search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Squashed 'src/secp256k1/' changes from 8225239..84973d3
[bitcoinplatinum.git] / src / tests.c
blob3d9bd5ebb48d46dff2d677976f850ad8809592e7
1 /**********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
6
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
9 #endif
10
11 #include <stdio.h>
12 #include <stdlib.h>
13 #include <string.h>
14
15 #include <time.h>
16
17 #include "secp256k1.c"
18 #include "include/secp256k1.h"
19 #include "testrand_impl.h"
20
21 #ifdef ENABLE_OPENSSL_TESTS
22 #include "openssl/bn.h"
23 #include "openssl/ec.h"
24 #include "openssl/ecdsa.h"
25 #include "openssl/obj_mac.h"
26 #endif
27
28 #include "contrib/lax_der_parsing.c"
29 #include "contrib/lax_der_privatekey_parsing.c"
30
31 #if !defined(VG_CHECK)
32 # if defined(VALGRIND)
33 # include <valgrind/memcheck.h>
34 # define VG_UNDEF(x,y) VALGRIND_MAKE_MEM_UNDEFINED((x),(y))
35 # define VG_CHECK(x,y) VALGRIND_CHECK_MEM_IS_DEFINED((x),(y))
36 # else
37 # define VG_UNDEF(x,y)
38 # define VG_CHECK(x,y)
39 # endif
40 #endif
41
42 static int count = 64;
43 static secp256k1_context *ctx = NULL;
44
45 static void counting_illegal_callback_fn(const char* str, void* data) {
46 /* Dummy callback function that just counts. */
47 int32_t *p;
48 (void)str;
49 p = data;
50 (*p)++;
51 }
52
53 static void uncounting_illegal_callback_fn(const char* str, void* data) {
54 /* Dummy callback function that just counts (backwards). */
55 int32_t *p;
56 (void)str;
57 p = data;
58 (*p)--;
59 }
60
61 void random_field_element_test(secp256k1_fe *fe) {
62 do {
63 unsigned char b32[32];
64 secp256k1_rand256_test(b32);
65 if (secp256k1_fe_set_b32(fe, b32)) {
66 break;
67 }
68 } while(1);
69 }
70
71 void random_field_element_magnitude(secp256k1_fe *fe) {
72 secp256k1_fe zero;
73 int n = secp256k1_rand_int(9);
74 secp256k1_fe_normalize(fe);
75 if (n == 0) {
76 return;
77 }
78 secp256k1_fe_clear(&zero);
79 secp256k1_fe_negate(&zero, &zero, 0);
80 secp256k1_fe_mul_int(&zero, n - 1);
81 secp256k1_fe_add(fe, &zero);
82 VERIFY_CHECK(fe->magnitude == n);
83 }
84
85 void random_group_element_test(secp256k1_ge *ge) {
86 secp256k1_fe fe;
87 do {
88 random_field_element_test(&fe);
89 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand_bits(1))) {
90 secp256k1_fe_normalize(&ge->y);
91 break;
92 }
93 } while(1);
94 }
95
96 void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
97 secp256k1_fe z2, z3;
98 do {
99 random_field_element_test(&gej->z);
100 if (!secp256k1_fe_is_zero(&gej->z)) {
101 break;
102 }
103 } while(1);
104 secp256k1_fe_sqr(&z2, &gej->z);
105 secp256k1_fe_mul(&z3, &z2, &gej->z);
106 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
107 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
108 gej->infinity = ge->infinity;
109 }
110
111 void random_scalar_order_test(secp256k1_scalar *num) {
112 do {
113 unsigned char b32[32];
114 int overflow = 0;
115 secp256k1_rand256_test(b32);
116 secp256k1_scalar_set_b32(num, b32, &overflow);
117 if (overflow || secp256k1_scalar_is_zero(num)) {
118 continue;
119 }
120 break;
121 } while(1);
122 }
123
124 void random_scalar_order(secp256k1_scalar *num) {
125 do {
126 unsigned char b32[32];
127 int overflow = 0;
128 secp256k1_rand256(b32);
129 secp256k1_scalar_set_b32(num, b32, &overflow);
130 if (overflow || secp256k1_scalar_is_zero(num)) {
131 continue;
132 }
133 break;
134 } while(1);
135 }
136
137 void run_context_tests(void) {
138 secp256k1_pubkey pubkey;
139 secp256k1_pubkey zero_pubkey;
140 secp256k1_ecdsa_signature sig;
141 unsigned char ctmp[32];
142 int32_t ecount;
143 int32_t ecount2;
144 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
145 secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
146 secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
147 secp256k1_context *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
148
149 secp256k1_gej pubj;
150 secp256k1_ge pub;
151 secp256k1_scalar msg, key, nonce;
152 secp256k1_scalar sigr, sigs;
153
154 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
155
156 ecount = 0;
157 ecount2 = 10;
158 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
159 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
160 secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, NULL);
161 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
162
163 /*** clone and destroy all of them to make sure cloning was complete ***/
164 {
165 secp256k1_context *ctx_tmp;
166
167 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_destroy(ctx_tmp);
168 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_destroy(ctx_tmp);
169 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_destroy(ctx_tmp);
170 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_destroy(ctx_tmp);
171 }
172
173 /* Verify that the error callback makes it across the clone. */
174 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
175 /* And that it resets back to default. */
176 secp256k1_context_set_error_callback(sign, NULL, NULL);
177 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
178
179 /*** attempt to use them ***/
180 random_scalar_order_test(&msg);
181 random_scalar_order_test(&key);
182 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
183 secp256k1_ge_set_gej(&pub, &pubj);
184
185 /* Verify context-type checking illegal-argument errors. */
186 memset(ctmp, 1, 32);
187 CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
188 CHECK(ecount == 1);
189 VG_UNDEF(&pubkey, sizeof(pubkey));
190 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
191 VG_CHECK(&pubkey, sizeof(pubkey));
192 CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
193 CHECK(ecount == 2);
194 VG_UNDEF(&sig, sizeof(sig));
195 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
196 VG_CHECK(&sig, sizeof(sig));
197 CHECK(ecount2 == 10);
198 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
199 CHECK(ecount2 == 11);
200 CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
201 CHECK(ecount == 2);
202 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
203 CHECK(ecount2 == 12);
204 CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
205 CHECK(ecount == 2);
206 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
207 CHECK(ecount2 == 13);
208 CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
209 CHECK(ecount == 2);
210 CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
211 CHECK(ecount == 2);
212 CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
213 CHECK(ecount2 == 14);
214 CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
215 CHECK(ecount == 3);
216 CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
217 CHECK(ecount == 3);
218 CHECK(secp256k1_context_randomize(vrfy, ctmp) == 0);
219 CHECK(ecount == 4);
220 CHECK(secp256k1_context_randomize(sign, NULL) == 1);
221 CHECK(ecount2 == 14);
222 secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
223 secp256k1_context_set_illegal_callback(sign, NULL, NULL);
224
225 /* This shouldn't leak memory, due to already-set tests. */
226 secp256k1_ecmult_gen_context_build(&sign->ecmult_gen_ctx, NULL);
227 secp256k1_ecmult_context_build(&vrfy->ecmult_ctx, NULL);
228
229 /* obtain a working nonce */
230 do {
231 random_scalar_order_test(&nonce);
232 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
233
234 /* try signing */
235 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
236 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
237
238 /* try verifying */
239 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
240 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
241
242 /* cleanup */
243 secp256k1_context_destroy(none);
244 secp256k1_context_destroy(sign);
245 secp256k1_context_destroy(vrfy);
246 secp256k1_context_destroy(both);
247 /* Defined as no-op. */
248 secp256k1_context_destroy(NULL);
249 }
250
251 /***** HASH TESTS *****/
252
253 void run_sha256_tests(void) {
254 static const char *inputs[8] = {
255 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
256 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
257 "For this sample, this 63-byte string will be used as input data",
258 "This is exactly 64 bytes long, not counting the terminating byte"
259 };
260 static const unsigned char outputs[8][32] = {
261 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
262 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
263 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
264 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
265 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
266 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
267 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
268 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
269 };
270 int i;
271 for (i = 0; i < 8; i++) {
272 unsigned char out[32];
273 secp256k1_sha256_t hasher;
274 secp256k1_sha256_initialize(&hasher);
275 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
276 secp256k1_sha256_finalize(&hasher, out);
277 CHECK(memcmp(out, outputs[i], 32) == 0);
278 if (strlen(inputs[i]) > 0) {
279 int split = secp256k1_rand_int(strlen(inputs[i]));
280 secp256k1_sha256_initialize(&hasher);
281 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
282 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
283 secp256k1_sha256_finalize(&hasher, out);
284 CHECK(memcmp(out, outputs[i], 32) == 0);
285 }
286 }
287 }
288
289 void run_hmac_sha256_tests(void) {
290 static const char *keys[6] = {
291 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
292 "\x4a\x65\x66\x65",
293 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
294 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
295 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
296 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
297 };
298 static const char *inputs[6] = {
299 "\x48\x69\x20\x54\x68\x65\x72\x65",
300 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
301 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
302 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
303 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
304 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
305 };
306 static const unsigned char outputs[6][32] = {
307 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
308 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
309 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
310 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
311 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
312 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
313 };
314 int i;
315 for (i = 0; i < 6; i++) {
316 secp256k1_hmac_sha256_t hasher;
317 unsigned char out[32];
318 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
319 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
320 secp256k1_hmac_sha256_finalize(&hasher, out);
321 CHECK(memcmp(out, outputs[i], 32) == 0);
322 if (strlen(inputs[i]) > 0) {
323 int split = secp256k1_rand_int(strlen(inputs[i]));
324 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
325 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
326 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
327 secp256k1_hmac_sha256_finalize(&hasher, out);
328 CHECK(memcmp(out, outputs[i], 32) == 0);
329 }
330 }
331 }
332
333 void run_rfc6979_hmac_sha256_tests(void) {
334 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
335 static const unsigned char out1[3][32] = {
336 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
337 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
338 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
339 };
340
341 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
342 static const unsigned char out2[3][32] = {
343 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
344 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
345 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
346 };
347
348 secp256k1_rfc6979_hmac_sha256_t rng;
349 unsigned char out[32];
350 int i;
351
352 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
353 for (i = 0; i < 3; i++) {
354 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
355 CHECK(memcmp(out, out1[i], 32) == 0);
356 }
357 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
358
359 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
360 for (i = 0; i < 3; i++) {
361 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
362 CHECK(memcmp(out, out1[i], 32) != 0);
363 }
364 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
365
366 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
367 for (i = 0; i < 3; i++) {
368 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
369 CHECK(memcmp(out, out2[i], 32) == 0);
370 }
371 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
372 }
373
374 /***** RANDOM TESTS *****/
375
376 void test_rand_bits(int rand32, int bits) {
377 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
378 * get a false negative chance below once in a billion */
379 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
380 /* We try multiplying the results with various odd numbers, which shouldn't
381 * influence the uniform distribution modulo a power of 2. */
382 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
383 /* We only select up to 6 bits from the output to analyse */
384 unsigned int usebits = bits > 6 ? 6 : bits;
385 unsigned int maxshift = bits - usebits;
386 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
387 number, track all observed outcomes, one per bit in a uint64_t. */
388 uint64_t x[6][27] = {{0}};
389 unsigned int i, shift, m;
390 /* Multiply the output of all rand calls with the odd number m, which
391 should not change the uniformity of its distribution. */
392 for (i = 0; i < rounds[usebits]; i++) {
393 uint32_t r = (rand32 ? secp256k1_rand32() : secp256k1_rand_bits(bits));
394 CHECK((((uint64_t)r) >> bits) == 0);
395 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
396 uint32_t rm = r * mults[m];
397 for (shift = 0; shift <= maxshift; shift++) {
398 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
399 }
400 }
401 }
402 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
403 for (shift = 0; shift <= maxshift; shift++) {
404 /* Test that the lower usebits bits of x[shift] are 1 */
405 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
406 }
407 }
408 }
409
410 /* Subrange must be a whole divisor of range, and at most 64 */
411 void test_rand_int(uint32_t range, uint32_t subrange) {
412 /* (1-1/subrange)^rounds < 1/10^9 */
413 int rounds = (subrange * 2073) / 100;
414 int i;
415 uint64_t x = 0;
416 CHECK((range % subrange) == 0);
417 for (i = 0; i < rounds; i++) {
418 uint32_t r = secp256k1_rand_int(range);
419 CHECK(r < range);
420 r = r % subrange;
421 x |= (((uint64_t)1) << r);
422 }
423 /* Test that the lower subrange bits of x are 1. */
424 CHECK(((~x) << (64 - subrange)) == 0);
425 }
426
427 void run_rand_bits(void) {
428 size_t b;
429 test_rand_bits(1, 32);
430 for (b = 1; b <= 32; b++) {
431 test_rand_bits(0, b);
432 }
433 }
434
435 void run_rand_int(void) {
436 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
437 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
438 unsigned int m, s;
439 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
440 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
441 test_rand_int(ms[m] * ss[s], ss[s]);
442 }
443 }
444 }
445
446 /***** NUM TESTS *****/
447
448 #ifndef USE_NUM_NONE
449 void random_num_negate(secp256k1_num *num) {
450 if (secp256k1_rand_bits(1)) {
451 secp256k1_num_negate(num);
452 }
453 }
454
455 void random_num_order_test(secp256k1_num *num) {
456 secp256k1_scalar sc;
457 random_scalar_order_test(&sc);
458 secp256k1_scalar_get_num(num, &sc);
459 }
460
461 void random_num_order(secp256k1_num *num) {
462 secp256k1_scalar sc;
463 random_scalar_order(&sc);
464 secp256k1_scalar_get_num(num, &sc);
465 }
466
467 void test_num_negate(void) {
