Bitcoin Core 31.99.0
P2P Digital Currency
tests.c
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#include <stdio.h>
8#include <stdlib.h>
9#include <string.h>
10
11#include <time.h>
12
13#ifdef USE_EXTERNAL_DEFAULT_CALLBACKS
14 #pragma message("Ignoring USE_EXTERNAL_CALLBACKS in tests.")
15 #undef USE_EXTERNAL_DEFAULT_CALLBACKS
16#endif
17#if defined(VERIFY) && defined(COVERAGE)
18 #pragma message("Defining VERIFY for tests being built for coverage analysis support is meaningless.")
19#endif
20#include "secp256k1.c"
21
22#include "../include/secp256k1.h"
23#include "../include/secp256k1_preallocated.h"
24#include "testrand_impl.h"
25#include "checkmem.h"
26#include "testutil.h"
27#include "util.h"
28#include "unit_test.h"
29#include "unit_test.c"
30
31#include "../contrib/lax_der_parsing.c"
32#include "../contrib/lax_der_privatekey_parsing.c"
33
34#include "modinv32_impl.h"
35#ifdef SECP256K1_WIDEMUL_INT128
36#include "modinv64_impl.h"
37#include "int128_impl.h"
38#endif
39
40#define CONDITIONAL_TEST(cnt, nam) if (COUNT < (cnt)) { printf("Skipping %s (iteration count too low)\n", nam); } else
41
42static secp256k1_context *CTX = NULL;
43static secp256k1_context *STATIC_CTX = NULL;
44
45static int all_bytes_equal(const void* s, unsigned char value, size_t n) {
46 const unsigned char *p = s;
47 size_t i;
48
49 for (i = 0; i < n; i++) {
50 if (p[i] != value) {
51 return 0;
52 }
53 }
54 return 1;
55}
56
57#define CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, callback, callback_setter) do { \
58 int32_t _calls_to_callback = 0; \
59 secp256k1_callback _saved_callback = ctx->callback; \
60 callback_setter(ctx, counting_callback_fn, &_calls_to_callback); \
61 { expr_or_stmt; } \
62 ctx->callback = _saved_callback; \
63 CHECK(_calls_to_callback == 1); \
64} while(0);
65
66/* CHECK that expr_or_stmt calls the error or illegal callback of ctx exactly once
67 *
68 * Useful for checking functions that return void (e.g., API functions that use ARG_CHECK_VOID) */
69#define CHECK_ERROR_VOID(ctx, expr_or_stmt) \
70 CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, error_callback, secp256k1_context_set_error_callback)
71#define CHECK_ILLEGAL_VOID(ctx, expr_or_stmt) \
72 CHECK_COUNTING_CALLBACK_VOID(ctx, expr_or_stmt, illegal_callback, secp256k1_context_set_illegal_callback)
73
74/* CHECK that
75 * - expr calls the illegal callback of ctx exactly once and,
76 * - expr == 0 (or equivalently, expr == NULL)
77 *
78 * Useful for checking functions that return an integer or a pointer. */
79#define CHECK_ILLEGAL(ctx, expr) CHECK_ILLEGAL_VOID(ctx, CHECK((expr) == 0))
80#define CHECK_ERROR(ctx, expr) CHECK_ERROR_VOID(ctx, CHECK((expr) == 0))
81
82static void counting_callback_fn(const char* str, void* data) {
83 /* Dummy callback function that just counts. */
84 int32_t *p;
85 (void)str;
86 p = data;
87 CHECK(*p != INT32_MAX);
88 (*p)++;
89}
90
91static void run_xoshiro256pp_tests(void) {
92 {
93 size_t i;
94 /* Sanity check that we run before the actual seeding. */
95 for (i = 0; i < ARRAY_SIZE(secp256k1_test_state); i++) {
96 CHECK(secp256k1_test_state[i] == 0);
97 }
98 }
99 {
100 int i;
101 unsigned char buf32[32];
102 unsigned char seed16[16] = {
103 'C', 'H', 'I', 'C', 'K', 'E', 'N', '!',
104 'C', 'H', 'I', 'C', 'K', 'E', 'N', '!',
105 };
106 unsigned char buf32_expected[32] = {
107 0xAF, 0xCC, 0xA9, 0x16, 0xB5, 0x6C, 0xE3, 0xF0,
108 0x44, 0x3F, 0x45, 0xE0, 0x47, 0xA5, 0x08, 0x36,
109 0x4C, 0xCC, 0xC1, 0x18, 0xB2, 0xD8, 0x8F, 0xEF,
110 0x43, 0x26, 0x15, 0x57, 0x37, 0x00, 0xEF, 0x30,
111 };
112 testrand_seed(seed16);
113 for (i = 0; i < 17; i++) {
114 testrand256(buf32);
115 }
116 CHECK(secp256k1_memcmp_var(buf32, buf32_expected, sizeof(buf32)) == 0);
117 }
118}
119
120static void run_selftest_tests(void) {
121 /* Test public API */
122 secp256k1_selftest();
123}
124
125static int ecmult_gen_context_eq(const secp256k1_ecmult_gen_context *a, const secp256k1_ecmult_gen_context *b) {
126 return a->built == b->built
127 && secp256k1_scalar_eq(&a->scalar_offset, &b->scalar_offset)
128 && secp256k1_ge_eq_var(&a->ge_offset, &b->ge_offset)
129 && secp256k1_fe_equal(&a->proj_blind, &b->proj_blind);
130}
131
132static int context_eq(const secp256k1_context *a, const secp256k1_context *b) {
133 return a->declassify == b->declassify
134 && ecmult_gen_context_eq(&a->ecmult_gen_ctx, &b->ecmult_gen_ctx)
135 && a->hash_ctx.fn_sha256_compression == b->hash_ctx.fn_sha256_compression
136 && a->illegal_callback.fn == b->illegal_callback.fn
137 && a->illegal_callback.data == b->illegal_callback.data
138 && a->error_callback.fn == b->error_callback.fn
139 && a->error_callback.data == b->error_callback.data;
140}
141
142static void run_deprecated_context_flags_test(void) {
143 /* Check that a context created with any of the flags in the flags array is
144 * identical to the NONE context. */
145 unsigned int flags[] = { SECP256K1_CONTEXT_SIGN,
146 SECP256K1_CONTEXT_VERIFY,
147 SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY };
148 secp256k1_context *none_ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
149 int i;
150 for (i = 0; i < (int)(ARRAY_SIZE(flags)); i++) {
151 secp256k1_context *tmp_ctx;
152 CHECK(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE) == secp256k1_context_preallocated_size(flags[i]));
153 tmp_ctx = secp256k1_context_create(flags[i]);
154 CHECK(context_eq(none_ctx, tmp_ctx));
155 secp256k1_context_destroy(tmp_ctx);
156 }
157 secp256k1_context_destroy(none_ctx);
158}
159
160static void run_ec_illegal_argument_tests(void) {
161 secp256k1_pubkey pubkey;
162 secp256k1_pubkey zero_pubkey;
163 secp256k1_ecdsa_signature sig;
164 unsigned char ctmp[32];
165
166 /* Setup */
167 memset(ctmp, 1, 32);
168 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
169
170 /* Verify context-type checking illegal-argument errors. */
171 CHECK_ILLEGAL(STATIC_CTX, secp256k1_ec_pubkey_create(STATIC_CTX, &pubkey, ctmp));
172 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
173 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
174 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
175 CHECK_ILLEGAL(STATIC_CTX, secp256k1_ecdsa_sign(STATIC_CTX, &sig, ctmp, ctmp, NULL, NULL));
176 SECP256K1_CHECKMEM_UNDEFINE(&sig, sizeof(sig));
177 CHECK(secp256k1_ecdsa_sign(CTX, &sig, ctmp, ctmp, NULL, NULL) == 1);
178 SECP256K1_CHECKMEM_CHECK(&sig, sizeof(sig));
179 CHECK(secp256k1_ecdsa_verify(CTX, &sig, ctmp, &pubkey) == 1);
180 CHECK(secp256k1_ecdsa_verify(STATIC_CTX, &sig, ctmp, &pubkey) == 1);
181 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp) == 1);
182 CHECK(secp256k1_ec_pubkey_tweak_add(STATIC_CTX, &pubkey, ctmp) == 1);
183 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp) == 1);
184 CHECK(secp256k1_ec_pubkey_negate(STATIC_CTX, &pubkey) == 1);
185 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey) == 1);
186 CHECK_ILLEGAL(STATIC_CTX, secp256k1_ec_pubkey_negate(STATIC_CTX, &zero_pubkey));
187 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_negate(CTX, NULL));
188 CHECK(secp256k1_ec_pubkey_tweak_mul(STATIC_CTX, &pubkey, ctmp) == 1);
189}
190
191static void run_static_context_tests(int use_prealloc) {
192 /* Check that deprecated secp256k1_context_no_precomp is an alias to secp256k1_context_static. */
193 CHECK(secp256k1_context_no_precomp == secp256k1_context_static);
194
195 {
196 unsigned char seed[32] = {0x17};
197
198 /* Randomizing secp256k1_context_static is not supported. */
199 CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_randomize(STATIC_CTX, seed));
200 CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_randomize(STATIC_CTX, NULL));
201
202 /* Destroying or cloning secp256k1_context_static is not supported. */
203 if (use_prealloc) {
204 CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_preallocated_clone_size(STATIC_CTX));
205 {
206 secp256k1_context *my_static_ctx = malloc(sizeof(*STATIC_CTX));
207 CHECK(my_static_ctx != NULL);
208 memset(my_static_ctx, 0x2a, sizeof(*my_static_ctx));
209 CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_preallocated_clone(STATIC_CTX, my_static_ctx));
210 CHECK(all_bytes_equal(my_static_ctx, 0x2a, sizeof(*my_static_ctx)));
211 free(my_static_ctx);
212 }
213 CHECK_ILLEGAL_VOID(STATIC_CTX, secp256k1_context_preallocated_destroy(STATIC_CTX));
214 } else {
215 CHECK_ILLEGAL(STATIC_CTX, secp256k1_context_clone(STATIC_CTX));
216 CHECK_ILLEGAL_VOID(STATIC_CTX, secp256k1_context_destroy(STATIC_CTX));
217 }
218 }
219
220 {
221 /* Verify that setting and resetting illegal callback works */
222 int32_t dummy = 0;
223 secp256k1_context_set_illegal_callback(STATIC_CTX, counting_callback_fn, &dummy);
224 CHECK(STATIC_CTX->illegal_callback.fn == counting_callback_fn);
225 CHECK(STATIC_CTX->illegal_callback.data == &dummy);
226 secp256k1_context_set_illegal_callback(STATIC_CTX, NULL, NULL);
227 CHECK(STATIC_CTX->illegal_callback.fn == secp256k1_default_illegal_callback_fn);
228 CHECK(STATIC_CTX->illegal_callback.data == NULL);
229 }
230}
231
232static void run_all_static_context_tests(void)
233{
234 run_static_context_tests(0);
235 run_static_context_tests(1);
236}
237
238static void run_proper_context_tests(int use_prealloc) {
239 int32_t dummy = 0;
240 secp256k1_context *my_ctx, *my_ctx_fresh;
241 void *my_ctx_prealloc = NULL;
242 unsigned char seed[32] = {0x17};
243
244 secp256k1_gej pubj;
245 secp256k1_ge pub;
246 secp256k1_scalar msg, key, nonce;
247 secp256k1_scalar sigr, sigs;
248
249 /* Fresh reference context for comparison */
250 my_ctx_fresh = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
251
252 if (use_prealloc) {
253 my_ctx_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
254 CHECK(my_ctx_prealloc != NULL);
255 my_ctx = secp256k1_context_preallocated_create(my_ctx_prealloc, SECP256K1_CONTEXT_NONE);
256 } else {
257 my_ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
258 }
259
260 /* Randomize and reset randomization */
261 CHECK(context_eq(my_ctx, my_ctx_fresh));
262 CHECK(secp256k1_context_randomize(my_ctx, seed) == 1);
263 CHECK(!context_eq(my_ctx, my_ctx_fresh));
264 CHECK(secp256k1_context_randomize(my_ctx, NULL) == 1);
265 CHECK(context_eq(my_ctx, my_ctx_fresh));
266
267 /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
268 secp256k1_context_set_error_callback(my_ctx, secp256k1_default_illegal_callback_fn, NULL);
269 CHECK(my_ctx->error_callback.fn != secp256k1_default_error_callback_fn);
270 CHECK(my_ctx->error_callback.fn == secp256k1_default_illegal_callback_fn);
271
272 /* check if sizes for cloning are consistent */
273 CHECK(secp256k1_context_preallocated_clone_size(my_ctx) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
274
275 /*** clone and destroy all of them to make sure cloning was complete ***/
276 {
277 secp256k1_context *ctx_tmp;
278
279 if (use_prealloc) {
280 /* clone into a non-preallocated context and then again into a new preallocated one. */
281 ctx_tmp = my_ctx;
282 my_ctx = secp256k1_context_clone(my_ctx);
283 CHECK(context_eq(ctx_tmp, my_ctx));
284 secp256k1_context_preallocated_destroy(ctx_tmp);
285
286 free(my_ctx_prealloc);
287 my_ctx_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
288 CHECK(my_ctx_prealloc != NULL);
289 ctx_tmp = my_ctx;
290 my_ctx = secp256k1_context_preallocated_clone(my_ctx, my_ctx_prealloc);
291 CHECK(context_eq(ctx_tmp, my_ctx));
292 secp256k1_context_destroy(ctx_tmp);
293 } else {
294 /* clone into a preallocated context and then again into a new non-preallocated one. */
295 void *prealloc_tmp;
296
297 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
298 CHECK(prealloc_tmp != NULL);
299 ctx_tmp = my_ctx;
300 my_ctx = secp256k1_context_preallocated_clone(my_ctx, prealloc_tmp);
301 CHECK(context_eq(ctx_tmp, my_ctx));
302 secp256k1_context_destroy(ctx_tmp);
303
304 ctx_tmp = my_ctx;
305 my_ctx = secp256k1_context_clone(my_ctx);
306 CHECK(context_eq(ctx_tmp, my_ctx));
307 secp256k1_context_preallocated_destroy(ctx_tmp);
308 free(prealloc_tmp);
309 }
310 }
311
312 /* Verify that the error callback makes it across the clone. */
313 CHECK(my_ctx->error_callback.fn != secp256k1_default_error_callback_fn);
314 CHECK(my_ctx->error_callback.fn == secp256k1_default_illegal_callback_fn);
315 /* And that it resets back to default. */
316 secp256k1_context_set_error_callback(my_ctx, NULL, NULL);
317 CHECK(my_ctx->error_callback.fn == secp256k1_default_error_callback_fn);
318 CHECK(context_eq(my_ctx, my_ctx_fresh));
319
320 /* Verify that setting and resetting illegal callback works */
321 secp256k1_context_set_illegal_callback(my_ctx, counting_callback_fn, &dummy);
322 CHECK(my_ctx->illegal_callback.fn == counting_callback_fn);
323 CHECK(my_ctx->illegal_callback.data == &dummy);
324 secp256k1_context_set_illegal_callback(my_ctx, NULL, NULL);
325 CHECK(my_ctx->illegal_callback.fn == secp256k1_default_illegal_callback_fn);
326 CHECK(my_ctx->illegal_callback.data == NULL);
327 CHECK(context_eq(my_ctx, my_ctx_fresh));
328
329 /*** attempt to use them ***/
330 testutil_random_scalar_order_test(&msg);
331 testutil_random_scalar_order_test(&key);
332 secp256k1_ecmult_gen(&my_ctx->ecmult_gen_ctx, &pubj, &key);
333 secp256k1_ge_set_gej(&pub, &pubj);
334
335 /* obtain a working nonce */
336 do {
337 testutil_random_scalar_order_test(&nonce);
338 } while(!secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
339
340 /* try signing */
341 CHECK(secp256k1_ecdsa_sig_sign(&my_ctx->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
342
343 /* try verifying */
344 CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
345
346 /* cleanup */
347 if (use_prealloc) {
348 secp256k1_context_preallocated_destroy(my_ctx);
349 free(my_ctx_prealloc);
350 } else {
351 secp256k1_context_destroy(my_ctx);
352 }
353 secp256k1_context_destroy(my_ctx_fresh);
354
355 /* Defined as no-op. */
356 secp256k1_context_destroy(NULL);
357 secp256k1_context_preallocated_destroy(NULL);
358}
359
360static void run_all_proper_context_tests(void)
361{
362 run_proper_context_tests(0);
363 run_proper_context_tests(1);
364}
365
366static void run_scratch_tests(void) {
367 const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
368
369 size_t checkpoint;
370 size_t checkpoint_2;
371 secp256k1_scratch_space *scratch;
372 secp256k1_scratch_space local_scratch;
373
374 /* Test public API */
375 scratch = secp256k1_scratch_space_create(CTX, 1000);
376 CHECK(scratch != NULL);
377
378 /* Test internal API */
379 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000);
380 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
381 CHECK(scratch->alloc_size == 0);
382 CHECK(scratch->alloc_size % ALIGNMENT == 0);
383
384 /* Allocating 500 bytes succeeds */
385 checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
386 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL);
387 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc);
388 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
389 CHECK(scratch->alloc_size != 0);
390 CHECK(scratch->alloc_size % ALIGNMENT == 0);
391
392 /* Allocating another 501 bytes fails */
393 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 501) == NULL);
394 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000 - adj_alloc);
395 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
396 CHECK(scratch->alloc_size != 0);
397 CHECK(scratch->alloc_size % ALIGNMENT == 0);
398
399 /* ...but it succeeds once we apply the checkpoint to undo it */
400 secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint);
401 CHECK(scratch->alloc_size == 0);
402 CHECK(secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0) == 1000);
403 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500) != NULL);
404 CHECK(scratch->alloc_size != 0);
405
406 /* try to apply a bad checkpoint */
407 checkpoint_2 = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
408 secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint);
409 CHECK_ERROR_VOID(CTX, secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint_2)); /* checkpoint_2 is after checkpoint */
410 CHECK_ERROR_VOID(CTX, secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, (size_t) -1)); /* this is just wildly invalid */
411
412 /* try to use badly initialized scratch space */
413 secp256k1_scratch_space_destroy(CTX, scratch);
414 memset(&local_scratch, 0, sizeof(local_scratch));
415 scratch = &local_scratch;
416 CHECK_ERROR(CTX, secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, 0));
417 CHECK_ERROR(CTX, secp256k1_scratch_alloc(&CTX->error_callback, scratch, 500));
418 CHECK_ERROR_VOID(CTX, secp256k1_scratch_space_destroy(CTX, scratch));
419
420 /* Test that large integers do not wrap around in a bad way */
421 scratch = secp256k1_scratch_space_create(CTX, 1000);
422 /* Try max allocation with a large number of objects. Only makes sense if
423 * ALIGNMENT is greater than 1 because otherwise the objects take no extra
424 * space. */
425 CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&CTX->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
426 /* Try allocating SIZE_MAX to test wrap around which only happens if
427 * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
428 * space is too small. */
429 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, SIZE_MAX) == NULL);
430 secp256k1_scratch_space_destroy(CTX, scratch);
431
432 /* cleanup */
433 secp256k1_scratch_space_destroy(CTX, NULL); /* no-op */
434}
435
436/* A compression function that does nothing */
437static void invalid_sha256_compression(uint32_t *s, const unsigned char *msg, size_t rounds) {
438 (void)s; (void)msg; (void)rounds;
439}
440
441static int own_transform_called = 0;
442static void good_sha256_compression(uint32_t *s, const unsigned char *msg, size_t rounds) {
443 own_transform_called = 1;
444 secp256k1_sha256_transform(s, msg, rounds);
445}
446
447static void run_plug_sha256_compression_tests(void) {
448 secp256k1_context *ctx, *ctx_cloned;
449 secp256k1_sha256 sha;
450 unsigned char sha_out[32];
451 /* 1) Verify the context is initialized with the default compression function */
452 ctx = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
453 CHECK(ctx->hash_ctx.fn_sha256_compression == secp256k1_sha256_transform);
454
455 /* 2) Verify providing a bad compression function fails during set */
456 CHECK_ILLEGAL_VOID(ctx, secp256k1_context_set_sha256_compression(ctx, invalid_sha256_compression));
457 CHECK(ctx->hash_ctx.fn_sha256_compression == secp256k1_sha256_transform);
458
459 /* 3) Provide sha256 to ctx and verify it is called when provided */
460 own_transform_called = 0;
461 secp256k1_context_set_sha256_compression(ctx, good_sha256_compression);
462 CHECK(own_transform_called);
463
464 /* 4) Verify callback makes it across clone */
465 ctx_cloned = secp256k1_context_clone(ctx);
466 CHECK(ctx_cloned->hash_ctx.fn_sha256_compression == good_sha256_compression);
467
468 /* 5) A hash operation should invoke the installed callback */
469 own_transform_called = 0;
470 secp256k1_sha256_initialize(&sha);
471 secp256k1_sha256_write(secp256k1_get_hash_context(ctx), &sha, (const unsigned char*)"a", 1);
472 secp256k1_sha256_finalize(secp256k1_get_hash_context(ctx), &sha, sha_out);
473 CHECK(own_transform_called);
474
475 /* 6) Unset sha256 and verify the default one is set again */
476 secp256k1_context_set_sha256_compression(ctx, NULL);
477 CHECK(ctx->hash_ctx.fn_sha256_compression == secp256k1_sha256_transform);
478
479 secp256k1_context_destroy(ctx);
480 secp256k1_context_destroy(ctx_cloned);
481}
482
483static void run_sha256_multi_block_compression_tests(void) {
484 secp256k1_hash_ctx hash_ctx;
485 secp256k1_sha256 sha256_one;
486 secp256k1_sha256 sha256_two;
487 unsigned char out_one[32], out_two[32];
488
489 hash_ctx.fn_sha256_compression = secp256k1_sha256_transform;
490
491 { /* 1) Writing one 64-byte full block vs two 32-byte blocks */
492 const unsigned char data[64] = "totally serious test message to hash, definitely no random data";
493 unsigned char data32[32];
494
495 secp256k1_sha256_initialize(&sha256_one);
496 secp256k1_sha256_initialize(&sha256_two);
497
498 /* Write the 64-byte block */
499 secp256k1_sha256_write(&hash_ctx, &sha256_one, data, 64);
500 secp256k1_sha256_finalize(&hash_ctx, &sha256_one, out_one);
501
502 /* Write the two 32-byte blocks */
503 memcpy(data32, data, 32);
504 secp256k1_sha256_write(&hash_ctx, &sha256_two, data32, 32);
505 memcpy(data32, data + 32, 32);
506 secp256k1_sha256_write(&hash_ctx, &sha256_two, data32, 32);
507 secp256k1_sha256_finalize(&hash_ctx, &sha256_two, out_two);
508
509 CHECK(secp256k1_memcmp_var(out_one, out_two, 32) == 0);
510 }
511
512 { /* 2) Writing one 80-byte block vs two 40-byte blocks */
513 const unsigned char data[80] = "Genesis: The Times 03/Jan/2009 Chancellor on brink of second bailout for banks ";
514 unsigned char data40[40];
515
516 secp256k1_sha256_initialize(&sha256_one);
517 secp256k1_sha256_initialize(&sha256_two);
518
519 /* Write the 80-byte block */
520 secp256k1_sha256_write(&hash_ctx, &sha256_one, data, 80);
521 secp256k1_sha256_finalize(&hash_ctx, &sha256_one, out_one);
522
523 /* Write the two 40-byte blocks */
524 memcpy(data40, data, 40);
525 secp256k1_sha256_write(&hash_ctx, &sha256_two, data40, 40);
526 memcpy(data40, data + 40, 40);
527 secp256k1_sha256_write(&hash_ctx, &sha256_two, data40, 40);
528 secp256k1_sha256_finalize(&hash_ctx, &sha256_two, out_two);
529
530 CHECK(secp256k1_memcmp_var(out_one, out_two, 32) == 0);
531 }
532
533 { /* 3) Writing multiple consecutive full blocks in one write (128 bytes) */
534 unsigned char data[128];
535 unsigned char i;
536 for (i = 0; i < 128; i++) data[i] = i;
537
538 secp256k1_sha256_initialize(&sha256_one);
539 secp256k1_sha256_initialize(&sha256_two);
540
541 /* Single write of 128 bytes (two full 64-byte blocks) */
542 secp256k1_sha256_write(&hash_ctx, &sha256_one, data, 128);
543 secp256k1_sha256_finalize(&hash_ctx, &sha256_one, out_one);
544
545 /* Two separate writes of 64 bytes each */
546 secp256k1_sha256_write(&hash_ctx, &sha256_two, data, 64);
547 secp256k1_sha256_write(&hash_ctx, &sha256_two, data + 64, 64);
548 secp256k1_sha256_finalize(&hash_ctx, &sha256_two, out_two);
549
550 CHECK(secp256k1_memcmp_var(out_one, out_two, 32) == 0);
551 }
552
553 { /* 4) Mixed small + large writes in sequence */
554 unsigned char data[150];
555 unsigned char i;
556 for (i = 0; i < 150; i++) data[i] = i;
557
558 secp256k1_sha256_initialize(&sha256_one);
559 secp256k1_sha256_initialize(&sha256_two);
560
561 /* Single write of 150 bytes */
562 secp256k1_sha256_write(&hash_ctx, &sha256_one, data, 150);
563 secp256k1_sha256_finalize(&hash_ctx, &sha256_one, out_one);
564
565 /* Split writes: 10, 64, 64, 12 bytes */
566 secp256k1_sha256_write(&hash_ctx, &sha256_two, data, 10);
567 secp256k1_sha256_write(&hash_ctx, &sha256_two, data + 10, 64);
568 secp256k1_sha256_write(&hash_ctx, &sha256_two, data + 74, 64);
569 secp256k1_sha256_write(&hash_ctx, &sha256_two, data + 138, 12);
570 secp256k1_sha256_finalize(&hash_ctx, &sha256_two, out_two);
571
572 CHECK(secp256k1_memcmp_var(out_one, out_two, 32) == 0);
573 }
574}
575
576static void run_ctz_tests(void) {
577 static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129};
578 static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef};
579 int shift;
580 unsigned i;
581 for (i = 0; i < ARRAY_SIZE(b32); ++i) {
582 for (shift = 0; shift < 32; ++shift) {
583 CHECK(secp256k1_ctz32_var_debruijn(b32[i] << shift) == shift);
584 CHECK(secp256k1_ctz32_var(b32[i] << shift) == shift);
585 }
586 }
587 for (i = 0; i < ARRAY_SIZE(b64); ++i) {
588 for (shift = 0; shift < 64; ++shift) {
589 CHECK(secp256k1_ctz64_var_debruijn(b64[i] << shift) == shift);
590 CHECK(secp256k1_ctz64_var(b64[i] << shift) == shift);
591 }
592 }
593}
594
595/***** HASH TESTS *****/
596
597static void run_sha256_known_output_tests(void) {
598 const secp256k1_hash_ctx *hash_ctx = secp256k1_get_hash_context(CTX);
599 static const char *inputs[] = {
600 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
601 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
602 "For this sample, this 63-byte string will be used as input data",
603 "This is exactly 64 bytes long, not counting the terminating byte",
604 "aaaaa",
605 };
606 static const unsigned int repeat[] = {
607 1, 1, 1, 1, 1, 1, 1, 1, 1000000/5
608 };
609 static const unsigned char outputs[][32] = {
610 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
611 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
612 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
613 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
614 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
615 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
616 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
617 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8},
618 {0xcd, 0xc7, 0x6e, 0x5c, 0x99, 0x14, 0xfb, 0x92, 0x81, 0xa1, 0xc7, 0xe2, 0x84, 0xd7, 0x3e, 0x67, 0xf1, 0x80, 0x9a, 0x48, 0xa4, 0x97, 0x20, 0x0e, 0x04, 0x6d, 0x39, 0xcc, 0xc7, 0x11, 0x2c, 0xd0},
619 };
620 unsigned int i, ninputs;
621
622 /* Skip last input vector for low iteration counts */
623 ninputs = ARRAY_SIZE(inputs) - 1;
624 CONDITIONAL_TEST(16, "run_sha256_known_output_tests 1000000") ninputs++;
625
626 for (i = 0; i < ninputs; i++) {
627 unsigned char out[32];
628 secp256k1_sha256 hasher;
629 unsigned int j;
630 /* 1. Run: simply write the input bytestrings */
631 j = repeat[i];
632 secp256k1_sha256_initialize(&hasher);
633 while (j > 0) {
634 secp256k1_sha256_write(hash_ctx, &hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
635 j--;
636 }
637 secp256k1_sha256_finalize(hash_ctx, &hasher, out);
638 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
639 /* 2. Run: split the input bytestrings randomly before writing */
640 if (strlen(inputs[i]) > 0) {
641 int split = testrand_int(strlen(inputs[i]));
642 secp256k1_sha256_initialize(&hasher);
643 j = repeat[i];
644 while (j > 0) {
645 secp256k1_sha256_write(hash_ctx, &hasher, (const unsigned char*)(inputs[i]), split);
646 secp256k1_sha256_write(hash_ctx, &hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
647 j--;
648 }
649 secp256k1_sha256_finalize(hash_ctx, &hasher, out);
650 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
651 }
652 }
653}
654
699static void run_sha256_counter_tests(void) {
700 static const char *input = "abcdefghbcdefghicdefghijdefghijkefghijklfghijklmghijklmnhijklmno";
701 static const secp256k1_sha256 midstates[] = {
702 {{0xa2b5c8bb, 0x26c88bb3, 0x2abdc3d2, 0x9def99a3, 0xdfd21a6e, 0x41fe585b, 0x7ef2c440, 0x2b79adda},
703 {0x00}, 0xfffc0},
704 {{0xa0d29445, 0x9287de66, 0x76aabd71, 0x41acd765, 0x0c7528b4, 0x84e14906, 0x942faec6, 0xcc5a7b26},
705 {0x00}, 0x1fffc0},
706 {{0x50449526, 0xb9f1d657, 0xa0fc13e9, 0x50860f10, 0xa550c431, 0x3fbc97c1, 0x7bbb2d89, 0xdb67bac1},
707 {0x00}, 0x3fffc0},
708 {{0x54a6efdc, 0x46762e7b, 0x88bfe73f, 0xbbd149c7, 0x41620c43, 0x1168da7b, 0x2c5960f9, 0xeccffda6},
709 {0x00}, 0x7fffc0},
710 {{0x2515a8f5, 0x5faa2977, 0x3a850486, 0xac858cad, 0x7b7276ee, 0x235c0385, 0xc53a157c, 0x7cb3e69c},
711 {0x00}, 0xffffc0},
712 {{0x34f39828, 0x409fedb7, 0x4bbdd0fb, 0x3b643634, 0x7806bf2e, 0xe0d1b713, 0xca3f2e1e, 0xe38722c2},
713 {0x00}, 0x1ffffc0},
714 {{0x389ef5c5, 0x38c54167, 0x8f5d56ab, 0x582a75cc, 0x8217caef, 0xf10947dd, 0x6a1998a8, 0x048f0b8c},
715 {0x00}, 0x3ffffc0},
716 {{0xd6c3f394, 0x0bee43b9, 0x6783f497, 0x29fa9e21, 0x6ce491c1, 0xa81fe45e, 0x2fc3859a, 0x269012d0},
717 {0x00}, 0x7ffffc0},
718 {{0x6dd3c526, 0x44d88aa0, 0x806a1bae, 0xfbcc0d32, 0x9d6144f3, 0x9d2bd757, 0x9851a957, 0xb50430ad},
719 {0x00}, 0xfffffc0},
720 {{0x2add4021, 0xdfe8a9e6, 0xa56317c6, 0x7a15f5bb, 0x4a48aacd, 0x5d368414, 0x4f00e6f0, 0xd9355023},
721 {0x00}, 0x1fffffc0},
722 {{0xb66666b4, 0xdbeac32b, 0x0ea351ae, 0xcba9da46, 0x6278b874, 0x8c508e23, 0xe16ca776, 0x8465bac1},
723 {0x00}, 0x3fffffc0},
724 {{0xb6744789, 0x9cce87aa, 0xc4c478b7, 0xf38404d8, 0x2e38ba62, 0xa3f7019b, 0x50458fe7, 0x3047dbec},
725 {0x00}, 0x7fffffc0},
726 {{0x8b1297ba, 0xba261a80, 0x2ba1b0dd, 0xfbc67d6d, 0x61072c4e, 0x4b5a2a0f, 0x52872760, 0x2dfeb162},
727 {0x00}, 0xffffffc0},
728 {{0x24f33cf7, 0x41ad6583, 0x41c8ff5d, 0xca7ef35f, 0x50395756, 0x021b743e, 0xd7126cd7, 0xd037473a},
729 {0x00}, 0x1ffffffc0},
730 };
731 static const unsigned char outputs[][32] = {
732 {0x0e, 0x83, 0xe2, 0xc9, 0x4f, 0xb2, 0xb8, 0x2b, 0x89, 0x06, 0x92, 0x78, 0x04, 0x03, 0x48, 0x5c, 0x48, 0x44, 0x67, 0x61, 0x77, 0xa4, 0xc7, 0x90, 0x9e, 0x92, 0x55, 0x10, 0x05, 0xfe, 0x39, 0x15},
733 {0x1d, 0x1e, 0xd7, 0xb8, 0xa3, 0xa7, 0x8a, 0x79, 0xfd, 0xa0, 0x05, 0x08, 0x9c, 0xeb, 0xf0, 0xec, 0x67, 0x07, 0x9f, 0x8e, 0x3c, 0x0d, 0x8e, 0xf9, 0x75, 0x55, 0x13, 0xc1, 0xe8, 0x77, 0xf8, 0xbb},
734 {0x66, 0x95, 0x6c, 0xc9, 0xe0, 0x39, 0x65, 0xb6, 0xb0, 0x05, 0xd1, 0xaf, 0xaf, 0xf3, 0x1d, 0xb9, 0xa4, 0xda, 0x6f, 0x20, 0xcd, 0x3a, 0xae, 0x64, 0xc2, 0xdb, 0xee, 0xf5, 0xb8, 0x8d, 0x57, 0x0e},
735 {0x3c, 0xbb, 0x1c, 0x12, 0x5e, 0x17, 0xfd, 0x54, 0x90, 0x45, 0xa7, 0x7b, 0x61, 0x6c, 0x1d, 0xfe, 0xe6, 0xcc, 0x7f, 0xee, 0xcf, 0xef, 0x33, 0x35, 0x50, 0x62, 0x16, 0x70, 0x2f, 0x87, 0xc3, 0xc9},
736 {0x53, 0x4d, 0xa8, 0xe7, 0x1e, 0x98, 0x73, 0x8d, 0xd9, 0xa3, 0x54, 0xa5, 0x0e, 0x59, 0x2c, 0x25, 0x43, 0x6f, 0xaa, 0xa2, 0xf5, 0x21, 0x06, 0x3e, 0xc9, 0x82, 0x06, 0x94, 0x98, 0x72, 0x9d, 0xa7},
737 {0xef, 0x7e, 0xe9, 0x6b, 0xd3, 0xe5, 0xb7, 0x41, 0x4c, 0xc8, 0xd3, 0x07, 0x52, 0x9a, 0x5a, 0x8b, 0x4e, 0x1e, 0x75, 0xa4, 0x17, 0x78, 0xc8, 0x36, 0xcd, 0xf8, 0x2e, 0xd9, 0x57, 0xe3, 0xd7, 0x07},
738 {0x87, 0x16, 0xfb, 0xf9, 0xa5, 0xf8, 0xc4, 0x56, 0x2b, 0x48, 0x52, 0x8e, 0x2d, 0x30, 0x85, 0xb6, 0x4c, 0x56, 0xb5, 0xd1, 0x16, 0x9c, 0xcf, 0x32, 0x95, 0xad, 0x03, 0xe8, 0x05, 0x58, 0x06, 0x76},
739 {0x75, 0x03, 0x80, 0x28, 0xf2, 0xa7, 0x63, 0x22, 0x1a, 0x26, 0x9c, 0x68, 0xe0, 0x58, 0xfc, 0x73, 0xeb, 0x42, 0xf6, 0x86, 0x16, 0x24, 0x4b, 0xbc, 0x24, 0xf7, 0x02, 0xc8, 0x3d, 0x90, 0xe2, 0xb0},
740 {0xdf, 0x49, 0x0f, 0x15, 0x7b, 0x7d, 0xbf, 0xe0, 0xd4, 0xcf, 0x47, 0xc0, 0x80, 0x93, 0x4a, 0x61, 0xaa, 0x03, 0x07, 0x66, 0xb3, 0x38, 0x5d, 0xc8, 0xc9, 0x07, 0x61, 0xfb, 0x97, 0x10, 0x2f, 0xd8},
741 {0x77, 0x19, 0x40, 0x56, 0x41, 0xad, 0xbc, 0x59, 0xda, 0x1e, 0xc5, 0x37, 0x14, 0x63, 0x7b, 0xfb, 0x79, 0xe2, 0x7a, 0xb1, 0x55, 0x42, 0x99, 0x42, 0x56, 0xfe, 0x26, 0x9d, 0x0f, 0x7e, 0x80, 0xc6},
742 {0x50, 0xe7, 0x2a, 0x0e, 0x26, 0x44, 0x2f, 0xe2, 0x55, 0x2d, 0xc3, 0x93, 0x8a, 0xc5, 0x86, 0x58, 0x22, 0x8c, 0x0c, 0xbf, 0xb1, 0xd2, 0xca, 0x87, 0x2a, 0xe4, 0x35, 0x26, 0x6f, 0xcd, 0x05, 0x5e},
743 {0xe4, 0x80, 0x6f, 0xdb, 0x3d, 0x7d, 0xba, 0xde, 0x50, 0x3f, 0xea, 0x00, 0x3d, 0x46, 0x59, 0x64, 0xfd, 0x58, 0x1c, 0xa1, 0xb8, 0x7d, 0x5f, 0xac, 0x94, 0x37, 0x9e, 0xa0, 0xc0, 0x9c, 0x93, 0x8b},
744 {0x2c, 0xf3, 0xa9, 0xf6, 0x15, 0x25, 0x80, 0x70, 0x76, 0x99, 0x7d, 0xf1, 0xc3, 0x2f, 0xa3, 0x31, 0xff, 0x92, 0x35, 0x2e, 0x8d, 0x04, 0x13, 0x33, 0xd8, 0x0d, 0xdb, 0x4a, 0xf6, 0x8c, 0x03, 0x34},
745 {0xec, 0x12, 0x24, 0x9f, 0x35, 0xa4, 0x29, 0x8b, 0x9e, 0x4a, 0x95, 0xf8, 0x61, 0xaf, 0x61, 0xc5, 0x66, 0x55, 0x3e, 0x3f, 0x2a, 0x98, 0xea, 0x71, 0x16, 0x6b, 0x1c, 0xd9, 0xe4, 0x09, 0xd2, 0x8e},
746 };
747 const secp256k1_hash_ctx *hash_ctx = secp256k1_get_hash_context(CTX);
748 unsigned int i;
749 for (i = 0; i < ARRAY_SIZE(midstates); i++) {
750 unsigned char out[32];
751 secp256k1_sha256 hasher = midstates[i];
752 secp256k1_sha256_write(hash_ctx, &hasher, (const unsigned char*)input, strlen(input));
753 secp256k1_sha256_finalize(hash_ctx, &hasher, out);
754 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
755 }
756}
757
758/* Tests for the equality of two sha256 structs. This function only produces a
759 * correct result if an integer multiple of 64 many bytes have been written
760 * into the hash functions. This function is used by some module tests. */
761static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2) {
762 /* Is buffer fully consumed? */
763 CHECK((sha1->bytes & 0x3F) == 0);
764
765 CHECK(sha1->bytes == sha2->bytes);
766 CHECK(secp256k1_memcmp_var(sha1->s, sha2->s, sizeof(sha1->s)) == 0);
767}
768/* Convenience function for using test_sha256_eq to verify the correctness of a
769 * tagged hash midstate. This function is used by some module tests. */
770static void test_sha256_tag_midstate(const secp256k1_hash_ctx *hash_ctx, secp256k1_sha256 *sha_tagged, const unsigned char *tag, size_t taglen) {
771 secp256k1_sha256 sha;
772 secp256k1_sha256_initialize_tagged(hash_ctx, &sha, tag, taglen);
773 test_sha256_eq(&sha, sha_tagged);
774}
775
776static void run_hmac_sha256_tests(void) {
777 static const char *keys[6] = {
778 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
779 "\x4a\x65\x66\x65",
780 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
781 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
782 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
783 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
784 };
785 static const char *inputs[6] = {
786 "\x48\x69\x20\x54\x68\x65\x72\x65",
787 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
788 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
789 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
790 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
791 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
792 };
793 static const unsigned char outputs[6][32] = {
794 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
795 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
796 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
797 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
798 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
799 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
800 };
801 int i;
802 const secp256k1_hash_ctx *hash_ctx = secp256k1_get_hash_context(CTX);
803 for (i = 0; i < 6; i++) {
804 secp256k1_hmac_sha256 hasher;
805 unsigned char out[32];
806 secp256k1_hmac_sha256_initialize(hash_ctx, &hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
807 secp256k1_hmac_sha256_write(hash_ctx, &hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
808 secp256k1_hmac_sha256_finalize(hash_ctx, &hasher, out);
809 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
810 if (strlen(inputs[i]) > 0) {
811 int split = testrand_int(strlen(inputs[i]));
812 secp256k1_hmac_sha256_initialize(hash_ctx, &hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
813 secp256k1_hmac_sha256_write(hash_ctx, &hasher, (const unsigned char*)(inputs[i]), split);
814 secp256k1_hmac_sha256_write(hash_ctx, &hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
815 secp256k1_hmac_sha256_finalize(hash_ctx, &hasher, out);
816 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
817 }
818 }
819}
820
821static void run_rfc6979_hmac_sha256_tests(void) {
822 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
823 static const unsigned char out1[3][32] = {
824 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
825 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
826 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
827 };
828
829 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
830 static const unsigned char out2[3][32] = {
831 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
832 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
833 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
834 };
835
836 const secp256k1_hash_ctx *hash_ctx = secp256k1_get_hash_context(CTX);
837 secp256k1_rfc6979_hmac_sha256 rng;
838 unsigned char out[32];
839 int i;
840
841 secp256k1_rfc6979_hmac_sha256_initialize(hash_ctx, &rng, key1, 64);
842 for (i = 0; i < 3; i++) {
843 secp256k1_rfc6979_hmac_sha256_generate(hash_ctx, &rng, out, 32);
844 CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
845 }
846 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
847
848 secp256k1_rfc6979_hmac_sha256_initialize(hash_ctx, &rng, key1, 65);
849 for (i = 0; i < 3; i++) {
850 secp256k1_rfc6979_hmac_sha256_generate(hash_ctx, &rng, out, 32);
851 CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
852 }
853 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
854
855 secp256k1_rfc6979_hmac_sha256_initialize(hash_ctx, &rng, key2, 64);
856 for (i = 0; i < 3; i++) {
857 secp256k1_rfc6979_hmac_sha256_generate(hash_ctx, &rng, out, 32);
858 CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
859 }
860 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
861}
862
863static void run_tagged_sha256_tests(void) {
864 unsigned char tag[32] = { 0 };
865 unsigned char msg[32] = { 0 };
866 unsigned char hash32[32];
867 unsigned char hash_expected[32] = {
868 0x04, 0x7A, 0x5E, 0x17, 0xB5, 0x86, 0x47, 0xC1,
869 0x3C, 0xC6, 0xEB, 0xC0, 0xAA, 0x58, 0x3B, 0x62,
870 0xFB, 0x16, 0x43, 0x32, 0x68, 0x77, 0x40, 0x6C,
871 0xE2, 0x76, 0x55, 0x9A, 0x3B, 0xDE, 0x55, 0xB3
872 };
873
874 /* API test */
875 CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), msg, sizeof(msg)) == 1);
876 CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, NULL, tag, sizeof(tag), msg, sizeof(msg)));
877 CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, hash32, NULL, 0, msg, sizeof(msg)));
878 CHECK_ILLEGAL(CTX, secp256k1_tagged_sha256(CTX, hash32, tag, sizeof(tag), NULL, 0));
879
880 /* Static test vector */
881 memcpy(tag, "tag", 3);
882 memcpy(msg, "msg", 3);
883 CHECK(secp256k1_tagged_sha256(CTX, hash32, tag, 3, msg, 3) == 1);
884 CHECK(secp256k1_memcmp_var(hash32, hash_expected, sizeof(hash32)) == 0);
885}
886
887static void run_sha256_initialize_midstate_tests(void) {
888 /* Midstate for the tagged hash with tag "sha256_midstate_test_tag". */
889 static const unsigned char tag[] = "sha256_midstate_test_tag";
890 static const uint32_t midstate[8] = {
891 0xa9ec59eaul, 0x9b4c2ffful, 0x400821e2ul, 0x0dcf3847ul,
892 0xbe7ea179ul, 0xa5772bdcul, 0x7d29bfe3ul, 0xa486b855ul
893 };
894 const secp256k1_hash_ctx *hash_ctx = secp256k1_get_hash_context(CTX);
895 secp256k1_sha256 sha;
896
897 secp256k1_sha256_initialize_midstate(&sha, 64, midstate);
898 test_sha256_tag_midstate(hash_ctx, &sha, tag, sizeof(tag) - 1);
899}
900
901/***** MODINV TESTS *****/
902
903/* Compute the modular inverse of (odd) x mod 2^64. */
904static uint64_t modinv2p64(uint64_t x) {
905 /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See
906 * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for
907 * why. Start with L=0, for which it is true for every odd x that
908 * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */
909 int l;
910 uint64_t w = 1;
911 CHECK(x & 1);
912 for (l = 0; l < 6; ++l) w *= (2 - w*x);
913 return w;
914}
915
916
917/* compute out = (a*b) mod m; if b=NULL, treat b=1; if m=NULL, treat m=infinity.
