Bitcoin Core  0.19.99
P2P Digital Currency
tests.c
Go to the documentation of this file.
1 /**********************************************************************
2  * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5  **********************************************************************/
6 
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
9 #endif
10 
11 #include <stdio.h>
12 #include <stdlib.h>
13 #include <string.h>
14 
15 #include <time.h>
16 
17 #include "secp256k1.c"
18 #include "include/secp256k1.h"
19 #include "testrand_impl.h"
20 
21 #ifdef ENABLE_OPENSSL_TESTS
22 #include "openssl/bn.h"
23 #include "openssl/ec.h"
24 #include "openssl/ecdsa.h"
25 #include "openssl/obj_mac.h"
26 # if OPENSSL_VERSION_NUMBER < 0x10100000L
27 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {*pr = sig->r; *ps = sig->s;}
28 # endif
29 #endif
30 
31 #include "contrib/lax_der_parsing.c"
32 #include "contrib/lax_der_privatekey_parsing.c"
33 
34 #if !defined(VG_CHECK)
35 # if defined(VALGRIND)
36 # include <valgrind/memcheck.h>
37 # define VG_UNDEF(x,y) VALGRIND_MAKE_MEM_UNDEFINED((x),(y))
38 # define VG_CHECK(x,y) VALGRIND_CHECK_MEM_IS_DEFINED((x),(y))
39 # else
40 # define VG_UNDEF(x,y)
41 # define VG_CHECK(x,y)
42 # endif
43 #endif
44 
45 static int count = 64;
46 static secp256k1_context *ctx = NULL;
47 
48 static void counting_illegal_callback_fn(const char* str, void* data) {
49  /* Dummy callback function that just counts. */
50  int32_t *p;
51  (void)str;
52  p = data;
53  (*p)++;
54 }
55 
56 static void uncounting_illegal_callback_fn(const char* str, void* data) {
57  /* Dummy callback function that just counts (backwards). */
58  int32_t *p;
59  (void)str;
60  p = data;
61  (*p)--;
62 }
63 
64 void random_field_element_test(secp256k1_fe *fe) {
65  do {
66  unsigned char b32[32];
67  secp256k1_rand256_test(b32);
68  if (secp256k1_fe_set_b32(fe, b32)) {
69  break;
70  }
71  } while(1);
72 }
73 
74 void random_field_element_magnitude(secp256k1_fe *fe) {
75  secp256k1_fe zero;
76  int n = secp256k1_rand_int(9);
77  secp256k1_fe_normalize(fe);
78  if (n == 0) {
79  return;
80  }
81  secp256k1_fe_clear(&zero);
82  secp256k1_fe_negate(&zero, &zero, 0);
83  secp256k1_fe_mul_int(&zero, n - 1);
84  secp256k1_fe_add(fe, &zero);
85  VERIFY_CHECK(fe->magnitude == n);
86 }
87 
88 void random_group_element_test(secp256k1_ge *ge) {
89  secp256k1_fe fe;
90  do {
91  random_field_element_test(&fe);
92  if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand_bits(1))) {
93  secp256k1_fe_normalize(&ge->y);
94  break;
95  }
96  } while(1);
97 }
98 
99 void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
100  secp256k1_fe z2, z3;
101  do {
102  random_field_element_test(&gej->z);
103  if (!secp256k1_fe_is_zero(&gej->z)) {
104  break;
105  }
106  } while(1);
107  secp256k1_fe_sqr(&z2, &gej->z);
108  secp256k1_fe_mul(&z3, &z2, &gej->z);
109  secp256k1_fe_mul(&gej->x, &ge->x, &z2);
110  secp256k1_fe_mul(&gej->y, &ge->y, &z3);
111  gej->infinity = ge->infinity;
112 }
113 
114 void random_scalar_order_test(secp256k1_scalar *num) {
115  do {
116  unsigned char b32[32];
117  int overflow = 0;
118  secp256k1_rand256_test(b32);
119  secp256k1_scalar_set_b32(num, b32, &overflow);
120  if (overflow || secp256k1_scalar_is_zero(num)) {
121  continue;
122  }
123  break;
124  } while(1);
125 }
126 
127 void random_scalar_order(secp256k1_scalar *num) {
128  do {
129  unsigned char b32[32];
130  int overflow = 0;
131  secp256k1_rand256(b32);
132  secp256k1_scalar_set_b32(num, b32, &overflow);
133  if (overflow || secp256k1_scalar_is_zero(num)) {
134  continue;
135  }
136  break;
137  } while(1);
138 }
139 
140 void run_context_tests(void) {
141  secp256k1_pubkey pubkey;
142  secp256k1_pubkey zero_pubkey;
143  secp256k1_ecdsa_signature sig;
144  unsigned char ctmp[32];
145  int32_t ecount;
146  int32_t ecount2;
147  secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
148  secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
149  secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
150  secp256k1_context *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
151 
152  secp256k1_gej pubj;
153  secp256k1_ge pub;
154  secp256k1_scalar msg, key, nonce;
155  secp256k1_scalar sigr, sigs;
156 
157  memset(&zero_pubkey, 0, sizeof(zero_pubkey));
158 
159  ecount = 0;
160  ecount2 = 10;
161  secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
162  secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
163  secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, NULL);
164  CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
165 
166  /*** clone and destroy all of them to make sure cloning was complete ***/
167  {
168  secp256k1_context *ctx_tmp;
169 
170  ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_destroy(ctx_tmp);
171  ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_destroy(ctx_tmp);
172  ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_destroy(ctx_tmp);
173  ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_destroy(ctx_tmp);
174  }
175 
176  /* Verify that the error callback makes it across the clone. */
177  CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
178  /* And that it resets back to default. */
179  secp256k1_context_set_error_callback(sign, NULL, NULL);
180  CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
181 
182  /*** attempt to use them ***/
183  random_scalar_order_test(&msg);
184  random_scalar_order_test(&key);
185  secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
186  secp256k1_ge_set_gej(&pub, &pubj);
187 
188  /* Verify context-type checking illegal-argument errors. */
189  memset(ctmp, 1, 32);
190  CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
191  CHECK(ecount == 1);
192  VG_UNDEF(&pubkey, sizeof(pubkey));
193  CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
194  VG_CHECK(&pubkey, sizeof(pubkey));
195  CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
196  CHECK(ecount == 2);
197  VG_UNDEF(&sig, sizeof(sig));
198  CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
199  VG_CHECK(&sig, sizeof(sig));
200  CHECK(ecount2 == 10);
201  CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
202  CHECK(ecount2 == 11);
203  CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
204  CHECK(ecount == 2);
205  CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
206  CHECK(ecount2 == 12);
207  CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
208  CHECK(ecount == 2);
209  CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
210  CHECK(ecount2 == 13);
211  CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
212  CHECK(ecount == 2);
213  CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
214  CHECK(ecount == 2);
215  CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
216  CHECK(ecount2 == 14);
217  CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
218  CHECK(ecount == 3);
219  CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
220  CHECK(ecount == 3);
221  CHECK(secp256k1_context_randomize(vrfy, ctmp) == 1);
222  CHECK(ecount == 3);
223  CHECK(secp256k1_context_randomize(vrfy, NULL) == 1);
224  CHECK(ecount == 3);
225  CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
226  CHECK(ecount2 == 14);
227  CHECK(secp256k1_context_randomize(sign, NULL) == 1);
228  CHECK(ecount2 == 14);
229  secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
230  secp256k1_context_set_illegal_callback(sign, NULL, NULL);
231 
232  /* This shouldn't leak memory, due to already-set tests. */
233  secp256k1_ecmult_gen_context_build(&sign->ecmult_gen_ctx, NULL);
234  secp256k1_ecmult_context_build(&vrfy->ecmult_ctx, NULL);
235 
236  /* obtain a working nonce */
237  do {
238  random_scalar_order_test(&nonce);
239  } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
240 
241  /* try signing */
242  CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
243  CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
244 
245  /* try verifying */
246  CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
247  CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
248 
249  /* cleanup */
250  secp256k1_context_destroy(none);
251  secp256k1_context_destroy(sign);
252  secp256k1_context_destroy(vrfy);
253  secp256k1_context_destroy(both);
254  /* Defined as no-op. */
255  secp256k1_context_destroy(NULL);
256 }
257 
258 void run_scratch_tests(void) {
259  int32_t ecount = 0;
260  secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
261  secp256k1_scratch_space *scratch;
262 
263  /* Test public API */
264  secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
265 
266  scratch = secp256k1_scratch_space_create(none, 1000);
267  CHECK(scratch != NULL);
268  CHECK(ecount == 0);
269 
270  /* Test internal API */
271  CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
272  CHECK(secp256k1_scratch_max_allocation(scratch, 1) < 1000);
273 
274  /* Allocating 500 bytes with no frame fails */
275  CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL);
276  CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
277 
278  /* ...but pushing a new stack frame does affect the max allocation */
279  CHECK(secp256k1_scratch_allocate_frame(scratch, 500, 1 == 1));
280  CHECK(secp256k1_scratch_max_allocation(scratch, 1) < 500); /* 500 - ALIGNMENT */
281  CHECK(secp256k1_scratch_alloc(scratch, 500) != NULL);
282  CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL);
283 
284  CHECK(secp256k1_scratch_allocate_frame(scratch, 500, 1) == 0);
285 
286  /* ...and this effect is undone by popping the frame */
287  secp256k1_scratch_deallocate_frame(scratch);
288  CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
289  CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL);
290 
291  /* cleanup */
292  secp256k1_scratch_space_destroy(scratch);
293  secp256k1_context_destroy(none);
294 }
295 
296 /***** HASH TESTS *****/
297 
298 void run_sha256_tests(void) {
299  static const char *inputs[8] = {
300  "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
301  "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
302  "For this sample, this 63-byte string will be used as input data",
303  "This is exactly 64 bytes long, not counting the terminating byte"
304  };
305  static const unsigned char outputs[8][32] = {
306  {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
307  {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
308  {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
309  {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
310  {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
311  {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
312  {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
313  {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
314  };
315  int i;
316  for (i = 0; i < 8; i++) {
317  unsigned char out[32];
318  secp256k1_sha256 hasher;
319  secp256k1_sha256_initialize(&hasher);
320  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
321  secp256k1_sha256_finalize(&hasher, out);
322  CHECK(memcmp(out, outputs[i], 32) == 0);
323  if (strlen(inputs[i]) > 0) {
324  int split = secp256k1_rand_int(strlen(inputs[i]));
325  secp256k1_sha256_initialize(&hasher);
326  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
327  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
328  secp256k1_sha256_finalize(&hasher, out);
329  CHECK(memcmp(out, outputs[i], 32) == 0);
330  }
331  }
332 }
333 
334 void run_hmac_sha256_tests(void) {
335  static const char *keys[6] = {
336  "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
337  "\x4a\x65\x66\x65",
338  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
339  "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
340  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
341  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
342  };
343  static const char *inputs[6] = {
344  "\x48\x69\x20\x54\x68\x65\x72\x65",
345  "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
346  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
347  "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
348  "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
349  "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
350  };
351  static const unsigned char outputs[6][32] = {
352  {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
353  {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
354  {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
355  {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
356  {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
357  {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
358  };
359  int i;
360  for (i = 0; i < 6; i++) {
361  secp256k1_hmac_sha256 hasher;
362  unsigned char out[32];
363  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
364  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
365  secp256k1_hmac_sha256_finalize(&hasher, out);
366  CHECK(memcmp(out, outputs[i], 32) == 0);
367  if (strlen(inputs[i]) > 0) {
368  int split = secp256k1_rand_int(strlen(inputs[i]));
369  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
370  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
371  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
372  secp256k1_hmac_sha256_finalize(&hasher, out);
373  CHECK(memcmp(out, outputs[i], 32) == 0);
374  }
375  }
376 }
377 
378 void run_rfc6979_hmac_sha256_tests(void) {
379  static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
380  static const unsigned char out1[3][32] = {
381  {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
382  {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
383  {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
384  };
385 
386  static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
387  static const unsigned char out2[3][32] = {
388  {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
389  {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
390  {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
391  };
392 
393  secp256k1_rfc6979_hmac_sha256 rng;
394  unsigned char out[32];
395  int i;
396 
397  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
398  for (i = 0; i < 3; i++) {
399  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
400  CHECK(memcmp(out, out1[i], 32) == 0);
401  }
402  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
403 
404  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
405  for (i = 0; i < 3; i++) {
406  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
407  CHECK(memcmp(out, out1[i], 32) != 0);
408  }
409  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
410 
411  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
412  for (i = 0; i < 3; i++) {
413  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
414  CHECK(memcmp(out, out2[i], 32) == 0);
415  }
416  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
417 }
418 
419 /***** RANDOM TESTS *****/
420 
421 void test_rand_bits(int rand32, int bits) {
422  /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
423  * get a false negative chance below once in a billion */
424  static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
425  /* We try multiplying the results with various odd numbers, which shouldn't
426  * influence the uniform distribution modulo a power of 2. */
427  static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
428  /* We only select up to 6 bits from the output to analyse */
429  unsigned int usebits = bits > 6 ? 6 : bits;
430  unsigned int maxshift = bits - usebits;
431  /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
432  number, track all observed outcomes, one per bit in a uint64_t. */
433  uint64_t x[6][27] = {{0}};
434  unsigned int i, shift, m;
435  /* Multiply the output of all rand calls with the odd number m, which
436  should not change the uniformity of its distribution. */
437  for (i = 0; i < rounds[usebits]; i++) {
438  uint32_t r = (rand32 ? secp256k1_rand32() : secp256k1_rand_bits(bits));
439  CHECK((((uint64_t)r) >> bits) == 0);
440  for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
441  uint32_t rm = r * mults[m];
442  for (shift = 0; shift <= maxshift; shift++) {
443  x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
444  }
445  }
446  }
447  for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
448  for (shift = 0; shift <= maxshift; shift++) {
449  /* Test that the lower usebits bits of x[shift] are 1 */
450  CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
451  }
452  }
453 }
454 
455 /* Subrange must be a whole divisor of range, and at most 64 */
456 void test_rand_int(uint32_t range, uint32_t subrange) {
457  /* (1-1/subrange)^rounds < 1/10^9 */
458  int rounds = (subrange * 2073) / 100;
459  int i;
460  uint64_t x = 0;
461  CHECK((range % subrange) == 0);
462  for (i = 0; i < rounds; i++) {
463  uint32_t r = secp256k1_rand_int(range);
464  CHECK(r < range);
465  r = r % subrange;
466  x |= (((uint64_t)1) << r);
467  }
468  /* Test that the lower subrange bits of x are 1. */
469  CHECK(((~x) << (64 - subrange)) == 0);
470 }
471 
472 void run_rand_bits(void) {
473  size_t b;
474  test_rand_bits(1, 32);
475  for (b = 1; b <= 32; b++) {
476  test_rand_bits(0, b);
477  }
478 }
479 
480 void run_rand_int(void) {
481  static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
482  static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
483  unsigned int m, s;
484  for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
485  for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
486  test_rand_int(ms[m] * ss[s], ss[s]);
487  }
488  }
489 }
490 
491 /***** NUM TESTS *****/
492 
493 #ifndef USE_NUM_NONE
494 void random_num_negate(secp256k1_num *num) {
495  if (secp256k1_rand_bits(1)) {
496  secp256k1_num_negate(num);
497  }
498 }
499 
500 void random_num_order_test(secp256k1_num *num) {
501  secp256k1_scalar sc;
502  random_scalar_order_test(&sc);
503  secp256k1_scalar_get_num(num, &sc);
504 }
505 
506 void random_num_order(secp256k1_num *num) {
507  secp256k1_scalar sc;
508  random_scalar_order(&sc);
509  secp256k1_scalar_get_num(num, &sc);
510 }
511 
512 void test_num_negate(void) {
513  secp256k1_num n1;
514  secp256k1_num n2;
515  random_num_order_test(&n1); /* n1 = R */
516  random_num_negate(&n1);
517  secp256k1_num_copy(&n2, &n1); /* n2 = R */
518  secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
519  CHECK(secp256k1_num_is_zero(&n1));
520  secp256k1_num_copy(&n1, &n2); /* n1 = R */
521  secp256k1_num_negate(&n1); /* n1 = -R */
522  CHECK(!secp256k1_num_is_zero(&n1));
523  secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
524  CHECK(secp256k1_num_is_zero(&n1));
525  secp256k1_num_copy(&n1, &n2); /* n1 = R */
526  secp256k1_num_negate(&n1); /* n1 = -R */
527  CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
528  secp256k1_num_negate(&n1); /* n1 = R */
529  CHECK(secp256k1_num_eq(&n1, &n2));
530 }
531 
532 void test_num_add_sub(void) {
533  int i;
534  secp256k1_scalar s;
535  secp256k1_num n1;
536  secp256k1_num n2;
537  secp256k1_num n1p2, n2p1, n1m2, n2m1;
538  random_num_order_test(&n1); /* n1 = R1 */
539  if (secp256k1_rand_bits(1)) {
540  random_num_negate(&n1);
541  }
542  random_num_order_test(&n2); /* n2 = R2 */
543  if (secp256k1_rand_bits(1)) {
544  random_num_negate(&n2);
545  }
546  secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
547  secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
548  secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
549  secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
550  CHECK(secp256k1_num_eq(&n1p2, &n2p1));
551  CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
552  secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
553  CHECK(secp256k1_num_eq(&n2m1, &n1m2));
554  CHECK(!secp256k1_num_eq(&n2m1, &n1));
555  secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
556  CHECK(secp256k1_num_eq(&n2m1, &n1));
557  CHECK(!secp256k1_num_eq(&n2p1, &n1));
558  secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
559  CHECK(secp256k1_num_eq(&n2p1, &n1));
560 
561  /* check is_one */
562  secp256k1_scalar_set_int(&s, 1);
563  secp256k1_scalar_get_num(&n1, &s);
564  CHECK(secp256k1_num_is_one(&n1));
565  /* check that 2^n + 1 is never 1 */
566  secp256k1_scalar_get_num(&n2, &s);
567  for (i = 0; i < 250; ++i) {
568  secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */
569  secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */
570  CHECK(!secp256k1_num_is_one(&n1p2));
571  }
572 }
573 
574 void test_num_mod(void) {
575  int i;
576  secp256k1_scalar s;
577  secp256k1_num order, n;
578 
579  /* check that 0 mod anything is 0 */
580  random_scalar_order_test(&s);
581  secp256k1_scalar_get_num(&order, &s);
582  secp256k1_scalar_set_int(&s, 0);
583  secp256k1_scalar_get_num(&n, &s);
584  secp256k1_num_mod(&n, &order);
585  CHECK(secp256k1_num_is_zero(&n));
586 
587  /* check that anything mod 1 is 0 */
588  secp256k1_scalar_set_int(&s, 1);
589  secp256k1_scalar_get_num(&order, &s);
590  secp256k1_scalar_get_num(&n, &s);
591  secp256k1_num_mod(&n, &order);
592  CHECK(secp256k1_num_is_zero(&n));
593 
594  /* check that increasing the number past 2^256 does not break this */
595  random_scalar_order_test(&s);
596  secp256k1_scalar_get_num(&n, &s);
597  /* multiply by 2^8, which'll test this case with high probability */
598  for (i = 0; i < 8; ++i) {
599  secp256k1_num_add(&n, &n, &n);
600  }
601  secp256k1_num_mod(&n, &order);
602  CHECK(secp256k1_num_is_zero(&n));
603 }
604 
605 void test_num_jacobi(void) {
606  secp256k1_scalar sqr;
607  secp256k1_scalar small;
608  secp256k1_scalar five; /* five is not a quadratic residue */
609  secp256k1_num order, n;
610  int i;
611  /* squares mod 5 are 1, 4 */
612  const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
613 
614  /* check some small values with 5 as the order */
615  secp256k1_scalar_set_int(&five, 5);
616  secp256k1_scalar_get_num(&order, &five);
617  for (i = 0; i < 10; ++i) {
618  secp256k1_scalar_set_int(&small, i);
619  secp256k1_scalar_get_num(&n, &small);
620  CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
621  }
622 
624  secp256k1_scalar_get_num(&order, &five);
625  /* we first need a scalar which is not a multiple of 5 */
626  do {
627  secp256k1_num fiven;
628  random_scalar_order_test(&sqr);
629  secp256k1_scalar_get_num(&fiven, &five);
630  secp256k1_scalar_get_num(&n, &sqr);
631  secp256k1_num_mod(&n, &fiven);
632  } while (secp256k1_num_is_zero(&n));
633  /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
634  * just multiply by two, i.e. add the number to itself */
635  if (secp256k1_num_jacobi(&n, &order) == -1) {
636  secp256k1_num_add(&n, &n, &n);
637  }
638 
639  /* test residue */
640  CHECK(secp256k1_num_jacobi(&n, &order) == 1);
641  /* test nonresidue */
642  secp256k1_num_add(&n, &n, &n);
643  CHECK(secp256k1_num_jacobi(&n, &order) == -1);
644 
646  secp256k1_scalar_order_get_num(&order);
647  random_scalar_order_test(&sqr);
648  secp256k1_scalar_sqr(&sqr, &sqr);
649  /* test residue */
650  secp256k1_scalar_get_num(&n, &sqr);
651  CHECK(secp256k1_num_jacobi(&n, &order) == 1);
652  /* test nonresidue */
653  secp256k1_scalar_mul(&sqr, &sqr, &five);
654  secp256k1_scalar_get_num(&n, &sqr);
655  CHECK(secp256k1_num_jacobi(&n, &order) == -1);
656  /* test multiple of the order*/
657  CHECK(secp256k1_num_jacobi(&order, &order) == 0);
658 
659  /* check one less than the order */
660  secp256k1_scalar_set_int(&small, 1);
661  secp256k1_scalar_get_num(&n, &small);
662  secp256k1_num_sub(&n, &order, &n);
663  CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */
664 }
665 
666 void run_num_smalltests(void) {
667  int i;
668  for (i = 0; i < 100*count; i++) {
669  test_num_negate();
670  test_num_add_sub();
671  test_num_mod();
672  test_num_jacobi();
673  }
674 }
675 #endif
676 
677 /***** SCALAR TESTS *****/
678 
679 void scalar_test(void) {
680  secp256k1_scalar s;
681  secp256k1_scalar s1;
682  secp256k1_scalar s2;
683 #ifndef USE_NUM_NONE
684  secp256k1_num snum, s1num, s2num;
685  secp256k1_num order, half_order;
686 #endif
687  unsigned char c[32];
688 
689  /* Set 's' to a random scalar, with value 'snum'. */
690  random_scalar_order_test(&s);
691 
692  /* Set 's1' to a random scalar, with value 's1num'. */
693  random_scalar_order_test(&s1);
694 
695  /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
696  random_scalar_order_test(&s2);
697  secp256k1_scalar_get_b32(c, &s2);
698 
699 #ifndef USE_NUM_NONE
700  secp256k1_scalar_get_num(&snum, &s);
701  secp256k1_scalar_get_num(&s1num, &s1);
702  secp256k1_scalar_get_num(&s2num, &s2);
703 
704  secp256k1_scalar_order_get_num(&order);
705  half_order = order;
706  secp256k1_num_shift(&half_order, 1);
707 #endif
708 
709  {
710  int i;
711  /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
712  secp256k1_scalar n;
713  secp256k1_scalar_set_int(&n, 0);
714  for (i = 0; i < 256; i += 4) {
715  secp256k1_scalar t;
716  int j;
717  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
718  for (j = 0; j < 4; j++) {
719  secp256k1_scalar_add(&n, &n, &n);
720  }
721  secp256k1_scalar_add(&n, &n, &t);
722  }
723  CHECK(secp256k1_scalar_eq(&n, &s));
724  }
725 
726  {
727  /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
728  secp256k1_scalar n;
729  int i = 0;
730  secp256k1_scalar_set_int(&n, 0);
731  while (i < 256) {
732  secp256k1_scalar t;
733  int j;
734  int now = secp256k1_rand_int(15) + 1;
735  if (now + i > 256) {
736  now = 256 - i;
737  }
738  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
739  for (j = 0; j < now; j++) {
740  secp256k1_scalar_add(&n, &n, &n);
741  }
742  secp256k1_scalar_add(&n, &n, &t);
743  i += now;
744  }
745  CHECK(secp256k1_scalar_eq(&n, &s));
746  }
747 
748 #ifndef USE_NUM_NONE
749  {
750  /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
751  secp256k1_num rnum;
752  secp256k1_num r2num;
753  secp256k1_scalar r;
754  secp256k1_num_add(&rnum, &snum, &s2num);
755  secp256k1_num_mod(&rnum, &order);
756  secp256k1_scalar_add(&r, &s, &s2);
757  secp256k1_scalar_get_num(&r2num, &r);
758  CHECK(secp256k1_num_eq(&rnum, &r2num));
759  }
760 
761  {
762  /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
763  secp256k1_scalar r;
764  secp256k1_num r2num;
765  secp256k1_num rnum;
766  secp256k1_num_mul(&rnum, &snum, &s2num);
767  secp256k1_num_mod(&rnum, &order);
768  secp256k1_scalar_mul(&r, &s, &s2);
769  secp256k1_scalar_get_num(&r2num, &r);
770  CHECK(secp256k1_num_eq(&rnum, &r2num));
771  /* The result can only be zero if at least one of the factors was zero. */
772  CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
773  /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
774  CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
775  CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
776  }
777 
778  {
779  secp256k1_scalar neg;
780  secp256k1_num negnum;
781  secp256k1_num negnum2;
782  /* Check that comparison with zero matches comparison with zero on the number. */
783  CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
784  /* Check that comparison with the half order is equal to testing for high scalar. */
785  CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
786  secp256k1_scalar_negate(&neg, &s);
787  secp256k1_num_sub(&negnum, &order, &snum);
788  secp256k1_num_mod(&negnum, &order);
789  /* Check that comparison with the half order is equal to testing for high scalar after negation. */
790  CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
791  /* Negating should change the high property, unless the value was already zero. */
792  CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
793  secp256k1_scalar_get_num(&negnum2, &neg);
794  /* Negating a scalar should be equal to (order - n) mod order on the number. */
795  CHECK(secp256k1_num_eq(&negnum, &negnum2));
796  secp256k1_scalar_add(&neg, &neg, &s);
797  /* Adding a number to its negation should result in zero. */
798  CHECK(secp256k1_scalar_is_zero(&neg));
799  secp256k1_scalar_negate(&neg, &neg);
800  /* Negating zero should still result in zero. */
801  CHECK(secp256k1_scalar_is_zero(&neg));
802  }
803 
804  {
805  /* Test secp256k1_scalar_mul_shift_var. */
806  secp256k1_scalar r;
807  secp256k1_num one;
808  secp256k1_num rnum;
809  secp256k1_num rnum2;
810  unsigned char cone[1] = {0x01};
811  unsigned int shift = 256 + secp256k1_rand_int(257);
812  secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
813  secp256k1_num_mul(&rnum, &s1num, &s2num);
814  secp256k1_num_shift(&rnum, shift - 1);
815  secp256k1_num_set_bin(&one, cone, 1);
816  secp256k1_num_add(&rnum, &rnum, &one);
817  secp256k1_num_shift(&rnum, 1);
818  secp256k1_scalar_get_num(&rnum2, &r);
819  CHECK(secp256k1_num_eq(&rnum, &rnum2));
820  }
821 
822  {
823  /* test secp256k1_scalar_shr_int */
824  secp256k1_scalar r;
