Squashed 'src/secp256k1/' changes from bdf3900..4258c54

4258c54 Merge bitcoin-core/secp256k1#1276: autotools: Don't regenerate Wycheproof header automatically
06c67de autotools: Don't regenerate Wycheproof header automatically
3bab71c Merge bitcoin-core/secp256k1#1268: release cleanup: bump version after 0.3.1
656c6ea release cleanup: bump version after 0.3.1
346a053 Merge bitcoin-core/secp256k1#1269: changelog: Fix link
6a37b2a changelog: Fix link
ec98fce Merge bitcoin-core/secp256k1#1266: release: Prepare for 0.3.1
898e1c6 release: Prepare for 0.3.1
1d9a13f changelog: Remove inconsistent newlines
0e09166 changelog: Catch up in preparation of 0.3.1
7b7503d Merge bitcoin-core/secp256k1#1245: tests: Add Wycheproof ECDSA vectors
145078c Merge bitcoin-core/secp256k1#1118: Add x-only ecmult_const version with x specified as n/d
e5de454 tests: Add Wycheproof ECDSA vectors
0f86420 Add exhaustive tests for ecmult_const_xonly
4485926 Add x-only ecmult_const version for x=n/d
a0f4644 Merge bitcoin-core/secp256k1#1252: Make position of * in pointer declarations in include/ consistent
4e68262 Merge bitcoin-core/secp256k1#1226: Add CMake instructions to release process
2d51a45 Merge bitcoin-core/secp256k1#1257: ct: Use volatile "trick" in all fe/scalar cmov implementations
4a496a3 ct: Use volatile "trick" in all fe/scalar cmov implementations
3d1f430 Make position of * in pointer declarations in include/ consistent
2bca0a5 Merge bitcoin-core/secp256k1#1241: build: Improve `SECP_TRY_APPEND_DEFAULT_CFLAGS` macro
afd8b23 Merge bitcoin-core/secp256k1#1244: Suppress `-Wunused-parameter` when building for coverage analysis
1d8f367 Merge bitcoin-core/secp256k1#1250: No need to subtract 1 before doing a right shift
3e43041 No need to subtract 1 before doing a right shift
3addb4c build: Improve `SECP_TRY_APPEND_DEFAULT_CFLAGS` macro
0c07c82 Add CMake instructions to release process
464a911 Merge bitcoin-core/secp256k1#1242: Set ARM ASM symbol visibility to `hidden`
f16a709 Merge bitcoin-core/secp256k1#1247: Apply Checks only in VERIFY mode.
70be3ca Merge bitcoin-core/secp256k1#1246: Typo
4ebd828 Apply Checks only in VERIFY mode.
d1e7ca1 Typo
5bb03c2 Replace `SECP256K1_ECMULT_TABLE_VERIFY` macro by a function
9c8c4f4 Merge bitcoin-core/secp256k1#1238: build: bump CMake minimum requirement to 3.13
0cf2fb9 Merge bitcoin-core/secp256k1#1243: build: Ensure no optimization when building for coverage analysis
fd2a408 Set ARM ASM symbol visibility to `hidden`
4429a8c Suppress `-Wunused-parameter` when building for coverage analysis
8e79c7e build: Ensure no optimization when building for coverage analysis
96dd062 build: bump CMake minimum requirement to 3.13
427bc3c Merge bitcoin-core/secp256k1#1236: Update comment for secp256k1_modinv32_inv256
647f0a5 Update comment for secp256k1_modinv32_inv256
5658209 Merge bitcoin-core/secp256k1#1228: release cleanup: bump version after 0.3.0
28e63f7 release cleanup: bump version after 0.3.0

git-subtree-dir: src/secp256k1
git-subtree-split: 4258c54

Author: sipa

Makefile.am

@@ -350,3 +350,20 @@ if TARGET_LINUX
 	$(AM_V_at) CC='$(CC)' CFLAGS='$(CFLAGS)' CPPFLAGS='$(CPPFLAGS)' LDFLAGS='$(LDFLAGS)' $(PYTHON) $(top_srcdir)/contrib/devtools/test-security-check.py TestSecurityChecks.test_ELF
 	$(AM_V_at) CC='$(CC)' CFLAGS='$(CFLAGS)' CPPFLAGS='$(CPPFLAGS)' LDFLAGS='$(LDFLAGS)' $(PYTHON) $(top_srcdir)/contrib/devtools/test-symbol-check.py TestSymbolChecks.test_ELF
 endif
+
+EXTRA_DIST += src/wycheproof/WYCHEPROOF_COPYING
+EXTRA_DIST += src/wycheproof/ecdsa_secp256k1_sha256_bitcoin_test.h
+EXTRA_DIST += src/wycheproof/ecdsa_secp256k1_sha256_bitcoin_test.json
+EXTRA_DIST += tools/tests_wycheproof_generate.py
+
+TESTVECTORS = src/wycheproof/ecdsa_secp256k1_sha256_bitcoin_test.h
+
+src/wycheproof/ecdsa_secp256k1_sha256_bitcoin_test.h:
+	python3 tools/tests_wycheproof_generate.py src/wycheproof/ecdsa_secp256k1_sha256_bitcoin_test.json > $@
+
+testvectors: $(TESTVECTORS)
+
+maintainer-clean-testvectors: clean-testvectors
+
+clean-testvectors:
+	rm -f $(TESTVECTORS)

src/secp256k1/CHANGELOG.md

@@ -7,6 +7,21 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+## [0.3.1] - 2023-04-10
+We strongly recommend updating to 0.3.1 if you use or plan to use Clang >=14 to compile libsecp256k1, e.g., Xcode >=14 on macOS has Clang >=14. When in doubt, check the Clang version using `clang -v`.
+
+#### Security
+ - Fix "constant-timeness" issue with Clang >=14 that could leave applications using libsecp256k1 vulnerable to a timing side-channel attack. The fix avoids secret-dependent control flow and secret-dependent memory accesses in conditional moves of memory objects when libsecp256k1 is compiled with Clang >=14.
+
+#### Added
+  - Added tests against [Project Wycheproof's](https://github.com/google/wycheproof/) set of ECDSA test vectors (Bitcoin "low-S" variant), a fixed set of test cases designed to trigger various edge cases.
+
+#### Changed
+ - Increased minimum required CMake version to 3.13. CMake builds remain experimental.
+
+#### ABI Compatibility
+The ABI is compatible with version 0.3.0.
+
 ## [0.3.0] - 2023-03-08
 
