secp256k1/CHANGELOG.md

# Changelog

All notable changes to this project will be documented in this file.

The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

## [0.3.1] - 2023-04-10
We strongly recommend updating to 0.3.1 if you use or plan to use Clang >=14 to compile libsecp256k1, e.g., Xcode >=14 on macOS has Clang >=14. When in doubt, check the Clang version using `clang -v`.

#### Security
 - Fix "constant-timeness" issue with Clang >=14 that could leave applications using libsecp256k1 vulnerable to a timing side-channel attack. The fix avoids secret-dependent control flow and secret-dependent memory accesses in conditional moves of memory objects when libsecp256k1 is compiled with Clang >=14.

#### Added
  - Added tests against [Project Wycheproof's](https://github.com/google/wycheproof/) set of ECDSA test vectors (Bitcoin "low-S" variant), a fixed set of test cases designed to trigger various edge cases.

#### Changed
 - Increased minimum required CMake version to 3.13. CMake builds remain experimental.

#### ABI Compatibility
The ABI is compatible with version 0.3.0.

## [0.3.0] - 2023-03-08

#### Added
 - Added experimental support for CMake builds. Traditional GNU Autotools builds (`./configure` and `make`) remain fully supported.
 - Usage examples: Added a recommended method for securely clearing sensitive data, e.g., secret keys, from memory.
 - Tests: Added a new test binary `noverify_tests`. This binary runs the tests without some additional checks present in the ordinary `tests` binary and is thereby closer to production binaries. The `noverify_tests` binary is automatically run as part of the `make check` target.

#### Fixed
 - Fixed declarations of API variables for MSVC (`__declspec(dllimport)`). This fixes MSVC builds of programs which link against a libsecp256k1 DLL dynamically and use API variables (and not only API functions). Unfortunately, the MSVC linker now will emit warning `LNK4217` when trying to link against libsecp256k1 statically. Pass `/ignore:4217` to the linker to suppress this warning.

#### Changed
 - Forbade cloning or destroying `secp256k1_context_static`. Create a new context instead of cloning the static context. (If this change breaks your code, your code is probably wrong.)
 - Forbade randomizing (copies of) `secp256k1_context_static`. Randomizing a copy of `secp256k1_context_static` did not have any effect and did not provide defense-in-depth protection against side-channel attacks. Create a new context if you want to benefit from randomization.

#### Removed
 - Removed the configuration header `src/libsecp256k1-config.h`. We recommend passing flags to `./configure` or `cmake` to set configuration options (see `./configure --help` or `cmake -LH`). If you cannot or do not want to use one of the supported build systems, pass configuration flags such as `-DSECP256K1_ENABLE_MODULE_SCHNORRSIG` manually to the compiler (see the file `configure.ac` for supported flags).

#### ABI Compatibility
Due to changes in the API regarding `secp256k1_context_static` described above, the ABI is *not* compatible with previous versions.

## [0.2.0] - 2022-12-12

#### Added
 - Added usage examples for common use cases in a new `examples/` directory.
 - Added `secp256k1_selftest`, to be used in conjunction with `secp256k1_context_static`.
 - Added support for 128-bit wide multiplication on MSVC for x86_64 and arm64, giving roughly a 20% speedup on those platforms.

#### Changed
 - Enabled modules `schnorrsig`, `extrakeys` and `ecdh` by default in `./configure`.
 - The `secp256k1_nonce_function_rfc6979` nonce function, used by default by `secp256k1_ecdsa_sign`, now reduces the message hash modulo the group order to match the specification. This only affects improper use of ECDSA signing API.

#### Deprecated
 - Deprecated context flags `SECP256K1_CONTEXT_VERIFY` and `SECP256K1_CONTEXT_SIGN`. Use `SECP256K1_CONTEXT_NONE` instead.
 - Renamed `secp256k1_context_no_precomp` to `secp256k1_context_static`.
 - Module `schnorrsig`: renamed `secp256k1_schnorrsig_sign` to `secp256k1_schnorrsig_sign32`.

#### ABI Compatibility
Since this is the first release, we do not compare application binary interfaces.
However, there are earlier unreleased versions of libsecp256k1 that are *not* ABI compatible with this version.