825  int i;
826  random_scalar_order_test(&r);
827  for (i = 0; i < 100; ++i) {
828  int low;
829  int shift = 1 + secp256k1_rand_int(15);
830  int expected = r.d[0] % (1 << shift);
831  low = secp256k1_scalar_shr_int(&r, shift);
832  CHECK(expected == low);
833  }
834  }
835 #endif
836 
837  {
838  /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
839  if (!secp256k1_scalar_is_zero(&s)) {
840  secp256k1_scalar inv;
841 #ifndef USE_NUM_NONE
842  secp256k1_num invnum;
843  secp256k1_num invnum2;
844 #endif
845  secp256k1_scalar_inverse(&inv, &s);
846 #ifndef USE_NUM_NONE
847  secp256k1_num_mod_inverse(&invnum, &snum, &order);
848  secp256k1_scalar_get_num(&invnum2, &inv);
849  CHECK(secp256k1_num_eq(&invnum, &invnum2));
850 #endif
851  secp256k1_scalar_mul(&inv, &inv, &s);
852  /* Multiplying a scalar with its inverse must result in one. */
853  CHECK(secp256k1_scalar_is_one(&inv));
854  secp256k1_scalar_inverse(&inv, &inv);
855  /* Inverting one must result in one. */
856  CHECK(secp256k1_scalar_is_one(&inv));
857 #ifndef USE_NUM_NONE
858  secp256k1_scalar_get_num(&invnum, &inv);
859  CHECK(secp256k1_num_is_one(&invnum));
860 #endif
861  }
862  }
863 
864  {
865  /* Test commutativity of add. */
866  secp256k1_scalar r1, r2;
867  secp256k1_scalar_add(&r1, &s1, &s2);
868  secp256k1_scalar_add(&r2, &s2, &s1);
869  CHECK(secp256k1_scalar_eq(&r1, &r2));
870  }
871 
872  {
873  secp256k1_scalar r1, r2;
874  secp256k1_scalar b;
875  int i;
876  /* Test add_bit. */
877  int bit = secp256k1_rand_bits(8);
878  secp256k1_scalar_set_int(&b, 1);
879  CHECK(secp256k1_scalar_is_one(&b));
880  for (i = 0; i < bit; i++) {
881  secp256k1_scalar_add(&b, &b, &b);
882  }
883  r1 = s1;
884  r2 = s1;
885  if (!secp256k1_scalar_add(&r1, &r1, &b)) {
886  /* No overflow happened. */
887  secp256k1_scalar_cadd_bit(&r2, bit, 1);
888  CHECK(secp256k1_scalar_eq(&r1, &r2));
889  /* cadd is a noop when flag is zero */
890  secp256k1_scalar_cadd_bit(&r2, bit, 0);
891  CHECK(secp256k1_scalar_eq(&r1, &r2));
892  }
893  }
894 
895  {
896  /* Test commutativity of mul. */
897  secp256k1_scalar r1, r2;
898  secp256k1_scalar_mul(&r1, &s1, &s2);
899  secp256k1_scalar_mul(&r2, &s2, &s1);
900  CHECK(secp256k1_scalar_eq(&r1, &r2));
901  }
902 
903  {
904  /* Test associativity of add. */
905  secp256k1_scalar r1, r2;
906  secp256k1_scalar_add(&r1, &s1, &s2);
907  secp256k1_scalar_add(&r1, &r1, &s);
908  secp256k1_scalar_add(&r2, &s2, &s);
909  secp256k1_scalar_add(&r2, &s1, &r2);
910  CHECK(secp256k1_scalar_eq(&r1, &r2));
911  }
912 
913  {
914  /* Test associativity of mul. */
915  secp256k1_scalar r1, r2;
916  secp256k1_scalar_mul(&r1, &s1, &s2);
917  secp256k1_scalar_mul(&r1, &r1, &s);
918  secp256k1_scalar_mul(&r2, &s2, &s);
919  secp256k1_scalar_mul(&r2, &s1, &r2);
920  CHECK(secp256k1_scalar_eq(&r1, &r2));
921  }
922 
923  {
924  /* Test distributitivity of mul over add. */
925  secp256k1_scalar r1, r2, t;
926  secp256k1_scalar_add(&r1, &s1, &s2);
927  secp256k1_scalar_mul(&r1, &r1, &s);
928  secp256k1_scalar_mul(&r2, &s1, &s);
929  secp256k1_scalar_mul(&t, &s2, &s);
930  secp256k1_scalar_add(&r2, &r2, &t);
931  CHECK(secp256k1_scalar_eq(&r1, &r2));
932  }
933 
934  {
935  /* Test square. */
936  secp256k1_scalar r1, r2;
937  secp256k1_scalar_sqr(&r1, &s1);
938  secp256k1_scalar_mul(&r2, &s1, &s1);
939  CHECK(secp256k1_scalar_eq(&r1, &r2));
940  }
941 
942  {
943  /* Test multiplicative identity. */
944  secp256k1_scalar r1, v1;
945  secp256k1_scalar_set_int(&v1,1);
946  secp256k1_scalar_mul(&r1, &s1, &v1);
947  CHECK(secp256k1_scalar_eq(&r1, &s1));
948  }
949 
950  {
951  /* Test additive identity. */
952  secp256k1_scalar r1, v0;
953  secp256k1_scalar_set_int(&v0,0);
954  secp256k1_scalar_add(&r1, &s1, &v0);
955  CHECK(secp256k1_scalar_eq(&r1, &s1));
956  }
957 
958  {
959  /* Test zero product property. */
960  secp256k1_scalar r1, v0;
961  secp256k1_scalar_set_int(&v0,0);
962  secp256k1_scalar_mul(&r1, &s1, &v0);
963  CHECK(secp256k1_scalar_eq(&r1, &v0));
964  }
965 
966 }
967 
968 void run_scalar_tests(void) {
969  int i;
970  for (i = 0; i < 128 * count; i++) {
971  scalar_test();
972  }
973 
974  {
975  /* (-1)+1 should be zero. */
976  secp256k1_scalar s, o;
977  secp256k1_scalar_set_int(&s, 1);
978  CHECK(secp256k1_scalar_is_one(&s));
979  secp256k1_scalar_negate(&o, &s);
980  secp256k1_scalar_add(&o, &o, &s);
981  CHECK(secp256k1_scalar_is_zero(&o));
982  secp256k1_scalar_negate(&o, &o);
983  CHECK(secp256k1_scalar_is_zero(&o));
984  }
985 
986 #ifndef USE_NUM_NONE
987  {
988  /* A scalar with value of the curve order should be 0. */
989  secp256k1_num order;
990  secp256k1_scalar zero;
991  unsigned char bin[32];
992  int overflow = 0;
993  secp256k1_scalar_order_get_num(&order);
994  secp256k1_num_get_bin(bin, 32, &order);
995  secp256k1_scalar_set_b32(&zero, bin, &overflow);
996  CHECK(overflow == 1);
997  CHECK(secp256k1_scalar_is_zero(&zero));
998  }
999 #endif
1000 
1001  {
1002  /* Does check_overflow check catch all ones? */
1003  static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1004  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1005  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1006  );
1007  CHECK(secp256k1_scalar_check_overflow(&overflowed));
1008  }
1009 
1010  {
1011  /* Static test vectors.
1012  * These were reduced from ~10^12 random vectors based on comparison-decision
1013  * and edge-case coverage on 32-bit and 64-bit implementations.
1014  * The responses were generated with Sage 5.9.
1015  */
1016  secp256k1_scalar x;
1017  secp256k1_scalar y;
1018  secp256k1_scalar z;
1019  secp256k1_scalar zz;
1020  secp256k1_scalar one;
1021  secp256k1_scalar r1;
1022  secp256k1_scalar r2;
1023 #if defined(USE_SCALAR_INV_NUM)
1024  secp256k1_scalar zzv;
1025 #endif
1026  int overflow;
1027  unsigned char chal[33][2][32] = {
1028  {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1029  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1030  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1031  0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1032  {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1033  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1034  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1035  0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1036  {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1037  0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1038  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1039  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1040  {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1041  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1042  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1043  0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1044  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1045  0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1046  0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1047  0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1048  {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1049  0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1050  0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1051  0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1052  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1053  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1054  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1055  0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1056  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1057  0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1058  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1059  0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1060  {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1061  0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1062  0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1063  0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1064  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1065  0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1066  0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1067  0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1068  {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1069  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1070  0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1071  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1072  {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1073  0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1074  0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1075  0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1076  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1077  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1078  0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1079  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1080  {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1081  0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1082  0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1083  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1084  {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1085  0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1086  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1087  0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1088  {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1089  0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1090  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1091  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1092  {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1093  0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1094  0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1095  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1096  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1097  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1098  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1099  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1100  {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1101  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1102  0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1103  0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1104  {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1105  0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1106  0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1107  0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1108  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1109  0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1110  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1111  0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1112  {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1113  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1114  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1115  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1116  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1117  0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1118  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1119  0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1120  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1121  0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1122  0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1123  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1124  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1125  0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1126  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1127  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1128  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1129  0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1130  0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1131  0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1132  {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1133  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1134  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1135  0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1136  {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1137  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1138  0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1139  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1140  {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1141  0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1142  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1143  0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1144  {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1145  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1146  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1147  0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1148  {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1149  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1150  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1151  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1152  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1153  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1154  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1155  0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1156  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1157  0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1158  0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1159  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1160  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1161  0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1162  0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1163  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1164  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1165  0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1166  0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1167  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1168  {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1169  0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1170  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1171  0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1172  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1173  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1174  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1175  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1176  {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1177  0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1178  0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1179  0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1180  {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1181  0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1182  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1183  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1184  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1185  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1186  0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1187  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1188  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1189  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1190  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1191  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1192  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1193  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1194  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1195  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1196  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1197  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1198  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1199  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1200  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1201  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1202  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1203  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1204  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1205  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1206  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1207  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1208  {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1209  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1210  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1211  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1212  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1213  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1214  0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1215  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1216  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1217  0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1218  0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1219  0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1220  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1221  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1222  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1223  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1224  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1225  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1226  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1227  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1228  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1229  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1230  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1231  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1232  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1233  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1234  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1235  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1236  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1237  0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1238  0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1239  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1240  {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1241  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1242  0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1243  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1244  {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1245  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1246  0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1247  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1248  {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1249  0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1250  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1251  0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1252  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1253  0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1254  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1255  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1256  {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1257  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1258  0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1259  0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1260  {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1261  0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1262  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1263  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1264  {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1265  0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1266  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1267  0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1268  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1269  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1270  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1271  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1272  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1273  0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1274  0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1275  0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1276  {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1277  0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1278  0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1279  0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1280  {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1281  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1282  0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1283  0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1284  {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1285  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1286  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1287  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1288  {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1289  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1290  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1291  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
1292  };
1293  unsigned char res[33][2][32] = {
1294  {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1295  0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1296  0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1297  0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1298  {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1299  0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1300  0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1301  0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1302  {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1303  0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1304  0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1305  0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1306  {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1307  0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1308  0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1309  0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1310  {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1311  0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1312  0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1313  0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1314  {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1315  0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1316  0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1317  0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1318  {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1319  0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1320  0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1321  0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1322  {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1323  0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1324  0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1325  0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1326  {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1327  0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1328  0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1329  0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1330  {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1331  0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1332  0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1333  0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1334  {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1335  0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1336  0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1337  0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1338  {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1339  0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1340  0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1341  0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1342  {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1343  0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1344  0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1345  0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1346  {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1347  0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1348  0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1349  0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1350  {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1351  0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1352  0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1353  0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1354  {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1355  0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1356  0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1357  0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1358  {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1359  0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1360  0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1361  0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1362  {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1363  0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1364  0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1365  0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1366  {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1367  0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1368  0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1369  0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1370  {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1371  0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1372  0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1373  0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1374  {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1375  0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1376  0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1377  0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1378  {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1379  0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1380  0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1381  0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1382  {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1383  0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1384  0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1385  0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1386  {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1387  0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1388  0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1389  0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1390  {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1391  0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1392  0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1393  0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1394  {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1395  0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1396  0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1397  0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1398  {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1399  0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1400  0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1401  0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1402  {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1403  0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1404  0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1405  0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1406  {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1407  0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1408  0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1409  0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1410  {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1411  0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1412  0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1413  0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1414  {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1415  