Squashed 'src/secp256k1/' changes from 4187a46649..51d2ecd6e9

hebasto · hebasto · commit eb3b9cc61274 · 2025-06-05T20:27:25.000+01:00
51d2ecd6e9 cmake: add a helper for linking into static libs 201b2b8f06 Merge bitcoin-core/secp256k1#1675: cmake: Bump minimum required CMake version to 3.22 3af71987a8 cmake: Bump minimum required CMake version to 3.22 92394476e9 Merge bitcoin-core/secp256k1#1673: Assert field magnitude at control-flow join 3a4f448cb4 Assert field magnitude at control-flow join 9fab425256 Merge bitcoin-core/secp256k1#1668: bench_ecmult: add benchmark for ecmult_const_xonly 05445377f4 bench_ecmult: add benchmark for ecmult_const_xonly bb597b3d39 Merge bitcoin-core/secp256k1#1670: tests: update wycheproof files d73ed99479 tests: update wycheproof files git-subtree-dir: src/secp256k1 git-subtree-split: 51d2ecd6e9f8ec1048d04fae34c2430c749d3bff
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -115,7 +115,7 @@ We strongly recommend updating to 0.3.1 if you use or plan to use Clang >=14 to
  - Fix "constant-timeness" issue with Clang >=14 that could leave applications using libsecp256k1 vulnerable to a timing side-channel attack. The fix avoids secret-dependent control flow and secret-dependent memory accesses in conditional moves of memory objects when libsecp256k1 is compiled with Clang >=14.
 
 #### Added
-  - Added tests against [Project Wycheproof's](https://github.com/google/wycheproof/) set of ECDSA test vectors (Bitcoin "low-S" variant), a fixed set of test cases designed to trigger various edge cases.
+  - Added tests against [Project Wycheproof's](https://github.com/C2SP/wycheproof/) set of ECDSA test vectors (Bitcoin "low-S" variant), a fixed set of test cases designed to trigger various edge cases.
 
 #### Changed
  - Increased minimum required CMake version to 3.13. CMake builds remain experimental.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -1,4 +1,4 @@
-cmake_minimum_required(VERSION 3.16)
+cmake_minimum_required(VERSION 3.22)
 
 #=============================
 # Project / Package metadata
@@ -15,17 +15,6 @@ project(libsecp256k1
 enable_testing()
 list(APPEND CMAKE_MODULE_PATH ${PROJECT_SOURCE_DIR}/cmake)
 
-if(CMAKE_VERSION VERSION_LESS 3.21)
-  # Emulates CMake 3.21+ behavior.
-  if(CMAKE_SOURCE_DIR STREQUAL CMAKE_CURRENT_SOURCE_DIR)
-    set(PROJECT_IS_TOP_LEVEL ON)
-    set(${PROJECT_NAME}_IS_TOP_LEVEL ON)
-  else()
-    set(PROJECT_IS_TOP_LEVEL OFF)
-    set(${PROJECT_NAME}_IS_TOP_LEVEL OFF)
-  endif()
-endif()
-
 # The library version is based on libtool versioning of the ABI. The set of
 # rules for updating the version can be found here:
 # https://www.gnu.org/software/libtool/manual/html_node/Updating-version-info.html
diff --git a/CMakePresets.json b/CMakePresets.json
@@ -1,5 +1,4 @@
 {
-  "cmakeMinimumRequired": {"major": 3, "minor": 21, "patch": 0}, 
   "version": 3,
   "configurePresets": [
     {
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
@@ -10,13 +10,19 @@ add_library(secp256k1_precomputed OBJECT EXCLUDE_FROM_ALL
 # from being exported.
 add_library(secp256k1 secp256k1.c $<TARGET_OBJECTS:secp256k1_precomputed>)
 
+# Create a helper lib that parent projects can use to link secp256k1 into a
+# static lib.
+add_library(secp256k1_objs INTERFACE)
+target_sources(secp256k1_objs INTERFACE $<TARGET_OBJECTS:secp256k1> $<TARGET_OBJECTS:secp256k1_precomputed>)
+
 add_library(secp256k1_asm INTERFACE)
 if(SECP256K1_ASM STREQUAL "arm32")
   add_library(secp256k1_asm_arm OBJECT EXCLUDE_FROM_ALL)
   target_sources(secp256k1_asm_arm PUBLIC
     asm/field_10x26_arm.s
   )
   target_sources(secp256k1 PRIVATE $<TARGET_OBJECTS:secp256k1_asm_arm>)
+  target_sources(secp256k1_objs INTERFACE $<TARGET_OBJECTS:secp256k1_asm_arm>)
   target_link_libraries(secp256k1_asm INTERFACE secp256k1_asm_arm)
 endif()
 
