21-DOT-DEV · csjones · Mar 4, 2026 · Mar 4, 2026
@@ -349,7 +349,7 @@ SECP256K1_API void secp256k1_context_destroy(
  *  writes the message to stderr and calls abort. This default callback can be
  *  replaced at link time if the preprocessor macro
  *  USE_EXTERNAL_DEFAULT_CALLBACKS is defined, which is the case if the build
- *  has been configured with --enable-external-default-callbacks (GNU Autotools) or 
+ *  has been configured with --enable-external-default-callbacks (GNU Autotools) or
  *  -DSECP256K1_USE_EXTERNAL_DEFAULT_CALLBACKS=ON (CMake). Then the
  *  following two symbols must be provided to link against:
  *   - void secp256k1_default_illegal_callback_fn(const char *message, void *data);

@@ -78,10 +78,15 @@
 #  if defined(__clang__) && defined(__APPLE__)
 #    pragma clang diagnostic push
 #    pragma clang diagnostic ignored "-Wreserved-identifier"
+#  elif defined(__GNUC__) && (__GNUC__ >= 15)
+#    pragma GCC diagnostic push
+#    pragma GCC diagnostic ignored "-Wtrailing-whitespace"
 #  endif
 #    include <valgrind/memcheck.h>
 #  if defined(__clang__) && defined(__APPLE__)
 #    pragma clang diagnostic pop
+#  elif defined(__GNUC__) && (__GNUC__ >= 15)
+#    pragma GCC diagnostic pop
 #  endif
 #    define SECP256K1_CHECKMEM_ENABLED 1
 #    define SECP256K1_CHECKMEM_UNDEFINE(p, len) VALGRIND_MAKE_MEM_UNDEFINED((p), (len))

@@ -38,7 +38,7 @@
 #endif
 
 /** The number of entries a table with precomputed multiples needs to have. */
-#define ECMULT_TABLE_SIZE(w) (1L << ((w)-2))
+#define ECMULT_TABLE_SIZE(w) ((size_t)1 << ((w)-2))
 
 /** Double multiply: R = na*A + ng*G */
 static void secp256k1_ecmult(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng);

@@ -16,7 +16,7 @@
 static void secp256k1_ecmult_compute_table(secp256k1_ge_storage* table, int window_g, const secp256k1_gej* gen) {
     secp256k1_gej gj;
     secp256k1_ge ge, dgen;
-    int j;
+    size_t j;
 
     gj = *gen;
     secp256k1_ge_set_gej_var(&ge, &gj);

@@ -70,10 +70,10 @@
  *  Lastly the zr[0] value, which isn't used above, is set so that:
  *  - a.z = z(pre_a[0]) / zr[0]
  */
-static void secp256k1_ecmult_odd_multiples_table(int n, secp256k1_ge *pre_a, secp256k1_fe *zr, secp256k1_fe *z, const secp256k1_gej *a) {
+static void secp256k1_ecmult_odd_multiples_table(size_t n, secp256k1_ge *pre_a, secp256k1_fe *zr, secp256k1_fe *z, const secp256k1_gej *a) {
     secp256k1_gej d, ai;
     secp256k1_ge d_ge;
-    int i;
+    size_t i;
 
     VERIFY_CHECK(!secp256k1_gej_is_infinity(a));
 
@@ -311,8 +311,9 @@ static void secp256k1_ecmult_strauss_wnaf(const struct secp256k1_strauss_state *
     }
 
     for (np = 0; np < no; ++np) {
-        for (i = 0; i < ECMULT_TABLE_SIZE(WINDOW_A); i++) {
-            secp256k1_fe_mul(&state->aux[np * ECMULT_TABLE_SIZE(WINDOW_A) + i], &state->pre_a[np * ECMULT_TABLE_SIZE(WINDOW_A) + i].x, &secp256k1_const_beta);
+        size_t j;
+        for (j = 0; j < ECMULT_TABLE_SIZE(WINDOW_A); j++) {
+            secp256k1_fe_mul(&state->aux[np * ECMULT_TABLE_SIZE(WINDOW_A) + j], &state->pre_a[np * ECMULT_TABLE_SIZE(WINDOW_A) + j].x, &secp256k1_const_beta);
         }
     }
 
@@ -517,7 +518,6 @@ static int secp256k1_ecmult_pippenger_wnaf(secp256k1_gej *buckets, int bucket_wi
     size_t np;
     size_t no = 0;
     int i;
-    int j;
 
     for (np = 0; np < num; ++np) {
         if (secp256k1_scalar_is_zero(&sc[np]) || secp256k1_ge_is_infinity(&pt[np])) {
@@ -535,16 +535,17 @@ static int secp256k1_ecmult_pippenger_wnaf(secp256k1_gej *buckets, int bucket_wi
 
     for (i = n_wnaf - 1; i >= 0; i--) {
         secp256k1_gej running_sum;
+        int j;
+        size_t buc;
 
