PIVX Core  5.6.99
P2P Digital Currency
tests.c
Go to the documentation of this file.
1 /**********************************************************************
2  * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5  **********************************************************************/
6 
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
9 #endif
10 
11 #include <stdio.h>
12 #include <stdlib.h>
13 #include <string.h>
14 
15 #include <time.h>
16 
17 #include "secp256k1.c"
18 #include "include/secp256k1.h"
19 #include "testrand_impl.h"
20 
21 #ifdef ENABLE_OPENSSL_TESTS
22 #include "openssl/bn.h"
23 #include "openssl/ec.h"
24 #include "openssl/ecdsa.h"
25 #include "openssl/obj_mac.h"
26 # if OPENSSL_VERSION_NUMBER < 0x10100000L
27 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {*pr = sig->r; *ps = sig->s;}
28 # endif
29 #endif
30 
31 #include "contrib/lax_der_parsing.c"
32 #include "contrib/lax_der_privatekey_parsing.c"
33 
34 #if !defined(VG_CHECK)
35 # if defined(VALGRIND)
36 # include <valgrind/memcheck.h>
37 # define VG_UNDEF(x,y) VALGRIND_MAKE_MEM_UNDEFINED((x),(y))
38 # define VG_CHECK(x,y) VALGRIND_CHECK_MEM_IS_DEFINED((x),(y))
39 # else
40 # define VG_UNDEF(x,y)
41 # define VG_CHECK(x,y)
42 # endif
43 #endif
44 
45 static int count = 64;
46 static secp256k1_context *ctx = NULL;
47 
48 static void counting_illegal_callback_fn(const char* str, void* data) {
49  /* Dummy callback function that just counts. */
50  int32_t *p;
51  (void)str;
52  p = data;
53  (*p)++;
54 }
55 
56 static void uncounting_illegal_callback_fn(const char* str, void* data) {
57  /* Dummy callback function that just counts (backwards). */
58  int32_t *p;
59  (void)str;
60  p = data;
61  (*p)--;
62 }
63 
64 void random_field_element_test(secp256k1_fe *fe) {
65  do {
66  unsigned char b32[32];
67  secp256k1_rand256_test(b32);
68  if (secp256k1_fe_set_b32(fe, b32)) {
69  break;
70  }
71  } while(1);
72 }
73 
74 void random_field_element_magnitude(secp256k1_fe *fe) {
75  secp256k1_fe zero;
76  int n = secp256k1_rand_int(9);
77  secp256k1_fe_normalize(fe);
78  if (n == 0) {
79  return;
80  }
81  secp256k1_fe_clear(&zero);
82  secp256k1_fe_negate(&zero, &zero, 0);
83  secp256k1_fe_mul_int(&zero, n - 1);
84  secp256k1_fe_add(fe, &zero);
85  VERIFY_CHECK(fe->magnitude == n);
86 }
87 
88 void random_group_element_test(secp256k1_ge *ge) {
89  secp256k1_fe fe;
90  do {
91  random_field_element_test(&fe);
92  if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand_bits(1))) {
93  secp256k1_fe_normalize(&ge->y);
94  break;
95  }
96  } while(1);
97 }
98 
99 void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
100  secp256k1_fe z2, z3;
101  do {
102  random_field_element_test(&gej->z);
103  if (!secp256k1_fe_is_zero(&gej->z)) {
104  break;
105  }
106  } while(1);
107  secp256k1_fe_sqr(&z2, &gej->z);
108  secp256k1_fe_mul(&z3, &z2, &gej->z);
109  secp256k1_fe_mul(&gej->x, &ge->x, &z2);
110  secp256k1_fe_mul(&gej->y, &ge->y, &z3);
111  gej->infinity = ge->infinity;
112 }
113 
114 void random_scalar_order_test(secp256k1_scalar *num) {
115  do {
116  unsigned char b32[32];
117  int overflow = 0;
118  secp256k1_rand256_test(b32);
119  secp256k1_scalar_set_b32(num, b32, &overflow);
120  if (overflow || secp256k1_scalar_is_zero(num)) {
121  continue;
122  }
123  break;
124  } while(1);
125 }
126 
127 void random_scalar_order(secp256k1_scalar *num) {
128  do {
129  unsigned char b32[32];
130  int overflow = 0;
131  secp256k1_rand256(b32);
132  secp256k1_scalar_set_b32(num, b32, &overflow);
133  if (overflow || secp256k1_scalar_is_zero(num)) {
134  continue;
135  }
136  break;
137  } while(1);
138 }
139 
140 void run_context_tests(void) {
141  secp256k1_pubkey pubkey;
142  secp256k1_pubkey zero_pubkey;
143  secp256k1_ecdsa_signature sig;
144  unsigned char ctmp[32];
145  int32_t ecount;
146  int32_t ecount2;
147  secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
148  secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
149  secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
150  secp256k1_context *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
151 
152  secp256k1_gej pubj;
153  secp256k1_ge pub;
154  secp256k1_scalar msg, key, nonce;
155  secp256k1_scalar sigr, sigs;
156 
157  memset(&zero_pubkey, 0, sizeof(zero_pubkey));
158 
159  ecount = 0;
160  ecount2 = 10;
161  secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
162  secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
163  secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, NULL);
164  CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
165 
166  /*** clone and destroy all of them to make sure cloning was complete ***/
167  {
168  secp256k1_context *ctx_tmp;
169 
170  ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_destroy(ctx_tmp);
171  ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_destroy(ctx_tmp);
172  ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_destroy(ctx_tmp);
173  ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_destroy(ctx_tmp);
174  }
175 
176  /* Verify that the error callback makes it across the clone. */
177  CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
178  /* And that it resets back to default. */
179  secp256k1_context_set_error_callback(sign, NULL, NULL);
180  CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
181 
182  /*** attempt to use them ***/
183  random_scalar_order_test(&msg);
184  random_scalar_order_test(&key);
185  secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
186  secp256k1_ge_set_gej(&pub, &pubj);
187 
188  /* Verify context-type checking illegal-argument errors. */
189  memset(ctmp, 1, 32);
190  CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
191  CHECK(ecount == 1);
192  VG_UNDEF(&pubkey, sizeof(pubkey));
193  CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
194  VG_CHECK(&pubkey, sizeof(pubkey));
195  CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
196  CHECK(ecount == 2);
197  VG_UNDEF(&sig, sizeof(sig));
198  CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
199  VG_CHECK(&sig, sizeof(sig));
200  CHECK(ecount2 == 10);
201  CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
202  CHECK(ecount2 == 11);
203  CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
204  CHECK(ecount == 2);
205  CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
206  CHECK(ecount2 == 12);
207  CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
208  CHECK(ecount == 2);
209  CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
210  CHECK(ecount2 == 13);
211  CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
212  CHECK(ecount == 2);
213  CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
214  CHECK(ecount == 2);
215  CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
216  CHECK(ecount2 == 14);
217  CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
218  CHECK(ecount == 3);
219  CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
220  CHECK(ecount == 3);
221  CHECK(secp256k1_context_randomize(vrfy, ctmp) == 0);
222  CHECK(ecount == 4);
223  CHECK(secp256k1_context_randomize(sign, NULL) == 1);
224  CHECK(ecount2 == 14);
225  secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
226  secp256k1_context_set_illegal_callback(sign, NULL, NULL);
227 
228  /* This shouldn't leak memory, due to already-set tests. */
229  secp256k1_ecmult_gen_context_build(&sign->ecmult_gen_ctx, NULL);
230  secp256k1_ecmult_context_build(&vrfy->ecmult_ctx, NULL);
231 
232  /* obtain a working nonce */
233  do {
234  random_scalar_order_test(&nonce);
235  } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
236 
237  /* try signing */
238  CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
239  CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
240 
241  /* try verifying */
242  CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
243  CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
244 
245  /* cleanup */
246  secp256k1_context_destroy(none);
247  secp256k1_context_destroy(sign);
248  secp256k1_context_destroy(vrfy);
249  secp256k1_context_destroy(both);
250  /* Defined as no-op. */
251  secp256k1_context_destroy(NULL);
252 }
253 
254 void run_scratch_tests(void) {
255  int32_t ecount = 0;
256  secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
257  secp256k1_scratch_space *scratch;
258 
259  /* Test public API */
260  secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
261 
262  scratch = secp256k1_scratch_space_create(none, 1000);
263  CHECK(scratch != NULL);
264  CHECK(ecount == 0);
265 
266  /* Test internal API */
267  CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
268  CHECK(secp256k1_scratch_max_allocation(scratch, 1) < 1000);
269 
270  /* Allocating 500 bytes with no frame fails */
271  CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL);
272  CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
273 
274  /* ...but pushing a new stack frame does affect the max allocation */
275  CHECK(secp256k1_scratch_allocate_frame(scratch, 500, 1 == 1));
276  CHECK(secp256k1_scratch_max_allocation(scratch, 1) < 500); /* 500 - ALIGNMENT */
277  CHECK(secp256k1_scratch_alloc(scratch, 500) != NULL);
278  CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL);
279 
280  CHECK(secp256k1_scratch_allocate_frame(scratch, 500, 1) == 0);
281 
282  /* ...and this effect is undone by popping the frame */
283  secp256k1_scratch_deallocate_frame(scratch);
284  CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
285  CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL);
286 
287  /* cleanup */
288  secp256k1_scratch_space_destroy(scratch);
289  secp256k1_context_destroy(none);
290 }
291 
292 /***** HASH TESTS *****/
293 
294 void run_sha256_tests(void) {
295  static const char *inputs[8] = {
296  "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
297  "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
298  "For this sample, this 63-byte string will be used as input data",
299  "This is exactly 64 bytes long, not counting the terminating byte"
300  };
301  static const unsigned char outputs[8][32] = {
302  {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
303  {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
304  {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
305  {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
306  {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
307  {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
308  {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
309  {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
310  };
311  int i;
312  for (i = 0; i < 8; i++) {
313  unsigned char out[32];
314  secp256k1_sha256 hasher;
315  secp256k1_sha256_initialize(&hasher);
316  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
317  secp256k1_sha256_finalize(&hasher, out);
318  CHECK(memcmp(out, outputs[i], 32) == 0);
319  if (strlen(inputs[i]) > 0) {
320  int split = secp256k1_rand_int(strlen(inputs[i]));
321  secp256k1_sha256_initialize(&hasher);
322  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
323  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
324  secp256k1_sha256_finalize(&hasher, out);
325  CHECK(memcmp(out, outputs[i], 32) == 0);
326  }
327  }
328 }
329 
330 void run_hmac_sha256_tests(void) {
331  static const char *keys[6] = {
332  "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
333  "\x4a\x65\x66\x65",
334  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
335  "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
336  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
337  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
338  };
339  static const char *inputs[6] = {
340  "\x48\x69\x20\x54\x68\x65\x72\x65",
341  "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
342  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
343  "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
344  "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
345  "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
346  };
347  static const unsigned char outputs[6][32] = {
348  {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
349  {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
350  {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
351  {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
352  {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
353  {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
354  };
355  int i;
356  for (i = 0; i < 6; i++) {
357  secp256k1_hmac_sha256 hasher;
358  unsigned char out[32];
359  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
360  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
361  secp256k1_hmac_sha256_finalize(&hasher, out);
362  CHECK(memcmp(out, outputs[i], 32) == 0);
363  if (strlen(inputs[i]) > 0) {
364  int split = secp256k1_rand_int(strlen(inputs[i]));
365  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
366  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
367  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
368  secp256k1_hmac_sha256_finalize(&hasher, out);
369  CHECK(memcmp(out, outputs[i], 32) == 0);
370  }
371  }
372 }
373 
374 void run_rfc6979_hmac_sha256_tests(void) {
375  static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
376  static const unsigned char out1[3][32] = {
377  {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
378  {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
379  {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
380  };
381 
382  static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
383  static const unsigned char out2[3][32] = {
384  {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
385  {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
386  {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
387  };
388 
389  secp256k1_rfc6979_hmac_sha256 rng;
390  unsigned char out[32];
391  int i;
392 
393  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
394  for (i = 0; i < 3; i++) {
395  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
396  CHECK(memcmp(out, out1[i], 32) == 0);
397  }
398  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
399 
400  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
401  for (i = 0; i < 3; i++) {
402  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
403  CHECK(memcmp(out, out1[i], 32) != 0);
404  }
405  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
406 
407  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
408  for (i = 0; i < 3; i++) {
409  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
410  CHECK(memcmp(out, out2[i], 32) == 0);
411  }
412  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
413 }
414 
415 /***** RANDOM TESTS *****/
416 
417 void test_rand_bits(int rand32, int bits) {
418  /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
419  * get a false negative chance below once in a billion */
420  static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
421  /* We try multiplying the results with various odd numbers, which shouldn't
422  * influence the uniform distribution modulo a power of 2. */
423  static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
424  /* We only select up to 6 bits from the output to analyse */
425  unsigned int usebits = bits > 6 ? 6 : bits;
426  unsigned int maxshift = bits - usebits;
427  /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
428  number, track all observed outcomes, one per bit in a uint64_t. */
429  uint64_t x[6][27] = {{0}};
430  unsigned int i, shift, m;
431  /* Multiply the output of all rand calls with the odd number m, which
432  should not change the uniformity of its distribution. */
433  for (i = 0; i < rounds[usebits]; i++) {
434  uint32_t r = (rand32 ? secp256k1_rand32() : secp256k1_rand_bits(bits));
435  CHECK((((uint64_t)r) >> bits) == 0);
436  for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
437  uint32_t rm = r * mults[m];
438  for (shift = 0; shift <= maxshift; shift++) {
439  x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
440  }
441  }
442  }
443  for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
444  for (shift = 0; shift <= maxshift; shift++) {
445  /* Test that the lower usebits bits of x[shift] are 1 */
446  CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
447  }
448  }
449 }
450 
451 /* Subrange must be a whole divisor of range, and at most 64 */
452 void test_rand_int(uint32_t range, uint32_t subrange) {
453  /* (1-1/subrange)^rounds < 1/10^9 */
454  int rounds = (subrange * 2073) / 100;
455  int i;
456  uint64_t x = 0;
457  CHECK((range % subrange) == 0);
458  for (i = 0; i < rounds; i++) {
459  uint32_t r = secp256k1_rand_int(range);
460  CHECK(r < range);
461  r = r % subrange;
462  x |= (((uint64_t)1) << r);
463  }
464  /* Test that the lower subrange bits of x are 1. */
465  CHECK(((~x) << (64 - subrange)) == 0);
466 }
467 
468 void run_rand_bits(void) {
469  size_t b;
470  test_rand_bits(1, 32);
471  for (b = 1; b <= 32; b++) {
472  test_rand_bits(0, b);
473  }
474 }
475 
476 void run_rand_int(void) {
477  static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
478  static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
479  unsigned int m, s;
480  for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
481  for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
482  test_rand_int(ms[m] * ss[s], ss[s]);
483  }
484  }
485 }
486 
487 /***** NUM TESTS *****/
488 
489 #ifndef USE_NUM_NONE
490 void random_num_negate(secp256k1_num *num) {
491  if (secp256k1_rand_bits(1)) {
492  secp256k1_num_negate(num);
493  }
494 }
495 
496 void random_num_order_test(secp256k1_num *num) {
497  secp256k1_scalar sc;
498  random_scalar_order_test(&sc);
499  secp256k1_scalar_get_num(num, &sc);
500 }
501 
502 void random_num_order(secp256k1_num *num) {
503  secp256k1_scalar sc;
504  random_scalar_order(&sc);
505  secp256k1_scalar_get_num(num, &sc);
506 }
507 
508 void test_num_negate(void) {
509  secp256k1_num n1;
510  secp256k1_num n2;
511  random_num_order_test(&n1); /* n1 = R */
512  random_num_negate(&n1);
513  secp256k1_num_copy(&n2, &n1); /* n2 = R */
514  secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
515  CHECK(secp256k1_num_is_zero(&n1));
516  secp256k1_num_copy(&n1, &n2); /* n1 = R */
517  secp256k1_num_negate(&n1); /* n1 = -R */
518  CHECK(!secp256k1_num_is_zero(&n1));
519  secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
520  CHECK(secp256k1_num_is_zero(&n1));
521  secp256k1_num_copy(&n1, &n2); /* n1 = R */
522  secp256k1_num_negate(&n1); /* n1 = -R */
523  CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
524  secp256k1_num_negate(&n1); /* n1 = R */
525  CHECK(secp256k1_num_eq(&n1, &n2));
526 }
527 
528 void test_num_add_sub(void) {
529  int i;
530  secp256k1_scalar s;
531  secp256k1_num n1;
532  secp256k1_num n2;
533  secp256k1_num n1p2, n2p1, n1m2, n2m1;
534  random_num_order_test(&n1); /* n1 = R1 */
535  if (secp256k1_rand_bits(1)) {
536  random_num_negate(&n1);
537  }
538  random_num_order_test(&n2); /* n2 = R2 */
539  if (secp256k1_rand_bits(1)) {
540  random_num_negate(&n2);
541  }
542  secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
543  secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
544  secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
545  secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
546  CHECK(secp256k1_num_eq(&n1p2, &n2p1));
547  CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
548  secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
549  CHECK(secp256k1_num_eq(&n2m1, &n1m2));
550  CHECK(!secp256k1_num_eq(&n2m1, &n1));
551  secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
552  CHECK(secp256k1_num_eq(&n2m1, &n1));
553  CHECK(!secp256k1_num_eq(&n2p1, &n1));
554  secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
555  CHECK(secp256k1_num_eq(&n2p1, &n1));
556 
557  /* check is_one */
558  secp256k1_scalar_set_int(&s, 1);
559  secp256k1_scalar_get_num(&n1, &s);
560  CHECK(secp256k1_num_is_one(&n1));
561  /* check that 2^n + 1 is never 1 */
562  secp256k1_scalar_get_num(&n2, &s);
563  for (i = 0; i < 250; ++i) {
564  secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */
565  secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */
566  CHECK(!secp256k1_num_is_one(&n1p2));
567  }
568 }
569 
570 void test_num_mod(void) {
571  int i;
572  secp256k1_scalar s;
573  secp256k1_num order, n;
574 
575  /* check that 0 mod anything is 0 */
576  random_scalar_order_test(&s);
577  secp256k1_scalar_get_num(&order, &s);
578  secp256k1_scalar_set_int(&s, 0);
579  secp256k1_scalar_get_num(&n, &s);
580  secp256k1_num_mod(&n, &order);
581  CHECK(secp256k1_num_is_zero(&n));
582 
583  /* check that anything mod 1 is 0 */
584  secp256k1_scalar_set_int(&s, 1);
585  secp256k1_scalar_get_num(&order, &s);
586  secp256k1_scalar_get_num(&n, &s);
587  secp256k1_num_mod(&n, &order);
588  CHECK(secp256k1_num_is_zero(&n));
589 
590  /* check that increasing the number past 2^256 does not break this */
591  random_scalar_order_test(&s);
592  secp256k1_scalar_get_num(&n, &s);
593  /* multiply by 2^8, which'll test this case with high probability */
594  for (i = 0; i < 8; ++i) {
595  secp256k1_num_add(&n, &n, &n);
596  }
597  secp256k1_num_mod(&n, &order);
598  CHECK(secp256k1_num_is_zero(&n));
599 }
600 
601 void test_num_jacobi(void) {
602  secp256k1_scalar sqr;
603  secp256k1_scalar small;
604  secp256k1_scalar five; /* five is not a quadratic residue */
605  secp256k1_num order, n;
606  int i;
607  /* squares mod 5 are 1, 4 */
608  const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
609 
610  /* check some small values with 5 as the order */
611  secp256k1_scalar_set_int(&five, 5);
612  secp256k1_scalar_get_num(&order, &five);
613  for (i = 0; i < 10; ++i) {
614  secp256k1_scalar_set_int(&small, i);
615  secp256k1_scalar_get_num(&n, &small);
616  CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
617  }
618 
620  secp256k1_scalar_get_num(&order, &five);
621  /* we first need a scalar which is not a multiple of 5 */
622  do {
623  secp256k1_num fiven;
624  random_scalar_order_test(&sqr);
625  secp256k1_scalar_get_num(&fiven, &five);
626  secp256k1_scalar_get_num(&n, &sqr);
627  secp256k1_num_mod(&n, &fiven);
628  } while (secp256k1_num_is_zero(&n));
629  /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
630  * just multiply by two, i.e. add the number to itself */
631  if (secp256k1_num_jacobi(&n, &order) == -1) {
632  secp256k1_num_add(&n, &n, &n);
633  }
634 
635  /* test residue */
636  CHECK(secp256k1_num_jacobi(&n, &order) == 1);
637  /* test nonresidue */
638  secp256k1_num_add(&n, &n, &n);
639  CHECK(secp256k1_num_jacobi(&n, &order) == -1);
640 
642  secp256k1_scalar_order_get_num(&order);
643  random_scalar_order_test(&sqr);
644  secp256k1_scalar_sqr(&sqr, &sqr);
645  /* test residue */
646  secp256k1_scalar_get_num(&n, &sqr);
647  CHECK(secp256k1_num_jacobi(&n, &order) == 1);
648  /* test nonresidue */
649  secp256k1_scalar_mul(&sqr, &sqr, &five);
650  secp256k1_scalar_get_num(&n, &sqr);
651  CHECK(secp256k1_num_jacobi(&n, &order) == -1);
652  /* test multiple of the order*/
653  CHECK(secp256k1_num_jacobi(&order, &order) == 0);
654 
655  /* check one less than the order */
656  secp256k1_scalar_set_int(&small, 1);
657  secp256k1_scalar_get_num(&n, &small);
658  secp256k1_num_sub(&n, &order, &n);
659  CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */
660 }
661 
662 void run_num_smalltests(void) {
663  int i;
664  for (i = 0; i < 100*count; i++) {
665  test_num_negate();
666  test_num_add_sub();
667  test_num_mod();
668  test_num_jacobi();
669  }
670 }
671 #endif
672 
673 /***** SCALAR TESTS *****/
674 
675 void scalar_test(void) {
676  secp256k1_scalar s;
677  secp256k1_scalar s1;
678  secp256k1_scalar s2;
679 #ifndef USE_NUM_NONE
680  secp256k1_num snum, s1num, s2num;
681  secp256k1_num order, half_order;
682 #endif
683  unsigned char c[32];
684 
685  /* Set 's' to a random scalar, with value 'snum'. */
686  random_scalar_order_test(&s);
687 
688  /* Set 's1' to a random scalar, with value 's1num'. */
689  random_scalar_order_test(&s1);
690 
691  /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
692  random_scalar_order_test(&s2);
693  secp256k1_scalar_get_b32(c, &s2);
694 
695 #ifndef USE_NUM_NONE
696  secp256k1_scalar_get_num(&snum, &s);
697  secp256k1_scalar_get_num(&s1num, &s1);
698  secp256k1_scalar_get_num(&s2num, &s2);
699 
700  secp256k1_scalar_order_get_num(&order);
701  half_order = order;
702  secp256k1_num_shift(&half_order, 1);
703 #endif
704 
705  {
706  int i;
707  /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
708  secp256k1_scalar n;
709  secp256k1_scalar_set_int(&n, 0);
710  for (i = 0; i < 256; i += 4) {
711  secp256k1_scalar t;
712  int j;
713  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
714  for (j = 0; j < 4; j++) {
715  secp256k1_scalar_add(&n, &n, &n);
716  }
717  secp256k1_scalar_add(&n, &n, &t);
718  }
719  CHECK(secp256k1_scalar_eq(&n, &s));
720  }
721 
722  {
723  /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
724  secp256k1_scalar n;
725  int i = 0;
726  secp256k1_scalar_set_int(&n, 0);
727  while (i < 256) {
728  secp256k1_scalar t;
729  int j;
730  int now = secp256k1_rand_int(15) + 1;
731  if (now + i > 256) {
732  now = 256 - i;
733  }
734  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
735  for (j = 0; j < now; j++) {
736  secp256k1_scalar_add(&n, &n, &n);
737  }
738  secp256k1_scalar_add(&n, &n, &t);
739  i += now;
740  }
741  CHECK(secp256k1_scalar_eq(&n, &s));
742  }
743 
744 #ifndef USE_NUM_NONE
745  {
746  /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
747  secp256k1_num rnum;
748  secp256k1_num r2num;
749  secp256k1_scalar r;
750  secp256k1_num_add(&rnum, &snum, &s2num);
751  secp256k1_num_mod(&rnum, &order);
752  secp256k1_scalar_add(&r, &s, &s2);
753  secp256k1_scalar_get_num(&r2num, &r);
754  CHECK(secp256k1_num_eq(&rnum, &r2num));
755  }
756 
757  {
758  /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
759  secp256k1_scalar r;
760  secp256k1_num r2num;
761  secp256k1_num rnum;
762  secp256k1_num_mul(&rnum, &snum, &s2num);
763  secp256k1_num_mod(&rnum, &order);
764  secp256k1_scalar_mul(&r, &s, &s2);
765  secp256k1_scalar_get_num(&r2num, &r);
766  CHECK(secp256k1_num_eq(&rnum, &r2num));
767  /* The result can only be zero if at least one of the factors was zero. */
768  CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
769  /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
770  CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
771  CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
772  }
773 
774  {
775  secp256k1_scalar neg;
776  secp256k1_num negnum;
777  secp256k1_num negnum2;
778  /* Check that comparison with zero matches comparison with zero on the number. */
779  CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
780  /* Check that comparison with the half order is equal to testing for high scalar. */
781  CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
782  secp256k1_scalar_negate(&neg, &s);
783  secp256k1_num_sub(&negnum, &order, &snum);
784  secp256k1_num_mod(&negnum, &order);
785  /* Check that comparison with the half order is equal to testing for high scalar after negation. */
786  CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
787  /* Negating should change the high property, unless the value was already zero. */
788  CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
789  secp256k1_scalar_get_num(&negnum2, &neg);
790  /* Negating a scalar should be equal to (order - n) mod order on the number. */
791  CHECK(secp256k1_num_eq(&negnum, &negnum2));
792  secp256k1_scalar_add(&neg, &neg, &s);
793  /* Adding a number to its negation should result in zero. */
794  CHECK(secp256k1_scalar_is_zero(&neg));
795  secp256k1_scalar_negate(&neg, &neg);
796  /* Negating zero should still result in zero. */
797  CHECK(secp256k1_scalar_is_zero(&neg));
798  }
799 
800  {
801  /* Test secp256k1_scalar_mul_shift_var. */
802  secp256k1_scalar r;
803  secp256k1_num one;
804  secp256k1_num rnum;
805  secp256k1_num rnum2;
806  unsigned char cone[1] = {0x01};
807  unsigned int shift = 256 + secp256k1_rand_int(257);
808  secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
809  secp256k1_num_mul(&rnum, &s1num, &s2num);
810  secp256k1_num_shift(&rnum, shift - 1);
811  secp256k1_num_set_bin(&one, cone, 1);
812  secp256k1_num_add(&rnum, &rnum, &one);
813  secp256k1_num_shift(&rnum, 1);
814  secp256k1_scalar_get_num(&rnum2, &r);
815  CHECK(secp256k1_num_eq(&rnum, &rnum2));
816  }
817 
818  {
819  /* test secp256k1_scalar_shr_int */
820  secp256k1_scalar r;
821  int i;