468 secp256k1_num n1;
469 secp256k1_num n2;
470 random_num_order_test(&n1); /* n1 = R */
471 random_num_negate(&n1);
472 secp256k1_num_copy(&n2, &n1); /* n2 = R */
473 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
474 CHECK(secp256k1_num_is_zero(&n1));
475 secp256k1_num_copy(&n1, &n2); /* n1 = R */
476 secp256k1_num_negate(&n1); /* n1 = -R */
477 CHECK(!secp256k1_num_is_zero(&n1));
478 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
479 CHECK(secp256k1_num_is_zero(&n1));
480 secp256k1_num_copy(&n1, &n2); /* n1 = R */
481 secp256k1_num_negate(&n1); /* n1 = -R */
482 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
483 secp256k1_num_negate(&n1); /* n1 = R */
484 CHECK(secp256k1_num_eq(&n1, &n2));
485 }
486
487 void test_num_add_sub(void) {
488 int i;
489 secp256k1_scalar s;
490 secp256k1_num n1;
491 secp256k1_num n2;
492 secp256k1_num n1p2, n2p1, n1m2, n2m1;
493 random_num_order_test(&n1); /* n1 = R1 */
494 if (secp256k1_rand_bits(1)) {
495 random_num_negate(&n1);
496 }
497 random_num_order_test(&n2); /* n2 = R2 */
498 if (secp256k1_rand_bits(1)) {
499 random_num_negate(&n2);
500 }
501 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
502 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
503 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
504 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
505 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
506 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
507 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
508 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
509 CHECK(!secp256k1_num_eq(&n2m1, &n1));
510 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
511 CHECK(secp256k1_num_eq(&n2m1, &n1));
512 CHECK(!secp256k1_num_eq(&n2p1, &n1));
513 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
514 CHECK(secp256k1_num_eq(&n2p1, &n1));
515
516 /* check is_one */
517 secp256k1_scalar_set_int(&s, 1);
518 secp256k1_scalar_get_num(&n1, &s);
519 CHECK(secp256k1_num_is_one(&n1));
520 /* check that 2^n + 1 is never 1 */
521 secp256k1_scalar_get_num(&n2, &s);
522 for (i = 0; i < 250; ++i) {
523 secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */
524 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */
525 CHECK(!secp256k1_num_is_one(&n1p2));
526 }
527 }
528
529 void test_num_mod(void) {
530 int i;
531 secp256k1_scalar s;
532 secp256k1_num order, n;
533
534 /* check that 0 mod anything is 0 */
535 random_scalar_order_test(&s);
536 secp256k1_scalar_get_num(&order, &s);
537 secp256k1_scalar_set_int(&s, 0);
538 secp256k1_scalar_get_num(&n, &s);
539 secp256k1_num_mod(&n, &order);
540 CHECK(secp256k1_num_is_zero(&n));
541
542 /* check that anything mod 1 is 0 */
543 secp256k1_scalar_set_int(&s, 1);
544 secp256k1_scalar_get_num(&order, &s);
545 secp256k1_scalar_get_num(&n, &s);
546 secp256k1_num_mod(&n, &order);
547 CHECK(secp256k1_num_is_zero(&n));
548
549 /* check that increasing the number past 2^256 does not break this */
550 random_scalar_order_test(&s);
551 secp256k1_scalar_get_num(&n, &s);
552 /* multiply by 2^8, which'll test this case with high probability */
553 for (i = 0; i < 8; ++i) {
554 secp256k1_num_add(&n, &n, &n);
555 }
556 secp256k1_num_mod(&n, &order);
557 CHECK(secp256k1_num_is_zero(&n));
558 }
559
560 void test_num_jacobi(void) {
561 secp256k1_scalar sqr;
562 secp256k1_scalar small;
563 secp256k1_scalar five; /* five is not a quadratic residue */
564 secp256k1_num order, n;
565 int i;
566 /* squares mod 5 are 1, 4 */
567 const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
568
569 /* check some small values with 5 as the order */
570 secp256k1_scalar_set_int(&five, 5);
571 secp256k1_scalar_get_num(&order, &five);
572 for (i = 0; i < 10; ++i) {
573 secp256k1_scalar_set_int(&small, i);
574 secp256k1_scalar_get_num(&n, &small);
575 CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
576 }
577
578 /** test large values with 5 as group order */
579 secp256k1_scalar_get_num(&order, &five);
580 /* we first need a scalar which is not a multiple of 5 */
581 do {
582 secp256k1_num fiven;
583 random_scalar_order_test(&sqr);
584 secp256k1_scalar_get_num(&fiven, &five);
585 secp256k1_scalar_get_num(&n, &sqr);
586 secp256k1_num_mod(&n, &fiven);
587 } while (secp256k1_num_is_zero(&n));
588 /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
589 * just multiply by two, i.e. add the number to itself */
590 if (secp256k1_num_jacobi(&n, &order) == -1) {
591 secp256k1_num_add(&n, &n, &n);
592 }
593
594 /* test residue */
595 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
596 /* test nonresidue */
597 secp256k1_num_add(&n, &n, &n);
598 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
599
600 /** test with secp group order as order */
601 secp256k1_scalar_order_get_num(&order);
602 random_scalar_order_test(&sqr);
603 secp256k1_scalar_sqr(&sqr, &sqr);
604 /* test residue */
605 secp256k1_scalar_get_num(&n, &sqr);
606 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
607 /* test nonresidue */
608 secp256k1_scalar_mul(&sqr, &sqr, &five);
609 secp256k1_scalar_get_num(&n, &sqr);
610 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
611 /* test multiple of the order*/
612 CHECK(secp256k1_num_jacobi(&order, &order) == 0);
613
614 /* check one less than the order */
615 secp256k1_scalar_set_int(&small, 1);
616 secp256k1_scalar_get_num(&n, &small);
617 secp256k1_num_sub(&n, &order, &n);
618 CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */
619 }
620
621 void run_num_smalltests(void) {
622 int i;
623 for (i = 0; i < 100*count; i++) {
624 test_num_negate();
625 test_num_add_sub();
626 test_num_mod();
627 test_num_jacobi();
628 }
629 }
630 #endif
631
632 /***** SCALAR TESTS *****/
633
634 void scalar_test(void) {
635 secp256k1_scalar s;
636 secp256k1_scalar s1;
637 secp256k1_scalar s2;
638 #ifndef USE_NUM_NONE
639 secp256k1_num snum, s1num, s2num;
640 secp256k1_num order, half_order;
641 #endif
642 unsigned char c[32];
643
644 /* Set 's' to a random scalar, with value 'snum'. */
645 random_scalar_order_test(&s);
646
647 /* Set 's1' to a random scalar, with value 's1num'. */
648 random_scalar_order_test(&s1);
649
650 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
651 random_scalar_order_test(&s2);
652 secp256k1_scalar_get_b32(c, &s2);
653
654 #ifndef USE_NUM_NONE
655 secp256k1_scalar_get_num(&snum, &s);
656 secp256k1_scalar_get_num(&s1num, &s1);
657 secp256k1_scalar_get_num(&s2num, &s2);
658
659 secp256k1_scalar_order_get_num(&order);
660 half_order = order;
661 secp256k1_num_shift(&half_order, 1);
662 #endif
663
664 {
665 int i;
666 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
667 secp256k1_scalar n;
668 secp256k1_scalar_set_int(&n, 0);
669 for (i = 0; i < 256; i += 4) {
670 secp256k1_scalar t;
671 int j;
672 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
673 for (j = 0; j < 4; j++) {
674 secp256k1_scalar_add(&n, &n, &n);
675 }
676 secp256k1_scalar_add(&n, &n, &t);
677 }
678 CHECK(secp256k1_scalar_eq(&n, &s));
679 }
680
681 {
682 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
683 secp256k1_scalar n;
684 int i = 0;
685 secp256k1_scalar_set_int(&n, 0);
686 while (i < 256) {
687 secp256k1_scalar t;
688 int j;
689 int now = secp256k1_rand_int(15) + 1;
690 if (now + i > 256) {
691 now = 256 - i;
692 }
693 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
694 for (j = 0; j < now; j++) {
695 secp256k1_scalar_add(&n, &n, &n);
696 }
697 secp256k1_scalar_add(&n, &n, &t);
698 i += now;
699 }
700 CHECK(secp256k1_scalar_eq(&n, &s));
701 }
702
703 #ifndef USE_NUM_NONE
704 {
705 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
706 secp256k1_num rnum;
707 secp256k1_num r2num;
708 secp256k1_scalar r;
709 secp256k1_num_add(&rnum, &snum, &s2num);
710 secp256k1_num_mod(&rnum, &order);
711 secp256k1_scalar_add(&r, &s, &s2);
712 secp256k1_scalar_get_num(&r2num, &r);
713 CHECK(secp256k1_num_eq(&rnum, &r2num));
714 }
715
716 {
717 /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
718 secp256k1_scalar r;
719 secp256k1_num r2num;
720 secp256k1_num rnum;
721 secp256k1_num_mul(&rnum, &snum, &s2num);
722 secp256k1_num_mod(&rnum, &order);
723 secp256k1_scalar_mul(&r, &s, &s2);
724 secp256k1_scalar_get_num(&r2num, &r);
725 CHECK(secp256k1_num_eq(&rnum, &r2num));
726 /* The result can only be zero if at least one of the factors was zero. */
727 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
728 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
729 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
730 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
731 }
732
733 {
734 secp256k1_scalar neg;
735 secp256k1_num negnum;
736 secp256k1_num negnum2;
737 /* Check that comparison with zero matches comparison with zero on the number. */
738 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
739 /* Check that comparison with the half order is equal to testing for high scalar. */
740 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
741 secp256k1_scalar_negate(&neg, &s);
742 secp256k1_num_sub(&negnum, &order, &snum);
743 secp256k1_num_mod(&negnum, &order);
744 /* Check that comparison with the half order is equal to testing for high scalar after negation. */
745 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
746 /* Negating should change the high property, unless the value was already zero. */
747 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
748 secp256k1_scalar_get_num(&negnum2, &neg);
749 /* Negating a scalar should be equal to (order - n) mod order on the number. */
750 CHECK(secp256k1_num_eq(&negnum, &negnum2));
751 secp256k1_scalar_add(&neg, &neg, &s);
752 /* Adding a number to its negation should result in zero. */
753 CHECK(secp256k1_scalar_is_zero(&neg));
754 secp256k1_scalar_negate(&neg, &neg);
755 /* Negating zero should still result in zero. */
756 CHECK(secp256k1_scalar_is_zero(&neg));
757 }
758
759 {
760 /* Test secp256k1_scalar_mul_shift_var. */
761 secp256k1_scalar r;
762 secp256k1_num one;
763 secp256k1_num rnum;
764 secp256k1_num rnum2;
765 unsigned char cone[1] = {0x01};
766 unsigned int shift = 256 + secp256k1_rand_int(257);
767 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
768 secp256k1_num_mul(&rnum, &s1num, &s2num);
769 secp256k1_num_shift(&rnum, shift - 1);
770 secp256k1_num_set_bin(&one, cone, 1);
771 secp256k1_num_add(&rnum, &rnum, &one);
772 secp256k1_num_shift(&rnum, 1);
773 secp256k1_scalar_get_num(&rnum2, &r);
774 CHECK(secp256k1_num_eq(&rnum, &rnum2));
775 }
776
777 {
778 /* test secp256k1_scalar_shr_int */
779 secp256k1_scalar r;
780 int i;
781 random_scalar_order_test(&r);
782 for (i = 0; i < 100; ++i) {
783 int low;
784 int shift = 1 + secp256k1_rand_int(15);
785 int expected = r.d[0] % (1 << shift);
786 low = secp256k1_scalar_shr_int(&r, shift);
787 CHECK(expected == low);
788 }
789 }
790 #endif
791
792 {
793 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
794 if (!secp256k1_scalar_is_zero(&s)) {
795 secp256k1_scalar inv;
796 #ifndef USE_NUM_NONE
797 secp256k1_num invnum;
798 secp256k1_num invnum2;
799 #endif
800 secp256k1_scalar_inverse(&inv, &s);
801 #ifndef USE_NUM_NONE
802 secp256k1_num_mod_inverse(&invnum, &snum, &order);
803 secp256k1_scalar_get_num(&invnum2, &inv);
804 CHECK(secp256k1_num_eq(&invnum, &invnum2));
805 #endif
806 secp256k1_scalar_mul(&inv, &inv, &s);
807 /* Multiplying a scalar with its inverse must result in one. */
808 CHECK(secp256k1_scalar_is_one(&inv));
809 secp256k1_scalar_inverse(&inv, &inv);
810 /* Inverting one must result in one. */
811 CHECK(secp256k1_scalar_is_one(&inv));
812 #ifndef USE_NUM_NONE
813 secp256k1_scalar_get_num(&invnum, &inv);
814 CHECK(secp256k1_num_is_one(&invnum));
815 #endif
816 }
817 }
818
819 {
820 /* Test commutativity of add. */
821 secp256k1_scalar r1, r2;
822 secp256k1_scalar_add(&r1, &s1, &s2);
823 secp256k1_scalar_add(&r2, &s2, &s1);
824 CHECK(secp256k1_scalar_eq(&r1, &r2));
825 }
826
827 {
828 secp256k1_scalar r1, r2;
829 secp256k1_scalar b;
830 int i;
831 /* Test add_bit. */
832 int bit = secp256k1_rand_bits(8);
833 secp256k1_scalar_set_int(&b, 1);
834 CHECK(secp256k1_scalar_is_one(&b));
835 for (i = 0; i < bit; i++) {
836 secp256k1_scalar_add(&b, &b, &b);
837 }
838 r1 = s1;
839 r2 = s1;
840 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
841 /* No overflow happened. */
842 secp256k1_scalar_cadd_bit(&r2, bit, 1);
843 CHECK(secp256k1_scalar_eq(&r1, &r2));
844 /* cadd is a noop when flag is zero */
845 secp256k1_scalar_cadd_bit(&r2, bit, 0);
846 CHECK(secp256k1_scalar_eq(&r1, &r2));
847 }
848 }
849
850 {
851 /* Test commutativity of mul. */
852 secp256k1_scalar r1, r2;
853 secp256k1_scalar_mul(&r1, &s1, &s2);
854 secp256k1_scalar_mul(&r2, &s2, &s1);
855 CHECK(secp256k1_scalar_eq(&r1, &r2));
856 }
857
858 {
859 /* Test associativity of add. */
860 secp256k1_scalar r1, r2;
861 secp256k1_scalar_add(&r1, &s1, &s2);
862 secp256k1_scalar_add(&r1, &r1, &s);
863 secp256k1_scalar_add(&r2, &s2, &s);
864 secp256k1_scalar_add(&r2, &s1, &r2);
865 CHECK(secp256k1_scalar_eq(&r1, &r2));
866 }
867
868 {
869 /* Test associativity of mul. */
870 secp256k1_scalar r1, r2;
871 secp256k1_scalar_mul(&r1, &s1, &s2);
872 secp256k1_scalar_mul(&r1, &r1, &s);
873 secp256k1_scalar_mul(&r2, &s2, &s);
874 secp256k1_scalar_mul(&r2, &s1, &r2);
875 CHECK(secp256k1_scalar_eq(&r1, &r2));
876 }
877
878 {
879 /* Test distributitivity of mul over add. */
880 secp256k1_scalar r1, r2, t;
881 secp256k1_scalar_add(&r1, &s1, &s2);
882 secp256k1_scalar_mul(&r1, &r1, &s);
883 secp256k1_scalar_mul(&r2, &s1, &s);
884 secp256k1_scalar_mul(&t, &s2, &s);
885 secp256k1_scalar_add(&r2, &r2, &t);
886 CHECK(secp256k1_scalar_eq(&r1, &r2));
887 }
888
889 {
890 /* Test square. */
891 secp256k1_scalar r1, r2;
892 secp256k1_scalar_sqr(&r1, &s1);
893 secp256k1_scalar_mul(&r2, &s1, &s1);
894 CHECK(secp256k1_scalar_eq(&r1, &r2));
895 }
896
897 {
898 /* Test multiplicative identity. */
899 secp256k1_scalar r1, v1;
900 secp256k1_scalar_set_int(&v1,1);
901 secp256k1_scalar_mul(&r1, &s1, &v1);
902 CHECK(secp256k1_scalar_eq(&r1, &s1));
903 }
904
905 {
906 /* Test additive identity. */
907 secp256k1_scalar r1, v0;
908 secp256k1_scalar_set_int(&v0,0);
909 secp256k1_scalar_add(&r1, &s1, &v0);
910 CHECK(secp256k1_scalar_eq(&r1, &s1));
911 }
912
913 {
914 /* Test zero product property. */
915 secp256k1_scalar r1, v0;
916 secp256k1_scalar_set_int(&v0,0);
917 secp256k1_scalar_mul(&r1, &s1, &v0);
918 CHECK(secp256k1_scalar_eq(&r1, &v0));
919 }
920
921 }
922
923 void run_scalar_tests(void) {
924 int i;
925 for (i = 0; i < 128 * count; i++) {
926 scalar_test();
927 }
928
929 {
930 /* (-1)+1 should be zero. */
931 secp256k1_scalar s, o;
932 secp256k1_scalar_set_int(&s, 1);
933 CHECK(secp256k1_scalar_is_one(&s));
934 secp256k1_scalar_negate(&o, &s);
935 secp256k1_scalar_add(&o, &o, &s);
936 CHECK(secp256k1_scalar_is_zero(&o));
937 secp256k1_scalar_negate(&o, &o);
938 CHECK(secp256k1_scalar_is_zero(&o));
939 }
940
941 #ifndef USE_NUM_NONE
942 {
943 /* A scalar with value of the curve order should be 0. */
944 secp256k1_num order;
945 secp256k1_scalar zero;
946 unsigned char bin[32];
947 int overflow = 0;
948 secp256k1_scalar_order_get_num(&order);
949 secp256k1_num_get_bin(bin, 32, &order);
950 secp256k1_scalar_set_b32(&zero, bin, &overflow);
951 CHECK(overflow == 1);
952 CHECK(secp256k1_scalar_is_zero(&zero));
953 }
954 #endif
955
956 {
957 /* Does check_overflow check catch all ones? */
958 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
959 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
960 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
961 );
962 CHECK(secp256k1_scalar_check_overflow(&overflowed));
963 }
964
965 {
966 /* Static test vectors.
967 * These were reduced from ~10^12 random vectors based on comparison-decision
968 * and edge-case coverage on 32-bit and 64-bit implementations.
969 * The responses were generated with Sage 5.9.
