]> Git Repo - secp256k1.git/blame - src/tests.c
projects / secp256k1.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
scratch: add magic bytes to beginning of structure
[secp256k1.git] / src / tests.c
CommitLineData
71712b27 1/**********************************************************************
9c4fb23d 2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
71712b27
GM		 3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
0a433ea2 6
78cd96b1
CF		 7#if defined HAVE_CONFIG_H
8#include "libsecp256k1-config.h"
9#endif
10
5a9989c5 11#include <stdio.h>
0592d117 12#include <stdlib.h>
8e48aa60 13#include <string.h>
a41f32e6 14
e06a9244
PJ		 15#include <time.h>
16
25f4aec0 17#include "secp256k1.c"
67f7da40 18#include "include/secp256k1.h"
238305fd 19#include "include/secp256k1_preallocated.h"
f0709ac5 20#include "testrand_impl.h"
a41f32e6 21
dd08f037
PW		 22#ifdef ENABLE_OPENSSL_TESTS
23#include "openssl/bn.h"
24#include "openssl/ec.h"
25#include "openssl/ecdsa.h"
26#include "openssl/obj_mac.h"
31abd3ab
AB		 27# if OPENSSL_VERSION_NUMBER < 0x10100000L
28void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {*pr = sig->r; *ps = sig->s;}
29# endif
dd08f037
PW		 30#endif
31
eed87af1
AP		 32#include "contrib/lax_der_parsing.c"
33#include "contrib/lax_der_privatekey_parsing.c"
fea19e7b 34
67f7da40
GM		 35#if !defined(VG_CHECK)
36# if defined(VALGRIND)
37# include <valgrind/memcheck.h>
38# define VG_UNDEF(x,y) VALGRIND_MAKE_MEM_UNDEFINED((x),(y))
39# define VG_CHECK(x,y) VALGRIND_CHECK_MEM_IS_DEFINED((x),(y))
40# else
41# define VG_UNDEF(x,y)
42# define VG_CHECK(x,y)
43# endif
44#endif
45
79f599d3 46static int count = 64;
dd891e0e 47static secp256k1_context *ctx = NULL;
4adf6b2a 48
96be2046
GM		 49static void counting_illegal_callback_fn(const char* str, void* data) {
50 /* Dummy callback function that just counts. */
51 int32_t *p;
52 (void)str;
53 p = data;
54 (*p)++;
55}
56
57static void uncounting_illegal_callback_fn(const char* str, void* data) {
58 /* Dummy callback function that just counts (backwards). */
59 int32_t *p;
60 (void)str;
61 p = data;
62 (*p)--;
63}
64
dd891e0e 65void random_field_element_test(secp256k1_fe *fe) {
9338dbf7
PW		 66 do {
67 unsigned char b32[32];
68 secp256k1_rand256_test(b32);
659b554d
PW		 69 if (secp256k1_fe_set_b32(fe, b32)) {
70 break;
71 }
9338dbf7
PW		 72 } while(1);
73}
74
dd891e0e
PW		 75void random_field_element_magnitude(secp256k1_fe *fe) {
76 secp256k1_fe zero;
fa57f1bd 77 int n = secp256k1_rand_int(9);
9338dbf7 78 secp256k1_fe_normalize(fe);
60571c6e
PW		 79 if (n == 0) {
80 return;
9338dbf7 81 }
60571c6e
PW		 82 secp256k1_fe_clear(&zero);
83 secp256k1_fe_negate(&zero, &zero, 0);
84 secp256k1_fe_mul_int(&zero, n - 1);
85 secp256k1_fe_add(fe, &zero);
3f3964e4 86 VERIFY_CHECK(fe->magnitude == n);
9338dbf7
PW		 87}
88
dd891e0e
PW		 89void random_group_element_test(secp256k1_ge *ge) {
90 secp256k1_fe fe;
9338dbf7
PW		 91 do {
92 random_field_element_test(&fe);
fa57f1bd 93 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand_bits(1))) {
baa75da5 94 secp256k1_fe_normalize(&ge->y);
9338dbf7 95 break;
26320197 96 }
9338dbf7
PW		 97 } while(1);
98}
99
dd891e0e
PW		 100void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
101 secp256k1_fe z2, z3;
9338dbf7
PW		 102 do {
103 random_field_element_test(&gej->z);
104 if (!secp256k1_fe_is_zero(&gej->z)) {
105 break;
106 }
107 } while(1);
bf2e1ac7
GM		 108 secp256k1_fe_sqr(&z2, &gej->z);
109 secp256k1_fe_mul(&z3, &z2, &gej->z);
9338dbf7
PW		 110 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
111 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
112 gej->infinity = ge->infinity;
113}
114
dd891e0e 115void random_scalar_order_test(secp256k1_scalar *num) {
a9f5c8b8
PW		 116 do {
117 unsigned char b32[32];
a9f5c8b8 118 int overflow = 0;
bf2e1ac7 119 secp256k1_rand256_test(b32);
eca6cdb1 120 secp256k1_scalar_set_b32(num, b32, &overflow);
26320197 121 if (overflow || secp256k1_scalar_is_zero(num)) {
a9f5c8b8 122 continue;
26320197 123 }
a9f5c8b8
PW		 124 break;
125 } while(1);
126}
127
dd891e0e 128void random_scalar_order(secp256k1_scalar *num) {
f24041d6
PW		 129 do {
130 unsigned char b32[32];
f24041d6 131 int overflow = 0;
bf2e1ac7 132 secp256k1_rand256(b32);
f24041d6 133 secp256k1_scalar_set_b32(num, b32, &overflow);
26320197 134 if (overflow || secp256k1_scalar_is_zero(num)) {
f24041d6 135 continue;
26320197 136 }
f24041d6
PW		 137 break;
138 } while(1);
139}
140
814cc78d 141void run_context_tests(int use_prealloc) {
96be2046 142 secp256k1_pubkey pubkey;
8e48aa60 143 secp256k1_pubkey zero_pubkey;
96be2046
GM		 144 secp256k1_ecdsa_signature sig;
145 unsigned char ctmp[32];
146 int32_t ecount;
147 int32_t ecount2;
814cc78d
TR		 148 secp256k1_context *none;
149 secp256k1_context *sign;
150 secp256k1_context *vrfy;
151 secp256k1_context *both;
152 void *none_prealloc = NULL;
153 void *sign_prealloc = NULL;
154 void *vrfy_prealloc = NULL;
155 void *both_prealloc = NULL;
d899b5b6 156
dd891e0e
PW		 157 secp256k1_gej pubj;
158 secp256k1_ge pub;
159 secp256k1_scalar msg, key, nonce;
160 secp256k1_scalar sigr, sigs;
d899b5b6 161
814cc78d
TR		 162 if (use_prealloc) {
163 none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
164 sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
165 vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
166 both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
167 CHECK(none_prealloc != NULL);
168 CHECK(sign_prealloc != NULL);
169 CHECK(vrfy_prealloc != NULL);
170 CHECK(both_prealloc != NULL);
171 none = secp256k1_context_preallocated_create(none_prealloc, SECP256K1_CONTEXT_NONE);
172 sign = secp256k1_context_preallocated_create(sign_prealloc, SECP256K1_CONTEXT_SIGN);
173 vrfy = secp256k1_context_preallocated_create(vrfy_prealloc, SECP256K1_CONTEXT_VERIFY);
174 both = secp256k1_context_preallocated_create(both_prealloc, SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
175 } else {
176 none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
177 sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
178 vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
179 both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
180 }
181
8e48aa60
AP		 182 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
183
96be2046
GM		 184 ecount = 0;
185 ecount2 = 10;
186 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
187 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
188 secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, NULL);
189 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
190
814cc78d
TR		 191 /* check if sizes for cloning are consistent */
192 CHECK(secp256k1_context_preallocated_clone_size(none) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
193 CHECK(secp256k1_context_preallocated_clone_size(sign) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
194 CHECK(secp256k1_context_preallocated_clone_size(vrfy) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
195 CHECK(secp256k1_context_preallocated_clone_size(both) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
196
d899b5b6
AP		 197 /*** clone and destroy all of them to make sure cloning was complete ***/
198 {
dd891e0e 199 secp256k1_context *ctx_tmp;
d899b5b6 200
814cc78d
TR		 201 if (use_prealloc) {
202 /* clone into a non-preallocated context and then again into a new preallocated one. */
203 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
204 free(none_prealloc); none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL);
205 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, none_prealloc); secp256k1_context_destroy(ctx_tmp);
206
207 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
208 free(sign_prealloc); sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL);
209 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, sign_prealloc); secp256k1_context_destroy(ctx_tmp);
210
211 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
212 free(vrfy_prealloc); vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL);
213 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, vrfy_prealloc); secp256k1_context_destroy(ctx_tmp);
214
215 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
216 free(both_prealloc); both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL);
217 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, both_prealloc); secp256k1_context_destroy(ctx_tmp);
218 } else {
219 /* clone into a preallocated context and then again into a new non-preallocated one. */
220 void *prealloc_tmp;
221
222 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL);
223 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
224 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
225 free(prealloc_tmp);
226
227 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL);
228 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
229 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
230 free(prealloc_tmp);
231
232 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
233 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
234 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
235 free(prealloc_tmp);
236
237 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
238 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
239 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
240 free(prealloc_tmp);
241 }
d899b5b6
AP		 242 }
243
96be2046
GM		 244 /* Verify that the error callback makes it across the clone. */
245 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
246 /* And that it resets back to default. */
247 secp256k1_context_set_error_callback(sign, NULL, NULL);
248 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
249
d899b5b6
AP		 250 /*** attempt to use them ***/
251 random_scalar_order_test(&msg);
252 random_scalar_order_test(&key);
253 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
254 secp256k1_ge_set_gej(&pub, &pubj);
255
96be2046
GM		 256 /* Verify context-type checking illegal-argument errors. */
257 memset(ctmp, 1, 32);
258 CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
259 CHECK(ecount == 1);
260 VG_UNDEF(&pubkey, sizeof(pubkey));
261 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
262 VG_CHECK(&pubkey, sizeof(pubkey));
263 CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
264 CHECK(ecount == 2);
265 VG_UNDEF(&sig, sizeof(sig));
266 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
267 VG_CHECK(&sig, sizeof(sig));
268 CHECK(ecount2 == 10);
269 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
270 CHECK(ecount2 == 11);
271 CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
272 CHECK(ecount == 2);
273 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
274 CHECK(ecount2 == 12);
275 CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
276 CHECK(ecount == 2);
277 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
278 CHECK(ecount2 == 13);
8e48aa60 279 CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
96be2046 280 CHECK(ecount == 2);
8e48aa60
AP		 281 CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
282 CHECK(ecount == 2);
283 CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
284 CHECK(ecount2 == 14);
285 CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
286 CHECK(ecount == 3);
287 CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
96be2046 288 CHECK(ecount == 3);
61983752
TR		 289 CHECK(secp256k1_context_randomize(vrfy, ctmp) == 1);
290 CHECK(ecount == 3);
291 CHECK(secp256k1_context_randomize(vrfy, NULL) == 1);
292 CHECK(ecount == 3);
293 CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
294 CHECK(ecount2 == 14);
96be2046 295 CHECK(secp256k1_context_randomize(sign, NULL) == 1);
8e48aa60 296 CHECK(ecount2 == 14);
96be2046
GM		 297 secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
298 secp256k1_context_set_illegal_callback(sign, NULL, NULL);
299
d899b5b6
AP		 300 /* obtain a working nonce */
301 do {
302 random_scalar_order_test(&nonce);
18c329c5 303 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
d899b5b6
AP		 304
305 /* try signing */
18c329c5
PW		 306 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
307 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
d899b5b6
AP		 308
309 /* try verifying */
18c329c5
PW		 310 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
311 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
5c2a4fad
AP		 312
313 /* cleanup */
814cc78d
TR		 314 if (use_prealloc) {
315 secp256k1_context_preallocated_destroy(none);
316 secp256k1_context_preallocated_destroy(sign);
317 secp256k1_context_preallocated_destroy(vrfy);
318 secp256k1_context_preallocated_destroy(both);
319 free(none_prealloc);
320 free(sign_prealloc);
321 free(vrfy_prealloc);
322 free(both_prealloc);
323 } else {
324 secp256k1_context_destroy(none);
325 secp256k1_context_destroy(sign);
326 secp256k1_context_destroy(vrfy);
327 secp256k1_context_destroy(both);
328 }
5b71a3f4
GM		 329 /* Defined as no-op. */
330 secp256k1_context_destroy(NULL);
814cc78d
TR		 331 secp256k1_context_preallocated_destroy(NULL);
332
d899b5b6
AP		 333}
334
548de42e
AP		 335void run_scratch_tests(void) {
336 int32_t ecount = 0;
337 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
338 secp256k1_scratch_space *scratch;
339
340 /* Test public API */
341 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
548de42e 342
6fe50439 343 scratch = secp256k1_scratch_space_create(none, 1000);
548de42e 344 CHECK(scratch != NULL);
6fe50439 345 CHECK(ecount == 0);
548de42e
AP		 346
347 /* Test internal API */
348 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
349 CHECK(secp256k1_scratch_max_allocation(scratch, 1) < 1000);
6fe50439
AP		 350
351 /* Allocating 500 bytes with no frame fails */
352 CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL);
353 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
354
