Merge rust-bitcoin#670: fix incorrect FFI binding for pubkey_combine

3373cc9 secp256k1-sys: update all symbols from 0.9.1 to 0.9.2 (Andrew Poelstra)
484e5d8 fix incorrect FFI binding for pubkey_combine (Andrew Poelstra)

Pull request description:

  Fixes rust-bitcoin#669.

  Needs backport.

ACKs for top commit:
  Kixunil:
    ACK 3373cc9

Tree-SHA512: 602a5baa8095cc744a341d64e300185bce26c8c56e7a538d3b17c7ca4c98cb3244217cd34169e1e69dc904a9f9f28ed75fe096ffa95ea42d1ad3456d395f7ce5

Cargo-minimal.lock

@@ -273,7 +273,7 @@ dependencies = [
 
 [[package]]
 name = "secp256k1-sys"
-version = "0.9.1"
+version = "0.9.2"
 dependencies = [
  "cc",
  "libc",

Cargo-recent.lock

@@ -194,7 +194,7 @@ dependencies = [
 
 [[package]]
 name = "secp256k1-sys"
-version = "0.9.1"
+version = "0.9.2"
 dependencies = [
  "cc",
  "libc",

secp256k1-sys/CHANGELOG.md

@@ -1,3 +1,7 @@
+# 0.9.2 - 2023-12-18
+
+* Fix incorrect FFI binding for `secp256k1_pubkey_combine`
+
 # 0.9.1 - 2023-12-07
 
 * Patch out any instances of printf in upstream [#663](https://github.com/rust-bitcoin/rust-secp256k1/pull/663)

secp256k1-sys/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "secp256k1-sys"
-version = "0.9.1"
+version = "0.9.2"
 authors = [ "Dawid Ciężarkiewicz <[email protected]>",
             "Andrew Poelstra <[email protected]>",
             "Steven Roose <[email protected]>" ]
@@ -12,7 +12,7 @@ description = "FFI for Pieter Wuille's `libsecp256k1` library."
 keywords = [ "secp256k1", "libsecp256k1", "ffi" ]
 readme = "README.md"
 build = "build.rs"
-links = "rustsecp256k1_v0_9_1"
+links = "rustsecp256k1_v0_9_2"
 edition = "2018"
 
 [package.metadata.docs.rs]

secp256k1-sys/depend/secp256k1/Makefile.am

@@ -6,7 +6,7 @@ AM_CFLAGS = $(SECP_CFLAGS)
 
 lib_LTLIBRARIES = libsecp256k1.la
 include_HEADERS = include/secp256k1.h
-include_HEADERS += include/rustsecp256k1_v0_9_1_preallocated.h
+include_HEADERS += include/rustsecp256k1_v0_9_2_preallocated.h
 noinst_HEADERS =
 noinst_HEADERS += src/scalar.h
 noinst_HEADERS += src/scalar_4x64.h
@@ -63,22 +63,22 @@ noinst_HEADERS += src/hash_impl.h
 noinst_HEADERS += src/field.h
 noinst_HEADERS += src/field_impl.h
 noinst_HEADERS += src/bench.h
-noinst_HEADERS += src/wycheproof/ecdsa_rustsecp256k1_v0_9_1_sha256_bitcoin_test.h
+noinst_HEADERS += src/wycheproof/ecdsa_rustsecp256k1_v0_9_2_sha256_bitcoin_test.h
 noinst_HEADERS += contrib/lax_der_parsing.h
 noinst_HEADERS += contrib/lax_der_parsing.c
 noinst_HEADERS += contrib/lax_der_privatekey_parsing.h
 noinst_HEADERS += contrib/lax_der_privatekey_parsing.c
 noinst_HEADERS += examples/examples_util.h
 
-PRECOMPUTED_LIB = librustsecp256k1_v0_9_1_precomputed.la
+PRECOMPUTED_LIB = librustsecp256k1_v0_9_2_precomputed.la
 noinst_LTLIBRARIES = $(PRECOMPUTED_LIB)
-librustsecp256k1_v0_9_1_precomputed_la_SOURCES =  src/precomputed_ecmult.c src/precomputed_ecmult_gen.c
-# We need `-I$(top_srcdir)/src` in VPATH builds if librustsecp256k1_v0_9_1_precomputed_la_SOURCES have been recreated in the build tree.
+librustsecp256k1_v0_9_2_precomputed_la_SOURCES =  src/precomputed_ecmult.c src/precomputed_ecmult_gen.c
+# We need `-I$(top_srcdir)/src` in VPATH builds if librustsecp256k1_v0_9_2_precomputed_la_SOURCES have been recreated in the build tree.
 # This helps users and packagers who insist on recreating the precomputed files (e.g., Gentoo).
-librustsecp256k1_v0_9_1_precomputed_la_CPPFLAGS = -I$(top_srcdir)/src $(SECP_CONFIG_DEFINES)
+librustsecp256k1_v0_9_2_precomputed_la_CPPFLAGS = -I$(top_srcdir)/src $(SECP_CONFIG_DEFINES)
 