0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1416  0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1417  0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1418  {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1419  0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1420  0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1421  0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1422  {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1423  0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1424  0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1425  0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1426  {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1427  0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1428  0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1429  0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1430  {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1431  0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1432  0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1433  0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1434  {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1435  0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1436  0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1437  0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1438  {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1439  0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1440  0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1441  0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1442  {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1443  0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1444  0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1445  0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1446  {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1447  0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1448  0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1449  0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1450  {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1451  0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1452  0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1453  0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1454  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1455  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1456  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1457  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1458  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1459  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1460  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1461  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1462  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1463  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1464  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1465  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1466  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1467  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1468  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1469  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1470  {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1471  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1472  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1473  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1474  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1475  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1476  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1477  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1478  {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1479  0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1480  0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1481  0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1482  {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1483  0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1484  0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1485  0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1486  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1487  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1488  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1489  0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1490  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1491  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1492  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1493  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1494  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1495  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1496  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1497  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1498  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1499  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1500  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1501  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1502  {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1503  0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1504  0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1505  0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1506  {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1507  0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1508  0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1509  0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1510  {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1511  0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1512  0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1513  0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1514  {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1515  0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1516  0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1517  0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1518  {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1519  0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1520  0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1521  0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1522  {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1523  0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1524  0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1525  0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1526  {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1527  0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1528  0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1529  0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1530  {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1531  0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1532  0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1533  0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1534  {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1535  0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1536  0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1537  0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1538  {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1539  0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1540  0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1541  0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1542  {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1543  0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1544  0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1545  0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1546  {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1547  0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1548  0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
1549  0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1550  {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1551  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1552  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1553  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1554  {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1555  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1556  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1557  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
1558  };
1559  secp256k1_scalar_set_int(&one, 1);
1560  for (i = 0; i < 33; i++) {
1561  secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1562  CHECK(!overflow);
1563  secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1564  CHECK(!overflow);
1565  secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1566  CHECK(!overflow);
1567  secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1568  CHECK(!overflow);
1569  secp256k1_scalar_mul(&z, &x, &y);
1570  CHECK(!secp256k1_scalar_check_overflow(&z));
1571  CHECK(secp256k1_scalar_eq(&r1, &z));
1572  if (!secp256k1_scalar_is_zero(&y)) {
1573  secp256k1_scalar_inverse(&zz, &y);
1574  CHECK(!secp256k1_scalar_check_overflow(&zz));
1575 #if defined(USE_SCALAR_INV_NUM)
1576  secp256k1_scalar_inverse_var(&zzv, &y);
1577  CHECK(secp256k1_scalar_eq(&zzv, &zz));
1578 #endif
1579  secp256k1_scalar_mul(&z, &z, &zz);
1580  CHECK(!secp256k1_scalar_check_overflow(&z));
1581  CHECK(secp256k1_scalar_eq(&x, &z));
1582  secp256k1_scalar_mul(&zz, &zz, &y);
1583  CHECK(!secp256k1_scalar_check_overflow(&zz));
1584  CHECK(secp256k1_scalar_eq(&one, &zz));
1585  }
1586  secp256k1_scalar_mul(&z, &x, &x);
1587  CHECK(!secp256k1_scalar_check_overflow(&z));
1588  secp256k1_scalar_sqr(&zz, &x);
1589  CHECK(!secp256k1_scalar_check_overflow(&zz));
1590  CHECK(secp256k1_scalar_eq(&zz, &z));
1591  CHECK(secp256k1_scalar_eq(&r2, &zz));
1592  }
1593  }
1594 }
1595 
1596 /***** FIELD TESTS *****/
1597 
1598 void random_fe(secp256k1_fe *x) {
1599  unsigned char bin[32];
1600  do {
1601  secp256k1_rand256(bin);
1602  if (secp256k1_fe_set_b32(x, bin)) {
1603  return;
1604  }
1605  } while(1);
1606 }
1607 
1608 void random_fe_test(secp256k1_fe *x) {
1609  unsigned char bin[32];
1610  do {
1611  secp256k1_rand256_test(bin);
1612  if (secp256k1_fe_set_b32(x, bin)) {
1613  return;
1614  }
1615  } while(1);
1616 }
1617 
1618 void random_fe_non_zero(secp256k1_fe *nz) {
1619  int tries = 10;
1620  while (--tries >= 0) {
1621  random_fe(nz);
1622  secp256k1_fe_normalize(nz);
1623  if (!secp256k1_fe_is_zero(nz)) {
1624  break;
1625  }
1626  }
1627  /* Infinitesimal probability of spurious failure here */
1628  CHECK(tries >= 0);
1629 }
1630 
1631 void random_fe_non_square(secp256k1_fe *ns) {
1632  secp256k1_fe r;
1633  random_fe_non_zero(ns);
1634  if (secp256k1_fe_sqrt(&r, ns)) {
1635  secp256k1_fe_negate(ns, ns, 1);
1636  }
1637 }
1638 
1639 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1640  secp256k1_fe an = *a;
1641  secp256k1_fe bn = *b;
1642  secp256k1_fe_normalize_weak(&an);
1643  secp256k1_fe_normalize_var(&bn);
1644  return secp256k1_fe_equal_var(&an, &bn);
1645 }
1646 
1647 int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) {
1648  secp256k1_fe x;
1649  secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
1650  secp256k1_fe_mul(&x, a, ai);
1651  return check_fe_equal(&x, &one);
1652 }
1653 
1654 void run_field_convert(void) {
1655  static const unsigned char b32[32] = {
1656  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1657  0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1658  0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1659  0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1660  };
1661  static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
1662  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1663  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1664  );
1665  static const secp256k1_fe fe = SECP256K1_FE_CONST(
1666  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1667  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1668  );
1669  secp256k1_fe fe2;
1670  unsigned char b322[32];
1671  secp256k1_fe_storage fes2;
1672  /* Check conversions to fe. */
1673  CHECK(secp256k1_fe_set_b32(&fe2, b32));
1674  CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1675  secp256k1_fe_from_storage(&fe2, &fes);
1676  CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1677  /* Check conversion from fe. */
1678  secp256k1_fe_get_b32(b322, &fe);
1679  CHECK(memcmp(b322, b32, 32) == 0);
1680  secp256k1_fe_to_storage(&fes2, &fe);
1681  CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0);
1682 }
1683 
1684 int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b) {
1685  secp256k1_fe t = *b;
1686 #ifdef VERIFY
1687  t.magnitude = a->magnitude;
1688  t.normalized = a->normalized;
1689 #endif
1690  return memcmp(a, &t, sizeof(secp256k1_fe));
1691 }
1692 
1693 void run_field_misc(void) {
1694  secp256k1_fe x;
1695  secp256k1_fe y;
1696  secp256k1_fe z;
1697  secp256k1_fe q;
1698  secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
1699  int i, j;
1700  for (i = 0; i < 5*count; i++) {
1701  secp256k1_fe_storage xs, ys, zs;
1702  random_fe(&x);
1703  random_fe_non_zero(&y);
1704  /* Test the fe equality and comparison operations. */
1705  CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
1706  CHECK(secp256k1_fe_equal_var(&x, &x));
1707  z = x;
1708  secp256k1_fe_add(&z,&y);
1709  /* Test fe conditional move; z is not normalized here. */
1710  q = x;
1711  secp256k1_fe_cmov(&x, &z, 0);
1712  VERIFY_CHECK(!x.normalized && x.magnitude == z.magnitude);
1713  secp256k1_fe_cmov(&x, &x, 1);
1714  CHECK(fe_memcmp(&x, &z) != 0);
1715  CHECK(fe_memcmp(&x, &q) == 0);
1716  secp256k1_fe_cmov(&q, &z, 1);
1717  VERIFY_CHECK(!q.normalized && q.magnitude == z.magnitude);
1718  CHECK(fe_memcmp(&q, &z) == 0);
1719  secp256k1_fe_normalize_var(&x);
1720  secp256k1_fe_normalize_var(&z);
1721  CHECK(!secp256k1_fe_equal_var(&x, &z));
1722  secp256k1_fe_normalize_var(&q);
1723  secp256k1_fe_cmov(&q, &z, (i&1));
1724  VERIFY_CHECK(q.normalized && q.magnitude == 1);
1725  for (j = 0; j < 6; j++) {
1726  secp256k1_fe_negate(&z, &z, j+1);
1727  secp256k1_fe_normalize_var(&q);
1728  secp256k1_fe_cmov(&q, &z, (j&1));
1729  VERIFY_CHECK(!q.normalized && q.magnitude == (j+2));
1730  }
1731  secp256k1_fe_normalize_var(&z);
1732  /* Test storage conversion and conditional moves. */
1733  secp256k1_fe_to_storage(&xs, &x);
1734  secp256k1_fe_to_storage(&ys, &y);
1735  secp256k1_fe_to_storage(&zs, &z);
1736  secp256k1_fe_storage_cmov(&zs, &xs, 0);
1737  secp256k1_fe_storage_cmov(&zs, &zs, 1);
1738  CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0);
1739  secp256k1_fe_storage_cmov(&ys, &xs, 1);
1740  CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0);
1741  secp256k1_fe_from_storage(&x, &xs);
1742  secp256k1_fe_from_storage(&y, &ys);
1743  secp256k1_fe_from_storage(&z, &zs);
1744  /* Test that mul_int, mul, and add agree. */
1745  secp256k1_fe_add(&y, &x);
1746  secp256k1_fe_add(&y, &x);
1747  z = x;
1748  secp256k1_fe_mul_int(&z, 3);
1749  CHECK(check_fe_equal(&y, &z));
1750  secp256k1_fe_add(&y, &x);
1751  secp256k1_fe_add(&z, &x);
1752  CHECK(check_fe_equal(&z, &y));
1753  z = x;
1754  secp256k1_fe_mul_int(&z, 5);
1755  secp256k1_fe_mul(&q, &x, &fe5);
1756  CHECK(check_fe_equal(&z, &q));
1757  secp256k1_fe_negate(&x, &x, 1);
1758  secp256k1_fe_add(&z, &x);
1759  secp256k1_fe_add(&q, &x);
1760  CHECK(check_fe_equal(&y, &z));
1761  CHECK(check_fe_equal(&q, &y));
1762  }
1763 }
1764 
1765 void run_field_inv(void) {
1766  secp256k1_fe x, xi, xii;
1767  int i;
1768  for (i = 0; i < 10*count; i++) {
1769  random_fe_non_zero(&x);
1770  secp256k1_fe_inv(&xi, &x);
1771  CHECK(check_fe_inverse(&x, &xi));
1772  secp256k1_fe_inv(&xii, &xi);
1773  CHECK(check_fe_equal(&x, &xii));
1774  }
1775 }
1776 
1777 void run_field_inv_var(void) {
1778  secp256k1_fe x, xi, xii;
1779  int i;
1780  for (i = 0; i < 10*count; i++) {
1781  random_fe_non_zero(&x);
1782  secp256k1_fe_inv_var(&xi, &x);
1783  CHECK(check_fe_inverse(&x, &xi));
1784  secp256k1_fe_inv_var(&xii, &xi);
1785  CHECK(check_fe_equal(&x, &xii));
1786  }
1787 }
1788 
1789 void run_field_inv_all_var(void) {
1790  secp256k1_fe x[16], xi[16], xii[16];
1791  int i;
1792  /* Check it's safe to call for 0 elements */
1793  secp256k1_fe_inv_all_var(xi, x, 0);
1794  for (i = 0; i < count; i++) {
1795  size_t j;
1796  size_t len = secp256k1_rand_int(15) + 1;
1797  for (j = 0; j < len; j++) {
1798  random_fe_non_zero(&x[j]);
1799  }
1800  secp256k1_fe_inv_all_var(xi, x, len);
1801  for (j = 0; j < len; j++) {
1802  CHECK(check_fe_inverse(&x[j], &xi[j]));
1803  }
1804  secp256k1_fe_inv_all_var(xii, xi, len);
1805  for (j = 0; j < len; j++) {
1806  CHECK(check_fe_equal(&x[j], &xii[j]));
1807  }
1808  }
1809 }
1810 
1811 void run_sqr(void) {
1812  secp256k1_fe x, s;
1813 
1814  {
1815  int i;
1816  secp256k1_fe_set_int(&x, 1);
1817  secp256k1_fe_negate(&x, &x, 1);
1818 
1819  for (i = 1; i <= 512; ++i) {
1820  secp256k1_fe_mul_int(&x, 2);
1821  secp256k1_fe_normalize(&x);
1822  secp256k1_fe_sqr(&s, &x);
1823  }
1824  }
1825 }
1826 
1827 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
1828  secp256k1_fe r1, r2;
1829  int v = secp256k1_fe_sqrt(&r1, a);
1830  CHECK((v == 0) == (k == NULL));
1831 
1832  if (k != NULL) {
1833  /* Check that the returned root is +/- the given known answer */
1834  secp256k1_fe_negate(&r2, &r1, 1);
1835  secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
1836  secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
1837  CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
1838  }
1839 }
1840 
1841 void run_sqrt(void) {
1842  secp256k1_fe ns, x, s, t;
1843  int i;
1844 
1845  /* Check sqrt(0) is 0 */
1846  secp256k1_fe_set_int(&x, 0);
1847  secp256k1_fe_sqr(&s, &x);
1848  test_sqrt(&s, &x);
1849 
1850  /* Check sqrt of small squares (and their negatives) */
1851  for (i = 1; i <= 100; i++) {
1852  secp256k1_fe_set_int(&x, i);
1853  secp256k1_fe_sqr(&s, &x);
1854  test_sqrt(&s, &x);
1855  secp256k1_fe_negate(&t, &s, 1);
1856  test_sqrt(&t, NULL);
1857  }
1858 
1859  /* Consistency checks for large random values */
1860  for (i = 0; i < 10; i++) {
1861  int j;
1862  random_fe_non_square(&ns);
1863  for (j = 0; j < count; j++) {
1864  random_fe(&x);
1865  secp256k1_fe_sqr(&s, &x);
1866  test_sqrt(&s, &x);
1867  secp256k1_fe_negate(&t, &s, 1);
1868  test_sqrt(&t, NULL);
1869  secp256k1_fe_mul(&t, &s, &ns);
1870  test_sqrt(&t, NULL);
1871  }
1872  }
1873 }
1874 
1875 /***** GROUP TESTS *****/
1876 
1877 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
1878  CHECK(a->infinity == b->infinity);
1879  if (a->infinity) {
1880  return;
1881  }
1882  CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
1883  CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
1884 }
1885 
1886 /* This compares jacobian points including their Z, not just their geometric meaning. */
1887 int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
1888  secp256k1_gej a2;
1889  secp256k1_gej b2;
1890  int ret = 1;
1891  ret &= a->infinity == b->infinity;
1892  if (ret && !a->infinity) {
1893  a2 = *a;
1894  b2 = *b;
1895  secp256k1_fe_normalize(&a2.x);
1896  secp256k1_fe_normalize(&a2.y);
1897  secp256k1_fe_normalize(&a2.z);
1898  secp256k1_fe_normalize(&b2.x);
1899  secp256k1_fe_normalize(&b2.y);
1900  secp256k1_fe_normalize(&b2.z);
1901  ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
1902  ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
1903  ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
1904  }
1905  return ret;
1906 }
1907 
1908 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
1909  secp256k1_fe z2s;
1910  secp256k1_fe u1, u2, s1, s2;
1911  CHECK(a->infinity == b->infinity);
1912  if (a->infinity) {
1913  return;
1914  }
1915  /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
1916  secp256k1_fe_sqr(&z2s, &b->z);
1917  secp256k1_fe_mul(&u1, &a->x, &z2s);
1918  u2 = b->x; secp256k1_fe_normalize_weak(&u2);
1919  secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
1920  s2 = b->y; secp256k1_fe_normalize_weak(&s2);
1921  CHECK(secp256k1_fe_equal_var(&u1, &u2));
1922  CHECK(secp256k1_fe_equal_var(&s1, &s2));
1923 }
1924 
1925 void test_ge(void) {
1926  int i, i1;
1927 #ifdef USE_ENDOMORPHISM
1928  int runs = 6;
1929 #else
1930  int runs = 4;
1931 #endif
1932  /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
1933  * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
1934  * All magnitudes are randomized.
1935  * All 17*17 combinations of points are added to each other, using all applicable methods.
1936  *
1937  * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well.
1938  */
1939  secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
1940  secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
1941  secp256k1_fe *zinv = (secp256k1_fe *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
1942  secp256k1_fe zf;
1943  secp256k1_fe zfi2, zfi3;
1944 
1945  secp256k1_gej_set_infinity(&gej[0]);
1946  secp256k1_ge_clear(&ge[0]);
1947  secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
1948  for (i = 0; i < runs; i++) {
1949  int j;
1950  secp256k1_ge g;
1951  random_group_element_test(&g);
1952 #ifdef USE_ENDOMORPHISM
1953  if (i >= runs - 2) {
1954  secp256k1_ge_mul_lambda(&g, &ge[1]);
1955  }
1956  if (i >= runs - 1) {
1957  secp256k1_ge_mul_lambda(&g, &g);
1958  }
1959 #endif
1960  ge[1 + 4 * i] = g;
1961  ge[2 + 4 * i] = g;
1962  secp256k1_ge_neg(&ge[3 + 4 * i], &g);
1963  secp256k1_ge_neg(&ge[4 + 4 * i], &g);
1964  secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
1965  random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
1966  secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
1967  random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
1968  for (j = 0; j < 4; j++) {
1969  random_field_element_magnitude(&ge[1 + j + 4 * i].x);
1970  random_field_element_magnitude(&ge[1 + j + 4 * i].y);
1971  random_field_element_magnitude(&gej[1 + j + 4 * i].x);
1972  random_field_element_magnitude(&gej[1 + j + 4 * i].y);
1973  random_field_element_magnitude(&gej[1 + j + 4 * i].z);
1974  }
1975  }
1976 
1977  /* Compute z inverses. */
1978  {
1979  secp256k1_fe *zs = checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
1980  for (i = 0; i < 4 * runs + 1; i++) {
1981  if (i == 0) {
1982  /* The point at infinity does not have a meaningful z inverse. Any should do. */
1983  do {
1984  random_field_element_test(&zs[i]);
1985  } while(secp256k1_fe_is_zero(&zs[i]));
1986  } else {
1987  zs[i] = gej[i].z;
1988  }
1989  }
1990  secp256k1_fe_inv_all_var(zinv, zs, 4 * runs + 1);
1991  free(zs);
1992  }
1993 
1994  /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
1995  do {
1996  random_field_element_test(&zf);
1997  } while(secp256k1_fe_is_zero(&zf));
1998  random_field_element_magnitude(&zf);
1999  secp256k1_fe_inv_var(&zfi3, &zf);
2000  secp256k1_fe_sqr(&zfi2, &zfi3);
2001  secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
2002 
2003  for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
2004  int i2;
2005  for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
2006  /* Compute reference result using gej + gej (var). */
2007  secp256k1_gej refj, resj;
2008  secp256k1_ge ref;
2009  secp256k1_fe zr;
2010  secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2011  /* Check Z ratio. */
2012  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
2013  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2014  CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
2015  }
2016  secp256k1_ge_set_gej_var(&ref, &refj);
2017 
2018  /* Test gej + ge with Z ratio result (var). */
2019  secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2020  ge_equals_gej(&ref, &resj);
2021  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
2022  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2023  CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
2024  }
2025 
2026  /* Test gej + ge (var, with additional Z factor). */
2027  {
2028  secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
2029  secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
2030  secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
2031  random_field_element_magnitude(&ge2_zfi.x);
2032  random_field_element_magnitude(&ge2_zfi.y);
2033  secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
2034  ge_equals_gej(&ref, &resj);
2035  }
2036 
2037  /* Test gej + ge (const). */
2038  if (i2 != 0) {
2039  /* secp256k1_gej_add_ge does not support its second argument being infinity. */
2040  secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
2041  ge_equals_gej(&ref, &resj);
2042  }
2043 
2044  /* Test doubling (var). */
2045  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
2046  secp256k1_fe zr2;
2047  /* Normal doubling with Z ratio result. */
2048  secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
2049  ge_equals_gej(&ref, &resj);
2050  /* Check Z ratio. */
2051  secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2052  CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2053  /* Normal doubling. */
2054  secp256k1_gej_double_var(&resj, &gej[i2], NULL);
2055  ge_equals_gej(&ref, &resj);
2056  }
2057 
2058  /* Test adding opposites. */
2059  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2060  CHECK(secp256k1_ge_is_infinity(&ref));
2061  }
2062 
2063  /* Test adding infinity. */
2064  if (i1 == 0) {
2065  CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2066  CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2067  ge_equals_gej(&ref, &gej[i2]);
2068  }
2069  if (i2 == 0) {
2070  CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2071  CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2072  ge_equals_gej(&ref, &gej[i1]);
2073  }
2074  }
2075  }
2076 
2077  /* Test adding all points together in random order equals infinity. */
2078  {
2079  secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
2080  secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
2081  for (i = 0; i < 4 * runs + 1; i++) {
2082  gej_shuffled[i] = gej[i];
2083  }
2084  for (i = 0; i < 4 * runs + 1; i++) {
2085  int swap = i + secp256k1_rand_int(4 * runs + 1 - i);
2086  if (swap != i) {
2087  secp256k1_gej t = gej_shuffled[i];
2088  gej_shuffled[i] = gej_shuffled[swap];
2089  gej_shuffled[swap] = t;
2090  }
2091  }
2092  for (i = 0; i < 4 * runs + 1; i++) {
2093  secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
2094  }
2095  CHECK(secp256k1_gej_is_infinity(&sum));
2096  free(gej_shuffled);
2097  }
2098 
2099  /* Test batch gej -> ge conversion with and without known z ratios. */
2100  {
2101  secp256k1_fe *zr = (secp256k1_fe *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_fe));
2102  secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2103  for (i = 0; i < 4 * runs + 1; i++) {
2104  /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
2105  if (i < 4 * runs) {
2106  secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
2107  }
2108  }
2109  secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
2110  for (i = 0; i < 4 * runs + 1; i++) {
2111  secp256k1_fe s;
2112  random_fe_non_zero(&s);
2113  secp256k1_gej_rescale(&gej[i], &s);
2114  ge_equals_gej(&ge_set_all[i], &gej[i]);
2115  }
2116  free(ge_set_all);
2117  free(zr);
2118  }
2119 
2120  /* Test batch gej -> ge conversion with many infinities. */
2121  for (i = 0; i < 4 * runs + 1; i++) {
2122  random_group_element_test(&ge[i]);
2123  /* randomly set half the points to infinitiy */
2124  if(secp256k1_fe_is_odd(&ge[i].x)) {
2125  secp256k1_ge_set_infinity(&ge[i]);
2126  }
2127  secp256k1_gej_set_ge(&gej[i], &ge[i]);
2128  }
2129  /* batch invert */
2130  secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
2131  /* check result */
2132  for (i = 0; i < 4 * runs + 1; i++) {
2133  ge_equals_gej(&ge[i], &gej[i]);
2134  }
2135 
2136  free(ge);
2137  free(gej);
2138  free(zinv);
2139 }
2140 
2141 void test_add_neg_y_diff_x(void) {
2142  /* The point of this test is to check that we can add two points
2143  * whose y-coordinates are negatives of each other but whose x
2144  * coordinates differ. If the x-coordinates were the same, these
2145  * points would be negatives of each other and their sum is
2146  * infinity. This is cool because it "covers up" any degeneracy
2147  * in the addition algorithm that would cause the xy coordinates
2148  * of the sum to be wrong (since infinity has no xy coordinates).
2149  * HOWEVER, if the x-coordinates are different, infinity is the
2150  * wrong answer, and such degeneracies are exposed. This is the
2151  * root of https://github.com/bitcoin-core/secp256k1/issues/257
2152  * which this test is a regression test for.