355 /* ...but pushing a new stack frame does affect the max allocation */
356 CHECK(secp256k1_scratch_allocate_frame(scratch, 500, 1 == 1));
357 CHECK(secp256k1_scratch_max_allocation(scratch, 1) < 500); /* 500 - ALIGNMENT */
358 CHECK(secp256k1_scratch_alloc(scratch, 500) != NULL);
359 CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL);
360
361 CHECK(secp256k1_scratch_allocate_frame(scratch, 500, 1) == 0);
362
363 /* ...and this effect is undone by popping the frame */
364 secp256k1_scratch_deallocate_frame(scratch);
548de42e 365 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
6fe50439 366 CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL);
548de42e
AP		 367
368 /* cleanup */
369 secp256k1_scratch_space_destroy(scratch);
370 secp256k1_context_destroy(none);
371}
372
b37fbc28
PW		 373/***** HASH TESTS *****/
374
375void run_sha256_tests(void) {
376 static const char *inputs[8] = {
377 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
378 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
379 "For this sample, this 63-byte string will be used as input data",
380 "This is exactly 64 bytes long, not counting the terminating byte"
381 };
382 static const unsigned char outputs[8][32] = {
383 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
384 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
385 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
386 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
387 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
388 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
389 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
390 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
391 };
bf2e1ac7
GM		 392 int i;
393 for (i = 0; i < 8; i++) {
394 unsigned char out[32];
d1dc9dfc 395 secp256k1_sha256 hasher;
b37fbc28
PW		 396 secp256k1_sha256_initialize(&hasher);
397 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
b37fbc28
PW		 398 secp256k1_sha256_finalize(&hasher, out);
399 CHECK(memcmp(out, outputs[i], 32) == 0);
400 if (strlen(inputs[i]) > 0) {
fa57f1bd 401 int split = secp256k1_rand_int(strlen(inputs[i]));
bf2e1ac7 402 secp256k1_sha256_initialize(&hasher);
b37fbc28
PW		 403 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
404 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
405 secp256k1_sha256_finalize(&hasher, out);
406 CHECK(memcmp(out, outputs[i], 32) == 0);
407 }
408 }
409}
410
411void run_hmac_sha256_tests(void) {
412 static const char *keys[6] = {
413 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
414 "\x4a\x65\x66\x65",
415 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
416 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
417 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
418 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
419 };
420 static const char *inputs[6] = {
421 "\x48\x69\x20\x54\x68\x65\x72\x65",
422 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
423 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
424 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
425 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
426 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
427 };
428 static const unsigned char outputs[6][32] = {
429 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
430 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
431 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
432 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
433 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
434 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
435 };
bf2e1ac7
GM		 436 int i;
437 for (i = 0; i < 6; i++) {
d1dc9dfc 438 secp256k1_hmac_sha256 hasher;
bf2e1ac7 439 unsigned char out[32];
b37fbc28
PW		 440 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
441 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
b37fbc28
PW		 442 secp256k1_hmac_sha256_finalize(&hasher, out);
443 CHECK(memcmp(out, outputs[i], 32) == 0);
444 if (strlen(inputs[i]) > 0) {
fa57f1bd 445 int split = secp256k1_rand_int(strlen(inputs[i]));
bf2e1ac7 446 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
b37fbc28
PW		 447 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
448 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
449 secp256k1_hmac_sha256_finalize(&hasher, out);
450 CHECK(memcmp(out, outputs[i], 32) == 0);
451 }
452 }
453}
454
455void run_rfc6979_hmac_sha256_tests(void) {
3e6f1e20 456 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
b37fbc28
PW		 457 static const unsigned char out1[3][32] = {
458 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
459 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
460 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
461 };
462
3e6f1e20 463 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
b37fbc28
PW		 464 static const unsigned char out2[3][32] = {
465 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
466 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
467 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
468 };
469
d1dc9dfc 470 secp256k1_rfc6979_hmac_sha256 rng;
b37fbc28 471 unsigned char out[32];
bf2e1ac7 472 int i;
b37fbc28 473
3e6f1e20 474 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
bf2e1ac7 475 for (i = 0; i < 3; i++) {
b37fbc28
PW		 476 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
477 CHECK(memcmp(out, out1[i], 32) == 0);
478 }
479 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
480
3e6f1e20 481 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
1573a102
PW		 482 for (i = 0; i < 3; i++) {
483 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
484 CHECK(memcmp(out, out1[i], 32) != 0);
485 }
486 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
487
3e6f1e20 488 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
bf2e1ac7 489 for (i = 0; i < 3; i++) {
b37fbc28
PW		 490 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
491 CHECK(memcmp(out, out2[i], 32) == 0);
492 }
493 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
494}
495
49b37498
PW		 496/***** RANDOM TESTS *****/
497
498void test_rand_bits(int rand32, int bits) {
499 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
500 * get a false negative chance below once in a billion */
501 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
502 /* We try multiplying the results with various odd numbers, which shouldn't
503 * influence the uniform distribution modulo a power of 2. */
504 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
505 /* We only select up to 6 bits from the output to analyse */
506 unsigned int usebits = bits > 6 ? 6 : bits;
507 unsigned int maxshift = bits - usebits;
508 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
509 number, track all observed outcomes, one per bit in a uint64_t. */
510 uint64_t x[6][27] = {{0}};
511 unsigned int i, shift, m;
512 /* Multiply the output of all rand calls with the odd number m, which
513 should not change the uniformity of its distribution. */
514 for (i = 0; i < rounds[usebits]; i++) {
515 uint32_t r = (rand32 ? secp256k1_rand32() : secp256k1_rand_bits(bits));
516 CHECK((((uint64_t)r) >> bits) == 0);
517 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
518 uint32_t rm = r * mults[m];
519 for (shift = 0; shift <= maxshift; shift++) {
520 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
521 }
522 }
523 }
524 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
525 for (shift = 0; shift <= maxshift; shift++) {
526 /* Test that the lower usebits bits of x[shift] are 1 */
527 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
528 }
529 }
530}
531
532/* Subrange must be a whole divisor of range, and at most 64 */
533void test_rand_int(uint32_t range, uint32_t subrange) {
534 /* (1-1/subrange)^rounds < 1/10^9 */
535 int rounds = (subrange * 2073) / 100;
536 int i;
537 uint64_t x = 0;
538 CHECK((range % subrange) == 0);
539 for (i = 0; i < rounds; i++) {
540 uint32_t r = secp256k1_rand_int(range);
541 CHECK(r < range);
542 r = r % subrange;
543 x |= (((uint64_t)1) << r);
544 }
545 /* Test that the lower subrange bits of x are 1. */
546 CHECK(((~x) << (64 - subrange)) == 0);
547}
548
549void run_rand_bits(void) {
550 size_t b;
551 test_rand_bits(1, 32);
552 for (b = 1; b <= 32; b++) {
553 test_rand_bits(0, b);
554 }
555}
556
557void run_rand_int(void) {
558 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
559 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
560 unsigned int m, s;
561 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
562 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
563 test_rand_int(ms[m] * ss[s], ss[s]);
564 }
565 }
566}
567
659b554d
PW		 568/***** NUM TESTS *****/
569
597128d3 570#ifndef USE_NUM_NONE
dd891e0e 571void random_num_negate(secp256k1_num *num) {
fa57f1bd 572 if (secp256k1_rand_bits(1)) {
659b554d 573 secp256k1_num_negate(num);
26320197 574 }
659b554d
PW		 575}
576
dd891e0e
PW		 577void random_num_order_test(secp256k1_num *num) {
578 secp256k1_scalar sc;
659b554d
PW		 579 random_scalar_order_test(&sc);
580 secp256k1_scalar_get_num(num, &sc);
581}
582
dd891e0e
PW		 583void random_num_order(secp256k1_num *num) {
584 secp256k1_scalar sc;
659b554d
PW		 585 random_scalar_order(&sc);
586 secp256k1_scalar_get_num(num, &sc);
404c30a8
PW		 587}
588
2cad067a 589void test_num_negate(void) {
dd891e0e
PW		 590 secp256k1_num n1;
591 secp256k1_num n2;
71712b27 592 random_num_order_test(&n1); /* n1 = R */
3f44e1ad 593 random_num_negate(&n1);
71712b27
GM		 594 secp256k1_num_copy(&n2, &n1); /* n2 = R */
595 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
0592d117 596 CHECK(secp256k1_num_is_zero(&n1));
71712b27
GM		 597 secp256k1_num_copy(&n1, &n2); /* n1 = R */
598 secp256k1_num_negate(&n1); /* n1 = -R */
0592d117 599 CHECK(!secp256k1_num_is_zero(&n1));
71712b27 600 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
0592d117 601 CHECK(secp256k1_num_is_zero(&n1));
71712b27
GM		 602 secp256k1_num_copy(&n1, &n2); /* n1 = R */
603 secp256k1_num_negate(&n1); /* n1 = -R */
0592d117 604 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
71712b27 605 secp256k1_num_negate(&n1); /* n1 = R */
1a749b4a 606 CHECK(secp256k1_num_eq(&n1, &n2));
3f44e1ad
PW		 607}
608
2cad067a 609void test_num_add_sub(void) {
efd953a7
PD		 610 int i;
611 secp256k1_scalar s;
dd891e0e
PW		 612 secp256k1_num n1;
613 secp256k1_num n2;
614 secp256k1_num n1p2, n2p1, n1m2, n2m1;
71712b27 615 random_num_order_test(&n1); /* n1 = R1 */
fa57f1bd 616 if (secp256k1_rand_bits(1)) {
1a749b4a
PW		 617 random_num_negate(&n1);
618 }
71712b27 619 random_num_order_test(&n2); /* n2 = R2 */
fa57f1bd 620 if (secp256k1_rand_bits(1)) {
1a749b4a
PW		 621 random_num_negate(&n2);
622 }
71712b27
GM		 623 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
624 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
625 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
626 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
1a749b4a
PW		 627 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
628 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
71712b27 629 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
1a749b4a
PW		 630 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
631 CHECK(!secp256k1_num_eq(&n2m1, &n1));
71712b27 632 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
1a749b4a
PW		 633 CHECK(secp256k1_num_eq(&n2m1, &n1));
634 CHECK(!secp256k1_num_eq(&n2p1, &n1));
71712b27 635 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
1a749b4a 636 CHECK(secp256k1_num_eq(&n2p1, &n1));
efd953a7
PD		 637
638 /* check is_one */
639 secp256k1_scalar_set_int(&s, 1);
640 secp256k1_scalar_get_num(&n1, &s);
641 CHECK(secp256k1_num_is_one(&n1));
642 /* check that 2^n + 1 is never 1 */
643 secp256k1_scalar_get_num(&n2, &s);
644 for (i = 0; i < 250; ++i) {
645 secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */
646 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */
647 CHECK(!secp256k1_num_is_one(&n1p2));
648 }
649}
650
651void test_num_mod(void) {
652 int i;
653 secp256k1_scalar s;
654 secp256k1_num order, n;
655
656 /* check that 0 mod anything is 0 */
7d893f49 657 random_scalar_order_test(&s);
efd953a7
PD		 658 secp256k1_scalar_get_num(&order, &s);
659 secp256k1_scalar_set_int(&s, 0);
660 secp256k1_scalar_get_num(&n, &s);
661 secp256k1_num_mod(&n, &order);
662 CHECK(secp256k1_num_is_zero(&n));
663
664 /* check that anything mod 1 is 0 */
665 secp256k1_scalar_set_int(&s, 1);
666 secp256k1_scalar_get_num(&order, &s);
667 secp256k1_scalar_get_num(&n, &s);
668 secp256k1_num_mod(&n, &order);
669 CHECK(secp256k1_num_is_zero(&n));
670
671 /* check that increasing the number past 2^256 does not break this */
7d893f49 672 random_scalar_order_test(&s);
efd953a7
PD		 673 secp256k1_scalar_get_num(&n, &s);
674 /* multiply by 2^8, which'll test this case with high probability */
675 for (i = 0; i < 8; ++i) {
676 secp256k1_num_add(&n, &n, &n);
677 }
678 secp256k1_num_mod(&n, &order);
679 CHECK(secp256k1_num_is_zero(&n));
680}
681
682void test_num_jacobi(void) {
683 secp256k1_scalar sqr;
684 secp256k1_scalar small;
685 secp256k1_scalar five; /* five is not a quadratic residue */
686 secp256k1_num order, n;
687 int i;
688 /* squares mod 5 are 1, 4 */
689 const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
690
691 /* check some small values with 5 as the order */
692 secp256k1_scalar_set_int(&five, 5);
693 secp256k1_scalar_get_num(&order, &five);
694 for (i = 0; i < 10; ++i) {
695 secp256k1_scalar_set_int(&small, i);
696 secp256k1_scalar_get_num(&n, &small);
697 CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
698 }
699
700 /** test large values with 5 as group order */
701 secp256k1_scalar_get_num(&order, &five);
702 /* we first need a scalar which is not a multiple of 5 */
703 do {
704 secp256k1_num fiven;
