Merge #260: Finish sync to upstream
394e09e musig: change test vector generation code shebang from python to python3 (Jonas Nick)
aa3edea scalar: Remove unused secp256k1_scalar_chacha20 (Tim Ruffing)
167194b rangeproof: Use util functions for writing big endian (Tim Ruffing)
82777bb bppp: Fix test for invalid sign byte (Tim Ruffing)
54b37db build: Fix linkage of extra binaries in -zkp modules (Tim Ruffing)
9e96a2e hsort tests: Don't call secp256k1_testrand_int(0) (Tim Ruffing)
4692478 ci: print $ELLSWIFT in cirrus.sh (Jonas Nick)
78ca880 build: enable ellswift module via SECP_CONFIG_DEFINES (Jonas Nick)
b097a46 util: remove unused checked_realloc (Cory Fields)
4f8c5bd refactor: Drop unused cast (Hennadii Stepanov)
6ec3731 Simplify test PRNG implementation (Pieter Wuille)
fb5bfa4 Add static test vector for Xoshiro256++ (Tim Ruffing)
723e8ca Remove randomness tests (Pieter Wuille)
c424e2f ellswift: fix probabilistic test failure when swapping sides (Jonas Nick)
981e5be ci: Fix typo in comment (Tim Ruffing)
e9e9648 ci: Reduce number of macOS tasks from 28 to 8 (Tim Ruffing)
609093b ci: Add x86_64 Linux tasks for gcc and clang snapshots (Tim Ruffing)
1deecaa ci: Install development snapshots of gcc and clang (Tim Ruffing)
b79ba8a field: Use `restrict` consistently in fe_sqrt (Tim Ruffing)
600c5ad clean up in-comment Sage code (refer to secp256k1_params.sage, update to Python3) (Sebastian Falbesoner)
c7d900f doc: minor ellswift.md updates (stratospher)
2792119 Add exhaustive test for ellswift (create+decode roundtrip) (Sebastian Falbesoner)
07c0e8b group: remove unneeded normalize_weak in `secp256k1_gej_eq_x_var` (Sebastian Falbesoner)
efa76c4 group: remove unneeded normalize_weak in `secp256k1_ge_is_valid_var` (Sebastian Falbesoner)
c6cd2b1 ci: Add task for static library on Windows + CMake (Hennadii Stepanov)
020bf69 build: Add extensive docs on visibility issues (Tim Ruffing)
0196e8a build: Introduce `SECP256k1_DLL_EXPORT` macro (Hennadii Stepanov)
9f1b190 refactor: Replace `SECP256K1_API_VAR` with `SECP256K1_API` (Hennadii Stepanov)
ae9db95 build: Introduce `SECP256K1_STATIC` macro for Windows users (Hennadii Stepanov)
b6b9834 small fixes (Alejandro)
5b9f37f ci: Add `CFLAGS: -O1` to task matrix (Hennadii Stepanov)
a6ca76c Avoid `-Wmaybe-uninitialized` when compiling with `gcc -O1` (Hennadii Stepanov)
05873bb tweak_add: fix API doc for tweak=0 (Jonas Nick)
a7bec34 ci: Print commit in Windows container (Hennadii Stepanov)
98579e2 ci: Drop manual checkout of merge commit (Tim Ruffing)
5a95a26 tests: introduce helper for non-zero `random_fe_test` results (Sebastian Falbesoner)
304421d tests: refactor: remove duplicate function `random_field_element_test` (Sebastian Falbesoner)
be8ff3a field: Static-assert that int args affecting magnitude are constant (Tim Ruffing)
7d8d5c8 tests: refactor: take use of `secp256k1_ge_x_on_curve_var` (Sebastian Falbesoner)
525b661 bppp/build: Fix linkage of benchmark (Tim Ruffing)
4c70cc9 Suppress wrong/buggy warning in MSVC <19.33 (Tim Ruffing)
579999b scalar: adjust muladd2 to new int128 interface (Jonas Nick)
b160486 ecdsa_adaptor: add missing include (Jonas Nick)
c862a9f ci: Adjust Docker image to Debian 12 "bookworm" (Hennadii Stepanov)
a178209 ci: Force DWARF v4 for Clang when Valgrind tests are expected (Hennadii Stepanov)
8a72734 Help the compiler prove that a loop is entered (Tim Ruffing)
67887ae Fix a typo in the error message (Hennadii Stepanov)
7c7467a Refer to ellswift.md in API docs (Pieter Wuille)
c32ffd8 Add ellswift to CHANGELOG (Pieter Wuille)
bc7c8db abi: Use dllexport for mingw builds (Cory Fields)
5b7bf2e Use `__shiftright128` intrinsic in `secp256k1_u128_rshift` on MSVC (Hennadii Stepanov)
5779137 field: Document return value of fe_sqrt() (Tim Ruffing)
90e360a Add doc/ellswift.md with ElligatorSwift explanation (Pieter Wuille)
4f09184 Add ellswift testing to CI (Pieter Wuille)
1bcea8c Add benchmarks for ellswift module (Pieter Wuille)
2d1d41a Add ctime tests for ellswift module (Pieter Wuille)
df633cd Add _prefix and _bip324 ellswift_xdh hash functions (Pieter Wuille)
9695deb Add tests for ellswift module (Pieter Wuille)
c47917b Add ellswift module implementing ElligatorSwift (Pieter Wuille)
79e5b2a Add functions to test if X coordinate is valid (Pieter Wuille)
a597a5a Add benchmark for key generation (Pieter Wuille)
e449af6 Drop no longer needed `#include "../include/secp256k1.h"` (Hennadii Stepanov)
f165252 Normalize ge produced from secp256k1_pubkey_load (stratospher)
7067ee5 tests: add tests for `secp256k1_{read,write}_be64` (Sebastian Falbesoner)
740528c scalar: use newly introduced `secp256k1_{read,write}_be64` helpers (4x64 impl.) (Sebastian Falbesoner)
887183e scalar: use `secp256k1_{read,write}_be32` helpers (4x64 impl.) (Sebastian Falbesoner)
52b8423 scalar: use `secp256k1_{read,write}_be32` helpers (8x32 impl.) (Sebastian Falbesoner)
f364428 docs: correct `pubkey` param descriptions for `secp256k1_keypair_{xonly_,}pub` (Sebastian Falbesoner)
db29bf2 ci: Remove quirk that runs dummy command after wineserver (Tim Ruffing)
c7db494 ci: Fix error D8037 in `cl.exe` (Hennadii Stepanov)
7dae115 Revert "ci: Move wine prefix to /tmp to avoid error D8037 in cl.exe" (Hennadii Stepanov)
605e07e fix input range comment for `secp256k1_fe_add_int` (Sebastian Falbesoner)
ade5b36 tests: add checks for scalar constants `secp256k1_scalar_{zero,one}` (Sebastian Falbesoner)
654246c refactor: take use of `secp256k1_scalar_{zero,one}` constants (Sebastian Falbesoner)
e83801f test: Warn if both `VERIFY` and `COVERAGE` are defined (Hennadii Stepanov)
1549db0 build: Level up MSVC warnings (Hennadii Stepanov)
ad84603 release process: clarify change log updates (Jonas Nick)
6348bc7 release process: fix process for maintenance release (Jonas Nick)
79fa50b release process: mention targeted release schedule (Jonas Nick)
1652067 release process: add sanity checks (Jonas Nick)
27504d5 ci: Move wine prefix to /tmp to avoid error D8037 in cl.exe (Tim Ruffing)
6433175 Do not invoke fe_is_zero on failed set_b32_limit (Pieter Wuille)
5768b50 build: Enable -DVERIFY for precomputation binaries (Tim Ruffing)
31b4bbe Make fe_cmov take max of magnitudes (Pieter Wuille)
95448ef release cleanup: bump version after 0.3.2 (Pieter Wuille)
e593ed5 musig: ensure point_load output is normalized (Jonas Nick)
d490ca2 release: Prepare for 0.3.2 (Tim Ruffing)
697e1cc changelog: Catch up (Tim Ruffing)
76b43f3 changelog: Add entry for #1303 (Tim Ruffing)
3ad1027 Revert "Remove unused scratch space from API" (Jonas Nick)
8c9ae37 Add release note (Pieter Wuille)
350b4bd Mark stack variables as early clobber for technical correctness (Pieter Wuille)
0c729ba Bugfix: mark outputs as early clobber in scalar x86_64 asm (Pieter Wuille)
c6bb29b build: Rename `64bit` to `x86_64` (Hennadii Stepanov)
0324645 autotools: Add `SECP_ARM32_ASM_CHECK` macro (Hennadii Stepanov)
ed4ba23 cmake: Add `check_arm32_assembly` function (Hennadii Stepanov)
e5cf4bf build: Rename `arm` to `arm32` (Hennadii Stepanov)
5b32602 Split fe_set_b32 into reducing and normalizing variants (Pieter Wuille)
1907f0f build: Make tests work with external default callbacks (Tim Ruffing)
cd54ac7 schnorrsig: Improve docs of schnorrsig_sign_custom (Tim Ruffing)
28687b0 schnorrsig: Add BIP340 varlen test vectors (Tim Ruffing)
97a98be schnorrsig: Refactor test vector code to allow varlen messages (Tim Ruffing)
17fa217 ct: Be cautious and use volatile trick in more "conditional" paths (Tim Ruffing)
5fb336f ct: Use volatile trick in scalar_cond_negate (Tim Ruffing)
712e7f8 Remove unused scratch space from API (Jonas Nick)
d1e48e5 refactor: Make 64-bit shift explicit (Hennadii Stepanov)
b2e29e4 ci: Treat all compiler warnings as errors in "Windows (VS 2022)" task (Hennadii Stepanov)
97c63b9 Avoid normalize conditional on VERIFY (Pieter Wuille)
7fc642f Simplify secp256k1_fe_{impl_,}verify (Pieter Wuille)
4e176ad Abstract out verify logic for fe_is_square_var (Pieter Wuille)
4371f98 Abstract out verify logic for fe_add_int (Pieter Wuille)
89e324c Abstract out verify logic for fe_half (Pieter Wuille)
283cd80 Abstract out verify logic for fe_get_bounds (Pieter Wuille)
d5aa2f0 Abstract out verify logic for fe_inv{,_var} (Pieter Wuille)
3167646 Abstract out verify logic for fe_from_storage (Pieter Wuille)
76d31e5 Abstract out verify logic for fe_to_storage (Pieter Wuille)
1e6894b Abstract out verify logic for fe_cmov (Pieter Wuille)
be82bd8 Improve comments/checks for fe_sqrt (Pieter Wuille)
6ab3508 Abstract out verify logic for fe_sqr (Pieter Wuille)
4c25f6e Abstract out verify logic for fe_mul (Pieter Wuille)
e179e65 Abstract out verify logic for fe_add (Pieter Wuille)
7e7ad7f Abstract out verify logic for fe_mul_int (Pieter Wuille)
65d82a3 Abstract out verify logic for fe_negate (Pieter Wuille)
1446708 Abstract out verify logic for fe_get_b32 (Pieter Wuille)
f7a7666 Abstract out verify logic for fe_set_b32 (Pieter Wuille)
ce4d209 Abstract out verify logic for fe_cmp_var (Pieter Wuille)
7d7d43c Improve comments/check for fe_equal{,_var} (Pieter Wuille)
c5e788d Abstract out verify logic for fe_is_odd (Pieter Wuille)
d3f3fe8 Abstract out verify logic for fe_is_zero (Pieter Wuille)
c701d9a Abstract out verify logic for fe_clear (Pieter Wuille)
19a2bfe Abstract out verify logic for fe_set_int (Pieter Wuille)
864f9db Abstract out verify logic for fe_normalizes_to_zero{,_var} (Pieter Wuille)
6c31371 Abstract out verify logic for fe_normalize_var (Pieter Wuille)
e28b51f Abstract out verify logic for fe_normalize_weak (Pieter Wuille)
b6b6f9c Abstract out verify logic for fe_normalize (Pieter Wuille)
7fa5195 Bugfix: correct SECP256K1_FE_CONST mag/norm fields (Pieter Wuille)
b29566c Merge magnitude/normalized fields, move/improve comments (Pieter Wuille)
bbc8344 Avoid secp256k1_ge_set_gej_zinv with uninitialized z (Pieter Wuille)
0a2e0b2 Make secp256k1_{fe,ge,gej}_verify work as no-op if non-VERIFY (Pieter Wuille)
f202667 Add invariant checking to group elements (Pieter Wuille)
a18821d Always initialize output coordinates in secp256k1_ge_set_gej (Pieter Wuille)
3086cb9 Expose secp256k1_fe_verify to other modules (Pieter Wuille)
a0e696f Make secp256k1_ecmult_const handle infinity (Gregory Maxwell)
2e65f1f Avoid using bench_verify_data as bench_sign_data; merge them (Pieter Wuille)
149c41c docs: complete interface description for `secp256k1_schnorrsig_sign_custom` (Sebastian Falbesoner)
bef448f cmake: Fix library ABI versioning (Hennadii Stepanov)
755629b cmake: Use full signature of `add_test()` command (Hennadii Stepanov)
7e977b3 autotools: Take VPATH builds into account when generating testvectors (Tim Ruffing)
2418d32 autotools: Create src/wycheproof dir before creating file in it (Tim Ruffing)
8764034 autotools: Make all "pregenerated" targets .PHONY (Tim Ruffing)
e1b9ce8 autotools: Use same conventions for all pregenerated files (Tim Ruffing)
08f4b16 autotools: Move code around to tidy Makefile (Tim Ruffing)
529b54d autotools: Move Wycheproof header from EXTRA_DIST to noinst_HEADERS (Tim Ruffing)
71f746c cmake: Include `include` directory for subtree builds (Hennadii Stepanov)
5431b9d cmake: Make `SECP256K1_INSTALL` default depend on `PROJECT_IS_TOP_LEVEL` (Hennadii Stepanov)
162608c cmake: Emulate `PROJECT_IS_TOP_LEVEL` for CMake<3.21 (Hennadii Stepanov)
a8d059f cmake, doc: Document compiler flags (Hennadii Stepanov)
6ece150 cmake, refactor: Rename `try_add_compile_option` to `try_append_cflags` (Hennadii Stepanov)
19516ed cmake: Use `add_compile_options()` in `try_add_compile_option()` (Hennadii Stepanov)
a273d74 cmake: Improve version comparison (Hennadii Stepanov)
6a58b48 cmake: Use `if(... IN_LIST ...)` command (Hennadii Stepanov)
2445808 cmake: Use dedicated `GENERATOR_IS_MULTI_CONFIG` property (Hennadii Stepanov)
9f8703e cmake: Use dedicated `CMAKE_HOST_APPLE` variable (Hennadii Stepanov)
8c20170 cmake: Use recommended `add_compile_definitions` command (Hennadii Stepanov)
04d4cc0 cmake: Add `DESCRIPTION` and `HOMEPAGE_URL` options to `project` command (Hennadii Stepanov)
8a8b653 cmake: Use `SameMinorVersion` compatibility mode (Hennadii Stepanov)
ce5ba9e gitignore: Add CMakeUserPresets.json (Tim Ruffing)
0a446a3 cmake: Add dev-mode CMake preset (Tim Ruffing)
dc0657c build: Fix C4005 "macro redefinition" MSVC warnings in examples (Hennadii Stepanov)
c4062d6 debug: move helper for printing buffers into util.h (Jonas Nick)
3858bad tests: remove extra semicolon in macro (Jonas Nick)
162da73 tests: Add debug helper for printing buffers (Tim Ruffing)
e9fd3df field: Improve docs and tests of secp256k1_fe_set_b32 (Tim Ruffing)
ca92a35 field: Simplify code in secp256k1_fe_set_b32 (Tim Ruffing)
d93f62e field: Verify field element even after secp256k1_fe_set_b32 fails (Tim Ruffing)
69e1ec0 Get rid of secp256k1_fe_const_b (Pieter Wuille)
68b16a1 bench: Make sys/time.h a system include (Tim Ruffing)
8e142ca Move `SECP256K1_INLINE` macro definition out from `include/secp256k1.h` (Hennadii Stepanov)
7744589 Remove `SECP256K1_INLINE` usage from examples (Hennadii Stepanov)
47ac3d6 cmake: Make installation optional (Anna “CyberTailor”)
1ecb94e build: Make `SECP_VALGRIND_CHECK` preserve `CPPFLAGS` (Hennadii Stepanov)
35ada3b tests: lint wycheproof's python script (RandomLattice)
ef49a11 build: allow static or shared but not both (Cory Fields)
36b0adf build: remove warning until it's reproducible (Cory Fields)
a575339 Remove bits argument from secp256k1_wnaf_const (always 256) (Pieter Wuille)
1b6fb55 doc: clarify process for patch releases (Jonas Nick)
06c67de autotools: Don't regenerate Wycheproof header automatically (Tim Ruffing)
656c6ea release cleanup: bump version after 0.3.1 (Jonas Nick)
6a37b2a changelog: Fix link (Tim Ruffing)
898e1c6 release: Prepare for 0.3.1 (Tim Ruffing)
1d9a13f changelog: Remove inconsistent newlines (Tim Ruffing)
0e09166 changelog: Catch up in preparation of 0.3.1 (Tim Ruffing)
e5de454 tests: Add Wycheproof ECDSA vectors (RandomLattice)
0f86420 Add exhaustive tests for ecmult_const_xonly (Pieter Wuille)
4485926 Add x-only ecmult_const version for x=n/d (Pieter Wuille)
3d1f430 Make position of * in pointer declarations in include/ consistent (Jonas Nick)
0c07c82 Add CMake instructions to release process (Tim Ruffing)
4a496a3 ct: Use volatile "trick" in all fe/scalar cmov implementations (Tim Ruffing)
3addb4c build: Improve `SECP_TRY_APPEND_DEFAULT_CFLAGS` macro (Hennadii Stepanov)
5bb03c2 Replace `SECP256K1_ECMULT_TABLE_VERIFY` macro by a function (Hennadii Stepanov)
4429a8c Suppress `-Wunused-parameter` when building for coverage analysis (Hennadii Stepanov)
3e43041 No need to subtract 1 before doing a right shift (roconnor-blockstream)
fd2a408 Set ARM ASM symbol visibility to `hidden` (Hennadii Stepanov)
4ebd828 Apply Checks only in VERIFY mode. (roconnor-blockstream)
d1e7ca1 Typo (roconnor-blockstream)
96dd062 build: bump CMake minimum requirement to 3.13 (Cory Fields)
8e79c7e build: Ensure no optimization when building for coverage analysis (Hennadii Stepanov)
647f0a5 Update comment for secp256k1_modinv32_inv256 (roconnor-blockstream)
28e63f7 release cleanup: bump version after 0.3.0 (Jonas Nick)
b40adf2 release: prepare for 0.3.0 (Jonas Nick)
8be82d4 cmake: Rename project to "libsecp256k1" (Hennadii Stepanov)
756b61d readme: Use correct build type in CMake/Windows build instructions (Tim Ruffing)
92098d8 changelog: Add entry for CMake (Tim Ruffing)
e1eb337 ci: Add "x86_64: Windows (VS 2022)" task (Hennadii Stepanov)
10602b0 cmake: Export config files (Hennadii Stepanov)
5468d70 build: Add CMake-based build system (Hennadii Stepanov)
5d8f53e Remove redundant checks. (Russell O'Connor)
d232112 Update Changelog (Tim Ruffing)
b081f7e Add secp256k1_fe_add_int function (Pieter Wuille)
2ef1c9b Update overflow check (Russell O'Connor)
5660c13 prevent optimization in algorithms (Harshil Jani)
ce3cfc7 doc: Describe Jacobi calculation in safegcd_implementation.md (Elliott Jin)
6be0103 Add secp256k1_fe_is_square_var function (Pieter Wuille)
1de2a01 Native jacobi symbol algorithm (Pieter Wuille)
04c6c1b Make secp256k1_modinv64_det_check_pow2 support abs val (Pieter Wuille)
5fffb2c Make secp256k1_i128_check_pow2 support -(2^n) (Pieter Wuille)
e433034 ci: Shutdown wineserver whenever CI script exits (Tim Ruffing)
9a5a611 build: Suppress stupid MSVC linker warning (Tim Ruffing)
739c53b examples: Extend sig examples by call that uses static context (Tim Ruffing)
914276e build: Add SECP256K1_API_VAR to fix importing variables from DLLs (Tim Ruffing)
e089eec group: Further simplify gej_add_ge (Tim Ruffing)
ac71020 group: Save a normalize_to_zero in gej_add_ge (Tim Ruffing)
8c7e0fc build: Add -Wreserved-identifier supported by clang (Tim Ruffing)
9b60e31 ci: Do not set git's `user.{email,name}` config options (Hennadii Stepanov)
ef39721 Do not link `bench` and `ctime_tests` to `COMMON_LIB` (Hennadii Stepanov)
c241586 ci: Don't fetch git history (Tim Ruffing)
0ecf318 ci: Use remote pull/merge ref instead of local git merge (Tim Ruffing)
9b7d186 Drop no longer used Autoheader macros (Hennadii Stepanov)
eb6beba scalar: restrict split_lambda args, improve doc and VERIFY_CHECKs (Jonas Nick)
7f49aa7 ci: add test job with -DVERIFY (Jonas Nick)
620ba3d benchmarks: fix bench_scalar_split (Jonas Nick)
e39d954 tests: Add CHECK_ILLEGAL(_VOID) macros and use in static ctx tests (Tim Ruffing)
61841fc contexts: Forbid randomizing secp256k1_context_static (Tim Ruffing)
4b6df5e contexts: Forbid cloning/destroying secp256k1_context_static (Tim Ruffing)
8f51229 ctime_tests: improve output when CHECKMEM_RUNNING is not defined (Jonas Nick)
2cd4e3c Drop no longer used `SECP_{LIBS,INCLUDE}` variables (Hennadii Stepanov)
613626f Drop no longer used `SECP_TEST_{LIBS,INCLUDE}` variables (Hennadii Stepanov)
d6ff738 Ensure safety of ctz_debruijn implementation. (Russell O'Connor)
ce60785 Introduce SECP256K1_B macro for curve b coefficient (Pieter Wuille)
4934aa7 Switch to exhaustive groups with small B coefficient (Pieter Wuille)
e03ef86 Make all non-API functions (except main) static (Pieter Wuille)
0f088ec Rename CTIMETEST -> CTIMETESTS (Pieter Wuille)
74b026f Add runtime checking for DECLASSIFY flag (Pieter Wuille)
5e2e6fc Run ctime test in Linux MSan CI job (Pieter Wuille)
1897406 Make ctime tests building configurable (Pieter Wuille)
5048be1 Rename valgrind_ctime_test -> ctime_tests (Pieter Wuille)
6eed6c1 Update error messages to suggest msan as well (Pieter Wuille)
8e11f89 Add support for msan integration to checkmem.h (Pieter Wuille)
8dc6407 Add compile-time error to valgrind_ctime_test (Pieter Wuille)
0db05a7 Abstract interactions with valgrind behind new checkmem.h (Pieter Wuille)
4f1a54e Move valgrind CPPFLAGS into SECP_CONFIG_DEFINES (Pieter Wuille)
d4a6b58 Add `noverify_tests` to `.gitignore` (Hennadii Stepanov)
e862c4a Makefile: add -I$(top_srcdir)/src to CPPFLAGS for precomputed (Matt Whitlock)
9a93f48 refactor: Rename STTC to STATIC_CTX in tests (Tim Ruffing)
3385a26 refactor: Rename global variables to uppercase in tests (Tim Ruffing)
2037600 tests: Add noverify_tests which is like tests but without VERIFY (Tim Ruffing)
39e8f0e refactor: Separate run_context_tests into static vs proper contexts (Tim Ruffing)
a4a0937 tests: Clean up and improve run_context_tests() further (Tim Ruffing)
fc90bb5 refactor: Tidy up main() (Tim Ruffing)
f32a36f tests: Don't use global context for context tests (Tim Ruffing)
ce4f936 tests: Tidy run_context_tests() by extracting functions (Tim Ruffing)
18e0db3 tests: Don't recreate global context in scratch space test (Tim Ruffing)
b198061 tests: Use global copy of secp256k1_context_static instead of clone (Tim Ruffing)
2f9ca28 Drop `SECP_CONFIG_DEFINES` from examples (Hennadii Stepanov)
c0a555b Bugfix: pass SECP_CONFIG_DEFINES to bench compilation (Pieter Wuille)
d216475 test secp256k1_i128_to_i64 (Russell O'Connor)
4bc4290 Add a secp256k1_i128_to_u64 function. (Russell O'Connor)
a49e094 docs: Fix typo (Tim Ruffing)
2551cda tests: Fix code formatting (Tim Ruffing)
c635c1b Change ARG_CHECK_NO_RETURN to ARG_CHECK_VOID which returns (void) (Tim Ruffing)
cf66f23 refactor: Add helper function secp256k1_context_is_proper() (Tim Ruffing)
c30b889 Clarify that the ABI-incompatible versions are earlier (Pieter Wuille)
881fc33 Consistency in naming of modules (Pieter Wuille)
9ecf814 Reduce font size in changelog (Pieter Wuille)
2dc133a Add more changelog entries (Pieter Wuille)
ac233e1 Add links to diffs to changelog (Pieter Wuille)
cee8223 Mention semantic versioning in changelog (Pieter Wuille)
9c5a4d2 Do not define unused `HAVE_VALGRIND` macro (Hennadii Stepanov)
ad8647f Drop no longer relevant files from `.gitignore` (Hennadii Stepanov)
b627ba7 Remove dependency on `src/libsecp256k1-config.h` (Hennadii Stepanov)
7a74688 ci: add missing CFLAGS & CPPFLAGS variable to print_environment (Jonas Nick)
c2e0fda ci: set -u in cirrus.sh to treat unset variables as an error (Jonas Nick)
02ebc29 release cleanup: bump version after 0.2.0 (Jonas Nick)
b6b360e doc: improve message of cleanup commit (Jonas Nick)
e025ccd release: prepare for initial release 0.2.0 (Jonas Nick)
6d1784a build: add missing files to EXTRA_DIST (Jonas Nick)
13bf1b6 changelog: make order of change types match keepachangelog.com (Jonas Nick)
b1f992a doc: improve release process (Jonas Nick)
ad39e2d build: change package version to 0.1.0-dev (Jonas Nick)
90618e9 doc: move CHANGELOG from doc/ to root directory (Jonas Nick)
7e5b226 Don't use compute credits for now (Pieter Wuille)
d6dc0f4 tests: Switch to NONE contexts in module tests (Jonas Nick)
0c8a5ca tests: Switch to NONE contexts in tests.c (Jonas Nick)
86540e9 tests: add test for deprecated flags and rm them from run_context (Jonas Nick)
caa0ad6 group: add gej_eq_var (Jonas Nick)
37ba744 tests: Switch to NONE contexts in exhaustive and ctime tests (Jonas Nick)
8d7a9a8 benchmarks: Switch to NONE contexts (Jonas Nick)
4386a23 examples: Switch to NONE contexts (Tim Ruffing)
7289b51 docs: Use doxygen style if and only if comment is user-facing (Tim Ruffing)
e7d0185 docs: Get rid of "initialized for signing" terminology (Tim Ruffing)
0612636 docs: Tidy and improve docs about contexts and randomization (Tim Ruffing)
e02d686 selftest: Expose in public API (Tim Ruffing)
e383fbf selftest: Rename internal function to make name available for API (Tim Ruffing)
d2c6d48 tests: Use new name of static context (Tim Ruffing)
53796d2 contexts: Rename static context (Tim Ruffing)
72fedf8 docs: Improve docs for static context (Tim Ruffing)
316ac76 contexts: Deprecate all context flags except SECP256K1_CONTEXT_NONE (Tim Ruffing)
1a553ee docs: Change signature "validation" to "verification" (Tim Ruffing)
ee7341f docs: Never require a verification context (Tim Ruffing)
092be61 gitignore: Add *.sage.py files autogenerated by sage (Tim Ruffing)
a8494b0 Use compute credits for macOS jobs (Pieter Wuille)
c0ae48c Update macOS image for CI (Pieter Wuille)
41e8704 build: Enable some modules by default (Tim Ruffing)
99bd335 Make int128 overflow test use secp256k1_[ui]128_mul (Pieter Wuille)
3afce0a Avoid signed overflow in MSVC ARM64 secp256k1_mul128 (Pieter Wuille)
9b5f589 Heuristically decide whether to use int128_struct (Pieter Wuille)
63ff064 int128: Add test override for testing __(u)mulh on MSVC X64 (Tim Ruffing)
f2b7e88 Add int128 randomized tests (Pieter Wuille)
00a42b9 Add MSan CI job (Pieter Wuille)
a340d95 ci: add int128_struct tests (Jonas Nick)
dceaa1f int128: Tidy #includes of int128.h and int128_impl.h (Tim Ruffing)
2914bcc Simulated int128 type. (Russell O'Connor)
6a965b6 Remove usage of CHECK from non-test file (Tobin C. Harding)
4e54c03 ci: print env to allow reproducing the job outside of CI (Jonas Nick)
49ae843 ci: mostly prevent "-v/--version: not found" irrelevant error (Jonas Nick)
5c9f1a5 ci: always cat all logs_snippets (Jonas Nick)
f5039cb Cleanup `.gitignore` file (Hennadii Stepanov)
798727a Revert "Add test logs to gitignore" (Hennadii Stepanov)
88b0089 readme: Fix line break (Tim Ruffing)
78f5296 readme: Sell "no runtime dependencies" (Tim Ruffing)
ef48f08 readme: Add IRC channel (Tim Ruffing)
cabe085 configure: Remove pkgconfig macros again (reintroduced by mismerge) (Tim Ruffing)
c27ae45 config: Remove basic-config.h (Tim Ruffing)
da6514a config: Introduce DEBUG_CONFIG macro for debug output of config (Tim Ruffing)
d0cf55e config: Set preprocessor defaults for ECMULT_* config values (Tim Ruffing)
17065f4 tests: Randomize the context with probability 15/16 instead of 1/4 (Tim Ruffing)
55f8bc9 ecmult_gen: Improve comments about projective blinding (Tim Ruffing)
7a86955 ecmult_gen: Simplify code (no observable change) (Tim Ruffing)
4cc0b1b ecmult_gen: Skip RNG when creating blinding if no seed is available (Tim Ruffing)
40a3473 build: Fix #include "..." paths to get rid of further -I arguments (Tim Ruffing)
069aba8 Fix sepc256k1 -> secp256k1 typo in group.h (henopied)
1827c9b scratch_destroy: move VERIFY_CHECK after invalid scratch space check (siv2r)
49e2acd configure: Improve rationale for WERROR_CFLAGS (Tim Ruffing)
8dc4b03 ci: Add a C++ job that compiles the public headers without -fpermissive (Tim Ruffing)
51f296a ci: Run persistent wineserver to speed up wine (Tim Ruffing)
3fb3269 ci: Add 32-bit MinGW64 build (Tim Ruffing)
9efc2e5 ci: Add MSVC builds (Tim Ruffing)
2be6ba0 configure: Convince autotools to work with MSVC's archiver lib.exe (Tim Ruffing)
bd81f41 schnorrsig bench: Suppress a stupid warning in MSVC (Tim Ruffing)
09f3d71 configure: Add a few CFLAGS for MSVC (Tim Ruffing)
3b4f3d0 build: Reject C++ compilers in the preprocessor (Tim Ruffing)
1cc0941 configure: Don't abort if the compiler does not define __STDC__ (Tim Ruffing)
cca8cbb configure: Output message when checking for valgrind (Tim Ruffing)
1a6be57 bench: Make benchmarks compile on MSVC (Tim Ruffing)
6f6cab9 abi: Don't export symbols in static Windows libraries (Cory Fields)
7efc983 Fix the false positive of `SECP_64BIT_ASM_CHECK` (Sprite)
2f984ff Save negations in var-time group addition (Peter Dettman)

Pull request description:

ACKs for top commit:
  jonasnick:
    ACK 395e65e

Tree-SHA512: 95feaf60c5fc8c8cafde8796c50b4b9dfcae87ece3be90286278243a629bcfd91fc4ffdc707a6cc5969fbaf9cd8ea490aa34ca724462b77cd542ebcd7f013eb9
jonasnick committed Aug 1, 2023
2 parents bfeae12 + 395e65e commit b2ccc8d
Showing 153 changed files with 18,709 additions and 4,888 deletions.
240 changes: 188 additions & 52 deletions .cirrus.yml


15 changes: 8 additions & 7 deletions .gitignore
Expand Up @@ -5,22 +5,23 @@ bench_generator
bench_rangeproof
bench_internal
bench_whitelist
noverify_tests
tests
example_musig
exhaustive_tests
precompute_ecmult_gen
precompute_ecmult
valgrind_ctime_test
ctime_tests
ecdh_example
ecdsa_example
schnorr_example
*.exe
*.so
*.a
*.csv
!.gitignore
*.log
*.trs
*.sage.py

Makefile
configure
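Review bot: `ctime_tests` and `valgrind_ctime_test` both appear in this hunk; after the rename in 5048be1 (valgrind_ctime_test -> ctime_tests) only the new name should survive, and since the rendered view hides the +/- markers, confirm that `valgrind_ctime_test` is the removed line rather than a leftover. The `*.log` and `*.trs` patterns listed here also reappear further down the file in the next hunk, so only one copy should remain once both hunks apply.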
Expand All @@ -39,8 +40,6 @@ libtool
*.lo
*.o
*~
*.log
*.trs

coverage/
coverage.html
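Review bot: `*.log` and `*.trs` in this hunk duplicate the same patterns already present near the top of the file (the 798727a revert and f5039cb cleanup in the commit list explain the churn); dropping this second copy is the right fix, but check that the earlier copy is the one kept, otherwise the `.log`/`.trs` files written by `make check` show up as untracked.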
Expand All @@ -49,8 +48,6 @@ coverage.*.html
*.gcno
*.gcov

src/libsecp256k1-config.h
src/libsecp256k1-config.h.in
build-aux/ar-lib
build-aux/config.guess
build-aux/config.sub
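Review bot: removing `src/libsecp256k1-config.h` and `src/libsecp256k1-config.h.in` from the ignore list is consistent with b627ba7 and the 0.3.0 changelog entry that retires the configuration header; worth a quick check that no remaining Autotools or CMake rule still generates a file by either name, since it would now be reported as untracked.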
Expand All @@ -65,8 +62,12 @@ build-aux/m4/ltversion.m4
build-aux/missing
build-aux/compile
build-aux/test-driver
src/stamp-h1
libsecp256k1.pc
contrib/gh-pr-create.sh

musig_example

### CMake
/CMakeUserPresets.json
# Default CMake build directory.
/build
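Review bot: `/build` and `/CMakeUserPresets.json` are root-anchored, so a CMake build tree created under any other name or path is not ignored; that matches the documented default and the dev-mode preset (0a446a3, ce5ba9e), but the comment should say so, and `/CMakeUserPresets.json` deserves a one-line comment of its own noting it is user-local by CMake convention, as `# Default CMake build directory.` does for `/build`.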
108 changes: 108 additions & 0 deletions CHANGELOG.md
@@ -0,0 +1,108 @@
**This changelog is not the libsecp256k1-zkp's changelog.**
Instead, it is the changelog of the upstream library [libsecp256k1](https://github.com/bitcoin-core/secp256k1).

# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [Unreleased]

#### Added
- New module `ellswift` implements ElligatorSwift encoding for public keys and x-only Diffie-Hellman key exchange for them.
ElligatorSwift permits representing secp256k1 public keys as 64-byte arrays which cannot be distinguished from uniformly random. See:
- Header file `include/secp256k1_ellswift.h` which defines the new API.
- Document `doc/ellswift.md` which explains the mathematical background of the scheme.
- The [paper](https://eprint.iacr.org/2022/759) on which the scheme is based.

#### Changed
- When consuming libsecp256k1 as a static library on Windows, the user must now define the `SECP256K1_STATIC` macro before including `secp256k1.h`.

## [0.3.2] - 2023-05-13
We strongly recommend updating to 0.3.2 if you use or plan to use GCC >=13 to compile libsecp256k1. When in doubt, check the GCC version using `gcc -v`.

#### Security
- Module `ecdh`: Fix "constant-timeness" issue with GCC 13.1 (and potentially future versions of GCC) that could leave applications using libsecp256k1's ECDH module vulnerable to a timing side-channel attack. The fix avoids secret-dependent control flow during ECDH computations when libsecp256k1 is compiled with GCC 13.1.

#### Fixed
- Fixed an old bug that permitted compilers to potentially output bad assembly code on x86_64. In theory, it could lead to a crash or a read of unrelated memory, but this has never been observed on any compilers so far.

#### Changed
- Various improvements and changes to CMake builds. CMake builds remain experimental.
- Made API versioning consistent with GNU Autotools builds.
- Switched to `BUILD_SHARED_LIBS` variable for controlling whether to build a static or a shared library.
- Added `SECP256K1_INSTALL` variable for the controlling whether to install the build artefacts.
- Renamed asm build option `arm` to `arm32`. Use `--with-asm=arm32` instead of `--with-asm=arm` (GNU Autotools), and `-DSECP256K1_ASM=arm32` instead of `-DSECP256K1_ASM=arm` (CMake).

#### ABI Compatibility
The ABI is compatible with versions 0.3.0 and 0.3.1.

## [0.3.1] - 2023-04-10
We strongly recommend updating to 0.3.1 if you use or plan to use Clang >=14 to compile libsecp256k1, e.g., Xcode >=14 on macOS has Clang >=14. When in doubt, check the Clang version using `clang -v`.

#### Security
- Fix "constant-timeness" issue with Clang >=14 that could leave applications using libsecp256k1 vulnerable to a timing side-channel attack. The fix avoids secret-dependent control flow and secret-dependent memory accesses in conditional moves of memory objects when libsecp256k1 is compiled with Clang >=14.

#### Added
- Added tests against [Project Wycheproof's](https://github.com/google/wycheproof/) set of ECDSA test vectors (Bitcoin "low-S" variant), a fixed set of test cases designed to trigger various edge cases.

#### Changed
- Increased minimum required CMake version to 3.13. CMake builds remain experimental.

#### ABI Compatibility
The ABI is compatible with version 0.3.0.

## [0.3.0] - 2023-03-08

#### Added
- Added experimental support for CMake builds. Traditional GNU Autotools builds (`./configure` and `make`) remain fully supported.
- Usage examples: Added a recommended method for securely clearing sensitive data, e.g., secret keys, from memory.
- Tests: Added a new test binary `noverify_tests`. This binary runs the tests without some additional checks present in the ordinary `tests` binary and is thereby closer to production binaries. The `noverify_tests` binary is automatically run as part of the `make check` target.

#### Fixed
- Fixed declarations of API variables for MSVC (`__declspec(dllimport)`). This fixes MSVC builds of programs which link against a libsecp256k1 DLL dynamically and use API variables (and not only API functions). Unfortunately, the MSVC linker now will emit warning `LNK4217` when trying to link against libsecp256k1 statically. Pass `/ignore:4217` to the linker to suppress this warning.

#### Changed
- Forbade cloning or destroying `secp256k1_context_static`. Create a new context instead of cloning the static context. (If this change breaks your code, your code is probably wrong.)
- Forbade randomizing (copies of) `secp256k1_context_static`. Randomizing a copy of `secp256k1_context_static` did not have any effect and did not provide defense-in-depth protection against side-channel attacks. Create a new context if you want to benefit from randomization.

#### Removed
- Removed the configuration header `src/libsecp256k1-config.h`. We recommend passing flags to `./configure` or `cmake` to set configuration options (see `./configure --help` or `cmake -LH`). If you cannot or do not want to use one of the supported build systems, pass configuration flags such as `-DSECP256K1_ENABLE_MODULE_SCHNORRSIG` manually to the compiler (see the file `configure.ac` for supported flags).

#### ABI Compatibility
Due to changes in the API regarding `secp256k1_context_static` described above, the ABI is *not* compatible with previous versions.

## [0.2.0] - 2022-12-12

#### Added
- Added usage examples for common use cases in a new `examples/` directory.
- Added `secp256k1_selftest`, to be used in conjunction with `secp256k1_context_static`.
- Added support for 128-bit wide multiplication on MSVC for x86_64 and arm64, giving roughly a 20% speedup on those platforms.

#### Changed
- Enabled modules `schnorrsig`, `extrakeys` and `ecdh` by default in `./configure`.
- The `secp256k1_nonce_function_rfc6979` nonce function, used by default by `secp256k1_ecdsa_sign`, now reduces the message hash modulo the group order to match the specification. This only affects improper use of ECDSA signing API.

#### Deprecated
- Deprecated context flags `SECP256K1_CONTEXT_VERIFY` and `SECP256K1_CONTEXT_SIGN`. Use `SECP256K1_CONTEXT_NONE` instead.
- Renamed `secp256k1_context_no_precomp` to `secp256k1_context_static`.
- Module `schnorrsig`: renamed `secp256k1_schnorrsig_sign` to `secp256k1_schnorrsig_sign32`.

#### ABI Compatibility
Since this is the first release, we do not compare application binary interfaces.
However, there are earlier unreleased versions of libsecp256k1 that are *not* ABI compatible with this version.

## [0.1.0] - 2013-03-05 to 2021-12-25

This version was in fact never released.
The number was given by the build system since the introduction of autotools in Jan 2014 (ea0fe5a5bf0c04f9cc955b2966b614f5f378c6f6).
Therefore, this version number does not uniquely identify a set of source files.

[unreleased]: https://github.com/bitcoin-core/secp256k1/compare/v0.3.2...HEAD
[0.3.2]: https://github.com/bitcoin-core/secp256k1/compare/v0.3.1...v0.3.2
[0.3.1]: https://github.com/bitcoin-core/secp256k1/compare/v0.3.0...v0.3.1
[0.3.0]: https://github.com/bitcoin-core/secp256k1/compare/v0.2.0...v0.3.0
[0.2.0]: https://github.com/bitcoin-core/secp256k1/compare/423b6d19d373f1224fd671a982584d7e7900bc93..v0.2.0
[0.1.0]: https://github.com/bitcoin-core/secp256k1/commit/423b6d19d373f1224fd671a982584d7e7900bc93
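Review bot: the `[0.2.0]` compare link uses a two-dot range (`423b6d19d373f1224fd671a982584d7e7900bc93..v0.2.0`) while every other entry uses three dots; on GitHub `..` and `...` render different diffs (direct versus merge-base), so for consistency with the other links it should read `compare/423b6d19d373f1224fd671a982584d7e7900bc93...v0.2.0`. Two wording nits: the opening line reads better as "This is not libsecp256k1-zkp's changelog.", and in the 0.2.0 Changed section "improper use of ECDSA signing API" wants "the ECDSA signing API".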