 if USE_EXTERNAL_ASM
-COMMON_LIB = librustsecp256k1_v0_9_1_common.la
+COMMON_LIB = librustsecp256k1_v0_9_2_common.la
 else
 COMMON_LIB =
 endif
@@ -89,14 +89,14 @@ pkgconfig_DATA = libsecp256k1.pc
 
 if USE_EXTERNAL_ASM
 if USE_ASM_ARM
-librustsecp256k1_v0_9_1_common_la_SOURCES = src/asm/field_10x26_arm.s
+librustsecp256k1_v0_9_2_common_la_SOURCES = src/asm/field_10x26_arm.s
 endif
 endif
 
-librustsecp256k1_v0_9_1_la_SOURCES = src/secp256k1.c
-librustsecp256k1_v0_9_1_la_CPPFLAGS = $(SECP_CONFIG_DEFINES)
-librustsecp256k1_v0_9_1_la_LIBADD = $(COMMON_LIB) $(PRECOMPUTED_LIB)
-librustsecp256k1_v0_9_1_la_LDFLAGS = -no-undefined -version-info $(LIB_VERSION_CURRENT):$(LIB_VERSION_REVISION):$(LIB_VERSION_AGE)
+librustsecp256k1_v0_9_2_la_SOURCES = src/secp256k1.c
+librustsecp256k1_v0_9_2_la_CPPFLAGS = $(SECP_CONFIG_DEFINES)
+librustsecp256k1_v0_9_2_la_LIBADD = $(COMMON_LIB) $(PRECOMPUTED_LIB)
+librustsecp256k1_v0_9_2_la_LDFLAGS = -no-undefined -version-info $(LIB_VERSION_CURRENT):$(LIB_VERSION_REVISION):$(LIB_VERSION_AGE)
 
 noinst_PROGRAMS =
 if USE_BENCHMARK
@@ -223,11 +223,11 @@ maintainer-clean-local: clean-precomp
 
 ### Pregenerated test vectors
 ### (see the comments in the previous section for detailed rationale)
-TESTVECTORS = src/wycheproof/ecdsa_rustsecp256k1_v0_9_1_sha256_bitcoin_test.h
+TESTVECTORS = src/wycheproof/ecdsa_rustsecp256k1_v0_9_2_sha256_bitcoin_test.h
 
-src/wycheproof/ecdsa_rustsecp256k1_v0_9_1_sha256_bitcoin_test.h:
+src/wycheproof/ecdsa_rustsecp256k1_v0_9_2_sha256_bitcoin_test.h:
 	mkdir -p $(@D)
-	python3 $(top_srcdir)/tools/tests_wycheproof_generate.py $(top_srcdir)/src/wycheproof/ecdsa_rustsecp256k1_v0_9_1_sha256_bitcoin_test.json > $@
+	python3 $(top_srcdir)/tools/tests_wycheproof_generate.py $(top_srcdir)/src/wycheproof/ecdsa_rustsecp256k1_v0_9_2_sha256_bitcoin_test.json > $@
 
 testvectors: $(TESTVECTORS)
 
@@ -246,10 +246,10 @@ EXTRA_DIST += sage/gen_exhaustive_groups.sage
 EXTRA_DIST += sage/gen_split_lambda_constants.sage
 EXTRA_DIST += sage/group_prover.sage
 EXTRA_DIST += sage/prove_group_implementations.sage
-EXTRA_DIST += sage/rustsecp256k1_v0_9_1_params.sage
+EXTRA_DIST += sage/rustsecp256k1_v0_9_2_params.sage
 EXTRA_DIST += sage/weierstrass_prover.sage
 EXTRA_DIST += src/wycheproof/WYCHEPROOF_COPYING
-EXTRA_DIST += src/wycheproof/ecdsa_rustsecp256k1_v0_9_1_sha256_bitcoin_test.json
+EXTRA_DIST += src/wycheproof/ecdsa_rustsecp256k1_v0_9_2_sha256_bitcoin_test.json
 EXTRA_DIST += tools/tests_wycheproof_generate.py
 
 if ENABLE_MODULE_ECDH

secp256k1-sys/depend/secp256k1/cmake/TryAppendCFlags.cmake

@@ -1,6 +1,6 @@
 include(CheckCCompilerFlag)
 