7d893f49 705 random_scalar_order_test(&sqr);
efd953a7
PD		 706 secp256k1_scalar_get_num(&fiven, &five);
707 secp256k1_scalar_get_num(&n, &sqr);
708 secp256k1_num_mod(&n, &fiven);
709 } while (secp256k1_num_is_zero(&n));
710 /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
711 * just multiply by two, i.e. add the number to itself */
712 if (secp256k1_num_jacobi(&n, &order) == -1) {
713 secp256k1_num_add(&n, &n, &n);
714 }
715
716 /* test residue */
717 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
718 /* test nonresidue */
719 secp256k1_num_add(&n, &n, &n);
720 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
721
722 /** test with secp group order as order */
723 secp256k1_scalar_order_get_num(&order);
7d893f49 724 random_scalar_order_test(&sqr);
efd953a7
PD		 725 secp256k1_scalar_sqr(&sqr, &sqr);
726 /* test residue */
727 secp256k1_scalar_get_num(&n, &sqr);
728 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
729 /* test nonresidue */
730 secp256k1_scalar_mul(&sqr, &sqr, &five);
731 secp256k1_scalar_get_num(&n, &sqr);
732 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
733 /* test multiple of the order*/
734 CHECK(secp256k1_num_jacobi(&order, &order) == 0);
735
736 /* check one less than the order */
737 secp256k1_scalar_set_int(&small, 1);
738 secp256k1_scalar_get_num(&n, &small);
739 secp256k1_num_sub(&n, &order, &n);
740 CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */
3f44e1ad
PW		 741}
742
2cad067a 743void run_num_smalltests(void) {
bf2e1ac7
GM		 744 int i;
745 for (i = 0; i < 100*count; i++) {
3f44e1ad
PW		 746 test_num_negate();
747 test_num_add_sub();
efd953a7
PD		 748 test_num_mod();
749 test_num_jacobi();
3f44e1ad 750 }
3f44e1ad 751}
597128d3 752#endif
3f44e1ad 753
79359302
PW		 754/***** SCALAR TESTS *****/
755
79359302 756void scalar_test(void) {
dd891e0e
PW		 757 secp256k1_scalar s;
758 secp256k1_scalar s1;
759 secp256k1_scalar s2;
bf2e1ac7 760#ifndef USE_NUM_NONE
dd891e0e
PW		 761 secp256k1_num snum, s1num, s2num;
762 secp256k1_num order, half_order;
bf2e1ac7 763#endif
79359302
PW		 764 unsigned char c[32];
765
71712b27 766 /* Set 's' to a random scalar, with value 'snum'. */
659b554d 767 random_scalar_order_test(&s);
79359302 768
71712b27 769 /* Set 's1' to a random scalar, with value 's1num'. */
659b554d 770 random_scalar_order_test(&s1);
79359302 771
71712b27 772 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
659b554d
PW		 773 random_scalar_order_test(&s2);
774 secp256k1_scalar_get_b32(c, &s2);
775
597128d3 776#ifndef USE_NUM_NONE
659b554d
PW		 777 secp256k1_scalar_get_num(&snum, &s);
778 secp256k1_scalar_get_num(&s1num, &s1);
779 secp256k1_scalar_get_num(&s2num, &s2);
780
659b554d 781 secp256k1_scalar_order_get_num(&order);
bf2e1ac7 782 half_order = order;
659b554d 783 secp256k1_num_shift(&half_order, 1);
597128d3 784#endif
79359302
PW		 785
786 {
bf2e1ac7 787 int i;
71712b27 788 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
dd891e0e 789 secp256k1_scalar n;
1e6c77c3 790 secp256k1_scalar_set_int(&n, 0);
bf2e1ac7 791 for (i = 0; i < 256; i += 4) {
dd891e0e 792 secp256k1_scalar t;
bf2e1ac7 793 int j;
1e6c77c3 794 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
bf2e1ac7 795 for (j = 0; j < 4; j++) {
1e6c77c3
PW		 796 secp256k1_scalar_add(&n, &n, &n);
797 }
798 secp256k1_scalar_add(&n, &n, &t);
79359302 799 }
1e6c77c3
PW		 800 CHECK(secp256k1_scalar_eq(&n, &s));
801 }
802
803 {
804 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
dd891e0e 805 secp256k1_scalar n;
1e6c77c3 806 int i = 0;
bf2e1ac7 807 secp256k1_scalar_set_int(&n, 0);
1e6c77c3 808 while (i < 256) {
dd891e0e 809 secp256k1_scalar t;
bf2e1ac7 810 int j;
fa57f1bd 811 int now = secp256k1_rand_int(15) + 1;
1e6c77c3
PW		 812 if (now + i > 256) {
813 now = 256 - i;
814 }
1e6c77c3 815 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
bf2e1ac7 816 for (j = 0; j < now; j++) {
1e6c77c3
PW		 817 secp256k1_scalar_add(&n, &n, &n);
818 }
819 secp256k1_scalar_add(&n, &n, &t);
820 i += now;
821 }
822 CHECK(secp256k1_scalar_eq(&n, &s));
79359302
PW		 823 }
824
597128d3 825#ifndef USE_NUM_NONE
79359302 826 {
71712b27 827 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
dd891e0e
PW		 828 secp256k1_num rnum;
829 secp256k1_num r2num;
830 secp256k1_scalar r;
79359302 831 secp256k1_num_add(&rnum, &snum, &s2num);
659b554d 832 secp256k1_num_mod(&rnum, &order);
79359302 833 secp256k1_scalar_add(&r, &s, &s2);
79359302
PW		 834 secp256k1_scalar_get_num(&r2num, &r);
835 CHECK(secp256k1_num_eq(&rnum, &r2num));
79359302
PW		 836 }
837
838 {
269d4227 839 /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
dd891e0e
PW		 840 secp256k1_scalar r;
841 secp256k1_num r2num;
842 secp256k1_num rnum;
79359302 843 secp256k1_num_mul(&rnum, &snum, &s2num);
659b554d 844 secp256k1_num_mod(&rnum, &order);
79359302 845 secp256k1_scalar_mul(&r, &s, &s2);
79359302
PW		 846 secp256k1_scalar_get_num(&r2num, &r);
847 CHECK(secp256k1_num_eq(&rnum, &r2num));
71712b27 848 /* The result can only be zero if at least one of the factors was zero. */
79359302 849 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
71712b27 850 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
79359302
PW		 851 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
852 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
79359302
PW		 853 }
854
855 {
dd891e0e
PW		 856 secp256k1_scalar neg;
857 secp256k1_num negnum;
858 secp256k1_num negnum2;
71712b27 859 /* Check that comparison with zero matches comparison with zero on the number. */
79359302 860 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
71712b27 861 /* Check that comparison with the half order is equal to testing for high scalar. */
659b554d 862 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
79359302 863 secp256k1_scalar_negate(&neg, &s);
659b554d
PW		 864 secp256k1_num_sub(&negnum, &order, &snum);
865 secp256k1_num_mod(&negnum, &order);
71712b27 866 /* Check that comparison with the half order is equal to testing for high scalar after negation. */
659b554d 867 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
71712b27 868 /* Negating should change the high property, unless the value was already zero. */
79359302 869 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
79359302 870 secp256k1_scalar_get_num(&negnum2, &neg);
71712b27 871 /* Negating a scalar should be equal to (order - n) mod order on the number. */
79359302
PW		 872 CHECK(secp256k1_num_eq(&negnum, &negnum2));
873 secp256k1_scalar_add(&neg, &neg, &s);
71712b27 874 /* Adding a number to its negation should result in zero. */
79359302
PW		 875 CHECK(secp256k1_scalar_is_zero(&neg));
876 secp256k1_scalar_negate(&neg, &neg);
71712b27 877 /* Negating zero should still result in zero. */
79359302 878 CHECK(secp256k1_scalar_is_zero(&neg));
79359302 879 }
ff8746d4
PW		 880
881 {
882 /* Test secp256k1_scalar_mul_shift_var. */
dd891e0e
PW		 883 secp256k1_scalar r;
884 secp256k1_num one;
885 secp256k1_num rnum;
886 secp256k1_num rnum2;
bf2e1ac7 887 unsigned char cone[1] = {0x01};
fa57f1bd 888 unsigned int shift = 256 + secp256k1_rand_int(257);
ff8746d4 889 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
ff8746d4
PW		 890 secp256k1_num_mul(&rnum, &s1num, &s2num);
891 secp256k1_num_shift(&rnum, shift - 1);
ff8746d4
PW		 892 secp256k1_num_set_bin(&one, cone, 1);
893 secp256k1_num_add(&rnum, &rnum, &one);
894 secp256k1_num_shift(&rnum, 1);
ff8746d4
PW		 895 secp256k1_scalar_get_num(&rnum2, &r);
896 CHECK(secp256k1_num_eq(&rnum, &rnum2));
897 }
44015000
AP		 898
899 {
900 /* test secp256k1_scalar_shr_int */
dd891e0e 901 secp256k1_scalar r;
44015000 902 int i;
44015000
AP		 903 random_scalar_order_test(&r);
904 for (i = 0; i < 100; ++i) {
cfe0ed91 905 int low;
fa57f1bd 906 int shift = 1 + secp256k1_rand_int(15);
44015000
AP		 907 int expected = r.d[0] % (1 << shift);
908 low = secp256k1_scalar_shr_int(&r, shift);
909 CHECK(expected == low);
910 }
911 }
597128d3 912#endif
79359302
PW		 913
914 {
71712b27 915 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
79359302 916 if (!secp256k1_scalar_is_zero(&s)) {
dd891e0e 917 secp256k1_scalar inv;
597128d3 918#ifndef USE_NUM_NONE
dd891e0e
PW		 919 secp256k1_num invnum;
920 secp256k1_num invnum2;
bf2e1ac7
GM		 921#endif
922 secp256k1_scalar_inverse(&inv, &s);
923#ifndef USE_NUM_NONE
924 secp256k1_num_mod_inverse(&invnum, &snum, &order);
79359302
PW		 925 secp256k1_scalar_get_num(&invnum2, &inv);
926 CHECK(secp256k1_num_eq(&invnum, &invnum2));
597128d3 927#endif
79359302 928 secp256k1_scalar_mul(&inv, &inv, &s);
71712b27 929 /* Multiplying a scalar with its inverse must result in one. */
79359302
PW		 930 CHECK(secp256k1_scalar_is_one(&inv));
931 secp256k1_scalar_inverse(&inv, &inv);
71712b27 932 /* Inverting one must result in one. */
79359302 933 CHECK(secp256k1_scalar_is_one(&inv));
efd953a7
PD		 934#ifndef USE_NUM_NONE
935 secp256k1_scalar_get_num(&invnum, &inv);
936 CHECK(secp256k1_num_is_one(&invnum));
937#endif
79359302
PW		 938 }
939 }
940
941 {
71712b27 942 /* Test commutativity of add. */
dd891e0e 943 secp256k1_scalar r1, r2;
79359302
PW		 944 secp256k1_scalar_add(&r1, &s1, &s2);
945 secp256k1_scalar_add(&r2, &s2, &s1);
946 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 947 }
948
52132078 949 {
dd891e0e
PW		 950 secp256k1_scalar r1, r2;
951 secp256k1_scalar b;
bf2e1ac7 952 int i;
52132078 953 /* Test add_bit. */
fa57f1bd 954 int bit = secp256k1_rand_bits(8);
1e6c77c3 955 secp256k1_scalar_set_int(&b, 1);
52132078 956 CHECK(secp256k1_scalar_is_one(&b));
bf2e1ac7 957 for (i = 0; i < bit; i++) {
52132078
PW		 958 secp256k1_scalar_add(&b, &b, &b);
959 }
bf2e1ac7
GM		 960 r1 = s1;
961 r2 = s1;
29ae1310 962 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
52132078 963 /* No overflow happened. */
ed35d43a
AP		 964 secp256k1_scalar_cadd_bit(&r2, bit, 1);
965 CHECK(secp256k1_scalar_eq(&r1, &r2));
966 /* cadd is a noop when flag is zero */
967 secp256k1_scalar_cadd_bit(&r2, bit, 0);
52132078
PW		 968 CHECK(secp256k1_scalar_eq(&r1, &r2));
969 }
970 }
971
79359302 972 {
71712b27 973 /* Test commutativity of mul. */
dd891e0e 974 secp256k1_scalar r1, r2;
79359302
PW		 975 secp256k1_scalar_mul(&r1, &s1, &s2);
976 secp256k1_scalar_mul(&r2, &s2, &s1);
977 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 978 }
979
980 {
71712b27 981 /* Test associativity of add. */
dd891e0e 982 secp256k1_scalar r1, r2;
79359302
PW		 983 secp256k1_scalar_add(&r1, &s1, &s2);
984 secp256k1_scalar_add(&r1, &r1, &s);
985 secp256k1_scalar_add(&r2, &s2, &s);
986 secp256k1_scalar_add(&r2, &s1, &r2);
987 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 988 }
989
990 {
71712b27 991 /* Test associativity of mul. */
dd891e0e 992 secp256k1_scalar r1, r2;
79359302
PW		 993 secp256k1_scalar_mul(&r1, &s1, &s2);
994 secp256k1_scalar_mul(&r1, &r1, &s);
995 secp256k1_scalar_mul(&r2, &s2, &s);
996 secp256k1_scalar_mul(&r2, &s1, &r2);
997 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 998 }
999
1000 {
71712b27 1001 /* Test distributitivity of mul over add. */
dd891e0e 1002 secp256k1_scalar r1, r2, t;
79359302
PW		 1003 secp256k1_scalar_add(&r1, &s1, &s2);
1004 secp256k1_scalar_mul(&r1, &r1, &s);
1005 secp256k1_scalar_mul(&r2, &s1, &s);
1006 secp256k1_scalar_mul(&t, &s2, &s);
1007 secp256k1_scalar_add(&r2, &r2, &t);
1008 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302 1009 }
1d52a8b1
PW		 1010
1011 {
71712b27 1012 /* Test square. */
dd891e0e 1013 secp256k1_scalar r1, r2;
1d52a8b1
PW		 1014 secp256k1_scalar_sqr(&r1, &s1);
1015 secp256k1_scalar_mul(&r2, &s1, &s1);
1016 CHECK(secp256k1_scalar_eq(&r1, &r2));
1017 }
ff8746d4 1018
8d11164b
GM		 1019 {
1020 /* Test multiplicative identity. */
dd891e0e 1021 secp256k1_scalar r1, v1;
8d11164b
GM		 1022 secp256k1_scalar_set_int(&v1,1);
1023 secp256k1_scalar_mul(&r1, &s1, &v1);
1024 CHECK(secp256k1_scalar_eq(&r1, &s1));
1025 }
1026
1027 {
1028 /* Test additive identity. */
dd891e0e 1029 secp256k1_scalar r1, v0;
8d11164b
GM		 1030 secp256k1_scalar_set_int(&v0,0);
1031 secp256k1_scalar_add(&r1, &s1, &v0);
1032 CHECK(secp256k1_scalar_eq(&r1, &s1));
1033 }
1034
1035 {
1036 /* Test zero product property. */
dd891e0e 1037 secp256k1_scalar r1, v0;
8d11164b
GM		 1038 secp256k1_scalar_set_int(&v0,0);
1039 secp256k1_scalar_mul(&r1, &s1, &v0);
1040 CHECK(secp256k1_scalar_eq(&r1, &v0));
1041 }
1042
79359302
PW		 1043}
1044
1045void run_scalar_tests(void) {
bf2e1ac7
GM		 1046 int i;
1047 for (i = 0; i < 128 * count; i++) {
79359302
PW		 1048 scalar_test();
1049 }
659b554d
PW		 1050
1051 {
ee3eb4be 1052 /* (-1)+1 should be zero. */
dd891e0e 1053 secp256k1_scalar s, o;
659b554d 1054 secp256k1_scalar_set_int(&s, 1);
8d11164b 1055 CHECK(secp256k1_scalar_is_one(&s));
659b554d
PW		 1056 secp256k1_scalar_negate(&o, &s);
1057 secp256k1_scalar_add(&o, &o, &s);
1058 CHECK(secp256k1_scalar_is_zero(&o));
8d11164b
GM		 1059 secp256k1_scalar_negate(&o, &o);
1060 CHECK(secp256k1_scalar_is_zero(&o));
659b554d
PW		 1061 }
1062
597128d3 1063#ifndef USE_NUM_NONE
659b554d 1064 {
ee3eb4be 1065 /* A scalar with value of the curve order should be 0. */
dd891e0e
PW		 1066 secp256k1_num order;
1067 secp256k1_scalar zero;
bf2e1ac7 1068 unsigned char bin[32];
659b554d 1069 int overflow = 0;
bf2e1ac7
GM		 1070 secp256k1_scalar_order_get_num(&order);
1071 secp256k1_num_get_bin(bin, 32, &order);
659b554d
PW		 1072 secp256k1_scalar_set_b32(&zero, bin, &overflow);
1073 CHECK(overflow == 1);
1074 CHECK(secp256k1_scalar_is_zero(&zero));
1075 }
597128d3 1076#endif
26abce75
GM		 1077
1078 {
1079 /* Does check_overflow check catch all ones? */
1080 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1081 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1082 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1083 );
1084 CHECK(secp256k1_scalar_check_overflow(&overflowed));
1085 }
1086
1087 {
1088 /* Static test vectors.