918 *
919 * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other
920 * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */
921static void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) {
922 uint16_t mul[32];
923 uint64_t c = 0;
924 int i, j;
925 int m_bitlen = 0;
926 int mul_bitlen = 0;
927
928 if (b != NULL) {
929 /* Compute the product of a and b, and put it in mul. */
930 for (i = 0; i < 32; ++i) {
931 for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) {
932 c += (uint64_t)a[j] * b[i - j];
933 }
934 mul[i] = c & 0xFFFF;
935 c >>= 16;
936 }
937 CHECK(c == 0);
938
939 /* compute the highest set bit in mul */
940 for (i = 511; i >= 0; --i) {
941 if ((mul[i >> 4] >> (i & 15)) & 1) {
942 mul_bitlen = i;
943 break;
944 }
945 }
946 } else {
947 /* if b==NULL, set mul=a. */
948 memcpy(mul, a, 32);
949 memset(mul + 16, 0, 32);
950 /* compute the highest set bit in mul */
951 for (i = 255; i >= 0; --i) {
952 if ((mul[i >> 4] >> (i & 15)) & 1) {
953 mul_bitlen = i;
954 break;
955 }
956 }
957 }
958
959 if (m) {
960 /* Compute the highest set bit in m. */
961 for (i = 255; i >= 0; --i) {
962 if ((m[i >> 4] >> (i & 15)) & 1) {
963 m_bitlen = i;
964 break;
965 }
966 }
967
968 /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */
969 for (i = mul_bitlen - m_bitlen; i >= 0; --i) {
970 uint16_t mul2[32];
971 int64_t cs;
972
973 /* Compute mul2 = mul - m<<i. */
974 cs = 0; /* accumulator */
975 for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */
976 /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */
977 uint16_t sub = 0;
978 int p;
979 for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */
980 int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */
981 if (bitpos >= 0 && bitpos < 256) {
982 sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p;
983 }
984 }
985 /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */
986 cs += mul[j];
987 cs -= sub;
988 mul2[j] = (cs & 0xFFFF);
989 cs >>= 16;
990 }
991 /* If remainder of subtraction is 0, set mul = mul2. */
992 if (cs == 0) {
993 memcpy(mul, mul2, sizeof(mul));
994 }
995 }
996 /* Sanity check: test that all limbs higher than m's highest are zero */
997 for (i = (m_bitlen >> 4) + 1; i < 32; ++i) {
998 CHECK(mul[i] == 0);
999 }
1000 }
1001 memcpy(out, mul, 32);
1002}
1003
1004/* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */
1005static void uint16_to_signed30(secp256k1_modinv32_signed30* out, const uint16_t* in) {
1006 int i;
1007 memset(out->v, 0, sizeof(out->v));
1008 for (i = 0; i < 256; ++i) {
1009 out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30);
1010 }
1011}
1012
1013/* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */
1014static void signed30_to_uint16(uint16_t* out, const secp256k1_modinv32_signed30* in) {
1015 int i;
1016 memset(out, 0, 32);
1017 for (i = 0; i < 256; ++i) {
1018 out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15);
1019 }
1020}
1021
1022/* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */
1023static void mutate_sign_signed30(secp256k1_modinv32_signed30* x) {
1024 int i;
1025 for (i = 0; i < 16; ++i) {
1026 int pos = testrand_bits(3);
1027 if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) {
1028 x->v[pos] -= 0x40000000;
1029 x->v[pos + 1] += 1;
1030 } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) {
1031 x->v[pos] += 0x40000000;
1032 x->v[pos + 1] -= 1;
1033 }
1034 }
1035}
1036
1037/* Test secp256k1_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */
1038static void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
1039 uint16_t tmp[16];
1040 secp256k1_modinv32_signed30 x;
1041 secp256k1_modinv32_modinfo m;
1042 int i, vartime, nonzero;
1043
1044 uint16_to_signed30(&x, in);
1045 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0;
1046 uint16_to_signed30(&m.modulus, mod);
1047
1048 /* compute 1/modulus mod 2^30 */
1049 m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff;
1050 CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1);
1051
1052 /* Test secp256k1_jacobi32_maybe_var. */
1053 if (nonzero) {
1054 int jac;
1055 uint16_t sqr[16], negone[16];
1056 mulmod256(sqr, in, in, mod);
1057 uint16_to_signed30(&x, sqr);
1058 /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */
1059 jac = secp256k1_jacobi32_maybe_var(&x, &m);
1060 CHECK(jac == 0 || jac == 1);
1061 /* Then compute the jacobi symbol of -(in^2). x and -x have opposite
1062 * jacobi symbols if and only if (mod % 4) == 3. */
1063 negone[0] = mod[0] - 1;
1064 for (i = 1; i < 16; ++i) negone[i] = mod[i];
1065 mulmod256(sqr, sqr, negone, mod);
1066 uint16_to_signed30(&x, sqr);
1067 jac = secp256k1_jacobi32_maybe_var(&x, &m);
1068 CHECK(jac == 0 || jac == 1 - (mod[0] & 2));
1069 }
1070
1071 uint16_to_signed30(&x, in);
1072 mutate_sign_signed30(&m.modulus);
1073 for (vartime = 0; vartime < 2; ++vartime) {
1074 /* compute inverse */
1075 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
1076
1077 /* produce output */
1078 signed30_to_uint16(out, &x);
1079
1080 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1081 mulmod256(tmp, out, in, mod);
1082 CHECK(tmp[0] == nonzero);
1083 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1084
1085 /* invert again */
1086 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
1087
1088 /* check if the result is equal to the input */
1089 signed30_to_uint16(tmp, &x);
1090 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1091 }
1092}
1093
1094#ifdef SECP256K1_WIDEMUL_INT128
1095/* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */
1096static void uint16_to_signed62(secp256k1_modinv64_signed62* out, const uint16_t* in) {
1097 int i;
1098 memset(out->v, 0, sizeof(out->v));
1099 for (i = 0; i < 256; ++i) {
1100 out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62);
1101 }
1102}
1103
1104/* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */
1105static void signed62_to_uint16(uint16_t* out, const secp256k1_modinv64_signed62* in) {
1106 int i;
1107 memset(out, 0, 32);
1108 for (i = 0; i < 256; ++i) {
1109 out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15);
1110 }
1111}
1112
1113/* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */
1114static void mutate_sign_signed62(secp256k1_modinv64_signed62* x) {
1115 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1116 int i;
1117 for (i = 0; i < 8; ++i) {
1118 int pos = testrand_bits(2);
1119 if (x->v[pos] > 0 && x->v[pos + 1] <= M62) {
1120 x->v[pos] -= (M62 + 1);
1121 x->v[pos + 1] += 1;
1122 } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) {
1123 x->v[pos] += (M62 + 1);
1124 x->v[pos + 1] -= 1;
1125 }
1126 }
1127}
1128
1129/* Test secp256k1_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */
1130static void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
1131 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
1132 uint16_t tmp[16];
1133 secp256k1_modinv64_signed62 x;
1134 secp256k1_modinv64_modinfo m;
1135 int i, vartime, nonzero;
1136
1137 uint16_to_signed62(&x, in);
1138 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0;
1139 uint16_to_signed62(&m.modulus, mod);
1140
1141 /* compute 1/modulus mod 2^62 */
1142 m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62;
1143 CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1);
1144
1145 /* Test secp256k1_jacobi64_maybe_var. */
1146 if (nonzero) {
1147 int jac;
1148 uint16_t sqr[16], negone[16];
1149 mulmod256(sqr, in, in, mod);
1150 uint16_to_signed62(&x, sqr);
1151 /* Compute jacobi symbol of in^2, which must be 1 (or uncomputable). */
1152 jac = secp256k1_jacobi64_maybe_var(&x, &m);
1153 CHECK(jac == 0 || jac == 1);
1154 /* Then compute the jacobi symbol of -(in^2). x and -x have opposite
1155 * jacobi symbols if and only if (mod % 4) == 3. */
1156 negone[0] = mod[0] - 1;
1157 for (i = 1; i < 16; ++i) negone[i] = mod[i];
1158 mulmod256(sqr, sqr, negone, mod);
1159 uint16_to_signed62(&x, sqr);
1160 jac = secp256k1_jacobi64_maybe_var(&x, &m);
1161 CHECK(jac == 0 || jac == 1 - (mod[0] & 2));
1162 }
1163
1164 uint16_to_signed62(&x, in);
1165 mutate_sign_signed62(&m.modulus);
1166 for (vartime = 0; vartime < 2; ++vartime) {
1167 /* compute inverse */
1168 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1169
1170 /* produce output */
1171 signed62_to_uint16(out, &x);
1172
1173 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
1174 mulmod256(tmp, out, in, mod);
1175 CHECK(tmp[0] == nonzero);
1176 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
1177
1178 /* invert again */
1179 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
1180
1181 /* check if the result is equal to the input */
1182 signed62_to_uint16(tmp, &x);
1183 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
1184 }
1185}
1186#endif
1187
1188/* test if a and b are coprime */
1189static int coprime(const uint16_t* a, const uint16_t* b) {
1190 uint16_t x[16], y[16], t[16];
1191 int i;
1192 int iszero;
1193 memcpy(x, a, 32);
1194 memcpy(y, b, 32);
1195
1196 /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */
1197 while (1) {
1198 iszero = 1;
1199 for (i = 0; i < 16; ++i) {
1200 if (x[i] != 0) {
1201 iszero = 0;
1202 break;
1203 }
1204 }
1205 if (iszero) break;
1206 mulmod256(t, y, NULL, x);
1207 memcpy(y, x, 32);
1208 memcpy(x, t, 32);
1209 }
1210
1211 /* return whether y=1 */
1212 if (y[0] != 1) return 0;
1213 for (i = 1; i < 16; ++i) {
1214 if (y[i] != 0) return 0;
1215 }
1216 return 1;
1217}
1218
1219static void run_modinv_tests(void) {
1220 /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */
1221 static const uint16_t CASES[][3][16] = {
1222 /* Test cases triggering edge cases in divsteps */
1223
1224 /* Test case known to need 713 divsteps */
1225 {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477,
1226 0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e},
1227 {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54,
1228 0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b},
1229 {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab,
1230 0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}},
1231 /* Test case known to need 589 divsteps, reaching delta=-140 and
1232 delta=141. */
1233 {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9,
1234 0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c},
1235 {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da,
1236 0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3},
1237 {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0,
1238 0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}},
1239 /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */
1240 {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94,
1241 0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040},
1242 {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d,
1243 0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3},
1244 {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005,
1245 0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}},
1246 /* example needing 713 divsteps; delta=-2..3 */
1247 {{0xe2e9, 0xee91, 0x4345, 0xe5ad, 0xf3ec, 0x8f42, 0x0364, 0xd5c9,
1248 0xff49, 0xbef5, 0x4544, 0x4c7c, 0xae4b, 0xfd9d, 0xb35b, 0xda9d},
1249 {0x36e7, 0x8cca, 0x2ed0, 0x47b3, 0xaca4, 0xb374, 0x7d2a, 0x0772,
1250 0x6bdb, 0xe0a7, 0x900b, 0xfe10, 0x788c, 0x6f22, 0xd909, 0xf298},
1251 {0xd8c6, 0xba39, 0x13ed, 0x198c, 0x16c8, 0xb837, 0xa5f2, 0x9797,
1252 0x0113, 0x882a, 0x15b5, 0x324c, 0xabee, 0xe465, 0x8170, 0x85ac}},
1253 /* example needing 713 divsteps; delta=-2..3 */
1254 {{0xd5b7, 0x2966, 0x040e, 0xf59a, 0x0387, 0xd96d, 0xbfbc, 0xd850,
1255 0x2d96, 0x872a, 0xad81, 0xc03c, 0xbb39, 0xb7fa, 0xd904, 0xef78},
1256 {0x6279, 0x4314, 0xfdd3, 0x1568, 0x0982, 0x4d13, 0x625f, 0x010c,
1257 0x22b1, 0x0cc3, 0xf22d, 0x5710, 0x1109, 0x5751, 0x7714, 0xfcf2},
1258 {0xdb13, 0x5817, 0x232e, 0xe456, 0xbbbc, 0x6fbe, 0x4572, 0xa358,
1259 0xc76d, 0x928e, 0x0162, 0x5314, 0x8325, 0x5683, 0xe21b, 0xda88}},
1260 /* example needing 713 divsteps; delta=-2..3 */
1261 {{0xa06f, 0x71ee, 0x3bac, 0x9ebb, 0xdeaa, 0x09ed, 0x1cf7, 0x9ec9,
1262 0x7158, 0x8b72, 0x5d53, 0x5479, 0x5c75, 0xbb66, 0x9125, 0xeccc},
1263 {0x2941, 0xd46c, 0x3cd4, 0x4a9d, 0x5c4a, 0x256b, 0xbd6c, 0x9b8e,
1264 0x8fe0, 0x8a14, 0xffe8, 0x2496, 0x618d, 0xa9d7, 0x5018, 0xfb29},
1265 {0x437c, 0xbd60, 0x7590, 0x94bb, 0x0095, 0xd35e, 0xd4fe, 0xd6da,
1266 0x0d4e, 0x5342, 0x4cd2, 0x169b, 0x661c, 0x1380, 0xed2d, 0x85c1}},
1267 /* example reaching delta=-64..65; 661 divsteps */
1268 {{0xfde4, 0x68d6, 0x6c48, 0x7f77, 0x1c78, 0x96de, 0x2fd9, 0xa6c2,
1269 0xbbb5, 0xd319, 0x69cf, 0xd4b3, 0xa321, 0xcda0, 0x172e, 0xe530},
1270 {0xd9e3, 0x0f60, 0x3d86, 0xeeab, 0x25ee, 0x9582, 0x2d50, 0xfe16,
1271 0xd4e2, 0xe3ba, 0x94e2, 0x9833, 0x6c5e, 0x8982, 0x13b6, 0xe598},
1272 {0xe675, 0xf55a, 0x10f6, 0xabde, 0x5113, 0xecaa, 0x61ae, 0xad9f,
1273 0x0c27, 0xef33, 0x62e5, 0x211d, 0x08fa, 0xa78d, 0xc675, 0x8bae}},
1274 /* example reaching delta=-64..65; 661 divsteps */
1275 {{0x21bf, 0x52d5, 0x8fd4, 0xaa18, 0x156a, 0x7247, 0xebb8, 0x5717,
1276 0x4eb5, 0x1421, 0xb58f, 0x3b0b, 0x5dff, 0xe533, 0xb369, 0xd28a},
1277 {0x9f6b, 0xe463, 0x2563, 0xc74d, 0x6d81, 0x636a, 0x8fc8, 0x7a94,
1278 0x9429, 0x1585, 0xf35e, 0x7ff5, 0xb64f, 0x9720, 0xba74, 0xe108},
1279 {0xa5ab, 0xea7b, 0xfe5e, 0x8a85, 0x13be, 0x7934, 0xe8a0, 0xa187,
1280 0x86b5, 0xe477, 0xb9a4, 0x75d7, 0x538f, 0xdd70, 0xc781, 0xb67d}},
1281 /* example reaching delta=-64..65; 661 divsteps */
1282 {{0xa41a, 0x3e8d, 0xf1f5, 0x9493, 0x868c, 0x5103, 0x2725, 0x3ceb,
1283 0x6032, 0x3624, 0xdc6b, 0x9120, 0xbf4c, 0x8821, 0x91ad, 0xb31a},
1284 {0x5c0b, 0xdda5, 0x20f8, 0x32a1, 0xaf73, 0x6ec5, 0x4779, 0x43d6,
1285 0xd454, 0x9573, 0xbf84, 0x5a58, 0xe04e, 0x307e, 0xd1d5, 0xe230},
1286 {0xda15, 0xbcd6, 0x7180, 0xabd3, 0x04e6, 0x6986, 0xc0d7, 0x90bb,
1287 0x3a4d, 0x7c95, 0xaaab, 0x9ab3, 0xda34, 0xa7f6, 0x9636, 0x6273}},
1288 /* example doing 123 consecutive (f,g/2) steps; 615 divsteps */
1289 {{0xb4d6, 0xb38f, 0x00aa, 0xebda, 0xd4c2, 0x70b8, 0x9dad, 0x58ee,
1290 0x68f8, 0x48d3, 0xb5ff, 0xf422, 0x9e46, 0x2437, 0x18d0, 0xd9cc},
1291 {0x5c83, 0xfed7, 0x97f5, 0x3f07, 0xcaad, 0x95b1, 0xb4a4, 0xb005,
1292 0x23af, 0xdd27, 0x6c0d, 0x932c, 0xe2b2, 0xe3ae, 0xfb96, 0xdf67},
1293 {0x3105, 0x0127, 0xfd48, 0x039b, 0x35f1, 0xbc6f, 0x6c0a, 0xb572,
1294 0xe4df, 0xebad, 0x8edc, 0xb89d, 0x9555, 0x4c26, 0x1fef, 0x997c}},
1295 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1296 {{0x5138, 0xd474, 0x385f, 0xc964, 0x00f2, 0x6df7, 0x862d, 0xb185,
1297 0xb264, 0xe9e1, 0x466c, 0xf39e, 0xafaf, 0x5f41, 0x47e2, 0xc89d},
1298 {0x8607, 0x9c81, 0x46a2, 0x7dcc, 0xcb0c, 0x9325, 0xe149, 0x2bde,
1299 0x6632, 0x2869, 0xa261, 0xb163, 0xccee, 0x22ae, 0x91e0, 0xcfd5},
1300 {0x831c, 0xda22, 0xb080, 0xba7a, 0x26e2, 0x54b0, 0x073b, 0x5ea0,
1301 0xed4b, 0xcb3d, 0xbba1, 0xbec8, 0xf2ad, 0xae0d, 0x349b, 0x17d1}},
1302 /* example doing 123 consecutive (f,g/2) steps; 614 divsteps */
1303 {{0xe9a5, 0xb4ad, 0xd995, 0x9953, 0xcdff, 0x50d7, 0xf715, 0x9dc7,
1304 0x3e28, 0x15a9, 0x95a3, 0x8554, 0x5b5e, 0xad1d, 0x6d57, 0x3d50},
1305 {0x3ad9, 0xbd60, 0x5cc7, 0x6b91, 0xadeb, 0x71f6, 0x7cc4, 0xa58a,
1306 0x2cce, 0xf17c, 0x38c9, 0x97ed, 0x65fb, 0x3fa6, 0xa6bc, 0xeb24},
1307 {0xf96c, 0x1963, 0x8151, 0xa0cc, 0x299b, 0xf277, 0x001a, 0x16bb,
1308 0xfd2e, 0x532d, 0x0410, 0xe117, 0x6b00, 0x44ec, 0xca6a, 0x1745}},
1309 /* example doing 446 (f,g/2) steps; 523 divsteps */
1310 {{0x3758, 0xa56c, 0xe41e, 0x4e47, 0x0975, 0xa82b, 0x107c, 0x89cf,
1311 0x2093, 0x5a0c, 0xda37, 0xe007, 0x6074, 0x4f68, 0x2f5a, 0xbb8a},
1312 {0x4beb, 0xa40f, 0x2c42, 0xd9d6, 0x97e8, 0xca7c, 0xd395, 0x894f,
1313 0x1f50, 0x8067, 0xa233, 0xb850, 0x1746, 0x1706, 0xbcda, 0xdf32},
1314 {0x762a, 0xceda, 0x4c45, 0x1ca0, 0x8c37, 0xd8c5, 0xef57, 0x7a2c,
1315 0x6e98, 0xe38a, 0xc50e, 0x2ca9, 0xcb85, 0x24d5, 0xc29c, 0x61f6}},
1316 /* example doing 446 (f,g/2) steps; 523 divsteps */
1317 {{0x6f38, 0x74ad, 0x7332, 0x4073, 0x6521, 0xb876, 0xa370, 0xa6bd,
1318 0xcea5, 0xbd06, 0x969f, 0x77c6, 0x1e69, 0x7c49, 0x7d51, 0xb6e7},
1319 {0x3f27, 0x4be4, 0xd81e, 0x1396, 0xb21f, 0x92aa, 0x6dc3, 0x6283,
1320 0x6ada, 0x3ca2, 0xc1e5, 0x8b9b, 0xd705, 0x5598, 0x8ba1, 0xe087},
1321 {0x6a22, 0xe834, 0xbc8d, 0xcee9, 0x42fc, 0xfc77, 0x9c45, 0x1ca8,
1322 0xeb66, 0xed74, 0xaaf9, 0xe75f, 0xfe77, 0x46d2, 0x179b, 0xbf3e}},
1323 /* example doing 336 (f,(f+g)/2) steps; 693 divsteps */
1324 {{0x7ea7, 0x444e, 0x84ea, 0xc447, 0x7c1f, 0xab97, 0x3de6, 0x5878,
1325 0x4e8b, 0xc017, 0x03e0, 0xdc40, 0xbbd0, 0x74ce, 0x0169, 0x7ab5},
1326 {0x4023, 0x154f, 0xfbe4, 0x8195, 0xfda0, 0xef54, 0x9e9a, 0xc703,
1327 0x2803, 0xf760, 0x6302, 0xed5b, 0x7157, 0x6456, 0xdd7d, 0xf14b},
1328 {0xb6fb, 0xe3b3, 0x0733, 0xa77e, 0x44c5, 0x3003, 0xc937, 0xdd4d,
1329 0x5355, 0x14e9, 0x184e, 0xcefe, 0xe6b5, 0xf2e0, 0x0a28, 0x5b74}},
1330 /* example doing 336 (f,(f+g)/2) steps; 687 divsteps */
1331 {{0xa893, 0xb5f4, 0x1ede, 0xa316, 0x242c, 0xbdcc, 0xb017, 0x0836,
1332 0x3a37, 0x27fb, 0xfb85, 0x251e, 0xa189, 0xb15d, 0xa4b8, 0xc24c},
1333 {0xb0b7, 0x57ba, 0xbb6d, 0x9177, 0xc896, 0xc7f2, 0x43b4, 0x85a6,
1334 0xe6c4, 0xe50e, 0x3109, 0x7ca5, 0xd73d, 0x13ff, 0x0c3d, 0xcd62},
1335 {0x48ca, 0xdb34, 0xe347, 0x2cef, 0x4466, 0x10fb, 0x7ee1, 0x6344,
1336 0x4308, 0x966d, 0xd4d1, 0xb099, 0x994f, 0xd025, 0x2187, 0x5866}},
1337 /* example doing 267 (g,(g-f)/2) steps; 678 divsteps */
1338 {{0x0775, 0x1754, 0x01f6, 0xdf37, 0xc0be, 0x8197, 0x072f, 0x6cf5,
1339 0x8b36, 0x8069, 0x5590, 0xb92d, 0x6084, 0x47a4, 0x23fe, 0xddd5},
1340 {0x8e1b, 0xda37, 0x27d9, 0x312e, 0x3a2f, 0xef6d, 0xd9eb, 0x8153,
1341 0xdcba, 0x9fa3, 0x9f80, 0xead5, 0x134d, 0x2ebb, 0x5ec0, 0xe032},
1342 {0x1cb6, 0x5a61, 0x1bed, 0x77d6, 0xd5d1, 0x7498, 0xef33, 0x2dd2,
1343 0x1089, 0xedbd, 0x6958, 0x16ae, 0x336c, 0x45e6, 0x4361, 0xbadc}},
1344 /* example doing 267 (g,(g-f)/2) steps; 676 divsteps */
1345 {{0x0207, 0xf948, 0xc430, 0xf36b, 0xf0a7, 0x5d36, 0x751f, 0x132c,
1346 0x6f25, 0xa630, 0xca1f, 0xc967, 0xaf9c, 0x34e7, 0xa38f, 0xbe9f},
1347 {0x5fb9, 0x7321, 0x6561, 0x5fed, 0x54ec, 0x9c3a, 0xee0e, 0x6717,
1348 0x49af, 0xb896, 0xf4f5, 0x451c, 0x722a, 0xf116, 0x64a9, 0xcf0b},
1349 {0xf4d7, 0xdb47, 0xfef2, 0x4806, 0x4cb8, 0x18c7, 0xd9a7, 0x4951,
1350 0x14d8, 0x5c3a, 0xd22d, 0xd7b2, 0x750c, 0x3de7, 0x8b4a, 0x19aa}},
1351
1352 /* Test cases triggering edge cases in divsteps variant starting with delta=1/2 */
1353
1354 /* example needing 590 divsteps; delta=-5/2..7/2 */
1355 {{0x9118, 0xb640, 0x53d7, 0x30ab, 0x2a23, 0xd907, 0x9323, 0x5b3a,
1356 0xb6d4, 0x538a, 0x7637, 0xfe97, 0xfd05, 0x3cc0, 0x453a, 0xfb7e},
1357 {0x6983, 0x4f75, 0x4ad1, 0x48ad, 0xb2d9, 0x521d, 0x3dbc, 0x9cc0,
1358 0x4b60, 0x0ac6, 0xd3be, 0x0fb6, 0xd305, 0x3895, 0x2da5, 0xfdf8},
1359 {0xcec1, 0x33ac, 0xa801, 0x8194, 0xe36c, 0x65ef, 0x103b, 0xca54,
1360 0xfa9b, 0xb41d, 0x9b52, 0xb6f7, 0xa611, 0x84aa, 0x3493, 0xbf54}},
1361 /* example needing 590 divsteps; delta=-3/2..5/2 */
1362 {{0xb5f2, 0x42d0, 0x35e8, 0x8ca0, 0x4b62, 0x6e1d, 0xbdf3, 0x890e,
1363 0x8c82, 0x23d8, 0xc79a, 0xc8e8, 0x789e, 0x353d, 0x9766, 0xea9d},
1364 {0x6fa1, 0xacba, 0x4b7a, 0x5de1, 0x95d0, 0xc845, 0xebbf, 0x6f5a,
1365 0x30cf, 0x52db, 0x69b7, 0xe278, 0x4b15, 0x8411, 0x2ab2, 0xf3e7},
1366 {0xf12c, 0x9d6d, 0x95fa, 0x1878, 0x9f13, 0x4fb5, 0x3c8b, 0xa451,
1367 0x7182, 0xc4b6, 0x7e2a, 0x7bb7, 0x6e0e, 0x5b68, 0xde55, 0x9927}},
1368 /* example needing 590 divsteps; delta=-3/2..5/2 */
1369 {{0x229c, 0x4ef8, 0x1e93, 0xe5dc, 0xcde5, 0x6d62, 0x263b, 0xad11,
1370 0xced0, 0x88ff, 0xae8e, 0x3183, 0x11d2, 0xa50b, 0x350d, 0xeb40},
1371 {0x3157, 0xe2ea, 0x8a02, 0x0aa3, 0x5ae1, 0xb26c, 0xea27, 0x6805,
1372 0x87e2, 0x9461, 0x37c1, 0x2f8d, 0x85d2, 0x77a8, 0xf805, 0xeec9},
1373 {0x6f4e, 0x2748, 0xf7e5, 0xd8d3, 0xabe2, 0x7270, 0xc4e0, 0xedc7,
1374 0xf196, 0x78ca, 0x9139, 0xd8af, 0x72c6, 0xaf2f, 0x85d2, 0x6cd3}},
1375 /* example needing 590 divsteps; delta=-5/2..7/2 */
1376 {{0xdce8, 0xf1fe, 0x6708, 0x021e, 0xf1ca, 0xd609, 0x5443, 0x85ce,
1377 0x7a05, 0x8f9c, 0x90c3, 0x52e7, 0x8e1d, 0x97b8, 0xc0bf, 0xf2a1},
1378 {0xbd3d, 0xed11, 0x1625, 0xb4c5, 0x844c, 0xa413, 0x2569, 0xb9ba,
1379 0xcd35, 0xff84, 0xcd6e, 0x7f0b, 0x7d5d, 0x10df, 0x3efe, 0xfbe5},
1380 {0xa9dd, 0xafef, 0xb1b7, 0x4c8d, 0x50e4, 0xafbf, 0x2d5a, 0xb27c,
1381 0x0653, 0x66b6, 0x5d36, 0x4694, 0x7e35, 0xc47c, 0x857f, 0x32c5}},
1382 /* example needing 590 divsteps; delta=-3/2..5/2 */
1383 {{0x7902, 0xc9f8, 0x926b, 0xaaeb, 0x90f8, 0x1c89, 0xcce3, 0x96b7,
1384 0x28b2, 0x87a2, 0x136d, 0x695a, 0xa8df, 0x9061, 0x9e31, 0xee82},
1385 {0xd3a9, 0x3c02, 0x818c, 0x6b81, 0x34b3, 0xebbb, 0xe2c8, 0x7712,
1386 0xbfd6, 0x8248, 0xa6f4, 0xba6f, 0x03bb, 0xfb54, 0x7575, 0xfe89},
1387 {0x8246, 0x0d63, 0x478e, 0xf946, 0xf393, 0x0451, 0x08c2, 0x5919,
1388 0x5fd6, 0x4c61, 0xbeb7, 0x9a15, 0x30e1, 0x55fc, 0x6a01, 0x3724}},
1389 /* example reaching delta=-127/2..129/2; 571 divsteps */
1390 {{0x3eff, 0x926a, 0x77f5, 0x1fff, 0x1a5b, 0xf3ef, 0xf64b, 0x8681,
1391 0xf800, 0xf9bc, 0x761d, 0xe268, 0x62b0, 0xa032, 0xba9c, 0xbe56},
1392 {0xb8f9, 0x00e7, 0x47b7, 0xdffc, 0xfd9d, 0x5abb, 0xa19b, 0x1868,
1393 0x31fd, 0x3b29, 0x3674, 0x5449, 0xf54d, 0x1d19, 0x6ac7, 0xff6f},
1394 {0xf1d7, 0x3551, 0x5682, 0x9adf, 0xe8aa, 0x19a5, 0x8340, 0x71db,
1395 0xb7ab, 0x4cfd, 0xf661, 0x632c, 0xc27e, 0xd3c6, 0xdf42, 0xd306}},
1396 /* example reaching delta=-127/2..129/2; 571 divsteps */
1397 {{0x0000, 0x0000, 0x0000, 0x0000, 0x3aff, 0x2ed7, 0xf2e0, 0xabc7,
1398 0x8aee, 0x166e, 0x7ed0, 0x9ac7, 0x714a, 0xb9c5, 0x4d58, 0xad6c},
1399 {0x9cf9, 0x47e2, 0xa421, 0xb277, 0xffc2, 0x2747, 0x6486, 0x94c1,
1400 0x1d99, 0xd49b, 0x1096, 0x991a, 0xe986, 0xae02, 0xe89b, 0xea36},
1401 {0x1fb4, 0x98d8, 0x19b7, 0x80e9, 0xcdac, 0xaa5a, 0xf1e6, 0x0074,
1402 0xe393, 0xed8b, 0x8d5c, 0xe17d, 0x81b3, 0xc16d, 0x54d3, 0x9be3}},
1403 /* example reaching delta=-127/2..129/2; 571 divsteps */
1404 {{0xd047, 0x7e36, 0x3157, 0x7ab6, 0xb4d9, 0x8dae, 0x7534, 0x4f5d,
1405 0x489e, 0xa8ab, 0x8a3d, 0xd52c, 0x62af, 0xa032, 0xba9c, 0xbe56},
1406 {0xb1f1, 0x737f, 0x5964, 0x5afb, 0x3712, 0x8ef9, 0x19f7, 0x9669,
1407 0x664d, 0x03ad, 0xc352, 0xf7a5, 0xf545, 0x1d19, 0x6ac7, 0xff6f},
1408 {0xa834, 0x5256, 0x27bc, 0x33bd, 0xba11, 0x5a7b, 0x791e, 0xe6c0,
1409 0x9ac4, 0x9370, 0x1130, 0x28b4, 0x2b2e, 0x231b, 0x082a, 0x796e}},
1410 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1411 {{0x6ab1, 0x6ea0, 0x1a99, 0xe0c2, 0xdd45, 0x645d, 0x8dbc, 0x466a,
1412 0xfa64, 0x4289, 0xd3f7, 0xfc8f, 0x2894, 0xe3c5, 0xa008, 0xcc14},
1413 {0xc75f, 0xc083, 0x4cc2, 0x64f2, 0x2aff, 0x4c12, 0x8461, 0xc4ae,
1414 0xbbfa, 0xb336, 0xe4b2, 0x3ac5, 0x2c22, 0xf56c, 0x5381, 0xe943},
1415 {0xcd80, 0x760d, 0x4395, 0xb3a6, 0xd497, 0xf583, 0x82bd, 0x1daa,
1416 0xbe92, 0x2613, 0xfdfb, 0x869b, 0x0425, 0xa333, 0x7056, 0xc9c5}},
1417 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1418 {{0x71d4, 0x64df, 0xec4f, 0x74d8, 0x7e0c, 0x40d3, 0x7073, 0x4cc8,
1419 0x2a2a, 0xb1ff, 0x8518, 0x6513, 0xb0ea, 0x640a, 0x62d9, 0xd5f4},
1420 {0xdc75, 0xd937, 0x3b13, 0x1d36, 0xdf83, 0xd034, 0x1c1c, 0x4332,
1421 0x4cc3, 0xeeec, 0x7d94, 0x6771, 0x3384, 0x74b0, 0x947d, 0xf2c4},
1422 {0x0a82, 0x37a4, 0x12d5, 0xec97, 0x972c, 0xe6bf, 0xc348, 0xa0a9,
1423 0xc50c, 0xdc7c, 0xae30, 0x19d1, 0x0fca, 0x35e1, 0xd6f6, 0x81ee}},
1424 /* example doing 123 consecutive (f,g/2) steps; 554 divsteps */
1425 {{0xa6b1, 0xabc5, 0x5bbc, 0x7f65, 0xdd32, 0xaa73, 0xf5a3, 0x1982,
1426 0xced4, 0xe949, 0x0fd6, 0x2bc4, 0x2bd7, 0xe3c5, 0xa008, 0xcc14},
1427 {0x4b5f, 0x8f96, 0xa375, 0xfbcf, 0x1c7d, 0xf1ec, 0x03f5, 0xb35d,
1428 0xb999, 0xdb1f, 0xc9a1, 0xb4c7, 0x1dd5, 0xf56c, 0x5381, 0xe943},
1429 {0xaa3d, 0x38b9, 0xf17d, 0xeed9, 0x9988, 0x69ee, 0xeb88, 0x1495,
1430 0x203f, 0x18c8, 0x82b7, 0xdcb2, 0x34a7, 0x6b00, 0x6998, 0x589a}},
1431 /* example doing 453 (f,g/2) steps; 514 divsteps */
1432 {{0xa478, 0xe60d, 0x3244, 0x60e6, 0xada3, 0xfe50, 0xb6b1, 0x2eae,
1433 0xd0ef, 0xa7b1, 0xef63, 0x05c0, 0xe213, 0x443e, 0x4427, 0x2448},
1434 {0x258f, 0xf9ef, 0xe02b, 0x92dd, 0xd7f3, 0x252b, 0xa503, 0x9089,
1435 0xedff, 0x96c1, 0xfe3a, 0x3a39, 0x198a, 0x981d, 0x0627, 0xedb7},
1436 {0x595a, 0x45be, 0x8fb0, 0x2265, 0xc210, 0x02b8, 0xdce9, 0xe241,
1437 0xcab6, 0xbf0d, 0x0049, 0x8d9a, 0x2f51, 0xae54, 0x5785, 0xb411}},
1438 /* example doing 453 (f,g/2) steps; 514 divsteps */
1439 {{0x48f0, 0x7db3, 0xdafe, 0x1c92, 0x5912, 0xe11a, 0xab52, 0xede1,
1440 0x3182, 0x8980, 0x5d2b, 0x9b5b, 0x8718, 0xda27, 0x1683, 0x1de2},
1441 {0x168f, 0x6f36, 0xce7a, 0xf435, 0x19d4, 0xda5e, 0x2351, 0x9af5,
1442 0xb003, 0x0ef5, 0x3b4c, 0xecec, 0xa9f0, 0x78e1, 0xdfef, 0xe823},
1443 {0x5f55, 0xfdcc, 0xb233, 0x2914, 0x84f0, 0x97d1, 0x9cf4, 0x2159,
1444 0xbf56, 0xb79c, 0x17a3, 0x7cef, 0xd5de, 0x34f0, 0x5311, 0x4c54}},
1445 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1446 {{0x2789, 0x2e04, 0x6e0e, 0xb6cd, 0xe4de, 0x4dbf, 0x228d, 0x7877,
1447 0xc335, 0x806b, 0x38cd, 0x8049, 0xa73b, 0xcfa2, 0x82f7, 0x9e19},
1448 {0xc08d, 0xb99d, 0xb8f3, 0x663d, 0xbbb3, 0x1284, 0x1485, 0x1d49,
1449 0xc98f, 0x9e78, 0x1588, 0x11e3, 0xd91a, 0xa2c7, 0xfff1, 0xc7b9},
1450 {0x1e1f, 0x411d, 0x7c49, 0x0d03, 0xe789, 0x2f8e, 0x5d55, 0xa95e,
1451 0x826e, 0x8de5, 0x52a0, 0x1abc, 0x4cd7, 0xd13a, 0x4395, 0x63e1}},
1452 /* example doing 510 (f,(f+g)/2) steps; 512 divsteps */
1453 {{0xd5a1, 0xf786, 0x555c, 0xb14b, 0x44ae, 0x535f, 0x4a49, 0xffc3,
1454 0xf497, 0x70d1, 0x57c8, 0xa933, 0xc85a, 0x1910, 0x75bf, 0x960b},
1455 {0xfe53, 0x5058, 0x496d, 0xfdff, 0x6fb8, 0x4100, 0x92bd, 0xe0c4,
1456 0xda89, 0xe0a4, 0x841b, 0x43d4, 0xa388, 0x957f, 0x99ca, 0x9abf},
1457 {0xe530, 0x05bc, 0xfeec, 0xfc7e, 0xbcd3, 0x1239, 0x54cb, 0x7042,
1458 0xbccb, 0x139e, 0x9076, 0x0203, 0x6068, 0x90c7, 0x1ddf, 0x488d}},
1459 /* example doing 228 (g,(g-f)/2) steps; 538 divsteps */
1460 {{0x9488, 0xe54b, 0x0e43, 0x81d2, 0x06e7, 0x4b66, 0x36d0, 0x53d6,
1461 0x2b68, 0x22ec, 0x3fa9, 0xc1a7, 0x9ad2, 0xa596, 0xb3ac, 0xdf42},
1462 {0xe31f, 0x0b28, 0x5f3b, 0xc1ff, 0x344c, 0xbf5f, 0xd2ec, 0x2936,
1463 0x9995, 0xdeb2, 0xae6c, 0x2852, 0xa2c6, 0xb306, 0x8120, 0xe305},
1464 {0xa56e, 0xfb98, 0x1537, 0x4d85, 0x619e, 0x866c, 0x3cd4, 0x779a,
1465 0xdd66, 0xa80d, 0xdc2f, 0xcae4, 0xc74c, 0x5175, 0xa65d, 0x605e}},
1466 /* example doing 228 (g,(g-f)/2) steps; 537 divsteps */
1467 {{0x8cd5, 0x376d, 0xd01b, 0x7176, 0x19ef, 0xcf09, 0x8403, 0x5e52,
1468 0x83c1, 0x44de, 0xb91e, 0xb33d, 0xe15c, 0x51e7, 0xbad8, 0x6359},
1469 {0x3b75, 0xf812, 0x5f9e, 0xa04e, 0x92d3, 0x226e, 0x540e, 0x7c9a,
1470 0x31c6, 0x46d2, 0x0b7b, 0xdb4a, 0xe662, 0x4950, 0x0265, 0xf76f},
1471 {0x09ed, 0x692f, 0xe8f1, 0x3482, 0xab54, 0x36b4, 0x8442, 0x6ae9,
1472 0x4329, 0x6505, 0x183b, 0x1c1d, 0x482d, 0x7d63, 0xb44f, 0xcc09}},
1473
1474 /* Test cases with the group order as modulus. */
1475
1476 /* Test case with the group order as modulus, needing 635 divsteps. */
1477 {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120,
1478 0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686},
1479 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1480 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1481 {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc,
1482 0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}},
1483 /* example with group size as modulus needing 631 divsteps */
1484 {{0x85ed, 0xc284, 0x9608, 0x3c56, 0x19b6, 0xbb5b, 0x2850, 0xdab7,
1485 0xa7f5, 0xe9ab, 0x06a4, 0x5bbb, 0x1135, 0xa186, 0xc424, 0xc68b},
1486 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1487 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1488 {0x8479, 0x450a, 0x8fa3, 0xde05, 0xb2f5, 0x7793, 0x7269, 0xbabb,
1489 0xc3b3, 0xd49b, 0x3377, 0x03c6, 0xe694, 0xc760, 0xd3cb, 0x2811}},
1490 /* example with group size as modulus needing 565 divsteps starting at delta=1/2 */
1491 {{0x8432, 0x5ceb, 0xa847, 0x6f1e, 0x51dd, 0x535a, 0x6ddc, 0x70ce,
1492 0x6e70, 0xc1f6, 0x18f2, 0x2a7e, 0xc8e7, 0x39f8, 0x7e96, 0xebbf},
1493 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1494 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1495 {0x257e, 0x449f, 0x689f, 0x89aa, 0x3989, 0xb661, 0x376c, 0x1e32,
1496 0x654c, 0xee2e, 0xf4e2, 0x33c8, 0x3f2f, 0x9716, 0x6046, 0xcaa3}},
1497 /* Test case with the group size as modulus, needing 981 divsteps with
1498 broken eta handling. */
1499 {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae,
1500 0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2},
1501 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1502 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1503 {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126,
1504 0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}},
1505 /* Test case with the group size as modulus, input = 0. */
1506 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1507 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1508 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1509 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1510 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1511 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1512 /* Test case with the group size as modulus, input = 1. */
1513 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1514 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1515 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1516 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1517 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1518 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1519 /* Test case with the group size as modulus, input = 2. */
1520 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1521 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1522 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1523 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1524 {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57,
1525 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1526 /* Test case with the group size as modulus, input = group - 1. */
1527 {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1528 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1529 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1530 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1531 {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1532 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1533
1534 /* Test cases with the field size as modulus. */
1535
1536 /* Test case with the field size as modulus, needing 637 divsteps. */
1537 {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688,
1538 0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e},
1539 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1540 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1541 {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701,
1542 0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}},
1543 /* example with field size as modulus needing 637 divsteps */
1544 {{0xaec3, 0xa7cf, 0x2f2d, 0x0693, 0x5ad5, 0xa8ff, 0x7ec7, 0x30ff,
1545 0x0c8b, 0xc242, 0xcab2, 0x063a, 0xf86e, 0x6057, 0x9cbd, 0xf6d8},
1546 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1547 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1548 {0x0310, 0x579d, 0xcb38, 0x9030, 0x3ded, 0x9bb9, 0x1234, 0x63ce,
1549 0x0c63, 0x8e3d, 0xacfe, 0x3c20, 0xdc85, 0xf859, 0x919e, 0x1d45}},
1550 /* example with field size as modulus needing 564 divsteps starting at delta=1/2 */
1551 {{0x63ae, 0x8d10, 0x0071, 0xdb5c, 0xb454, 0x78d1, 0x744a, 0x5f8e,
1552 0xe4d8, 0x87b1, 0x8e62, 0x9590, 0xcede, 0xa070, 0x36b4, 0x7f6f},
1553 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1554 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1555 {0xfdc8, 0xe8d5, 0xbe15, 0x9f86, 0xa5fe, 0xf18e, 0xa7ff, 0xd291,
1556 0xf4c2, 0x9c87, 0xf150, 0x073e, 0x69b8, 0xf7c4, 0xee4b, 0xc7e6}},
1557 /* Test case with the field size as modulus, needing 935 divsteps with
1558 broken eta handling. */
1559 {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8,
1560 0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93},
1561 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1562 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1563 {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed,
1564 0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}},
1565 /* Test case with the field size as modulus, input = 0. */
1566 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1567 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1568 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1569 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1570 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1571 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1572 /* Test case with the field size as modulus, input = 1. */
1573 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1574 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1575 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1576 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1577 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1578 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1579 /* Test case with the field size as modulus, input = 2. */
1580 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1581 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1582 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1583 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1584 {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1585 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1586 /* Test case with the field size as modulus, input = field - 1. */
1587 {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1588 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1589 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1590 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1591 {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1592 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1593
1594 /* Selected from a large number of random inputs to reach small/large
1595 * d/e values in various configurations. */
1596 {{0x3a08, 0x23e1, 0x4d8c, 0xe606, 0x3263, 0x67af, 0x9bf1, 0x9d70,
1597 0xf5fd, 0x12e4, 0x03c8, 0xb9ca, 0xe847, 0x8c5d, 0x6322, 0xbd30},
1598 {0x8359, 0x59dd, 0x1831, 0x7c1a, 0x1e83, 0xaee1, 0x770d, 0xcea8,
1599 0xfbb1, 0xeed6, 0x10b5, 0xe2c6, 0x36ea, 0xee17, 0xe32c, 0xffff},
1600 {0x1727, 0x0f36, 0x6f85, 0x5d0c, 0xca6c, 0x3072, 0x9628, 0x5842,
1601 0xcb44, 0x7c2b, 0xca4f, 0x62e5, 0x29b1, 0x6ffd, 0x9055, 0xc196}},
1602 {{0x905d, 0x41c8, 0xa2ff, 0x295b, 0x72bb, 0x4679, 0x6d01, 0x2c98,
1603 0xb3e0, 0xc537, 0xa310, 0xe07e, 0xe72f, 0x4999, 0x1148, 0xf65e},
1604 {0x5b41, 0x4239, 0x3c37, 0x5130, 0x30e3, 0xff35, 0xc51f, 0x1a43,
1605 0xdb23, 0x13cf, 0x9f49, 0xf70c, 0x5e70, 0xd411, 0x3005, 0xf8c6},
1606 {0xc30e, 0x68f0, 0x201a, 0xe10c, 0x864a, 0x6243, 0xe946, 0x43ae,
1607 0xf3f1, 0x52dc, 0x1f7f, 0x50d4, 0x2797, 0x064c, 0x5ca4, 0x90e3}},
1608 {{0xf1b5, 0xc6e5, 0xd2c4, 0xff95, 0x27c5, 0x0c92, 0x5d19, 0x7ae5,
1609 0x4fbe, 0x5438, 0x99e1, 0x880d, 0xd892, 0xa05c, 0x6ffd, 0x7eac},
1610 {0x2153, 0xcc9d, 0xfc6c, 0x8358, 0x49a1, 0x01e2, 0xcef0, 0x4969,
1611 0xd69a, 0x8cef, 0xf5b2, 0xfd95, 0xdcc2, 0x71f4, 0x6ae2, 0xceeb},
1612 {0x9b2e, 0xcdc6, 0x0a5c, 0x7317, 0x9084, 0xe228, 0x56cf, 0xd512,
1613 0x628a, 0xce21, 0x3473, 0x4e13, 0x8823, 0x1ed0, 0x34d0, 0xbfa3}},
1614 {{0x5bae, 0x53e5, 0x5f4d, 0x21ca, 0xb875, 0x8ecf, 0x9aa6, 0xbe3c,
1615 0x9f96, 0x7b82, 0x375d, 0x4d3e, 0x491c, 0xb1eb, 0x04c9, 0xb6c8},
1616 {0xfcfd, 0x10b7, 0x73b2, 0xd23b, 0xa357, 0x67da, 0x0d9f, 0x8702,
1617 0xa037, 0xff8e, 0x0e8b, 0x1801, 0x2c5c, 0x4e6e, 0x4558, 0xfff2},
1618 {0xc50f, 0x5654, 0x6713, 0x5ef5, 0xa7ce, 0xa647, 0xc832, 0x69ce,
1619 0x1d5c, 0x4310, 0x0746, 0x5a01, 0x96ea, 0xde4b, 0xa88b, 0x5543}},
1620 {{0xdc7f, 0x5e8c, 0x89d1, 0xb077, 0xd521, 0xcf90, 0x32fa, 0x5737,
1621 0x839e, 0x1464, 0x007c, 0x09c6, 0x9371, 0xe8ea, 0xc1cb, 0x75c4},
1622 {0xe3a3, 0x107f, 0xa82a, 0xa375, 0x4578, 0x60f4, 0x75c9, 0x5ee4,
1623 0x3fd7, 0x2736, 0x2871, 0xd3d2, 0x5f1d, 0x1abb, 0xa764, 0xffff},
1624 {0x45c6, 0x1f2e, 0xb14c, 0x84d7, 0x7bb7, 0x5a04, 0x0504, 0x3f33,
1625 0x5cc1, 0xb07a, 0x6a6c, 0x786f, 0x647f, 0xe1d7, 0x78a2, 0x4cf4}},
1626 {{0xc006, 0x356f, 0x8cd2, 0x967b, 0xb49e, 0x2d4e, 0x14bf, 0x4bcb,
1627 0xddab, 0xd3f9, 0xa068, 0x2c1c, 0xd242, 0xa56d, 0xf2c7, 0x5f97},
1628 {0x465b, 0xb745, 0x0e0d, 0x69a9, 0x987d, 0xcb37, 0xf637, 0xb311,
1629 0xc4d6, 0x2ddb, 0xf68f, 0x2af9, 0x959d, 0x3f53, 0x98f2, 0xf640},
1630 {0xc0f2, 0x6bfb, 0xf5c3, 0x91c1, 0x6b05, 0x0825, 0x5ca0, 0x7df7,
1631 0x9d55, 0x6d9e, 0xfe94, 0x2ad9, 0xd9f0, 0xe68b, 0xa72b, 0xd1b2}},
1632 {{0x2279, 0x61ba, 0x5bc6, 0x136b, 0xf544, 0x717c, 0xafda, 0x02bd,
1633 0x79af, 0x1fad, 0xea09, 0x81bb, 0x932b, 0x32c9, 0xdf1d, 0xe576},
1634 {0x8215, 0x7817, 0xca82, 0x43b0, 0x9b06, 0xea65, 0x1291, 0x0621,
1635 0x0089, 0x46fe, 0xc5a6, 0xddd7, 0x8065, 0xc6a0, 0x214b, 0xfc64},
1636 {0x04bf, 0x6f2a, 0x86b2, 0x841a, 0x4a95, 0xc632, 0x97b7, 0x5821,
1637 0x2b18, 0x1bb0, 0x3e97, 0x935e, 0xcc7d, 0x066b, 0xd513, 0xc251}},
1638 {{0x76e8, 0x5bc2, 0x3eaa, 0x04fc, 0x9974, 0x92c1, 0x7c15, 0xfa89,
1639 0x1151, 0x36ee, 0x48b2, 0x049c, 0x5f16, 0xcee4, 0x925b, 0xe98e},
1640 {0x913f, 0x0a2d, 0xa185, 0x9fea, 0xda5a, 0x4025, 0x40d7, 0x7cfa,
1641 0x88ca, 0xbbe8, 0xb265, 0xb7e4, 0x6cb1, 0xed64, 0xc6f9, 0xffb5},
1642 {0x6ab1, 0x1a86, 0x5009, 0x152b, 0x1cc4, 0xe2c8, 0x960b, 0x19d0,
1643 0x3554, 0xc562, 0xd013, 0xcf91, 0x10e1, 0x7933, 0xe195, 0xcf49}},
1644 {{0x9cb5, 0xd2d7, 0xc6ed, 0xa818, 0xb495, 0x06ee, 0x0f4a, 0x06e3,
1645 0x4c5a, 0x80ce, 0xd49a, 0x4cd7, 0x7487, 0x92af, 0xe516, 0x676c},
1646 {0xd6e9, 0x6b85, 0x619a, 0xb52c, 0x20a0, 0x2f79, 0x3545, 0x1edd,
1647 0x5a6f, 0x8082, 0x9b80, 0xf8f8, 0xc78a, 0xd0a3, 0xadf4, 0xffff},
1648 {0x01c2, 0x2118, 0xef5e, 0xa877, 0x046a, 0xd2c2, 0x2ad5, 0x951c,
1649 0x8900, 0xa5c9, 0x8d0f, 0x6b61, 0x55d3, 0xd572, 0x48de, 0x9219}},
1650 {{0x5114, 0x0644, 0x23dd, 0x01d3, 0xc101, 0xa659, 0xea17, 0x640f,
1651 0xf767, 0x2644, 0x9cec, 0xd8ba, 0xd6da, 0x9156, 0x8aeb, 0x875a},
1652 {0xc1bf, 0xdae9, 0xe96b, 0xce77, 0xf7a1, 0x3e99, 0x5c2e, 0x973b,
1653 0xd048, 0x5bd0, 0x4e8a, 0xcb85, 0xce39, 0x37f5, 0x815d, 0xffff},
1654 {0x48cc, 0x35b6, 0x26d4, 0x2ea6, 0x50d6, 0xa2f9, 0x64b6, 0x03bf,
1655 0xd00c, 0xe057, 0x3343, 0xfb79, 0x3ce5, 0xf717, 0xc5af, 0xe185}},
1656 {{0x13ff, 0x6c76, 0x2077, 0x16e0, 0xd5ca, 0xf2ad, 0x8dba, 0x8f49,
1657 0x7887, 0x16f9, 0xb646, 0xfc87, 0xfa31, 0x5096, 0xf08c, 0x3fbe},
1658 {0x8139, 0x6fd7, 0xf6df, 0xa7bf, 0x6699, 0x5361, 0x6f65, 0x13c8,
1659 0xf4d1, 0xe28f, 0xc545, 0x0a8c, 0x5274, 0xb0a6, 0xffff, 0xffff},
1660 {0x22ca, 0x0cd6, 0xc1b5, 0xb064, 0x44a7, 0x297b, 0x495f, 0x34ac,
1661 0xfa95, 0xec62, 0xf08d, 0x621c, 0x66a6, 0xba94, 0x84c6, 0x8ee0}},
1662 {{0xaa30, 0x312e, 0x439c, 0x4e88, 0x2e2f, 0x32dc, 0xb880, 0xa28e,
1663 0xf795, 0xc910, 0xb406, 0x8dd7, 0xb187, 0xa5a5, 0x38f1, 0xe49e},
1664 {0xfb19, 0xf64a, 0xba6a, 0x8ec2, 0x7255, 0xce89, 0x2cf9, 0x9cba,
1665 0xe1fe, 0x50da, 0x1705, 0xac52, 0xe3d4, 0x4269, 0x0648, 0xfd77},
1666 {0xb4c8, 0x6e8a, 0x2b5f, 0x4c2d, 0x5a67, 0xa7bb, 0x7d6d, 0x5569,
1667 0xa0ea, 0x244a, 0xc0f2, 0xf73d, 0x58cf, 0xac7f, 0xd32b, 0x3018}},
1668 {{0xc953, 0x1ae1, 0xae46, 0x8709, 0x19c2, 0xa986, 0x9abe, 0x1611,
1669 0x0395, 0xd5ab, 0xf0f6, 0xb5b0, 0x5b2b, 0x0317, 0x80ba, 0x376d},
1670 {0xfe77, 0xbc03, 0xac2f, 0x9d00, 0xa175, 0x293d, 0x3b56, 0x0e3a,
1671 0x0a9c, 0xf40c, 0x690e, 0x1508, 0x95d4, 0xddc4, 0xe805, 0xffff},
1672 {0xb1ce, 0x0929, 0xa5fe, 0x4b50, 0x9d5d, 0x8187, 0x2557, 0x4376,
1673 0x11ba, 0xdcef, 0xc1f3, 0xd531, 0x1824, 0x93f6, 0xd81f, 0x8f83}},
1674 {{0xb8d2, 0xb900, 0x4a0c, 0x7188, 0xa5bf, 0x1b0b, 0x2ae5, 0xa35b,
1675 0x98e0, 0x610c, 0x86db, 0x2487, 0xa267, 0x002c, 0xebb6, 0xc5f4},
1676 {0x9cdd, 0x1c1b, 0x2f06, 0x43d1, 0xce47, 0xc334, 0x6e60, 0xc016,
1677 0x989e, 0x0ab2, 0x0cac, 0x1196, 0xe2d9, 0x2e04, 0xc62b, 0xffff},
1678 {0xdc36, 0x1f05, 0x6aa9, 0x7a20, 0x944f, 0x2fd3, 0xa553, 0xdb4f,
1679 0xbd5c, 0x3a75, 0x25d4, 0xe20e, 0xa387, 0x1410, 0xdbb1, 0x1b60}},
1680 {{0x76b3, 0x2207, 0x4930, 0x5dd7, 0x65a0, 0xd55c, 0xb443, 0x53b7,
1681 0x5c22, 0x818a, 0xb2e7, 0x9de8, 0x9985, 0xed45, 0x33b1, 0x53e8},
1682 {0x7913, 0x44e1, 0xf15b, 0x5edd, 0x34f3, 0x4eba, 0x0758, 0x7104,
1683 0x32d9, 0x28f3, 0x4401, 0x85c5, 0xb695, 0xb899, 0xc0f2, 0xffff},
1684 {0x7f43, 0xd202, 0x24c9, 0x69f3, 0x74dc, 0x1a69, 0xeaee, 0x5405,
1685 0x1755, 0x4bb8, 0x04e3, 0x2fd2, 0xada8, 0x39eb, 0x5b4d, 0x96ca}},
1686 {{0x807b, 0x7112, 0xc088, 0xdafd, 0x02fa, 0x9d95, 0x5e42, 0xc033,
1687 0xde0a, 0xeecf, 0x8e90, 0x8da1, 0xb17e, 0x9a5b, 0x4c6d, 0x1914},
1688 {0x4871, 0xd1cb, 0x47d7, 0x327f, 0x09ec, 0x97bb, 0x2fae, 0xd346,
1689 0x6b78, 0x3707, 0xfeb2, 0xa6ab, 0x13df, 0x76b0, 0x8fb9, 0xffb3},
1690 {0x179e, 0xb63b, 0x4784, 0x231e, 0x9f42, 0x7f1a, 0xa3fb, 0xdd8c,
1691 0xd1eb, 0xb4c9, 0x8ca7, 0x018c, 0xf691, 0x576c, 0xa7d6, 0xce27}},
1692 {{0x5f45, 0x7c64, 0x083d, 0xedd5, 0x08a0, 0x0c64, 0x6c6f, 0xec3c,
1693 0xe2fb, 0x352c, 0x9303, 0x75e4, 0xb4e0, 0x8b09, 0xaca4, 0x7025},
1694 {0x1025, 0xb482, 0xfed5, 0xa678, 0x8966, 0x9359, 0x5329, 0x98bb,
1695 0x85b2, 0x73ba, 0x9982, 0x6fdc, 0xf190, 0xbe8c, 0xdc5c, 0xfd93},
1696 {0x83a2, 0x87a4, 0xa680, 0x52a1, 0x1ba1, 0x8848, 0x5db7, 0x9744,
1697 0x409c, 0x0745, 0x0e1e, 0x1cfc, 0x00cd, 0xf573, 0x2071, 0xccaa}},
1698 {{0xf61f, 0x63d4, 0x536c, 0x9eb9, 0x5ddd, 0xbb11, 0x9014, 0xe904,
1699 0xfe01, 0x6b45, 0x1858, 0xcb5b, 0x4c38, 0x43e1, 0x381d, 0x7f94},
1700 {0xf61f, 0x63d4, 0xd810, 0x7ca3, 0x8a04, 0x4b83, 0x11fc, 0xdf94,
1701 0x4169, 0xbd05, 0x608e, 0x7151, 0x4fbf, 0xb31a, 0x38a7, 0xa29b},
1702 {0xe621, 0xdfa5, 0x3d06, 0x1d03, 0x81e6, 0x00da, 0x53a6, 0x965e,
1703 0x93e5, 0x2164, 0x5b61, 0x59b8, 0xa629, 0x8d73, 0x699a, 0x6111}},
1704 {{0x4cc3, 0xd29e, 0xf4a3, 0x3428, 0x2048, 0xeec9, 0x5f50, 0x99a4,
1705 0x6de9, 0x05f2, 0x5aa9, 0x5fd2, 0x98b4, 0x1adc, 0x225f, 0x777f},
1706 {0xe649, 0x37da, 0x5ba6, 0x5765, 0x3f4a, 0x8a1c, 0x2e79, 0xf550,
1707 0x1a54, 0xcd1e, 0x7218, 0x3c3c, 0x6311, 0xfe28, 0x95fb, 0xed97},
1708 {0xe9b6, 0x0c47, 0x3f0e, 0x849b, 0x11f8, 0xe599, 0x5e4d, 0xd618,
1709 0xa06d, 0x33a0, 0x9a3e, 0x44db, 0xded8, 0x10f0, 0x94d2, 0x81fb}},
1710 {{0x2e59, 0x7025, 0xd413, 0x455a, 0x1ce3, 0xbd45, 0x7263, 0x27f7,
1711 0x23e3, 0x518e, 0xbe06, 0xc8c4, 0xe332, 0x4276, 0x68b4, 0xb166},
1712 {0x596f, 0x0cf6, 0xc8ec, 0x787b, 0x04c1, 0x473c, 0xd2b8, 0x8d54,
1713 0x9cdf, 0x77f2, 0xd3f3, 0x6735, 0x0638, 0xf80e, 0x9467, 0xc6aa},
1714 {0xc7e7, 0x1822, 0xb62a, 0xec0d, 0x89cd, 0x7846, 0xbfa2, 0x35d5,
1715 0xfa38, 0x870f, 0x494b, 0x1697, 0x8b17, 0xf904, 0x10b6, 0x9822}},
1716 {{0x6d5b, 0x1d4f, 0x0aaf, 0x807b, 0x35fb, 0x7ee8, 0x00c6, 0x059a,
1717 0xddf0, 0x1fb1, 0xc38a, 0xd78e, 0x2aa4, 0x79e7, 0xad28, 0xc3f1},
1718 {0xe3bb, 0x174e, 0xe0a8, 0x74b6, 0xbd5b, 0x35f6, 0x6d23, 0x6328,
1719 0xc11f, 0x83e1, 0xf928, 0xa918, 0x838e, 0xbf43, 0xe243, 0xfffb},
1720 {0x9cf2, 0x6b8b, 0x3476, 0x9d06, 0xdcf2, 0xdb8a, 0x89cd, 0x4857,
1721 0x75c2, 0xabb8, 0x490b, 0xc9bd, 0x890e, 0xe36e, 0xd552, 0xfffa}},
1722 {{0x2f09, 0x9d62, 0xa9fc, 0xf090, 0xd6d1, 0x9d1d, 0x1828, 0xe413,
1723 0xc92b, 0x3d5a, 0x1373, 0x368c, 0xbaf2, 0x2158, 0x71eb, 0x08a3},
1724 {0x2f09, 0x1d62, 0x4630, 0x0de1, 0x06dc, 0xf7f1, 0xc161, 0x1e92,
1725 0x7495, 0x97e4, 0x94b6, 0xa39e, 0x4f1b, 0x18f8, 0x7bd4, 0x0c4c},
1726 {0xeb3d, 0x723d, 0x0907, 0x525b, 0x463a, 0x49a8, 0xc6b8, 0xce7f,
1727 0x740c, 0x0d7d, 0xa83b, 0x457f, 0xae8e, 0xc6af, 0xd331, 0x0475}},
1728 {{0x6abd, 0xc7af, 0x3e4e, 0x95fd, 0x8fc4, 0xee25, 0x1f9c, 0x0afe,
1729 0x291d, 0xcde0, 0x48f4, 0xb2e8, 0xf7af, 0x8f8d, 0x0bd6, 0x078d},
1730 {0x4037, 0xbf0e, 0x2081, 0xf363, 0x13b2, 0x381e, 0xfb6e, 0x818e,
1731 0x27e4, 0x5662, 0x18b0, 0x0cd2, 0x81f5, 0x9415, 0x0d6c, 0xf9fb},
1732 {0xd205, 0x0981, 0x0498, 0x1f08, 0xdb93, 0x1732, 0x0579, 0x1424,
1733 0xad95, 0x642f, 0x050c, 0x1d6d, 0xfc95, 0xfc4a, 0xd41b, 0x3521}},
1734 {{0xf23a, 0x4633, 0xaef4, 0x1a92, 0x3c8b, 0x1f09, 0x30f3, 0x4c56,
1735 0x2a2f, 0x4f62, 0xf5e4, 0x8329, 0x63cc, 0xb593, 0xec6a, 0xc428},
1736 {0x93a7, 0xfcf6, 0x606d, 0xd4b2, 0x2aad, 0x28b4, 0xc65b, 0x8998,
1737 0x4e08, 0xd178, 0x0900, 0xc82b, 0x7470, 0xa342, 0x7c0f, 0xffff},
1738 {0x315f, 0xf304, 0xeb7b, 0xe5c3, 0x1451, 0x6311, 0x8f37, 0x93a8,
1739 0x4a38, 0xa6c6, 0xe393, 0x1087, 0x6301, 0xd673, 0x4ec4, 0xffff}},
1740 {{0x892e, 0xeed0, 0x1165, 0xcbc1, 0x5545, 0xa280, 0x7243, 0x10c9,
1741 0x9536, 0x36af, 0xb3fc, 0x2d7c, 0xe8a5, 0x09d6, 0xe1d4, 0xe85d},
1742 {0xae09, 0xc28a, 0xd777, 0xbd80, 0x23d6, 0xf980, 0xeb7c, 0x4e0e,
1743 0xf7dc, 0x6475, 0xf10a, 0x2d33, 0x5dfd, 0x797a, 0x7f1c, 0xf71a},
1744 {0x4064, 0x8717, 0xd091, 0x80b0, 0x4527, 0x8442, 0xac8b, 0x9614,
1745 0xc633, 0x35f5, 0x7714, 0x2e83, 0x4aaa, 0xd2e4, 0x1acd, 0x0562}},
1746 {{0xdb64, 0x0937, 0x308b, 0x53b0, 0x00e8, 0xc77f, 0x2f30, 0x37f7,
1747 0x79ce, 0xeb7f, 0xde81, 0x9286, 0xafda, 0x0e62, 0xae00, 0x0067},
1748 {0x2cc7, 0xd362, 0xb161, 0x0557, 0x4ff2, 0xb9c8, 0x06fe, 0x5f2b,
1749 0xde33, 0x0190, 0x28c6, 0xb886, 0xee2b, 0x5a4e, 0x3289, 0x0185},
1750 {0x4215, 0x923e, 0xf34f, 0xb362, 0x88f8, 0xceec, 0xafdd, 0x7f42,
1751 0x0c57, 0x56b2, 0xa366, 0x6a08, 0x0826, 0xfb8f, 0x1b03, 0x0163}},
1752 {{0xa4ba, 0x8408, 0x810a, 0xdeba, 0x47a3, 0x853a, 0xeb64, 0x2f74,
1753 0x3039, 0x038c, 0x7fbb, 0x498e, 0xd1e9, 0x46fb, 0x5691, 0x32a4},
1754 {0xd749, 0xb49d, 0x20b7, 0x2af6, 0xd34a, 0xd2da, 0x0a10, 0xf781,
1755 0x58c9, 0x171f, 0x3cb6, 0x6337, 0x88cd, 0xcf1e, 0xb246, 0x7351},
1756 {0xf729, 0xcf0a, 0x96ea, 0x032c, 0x4a8f, 0x42fe, 0xbac8, 0xec65,
1757 0x1510, 0x0d75, 0x4c17, 0x8d29, 0xa03f, 0x8b7e, 0x2c49, 0x0000}},
1758 {{0x0fa4, 0x8e1c, 0x3788, 0xba3c, 0x8d52, 0xd89d, 0x12c8, 0xeced,
1759 0x9fe6, 0x9b88, 0xecf3, 0xe3c8, 0xac48, 0x76ed, 0xf23e, 0xda79},
1760 {0x1103, 0x227c, 0x5b00, 0x3fcf, 0xc5d0, 0x2d28, 0x8020, 0x4d1c,
1761 0xc6b9, 0x67f9, 0x6f39, 0x989a, 0xda53, 0x3847, 0xd416, 0xe0d0},
1762 {0xdd8e, 0xcf31, 0x3710, 0x7e44, 0xa511, 0x933c, 0x0cc3, 0x5145,
1763 0xf632, 0x5e1d, 0x038f, 0x5ce7, 0x7265, 0xda9d, 0xded6, 0x08f8}},
1764 {{0xe2c8, 0x91d5, 0xa5f5, 0x735f, 0x6b58, 0x56dc, 0xb39d, 0x5c4a,
1765 0x57d0, 0xa1c2, 0xd92f, 0x9ad4, 0xf7c4, 0x51dd, 0xaf5c, 0x0096},
1766 {0x1739, 0x7207, 0x7505, 0xbf35, 0x42de, 0x0a29, 0xa962, 0xdedf,
1767 0x53e8, 0x12bf, 0xcde7, 0xd8e2, 0x8d4d, 0x2c4b, 0xb1b1, 0x0628},
1768 {0x992d, 0xe3a7, 0xb422, 0xc198, 0x23ab, 0xa6ef, 0xb45d, 0x50da,
1769 0xa738, 0x014a, 0x2310, 0x85fb, 0x5fe8, 0x1b18, 0x1774, 0x03a7}},
1770 {{0x1f16, 0x2b09, 0x0236, 0xee90, 0xccf9, 0x9775, 0x8130, 0x4c91,
1771 0x9091, 0x310b, 0x6dc4, 0x86f6, 0xc2e8, 0xef60, 0xfc0e, 0xf3a4},
1772 {0x9f49, 0xac15, 0x02af, 0x110f, 0xc59d, 0x5677, 0xa1a9, 0x38d5,
1773 0x914f, 0xa909, 0x3a3a, 0x4a39, 0x3703, 0xea30, 0x73da, 0xffad},
1774 {0x15ed, 0xdd16, 0x83c7, 0x270a, 0x862f, 0xd8ad, 0xcaa1, 0x5f41,
1775 0x99a9, 0x3fc8, 0x7bb2, 0x360a, 0xb06d, 0xfadc, 0x1b36, 0xffa8}},
1776 {{0xc4e0, 0xb8fd, 0x5106, 0xe169, 0x754c, 0xa58c, 0xc413, 0x8224,
1777 0x5483, 0x63ec, 0xd477, 0x8473, 0x4778, 0x9281, 0x0000, 0x0000},
1778 {0x85e1, 0xff54, 0xb200, 0xe413, 0xf4f4, 0x4c0f, 0xfcec, 0xc183,
1779 0x60d3, 0x1b0c, 0x3834, 0x601c, 0x943c, 0xbe6e, 0x0002, 0x0000},
1780 {0xf4f8, 0xfd5e, 0x61ef, 0xece8, 0x9199, 0xe5c4, 0x05a6, 0xe6c3,
1781 0xc4ae, 0x8b28, 0x66b1, 0x8a95, 0x9ece, 0x8f4a, 0x0001, 0x0000}},
1782 {{0xeae9, 0xa1b4, 0xc6d8, 0x2411, 0x2b5a, 0x1dd0, 0x2dc9, 0xb57b,
1783 0x5ccd, 0x4957, 0xaf59, 0xa04b, 0x5f42, 0xab7c, 0x2826, 0x526f},
1784 {0xf407, 0x165a, 0xb724, 0x2f12, 0x2ea1, 0x470b, 0x4464, 0xbd35,
1785 0x606f, 0xd73e, 0x50d3, 0x8a7f, 0x8029, 0x7ffc, 0xbe31, 0x6cfb},
1786 {0x8171, 0x1f4c, 0xced2, 0x9c99, 0x6d7e, 0x5a0f, 0xfefb, 0x59e3,
1787 0xa0c8, 0xabd9, 0xc4c5, 0x57d3, 0xbfa3, 0x4f11, 0x96a2, 0x5a7d}},
1788 {{0xe068, 0x4cc0, 0x8bcd, 0xc903, 0x9e52, 0xb3e1, 0xd745, 0x0995,
1789 0xdd8f, 0xf14b, 0xd2ac, 0xd65a, 0xda1d, 0xa742, 0xbac5, 0x474c},
1790 {0x7481, 0xf2ad, 0x9757, 0x2d82, 0xb683, 0xb16b, 0x0002, 0x7b60,
1791 0x8f0c, 0x2594, 0x8f64, 0x3b7a, 0x3552, 0x8d9d, 0xb9d7, 0x67eb},
1792 {0xcaab, 0xb9a1, 0xf966, 0xe311, 0x5b34, 0x0fa0, 0x6abc, 0x8134,
1793 0xab3d, 0x90f6, 0x1984, 0x9232, 0xec17, 0x74e5, 0x2ceb, 0x434e}},
1794 {{0x0fb1, 0x7a55, 0x1a5c, 0x53eb, 0xd7b3, 0x7a01, 0xca32, 0x31f6,
1795 0x3b74, 0x679e, 0x1501, 0x6c57, 0xdb20, 0x8b7c, 0xd7d0, 0x8097},
1796 {0xb127, 0xb20c, 0xe3a2, 0x96f3, 0xe0d8, 0xd50c, 0x14b4, 0x0b40,
1797 0x6eeb, 0xa258, 0x99db, 0x3c8c, 0x0f51, 0x4198, 0x3887, 0xffd0},
1798 {0x0273, 0x9f8c, 0x9669, 0xbbba, 0x1c49, 0x767c, 0xc2af, 0x59f0,
1799 0x1366, 0xd397, 0x63ac, 0x6fe8, 0x1a9a, 0x1259, 0x01d0, 0x0016}},
1800 {{0x7876, 0x2a35, 0xa24a, 0x433e, 0x5501, 0x573c, 0xd76d, 0xcb82,
1801 0x1334, 0xb4a6, 0xf290, 0xc797, 0xeae9, 0x2b83, 0x1e2b, 0x8b14},
1802 {0x3885, 0x8aef, 0x9dea, 0x2b8c, 0xdd7c, 0xd7cd, 0xb0cc, 0x05ee,
1803 0x361b, 0x3800, 0xb0d4, 0x4c23, 0xbd3f, 0x5180, 0x9783, 0xff80},