822  random_scalar_order_test(&r);
823  for (i = 0; i < 100; ++i) {
824  int low;
825  int shift = 1 + secp256k1_rand_int(15);
826  int expected = r.d[0] % (1 << shift);
827  low = secp256k1_scalar_shr_int(&r, shift);
828  CHECK(expected == low);
829  }
830  }
831 #endif
832 
833  {
834  /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
835  if (!secp256k1_scalar_is_zero(&s)) {
836  secp256k1_scalar inv;
837 #ifndef USE_NUM_NONE
838  secp256k1_num invnum;
839  secp256k1_num invnum2;
840 #endif
841  secp256k1_scalar_inverse(&inv, &s);
842 #ifndef USE_NUM_NONE
843  secp256k1_num_mod_inverse(&invnum, &snum, &order);
844  secp256k1_scalar_get_num(&invnum2, &inv);
845  CHECK(secp256k1_num_eq(&invnum, &invnum2));
846 #endif
847  secp256k1_scalar_mul(&inv, &inv, &s);
848  /* Multiplying a scalar with its inverse must result in one. */
849  CHECK(secp256k1_scalar_is_one(&inv));
850  secp256k1_scalar_inverse(&inv, &inv);
851  /* Inverting one must result in one. */
852  CHECK(secp256k1_scalar_is_one(&inv));
853 #ifndef USE_NUM_NONE
854  secp256k1_scalar_get_num(&invnum, &inv);
855  CHECK(secp256k1_num_is_one(&invnum));
856 #endif
857  }
858  }
859 
860  {
861  /* Test commutativity of add. */
862  secp256k1_scalar r1, r2;
863  secp256k1_scalar_add(&r1, &s1, &s2);
864  secp256k1_scalar_add(&r2, &s2, &s1);
865  CHECK(secp256k1_scalar_eq(&r1, &r2));
866  }
867 
868  {
869  secp256k1_scalar r1, r2;
870  secp256k1_scalar b;
871  int i;
872  /* Test add_bit. */
873  int bit = secp256k1_rand_bits(8);
874  secp256k1_scalar_set_int(&b, 1);
875  CHECK(secp256k1_scalar_is_one(&b));
876  for (i = 0; i < bit; i++) {
877  secp256k1_scalar_add(&b, &b, &b);
878  }
879  r1 = s1;
880  r2 = s1;
881  if (!secp256k1_scalar_add(&r1, &r1, &b)) {
882  /* No overflow happened. */
883  secp256k1_scalar_cadd_bit(&r2, bit, 1);
884  CHECK(secp256k1_scalar_eq(&r1, &r2));
885  /* cadd is a noop when flag is zero */
886  secp256k1_scalar_cadd_bit(&r2, bit, 0);
887  CHECK(secp256k1_scalar_eq(&r1, &r2));
888  }
889  }
890 
891  {
892  /* Test commutativity of mul. */
893  secp256k1_scalar r1, r2;
894  secp256k1_scalar_mul(&r1, &s1, &s2);
895  secp256k1_scalar_mul(&r2, &s2, &s1);
896  CHECK(secp256k1_scalar_eq(&r1, &r2));
897  }
898 
899  {
900  /* Test associativity of add. */
901  secp256k1_scalar r1, r2;
902  secp256k1_scalar_add(&r1, &s1, &s2);
903  secp256k1_scalar_add(&r1, &r1, &s);
904  secp256k1_scalar_add(&r2, &s2, &s);
905  secp256k1_scalar_add(&r2, &s1, &r2);
906  CHECK(secp256k1_scalar_eq(&r1, &r2));
907  }
908 
909  {
910  /* Test associativity of mul. */
911  secp256k1_scalar r1, r2;
912  secp256k1_scalar_mul(&r1, &s1, &s2);
913  secp256k1_scalar_mul(&r1, &r1, &s);
914  secp256k1_scalar_mul(&r2, &s2, &s);
915  secp256k1_scalar_mul(&r2, &s1, &r2);
916  CHECK(secp256k1_scalar_eq(&r1, &r2));
917  }
918 
919  {
920  /* Test distributitivity of mul over add. */
921  secp256k1_scalar r1, r2, t;
922  secp256k1_scalar_add(&r1, &s1, &s2);
923  secp256k1_scalar_mul(&r1, &r1, &s);
924  secp256k1_scalar_mul(&r2, &s1, &s);
925  secp256k1_scalar_mul(&t, &s2, &s);
926  secp256k1_scalar_add(&r2, &r2, &t);
927  CHECK(secp256k1_scalar_eq(&r1, &r2));
928  }
929 
930  {
931  /* Test square. */
932  secp256k1_scalar r1, r2;
933  secp256k1_scalar_sqr(&r1, &s1);
934  secp256k1_scalar_mul(&r2, &s1, &s1);
935  CHECK(secp256k1_scalar_eq(&r1, &r2));
936  }
937 
938  {
939  /* Test multiplicative identity. */
940  secp256k1_scalar r1, v1;
941  secp256k1_scalar_set_int(&v1,1);
942  secp256k1_scalar_mul(&r1, &s1, &v1);
943  CHECK(secp256k1_scalar_eq(&r1, &s1));
944  }
945 
946  {
947  /* Test additive identity. */
948  secp256k1_scalar r1, v0;
949  secp256k1_scalar_set_int(&v0,0);
950  secp256k1_scalar_add(&r1, &s1, &v0);
951  CHECK(secp256k1_scalar_eq(&r1, &s1));
952  }
953 
954  {
955  /* Test zero product property. */
956  secp256k1_scalar r1, v0;
957  secp256k1_scalar_set_int(&v0,0);
958  secp256k1_scalar_mul(&r1, &s1, &v0);
959  CHECK(secp256k1_scalar_eq(&r1, &v0));
960  }
961 
962 }
963 
964 void run_scalar_tests(void) {
965  int i;
966  for (i = 0; i < 128 * count; i++) {
967  scalar_test();
968  }
969 
970  {
971  /* (-1)+1 should be zero. */
972  secp256k1_scalar s, o;
973  secp256k1_scalar_set_int(&s, 1);
974  CHECK(secp256k1_scalar_is_one(&s));
975  secp256k1_scalar_negate(&o, &s);
976  secp256k1_scalar_add(&o, &o, &s);
977  CHECK(secp256k1_scalar_is_zero(&o));
978  secp256k1_scalar_negate(&o, &o);
979  CHECK(secp256k1_scalar_is_zero(&o));
980  }
981 
982 #ifndef USE_NUM_NONE
983  {
984  /* A scalar with value of the curve order should be 0. */
985  secp256k1_num order;
986  secp256k1_scalar zero;
987  unsigned char bin[32];
988  int overflow = 0;
989  secp256k1_scalar_order_get_num(&order);
990  secp256k1_num_get_bin(bin, 32, &order);
991  secp256k1_scalar_set_b32(&zero, bin, &overflow);
992  CHECK(overflow == 1);
993  CHECK(secp256k1_scalar_is_zero(&zero));
994  }
995 #endif
996 
997  {
998  /* Does check_overflow check catch all ones? */
999  static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1000  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1001  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1002  );
1003  CHECK(secp256k1_scalar_check_overflow(&overflowed));
1004  }
1005 
1006  {
1007  /* Static test vectors.
1008  * These were reduced from ~10^12 random vectors based on comparison-decision
1009  * and edge-case coverage on 32-bit and 64-bit implementations.
1010  * The responses were generated with Sage 5.9.
1011  */
1012  secp256k1_scalar x;
1013  secp256k1_scalar y;
1014  secp256k1_scalar z;
1015  secp256k1_scalar zz;
1016  secp256k1_scalar one;
1017  secp256k1_scalar r1;
1018  secp256k1_scalar r2;
1019 #if defined(USE_SCALAR_INV_NUM)
1020  secp256k1_scalar zzv;
1021 #endif
1022  int overflow;
1023  unsigned char chal[33][2][32] = {
1024  {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1025  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1026  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1027  0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1028  {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1029  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1030  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1031  0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1032  {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1033  0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1034  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1035  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1036  {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1037  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1038  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1039  0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1040  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1041  0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1042  0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1043  0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1044  {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1045  0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1046  0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1047  0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1048  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1049  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1050  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1051  0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1052  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1053  0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1054  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1055  0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1056  {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1057  0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1058  0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1059  0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1060  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1061  0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1062  0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1063  0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1064  {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1065  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1066  0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1067  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1068  {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1069  0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1070  0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1071  0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1072  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1073  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1074  0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1075  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1076  {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1077  0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1078  0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1079  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1080  {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1081  0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1082  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1083  0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1084  {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1085  0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1086  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1087  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1088  {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1089  0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1090  0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1091  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1092  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1093  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1094  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1095  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1096  {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1097  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1098  0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1099  0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1100  {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1101  0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1102  0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1103  0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1104  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1105  0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1106  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1107  0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1108  {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1109  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1110  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1111  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1112  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1113  0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1114  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1115  0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1116  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1117  0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1118  0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1119  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1120  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1121  0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1122  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1123  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1124  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1125  0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1126  0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1127  0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1128  {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1129  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1130  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1131  0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1132  {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1133  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1134  0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1135  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1136  {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1137  0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1138  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1139  0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1140  {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1141  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1142  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1143  0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1144  {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1145  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1146  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1147  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1148  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1149  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1150  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1151  0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1152  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1153  0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1154  0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1155  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1156  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1157  0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1158  0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1159  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1160  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1161  0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1162  0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1163  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1164  {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1165  0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1166  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1167  0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1168  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1169  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1170  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1171  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1172  {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1173  0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1174  0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1175  0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1176  {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1177  0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1178  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1179  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1180  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1181  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1182  0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1183  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1184  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1185  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1186  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1187  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1188  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1189  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1190  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1191  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1192  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1193  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1194  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1195  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1196  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1197  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1198  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1199  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1200  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1201  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1202  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1203  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1204  {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1205  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1206  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1207  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1208  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1209  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1210  0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1211  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1212  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1213  0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1214  0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1215  0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1216  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1217  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1218  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1219  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1220  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1221  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1222  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1223  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1224  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1225  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1226  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1227  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1228  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1229  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1230  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1231  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1232  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1233  0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1234  0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1235  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1236  {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1237  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1238  0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1239  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1240  {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1241  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1242  0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1243  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1244  {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1245  0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1246  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1247  0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1248  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1249  0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1250  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1251  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1252  {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1253  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1254  0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1255  0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1256  {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1257  0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1258  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1259  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1260  {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1261  0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1262  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1263  0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1264  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1265  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1266  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1267  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1268  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1269  0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1270  0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1271  0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1272  {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1273  0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1274  0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1275  0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1276  {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1277  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1278  0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1279  0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1280  {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1281  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1282  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1283  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1284  {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1285  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1286  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1287  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
1288  };
1289  unsigned char res[33][2][32] = {
1290  {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1291  0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1292  0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1293  0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1294  {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1295  0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1296  0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1297  0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1298  {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1299  0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1300  0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1301  0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1302  {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1303  0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1304  0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1305  0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1306  {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1307  0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1308  0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1309  0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1310  {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1311  0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1312  0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1313  0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1314  {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1315  0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1316  0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1317  0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1318  {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1319  0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1320  0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1321  0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1322  {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1323  0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1324  0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1325  0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1326  {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1327  0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1328  0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1329  0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1330  {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1331  0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1332  0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1333  0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1334  {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1335  0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1336  0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1337  0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1338  {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1339  0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1340  0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1341  0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1342  {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1343  0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1344  0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1345  0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1346  {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1347  0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1348  0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1349  0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1350  {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1351  0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1352  0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1353  0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1354  {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1355  0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1356  0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1357  0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1358  {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1359  0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1360  0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1361  0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1362  {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1363  0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1364  0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1365  0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1366  {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1367  0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1368  0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1369  0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1370  {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1371  0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1372  0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1373  0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1374  {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1375  0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1376  0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1377  0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1378  {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1379  0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1380  0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1381  0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1382  {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1383  0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1384  0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1385  0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1386  {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1387  0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1388  0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1389  0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1390  {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1391  0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1392  0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1393  0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1394  {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1395  0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1396  0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1397  0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1398  {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1399  0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1400  0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1401  0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1402  {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1403  0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1404  0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1405  0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1406  {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1407  0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1408  