970 */
971 secp256k1_scalar x;
972 secp256k1_scalar y;
973 secp256k1_scalar z;
974 secp256k1_scalar zz;
975 secp256k1_scalar one;
976 secp256k1_scalar r1;
977 secp256k1_scalar r2;
978 #if defined(USE_SCALAR_INV_NUM)
979 secp256k1_scalar zzv;
980 #endif
981 int overflow;
982 unsigned char chal[33][2][32] = {
983 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
984 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
985 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
986 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
987 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
988 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
989 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
990 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
991 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
992 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
993 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
994 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
995 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
996 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
997 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
998 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
999 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1000 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1001 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1002 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1003 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1004 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1005 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1006 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1007 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1008 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1009 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1010 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1011 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1012 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1013 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1014 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1015 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1016 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1017 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1018 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1019 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1020 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1021 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1022 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1023 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1024 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1025 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1026 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1027 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1028 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1029 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1030 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1031 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1032 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1033 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1034 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1035 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1036 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1037 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1038 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1039 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1040 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1041 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1042 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1043 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1044 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1045 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1046 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1047 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1048 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1049 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1050 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1051 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1052 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1053 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1054 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1055 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1056 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1057 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1058 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1059 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1060 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1061 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1062 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1063 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1064 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1065 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1066 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1067 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1068 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1069 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1070 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1071 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1072 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1073 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1074 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1075 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1076 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1077 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1078 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1079 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1080 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1081 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1082 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1083 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1084 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1085 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1086 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1087 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1088 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1089 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1090 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1091 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1092 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1093 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1094 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1095 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1096 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1097 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1098 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1099 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1100 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1101 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1102 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1103 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1104 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1105 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1106 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1107 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1108 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1109 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1110 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1111 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1112 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1113 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1114 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1115 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1116 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1117 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1118 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1119 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1120 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1121 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1122 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1123 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1124 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1125 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1126 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1127 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1128 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1129 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1130 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1131 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1132 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1133 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1134 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1135 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1136 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1137 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1138 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1139 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1140 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1141 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1142 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1143 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1144 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1145 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1146 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1147 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1148 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1149 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1150 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1151 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1152 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1153 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1154 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1155 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1156 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1157 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1158 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1159 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1160 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1161 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1162 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1163 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1164 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1165 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1166 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1167 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1168 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1169 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1170 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1171 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1172 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1173 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1174 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1175 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1176 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1177 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1178 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1179 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1180 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1181 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1182 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1183 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1184 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1185 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1186 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1187 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1188 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1189 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1190 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1191 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1192 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1193 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1194 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1195 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1196 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1197 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1198 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1199 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1200 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1201 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1202 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1203 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1204 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1205 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1206 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1207 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1208 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1209 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1210 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1211 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1212 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1213 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1214 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1215 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1216 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1217 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1218 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1219 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1220 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1221 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1222 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1223 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1224 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1225 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1226 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1227 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1228 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1229 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1230 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1231 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1232 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1233 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1234 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1235 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1236 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1237 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1238 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1239 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1240 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1241 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1242 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1243 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1244 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1245 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1246 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
1247 };
1248 unsigned char res[33][2][32] = {
1249 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1250 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1251 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1252 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1253 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1254 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1255 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1256 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1257 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1258 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1259 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1260 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1261 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1262 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1263 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1264 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1265 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1266 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1267 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1268 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1269 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1270 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1271 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1272 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1273 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1274 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1275 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1276 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1277 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1278 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1279 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1280 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1281 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1282 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1283 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1284 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1285 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1286 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1287 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1288 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1289 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1290 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1291 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1292 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1293 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1294 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1295 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1296 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1297 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1298 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1299 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1300 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1301 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1302 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1303 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1304 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1305 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1306 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1307 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1308 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1309 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1310 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1311 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1312 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1313 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1314 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1315 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1316 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1317 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1318 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1319 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1320 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1321 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1322 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1323 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1324 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1325 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1326 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1327 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1328 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1329 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1330 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1331 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1332 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1333 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1334 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1335 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1336 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1337 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1338 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1339 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1340 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1341 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1342 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1343 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1344 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1345 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1346 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1347 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1348 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1349 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1350 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1351 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1352 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1353 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1354 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1355 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1356 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1357 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1358 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1359 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1360 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1361 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1362 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1363 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1364 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1365 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1366 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1367 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1368 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1369 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1370 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1371 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1372 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1373 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1374 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1375 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1376 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1377 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1378 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1379 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1380 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1381 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1382 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1383 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1384 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1385 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1386 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1387 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1388 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1389 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1390 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1391 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1392 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1393 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1394 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1395 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1396 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1397 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1398 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1399 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1400 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1401 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1402 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1403 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1404 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1405 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1406 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1407 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1408 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1409 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1410 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1411 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1412 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1413 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1414 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1415 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1416 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1417 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1418 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1419 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1420 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1421 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1422 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1423 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1424 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1425 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1426 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1427 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1428 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1429 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1430 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1431 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1432 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1433 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1434 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1435 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1436 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1437 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1438 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1439 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1440 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1441 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1442 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1443 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1444 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1445 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1446 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1447 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1448 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1449 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1450 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1451 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1452 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1453 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1454 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1455 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1456 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1457 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1458 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1459 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1460 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1461 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1462 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1463 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1464 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1465 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1466 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1467 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1468 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1469 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1470 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1471 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1472 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1473 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1474 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1475 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1476 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1477 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1478 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1479 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1480 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1481 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1482 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1483 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1484 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1485 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1486 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1487 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1488 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1489 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1490 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1491 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1492 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1493 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1494 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1495 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1496 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1497 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1498 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1499 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1500 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1501 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1502 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1503 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
1504 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1505 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1506 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1507 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1508 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1509 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1510 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1511 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1512 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
1513 };
1514 secp256k1_scalar_set_int(&one, 1);
1515 for (i = 0; i < 33; i++) {
1516 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1517 CHECK(!overflow);
1518 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1519 CHECK(!overflow);
1520 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1521 CHECK(!overflow);
1522 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1523 CHECK(!overflow);
1524 secp256k1_scalar_mul(&z, &x, &y);
1525 CHECK(!secp256k1_scalar_check_overflow(&z));
1526 CHECK(secp256k1_scalar_eq(&r1, &z));
1527 if (!secp256k1_scalar_is_zero(&y)) {
1528 secp256k1_scalar_inverse(&zz, &y);
1529 CHECK(!secp256k1_scalar_check_overflow(&zz));
1530 #if defined(USE_SCALAR_INV_NUM)
1531 secp256k1_scalar_inverse_var(&zzv, &y);
1532 CHECK(secp256k1_scalar_eq(&zzv, &zz));
1533 #endif
1534 secp256k1_scalar_mul(&z, &z, &zz);
1535 CHECK(!secp256k1_scalar_check_overflow(&z));
1536 CHECK(secp256k1_scalar_eq(&x, &z));
1537 secp256k1_scalar_mul(&zz, &zz, &y);
1538 CHECK(!secp256k1_scalar_check_overflow(&zz));
1539 CHECK(secp256k1_scalar_eq(&one, &zz));
1540 }
1541 secp256k1_scalar_mul(&z, &x, &x);
1542 CHECK(!secp256k1_scalar_check_overflow(&z));
1543 secp256k1_scalar_sqr(&zz, &x);
1544 CHECK(!secp256k1_scalar_check_overflow(&zz));
1545 CHECK(secp256k1_scalar_eq(&zz, &z));
1546 CHECK(secp256k1_scalar_eq(&r2, &zz));
1547 }
1548 }
1549 }
1550
1551 /***** FIELD TESTS *****/
1552
1553 void random_fe(secp256k1_fe *x) {
1554 unsigned char bin[32];
1555 do {
1556 secp256k1_rand256(bin);
1557 if (secp256k1_fe_set_b32(x, bin)) {
1558 return;
1559 }
1560 } while(1);
1561 }
1562
1563 void random_fe_test(secp256k1_fe *x) {
1564 unsigned char bin[32];
1565 do {
1566 secp256k1_rand256_test(bin);
1567 if (secp256k1_fe_set_b32(x, bin)) {
1568 return;
1569 }
1570 } while(1);
1571 }
1572
1573 void random_fe_non_zero(secp256k1_fe *nz) {
1574 int tries = 10;
1575 while (--tries >= 0) {
1576 random_fe(nz);
1577 secp256k1_fe_normalize(nz);
1578 if (!secp256k1_fe_is_zero(nz)) {
1579 break;
1580 }
1581 }
1582 /* Infinitesimal probability of spurious failure here */
1583 CHECK(tries >= 0);
1584 }
1585
1586 void random_fe_non_square(secp256k1_fe *ns) {
1587 secp256k1_fe r;
1588 random_fe_non_zero(ns);
1589 if (secp256k1_fe_sqrt(&r, ns)) {
1590 secp256k1_fe_negate(ns, ns, 1);
1591 }
1592 }
1593
1594 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1595 secp256k1_fe an = *a;
1596 secp256k1_fe bn = *b;
1597 secp256k1_fe_normalize_weak(&an);
1598 secp256k1_fe_normalize_var(&bn);
1599 return secp256k1_fe_equal_var(&an, &bn);
1600 }
1601
1602 int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) {
1603 secp256k1_fe x;
1604 secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
1605 secp256k1_fe_mul(&x, a, ai);
1606 return check_fe_equal(&x, &one);
1607 }
1608
1609 void run_field_convert(void) {
1610 static const unsigned char b32[32] = {
1611 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1612 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1613 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1614 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1615 };
1616 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
1617 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1618 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1619 );
1620 static const secp256k1_fe fe = SECP256K1_FE_CONST(
1621 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1622 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1623 );
1624 secp256k1_fe fe2;
1625 unsigned char b322[32];
1626 secp256k1_fe_storage fes2;
1627 /* Check conversions to fe. */
1628 CHECK(secp256k1_fe_set_b32(&fe2, b32));
1629 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1630 secp256k1_fe_from_storage(&fe2, &fes);
1631 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1632 /* Check conversion from fe. */
1633 secp256k1_fe_get_b32(b322, &fe);
1634 CHECK(memcmp(b322, b32, 32) == 0);
1635 secp256k1_fe_to_storage(&fes2, &fe);
1636 CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0);
1637 }
1638
1639 int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b) {
1640 secp256k1_fe t = *b;
1641 #ifdef VERIFY
1642 t.magnitude = a->magnitude;
1643 t.normalized = a->normalized;
1644 #endif
1645 return memcmp(a, &t, sizeof(secp256k1_fe));
1646 }
1647
1648 void run_field_misc(void) {
1649 secp256k1_fe x;
1650 secp256k1_fe y;
1651 secp256k1_fe z;
1652 secp256k1_fe q;
1653 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
1654 int i, j;
1655 for (i = 0; i < 5*count; i++) {
1656 secp256k1_fe_storage xs, ys, zs;
1657 random_fe(&x);
1658 random_fe_non_zero(&y);
1659 /* Test the fe equality and comparison operations. */
1660 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
1661 CHECK(secp256k1_fe_equal_var(&x, &x));
1662 z = x;
1663 secp256k1_fe_add(&z,&y);
1664 /* Test fe conditional move; z is not normalized here. */
1665 q = x;
1666 secp256k1_fe_cmov(&x, &z, 0);
1667 VERIFY_CHECK(!x.normalized && x.magnitude == z.magnitude);
1668 secp256k1_fe_cmov(&x, &x, 1);
1669 CHECK(fe_memcmp(&x, &z) != 0);
1670 CHECK(fe_memcmp(&x, &q) == 0);
1671 secp256k1_fe_cmov(&q, &z, 1);
1672 VERIFY_CHECK(!q.normalized && q.magnitude == z.magnitude);
1673 CHECK(fe_memcmp(&q, &z) == 0);
1674 secp256k1_fe_normalize_var(&x);
1675 secp256k1_fe_normalize_var(&z);
1676 CHECK(!secp256k1_fe_equal_var(&x, &z));
1677 secp256k1_fe_normalize_var(&q);
1678 secp256k1_fe_cmov(&q, &z, (i&1));
1679 VERIFY_CHECK(q.normalized && q.magnitude == 1);
1680 for (j = 0; j < 6; j++) {
1681 secp256k1_fe_negate(&z, &z, j+1);
1682 secp256k1_fe_normalize_var(&q);
1683 secp256k1_fe_cmov(&q, &z, (j&1));
1684 VERIFY_CHECK(!q.normalized && q.magnitude == (j+2));
1685 }
1686 secp256k1_fe_normalize_var(&z);
1687 /* Test storage conversion and conditional moves. */
1688 secp256k1_fe_to_storage(&xs, &x);
1689 secp256k1_fe_to_storage(&ys, &y);
1690 secp256k1_fe_to_storage(&zs, &z);
1691 secp256k1_fe_storage_cmov(&zs, &xs, 0);
1692 secp256k1_fe_storage_cmov(&zs, &zs, 1);
1693 CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0);
1694 secp256k1_fe_storage_cmov(&ys, &xs, 1);
1695 CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0);
1696 secp256k1_fe_from_storage(&x, &xs);
1697 secp256k1_fe_from_storage(&y, &ys);
1698 secp256k1_fe_from_storage(&z, &zs);
1699 /* Test that mul_int, mul, and add agree. */
1700 secp256k1_fe_add(&y, &x);
1701 secp256k1_fe_add(&y, &x);
1702 z = x;
1703 secp256k1_fe_mul_int(&z, 3);
1704 CHECK(check_fe_equal(&y, &z));
1705 secp256k1_fe_add(&y, &x);
1706 secp256k1_fe_add(&z, &x);
1707 CHECK(check_fe_equal(&z, &y));
1708 z = x;
1709 secp256k1_fe_mul_int(&z, 5);
1710 secp256k1_fe_mul(&q, &x, &fe5);
1711 CHECK(check_fe_equal(&z, &q));
1712 secp256k1_fe_negate(&x, &x, 1);
1713 secp256k1_fe_add(&z, &x);
1714 secp256k1_fe_add(&q, &x);
1715 CHECK(check_fe_equal(&y, &z));
1716 CHECK(check_fe_equal(&q, &y));
1717 }
1718 }
1719
1720 void run_field_inv(void) {
1721 secp256k1_fe x, xi, xii;
1722 int i;
1723 for (i = 0; i < 10*count; i++) {
1724 random_fe_non_zero(&x);
1725 secp256k1_fe_inv(&xi, &x);
1726 CHECK(check_fe_inverse(&x, &xi));
1727 secp256k1_fe_inv(&xii, &xi);
1728 CHECK(check_fe_equal(&x, &xii));
1729 }
1730 }
1731
1732 void run_field_inv_var(void) {
1733 secp256k1_fe x, xi, xii;
1734 int i;
1735 for (i = 0; i < 10*count; i++) {
1736 random_fe_non_zero(&x);
1737 secp256k1_fe_inv_var(&xi, &x);
1738 CHECK(check_fe_inverse(&x, &xi));
1739 secp256k1_fe_inv_var(&xii, &xi);
1740 CHECK(check_fe_equal(&x, &xii));
1741 }
1742 }
1743
1744 void run_field_inv_all_var(void) {
1745 secp256k1_fe x[16], xi[16], xii[16];
1746 int i;
1747 /* Check it's safe to call for 0 elements */
1748 secp256k1_fe_inv_all_var(xi, x, 0);
1749 for (i = 0; i < count; i++) {
1750 size_t j;
1751 size_t len = secp256k1_rand_int(15) + 1;
1752 for (j = 0; j < len; j++) {
1753 random_fe_non_zero(&x[j]);
1754 }
1755 secp256k1_fe_inv_all_var(xi, x, len);
1756 for (j = 0; j < len; j++) {
1757 CHECK(check_fe_inverse(&x[j], &xi[j]));
1758 }
1759 secp256k1_fe_inv_all_var(xii, xi, len);
1760 for (j = 0; j < len; j++) {
1761 CHECK(check_fe_equal(&x[j], &xii[j]));
1762 }
1763 }
1764 }
1765
1766 void run_sqr(void) {
1767 secp256k1_fe x, s;
1768
1769 {
1770 int i;
1771 secp256k1_fe_set_int(&x, 1);
1772 secp256k1_fe_negate(&x, &x, 1);
1773
1774 for (i = 1; i <= 512; ++i) {
1775 secp256k1_fe_mul_int(&x, 2);
1776 secp256k1_fe_normalize(&x);
1777 secp256k1_fe_sqr(&s, &x);
1778 }
1779 }
1780 }
1781
1782 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
1783 secp256k1_fe r1, r2;
1784 int v = secp256k1_fe_sqrt(&r1, a);
1785 CHECK((v == 0) == (k == NULL));
1786
1787 if (k != NULL) {
1788 /* Check that the returned root is +/- the given known answer */
1789 secp256k1_fe_negate(&r2, &r1, 1);
1790 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
1791 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
1792 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
1793 }
1794 }
1795
1796 void run_sqrt(void) {
1797 secp256k1_fe ns, x, s, t;
1798 int i;
1799
1800 /* Check sqrt(0) is 0 */
1801 secp256k1_fe_set_int(&x, 0);
1802 secp256k1_fe_sqr(&s, &x);
1803 test_sqrt(&s, &x);
1804
1805 /* Check sqrt of small squares (and their negatives) */
1806 for (i = 1; i <= 100; i++) {
1807 secp256k1_fe_set_int(&x, i);
1808 secp256k1_fe_sqr(&s, &x);
1809 test_sqrt(&s, &x);
1810 secp256k1_fe_negate(&t, &s, 1);
1811 test_sqrt(&t, NULL);
1812 }
1813
1814 /* Consistency checks for large random values */
1815 for (i = 0; i < 10; i++) {
1816 int j;
1817 random_fe_non_square(&ns);
1818 for (j = 0; j < count; j++) {
1819 random_fe(&x);
1820 secp256k1_fe_sqr(&s, &x);
1821 test_sqrt(&s, &x);
1822 secp256k1_fe_negate(&t, &s, 1);
1823 test_sqrt(&t, NULL);
1824 secp256k1_fe_mul(&t, &s, &ns);
1825 test_sqrt(&t, NULL);
1826 }
1827 }
1828 }
1829
1830 /***** GROUP TESTS *****/
1831
1832 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
1833 CHECK(a->infinity == b->infinity);
1834 if (a->infinity) {
1835 return;
1836 }
1837 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
1838 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
1839 }
1840
1841 /* This compares jacobian points including their Z, not just their geometric meaning. */
1842 int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
1843 secp256k1_gej a2;
1844 secp256k1_gej b2;
1845 int ret = 1;
1846 ret &= a->infinity == b->infinity;
1847 if (ret && !a->infinity) {
1848 a2 = *a;
1849 b2 = *b;
1850 secp256k1_fe_normalize(&a2.x);
1851 secp256k1_fe_normalize(&a2.y);
1852 secp256k1_fe_normalize(&a2.z);
1853 secp256k1_fe_normalize(&b2.x);
1854 secp256k1_fe_normalize(&b2.y);
1855 secp256k1_fe_normalize(&b2.z);
1856 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
1857 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
1858 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
1859 }
1860 return ret;
1861 }
1862
1863 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
1864 secp256k1_fe z2s;
1865 secp256k1_fe u1, u2, s1, s2;
1866 CHECK(a->infinity == b->infinity);
1867 if (a->infinity) {
1868 return;
1869 }
1870 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
1871 secp256k1_fe_sqr(&z2s, &b->z);
1872 secp256k1_fe_mul(&u1, &a->x, &z2s);
1873 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
1874 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
1875 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
1876 CHECK(secp256k1_fe_equal_var(&u1, &u2));
1877 CHECK(secp256k1_fe_equal_var(&s1, &s2));
1878 }
1879
1880 void test_ge(void) {
1881 int i, i1;
1882 #ifdef USE_ENDOMORPHISM
1883 int runs = 6;
1884 #else
1885 int runs = 4;
1886 #endif
1887 /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
1888 * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
1889 * All magnitudes are randomized.