1804 {0xab36, 0x3104, 0xdae8, 0x0704, 0x4a28, 0x6714, 0x824b, 0x0051,
1805 0x8134, 0x1f6a, 0x712d, 0x1f03, 0x03b2, 0xecac, 0x377d, 0xfef9}}
1806 };
1807
1808 int i, j, ok;
1809
1810 /* Test known inputs/outputs */
1811 for (i = 0; (size_t)i < ARRAY_SIZE(CASES); ++i) {
1812 uint16_t out[16];
1813 test_modinv32_uint16(out, CASES[i][0], CASES[i][1]);
1814 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1815#ifdef SECP256K1_WIDEMUL_INT128
1816 test_modinv64_uint16(out, CASES[i][0], CASES[i][1]);
1817 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1818#endif
1819 }
1820
1821 for (i = 0; i < 100 * COUNT; ++i) {
1822 /* 256-bit numbers in 16-uint16_t's notation */
1823 static const uint16_t ZERO[16] = {0};
1824 uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */
1825 uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */
1826 uint16_t id[16]; /* the inverse of xd mod md */
1827
1828 /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */
1829 do {
1830 /* generate random xd and md (with many subsequent 0s and 1s) */
1831 testrand256_test((unsigned char*)xd);
1832 testrand256_test((unsigned char*)md);
1833 md[0] |= 1; /* modulus must be odd */
1834 /* If modulus is 1, find another one. */
1835 ok = md[0] != 1;
1836 for (j = 1; j < 16; ++j) ok |= md[j] != 0;
1837 mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */
1838 } while (!(ok && coprime(xd, md)));
1839
1840 test_modinv32_uint16(id, xd, md);
1841#ifdef SECP256K1_WIDEMUL_INT128
1842 test_modinv64_uint16(id, xd, md);
1843#endif
1844
1845 /* In a few cases, also test with input=0 */
1846 if (i < COUNT) {
1847 test_modinv32_uint16(id, ZERO, md);
1848#ifdef SECP256K1_WIDEMUL_INT128
1849 test_modinv64_uint16(id, ZERO, md);
1850#endif
1851 }
1852 }
1853}
1854
1855/***** INT128 TESTS *****/
1856
1857#ifdef SECP256K1_WIDEMUL_INT128
1858/* Add two 256-bit numbers (represented as 16 uint16_t's in LE order) together mod 2^256. */
1859static void add256(uint16_t* out, const uint16_t* a, const uint16_t* b) {
1860 int i;
1861 uint32_t carry = 0;
1862 for (i = 0; i < 16; ++i) {
1863 carry += a[i];
1864 carry += b[i];
1865 out[i] = carry;
1866 carry >>= 16;
1867 }
1868}
1869
1870/* Negate a 256-bit number (represented as 16 uint16_t's in LE order) mod 2^256. */
1871static void neg256(uint16_t* out, const uint16_t* a) {
1872 int i;
1873 uint32_t carry = 1;
1874 for (i = 0; i < 16; ++i) {
1875 carry += (uint16_t)~a[i];
1876 out[i] = carry;
1877 carry >>= 16;
1878 }
1879}
1880
1881/* Right-shift a 256-bit number (represented as 16 uint16_t's in LE order). */
1882static void rshift256(uint16_t* out, const uint16_t* a, int n, int sign_extend) {
1883 uint16_t sign = sign_extend && (a[15] >> 15);
1884 int i, j;
1885 for (i = 15; i >= 0; --i) {
1886 uint16_t v = 0;
1887 for (j = 0; j < 16; ++j) {
1888 int frompos = i*16 + j + n;
1889 if (frompos >= 256) {
1890 v |= sign << j;
1891 } else {
1892 v |= ((uint16_t)((a[frompos >> 4] >> (frompos & 15)) & 1)) << j;
1893 }
1894 }
1895 out[i] = v;
1896 }
1897}
1898
1899/* Load a 64-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */
1900static void load256u64(uint16_t* out, uint64_t v, int is_signed) {
1901 int i;
1902 uint64_t sign = is_signed && (v >> 63) ? UINT64_MAX : 0;
1903 for (i = 0; i < 4; ++i) {
1904 out[i] = v >> (16 * i);
1905 }
1906 for (i = 4; i < 16; ++i) {
1907 out[i] = sign;
1908 }
1909}
1910
1911/* Load a 128-bit unsigned integer into an array of 16 uint16_t's in LE order representing a 256-bit value. */
1912static void load256two64(uint16_t* out, uint64_t hi, uint64_t lo, int is_signed) {
1913 int i;
1914 uint64_t sign = is_signed && (hi >> 63) ? UINT64_MAX : 0;
1915 for (i = 0; i < 4; ++i) {
1916 out[i] = lo >> (16 * i);
1917 }
1918 for (i = 4; i < 8; ++i) {
1919 out[i] = hi >> (16 * (i - 4));
1920 }
1921 for (i = 8; i < 16; ++i) {
1922 out[i] = sign;
1923 }
1924}
1925
1926/* Check whether the 256-bit value represented by array of 16-bit values is in range -2^127 < v < 2^127. */
1927static int int256is127(const uint16_t* v) {
1928 int all_0 = ((v[7] & 0x8000) == 0), all_1 = ((v[7] & 0x8000) == 0x8000);
1929 int i;
1930 for (i = 8; i < 16; ++i) {
1931 if (v[i] != 0) all_0 = 0;
1932 if (v[i] != 0xffff) all_1 = 0;
1933 }
1934 return all_0 || all_1;
1935}
1936
1937static void load256u128(uint16_t* out, const secp256k1_uint128* v) {
1938 uint64_t lo = secp256k1_u128_to_u64(v), hi = secp256k1_u128_hi_u64(v);
1939 load256two64(out, hi, lo, 0);
1940}
1941
1942static void load256i128(uint16_t* out, const secp256k1_int128* v) {
1943 uint64_t lo;
1944 int64_t hi;
1945 secp256k1_int128 c = *v;
1946 lo = secp256k1_i128_to_u64(&c);
1947 secp256k1_i128_rshift(&c, 64);
1948 hi = secp256k1_i128_to_i64(&c);
1949 load256two64(out, hi, lo, 1);
1950}
1951
1952static void run_int128_test_case(void) {
1953 unsigned char buf[32];
1954 uint64_t v[4];
1955 secp256k1_int128 swa, swz;
1956 secp256k1_uint128 uwa, uwz;
1957 uint64_t ub, uc;
1958 int64_t sb, sc;
1959 uint16_t rswa[16], rswz[32], rswr[32], ruwa[16], ruwz[32], ruwr[32];
1960 uint16_t rub[16], ruc[16], rsb[16], rsc[16];
1961 int i;
1962
1963 /* Generate 32-byte random value. */
1964 testrand256_test(buf);
1965 /* Convert into 4 64-bit integers. */
1966 for (i = 0; i < 4; ++i) {
1967 uint64_t vi = 0;
1968 int j;
1969 for (j = 0; j < 8; ++j) vi = (vi << 8) + buf[8*i + j];
1970 v[i] = vi;
1971 }
1972 /* Convert those into a 128-bit value and two 64-bit values (signed and unsigned). */
1973 secp256k1_u128_load(&uwa, v[1], v[0]);
1974 secp256k1_i128_load(&swa, v[1], v[0]);
1975 ub = v[2];
1976 sb = v[2];
1977 uc = v[3];
1978 sc = v[3];
1979 /* Load those also into 16-bit array representations. */
1980 load256u128(ruwa, &uwa);
1981 load256i128(rswa, &swa);
1982 load256u64(rub, ub, 0);
1983 load256u64(rsb, sb, 1);
1984 load256u64(ruc, uc, 0);
1985 load256u64(rsc, sc, 1);
1986 /* test secp256k1_u128_mul */
1987 mulmod256(ruwr, rub, ruc, NULL);
1988 secp256k1_u128_mul(&uwz, ub, uc);
1989 load256u128(ruwz, &uwz);
1990 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1991 /* test secp256k1_u128_accum_mul */
1992 mulmod256(ruwr, rub, ruc, NULL);
1993 add256(ruwr, ruwr, ruwa);
1994 uwz = uwa;
1995 secp256k1_u128_accum_mul(&uwz, ub, uc);
1996 load256u128(ruwz, &uwz);
1997 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
1998 /* test secp256k1_u128_accum_u64 */
1999 add256(ruwr, rub, ruwa);
2000 uwz = uwa;
2001 secp256k1_u128_accum_u64(&uwz, ub);
2002 load256u128(ruwz, &uwz);
2003 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
2004 /* test secp256k1_u128_rshift */
2005 rshift256(ruwr, ruwa, uc % 128, 0);
2006 uwz = uwa;
2007 secp256k1_u128_rshift(&uwz, uc % 128);
2008 load256u128(ruwz, &uwz);
2009 CHECK(secp256k1_memcmp_var(ruwr, ruwz, 16) == 0);
2010 /* test secp256k1_u128_to_u64 */
2011 CHECK(secp256k1_u128_to_u64(&uwa) == v[0]);
2012 /* test secp256k1_u128_hi_u64 */
2013 CHECK(secp256k1_u128_hi_u64(&uwa) == v[1]);
2014 /* test secp256k1_u128_from_u64 */
2015 secp256k1_u128_from_u64(&uwz, ub);
2016 load256u128(ruwz, &uwz);
2017 CHECK(secp256k1_memcmp_var(rub, ruwz, 16) == 0);
2018 /* test secp256k1_u128_check_bits */
2019 {
2020 int uwa_bits = 0;
2021 int j;
2022 for (j = 0; j < 128; ++j) {
2023 if (ruwa[j / 16] >> (j % 16)) uwa_bits = 1 + j;
2024 }
2025 for (j = 0; j < 128; ++j) {
2026 CHECK(secp256k1_u128_check_bits(&uwa, j) == (uwa_bits <= j));
2027 }
2028 }
2029 /* test secp256k1_i128_mul */
2030 mulmod256(rswr, rsb, rsc, NULL);
2031 secp256k1_i128_mul(&swz, sb, sc);
2032 load256i128(rswz, &swz);
2033 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
2034 /* test secp256k1_i128_accum_mul */
2035 mulmod256(rswr, rsb, rsc, NULL);
2036 add256(rswr, rswr, rswa);
2037 if (int256is127(rswr)) {
2038 swz = swa;
2039 secp256k1_i128_accum_mul(&swz, sb, sc);
2040 load256i128(rswz, &swz);
2041 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
2042 }
2043 /* test secp256k1_i128_det */
2044 {
2045 uint16_t rsd[16], rse[16], rst[32];
2046 int64_t sd = v[0], se = v[1];
2047 load256u64(rsd, sd, 1);
2048 load256u64(rse, se, 1);
2049 mulmod256(rst, rsc, rsd, NULL);
2050 neg256(rst, rst);
2051 mulmod256(rswr, rsb, rse, NULL);
2052 add256(rswr, rswr, rst);
2053 secp256k1_i128_det(&swz, sb, sc, sd, se);
2054 load256i128(rswz, &swz);
2055 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
2056 }
2057 /* test secp256k1_i128_rshift */
2058 rshift256(rswr, rswa, uc % 127, 1);
2059 swz = swa;
2060 secp256k1_i128_rshift(&swz, uc % 127);
2061 load256i128(rswz, &swz);
2062 CHECK(secp256k1_memcmp_var(rswr, rswz, 16) == 0);
2063 /* test secp256k1_i128_to_u64 */
2064 CHECK(secp256k1_i128_to_u64(&swa) == v[0]);
2065 /* test secp256k1_i128_from_i64 */
2066 secp256k1_i128_from_i64(&swz, sb);
2067 load256i128(rswz, &swz);
2068 CHECK(secp256k1_memcmp_var(rsb, rswz, 16) == 0);
2069 /* test secp256k1_i128_to_i64 */
2070 CHECK(secp256k1_i128_to_i64(&swz) == sb);
2071 /* test secp256k1_i128_eq_var */
2072 {
2073 int expect = (uc & 1);
2074 swz = swa;
2075 if (!expect) {
2076 /* Make sure swz != swa */
2077 uint64_t v0c = v[0], v1c = v[1];
2078 if (ub & 64) {
2079 v1c ^= (((uint64_t)1) << (ub & 63));
2080 } else {
2081 v0c ^= (((uint64_t)1) << (ub & 63));
2082 }
2083 secp256k1_i128_load(&swz, v1c, v0c);
2084 }
2085 CHECK(secp256k1_i128_eq_var(&swa, &swz) == expect);
2086 }
2087 /* test secp256k1_i128_check_pow2 (sign == 1) */
2088 {
2089 int expect = (uc & 1);
2090 int pos = ub % 127;
2091 if (expect) {
2092 /* If expect==1, set swz to exactly 2^pos. */
2093 uint64_t hi = 0;
2094 uint64_t lo = 0;
2095 if (pos >= 64) {
2096 hi = (((uint64_t)1) << (pos & 63));
2097 } else {
2098 lo = (((uint64_t)1) << (pos & 63));
2099 }
2100 secp256k1_i128_load(&swz, hi, lo);
2101 } else {
2102 /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal 2^pos. */
2103 if (pos >= 64) {
2104 if ((v[1] == (((uint64_t)1) << (pos & 63))) && v[0] == 0) expect = 1;
2105 } else {
2106 if ((v[0] == (((uint64_t)1) << (pos & 63))) && v[1] == 0) expect = 1;
2107 }
2108 swz = swa;
2109 }
2110 CHECK(secp256k1_i128_check_pow2(&swz, pos, 1) == expect);
2111 }
2112 /* test secp256k1_i128_check_pow2 (sign == -1) */
2113 {
2114 int expect = (uc & 1);
2115 int pos = ub % 127;
2116 if (expect) {
2117 /* If expect==1, set swz to exactly -2^pos. */
2118 uint64_t hi = ~(uint64_t)0;
2119 uint64_t lo = ~(uint64_t)0;
2120 if (pos >= 64) {
2121 hi <<= (pos & 63);
2122 lo = 0;
2123 } else {
2124 lo <<= (pos & 63);
2125 }
2126 secp256k1_i128_load(&swz, hi, lo);
2127 } else {
2128 /* If expect==0, set swz = swa, but update expect=1 if swa happens to equal -2^pos. */
2129 if (pos >= 64) {
2130 if ((v[1] == ((~(uint64_t)0) << (pos & 63))) && v[0] == 0) expect = 1;
2131 } else {
2132 if ((v[0] == ((~(uint64_t)0) << (pos & 63))) && v[1] == ~(uint64_t)0) expect = 1;
2133 }
2134 swz = swa;
2135 }
2136 CHECK(secp256k1_i128_check_pow2(&swz, pos, -1) == expect);
2137 }
2138}
2139
2140static void run_int128_tests(void) {
2141 { /* secp256k1_u128_accum_mul */
2142 secp256k1_uint128 res;
2143
2144 /* Check secp256k1_u128_accum_mul overflow */
2145 secp256k1_u128_mul(&res, UINT64_MAX, UINT64_MAX);
2146 secp256k1_u128_accum_mul(&res, UINT64_MAX, UINT64_MAX);
2147 CHECK(secp256k1_u128_to_u64(&res) == 2);
2148 CHECK(secp256k1_u128_hi_u64(&res) == 18446744073709551612U);
2149 }
2150 { /* secp256k1_u128_accum_mul */
2151 secp256k1_int128 res;
2152
2153 /* Compute INT128_MAX = 2^127 - 1 with secp256k1_i128_accum_mul */
2154 secp256k1_i128_mul(&res, INT64_MAX, INT64_MAX);
2155 secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MAX);
2156 CHECK(secp256k1_i128_to_u64(&res) == 2);
2157 secp256k1_i128_accum_mul(&res, 4, 9223372036854775807);
2158 secp256k1_i128_accum_mul(&res, 1, 1);
2159 CHECK(secp256k1_i128_to_u64(&res) == UINT64_MAX);
2160 secp256k1_i128_rshift(&res, 64);
2161 CHECK(secp256k1_i128_to_i64(&res) == INT64_MAX);
2162
2163 /* Compute INT128_MIN = - 2^127 with secp256k1_i128_accum_mul */
2164 secp256k1_i128_mul(&res, INT64_MAX, INT64_MIN);
2165 CHECK(secp256k1_i128_to_u64(&res) == (uint64_t)INT64_MIN);
2166 secp256k1_i128_accum_mul(&res, INT64_MAX, INT64_MIN);
2167 CHECK(secp256k1_i128_to_u64(&res) == 0);
2168 secp256k1_i128_accum_mul(&res, 2, INT64_MIN);
2169 CHECK(secp256k1_i128_to_u64(&res) == 0);
2170 secp256k1_i128_rshift(&res, 64);
2171 CHECK(secp256k1_i128_to_i64(&res) == INT64_MIN);
2172 }
2173 {
2174 /* Randomized tests. */
2175 int i;
2176 for (i = 0; i < 256 * COUNT; ++i) run_int128_test_case();
2177 }
2178}
2179#endif
2180
2181/***** SCALAR TESTS *****/
2182
2183static void scalar_test(void) {
2184 secp256k1_scalar s;
2185 secp256k1_scalar s1;
2186 secp256k1_scalar s2;
2187 unsigned char c[32];
2188
2189 /* Set 's' to a random scalar, with value 'snum'. */
2190 testutil_random_scalar_order_test(&s);
2191
2192 /* Set 's1' to a random scalar, with value 's1num'. */
2193 testutil_random_scalar_order_test(&s1);
2194
2195 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
2196 testutil_random_scalar_order_test(&s2);
2197 secp256k1_scalar_get_b32(c, &s2);
2198
2199 {
2200 int i;
2201 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
2202 secp256k1_scalar n;
2203 secp256k1_scalar_set_int(&n, 0);
2204 for (i = 0; i < 256; i += 4) {
2205 secp256k1_scalar t;
2206 int j;
2207 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_limb32(&s, 256 - 4 - i, 4));
2208 for (j = 0; j < 4; j++) {
2209 secp256k1_scalar_add(&n, &n, &n);
2210 }
2211 secp256k1_scalar_add(&n, &n, &t);
2212 }
2213 CHECK(secp256k1_scalar_eq(&n, &s));
2214 }
2215
2216 {
2217 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
2218 secp256k1_scalar n;
2219 int i = 0;
2220 secp256k1_scalar_set_int(&n, 0);
2221 while (i < 256) {
2222 secp256k1_scalar t;
2223 int j;
2224 int now = testrand_int(15) + 1;
2225 if (now + i > 256) {
2226 now = 256 - i;
2227 }
2228 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
2229 for (j = 0; j < now; j++) {
2230 secp256k1_scalar_add(&n, &n, &n);
2231 }
2232 secp256k1_scalar_add(&n, &n, &t);
2233 i += now;
2234 }
2235 CHECK(secp256k1_scalar_eq(&n, &s));
2236 }
2237
2238 {
2239 /* Test commutativity of add. */
2240 secp256k1_scalar r1, r2;
2241 secp256k1_scalar_add(&r1, &s1, &s2);
2242 secp256k1_scalar_add(&r2, &s2, &s1);
2243 CHECK(secp256k1_scalar_eq(&r1, &r2));
2244 }
2245
2246 {
2247 secp256k1_scalar r1, r2;
2248 secp256k1_scalar b;
2249 int i;
2250 /* Test add_bit. */
2251 int bit = testrand_bits(8);
2252 secp256k1_scalar_set_int(&b, 1);
2253 CHECK(secp256k1_scalar_is_one(&b));
2254 for (i = 0; i < bit; i++) {
2255 secp256k1_scalar_add(&b, &b, &b);
2256 }
2257 r1 = s1;
2258 r2 = s1;
2259 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
2260 /* No overflow happened. */
2261 secp256k1_scalar_cadd_bit(&r2, bit, 1);
2262 CHECK(secp256k1_scalar_eq(&r1, &r2));
2263 /* cadd is a noop when flag is zero */
2264 secp256k1_scalar_cadd_bit(&r2, bit, 0);
2265 CHECK(secp256k1_scalar_eq(&r1, &r2));
2266 }
2267 }
2268
2269 {
2270 /* Test commutativity of mul. */
2271 secp256k1_scalar r1, r2;
2272 secp256k1_scalar_mul(&r1, &s1, &s2);
2273 secp256k1_scalar_mul(&r2, &s2, &s1);
2274 CHECK(secp256k1_scalar_eq(&r1, &r2));
2275 }
2276
2277 {
2278 /* Test associativity of add. */
2279 secp256k1_scalar r1, r2;
2280 secp256k1_scalar_add(&r1, &s1, &s2);
2281 secp256k1_scalar_add(&r1, &r1, &s);
2282 secp256k1_scalar_add(&r2, &s2, &s);
2283 secp256k1_scalar_add(&r2, &s1, &r2);
2284 CHECK(secp256k1_scalar_eq(&r1, &r2));
2285 }
2286
2287 {
2288 /* Test associativity of mul. */
2289 secp256k1_scalar r1, r2;
2290 secp256k1_scalar_mul(&r1, &s1, &s2);
2291 secp256k1_scalar_mul(&r1, &r1, &s);
2292 secp256k1_scalar_mul(&r2, &s2, &s);
2293 secp256k1_scalar_mul(&r2, &s1, &r2);
2294 CHECK(secp256k1_scalar_eq(&r1, &r2));
2295 }
2296
2297 {
2298 /* Test distributitivity of mul over add. */
2299 secp256k1_scalar r1, r2, t;
2300 secp256k1_scalar_add(&r1, &s1, &s2);
2301 secp256k1_scalar_mul(&r1, &r1, &s);
2302 secp256k1_scalar_mul(&r2, &s1, &s);
2303 secp256k1_scalar_mul(&t, &s2, &s);
2304 secp256k1_scalar_add(&r2, &r2, &t);
2305 CHECK(secp256k1_scalar_eq(&r1, &r2));
2306 }
2307
2308 {
2309 /* Test multiplicative identity. */
2310 secp256k1_scalar r1;
2311 secp256k1_scalar_mul(&r1, &s1, &secp256k1_scalar_one);
2312 CHECK(secp256k1_scalar_eq(&r1, &s1));
2313 }
2314
2315 {
2316 /* Test additive identity. */
2317 secp256k1_scalar r1;
2318 secp256k1_scalar_add(&r1, &s1, &secp256k1_scalar_zero);
2319 CHECK(secp256k1_scalar_eq(&r1, &s1));
2320 }
2321
2322 {
2323 /* Test zero product property. */
2324 secp256k1_scalar r1;
2325 secp256k1_scalar_mul(&r1, &s1, &secp256k1_scalar_zero);
2326 CHECK(secp256k1_scalar_eq(&r1, &secp256k1_scalar_zero));
2327 }
2328
2329 {
2330 /* Test halving. */
2331 secp256k1_scalar r;
2332 secp256k1_scalar_add(&r, &s, &s);
2333 secp256k1_scalar_half(&r, &r);
2334 CHECK(secp256k1_scalar_eq(&r, &s));
2335 }
2336}
2337
2338static void run_scalar_set_b32_seckey_tests(void) {
2339 unsigned char b32[32];
2340 secp256k1_scalar s1;
2341 secp256k1_scalar s2;
2342
2343 /* Usually set_b32 and set_b32_seckey give the same result */
2344 testutil_random_scalar_order_b32(b32);
2345 secp256k1_scalar_set_b32(&s1, b32, NULL);
2346 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
2347 CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
2348
2349 memset(b32, 0, sizeof(b32));
2350 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
2351 memset(b32, 0xFF, sizeof(b32));
2352 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
2353}
2354
2355static void test_scalar_check_overflow(void) {
2356 secp256k1_scalar s;
2357 const secp256k1_scalar n_minus_1 = SECP256K1_SCALAR_CONST(
2358 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL,
2359 0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364140UL
2360 );
2361 const secp256k1_scalar n = SECP256K1_SCALAR_CONST(
2362 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL,
2363 0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364141UL
2364 );
2365 const secp256k1_scalar n_plus_1 = SECP256K1_SCALAR_CONST(
2366 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL,
2367 0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364142UL
2368 );
2369 const secp256k1_scalar max = SECP256K1_SCALAR_CONST(
2370 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
2371 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
2372 );
2373
2374 int i;
2375
2376 secp256k1_scalar_set_int(&s, 0);
2377 CHECK(secp256k1_scalar_check_overflow(&s) == 0);
2378 CHECK(secp256k1_scalar_check_overflow(&n_minus_1) == 0);
2379 CHECK(secp256k1_scalar_check_overflow(&n) == 1);
2380 CHECK(secp256k1_scalar_check_overflow(&n_plus_1) == 1);
2381 CHECK(secp256k1_scalar_check_overflow(&max) == 1);
2382
2383 for (i = 0; i < 2 * COUNT; i++) {
2384 int expected_overflow;
2385 int overflow = 0;
2386 unsigned char b32[32];
2387
2388 testrand256(b32);
2389
2390 /* Force top bits to be 0xFF sometimes to ensure we hit overflows */
2391 if (i % 2 == 0) {
2392 memset(b32, 0xFF, 16);
2393 }
2394
2395 expected_overflow = (secp256k1_memcmp_var(b32, secp256k1_group_order_bytes, 32) >= 0);
2396
2397 secp256k1_scalar_set_b32(&s, b32, &overflow);
2398 CHECK(overflow == expected_overflow);
2399 }
2400}
2401
2402static void run_scalar_tests(void) {
2403 int i;
2404
2405 test_scalar_check_overflow();
2406
2407 for (i = 0; i < 128 * COUNT; i++) {
2408 scalar_test();
2409 }
2410 for (i = 0; i < COUNT; i++) {
2411 run_scalar_set_b32_seckey_tests();
2412 }
2413
2414 {
2415 /* Check that the scalar constants secp256k1_scalar_zero and
2416 secp256k1_scalar_one contain the expected values. */
2417 secp256k1_scalar zero, one;
2418
2419 CHECK(secp256k1_scalar_is_zero(&secp256k1_scalar_zero));
2420 secp256k1_scalar_set_int(&zero, 0);
2421 CHECK(secp256k1_scalar_eq(&zero, &secp256k1_scalar_zero));
2422
2423 CHECK(secp256k1_scalar_is_one(&secp256k1_scalar_one));
2424 secp256k1_scalar_set_int(&one, 1);
2425 CHECK(secp256k1_scalar_eq(&one, &secp256k1_scalar_one));
2426 }
2427
2428 {
2429 /* (-1)+1 should be zero. */
2430 secp256k1_scalar o;
2431 secp256k1_scalar_negate(&o, &secp256k1_scalar_one);
2432 secp256k1_scalar_add(&o, &o, &secp256k1_scalar_one);
2433 CHECK(secp256k1_scalar_is_zero(&o));
2434 secp256k1_scalar_negate(&o, &o);
2435 CHECK(secp256k1_scalar_is_zero(&o));
2436 }
2437
2438 {
2439 /* Test that halving and doubling roundtrips on some fixed values. */
2440 static const secp256k1_scalar HALF_TESTS[] = {
2441 /* 0 */
2442 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
2443 /* 1 */
2444 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
2445 /* -1 */
2446 SECP256K1_SCALAR_CONST(0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffeul, 0xbaaedce6ul, 0xaf48a03bul, 0xbfd25e8cul, 0xd0364140ul),
2447 /* -2 (largest odd value) */
2448 SECP256K1_SCALAR_CONST(0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffeul, 0xbaaedce6ul, 0xaf48a03bul, 0xbfd25e8cul, 0xd036413Ful),
2449 /* Half the secp256k1 order */
2450 SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0x5d576e73ul, 0x57a4501dul, 0xdfe92f46ul, 0x681b20a0ul),
2451 /* Half the secp256k1 order + 1 */
2452 SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0x5d576e73ul, 0x57a4501dul, 0xdfe92f46ul, 0x681b20a1ul),
2453 /* 2^255 */
2454 SECP256K1_SCALAR_CONST(0x80000000ul, 0, 0, 0, 0, 0, 0, 0),
2455 /* 2^255 - 1 */
2456 SECP256K1_SCALAR_CONST(0x7ffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful, 0xfffffffful),
2457 };
2458 unsigned n;
2459 for (n = 0; n < ARRAY_SIZE(HALF_TESTS); ++n) {
2460 secp256k1_scalar s;
2461 secp256k1_scalar_half(&s, &HALF_TESTS[n]);
2462 secp256k1_scalar_add(&s, &s, &s);
2463 CHECK(secp256k1_scalar_eq(&s, &HALF_TESTS[n]));
2464 secp256k1_scalar_add(&s, &s, &s);
2465 secp256k1_scalar_half(&s, &s);
2466 CHECK(secp256k1_scalar_eq(&s, &HALF_TESTS[n]));
2467 }
2468 }
2469
2470 {
2471 /* Static test vectors.
2472 * These were reduced from ~10^12 random vectors based on comparison-decision
2473 * and edge-case coverage on 32-bit and 64-bit implementations.
2474 * The responses were generated with Sage 5.9.
2475 */
2476 secp256k1_scalar x;
2477 secp256k1_scalar y;
2478 secp256k1_scalar z;
2479 secp256k1_scalar zz;
2480 secp256k1_scalar r1;
2481 secp256k1_scalar r2;
2482 secp256k1_scalar zzv;
2483 int overflow;
2484 unsigned char chal[33][2][32] = {
2485 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
2486 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2487 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
2488 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
2489 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
2490 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
2491 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2492 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
2493 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
2494 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
2495 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2496 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2497 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2498 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
2499 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2500 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
2501 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2502 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
2503 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
2504 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
2505 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
2506 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
2507 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
2508 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
2509 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2510 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2511 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2512 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
2513 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
2514 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
2515 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
2516 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
2517 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
2518 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
2519 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
2520 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
2521 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
2522 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2523 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
2524 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
2525 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
2526 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2527 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
2528 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2529 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2530 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
2531 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
2532 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
2533 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
2534 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2535 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
2536 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
2537 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
2538 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2539 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
2540 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2541 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
2542 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2543 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2544 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
2545 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
2546 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
2547 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2548 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2549 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2550 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
2551 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2552 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2553 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2554 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2555 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2556 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2557 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2558 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2559 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
2560 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
2561 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
2562 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
2563 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
2564 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
2565 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
2566 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2567 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
2568 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
2569 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
2570 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2571 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
2572 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
2573 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2574 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2575 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2576 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2577 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2578 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
2579 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
2580 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2581 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2582 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2583 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2584 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
2585 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
2586 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
2587 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
2588 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
2589 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2590 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2591 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2592 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
2593 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
2594 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2595 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
2596 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
2597 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
2598 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
2599 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2600 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2601 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
2602 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2603 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2604 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
2605 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
2606 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2607 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2608 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2609 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2610 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
2611 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
2612 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
2613 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2614 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2615 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
2616 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
2617 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2618 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2619 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
2620 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2621 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2622 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
2623 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
2624 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
2625 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2626 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
2627 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2628 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
2629 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2630 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2631 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2632 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2633 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2634 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
2635 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
2636 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
2637 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
2638 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
2639 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2640 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
2641 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2642 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
2643 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
2644 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
2645 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2646 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2647 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2648 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2649 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2650 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2651 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2652 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
2653 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2654 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2655 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2656 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
2657 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2658 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2659 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2660 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2661 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2662 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2663 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2664 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2665 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2666 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2667 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2668 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2669 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
2670 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2671 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
2672 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
2673 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
2674 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
2675 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
2676 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
2677 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2678 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2679 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2680 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2681 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2682 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2683 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2684 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
2685 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2686 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2687 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2688 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2689 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2690 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2691 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2692 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2693 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2694 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
2695 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
2696 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
2697 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2698 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
2699 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
2700 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
2701 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
2702 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2703 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2704 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
2705 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
2706 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
2707 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2708 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
2709 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2710 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
2711 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
2712 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
2713 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
2714 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2715 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
2716 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
2717 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2718 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
2719 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
2720 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
2721 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
2722 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
2723 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
2724 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
2725 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
2726 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2727 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
2728 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
2729 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2730 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
2731 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
2732 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
2733 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
2734 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
2735 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
2736 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
2737 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
2738 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
2739 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
2740 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
2741 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2742 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2743 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2744 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
2745 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2746 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
2747 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
2748 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
2749 };
2750 unsigned char res[33][2][32] = {
2751 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
2752 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
2753 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
2754 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
2755 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
2756 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
2757 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
2758 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
2759 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
2760 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
2761 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
2762 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
2763 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
2764 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
2765 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
2766 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
2767 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
2768 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
2769 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
2770 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
2771 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
2772 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
2773 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
2774 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
2775 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
2776 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
2777 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
2778 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
2779 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
2780 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
2781 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
2782 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
2783 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
2784 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
2785 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
2786 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
2787 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
2788 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
2789 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
2790 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
2791 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
2792 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
2793 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
2794 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
2795 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
2796 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
2797 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
2798 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
2799 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
2800 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
2801 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
2802 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
2803 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
2804 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
2805 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
2806 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
2807 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
2808 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
2809 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
2810 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
2811 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
2812 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
2813 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
2814 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
2815 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
2816 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
2817 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
2818 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
2819 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
2820 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
2821 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
2822 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
2823 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
2824 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
2825 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
2826 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
2827 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
2828 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
2829 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
2830 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
2831 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
2832 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
2833 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
2834 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
2835 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
2836 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
2837 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
2838 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
2839 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
2840 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
2841 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
2842 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
2843 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
2844 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
2845 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
2846 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
2847 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
2848 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
2849 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
2850 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
2851 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
2852 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
2853 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
2854 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
2855 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
2856 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
2857 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
2858 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
2859 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
2860 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
2861 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
2862 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
2863 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
2864 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
2865 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
2866 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
2867 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
2868 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
2869 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
2870 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
2871 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
2872 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
2873 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
2874 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
2875 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
2876 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
2877 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
2878 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
2879 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
2880 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
2881 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
2882 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
2883 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
2884 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
2885 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
2886 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
2887 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
2888 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
2889 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
2890 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
2891 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
2892 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
2893 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
2894 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
2895 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
2896 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
2897 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
2898 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
2899 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
2900 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
2901 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
2902 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
2903 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
2904 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
2905 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
2906 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
2907 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
2908 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
2909 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
2910 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
2911 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2912 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2913 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2914 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2915 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2916 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2917 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2918 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
2919 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2920 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2921 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2922 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
2923 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2924 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2925 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2926 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2927 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2928 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2929 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2930 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