2153  *
2154  * These points were generated in sage as
2155  * # secp256k1 params
2156  * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2157  * C = EllipticCurve ([F (0), F (7)])
2158  * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2159  * N = FiniteField(G.order())
2160  *
2161  * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2162  * x = polygen(N)
2163  * lam = (1 - x^3).roots()[1][0]
2164  *
2165  * # random "bad pair"
2166  * P = C.random_element()
2167  * Q = -int(lam) * P
2168  * print " P: %x %x" % P.xy()
2169  * print " Q: %x %x" % Q.xy()
2170  * print "P + Q: %x %x" % (P + Q).xy()
2171  */
2172  secp256k1_gej aj = SECP256K1_GEJ_CONST(
2173  0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2174  0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2175  0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2176  0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2177  );
2178  secp256k1_gej bj = SECP256K1_GEJ_CONST(
2179  0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2180  0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2181  0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2182  0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2183  );
2184  secp256k1_gej sumj = SECP256K1_GEJ_CONST(
2185  0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2186  0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2187  0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2188  0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2189  );
2190  secp256k1_ge b;
2191  secp256k1_gej resj;
2192  secp256k1_ge res;
2193  secp256k1_ge_set_gej(&b, &bj);
2194 
2195  secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2196  secp256k1_ge_set_gej(&res, &resj);
2197  ge_equals_gej(&res, &sumj);
2198 
2199  secp256k1_gej_add_ge(&resj, &aj, &b);
2200  secp256k1_ge_set_gej(&res, &resj);
2201  ge_equals_gej(&res, &sumj);
2202 
2203  secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2204  secp256k1_ge_set_gej(&res, &resj);
2205  ge_equals_gej(&res, &sumj);
2206 }
2207 
2208 void run_ge(void) {
2209  int i;
2210  for (i = 0; i < count * 32; i++) {
2211  test_ge();
2212  }
2213  test_add_neg_y_diff_x();
2214 }
2215 
2216 void test_ec_combine(void) {
2217  secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2218  secp256k1_pubkey data[6];
2219  const secp256k1_pubkey* d[6];
2220  secp256k1_pubkey sd;
2221  secp256k1_pubkey sd2;
2222  secp256k1_gej Qj;
2223  secp256k1_ge Q;
2224  int i;
2225  for (i = 1; i <= 6; i++) {
2226  secp256k1_scalar s;
2227  random_scalar_order_test(&s);
2228  secp256k1_scalar_add(&sum, &sum, &s);
2229  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2230  secp256k1_ge_set_gej(&Q, &Qj);
2231  secp256k1_pubkey_save(&data[i - 1], &Q);
2232  d[i - 1] = &data[i - 1];
2233  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2234  secp256k1_ge_set_gej(&Q, &Qj);
2235  secp256k1_pubkey_save(&sd, &Q);
2236  CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
2237  CHECK(memcmp(&sd, &sd2, sizeof(sd)) == 0);
2238  }
2239 }
2240 
2241 void run_ec_combine(void) {
2242  int i;
2243  for (i = 0; i < count * 8; i++) {
2244  test_ec_combine();
2245  }
2246 }
2247 
2248 void test_group_decompress(const secp256k1_fe* x) {
2249  /* The input itself, normalized. */
2250  secp256k1_fe fex = *x;
2251  secp256k1_fe fez;
2252  /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2253  secp256k1_ge ge_quad, ge_even, ge_odd;
2254  secp256k1_gej gej_quad;
2255  /* Return values of the above calls. */
2256  int res_quad, res_even, res_odd;
2257 
2258  secp256k1_fe_normalize_var(&fex);
2259 
2260  res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
2261  res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2262  res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2263 
2264  CHECK(res_quad == res_even);
2265  CHECK(res_quad == res_odd);
2266 
2267  if (res_quad) {
2268  secp256k1_fe_normalize_var(&ge_quad.x);
2269  secp256k1_fe_normalize_var(&ge_odd.x);
2270  secp256k1_fe_normalize_var(&ge_even.x);
2271  secp256k1_fe_normalize_var(&ge_quad.y);
2272  secp256k1_fe_normalize_var(&ge_odd.y);
2273  secp256k1_fe_normalize_var(&ge_even.y);
2274 
2275  /* No infinity allowed. */
2276  CHECK(!ge_quad.infinity);
2277  CHECK(!ge_even.infinity);
2278  CHECK(!ge_odd.infinity);
2279 
2280  /* Check that the x coordinates check out. */
2281  CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2282  CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2283  CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2284 
2285  /* Check that the Y coordinate result in ge_quad is a square. */
2286  CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
2287 
2288  /* Check odd/even Y in ge_odd, ge_even. */
2289  CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2290  CHECK(!secp256k1_fe_is_odd(&ge_even.y));
2291 
2292  /* Check secp256k1_gej_has_quad_y_var. */
2293  secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2294  CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2295  do {
2296  random_fe_test(&fez);
2297  } while (secp256k1_fe_is_zero(&fez));
2298  secp256k1_gej_rescale(&gej_quad, &fez);
2299  CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2300  secp256k1_gej_neg(&gej_quad, &gej_quad);
2301  CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2302  do {
2303  random_fe_test(&fez);
2304  } while (secp256k1_fe_is_zero(&fez));
2305  secp256k1_gej_rescale(&gej_quad, &fez);
2306  CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2307  secp256k1_gej_neg(&gej_quad, &gej_quad);
2308  CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2309  }
2310 }
2311 
2312 void run_group_decompress(void) {
2313  int i;
2314  for (i = 0; i < count * 4; i++) {
2315  secp256k1_fe fe;
2316  random_fe_test(&fe);
2317  test_group_decompress(&fe);
2318  }
2319 }
2320 
2321 /***** ECMULT TESTS *****/
2322 
2323 void run_ecmult_chain(void) {
2324  /* random starting point A (on the curve) */
2325  secp256k1_gej a = SECP256K1_GEJ_CONST(
2326  0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2327  0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2328  0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2329  0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2330  );
2331  /* two random initial factors xn and gn */
2332  secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2333  0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2334  0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2335  );
2336  secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
2337  0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2338  0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2339  );
2340  /* two small multipliers to be applied to xn and gn in every iteration: */
2341  static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2342  static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
2343  /* accumulators with the resulting coefficients to A and G */
2344  secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2345  secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2346  /* actual points */
2347  secp256k1_gej x;
2348  secp256k1_gej x2;
2349  int i;
2350 
2351  /* the point being computed */
2352  x = a;
2353  for (i = 0; i < 200*count; i++) {
2354  /* in each iteration, compute X = xn*X + gn*G; */
2355  secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
2356  /* also compute ae and ge: the actual accumulated factors for A and G */
2357  /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
2358  secp256k1_scalar_mul(&ae, &ae, &xn);
2359  secp256k1_scalar_mul(&ge, &ge, &xn);
2360  secp256k1_scalar_add(&ge, &ge, &gn);
2361  /* modify xn and gn */
2362  secp256k1_scalar_mul(&xn, &xn, &xf);
2363  secp256k1_scalar_mul(&gn, &gn, &gf);
2364 
2365  /* verify */
2366  if (i == 19999) {
2367  /* expected result after 19999 iterations */
2368  secp256k1_gej rp = SECP256K1_GEJ_CONST(
2369  0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2370  0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2371  0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2372  0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2373  );
2374 
2375  secp256k1_gej_neg(&rp, &rp);
2376  secp256k1_gej_add_var(&rp, &rp, &x, NULL);
2377  CHECK(secp256k1_gej_is_infinity(&rp));
2378  }
2379  }
2380  /* redo the computation, but directly with the resulting ae and ge coefficients: */
2381  secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
2382  secp256k1_gej_neg(&x2, &x2);
2383  secp256k1_gej_add_var(&x2, &x2, &x, NULL);
2384  CHECK(secp256k1_gej_is_infinity(&x2));
2385 }
2386 
2387 void test_point_times_order(const secp256k1_gej *point) {
2388  /* X * (point + G) + (order-X) * (pointer + G) = 0 */
2389  secp256k1_scalar x;
2390  secp256k1_scalar nx;
2391  secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2392  secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2393  secp256k1_gej res1, res2;
2394  secp256k1_ge res3;
2395  unsigned char pub[65];
2396  size_t psize = 65;
2397  random_scalar_order_test(&x);
2398  secp256k1_scalar_negate(&nx, &x);
2399  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2400  secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
2401  secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
2402  CHECK(secp256k1_gej_is_infinity(&res1));
2403  CHECK(secp256k1_gej_is_valid_var(&res1) == 0);
2404  secp256k1_ge_set_gej(&res3, &res1);
2405  CHECK(secp256k1_ge_is_infinity(&res3));
2406  CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
2407  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
2408  psize = 65;
2409  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
2410  /* check zero/one edge cases */
2411  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2412  secp256k1_ge_set_gej(&res3, &res1);
2413  CHECK(secp256k1_ge_is_infinity(&res3));
2414  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2415  secp256k1_ge_set_gej(&res3, &res1);
2416  ge_equals_gej(&res3, point);
2417  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2418  secp256k1_ge_set_gej(&res3, &res1);
2419  ge_equals_ge(&res3, &secp256k1_ge_const_g);
2420 }
2421 
2422 void run_point_times_order(void) {
2423  int i;
2424  secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2425  static const secp256k1_fe xr = SECP256K1_FE_CONST(
2426  0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2427  0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2428  );
2429  for (i = 0; i < 500; i++) {
2430  secp256k1_ge p;
2431  if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
2432  secp256k1_gej j;
2433  CHECK(secp256k1_ge_is_valid_var(&p));
2434  secp256k1_gej_set_ge(&j, &p);
2435  CHECK(secp256k1_gej_is_valid_var(&j));
2436  test_point_times_order(&j);
2437  }
2438  secp256k1_fe_sqr(&x, &x);
2439  }
2440  secp256k1_fe_normalize_var(&x);
2441  CHECK(secp256k1_fe_equal_var(&x, &xr));
2442 }
2443 
2444 void ecmult_const_random_mult(void) {
2445  /* random starting point A (on the curve) */
2446  secp256k1_ge a = SECP256K1_GE_CONST(
2447  0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2448  0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2449  0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2450  0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2451  );
2452  /* random initial factor xn */
2453  secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2454  0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2455  0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2456  );
2457  /* expected xn * A (from sage) */
2458  secp256k1_ge expected_b = SECP256K1_GE_CONST(
2459  0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2460  0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2461  0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2462  0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2463  );
2464  secp256k1_gej b;
2465  secp256k1_ecmult_const(&b, &a, &xn, 256);
2466 
2467  CHECK(secp256k1_ge_is_valid_var(&a));
2468  ge_equals_gej(&expected_b, &b);
2469 }
2470 
2471 void ecmult_const_commutativity(void) {
2472  secp256k1_scalar a;
2473  secp256k1_scalar b;
2474  secp256k1_gej res1;
2475  secp256k1_gej res2;
2476  secp256k1_ge mid1;
2477  secp256k1_ge mid2;
2478  random_scalar_order_test(&a);
2479  random_scalar_order_test(&b);
2480 
2481  secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
2482  secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
2483  secp256k1_ge_set_gej(&mid1, &res1);
2484  secp256k1_ge_set_gej(&mid2, &res2);
2485  secp256k1_ecmult_const(&res1, &mid1, &b, 256);
2486  secp256k1_ecmult_const(&res2, &mid2, &a, 256);
2487  secp256k1_ge_set_gej(&mid1, &res1);
2488  secp256k1_ge_set_gej(&mid2, &res2);
2489  ge_equals_ge(&mid1, &mid2);
2490 }
2491 
2492 void ecmult_const_mult_zero_one(void) {
2493  secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2494  secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2495  secp256k1_scalar negone;
2496  secp256k1_gej res1;
2497  secp256k1_ge res2;
2498  secp256k1_ge point;
2499  secp256k1_scalar_negate(&negone, &one);
2500 
2501  random_group_element_test(&point);
2502  secp256k1_ecmult_const(&res1, &point, &zero, 3);
2503  secp256k1_ge_set_gej(&res2, &res1);
2504  CHECK(secp256k1_ge_is_infinity(&res2));
2505  secp256k1_ecmult_const(&res1, &point, &one, 2);
2506  secp256k1_ge_set_gej(&res2, &res1);
2507  ge_equals_ge(&res2, &point);
2508  secp256k1_ecmult_const(&res1, &point, &negone, 256);
2509  secp256k1_gej_neg(&res1, &res1);
2510  secp256k1_ge_set_gej(&res2, &res1);
2511  ge_equals_ge(&res2, &point);
2512 }
2513 
2514 void ecmult_const_chain_multiply(void) {
2515  /* Check known result (randomly generated test problem from sage) */
2516  const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
2517  0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2518  0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2519  );
2520  const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
2521  0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2522  0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2523  0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2524  0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2525  );
2526  secp256k1_gej point;
2527  secp256k1_ge res;
2528  int i;
2529 
2530  secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2531  for (i = 0; i < 100; ++i) {
2532  secp256k1_ge tmp;
2533  secp256k1_ge_set_gej(&tmp, &point);
2534  secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
2535  }
2536  secp256k1_ge_set_gej(&res, &point);
2537  ge_equals_gej(&res, &expected_point);
2538 }
2539 
2540 void run_ecmult_const_tests(void) {
2541  ecmult_const_mult_zero_one();
2542  ecmult_const_random_mult();
2543  ecmult_const_commutativity();
2544  ecmult_const_chain_multiply();
2545 }
2546 
2547 typedef struct {
2548  secp256k1_scalar *sc;
2549  secp256k1_ge *pt;
2550 } ecmult_multi_data;
2551 
2552 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2553  ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
2554  *sc = data->sc[idx];
2555  *pt = data->pt[idx];
2556  return 1;
2557 }
2558 
2559 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2560  (void)sc;
2561  (void)pt;
2562  (void)idx;
2563  (void)cbdata;
2564  return 0;
2565 }
2566 
2567 void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
2568  int ncount;
2569  secp256k1_scalar szero;
2570  secp256k1_scalar sc[32];
2571  secp256k1_ge pt[32];
2572  secp256k1_gej r;
2573  secp256k1_gej r2;
2574  ecmult_multi_data data;
2575  secp256k1_scratch *scratch_empty;
2576 
2577  data.sc = sc;
2578  data.pt = pt;
2579  secp256k1_scalar_set_int(&szero, 0);
2580 
2581  /* No points to multiply */
2582  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
2583 
2584  /* Check 1- and 2-point multiplies against ecmult */
2585  for (ncount = 0; ncount < count; ncount++) {
2586  secp256k1_ge ptg;
2587  secp256k1_gej ptgj;
2588  random_scalar_order(&sc[0]);
2589  random_scalar_order(&sc[1]);
2590 
2591  random_group_element_test(&ptg);
2592  secp256k1_gej_set_ge(&ptgj, &ptg);
2593  pt[0] = ptg;
2594  pt[1] = secp256k1_ge_const_g;
2595 
2596  /* only G scalar */
2597  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
2598  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
2599  secp256k1_gej_neg(&r2, &r2);
2600  secp256k1_gej_add_var(&r, &r, &r2, NULL);
2601  CHECK(secp256k1_gej_is_infinity(&r));
2602 
2603  /* 1-point */
2604  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
2605  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
2606  secp256k1_gej_neg(&r2, &r2);
2607  secp256k1_gej_add_var(&r, &r, &r2, NULL);
2608  CHECK(secp256k1_gej_is_infinity(&r));
2609 
2610  /* Try to multiply 1 point, but scratch space is empty */
2611  scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
2612  CHECK(!ecmult_multi(&ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
2613  secp256k1_scratch_destroy(scratch_empty);
2614 
2615  /* Try to multiply 1 point, but callback returns false */
2616  CHECK(!ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
2617 
2618  /* 2-point */
2619  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2620  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
2621  secp256k1_gej_neg(&r2, &r2);
2622  secp256k1_gej_add_var(&r, &r, &r2, NULL);
2623  CHECK(secp256k1_gej_is_infinity(&r));
2624 
2625  /* 2-point with G scalar */
2626  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2627  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
2628  secp256k1_gej_neg(&r2, &r2);
2629  secp256k1_gej_add_var(&r, &r, &r2, NULL);
2630  CHECK(secp256k1_gej_is_infinity(&r));
2631  }
2632 
2633  /* Check infinite outputs of various forms */
2634  for (ncount = 0; ncount < count; ncount++) {
2635  secp256k1_ge ptg;
2636  size_t i, j;
2637  size_t sizes[] = { 2, 10, 32 };
2638 
2639  for (j = 0; j < 3; j++) {
2640  for (i = 0; i < 32; i++) {
2641  random_scalar_order(&sc[i]);
2642  secp256k1_ge_set_infinity(&pt[i]);
2643  }
2644  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2645  CHECK(secp256k1_gej_is_infinity(&r));
2646  }
2647 
2648  for (j = 0; j < 3; j++) {
2649  for (i = 0; i < 32; i++) {
2650  random_group_element_test(&ptg);
2651  pt[i] = ptg;
2652  secp256k1_scalar_set_int(&sc[i], 0);
2653  }
2654  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2655  CHECK(secp256k1_gej_is_infinity(&r));
2656  }
2657 
2658  for (j = 0; j < 3; j++) {
2659  random_group_element_test(&ptg);
2660  for (i = 0; i < 16; i++) {
2661  random_scalar_order(&sc[2*i]);
2662  secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
2663  pt[2 * i] = ptg;
2664  pt[2 * i + 1] = ptg;
2665  }
2666 
2667  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2668  CHECK(secp256k1_gej_is_infinity(&r));
2669 
2670  random_scalar_order(&sc[0]);
2671  for (i = 0; i < 16; i++) {
2672  random_group_element_test(&ptg);
2673 
2674  sc[2*i] = sc[0];
2675  sc[2*i+1] = sc[0];
2676  pt[2 * i] = ptg;
2677  secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
2678  }
2679 
2680  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2681  CHECK(secp256k1_gej_is_infinity(&r));
2682  }
2683 
2684  random_group_element_test(&ptg);
2685  secp256k1_scalar_set_int(&sc[0], 0);
2686  pt[0] = ptg;
2687  for (i = 1; i < 32; i++) {
2688  pt[i] = ptg;
2689 
2690  random_scalar_order(&sc[i]);
2691  secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
2692  secp256k1_scalar_negate(&sc[i], &sc[i]);
2693  }
2694 
2695  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
2696  CHECK(secp256k1_gej_is_infinity(&r));
2697  }
2698 
2699  /* Check random points, constant scalar */
2700  for (ncount = 0; ncount < count; ncount++) {
2701  size_t i;
2702  secp256k1_gej_set_infinity(&r);
2703 
2704  random_scalar_order(&sc[0]);
2705  for (i = 0; i < 20; i++) {
2706  secp256k1_ge ptg;
2707  sc[i] = sc[0];
2708  random_group_element_test(&ptg);
2709  pt[i] = ptg;
2710  secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
2711  }
2712 
2713  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
2714  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2715  secp256k1_gej_neg(&r2, &r2);
2716  secp256k1_gej_add_var(&r, &r, &r2, NULL);
2717  CHECK(secp256k1_gej_is_infinity(&r));
2718  }
2719 
2720  /* Check random scalars, constant point */
2721  for (ncount = 0; ncount < count; ncount++) {
2722  size_t i;
2723  secp256k1_ge ptg;
2724  secp256k1_gej p0j;
2725  secp256k1_scalar rs;
2726  secp256k1_scalar_set_int(&rs, 0);
2727 
2728  random_group_element_test(&ptg);
2729  for (i = 0; i < 20; i++) {
2730  random_scalar_order(&sc[i]);
2731  pt[i] = ptg;
2732  secp256k1_scalar_add(&rs, &rs, &sc[i]);
2733  }
2734 
2735  secp256k1_gej_set_ge(&p0j, &pt[0]);
2736  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
2737  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2738  secp256k1_gej_neg(&r2, &r2);
2739  secp256k1_gej_add_var(&r, &r, &r2, NULL);
2740  CHECK(secp256k1_gej_is_infinity(&r));
2741  }
2742 
2743  /* Sanity check that zero scalars don't cause problems */
2744  for (ncount = 0; ncount < 20; ncount++) {
2745  random_scalar_order(&sc[ncount]);
2746  random_group_element_test(&pt[ncount]);
2747  }
2748 
2749  secp256k1_scalar_clear(&sc[0]);
2750  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2751  secp256k1_scalar_clear(&sc[1]);
2752  secp256k1_scalar_clear(&sc[2]);
2753  secp256k1_scalar_clear(&sc[3]);
2754  secp256k1_scalar_clear(&sc[4]);
2755  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
2756  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
2757  CHECK(secp256k1_gej_is_infinity(&r));
2758 
2759  /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
2760  {
2761  const size_t TOP = 8;
2762  size_t s0i, s1i;
2763  size_t t0i, t1i;
2764  secp256k1_ge ptg;
2765  secp256k1_gej ptgj;
2766 
2767  random_group_element_test(&ptg);
2768  secp256k1_gej_set_ge(&ptgj, &ptg);
2769 
2770  for(t0i = 0; t0i < TOP; t0i++) {
2771  for(t1i = 0; t1i < TOP; t1i++) {
2772  secp256k1_gej t0p, t1p;
2773  secp256k1_scalar t0, t1;
2774 
2775  secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
2776  secp256k1_scalar_cond_negate(&t0, t0i & 1);
2777  secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
2778  secp256k1_scalar_cond_negate(&t1, t1i & 1);
2779 
2780  secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
2781  secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
2782 
2783  for(s0i = 0; s0i < TOP; s0i++) {
2784  for(s1i = 0; s1i < TOP; s1i++) {
2785  secp256k1_scalar tmp1, tmp2;
2786  secp256k1_gej expected, actual;
2787 
2788  secp256k1_ge_set_gej(&pt[0], &t0p);
2789  secp256k1_ge_set_gej(&pt[1], &t1p);
2790 
2791  secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
2792  secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
2793  secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
2794  secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
2795 
2796  secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
2797  secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
2798  secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
2799 
2800  secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
2801  CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
2802  secp256k1_gej_neg(&expected, &expected);
2803  secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
2804  CHECK(secp256k1_gej_is_infinity(&actual));
2805  }
2806  }
2807  }
2808  }
2809  }
2810 }
2811 
2812 void test_secp256k1_pippenger_bucket_window_inv(void) {
2813  int i;
2814 
2815  CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
2816  for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
2817 #ifdef USE_ENDOMORPHISM
2818  /* Bucket_window of 8 is not used with endo */
2819  if (i == 8) {
2820  continue;
2821  }
2822 #endif
2823  CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
2824  if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
2825  CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
2826  }
2827  }
2828 }
2829 
2834 void test_ecmult_multi_pippenger_max_points(void) {
2835  size_t scratch_size = secp256k1_rand_int(256);
2836  size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
2837  secp256k1_scratch *scratch;
2838  size_t n_points_supported;
2839  int bucket_window = 0;
2840 
2841  for(; scratch_size < max_size; scratch_size+=256) {
2842  scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
2843  CHECK(scratch != NULL);
2844  n_points_supported = secp256k1_pippenger_max_points(scratch);
2845  if (n_points_supported == 0) {
2846  secp256k1_scratch_destroy(scratch);
2847  continue;
2848  }
2849  bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
2850  CHECK(secp256k1_scratch_allocate_frame(scratch, secp256k1_pippenger_scratch_size(n_points_supported, bucket_window), PIPPENGER_SCRATCH_OBJECTS));
2851  secp256k1_scratch_deallocate_frame(scratch);
2852  secp256k1_scratch_destroy(scratch);
2853  }
2854  CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
2855 }
2856 
2857 void test_ecmult_multi_batch_size_helper(void) {
2858  size_t n_batches, n_batch_points, max_n_batch_points, n;
2859 
2860  max_n_batch_points = 0;
2861  n = 1;
2862  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
2863 
2864  max_n_batch_points = 1;
2865  n = 0;
2866  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2867  CHECK(n_batches == 0);
2868  CHECK(n_batch_points == 0);
2869 
2870  max_n_batch_points = 2;
2871  n = 5;
2872  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2873  CHECK(n_batches == 3);
2874  CHECK(n_batch_points == 2);
2875 
2876  max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
2877  n = ECMULT_MAX_POINTS_PER_BATCH;
2878  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2879  CHECK(n_batches == 1);
2880  CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
2881 
2882  max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
2883  n = ECMULT_MAX_POINTS_PER_BATCH + 1;
2884  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2885  CHECK(n_batches == 2);
2886  CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
2887 
2888  max_n_batch_points = 1;
2889  n = SIZE_MAX;
2890  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2891  CHECK(n_batches == SIZE_MAX);
2892  CHECK(n_batch_points == 1);
2893 
2894  max_n_batch_points = 2;
2895  n = SIZE_MAX;
2896  CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2897  CHECK(n_batches == SIZE_MAX/2 + 1);
2898  CHECK(n_batch_points == 2);
2899 }
2900 
2905 void test_ecmult_multi_batching(void) {
2906  static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
2907  secp256k1_scalar scG;
2908  secp256k1_scalar szero;
2909  secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
2910  secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
2911  secp256k1_gej r;
2912  secp256k1_gej r2;
2913  ecmult_multi_data data;
2914  int i;
2915  secp256k1_scratch *scratch;
2916 
2917  secp256k1_gej_set_infinity(&r2);
2918  secp256k1_scalar_set_int(&szero, 0);
2919 
2920  /* Get random scalars and group elements and compute result */
2921  random_scalar_order(&scG);
2922  secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
2923  for(i = 0; i < n_points; i++) {
2924  secp256k1_ge ptg;
2925  secp256k1_gej ptgj;
2926  random_group_element_test(&ptg);
2927  secp256k1_gej_set_ge(&ptgj, &ptg);
2928  pt[i] = ptg;
2929  random_scalar_order(&sc[i]);
2930  secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
2931  secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
2932  }
2933  data.sc = sc;
2934  data.pt = pt;
2935 
2936  /* Test with empty scratch space */
2937  scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
2938  CHECK(!secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, 1));