-        for(j = 0; j < ECMULT_TABLE_SIZE(bucket_window+2); j++) {
-            secp256k1_gej_set_infinity(&buckets[j]);
+        for (buc = 0; buc < ECMULT_TABLE_SIZE(bucket_window+2); buc++) {
+            secp256k1_gej_set_infinity(&buckets[buc]);
         }
 
         for (np = 0; np < no; ++np) {
             int n = state->wnaf_na[np*n_wnaf + i];
             struct secp256k1_pippenger_point_state point_state = state->ps[np];
             secp256k1_ge tmp;
-            int idx;
 
             if (i == 0) {
                 /* correct for wnaf skew */
@@ -555,16 +556,16 @@ static int secp256k1_ecmult_pippenger_wnaf(secp256k1_gej *buckets, int bucket_wi
                 }
             }
             if (n > 0) {
-                idx = (n - 1)/2;
-                secp256k1_gej_add_ge_var(&buckets[idx], &buckets[idx], &pt[point_state.input_pos], NULL);
+                buc = (n - 1)/2;
+                secp256k1_gej_add_ge_var(&buckets[buc], &buckets[buc], &pt[point_state.input_pos], NULL);
             } else if (n < 0) {
-                idx = -(n + 1)/2;
+                buc = -(n + 1)/2;
                 secp256k1_ge_neg(&tmp, &pt[point_state.input_pos]);
-                secp256k1_gej_add_ge_var(&buckets[idx], &buckets[idx], &tmp, NULL);
+                secp256k1_gej_add_ge_var(&buckets[buc], &buckets[buc], &tmp, NULL);
             }
         }
 
-        for(j = 0; j < bucket_window; j++) {
+        for (j = 0; j < bucket_window; j++) {
             secp256k1_gej_double_var(r, r, NULL);
         }
 
@@ -577,8 +578,8 @@ static int secp256k1_ecmult_pippenger_wnaf(secp256k1_gej *buckets, int bucket_wi
          *
          * The doubling is done implicitly by deferring the final window doubling (of 'r').
          */
-        for(j = ECMULT_TABLE_SIZE(bucket_window+2) - 1; j > 0; j--) {
-            secp256k1_gej_add_var(&running_sum, &running_sum, &buckets[j], NULL);
+        for (buc = ECMULT_TABLE_SIZE(bucket_window+2) - 1; buc > 0; buc--) {
+            secp256k1_gej_add_var(&running_sum, &running_sum, &buckets[buc], NULL);
             secp256k1_gej_add_var(r, r, &running_sum, NULL);
         }
 

@@ -233,7 +233,7 @@ static void secp256k1_fe_add_int(secp256k1_fe *r, int a);
 #define secp256k1_fe_mul_int(r, a) ASSERT_INT_CONST_AND_DO(a, secp256k1_fe_mul_int_unchecked(r, a))
 
 /** Like secp256k1_fe_mul_int but a is not checked to be an integer constant expression.
- * 
+ *
  * Should not be called directly outside of tests.
  */
 static void secp256k1_fe_mul_int_unchecked(secp256k1_fe *r, int a);

@@ -17,6 +17,10 @@ typedef struct {
 } secp256k1_sha256;
 
 static void secp256k1_sha256_initialize(secp256k1_sha256 *hash);
+/* Initialize a SHA256 hash state with a precomputed midstate.
+ * The byte counter must be a multiple of 64, i.e., there must be no unwritten
+ * bytes in the buffer. */
+static void secp256k1_sha256_initialize_midstate(secp256k1_sha256 *hash, uint64_t bytes, const uint32_t state[8]);
 static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t size);
 static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32);
 static void secp256k1_sha256_clear(secp256k1_sha256 *hash);

@@ -40,6 +40,13 @@ static void secp256k1_sha256_initialize(secp256k1_sha256 *hash) {
     hash->bytes = 0;
 }
 
+static void secp256k1_sha256_initialize_midstate(secp256k1_sha256 *hash, uint64_t bytes, const uint32_t state[8]) {
+    VERIFY_CHECK((bytes & 0x3F) == 0);
+    VERIFY_CHECK(state != NULL);
+    memcpy(hash->s, state, sizeof(hash->s));
+    hash->bytes = bytes;
+}
+
 /** Perform one SHA-256 transformation, processing 16 big endian 32-bit words. */
 static void secp256k1_sha256_transform(uint32_t* s, const unsigned char* buf) {
     uint32_t a = s[0], b = s[1], c = s[2], d = s[3], e = s[4], f = s[5], g = s[6], h = s[7];