2931 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2932 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2933 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2934 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2935 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
2936 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
2937 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
2938 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
2939 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
2940 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
2941 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
2942 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
2943 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2944 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2945 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
2946 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
2947 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
2948 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
2949 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
2950 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
2951 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2952 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2953 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2954 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
2955 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2956 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2957 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2958 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
2959 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
2960 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
2961 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
2962 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
2963 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
2964 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
2965 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
2966 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
2967 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
2968 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
2969 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
2970 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
2971 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
2972 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
2973 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
2974 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
2975 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
2976 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
2977 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
2978 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
2979 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
2980 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
2981 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
2982 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
2983 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
2984 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
2985 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
2986 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
2987 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
2988 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
2989 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
2990 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
2991 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
2992 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
2993 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
2994 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
2995 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
2996 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
2997 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
2998 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
2999 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
3000 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
3001 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
3002 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
3003 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
3004 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
3005 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
3006 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
3007 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
3008 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
3009 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
3010 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
3011 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
3012 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
3013 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
3014 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
3015 };
3016 for (i = 0; i < 33; i++) {
3017 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
3018 CHECK(!overflow);
3019 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
3020 CHECK(!overflow);
3021 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
3022 CHECK(!overflow);
3023 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
3024 CHECK(!overflow);
3025 secp256k1_scalar_mul(&z, &x, &y);
3026 CHECK(secp256k1_scalar_eq(&r1, &z));
3027 if (!secp256k1_scalar_is_zero(&y)) {
3028 secp256k1_scalar_inverse(&zz, &y);
3029 secp256k1_scalar_inverse_var(&zzv, &y);
3030 CHECK(secp256k1_scalar_eq(&zzv, &zz));
3031 secp256k1_scalar_mul(&z, &z, &zz);
3032 CHECK(secp256k1_scalar_eq(&x, &z));
3033 secp256k1_scalar_mul(&zz, &zz, &y);
3034 CHECK(secp256k1_scalar_eq(&secp256k1_scalar_one, &zz));
3035 }
3036 secp256k1_scalar_mul(&z, &x, &x);
3037 CHECK(secp256k1_scalar_eq(&r2, &z));
3038 }
3039 }
3040}
3041
3042/***** FIELD TESTS *****/
3043
3044static void random_fe_non_square(secp256k1_fe *ns) {
3045 secp256k1_fe r;
3046 testutil_random_fe_non_zero(ns);
3047 if (secp256k1_fe_sqrt(&r, ns)) {
3048 secp256k1_fe_negate(ns, ns, 1);
3049 }
3050}
3051
3052static int fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
3053 secp256k1_fe an = *a;
3054 secp256k1_fe bn = *b;
3055 secp256k1_fe_normalize_weak(&an);
3056 return secp256k1_fe_equal(&an, &bn);
3057}
3058
3059static void run_field_convert(void) {
3060 static const unsigned char b32[32] = {
3061 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
3062 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
3063 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
3064 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
3065 };
3066 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
3067 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
3068 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
3069 );
3070 static const secp256k1_fe fe = SECP256K1_FE_CONST(
3071 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
3072 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
3073 );
3074 secp256k1_fe fe2;
3075 unsigned char b322[32];
3076 secp256k1_fe_storage fes2;
3077 /* Check conversions to fe. */
3078 CHECK(secp256k1_fe_set_b32_limit(&fe2, b32));
3079 CHECK(secp256k1_fe_equal(&fe, &fe2));
3080 secp256k1_fe_from_storage(&fe2, &fes);
3081 CHECK(secp256k1_fe_equal(&fe, &fe2));
3082 /* Check conversion from fe. */
3083 secp256k1_fe_get_b32(b322, &fe);
3084 CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
3085 secp256k1_fe_to_storage(&fes2, &fe);
3086 CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
3087}
3088
3089static void run_field_be32_overflow(void) {
3090 {
3091 static const unsigned char zero_overflow[32] = {
3092 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3093 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3094 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3095 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F,
3096 };
3097 static const unsigned char zero[32] = { 0x00 };
3098 unsigned char out[32];
3099 secp256k1_fe fe;
3100 CHECK(secp256k1_fe_set_b32_limit(&fe, zero_overflow) == 0);
3101 secp256k1_fe_set_b32_mod(&fe, zero_overflow);
3102 CHECK(secp256k1_fe_normalizes_to_zero(&fe) == 1);
3103 secp256k1_fe_normalize(&fe);
3104 CHECK(secp256k1_fe_is_zero(&fe) == 1);
3105 secp256k1_fe_get_b32(out, &fe);
3106 CHECK(secp256k1_memcmp_var(out, zero, 32) == 0);
3107 }
3108 {
3109 static const unsigned char one_overflow[32] = {
3110 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3111 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3112 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3113 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x30,
3114 };
3115 static const unsigned char one[32] = {
3116 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3117 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3118 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3119 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3120 };
3121 unsigned char out[32];
3122 secp256k1_fe fe;
3123 CHECK(secp256k1_fe_set_b32_limit(&fe, one_overflow) == 0);
3124 secp256k1_fe_set_b32_mod(&fe, one_overflow);
3125 secp256k1_fe_normalize(&fe);
3126 CHECK(secp256k1_fe_cmp_var(&fe, &secp256k1_fe_one) == 0);
3127 secp256k1_fe_get_b32(out, &fe);
3128 CHECK(secp256k1_memcmp_var(out, one, 32) == 0);
3129 }
3130 {
3131 static const unsigned char ff_overflow[32] = {
3132 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3133 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3134 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3135 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
3136 };
3137 static const unsigned char ff[32] = {
3138 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3139 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3140 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3141 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x03, 0xD0,
3142 };
3143 unsigned char out[32];
3144 secp256k1_fe fe;
3145 const secp256k1_fe fe_ff = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0x01, 0x000003d0);
3146 CHECK(secp256k1_fe_set_b32_limit(&fe, ff_overflow) == 0);
3147 secp256k1_fe_set_b32_mod(&fe, ff_overflow);
3148 secp256k1_fe_normalize(&fe);
3149 CHECK(secp256k1_fe_cmp_var(&fe, &fe_ff) == 0);
3150 secp256k1_fe_get_b32(out, &fe);
3151 CHECK(secp256k1_memcmp_var(out, ff, 32) == 0);
3152 }
3153}
3154
3155/* Returns true if two field elements have the same representation. */
3156static int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b) {
3157 int ret = 1;
3158 /* Compare the struct member that holds the limbs. */
3159 ret &= (secp256k1_memcmp_var(a->n, b->n, sizeof(a->n)) == 0);
3160 return ret;
3161}
3162
3163static void run_field_half(void) {
3164 secp256k1_fe t, u;
3165 int m;
3166
3167 /* Check magnitude 0 input */
3168 secp256k1_fe_get_bounds(&t, 0);
3169 secp256k1_fe_half(&t);
3170#ifdef VERIFY
3171 CHECK(t.magnitude == 1);
3172 CHECK(t.normalized == 0);
3173#endif
3174 CHECK(secp256k1_fe_normalizes_to_zero(&t));
3175
3176 /* Check non-zero magnitudes in the supported range */
3177 for (m = 1; m < 32; m++) {
3178 /* Check max-value input */
3179 secp256k1_fe_get_bounds(&t, m);
3180
3181 u = t;
3182 secp256k1_fe_half(&u);
3183#ifdef VERIFY
3184 CHECK(u.magnitude == (m >> 1) + 1);
3185 CHECK(u.normalized == 0);
3186#endif
3187 secp256k1_fe_normalize_weak(&u);
3188 secp256k1_fe_add(&u, &u);
3189 CHECK(fe_equal(&t, &u));
3190
3191 /* Check worst-case input: ensure the LSB is 1 so that P will be added,
3192 * which will also cause all carries to be 1, since all limbs that can
3193 * generate a carry are initially even and all limbs of P are odd in
3194 * every existing field implementation. */
3195 secp256k1_fe_get_bounds(&t, m);
3196 CHECK(t.n[0] > 0);
3197 CHECK((t.n[0] & 1) == 0);
3198 --t.n[0];
3199
3200 u = t;
3201 secp256k1_fe_half(&u);
3202#ifdef VERIFY
3203 CHECK(u.magnitude == (m >> 1) + 1);
3204 CHECK(u.normalized == 0);
3205#endif
3206 secp256k1_fe_normalize_weak(&u);
3207 secp256k1_fe_add(&u, &u);
3208 CHECK(fe_equal(&t, &u));
3209 }
3210}
3211
3212static void run_field_misc(void) {
3213 secp256k1_fe x;
3214 secp256k1_fe y;
3215 secp256k1_fe z;
3216 secp256k1_fe q;
3217 int v;
3218 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
3219 int i, j;
3220 for (i = 0; i < 1000 * COUNT; i++) {
3221 secp256k1_fe_storage xs, ys, zs;
3222 if (i & 1) {
3223 testutil_random_fe(&x);
3224 } else {
3225 testutil_random_fe_test(&x);
3226 }
3227 testutil_random_fe_non_zero(&y);
3228 v = testrand_bits(15);
3229 /* Test that fe_add_int is equivalent to fe_set_int + fe_add. */
3230 secp256k1_fe_set_int(&q, v); /* q = v */
3231 z = x; /* z = x */
3232 secp256k1_fe_add(&z, &q); /* z = x+v */
3233 q = x; /* q = x */
3234 secp256k1_fe_add_int(&q, v); /* q = x+v */
3235 CHECK(fe_equal(&q, &z));
3236 /* Test the fe equality and comparison operations. */
3237 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
3238 CHECK(secp256k1_fe_equal(&x, &x));
3239 z = x;
3240 secp256k1_fe_add(&z,&y);
3241 /* Test fe conditional move; z is not normalized here. */
3242 q = x;
3243 secp256k1_fe_cmov(&x, &z, 0);
3244#ifdef VERIFY
3245 CHECK(!x.normalized);
3246 CHECK((x.magnitude == q.magnitude) || (x.magnitude == z.magnitude));
3247 CHECK((x.magnitude >= q.magnitude) && (x.magnitude >= z.magnitude));
3248#endif
3249 x = q;
3250 secp256k1_fe_cmov(&x, &x, 1);
3251 CHECK(!fe_identical(&x, &z));
3252 CHECK(fe_identical(&x, &q));
3253 secp256k1_fe_cmov(&q, &z, 1);
3254#ifdef VERIFY
3255 CHECK(!q.normalized);
3256 CHECK((q.magnitude == x.magnitude) || (q.magnitude == z.magnitude));
3257 CHECK((q.magnitude >= x.magnitude) && (q.magnitude >= z.magnitude));
3258#endif
3259 CHECK(fe_identical(&q, &z));
3260 q = z;
3261 secp256k1_fe_normalize_var(&x);
3262 secp256k1_fe_normalize_var(&z);
3263 CHECK(!secp256k1_fe_equal(&x, &z));
3264 secp256k1_fe_normalize_var(&q);
3265 secp256k1_fe_cmov(&q, &z, (i&1));
3266#ifdef VERIFY
3267 CHECK(q.normalized && q.magnitude == 1);
3268#endif
3269 for (j = 0; j < 6; j++) {
3270 secp256k1_fe_negate_unchecked(&z, &z, j+1);
3271 secp256k1_fe_normalize_var(&q);
3272 secp256k1_fe_cmov(&q, &z, (j&1));
3273#ifdef VERIFY
3274 CHECK(!q.normalized && q.magnitude == z.magnitude);
3275#endif
3276 }
3277 secp256k1_fe_normalize_var(&z);
3278 /* Test storage conversion and conditional moves. */
3279 secp256k1_fe_to_storage(&xs, &x);
3280 secp256k1_fe_to_storage(&ys, &y);
3281 secp256k1_fe_to_storage(&zs, &z);
3282 secp256k1_fe_storage_cmov(&zs, &xs, 0);
3283 secp256k1_fe_storage_cmov(&zs, &zs, 1);
3284 CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
3285 secp256k1_fe_storage_cmov(&ys, &xs, 1);
3286 CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
3287 secp256k1_fe_from_storage(&x, &xs);
3288 secp256k1_fe_from_storage(&y, &ys);
3289 secp256k1_fe_from_storage(&z, &zs);
3290 /* Test that mul_int, mul, and add agree. */
3291 secp256k1_fe_add(&y, &x);
3292 secp256k1_fe_add(&y, &x);
3293 z = x;
3294 secp256k1_fe_mul_int(&z, 3);
3295 CHECK(fe_equal(&y, &z));
3296 secp256k1_fe_add(&y, &x);
3297 secp256k1_fe_add(&z, &x);
3298 CHECK(fe_equal(&z, &y));
3299 z = x;
3300 secp256k1_fe_mul_int(&z, 5);
3301 secp256k1_fe_mul(&q, &x, &fe5);
3302 CHECK(fe_equal(&z, &q));
3303 secp256k1_fe_negate(&x, &x, 1);
3304 secp256k1_fe_add(&z, &x);
3305 secp256k1_fe_add(&q, &x);
3306 CHECK(fe_equal(&y, &z));
3307 CHECK(fe_equal(&q, &y));
3308 /* Check secp256k1_fe_half. */
3309 z = x;
3310 secp256k1_fe_half(&z);
3311 secp256k1_fe_add(&z, &z);
3312 CHECK(fe_equal(&x, &z));
3313 secp256k1_fe_add(&z, &z);
3314 secp256k1_fe_half(&z);
3315 CHECK(fe_equal(&x, &z));
3316 }
3317}
3318
3319static void test_fe_mul(const secp256k1_fe* a, const secp256k1_fe* b, int use_sqr)
3320{
3321 secp256k1_fe c, an, bn;
3322 /* Variables in BE 32-byte format. */
3323 unsigned char a32[32], b32[32], c32[32];
3324 /* Variables in LE 16x uint16_t format. */
3325 uint16_t a16[16], b16[16], c16[16];
3326 /* Field modulus in LE 16x uint16_t format. */
3327 static const uint16_t m16[16] = {
3328 0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
3329 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
3330 };
3331 uint16_t t16[32];
3332 int i;
3333
3334 /* Compute C = A * B in fe format. */
3335 c = *a;
3336 if (use_sqr) {
3337 secp256k1_fe_sqr(&c, &c);
3338 } else {
3339 secp256k1_fe_mul(&c, &c, b);
3340 }
3341
3342 /* Convert A, B, C into LE 16x uint16_t format. */
3343 an = *a;
3344 bn = *b;
3345 secp256k1_fe_normalize_var(&c);
3346 secp256k1_fe_normalize_var(&an);
3347 secp256k1_fe_normalize_var(&bn);
3348 secp256k1_fe_get_b32(a32, &an);
3349 secp256k1_fe_get_b32(b32, &bn);
3350 secp256k1_fe_get_b32(c32, &c);
3351 for (i = 0; i < 16; ++i) {
3352 a16[i] = a32[31 - 2*i] + ((uint16_t)a32[30 - 2*i] << 8);
3353 b16[i] = b32[31 - 2*i] + ((uint16_t)b32[30 - 2*i] << 8);
3354 c16[i] = c32[31 - 2*i] + ((uint16_t)c32[30 - 2*i] << 8);
3355 }
3356 /* Compute T = A * B in LE 16x uint16_t format. */
3357 mulmod256(t16, a16, b16, m16);
3358 /* Compare */
3359 CHECK(secp256k1_memcmp_var(t16, c16, 32) == 0);
3360}
3361
3362static void run_fe_mul(void) {
3363 int i;
3364 for (i = 0; i < 100 * COUNT; ++i) {
3365 secp256k1_fe a, b, c, d;
3366 testutil_random_fe(&a);
3367 testutil_random_fe_magnitude(&a, 8);
3368 testutil_random_fe(&b);
3369 testutil_random_fe_magnitude(&b, 8);
3370 testutil_random_fe_test(&c);
3371 testutil_random_fe_magnitude(&c, 8);
3372 testutil_random_fe_test(&d);
3373 testutil_random_fe_magnitude(&d, 8);
3374 test_fe_mul(&a, &a, 1);
3375 test_fe_mul(&c, &c, 1);
3376 test_fe_mul(&a, &b, 0);
3377 test_fe_mul(&a, &c, 0);
3378 test_fe_mul(&c, &b, 0);
3379 test_fe_mul(&c, &d, 0);
3380 }
3381}
3382
3383static void run_sqr(void) {
3384 int i;
3385 secp256k1_fe x, y, lhs, rhs, tmp;
3386
3387 secp256k1_fe_set_int(&x, 1);
3388 secp256k1_fe_negate(&x, &x, 1);
3389
3390 for (i = 1; i <= 512; ++i) {
3391 secp256k1_fe_mul_int(&x, 2);
3392 secp256k1_fe_normalize(&x);
3393
3394 /* Check that (x+y)*(x-y) = x^2 - y*2 for some random values y */
3395 testutil_random_fe_test(&y);
3396
3397 lhs = x;
3398 secp256k1_fe_add(&lhs, &y); /* lhs = x+y */
3399 secp256k1_fe_negate(&tmp, &y, 1); /* tmp = -y */
3400 secp256k1_fe_add(&tmp, &x); /* tmp = x-y */
3401 secp256k1_fe_mul(&lhs, &lhs, &tmp); /* lhs = (x+y)*(x-y) */
3402
3403 secp256k1_fe_sqr(&rhs, &x); /* rhs = x^2 */
3404 secp256k1_fe_sqr(&tmp, &y); /* tmp = y^2 */
3405 secp256k1_fe_negate(&tmp, &tmp, 1); /* tmp = -y^2 */
3406 secp256k1_fe_add(&rhs, &tmp); /* rhs = x^2 - y^2 */
3407
3408 CHECK(fe_equal(&lhs, &rhs));
3409 }
3410}
3411
3412static void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
3413 secp256k1_fe r1, r2;
3414 int v = secp256k1_fe_sqrt(&r1, a);
3415 CHECK((v == 0) == (k == NULL));
3416
3417 if (k != NULL) {
3418 /* Check that the returned root is +/- the given known answer */
3419 secp256k1_fe_negate(&r2, &r1, 1);
3420 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
3421 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
3422 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
3423 }
3424}
3425
3426static void run_sqrt(void) {
3427 secp256k1_fe ns, x, s, t;
3428 int i;
3429
3430 /* Check sqrt(0) is 0 */
3431 secp256k1_fe_set_int(&x, 0);
3432 secp256k1_fe_sqr(&s, &x);
3433 test_sqrt(&s, &x);
3434
3435 /* Check sqrt of small squares (and their negatives) */
3436 for (i = 1; i <= 100; i++) {
3437 secp256k1_fe_set_int(&x, i);
3438 secp256k1_fe_sqr(&s, &x);
3439 test_sqrt(&s, &x);
3440 secp256k1_fe_negate(&t, &s, 1);
3441 test_sqrt(&t, NULL);
3442 }
3443
3444 /* Consistency checks for large random values */
3445 for (i = 0; i < 10; i++) {
3446 int j;
3447 random_fe_non_square(&ns);
3448 for (j = 0; j < COUNT; j++) {
3449 testutil_random_fe(&x);
3450 secp256k1_fe_sqr(&s, &x);
3451 CHECK(secp256k1_fe_is_square_var(&s));
3452 test_sqrt(&s, &x);
3453 secp256k1_fe_negate(&t, &s, 1);
3454 CHECK(!secp256k1_fe_is_square_var(&t));
3455 test_sqrt(&t, NULL);
3456 secp256k1_fe_mul(&t, &s, &ns);
3457 test_sqrt(&t, NULL);
3458 }
3459 }
3460}
3461
3462/***** FIELD/SCALAR INVERSE TESTS *****/
3463
3464static const secp256k1_scalar scalar_minus_one = SECP256K1_SCALAR_CONST(
3465 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE,
3466 0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140
3467);
3468
3469static const secp256k1_fe fe_minus_one = SECP256K1_FE_CONST(
3470 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
3471 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E
3472);
3473
3474/* These tests test the following identities:
3475 *
3476 * for x==0: 1/x == 0
3477 * for x!=0: x*(1/x) == 1
3478 * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1)
3479 */
3480
3481static void test_inverse_scalar(secp256k1_scalar* out, const secp256k1_scalar* x, int var)
3482{
3483 secp256k1_scalar l, r, t;
3484
3485 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, x); /* l = 1/x */
3486 if (out) *out = l;
3487 if (secp256k1_scalar_is_zero(x)) {
3488 CHECK(secp256k1_scalar_is_zero(&l));
3489 return;
3490 }
3491 secp256k1_scalar_mul(&t, x, &l); /* t = x*(1/x) */
3492 CHECK(secp256k1_scalar_is_one(&t)); /* x*(1/x) == 1 */
3493 secp256k1_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */
3494 if (secp256k1_scalar_is_zero(&r)) return;
3495 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&r, &r); /* r = 1/(x-1) */
3496 secp256k1_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */
3497 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse)(&l, &l); /* l = 1/(1/x-1) */
3498 secp256k1_scalar_add(&l, &l, &secp256k1_scalar_one); /* l = 1/(1/x-1)+1 */
3499 secp256k1_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3500 CHECK(secp256k1_scalar_is_zero(&l)); /* l == 0 */
3501}
3502
3503static void test_inverse_field(secp256k1_fe* out, const secp256k1_fe* x, int var)
3504{
3505 secp256k1_fe l, r, t;
3506
3507 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, x) ; /* l = 1/x */
3508 if (out) *out = l;
3509 t = *x; /* t = x */
3510 if (secp256k1_fe_normalizes_to_zero_var(&t)) {
3511 CHECK(secp256k1_fe_normalizes_to_zero(&l));
3512 return;
3513 }
3514 secp256k1_fe_mul(&t, x, &l); /* t = x*(1/x) */
3515 secp256k1_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */
3516 CHECK(secp256k1_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */
3517 r = *x; /* r = x */
3518 secp256k1_fe_add(&r, &fe_minus_one); /* r = x-1 */
3519 if (secp256k1_fe_normalizes_to_zero_var(&r)) return;
3520 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&r, &r); /* r = 1/(x-1) */
3521 secp256k1_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */
3522 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, &l); /* l = 1/(1/x-1) */
3523 secp256k1_fe_add_int(&l, 1); /* l = 1/(1/x-1)+1 */
3524 secp256k1_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */
3525 CHECK(secp256k1_fe_normalizes_to_zero_var(&l)); /* l == 0 */
3526}
3527
3528static void run_inverse_tests(void)
3529{
3530 /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */
3531 static const secp256k1_fe fe_cases[][2] = {
3532 /* 0 */
3533 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3534 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3535 /* 1 */
3536 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3537 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3538 /* -1 */
3539 {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e),
3540 SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)},
3541 /* 2 */
3542 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3543 SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)},
3544 /* 2**128 */
3545 {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3546 SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)},
3547 /* Input known to need 637 divsteps */
3548 {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3),
3549 SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)},
3550 /* Input known to need 567 divsteps starting with delta=1/2. */
3551 {SECP256K1_FE_CONST(0xf6bc3ba3, 0x636451c4, 0x3e46357d, 0x2c21d619, 0x0988e234, 0x15985661, 0x6672982b, 0xa7549bfc),
3552 SECP256K1_FE_CONST(0xb024fdc7, 0x5547451e, 0x426c585f, 0xbd481425, 0x73df6b75, 0xeef6d9d0, 0x389d87d4, 0xfbb440ba)},
3553 /* Input known to need 566 divsteps starting with delta=1/2. */
3554 {SECP256K1_FE_CONST(0xb595d81b, 0x2e3c1e2f, 0x482dbc65, 0xe4865af7, 0x9a0a50aa, 0x29f9e618, 0x6f87d7a5, 0x8d1063ae),
3555 SECP256K1_FE_CONST(0xc983337c, 0x5d5c74e1, 0x49918330, 0x0b53afb5, 0xa0428a0b, 0xce6eef86, 0x059bd8ef, 0xe5b908de)},
3556 /* Set of 10 inputs accessing all 128 entries in the modinv32 divsteps_var table */
3557 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0xe0ff1f80, 0x1f000000, 0x00000000, 0x00000000, 0xfeff0100, 0x00000000),
3558 SECP256K1_FE_CONST(0x9faf9316, 0x77e5049d, 0x0b5e7a1b, 0xef70b893, 0x18c9e30c, 0x045e7fd7, 0x29eddf8c, 0xd62e9e3d)},
3559 {SECP256K1_FE_CONST(0x621a538d, 0x511b2780, 0x35688252, 0x53f889a4, 0x6317c3ac, 0x32ba0a46, 0x6277c0d1, 0xccd31192),
3560 SECP256K1_FE_CONST(0x38513b0c, 0x5eba856f, 0xe29e882e, 0x9b394d8c, 0x34bda011, 0xeaa66943, 0x6a841a4c, 0x6ae8bcff)},
3561 {SECP256K1_FE_CONST(0x00000200, 0xf0ffff1f, 0x00000000, 0x0000e0ff, 0xffffffff, 0xfffcffff, 0xffffffff, 0xffff0100),
3562 SECP256K1_FE_CONST(0x5da42a52, 0x3640de9e, 0x13e64343, 0x0c7591b7, 0x6c1e3519, 0xf048c5b6, 0x0484217c, 0xedbf8b2f)},
3563 {SECP256K1_FE_CONST(0xd1343ef9, 0x4b952621, 0x7c52a2ee, 0x4ea1281b, 0x4ab46410, 0x9f26998d, 0xa686a8ff, 0x9f2103e8),
3564 SECP256K1_FE_CONST(0x84044385, 0x9a4619bf, 0x74e35b6d, 0xa47e0c46, 0x6b7fb47d, 0x9ffab128, 0xb0775aa3, 0xcb318bd1)},
3565 {SECP256K1_FE_CONST(0xb27235d2, 0xc56a52be, 0x210db37a, 0xd50d23a4, 0xbe621bdd, 0x5df22c6a, 0xe926ba62, 0xd2e4e440),
3566 SECP256K1_FE_CONST(0x67a26e54, 0x483a9d3c, 0xa568469e, 0xd258ab3d, 0xb9ec9981, 0xdca9b1bd, 0x8d2775fe, 0x53ae429b)},
3567 {SECP256K1_FE_CONST(0x00000000, 0x00000000, 0x00e0ffff, 0xffffff83, 0xffffffff, 0x3f00f00f, 0x000000e0, 0xffffffff),
3568 SECP256K1_FE_CONST(0x310e10f8, 0x23bbfab0, 0xac94907d, 0x076c9a45, 0x8d357d7f, 0xc763bcee, 0x00d0e615, 0x5a6acef6)},
3569 {SECP256K1_FE_CONST(0xfeff0300, 0x001c0000, 0xf80700c0, 0x0ff0ffff, 0xffffffff, 0x0fffffff, 0xffff0100, 0x7f0000fe),
3570 SECP256K1_FE_CONST(0x28e2fdb4, 0x0709168b, 0x86f598b0, 0x3453a370, 0x530cf21f, 0x32f978d5, 0x1d527a71, 0x59269b0c)},
3571 {SECP256K1_FE_CONST(0xc2591afa, 0x7bb98ef7, 0x090bb273, 0x85c14f87, 0xbb0b28e0, 0x54d3c453, 0x85c66753, 0xd5574d2f),
3572 SECP256K1_FE_CONST(0xfdca70a2, 0x70ce627c, 0x95e66fae, 0x848a6dbb, 0x07ffb15c, 0x5f63a058, 0xba4140ed, 0x6113b503)},
3573 {SECP256K1_FE_CONST(0xf5475db3, 0xedc7b5a3, 0x411c047e, 0xeaeb452f, 0xc625828e, 0x1cf5ad27, 0x8eec1060, 0xc7d3e690),
3574 SECP256K1_FE_CONST(0x5eb756c0, 0xf963f4b9, 0xdc6a215e, 0xec8cc2d8, 0x2e9dec01, 0xde5eb88d, 0x6aba7164, 0xaecb2c5a)},
3575 {SECP256K1_FE_CONST(0x00000000, 0x00f8ffff, 0xffffffff, 0x01000000, 0xe0ff1f00, 0x00000000, 0xffffff7f, 0x00000000),
3576 SECP256K1_FE_CONST(0xe0d2e3d8, 0x49b6157d, 0xe54e88c2, 0x1a7f02ca, 0x7dd28167, 0xf1125d81, 0x7bfa444e, 0xbe110037)},
3577 /* Selection of randomly generated inputs that reach high/low d/e values in various configurations. */
3578 {SECP256K1_FE_CONST(0x13cc08a4, 0xd8c41f0f, 0x179c3e67, 0x54c46c67, 0xc4109221, 0x09ab3b13, 0xe24d9be1, 0xffffe950),
3579 SECP256K1_FE_CONST(0xb80c8006, 0xd16abaa7, 0xcabd71e5, 0xcf6714f4, 0x966dd3d0, 0x64767a2d, 0xe92c4441, 0x51008cd1)},
3580 {SECP256K1_FE_CONST(0xaa6db990, 0x95efbca1, 0x3cc6ff71, 0x0602e24a, 0xf49ff938, 0x99fffc16, 0x46f40993, 0xc6e72057),
3581 SECP256K1_FE_CONST(0xd5d3dd69, 0xb0c195e5, 0x285f1d49, 0xe639e48c, 0x9223f8a9, 0xca1d731d, 0x9ca482f9, 0xa5b93e06)},
3582 {SECP256K1_FE_CONST(0x1c680eac, 0xaeabffd8, 0x9bdc4aee, 0x1781e3de, 0xa3b08108, 0x0015f2e0, 0x94449e1b, 0x2f67a058),
3583 SECP256K1_FE_CONST(0x7f083f8d, 0x31254f29, 0x6510f475, 0x245c373d, 0xc5622590, 0x4b323393, 0x32ed1719, 0xc127444b)},
3584 {SECP256K1_FE_CONST(0x147d44b3, 0x012d83f8, 0xc160d386, 0x1a44a870, 0x9ba6be96, 0x8b962707, 0x267cbc1a, 0xb65b2f0a),
3585 SECP256K1_FE_CONST(0x555554ff, 0x170aef1e, 0x50a43002, 0xe51fbd36, 0xafadb458, 0x7a8aded1, 0x0ca6cd33, 0x6ed9087c)},
3586 {SECP256K1_FE_CONST(0x12423796, 0x22f0fe61, 0xf9ca017c, 0x5384d107, 0xa1fbf3b2, 0x3b018013, 0x916a3c37, 0x4000b98c),
3587 SECP256K1_FE_CONST(0x20257700, 0x08668f94, 0x1177e306, 0x136c01f5, 0x8ed1fbd2, 0x95ec4589, 0xae38edb9, 0xfd19b6d7)},
3588 {SECP256K1_FE_CONST(0xdcf2d030, 0x9ab42cb4, 0x93ffa181, 0xdcd23619, 0x39699b52, 0x08909a20, 0xb5a17695, 0x3a9dcf21),
3589 SECP256K1_FE_CONST(0x1f701dea, 0xe211fb1f, 0x4f37180d, 0x63a0f51c, 0x29fe1e40, 0xa40b6142, 0x2e7b12eb, 0x982b06b6)},
3590 {SECP256K1_FE_CONST(0x79a851f6, 0xa6314ed3, 0xb35a55e6, 0xca1c7d7f, 0xe32369ea, 0xf902432e, 0x375308c5, 0xdfd5b600),
3591 SECP256K1_FE_CONST(0xcaae00c5, 0xe6b43851, 0x9dabb737, 0x38cba42c, 0xa02c8549, 0x7895dcbf, 0xbd183d71, 0xafe4476a)},
3592 {SECP256K1_FE_CONST(0xede78fdd, 0xcfc92bf1, 0x4fec6c6c, 0xdb8d37e2, 0xfb66bc7b, 0x28701870, 0x7fa27c9a, 0x307196ec),
3593 SECP256K1_FE_CONST(0x68193a6c, 0x9a8b87a7, 0x2a760c64, 0x13e473f6, 0x23ae7bed, 0x1de05422, 0x88865427, 0xa3418265)},
3594 {SECP256K1_FE_CONST(0xa40b2079, 0xb8f88e89, 0xa7617997, 0x89baf5ae, 0x174df343, 0x75138eae, 0x2711595d, 0x3fc3e66c),
3595 SECP256K1_FE_CONST(0x9f99c6a5, 0x6d685267, 0xd4b87c37, 0x9d9c4576, 0x358c692b, 0x6bbae0ed, 0x3389c93d, 0x7fdd2655)},
3596 {SECP256K1_FE_CONST(0x7c74c6b6, 0xe98d9151, 0x72645cf1, 0x7f06e321, 0xcefee074, 0x15b2113a, 0x10a9be07, 0x08a45696),
3597 SECP256K1_FE_CONST(0x8c919a88, 0x898bc1e0, 0x77f26f97, 0x12e655b7, 0x9ba0ac40, 0xe15bb19e, 0x8364cc3b, 0xe227a8ee)},
3598 {SECP256K1_FE_CONST(0x109ba1ce, 0xdafa6d4a, 0xa1cec2b2, 0xeb1069f4, 0xb7a79e5b, 0xec6eb99b, 0xaec5f643, 0xee0e723e),
3599 SECP256K1_FE_CONST(0x93d13eb8, 0x4bb0bcf9, 0xe64f5a71, 0xdbe9f359, 0x7191401c, 0x6f057a4a, 0xa407fe1b, 0x7ecb65cc)},
3600 {SECP256K1_FE_CONST(0x3db076cd, 0xec74a5c9, 0xf61dd138, 0x90e23e06, 0xeeedd2d0, 0x74cbc4e0, 0x3dbe1e91, 0xded36a78),
3601 SECP256K1_FE_CONST(0x3f07f966, 0x8e2a1e09, 0x706c71df, 0x02b5e9d5, 0xcb92ddbf, 0xcdd53010, 0x16545564, 0xe660b107)},
3602 {SECP256K1_FE_CONST(0xe31c73ed, 0xb4c4b82c, 0x02ae35f7, 0x4cdec153, 0x98b522fd, 0xf7d2460c, 0x6bf7c0f8, 0x4cf67b0d),
3603 SECP256K1_FE_CONST(0x4b8f1faf, 0x94e8b070, 0x19af0ff6, 0xa319cd31, 0xdf0a7ffb, 0xefaba629, 0x59c50666, 0x1fe5b843)},
3604 {SECP256K1_FE_CONST(0x4c8b0e6e, 0x83392ab6, 0xc0e3e9f1, 0xbbd85497, 0x16698897, 0xf552d50d, 0x79652ddb, 0x12f99870),
3605 SECP256K1_FE_CONST(0x56d5101f, 0xd23b7949, 0x17dc38d6, 0xf24022ef, 0xcf18e70a, 0x5cc34424, 0x438544c3, 0x62da4bca)},
3606 {SECP256K1_FE_CONST(0xb0e040e2, 0x40cc35da, 0x7dd5c611, 0x7fccb178, 0x28888137, 0xbc930358, 0xea2cbc90, 0x775417dc),
3607 SECP256K1_FE_CONST(0xca37f0d4, 0x016dd7c8, 0xab3ae576, 0x96e08d69, 0x68ed9155, 0xa9b44270, 0x900ae35d, 0x7c7800cd)},
3608 {SECP256K1_FE_CONST(0x8a32ea49, 0x7fbb0bae, 0x69724a9d, 0x8e2105b2, 0xbdf69178, 0x862577ef, 0x35055590, 0x667ddaef),
3609 SECP256K1_FE_CONST(0xd02d7ead, 0xc5e190f0, 0x559c9d72, 0xdaef1ffc, 0x64f9f425, 0xf43645ea, 0x7341e08d, 0x11768e96)},
3610 {SECP256K1_FE_CONST(0xa3592d98, 0x9abe289d, 0x579ebea6, 0xbb0857a8, 0xe242ab73, 0x85f9a2ce, 0xb6998f0f, 0xbfffbfc6),
3611 SECP256K1_FE_CONST(0x093c1533, 0x32032efa, 0x6aa46070, 0x0039599e, 0x589c35f4, 0xff525430, 0x7fe3777a, 0x44b43ddc)},
3612 {SECP256K1_FE_CONST(0x647178a3, 0x229e607b, 0xcc98521a, 0xcce3fdd9, 0x1e1bc9c9, 0x97fb7c6a, 0x61b961e0, 0x99b10709),
3613 SECP256K1_FE_CONST(0x98217c13, 0xd51ddf78, 0x96310e77, 0xdaebd908, 0x602ca683, 0xcb46d07a, 0xa1fcf17e, 0xc8e2feb3)},
3614 {SECP256K1_FE_CONST(0x7334627c, 0x73f98968, 0x99464b4b, 0xf5964958, 0x1b95870d, 0xc658227e, 0x5e3235d8, 0xdcab5787),
3615 SECP256K1_FE_CONST(0x000006fd, 0xc7e9dd94, 0x40ae367a, 0xe51d495c, 0x07603b9b, 0x2d088418, 0x6cc5c74c, 0x98514307)},
3616 {SECP256K1_FE_CONST(0x82e83876, 0x96c28938, 0xa50dd1c5, 0x605c3ad1, 0xc048637d, 0x7a50825f, 0x335ed01a, 0x00005760),
3617 SECP256K1_FE_CONST(0xb0393f9f, 0x9f2aa55e, 0xf5607e2e, 0x5287d961, 0x60b3e704, 0xf3e16e80, 0xb4f9a3ea, 0xfec7f02d)},
3618 {SECP256K1_FE_CONST(0xc97b6cec, 0x3ee6b8dc, 0x98d24b58, 0x3c1970a1, 0xfe06297a, 0xae813529, 0xe76bb6bd, 0x771ae51d),
3619 SECP256K1_FE_CONST(0x0507c702, 0xd407d097, 0x47ddeb06, 0xf6625419, 0x79f48f79, 0x7bf80d0b, 0xfc34b364, 0x253a5db1)},
3620 {SECP256K1_FE_CONST(0xd559af63, 0x77ea9bc4, 0x3cf1ad14, 0x5c7a4bbb, 0x10e7d18b, 0x7ce0dfac, 0x380bb19d, 0x0bb99bd3),
3621 SECP256K1_FE_CONST(0x00196119, 0xb9b00d92, 0x34edfdb5, 0xbbdc42fc, 0xd2daa33a, 0x163356ca, 0xaa8754c8, 0xb0ec8b0b)},
3622 {SECP256K1_FE_CONST(0x8ddfa3dc, 0x52918da0, 0x640519dc, 0x0af8512a, 0xca2d33b2, 0xbde52514, 0xda9c0afc, 0xcb29fce4),
3623 SECP256K1_FE_CONST(0xb3e4878d, 0x5cb69148, 0xcd54388b, 0xc23acce0, 0x62518ba8, 0xf09def92, 0x7b31e6aa, 0x6ba35b02)},
3624 {SECP256K1_FE_CONST(0xf8207492, 0xe3049f0a, 0x65285f2b, 0x0bfff996, 0x00ca112e, 0xc05da837, 0x546d41f9, 0x5194fb91),
3625 SECP256K1_FE_CONST(0x7b7ee50b, 0xa8ed4bbd, 0xf6469930, 0x81419a5c, 0x071441c7, 0x290d046e, 0x3b82ea41, 0x611c5f95)},
3626 {SECP256K1_FE_CONST(0x050f7c80, 0x5bcd3c6b, 0x823cb724, 0x5ce74db7, 0xa4e39f5c, 0xbd8828d7, 0xfd4d3e07, 0x3ec2926a),
3627 SECP256K1_FE_CONST(0x000d6730, 0xb0171314, 0x4764053d, 0xee157117, 0x48fd61da, 0xdea0b9db, 0x1d5e91c6, 0xbdc3f59e)},
3628 {SECP256K1_FE_CONST(0x3e3ea8eb, 0x05d760cf, 0x23009263, 0xb3cb3ac9, 0x088f6f0d, 0x3fc182a3, 0xbd57087c, 0xe67c62f9),
3629 SECP256K1_FE_CONST(0xbe988716, 0xa29c1bf6, 0x4456aed6, 0xab1e4720, 0x49929305, 0x51043bf4, 0xebd833dd, 0xdd511e8b)},
3630 {SECP256K1_FE_CONST(0x6964d2a9, 0xa7fa6501, 0xa5959249, 0x142f4029, 0xea0c1b5f, 0x2f487ef6, 0x301ac80a, 0x768be5cd),
3631 SECP256K1_FE_CONST(0x3918ffe4, 0x07492543, 0xed24d0b7, 0x3df95f8f, 0xaffd7cb4, 0x0de2191c, 0x9ec2f2ad, 0x2c0cb3c6)},
3632 {SECP256K1_FE_CONST(0x37c93520, 0xf6ddca57, 0x2b42fd5e, 0xb5c7e4de, 0x11b5b81c, 0xb95e91f3, 0x95c4d156, 0x39877ccb),
3633 SECP256K1_FE_CONST(0x9a94b9b5, 0x57eb71ee, 0x4c975b8b, 0xac5262a8, 0x077b0595, 0xe12a6b1f, 0xd728edef, 0x1a6bf956)}
3634 };
3635 /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */
3636 static const secp256k1_scalar scalar_cases[][2] = {
3637 /* 0 */
3638 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
3639 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
3640 /* 1 */
3641 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
3642 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
3643 /* -1 */
3644 {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140),
3645 SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)},
3646 /* 2 */
3647 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2),
3648 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)},
3649 /* 2**128 */
3650 {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0),
3651 SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)},
3652 /* Input known to need 635 divsteps */
3653 {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3),
3654 SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)},
3655 /* Input known to need 566 divsteps starting with delta=1/2. */
3656 {SECP256K1_SCALAR_CONST(0x7e3c993d, 0xa4272488, 0xbc015b49, 0x2db54174, 0xd382083a, 0xebe6db35, 0x80f82eff, 0xcd132c72),
3657 SECP256K1_SCALAR_CONST(0x086f34a0, 0x3e631f76, 0x77418f28, 0xcc84ac95, 0x6304439d, 0x365db268, 0x312c6ded, 0xd0b934f8)},
3658 /* Input known to need 565 divsteps starting with delta=1/2. */
3659 {SECP256K1_SCALAR_CONST(0xbad7e587, 0x3f307859, 0x60d93147, 0x8a18491e, 0xb38a9fd5, 0x254350d3, 0x4b1f0e4b, 0x7dd6edc4),
3660 SECP256K1_SCALAR_CONST(0x89f2df26, 0x39e2b041, 0xf19bd876, 0xd039c8ac, 0xc2223add, 0x29c4943e, 0x6632d908, 0x515f467b)},
3661 /* Selection of randomly generated inputs that reach low/high d/e values in various configurations. */
3662 {SECP256K1_SCALAR_CONST(0x1950d757, 0xb37a5809, 0x435059bb, 0x0bb8997e, 0x07e1e3c8, 0x5e5d7d2c, 0x6a0ed8e3, 0xdbde180e),
3663 SECP256K1_SCALAR_CONST(0xbf72af9b, 0x750309e2, 0x8dda230b, 0xfe432b93, 0x7e25e475, 0x4388251e, 0x633d894b, 0x3bcb6f8c)},
3664 {SECP256K1_SCALAR_CONST(0x9bccf4e7, 0xc5a515e3, 0x50637aa9, 0xbb65a13f, 0x391749a1, 0x62de7d4e, 0xf6d7eabb, 0x3cd10ce0),
3665 SECP256K1_SCALAR_CONST(0xaf2d5623, 0xb6385a33, 0xcd0365be, 0x5e92a70d, 0x7f09179c, 0x3baaf30f, 0x8f9cc83b, 0x20092f67)},
3666 {SECP256K1_SCALAR_CONST(0x73a57111, 0xb242952a, 0x5c5dee59, 0xf3be2ace, 0xa30a7659, 0xa46e5f47, 0xd21267b1, 0x39e642c9),
3667 SECP256K1_SCALAR_CONST(0xa711df07, 0xcbcf13ef, 0xd61cc6be, 0xbcd058ce, 0xb02cf157, 0x272d4a18, 0x86d0feb3, 0xcd5fa004)},
3668 {SECP256K1_SCALAR_CONST(0x04884963, 0xce0580b1, 0xba547030, 0x3c691db3, 0x9cd2c84f, 0x24c7cebd, 0x97ebfdba, 0x3e785ec2),
3669 SECP256K1_SCALAR_CONST(0xaaaaaf14, 0xd7c99ba7, 0x517ce2c1, 0x78a28b4c, 0x3769a851, 0xe5c5a03d, 0x4cc28f33, 0x0ec4dc5d)},
3670 {SECP256K1_SCALAR_CONST(0x1679ed49, 0x21f537b1, 0x815cb8ae, 0x9efc511c, 0x5b9fa037, 0x0b0f275e, 0x6c985281, 0x6c4a9905),
3671 SECP256K1_SCALAR_CONST(0xb14ac3d5, 0x62b52999, 0xef34ead1, 0xffca4998, 0x0294341a, 0x1f8172aa, 0xea1624f9, 0x302eea62)},
3672 {SECP256K1_SCALAR_CONST(0x626b37c0, 0xf0057c35, 0xee982f83, 0x452a1fd3, 0xea826506, 0x48b08a9d, 0x1d2c4799, 0x4ad5f6ec),
3673 SECP256K1_SCALAR_CONST(0xe38643b7, 0x567bfc2f, 0x5d2f1c15, 0xe327239c, 0x07112443, 0x69509283, 0xfd98e77a, 0xdb71c1e8)},
3674 {SECP256K1_SCALAR_CONST(0x1850a3a7, 0x759efc56, 0x54f287b2, 0x14d1234b, 0xe263bbc9, 0xcf4d8927, 0xd5f85f27, 0x965bd816),
3675 SECP256K1_SCALAR_CONST(0x3b071831, 0xcac9619a, 0xcceb0596, 0xf614d63b, 0x95d0db2f, 0xc6a00901, 0x8eaa2621, 0xabfa0009)},
3676 {SECP256K1_SCALAR_CONST(0x94ae5d06, 0xa27dc400, 0x487d72be, 0xaa51ebed, 0xe475b5c0, 0xea675ffc, 0xf4df627a, 0xdca4222f),
3677 SECP256K1_SCALAR_CONST(0x01b412ed, 0xd7830956, 0x1532537e, 0xe5e3dc99, 0x8fd3930a, 0x54f8d067, 0x32ef5760, 0x594438a5)},
3678 {SECP256K1_SCALAR_CONST(0x1f24278a, 0xb5bfe374, 0xa328dbbc, 0xebe35f48, 0x6620e009, 0xd58bb1b4, 0xb5a6bf84, 0x8815f63a),
3679 SECP256K1_SCALAR_CONST(0xfe928416, 0xca5ba2d3, 0xfde513da, 0x903a60c7, 0x9e58ad8a, 0x8783bee4, 0x083a3843, 0xa608c914)},
3680 {SECP256K1_SCALAR_CONST(0xdc107d58, 0x274f6330, 0x67dba8bc, 0x26093111, 0x5201dfb8, 0x968ce3f5, 0xf34d1bd4, 0xf2146504),
3681 SECP256K1_SCALAR_CONST(0x660cfa90, 0x13c3d93e, 0x7023b1e5, 0xedd09e71, 0x6d9c9d10, 0x7a3d2cdb, 0xdd08edc3, 0xaa78fcfb)},
3682 {SECP256K1_SCALAR_CONST(0x7cd1e905, 0xc6f02776, 0x2f551cc7, 0x5da61cff, 0x7da05389, 0x1119d5a4, 0x631c7442, 0x894fd4f7),
3683 SECP256K1_SCALAR_CONST(0xff20862a, 0x9d3b1a37, 0x1628803b, 0x3004ccae, 0xaa23282a, 0xa89a1109, 0xd94ece5e, 0x181bdc46)},
3684 {SECP256K1_SCALAR_CONST(0x5b9dade8, 0x23d26c58, 0xcd12d818, 0x25b8ae97, 0x3dea04af, 0xf482c96b, 0xa062f254, 0x9e453640),
3685 SECP256K1_SCALAR_CONST(0x50c38800, 0x15fa53f4, 0xbe1e5392, 0x5c9b120a, 0x262c22c7, 0x18fa0816, 0x5f2baab4, 0x8cb5db46)},
3686 {SECP256K1_SCALAR_CONST(0x11cdaeda, 0x969c464b, 0xef1f4ab0, 0x5b01d22e, 0x656fd098, 0x882bea84, 0x65cdbe7a, 0x0c19ff03),
3687 SECP256K1_SCALAR_CONST(0x1968d0fa, 0xac46f103, 0xb55f1f72, 0xb3820bed, 0xec6b359a, 0x4b1ae0ad, 0x7e38e1fb, 0x295ccdfb)},
3688 {SECP256K1_SCALAR_CONST(0x2c351aa1, 0x26e91589, 0x194f8a1e, 0x06561f66, 0x0cb97b7f, 0x10914454, 0x134d1c03, 0x157266b4),
3689 SECP256K1_SCALAR_CONST(0xbe49ada6, 0x92bd8711, 0x41b176c4, 0xa478ba95, 0x14883434, 0x9d1cd6f3, 0xcc4b847d, 0x22af80f5)},
3690 {SECP256K1_SCALAR_CONST(0x6ba07c6e, 0x13a60edb, 0x6247f5c3, 0x84b5fa56, 0x76fe3ec5, 0x80426395, 0xf65ec2ae, 0x623ba730),
3691 SECP256K1_SCALAR_CONST(0x25ac23f7, 0x418cd747, 0x98376f9d, 0x4a11c7bf, 0x24c8ebfe, 0x4c8a8655, 0x345f4f52, 0x1c515595)},
3692 {SECP256K1_SCALAR_CONST(0x9397a712, 0x8abb6951, 0x2d4a3d54, 0x703b1c2a, 0x0661dca8, 0xd75c9b31, 0xaed4d24b, 0xd2ab2948),
3693 SECP256K1_SCALAR_CONST(0xc52e8bef, 0xd55ce3eb, 0x1c897739, 0xeb9fb606, 0x36b9cd57, 0x18c51cc2, 0x6a87489e, 0xffd0dcf3)},
3694 {SECP256K1_SCALAR_CONST(0xe6a808cc, 0xeb437888, 0xe97798df, 0x4e224e44, 0x7e3b380a, 0x207c1653, 0x889f3212, 0xc6738b6f),
3695 SECP256K1_SCALAR_CONST(0x31f9ae13, 0xd1e08b20, 0x757a2e5e, 0x5243a0eb, 0x8ae35f73, 0x19bb6122, 0xb910f26b, 0xda70aa55)},
3696 {SECP256K1_SCALAR_CONST(0xd0320548, 0xab0effe7, 0xa70779e0, 0x61a347a6, 0xb8c1e010, 0x9d5281f8, 0x2ee588a6, 0x80000000),
3697 SECP256K1_SCALAR_CONST(0x1541897e, 0x78195c90, 0x7583dd9e, 0x728b6100, 0xbce8bc6d, 0x7a53b471, 0x5dcd9e45, 0x4425fcaf)},
3698 {SECP256K1_SCALAR_CONST(0x93d623f1, 0xd45b50b0, 0x796e9186, 0x9eac9407, 0xd30edc20, 0xef6304cf, 0x250494e7, 0xba503de9),
3699 SECP256K1_SCALAR_CONST(0x7026d638, 0x1178b548, 0x92043952, 0x3c7fb47c, 0xcd3ea236, 0x31d82b01, 0x612fc387, 0x80b9b957)},
3700 {SECP256K1_SCALAR_CONST(0xf860ab39, 0x55f5d412, 0xa4d73bcc, 0x3b48bd90, 0xc248ffd3, 0x13ca10be, 0x8fba84cc, 0xdd28d6a3),
3701 SECP256K1_SCALAR_CONST(0x5c32fc70, 0xe0b15d67, 0x76694700, 0xfe62be4d, 0xeacdb229, 0x7a4433d9, 0x52155cd0, 0x7649ab59)},
3702 {SECP256K1_SCALAR_CONST(0x4e41311c, 0x0800af58, 0x7a690a8e, 0xe175c9ba, 0x6981ab73, 0xac532ea8, 0x5c1f5e63, 0x6ac1f189),
3703 SECP256K1_SCALAR_CONST(0xfffffff9, 0xd075982c, 0x7fbd3825, 0xc05038a2, 0x4533b91f, 0x94ec5f45, 0xb280b28f, 0x842324dc)},
3704 {SECP256K1_SCALAR_CONST(0x48e473bf, 0x3555eade, 0xad5d7089, 0x2424c4e4, 0x0a99397c, 0x2dc796d8, 0xb7a43a69, 0xd0364141),
3705 SECP256K1_SCALAR_CONST(0x634976b2, 0xa0e47895, 0x1ec38593, 0x266d6fd0, 0x6f602644, 0x9bb762f1, 0x7180c704, 0xe23a4daa)},
3706 {SECP256K1_SCALAR_CONST(0xbe83878d, 0x3292fc54, 0x26e71c62, 0x556ccedc, 0x7cbb8810, 0x4032a720, 0x34ead589, 0xe4d6bd13),
3707 SECP256K1_SCALAR_CONST(0x6cd150ad, 0x25e59d0f, 0x74cbae3d, 0x6377534a, 0x1e6562e8, 0xb71b9d18, 0xe1e5d712, 0x8480abb3)},
3708 {SECP256K1_SCALAR_CONST(0xcdddf2e5, 0xefc15f88, 0xc9ee06de, 0x8a846ca9, 0x28561581, 0x68daa5fb, 0xd1cf3451, 0xeb1782d0),
3709 SECP256K1_SCALAR_CONST(0xffffffd9, 0xed8d2af4, 0x993c865a, 0x23e9681a, 0x3ca3a3dc, 0xe6d5a46e, 0xbd86bd87, 0x61b55c70)},
3710 {SECP256K1_SCALAR_CONST(0xb6a18f1f, 0x04872df9, 0x08165ec4, 0x319ca19c, 0x6c0359ab, 0x1f7118fb, 0xc2ef8082, 0xca8b7785),
3711 SECP256K1_SCALAR_CONST(0xff55b19b, 0x0f1ac78c, 0x0f0c88c2, 0x2358d5ad, 0x5f455e4e, 0x3330b72f, 0x274dc153, 0xffbf272b)},
3712 {SECP256K1_SCALAR_CONST(0xea4898e5, 0x30eba3e8, 0xcf0e5c3d, 0x06ec6844, 0x01e26fb6, 0x75636225, 0xc5d08f4c, 0x1decafa0),
3713 SECP256K1_SCALAR_CONST(0xe5a014a8, 0xe3c4ec1e, 0xea4f9b32, 0xcfc7b386, 0x00630806, 0x12c08d02, 0x6407ccc2, 0xb067d90e)},
3714 {SECP256K1_SCALAR_CONST(0x70e9aea9, 0x7e933af0, 0x8a23bfab, 0x23e4b772, 0xff951863, 0x5ffcf47d, 0x6bebc918, 0x2ca58265),
3715 SECP256K1_SCALAR_CONST(0xf4e00006, 0x81bc6441, 0x4eb6ec02, 0xc194a859, 0x80ad7c48, 0xba4e9afb, 0x8b6bdbe0, 0x989d8f77)},
3716 {SECP256K1_SCALAR_CONST(0x3c56c774, 0x46efe6f0, 0xe93618b8, 0xf9b5a846, 0xd247df61, 0x83b1e215, 0x06dc8bcc, 0xeefc1bf5),
3717 SECP256K1_SCALAR_CONST(0xfff8937a, 0x2cd9586b, 0x43c25e57, 0xd1cefa7a, 0x9fb91ed3, 0x95b6533d, 0x8ad0de5b, 0xafb93f00)},
3718 {SECP256K1_SCALAR_CONST(0xfb5c2772, 0x5cb30e83, 0xe38264df, 0xe4e3ebf3, 0x392aa92e, 0xa68756a1, 0x51279ac5, 0xb50711a8),
3719 SECP256K1_SCALAR_CONST(0x000013af, 0x1105bfe7, 0xa6bbd7fb, 0x3d638f99, 0x3b266b02, 0x072fb8bc, 0x39251130, 0x2e0fd0ea)}
3720 };
3721 int i, var, testrand;
3722 unsigned char b32[32];
3723 secp256k1_fe x_fe;
3724 secp256k1_scalar x_scalar;
3725 memset(b32, 0, sizeof(b32));
3726 /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */
3727 for (i = 0; (size_t)i < ARRAY_SIZE(fe_cases); ++i) {
3728 for (var = 0; var <= 1; ++var) {
3729 test_inverse_field(&x_fe, &fe_cases[i][0], var);
3730 CHECK(fe_equal(&x_fe, &fe_cases[i][1]));
3731 test_inverse_field(&x_fe, &fe_cases[i][1], var);
3732 CHECK(fe_equal(&x_fe, &fe_cases[i][0]));
3733 }
3734 }
3735 for (i = 0; (size_t)i < ARRAY_SIZE(scalar_cases); ++i) {
3736 for (var = 0; var <= 1; ++var) {
3737 test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var);
3738 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][1]));
3739 test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var);
3740 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][0]));
3741 }
3742 }
3743 /* Test inputs 0..999 and their respective negations. */
3744 for (i = 0; i < 1000; ++i) {
3745 b32[31] = i & 0xff;
3746 b32[30] = (i >> 8) & 0xff;
3747 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3748 secp256k1_fe_set_b32_mod(&x_fe, b32);
3749 for (var = 0; var <= 1; ++var) {
3750 test_inverse_scalar(NULL, &x_scalar, var);
3751 test_inverse_field(NULL, &x_fe, var);
3752 }
3753 secp256k1_scalar_negate(&x_scalar, &x_scalar);
3754 secp256k1_fe_negate(&x_fe, &x_fe, 1);
3755 for (var = 0; var <= 1; ++var) {
3756 test_inverse_scalar(NULL, &x_scalar, var);
3757 test_inverse_field(NULL, &x_fe, var);
3758 }
3759 }
3760 /* test 128*count random inputs; half with testrand256_test, half with testrand256 */
3761 for (testrand = 0; testrand <= 1; ++testrand) {
3762 for (i = 0; i < 64 * COUNT; ++i) {
3763 (testrand ? testrand256_test : testrand256)(b32);
3764 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
3765 secp256k1_fe_set_b32_mod(&x_fe, b32);
3766 for (var = 0; var <= 1; ++var) {
3767 test_inverse_scalar(NULL, &x_scalar, var);
3768 test_inverse_field(NULL, &x_fe, var);
3769 }
3770 }
3771 }
3772}
3773
3774/***** HSORT TESTS *****/
3775
3776static void test_heap_swap(void) {
3777 unsigned char a[600];
3778 unsigned char e[sizeof(a)];
3779 memset(a, 21, 200);
3780 memset(a + 200, 99, 200);
3781 memset(a + 400, 42, 200);
3782 memset(e, 42, 200);
3783 memset(e + 200, 99, 200);
3784 memset(e + 400, 21, 200);
3785 secp256k1_heap_swap(a, 0, 2, 200);
3786 CHECK(secp256k1_memcmp_var(a, e, sizeof(a)) == 0);
3787}
3788
3789static void test_hsort_is_sorted(unsigned char *elements, size_t n, size_t len) {
3790 size_t i;
3791 for (i = 1; i < n; i++) {
3792 CHECK(secp256k1_memcmp_var(&elements[(i-1) * len], &elements[i * len], len) <= 0);
3793 }
3794}
3795
3796struct test_hsort_cmp_data {
3797 size_t counter;
3798 size_t element_len;
3799};
3800
3801
3802static int test_hsort_cmp(const void *ele1, const void *ele2, void *data) {
3803 struct test_hsort_cmp_data *d = (struct test_hsort_cmp_data *) data;
3804 d->counter += 1;
3805 return secp256k1_memcmp_var((unsigned char *)ele1, (unsigned char *)ele2, d->element_len);
3806}
3807
3808#define NUM 65
3809#define MAX_ELEMENT_LEN 65
3810static void test_hsort(size_t element_len) {
3811 unsigned char elements[NUM * MAX_ELEMENT_LEN] = { 0 };
3812 struct test_hsort_cmp_data data;
3813 int i;
3814
3815 VERIFY_CHECK(element_len <= MAX_ELEMENT_LEN);
3816 data.counter = 0;
3817 data.element_len = element_len;
3818
3819 secp256k1_hsort(elements, 0, element_len, test_hsort_cmp, &data);
3820 CHECK(data.counter == 0);
3821 secp256k1_hsort(elements, 1, element_len, test_hsort_cmp, &data);
3822 CHECK(data.counter == 0);
3823 secp256k1_hsort(elements, NUM, element_len, test_hsort_cmp, &data);
3824 CHECK(data.counter >= NUM - 1);
3825 test_hsort_is_sorted(elements, NUM, element_len);
3826
3827 /* Test hsort with array of random length n */
3828 for (i = 0; i < COUNT; i++) {
3829 int n = testrand_int(NUM);
3830 testrand_bytes_test(elements, n*element_len);
3831 secp256k1_hsort(elements, n, element_len, test_hsort_cmp, &data);
3832 test_hsort_is_sorted(elements, n, element_len);
3833 }
3834}
3835#undef NUM
3836#undef MAX_ELEMENT_LEN
3837
3838
3839static void run_hsort_tests(void) {
3840 test_heap_swap();
3841 test_hsort(1);
3842 test_hsort(64);
3843 test_hsort(65);
3844}
3845
3846/***** GROUP TESTS *****/
3847
3848/* This compares jacobian points including their Z, not just their geometric meaning. */
3849static int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
3850 secp256k1_gej a2;
3851 secp256k1_gej b2;
3852 int ret = 1;
3853 ret &= a->infinity == b->infinity;
3854 if (ret && !a->infinity) {
3855 a2 = *a;
3856 b2 = *b;
3857 secp256k1_fe_normalize(&a2.x);
3858 secp256k1_fe_normalize(&a2.y);
3859 secp256k1_fe_normalize(&a2.z);
3860 secp256k1_fe_normalize(&b2.x);
3861 secp256k1_fe_normalize(&b2.y);
3862 secp256k1_fe_normalize(&b2.z);
3863 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
3864 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
3865 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
3866 }
3867 return ret;
3868}
3869
3870static void test_ge(void) {
3871 int i, i1;
3872 int runs = 6;
3873 /* 25 points are used:
3874 * - infinity
3875 * - for each of four random points p1 p2 p3 p4, we add the point, its
3876 * negation, and then those two again but with randomized Z coordinate.
3877 * - The same is then done for lambda*p1 and lambda^2*p1.