2939  secp256k1_scratch_destroy(scratch);
2940 
2941  /* Test with space for 1 point in pippenger. That's not enough because
2942  * ecmult_multi selects strauss which requires more memory. */
2943  scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
2944  CHECK(!secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, 1));
2945  secp256k1_scratch_destroy(scratch);
2946 
2947  secp256k1_gej_neg(&r2, &r2);
2948  for(i = 1; i <= n_points; i++) {
2949  if (i > ECMULT_PIPPENGER_THRESHOLD) {
2950  int bucket_window = secp256k1_pippenger_bucket_window(i);
2951  size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
2952  scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
2953  } else {
2954  size_t scratch_size = secp256k1_strauss_scratch_size(i);
2955  scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
2956  }
2957  CHECK(secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
2958  secp256k1_gej_add_var(&r, &r, &r2, NULL);
2959  CHECK(secp256k1_gej_is_infinity(&r));
2960  secp256k1_scratch_destroy(scratch);
2961  }
2962  free(sc);
2963  free(pt);
2964 }
2965 
2966 void run_ecmult_multi_tests(void) {
2967  secp256k1_scratch *scratch;
2968 
2969  test_secp256k1_pippenger_bucket_window_inv();
2970  test_ecmult_multi_pippenger_max_points();
2971  scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
2972  test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
2973  test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
2974  test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
2975  test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
2976  secp256k1_scratch_destroy(scratch);
2977 
2978  /* Run test_ecmult_multi with space for exactly one point */
2979  scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
2980  test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
2981  secp256k1_scratch_destroy(scratch);
2982 
2983  test_ecmult_multi_batch_size_helper();
2984  test_ecmult_multi_batching();
2985 }
2986 
2987 void test_wnaf(const secp256k1_scalar *number, int w) {
2988  secp256k1_scalar x, two, t;
2989  int wnaf[256];
2990  int zeroes = -1;
2991  int i;
2992  int bits;
2993  secp256k1_scalar_set_int(&x, 0);
2994  secp256k1_scalar_set_int(&two, 2);
2995  bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
2996  CHECK(bits <= 256);
2997  for (i = bits-1; i >= 0; i--) {
2998  int v = wnaf[i];
2999  secp256k1_scalar_mul(&x, &x, &two);
3000  if (v) {
3001  CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
3002  zeroes=0;
3003  CHECK((v & 1) == 1); /* check non-zero elements are odd */
3004  CHECK(v <= (1 << (w-1)) - 1); /* check range below */
3005  CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
3006  } else {
3007  CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
3008  zeroes++;
3009  }
3010  if (v >= 0) {
3011  secp256k1_scalar_set_int(&t, v);
3012  } else {
3013  secp256k1_scalar_set_int(&t, -v);
3014  secp256k1_scalar_negate(&t, &t);
3015  }
3016  secp256k1_scalar_add(&x, &x, &t);
3017  }
3018  CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
3019 }
3020 
3021 void test_constant_wnaf_negate(const secp256k1_scalar *number) {
3022  secp256k1_scalar neg1 = *number;
3023  secp256k1_scalar neg2 = *number;
3024  int sign1 = 1;
3025  int sign2 = 1;
3026 
3027  if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
3028  secp256k1_scalar_negate(&neg1, &neg1);
3029  sign1 = -1;
3030  }
3031  sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
3032  CHECK(sign1 == sign2);
3033  CHECK(secp256k1_scalar_eq(&neg1, &neg2));
3034 }
3035 
3036 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
3037  secp256k1_scalar x, shift;
3038  int wnaf[256] = {0};
3039  int i;
3040  int skew;
3041  int bits = 256;
3042  secp256k1_scalar num = *number;
3043 
3044  secp256k1_scalar_set_int(&x, 0);
3045  secp256k1_scalar_set_int(&shift, 1 << w);
3046  /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3047 #ifdef USE_ENDOMORPHISM
3048  for (i = 0; i < 16; ++i) {
3049  secp256k1_scalar_shr_int(&num, 8);
3050  }
3051  bits = 128;
3052 #endif
3053  skew = secp256k1_wnaf_const(wnaf, num, w, bits);
3054 
3055  for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
3056  secp256k1_scalar t;
3057  int v = wnaf[i];
3058  CHECK(v != 0); /* check nonzero */
3059  CHECK(v & 1); /* check parity */
3060  CHECK(v > -(1 << w)); /* check range above */
3061  CHECK(v < (1 << w)); /* check range below */
3062 
3063  secp256k1_scalar_mul(&x, &x, &shift);
3064  if (v >= 0) {
3065  secp256k1_scalar_set_int(&t, v);
3066  } else {
3067  secp256k1_scalar_set_int(&t, -v);
3068  secp256k1_scalar_negate(&t, &t);
3069  }
3070  secp256k1_scalar_add(&x, &x, &t);
3071  }
3072  /* Skew num because when encoding numbers as odd we use an offset */
3073  secp256k1_scalar_cadd_bit(&num, skew == 2, 1);
3074  CHECK(secp256k1_scalar_eq(&x, &num));
3075 }
3076 
3077 void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
3078  secp256k1_scalar x, shift;
3079  int wnaf[256] = {0};
3080  int i;
3081  int skew;
3082  secp256k1_scalar num = *number;
3083 
3084  secp256k1_scalar_set_int(&x, 0);
3085  secp256k1_scalar_set_int(&shift, 1 << w);
3086  /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3087 #ifdef USE_ENDOMORPHISM
3088  for (i = 0; i < 16; ++i) {
3089  secp256k1_scalar_shr_int(&num, 8);
3090  }
3091 #endif
3092  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3093 
3094  for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3095  secp256k1_scalar t;
3096  int v = wnaf[i];
3097  CHECK(v == 0 || v & 1); /* check parity */
3098  CHECK(v > -(1 << w)); /* check range above */
3099  CHECK(v < (1 << w)); /* check range below */
3100 
3101  secp256k1_scalar_mul(&x, &x, &shift);
3102  if (v >= 0) {
3103  secp256k1_scalar_set_int(&t, v);
3104  } else {
3105  secp256k1_scalar_set_int(&t, -v);
3106  secp256k1_scalar_negate(&t, &t);
3107  }
3108  secp256k1_scalar_add(&x, &x, &t);
3109  }
3110  /* If skew is 1 then add 1 to num */
3111  secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
3112  CHECK(secp256k1_scalar_eq(&x, &num));
3113 }
3114 
3115 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
3116  * rest is 0.*/
3117 void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
3118  int i;
3119  for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
3120  CHECK(wnaf[i] == 0);
3121  }
3122  for (i = 7; i >= 0; --i) {
3123  CHECK(wnaf[i] == wnaf_expected[i]);
3124  }
3125 }
3126 
3127 void test_fixed_wnaf_small(void) {
3128  int w = 4;
3129  int wnaf[256] = {0};
3130  int i;
3131  int skew;
3132  secp256k1_scalar num;
3133 
3134  secp256k1_scalar_set_int(&num, 0);
3135  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3136  for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3137  int v = wnaf[i];
3138  CHECK(v == 0);
3139  }
3140  CHECK(skew == 0);
3141 
3142  secp256k1_scalar_set_int(&num, 1);
3143  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3144  for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
3145  int v = wnaf[i];
3146  CHECK(v == 0);
3147  }
3148  CHECK(wnaf[0] == 1);
3149  CHECK(skew == 0);
3150 
3151  {
3152  int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
3153  secp256k1_scalar_set_int(&num, 0xffffffff);
3154  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3155  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3156  CHECK(skew == 0);
3157  }
3158  {
3159  int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
3160  secp256k1_scalar_set_int(&num, 0xeeeeeeee);
3161  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3162  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3163  CHECK(skew == 1);
3164  }
3165  {
3166  int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
3167  secp256k1_scalar_set_int(&num, 0x01010101);
3168  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3169  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3170  CHECK(skew == 0);
3171  }
3172  {
3173  int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
3174  secp256k1_scalar_set_int(&num, 0x01ef1ef1);
3175  skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3176  test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3177  CHECK(skew == 0);
3178  }
3179 }
3180 
3181 void run_wnaf(void) {
3182  int i;
3183  secp256k1_scalar n = {{0}};
3184 
3185  /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
3186  * have easier-to-diagnose failure modes */
3187  n.d[0] = 1;
3188  test_constant_wnaf(&n, 4);
3189  n.d[0] = 2;
3190  test_constant_wnaf(&n, 4);
3191  /* Test 0 */
3192  test_fixed_wnaf_small();
3193  /* Random tests */
3194  for (i = 0; i < count; i++) {
3195  random_scalar_order(&n);
3196  test_wnaf(&n, 4+(i%10));
3197  test_constant_wnaf_negate(&n);
3198  test_constant_wnaf(&n, 4 + (i % 10));
3199  test_fixed_wnaf(&n, 4 + (i % 10));
3200  }
3201  secp256k1_scalar_set_int(&n, 0);
3202  CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
3203  CHECK(secp256k1_scalar_is_zero(&n));
3204  CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
3205  CHECK(secp256k1_scalar_is_zero(&n));
3206 }
3207 
3208 void test_ecmult_constants(void) {
3209  /* Test ecmult_gen() for [0..36) and [order-36..0). */
3210  secp256k1_scalar x;
3211  secp256k1_gej r;
3212  secp256k1_ge ng;
3213  int i;
3214  int j;
3215  secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
3216  for (i = 0; i < 36; i++ ) {
3217  secp256k1_scalar_set_int(&x, i);
3218  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3219  for (j = 0; j < i; j++) {
3220  if (j == i - 1) {
3221  ge_equals_gej(&secp256k1_ge_const_g, &r);
3222  }
3223  secp256k1_gej_add_ge(&r, &r, &ng);
3224  }
3225  CHECK(secp256k1_gej_is_infinity(&r));
3226  }
3227  for (i = 1; i <= 36; i++ ) {
3228  secp256k1_scalar_set_int(&x, i);
3229  secp256k1_scalar_negate(&x, &x);
3230  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3231  for (j = 0; j < i; j++) {
3232  if (j == i - 1) {
3233  ge_equals_gej(&ng, &r);
3234  }
3235  secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
3236  }
3237  CHECK(secp256k1_gej_is_infinity(&r));
3238  }
3239 }
3240 
3241 void run_ecmult_constants(void) {
3242  test_ecmult_constants();
3243 }
3244 
3245 void test_ecmult_gen_blind(void) {
3246  /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
3247  secp256k1_scalar key;
3248  secp256k1_scalar b;
3249  unsigned char seed32[32];
3250  secp256k1_gej pgej;
3251  secp256k1_gej pgej2;
3252  secp256k1_gej i;
3253  secp256k1_ge pge;
3254  random_scalar_order_test(&key);
3255  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
3256  secp256k1_rand256(seed32);
3257  b = ctx->ecmult_gen_ctx.blind;
3258  i = ctx->ecmult_gen_ctx.initial;
3259  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
3260  CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3261  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
3262  CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
3263  CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
3264  secp256k1_ge_set_gej(&pge, &pgej);
3265  ge_equals_gej(&pge, &pgej2);
3266 }
3267 
3268 void test_ecmult_gen_blind_reset(void) {
3269  /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
3270  secp256k1_scalar b;
3271  secp256k1_gej initial;
3272  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3273  b = ctx->ecmult_gen_ctx.blind;
3274  initial = ctx->ecmult_gen_ctx.initial;
3275  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3276  CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3277  CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
3278 }
3279 
3280 void run_ecmult_gen_blind(void) {
3281  int i;
3282  test_ecmult_gen_blind_reset();
3283  for (i = 0; i < 10; i++) {
3284  test_ecmult_gen_blind();
3285  }
3286 }
3287 
3288 #ifdef USE_ENDOMORPHISM
3289 /***** ENDOMORPHISH TESTS *****/
3290 void test_scalar_split(void) {
3291  secp256k1_scalar full;
3292  secp256k1_scalar s1, slam;
3293  const unsigned char zero[32] = {0};
3294  unsigned char tmp[32];
3295 
3296  random_scalar_order_test(&full);
3297  secp256k1_scalar_split_lambda(&s1, &slam, &full);
3298 
3299  /* check that both are <= 128 bits in size */
3300  if (secp256k1_scalar_is_high(&s1)) {
3301  secp256k1_scalar_negate(&s1, &s1);
3302  }
3303  if (secp256k1_scalar_is_high(&slam)) {
3304  secp256k1_scalar_negate(&slam, &slam);
3305  }
3306 
3307  secp256k1_scalar_get_b32(tmp, &s1);
3308  CHECK(memcmp(zero, tmp, 16) == 0);
3309  secp256k1_scalar_get_b32(tmp, &slam);
3310  CHECK(memcmp(zero, tmp, 16) == 0);
3311 }
3312 
3313 void run_endomorphism_tests(void) {
3314  test_scalar_split();
3315 }
3316 #endif
3317 
3318 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
3319  unsigned char pubkeyc[65];
3320  secp256k1_pubkey pubkey;
3321  secp256k1_ge ge;
3322  size_t pubkeyclen;
3323  int32_t ecount;
3324  ecount = 0;
3325  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3326  for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
3327  /* Smaller sizes are tested exhaustively elsewhere. */
3328  int32_t i;
3329  memcpy(&pubkeyc[1], input, 64);
3330  VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
3331  for (i = 0; i < 256; i++) {
3332  /* Try all type bytes. */
3333  int xpass;
3334  int ypass;
3335  int ysign;
3336  pubkeyc[0] = i;
3337  /* What sign does this point have? */
3338  ysign = (input[63] & 1) + 2;
3339  /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
3340  xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
3341  /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
3342  ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
3343  ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
3344  if (xpass || ypass) {
3345  /* These cases must parse. */
3346  unsigned char pubkeyo[65];
3347  size_t outl;
3348  memset(&pubkey, 0, sizeof(pubkey));
3349  VG_UNDEF(&pubkey, sizeof(pubkey));
3350  ecount = 0;
3351  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3352  VG_CHECK(&pubkey, sizeof(pubkey));
3353  outl = 65;
3354  VG_UNDEF(pubkeyo, 65);
3355  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3356  VG_CHECK(pubkeyo, outl);
3357  CHECK(outl == 33);
3358  CHECK(memcmp(&pubkeyo[1], &pubkeyc[1], 32) == 0);
3359  CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
3360  if (ypass) {
3361  /* This test isn't always done because we decode with alternative signs, so the y won't match. */
3362  CHECK(pubkeyo[0] == ysign);
3363  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3364  memset(&pubkey, 0, sizeof(pubkey));
3365  VG_UNDEF(&pubkey, sizeof(pubkey));
3366  secp256k1_pubkey_save(&pubkey, &ge);
3367  VG_CHECK(&pubkey, sizeof(pubkey));
3368  outl = 65;
3369  VG_UNDEF(pubkeyo, 65);
3370  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3371  VG_CHECK(pubkeyo, outl);
3372  CHECK(outl == 65);
3373  CHECK(pubkeyo[0] == 4);
3374  CHECK(memcmp(&pubkeyo[1], input, 64) == 0);
3375  }
3376  CHECK(ecount == 0);
3377  } else {
3378  /* These cases must fail to parse. */
3379  memset(&pubkey, 0xfe, sizeof(pubkey));
3380  ecount = 0;
3381  VG_UNDEF(&pubkey, sizeof(pubkey));
3382  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
3383  VG_CHECK(&pubkey, sizeof(pubkey));
3384  CHECK(ecount == 0);
3385  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3386  CHECK(ecount == 1);
3387  }
3388  }
3389  }
3390  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3391 }
3392 
3393 void run_ec_pubkey_parse_test(void) {
3394 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
3395  const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
3396  {
3397  /* Point with leading and trailing zeros in x and y serialization. */
3398  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
3399  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3400  0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
3401  0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
3402  },
3403  {
3404  /* Point with x equal to a 3rd root of unity.*/
3405  0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
3406  0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
3407  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3408  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3409  },
3410  {
3411  /* Point with largest x. (1/2) */
3412  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3413  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3414  0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
3415  0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
3416  },
3417  {
3418  /* Point with largest x. (2/2) */
3419  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3420  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3421  0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
3422  0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
3423  },
3424  {
3425  /* Point with smallest x. (1/2) */
3426  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3427  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3428  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3429  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3430  },
3431  {
3432  /* Point with smallest x. (2/2) */
3433  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3434  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3435  0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3436  0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3437  },
3438  {
3439  /* Point with largest y. (1/3) */
3440  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3441  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3442  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3443  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3444  },
3445  {
3446  /* Point with largest y. (2/3) */
3447  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3448  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3449  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3450  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3451  },
3452  {
3453  /* Point with largest y. (3/3) */
3454  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3455  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3456  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3457  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3458  },
3459  {
3460  /* Point with smallest y. (1/3) */
3461  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3462  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3463  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3464  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3465  },
3466  {
3467  /* Point with smallest y. (2/3) */
3468  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3469  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3470  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3471  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3472  },
3473  {
3474  /* Point with smallest y. (3/3) */
3475  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3476  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3477  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3478  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
3479  }
3480  };
3481 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
3482  const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
3483  {
3484  /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
3485  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3486  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3487  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3488  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3489  },
3490  {
3491  /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
3492  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3493  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3494  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3495  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3496  },
3497  {
3498  /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
3499  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3500  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3501  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3502  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3503  },
3504  {
3505  /* x on curve, y is from y^2 = x^3 + 8. */
3506  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3507  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3508  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3509  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
3510  }
3511  };
3512 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
3513  const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
3514  {
3515  /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
3516  0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
3517  0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
3518  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3519  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3520  },
3521  {
3522  /* Valid if x overflow ignored (x = 1 mod p). */
3523  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3524  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3525  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3526  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3527  },
3528  {
3529  /* Valid if x overflow ignored (x = 1 mod p). */
3530  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3531  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3532  0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3533  0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3534  },
3535  {
3536  /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3537  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3538  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3539  0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
3540  0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
3541  },
3542  {
3543  /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3544  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3545  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3546  0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
3547  0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
3548  },
3549  {
3550  /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3551  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3552  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3553  0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
3554  0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
3555  },
3556  {
3557  /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3558  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3559  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3560  0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
3561  0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
3562  }
3563  };
3564  const unsigned char pubkeyc[66] = {
3565  /* Serialization of G. */
3566  0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
3567  0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
3568  0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
3569  0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
3570  0xB8, 0x00
3571  };
3572  unsigned char sout[65];
3573  unsigned char shortkey[2];
3574  secp256k1_ge ge;
3575  secp256k1_pubkey pubkey;
3576  size_t len;
3577  int32_t i;
3578  int32_t ecount;
3579  int32_t ecount2;
3580  ecount = 0;
3581  /* Nothing should be reading this far into pubkeyc. */
3582  VG_UNDEF(&pubkeyc[65], 1);
3583  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3584  /* Zero length claimed, fail, zeroize, no illegal arg error. */
3585  memset(&pubkey, 0xfe, sizeof(pubkey));
3586  ecount = 0;
3587  VG_UNDEF(shortkey, 2);
3588  VG_UNDEF(&pubkey, sizeof(pubkey));
3589  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
3590  VG_CHECK(&pubkey, sizeof(pubkey));
3591  CHECK(ecount == 0);
3592  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3593  CHECK(ecount == 1);
3594  /* Length one claimed, fail, zeroize, no illegal arg error. */
3595  for (i = 0; i < 256 ; i++) {
3596  memset(&pubkey, 0xfe, sizeof(pubkey));
3597  ecount = 0;
3598  shortkey[0] = i;
3599  VG_UNDEF(&shortkey[1], 1);
3600  VG_UNDEF(&pubkey, sizeof(pubkey));
3601  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
3602  VG_CHECK(&pubkey, sizeof(pubkey));
3603  CHECK(ecount == 0);
3604  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3605  CHECK(ecount == 1);
3606  }
3607  /* Length two claimed, fail, zeroize, no illegal arg error. */
3608  for (i = 0; i < 65536 ; i++) {
3609  memset(&pubkey, 0xfe, sizeof(pubkey));
3610  ecount = 0;
3611  shortkey[0] = i & 255;
3612  shortkey[1] = i >> 8;
3613  VG_UNDEF(&pubkey, sizeof(pubkey));
3614  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
3615  VG_CHECK(&pubkey, sizeof(pubkey));
3616  CHECK(ecount == 0);
3617  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3618  CHECK(ecount == 1);
3619  }
3620  memset(&pubkey, 0xfe, sizeof(pubkey));
3621  ecount = 0;
3622  VG_UNDEF(&pubkey, sizeof(pubkey));
3623  /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
3624  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
3625  VG_CHECK(&pubkey, sizeof(pubkey));
3626  CHECK(ecount == 0);
3627  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3628  CHECK(ecount == 1);
3629  /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
3630  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
3631  CHECK(ecount == 2);
3632  /* NULL input string. Illegal arg and zeroize output. */
3633  memset(&pubkey, 0xfe, sizeof(pubkey));
3634  ecount = 0;
3635  VG_UNDEF(&pubkey, sizeof(pubkey));
3636  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
3637  VG_CHECK(&pubkey, sizeof(pubkey));
3638  CHECK(ecount == 1);
3639  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3640  CHECK(ecount == 2);
3641  /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
3642  memset(&pubkey, 0xfe, sizeof(pubkey));
3643  ecount = 0;
3644  VG_UNDEF(&pubkey, sizeof(pubkey));
3645  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
3646  VG_CHECK(&pubkey, sizeof(pubkey));
3647  CHECK(ecount == 0);
3648  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3649  CHECK(ecount == 1);
3650  /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
3651  memset(&pubkey, 0xfe, sizeof(pubkey));
3652  ecount = 0;
3653  VG_UNDEF(&pubkey, sizeof(pubkey));
3654  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
3655  VG_CHECK(&pubkey, sizeof(pubkey));
3656  CHECK(ecount == 0);
3657  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3658  CHECK(ecount == 1);
3659  /* Valid parse. */
3660  memset(&pubkey, 0, sizeof(pubkey));
3661  ecount = 0;
3662  VG_UNDEF(&pubkey, sizeof(pubkey));
3663  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
3664  CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
3665  VG_CHECK(&pubkey, sizeof(pubkey));
3666  CHECK(ecount == 0);
3667  VG_UNDEF(&ge, sizeof(ge));
3668  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3669  VG_CHECK(&ge.x, sizeof(ge.x));
3670  VG_CHECK(&ge.y, sizeof(ge.y));
3671  VG_CHECK(&ge.infinity, sizeof(ge.infinity));
3672  ge_equals_ge(&secp256k1_ge_const_g, &ge);
3673  CHECK(ecount == 0);
3674  /* secp256k1_ec_pubkey_serialize illegal args. */
3675  ecount = 0;
3676  len = 65;
3677  CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3678  CHECK(ecount == 1);
3679  CHECK(len == 0);
3680  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3681  CHECK(ecount == 2);
3682  len = 65;
3683  VG_UNDEF(sout, 65);
3684  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
3685  VG_CHECK(sout, 65);
3686  CHECK(ecount == 3);
3687  CHECK(len == 0);
3688  len = 65;
3689  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
3690  CHECK(ecount == 4);