@@ -31,12 +37,21 @@ endif()
 get_target_property(use_pic secp256k1 POSITION_INDEPENDENT_CODE)
 set_target_properties(secp256k1_precomputed PROPERTIES POSITION_INDEPENDENT_CODE ${use_pic})
 
-target_include_directories(secp256k1 INTERFACE
-  # Add the include path for parent projects so that they don't have to manually add it.
+# Add the include path for parent projects so that they don't have to manually add it.
+set(_include_directory_for_parent_projects
   $<BUILD_INTERFACE:$<$<NOT:$<BOOL:${PROJECT_IS_TOP_LEVEL}>>:${PROJECT_SOURCE_DIR}/include>>
+)
+
+target_include_directories(secp256k1 INTERFACE
+  ${_include_directory_for_parent_projects}
   $<INSTALL_INTERFACE:${CMAKE_INSTALL_INCLUDEDIR}>
 )
 
+target_include_directories(secp256k1_objs INTERFACE
+  ${_include_directory_for_parent_projects}
+)
+unset(_include_directory_for_parent_projects)
+
 # This emulates Libtool to make sure Libtool and CMake agree on the ABI version,
 # see below "Calculate the version variables" in build-aux/ltmain.sh.
 math(EXPR ${PROJECT_NAME}_soversion "${${PROJECT_NAME}_LIB_VERSION_CURRENT} - ${${PROJECT_NAME}_LIB_VERSION_AGE}")
@@ -48,20 +63,12 @@ if(CMAKE_SYSTEM_NAME STREQUAL "Linux")
     VERSION ${${PROJECT_NAME}_soversion}.${${PROJECT_NAME}_LIB_VERSION_AGE}.${${PROJECT_NAME}_LIB_VERSION_REVISION}
   )
 elseif(APPLE)
-  if(CMAKE_VERSION VERSION_GREATER_EQUAL 3.17)
-    math(EXPR ${PROJECT_NAME}_compatibility_version "${${PROJECT_NAME}_LIB_VERSION_CURRENT} + 1")
-    set_target_properties(secp256k1 PROPERTIES
-      MACHO_COMPATIBILITY_VERSION ${${PROJECT_NAME}_compatibility_version}
-      MACHO_CURRENT_VERSION ${${PROJECT_NAME}_compatibility_version}.${${PROJECT_NAME}_LIB_VERSION_REVISION}
-    )
-    unset(${PROJECT_NAME}_compatibility_version)
-  elseif(BUILD_SHARED_LIBS)
-    message(WARNING
-      "The 'compatibility version' and 'current version' values of the DYLIB "
-      "will diverge from the values set by the GNU Libtool. To ensure "
-      "compatibility, it is recommended to upgrade CMake to at least version 3.17."
-    )
-  endif()
+  math(EXPR ${PROJECT_NAME}_compatibility_version "${${PROJECT_NAME}_LIB_VERSION_CURRENT} + 1")
+  set_target_properties(secp256k1 PROPERTIES
+    MACHO_COMPATIBILITY_VERSION ${${PROJECT_NAME}_compatibility_version}
+    MACHO_CURRENT_VERSION ${${PROJECT_NAME}_compatibility_version}.${${PROJECT_NAME}_LIB_VERSION_REVISION}
+  )
+  unset(${PROJECT_NAME}_compatibility_version)
 elseif(CMAKE_SYSTEM_NAME STREQUAL "Windows")
   set(${PROJECT_NAME}_windows "secp256k1")
   if(MSVC)
diff --git a/src/bench_ecmult.c b/src/bench_ecmult.c
@@ -56,6 +56,7 @@ typedef struct {
 
     /* Benchmark output. */
     secp256k1_gej* output;
+    secp256k1_fe* output_xonly;
 } bench_data;
 
 /* Hashes x into [0, POINTS) twice and store the result in offset1 and offset2. */
@@ -123,6 +124,32 @@ static void bench_ecmult_const_teardown(void* arg, int iters) {
     bench_ecmult_teardown_helper(data, &data->offset1, &data->offset2, NULL, iters);
 }
 