3878 */
3879 secp256k1_ge *ge = checked_malloc(&CTX->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
3880 secp256k1_gej *gej = checked_malloc(&CTX->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
3881 secp256k1_fe zf, r;
3882 secp256k1_fe zfi2, zfi3;
3883
3884 secp256k1_gej_set_infinity(&gej[0]);
3885 secp256k1_ge_set_infinity(&ge[0]);
3886 for (i = 0; i < runs; i++) {
3887 int j, k;
3888 secp256k1_ge g;
3889 testutil_random_ge_test(&g);
3890 if (i >= runs - 2) {
3891 secp256k1_ge_mul_lambda(&g, &ge[1]);
3892 CHECK(!secp256k1_ge_eq_var(&g, &ge[1]));
3893 }
3894 if (i >= runs - 1) {
3895 secp256k1_ge_mul_lambda(&g, &g);
3896 }
3897 ge[1 + 4 * i] = g;
3898 ge[2 + 4 * i] = g;
3899 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
3900 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
3901 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
3902 testutil_random_ge_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
3903 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
3904 testutil_random_ge_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
3905 for (j = 0; j < 4; j++) {
3906 testutil_random_ge_x_magnitude(&ge[1 + j + 4 * i]);
3907 testutil_random_ge_y_magnitude(&ge[1 + j + 4 * i]);
3908 testutil_random_gej_x_magnitude(&gej[1 + j + 4 * i]);
3909 testutil_random_gej_y_magnitude(&gej[1 + j + 4 * i]);
3910 testutil_random_gej_z_magnitude(&gej[1 + j + 4 * i]);
3911 }
3912
3913 for (j = 0; j < 4; ++j) {
3914 for (k = 0; k < 4; ++k) {
3915 int expect_equal = (j >> 1) == (k >> 1);
3916 CHECK(secp256k1_ge_eq_var(&ge[1 + j + 4 * i], &ge[1 + k + 4 * i]) == expect_equal);
3917 CHECK(secp256k1_gej_eq_var(&gej[1 + j + 4 * i], &gej[1 + k + 4 * i]) == expect_equal);
3918 CHECK(secp256k1_gej_eq_ge_var(&gej[1 + j + 4 * i], &ge[1 + k + 4 * i]) == expect_equal);
3919 CHECK(secp256k1_gej_eq_ge_var(&gej[1 + k + 4 * i], &ge[1 + j + 4 * i]) == expect_equal);
3920 }
3921 }
3922 }
3923
3924 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
3925 testutil_random_fe_non_zero_test(&zf);
3926 testutil_random_fe_magnitude(&zf, 8);
3927 secp256k1_fe_inv_var(&zfi3, &zf);
3928 secp256k1_fe_sqr(&zfi2, &zfi3);
3929 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
3930
3931 /* Generate random r */
3932 testutil_random_fe_non_zero_test(&r);
3933
3934 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
3935 int i2;
3936 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
3937 /* Compute reference result using gej + gej (var). */
3938 secp256k1_gej refj, resj;
3939 secp256k1_ge ref;
3940 secp256k1_fe zr;
3941 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3942 /* Check Z ratio. */
3943 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
3944 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3945 CHECK(secp256k1_fe_equal(&zrz, &refj.z));
3946 }
3947 secp256k1_ge_set_gej_var(&ref, &refj);
3948
3949 /* Test gej + ge with Z ratio result (var). */
3950 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
3951 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3952 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
3953 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
3954 CHECK(secp256k1_fe_equal(&zrz, &resj.z));
3955 }
3956
3957 /* Test gej + ge (var, with additional Z factor). */
3958 {
3959 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
3960 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
3961 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
3962 testutil_random_ge_x_magnitude(&ge2_zfi);
3963 testutil_random_ge_y_magnitude(&ge2_zfi);
3964 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
3965 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3966 }
3967
3968 /* Test gej + ge (const). */
3969 if (i2 != 0) {
3970 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
3971 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
3972 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3973 }
3974
3975 /* Test doubling (var). */
3976 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
3977 secp256k1_fe zr2;
3978 /* Normal doubling with Z ratio result. */
3979 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
3980 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3981 /* Check Z ratio. */
3982 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
3983 CHECK(secp256k1_fe_equal(&zr2, &resj.z));
3984 /* Normal doubling. */
3985 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
3986 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3987 /* Constant-time doubling. */
3988 secp256k1_gej_double(&resj, &gej[i2]);
3989 CHECK(secp256k1_gej_eq_ge_var(&resj, &ref));
3990 }
3991
3992 /* Test adding opposites. */
3993 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
3994 CHECK(secp256k1_ge_is_infinity(&ref));
3995 }
3996
3997 /* Test adding infinity. */
3998 if (i1 == 0) {
3999 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
4000 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
4001 CHECK(secp256k1_gej_eq_ge_var(&gej[i2], &ref));
4002 }
4003 if (i2 == 0) {
4004 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
4005 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
4006 CHECK(secp256k1_gej_eq_ge_var(&gej[i1], &ref));
4007 }
4008 }
4009 }
4010
4011 /* Test adding all points together in random order equals infinity. */
4012 {
4013 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
4014 secp256k1_gej *gej_shuffled = checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
4015 for (i = 0; i < 4 * runs + 1; i++) {
4016 gej_shuffled[i] = gej[i];
4017 }
4018 for (i = 0; i < 4 * runs + 1; i++) {
4019 int swap = i + testrand_int(4 * runs + 1 - i);
4020 if (swap != i) {
4021 secp256k1_gej t = gej_shuffled[i];
4022 gej_shuffled[i] = gej_shuffled[swap];
4023 gej_shuffled[swap] = t;
4024 }
4025 }
4026 for (i = 0; i < 4 * runs + 1; i++) {
4027 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
4028 }
4029 CHECK(secp256k1_gej_is_infinity(&sum));
4030 free(gej_shuffled);
4031 }
4032
4033 /* Test batch gej -> ge conversion without known z ratios. */
4034 {
4035 secp256k1_ge *ge_set_all_var = checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
4036 secp256k1_ge *ge_set_all = checked_malloc(&CTX->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
4037 secp256k1_ge_set_all_gej_var(&ge_set_all_var[0], &gej[0], 4 * runs + 1);
4038 for (i = 0; i < 4 * runs + 1; i++) {
4039 secp256k1_fe s;
4040 testutil_random_fe_non_zero(&s);
4041 secp256k1_gej_rescale(&gej[i], &s);
4042 CHECK(secp256k1_gej_eq_ge_var(&gej[i], &ge_set_all_var[i]));
4043 }
4044
4045 /* Skip infinity at &gej[0]. */
4046 secp256k1_ge_set_all_gej(&ge_set_all[1], &gej[1], 4 * runs);
4047 for (i = 1; i < 4 * runs + 1; i++) {
4048 secp256k1_fe s;
4049 testutil_random_fe_non_zero(&s);
4050 secp256k1_gej_rescale(&gej[i], &s);
4051 CHECK(secp256k1_gej_eq_ge_var(&gej[i], &ge_set_all[i]));
4052 CHECK(secp256k1_ge_eq_var(&ge_set_all_var[i], &ge_set_all[i]));
4053 }
4054
4055 /* Test with an array of length 1. */
4056 secp256k1_ge_set_all_gej_var(ge_set_all_var, &gej[1], 1);
4057 secp256k1_ge_set_all_gej(ge_set_all, &gej[1], 1);
4058 CHECK(secp256k1_gej_eq_ge_var(&gej[1], &ge_set_all_var[1]));
4059 CHECK(secp256k1_gej_eq_ge_var(&gej[1], &ge_set_all[1]));
4060 CHECK(secp256k1_ge_eq_var(&ge_set_all_var[1], &ge_set_all[1]));
4061
4062 /* Test with an array of length 0. */
4063 secp256k1_ge_set_all_gej_var(NULL, NULL, 0);
4064 secp256k1_ge_set_all_gej(NULL, NULL, 0);
4065
4066 free(ge_set_all_var);
4067 free(ge_set_all);
4068 }
4069
4070 /* Test that all elements have X coordinates on the curve. */
4071 for (i = 1; i < 4 * runs + 1; i++) {
4072 secp256k1_fe n;
4073 CHECK(secp256k1_ge_x_on_curve_var(&ge[i].x));
4074 /* And the same holds after random rescaling. */
4075 secp256k1_fe_mul(&n, &zf, &ge[i].x);
4076 CHECK(secp256k1_ge_x_frac_on_curve_var(&n, &zf));
4077 }
4078
4079 /* Test correspondence of secp256k1_ge_x{,_frac}_on_curve_var with ge_set_xo. */
4080 {
4081 secp256k1_fe n;
4082 secp256k1_ge q;
4083 int ret_on_curve, ret_frac_on_curve, ret_set_xo;
4084 secp256k1_fe_mul(&n, &zf, &r);
4085 ret_on_curve = secp256k1_ge_x_on_curve_var(&r);
4086 ret_frac_on_curve = secp256k1_ge_x_frac_on_curve_var(&n, &zf);
4087 ret_set_xo = secp256k1_ge_set_xo_var(&q, &r, 0);
4088 CHECK(ret_on_curve == ret_frac_on_curve);
4089 CHECK(ret_on_curve == ret_set_xo);
4090 if (ret_set_xo) CHECK(secp256k1_fe_equal(&r, &q.x));
4091 }
4092
4093 /* Test batch gej -> ge conversion with many infinities. */
4094 for (i = 0; i < 4 * runs + 1; i++) {
4095 int odd;
4096 testutil_random_ge_test(&ge[i]);
4097 odd = secp256k1_fe_is_odd(&ge[i].x);
4098 CHECK(odd == 0 || odd == 1);
4099 /* randomly set half the points to infinity */
4100 if (odd == i % 2) {
4101 secp256k1_ge_set_infinity(&ge[i]);
4102 }
4103 secp256k1_gej_set_ge(&gej[i], &ge[i]);
4104 }
4105 /* batch convert */
4106 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
4107 /* check result */
4108 for (i = 0; i < 4 * runs + 1; i++) {
4109 CHECK(secp256k1_gej_eq_ge_var(&gej[i], &ge[i]));
4110 }
4111
4112 /* Test batch gej -> ge conversion with all infinities. */
4113 for (i = 0; i < 4 * runs + 1; i++) {
4114 secp256k1_gej_set_infinity(&gej[i]);
4115 }
4116 /* batch convert */
4117 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
4118 /* check result */
4119 for (i = 0; i < 4 * runs + 1; i++) {
4120 CHECK(secp256k1_ge_is_infinity(&ge[i]));
4121 }
4122
4123 free(ge);
4124 free(gej);
4125}
4126
4127static void test_initialized_inf(void) {
4128 secp256k1_ge p;
4129 secp256k1_gej pj, npj, infj1, infj2, infj3;
4130 secp256k1_fe zinv;
4131
4132 /* Test that adding P+(-P) results in a fully initialized infinity*/
4133 testutil_random_ge_test(&p);
4134 secp256k1_gej_set_ge(&pj, &p);
4135 secp256k1_gej_neg(&npj, &pj);
4136
4137 secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
4138 CHECK(secp256k1_gej_is_infinity(&infj1));
4139 CHECK(secp256k1_fe_is_zero(&infj1.x));
4140 CHECK(secp256k1_fe_is_zero(&infj1.y));
4141 CHECK(secp256k1_fe_is_zero(&infj1.z));
4142
4143 secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
4144 CHECK(secp256k1_gej_is_infinity(&infj2));
4145 CHECK(secp256k1_fe_is_zero(&infj2.x));
4146 CHECK(secp256k1_fe_is_zero(&infj2.y));
4147 CHECK(secp256k1_fe_is_zero(&infj2.z));
4148
4149 secp256k1_fe_set_int(&zinv, 1);
4150 secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
4151 CHECK(secp256k1_gej_is_infinity(&infj3));
4152 CHECK(secp256k1_fe_is_zero(&infj3.x));
4153 CHECK(secp256k1_fe_is_zero(&infj3.y));
4154 CHECK(secp256k1_fe_is_zero(&infj3.z));
4155
4156
4157}
4158
4159static void test_add_neg_y_diff_x(void) {
4160 /* The point of this test is to check that we can add two points
4161 * whose y-coordinates are negatives of each other but whose x
4162 * coordinates differ. If the x-coordinates were the same, these
4163 * points would be negatives of each other and their sum is
4164 * infinity. This is cool because it "covers up" any degeneracy
4165 * in the addition algorithm that would cause the xy coordinates
4166 * of the sum to be wrong (since infinity has no xy coordinates).
4167 * HOWEVER, if the x-coordinates are different, infinity is the
4168 * wrong answer, and such degeneracies are exposed. This is the
4169 * root of https://github.com/bitcoin-core/secp256k1/issues/257
4170 * which this test is a regression test for.
4171 *
4172 * These points were generated in sage as
4173 *
4174 * load("secp256k1_params.sage")
4175 *
4176 * # random "bad pair"
4177 * P = C.random_element()
4178 * Q = -int(LAMBDA) * P
4179 * print(" P: %x %x" % P.xy())
4180 * print(" Q: %x %x" % Q.xy())
4181 * print("P + Q: %x %x" % (P + Q).xy())
4182 */
4183 secp256k1_gej aj = SECP256K1_GEJ_CONST(
4184 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
4185 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
4186 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
4187 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
4188 );
4189 secp256k1_gej bj = SECP256K1_GEJ_CONST(
4190 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
4191 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
4192 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
4193 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
4194 );
4195 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
4196 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
4197 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
4198 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
4199 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
4200 );
4201 secp256k1_ge b;
4202 secp256k1_gej resj;
4203 secp256k1_ge res;
4204 secp256k1_ge_set_gej(&b, &bj);
4205
4206 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
4207 secp256k1_ge_set_gej(&res, &resj);
4208 CHECK(secp256k1_gej_eq_ge_var(&sumj, &res));
4209
4210 secp256k1_gej_add_ge(&resj, &aj, &b);
4211 secp256k1_ge_set_gej(&res, &resj);
4212 CHECK(secp256k1_gej_eq_ge_var(&sumj, &res));
4213
4214 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
4215 secp256k1_ge_set_gej(&res, &resj);
4216 CHECK(secp256k1_gej_eq_ge_var(&sumj, &res));
4217}
4218
4219static void test_ge_bytes(void) {
4220 int i;
4221
4222 for (i = 0; i < COUNT + 1; i++) {
4223 unsigned char buf[64];
4224 secp256k1_ge p, q;
4225
4226 if (i == 0) {
4227 secp256k1_ge_set_infinity(&p);
4228 } else {
4229 testutil_random_ge_test(&p);
4230 }
4231
4232 if (!secp256k1_ge_is_infinity(&p)) {
4233 secp256k1_ge_to_bytes(buf, &p);
4234
4235 secp256k1_ge_from_bytes(&q, buf);
4236 CHECK(secp256k1_ge_eq_var(&p, &q));
4237
4238 secp256k1_ge_from_bytes_ext(&q, buf);
4239 CHECK(secp256k1_ge_eq_var(&p, &q));
4240 }
4241 secp256k1_ge_to_bytes_ext(buf, &p);
4242 secp256k1_ge_from_bytes_ext(&q, buf);
4243 CHECK(secp256k1_ge_eq_var(&p, &q));
4244 }
4245}
4246
4247static void run_ge(void) {
4248 int i;
4249 for (i = 0; i < COUNT * 32; i++) {
4250 test_ge();
4251 }
4252 test_add_neg_y_diff_x();
4253 test_initialized_inf();
4254 test_ge_bytes();
4255}
4256
4257static void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b) {
4258 secp256k1_gej t = *a;
4259 secp256k1_gej_cmov(&t, b, 0);
4260 CHECK(gej_xyz_equals_gej(&t, a));
4261 secp256k1_gej_cmov(&t, b, 1);
4262 CHECK(gej_xyz_equals_gej(&t, b));
4263}
4264
4265static void run_gej(void) {
4266 int i;
4267 secp256k1_gej a, b;
4268
4269 /* Tests for secp256k1_gej_cmov */
4270 for (i = 0; i < COUNT; i++) {
4271 secp256k1_gej_set_infinity(&a);
4272 secp256k1_gej_set_infinity(&b);
4273 test_gej_cmov(&a, &b);
4274
4275 testutil_random_gej_test(&a);
4276 test_gej_cmov(&a, &b);
4277 test_gej_cmov(&b, &a);
4278
4279 b = a;
4280 test_gej_cmov(&a, &b);
4281
4282 testutil_random_gej_test(&b);
4283 test_gej_cmov(&a, &b);
4284 test_gej_cmov(&b, &a);
4285 }
4286
4287 /* Tests for secp256k1_gej_eq_var */
4288 for (i = 0; i < COUNT; i++) {
4289 secp256k1_fe fe;
4290 testutil_random_gej_test(&a);
4291 testutil_random_gej_test(&b);
4292 CHECK(!secp256k1_gej_eq_var(&a, &b));
4293
4294 b = a;
4295 testutil_random_fe_non_zero_test(&fe);
4296 secp256k1_gej_rescale(&a, &fe);
4297 CHECK(secp256k1_gej_eq_var(&a, &b));
4298 }
4299}
4300
4301static void test_ec_combine(void) {
4302 secp256k1_scalar sum = secp256k1_scalar_zero;
4303 secp256k1_pubkey data[6];
4304 const secp256k1_pubkey* d[6];
4305 secp256k1_pubkey sd;
4306 secp256k1_pubkey sd2;
4307 secp256k1_gej Qj;
4308 secp256k1_ge Q;
4309 int i;
4310 for (i = 1; i <= 6; i++) {
4311 secp256k1_scalar s;
4312 testutil_random_scalar_order_test(&s);
4313 secp256k1_scalar_add(&sum, &sum, &s);
4314 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &Qj, &s);
4315 secp256k1_ge_set_gej(&Q, &Qj);
4316 secp256k1_pubkey_save(&data[i - 1], &Q);
4317 d[i - 1] = &data[i - 1];
4318 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &Qj, &sum);
4319 secp256k1_ge_set_gej(&Q, &Qj);
4320 secp256k1_pubkey_save(&sd, &Q);
4321 CHECK(secp256k1_ec_pubkey_combine(CTX, &sd2, d, i) == 1);
4322 CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
4323 }
4324}
4325
4326static void run_ec_combine(void) {
4327 int i;
4328 for (i = 0; i < COUNT * 8; i++) {
4329 test_ec_combine();
4330 }
4331}
4332
4333static void test_group_decompress(const secp256k1_fe* x) {
4334 /* The input itself, normalized. */
4335 secp256k1_fe fex = *x;
4336 /* Results of set_xo_var(..., 0), set_xo_var(..., 1). */
4337 secp256k1_ge ge_even, ge_odd;
4338 /* Return values of the above calls. */
4339 int res_even, res_odd;
4340
4341 secp256k1_fe_normalize_var(&fex);
4342
4343 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
4344 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
4345
4346 CHECK(res_even == res_odd);
4347
4348 if (res_even) {
4349 secp256k1_fe_normalize_var(&ge_odd.x);
4350 secp256k1_fe_normalize_var(&ge_even.x);
4351 secp256k1_fe_normalize_var(&ge_odd.y);
4352 secp256k1_fe_normalize_var(&ge_even.y);
4353
4354 /* No infinity allowed. */
4355 CHECK(!secp256k1_ge_is_infinity(&ge_even));
4356 CHECK(!secp256k1_ge_is_infinity(&ge_odd));
4357
4358 /* Check that the x coordinates check out. */
4359 CHECK(secp256k1_fe_equal(&ge_even.x, x));
4360 CHECK(secp256k1_fe_equal(&ge_odd.x, x));
4361
4362 /* Check odd/even Y in ge_odd, ge_even. */
4363 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
4364 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
4365 }
4366}
4367
4368static void run_group_decompress(void) {
4369 int i;
4370 for (i = 0; i < COUNT * 4; i++) {
4371 secp256k1_fe fe;
4372 testutil_random_fe_test(&fe);
4373 test_group_decompress(&fe);
4374 }
4375}
4376
4377/***** ECMULT TESTS *****/
4378
4379static void test_pre_g_table(const secp256k1_ge_storage * pre_g, size_t n) {
4380 /* Tests the pre_g / pre_g_128 tables for consistency.
4381 * For independent verification we take a "geometric" approach to verification.
4382 * We check that every entry is on-curve.
4383 * We check that for consecutive entries p and q, that p + gg - q = 0 by checking
4384 * (1) p, gg, and -q are colinear.
4385 * (2) p, gg, and -q are all distinct.
4386 * where gg is twice the generator, where the generator is the first table entry.
4387 *
4388 * Checking the table's generators are correct is done in run_ecmult_pre_g.
4389 */
4390 secp256k1_gej g2;
4391 secp256k1_ge p, q, gg;
4392 secp256k1_fe dpx, dpy, dqx, dqy;
4393 size_t i;
4394
4395 CHECK(0 < n);
4396
4397 secp256k1_ge_from_storage(&p, &pre_g[0]);
4398 CHECK(secp256k1_ge_is_valid_var(&p));
4399
4400 secp256k1_gej_set_ge(&g2, &p);
4401 secp256k1_gej_double_var(&g2, &g2, NULL);
4402 secp256k1_ge_set_gej_var(&gg, &g2);
4403 for (i = 1; i < n; ++i) {
4404 secp256k1_fe_negate(&dpx, &p.x, 1); secp256k1_fe_add(&dpx, &gg.x); secp256k1_fe_normalize_weak(&dpx);
4405 secp256k1_fe_negate(&dpy, &p.y, 1); secp256k1_fe_add(&dpy, &gg.y); secp256k1_fe_normalize_weak(&dpy);
4406 /* Check that p is not equal to gg */
4407 CHECK(!secp256k1_fe_normalizes_to_zero_var(&dpx) || !secp256k1_fe_normalizes_to_zero_var(&dpy));
4408
4409 secp256k1_ge_from_storage(&q, &pre_g[i]);
4410 CHECK(secp256k1_ge_is_valid_var(&q));
4411
4412 secp256k1_fe_negate(&dqx, &q.x, 1); secp256k1_fe_add(&dqx, &gg.x);
4413 dqy = q.y; secp256k1_fe_add(&dqy, &gg.y);
4414 /* Check that -q is not equal to gg */
4415 CHECK(!secp256k1_fe_normalizes_to_zero_var(&dqx) || !secp256k1_fe_normalizes_to_zero_var(&dqy));
4416
4417 /* Check that -q is not equal to p */
4418 CHECK(!secp256k1_fe_equal(&dpx, &dqx) || !secp256k1_fe_equal(&dpy, &dqy));
4419
4420 /* Check that p, -q and gg are colinear */
4421 secp256k1_fe_mul(&dpx, &dpx, &dqy);
4422 secp256k1_fe_mul(&dpy, &dpy, &dqx);
4423 CHECK(secp256k1_fe_equal(&dpx, &dpy));
4424
4425 p = q;
4426 }
4427}
4428
4429static void run_ecmult_pre_g(void) {
4430 secp256k1_ge_storage gs;
4431 secp256k1_gej gj;
4432 secp256k1_ge g;
4433 size_t i;
4434
4435 /* Check that the pre_g and pre_g_128 tables are consistent. */
4436 test_pre_g_table(secp256k1_pre_g, ECMULT_TABLE_SIZE(WINDOW_G));
4437 test_pre_g_table(secp256k1_pre_g_128, ECMULT_TABLE_SIZE(WINDOW_G));
4438
4439 /* Check the first entry from the pre_g table. */
4440 secp256k1_ge_to_storage(&gs, &secp256k1_ge_const_g);
4441 CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g[0], sizeof(gs)) == 0);
4442
4443 /* Check the first entry from the pre_g_128 table. */
4444 secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);
4445 for (i = 0; i < 128; ++i) {
4446 secp256k1_gej_double_var(&gj, &gj, NULL);
4447 }
4448 secp256k1_ge_set_gej(&g, &gj);
4449 secp256k1_ge_to_storage(&gs, &g);
4450 CHECK(secp256k1_memcmp_var(&gs, &secp256k1_pre_g_128[0], sizeof(gs)) == 0);
4451}
4452
4453static void run_ecmult_chain(void) {
4454 /* random starting point A (on the curve) */
4455 secp256k1_gej a = SECP256K1_GEJ_CONST(
4456 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
4457 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
4458 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
4459 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
4460 );
4461 /* two random initial factors xn and gn */
4462 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
4463 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
4464 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
4465 );
4466 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
4467 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
4468 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
4469 );
4470 /* two small multipliers to be applied to xn and gn in every iteration: */
4471 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
4472 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
4473 /* accumulators with the resulting coefficients to A and G */
4474 secp256k1_scalar ae = secp256k1_scalar_one;
4475 secp256k1_scalar ge = secp256k1_scalar_zero;
4476 /* actual points */
4477 secp256k1_gej x;
4478 secp256k1_gej x2;
4479 int i;
4480
4481 /* the point being computed */
4482 x = a;
4483 for (i = 0; i < 200*COUNT; i++) {
4484 /* in each iteration, compute X = xn*X + gn*G; */
4485 secp256k1_ecmult(&x, &x, &xn, &gn);
4486 /* also compute ae and ge: the actual accumulated factors for A and G */
4487 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
4488 secp256k1_scalar_mul(&ae, &ae, &xn);
4489 secp256k1_scalar_mul(&ge, &ge, &xn);
4490 secp256k1_scalar_add(&ge, &ge, &gn);
4491 /* modify xn and gn */
4492 secp256k1_scalar_mul(&xn, &xn, &xf);
4493 secp256k1_scalar_mul(&gn, &gn, &gf);
4494
4495 /* verify */
4496 if (i == 19999) {
4497 /* expected result after 19999 iterations */
4498 secp256k1_gej rp = SECP256K1_GEJ_CONST(
4499 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
4500 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
4501 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
4502 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
4503 );
4504 CHECK(secp256k1_gej_eq_var(&rp, &x));
4505 }
4506 }
4507 /* redo the computation, but directly with the resulting ae and ge coefficients: */
4508 secp256k1_ecmult(&x2, &a, &ae, &ge);
4509 CHECK(secp256k1_gej_eq_var(&x, &x2));
4510}
4511
4512static void test_point_times_order(const secp256k1_gej *point) {
4513 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
4514 secp256k1_scalar x;
4515 secp256k1_scalar nx;
4516 secp256k1_gej res1, res2;
4517 secp256k1_ge res3;
4518 testutil_random_scalar_order_test(&x);
4519 secp256k1_scalar_negate(&nx, &x);
4520 secp256k1_ecmult(&res1, point, &x, &x); /* calc res1 = x * point + x * G; */
4521 secp256k1_ecmult(&res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
4522 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
4523 CHECK(secp256k1_gej_is_infinity(&res1));
4524 secp256k1_ge_set_gej(&res3, &res1);
4525 CHECK(secp256k1_ge_is_infinity(&res3));
4526 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
4527 /* check zero/one edge cases */
4528 secp256k1_ecmult(&res1, point, &secp256k1_scalar_zero, &secp256k1_scalar_zero);
4529 secp256k1_ecmult(&res2, point, &secp256k1_scalar_zero, NULL);
4530 secp256k1_ge_set_gej(&res3, &res1);
4531 CHECK(secp256k1_gej_is_infinity(&res1));
4532 CHECK(secp256k1_gej_is_infinity(&res2));
4533 CHECK(secp256k1_ge_is_infinity(&res3));
4534
4535 secp256k1_ecmult(&res1, point, &secp256k1_scalar_one, &secp256k1_scalar_zero);
4536 secp256k1_ecmult(&res2, point, &secp256k1_scalar_one, NULL);
4537 secp256k1_ge_set_gej(&res3, &res1);
4538 CHECK(secp256k1_gej_eq_ge_var(point, &res3));
4539 secp256k1_ge_set_gej(&res3, &res2);
4540 CHECK(secp256k1_gej_eq_ge_var(point, &res3));
4541
4542 secp256k1_ecmult(&res1, point, &secp256k1_scalar_zero, &secp256k1_scalar_one);
4543 secp256k1_ge_set_gej(&res3, &res1);
4544 CHECK(secp256k1_ge_eq_var(&secp256k1_ge_const_g, &res3));
4545}
4546
4547/* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
4548 *
4549 * They are computed as:
4550 * - For a in [-2, -1, 0, 1, 2]:
4551 * - For b in [-3, -1, 1, 3]:
4552 * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
4553 */
4554static const secp256k1_scalar scalars_near_split_bounds[20] = {
4555 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
4556 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
4557 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
4558 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
4559 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
4560 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
4561 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
4562 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
4563 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
4564 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
4565 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
4566 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
4567 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
4568 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
4569 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
4570 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
4571 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
4572 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
4573 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
4574 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
4575};
4576
4577static void test_ecmult_target(const secp256k1_scalar* target, int mode) {
4578 /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
4579 secp256k1_scalar n1, n2;
4580 secp256k1_ge p;
4581 secp256k1_gej pj, p1j, p2j, ptj;
4582
4583 /* Generate random n1,n2 such that n1+n2 = -target. */
4584 testutil_random_scalar_order_test(&n1);
4585 secp256k1_scalar_add(&n2, &n1, target);
4586 secp256k1_scalar_negate(&n2, &n2);
4587
4588 /* Generate a random input point. */
4589 if (mode != 0) {
4590 testutil_random_ge_test(&p);
4591 secp256k1_gej_set_ge(&pj, &p);
4592 }
4593
4594 /* EC multiplications */
4595 if (mode == 0) {
4596 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &p1j, &n1);
4597 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &p2j, &n2);
4598 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &ptj, target);
4599 } else if (mode == 1) {
4600 secp256k1_ecmult(&p1j, &pj, &n1, &secp256k1_scalar_zero);
4601 secp256k1_ecmult(&p2j, &pj, &n2, &secp256k1_scalar_zero);
4602 secp256k1_ecmult(&ptj, &pj, target, &secp256k1_scalar_zero);
4603 } else {
4604 secp256k1_ecmult_const(&p1j, &p, &n1);
4605 secp256k1_ecmult_const(&p2j, &p, &n2);
4606 secp256k1_ecmult_const(&ptj, &p, target);
4607 }
4608
4609 /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
4610 secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
4611 secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
4612 CHECK(secp256k1_gej_is_infinity(&ptj));
4613}
4614
4615static void run_ecmult_near_split_bound(void) {
4616 int i;
4617 unsigned j;
4618 for (i = 0; i < 4*COUNT; ++i) {
4619 for (j = 0; j < ARRAY_SIZE(scalars_near_split_bounds); ++j) {
4620 test_ecmult_target(&scalars_near_split_bounds[j], 0);
4621 test_ecmult_target(&scalars_near_split_bounds[j], 1);
4622 test_ecmult_target(&scalars_near_split_bounds[j], 2);
4623 }
4624 }
4625}
4626
4627static void run_point_times_order(void) {
4628 int i;
4629 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
4630 static const secp256k1_fe xr = SECP256K1_FE_CONST(
4631 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
4632 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
4633 );
4634 for (i = 0; i < 500; i++) {
4635 secp256k1_ge p;
4636 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
4637 secp256k1_gej j;
4638 CHECK(secp256k1_ge_is_valid_var(&p));
4639 secp256k1_gej_set_ge(&j, &p);
4640 test_point_times_order(&j);
4641 }
4642 secp256k1_fe_sqr(&x, &x);
4643 }
4644 secp256k1_fe_normalize_var(&x);
4645 CHECK(secp256k1_fe_equal(&x, &xr));
4646}
4647
4648static void ecmult_const_random_mult(void) {
4649 /* random starting point A (on the curve) */
4650 secp256k1_ge a = SECP256K1_GE_CONST(
4651 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
4652 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
4653 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
4654 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
4655 );
4656 /* random initial factor xn */
4657 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
4658 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
4659 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
4660 );
4661 /* expected xn * A (from sage) */
4662 secp256k1_ge expected_b = SECP256K1_GE_CONST(
4663 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
4664 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
4665 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
4666 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
4667 );
4668 secp256k1_gej b;
4669 secp256k1_ecmult_const(&b, &a, &xn);
4670
4671 CHECK(secp256k1_ge_is_valid_var(&a));
4672 CHECK(secp256k1_gej_eq_ge_var(&b, &expected_b));
4673}
4674
4675static void ecmult_const_commutativity(void) {
4676 secp256k1_scalar a;
4677 secp256k1_scalar b;
4678 secp256k1_gej res1;
4679 secp256k1_gej res2;
4680 secp256k1_ge mid1;
4681 secp256k1_ge mid2;
4682 testutil_random_scalar_order_test(&a);
4683 testutil_random_scalar_order_test(&b);
4684
4685 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a);
4686 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b);
4687 secp256k1_ge_set_gej(&mid1, &res1);
4688 secp256k1_ge_set_gej(&mid2, &res2);
4689 secp256k1_ecmult_const(&res1, &mid1, &b);
4690 secp256k1_ecmult_const(&res2, &mid2, &a);
4691 secp256k1_ge_set_gej(&mid1, &res1);
4692 secp256k1_ge_set_gej(&mid2, &res2);
4693 CHECK(secp256k1_ge_eq_var(&mid1, &mid2));
4694}
4695
4696static void ecmult_const_mult_zero_one(void) {
4697 secp256k1_scalar s;
4698 secp256k1_scalar negone;
4699 secp256k1_gej res1;
4700 secp256k1_ge res2;
4701 secp256k1_ge point;
4702 secp256k1_ge inf;
4703
4704 testutil_random_scalar_order_test(&s);
4705 secp256k1_scalar_negate(&negone, &secp256k1_scalar_one);
4706 testutil_random_ge_test(&point);
4707 secp256k1_ge_set_infinity(&inf);
4708
4709 /* 0*point */
4710 secp256k1_ecmult_const(&res1, &point, &secp256k1_scalar_zero);
4711 CHECK(secp256k1_gej_is_infinity(&res1));
4712
4713 /* s*inf */
4714 secp256k1_ecmult_const(&res1, &inf, &s);
4715 CHECK(secp256k1_gej_is_infinity(&res1));
4716
4717 /* 1*point */
4718 secp256k1_ecmult_const(&res1, &point, &secp256k1_scalar_one);
4719 secp256k1_ge_set_gej(&res2, &res1);
4720 CHECK(secp256k1_ge_eq_var(&res2, &point));
4721
4722 /* -1*point */
4723 secp256k1_ecmult_const(&res1, &point, &negone);
4724 secp256k1_gej_neg(&res1, &res1);
4725 secp256k1_ge_set_gej(&res2, &res1);
4726 CHECK(secp256k1_ge_eq_var(&res2, &point));
4727}
4728
4729static void ecmult_const_check_result(const secp256k1_ge *A, const secp256k1_scalar* q, const secp256k1_gej *res) {
4730 secp256k1_gej pointj, res2j;
4731 secp256k1_ge res2;
4732 secp256k1_gej_set_ge(&pointj, A);
4733 secp256k1_ecmult(&res2j, &pointj, q, &secp256k1_scalar_zero);
4734 secp256k1_ge_set_gej(&res2, &res2j);
4735 CHECK(secp256k1_gej_eq_ge_var(res, &res2));
4736}
4737
4738static void ecmult_const_edges(void) {
4739 secp256k1_scalar q;
4740 secp256k1_ge point;
4741 secp256k1_gej res;
4742 size_t i;
4743 size_t cases = 1 + ARRAY_SIZE(scalars_near_split_bounds);
4744
4745 /* We are trying to reach the following edge cases (variables are defined as
4746 * in ecmult_const_impl.h):
4747 * 1. i = 0: s = 0 <=> q = -K
4748 * 2. i > 0: v1, v2 large values
4749 * <=> s1, s2 large values
4750 * <=> s = scalars_near_split_bounds[i]
4751 * <=> q = 2*scalars_near_split_bounds[i] - K
4752 */
4753 for (i = 0; i < cases; ++i) {
4754 secp256k1_scalar_negate(&q, &secp256k1_ecmult_const_K);
4755 if (i > 0) {
4756 secp256k1_scalar_add(&q, &q, &scalars_near_split_bounds[i - 1]);
4757 secp256k1_scalar_add(&q, &q, &scalars_near_split_bounds[i - 1]);
4758 }
4759 testutil_random_ge_test(&point);
4760 secp256k1_ecmult_const(&res, &point, &q);
4761 ecmult_const_check_result(&point, &q, &res);
4762 }
4763}
4764
4765static void ecmult_const_mult_xonly(void) {
4766 int i;
4767
4768 /* Test correspondence between secp256k1_ecmult_const and secp256k1_ecmult_const_xonly. */
4769 for (i = 0; i < 2*COUNT; ++i) {
4770 secp256k1_ge base;
4771 secp256k1_gej basej, resj;
4772 secp256k1_fe n, d, resx, v;
4773 secp256k1_scalar q;
4774 int res;
4775 /* Random base point. */
4776 testutil_random_ge_test(&base);
4777 /* Random scalar to multiply it with. */
4778 testutil_random_scalar_order_test(&q);
4779 /* If i is odd, n=d*base.x for random non-zero d */
4780 if (i & 1) {
4781 testutil_random_fe_non_zero_test(&d);
4782 secp256k1_fe_mul(&n, &base.x, &d);
4783 } else {
4784 n = base.x;
4785 }
4786 /* Perform x-only multiplication. */
4787 res = secp256k1_ecmult_const_xonly(&resx, &n, (i & 1) ? &d : NULL, &q, i & 2);
4788 CHECK(res);
4789 /* Perform normal multiplication. */
4790 secp256k1_gej_set_ge(&basej, &base);
4791 secp256k1_ecmult(&resj, &basej, &q, NULL);
4792 /* Check that resj's X coordinate corresponds with resx. */
4793 secp256k1_fe_sqr(&v, &resj.z);
4794 secp256k1_fe_mul(&v, &v, &resx);
4795 CHECK(fe_equal(&v, &resj.x));
4796 }
4797
4798 /* Test that secp256k1_ecmult_const_xonly correctly rejects X coordinates not on curve. */
4799 for (i = 0; i < 2*COUNT; ++i) {
4800 secp256k1_fe x, n, d, r;
4801 int res;
4802 secp256k1_scalar q;
4803 testutil_random_scalar_order_test(&q);
4804 /* Generate random X coordinate not on the curve. */
4805 do {
4806 testutil_random_fe_test(&x);
4807 } while (secp256k1_ge_x_on_curve_var(&x));
4808 /* If i is odd, n=d*x for random non-zero d. */
4809 if (i & 1) {
4810 testutil_random_fe_non_zero_test(&d);
4811 secp256k1_fe_mul(&n, &x, &d);
4812 } else {
4813 n = x;
4814 }
4815 res = secp256k1_ecmult_const_xonly(&r, &n, (i & 1) ? &d : NULL, &q, 0);
4816 CHECK(res == 0);
4817 }
4818}
4819
4820static void ecmult_const_chain_multiply(void) {
4821 /* Check known result (randomly generated test problem from sage) */
4822 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
4823 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
4824 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
4825 );
4826 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
4827 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
4828 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
4829 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
4830 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
4831 );
4832 secp256k1_gej point;
4833 secp256k1_ge res;
4834 int i;
4835
4836 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
4837 for (i = 0; i < 100; ++i) {
4838 secp256k1_ge tmp;
4839 secp256k1_ge_set_gej(&tmp, &point);
4840 secp256k1_ecmult_const(&point, &tmp, &scalar);
4841 }
4842 secp256k1_ge_set_gej(&res, &point);
4843 CHECK(secp256k1_gej_eq_ge_var(&expected_point, &res));
4844}
4845
4846static void run_ecmult_const_tests(void) {
4847 ecmult_const_mult_zero_one();
4848 ecmult_const_edges();
4849 ecmult_const_random_mult();
4850 ecmult_const_commutativity();
4851 ecmult_const_chain_multiply();
4852 ecmult_const_mult_xonly();
4853}
4854
4855typedef struct {
4856 secp256k1_scalar *sc;
4857 secp256k1_ge *pt;
4858} ecmult_multi_data;
4859
4860static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4861 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
4862 *sc = data->sc[idx];
4863 *pt = data->pt[idx];
4864 return 1;
4865}
4866
4867static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
4868 (void)sc;
4869 (void)pt;
4870 (void)idx;
4871 (void)cbdata;
4872 return 0;
4873}
4874
4875static void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
4876 int ncount;
4877 secp256k1_scalar sc[32];
4878 secp256k1_ge pt[32];
4879 secp256k1_gej r;
4880 secp256k1_gej r2;
4881 ecmult_multi_data data;
4882
4883 data.sc = sc;
4884 data.pt = pt;
4885
4886 /* No points to multiply */
4887 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
4888
4889 /* Check 1- and 2-point multiplies against ecmult */
4890 for (ncount = 0; ncount < COUNT; ncount++) {
4891 secp256k1_ge ptg;
4892 secp256k1_gej ptgj;
4893 testutil_random_scalar_order(&sc[0]);
4894 testutil_random_scalar_order(&sc[1]);
4895
4896 testutil_random_ge_test(&ptg);
4897 secp256k1_gej_set_ge(&ptgj, &ptg);
4898 pt[0] = ptg;
4899 pt[1] = secp256k1_ge_const_g;
4900
4901 /* only G scalar */
4902 secp256k1_ecmult(&r2, &ptgj, &secp256k1_scalar_zero, &sc[0]);
4903 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
4904 CHECK(secp256k1_gej_eq_var(&r, &r2));
4905
4906 /* 1-point */
4907 secp256k1_ecmult(&r2, &ptgj, &sc[0], &secp256k1_scalar_zero);
4908 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1));
4909 CHECK(secp256k1_gej_eq_var(&r, &r2));
4910
4911 /* Try to multiply 1 point, but callback returns false */
4912 CHECK(!ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_false_callback, &data, 1));
4913
4914 /* 2-point */
4915 secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4916 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2));
4917 CHECK(secp256k1_gej_eq_var(&r, &r2));
4918
4919 /* 2-point with G scalar */
4920 secp256k1_ecmult(&r2, &ptgj, &sc[0], &sc[1]);
4921 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
4922 CHECK(secp256k1_gej_eq_var(&r, &r2));
4923 }
4924
4925 /* Check infinite outputs of various forms */
4926 for (ncount = 0; ncount < COUNT; ncount++) {
4927 secp256k1_ge ptg;
4928 size_t i, j;
4929 size_t sizes[] = { 2, 10, 32 };
4930
4931 for (j = 0; j < 3; j++) {
4932 for (i = 0; i < 32; i++) {
4933 testutil_random_scalar_order(&sc[i]);
4934 secp256k1_ge_set_infinity(&pt[i]);
4935 }
4936 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4937 CHECK(secp256k1_gej_is_infinity(&r));
4938 }
4939
4940 for (j = 0; j < 3; j++) {
4941 for (i = 0; i < 32; i++) {
4942 testutil_random_ge_test(&ptg);
4943 pt[i] = ptg;
4944 secp256k1_scalar_set_int(&sc[i], 0);
4945 }
4946 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4947 CHECK(secp256k1_gej_is_infinity(&r));
4948 }
4949
4950 for (j = 0; j < 3; j++) {
4951 testutil_random_ge_test(&ptg);
4952 for (i = 0; i < 16; i++) {
4953 testutil_random_scalar_order(&sc[2*i]);
4954 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
4955 pt[2 * i] = ptg;
4956 pt[2 * i + 1] = ptg;
4957 }
4958
4959 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4960 CHECK(secp256k1_gej_is_infinity(&r));
4961
4962 testutil_random_scalar_order(&sc[0]);
4963 for (i = 0; i < 16; i++) {
4964 testutil_random_ge_test(&ptg);
4965
4966 sc[2*i] = sc[0];
4967 sc[2*i+1] = sc[0];
4968 pt[2 * i] = ptg;
4969 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
4970 }
4971
4972 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, sizes[j]));
4973 CHECK(secp256k1_gej_is_infinity(&r));
4974 }
4975
4976 testutil_random_ge_test(&ptg);
4977 secp256k1_scalar_set_int(&sc[0], 0);
4978 pt[0] = ptg;
4979 for (i = 1; i < 32; i++) {
4980 pt[i] = ptg;
4981
4982 testutil_random_scalar_order(&sc[i]);
4983 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
4984 secp256k1_scalar_negate(&sc[i], &sc[i]);
4985 }
4986
4987 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 32));
4988 CHECK(secp256k1_gej_is_infinity(&r));
4989 }
4990
4991 /* Check random points, constant scalar */
4992 for (ncount = 0; ncount < COUNT; ncount++) {
4993 size_t i;
4994 secp256k1_gej_set_infinity(&r);
4995
4996 testutil_random_scalar_order(&sc[0]);
4997 for (i = 0; i < 20; i++) {
4998 secp256k1_ge ptg;
4999 sc[i] = sc[0];
5000 testutil_random_ge_test(&ptg);
5001 pt[i] = ptg;
5002 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
5003 }
5004
5005 secp256k1_ecmult(&r2, &r, &sc[0], &secp256k1_scalar_zero);
5006 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
5007 CHECK(secp256k1_gej_eq_var(&r, &r2));
5008 }
5009
5010 /* Check random scalars, constant point */
5011 for (ncount = 0; ncount < COUNT; ncount++) {
5012 size_t i;
5013 secp256k1_ge ptg;
5014 secp256k1_gej p0j;
5015 secp256k1_scalar rs;
5016 secp256k1_scalar_set_int(&rs, 0);
5017
5018 testutil_random_ge_test(&ptg);
5019 for (i = 0; i < 20; i++) {
5020 testutil_random_scalar_order(&sc[i]);
5021 pt[i] = ptg;
5022 secp256k1_scalar_add(&rs, &rs, &sc[i]);
5023 }
5024
5025 secp256k1_gej_set_ge(&p0j, &pt[0]);
5026 secp256k1_ecmult(&r2, &p0j, &rs, &secp256k1_scalar_zero);
5027 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
5028 CHECK(secp256k1_gej_eq_var(&r, &r2));
5029 }
5030
5031 /* Sanity check that zero scalars don't cause problems */
5032 for (ncount = 0; ncount < 20; ncount++) {
5033 testutil_random_scalar_order(&sc[ncount]);
5034 testutil_random_ge_test(&pt[ncount]);
5035 }
5036
5037 secp256k1_scalar_set_int(&sc[0], 0);
5038 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 20));
5039 secp256k1_scalar_set_int(&sc[1], 0);
5040 secp256k1_scalar_set_int(&sc[2], 0);
5041 secp256k1_scalar_set_int(&sc[3], 0);
5042 secp256k1_scalar_set_int(&sc[4], 0);
5043 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 6));
5044 CHECK(ecmult_multi(&CTX->error_callback, scratch, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 5));
5045 CHECK(secp256k1_gej_is_infinity(&r));
5046
5047 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
5048 {
5049 const size_t TOP = 8;
5050 size_t s0i, s1i;
5051 size_t t0i, t1i;
5052 secp256k1_ge ptg;
5053 secp256k1_gej ptgj;
5054
5055 testutil_random_ge_test(&ptg);
5056 secp256k1_gej_set_ge(&ptgj, &ptg);
5057
5058 for(t0i = 0; t0i < TOP; t0i++) {
5059 for(t1i = 0; t1i < TOP; t1i++) {
5060 secp256k1_gej t0p, t1p;
5061 secp256k1_scalar t0, t1;
5062
5063 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
5064 secp256k1_scalar_cond_negate(&t0, t0i & 1);
5065 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
5066 secp256k1_scalar_cond_negate(&t1, t1i & 1);
5067
5068 secp256k1_ecmult(&t0p, &ptgj, &t0, &secp256k1_scalar_zero);
5069 secp256k1_ecmult(&t1p, &ptgj, &t1, &secp256k1_scalar_zero);
5070
5071 for(s0i = 0; s0i < TOP; s0i++) {
5072 for(s1i = 0; s1i < TOP; s1i++) {
5073 secp256k1_scalar tmp1, tmp2;
5074 secp256k1_gej expected, actual;
5075
5076 secp256k1_ge_set_gej(&pt[0], &t0p);
5077 secp256k1_ge_set_gej(&pt[1], &t1p);
5078
5079 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
5080 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
5081 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
5082 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
5083
5084 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
5085 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
5086 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
5087
5088 secp256k1_ecmult(&expected, &ptgj, &tmp1, &secp256k1_scalar_zero);
5089 CHECK(ecmult_multi(&CTX->error_callback, scratch, &actual, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 2));
5090 CHECK(secp256k1_gej_eq_var(&actual, &expected));
5091 }
5092 }
5093 }
5094 }
5095 }
5096}
5097
5098static int test_ecmult_multi_random(secp256k1_scratch *scratch) {
5099 /* Large random test for ecmult_multi_* functions which exercises:
5100 * - Few or many inputs (0 up to 128, roughly exponentially distributed).
5101 * - Few or many 0*P or a*INF inputs (roughly uniformly distributed).
5102 * - Including or excluding an nonzero a*G term (or such a term at all).
5103 * - Final expected result equal to infinity or not (roughly 50%).
5104 * - ecmult_multi_var, ecmult_strauss_single_batch, ecmult_pippenger_single_batch
5105 */
5106
5107 /* These 4 variables define the eventual input to the ecmult_multi function.
