1 /**********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
17 #include "secp256k1.c"
18 #include "include/secp256k1.h"
19 #include "testrand_impl.h"
21 #ifdef ENABLE_OPENSSL_TESTS
22 #include "openssl/bn.h"
23 #include "openssl/ec.h"
24 #include "openssl/ecdsa.h"
25 #include "openssl/obj_mac.h"
28 #include "contrib/lax_der_parsing.c"
29 #include "contrib/lax_der_privatekey_parsing.c"
31 #if !defined(VG_CHECK)
32 # if defined(VALGRIND)
33 # include <valgrind/memcheck.h>
34 # define VG_UNDEF(x,y) VALGRIND_MAKE_MEM_UNDEFINED((x),(y))
35 # define VG_CHECK(x,y) VALGRIND_CHECK_MEM_IS_DEFINED((x),(y))
37 # define VG_UNDEF(x,y)
38 # define VG_CHECK(x,y)
42 static int count
= 64;
43 static secp256k1_context
*ctx
= NULL
;
45 static void counting_illegal_callback_fn(const char* str
, void* data
) {
46 /* Dummy callback function that just counts. */
53 static void uncounting_illegal_callback_fn(const char* str
, void* data
) {
54 /* Dummy callback function that just counts (backwards). */
61 void random_field_element_test(secp256k1_fe
*fe
) {
63 unsigned char b32
[32];
64 secp256k1_rand256_test(b32
);
65 if (secp256k1_fe_set_b32(fe
, b32
)) {
71 void random_field_element_magnitude(secp256k1_fe
*fe
) {
73 int n
= secp256k1_rand_int(9);
74 secp256k1_fe_normalize(fe
);
78 secp256k1_fe_clear(&zero
);
79 secp256k1_fe_negate(&zero
, &zero
, 0);
80 secp256k1_fe_mul_int(&zero
, n
- 1);
81 secp256k1_fe_add(fe
, &zero
);
82 VERIFY_CHECK(fe
->magnitude
== n
);
85 void random_group_element_test(secp256k1_ge
*ge
) {
88 random_field_element_test(&fe
);
89 if (secp256k1_ge_set_xo_var(ge
, &fe
, secp256k1_rand_bits(1))) {
90 secp256k1_fe_normalize(&ge
->y
);
96 void random_group_element_jacobian_test(secp256k1_gej
*gej
, const secp256k1_ge
*ge
) {
99 random_field_element_test(&gej
->z
);
100 if (!secp256k1_fe_is_zero(&gej
->z
)) {
104 secp256k1_fe_sqr(&z2
, &gej
->z
);
105 secp256k1_fe_mul(&z3
, &z2
, &gej
->z
);
106 secp256k1_fe_mul(&gej
->x
, &ge
->x
, &z2
);
107 secp256k1_fe_mul(&gej
->y
, &ge
->y
, &z3
);
108 gej
->infinity
= ge
->infinity
;
111 void random_scalar_order_test(secp256k1_scalar
*num
) {
113 unsigned char b32
[32];
115 secp256k1_rand256_test(b32
);
116 secp256k1_scalar_set_b32(num
, b32
, &overflow
);
117 if (overflow
|| secp256k1_scalar_is_zero(num
)) {
124 void random_scalar_order(secp256k1_scalar
*num
) {
126 unsigned char b32
[32];
128 secp256k1_rand256(b32
);
129 secp256k1_scalar_set_b32(num
, b32
, &overflow
);
130 if (overflow
|| secp256k1_scalar_is_zero(num
)) {
137 void run_context_tests(void) {
138 secp256k1_pubkey pubkey
;
139 secp256k1_pubkey zero_pubkey
;
140 secp256k1_ecdsa_signature sig
;
141 unsigned char ctmp
[32];
144 secp256k1_context
*none
= secp256k1_context_create(SECP256K1_CONTEXT_NONE
);
145 secp256k1_context
*sign
= secp256k1_context_create(SECP256K1_CONTEXT_SIGN
);
146 secp256k1_context
*vrfy
= secp256k1_context_create(SECP256K1_CONTEXT_VERIFY
);
147 secp256k1_context
*both
= secp256k1_context_create(SECP256K1_CONTEXT_SIGN
| SECP256K1_CONTEXT_VERIFY
);
151 secp256k1_scalar msg
, key
, nonce
;
152 secp256k1_scalar sigr
, sigs
;
154 memset(&zero_pubkey
, 0, sizeof(zero_pubkey
));
158 secp256k1_context_set_illegal_callback(vrfy
, counting_illegal_callback_fn
, &ecount
);
159 secp256k1_context_set_illegal_callback(sign
, counting_illegal_callback_fn
, &ecount2
);
160 secp256k1_context_set_error_callback(sign
, counting_illegal_callback_fn
, NULL
);
161 CHECK(vrfy
->error_callback
.fn
!= sign
->error_callback
.fn
);
163 /*** clone and destroy all of them to make sure cloning was complete ***/
165 secp256k1_context
*ctx_tmp
;
167 ctx_tmp
= none
; none
= secp256k1_context_clone(none
); secp256k1_context_destroy(ctx_tmp
);
168 ctx_tmp
= sign
; sign
= secp256k1_context_clone(sign
); secp256k1_context_destroy(ctx_tmp
);
169 ctx_tmp
= vrfy
; vrfy
= secp256k1_context_clone(vrfy
); secp256k1_context_destroy(ctx_tmp
);
170 ctx_tmp
= both
; both
= secp256k1_context_clone(both
); secp256k1_context_destroy(ctx_tmp
);
173 /* Verify that the error callback makes it across the clone. */
174 CHECK(vrfy
->error_callback
.fn
!= sign
->error_callback
.fn
);
175 /* And that it resets back to default. */
176 secp256k1_context_set_error_callback(sign
, NULL
, NULL
);
177 CHECK(vrfy
->error_callback
.fn
== sign
->error_callback
.fn
);
179 /*** attempt to use them ***/
180 random_scalar_order_test(&msg
);
181 random_scalar_order_test(&key
);
182 secp256k1_ecmult_gen(&both
->ecmult_gen_ctx
, &pubj
, &key
);
183 secp256k1_ge_set_gej(&pub
, &pubj
);
185 /* Verify context-type checking illegal-argument errors. */
187 CHECK(secp256k1_ec_pubkey_create(vrfy
, &pubkey
, ctmp
) == 0);
189 VG_UNDEF(&pubkey
, sizeof(pubkey
));
190 CHECK(secp256k1_ec_pubkey_create(sign
, &pubkey
, ctmp
) == 1);
191 VG_CHECK(&pubkey
, sizeof(pubkey
));
192 CHECK(secp256k1_ecdsa_sign(vrfy
, &sig
, ctmp
, ctmp
, NULL
, NULL
) == 0);
194 VG_UNDEF(&sig
, sizeof(sig
));
195 CHECK(secp256k1_ecdsa_sign(sign
, &sig
, ctmp
, ctmp
, NULL
, NULL
) == 1);
196 VG_CHECK(&sig
, sizeof(sig
));
197 CHECK(ecount2
== 10);
198 CHECK(secp256k1_ecdsa_verify(sign
, &sig
, ctmp
, &pubkey
) == 0);
199 CHECK(ecount2
== 11);
200 CHECK(secp256k1_ecdsa_verify(vrfy
, &sig
, ctmp
, &pubkey
) == 1);
202 CHECK(secp256k1_ec_pubkey_tweak_add(sign
, &pubkey
, ctmp
) == 0);
203 CHECK(ecount2
== 12);
204 CHECK(secp256k1_ec_pubkey_tweak_add(vrfy
, &pubkey
, ctmp
) == 1);
206 CHECK(secp256k1_ec_pubkey_tweak_mul(sign
, &pubkey
, ctmp
) == 0);
207 CHECK(ecount2
== 13);
208 CHECK(secp256k1_ec_pubkey_negate(vrfy
, &pubkey
) == 1);
210 CHECK(secp256k1_ec_pubkey_negate(sign
, &pubkey
) == 1);
212 CHECK(secp256k1_ec_pubkey_negate(sign
, NULL
) == 0);
213 CHECK(ecount2
== 14);
214 CHECK(secp256k1_ec_pubkey_negate(vrfy
, &zero_pubkey
) == 0);
216 CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy
, &pubkey
, ctmp
) == 1);
218 CHECK(secp256k1_context_randomize(vrfy
, ctmp
) == 0);
220 CHECK(secp256k1_context_randomize(sign
, NULL
) == 1);
221 CHECK(ecount2
== 14);
222 secp256k1_context_set_illegal_callback(vrfy
, NULL
, NULL
);
223 secp256k1_context_set_illegal_callback(sign
, NULL
, NULL
);
225 /* This shouldn't leak memory, due to already-set tests. */
226 secp256k1_ecmult_gen_context_build(&sign
->ecmult_gen_ctx
, NULL
);
227 secp256k1_ecmult_context_build(&vrfy
->ecmult_ctx
, NULL
);
229 /* obtain a working nonce */
231 random_scalar_order_test(&nonce
);
232 } while(!secp256k1_ecdsa_sig_sign(&both
->ecmult_gen_ctx
, &sigr
, &sigs
, &key
, &msg
, &nonce
, NULL
));
235 CHECK(secp256k1_ecdsa_sig_sign(&sign
->ecmult_gen_ctx
, &sigr
, &sigs
, &key
, &msg
, &nonce
, NULL
));
236 CHECK(secp256k1_ecdsa_sig_sign(&both
->ecmult_gen_ctx
, &sigr
, &sigs
, &key
, &msg
, &nonce
, NULL
));
239 CHECK(secp256k1_ecdsa_sig_verify(&vrfy
->ecmult_ctx
, &sigr
, &sigs
, &pub
, &msg
));
240 CHECK(secp256k1_ecdsa_sig_verify(&both
->ecmult_ctx
, &sigr
, &sigs
, &pub
, &msg
));
243 secp256k1_context_destroy(none
);
244 secp256k1_context_destroy(sign
);
245 secp256k1_context_destroy(vrfy
);
246 secp256k1_context_destroy(both
);
247 /* Defined as no-op. */
248 secp256k1_context_destroy(NULL
);
251 /***** HASH TESTS *****/
253 void run_sha256_tests(void) {
254 static const char *inputs
[8] = {
255 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
256 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
257 "For this sample, this 63-byte string will be used as input data",
258 "This is exactly 64 bytes long, not counting the terminating byte"
260 static const unsigned char outputs
[8][32] = {
261 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
262 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
263 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
264 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
265 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
266 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
267 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
268 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
271 for (i
= 0; i
< 8; i
++) {
272 unsigned char out
[32];
273 secp256k1_sha256_t hasher
;
274 secp256k1_sha256_initialize(&hasher
);
275 secp256k1_sha256_write(&hasher
, (const unsigned char*)(inputs
[i
]), strlen(inputs
[i
]));
276 secp256k1_sha256_finalize(&hasher
, out
);
277 CHECK(memcmp(out
, outputs
[i
], 32) == 0);
278 if (strlen(inputs
[i
]) > 0) {
279 int split
= secp256k1_rand_int(strlen(inputs
[i
]));
280 secp256k1_sha256_initialize(&hasher
);
281 secp256k1_sha256_write(&hasher
, (const unsigned char*)(inputs
[i
]), split
);
282 secp256k1_sha256_write(&hasher
, (const unsigned char*)(inputs
[i
] + split
), strlen(inputs
[i
]) - split
);
283 secp256k1_sha256_finalize(&hasher
, out
);
284 CHECK(memcmp(out
, outputs
[i
], 32) == 0);
289 void run_hmac_sha256_tests(void) {
290 static const char *keys
[6] = {
291 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
293 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
294 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
295 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
296 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
298 static const char *inputs
[6] = {
299 "\x48\x69\x20\x54\x68\x65\x72\x65",
300 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
301 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
302 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
303 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
304 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
306 static const unsigned char outputs
[6][32] = {
307 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
308 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
309 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
310 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
311 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
312 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
315 for (i
= 0; i
< 6; i
++) {
316 secp256k1_hmac_sha256_t hasher
;
317 unsigned char out
[32];
318 secp256k1_hmac_sha256_initialize(&hasher
, (const unsigned char*)(keys
[i
]), strlen(keys
[i
]));
319 secp256k1_hmac_sha256_write(&hasher
, (const unsigned char*)(inputs
[i
]), strlen(inputs
[i
]));
320 secp256k1_hmac_sha256_finalize(&hasher
, out
);
321 CHECK(memcmp(out
, outputs
[i
], 32) == 0);
322 if (strlen(inputs
[i
]) > 0) {
323 int split
= secp256k1_rand_int(strlen(inputs
[i
]));
324 secp256k1_hmac_sha256_initialize(&hasher
, (const unsigned char*)(keys
[i
]), strlen(keys
[i
]));
325 secp256k1_hmac_sha256_write(&hasher
, (const unsigned char*)(inputs
[i
]), split
);
326 secp256k1_hmac_sha256_write(&hasher
, (const unsigned char*)(inputs
[i
] + split
), strlen(inputs
[i
]) - split
);
327 secp256k1_hmac_sha256_finalize(&hasher
, out
);
328 CHECK(memcmp(out
, outputs
[i
], 32) == 0);
333 void run_rfc6979_hmac_sha256_tests(void) {
334 static const unsigned char key1
[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
335 static const unsigned char out1
[3][32] = {
336 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
337 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
338 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
341 static const unsigned char key2
[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
342 static const unsigned char out2
[3][32] = {
343 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
344 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
345 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
348 secp256k1_rfc6979_hmac_sha256_t rng
;
349 unsigned char out
[32];
352 secp256k1_rfc6979_hmac_sha256_initialize(&rng
, key1
, 64);
353 for (i
= 0; i
< 3; i
++) {
354 secp256k1_rfc6979_hmac_sha256_generate(&rng
, out
, 32);
355 CHECK(memcmp(out
, out1
[i
], 32) == 0);
357 secp256k1_rfc6979_hmac_sha256_finalize(&rng
);
359 secp256k1_rfc6979_hmac_sha256_initialize(&rng
, key1
, 65);
360 for (i
= 0; i
< 3; i
++) {
361 secp256k1_rfc6979_hmac_sha256_generate(&rng
, out
, 32);
362 CHECK(memcmp(out
, out1
[i
], 32) != 0);
364 secp256k1_rfc6979_hmac_sha256_finalize(&rng
);
366 secp256k1_rfc6979_hmac_sha256_initialize(&rng
, key2
, 64);
367 for (i
= 0; i
< 3; i
++) {
368 secp256k1_rfc6979_hmac_sha256_generate(&rng
, out
, 32);
369 CHECK(memcmp(out
, out2
[i
], 32) == 0);
371 secp256k1_rfc6979_hmac_sha256_finalize(&rng
);
374 /***** RANDOM TESTS *****/
376 void test_rand_bits(int rand32
, int bits
) {
377 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
378 * get a false negative chance below once in a billion */
379 static const unsigned int rounds
[7] = {1, 30, 73, 156, 322, 653, 1316};
380 /* We try multiplying the results with various odd numbers, which shouldn't
381 * influence the uniform distribution modulo a power of 2. */
382 static const uint32_t mults
[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
383 /* We only select up to 6 bits from the output to analyse */
384 unsigned int usebits
= bits
> 6 ? 6 : bits
;
385 unsigned int maxshift
= bits
- usebits
;
386 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
387 number, track all observed outcomes, one per bit in a uint64_t. */
388 uint64_t x
[6][27] = {{0}};
389 unsigned int i
, shift
, m
;
390 /* Multiply the output of all rand calls with the odd number m, which
391 should not change the uniformity of its distribution. */
392 for (i
= 0; i
< rounds
[usebits
]; i
++) {
393 uint32_t r
= (rand32
? secp256k1_rand32() : secp256k1_rand_bits(bits
));
394 CHECK((((uint64_t)r
) >> bits
) == 0);
395 for (m
= 0; m
< sizeof(mults
) / sizeof(mults
[0]); m
++) {
396 uint32_t rm
= r
* mults
[m
];
397 for (shift
= 0; shift
<= maxshift
; shift
++) {
398 x
[m
][shift
] |= (((uint64_t)1) << ((rm
>> shift
) & ((1 << usebits
) - 1)));
402 for (m
= 0; m
< sizeof(mults
) / sizeof(mults
[0]); m
++) {
403 for (shift
= 0; shift
<= maxshift
; shift
++) {
404 /* Test that the lower usebits bits of x[shift] are 1 */
405 CHECK(((~x
[m
][shift
]) << (64 - (1 << usebits
))) == 0);
410 /* Subrange must be a whole divisor of range, and at most 64 */
411 void test_rand_int(uint32_t range
, uint32_t subrange
) {
412 /* (1-1/subrange)^rounds < 1/10^9 */
413 int rounds
= (subrange
* 2073) / 100;
416 CHECK((range
% subrange
) == 0);
417 for (i
= 0; i
< rounds
; i
++) {
418 uint32_t r
= secp256k1_rand_int(range
);
421 x
|= (((uint64_t)1) << r
);
423 /* Test that the lower subrange bits of x are 1. */
424 CHECK(((~x
) << (64 - subrange
)) == 0);
427 void run_rand_bits(void) {
429 test_rand_bits(1, 32);
430 for (b
= 1; b
<= 32; b
++) {
431 test_rand_bits(0, b
);
435 void run_rand_int(void) {
436 static const uint32_t ms
[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
437 static const uint32_t ss
[] = {1, 3, 6, 9, 13, 31, 64};
439 for (m
= 0; m
< sizeof(ms
) / sizeof(ms
[0]); m
++) {
440 for (s
= 0; s
< sizeof(ss
) / sizeof(ss
[0]); s
++) {
441 test_rand_int(ms
[m
] * ss
[s
], ss
[s
]);
446 /***** NUM TESTS *****/
449 void random_num_negate(secp256k1_num
*num
) {
450 if (secp256k1_rand_bits(1)) {