+static void bench_ecmult_const_xonly(void* arg, int iters) {
+    bench_data* data = (bench_data*)arg;
+    int i;
+
+    for (i = 0; i < iters; ++i) {
+        const secp256k1_ge* pubkey = &data->pubkeys[(data->offset1+i) % POINTS];
+        const secp256k1_scalar* scalar = &data->scalars[(data->offset2+i) % POINTS];
+        int known_on_curve = 1;
+        secp256k1_ecmult_const_xonly(&data->output_xonly[i], &pubkey->x, NULL, scalar, known_on_curve);
+    }
+}
+
+static void bench_ecmult_const_xonly_teardown(void* arg, int iters) {
+    bench_data* data = (bench_data*)arg;
+    int i;
+
+    /* verify by comparing with x coordinate of regular ecmult result */
+    for (i = 0; i < iters; ++i) {
+        const secp256k1_gej* pubkey_gej = &data->pubkeys_gej[(data->offset1+i) % POINTS];
+        const secp256k1_scalar* scalar = &data->scalars[(data->offset2+i) % POINTS];
+        secp256k1_gej expected_gej;
+        secp256k1_ecmult(&expected_gej, pubkey_gej, scalar, NULL);
+        CHECK(secp256k1_gej_eq_x_var(&data->output_xonly[i], &expected_gej));
+    }
+}
+
 static void bench_ecmult_1p(void* arg, int iters) {
     bench_data* data = (bench_data*)arg;
     int i;
@@ -171,6 +198,8 @@ static void run_ecmult_bench(bench_data* data, int iters) {
     run_benchmark(str, bench_ecmult_gen, bench_ecmult_setup, bench_ecmult_gen_teardown, data, 10, iters);
     sprintf(str, "ecmult_const");
     run_benchmark(str, bench_ecmult_const, bench_ecmult_setup, bench_ecmult_const_teardown, data, 10, iters);
+    sprintf(str, "ecmult_const_xonly");
+    run_benchmark(str, bench_ecmult_const_xonly, bench_ecmult_setup, bench_ecmult_const_xonly_teardown, data, 10, iters);
     /* ecmult with non generator point */
     sprintf(str, "ecmult_1p");
     run_benchmark(str, bench_ecmult_1p, bench_ecmult_setup, bench_ecmult_1p_teardown, data, 10, iters);
@@ -319,6 +348,7 @@ int main(int argc, char **argv) {
     data.pubkeys_gej = malloc(sizeof(secp256k1_gej) * POINTS);
     data.expected_output = malloc(sizeof(secp256k1_gej) * (iters + 1));
     data.output = malloc(sizeof(secp256k1_gej) * (iters + 1));
+    data.output_xonly = malloc(sizeof(secp256k1_fe) * (iters + 1));
 
     /* Generate a set of scalars, and private/public keypairs. */
     secp256k1_gej_set_ge(&data.pubkeys_gej[0], &secp256k1_ge_const_g);
@@ -361,6 +391,7 @@ int main(int argc, char **argv) {
     free(data.pubkeys);
     free(data.pubkeys_gej);
     free(data.seckeys);
+    free(data.output_xonly);
     free(data.output);
     free(data.expected_output);
 
diff --git a/src/ecmult_const_impl.h b/src/ecmult_const_impl.h
@@ -373,6 +373,8 @@ static int secp256k1_ecmult_const_xonly(secp256k1_fe* r, const secp256k1_fe *n,
         }
     }
 
+    SECP256K1_FE_VERIFY_MAGNITUDE(&g, 2);
+
     /* Compute base point P = (n*g, g^2), the effective affine version of (n*g, g^2, v), which has
      * corresponding affine X coordinate n/d. */
     secp256k1_fe_mul(&p.x, &g, n);
diff --git a/src/wycheproof/WYCHEPROOF_COPYING b/src/wycheproof/WYCHEPROOF_COPYING
@@ -1,12 +1,12 @@
 * The file `ecdsa_secp256k1_sha256_bitcoin_test.json` in this directory
-  comes from Google's project Wycheproof with git commit
-  `b063b4aedae951c69df014cd25fa6d69ae9e8cb9`, see
-  https://github.com/google/wycheproof/blob/b063b4aedae951c69df014cd25fa6d69ae9e8cb9/testvectors_v1/ecdsa_secp256k1_sha256_bitcoin_test.json
+  comes from project Wycheproof with git commit
+  `df4e933efef449fc88af0c06e028d425d84a9495`, see
+  https://github.com/C2SP/wycheproof/blob/df4e933efef449fc88af0c06e028d425d84a9495/testvectors_v1/ecdsa_secp256k1_sha256_bitcoin_test.json
 