3691  CHECK(len == 0);
3692  len = 65;
3693  VG_UNDEF(sout, 65);
3694  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3695  VG_CHECK(sout, 65);
3696  CHECK(ecount == 4);
3697  CHECK(len == 65);
3698  /* Multiple illegal args. Should still set arg error only once. */
3699  ecount = 0;
3700  ecount2 = 11;
3701  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3702  CHECK(ecount == 1);
3703  /* Does the illegal arg callback actually change the behavior? */
3704  secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
3705  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3706  CHECK(ecount == 1);
3707  CHECK(ecount2 == 10);
3708  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3709  /* Try a bunch of prefabbed points with all possible encodings. */
3710  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
3711  ec_pubkey_parse_pointtest(valid[i], 1, 1);
3712  }
3713  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
3714  ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
3715  }
3716  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
3717  ec_pubkey_parse_pointtest(invalid[i], 0, 0);
3718  }
3719 }
3720 
3721 void run_eckey_edge_case_test(void) {
3722  const unsigned char orderc[32] = {
3723  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3724  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3725  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3726  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
3727  };
3728  const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
3729  unsigned char ctmp[33];
3730  unsigned char ctmp2[33];
3731  secp256k1_pubkey pubkey;
3732  secp256k1_pubkey pubkey2;
3733  secp256k1_pubkey pubkey_one;
3734  secp256k1_pubkey pubkey_negone;
3735  const secp256k1_pubkey *pubkeys[3];
3736  size_t len;
3737  int32_t ecount;
3738  /* Group order is too large, reject. */
3739  CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
3740  VG_UNDEF(&pubkey, sizeof(pubkey));
3741  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
3742  VG_CHECK(&pubkey, sizeof(pubkey));
3743  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3744  /* Maximum value is too large, reject. */
3745  memset(ctmp, 255, 32);
3746  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3747  memset(&pubkey, 1, sizeof(pubkey));
3748  VG_UNDEF(&pubkey, sizeof(pubkey));
3749  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3750  VG_CHECK(&pubkey, sizeof(pubkey));
3751  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3752  /* Zero is too small, reject. */
3753  memset(ctmp, 0, 32);
3754  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3755  memset(&pubkey, 1, sizeof(pubkey));
3756  VG_UNDEF(&pubkey, sizeof(pubkey));
3757  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3758  VG_CHECK(&pubkey, sizeof(pubkey));
3759  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3760  /* One must be accepted. */
3761  ctmp[31] = 0x01;
3762  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3763  memset(&pubkey, 0, sizeof(pubkey));
3764  VG_UNDEF(&pubkey, sizeof(pubkey));
3765  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3766  VG_CHECK(&pubkey, sizeof(pubkey));
3767  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3768  pubkey_one = pubkey;
3769  /* Group order + 1 is too large, reject. */
3770  memcpy(ctmp, orderc, 32);
3771  ctmp[31] = 0x42;
3772  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3773  memset(&pubkey, 1, sizeof(pubkey));
3774  VG_UNDEF(&pubkey, sizeof(pubkey));
3775  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3776  VG_CHECK(&pubkey, sizeof(pubkey));
3777  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3778  /* -1 must be accepted. */
3779  ctmp[31] = 0x40;
3780  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3781  memset(&pubkey, 0, sizeof(pubkey));
3782  VG_UNDEF(&pubkey, sizeof(pubkey));
3783  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3784  VG_CHECK(&pubkey, sizeof(pubkey));
3785  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3786  pubkey_negone = pubkey;
3787  /* Tweak of zero leaves the value unchanged. */
3788  memset(ctmp2, 0, 32);
3789  CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, ctmp2) == 1);
3790  CHECK(memcmp(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
3791  memcpy(&pubkey2, &pubkey, sizeof(pubkey));
3792  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3793  CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3794  /* Multiply tweak of zero zeroizes the output. */
3795  CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, ctmp2) == 0);
3796  CHECK(memcmp(zeros, ctmp, 32) == 0);
3797  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
3798  CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3799  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3800  /* Overflowing key tweak zeroizes. */
3801  memcpy(ctmp, orderc, 32);
3802  ctmp[31] = 0x40;
3803  CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, orderc) == 0);
3804  CHECK(memcmp(zeros, ctmp, 32) == 0);
3805  memcpy(ctmp, orderc, 32);
3806  ctmp[31] = 0x40;
3807  CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, orderc) == 0);
3808  CHECK(memcmp(zeros, ctmp, 32) == 0);
3809  memcpy(ctmp, orderc, 32);
3810  ctmp[31] = 0x40;
3811  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
3812  CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3813  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3814  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
3815  CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3816  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3817  /* Private key tweaks results in a key of zero. */
3818  ctmp2[31] = 1;
3819  CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 0);
3820  CHECK(memcmp(zeros, ctmp2, 32) == 0);
3821  ctmp2[31] = 1;
3822  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3823  CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3824  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3825  /* Tweak computation wraps and results in a key of 1. */
3826  ctmp2[31] = 2;
3827  CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 1);
3828  CHECK(memcmp(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
3829  ctmp2[31] = 2;
3830  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3831  ctmp2[31] = 1;
3832  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
3833  CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3834  /* Tweak mul * 2 = 1+1. */
3835  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3836  ctmp2[31] = 2;
3837  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
3838  CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3839  /* Test argument errors. */
3840  ecount = 0;
3841  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3842  CHECK(ecount == 0);
3843  /* Zeroize pubkey on parse error. */
3844  memset(&pubkey, 0, 32);
3845  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3846  CHECK(ecount == 1);
3847  CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3848  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3849  memset(&pubkey2, 0, 32);
3850  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
3851  CHECK(ecount == 2);
3852  CHECK(memcmp(&pubkey2, zeros, sizeof(pubkey2)) == 0);
3853  /* Plain argument errors. */
3854  ecount = 0;
3855  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3856  CHECK(ecount == 0);
3857  CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
3858  CHECK(ecount == 1);
3859  ecount = 0;
3860  memset(ctmp2, 0, 32);
3861  ctmp2[31] = 4;
3862  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
3863  CHECK(ecount == 1);
3864  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
3865  CHECK(ecount == 2);
3866  ecount = 0;
3867  memset(ctmp2, 0, 32);
3868  ctmp2[31] = 4;
3869  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3870  CHECK(ecount == 1);
3871  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
3872  CHECK(ecount == 2);
3873  ecount = 0;
3874  memset(ctmp2, 0, 32);
3875  CHECK(secp256k1_ec_privkey_tweak_add(ctx, NULL, ctmp2) == 0);
3876  CHECK(ecount == 1);
3877  CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, NULL) == 0);
3878  CHECK(ecount == 2);
3879  ecount = 0;
3880  memset(ctmp2, 0, 32);
3881  ctmp2[31] = 1;
3882  CHECK(secp256k1_ec_privkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3883  CHECK(ecount == 1);
3884  CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, NULL) == 0);
3885  CHECK(ecount == 2);
3886  ecount = 0;
3887  CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
3888  CHECK(ecount == 1);
3889  memset(&pubkey, 1, sizeof(pubkey));
3890  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
3891  CHECK(ecount == 2);
3892  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3893  /* secp256k1_ec_pubkey_combine tests. */
3894  ecount = 0;
3895  pubkeys[0] = &pubkey_one;
3896  VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
3897  VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
3898  VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
3899  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3900  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3901  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
3902  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3903  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3904  CHECK(ecount == 1);
3905  CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
3906  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3907  CHECK(ecount == 2);
3908  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3909  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3910  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
3911  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3912  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3913  CHECK(ecount == 3);
3914  pubkeys[0] = &pubkey_negone;
3915  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3916  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3917  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
3918  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3919  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3920  CHECK(ecount == 3);
3921  len = 33;
3922  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3923  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
3924  CHECK(memcmp(ctmp, ctmp2, 33) == 0);
3925  /* Result is infinity. */
3926  pubkeys[0] = &pubkey_one;
3927  pubkeys[1] = &pubkey_negone;
3928  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3929  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3930  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
3931  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3932  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3933  CHECK(ecount == 3);
3934  /* Passes through infinity but comes out one. */
3935  pubkeys[2] = &pubkey_one;
3936  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3937  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3938  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
3939  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3940  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3941  CHECK(ecount == 3);
3942  len = 33;
3943  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3944  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
3945  CHECK(memcmp(ctmp, ctmp2, 33) == 0);
3946  /* Adds to two. */
3947  pubkeys[1] = &pubkey_one;
3948  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3949  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3950  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
3951  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3952  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3953  CHECK(ecount == 3);
3954  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3955 }
3956 
3957 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
3958  secp256k1_scalar nonce;
3959  do {
3960  random_scalar_order_test(&nonce);
3961  } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
3962 }
3963 
3964 void test_ecdsa_sign_verify(void) {
3965  secp256k1_gej pubj;
3966  secp256k1_ge pub;
3967  secp256k1_scalar one;
3968  secp256k1_scalar msg, key;
3969  secp256k1_scalar sigr, sigs;
3970  int recid;
3971  int getrec;
3972  random_scalar_order_test(&msg);
3973  random_scalar_order_test(&key);
3974  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
3975  secp256k1_ge_set_gej(&pub, &pubj);
3976  getrec = secp256k1_rand_bits(1);
3977  random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
3978  if (getrec) {
3979  CHECK(recid >= 0 && recid < 4);
3980  }
3981  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
3982  secp256k1_scalar_set_int(&one, 1);
3983  secp256k1_scalar_add(&msg, &msg, &one);
3984  CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
3985 }
3986 
3987 void run_ecdsa_sign_verify(void) {
3988  int i;
3989  for (i = 0; i < 10*count; i++) {
3990  test_ecdsa_sign_verify();
3991  }
3992 }
3993 
3995 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3996  (void)msg32;
3997  (void)key32;
3998  (void)algo16;
3999  memcpy(nonce32, data, 32);
4000  return (counter == 0);
4001 }
4002 
4003 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4004  /* Dummy nonce generator that has a fatal error on the first counter value. */
4005  if (counter == 0) {
4006  return 0;
4007  }
4008  return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
4009 }
4010 
4011 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4012  /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
4013  if (counter < 3) {
4014  memset(nonce32, counter==0 ? 0 : 255, 32);
4015  if (counter == 2) {
4016  nonce32[31]--;
4017  }
4018  return 1;
4019  }
4020  if (counter < 5) {
4021  static const unsigned char order[] = {
4022  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4023  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4024  0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4025  0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
4026  };
4027  memcpy(nonce32, order, 32);
4028  if (counter == 4) {
4029  nonce32[31]++;
4030  }
4031  return 1;
4032  }
4033  /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
4034  /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
4035  if (counter > 5) {
4036  return 0;
4037  }
4038  return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
4039 }
4040 
4041 int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
4042  static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
4043  return memcmp(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
4044 }
4045 
4046 void test_ecdsa_end_to_end(void) {
4047  unsigned char extra[32] = {0x00};
4048  unsigned char privkey[32];
4049  unsigned char message[32];
4050  unsigned char privkey2[32];
4051  secp256k1_ecdsa_signature signature[6];
4052  secp256k1_scalar r, s;
4053  unsigned char sig[74];
4054  size_t siglen = 74;
4055  unsigned char pubkeyc[65];
4056  size_t pubkeyclen = 65;
4057  secp256k1_pubkey pubkey;
4058  secp256k1_pubkey pubkey_tmp;
4059  unsigned char seckey[300];
4060  size_t seckeylen = 300;
4061 
4062  /* Generate a random key and message. */
4063  {
4064  secp256k1_scalar msg, key;
4065  random_scalar_order_test(&msg);
4066  random_scalar_order_test(&key);
4067  secp256k1_scalar_get_b32(privkey, &key);
4068  secp256k1_scalar_get_b32(message, &msg);
4069  }
4070 
4071  /* Construct and verify corresponding public key. */
4072  CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
4073  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
4074 
4075  /* Verify exporting and importing public key. */
4076  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_rand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
4077  memset(&pubkey, 0, sizeof(pubkey));
4078  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
4079 
4080  /* Verify negation changes the key and changes it back */
4081  memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
4082  CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4083  CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
4084  CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4085  CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
4086 
4087  /* Verify private key import and export. */
4088  CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_rand_bits(1) == 1));
4089  CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
4090  CHECK(memcmp(privkey, privkey2, 32) == 0);
4091 
4092  /* Optionally tweak the keys using addition. */
4093  if (secp256k1_rand_int(3) == 0) {
4094  int ret1;
4095  int ret2;
4096  unsigned char rnd[32];
4097  secp256k1_pubkey pubkey2;
4098  secp256k1_rand256_test(rnd);
4099  ret1 = secp256k1_ec_privkey_tweak_add(ctx, privkey, rnd);
4100  ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
4101  CHECK(ret1 == ret2);
4102  if (ret1 == 0) {
4103  return;
4104  }
4105  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4106  CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4107  }
4108 
4109  /* Optionally tweak the keys using multiplication. */
4110  if (secp256k1_rand_int(3) == 0) {
4111  int ret1;
4112  int ret2;
4113  unsigned char rnd[32];
4114  secp256k1_pubkey pubkey2;
4115  secp256k1_rand256_test(rnd);
4116  ret1 = secp256k1_ec_privkey_tweak_mul(ctx, privkey, rnd);
4117  ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
4118  CHECK(ret1 == ret2);
4119  if (ret1 == 0) {
4120  return;
4121  }
4122  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4123  CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4124  }
4125 
4126  /* Sign. */
4127  CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
4128  CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
4129  CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
4130  extra[31] = 1;
4131  CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
4132  extra[31] = 0;
4133  extra[0] = 1;
4134  CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
4135  CHECK(memcmp(&signature[0], &signature[4], sizeof(signature[0])) == 0);
4136  CHECK(memcmp(&signature[0], &signature[1], sizeof(signature[0])) != 0);
4137  CHECK(memcmp(&signature[0], &signature[2], sizeof(signature[0])) != 0);
4138  CHECK(memcmp(&signature[0], &signature[3], sizeof(signature[0])) != 0);
4139  CHECK(memcmp(&signature[1], &signature[2], sizeof(signature[0])) != 0);
4140  CHECK(memcmp(&signature[1], &signature[3], sizeof(signature[0])) != 0);
4141  CHECK(memcmp(&signature[2], &signature[3], sizeof(signature[0])) != 0);
4142  /* Verify. */
4143  CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4144  CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
4145  CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
4146  CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
4147  /* Test lower-S form, malleate, verify and fail, test again, malleate again */
4148  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
4149  secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
4150  secp256k1_scalar_negate(&s, &s);
4151  secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4152  CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
4153  CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4154  CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4155  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4156  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4157  CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4158  secp256k1_scalar_negate(&s, &s);
4159  secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4160  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4161  CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4162  CHECK(memcmp(&signature[5], &signature[0], 64) == 0);
4163 
4164  /* Serialize/parse DER and verify again */
4165  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4166  memset(&signature[0], 0, sizeof(signature[0]));
4167  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
4168  CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4169  /* Serialize/destroy/parse DER and verify again. */
4170  siglen = 74;
4171  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4172  sig[secp256k1_rand_int(siglen)] += 1 + secp256k1_rand_int(255);
4173  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
4174  secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
4175 }
4176 
4177 void test_random_pubkeys(void) {
4178  secp256k1_ge elem;
4179  secp256k1_ge elem2;
4180  unsigned char in[65];
4181  /* Generate some randomly sized pubkeys. */
4182  size_t len = secp256k1_rand_bits(2) == 0 ? 65 : 33;
4183  if (secp256k1_rand_bits(2) == 0) {
4184  len = secp256k1_rand_bits(6);
4185  }
4186  if (len == 65) {
4187  in[0] = secp256k1_rand_bits(1) ? 4 : (secp256k1_rand_bits(1) ? 6 : 7);
4188  } else {
4189  in[0] = secp256k1_rand_bits(1) ? 2 : 3;
4190  }
4191  if (secp256k1_rand_bits(3) == 0) {
4192  in[0] = secp256k1_rand_bits(8);
4193  }
4194  if (len > 1) {
4195  secp256k1_rand256(&in[1]);
4196  }
4197  if (len > 33) {
4198  secp256k1_rand256(&in[33]);
4199  }
4200  if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
4201  unsigned char out[65];
4202  unsigned char firstb;
4203  int res;
4204  size_t size = len;
4205  firstb = in[0];
4206  /* If the pubkey can be parsed, it should round-trip... */
4207  CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
4208  CHECK(size == len);
4209  CHECK(memcmp(&in[1], &out[1], len-1) == 0);
4210  /* ... except for the type of hybrid inputs. */
4211  if ((in[0] != 6) && (in[0] != 7)) {
4212  CHECK(in[0] == out[0]);
4213  }
4214  size = 65;
4215  CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
4216  CHECK(size == 65);
4217  CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
4218  ge_equals_ge(&elem,&elem2);
4219  /* Check that the X9.62 hybrid type is checked. */
4220  in[0] = secp256k1_rand_bits(1) ? 6 : 7;
4221  res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
4222  if (firstb == 2 || firstb == 3) {
4223  if (in[0] == firstb + 4) {
4224  CHECK(res);
4225  } else {
4226  CHECK(!res);
4227  }
4228  }
4229  if (res) {
4230  ge_equals_ge(&elem,&elem2);
4231  CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
4232  CHECK(memcmp(&in[1], &out[1], 64) == 0);
4233  }
4234  }
4235 }
4236 
4237 void run_random_pubkeys(void) {
4238  int i;
4239  for (i = 0; i < 10*count; i++) {
4240  test_random_pubkeys();
4241  }
4242 }
4243 
4244 void run_ecdsa_end_to_end(void) {
4245  int i;
4246  for (i = 0; i < 64*count; i++) {
4247  test_ecdsa_end_to_end();
4248  }
4249 }
4250 
4251 int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
4252  static const unsigned char zeroes[32] = {0};
4253 #ifdef ENABLE_OPENSSL_TESTS
4254  static const unsigned char max_scalar[32] = {
4255  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4256  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4257  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4258  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
4259  };
4260 #endif
4261 
4262  int ret = 0;
4263 
4264  secp256k1_ecdsa_signature sig_der;
4265  unsigned char roundtrip_der[2048];
4266  unsigned char compact_der[64];
4267  size_t len_der = 2048;
4268  int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
4269 
4270  secp256k1_ecdsa_signature sig_der_lax;
4271  unsigned char roundtrip_der_lax[2048];
4272  unsigned char compact_der_lax[64];
4273  size_t len_der_lax = 2048;
4274  int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
4275 
4276 #ifdef ENABLE_OPENSSL_TESTS
4277  ECDSA_SIG *sig_openssl;
4278  const BIGNUM *r = NULL, *s = NULL;
4279  const unsigned char *sigptr;
4280  unsigned char roundtrip_openssl[2048];
4281  int len_openssl = 2048;
4282  int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
4283 #endif
4284 
4285  parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
4286  if (parsed_der) {
4287  ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
4288  valid_der = (memcmp(compact_der, zeroes, 32) != 0) && (memcmp(compact_der + 32, zeroes, 32) != 0);
4289  }
4290  if (valid_der) {
4291  ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
4292  roundtrips_der = (len_der == siglen) && memcmp(roundtrip_der, sig, siglen) == 0;
4293  }
4294 
4295  parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
4296  if (parsed_der_lax) {
4297  ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
4298  valid_der_lax = (memcmp(compact_der_lax, zeroes, 32) != 0) && (memcmp(compact_der_lax + 32, zeroes, 32) != 0);
4299  }
4300  if (valid_der_lax) {
4301  ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
4302  roundtrips_der_lax = (len_der_lax == siglen) && memcmp(roundtrip_der_lax, sig, siglen) == 0;
4303  }
4304 
4305  if (certainly_der) {
4306  ret |= (!parsed_der) << 2;
4307  }
4308  if (certainly_not_der) {
4309  ret |= (parsed_der) << 17;
4310  }
4311  if (valid_der) {
4312  ret |= (!roundtrips_der) << 3;
4313  }
4314 
4315  if (valid_der) {
4316  ret |= (!roundtrips_der_lax) << 12;
4317  ret |= (len_der != len_der_lax) << 13;
4318  ret |= (memcmp(roundtrip_der_lax, roundtrip_der, len_der) != 0) << 14;
4319  }
4320  ret |= (roundtrips_der != roundtrips_der_lax) << 15;
4321  if (parsed_der) {
4322  ret |= (!parsed_der_lax) << 16;
4323  }
4324 
4325 #ifdef ENABLE_OPENSSL_TESTS
4326  sig_openssl = ECDSA_SIG_new();
4327  sigptr = sig;
4328  parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
4329  if (parsed_openssl) {
4330  ECDSA_SIG_get0(sig_openssl, &r, &s);
4331  valid_openssl = !BN_is_negative(r) && !BN_is_negative(s) && BN_num_bits(r) > 0 && BN_num_bits(r) <= 256 && BN_num_bits(s) > 0 && BN_num_bits(s) <= 256;
4332  if (valid_openssl) {
4333  unsigned char tmp[32] = {0};
4334  BN_bn2bin(r, tmp + 32 - BN_num_bytes(r));
4335  valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4336  }
4337  if (valid_openssl) {
4338  unsigned char tmp[32] = {0};
4339  BN_bn2bin(s, tmp + 32 - BN_num_bytes(s));
4340  valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4341  }
4342  }
4343  len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
4344  if (len_openssl <= 2048) {
4345  unsigned char *ptr = roundtrip_openssl;
4346  CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
4347  roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (memcmp(roundtrip_openssl, sig, siglen) == 0);
4348  } else {
4349  len_openssl = 0;
4350  }
4351  ECDSA_SIG_free(sig_openssl);
4352 
4353  ret |= (parsed_der && !parsed_openssl) << 4;
4354  ret |= (valid_der && !valid_openssl) << 5;
4355  ret |= (roundtrips_openssl && !parsed_der) << 6;
4356  ret |= (roundtrips_der != roundtrips_openssl) << 7;
4357  if (roundtrips_openssl) {
4358  ret |= (len_der != (size_t)len_openssl) << 8;
4359  ret |= (memcmp(roundtrip_der, roundtrip_openssl, len_der) != 0) << 9;
4360  }
4361 #endif
4362  return ret;
4363 }
4364 
4365 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
4366  size_t i;
4367  for (i = 0; i < ptrlen; i++) {
4368  int shift = ptrlen - 1 - i;
4369  if (shift >= 4) {
4370  ptr[i] = 0;
4371  } else {
4372  ptr[i] = (val >> shift) & 0xFF;
4373  }
4374  }
4375 }
4376 
4377 static void damage_array(unsigned char *sig, size_t *len) {
4378  int pos;
4379  int action = secp256k1_rand_bits(3);
4380  if (action < 1 && *len > 3) {
4381  /* Delete a byte. */
4382  pos = secp256k1_rand_int(*len);
4383  memmove(sig + pos, sig + pos + 1, *len - pos - 1);
4384  (*len)--;
4385  return;
4386  } else if (action < 2 && *len < 2048) {
4387  /* Insert a byte. */
4388  pos = secp256k1_rand_int(1 + *len);
4389  memmove(sig + pos + 1, sig + pos, *len - pos);
4390  sig[pos] = secp256k1_rand_bits(8);
4391  (*len)++;
4392  return;
4393  } else if (action < 4) {
4394  /* Modify a byte. */