1890 * All 17*17 combinations of points are added to each other, using all applicable methods.
1891 *
1892 * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well.
1893 */
1894 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
1895 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
1896 secp256k1_fe *zinv = (secp256k1_fe *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
1897 secp256k1_fe zf;
1898 secp256k1_fe zfi2, zfi3;
1899
1900 secp256k1_gej_set_infinity(&gej[0]);
1901 secp256k1_ge_clear(&ge[0]);
1902 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
1903 for (i = 0; i < runs; i++) {
1904 int j;
1905 secp256k1_ge g;
1906 random_group_element_test(&g);
1907 #ifdef USE_ENDOMORPHISM
1908 if (i >= runs - 2) {
1909 secp256k1_ge_mul_lambda(&g, &ge[1]);
1910 }
1911 if (i >= runs - 1) {
1912 secp256k1_ge_mul_lambda(&g, &g);
1913 }
1914 #endif
1915 ge[1 + 4 * i] = g;
1916 ge[2 + 4 * i] = g;
1917 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
1918 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
1919 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
1920 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
1921 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
1922 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
1923 for (j = 0; j < 4; j++) {
1924 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
1925 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
1926 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
1927 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
1928 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
1929 }
1930 }
1931
1932 /* Compute z inverses. */
1933 {
1934 secp256k1_fe *zs = checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
1935 for (i = 0; i < 4 * runs + 1; i++) {
1936 if (i == 0) {
1937 /* The point at infinity does not have a meaningful z inverse. Any should do. */
1938 do {
1939 random_field_element_test(&zs[i]);
1940 } while(secp256k1_fe_is_zero(&zs[i]));
1941 } else {
1942 zs[i] = gej[i].z;
1943 }
1944 }
1945 secp256k1_fe_inv_all_var(zinv, zs, 4 * runs + 1);
1946 free(zs);
1947 }
1948
1949 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
1950 do {
1951 random_field_element_test(&zf);
1952 } while(secp256k1_fe_is_zero(&zf));
1953 random_field_element_magnitude(&zf);
1954 secp256k1_fe_inv_var(&zfi3, &zf);
1955 secp256k1_fe_sqr(&zfi2, &zfi3);
1956 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
1957
1958 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
1959 int i2;
1960 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
1961 /* Compute reference result using gej + gej (var). */
1962 secp256k1_gej refj, resj;
1963 secp256k1_ge ref;
1964 secp256k1_fe zr;
1965 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
1966 /* Check Z ratio. */
1967 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
1968 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
1969 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
1970 }
1971 secp256k1_ge_set_gej_var(&ref, &refj);
1972
1973 /* Test gej + ge with Z ratio result (var). */
1974 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
1975 ge_equals_gej(&ref, &resj);
1976 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
1977 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
1978 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
1979 }
1980
1981 /* Test gej + ge (var, with additional Z factor). */
1982 {
1983 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
1984 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
1985 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
1986 random_field_element_magnitude(&ge2_zfi.x);
1987 random_field_element_magnitude(&ge2_zfi.y);
1988 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
1989 ge_equals_gej(&ref, &resj);
1990 }
1991
1992 /* Test gej + ge (const). */
1993 if (i2 != 0) {
1994 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
1995 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
1996 ge_equals_gej(&ref, &resj);
1997 }
1998
1999 /* Test doubling (var). */
2000 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
2001 secp256k1_fe zr2;
2002 /* Normal doubling with Z ratio result. */
2003 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
2004 ge_equals_gej(&ref, &resj);
2005 /* Check Z ratio. */
2006 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2007 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2008 /* Normal doubling. */
2009 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
2010 ge_equals_gej(&ref, &resj);
2011 }
2012
2013 /* Test adding opposites. */
2014 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2015 CHECK(secp256k1_ge_is_infinity(&ref));
2016 }
2017
2018 /* Test adding infinity. */
2019 if (i1 == 0) {
2020 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2021 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2022 ge_equals_gej(&ref, &gej[i2]);
2023 }
2024 if (i2 == 0) {
2025 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2026 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2027 ge_equals_gej(&ref, &gej[i1]);
2028 }
2029 }
2030 }
2031
2032 /* Test adding all points together in random order equals infinity. */
2033 {
2034 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
2035 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
2036 for (i = 0; i < 4 * runs + 1; i++) {
2037 gej_shuffled[i] = gej[i];
2038 }
2039 for (i = 0; i < 4 * runs + 1; i++) {
2040 int swap = i + secp256k1_rand_int(4 * runs + 1 - i);
2041 if (swap != i) {
2042 secp256k1_gej t = gej_shuffled[i];
2043 gej_shuffled[i] = gej_shuffled[swap];
2044 gej_shuffled[swap] = t;
2045 }
2046 }
2047 for (i = 0; i < 4 * runs + 1; i++) {
2048 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
2049 }
2050 CHECK(secp256k1_gej_is_infinity(&sum));
2051 free(gej_shuffled);
2052 }
2053
2054 /* Test batch gej -> ge conversion with and without known z ratios. */
2055 {
2056 secp256k1_fe *zr = (secp256k1_fe *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_fe));
2057 secp256k1_ge *ge_set_table = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2058 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2059 for (i = 0; i < 4 * runs + 1; i++) {
2060 /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
2061 if (i < 4 * runs) {
2062 secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
2063 }
2064 }
2065 secp256k1_ge_set_table_gej_var(ge_set_table, gej, zr, 4 * runs + 1);
2066 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1, &ctx->error_callback);
2067 for (i = 0; i < 4 * runs + 1; i++) {
2068 secp256k1_fe s;
2069 random_fe_non_zero(&s);
2070 secp256k1_gej_rescale(&gej[i], &s);
2071 ge_equals_gej(&ge_set_table[i], &gej[i]);
2072 ge_equals_gej(&ge_set_all[i], &gej[i]);
2073 }
2074 free(ge_set_table);
2075 free(ge_set_all);
2076 free(zr);
2077 }
2078
2079 free(ge);
2080 free(gej);
2081 free(zinv);
2082 }
2083
2084 void test_add_neg_y_diff_x(void) {
2085 /* The point of this test is to check that we can add two points
2086 * whose y-coordinates are negatives of each other but whose x
2087 * coordinates differ. If the x-coordinates were the same, these
2088 * points would be negatives of each other and their sum is
2089 * infinity. This is cool because it "covers up" any degeneracy
2090 * in the addition algorithm that would cause the xy coordinates
2091 * of the sum to be wrong (since infinity has no xy coordinates).
2092 * HOWEVER, if the x-coordinates are different, infinity is the
2093 * wrong answer, and such degeneracies are exposed. This is the
2094 * root of https://github.com/bitcoin-core/secp256k1/issues/257
2095 * which this test is a regression test for.
2096 *
2097 * These points were generated in sage as
2098 * # secp256k1 params
2099 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2100 * C = EllipticCurve ([F (0), F (7)])
2101 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2102 * N = FiniteField(G.order())
2103 *
2104 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2105 * x = polygen(N)
2106 * lam = (1 - x^3).roots()[1][0]
2107 *
2108 * # random "bad pair"
2109 * P = C.random_element()
2110 * Q = -int(lam) * P
2111 * print " P: %x %x" % P.xy()
2112 * print " Q: %x %x" % Q.xy()
2113 * print "P + Q: %x %x" % (P + Q).xy()
2114 */
2115 secp256k1_gej aj = SECP256K1_GEJ_CONST(
2116 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2117 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2118 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2119 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2120 );
2121 secp256k1_gej bj = SECP256K1_GEJ_CONST(
2122 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2123 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2124 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2125 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2126 );
2127 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
2128 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2129 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2130 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2131 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2132 );
2133 secp256k1_ge b;
2134 secp256k1_gej resj;
2135 secp256k1_ge res;
2136 secp256k1_ge_set_gej(&b, &bj);
2137
2138 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2139 secp256k1_ge_set_gej(&res, &resj);
2140 ge_equals_gej(&res, &sumj);
2141
2142 secp256k1_gej_add_ge(&resj, &aj, &b);
2143 secp256k1_ge_set_gej(&res, &resj);
2144 ge_equals_gej(&res, &sumj);
2145
2146 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2147 secp256k1_ge_set_gej(&res, &resj);
2148 ge_equals_gej(&res, &sumj);
2149 }
2150
2151 void run_ge(void) {
2152 int i;
2153 for (i = 0; i < count * 32; i++) {
2154 test_ge();
2155 }
2156 test_add_neg_y_diff_x();
2157 }
2158
2159 void test_ec_combine(void) {
2160 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2161 secp256k1_pubkey data[6];
2162 const secp256k1_pubkey* d[6];
2163 secp256k1_pubkey sd;
2164 secp256k1_pubkey sd2;
2165 secp256k1_gej Qj;
2166 secp256k1_ge Q;
2167 int i;
2168 for (i = 1; i <= 6; i++) {
2169 secp256k1_scalar s;
2170 random_scalar_order_test(&s);
2171 secp256k1_scalar_add(&sum, &sum, &s);
2172 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2173 secp256k1_ge_set_gej(&Q, &Qj);
2174 secp256k1_pubkey_save(&data[i - 1], &Q);
2175 d[i - 1] = &data[i - 1];
2176 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2177 secp256k1_ge_set_gej(&Q, &Qj);
2178 secp256k1_pubkey_save(&sd, &Q);
2179 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
2180 CHECK(memcmp(&sd, &sd2, sizeof(sd)) == 0);
2181 }
2182 }
2183
2184 void run_ec_combine(void) {
2185 int i;
2186 for (i = 0; i < count * 8; i++) {
2187 test_ec_combine();
2188 }
2189 }
2190
2191 void test_group_decompress(const secp256k1_fe* x) {
2192 /* The input itself, normalized. */
2193 secp256k1_fe fex = *x;
2194 secp256k1_fe fez;
2195 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2196 secp256k1_ge ge_quad, ge_even, ge_odd;
2197 secp256k1_gej gej_quad;
2198 /* Return values of the above calls. */
2199 int res_quad, res_even, res_odd;
2200
2201 secp256k1_fe_normalize_var(&fex);
2202
2203 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
2204 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2205 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2206
2207 CHECK(res_quad == res_even);
2208 CHECK(res_quad == res_odd);
2209
2210 if (res_quad) {
2211 secp256k1_fe_normalize_var(&ge_quad.x);
2212 secp256k1_fe_normalize_var(&ge_odd.x);
2213 secp256k1_fe_normalize_var(&ge_even.x);
2214 secp256k1_fe_normalize_var(&ge_quad.y);
2215 secp256k1_fe_normalize_var(&ge_odd.y);
2216 secp256k1_fe_normalize_var(&ge_even.y);
2217
2218 /* No infinity allowed. */
2219 CHECK(!ge_quad.infinity);
2220 CHECK(!ge_even.infinity);
2221 CHECK(!ge_odd.infinity);
2222
2223 /* Check that the x coordinates check out. */
2224 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2225 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2226 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2227
2228 /* Check that the Y coordinate result in ge_quad is a square. */
2229 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
2230
2231 /* Check odd/even Y in ge_odd, ge_even. */
2232 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2233 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
2234
2235 /* Check secp256k1_gej_has_quad_y_var. */
2236 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2237 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2238 do {
2239 random_fe_test(&fez);
2240 } while (secp256k1_fe_is_zero(&fez));
2241 secp256k1_gej_rescale(&gej_quad, &fez);
2242 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2243 secp256k1_gej_neg(&gej_quad, &gej_quad);
2244 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2245 do {
2246 random_fe_test(&fez);
2247 } while (secp256k1_fe_is_zero(&fez));
2248 secp256k1_gej_rescale(&gej_quad, &fez);
2249 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2250 secp256k1_gej_neg(&gej_quad, &gej_quad);
2251 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2252 }
2253 }
2254
2255 void run_group_decompress(void) {
2256 int i;
2257 for (i = 0; i < count * 4; i++) {
2258 secp256k1_fe fe;
2259 random_fe_test(&fe);
2260 test_group_decompress(&fe);
2261 }
2262 }
2263
2264 /***** ECMULT TESTS *****/
2265
2266 void run_ecmult_chain(void) {
2267 /* random starting point A (on the curve) */
2268 secp256k1_gej a = SECP256K1_GEJ_CONST(
2269 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2270 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2271 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2272 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2273 );
2274 /* two random initial factors xn and gn */
2275 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2276 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2277 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2278 );
2279 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
2280 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2281 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2282 );
2283 /* two small multipliers to be applied to xn and gn in every iteration: */
2284 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2285 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
2286 /* accumulators with the resulting coefficients to A and G */
2287 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2288 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2289 /* actual points */
2290 secp256k1_gej x;
2291 secp256k1_gej x2;
2292 int i;
2293
2294 /* the point being computed */
2295 x = a;
2296 for (i = 0; i < 200*count; i++) {
2297 /* in each iteration, compute X = xn*X + gn*G; */
2298 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
2299 /* also compute ae and ge: the actual accumulated factors for A and G */
2300 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
2301 secp256k1_scalar_mul(&ae, &ae, &xn);
2302 secp256k1_scalar_mul(&ge, &ge, &xn);
2303 secp256k1_scalar_add(&ge, &ge, &gn);
2304 /* modify xn and gn */
2305 secp256k1_scalar_mul(&xn, &xn, &xf);
2306 secp256k1_scalar_mul(&gn, &gn, &gf);
2307
2308 /* verify */
2309 if (i == 19999) {
2310 /* expected result after 19999 iterations */
2311 secp256k1_gej rp = SECP256K1_GEJ_CONST(
2312 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2313 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2314 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2315 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2316 );
2317
2318 secp256k1_gej_neg(&rp, &rp);
2319 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
2320 CHECK(secp256k1_gej_is_infinity(&rp));
2321 }
2322 }
2323 /* redo the computation, but directly with the resulting ae and ge coefficients: */
2324 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
2325 secp256k1_gej_neg(&x2, &x2);
2326 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
2327 CHECK(secp256k1_gej_is_infinity(&x2));
2328 }
2329
2330 void test_point_times_order(const secp256k1_gej *point) {
2331 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
2332 secp256k1_scalar x;
2333 secp256k1_scalar nx;
2334 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2335 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2336 secp256k1_gej res1, res2;
2337 secp256k1_ge res3;
2338 unsigned char pub[65];
2339 size_t psize = 65;
2340 random_scalar_order_test(&x);
2341 secp256k1_scalar_negate(&nx, &x);
2342 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2343 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
2344 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
2345 CHECK(secp256k1_gej_is_infinity(&res1));
2346 CHECK(secp256k1_gej_is_valid_var(&res1) == 0);
2347 secp256k1_ge_set_gej(&res3, &res1);
2348 CHECK(secp256k1_ge_is_infinity(&res3));
2349 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
2350 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
2351 psize = 65;
2352 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
2353 /* check zero/one edge cases */
2354 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2355 secp256k1_ge_set_gej(&res3, &res1);
2356 CHECK(secp256k1_ge_is_infinity(&res3));
2357 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2358 secp256k1_ge_set_gej(&res3, &res1);
2359 ge_equals_gej(&res3, point);
2360 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2361 secp256k1_ge_set_gej(&res3, &res1);
2362 ge_equals_ge(&res3, &secp256k1_ge_const_g);
2363 }
2364
2365 void run_point_times_order(void) {
2366 int i;
2367 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2368 static const secp256k1_fe xr = SECP256K1_FE_CONST(
2369 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2370 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2371 );
2372 for (i = 0; i < 500; i++) {
2373 secp256k1_ge p;
2374 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
2375 secp256k1_gej j;
2376 CHECK(secp256k1_ge_is_valid_var(&p));
2377 secp256k1_gej_set_ge(&j, &p);
2378 CHECK(secp256k1_gej_is_valid_var(&j));
2379 test_point_times_order(&j);
2380 }
2381 secp256k1_fe_sqr(&x, &x);
2382 }
2383 secp256k1_fe_normalize_var(&x);
2384 CHECK(secp256k1_fe_equal_var(&x, &xr));
2385 }
2386
2387 void ecmult_const_random_mult(void) {
2388 /* random starting point A (on the curve) */
2389 secp256k1_ge a = SECP256K1_GE_CONST(
2390 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2391 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2392 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2393 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2394 );
2395 /* random initial factor xn */
2396 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2397 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2398 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2399 );
2400 /* expected xn * A (from sage) */
2401 secp256k1_ge expected_b = SECP256K1_GE_CONST(
2402 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2403 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2404 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2405 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2406 );
2407 secp256k1_gej b;
2408 secp256k1_ecmult_const(&b, &a, &xn);