-function(rustsecp256k1_v0_9_1_check_c_flags_internal flags output)
+function(rustsecp256k1_v0_9_2_check_c_flags_internal flags output)
   string(MAKE_C_IDENTIFIER "${flags}" result)
   string(TOUPPER "${result}" result)
   set(result "C_SUPPORTS_${result}")
@@ -17,7 +17,7 @@ endfunction()
 
 # Append flags to the COMPILE_OPTIONS directory property if CC accepts them.
 macro(try_append_c_flags)
-  rustsecp256k1_v0_9_1_check_c_flags_internal("${ARGV}" result)
+  rustsecp256k1_v0_9_2_check_c_flags_internal("${ARGV}" result)
   if(result)
     add_compile_options(${ARGV})
   endif()

secp256k1-sys/depend/secp256k1/contrib/lax_der_parsing.c

@@ -7,18 +7,18 @@
 #include <string.h>
 
 #include "lax_der_parsing.h"
-extern int rustsecp256k1_v0_9_1_ecdsa_signature_parse_compact(
-        const rustsecp256k1_v0_9_1_context *ctx,
-        rustsecp256k1_v0_9_1_ecdsa_signature *sig, const unsigned char *input64);
-int rustsecp256k1_v0_9_1_ecdsa_signature_parse_der_lax(const rustsecp256k1_v0_9_1_context* ctx, rustsecp256k1_v0_9_1_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) {
+extern int rustsecp256k1_v0_9_2_ecdsa_signature_parse_compact(
+        const rustsecp256k1_v0_9_2_context *ctx,
+        rustsecp256k1_v0_9_2_ecdsa_signature *sig, const unsigned char *input64);
+int rustsecp256k1_v0_9_2_ecdsa_signature_parse_der_lax(const rustsecp256k1_v0_9_2_context* ctx, rustsecp256k1_v0_9_2_ecdsa_signature* sig, const unsigned char *input, size_t inputlen) {
     size_t rpos, rlen, spos, slen;
     size_t pos = 0;
     size_t lenbyte;
     unsigned char tmpsig[64] = {0};
     int overflow = 0;
 
     /* Hack to initialize sig with a correctly-parsed but invalid signature. */
-    rustsecp256k1_v0_9_1_ecdsa_signature_parse_compact(ctx, sig, tmpsig);
+    rustsecp256k1_v0_9_2_ecdsa_signature_parse_compact(ctx, sig, tmpsig);
 
     /* Sequence tag byte */
     if (pos == inputlen || input[pos] != 0x30) {
@@ -139,11 +139,11 @@ int rustsecp256k1_v0_9_1_ecdsa_signature_parse_der_lax(const rustsecp256k1_v0_9_
     }
 
     if (!overflow) {
-        overflow = !rustsecp256k1_v0_9_1_ecdsa_signature_parse_compact(ctx, sig, tmpsig);
+        overflow = !rustsecp256k1_v0_9_2_ecdsa_signature_parse_compact(ctx, sig, tmpsig);
     }
     if (overflow) {
         memset(tmpsig, 0, 64);
-        rustsecp256k1_v0_9_1_ecdsa_signature_parse_compact(ctx, sig, tmpsig);
+        rustsecp256k1_v0_9_2_ecdsa_signature_parse_compact(ctx, sig, tmpsig);
     }
     return 1;
 }

secp256k1-sys/depend/secp256k1/contrib/lax_der_parsing.h

@@ -26,8 +26,8 @@
  * certain violations are easily supported. You may need to adapt it.
  *
  * Do not use this for new systems. Use well-defined DER or compact signatures
- * instead if you have the choice (see rustsecp256k1_v0_9_1_ecdsa_signature_parse_der and
- * rustsecp256k1_v0_9_1_ecdsa_signature_parse_compact).
+ * instead if you have the choice (see rustsecp256k1_v0_9_2_ecdsa_signature_parse_der and
+ * rustsecp256k1_v0_9_2_ecdsa_signature_parse_compact).
  *
  * The supported violations are:
  * - All numbers are parsed as nonnegative integers, even though X.609-0207
@@ -83,9 +83,9 @@ extern "C" {
  *  encoded numbers are out of range, signature validation with it is
  *  guaranteed to fail for every message and public key.
  */
-int rustsecp256k1_v0_9_1_ecdsa_signature_parse_der_lax(
-    const rustsecp256k1_v0_9_1_context* ctx,
-    rustsecp256k1_v0_9_1_ecdsa_signature* sig,
+int rustsecp256k1_v0_9_2_ecdsa_signature_parse_der_lax(
+    const rustsecp256k1_v0_9_2_context* ctx,
+    rustsecp256k1_v0_9_2_ecdsa_signature* sig,
     const unsigned char *input,
     size_t inputlen
 ) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3);