0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1409  0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1410  {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1411  0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1412  0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1413  0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1414  {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1415  0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1416  0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1417  0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1418  {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1419  0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1420  0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1421  0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1422  {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1423  0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1424  0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1425  0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1426  {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1427  0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1428  0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1429  0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1430  {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1431  0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1432  0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1433  0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1434  {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1435  0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1436  0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1437  0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1438  {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1439  0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1440  0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1441  0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1442  {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1443  0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1444  0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1445  0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1446  {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1447  0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1448  0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1449  0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1450  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1451  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1452  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1453  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1454  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1455  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1456  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1457  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1458  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1459  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1460  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1461  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1462  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1463  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1464  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1465  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1466  {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1467  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1468  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1469  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1470  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1471  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1472  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1473  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1474  {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1475  0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1476  0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1477  0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1478  {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1479  0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1480  0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1481  0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1482  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1483  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1484  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1485  0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1486  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1487  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1488  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1489  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1490  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1491  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1492  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1493  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1494  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1495  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1496  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1497  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1498  {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1499  0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1500  0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1501  0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1502  {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1503  0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1504  0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1505  0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1506  {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1507  0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1508  0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1509  0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1510  {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1511  0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1512  0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1513  0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1514  {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1515  0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1516  0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1517  0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1518  {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1519  0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1520  0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1521  0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1522  {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1523  0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1524  0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1525  0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1526  {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1527  0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1528  0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1529  0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1530  {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1531  0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1532  0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1533  0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1534  {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1535  0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1536  0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1537  0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1538  {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1539  0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1540  0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1541  0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1542  {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1543  0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1544  0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
1545  0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1546  {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1547  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1548  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1549  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1550  {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1551  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1552  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1553  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
1554  };
1555  secp256k1_scalar_set_int(&one, 1);
1556  for (i = 0; i < 33; i++) {
1557  secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1558  CHECK(!overflow);
1559  secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1560  CHECK(!overflow);
1561  secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1562  CHECK(!overflow);
1563  secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1564  CHECK(!overflow);
1565  secp256k1_scalar_mul(&z, &x, &y);
1566  CHECK(!secp256k1_scalar_check_overflow(&z));
1567  CHECK(secp256k1_scalar_eq(&r1, &z));
1568  if (!secp256k1_scalar_is_zero(&y)) {
1569  secp256k1_scalar_inverse(&zz, &y);
1570  CHECK(!secp256k1_scalar_check_overflow(&zz));
1571 #if defined(USE_SCALAR_INV_NUM)
1572  secp256k1_scalar_inverse_var(&zzv, &y);
1573  CHECK(secp256k1_scalar_eq(&zzv, &zz));
1574 #endif
1575  secp256k1_scalar_mul(&z, &z, &zz);
1576  CHECK(!secp256k1_scalar_check_overflow(&z));
1577  CHECK(secp256k1_scalar_eq(&x, &z));
1578  secp256k1_scalar_mul(&zz, &zz, &y);
1579  CHECK(!secp256k1_scalar_check_overflow(&zz));
1580  CHECK(secp256k1_scalar_eq(&one, &zz));
1581  }
1582  secp256k1_scalar_mul(&z, &x, &x);
1583  CHECK(!secp256k1_scalar_check_overflow(&z));
1584  secp256k1_scalar_sqr(&zz, &x);
1585  CHECK(!secp256k1_scalar_check_overflow(&zz));
1586  CHECK(secp256k1_scalar_eq(&zz, &z));
1587  CHECK(secp256k1_scalar_eq(&r2, &zz));
1588  }
1589  }
1590 }
1591 
1592 /***** FIELD TESTS *****/
1593 
1594 void random_fe(secp256k1_fe *x) {
1595  unsigned char bin[32];
1596  do {
1597  secp256k1_rand256(bin);
1598  if (secp256k1_fe_set_b32(x, bin)) {
1599  return;
1600  }
1601  } while(1);
1602 }
1603 
1604 void random_fe_test(secp256k1_fe *x) {
1605  unsigned char bin[32];
1606  do {
1607  secp256k1_rand256_test(bin);
1608  if (secp256k1_fe_set_b32(x, bin)) {
1609  return;
1610  }
1611  } while(1);
1612 }
1613 
1614 void random_fe_non_zero(secp256k1_fe *nz) {
1615  int tries = 10;
1616  while (--tries >= 0) {
1617  random_fe(nz);
1618  secp256k1_fe_normalize(nz);
1619  if (!secp256k1_fe_is_zero(nz)) {
1620  break;
1621  }
1622  }
1623  /* Infinitesimal probability of spurious failure here */
1624  CHECK(tries >= 0);
1625 }
1626 
1627 void random_fe_non_square(secp256k1_fe *ns) {
1628  secp256k1_fe r;
1629  random_fe_non_zero(ns);
1630  if (secp256k1_fe_sqrt(&r, ns)) {
1631  secp256k1_fe_negate(ns, ns, 1);
1632  }
1633 }
1634 
1635 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1636  secp256k1_fe an = *a;
1637  secp256k1_fe bn = *b;
1638  secp256k1_fe_normalize_weak(&an);
1639  secp256k1_fe_normalize_var(&bn);
1640  return secp256k1_fe_equal_var(&an, &bn);
1641 }
1642 
1643 int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) {
1644  secp256k1_fe x;
1645  secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
1646  secp256k1_fe_mul(&x, a, ai);
1647  return check_fe_equal(&x, &one);
1648 }
1649 
1650 void run_field_convert(void) {
1651  static const unsigned char b32[32] = {
1652  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1653  0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1654  0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1655  0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1656  };
1657  static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
1658  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1659  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1660  );
1661  static const secp256k1_fe fe = SECP256K1_FE_CONST(
1662  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1663  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1664  );
1665  secp256k1_fe fe2;
1666  unsigned char b322[32];
1667  secp256k1_fe_storage fes2;
1668  /* Check conversions to fe. */
1669  CHECK(secp256k1_fe_set_b32(&fe2, b32));
1670  CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1671  secp256k1_fe_from_storage(&fe2, &fes);
1672  CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1673  /* Check conversion from fe. */
1674  secp256k1_fe_get_b32(b322, &fe);
1675  CHECK(memcmp(b322, b32, 32) == 0);
1676  secp256k1_fe_to_storage(&fes2, &fe);
1677  CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0);
1678 }
1679 
1680 int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b) {
1681  secp256k1_fe t = *b;
1682 #ifdef VERIFY
1683  t.magnitude = a->magnitude;
1684  t.normalized = a->normalized;
1685 #endif
1686  return memcmp(a, &t, sizeof(secp256k1_fe));
1687 }
1688 
1689 void run_field_misc(void) {
1690  secp256k1_fe x;
1691  secp256k1_fe y;
1692  secp256k1_fe z;
1693  secp256k1_fe q;
1694  secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
1695  int i, j;
1696  for (i = 0; i < 5*count; i++) {
1697  secp256k1_fe_storage xs, ys, zs;
1698  random_fe(&x);
1699  random_fe_non_zero(&y);
1700  /* Test the fe equality and comparison operations. */
1701  CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
1702  CHECK(secp256k1_fe_equal_var(&x, &x));
1703  z = x;
1704  secp256k1_fe_add(&z,&y);
1705  /* Test fe conditional move; z is not normalized here. */
1706  q = x;
1707  secp256k1_fe_cmov(&x, &z, 0);
1708  VERIFY_CHECK(!x.normalized && x.magnitude == z.magnitude);
1709  secp256k1_fe_cmov(&x, &x, 1);
1710  CHECK(fe_memcmp(&x, &z) != 0);
1711  CHECK(fe_memcmp(&x, &q) == 0);
1712  secp256k1_fe_cmov(&q, &z, 1);
1713  VERIFY_CHECK(!q.normalized && q.magnitude == z.magnitude);
1714  CHECK(fe_memcmp(&q, &z) == 0);
1715  secp256k1_fe_normalize_var(&x);
1716  secp256k1_fe_normalize_var(&z);
1717  CHECK(!secp256k1_fe_equal_var(&x, &z));
1718  secp256k1_fe_normalize_var(&q);
1719  secp256k1_fe_cmov(&q, &z, (i&1));
1720  VERIFY_CHECK(q.normalized && q.magnitude == 1);
1721  for (j = 0; j < 6; j++) {
1722  secp256k1_fe_negate(&z, &z, j+1);
1723  secp256k1_fe_normalize_var(&q);
1724  secp256k1_fe_cmov(&q, &z, (j&1));
1725  VERIFY_CHECK(!q.normalized && q.magnitude == (j+2));
1726  }
1727  secp256k1_fe_normalize_var(&z);
1728  /* Test storage conversion and conditional moves. */
1729  secp256k1_fe_to_storage(&xs, &x);
1730  secp256k1_fe_to_storage(&ys, &y);
1731  secp256k1_fe_to_storage(&zs, &z);
1732  secp256k1_fe_storage_cmov(&zs, &xs, 0);
1733  secp256k1_fe_storage_cmov(&zs, &zs, 1);
1734  CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0);
1735  secp256k1_fe_storage_cmov(&ys, &xs, 1);
1736  CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0);
1737  secp256k1_fe_from_storage(&x, &xs);
1738  secp256k1_fe_from_storage(&y, &ys);
1739  secp256k1_fe_from_storage(&z, &zs);
1740  /* Test that mul_int, mul, and add agree. */
1741  secp256k1_fe_add(&y, &x);
1742  secp256k1_fe_add(&y, &x);
1743  z = x;
1744  secp256k1_fe_mul_int(&z, 3);
1745  CHECK(check_fe_equal(&y, &z));
1746  secp256k1_fe_add(&y, &x);
1747  secp256k1_fe_add(&z, &x);
1748  CHECK(check_fe_equal(&z, &y));
1749  z = x;
1750  secp256k1_fe_mul_int(&z, 5);
1751  secp256k1_fe_mul(&q, &x, &fe5);
1752  CHECK(check_fe_equal(&z, &q));
1753  secp256k1_fe_negate(&x, &x, 1);
1754  secp256k1_fe_add(&z, &x);
1755  secp256k1_fe_add(&q, &x);
1756  CHECK(check_fe_equal(&y, &z));
1757  CHECK(check_fe_equal(&q, &y));
1758  }
1759 }
1760 
1761 void run_field_inv(void) {
1762  secp256k1_fe x, xi, xii;
1763  int i;
1764  for (i = 0; i < 10*count; i++) {
1765  random_fe_non_zero(&x);
1766  secp256k1_fe_inv(&xi, &x);
1767  CHECK(check_fe_inverse(&x, &xi));
1768  secp256k1_fe_inv(&xii, &xi);
1769  CHECK(check_fe_equal(&x, &xii));
1770  }
1771 }
1772 
1773 void run_field_inv_var(void) {
1774  secp256k1_fe x, xi, xii;
1775  int i;
1776  for (i = 0; i < 10*count; i++) {
1777  random_fe_non_zero(&x);
1778  secp256k1_fe_inv_var(&xi, &x);
1779  CHECK(check_fe_inverse(&x, &xi));
1780  secp256k1_fe_inv_var(&xii, &xi);
1781  CHECK(check_fe_equal(&x, &xii));
1782  }
1783 }
1784 
1785 void run_field_inv_all_var(void) {
1786  secp256k1_fe x[16], xi[16], xii[16];
1787  int i;
1788  /* Check it's safe to call for 0 elements */
1789  secp256k1_fe_inv_all_var(xi, x, 0);
1790  for (i = 0; i < count; i++) {
1791  size_t j;
1792  size_t len = secp256k1_rand_int(15) + 1;
1793  for (j = 0; j < len; j++) {
1794  random_fe_non_zero(&x[j]);
1795  }
1796  secp256k1_fe_inv_all_var(xi, x, len);
1797  for (j = 0; j < len; j++) {
1798  CHECK(check_fe_inverse(&x[j], &xi[j]));
1799  }
1800  secp256k1_fe_inv_all_var(xii, xi, len);
1801  for (j = 0; j < len; j++) {
1802  CHECK(check_fe_equal(&x[j], &xii[j]));
1803  }
1804  }
1805 }
1806 
1807 void run_sqr(void) {
1808  secp256k1_fe x, s;
1809 
1810  {
1811  int i;
1812  secp256k1_fe_set_int(&x, 1);
1813  secp256k1_fe_negate(&x, &x, 1);
1814 
1815  for (i = 1; i <= 512; ++i) {
1816  secp256k1_fe_mul_int(&x, 2);
1817  secp256k1_fe_normalize(&x);
1818  secp256k1_fe_sqr(&s, &x);
1819  }
1820  }
1821 }
1822 
1823 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
1824  secp256k1_fe r1, r2;
1825  int v = secp256k1_fe_sqrt(&r1, a);
1826  CHECK((v == 0) == (k == NULL));
1827 
1828  if (k != NULL) {
1829  /* Check that the returned root is +/- the given known answer */
1830  secp256k1_fe_negate(&r2, &r1, 1);
1831  secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
1832  secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
1833  CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
1834  }
1835 }
1836 
1837 void run_sqrt(void) {
1838  secp256k1_fe ns, x, s, t;
1839  int i;
1840 
1841  /* Check sqrt(0) is 0 */
1842  secp256k1_fe_set_int(&x, 0);
1843  secp256k1_fe_sqr(&s, &x);
1844  test_sqrt(&s, &x);
1845 
1846  /* Check sqrt of small squares (and their negatives) */
1847  for (i = 1; i <= 100; i++) {
1848  secp256k1_fe_set_int(&x, i);
1849  secp256k1_fe_sqr(&s, &x);
1850  test_sqrt(&s, &x);
1851  secp256k1_fe_negate(&t, &s, 1);
1852  test_sqrt(&t, NULL);
1853  }
1854 
1855  /* Consistency checks for large random values */
1856  for (i = 0; i < 10; i++) {
1857  int j;
1858  random_fe_non_square(&ns);
1859  for (j = 0; j < count; j++) {
1860  random_fe(&x);
1861  secp256k1_fe_sqr(&s, &x);
1862  test_sqrt(&s, &x);
1863  secp256k1_fe_negate(&t, &s, 1);
1864  test_sqrt(&t, NULL);
1865  secp256k1_fe_mul(&t, &s, &ns);
1866  test_sqrt(&t, NULL);
1867  }
1868  }
1869 }
1870 
1871 /***** GROUP TESTS *****/
1872 
1873 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
1874  CHECK(a->infinity == b->infinity);
1875  if (a->infinity) {
1876  return;
1877  }
1878  CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
1879  CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
1880 }
1881 
1882 /* This compares jacobian points including their Z, not just their geometric meaning. */
1883 int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
1884  secp256k1_gej a2;
1885  secp256k1_gej b2;
1886  int ret = 1;
1887  ret &= a->infinity == b->infinity;
1888  if (ret && !a->infinity) {
1889  a2 = *a;
1890  b2 = *b;
1891  secp256k1_fe_normalize(&a2.x);
1892  secp256k1_fe_normalize(&a2.y);
1893  secp256k1_fe_normalize(&a2.z);
1894  secp256k1_fe_normalize(&b2.x);
1895  secp256k1_fe_normalize(&b2.y);
1896  secp256k1_fe_normalize(&b2.z);
1897  ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
1898  ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
1899  ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
1900  }
1901  return ret;
1902 }
1903 
1904 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
1905  secp256k1_fe z2s;
1906  secp256k1_fe u1, u2, s1, s2;
1907  CHECK(a->infinity == b->infinity);
1908  if (a->infinity) {
1909  return;
1910  }
1911  /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
1912  secp256k1_fe_sqr(&z2s, &b->z);
1913  secp256k1_fe_mul(&u1, &a->x, &z2s);
1914  u2 = b->x; secp256k1_fe_normalize_weak(&u2);
1915  secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
1916  s2 = b->y; secp256k1_fe_normalize_weak(&s2);
1917  CHECK(secp256k1_fe_equal_var(&u1, &u2));
1918  CHECK(secp256k1_fe_equal_var(&s1, &s2));
1919 }
1920 
1921 void test_ge(void) {
1922  int i, i1;
1923 #ifdef USE_ENDOMORPHISM
1924  int runs = 6;
1925 #else
1926  int runs = 4;
1927 #endif
1928  /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
1929  * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
1930  * All magnitudes are randomized.
1931  * All 17*17 combinations of points are added to each other, using all applicable methods.
1932  *
1933  * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well.
1934  */
1935  secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
1936  secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
1937  secp256k1_fe *zinv = (secp256k1_fe *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
1938  secp256k1_fe zf;
1939  secp256k1_fe zfi2, zfi3;
1940 
1941  secp256k1_gej_set_infinity(&gej[0]);
1942  secp256k1_ge_clear(&ge[0]);
1943  secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
1944  for (i = 0; i < runs; i++) {
1945  int j;
1946  secp256k1_ge g;
1947  random_group_element_test(&g);
1948 #ifdef USE_ENDOMORPHISM
1949  if (i >= runs - 2) {
1950  secp256k1_ge_mul_lambda(&g, &ge[1]);
1951  }
1952  if (i >= runs - 1) {
1953  secp256k1_ge_mul_lambda(&g, &g);
1954  }
1955 #endif
1956  ge[1 + 4 * i] = g;
1957  ge[2 + 4 * i] = g;
1958  secp256k1_ge_neg(&ge[3 + 4 * i], &g);
1959  secp256k1_ge_neg(&ge[4 + 4 * i], &g);
1960  secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
1961  random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
1962  secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
1963  random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
1964  for (j = 0; j < 4; j++) {
1965  random_field_element_magnitude(&ge[1 + j + 4 * i].x);
1966  random_field_element_magnitude(&ge[1 + j + 4 * i].y);
1967  random_field_element_magnitude(&gej[1 + j + 4 * i].x);
1968  random_field_element_magnitude(&gej[1 + j + 4 * i].y);
1969  random_field_element_magnitude(&gej[1 + j + 4 * i].z);
1970  }
1971  }
1972 
1973  /* Compute z inverses. */
1974  {
1975  secp256k1_fe *zs = checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
1976  for (i = 0; i < 4 * runs + 1; i++) {
1977  if (i == 0) {
1978  /* The point at infinity does not have a meaningful z inverse. Any should do. */
1979  do {
1980  random_field_element_test(&zs[i]);
1981  } while(secp256k1_fe_is_zero(&zs[i]));
1982  } else {
1983  zs[i] = gej[i].z;
1984  }
1985  }
1986  secp256k1_fe_inv_all_var(zinv, zs, 4 * runs + 1);
1987  free(zs);
1988  }
1989 
1990  /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
1991  do {
1992  random_field_element_test(&zf);
1993  } while(secp256k1_fe_is_zero(&zf));
1994  random_field_element_magnitude(&zf);
1995  secp256k1_fe_inv_var(&zfi3, &zf);
1996  secp256k1_fe_sqr(&zfi2, &zfi3);
1997  secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
1998 
1999  for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
2000  int i2;
2001  for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
2002  /* Compute reference result using gej + gej (var). */
2003  secp256k1_gej refj, resj;
2004  secp256k1_ge ref;
2005  secp256k1_fe zr;
2006  secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2007  /* Check Z ratio. */
2008  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
2009  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2010  CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
2011  }
2012  secp256k1_ge_set_gej_var(&ref, &refj);
2013 
2014  /* Test gej + ge with Z ratio result (var). */
2015  secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2016  ge_equals_gej(&ref, &resj);
2017  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
2018  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2019  CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
2020  }
2021 
2022  /* Test gej + ge (var, with additional Z factor). */
2023  {
2024  secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
2025  secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
2026  secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
2027  random_field_element_magnitude(&ge2_zfi.x);
2028  random_field_element_magnitude(&ge2_zfi.y);
2029  secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
2030  ge_equals_gej(&ref, &resj);
2031  }
2032 
2033  /* Test gej + ge (const). */
2034  if (i2 != 0) {
2035  /* secp256k1_gej_add_ge does not support its second argument being infinity. */
2036  secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
2037  ge_equals_gej(&ref, &resj);
2038  }
2039 
2040  /* Test doubling (var). */
2041  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
2042  secp256k1_fe zr2;
2043  /* Normal doubling with Z ratio result. */
2044  secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
2045  ge_equals_gej(&ref, &resj);
2046  /* Check Z ratio. */
2047  secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2048  CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2049  /* Normal doubling. */
2050  secp256k1_gej_double_var(&resj, &gej[i2], NULL);
2051  ge_equals_gej(&ref, &resj);
2052  }
2053 
2054  /* Test adding opposites. */
2055  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2056  CHECK(secp256k1_ge_is_infinity(&ref));
2057  }
2058 
2059  /* Test adding infinity. */
2060  if (i1 == 0) {
2061  CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2062  CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2063  ge_equals_gej(&ref, &gej[i2]);
2064  }
2065  if (i2 == 0) {
2066  CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2067  CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2068  ge_equals_gej(&ref, &gej[i1]);
2069  }
2070  }
2071  }
2072 
2073  /* Test adding all points together in random order equals infinity. */
2074  {
2075  secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
2076  secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
2077  for (i = 0; i < 4 * runs + 1; i++) {
2078  gej_shuffled[i] = gej[i];
2079  }
2080  for (i = 0; i < 4 * runs + 1; i++) {
2081  int swap = i + secp256k1_rand_int(4 * runs + 1 - i);
2082  if (swap != i) {
2083  secp256k1_gej t = gej_shuffled[i];
2084  gej_shuffled[i] = gej_shuffled[swap];
2085  gej_shuffled[swap] = t;
2086  }
2087  }
2088  for (i = 0; i < 4 * runs + 1; i++) {
2089  secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
2090  }
2091  CHECK(secp256k1_gej_is_infinity(&sum));
2092  free(gej_shuffled);
2093  }
2094 
2095  /* Test batch gej -> ge conversion with and without known z ratios. */
2096  {
2097  secp256k1_fe *zr = (secp256k1_fe *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_fe));
2098  secp256k1_ge *ge_set_table = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2099  secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2100  for (i = 0; i < 4 * runs + 1; i++) {
2101  /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
2102  if (i < 4 * runs) {
2103  secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
2104  }
2105  }
2106  secp256k1_ge_set_table_gej_var(ge_set_table, gej, zr, 4 * runs + 1);
2107  secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1, &ctx->error_callback);
2108  for (i = 0; i < 4 * runs + 1; i++) {
2109  secp256k1_fe s;
2110  random_fe_non_zero(&s);
2111  secp256k1_gej_rescale(&gej[i], &s);
2112  ge_equals_gej(&ge_set_table[i], &gej[i]);
2113  ge_equals_gej(&ge_set_all[i], &gej[i]);
2114  }
2115  free(ge_set_table);
2116  free(ge_set_all);
2117  free(zr);
2118  }
2119 
2120  free(ge);
2121  free(gej);
2122  free(zinv);
2123 }
2124 
2125 void test_add_neg_y_diff_x(void) {
2126  /* The point of this test is to check that we can add two points
2127  * whose y-coordinates are negatives of each other but whose x
2128  * coordinates differ. If the x-coordinates were the same, these
2129  * points would be negatives of each other and their sum is
2130  * infinity. This is cool because it "covers up" any degeneracy
2131  * in the addition algorithm that would cause the xy coordinates
2132  * of the sum to be wrong (since infinity has no xy coordinates).
2133  * HOWEVER, if the x-coordinates are different, infinity is the
2134  * wrong answer, and such degeneracies are exposed. This is the
2135  * root of https://github.com/bitcoin-core/secp256k1/issues/257
2136  * which this test is a regression test for.