2409
2410 CHECK(secp256k1_ge_is_valid_var(&a));
2411 ge_equals_gej(&expected_b, &b);
2412 }
2413
2414 void ecmult_const_commutativity(void) {
2415 secp256k1_scalar a;
2416 secp256k1_scalar b;
2417 secp256k1_gej res1;
2418 secp256k1_gej res2;
2419 secp256k1_ge mid1;
2420 secp256k1_ge mid2;
2421 random_scalar_order_test(&a);
2422 random_scalar_order_test(&b);
2423
2424 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a);
2425 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b);
2426 secp256k1_ge_set_gej(&mid1, &res1);
2427 secp256k1_ge_set_gej(&mid2, &res2);
2428 secp256k1_ecmult_const(&res1, &mid1, &b);
2429 secp256k1_ecmult_const(&res2, &mid2, &a);
2430 secp256k1_ge_set_gej(&mid1, &res1);
2431 secp256k1_ge_set_gej(&mid2, &res2);
2432 ge_equals_ge(&mid1, &mid2);
2433 }
2434
2435 void ecmult_const_mult_zero_one(void) {
2436 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2437 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2438 secp256k1_scalar negone;
2439 secp256k1_gej res1;
2440 secp256k1_ge res2;
2441 secp256k1_ge point;
2442 secp256k1_scalar_negate(&negone, &one);
2443
2444 random_group_element_test(&point);
2445 secp256k1_ecmult_const(&res1, &point, &zero);
2446 secp256k1_ge_set_gej(&res2, &res1);
2447 CHECK(secp256k1_ge_is_infinity(&res2));
2448 secp256k1_ecmult_const(&res1, &point, &one);
2449 secp256k1_ge_set_gej(&res2, &res1);
2450 ge_equals_ge(&res2, &point);
2451 secp256k1_ecmult_const(&res1, &point, &negone);
2452 secp256k1_gej_neg(&res1, &res1);
2453 secp256k1_ge_set_gej(&res2, &res1);
2454 ge_equals_ge(&res2, &point);
2455 }
2456
2457 void ecmult_const_chain_multiply(void) {
2458 /* Check known result (randomly generated test problem from sage) */
2459 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
2460 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2461 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2462 );
2463 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
2464 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2465 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2466 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2467 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2468 );
2469 secp256k1_gej point;
2470 secp256k1_ge res;
2471 int i;
2472
2473 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2474 for (i = 0; i < 100; ++i) {
2475 secp256k1_ge tmp;
2476 secp256k1_ge_set_gej(&tmp, &point);
2477 secp256k1_ecmult_const(&point, &tmp, &scalar);
2478 }
2479 secp256k1_ge_set_gej(&res, &point);
2480 ge_equals_gej(&res, &expected_point);
2481 }
2482
2483 void run_ecmult_const_tests(void) {
2484 ecmult_const_mult_zero_one();
2485 ecmult_const_random_mult();
2486 ecmult_const_commutativity();
2487 ecmult_const_chain_multiply();
2488 }
2489
2490 void test_wnaf(const secp256k1_scalar *number, int w) {
2491 secp256k1_scalar x, two, t;
2492 int wnaf[256];
2493 int zeroes = -1;
2494 int i;
2495 int bits;
2496 secp256k1_scalar_set_int(&x, 0);
2497 secp256k1_scalar_set_int(&two, 2);
2498 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
2499 CHECK(bits <= 256);
2500 for (i = bits-1; i >= 0; i--) {
2501 int v = wnaf[i];
2502 secp256k1_scalar_mul(&x, &x, &two);
2503 if (v) {
2504 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
2505 zeroes=0;
2506 CHECK((v & 1) == 1); /* check non-zero elements are odd */
2507 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
2508 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
2509 } else {
2510 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
2511 zeroes++;
2512 }
2513 if (v >= 0) {
2514 secp256k1_scalar_set_int(&t, v);
2515 } else {
2516 secp256k1_scalar_set_int(&t, -v);
2517 secp256k1_scalar_negate(&t, &t);
2518 }
2519 secp256k1_scalar_add(&x, &x, &t);
2520 }
2521 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
2522 }
2523
2524 void test_constant_wnaf_negate(const secp256k1_scalar *number) {
2525 secp256k1_scalar neg1 = *number;
2526 secp256k1_scalar neg2 = *number;
2527 int sign1 = 1;
2528 int sign2 = 1;
2529
2530 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
2531 secp256k1_scalar_negate(&neg1, &neg1);
2532 sign1 = -1;
2533 }
2534 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
2535 CHECK(sign1 == sign2);
2536 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
2537 }
2538
2539 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
2540 secp256k1_scalar x, shift;
2541 int wnaf[256] = {0};
2542 int i;
2543 int skew;
2544 secp256k1_scalar num = *number;
2545
2546 secp256k1_scalar_set_int(&x, 0);
2547 secp256k1_scalar_set_int(&shift, 1 << w);
2548 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
2549 #ifdef USE_ENDOMORPHISM
2550 for (i = 0; i < 16; ++i) {
2551 secp256k1_scalar_shr_int(&num, 8);
2552 }
2553 #endif
2554 skew = secp256k1_wnaf_const(wnaf, num, w);
2555
2556 for (i = WNAF_SIZE(w); i >= 0; --i) {
2557 secp256k1_scalar t;
2558 int v = wnaf[i];
2559 CHECK(v != 0); /* check nonzero */
2560 CHECK(v & 1); /* check parity */
2561 CHECK(v > -(1 << w)); /* check range above */
2562 CHECK(v < (1 << w)); /* check range below */
2563
2564 secp256k1_scalar_mul(&x, &x, &shift);
2565 if (v >= 0) {
2566 secp256k1_scalar_set_int(&t, v);
2567 } else {
2568 secp256k1_scalar_set_int(&t, -v);
2569 secp256k1_scalar_negate(&t, &t);
2570 }
2571 secp256k1_scalar_add(&x, &x, &t);
2572 }
2573 /* Skew num because when encoding numbers as odd we use an offset */
2574 secp256k1_scalar_cadd_bit(&num, skew == 2, 1);
2575 CHECK(secp256k1_scalar_eq(&x, &num));
2576 }
2577
2578 void run_wnaf(void) {
2579 int i;
2580 secp256k1_scalar n = {{0}};
2581
2582 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
2583 * have easier-to-diagnose failure modes */
2584 n.d[0] = 1;
2585 test_constant_wnaf(&n, 4);
2586 n.d[0] = 2;
2587 test_constant_wnaf(&n, 4);
2588 /* Random tests */
2589 for (i = 0; i < count; i++) {
2590 random_scalar_order(&n);
2591 test_wnaf(&n, 4+(i%10));
2592 test_constant_wnaf_negate(&n);
2593 test_constant_wnaf(&n, 4 + (i % 10));
2594 }
2595 secp256k1_scalar_set_int(&n, 0);
2596 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
2597 CHECK(secp256k1_scalar_is_zero(&n));
2598 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
2599 CHECK(secp256k1_scalar_is_zero(&n));
2600 }
2601
2602 void test_ecmult_constants(void) {
2603 /* Test ecmult_gen() for [0..36) and [order-36..0). */
2604 secp256k1_scalar x;
2605 secp256k1_gej r;
2606 secp256k1_ge ng;
2607 int i;
2608 int j;
2609 secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
2610 for (i = 0; i < 36; i++ ) {
2611 secp256k1_scalar_set_int(&x, i);
2612 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
2613 for (j = 0; j < i; j++) {
2614 if (j == i - 1) {
2615 ge_equals_gej(&secp256k1_ge_const_g, &r);
2616 }
2617 secp256k1_gej_add_ge(&r, &r, &ng);
2618 }
2619 CHECK(secp256k1_gej_is_infinity(&r));
2620 }
2621 for (i = 1; i <= 36; i++ ) {
2622 secp256k1_scalar_set_int(&x, i);
2623 secp256k1_scalar_negate(&x, &x);
2624 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
2625 for (j = 0; j < i; j++) {
2626 if (j == i - 1) {
2627 ge_equals_gej(&ng, &r);
2628 }
2629 secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
2630 }
2631 CHECK(secp256k1_gej_is_infinity(&r));
2632 }
2633 }
2634
2635 void run_ecmult_constants(void) {
2636 test_ecmult_constants();
2637 }
2638
2639 void test_ecmult_gen_blind(void) {
2640 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
2641 secp256k1_scalar key;
2642 secp256k1_scalar b;
2643 unsigned char seed32[32];
2644 secp256k1_gej pgej;
2645 secp256k1_gej pgej2;
2646 secp256k1_gej i;
2647 secp256k1_ge pge;
2648 random_scalar_order_test(&key);
2649 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
2650 secp256k1_rand256(seed32);
2651 b = ctx->ecmult_gen_ctx.blind;
2652 i = ctx->ecmult_gen_ctx.initial;
2653 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
2654 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
2655 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
2656 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
2657 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
2658 secp256k1_ge_set_gej(&pge, &pgej);
2659 ge_equals_gej(&pge, &pgej2);
2660 }
2661
2662 void test_ecmult_gen_blind_reset(void) {
2663 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
2664 secp256k1_scalar b;
2665 secp256k1_gej initial;
2666 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
2667 b = ctx->ecmult_gen_ctx.blind;
2668 initial = ctx->ecmult_gen_ctx.initial;
2669 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
2670 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
2671 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
2672 }
2673
2674 void run_ecmult_gen_blind(void) {
2675 int i;
2676 test_ecmult_gen_blind_reset();
2677 for (i = 0; i < 10; i++) {
2678 test_ecmult_gen_blind();
2679 }
2680 }
2681
2682 #ifdef USE_ENDOMORPHISM
2683 /***** ENDOMORPHISH TESTS *****/
2684 void test_scalar_split(void) {
2685 secp256k1_scalar full;
2686 secp256k1_scalar s1, slam;
2687 const unsigned char zero[32] = {0};
2688 unsigned char tmp[32];
2689
2690 random_scalar_order_test(&full);
2691 secp256k1_scalar_split_lambda(&s1, &slam, &full);
2692
2693 /* check that both are <= 128 bits in size */
2694 if (secp256k1_scalar_is_high(&s1)) {
2695 secp256k1_scalar_negate(&s1, &s1);
2696 }
2697 if (secp256k1_scalar_is_high(&slam)) {
2698 secp256k1_scalar_negate(&slam, &slam);
2699 }
2700
2701 secp256k1_scalar_get_b32(tmp, &s1);
2702 CHECK(memcmp(zero, tmp, 16) == 0);
2703 secp256k1_scalar_get_b32(tmp, &slam);
2704 CHECK(memcmp(zero, tmp, 16) == 0);
2705 }
2706
2707 void run_endomorphism_tests(void) {
2708 test_scalar_split();
2709 }
2710 #endif
2711
2712 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
2713 unsigned char pubkeyc[65];
2714 secp256k1_pubkey pubkey;
2715 secp256k1_ge ge;
2716 size_t pubkeyclen;
2717 int32_t ecount;
2718 ecount = 0;
2719 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
2720 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
2721 /* Smaller sizes are tested exhaustively elsewhere. */
2722 int32_t i;
2723 memcpy(&pubkeyc[1], input, 64);
2724 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
2725 for (i = 0; i < 256; i++) {
2726 /* Try all type bytes. */
2727 int xpass;
2728 int ypass;
2729 int ysign;
2730 pubkeyc[0] = i;
2731 /* What sign does this point have? */
2732 ysign = (input[63] & 1) + 2;
2733 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
2734 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
2735 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
2736 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
2737 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
2738 if (xpass || ypass) {
2739 /* These cases must parse. */
2740 unsigned char pubkeyo[65];
2741 size_t outl;
2742 memset(&pubkey, 0, sizeof(pubkey));
2743 VG_UNDEF(&pubkey, sizeof(pubkey));
2744 ecount = 0;
2745 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
2746 VG_CHECK(&pubkey, sizeof(pubkey));
2747 outl = 65;
2748 VG_UNDEF(pubkeyo, 65);
2749 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
2750 VG_CHECK(pubkeyo, outl);
2751 CHECK(outl == 33);
2752 CHECK(memcmp(&pubkeyo[1], &pubkeyc[1], 32) == 0);
2753 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
2754 if (ypass) {
2755 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
2756 CHECK(pubkeyo[0] == ysign);
2757 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
2758 memset(&pubkey, 0, sizeof(pubkey));
2759 VG_UNDEF(&pubkey, sizeof(pubkey));
2760 secp256k1_pubkey_save(&pubkey, &ge);
2761 VG_CHECK(&pubkey, sizeof(pubkey));
2762 outl = 65;
2763 VG_UNDEF(pubkeyo, 65);
2764 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
2765 VG_CHECK(pubkeyo, outl);
2766 CHECK(outl == 65);
2767 CHECK(pubkeyo[0] == 4);
2768 CHECK(memcmp(&pubkeyo[1], input, 64) == 0);
2769 }
2770 CHECK(ecount == 0);
2771 } else {
2772 /* These cases must fail to parse. */
2773 memset(&pubkey, 0xfe, sizeof(pubkey));
2774 ecount = 0;
2775 VG_UNDEF(&pubkey, sizeof(pubkey));
2776 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
2777 VG_CHECK(&pubkey, sizeof(pubkey));
2778 CHECK(ecount == 0);
2779 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
2780 CHECK(ecount == 1);
2781 }
2782 }
2783 }
2784 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
2785 }
2786
2787 void run_ec_pubkey_parse_test(void) {
2788 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
2789 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
2790 {
2791 /* Point with leading and trailing zeros in x and y serialization. */
2792 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
2793 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2794 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
2795 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
2796 },
2797 {
2798 /* Point with x equal to a 3rd root of unity.*/
2799 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
2800 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
2801 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
2802 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
2803 },
2804 {
2805 /* Point with largest x. (1/2) */
2806 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2807 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
2808 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
2809 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
2810 },
2811 {
2812 /* Point with largest x. (2/2) */
2813 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2814 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
2815 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
2816 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
2817 },
2818 {
2819 /* Point with smallest x. (1/2) */
2820 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2821 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2822 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
2823 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
2824 },
2825 {
2826 /* Point with smallest x. (2/2) */
2827 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2828 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2829 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
2830 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
2831 },
2832 {
2833 /* Point with largest y. (1/3) */
2834 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
2835 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
2836 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2837 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
2838 },
2839 {
2840 /* Point with largest y. (2/3) */
2841 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
2842 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
2843 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2844 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
2845 },
2846 {
2847 /* Point with largest y. (3/3) */
2848 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
2849 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
2850 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2851 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
2852 },
2853 {
2854 /* Point with smallest y. (1/3) */
2855 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
2856 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
2857 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2858 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2859 },
2860 {
2861 /* Point with smallest y. (2/3) */
2862 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
2863 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
2864 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2865 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2866 },
2867 {
2868 /* Point with smallest y. (3/3) */
2869 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
2870 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
2871 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2872 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
2873 }
2874 };
2875 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
2876 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
2877 {
2878 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
2879 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
2880 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
2881 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2882 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
2883 },
2884 {
2885 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
2886 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
2887 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
2888 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2889 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
2890 },
2891 {
2892 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
2893 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
2894 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
2895 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2896 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
2897 },
2898 {
2899 /* x on curve, y is from y^2 = x^3 + 8. */
2900 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2901 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2902 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2903 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
2904 }
2905 };
2906 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
2907 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
2908 {
2909 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
2910 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
2911 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
2912 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2913 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2914 },
2915 {
2916 /* Valid if x overflow ignored (x = 1 mod p). */
2917 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2918 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
2919 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
2920 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
2921 },
2922 {
2923 /* Valid if x overflow ignored (x = 1 mod p). */
2924 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2925 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
2926 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
2927 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
2928 },
2929 {
2930 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
2931 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2932 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
2933 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
2934 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
2935 },
2936 {
2937 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
2938 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2939 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
2940 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
2941 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
2942 },
2943 {
2944 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
2945 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2946 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2947 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