451 secp256k1_num_negate(num
);
455 void random_num_order_test(secp256k1_num
*num
) {
457 random_scalar_order_test(&sc
);
458 secp256k1_scalar_get_num(num
, &sc
);
461 void random_num_order(secp256k1_num
*num
) {
463 random_scalar_order(&sc
);
464 secp256k1_scalar_get_num(num
, &sc
);
467 void test_num_negate(void) {
470 random_num_order_test(&n1
); /* n1 = R */
471 random_num_negate(&n1
);
472 secp256k1_num_copy(&n2
, &n1
); /* n2 = R */
473 secp256k1_num_sub(&n1
, &n2
, &n1
); /* n1 = n2-n1 = 0 */
474 CHECK(secp256k1_num_is_zero(&n1
));
475 secp256k1_num_copy(&n1
, &n2
); /* n1 = R */
476 secp256k1_num_negate(&n1
); /* n1 = -R */
477 CHECK(!secp256k1_num_is_zero(&n1
));
478 secp256k1_num_add(&n1
, &n2
, &n1
); /* n1 = n2+n1 = 0 */
479 CHECK(secp256k1_num_is_zero(&n1
));
480 secp256k1_num_copy(&n1
, &n2
); /* n1 = R */
481 secp256k1_num_negate(&n1
); /* n1 = -R */
482 CHECK(secp256k1_num_is_neg(&n1
) != secp256k1_num_is_neg(&n2
));
483 secp256k1_num_negate(&n1
); /* n1 = R */
484 CHECK(secp256k1_num_eq(&n1
, &n2
));
487 void test_num_add_sub(void) {
492 secp256k1_num n1p2
, n2p1
, n1m2
, n2m1
;
493 random_num_order_test(&n1
); /* n1 = R1 */
494 if (secp256k1_rand_bits(1)) {
495 random_num_negate(&n1
);
497 random_num_order_test(&n2
); /* n2 = R2 */
498 if (secp256k1_rand_bits(1)) {
499 random_num_negate(&n2
);
501 secp256k1_num_add(&n1p2
, &n1
, &n2
); /* n1p2 = R1 + R2 */
502 secp256k1_num_add(&n2p1
, &n2
, &n1
); /* n2p1 = R2 + R1 */
503 secp256k1_num_sub(&n1m2
, &n1
, &n2
); /* n1m2 = R1 - R2 */
504 secp256k1_num_sub(&n2m1
, &n2
, &n1
); /* n2m1 = R2 - R1 */
505 CHECK(secp256k1_num_eq(&n1p2
, &n2p1
));
506 CHECK(!secp256k1_num_eq(&n1p2
, &n1m2
));
507 secp256k1_num_negate(&n2m1
); /* n2m1 = -R2 + R1 */
508 CHECK(secp256k1_num_eq(&n2m1
, &n1m2
));
509 CHECK(!secp256k1_num_eq(&n2m1
, &n1
));
510 secp256k1_num_add(&n2m1
, &n2m1
, &n2
); /* n2m1 = -R2 + R1 + R2 = R1 */
511 CHECK(secp256k1_num_eq(&n2m1
, &n1
));
512 CHECK(!secp256k1_num_eq(&n2p1
, &n1
));
513 secp256k1_num_sub(&n2p1
, &n2p1
, &n2
); /* n2p1 = R2 + R1 - R2 = R1 */
514 CHECK(secp256k1_num_eq(&n2p1
, &n1
));
517 secp256k1_scalar_set_int(&s
, 1);
518 secp256k1_scalar_get_num(&n1
, &s
);
519 CHECK(secp256k1_num_is_one(&n1
));
520 /* check that 2^n + 1 is never 1 */
521 secp256k1_scalar_get_num(&n2
, &s
);
522 for (i
= 0; i
< 250; ++i
) {
523 secp256k1_num_add(&n1
, &n1
, &n1
); /* n1 *= 2 */
524 secp256k1_num_add(&n1p2
, &n1
, &n2
); /* n1p2 = n1 + 1 */
525 CHECK(!secp256k1_num_is_one(&n1p2
));
529 void test_num_mod(void) {
532 secp256k1_num order
, n
;
534 /* check that 0 mod anything is 0 */
535 random_scalar_order_test(&s
);
536 secp256k1_scalar_get_num(&order
, &s
);
537 secp256k1_scalar_set_int(&s
, 0);
538 secp256k1_scalar_get_num(&n
, &s
);
539 secp256k1_num_mod(&n
, &order
);
540 CHECK(secp256k1_num_is_zero(&n
));
542 /* check that anything mod 1 is 0 */
543 secp256k1_scalar_set_int(&s
, 1);
544 secp256k1_scalar_get_num(&order
, &s
);
545 secp256k1_scalar_get_num(&n
, &s
);
546 secp256k1_num_mod(&n
, &order
);
547 CHECK(secp256k1_num_is_zero(&n
));
549 /* check that increasing the number past 2^256 does not break this */
550 random_scalar_order_test(&s
);
551 secp256k1_scalar_get_num(&n
, &s
);
552 /* multiply by 2^8, which'll test this case with high probability */
553 for (i
= 0; i
< 8; ++i
) {
554 secp256k1_num_add(&n
, &n
, &n
);
556 secp256k1_num_mod(&n
, &order
);
557 CHECK(secp256k1_num_is_zero(&n
));
560 void test_num_jacobi(void) {
561 secp256k1_scalar sqr
;
562 secp256k1_scalar small
;
563 secp256k1_scalar five
; /* five is not a quadratic residue */
564 secp256k1_num order
, n
;
566 /* squares mod 5 are 1, 4 */
567 const int jacobi5
[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
569 /* check some small values with 5 as the order */
570 secp256k1_scalar_set_int(&five
, 5);
571 secp256k1_scalar_get_num(&order
, &five
);
572 for (i
= 0; i
< 10; ++i
) {
573 secp256k1_scalar_set_int(&small
, i
);
574 secp256k1_scalar_get_num(&n
, &small
);
575 CHECK(secp256k1_num_jacobi(&n
, &order
) == jacobi5
[i
]);
578 /** test large values with 5 as group order */
579 secp256k1_scalar_get_num(&order
, &five
);
580 /* we first need a scalar which is not a multiple of 5 */
583 random_scalar_order_test(&sqr
);
584 secp256k1_scalar_get_num(&fiven
, &five
);
585 secp256k1_scalar_get_num(&n
, &sqr
);
586 secp256k1_num_mod(&n
, &fiven
);
587 } while (secp256k1_num_is_zero(&n
));
588 /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
589 * just multiply by two, i.e. add the number to itself */
590 if (secp256k1_num_jacobi(&n
, &order
) == -1) {
591 secp256k1_num_add(&n
, &n
, &n
);
595 CHECK(secp256k1_num_jacobi(&n
, &order
) == 1);
596 /* test nonresidue */
597 secp256k1_num_add(&n
, &n
, &n
);
598 CHECK(secp256k1_num_jacobi(&n
, &order
) == -1);
600 /** test with secp group order as order */
601 secp256k1_scalar_order_get_num(&order
);
602 random_scalar_order_test(&sqr
);
603 secp256k1_scalar_sqr(&sqr
, &sqr
);
605 secp256k1_scalar_get_num(&n
, &sqr
);
606 CHECK(secp256k1_num_jacobi(&n
, &order
) == 1);
607 /* test nonresidue */
608 secp256k1_scalar_mul(&sqr
, &sqr
, &five
);
609 secp256k1_scalar_get_num(&n
, &sqr
);
610 CHECK(secp256k1_num_jacobi(&n
, &order
) == -1);
611 /* test multiple of the order*/
612 CHECK(secp256k1_num_jacobi(&order
, &order
) == 0);
614 /* check one less than the order */
615 secp256k1_scalar_set_int(&small
, 1);
616 secp256k1_scalar_get_num(&n
, &small
);
617 secp256k1_num_sub(&n
, &order
, &n
);
618 CHECK(secp256k1_num_jacobi(&n
, &order
) == 1); /* sage confirms this is 1 */
621 void run_num_smalltests(void) {
623 for (i
= 0; i
< 100*count
; i
++) {
632 /***** SCALAR TESTS *****/
634 void scalar_test(void) {
639 secp256k1_num snum
, s1num
, s2num
;
640 secp256k1_num order
, half_order
;
644 /* Set 's' to a random scalar, with value 'snum'. */
645 random_scalar_order_test(&s
);
647 /* Set 's1' to a random scalar, with value 's1num'. */
648 random_scalar_order_test(&s1
);
650 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
651 random_scalar_order_test(&s2
);
652 secp256k1_scalar_get_b32(c
, &s2
);
655 secp256k1_scalar_get_num(&snum
, &s
);
656 secp256k1_scalar_get_num(&s1num
, &s1
);
657 secp256k1_scalar_get_num(&s2num
, &s2
);
659 secp256k1_scalar_order_get_num(&order
);
661 secp256k1_num_shift(&half_order
, 1);
666 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
668 secp256k1_scalar_set_int(&n
, 0);
669 for (i
= 0; i
< 256; i
+= 4) {
672 secp256k1_scalar_set_int(&t
, secp256k1_scalar_get_bits(&s
, 256 - 4 - i
, 4));
673 for (j
= 0; j
< 4; j
++) {
674 secp256k1_scalar_add(&n
, &n
, &n
);
676 secp256k1_scalar_add(&n
, &n
, &t
);
678 CHECK(secp256k1_scalar_eq(&n
, &s
));
682 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
685 secp256k1_scalar_set_int(&n
, 0);
689 int now
= secp256k1_rand_int(15) + 1;
693 secp256k1_scalar_set_int(&t
, secp256k1_scalar_get_bits_var(&s
, 256 - now
- i
, now
));
694 for (j
= 0; j
< now
; j
++) {
695 secp256k1_scalar_add(&n
, &n
, &n
);
697 secp256k1_scalar_add(&n
, &n
, &t
);
700 CHECK(secp256k1_scalar_eq(&n
, &s
));
705 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
709 secp256k1_num_add(&rnum
, &snum
, &s2num
);
710 secp256k1_num_mod(&rnum
, &order
);
711 secp256k1_scalar_add(&r
, &s
, &s2
);
712 secp256k1_scalar_get_num(&r2num
, &r
);
713 CHECK(secp256k1_num_eq(&rnum
, &r2num
));
717 /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
721 secp256k1_num_mul(&rnum
, &snum
, &s2num
);
722 secp256k1_num_mod(&rnum
, &order
);
723 secp256k1_scalar_mul(&r
, &s
, &s2
);
724 secp256k1_scalar_get_num(&r2num
, &r
);
725 CHECK(secp256k1_num_eq(&rnum
, &r2num
));
726 /* The result can only be zero if at least one of the factors was zero. */
727 CHECK(secp256k1_scalar_is_zero(&r
) == (secp256k1_scalar_is_zero(&s
) || secp256k1_scalar_is_zero(&s2
)));
728 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
729 CHECK(secp256k1_num_eq(&rnum
, &snum
) == (secp256k1_scalar_is_zero(&s
) || secp256k1_scalar_is_one(&s2
)));
730 CHECK(secp256k1_num_eq(&rnum
, &s2num
) == (secp256k1_scalar_is_zero(&s2
) || secp256k1_scalar_is_one(&s
)));
734 secp256k1_scalar neg
;
735 secp256k1_num negnum
;
736 secp256k1_num negnum2
;
737 /* Check that comparison with zero matches comparison with zero on the number. */
738 CHECK(secp256k1_num_is_zero(&snum
) == secp256k1_scalar_is_zero(&s
));
739 /* Check that comparison with the half order is equal to testing for high scalar. */
740 CHECK(secp256k1_scalar_is_high(&s
) == (secp256k1_num_cmp(&snum
, &half_order
) > 0));
741 secp256k1_scalar_negate(&neg
, &s
);
742 secp256k1_num_sub(&negnum
, &order
, &snum
);
743 secp256k1_num_mod(&negnum
, &order
);
744 /* Check that comparison with the half order is equal to testing for high scalar after negation. */
745 CHECK(secp256k1_scalar_is_high(&neg
) == (secp256k1_num_cmp(&negnum
, &half_order
) > 0));
746 /* Negating should change the high property, unless the value was already zero. */
747 CHECK((secp256k1_scalar_is_high(&s
) == secp256k1_scalar_is_high(&neg
)) == secp256k1_scalar_is_zero(&s
));
748 secp256k1_scalar_get_num(&negnum2
, &neg
);
749 /* Negating a scalar should be equal to (order - n) mod order on the number. */
750 CHECK(secp256k1_num_eq(&negnum
, &negnum2
));
751 secp256k1_scalar_add(&neg
, &neg
, &s
);
752 /* Adding a number to its negation should result in zero. */
753 CHECK(secp256k1_scalar_is_zero(&neg
));
754 secp256k1_scalar_negate(&neg
, &neg
);
755 /* Negating zero should still result in zero. */
756 CHECK(secp256k1_scalar_is_zero(&neg
));
760 /* Test secp256k1_scalar_mul_shift_var. */
765 unsigned char cone
[1] = {0x01};
766 unsigned int shift
= 256 + secp256k1_rand_int(257);
767 secp256k1_scalar_mul_shift_var(&r
, &s1
, &s2
, shift
);
768 secp256k1_num_mul(&rnum
, &s1num
, &s2num
);
769 secp256k1_num_shift(&rnum
, shift
- 1);
770 secp256k1_num_set_bin(&one
, cone
, 1);
771 secp256k1_num_add(&rnum
, &rnum
, &one
);
772 secp256k1_num_shift(&rnum
, 1);
773 secp256k1_scalar_get_num(&rnum2
, &r
);
774 CHECK(secp256k1_num_eq(&rnum
, &rnum2
));
778 /* test secp256k1_scalar_shr_int */
781 random_scalar_order_test(&r
);
782 for (i
= 0; i
< 100; ++i
) {
784 int shift
= 1 + secp256k1_rand_int(15);
785 int expected
= r
.d
[0] % (1 << shift
);
786 low
= secp256k1_scalar_shr_int(&r
, shift
);
787 CHECK(expected
== low
);
793 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
794 if (!secp256k1_scalar_is_zero(&s
)) {
795 secp256k1_scalar inv
;
797 secp256k1_num invnum
;
798 secp256k1_num invnum2
;
800 secp256k1_scalar_inverse(&inv
, &s
);
802 secp256k1_num_mod_inverse(&invnum
, &snum
, &order
);
803 secp256k1_scalar_get_num(&invnum2
, &inv
);
804 CHECK(secp256k1_num_eq(&invnum
, &invnum2
));
806 secp256k1_scalar_mul(&inv
, &inv
, &s
);
807 /* Multiplying a scalar with its inverse must result in one. */
808 CHECK(secp256k1_scalar_is_one(&inv
));
809 secp256k1_scalar_inverse(&inv
, &inv
);
810 /* Inverting one must result in one. */
811 CHECK(secp256k1_scalar_is_one(&inv
));
813 secp256k1_scalar_get_num(&invnum
, &inv
);
814 CHECK(secp256k1_num_is_one(&invnum
));
820 /* Test commutativity of add. */
821 secp256k1_scalar r1
, r2
;
822 secp256k1_scalar_add(&r1
, &s1
, &s2
);
823 secp256k1_scalar_add(&r2
, &s2
, &s1
);
824 CHECK(secp256k1_scalar_eq(&r1
, &r2
));
828 secp256k1_scalar r1
, r2
;
832 int bit
= secp256k1_rand_bits(8);
833 secp256k1_scalar_set_int(&b
, 1);
834 CHECK(secp256k1_scalar_is_one(&b
));
835 for (i
= 0; i
< bit
; i
++) {
836 secp256k1_scalar_add(&b
, &b
, &b
);
840 if (!secp256k1_scalar_add(&r1
, &r1
, &b
)) {
841 /* No overflow happened. */
842 secp256k1_scalar_cadd_bit(&r2
, bit
, 1);
843 CHECK(secp256k1_scalar_eq(&r1
, &r2
));
844 /* cadd is a noop when flag is zero */
845 secp256k1_scalar_cadd_bit(&r2
, bit
, 0);
846 CHECK(secp256k1_scalar_eq(&r1
, &r2
));
851 /* Test commutativity of mul. */
852 secp256k1_scalar r1
, r2
;
853 secp256k1_scalar_mul(&r1
, &s1
, &s2
);
854 secp256k1_scalar_mul(&r2
, &s2
, &s1
);
855 CHECK(secp256k1_scalar_eq(&r1
, &r2
));
859 /* Test associativity of add. */
860 secp256k1_scalar r1
, r2
;
861 secp256k1_scalar_add(&r1
, &s1
, &s2
);
862 secp256k1_scalar_add(&r1
, &r1
, &s
);
863 secp256k1_scalar_add(&r2
, &s2
, &s
);
864 secp256k1_scalar_add(&r2
, &s1
, &r2
);
865 CHECK(secp256k1_scalar_eq(&r1
, &r2
));
869 /* Test associativity of mul. */
870 secp256k1_scalar r1
, r2
;
871 secp256k1_scalar_mul(&r1
, &s1
, &s2
);
872 secp256k1_scalar_mul(&r1
, &r1
, &s
);
873 secp256k1_scalar_mul(&r2
, &s2
, &s
);
874 secp256k1_scalar_mul(&r2
, &s1
, &r2
);
875 CHECK(secp256k1_scalar_eq(&r1
, &r2
));
879 /* Test distributitivity of mul over add. */
880 secp256k1_scalar r1
, r2
, t
;
881 secp256k1_scalar_add(&r1
, &s1
, &s2
);
882 secp256k1_scalar_mul(&r1
, &r1
, &s
);
883 secp256k1_scalar_mul(&r2
, &s1
, &s
);
884 secp256k1_scalar_mul(&t
, &s2
, &s
);
885 secp256k1_scalar_add(&r2
, &r2
, &t
);
886 CHECK(secp256k1_scalar_eq(&r1
, &r2
));
891 secp256k1_scalar r1
, r2
;
892 secp256k1_scalar_sqr(&r1
, &s1
);
893 secp256k1_scalar_mul(&r2
, &s1
, &s1
);
894 CHECK(secp256k1_scalar_eq(&r1
, &r2
));
898 /* Test multiplicative identity. */
899 secp256k1_scalar r1
, v1
;
900 secp256k1_scalar_set_int(&v1
,1);
901 secp256k1_scalar_mul(&r1
, &s1
, &v1
);
902 CHECK(secp256k1_scalar_eq(&r1
, &s1
));
906 /* Test additive identity. */
907 secp256k1_scalar r1
, v0
;
908 secp256k1_scalar_set_int(&v0
,0);
909 secp256k1_scalar_add(&r1
, &s1
, &v0
);
910 CHECK(secp256k1_scalar_eq(&r1
, &s1
));
914 /* Test zero product property. */
915 secp256k1_scalar r1
, v0
;
916 secp256k1_scalar_set_int(&v0
,0);
917 secp256k1_scalar_mul(&r1
, &s1
, &v0
);
918 CHECK(secp256k1_scalar_eq(&r1
, &v0
));
923 void run_scalar_tests(void) {
925 for (i
= 0; i
< 128 * count
; i
++) {
930 /* (-1)+1 should be zero. */
931 secp256k1_scalar s
, o
;
932 secp256k1_scalar_set_int(&s
, 1);
933 CHECK(secp256k1_scalar_is_one(&s
));
934 secp256k1_scalar_negate(&o
, &s
);
935 secp256k1_scalar_add(&o
, &o
, &s
);
936 CHECK(secp256k1_scalar_is_zero(&o
));
937 secp256k1_scalar_negate(&o
, &o
);
938 CHECK(secp256k1_scalar_is_zero(&o
));
943 /* A scalar with value of the curve order should be 0. */
945 secp256k1_scalar zero
;
946 unsigned char bin
[32];
948 secp256k1_scalar_order_get_num(&order
);
949 secp256k1_num_get_bin(bin
, 32, &order
);
950 secp256k1_scalar_set_b32(&zero
, bin
, &overflow
);
951 CHECK(overflow
== 1);
952 CHECK(secp256k1_scalar_is_zero(&zero
));
957 /* Does check_overflow check catch all ones? */
958 static const secp256k1_scalar overflowed
= SECP256K1_SCALAR_CONST(
959 0xFFFFFFFFUL
, 0xFFFFFFFFUL
, 0xFFFFFFFFUL
, 0xFFFFFFFFUL
,
960 0xFFFFFFFFUL
, 0xFFFFFFFFUL
, 0xFFFFFFFFUL
, 0xFFFFFFFFUL
962 CHECK(secp256k1_scalar_check_overflow(&overflowed
));
966 /* Static test vectors.
967 * These were reduced from ~10^12 random vectors based on comparison-decision
968 * and edge-case coverage on 32-bit and 64-bit implementations.
969 * The responses were generated with Sage 5.9.