2137  *
2138  * These points were generated in sage as
2139  * # secp256k1 params
2140  * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2141  * C = EllipticCurve ([F (0), F (7)])
2142  * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2143  * N = FiniteField(G.order())
2144  *
2145  * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2146  * x = polygen(N)
2147  * lam = (1 - x^3).roots()[1][0]
2148  *
2149  * # random "bad pair"
2150  * P = C.random_element()
2151  * Q = -int(lam) * P
2152  * print " P: %x %x" % P.xy()
2153  * print " Q: %x %x" % Q.xy()
2154  * print "P + Q: %x %x" % (P + Q).xy()
2155  */
2156  secp256k1_gej aj = SECP256K1_GEJ_CONST(
2157  0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2158  0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2159  0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2160  0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2161  );
2162  secp256k1_gej bj = SECP256K1_GEJ_CONST(
2163  0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2164  0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2165  0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2166  0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2167  );
2168  secp256k1_gej sumj = SECP256K1_GEJ_CONST(
2169  0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2170  0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2171  0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2172  0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2173  );
2174  secp256k1_ge b;
2175  secp256k1_gej resj;
2176  secp256k1_ge res;
2177  secp256k1_ge_set_gej(&b, &bj);
2178 
2179  secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2180  secp256k1_ge_set_gej(&res, &resj);
2181  ge_equals_gej(&res, &sumj);
2182 
2183  secp256k1_gej_add_ge(&resj, &aj, &b);
2184  secp256k1_ge_set_gej(&res, &resj);
2185  ge_equals_gej(&res, &sumj);
2186 
2187  secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2188  secp256k1_ge_set_gej(&res, &resj);
2189  ge_equals_gej(&res, &sumj);
2190 }
2191 
2192 void run_ge(void) {
2193  int i;
2194  for (i = 0; i < count * 32; i++) {
2195  test_ge();
2196  }
2197  test_add_neg_y_diff_x();
2198 }
2199 
2200 void test_ec_combine(void) {
2201  secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2202  secp256k1_pubkey data[6];
2203  const secp256k1_pubkey* d[6];
2204  secp256k1_pubkey sd;
2205  secp256k1_pubkey sd2;
2206  secp256k1_gej Qj;
2207  secp256k1_ge Q;
2208  int i;
2209  for (i = 1; i <= 6; i++) {
2210  secp256k1_scalar s;
2211  random_scalar_order_test(&s);
2212  secp256k1_scalar_add(&sum, &sum, &s);
2213  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2214  secp256k1_ge_set_gej(&Q, &Qj);
2215  secp256k1_pubkey_save(&data[i - 1], &Q);
2216  d[i - 1] = &data[i - 1];
2217  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2218  secp256k1_ge_set_gej(&Q, &Qj);
2219  secp256k1_pubkey_save(&sd, &Q);
2220  CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
2221  CHECK(memcmp(&sd, &sd2, sizeof(sd)) == 0);
2222  }
2223 }
2224 
2225 void run_ec_combine(void) {
2226  int i;
2227  for (i = 0; i < count * 8; i++) {
2228  test_ec_combine();
2229  }
2230 }
2231 
2232 void test_group_decompress(const secp256k1_fe* x) {
2233  /* The input itself, normalized. */
2234  secp256k1_fe fex = *x;
2235  secp256k1_fe fez;
2236  /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2237  secp256k1_ge ge_quad, ge_even, ge_odd;
2238  secp256k1_gej gej_quad;
2239  /* Return values of the above calls. */
2240  int res_quad, res_even, res_odd;
2241 
2242  secp256k1_fe_normalize_var(&fex);
2243 
2244  res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
2245  res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2246  res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2247 
2248  CHECK(res_quad == res_even);
2249  CHECK(res_quad == res_odd);
2250 
2251  if (res_quad) {
2252  secp256k1_fe_normalize_var(&ge_quad.x);
2253  secp256k1_fe_normalize_var(&ge_odd.x);
2254  secp256k1_fe_normalize_var(&ge_even.x);
2255  secp256k1_fe_normalize_var(&ge_quad.y);
2256  secp256k1_fe_normalize_var(&ge_odd.y);
2257  secp256k1_fe_normalize_var(&ge_even.y);
2258 
2259  /* No infinity allowed. */
2260  CHECK(!ge_quad.infinity);
2261  CHECK(!ge_even.infinity);
2262  CHECK(!ge_odd.infinity);
2263 
2264  /* Check that the x coordinates check out. */
2265  CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2266  CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2267  CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2268 
2269  /* Check that the Y coordinate result in ge_quad is a square. */
2270  CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
2271 
2272  /* Check odd/even Y in ge_odd, ge_even. */
2273  CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2274  CHECK(!secp256k1_fe_is_odd(&ge_even.y));
2275 
2276  /* Check secp256k1_gej_has_quad_y_var. */
2277  secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2278  CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2279  do {
2280  random_fe_test(&fez);
2281  } while (secp256k1_fe_is_zero(&fez));
2282  secp256k1_gej_rescale(&gej_quad, &fez);
2283  CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2284  secp256k1_gej_neg(&gej_quad, &gej_quad);
2285  CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2286  do {
2287  random_fe_test(&fez);
2288  } while (secp256k1_fe_is_zero(&fez));
2289  secp256k1_gej_rescale(&gej_quad, &fez);
2290  CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2291  secp256k1_gej_neg(&gej_quad, &gej_quad);
2292  CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2293  }
2294 }
2295 
2296 void run_group_decompress(void) {
2297  int i;
2298  for (i = 0; i < count * 4; i++) {
2299  secp256k1_fe fe;
2300  random_fe_test(&fe);
2301  test_group_decompress(&fe);
2302  }
2303 }
2304 
2305 /***** ECMULT TESTS *****/
2306 
2307 void run_ecmult_chain(void) {
2308  /* random starting point A (on the curve) */
2309  secp256k1_gej a = SECP256K1_GEJ_CONST(
2310  0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2311  0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2312  0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2313  0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2314  );
2315  /* two random initial factors xn and gn */
2316  secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2317  0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2318  0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2319  );
2320  secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
2321  0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2322  0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2323  );
2324  /* two small multipliers to be applied to xn and gn in every iteration: */
2325  static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2326  static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
2327  /* accumulators with the resulting coefficients to A and G */
2328  secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2329  secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2330  /* actual points */
2331  secp256k1_gej x;
2332  secp256k1_gej x2;
2333  int i;
2334 
2335  /* the point being computed */
2336  x = a;
2337  for (i = 0; i < 200*count; i++) {
2338  /* in each iteration, compute X = xn*X + gn*G; */
2339  secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
2340  /* also compute ae and ge: the actual accumulated factors for A and G */
2341  /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
2342  secp256k1_scalar_mul(&ae, &ae, &xn);
2343  secp256k1_scalar_mul(&ge, &ge, &xn);
2344  secp256k1_scalar_add(&ge, &ge, &gn);
2345  /* modify xn and gn */
2346  secp256k1_scalar_mul(&xn, &xn, &xf);
2347  secp256k1_scalar_mul(&gn, &gn, &gf);
2348 
2349  /* verify */
2350  if (i == 19999) {
2351  /* expected result after 19999 iterations */
2352  secp256k1_gej rp = SECP256K1_GEJ_CONST(
2353  0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2354  0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2355  0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2356  0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2357  );
2358 
2359  secp256k1_gej_neg(&rp, &rp);
2360  secp256k1_gej_add_var(&rp, &rp, &x, NULL);
2361  CHECK(secp256k1_gej_is_infinity(&rp));
2362  }
2363  }
2364  /* redo the computation, but directly with the resulting ae and ge coefficients: */
2365  secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
2366  secp256k1_gej_neg(&x2, &x2);
2367  secp256k1_gej_add_var(&x2, &x2, &x, NULL);
2368  CHECK(secp256k1_gej_is_infinity(&x2));
2369 }
2370 
2371 void test_point_times_order(const secp256k1_gej *point) {
2372  /* X * (point + G) + (order-X) * (pointer + G) = 0 */
2373  secp256k1_scalar x;
2374  secp256k1_scalar nx;
2375  secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2376  secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2377  secp256k1_gej res1, res2;
2378  secp256k1_ge res3;
2379  unsigned char pub[65];
2380  size_t psize = 65;
2381  random_scalar_order_test(&x);
2382  secp256k1_scalar_negate(&nx, &x);
2383  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2384  secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
2385  secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
2386  CHECK(secp256k1_gej_is_infinity(&res1));
2387  CHECK(secp256k1_gej_is_valid_var(&res1) == 0);
2388  secp256k1_ge_set_gej(&res3, &res1);
2389  CHECK(secp256k1_ge_is_infinity(&res3));
2390  CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
2391  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
2392  psize = 65;
2393  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
2394  /* check zero/one edge cases */
2395  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2396  secp256k1_ge_set_gej(&res3, &res1);
2397  CHECK(secp256k1_ge_is_infinity(&res3));
2398  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2399  secp256k1_ge_set_gej(&res3, &res1);
2400  ge_equals_gej(&res3, point);
2401  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2402  secp256k1_ge_set_gej(&res3, &res1);
2403  ge_equals_ge(&res3, &secp256k1_ge_const_g);
2404 }
2405 
2406 void run_point_times_order(void) {
2407  int i;
2408  secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2409  static const secp256k1_fe xr = SECP256K1_FE_CONST(
2410  0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2411  0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2412  );
2413  for (i = 0; i < 500; i++) {
2414  secp256k1_ge p;
2415  if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
2416  secp256k1_gej j;
2417  CHECK(secp256k1_ge_is_valid_var(&p));
2418  secp256k1_gej_set_ge(&j, &p);
2419  CHECK(secp256k1_gej_is_valid_var(&j));
2420  test_point_times_order(&j);
2421  }
2422  secp256k1_fe_sqr(&x, &x);
2423  }
2424  secp256k1_fe_normalize_var(&x);
2425  CHECK(secp256k1_fe_equal_var(&x, &xr));
2426 }
2427 
2428 void ecmult_const_random_mult(void) {
2429  /* random starting point A (on the curve) */
2430  secp256k1_ge a = SECP256K1_GE_CONST(
2431  0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2432  0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2433  0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2434  0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2435  );
2436  /* random initial factor xn */
2437  secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2438  0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2439  0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2440  );
2441  /* expected xn * A (from sage) */
2442  secp256k1_ge expected_b = SECP256K1_GE_CONST(
2443  0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2444  0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2445  0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2446  0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2447  );
2448  secp256k1_gej b;
2449  secp256k1_ecmult_const(&b, &a, &xn, 256);
2450 
2451  CHECK(secp256k1_ge_is_valid_var(&a));
2452  ge_equals_gej(&expected_b, &b);
2453 }
2454 
2455 void ecmult_const_commutativity(void) {
2456  secp256k1_scalar a;
2457  secp256k1_scalar b;
2458  secp256k1_gej res1;
2459  secp256k1_gej res2;
2460  secp256k1_ge mid1;
2461  secp256k1_ge mid2;
2462  random_scalar_order_test(&a);
2463  random_scalar_order_test(&b);
2464 
2465  secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
2466  secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
2467  secp256k1_ge_set_gej(&mid1, &res1);
2468  secp256k1_ge_set_gej(&mid2, &res2);
2469  secp256k1_ecmult_const(&res1, &mid1, &b, 256);
2470  secp256k1_ecmult_const(&res2, &mid2, &a, 256);
2471  secp256k1_ge_set_gej(&mid1, &res1);
2472  secp256k1_ge_set_gej(&mid2, &res2);
2473  ge_equals_ge(&mid1, &mid2);
2474 }
2475 
2476 void ecmult_const_mult_zero_one(void) {
2477  secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2478  secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2479  secp256k1_scalar negone;
2480  secp256k1_gej res1;
2481  secp256k1_ge res2;
2482  secp256k1_ge point;
2483  secp256k1_scalar_negate(&negone, &one);
2484 
2485  random_group_element_test(&point);
2486  secp256k1_ecmult_const(&res1, &point, &zero, 3);
2487  secp256k1_ge_set_gej(&res2, &res1);
2488  CHECK(secp256k1_ge_is_infinity(&res2));
2489  secp256k1_ecmult_const(&res1, &point, &one, 2);
2490  secp256k1_ge_set_gej(&res2, &res1);
2491  ge_equals_ge(&res2, &point);
2492  secp256k1_ecmult_const(&res1, &point, &negone, 256);
2493  secp256k1_gej_neg(&res1, &res1);
2494  secp256k1_ge_set_gej(&res2, &res1);
2495  ge_equals_ge(&res2, &point);
2496 }
2497 
2498 void ecmult_const_chain_multiply(void) {
2499  /* Check known result (randomly generated test problem from sage) */
2500  const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
2501  0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2502  0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2503  );
2504  const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
2505  0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2506  0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2507  0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2508  0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2509  );
2510  secp256k1_gej point;
2511  secp256k1_ge res;
2512  int i;
2513 
2514  secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2515  for (i = 0; i < 100; ++i) {
2516  secp256k1_ge tmp;
2517  secp256k1_ge_set_gej(&tmp, &point);
2518  secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
2519  }
2520  secp256k1_ge_set_gej(&res, &point);
2521  ge_equals_gej(&res, &expected_point);
2522 }
2523 
2524 void run_ecmult_const_tests(void) {
2525  ecmult_const_mult_zero_one();
2526  ecmult_const_random_mult();
2527  ecmult_const_commutativity();
2528  ecmult_const_chain_multiply();
2529 }
2530 
2531 typedef struct {
2532  secp256k1_scalar *sc;
2533  secp256k1_ge *pt;
2534 } ecmult_multi_data;
2535 
2536 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2537  ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
2538  *sc = data->sc[idx];
2539  *pt = data->pt[idx];
2540  return 1;
2541 }
2542 
2543 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2544  (void)sc;
2545  (void)pt;
2546  (void)idx;
2547  (void)cbdata;
2548  return 0;
2549 }
2550 
2551 void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
2552  int ncount;
2553  secp256k1_scalar szero;
2554  secp256k1_scalar sc[32];
2555  secp256k1_ge pt[32];
2556  secp256k1_gej r;
2557  secp256k1_gej r2;
2558  ecmult_multi_data data;
2559  secp256k1_scratch *scratch_empty;
2560 
2561  data.sc = sc;
2562  data.pt = pt;
2563  secp256k1_scalar_set_int(&szero, 0);
2564 
2565  /* No points to multiply */
2566  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
2567 
2568  /* Check 1- and 2-point multiplies against ecmult */
2569  for (ncount = 0; ncount < count; ncount++) {
2570  secp256k1_ge ptg;
2571  secp256k1_gej ptgj;
2572  random_scalar_order(&sc[0]);
2573  random_scalar_order(&sc[1]);
2574 
2575  random_group_element_test(&ptg);
2576  secp256k1_gej_set_ge(&ptgj, &ptg);
2577  pt[0] = ptg;
2578  pt[1] = secp256k1_ge_const_g;
2579 
2580  /* only G scalar */
2581  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
2582  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
2583  secp256k1_gej_neg(&r2, &r2);
2584  secp256k1_gej_add_var(&r, &r, &r2, NULL);
2585  CHECK(secp256k1_gej_is_infinity(&r));
2586 
2587  /* 1-point */
2588  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
2589  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
2590  secp256k1_gej_neg(&r2, &r2);
2591  secp256k1_gej_add_var(&r, &r, &r2, NULL);
2592  CHECK(secp256k1_gej_is_infinity(&r));
2593 
2594  /* Try to multiply 1 point, but scratch space is empty */
2595  scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
2596  CHECK(!ecmult_multi(&ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
2597  secp256k1_scratch_destroy(scratch_empty);
2598 
2599  /* Try to multiply 1 point, but callback returns false */
2600  CHECK(!ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
2601 
2602  /* 2-point */
2603  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2604  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
2605  secp256k1_gej_neg(&r2, &r2);
2606  secp256k1_gej_add_var(&r, &r, &r2, NULL);
2607  CHECK(secp256k1_gej_is_infinity(&r));
2608 
2609  /* 2-point with G scalar */
2610  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2611  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
2612  secp256k1_gej_neg(&r2, &r2);
2613  secp256k1_gej_add_var(&r, &r, &r2, NULL);
2614  CHECK(secp256k1_gej_is_infinity(&r));
2615  }
2616 
2617  /* Check infinite outputs of various forms */
2618  for (ncount = 0; ncount < count; ncount++) {
2619  secp256k1_ge ptg;
2620  size_t i, j;
2621  size_t sizes[] = { 2, 10, 32 };
2622 
2623  for (j = 0; j < 3; j++) {
2624  for (i = 0; i < 32; i++) {
2625  random_scalar_order(&sc[i]);
2626  secp256k1_ge_set_infinity(&pt[i]);
2627  }
2628  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2629  CHECK(secp256k1_gej_is_infinity(&r));
2630  }
2631 
2632  for (j = 0; j < 3; j++) {
2633  for (i = 0; i < 32; i++) {
2634  random_group_element_test(&ptg);
2635  pt[i] = ptg;
2636  secp256k1_scalar_set_int(&sc[i], 0);
2637  }
2638  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2639  CHECK(secp256k1_gej_is_infinity(&r));
2640  }
2641 
2642  for (j = 0; j < 3; j++) {
2643  random_group_element_test(&ptg);
2644  for (i = 0; i < 16; i++) {
2645  random_scalar_order(&sc[2*i]);
2646  secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
2647  pt[2 * i] = ptg;
2648  pt[2 * i + 1] = ptg;
2649  }
2650 
2651  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2652  CHECK(secp256k1_gej_is_infinity(&r));
2653 
2654  random_scalar_order(&sc[0]);
2655  for (i = 0; i < 16; i++) {
2656  random_group_element_test(&ptg);
2657 
2658  sc[2*i] = sc[0];
2659  sc[2*i+1] = sc[0];
2660  pt[2 * i] = ptg;
2661  secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
2662  }
2663 
2664  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2665  CHECK(secp256k1_gej_is_infinity(&r));
2666  }
2667 
2668  random_group_element_test(&ptg);
2669  secp256k1_scalar_set_int(&sc[0], 0);
2670  pt[0] = ptg;
2671  for (i = 1; i < 32; i++) {
2672  pt[i] = ptg;
2673 
2674  random_scalar_order(&sc[i]);
2675  secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
2676  secp256k1_scalar_negate(&sc[i], &sc[i]);
2677  }
2678 
2679  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
2680  CHECK(secp256k1_gej_is_infinity(&r));
2681  }
2682 
2683  /* Check random points, constant scalar */
2684  for (ncount = 0; ncount < count; ncount++) {
2685  size_t i;
2686  secp256k1_gej_set_infinity(&r);
2687 
2688  random_scalar_order(&sc[0]);
2689  for (i = 0; i < 20; i++) {
2690  secp256k1_ge ptg;
2691  sc[i] = sc[0];
2692  random_group_element_test(&ptg);
2693  pt[i] = ptg;
2694  secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
2695  }
2696 
2697  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
2698  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2699  secp256k1_gej_neg(&r2, &r2);
2700  secp256k1_gej_add_var(&r, &r, &r2, NULL);
2701  CHECK(secp256k1_gej_is_infinity(&r));
2702  }
2703 
2704  /* Check random scalars, constant point */
2705  for (ncount = 0; ncount < count; ncount++) {
2706  size_t i;
2707  secp256k1_ge ptg;
2708  secp256k1_gej p0j;
2709  secp256k1_scalar rs;
2710  secp256k1_scalar_set_int(&rs, 0);
2711 
2712  random_group_element_test(&ptg);
2713  for (i = 0; i < 20; i++) {
2714  random_scalar_order(&sc[i]);
2715  pt[i] = ptg;
2716  secp256k1_scalar_add(&rs, &rs, &sc[i]);
2717  }
2718 
2719  secp256k1_gej_set_ge(&p0j, &pt[0]);
2720  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
2721  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2722  secp256k1_gej_neg(&r2, &r2);
2723  secp256k1_gej_add_var(&r, &r, &r2, NULL);
2724  CHECK(secp256k1_gej_is_infinity(&r));
2725  }
2726 
2727  /* Sanity check that zero scalars don't cause problems */
2728  for (ncount = 0; ncount < 20; ncount++) {
2729  random_scalar_order(&sc[ncount]);
2730  random_group_element_test(&pt[ncount]);
2731  }
2732 
2733  secp256k1_scalar_clear(&sc[0]);
2734  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2735  secp256k1_scalar_clear(&sc[1]);
2736  secp256k1_scalar_clear(&sc[2]);
2737  secp256k1_scalar_clear(&sc[3]);
2738  secp256k1_scalar_clear(&sc[4]);
2739  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
2740  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
2741  CHECK(secp256k1_gej_is_infinity(&r));
2742 
2743  /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
2744  {
2745  const size_t TOP = 8;
2746  size_t s0i, s1i;
2747  size_t t0i, t1i;
2748  secp256k1_ge ptg;
2749  secp256k1_gej ptgj;
2750 
2751  random_group_element_test(&ptg);
2752  secp256k1_gej_set_ge(&ptgj, &ptg);
2753 
2754  for(t0i = 0; t0i < TOP; t0i++) {
2755  for(t1i = 0; t1i < TOP; t1i++) {
2756  secp256k1_gej t0p, t1p;
2757  secp256k1_scalar t0, t1;
2758 
2759  secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
2760  secp256k1_scalar_cond_negate(&t0, t0i & 1);
2761  secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
2762  secp256k1_scalar_cond_negate(&t1, t1i & 1);
2763 
2764  secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
2765  secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
2766 
2767  for(s0i = 0; s0i < TOP; s0i++) {
2768  for(s1i = 0; s1i < TOP; s1i++) {
2769  secp256k1_scalar tmp1, tmp2;
2770  secp256k1_gej expected, actual;
2771 
2772  secp256k1_ge_set_gej(&pt[0], &t0p);
2773  secp256k1_ge_set_gej(&pt[1], &t1p);
2774 
2775  secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
2776  secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
2777  secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
2778  secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
2779 
2780  secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
2781  secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
2782  secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
2783 
2784  secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
2785  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
2786  secp256k1_gej_neg(&expected, &expected);
2787  secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
2788  CHECK(secp256k1_gej_is_infinity(&actual));
2789  }
2790  }
2791  }
2792  }
2793  }
2794 }
2795 
2796 void test_secp256k1_pippenger_bucket_window_inv(void) {
2797  int i;
2798 
2799  CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
2800  for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
2801 #ifdef USE_ENDOMORPHISM
2802  /* Bucket_window of 8 is not used with endo */
2803  if (i == 8) {
2804  continue;
2805  }
2806 #endif
2807  CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
2808  if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
2809  CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
2810  }
2811  }
2812 }
2813 
2818 void test_ecmult_multi_pippenger_max_points(void) {
2819  size_t scratch_size = secp256k1_rand_int(256);
2820  size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
2821  secp256k1_scratch *scratch;
2822  size_t n_points_supported;
2823  int bucket_window = 0;
2824 
2825  for(; scratch_size < max_size; scratch_size+=256) {
2826  scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
2827  CHECK(scratch != NULL);
2828  n_points_supported = secp256k1_pippenger_max_points(scratch);
2829  if (n_points_supported == 0) {
2830  secp256k1_scratch_destroy(scratch);
2831  continue;
2832  }
2833  bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
2834  CHECK(secp256k1_scratch_allocate_frame(scratch, secp256k1_pippenger_scratch_size(n_points_supported, bucket_window), PIPPENGER_SCRATCH_OBJECTS));
2835  secp256k1_scratch_deallocate_frame(scratch);