269d4227 1089 * These were reduced from ~10^12 random vectors based on comparison-decision
26abce75
GM		 1090 * and edge-case coverage on 32-bit and 64-bit implementations.
1091 * The responses were generated with Sage 5.9.
1092 */
1093 secp256k1_scalar x;
1094 secp256k1_scalar y;
1095 secp256k1_scalar z;
1096 secp256k1_scalar zz;
1097 secp256k1_scalar one;
1098 secp256k1_scalar r1;
1099 secp256k1_scalar r2;
1100#if defined(USE_SCALAR_INV_NUM)
1101 secp256k1_scalar zzv;
1102#endif
1103 int overflow;
093a497a 1104 unsigned char chal[33][2][32] = {
26abce75
GM		 1105 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1106 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1107 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1108 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1109 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1110 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1111 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1112 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1113 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1114 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1115 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1116 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1117 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1118 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1119 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1120 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1121 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1122 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1123 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1124 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1125 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1126 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1127 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1128 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1129 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1130 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1131 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1132 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1133 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1134 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1135 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1136 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1137 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1138 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1139 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1140 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1141 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1142 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1143 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1144 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1145 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1146 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1147 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1148 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1149 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1150 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1151 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1152 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1153 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1154 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1155 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1156 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1157 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1158 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1159 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1160 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1161 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1162 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1163 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1164 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1165 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1166 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1167 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1168 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1169 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1170 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1171 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1172 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1173 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1174 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1175 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1176 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1177 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1178 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1179 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1180 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1181 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1182 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1183 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1184 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1185 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1186 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1187 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1188 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1189 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1190 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1191 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1192 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1193 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1194 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1195 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1196 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1197 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1198 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1199 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1200 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1201 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1202 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1203 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1204 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1205 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1206 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1207 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1208 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1209 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1210 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1211 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1212 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1213 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1214 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1215 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1216 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1217 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1218 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1219 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1220 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1221 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1222 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1223 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1224 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1225 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1226 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1227 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1228 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1229 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1230 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1231 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1232 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1233 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1234 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1235 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1236 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1237 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1238 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1239 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1240 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1241 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1242 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1243 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1244 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1245 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1246 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1247 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1248 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1249 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1250 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1251 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1252 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1253 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1254 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1255 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1256 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1257 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1258 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1259 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1260 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1261 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1262 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1263 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1264 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1265 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1266 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1267 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1268 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1269 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1270 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1271 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1272 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1273 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1274 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1275 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1276 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1277 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1278 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1279 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1280 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1281 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1282 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1283 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1284 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1285 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1286 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1287 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1288 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1289 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1290 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1291 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1292 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1293 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1294 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1295 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1296 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1297 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1298 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1299 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1300 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1301 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1302 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1303 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1304 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1305 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1306 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1307 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1308 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1309 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1310 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1311 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1312 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1313 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1314 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1315 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1316 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1317 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1318 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1319 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1320 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1321 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1322 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1323 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1324 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1325 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1326 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1327 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1328 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1329 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1330 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1331 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1332 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1333 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1334 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1335 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1336 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1337 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1338 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1339 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1340 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1341 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1342 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1343 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1344 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1345 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1346 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1347 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1348 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1349 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1350 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1351 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1352 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1353 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1354 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1355 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1356 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1357 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1358 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1359 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
093a497a
JN		 1360 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1361 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1362 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1363 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1364 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1365 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1366 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1367 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1368 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
26abce75 1369 };
093a497a 1370 unsigned char res[33][2][32] = {
26abce75
GM		 1371 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1372 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1373 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1374 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1375 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1376 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1377 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1378 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1379 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1380 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1381 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1382 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1383 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1384 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1385 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1386 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1387 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1388 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1389 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1390 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1391 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1392 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1393 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1394 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1395 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1396 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1397 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1398 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1399 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1400 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1401 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1402 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1403 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1404 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1405 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1406 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1407 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1408 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1409 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1410 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1411 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1412 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1413 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1414 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1415 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1416 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1417 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1418 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1419 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1420 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1421 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1422 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1423 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1424 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1425 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1426 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1427 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1428 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1429 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1430 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1431 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1432 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1433 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1434 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1435 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1436 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1437 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1438 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1439 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1440 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1441 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1442 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1443 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1444 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1445 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1446 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1447 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1448 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1449 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1450 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1451 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1452 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1453 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1454 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1455 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1456 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1457 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1458 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1459 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1460 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1461 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1462 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1463 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1464 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1465 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1466 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1467 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1468 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1469 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1470 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1471 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1472 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1473 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1474 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1475 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1476 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1477 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1478 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1479 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1480 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1481 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1482 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1483 