4395  sig[secp256k1_rand_int(*len)] += 1 + secp256k1_rand_int(255);
4396  return;
4397  } else { /* action < 8 */
4398  /* Modify a bit. */
4399  sig[secp256k1_rand_int(*len)] ^= 1 << secp256k1_rand_bits(3);
4400  return;
4401  }
4402 }
4403 
4404 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
4405  int der;
4406  int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
4407  size_t tlen, elen, glen;
4408  int indet;
4409  int n;
4410 
4411  *len = 0;
4412  der = secp256k1_rand_bits(2) == 0;
4413  *certainly_der = der;
4414  *certainly_not_der = 0;
4415  indet = der ? 0 : secp256k1_rand_int(10) == 0;
4416 
4417  for (n = 0; n < 2; n++) {
4418  /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
4419  nlow[n] = der ? 1 : (secp256k1_rand_bits(3) != 0);
4420  /* The length of the number in bytes (the first byte of which will always be nonzero) */
4421  nlen[n] = nlow[n] ? secp256k1_rand_int(33) : 32 + secp256k1_rand_int(200) * secp256k1_rand_int(8) / 8;
4422  CHECK(nlen[n] <= 232);
4423  /* The top bit of the number. */
4424  nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_rand_bits(1));
4425  /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
4426  nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_rand_bits(7) : 1 + secp256k1_rand_int(127));
4427  /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
4428  nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_rand_int(3) : secp256k1_rand_int(300 - nlen[n]) * secp256k1_rand_int(8) / 8);
4429  if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
4430  *certainly_not_der = 1;
4431  }
4432  CHECK(nlen[n] + nzlen[n] <= 300);
4433  /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
4434  nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
4435  if (!der) {
4436  /* nlenlen[n] max 127 bytes */
4437  int add = secp256k1_rand_int(127 - nlenlen[n]) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4438  nlenlen[n] += add;
4439  if (add != 0) {
4440  *certainly_not_der = 1;
4441  }
4442  }
4443  CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
4444  }
4445 
4446  /* The total length of the data to go, so far */
4447  tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
4448  CHECK(tlen <= 856);
4449 
4450  /* The length of the garbage inside the tuple. */
4451  elen = (der || indet) ? 0 : secp256k1_rand_int(980 - tlen) * secp256k1_rand_int(8) / 8;
4452  if (elen != 0) {
4453  *certainly_not_der = 1;
4454  }
4455  tlen += elen;
4456  CHECK(tlen <= 980);
4457 
4458  /* The length of the garbage after the end of the tuple. */
4459  glen = der ? 0 : secp256k1_rand_int(990 - tlen) * secp256k1_rand_int(8) / 8;
4460  if (glen != 0) {
4461  *certainly_not_der = 1;
4462  }
4463  CHECK(tlen + glen <= 990);
4464 
4465  /* Write the tuple header. */
4466  sig[(*len)++] = 0x30;
4467  if (indet) {
4468  /* Indeterminate length */
4469  sig[(*len)++] = 0x80;
4470  *certainly_not_der = 1;
4471  } else {
4472  int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
4473  if (!der) {
4474  int add = secp256k1_rand_int(127 - tlenlen) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4475  tlenlen += add;
4476  if (add != 0) {
4477  *certainly_not_der = 1;
4478  }
4479  }
4480  if (tlenlen == 0) {
4481  /* Short length notation */
4482  sig[(*len)++] = tlen;
4483  } else {
4484  /* Long length notation */
4485  sig[(*len)++] = 128 + tlenlen;
4486  assign_big_endian(sig + *len, tlenlen, tlen);
4487  *len += tlenlen;
4488  }
4489  tlen += tlenlen;
4490  }
4491  tlen += 2;
4492  CHECK(tlen + glen <= 1119);
4493 
4494  for (n = 0; n < 2; n++) {
4495  /* Write the integer header. */
4496  sig[(*len)++] = 0x02;
4497  if (nlenlen[n] == 0) {
4498  /* Short length notation */
4499  sig[(*len)++] = nlen[n] + nzlen[n];
4500  } else {
4501  /* Long length notation. */
4502  sig[(*len)++] = 128 + nlenlen[n];
4503  assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
4504  *len += nlenlen[n];
4505  }
4506  /* Write zero padding */
4507  while (nzlen[n] > 0) {
4508  sig[(*len)++] = 0x00;
4509  nzlen[n]--;
4510  }
4511  if (nlen[n] == 32 && !nlow[n]) {
4512  /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
4513  int i;
4514  for (i = 0; i < 16; i++) {
4515  sig[(*len)++] = 0xFF;
4516  }
4517  nlen[n] -= 16;
4518  }
4519  /* Write first byte of number */
4520  if (nlen[n] > 0) {
4521  sig[(*len)++] = nhbyte[n];
4522  nlen[n]--;
4523  }
4524  /* Generate remaining random bytes of number */
4525  secp256k1_rand_bytes_test(sig + *len, nlen[n]);
4526  *len += nlen[n];
4527  nlen[n] = 0;
4528  }
4529 
4530  /* Generate random garbage inside tuple. */
4531  secp256k1_rand_bytes_test(sig + *len, elen);
4532  *len += elen;
4533 
4534  /* Generate end-of-contents bytes. */
4535  if (indet) {
4536  sig[(*len)++] = 0;
4537  sig[(*len)++] = 0;
4538  tlen += 2;
4539  }
4540  CHECK(tlen + glen <= 1121);
4541 
4542  /* Generate random garbage outside tuple. */
4543  secp256k1_rand_bytes_test(sig + *len, glen);
4544  *len += glen;
4545  tlen += glen;
4546  CHECK(tlen <= 1121);
4547  CHECK(tlen == *len);
4548 }
4549 
4550 void run_ecdsa_der_parse(void) {
4551  int i,j;
4552  for (i = 0; i < 200 * count; i++) {
4553  unsigned char buffer[2048];
4554  size_t buflen = 0;
4555  int certainly_der = 0;
4556  int certainly_not_der = 0;
4557  random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
4558  CHECK(buflen <= 2048);
4559  for (j = 0; j < 16; j++) {
4560  int ret = 0;
4561  if (j > 0) {
4562  damage_array(buffer, &buflen);
4563  /* We don't know anything anymore about the DERness of the result */
4564  certainly_der = 0;
4565  certainly_not_der = 0;
4566  }
4567  ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
4568  if (ret != 0) {
4569  size_t k;
4570  fprintf(stderr, "Failure %x on ", ret);
4571  for (k = 0; k < buflen; k++) {
4572  fprintf(stderr, "%02x ", buffer[k]);
4573  }
4574  fprintf(stderr, "\n");
4575  }
4576  CHECK(ret == 0);
4577  }
4578  }
4579 }
4580 
4581 /* Tests several edge cases. */
4582 void test_ecdsa_edge_cases(void) {
4583  int t;
4584  secp256k1_ecdsa_signature sig;
4585 
4586  /* Test the case where ECDSA recomputes a point that is infinity. */
4587  {
4588  secp256k1_gej keyj;
4589  secp256k1_ge key;
4590  secp256k1_scalar msg;
4591  secp256k1_scalar sr, ss;
4592  secp256k1_scalar_set_int(&ss, 1);
4593  secp256k1_scalar_negate(&ss, &ss);
4594  secp256k1_scalar_inverse(&ss, &ss);
4595  secp256k1_scalar_set_int(&sr, 1);
4596  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
4597  secp256k1_ge_set_gej(&key, &keyj);
4598  msg = ss;
4599  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4600  }
4601 
4602  /* Verify signature with r of zero fails. */
4603  {
4604  const unsigned char pubkey_mods_zero[33] = {
4605  0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4606  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4607  0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4608  0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4609  0x41
4610  };
4611  secp256k1_ge key;
4612  secp256k1_scalar msg;
4613  secp256k1_scalar sr, ss;
4614  secp256k1_scalar_set_int(&ss, 1);
4615  secp256k1_scalar_set_int(&msg, 0);
4616  secp256k1_scalar_set_int(&sr, 0);
4617  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
4618  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4619  }
4620 
4621  /* Verify signature with s of zero fails. */
4622  {
4623  const unsigned char pubkey[33] = {
4624  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4625  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4626  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4627  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4628  0x01
4629  };
4630  secp256k1_ge key;
4631  secp256k1_scalar msg;
4632  secp256k1_scalar sr, ss;
4633  secp256k1_scalar_set_int(&ss, 0);
4634  secp256k1_scalar_set_int(&msg, 0);
4635  secp256k1_scalar_set_int(&sr, 1);
4636  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4637  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4638  }
4639 
4640  /* Verify signature with message 0 passes. */
4641  {
4642  const unsigned char pubkey[33] = {
4643  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4644  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4645  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4646  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4647  0x02
4648  };
4649  const unsigned char pubkey2[33] = {
4650  0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4651  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4652  0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4653  0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4654  0x43
4655  };
4656  secp256k1_ge key;
4657  secp256k1_ge key2;
4658  secp256k1_scalar msg;
4659  secp256k1_scalar sr, ss;
4660  secp256k1_scalar_set_int(&ss, 2);
4661  secp256k1_scalar_set_int(&msg, 0);
4662  secp256k1_scalar_set_int(&sr, 2);
4663  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4664  CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4665  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4666  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4667  secp256k1_scalar_negate(&ss, &ss);
4668  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4669  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4670  secp256k1_scalar_set_int(&ss, 1);
4671  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4672  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4673  }
4674 
4675  /* Verify signature with message 1 passes. */
4676  {
4677  const unsigned char pubkey[33] = {
4678  0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
4679  0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
4680  0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
4681  0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
4682  0x25
4683  };
4684  const unsigned char pubkey2[33] = {
4685  0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
4686  0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
4687  0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
4688  0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
4689  0x62
4690  };
4691  const unsigned char csr[32] = {
4692  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4693  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4694  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4695  0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
4696  };
4697  secp256k1_ge key;
4698  secp256k1_ge key2;
4699  secp256k1_scalar msg;
4700  secp256k1_scalar sr, ss;
4701  secp256k1_scalar_set_int(&ss, 1);
4702  secp256k1_scalar_set_int(&msg, 1);
4703  secp256k1_scalar_set_b32(&sr, csr, NULL);
4704  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4705  CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4706  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4707  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4708  secp256k1_scalar_negate(&ss, &ss);
4709  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4710  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4711  secp256k1_scalar_set_int(&ss, 2);
4712  secp256k1_scalar_inverse_var(&ss, &ss);
4713  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4714  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4715  }
4716 
4717  /* Verify signature with message -1 passes. */
4718  {
4719  const unsigned char pubkey[33] = {
4720  0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
4721  0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
4722  0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
4723  0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
4724  0xf1
4725  };
4726  const unsigned char csr[32] = {
4727  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4728  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4729  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4730  0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
4731  };
4732  secp256k1_ge key;
4733  secp256k1_scalar msg;
4734  secp256k1_scalar sr, ss;
4735  secp256k1_scalar_set_int(&ss, 1);
4736  secp256k1_scalar_set_int(&msg, 1);
4737  secp256k1_scalar_negate(&msg, &msg);
4738  secp256k1_scalar_set_b32(&sr, csr, NULL);
4739  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4740  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4741  secp256k1_scalar_negate(&ss, &ss);
4742  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4743  secp256k1_scalar_set_int(&ss, 3);
4744  secp256k1_scalar_inverse_var(&ss, &ss);
4745  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4746  }
4747 
4748  /* Signature where s would be zero. */
4749  {
4750  secp256k1_pubkey pubkey;
4751  size_t siglen;
4752  int32_t ecount;
4753  unsigned char signature[72];
4754  static const unsigned char nonce[32] = {
4755  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4756  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4757  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4758  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4759  };
4760  static const unsigned char nonce2[32] = {
4761  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4762  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4763  0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4764  0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
4765  };
4766  const unsigned char key[32] = {
4767  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4768  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4769  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4770  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4771  };
4772  unsigned char msg[32] = {
4773  0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
4774  0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
4775  0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
4776  0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
4777  };
4778  ecount = 0;
4779  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4780  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
4781  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
4782  msg[31] = 0xaa;
4783  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
4784  CHECK(ecount == 0);
4785  CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
4786  CHECK(ecount == 1);
4787  CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
4788  CHECK(ecount == 2);
4789  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
4790  CHECK(ecount == 3);
4791  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
4792  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
4793  CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
4794  CHECK(ecount == 4);
4795  CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
4796  CHECK(ecount == 5);
4797  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
4798  CHECK(ecount == 6);
4799  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
4800  CHECK(ecount == 6);
4801  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4802  CHECK(ecount == 7);
4803  /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
4804  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
4805  CHECK(ecount == 8);
4806  siglen = 72;
4807  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
4808  CHECK(ecount == 9);
4809  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
4810  CHECK(ecount == 10);
4811  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
4812  CHECK(ecount == 11);
4813  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
4814  CHECK(ecount == 11);
4815  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
4816  CHECK(ecount == 12);
4817  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
4818  CHECK(ecount == 13);
4819  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
4820  CHECK(ecount == 13);
4821  siglen = 10;
4822  /* Too little room for a signature does not fail via ARGCHECK. */
4823  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
4824  CHECK(ecount == 13);
4825  ecount = 0;
4826  CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
4827  CHECK(ecount == 1);
4828  CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
4829  CHECK(ecount == 2);
4830  CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
4831  CHECK(ecount == 3);
4832  CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
4833  CHECK(ecount == 3);
4834  CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
4835  CHECK(ecount == 4);
4836  CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
4837  CHECK(ecount == 5);
4838  CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
4839  CHECK(ecount == 5);
4840  memset(signature, 255, 64);
4841  CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
4842  CHECK(ecount == 5);
4843  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4844  }
4845 
4846  /* Nonce function corner cases. */
4847  for (t = 0; t < 2; t++) {
4848  static const unsigned char zero[32] = {0x00};
4849  int i;
4850  unsigned char key[32];
4851  unsigned char msg[32];
4852  secp256k1_ecdsa_signature sig2;
4853  secp256k1_scalar sr[512], ss;
4854  const unsigned char *extra;
4855  extra = t == 0 ? NULL : zero;
4856  memset(msg, 0, 32);
4857  msg[31] = 1;
4858  /* High key results in signature failure. */
4859  memset(key, 0xFF, 32);
4860  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
4861  CHECK(is_empty_signature(&sig));
4862  /* Zero key results in signature failure. */
4863  memset(key, 0, 32);
4864  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
4865  CHECK(is_empty_signature(&sig));
4866  /* Nonce function failure results in signature failure. */
4867  key[31] = 1;
4868  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
4869  CHECK(is_empty_signature(&sig));
4870  /* The retry loop successfully makes its way to the first good value. */
4871  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
4872  CHECK(!is_empty_signature(&sig));
4873  CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
4874  CHECK(!is_empty_signature(&sig2));
4875  CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4876  /* The default nonce function is deterministic. */
4877  CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4878  CHECK(!is_empty_signature(&sig2));
4879  CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4880  /* The default nonce function changes output with different messages. */
4881  for(i = 0; i < 256; i++) {
4882  int j;
4883  msg[0] = i;
4884  CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4885  CHECK(!is_empty_signature(&sig2));
4886  secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4887  for (j = 0; j < i; j++) {
4888  CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4889  }
4890  }
4891  msg[0] = 0;
4892  msg[31] = 2;
4893  /* The default nonce function changes output with different keys. */
4894  for(i = 256; i < 512; i++) {
4895  int j;
4896  key[0] = i - 256;
4897  CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4898  CHECK(!is_empty_signature(&sig2));
4899  secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4900  for (j = 0; j < i; j++) {
4901  CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4902  }
4903  }
4904  key[0] = 0;
4905  }
4906 
4907  {
4908  /* Check that optional nonce arguments do not have equivalent effect. */
4909  const unsigned char zeros[32] = {0};
4910  unsigned char nonce[32];
4911  unsigned char nonce2[32];
4912  unsigned char nonce3[32];
4913  unsigned char nonce4[32];
4914  VG_UNDEF(nonce,32);
4915  VG_UNDEF(nonce2,32);
4916  VG_UNDEF(nonce3,32);
4917  VG_UNDEF(nonce4,32);
4918  CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
4919  VG_CHECK(nonce,32);
4920  CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
4921  VG_CHECK(nonce2,32);
4922  CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
4923  VG_CHECK(nonce3,32);
4924  CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
4925  VG_CHECK(nonce4,32);
4926  CHECK(memcmp(nonce, nonce2, 32) != 0);
4927  CHECK(memcmp(nonce, nonce3, 32) != 0);
4928  CHECK(memcmp(nonce, nonce4, 32) != 0);
4929  CHECK(memcmp(nonce2, nonce3, 32) != 0);
4930  CHECK(memcmp(nonce2, nonce4, 32) != 0);
4931  CHECK(memcmp(nonce3, nonce4, 32) != 0);
4932  }
4933 
4934 
4935  /* Privkey export where pubkey is the point at infinity. */
4936  {
4937  unsigned char privkey[300];
4938  unsigned char seckey[32] = {
4939  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4940  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4941  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4942  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
4943  };
4944  size_t outlen = 300;
4945  CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
4946  outlen = 300;
4947  CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
4948  }
4949 }
4950 
4951 void run_ecdsa_edge_cases(void) {
4952  test_ecdsa_edge_cases();
4953 }
4954 
4955 #ifdef ENABLE_OPENSSL_TESTS
4956 EC_KEY *get_openssl_key(const unsigned char *key32) {
4957  unsigned char privkey[300];
4958  size_t privkeylen;
4959  const unsigned char* pbegin = privkey;
4960  int compr = secp256k1_rand_bits(1);
4961  EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
4962  CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
4963  CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
4964  CHECK(EC_KEY_check_key(ec_key));
4965  return ec_key;
4966 }
4967 
4968 void test_ecdsa_openssl(void) {
4969  secp256k1_gej qj;
4970  secp256k1_ge q;
4971  secp256k1_scalar sigr, sigs;
4972  secp256k1_scalar one;
4973  secp256k1_scalar msg2;
4974  secp256k1_scalar key, msg;
4975  EC_KEY *ec_key;
4976  unsigned int sigsize = 80;
4977  size_t secp_sigsize = 80;
4978  unsigned char message[32];
4979  unsigned char signature[80];
4980  unsigned char key32[32];
4981  secp256k1_rand256_test(message);
4982  secp256k1_scalar_set_b32(&msg, message, NULL);
4983  random_scalar_order_test(&key);
4984  secp256k1_scalar_get_b32(key32, &key);
4985  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
4986  secp256k1_ge_set_gej(&q, &qj);
4987  ec_key = get_openssl_key(key32);
4988  CHECK(ec_key != NULL);
4989  CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
4990  CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
4991  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
4992  secp256k1_scalar_set_int(&one, 1);
4993  secp256k1_scalar_add(&msg2, &msg, &one);
4994  CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
4995 
4996  random_sign(&sigr, &sigs, &key, &msg, NULL);
4997  CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
4998  CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
4999 
5000  EC_KEY_free(ec_key);
5001 }
5002 
5003 void run_ecdsa_openssl(void) {
5004  int i;
5005  for (i = 0; i < 10*count; i++) {
5006  test_ecdsa_openssl();
5007  }
5008 }
5009 #endif
5010 
5011 #ifdef ENABLE_MODULE_ECDH
5012 # include "modules/ecdh/tests_impl.h"
5013 #endif
5014 
5015 #ifdef ENABLE_MODULE_RECOVERY
5016 # include "modules/recovery/tests_impl.h"
5017 #endif
5018 
5019 int main(int argc, char **argv) {
5020  unsigned char seed16[16] = {0};
5021  unsigned char run32[32] = {0};
5022  /* find iteration count */
5023  if (argc > 1) {
5024  count = strtol(argv[1], NULL, 0);
5025  }
5026 
5027  /* find random seed */
5028  if (argc > 2) {
5029  int pos = 0;
5030  const char* ch = argv[2];
5031  while (pos < 16 && ch[0] != 0 && ch[1] != 0) {
5032  unsigned short sh;
5033  if (sscanf(ch, "%2hx", &sh)) {
5034  seed16[pos] = sh;
5035  } else {
5036  break;
5037  }
5038  ch += 2;
5039  pos++;
5040  }
5041  } else {
5042  FILE *frand = fopen("/dev/urandom", "r");
5043  if ((frand == NULL) || fread(&seed16, 1, sizeof(seed16), frand) != sizeof(seed16)) {
5044  uint64_t t = time(NULL) * (uint64_t)1337;
5045  fprintf(stderr, "WARNING: could not read 16 bytes from /dev/urandom; falling back to insecure PRNG\n");
5046  seed16[0] ^= t;
5047  seed16[1] ^= t >> 8;
5048  seed16[2] ^= t >> 16;
5049  seed16[3] ^= t >> 24;
5050  seed16[4] ^= t >> 32;
5051  seed16[5] ^= t >> 40;
5052  seed16[6] ^= t >> 48;
5053  seed16[7] ^= t >> 56;
5054  }
5055  if (frand) {
5056  fclose(frand);
5057  }
5058  }
5059  secp256k1_rand_seed(seed16);
5060 
5061  printf("test count = %i\n", count);
5062  printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]);
5063 
5064  /* initialize */
5065  run_context_tests();
5066  run_scratch_tests();
5067  ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
5068  if (secp256k1_rand_bits(1)) {
5069  secp256k1_rand256(run32);
5070  CHECK(secp256k1_context_randomize(ctx, secp256k1_rand_bits(1) ? run32 : NULL));
5071  }
5072 
5073  run_rand_bits();
5074  run_rand_int();
5075 
5076  run_sha256_tests();
5077  run_hmac_sha256_tests();
5078  run_rfc6979_hmac_sha256_tests();
5079 
5080 #ifndef USE_NUM_NONE
5081  /* num tests */
5082  run_num_smalltests();
5083 #endif
5084 
5085  /* scalar tests */
5086  run_scalar_tests();
5087 
5088  /* field tests */
5089  run_field_inv();
5090  run_field_inv_var();
5091  run_field_inv_all_var();
5092  run_field_misc();
5093  run_field_convert();
5094  run_sqr();
5095  run_sqrt();
5096 
5097  /* group tests */
5098  run_ge();
5099  run_group_decompress();
5100 
5101  /* ecmult tests */
5102  run_wnaf();
5103  run_point_times_order();
5104  run_ecmult_chain();
5105  run_ecmult_constants();
5106  run_ecmult_gen_blind();
5107  run_ecmult_const_tests();
5108  run_ecmult_multi_tests();
5109  run_ec_combine();
5110 
5111  /* endomorphism tests */
5112 #ifdef USE_ENDOMORPHISM
5113  run_endomorphism_tests();
5114 #endif
5115 
5116  /* EC point parser test */
5117  run_ec_pubkey_parse_test();
5118 
5119  /* EC key edge cases */
5120  run_eckey_edge_case_test();
5121 
5122 #ifdef ENABLE_MODULE_ECDH
5123  /* ecdh tests */
5124  run_ecdh_tests();
5125 #endif
5126 
5127  /* ecdsa tests */
5128  run_random_pubkeys();
5129  run_ecdsa_der_parse();
5130  run_ecdsa_sign_verify();
5131  run_ecdsa_end_to_end();
5132  run_ecdsa_edge_cases();
5133 #ifdef ENABLE_OPENSSL_TESTS
5134  run_ecdsa_openssl();
5135 #endif
5136 
5137 #ifdef ENABLE_MODULE_RECOVERY
5138  /* ECDSA pubkey recovery tests */
5139  run_recovery_tests();
5140 #endif
5141 
5142  secp256k1_rand256(run32);
5143  printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]);
5144 
5145  /* shutdown */
5146  secp256k1_context_destroy(ctx);
5147 
5148  printf("no problems found\n");
5149  return 0;
5150 }
secp256k1_scalar_eq
static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b)
Compare two scalars.
secp256k1_scalar_mul
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).
secp256k1_num_is_one
static int secp256k1_num_is_one(const secp256k1_num *a)
Check whether a number is one.
secp256k1_ge_is_infinity
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
VERIFY_CHECK
#define VERIFY_CHECK(cond)
Definition: util.h:67
ScriptContext::TOP
Top-level scriptPubKey.
secp256k1_scalar_check_overflow
static SECP256K1_INLINE int secp256k1_scalar_check_overflow(const secp256k1_scalar *a)
Definition: scalar_4x64_impl.h:57
run_hmac_sha256_tests
void run_hmac_sha256_tests(void)
Definition: tests.c:334
secp256k1_gej_is_infinity
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
check_fe_equal
int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:1639
secp256k1_num_eq
static int secp256k1_num_eq(const secp256k1_num *a, const secp256k1_num *b)
Test whether two number are equal (including sign).
test_secp256k1_pippenger_bucket_window_inv
void test_secp256k1_pippenger_bucket_window_inv(void)
Definition: tests.c:2812
secp256k1_ec_pubkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:501
secp256k1_fe
Definition: field_10x26.h:12
ecmult_multi_data::pt
secp256k1_ge * pt
Definition: tests.c:2549
secp256k1_ec_privkey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a private key by multiplying it by a tweak.