975 secp256k1_scalar one
;
978 #if defined(USE_SCALAR_INV_NUM)
979 secp256k1_scalar zzv
;
982 unsigned char chal
[33][2][32] = {
983 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
984 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
985 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
986 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
987 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
988 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
989 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
990 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
991 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
992 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
993 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
994 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
995 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
996 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
997 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
998 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
999 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1000 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1001 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1002 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1003 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1004 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1005 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1006 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1007 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1008 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1009 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1010 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1011 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1012 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1013 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1014 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1015 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1016 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1017 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1018 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1019 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1020 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1021 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1022 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1023 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1024 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1025 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1026 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1027 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1028 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1029 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1030 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1031 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1032 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1033 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1034 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1035 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1036 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1037 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1038 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1039 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1040 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1041 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1042 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1043 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1044 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1045 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1046 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1047 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1048 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1049 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1050 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1051 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1052 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1053 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1054 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1055 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1056 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1057 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1058 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1059 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1060 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1061 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1062 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1063 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1064 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1065 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1066 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1067 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1068 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1069 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1070 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1071 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1072 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1073 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1074 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1075 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1076 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1077 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1078 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1079 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1080 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1081 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1082 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1083 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1084 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1085 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1086 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1087 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1088 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1089 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1090 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1091 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1092 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1093 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1094 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1095 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1096 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1097 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1098 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1099 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1100 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1101 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1102 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1103 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1104 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1105 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1106 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1107 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1108 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1109 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1110 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1111 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1112 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1113 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1114 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1115 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1116 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1117 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1118 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1119 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1120 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1121 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1122 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1123 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1124 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1125 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1126 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1127 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1128 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1129 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1130 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1131 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1132 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1133 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1134 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1135 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1136 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1137 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1138 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1139 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1140 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1141 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1142 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1143 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1144 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1145 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1146 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1147 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1148 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1149 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1150 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1151 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1152 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1153 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1154 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1155 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1156 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1157 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1158 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1159 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1160 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1161 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1162 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1163 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1164 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1165 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1166 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1167 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1168 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1169 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1170 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1171 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1172 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1173 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1174 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1175 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1176 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1177 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1178 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1179 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1180 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1181 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1182 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1183 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1184 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1185 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1186 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1187 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1188 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1189 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1190 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1191 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1192 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1193 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1194 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1195 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1196 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1197 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1198 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1199 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1200 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1201 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1202 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1203 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1204 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1205 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1206 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1207 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1208 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1209 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1210 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1211 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1212 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1213 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1214 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1215 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1216 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1217 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1218 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1219 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1220 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1221 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1222 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1223 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1224 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1225 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1226 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1227 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1228 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1229 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1230 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1231 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1232 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1233 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1234 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1235 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1236 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1237 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1238 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1239 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1240 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1241 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1242 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1243 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1244 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1245 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1246 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
1248 unsigned char res
[33][2][32] = {
1249 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1250 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1251 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1252 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1253 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1254 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1255 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1256 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1257 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1258 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1259 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1260 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1261 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1262 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1263 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1264 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1265 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1266 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1267 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1268 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1269 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1270 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1271 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1272 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1273 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1274 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1275 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1276 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1277 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1278 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1279 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1280 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1281 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1282 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1283 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1284 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1285 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1286 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1287 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1288 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1289 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1290 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1291 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1292 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1293 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1294 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1295 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1296 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1297 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1298 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1299 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1300 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1301 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1302 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1303 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1304 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1305 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1306 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1307 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1308 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1309 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1310 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1311 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1312 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1313 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1314 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1315 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1316 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1317 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1318 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1319 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1320 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1321 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1322 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1323 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1324 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1325 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1326 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1327 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1328 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1329 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1330 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1331 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1332 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1333 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1334 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1335 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1336 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1337 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1338 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1339 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1340 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1341 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1342 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1343 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1344 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1345 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1346 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1347 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1348 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1349 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1350 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1351 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1352 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1353 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1354 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1355 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1356 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1357 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1358 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1359 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1360 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1361 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1362 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1363 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1364 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1365 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1366 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1367 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1368 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1369 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1370 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1371 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1372 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1373 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1374 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1375 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1376 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1377 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1378 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1379 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1380 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1381 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1382 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1383 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1384 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1385 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1386 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1387 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1388 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1389 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1390 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1391 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1392 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1393 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1394 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1395 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1396 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1397 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1398 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1399 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1400 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1401 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1402 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1403 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1404 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1405 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1406 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1407 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1408 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1409 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1410 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1411 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1412 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1413 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1414 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1415 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1416 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1417 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1418 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1419 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1420 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1421 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1422 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1423 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1424 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1425 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1426 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1427 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1428 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1429 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1430 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1431 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1432 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1433 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1434 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1435 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1436 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1437 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1438 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1439 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1440 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1441 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1442 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1443 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1444 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1445 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1446 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1447 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1448 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1449 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1450 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1451 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1452 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1453 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1454 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1455 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1456 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1457 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1458 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1459 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1460 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1461 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1462 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1463 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1464 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1465 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1466 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1467 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1468 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1469 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1470 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1471 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1472 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1473 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1474 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1475 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1476 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1477 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1478 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1479 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1480 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1481 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1482 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1483 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1484 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1485 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1486 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1487 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1488 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1489 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1490 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1491 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1492 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1493 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1494 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1495 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1496 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1497 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1498 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1499 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1500 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1501 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1502 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1503 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
1504 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1505 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1506 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1507 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1508 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1509 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1510 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1511 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1512 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
1514 secp256k1_scalar_set_int(&one
, 1);
1515 for (i
= 0; i
< 33; i
++) {
1516 secp256k1_scalar_set_b32(&x
, chal
[i
][0], &overflow
);
1518 secp256k1_scalar_set_b32(&y
, chal
[i
][1], &overflow
);
1520 secp256k1_scalar_set_b32(&r1
, res
[i
][0], &overflow
);
1522 secp256k1_scalar_set_b32(&r2
, res
[i
][1], &overflow
);
1524 secp256k1_scalar_mul(&z
, &x
, &y
);
1525 CHECK(!secp256k1_scalar_check_overflow(&z
));
1526 CHECK(secp256k1_scalar_eq(&r1
, &z
));
1527 if (!secp256k1_scalar_is_zero(&y
)) {
1528 secp256k1_scalar_inverse(&zz
, &y
);
1529 CHECK(!secp256k1_scalar_check_overflow(&zz
));
1530 #if defined(USE_SCALAR_INV_NUM)
1531 secp256k1_scalar_inverse_var(&zzv
, &y
);
1532 CHECK(secp256k1_scalar_eq(&zzv
, &zz
));
1534 secp256k1_scalar_mul(&z
, &z
, &zz
);
1535 CHECK(!secp256k1_scalar_check_overflow(&z
));
1536 CHECK(secp256k1_scalar_eq(&x
, &z
));
1537 secp256k1_scalar_mul(&zz
, &zz
, &y
);
1538 CHECK(!secp256k1_scalar_check_overflow(&zz
));
1539 CHECK(secp256k1_scalar_eq(&one
, &zz
));
1541 secp256k1_scalar_mul(&z
, &x
, &x
);
1542 CHECK(!secp256k1_scalar_check_overflow(&z
));
1543 secp256k1_scalar_sqr(&zz
, &x
);
1544 CHECK(!secp256k1_scalar_check_overflow(&zz
));
1545 CHECK(secp256k1_scalar_eq(&zz
, &z
));
1546 CHECK(secp256k1_scalar_eq(&r2
, &zz
));
1551 /***** FIELD TESTS *****/
1553 void random_fe(secp256k1_fe
*x
) {
1554 unsigned char bin
[32];
1556 secp256k1_rand256(bin
);
1557 if (secp256k1_fe_set_b32(x
, bin
)) {
1563 void random_fe_test(secp256k1_fe
*x
) {
1564 unsigned char bin
[32];
1566 secp256k1_rand256_test(bin
);
1567 if (secp256k1_fe_set_b32(x
, bin
)) {
1573 void random_fe_non_zero(secp256k1_fe
*nz
) {
1575 while (--tries
>= 0) {
1577 secp256k1_fe_normalize(nz
);
1578 if (!secp256k1_fe_is_zero(nz
)) {
1582 /* Infinitesimal probability of spurious failure here */
1586 void random_fe_non_square(secp256k1_fe
*ns
) {
1588 random_fe_non_zero(ns
);
1589 if (secp256k1_fe_sqrt(&r
, ns
)) {
1590 secp256k1_fe_negate(ns
, ns
, 1);
1594 int check_fe_equal(const secp256k1_fe
*a
, const secp256k1_fe
*b
) {
1595 secp256k1_fe an
= *a
;
1596 secp256k1_fe bn
= *b
;
1597 secp256k1_fe_normalize_weak(&an
);
1598 secp256k1_fe_normalize_var(&bn
);
1599 return secp256k1_fe_equal_var(&an
, &bn
);
1602 int check_fe_inverse(const secp256k1_fe
*a
, const secp256k1_fe
*ai
) {
1604 secp256k1_fe one
= SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
1605 secp256k1_fe_mul(&x
, a
, ai
);
1606 return check_fe_equal(&x
, &one
);
1609 void run_field_convert(void) {
1610 static const unsigned char b32
[32] = {
1611 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1612 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1613 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1614 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1616 static const secp256k1_fe_storage fes
= SECP256K1_FE_STORAGE_CONST(
1617 0x00010203UL
, 0x04050607UL
, 0x11121314UL
, 0x15161718UL
,
1618 0x22232425UL
, 0x26272829UL
, 0x33343536UL
, 0x37383940UL
1620 static const secp256k1_fe fe
= SECP256K1_FE_CONST(
1621 0x00010203UL
, 0x04050607UL
, 0x11121314UL
, 0x15161718UL
,
1622 0x22232425UL
, 0x26272829UL
, 0x33343536UL
, 0x37383940UL
1625 unsigned char b322
[32];
1626 secp256k1_fe_storage fes2
;
1627 /* Check conversions to fe. */
1628 CHECK(secp256k1_fe_set_b32(&fe2
, b32
));
1629 CHECK(secp256k1_fe_equal_var(&fe
, &fe2
));
1630 secp256k1_fe_from_storage(&fe2
, &fes
);
1631 CHECK(secp256k1_fe_equal_var(&fe
, &fe2
));
1632 /* Check conversion from fe. */
1633 secp256k1_fe_get_b32(b322
, &fe
);
1634 CHECK(memcmp(b322
, b32
, 32) == 0);
1635 secp256k1_fe_to_storage(&fes2
, &fe
);
1636 CHECK(memcmp(&fes2
, &fes
, sizeof(fes
)) == 0);
1639 int fe_memcmp(const secp256k1_fe
*a
, const secp256k1_fe
*b
) {
1640 secp256k1_fe t
= *b
;
1642 t
.magnitude
= a
->magnitude
;
1643 t
.normalized
= a
->normalized
;
1645 return memcmp(a
, &t
, sizeof(secp256k1_fe
));
1648 void run_field_misc(void) {
1653 secp256k1_fe fe5
= SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
1655 for (i
= 0; i
< 5*count
; i
++) {
1656 secp256k1_fe_storage xs
, ys
, zs
;
1658 random_fe_non_zero(&y
);
1659 /* Test the fe equality and comparison operations. */
1660 CHECK(secp256k1_fe_cmp_var(&x
, &x
) == 0);
1661 CHECK(secp256k1_fe_equal_var(&x
, &x
));
1663 secp256k1_fe_add(&z
,&y
);
1664 /* Test fe conditional move; z is not normalized here. */
1666 secp256k1_fe_cmov(&x
, &z
, 0);
1667 VERIFY_CHECK(!x
.normalized
&& x
.magnitude
== z
.magnitude
);
1668 secp256k1_fe_cmov(&x
, &x
, 1);
1669 CHECK(fe_memcmp(&x
, &z
) != 0);
1670 CHECK(fe_memcmp(&x
, &q
) == 0);
1671 secp256k1_fe_cmov(&q
, &z
, 1);
1672 VERIFY_CHECK(!q
.normalized
&& q
.magnitude
== z
.magnitude
);
1673 CHECK(fe_memcmp(&q
, &z
) == 0);
1674 secp256k1_fe_normalize_var(&x
);
1675 secp256k1_fe_normalize_var(&z
);
1676 CHECK(!secp256k1_fe_equal_var(&x
, &z
));
1677 secp256k1_fe_normalize_var(&q
);
1678 secp256k1_fe_cmov(&q
, &z
, (i
&1));
1679 VERIFY_CHECK(q
.normalized
&& q
.magnitude
== 1);
1680 for (j
= 0; j
< 6; j
++) {
1681 secp256k1_fe_negate(&z
, &z
, j
+1);
1682 secp256k1_fe_normalize_var(&q
);
1683 secp256k1_fe_cmov(&q
, &z
, (j
&1));
1684 VERIFY_CHECK(!q
.normalized
&& q
.magnitude
== (j
+2));
1686 secp256k1_fe_normalize_var(&z
);
1687 /* Test storage conversion and conditional moves. */
1688 secp256k1_fe_to_storage(&xs
, &x
);
1689 secp256k1_fe_to_storage(&ys
, &y
);
1690 secp256k1_fe_to_storage(&zs
, &z
);
1691 secp256k1_fe_storage_cmov(&zs
, &xs
, 0);
1692 secp256k1_fe_storage_cmov(&zs
, &zs
, 1);
1693 CHECK(memcmp(&xs
, &zs
, sizeof(xs
)) != 0);
1694 secp256k1_fe_storage_cmov(&ys
, &xs
, 1);
1695 CHECK(memcmp(&xs
, &ys
, sizeof(xs
)) == 0);
1696 secp256k1_fe_from_storage(&x
, &xs
);
1697 secp256k1_fe_from_storage(&y
, &ys
);
1698 secp256k1_fe_from_storage(&z
, &zs
);
1699 /* Test that mul_int, mul, and add agree. */
1700 secp256k1_fe_add(&y
, &x
);
1701 secp256k1_fe_add(&y
, &x
);
1703 secp256k1_fe_mul_int(&z
, 3);
1704 CHECK(check_fe_equal(&y
, &z
));
1705 secp256k1_fe_add(&y
, &x
);
1706 secp256k1_fe_add(&z
, &x
);
1707 CHECK(check_fe_equal(&z
, &y
));
1709 secp256k1_fe_mul_int(&z
, 5);
1710 secp256k1_fe_mul(&q
, &x
, &fe5
);
1711 CHECK(check_fe_equal(&z
, &q
));
1712 secp256k1_fe_negate(&x
, &x
, 1);
1713 secp256k1_fe_add(&z
, &x
);
1714 secp256k1_fe_add(&q
, &x
);
1715 CHECK(check_fe_equal(&y
, &z
));
1716 CHECK(check_fe_equal(&q
, &y
));
1720 void run_field_inv(void) {
1721 secp256k1_fe x
, xi
, xii
;
1723 for (i
= 0; i
< 10*count
; i
++) {
1724 random_fe_non_zero(&x
);
1725 secp256k1_fe_inv(&xi
, &x
);
1726 CHECK(check_fe_inverse(&x
, &xi
));
1727 secp256k1_fe_inv(&xii
, &xi
);
1728 CHECK(check_fe_equal(&x
, &xii
));
1732 void run_field_inv_var(void) {
1733 secp256k1_fe x
, xi
, xii
;
1735 for (i
= 0; i
< 10*count
; i
++) {
1736 random_fe_non_zero(&x
);
1737 secp256k1_fe_inv_var(&xi
, &x
);
1738 CHECK(check_fe_inverse(&x
, &xi
));
1739 secp256k1_fe_inv_var(&xii
, &xi
);
1740 CHECK(check_fe_equal(&x
, &xii
));
1744 void run_field_inv_all_var(void) {
1745 secp256k1_fe x
[16], xi
[16], xii
[16];
1747 /* Check it's safe to call for 0 elements */
1748 secp256k1_fe_inv_all_var(xi
, x
, 0);
1749 for (i
= 0; i
< count
; i
++) {
1751 size_t len
= secp256k1_rand_int(15) + 1;
1752 for (j
= 0; j
< len
; j
++) {
1753 random_fe_non_zero(&x
[j
]);
1755 secp256k1_fe_inv_all_var(xi
, x
, len
);
1756 for (j
= 0; j
< len
; j
++) {
1757 CHECK(check_fe_inverse(&x
[j
], &xi
[j
]));
1759 secp256k1_fe_inv_all_var(xii
, xi
, len
);
1760 for (j
= 0; j
< len
; j
++) {
1761 CHECK(check_fe_equal(&x
[j
], &xii
[j
]));
1766 void run_sqr(void) {
1771 secp256k1_fe_set_int(&x
, 1);
1772 secp256k1_fe_negate(&x
, &x
, 1);
1774 for (i
= 1; i
<= 512; ++i
) {
1775 secp256k1_fe_mul_int(&x
, 2);
1776 secp256k1_fe_normalize(&x
);
1777 secp256k1_fe_sqr(&s
, &x
);
1782 void test_sqrt(const secp256k1_fe
*a
, const secp256k1_fe
*k
) {
1783 secp256k1_fe r1
, r2
;
1784 int v
= secp256k1_fe_sqrt(&r1
, a
);
1785 CHECK((v
== 0) == (k
== NULL
));
1788 /* Check that the returned root is +/- the given known answer */
1789 secp256k1_fe_negate(&r2
, &r1
, 1);
1790 secp256k1_fe_add(&r1
, k
); secp256k1_fe_add(&r2
, k
);
1791 secp256k1_fe_normalize(&r1
); secp256k1_fe_normalize(&r2
);
1792 CHECK(secp256k1_fe_is_zero(&r1
) || secp256k1_fe_is_zero(&r2
));
1796 void run_sqrt(void) {
1797 secp256k1_fe ns
, x
, s
, t
;
1800 /* Check sqrt(0) is 0 */
1801 secp256k1_fe_set_int(&x
, 0);
1802 secp256k1_fe_sqr(&s
, &x
);
1805 /* Check sqrt of small squares (and their negatives) */
1806 for (i
= 1; i
<= 100; i
++) {
1807 secp256k1_fe_set_int(&x
, i
);
1808 secp256k1_fe_sqr(&s
, &x
);
1810 secp256k1_fe_negate(&t
, &s
, 1);
1811 test_sqrt(&t
, NULL
);
1814 /* Consistency checks for large random values */
1815 for (i
= 0; i
< 10; i
++) {
1817 random_fe_non_square(&ns
);
1818 for (j
= 0; j
< count
; j
++) {
1820 secp256k1_fe_sqr(&s
, &x
);
1822 secp256k1_fe_negate(&t
, &s
, 1);
1823 test_sqrt(&t
, NULL
);
1824 secp256k1_fe_mul(&t
, &s
, &ns
);
1825 test_sqrt(&t
, NULL
);
1830 /***** GROUP TESTS *****/
1832 void ge_equals_ge(const secp256k1_ge
*a
, const secp256k1_ge
*b
) {
1833 CHECK(a
->infinity
== b
->infinity
);
1837 CHECK(secp256k1_fe_equal_var(&a
->x
, &b
->x
));
1838 CHECK(secp256k1_fe_equal_var(&a
->y
, &b
->y
));
1841 /* This compares jacobian points including their Z, not just their geometric meaning. */
1842 int gej_xyz_equals_gej(const secp256k1_gej
*a
, const secp256k1_gej
*b
) {
1846 ret
&= a
->infinity
== b
->infinity
;
1847 if (ret
&& !a
->infinity
) {
1850 secp256k1_fe_normalize(&a2
.x
);
1851 secp256k1_fe_normalize(&a2
.y
);
1852 secp256k1_fe_normalize(&a2
.z
);
1853 secp256k1_fe_normalize(&b2
.x
);
1854 secp256k1_fe_normalize(&b2
.y
);
1855 secp256k1_fe_normalize(&b2
.z
);
1856 ret
&= secp256k1_fe_cmp_var(&a2
.x
, &b2
.x
) == 0;
1857 ret
&= secp256k1_fe_cmp_var(&a2
.y
, &b2
.y
) == 0;
1858 ret
&= secp256k1_fe_cmp_var(&a2
.z
, &b2
.z
) == 0;
1863 void ge_equals_gej(const secp256k1_ge
*a
, const secp256k1_gej
*b
) {
1865 secp256k1_fe u1
, u2
, s1
, s2
;
1866 CHECK(a
->infinity
== b
->infinity
);
1870 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
1871 secp256k1_fe_sqr(&z2s
, &b
->z
);
1872 secp256k1_fe_mul(&u1
, &a
->x
, &z2s
);
1873 u2
= b
->x
; secp256k1_fe_normalize_weak(&u2
);
1874 secp256k1_fe_mul(&s1
, &a
->y
, &z2s
); secp256k1_fe_mul(&s1
, &s1
, &b
->z
);
1875 s2
= b
->y
; secp256k1_fe_normalize_weak(&s2
);
1876 CHECK(secp256k1_fe_equal_var(&u1
, &u2
));
1877 CHECK(secp256k1_fe_equal_var(&s1
, &s2
));
1880 void test_ge(void) {
1882 #ifdef USE_ENDOMORPHISM
1887 /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
1888 * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
1889 * All magnitudes are randomized.
1890 * All 17*17 combinations of points are added to each other, using all applicable methods.
1892 * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well.
1894 secp256k1_ge
*ge
= (secp256k1_ge
*)checked_malloc(&ctx
->error_callback
, sizeof(secp256k1_ge
) * (1 + 4 * runs
));
1895 secp256k1_gej
*gej
= (secp256k1_gej
*)checked_malloc(&ctx
->error_callback
, sizeof(secp256k1_gej
) * (1 + 4 * runs
));
1896 secp256k1_fe
*zinv
= (secp256k1_fe
*)checked_malloc(&ctx
->error_callback
, sizeof(secp256k1_fe
) * (1 + 4 * runs
));
1898 secp256k1_fe zfi2
, zfi3
;
1900 secp256k1_gej_set_infinity(&gej
[0]);
1901 secp256k1_ge_clear(&ge
[0]);
1902 secp256k1_ge_set_gej_var(&ge
[0], &gej
[0]);
1903 for (i
= 0; i
< runs
; i
++) {
1906 random_group_element_test(&g
);
1907 #ifdef USE_ENDOMORPHISM
1908 if (i
>= runs
- 2) {
1909 secp256k1_ge_mul_lambda(&g
, &ge
[1]);
1911 if (i
>= runs
- 1) {
1912 secp256k1_ge_mul_lambda(&g
, &g
);
1917 secp256k1_ge_neg(&ge
[3 + 4 * i
], &g
);
1918 secp256k1_ge_neg(&ge
[4 + 4 * i
], &g
);
1919 secp256k1_gej_set_ge(&gej
[1 + 4 * i
], &ge
[1 + 4 * i
]);
1920 random_group_element_jacobian_test(&gej
[2 + 4 * i
], &ge
[2 + 4 * i
]);
1921 secp256k1_gej_set_ge(&gej
[3 + 4 * i
], &ge
[3 + 4 * i
]);
1922 random_group_element_jacobian_test(&gej
[4 + 4 * i
], &ge
[4 + 4 * i
]);
1923 for (j
= 0; j
< 4; j
++) {
1924 random_field_element_magnitude(&ge
[1 + j
+ 4 * i
].x
);
1925 random_field_element_magnitude(&ge
[1 + j
+ 4 * i
].y
);
1926 random_field_element_magnitude(&gej
[1 + j
+ 4 * i
].x
);
1927 random_field_element_magnitude(&gej
[1 + j
+ 4 * i
].y
);
1928 random_field_element_magnitude(&gej
[1 + j
+ 4 * i
].z
);
1932 /* Compute z inverses. */
1934 secp256k1_fe
*zs
= checked_malloc(&ctx
->error_callback
, sizeof(secp256k1_fe
) * (1 + 4 * runs
));
1935 for (i
= 0; i
< 4 * runs
+ 1; i
++) {
1937 /* The point at infinity does not have a meaningful z inverse. Any should do. */
1939 random_field_element_test(&zs
[i
]);
1940 } while(secp256k1_fe_is_zero(&zs
[i
]));
1945 secp256k1_fe_inv_all_var(zinv
, zs
, 4 * runs
+ 1);
1949 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
1951 random_field_element_test(&zf
);
1952 } while(secp256k1_fe_is_zero(&zf
));
1953 random_field_element_magnitude(&zf
);
1954 secp256k1_fe_inv_var(&zfi3
, &zf
);
1955 secp256k1_fe_sqr(&zfi2
, &zfi3
);
1956 secp256k1_fe_mul(&zfi3
, &zfi3
, &zfi2
);
1958 for (i1
= 0; i1
< 1 + 4 * runs
; i1
++) {
1960 for (i2
= 0; i2
< 1 + 4 * runs
; i2
++) {
1961 /* Compute reference result using gej + gej (var). */
1962 secp256k1_gej refj
, resj
;
1965 secp256k1_gej_add_var(&refj
, &gej
[i1
], &gej
[i2
], secp256k1_gej_is_infinity(&gej
[i1
]) ? NULL
: &zr
);
1966 /* Check Z ratio. */
1967 if (!secp256k1_gej_is_infinity(&gej
[i1
]) && !secp256k1_gej_is_infinity(&refj
)) {
1968 secp256k1_fe zrz
; secp256k1_fe_mul(&zrz
, &zr
, &gej
[i1
].z
);
1969 CHECK(secp256k1_fe_equal_var(&zrz
, &refj
.z
));
1971 secp256k1_ge_set_gej_var(&ref
, &refj
);
1973 /* Test gej + ge with Z ratio result (var). */
1974 secp256k1_gej_add_ge_var(&resj
, &gej
[i1
], &ge
[i2
], secp256k1_gej_is_infinity(&gej
[i1
]) ? NULL
: &zr
);
1975 ge_equals_gej(&ref
, &resj
);
1976 if (!secp256k1_gej_is_infinity(&gej
[i1
]) && !secp256k1_gej_is_infinity(&resj
)) {
1977 secp256k1_fe zrz
; secp256k1_fe_mul(&zrz
, &zr
, &gej
[i1
].z
);
1978 CHECK(secp256k1_fe_equal_var(&zrz
, &resj
.z
));
1981 /* Test gej + ge (var, with additional Z factor). */
1983 secp256k1_ge ge2_zfi
= ge
[i2
]; /* the second term with x and y rescaled for z = 1/zf */
1984 secp256k1_fe_mul(&ge2_zfi
.x
, &ge2_zfi
.x
, &zfi2
);
1985 secp256k1_fe_mul(&ge2_zfi
.y
, &ge2_zfi
.y
, &zfi3
);
1986 random_field_element_magnitude(&ge2_zfi
.x
);
1987 random_field_element_magnitude(&ge2_zfi
.y
);
1988 secp256k1_gej_add_zinv_var(&resj
, &gej
[i1
], &ge2_zfi
, &zf
);
1989 ge_equals_gej(&ref
, &resj
);
1992 /* Test gej + ge (const). */
1994 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
1995 secp256k1_gej_add_ge(&resj
, &gej
[i1
], &ge
[i2
]);
1996 ge_equals_gej(&ref
, &resj
);
1999 /* Test doubling (var). */
2000 if ((i1
== 0 && i2
== 0) || ((i1
+ 3)/4 == (i2
+ 3)/4 && ((i1
+ 3)%4)/2 == ((i2
+ 3)%4)/2)) {
2002 /* Normal doubling with Z ratio result. */
2003 secp256k1_gej_double_var(&resj
, &gej
[i1
], &zr2
);
2004 ge_equals_gej(&ref
, &resj
);
2005 /* Check Z ratio. */
2006 secp256k1_fe_mul(&zr2
, &zr2
, &gej
[i1
].z
);
2007 CHECK(secp256k1_fe_equal_var(&zr2
, &resj
.z
));
2008 /* Normal doubling. */
2009 secp256k1_gej_double_var(&resj
, &gej
[i2
], NULL
);
2010 ge_equals_gej(&ref
, &resj
);
2013 /* Test adding opposites. */
2014 if ((i1
== 0 && i2
== 0) || ((i1
+ 3)/4 == (i2
+ 3)/4 && ((i1
+ 3)%4)/2 != ((i2
+ 3)%4)/2)) {
2015 CHECK(secp256k1_ge_is_infinity(&ref
));
2018 /* Test adding infinity. */
2020 CHECK(secp256k1_ge_is_infinity(&ge
[i1
]));
2021 CHECK(secp256k1_gej_is_infinity(&gej
[i1
]));
2022 ge_equals_gej(&ref
, &gej
[i2
]);
2025 CHECK(secp256k1_ge_is_infinity(&ge
[i2
]));
2026 CHECK(secp256k1_gej_is_infinity(&gej
[i2
]));
2027 ge_equals_gej(&ref
, &gej
[i1
]);
2032 /* Test adding all points together in random order equals infinity. */
2034 secp256k1_gej sum
= SECP256K1_GEJ_CONST_INFINITY
;
2035 secp256k1_gej
*gej_shuffled
= (secp256k1_gej
*)checked_malloc(&ctx
->error_callback
, (4 * runs
+ 1) * sizeof(secp256k1_gej
));
2036 for (i
= 0; i
< 4 * runs
+ 1; i
++) {
2037 gej_shuffled
[i
] = gej
[i
];
2039 for (i
= 0; i
< 4 * runs
+ 1; i
++) {
2040 int swap
= i
+ secp256k1_rand_int(4 * runs
+ 1 - i
);
2042 secp256k1_gej t
= gej_shuffled
[i
];
2043 gej_shuffled
[i
] = gej_shuffled
[swap
];
2044 gej_shuffled
[swap
] = t
;
2047 for (i
= 0; i
< 4 * runs
+ 1; i
++) {
2048 secp256k1_gej_add_var(&sum
, &sum
, &gej_shuffled
[i
], NULL
);
2050 CHECK(secp256k1_gej_is_infinity(&sum
));
2054 /* Test batch gej -> ge conversion with and without known z ratios. */
2056 secp256k1_fe
*zr
= (secp256k1_fe
*)checked_malloc(&ctx
->error_callback
, (4 * runs
+ 1) * sizeof(secp256k1_fe
));
2057 secp256k1_ge
*ge_set_table
= (secp256k1_ge
*)checked_malloc(&ctx
->error_callback
, (4 * runs
+ 1) * sizeof(secp256k1_ge
));
2058 secp256k1_ge
*ge_set_all
= (secp256k1_ge
*)checked_malloc(&ctx
->error_callback
, (4 * runs
+ 1) * sizeof(secp256k1_ge
));
2059 for (i
= 0; i
< 4 * runs
+ 1; i
++) {
2060 /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
2062 secp256k1_fe_mul(&zr
[i
+ 1], &zinv
[i
], &gej
[i
+ 1].z
);
2065 secp256k1_ge_set_table_gej_var(ge_set_table
, gej
, zr
, 4 * runs
+ 1);
2066 secp256k1_ge_set_all_gej_var(ge_set_all
, gej
, 4 * runs
+ 1, &ctx
->error_callback
);
2067 for (i
= 0; i
< 4 * runs
+ 1; i
++) {
2069 random_fe_non_zero(&s
);
2070 secp256k1_gej_rescale(&gej
[i
], &s
);
2071 ge_equals_gej(&ge_set_table
[i
], &gej
[i
]);
2072 ge_equals_gej(&ge_set_all
[i
], &gej
[i
]);
2084 void test_add_neg_y_diff_x(void) {
2085 /* The point of this test is to check that we can add two points
2086 * whose y-coordinates are negatives of each other but whose x
2087 * coordinates differ. If the x-coordinates were the same, these
2088 * points would be negatives of each other and their sum is
2089 * infinity. This is cool because it "covers up" any degeneracy
2090 * in the addition algorithm that would cause the xy coordinates
2091 * of the sum to be wrong (since infinity has no xy coordinates).