@@ -14,17 +14,11 @@
  * SHA256 to SHA256("Bulletproofs_pp/v0/commitment")||SHA256("Bulletproofs_pp/v0/commitment").
  */
 static void secp256k1_bppp_sha256_tagged_commitment_init(secp256k1_sha256 *sha) {
-    secp256k1_sha256_initialize(sha);
-    sha->s[0] = 0x52fc8185ul;
-    sha->s[1] = 0x0e7debf0ul;
-    sha->s[2] = 0xb0967270ul;
-    sha->s[3] = 0x6f5abfe1ul;
-    sha->s[4] = 0x822bdec0ul;
-    sha->s[5] = 0x36db8beful;
-    sha->s[6] = 0x03d9e1f1ul;
-    sha->s[7] = 0x8a5cef6ful;
-
-    sha->bytes = 64;
+    static const uint32_t midstate[8] = {
+        0x52fc8185ul, 0x0e7debf0ul, 0xb0967270ul, 0x6f5abfe1ul,
+        0x822bdec0ul, 0x36db8beful, 0x03d9e1f1ul, 0x8a5cef6ful
+    };
+    secp256k1_sha256_initialize_midstate(sha, 64, midstate);
 }
 
 /* Obtain a challenge scalar from the current transcript.*/

@@ -23,11 +23,11 @@ secp256k1_bppp_generators *secp256k1_bppp_generators_create(const secp256k1_cont
 
     VERIFY_CHECK(ctx != NULL);
 
-    ret = (secp256k1_bppp_generators *)checked_malloc(&ctx->error_callback, sizeof(*ret));
+    ret = checked_malloc(&ctx->error_callback, sizeof(*ret));
     if (ret == NULL) {
         return NULL;
     }
-    ret->gens = (secp256k1_ge*)checked_malloc(&ctx->error_callback, n * sizeof(*ret->gens));
+    ret->gens = checked_malloc(&ctx->error_callback, n * sizeof(*ret->gens));
     if (ret->gens == NULL) {
         free(ret);
         return NULL;
@@ -60,12 +60,12 @@ secp256k1_bppp_generators* secp256k1_bppp_generators_parse(const secp256k1_conte
         return NULL;
     }
 
-    ret = (secp256k1_bppp_generators *)checked_malloc(&ctx->error_callback, sizeof(*ret));
+    ret = checked_malloc(&ctx->error_callback, sizeof(*ret));
     if (ret == NULL) {
         return NULL;
     }
     ret->n = n;
-    ret->gens = (secp256k1_ge*)checked_malloc(&ctx->error_callback, n * sizeof(*ret->gens));
+    ret->gens = checked_malloc(&ctx->error_callback, n * sizeof(*ret->gens));
     if (ret->gens == NULL) {
         free(ret);
         return NULL;

@@ -4,17 +4,11 @@
 /* Initializes SHA256 with fixed midstate. This midstate was computed by applying
  * SHA256 to SHA256("DLEQ")||SHA256("DLEQ"). */
 static void secp256k1_nonce_function_dleq_sha256_tagged(secp256k1_sha256 *sha) {
-    secp256k1_sha256_initialize(sha);
-    sha->s[0] = 0x8cc4beacul;
-    sha->s[1] = 0x2e011f3ful;
-    sha->s[2] = 0x355c75fbul;
-    sha->s[3] = 0x3ba6a2c5ul;
-    sha->s[4] = 0xe96f3aeful;
-    sha->s[5] = 0x180530fdul;
-    sha->s[6] = 0x94582499ul;
-    sha->s[7] = 0x577fd564ul;
-
-    sha->bytes = 64;
+    static const uint32_t midstate[8] = {
+        0x8cc4beacul, 0x2e011f3ful, 0x355c75fbul, 0x3ba6a2c5ul,
+        0xe96f3aeful, 0x180530fdul, 0x94582499ul, 0x577fd564ul
+    };
+    secp256k1_sha256_initialize_midstate(sha, 64, midstate);
 }
 
 /* algo argument for nonce_function_ecdsa_adaptor to derive the nonce using a tagged hash function. */

@@ -60,33 +60,21 @@ static int secp256k1_ecdsa_adaptor_sig_deserialize(secp256k1_ge *r, secp256k1_sc
 /* Initializes SHA256 with fixed midstate. This midstate was computed by applying
  * SHA256 to SHA256("ECDSAadaptor/non")||SHA256("ECDSAadaptor/non"). */
 static void secp256k1_nonce_function_ecdsa_adaptor_sha256_tagged(secp256k1_sha256 *sha) {
-    secp256k1_sha256_initialize(sha);
-    sha->s[0] = 0x791dae43ul;
-    sha->s[1] = 0xe52d3b44ul;
-    sha->s[2] = 0x37f9edeaul;
-    sha->s[3] = 0x9bfd2ab1ul;
-    sha->s[4] = 0xcfb0f44dul;
-    sha->s[5] = 0xccf1d880ul;
-    sha->s[6] = 0xd18f2c13ul;
-    sha->s[7] = 0xa37b9024ul;
-
-    sha->bytes = 64;
+    static const uint32_t midstate[8] = {
+        0x791dae43ul, 0xe52d3b44ul, 0x37f9edeaul, 0x9bfd2ab1ul,
+        0xcfb0f44dul, 0xccf1d880ul, 0xd18f2c13ul, 0xa37b9024ul
+    };
+    secp256k1_sha256_initialize_midstate(sha, 64, midstate);
 }
 
