author | fanquake <fanquake@gmail.com> | 2022-04-06 20:20:30 +0100 |
committer | fanquake <fanquake@gmail.com> | 2022-04-06 20:20:30 +0100 |
commit | afb7a6fe06a33956ef43429d31f5934448f6e671 (patch) | |
tree | 1df8d9a97705fe9a2a3e0bbeb030e9de22739633 /src/modules/schnorrsig/tests_impl.h | |
parent | 86dbc4d075decb82fbba837aaa283cf0561897ad (diff) | |
download | bitcoin-afb7a6fe06a33956ef43429d31f5934448f6e671.tar.xz |
Squashed 'src/secp256k1/' changes from 0559fc6e41..8746600eec
8746600eec Merge bitcoin-core/secp256k1#1093: hash: Make code agnostic of endianness
37d36927df tests: Add tests for _read_be32 and _write_be32
912b7ccc44 Merge bitcoin-core/secp256k1#1094: doc: Clarify configure flags for optional modules
55512d30b7 doc: clean up module help text in configure.ac
d9d94a9969 doc: mention optional modules in README
616b43dd3b util: Remove endianness detection
8d89b9e6e5 hash: Make code agnostic of endianness
d0ad5814a5 Merge bitcoin-core/secp256k1#995: build: stop treating schnorrsig, extrakeys modules as experimental
1ac7e31c5b Merge bitcoin-core/secp256k1#1089: Schnorrsig API improvements
587239dbe3 Merge bitcoin-core/secp256k1#731: Change SHA256 byte counter from size_t to uint64_t
f8d9174357 Add SHA256 bit counter tests
7f09d0f311 README: mention that ARM assembly is experimental
b8f8b99f0f docs: Fix return value for functions that don't have invalid inputs
f813bb0df3 schnorrsig: Adapt example to new API
99e6568fc6 schnorrsig: Rename schnorrsig_sign to schnorsig_sign32 and deprecate
fc94a2da44 Use SECP256K1_DEPRECATED for existing deprecated API functions
3db0560606 Add SECP256K1_DEPRECATED attribute for marking API parts as deprecated
80cf4eea5f build: stop treating schnorrsig, extrakeys modules as experimental
e0508ee9db Merge bitcoin-core/secp256k1#1090: configure: Remove redundant pkg-config code
21b2ebaf74 configure: Remove redundant pkg-config code
0e5cbd01b3 Merge bitcoin-core/secp256k1#1088: configure: Use modern way to set AR
0d253d52e8 configure: Use modern way to set AR
9b514ce1d2 Add test vector for very long SHA256 messages
8e3dde1137 Simplify struct initializer for SHA256 padding
eb28464a8b Change SHA256 byte counter from size_t to uint64_t
ac83be33d0 Merge bitcoin-core/secp256k1#1079: configure: Add hidden --enable-dev-mode to enable all the stuff
e0838d663d configure: Add hidden --enable-dev-mode to enable all the stuff
fabd579dfa configure: Remove redundant code that sets _enable variables
0d4226c051 configure: Use canonical variable prefix _enable consistently
64b34979ed Merge bitcoin-core/secp256k1#748: Add usage examples
7c9502cece Add a copy of the CC0 license to the examples
42e03432e6 Add usage examples to the readme
517644eab1 Optionally compile the examples in autotools, compile+run in travis
422a7cc86a Add a ecdh shared secret example
b0cfbcc143 Add a Schnorr signing and verifying example
fee7d4bf9e Add an ECDSA signing and verifying example
1253a27756 Merge bitcoin-core/secp256k1#1033: Add _fe_half and use in _gej_add_ge and _gej_double
3ef94aa5ba Merge bitcoin-core/secp256k1#1026: ecdh: Add test computing shared_secret=basepoint with random inputs
3531a43b5b ecdh: Make generator_basepoint test depend on global iteration count
c881dd49bd ecdh: Add test computing shared_secret=basepoint with random inputs
077528317d Merge bitcoin-core/secp256k1#1074: ci: Retry brew update a few times to avoid random failures
e51ad3b737 ci: Retry `brew update` a few times to avoid random failures
b1cb969e8a ci: Revert "Attempt to make macOS builds more reliable"
5dcc6f8dbd Merge bitcoin-core/secp256k1#1069: build: Replace use of deprecated autoconf macro AC_PROG_CC_C89
59547943d6 Merge bitcoin-core/secp256k1#1072: ci: Attempt to make macOS builds more reliable
85b00a1c65 Merge bitcoin-core/secp256k1#1068: sage: Fix incompatibility with sage 9.4
ebb1beea78 sage: Ensure that constraints are always fastfracs
d8d54859ed ci: Run sage prover on CI
77cfa98dbc sage: Normalize sign of polynomial factors in prover
eae75869cf sage: Exit with non-zero status in case of failures
d9396a56da ci: Attempt to make macOS builds more reliable
e0db3f8a25 build: Replace use of deprecated autoconf macro AC_PROG_CC_C89
e848c3799c Update sage files for new formulae
d64bb5d4f3 Add fe_half tests for worst-case inputs
b54d843eac sage: Fix printing of errors
4eb8b932ff Further improve doubling formula using fe_half
557b31fac3 Doubling formula using fe_half
2cbb4b1a42 Run more iterations of run_field_misc
9cc5c257ed Add test for secp256k1_fe_half
925f78d55e Add _fe_half and use in _gej_add_ge
e108d0039c sage: Fix incompatibility with sage 9.4
d8a2463246 Merge bitcoin-core/secp256k1#899: Reduce stratch space needed by ecmult_strauss_wnaf.
0a40a4861a Merge bitcoin-core/secp256k1#1049: Faster fixed-input ecmult tests
070e772211 Faster fixed-input ecmult tests
c8aa516b57 Merge bitcoin-core/secp256k1#1064: Modulo-reduce msg32 inside RFC6979 nonce fn to match spec. Fixes #1063
b797a500ec Create a SECP256K1_ECMULT_TABLE_VERIFY macro.
a731200cc3 Replace ECMULT_TABLE_GET_GE_STORAGE macro with a function.
fe34d9f341 Eliminate input_pos state field from ecmult_strauss_wnaf.
0397d00ba0 Eliminate na_1 and na_lam state fields from ecmult_strauss_wnaf.
7ba3ffcca0 Remove the unused pre_a_lam allocations.
b3b57ad6ee Eliminate the pre_a_lam array from ecmult_strauss_wnaf.
ae7ba0f922 Remove the unused prej allocations.
e5c18892db Eliminate the prej array from ecmult_strauss_wnaf.
c9da1baad1 Move secp256k1_fe_one to field.h
45f37b6506 Modulo-reduce msg32 inside RFC6979 nonce fn to match spec. Fixes #1063.
a1102b1219 Merge bitcoin-core/secp256k1#1029: Simpler and faster ecdh skew fixup
e82144edfb Fixup skew before global Z fixup
40b624c90b Add tests for _gej_cmov
8c13a9bfe1 ECDH skews by 0 or 1
1515099433 Simpler and faster ecdh skew fixup
39a36db94a Merge bitcoin-core/secp256k1#1054: tests: Fix test whose result is implementation-defined
a310e79ee5 Merge bitcoin-core/secp256k1#1052: Use xoshiro256++ instead of RFC6979 for tests
423b6d19d3 Merge bitcoin-core/secp256k1#964: Add release-process.md
9281c9f4e1 Merge bitcoin-core/secp256k1#1053: ecmult: move `_ecmult_odd_multiples_table_globalz_windowa`
77a19750b4 Use xoshiro256++ PRNG instead of RFC6979 in tests
5f2efe684e secp256k1_testrand_int(2**N) -> secp256k1_testrand_bits(N)
05e049b73c ecmult: move `_ecmult_odd_multiples_table_globalz_windowa`
3d7cbafb5f tests: Fix test whose result is implementation-defined
3ed0d02bf7 doc: add CHANGELOG template
6f42dc16c8 doc: add release_process.md
0bd3e4243c build: set library version to 0.0.0 explicitly
b4b02fd8c4 build: change libsecp version from 0.1 to 0.1.0-pre
09971a3ffd Merge bitcoin-core/secp256k1#1047: ci: Various improvements
0b83b203e1 Merge bitcoin-core/secp256k1#1030: doc: Fix upper bounds + cleanup in field_5x52_impl.h comment
1287786c7a doc: Add comment to top of field_10x26_impl.h
58da5bd589 doc: Fix upper bounds + cleanup in field_5x52_impl.h comment
b39d431aed Merge bitcoin-core/secp256k1#1044: Add another ecmult_multi test
b4ac1a1d5f ci: Run valgrind/memcheck tasks with 2 CPUs
e70acab601 ci: Use Cirrus "greedy" flag to use idle CPU time when available
d07e30176e ci: Update brew on macOS
22382f0ea0 ci: Test different ecmult window sizes
a69df3ad24 Merge bitcoin-core/secp256k1#816: Improve checks at top of _fe_negate methods
22d25c8e0a Add another ecmult_multi test
515e7953ca Improve checks at top of _fe_negate methods
26a022a3a0 ci: Remove STATICPRECOMPUTATION
10461d8bd3 precompute_ecmult: Always compute all tables up to default WINDOW_G
be6944ade9 Merge bitcoin-core/secp256k1#1042: Follow-ups to making all tables fully static
e05da9e480 Fix c++ build
c45386d994 Cleanup preprocessor indentation in precompute{,d}_ecmult{,_gen}
19d96e15f9 Split off .c file from precomputed_ecmult.h
1a6691adae Split off .c file from precomputed_ecmult_gen.h
bb36331412 Simplify precompute_ecmult_print_*
38cd84a0cb Compute ecmult tables at runtime for tests_exhaustive
e458ec26d6 Move ecmult table computation code to separate file
fc1bf9f15f Split ecmult table computation and printing
31feab053b Rename function secp256k1_ecmult_gen_{create_prec -> compute}_table
725370c3f2 Rename ecmult_gen_prec -> ecmult_gen_compute_table
075252c1b7 Rename ecmult_static_pre_g -> precomputed_ecmult
7cf47f72bc Rename ecmult_gen_static_prec_table -> precomputed_ecmult_gen
f95b8106d0 Rename gen_ecmult_static_pre_g -> precompute_ecmult
bae77685eb Rename gen_ecmult_gen_static_prec_table -> precompute_ecmult_gen
git-subtree-dir: src/secp256k1
git-subtree-split: 8746600eec5e7fcd35dabd480839a3a4bdfee87b
Diffstat (limited to 'src/modules/schnorrsig/tests_impl.h')
-rw-r--r-- | src/modules/schnorrsig/tests_impl.h | 43 |
1 files changed, 23 insertions, 20 deletions
diff --git a/src/modules/schnorrsig/tests_impl.h b/src/modules/schnorrsig/tests_impl.h
index 2efec8a2b9..25840b8fa7 100644
--- a/src/modules/schnorrsig/tests_impl.h
+++ b/src/modules/schnorrsig/tests_impl.h
@@ -87,7 +87,7 @@ void run_nonce_function_bip340_tests(void) {
     CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, NULL, 0, NULL) == 0);
     CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
     /* Other algo is fine */
-    secp256k1_rfc6979_hmac_sha256_generate(&secp256k1_test_rng, algo, algolen);
+    secp256k1_testrand_bytes_test(algo, algolen);
     CHECK(nonce_function_bip340(nonce, msg, msglen, key, pk, algo, algolen, NULL) == 1);
     for (i = 0; i < count; i++) {
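Review bot: The CHECK following the new `secp256k1_testrand_bytes_test(algo, algolen)` only confirms that an arbitrary algo tag is accepted (return value 1), so a nonce function that ignored the algo parameter altogether would still pass this test. If a copy of the nonce produced with the canonical algo is kept in a separate buffer earlier in the function, a comparison such as `CHECK(secp256k1_memcmp_var(nonce, NONCE_CANONICAL_PLACEHOLDER, 32) != 0);` after the last CHECK in the hunk would pin that the tag actually enters the hash (the buffer name is a placeholder; the earlier lines are not visible here). The probability of the test-pattern bytes coinciding with the canonical tag is negligible, so the inequality is safe to assert. run_nonce_function_bip340_tests starts before this hunk and continues after it.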
@@ -160,21 +160,21 @@ void test_schnorrsig_api(void) {
     /** main test body **/
     ecount = 0;
-    CHECK(secp256k1_schnorrsig_sign(none, sig, msg, &keypairs[0], NULL) == 1);
+    CHECK(secp256k1_schnorrsig_sign32(none, sig, msg, &keypairs[0], NULL) == 1);
     CHECK(ecount == 0);
-    CHECK(secp256k1_schnorrsig_sign(vrfy, sig, msg, &keypairs[0], NULL) == 1);
+    CHECK(secp256k1_schnorrsig_sign32(vrfy, sig, msg, &keypairs[0], NULL) == 1);
     CHECK(ecount == 0);
-    CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, &keypairs[0], NULL) == 1);
+    CHECK(secp256k1_schnorrsig_sign32(sign, sig, msg, &keypairs[0], NULL) == 1);
     CHECK(ecount == 0);
-    CHECK(secp256k1_schnorrsig_sign(sign, NULL, msg, &keypairs[0], NULL) == 0);
+    CHECK(secp256k1_schnorrsig_sign32(sign, NULL, msg, &keypairs[0], NULL) == 0);
     CHECK(ecount == 1);
-    CHECK(secp256k1_schnorrsig_sign(sign, sig, NULL, &keypairs[0], NULL) == 0);
+    CHECK(secp256k1_schnorrsig_sign32(sign, sig, NULL, &keypairs[0], NULL) == 0);
     CHECK(ecount == 2);
-    CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, NULL, NULL) == 0);
+    CHECK(secp256k1_schnorrsig_sign32(sign, sig, msg, NULL, NULL) == 0);
     CHECK(ecount == 3);
-    CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, &invalid_keypair, NULL) == 0);
+    CHECK(secp256k1_schnorrsig_sign32(sign, sig, msg, &invalid_keypair, NULL) == 0);
     CHECK(ecount == 4);
-    CHECK(secp256k1_schnorrsig_sign(sttc, sig, msg, &keypairs[0], NULL) == 0);
+    CHECK(secp256k1_schnorrsig_sign32(sttc, sig, msg, &keypairs[0], NULL) == 0);
     CHECK(ecount == 5);
     ecount = 0;
@@ -202,7 +202,7 @@ void test_schnorrsig_api(void) {
     CHECK(ecount == 6);
     ecount = 0;
-    CHECK(secp256k1_schnorrsig_sign(sign, sig, msg, &keypairs[0], NULL) == 1);
+    CHECK(secp256k1_schnorrsig_sign32(sign, sig, msg, &keypairs[0], NULL) == 1);
     CHECK(secp256k1_schnorrsig_verify(none, sig, msg, sizeof(msg), &pk[0]) == 1);
     CHECK(ecount == 0);
     CHECK(secp256k1_schnorrsig_verify(sign, sig, msg, sizeof(msg), &pk[0]) == 1);
@@ -247,7 +247,7 @@ void test_schnorrsig_bip_vectors_check_signing(const unsigned char *sk, const un
     secp256k1_xonly_pubkey pk, pk_expected;
     CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
-    CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg32, &keypair, aux_rand));
+    CHECK(secp256k1_schnorrsig_sign32(ctx, sig, msg32, &keypair, aux_rand));
     CHECK(secp256k1_memcmp_var(sig, expected_sig, 64) == 0);
     CHECK(secp256k1_xonly_pubkey_parse(ctx, &pk_expected, pk_serialized));
@@ -740,8 +740,11 @@ void test_schnorrsig_sign(void) {
     secp256k1_testrand256(aux_rand);
     CHECK(secp256k1_keypair_create(ctx, &keypair, sk));
     CHECK(secp256k1_keypair_xonly_pub(ctx, &pk, NULL, &keypair));
-    CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, NULL) == 1);
+    CHECK(secp256k1_schnorrsig_sign32(ctx, sig, msg, &keypair, NULL) == 1);
     CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &pk));
+    /* Check that deprecated alias gives the same result */
+    CHECK(secp256k1_schnorrsig_sign(ctx, sig2, msg, &keypair, NULL) == 1);
+    CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0);
     /* Test different nonce functions */
     CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
@@ -764,7 +767,7 @@ void test_schnorrsig_sign(void) {
     extraparams.noncefp = NULL;
     extraparams.ndata = aux_rand;
     CHECK(secp256k1_schnorrsig_sign_custom(ctx, sig, msg, sizeof(msg), &keypair, &extraparams) == 1);
-    CHECK(secp256k1_schnorrsig_sign(ctx, sig2, msg, &keypair, extraparams.ndata) == 1);
+    CHECK(secp256k1_schnorrsig_sign32(ctx, sig2, msg, &keypair, extraparams.ndata) == 1);
     CHECK(secp256k1_memcmp_var(sig, sig2, sizeof(sig)) == 0);
 }
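Review bot: The added `secp256k1_schnorrsig_sign(ctx, sig2, msg, &keypair, NULL)` call in the @@ -740 hunk deliberately invokes an API that the same change set marks deprecated (commits fc94a2da44 and 99e6568fc6 in the message), so it compiles warning-free only if the deprecation attribute is inactive for the library's own test build — presumably gated on SECP256K1_BUILD, but that is not visible here and should be confirmed, since an unconditional attribute would trip -Wdeprecated-declarations under any -Werror configuration. The intent deserves a comment on the line, e.g. `/* Intentionally calls the deprecated alias; relies on SECP256K1_DEPRECATED being a no-op in the library's own build. */`. The following `secp256k1_memcmp_var(sig, sig2, sizeof(sig))` also assumes sig2 is declared with the same 64-byte size as sig; that declaration, like the rest of test_schnorrsig_sign, lies outside the hunk. The comparison itself is sound because both calls pass a NULL aux_rand, which makes BIP340 signing deterministic.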
@@ -787,7 +790,7 @@ void test_schnorrsig_sign_verify(void) {
     for (i = 0; i < N_SIGS; i++) {
         secp256k1_testrand256(msg[i]);
-        CHECK(secp256k1_schnorrsig_sign(ctx, sig[i], msg[i], &keypair, NULL));
+        CHECK(secp256k1_schnorrsig_sign32(ctx, sig[i], msg[i], &keypair, NULL));
         CHECK(secp256k1_schnorrsig_verify(ctx, sig[i], msg[i], sizeof(msg[i]), &pk));
     }
@@ -795,18 +798,18 @@ void test_schnorrsig_sign_verify(void) {
         /* Flip a few bits in the signature and in the message and check that
          * verify and verify_batch (TODO) fail */
         size_t sig_idx = secp256k1_testrand_int(N_SIGS);
-        size_t byte_idx = secp256k1_testrand_int(32);
+        size_t byte_idx = secp256k1_testrand_bits(5);
         unsigned char xorbyte = secp256k1_testrand_int(254)+1;
         sig[sig_idx][byte_idx] ^= xorbyte;
         CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
         sig[sig_idx][byte_idx] ^= xorbyte;
-        byte_idx = secp256k1_testrand_int(32);
+        byte_idx = secp256k1_testrand_bits(5);
         sig[sig_idx][32+byte_idx] ^= xorbyte;
         CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
         sig[sig_idx][32+byte_idx] ^= xorbyte;
-        byte_idx = secp256k1_testrand_int(32);
+        byte_idx = secp256k1_testrand_bits(5);
         msg[sig_idx][byte_idx] ^= xorbyte;
         CHECK(!secp256k1_schnorrsig_verify(ctx, sig[sig_idx], msg[sig_idx], sizeof(msg[sig_idx]), &pk));
         msg[sig_idx][byte_idx] ^= xorbyte;
@@ -816,13 +819,13 @@ void test_schnorrsig_sign_verify(void) {
     }
     /* Test overflowing s */
-    CHECK(secp256k1_schnorrsig_sign(ctx, sig[0], msg[0], &keypair, NULL));
+    CHECK(secp256k1_schnorrsig_sign32(ctx, sig[0], msg[0], &keypair, NULL));
     CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
     memset(&sig[0][32], 0xFF, 32);
     CHECK(!secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
     /* Test negative s */
-    CHECK(secp256k1_schnorrsig_sign(ctx, sig[0], msg[0], &keypair, NULL));
+    CHECK(secp256k1_schnorrsig_sign32(ctx, sig[0], msg[0], &keypair, NULL));
     CHECK(secp256k1_schnorrsig_verify(ctx, sig[0], msg[0], sizeof(msg[0]), &pk));
     secp256k1_scalar_set_b32(&s, &sig[0][32], NULL);
     secp256k1_scalar_negate(&s, &s);
@@ -873,7 +876,7 @@ void test_schnorrsig_taproot(void) {
     /* Key spend */
     secp256k1_testrand256(msg);
-    CHECK(secp256k1_schnorrsig_sign(ctx, sig, msg, &keypair, NULL) == 1);
+    CHECK(secp256k1_schnorrsig_sign32(ctx, sig, msg, &keypair, NULL) == 1);
     /* Verify key spend */
     CHECK(secp256k1_xonly_pubkey_parse(ctx, &output_pk, output_pk_bytes) == 1);
     CHECK(secp256k1_schnorrsig_verify(ctx, sig, msg, sizeof(msg), &output_pk) == 1);