bbc834467c5d14e3e53744211e7c4fa9d8fabe41 Avoid secp256k1_ge_set_gej_zinv with uninitialized z (Pieter Wuille)
0a2e0b2ae456c7ae60e92ddc354071f21fb6aa62 Make secp256k1_{fe,ge,gej}_verify work as no-op if non-VERIFY (Pieter Wuille)
f20266722ac93ca66d1beb0d2f2d2469b95aafea Add invariant checking to group elements (Pieter Wuille)
a18821d5b1d44db0e7c8335f338cc9876bec98cb Always initialize output coordinates in secp256k1_ge_set_gej (Pieter Wuille)
3086cb90acd9d61c5b38e862877fdeacaff74a50 Expose secp256k1_fe_verify to other modules (Pieter Wuille)
a0e696fd4da3788758bb3fdae66c7ae262dbf224 Make secp256k1_ecmult_const handle infinity (Gregory Maxwell)
Pull request description:
Rebase of #791.
* Clean up infinity handling, make x/y/z always initialized for infinity.
* Make secp256k1_ecmult_const handle infinity.
* Infinity isn't currently needed here, but correctly handling it is a little more safe against future changes.
* Update docs for it to make it clear that it is not constant time in Q. It never was constant time in Q (and would be a little complicated to make constant time in Q: needs a constant time addition function that tracks RZR). It isn't typical for ECDH to be constant time in terms of the pubkey. If it was later made constant time in Q infinity support would be easy to preserve, e.g. by running it on a dummy value and cmoving infinity into the output.
* Add group verification (`secp256k1_ge_verify` and `secp256k1_gej_verify`, mimicking `secp256k1_fe_verify`).
* Make the `secp256k1_{fe,ge,gej}_verify` functions also defined (as no-ops) in non-VERIFY mode.
ACKs for top commit:
jonasnick:
ACK bbc834467c5d14e3e53744211e7c4fa9d8fabe41
real-or-random:
ACK bbc834467c5d14e3e53744211e7c4fa9d8fabe41
Tree-SHA512: 82cb51faa2c207603aa10359a311ea618fcb5a81ba175bf15515bf84043223db6428434875854cdfce9ae95f9cfd68c74e4e415f26bd574f1791b5dec1615d19
Infinity isn't currently needed here, but correctly handling it is a
little more safe against future changes.
Update docs for it to make it clear that it is not constant time in A
(the input point). It never was constant time in Q (and would be a little
complicated to make constant time in A).
If it was later made constant time in A, infinity support would be easy
to preserve, e.g. by running it on a dummy value and cmoving infinity into
the output.
2e65f1fdbcc87e2ef8c0baf4abc8ee0f56daf7fe Avoid using bench_verify_data as bench_sign_data; merge them (Pieter Wuille)
Pull request description:
The existing bench.c code defines `bench_verify_data data` variable, but some of the benchmarks then use it as `bench_sign`. Fix this by merging the two types into one.
ACKs for top commit:
stratospher:
ACK 2e65f1f.
real-or-random:
utACK 2e65f1fdbc
Tree-SHA512: 676b43e5d30abd13bfd9595378b1a0bd90a2e713be4f8f713260f989ea8c971b229dfb683cd7a1614665b1688a0bdda7a4019f358dd6cd645e1b3d9f8d71e814
For the sake of completeness, add the missing descriptions for the
return value and parameters (`ctx`, `sig64`, `keypair`), in the same
wording/style as for the function `secp256k1_schnorrsig_sign32`.
bef448f9af248dba016883401de07b431f3e686e cmake: Fix library ABI versioning (Hennadii Stepanov)
Pull request description:
This change emulates Libtool to make sure Libtool and CMake agree on the ABI version.
