
Commit 901336e

Squashed 'src/secp256k1/' changes from 4258c54..705ce7e

705ce7e Merge bitcoin-core/secp256k1#1129: ElligatorSwift + integrated x-only DH
0702ecb Merge bitcoin-core/secp256k1#1338: Drop no longer needed `#include "../include/secp256k1.h"`
90e360a Add doc/ellswift.md with ElligatorSwift explanation
4f09184 Add ellswift testing to CI
1bcea8c Add benchmarks for ellswift module
2d1d41a Add ctime tests for ellswift module
df633cd Add _prefix and _bip324 ellswift_xdh hash functions
9695deb Add tests for ellswift module
c47917b Add ellswift module implementing ElligatorSwift
79e5b2a Add functions to test if X coordinate is valid
a597a5a Add benchmark for key generation
30574f2 Merge bitcoin-core/secp256k1#1349: Normalize ge produced from secp256k1_pubkey_load
45c5ca7 Merge bitcoin-core/secp256k1#1350: scalar: introduce and use `secp256k1_{read,write}_be64` helpers
f165252 Normalize ge produced from secp256k1_pubkey_load
7067ee5 tests: add tests for `secp256k1_{read,write}_be64`
740528c scalar: use newly introduced `secp256k1_{read,write}_be64` helpers (4x64 impl.)
67214f5 Merge bitcoin-core/secp256k1#1339: scalar: refactor: use `secp256k1_{read,write}_be32` helpers
cb1a592 Merge bitcoin-core/secp256k1#1341: docs: correct `pubkey` param descriptions for `secp256k1_keypair_{xonly_,}pub`
f364428 docs: correct `pubkey` param descriptions for `secp256k1_keypair_{xonly_,}pub`
887183e scalar: use `secp256k1_{read,write}_be32` helpers (4x64 impl.)
52b8423 scalar: use `secp256k1_{read,write}_be32` helpers (8x32 impl.)
e449af6 Drop no longer needed `#include "../include/secp256k1.h"`
60556c9 Merge bitcoin-core/secp256k1#1337: ci: Fix error D8037 in `cl.exe` (attempt 2)
db29bf2 ci: Remove quirk that runs dummy command after wineserver
c7db494 ci: Fix error D8037 in `cl.exe`
7dae115 Revert "ci: Move wine prefix to /tmp to avoid error D8037 in cl.exe"
bf29f8d Merge bitcoin-core/secp256k1#1334: fix input range comment for `secp256k1_fe_add_int`
605e07e fix input range comment for `secp256k1_fe_add_int`
debf3e5 Merge bitcoin-core/secp256k1#1330: refactor: take use of `secp256k1_scalar_{zero,one}` constants
d75dc59 Merge bitcoin-core/secp256k1#1333: test: Warn if both `VERIFY` and `COVERAGE` are defined
ade5b36 tests: add checks for scalar constants `secp256k1_scalar_{zero,one}`
e83801f test: Warn if both `VERIFY` and `COVERAGE` are defined
654246c refactor: take use of `secp256k1_scalar_{zero,one}` constants
908e02d Merge bitcoin-core/secp256k1#1328: build: Bump MSVC warning level up to W3
1549db0 build: Level up MSVC warnings
20a5da5 Merge bitcoin-core/secp256k1#1310: Refine release process
ad84603 release process: clarify change log updates
6348bc7 release process: fix process for maintenance release
79fa50b release process: mention targeted release schedule
1652067 release process: add sanity checks
09df0bf Merge bitcoin-core/secp256k1#1327: ci: Move wine prefix to /tmp to avoid error D8037 in cl.exe
27504d5 ci: Move wine prefix to /tmp to avoid error D8037 in cl.exe
d373a72 Merge bitcoin-core/secp256k1#1316: Do not invoke fe_is_zero on failed set_b32_limit
6433175 Do not invoke fe_is_zero on failed set_b32_limit
5f7903c Merge bitcoin-core/secp256k1#1318: build: Enable -DVERIFY for precomputation binaries
e9e4526 Merge bitcoin-core/secp256k1#1317: Make fe_cmov take max of magnitudes
5768b50 build: Enable -DVERIFY for precomputation binaries
31b4bbe Make fe_cmov take max of magnitudes
83186db Merge bitcoin-core/secp256k1#1314: release cleanup: bump version after 0.3.2
95448ef release cleanup: bump version after 0.3.2
acf5c55 Merge bitcoin-core/secp256k1#1312: release: Prepare for 0.3.2
d490ca2 release: Prepare for 0.3.2
3e3d125 Merge bitcoin-core/secp256k1#1309: changelog: Catch up
e8295d0 Merge bitcoin-core/secp256k1#1311: Revert "Remove unused scratch space from API"
697e1cc changelog: Catch up
3ad1027 Revert "Remove unused scratch space from API"
76b43f3 changelog: Add entry for bitcoin#1303
7d4f86d Merge bitcoin-core/secp256k1#1307: Mark more assembly outputs as early clobber
b54a067 Merge bitcoin-core/secp256k1#1304: build: Rename arm to arm32 and check if it's really supported
c6bb29b build: Rename `64bit` to `x86_64`
8c9ae37 Add release note
0324645 autotools: Add `SECP_ARM32_ASM_CHECK` macro
ed4ba23 cmake: Add `check_arm32_assembly` function
350b4bd Mark stack variables as early clobber for technical correctness
0c729ba Bugfix: mark outputs as early clobber in scalar x86_64 asm
3353d3c Merge bitcoin-core/secp256k1#1207: Split fe_set_b32 into reducing and normalizing variants
5b32602 Split fe_set_b32 into reducing and normalizing variants
006ddc1 Merge bitcoin-core/secp256k1#1306: build: Make tests work with external default callbacks
1907f0f build: Make tests work with external default callbacks
fb3a806 Merge bitcoin-core/secp256k1#1133: schnorrsig: Add test vectors for variable-length messages
cd54ac7 schnorrsig: Improve docs of schnorrsig_sign_custom
28687b0 schnorrsig: Add BIP340 varlen test vectors
97a98be schnorrsig: Refactor test vector code to allow varlen messages
ab5a917 Merge bitcoin-core/secp256k1#1303: ct: Use more volatile
9eb6934 Merge bitcoin-core/secp256k1#1305: Remove unused scratch space from API
073d98a Merge bitcoin-core/secp256k1#1292: refactor: Make 64-bit shift explicit
17fa217 ct: Be cautious and use volatile trick in more "conditional" paths
5fb336f ct: Use volatile trick in scalar_cond_negate
712e7f8 Remove unused scratch space from API
54d34b6 Merge bitcoin-core/secp256k1#1300: Avoid normalize conditional on VERIFY
c63ec88 Merge bitcoin-core/secp256k1#1066: Abstract out and merge all the magnitude/normalized logic
7fc642f Simplify secp256k1_fe_{impl_,}verify
4e176ad Abstract out verify logic for fe_is_square_var
4371f98 Abstract out verify logic for fe_add_int
89e324c Abstract out verify logic for fe_half
283cd80 Abstract out verify logic for fe_get_bounds
d5aa2f0 Abstract out verify logic for fe_inv{,_var}
3167646 Abstract out verify logic for fe_from_storage
76d31e5 Abstract out verify logic for fe_to_storage
1e6894b Abstract out verify logic for fe_cmov
be82bd8 Improve comments/checks for fe_sqrt
6ab3508 Abstract out verify logic for fe_sqr
4c25f6e Abstract out verify logic for fe_mul
e179e65 Abstract out verify logic for fe_add
7e7ad7f Abstract out verify logic for fe_mul_int
65d82a3 Abstract out verify logic for fe_negate
1446708 Abstract out verify logic for fe_get_b32
f7a7666 Abstract out verify logic for fe_set_b32
ce4d209 Abstract out verify logic for fe_cmp_var
7d7d43c Improve comments/check for fe_equal{,_var}
c5e788d Abstract out verify logic for fe_is_odd
d3f3fe8 Abstract out verify logic for fe_is_zero
c701d9a Abstract out verify logic for fe_clear
19a2bfe Abstract out verify logic for fe_set_int
864f9db Abstract out verify logic for fe_normalizes_to_zero{,_var}
6c31371 Abstract out verify logic for fe_normalize_var
e28b51f Abstract out verify logic for fe_normalize_weak
b6b6f9c Abstract out verify logic for fe_normalize
7fa5195 Bugfix: correct SECP256K1_FE_CONST mag/norm fields
e5cf4bf build: Rename `arm` to `arm32`
b29566c Merge magnitude/normalized fields, move/improve comments
97c63b9 Avoid normalize conditional on VERIFY
341cc19 Merge bitcoin-core/secp256k1#1299: Infinity handling: ecmult_const(infinity) works, and group verification
bbc8344 Avoid secp256k1_ge_set_gej_zinv with uninitialized z
0a2e0b2 Make secp256k1_{fe,ge,gej}_verify work as no-op if non-VERIFY
f202667 Add invariant checking to group elements
a18821d Always initialize output coordinates in secp256k1_ge_set_gej
3086cb9 Expose secp256k1_fe_verify to other modules
a0e696f Make secp256k1_ecmult_const handle infinity
24c768a Merge bitcoin-core/secp256k1#1301: Avoid using bench_verify_data as bench_sign_data; merge them
2e65f1f Avoid using bench_verify_data as bench_sign_data; merge them
1cf15eb Merge bitcoin-core/secp256k1#1296: docs: complete interface description for `secp256k1_schnorrsig_sign_custom`
149c41c docs: complete interface description for `secp256k1_schnorrsig_sign_custom`
f30c748 Merge bitcoin-core/secp256k1#1270: cmake: Fix library ABI versioning
d1e48e5 refactor: Make 64-bit shift explicit
b2e29e4 ci: Treat all compiler warnings as errors in "Windows (VS 2022)" task
3c81838 Merge bitcoin-core/secp256k1#1289: cmake: Use full signature of `add_test()` command
755629b cmake: Use full signature of `add_test()` command
bef448f cmake: Fix library ABI versioning
4b0f711 Merge bitcoin-core/secp256k1#1277: autotools: Clean up after adding Wycheproof
222ecaf Merge bitcoin-core/secp256k1#1284: cmake: Some improvements using `PROJECT_IS_TOP_LEVEL` variable
71f746c cmake: Include `include` directory for subtree builds
024a409 Merge bitcoin-core/secp256k1#1240: cmake: Improve and document compiler flag checks
a8d059f cmake, doc: Document compiler flags
6ece150 cmake, refactor: Rename `try_add_compile_option` to `try_append_cflags`
19516ed cmake: Use `add_compile_options()` in `try_add_compile_option()`
4b84f4b Merge bitcoin-core/secp256k1#1239: cmake: Bugfix and other improvements after bumping CMake up to 3.13
596b336 Merge bitcoin-core/secp256k1#1234: cmake: Add dev-mode
6b7e5b7 Merge bitcoin-core/secp256k1#1275: build: Fix C4005 "macro redefinition" MSVC warnings in examples
1c89536 Merge bitcoin-core/secp256k1#1286: tests: remove extra semicolon in macro
c4062d6 debug: move helper for printing buffers into util.h
7e977b3 autotools: Take VPATH builds into account when generating testvectors
2418d32 autotools: Create src/wycheproof dir before creating file in it
8764034 autotools: Make all "pregenerated" targets .PHONY
e1b9ce8 autotools: Use same conventions for all pregenerated files
3858bad tests: remove extra semicolon in macro
1f33bb2 Merge bitcoin-core/secp256k1#1205: field: Improve docs +tests of secp256k1_fe_set_b32
162da73 tests: Add debug helper for printing buffers
e9fd3df field: Improve docs and tests of secp256k1_fe_set_b32
f6bef03 Merge bitcoin-core/secp256k1#1283: Get rid of secp256k1_fe_const_b
5431b9d cmake: Make `SECP256K1_INSTALL` default depend on `PROJECT_IS_TOP_LEVEL`
5ec1333 Merge bitcoin-core/secp256k1#1285: bench: Make sys/time.h a system include
68b16a1 bench: Make sys/time.h a system include
162608c cmake: Emulate `PROJECT_IS_TOP_LEVEL` for CMake<3.21
69e1ec0 Get rid of secp256k1_fe_const_b
ce5ba9e gitignore: Add CMakeUserPresets.json
0a446a3 cmake: Add dev-mode CMake preset
a6f4bcf Merge bitcoin-core/secp256k1#1231: Move `SECP256K1_INLINE` macro definition out from `include/secp256k1.h`
a273d74 cmake: Improve version comparison
6a58b48 cmake: Use `if(... IN_LIST ...)` command
2445808 cmake: Use dedicated `GENERATOR_IS_MULTI_CONFIG` property
9f8703e cmake: Use dedicated `CMAKE_HOST_APPLE` variable
8c20170 cmake: Use recommended `add_compile_definitions` command
04d4cc0 cmake: Add `DESCRIPTION` and `HOMEPAGE_URL` options to `project` command
8a8b653 cmake: Use `SameMinorVersion` compatibility mode
5b0444a Merge bitcoin-core/secp256k1#1263: cmake: Make installation optional
47ac3d6 cmake: Make installation optional
2e035af Merge bitcoin-core/secp256k1#1273: build: Make `SECP_VALGRIND_CHECK` preserve `CPPFLAGS`
5be353d Merge bitcoin-core/secp256k1#1279: tests: lint wycheproof's python script
08f4b16 autotools: Move code around to tidy Makefile
04bf3f6 Merge bitcoin-core/secp256k1#1230: Build: allow static or shared but not both
9ce9984 Merge bitcoin-core/secp256k1#1265: Remove bits argument from secp256k1_wnaf_const{_xonly}
566faa1 Merge bitcoin-core/secp256k1#1267: doc: clarify process for patch releases
ef49a11 build: allow static or shared but not both
35ada3b tests: lint wycheproof's python script
529b54d autotools: Move Wycheproof header from EXTRA_DIST to noinst_HEADERS
dc0657c build: Fix C4005 "macro redefinition" MSVC warnings in examples
1ecb94e build: Make `SECP_VALGRIND_CHECK` preserve `CPPFLAGS`
1b6fb55 doc: clarify process for patch releases
a575339 Remove bits argument from secp256k1_wnaf_const (always 256)
36b0adf build: remove warning until it's reproducible
8e142ca Move `SECP256K1_INLINE` macro definition out from `include/secp256k1.h`
7744589 Remove `SECP256K1_INLINE` usage from examples
ca92a35 field: Simplify code in secp256k1_fe_set_b32
d93f62e field: Verify field element even after secp256k1_fe_set_b32 fails

git-subtree-dir: src/secp256k1
git-subtree-split: 705ce7e
1 parent: c981671


77 files changed, +3892 -1175 lines changed

.cirrus.yml

+15-7
@@ -21,6 +21,7 @@ env:
2121
ECDH: no
2222
RECOVERY: no
2323
SCHNORRSIG: no
24+
ELLSWIFT: no
2425
### test options
2526
SECP256K1_TEST_ITERS:
2627
BENCH: yes
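Review bot: the new `ELLSWIFT: no` default is declared in the `env:` block but nothing in this hunk shows where it is consumed; confirm that ci/cirrus.sh (not part of this diff) reads `$ELLSWIFT` and forwards it to the configure/CMake module switch, otherwise the `ELLSWIFT: yes` rows added elsewhere in this file would change nothing and the CI coverage for the new module would be illusory.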
@@ -74,12 +75,12 @@ task:
7475
<< : *LINUX_CONTAINER
7576
matrix: &ENV_MATRIX
7677
- env: {WIDEMUL: int64, RECOVERY: yes}
77-
- env: {WIDEMUL: int64, ECDH: yes, SCHNORRSIG: yes}
78+
- env: {WIDEMUL: int64, ECDH: yes, SCHNORRSIG: yes, ELLSWIFT: yes}
7879
- env: {WIDEMUL: int128}
79-
- env: {WIDEMUL: int128_struct}
80-
- env: {WIDEMUL: int128, RECOVERY: yes, SCHNORRSIG: yes}
80+
- env: {WIDEMUL: int128_struct, ELLSWIFT: yes}
81+
- env: {WIDEMUL: int128, RECOVERY: yes, SCHNORRSIG: yes, ELLSWIFT: yes}
8182
- env: {WIDEMUL: int128, ECDH: yes, SCHNORRSIG: yes}
82-
- env: {WIDEMUL: int128, ASM: x86_64}
83+
- env: {WIDEMUL: int128, ASM: x86_64 , ELLSWIFT: yes}
8384
- env: { RECOVERY: yes, SCHNORRSIG: yes}
8485
- env: {CTIMETESTS: no, RECOVERY: yes, ECDH: yes, SCHNORRSIG: yes, CPPFLAGS: -DVERIFY}
8586
- env: {BUILD: distcheck, WITH_VALGRIND: no, CTIMETESTS: no, BENCH: no}
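Review bot: stray space before the comma in `- env: {WIDEMUL: int128, ASM: x86_64 , ELLSWIFT: yes}`; YAML accepts it, but it is inconsistent with the other rows. More substantively, the `- env: {CTIMETESTS: no, RECOVERY: yes, ECDH: yes, SCHNORRSIG: yes, CPPFLAGS: -DVERIFY}` row and the `- env: { RECOVERY: yes, SCHNORRSIG: yes}` row are left without `ELLSWIFT: yes`, so the new module never runs under `-DVERIFY` in this matrix; adding it to the `-DVERIFY` row would exercise the module's internal invariant checks in CI.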
@@ -154,6 +155,7 @@ task:
154155
ECDH: yes
155156
RECOVERY: yes
156157
SCHNORRSIG: yes
158+
ELLSWIFT: yes
157159
CTIMETESTS: no
158160
<< : *MERGE_BASE
159161
test_script:
@@ -173,10 +175,11 @@ task:
173175
ECDH: yes
174176
RECOVERY: yes
175177
SCHNORRSIG: yes
178+
ELLSWIFT: yes
176179
CTIMETESTS: no
177180
matrix:
178181
- env: {}
179-
- env: {EXPERIMENTAL: yes, ASM: arm}
182+
- env: {EXPERIMENTAL: yes, ASM: arm32}
180183
<< : *MERGE_BASE
181184
test_script:
182185
- ./ci/cirrus.sh
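Review bot: the `ASM: arm` to `ASM: arm32` rename only works together with the matching build-system change (`build: Rename `arm` to `arm32`` in the squashed history, and documented in the CHANGELOG hunk of this commit); if a future subtree update ever separated the two, this `EXPERIMENTAL: yes` job would be the only place the mismatch surfaces, so keep the CI value and the accepted `--with-asm` values in lockstep.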
@@ -193,6 +196,7 @@ task:
193196
ECDH: yes
194197
RECOVERY: yes
195198
SCHNORRSIG: yes
199+
ELLSWIFT: yes
196200
CTIMETESTS: no
197201
<< : *MERGE_BASE
198202
test_script:
@@ -210,6 +214,7 @@ task:
210214
ECDH: yes
211215
RECOVERY: yes
212216
SCHNORRSIG: yes
217+
ELLSWIFT: yes
213218
CTIMETESTS: no
214219
<< : *MERGE_BASE
215220
test_script:
@@ -247,6 +252,7 @@ task:
247252
RECOVERY: yes
248253
EXPERIMENTAL: yes
249254
SCHNORRSIG: yes
255+
ELLSWIFT: yes
250256
CTIMETESTS: no
251257
# Use a MinGW-w64 host to tell ./configure we're building for Windows.
252258
# This will detect some MinGW-w64 tools but then make will need only
@@ -286,6 +292,7 @@ task:
286292
ECDH: yes
287293
RECOVERY: yes
288294
SCHNORRSIG: yes
295+
ELLSWIFT: yes
289296
CTIMETESTS: no
290297
matrix:
291298
- name: "Valgrind (memcheck)"
@@ -361,6 +368,7 @@ task:
361368
ECDH: yes
362369
RECOVERY: yes
363370
SCHNORRSIG: yes
371+
ELLSWIFT: yes
364372
<< : *MERGE_BASE
365373
test_script:
366374
- ./ci/cirrus.sh
@@ -397,13 +405,13 @@ task:
397405
- PowerShell -NoLogo -Command if ($env:CIRRUS_PR -ne $null) { git fetch $env:CIRRUS_REPO_CLONE_URL pull/$env:CIRRUS_PR/merge; git reset --hard FETCH_HEAD; }
398406
configure_script:
399407
- '%x64_NATIVE_TOOLS%'
400-
- cmake -G "Visual Studio 17 2022" -A x64 -S . -B build -DSECP256K1_ENABLE_MODULE_RECOVERY=ON -DSECP256K1_BUILD_EXAMPLES=ON
408+
- cmake -E env CFLAGS="/WX" cmake -G "Visual Studio 17 2022" -A x64 -S . -B build -DSECP256K1_ENABLE_MODULE_RECOVERY=ON -DSECP256K1_BUILD_EXAMPLES=ON
401409
build_script:
402410
- '%x64_NATIVE_TOOLS%'
403411
- cmake --build build --config RelWithDebInfo -- -property:UseMultiToolTask=true;CL_MPcount=5
404412
check_script:
405413
- '%x64_NATIVE_TOOLS%'
406-
- ctest --test-dir build -j 5
414+
- ctest -C RelWithDebInfo --test-dir build -j 5
407415
- build\src\RelWithDebInfo\bench_ecmult.exe
408416
- build\src\RelWithDebInfo\bench_internal.exe
409417
- build\src\RelWithDebInfo\bench.exe
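Review bot: `ctest -C RelWithDebInfo --test-dir build -j 5` is the right fix for the multi-config Visual Studio generator; without `-C`, ctest finds no tests for any configuration and still exits 0, so the previous `ctest --test-dir build -j 5` line would have reported success while running nothing. The `cmake -E env CFLAGS="/WX" cmake ...` form sets the flag at configure time only, which is sufficient here because CMake captures `CFLAGS` into `CMAKE_C_FLAGS` and applies it to the later `cmake --build` step; that is what turns the W3 warnings from `build: Level up MSVC warnings` into build failures.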

.gitignore

+2
@@ -59,5 +59,7 @@ build-aux/compile
5959
build-aux/test-driver
6060
libsecp256k1.pc
6161

62+
### CMake
63+
/CMakeUserPresets.json
6264
# Default CMake build directory.
6365
/build

CHANGELOG.md

+21-1
@@ -7,6 +7,25 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
77

88
## [Unreleased]
99

10+
## [0.3.2] - 2023-05-13
11+
We strongly recommend updating to 0.3.2 if you use or plan to use GCC >=13 to compile libsecp256k1. When in doubt, check the GCC version using `gcc -v`.
12+
13+
#### Security
14+
- Module `ecdh`: Fix "constant-timeness" issue with GCC 13.1 (and potentially future versions of GCC) that could leave applications using libsecp256k1's ECDH module vulnerable to a timing side-channel attack. The fix avoids secret-dependent control flow during ECDH computations when libsecp256k1 is compiled with GCC 13.1.
15+
16+
#### Fixed
17+
- Fixed an old bug that permitted compilers to potentially output bad assembly code on x86_64. In theory, it could lead to a crash or a read of unrelated memory, but this has never been observed on any compilers so far.
18+
19+
#### Changed
20+
- Various improvements and changes to CMake builds. CMake builds remain experimental.
21+
- Made API versioning consistent with GNU Autotools builds.
22+
- Switched to `BUILD_SHARED_LIBS` variable for controlling whether to build a static or a shared library.
23+
- Added `SECP256K1_INSTALL` variable for the controlling whether to install the build artefacts.
24+
- Renamed asm build option `arm` to `arm32`. Use `--with-asm=arm32` instead of `--with-asm=arm` (GNU Autotools), and `-DSECP256K1_ASM=arm32` instead of `-DSECP256K1_ASM=arm` (CMake).
25+
26+
#### ABI Compatibility
27+
The ABI is compatible with versions 0.3.0 and 0.3.1.
28+
1029
## [0.3.1] - 2023-04-10
1130
We strongly recommend updating to 0.3.1 if you use or plan to use Clang >=14 to compile libsecp256k1, e.g., Xcode >=14 on macOS has Clang >=14. When in doubt, check the Clang version using `clang -v`.
1231

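Review bot: typo in the `SECP256K1_INSTALL` entry: "for the controlling whether" should read "for controlling whether". Also, the `## [Unreleased]` section stays empty although this squash brings in the new `ellswift` module (merge of bitcoin-core/secp256k1#1129: ElligatorSwift + integrated x-only DH); the release-process commits in the same history ask for change log updates to accompany such changes, so an Unreleased entry announcing the module is missing.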
@@ -68,7 +87,8 @@ This version was in fact never released.
6887
The number was given by the build system since the introduction of autotools in Jan 2014 (ea0fe5a5bf0c04f9cc955b2966b614f5f378c6f6).
6988
Therefore, this version number does not uniquely identify a set of source files.
7089

71-
[unreleased]: https://github.com/bitcoin-core/secp256k1/compare/v0.3.1...HEAD
90+
[unreleased]: https://github.com/bitcoin-core/secp256k1/compare/v0.3.2...HEAD
91+
[0.3.2]: https://github.com/bitcoin-core/secp256k1/compare/v0.3.1...v0.3.2
7292
[0.3.1]: https://github.com/bitcoin-core/secp256k1/compare/v0.3.0...v0.3.1
7393
[0.3.0]: https://github.com/bitcoin-core/secp256k1/compare/v0.2.0...v0.3.0
7494
[0.2.0]: https://github.com/bitcoin-core/secp256k1/compare/423b6d19d373f1224fd671a982584d7e7900bc93..v0.2.0
