, 1311, 1309, 1312 #256

Commits on Feb 1, 2023

Commits on Mar 9, 2023

Commits on Mar 21, 2023

Commits on Apr 10, 2023

Commits on Apr 11, 2023

Commits on Apr 13, 2023

Commits on Apr 14, 2023

Commits on Apr 17, 2023

Commits on Apr 18, 2023

Commits on Apr 19, 2023

Commits on Apr 20, 2023

Commits on Apr 21, 2023

Commits on Apr 25, 2023

Commits on Apr 26, 2023

Commits on Apr 27, 2023

Commits on Apr 28, 2023

Commits on Apr 29, 2023

Commits on Apr 30, 2023

Commits on May 2, 2023

Commits on May 3, 2023

Commits on May 8, 2023

Commits on May 9, 2023

Commits on May 10, 2023

Commits on May 11, 2023

Commits on May 12, 2023

Commits on May 13, 2023

Commits on Jul 24, 2023

Commits on Jul 25, 2023