## [0.1.0] - 2013-03-05 to 2021-12-25

This version was in fact never released.
The number was given by the build system since the introduction of autotools in Jan 2014 (ea0fe5a5bf0c04f9cc955b2966b614f5f378c6f6).
Therefore, this version number does not uniquely identify a set of source files.

[unreleased]: https://github.com/bitcoin-core/secp256k1/compare/v0.3.0...HEAD
[0.3.1]: https://github.com/bitcoin-core/secp256k1/compare/v0.3.0...v0.3.1
[0.3.0]: https://github.com/bitcoin-core/secp256k1/compare/v0.2.0...v0.3.0
[0.2.0]: https://github.com/bitcoin-core/secp256k1/compare/423b6d19d373f1224fd671a982584d7e7900bc93..v0.2.0
[0.1.0]: https://github.com/bitcoin-core/secp256k1/commit/423b6d19d373f1224fd671a982584d7e7900bc93
doc: add CHANGELOG template 2021-07-06 21:51:36 +00:00			`# Changelog`

Mention semantic versioning in changelog 2022-12-13 16:50:32 +00:00			`All notable changes to this project will be documented in this file.`

			`The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),`
			`and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).`
doc: add CHANGELOG template 2021-07-06 21:51:36 +00:00
release: Prepare for 0.3.1 2023-04-10 13:52:26 +00:00			`## [0.3.1] - 2023-04-10`
			We strongly recommend updating to 0.3.1 if you use or plan to use Clang >=14 to compile libsecp256k1, e.g., Xcode >=14 on macOS has Clang >=14. When in doubt, check the Clang version using `clang -v`.
doc: add CHANGELOG template 2021-07-06 21:51:36 +00:00
changelog: Catch up in preparation of 0.3.1 Co-authored-by: Pieter Wuille <pieter@wuille.net> 2023-04-10 13:16:10 +00:00			`#### Security`
			`- Fix "constant-timeness" issue with Clang >=14 that could leave applications using libsecp256k1 vulnerable to a timing side-channel attack. The fix avoids secret-dependent control flow and secret-dependent memory accesses in conditional moves of memory objects when libsecp256k1 is compiled with Clang >=14.`

			`#### Added`
			`- Added tests against [Project Wycheproof's](https://github.com/google/wycheproof/) set of ECDSA test vectors (Bitcoin "low-S" variant), a fixed set of test cases designed to trigger various edge cases.`

			`#### Changed`
			`- Increased minimum required CMake version to 3.13. CMake builds remain experimental.`

release: Prepare for 0.3.1 2023-04-10 13:52:26 +00:00			`#### ABI Compatibility`
			`The ABI is compatible with version 0.3.0.`

release: prepare for 0.3.0 2023-03-07 14:18:36 +00:00			`## [0.3.0] - 2023-03-08`

Update Changelog Fixes #1220. 2023-03-07 11:01:23 +00:00			`#### Added`
changelog: Add entry for CMake 2023-03-08 16:46:20 +00:00			- Added experimental support for CMake builds. Traditional GNU Autotools builds (`./configure` and `make`) remain fully supported.
Update Changelog Fixes #1220. 2023-03-07 11:01:23 +00:00			`- Usage examples: Added a recommended method for securely clearing sensitive data, e.g., secret keys, from memory.`
changelog: Add entry for CMake 2023-03-08 16:46:20 +00:00			- Tests: Added a new test binary `noverify_tests`. This binary runs the tests without some additional checks present in the ordinary `tests` binary and is thereby closer to production binaries. The `noverify_tests` binary is automatically run as part of the `make check` target.
Update Changelog Fixes #1220. 2023-03-07 11:01:23 +00:00
			`#### Fixed`
			- Fixed declarations of API variables for MSVC (`__declspec(dllimport)`). This fixes MSVC builds of programs which link against a libsecp256k1 DLL dynamically and use API variables (and not only API functions). Unfortunately, the MSVC linker now will emit warning `LNK4217` when trying to link against libsecp256k1 statically. Pass `/ignore:4217` to the linker to suppress this warning.