5108 * g_scalar is the G scalar fed to it (or NULL, possibly, if g_scalar=0), and
5109 * scalars[0..filled-1] and gejs[0..filled-1] are the scalars and points
5110 * which form its normal inputs. */
5111 int filled = 0;
5112 secp256k1_scalar g_scalar = secp256k1_scalar_zero;
5113 secp256k1_scalar scalars[128];
5114 secp256k1_gej gejs[128];
5115 /* The expected result, and the computed result. */
5116 secp256k1_gej expected, computed;
5117 /* Temporaries. */
5118 secp256k1_scalar sc_tmp;
5119 secp256k1_ge ge_tmp;
5120 /* Variables needed for the actual input to ecmult_multi. */
5121 secp256k1_ge ges[128];
5122 ecmult_multi_data data;
5123
5124 int i;
5125 /* Which multiplication function to use */
5126 int fn = testrand_int(3);
5127 secp256k1_ecmult_multi_func ecmult_multi = fn == 0 ? secp256k1_ecmult_multi_var :
5128 fn == 1 ? secp256k1_ecmult_strauss_batch_single :
5129 secp256k1_ecmult_pippenger_batch_single;
5130 /* Simulate exponentially distributed num. */
5131 int num_bits = 2 + testrand_int(6);
5132 /* Number of (scalar, point) inputs (excluding g). */
5133 int num = testrand_int((1 << num_bits) + 1);
5134 /* Number of those which are nonzero. */
5135 int num_nonzero = testrand_int(num + 1);
5136 /* Whether we're aiming to create an input with nonzero expected result. */
5137 int nonzero_result = testrand_bits(1);
5138 /* Whether we will provide nonzero g multiplicand. In some cases our hand
5139 * is forced here based on num_nonzero and nonzero_result. */
5140 int g_nonzero = num_nonzero == 0 ? nonzero_result :
5141 num_nonzero == 1 && !nonzero_result ? 1 :
5142 (int)testrand_bits(1);
5143 /* Which g_scalar pointer to pass into ecmult_multi(). */
5144 const secp256k1_scalar* g_scalar_ptr = (g_nonzero || testrand_bits(1)) ? &g_scalar : NULL;
5145 /* How many EC multiplications were performed in this function. */
5146 int mults = 0;
5147 /* How many randomization steps to apply to the input list. */
5148 int rands = (int)testrand_bits(3);
5149 if (rands > num_nonzero) rands = num_nonzero;
5150
5151 secp256k1_gej_set_infinity(&expected);
5152 secp256k1_gej_set_infinity(&gejs[0]);
5153 secp256k1_scalar_set_int(&scalars[0], 0);
5154
5155 if (g_nonzero) {
5156 /* If g_nonzero, set g_scalar to nonzero value r. */
5157 testutil_random_scalar_order_test(&g_scalar);
5158 if (!nonzero_result) {
5159 /* If expected=0 is desired, add a (a*r, -(1/a)*g) term to compensate. */
5160 CHECK(num_nonzero > filled);
5161 testutil_random_scalar_order_test(&sc_tmp);
5162 secp256k1_scalar_mul(&scalars[filled], &sc_tmp, &g_scalar);
5163 secp256k1_scalar_inverse_var(&sc_tmp, &sc_tmp);
5164 secp256k1_scalar_negate(&sc_tmp, &sc_tmp);
5165 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &gejs[filled], &sc_tmp);
5166 ++filled;
5167 ++mults;
5168 }
5169 }
5170
5171 if (nonzero_result && filled < num_nonzero) {
5172 /* If a nonzero result is desired, and there is space, add a random nonzero term. */
5173 testutil_random_scalar_order_test(&scalars[filled]);
5174 testutil_random_ge_test(&ge_tmp);
5175 secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
5176 ++filled;
5177 }
5178
5179 if (nonzero_result) {
5180 /* Compute the expected result using normal ecmult. */
5181 CHECK(filled <= 1);
5182 secp256k1_ecmult(&expected, &gejs[0], &scalars[0], &g_scalar);
5183 mults += filled + g_nonzero;
5184 }
5185
5186 /* At this point we have expected = scalar_g*G + sum(scalars[i]*gejs[i] for i=0..filled-1). */
5187 CHECK(filled <= 1 + !nonzero_result);
5188 CHECK(filled <= num_nonzero);
5189
5190 /* Add entries to scalars,gejs so that there are num of them. All the added entries
5191 * either have scalar=0 or point=infinity, so these do not change the expected result. */
5192 while (filled < num) {
5193 if (testrand_bits(1)) {
5194 secp256k1_gej_set_infinity(&gejs[filled]);
5195 testutil_random_scalar_order_test(&scalars[filled]);
5196 } else {
5197 secp256k1_scalar_set_int(&scalars[filled], 0);
5198 testutil_random_ge_test(&ge_tmp);
5199 secp256k1_gej_set_ge(&gejs[filled], &ge_tmp);
5200 }
5201 ++filled;
5202 }
5203
5204 /* Now perform cheapish transformations on gejs and scalars, for indices
5205 * 0..num_nonzero-1, which do not change the expected result, but may
5206 * convert some of them to be both non-0-scalar and non-infinity-point. */
5207 for (i = 0; i < rands; ++i) {
5208 int j;
5209 secp256k1_scalar v, iv;
5210 /* Shuffle the entries. */
5211 for (j = 0; j < num_nonzero; ++j) {
5212 int k = testrand_int(num_nonzero - j);
5213 if (k != 0) {
5214 secp256k1_gej gej = gejs[j];
5215 secp256k1_scalar sc = scalars[j];
5216 gejs[j] = gejs[j + k];
5217 scalars[j] = scalars[j + k];
5218 gejs[j + k] = gej;
5219 scalars[j + k] = sc;
5220 }
5221 }
5222 /* Perturb all consecutive pairs of inputs:
5223 * a*P + b*Q -> (a+b)*P + b*(Q-P). */
5224 for (j = 0; j + 1 < num_nonzero; j += 2) {
5225 secp256k1_gej gej;
5226 secp256k1_scalar_add(&scalars[j], &scalars[j], &scalars[j+1]);
5227 secp256k1_gej_neg(&gej, &gejs[j]);
5228 secp256k1_gej_add_var(&gejs[j+1], &gejs[j+1], &gej, NULL);
5229 }
5230 /* Transform the last input: a*P -> (v*a) * ((1/v)*P). */
5231 CHECK(num_nonzero >= 1);
5232 testutil_random_scalar_order_test(&v);
5233 secp256k1_scalar_inverse(&iv, &v);
5234 secp256k1_scalar_mul(&scalars[num_nonzero - 1], &scalars[num_nonzero - 1], &v);
5235 secp256k1_ecmult(&gejs[num_nonzero - 1], &gejs[num_nonzero - 1], &iv, NULL);
5236 ++mults;
5237 }
5238
5239 /* Shuffle all entries (0..num-1). */
5240 for (i = 0; i < num; ++i) {
5241 int j = testrand_int(num - i);
5242 if (j != 0) {
5243 secp256k1_gej gej = gejs[i];
5244 secp256k1_scalar sc = scalars[i];
5245 gejs[i] = gejs[i + j];
5246 scalars[i] = scalars[i + j];
5247 gejs[i + j] = gej;
5248 scalars[i + j] = sc;
5249 }
5250 }
5251
5252 /* Compute affine versions of all inputs. */
5253 secp256k1_ge_set_all_gej_var(ges, gejs, filled);
5254 /* Invoke ecmult_multi code. */
5255 data.sc = scalars;
5256 data.pt = ges;
5257 CHECK(ecmult_multi(&CTX->error_callback, scratch, &computed, g_scalar_ptr, ecmult_multi_callback, &data, filled));
5258 mults += num_nonzero + g_nonzero;
5259 /* Compare with expected result. */
5260 CHECK(secp256k1_gej_eq_var(&computed, &expected));
5261 return mults;
5262}
5263
5264static void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) {
5265 secp256k1_scalar sc;
5266 secp256k1_ge pt;
5267 secp256k1_gej r;
5268 ecmult_multi_data data;
5269 secp256k1_scratch *scratch_empty;
5270
5271 testutil_random_ge_test(&pt);
5272 testutil_random_scalar_order(&sc);
5273 data.sc = &sc;
5274 data.pt = &pt;
5275
5276 /* Try to multiply 1 point, but scratch space is empty.*/
5277 scratch_empty = secp256k1_scratch_create(&CTX->error_callback, 0);
5278 CHECK(!ecmult_multi(&CTX->error_callback, scratch_empty, &r, &secp256k1_scalar_zero, ecmult_multi_callback, &data, 1));
5279 secp256k1_scratch_destroy(&CTX->error_callback, scratch_empty);
5280}
5281
5282static void test_secp256k1_pippenger_bucket_window_inv(void) {
5283 int i;
5284
5285 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
5286 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
5287 /* Bucket_window of 8 is not used with endo */
5288 if (i == 8) {
5289 continue;
5290 }
5291 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
5292 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
5293 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
5294 }
5295 }
5296}
5297
5302static void test_ecmult_multi_pippenger_max_points(void) {
5303 size_t scratch_size = testrand_bits(8);
5304 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
5305 secp256k1_scratch *scratch;
5306 size_t n_points_supported;
5307 int bucket_window = 0;
5308
5309 for(; scratch_size < max_size; scratch_size+=256) {
5310 size_t i;
5311 size_t total_alloc;
5312 size_t checkpoint;
5313 scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size);
5314 CHECK(scratch != NULL);
5315 checkpoint = secp256k1_scratch_checkpoint(&CTX->error_callback, scratch);
5316 n_points_supported = secp256k1_pippenger_max_points(&CTX->error_callback, scratch);
5317 if (n_points_supported == 0) {
5318 secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5319 continue;
5320 }
5321 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
5322 /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
5323 total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
5324 for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
5325 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, 1));
5326 total_alloc--;
5327 }
5328 CHECK(secp256k1_scratch_alloc(&CTX->error_callback, scratch, total_alloc));
5329 secp256k1_scratch_apply_checkpoint(&CTX->error_callback, scratch, checkpoint);
5330 secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5331 }
5332 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
5333}
5334
5335static void test_ecmult_multi_batch_size_helper(void) {
5336 size_t n_batches, n_batch_points, max_n_batch_points, n;
5337
5338 max_n_batch_points = 0;
5339 n = 1;
5340 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
5341
5342 max_n_batch_points = 1;
5343 n = 0;
5344 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5345 CHECK(n_batches == 0);
5346 CHECK(n_batch_points == 0);
5347
5348 max_n_batch_points = 2;
5349 n = 5;
5350 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5351 CHECK(n_batches == 3);
5352 CHECK(n_batch_points == 2);
5353
5354 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
5355 n = ECMULT_MAX_POINTS_PER_BATCH;
5356 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5357 CHECK(n_batches == 1);
5358 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
5359
5360 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
5361 n = ECMULT_MAX_POINTS_PER_BATCH + 1;
5362 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5363 CHECK(n_batches == 2);
5364 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
5365
5366 max_n_batch_points = 1;
5367 n = SIZE_MAX;
5368 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5369 CHECK(n_batches == SIZE_MAX);
5370 CHECK(n_batch_points == 1);
5371
5372 max_n_batch_points = 2;
5373 n = SIZE_MAX;
5374 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
5375 CHECK(n_batches == SIZE_MAX/2 + 1);
5376 CHECK(n_batch_points == 2);
5377}
5378
5383static void test_ecmult_multi_batching(void) {
5384 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
5385 secp256k1_scalar scG;
5386 secp256k1_scalar *sc = checked_malloc(&CTX->error_callback, sizeof(secp256k1_scalar) * n_points);
5387 secp256k1_ge *pt = checked_malloc(&CTX->error_callback, sizeof(secp256k1_ge) * n_points);
5388 secp256k1_gej r;
5389 secp256k1_gej r2;
5390 ecmult_multi_data data;
5391 int i;
5392 secp256k1_scratch *scratch;
5393
5394 secp256k1_gej_set_infinity(&r2);
5395
5396 /* Get random scalars and group elements and compute result */
5397 testutil_random_scalar_order(&scG);
5398 secp256k1_ecmult(&r2, &r2, &secp256k1_scalar_zero, &scG);
5399 for(i = 0; i < n_points; i++) {
5400 secp256k1_ge ptg;
5401 secp256k1_gej ptgj;
5402 testutil_random_ge_test(&ptg);
5403 secp256k1_gej_set_ge(&ptgj, &ptg);
5404 pt[i] = ptg;
5405 testutil_random_scalar_order(&sc[i]);
5406 secp256k1_ecmult(&ptgj, &ptgj, &sc[i], NULL);
5407 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
5408 }
5409 data.sc = sc;
5410 data.pt = pt;
5411 secp256k1_gej_neg(&r2, &r2);
5412
5413 /* Test with empty scratch space. It should compute the correct result using
5414 * ecmult_mult_simple algorithm which doesn't require a scratch space. */
5415 scratch = secp256k1_scratch_create(&CTX->error_callback, 0);
5416 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5417 secp256k1_gej_add_var(&r, &r, &r2, NULL);
5418 CHECK(secp256k1_gej_is_infinity(&r));
5419 secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5420
5421 /* Test with space for 1 point in pippenger. That's not enough because
5422 * ecmult_multi selects strauss which requires more memory. It should
5423 * therefore select the simple algorithm. */
5424 scratch = secp256k1_scratch_create(&CTX->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
5425 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5426 secp256k1_gej_add_var(&r, &r, &r2, NULL);
5427 CHECK(secp256k1_gej_is_infinity(&r));
5428 secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5429
5430 for(i = 1; i <= n_points; i++) {
5431 if (i > ECMULT_PIPPENGER_THRESHOLD) {
5432 int bucket_window = secp256k1_pippenger_bucket_window(i);
5433 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
5434 scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
5435 } else {
5436 size_t scratch_size = secp256k1_strauss_scratch_size(i);
5437 scratch = secp256k1_scratch_create(&CTX->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
5438 }
5439 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
5440 secp256k1_gej_add_var(&r, &r, &r2, NULL);
5441 CHECK(secp256k1_gej_is_infinity(&r));
5442 secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5443 }
5444 free(sc);
5445 free(pt);
5446}
5447
5448static void run_ecmult_multi_tests(void) {
5449 secp256k1_scratch *scratch;
5450 int64_t todo = (int64_t)320 * COUNT;
5451
5452 test_secp256k1_pippenger_bucket_window_inv();
5453 test_ecmult_multi_pippenger_max_points();
5454 scratch = secp256k1_scratch_create(&CTX->error_callback, 819200);
5455 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
5456 test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
5457 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
5458 test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single);
5459 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
5460 test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single);
5461 while (todo > 0) {
5462 todo -= test_ecmult_multi_random(scratch);
5463 }
5464 secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5465
5466 /* Run test_ecmult_multi with space for exactly one point */
5467 scratch = secp256k1_scratch_create(&CTX->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
5468 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
5469 secp256k1_scratch_destroy(&CTX->error_callback, scratch);
5470
5471 test_ecmult_multi_batch_size_helper();
5472 test_ecmult_multi_batching();
5473}
5474
5475static void test_wnaf(const secp256k1_scalar *number, int w) {
5476 secp256k1_scalar x, two, t;
5477 int wnaf[256];
5478 int zeroes = -1;
5479 int i;
5480 int bits;
5481 secp256k1_scalar_set_int(&x, 0);
5482 secp256k1_scalar_set_int(&two, 2);
5483 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
5484 CHECK(bits <= 256);
5485 for (i = bits-1; i >= 0; i--) {
5486 int v = wnaf[i];
5487 secp256k1_scalar_mul(&x, &x, &two);
5488 if (v) {
5489 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
5490 zeroes=0;
5491 CHECK((v & 1) == 1); /* check non-zero elements are odd */
5492 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
5493 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
5494 } else {
5495 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
5496 zeroes++;
5497 }
5498 if (v >= 0) {
5499 secp256k1_scalar_set_int(&t, v);
5500 } else {
5501 secp256k1_scalar_set_int(&t, -v);
5502 secp256k1_scalar_negate(&t, &t);
5503 }
5504 secp256k1_scalar_add(&x, &x, &t);
5505 }
5506 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
5507}
5508
5509static void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
5510 secp256k1_scalar x, shift;
5511 int wnaf[256] = {0};
5512 int i;
5513 int skew;
5514 secp256k1_scalar num, unused;
5515
5516 secp256k1_scalar_set_int(&x, 0);
5517 secp256k1_scalar_set_int(&shift, 1 << w);
5518 /* Make num a 128-bit scalar. */
5519 secp256k1_scalar_split_128(&num, &unused, number);
5520 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5521
5522 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
5523 secp256k1_scalar t;
5524 int v = wnaf[i];
5525 CHECK(v == 0 || v & 1); /* check parity */
5526 CHECK(v > -(1 << w)); /* check range above */
5527 CHECK(v < (1 << w)); /* check range below */
5528
5529 secp256k1_scalar_mul(&x, &x, &shift);
5530 if (v >= 0) {
5531 secp256k1_scalar_set_int(&t, v);
5532 } else {
5533 secp256k1_scalar_set_int(&t, -v);
5534 secp256k1_scalar_negate(&t, &t);
5535 }
5536 secp256k1_scalar_add(&x, &x, &t);
5537 }
5538 /* If skew is 1 then add 1 to num */
5539 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
5540 CHECK(secp256k1_scalar_eq(&x, &num));
5541}
5542
5543/* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
5544 * rest is 0.*/
5545static void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
5546 int i;
5547 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
5548 CHECK(wnaf[i] == 0);
5549 }
5550 for (i = 7; i >= 0; --i) {
5551 CHECK(wnaf[i] == wnaf_expected[i]);
5552 }
5553}
5554
5555static void test_fixed_wnaf_small(void) {
5556 int w = 4;
5557 int wnaf[256] = {0};
5558 int i;
5559 int skew;
5560 secp256k1_scalar num;
5561
5562 secp256k1_scalar_set_int(&num, 0);
5563 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5564 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
5565 int v = wnaf[i];
5566 CHECK(v == 0);
5567 }
5568 CHECK(skew == 0);
5569
5570 secp256k1_scalar_set_int(&num, 1);
5571 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5572 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
5573 int v = wnaf[i];
5574 CHECK(v == 0);
5575 }
5576 CHECK(wnaf[0] == 1);
5577 CHECK(skew == 0);
5578
5579 {
5580 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
5581 secp256k1_scalar_set_int(&num, 0xffffffff);
5582 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5583 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5584 CHECK(skew == 0);
5585 }
5586 {
5587 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
5588 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
5589 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5590 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5591 CHECK(skew == 1);
5592 }
5593 {
5594 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
5595 secp256k1_scalar_set_int(&num, 0x01010101);
5596 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5597 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5598 CHECK(skew == 0);
5599 }
5600 {
5601 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
5602 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
5603 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
5604 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
5605 CHECK(skew == 0);
5606 }
5607}
5608
5609static void run_wnaf(void) {
5610 int i;
5611 secp256k1_scalar n;
5612
5613 /* Test 0 for fixed wnaf */
5614 test_fixed_wnaf_small();
5615 /* Random tests */
5616 for (i = 0; i < COUNT; i++) {
5617 testutil_random_scalar_order(&n);
5618 test_wnaf(&n, 4+(i%10));
5619 test_fixed_wnaf(&n, 4 + (i % 10));
5620 }
5621 secp256k1_scalar_set_int(&n, 0);
5622 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
5623 CHECK(secp256k1_scalar_is_zero(&n));
5624 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
5625 CHECK(secp256k1_scalar_is_zero(&n));
5626}
5627
5628static int test_ecmult_accumulate_cb(secp256k1_scalar* sc, secp256k1_ge* pt, size_t idx, void* data) {
5629 const secp256k1_scalar* indata = (const secp256k1_scalar*)data;
5630 *sc = *indata;
5631 *pt = secp256k1_ge_const_g;
5632 CHECK(idx == 0);
5633 return 1;
5634}
5635
5636static void test_ecmult_accumulate(secp256k1_sha256* acc, const secp256k1_scalar* x, secp256k1_scratch* scratch) {
5637 /* Compute x*G in many different ways, serialize it uncompressed, and feed it into acc. */
5638 secp256k1_gej gj, infj;
5639 secp256k1_ge r;
5640 secp256k1_gej rj[7];
5641 unsigned char bytes[65];
5642 size_t i;
5643 secp256k1_gej_set_ge(&gj, &secp256k1_ge_const_g);
5644 secp256k1_gej_set_infinity(&infj);
5645 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &rj[0], x);
5646 secp256k1_ecmult(&rj[1], &gj, x, NULL);
5647 secp256k1_ecmult(&rj[2], &gj, x, &secp256k1_scalar_zero);
5648 secp256k1_ecmult(&rj[3], &infj, &secp256k1_scalar_zero, x);
5649 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &rj[4], x, NULL, NULL, 0));
5650 CHECK(secp256k1_ecmult_multi_var(&CTX->error_callback, scratch, &rj[5], &secp256k1_scalar_zero, test_ecmult_accumulate_cb, (void*)x, 1));
5651 secp256k1_ecmult_const(&rj[6], &secp256k1_ge_const_g, x);
5652 secp256k1_ge_set_gej_var(&r, &rj[0]);
5653 for (i = 0; i < ARRAY_SIZE(rj); i++) {
5654 CHECK(secp256k1_gej_eq_ge_var(&rj[i], &r));
5655 }
5656 if (secp256k1_ge_is_infinity(&r)) {
5657 /* Store infinity as 0x00 */
5658 const unsigned char zerobyte[1] = {0};
5659 secp256k1_sha256_write(secp256k1_get_hash_context(CTX), acc, zerobyte, 1);
5660 } else {
5661 /* Store other points using their uncompressed serialization. */
5662 secp256k1_eckey_pubkey_serialize65(&r, bytes);
5663 secp256k1_sha256_write(secp256k1_get_hash_context(CTX), acc, bytes, sizeof(bytes));
5664 }
5665}
5666
5667static void test_ecmult_constants_2bit(void) {
5668 /* Using test_ecmult_accumulate, test ecmult for:
5669 * - For i in 0..36:
5670 * - Key i
5671 * - Key -i
5672 * - For i in 0..255:
5673 * - For j in 1..255 (only odd values):
5674 * - Key (j*2^i) mod order
5675 */
5676 secp256k1_scalar x;
5677 secp256k1_sha256 acc;
5678 unsigned char b32[32];
5679 int i, j;
5680 secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(CTX, 65536);
5681
5682 /* Expected hash of all the computed points; created with an independent
5683 * implementation. */
5684 static const unsigned char expected32[32] = {
5685 0xe4, 0x71, 0x1b, 0x4d, 0x14, 0x1e, 0x68, 0x48,
5686 0xb7, 0xaf, 0x47, 0x2b, 0x4c, 0xd2, 0x04, 0x14,
5687 0x3a, 0x75, 0x87, 0x60, 0x1a, 0xf9, 0x63, 0x60,
5688 0xd0, 0xcb, 0x1f, 0xaa, 0x85, 0x9a, 0xb7, 0xb4
5689 };
5690 secp256k1_sha256_initialize(&acc);
5691 for (i = 0; i <= 36; ++i) {
5692 secp256k1_scalar_set_int(&x, i);
5693 test_ecmult_accumulate(&acc, &x, scratch);
5694 secp256k1_scalar_negate(&x, &x);
5695 test_ecmult_accumulate(&acc, &x, scratch);
5696 };
5697 for (i = 0; i < 256; ++i) {
5698 for (j = 1; j < 256; j += 2) {
5699 int k;
5700 secp256k1_scalar_set_int(&x, j);
5701 for (k = 0; k < i; ++k) secp256k1_scalar_add(&x, &x, &x);
5702 test_ecmult_accumulate(&acc, &x, scratch);
5703 }
5704 }
5705 secp256k1_sha256_finalize(secp256k1_get_hash_context(CTX), &acc, b32);
5706 CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5707
5708 secp256k1_scratch_space_destroy(CTX, scratch);
5709}
5710
5711static void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char* expected32) {
5712 /* Using test_ecmult_accumulate, test ecmult for:
5713 * - Key 0
5714 * - Key 1
5715 * - Key -1
5716 * - For i in range(iter):
5717 * - Key SHA256(LE32(prefix) || LE16(i))
5718 */
5719 secp256k1_scalar x;
5720 secp256k1_sha256 acc;
5721 unsigned char b32[32];
5722 unsigned char inp[6];
5723 size_t i;
5724 const secp256k1_hash_ctx *hash_ctx = secp256k1_get_hash_context(CTX);
5725 secp256k1_scratch_space *scratch = secp256k1_scratch_space_create(CTX, 65536);
5726
5727 inp[0] = prefix & 0xFF;
5728 inp[1] = (prefix >> 8) & 0xFF;
5729 inp[2] = (prefix >> 16) & 0xFF;
5730 inp[3] = (prefix >> 24) & 0xFF;
5731 secp256k1_sha256_initialize(&acc);
5732 secp256k1_scalar_set_int(&x, 0);
5733 test_ecmult_accumulate(&acc, &x, scratch);
5734 secp256k1_scalar_set_int(&x, 1);
5735 test_ecmult_accumulate(&acc, &x, scratch);
5736 secp256k1_scalar_negate(&x, &x);
5737 test_ecmult_accumulate(&acc, &x, scratch);
5738
5739 for (i = 0; i < iter; ++i) {
5740 secp256k1_sha256 gen;
5741 inp[4] = i & 0xff;
5742 inp[5] = (i >> 8) & 0xff;
5743 secp256k1_sha256_initialize(&gen);
5744 secp256k1_sha256_write(hash_ctx, &gen, inp, sizeof(inp));
5745 secp256k1_sha256_finalize(hash_ctx, &gen, b32);
5746 secp256k1_scalar_set_b32(&x, b32, NULL);
5747 test_ecmult_accumulate(&acc, &x, scratch);
5748 }
5749 secp256k1_sha256_finalize(hash_ctx, &acc, b32);
5750 CHECK(secp256k1_memcmp_var(b32, expected32, 32) == 0);
5751
5752 secp256k1_scratch_space_destroy(CTX, scratch);
5753}
5754
5755static void run_ecmult_constants(void) {
5756 /* Expected hashes of all points in the tests below. Computed using an
5757 * independent implementation. */
5758 static const unsigned char expected32_6bit20[32] = {
5759 0x68, 0xb6, 0xed, 0x6f, 0x28, 0xca, 0xc9, 0x7f,
5760 0x8e, 0x8b, 0xd6, 0xc0, 0x61, 0x79, 0x34, 0x6e,
5761 0x5a, 0x8f, 0x2b, 0xbc, 0x3e, 0x1f, 0xc5, 0x2e,
5762 0x2a, 0xd0, 0x45, 0x67, 0x7f, 0x95, 0x95, 0x8e
5763 };
5764 static const unsigned char expected32_8bit8[32] = {
5765 0x8b, 0x65, 0x8e, 0xea, 0x86, 0xae, 0x3c, 0x95,
5766 0x90, 0xb6, 0x77, 0xa4, 0x8c, 0x76, 0xd9, 0xec,
5767 0xf5, 0xab, 0x8a, 0x2f, 0xfd, 0xdb, 0x19, 0x12,
5768 0x1a, 0xee, 0xe6, 0xb7, 0x6e, 0x05, 0x3f, 0xc6
5769 };
5770 /* For every combination of 6 bit positions out of 256, restricted to
5771 * 20-bit windows (i.e., the first and last bit position are no more than
5772 * 19 bits apart), all 64 bit patterns occur in the input scalars used in
5773 * this test. */
5774 CONDITIONAL_TEST(1, "test_ecmult_constants_sha 1024") {
5775 test_ecmult_constants_sha(4808378u, 1024, expected32_6bit20);
5776 }
5777
5778 /* For every combination of 8 consecutive bit positions, all 256 bit
5779 * patterns occur in the input scalars used in this test. */
5780 CONDITIONAL_TEST(3, "test_ecmult_constants_sha 2048") {
5781 test_ecmult_constants_sha(1607366309u, 2048, expected32_8bit8);
5782 }
5783
5784 CONDITIONAL_TEST(16, "test_ecmult_constants_2bit") {
5785 test_ecmult_constants_2bit();
5786 }
5787}
5788
5789static void test_ecmult_gen_blind(void) {
5790 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
5791 secp256k1_scalar key;
5792 secp256k1_scalar b;
5793 unsigned char seed32[32];
5794 secp256k1_gej pgej;
5795 secp256k1_gej pgej2;
5796 secp256k1_ge p;
5797 secp256k1_ge pge;
5798 testutil_random_scalar_order_test(&key);
5799 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pgej, &key);
5800 testrand256(seed32);
5801 b = CTX->ecmult_gen_ctx.scalar_offset;
5802 p = CTX->ecmult_gen_ctx.ge_offset;
5803 secp256k1_ecmult_gen_blind(&CTX->ecmult_gen_ctx, secp256k1_get_hash_context(CTX), seed32);
5804 CHECK(!secp256k1_scalar_eq(&b, &CTX->ecmult_gen_ctx.scalar_offset));
5805 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pgej2, &key);
5806 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
5807 CHECK(!secp256k1_ge_eq_var(&p, &CTX->ecmult_gen_ctx.ge_offset));
5808 secp256k1_ge_set_gej(&pge, &pgej);
5809 CHECK(secp256k1_gej_eq_ge_var(&pgej2, &pge));
5810}
5811
5812static void test_ecmult_gen_blind_reset(void) {
5813 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
5814 secp256k1_scalar b;
5815 secp256k1_ge p1, p2;
5816 secp256k1_ecmult_gen_blind(&CTX->ecmult_gen_ctx, secp256k1_get_hash_context(CTX), 0);
5817 b = CTX->ecmult_gen_ctx.scalar_offset;
5818 p1 = CTX->ecmult_gen_ctx.ge_offset;
5819 secp256k1_ecmult_gen_blind(&CTX->ecmult_gen_ctx, secp256k1_get_hash_context(CTX), 0);
5820 CHECK(secp256k1_scalar_eq(&b, &CTX->ecmult_gen_ctx.scalar_offset));
5821 p2 = CTX->ecmult_gen_ctx.ge_offset;
5822 CHECK(secp256k1_ge_eq_var(&p1, &p2));
5823}
5824
5825/* Verify that ecmult_gen for scalars gn for which gn + scalar_offset = {-1,0,1}. */
5826static void test_ecmult_gen_edge_cases(void) {
5827 int i;
5828 secp256k1_gej res1, res2, res3;
5829 secp256k1_scalar gn = secp256k1_scalar_one; /* gn = 1 */
5830 secp256k1_scalar_add(&gn, &gn, &CTX->ecmult_gen_ctx.scalar_offset); /* gn = 1 + scalar_offset */
5831 secp256k1_scalar_negate(&gn, &gn); /* gn = -1 - scalar_offset */
5832
5833 for (i = -1; i < 2; ++i) {
5834 /* Run test with gn = i - scalar_offset (so that the ecmult_gen recoded value represents i). */
5835 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &res1, &gn);
5836 secp256k1_ecmult(&res2, NULL, &secp256k1_scalar_zero, &gn);
5837 secp256k1_ecmult_const(&res3, &secp256k1_ge_const_g, &gn);
5838 CHECK(secp256k1_gej_eq_var(&res1, &res2));
5839 CHECK(secp256k1_gej_eq_var(&res1, &res3));
5840 secp256k1_scalar_add(&gn, &gn, &secp256k1_scalar_one);
5841 }
5842}
5843
5844static void run_ecmult_gen_blind(void) {
5845 int i;
5846 test_ecmult_gen_blind_reset();
5847 test_ecmult_gen_edge_cases();
5848 for (i = 0; i < 10; i++) {
5849 test_ecmult_gen_blind();
5850 }
5851}
5852
5853/***** ENDOMORPHISH TESTS *****/
5854static void test_scalar_split(const secp256k1_scalar* full) {
5855 secp256k1_scalar s, s1, slam;
5856 const unsigned char zero[32] = {0};
5857 unsigned char tmp[32];
5858
5859 secp256k1_scalar_split_lambda(&s1, &slam, full);
5860
5861 /* check slam*lambda + s1 == full */
5862 secp256k1_scalar_mul(&s, &secp256k1_const_lambda, &slam);
5863 secp256k1_scalar_add(&s, &s, &s1);
5864 CHECK(secp256k1_scalar_eq(&s, full));
5865
5866 /* check that both are <= 128 bits in size */
5867 if (secp256k1_scalar_is_high(&s1)) {
5868 secp256k1_scalar_negate(&s1, &s1);
5869 }
5870 if (secp256k1_scalar_is_high(&slam)) {
5871 secp256k1_scalar_negate(&slam, &slam);
5872 }
5873
5874 secp256k1_scalar_get_b32(tmp, &s1);
5875 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5876 secp256k1_scalar_get_b32(tmp, &slam);
5877 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
5878}
5879
5880
5881static void run_endomorphism_tests(void) {
5882 unsigned i;
5883 static secp256k1_scalar s;
5884 test_scalar_split(&secp256k1_scalar_zero);
5885 test_scalar_split(&secp256k1_scalar_one);
5886 secp256k1_scalar_negate(&s,&secp256k1_scalar_one);
5887 test_scalar_split(&s);
5888 test_scalar_split(&secp256k1_const_lambda);
5889 secp256k1_scalar_add(&s, &secp256k1_const_lambda, &secp256k1_scalar_one);
5890 test_scalar_split(&s);
5891
5892 for (i = 0; i < 100U * COUNT; ++i) {
5893 secp256k1_scalar full;
5894 testutil_random_scalar_order_test(&full);
5895 test_scalar_split(&full);
5896 }
5897 for (i = 0; i < ARRAY_SIZE(scalars_near_split_bounds); ++i) {
5898 test_scalar_split(&scalars_near_split_bounds[i]);
5899 }
5900}
5901
5902static void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
5903 unsigned char pubkeyc[65];
5904 secp256k1_pubkey pubkey;
5905 secp256k1_ge ge;
5906 size_t pubkeyclen;
5907
5908 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
5909 /* Smaller sizes are tested exhaustively elsewhere. */
5910 int32_t i;
5911 memcpy(&pubkeyc[1], input, 64);
5912 SECP256K1_CHECKMEM_UNDEFINE(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
5913 for (i = 0; i < 256; i++) {
5914 /* Try all type bytes. */
5915 int xpass;
5916 int ypass;
5917 int ysign;
5918 pubkeyc[0] = i;
5919 /* What sign does this point have? */
5920 ysign = (input[63] & 1) + 2;
5921 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
5922 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
5923 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
5924 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
5925 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
5926 if (xpass || ypass) {
5927 /* These cases must parse. */
5928 unsigned char pubkeyo[65];
5929 size_t outl;
5930 memset(&pubkey, 0, sizeof(pubkey));
5931 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5932 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 1);
5933 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5934 outl = 65;
5935 SECP256K1_CHECKMEM_UNDEFINE(pubkeyo, 65);
5936 CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
5937 SECP256K1_CHECKMEM_CHECK(pubkeyo, outl);
5938 CHECK(outl == 33);
5939 CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
5940 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
5941 if (ypass) {
5942 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
5943 CHECK(pubkeyo[0] == ysign);
5944 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 1);
5945 memset(&pubkey, 0, sizeof(pubkey));
5946 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5947 secp256k1_pubkey_save(&pubkey, &ge);
5948 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5949 outl = 65;
5950 SECP256K1_CHECKMEM_UNDEFINE(pubkeyo, 65);
5951 CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
5952 SECP256K1_CHECKMEM_CHECK(pubkeyo, outl);
5953 CHECK(outl == 65);
5954 CHECK(pubkeyo[0] == 4);
5955 CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0);
5956 }
5957 } else {
5958 /* These cases must fail to parse. */
5959 memset(&pubkey, 0xfe, sizeof(pubkey));
5960 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
5961 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 0);
5962 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
5963 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
5964 }
5965 }
5966 }
5967}
5968
5969static void run_ec_pubkey_parse_test(void) {
5970#define SECP256K1_EC_PARSE_TEST_NVALID (12)
5971 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
5972 {
5973 /* Point with leading and trailing zeros in x and y serialization. */
5974 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
5975 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5976 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
5977 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
5978 },
5979 {
5980 /* Point with x equal to a 3rd root of unity.*/
5981 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
5982 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
5983 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
5984 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
5985 },
5986 {
5987 /* Point with largest x. (1/2) */
5988 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5989 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5990 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
5991 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
5992 },
5993 {
5994 /* Point with largest x. (2/2) */
5995 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5996 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
5997 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
5998 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
5999 },
6000 {
6001 /* Point with smallest x. (1/2) */
6002 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6003 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6004 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
6005 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
6006 },
6007 {
6008 /* Point with smallest x. (2/2) */
6009 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6010 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6011 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
6012 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
6013 },
6014 {
6015 /* Point with largest y. (1/3) */
6016 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
6017 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
6018 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6019 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
6020 },
6021 {
6022 /* Point with largest y. (2/3) */
6023 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
6024 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
6025 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6026 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
6027 },
6028 {
6029 /* Point with largest y. (3/3) */
6030 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
6031 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
6032 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6033 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
6034 },
6035 {
6036 /* Point with smallest y. (1/3) */
6037 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
6038 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
6039 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6040 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6041 },
6042 {
6043 /* Point with smallest y. (2/3) */
6044 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
6045 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
6046 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6047 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6048 },
6049 {
6050 /* Point with smallest y. (3/3) */
6051 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
6052 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
6053 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6054 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
6055 }
6056 };
6057#define SECP256K1_EC_PARSE_TEST_NXVALID (4)
6058 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
6059 {
6060 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
6061 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
6062 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
6063 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6064 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
6065 },
6066 {
6067 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
6068 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
6069 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
6070 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6071 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
6072 },
6073 {
6074 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
6075 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
6076 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
6077 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6078 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
6079 },
6080 {
6081 /* x on curve, y is from y^2 = x^3 + 8. */
6082 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6083 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6084 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6085 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
6086 }
6087 };
6088#define SECP256K1_EC_PARSE_TEST_NINVALID (7)
6089 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
6090 {
6091 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
6092 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
6093 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
6094 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6095 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
6096 },
6097 {
6098 /* Valid if x overflow ignored (x = 1 mod p). */
6099 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6100 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
6101 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
6102 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
6103 },
6104 {
6105 /* Valid if x overflow ignored (x = 1 mod p). */
6106 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6107 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
6108 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
6109 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
6110 },
6111 {
6112 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
6113 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6114 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
6115 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
6116 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
6117 },
6118 {
6119 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
6120 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
6121 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
6122 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
6123 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
6124 },
6125 {
6126 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
6127 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6128 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6129 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
6130 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
6131 },
6132 {
6133 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
6134 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6135 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
6136 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
6137 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
6138 }
6139 };
6140 const unsigned char pubkeyc[66] = {
6141 /* Serialization of G. */
6142 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
6143 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
6144 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
6145 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
6146 0xB8, 0x00
6147 };
6148 unsigned char sout[65];
6149 unsigned char shortkey[2] = { 0 };
6150 secp256k1_ge ge;
6151 secp256k1_pubkey pubkey;
6152 size_t len;
6153 int32_t i;
6154
6155 /* Nothing should be reading this far into pubkeyc. */
6156 SECP256K1_CHECKMEM_UNDEFINE(&pubkeyc[65], 1);
6157 /* Zero length claimed, fail, zeroize, no illegal arg error. */
6158 memset(&pubkey, 0xfe, sizeof(pubkey));
6159 SECP256K1_CHECKMEM_UNDEFINE(shortkey, 2);
6160 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6161 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 0) == 0);
6162 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6163 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
6164 /* Length one claimed, fail, zeroize, no illegal arg error. */
6165 for (i = 0; i < 256 ; i++) {
6166 memset(&pubkey, 0xfe, sizeof(pubkey));
6167 shortkey[0] = i;
6168 SECP256K1_CHECKMEM_UNDEFINE(&shortkey[1], 1);
6169 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6170 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 1) == 0);
6171 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6172 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
6173 }
6174 /* Length two claimed, fail, zeroize, no illegal arg error. */
6175 for (i = 0; i < 65536 ; i++) {
6176 memset(&pubkey, 0xfe, sizeof(pubkey));
6177 shortkey[0] = i & 255;
6178 shortkey[1] = i >> 8;
6179 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6180 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, shortkey, 2) == 0);
6181 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6182 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
6183 }
6184 memset(&pubkey, 0xfe, sizeof(pubkey));
6185 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6186 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
6187 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 33) == 0);
6188 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6189 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
6190 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
6191 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_parse(CTX, NULL, pubkeyc, 65));
6192 /* NULL input string. Illegal arg and zeroize output. */
6193 memset(&pubkey, 0xfe, sizeof(pubkey));
6194 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6195 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_parse(CTX, &pubkey, NULL, 65));
6196 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6197 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
6198 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
6199 memset(&pubkey, 0xfe, sizeof(pubkey));
6200 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6201 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 64) == 0);
6202 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6203 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
6204 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
6205 memset(&pubkey, 0xfe, sizeof(pubkey));
6206 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6207 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 66) == 0);
6208 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6209 CHECK_ILLEGAL(CTX, secp256k1_pubkey_load(CTX, &ge, &pubkey));
6210 /* Valid parse. */
6211 memset(&pubkey, 0, sizeof(pubkey));
6212 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6213 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, 65) == 1);
6214 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_static, &pubkey, pubkeyc, 65) == 1);
6215 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6216 SECP256K1_CHECKMEM_UNDEFINE(&ge, sizeof(ge));
6217 CHECK(secp256k1_pubkey_load(CTX, &ge, &pubkey) == 1);
6218 SECP256K1_CHECKMEM_CHECK(&ge.x, sizeof(ge.x));
6219 SECP256K1_CHECKMEM_CHECK(&ge.y, sizeof(ge.y));
6220 SECP256K1_CHECKMEM_CHECK(&ge.infinity, sizeof(ge.infinity));
6221 CHECK(secp256k1_ge_eq_var(&ge, &secp256k1_ge_const_g));
6222 /* secp256k1_ec_pubkey_serialize illegal args. */
6223 len = 65;
6224 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_serialize(CTX, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED));
6225 CHECK(len == 0);
6226 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_serialize(CTX, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED));
6227 len = 65;
6228 SECP256K1_CHECKMEM_UNDEFINE(sout, 65);
6229 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_serialize(CTX, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED));
6230 SECP256K1_CHECKMEM_CHECK(sout, 65);
6231 CHECK(len == 0);
6232 len = 65;
6233 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_serialize(CTX, sout, &len, &pubkey, ~0));
6234 CHECK(len == 0);
6235 len = 65;
6236 SECP256K1_CHECKMEM_UNDEFINE(sout, 65);
6237 CHECK(secp256k1_ec_pubkey_serialize(CTX, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
6238 SECP256K1_CHECKMEM_CHECK(sout, 65);
6239 CHECK(len == 65);
6240 /* Multiple illegal args. Should still set arg error only once. */
6241 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_parse(CTX, NULL, NULL, 65));
6242 /* Try a bunch of prefabbed points with all possible encodings. */
6243 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
6244 ec_pubkey_parse_pointtest(valid[i], 1, 1);
6245 }
6246 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
6247 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
6248 }
6249 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
6250 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
6251 }
6252}
6253
6254static void run_eckey_edge_case_test(void) {
6255 const unsigned char *orderc = secp256k1_group_order_bytes;
6256 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
6257 unsigned char ctmp[33];
6258 unsigned char ctmp2[33];
6259 secp256k1_pubkey pubkey;
6260 secp256k1_pubkey pubkey2;
6261 secp256k1_pubkey pubkey_one;
6262 secp256k1_pubkey pubkey_negone;
6263 const secp256k1_pubkey *pubkeys[3];
6264 size_t len;
6265 int i;
6266 /* Group order is too large, reject. */
6267 CHECK(secp256k1_ec_seckey_verify(CTX, orderc) == 0);
6268 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6269 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, orderc) == 0);
6270 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6271 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6272 /* Maximum value is too large, reject. */
6273 memset(ctmp, 255, 32);
6274 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0);
6275 memset(&pubkey, 1, sizeof(pubkey));
6276 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6277 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6278 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6279 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6280 /* Zero is too small, reject. */
6281 memset(ctmp, 0, 32);
6282 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0);
6283 memset(&pubkey, 1, sizeof(pubkey));
6284 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6285 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6286 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6287 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6288 /* One must be accepted. */
6289 ctmp[31] = 0x01;
6290 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 1);
6291 memset(&pubkey, 0, sizeof(pubkey));
6292 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6293 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
6294 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6295 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6296 pubkey_one = pubkey;
6297 /* Group order + 1 is too large, reject. */
6298 memcpy(ctmp, orderc, 32);
6299 ctmp[31] = 0x42;
6300 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0);
6301 memset(&pubkey, 1, sizeof(pubkey));
6302 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6303 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 0);
6304 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6305 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6306 /* -1 must be accepted. */
6307 ctmp[31] = 0x40;
6308 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 1);
6309 memset(&pubkey, 0, sizeof(pubkey));
6310 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(pubkey));
6311 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, ctmp) == 1);
6312 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(pubkey));
6313 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6314 pubkey_negone = pubkey;
6315 /* Tweak of zero leaves the value unchanged. */
6316 memset(ctmp2, 0, 32);
6317 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, ctmp2) == 1);
6318 CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
6319 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
6320 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6321 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6322 /* Multiply tweak of zero zeroizes the output. */
6323 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, ctmp2) == 0);
6324 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6325 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, ctmp2) == 0);
6326 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6327 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6328 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
6329 seckey, the seckey is zeroized. */
6330 memcpy(ctmp, orderc, 32);
6331 memset(ctmp2, 0, 32);
6332 ctmp2[31] = 0x01;
6333 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp2) == 1);
6334 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 0);
6335 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, ctmp2) == 0);
6336 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6337 memcpy(ctmp, orderc, 32);
6338 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, ctmp2) == 0);
6339 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6340 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
6341 tweak, the seckey is zeroized. */
6342 memcpy(ctmp, orderc, 32);
6343 ctmp[31] = 0x40;
6344 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp, orderc) == 0);
6345 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6346 memcpy(ctmp, orderc, 32);
6347 ctmp[31] = 0x40;
6348 CHECK(secp256k1_ec_seckey_tweak_mul(CTX, ctmp, orderc) == 0);
6349 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
6350 memcpy(ctmp, orderc, 32);
6351 ctmp[31] = 0x40;
6352 /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
6353 tweak, the pubkey is zeroized. */
6354 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, orderc) == 0);
6355 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6356 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6357 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, orderc) == 0);
6358 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6359 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6360 /* If the resulting key in secp256k1_ec_seckey_tweak_add and
6361 * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
6362 * case the pubkey is zeroized. */
6363 memcpy(ctmp, orderc, 32);
6364 ctmp[31] = 0x40;
6365 memset(ctmp2, 0, 32);
6366 ctmp2[31] = 1;
6367 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp2, ctmp) == 0);
6368 CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0);
6369 ctmp2[31] = 1;
6370 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 0);
6371 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6372 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6373 /* Tweak computation wraps and results in a key of 1. */
6374 ctmp2[31] = 2;
6375 CHECK(secp256k1_ec_seckey_tweak_add(CTX, ctmp2, ctmp) == 1);
6376 CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
6377 ctmp2[31] = 2;
6378 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6379 ctmp2[31] = 1;
6380 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, ctmp2) == 1);
6381 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6382 /* Tweak mul * 2 = 1+1. */
6383 CHECK(secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2) == 1);
6384 ctmp2[31] = 2;
6385 CHECK(secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey2, ctmp2) == 1);
6386 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6387 /* Zeroize pubkey on parse error. */
6388 memset(&pubkey, 0, 32);
6389 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, ctmp2));
6390 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
6391 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
6392 memset(&pubkey2, 0, 32);
6393 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey2, ctmp2));
6394 CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0);
6395 /* Plain argument errors. */
6396 CHECK(secp256k1_ec_seckey_verify(CTX, ctmp) == 1);
6397 CHECK_ILLEGAL(CTX, secp256k1_ec_seckey_verify(CTX, NULL));
6398 memset(ctmp2, 0, 32);
6399 ctmp2[31] = 4;
6400 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_add(CTX, NULL, ctmp2));
6401 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, NULL));
6402 memset(ctmp2, 0, 32);
6403 ctmp2[31] = 4;
6404 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_mul(CTX, NULL, ctmp2));
6405 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, NULL));
6406 memset(ctmp2, 0, 32);
6407 CHECK_ILLEGAL(CTX, secp256k1_ec_seckey_tweak_add(CTX, NULL, ctmp2));
6408 CHECK_ILLEGAL(CTX, secp256k1_ec_seckey_tweak_add(CTX, ctmp, NULL));
6409 memset(ctmp2, 0, 32);
6410 ctmp2[31] = 1;
6411 CHECK_ILLEGAL(CTX, secp256k1_ec_seckey_tweak_mul(CTX, NULL, ctmp2));
6412 CHECK_ILLEGAL(CTX, secp256k1_ec_seckey_tweak_mul(CTX, ctmp, NULL));
6413 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_create(CTX, NULL, ctmp));
6414 memset(&pubkey, 1, sizeof(pubkey));
6415 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_create(CTX, &pubkey, NULL));
6416 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6417 /* secp256k1_ec_pubkey_combine tests. */
6418 pubkeys[0] = &pubkey_one;
6419 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[0], sizeof(secp256k1_pubkey *));
6420 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[1], sizeof(secp256k1_pubkey *));
6421 SECP256K1_CHECKMEM_UNDEFINE(&pubkeys[2], sizeof(secp256k1_pubkey *));
6422 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6423 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6424 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 0));
6425 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6426 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6427 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, NULL, pubkeys, 1));
6428 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6429 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6430 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6431 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, &pubkey, NULL, 1));
6432 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6433 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6434 pubkeys[0] = &pubkey_negone;
6435 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6436 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6437 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 1) == 1);
6438 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6439 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6440 len = 33;
6441 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
6442 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
6443 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
6444 /* Result is infinity. */
6445 pubkeys[0] = &pubkey_one;
6446 pubkeys[1] = &pubkey_negone;
6447 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6448 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6449 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 2) == 0);
6450 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6451 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
6452 /* Passes through infinity but comes out one. */
6453 pubkeys[2] = &pubkey_one;
6454 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6455 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6456 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 3) == 1);
6457 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6458 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6459 /* check that NULL in array of pubkey pointers is not allowed */
6460 for (i = 0; i < 3; i++) {
6461 const secp256k1_pubkey *original_ptr = pubkeys[i];
6462 secp256k1_pubkey result;
6463 pubkeys[i] = NULL;
6464 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_combine(CTX, &result, pubkeys, 3));
6465 pubkeys[i] = original_ptr;
6466 }
6467 len = 33;
6468 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
6469 CHECK(secp256k1_ec_pubkey_serialize(CTX, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
6470 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
6471 /* Adds to two. */
6472 pubkeys[1] = &pubkey_one;
6473 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
6474 SECP256K1_CHECKMEM_UNDEFINE(&pubkey, sizeof(secp256k1_pubkey));
6475 CHECK(secp256k1_ec_pubkey_combine(CTX, &pubkey, pubkeys, 2) == 1);
6476 SECP256K1_CHECKMEM_CHECK(&pubkey, sizeof(secp256k1_pubkey));
6477 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
6478}
6479
6480static void run_eckey_negate_test(void) {
6481 unsigned char seckey[32];
6482 unsigned char seckey_tmp[32];
6483
6484 testutil_random_scalar_order_b32(seckey);
6485 memcpy(seckey_tmp, seckey, 32);
6486
6487 /* Verify negation changes the key and changes it back */
6488 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
6489 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0);
6490 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 1);
6491 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6492
6493 /* Negating all 0s fails */
6494 memset(seckey, 0, 32);
6495 memset(seckey_tmp, 0, 32);
6496 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 0);
6497 /* Check that seckey is not modified */
6498 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6499
6500 /* Negating an overflowing seckey fails and the seckey is zeroed. In this
6501 * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
6502 * doesn't just set seckey to a constant value in case of failure. */
6503 testutil_random_scalar_order_b32(seckey);
6504 memset(seckey, 0xFF, 16);
6505 memset(seckey_tmp, 0, 32);
6506 CHECK(secp256k1_ec_seckey_negate(CTX, seckey) == 0);
6507 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
6508}
6509
6510static void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
6511 secp256k1_scalar nonce;
6512 do {
6513 testutil_random_scalar_order_test(&nonce);
6514 } while(!secp256k1_ecdsa_sig_sign(&CTX->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
6515}
6516
6517static void test_ecdsa_sign_verify(void) {
6518 secp256k1_gej pubj;
6519 secp256k1_ge pub;
6520 secp256k1_scalar one;
6521 secp256k1_scalar msg, key;
6522 secp256k1_scalar sigr, sigs;
6523 int getrec;
6524 int recid;
6525 testutil_random_scalar_order_test(&msg);
6526 testutil_random_scalar_order_test(&key);
6527 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &pubj, &key);
6528 secp256k1_ge_set_gej(&pub, &pubj);
6529 getrec = testrand_bits(1);
6530 /* The specific way in which this conditional is written sidesteps a potential bug in clang.