2948 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
2949 },
2950 {
2951 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
2952 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2953 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2954 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
2955 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
2956 }
2957 };
2958 const unsigned char pubkeyc[66] = {
2959 /* Serialization of G. */
2960 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
2961 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
2962 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
2963 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
2964 0xB8, 0x00
2965 };
2966 unsigned char sout[65];
2967 unsigned char shortkey[2];
2968 secp256k1_ge ge;
2969 secp256k1_pubkey pubkey;
2970 size_t len;
2971 int32_t i;
2972 int32_t ecount;
2973 int32_t ecount2;
2974 ecount = 0;
2975 /* Nothing should be reading this far into pubkeyc. */
2976 VG_UNDEF(&pubkeyc[65], 1);
2977 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
2978 /* Zero length claimed, fail, zeroize, no illegal arg error. */
2979 memset(&pubkey, 0xfe, sizeof(pubkey));
2980 ecount = 0;
2981 VG_UNDEF(shortkey, 2);
2982 VG_UNDEF(&pubkey, sizeof(pubkey));
2983 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
2984 VG_CHECK(&pubkey, sizeof(pubkey));
2985 CHECK(ecount == 0);
2986 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
2987 CHECK(ecount == 1);
2988 /* Length one claimed, fail, zeroize, no illegal arg error. */
2989 for (i = 0; i < 256 ; i++) {
2990 memset(&pubkey, 0xfe, sizeof(pubkey));
2991 ecount = 0;
2992 shortkey[0] = i;
2993 VG_UNDEF(&shortkey[1], 1);
2994 VG_UNDEF(&pubkey, sizeof(pubkey));
2995 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
2996 VG_CHECK(&pubkey, sizeof(pubkey));
2997 CHECK(ecount == 0);
2998 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
2999 CHECK(ecount == 1);
3000 }
3001 /* Length two claimed, fail, zeroize, no illegal arg error. */
3002 for (i = 0; i < 65536 ; i++) {
3003 memset(&pubkey, 0xfe, sizeof(pubkey));
3004 ecount = 0;
3005 shortkey[0] = i & 255;
3006 shortkey[1] = i >> 8;
3007 VG_UNDEF(&pubkey, sizeof(pubkey));
3008 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
3009 VG_CHECK(&pubkey, sizeof(pubkey));
3010 CHECK(ecount == 0);
3011 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3012 CHECK(ecount == 1);
3013 }
3014 memset(&pubkey, 0xfe, sizeof(pubkey));
3015 ecount = 0;
3016 VG_UNDEF(&pubkey, sizeof(pubkey));
3017 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
3018 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
3019 VG_CHECK(&pubkey, sizeof(pubkey));
3020 CHECK(ecount == 0);
3021 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3022 CHECK(ecount == 1);
3023 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
3024 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
3025 CHECK(ecount == 2);
3026 /* NULL input string. Illegal arg and zeroize output. */
3027 memset(&pubkey, 0xfe, sizeof(pubkey));
3028 ecount = 0;
3029 VG_UNDEF(&pubkey, sizeof(pubkey));
3030 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
3031 VG_CHECK(&pubkey, sizeof(pubkey));
3032 CHECK(ecount == 1);
3033 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3034 CHECK(ecount == 2);
3035 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
3036 memset(&pubkey, 0xfe, sizeof(pubkey));
3037 ecount = 0;
3038 VG_UNDEF(&pubkey, sizeof(pubkey));
3039 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
3040 VG_CHECK(&pubkey, sizeof(pubkey));
3041 CHECK(ecount == 0);
3042 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3043 CHECK(ecount == 1);
3044 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
3045 memset(&pubkey, 0xfe, sizeof(pubkey));
3046 ecount = 0;
3047 VG_UNDEF(&pubkey, sizeof(pubkey));
3048 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
3049 VG_CHECK(&pubkey, sizeof(pubkey));
3050 CHECK(ecount == 0);
3051 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3052 CHECK(ecount == 1);
3053 /* Valid parse. */
3054 memset(&pubkey, 0, sizeof(pubkey));
3055 ecount = 0;
3056 VG_UNDEF(&pubkey, sizeof(pubkey));
3057 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
3058 VG_CHECK(&pubkey, sizeof(pubkey));
3059 CHECK(ecount == 0);
3060 VG_UNDEF(&ge, sizeof(ge));
3061 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3062 VG_CHECK(&ge.x, sizeof(ge.x));
3063 VG_CHECK(&ge.y, sizeof(ge.y));
3064 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
3065 ge_equals_ge(&secp256k1_ge_const_g, &ge);
3066 CHECK(ecount == 0);
3067 /* secp256k1_ec_pubkey_serialize illegal args. */
3068 ecount = 0;
3069 len = 65;
3070 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3071 CHECK(ecount == 1);
3072 CHECK(len == 0);
3073 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3074 CHECK(ecount == 2);
3075 len = 65;
3076 VG_UNDEF(sout, 65);
3077 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
3078 VG_CHECK(sout, 65);
3079 CHECK(ecount == 3);
3080 CHECK(len == 0);
3081 len = 65;
3082 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
3083 CHECK(ecount == 4);
3084 CHECK(len == 0);
3085 len = 65;
3086 VG_UNDEF(sout, 65);
3087 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3088 VG_CHECK(sout, 65);
3089 CHECK(ecount == 4);
3090 CHECK(len == 65);
3091 /* Multiple illegal args. Should still set arg error only once. */
3092 ecount = 0;
3093 ecount2 = 11;
3094 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3095 CHECK(ecount == 1);
3096 /* Does the illegal arg callback actually change the behavior? */
3097 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
3098 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3099 CHECK(ecount == 1);
3100 CHECK(ecount2 == 10);
3101 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3102 /* Try a bunch of prefabbed points with all possible encodings. */
3103 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
3104 ec_pubkey_parse_pointtest(valid[i], 1, 1);
3105 }
3106 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
3107 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
3108 }
3109 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
3110 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
3111 }
3112 }
3113
3114 void run_eckey_edge_case_test(void) {
3115 const unsigned char orderc[32] = {
3116 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3117 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3118 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3119 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
3120 };
3121 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
3122 unsigned char ctmp[33];
3123 unsigned char ctmp2[33];
3124 secp256k1_pubkey pubkey;
3125 secp256k1_pubkey pubkey2;
3126 secp256k1_pubkey pubkey_one;
3127 secp256k1_pubkey pubkey_negone;
3128 const secp256k1_pubkey *pubkeys[3];
3129 size_t len;
3130 int32_t ecount;
3131 /* Group order is too large, reject. */
3132 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
3133 VG_UNDEF(&pubkey, sizeof(pubkey));
3134 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
3135 VG_CHECK(&pubkey, sizeof(pubkey));
3136 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3137 /* Maximum value is too large, reject. */
3138 memset(ctmp, 255, 32);
3139 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3140 memset(&pubkey, 1, sizeof(pubkey));
3141 VG_UNDEF(&pubkey, sizeof(pubkey));
3142 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3143 VG_CHECK(&pubkey, sizeof(pubkey));
3144 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3145 /* Zero is too small, reject. */
3146 memset(ctmp, 0, 32);
3147 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3148 memset(&pubkey, 1, sizeof(pubkey));
3149 VG_UNDEF(&pubkey, sizeof(pubkey));
3150 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3151 VG_CHECK(&pubkey, sizeof(pubkey));
3152 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3153 /* One must be accepted. */
3154 ctmp[31] = 0x01;
3155 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3156 memset(&pubkey, 0, sizeof(pubkey));
3157 VG_UNDEF(&pubkey, sizeof(pubkey));
3158 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3159 VG_CHECK(&pubkey, sizeof(pubkey));
3160 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3161 pubkey_one = pubkey;
3162 /* Group order + 1 is too large, reject. */
3163 memcpy(ctmp, orderc, 32);
3164 ctmp[31] = 0x42;
3165 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3166 memset(&pubkey, 1, sizeof(pubkey));
3167 VG_UNDEF(&pubkey, sizeof(pubkey));
3168 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3169 VG_CHECK(&pubkey, sizeof(pubkey));
3170 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3171 /* -1 must be accepted. */
3172 ctmp[31] = 0x40;
3173 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3174 memset(&pubkey, 0, sizeof(pubkey));
3175 VG_UNDEF(&pubkey, sizeof(pubkey));
3176 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3177 VG_CHECK(&pubkey, sizeof(pubkey));
3178 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3179 pubkey_negone = pubkey;
3180 /* Tweak of zero leaves the value changed. */
3181 memset(ctmp2, 0, 32);
3182 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, ctmp2) == 1);
3183 CHECK(memcmp(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
3184 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
3185 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3186 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3187 /* Multiply tweak of zero zeroizes the output. */
3188 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, ctmp2) == 0);
3189 CHECK(memcmp(zeros, ctmp, 32) == 0);
3190 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
3191 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3192 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3193 /* Overflowing key tweak zeroizes. */
3194 memcpy(ctmp, orderc, 32);
3195 ctmp[31] = 0x40;
3196 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, orderc) == 0);
3197 CHECK(memcmp(zeros, ctmp, 32) == 0);
3198 memcpy(ctmp, orderc, 32);
3199 ctmp[31] = 0x40;
3200 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, orderc) == 0);
3201 CHECK(memcmp(zeros, ctmp, 32) == 0);
3202 memcpy(ctmp, orderc, 32);
3203 ctmp[31] = 0x40;
3204 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
3205 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3206 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3207 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
3208 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3209 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3210 /* Private key tweaks results in a key of zero. */
3211 ctmp2[31] = 1;
3212 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 0);
3213 CHECK(memcmp(zeros, ctmp2, 32) == 0);
3214 ctmp2[31] = 1;
3215 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3216 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3217 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3218 /* Tweak computation wraps and results in a key of 1. */
3219 ctmp2[31] = 2;
3220 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 1);
3221 CHECK(memcmp(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
3222 ctmp2[31] = 2;
3223 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3224 ctmp2[31] = 1;
3225 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
3226 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3227 /* Tweak mul * 2 = 1+1. */
3228 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3229 ctmp2[31] = 2;
3230 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
3231 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3232 /* Test argument errors. */
3233 ecount = 0;
3234 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3235 CHECK(ecount == 0);
3236 /* Zeroize pubkey on parse error. */
3237 memset(&pubkey, 0, 32);
3238 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3239 CHECK(ecount == 1);
3240 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3241 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3242 memset(&pubkey2, 0, 32);
3243 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
3244 CHECK(ecount == 2);
3245 CHECK(memcmp(&pubkey2, zeros, sizeof(pubkey2)) == 0);
3246 /* Plain argument errors. */
3247 ecount = 0;
3248 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3249 CHECK(ecount == 0);
3250 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
3251 CHECK(ecount == 1);
3252 ecount = 0;
3253 memset(ctmp2, 0, 32);
3254 ctmp2[31] = 4;
3255 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
3256 CHECK(ecount == 1);
3257 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
3258 CHECK(ecount == 2);
3259 ecount = 0;
3260 memset(ctmp2, 0, 32);
3261 ctmp2[31] = 4;
3262 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3263 CHECK(ecount == 1);
3264 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
3265 CHECK(ecount == 2);
3266 ecount = 0;
3267 memset(ctmp2, 0, 32);
3268 CHECK(secp256k1_ec_privkey_tweak_add(ctx, NULL, ctmp2) == 0);
3269 CHECK(ecount == 1);
3270 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, NULL) == 0);
3271 CHECK(ecount == 2);
3272 ecount = 0;
3273 memset(ctmp2, 0, 32);
3274 ctmp2[31] = 1;
3275 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3276 CHECK(ecount == 1);
3277 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, NULL) == 0);
3278 CHECK(ecount == 2);
3279 ecount = 0;
3280 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
3281 CHECK(ecount == 1);
3282 memset(&pubkey, 1, sizeof(pubkey));
3283 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
3284 CHECK(ecount == 2);
3285 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3286 /* secp256k1_ec_pubkey_combine tests. */
3287 ecount = 0;
3288 pubkeys[0] = &pubkey_one;
3289 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
3290 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
3291 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
3292 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3293 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3294 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
3295 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3296 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3297 CHECK(ecount == 1);
3298 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
3299 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3300 CHECK(ecount == 2);
3301 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3302 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3303 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
3304 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3305 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3306 CHECK(ecount == 3);
3307 pubkeys[0] = &pubkey_negone;
3308 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3309 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3310 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
3311 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3312 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3313 CHECK(ecount == 3);
3314 len = 33;
3315 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3316 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
3317 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
3318 /* Result is infinity. */
3319 pubkeys[0] = &pubkey_one;
3320 pubkeys[1] = &pubkey_negone;
3321 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3322 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3323 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
3324 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3325 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3326 CHECK(ecount == 3);
3327 /* Passes through infinity but comes out one. */
3328 pubkeys[2] = &pubkey_one;
3329 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3330 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3331 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
3332 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3333 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3334 CHECK(ecount == 3);
3335 len = 33;
3336 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3337 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
3338 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
3339 /* Adds to two. */
3340 pubkeys[1] = &pubkey_one;
3341 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3342 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3343 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
3344 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3345 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3346 CHECK(ecount == 3);
3347 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3348 }
3349
3350 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
3351 secp256k1_scalar nonce;
3352 do {
3353 random_scalar_order_test(&nonce);
3354 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
3355 }
3356
3357 void test_ecdsa_sign_verify(void) {
3358 secp256k1_gej pubj;
3359 secp256k1_ge pub;
3360 secp256k1_scalar one;
3361 secp256k1_scalar msg, key;
3362 secp256k1_scalar sigr, sigs;
3363 int recid;
3364 int getrec;
3365 random_scalar_order_test(&msg);
3366 random_scalar_order_test(&key);
3367 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
3368 secp256k1_ge_set_gej(&pub, &pubj);
3369 getrec = secp256k1_rand_bits(1);
3370 random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
3371 if (getrec) {
3372 CHECK(recid >= 0 && recid < 4);
3373 }
3374 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
3375 secp256k1_scalar_set_int(&one, 1);
3376 secp256k1_scalar_add(&msg, &msg, &one);
3377 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
3378 }
3379
3380 void run_ecdsa_sign_verify(void) {
3381 int i;
3382 for (i = 0; i < 10*count; i++) {
3383 test_ecdsa_sign_verify();
3384 }
3385 }
3386
3387 /** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
3388 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3389 (void)msg32;
3390 (void)key32;
3391 (void)algo16;
3392 memcpy(nonce32, data, 32);
3393 return (counter == 0);
3394 }
3395
3396 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3397 /* Dummy nonce generator that has a fatal error on the first counter value. */
3398 if (counter == 0) {
3399 return 0;
3400 }
3401 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
3402 }
3403
3404 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3405 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
3406 if (counter < 3) {
3407 memset(nonce32, counter==0 ? 0 : 255, 32);
3408 if (counter == 2) {
3409 nonce32[31]--;
3410 }
3411 return 1;
3412 }
3413 if (counter < 5) {
3414 static const unsigned char order[] = {
3415 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
3416 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
3417 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
3418 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
3419 };
3420 memcpy(nonce32, order, 32);
3421 if (counter == 4) {
3422 nonce32[31]++;
3423 }
3424 return 1;
3425 }
3426 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
3427 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