Definition: secp256k1.c:525
secp256k1_rand_bytes_test
static void secp256k1_rand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
secp256k1_gej_add_var
static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b.
secp256k1_fe_is_zero
static int secp256k1_fe_is_zero(const secp256k1_fe *a)
Verify whether a field element is zero.
random_fe
void random_fe(secp256k1_fe *x)
Definition: tests.c:1598
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call...
Definition: secp256k1.c:111
test_add_neg_y_diff_x
void test_add_neg_y_diff_x(void)
Definition: tests.c:2141
secp256k1_scalar_is_even
static int secp256k1_scalar_is_even(const secp256k1_scalar *a)
Check whether a scalar, considered as an nonnegative integer, is even.
run_ecmult_const_tests
void run_ecmult_const_tests(void)
Definition: tests.c:2540
secp256k1_pippenger_scratch_size
static size_t secp256k1_pippenger_scratch_size(size_t n_points, int bucket_window)
Returns the scratch size required for a given number of points (excluding base point G) without consi...
Definition: ecmult_impl.h:956
secp256k1_ecdsa_signature_serialize_compact
SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:282
secp256k1_pippenger_max_points
static size_t secp256k1_pippenger_max_points(secp256k1_scratch *scratch)
Returns the maximum number of points in addition to G that can be used with a given scratch space...
Definition: ecmult_impl.h:1051
test_point_times_order
void test_point_times_order(const secp256k1_gej *point)
Definition: tests.c:2387
SECP256K1_GEJ_CONST
#define SECP256K1_GEJ_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:31
secp256k1_gej_has_quad_y_var
static int secp256k1_gej_has_quad_y_var(const secp256k1_gej *a)
Check whether a group element&#39;s y coordinate is a quadratic residue.
secp256k1_ge_neg
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
secp256k1_ecdsa_signature_normalize
SECP256K1_API int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:295
run_group_decompress
void run_group_decompress(void)
Definition: tests.c:2312
secp256k1_fe_mul
static void secp256k1_fe_mul(secp256k1_fe *r, const secp256k1_fe *a, const secp256k1_fe *SECP256K1_RESTRICT b)
Sets a field element to be the product of two others.
fsbridge::fopen
FILE * fopen(const fs::path &p, const char *mode)
Definition: fs.cpp:19
secp256k1_ecmult_gen
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
secp256k1_fe_normalize_var
static void secp256k1_fe_normalize_var(secp256k1_fe *r)
Normalize a field element, without constant-time guarantee.
tests_impl.h
secp256k1_gej::x
secp256k1_fe x
Definition: group.h:25
tests_impl.h
secp256k1_rfc6979_hmac_sha256_initialize
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen)
secp256k1_num_set_bin
static void secp256k1_num_set_bin(secp256k1_num *r, const unsigned char *a, unsigned int alen)
Set a number to the value of a binary big-endian string.
fe_memcmp
int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:1684
secp256k1_ecdsa_sig_sign
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
run_scalar_tests
void run_scalar_tests(void)
Definition: tests.c:968
lax_der_parsing.c
test_sqrt
void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k)
Definition: tests.c:1827
secp256k1_context_randomize
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1)
Updates the context randomization to protect against side-channel leakage.
Definition: secp256k1.c:571
nonce_function_test_fail
static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:4003
nonce_function_rfc6979
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: secp256k1.c:336
secp256k1_ge_set_gej_var
static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a)
Definition: group_impl.h:113
test_random_pubkeys
void test_random_pubkeys(void)
Definition: tests.c:4177
secp256k1_fe_negate
static void secp256k1_fe_negate(secp256k1_fe *r, const secp256k1_fe *a, int m)
Set a field element equal to the additive inverse of another.
secp256k1_scalar_get_num
static void secp256k1_scalar_get_num(secp256k1_num *r, const secp256k1_scalar *a)
Convert a scalar to a number.
nonce_function_test_retry
static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:4011
secp256k1_scratch_destroy
static void secp256k1_scratch_destroy(secp256k1_scratch *scratch)
secp256k1_ecmult_pippenger_batch_single
static int secp256k1_ecmult_pippenger_batch_single(const secp256k1_ecmult_context *actx, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:1042
secp256k1_hmac_sha256_initialize
static void secp256k1_hmac_sha256_initialize(secp256k1_hmac_sha256 *hash, const unsigned char *key, size_t size)
assign_big_endian
static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val)
Definition: tests.c:4365
secp256k1_fe_from_storage
static void secp256k1_fe_from_storage(secp256k1_fe *r, const secp256k1_fe_storage *a)
Convert a field element back from the storage type.
test_ecmult_constants
void test_ecmult_constants(void)
Definition: tests.c:3208
secp256k1_num_copy
static void secp256k1_num_copy(secp256k1_num *r, const secp256k1_num *a)
Copy a number.
SECP256K1_CONTEXT_NONE
#define SECP256K1_CONTEXT_NONE
Definition: secp256k1.h:169
secp256k1_scalar_get_bits
static unsigned int secp256k1_scalar_get_bits(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits from a scalar.
run_field_misc
void run_field_misc(void)
Definition: tests.c:1693
secp256k1_ecdsa_sig_parse
static int secp256k1_ecdsa_sig_parse(secp256k1_scalar *r, secp256k1_scalar *s, const unsigned char *sig, size_t size)
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
secp256k1_ge_set_all_gej_var
static void secp256k1_ge_set_all_gej_var(secp256k1_ge *r, const secp256k1_gej *a, size_t len)
Set a batch of group elements equal to the inputs given in jacobian coordinates.
secp256k1_fe_storage_cmov
static void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_rand_int
static uint32_t secp256k1_rand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
PIPPENGER_MAX_BUCKET_WINDOW
#define PIPPENGER_MAX_BUCKET_WINDOW
Definition: ecmult_impl.h:60
secp256k1_ecmult_gen_blind
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32)
secp256k1_eckey_pubkey_serialize
static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed)
run_ge
void run_ge(void)
Definition: tests.c:2208
run_sqrt
void run_sqrt(void)
Definition: tests.c:1841
secp256k1_scalar_is_zero
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.
run_random_pubkeys
void run_random_pubkeys(void)
Definition: tests.c:4237
run_rand_int
void run_rand_int(void)
Definition: tests.c:480
secp256k1_scalar_shr_int
static int secp256k1_scalar_shr_int(secp256k1_scalar *r, int n)
Shift a scalar right by some amount strictly between 0 and 16, returning the low bits that were shift...
secp256k1_gej_neg
static void secp256k1_gej_neg(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
secp256k1_pubkey_save
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:157
secp256k1_fe_cmov
static void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
test_wnaf
void test_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:2987
secp256k1_sha256
Definition: hash.h:13
secp256k1_gej_add_zinv_var
static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv)
Set r equal to the sum of a and b (with the inverse of b&#39;s Z coordinate passed as bzinv)...
test_ecmult_multi
void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:2567
random_scalar_order
void random_scalar_order(secp256k1_scalar *num)
Definition: tests.c:127
SECP256K1_GEJ_CONST_INFINITY
#define SECP256K1_GEJ_CONST_INFINITY
Definition: group.h:32
random_fe_non_zero
void random_fe_non_zero(secp256k1_fe *nz)
Definition: tests.c:1618
secp256k1_ec_pubkey_serialize
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:186
test_fixed_wnaf
void test_fixed_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:3077
testrand_impl.h
run_ecmult_constants
void run_ecmult_constants(void)
Definition: tests.c:3241
secp256k1_ecmult
static void secp256k1_ecmult(const secp256k1_ecmult_context *ctx, secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng)
Double multiply: R = na*A + ng*G.
secp256k1_callback::fn
void(* fn)(const char *text, void *data)
Definition: util.h:19
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:24
secp256k1_fe_set_int
static void secp256k1_fe_set_int(secp256k1_fe *r, int a)
Set a field element equal to a small integer.
secp256k1_context_struct
Definition: secp256k1.c:52
run_rand_bits
void run_rand_bits(void)
Definition: tests.c:472
secp256k1_fe_to_storage
static void secp256k1_fe_to_storage(secp256k1_fe_storage *r, const secp256k1_fe *a)
Convert a field element to the storage type.
ge_equals_ge
void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b)
Definition: tests.c:1877
secp256k1_ecmult_gen_context_build
static void secp256k1_ecmult_gen_context_build(secp256k1_ecmult_gen_context *ctx, const secp256k1_callback *cb)
secp256k1_num_mod_inverse
static void secp256k1_num_mod_inverse(secp256k1_num *r, const secp256k1_num *a, const secp256k1_num *m)
Compute a modular inverse.
SECP256K1_CONTEXT_SIGN
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:168
test_num_add_sub
void test_num_add_sub(void)
Definition: tests.c:532
run_ecdsa_sign_verify
void run_ecdsa_sign_verify(void)
Definition: tests.c:3987
random_field_element_test
void random_field_element_test(secp256k1_fe *fe)
Definition: tests.c:64
test_ecmult_multi_pippenger_max_points
void test_ecmult_multi_pippenger_max_points(void)
Probabilistically test the function returning the maximum number of possible points for a given scrat...
Definition: tests.c:2834
secp256k1_ec_privkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a private key by adding tweak to it.
Definition: secp256k1.c:478
test_ec_combine
void test_ec_combine(void)
Definition: tests.c:2216
test_num_negate
void test_num_negate(void)
Definition: tests.c:512
random_sign
void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid)
Definition: tests.c:3957
test_fixed_wnaf_small_helper
void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w)
Definition: tests.c:3117
secp256k1_ecdsa_signature_save
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:223
SECP256K1_FE_CONST
#define SECP256K1_FE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:40
test_ecmult_gen_blind_reset
void test_ecmult_gen_blind_reset(void)
Definition: tests.c:3268
secp256k1_fe_clear
static void secp256k1_fe_clear(secp256k1_fe *a)
Sets a field element equal to zero, initializing all fields.
secp256k1_gej_is_valid_var
static int secp256k1_gej_is_valid_var(const secp256k1_gej *a)
Definition: group_impl.h:272
secp256k1_gej_set_infinity
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.
secp256k1_eckey_pubkey_parse
static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size)
secp256k1_fe_add
static void secp256k1_fe_add(secp256k1_fe *r, const secp256k1_fe *a)
Adds a field element to another.
damage_array
static void damage_array(unsigned char *sig, size_t *len)
Definition: tests.c:4377
secp256k1_fe_mul_int
static void secp256k1_fe_mul_int(secp256k1_fe *r, int a)
Multiplies the passed field element with a small integer constant.
ge_equals_gej
void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b)
Definition: tests.c:1908
secp256k1_fe_is_odd
static int secp256k1_fe_is_odd(const secp256k1_fe *a)
Check the "oddness" of a field element.
test_num_jacobi
void test_num_jacobi(void)
Definition: tests.c:605
secp256k1_gej_add_ge_var
static void secp256k1_gej_add_ge_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b (with b given in affine coordinates).
run_eckey_edge_case_test
void run_eckey_edge_case_test(void)
Definition: tests.c:3721
run_context_tests
void run_context_tests(void)
Definition: tests.c:140
secp256k1_gej_double_var
static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)
Set r equal to the double of a.
ec_privkey_export_der
static int ec_privkey_export_der(const secp256k1_context *ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *key32, bool compressed)
This serializes to a DER encoding of the ECPrivateKey type from section C.4 of SEC 1 http://www...
Definition: key.cpp:91
sum
volatile double sum
Definition: examples.cpp:22
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object.
Definition: secp256k1.c:101
test_ecdsa_der_parse
int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der)
Definition: tests.c:4251
run_ecdh_tests
void run_ecdh_tests(void)
Definition: tests_impl.h:126
ecmult_multi_data
Definition: tests.c:2547
secp256k1_ge_const_g
static const secp256k1_ge secp256k1_ge_const_g
Generator for secp256k1, value &#39;g&#39; defined in "Standards for Efficient Cryptography" (SEC2) 2...
Definition: group_impl.h:64
run_field_inv_all_var
void run_field_inv_all_var(void)
Definition: tests.c:1789
secp256k1_ec_pubkey_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:428
test_rand_int
void test_rand_int(uint32_t range, uint32_t subrange)
Definition: tests.c:456
SECP256K1_EC_UNCOMPRESSED
#define SECP256K1_EC_UNCOMPRESSED
Definition: secp256k1.h:173
SECP256K1_EC_COMPRESSED
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize and secp256k1_ec_privkey_export.
Definition: secp256k1.h:172
secp256k1_scalar_mul_shift_var
static void secp256k1_scalar_mul_shift_var(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b, unsigned int shift)
Multiply a and b (without taking the modulus!), divide by 2**shift, and round to the nearest integer...
run_rfc6979_hmac_sha256_tests
void run_rfc6979_hmac_sha256_tests(void)
Definition: tests.c:378
run_field_inv_var
void run_field_inv_var(void)
Definition: tests.c:1777
random_num_order
void random_num_order(secp256k1_num *num)
Definition: tests.c:506
run_ec_pubkey_parse_test
void run_ec_pubkey_parse_test(void)
Definition: tests.c:3393
secp256k1_ge_set_infinity
static void secp256k1_ge_set_infinity(secp256k1_ge *r)
Set a group element (affine) equal to the point at infinity.
secp256k1_scalar_inverse
static void secp256k1_scalar_inverse(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order).
secp256k1_scratch_deallocate_frame
static void secp256k1_scratch_deallocate_frame(secp256k1_scratch *scratch)
Deallocates a stack frame.
run_field_inv
void run_field_inv(void)
Definition: tests.c:1765
secp256k1_ec_seckey_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an ECDSA secret key.
Definition: secp256k1.c:415
secp256k1_scratch_allocate_frame
static int secp256k1_scratch_allocate_frame(secp256k1_scratch *scratch, size_t n, size_t objects)
Attempts to allocate a new stack frame with n available bytes.
run_ecmult_gen_blind
void run_ecmult_gen_blind(void)
Definition: tests.c:3280
secp256k1_num
Definition: num_gmp.h:14
run_ecdsa_der_parse
void run_ecdsa_der_parse(void)
Definition: tests.c:4550
PIPPENGER_SCRATCH_OBJECTS
#define PIPPENGER_SCRATCH_OBJECTS
Definition: ecmult_impl.h:57
secp256k1_ecmult_gen_context::blind
secp256k1_scalar blind
Definition: ecmult_gen.h:27
secp256k1_num_sub
static void secp256k1_num_sub(secp256k1_num *r, const secp256k1_num *a, const secp256k1_num *b)
Subtract two (signed) numbers.
secp256k1_wnaf_const
static int secp256k1_wnaf_const(int *wnaf, secp256k1_scalar s, int w, int size)
Convert a number to WNAF notation.
Definition: ecmult_const_impl.h:51
secp256k1_ecmult_const
static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q, int bits)
ecmult_multi_callback
static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:2552
secp256k1_context_struct::ecmult_gen_ctx
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:54
secp256k1_pippenger_bucket_window_inv
static size_t secp256k1_pippenger_bucket_window_inv(int bucket_window)
Returns the maximum optimal number of points for a bucket_window.
Definition: ecmult_impl.h:901
run_field_convert
void run_field_convert(void)
Definition: tests.c:1654
SECP256K1_SCALAR_CONST
#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: scalar_4x64.h:17
ECMULT_PIPPENGER_THRESHOLD
#define ECMULT_PIPPENGER_THRESHOLD
Definition: ecmult_impl.h:66
run_num_smalltests
void run_num_smalltests(void)
Definition: tests.c:666
ecmult_const_mult_zero_one
void ecmult_const_mult_zero_one(void)
Definition: tests.c:2492
ctx
static secp256k1_context * ctx
Definition: tests.c:46
run_ecmult_chain
void run_ecmult_chain(void)
Definition: tests.c:2323
is_empty_signature
int is_empty_signature(const secp256k1_ecdsa_signature *sig)
Definition: tests.c:4041
secp256k1_ecdsa_sign
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:369
test_ecmult_multi_batch_size_helper
void test_ecmult_multi_batch_size_helper(void)
Definition: tests.c:2857
secp256k1_ge_set_gej
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
WNAF_SIZE_BITS
#define WNAF_SIZE_BITS(bits, w)
Definition: ecmult_impl.h:50
secp256k1_gej::infinity
int infinity
Definition: group.h:28
VG_UNDEF
#define VG_UNDEF(x, y)
Definition: tests.c:40
secp256k1_scalar_is_high
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
secp256k1_num_add
static void secp256k1_num_add(secp256k1_num *r, const secp256k1_num *a, const secp256k1_num *b)
Add two (signed) numbers.
secp256k1_num_jacobi
static int secp256k1_num_jacobi(const secp256k1_num *a, const secp256k1_num *b)
Compute the jacobi symbol (a|b).
secp256k1_ec_pubkey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:547
secp256k1_hmac_sha256_write
static void secp256k1_hmac_sha256_write(secp256k1_hmac_sha256 *hash, const unsigned char *data, size_t size)
secp256k1_num_shift
static void secp256k1_num_shift(secp256k1_num *r, int bits)
Right-shift the passed number by bits bits.
secp256k1_scalar_sqr
static void secp256k1_scalar_sqr(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the square of a scalar (modulo the group order).
secp256k1_pippenger_bucket_window
static int secp256k1_pippenger_bucket_window(size_t n)
Returns optimal bucket_window (number of bits of a scalar represented by a set of buckets) for a give...
Definition: ecmult_impl.h:844
test_group_decompress
void test_group_decompress(const secp256k1_fe *x)
Definition: tests.c:2248
run_ecdsa_end_to_end
void run_ecdsa_end_to_end(void)
Definition: tests.c:4244
secp256k1_scratch_max_allocation
static size_t secp256k1_scratch_max_allocation(const secp256k1_scratch *scratch, size_t n_objects)
Returns the maximum allocation the scratch space will allow.
secp256k1_wnaf_fixed
static int secp256k1_wnaf_fixed(int *wnaf, const secp256k1_scalar *s, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:684
secp256k1_num_mul
static void secp256k1_num_mul(secp256k1_num *r, const secp256k1_num *a, const secp256k1_num *b)
Multiply two (signed) numbers.
test_constant_wnaf_negate
void test_constant_wnaf_negate(const secp256k1_scalar *number)
Definition: tests.c:3021
ECMULT_MAX_POINTS_PER_BATCH
#define ECMULT_MAX_POINTS_PER_BATCH
Definition: ecmult_impl.h:72
secp256k1_fe_is_quad_var
static int secp256k1_fe_is_quad_var(const secp256k1_fe *a)
Checks whether a field element is a quadratic residue.
ec_pubkey_parse_pointtest
void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid)
Definition: tests.c:3318
test_ecmult_multi_batching
void test_ecmult_multi_batching(void)
Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to 1 <= i <= num points...
Definition: tests.c:2905
secp256k1_ec_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:171
secp256k1_scalar_cadd_bit
static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int flag)
Conditionally add a power of two to a scalar.
secp256k1_context_struct::ecmult_ctx
secp256k1_ecmult_context ecmult_ctx
Definition: secp256k1.c:53
secp256k1_ge_set_xquad
static int secp256k1_ge_set_xquad(secp256k1_ge *r, const secp256k1_fe *x)
Set a group element (affine) equal to the point with the given X coordinate and a Y coordinate that i...
secp256k1_scalar_clear
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.
secp256k1_ge
A group element of the secp256k1 curve, in affine coordinates.
Definition: group.h:14
secp256k1_ecdsa_signature
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:79
secp256k1_ge::x
secp256k1_fe x
Definition: group.h:15
run_sqr
void run_sqr(void)
Definition: tests.c:1811
secp256k1_fe_normalize_weak
static void secp256k1_fe_normalize_weak(secp256k1_fe *r)
Weakly normalize a field element: reduce it magnitude to 1, but don&#39;t fully normalize.
secp256k1_ecmult_multi_var
static int secp256k1_ecmult_multi_var(const secp256k1_ecmult_context *ctx, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Multi-multiply: R = inp_g_sc * G + sum_i ni * Ai.
secp256k1_rand32
static uint32_t secp256k1_rand32(void)
Generate a pseudorandom number in the range [0..2**32-1].
secp256k1_ge_clear
static void secp256k1_ge_clear(secp256k1_ge *r)
Clear a secp256k1_ge to prevent leaking sensitive information.
VG_CHECK
#define VG_CHECK(x, y)
Definition: tests.c:41
ec_privkey_import_der
static int ec_privkey_import_der(const secp256k1_context *ctx, unsigned char *out32, const unsigned char *privkey, size_t privkeylen)
These functions are taken from the libsecp256k1 distribution and are very ugly.
Definition: key.cpp:34
SECP256K1_EC_PARSE_TEST_NINVALID
#define SECP256K1_EC_PARSE_TEST_NINVALID
secp256k1_num_negate
static void secp256k1_num_negate(secp256k1_num *r)
Change a number&#39;s sign.
secp256k1_hmac_sha256_finalize
static void secp256k1_hmac_sha256_finalize(secp256k1_hmac_sha256 *hash, unsigned char *out32)
secp256k1_strauss_scratch_size
static size_t secp256k1_strauss_scratch_size(size_t n_points)
Definition: ecmult_impl.h:620
CHECK
#define CHECK(cond)
Definition: util.h:52
test_fixed_wnaf_small
void test_fixed_wnaf_small(void)
Definition: tests.c:3127