secp256k1-sys/depend/secp256k1/contrib/lax_der_privatekey_parsing.c

@@ -8,7 +8,7 @@
 
 #include "lax_der_privatekey_parsing.h"
 
-int ec_privkey_import_der(const rustsecp256k1_v0_9_1_context* ctx, unsigned char *out32, const unsigned char *privkey, size_t privkeylen) {
+int ec_privkey_import_der(const rustsecp256k1_v0_9_2_context* ctx, unsigned char *out32, const unsigned char *privkey, size_t privkeylen) {
     const unsigned char *end = privkey + privkeylen;
     int lenb = 0;
     int len = 0;
@@ -45,17 +45,17 @@ int ec_privkey_import_der(const rustsecp256k1_v0_9_1_context* ctx, unsigned char
         return 0;
     }
     if (privkey[1]) memcpy(out32 + 32 - privkey[1], privkey + 2, privkey[1]);
-    if (!rustsecp256k1_v0_9_1_ec_seckey_verify(ctx, out32)) {
+    if (!rustsecp256k1_v0_9_2_ec_seckey_verify(ctx, out32)) {
         memset(out32, 0, 32);
         return 0;
     }
     return 1;
 }
 
-int ec_privkey_export_der(const rustsecp256k1_v0_9_1_context *ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *key32, int compressed) {
-    rustsecp256k1_v0_9_1_pubkey pubkey;
+int ec_privkey_export_der(const rustsecp256k1_v0_9_2_context *ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *key32, int compressed) {
+    rustsecp256k1_v0_9_2_pubkey pubkey;
     size_t pubkeylen = 0;
-    if (!rustsecp256k1_v0_9_1_ec_pubkey_create(ctx, &pubkey, key32)) {
+    if (!rustsecp256k1_v0_9_2_ec_pubkey_create(ctx, &pubkey, key32)) {
         *privkeylen = 0;
         return 0;
     }
@@ -79,7 +79,7 @@ int ec_privkey_export_der(const rustsecp256k1_v0_9_1_context *ctx, unsigned char
         memcpy(ptr, key32, 32); ptr += 32;
         memcpy(ptr, middle, sizeof(middle)); ptr += sizeof(middle);
         pubkeylen = 33;
-        rustsecp256k1_v0_9_1_ec_pubkey_serialize(ctx, ptr, &pubkeylen, &pubkey, SECP256K1_EC_COMPRESSED);
+        rustsecp256k1_v0_9_2_ec_pubkey_serialize(ctx, ptr, &pubkeylen, &pubkey, SECP256K1_EC_COMPRESSED);
         ptr += pubkeylen;
         *privkeylen = ptr - privkey;
     } else {
@@ -104,7 +104,7 @@ int ec_privkey_export_der(const rustsecp256k1_v0_9_1_context *ctx, unsigned char
         memcpy(ptr, key32, 32); ptr += 32;
         memcpy(ptr, middle, sizeof(middle)); ptr += sizeof(middle);
         pubkeylen = 65;
-        rustsecp256k1_v0_9_1_ec_pubkey_serialize(ctx, ptr, &pubkeylen, &pubkey, SECP256K1_EC_UNCOMPRESSED);
+        rustsecp256k1_v0_9_2_ec_pubkey_serialize(ctx, ptr, &pubkeylen, &pubkey, SECP256K1_EC_UNCOMPRESSED);
         ptr += pubkeylen;
         *privkeylen = ptr - privkey;
     }