3428 if (counter > 5) {
3429 return 0;
3430 }
3431 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
3432 }
3433
3434 int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
3435 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
3436 return memcmp(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
3437 }
3438
3439 void test_ecdsa_end_to_end(void) {
3440 unsigned char extra[32] = {0x00};
3441 unsigned char privkey[32];
3442 unsigned char message[32];
3443 unsigned char privkey2[32];
3444 secp256k1_ecdsa_signature signature[6];
3445 secp256k1_scalar r, s;
3446 unsigned char sig[74];
3447 size_t siglen = 74;
3448 unsigned char pubkeyc[65];
3449 size_t pubkeyclen = 65;
3450 secp256k1_pubkey pubkey;
3451 secp256k1_pubkey pubkey_tmp;
3452 unsigned char seckey[300];
3453 size_t seckeylen = 300;
3454
3455 /* Generate a random key and message. */
3456 {
3457 secp256k1_scalar msg, key;
3458 random_scalar_order_test(&msg);
3459 random_scalar_order_test(&key);
3460 secp256k1_scalar_get_b32(privkey, &key);
3461 secp256k1_scalar_get_b32(message, &msg);
3462 }
3463
3464 /* Construct and verify corresponding public key. */
3465 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
3466 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
3467
3468 /* Verify exporting and importing public key. */
3469 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_rand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
3470 memset(&pubkey, 0, sizeof(pubkey));
3471 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3472
3473 /* Verify negation changes the key and changes it back */
3474 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
3475 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
3476 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
3477 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
3478 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
3479
3480 /* Verify private key import and export. */
3481 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_rand_bits(1) == 1));
3482 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
3483 CHECK(memcmp(privkey, privkey2, 32) == 0);
3484
3485 /* Optionally tweak the keys using addition. */
3486 if (secp256k1_rand_int(3) == 0) {
3487 int ret1;
3488 int ret2;
3489 unsigned char rnd[32];
3490 secp256k1_pubkey pubkey2;
3491 secp256k1_rand256_test(rnd);
3492 ret1 = secp256k1_ec_privkey_tweak_add(ctx, privkey, rnd);
3493 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
3494 CHECK(ret1 == ret2);
3495 if (ret1 == 0) {
3496 return;
3497 }
3498 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
3499 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3500 }
3501
3502 /* Optionally tweak the keys using multiplication. */
3503 if (secp256k1_rand_int(3) == 0) {
3504 int ret1;
3505 int ret2;
3506 unsigned char rnd[32];
3507 secp256k1_pubkey pubkey2;
3508 secp256k1_rand256_test(rnd);
3509 ret1 = secp256k1_ec_privkey_tweak_mul(ctx, privkey, rnd);
3510 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
3511 CHECK(ret1 == ret2);
3512 if (ret1 == 0) {
3513 return;
3514 }
3515 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
3516 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3517 }
3518
3519 /* Sign. */
3520 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
3521 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
3522 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
3523 extra[31] = 1;
3524 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
3525 extra[31] = 0;
3526 extra[0] = 1;
3527 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
3528 CHECK(memcmp(&signature[0], &signature[4], sizeof(signature[0])) == 0);
3529 CHECK(memcmp(&signature[0], &signature[1], sizeof(signature[0])) != 0);
3530 CHECK(memcmp(&signature[0], &signature[2], sizeof(signature[0])) != 0);
3531 CHECK(memcmp(&signature[0], &signature[3], sizeof(signature[0])) != 0);
3532 CHECK(memcmp(&signature[1], &signature[2], sizeof(signature[0])) != 0);
3533 CHECK(memcmp(&signature[1], &signature[3], sizeof(signature[0])) != 0);
3534 CHECK(memcmp(&signature[2], &signature[3], sizeof(signature[0])) != 0);
3535 /* Verify. */
3536 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
3537 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
3538 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
3539 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
3540 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
3541 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
3542 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
3543 secp256k1_scalar_negate(&s, &s);
3544 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
3545 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
3546 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
3547 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
3548 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
3549 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
3550 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
3551 secp256k1_scalar_negate(&s, &s);
3552 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
3553 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
3554 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
3555 CHECK(memcmp(&signature[5], &signature[0], 64) == 0);
3556
3557 /* Serialize/parse DER and verify again */
3558 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
3559 memset(&signature[0], 0, sizeof(signature[0]));
3560 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
3561 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
3562 /* Serialize/destroy/parse DER and verify again. */
3563 siglen = 74;
3564 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
3565 sig[secp256k1_rand_int(siglen)] += 1 + secp256k1_rand_int(255);
3566 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
3567 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
3568 }
3569
3570 void test_random_pubkeys(void) {
3571 secp256k1_ge elem;
3572 secp256k1_ge elem2;
3573 unsigned char in[65];
3574 /* Generate some randomly sized pubkeys. */
3575 size_t len = secp256k1_rand_bits(2) == 0 ? 65 : 33;
3576 if (secp256k1_rand_bits(2) == 0) {
3577 len = secp256k1_rand_bits(6);
3578 }
3579 if (len == 65) {
3580 in[0] = secp256k1_rand_bits(1) ? 4 : (secp256k1_rand_bits(1) ? 6 : 7);
3581 } else {
3582 in[0] = secp256k1_rand_bits(1) ? 2 : 3;
3583 }
3584 if (secp256k1_rand_bits(3) == 0) {
3585 in[0] = secp256k1_rand_bits(8);
3586 }
3587 if (len > 1) {
3588 secp256k1_rand256(&in[1]);
3589 }
3590 if (len > 33) {
3591 secp256k1_rand256(&in[33]);
3592 }
3593 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
3594 unsigned char out[65];
3595 unsigned char firstb;
3596 int res;
3597 size_t size = len;
3598 firstb = in[0];
3599 /* If the pubkey can be parsed, it should round-trip... */
3600 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
3601 CHECK(size == len);
3602 CHECK(memcmp(&in[1], &out[1], len-1) == 0);
3603 /* ... except for the type of hybrid inputs. */
3604 if ((in[0] != 6) && (in[0] != 7)) {
3605 CHECK(in[0] == out[0]);
3606 }
3607 size = 65;
3608 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
3609 CHECK(size == 65);
3610 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
3611 ge_equals_ge(&elem,&elem2);
3612 /* Check that the X9.62 hybrid type is checked. */
3613 in[0] = secp256k1_rand_bits(1) ? 6 : 7;
3614 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
3615 if (firstb == 2 || firstb == 3) {
3616 if (in[0] == firstb + 4) {
3617 CHECK(res);
3618 } else {
3619 CHECK(!res);
3620 }
3621 }
3622 if (res) {
3623 ge_equals_ge(&elem,&elem2);
3624 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
3625 CHECK(memcmp(&in[1], &out[1], 64) == 0);
3626 }
3627 }
3628 }
3629
3630 void run_random_pubkeys(void) {
3631 int i;
3632 for (i = 0; i < 10*count; i++) {
3633 test_random_pubkeys();
3634 }
3635 }
3636
3637 void run_ecdsa_end_to_end(void) {
3638 int i;
3639 for (i = 0; i < 64*count; i++) {
3640 test_ecdsa_end_to_end();
3641 }
3642 }
3643
3644 int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
3645 static const unsigned char zeroes[32] = {0};
3646 #ifdef ENABLE_OPENSSL_TESTS
3647 static const unsigned char max_scalar[32] = {
3648 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3649 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3650 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3651 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
3652 };
3653 #endif
3654
3655 int ret = 0;
3656
3657 secp256k1_ecdsa_signature sig_der;
3658 unsigned char roundtrip_der[2048];
3659 unsigned char compact_der[64];
3660 size_t len_der = 2048;
3661 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
3662
3663 secp256k1_ecdsa_signature sig_der_lax;
3664 unsigned char roundtrip_der_lax[2048];
3665 unsigned char compact_der_lax[64];
3666 size_t len_der_lax = 2048;
3667 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
3668
3669 #ifdef ENABLE_OPENSSL_TESTS
3670 ECDSA_SIG *sig_openssl;
3671 const unsigned char *sigptr;
3672 unsigned char roundtrip_openssl[2048];
3673 int len_openssl = 2048;
3674 int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
3675 #endif
3676
3677 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
3678 if (parsed_der) {
3679 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
3680 valid_der = (memcmp(compact_der, zeroes, 32) != 0) && (memcmp(compact_der + 32, zeroes, 32) != 0);
3681 }
3682 if (valid_der) {
3683 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
3684 roundtrips_der = (len_der == siglen) && memcmp(roundtrip_der, sig, siglen) == 0;
3685 }
3686
3687 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
3688 if (parsed_der_lax) {
3689 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
3690 valid_der_lax = (memcmp(compact_der_lax, zeroes, 32) != 0) && (memcmp(compact_der_lax + 32, zeroes, 32) != 0);
3691 }
3692 if (valid_der_lax) {
3693 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
3694 roundtrips_der_lax = (len_der_lax == siglen) && memcmp(roundtrip_der_lax, sig, siglen) == 0;
3695 }
3696
3697 if (certainly_der) {
3698 ret |= (!parsed_der) << 2;
3699 }
3700 if (certainly_not_der) {
3701 ret |= (parsed_der) << 17;
3702 }
3703 if (valid_der) {
3704 ret |= (!roundtrips_der) << 3;
3705 }
3706
3707 if (valid_der) {
3708 ret |= (!roundtrips_der_lax) << 12;
3709 ret |= (len_der != len_der_lax) << 13;
3710 ret |= (memcmp(roundtrip_der_lax, roundtrip_der, len_der) != 0) << 14;
3711 }
3712 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
3713 if (parsed_der) {
3714 ret |= (!parsed_der_lax) << 16;
3715 }
3716
3717 #ifdef ENABLE_OPENSSL_TESTS
3718 sig_openssl = ECDSA_SIG_new();
3719 sigptr = sig;
3720 parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
3721 if (parsed_openssl) {
3722 valid_openssl = !BN_is_negative(sig_openssl->r) && !BN_is_negative(sig_openssl->s) && BN_num_bits(sig_openssl->r) > 0 && BN_num_bits(sig_openssl->r) <= 256 && BN_num_bits(sig_openssl->s) > 0 && BN_num_bits(sig_openssl->s) <= 256;
3723 if (valid_openssl) {
3724 unsigned char tmp[32] = {0};
3725 BN_bn2bin(sig_openssl->r, tmp + 32 - BN_num_bytes(sig_openssl->r));
3726 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
3727 }
3728 if (valid_openssl) {
3729 unsigned char tmp[32] = {0};
3730 BN_bn2bin(sig_openssl->s, tmp + 32 - BN_num_bytes(sig_openssl->s));
3731 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
3732 }
3733 }
3734 len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
3735 if (len_openssl <= 2048) {
3736 unsigned char *ptr = roundtrip_openssl;
3737 CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
3738 roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (memcmp(roundtrip_openssl, sig, siglen) == 0);
3739 } else {
3740 len_openssl = 0;
3741 }
3742 ECDSA_SIG_free(sig_openssl);
3743
3744 ret |= (parsed_der && !parsed_openssl) << 4;
3745 ret |= (valid_der && !valid_openssl) << 5;
3746 ret |= (roundtrips_openssl && !parsed_der) << 6;
3747 ret |= (roundtrips_der != roundtrips_openssl) << 7;
3748 if (roundtrips_openssl) {
3749 ret |= (len_der != (size_t)len_openssl) << 8;
3750 ret |= (memcmp(roundtrip_der, roundtrip_openssl, len_der) != 0) << 9;
3751 }
3752 #endif
3753 return ret;
3754 }
3755
3756 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
3757 size_t i;
3758 for (i = 0; i < ptrlen; i++) {
3759 int shift = ptrlen - 1 - i;
3760 if (shift >= 4) {
3761 ptr[i] = 0;
3762 } else {
3763 ptr[i] = (val >> shift) & 0xFF;
3764 }
3765 }
3766 }
3767
3768 static void damage_array(unsigned char *sig, size_t *len) {
3769 int pos;
3770 int action = secp256k1_rand_bits(3);
3771 if (action < 1 && *len > 3) {
3772 /* Delete a byte. */
3773 pos = secp256k1_rand_int(*len);
3774 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
3775 (*len)--;
3776 return;
3777 } else if (action < 2 && *len < 2048) {
3778 /* Insert a byte. */
3779 pos = secp256k1_rand_int(1 + *len);
3780 memmove(sig + pos + 1, sig + pos, *len - pos);
3781 sig[pos] = secp256k1_rand_bits(8);
3782 (*len)++;
3783 return;
3784 } else if (action < 4) {
3785 /* Modify a byte. */
3786 sig[secp256k1_rand_int(*len)] += 1 + secp256k1_rand_int(255);
3787 return;
3788 } else { /* action < 8 */
3789 /* Modify a bit. */
3790 sig[secp256k1_rand_int(*len)] ^= 1 << secp256k1_rand_bits(3);
3791 return;
3792 }
3793 }
3794
3795 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
3796 int der;
3797 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
3798 size_t tlen, elen, glen;
3799 int indet;
3800 int n;
3801
3802 *len = 0;
3803 der = secp256k1_rand_bits(2) == 0;
3804 *certainly_der = der;
3805 *certainly_not_der = 0;
3806 indet = der ? 0 : secp256k1_rand_int(10) == 0;
3807
3808 for (n = 0; n < 2; n++) {
3809 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
3810 nlow[n] = der ? 1 : (secp256k1_rand_bits(3) != 0);
3811 /* The length of the number in bytes (the first byte of which will always be nonzero) */
3812 nlen[n] = nlow[n] ? secp256k1_rand_int(33) : 32 + secp256k1_rand_int(200) * secp256k1_rand_int(8) / 8;
3813 CHECK(nlen[n] <= 232);
3814 /* The top bit of the number. */
3815 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_rand_bits(1));
3816 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
3817 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_rand_bits(7) : 1 + secp256k1_rand_int(127));
3818 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
3819 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_rand_int(3) : secp256k1_rand_int(300 - nlen[n]) * secp256k1_rand_int(8) / 8);
3820 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
3821 *certainly_not_der = 1;
3822 }
3823 CHECK(nlen[n] + nzlen[n] <= 300);
3824 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
3825 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
3826 if (!der) {
3827 /* nlenlen[n] max 127 bytes */
3828 int add = secp256k1_rand_int(127 - nlenlen[n]) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
3829 nlenlen[n] += add;
3830 if (add != 0) {
3831 *certainly_not_der = 1;
3832 }
3833 }
3834 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
3835 }
3836
3837 /* The total length of the data to go, so far */
3838 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
3839 CHECK(tlen <= 856);
3840
3841 /* The length of the garbage inside the tuple. */
3842 elen = (der || indet) ? 0 : secp256k1_rand_int(980 - tlen) * secp256k1_rand_int(8) / 8;
3843 if (elen != 0) {
3844 *certainly_not_der = 1;
3845 }
3846 tlen += elen;
3847 CHECK(tlen <= 980);
3848
3849 /* The length of the garbage after the end of the tuple. */
3850 glen = der ? 0 : secp256k1_rand_int(990 - tlen) * secp256k1_rand_int(8) / 8;
3851 if (glen != 0) {
3852 *certainly_not_der = 1;
3853 }
3854 CHECK(tlen + glen <= 990);
3855
3856 /* Write the tuple header. */
3857 sig[(*len)++] = 0x30;
3858 if (indet) {
3859 /* Indeterminate length */
3860 sig[(*len)++] = 0x80;
3861 *certainly_not_der = 1;
3862 } else {
3863 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
3864 if (!der) {
3865 int add = secp256k1_rand_int(127 - tlenlen) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
3866 tlenlen += add;
3867 if (add != 0) {
3868 *certainly_not_der = 1;
3869 }
3870 }
3871 if (tlenlen == 0) {
3872 /* Short length notation */
3873 sig[(*len)++] = tlen;
3874 } else {
3875 /* Long length notation */
3876 sig[(*len)++] = 128 + tlenlen;
3877 assign_big_endian(sig + *len, tlenlen, tlen);
3878 *len += tlenlen;
3879 }
3880 tlen += tlenlen;
3881 }
3882 tlen += 2;
3883 CHECK(tlen + glen <= 1119);
3884
3885 for (n = 0; n < 2; n++) {
3886 /* Write the integer header. */
3887 sig[(*len)++] = 0x02;
3888 if (nlenlen[n] == 0) {
3889 /* Short length notation */
3890 sig[(*len)++] = nlen[n] + nzlen[n];
3891 } else {
3892 /* Long length notation. */
3893 sig[(*len)++] = 128 + nlenlen[n];
3894 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
3895 *len += nlenlen[n];
3896 }
3897 /* Write zero padding */
3898 while (nzlen[n] > 0) {
3899 sig[(*len)++] = 0x00;
3900 nzlen[n]--;
3901 }
3902 if (nlen[n] == 32 && !nlow[n]) {
3903 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
3904 int i;
3905 for (i = 0; i < 16; i++) {
3906 sig[(*len)++] = 0xFF;
3907 }
3908 nlen[n] -= 16;
3909 }
3910 /* Write first byte of number */
3911 if (nlen[n] > 0) {
3912 sig[(*len)++] = nhbyte[n];
3913 nlen[n]--;
3914 }
3915 /* Generate remaining random bytes of number */
3916 secp256k1_rand_bytes_test(sig + *len, nlen[n]);
3917 *len += nlen[n];
3918 nlen[n] = 0;
3919 }
3920
3921 /* Generate random garbage inside tuple. */
3922 secp256k1_rand_bytes_test(sig + *len, elen);
3923 *len += elen;
3924
3925 /* Generate end-of-contents bytes. */
3926 if (indet) {
3927 sig[(*len)++] = 0;
3928 sig[(*len)++] = 0;
3929 tlen += 2;
3930 }
3931 CHECK(tlen + glen <= 1121);
3932
3933 /* Generate random garbage outside tuple. */
3934 secp256k1_rand_bytes_test(sig + *len, glen);
3935 *len += glen;
3936 tlen += glen;
3937 CHECK(tlen <= 1121);
3938 CHECK(tlen == *len);
3939 }
3940
3941 void run_ecdsa_der_parse(void) {
3942 int i,j;
3943 for (i = 0; i < 200 * count; i++) {
3944 unsigned char buffer[2048];
3945 size_t buflen = 0;
3946 int certainly_der = 0;
3947 int certainly_not_der = 0;
3948 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
3949 CHECK(buflen <= 2048);
3950 for (j = 0; j < 16; j++) {
3951 int ret = 0;
3952 if (j > 0) {
3953 damage_array(buffer, &buflen);
3954 /* We don't know anything anymore about the DERness of the result */
3955 certainly_der = 0;
3956 certainly_not_der = 0;
3957 }
3958 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
3959 if (ret != 0) {
3960 size_t k;
3961 fprintf(stderr, "Failure %x on ", ret);
3962 for (k = 0; k < buflen; k++) {
3963 fprintf(stderr, "%02x ", buffer[k]);
3964 }
3965 fprintf(stderr, "\n");
3966 }
3967 CHECK(ret == 0);
3968 }
3969 }
3970 }
3971
3972 /* Tests several edge cases. */
3973 void test_ecdsa_edge_cases(void) {
3974 int t;
3975 secp256k1_ecdsa_signature sig;
3976
3977 /* Test the case where ECDSA recomputes a point that is infinity. */
3978 {
3979 secp256k1_gej keyj;
3980 secp256k1_ge key;
3981 secp256k1_scalar msg;
3982 secp256k1_scalar sr, ss;
3983 secp256k1_scalar_set_int(&ss, 1);
3984 secp256k1_scalar_negate(&ss, &ss);