 * The file `ecdh_secp256k1_test.json` in this directory
-  comes from Google's project Wycheproof with git commit
-  `d9f6ec7d8bd8c96da05368999094e4a75ba5cb3d`, see
-  https://github.com/google/wycheproof/blob/d9f6ec7d8bd8c96da05368999094e4a75ba5cb3d/testvectors_v1/ecdh_secp256k1_test.json
+  comes from project Wycheproof with git commit
+  `df4e933efef449fc88af0c06e028d425d84a9495`, see
+  https://github.com/C2SP/wycheproof/blob/df4e933efef449fc88af0c06e028d425d84a9495/testvectors_v1/ecdh_secp256k1_test.json
 
 * The file `ecdsa_secp256k1_sha256_bitcoin_test.h` is generated from
   `ecdsa_secp256k1_sha256_bitcoin_test.json` using the script
diff --git a/src/wycheproof/ecdh_secp256k1_test.json b/src/wycheproof/ecdh_secp256k1_test.json
@@ -1,7 +1,6 @@
 {
   "algorithm" : "ECDH",
   "schema" : "ecdh_test_schema.json",
-  "generatorVersion" : "0.9rc5",
   "numberOfTests" : 752,
   "header" : [
     "Test vectors of type EcdhTest are intended for",
@@ -124,6 +123,10 @@
   "testGroups" : [
     {
       "type" : "EcdhTest",
+      "source" : {
+        "name" : "google-wycheproof",
+        "version" : "0.9rc5"
+      },
       "curve" : "secp256k1",
       "encoding" : "asn",
       "tests" : [
diff --git a/src/wycheproof/ecdsa_secp256k1_sha256_bitcoin_test.json b/src/wycheproof/ecdsa_secp256k1_sha256_bitcoin_test.json
@@ -10,7 +10,7 @@
   "notes" : {
     "ArithmeticError" : {
       "bugType" : "EDGE_CASE",
-      "description" : "Some implementations of ECDSA have arithmetic errors that occur when intermediate results have extreme values. This test vector has been constructed to test such occurences.",
+      "description" : "Some implementations of ECDSA have arithmetic errors that occur when intermediate results have extreme values. This test vector has been constructed to test such occurrences.",
       "cves" : [
         "CVE-2017-18146"
       ]
@@ -95,7 +95,7 @@
     },
     "SignatureMalleabilityBitcoin" : {
       "bugType" : "SIGNATURE_MALLEABILITY",
-      "description" : "\"BitCoins\"-curves are curves where signature malleability can be a serious issue. An implementation should only accept a signature s where s < n/2. If an implementation is not meant for uses cases that require signature malleability then this implemenation should be tested with another set of test vectors.",
+      "description" : "\"BitCoins\"-curves are curves where signature malleability can be a serious issue. An implementation should only accept a signature s where s < n/2. If an implementation is not meant for uses cases that require signature malleability then this implementation should be tested with another set of test vectors.",
       "effect" : "In bitcoin exchanges, it may be used to make a double deposits or double withdrawals",
       "links" : [
         "https://en.bitcoin.it/wiki/Transaction_malleability",

Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,4 @@`
`1`	`1`	`{`
`2`		`- "cmakeMinimumRequired": {"major": 3, "minor": 21, "patch": 0},`
`3`	`2`	`"version": 3,`
`4`	`3`	`"configurePresets": [`
`5`	`4`	`{`
Original file line number	Diff line number	Diff line change
`@@ -373,6 +373,8 @@ static int secp256k1_ecmult_const_xonly(secp256k1_fe* r, const secp256k1_fe *n,`
`373`	`373`	`}`
`374`	`374`	`}`
`375`	`375`
	`376`	`+ SECP256K1_FE_VERIFY_MAGNITUDE(&g, 2);`
	`377`	`+`
`376`	`378`	`/* Compute base point P = (ng, g^2), the effective affine version of (ng, g^2, v), which has`
`377`	`379`	`* corresponding affine X coordinate n/d. */`
`378`	`380`	`secp256k1_fe_mul(&p.x, &g, n);`