secp256k1-sys/depend/secp256k1/contrib/lax_der_privatekey_parsing.h

@@ -43,7 +43,7 @@ extern "C" {
 /** Export a private key in DER format.
  *
  *  Returns: 1 if the private key was valid.
- *  Args: ctx:        pointer to a context object (not rustsecp256k1_v0_9_1_context_static).
+ *  Args: ctx:        pointer to a context object (not rustsecp256k1_v0_9_2_context_static).
  *  Out: privkey:     pointer to an array for storing the private key in BER.
  *                    Should have space for 279 bytes, and cannot be NULL.
  *       privkeylen:  Pointer to an int where the length of the private key in
@@ -57,10 +57,10 @@ extern "C" {
  *  simple 32-byte private keys are sufficient.
  *
  *  Note that this function does not guarantee correct DER output. It is
- *  guaranteed to be parsable by rustsecp256k1_v0_9_1_ec_privkey_import_der
+ *  guaranteed to be parsable by rustsecp256k1_v0_9_2_ec_privkey_import_der
  */
 SECP256K1_WARN_UNUSED_RESULT int ec_privkey_export_der(
-    const rustsecp256k1_v0_9_1_context* ctx,
+    const rustsecp256k1_v0_9_2_context* ctx,
     unsigned char *privkey,
     size_t *privkeylen,
     const unsigned char *seckey,
@@ -82,7 +82,7 @@ SECP256K1_WARN_UNUSED_RESULT int ec_privkey_export_der(
  * key.
  */
 SECP256K1_WARN_UNUSED_RESULT int ec_privkey_import_der(
-    const rustsecp256k1_v0_9_1_context* ctx,
+    const rustsecp256k1_v0_9_2_context* ctx,
     unsigned char *seckey,
     const unsigned char *privkey,
     size_t privkeylen

secp256k1-sys/depend/secp256k1/doc/ellswift.md

@@ -144,8 +144,8 @@ but the approach here is simple enough and gives fairly uniform output even in t
 **Note**: in the paper these conditions result in $\infty$ as output, due to the use of projective coordinates there.
 We wish to avoid the need for callers to deal with this special case.
 
-This is implemented in `rustsecp256k1_v0_9_1_ellswift_xswiftec_frac_var` (which decodes to an x-coordinate represented as a fraction), and
-in `rustsecp256k1_v0_9_1_ellswift_xswiftec_var` (which outputs the actual x-coordinate).
+This is implemented in `rustsecp256k1_v0_9_2_ellswift_xswiftec_frac_var` (which decodes to an x-coordinate represented as a fraction), and
+in `rustsecp256k1_v0_9_2_ellswift_xswiftec_var` (which outputs the actual x-coordinate).
 
 ## 3. The encoding function
 
@@ -247,7 +247,7 @@ the loop can be simplified to only compute one of the inverses instead of all of
   * Let $t = G_{c,u}(x).$
   * If $t \neq \bot$, return $(u, t)$; restart loop otherwise.
 
-This is implemented in `rustsecp256k1_v0_9_1_ellswift_xelligatorswift_var`.
+This is implemented in `rustsecp256k1_v0_9_2_ellswift_xelligatorswift_var`.
 
 ### 3.3 Finding the inverse
 
@@ -388,7 +388,7 @@ Specialized for odd-ordered $a=0$ curves:
   * If $c \in \\{4, 6\\}:$ return $w(\frac{-\sqrt{-3}+1}{2}u + v).$
   * If $c \in \\{5, 7\\}:$ return $w(\frac{-\sqrt{-3}-1}{2}u - v).$
 
-This is implemented in `rustsecp256k1_v0_9_1_ellswift_xswiftec_inv_var`.
+This is implemented in `rustsecp256k1_v0_9_2_ellswift_xswiftec_inv_var`.
 
 And the x-only ElligatorSwift encoding algorithm is still:
 
@@ -471,11 +471,11 @@ as decoder:
 * Let $y = \sqrt{g(x)}.$
 * Return $(x, y)$ if $sign(y) = sign(t)$; $(x, -y)$ otherwise.
 
-This is implemented in `rustsecp256k1_v0_9_1_ellswift_swiftec_var`. The used $sign(x)$ function is the parity of $x$ when represented as in integer in $[0,q).$
+This is implemented in `rustsecp256k1_v0_9_2_ellswift_swiftec_var`. The used $sign(x)$ function is the parity of $x$ when represented as in integer in $[0,q).$
 
 The corresponding encoder would invoke the x-only one, but negating the output $t$ if $sign(t) \neq sign(y).$
 
-This is implemented in `rustsecp256k1_v0_9_1_ellswift_elligatorswift_var`.
+This is implemented in `rustsecp256k1_v0_9_2_ellswift_elligatorswift_var`.
 
 Note that this is only intended for encoding points where both the x-coordinate and y-coordinate are unpredictable. When encoding x-only points
 where the y-coordinate is implicitly even (or implicitly square, or implicitly in $[0,q/2]$), the encoder in