3985 secp256k1_scalar_inverse(&ss, &ss);
3986 secp256k1_scalar_set_int(&sr, 1);
3987 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
3988 secp256k1_ge_set_gej(&key, &keyj);
3989 msg = ss;
3990 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
3991 }
3992
3993 /* Verify signature with r of zero fails. */
3994 {
3995 const unsigned char pubkey_mods_zero[33] = {
3996 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3997 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3998 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
3999 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4000 0x41
4001 };
4002 secp256k1_ge key;
4003 secp256k1_scalar msg;
4004 secp256k1_scalar sr, ss;
4005 secp256k1_scalar_set_int(&ss, 1);
4006 secp256k1_scalar_set_int(&msg, 0);
4007 secp256k1_scalar_set_int(&sr, 0);
4008 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
4009 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4010 }
4011
4012 /* Verify signature with s of zero fails. */
4013 {
4014 const unsigned char pubkey[33] = {
4015 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4016 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4017 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4018 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4019 0x01
4020 };
4021 secp256k1_ge key;
4022 secp256k1_scalar msg;
4023 secp256k1_scalar sr, ss;
4024 secp256k1_scalar_set_int(&ss, 0);
4025 secp256k1_scalar_set_int(&msg, 0);
4026 secp256k1_scalar_set_int(&sr, 1);
4027 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4028 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4029 }
4030
4031 /* Verify signature with message 0 passes. */
4032 {
4033 const unsigned char pubkey[33] = {
4034 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4035 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4036 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4037 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4038 0x02
4039 };
4040 const unsigned char pubkey2[33] = {
4041 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4042 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4043 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4044 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4045 0x43
4046 };
4047 secp256k1_ge key;
4048 secp256k1_ge key2;
4049 secp256k1_scalar msg;
4050 secp256k1_scalar sr, ss;
4051 secp256k1_scalar_set_int(&ss, 2);
4052 secp256k1_scalar_set_int(&msg, 0);
4053 secp256k1_scalar_set_int(&sr, 2);
4054 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4055 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4056 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4057 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4058 secp256k1_scalar_negate(&ss, &ss);
4059 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4060 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4061 secp256k1_scalar_set_int(&ss, 1);
4062 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4063 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4064 }
4065
4066 /* Verify signature with message 1 passes. */
4067 {
4068 const unsigned char pubkey[33] = {
4069 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
4070 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
4071 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
4072 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
4073 0x25
4074 };
4075 const unsigned char pubkey2[33] = {
4076 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
4077 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
4078 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
4079 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
4080 0x62
4081 };
4082 const unsigned char csr[32] = {
4083 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4084 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4085 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4086 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
4087 };
4088 secp256k1_ge key;
4089 secp256k1_ge key2;
4090 secp256k1_scalar msg;
4091 secp256k1_scalar sr, ss;
4092 secp256k1_scalar_set_int(&ss, 1);
4093 secp256k1_scalar_set_int(&msg, 1);
4094 secp256k1_scalar_set_b32(&sr, csr, NULL);
4095 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4096 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4097 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4098 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4099 secp256k1_scalar_negate(&ss, &ss);
4100 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4101 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4102 secp256k1_scalar_set_int(&ss, 2);
4103 secp256k1_scalar_inverse_var(&ss, &ss);
4104 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4105 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4106 }
4107
4108 /* Verify signature with message -1 passes. */
4109 {
4110 const unsigned char pubkey[33] = {
4111 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
4112 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
4113 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
4114 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
4115 0xf1
4116 };
4117 const unsigned char csr[32] = {
4118 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4119 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4120 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4121 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
4122 };
4123 secp256k1_ge key;
4124 secp256k1_scalar msg;
4125 secp256k1_scalar sr, ss;
4126 secp256k1_scalar_set_int(&ss, 1);
4127 secp256k1_scalar_set_int(&msg, 1);
4128 secp256k1_scalar_negate(&msg, &msg);
4129 secp256k1_scalar_set_b32(&sr, csr, NULL);
4130 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4131 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4132 secp256k1_scalar_negate(&ss, &ss);
4133 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4134 secp256k1_scalar_set_int(&ss, 3);
4135 secp256k1_scalar_inverse_var(&ss, &ss);
4136 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4137 }
4138
4139 /* Signature where s would be zero. */
4140 {
4141 secp256k1_pubkey pubkey;
4142 size_t siglen;
4143 int32_t ecount;
4144 unsigned char signature[72];
4145 static const unsigned char nonce[32] = {
4146 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4147 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4148 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4149 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4150 };
4151 static const unsigned char nonce2[32] = {
4152 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4153 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4154 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4155 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
4156 };
4157 const unsigned char key[32] = {
4158 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4159 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4160 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4161 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4162 };
4163 unsigned char msg[32] = {
4164 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
4165 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
4166 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
4167 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
4168 };
4169 ecount = 0;
4170 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4171 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
4172 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
4173 msg[31] = 0xaa;
4174 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
4175 CHECK(ecount == 0);
4176 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
4177 CHECK(ecount == 1);
4178 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
4179 CHECK(ecount == 2);
4180 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
4181 CHECK(ecount == 3);
4182 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
4183 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
4184 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
4185 CHECK(ecount == 4);
4186 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
4187 CHECK(ecount == 5);
4188 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
4189 CHECK(ecount == 6);
4190 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
4191 CHECK(ecount == 6);
4192 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4193 CHECK(ecount == 7);
4194 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
4195 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
4196 CHECK(ecount == 8);
4197 siglen = 72;
4198 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
4199 CHECK(ecount == 9);
4200 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
4201 CHECK(ecount == 10);
4202 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
4203 CHECK(ecount == 11);
4204 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
4205 CHECK(ecount == 11);
4206 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
4207 CHECK(ecount == 12);
4208 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
4209 CHECK(ecount == 13);
4210 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
4211 CHECK(ecount == 13);
4212 siglen = 10;
4213 /* Too little room for a signature does not fail via ARGCHECK. */
4214 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
4215 CHECK(ecount == 13);
4216 ecount = 0;
4217 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
4218 CHECK(ecount == 1);
4219 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
4220 CHECK(ecount == 2);
4221 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
4222 CHECK(ecount == 3);
4223 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
4224 CHECK(ecount == 3);
4225 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
4226 CHECK(ecount == 4);
4227 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
4228 CHECK(ecount == 5);
4229 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
4230 CHECK(ecount == 5);
4231 memset(signature, 255, 64);
4232 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
4233 CHECK(ecount == 5);
4234 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4235 }
4236
4237 /* Nonce function corner cases. */
4238 for (t = 0; t < 2; t++) {
4239 static const unsigned char zero[32] = {0x00};
4240 int i;
4241 unsigned char key[32];
4242 unsigned char msg[32];
4243 secp256k1_ecdsa_signature sig2;
4244 secp256k1_scalar sr[512], ss;
4245 const unsigned char *extra;
4246 extra = t == 0 ? NULL : zero;
4247 memset(msg, 0, 32);
4248 msg[31] = 1;
4249 /* High key results in signature failure. */
4250 memset(key, 0xFF, 32);
4251 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
4252 CHECK(is_empty_signature(&sig));
4253 /* Zero key results in signature failure. */
4254 memset(key, 0, 32);
4255 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
4256 CHECK(is_empty_signature(&sig));
4257 /* Nonce function failure results in signature failure. */
4258 key[31] = 1;
4259 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
4260 CHECK(is_empty_signature(&sig));
4261 /* The retry loop successfully makes its way to the first good value. */
4262 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
4263 CHECK(!is_empty_signature(&sig));
4264 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
4265 CHECK(!is_empty_signature(&sig2));
4266 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4267 /* The default nonce function is deterministic. */
4268 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4269 CHECK(!is_empty_signature(&sig2));
4270 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4271 /* The default nonce function changes output with different messages. */
4272 for(i = 0; i < 256; i++) {
4273 int j;
4274 msg[0] = i;
4275 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4276 CHECK(!is_empty_signature(&sig2));
4277 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4278 for (j = 0; j < i; j++) {
4279 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4280 }
4281 }
4282 msg[0] = 0;
4283 msg[31] = 2;
4284 /* The default nonce function changes output with different keys. */
4285 for(i = 256; i < 512; i++) {
4286 int j;
4287 key[0] = i - 256;
4288 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4289 CHECK(!is_empty_signature(&sig2));
4290 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4291 for (j = 0; j < i; j++) {
4292 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4293 }
4294 }
4295 key[0] = 0;
4296 }
4297
4298 {
4299 /* Check that optional nonce arguments do not have equivalent effect. */
4300 const unsigned char zeros[32] = {0};
4301 unsigned char nonce[32];
4302 unsigned char nonce2[32];
4303 unsigned char nonce3[32];
4304 unsigned char nonce4[32];
4305 VG_UNDEF(nonce,32);
4306 VG_UNDEF(nonce2,32);
4307 VG_UNDEF(nonce3,32);
4308 VG_UNDEF(nonce4,32);
4309 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
4310 VG_CHECK(nonce,32);
4311 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
4312 VG_CHECK(nonce2,32);
4313 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
4314 VG_CHECK(nonce3,32);
4315 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
4316 VG_CHECK(nonce4,32);
4317 CHECK(memcmp(nonce, nonce2, 32) != 0);
4318 CHECK(memcmp(nonce, nonce3, 32) != 0);
4319 CHECK(memcmp(nonce, nonce4, 32) != 0);
4320 CHECK(memcmp(nonce2, nonce3, 32) != 0);
4321 CHECK(memcmp(nonce2, nonce4, 32) != 0);
4322 CHECK(memcmp(nonce3, nonce4, 32) != 0);
4323 }
4324
4325
4326 /* Privkey export where pubkey is the point at infinity. */
4327 {
4328 unsigned char privkey[300];
4329 unsigned char seckey[32] = {
4330 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4331 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4332 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4333 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
4334 };
4335 size_t outlen = 300;
4336 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
4337 outlen = 300;
4338 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
4339 }
4340 }
4341
4342 void run_ecdsa_edge_cases(void) {
4343 test_ecdsa_edge_cases();
4344 }
4345
4346 #ifdef ENABLE_OPENSSL_TESTS
4347 EC_KEY *get_openssl_key(const unsigned char *key32) {
4348 unsigned char privkey[300];
4349 size_t privkeylen;
4350 const unsigned char* pbegin = privkey;
4351 int compr = secp256k1_rand_bits(1);
4352 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
4353 CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
4354 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
4355 CHECK(EC_KEY_check_key(ec_key));
4356 return ec_key;
4357 }
4358
4359 void test_ecdsa_openssl(void) {
4360 secp256k1_gej qj;
4361 secp256k1_ge q;
4362 secp256k1_scalar sigr, sigs;
4363 secp256k1_scalar one;
4364 secp256k1_scalar msg2;
4365 secp256k1_scalar key, msg;
4366 EC_KEY *ec_key;
4367 unsigned int sigsize = 80;
4368 size_t secp_sigsize = 80;
4369 unsigned char message[32];
4370 unsigned char signature[80];
4371 unsigned char key32[32];
4372 secp256k1_rand256_test(message);
4373 secp256k1_scalar_set_b32(&msg, message, NULL);
4374 random_scalar_order_test(&key);
4375 secp256k1_scalar_get_b32(key32, &key);
4376 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
4377 secp256k1_ge_set_gej(&q, &qj);
4378 ec_key = get_openssl_key(key32);
4379 CHECK(ec_key != NULL);
4380 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
4381 CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
4382 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
4383 secp256k1_scalar_set_int(&one, 1);
4384 secp256k1_scalar_add(&msg2, &msg, &one);
4385 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
4386
4387 random_sign(&sigr, &sigs, &key, &msg, NULL);
4388 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
4389 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
4390
4391 EC_KEY_free(ec_key);
4392 }
4393
4394 void run_ecdsa_openssl(void) {
4395 int i;
4396 for (i = 0; i < 10*count; i++) {
4397 test_ecdsa_openssl();
4398 }
4399 }
4400 #endif
4401
4402 #ifdef ENABLE_MODULE_ECDH
4403 # include "modules/ecdh/tests_impl.h"
4404 #endif
4405
4406 #ifdef ENABLE_MODULE_RECOVERY
4407 # include "modules/recovery/tests_impl.h"
4408 #endif
4409
4410 int main(int argc, char **argv) {
4411 unsigned char seed16[16] = {0};
4412 unsigned char run32[32] = {0};
4413 /* find iteration count */
4414 if (argc > 1) {
4415 count = strtol(argv[1], NULL, 0);
4416 }
4417
4418 /* find random seed */
4419 if (argc > 2) {
4420 int pos = 0;
4421 const char* ch = argv[2];
4422 while (pos < 16 && ch[0] != 0 && ch[1] != 0) {
4423 unsigned short sh;
4424 if (sscanf(ch, "%2hx", &sh)) {
4425 seed16[pos] = sh;
4426 } else {
4427 break;
4428 }
4429 ch += 2;
4430 pos++;
4431 }
4432 } else {
4433 FILE *frand = fopen("/dev/urandom", "r");
4434 if ((frand == NULL) || !fread(&seed16, sizeof(seed16), 1, frand)) {
4435 uint64_t t = time(NULL) * (uint64_t)1337;
4436 seed16[0] ^= t;
4437 seed16[1] ^= t >> 8;
4438 seed16[2] ^= t >> 16;
4439 seed16[3] ^= t >> 24;
4440 seed16[4] ^= t >> 32;
4441 seed16[5] ^= t >> 40;
4442 seed16[6] ^= t >> 48;
4443 seed16[7] ^= t >> 56;
4444 }
4445 fclose(frand);
4446 }
4447 secp256k1_rand_seed(seed16);
4448
4449 printf("test count = %i\n", count);
4450 printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]);
4451
4452 /* initialize */
4453 run_context_tests();
4454 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
4455 if (secp256k1_rand_bits(1)) {
4456 secp256k1_rand256(run32);
4457 CHECK(secp256k1_context_randomize(ctx, secp256k1_rand_bits(1) ? run32 : NULL));
4458 }
4459
4460 run_rand_bits();
4461 run_rand_int();
4462
4463 run_sha256_tests();
4464 run_hmac_sha256_tests();
4465 run_rfc6979_hmac_sha256_tests();
4466
4467 #ifndef USE_NUM_NONE
4468 /* num tests */
4469 run_num_smalltests();
4470 #endif
4471
4472 /* scalar tests */
4473 run_scalar_tests();
4474
4475 /* field tests */
4476 run_field_inv();
4477 run_field_inv_var();
4478 run_field_inv_all_var();
4479 run_field_misc();
4480 run_field_convert();
4481 run_sqr();
4482 run_sqrt();
4483
4484 /* group tests */
4485 run_ge();
4486 run_group_decompress();
4487
4488 /* ecmult tests */
4489 run_wnaf();
4490 run_point_times_order();
4491 run_ecmult_chain();
4492 run_ecmult_constants();
4493 run_ecmult_gen_blind();
4494 run_ecmult_const_tests();
4495 run_ec_combine();
4496
4497 /* endomorphism tests */
4498 #ifdef USE_ENDOMORPHISM
4499 run_endomorphism_tests();
4500 #endif
4501
4502 /* EC point parser test */
4503 run_ec_pubkey_parse_test();
4504
4505 /* EC key edge cases */
4506 run_eckey_edge_case_test();
4507
4508 #ifdef ENABLE_MODULE_ECDH
4509 /* ecdh tests */
4510 run_ecdh_tests();
4511 #endif
4512
4513 /* ecdsa tests */
4514 run_random_pubkeys();
4515 run_ecdsa_der_parse();
4516 run_ecdsa_sign_verify();
4517 run_ecdsa_end_to_end();
4518 run_ecdsa_edge_cases();
4519 #ifdef ENABLE_OPENSSL_TESTS
4520 run_ecdsa_openssl();
4521 #endif
4522
4523 #ifdef ENABLE_MODULE_RECOVERY
4524 /* ECDSA pubkey recovery tests */
4525 run_recovery_tests();
4526 #endif
4527
4528 secp256k1_rand256(run32);
4529 printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]);
4530
4531 /* shutdown */
4532 secp256k1_context_destroy(ctx);
4533
4534 printf("no problems found\n");
4535 return 0;
4536 }