contexts: Forbid cloning/destroying secp256k1_context_static 2022-12-07 13:38:45 +00:00			`#### Changed`
			- Forbade cloning or destroying `secp256k1_context_static`. Create a new context instead of cloning the static context. (If this change breaks your code, your code is probably wrong.)
contexts: Forbid randomizing secp256k1_context_static 2022-12-07 13:50:14 +00:00			- Forbade randomizing (copies of) `secp256k1_context_static`. Randomizing a copy of `secp256k1_context_static` did not have any effect and did not provide defense-in-depth protection against side-channel attacks. Create a new context if you want to benefit from randomization.
contexts: Forbid cloning/destroying secp256k1_context_static 2022-12-07 13:38:45 +00:00
Update Changelog Fixes #1220. 2023-03-07 11:01:23 +00:00			`#### Removed`
changelog: Add entry for CMake 2023-03-08 16:46:20 +00:00			- Removed the configuration header `src/libsecp256k1-config.h`. We recommend passing flags to `./configure` or `cmake` to set configuration options (see `./configure --help` or `cmake -LH`). If you cannot or do not want to use one of the supported build systems, pass configuration flags such as `-DSECP256K1_ENABLE_MODULE_SCHNORRSIG` manually to the compiler (see the file `configure.ac` for supported flags).
Update Changelog Fixes #1220. 2023-03-07 11:01:23 +00:00
release: prepare for 0.3.0 2023-03-07 14:18:36 +00:00			`#### ABI Compatibility`
			Due to changes in the API regarding `secp256k1_context_static` described above, the ABI is not compatible with previous versions.

release: prepare for initial release 0.2.0 There are plenty of unreleased variants of libsecp256k1 version 0.1.0 (libsecp256k1.so.0.0.0) in the wild. We choose a new version number to allow a clear distinction. There are variants of 0.1.0 that are incompatible with the initial release, hence we increase the minor version to arrive at version number 0.2.0. For the same reason, we increase the LIB_VERSION_CURRENT and keep AGE at 0. The changelog for 0.2.0 consists of the relevant changes since 2021-12-25, which is the date when the initial release process PR was merged (and the library version was set to a pre-release, see 423b6d19d373f1224fd671a982584d7e7900bc93). This is somewhat arbitrary but at least points readers to relevant changes. 2021-12-23 22:13:11 +00:00			`## [0.2.0] - 2022-12-12`