2092 * HOWEVER, if the x-coordinates are different, infinity is the
2093 * wrong answer, and such degeneracies are exposed. This is the
2094 * root of https://github.com/bitcoin-core/secp256k1/issues/257
2095 * which this test is a regression test for.
2097 * These points were generated in sage as
2098 * # secp256k1 params
2099 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2100 * C = EllipticCurve ([F (0), F (7)])
2101 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2102 * N = FiniteField(G.order())
2104 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2106 * lam = (1 - x^3).roots()[1][0]
2108 * # random "bad pair"
2109 * P = C.random_element()
2111 * print " P: %x %x" % P.xy()
2112 * print " Q: %x %x" % Q.xy()
2113 * print "P + Q: %x %x" % (P + Q).xy()
2115 secp256k1_gej aj
= SECP256K1_GEJ_CONST(
2116 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2117 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2118 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2119 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2121 secp256k1_gej bj
= SECP256K1_GEJ_CONST(
2122 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2123 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2124 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2125 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2127 secp256k1_gej sumj
= SECP256K1_GEJ_CONST(
2128 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2129 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2130 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2131 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2136 secp256k1_ge_set_gej(&b
, &bj
);
2138 secp256k1_gej_add_var(&resj
, &aj
, &bj
, NULL
);
2139 secp256k1_ge_set_gej(&res
, &resj
);
2140 ge_equals_gej(&res
, &sumj
);
2142 secp256k1_gej_add_ge(&resj
, &aj
, &b
);
2143 secp256k1_ge_set_gej(&res
, &resj
);
2144 ge_equals_gej(&res
, &sumj
);
2146 secp256k1_gej_add_ge_var(&resj
, &aj
, &b
, NULL
);
2147 secp256k1_ge_set_gej(&res
, &resj
);
2148 ge_equals_gej(&res
, &sumj
);
2153 for (i
= 0; i
< count
* 32; i
++) {
2156 test_add_neg_y_diff_x();
2159 void test_ec_combine(void) {
2160 secp256k1_scalar sum
= SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2161 secp256k1_pubkey data
[6];
2162 const secp256k1_pubkey
* d
[6];
2163 secp256k1_pubkey sd
;
2164 secp256k1_pubkey sd2
;
2168 for (i
= 1; i
<= 6; i
++) {
2170 random_scalar_order_test(&s
);
2171 secp256k1_scalar_add(&sum
, &sum
, &s
);
2172 secp256k1_ecmult_gen(&ctx
->ecmult_gen_ctx
, &Qj
, &s
);
2173 secp256k1_ge_set_gej(&Q
, &Qj
);
2174 secp256k1_pubkey_save(&data
[i
- 1], &Q
);
2175 d
[i
- 1] = &data
[i
- 1];
2176 secp256k1_ecmult_gen(&ctx
->ecmult_gen_ctx
, &Qj
, &sum
);
2177 secp256k1_ge_set_gej(&Q
, &Qj
);
2178 secp256k1_pubkey_save(&sd
, &Q
);
2179 CHECK(secp256k1_ec_pubkey_combine(ctx
, &sd2
, d
, i
) == 1);
2180 CHECK(memcmp(&sd
, &sd2
, sizeof(sd
)) == 0);
2184 void run_ec_combine(void) {
2186 for (i
= 0; i
< count
* 8; i
++) {
2191 void test_group_decompress(const secp256k1_fe
* x
) {
2192 /* The input itself, normalized. */
2193 secp256k1_fe fex
= *x
;
2195 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2196 secp256k1_ge ge_quad
, ge_even
, ge_odd
;
2197 secp256k1_gej gej_quad
;
2198 /* Return values of the above calls. */
2199 int res_quad
, res_even
, res_odd
;
2201 secp256k1_fe_normalize_var(&fex
);
2203 res_quad
= secp256k1_ge_set_xquad(&ge_quad
, &fex
);
2204 res_even
= secp256k1_ge_set_xo_var(&ge_even
, &fex
, 0);
2205 res_odd
= secp256k1_ge_set_xo_var(&ge_odd
, &fex
, 1);
2207 CHECK(res_quad
== res_even
);
2208 CHECK(res_quad
== res_odd
);
2211 secp256k1_fe_normalize_var(&ge_quad
.x
);
2212 secp256k1_fe_normalize_var(&ge_odd
.x
);
2213 secp256k1_fe_normalize_var(&ge_even
.x
);
2214 secp256k1_fe_normalize_var(&ge_quad
.y
);
2215 secp256k1_fe_normalize_var(&ge_odd
.y
);
2216 secp256k1_fe_normalize_var(&ge_even
.y
);
2218 /* No infinity allowed. */
2219 CHECK(!ge_quad
.infinity
);
2220 CHECK(!ge_even
.infinity
);
2221 CHECK(!ge_odd
.infinity
);
2223 /* Check that the x coordinates check out. */
2224 CHECK(secp256k1_fe_equal_var(&ge_quad
.x
, x
));
2225 CHECK(secp256k1_fe_equal_var(&ge_even
.x
, x
));
2226 CHECK(secp256k1_fe_equal_var(&ge_odd
.x
, x
));
2228 /* Check that the Y coordinate result in ge_quad is a square. */
2229 CHECK(secp256k1_fe_is_quad_var(&ge_quad
.y
));
2231 /* Check odd/even Y in ge_odd, ge_even. */
2232 CHECK(secp256k1_fe_is_odd(&ge_odd
.y
));
2233 CHECK(!secp256k1_fe_is_odd(&ge_even
.y
));
2235 /* Check secp256k1_gej_has_quad_y_var. */
2236 secp256k1_gej_set_ge(&gej_quad
, &ge_quad
);
2237 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad
));
2239 random_fe_test(&fez
);
2240 } while (secp256k1_fe_is_zero(&fez
));
2241 secp256k1_gej_rescale(&gej_quad
, &fez
);
2242 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad
));
2243 secp256k1_gej_neg(&gej_quad
, &gej_quad
);
2244 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad
));
2246 random_fe_test(&fez
);
2247 } while (secp256k1_fe_is_zero(&fez
));
2248 secp256k1_gej_rescale(&gej_quad
, &fez
);
2249 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad
));
2250 secp256k1_gej_neg(&gej_quad
, &gej_quad
);
2251 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad
));
2255 void run_group_decompress(void) {
2257 for (i
= 0; i
< count
* 4; i
++) {
2259 random_fe_test(&fe
);
2260 test_group_decompress(&fe
);
2264 /***** ECMULT TESTS *****/
2266 void run_ecmult_chain(void) {
2267 /* random starting point A (on the curve) */
2268 secp256k1_gej a
= SECP256K1_GEJ_CONST(
2269 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2270 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2271 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2272 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2274 /* two random initial factors xn and gn */
2275 secp256k1_scalar xn
= SECP256K1_SCALAR_CONST(
2276 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2277 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2279 secp256k1_scalar gn
= SECP256K1_SCALAR_CONST(
2280 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2281 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2283 /* two small multipliers to be applied to xn and gn in every iteration: */
2284 static const secp256k1_scalar xf
= SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2285 static const secp256k1_scalar gf
= SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
2286 /* accumulators with the resulting coefficients to A and G */
2287 secp256k1_scalar ae
= SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2288 secp256k1_scalar ge
= SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2294 /* the point being computed */
2296 for (i
= 0; i
< 200*count
; i
++) {
2297 /* in each iteration, compute X = xn*X + gn*G; */
2298 secp256k1_ecmult(&ctx
->ecmult_ctx
, &x
, &x
, &xn
, &gn
);
2299 /* also compute ae and ge: the actual accumulated factors for A and G */
2300 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
2301 secp256k1_scalar_mul(&ae
, &ae
, &xn
);
2302 secp256k1_scalar_mul(&ge
, &ge
, &xn
);
2303 secp256k1_scalar_add(&ge
, &ge
, &gn
);
2304 /* modify xn and gn */
2305 secp256k1_scalar_mul(&xn
, &xn
, &xf
);
2306 secp256k1_scalar_mul(&gn
, &gn
, &gf
);
2310 /* expected result after 19999 iterations */
2311 secp256k1_gej rp
= SECP256K1_GEJ_CONST(
2312 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2313 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2314 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2315 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2318 secp256k1_gej_neg(&rp
, &rp
);
2319 secp256k1_gej_add_var(&rp
, &rp
, &x
, NULL
);
2320 CHECK(secp256k1_gej_is_infinity(&rp
));
2323 /* redo the computation, but directly with the resulting ae and ge coefficients: */
2324 secp256k1_ecmult(&ctx
->ecmult_ctx
, &x2
, &a
, &ae
, &ge
);
2325 secp256k1_gej_neg(&x2
, &x2
);
2326 secp256k1_gej_add_var(&x2
, &x2
, &x
, NULL
);
2327 CHECK(secp256k1_gej_is_infinity(&x2
));
2330 void test_point_times_order(const secp256k1_gej
*point
) {
2331 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
2333 secp256k1_scalar nx
;
2334 secp256k1_scalar zero
= SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2335 secp256k1_scalar one
= SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2336 secp256k1_gej res1
, res2
;
2338 unsigned char pub
[65];
2340 random_scalar_order_test(&x
);
2341 secp256k1_scalar_negate(&nx
, &x
);
2342 secp256k1_ecmult(&ctx
->ecmult_ctx
, &res1
, point
, &x
, &x
); /* calc res1 = x * point + x * G; */
2343 secp256k1_ecmult(&ctx
->ecmult_ctx
, &res2
, point
, &nx
, &nx
); /* calc res2 = (order - x) * point + (order - x) * G; */
2344 secp256k1_gej_add_var(&res1
, &res1
, &res2
, NULL
);
2345 CHECK(secp256k1_gej_is_infinity(&res1
));
2346 CHECK(secp256k1_gej_is_valid_var(&res1
) == 0);
2347 secp256k1_ge_set_gej(&res3
, &res1
);
2348 CHECK(secp256k1_ge_is_infinity(&res3
));
2349 CHECK(secp256k1_ge_is_valid_var(&res3
) == 0);
2350 CHECK(secp256k1_eckey_pubkey_serialize(&res3
, pub
, &psize
, 0) == 0);
2352 CHECK(secp256k1_eckey_pubkey_serialize(&res3
, pub
, &psize
, 1) == 0);
2353 /* check zero/one edge cases */
2354 secp256k1_ecmult(&ctx
->ecmult_ctx
, &res1
, point
, &zero
, &zero
);
2355 secp256k1_ge_set_gej(&res3
, &res1
);
2356 CHECK(secp256k1_ge_is_infinity(&res3
));
2357 secp256k1_ecmult(&ctx
->ecmult_ctx
, &res1
, point
, &one
, &zero
);
2358 secp256k1_ge_set_gej(&res3
, &res1
);
2359 ge_equals_gej(&res3
, point
);
2360 secp256k1_ecmult(&ctx
->ecmult_ctx
, &res1
, point
, &zero
, &one
);
2361 secp256k1_ge_set_gej(&res3
, &res1
);
2362 ge_equals_ge(&res3
, &secp256k1_ge_const_g
);
2365 void run_point_times_order(void) {
2367 secp256k1_fe x
= SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2368 static const secp256k1_fe xr
= SECP256K1_FE_CONST(
2369 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2370 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2372 for (i
= 0; i
< 500; i
++) {
2374 if (secp256k1_ge_set_xo_var(&p
, &x
, 1)) {
2376 CHECK(secp256k1_ge_is_valid_var(&p
));
2377 secp256k1_gej_set_ge(&j
, &p
);
2378 CHECK(secp256k1_gej_is_valid_var(&j
));
2379 test_point_times_order(&j
);
2381 secp256k1_fe_sqr(&x
, &x
);
2383 secp256k1_fe_normalize_var(&x
);
2384 CHECK(secp256k1_fe_equal_var(&x
, &xr
));
2387 void ecmult_const_random_mult(void) {
2388 /* random starting point A (on the curve) */
2389 secp256k1_ge a
= SECP256K1_GE_CONST(
2390 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2391 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2392 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2393 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2395 /* random initial factor xn */
2396 secp256k1_scalar xn
= SECP256K1_SCALAR_CONST(
2397 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2398 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2400 /* expected xn * A (from sage) */
2401 secp256k1_ge expected_b
= SECP256K1_GE_CONST(
2402 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2403 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2404 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2405 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2408 secp256k1_ecmult_const(&b
, &a
, &xn
);
2410 CHECK(secp256k1_ge_is_valid_var(&a
));
2411 ge_equals_gej(&expected_b
, &b
);
2414 void ecmult_const_commutativity(void) {
2421 random_scalar_order_test(&a
);
2422 random_scalar_order_test(&b
);
2424 secp256k1_ecmult_const(&res1
, &secp256k1_ge_const_g
, &a
);
2425 secp256k1_ecmult_const(&res2
, &secp256k1_ge_const_g
, &b
);
2426 secp256k1_ge_set_gej(&mid1
, &res1
);
2427 secp256k1_ge_set_gej(&mid2
, &res2
);
2428 secp256k1_ecmult_const(&res1
, &mid1
, &b
);
2429 secp256k1_ecmult_const(&res2
, &mid2
, &a
);
2430 secp256k1_ge_set_gej(&mid1
, &res1
);
2431 secp256k1_ge_set_gej(&mid2
, &res2
);
2432 ge_equals_ge(&mid1
, &mid2
);
2435 void ecmult_const_mult_zero_one(void) {
2436 secp256k1_scalar zero
= SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2437 secp256k1_scalar one
= SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2438 secp256k1_scalar negone
;
2442 secp256k1_scalar_negate(&negone
, &one
);
2444 random_group_element_test(&point
);
2445 secp256k1_ecmult_const(&res1
, &point
, &zero
);
2446 secp256k1_ge_set_gej(&res2
, &res1
);
2447 CHECK(secp256k1_ge_is_infinity(&res2
));
2448 secp256k1_ecmult_const(&res1
, &point
, &one
);
2449 secp256k1_ge_set_gej(&res2
, &res1
);
2450 ge_equals_ge(&res2
, &point
);
2451 secp256k1_ecmult_const(&res1
, &point
, &negone
);
2452 secp256k1_gej_neg(&res1
, &res1
);
2453 secp256k1_ge_set_gej(&res2
, &res1
);
2454 ge_equals_ge(&res2
, &point
);
2457 void ecmult_const_chain_multiply(void) {
2458 /* Check known result (randomly generated test problem from sage) */
2459 const secp256k1_scalar scalar
= SECP256K1_SCALAR_CONST(
2460 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2461 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2463 const secp256k1_gej expected_point
= SECP256K1_GEJ_CONST(
2464 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2465 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2466 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2467 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2469 secp256k1_gej point
;
2473 secp256k1_gej_set_ge(&point
, &secp256k1_ge_const_g
);
2474 for (i
= 0; i
< 100; ++i
) {
2476 secp256k1_ge_set_gej(&tmp
, &point
);
2477 secp256k1_ecmult_const(&point
, &tmp
, &scalar
);
2479 secp256k1_ge_set_gej(&res
, &point
);
2480 ge_equals_gej(&res
, &expected_point
);
2483 void run_ecmult_const_tests(void) {
2484 ecmult_const_mult_zero_one();
2485 ecmult_const_random_mult();
2486 ecmult_const_commutativity();
2487 ecmult_const_chain_multiply();
2490 void test_wnaf(const secp256k1_scalar
*number
, int w
) {
2491 secp256k1_scalar x
, two
, t
;
2496 secp256k1_scalar_set_int(&x
, 0);
2497 secp256k1_scalar_set_int(&two
, 2);
2498 bits
= secp256k1_ecmult_wnaf(wnaf
, 256, number
, w
);
2500 for (i
= bits
-1; i
>= 0; i
--) {
2502 secp256k1_scalar_mul(&x
, &x
, &two
);
2504 CHECK(zeroes
== -1 || zeroes
>= w
-1); /* check that distance between non-zero elements is at least w-1 */
2506 CHECK((v
& 1) == 1); /* check non-zero elements are odd */
2507 CHECK(v
<= (1 << (w
-1)) - 1); /* check range below */
2508 CHECK(v
>= -(1 << (w
-1)) - 1); /* check range above */
2510 CHECK(zeroes
!= -1); /* check that no unnecessary zero padding exists */
2514 secp256k1_scalar_set_int(&t
, v
);
2516 secp256k1_scalar_set_int(&t
, -v
);
2517 secp256k1_scalar_negate(&t
, &t
);
2519 secp256k1_scalar_add(&x
, &x
, &t
);
2521 CHECK(secp256k1_scalar_eq(&x
, number
)); /* check that wnaf represents number */
2524 void test_constant_wnaf_negate(const secp256k1_scalar
*number
) {
2525 secp256k1_scalar neg1
= *number
;
2526 secp256k1_scalar neg2
= *number
;
2530 if (!secp256k1_scalar_get_bits(&neg1
, 0, 1)) {
2531 secp256k1_scalar_negate(&neg1
, &neg1
);
2534 sign2
= secp256k1_scalar_cond_negate(&neg2
, secp256k1_scalar_is_even(&neg2
));
2535 CHECK(sign1
== sign2
);
2536 CHECK(secp256k1_scalar_eq(&neg1
, &neg2
));
2539 void test_constant_wnaf(const secp256k1_scalar
*number
, int w
) {
2540 secp256k1_scalar x
, shift
;
2541 int wnaf
[256] = {0};
2544 secp256k1_scalar num
= *number
;
2546 secp256k1_scalar_set_int(&x
, 0);
2547 secp256k1_scalar_set_int(&shift
, 1 << w
);
2548 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
2549 #ifdef USE_ENDOMORPHISM
2550 for (i
= 0; i
< 16; ++i
) {
2551 secp256k1_scalar_shr_int(&num
, 8);
2554 skew
= secp256k1_wnaf_const(wnaf
, num
, w
);
2556 for (i
= WNAF_SIZE(w
); i
>= 0; --i
) {
2559 CHECK(v
!= 0); /* check nonzero */
2560 CHECK(v
& 1); /* check parity */
2561 CHECK(v
> -(1 << w
)); /* check range above */
2562 CHECK(v
< (1 << w
)); /* check range below */
2564 secp256k1_scalar_mul(&x
, &x
, &shift
);
2566 secp256k1_scalar_set_int(&t
, v
);
2568 secp256k1_scalar_set_int(&t
, -v
);
2569 secp256k1_scalar_negate(&t
, &t
);
2571 secp256k1_scalar_add(&x
, &x
, &t
);
2573 /* Skew num because when encoding numbers as odd we use an offset */
2574 secp256k1_scalar_cadd_bit(&num
, skew
== 2, 1);
2575 CHECK(secp256k1_scalar_eq(&x
, &num
));
2578 void run_wnaf(void) {
2580 secp256k1_scalar n
= {{0}};
2582 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
2583 * have easier-to-diagnose failure modes */
2585 test_constant_wnaf(&n
, 4);
2587 test_constant_wnaf(&n
, 4);
2589 for (i
= 0; i
< count
; i
++) {
2590 random_scalar_order(&n
);
2591 test_wnaf(&n
, 4+(i
%10));
2592 test_constant_wnaf_negate(&n
);
2593 test_constant_wnaf(&n
, 4 + (i
% 10));
2595 secp256k1_scalar_set_int(&n
, 0);
2596 CHECK(secp256k1_scalar_cond_negate(&n
, 1) == -1);
2597 CHECK(secp256k1_scalar_is_zero(&n
));
2598 CHECK(secp256k1_scalar_cond_negate(&n
, 0) == 1);
2599 CHECK(secp256k1_scalar_is_zero(&n
));
2602 void test_ecmult_constants(void) {
2603 /* Test ecmult_gen() for [0..36) and [order-36..0). */
2609 secp256k1_ge_neg(&ng
, &secp256k1_ge_const_g
);
2610 for (i
