Upstream PRs 1228, 1236, 1243, 1238, 1246, 1247, 1242, 1250, 1244, 1241, 1257, 1226, 1252, 1118, 1245, 1266, 1269 #253

Closed
wants to merge 274 commits into from
This pull request is big! We’re only showing the most recent 250 commits.

Commits on Jun 30, 2022

  1. Merge bitcoin-core/secp256k1#1115: Fix sepc256k1 -> secp256k1 typo in…

    … group.h
    
    069aba8 Fix sepc256k1 -> secp256k1 typo in group.h (henopied)
    
    Pull request description:
    
    ACKs for top commit:
      real-or-random:
        ACK 069aba8
    
    Tree-SHA512: 0fcb7d042f201737870da99f5425c8449e9ec3f5f8e9bbe5eb719e46cdf230db057509fb9102d4ce50a94d616015233c29249665c754e726899174fea3ea9f40
    real-or-random committed Jun 30, 2022
    Commit 43756da

Commits on Jul 1, 2022

  1. build: Fix #include "..." paths to get rid of further -I arguments

    This simplifies building without a build system.
    
    This is in line with #925; the paths fixed here were either forgotten
    there or only introduced later. This commit also makes the Makefile
    stricter so that further "wrong" #include paths will lead to build
    errors even in autotools builds.
    
    This belongs to #929.
    
    Co-authored-by: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com>
    real-or-random and hebasto committed Jul 1, 2022
    Commit 40a3473
  2. Merge bitcoin-core/secp256k1#1116: build: Fix #include "..." paths to…

    … get rid of further -I arguments
    
    40a3473 build: Fix #include "..." paths to get rid of further -I arguments (Tim Ruffing)
    
    Pull request description:
    
      This simplifies building without a build system.
    
      This is in line with #925; the paths fixed here were either forgotten
      there or only introduced later. This commit also makes the Makefile
      stricter so that further "wrong" #include paths will lead to build
      errors even in autotools builds.
    
      This belongs to #929.
    
    ACKs for top commit:
      hebasto:
        ACK 40a3473
    
    Tree-SHA512: 6f4d825ea3cf86b13f294e2ec19fafc29660fa99450e6b579157d7a6e9bdb3404d761edf89c1135fa89b984d6431a527beeb97031dc90f2fae9761528f4d06d1
    real-or-random committed Jul 1, 2022
    Commit af65d30

Commits on Jul 5, 2022

  1. ecmult_gen: Skip RNG when creating blinding if no seed is available

    Running the RNG is pointless if no seed is available because the key
    will be fixed. The computation just wastes time.
    
    Previously, users could avoid this computation at least by asking for
    a context without signing capabilities. But since 3b0c218 we always
    build an ecmult_gen context, ignoring the context flags. Moreover,
    users could never avoid this pointless computation when asking for
    the creation of a signing context.
    real-or-random committed Jul 5, 2022
    Commit 4cc0b1b
  2. Commit 7a86955
  3. ecmult_gen: Improve comments about projective blinding

    Whenever I read this code, I first think that rescaling ctx->initial is
    a dead store because we overwrite it later with gb. But that's wrong.
    The rescaling blinds the computation of gb and affects its result.
    real-or-random committed Jul 5, 2022
    Commit 55f8bc9

Commits on Jul 6, 2022

  1. config: Set preprocessor defaults for ECMULT_* config values

    This simplifies manual builds and solves one item in #929.
    real-or-random committed Jul 6, 2022
    Commit d0cf55e

Commits on Jul 7, 2022

  1. Merge bitcoin-core/secp256k1#1120: ecmult_gen: Skip RNG when creating…

    … blinding if no seed is available
    
    55f8bc9 ecmult_gen: Improve comments about projective blinding (Tim Ruffing)
    7a86955 ecmult_gen: Simplify code (no observable change) (Tim Ruffing)
    4cc0b1b ecmult_gen: Skip RNG when creating blinding if no seed is available (Tim Ruffing)
    
    Pull request description:
    
      Running the RNG is pointless if no seed is available because the key
      will be fixed. The computation just wastes time.
    
      Previously, users could avoid this computation at least by asking for
      a context without signing capabilities. But since 3b0c218 we always
      build an ecmult_gen context, ignoring the context flags. Moreover,
      users could never avoid this pointless computation when asking for
      the creation of a signing context.
    
      This fixes one item in #1065.
    
    ACKs for top commit:
      sipa:
        ACK 55f8bc9
      apoelstra:
        ACK 55f8bc9
    
    Tree-SHA512: 5ccba56041f94fa8f40a8a56ce505369ff2e0ed20cd7f0bfc3fdfffa5fa7bf826a93602b9b2455a352865a9548ab4928e858c19bb5af7ec221594a3bf25c4f3d
    real-or-random committed Jul 7, 2022
    Commit 63a3565
  2. Commit da6514a
  3. config: Remove basic-config.h

    It's unused and thus potentially confusing.
    real-or-random committed Jul 7, 2022
    Commit c27ae45

Commits on Jul 8, 2022

  1. Commit 17065f4

Commits on Jul 11, 2022

  1. Merge bitcoin-core/secp256k1#1122: tests: Randomize the context with …

    …probability 15/16 instead of 1/4
    
    17065f4 tests: Randomize the context with probability 15/16 instead of 1/4 (Tim Ruffing)
    
    Pull request description:
    
    ACKs for top commit:
      sipa:
        ACK 17065f4
      jonasnick:
        ACK 17065f4
    
    Tree-SHA512: 3b7005770007b922a294be610f23da60b0dde74dfd7585d64a2cb04eaa6ec879de8d21a0ade31c1857019a8dd97260fa3aa167ae16fc55027ef280a3e3feaa6d
    jonasnick committed Jul 11, 2022
    Commit 6a873cc
  2. Merge bitcoin-core/secp256k1#1121: config: Set preprocessor defaults …

    …for ECMULT_* config values
    
    c27ae45 config: Remove basic-config.h (Tim Ruffing)
    da6514a config: Introduce DEBUG_CONFIG macro for debug output of config (Tim Ruffing)
    d0cf55e config: Set preprocessor defaults for ECMULT_* config values (Tim Ruffing)
    
    Pull request description:
    
    ACKs for top commit:
      sipa:
        ACK c27ae45
      hebasto:
        ACK c27ae45, I have reviewed the code and it looks correct.
      jonasnick:
        ACK c27ae45
    
    Tree-SHA512: 56b0f384bd9f42cf7c903bec08f4807db1415ddf9a06676dfe1e638e4d02431c522ef0422585e85429074e0dbb51da4f400cf53e8f883d6e07122731c57be1e3
    jonasnick committed Jul 11, 2022
    Commit 3efeb9d

Commits on Jul 21, 2022

  1. configure: Remove pkgconfig macros again (reintroduced by mismerge)

    We had removed `PKG_PROG_PKG_CONFIG` in 21b2eba
    (#1090). But then the not rebased (!) merge of 2be6ba0
    (#1084) brought that macro back at another location, without git
    complaining about a conflict.
    
    Fixes #1127.
    real-or-random committed Jul 21, 2022
    Commit cabe085
  2. Merge bitcoin-core/secp256k1#1128: configure: Remove pkgconfig macros…

    … again (reintroduced by mismerge)
    
    cabe085 configure: Remove pkgconfig macros again (reintroduced by mismerge) (Tim Ruffing)
    
    Pull request description:
    
      We had removed `PKG_PROG_PKG_CONFIG` in 21b2eba
      (#1090). But then the not rebased (!) merge of 2be6ba0
      (#1084) brought that macro back at another location, without git
      complaining about a conflict.
    
      Fixes #1127.
    
    ACKs for top commit:
      fanquake:
        ACK cabe085
      hebasto:
        ACK cabe085
      jonasnick:
        ACK cabe085
    
    Tree-SHA512: ba497503db3a11e631b15c4fe875e62d892971c2c708d90b2f6be684e85d164043ea97c13af0452831eef41f3cf8230cd8a9eafa332dc5b5ae18e118b87c3828
    real-or-random committed Jul 21, 2022
    Commit 9f8a13d

Commits on Aug 2, 2022

  1. Commit ef48f08
  2. Commit 78f5296
  3. Commit 88b0089
  4. Merge bitcoin-core/secp256k1#1131: readme: Misc improvements

    88b0089 readme: Fix line break (Tim Ruffing)
    78f5296 readme: Sell "no runtime dependencies" (Tim Ruffing)
    ef48f08 readme: Add IRC channel (Tim Ruffing)
    
    Pull request description:
    
    ACKs for top commit:
      apoelstra:
        utACK 88b0089
      sipa:
        ACK 88b0089
    
    Tree-SHA512: 174f1596406f98a19059a18cd4fb993102e5ffb8ec29fcc6d03e27f135fcb526b37204b64055b5e4f0a273daab05d395cf335f26241cf3a29a060041c9ef109b
    real-or-random committed Aug 2, 2022
    Commit 694ce8f

Commits on Aug 3, 2022

  1. build: Enable some modules by default

    We don't enable the ECDSA recovery module, because we don't recommend
    ECDSA recovery for new protocols. In particular, the recovery API is
    prone to misuse: It invites the caller to forget to check the public
    key (and the verification function always returns 1).
    
    In general, we also don't recommend ordinary ECDSA for new protocols.
    But disabling the ECDSA functions is not possible because they're not
    in a module, and let's be honest: disabling ECDSA would mean to ignore
    reality blatantly.
    real-or-random committed Aug 3, 2022
    Commit 41e8704

Commits on Oct 28, 2022

  1. Revert "Add test logs to gitignore"

    This reverts commit bceefd6.
    hebasto committed Oct 28, 2022
    Commit 798727a
  2. Cleanup .gitignore file

    The removed line was introduced for `obj/.gitignore` file. Since the
    `obj` directory has been removed, it is no longer required.
    hebasto committed Oct 28, 2022
    Commit f5039cb

Commits on Nov 1, 2022

  1. Merge bitcoin-core/secp256k1#1144: Cleanup .gitignore file

    f5039cb Cleanup `.gitignore` file (Hennadii Stepanov)
    798727a Revert "Add test logs to gitignore" (Hennadii Stepanov)
    
    Pull request description:
    
    ACKs for top commit:
      jonasnick:
        ACK f5039cb
      real-or-random:
        ACK f5039cb
    
    Tree-SHA512: 3586329e77958a9bfa06dd84e5b121cd456e93332670d5afc1a6691e165cdfa5a6fd6a61f82be12ec33f2a58b26a13adfedeb177ae1056202e53a530949fc549
    jonasnick committed Nov 1, 2022
    Commit a43e982

Commits on Nov 2, 2022

  1. Commit 4e54c03
  2. ci: mostly prevent "-v/--version: not found" irrelevant error

    $CC, $WRAPPER_CMD and valgrind are not necessarily defined
    jonasnick committed Nov 2, 2022
    Commit 49ae843

Commits on Nov 7, 2022

  1. Commit 5c9f1a5
  2. Remove usage of CHECK from non-test file

    Currently CHECK is used only in test and benchmark files except for one
    usage in `ecmult_impl.h`.
    
    We would like to move the definition of CHECK out of `util.h` so that
    `util.h` no longer has a hard dependency on `stdio.h`.
    
    Done in preparation for moving the definition of `CHECK` as part of an
    effort to allow secp256k1 to be compiled to WASM as part of
    `rust-secp256k1`.
    tcharding committed Nov 7, 2022
    Commit 6a965b6
  3. Commit 2914bcc
  4. int128: Tidy #includes of int128.h and int128_impl.h

    After this commit, int128.h and int128_impl.h are included as follows:
     - .c files which use int128 include int128_impl.h (after util.h)
     - .h files which use int128 include int128.h (after util.h)
    
    This list is exhaustive. util.h needs to be included first because it sets
    up necessary #defines.
    real-or-random authored and roconnor-blockstream committed Nov 7, 2022
    Commit dceaa1f
  5. Commit a340d95

Commits on Nov 8, 2022

  1. Merge bitcoin-core/secp256k1#1150: ci: always cat test_env.log

    5c9f1a5 ci: always cat all logs_snippets (Jonas Nick)
    
    Pull request description:
    
    ACKs for top commit:
      real-or-random:
        ACK 5c9f1a5
    
    Tree-SHA512: fc715c5fc4006d80a4b0c2faa8ef81ed23c4479614945ffa7c96665a3acc38fe956dd6d148bcf97043232ceee055b724ea9490e4ac4142a210e4488fed8dd299
    jonasnick committed Nov 8, 2022
    Commit e13fae4
  2. Merge bitcoin-core/secp256k1#1146: ci: prevent "-v/--version: not fou…

    …nd" irrelevant error
    
    49ae843 ci: mostly prevent "-v/--version: not found" irrelevant error (Jonas Nick)
    
    Pull request description:
    
    ACKs for top commit:
      real-or-random:
        ACK 49ae843
    
    Tree-SHA512: 2e048b037826dff372e26103f198e0d490494e7909d17d8632b51f6d9e0629b51bcd0b55b65b2c21d63d522394ccfed481ce126cea165c087df670556bc8ccf6
    jonasnick committed Nov 8, 2022
    Commit c2ee917

Commits on Nov 14, 2022

  1. Merge bitcoin-core/secp256k1#1147: ci: print env to allow reproducing…

    … the job outside of CI
    
    4e54c03 ci: print env to allow reproducing the job outside of CI (Jonas Nick)
    
    Pull request description:
    
      Example output:
    
      ```
      WERROR_CFLAGS="-Werror -pedantic-errors"  MAKEFLAGS="-j4"  BUILD="check"  ECMULTWINDOW="auto"  ECMULTGENPRECISION="auto"  ASM="no"  WIDEMUL="int64"  WITH_VALGRIND="no"  EXTRAFLAGS=""  EXPERIMENTAL="no"  ECDH="no"  RECOVERY="yes"  SCHNORRSIG="no"  SECP256K1_TEST_ITERS=""  BENCH="yes"  SECP256K1_BENCH_ITERS="2"  CTIMETEST="yes"  EXAMPLES="yes"  WRAPPER_CMD=""  CC="gcc"  AR=""  NM=""  HOST=""  ./ci/cirrus.sh
      ```
    
    ACKs for top commit:
      sipa:
        ACK 4e54c03
      real-or-random:
        ACK bitcoin-core/secp256k1@4e54c03
    
    Tree-SHA512: b74a8724e72b3de7884e4d93fe933dc5043aec37020672b7997a8faebda3b0cbbba1bca69c344109729261ab4a94e76f4eca0d8773dc101a443fdf9e0d7d54f5
    real-or-random committed Nov 14, 2022
    Commit 44916ae

Commits on Nov 16, 2022

  1. Add MSan CI job

    sipa committed Nov 16, 2022
    Commit 00a42b9
  2. Merge bitcoin-core/secp256k1#1149: Remove usage of CHECK from non-tes…

    …t file
    
    6a965b6 Remove usage of CHECK from non-test file (Tobin C. Harding)
    
    Pull request description:
    
      Currently CHECK is used only in test and benchmark files except for one usage in `ecmult_impl.h`.
    
      We would like to move the definition of CHECK out of `util.h` so that `util.h` no longer has a hard dependency on `stdio.h`.
    
      Done as part of an effort to allow secp256k1 to be compiled to WASM as part of `rust-secp256k1`.
    
      ### Note to reviewers
    
      Please review carefully, I don't actually know if this patch is correct. Done while working on #1095. I'm happy to make any changes both in concept and execution - I'm super rusty at C programming.
    
      cc real-or-random
    
    ACKs for top commit:
      sipa:
        utACK 6a965b6
      real-or-random:
        utACK 6a965b6
    
    Tree-SHA512: 6bfb456bdb92a831acd3bc202607e80f6d0a194d6b2cf745c8eceb12ba675d03a319d6d105332b0cbca474e443969295e5a8e938635453e21e057d0ee597440b
    real-or-random committed Nov 16, 2022
    Commit 86e3b38
  3. Merge bitcoin-core/secp256k1#1000: Synthetic int128 type.

    a340d95 ci: add int128_struct tests (Jonas Nick)
    dceaa1f int128: Tidy #includes of int128.h and int128_impl.h (Tim Ruffing)
    2914bcc Simulated int128 type. (Russell O'Connor)
    
    Pull request description:
    
      Abstracts the int128 type and provides a native version, if available, or implements it using a pair of int64_t's.
    
      This is activated by setting the configuration flag `--with-test-override-wide-multiply=int128_struct`.
    
      The primary purpose of this PR is to take advantage of MSVC's [umulh](https://docs.microsoft.com/en-us/cpp/intrinsics/umulh?view=msvc-170) intrinsic that we can use to simulate an int128 type which MSVC does not have (AFAIU). This PR lays out the groundwork for this level of MSVC support, but doesn't include the configuration logic to enable it yet.
    
      For completeness, implementations of `umulh` and `mulh` are also provided for compilers that support neither the intrinsic nor the int128 type (such as CompCert?).  This also opens up the possibility of removing the 32-bit field and scalar implementations should that ever be desired.
    
    ACKs for top commit:
      sipa:
        ACK a340d95
      jonasnick:
        ACK a340d95
    
    Tree-SHA512: b4f2853fa3ab60ce9d77b4eaee1fd20c4b612850e19fcb3179d7e36986f420c6c4589ff72f0cf844f989584ace49a1cd23cca3f4e405dabefc8da647a0df679d
    real-or-random committed Nov 16, 2022
    Commit ddf2b29

Commits on Nov 17, 2022

  1. Merge bitcoin-core/secp256k1#1155: Add MSan CI jobs

    00a42b9 Add MSan CI job (Pieter Wuille)
    
    Pull request description:
    
    ACKs for top commit:
      real-or-random:
        utACK 00a42b9
      jonasnick:
        ACK 00a42b9
    
    Tree-SHA512: 0b9ced572430e917041c916d8cda5c94996899a6e0a8c5a13f73f2c99b58b0098f7562cd758b48f18bec8c7095fab37980aa6dc2b139b2d1c293c965ea603686
    jonasnick committed Nov 17, 2022
    Commit 6138d73
  2. Add int128 randomized tests

    sipa committed Nov 17, 2022
    Commit f2b7e88
  3. int128: Add test override for testing __(u)mulh on MSVC X64

    Also add a corresponding CI job
    real-or-random authored and sipa committed Nov 17, 2022
    Commit 63ff064
  4. Commit 9b5f589
  5. Update macOS image for CI

    sipa committed Nov 17, 2022
    Commit c0ae48c
  6. Commit 3afce0a
  7. Commit a8494b0
  8. Commit 99bd335

Commits on Nov 18, 2022

  1. Merge bitcoin-core/secp256k1#1156: Followups to int128_struct arithmetic

    99bd335 Make int128 overflow test use secp256k1_[ui]128_mul (Pieter Wuille)
    3afce0a Avoid signed overflow in MSVC AMR64 secp256k1_mul128 (Pieter Wuille)
    9b5f589 Heuristically decide whether to use int128_struct (Pieter Wuille)
    63ff064 int128: Add test override for testing __(u)mulh on MSVC X64 (Tim Ruffing)
    f2b7e88 Add int128 randomized tests (Pieter Wuille)
    
    Pull request description:
    
      This is a follow-up to #1000:
      * Add randomized unit tests for int128 logic.
      * Add CI for the `_(u)mulh` code path (on non-ARM64 MSVC).
      * Add heuristic logic to enable int128_struct based arithmetic on 64-bit MSVC, or systems with pointers wider than 32 bits.
      * Fix signed overflow in ARM64 MSVC code.
    
    ACKs for top commit:
      roconnor-blockstream:
        utACK 99bd335
      real-or-random:
        ACK 99bd335 tested this also on MSVC locally with the override, including all the benchmark binaries
      jonasnick:
        utACK 99bd335
    
    Tree-SHA512: 5ea897362293b45a86650593e1fdc8c4004a1d9452eed2fa070d22dffc7ed7ca1ec50a4df61e3a33dbe35e08132ad9686286ac44af6742b32b82f11c9d3341c6
    real-or-random committed Nov 18, 2022
    Commit e40fd27

Commits on Nov 21, 2022

  1. Commit 4bc4290
  2. Commit d216475

Commits on Nov 22, 2022

  1. Merge bitcoin-core/secp256k1#993: Enable non-experimental modules by …

    …default
    
    41e8704 build: Enable some modules by default (Tim Ruffing)
    
    Pull request description:
    
      This has been discussed in bitcoin-core/secp256k1#817 (comment) and I agree with the arguments brought up there.
    
      Alternatively, we could not enable them and add a discussion to the readme why we discourage people from using the modules. I believe enabling ECDH is not very controversial. But what about recovery? Do we want to leave it off and instead give a reason?
    
    ACKs for top commit:
      sipa:
        ACK 41e8704
      jonasnick:
        ACK 41e8704
    
    Tree-SHA512: 1dd21037043f2b2c94a92cd2f31e69b505ba5b43119897bc0934966d9ccd84fc4fc20e7509af634f1c3a096710db1a2253090f5f1f107b9d258945a5546e9ba4
    real-or-random committed Nov 22, 2022
    Commit 2286f80

Commits on Nov 24, 2022

  1. Merge bitcoin-core/secp256k1#1152: Update macOS image for CI

    a8494b0 Use compute credits for macOS jobs (Pieter Wuille)
    c0ae48c Update macOS image for CI (Pieter Wuille)
    
    Pull request description:
    
    ACKs for top commit:
      real-or-random:
        ACK a8494b0
      jonasnick:
        ACK a8494b0
    
    Tree-SHA512: af99585ef68fc8305785885efaf0a0ebe45e5765661d654523a36ba843fc83e0ac40a554638437fa53804e4aa42dbcd92d597702ee6225b66a044a6304bafd45
    jonasnick committed Nov 24, 2022
    Commit 751c435

Commits on Nov 25, 2022

  1. Commit ee7341f
  2. Commit 1a553ee

Commits on Dec 1, 2022

  1. Commit 092be61
  2. Merge bitcoin-core/secp256k1#1165: gitignore: Add *.sage.py files aut…

    …ogenerated by sage [skip ci]
    
    092be61 gitignore: Add *.sage.py files autogenerated by sage (Tim Ruffing)
    
    Pull request description:
    
    ACKs for top commit:
      jonasnick:
        ACK 092be61
    
    Tree-SHA512: ee77e8634814ccc1894eb633816da877a4d4511d9e77f5628b19e0e37006d43ae45431dfd1b30977504a5975a92a2b1824ed53c7837fb5600994d11003996b86
    jonasnick committed Dec 1, 2022
    Commit 477f02c

Commits on Dec 5, 2022

  1. Commit 316ac76
  2. Commit 72fedf8
  3. Commit 53796d2
  4. Commit d2c6d48
  5. Commit e383fbf
  6. Commit e02d686
  7. Commit 0612636
  8. Commit e7d0185
  9. docs: Use doxygen style if and only if comment is user-facing

    and improve phrasing slightly.
    real-or-random committed Dec 5, 2022
    Commit 7289b51
  10. Commit 4386a23

Commits on Dec 6, 2022

  1. Merge bitcoin-core/secp256k1#1126: API cleanup with respect to contexts

    4386a23 examples: Switch to NONE contexts (Tim Ruffing)
    7289b51 docs: Use doxygen style if and only if comment is user-facing (Tim Ruffing)
    e7d0185 docs: Get rid of "initialized for signing" terminology (Tim Ruffing)
    0612636 docs: Tidy and improve docs about contexts and randomization (Tim Ruffing)
    e02d686 selftest: Expose in public API (Tim Ruffing)
    e383fbf selftest: Rename internal function to make name available for API (Tim Ruffing)
    d2c6d48 tests: Use new name of static context (Tim Ruffing)
    53796d2 contexts: Rename static context (Tim Ruffing)
    72fedf8 docs: Improve docs for static context (Tim Ruffing)
    316ac76 contexts: Deprecate all context flags except SECP256K1_CONTEXT_NONE (Tim Ruffing)
    1a553ee docs: Change signature "validation" to "verification" (Tim Ruffing)
    ee7341f docs: Never require a verification context (Tim Ruffing)
    
    Pull request description:
    
    ACKs for top commit:
      sipa:
        utACK 4386a23
      jonasnick:
        ACK 4386a23
    
    Tree-SHA512: 7bf07dfae0ecbf7de1418de64ef743a23dc5f244aeba2c1cf3ecbdc117d6ac12bb6c8f17f739605566074a9b901765ee4a32288b6edc6f9a0040a70cb472f6ee
    jonasnick committed Dec 6, 2022
    Commit e3f8477
  2. Commit 90618e9

Commits on Dec 7, 2022

  1. Commit 8d7a9a8
  2. Commit 37ba744
  3. group: add gej_eq_var

    jonasnick committed Dec 7, 2022
    Commit caa0ad6
  4. Commit 86540e9
  5. Commit 0c8a5ca
  6. Commit d6dc0f4
  7. Merge bitcoin-core/secp256k1#1168: Replace deprecated context flags w…

    …ith NONE in benchmarks and tests
    
    d6dc0f4 tests: Switch to NONE contexts in module tests (Jonas Nick)
    0c8a5ca tests: Switch to NONE contexts in tests.c (Jonas Nick)
    86540e9 tests: add test for deprecated flags and rm them from run_context (Jonas Nick)
    caa0ad6 group: add gej_eq_var (Jonas Nick)
    37ba744 tests: Switch to NONE contexts in exhaustive and ctime tests (Jonas Nick)
    8d7a9a8 benchmarks: Switch to NONE contexts (Jonas Nick)
    
    Pull request description:
    
      Based on #1126.
    
    ACKs for top commit:
      real-or-random:
        ACK d6dc0f4 diff looks good and tests pass locally
      sipa:
        utACK d6dc0f4
    
    Tree-SHA512: 1fb1dc1336409b52827787a03c791a21ee1d6b1bdc388d1fa126600572f348ba16865a01d29bac67b36b8f29f30cda117d82913e2044ccb9d073f5d04338ac9f
    real-or-random committed Dec 7, 2022
    Commit 5c789dc
  8. build: change package version to 0.1.0-dev

    The suffix -dev is slightly clearer.
    
    Also, since the package version follows semantic versioning, rename
    VERSION_BUILD to VERSION_PATCH for clarity.
    jonasnick committed Dec 7, 2022
    Commit ad39e2d

Commits on Dec 8, 2022

  1. cf66f23
  2. c635c1b
  3. 2551cda
  4. docs: Fix typo

    real-or-random committed Dec 8, 2022
    a49e094

Commits on Dec 12, 2022

  1. 7e5b226
  2. doc: improve release process

    - make version on master always equal to latest release with patch+1
    - separate regular from maintenance releases
    - add more git commands to prevent accidents
    - mention that one needs to somehow deal with release dates
    - _LIB_VERSIONS_ -> _LIB_VERSION_
    - don't push all tags in step 4
    - add required message to git tag
    - add suggested commit messages
    jonasnick committed Dec 12, 2022
    b1f992a
  3. 13bf1b6
  4. Merge bitcoin-core/secp256k1#1173: Don't use compute credits for now

    7e5b226 Don't use compute credits for now (Pieter Wuille)
    
    Pull request description:
    
    ACKs for top commit:
      real-or-random:
        ACK 7e5b226
    
    Tree-SHA512: 5f37521dede4270151f4f1ed59e021f78e39b7e3362f4c16ecf2b7733dd1d49306466cc4e9b7837be10769c86799905fb1305cb35fe5cae0366a7f7861e6e9df
    jonasnick committed Dec 12, 2022
    8c949f5
  5. 6d1784a
  6. release: prepare for initial release 0.2.0

    There are plenty of unreleased variants of libsecp256k1 version 0.1.0
    (libsecp256k1.so.0.0.0) in the wild. We choose a new version number to allow a
    clear distinction.
    
    There are variants of 0.1.0 that are incompatible with the initial release,
    hence we increase the minor version to arrive at version number 0.2.0. For the
    same reason, we increase the LIB_VERSION_CURRENT and keep AGE at 0.
    
    The changelog for 0.2.0 consists of the relevant changes since 2021-12-25, which
    is the date when the initial release process PR was merged (and the library
    version was set to a pre-release, see 423b6d1).
    This is somewhat arbitrary but at least points readers to relevant changes.
    jonasnick committed Dec 12, 2022
    e025ccd
  7. Merge bitcoin-core/secp256k1#1055: Prepare initial release

    e025ccd release: prepare for initial release 0.2.0 (Jonas Nick)
    6d1784a build: add missing files to EXTRA_DIST (Jonas Nick)
    13bf1b6 changelog: make order of change types match keepachangelog.com (Jonas Nick)
    b1f992a doc: improve release process (Jonas Nick)
    ad39e2d build: change package version to 0.1.0-dev (Jonas Nick)
    90618e9 doc: move CHANGELOG from doc/ to root directory (Jonas Nick)
    
    Pull request description:
    
      Based on #964
    
    ACKs for top commit:
      sipa:
        ACK e025ccd
    
    Tree-SHA512: b9ab71d7362537d383a32b5e321ef44069f00e3e92340375bcd662267bc5a60c2bad60222998e6602cfac24ad65efb23d772eac37c86065036b90ef090b54c49
    sipa committed Dec 12, 2022
    21ffe4b
  8. b6b360e
  9. 02ebc29
  10. Merge bitcoin-core/secp256k1#1174: release cleanup: bump version after 0.2.0
    
    02ebc29 release cleanup: bump version after 0.2.0 (Jonas Nick)
    b6b360e doc: improve message of cleanup commit (Jonas Nick)
    
    Pull request description:
    
    ACKs for top commit:
      sipa:
        ACK 02ebc29
    
    Tree-SHA512: b887e31a531f7d21025558ed0a64ff5f68dee6feff8288478f7eb023189ceb20e5ca8baf0434ebd2ee49488d35d7aebc1b837888ff8c6e6420e6b86cc2f99cb1
    jonasnick committed Dec 12, 2022
    9a8d65f

Commits on Dec 13, 2022

  1. cee8223
  2. Add links to diffs to changelog

    sipa committed Dec 13, 2022
    ac233e1
  3. Add more changelog entries

    sipa committed Dec 13, 2022
    2dc133a
  4. Reduce font size in changelog

    sipa committed Dec 13, 2022
    9ecf814

Commits on Dec 15, 2022

  1. Remove dependency on src/libsecp256k1-config.h

    This change eases the use of alternate build systems by moving
    the variables in `src/libsecp256k1-config.h` to compiler macros
    for each invocation, preventing duplication of these variables
    for each build system.
    
    Co-authored-by: Ali Sherief <ali@notatether.com>
    hebasto and ZenulAbidin committed Dec 15, 2022
    b627ba7
  2. ad8647f
  3. 9c5a4d2

Commits on Dec 19, 2022

  1. c2e0fda
  2. 7a74688
  3. Merge bitcoin-core/secp256k1#1154: ci: set -u in cirrus.sh to treat unset variables as an error
    
    7a74688 ci: add missing CFLAGS & CPPFLAGS variable to print_environment (Jonas Nick)
    c2e0fda ci: set -u in cirrus.sh to treat unset variables as an error (Jonas Nick)
    
    Pull request description:
    
      This PR is supposed to prevent accidental misuse of cirrus.sh. Maybe there is a way to check if `CC`, `AR` and `NM` are set within the loop that deals with the other variables, but so far I did not come up with one (that's POSIX shell compliant).
    
    ACKs for top commit:
      real-or-random:
        ACK 7a74688
      hebasto:
        re-ACK 7a74688
    
    Tree-SHA512: 91e42b3f1192fbf86e6fb43942713e78b2bee977ddd95256ea7448f84324369399d31ec4eedd47af595bf994bbc9396e26bb5c93bdb7f58c4310b5d3d5d66731
    real-or-random committed Dec 19, 2022
    75d7b7f

Commits on Dec 20, 2022

  1. Merge bitcoin-core/secp256k1#1178: Drop src/libsecp256k1-config.h

    9c5a4d2 Do not define unused `HAVE_VALGRIND` macro (Hennadii Stepanov)
    ad8647f Drop no longer relevant files from `.gitignore` (Hennadii Stepanov)
    b627ba7 Remove dependency on `src/libsecp256k1-config.h` (Hennadii Stepanov)
    
    Pull request description:
    
      Cherry-picked the first commit from #1142 and addressed a [comment](bitcoin-core/secp256k1#1142 (comment)).
    
    ACKs for top commit:
      sipa:
        utACK 9c5a4d2
      real-or-random:
        utACK 9c5a4d2
    
    Tree-SHA512: c6f268261fc5edee855a7e69fdf9f6c5f4b859eb1e078e3c44c3ee4c9c445738af3de9fc2fbcca90db9b9e38681da8217faaeb0735201052b16ea397a7817db9
    sipa committed Dec 20, 2022
    665ba77
  2. Consistency in naming of modules

    sipa committed Dec 20, 2022
    881fc33
  3. c30b889
  4. Merge bitcoin-core/secp256k1#1177: Some improvements to the changelog

    c30b889 Clarify that the ABI-incompatible versions are earlier (Pieter Wuille)
    881fc33 Consistency in naming of modules (Pieter Wuille)
    9ecf814 Reduce font size in changelog (Pieter Wuille)
    2dc133a Add more changelog entries (Pieter Wuille)
    ac233e1 Add links to diffs to changelog (Pieter Wuille)
    cee8223 Mention semantic versioning in changelog (Pieter Wuille)
    
    Pull request description:
    
    ACKs for top commit:
      real-or-random:
        ACK c30b889
      jonasnick:
        ACK c30b889
    
    Tree-SHA512: 0f753eae0ea4d65035bfbcd81b90169111ea030cf7196dd072fb1ccc8aac1437768031f3fcef431584028da68b66873204e16e03bcde4a6ae96b08ab7f97a480
    jonasnick committed Dec 20, 2022
    3f57b9f

Commits on Dec 21, 2022

  1. Merge bitcoin-core/secp256k1#1171: Change ARG_CHECK_NO_RETURN to ARG_CHECK_VOID which returns (void)
    
    a49e094 docs: Fix typo (Tim Ruffing)
    2551cda tests: Fix code formatting (Tim Ruffing)
    c635c1b Change ARG_CHECK_NO_RETURN to ARG_CHECK_VOID which returns (void) (Tim Ruffing)
    cf66f23 refactor: Add helper function secp256k1_context_is_proper() (Tim Ruffing)
    
    Pull request description:
    
    ACKs for top commit:
      sipa:
        utACK a49e094
      jonasnick:
        ACK a49e094
    
    Tree-SHA512: 0fd4ee88510f2de0de96378ae69ce6e610a446000bb78597026c5924803e1ce5a4f76303fc6446233a6129f9c42dce1b1549f93bef935131101e47b5a69cdf2f
    jonasnick committed Dec 21, 2022
    eacad90
  2. Merge bitcoin-core/secp256k1#1158: Add a secp256k1_i128_to_u64 function.

    d216475 test secp256k1_i128_to_i64 (Russell O'Connor)
    4bc4290 Add a secp256k1_i128_to_u64 function. (Russell O'Connor)
    
    Pull request description:
    
      I wanted to experiment with what would be required to split up `secp256k1_i128_to_i64` between those cases when a signed 64 bit value is being demoted, versus an unsigned 64 bit value is being extracted from the lower bits, and this is the result.
    
      I'm not sure this is a useful PR, so feel free to close it.  However, since it is already written, I figured it is worth at least discussing.
    
    ACKs for top commit:
      sipa:
        utACK d216475
      real-or-random:
        ACK d216475
    
    Tree-SHA512: 41dbb1d33b3078bee8e71a838cfad6f1859c0bba602ae061259add8e9e8ea5aa482daa41de79dbd7433ddbef4a0bc52757f3c45d63acc9c0eb05aa3ca891b922
    real-or-random committed Dec 21, 2022
    01b819a

Commits on Dec 29, 2022

  1. c0a555b

Commits on Jan 2, 2023

  1. Merge bitcoin-core/secp256k1#1183: Bugfix: pass SECP_CONFIG_DEFINES to bench compilation
    
    c0a555b Bugfix: pass SECP_CONFIG_DEFINES to bench compilation (Pieter Wuille)
    
    Pull request description:
    
    ACKs for top commit:
      real-or-random:
        utACK c0a555b
      apoelstra:
        ACK c0a555b
    
    Tree-SHA512: 4ec6ca4c012166beb6c5bdd1b2ed939554415e03545c176cf281000145c4000a460e231d5da26f617a81b048cd0fa3f8f16b61a207aed9479fdd854483e35ded
    real-or-random committed Jan 2, 2023
    31ed538

Commits on Jan 3, 2023

  1. Drop SECP_CONFIG_DEFINES from examples

    User applications shouldn't need or rely on `SECP_CONFIG_DEFINES`.
    hebasto committed Jan 3, 2023
    2f9ca28
  2. Merge bitcoin-core/secp256k1#1185: Drop SECP_CONFIG_DEFINES from examples
    
    2f9ca28 Drop `SECP_CONFIG_DEFINES` from examples (Hennadii Stepanov)
    
    Pull request description:
    
      User applications shouldn't need or rely on `SECP_CONFIG_DEFINES`.
    
      See bitcoin-core/secp256k1#1178 (comment).
    
    ACKs for top commit:
      sipa:
        utACK 2f9ca28
      real-or-random:
        utACK 2f9ca28
    
    Tree-SHA512: c8e81e6842b31e7f4ebcbb18d5962f7d7308f024025d6225330a7ec099739278bb43ad98243698c5802bcc49bf7e247ab7cae7f40008fbba87f0d0e46cbe1e85
    real-or-random committed Jan 3, 2023
    2a39ac1

Commits on Jan 4, 2023

  1. b198061
  2. 18e0db3

Commits on Jan 5, 2023

  1. ce4f936
  2. f32a36f
  3. fc90bb5
  4. a4a0937
  5. 39e8f0e

Commits on Jan 6, 2023

  1. Merge bitcoin-core/secp256k1#1186: tests: Tidy context tests

    39e8f0e refactor: Separate run_context_tests into static vs proper contexts (Tim Ruffing)
    a4a0937 tests: Clean up and improve run_context_tests() further (Tim Ruffing)
    fc90bb5 refactor: Tidy up main() (Tim Ruffing)
    f32a36f tests: Don't use global context for context tests (Tim Ruffing)
    ce4f936 tests: Tidy run_context_tests() by extracting functions (Tim Ruffing)
    18e0db3 tests: Don't recreate global context in scratch space test (Tim Ruffing)
    b198061 tests: Use global copy of secp256k1_context_static instead of clone (Tim Ruffing)
    
    Pull request description:
    
      This is an improved version of some of the tidying/refactoring in #1170.
    
      I think it's enough to deserve a separate PR. Once this is merged, I'll get back to the actual goal of #1170 (namely, forbidding cloning and randomizing static contexts.)
    
      This PR is a general clean up of the context tests. A notable change is that this avoids a code smell where `run_context_tests()` would use the global `ctx` variable like a local one (i.e., create a context in it and destroy it afterwards).  After this PR, the global `ctx` is properly initialized for all the other tests, and they can decide whether they want to use it or not. Same for a global `sttc`, which is a memcpy of the static context (we need a writable copy in order to be able to set callbacks).
    
      Note that this touches code which is also affected by #1167 but I refrained from trying to solve this issue. The goal of this PR is simply not to worsen the situation w.r.t. #1167. We should really introduce a macro to solve #1167 but that's another PR.
    
    ACKs for top commit:
      sipa:
        utACK 39e8f0e
      apoelstra:
        ACK 39e8f0e
    
    Tree-SHA512: a22471758111061a062b126a52a0de24a1a311d1a0332a4ef006882379a4f3f2b00e53089e3c374bf47c4051bb10bbc6a9fdbcf6d0cd4eca15b5703590395fba
    real-or-random committed Jan 6, 2023
    0eb3000
  2. Makefile: add -I$(top_srcdir)/src to CPPFLAGS for precomputed

    When performing an out-of-source-tree build, regenerating the source
    files for the precomputed ecmult tables places them outside the source
    tree. Then, when they are to be compiled, they cannot find the headers
    they need because the source tree is absent from their include search
    path. This appears to have been an oversight, as the relevant -I options
    are present in libsecp256k1_la_CPPFLAGS but were missing from
    libsecp256k1_precomputed_la_CPPFLAGS. This commit adds them.
    whitslack committed Jan 6, 2023
    e862c4a

Commits on Jan 7, 2023

  1. 2037600

Commits on Jan 9, 2023

  1. Merge bitcoin-core/secp256k1#1188: tests: Add noverify_tests which is like tests but without VERIFY
    
    2037600 tests: Add noverify_tests which is like tests but without VERIFY (Tim Ruffing)
    
    Pull request description:
    
      mentioned in bitcoin-core/secp256k1#1037 (comment)
    
      Let's see how this affects CI time
    
    ACKs for top commit:
      sipa:
        ACK 2037600
      apoelstra:
        ACK 2037600
    
    Tree-SHA512: fab1ce1499d418671d3d0ecfddf15d75b7c2bbfbfb4be958a95730491244185a906c7133aba4d0bec56ee6c721cb525750eef4cafc12f386484af931e34b0e8e
    sipa committed Jan 9, 2023
    cbe41ac
  2. e03ef86

Commits on Jan 10, 2023

  1. 3385a26
  2. 9a93f48

Commits on Jan 11, 2023

  1. Merge bitcoin-core/secp256k1#1187: refactor: Rename global variables in tests
    
    9a93f48 refactor: Rename STTC to STATIC_CTX in tests (Tim Ruffing)
    3385a26 refactor: Rename global variables to uppercase in tests (Tim Ruffing)
    
    Pull request description:
    
      On top of #1186.
    
      I feel that this is an improvement, but it touches a lot of lines and so it deserves a separate discussion.
    
    ACKs for top commit:
      sipa:
        ACK 9a93f48
    
    Tree-SHA512: b6dad2ffff2267034bf8cefdd3ef7ea11e9bcb8142d64b460ca61e0d3ab8de22fb3ee994dea0fb32feee3864d07395c070abffab318690d09d104294895300c4
    real-or-random committed Jan 11, 2023
    cc3b8a4
  2. 4f1a54e
  3. 0db05a7
  4. 8dc6407
  5. 8e11f89
  6. 6eed6c1
  7. 5048be1
  8. 1897406
  9. 5e2e6fc
  10. 74b026f
  11. Rename CTIMETEST -> CTIMETESTS

    sipa committed Jan 11, 2023
    0f088ec

Commits on Jan 12, 2023

  1. Merge bitcoin-core/secp256k1#1160: Makefile: add `-I$(top_srcdir)/{include,src}` to `CPPFLAGS` for precomputed
    
    e862c4a Makefile: add -I$(top_srcdir)/src to CPPFLAGS for precomputed (Matt Whitlock)
    
    Pull request description:
    
      When performing an out-of-source-tree build, regenerating the source files for the precomputed ecmult tables places them outside the source tree. Then, when they are to be compiled, they cannot find the headers they need because the source tree is absent from their include search path. This appears to have been an oversight, as the relevant `-I` options are present in `libsecp256k1_la_CPPFLAGS` but were missing from `libsecp256k1_precomputed_la_CPPFLAGS`. This PR adds them.
    
    ACKs for top commit:
      sipa:
        utACK e862c4a
      real-or-random:
        ACK e862c4a
    
    Tree-SHA512: f58b8670b2798f2ca4bd6e9fd83218afcd14cf1b796cd18fb40e7b8a148dcdfabe5f0beae81bc6b82727c97a507431e6a7c72d756587e047daf1ea81242cccf9
    real-or-random committed Jan 12, 2023
    88e8072

Commits on Jan 13, 2023

  1. d4a6b58
  2. 4934aa7
  3. ce60785

Commits on Jan 14, 2023

  1. Merge bitcoin-core/secp256k1#1193: Add noverify_tests to .gitignore

    d4a6b58 Add `noverify_tests` to `.gitignore` (Hennadii Stepanov)
    
    Pull request description:
    
      This is a follow up of #1188.
    
    ACKs for top commit:
      sipa:
        ACK d4a6b58
      real-or-random:
        utACK d4a6b58
    
    Tree-SHA512: a249c949d4b1432c6a5ff05a49f51a1f605f026ce6faa01bebee12a49d1ad2e38a344c35d2a21b827ceb40190448306262af7ca9a4385ebd96115d18ace42856
    real-or-random committed Jan 14, 2023
    ff8edf8

Commits on Jan 16, 2023

  1. Merge bitcoin-core/secp256k1#1169: Add support for msan instead of valgrind (for memcheck and ctime test)
    
    0f088ec Rename CTIMETEST -> CTIMETESTS (Pieter Wuille)
    74b026f Add runtime checking for DECLASSIFY flag (Pieter Wuille)
    5e2e6fc Run ctime test in Linux MSan CI job (Pieter Wuille)
    1897406 Make ctime tests building configurable (Pieter Wuille)
    5048be1 Rename valgrind_ctime_test -> ctime_tests (Pieter Wuille)
    6eed6c1 Update error messages to suggest msan as well (Pieter Wuille)
    8e11f89 Add support for msan integration to checkmem.h (Pieter Wuille)
    8dc6407 Add compile-time error to valgrind_ctime_test (Pieter Wuille)
    0db05a7 Abstract interactions with valgrind behind new checkmem.h (Pieter Wuille)
    4f1a54e Move valgrind CPPFLAGS into SECP_CONFIG_DEFINES (Pieter Wuille)
    
    Pull request description:
    
      This introduces an abstraction layer `src/checkmem.h`, which defines macros for interacting with memory checking tools. Depending on the environment, they're mapped to MemorySanitizer builtins, Valgrind integration macros, or nothing at all.
    
      This means that msan builds immediately benefit from existing undefined memory checks in the tests. It also means those builds result in a `ctime_tests` (new name for `valgrind_ctime_test`) binary that can usefully test constant-timeness (not inside Valgrind, and with the downside that it's not running against a production library build, but it's faster and available on more platforms).
    
      Such an msan-ctime test is added to the Linux x86_64 msan CI job, as an example. More CI cases could be added (e.g. for macOS or ARM Linux) later.
    
    ACKs for top commit:
      real-or-random:
        ACK 0f088ec
      hebasto:
        ACK 0f088ec, I have reviewed the code and it looks OK. Able to build `ctime_tests` using MSan.
    
    Tree-SHA512: f4ffcc0c2ea794894662d9797b3a349770a4b361996f967f33d7d14b332171de5d525f50bcebaeaf7d0624957083380962079c75e490d1b7d71f8f9eb6211590
    real-or-random committed Jan 16, 2023
    f29a327
  2. Merge bitcoin-core/secp256k1#1190: Make all non-API functions (except main) static
    
    e03ef86 Make all non-API functions (except main) static (Pieter Wuille)
    
    Pull request description:
    
    ACKs for top commit:
      real-or-random:
        utACK e03ef86
      hebasto:
        ACK e03ef86.
    
    Tree-SHA512: 36a35d9a8da05411c88644aec81e79883febce3e08c9eb6b0ec95cfc3705fd6abfd66f7ee10dfa081ca20786d26b0a060ead7f5c8109bf02a73dde7ef811144b
    real-or-random committed Jan 16, 2023
    a7a7bfa
  3. Merge bitcoin-core/secp256k1#1192: Switch to exhaustive groups with small B coefficient
    
    ce60785 Introduce SECP256K1_B macro for curve b coefficient (Pieter Wuille)
    4934aa7 Switch to exhaustive groups with small B coefficient (Pieter Wuille)
    
    Pull request description:
    
      This has the advantage that in the future, multiplication with B can be done using `secp256k1_fe_mul_int` rather than the slower `secp256k1_fe_mul`.
    
    ACKs for top commit:
      real-or-random:
        ACK ce60785 also ran the exhaustive tests with the group of size 7
      apoelstra:
        ACK ce60785
    
    Tree-SHA512: 006041189d18319ddb9c0ed54e479f393b83ab2a368d198bd24860d1d2574c0c1a311aea24fbef2e74bb7859a687dfc803b9e963e6dc5c61cb707e20f52b5a70
    real-or-random committed Jan 16, 2023
    a01a7d8

Commits on Jan 17, 2023

  1. Ensure safety of ctz_debruijn implementation.

    Adding U to the magic constants ensures that we are not mixing unsigned and signed values during multiplication, and ensures that the multiplication will not be subject to integer promotion.
    
    The (uint32_t)/(uint64_t) casts ensure the values are properly truncated no matter the size of an int.
    
    Prior to this commit, if secp256k1_ctz32_var_debruijn were somehow managed to be built on a platform with 64-bit ints, (though this function is specifically only intended to be used on 32-bit platforms) it would perform an out-of-bounds array access.
    roconnor-blockstream committed Jan 17, 2023
    d6ff738

Commits on Jan 18, 2023

  1. 8f51229
  2. Merge bitcoin-core/secp256k1#1194: Ensure safety of ctz_debruijn implementation.
    
    d6ff738 Ensure safety of ctz_debruijn implementation. (Russell O'Connor)
    
    Pull request description:
    
      Adding `U` to the magic constants ensures that we are not mixing unsigned and signed values during multiplication, and ensures that the multiplication will not be subject to integer promotion.
    
      The `(uint32_t)`/`(uint64_t)` casts ensure the values are properly truncated no matter the size of an int.
    
      Prior to this commit, if `secp256k1_ctz32_var_debruijn` were somehow managed to be built on a platform with 64-bit ints, (though this function is specifically only intended to be used on 32-bit platforms) it would perform an out-of-bounds array access.
    
    ACKs for top commit:
      real-or-random:
        utACK d6ff738
      apoelstra:
        ACK d6ff738
    
    Tree-SHA512: f2292fa6e03deff4598514f9070b1357ce307ce1d2b34c15da120198c2f9171dfae9e0aaddb99f2c577ec368a903337eb68281518e93e43c381c9875aa84144e
    real-or-random committed Jan 18, 2023
    b1579cf
  3. 4b6df5e
  4. 61841fc

Commits on Jan 19, 2023

  1. Drop no longer used SECP_TEST_{LIBS,INCLUDE} variables

    The last usage of the `SECP_TEST_{LIBS,INCLUDE}` variables was removed
    in bitcoin-core/secp256k1#983.
    hebasto committed Jan 19, 2023
    613626f
  2. Drop no longer used SECP_{LIBS,INCLUDE} variables

    The last usage of the `SECP_INCLUDE` variable was removed
    in bitcoin-core/secp256k1#1169.
    hebasto committed Jan 19, 2023
    2cd4e3c
  3. e39d954
  4. Merge bitcoin-core/secp256k1#1196: Drop no longer used variables from the build system
    
    2cd4e3c Drop no longer used `SECP_{LIBS,INCLUDE}` variables (Hennadii Stepanov)
    613626f Drop no longer used `SECP_TEST_{LIBS,INCLUDE}` variables (Hennadii Stepanov)
    
    Pull request description:
    
      `SECP_INCLUDES`, `SECP_LIBS`, `SECP_TEST_LIBS` and `SECP_TEST_INCLUDES` were introduced in 78cd96b.
    
      The last usage of the `SECP_TEST_{LIBS,INCLUDE}` variables was removed in bitcoin-core/secp256k1#983.
    
      The last usage of the `SECP_LIBS` variable was removed in bitcoin-core/secp256k1#831.
    
      The last usage of the `SECP_INCLUDE` variable was removed in bitcoin-core/secp256k1#1169.
    
    ACKs for top commit:
      sipa:
        utACK 2cd4e3c
      real-or-random:
        utACK 2cd4e3c
    
    Tree-SHA512: ceee39dfb74aaeaa9a1e52fba819f32cee8e08922872bca2bfd6db8575c9b4695da476a4b8e8579abb92d6484fbf461e691369b160ecbc792261dbb454349efb
    sipa committed Jan 19, 2023
    ad7433b
  5. Merge bitcoin-core/secp256k1#1195: ctime_tests: improve output when CHECKMEM_RUNNING is not defined
    
    8f51229 ctime_tests: improve output when CHECKMEM_RUNNING is not defined (Jonas Nick)
    
    Pull request description:
    
      When seeing the output
      ```
      Unless compiled under msan, this test can only usefully be run inside valgrind.
      ```
      I thought that I would have to go back to the `configure` output to manually check if it was compiled under memsan to determine whether this test can be usefully run outside valgrind. But when we go into this branch then it was definitely not compiled under msan, which means that we can make the output clearer.
    
    ACKs for top commit:
      sipa:
        utACK 8f51229
      real-or-random:
        utACK bitcoin-core/secp256k1@8f51229
    
    Tree-SHA512: a4953a158b1375d8fc3a2ee29e7014c5399becf5f75ffd3765c0141861e092fbc120003e00dfd25ec54b92a466e133377b96d5a9f4017c100aaf64fb9a045df1
    sipa committed Jan 19, 2023
    233822d
  6. Merge bitcoin-core/secp256k1#1170: contexts: Forbid destroying, cloni…

    …ng and randomizing the static context
    
    e39d954 tests: Add CHECK_ILLEGAL(_VOID) macros and use in static ctx tests (Tim Ruffing)
    61841fc contexts: Forbid randomizing secp256k1_context_static (Tim Ruffing)
    4b6df5e contexts: Forbid cloning/destroying secp256k1_context_static (Tim Ruffing)
    
    Pull request description:
    
      As discussed in #1126.
    
      For randomization, this has a history. Initially, this threw the illegal callback but then we changed it to be a no-op on non-signing contexts: bitcoin-core/secp256k1@6198375 But this was with (non-static) none/verification contexts in mind, not with the static context. If we anyway forbid cloning the static context, you should never have a way to randomize a copy of the static context. (You need a copy because the static context itself is not writable. But you cannot obtain a copy except when using memcpy etc.)
    
    ACKs for top commit:
      sipa:
        utACK e39d954
      apoelstra:
        ACK e39d954
    
    Tree-SHA512: dc804b15652d536b5d67db7297ac0e65eab3a64cbb35a9856329cb87e7ea0fe8ea733108104b3bba580077fe03d6ad6b161c797cf866a74722bab7849f0bb60c
    sipa committed Jan 19, 2023
    5fbff5d
  7. benchmarks: fix bench_scalar_split

    scalar_split_lambda requires that the input pointer is different to both output
    pointers. Without this fix, the internal benchmarks crash when compiled with
    -DVERIFY.
    
    This was introduced in commit 362bb25 (which
    requires configuring with --enable-endomorphism to exhibit the crash).
    jonasnick committed Jan 19, 2023
    620ba3d
  8. ci: add test job with -DVERIFY

    This detects benchmarks that crash when VERIFY is defined.
    jonasnick committed Jan 19, 2023
    7f49aa7
  9. scalar: restrict split_lambda args, improve doc and VERIFY_CHECKs

    VERIFY_CHECK(r1 != r2) is added because otherwise the verify_scalar_split fails.
    jonasnick committed Jan 19, 2023
    eb6beba
  10. Merge bitcoin-core/secp256k1#1172: benchmarks: fix bench_scalar_split

    eb6beba scalar: restrict split_lambda args, improve doc and VERIFY_CHECKs (Jonas Nick)
    7f49aa7 ci: add test job with -DVERIFY (Jonas Nick)
    620ba3d benchmarks: fix bench_scalar_split (Jonas Nick)
    
    Pull request description:
    
      scalar_split_lambda requires that the input pointer is different to both output
      pointers. Without this fix, the internal benchmarks crash when compiled with
      -DVERIFY.
    
      This was introduced in commit bitcoin-core/secp256k1@362bb25 (which
      requires configuring with --enable-endomorphism to exhibit the crash).
    
      I tested that the new CI job would have caught this bug.
    
    ACKs for top commit:
      sipa:
        utACK eb6beba
      real-or-random:
        utACK eb6beba
    
    Tree-SHA512: c810545aefb01561ddb77b53618fa7acbb156ec13ab809c00523d4758492cafab1dfa01b6ebfb6195a3803bb49b16e63e8b0efcd1abb76ecefdb0476c3e483a3
    sipa committed Jan 19, 2023
    2b77240

Commits on Jan 27, 2023

  1. ci: Use remote pull/merge ref instead of local git merge

    The merge strategy on the remote may be different than the local one.
    This may cause local merges to be different or fail completely. Fix this
    by using the result of the remote merge.
    
    (copied from bitcoin/bitcoin@fad7281)
    real-or-random committed Jan 27, 2023
    0ecf318
  2. ci: Don't fetch git history

    real-or-random committed Jan 27, 2023
    c241586

Commits on Jan 28, 2023

  1. 9b7d186

Commits on Jan 30, 2023

  1. Merge bitcoin-core/secp256k1#1200: Drop no longer used Autoheader macros

    9b7d186 Drop no longer used Autoheader macros (Hennadii Stepanov)
    
    Pull request description:
    
      A cleanup after #1178.
    
    ACKs for top commit:
      kevkevinpal:
        utACK [9b7d186](bitcoin-core/secp256k1@9b7d186)
      sipa:
        utACK 9b7d186
      real-or-random:
        utACK 9b7d186
    
    Tree-SHA512: ce95547683580bde46a55a6adc3dc46aca02fc86b0300ce0598d62ed47f1d77c4fa9ffd38dcda858655cefa6c940260d05f42cca294e7f3e7a46394b117c9ce9
    sipa committed Jan 30, 2023
    1bff200
  2. Merge bitcoin-core/secp256k1#1199: ci: Minor improvements inspired by…

    … Bitcoin Core
    
    c241586 ci: Don't fetch git history (Tim Ruffing)
    0ecf318 ci: Use remote pull/merge ref instead of local git merge (Tim Ruffing)
    
    Pull request description:
    
      This steals two recent CI improvements from bitcoin/bitcoin. See individual commit messages.
    
    ACKs for top commit:
      sipa:
        utACK c241586
    
    Tree-SHA512: 966130f45767c6bee8bc041d7e90a3166591a54c7cfccdcf4dff99aa4f6ccc2d02544fa7dca9fd020241349775da3cbd9bdbb041fcdd32de7426efd9dcc9c7f8
    real-or-random committed Jan 30, 2023
    e1817a6
  3. ci: Do not set git's user.{email,name} config options

    git's `user.{email,name}` config options have been no longer required
    since 0ecf318.
    hebasto committed Jan 30, 2023
    9b60e31
  4. Do not link bench and ctime_tests to COMMON_LIB

    The `bench` and `ctime_tests` are users of the library, they should only
    be linked to the library, not the objects it was built from.
    hebasto committed Jan 30, 2023
    ef39721

Commits on Jan 31, 2023

  1. Merge bitcoin-core/secp256k1#1203: Do not link bench and `ctime_tes…

    …ts` to `COMMON_LIB`
    
    ef39721 Do not link `bench` and `ctime_tests` to `COMMON_LIB` (Hennadii Stepanov)
    
    Pull request description:
    
      The `bench` and `ctime_tests` binaries are users of the library, they should only be linked to the library, not the objects it was built from.
    
    ACKs for top commit:
      sipa:
        utACK ef39721
      real-or-random:
        utACK ef39721
    
    Tree-SHA512: 8bf8330adcce9bf6b21aceacf86e6aff7594762ab68b09257cfe2904fa0ce827377d5a13c0bed5acde74a2b420bb49460657c66d0068ecbe36dc162140876be4
    real-or-random committed Jan 31, 2023
    5596ec5
  2. Merge bitcoin-core/secp256k1#1201: ci: Do not set git's `user.{email,…

    …name}` config options
    
    9b60e31 ci: Do not set git's `user.{email,name}` config options (Hennadii Stepanov)
    
    Pull request description:
    
      A cleanup after bitcoin-core/secp256k1#1199.
    
      git's `user.{email,name}` config options have been no longer required since 0ecf318.
    
    ACKs for top commit:
      real-or-random:
        utACK 9b60e31
    
    Tree-SHA512: 04f737b0549a91ca992cd1410420e041549a07869eeef068e08971781ea8a4c88a2486e789df36a5ad370ccbbf5d9f7e49ab5f7c1d01faef358ffc4863aaf8e4
    real-or-random committed Jan 31, 2023
    8ebe5c5

Commits on Feb 2, 2023

  1. build: Add -Wreserved-identifier supported by clang

    This warns on certain identifiers reserved by the C standard, namely
     * identifiers that begin with an underscore followed by an uppercase
       letter, and
     * identifiers in the global namespace that begin with an underscore.
    
    We had used such identifiers in the past for macros in include guards,
    and we should make sure that we don't reintroduce such identifiers
    going forward.
    
    Note that C reserves more identifiers for "future library directions",
    e.g., identifiers that begin with "str" followed by a lowercase letter.
    But even the C standards committee has decided that this is somewhat
    silly and adopted a proposal [1] for C23 that removes the restriction
    that programs using these identifiers have UB. Instead, these
    identifiers are now "potentially reserved", which is not a normative
    restriction but simply an informative warning that the identifiers
    may become fully reserved in the future.
    
    [1] https://www.open-std.org/jtc1/sc22/WG14/www/docs/n2625.pdf
    real-or-random committed Feb 2, 2023
    8c7e0fc

Commits on Feb 3, 2023

  1. Merge bitcoin-core/secp256k1#1206: build: Add -Wreserved-identifier s…

    …upported by clang
    
    8c7e0fc build: Add -Wreserved-identifier supported by clang (Tim Ruffing)
    
    Pull request description:
    
      This warns on certain identifiers reserved by the C standard, namely
       * identifiers that begin with an underscore followed by an uppercase letter, and
       * identifiers in the global namespace that begin with an underscore.
    
      We had used such identifiers in the past for macros in include guards, and we should make sure that we don't reintroduce such identifiers going forward.
    
      Note that C reserves more identifiers for "future library directions", e.g., identifiers that begin with "str" followed by a lowercase letter. But even the C standards committee has decided that this is somewhat silly and adopted a proposal [1] for C23 that removes the restriction that programs using these identifiers have UB. Instead, these identifiers are now "potentially reserved", which is not a normative restriction but simply an informative warning that the identifiers may become fully reserved in the future.
    
      [1] https://www.open-std.org/jtc1/sc22/WG14/www/docs/n2625.pdf
    
    ACKs for top commit:
      sipa:
        utACK 8c7e0fc
      jonasnick:
        tested ACK 8c7e0fc
    
    Tree-SHA512: da0c5f1e36cffad2ab2f0b8055c8b3cb56e904d8bfea5a9eed9d6fa984359217b3ef3b9232bfb455cf4071c04a6c2a077e26d2a15b20d1eabc99b1fc61d2025c
    real-or-random committed Feb 3, 2023
    1cca7c1

Commits on Feb 6, 2023

  1. build: Add SECP256K1_API_VAR to fix importing variables from DLLs

    This fixes a build issue with MSVC. While MSVC imports *functions*
    from DLLs automatically when building a consumer of the DLL, it does
    not import *variables* automatically. In these cases, we need an
    explicit __declspec(dllimport).
    
    This commit simply changes our logic to what the libtool manual
    suggests, which has a very comprehensive writeup on the topic. Note
    that in particular, this solution is carefully designed not to break
    static linking. However, as described in the libtool manual,
    statically linking the library with MSVC will output warning LNK4217.
    This is still the best solution overall, because the warning is
    merely a cosmetic issue.
    real-or-random committed Feb 6, 2023
    914276e
  2. examples: Extend sig examples by call that uses static context

    Besides improving the examples, this makes sure that the examples
    import a variable (instead of a function), namely the static context,
    from the library. This is helpful when testing MSVC builds, because
    the MSVC linker tends to be awkward when importing variables.
    real-or-random committed Feb 6, 2023
    739c53b
  3. build: Suppress stupid MSVC linker warning

    ... and use correct format to pass linker flags
    real-or-random committed Feb 6, 2023
    9a5a611
  4. ci: Shutdown wineserver whenever CI script exits

    Before: CI times out when a wine task fails.
    After:  Wine tasks exit properly when they fail.
    real-or-random committed Feb 6, 2023
    e433034

Commits on Feb 14, 2023

  1. Merge bitcoin-core/secp256k1#1078: group: Save a normalize_to_zero in…

    … gej_add_ge
    
    e089eec group: Further simplify gej_add_ge (Tim Ruffing)
    ac71020 group: Save a normalize_to_zero in gej_add_ge (Tim Ruffing)
    
    Pull request description:
    
      As discovered by sipa in #1033.
    
      See commit message for reasoning but note that the infinity handling will be replaced in the second commit again.
    
    ACKs for top commit:
      sipa:
        ACK e089eec
      apoelstra:
        ACK e089eec
    
    Tree-SHA512: fb1b5742e73dd8b2172b4d3e2852490cfd626e8673b72274d281fa34b04e9368a186895fb9cd232429c22b14011df136f4c09bdc7332beef2b3657f7f2798d66
    sipa committed Feb 14, 2023
    1b21aa5

Commits on Feb 21, 2023

  1. Merge bitcoin-core/secp256k1#1209: build: Add SECP256K1_API_VAR to fi…

    …x importing variables from DLLs
    
    e433034 ci: Shutdown wineserver whenever CI script exits (Tim Ruffing)
    9a5a611 build: Suppress stupid MSVC linker warning (Tim Ruffing)
    739c53b examples: Extend sig examples by call that uses static context (Tim Ruffing)
    914276e build: Add SECP256K1_API_VAR to fix importing variables from DLLs (Tim Ruffing)
    
    Pull request description:
    
      ... and more Windows fixes, please see the individual commits.
    
      The fixed issues were discovered in bitcoin-core/secp256k1#1198.
    
    ACKs for top commit:
      sipa:
        utACK e433034
      hebasto:
        ACK e433034, tested on Windows using [CMake](bitcoin-core/secp256k1#1113) (which means that the 3rd commit is reviewed only, but not tested). FWIW, `LNK4217` warnings have been indeed observed.
    
    Tree-SHA512: ce7845b106190cdc517988c30aaf2cc9f1d6da22904dfc5cb6bf4ee05f063929dc8b3038479e703b6cebac79d1c21d0c84560344d2478cb1c1740087383f40e3
    real-or-random committed Feb 21, 2023
    cbd2555

Commits on Feb 27, 2023

  1. 5fffb2c
  2. 04c6c1b

Commits on Feb 28, 2023

  1. Native jacobi symbol algorithm

    This introduces variants of the divsteps-based GCD algorithm used for
    modular inverses to compute Jacobi symbols. Changes compared to
    the normal vartime divsteps:
    * Only positive matrices are used, guaranteeing that f and g remain
      positive.
    * An additional jac variable is updated to track sign changes during
      matrix computation.
    * There is (so far) no proof that this algorithm terminates within
      a reasonable amount of time for every input, but experimentally it
      appears to almost always need less than 900 iterations. To account
      for that, only a bounded number of iterations is performed (1500),
      after which failure is returned. In VERIFY mode a lower iteration
      count is used to make sure that callers exercise their fallback.
    * The algorithm converges to f=g=gcd(f0,g0) rather than g=0. To keep
      this test simple, the end condition is f=1, which won't be reached
      if started with non-coprime or g=0 inputs. Because of that we only
      support coprime non-zero inputs.
    sipa committed Feb 28, 2023
    1de2a01
  2. Add secp256k1_fe_is_square_var function

    The implementation calls the secp256k1_modinvNN_jacobi_var code, falling back
    to computing a square root in the (extremely rare) case it failed to converge.
    sipa committed Feb 28, 2023
    6be0103
  3. ce3cfc7

Commits on Mar 1, 2023

  1. Merge bitcoin-core/secp256k1#979: Native jacobi symbol algorithm

    ce3cfc7 doc: Describe Jacobi calculation in safegcd_implementation.md (Elliott Jin)
    6be0103 Add secp256k1_fe_is_square_var function (Pieter Wuille)
    1de2a01 Native jacobi symbol algorithm (Pieter Wuille)
    04c6c1b Make secp256k1_modinv64_det_check_pow2 support abs val (Pieter Wuille)
    5fffb2c Make secp256k1_i128_check_pow2 support -(2^n) (Pieter Wuille)
    
    Pull request description:
    
      This introduces variants of the vartime divsteps-based GCD algorithm used for modular inverses to compute Jacobi symbols. Changes compared to the normal vartime divsteps:
      * Only positive matrices are used, guaranteeing that f and g remain positive.
      * An additional jac variable is updated to track sign changes during matrix computation.
      * There is (so far) no proof that this algorithm terminates within a reasonable amount of time for every input, but experimentally it appears to almost always need less than 900 iterations. To account for that, only a bounded number of iterations is performed (1500), after which failure is returned. The field logic then falls back to using square roots to determine the result.
      * The algorithm converges to f=g=gcd(f0,g0) rather than g=0. To keep this test simple, the end condition is f=1, which won't be reached if started with g=0. That case is dealt with specially.
    
      This code is currently unused, except for tests. I don't aim for it to be merged until there is a need for it, but this demonstrates its feasibility.
    
      In terms of performance:
      ```
      field_inverse: min 1.76us / avg 1.76us / max 1.78us
      field_inverse_var: min 0.991us / avg 0.993us / max 0.996us
      field_jacobi_var: min 1.31us / avg 1.31us / max 1.31us
      field_sqrt: min 4.36us / avg 4.37us / max 4.40us
      ```
    
      while with the older (f24e122) libgmp based Jacobi code on the same system:
      ```
      num_jacobi: min 1.53us / avg 1.54us / max 1.55us
      ```
    
    ACKs for top commit:
      jonasnick:
        ACK ce3cfc7
      real-or-random:
        reACK ce3cfc7 diff and writeup is good and I tested every commit
    
    Tree-SHA512: 8a6204a7a108d8802d942a54faca39917f90ea5923130683bbd870f9025f4ec8ef256ffa1d939a793f0b32d4cdfcdcd1d3f8ae5ed74a0193be7ad98362ce027e
    real-or-random committed Mar 1, 2023
    09b1d46

Commits on Mar 2, 2023

  1. prevent optimization in algorithms

    Signed-off-by: Harshil Jani <harshiljani2002@gmail.com>
    
    Add secure_erase function to clear secrets
    
    Signed-off-by: Harshil Jani <harshiljani2002@gmail.com>
    
    Update the function with good practices
    
    Signed-off-by: Harshil Jani <harshiljani2002@gmail.com>
    
    Renaming random.h to examples_util.h
    
    Signed-off-by: Harshil Jani <harshiljani2002@gmail.com>
    Harshil-Jani committed Mar 2, 2023
    5660c13
  2. b081f7e
  3. Merge bitcoin-core/secp256k1#1212: Prevent dead-store elimination whe…

    …n clearing secrets in examples
    
    5660c13 prevent optimization in algorithms (Harshil Jani)
    
    Pull request description:
    
      Signed-off-by: Harshil Jani <harshiljani2002@gmail.com>
    
    ACKs for top commit:
      sipa:
        utACK 5660c13
      real-or-random:
        utACK 5660c13
    
    Tree-SHA512: 90024b7445c04e18a88af4099fc1ac6d1b9b2309b88dd22ae2b1f50aed7bac28b2c180cc28e1a95d5e9ec94b4c4adc44b9ada1477e6abe8efae7884c2382645c
    real-or-random committed Mar 2, 2023
    5757318

Commits on Mar 6, 2023

  1. Update overflow check

    One does not simply check for integer overflow.
    roconnor-blockstream committed Mar 6, 2023
    2ef1c9b

Commits on Mar 7, 2023

  1. Merge bitcoin-core/secp256k1#1218: Update overflow check

    2ef1c9b Update overflow check (Russell O'Connor)
    
    Pull request description:
    
      One does not simply check for integer overflow.
    
    ACKs for top commit:
      sipa:
        ACK 2ef1c9b
      real-or-random:
        ACK 2ef1c9b
    
    Tree-SHA512: 61238b7b59b3840aa04c4c3ff768789eba95d8d9cbd16507b86bae585fe8d077ac1ac234f9d8aea7fa342c7278a30d2d888df3a93d7ab24730e73b682b11a7fe
    real-or-random committed Mar 7, 2023
    8962fc9
  2. Update Changelog

    Fixes #1220.
    real-or-random committed Mar 7, 2023
    d232112
  3. Merge bitcoin-core/secp256k1#1217: Add secp256k1_fe_add_int function

    b081f7e Add secp256k1_fe_add_int function (Pieter Wuille)
    
    Pull request description:
    
    ACKs for top commit:
      jonasnick:
        ACK b081f7e
      real-or-random:
        utACK b081f7e
    
    Tree-SHA512: daf9956c81a328505faee7fb59d29ec0c5a326bce7c48159a8e0ed7590505b430785d750d0c34f152b9119ad130030063be999da0c2035747a27fe501e77560a
    jonasnick committed Mar 7, 2023
    9d1b458
  4. Remove redundant checks.

    These abs checks are implied by the subsequent line, and with the subsequent line written as it is, no underflow is possible with signed integers.
    roconnor-blockstream committed Mar 7, 2023
    5d8f53e

Commits on Mar 8, 2023

  1. Merge bitcoin-core/secp256k1#1221: Update Changelog

    d232112 Update Changelog (Tim Ruffing)
    
    Pull request description:
    
      Fixes #1220.
    
    ACKs for top commit:
      sipa:
        ACK d232112
      jonasnick:
        ACK d232112
    
    Tree-SHA512: 86c0b9ec54480b87772bb3458ba3016676f747ea76148326b1c9c7fa3f0d8f3cee26bb68c1f2cb736f69a00811691b4d8c02e27c2de799552c547e824fbbb7ec
    real-or-random committed Mar 8, 2023
    eb8749f
  2. Merge bitcoin-core/secp256k1#1222: Remove redundant checks.

    5d8f53e Remove redundant checks. (Russell O'Connor)
    
    Pull request description:
    
      These abs checks are implied by the subsequent line, and with the subsequent line written as it is, no underflow is possible with signed integers.
    
      Follows up on bitcoin-core/secp256k1#1218.
    
    ACKs for top commit:
      sipa:
        utACK 5d8f53e
      real-or-random:
        ACK 5d8f53e
    
    Tree-SHA512: ddd6758638fe634866fdaf900224372e2e51cb81ef4d024f169fbc39fff38ef1b29e90e0732877e8910158b82bc428ee9c3a4031882c2850b22ad87cc63ee305
    real-or-random committed Mar 8, 2023
    6048e6c
  3. build: Add CMake-based build system

    Co-authored-by: Tim Ruffing <crypto@timruffing.de>
    hebasto and real-or-random committed Mar 8, 2023
    5468d70
  4. cmake: Export config files

    hebasto committed Mar 8, 2023
    10602b0
  5. e1eb337
  6. Merge bitcoin-core/secp256k1#1113: build: Add CMake-based build system

    e1eb337 ci: Add "x86_64: Windows (VS 2022)" task (Hennadii Stepanov)
    10602b0 cmake: Export config files (Hennadii Stepanov)
    5468d70 build: Add CMake-based build system (Hennadii Stepanov)
    
    Pull request description:
    
      This PR adds a [CMake](https://cmake.org/)-based build system.
    
      Added build instructions and examples to the [`README.md`](https://github.com/hebasto/secp256k1/blob/220628-cmake/README.md#building-with-cmake-experimental) file.
    
      Ways to integrate with downstream CMake-based projects:
      - if `secp256k1` is a subtree (including Bitcoin Core project) -- `add_subdirectory(secp256k1)`
      - if `secp256k1` has been installed -- `find_package(secp256k1 0.2.1 CONFIG)`, see https://github.com/hebasto/secp256k1-CMake-example
    
      Added a few toolchain files for easy cross compiling.
    
      Discussions on IRC:
      - https://gnusha.org/secp256k1/2022-06-23.log
      - https://gnusha.org/secp256k1/2022-06-24.log
      - https://gnusha.org/secp256k1/2022-06-27.log
      - https://gnusha.org/secp256k1/2023-01-30.log
    
      ---
    
      Related PRs:
      - #315
      - #549
      - #761
    
      ---
    
      **Implementation notes**
    
      Minimum required CMake version is 3.1. This was required to provide [`C_STANDARD`](https://cmake.org/cmake/help/latest/prop_tgt/C_STANDARD.html) property.
    
      In turn, this choice of CMake version implies it is not possible to build with default CMake on Debian 8, which has CMake v3.0.2 only.
    
      Also see:
      - [CMake Versions on Linux Distros](https://gitlab.kitware.com/cmake/community/-/wikis/CMake-Versions-on-Linux-Distros)
      - https://repology.org/project/cmake/versions
    
      ---
    
      # Autotools -- CMake Feature Parity Tables
    
      ## 1. Configuration options
    
      Autotool-based build system features being listed according to the `./configure --help` output.
    
      | Autotools | CMake |
      |---|---|
      | `--prefix` | `-DCMAKE_INSTALL_PREFIX` |
      | `--enable-shared` | `-DSECP256K1_BUILD_SHARED` |
      | `--enable-static` | `-DSECP256K1_BUILD_STATIC` |
      | `--enable-dev-mode` _hidden_ | N/A, see bitcoin-core/secp256k1#1113 (comment) |
      | `--enable-benchmark` | `-DSECP256K1_BUILD_BENCHMARK` |
      | `--enable-coverage` | `-DCMAKE_BUILD_TYPE=Coverage` |
      | `--enable-tests` | `-DSECP256K1_BUILD_TESTS` |
      | `--enable-ctime-tests` | `-DSECP256K1_BUILD_CTIME_TESTS` |
      | `--enable-experimental` | `-DSECP256K1_EXPERIMENTAL` |
      | `--enable-exhaustive-tests` | `-DSECP256K1_BUILD_EXHAUSTIVE_TESTS` |
      | `--enable-examples` | `-DSECP256K1_BUILD_EXAMPLES` |
      | `--enable-module-ecdh` | `-DSECP256K1_ENABLE_MODULE_ECDH` |
      | `--enable-module-recovery` | `-DSECP256K1_ENABLE_MODULE_RECOVERY` |
      | `--enable-module-extrakeys` | `-DSECP256K1_ENABLE_MODULE_EXTRAKEYS` |
      | `--enable-module-schnorrsig` | `-DSECP256K1_ENABLE_MODULE_SCHNORRSIG` |
      | `--enable-external-default-callbacks` | `-DSECP256K1_USE_EXTERNAL_DEFAULT_CALLBACKS` |
      | `--with-test-override-wide-multiply` _hidden_ | `-DSECP256K1_TEST_OVERRIDE_WIDE_MULTIPLY` |
      | `--with-asm` | `-DSECP256K1_ASM` |
      | `--with-ecmult-window` | `-DSECP256K1_ECMULT_WINDOW_SIZE` |
      | `--with-ecmult-gen-precision` | `-DSECP256K1_ECMULT_GEN_PREC_BITS` |
      | `--with-valgrind` | `-DSECP256K1_VALGRIND` |
    
      A screenshot of grouped options from `cmake-gui`:
      ![image](https://user-images.githubusercontent.com/32963518/214821305-fc3ffe82-4d05-4dd7-b2c2-7ca2d5d12e86.png)
    
      ## 2. `make` targets
    
      | Autotools | CMake |
      |---|---|
      | `make` | `make` |
      | `make check` | `make check` |
      | `make install` | `make install` * |
    
      * Installation of `lib/pkgconfig/libsecp256k1.pc` not implemented.
    
    ACKs for top commit:
      theuni:
        ACK e1eb337.
      sipa:
        ACK e1eb337
      real-or-random:
        ACK e1eb337
    
    Tree-SHA512: ebe2772eeb1a430a0a7ae767fb1a9a82d52d5e9bf2306956cd08f7b442c862be2539774dd10d5555817353d37d1c6add78b8fe5a85bb71239304fb42c98ff337
    sipa committed Mar 8, 2023
    df323b5
  7. 92098d8
  8. Merge bitcoin-core/secp256k1#1225: changelog: Add entry for CMake

    92098d8 changelog: Add entry for CMake (Tim Ruffing)
    
    Pull request description:
    
    ACKs for top commit:
      sipa:
        ACK 92098d8
      jonasnick:
        ACK 92098d8
      hebasto:
        ACK 92098d8
    
    Tree-SHA512: d81ee4f7e1cd31c85a738fb7caaa96fe02add936732b5cdfd74a77191206709fa18157e949b84c04b1932fbcba8f082106acd303924be8312b4ea2f012ecae53
    real-or-random committed Mar 8, 2023
    3295aa1
  9. Configuration menu
    Copy the full SHA
    756b61d View commit details
    Browse the repository at this point in the history
  10. Merge bitcoin-core/secp256k1#1227: readme: Use correct build type in …

    …CMake/Windows build instructions
    
    756b61d readme: Use correct build type in CMake/Windows build instructions (Tim Ruffing)
    
    Pull request description:
    
    ACKs for top commit:
      hebasto:
        ACK 756b61d, it is correct to provide the "RelWithDebInfo" configuration in multi-config setup, as the same build type is the default in single-config setups.
    
    Tree-SHA512: e98a1519fdae4a29c7e06ecd0e68083acaf0f4fc14dfcd12282b89468052bb7c6c2fc7517c8526c9f7555a822a64b2f7c3f1ecc70d17e37a11d831d213f1daef
    real-or-random committed Mar 8, 2023
    ef4f8bd
  11. 8be82d4
  12. Merge bitcoin-core/secp256k1#1229: cmake: Rename project to "libsecp2…

    …56k1"
    
    8be82d4 cmake: Rename project to "libsecp256k1" (Hennadii Stepanov)
    
    Pull request description:
    
      Was discussed today on IRC.
    
    ACKs for top commit:
      sipa:
        ACK 8be82d4
      real-or-random:
        ACK 8be82d4
    
    Tree-SHA512: 4ea0fe6722c34acc50ebfba9f3c0503c773e268f8c3df6368e20c829ea800e3cb96758eec2813ed9f56ae4aae1f3919d8ae2755d55582e8c1811a08386f1b925
    sipa committed Mar 8, 2023
    90b513a
  13. release: prepare for 0.3.0

    jonasnick committed Mar 8, 2023
    b40adf2
  14. 28e63f7
  15. Merge bitcoin-core/secp256k1#1223: release: prepare for 0.3.0

    b40adf2 release: prepare for 0.3.0 (Jonas Nick)
    
    Pull request description:
    
    ACKs for top commit:
      sipa:
        ACK b40adf2
      real-or-random:
        ACK b40adf2
      hebasto:
        ACK b40adf2
    
    Tree-SHA512: 221ba2d846804cefa139bee28b985414e293106cf63ef71ce4b34f815a62e5efd58d4ca6a03d6bcd5d843010d18f5be8d1cf43721a92e5196d732f5325499377
    jonasnick committed Mar 8, 2023
    bdf3900
  16. Merge bitcoin-core/secp256k1#1228: release cleanup: bump version afte…

    …r 0.3.0
    
    28e63f7 release cleanup: bump version after 0.3.0 (Jonas Nick)
    
    Pull request description:
    
      Based on #1223. Should be merged only after tagging the release.
    
    ACKs for top commit:
      sipa:
        ACK 28e63f7
      real-or-random:
        ACK 28e63f7
    
    Tree-SHA512: d219f836c9258af52389f62c167adb79a0f83f520ede514e286e84f0540d35234322e67d582409c332662db17114da1681419d5d400ed88ad2be66a0f6a06089
    real-or-random committed Mar 8, 2023
    5658209

Commits on Mar 10, 2023

  1. 647f0a5

Commits on Mar 11, 2023

  1. Merge bitcoin-core/secp256k1#1236: Update comment for secp256k1_modin…

    …v32_inv256
    
    647f0a5 Update comment for secp256k1_modinv32_inv256 (roconnor-blockstream)
    
    Pull request description:
    
    ACKs for top commit:
      sipa:
        ACK 647f0a5
      real-or-random:
        utACK bitcoin-core/secp256k1@647f0a5
    
    Tree-SHA512: 7c2ec02acf985bb6edfc619ce31bd63511ff634d847a25888927b48b5164353a912d470421b0b969a868fbc5b865cbea188e14357557f44be42d5702af7c5a6b
    sipa committed Mar 11, 2023
    427bc3c

Commits on Mar 12, 2023

  1. build: bump CMake minimum requirement to 3.13

    Among other things this allows us to link against object libraries.
    theuni committed Mar 12, 2023
    96dd062

Commits on Mar 14, 2023

  1. 8e79c7e
  2. 4429a8c

Commits on Mar 15, 2023

  1. Set ARM ASM symbol visibility to hidden

    Co-authored-by: Cory Fields <cory-nospam-@coryfields.com>
    hebasto and theuni committed Mar 15, 2023
    fd2a408

Commits on Mar 21, 2023

  1. Merge bitcoin-core/secp256k1#1243: build: Ensure no optimization when…

    … building for coverage analysis
    
    8e79c7e build: Ensure no optimization when building for coverage analysis (Hennadii Stepanov)
    
    Pull request description:
    
      #944 introduced a regression when building for coverage analysis. The `-O2` flag from the default Autoconf's `CFLAGS` overrides the coverage-specific `-O0` one, which makes coverage analysis results [less reliable](https://gcc.gnu.org/onlinedocs/gcc/Gcov-and-Optimization.html).
    
      This PR restores the pre-#944 behaviour.
    
      In contrast to an alternative smaller diff:
      ```diff
      --- a/configure.ac
      +++ b/configure.ac
      @@ -240,7 +240,7 @@ fi
    
       if test x"$enable_coverage" = x"yes"; then
           SECP_CONFIG_DEFINES="$SECP_CONFIG_DEFINES -DCOVERAGE=1"
      -    SECP_CFLAGS="-O0 --coverage $SECP_CFLAGS"
      +    CFLAGS="$CFLAGS -O0 --coverage "
           LDFLAGS="--coverage $LDFLAGS"
       else
           # Most likely the CFLAGS already contain -O2 because that is autoconf's default.
      ```
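
      Review bot: the `+` line appends `-O0 --coverage` after `$CFLAGS`, so an optimization level the user passed explicitly in `CFLAGS` is overridden without notice in coverage builds. If that precedence is intended, say so in a comment next to the assignment, as the `else` branch does for `-O2`; also drop the trailing space inside the closing quote of `"$CFLAGS -O0 --coverage "`.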
    
      this PR ensures that the user always has the last word.
    
      FWIW, Bitcoin Core uses a similar [approach](https://github.com/bitcoin/bitcoin/blob/460e394625fab2942748aaeec9be31f460f91c58/configure.ac#L879-L884).
    
    ACKs for top commit:
      jonasnick:
        tested ACK 8e79c7e
      real-or-random:
        utACK 8e79c7e
    
    Tree-SHA512: f04b55921d397bd7c003ec0283101d3908f3fb507789c855e1b6d5abd150e7d6281d5eeb8fefbb7d6a55b3c6f29a19324f570eee009794f8fa9bca956229e7ce
    real-or-random committed Mar 21, 2023
    0cf2fb9
  2. Merge bitcoin-core/secp256k1#1238: build: bump CMake minimum requirem…

    …ent to 3.13
    
    96dd062 build: bump CMake minimum requirement to 3.13 (Cory Fields)
    
    Pull request description:
    
      As requested here: bitcoin-core/secp256k1#1230 (comment). Ping @hebasto
    
      Among other things this allows us to link against object libraries.
    
      3.13 has been mentioned several times as a good overlap between newish features and widespread Linux availability.
    
    ACKs for top commit:
      hebasto:
        ACK 96dd062
      real-or-random:
        utACK 96dd062
    
    Tree-SHA512: 6c744809aa393b48ef10b3d46c6630370c388a8d375116bfad65c6c907e69c36ed71c1579b9d5c3aa976f70b1cd70e837c1a0226910a43539435125115b32568
    real-or-random committed Mar 21, 2023
    9c8c4f4
  3. 5bb03c2

Commits on Mar 23, 2023

  1. Typo

    roconnor-blockstream committed Mar 23, 2023
    d1e7ca1
  2. 4ebd828
  3. Merge bitcoin-core/secp256k1#1246: Typo

    d1e7ca1 Typo (roconnor-blockstream)
    
    Pull request description:
    
    ACKs for top commit:
      jonasnick:
        ACK d1e7ca1
    
    Tree-SHA512: 0d53ad29cf86921a59aae3953c7d786b7ee0567c9cf92d037853e8c4f7536e45c6b50467eb95d3763f27ae3fd1a8b2b9cf88689f320cb13cebf52f70bb4affef
    jonasnick committed Mar 23, 2023
    70be3ca

Commits on Mar 24, 2023

  1. Merge bitcoin-core/secp256k1#1247: Apply Checks only in VERIFY mode.

    4ebd828 Apply Checks only in VERIFY mode. (roconnor-blockstream)
    
    Pull request description:
    
      This is already done in `field_5x52_impl.h`.
    
    ACKs for top commit:
      sipa:
        ACK 4ebd828
      jonasnick:
        ACK 4ebd828
    
    Tree-SHA512: c24211e5219907e41e2c5792255734bd50ca5866a4863abbb3ec174ed92d1792dd10563a94c08e8fecd6cdf776a9c49ca87e8f9806a023d9081ecc0d55ae3e66
    sipa committed Mar 24, 2023
    f16a709

Commits on Mar 26, 2023

  1. Merge bitcoin-core/secp256k1#1242: Set ARM ASM symbol visibility to `…

    …hidden`
    
    fd2a408 Set ARM ASM symbol visibility to `hidden` (Hennadii Stepanov)
    
    Pull request description:
    
      Solves one item in #1181.
    
      To test on arm-32bit hardware, run:
      ```
      $ ./autogen.sh && ./configure --enable-experimental --with-asm=arm && make
      ```
    
      On master branch (427bc3c):
      ```
      $ nm -D .libs/libsecp256k1.so | grep secp256k1_fe
      0000e2bc T secp256k1_fe_mul_inner
      0000e8dc T secp256k1_fe_sqr_inner
      ```
    
      With this PR:
      ```
      $ nm -D .libs/libsecp256k1.so | grep secp256k1_fe | wc -l
      0
      ```
    
      For reference, see https://sourceware.org/binutils/docs/as/Hidden.html.
    
    ACKs for top commit:
      theuni:
        ACK fd2a408.
      sipa:
        ACK fd2a408
    
    Tree-SHA512: abf8ad332631672c036844f69c5599917c49e12c4402bf9066f93a692d3007b1914bd3eea8f83f0141c1b09d5c88ebc5e6c8bfbb5444b7b3471749f7b901ca59
    real-or-random committed Mar 26, 2023
    464a911
  2. Add CMake instructions to release process

    ... and make wording a bit more consistent.
    
    Co-authored-by: Hennadii Stepanov <32963518+hebasto@users.noreply.github.com>
    real-or-random and hebasto committed Mar 26, 2023
    0c07c82
  3. build: Improve SECP_TRY_APPEND_DEFAULT_CFLAGS macro

    Co-authored-by: Tim Ruffing <crypto@timruffing.de>
    hebasto and real-or-random committed Mar 26, 2023
    3addb4c

Commits on Mar 27, 2023

  1. 3e43041

Commits on Mar 28, 2023

  1. Merge bitcoin-core/secp256k1#1250: No need to subtract 1 before doing…

    … a right shift
    
    3e43041 No need to subtract 1 before doing a right shift (roconnor-blockstream)
    
    Pull request description:
    
    ACKs for top commit:
      real-or-random:
        utACK 3e43041
      jonasnick:
        ACK 3e43041
    
    Tree-SHA512: bcecda11eae3fb845bef7af88c6171bedcd933872d08a9849c0a250cb6c9e982a88bd45e8a8364a4a348f8be413fc91ee04cf8fa78adae44e584e3ad7ec544cf
    jonasnick committed Mar 28, 2023
    1d8f367
  2. Merge bitcoin-core/secp256k1#1244: Suppress -Wunused-parameter when…

    … building for coverage analysis
    
    5bb03c2 Replace `SECP256K1_ECMULT_TABLE_VERIFY` macro by a function (Hennadii Stepanov)
    4429a8c Suppress `-Wunused-parameter` when building for coverage analysis (Hennadii Stepanov)
    
    Pull request description:
    
    ACKs for top commit:
      real-or-random:
        utACK 5bb03c2
      jonasnick:
        ACK 5bb03c2
    
    Tree-SHA512: 19a395434ecefea201a03fc45b3f0b88f1520908926ac1207bbc6570034b1141b49c3c98e66819dcd9069dfdd28c7c6fbe957f13fb6bd178fd57ce65bfbb8fbd
    jonasnick committed Mar 28, 2023
    afd8b23
  3. Merge bitcoin-core/secp256k1#1241: build: Improve `SECP_TRY_APPEND_DE…

    …FAULT_CFLAGS` macro
    
    3addb4c build: Improve `SECP_TRY_APPEND_DEFAULT_CFLAGS` macro (Hennadii Stepanov)
    
    Pull request description:
    
    ACKs for top commit:
      real-or-random:
        utACK 3addb4c
      jonasnick:
        ACK 3addb4c
    
    Tree-SHA512: 918d906570d82be9354fba72bb55d50b8f661cf7cd4404dc244deb489c2bca95b3942ae8af830873ba825dc8ddc68b99c973fc984ff13fdd1f6668f412ca56a3
    jonasnick committed Mar 28, 2023
    2bca0a5
  4. 3d1f430

Commits on Apr 1, 2023

  1. ct: Use volatile "trick" in all fe/scalar cmov implementations

    Apparently clang 15 is able to compile our cmov code into a branch,
    at least for fe_cmov and fe_storage_cmov. This commit makes the
    condition volatile in all cmov implementations (except ge but that
    one only calls into the fe impls).
    
    This is just a quick fix. We should still look into other methods,
    e.g., asm and #457. We should also consider not caring about
    constant-time in scalar_low_impl.h
    
    We should also consider testing on very new compilers in nightly CI,
    see bitcoin-core/secp256k1#864 (comment)
    real-or-random committed Apr 1, 2023
    4a496a3

Commits on Apr 6, 2023

  1. Merge bitcoin-core/secp256k1#1257: ct: Use volatile "trick" in all fe…

    …/scalar cmov implementations
    
    4a496a3 ct: Use volatile "trick" in all fe/scalar cmov implementations (Tim Ruffing)
    
    Pull request description:
    
      Apparently clang 15 is able to compile our cmov code into a branch, at least for fe_cmov and fe_storage_cmov. This commit makes the condition volatile in all cmov implementations (except ge but that one only calls into the fe impls).
    
      This is just a quick fix. We should still look into other methods, e.g., asm and #457. We should also consider not caring about constant-time in scalar_low_impl.h
    
      We should also consider testing on very new compilers in nightly CI, see bitcoin-core/secp256k1#864 (comment)
    
    ACKs for top commit:
      jonasnick:
        ACK 4a496a3
    
    Tree-SHA512: a6010f9d752e45f01f88b804a9b27e77caf5ddf133ddcbc4235b94698bda41c9276bf588c93710e538250d1a96844bcec198ec5459e675f166ceaaa42da921d5
    real-or-random committed Apr 6, 2023
    2d51a45
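
The cmov pattern described in the commit message above, shown before and after the change as an added example (not the library's own code). The type `fe_t`, the function names and the five-limb layout are hypothetical and chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical field-element type for this example: five 52-bit limbs. */
typedef struct { uint64_t n[5]; } fe_t;

/* Before: the masks are computed straight from `flag`. The C source has no
 * branch, but the optimizer can see that flag only selects between r and a
 * and is free to emit a conditional jump on the secret bit. */
static void fe_cmov_plain(fe_t *r, const fe_t *a, int flag) {
    uint64_t mask0 = (uint64_t)flag + ~(uint64_t)0; /* flag=0: all ones, flag=1: zero */
    uint64_t mask1 = ~mask0;
    int i;
    for (i = 0; i < 5; i++) r->n[i] = (r->n[i] & mask0) | (a->n[i] & mask1);
}

/* After: flag is first copied into a volatile object and the masks are
 * derived from a read of that object. The compiler must perform the read and
 * may not assume anything about the value it yields, which in practice keeps
 * the mask arithmetic intact. This is a mitigation, not a guarantee made by
 * the C standard. */
static void fe_cmov_volatile(fe_t *r, const fe_t *a, int flag) {
    volatile int vflag = flag;
    uint64_t mask0 = (uint64_t)vflag + ~(uint64_t)0;
    uint64_t mask1 = ~mask0;
    int i;
    for (i = 0; i < 5; i++) r->n[i] = (r->n[i] & mask0) | (a->n[i] & mask1);
}

/* Functional check on constructed values: both variants must keep r for
 * flag = 0 and copy a for flag = 1. Returns 1 on success. Constant-time
 * behaviour cannot be checked this way; that needs the generated assembly. */
static int cmov_selfcheck(void) {
    const fe_t a = {{0x1111, 0x2222, 0x3333, 0x4444, 0x5555}};
    const fe_t b = {{0xaaaa, 0xbbbb, 0xcccc, 0xdddd, 0xeeee}};
    int flag, i, ok = 1;
    for (flag = 0; flag <= 1; flag++) {
        fe_t r1 = b, r2 = b;
        const fe_t *want = flag ? &a : &b;
        fe_cmov_plain(&r1, &a, flag);
        fe_cmov_volatile(&r2, &a, flag);
        for (i = 0; i < 5; i++)
            ok &= (r1.n[i] == want->n[i]) & (r2.n[i] == want->n[i]);
    }
    return ok;
}

int main(void) {
    printf("cmov variants agree: %d\n", cmov_selfcheck());
    return 0;
}
```

Both functions return identical results; the difference only shows in the machine code, so the check that matters is to build with the target compiler at the release optimization level and look for conditional jumps in the disassembly of each function.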

Commits on Apr 7, 2023

  1. Merge bitcoin-core/secp256k1#1226: Add CMake instructions to release …

    …process
    
    0c07c82 Add CMake instructions to release process (Tim Ruffing)
    
    Pull request description:
    
    ACKs for top commit:
      hebasto:
        ACK 0c07c82
      jonasnick:
        ACK 0c07c82
    
    Tree-SHA512: a2c38f71cc96766f833f6ed79af1b560501f2d9516843b789de06c9cbffd7a1d9e8709a2f4d08bea8c1c3616301e51942cfa9f11e25e903ee4146c7733a8cb8c
    jonasnick committed Apr 7, 2023
    4e68262

Commits on Apr 8, 2023

  1. Merge bitcoin-core/secp256k1#1252: Make position of * in pointer decl…

    …arations in include/ consistent
    
    3d1f430 Make position of * in pointer declarations in include/ consistent (Jonas Nick)
    
    Pull request description:
    
    ACKs for top commit:
      sipa:
        utACK 3d1f430. I have not verified these are the only instances where changes would need to be made.
      apoelstra:
        utACK 3d1f430 from me too. I also value consistency more than either specific choice.
      real-or-random:
        utACK bitcoin-core/secp256k1@3d1f430
    
    Tree-SHA512: 6361880f4a47e58c83623f094dd121882752fa805e275033cd638d1e8d3477ade9037e5d9e34a57ae46013848648bd7ab764cad326133f2d3435c9a70a0c841b
    real-or-random committed Apr 8, 2023
    a0f4644
  2. 4485926
  3. 0f86420

Commits on Apr 9, 2023

  1. tests: Add Wycheproof ECDSA vectors

    Adds a test using the Wycheproof vectors as outlined in #1106. The
    vectors are taken from the Wycheproof repo. We use a python script
    to convert the JSON-formatted vectors into C code.
    
    Co-authored-by: Sean Andersen <6730974+andozw@users.noreply.github.com>
    RandomLattice and andozw committed Apr 9, 2023
    e5de454

Commits on Apr 10, 2023

  1. Merge bitcoin-core/secp256k1#1118: Add x-only ecmult_const version wi…

    …th x specified as n/d
    
    0f86420 Add exhaustive tests for ecmult_const_xonly (Pieter Wuille)
    4485926 Add x-only ecmult_const version for x=n/d (Pieter Wuille)
    
    Pull request description:
    
      This implements a generalization of Peter Dettman's sqrt-less x-only random-base multiplication algorithm from BlockstreamResearch#262, using the Jacobi symbol algorithm from #979. The generalization is to permit the X coordinate of the base point to be specified as a fraction $n/d$:
    
      To compute $x(q \cdot P)$, where $x(P) = n/d$:
      * Compute $g=n^3 + 7d^3$.
      * Let $P' = (ng, g^2, 1)$ (the Jacobian coordinates of $P$ mapped to the isomorphic curve $y^2 = x^3 + 7(dg)^3$).
      * Compute the Jacobian coordinates $(X',Y',Z') = q \cdot P'$ on the isomorphic curve.
      * Return $X'/(dgZ'^2)$, which is the affine x coordinate on the isomorphic curve $X/Z'^2$ mapped back to secp256k1.
    
      This ability to specify the X coordinate as a fraction is useful in the context of x-only [Elligator Swift](https://eprint.iacr.org/2022/759), which can decode to X coordinates on the curve without inversions this way.
    
    ACKs for top commit:
      jonasnick:
        ACK 0f86420
      real-or-random:
        ACK 0f86420
    
    Tree-SHA512: eeedb3045bfabcb4bcaf3a1738067c83a5ea9a79b150b8fd1c00dc3f68505d34c19654885a90e2292ae40ddf40a58dfb27197d98eebcf5d6d9e25897e07ae595
    real-or-random committed Apr 10, 2023
    145078c
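
The four steps from the #1118 description above, written out and cross-checked against ordinary point multiplication, as an added example (not code from the library or from this PR). It assumes a constructed toy prime field with p = 10007 instead of the secp256k1 field, uses affine arithmetic so that Z' = 1, and replaces the Jacobi symbol algorithm with Euler's criterion; all function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed toy parameters: y^2 = x^3 + 7 over F_p with the small prime
 * p = 10007 (p % 4 == 3), so field elements fit in uint64_t. This is NOT the
 * secp256k1 field; only the curve equation is shared. */
#define FIELD_P 10007ULL
#define CURVE_B 7ULL

typedef struct { uint64_t x, y; int inf; } pt;  /* affine point or infinity */

static uint64_t fmul(uint64_t a, uint64_t b) { return (a % FIELD_P) * (b % FIELD_P) % FIELD_P; }
static uint64_t fsub(uint64_t a, uint64_t b) { return (a % FIELD_P + FIELD_P - b % FIELD_P) % FIELD_P; }
static uint64_t fpow(uint64_t a, uint64_t e) {
    uint64_t r = 1;
    for (; e; e >>= 1, a = fmul(a, a)) if (e & 1) r = fmul(r, a);
    return r;
}
static uint64_t finv(uint64_t a) { return fpow(a, FIELD_P - 2); }
/* Euler's criterion, standing in for the Jacobi symbol computation. */
static int is_nonzero_square(uint64_t a) { return fpow(a, (FIELD_P - 1) / 2) == 1; }

/* Group law for curves y^2 = x^3 + b. The constant b never appears, so the
 * same code serves the original curve and the isomorphic one. */
static pt pt_add(pt a, pt b) {
    pt r = {0, 0, 1};
    uint64_t l;
    if (a.inf) return b;
    if (b.inf) return a;
    if (a.x == b.x) {
        if ((a.y + b.y) % FIELD_P == 0) return r;   /* a = -b, includes y = 0 */
        l = fmul(fmul(3, fmul(a.x, a.x)), finv(fmul(2, a.y)));
    } else {
        l = fmul(fsub(b.y, a.y), finv(fsub(b.x, a.x)));
    }
    r.x = fsub(fsub(fmul(l, l), a.x), b.x);
    r.y = fsub(fmul(l, fsub(a.x, r.x)), a.y);
    r.inf = 0;
    return r;
}

static pt pt_mul(uint64_t q, pt p) {
    pt r = {0, 0, 1};
    for (; q; q >>= 1, p = pt_add(p, p)) if (q & 1) r = pt_add(r, p);
    return r;
}

/* Writes x(q*P) to *out for x(P) = n/d without ever computing y(P).
 * Returns 0 if n/d is not the x coordinate of a curve point (or d = 0),
 * or if q*P is the point at infinity. */
static int xonly_mul(uint64_t n, uint64_t d, uint64_t q, uint64_t *out) {
    uint64_t g = (fpow(n, 3) + fmul(CURVE_B, fpow(d, 3))) % FIELD_P; /* g = n^3 + 7d^3 */
    uint64_t dg = fmul(d, g);
    pt p1, r;
    /* (n/d)^3 + 7 = g/d^3 is a nonzero square exactly when d*g is one. */
    if (!is_nonzero_square(dg)) return 0;
    p1.x = fmul(n, g); p1.y = fmul(g, g); p1.inf = 0; /* P' on y^2 = x^3 + 7(dg)^3 */
    r = pt_mul(q, p1);
    if (r.inf) return 0;
    *out = fmul(r.x, finv(dg));                       /* X'/(d g Z'^2) with Z' = 1 */
    return 1;
}

/* Compares xonly_mul with ordinary multiplication of a point whose y was
 * obtained by a square root, over several x, denominators d and scalars q.
 * Returns the number of mismatches; *cases counts the finite results compared. */
static unsigned check_against_reference(unsigned *cases) {
    unsigned bad = 0;
    uint64_t x, d, q;
    *cases = 0;
    for (x = 1; x <= 200; x++) {
        uint64_t rhs = (fpow(x, 3) + CURVE_B) % FIELD_P;
        pt p = {0, 0, 1};
        if (is_nonzero_square(rhs)) { p.x = x; p.y = fpow(rhs, (FIELD_P + 1) / 4); p.inf = 0; }
        for (d = 1; d <= 5; d++) {
            for (q = 1; q <= 40; q++) {
                uint64_t got = 0;
                pt ref = pt_mul(q, p);   /* stays at infinity when x is off-curve */
                int ok = xonly_mul(fmul(x, d), d, q, &got);
                if (ok != !ref.inf || (ok && got != ref.x)) bad++;
                if (ok) (*cases)++;
            }
        }
    }
    return bad;
}

int main(void) {
    unsigned cases = 0;
    unsigned bad = check_against_reference(&cases);
    printf("%u finite results compared, %u mismatches\n", cases, bad);
    return bad != 0;
}
```

Because the scalar multiplication here is affine, it inverts at every step; with Jacobian coordinates, as in the description, the division by $dgZ'^2$ is the only inversion.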
  2. Merge bitcoin-core/secp256k1#1245: tests: Add Wycheproof ECDSA vectors

    e5de454 tests: Add Wycheproof ECDSA vectors (RandomLattice)
    
    Pull request description:
    
      This PR adds a test using the Wycheproof vectors as outlined in #1106. We add all 463 ECDSA test vectors. These vectors cover:
      - edge cases in arithmetic operations
      - signatures with special values for (r,s) that should be rejected
      - special cases of public keys
    
      The vectors are pulled from the Wycheproof project using a python script to emit C code.
    
      All the new ECDSA Wycheproof vectors pass.
    
    ACKs for top commit:
      sipa:
        ACK e5de454
      real-or-random:
        ACK e5de454
    
    Tree-SHA512: e9684f14ff3f5225a4a4949b490e07527d559c28aa61ed03c03bc52ea64785f0b80b9e1b1628665eacf24006526271ea0fb108629c9c3c1d758e52d214a056f1
    sipa committed Apr 10, 2023
    7b7503d
  3. changelog: Catch up in preparation of 0.3.1

    Co-authored-by: Pieter Wuille <pieter@wuille.net>
    real-or-random and sipa committed Apr 10, 2023
    0e09166
  4. 1d9a13f
  5. 898e1c6
  6. Merge bitcoin-core/secp256k1#1266: release: Prepare for 0.3.1

    898e1c6 release: Prepare for 0.3.1 (Tim Ruffing)
    1d9a13f changelog: Remove inconsistent newlines (Tim Ruffing)
    0e09166 changelog: Catch up in preparation of 0.3.1 (Tim Ruffing)
    
    Pull request description:
    
    ACKs for top commit:
      sipa:
        ACK 898e1c6
      jonasnick:
        ACK 898e1c6
    
    Tree-SHA512: 941b1524f8b34ca803a2ede55a7baf54d2faa69a4c5e47254297e96cc4ac2121094ed90e7cd64a708f3e9af830b0de0ef3c755dfee1b01ce958cc998fc1a1311
    jonasnick committed Apr 10, 2023
    ec98fce
  7. changelog: Fix link

    real-or-random committed Apr 10, 2023
    6a37b2a
  8. Merge bitcoin-core/secp256k1#1269: changelog: Fix link

    6a37b2a changelog: Fix link (Tim Ruffing)
    
    Pull request description:
    
    Top commit has no ACKs.
    
    Tree-SHA512: 70d50c8fe958a197eb527e51c6f8120609e3166d93bfc1bbec75a3cb565c406d5ba0e6d088a724dcfda422b6594abf53f507211946a0533515df371d5d2a91bf
    jonasnick committed Apr 10, 2023
    346a053

Commits on Jul 17, 2023

  1. Merge commits '8b013fce 485f608 44c2452 cd47033 accadc9 43756da ' int…

    …o temp-merge-1115
    jonasnick committed Jul 17, 2023
    9a98106
  2. 64717a7
  3. e996d07

Commits on Jul 18, 2023

  1. Merge commits '2286f809 751c435 477f02c e3f8477 5c789dc 8c949f5 21ffe4b

    … ' into temp-merge-1055
    jonasnick committed Jul 18, 2023
    6c54db1

Commits on Jul 20, 2023

  1. 304fc88
  2. Merge pull request BlockstreamResearch#246 from jonasnick/temp-merge-…

    …1187
    
    Upstream PRs 1174, 1154, 1178, 1177, 1171, 1158, 1183, 1185, 1186, 1188, 1187
    jonasnick committed Jul 20, 2023
    7aa9887
  3. 0d540ec

Commits on Jul 21, 2023

  1. Merge BlockstreamResearch#251: Update sync-upstream with master

    7e91936 ci: Always define EXPERIMENTAL variable (Tim Ruffing)
    0a99156 sync-upstream.sh: Add "git show --remerge-diff" tip (Tim Ruffing)
    9b6a1c3 sync-upstream.sh: Fix position of "-b" option in reproduce command (Tim Ruffing)
    05b207e sync-upstream: allows providing the local branch via cli (Jonas Nick)
    
    Pull request description:
    
    ACKs for top commit:
      real-or-random:
        utACK 7e91936
    
    Tree-SHA512: 4527cb6a2493d210eb7ba6d8f6e717b2acbc07aebdc1c4011cffe23490876a4e795d656a69df2cd50e4e3fe8742c123d9ea493914c148c8fbc93d7d3799e7447
    jonasnick committed Jul 21, 2023
    897c765
  2. Merge BlockstreamResearch#249: Upstream PRs 1160, 1193, 1169, 1190, 1…

    …192, 1194, 1196, 1195, 1170, 1172, 1200, 1199, 1203, 1201, 1206, 1078, 1209, 979, 1212, 1218, 1217, 1221, 1222
    
    5d8f53e Remove redudent checks. (Russell O'Connor)
    d232112 Update Changelog (Tim Ruffing)
    b081f7e Add secp256k1_fe_add_int function (Pieter Wuille)
    2ef1c9b Update overflow check (Russell O'Connor)
    5660c13 prevent optimization in algorithms (Harshil Jani)
    ce3cfc7 doc: Describe Jacobi calculation in safegcd_implementation.md (Elliott Jin)
    6be0103 Add secp256k1_fe_is_square_var function (Pieter Wuille)
    1de2a01 Native jacobi symbol algorithm (Pieter Wuille)
    04c6c1b Make secp256k1_modinv64_det_check_pow2 support abs val (Pieter Wuille)
    5fffb2c Make secp256k1_i128_check_pow2 support -(2^n) (Pieter Wuille)
    e433034 ci: Shutdown wineserver whenever CI script exits (Tim Ruffing)
    9a5a611 build: Suppress stupid MSVC linker warning (Tim Ruffing)
    739c53b examples: Extend sig examples by call that uses static context (Tim Ruffing)
    914276e build: Add SECP256K1_API_VAR to fix importing variables from DLLs (Tim Ruffing)
    e089eec group: Further simply gej_add_ge (Tim Ruffing)
    ac71020 group: Save a normalize_to_zero in gej_add_ge (Tim Ruffing)
    8c7e0fc build: Add -Wreserved-identifier supported by clang (Tim Ruffing)
    9b60e31 ci: Do not set git's `user.{email,name}` config options (Hennadii Stepanov)
    ef39721 Do not link `bench` and `ctime_tests` to `COMMON_LIB` (Hennadii Stepanov)
    c241586 ci: Don't fetch git history (Tim Ruffing)
    0ecf318 ci: Use remote pull/merge ref instead of local git merge (Tim Ruffing)
    9b7d186 Drop no longer used Autoheader macros (Hennadii Stepanov)
    eb6beba scalar: restrict split_lambda args, improve doc and VERIFY_CHECKs (Jonas Nick)
    7f49aa7 ci: add test job with -DVERIFY (Jonas Nick)
    620ba3d benchmarks: fix bench_scalar_split (Jonas Nick)
    e39d954 tests: Add CHECK_ILLEGAL(_VOID) macros and use in static ctx tests (Tim Ruffing)
    61841fc contexts: Forbid randomizing secp256k1_context_static (Tim Ruffing)
    4b6df5e contexts: Forbid cloning/destroying secp256k1_context_static (Tim Ruffing)
    8f51229 ctime_tests: improve output when CHECKMEM_RUNNING is not defined (Jonas Nick)
    2cd4e3c Drop no longer used `SECP_{LIBS,INCLUDE}` variables (Hennadii Stepanov)
    613626f Drop no longer used `SECP_TEST_{LIBS,INCLUDE}` variables (Hennadii Stepanov)
    d6ff738 Ensure safety of ctz_debruijn implementation. (Russell O'Connor)
    ce60785 Introduce SECP256K1_B macro for curve b coefficient (Pieter Wuille)
    4934aa7 Switch to exhaustive groups with small B coefficient (Pieter Wuille)
    e03ef86 Make all non-API functions (except main) static (Pieter Wuille)
    0f088ec Rename CTIMETEST -> CTIMETESTS (Pieter Wuille)
    74b026f Add runtime checking for DECLASSIFY flag (Pieter Wuille)
    5e2e6fc Run ctime test in Linux MSan CI job (Pieter Wuille)
    1897406 Make ctime tests building configurable (Pieter Wuille)
    5048be1 Rename valgrind_ctime_test -> ctime_tests (Pieter Wuille)
    6eed6c1 Update error messages to suggest msan as well (Pieter Wuille)
    8e11f89 Add support for msan integration to checkmem.h (Pieter Wuille)
    8dc6407 Add compile-time error to valgrind_ctime_test (Pieter Wuille)
    0db05a7 Abstract interactions with valgrind behind new checkmem.h (Pieter Wuille)
    4f1a54e Move valgrind CPPFLAGS into SECP_CONFIG_DEFINES (Pieter Wuille)
    d4a6b58 Add `noverify_tests` to `.gitignore` (Hennadii Stepanov)
    e862c4a Makefile: add -I$(top_srcdir)/src to CPPFLAGS for precomputed (Matt Whitlock)
    
    Pull request description:
    
    ACKs for top commit:
      real-or-random:
        tACK BlockstreamResearch@0d540ec
    
    Tree-SHA512: bc54ccf752163ab6e1a12bb8c4e1f9339f4421d2e4f7716c408549514b3c902f2e9f727655799f1eecb085b0026761b04735b17be3c95c6cf54e07fbf7e86477
    jonasnick committed Jul 21, 2023
    3937cef
  3. dc73359
  4. Merge BlockstreamResearch#252: Upstream PRs 1113, 1225, 1227, 1229, 1223

    b40adf2 release: prepare for 0.3.0 (Jonas Nick)
    8be82d4 cmake: Rename project to "libsecp256k1" (Hennadii Stepanov)
    756b61d readme: Use correct build type in CMake/Windows build instructions (Tim Ruffing)
    92098d8 changelog: Add entry for CMake (Tim Ruffing)
    e1eb337 ci: Add "x86_64: Windows (VS 2022)" task (Hennadii Stepanov)
    10602b0 cmake: Export config files (Hennadii Stepanov)
    5468d70 build: Add CMake-based build system (Hennadii Stepanov)
    
    Pull request description:
    
    ACKs for top commit:
      real-or-random:
        utACK dc73359
    
    Tree-SHA512: ded76837ee78d3a99daf5e9dbdb3912a1f7efb8b9ea329535e5b5452f8bf6d02bc290dd2378b17a20e1d33b4811c1d88482bf46a57d6c414855b64cf55e38e99
    jonasnick committed Jul 21, 2023
    d47e4d4
  5. ecbbfd4