Reduce font size in changelog 2022-12-13 17:05:45 +00:00			`#### Added`
Add more changelog entries 2022-12-13 17:05:10 +00:00			- Added usage examples for common use cases in a new `examples/` directory.
changelog: make order of change types match keepachangelog.com 2022-12-12 14:16:48 +00:00			- Added `secp256k1_selftest`, to be used in conjunction with `secp256k1_context_static`.
Add more changelog entries 2022-12-13 17:05:10 +00:00			`- Added support for 128-bit wide multiplication on MSVC for x86_64 and arm64, giving roughly a 20% speedup on those platforms.`
changelog: make order of change types match keepachangelog.com 2022-12-12 14:16:48 +00:00
Reduce font size in changelog 2022-12-13 17:05:45 +00:00			`#### Changed`
Consistency in naming of modules 2022-12-20 16:09:13 +00:00			- Enabled modules `schnorrsig`, `extrakeys` and `ecdh` by default in `./configure`.
Add more changelog entries 2022-12-13 17:05:10 +00:00			- The `secp256k1_nonce_function_rfc6979` nonce function, used by default by `secp256k1_ecdsa_sign`, now reduces the message hash modulo the group order to match the specification. This only affects improper use of ECDSA signing API.
build: Enable some modules by default We don't enable the ECDSA recovery module, because we don't recommend ECDSA recovery for new protocols. In particular, the recovery API is prone to misuse: It invites the caller to forget to check the public key (and the verification function always returns 1). In general, we also don't recommend ordinary ECDSA for new protocols. But disabling the ECDSA functions is not possible because they're not in a module, and let's be honest: disabling ECDSA would mean to ignore reality blatantly. 2021-10-19 12:03:01 +00:00
Reduce font size in changelog 2022-12-13 17:05:45 +00:00			`#### Deprecated`
contexts: Deprecate all context flags except SECP256K1_CONTEXT_NONE 2022-07-06 08:39:14 +00:00			- Deprecated context flags `SECP256K1_CONTEXT_VERIFY` and `SECP256K1_CONTEXT_SIGN`. Use `SECP256K1_CONTEXT_NONE` instead.
contexts: Rename static context 2022-07-06 15:09:31 +00:00			- Renamed `secp256k1_context_no_precomp` to `secp256k1_context_static`.
Consistency in naming of modules 2022-12-20 16:09:13 +00:00			- Module `schnorrsig`: renamed `secp256k1_schnorrsig_sign` to `secp256k1_schnorrsig_sign32`.
contexts: Deprecate all context flags except SECP256K1_CONTEXT_NONE 2022-07-06 08:39:14 +00:00
Reduce font size in changelog 2022-12-13 17:05:45 +00:00			`#### ABI Compatibility`
release: prepare for initial release 0.2.0 There are plenty of unreleased variants of libsecp256k1 version 0.1.0 (libsecp256k1.so.0.0.0) in the wild. We choose a new version number to allow a clear distinction. There are variants of 0.1.0 that are incompatible with the initial release, hence we increase the minor version to arrive at version number 0.2.0. For the same reason, we increase the LIB_VERSION_CURRENT and keep AGE at 0. The changelog for 0.2.0 consists of the relevant changes since 2021-12-25, which is the date when the initial release process PR was merged (and the library version was set to a pre-release, see 423b6d19d373f1224fd671a982584d7e7900bc93). This is somewhat arbitrary but at least points readers to relevant changes. 2021-12-23 22:13:11 +00:00			`Since this is the first release, we do not compare application binary interfaces.`
Clarify that the ABI-incompatible versions are earlier 2022-12-20 16:09:37 +00:00			`However, there are earlier unreleased versions of libsecp256k1 that are not ABI compatible with this version.`
release: prepare for initial release 0.2.0 There are plenty of unreleased variants of libsecp256k1 version 0.1.0 (libsecp256k1.so.0.0.0) in the wild. We choose a new version number to allow a clear distinction. There are variants of 0.1.0 that are incompatible with the initial release, hence we increase the minor version to arrive at version number 0.2.0. For the same reason, we increase the LIB_VERSION_CURRENT and keep AGE at 0. The changelog for 0.2.0 consists of the relevant changes since 2021-12-25, which is the date when the initial release process PR was merged (and the library version was set to a pre-release, see 423b6d19d373f1224fd671a982584d7e7900bc93). This is somewhat arbitrary but at least points readers to relevant changes. 2021-12-23 22:13:11 +00:00
			`## [0.1.0] - 2013-03-05 to 2021-12-25`
doc: add CHANGELOG template 2021-07-06 21:51:36 +00:00
release: prepare for initial release 0.2.0 There are plenty of unreleased variants of libsecp256k1 version 0.1.0 (libsecp256k1.so.0.0.0) in the wild. We choose a new version number to allow a clear distinction. There are variants of 0.1.0 that are incompatible with the initial release, hence we increase the minor version to arrive at version number 0.2.0. For the same reason, we increase the LIB_VERSION_CURRENT and keep AGE at 0. The changelog for 0.2.0 consists of the relevant changes since 2021-12-25, which is the date when the initial release process PR was merged (and the library version was set to a pre-release, see 423b6d19d373f1224fd671a982584d7e7900bc93). This is somewhat arbitrary but at least points readers to relevant changes. 2021-12-23 22:13:11 +00:00			`This version was in fact never released.`
			`The number was given by the build system since the introduction of autotools in Jan 2014 (ea0fe5a5bf0c04f9cc955b2966b614f5f378c6f6).`
			`Therefore, this version number does not uniquely identify a set of source files.`
Add links to diffs to changelog 2022-12-13 16:53:50 +00:00
release: prepare for 0.3.0 2023-03-07 14:18:36 +00:00			`[unreleased]: https://github.com/bitcoin-core/secp256k1/compare/v0.3.0...HEAD`
changelog: Fix link 2023-04-10 18:52:11 +00:00			`[0.3.1]: https://github.com/bitcoin-core/secp256k1/compare/v0.3.0...v0.3.1`
release: prepare for 0.3.0 2023-03-07 14:18:36 +00:00			`[0.3.0]: https://github.com/bitcoin-core/secp256k1/compare/v0.2.0...v0.3.0`
Add links to diffs to changelog 2022-12-13 16:53:50 +00:00			`[0.2.0]: https://github.com/bitcoin-core/secp256k1/compare/423b6d19d373f1224fd671a982584d7e7900bc93..v0.2.0`
			`[0.1.0]: https://github.com/bitcoin-core/secp256k1/commit/423b6d19d373f1224fd671a982584d7e7900bc93`