 #### Added
@@ -25,7 +40,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
  - Removed the configuration header `src/libsecp256k1-config.h`. We recommend passing flags to `./configure` or `cmake` to set configuration options (see `./configure --help` or `cmake -LH`). If you cannot or do not want to use one of the supported build systems, pass configuration flags such as `-DSECP256K1_ENABLE_MODULE_SCHNORRSIG` manually to the compiler (see the file `configure.ac` for supported flags).
 
 #### ABI Compatibility
-
 Due to changes in the API regarding `secp256k1_context_static` described above, the ABI is *not* compatible with previous versions.
 
 ## [0.2.0] - 2022-12-12
@@ -45,7 +59,6 @@ Due to changes in the API regarding `secp256k1_context_static` described above,
  - Module `schnorrsig`: renamed `secp256k1_schnorrsig_sign` to `secp256k1_schnorrsig_sign32`.
 
 #### ABI Compatibility
-
 Since this is the first release, we do not compare application binary interfaces.
 However, there are earlier unreleased versions of libsecp256k1 that are *not* ABI compatible with this version.
 
@@ -55,7 +68,8 @@ This version was in fact never released.
 The number was given by the build system since the introduction of autotools in Jan 2014 (ea0fe5a5bf0c04f9cc955b2966b614f5f378c6f6).
 Therefore, this version number does not uniquely identify a set of source files.
 
-[unreleased]: https://github.com/bitcoin-core/secp256k1/compare/v0.3.0...HEAD
+[unreleased]: https://github.com/bitcoin-core/secp256k1/compare/v0.3.1...HEAD
+[0.3.1]: https://github.com/bitcoin-core/secp256k1/compare/v0.3.0...v0.3.1
 [0.3.0]: https://github.com/bitcoin-core/secp256k1/compare/v0.2.0...v0.3.0
 [0.2.0]: https://github.com/bitcoin-core/secp256k1/compare/423b6d19d373f1224fd671a982584d7e7900bc93..v0.2.0
 [0.1.0]: https://github.com/bitcoin-core/secp256k1/commit/423b6d19d373f1224fd671a982584d7e7900bc93

src/secp256k1/CMakeLists.txt

@@ -1,4 +1,4 @@
-cmake_minimum_required(VERSION 3.1)
+cmake_minimum_required(VERSION 3.13)
 
 if(CMAKE_VERSION VERSION_GREATER 3.14)
   # MSVC runtime library flags are selected by the CMAKE_MSVC_RUNTIME_LIBRARY abstraction.
@@ -10,15 +10,15 @@ endif()
 # The package (a.k.a. release) version is based on semantic versioning 2.0.0 of
 # the API. All changes in experimental modules are treated as
 # backwards-compatible and therefore at most increase the minor version.
-project(libsecp256k1 VERSION 0.3.0 LANGUAGES C)
+project(libsecp256k1 VERSION 0.3.2 LANGUAGES C)
 
 # The library version is based on libtool versioning of the ABI. The set of
 # rules for updating the version can be found here:
 # https://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html
 # All changes in experimental modules are treated as if they don't affect the
 # interface and therefore only increase the revision.
 set(${PROJECT_NAME}_LIB_VERSION_CURRENT 2)
-set(${PROJECT_NAME}_LIB_VERSION_REVISION 0)
+set(${PROJECT_NAME}_LIB_VERSION_REVISION 2)
 set(${PROJECT_NAME}_LIB_VERSION_AGE 0)
 
 set(CMAKE_C_STANDARD 90)
@@ -147,7 +147,7 @@ else()
 endif()
 
 # Define custom "Coverage" build type.
-set(CMAKE_C_FLAGS_COVERAGE "${CMAKE_C_FLAGS_RELWITHDEBINFO} -O0 -DCOVERAGE=1 --coverage -Wno-unused-parameter" CACHE STRING
+set(CMAKE_C_FLAGS_COVERAGE "${CMAKE_C_FLAGS_RELWITHDEBINFO} -O0 -DCOVERAGE=1 --coverage" CACHE STRING
   "Flags used by the C compiler during \"Coverage\" builds."
   FORCE
 )
@@ -203,11 +203,6 @@ else()
   try_add_compile_option(-Wundef)
 endif()
 
-if(CMAKE_VERSION VERSION_GREATER 3.2)
-  # Honor visibility properties for all target types.
-  # See: https://cmake.org/cmake/help/latest/policy/CMP0063.html
-  cmake_policy(SET CMP0063 NEW)
-endif()
 set(CMAKE_C_VISIBILITY_PRESET hidden)
 
 # Ask CTest to create a "check" target (e.g., make check) as alias for the "test" target.

src/secp256k1/ci/cirrus.sh

@@ -109,8 +109,8 @@ fi
 # Rebuild precomputed files (if not cross-compiling).
 if [ -z "$HOST" ]
 then
-    make clean-precomp
-    make precomp
+    make clean-precomp clean-testvectors
+    make precomp testvectors
 fi
 
 # Check that no repo files have been modified by the build.