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1484 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1485 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1486 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1487 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1488 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1489 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1490 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1491 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1492 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1493 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1494 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1495 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1496 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1497 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1498 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1499 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1500 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1501 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1502 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1503 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1504 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1505 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1506 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1507 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1508 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1509 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1510 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1511 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1512 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1513 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1514 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1515 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1516 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1517 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1518 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1519 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1520 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1521 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1522 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1523 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1524 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1525 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1526 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1527 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1528 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1529 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1530 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1531 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1532 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1533 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1534 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1535 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1536 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1537 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1538 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1539 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1540 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1541 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1542 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1543 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1544 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1545 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1546 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1547 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1548 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1549 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1550 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1551 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1552 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1553 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1554 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1555 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1556 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1557 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1558 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1559 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1560 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1561 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1562 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1563 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1564 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1565 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1566 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1567 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1568 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1569 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1570 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1571 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1572 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1573 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1574 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1575 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1576 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1577 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1578 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1579 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1580 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1581 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1582 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1583 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1584 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1585 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1586 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1587 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1588 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1589 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1590 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1591 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1592 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1593 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1594 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1595 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1596 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1597 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1598 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1599 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1600 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1601 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1602 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1603 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1604 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1605 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1606 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1607 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1608 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1609 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1610 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1611 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1612 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1613 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1614 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1615 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1616 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1617 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1618 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1619 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1620 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1621 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1622 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1623 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1624 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1625 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
093a497a
JN		 1626 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1627 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1628 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1629 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1630 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1631 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1632 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1633 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1634 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
26abce75
GM		 1635 };
1636 secp256k1_scalar_set_int(&one, 1);
093a497a 1637 for (i = 0; i < 33; i++) {
26abce75
GM		 1638 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1639 CHECK(!overflow);
1640 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1641 CHECK(!overflow);
1642 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1643 CHECK(!overflow);
1644 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1645 CHECK(!overflow);
1646 secp256k1_scalar_mul(&z, &x, &y);
1647 CHECK(!secp256k1_scalar_check_overflow(&z));
1648 CHECK(secp256k1_scalar_eq(&r1, &z));
1649 if (!secp256k1_scalar_is_zero(&y)) {
1650 secp256k1_scalar_inverse(&zz, &y);
1651 CHECK(!secp256k1_scalar_check_overflow(&zz));
1652#if defined(USE_SCALAR_INV_NUM)
1653 secp256k1_scalar_inverse_var(&zzv, &y);
1654 CHECK(secp256k1_scalar_eq(&zzv, &zz));
1655#endif
1656 secp256k1_scalar_mul(&z, &z, &zz);
1657 CHECK(!secp256k1_scalar_check_overflow(&z));
1658 CHECK(secp256k1_scalar_eq(&x, &z));
1659 secp256k1_scalar_mul(&zz, &zz, &y);
1660 CHECK(!secp256k1_scalar_check_overflow(&zz));
1661 CHECK(secp256k1_scalar_eq(&one, &zz));
1662 }
1663 secp256k1_scalar_mul(&z, &x, &x);
1664 CHECK(!secp256k1_scalar_check_overflow(&z));
1665 secp256k1_scalar_sqr(&zz, &x);
1666 CHECK(!secp256k1_scalar_check_overflow(&zz));
1667 CHECK(secp256k1_scalar_eq(&zz, &z));
1668 CHECK(secp256k1_scalar_eq(&r2, &zz));
1669 }
1670 }
79359302
PW		 1671}
1672
09ca4f32
PD		 1673/***** FIELD TESTS *****/
1674
dd891e0e 1675void random_fe(secp256k1_fe *x) {
09ca4f32 1676 unsigned char bin[32];
d907ebc0
PW		 1677 do {
1678 secp256k1_rand256(bin);
1679 if (secp256k1_fe_set_b32(x, bin)) {
1680 return;
1681 }
1682 } while(1);
09ca4f32
PD		 1683}
1684
64666251
PW		 1685void random_fe_test(secp256k1_fe *x) {
1686 unsigned char bin[32];
1687 do {
1688 secp256k1_rand256_test(bin);
1689 if (secp256k1_fe_set_b32(x, bin)) {
1690 return;
1691 }
1692 } while(1);
1693}
1694
dd891e0e 1695void random_fe_non_zero(secp256k1_fe *nz) {
6d6102fe 1696 int tries = 10;
09ca4f32 1697 while (--tries >= 0) {
6d6102fe
PD		 1698 random_fe(nz);
1699 secp256k1_fe_normalize(nz);
26320197 1700 if (!secp256k1_fe_is_zero(nz)) {
09ca4f32 1701 break;
26320197 1702 }
09ca4f32 1703 }
71712b27 1704 /* Infinitesimal probability of spurious failure here */
0592d117 1705 CHECK(tries >= 0);
09ca4f32
PD		 1706}
1707
dd891e0e
PW		 1708void random_fe_non_square(secp256k1_fe *ns) {
1709 secp256k1_fe r;
bf2e1ac7 1710 random_fe_non_zero(ns);
926836ad 1711 if (secp256k1_fe_sqrt(&r, ns)) {
6d6102fe
PD		 1712 secp256k1_fe_negate(ns, ns, 1);
1713 }
1714}
1715
dd891e0e
PW		 1716int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1717 secp256k1_fe an = *a;
1718 secp256k1_fe bn = *b;
bf2e1ac7
GM		 1719 secp256k1_fe_normalize_weak(&an);
1720 secp256k1_fe_normalize_var(&bn);
d7174edf 1721 return secp256k1_fe_equal_var(&an, &bn);
f16be77f
PD		 1722}
1723
dd891e0e
PW		 1724int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) {
1725 secp256k1_fe x;
1726 secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
bf2e1ac7 1727 secp256k1_fe_mul(&x, a, ai);
f16be77f
PD		 1728 return check_fe_equal(&x, &one);
1729}
1730
ff889f7d
PW		 1731void run_field_convert(void) {
1732 static const unsigned char b32[32] = {
1733 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1734 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1735 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1736 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1737 };
dd891e0e 1738 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
ff889f7d
PW		 1739 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1740 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1741 );
dd891e0e 1742 static const secp256k1_fe fe = SECP256K1_FE_CONST(
ff889f7d
PW		 1743 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1744 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1745 );
dd891e0e 1746 secp256k1_fe fe2;
ff889f7d 1747 unsigned char b322[32];
dd891e0e 1748 secp256k1_fe_storage fes2;
ff889f7d
PW		 1749 /* Check conversions to fe. */
1750 CHECK(secp256k1_fe_set_b32(&fe2, b32));
1751 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
ff889f7d
PW		 1752 secp256k1_fe_from_storage(&fe2, &fes);
1753 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1754 /* Check conversion from fe. */
1755 secp256k1_fe_get_b32(b322, &fe);
1756 CHECK(memcmp(b322, b32, 32) == 0);
ff889f7d
PW		 1757 secp256k1_fe_to_storage(&fes2, &fe);
1758 CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0);
1759}
1760
dd891e0e
PW		 1761int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b) {
1762 secp256k1_fe t = *b;
a0601cd7
PD		 1763#ifdef VERIFY
1764 t.magnitude = a->magnitude;
1765 t.normalized = a->normalized;
1766#endif
dd891e0e 1767 return memcmp(a, &t, sizeof(secp256k1_fe));
a0601cd7
PD		 1768}
1769
8d11164b 1770void run_field_misc(void) {
dd891e0e
PW		 1771 secp256k1_fe x;
1772 secp256k1_fe y;
1773 secp256k1_fe z;
1774 secp256k1_fe q;
1775 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
3f3964e4 1776 int i, j;
bf2e1ac7 1777 for (i = 0; i < 5*count; i++) {
dd891e0e 1778 secp256k1_fe_storage xs, ys, zs;
8d11164b
GM		 1779 random_fe(&x);
1780 random_fe_non_zero(&y);
1781 /* Test the fe equality and comparison operations. */
1782 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
d7174edf 1783 CHECK(secp256k1_fe_equal_var(&x, &x));
8d11164b
GM		 1784 z = x;
1785 secp256k1_fe_add(&z,&y);
9c4fb23d
GM		 1786 /* Test fe conditional move; z is not normalized here. */
1787 q = x;
1788 secp256k1_fe_cmov(&x, &z, 0);
3f3964e4 1789 VERIFY_CHECK(!x.normalized && x.magnitude == z.magnitude);
9c4fb23d 1790 secp256k1_fe_cmov(&x, &x, 1);
a0601cd7
PD		 1791 CHECK(fe_memcmp(&x, &z) != 0);
1792 CHECK(fe_memcmp(&x, &q) == 0);
9c4fb23d 1793 secp256k1_fe_cmov(&q, &z, 1);
3f3964e4 1794 VERIFY_CHECK(!q.normalized && q.magnitude == z.magnitude);
a0601cd7 1795 CHECK(fe_memcmp(&q, &z) == 0);
a0601cd7
PD		 1796 secp256k1_fe_normalize_var(&x);
1797 secp256k1_fe_normalize_var(&z);
9c4fb23d 1798 CHECK(!secp256k1_fe_equal_var(&x, &z));
3f3964e4
PD		 1799 secp256k1_fe_normalize_var(&q);
1800 secp256k1_fe_cmov(&q, &z, (i&1));
1801 VERIFY_CHECK(q.normalized && q.magnitude == 1);
1802 for (j = 0; j < 6; j++) {
1803 secp256k1_fe_negate(&z, &z, j+1);
1804 secp256k1_fe_normalize_var(&q);
1805 secp256k1_fe_cmov(&q, &z, (j&1));
1806 VERIFY_CHECK(!q.normalized && q.magnitude == (j+2));
1807 }
1808 secp256k1_fe_normalize_var(&z);
1809 /* Test storage conversion and conditional moves. */
fcc48c45
PW		 1810 secp256k1_fe_to_storage(&xs, &x);
1811 secp256k1_fe_to_storage(&ys, &y);
1812 secp256k1_fe_to_storage(&zs, &z);
1813 secp256k1_fe_storage_cmov(&zs, &xs, 0);
9c4fb23d 1814 secp256k1_fe_storage_cmov(&zs, &zs, 1);
fcc48c45
PW		 1815 CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0);
1816 secp256k1_fe_storage_cmov(&ys, &xs, 1);
1817 CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0);
1818 secp256k1_fe_from_storage(&x, &xs);
1819 secp256k1_fe_from_storage(&y, &ys);
1820 secp256k1_fe_from_storage(&z, &zs);
8d11164b
GM		 1821 /* Test that mul_int, mul, and add agree. */
1822 secp256k1_fe_add(&y, &x);
1823 secp256k1_fe_add(&y, &x);
1824 z = x;
1825 secp256k1_fe_mul_int(&z, 3);
1826 CHECK(check_fe_equal(&y, &z));
1827 secp256k1_fe_add(&y, &x);
1828 secp256k1_fe_add(&z, &x);
1829 CHECK(check_fe_equal(&z, &y));
1830 z = x;
1831 secp256k1_fe_mul_int(&z, 5);
1832 secp256k1_fe_mul(&q, &x, &fe5);
1833 CHECK(check_fe_equal(&z, &q));
1834 secp256k1_fe_negate(&x, &x, 1);
1835 secp256k1_fe_add(&z, &x);
1836 secp256k1_fe_add(&q, &x);
1837 CHECK(check_fe_equal(&y, &z));
1838 CHECK(check_fe_equal(&q, &y));
1839 }
1840}
1841
2cad067a 1842void run_field_inv(void) {
dd891e0e 1843 secp256k1_fe x, xi, xii;
bf2e1ac7
GM		 1844 int i;
1845 for (i = 0; i < 10*count; i++) {
f16be77f
PD		 1846 random_fe_non_zero(&x);
1847 secp256k1_fe_inv(&xi, &x);
1848 CHECK(check_fe_inverse(&x, &xi));
1849 secp256k1_fe_inv(&xii, &xi);
1850 CHECK(check_fe_equal(&x, &xii));
1851 }
1852}
1853
2cad067a 1854void run_field_inv_var(void) {
dd891e0e 1855 secp256k1_fe x, xi, xii;
bf2e1ac7
GM		 1856 int i;
1857 for (i = 0; i < 10*count; i++) {
f16be77f
PD		 1858 random_fe_non_zero(&x);
1859 secp256k1_fe_inv_var(&xi, &x);
1860 CHECK(check_fe_inverse(&x, &xi));
1861 secp256k1_fe_inv_var(&xii, &xi);
1862 CHECK(check_fe_equal(&x, &xii));
1863 }
1864}
1865
2cad067a 1866void run_field_inv_all_var(void) {
dd891e0e 1867 secp256k1_fe x[16], xi[16], xii[16];
bf2e1ac7 1868 int i;
71712b27 1869 /* Check it's safe to call for 0 elements */
7d893f49 1870 secp256k1_fe_inv_all_var(xi, x, 0);
bf2e1ac7
GM		 1871 for (i = 0; i < count; i++) {
1872 size_t j;
fa57f1bd 1873 size_t len = secp256k1_rand_int(15) + 1;
26320197 1874 for (j = 0; j < len; j++) {
f16be77f 1875 random_fe_non_zero(&x[j]);
26320197 1876 }
7d893f49 1877 secp256k1_fe_inv_all_var(xi, x, len);
26320197 1878 for (j = 0; j < len; j++) {
f16be77f 1879 CHECK(check_fe_inverse(&x[j], &xi[j]));
26320197 1880 }
7d893f49 1881 secp256k1_fe_inv_all_var(xii, xi, len);
26320197 1882 for (j = 0; j < len; j++) {
f16be77f 1883 CHECK(check_fe_equal(&x[j], &xii[j]));
26320197 1884 }
f16be77f
PD		 1885 }
1886}
1887
2cad067a 1888void run_sqr(void) {
dd891e0e 1889 secp256k1_fe x, s;
59447da3 1890
59447da3 1891 {
bf2e1ac7 1892 int i;
59447da3
PD		 1893 secp256k1_fe_set_int(&x, 1);
1894 secp256k1_fe_negate(&x, &x, 1);
1895
bf2e1ac7 1896 for (i = 1; i <= 512; ++i) {
59447da3
PD		 1897 secp256k1_fe_mul_int(&x, 2);
1898 secp256k1_fe_normalize(&x);
1899 secp256k1_fe_sqr(&s, &x);
59447da3
PD		 1900 }
1901 }
59447da3
PD		 1902}
1903
dd891e0e
PW		 1904void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
1905 secp256k1_fe r1, r2;
926836ad 1906 int v = secp256k1_fe_sqrt(&r1, a);
0592d117 1907 CHECK((v == 0) == (k == NULL));
09ca4f32
PD		 1908
1909 if (k != NULL) {
71712b27 1910 /* Check that the returned root is +/- the given known answer */
09ca4f32
PD		 1911 secp256k1_fe_negate(&r2, &r1, 1);
1912 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
1913 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
0592d117 1914 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
09ca4f32
PD		 1915 }
1916}
1917
2cad067a 1918void run_sqrt(void) {
dd891e0e 1919 secp256k1_fe ns, x, s, t;
bf2e1ac7 1920 int i;
6d6102fe 1921
71712b27 1922 /* Check sqrt(0) is 0 */
6d6102fe
PD		 1923 secp256k1_fe_set_int(&x, 0);
1924 secp256k1_fe_sqr(&s, &x);
1925 test_sqrt(&s, &x);
1926
71712b27 1927 /* Check sqrt of small squares (and their negatives) */
bf2e1ac7 1928 for (i = 1; i <= 100; i++) {
6d6102fe 1929 secp256k1_fe_set_int(&x, i);
09ca4f32
PD		 1930 secp256k1_fe_sqr(&s, &x);
1931 test_sqrt(&s, &x);
6d6102fe 1932 secp256k1_fe_negate(&t, &s, 1);
09ca4f32
PD		 1933 test_sqrt(&t, NULL);
1934 }
6d6102fe 1935
71712b27 1936 /* Consistency checks for large random values */
bf2e1ac7
GM		 1937 for (i = 0; i < 10; i++) {
1938 int j;
6d6102fe 1939 random_fe_non_square(&ns);
bf2e1ac7 1940 for (j = 0; j < count; j++) {
6d6102fe
PD		 1941 random_fe(&x);
1942 secp256k1_fe_sqr(&s, &x);
1943 test_sqrt(&s, &x);
1944 secp256k1_fe_negate(&t, &s, 1);
1945 test_sqrt(&t, NULL);
1946 secp256k1_fe_mul(&t, &s, &ns);
1947 test_sqrt(&t, NULL);
1948 }
1949 }
09ca4f32
PD		 1950}
1951
9338dbf7
PW		 1952/***** GROUP TESTS *****/
1953
dd891e0e 1954void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
60571c6e 1955 CHECK(a->infinity == b->infinity);
26320197 1956 if (a->infinity) {
60571c6e 1957 return;
26320197 1958 }
60571c6e 1959 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
baa75da5 1960 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
9338dbf7
PW		 1961}
1962
d2275795 1963/* This compares jacobian points including their Z, not just their geometric meaning. */
dd891e0e
PW		 1964int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
1965 secp256k1_gej a2;
1966 secp256k1_gej b2;
d2275795
GM		 1967 int ret = 1;
1968 ret &= a->infinity == b->infinity;
1969 if (ret && !a->infinity) {
1970 a2 = *a;
1971 b2 = *b;
1972 secp256k1_fe_normalize(&a2.x);
1973 secp256k1_fe_normalize(&a2.y);
1974 secp256k1_fe_normalize(&a2.z);
1975 secp256k1_fe_normalize(&b2.x);
1976 secp256k1_fe_normalize(&b2.y);
1977 secp256k1_fe_normalize(&b2.z);
1978 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
1979 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
1980 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
1981 }
1982 return ret;
1983}
1984
dd891e0e
PW		 1985void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
1986 secp256k1_fe z2s;
1987 secp256k1_fe u1, u2, s1, s2;
60571c6e 1988 CHECK(a->infinity == b->infinity);
26320197 1989 if (a->infinity) {
60571c6e 1990 return;
26320197 1991 }
60571c6e 1992 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
60571c6e 1993 secp256k1_fe_sqr(&z2s, &b->z);
60571c6e
PW		 1994 secp256k1_fe_mul(&u1, &a->x, &z2s);
1995 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
1996 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
1997 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
1998 CHECK(secp256k1_fe_equal_var(&u1, &u2));
1999 CHECK(secp256k1_fe_equal_var(&s1, &s2));
9338dbf7
PW		 2000}
2001
2cad067a 2002void test_ge(void) {
bf2e1ac7 2003 int i, i1;
76574202
PW		 2004#ifdef USE_ENDOMORPHISM
2005 int runs = 6;
2006#else
60571c6e 2007 int runs = 4;
76574202 2008#endif
60571c6e
PW		 2009 /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
2010 * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
2011 * All magnitudes are randomized.
269d4227 2012 * All 17*17 combinations of points are added to each other, using all applicable methods.
76574202
PW		 2013 *
2014 * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well.