= 0; i
< 36; i
++ ) {
2611 secp256k1_scalar_set_int(&x
, i
);
2612 secp256k1_ecmult_gen(&ctx
->ecmult_gen_ctx
, &r
, &x
);
2613 for (j
= 0; j
< i
; j
++) {
2615 ge_equals_gej(&secp256k1_ge_const_g
, &r
);
2617 secp256k1_gej_add_ge(&r
, &r
, &ng
);
2619 CHECK(secp256k1_gej_is_infinity(&r
));
2621 for (i
= 1; i
<= 36; i
++ ) {
2622 secp256k1_scalar_set_int(&x
, i
);
2623 secp256k1_scalar_negate(&x
, &x
);
2624 secp256k1_ecmult_gen(&ctx
->ecmult_gen_ctx
, &r
, &x
);
2625 for (j
= 0; j
< i
; j
++) {
2627 ge_equals_gej(&ng
, &r
);
2629 secp256k1_gej_add_ge(&r
, &r
, &secp256k1_ge_const_g
);
2631 CHECK(secp256k1_gej_is_infinity(&r
));
2635 void run_ecmult_constants(void) {
2636 test_ecmult_constants();
2639 void test_ecmult_gen_blind(void) {
2640 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
2641 secp256k1_scalar key
;
2643 unsigned char seed32
[32];
2645 secp256k1_gej pgej2
;
2648 random_scalar_order_test(&key
);
2649 secp256k1_ecmult_gen(&ctx
->ecmult_gen_ctx
, &pgej
, &key
);
2650 secp256k1_rand256(seed32
);
2651 b
= ctx
->ecmult_gen_ctx
.blind
;
2652 i
= ctx
->ecmult_gen_ctx
.initial
;
2653 secp256k1_ecmult_gen_blind(&ctx
->ecmult_gen_ctx
, seed32
);
2654 CHECK(!secp256k1_scalar_eq(&b
, &ctx
->ecmult_gen_ctx
.blind
));
2655 secp256k1_ecmult_gen(&ctx
->ecmult_gen_ctx
, &pgej2
, &key
);
2656 CHECK(!gej_xyz_equals_gej(&pgej
, &pgej2
));
2657 CHECK(!gej_xyz_equals_gej(&i
, &ctx
->ecmult_gen_ctx
.initial
));
2658 secp256k1_ge_set_gej(&pge
, &pgej
);
2659 ge_equals_gej(&pge
, &pgej2
);
2662 void test_ecmult_gen_blind_reset(void) {
2663 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
2665 secp256k1_gej initial
;
2666 secp256k1_ecmult_gen_blind(&ctx
->ecmult_gen_ctx
, 0);
2667 b
= ctx
->ecmult_gen_ctx
.blind
;
2668 initial
= ctx
->ecmult_gen_ctx
.initial
;
2669 secp256k1_ecmult_gen_blind(&ctx
->ecmult_gen_ctx
, 0);
2670 CHECK(secp256k1_scalar_eq(&b
, &ctx
->ecmult_gen_ctx
.blind
));
2671 CHECK(gej_xyz_equals_gej(&initial
, &ctx
->ecmult_gen_ctx
.initial
));
2674 void run_ecmult_gen_blind(void) {
2676 test_ecmult_gen_blind_reset();
2677 for (i
= 0; i
< 10; i
++) {
2678 test_ecmult_gen_blind();
2682 #ifdef USE_ENDOMORPHISM
2683 /***** ENDOMORPHISH TESTS *****/
2684 void test_scalar_split(void) {
2685 secp256k1_scalar full
;
2686 secp256k1_scalar s1
, slam
;
2687 const unsigned char zero
[32] = {0};
2688 unsigned char tmp
[32];
2690 random_scalar_order_test(&full
);
2691 secp256k1_scalar_split_lambda(&s1
, &slam
, &full
);
2693 /* check that both are <= 128 bits in size */
2694 if (secp256k1_scalar_is_high(&s1
)) {
2695 secp256k1_scalar_negate(&s1
, &s1
);
2697 if (secp256k1_scalar_is_high(&slam
)) {
2698 secp256k1_scalar_negate(&slam
, &slam
);
2701 secp256k1_scalar_get_b32(tmp
, &s1
);
2702 CHECK(memcmp(zero
, tmp
, 16) == 0);
2703 secp256k1_scalar_get_b32(tmp
, &slam
);
2704 CHECK(memcmp(zero
, tmp
, 16) == 0);
2707 void run_endomorphism_tests(void) {
2708 test_scalar_split();
2712 void ec_pubkey_parse_pointtest(const unsigned char *input
, int xvalid
, int yvalid
) {
2713 unsigned char pubkeyc
[65];
2714 secp256k1_pubkey pubkey
;
2719 secp256k1_context_set_illegal_callback(ctx
, counting_illegal_callback_fn
, &ecount
);
2720 for (pubkeyclen
= 3; pubkeyclen
<= 65; pubkeyclen
++) {
2721 /* Smaller sizes are tested exhaustively elsewhere. */
2723 memcpy(&pubkeyc
[1], input
, 64);
2724 VG_UNDEF(&pubkeyc
[pubkeyclen
], 65 - pubkeyclen
);
2725 for (i
= 0; i
< 256; i
++) {
2726 /* Try all type bytes. */
2731 /* What sign does this point have? */
2732 ysign
= (input
[63] & 1) + 2;
2733 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
2734 xpass
= xvalid
&& (pubkeyclen
== 33) && ((i
& 254) == 2);
2735 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
2736 ypass
= xvalid
&& yvalid
&& ((i
& 4) == ((pubkeyclen
== 65) << 2)) &&
2737 ((i
== 4) || ((i
& 251) == ysign
)) && ((pubkeyclen
== 33) || (pubkeyclen
== 65));
2738 if (xpass
|| ypass
) {
2739 /* These cases must parse. */
2740 unsigned char pubkeyo
[65];
2742 memset(&pubkey
, 0, sizeof(pubkey
));
2743 VG_UNDEF(&pubkey
, sizeof(pubkey
));
2745 CHECK(secp256k1_ec_pubkey_parse(ctx
, &pubkey
, pubkeyc
, pubkeyclen
) == 1);
2746 VG_CHECK(&pubkey
, sizeof(pubkey
));
2748 VG_UNDEF(pubkeyo
, 65);
2749 CHECK(secp256k1_ec_pubkey_serialize(ctx
, pubkeyo
, &outl
, &pubkey
, SECP256K1_EC_COMPRESSED
) == 1);
2750 VG_CHECK(pubkeyo
, outl
);
2752 CHECK(memcmp(&pubkeyo
[1], &pubkeyc
[1], 32) == 0);
2753 CHECK((pubkeyclen
!= 33) || (pubkeyo
[0] == pubkeyc
[0]));
2755 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
2756 CHECK(pubkeyo
[0] == ysign
);
2757 CHECK(secp256k1_pubkey_load(ctx
, &ge
, &pubkey
) == 1);
2758 memset(&pubkey
, 0, sizeof(pubkey
));
2759 VG_UNDEF(&pubkey
, sizeof(pubkey
));
2760 secp256k1_pubkey_save(&pubkey
, &ge
);
2761 VG_CHECK(&pubkey
, sizeof(pubkey
));
2763 VG_UNDEF(pubkeyo
, 65);
2764 CHECK(secp256k1_ec_pubkey_serialize(ctx
, pubkeyo
, &outl
, &pubkey
, SECP256K1_EC_UNCOMPRESSED
) == 1);
2765 VG_CHECK(pubkeyo
, outl
);
2767 CHECK(pubkeyo
[0] == 4);
2768 CHECK(memcmp(&pubkeyo
[1], input
, 64) == 0);
2772 /* These cases must fail to parse. */
2773 memset(&pubkey
, 0xfe, sizeof(pubkey
));
2775 VG_UNDEF(&pubkey
, sizeof(pubkey
));
2776 CHECK(secp256k1_ec_pubkey_parse(ctx
, &pubkey
, pubkeyc
, pubkeyclen
) == 0);
2777 VG_CHECK(&pubkey
, sizeof(pubkey
));
2779 CHECK(secp256k1_pubkey_load(ctx
, &ge
, &pubkey
) == 0);
2784 secp256k1_context_set_illegal_callback(ctx
, NULL
, NULL
);
2787 void run_ec_pubkey_parse_test(void) {
2788 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
2789 const unsigned char valid
[SECP256K1_EC_PARSE_TEST_NVALID
][64] = {
2791 /* Point with leading and trailing zeros in x and y serialization. */
2792 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
2793 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2794 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
2795 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
2798 /* Point with x equal to a 3rd root of unity.*/
2799 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
2800 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
2801 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
2802 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
2805 /* Point with largest x. (1/2) */
2806 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2807 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
2808 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
2809 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
2812 /* Point with largest x. (2/2) */
2813 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2814 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
2815 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
2816 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
2819 /* Point with smallest x. (1/2) */
2820 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2821 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2822 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
2823 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
2826 /* Point with smallest x. (2/2) */
2827 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2828 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2829 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
2830 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
2833 /* Point with largest y. (1/3) */
2834 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
2835 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
2836 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2837 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
2840 /* Point with largest y. (2/3) */
2841 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
2842 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
2843 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2844 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
2847 /* Point with largest y. (3/3) */
2848 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
2849 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
2850 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2851 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
2854 /* Point with smallest y. (1/3) */
2855 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
2856 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
2857 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2858 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2861 /* Point with smallest y. (2/3) */
2862 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
2863 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
2864 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2865 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2868 /* Point with smallest y. (3/3) */
2869 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
2870 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
2871 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2872 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
2875 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
2876 const unsigned char onlyxvalid
[SECP256K1_EC_PARSE_TEST_NXVALID
][64] = {
2878 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
2879 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
2880 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
2881 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2882 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
2885 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
2886 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
2887 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
2888 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2889 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
2892 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
2893 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
2894 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
2895 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2896 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
2899 /* x on curve, y is from y^2 = x^3 + 8. */
2900 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2901 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2902 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2903 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
2906 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
2907 const unsigned char invalid
[SECP256K1_EC_PARSE_TEST_NINVALID
][64] = {
2909 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
2910 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
2911 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
2912 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2913 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2916 /* Valid if x overflow ignored (x = 1 mod p). */
2917 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2918 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
2919 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
2920 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
2923 /* Valid if x overflow ignored (x = 1 mod p). */
2924 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2925 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
2926 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
2927 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
2930 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
2931 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2932 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
2933 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
2934 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
2937 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
2938 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2939 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
2940 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
2941 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
2944 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
2945 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2946 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2947 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
2948 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
2951 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
2952 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2953 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2954 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
2955 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
2958 const unsigned char pubkeyc
[66] = {
2959 /* Serialization of G. */
2960 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
2961 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
2962 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
2963 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
2966 unsigned char sout
[65];
2967 unsigned char shortkey
[2];
2969 secp256k1_pubkey pubkey
;
2975 /* Nothing should be reading this far into pubkeyc. */
2976 VG_UNDEF(&pubkeyc
[65], 1);
2977 secp256k1_context_set_illegal_callback(ctx
, counting_illegal_callback_fn
, &ecount
);
2978 /* Zero length claimed, fail, zeroize, no illegal arg error. */
2979 memset(&pubkey
, 0xfe, sizeof(pubkey
));
2981 VG_UNDEF(shortkey
, 2);
2982 VG_UNDEF(&pubkey
, sizeof(pubkey
));
2983 CHECK(secp256k1_ec_pubkey_parse(ctx
, &pubkey
, shortkey
, 0) == 0);
2984 VG_CHECK(&pubkey
, sizeof(pubkey
));
2986 CHECK(secp256k1_pubkey_load(ctx
, &ge
, &pubkey
) == 0);
2988 /* Length one claimed, fail, zeroize, no illegal arg error. */
2989 for (i
= 0; i
< 256 ; i
++) {
2990 memset(&pubkey
, 0xfe, sizeof(pubkey
));
2993 VG_UNDEF(&shortkey
[1], 1);
2994 VG_UNDEF(&pubkey
, sizeof(pubkey
));
2995 CHECK(secp256k1_ec_pubkey_parse(ctx
, &pubkey
, shortkey
, 1) == 0);
2996 VG_CHECK(&pubkey
, sizeof(pubkey
));
2998 CHECK(secp256k1_pubkey_load(ctx
, &ge
, &pubkey
) == 0);
3001 /* Length two claimed, fail, zeroize, no illegal arg error. */
3002 for (i
= 0; i
< 65536 ; i
++) {
3003 memset(&pubkey
, 0xfe, sizeof(pubkey
));
3005 shortkey
[0] = i
& 255;
3006 shortkey
[1] = i
>> 8;
3007 VG_UNDEF(&pubkey
, sizeof(pubkey
));
3008 CHECK(secp256k1_ec_pubkey_parse(ctx
, &pubkey
, shortkey
, 2) == 0);
3009 VG_CHECK(&pubkey
, sizeof(pubkey
));
3011 CHECK(secp256k1_pubkey_load(ctx
, &ge
, &pubkey
) == 0);
3014 memset(&pubkey
, 0xfe, sizeof(pubkey
));
3016 VG_UNDEF(&pubkey
, sizeof(pubkey
));
3017 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
3018 CHECK(secp256k1_ec_pubkey_parse(ctx
, &pubkey
, pubkeyc
, 33) == 0);
3019 VG_CHECK(&pubkey
, sizeof(pubkey
));
3021 CHECK(secp256k1_pubkey_load(ctx
, &ge
, &pubkey
) == 0);
3023 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
3024 CHECK(secp256k1_ec_pubkey_parse(ctx
, NULL
, pubkeyc
, 65) == 0);
3026 /* NULL input string. Illegal arg and zeroize output. */
3027 memset(&pubkey
, 0xfe, sizeof(pubkey
));
3029 VG_UNDEF(&pubkey
, sizeof(pubkey
));
3030 CHECK(secp256k1_ec_pubkey_parse(ctx
, &pubkey
, NULL
, 65) == 0);
3031 VG_CHECK(&pubkey
, sizeof(pubkey
));
3033 CHECK(secp256k1_pubkey_load(ctx
, &ge
, &pubkey
) == 0);
3035 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
3036 memset(&pubkey
, 0xfe, sizeof(pubkey
));
3038 VG_UNDEF(&pubkey
, sizeof(pubkey
));
3039 CHECK(secp256k1_ec_pubkey_parse(ctx
, &pubkey
, pubkeyc
, 64) == 0);
3040 VG_CHECK(&pubkey
, sizeof(pubkey
));
3042 CHECK(secp256k1_pubkey_load(ctx
, &ge
, &pubkey
) == 0);
3044 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
3045 memset(&pubkey
, 0xfe, sizeof(pubkey
));
3047 VG_UNDEF(&pubkey
, sizeof(pubkey
));
3048 CHECK(secp256k1_ec_pubkey_parse(ctx
, &pubkey
, pubkeyc
, 66) == 0);
3049 VG_CHECK(&pubkey
, sizeof(pubkey
));
3051 CHECK(secp256k1_pubkey_load(ctx
, &ge
, &pubkey
) == 0);
3054 memset(&pubkey
, 0, sizeof(pubkey
));
3056 VG_UNDEF(&pubkey
, sizeof(pubkey
));
3057 CHECK(secp256k1_ec_pubkey_parse(ctx
, &pubkey
, pubkeyc
, 65) == 1);
3058 VG_CHECK(&pubkey
, sizeof(pubkey
));
3060 VG_UNDEF(&ge
, sizeof(ge
));
3061 CHECK(secp256k1_pubkey_load(ctx
, &ge
, &pubkey
) == 1);
3062 VG_CHECK(&ge
.x
, sizeof(ge
.x
));
3063 VG_CHECK(&ge
.y
, sizeof(ge
.y
));
3064 VG_CHECK(&ge
.infinity
, sizeof(ge
.infinity
));
3065 ge_equals_ge(&secp256k1_ge_const_g
, &ge
);
3067 /* secp256k1_ec_pubkey_serialize illegal args. */
3070 CHECK(secp256k1_ec_pubkey_serialize(ctx
, NULL
, &len
, &pubkey
, SECP256K1_EC_UNCOMPRESSED
) == 0);
3073 CHECK(secp256k1_ec_pubkey_serialize(ctx
, sout
, NULL
, &pubkey
, SECP256K1_EC_UNCOMPRESSED
) == 0);
3077 CHECK(secp256k1_ec_pubkey_serialize(ctx
, sout
, &len
, NULL
, SECP256K1_EC_UNCOMPRESSED
) == 0);
3082 CHECK(secp256k1_ec_pubkey_serialize(ctx
, sout
, &len
, &pubkey
, ~0) == 0);
3087 CHECK(secp256k1_ec_pubkey_serialize(ctx
, sout
, &len
, &pubkey
, SECP256K1_EC_UNCOMPRESSED
) == 1);
3091 /* Multiple illegal args. Should still set arg error only once. */
3094 CHECK(secp256k1_ec_pubkey_parse(ctx
, NULL
, NULL
, 65) == 0);
3096 /* Does the illegal arg callback actually change the behavior? */
3097 secp256k1_context_set_illegal_callback(ctx
, uncounting_illegal_callback_fn
, &ecount2
);