2836  secp256k1_scratch_destroy(scratch);
2837  }
2838  CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
2839 }
2840 
2845 void test_ecmult_multi_batching(void) {
2846  static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
2847  secp256k1_scalar scG;
2848  secp256k1_scalar szero;
2849  secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
2850  secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
2851  secp256k1_gej r;
2852  secp256k1_gej r2;
2853  ecmult_multi_data data;
2854  int i;
2855  secp256k1_scratch *scratch;
2856 
2857  secp256k1_gej_set_infinity(&r2);
2858  secp256k1_scalar_set_int(&szero, 0);
2859 
2860  /* Get random scalars and group elements and compute result */
2861  random_scalar_order(&scG);
2862  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
2863  for(i = 0; i < n_points; i++) {
2864  secp256k1_ge ptg;
2865  secp256k1_gej ptgj;
2866  random_group_element_test(&ptg);
2867  secp256k1_gej_set_ge(&ptgj, &ptg);
2868  pt[i] = ptg;
2869  random_scalar_order(&sc[i]);
2870  secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
2871  secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
2872  }
2873  data.sc = sc;
2874  data.pt = pt;
2875 
2876  /* Test with empty scratch space */
2877  scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
2878  CHECK(!secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, 1));
2879  secp256k1_scratch_destroy(scratch);
2880 
2881  /* Test with space for 1 point in pippenger. That's not enough because
2882  * ecmult_multi selects strauss which requires more memory. */
2883  scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
2884  CHECK(!secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, 1));
2885  secp256k1_scratch_destroy(scratch);
2886 
2887  secp256k1_gej_neg(&r2, &r2);
2888  for(i = 1; i <= n_points; i++) {
2889  if (i > ECMULT_PIPPENGER_THRESHOLD) {
2890  int bucket_window = secp256k1_pippenger_bucket_window(i);
2891  size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
2892  scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
2893  } else {
2894  size_t scratch_size = secp256k1_strauss_scratch_size(i);
2895  scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
2896  }
2897  CHECK(secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
2898  secp256k1_gej_add_var(&r, &r, &r2, NULL);
2899  CHECK(secp256k1_gej_is_infinity(&r));
2900  secp256k1_scratch_destroy(scratch);
2901  }
2902  free(sc);
2903  free(pt);
2904 }
2905 
2906 void run_ecmult_multi_tests(void) {
2907  secp256k1_scratch *scratch;
2908 
2909  test_secp256k1_pippenger_bucket_window_inv();
2910  test_ecmult_multi_pippenger_max_points();
2911  scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
2912  test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
2913  test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
2914  test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
2915  secp256k1_scratch_destroy(scratch);
2916 
2917  /* Run test_ecmult_multi with space for exactly one point */
2918  scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
2919  test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
2920  secp256k1_scratch_destroy(scratch);
2921 
2922  test_ecmult_multi_batching();
2923 }
2924 
2925 void test_wnaf(const secp256k1_scalar *number, int w) {
2926  secp256k1_scalar x, two, t;
2927  int wnaf[256];
2928  int zeroes = -1;
2929  int i;
2930  int bits;
2931  secp256k1_scalar_set_int(&x, 0);
2932  secp256k1_scalar_set_int(&two, 2);
2933  bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
2934  CHECK(bits <= 256);
2935  for (i = bits-1; i >= 0; i--) {
2936  int v = wnaf[i];
2937  secp256k1_scalar_mul(&x, &x, &two);
2938  if (v) {
2939  CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
2940  zeroes=0;
2941  CHECK((v & 1) == 1); /* check non-zero elements are odd */
2942  CHECK(v <= (1 << (w-1)) - 1); /* check range below */
2943  CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
2944  } else {
2945  CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
2946  zeroes++;
2947  }
2948  if (v >= 0) {
2949  secp256k1_scalar_set_int(&t, v);
2950  } else {
2951  secp256k1_scalar_set_int(&t, -v);
2952  secp256k1_scalar_negate(&t, &t);
2953  }
2954  secp256k1_scalar_add(&x, &x, &t);
2955  }
2956  CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
2957 }
2958 
2959 void test_constant_wnaf_negate(const secp256k1_scalar *number) {
2960  secp256k1_scalar neg1 = *number;
2961  secp256k1_scalar neg2 = *number;
2962  int sign1 = 1;
2963  int sign2 = 1;
2964 
2965  if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
2966  secp256k1_scalar_negate(&neg1, &neg1);
2967  sign1 = -1;
2968  }
2969  sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
2970  CHECK(sign1 == sign2);
2971  CHECK(secp256k1_scalar_eq(&neg1, &neg2));
2972 }
2973 
2974 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
2975  secp256k1_scalar x, shift;
2976  int wnaf[256] = {0};
2977  int i;
2978  int skew;
2979  int bits = 256;
2980  secp256k1_scalar num = *number;
2981 
2982  secp256k1_scalar_set_int(&x, 0);
2983  secp256k1_scalar_set_int(&shift, 1 << w);
2984  /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
2985 #ifdef USE_ENDOMORPHISM
2986  for (i = 0; i < 16; ++i) {
2987  secp256k1_scalar_shr_int(&num, 8);
2988  }
2989  bits = 128;
2990 #endif
2991  skew = secp256k1_wnaf_const(wnaf, num, w, bits);
2992 
2993  for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
2994  secp256k1_scalar t;
2995  int v = wnaf[i];
2996  CHECK(v != 0); /* check nonzero */
2997  CHECK(v & 1); /* check parity */
2998  CHECK(v > -(1 << w)); /* check range above */
2999  CHECK(v < (1 << w)); /* check range below */
3000 
3001  secp256k1_scalar_mul(&x, &x, &shift);
3002  if (v >= 0) {
3003  secp256k1_scalar_set_int(&t, v);
3004  } else {
3005  secp256k1_scalar_set_int(&t, -v);
3006  secp256k1_scalar_negate(&t, &t);
3007  }
3008  secp256k1_scalar_add(&x, &x, &t);
3009  }
3010  /* Skew num because when encoding numbers as odd we use an offset */
3011  secp256k1_scalar_cadd_bit(&num, skew == 2, 1);
3012  CHECK(secp256k1_scalar_eq(&x, &num));
3013 }
3014 
3015 void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
3016  secp256k1_scalar x, shift;
3017  int wnaf[256] = {0};
3018  int i;
3019  int skew;
3020  secp256k1_scalar num = *number;
3021 
3022  secp256k1_scalar_set_int(&x, 0);
3023  secp256k1_scalar_set_int(&shift, 1 << w);
3024  /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3025 #ifdef USE_ENDOMORPHISM
3026  for (i = 0; i < 16; ++i) {
3027  secp256k1_scalar_shr_int(&num, 8);
3028  }
3029 #endif
3030  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3031 
3032  for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3033  secp256k1_scalar t;
3034  int v = wnaf[i];
3035  CHECK(v == 0 || v & 1); /* check parity */
3036  CHECK(v > -(1 << w)); /* check range above */
3037  CHECK(v < (1 << w)); /* check range below */
3038 
3039  secp256k1_scalar_mul(&x, &x, &shift);
3040  if (v >= 0) {
3041  secp256k1_scalar_set_int(&t, v);
3042  } else {
3043  secp256k1_scalar_set_int(&t, -v);
3044  secp256k1_scalar_negate(&t, &t);
3045  }
3046  secp256k1_scalar_add(&x, &x, &t);
3047  }
3048  /* If skew is 1 then add 1 to num */
3049  secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
3050  CHECK(secp256k1_scalar_eq(&x, &num));
3051 }
3052 
3053 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
3054  * rest is 0.*/
3055 void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
3056  int i;
3057  for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
3058  CHECK(wnaf[i] == 0);
3059  }
3060  for (i = 7; i >= 0; --i) {
3061  CHECK(wnaf[i] == wnaf_expected[i]);
3062  }
3063 }
3064 
3065 void test_fixed_wnaf_small(void) {
3066  int w = 4;
3067  int wnaf[256] = {0};
3068  int i;
3069  int skew;
3070  secp256k1_scalar num;
3071 
3072  secp256k1_scalar_set_int(&num, 0);
3073  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3074  for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3075  int v = wnaf[i];
3076  CHECK(v == 0);
3077  }
3078  CHECK(skew == 0);
3079 
3080  secp256k1_scalar_set_int(&num, 1);
3081  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3082  for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
3083  int v = wnaf[i];
3084  CHECK(v == 0);
3085  }
3086  CHECK(wnaf[0] == 1);
3087  CHECK(skew == 0);
3088 
3089  {
3090  int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
3091  secp256k1_scalar_set_int(&num, 0xffffffff);
3092  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3093  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3094  CHECK(skew == 0);
3095  }
3096  {
3097  int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
3098  secp256k1_scalar_set_int(&num, 0xeeeeeeee);
3099  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3100  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3101  CHECK(skew == 1);
3102  }
3103  {
3104  int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
3105  secp256k1_scalar_set_int(&num, 0x01010101);
3106  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3107  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3108  CHECK(skew == 0);
3109  }
3110  {
3111  int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
3112  secp256k1_scalar_set_int(&num, 0x01ef1ef1);
3113  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3114  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3115  CHECK(skew == 0);
3116  }
3117 }
3118 
3119 void run_wnaf(void) {
3120  int i;
3121  secp256k1_scalar n = {{0}};
3122 
3123  /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
3124  * have easier-to-diagnose failure modes */
3125  n.d[0] = 1;
3126  test_constant_wnaf(&n, 4);
3127  n.d[0] = 2;
3128  test_constant_wnaf(&n, 4);
3129  /* Test 0 */
3130  test_fixed_wnaf_small();
3131  /* Random tests */
3132  for (i = 0; i < count; i++) {
3133  random_scalar_order(&n);
3134  test_wnaf(&n, 4+(i%10));
3135  test_constant_wnaf_negate(&n);
3136  test_constant_wnaf(&n, 4 + (i % 10));
3137  test_fixed_wnaf(&n, 4 + (i % 10));
3138  }
3139  secp256k1_scalar_set_int(&n, 0);
3140  CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
3141  CHECK(secp256k1_scalar_is_zero(&n));
3142  CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
3143  CHECK(secp256k1_scalar_is_zero(&n));
3144 }
3145 
3146 void test_ecmult_constants(void) {
3147  /* Test ecmult_gen() for [0..36) and [order-36..0). */
3148  secp256k1_scalar x;
3149  secp256k1_gej r;
3150  secp256k1_ge ng;
3151  int i;
3152  int j;
3153  secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
3154  for (i = 0; i < 36; i++ ) {
3155  secp256k1_scalar_set_int(&x, i);
3156  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3157  for (j = 0; j < i; j++) {
3158  if (j == i - 1) {
3159  ge_equals_gej(&secp256k1_ge_const_g, &r);
3160  }
3161  secp256k1_gej_add_ge(&r, &r, &ng);
3162  }
3163  CHECK(secp256k1_gej_is_infinity(&r));
3164  }
3165  for (i = 1; i <= 36; i++ ) {
3166  secp256k1_scalar_set_int(&x, i);
3167  secp256k1_scalar_negate(&x, &x);
3168  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3169  for (j = 0; j < i; j++) {
3170  if (j == i - 1) {
3171  ge_equals_gej(&ng, &r);
3172  }
3173  secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
3174  }
3175  CHECK(secp256k1_gej_is_infinity(&r));
3176  }
3177 }
3178 
3179 void run_ecmult_constants(void) {
3180  test_ecmult_constants();
3181 }
3182 
3183 void test_ecmult_gen_blind(void) {
3184  /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
3185  secp256k1_scalar key;
3186  secp256k1_scalar b;
3187  unsigned char seed32[32];
3188  secp256k1_gej pgej;
3189  secp256k1_gej pgej2;
3190  secp256k1_gej i;
3191  secp256k1_ge pge;
3192  random_scalar_order_test(&key);
3193  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
3194  secp256k1_rand256(seed32);
3195  b = ctx->ecmult_gen_ctx.blind;
3196  i = ctx->ecmult_gen_ctx.initial;
3197  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
3198  CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3199  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
3200  CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
3201  CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
3202  secp256k1_ge_set_gej(&pge, &pgej);
3203  ge_equals_gej(&pge, &pgej2);
3204 }
3205 
3206 void test_ecmult_gen_blind_reset(void) {
3207  /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
3208  secp256k1_scalar b;
3209  secp256k1_gej initial;
3210  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3211  b = ctx->ecmult_gen_ctx.blind;
3212  initial = ctx->ecmult_gen_ctx.initial;
3213  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3214  CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3215  CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
3216 }
3217 
3218 void run_ecmult_gen_blind(void) {
3219  int i;
3220  test_ecmult_gen_blind_reset();
3221  for (i = 0; i < 10; i++) {
3222  test_ecmult_gen_blind();
3223  }
3224 }
3225 
3226 #ifdef USE_ENDOMORPHISM
3227 /***** ENDOMORPHISH TESTS *****/
3228 void test_scalar_split(void) {
3229  secp256k1_scalar full;
3230  secp256k1_scalar s1, slam;
3231  const unsigned char zero[32] = {0};
3232  unsigned char tmp[32];
3233 
3234  random_scalar_order_test(&full);
3235  secp256k1_scalar_split_lambda(&s1, &slam, &full);
3236 
3237  /* check that both are <= 128 bits in size */
3238  if (secp256k1_scalar_is_high(&s1)) {
3239  secp256k1_scalar_negate(&s1, &s1);
3240  }
3241  if (secp256k1_scalar_is_high(&slam)) {
3242  secp256k1_scalar_negate(&slam, &slam);
3243  }
3244 
3245  secp256k1_scalar_get_b32(tmp, &s1);
3246  CHECK(memcmp(zero, tmp, 16) == 0);
3247  secp256k1_scalar_get_b32(tmp, &slam);
3248  CHECK(memcmp(zero, tmp, 16) == 0);
3249 }
3250 
3251 void run_endomorphism_tests(void) {
3252  test_scalar_split();
3253 }
3254 #endif
3255 
3256 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
3257  unsigned char pubkeyc[65];
3258  secp256k1_pubkey pubkey;
3259  secp256k1_ge ge;
3260  size_t pubkeyclen;
3261  int32_t ecount;
3262  ecount = 0;
3263  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3264  for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
3265  /* Smaller sizes are tested exhaustively elsewhere. */
3266  int32_t i;
3267  memcpy(&pubkeyc[1], input, 64);
3268  VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
3269  for (i = 0; i < 256; i++) {
3270  /* Try all type bytes. */
3271  int xpass;
3272  int ypass;
3273  int ysign;
3274  pubkeyc[0] = i;
3275  /* What sign does this point have? */
3276  ysign = (input[63] & 1) + 2;
3277  /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
3278  xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
3279  /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
3280  ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
3281  ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
3282  if (xpass || ypass) {
3283  /* These cases must parse. */
3284  unsigned char pubkeyo[65];
3285  size_t outl;
3286  memset(&pubkey, 0, sizeof(pubkey));
3287  VG_UNDEF(&pubkey, sizeof(pubkey));
3288  ecount = 0;
3289  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3290  VG_CHECK(&pubkey, sizeof(pubkey));
3291  outl = 65;
3292  VG_UNDEF(pubkeyo, 65);
3293  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3294  VG_CHECK(pubkeyo, outl);
3295  CHECK(outl == 33);
3296  CHECK(memcmp(&pubkeyo[1], &pubkeyc[1], 32) == 0);
3297  CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
3298  if (ypass) {
3299  /* This test isn't always done because we decode with alternative signs, so the y won't match. */
3300  CHECK(pubkeyo[0] == ysign);
3301  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3302  memset(&pubkey, 0, sizeof(pubkey));
3303  VG_UNDEF(&pubkey, sizeof(pubkey));
3304  secp256k1_pubkey_save(&pubkey, &ge);
3305  VG_CHECK(&pubkey, sizeof(pubkey));
3306  outl = 65;
3307  VG_UNDEF(pubkeyo, 65);
3308  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3309  VG_CHECK(pubkeyo, outl);
3310  CHECK(outl == 65);
3311  CHECK(pubkeyo[0] == 4);
3312  CHECK(memcmp(&pubkeyo[1], input, 64) == 0);
3313  }
3314  CHECK(ecount == 0);
3315  } else {
3316  /* These cases must fail to parse. */
3317  memset(&pubkey, 0xfe, sizeof(pubkey));
3318  ecount = 0;
3319  VG_UNDEF(&pubkey, sizeof(pubkey));
3320  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
3321  VG_CHECK(&pubkey, sizeof(pubkey));
3322  CHECK(ecount == 0);
3323  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3324  CHECK(ecount == 1);
3325  }
3326  }
3327  }
3328  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3329 }
3330 
3331 void run_ec_pubkey_parse_test(void) {
3332 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
3333  const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
3334  {
3335  /* Point with leading and trailing zeros in x and y serialization. */
3336  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
3337  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3338  0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
3339  0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
3340  },
3341  {
3342  /* Point with x equal to a 3rd root of unity.*/
3343  0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
3344  0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
3345  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3346  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3347  },
3348  {
3349  /* Point with largest x. (1/2) */
3350  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3351  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3352  0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
3353  0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
3354  },
3355  {
3356  /* Point with largest x. (2/2) */
3357  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3358  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3359  0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
3360  0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
3361  },
3362  {
3363  /* Point with smallest x. (1/2) */
3364  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3365  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3366  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3367  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3368  },
3369  {
3370  /* Point with smallest x. (2/2) */
3371  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3372  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3373  0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3374  0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3375  },
3376  {
3377  /* Point with largest y. (1/3) */
3378  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3379  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3380  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3381  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3382  },
3383  {
3384  /* Point with largest y. (2/3) */
3385  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3386  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3387  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3388  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3389  },
3390  {
3391  /* Point with largest y. (3/3) */
3392  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3393  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3394  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3395  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3396  },
3397  {
3398  /* Point with smallest y. (1/3) */
3399  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3400  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3401  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3402  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3403  },
3404  {
3405  /* Point with smallest y. (2/3) */
3406  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3407  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3408  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3409  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3410  },
3411  {
3412  /* Point with smallest y. (3/3) */
3413  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3414  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3415  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3416  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
3417  }
3418  };
3419 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
3420  const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
3421  {
3422  /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
3423  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3424  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3425  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3426  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3427  },
3428  {
3429  /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
3430  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3431  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3432  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3433  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3434  },
3435  {
3436  /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
3437  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3438  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3439  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3440  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3441  },
3442  {
3443  /* x on curve, y is from y^2 = x^3 + 8. */
3444  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3445  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3446  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3447  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
3448  }
3449  };
3450 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
3451  const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
3452  {
3453  /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
3454  0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
3455  0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
3456  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3457  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3458  },
3459  {
3460  /* Valid if x overflow ignored (x = 1 mod p). */
3461  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3462  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3463  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3464  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3465  },
3466  {
3467  /* Valid if x overflow ignored (x = 1 mod p). */
3468  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3469  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3470  0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3471  0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3472  },
3473  {
3474  /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3475  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3476  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3477  0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
3478  0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
3479  },
3480  {
3481  /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3482  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3483  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3484  0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
3485  0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
3486  },
3487  {
3488  /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3489  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3490  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3491  0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
3492  0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
3493  },
3494  {
3495  /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3496  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3497  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3498  0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
3499  0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
3500  }
3501  };
3502  const unsigned char pubkeyc[66] = {
3503  /* Serialization of G. */
3504  0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
3505  0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
3506  0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
3507  0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
3508  0xB8, 0x00
3509  };
3510  unsigned char sout[65];
3511  unsigned char shortkey[2];
3512  secp256k1_ge ge;
3513  secp256k1_pubkey pubkey;
3514  size_t len;
3515  int32_t i;
3516  int32_t ecount;
3517  int32_t ecount2;
3518  ecount = 0;
3519  /* Nothing should be reading this far into pubkeyc. */
3520  VG_UNDEF(&pubkeyc[65], 1);
3521  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3522  /* Zero length claimed, fail, zeroize, no illegal arg error. */
3523  memset(&pubkey, 0xfe, sizeof(pubkey));