60571c6e 2015 */
5eb030ca
WL		 2016 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
2017 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
2018 secp256k1_fe *zinv = (secp256k1_fe *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
dd891e0e
PW		 2019 secp256k1_fe zf;
2020 secp256k1_fe zfi2, zfi3;
4f9791ab 2021
60571c6e
PW		 2022 secp256k1_gej_set_infinity(&gej[0]);
2023 secp256k1_ge_clear(&ge[0]);
2024 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
bf2e1ac7
GM		 2025 for (i = 0; i < runs; i++) {
2026 int j;
dd891e0e 2027 secp256k1_ge g;
60571c6e 2028 random_group_element_test(&g);
76574202
PW		 2029#ifdef USE_ENDOMORPHISM
2030 if (i >= runs - 2) {
2031 secp256k1_ge_mul_lambda(&g, &ge[1]);
2032 }
2033 if (i >= runs - 1) {
2034 secp256k1_ge_mul_lambda(&g, &g);
2035 }
2036#endif
60571c6e
PW		 2037 ge[1 + 4 * i] = g;
2038 ge[2 + 4 * i] = g;
2039 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
2040 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
2041 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
2042 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
2043 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
2044 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
bf2e1ac7 2045 for (j = 0; j < 4; j++) {
60571c6e
PW		 2046 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
2047 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
2048 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
2049 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
2050 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
2051 }
2052 }
2053
4f9791ab
PD		 2054 /* Compute z inverses. */
2055 {
5eb030ca 2056 secp256k1_fe *zs = checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
4f9791ab
PD		 2057 for (i = 0; i < 4 * runs + 1; i++) {
2058 if (i == 0) {
2059 /* The point at infinity does not have a meaningful z inverse. Any should do. */
2060 do {
2061 random_field_element_test(&zs[i]);
2062 } while(secp256k1_fe_is_zero(&zs[i]));
2063 } else {
2064 zs[i] = gej[i].z;
2065 }
2066 }
7d893f49 2067 secp256k1_fe_inv_all_var(zinv, zs, 4 * runs + 1);
4f9791ab
PD		 2068 free(zs);
2069 }
2070
2071 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
2072 do {
2073 random_field_element_test(&zf);
2074 } while(secp256k1_fe_is_zero(&zf));
2075 random_field_element_magnitude(&zf);
2076 secp256k1_fe_inv_var(&zfi3, &zf);
2077 secp256k1_fe_sqr(&zfi2, &zfi3);
2078 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
2079
bf2e1ac7
GM		 2080 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
2081 int i2;
2082 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
60571c6e 2083 /* Compute reference result using gej + gej (var). */
dd891e0e
PW		 2084 secp256k1_gej refj, resj;
2085 secp256k1_ge ref;
2086 secp256k1_fe zr;
4f9791ab
PD		 2087 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2088 /* Check Z ratio. */
2089 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
dd891e0e 2090 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
4f9791ab
PD		 2091 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
2092 }
60571c6e
PW		 2093 secp256k1_ge_set_gej_var(&ref, &refj);
2094
2d5a186c
PD		 2095 /* Test gej + ge with Z ratio result (var). */
2096 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
60571c6e 2097 ge_equals_gej(&ref, &resj);
2d5a186c 2098 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
dd891e0e 2099 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2d5a186c
PD		 2100 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
2101 }
60571c6e 2102
4f9791ab
PD		 2103 /* Test gej + ge (var, with additional Z factor). */
2104 {
dd891e0e 2105 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
4f9791ab
PD		 2106 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
2107 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
2108 random_field_element_magnitude(&ge2_zfi.x);
2109 random_field_element_magnitude(&ge2_zfi.y);
2110 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
2111 ge_equals_gej(&ref, &resj);
2112 }
2113
60571c6e
PW		 2114 /* Test gej + ge (const). */
2115 if (i2 != 0) {
2116 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
2117 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
2118 ge_equals_gej(&ref, &resj);
2119 }
2120
2121 /* Test doubling (var). */
2122 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
dd891e0e 2123 secp256k1_fe zr2;
4f9791ab
PD		 2124 /* Normal doubling with Z ratio result. */
2125 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
60571c6e 2126 ge_equals_gej(&ref, &resj);
4f9791ab
PD		 2127 /* Check Z ratio. */
2128 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2129 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2130 /* Normal doubling. */
2131 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
60571c6e
PW		 2132 ge_equals_gej(&ref, &resj);
2133 }
2134
2135 /* Test adding opposites. */
2136 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2137 CHECK(secp256k1_ge_is_infinity(&ref));
2138 }
2139
2140 /* Test adding infinity. */
2141 if (i1 == 0) {
2142 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2143 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2144 ge_equals_gej(&ref, &gej[i2]);
2145 }
2146 if (i2 == 0) {
2147 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2148 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2149 ge_equals_gej(&ref, &gej[i1]);
2150 }
2151 }
2152 }
2153
9ab93355
PW		 2154 /* Test adding all points together in random order equals infinity. */
2155 {
dd891e0e 2156 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
5eb030ca 2157 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
bf2e1ac7 2158 for (i = 0; i < 4 * runs + 1; i++) {
9ab93355
PW		 2159 gej_shuffled[i] = gej[i];
2160 }
bf2e1ac7 2161 for (i = 0; i < 4 * runs + 1; i++) {
fa57f1bd 2162 int swap = i + secp256k1_rand_int(4 * runs + 1 - i);
9ab93355 2163 if (swap != i) {
dd891e0e 2164 secp256k1_gej t = gej_shuffled[i];
9ab93355
PW		 2165 gej_shuffled[i] = gej_shuffled[swap];
2166 gej_shuffled[swap] = t;
2167 }
2168 }
bf2e1ac7 2169 for (i = 0; i < 4 * runs + 1; i++) {
4f9791ab 2170 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
9ab93355
PW		 2171 }
2172 CHECK(secp256k1_gej_is_infinity(&sum));
2173 free(gej_shuffled);
2174 }
2175
4f9791ab 2176 /* Test batch gej -> ge conversion with and without known z ratios. */
60571c6e 2177 {
5eb030ca 2178 secp256k1_fe *zr = (secp256k1_fe *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_fe));
5eb030ca 2179 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
4f9791ab
PD		 2180 for (i = 0; i < 4 * runs + 1; i++) {
2181 /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
2182 if (i < 4 * runs) {
2183 secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
2184 }
2185 }
7f7a2ed3 2186 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
bf2e1ac7 2187 for (i = 0; i < 4 * runs + 1; i++) {
dd891e0e 2188 secp256k1_fe s;
d2275795
GM		 2189 random_fe_non_zero(&s);
2190 secp256k1_gej_rescale(&gej[i], &s);
60571c6e
PW		 2191 ge_equals_gej(&ge_set_all[i], &gej[i]);
2192 }
2193 free(ge_set_all);
4f9791ab 2194 free(zr);
60571c6e
PW		 2195 }
2196
ffd3b346
AP		 2197 /* Test batch gej -> ge conversion with many infinities. */
2198 for (i = 0; i < 4 * runs + 1; i++) {
2199 random_group_element_test(&ge[i]);
2200 /* randomly set half the points to infinitiy */
2201 if(secp256k1_fe_is_odd(&ge[i].x)) {
2202 secp256k1_ge_set_infinity(&ge[i]);
2203 }
2204 secp256k1_gej_set_ge(&gej[i], &ge[i]);
2205 }
2206 /* batch invert */
2207 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
2208 /* check result */
2209 for (i = 0; i < 4 * runs + 1; i++) {
2210 ge_equals_gej(&ge[i], &gej[i]);
2211 }
2212
60571c6e
PW		 2213 free(ge);
2214 free(gej);
4f9791ab 2215 free(zinv);
9338dbf7
PW		 2216}
2217
8c5d5f7b
AP		 2218void test_add_neg_y_diff_x(void) {
2219 /* The point of this test is to check that we can add two points
2220 * whose y-coordinates are negatives of each other but whose x
2221 * coordinates differ. If the x-coordinates were the same, these
2222 * points would be negatives of each other and their sum is
2223 * infinity. This is cool because it "covers up" any degeneracy
2224 * in the addition algorithm that would cause the xy coordinates
2225 * of the sum to be wrong (since infinity has no xy coordinates).
2226 * HOWEVER, if the x-coordinates are different, infinity is the
2227 * wrong answer, and such degeneracies are exposed. This is the
faa2a11c
M		 2228 * root of https://github.com/bitcoin-core/secp256k1/issues/257
2229 * which this test is a regression test for.
8c5d5f7b
AP		 2230 *
2231 * These points were generated in sage as
2232 * # secp256k1 params
2233 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2234 * C = EllipticCurve ([F (0), F (7)])
2235 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2236 * N = FiniteField(G.order())
2237 *
2238 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2239 * x = polygen(N)
2240 * lam = (1 - x^3).roots()[1][0]
2241 *
2242 * # random "bad pair"
2243 * P = C.random_element()
2244 * Q = -int(lam) * P
2245 * print " P: %x %x" % P.xy()
2246 * print " Q: %x %x" % Q.xy()
2247 * print "P + Q: %x %x" % (P + Q).xy()
2248 */
dd891e0e 2249 secp256k1_gej aj = SECP256K1_GEJ_CONST(
8c5d5f7b
AP		 2250 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2251 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2252 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2253 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2254 );
dd891e0e 2255 secp256k1_gej bj = SECP256K1_GEJ_CONST(
8c5d5f7b
AP		 2256 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2257 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2258 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2259 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2260 );
dd891e0e 2261 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
8c5d5f7b
AP		 2262 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2263 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2264 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2265 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2266 );
dd891e0e
PW		 2267 secp256k1_ge b;
2268 secp256k1_gej resj;
2269 secp256k1_ge res;
8c5d5f7b
AP		 2270 secp256k1_ge_set_gej(&b, &bj);
2271
2272 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2273 secp256k1_ge_set_gej(&res, &resj);
2274 ge_equals_gej(&res, &sumj);
2275
2276 secp256k1_gej_add_ge(&resj, &aj, &b);
2277 secp256k1_ge_set_gej(&res, &resj);
2278 ge_equals_gej(&res, &sumj);
2279
2280 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2281 secp256k1_ge_set_gej(&res, &resj);
2282 ge_equals_gej(&res, &sumj);
2283}
2284
2cad067a 2285void run_ge(void) {
bf2e1ac7
GM		 2286 int i;
2287 for (i = 0; i < count * 32; i++) {
9338dbf7
PW		 2288 test_ge();
2289 }
8c5d5f7b 2290 test_add_neg_y_diff_x();
9338dbf7
PW		 2291}
2292
a5a66c70 2293void test_ec_combine(void) {
dd891e0e
PW		 2294 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2295 secp256k1_pubkey data[6];
2296 const secp256k1_pubkey* d[6];
2297 secp256k1_pubkey sd;
2298 secp256k1_pubkey sd2;
2299 secp256k1_gej Qj;
2300 secp256k1_ge Q;
a5a66c70
PW		 2301 int i;
2302 for (i = 1; i <= 6; i++) {
dd891e0e 2303 secp256k1_scalar s;
a5a66c70
PW		 2304 random_scalar_order_test(&s);
2305 secp256k1_scalar_add(&sum, &sum, &s);
2306 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2307 secp256k1_ge_set_gej(&Q, &Qj);
2308 secp256k1_pubkey_save(&data[i - 1], &Q);
2309 d[i - 1] = &data[i - 1];
2310 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2311 secp256k1_ge_set_gej(&Q, &Qj);
2312 secp256k1_pubkey_save(&sd, &Q);
dc0ce9fc 2313 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
a5a66c70
PW		 2314 CHECK(memcmp(&sd, &sd2, sizeof(sd)) == 0);
2315 }
2316}
2317
2318void run_ec_combine(void) {
2319 int i;
2320 for (i = 0; i < count * 8; i++) {
2321 test_ec_combine();
2322 }
2323}
2324
64666251
PW		 2325void test_group_decompress(const secp256k1_fe* x) {
2326 /* The input itself, normalized. */
2327 secp256k1_fe fex = *x;
e6e9805f 2328 secp256k1_fe fez;
64666251
PW		 2329 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2330 secp256k1_ge ge_quad, ge_even, ge_odd;
e6e9805f 2331 secp256k1_gej gej_quad;
64666251
PW		 2332 /* Return values of the above calls. */
2333 int res_quad, res_even, res_odd;
2334
2335 secp256k1_fe_normalize_var(&fex);
2336
926836ad 2337 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
64666251
PW		 2338 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2339 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2340
2341 CHECK(res_quad == res_even);
2342 CHECK(res_quad == res_odd);
2343
2344 if (res_quad) {
2345 secp256k1_fe_normalize_var(&ge_quad.x);
2346 secp256k1_fe_normalize_var(&ge_odd.x);
2347 secp256k1_fe_normalize_var(&ge_even.x);
2348 secp256k1_fe_normalize_var(&ge_quad.y);
2349 secp256k1_fe_normalize_var(&ge_odd.y);
2350 secp256k1_fe_normalize_var(&ge_even.y);
2351
2352 /* No infinity allowed. */
2353 CHECK(!ge_quad.infinity);
2354 CHECK(!ge_even.infinity);
2355 CHECK(!ge_odd.infinity);
2356
2357 /* Check that the x coordinates check out. */
2358 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2359 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2360 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2361
2362 /* Check that the Y coordinate result in ge_quad is a square. */
e6e9805f 2363 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
64666251
PW		 2364
2365 /* Check odd/even Y in ge_odd, ge_even. */
2366 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2367 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
e6e9805f
PW		 2368
2369 /* Check secp256k1_gej_has_quad_y_var. */