3098 CHECK(secp256k1_ec_pubkey_parse(ctx
, NULL
, NULL
, 65) == 0);
3100 CHECK(ecount2
== 10);
3101 secp256k1_context_set_illegal_callback(ctx
, NULL
, NULL
);
3102 /* Try a bunch of prefabbed points with all possible encodings. */
3103 for (i
= 0; i
< SECP256K1_EC_PARSE_TEST_NVALID
; i
++) {
3104 ec_pubkey_parse_pointtest(valid
[i
], 1, 1);
3106 for (i
= 0; i
< SECP256K1_EC_PARSE_TEST_NXVALID
; i
++) {
3107 ec_pubkey_parse_pointtest(onlyxvalid
[i
], 1, 0);
3109 for (i
= 0; i
< SECP256K1_EC_PARSE_TEST_NINVALID
; i
++) {
3110 ec_pubkey_parse_pointtest(invalid
[i
], 0, 0);
3114 void run_eckey_edge_case_test(void) {
3115 const unsigned char orderc
[32] = {
3116 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3117 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3118 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3119 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
3121 const unsigned char zeros
[sizeof(secp256k1_pubkey
)] = {0x00};
3122 unsigned char ctmp
[33];
3123 unsigned char ctmp2
[33];
3124 secp256k1_pubkey pubkey
;
3125 secp256k1_pubkey pubkey2
;
3126 secp256k1_pubkey pubkey_one
;
3127 secp256k1_pubkey pubkey_negone
;
3128 const secp256k1_pubkey
*pubkeys
[3];
3131 /* Group order is too large, reject. */
3132 CHECK(secp256k1_ec_seckey_verify(ctx
, orderc
) == 0);
3133 VG_UNDEF(&pubkey
, sizeof(pubkey
));
3134 CHECK(secp256k1_ec_pubkey_create(ctx
, &pubkey
, orderc
) == 0);
3135 VG_CHECK(&pubkey
, sizeof(pubkey
));
3136 CHECK(memcmp(&pubkey
, zeros
, sizeof(secp256k1_pubkey
)) == 0);
3137 /* Maximum value is too large, reject. */
3138 memset(ctmp
, 255, 32);
3139 CHECK(secp256k1_ec_seckey_verify(ctx
, ctmp
) == 0);
3140 memset(&pubkey
, 1, sizeof(pubkey
));
3141 VG_UNDEF(&pubkey
, sizeof(pubkey
));
3142 CHECK(secp256k1_ec_pubkey_create(ctx
, &pubkey
, ctmp
) == 0);
3143 VG_CHECK(&pubkey
, sizeof(pubkey
));
3144 CHECK(memcmp(&pubkey
, zeros
, sizeof(secp256k1_pubkey
)) == 0);
3145 /* Zero is too small, reject. */
3146 memset(ctmp
, 0, 32);
3147 CHECK(secp256k1_ec_seckey_verify(ctx
, ctmp
) == 0);
3148 memset(&pubkey
, 1, sizeof(pubkey
));
3149 VG_UNDEF(&pubkey
, sizeof(pubkey
));
3150 CHECK(secp256k1_ec_pubkey_create(ctx
, &pubkey
, ctmp
) == 0);
3151 VG_CHECK(&pubkey
, sizeof(pubkey
));
3152 CHECK(memcmp(&pubkey
, zeros
, sizeof(secp256k1_pubkey
)) == 0);
3153 /* One must be accepted. */
3155 CHECK(secp256k1_ec_seckey_verify(ctx
, ctmp
) == 1);
3156 memset(&pubkey
, 0, sizeof(pubkey
));
3157 VG_UNDEF(&pubkey
, sizeof(pubkey
));
3158 CHECK(secp256k1_ec_pubkey_create(ctx
, &pubkey
, ctmp
) == 1);
3159 VG_CHECK(&pubkey
, sizeof(pubkey
));
3160 CHECK(memcmp(&pubkey
, zeros
, sizeof(secp256k1_pubkey
)) > 0);
3161 pubkey_one
= pubkey
;
3162 /* Group order + 1 is too large, reject. */
3163 memcpy(ctmp
, orderc
, 32);
3165 CHECK(secp256k1_ec_seckey_verify(ctx
, ctmp
) == 0);
3166 memset(&pubkey
, 1, sizeof(pubkey
));
3167 VG_UNDEF(&pubkey
, sizeof(pubkey
));
3168 CHECK(secp256k1_ec_pubkey_create(ctx
, &pubkey
, ctmp
) == 0);
3169 VG_CHECK(&pubkey
, sizeof(pubkey
));
3170 CHECK(memcmp(&pubkey
, zeros
, sizeof(secp256k1_pubkey
)) == 0);
3171 /* -1 must be accepted. */
3173 CHECK(secp256k1_ec_seckey_verify(ctx
, ctmp
) == 1);
3174 memset(&pubkey
, 0, sizeof(pubkey
));
3175 VG_UNDEF(&pubkey
, sizeof(pubkey
));
3176 CHECK(secp256k1_ec_pubkey_create(ctx
, &pubkey
, ctmp
) == 1);
3177 VG_CHECK(&pubkey
, sizeof(pubkey
));
3178 CHECK(memcmp(&pubkey
, zeros
, sizeof(secp256k1_pubkey
)) > 0);
3179 pubkey_negone
= pubkey
;
3180 /* Tweak of zero leaves the value changed. */
3181 memset(ctmp2
, 0, 32);
3182 CHECK(secp256k1_ec_privkey_tweak_add(ctx
, ctmp
, ctmp2
) == 1);
3183 CHECK(memcmp(orderc
, ctmp
, 31) == 0 && ctmp
[31] == 0x40);
3184 memcpy(&pubkey2
, &pubkey
, sizeof(pubkey
));
3185 CHECK(secp256k1_ec_pubkey_tweak_add(ctx
, &pubkey
, ctmp2
) == 1);
3186 CHECK(memcmp(&pubkey
, &pubkey2
, sizeof(pubkey
)) == 0);
3187 /* Multiply tweak of zero zeroizes the output. */
3188 CHECK(secp256k1_ec_privkey_tweak_mul(ctx
, ctmp
, ctmp2
) == 0);
3189 CHECK(memcmp(zeros
, ctmp
, 32) == 0);
3190 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx
, &pubkey
, ctmp2
) == 0);
3191 CHECK(memcmp(&pubkey
, zeros
, sizeof(pubkey
)) == 0);
3192 memcpy(&pubkey
, &pubkey2
, sizeof(pubkey
));
3193 /* Overflowing key tweak zeroizes. */
3194 memcpy(ctmp
, orderc
, 32);
3196 CHECK(secp256k1_ec_privkey_tweak_add(ctx
, ctmp
, orderc
) == 0);
3197 CHECK(memcmp(zeros
, ctmp
, 32) == 0);
3198 memcpy(ctmp
, orderc
, 32);
3200 CHECK(secp256k1_ec_privkey_tweak_mul(ctx
, ctmp
, orderc
) == 0);
3201 CHECK(memcmp(zeros
, ctmp
, 32) == 0);
3202 memcpy(ctmp
, orderc
, 32);
3204 CHECK(secp256k1_ec_pubkey_tweak_add(ctx
, &pubkey
, orderc
) == 0);
3205 CHECK(memcmp(&pubkey
, zeros
, sizeof(pubkey
)) == 0);
3206 memcpy(&pubkey
, &pubkey2
, sizeof(pubkey
));
3207 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx
, &pubkey
, orderc
) == 0);
3208 CHECK(memcmp(&pubkey
, zeros
, sizeof(pubkey
)) == 0);
3209 memcpy(&pubkey
, &pubkey2
, sizeof(pubkey
));
3210 /* Private key tweaks results in a key of zero. */
3212 CHECK(secp256k1_ec_privkey_tweak_add(ctx
, ctmp2
, ctmp
) == 0);
3213 CHECK(memcmp(zeros
, ctmp2
, 32) == 0);
3215 CHECK(secp256k1_ec_pubkey_tweak_add(ctx
, &pubkey
, ctmp2
) == 0);
3216 CHECK(memcmp(&pubkey
, zeros
, sizeof(pubkey
)) == 0);
3217 memcpy(&pubkey
, &pubkey2
, sizeof(pubkey
));
3218 /* Tweak computation wraps and results in a key of 1. */
3220 CHECK(secp256k1_ec_privkey_tweak_add(ctx
, ctmp2
, ctmp
) == 1);
3221 CHECK(memcmp(ctmp2
, zeros
, 31) == 0 && ctmp2
[31] == 1);
3223 CHECK(secp256k1_ec_pubkey_tweak_add(ctx
, &pubkey
, ctmp2
) == 1);
3225 CHECK(secp256k1_ec_pubkey_create(ctx
, &pubkey2
, ctmp2
) == 1);
3226 CHECK(memcmp(&pubkey
, &pubkey2
, sizeof(pubkey
)) == 0);
3227 /* Tweak mul * 2 = 1+1. */
3228 CHECK(secp256k1_ec_pubkey_tweak_add(ctx
, &pubkey
, ctmp2
) == 1);
3230 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx
, &pubkey2
, ctmp2
) == 1);
3231 CHECK(memcmp(&pubkey
, &pubkey2
, sizeof(pubkey
)) == 0);
3232 /* Test argument errors. */
3234 secp256k1_context_set_illegal_callback(ctx
, counting_illegal_callback_fn
, &ecount
);
3236 /* Zeroize pubkey on parse error. */
3237 memset(&pubkey
, 0, 32);
3238 CHECK(secp256k1_ec_pubkey_tweak_add(ctx
, &pubkey
, ctmp2
) == 0);
3240 CHECK(memcmp(&pubkey
, zeros
, sizeof(pubkey
)) == 0);
3241 memcpy(&pubkey
, &pubkey2
, sizeof(pubkey
));
3242 memset(&pubkey2
, 0, 32);
3243 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx
, &pubkey2
, ctmp2
) == 0);
3245 CHECK(memcmp(&pubkey2
, zeros
, sizeof(pubkey2
)) == 0);
3246 /* Plain argument errors. */
3248 CHECK(secp256k1_ec_seckey_verify(ctx
, ctmp
) == 1);
3250 CHECK(secp256k1_ec_seckey_verify(ctx
, NULL
) == 0);
3253 memset(ctmp2
, 0, 32);
3255 CHECK(secp256k1_ec_pubkey_tweak_add(ctx
, NULL
, ctmp2
) == 0);
3257 CHECK(secp256k1_ec_pubkey_tweak_add(ctx
, &pubkey
, NULL
) == 0);
3260 memset(ctmp2
, 0, 32);
3262 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx
, NULL
, ctmp2
) == 0);
3264 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx
, &pubkey
, NULL
) == 0);
3267 memset(ctmp2
, 0, 32);
3268 CHECK(secp256k1_ec_privkey_tweak_add(ctx
, NULL
, ctmp2
) == 0);
3270 CHECK(secp256k1_ec_privkey_tweak_add(ctx
, ctmp
, NULL
) == 0);
3273 memset(ctmp2
, 0, 32);
3275 CHECK(secp256k1_ec_privkey_tweak_mul(ctx
, NULL
, ctmp2
) == 0);
3277 CHECK(secp256k1_ec_privkey_tweak_mul(ctx
, ctmp
, NULL
) == 0);
3280 CHECK(secp256k1_ec_pubkey_create(ctx
, NULL
, ctmp
) == 0);
3282 memset(&pubkey
, 1, sizeof(pubkey
));
3283 CHECK(secp256k1_ec_pubkey_create(ctx
, &pubkey
, NULL
) == 0);
3285 CHECK(memcmp(&pubkey
, zeros
, sizeof(secp256k1_pubkey
)) == 0);
3286 /* secp256k1_ec_pubkey_combine tests. */
3288 pubkeys
[0] = &pubkey_one
;
3289 VG_UNDEF(&pubkeys
[0], sizeof(secp256k1_pubkey
*));
3290 VG_UNDEF(&pubkeys
[1], sizeof(secp256k1_pubkey
*));
3291 VG_UNDEF(&pubkeys
[2], sizeof(secp256k1_pubkey
*));
3292 memset(&pubkey
, 255, sizeof(secp256k1_pubkey
));
3293 VG_UNDEF(&pubkey
, sizeof(secp256k1_pubkey
));
3294 CHECK(secp256k1_ec_pubkey_combine(ctx
, &pubkey
, pubkeys
, 0) == 0);
3295 VG_CHECK(&pubkey
, sizeof(secp256k1_pubkey
));
3296 CHECK(memcmp(&pubkey
, zeros
, sizeof(secp256k1_pubkey
)) == 0);
3298 CHECK(secp256k1_ec_pubkey_combine(ctx
, NULL
, pubkeys
, 1) == 0);
3299 CHECK(memcmp(&pubkey
, zeros
, sizeof(secp256k1_pubkey
)) == 0);
3301 memset(&pubkey
, 255, sizeof(secp256k1_pubkey
));
3302 VG_UNDEF(&pubkey
, sizeof(secp256k1_pubkey
));
3303 CHECK(secp256k1_ec_pubkey_combine(ctx
, &pubkey
, NULL
, 1) == 0);
3304 VG_CHECK(&pubkey
, sizeof(secp256k1_pubkey
));
3305 CHECK(memcmp(&pubkey
, zeros
, sizeof(secp256k1_pubkey
)) == 0);
3307 pubkeys
[0] = &pubkey_negone
;
3308 memset(&pubkey
, 255, sizeof(secp256k1_pubkey
));
3309 VG_UNDEF(&pubkey
, sizeof(secp256k1_pubkey
));
3310 CHECK(secp256k1_ec_pubkey_combine(ctx
, &pubkey
, pubkeys
, 1) == 1);
3311 VG_CHECK(&pubkey
, sizeof(secp256k1_pubkey
));
3312 CHECK(memcmp(&pubkey
, zeros
, sizeof(secp256k1_pubkey
)) > 0);
3315 CHECK(secp256k1_ec_pubkey_serialize(ctx
, ctmp
, &len
, &pubkey
, SECP256K1_EC_COMPRESSED
) == 1);
3316 CHECK(secp256k1_ec_pubkey_serialize(ctx
, ctmp2
, &len
, &pubkey_negone
, SECP256K1_EC_COMPRESSED
) == 1);
3317 CHECK(memcmp(ctmp
, ctmp2
, 33) == 0);
3318 /* Result is infinity. */
3319 pubkeys
[0] = &pubkey_one
;
3320 pubkeys
[1] = &pubkey_negone
;
3321 memset(&pubkey
, 255, sizeof(secp256k1_pubkey
));
3322 VG_UNDEF(&pubkey
, sizeof(secp256k1_pubkey
));
3323 CHECK(secp256k1_ec_pubkey_combine(ctx
, &pubkey
, pubkeys
, 2) == 0);
3324 VG_CHECK(&pubkey
, sizeof(secp256k1_pubkey
));
3325 CHECK(memcmp(&pubkey
, zeros
, sizeof(secp256k1_pubkey
)) == 0);
3327 /* Passes through infinity but comes out one. */
3328 pubkeys
[2] = &pubkey_one
;
3329 memset(&pubkey
, 255, sizeof(secp256k1_pubkey
));
3330 VG_UNDEF(&pubkey
, sizeof(secp256k1_pubkey
));
3331 CHECK(secp256k1_ec_pubkey_combine(ctx
, &pubkey
, pubkeys
, 3) == 1);
3332 VG_CHECK(&pubkey
, sizeof(secp256k1_pubkey
));
3333 CHECK(memcmp(&pubkey
, zeros
, sizeof(secp256k1_pubkey
)) > 0);
3336 CHECK(secp256k1_ec_pubkey_serialize(ctx
, ctmp
, &len
, &pubkey
, SECP256K1_EC_COMPRESSED
) == 1);
3337 CHECK(secp256k1_ec_pubkey_serialize(ctx
, ctmp2
, &len
, &pubkey_one
, SECP256K1_EC_COMPRESSED
) == 1);
3338 CHECK(memcmp(ctmp
, ctmp2
, 33) == 0);
3340 pubkeys
[1] = &pubkey_one
;
3341 memset(&pubkey
, 255, sizeof(secp256k1_pubkey
));
3342 VG_UNDEF(&pubkey
, sizeof(secp256k1_pubkey
));
3343 CHECK(secp256k1_ec_pubkey_combine(ctx
, &pubkey
, pubkeys
, 2) == 1);
3344 VG_CHECK(&pubkey
, sizeof(secp256k1_pubkey
));
3345 CHECK(memcmp(&pubkey
, zeros
, sizeof(secp256k1_pubkey
)) > 0);
3347 secp256k1_context_set_illegal_callback(ctx
, NULL
, NULL
);
3350 void random_sign(secp256k1_scalar
*sigr
, secp256k1_scalar
*sigs
, const secp256k1_scalar
*key
, const secp256k1_scalar
*msg
, int *recid
) {
3351 secp256k1_scalar nonce
;
3353 random_scalar_order_test(&nonce
);
3354 } while(!secp256k1_ecdsa_sig_sign(&ctx
->ecmult_gen_ctx
, sigr
, sigs
, key
, msg
, &nonce
, recid
));
3357 void test_ecdsa_sign_verify(void) {
3360 secp256k1_scalar one
;
3361 secp256k1_scalar msg
, key
;
3362 secp256k1_scalar sigr
, sigs
;
3365 random_scalar_order_test(&msg
);
3366 random_scalar_order_test(&key
);
3367 secp256k1_ecmult_gen(&ctx
->ecmult_gen_ctx
, &pubj
, &key
);
3368 secp256k1_ge_set_gej(&pub
, &pubj
);
3369 getrec
= secp256k1_rand_bits(1);
3370 random_sign(&sigr
, &sigs
, &key
, &msg
, getrec
?&recid
:NULL
);
3372 CHECK(recid
>= 0 && recid
< 4);
3374 CHECK(secp256k1_ecdsa_sig_verify(&ctx
->ecmult_ctx
, &sigr
, &sigs
, &pub
, &msg
));
3375 secp256k1_scalar_set_int(&one
, 1);
3376 secp256k1_scalar_add(&msg
, &msg
, &one
);
3377 CHECK(!secp256k1_ecdsa_sig_verify(&ctx
->ecmult_ctx
, &sigr
, &sigs
, &pub
, &msg
));
3380 void run_ecdsa_sign_verify(void) {
3382 for (i
= 0; i
< 10*count
; i
++) {
3383 test_ecdsa_sign_verify();
3387 /** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
3388 static int precomputed_nonce_function(unsigned char *nonce32
, const unsigned char *msg32
, const unsigned char *key32
, const unsigned char *algo16
, void *data
, unsigned int counter
) {
3392 memcpy(nonce32
, data
, 32);
3393 return (counter
== 0);
3396 static int nonce_function_test_fail(unsigned char *nonce32
, const unsigned char *msg32
, const unsigned char *key32
, const unsigned char *algo16
, void *data
, unsigned int counter
) {
3397 /* Dummy nonce generator that has a fatal error on the first counter value. */
3401 return nonce_function_rfc6979(nonce32
, msg32
, key32
, algo16
, data
, counter
- 1);
3404 static int nonce_function_test_retry(unsigned char *nonce32
, const unsigned char *msg32
, const unsigned char *key32
, const unsigned char *algo16
, void *data
, unsigned int counter
) {
3405 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
3407 memset(nonce32
, counter
==0 ? 0 : 255, 32);
3414 static const unsigned char order
[] = {
3415 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
3416 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
3417 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
3418 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
3420 memcpy(nonce32
, order
, 32);
3426 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
3427 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
3431 return nonce_function_rfc6979(nonce32
, msg32
, key32
, algo16
, data
, counter
- 5);
3434 int is_empty_signature(const secp256k1_ecdsa_signature
*sig
) {
3435 static const unsigned char res
[sizeof(secp256k1_ecdsa_signature
)] = {0};
3436 return memcmp(sig
, res
, sizeof(secp256k1_ecdsa_signature
)) == 0;
3439 void test_ecdsa_end_to_end(void) {
3440 unsigned char extra
[32] = {0x00};
3441 unsigned char privkey
[32];
3442 unsigned char message
[32];
3443 unsigned char privkey2
[32];
3444 secp256k1_ecdsa_signature signature
[6];
3445 secp256k1_scalar r
, s
;
3446 unsigned char sig
[74];
3448 unsigned char pubkeyc
[65];
3449 size_t pubkeyclen
= 65;
3450 secp256k1_pubkey pubkey
;
3451 secp256k1_pubkey pubkey_tmp
;
3452 unsigned char seckey
[300];
3453 size_t seckeylen
= 300;
3455 /* Generate a random key and message. */
3457 secp256k1_scalar msg
, key
;
3458 random_scalar_order_test(&msg
);
3459 random_scalar_order_test(&key
);
3460 secp256k1_scalar_get_b32(privkey
, &key
);
3461 secp256k1_scalar_get_b32(message
, &msg
);
3464 /* Construct and verify corresponding public key. */
3465 CHECK(secp256k1_ec_seckey_verify(ctx
, privkey
) == 1);
3466 CHECK(secp256k1_ec_pubkey_create(ctx
, &pubkey
, privkey
) == 1);
3468 /* Verify exporting and importing public key. */
3469 CHECK(secp256k1_ec_pubkey_serialize(ctx
, pubkeyc
, &pubkeyclen
, &pubkey
, secp256k1_rand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED
: SECP256K1_EC_UNCOMPRESSED
));
3470 memset(&pubkey
, 0, sizeof(pubkey
));
3471 CHECK(secp256k1_ec_pubkey_parse(ctx
, &pubkey
, pubkeyc
, pubkeyclen
) == 1);
3473 /* Verify negation changes the key and changes it back */
3474 memcpy(&pubkey_tmp
, &pubkey
, sizeof(pubkey
));
3475 CHECK(secp256k1_ec_pubkey_negate(ctx
, &pubkey_tmp
) == 1);
3476 CHECK(memcmp(&pubkey_tmp
, &pubkey
, sizeof(pubkey
)) != 0);
3477 CHECK(secp256k1_ec_pubkey_negate(ctx
, &pubkey_tmp
) == 1);
3478 CHECK(memcmp(&pubkey_tmp
, &pubkey
, sizeof(pubkey
)) == 0);
3480 /* Verify private key import and export. */
3481 CHECK(ec_privkey_export_der(ctx
, seckey
, &seckeylen
, privkey
, secp256k1_rand_bits(1) == 1));
3482 CHECK(ec_privkey_import_der(ctx
, privkey2
, seckey
, seckeylen
) == 1);
3483 CHECK(memcmp(privkey
, privkey2
, 32) == 0);
3485 /* Optionally tweak the keys using addition. */
3486 if (secp256k1_rand_int(3) == 0) {
3489 unsigned char rnd
[32];
3490 secp256k1_pubkey pubkey2
;
3491 secp256k1_rand256_test(rnd
);
3492 ret1
= secp256k1_ec_privkey_tweak_add(ctx
, privkey
, rnd
);
3493 ret2
= secp256k1_ec_pubkey_tweak_add(ctx
, &pubkey
, rnd
);
3494 CHECK(ret1
== ret2
);
3498 CHECK(secp256k1_ec_pubkey_create(ctx
, &pubkey2
, privkey
) == 1);
3499 CHECK(memcmp(&pubkey
, &pubkey2
, sizeof(pubkey
)) == 0);
3502 /* Optionally tweak the keys using multiplication. */
3503 if (secp256k1_rand_int(3) == 0) {
3506 unsigned char rnd
[32];
3507 secp256k1_pubkey pubkey2
;
3508 secp256k1_rand256_test(rnd
);
3509 ret1
= secp256k1_ec_privkey_tweak_mul(ctx
, privkey
, rnd
);
3510 ret2
= secp256k1_ec_pubkey_tweak_mul(ctx
, &pubkey
, rnd
);
3511 CHECK(ret1
== ret2
);
3515 CHECK(secp256k1_ec_pubkey_create(ctx
, &pubkey2
, privkey
) == 1);
3516 CHECK(memcmp(&pubkey
, &pubkey2
, sizeof(pubkey
)) == 0);
3520 CHECK(secp256k1_ecdsa_sign(ctx
, &signature
[0], message
, privkey
, NULL
, NULL
) == 1);
3521 CHECK(secp256k1_ecdsa_sign(ctx
, &signature
[4], message
, privkey
, NULL
, NULL
) == 1);
3522 CHECK(secp256k1_ecdsa_sign(ctx
, &signature
[1], message
, privkey
, NULL
, extra
) == 1);
3524 CHECK(secp256k1_ecdsa_sign(ctx
, &signature
[2], message
, privkey
, NULL
, extra
) == 1);
3527 CHECK(secp256k1_ecdsa_sign(ctx
, &signature
[3], message
, privkey
, NULL
, extra