To test, one needs to simulate a release with backward-compatible API changes, which means the following changes in `configure.ac` and `CMakeLists.txt`:
- incrementing of `*_LIB_VERSION_CURRENT`
- setting `*_LIB_VERSION_REVISION` to zero
- incrementing of `*_LIB_VERSION_AGE`
ACKs for top commit:
real-or-random:
ACK bef448f9af248dba016883401de07b431f3e686e diff looks good and I tested on Linux
Tree-SHA512: f7551fc7377ea50c8bc32d14108a034a1f91ebbb63d5fec562e5cc28416637834b9a4dcba3692df1780adcd1212ad4f238dc0219ab5add68bd88a5a458572ee5
An executable target in the `COMMAND` option will automatically be
replaced by the location of the executable created at build time.
This change fixes tests for Windows binaries using Wine.
7e977b3c5071fc17575ff88ebbc9db7b17c70497 autotools: Take VPATH builds into account when generating testvectors (Tim Ruffing)
2418d3260ac51ba0f148fb20e19c8f41bba8a135 autotools: Create src/wycheproof dir before creating file in it (Tim Ruffing)
8764034ed55bffc8a26fbe377ac505359f8828e9 autotools: Make all "pregenerated" targets .PHONY (Tim Ruffing)
e1b9ce881159e8e2572467f1426f200e987a4d44 autotools: Use same conventions for all pregenerated files (Tim Ruffing)
08f4b1632d0ad976fe00ee606f3a95894555a2e1 autotools: Move code around to tidy Makefile (Tim Ruffing)
529b54d9224e680197e6052b505d2a66398e0d36 autotools: Move Wycheproof header from EXTRA_DIST to noinst_HEADERS (Tim Ruffing)
Pull request description:
Follow-up to https://github.com/bitcoin-core/secp256k1/pull/1245.
This builds on top of https://github.com/bitcoin-core/secp256k1/pull/1276. Let's only merge https://github.com/bitcoin-core/secp256k1/pull/1276 as a hotfix for the Core build.
ACKs for top commit:
hebasto:
ACK 7e977b3c5071fc17575ff88ebbc9db7b17c70497
Tree-SHA512: 42e09feaed15d903e759360e1dfbd1afce9da07a55512e2e791147b72d9b6477e34ae6028439af57dbcae318081a37ddcf3a630f9617bfea95c130135ba2313f
71f746c057a66d5ae0dfdb5d439bc49592c0d16e cmake: Include `include` directory for subtree builds (Hennadii Stepanov)
5431b9decdbbdf30c5c5f2aed4b59662f5c681a2 cmake: Make `SECP256K1_INSTALL` default depend on `PROJECT_IS_TOP_LEVEL` (Hennadii Stepanov)
162608cc982538906e775d0c549aff2de5dee413 cmake: Emulate `PROJECT_IS_TOP_LEVEL` for CMake<3.21 (Hennadii Stepanov)
Pull request description:
This PR:
1. Emulates [`PROJECT_IS_TOP_LEVEL`](https://cmake.org/cmake/help/latest/variable/PROJECT_IS_TOP_LEVEL.html) variable for CMake versions where it is not available.
2. Makes the `SECP256K1_INSTALL` option dependent on `PROJECT_IS_TOP_LEVEL` (a [follow up](https://github.com/bitcoin-core/secp256k1/pull/1263#issuecomment-1516564300) of https://github.com/bitcoin-core/secp256k1/pull/1263).
3. Makes integration of this project as a subtree easier. A top project can `#include <secp256k1.h>` with no additional `target_include_directories()` commands. For example, see https://github.com/hebasto/secp256k1-CMake-example/tree/subtree.
ACKs for top commit:
theuni:
utACK 71f746c057a66d5ae0dfdb5d439bc49592c0d16e.
Tree-SHA512: 8ccdbcc94b26f36e772611ebaab0f2846debd6ad20f9e361be31a8d2128a14273acb692b0631026e12cc6cdef6d445dce0fd3beb4f71af47b46dfcf840a18879