2370 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2371 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2372 do {
2373 random_fe_test(&fez);
2374 } while (secp256k1_fe_is_zero(&fez));
2375 secp256k1_gej_rescale(&gej_quad, &fez);
2376 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2377 secp256k1_gej_neg(&gej_quad, &gej_quad);
2378 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2379 do {
2380 random_fe_test(&fez);
2381 } while (secp256k1_fe_is_zero(&fez));
2382 secp256k1_gej_rescale(&gej_quad, &fez);
2383 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2384 secp256k1_gej_neg(&gej_quad, &gej_quad);
2385 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
64666251
PW		 2386 }
2387}
2388
2389void run_group_decompress(void) {
2390 int i;
2391 for (i = 0; i < count * 4; i++) {
2392 secp256k1_fe fe;
2393 random_fe_test(&fe);
2394 test_group_decompress(&fe);
2395 }
2396}
2397
09ca4f32
PD		 2398/***** ECMULT TESTS *****/
2399
2cad067a 2400void run_ecmult_chain(void) {
443cd4b8 2401 /* random starting point A (on the curve) */
dd891e0e 2402 secp256k1_gej a = SECP256K1_GEJ_CONST(
443cd4b8
PW		 2403 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2404 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2405 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2406 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2407 );
71712b27 2408 /* two random initial factors xn and gn */
dd891e0e 2409 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
443cd4b8
PW		 2410 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2411 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2412 );
dd891e0e 2413 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
443cd4b8
PW		 2414 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2415 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2416 );
71712b27 2417 /* two small multipliers to be applied to xn and gn in every iteration: */
dd891e0e
PW		 2418 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2419 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
71712b27 2420 /* accumulators with the resulting coefficients to A and G */
dd891e0e
PW		 2421 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2422 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
443cd4b8 2423 /* actual points */
cfe0ed91 2424 secp256k1_gej x;
dd891e0e 2425 secp256k1_gej x2;
443cd4b8
PW		 2426 int i;
2427
71712b27 2428 /* the point being computed */
bf2e1ac7
GM		 2429 x = a;
2430 for (i = 0; i < 200*count; i++) {
71712b27 2431 /* in each iteration, compute X = xn*X + gn*G; */
a9b6595e 2432 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
71712b27
GM		 2433 /* also compute ae and ge: the actual accumulated factors for A and G */
2434 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
f24041d6
PW		 2435 secp256k1_scalar_mul(&ae, &ae, &xn);
2436 secp256k1_scalar_mul(&ge, &ge, &xn);
2437 secp256k1_scalar_add(&ge, &ge, &gn);
71712b27 2438 /* modify xn and gn */
f24041d6
PW		 2439 secp256k1_scalar_mul(&xn, &xn, &xf);
2440 secp256k1_scalar_mul(&gn, &gn, &gf);
404c30a8 2441
71712b27 2442 /* verify */
404c30a8 2443 if (i == 19999) {
443cd4b8 2444 /* expected result after 19999 iterations */
dd891e0e 2445 secp256k1_gej rp = SECP256K1_GEJ_CONST(
443cd4b8
PW		 2446 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2447 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2448 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2449 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2450 );
2451
2452 secp256k1_gej_neg(&rp, &rp);
4f9791ab 2453 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
443cd4b8 2454 CHECK(secp256k1_gej_is_infinity(&rp));
404c30a8 2455 }
4adf6b2a 2456 }
71712b27 2457 /* redo the computation, but directly with the resulting ae and ge coefficients: */
a9b6595e 2458 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
443cd4b8 2459 secp256k1_gej_neg(&x2, &x2);
4f9791ab 2460 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
443cd4b8 2461 CHECK(secp256k1_gej_is_infinity(&x2));
a41f32e6
PW		 2462}
2463
dd891e0e 2464void test_point_times_order(const secp256k1_gej *point) {
b5c9ee75 2465 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
dd891e0e
PW		 2466 secp256k1_scalar x;
2467 secp256k1_scalar nx;
2468 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2469 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2470 secp256k1_gej res1, res2;
2471 secp256k1_ge res3;
bf2e1ac7 2472 unsigned char pub[65];
788038d3 2473 size_t psize = 65;
bf2e1ac7
GM		 2474 random_scalar_order_test(&x);
2475 secp256k1_scalar_negate(&nx, &x);
a9b6595e
PW		 2476 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2477 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
4f9791ab 2478 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
b5c9ee75 2479 CHECK(secp256k1_gej_is_infinity(&res1));
39bd94d8 2480 CHECK(secp256k1_gej_is_valid_var(&res1) == 0);
ee3eb4be
GM		 2481 secp256k1_ge_set_gej(&res3, &res1);
2482 CHECK(secp256k1_ge_is_infinity(&res3));
39bd94d8 2483 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
9234391e 2484 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
8d11164b 2485 psize = 65;
9234391e 2486 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
baa75da5
AP		 2487 /* check zero/one edge cases */
2488 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2489 secp256k1_ge_set_gej(&res3, &res1);
2490 CHECK(secp256k1_ge_is_infinity(&res3));
2491 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2492 secp256k1_ge_set_gej(&res3, &res1);
2493 ge_equals_gej(&res3, point);
2494 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2495 secp256k1_ge_set_gej(&res3, &res1);
2496 ge_equals_ge(&res3, &secp256k1_ge_const_g);
4e0ed539
PW		 2497}
2498
2cad067a 2499void run_point_times_order(void) {
bf2e1ac7 2500 int i;
dd891e0e
PW		 2501 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2502 static const secp256k1_fe xr = SECP256K1_FE_CONST(
443cd4b8
PW		 2503 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2504 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2505 );
bf2e1ac7 2506 for (i = 0; i < 500; i++) {
dd891e0e 2507 secp256k1_ge p;
39bd94d8 2508 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
dd891e0e 2509 secp256k1_gej j;
bf2e1ac7 2510 CHECK(secp256k1_ge_is_valid_var(&p));
09ca4f32 2511 secp256k1_gej_set_ge(&j, &p);
39bd94d8 2512 CHECK(secp256k1_gej_is_valid_var(&j));
09ca4f32
PD		 2513 test_point_times_order(&j);
2514 }
910d0de4 2515 secp256k1_fe_sqr(&x, &x);
4e0ed539 2516 }
443cd4b8
PW		 2517 secp256k1_fe_normalize_var(&x);
2518 CHECK(secp256k1_fe_equal_var(&x, &xr));
4e0ed539
PW		 2519}
2520
44015000
AP		 2521void ecmult_const_random_mult(void) {
2522 /* random starting point A (on the curve) */
dd891e0e 2523 secp256k1_ge a = SECP256K1_GE_CONST(
44015000
AP		 2524 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2525 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2526 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2527 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2528 );
2529 /* random initial factor xn */
dd891e0e 2530 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
44015000
AP		 2531 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2532 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2533 );
2534 /* expected xn * A (from sage) */
dd891e0e 2535 secp256k1_ge expected_b = SECP256K1_GE_CONST(
44015000
AP		 2536 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2537 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2538 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2539 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2540 );
dd891e0e 2541 secp256k1_gej b;
7c1b91ba 2542 secp256k1_ecmult_const(&b, &a, &xn, 256);
44015000
AP		 2543
2544 CHECK(secp256k1_ge_is_valid_var(&a));
2545 ge_equals_gej(&expected_b, &b);
2546}
2547
2548void ecmult_const_commutativity(void) {
dd891e0e
PW		 2549 secp256k1_scalar a;
2550 secp256k1_scalar b;
2551 secp256k1_gej res1;
2552 secp256k1_gej res2;
2553 secp256k1_ge mid1;
2554 secp256k1_ge mid2;
44015000
AP		 2555 random_scalar_order_test(&a);
2556 random_scalar_order_test(&b);
2557
7c1b91ba
AP		 2558 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
2559 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
44015000
AP		 2560 secp256k1_ge_set_gej(&mid1, &res1);
2561 secp256k1_ge_set_gej(&mid2, &res2);
7c1b91ba
AP		 2562 secp256k1_ecmult_const(&res1, &mid1, &b, 256);
2563 secp256k1_ecmult_const(&res2, &mid2, &a, 256);
44015000
AP		 2564 secp256k1_ge_set_gej(&mid1, &res1);
2565 secp256k1_ge_set_gej(&mid2, &res2);
2566 ge_equals_ge(&mid1, &mid2);
2567}
2568
2569void ecmult_const_mult_zero_one(void) {
dd891e0e
PW		 2570 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2571 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2572 secp256k1_scalar negone;
2573 secp256k1_gej res1;
2574 secp256k1_ge res2;
2575 secp256k1_ge point;
44015000
AP		 2576 secp256k1_scalar_negate(&negone, &one);
2577
2578 random_group_element_test(&point);
7c1b91ba 2579 secp256k1_ecmult_const(&res1, &point, &zero, 3);
44015000
AP		 2580 secp256k1_ge_set_gej(&res2, &res1);
2581 CHECK(secp256k1_ge_is_infinity(&res2));
7c1b91ba 2582 secp256k1_ecmult_const(&res1, &point, &one, 2);
44015000
AP		 2583 secp256k1_ge_set_gej(&res2, &res1);
2584 ge_equals_ge(&res2, &point);
7c1b91ba 2585 secp256k1_ecmult_const(&res1, &point, &negone, 256);
44015000
AP		 2586 secp256k1_gej_neg(&res1, &res1);
2587 secp256k1_ge_set_gej(&res2, &res1);
2588 ge_equals_ge(&res2, &point);
2589}
2590
2591void ecmult_const_chain_multiply(void) {
2592 /* Check known result (randomly generated test problem from sage) */
dd891e0e 2593 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
44015000
AP		 2594 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2595 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2596 );
dd891e0e 2597 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
44015000
AP		 2598 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2599 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2600 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2601 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2602 );
dd891e0e
PW		 2603 secp256k1_gej point;
2604 secp256k1_ge res;
44015000
AP		 2605 int i;
2606
2607 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2608 for (i = 0; i < 100; ++i) {
dd891e0e 2609 secp256k1_ge tmp;
44015000 2610 secp256k1_ge_set_gej(&tmp, &point);
7c1b91ba 2611 secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
44015000
AP		 2612 }
2613 secp256k1_ge_set_gej(&res, &point);
2614 ge_equals_gej(&res, &expected_point);
2615}
2616
2617void run_ecmult_const_tests(void) {
2618 ecmult_const_mult_zero_one();
2619 ecmult_const_random_mult();
2620 ecmult_const_commutativity();
2621 ecmult_const_chain_multiply();
2622}
2623
dba5471b
AP		 2624typedef struct {
2625 secp256k1_scalar *sc;
2626 secp256k1_ge *pt;
2627} ecmult_multi_data;
2628
2629static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2630 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
2631 *sc = data->sc[idx];
2632 *pt = data->pt[idx];
2633 return 1;
2634}
2635
355a38f1
JN		 2636static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2637 (void)sc;
2638 (void)pt;
2639 (void)idx;
2640 (void)cbdata;
2641 return 0;
2642}
2643
2644void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
dba5471b
AP		 2645 int ncount;
2646 secp256k1_scalar szero;
2647 secp256k1_scalar sc[32];
2648 secp256k1_ge pt[32];
2649 secp256k1_gej r;
2650 secp256k1_gej r2;
2651 ecmult_multi_data data;
dba5471b
AP		 2652
2653 data.sc = sc;
2654 data.pt = pt;
dba5471b 2655 secp256k1_scalar_set_int(&szero, 0);
355a38f1
JN		 2656
2657 /* No points to multiply */
2658 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
dba5471b
AP		 2659
2660 /* Check 1- and 2-point multiplies against ecmult */
2661 for (ncount = 0; ncount < count; ncount++) {
2662 secp256k1_ge ptg;
2663 secp256k1_gej ptgj;
2664 random_scalar_order(&sc[0]);
2665 random_scalar_order(&sc[1]);
2666
2667 random_group_element_test(&ptg);
2668 secp256k1_gej_set_ge(&ptgj, &ptg);
2669 pt[0] = ptg;
2670 pt[1] = secp256k1_ge_const_g;
2671
355a38f1
JN		 2672 /* only G scalar */
2673 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
2674 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
2675 secp256k1_gej_neg(&r2, &r2);
2676 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2677 CHECK(secp256k1_gej_is_infinity(&r));
2678
dba5471b
AP		 2679 /* 1-point */
2680 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
355a38f1 2681 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
dba5471b
AP		 2682 secp256k1_gej_neg(&r2, &r2);
2683 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2684 CHECK(secp256k1_gej_is_infinity(&r));
2685
355a38f1
JN		 2686 /* Try to multiply 1 point, but callback returns false */
2687 CHECK(!ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
2688
dba5471b
AP		 2689 /* 2-point */
2690 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
355a38f1 2691 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
dba5471b
AP		 2692 secp256k1_gej_neg(&r2, &r2);
2693 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2694 CHECK(secp256k1_gej_is_infinity(&r));
2695
2696 /* 2-point with G scalar */
2697 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
355a38f1 2698 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
dba5471b
AP		 2699 secp256k1_gej_neg(&r2, &r2);
2700 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2701 CHECK(secp256k1_gej_is_infinity(&r));
2702 }
2703
2704 /* Check infinite outputs of various forms */
2705 for (ncount = 0; ncount < count; ncount++) {
2706 secp256k1_ge ptg;
2707 size_t i, j;
2708 size_t sizes[] = { 2, 10, 32 };
2709
2710 for (j = 0; j < 3; j++) {
2711 for (i = 0; i < 32; i++) {