6531 See the commit messages of the commit that introduced this comment for details. */
6532 if (getrec) {
6533 random_sign(&sigr, &sigs, &key, &msg, &recid);
6534 CHECK(recid >= 0 && recid < 4);
6535 } else {
6536 random_sign(&sigr, &sigs, &key, &msg, NULL);
6537 }
6538 CHECK(secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
6539 secp256k1_scalar_set_int(&one, 1);
6540 secp256k1_scalar_add(&msg, &msg, &one);
6541 CHECK(!secp256k1_ecdsa_sig_verify(&sigr, &sigs, &pub, &msg));
6542}
6543
6544static void run_ecdsa_sign_verify(void) {
6545 int i;
6546 for (i = 0; i < 10*COUNT; i++) {
6547 test_ecdsa_sign_verify();
6548 }
6549}
6550
6552static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6553 (void)msg32;
6554 (void)key32;
6555 (void)algo16;
6556 memcpy(nonce32, data, 32);
6557 return (counter == 0);
6558}
6559
6560static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6561 /* Dummy nonce generator that has a fatal error on the first counter value. */
6562 if (counter == 0) {
6563 return 0;
6564 }
6565 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
6566}
6567
6568static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
6569 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
6570 if (counter < 3) {
6571 memset(nonce32, counter==0 ? 0 : 255, 32);
6572 if (counter == 2) {
6573 nonce32[31]--;
6574 }
6575 return 1;
6576 }
6577 if (counter < 5) {
6578 memcpy(nonce32, secp256k1_group_order_bytes, 32);
6579 if (counter == 4) {
6580 nonce32[31]++;
6581 }
6582 return 1;
6583 }
6584 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
6585 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
6586 if (counter > 5) {
6587 return 0;
6588 }
6589 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
6590}
6591
6592static int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
6593 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
6594 return secp256k1_memcmp_var(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
6595}
6596
6597static void test_ecdsa_end_to_end(void) {
6598 unsigned char extra[32] = {0x00};
6599 unsigned char privkey[32];
6600 unsigned char message[32];
6601 unsigned char privkey2[32];
6602 secp256k1_ecdsa_signature signature[6];
6603 secp256k1_scalar r, s;
6604 unsigned char sig[74];
6605 size_t siglen = 74;
6606 unsigned char pubkeyc[65];
6607 size_t pubkeyclen = 65;
6608 secp256k1_pubkey pubkey;
6609 secp256k1_pubkey pubkey_tmp;
6610 unsigned char seckey[300];
6611 size_t seckeylen = 300;
6612
6613 /* Generate a random key and message. */
6614 {
6615 secp256k1_scalar msg, key;
6616 testutil_random_scalar_order_test(&msg);
6617 testutil_random_scalar_order_test(&key);
6618 secp256k1_scalar_get_b32(privkey, &key);
6619 secp256k1_scalar_get_b32(message, &msg);
6620 }
6621
6622 /* Construct and verify corresponding public key. */
6623 CHECK(secp256k1_ec_seckey_verify(CTX, privkey) == 1);
6624 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, privkey) == 1);
6625
6626 /* Verify exporting and importing public key. */
6627 CHECK(secp256k1_ec_pubkey_serialize(CTX, pubkeyc, &pubkeyclen, &pubkey, testrand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
6628 memset(&pubkey, 0, sizeof(pubkey));
6629 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pubkeyc, pubkeyclen) == 1);
6630
6631 /* Verify negation changes the key and changes it back */
6632 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
6633 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey_tmp) == 1);
6634 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
6635 CHECK(secp256k1_ec_pubkey_negate(CTX, &pubkey_tmp) == 1);
6636 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
6637
6638 /* Verify private key import and export. */
6639 CHECK(ec_privkey_export_der(CTX, seckey, &seckeylen, privkey, testrand_bits(1) == 1));
6640 CHECK(ec_privkey_import_der(CTX, privkey2, seckey, seckeylen) == 1);
6641 CHECK(secp256k1_memcmp_var(privkey, privkey2, 32) == 0);
6642
6643 /* Optionally tweak the keys using addition. */
6644 if (testrand_int(3) == 0) {
6645 int ret1;
6646 int ret2;
6647 unsigned char rnd[32];
6648 secp256k1_pubkey pubkey2;
6649 testrand256_test(rnd);
6650 ret1 = secp256k1_ec_seckey_tweak_add(CTX, privkey, rnd);
6651 ret2 = secp256k1_ec_pubkey_tweak_add(CTX, &pubkey, rnd);
6652 CHECK(ret1 == ret2);
6653 if (ret1 == 0) {
6654 return;
6655 }
6656 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, privkey) == 1);
6657 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6658 }
6659
6660 /* Optionally tweak the keys using multiplication. */
6661 if (testrand_int(3) == 0) {
6662 int ret1;
6663 int ret2;
6664 unsigned char rnd[32];
6665 secp256k1_pubkey pubkey2;
6666 testrand256_test(rnd);
6667 ret1 = secp256k1_ec_seckey_tweak_mul(CTX, privkey, rnd);
6668 ret2 = secp256k1_ec_pubkey_tweak_mul(CTX, &pubkey, rnd);
6669 CHECK(ret1 == ret2);
6670 if (ret1 == 0) {
6671 return;
6672 }
6673 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey2, privkey) == 1);
6674 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
6675 }
6676
6677 /* Sign. */
6678 CHECK(secp256k1_ecdsa_sign(CTX, &signature[0], message, privkey, NULL, NULL) == 1);
6679 CHECK(secp256k1_ecdsa_sign(CTX, &signature[4], message, privkey, NULL, NULL) == 1);
6680 CHECK(secp256k1_ecdsa_sign(CTX, &signature[1], message, privkey, NULL, extra) == 1);
6681 extra[31] = 1;
6682 CHECK(secp256k1_ecdsa_sign(CTX, &signature[2], message, privkey, NULL, extra) == 1);
6683 extra[31] = 0;
6684 extra[0] = 1;
6685 CHECK(secp256k1_ecdsa_sign(CTX, &signature[3], message, privkey, NULL, extra) == 1);
6686 CHECK(secp256k1_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0);
6687 CHECK(secp256k1_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0);
6688 CHECK(secp256k1_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0);
6689 CHECK(secp256k1_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0);
6690 CHECK(secp256k1_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0);
6691 CHECK(secp256k1_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0);
6692 CHECK(secp256k1_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0);
6693 /* Verify. */
6694 CHECK(secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 1);
6695 CHECK(secp256k1_ecdsa_verify(CTX, &signature[1], message, &pubkey) == 1);
6696 CHECK(secp256k1_ecdsa_verify(CTX, &signature[2], message, &pubkey) == 1);
6697 CHECK(secp256k1_ecdsa_verify(CTX, &signature[3], message, &pubkey) == 1);
6698 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
6699 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[0]));
6700 secp256k1_ecdsa_signature_load(CTX, &r, &s, &signature[0]);
6701 secp256k1_scalar_negate(&s, &s);
6702 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
6703 CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 0);
6704 CHECK(secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6705 CHECK(secp256k1_ecdsa_signature_normalize(CTX, &signature[5], &signature[5]));
6706 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6707 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, &signature[5], &signature[5]));
6708 CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 1);
6709 secp256k1_scalar_negate(&s, &s);
6710 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
6711 CHECK(!secp256k1_ecdsa_signature_normalize(CTX, NULL, &signature[5]));
6712 CHECK(secp256k1_ecdsa_verify(CTX, &signature[5], message, &pubkey) == 1);
6713 CHECK(secp256k1_memcmp_var(&signature[5], &signature[0], 64) == 0);
6714
6715 /* Serialize/parse DER and verify again */
6716 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, sig, &siglen, &signature[0]) == 1);
6717 memset(&signature[0], 0, sizeof(signature[0]));
6718 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &signature[0], sig, siglen) == 1);
6719 CHECK(secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 1);
6720 /* Serialize/destroy/parse DER and verify again. */
6721 siglen = 74;
6722 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, sig, &siglen, &signature[0]) == 1);
6723 sig[testrand_int(siglen)] += 1 + testrand_int(255);
6724 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &signature[0], sig, siglen) == 0 ||
6725 secp256k1_ecdsa_verify(CTX, &signature[0], message, &pubkey) == 0);
6726}
6727
6728static void test_random_pubkeys(void) {
6729 secp256k1_ge elem;
6730 secp256k1_ge elem2;
6731 unsigned char in[65];
6732 /* Generate some randomly sized pubkeys. */
6733 size_t len = testrand_bits(2) == 0 ? 65 : 33;
6734 if (testrand_bits(2) == 0) {
6735 len = testrand_bits(6);
6736 }
6737 if (len == 65) {
6738 in[0] = testrand_bits(1) ? 4 : (testrand_bits(1) ? 6 : 7);
6739 } else {
6740 in[0] = testrand_bits(1) ? 2 : 3;
6741 }
6742 if (testrand_bits(3) == 0) {
6743 in[0] = testrand_bits(8);
6744 }
6745 if (len > 1) {
6746 testrand256(&in[1]);
6747 }
6748 if (len > 33) {
6749 testrand256(&in[33]);
6750 }
6751 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
6752 unsigned char out[65];
6753 unsigned char firstb;
6754 int res;
6755 size_t size = len;
6756 firstb = in[0];
6757 /* If the pubkey can be parsed, it should round-trip... */
6758 if (len == 33) {
6759 secp256k1_eckey_pubkey_serialize33(&elem, out);
6760 } else {
6761 secp256k1_eckey_pubkey_serialize65(&elem, out);
6762 }
6763 CHECK(secp256k1_memcmp_var(&in[1], &out[1], len-1) == 0);
6764 /* ... except for the type of hybrid inputs. */
6765 if ((in[0] != 6) && (in[0] != 7)) {
6766 CHECK(in[0] == out[0]);
6767 }
6768 size = 65;
6769 secp256k1_eckey_pubkey_serialize65(&elem, in);
6770 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
6771 CHECK(secp256k1_ge_eq_var(&elem2, &elem));
6772 /* Check that the X9.62 hybrid type is checked. */
6773 in[0] = testrand_bits(1) ? 6 : 7;
6774 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
6775 if (firstb == 2 || firstb == 3) {
6776 if (in[0] == firstb + 4) {
6777 CHECK(res);
6778 } else {
6779 CHECK(!res);
6780 }
6781 }
6782 if (res) {
6783 CHECK(secp256k1_ge_eq_var(&elem, &elem2));
6784 secp256k1_eckey_pubkey_serialize65(&elem, out);
6785 CHECK(secp256k1_memcmp_var(&in[1], &out[1], 64) == 0);
6786 }
6787 }
6788}
6789
6790static void run_pubkey_comparison(void) {
6791 unsigned char pk1_ser[33] = {
6792 0x02,
6793 0x58, 0x84, 0xb3, 0xa2, 0x4b, 0x97, 0x37, 0x88, 0x92, 0x38, 0xa6, 0x26, 0x62, 0x52, 0x35, 0x11,
6794 0xd0, 0x9a, 0xa1, 0x1b, 0x80, 0x0b, 0x5e, 0x93, 0x80, 0x26, 0x11, 0xef, 0x67, 0x4b, 0xd9, 0x23
6795 };
6796 const unsigned char pk2_ser[33] = {
6797 0x02,
6798 0xde, 0x36, 0x0e, 0x87, 0x59, 0x8f, 0x3c, 0x01, 0x36, 0x2a, 0x2a, 0xb8, 0xc6, 0xf4, 0x5e, 0x4d,
6799 0xb2, 0xc2, 0xd5, 0x03, 0xa7, 0xf9, 0xf1, 0x4f, 0xa8, 0xfa, 0x95, 0xa8, 0xe9, 0x69, 0x76, 0x1c
6800 };
6801 secp256k1_pubkey pk1;
6802 secp256k1_pubkey pk2;
6803
6804 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk1, pk1_ser, sizeof(pk1_ser)) == 1);
6805 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk2, pk2_ser, sizeof(pk2_ser)) == 1);
6806
6807 CHECK_ILLEGAL_VOID(CTX, CHECK(secp256k1_ec_pubkey_cmp(CTX, NULL, &pk2) < 0));
6808 CHECK_ILLEGAL_VOID(CTX, CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, NULL) > 0));
6809 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk2) < 0);
6810 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk1) > 0);
6811 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk1) == 0);
6812 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk2) == 0);
6813 {
6814 secp256k1_pubkey pk_tmp;
6815 memset(&pk_tmp, 0, sizeof(pk_tmp)); /* illegal pubkey */
6816 CHECK_ILLEGAL_VOID(CTX, CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk_tmp, &pk2) < 0));
6817 {
6818 int32_t ecount = 0;
6819 secp256k1_context_set_illegal_callback(CTX, counting_callback_fn, &ecount);
6820 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk_tmp, &pk_tmp) == 0);
6821 CHECK(ecount == 2);
6822 secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
6823 }
6824 CHECK_ILLEGAL_VOID(CTX, CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk_tmp) > 0));
6825 }
6826
6827 /* Make pk2 the same as pk1 but with 3 rather than 2. Note that in
6828 * an uncompressed encoding, these would have the opposite ordering */
6829 pk1_ser[0] = 3;
6830 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk2, pk1_ser, sizeof(pk1_ser)) == 1);
6831 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk1, &pk2) < 0);
6832 CHECK(secp256k1_ec_pubkey_cmp(CTX, &pk2, &pk1) > 0);
6833}
6834
6835static void test_sort_helper(secp256k1_pubkey *pk, size_t *pk_order, size_t n_pk) {
6836 size_t i;
6837 const secp256k1_pubkey *pk_test[5];
6838
6839 for (i = 0; i < n_pk; i++) {
6840 pk_test[i] = &pk[pk_order[i]];
6841 }
6842 secp256k1_ec_pubkey_sort(CTX, pk_test, n_pk);
6843 for (i = 0; i < n_pk; i++) {
6844 CHECK(secp256k1_memcmp_var(pk_test[i], &pk[i], sizeof(*pk_test[i])) == 0);
6845 }
6846}
6847
6848static void permute(size_t *arr, size_t n) {
6849 size_t i;
6850 for (i = n - 1; i >= 1; i--) {
6851 size_t tmp, j;
6852 j = testrand_int(i + 1);
6853 tmp = arr[i];
6854 arr[i] = arr[j];
6855 arr[j] = tmp;
6856 }
6857}
6858
6859static void test_sort_api(void) {
6860 secp256k1_pubkey pks[2];
6861 const secp256k1_pubkey *pks_ptr[2];
6862 int i;
6863
6864 pks_ptr[0] = &pks[0];
6865 pks_ptr[1] = &pks[1];
6866
6867 testutil_random_pubkey_test(&pks[0]);
6868 testutil_random_pubkey_test(&pks[1]);
6869
6870 CHECK(secp256k1_ec_pubkey_sort(CTX, pks_ptr, 2) == 1);
6871 /* check that NULL in array of public key pointers is not allowed */
6872 for (i = 0; i < 2; i++) {
6873 const secp256k1_pubkey *original_ptr = pks_ptr[i];
6874 pks_ptr[i] = NULL;
6875 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_sort(CTX, pks_ptr, 2));
6876 pks_ptr[i] = original_ptr;
6877 }
6878 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_sort(CTX, NULL, 2));
6879 CHECK(secp256k1_ec_pubkey_sort(CTX, pks_ptr, 0) == 1);
6880 /* Test illegal public keys */
6881 memset(&pks[0], 0, sizeof(pks[0]));
6882 CHECK_ILLEGAL_VOID(CTX, CHECK(secp256k1_ec_pubkey_sort(CTX, pks_ptr, 2) == 1));
6883 memset(&pks[1], 0, sizeof(pks[1]));
6884 {
6885 int32_t ecount = 0;
6886 secp256k1_context_set_illegal_callback(CTX, counting_callback_fn, &ecount);
6887 CHECK(secp256k1_ec_pubkey_sort(CTX, pks_ptr, 2) == 1);
6888 CHECK(ecount == 2);
6889 secp256k1_context_set_illegal_callback(CTX, NULL, NULL);
6890 }
6891}
6892
6893static void test_sort(void) {
6894 secp256k1_pubkey pk[5];
6895 unsigned char pk_ser[5][33] = {
6896 { 0x02, 0x08 },
6897 { 0x02, 0x0b },
6898 { 0x02, 0x0c },
6899 { 0x03, 0x05 },
6900 { 0x03, 0x0a },
6901 };
6902 int i;
6903 size_t pk_order[5] = { 0, 1, 2, 3, 4 };
6904
6905 for (i = 0; i < 5; i++) {
6906 CHECK(secp256k1_ec_pubkey_parse(CTX, &pk[i], pk_ser[i], sizeof(pk_ser[i])));
6907 }
6908
6909 permute(pk_order, 1);
6910 test_sort_helper(pk, pk_order, 1);
6911 permute(pk_order, 2);
6912 test_sort_helper(pk, pk_order, 2);
6913 permute(pk_order, 3);
6914 test_sort_helper(pk, pk_order, 3);
6915 for (i = 0; i < COUNT; i++) {
6916 permute(pk_order, 4);
6917 test_sort_helper(pk, pk_order, 4);
6918 }
6919 for (i = 0; i < COUNT; i++) {
6920 permute(pk_order, 5);
6921 test_sort_helper(pk, pk_order, 5);
6922 }
6923 /* Check that sorting also works for random pubkeys */
6924 for (i = 0; i < COUNT; i++) {
6925 int j;
6926 const secp256k1_pubkey *pk_ptr[5];
6927 for (j = 0; j < 5; j++) {
6928 testutil_random_pubkey_test(&pk[j]);
6929 pk_ptr[j] = &pk[j];
6930 }
6931 secp256k1_ec_pubkey_sort(CTX, pk_ptr, 5);
6932 for (j = 1; j < 5; j++) {
6933 CHECK(secp256k1_ec_pubkey_sort_cmp(&pk_ptr[j - 1], &pk_ptr[j], CTX) <= 0);
6934 }
6935 }
6936}
6937
6938/* Test vectors from BIP-MuSig2 */
6939static void test_sort_vectors(void) {
6940 enum { N_PUBKEYS = 6 };
6941 unsigned char pk_ser[N_PUBKEYS][33] = {
6942 { 0x02, 0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13, 0x12, 0x1F,
6943 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC, 0x01, 0x39, 0x71, 0x53, 0x09,
6944 0xB0, 0x86, 0xC9, 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8 },
6945 { 0x02, 0xF9, 0x30, 0x8A, 0x01, 0x92, 0x58, 0xC3, 0x10, 0x49, 0x34,
6946 0x4F, 0x85, 0xF8, 0x9D, 0x52, 0x29, 0xB5, 0x31, 0xC8, 0x45, 0x83,
6947 0x6F, 0x99, 0xB0, 0x86, 0x01, 0xF1, 0x13, 0xBC, 0xE0, 0x36, 0xF9 },
6948 { 0x03, 0xDF, 0xF1, 0xD7, 0x7F, 0x2A, 0x67, 0x1C, 0x5F, 0x36, 0x18,
6949 0x37, 0x26, 0xDB, 0x23, 0x41, 0xBE, 0x58, 0xFE, 0xAE, 0x1D, 0xA2,
6950 0xDE, 0xCE, 0xD8, 0x43, 0x24, 0x0F, 0x7B, 0x50, 0x2B, 0xA6, 0x59 },
6951 { 0x02, 0x35, 0x90, 0xA9, 0x4E, 0x76, 0x8F, 0x8E, 0x18, 0x15, 0xC2,
6952 0xF2, 0x4B, 0x4D, 0x80, 0xA8, 0xE3, 0x14, 0x93, 0x16, 0xC3, 0x51,
6953 0x8C, 0xE7, 0xB7, 0xAD, 0x33, 0x83, 0x68, 0xD0, 0x38, 0xCA, 0x66 },
6954 { 0x02, 0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13, 0x12, 0x1F,
6955 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC, 0x01, 0x39, 0x71, 0x53, 0x09,
6956 0xB0, 0x86, 0xC9, 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xFF },
6957 { 0x02, 0xDD, 0x30, 0x8A, 0xFE, 0xC5, 0x77, 0x7E, 0x13, 0x12, 0x1F,
6958 0xA7, 0x2B, 0x9C, 0xC1, 0xB7, 0xCC, 0x01, 0x39, 0x71, 0x53, 0x09,
6959 0xB0, 0x86, 0xC9, 0x60, 0xE1, 0x8F, 0xD9, 0x69, 0x77, 0x4E, 0xB8 }
6960 };
6961 secp256k1_pubkey pubkeys[N_PUBKEYS];
6962 secp256k1_pubkey *sorted[N_PUBKEYS];
6963 const secp256k1_pubkey *pks_ptr[N_PUBKEYS];
6964 int i;
6965
6966 sorted[0] = &pubkeys[3];
6967 sorted[1] = &pubkeys[0];
6968 sorted[2] = &pubkeys[0];
6969 sorted[3] = &pubkeys[4];
6970 sorted[4] = &pubkeys[1];
6971 sorted[5] = &pubkeys[2];
6972
6973 for (i = 0; i < N_PUBKEYS; i++) {
6974 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkeys[i], pk_ser[i], sizeof(pk_ser[i])));
6975 pks_ptr[i] = &pubkeys[i];
6976 }
6977 CHECK(secp256k1_ec_pubkey_sort(CTX, pks_ptr, N_PUBKEYS) == 1);
6978 for (i = 0; i < N_PUBKEYS; i++) {
6979 CHECK(secp256k1_memcmp_var(pks_ptr[i], sorted[i], sizeof(secp256k1_pubkey)) == 0);
6980 }
6981}
6982
6983static void run_pubkey_sort(void) {
6984 test_sort_api();
6985 test_sort();
6986 test_sort_vectors();
6987}
6988
6989
6990static void run_random_pubkeys(void) {
6991 int i;
6992 for (i = 0; i < 10*COUNT; i++) {
6993 test_random_pubkeys();
6994 }
6995}
6996
6997static void run_ecdsa_end_to_end(void) {
6998 int i;
6999 for (i = 0; i < 64*COUNT; i++) {
7000 test_ecdsa_end_to_end();
7001 }
7002}
7003
7004static int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
7005 static const unsigned char zeroes[32] = {0};
7006
7007 int ret = 0;
7008
7009 secp256k1_ecdsa_signature sig_der;
7010 unsigned char roundtrip_der[2048];
7011 unsigned char compact_der[64];
7012 size_t len_der = 2048;
7013 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
7014
7015 secp256k1_ecdsa_signature sig_der_lax;
7016 unsigned char roundtrip_der_lax[2048];
7017 unsigned char compact_der_lax[64];
7018 size_t len_der_lax = 2048;
7019 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
7020
7021 parsed_der = secp256k1_ecdsa_signature_parse_der(CTX, &sig_der, sig, siglen);
7022 if (parsed_der) {
7023 ret |= (!secp256k1_ecdsa_signature_serialize_compact(CTX, compact_der, &sig_der)) << 0;
7024 valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0);
7025 }
7026 if (valid_der) {
7027 ret |= (!secp256k1_ecdsa_signature_serialize_der(CTX, roundtrip_der, &len_der, &sig_der)) << 1;
7028 roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0;
7029 }
7030
7031 parsed_der_lax = ecdsa_signature_parse_der_lax(CTX, &sig_der_lax, sig, siglen);
7032 if (parsed_der_lax) {
7033 ret |= (!secp256k1_ecdsa_signature_serialize_compact(CTX, compact_der_lax, &sig_der_lax)) << 10;
7034 valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0);
7035 }
7036 if (valid_der_lax) {
7037 ret |= (!secp256k1_ecdsa_signature_serialize_der(CTX, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
7038 roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0;
7039 }
7040
7041 if (certainly_der) {
7042 ret |= (!parsed_der) << 2;
7043 }
7044 if (certainly_not_der) {
7045 ret |= (parsed_der) << 17;
7046 }
7047 if (valid_der) {
7048 ret |= (!roundtrips_der) << 3;
7049 }
7050
7051 if (valid_der) {
7052 ret |= (!roundtrips_der_lax) << 12;
7053 ret |= (len_der != len_der_lax) << 13;
7054 ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
7055 }
7056 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
7057 if (parsed_der) {
7058 ret |= (!parsed_der_lax) << 16;
7059 }
7060
7061 return ret;
7062}
7063
7064static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
7065 size_t i;
7066 for (i = 0; i < ptrlen; i++) {
7067 int shift = ptrlen - 1 - i;
7068 if (shift >= 4) {
7069 ptr[i] = 0;
7070 } else {
7071 ptr[i] = (val >> shift) & 0xFF;
7072 }
7073 }
7074}
7075
7076static void damage_array(unsigned char *sig, size_t *len) {
7077 int pos;
7078 int action = testrand_bits(3);
7079 if (action < 1 && *len > 3) {
7080 /* Delete a byte. */
7081 pos = testrand_int(*len);
7082 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
7083 (*len)--;
7084 return;
7085 } else if (action < 2 && *len < 2048) {
7086 /* Insert a byte. */
7087 pos = testrand_int(1 + *len);
7088 memmove(sig + pos + 1, sig + pos, *len - pos);
7089 sig[pos] = testrand_bits(8);
7090 (*len)++;
7091 return;
7092 } else if (action < 4) {
7093 /* Modify a byte. */
7094 sig[testrand_int(*len)] += 1 + testrand_int(255);
7095 return;
7096 } else { /* action < 8 */
7097 /* Modify a bit. */
7098 sig[testrand_int(*len)] ^= 1 << testrand_bits(3);
7099 return;
7100 }
7101}
7102
7103static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
7104 int der;
7105 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
7106 size_t tlen, elen, glen;
7107 int indet;
7108 int n;
7109
7110 *len = 0;
7111 der = testrand_bits(2) == 0;
7112 *certainly_der = der;
7113 *certainly_not_der = 0;
7114 indet = der ? 0 : testrand_int(10) == 0;
7115
7116 for (n = 0; n < 2; n++) {
7117 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
7118 nlow[n] = der ? 1 : (testrand_bits(3) != 0);
7119 /* The length of the number in bytes (the first byte of which will always be nonzero) */
7120 nlen[n] = nlow[n] ? testrand_int(33) : 32 + testrand_int(200) * testrand_bits(3) / 8;
7121 CHECK(nlen[n] <= 232);
7122 /* The top bit of the number. */
7123 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : testrand_bits(1));
7124 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
7125 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + testrand_bits(7) : 1 + testrand_int(127));
7126 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
7127 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? testrand_int(3) : testrand_int(300 - nlen[n]) * testrand_bits(3) / 8);
7128 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
7129 *certainly_not_der = 1;
7130 }
7131 CHECK(nlen[n] + nzlen[n] <= 300);
7132 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
7133 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
7134 if (!der) {
7135 /* nlenlen[n] max 127 bytes */
7136 int add = testrand_int(127 - nlenlen[n]) * testrand_bits(4) * testrand_bits(4) / 256;
7137 nlenlen[n] += add;
7138 if (add != 0) {
7139 *certainly_not_der = 1;
7140 }
7141 }
7142 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
7143 }
7144
7145 /* The total length of the data to go, so far */
7146 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
7147 CHECK(tlen <= 856);
7148
7149 /* The length of the garbage inside the tuple. */
7150 elen = (der || indet) ? 0 : testrand_int(980 - tlen) * testrand_bits(3) / 8;
7151 if (elen != 0) {
7152 *certainly_not_der = 1;
7153 }
7154 tlen += elen;
7155 CHECK(tlen <= 980);
7156
7157 /* The length of the garbage after the end of the tuple. */
7158 glen = der ? 0 : testrand_int(990 - tlen) * testrand_bits(3) / 8;
7159 if (glen != 0) {
7160 *certainly_not_der = 1;
7161 }
7162 CHECK(tlen + glen <= 990);
7163
7164 /* Write the tuple header. */
7165 sig[(*len)++] = 0x30;
7166 if (indet) {
7167 /* Indeterminate length */
7168 sig[(*len)++] = 0x80;
7169 *certainly_not_der = 1;
7170 } else {
7171 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
7172 if (!der) {
7173 int add = testrand_int(127 - tlenlen) * testrand_bits(4) * testrand_bits(4) / 256;
7174 tlenlen += add;
7175 if (add != 0) {
7176 *certainly_not_der = 1;
7177 }
7178 }
7179 if (tlenlen == 0) {
7180 /* Short length notation */
7181 sig[(*len)++] = tlen;
7182 } else {
7183 /* Long length notation */
7184 sig[(*len)++] = 128 + tlenlen;
7185 assign_big_endian(sig + *len, tlenlen, tlen);
7186 *len += tlenlen;
7187 }
7188 tlen += tlenlen;
7189 }
7190 tlen += 2;
7191 CHECK(tlen + glen <= 1119);
7192
7193 for (n = 0; n < 2; n++) {
7194 /* Write the integer header. */
7195 sig[(*len)++] = 0x02;
7196 if (nlenlen[n] == 0) {
7197 /* Short length notation */
7198 sig[(*len)++] = nlen[n] + nzlen[n];
7199 } else {
7200 /* Long length notation. */
7201 sig[(*len)++] = 128 + nlenlen[n];
7202 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
7203 *len += nlenlen[n];
7204 }
7205 /* Write zero padding */
7206 while (nzlen[n] > 0) {
7207 sig[(*len)++] = 0x00;
7208 nzlen[n]--;
7209 }
7210 if (nlen[n] == 32 && !nlow[n]) {
7211 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
7212 int i;
7213 for (i = 0; i < 16; i++) {
7214 sig[(*len)++] = 0xFF;
7215 }
7216 nlen[n] -= 16;
7217 }
7218 /* Write first byte of number */
7219 if (nlen[n] > 0) {
7220 sig[(*len)++] = nhbyte[n];
7221 nlen[n]--;
7222 }
7223 /* Generate remaining random bytes of number */
7224 testrand_bytes_test(sig + *len, nlen[n]);
7225 *len += nlen[n];
7226 nlen[n] = 0;
7227 }
7228
7229 /* Generate random garbage inside tuple. */
7230 testrand_bytes_test(sig + *len, elen);
7231 *len += elen;
7232
7233 /* Generate end-of-contents bytes. */
7234 if (indet) {
7235 sig[(*len)++] = 0;
7236 sig[(*len)++] = 0;
7237 tlen += 2;
7238 }
7239 CHECK(tlen + glen <= 1121);
7240
7241 /* Generate random garbage outside tuple. */
7242 testrand_bytes_test(sig + *len, glen);
7243 *len += glen;
7244 tlen += glen;
7245 CHECK(tlen <= 1121);
7246 CHECK(tlen == *len);
7247}
7248
7249static void run_ecdsa_der_parse(void) {
7250 int i,j;
7251 for (i = 0; i < 200 * COUNT; i++) {
7252 unsigned char buffer[2048];
7253 size_t buflen = 0;
7254 int certainly_der = 0;
7255 int certainly_not_der = 0;
7256 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
7257 CHECK(buflen <= 2048);
7258 for (j = 0; j < 16; j++) {
7259 int ret = 0;
7260 if (j > 0) {
7261 damage_array(buffer, &buflen);
7262 /* We don't know anything anymore about the DERness of the result */
7263 certainly_der = 0;
7264 certainly_not_der = 0;
7265 }
7266 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
7267 if (ret != 0) {
7268 size_t k;
7269 fprintf(stderr, "Failure %x on ", ret);
7270 for (k = 0; k < buflen; k++) {
7271 fprintf(stderr, "%02x ", buffer[k]);
7272 }
7273 fprintf(stderr, "\n");
7274 }
7275 CHECK(ret == 0);
7276 }
7277 }
7278}
7279
7280/* Tests several edge cases. */
7281static void run_ecdsa_edge_cases(void) {
7282 int t;
7283 secp256k1_ecdsa_signature sig;
7284
7285 /* Test the case where ECDSA recomputes a point that is infinity. */
7286 {
7287 secp256k1_gej keyj;
7288 secp256k1_ge key;
7289 secp256k1_scalar msg;
7290 secp256k1_scalar sr, ss;
7291 secp256k1_scalar_set_int(&ss, 1);
7292 secp256k1_scalar_negate(&ss, &ss);
7293 secp256k1_scalar_inverse(&ss, &ss);
7294 secp256k1_scalar_set_int(&sr, 1);
7295 secp256k1_ecmult_gen(&CTX->ecmult_gen_ctx, &keyj, &sr);
7296 secp256k1_ge_set_gej(&key, &keyj);
7297 msg = ss;
7298 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7299 }
7300
7301 /* Verify signature with r of zero fails. */
7302 {
7303 const unsigned char pubkey_mods_zero[33] = {
7304 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7305 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7306 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
7307 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
7308 0x41
7309 };
7310 secp256k1_ge key;
7311 secp256k1_scalar msg;
7312 secp256k1_scalar sr, ss;
7313 secp256k1_scalar_set_int(&ss, 1);
7314 secp256k1_scalar_set_int(&msg, 0);
7315 secp256k1_scalar_set_int(&sr, 0);
7316 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
7317 CHECK(secp256k1_ecdsa_sig_verify( &sr, &ss, &key, &msg) == 0);
7318 }
7319
7320 /* Verify signature with s of zero fails. */
7321 {
7322 const unsigned char pubkey[33] = {
7323 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7324 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7325 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7326 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7327 0x01
7328 };
7329 secp256k1_ge key;
7330 secp256k1_scalar msg;
7331 secp256k1_scalar sr, ss;
7332 secp256k1_scalar_set_int(&ss, 0);
7333 secp256k1_scalar_set_int(&msg, 0);
7334 secp256k1_scalar_set_int(&sr, 1);
7335 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7336 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7337 }
7338
7339 /* Verify signature with message 0 passes. */
7340 {
7341 const unsigned char pubkey[33] = {
7342 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7343 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7344 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7345 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7346 0x02
7347 };
7348 const unsigned char pubkey2[33] = {
7349 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7350 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
7351 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
7352 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
7353 0x43
7354 };
7355 secp256k1_ge key;
7356 secp256k1_ge key2;
7357 secp256k1_scalar msg;
7358 secp256k1_scalar sr, ss;
7359 secp256k1_scalar_set_int(&ss, 2);
7360 secp256k1_scalar_set_int(&msg, 0);
7361 secp256k1_scalar_set_int(&sr, 2);
7362 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7363 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
7364 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7365 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7366 secp256k1_scalar_negate(&ss, &ss);
7367 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7368 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7369 secp256k1_scalar_set_int(&ss, 1);
7370 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7371 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
7372 }
7373
7374 /* Verify signature with message 1 passes. */
7375 {
7376 const unsigned char pubkey[33] = {
7377 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
7378 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
7379 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
7380 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
7381 0x25
7382 };
7383 const unsigned char pubkey2[33] = {
7384 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
7385 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
7386 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
7387 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
7388 0x62
7389 };
7390 const unsigned char csr[32] = {
7391 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7392 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7393 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
7394 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
7395 };
7396 secp256k1_ge key;
7397 secp256k1_ge key2;
7398 secp256k1_scalar msg;
7399 secp256k1_scalar sr, ss;
7400 secp256k1_scalar_set_int(&ss, 1);
7401 secp256k1_scalar_set_int(&msg, 1);
7402 secp256k1_scalar_set_b32(&sr, csr, NULL);
7403 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7404 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
7405 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7406 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7407 secp256k1_scalar_negate(&ss, &ss);
7408 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7409 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 1);
7410 secp256k1_scalar_set_int(&ss, 2);
7411 secp256k1_scalar_inverse_var(&ss, &ss);
7412 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7413 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key2, &msg) == 0);
7414 }
7415
7416 /* Verify signature with message -1 passes. */
7417 {
7418 const unsigned char pubkey[33] = {
7419 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
7420 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
7421 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
7422 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
7423 0xf1
7424 };
7425 const unsigned char csr[32] = {
7426 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7427 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7428 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
7429 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
7430 };
7431 secp256k1_ge key;
7432 secp256k1_scalar msg;
7433 secp256k1_scalar sr, ss;
7434 secp256k1_scalar_set_int(&ss, 1);
7435 secp256k1_scalar_set_int(&msg, 1);
7436 secp256k1_scalar_negate(&msg, &msg);
7437 secp256k1_scalar_set_b32(&sr, csr, NULL);
7438 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
7439 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7440 secp256k1_scalar_negate(&ss, &ss);
7441 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 1);
7442 secp256k1_scalar_set_int(&ss, 3);
7443 secp256k1_scalar_inverse_var(&ss, &ss);
7444 CHECK(secp256k1_ecdsa_sig_verify(&sr, &ss, &key, &msg) == 0);
7445 }
7446
7447 /* Signature where s would be zero. */
7448 {
7449 secp256k1_pubkey pubkey;
7450 size_t siglen;
7451 unsigned char signature[72];
7452 static const unsigned char nonce[32] = {
7453 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7454 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7455 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7456 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7457 };
7458 static const unsigned char nonce2[32] = {
7459 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
7460 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
7461 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
7462 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
7463 };
7464 const unsigned char key[32] = {
7465 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7466 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7467 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
7468 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
7469 };
7470 unsigned char msg[32] = {
7471 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
7472 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
7473 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
7474 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
7475 };
7476 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
7477 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
7478 msg[31] = 0xaa;
7479 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
7480 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_sign(CTX, NULL, msg, key, precomputed_nonce_function, nonce2));
7481 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_sign(CTX, &sig, NULL, key, precomputed_nonce_function, nonce2));
7482 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_sign(CTX, &sig, msg, NULL, precomputed_nonce_function, nonce2));
7483 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
7484 CHECK(secp256k1_ec_pubkey_create(CTX, &pubkey, key) == 1);
7485 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, NULL, msg, &pubkey));
7486 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, &sig, NULL, &pubkey));
7487 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, &sig, msg, NULL));
7488 CHECK(secp256k1_ecdsa_verify(CTX, &sig, msg, &pubkey) == 1);
7489 CHECK_ILLEGAL(CTX, secp256k1_ec_pubkey_create(CTX, &pubkey, NULL));
7490 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
7491 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_verify(CTX, &sig, msg, &pubkey));
7492 siglen = 72;
7493 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_serialize_der(CTX, NULL, &siglen, &sig));
7494 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_serialize_der(CTX, signature, NULL, &sig));
7495 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, NULL));
7496 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, &sig) == 1);
7497 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_parse_der(CTX, NULL, signature, siglen));
7498 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_parse_der(CTX, &sig, NULL, siglen));
7499 CHECK(secp256k1_ecdsa_signature_parse_der(CTX, &sig, signature, siglen) == 1);
7500 siglen = 10;
7501 /* Too little room for a signature does not fail via ARGCHECK. */
7502 CHECK(secp256k1_ecdsa_signature_serialize_der(CTX, signature, &siglen, &sig) == 0);
7503 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_normalize(CTX, NULL, NULL));
7504 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_serialize_compact(CTX, NULL, &sig));
7505 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_serialize_compact(CTX, signature, NULL));
7506 CHECK(secp256k1_ecdsa_signature_serialize_compact(CTX, signature, &sig) == 1);
7507 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_parse_compact(CTX, NULL, signature));
7508 CHECK_ILLEGAL(CTX, secp256k1_ecdsa_signature_parse_compact(CTX, &sig, NULL));
7509 CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &sig, signature) == 1);
7510 memset(signature, 255, 64);
7511 CHECK(secp256k1_ecdsa_signature_parse_compact(CTX, &sig, signature) == 0);
7512 }
7513
7514 /* Nonce function corner cases. */
7515 for (t = 0; t < 2; t++) {
7516 static const unsigned char zero[32] = {0x00};
7517 int i;
7518 unsigned char key[32];
7519 unsigned char msg[32];
7520 secp256k1_ecdsa_signature sig2;
7521 secp256k1_scalar sr[512], ss;
7522 const unsigned char *extra;
7523 extra = t == 0 ? NULL : zero;
7524 memset(msg, 0, 32);
7525 msg[31] = 1;
7526 /* High key results in signature failure. */
7527 memset(key, 0xFF, 32);
7528 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, NULL, extra) == 0);
7529 CHECK(is_empty_signature(&sig));
7530 /* Zero key results in signature failure. */
7531 memset(key, 0, 32);
7532 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, NULL, extra) == 0);
7533 CHECK(is_empty_signature(&sig));
7534 /* Nonce function failure results in signature failure. */
7535 key[31] = 1;
7536 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, nonce_function_test_fail, extra) == 0);
7537 CHECK(is_empty_signature(&sig));
7538 /* The retry loop successfully makes its way to the first good value. */
7539 CHECK(secp256k1_ecdsa_sign(CTX, &sig, msg, key, nonce_function_test_retry, extra) == 1);
7540 CHECK(!is_empty_signature(&sig));
7541 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
7542 CHECK(!is_empty_signature(&sig2));
7543 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
7544 /* The default nonce function is deterministic. */
7545 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7546 CHECK(!is_empty_signature(&sig2));
7547 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
7548 /* The default nonce function changes output with different messages. */
7549 for(i = 0; i < 256; i++) {
7550 int j;
7551 msg[0] = i;
7552 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7553 CHECK(!is_empty_signature(&sig2));
7554 secp256k1_ecdsa_signature_load(CTX, &sr[i], &ss, &sig2);
7555 for (j = 0; j < i; j++) {
7556 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
7557 }
7558 }
7559 msg[0] = 0;
7560 msg[31] = 2;
7561 /* The default nonce function changes output with different keys. */
7562 for(i = 256; i < 512; i++) {
7563 int j;
7564 key[0] = i - 256;
7565 CHECK(secp256k1_ecdsa_sign(CTX, &sig2, msg, key, NULL, extra) == 1);
7566 CHECK(!is_empty_signature(&sig2));
7567 secp256k1_ecdsa_signature_load(CTX, &sr[i], &ss, &sig2);
7568 for (j = 0; j < i; j++) {
7569 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
7570 }
7571 }
7572 key[0] = 0;
7573 }
7574
7575 {
7576 /* Check that optional nonce arguments do not have equivalent effect. */
7577 const unsigned char zeros[32] = {0};
7578 unsigned char nonce[32];
7579 unsigned char nonce2[32];
7580 unsigned char nonce3[32];
7581 unsigned char nonce4[32];
7582 SECP256K1_CHECKMEM_UNDEFINE(nonce,32);
7583 SECP256K1_CHECKMEM_UNDEFINE(nonce2,32);
7584 SECP256K1_CHECKMEM_UNDEFINE(nonce3,32);
7585 SECP256K1_CHECKMEM_UNDEFINE(nonce4,32);
7586 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
7587 SECP256K1_CHECKMEM_CHECK(nonce,32);
7588 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
7589 SECP256K1_CHECKMEM_CHECK(nonce2,32);
7590 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
7591 SECP256K1_CHECKMEM_CHECK(nonce3,32);
7592 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
7593 SECP256K1_CHECKMEM_CHECK(nonce4,32);
7594 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
7595 CHECK(secp256k1_memcmp_var(nonce, nonce3, 32) != 0);
7596 CHECK(secp256k1_memcmp_var(nonce, nonce4, 32) != 0);
7597 CHECK(secp256k1_memcmp_var(nonce2, nonce3, 32) != 0);
7598 CHECK(secp256k1_memcmp_var(nonce2, nonce4, 32) != 0);
7599 CHECK(secp256k1_memcmp_var(nonce3, nonce4, 32) != 0);
7600 }
7601
7602
7603 /* Privkey export where pubkey is the point at infinity. */
7604 {
7605 unsigned char privkey[300];
7606 const unsigned char *seckey = secp256k1_group_order_bytes;
7607 size_t outlen = 300;
7608 CHECK(!ec_privkey_export_der(CTX, privkey, &outlen, seckey, 0));
7609 outlen = 300;
7610 CHECK(!ec_privkey_export_der(CTX, privkey, &outlen, seckey, 1));
7611 }
7612}
7613
7614DEFINE_SHA256_TRANSFORM_PROBE(sha256_ecdsa)
7615static void ecdsa_ctx_sha256(void) {
7616 /* Check ctx-provided SHA256 compression override takes effect */
7617 secp256k1_context *ctx = secp256k1_context_clone(CTX);
7618 secp256k1_ecdsa_signature out_default, out_custom;
7619 unsigned char sk[32] = {1}, msg32[32] = {1};
7620
7621 /* Default behavior. No ctx-provided SHA256 compression */
7622 CHECK(secp256k1_ecdsa_sign(ctx, &out_default, msg32, sk, NULL, NULL));
7623 CHECK(!sha256_ecdsa_called);
7624
7625 /* Override SHA256 compression directly, bypassing the ctx setter sanity checks */
7626 ctx->hash_ctx.fn_sha256_compression = sha256_ecdsa;
7627 CHECK(secp256k1_ecdsa_sign(ctx, &out_custom, msg32, sk, NULL, NULL));
7628 CHECK(sha256_ecdsa_called);
7629 /* Outputs must differ if custom compression was used */
7630 CHECK(secp256k1_memcmp_var(out_default.data, out_custom.data, 64) != 0);
7631
7632 secp256k1_context_destroy(ctx);
7633}
7634
7639static void test_ecdsa_wycheproof(void) {
7640 #include "wycheproof/ecdsa_secp256k1_sha256_bitcoin_test.h"
7641
7642 int t;
7643 const secp256k1_hash_ctx *hash_ctx = secp256k1_get_hash_context(CTX);
7644 for (t = 0; t < SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS; t++) {
7645 secp256k1_ecdsa_signature signature;
7646 secp256k1_sha256 hasher;
7647 secp256k1_pubkey pubkey;
7648 const unsigned char *msg, *sig, *pk;
7649 unsigned char out[32] = {0};
7650 int actual_verify = 0;
7651
7652 memset(&pubkey, 0, sizeof(pubkey));
7653 pk = &wycheproof_ecdsa_public_keys[testvectors[t].pk_offset];
7654 CHECK(secp256k1_ec_pubkey_parse(CTX, &pubkey, pk, 65) == 1);
7655
7656 secp256k1_sha256_initialize(&hasher);
7657 msg = &wycheproof_ecdsa_messages[testvectors[t].msg_offset];
7658 secp256k1_sha256_write(hash_ctx, &hasher, msg, testvectors[t].msg_len);
7659 secp256k1_sha256_finalize(hash_ctx, &hasher, out);
7660
7661 sig = &wycheproof_ecdsa_signatures[testvectors[t].sig_offset];
7662 if (secp256k1_ecdsa_signature_parse_der(CTX, &signature, sig, testvectors[t].sig_len) == 1) {
7663 actual_verify = secp256k1_ecdsa_verify(CTX, (const secp256k1_ecdsa_signature *)&signature, out, &pubkey);
7664 }
7665 CHECK(testvectors[t].expected_verify == actual_verify);
7666 }
7667}
7668
7669/* Tests cases from Wycheproof test suite. */
7670static void run_ecdsa_wycheproof(void) {
7671 test_ecdsa_wycheproof();
7672}
7673
7674#ifdef ENABLE_MODULE_ECDH
7675# include "modules/ecdh/tests_impl.h"
7676#endif
7677
7678#ifdef ENABLE_MODULE_RECOVERY
7679# include "modules/recovery/tests_impl.h"
7680#endif
7681
7682#ifdef ENABLE_MODULE_EXTRAKEYS
7683# include "modules/extrakeys/tests_impl.h"
7684#endif
7685
7686#ifdef ENABLE_MODULE_SCHNORRSIG
7687# include "modules/schnorrsig/tests_impl.h"
7688#endif
7689
7690#ifdef ENABLE_MODULE_MUSIG
7691# include "modules/musig/tests_impl.h"
7692#endif
7693
7694#ifdef ENABLE_MODULE_ELLSWIFT
7695# include "modules/ellswift/tests_impl.h"
7696#endif
7697
7698static void run_secp256k1_memczero_test(void) {
7699 unsigned char buf1[6] = {1, 2, 3, 4, 5, 6};
7700 unsigned char buf2[sizeof(buf1)];
7701
7702 /* secp256k1_memczero(..., ..., 0) is a noop. */
7703 memcpy(buf2, buf1, sizeof(buf1));
7704 secp256k1_memczero(buf1, sizeof(buf1), 0);
7705 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
7706
7707 /* secp256k1_memczero(..., ..., 1) zeros the buffer. */
7708 memset(buf2, 0, sizeof(buf2));
7709 secp256k1_memczero(buf1, sizeof(buf1) , 1);
7710 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
7711}
7712
7713
7714static void run_secp256k1_is_zero_array_test(void) {
7715 unsigned char buf1[3] = {0, 1};
7716 unsigned char buf2[3] = {1, 0};
7717
7718 CHECK(secp256k1_is_zero_array(buf1, 0) == 1);
7719 CHECK(secp256k1_is_zero_array(buf1, 1) == 1);
7720 CHECK(secp256k1_is_zero_array(buf1, 2) == 0);
7721 CHECK(secp256k1_is_zero_array(buf2, 1) == 0);
7722 CHECK(secp256k1_is_zero_array(buf2, 2) == 0);
7723}
7724
7725static void run_secp256k1_byteorder_tests(void) {
7726 {
7727 const uint32_t x = 0xFF03AB45;
7728 const unsigned char x_be[4] = {0xFF, 0x03, 0xAB, 0x45};
7729 unsigned char buf[4];
7730 uint32_t x_;
7731
7732 secp256k1_write_be32(buf, x);
7733 CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0);
7734
7735 x_ = secp256k1_read_be32(buf);
7736 CHECK(x == x_);
7737 }
7738
7739 {
7740 const uint64_t x = 0xCAFE0123BEEF4567;
7741 const unsigned char x_be[8] = {0xCA, 0xFE, 0x01, 0x23, 0xBE, 0xEF, 0x45, 0x67};
7742 unsigned char buf[8];
7743 uint64_t x_;
7744
7745 secp256k1_write_be64(buf, x);
7746 CHECK(secp256k1_memcmp_var(buf, x_be, sizeof(buf)) == 0);
7747
7748 x_ = secp256k1_read_be64(buf);
7749 CHECK(x == x_);
7750 }
7751}
7752
7753static void int_cmov_test(void) {
7754 int r = INT_MAX;
7755 int a = 0;
7756
7757 secp256k1_int_cmov(&r, &a, 0);
7758 CHECK(r == INT_MAX);
7759
7760 r = 0; a = INT_MAX;
7761 secp256k1_int_cmov(&r, &a, 1);
7762 CHECK(r == INT_MAX);
7763
7764 a = 0;
7765 secp256k1_int_cmov(&r, &a, 1);
7766 CHECK(r == 0);
7767
7768 a = 1;
7769 secp256k1_int_cmov(&r, &a, 1);
7770 CHECK(r == 1);
7771
7772 r = 1; a = 0;
7773 secp256k1_int_cmov(&r, &a, 0);
7774 CHECK(r == 1);
7775
7776}
7777
7778static void fe_cmov_test(void) {
7779 static const secp256k1_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7780 static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7781 static const secp256k1_fe max = SECP256K1_FE_CONST(
7782 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7783 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7784 );
7785 secp256k1_fe r = max;
7786 secp256k1_fe a = zero;
7787
7788 secp256k1_fe_cmov(&r, &a, 0);
7789 CHECK(fe_identical(&r, &max));
7790
7791 r = zero; a = max;
7792 secp256k1_fe_cmov(&r, &a, 1);
7793 CHECK(fe_identical(&r, &max));
7794
7795 a = zero;
7796 secp256k1_fe_cmov(&r, &a, 1);
7797 CHECK(fe_identical(&r, &zero));
7798
7799 a = one;
7800 secp256k1_fe_cmov(&r, &a, 1);
7801 CHECK(fe_identical(&r, &one));
7802
7803 r = one; a = zero;
7804 secp256k1_fe_cmov(&r, &a, 0);
7805 CHECK(fe_identical(&r, &one));
7806}
7807
7808static void fe_storage_cmov_test(void) {
7809 static const secp256k1_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
7810 static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
7811 static const secp256k1_fe_storage max = SECP256K1_FE_STORAGE_CONST(
7812 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7813 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7814 );
7815 secp256k1_fe_storage r = max;
7816 secp256k1_fe_storage a = zero;
7817
7818 secp256k1_fe_storage_cmov(&r, &a, 0);
7819 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7820
7821 r = zero; a = max;
7822 secp256k1_fe_storage_cmov(&r, &a, 1);
7823 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7824
7825 a = zero;
7826 secp256k1_fe_storage_cmov(&r, &a, 1);
7827 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7828
7829 a = one;
7830 secp256k1_fe_storage_cmov(&r, &a, 1);
7831 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7832
7833 r = one; a = zero;
7834 secp256k1_fe_storage_cmov(&r, &a, 0);
7835 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7836}
7837
7838static void scalar_cmov_test(void) {
7839 static const secp256k1_scalar max = SECP256K1_SCALAR_CONST(
7840 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFEUL,
7841 0xBAAEDCE6UL, 0xAF48A03BUL, 0xBFD25E8CUL, 0xD0364140UL
7842 );
7843 secp256k1_scalar r = max;
7844 secp256k1_scalar a = secp256k1_scalar_zero;
7845
7846 secp256k1_scalar_cmov(&r, &a, 0);
7847 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7848
7849 r = secp256k1_scalar_zero; a = max;
7850 secp256k1_scalar_cmov(&r, &a, 1);
7851 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7852
7853 a = secp256k1_scalar_zero;
7854 secp256k1_scalar_cmov(&r, &a, 1);
7855 CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_zero, sizeof(r)) == 0);
7856
7857 a = secp256k1_scalar_one;
7858 secp256k1_scalar_cmov(&r, &a, 1);
7859 CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_one, sizeof(r)) == 0);
7860
7861 r = secp256k1_scalar_one; a = secp256k1_scalar_zero;
7862 secp256k1_scalar_cmov(&r, &a, 0);
7863 CHECK(secp256k1_memcmp_var(&r, &secp256k1_scalar_one, sizeof(r)) == 0);
7864}
7865
7866static void ge_storage_cmov_test(void) {
7867 static const secp256k1_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
7868 static const secp256k1_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1);
7869 static const secp256k1_ge_storage max = SECP256K1_GE_STORAGE_CONST(
7870 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7871 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7872 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
7873 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
7874 );
7875 secp256k1_ge_storage r = max;
7876 secp256k1_ge_storage a = zero;
7877
7878 secp256k1_ge_storage_cmov(&r, &a, 0);
7879 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7880
7881 r = zero; a = max;
7882 secp256k1_ge_storage_cmov(&r, &a, 1);
7883 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
7884
7885 a = zero;
7886 secp256k1_ge_storage_cmov(&r, &a, 1);
7887 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
7888
7889 a = one;
7890 secp256k1_ge_storage_cmov(&r, &a, 1);
7891 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7892
7893 r = one; a = zero;
7894 secp256k1_ge_storage_cmov(&r, &a, 0);
7895 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
7896}
7897
7898static void run_cmov_tests(void) {
7899 int_cmov_test();
7900 fe_cmov_test();
7901 fe_storage_cmov_test();
7902 scalar_cmov_test();
7903 ge_storage_cmov_test();
7904}
7905
7906/* --------------------------------------------------------- */
7907/* Test Registry */
7908/* --------------------------------------------------------- */
7909
7910/* --- Special test cases that must run before RNG initialization --- */
7911static const struct tf_test_entry tests_no_rng[] = {
7912 CASE(xoshiro256pp_tests),
7913};
7914static const struct tf_test_module registry_modules_no_rng = MAKE_TEST_MODULE(no_rng);
7915
7916/* --- Standard test cases start here --- */
7917static const struct tf_test_entry tests_general[] = {
7918 CASE(selftest_tests),
7919 CASE(all_proper_context_tests),
7920 CASE(all_static_context_tests),
7921 CASE(deprecated_context_flags_test),
7922 CASE(scratch_tests),
7923 CASE(plug_sha256_compression_tests),
7924 CASE(sha256_multi_block_compression_tests),
7925};
7926
7927static const struct tf_test_entry tests_integer[] = {
7928#ifdef SECP256K1_WIDEMUL_INT128
7929 CASE(int128_tests),
7930#endif
7931 CASE(ctz_tests),
7932 CASE(modinv_tests),
7933 CASE(inverse_tests),
7934};
7935
7936static const struct tf_test_entry tests_hash[] = {
7937 CASE(sha256_known_output_tests),
7938 CASE(sha256_counter_tests),
7939 CASE(hmac_sha256_tests),
7940 CASE(rfc6979_hmac_sha256_tests),
7941 CASE(tagged_sha256_tests),
7942 CASE(sha256_initialize_midstate_tests),
7943};
7944
7945static const struct tf_test_entry tests_scalar[] = {
7946 CASE(scalar_tests),
7947};
7948
7949static const struct tf_test_entry tests_field[] = {
7950 CASE(field_half),
7951 CASE(field_misc),
7952 CASE(field_convert),
7953 CASE(field_be32_overflow),
7954 CASE(fe_mul),
7955 CASE(sqr),
7956 CASE(sqrt),
7957};
7958
7959static const struct tf_test_entry tests_group[] = {
7960 CASE(ge),
7961 CASE(gej),
7962 CASE(group_decompress),
7963};
7964
7965static const struct tf_test_entry tests_ecmult[] = {
7966 CASE(ecmult_pre_g),
7967 CASE(wnaf),
7968 CASE(point_times_order),
7969 CASE(ecmult_near_split_bound),
7970 CASE(ecmult_chain),
7971 CASE(ecmult_constants),
7972 CASE(ecmult_gen_blind),
7973 CASE(ecmult_const_tests),
7974 CASE(ecmult_multi_tests),
7975 CASE(ec_combine),
7976};
7977
7978static const struct tf_test_entry tests_ec[] = {
7979 CASE(endomorphism_tests),
7980 CASE(ec_pubkey_parse_test),
7981 CASE(eckey_edge_case_test),
7982 CASE(eckey_negate_test),
7983};
7984
7985static const struct tf_test_entry tests_ecdsa[] = {
7986 CASE(ec_illegal_argument_tests),
7987 CASE(pubkey_comparison),
7988 CASE(pubkey_sort),
7989 CASE(random_pubkeys),
7990 CASE(ecdsa_der_parse),
7991 CASE(ecdsa_sign_verify),
7992 CASE(ecdsa_end_to_end),
7993 CASE(ecdsa_edge_cases),
7994 CASE(ecdsa_wycheproof),
7995 CASE1(ecdsa_ctx_sha256),
7996};
7997
7998static const struct tf_test_entry tests_utils[] = {
7999 CASE(hsort_tests),
8000 CASE(secp256k1_memczero_test),
8001 CASE(secp256k1_is_zero_array_test),
8002 CASE(secp256k1_byteorder_tests),
8003 CASE(cmov_tests),
8004};
8005
8006/* Register test modules */
8007static const struct tf_test_module registry_modules[] = {
8008 MAKE_TEST_MODULE(general),
8009 MAKE_TEST_MODULE(integer),
8010 MAKE_TEST_MODULE(hash),
8011 MAKE_TEST_MODULE(scalar),
8012 MAKE_TEST_MODULE(field),
8013 MAKE_TEST_MODULE(group),
8014 MAKE_TEST_MODULE(ecmult),
8015 MAKE_TEST_MODULE(ec),
8016#ifdef ENABLE_MODULE_ECDH
8017 MAKE_TEST_MODULE(ecdh),
8018#endif
8019 MAKE_TEST_MODULE(ecdsa),
8020#ifdef ENABLE_MODULE_RECOVERY
8021 /* ECDSA pubkey recovery tests */
8022 MAKE_TEST_MODULE(recovery),
8023#endif
8024#ifdef ENABLE_MODULE_EXTRAKEYS
8025 MAKE_TEST_MODULE(extrakeys),
8026#endif
8027#ifdef ENABLE_MODULE_SCHNORRSIG
8028 MAKE_TEST_MODULE(schnorrsig),
8029#endif
8030#ifdef ENABLE_MODULE_MUSIG
8031 MAKE_TEST_MODULE(musig),
8032#endif
8033#ifdef ENABLE_MODULE_ELLSWIFT
8034 MAKE_TEST_MODULE(ellswift),
8035#endif
8036 MAKE_TEST_MODULE(utils),
8037};
8038
8039/* Setup test environment */
8040static int setup(void) {
8041 /* Create a global context available to all tests */
8042 CTX = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
8043 /* Randomize the context only with probability 15/16
8044 to make sure we test without context randomization from time to time.
8045 TODO Reconsider this when recalibrating the tests. */
8046 if (testrand_bits(4)) {
8047 unsigned char rand32[32];
8048 testrand256(rand32);
8049 CHECK(secp256k1_context_randomize(CTX, rand32));
8050 }
8051 /* Make a writable copy of secp256k1_context_static in order to test the effect of API functions
8052 that write to the context. The API does not support cloning the static context, so we use
8053 memcpy instead. The user is not supposed to copy a context but we should still ensure that
8054 the API functions handle copies of the static context gracefully. */
8055 STATIC_CTX = malloc(sizeof(*secp256k1_context_static));
8056 CHECK(STATIC_CTX != NULL);
8057 memcpy(STATIC_CTX, secp256k1_context_static, sizeof(secp256k1_context));
8058 CHECK(!secp256k1_context_is_proper(STATIC_CTX));
8059 return 0;
8060}
8061
8062/* Shutdown test environment */
8063static int teardown(void) {
8064 free(STATIC_CTX);
8065 secp256k1_context_destroy(CTX);
8066 return 0;
8067}
8068
8069int main(int argc, char **argv) {
8070 struct tf_framework tf = {0};
8071 tf.registry_modules = registry_modules;
8072 tf.num_modules = ARRAY_SIZE(registry_modules);
8073 tf.registry_no_rng = &registry_modules_no_rng;
8074
8075 /* Add context creation/destruction functions */
8076 tf.fn_setup = setup;
8077 tf.fn_teardown = teardown;
8078
8079 /* Init and run framework */
8080 if (tf_init(&tf, argc, argv) != 0) return EXIT_FAILURE;
8081 return tf_run(&tf);
8082}
cs
static void pool cs
Definition: blockencodings.cpp:23
ret
int ret
Definition: bitcoin-cli.cpp:1405
flags
int flags
Definition: bitcoin-tx.cpp:530
SECP256K1_CHECKMEM_UNDEFINE
#define SECP256K1_CHECKMEM_UNDEFINE(p, len)
Definition: checkmem.h:105
SECP256K1_CHECKMEM_CHECK
#define SECP256K1_CHECKMEM_CHECK(p, len)
Definition: checkmem.h:107
tests_impl.h
testvectors
static const wycheproof_ecdh_testvector testvectors[SECP256K1_ECDH_WYCHEPROOF_NUMBER_TESTVECTORS]
Definition: ecdh_secp256k1_test.h:1000
secp256k1_ecdsa_sig_sign
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
secp256k1_ecdsa_sig_verify
static int secp256k1_ecdsa_sig_verify(const secp256k1_scalar *r, const secp256k1_scalar *s, const secp256k1_ge *pubkey, const secp256k1_scalar *message)
ecdsa_secp256k1_sha256_bitcoin_test.h
wycheproof_ecdsa_signatures
static const unsigned char wycheproof_ecdsa_signatures[]
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:173
wycheproof_ecdsa_public_keys
static const unsigned char wycheproof_ecdsa_public_keys[]
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:73
wycheproof_ecdsa_messages
static const unsigned char wycheproof_ecdsa_messages[]
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:13
SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS
#define SECP256K1_ECDSA_WYCHEPROOF_NUMBER_TESTVECTORS
Definition: ecdsa_secp256k1_sha256_bitcoin_test.h:2
secp256k1_eckey_pubkey_serialize65
static void secp256k1_eckey_pubkey_serialize65(secp256k1_ge *elem, unsigned char *pub65)
Serialize a group element (that is not allowed to be infinity) to an uncompressed public key (65 byte...
secp256k1_eckey_pubkey_serialize33
static void secp256k1_eckey_pubkey_serialize33(secp256k1_ge *elem, unsigned char *pub33)
Serialize a group element (that is not allowed to be infinity) to a compressed public key (33 bytes).
secp256k1_eckey_pubkey_parse
static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size)
secp256k1_ecmult_multi_var
static int secp256k1_ecmult_multi_var(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Multi-multiply: R = inp_g_sc * G + sum_i ni * Ai.
ECMULT_TABLE_SIZE
#define ECMULT_TABLE_SIZE(w)
The number of entries a table with precomputed multiples needs to have.
Definition: ecmult.h:41
secp256k1_ecmult
static void secp256k1_ecmult(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng)
Double multiply: R = na*A + ng*G.
secp256k1_ecmult_const_xonly
static int secp256k1_ecmult_const_xonly(secp256k1_fe *r, const secp256k1_fe *n, const secp256k1_fe *d, const secp256k1_scalar *q, int known_on_curve)
Same as secp256k1_ecmult_const, but takes in an x coordinate of the base point only,...
secp256k1_ecmult_const
static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q)
Multiply: R = q*A (in constant-time for q)
secp256k1_ecmult_const_K
static const secp256k1_scalar secp256k1_ecmult_const_K
Definition: ecmult_const_impl.h:92
secp256k1_ecmult_gen_blind
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const secp256k1_hash_ctx *hash_ctx, const unsigned char *seed32)
secp256k1_ecmult_gen
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
STRAUSS_SCRATCH_OBJECTS
#define STRAUSS_SCRATCH_OBJECTS
Definition: ecmult_impl.h:50
secp256k1_pippenger_bucket_window_inv
static size_t secp256k1_pippenger_bucket_window_inv(int bucket_window)
Returns the maximum optimal number of points for a bucket_window.
Definition: ecmult_impl.h:626
secp256k1_pippenger_max_points
static size_t secp256k1_pippenger_max_points(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
Returns the maximum number of points in addition to G that can be used with a given scratch space.
Definition: ecmult_impl.h:743
WNAF_SIZE
#define WNAF_SIZE(w)
Definition: ecmult_impl.h:46
secp256k1_ecmult_strauss_batch_single
static int secp256k1_ecmult_strauss_batch_single(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:422
secp256k1_wnaf_fixed
static int secp256k1_wnaf_fixed(int *wnaf, const secp256k1_scalar *s, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:437
secp256k1_ecmult_wnaf
static int secp256k1_ecmult_wnaf(int *wnaf, int len, const secp256k1_scalar *a, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:162
secp256k1_strauss_scratch_size
static size_t secp256k1_strauss_scratch_size(size_t n_points)
Definition: ecmult_impl.h:377
ECMULT_PIPPENGER_THRESHOLD
#define ECMULT_PIPPENGER_THRESHOLD
Definition: ecmult_impl.h:55
secp256k1_pippenger_bucket_window
static int secp256k1_pippenger_bucket_window(size_t n)
Returns optimal bucket_window (number of bits of a scalar represented by a set of buckets) for a give...
Definition: ecmult_impl.h:597
secp256k1_ecmult_pippenger_batch_single
static int secp256k1_ecmult_pippenger_batch_single(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:734
ECMULT_MAX_POINTS_PER_BATCH
#define ECMULT_MAX_POINTS_PER_BATCH
Definition: ecmult_impl.h:57
PIPPENGER_MAX_BUCKET_WINDOW
#define PIPPENGER_MAX_BUCKET_WINDOW
Definition: ecmult_impl.h:52
PIPPENGER_SCRATCH_OBJECTS
#define PIPPENGER_SCRATCH_OBJECTS
Definition: ecmult_impl.h:49
secp256k1_ecmult_multi_batch_size_helper
static int secp256k1_ecmult_multi_batch_size_helper(size_t *n_batches, size_t *n_batch_points, size_t max_n_batch_points, size_t n)
Definition: ecmult_impl.h:804
secp256k1_pippenger_scratch_size
static size_t secp256k1_pippenger_scratch_size(size_t n_points, int bucket_window)
Returns the scratch size required for a given number of points (excluding base point G) without consi...
Definition: ecmult_impl.h:664
secp256k1_ecmult_multi_func
int(* secp256k1_ecmult_multi_func)(const secp256k1_callback *error_callback, secp256k1_scratch *, secp256k1_gej *, const secp256k1_scalar *, secp256k1_ecmult_multi_callback cb, void *, size_t)
Definition: ecmult_impl.h:822
tests_impl.h
sum
volatile double sum
Definition: examples.cpp:10
tests_impl.h
N_PUBKEYS
#define N_PUBKEYS
Definition: tests_impl.h:252
secp256k1_fe_cmov
#define secp256k1_fe_cmov
Definition: field.h:95
secp256k1_fe_negate
#define secp256k1_fe_negate(r, a, m)
Negate a field element.
Definition: field.h:211
secp256k1_fe_mul_int
#define secp256k1_fe_mul_int(r, a)
Multiply a field element with a small integer.
Definition: field.h:233
secp256k1_fe_normalizes_to_zero_var
#define secp256k1_fe_normalizes_to_zero_var
Definition: field.h:82
secp256k1_fe_cmp_var
#define secp256k1_fe_cmp_var
Definition: field.h:86
secp256k1_fe_normalize_weak
#define secp256k1_fe_normalize_weak
Definition: field.h:79
secp256k1_fe_is_odd
#define secp256k1_fe_is_odd
Definition: field.h:85
secp256k1_fe_mul
#define secp256k1_fe_mul
Definition: field.h:93
secp256k1_fe_one
static const secp256k1_fe secp256k1_fe_one
Definition: field.h:68
secp256k1_fe_sqrt
static int secp256k1_fe_sqrt(secp256k1_fe *SECP256K1_RESTRICT r, const secp256k1_fe *SECP256K1_RESTRICT a)
Compute a square root of a field element.
secp256k1_fe_add
#define secp256k1_fe_add
Definition: field.h:92
secp256k1_fe_normalize_var
#define secp256k1_fe_normalize_var
Definition: field.h:80
secp256k1_fe_half
#define secp256k1_fe_half
Definition: field.h:101
SECP256K1_FE_CONST
#define SECP256K1_FE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
This expands to an initializer for a secp256k1_fe valued sum((i*32) * d_i, i=0..7) mod p.