) == 1);
3528 CHECK(memcmp(&signature
[0], &signature
[4], sizeof(signature
[0])) == 0);
3529 CHECK(memcmp(&signature
[0], &signature
[1], sizeof(signature
[0])) != 0);
3530 CHECK(memcmp(&signature
[0], &signature
[2], sizeof(signature
[0])) != 0);
3531 CHECK(memcmp(&signature
[0], &signature
[3], sizeof(signature
[0])) != 0);
3532 CHECK(memcmp(&signature
[1], &signature
[2], sizeof(signature
[0])) != 0);
3533 CHECK(memcmp(&signature
[1], &signature
[3], sizeof(signature
[0])) != 0);
3534 CHECK(memcmp(&signature
[2], &signature
[3], sizeof(signature
[0])) != 0);
3536 CHECK(secp256k1_ecdsa_verify(ctx
, &signature
[0], message
, &pubkey
) == 1);
3537 CHECK(secp256k1_ecdsa_verify(ctx
, &signature
[1], message
, &pubkey
) == 1);
3538 CHECK(secp256k1_ecdsa_verify(ctx
, &signature
[2], message
, &pubkey
) == 1);
3539 CHECK(secp256k1_ecdsa_verify(ctx
, &signature
[3], message
, &pubkey
) == 1);
3540 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
3541 CHECK(!secp256k1_ecdsa_signature_normalize(ctx
, NULL
, &signature
[0]));
3542 secp256k1_ecdsa_signature_load(ctx
, &r
, &s
, &signature
[0]);
3543 secp256k1_scalar_negate(&s
, &s
);
3544 secp256k1_ecdsa_signature_save(&signature
[5], &r
, &s
);
3545 CHECK(secp256k1_ecdsa_verify(ctx
, &signature
[5], message
, &pubkey
) == 0);
3546 CHECK(secp256k1_ecdsa_signature_normalize(ctx
, NULL
, &signature
[5]));
3547 CHECK(secp256k1_ecdsa_signature_normalize(ctx
, &signature
[5], &signature
[5]));
3548 CHECK(!secp256k1_ecdsa_signature_normalize(ctx
, NULL
, &signature
[5]));
3549 CHECK(!secp256k1_ecdsa_signature_normalize(ctx
, &signature
[5], &signature
[5]));
3550 CHECK(secp256k1_ecdsa_verify(ctx
, &signature
[5], message
, &pubkey
) == 1);
3551 secp256k1_scalar_negate(&s
, &s
);
3552 secp256k1_ecdsa_signature_save(&signature
[5], &r
, &s
);
3553 CHECK(!secp256k1_ecdsa_signature_normalize(ctx
, NULL
, &signature
[5]));
3554 CHECK(secp256k1_ecdsa_verify(ctx
, &signature
[5], message
, &pubkey
) == 1);
3555 CHECK(memcmp(&signature
[5], &signature
[0], 64) == 0);
3557 /* Serialize/parse DER and verify again */
3558 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx
, sig
, &siglen
, &signature
[0]) == 1);
3559 memset(&signature
[0], 0, sizeof(signature
[0]));
3560 CHECK(secp256k1_ecdsa_signature_parse_der(ctx
, &signature
[0], sig
, siglen
) == 1);
3561 CHECK(secp256k1_ecdsa_verify(ctx
, &signature
[0], message
, &pubkey
) == 1);
3562 /* Serialize/destroy/parse DER and verify again. */
3564 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx
, sig
, &siglen
, &signature
[0]) == 1);
3565 sig
[secp256k1_rand_int(siglen
)] += 1 + secp256k1_rand_int(255);
3566 CHECK(secp256k1_ecdsa_signature_parse_der(ctx
, &signature
[0], sig
, siglen
) == 0 ||
3567 secp256k1_ecdsa_verify(ctx
, &signature
[0], message
, &pubkey
) == 0);
3570 void test_random_pubkeys(void) {
3573 unsigned char in
[65];
3574 /* Generate some randomly sized pubkeys. */
3575 size_t len
= secp256k1_rand_bits(2) == 0 ? 65 : 33;
3576 if (secp256k1_rand_bits(2) == 0) {
3577 len
= secp256k1_rand_bits(6);
3580 in
[0] = secp256k1_rand_bits(1) ? 4 : (secp256k1_rand_bits(1) ? 6 : 7);
3582 in
[0] = secp256k1_rand_bits(1) ? 2 : 3;
3584 if (secp256k1_rand_bits(3) == 0) {
3585 in
[0] = secp256k1_rand_bits(8);
3588 secp256k1_rand256(&in
[1]);
3591 secp256k1_rand256(&in
[33]);
3593 if (secp256k1_eckey_pubkey_parse(&elem
, in
, len
)) {
3594 unsigned char out
[65];
3595 unsigned char firstb
;
3599 /* If the pubkey can be parsed, it should round-trip... */
3600 CHECK(secp256k1_eckey_pubkey_serialize(&elem
, out
, &size
, len
== 33));
3602 CHECK(memcmp(&in
[1], &out
[1], len
-1) == 0);
3603 /* ... except for the type of hybrid inputs. */
3604 if ((in
[0] != 6) && (in
[0] != 7)) {
3605 CHECK(in
[0] == out
[0]);
3608 CHECK(secp256k1_eckey_pubkey_serialize(&elem
, in
, &size
, 0));
3610 CHECK(secp256k1_eckey_pubkey_parse(&elem2
, in
, size
));
3611 ge_equals_ge(&elem
,&elem2
);
3612 /* Check that the X9.62 hybrid type is checked. */
3613 in
[0] = secp256k1_rand_bits(1) ? 6 : 7;
3614 res
= secp256k1_eckey_pubkey_parse(&elem2
, in
, size
);
3615 if (firstb
== 2 || firstb
== 3) {
3616 if (in
[0] == firstb
+ 4) {
3623 ge_equals_ge(&elem
,&elem2
);
3624 CHECK(secp256k1_eckey_pubkey_serialize(&elem
, out
, &size
, 0));
3625 CHECK(memcmp(&in
[1], &out
[1], 64) == 0);
3630 void run_random_pubkeys(void) {
3632 for (i
= 0; i
< 10*count
; i
++) {
3633 test_random_pubkeys();
3637 void run_ecdsa_end_to_end(void) {
3639 for (i
= 0; i
< 64*count
; i
++) {
3640 test_ecdsa_end_to_end();
3644 int test_ecdsa_der_parse(const unsigned char *sig
, size_t siglen
, int certainly_der
, int certainly_not_der
) {
3645 static const unsigned char zeroes
[32] = {0};
3646 #ifdef ENABLE_OPENSSL_TESTS
3647 static const unsigned char max_scalar
[32] = {
3648 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3649 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3650 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3651 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
3657 secp256k1_ecdsa_signature sig_der
;
3658 unsigned char roundtrip_der
[2048];
3659 unsigned char compact_der
[64];
3660 size_t len_der
= 2048;
3661 int parsed_der
= 0, valid_der
= 0, roundtrips_der
= 0;
3663 secp256k1_ecdsa_signature sig_der_lax
;
3664 unsigned char roundtrip_der_lax
[2048];
3665 unsigned char compact_der_lax
[64];
3666 size_t len_der_lax
= 2048;
3667 int parsed_der_lax
= 0, valid_der_lax
= 0, roundtrips_der_lax
= 0;
3669 #ifdef ENABLE_OPENSSL_TESTS
3670 ECDSA_SIG
*sig_openssl
;
3671 const unsigned char *sigptr
;
3672 unsigned char roundtrip_openssl
[2048];
3673 int len_openssl
= 2048;
3674 int parsed_openssl
, valid_openssl
= 0, roundtrips_openssl
= 0;
3677 parsed_der
= secp256k1_ecdsa_signature_parse_der(ctx
, &sig_der
, sig
, siglen
);
3679 ret
|= (!secp256k1_ecdsa_signature_serialize_compact(ctx
, compact_der
, &sig_der
)) << 0;
3680 valid_der
= (memcmp(compact_der
, zeroes
, 32) != 0) && (memcmp(compact_der
+ 32, zeroes
, 32) != 0);
3683 ret
|= (!secp256k1_ecdsa_signature_serialize_der(ctx
, roundtrip_der
, &len_der
, &sig_der
)) << 1;
3684 roundtrips_der
= (len_der
== siglen
) && memcmp(roundtrip_der
, sig
, siglen
) == 0;
3687 parsed_der_lax
= ecdsa_signature_parse_der_lax(ctx
, &sig_der_lax
, sig
, siglen
);
3688 if (parsed_der_lax
) {
3689 ret
|= (!secp256k1_ecdsa_signature_serialize_compact(ctx
, compact_der_lax
, &sig_der_lax
)) << 10;
3690 valid_der_lax
= (memcmp(compact_der_lax
, zeroes
, 32) != 0) && (memcmp(compact_der_lax
+ 32, zeroes
, 32) != 0);
3692 if (valid_der_lax
) {
3693 ret
|= (!secp256k1_ecdsa_signature_serialize_der(ctx
, roundtrip_der_lax
, &len_der_lax
, &sig_der_lax
)) << 11;
3694 roundtrips_der_lax
= (len_der_lax
== siglen
) && memcmp(roundtrip_der_lax
, sig
, siglen
) == 0;
3697 if (certainly_der
) {
3698 ret
|= (!parsed_der
) << 2;
3700 if (certainly_not_der
) {
3701 ret
|= (parsed_der
) << 17;
3704 ret
|= (!roundtrips_der
) << 3;
3708 ret
|= (!roundtrips_der_lax
) << 12;
3709 ret
|= (len_der
!= len_der_lax
) << 13;
3710 ret
|= (memcmp(roundtrip_der_lax
, roundtrip_der
, len_der
) != 0) << 14;
3712 ret
|= (roundtrips_der
!= roundtrips_der_lax
) << 15;
3714 ret
|= (!parsed_der_lax
) << 16;
3717 #ifdef ENABLE_OPENSSL_TESTS
3718 sig_openssl
= ECDSA_SIG_new();
3720 parsed_openssl
= (d2i_ECDSA_SIG(&sig_openssl
, &sigptr
, siglen
) != NULL
);
3721 if (parsed_openssl
) {
3722 valid_openssl
= !BN_is_negative(sig_openssl
->r
) && !BN_is_negative(sig_openssl
->s
) && BN_num_bits(sig_openssl
->r
) > 0 && BN_num_bits(sig_openssl
->r
) <= 256 && BN_num_bits(sig_openssl
->s
) > 0 && BN_num_bits(sig_openssl
->s
) <= 256;
3723 if (valid_openssl
) {
3724 unsigned char tmp
[32] = {0};
3725 BN_bn2bin(sig_openssl
->r
, tmp
+ 32 - BN_num_bytes(sig_openssl
->r
));
3726 valid_openssl
= memcmp(tmp
, max_scalar
, 32) < 0;
3728 if (valid_openssl
) {
3729 unsigned char tmp
[32] = {0};
3730 BN_bn2bin(sig_openssl
->s
, tmp
+ 32 - BN_num_bytes(sig_openssl
->s
));
3731 valid_openssl
= memcmp(tmp
, max_scalar
, 32) < 0;
3734 len_openssl
= i2d_ECDSA_SIG(sig_openssl
, NULL
);
3735 if (len_openssl
<= 2048) {
3736 unsigned char *ptr
= roundtrip_openssl
;
3737 CHECK(i2d_ECDSA_SIG(sig_openssl
, &ptr
) == len_openssl
);
3738 roundtrips_openssl
= valid_openssl
&& ((size_t)len_openssl
== siglen
) && (memcmp(roundtrip_openssl
, sig
, siglen
) == 0);
3742 ECDSA_SIG_free(sig_openssl
);
3744 ret
|= (parsed_der
&& !parsed_openssl
) << 4;
3745 ret
|= (valid_der
&& !valid_openssl
) << 5;
3746 ret
|= (roundtrips_openssl
&& !parsed_der
) << 6;
3747 ret
|= (roundtrips_der
!= roundtrips_openssl
) << 7;
3748 if (roundtrips_openssl
) {
3749 ret
|= (len_der
!= (size_t)len_openssl
) << 8;
3750 ret
|= (memcmp(roundtrip_der
, roundtrip_openssl
, len_der
) != 0) << 9;
3756 static void assign_big_endian(unsigned char *ptr
, size_t ptrlen
, uint32_t val
) {
3758 for (i
= 0; i
< ptrlen
; i
++) {
3759 int shift
= ptrlen
- 1 - i
;
3763 ptr
[i
] = (val
>> shift
) & 0xFF;
3768 static void damage_array(unsigned char *sig
, size_t *len
) {
3770 int action
= secp256k1_rand_bits(3);
3771 if (action
< 1 && *len
> 3) {
3772 /* Delete a byte. */
3773 pos
= secp256k1_rand_int(*len
);
3774 memmove(sig
+ pos
, sig
+ pos
+ 1, *len
- pos
- 1);
3777 } else if (action
< 2 && *len
< 2048) {
3778 /* Insert a byte. */
3779 pos
= secp256k1_rand_int(1 + *len
);
3780 memmove(sig
+ pos
+ 1, sig
+ pos
, *len
- pos
);
3781 sig
[pos
] = secp256k1_rand_bits(8);
3784 } else if (action
< 4) {
3785 /* Modify a byte. */
3786 sig
[secp256k1_rand_int(*len
)] += 1 + secp256k1_rand_int(255);
3788 } else { /* action < 8 */
3790 sig
[secp256k1_rand_int(*len
)] ^= 1 << secp256k1_rand_bits(3);
3795 static void random_ber_signature(unsigned char *sig
, size_t *len
, int* certainly_der
, int* certainly_not_der
) {
3797 int nlow
[2], nlen
[2], nlenlen
[2], nhbit
[2], nhbyte
[2], nzlen
[2];
3798 size_t tlen
, elen
, glen
;
3803 der
= secp256k1_rand_bits(2) == 0;
3804 *certainly_der
= der
;
3805 *certainly_not_der
= 0;
3806 indet
= der
? 0 : secp256k1_rand_int(10) == 0;
3808 for (n
= 0; n
< 2; n
++) {
3809 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
3810 nlow
[n
] = der
? 1 : (secp256k1_rand_bits(3) != 0);
3811 /* The length of the number in bytes (the first byte of which will always be nonzero) */
3812 nlen
[n
] = nlow
[n
] ? secp256k1_rand_int(33) : 32 + secp256k1_rand_int(200) * secp256k1_rand_int(8) / 8;
3813 CHECK(nlen
[n
] <= 232);
3814 /* The top bit of the number. */
3815 nhbit
[n
] = (nlow
[n
] == 0 && nlen
[n
] == 32) ? 1 : (nlen
[n
] == 0 ? 0 : secp256k1_rand_bits(1));
3816 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
3817 nhbyte
[n
] = nlen
[n
] == 0 ? 0 : (nhbit
[n
] ? 128 + secp256k1_rand_bits(7) : 1 + secp256k1_rand_int(127));
3818 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
3819 nzlen
[n
] = der
? ((nlen
[n
] == 0 || nhbit
[n
]) ? 1 : 0) : (nlow
[n
] ? secp256k1_rand_int(3) : secp256k1_rand_int(300 - nlen
[n
]) * secp256k1_rand_int(8) / 8);
3820 if (nzlen
[n
] > ((nlen
[n
] == 0 || nhbit
[n
]) ? 1 : 0)) {
3821 *certainly_not_der
= 1;
3823 CHECK(nlen
[n
] + nzlen
[n
] <= 300);
3824 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
3825 nlenlen
[n
] = nlen
[n
] + nzlen
[n
] < 128 ? 0 : (nlen
[n
] + nzlen
[n
] < 256 ? 1 : 2);
3827 /* nlenlen[n] max 127 bytes */
3828 int add
= secp256k1_rand_int(127 - nlenlen
[n
]) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
3831 *certainly_not_der
= 1;
3834 CHECK(nlen
[n
] + nzlen
[n
] + nlenlen
[n
] <= 427);
3837 /* The total length of the data to go, so far */
3838 tlen
= 2 + nlenlen
[0] + nlen
[0] + nzlen
[0] + 2 + nlenlen
[1] + nlen
[1] + nzlen
[1];
3841 /* The length of the garbage inside the tuple. */
3842 elen
= (der
|| indet
) ? 0 : secp256k1_rand_int(980 - tlen
) * secp256k1_rand_int(8) / 8;
3844 *certainly_not_der
= 1;
3849 /* The length of the garbage after the end of the tuple. */
3850 glen
= der
? 0 : secp256k1_rand_int(990 - tlen
) * secp256k1_rand_int(8) / 8;
3852 *certainly_not_der
= 1;
3854 CHECK(tlen
+ glen
<= 990);
3856 /* Write the tuple header. */
3857 sig
[(*len
)++] = 0x30;
3859 /* Indeterminate length */
3860 sig
[(*len
)++] = 0x80;
3861 *certainly_not_der
= 1;
3863 int tlenlen
= tlen
< 128 ? 0 : (tlen
< 256 ? 1 : 2);
3865 int add
= secp256k1_rand_int(127 - tlenlen
) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
3868 *certainly_not_der
= 1;
3872 /* Short length notation */
3873 sig
[(*len
)++] = tlen
;
3875 /* Long length notation */
3876 sig
[(*len
)++] = 128 + tlenlen
;
3877 assign_big_endian(sig
+ *len
, tlenlen
, tlen
);
3883 CHECK(tlen
+ glen
<= 1119);
3885 for (n
= 0; n
< 2; n
++) {
3886 /* Write the integer header. */
3887 sig
[(*len
)++] = 0x02;
3888 if (nlenlen
[n
] == 0) {
3889 /* Short length notation */
3890 sig
[(*len
)++] = nlen
[n
] + nzlen
[n
];
3892 /* Long length notation. */
3893 sig
[(*len
)++] = 128 + nlenlen
[n
];
3894 assign_big_endian(sig
+ *len
, nlenlen
[n
], nlen
[n
] + nzlen
[n
]);
3897 /* Write zero padding */
3898 while (nzlen
[n
] > 0) {
3899 sig
[(*len
)++] = 0x00;
3902 if (nlen
[n
] == 32 && !nlow
[n
]) {
3903 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
3905 for (i
= 0; i
< 16; i
++) {
3906 sig
[(*len
)++] = 0xFF;
3910 /* Write first byte of number */
3912 sig
[(*len
)++] = nhbyte
[n
];
3915 /* Generate remaining random bytes of number */
3916 secp256k1_rand_bytes_test(sig
+ *len
, nlen
[n
]);
3921 /* Generate random garbage inside tuple. */
3922 secp256k1_rand_bytes_test(sig
+ *len
, elen
);
3925 /* Generate end-of-contents bytes. */
3931 CHECK(tlen
+ glen
<= 1121);
3933 /* Generate random garbage outside tuple. */
3934 secp256k1_rand_bytes_test(sig
+ *len
, glen
);
3937 CHECK(tlen
<= 1121);
3938 CHECK(tlen
== *len
);
3941 void run_ecdsa_der_parse(void) {
3943 for (i
= 0; i
< 200 * count
; i
++) {
3944 unsigned char buffer
[2048];
3946 int certainly_der
= 0;
3947 int certainly_not_der
= 0;
3948 random_ber_signature(buffer
, &buflen
, &certainly_der
, &certainly_not_der
);
3949 CHECK(buflen
<= 2048);
3950 for (j
= 0; j
< 16; j
++) {
3953 damage_array(buffer
, &buflen
);
3954 /* We don't know anything anymore about the DERness of the result */
3956 certainly_not_der
= 0;
3958 ret
= test_ecdsa_der_parse(buffer
, buflen
, certainly_der
, certainly_not_der
);
3961 fprintf(stderr
, "Failure %x on ", ret
);
3962 for (k
= 0; k
< buflen
; k
++) {
3963 fprintf(stderr
, "%02x ", buffer
[k
]);
3965 fprintf(stderr
, "\n");
3972 /* Tests several edge cases. */
3973 void test_ecdsa_edge_cases(void) {
3975 secp256k1_ecdsa_signature sig
;
3977 /* Test the case where ECDSA recomputes a point that is infinity. */
3981 secp256k1_scalar msg
;
3982 secp256k1_scalar sr
, ss
;
3983 secp256k1_scalar_set_int(&ss
, 1);
3984 secp256k1_scalar_negate(&ss
, &ss
);
3985 secp256k1_scalar_inverse(&ss
, &ss
);
3986 secp256k1_scalar_set_int(&sr
, 1);
3987 secp256k1_ecmult_gen(&ctx
->ecmult_gen_ctx
, &keyj
, &sr
);
3988 secp256k1_ge_set_gej(&key
, &keyj
);
3990 CHECK(secp256k1_ecdsa_sig_verify(&ctx
->ecmult_ctx
, &sr
, &ss
, &key
, &msg
) == 0);
3993 /* Verify signature with r of zero fails. */
3995 const unsigned char pubkey_mods_zero
[33] = {
3996 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3997 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3998 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
3999 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4003 secp256k1_scalar msg
;
4004 secp256k1_scalar sr
, ss
;
4005 secp256k1_scalar_set_int(&ss
, 1);
4006 secp256k1_scalar_set_int(&msg
, 0);
4007 secp256k1_scalar_set_int(&sr
, 0);
4008 CHECK(secp256k1_eckey_pubkey_parse(&key
, pubkey_mods_zero
, 33));
4009 CHECK(secp256k1_ecdsa_sig_verify(&ctx
->ecmult_ctx
, &sr
, &ss
, &key
, &msg
) == 0);
4012 /* Verify signature with s of zero fails. */
4014 const unsigned char pubkey
[33] = {
4015 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4016 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4017 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4018 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4022 secp256k1_scalar msg
;
4023 secp256k1_scalar sr
, ss
;
4024 secp256k1_scalar_set_int(&ss
, 0);
4025 secp256k1_scalar_set_int(&msg
, 0);
4026 secp256k1_scalar_set_int(&sr
, 1);
4027 CHECK(secp256k1_eckey_pubkey_parse(&key
, pubkey
, 33));
4028 CHECK(secp256k1_ecdsa_sig_verify(&ctx
->ecmult_ctx
, &sr
, &ss
, &key
, &msg
) == 0);
4031 /* Verify signature with message 0 passes. */
4033 const unsigned char pubkey
[33] = {
4034 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4035 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4036 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4037 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4040 const unsigned char pubkey2
[33] = {
4041 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4042 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4043 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4044 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4049 secp256k1_scalar msg
;
4050 secp256k1_scalar sr