3524  ecount = 0;
3525  VG_UNDEF(shortkey, 2);
3526  VG_UNDEF(&pubkey, sizeof(pubkey));
3527  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
3528  VG_CHECK(&pubkey, sizeof(pubkey));
3529  CHECK(ecount == 0);
3530  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3531  CHECK(ecount == 1);
3532  /* Length one claimed, fail, zeroize, no illegal arg error. */
3533  for (i = 0; i < 256 ; i++) {
3534  memset(&pubkey, 0xfe, sizeof(pubkey));
3535  ecount = 0;
3536  shortkey[0] = i;
3537  VG_UNDEF(&shortkey[1], 1);
3538  VG_UNDEF(&pubkey, sizeof(pubkey));
3539  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
3540  VG_CHECK(&pubkey, sizeof(pubkey));
3541  CHECK(ecount == 0);
3542  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3543  CHECK(ecount == 1);
3544  }
3545  /* Length two claimed, fail, zeroize, no illegal arg error. */
3546  for (i = 0; i < 65536 ; i++) {
3547  memset(&pubkey, 0xfe, sizeof(pubkey));
3548  ecount = 0;
3549  shortkey[0] = i & 255;
3550  shortkey[1] = i >> 8;
3551  VG_UNDEF(&pubkey, sizeof(pubkey));
3552  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
3553  VG_CHECK(&pubkey, sizeof(pubkey));
3554  CHECK(ecount == 0);
3555  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3556  CHECK(ecount == 1);
3557  }
3558  memset(&pubkey, 0xfe, sizeof(pubkey));
3559  ecount = 0;
3560  VG_UNDEF(&pubkey, sizeof(pubkey));
3561  /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
3562  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
3563  VG_CHECK(&pubkey, sizeof(pubkey));
3564  CHECK(ecount == 0);
3565  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3566  CHECK(ecount == 1);
3567  /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
3568  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
3569  CHECK(ecount == 2);
3570  /* NULL input string. Illegal arg and zeroize output. */
3571  memset(&pubkey, 0xfe, sizeof(pubkey));
3572  ecount = 0;
3573  VG_UNDEF(&pubkey, sizeof(pubkey));
3574  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
3575  VG_CHECK(&pubkey, sizeof(pubkey));
3576  CHECK(ecount == 1);
3577  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3578  CHECK(ecount == 2);
3579  /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
3580  memset(&pubkey, 0xfe, sizeof(pubkey));
3581  ecount = 0;
3582  VG_UNDEF(&pubkey, sizeof(pubkey));
3583  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
3584  VG_CHECK(&pubkey, sizeof(pubkey));
3585  CHECK(ecount == 0);
3586  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3587  CHECK(ecount == 1);
3588  /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
3589  memset(&pubkey, 0xfe, sizeof(pubkey));
3590  ecount = 0;
3591  VG_UNDEF(&pubkey, sizeof(pubkey));
3592  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
3593  VG_CHECK(&pubkey, sizeof(pubkey));
3594  CHECK(ecount == 0);
3595  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3596  CHECK(ecount == 1);
3597  /* Valid parse. */
3598  memset(&pubkey, 0, sizeof(pubkey));
3599  ecount = 0;
3600  VG_UNDEF(&pubkey, sizeof(pubkey));
3601  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
3602  VG_CHECK(&pubkey, sizeof(pubkey));
3603  CHECK(ecount == 0);
3604  VG_UNDEF(&ge, sizeof(ge));
3605  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3606  VG_CHECK(&ge.x, sizeof(ge.x));
3607  VG_CHECK(&ge.y, sizeof(ge.y));
3608  VG_CHECK(&ge.infinity, sizeof(ge.infinity));
3609  ge_equals_ge(&secp256k1_ge_const_g, &ge);
3610  CHECK(ecount == 0);
3611  /* secp256k1_ec_pubkey_serialize illegal args. */
3612  ecount = 0;
3613  len = 65;
3614  CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3615  CHECK(ecount == 1);
3616  CHECK(len == 0);
3617  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3618  CHECK(ecount == 2);
3619  len = 65;
3620  VG_UNDEF(sout, 65);
3621  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
3622  VG_CHECK(sout, 65);
3623  CHECK(ecount == 3);
3624  CHECK(len == 0);
3625  len = 65;
3626  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
3627  CHECK(ecount == 4);
3628  CHECK(len == 0);
3629  len = 65;
3630  VG_UNDEF(sout, 65);
3631  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3632  VG_CHECK(sout, 65);
3633  CHECK(ecount == 4);
3634  CHECK(len == 65);
3635  /* Multiple illegal args. Should still set arg error only once. */
3636  ecount = 0;
3637  ecount2 = 11;
3638  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3639  CHECK(ecount == 1);
3640  /* Does the illegal arg callback actually change the behavior? */
3641  secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
3642  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3643  CHECK(ecount == 1);
3644  CHECK(ecount2 == 10);
3645  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3646  /* Try a bunch of prefabbed points with all possible encodings. */
3647  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
3648  ec_pubkey_parse_pointtest(valid[i], 1, 1);
3649  }
3650  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
3651  ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
3652  }
3653  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
3654  ec_pubkey_parse_pointtest(invalid[i], 0, 0);
3655  }
3656 }
3657 
3658 void run_eckey_edge_case_test(void) {
3659  const unsigned char orderc[32] = {
3660  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3661  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3662  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3663  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
3664  };
3665  const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
3666  unsigned char ctmp[33];
3667  unsigned char ctmp2[33];
3668  secp256k1_pubkey pubkey;
3669  secp256k1_pubkey pubkey2;
3670  secp256k1_pubkey pubkey_one;
3671  secp256k1_pubkey pubkey_negone;
3672  const secp256k1_pubkey *pubkeys[3];
3673  size_t len;
3674  int32_t ecount;
3675  /* Group order is too large, reject. */
3676  CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
3677  VG_UNDEF(&pubkey, sizeof(pubkey));
3678  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
3679  VG_CHECK(&pubkey, sizeof(pubkey));
3680  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3681  /* Maximum value is too large, reject. */
3682  memset(ctmp, 255, 32);
3683  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3684  memset(&pubkey, 1, sizeof(pubkey));
3685  VG_UNDEF(&pubkey, sizeof(pubkey));
3686  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3687  VG_CHECK(&pubkey, sizeof(pubkey));
3688  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3689  /* Zero is too small, reject. */
3690  memset(ctmp, 0, 32);
3691  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3692  memset(&pubkey, 1, sizeof(pubkey));
3693  VG_UNDEF(&pubkey, sizeof(pubkey));
3694  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3695  VG_CHECK(&pubkey, sizeof(pubkey));
3696  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3697  /* One must be accepted. */
3698  ctmp[31] = 0x01;
3699  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3700  memset(&pubkey, 0, sizeof(pubkey));
3701  VG_UNDEF(&pubkey, sizeof(pubkey));
3702  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3703  VG_CHECK(&pubkey, sizeof(pubkey));
3704  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3705  pubkey_one = pubkey;
3706  /* Group order + 1 is too large, reject. */
3707  memcpy(ctmp, orderc, 32);
3708  ctmp[31] = 0x42;
3709  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3710  memset(&pubkey, 1, sizeof(pubkey));
3711  VG_UNDEF(&pubkey, sizeof(pubkey));
3712  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3713  VG_CHECK(&pubkey, sizeof(pubkey));
3714  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3715  /* -1 must be accepted. */
3716  ctmp[31] = 0x40;
3717  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3718  memset(&pubkey, 0, sizeof(pubkey));
3719  VG_UNDEF(&pubkey, sizeof(pubkey));
3720  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3721  VG_CHECK(&pubkey, sizeof(pubkey));
3722  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3723  pubkey_negone = pubkey;
3724  /* Tweak of zero leaves the value unchanged. */
3725  memset(ctmp2, 0, 32);
3726  CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, ctmp2) == 1);
3727  CHECK(memcmp(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
3728  memcpy(&pubkey2, &pubkey, sizeof(pubkey));
3729  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3730  CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3731  /* Multiply tweak of zero zeroizes the output. */
3732  CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, ctmp2) == 0);
3733  CHECK(memcmp(zeros, ctmp, 32) == 0);
3734  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
3735  CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3736  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3737  /* Overflowing key tweak zeroizes. */
3738  memcpy(ctmp, orderc, 32);
3739  ctmp[31] = 0x40;
3740  CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, orderc) == 0);
3741  CHECK(memcmp(zeros, ctmp, 32) == 0);
3742  memcpy(ctmp, orderc, 32);
3743  ctmp[31] = 0x40;
3744  CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, orderc) == 0);
3745  CHECK(memcmp(zeros, ctmp, 32) == 0);
3746  memcpy(ctmp, orderc, 32);
3747  ctmp[31] = 0x40;
3748  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
3749  CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3750  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3751  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
3752  CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3753  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3754  /* Private key tweaks results in a key of zero. */
3755  ctmp2[31] = 1;
3756  CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 0);
3757  CHECK(memcmp(zeros, ctmp2, 32) == 0);
3758  ctmp2[31] = 1;
3759  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3760  CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3761  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3762  /* Tweak computation wraps and results in a key of 1. */
3763  ctmp2[31] = 2;
3764  CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 1);
3765  CHECK(memcmp(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
3766  ctmp2[31] = 2;
3767  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3768  ctmp2[31] = 1;
3769  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
3770  CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3771  /* Tweak mul * 2 = 1+1. */
3772  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3773  ctmp2[31] = 2;
3774  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
3775  CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3776  /* Test argument errors. */
3777  ecount = 0;
3778  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3779  CHECK(ecount == 0);
3780  /* Zeroize pubkey on parse error. */
3781  memset(&pubkey, 0, 32);
3782  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3783  CHECK(ecount == 1);
3784  CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3785  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3786  memset(&pubkey2, 0, 32);
3787  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
3788  CHECK(ecount == 2);
3789  CHECK(memcmp(&pubkey2, zeros, sizeof(pubkey2)) == 0);
3790  /* Plain argument errors. */
3791  ecount = 0;
3792  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3793  CHECK(ecount == 0);
3794  CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
3795  CHECK(ecount == 1);
3796  ecount = 0;
3797  memset(ctmp2, 0, 32);
3798  ctmp2[31] = 4;
3799  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
3800  CHECK(ecount == 1);
3801  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
3802  CHECK(ecount == 2);
3803  ecount = 0;
3804  memset(ctmp2, 0, 32);
3805  ctmp2[31] = 4;
3806  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3807  CHECK(ecount == 1);
3808  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
3809  CHECK(ecount == 2);
3810  ecount = 0;
3811  memset(ctmp2, 0, 32);
3812  CHECK(secp256k1_ec_privkey_tweak_add(ctx, NULL, ctmp2) == 0);
3813  CHECK(ecount == 1);
3814  CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, NULL) == 0);
3815  CHECK(ecount == 2);
3816  ecount = 0;
3817  memset(ctmp2, 0, 32);
3818  ctmp2[31] = 1;
3819  CHECK(secp256k1_ec_privkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3820  CHECK(ecount == 1);
3821  CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, NULL) == 0);
3822  CHECK(ecount == 2);
3823  ecount = 0;
3824  CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
3825  CHECK(ecount == 1);
3826  memset(&pubkey, 1, sizeof(pubkey));
3827  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
3828  CHECK(ecount == 2);
3829  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3830  /* secp256k1_ec_pubkey_combine tests. */
3831  ecount = 0;
3832  pubkeys[0] = &pubkey_one;
3833  VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
3834  VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
3835  VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
3836  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3837  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3838  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
3839  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3840  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3841  CHECK(ecount == 1);
3842  CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
3843  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3844  CHECK(ecount == 2);
3845  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3846  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3847  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
3848  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3849  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3850  CHECK(ecount == 3);
3851  pubkeys[0] = &pubkey_negone;
3852  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3853  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3854  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
3855  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3856  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3857  CHECK(ecount == 3);
3858  len = 33;
3859  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3860  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
3861  CHECK(memcmp(ctmp, ctmp2, 33) == 0);
3862  /* Result is infinity. */
3863  pubkeys[0] = &pubkey_one;
3864  pubkeys[1] = &pubkey_negone;
3865  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3866  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3867  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
3868  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3869  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3870  CHECK(ecount == 3);
3871  /* Passes through infinity but comes out one. */
3872  pubkeys[2] = &pubkey_one;
3873  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3874  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3875  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
3876  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3877  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3878  CHECK(ecount == 3);
3879  len = 33;
3880  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3881  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
3882  CHECK(memcmp(ctmp, ctmp2, 33) == 0);
3883  /* Adds to two. */
3884  pubkeys[1] = &pubkey_one;
3885  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3886  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3887  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
3888  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3889  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3890  CHECK(ecount == 3);
3891  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3892 }
3893 
3894 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
3895  secp256k1_scalar nonce;
3896  do {
3897  random_scalar_order_test(&nonce);
3898  } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
3899 }
3900 
3901 void test_ecdsa_sign_verify(void) {
3902  secp256k1_gej pubj;
3903  secp256k1_ge pub;
3904  secp256k1_scalar one;
3905  secp256k1_scalar msg, key;
3906  secp256k1_scalar sigr, sigs;
3907  int recid;
3908  int getrec;
3909  random_scalar_order_test(&msg);
3910  random_scalar_order_test(&key);
3911  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
3912  secp256k1_ge_set_gej(&pub, &pubj);
3913  getrec = secp256k1_rand_bits(1);
3914  random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
3915  if (getrec) {
3916  CHECK(recid >= 0 && recid < 4);
3917  }
3918  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
3919  secp256k1_scalar_set_int(&one, 1);
3920  secp256k1_scalar_add(&msg, &msg, &one);
3921  CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
3922 }
3923 
3924 void run_ecdsa_sign_verify(void) {
3925  int i;
3926  for (i = 0; i < 10*count; i++) {
3927  test_ecdsa_sign_verify();
3928  }
3929 }
3930 
3932 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3933  (void)msg32;
3934  (void)key32;
3935  (void)algo16;
3936  memcpy(nonce32, data, 32);
3937  return (counter == 0);
3938 }
3939 
3940 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3941  /* Dummy nonce generator that has a fatal error on the first counter value. */
3942  if (counter == 0) {
3943  return 0;
3944  }
3945  return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
3946 }
3947 
3948 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3949  /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
3950  if (counter < 3) {
3951  memset(nonce32, counter==0 ? 0 : 255, 32);
3952  if (counter == 2) {
3953  nonce32[31]--;
3954  }
3955  return 1;
3956  }
3957  if (counter < 5) {
3958  static const unsigned char order[] = {
3959  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
3960  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
3961  0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
3962  0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
3963  };
3964  memcpy(nonce32, order, 32);
3965  if (counter == 4) {
3966  nonce32[31]++;
3967  }
3968  return 1;
3969  }
3970  /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
3971  /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
3972  if (counter > 5) {
3973  return 0;
3974  }
3975  return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
3976 }
3977 
3978 int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
3979  static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
3980  return memcmp(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
3981 }
3982 
3983 void test_ecdsa_end_to_end(void) {
3984  unsigned char extra[32] = {0x00};
3985  unsigned char privkey[32];
3986  unsigned char message[32];
3987  unsigned char privkey2[32];
3988  secp256k1_ecdsa_signature signature[6];
3989  secp256k1_scalar r, s;
3990  unsigned char sig[74];
3991  size_t siglen = 74;
3992  unsigned char pubkeyc[65];
3993  size_t pubkeyclen = 65;
3994  secp256k1_pubkey pubkey;
3995  secp256k1_pubkey pubkey_tmp;
3996  unsigned char seckey[300];
3997  size_t seckeylen = 300;
3998 
3999  /* Generate a random key and message. */
4000  {
4001  secp256k1_scalar msg, key;
4002  random_scalar_order_test(&msg);
4003  random_scalar_order_test(&key);
4004  secp256k1_scalar_get_b32(privkey, &key);
4005  secp256k1_scalar_get_b32(message, &msg);
4006  }
4007 
4008  /* Construct and verify corresponding public key. */
4009  CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
4010  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
4011 
4012  /* Verify exporting and importing public key. */
4013  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_rand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
4014  memset(&pubkey, 0, sizeof(pubkey));
4015  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
4016 
4017  /* Verify negation changes the key and changes it back */
4018  memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
4019  CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4020  CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
4021  CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4022  CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
4023 
4024  /* Verify private key import and export. */
4025  CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_rand_bits(1) == 1));
4026  CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
4027  CHECK(memcmp(privkey, privkey2, 32) == 0);
4028 
4029  /* Optionally tweak the keys using addition. */
4030  if (secp256k1_rand_int(3) == 0) {
4031  int ret1;
4032  int ret2;
4033  unsigned char rnd[32];
4034  secp256k1_pubkey pubkey2;
4035  secp256k1_rand256_test(rnd);
4036  ret1 = secp256k1_ec_privkey_tweak_add(ctx, privkey, rnd);
4037  ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
4038  CHECK(ret1 == ret2);
4039  if (ret1 == 0) {
4040  return;
4041  }
4042  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4043  CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4044  }
4045 
4046  /* Optionally tweak the keys using multiplication. */
4047  if (secp256k1_rand_int(3) == 0) {
4048  int ret1;
4049  int ret2;
4050  unsigned char rnd[32];
4051  secp256k1_pubkey pubkey2;
4052  secp256k1_rand256_test(rnd);
4053  ret1 = secp256k1_ec_privkey_tweak_mul(ctx, privkey, rnd);
4054  ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
4055  CHECK(ret1 == ret2);
4056  if (ret1 == 0) {
4057  return;
4058  }
4059  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4060  CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4061  }
4062 
4063  /* Sign. */
4064  CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
4065  CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
4066  CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
4067  extra[31] = 1;
4068  CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
4069  extra[31] = 0;
4070  extra[0] = 1;
4071  CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
4072  CHECK(memcmp(&signature[0], &signature[4], sizeof(signature[0])) == 0);
4073  CHECK(memcmp(&signature[0], &signature[1], sizeof(signature[0])) != 0);
4074  CHECK(memcmp(&signature[0], &signature[2], sizeof(signature[0])) != 0);
4075  CHECK(memcmp(&signature[0], &signature[3], sizeof(signature[0])) != 0);
4076  CHECK(memcmp(&signature[1], &signature[2], sizeof(signature[0])) != 0);
4077  CHECK(memcmp(&signature[1], &signature[3], sizeof(signature[0])) != 0);
4078  CHECK(memcmp(&signature[2], &signature[3], sizeof(signature[0])) != 0);
4079  /* Verify. */
4080  CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4081  CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
4082  CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
4083  CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
4084  /* Test lower-S form, malleate, verify and fail, test again, malleate again */
4085  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
4086  secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
4087  secp256k1_scalar_negate(&s, &s);
4088  secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4089  CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
4090  CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4091  CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4092  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4093  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4094  CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4095  secp256k1_scalar_negate(&s, &s);
4096  secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4097  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4098  CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4099  CHECK(memcmp(&signature[5], &signature[0], 64) == 0);
4100 
4101  /* Serialize/parse DER and verify again */
4102  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4103  memset(&signature[0], 0, sizeof(signature[0]));
4104  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
4105  CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4106  /* Serialize/destroy/parse DER and verify again. */
4107  siglen = 74;
4108  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4109  sig[secp256k1_rand_int(siglen)] += 1 + secp256k1_rand_int(255);
4110  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
4111  secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
4112 }
4113 
4114 void test_random_pubkeys(void) {
4115  secp256k1_ge elem;
4116  secp256k1_ge elem2;
4117  unsigned char in[65];
4118  /* Generate some randomly sized pubkeys. */
4119  size_t len = secp256k1_rand_bits(2) == 0 ? 65 : 33;
4120  if (secp256k1_rand_bits(2) == 0) {
4121  len = secp256k1_rand_bits(6);
4122  }
4123  if (len == 65) {
4124  in[0] = secp256k1_rand_bits(1) ? 4 : (secp256k1_rand_bits(1) ? 6 : 7);
4125  } else {