Definition: field.h:66
secp256k1_fe_to_storage
#define secp256k1_fe_to_storage
Definition: field.h:96
secp256k1_fe_inv_var
#define secp256k1_fe_inv_var
Definition: field.h:99
secp256k1_fe_is_zero
#define secp256k1_fe_is_zero
Definition: field.h:84
secp256k1_fe_set_b32_limit
#define secp256k1_fe_set_b32_limit
Definition: field.h:88
secp256k1_fe_is_square_var
#define secp256k1_fe_is_square_var
Definition: field.h:103
secp256k1_fe_get_bounds
#define secp256k1_fe_get_bounds
Definition: field.h:100
secp256k1_fe_from_storage
#define secp256k1_fe_from_storage
Definition: field.h:97
secp256k1_fe_set_b32_mod
#define secp256k1_fe_set_b32_mod
Definition: field.h:87
secp256k1_fe_negate_unchecked
#define secp256k1_fe_negate_unchecked
Definition: field.h:90
secp256k1_fe_get_b32
#define secp256k1_fe_get_b32
Definition: field.h:89
secp256k1_fe_normalizes_to_zero
#define secp256k1_fe_normalizes_to_zero
Definition: field.h:81
secp256k1_fe_inv
#define secp256k1_fe_inv
Definition: field.h:98
secp256k1_fe_sqr
#define secp256k1_fe_sqr
Definition: field.h:94
secp256k1_fe_normalize
#define secp256k1_fe_normalize
Definition: field.h:78
secp256k1_fe_equal
static int secp256k1_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Determine whether two field elements are equal.
secp256k1_fe_storage_cmov
static void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag)
If flag is 1, set *r equal to *a; if flag is 0, leave it.
secp256k1_fe_add_int
#define secp256k1_fe_add_int
Definition: field.h:102
secp256k1_fe_set_int
#define secp256k1_fe_set_int
Definition: field.h:83
SECP256K1_FE_STORAGE_CONST
#define SECP256K1_FE_STORAGE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:54
SECP256K1_GEJ_CONST_INFINITY
#define SECP256K1_GEJ_CONST_INFINITY
Definition: group.h:36
SECP256K1_GE_STORAGE_CONST
#define SECP256K1_GE_STORAGE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:43
secp256k1_gej_eq_var
static int secp256k1_gej_eq_var(const secp256k1_gej *a, const secp256k1_gej *b)
Check two group elements (jacobian) for equality in variable time.
secp256k1_gej_double_var
static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)
Set r equal to the double of a.
secp256k1_gej_add_zinv_var
static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv)
Set r equal to the sum of a and b (with the inverse of b's Z coordinate passed as bzinv).
secp256k1_ge_mul_lambda
static void secp256k1_ge_mul_lambda(secp256k1_ge *r, const secp256k1_ge *a)
Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast.
secp256k1_gej_set_infinity
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.
secp256k1_gej_is_infinity
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
secp256k1_ge_set_xo_var
static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd)
Set a group element (affine) equal to the point with the given X coordinate, and given oddness for Y.
secp256k1_ge_eq_var
static int secp256k1_ge_eq_var(const secp256k1_ge *a, const secp256k1_ge *b)
Check two group elements (affine) for equality in variable time.
secp256k1_ge_x_on_curve_var
static int secp256k1_ge_x_on_curve_var(const secp256k1_fe *x)
Determine whether x is a valid X coordinate on the curve.
secp256k1_gej_add_ge_var
static void secp256k1_gej_add_ge_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b (with b given in affine coordinates).
secp256k1_ge_to_bytes_ext
static void secp256k1_ge_to_bytes_ext(unsigned char *data, const secp256k1_ge *ge)
Convert a group element (that is allowed to be infinity) to a 64-byte array.
secp256k1_gej_add_ge
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
secp256k1_gej_eq_ge_var
static int secp256k1_gej_eq_ge_var(const secp256k1_gej *a, const secp256k1_ge *b)
Check two group elements (jacobian and affine) for equality in variable time.
secp256k1_ge_is_valid_var
static int secp256k1_ge_is_valid_var(const secp256k1_ge *a)
Check whether a group element is valid (i.e., on the curve).
secp256k1_ge_from_bytes_ext
static void secp256k1_ge_from_bytes_ext(secp256k1_ge *ge, const unsigned char *data)
Convert a 64-byte array into a group element.
secp256k1_ge_from_storage
static void secp256k1_ge_from_storage(secp256k1_ge *r, const secp256k1_ge_storage *a)
Convert a group element back from the storage type.
secp256k1_gej_add_var
static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b.
secp256k1_gej_rescale
static void secp256k1_gej_rescale(secp256k1_gej *r, const secp256k1_fe *b)
Rescale a jacobian point by b which must be non-zero.
secp256k1_ge_x_frac_on_curve_var
static int secp256k1_ge_x_frac_on_curve_var(const secp256k1_fe *xn, const secp256k1_fe *xd)
Determine whether fraction xn/xd is a valid X coordinate on the curve (xd != 0).
secp256k1_ge_storage_cmov
static void secp256k1_ge_storage_cmov(secp256k1_ge_storage *r, const secp256k1_ge_storage *a, int flag)
If flag is 1, set *r equal to *a; if flag is 0, leave it.
secp256k1_ge_set_gej
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
secp256k1_ge_neg
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
secp256k1_ge_set_all_gej
static void secp256k1_ge_set_all_gej(secp256k1_ge *r, const secp256k1_gej *a, size_t len)
Set group elements r[0:len] (affine) equal to group elements a[0:len] (jacobian).
secp256k1_ge_is_infinity
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
secp256k1_ge_set_infinity
static void secp256k1_ge_set_infinity(secp256k1_ge *r)
Set a group element (affine) equal to the point at infinity.
secp256k1_ge_set_all_gej_var
static void secp256k1_ge_set_all_gej_var(secp256k1_ge *r, const secp256k1_gej *a, size_t len)
Set group elements r[0:len] (affine) equal to group elements a[0:len] (jacobian).
secp256k1_gej_double
static void secp256k1_gej_double(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the double of a.
secp256k1_gej_set_ge
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a)
Set a group element (jacobian) equal to another which is given in affine coordinates.
secp256k1_ge_to_storage
static void secp256k1_ge_to_storage(secp256k1_ge_storage *r, const secp256k1_ge *a)
Convert a group element to the storage type.
SECP256K1_GE_CONST
#define SECP256K1_GE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:22
secp256k1_ge_to_bytes
static void secp256k1_ge_to_bytes(unsigned char *buf, const secp256k1_ge *a)
Convert a group element that is not infinity to a 64-byte array.
secp256k1_gej_cmov
static void secp256k1_gej_cmov(secp256k1_gej *r, const secp256k1_gej *a, int flag)
If flag is 1, set *r equal to *a; if flag is 0, leave it.
secp256k1_ge_set_gej_var
static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
SECP256K1_GEJ_CONST
#define SECP256K1_GEJ_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:35
secp256k1_gej_neg
static void secp256k1_gej_neg(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
secp256k1_ge_from_bytes
static void secp256k1_ge_from_bytes(secp256k1_ge *r, const unsigned char *buf)
Convert a 64-byte array into group element.
secp256k1_ge_const_g
static const secp256k1_ge secp256k1_ge_const_g
Definition: group_impl.h:72
secp256k1_sha256_transform
static void secp256k1_sha256_transform(uint32_t *state, const unsigned char *blocks64, size_t n_blocks)
Definition: hash_impl.h:133
secp256k1_sha256_initialize_tagged
static void secp256k1_sha256_initialize_tagged(const secp256k1_hash_ctx *hash_ctx, secp256k1_sha256 *hash, const unsigned char *tag, size_t taglen)
Definition: hash_impl.h:196
secp256k1_hsort
static void secp256k1_hsort(void *ptr, size_t count, size_t size, int(*cmp)(const void *, const void *, void *), void *cmp_data)
secp256k1_heap_swap
static SECP256K1_INLINE void secp256k1_heap_swap(unsigned char *arr, size_t i, size_t j, size_t stride)
Definition: hsort_impl.h:34
int128_impl.h
secp256k1_int128
int128_t secp256k1_int128
Definition: int128_native.h:17
secp256k1_i128_load
static SECP256K1_INLINE void secp256k1_i128_load(secp256k1_int128 *r, int64_t hi, uint64_t lo)
Definition: int128_native_impl.h:45
secp256k1_i128_det
static SECP256K1_INLINE void secp256k1_i128_det(secp256k1_int128 *r, int64_t a, int64_t b, int64_t c, int64_t d)
Definition: int128_native_impl.h:59
secp256k1_u128_check_bits
static SECP256K1_INLINE int secp256k1_u128_check_bits(const secp256k1_uint128 *r, unsigned int n)
Definition: int128_native_impl.h:40
secp256k1_i128_rshift
static SECP256K1_INLINE void secp256k1_i128_rshift(secp256k1_int128 *r, unsigned int n)
Definition: int128_native_impl.h:66
secp256k1_u128_hi_u64
static SECP256K1_INLINE uint64_t secp256k1_u128_hi_u64(const secp256k1_uint128 *a)
Definition: int128_native_impl.h:32
secp256k1_i128_to_u64
static SECP256K1_INLINE uint64_t secp256k1_i128_to_u64(const secp256k1_int128 *a)
Definition: int128_native_impl.h:71
secp256k1_i128_from_i64
static SECP256K1_INLINE void secp256k1_i128_from_i64(secp256k1_int128 *r, int64_t a)
Definition: int128_native_impl.h:80
secp256k1_u128_from_u64
static SECP256K1_INLINE void secp256k1_u128_from_u64(secp256k1_uint128 *r, uint64_t a)
Definition: int128_native_impl.h:36
secp256k1_i128_eq_var
static SECP256K1_INLINE int secp256k1_i128_eq_var(const secp256k1_int128 *a, const secp256k1_int128 *b)
Definition: int128_native_impl.h:84
secp256k1_i128_to_i64
static SECP256K1_INLINE int64_t secp256k1_i128_to_i64(const secp256k1_int128 *a)
Definition: int128_native_impl.h:75
secp256k1_i128_mul
static SECP256K1_INLINE void secp256k1_i128_mul(secp256k1_int128 *r, int64_t a, int64_t b)
Definition: int128_native_impl.h:49
secp256k1_u128_rshift
static SECP256K1_INLINE void secp256k1_u128_rshift(secp256k1_uint128 *r, unsigned int n)
Definition: int128_native_impl.h:23
secp256k1_i128_check_pow2
static SECP256K1_INLINE int secp256k1_i128_check_pow2(const secp256k1_int128 *r, unsigned int n, int sign)
Definition: int128_native_impl.h:88
secp256k1_u128_accum_u64
static SECP256K1_INLINE void secp256k1_u128_accum_u64(secp256k1_uint128 *r, uint64_t a)
Definition: int128_native_impl.h:19
secp256k1_i128_accum_mul
static SECP256K1_INLINE void secp256k1_i128_accum_mul(secp256k1_int128 *r, int64_t a, int64_t b)
Definition: int128_native_impl.h:53
secp256k1_u128_accum_mul
static SECP256K1_INLINE void secp256k1_u128_accum_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b)
Definition: int128_native_impl.h:15
secp256k1_u128_load
static SECP256K1_INLINE void secp256k1_u128_load(secp256k1_uint128 *r, uint64_t hi, uint64_t lo)
Definition: int128_native_impl.h:7
secp256k1_u128_mul
static SECP256K1_INLINE void secp256k1_u128_mul(secp256k1_uint128 *r, uint64_t a, uint64_t b)
Definition: int128_native_impl.h:11
secp256k1_u128_to_u64
static SECP256K1_INLINE uint64_t secp256k1_u128_to_u64(const secp256k1_uint128 *a)
Definition: int128_native_impl.h:28
ec_privkey_export_der
int ec_privkey_export_der(const secp256k1_context *ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *key32, int compressed)
Export a private key in DER format.
Definition: lax_der_privatekey_parsing.c:55
ec_privkey_import_der
int ec_privkey_import_der(const secp256k1_context *ctx, unsigned char *out32, const unsigned char *privkey, size_t privkeylen)
Import a private key in DER format.
Definition: lax_der_privatekey_parsing.c:11
nonce
unsigned int nonce
Definition: miner_tests.cpp:82
CHECK
#define CHECK(cond)
Unconditional failure on condition failure.
Definition: util.h:35
secp256k1_modinv32_var
static void secp256k1_modinv32_var(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
secp256k1_modinv32
static void secp256k1_modinv32(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
secp256k1_jacobi32_maybe_var
static int secp256k1_jacobi32_maybe_var(const secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
modinv32_impl.h
secp256k1_modinv64
static void secp256k1_modinv64(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
secp256k1_modinv64_var
static void secp256k1_modinv64_var(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
secp256k1_jacobi64_maybe_var
static int secp256k1_jacobi64_maybe_var(const secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
modinv64_impl.h
tests_impl.h
sign
static int sign(const secp256k1_context *ctx, struct signer_secrets *signer_secrets, struct signer *signer, const secp256k1_musig_keyagg_cache *cache, const unsigned char *msg32, unsigned char *sig64)
Definition: musig.c:106
miniscript::internal::ZERO
static const auto ZERO
A stack consisting of a single zero-length element (interpreted as 0 by the script interpreter in num...
Definition: miniscript.h:343
sha1
Internal SHA-1 implementation.
Definition: sha1.cpp:16
subprocess::util::split
static std::vector< std::string > split(const std::string &str, const std::string &delims=" \t")
Definition: subprocess.h:311
test_vectors_musig2_generate.s
tuple s
Definition: test_vectors_musig2_generate.py:72
test_vectors_musig2_generate.data
data
Definition: test_vectors_musig2_generate.py:98
tests_wycheproof_generate_ecdh.sk
sk
Definition: tests_wycheproof_generate_ecdh.py:101
tests_wycheproof_generate_ecdh.pk
def pk
Definition: tests_wycheproof_generate_ecdh.py:115
tests_wycheproof_generate_ecdsa.expected_verify
int expected_verify
Definition: tests_wycheproof_generate_ecdsa.py:42
tests_wycheproof_generate_ecdsa.msg
msg
Definition: tests_wycheproof_generate_ecdsa.py:52
tests_wycheproof_generate_ecdsa.out
string out
Definition: tests_wycheproof_generate_ecdsa.py:24
tests_wycheproof_generate_ecdsa.group
group
Definition: tests_wycheproof_generate_ecdsa.py:32
secp256k1_pre_g_128
const secp256k1_ge_storage secp256k1_pre_g_128[ECMULT_TABLE_SIZE(WINDOW_G)]
Definition: precomputed_ecmult.c:8236
secp256k1_pre_g
const secp256k1_ge_storage secp256k1_pre_g[ECMULT_TABLE_SIZE(WINDOW_G)]
Definition: precomputed_ecmult.c:16
WINDOW_G
#define WINDOW_G
Definition: precomputed_ecmult.c:15
ecdsa_signature_parse_der_lax
int ecdsa_signature_parse_der_lax(secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen)
This function is taken from the libsecp256k1 distribution and implements DER parsing for ECDSA signat...
Definition: pubkey.cpp:45
tests_impl.h
prefix
const char * prefix
Definition: rest.cpp:1142
secp256k1_scalar_cmov
static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag)
If flag is 1, set *r equal to *a; if flag is 0, leave it.
secp256k1_scalar_half
static void secp256k1_scalar_half(secp256k1_scalar *r, const secp256k1_scalar *a)
Multiply a scalar with the multiplicative inverse of 2.
secp256k1_scalar_split_128
static void secp256k1_scalar_split_128(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k)
Find r1 and r2 such that r1+r2*2^128 = k.
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_scalar_set_b32_seckey
static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin)
Set a scalar from a big endian byte array and returns 1 if it is a valid seckey and 0 otherwise.
secp256k1_scalar_is_zero
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.
secp256k1_scalar_set_int
static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v)
Set a scalar to an unsigned integer.
secp256k1_scalar_eq
static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b)
Compare two scalars.
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_scalar_cond_negate
static int secp256k1_scalar_cond_negate(secp256k1_scalar *a, int flag)
Conditionally negate a number, in constant time.
secp256k1_scalar_inverse_var
static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order), without constant-time guarantee.
secp256k1_scalar_add
static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Add two scalars together (modulo the group order).
secp256k1_scalar_mul
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).
secp256k1_scalar_get_bits_limb32
static uint32_t secp256k1_scalar_get_bits_limb32(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits (1 < count <= 32) from a scalar.
secp256k1_scalar_is_one
static int secp256k1_scalar_is_one(const secp256k1_scalar *a)
Check whether a scalar equals one.
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
secp256k1_scalar_is_high
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
secp256k1_scalar_split_lambda
static void secp256k1_scalar_split_lambda(secp256k1_scalar *SECP256K1_RESTRICT r1, secp256k1_scalar *SECP256K1_RESTRICT r2, const secp256k1_scalar *SECP256K1_RESTRICT k)
Find r1 and r2 such that r1+r2*lambda = k, where r1 and r2 or their negations are maximum 128 bits lo...
secp256k1_scalar_get_bits_var
static uint32_t secp256k1_scalar_get_bits_var(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits (1 < count <= 32) from a scalar.
secp256k1_scalar_inverse
static void secp256k1_scalar_inverse(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order).
secp256k1_scalar_cadd_bit
static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int flag)
Conditionally add a power of two to a scalar.
SECP256K1_SCALAR_CONST
#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: scalar_4x64.h:17
secp256k1_scalar_check_overflow
static SECP256K1_INLINE int secp256k1_scalar_check_overflow(const secp256k1_scalar *a)
Definition: scalar_4x64_impl.h:62
secp256k1_scalar_zero
static const secp256k1_scalar secp256k1_scalar_zero
Definition: scalar_impl.h:28
secp256k1_scalar_one
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:27
secp256k1_const_lambda
static const secp256k1_scalar secp256k1_const_lambda
The Secp256k1 curve has an endomorphism, where lambda * (x, y) = (beta * x, y), where lambda is:
Definition: scalar_impl.h:83
tests_impl.h
secp256k1_scratch_apply_checkpoint
static void secp256k1_scratch_apply_checkpoint(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t checkpoint)
Applies a check point received from secp256k1_scratch_checkpoint, undoing all allocations since that ...
secp256k1_scratch_destroy
static void secp256k1_scratch_destroy(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
secp256k1_scratch_create
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)
secp256k1_scratch_max_allocation
static size_t secp256k1_scratch_max_allocation(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch, size_t n_objects)
Returns the maximum allocation the scratch space will allow.
secp256k1_scratch_alloc
static void * secp256k1_scratch_alloc(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t n)
Returns a pointer into the most recently allocated frame, or NULL if there is insufficient available ...
secp256k1_scratch_checkpoint
static size_t secp256k1_scratch_checkpoint(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch)
Returns an opaque object used to "checkpoint" a scratch space.
secp256k1_hmac_sha256_finalize
static void secp256k1_hmac_sha256_finalize(const secp256k1_hash_ctx *hash_ctx, secp256k1_hmac_sha256 *hash, unsigned char *out32)
secp256k1_sha256_finalize
static void secp256k1_sha256_finalize(const secp256k1_hash_ctx *hash_ctx, secp256k1_sha256 *hash, unsigned char *out32)
secp256k1_sha256_initialize
static void secp256k1_sha256_initialize(secp256k1_sha256 *hash)
secp256k1_sha256_initialize_midstate
static void secp256k1_sha256_initialize_midstate(secp256k1_sha256 *hash, uint64_t bytes, const uint32_t state[8])
secp256k1_hmac_sha256_write
static void secp256k1_hmac_sha256_write(const secp256k1_hash_ctx *hash_ctx, secp256k1_hmac_sha256 *hash, const unsigned char *data, size_t size)
secp256k1_rfc6979_hmac_sha256_generate
static void secp256k1_rfc6979_hmac_sha256_generate(const secp256k1_hash_ctx *hash_ctx, secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
secp256k1_rfc6979_hmac_sha256_initialize
static void secp256k1_rfc6979_hmac_sha256_initialize(const secp256k1_hash_ctx *hash_ctx, secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen)
secp256k1_rfc6979_hmac_sha256_finalize
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng)
secp256k1_sha256_write
static void secp256k1_sha256_write(const secp256k1_hash_ctx *hash_ctx, secp256k1_sha256 *hash, const unsigned char *data, size_t size)
secp256k1_hmac_sha256_initialize
static void secp256k1_hmac_sha256_initialize(const secp256k1_hash_ctx *hash_ctx, secp256k1_hmac_sha256 *hash, const unsigned char *key, size_t size)
secp256k1_ctz64_var
static SECP256K1_INLINE int secp256k1_ctz64_var(uint64_t x)
Definition: util.h:400
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:271
secp256k1_int_cmov
static SECP256K1_INLINE void secp256k1_int_cmov(int *r, const int *a, int flag)
If flag is 1, set *r equal to *a; if flag is 0, leave it.
Definition: util.h:302
ARRAY_SIZE
#define ARRAY_SIZE(arr)
Definition: util.h:184
ALIGNMENT
#define ALIGNMENT
Definition: util.h:176
secp256k1_default_error_callback_fn
static void secp256k1_default_error_callback_fn(const char *str, void *data)
Definition: util.h:102
secp256k1_is_zero_array
static SECP256K1_INLINE int secp256k1_is_zero_array(const unsigned char *s, size_t len)
Definition: util.h:286
secp256k1_read_be32
static SECP256K1_INLINE uint32_t secp256k1_read_be32(const unsigned char *p)
Definition: util.h:418
secp256k1_ctz32_var
static SECP256K1_INLINE int secp256k1_ctz32_var(uint32_t x)
Definition: util.h:382
secp256k1_write_be32
static SECP256K1_INLINE void secp256k1_write_be32(unsigned char *p, uint32_t x)
Definition: util.h:426
secp256k1_write_be64
static SECP256K1_INLINE void secp256k1_write_be64(unsigned char *p, uint64_t x)
Definition: util.h:446
secp256k1_default_illegal_callback_fn
static void secp256k1_default_illegal_callback_fn(const char *str, void *data)
Definition: util.h:97
secp256k1_ctz64_var_debruijn
static SECP256K1_INLINE int secp256k1_ctz64_var_debruijn(uint64_t x)
Definition: util.h:371
VERIFY_CHECK
#define VERIFY_CHECK(cond)
Definition: util.h:159
secp256k1_ctz32_var_debruijn
static SECP256K1_INLINE int secp256k1_ctz32_var_debruijn(uint32_t x)
Definition: util.h:359
secp256k1_read_be64
static SECP256K1_INLINE uint64_t secp256k1_read_be64(const unsigned char *p)
Definition: util.h:434
checked_malloc
static SECP256K1_INLINE void * checked_malloc(const secp256k1_callback *cb, size_t size)
Definition: util.h:162
secp256k1_memczero
static SECP256K1_INLINE void secp256k1_memczero(void *s, size_t len, int flag)
Definition: util.h:210
secp256k1_context_no_precomp
const secp256k1_context *const secp256k1_context_no_precomp
Definition: secp256k1.c:77
secp256k1_scratch_space_destroy
static void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space *scratch)
Definition: secp256k1.c:247
secp256k1_context_is_proper
static int secp256k1_context_is_proper(const secp256k1_context *ctx)
Definition: secp256k1.c:84
secp256k1_ecdsa_signature_save
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:386
secp256k1_scratch_space_create
static secp256k1_scratch_space * secp256k1_scratch_space_create(const secp256k1_context *ctx, size_t max_size)
Definition: secp256k1.c:242
secp256k1_pubkey_load
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:259
secp256k1_pubkey_save
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:265
secp256k1_get_hash_context
static SECP256K1_INLINE const secp256k1_hash_ctx * secp256k1_get_hash_context(const secp256k1_context *ctx)
Definition: secp256k1.c:238
secp256k1_ec_pubkey_sort_cmp
static int secp256k1_ec_pubkey_sort_cmp(const void *pk1, const void *pk2, void *ctx)
Definition: secp256k1.c:339
nonce_function_rfc6979
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: secp256k1.c:534
secp256k1_ecdsa_signature_load
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:372
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:190
secp256k1_ec_seckey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by multiplying it by a tweak.
Definition: secp256k1.c:739
SECP256K1_CONTEXT_SIGN
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:219
secp256k1_context_randomize
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1)
Randomizes the context to provide enhanced protection against side-channel leakage.
Definition: secp256k1.c:782
secp256k1_ec_pubkey_combine
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *out, const secp256k1_pubkey *const *ins, size_t n) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Add a number of public keys together.
Definition: secp256k1.c:792
secp256k1_ec_seckey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a secret key in place.
Definition: secp256k1.c:657
secp256k1_ecdsa_signature_parse_compact
SECP256K1_API int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:412
secp256k1_ec_pubkey_serialize
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:287
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:214
secp256k1_ec_pubkey_negate
SECP256K1_API int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a public key in place.
Definition: secp256k1.c:672
secp256k1_ec_pubkey_cmp
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_cmp(const secp256k1_context *ctx, const secp256k1_pubkey *pubkey1, const secp256k1_pubkey *pubkey2) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compare two public keys using lexicographic (of compressed serialization) order.
Definition: secp256k1.c:313
secp256k1_ec_seckey_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an elliptic curve secret key.
Definition: secp256k1.c:615
secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:144
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:202
secp256k1_ecdsa_sign
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:601
secp256k1_ec_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:269
SECP256K1_CONTEXT_NONE
#define SECP256K1_CONTEXT_NONE
Context flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size,...
Definition: secp256k1.h:215
secp256k1_ecdsa_signature_parse_der
SECP256K1_API int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a DER ECDSA signature.
Definition: secp256k1.c:396
secp256k1_selftest
SECP256K1_API void secp256k1_selftest(void)
Perform basic self tests (to be used in conjunction with secp256k1_context_static)
Definition: secp256k1.c:88
secp256k1_ec_pubkey_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:639
SECP256K1_EC_COMPRESSED
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:225
secp256k1_pubkey
struct secp256k1_pubkey secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
secp256k1_ecdsa_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:477
secp256k1_tagged_sha256
SECP256K1_API int secp256k1_tagged_sha256(const secp256k1_context *ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5)
Compute a tagged hash as defined in BIP-340.
Definition: secp256k1.c:818
secp256k1_context_static
SECP256K1_API const secp256k1_context *const secp256k1_context_static
A built-in constant secp256k1 context object with static storage duration, to be used in conjunction ...
Definition: secp256k1.h:246
secp256k1_ecdsa_signature_normalize
SECP256K1_API int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:458
secp256k1_context_clone
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:166
secp256k1_context_set_sha256_compression
SECP256K1_API void secp256k1_context_set_sha256_compression(secp256k1_context *ctx, secp256k1_sha256_compression_function fn_compression) SECP256K1_ARG_NONNULL(1)
Set a callback function to override the internal SHA256 compression function.
Definition: secp256k1.c:226
secp256k1_ec_pubkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:722
SECP256K1_EC_UNCOMPRESSED
#define SECP256K1_EC_UNCOMPRESSED
Definition: secp256k1.h:226
secp256k1_ecdsa_signature_serialize_der
SECP256K1_API int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize an ECDSA signature in DER format.
Definition: secp256k1.c:433
secp256k1_ecdsa_signature
struct secp256k1_ecdsa_signature secp256k1_ecdsa_signature
Opaque data structure that holds a parsed ECDSA signature.
secp256k1_ec_pubkey_sort
SECP256K1_API int secp256k1_ec_pubkey_sort(const secp256k1_context *ctx, const secp256k1_pubkey **pubkeys, size_t n_pubkeys) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Sort public keys using lexicographic (of compressed serialization) order.
Definition: secp256k1.c:345
SECP256K1_CONTEXT_VERIFY
#define SECP256K1_CONTEXT_VERIFY
Deprecated context flags.
Definition: secp256k1.h:218
secp256k1_ec_seckey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by adding tweak to it.
Definition: secp256k1.c:699
secp256k1_ec_pubkey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:759
secp256k1_ecdsa_signature_serialize_compact
SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:445
secp256k1_context_preallocated_clone_size
SECP256K1_API size_t secp256k1_context_preallocated_clone_size(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be copied into caller-provided memory.
Definition: secp256k1.c:114
secp256k1_context_preallocated_destroy
SECP256K1_API void secp256k1_context_preallocated_destroy(secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 context object that has been created in caller-provided memory.
Definition: secp256k1.c:179
secp256k1_context_preallocated_create
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_create(void *prealloc, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object in caller-provided memory.
Definition: secp256k1.c:120
secp256k1_context_preallocated_size
SECP256K1_API size_t secp256k1_context_preallocated_size(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be created in caller-provided memory.
Definition: secp256k1.c:94
secp256k1_context_preallocated_clone
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_clone(const secp256k1_context *ctx, void *prealloc) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object into caller-provided memory.
Definition: secp256k1.c:155
ecmult_multi_data
Definition: tests.c:4855
ecmult_multi_data::sc
secp256k1_scalar * sc
Definition: tests.c:4856
ecmult_multi_data::pt
secp256k1_ge * pt
Definition: tests.c:4857
secp256k1_callback::fn
void(* fn)(const char *text, void *data)
Definition: util.h:88
secp256k1_callback::data
const void * data
Definition: util.h:89
secp256k1_context_struct
Definition: secp256k1.c:61
secp256k1_context_struct::illegal_callback
secp256k1_callback illegal_callback
Definition: secp256k1.c:64
secp256k1_context_struct::declassify
int declassify
Definition: secp256k1.c:66
secp256k1_context_struct::error_callback
secp256k1_callback error_callback
Definition: secp256k1.c:65
secp256k1_context_struct::ecmult_gen_ctx
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:62
secp256k1_context_struct::hash_ctx
secp256k1_hash_ctx hash_ctx
Definition: secp256k1.c:63
secp256k1_ecdsa_signature
Opaque data structure that holds a parsed ECDSA signature.
Definition: secp256k1.h:75
secp256k1_ecdsa_signature::data
unsigned char data[64]
Definition: secp256k1.h:76
secp256k1_ecmult_gen_context
Definition: ecmult_gen.h:118
secp256k1_ecmult_gen_context::ge_offset
secp256k1_ge ge_offset
Definition: ecmult_gen.h:129
secp256k1_ecmult_gen_context::built
int built
Definition: ecmult_gen.h:120
secp256k1_ecmult_gen_context::scalar_offset
secp256k1_scalar scalar_offset
Definition: ecmult_gen.h:128
secp256k1_ecmult_gen_context::proj_blind
secp256k1_fe proj_blind
Definition: ecmult_gen.h:133
secp256k1_fe_storage
Definition: field_10x26.h:50
secp256k1_fe
This field implementation represents the value as 10 uint32_t limbs in base 2^26.
Definition: field_10x26.h:14
secp256k1_fe::n
uint32_t n[10]
Definition: field_10x26.h:22
secp256k1_ge_storage
Definition: group.h:38
secp256k1_ge
A group element in affine coordinates on the secp256k1 curve, or occasionally on an isomorphic curve ...
Definition: group.h:16
secp256k1_ge::infinity
int infinity
Definition: group.h:19
secp256k1_ge::x
secp256k1_fe x
Definition: group.h:17
secp256k1_ge::y
secp256k1_fe y
Definition: group.h:18
secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:28
secp256k1_gej::y
secp256k1_fe y
Definition: group.h:30
secp256k1_gej::x
secp256k1_fe x
Definition: group.h:29
secp256k1_gej::infinity
int infinity
Definition: group.h:32
secp256k1_gej::z
secp256k1_fe z
Definition: group.h:31
secp256k1_hash_ctx
Definition: hash.h:13
secp256k1_hash_ctx::fn_sha256_compression
secp256k1_sha256_compression_function fn_sha256_compression
Definition: hash.h:14
secp256k1_hmac_sha256
Definition: hash.h:34
secp256k1_modinv32_modinfo
Definition: modinv32.h:19
secp256k1_modinv32_signed30
Definition: modinv32.h:15
secp256k1_modinv32_signed30::v
int32_t v[9]
Definition: modinv32.h:16
secp256k1_modinv64_modinfo
Definition: modinv64.h:23
secp256k1_modinv64_signed62
Definition: modinv64.h:19
secp256k1_modinv64_signed62::v
int64_t v[5]
Definition: modinv64.h:20
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:62
secp256k1_rfc6979_hmac_sha256
Definition: hash.h:43
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_scratch_space_struct
Definition: scratch.h:12
secp256k1_scratch_space_struct::alloc_size
size_t alloc_size
amount that has been allocated (i.e.
Definition: scratch.h:19
secp256k1_sha256
Definition: hash.h:19
secp256k1_sha256::bytes
uint64_t bytes
Definition: hash.h:22
secp256k1_sha256::s
uint32_t s[8]
Definition: hash.h:20
secp256k1_uint128
Definition: int128_struct.h:7
test_hsort_cmp_data
Definition: tests.c:3796
test_hsort_cmp_data::element_len
size_t element_len
Definition: tests.c:3798
test_hsort_cmp_data::counter
size_t counter
Definition: tests.c:3797
tf_framework
Definition: unit_test.h:95
tf_framework::fn_teardown
teardown_fn fn_teardown
Definition: unit_test.h:106
tf_framework::fn_setup
setup_ctx_fn fn_setup
Definition: unit_test.h:105
tf_framework::registry_no_rng
const struct tf_test_module * registry_no_rng
Definition: unit_test.h:103
tf_framework::registry_modules
const struct tf_test_module * registry_modules
Definition: unit_test.h:99
tf_framework::num_modules
int num_modules
Definition: unit_test.h:101
tf_test_entry
Definition: unit_test.h:53
tf_test_module
Definition: unit_test.h:58
wycheproof_ecdh_testvector::pk_offset
size_t pk_offset
Definition: ecdh_secp256k1_test.h:5
testrand256_test
static void testrand256_test(unsigned char *b32)
Generate a pseudorandom 32-byte array with long sequences of zero and one bits.
testrand256
static void testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
testrand_bits
static SECP256K1_INLINE uint64_t testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
testrand_int
static uint32_t testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
testrand_seed
static SECP256K1_INLINE void testrand_seed(const unsigned char *seed16)
Seed the pseudorandom number generator for testing.
testrand_bytes_test
static void testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
testrand_impl.h
secp256k1_test_state
static uint64_t secp256k1_test_state[4]
Definition: testrand_impl.h:18
run_random_pubkeys
static void run_random_pubkeys(void)
Definition: tests.c:6990
CHECK_ILLEGAL_VOID
#define CHECK_ILLEGAL_VOID(ctx, expr_or_stmt)
Definition: tests.c:71
run_all_proper_context_tests
static void run_all_proper_context_tests(void)
Definition: tests.c:360
test_wnaf
static void test_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:5475
run_inverse_tests
static void run_inverse_tests(void)
Definition: tests.c:3528
counting_callback_fn
static void counting_callback_fn(const char *str, void *data)
Definition: tests.c:82
mutate_sign_signed30
static void mutate_sign_signed30(secp256k1_modinv32_signed30 *x)
Definition: tests.c:1023
ec_pubkey_parse_pointtest
static void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid)
Definition: tests.c:5902
registry_modules_no_rng
static const struct tf_test_module registry_modules_no_rng
Definition: tests.c:7914
test_ecdsa_sign_verify
static void test_ecdsa_sign_verify(void)
Definition: tests.c:6517
test_ge
static void test_ge(void)
Definition: tests.c:3870
CHECK_ERROR_VOID
#define CHECK_ERROR_VOID(ctx, expr_or_stmt)
Definition: tests.c:69
tests_field
static const struct tf_test_entry tests_field[]
Definition: tests.c:7949
run_pubkey_comparison
static void run_pubkey_comparison(void)
Definition: tests.c:6790
run_ecdsa_sign_verify
static void run_ecdsa_sign_verify(void)
Definition: tests.c:6544
run_field_misc
static void run_field_misc(void)
Definition: tests.c:3212
good_sha256_compression
static void good_sha256_compression(uint32_t *s, const unsigned char *msg, size_t rounds)
Definition: tests.c:442
test_ecmult_gen_blind_reset
static void test_ecmult_gen_blind_reset(void)
Definition: tests.c:5812
run_ec_pubkey_parse_test
static void run_ec_pubkey_parse_test(void)
Definition: tests.c:5969
run_static_context_tests
static void run_static_context_tests(int use_prealloc)
Definition: tests.c:191
random_sign
static void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid)
Definition: tests.c:6510
nonce_function_test_fail
static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:6560
nonce_function_test_retry
static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:6568
SECP256K1_EC_PARSE_TEST_NINVALID
#define SECP256K1_EC_PARSE_TEST_NINVALID
test_ecmult_multi_random
static int test_ecmult_multi_random(secp256k1_scratch *scratch)
Definition: tests.c:5098
mulmod256
static void mulmod256(uint16_t *out, const uint16_t *a, const uint16_t *b, const uint16_t *m)
Definition: tests.c:921
tests_group
static const struct tf_test_entry tests_group[]
Definition: tests.c:7959
test_sha256_tag_midstate
static void test_sha256_tag_midstate(const secp256k1_hash_ctx *hash_ctx, secp256k1_sha256 *sha_tagged, const unsigned char *tag, size_t taglen)
Definition: tests.c:770
ecmult_const_check_result
static void ecmult_const_check_result(const secp256k1_ge *A, const secp256k1_scalar *q, const secp256k1_gej *res)
Definition: tests.c:4729
test_sort
static void test_sort(void)
Definition: tests.c:6893
CHECK_ILLEGAL
#define CHECK_ILLEGAL(ctx, expr)
Definition: tests.c:79
gej_xyz_equals_gej
static int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:3849
ecmult_gen_context_eq
static int ecmult_gen_context_eq(const secp256k1_ecmult_gen_context *a, const secp256k1_ecmult_gen_context *b)
Definition: tests.c:125
run_tagged_sha256_tests
static void run_tagged_sha256_tests(void)
Definition: tests.c:863
run_sha256_counter_tests
static void run_sha256_counter_tests(void)
SHA256 counter tests.
Definition: tests.c:699
test_fixed_wnaf_small_helper
static void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w)
Definition: tests.c:5545
test_hsort_cmp
static int test_hsort_cmp(const void *ele1, const void *ele2, void *data)
Definition: tests.c:3802
all_bytes_equal
static int all_bytes_equal(const void *s, unsigned char value, size_t n)
Definition: tests.c:45
test_fixed_wnaf_small
static void test_fixed_wnaf_small(void)
Definition: tests.c:5555
main
int main(int argc, char **argv)
Definition: tests.c:8069
run_plug_sha256_compression_tests
static void run_plug_sha256_compression_tests(void)
Definition: tests.c:447
run_ecmult_const_tests
static void run_ecmult_const_tests(void)
Definition: tests.c:4846
fe_identical
static int fe_identical(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:3156
SECP256K1_EC_PARSE_TEST_NVALID
#define SECP256K1_EC_PARSE_TEST_NVALID
run_eckey_edge_case_test
static void run_eckey_edge_case_test(void)
Definition: tests.c:6254
teardown
static int teardown(void)
Definition: tests.c:8063
run_pubkey_sort
static void run_pubkey_sort(void)
Definition: tests.c:6983
random_fe_non_square
static void random_fe_non_square(secp256k1_fe *ns)
Definition: tests.c:3044
run_secp256k1_byteorder_tests
static void run_secp256k1_byteorder_tests(void)
Definition: tests.c:7725
run_ecmult_constants
static void run_ecmult_constants(void)
Definition: tests.c:5755
run_field_be32_overflow
static void run_field_be32_overflow(void)
Definition: tests.c:3089
test_modinv32_uint16
static void test_modinv32_uint16(uint16_t *out, const uint16_t *in, const uint16_t *mod)
Definition: tests.c:1038
run_ecmult_chain
static void run_ecmult_chain(void)
Definition: tests.c:4453
tests_utils
static const struct tf_test_entry tests_utils[]
Definition: tests.c:7998
test_inverse_field
static void test_inverse_field(secp256k1_fe *out, const secp256k1_fe *x, int var)
Definition: tests.c:3503
run_ec_combine
static void run_ec_combine(void)
Definition: tests.c:4326
registry_modules
static const struct tf_test_module registry_modules[]
Definition: tests.c:8007
run_deprecated_context_flags_test
static void run_deprecated_context_flags_test(void)
Definition: tests.c:142
CTX
static secp256k1_context * CTX
Definition: tests.c:42
run_point_times_order
static void run_point_times_order(void)
Definition: tests.c:4627
random_ber_signature
static void random_ber_signature(unsigned char *sig, size_t *len, int *certainly_der, int *certainly_not_der)
Definition: tests.c:7103
test_sort_vectors
static void test_sort_vectors(void)
Definition: tests.c:6939
CONDITIONAL_TEST
#define CONDITIONAL_TEST(cnt, nam)
Definition: tests.c:40
ecmult_const_commutativity
static void ecmult_const_commutativity(void)
Definition: tests.c:4675
int_cmov_test
static void int_cmov_test(void)
Definition: tests.c:7753
tests_ecdsa
static const struct tf_test_entry tests_ecdsa[]
Definition: tests.c:7985
test_ge_bytes
static void test_ge_bytes(void)
Definition: tests.c:4219
test_add_neg_y_diff_x
static void test_add_neg_y_diff_x(void)
Definition: tests.c:4159
test_ecmult_accumulate
static void test_ecmult_accumulate(secp256k1_sha256 *acc, const secp256k1_scalar *x, secp256k1_scratch *scratch)
Definition: tests.c:5636
test_point_times_order
static void test_point_times_order(const secp256k1_gej *point)
Definition: tests.c:4512
assign_big_endian
static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val)
Definition: tests.c:7064
tests_ec
static const struct tf_test_entry tests_ec[]
Definition: tests.c:7978
run_hmac_sha256_tests
static void run_hmac_sha256_tests(void)
Definition: tests.c:776
fe_equal
static int fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:3052
test_ecmult_multi_batch_single
static void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:5264
signed30_to_uint16
static void signed30_to_uint16(uint16_t *out, const secp256k1_modinv32_signed30 *in)
Definition: tests.c:1014
run_secp256k1_is_zero_array_test
static void run_secp256k1_is_zero_array_test(void)
Definition: tests.c:7714
tests_no_rng
static const struct tf_test_entry tests_no_rng[]
Definition: tests.c:7911
is_empty_signature
static int is_empty_signature(const secp256k1_ecdsa_signature *sig)
Definition: tests.c:6592
run_field_half
static void run_field_half(void)
Definition: tests.c:3163
run_eckey_negate_test
static void run_eckey_negate_test(void)
Definition: tests.c:6480
scalar_test
static void scalar_test(void)
Definition: tests.c:2183
run_scalar_set_b32_seckey_tests
static void run_scalar_set_b32_seckey_tests(void)
Definition: tests.c:2338
test_ecmult_multi
static void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:4875
run_hsort_tests
static void run_hsort_tests(void)
Definition: tests.c:3839
precomputed_nonce_function
static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted.
Definition: tests.c:6552
test_hsort_is_sorted
static void test_hsort_is_sorted(unsigned char *elements, size_t n, size_t len)
Definition: tests.c:3789
run_gej
static void run_gej(void)
Definition: tests.c:4265
tests_integer
static const struct tf_test_entry tests_integer[]
Definition: tests.c:7927
run_ge
static void run_ge(void)
Definition: tests.c:4247
MAX_ELEMENT_LEN
#define MAX_ELEMENT_LEN
Definition: tests.c:3809
ge_storage_cmov_test
static void ge_storage_cmov_test(void)
Definition: tests.c:7866
scalar_minus_one
static const secp256k1_scalar scalar_minus_one
Definition: tests.c:3464
fe_storage_cmov_test
static void fe_storage_cmov_test(void)
Definition: tests.c:7808
test_ec_combine
static void test_ec_combine(void)
Definition: tests.c:4301
test_secp256k1_pippenger_bucket_window_inv
static void test_secp256k1_pippenger_bucket_window_inv(void)
Definition: tests.c:5282
test_ecmult_gen_edge_cases
static void test_ecmult_gen_edge_cases(void)
Definition: tests.c:5826
run_ctz_tests
static void run_ctz_tests(void)
Definition: tests.c:576
test_sort_helper
static void test_sort_helper(secp256k1_pubkey *pk, size_t *pk_order, size_t n_pk)
Definition: tests.c:6835
test_ecmult_multi_pippenger_max_points
static void test_ecmult_multi_pippenger_max_points(void)
Probabilistically test the function returning the maximum number of possible points for a given scrat...
Definition: tests.c:5302
run_scalar_tests
static void run_scalar_tests(void)
Definition: tests.c:2402
test_random_pubkeys
static void test_random_pubkeys(void)
Definition: tests.c:6728
test_gej_cmov
static void test_gej_cmov(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:4257
test_heap_swap
static void test_heap_swap(void)
Definition: tests.c:3776
test_sqrt
static void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k)
Definition: tests.c:3412
scalar_cmov_test
static void scalar_cmov_test(void)
Definition: tests.c:7838
tests_hash
static const struct tf_test_entry tests_hash[]
Definition: tests.c:7936
run_ecmult_gen_blind
static void run_ecmult_gen_blind(void)
Definition: tests.c:5844
test_ecdsa_end_to_end
static void test_ecdsa_end_to_end(void)
Definition: tests.c:6597
tests_ecmult
static const struct tf_test_entry tests_ecmult[]
Definition: tests.c:7965
run_sha256_known_output_tests
static void run_sha256_known_output_tests(void)
Definition: tests.c:597
test_ecmult_target
static void test_ecmult_target(const secp256k1_scalar *target, int mode)
Definition: tests.c:4577
NUM
#define NUM
Definition: tests.c:3808
CHECK_ERROR
#define CHECK_ERROR(ctx, expr)
Definition: tests.c:80
run_ecdsa_end_to_end
static void run_ecdsa_end_to_end(void)
Definition: tests.c:6997
ecmult_multi_callback
static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:4860
ecmult_const_mult_xonly
static void ecmult_const_mult_xonly(void)
Definition: tests.c:4765
run_proper_context_tests
static void run_proper_context_tests(int use_prealloc)
Definition: tests.c:238
tests_general
static const struct tf_test_entry tests_general[]
Definition: tests.c:7917
test_fe_mul
static void test_fe_mul(const secp256k1_fe *a, const secp256k1_fe *b, int use_sqr)
Definition: tests.c:3319
test_group_decompress
static void test_group_decompress(const secp256k1_fe *x)
Definition: tests.c:4333
test_scalar_check_overflow
static void test_scalar_check_overflow(void)
Definition: tests.c:2355
test_ecmult_constants_2bit
static void test_ecmult_constants_2bit(void)
Definition: tests.c:5667
run_cmov_tests
static void run_cmov_tests(void)
Definition: tests.c:7898
permute
static void permute(size_t *arr, size_t n)
Definition: tests.c:6848
run_sha256_multi_block_compression_tests
static void run_sha256_multi_block_compression_tests(void)
Definition: tests.c:483
tests_scalar
static const struct tf_test_entry tests_scalar[]
Definition: tests.c:7945
test_initialized_inf
static void test_initialized_inf(void)
Definition: tests.c:4127
run_ecdsa_der_parse
static void run_ecdsa_der_parse(void)
Definition: tests.c:7249
ecmult_const_random_mult
static void ecmult_const_random_mult(void)
Definition: tests.c:4648
test_scalar_split
static void test_scalar_split(const secp256k1_scalar *full)
Definition: tests.c:5854
run_field_convert
static void run_field_convert(void)
Definition: tests.c:3059
test_ecdsa_der_parse
static int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der)
Definition: tests.c:7004
run_ec_illegal_argument_tests
static void run_ec_illegal_argument_tests(void)
Definition: tests.c:160
run_ecdsa_wycheproof
static void run_ecdsa_wycheproof(void)
Definition: tests.c:7670
test_ecmult_constants_sha
static void test_ecmult_constants_sha(uint32_t prefix, size_t iter, const unsigned char *expected32)
Definition: tests.c:5711
invalid_sha256_compression
static void invalid_sha256_compression(uint32_t *s, const unsigned char *msg, size_t rounds)
Definition: tests.c:437
test_ecmult_multi_batching
static void test_ecmult_multi_batching(void)
Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to 1 <= i <= num points...
Definition: tests.c:5383
run_all_static_context_tests
static void run_all_static_context_tests(void)
Definition: tests.c:232
run_sqrt
static void run_sqrt(void)
Definition: tests.c:3426
run_modinv_tests
static void run_modinv_tests(void)
Definition: tests.c:1219
scalars_near_split_bounds
static const secp256k1_scalar scalars_near_split_bounds[20]
Definition: tests.c:4554
uint16_to_signed30
static void uint16_to_signed30(secp256k1_modinv32_signed30 *out, const uint16_t *in)
Definition: tests.c:1005
run_xoshiro256pp_tests
static void run_xoshiro256pp_tests(void)
Definition: tests.c:91
run_wnaf
static void run_wnaf(void)
Definition: tests.c:5609
run_ecmult_multi_tests
static void run_ecmult_multi_tests(void)
Definition: tests.c:5448
run_selftest_tests
static void run_selftest_tests(void)
Definition: tests.c:120
coprime
static int coprime(const uint16_t *a, const uint16_t *b)
Definition: tests.c:1189
run_sqr
static void run_sqr(void)
Definition: tests.c:3383
context_eq
static int context_eq(const secp256k1_context *a, const secp256k1_context *b)
Definition: tests.c:132
test_ecmult_multi_batch_size_helper
static void test_ecmult_multi_batch_size_helper(void)
Definition: tests.c:5335
run_endomorphism_tests
static void run_endomorphism_tests(void)
Definition: tests.c:5881
run_scratch_tests
static void run_scratch_tests(void)
Definition: tests.c:366
test_ecdsa_wycheproof
static void test_ecdsa_wycheproof(void)
Wycheproof tests.
Definition: tests.c:7639
run_ecmult_near_split_bound
static void run_ecmult_near_split_bound(void)
Definition: tests.c:4615
run_ecdsa_edge_cases
static void run_ecdsa_edge_cases(void)
Definition: tests.c:7281
fe_cmov_test
static void fe_cmov_test(void)
Definition: tests.c:7778
run_group_decompress
static void run_group_decompress(void)
Definition: tests.c:4368
ecmult_const_mult_zero_one
static void ecmult_const_mult_zero_one(void)
Definition: tests.c:4696
test_ecmult_accumulate_cb
static int test_ecmult_accumulate_cb(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *data)
Definition: tests.c:5628
ecmult_const_edges
static void ecmult_const_edges(void)
Definition: tests.c:4738
run_sha256_initialize_midstate_tests
static void run_sha256_initialize_midstate_tests(void)
Definition: tests.c:887
ecmult_const_chain_multiply
static void ecmult_const_chain_multiply(void)
Definition: tests.c:4820
run_ecmult_pre_g
static void run_ecmult_pre_g(void)
Definition: tests.c:4429
ecmult_multi_false_callback
static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:4867
test_sha256_eq
static void test_sha256_eq(const secp256k1_sha256 *sha1, const secp256k1_sha256 *sha2)
Definition: tests.c:761
test_pre_g_table
static void test_pre_g_table(const secp256k1_ge_storage *pre_g, size_t n)
Definition: tests.c:4379
test_hsort
static void test_hsort(size_t element_len)
Definition: tests.c:3810
test_sort_api
static void test_sort_api(void)
Definition: tests.c:6859
setup
static int setup(void)
Definition: tests.c:8040
STATIC_CTX
static secp256k1_context * STATIC_CTX
Definition: tests.c:43
test_fixed_wnaf
static void test_fixed_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:5509
test_inverse_scalar
static void test_inverse_scalar(secp256k1_scalar *out, const secp256k1_scalar *x, int var)
Definition: tests.c:3481
test_ecmult_gen_blind
static void test_ecmult_gen_blind(void)
Definition: tests.c:5789
run_secp256k1_memczero_test
static void run_secp256k1_memczero_test(void)
Definition: tests.c:7698
own_transform_called
static int own_transform_called
Definition: tests.c:441
run_fe_mul
static void run_fe_mul(void)
Definition: tests.c:3362
SECP256K1_EC_PARSE_TEST_NXVALID
#define SECP256K1_EC_PARSE_TEST_NXVALID
damage_array
static void damage_array(unsigned char *sig, size_t *len)
Definition: tests.c:7076
ecdsa_ctx_sha256
static void ecdsa_ctx_sha256(void)
Definition: tests.c:7615
fe_minus_one
static const secp256k1_fe fe_minus_one
Definition: tests.c:3469
run_rfc6979_hmac_sha256_tests
static void run_rfc6979_hmac_sha256_tests(void)
Definition: tests.c:821
modinv2p64
static uint64_t modinv2p64(uint64_t x)
Definition: tests.c:904
testutil_random_fe_test
static void testutil_random_fe_test(secp256k1_fe *x)
Definition: testutil.h:63
testutil_random_pubkey_test
static void testutil_random_pubkey_test(secp256k1_pubkey *pk)
Definition: testutil.h:123
testutil_random_gej_y_magnitude
static void testutil_random_gej_y_magnitude(secp256k1_gej *gej)
Definition: testutil.h:91
secp256k1_group_order_bytes
static const unsigned char secp256k1_group_order_bytes[32]
Definition: testutil.h:24
testutil_random_fe_non_zero
static void testutil_random_fe_non_zero(secp256k1_fe *nz)
Definition: testutil.h:41
testutil_random_scalar_order
static void testutil_random_scalar_order(secp256k1_scalar *num)
Definition: testutil.h:142
DEFINE_SHA256_TRANSFORM_PROBE
#define DEFINE_SHA256_TRANSFORM_PROBE(name)
Definition: testutil.h:15
testutil_random_gej_test
static void testutil_random_gej_test(secp256k1_gej *gej)
Definition: testutil.h:117
testutil_random_scalar_order_test
static void testutil_random_scalar_order_test(secp256k1_scalar *num)
Definition: testutil.h:129
testutil_random_scalar_order_b32
static void testutil_random_scalar_order_b32(unsigned char *b32)
Definition: testutil.h:155
testutil_random_fe
static void testutil_random_fe(secp256k1_fe *x)
Definition: testutil.h:31
testutil_random_fe_non_zero_test
static void testutil_random_fe_non_zero_test(secp256k1_fe *fe)
Definition: testutil.h:73
testutil_random_gej_x_magnitude
static void testutil_random_gej_x_magnitude(secp256k1_gej *gej)
Definition: testutil.h:87
testutil_random_fe_magnitude
static void testutil_random_fe_magnitude(secp256k1_fe *fe, int m)
Definition: testutil.h:47
testutil_random_ge_x_magnitude
static void testutil_random_ge_x_magnitude(secp256k1_ge *ge)
Definition: testutil.h:79
testutil_random_gej_z_magnitude
static void testutil_random_gej_z_magnitude(secp256k1_gej *gej)
Definition: testutil.h:95
testutil_random_ge_test
static void testutil_random_ge_test(secp256k1_ge *ge)
Definition: testutil.h:99
testutil_random_ge_y_magnitude
static void testutil_random_ge_y_magnitude(secp256k1_ge *ge)
Definition: testutil.h:83
testutil_random_ge_jacobian_test
static void testutil_random_ge_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge)
Definition: testutil.h:110
unit_test.c
COUNT
int COUNT
Definition: unit_test.c:23
tf_init
static int tf_init(struct tf_framework *tf, int argc, char **argv)
Definition: unit_test.c:349
tf_run
static int tf_run(struct tf_framework *tf)
Definition: unit_test.c:411
unit_test.h
CASE1
#define CASE1(name)
Definition: unit_test.h:27
CASE
#define CASE(name)
Definition: unit_test.h:26
MAKE_TEST_MODULE
#define MAKE_TEST_MODULE(name)
Definition: unit_test.h:29
expect
#define expect(bit)
Definition: univalue_read.cpp:258
Generated on Wed Apr 29 2026 20:00:28 for Bitcoin Core by doxygen 1.9.4