, ss
;
4051 secp256k1_scalar_set_int(&ss
, 2);
4052 secp256k1_scalar_set_int(&msg
, 0);
4053 secp256k1_scalar_set_int(&sr
, 2);
4054 CHECK(secp256k1_eckey_pubkey_parse(&key
, pubkey
, 33));
4055 CHECK(secp256k1_eckey_pubkey_parse(&key2
, pubkey2
, 33));
4056 CHECK(secp256k1_ecdsa_sig_verify(&ctx
->ecmult_ctx
, &sr
, &ss
, &key
, &msg
) == 1);
4057 CHECK(secp256k1_ecdsa_sig_verify(&ctx
->ecmult_ctx
, &sr
, &ss
, &key2
, &msg
) == 1);
4058 secp256k1_scalar_negate(&ss
, &ss
);
4059 CHECK(secp256k1_ecdsa_sig_verify(&ctx
->ecmult_ctx
, &sr
, &ss
, &key
, &msg
) == 1);
4060 CHECK(secp256k1_ecdsa_sig_verify(&ctx
->ecmult_ctx
, &sr
, &ss
, &key2
, &msg
) == 1);
4061 secp256k1_scalar_set_int(&ss
, 1);
4062 CHECK(secp256k1_ecdsa_sig_verify(&ctx
->ecmult_ctx
, &sr
, &ss
, &key
, &msg
) == 0);
4063 CHECK(secp256k1_ecdsa_sig_verify(&ctx
->ecmult_ctx
, &sr
, &ss
, &key2
, &msg
) == 0);
4066 /* Verify signature with message 1 passes. */
4068 const unsigned char pubkey
[33] = {
4069 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
4070 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
4071 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
4072 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
4075 const unsigned char pubkey2
[33] = {
4076 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
4077 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
4078 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
4079 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
4082 const unsigned char csr
[32] = {
4083 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4084 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4085 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4086 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
4090 secp256k1_scalar msg
;
4091 secp256k1_scalar sr
, ss
;
4092 secp256k1_scalar_set_int(&ss
, 1);
4093 secp256k1_scalar_set_int(&msg
, 1);
4094 secp256k1_scalar_set_b32(&sr
, csr
, NULL
);
4095 CHECK(secp256k1_eckey_pubkey_parse(&key
, pubkey
, 33));
4096 CHECK(secp256k1_eckey_pubkey_parse(&key2
, pubkey2
, 33));
4097 CHECK(secp256k1_ecdsa_sig_verify(&ctx
->ecmult_ctx
, &sr
, &ss
, &key
, &msg
) == 1);
4098 CHECK(secp256k1_ecdsa_sig_verify(&ctx
->ecmult_ctx
, &sr
, &ss
, &key2
, &msg
) == 1);
4099 secp256k1_scalar_negate(&ss
, &ss
);
4100 CHECK(secp256k1_ecdsa_sig_verify(&ctx
->ecmult_ctx
, &sr
, &ss
, &key
, &msg
) == 1);
4101 CHECK(secp256k1_ecdsa_sig_verify(&ctx
->ecmult_ctx
, &sr
, &ss
, &key2
, &msg
) == 1);
4102 secp256k1_scalar_set_int(&ss
, 2);
4103 secp256k1_scalar_inverse_var(&ss
, &ss
);
4104 CHECK(secp256k1_ecdsa_sig_verify(&ctx
->ecmult_ctx
, &sr
, &ss
, &key
, &msg
) == 0);
4105 CHECK(secp256k1_ecdsa_sig_verify(&ctx
->ecmult_ctx
, &sr
, &ss
, &key2
, &msg
) == 0);
4108 /* Verify signature with message -1 passes. */
4110 const unsigned char pubkey
[33] = {
4111 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
4112 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
4113 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
4114 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
4117 const unsigned char csr
[32] = {
4118 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4119 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4120 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4121 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
4124 secp256k1_scalar msg
;
4125 secp256k1_scalar sr
, ss
;
4126 secp256k1_scalar_set_int(&ss
, 1);
4127 secp256k1_scalar_set_int(&msg
, 1);
4128 secp256k1_scalar_negate(&msg
, &msg
);
4129 secp256k1_scalar_set_b32(&sr
, csr
, NULL
);
4130 CHECK(secp256k1_eckey_pubkey_parse(&key
, pubkey
, 33));
4131 CHECK(secp256k1_ecdsa_sig_verify(&ctx
->ecmult_ctx
, &sr
, &ss
, &key
, &msg
) == 1);
4132 secp256k1_scalar_negate(&ss
, &ss
);
4133 CHECK(secp256k1_ecdsa_sig_verify(&ctx
->ecmult_ctx
, &sr
, &ss
, &key
, &msg
) == 1);
4134 secp256k1_scalar_set_int(&ss
, 3);
4135 secp256k1_scalar_inverse_var(&ss
, &ss
);
4136 CHECK(secp256k1_ecdsa_sig_verify(&ctx
->ecmult_ctx
, &sr
, &ss
, &key
, &msg
) == 0);
4139 /* Signature where s would be zero. */
4141 secp256k1_pubkey pubkey
;
4144 unsigned char signature
[72];
4145 static const unsigned char nonce
[32] = {
4146 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4147 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4148 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4149 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4151 static const unsigned char nonce2
[32] = {
4152 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4153 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4154 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4155 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
4157 const unsigned char key
[32] = {
4158 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4159 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4160 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4161 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4163 unsigned char msg
[32] = {
4164 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
4165 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
4166 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
4167 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
4170 secp256k1_context_set_illegal_callback(ctx
, counting_illegal_callback_fn
, &ecount
);
4171 CHECK(secp256k1_ecdsa_sign(ctx
, &sig
, msg
, key
, precomputed_nonce_function
, nonce
) == 0);
4172 CHECK(secp256k1_ecdsa_sign(ctx
, &sig
, msg
, key
, precomputed_nonce_function
, nonce2
) == 0);
4174 CHECK(secp256k1_ecdsa_sign(ctx
, &sig
, msg
, key
, precomputed_nonce_function
, nonce
) == 1);
4176 CHECK(secp256k1_ecdsa_sign(ctx
, NULL
, msg
, key
, precomputed_nonce_function
, nonce2
) == 0);
4178 CHECK(secp256k1_ecdsa_sign(ctx
, &sig
, NULL
, key
, precomputed_nonce_function
, nonce2
) == 0);
4180 CHECK(secp256k1_ecdsa_sign(ctx
, &sig
, msg
, NULL
, precomputed_nonce_function
, nonce2
) == 0);
4182 CHECK(secp256k1_ecdsa_sign(ctx
, &sig
, msg
, key
, precomputed_nonce_function
, nonce2
) == 1);
4183 CHECK(secp256k1_ec_pubkey_create(ctx
, &pubkey
, key
) == 1);
4184 CHECK(secp256k1_ecdsa_verify(ctx
, NULL
, msg
, &pubkey
) == 0);
4186 CHECK(secp256k1_ecdsa_verify(ctx
, &sig
, NULL
, &pubkey
) == 0);
4188 CHECK(secp256k1_ecdsa_verify(ctx
, &sig
, msg
, NULL
) == 0);
4190 CHECK(secp256k1_ecdsa_verify(ctx
, &sig
, msg
, &pubkey
) == 1);
4192 CHECK(secp256k1_ec_pubkey_create(ctx
, &pubkey
, NULL
) == 0);
4194 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
4195 CHECK(secp256k1_ecdsa_verify(ctx
, &sig
, msg
, &pubkey
) == 0);
4198 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx
, NULL
, &siglen
, &sig
) == 0);
4200 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx
, signature
, NULL
, &sig
) == 0);
4201 CHECK(ecount
== 10);
4202 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx
, signature
, &siglen
, NULL
) == 0);
4203 CHECK(ecount
== 11);
4204 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx
, signature
, &siglen
, &sig
) == 1);
4205 CHECK(ecount
== 11);
4206 CHECK(secp256k1_ecdsa_signature_parse_der(ctx
, NULL
, signature
, siglen
) == 0);
4207 CHECK(ecount
== 12);
4208 CHECK(secp256k1_ecdsa_signature_parse_der(ctx
, &sig
, NULL
, siglen
) == 0);
4209 CHECK(ecount
== 13);
4210 CHECK(secp256k1_ecdsa_signature_parse_der(ctx
, &sig
, signature
, siglen
) == 1);
4211 CHECK(ecount
== 13);
4213 /* Too little room for a signature does not fail via ARGCHECK. */
4214 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx
, signature
, &siglen
, &sig
) == 0);
4215 CHECK(ecount
== 13);
4217 CHECK(secp256k1_ecdsa_signature_normalize(ctx
, NULL
, NULL
) == 0);
4219 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx
, NULL
, &sig
) == 0);
4221 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx
, signature
, NULL
) == 0);
4223 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx
, signature
, &sig
) == 1);
4225 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx
, NULL
, signature
) == 0);
4227 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx
, &sig
, NULL
) == 0);
4229 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx
, &sig
, signature
) == 1);
4231 memset(signature
, 255, 64);
4232 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx
, &sig
, signature
) == 0);
4234 secp256k1_context_set_illegal_callback(ctx
, NULL
, NULL
);
4237 /* Nonce function corner cases. */
4238 for (t
= 0; t
< 2; t
++) {
4239 static const unsigned char zero
[32] = {0x00};
4241 unsigned char key
[32];
4242 unsigned char msg
[32];
4243 secp256k1_ecdsa_signature sig2
;
4244 secp256k1_scalar sr
[512], ss
;
4245 const unsigned char *extra
;
4246 extra
= t
== 0 ? NULL
: zero
;
4249 /* High key results in signature failure. */
4250 memset(key
, 0xFF, 32);
4251 CHECK(secp256k1_ecdsa_sign(ctx
, &sig
, msg
, key
, NULL
, extra
) == 0);
4252 CHECK(is_empty_signature(&sig
));
4253 /* Zero key results in signature failure. */
4255 CHECK(secp256k1_ecdsa_sign(ctx
, &sig
, msg
, key
, NULL
, extra
) == 0);
4256 CHECK(is_empty_signature(&sig
));
4257 /* Nonce function failure results in signature failure. */
4259 CHECK(secp256k1_ecdsa_sign(ctx
, &sig
, msg
, key
, nonce_function_test_fail
, extra
) == 0);
4260 CHECK(is_empty_signature(&sig
));
4261 /* The retry loop successfully makes its way to the first good value. */
4262 CHECK(secp256k1_ecdsa_sign(ctx
, &sig
, msg
, key
, nonce_function_test_retry
, extra
) == 1);
4263 CHECK(!is_empty_signature(&sig
));
4264 CHECK(secp256k1_ecdsa_sign(ctx
, &sig2
, msg
, key
, nonce_function_rfc6979
, extra
) == 1);
4265 CHECK(!is_empty_signature(&sig2
));
4266 CHECK(memcmp(&sig
, &sig2
, sizeof(sig
)) == 0);
4267 /* The default nonce function is deterministic. */
4268 CHECK(secp256k1_ecdsa_sign(ctx
, &sig2
, msg
, key
, NULL
, extra
) == 1);
4269 CHECK(!is_empty_signature(&sig2
));
4270 CHECK(memcmp(&sig
, &sig2
, sizeof(sig
)) == 0);
4271 /* The default nonce function changes output with different messages. */
4272 for(i
= 0; i
< 256; i
++) {
4275 CHECK(secp256k1_ecdsa_sign(ctx
, &sig2
, msg
, key
, NULL
, extra
) == 1);
4276 CHECK(!is_empty_signature(&sig2
));
4277 secp256k1_ecdsa_signature_load(ctx
, &sr
[i
], &ss
, &sig2
);
4278 for (j
= 0; j
< i
; j
++) {
4279 CHECK(!secp256k1_scalar_eq(&sr
[i
], &sr
[j
]));
4284 /* The default nonce function changes output with different keys. */
4285 for(i
= 256; i
< 512; i
++) {
4288 CHECK(secp256k1_ecdsa_sign(ctx
, &sig2
, msg
, key
, NULL
, extra
) == 1);
4289 CHECK(!is_empty_signature(&sig2
));
4290 secp256k1_ecdsa_signature_load(ctx
, &sr
[i
], &ss
, &sig2
);
4291 for (j
= 0; j
< i
; j
++) {
4292 CHECK(!secp256k1_scalar_eq(&sr
[i
], &sr
[j
]));
4299 /* Check that optional nonce arguments do not have equivalent effect. */
4300 const unsigned char zeros
[32] = {0};
4301 unsigned char nonce
[32];
4302 unsigned char nonce2
[32];
4303 unsigned char nonce3
[32];
4304 unsigned char nonce4
[32];
4306 VG_UNDEF(nonce2
,32);
4307 VG_UNDEF(nonce3
,32);
4308 VG_UNDEF(nonce4
,32);
4309 CHECK(nonce_function_rfc6979(nonce
, zeros
, zeros
, NULL
, NULL
, 0) == 1);
4311 CHECK(nonce_function_rfc6979(nonce2
, zeros
, zeros
, zeros
, NULL
, 0) == 1);
4312 VG_CHECK(nonce2
,32);
4313 CHECK(nonce_function_rfc6979(nonce3
, zeros
, zeros
, NULL
, (void *)zeros
, 0) == 1);
4314 VG_CHECK(nonce3
,32);
4315 CHECK(nonce_function_rfc6979(nonce4
, zeros
, zeros
, zeros
, (void *)zeros
, 0) == 1);
4316 VG_CHECK(nonce4
,32);
4317 CHECK(memcmp(nonce
, nonce2
, 32) != 0);
4318 CHECK(memcmp(nonce
, nonce3
, 32) != 0);
4319 CHECK(memcmp(nonce
, nonce4
, 32) != 0);
4320 CHECK(memcmp(nonce2
, nonce3
, 32) != 0);
4321 CHECK(memcmp(nonce2
, nonce4
, 32) != 0);
4322 CHECK(memcmp(nonce3
, nonce4
, 32) != 0);
4326 /* Privkey export where pubkey is the point at infinity. */
4328 unsigned char privkey
[300];
4329 unsigned char seckey
[32] = {
4330 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4331 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4332 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4333 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
4335 size_t outlen
= 300;
4336 CHECK(!ec_privkey_export_der(ctx
, privkey
, &outlen
, seckey
, 0));
4338 CHECK(!ec_privkey_export_der(ctx
, privkey
, &outlen
, seckey
, 1));
4342 void run_ecdsa_edge_cases(void) {
4343 test_ecdsa_edge_cases();
4346 #ifdef ENABLE_OPENSSL_TESTS
4347 EC_KEY
*get_openssl_key(const unsigned char *key32
) {
4348 unsigned char privkey
[300];
4350 const unsigned char* pbegin
= privkey
;
4351 int compr
= secp256k1_rand_bits(1);
4352 EC_KEY
*ec_key
= EC_KEY_new_by_curve_name(NID_secp256k1
);
4353 CHECK(ec_privkey_export_der(ctx
, privkey
, &privkeylen
, key32
, compr
));
4354 CHECK(d2i_ECPrivateKey(&ec_key
, &pbegin
, privkeylen
));
4355 CHECK(EC_KEY_check_key(ec_key
));
4359 void test_ecdsa_openssl(void) {
4362 secp256k1_scalar sigr
, sigs
;
4363 secp256k1_scalar one
;
4364 secp256k1_scalar msg2
;
4365 secp256k1_scalar key
, msg
;
4367 unsigned int sigsize
= 80;
4368 size_t secp_sigsize
= 80;
4369 unsigned char message
[32];
4370 unsigned char signature
[80];
4371 unsigned char key32
[32];
4372 secp256k1_rand256_test(message
);
4373 secp256k1_scalar_set_b32(&msg
, message
, NULL
);
4374 random_scalar_order_test(&key
);
4375 secp256k1_scalar_get_b32(key32
, &key
);
4376 secp256k1_ecmult_gen(&ctx
->ecmult_gen_ctx
, &qj
, &key
);
4377 secp256k1_ge_set_gej(&q
, &qj
);
4378 ec_key
= get_openssl_key(key32
);
4379 CHECK(ec_key
!= NULL
);
4380 CHECK(ECDSA_sign(0, message
, sizeof(message
), signature
, &sigsize
, ec_key
));
4381 CHECK(secp256k1_ecdsa_sig_parse(&sigr
, &sigs
, signature
, sigsize
));
4382 CHECK(secp256k1_ecdsa_sig_verify(&ctx
->ecmult_ctx
, &sigr
, &sigs
, &q
, &msg
));
4383 secp256k1_scalar_set_int(&one
, 1);
4384 secp256k1_scalar_add(&msg2
, &msg
, &one
);
4385 CHECK(!secp256k1_ecdsa_sig_verify(&ctx
->ecmult_ctx
, &sigr
, &sigs
, &q
, &msg2
));
4387 random_sign(&sigr
, &sigs
, &key
, &msg
, NULL
);
4388 CHECK(secp256k1_ecdsa_sig_serialize(signature
, &secp_sigsize
, &sigr
, &sigs
));
4389 CHECK(ECDSA_verify(0, message
, sizeof(message
), signature
, secp_sigsize
, ec_key
) == 1);
4391 EC_KEY_free(ec_key
);
4394 void run_ecdsa_openssl(void) {
4396 for (i
= 0; i
< 10*count
; i
++) {
4397 test_ecdsa_openssl();
4402 #ifdef ENABLE_MODULE_ECDH
4403 # include "modules/ecdh/tests_impl.h"
4406 #ifdef ENABLE_MODULE_RECOVERY
4407 # include "modules/recovery/tests_impl.h"
4410 int main(int argc
, char **argv
) {
4411 unsigned char seed16
[16] = {0};
4412 unsigned char run32
[32] = {0};
4413 /* find iteration count */
4415 count
= strtol(argv
[1], NULL
, 0);
4418 /* find random seed */
4421 const char* ch
= argv
[2];
4422 while (pos
< 16 && ch
[0] != 0 && ch
[1] != 0) {
4424 if (sscanf(ch
, "%2hx", &sh
)) {
4433 FILE *frand
= fopen("/dev/urandom", "r");
4434 if ((frand
== NULL
) || !fread(&seed16
, sizeof(seed16
), 1, frand
)) {
4435 uint64_t t
= time(NULL
) * (uint64_t)1337;
4437 seed16
[1] ^= t
>> 8;
4438 seed16
[2] ^= t
>> 16;
4439 seed16
[3] ^= t
>> 24;
4440 seed16
[4] ^= t
>> 32;
4441 seed16
[5] ^= t
>> 40;
4442 seed16
[6] ^= t
>> 48;
4443 seed16
[7] ^= t
>> 56;
4447 secp256k1_rand_seed(seed16
);
4449 printf("test count = %i\n", count
);
4450 printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16
[0], seed16
[1], seed16
[2], seed16
[3], seed16
[4], seed16
[5], seed16
[6], seed16
[7], seed16
[8], seed16
[9], seed16
[10], seed16
[11], seed16
[12], seed16
[13], seed16
[14], seed16
[15]);
4453 run_context_tests();
4454 ctx
= secp256k1_context_create(SECP256K1_CONTEXT_SIGN
| SECP256K1_CONTEXT_VERIFY
);
4455 if (secp256k1_rand_bits(1)) {
4456 secp256k1_rand256(run32
);
4457 CHECK(secp256k1_context_randomize(ctx
, secp256k1_rand_bits(1) ? run32
: NULL
));
4464 run_hmac_sha256_tests();
4465 run_rfc6979_hmac_sha256_tests();
4467 #ifndef USE_NUM_NONE
4469 run_num_smalltests();
4477 run_field_inv_var();
4478 run_field_inv_all_var();
4480 run_field_convert();
4486 run_group_decompress();
4490 run_point_times_order();
4492 run_ecmult_constants();
4493 run_ecmult_gen_blind();
4494 run_ecmult_const_tests();
4497 /* endomorphism tests */
4498 #ifdef USE_ENDOMORPHISM
4499 run_endomorphism_tests();
4502 /* EC point parser test */
4503 run_ec_pubkey_parse_test();
4505 /* EC key edge cases */
4506 run_eckey_edge_case_test();
4508 #ifdef ENABLE_MODULE_ECDH
4514 run_random_pubkeys();
4515 run_ecdsa_der_parse();
4516 run_ecdsa_sign_verify();
4517 run_ecdsa_end_to_end();
4518 run_ecdsa_edge_cases();
4519 #ifdef ENABLE_OPENSSL_TESTS
4520 run_ecdsa_openssl();
4523 #ifdef ENABLE_MODULE_RECOVERY
4524 /* ECDSA pubkey recovery tests */
4525 run_recovery_tests();
4528 secp256k1_rand256(run32
);
4529 printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32
[0], run32
[1], run32
[2], run32
[3], run32
[4], run32
[5], run32
[6], run32
[7], run32
[8], run32
[9], run32
[10], run32
[11], run32
[12], run32
[13], run32
[14], run32
[15]);
4532 secp256k1_context_destroy(ctx
);
4534 printf("no problems found\n");