4126  in[0] = secp256k1_rand_bits(1) ? 2 : 3;
4127  }
4128  if (secp256k1_rand_bits(3) == 0) {
4129  in[0] = secp256k1_rand_bits(8);
4130  }
4131  if (len > 1) {
4132  secp256k1_rand256(&in[1]);
4133  }
4134  if (len > 33) {
4135  secp256k1_rand256(&in[33]);
4136  }
4137  if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
4138  unsigned char out[65];
4139  unsigned char firstb;
4140  int res;
4141  size_t size = len;
4142  firstb = in[0];
4143  /* If the pubkey can be parsed, it should round-trip... */
4144  CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
4145  CHECK(size == len);
4146  CHECK(memcmp(&in[1], &out[1], len-1) == 0);
4147  /* ... except for the type of hybrid inputs. */
4148  if ((in[0] != 6) && (in[0] != 7)) {
4149  CHECK(in[0] == out[0]);
4150  }
4151  size = 65;
4152  CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
4153  CHECK(size == 65);
4154  CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
4155  ge_equals_ge(&elem,&elem2);
4156  /* Check that the X9.62 hybrid type is checked. */
4157  in[0] = secp256k1_rand_bits(1) ? 6 : 7;
4158  res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
4159  if (firstb == 2 || firstb == 3) {
4160  if (in[0] == firstb + 4) {
4161  CHECK(res);
4162  } else {
4163  CHECK(!res);
4164  }
4165  }
4166  if (res) {
4167  ge_equals_ge(&elem,&elem2);
4168  CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
4169  CHECK(memcmp(&in[1], &out[1], 64) == 0);
4170  }
4171  }
4172 }
4173 
4174 void run_random_pubkeys(void) {
4175  int i;
4176  for (i = 0; i < 10*count; i++) {
4177  test_random_pubkeys();
4178  }
4179 }
4180 
4181 void run_ecdsa_end_to_end(void) {
4182  int i;
4183  for (i = 0; i < 64*count; i++) {
4184  test_ecdsa_end_to_end();
4185  }
4186 }
4187 
4188 int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
4189  static const unsigned char zeroes[32] = {0};
4190 #ifdef ENABLE_OPENSSL_TESTS
4191  static const unsigned char max_scalar[32] = {
4192  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4193  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4194  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4195  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
4196  };
4197 #endif
4198 
4199  int ret = 0;
4200 
4201  secp256k1_ecdsa_signature sig_der;
4202  unsigned char roundtrip_der[2048];
4203  unsigned char compact_der[64];
4204  size_t len_der = 2048;
4205  int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
4206 
4207  secp256k1_ecdsa_signature sig_der_lax;
4208  unsigned char roundtrip_der_lax[2048];
4209  unsigned char compact_der_lax[64];
4210  size_t len_der_lax = 2048;
4211  int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
4212 
4213 #ifdef ENABLE_OPENSSL_TESTS
4214  ECDSA_SIG *sig_openssl;
4215  const BIGNUM *r = NULL, *s = NULL;
4216  const unsigned char *sigptr;
4217  unsigned char roundtrip_openssl[2048];
4218  int len_openssl = 2048;
4219  int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
4220 #endif
4221 
4222  parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
4223  if (parsed_der) {
4224  ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
4225  valid_der = (memcmp(compact_der, zeroes, 32) != 0) && (memcmp(compact_der + 32, zeroes, 32) != 0);
4226  }
4227  if (valid_der) {
4228  ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
4229  roundtrips_der = (len_der == siglen) && memcmp(roundtrip_der, sig, siglen) == 0;
4230  }
4231 
4232  parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
4233  if (parsed_der_lax) {
4234  ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
4235  valid_der_lax = (memcmp(compact_der_lax, zeroes, 32) != 0) && (memcmp(compact_der_lax + 32, zeroes, 32) != 0);
4236  }
4237  if (valid_der_lax) {
4238  ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
4239  roundtrips_der_lax = (len_der_lax == siglen) && memcmp(roundtrip_der_lax, sig, siglen) == 0;
4240  }
4241 
4242  if (certainly_der) {
4243  ret |= (!parsed_der) << 2;
4244  }
4245  if (certainly_not_der) {
4246  ret |= (parsed_der) << 17;
4247  }
4248  if (valid_der) {
4249  ret |= (!roundtrips_der) << 3;
4250  }
4251 
4252  if (valid_der) {
4253  ret |= (!roundtrips_der_lax) << 12;
4254  ret |= (len_der != len_der_lax) << 13;
4255  ret |= (memcmp(roundtrip_der_lax, roundtrip_der, len_der) != 0) << 14;
4256  }
4257  ret |= (roundtrips_der != roundtrips_der_lax) << 15;
4258  if (parsed_der) {
4259  ret |= (!parsed_der_lax) << 16;
4260  }
4261 
4262 #ifdef ENABLE_OPENSSL_TESTS
4263  sig_openssl = ECDSA_SIG_new();
4264  sigptr = sig;
4265  parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
4266  if (parsed_openssl) {
4267  ECDSA_SIG_get0(sig_openssl, &r, &s);
4268  valid_openssl = !BN_is_negative(r) && !BN_is_negative(s) && BN_num_bits(r) > 0 && BN_num_bits(r) <= 256 && BN_num_bits(s) > 0 && BN_num_bits(s) <= 256;
4269  if (valid_openssl) {
4270  unsigned char tmp[32] = {0};
4271  BN_bn2bin(r, tmp + 32 - BN_num_bytes(r));
4272  valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4273  }
4274  if (valid_openssl) {
4275  unsigned char tmp[32] = {0};
4276  BN_bn2bin(s, tmp + 32 - BN_num_bytes(s));
4277  valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4278  }
4279  }
4280  len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
4281  if (len_openssl <= 2048) {
4282  unsigned char *ptr = roundtrip_openssl;
4283  CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
4284  roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (memcmp(roundtrip_openssl, sig, siglen) == 0);
4285  } else {
4286  len_openssl = 0;
4287  }
4288  ECDSA_SIG_free(sig_openssl);
4289 
4290  ret |= (parsed_der && !parsed_openssl) << 4;
4291  ret |= (valid_der && !valid_openssl) << 5;
4292  ret |= (roundtrips_openssl && !parsed_der) << 6;
4293  ret |= (roundtrips_der != roundtrips_openssl) << 7;
4294  if (roundtrips_openssl) {
4295  ret |= (len_der != (size_t)len_openssl) << 8;
4296  ret |= (memcmp(roundtrip_der, roundtrip_openssl, len_der) != 0) << 9;
4297  }
4298 #endif
4299  return ret;
4300 }
4301 
4302 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
4303  size_t i;
4304  for (i = 0; i < ptrlen; i++) {
4305  int shift = ptrlen - 1 - i;
4306  if (shift >= 4) {
4307  ptr[i] = 0;
4308  } else {
4309  ptr[i] = (val >> shift) & 0xFF;
4310  }
4311  }
4312 }
4313 
4314 static void damage_array(unsigned char *sig, size_t *len) {
4315  int pos;
4316  int action = secp256k1_rand_bits(3);
4317  if (action < 1 && *len > 3) {
4318  /* Delete a byte. */
4319  pos = secp256k1_rand_int(*len);
4320  memmove(sig + pos, sig + pos + 1, *len - pos - 1);
4321  (*len)--;
4322  return;
4323  } else if (action < 2 && *len < 2048) {
4324  /* Insert a byte. */
4325  pos = secp256k1_rand_int(1 + *len);
4326  memmove(sig + pos + 1, sig + pos, *len - pos);
4327  sig[pos] = secp256k1_rand_bits(8);
4328  (*len)++;
4329  return;
4330  } else if (action < 4) {
4331  /* Modify a byte. */
4332  sig[secp256k1_rand_int(*len)] += 1 + secp256k1_rand_int(255);
4333  return;
4334  } else { /* action < 8 */
4335  /* Modify a bit. */
4336  sig[secp256k1_rand_int(*len)] ^= 1 << secp256k1_rand_bits(3);
4337  return;
4338  }
4339 }
4340 
4341 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
4342  int der;
4343  int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
4344  size_t tlen, elen, glen;
4345  int indet;
4346  int n;
4347 
4348  *len = 0;
4349  der = secp256k1_rand_bits(2) == 0;
4350  *certainly_der = der;
4351  *certainly_not_der = 0;
4352  indet = der ? 0 : secp256k1_rand_int(10) == 0;
4353 
4354  for (n = 0; n < 2; n++) {
4355  /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
4356  nlow[n] = der ? 1 : (secp256k1_rand_bits(3) != 0);
4357  /* The length of the number in bytes (the first byte of which will always be nonzero) */
4358  nlen[n] = nlow[n] ? secp256k1_rand_int(33) : 32 + secp256k1_rand_int(200) * secp256k1_rand_int(8) / 8;
4359  CHECK(nlen[n] <= 232);
4360  /* The top bit of the number. */
4361  nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_rand_bits(1));
4362  /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
4363  nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_rand_bits(7) : 1 + secp256k1_rand_int(127));
4364  /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
4365  nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_rand_int(3) : secp256k1_rand_int(300 - nlen[n]) * secp256k1_rand_int(8) / 8);
4366  if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
4367  *certainly_not_der = 1;
4368  }
4369  CHECK(nlen[n] + nzlen[n] <= 300);
4370  /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
4371  nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
4372  if (!der) {
4373  /* nlenlen[n] max 127 bytes */
4374  int add = secp256k1_rand_int(127 - nlenlen[n]) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4375  nlenlen[n] += add;
4376  if (add != 0) {
4377  *certainly_not_der = 1;
4378  }
4379  }
4380  CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
4381  }
4382 
4383  /* The total length of the data to go, so far */
4384  tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
4385  CHECK(tlen <= 856);
4386 
4387  /* The length of the garbage inside the tuple. */
4388  elen = (der || indet) ? 0 : secp256k1_rand_int(980 - tlen) * secp256k1_rand_int(8) / 8;
4389  if (elen != 0) {
4390  *certainly_not_der = 1;
4391  }
4392  tlen += elen;
4393  CHECK(tlen <= 980);
4394 
4395  /* The length of the garbage after the end of the tuple. */
4396  glen = der ? 0 : secp256k1_rand_int(990 - tlen) * secp256k1_rand_int(8) / 8;
4397  if (glen != 0) {
4398  *certainly_not_der = 1;
4399  }
4400  CHECK(tlen + glen <= 990);
4401 
4402  /* Write the tuple header. */
4403  sig[(*len)++] = 0x30;
4404  if (indet) {
4405  /* Indeterminate length */
4406  sig[(*len)++] = 0x80;
4407  *certainly_not_der = 1;
4408  } else {
4409  int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
4410  if (!der) {
4411  int add = secp256k1_rand_int(127 - tlenlen) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4412  tlenlen += add;
4413  if (add != 0) {
4414  *certainly_not_der = 1;
4415  }
4416  }
4417  if (tlenlen == 0) {
4418  /* Short length notation */
4419  sig[(*len)++] = tlen;
4420  } else {
4421  /* Long length notation */
4422  sig[(*len)++] = 128 + tlenlen;
4423  assign_big_endian(sig + *len, tlenlen, tlen);
4424  *len += tlenlen;
4425  }
4426  tlen += tlenlen;
4427  }
4428  tlen += 2;
4429  CHECK(tlen + glen <= 1119);
4430 
4431  for (n = 0; n < 2; n++) {
4432  /* Write the integer header. */
4433  sig[(*len)++] = 0x02;
4434  if (nlenlen[n] == 0) {
4435  /* Short length notation */
4436  sig[(*len)++] = nlen[n] + nzlen[n];
4437  } else {
4438  /* Long length notation. */
4439  sig[(*len)++] = 128 + nlenlen[n];
4440  assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
4441  *len += nlenlen[n];
4442  }
4443  /* Write zero padding */
4444  while (nzlen[n] > 0) {
4445  sig[(*len)++] = 0x00;
4446  nzlen[n]--;
4447  }
4448  if (nlen[n] == 32 && !nlow[n]) {
4449  /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
4450  int i;
4451  for (i = 0; i < 16; i++) {
4452  sig[(*len)++] = 0xFF;
4453  }
4454  nlen[n] -= 16;
4455  }
4456  /* Write first byte of number */
4457  if (nlen[n] > 0) {
4458  sig[(*len)++] = nhbyte[n];
4459  nlen[n]--;
4460  }
4461  /* Generate remaining random bytes of number */
4462  secp256k1_rand_bytes_test(sig + *len, nlen[n]);
4463  *len += nlen[n];
4464  nlen[n] = 0;
4465  }
4466 
4467  /* Generate random garbage inside tuple. */
4468  secp256k1_rand_bytes_test(sig + *len, elen);
4469  *len += elen;
4470 
4471  /* Generate end-of-contents bytes. */
4472  if (indet) {
4473  sig[(*len)++] = 0;
4474  sig[(*len)++] = 0;
4475  tlen += 2;
4476  }
4477  CHECK(tlen + glen <= 1121);
4478 
4479  /* Generate random garbage outside tuple. */
4480  secp256k1_rand_bytes_test(sig + *len, glen);
4481  *len += glen;
4482  tlen += glen;
4483  CHECK(tlen <= 1121);
4484  CHECK(tlen == *len);
4485 }
4486 
4487 void run_ecdsa_der_parse(void) {
4488  int i,j;
4489  for (i = 0; i < 200 * count; i++) {
4490  unsigned char buffer[2048];
4491  size_t buflen = 0;
4492  int certainly_der = 0;
4493  int certainly_not_der = 0;
4494  random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
4495  CHECK(buflen <= 2048);
4496  for (j = 0; j < 16; j++) {
4497  int ret = 0;
4498  if (j > 0) {
4499  damage_array(buffer, &buflen);
4500  /* We don't know anything anymore about the DERness of the result */
4501  certainly_der = 0;
4502  certainly_not_der = 0;
4503  }
4504  ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
4505  if (ret != 0) {
4506  size_t k;
4507  fprintf(stderr, "Failure %x on ", ret);
4508  for (k = 0; k < buflen; k++) {
4509  fprintf(stderr, "%02x ", buffer[k]);
4510  }
4511  fprintf(stderr, "\n");
4512  }
4513  CHECK(ret == 0);
4514  }
4515  }
4516 }
4517 
4518 /* Tests several edge cases. */
4519 void test_ecdsa_edge_cases(void) {
4520  int t;
4521  secp256k1_ecdsa_signature sig;
4522 
4523  /* Test the case where ECDSA recomputes a point that is infinity. */
4524  {
4525  secp256k1_gej keyj;
4526  secp256k1_ge key;
4527  secp256k1_scalar msg;
4528  secp256k1_scalar sr, ss;
4529  secp256k1_scalar_set_int(&ss, 1);
4530  secp256k1_scalar_negate(&ss, &ss);
4531  secp256k1_scalar_inverse(&ss, &ss);
4532  secp256k1_scalar_set_int(&sr, 1);
4533  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
4534  secp256k1_ge_set_gej(&key, &keyj);
4535  msg = ss;
4536  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4537  }
4538 
4539  /* Verify signature with r of zero fails. */
4540  {
4541  const unsigned char pubkey_mods_zero[33] = {
4542  0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4543  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4544  0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4545  0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4546  0x41
4547  };
4548  secp256k1_ge key;
4549  secp256k1_scalar msg;
4550  secp256k1_scalar sr, ss;
4551  secp256k1_scalar_set_int(&ss, 1);
4552  secp256k1_scalar_set_int(&msg, 0);
4553  secp256k1_scalar_set_int(&sr, 0);
4554  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
4555  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4556  }
4557 
4558  /* Verify signature with s of zero fails. */
4559  {
4560  const unsigned char pubkey[33] = {
4561  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4562  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4563  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4564  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4565  0x01
4566  };
4567  secp256k1_ge key;
4568  secp256k1_scalar msg;
4569  secp256k1_scalar sr, ss;
4570  secp256k1_scalar_set_int(&ss, 0);
4571  secp256k1_scalar_set_int(&msg, 0);
4572  secp256k1_scalar_set_int(&sr, 1);
4573  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4574  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4575  }
4576 
4577  /* Verify signature with message 0 passes. */
4578  {
4579  const unsigned char pubkey[33] = {
4580  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4581  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4582  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4583  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4584  0x02
4585  };
4586  const unsigned char pubkey2[33] = {
4587  0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4588  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4589  0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4590  0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4591  0x43
4592  };
4593  secp256k1_ge key;
4594  secp256k1_ge key2;
4595  secp256k1_scalar msg;
4596  secp256k1_scalar sr, ss;
4597  secp256k1_scalar_set_int(&ss, 2);
4598  secp256k1_scalar_set_int(&msg, 0);
4599  secp256k1_scalar_set_int(&sr, 2);
4600  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4601  CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4602  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4603  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4604  secp256k1_scalar_negate(&ss, &ss);
4605  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4606  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4607  secp256k1_scalar_set_int(&ss, 1);
4608  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4609  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4610  }
4611 
4612  /* Verify signature with message 1 passes. */
4613  {
4614  const unsigned char pubkey[33] = {
4615  0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
4616  0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
4617  0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
4618  0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
4619  0x25
4620  };
4621  const unsigned char pubkey2[33] = {
4622  0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
4623  0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
4624  0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
4625  0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
4626  0x62
4627  };
4628  const unsigned char csr[32] = {
4629  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4630  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4631  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4632  0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
4633  };
4634  secp256k1_ge key;
4635  secp256k1_ge key2;
4636  secp256k1_scalar msg;
4637  secp256k1_scalar sr, ss;
4638  secp256k1_scalar_set_int(&ss, 1);
4639  secp256k1_scalar_set_int(&msg, 1);
4640  secp256k1_scalar_set_b32(&sr, csr, NULL);
4641  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4642  CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4643  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4644  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4645  secp256k1_scalar_negate(&ss, &ss);
4646  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4647  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4648  secp256k1_scalar_set_int(&ss, 2);
4649  secp256k1_scalar_inverse_var(&ss, &ss);
4650  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4651  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4652  }
4653 
4654  /* Verify signature with message -1 passes. */
4655  {
4656  const unsigned char pubkey[33] = {
4657  0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
4658  0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
4659  0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
4660  0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
4661  0xf1
4662  };
4663  const unsigned char csr[32] = {
4664  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4665  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4666  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4667  0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
4668  };
4669  secp256k1_ge key;
4670  secp256k1_scalar msg;
4671  secp256k1_scalar sr, ss;
4672  secp256k1_scalar_set_int(&ss, 1);
4673  secp256k1_scalar_set_int(&msg, 1);
4674  secp256k1_scalar_negate(&msg, &msg);
4675  secp256k1_scalar_set_b32(&sr, csr, NULL);
4676  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4677  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4678  secp256k1_scalar_negate(&ss, &ss);
4679  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4680  secp256k1_scalar_set_int(&ss, 3);
4681  secp256k1_scalar_inverse_var(&ss, &ss);
4682  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4683  }
4684 
4685  /* Signature where s would be zero. */
4686  {
4687  secp256k1_pubkey pubkey;
4688  size_t siglen;
4689  int32_t ecount;
4690  unsigned char signature[72];
4691  static const unsigned char nonce[32] = {
4692  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4693  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4694  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4695  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4696  };
4697  static const unsigned char nonce2[32] = {
4698  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4699  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4700  0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4701  0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
4702  };
4703  const unsigned char key[32] = {
4704  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4705  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4706  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4707  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4708  };
4709  unsigned char msg[32] = {
4710  0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
4711  0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
4712  0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
4713  0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
4714  };
4715  ecount = 0;
4716  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4717  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
4718  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
4719  msg[31] = 0xaa;
4720  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
4721  CHECK(ecount == 0);
4722  CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
4723  CHECK(ecount == 1);
4724  CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
4725  CHECK(ecount == 2);
4726  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
4727  CHECK(ecount == 3);
4728  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
4729  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
4730  CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
4731  CHECK(ecount == 4);
4732  CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
4733  CHECK(ecount == 5);
4734  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
4735  CHECK(ecount == 6);
4736  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
4737  CHECK(ecount == 6);
4738  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4739  CHECK(ecount == 7);
4740  /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
4741  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
4742  CHECK(ecount == 8);
4743  siglen = 72;
4744  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
4745  CHECK(ecount == 9);
4746  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
4747  CHECK(ecount == 10);
4748  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
4749  CHECK(ecount == 11);
4750  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
4751  CHECK(ecount == 11);
4752  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
4753  CHECK(ecount == 12);
4754  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
4755  CHECK(ecount == 13);
4756  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
4757  CHECK(ecount == 13);
4758  siglen = 10;
4759  /* Too little room for a signature does not fail via ARGCHECK. */
4760  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
4761  CHECK(ecount == 13);
4762  ecount = 0;
4763  CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
4764  CHECK(ecount == 1);
4765  CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
4766  CHECK(ecount == 2);
4767  CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
4768  CHECK(ecount == 3);
4769  CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
4770  CHECK(ecount == 3);
4771  CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
4772  CHECK(ecount == 4);
4773  CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
4774  CHECK(ecount == 5);
4775  CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
4776  CHECK(ecount == 5);
4777  memset(signature, 255, 64);
4778  CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
4779  CHECK(ecount == 5);
4780  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4781  }
4782 
4783  /* Nonce function corner cases. */
4784  for (t = 0; t < 2; t++) {
4785  static const unsigned char zero[32] = {0x00};
4786  int i;
4787  unsigned char key[32];
4788  unsigned char msg[32];
4789  secp256k1_ecdsa_signature sig2;
4790  secp256k1_scalar sr[512], ss;
4791  const unsigned char *extra;
4792  extra = t == 0 ? NULL : zero;
4793  memset(msg, 0, 32);
4794  msg[31] = 1;
4795  /* High key results in signature failure. */
4796  memset(key, 0xFF, 32);
4797  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
4798  CHECK(is_empty_signature(&sig));
4799  /* Zero key results in signature failure. */
4800  memset(key, 0, 32);
4801  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
4802  CHECK(is_empty_signature(&sig));
4803  /* Nonce function failure results in signature failure. */
4804  key[31] = 1;
4805  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
4806  CHECK(is_empty_signature(&sig));
4807  /* The retry loop successfully makes its way to the first good value. */
4808  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
4809  CHECK(!is_empty_signature(&sig));
4810  CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
4811  CHECK(!is_empty_signature(&sig2));