 /* Initializes SHA256 with fixed midstate. This midstate was computed by applying
  * SHA256 to SHA256("ECDSAadaptor/aux")||SHA256("ECDSAadaptor/aux"). */
 static void secp256k1_nonce_function_ecdsa_adaptor_sha256_tagged_aux(secp256k1_sha256 *sha) {
-    secp256k1_sha256_initialize(sha);
-    sha->s[0] = 0xd14c7bd9ul;
-    sha->s[1] = 0x095d35e6ul;
-    sha->s[2] = 0xb8490a88ul;
-    sha->s[3] = 0xfb00ef74ul;
-    sha->s[4] = 0x0baa488ful;
-    sha->s[5] = 0x69366693ul;
-    sha->s[6] = 0x1c81c5baul;
-    sha->s[7] = 0xc33b296aul;
-
-    sha->bytes = 64;
+    static const uint32_t midstate[8] = {
+        0xd14c7bd9ul, 0x095d35e6ul, 0xb8490a88ul, 0xfb00ef74ul,
+        0x0baa488ful, 0x69366693ul, 0x1c81c5baul, 0xc33b296aul
+    };
+    secp256k1_sha256_initialize_midstate(sha, 64, midstate);
 }
 
 /* algo argument for nonce_function_ecdsa_adaptor to derive the nonce using a tagged hash function. */

@@ -36,33 +36,21 @@ int secp256k1_ecdsa_s2c_opening_serialize(const secp256k1_context* ctx, unsigned
 /* Initializes SHA256 with fixed midstate. This midstate was computed by applying
  * SHA256 to SHA256("s2c/ecdsa/point")||SHA256("s2c/ecdsa/point"). */
 static void secp256k1_s2c_ecdsa_point_sha256_tagged(secp256k1_sha256 *sha) {
-    secp256k1_sha256_initialize(sha);
-    sha->s[0] = 0xa9b21c7bul;
-    sha->s[1] = 0x358c3e3eul;
-    sha->s[2] = 0x0b6863d1ul;
-    sha->s[3] = 0xc62b2035ul;
-    sha->s[4] = 0xb44b40ceul;
-    sha->s[5] = 0x254a8912ul;
-    sha->s[6] = 0x0f85d0d4ul;
-    sha->s[7] = 0x8a5bf91cul;
-
-    sha->bytes = 64;
+    static const uint32_t midstate[8] = {
+        0xa9b21c7bul, 0x358c3e3eul, 0x0b6863d1ul, 0xc62b2035ul,
+        0xb44b40ceul, 0x254a8912ul, 0x0f85d0d4ul, 0x8a5bf91cul
+    };
+    secp256k1_sha256_initialize_midstate(sha, 64, midstate);
 }
 
 /* Initializes SHA256 with fixed midstate. This midstate was computed by applying
  * SHA256 to SHA256("s2c/ecdsa/data")||SHA256("s2c/ecdsa/data"). */
 static void secp256k1_s2c_ecdsa_data_sha256_tagged(secp256k1_sha256 *sha) {
-    secp256k1_sha256_initialize(sha);
-    sha->s[0] = 0xfeefd675ul;
-    sha->s[1] = 0x73166c99ul;
-    sha->s[2] = 0xe2309cb8ul;
-    sha->s[3] = 0x6d458113ul;
-    sha->s[4] = 0x01d3a512ul;
-    sha->s[5] = 0x00e18112ul;
-    sha->s[6] = 0x37ee0874ul;
-    sha->s[7] = 0x421fc55ful;
-
-    sha->bytes = 64;
+    static const uint32_t midstate[8] = {
+        0xfeefd675ul, 0x73166c99ul, 0xe2309cb8ul, 0x6d458113ul,
+        0x01d3a512ul, 0x00e18112ul, 0x37ee0874ul, 0x421fc55ful
+    };
+    secp256k1_sha256_initialize_midstate(sha, 64, midstate);
 }
 
 int secp256k1_ecdsa_s2c_sign(const secp256k1_context* ctx, secp256k1_ecdsa_signature* signature, secp256k1_ecdsa_s2c_opening* s2c_opening, const unsigned char