4812  CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4813  /* The default nonce function is deterministic. */
4814  CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4815  CHECK(!is_empty_signature(&sig2));
4816  CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4817  /* The default nonce function changes output with different messages. */
4818  for(i = 0; i < 256; i++) {
4819  int j;
4820  msg[0] = i;
4821  CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4822  CHECK(!is_empty_signature(&sig2));
4823  secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4824  for (j = 0; j < i; j++) {
4825  CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4826  }
4827  }
4828  msg[0] = 0;
4829  msg[31] = 2;
4830  /* The default nonce function changes output with different keys. */
4831  for(i = 256; i < 512; i++) {
4832  int j;
4833  key[0] = i - 256;
4834  CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4835  CHECK(!is_empty_signature(&sig2));
4836  secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4837  for (j = 0; j < i; j++) {
4838  CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4839  }
4840  }
4841  key[0] = 0;
4842  }
4843 
4844  {
4845  /* Check that optional nonce arguments do not have equivalent effect. */
4846  const unsigned char zeros[32] = {0};
4847  unsigned char nonce[32];
4848  unsigned char nonce2[32];
4849  unsigned char nonce3[32];
4850  unsigned char nonce4[32];
4851  VG_UNDEF(nonce,32);
4852  VG_UNDEF(nonce2,32);
4853  VG_UNDEF(nonce3,32);
4854  VG_UNDEF(nonce4,32);
4855  CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
4856  VG_CHECK(nonce,32);
4857  CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
4858  VG_CHECK(nonce2,32);
4859  CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
4860  VG_CHECK(nonce3,32);
4861  CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
4862  VG_CHECK(nonce4,32);
4863  CHECK(memcmp(nonce, nonce2, 32) != 0);
4864  CHECK(memcmp(nonce, nonce3, 32) != 0);
4865  CHECK(memcmp(nonce, nonce4, 32) != 0);
4866  CHECK(memcmp(nonce2, nonce3, 32) != 0);
4867  CHECK(memcmp(nonce2, nonce4, 32) != 0);
4868  CHECK(memcmp(nonce3, nonce4, 32) != 0);
4869  }
4870 
4871 
4872  /* Privkey export where pubkey is the point at infinity. */
4873  {
4874  unsigned char privkey[300];
4875  unsigned char seckey[32] = {
4876  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4877  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4878  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4879  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
4880  };
4881  size_t outlen = 300;
4882  CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
4883  outlen = 300;
4884  CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
4885  }
4886 }
4887 
4888 void run_ecdsa_edge_cases(void) {
4889  test_ecdsa_edge_cases();
4890 }
4891 
4892 #ifdef ENABLE_OPENSSL_TESTS
4893 EC_KEY *get_openssl_key(const unsigned char *key32) {
4894  unsigned char privkey[300];
4895  size_t privkeylen;
4896  const unsigned char* pbegin = privkey;
4897  int compr = secp256k1_rand_bits(1);
4898  EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
4899  CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
4900  CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
4901  CHECK(EC_KEY_check_key(ec_key));
4902  return ec_key;
4903 }
4904 
4905 void test_ecdsa_openssl(void) {
4906  secp256k1_gej qj;
4907  secp256k1_ge q;
4908  secp256k1_scalar sigr, sigs;
4909  secp256k1_scalar one;
4910  secp256k1_scalar msg2;
4911  secp256k1_scalar key, msg;
4912  EC_KEY *ec_key;
4913  unsigned int sigsize = 80;
4914  size_t secp_sigsize = 80;
4915  unsigned char message[32];
4916  unsigned char signature[80];
4917  unsigned char key32[32];
4918  secp256k1_rand256_test(message);
4919  secp256k1_scalar_set_b32(&msg, message, NULL);
4920  random_scalar_order_test(&key);
4921  secp256k1_scalar_get_b32(key32, &key);
4922  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
4923  secp256k1_ge_set_gej(&q, &qj);
4924  ec_key = get_openssl_key(key32);
4925  CHECK(ec_key != NULL);
4926  CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
4927  CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
4928  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
4929  secp256k1_scalar_set_int(&one, 1);
4930  secp256k1_scalar_add(&msg2, &msg, &one);
4931  CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
4932 
4933  random_sign(&sigr, &sigs, &key, &msg, NULL);
4934  CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
4935  CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
4936 
4937  EC_KEY_free(ec_key);
4938 }
4939 
4940 void run_ecdsa_openssl(void) {
4941  int i;
4942  for (i = 0; i < 10*count; i++) {
4943  test_ecdsa_openssl();
4944  }
4945 }
4946 #endif
4947 
4948 #ifdef ENABLE_MODULE_ECDH
4949 # include "modules/ecdh/tests_impl.h"
4950 #endif
4951 
4952 #ifdef ENABLE_MODULE_RECOVERY
4953 # include "modules/recovery/tests_impl.h"
4954 #endif
4955 
4956 int main(int argc, char **argv) {
4957  unsigned char seed16[16] = {0};
4958  unsigned char run32[32] = {0};
4959  /* find iteration count */
4960  if (argc > 1) {
4961  count = strtol(argv[1], NULL, 0);
4962  }
4963 
4964  /* find random seed */
4965  if (argc > 2) {
4966  int pos = 0;
4967  const char* ch = argv[2];
4968  while (pos < 16 && ch[0] != 0 && ch[1] != 0) {
4969  unsigned short sh;
4970  if (sscanf(ch, "%2hx", &sh)) {
4971  seed16[pos] = sh;
4972  } else {
4973  break;
4974  }
4975  ch += 2;
4976  pos++;
4977  }
4978  } else {
4979  FILE *frand = fopen("/dev/urandom", "r");
4980  if ((frand == NULL) || fread(&seed16, sizeof(seed16), 1, frand) != sizeof(seed16)) {
4981  uint64_t t = time(NULL) * (uint64_t)1337;
4982  seed16[0] ^= t;
4983  seed16[1] ^= t >> 8;
4984  seed16[2] ^= t >> 16;
4985  seed16[3] ^= t >> 24;
4986  seed16[4] ^= t >> 32;
4987  seed16[5] ^= t >> 40;
4988  seed16[6] ^= t >> 48;
4989  seed16[7] ^= t >> 56;
4990  }
4991  if (frand) {
4992  fclose(frand);
4993  }
4994  }
4995  secp256k1_rand_seed(seed16);
4996 
4997  printf("test count = %i\n", count);
4998  printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]);
4999 
5000  /* initialize */
5001  run_context_tests();
5002  run_scratch_tests();
5003  ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
5004  if (secp256k1_rand_bits(1)) {
5005  secp256k1_rand256(run32);
5006  CHECK(secp256k1_context_randomize(ctx, secp256k1_rand_bits(1) ? run32 : NULL));
5007  }
5008 
5009  run_rand_bits();
5010  run_rand_int();
5011 
5012  run_sha256_tests();
5013  run_hmac_sha256_tests();
5014  run_rfc6979_hmac_sha256_tests();
5015 
5016 #ifndef USE_NUM_NONE
5017  /* num tests */
5018  run_num_smalltests();
5019 #endif
5020 
5021  /* scalar tests */
5022  run_scalar_tests();
5023 
5024  /* field tests */
5025  run_field_inv();
5026  run_field_inv_var();
5027  run_field_inv_all_var();
5028  run_field_misc();
5029  run_field_convert();
5030  run_sqr();
5031  run_sqrt();
5032 
5033  /* group tests */
5034  run_ge();
5035  run_group_decompress();
5036 
5037  /* ecmult tests */
5038  run_wnaf();
5039  run_point_times_order();
5040  run_ecmult_chain();
5041  run_ecmult_constants();
5042  run_ecmult_gen_blind();
5043  run_ecmult_const_tests();
5044  run_ecmult_multi_tests();
5045  run_ec_combine();
5046 
5047  /* endomorphism tests */
5048 #ifdef USE_ENDOMORPHISM
5049  run_endomorphism_tests();
5050 #endif
5051 
5052  /* EC point parser test */
5053  run_ec_pubkey_parse_test();
5054 
5055  /* EC key edge cases */
5056  run_eckey_edge_case_test();
5057 
5058 #ifdef ENABLE_MODULE_ECDH
5059  /* ecdh tests */
5060  run_ecdh_tests();
5061 #endif
5062 
5063  /* ecdsa tests */
5064  run_random_pubkeys();
5065  run_ecdsa_der_parse();
5066  run_ecdsa_sign_verify();
5067  run_ecdsa_end_to_end();
5068  run_ecdsa_edge_cases();
5069 #ifdef ENABLE_OPENSSL_TESTS
5070  run_ecdsa_openssl();
5071 #endif
5072 
5073 #ifdef ENABLE_MODULE_RECOVERY
5074  /* ECDSA pubkey recovery tests */
5075  run_recovery_tests();
5076 #endif
5077 
5078  secp256k1_rand256(run32);
5079  printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]);
5080 
5081  /* shutdown */
5082  secp256k1_context_destroy(ctx);
5083 
5084  printf("no problems found\n");
5085  return 0;
5086 }
sum
volatile double sum
Definition: Examples.cpp:22
tests_impl.h
run_ecdh_tests
void run_ecdh_tests(void)
Definition: tests_impl.h:126
STRAUSS_SCRATCH_OBJECTS
#define STRAUSS_SCRATCH_OBJECTS
Definition: ecmult_impl.h:58
WNAF_SIZE
#define WNAF_SIZE(w)
Definition: ecmult_impl.h:51
ECMULT_PIPPENGER_THRESHOLD
#define ECMULT_PIPPENGER_THRESHOLD
Definition: ecmult_impl.h:66
PIPPENGER_MAX_BUCKET_WINDOW
#define PIPPENGER_MAX_BUCKET_WINDOW
Definition: ecmult_impl.h:60
PIPPENGER_SCRATCH_OBJECTS
#define PIPPENGER_SCRATCH_OBJECTS
Definition: ecmult_impl.h:57
secp256k1_ecmult_multi_func
int(* secp256k1_ecmult_multi_func)(const secp256k1_ecmult_context *, secp256k1_scratch *, secp256k1_gej *, const secp256k1_scalar *, secp256k1_ecmult_multi_callback cb, void *, size_t)
Definition: ecmult_impl.h:975
WNAF_SIZE_BITS
#define WNAF_SIZE_BITS(bits, w)
Definition: ecmult_impl.h:50
SECP256K1_FE_CONST
#define SECP256K1_FE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:38
SECP256K1_FE_STORAGE_CONST
#define SECP256K1_FE_STORAGE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:45
buffer
std::vector< uint8_t > buffer
Definition: fuzz.cpp:71
argv
char ** argv
Definition: fuzz.cpp:52
memcpy
void * memcpy(void *a, const void *b, size_t c)
Definition: glibc_compat.cpp:18
memmove
void * memmove(void *a, const void *b, size_t c)
SECP256K1_GEJ_CONST_INFINITY
#define SECP256K1_GEJ_CONST_INFINITY
Definition: group.h:32
SECP256K1_GE_CONST
#define SECP256K1_GE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:20
SECP256K1_GEJ_CONST
#define SECP256K1_GEJ_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:31
low
sph_u32 low
Definition: keccak.c:370
lax_der_parsing.c
ecdsa_signature_parse_der_lax
int ecdsa_signature_parse_der_lax(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen)
Parse a signature in "lax DER" format.
Definition: lax_der_parsing.c:12
lax_der_privatekey_parsing.c
ec_privkey_export_der
int ec_privkey_export_der(const secp256k1_context *ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *key32, int compressed)
Export a private key in DER format.
Definition: lax_der_privatekey_parsing.c:56
ec_privkey_import_der
int ec_privkey_import_der(const secp256k1_context *ctx, unsigned char *out32, const unsigned char *privkey, size_t privkeylen)
Import a private key in DER format.
Definition: lax_der_privatekey_parsing.c:12
nonce
unsigned int nonce
Definition: miner_tests.cpp:28
fsbridge::fopen
FILE * fopen(const fs::path &p, const char *mode)
Definition: fs.cpp:23
tinyformat::printf
void printf(const char *fmt, const Args &... args)
Format list of arguments to std::cout, according to the given format string.
Definition: tinyformat.h:975
tests_impl.h
run_recovery_tests
void run_recovery_tests(void)
Definition: tests_impl.h:382
SECP256K1_SCALAR_CONST
#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: scalar_4x64.h:17
ALIGNMENT
#define ALIGNMENT
Definition: scratch_impl.h:16
secp256k1_ec_pubkey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:536
SECP256K1_CONTEXT_SIGN
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:168
secp256k1_ec_privkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a private key by adding tweak to it.
Definition: secp256k1.c:467
secp256k1_scratch_space_destroy
SECP256K1_API void secp256k1_scratch_space_destroy(secp256k1_scratch_space *scratch)
Destroy a secp256k1 scratch space.
Definition: secp256k1.c:123
secp256k1_scratch_space_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT secp256k1_scratch_space * secp256k1_scratch_space_create(const secp256k1_context *ctx, size_t max_size) SECP256K1_ARG_NONNULL(1)
Create a secp256k1 scratch space object.
Definition: secp256k1.c:118
secp256k1_context_randomize
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1)
Updates the context randomization to protect against side-channel leakage.
Definition: secp256k1.c:560
secp256k1_ec_pubkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:490
secp256k1_ecdsa_signature_parse_compact
SECP256K1_API int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:238
secp256k1_ec_pubkey_serialize
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:175
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:110
secp256k1_ec_seckey_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an ECDSA secret key.
Definition: secp256k1.c:404
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:102
secp256k1_ecdsa_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:303
secp256k1_ec_pubkey_combine
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *out, const secp256k1_pubkey *const *ins, size_t n) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Add a number of public keys together.
Definition: secp256k1.c:567
secp256k1_ec_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:160
SECP256K1_CONTEXT_NONE
#define SECP256K1_CONTEXT_NONE
Definition: secp256k1.h:169
secp256k1_ecdsa_signature_parse_der
SECP256K1_API int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a DER ECDSA signature.
Definition: secp256k1.c:222
secp256k1_ecdsa_sign
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:358
secp256k1_ec_pubkey_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:417
secp256k1_context_clone
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Copies a secp256k1 context object.
Definition: secp256k1.c:84
secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object.
Definition: secp256k1.c:59
SECP256K1_EC_COMPRESSED
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize and secp256k1_ec_privkey_export.
Definition: secp256k1.h:172
secp256k1_ecdsa_signature_normalize
SECP256K1_API int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:284
SECP256K1_EC_UNCOMPRESSED
#define SECP256K1_EC_UNCOMPRESSED
Definition: secp256k1.h:173
secp256k1_ec_privkey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a private key by multiplying it by a tweak.
Definition: secp256k1.c:514
secp256k1_ecdsa_signature_serialize_der
SECP256K1_API int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize an ECDSA signature in DER format.
Definition: secp256k1.c:259
secp256k1_ec_pubkey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a public key in place.
Definition: secp256k1.c:452
SECP256K1_CONTEXT_VERIFY
#define SECP256K1_CONTEXT_VERIFY
Flags to pass to secp256k1_context_create.
Definition: secp256k1.h:167
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object.
Definition: secp256k1.c:93
secp256k1_ecdsa_signature_serialize_compact
SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:271
ecmult_multi_data
Definition: tests.c:2531
ecmult_multi_data::sc
secp256k1_scalar * sc
Definition: tests.c:2532
ecmult_multi_data::pt
secp256k1_ge * pt
Definition: tests.c:2533
secp256k1_callback::fn
void(* fn)(const char *text, void *data)
Definition: util.h:19
secp256k1_context_struct
Definition: secp256k1.c:52
secp256k1_context_struct::error_callback
secp256k1_callback error_callback
Definition: secp256k1.c:56
secp256k1_context_struct::ecmult_gen_ctx
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:54
secp256k1_context_struct::ecmult_ctx
secp256k1_ecmult_context ecmult_ctx
Definition: secp256k1.c:53
secp256k1_ecdsa_signature
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:79
secp256k1_ecmult_gen_context::initial
secp256k1_gej initial
Definition: ecmult_gen.h:28
secp256k1_ecmult_gen_context::blind
secp256k1_scalar blind
Definition: ecmult_gen.h:27
secp256k1_fe_storage
Definition: field_10x26.h:41
secp256k1_fe
Definition: field_10x26.h:12
secp256k1_ge
A group element of the secp256k1 curve, in affine coordinates.
Definition: group.h:14
secp256k1_ge::infinity
int infinity
Definition: group.h:17
secp256k1_ge::x
secp256k1_fe x
Definition: group.h:15
secp256k1_ge::y
secp256k1_fe y
Definition: group.h:16
secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:24
secp256k1_gej::y
secp256k1_fe y
Definition: group.h:26
secp256k1_gej::x
secp256k1_fe x
Definition: group.h:25
secp256k1_gej::infinity
int infinity
Definition: group.h:28
secp256k1_gej::z
secp256k1_fe z
Definition: group.h:27
secp256k1_hmac_sha256
Definition: hash.h:23
secp256k1_num
Definition: num_gmp.h:14
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:66
secp256k1_rfc6979_hmac_sha256
Definition: hash.h:31
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_scalar::d
uint64_t d[4]
Definition: scalar_4x64.h:14
secp256k1_scratch_space_struct
Definition: scratch.h:14
secp256k1_sha256
Definition: hash.h:13
testrand_impl.h
test_ecmult_multi_batching
void test_ecmult_multi_batching(void)
Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to 1 <= i <= num points...
Definition: tests.c:2845
random_scalar_order
void random_scalar_order(secp256k1_scalar *num)
Definition: tests.c:127
run_group_decompress
void run_group_decompress(void)
Definition: tests.c:2296
run_random_pubkeys
void run_random_pubkeys(void)
Definition: tests.c:4174
scalar_test
void scalar_test(void)
Definition: tests.c:675
random_num_order
void random_num_order(secp256k1_num *num)
Definition: tests.c:502
test_ecdsa_der_parse
int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der)
Definition: tests.c:4188
run_ec_pubkey_parse_test
void run_ec_pubkey_parse_test(void)
Definition: tests.c:3331
SECP256K1_EC_PARSE_TEST_NINVALID
#define SECP256K1_EC_PARSE_TEST_NINVALID
run_sha256_tests
void run_sha256_tests(void)
Definition: tests.c:294
ecmult_const_random_mult
void ecmult_const_random_mult(void)
Definition: tests.c:2428
run_context_tests
void run_context_tests(void)
Definition: tests.c:140
test_ge
void test_ge(void)
Definition: tests.c:1921
run_eckey_edge_case_test
void run_eckey_edge_case_test(void)
Definition: tests.c:3658
test_ecmult_gen_blind_reset
void test_ecmult_gen_blind_reset(void)
Definition: tests.c:3206
run_ec_combine
void run_ec_combine(void)
Definition: tests.c:2225
main
int main(int argc, char **argv)
Definition: tests.c:4956
test_secp256k1_pippenger_bucket_window_inv
void test_secp256k1_pippenger_bucket_window_inv(void)
Definition: tests.c:2796
run_field_convert
void run_field_convert(void)
Definition: tests.c:1650
test_ecdsa_end_to_end
void test_ecdsa_end_to_end(void)
Definition: tests.c:3983
SECP256K1_EC_PARSE_TEST_NVALID
#define SECP256K1_EC_PARSE_TEST_NVALID
run_field_misc
void run_field_misc(void)
Definition: tests.c:1689
VG_CHECK
#define VG_CHECK(x, y)
Definition: tests.c:41
test_sqrt
void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k)
Definition: tests.c:1823
test_num_mod
void test_num_mod(void)
Definition: tests.c:570
random_field_element_magnitude
void random_field_element_magnitude(secp256k1_fe *fe)
Definition: tests.c:74
random_num_negate
void random_num_negate(secp256k1_num *num)
Definition: tests.c:490
random_scalar_order_test
void random_scalar_order_test(secp256k1_scalar *num)
Definition: tests.c:114
test_point_times_order
void test_point_times_order(const secp256k1_gej *point)
Definition: tests.c:2371
test_ecmult_multi
void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:2551
fe_memcmp
int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:1680
random_sign
void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid)
Definition: tests.c:3894
ecmult_const_chain_multiply
void ecmult_const_chain_multiply(void)
Definition: tests.c:2498
random_group_element_test
void random_group_element_test(secp256k1_ge *ge)
Definition: tests.c:88
run_num_smalltests
void run_num_smalltests(void)
Definition: tests.c:662
run_hmac_sha256_tests
void run_hmac_sha256_tests(void)
Definition: tests.c:330
VG_UNDEF
#define VG_UNDEF(x, y)
Definition: tests.c:40
test_num_negate
void test_num_negate(void)
Definition: tests.c:508
ge_equals_ge
void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b)
Definition: tests.c:1873
test_rand_int
void test_rand_int(uint32_t range, uint32_t subrange)
Definition: tests.c:452
run_rand_int
void run_rand_int(void)
Definition: tests.c:476
random_fe_test
void random_fe_test(secp256k1_fe *x)
Definition: tests.c:1604
ge_equals_gej
void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b)
Definition: tests.c:1904
test_wnaf
void test_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:2925
is_empty_signature
int is_empty_signature(const secp256k1_ecdsa_signature *sig)
Definition: tests.c:3978
random_fe_non_zero
void random_fe_non_zero(secp256k1_fe *nz)
Definition: tests.c:1614
test_add_neg_y_diff_x
void test_add_neg_y_diff_x(void)
Definition: tests.c:2125
run_ecdsa_sign_verify
void run_ecdsa_sign_verify(void)
Definition: tests.c:3924
run_rand_bits
void run_rand_bits(void)
Definition: tests.c:468
random_group_element_jacobian_test
void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge)
Definition: tests.c:99
run_ecmult_constants
void run_ecmult_constants(void)
Definition: tests.c:3179
gej_xyz_equals_gej
int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:1883
test_random_pubkeys
void test_random_pubkeys(void)
Definition: tests.c:4114
run_sqrt
void run_sqrt(void)
Definition: tests.c:1837
test_ecdsa_sign_verify
void test_ecdsa_sign_verify(void)
Definition: tests.c:3901
check_fe_inverse
int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai)
Definition: tests.c:1643
run_ge
void run_ge(void)
Definition: tests.c:2192
ecmult_const_mult_zero_one
void ecmult_const_mult_zero_one(void)
Definition: tests.c:2476
test_ecmult_constants
void test_ecmult_constants(void)
Definition: tests.c:3146
run_ecdsa_end_to_end
void run_ecdsa_end_to_end(void)
Definition: tests.c:4181
ecmult_const_commutativity
void ecmult_const_commutativity(void)
Definition: tests.c:2455
test_constant_wnaf
void test_constant_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:2974
ec_pubkey_parse_pointtest
void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid)
Definition: tests.c:3256
test_ecmult_gen_blind
void test_ecmult_gen_blind(void)
Definition: tests.c:3183
test_fixed_wnaf
void test_fixed_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:3015
test_ecdsa_edge_cases
void test_ecdsa_edge_cases(void)
Definition: tests.c:4519
test_group_decompress
void test_group_decompress(const secp256k1_fe *x)
Definition: tests.c:2232
test_num_jacobi
void test_num_jacobi(void)
Definition: tests.c:601
test_fixed_wnaf_small_helper
void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w)
Definition: tests.c:3055
run_ecmult_gen_blind
void run_ecmult_gen_blind(void)
Definition: tests.c:3218
random_fe_non_square
void random_fe_non_square(secp256k1_fe *ns)
Definition: tests.c:1627
run_point_times_order
void run_point_times_order(void)
Definition: tests.c:2406
random_fe
void random_fe(secp256k1_fe *x)
Definition: tests.c:1594
test_fixed_wnaf_small
void test_fixed_wnaf_small(void)
Definition: tests.c:3065
test_ecmult_multi_pippenger_max_points
void test_ecmult_multi_pippenger_max_points(void)
Probabilistically test the function returning the maximum number of possible points for a given scrat...
Definition: tests.c:2818
run_field_inv
void run_field_inv(void)
Definition: tests.c:1761
run_ecmult_multi_tests
void run_ecmult_multi_tests(void)
Definition: tests.c:2906
run_ecdsa_edge_cases
void run_ecdsa_edge_cases(void)
Definition: tests.c:4888
run_field_inv_var
void run_field_inv_var(void)
Definition: tests.c:1773
test_constant_wnaf_negate
void test_constant_wnaf_negate(const secp256k1_scalar *number)
Definition: tests.c:2959
run_rfc6979_hmac_sha256_tests
void run_rfc6979_hmac_sha256_tests(void)
Definition: tests.c:374
random_num_order_test
void random_num_order_test(secp256k1_num *num)
Definition: tests.c:496
check_fe_equal
int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:1635
run_sqr
void run_sqr(void)
Definition: tests.c:1807
run_ecmult_chain
void run_ecmult_chain(void)
Definition: tests.c:2307
run_ecdsa_der_parse
void run_ecdsa_der_parse(void)
Definition: tests.c:4487
random_field_element_test
void random_field_element_test(secp256k1_fe *fe)
Definition: tests.c:64
run_wnaf
void run_wnaf(void)
Definition: tests.c:3119
run_scratch_tests
void run_scratch_tests(void)
Definition: tests.c:254
test_ec_combine
void test_ec_combine(void)
Definition: tests.c:2200
run_ecmult_const_tests
void run_ecmult_const_tests(void)
Definition: tests.c:2524
SECP256K1_EC_PARSE_TEST_NXVALID
#define SECP256K1_EC_PARSE_TEST_NXVALID
run_field_inv_all_var
void run_field_inv_all_var(void)
Definition: tests.c:1785
test_rand_bits
void test_rand_bits(int rand32, int bits)
Definition: tests.c:417
run_scalar_tests
void run_scalar_tests(void)
Definition: tests.c:964
test_num_add_sub
void test_num_add_sub(void)
Definition: tests.c:528
CHECK
#define CHECK(cond)
Definition: util.h:52
VERIFY_CHECK
#define VERIFY_CHECK(cond)
Definition: util.h:67
Generated on Wed Apr 2 2025 00:40:35 for PIVX Core by doxygen 1.9.1