2712 random_scalar_order(&sc[i]);
2713 secp256k1_ge_set_infinity(&pt[i]);
2714 }
355a38f1 2715 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
dba5471b
AP		 2716 CHECK(secp256k1_gej_is_infinity(&r));
2717 }
2718
2719 for (j = 0; j < 3; j++) {
2720 for (i = 0; i < 32; i++) {
2721 random_group_element_test(&ptg);
2722 pt[i] = ptg;
2723 secp256k1_scalar_set_int(&sc[i], 0);
2724 }
355a38f1 2725 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
dba5471b
AP		 2726 CHECK(secp256k1_gej_is_infinity(&r));
2727 }
2728
2729 for (j = 0; j < 3; j++) {
2730 random_group_element_test(&ptg);
2731 for (i = 0; i < 16; i++) {
2732 random_scalar_order(&sc[2*i]);
2733 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
2734 pt[2 * i] = ptg;
2735 pt[2 * i + 1] = ptg;
2736 }
2737
355a38f1 2738 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
dba5471b
AP		 2739 CHECK(secp256k1_gej_is_infinity(&r));
2740
2741 random_scalar_order(&sc[0]);
2742 for (i = 0; i < 16; i++) {
2743 random_group_element_test(&ptg);
2744
2745 sc[2*i] = sc[0];
2746 sc[2*i+1] = sc[0];
2747 pt[2 * i] = ptg;
2748 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
2749 }
2750
355a38f1 2751 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
dba5471b
AP		 2752 CHECK(secp256k1_gej_is_infinity(&r));
2753 }
2754
2755 random_group_element_test(&ptg);
2756 secp256k1_scalar_set_int(&sc[0], 0);
2757 pt[0] = ptg;
2758 for (i = 1; i < 32; i++) {
2759 pt[i] = ptg;
2760
2761 random_scalar_order(&sc[i]);
2762 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
2763 secp256k1_scalar_negate(&sc[i], &sc[i]);
2764 }
2765
355a38f1 2766 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
dba5471b
AP		 2767 CHECK(secp256k1_gej_is_infinity(&r));
2768 }
2769
2770 /* Check random points, constant scalar */
2771 for (ncount = 0; ncount < count; ncount++) {
2772 size_t i;
2773 secp256k1_gej_set_infinity(&r);
2774
2775 random_scalar_order(&sc[0]);
2776 for (i = 0; i < 20; i++) {
2777 secp256k1_ge ptg;
2778 sc[i] = sc[0];
2779 random_group_element_test(&ptg);
2780 pt[i] = ptg;
2781 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
2782 }
2783
2784 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
355a38f1 2785 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
dba5471b
AP		 2786 secp256k1_gej_neg(&r2, &r2);
2787 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2788 CHECK(secp256k1_gej_is_infinity(&r));
2789 }
2790
2791 /* Check random scalars, constant point */
2792 for (ncount = 0; ncount < count; ncount++) {
2793 size_t i;
2794 secp256k1_ge ptg;
2795 secp256k1_gej p0j;
2796 secp256k1_scalar rs;
2797 secp256k1_scalar_set_int(&rs, 0);
2798
2799 random_group_element_test(&ptg);
2800 for (i = 0; i < 20; i++) {
2801 random_scalar_order(&sc[i]);
2802 pt[i] = ptg;
2803 secp256k1_scalar_add(&rs, &rs, &sc[i]);
2804 }
2805
2806 secp256k1_gej_set_ge(&p0j, &pt[0]);
2807 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
355a38f1 2808 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
dba5471b
AP		 2809 secp256k1_gej_neg(&r2, &r2);
2810 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2811 CHECK(secp256k1_gej_is_infinity(&r));
2812 }
2813
2814 /* Sanity check that zero scalars don't cause problems */
95e99f19
AP		 2815 for (ncount = 0; ncount < 20; ncount++) {
2816 random_scalar_order(&sc[ncount]);
2817 random_group_element_test(&pt[ncount]);
2818 }
2819
dba5471b 2820 secp256k1_scalar_clear(&sc[0]);
355a38f1 2821 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
dba5471b
AP		 2822 secp256k1_scalar_clear(&sc[1]);
2823 secp256k1_scalar_clear(&sc[2]);
2824 secp256k1_scalar_clear(&sc[3]);
2825 secp256k1_scalar_clear(&sc[4]);
355a38f1
JN		 2826 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
2827 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
dba5471b
AP		 2828 CHECK(secp256k1_gej_is_infinity(&r));
2829
2830 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
2831 {
2832 const size_t TOP = 8;
2833 size_t s0i, s1i;
2834 size_t t0i, t1i;
2835 secp256k1_ge ptg;
2836 secp256k1_gej ptgj;
2837
2838 random_group_element_test(&ptg);
2839 secp256k1_gej_set_ge(&ptgj, &ptg);
2840
2841 for(t0i = 0; t0i < TOP; t0i++) {
2842 for(t1i = 0; t1i < TOP; t1i++) {
2843 secp256k1_gej t0p, t1p;
2844 secp256k1_scalar t0, t1;
2845
2846 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
2847 secp256k1_scalar_cond_negate(&t0, t0i & 1);
2848 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
2849 secp256k1_scalar_cond_negate(&t1, t1i & 1);
2850
2851 secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
2852 secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
2853
2854 for(s0i = 0; s0i < TOP; s0i++) {
2855 for(s1i = 0; s1i < TOP; s1i++) {
2856 secp256k1_scalar tmp1, tmp2;
2857 secp256k1_gej expected, actual;
2858
2859 secp256k1_ge_set_gej(&pt[0], &t0p);
2860 secp256k1_ge_set_gej(&pt[1], &t1p);
2861
2862 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
2863 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
2864 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
2865 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
2866
2867 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
2868 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
2869 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
2870
2871 secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
355a38f1 2872 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
dba5471b
AP		 2873 secp256k1_gej_neg(&expected, &expected);
2874 secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
2875 CHECK(secp256k1_gej_is_infinity(&actual));
2876 }
2877 }
2878 }
2879 }
2880 }
355a38f1
JN		 2881}
2882
9ab96f7b
JN		 2883void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) {
2884 secp256k1_scalar szero;
2885 secp256k1_scalar sc[32];
2886 secp256k1_ge pt[32];
2887 secp256k1_gej r;
2888 ecmult_multi_data data;
2889 secp256k1_scratch *scratch_empty;
2890
2891 data.sc = sc;
2892 data.pt = pt;
2893 secp256k1_scalar_set_int(&szero, 0);
2894
2895 /* Try to multiply 1 point, but scratch space is empty.*/
2896 scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
2897 CHECK(!ecmult_multi(&ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
2898 secp256k1_scratch_destroy(scratch_empty);
2899}
2900
36b22c93
JN		 2901void test_secp256k1_pippenger_bucket_window_inv(void) {
2902 int i;
2903
2904 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
2905 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
2906#ifdef USE_ENDOMORPHISM
2907 /* Bucket_window of 8 is not used with endo */
2908 if (i == 8) {
2909 continue;
2910 }
2911#endif
2912 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
2913 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
2914 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
2915 }
2916 }
2917}
2918
2919/**
2920 * Probabilistically test the function returning the maximum number of possible points
2921 * for a given scratch space.
2922 */
2923void test_ecmult_multi_pippenger_max_points(void) {
2924 size_t scratch_size = secp256k1_rand_int(256);
2925 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
2926 secp256k1_scratch *scratch;
2927 size_t n_points_supported;
2928 int bucket_window = 0;
2929
2930 for(; scratch_size < max_size; scratch_size+=256) {
6fe50439 2931 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
36b22c93
JN		 2932 CHECK(scratch != NULL);
2933 n_points_supported = secp256k1_pippenger_max_points(scratch);
2934 if (n_points_supported == 0) {
2935 secp256k1_scratch_destroy(scratch);
2936 continue;
2937 }
2938 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
6fe50439
AP		 2939 CHECK(secp256k1_scratch_allocate_frame(scratch, secp256k1_pippenger_scratch_size(n_points_supported, bucket_window), PIPPENGER_SCRATCH_OBJECTS));
2940 secp256k1_scratch_deallocate_frame(scratch);
36b22c93
JN		 2941 secp256k1_scratch_destroy(scratch);
2942 }
2943 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
2944}
2945
2277af5f
JN		 2946void test_ecmult_multi_batch_size_helper(void) {
2947 size_t n_batches, n_batch_points, max_n_batch_points, n;
2948
2949 max_n_batch_points = 0;
2950 n = 1;
2951 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
2952
2953 max_n_batch_points = 1;
2954 n = 0;
2955 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2956 CHECK(n_batches == 0);
2957 CHECK(n_batch_points == 0);
2958
2959 max_n_batch_points = 2;
2960 n = 5;
2961 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2962 CHECK(n_batches == 3);
2963 CHECK(n_batch_points == 2);
2964
2965 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
2966 n = ECMULT_MAX_POINTS_PER_BATCH;
2967 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2968 CHECK(n_batches == 1);
2969 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
2970
2971 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
2972 n = ECMULT_MAX_POINTS_PER_BATCH + 1;
2973 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2974 CHECK(n_batches == 2);
2975 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
2976
2977 max_n_batch_points = 1;
2978 n = SIZE_MAX;
2979 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2980 CHECK(n_batches == SIZE_MAX);
2981 CHECK(n_batch_points == 1);
2982
2983 max_n_batch_points = 2;
2984 n = SIZE_MAX;
2985 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2986 CHECK(n_batches == SIZE_MAX/2 + 1);
2987 CHECK(n_batch_points == 2);
2988}
2989
36b22c93
JN		 2990/**
2991 * Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to
2992 * 1 <= i <= num points.
2993 */
355a38f1 2994void test_ecmult_multi_batching(void) {
36b22c93 2995 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
355a38f1
JN		 2996 secp256k1_scalar scG;
2997 secp256k1_scalar szero;
2998 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
2999 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
3000 secp256k1_gej r;
3001 secp256k1_gej r2;
3002 ecmult_multi_data data;
3003 int i;
3004 secp256k1_scratch *scratch;
3005
355a38f1
JN		 3006 secp256k1_gej_set_infinity(&r2);
3007 secp256k1_scalar_set_int(&szero, 0);
3008
36b22c93 3009 /* Get random scalars and group elements and compute result */
355a38f1
JN		 3010 random_scalar_order(&scG);
3011 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
3012 for(i = 0; i < n_points; i++) {
3013 secp256k1_ge ptg;
36b22c93 3014 secp256k1_gej ptgj;
355a38f1 3015 random_group_element_test(&ptg);
36b22c93 3016 secp256k1_gej_set_ge(&ptgj, &ptg);
355a38f1
JN		 3017 pt[i] = ptg;
3018 random_scalar_order(&sc[i]);
36b22c93
JN		 3019 secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
3020 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
355a38f1
JN		 3021 }
3022 data.sc = sc;
3023 data.pt = pt;
9ab96f7b 3024 secp256k1_gej_neg(&r2, &r2);
355a38f1 3025
9ab96f7b
JN		 3026 /* Test with empty scratch space. It should compute the correct result using
3027 * ecmult_mult_simple algorithm which doesn't require a scratch space. */
6fe50439 3028 scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
9ab96f7b
JN		 3029 CHECK(secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3030 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3031 CHECK(secp256k1_gej_is_infinity(&r));
355a38f1
JN		 3032 secp256k1_scratch_destroy(scratch);
3033
3034 /* Test with space for 1 point in pippenger. That's not enough because
9ab96f7b
JN		 3035 * ecmult_multi selects strauss which requires more memory. It should
3036 * therefore select the simple algorithm. */
6fe50439 3037 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
9ab96f7b
JN		 3038 CHECK(secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3039 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3040 CHECK(secp256k1_gej_is_infinity(&r));
355a38f1
JN		 3041 secp256k1_scratch_destroy(scratch);
3042
36b22c93 3043 for(i = 1; i <= n_points; i++) {
355a38f1
JN		 3044 if (i > ECMULT_PIPPENGER_THRESHOLD) {
3045 int bucket_window = secp256k1_pippenger_bucket_window(i);
3046 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
6fe50439 3047 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
355a38f1
JN		 3048 } else {
3049 size_t scratch_size = secp256k1_strauss_scratch_size(i);
6fe50439 3050 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
355a38f1 3051 }
36b22c93 3052 CHECK(secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
355a38f1
JN		 3053 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3054 CHECK(secp256k1_gej_is_infinity(&r));
3055 secp256k1_scratch_destroy(scratch);
3056 }
355a38f1
JN		 3057 free(sc);
3058 free(pt);
3059}
3060
3061void run_ecmult_multi_tests(void) {
3062 secp256k1_scratch *scratch;
dba5471b 3063
36b22c93
JN		 3064 test_secp256k1_pippenger_bucket_window_inv();
3065 test_ecmult_multi_pippenger_max_points();
6fe50439 3066 scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
36b22c93 3067 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
bade6174 3068 test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
36b22c93 3069 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
9ab96f7b 3070 test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single);
36b22c93 3071 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
9ab96f7b 3072 test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single);
36b22c93
JN		 3073 secp256k1_scratch_destroy(scratch);
3074
3075 /* Run test_ecmult_multi with space for exactly one point */
6fe50439 3076 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
36b22c93 3077 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
dba5471b 3078 secp256k1_scratch_destroy(scratch);
355a38f1 3079
2277af5f 3080 test_ecmult_multi_batch_size_helper();
355a38f1 3081 test_ecmult_multi_batching();
dba5471b
AP		 3082}
3083
dd891e0e
PW		 3084void test_wnaf(const secp256k1_scalar *number, int w) {
3085 secp256k1_scalar x, two, t;
bf2e1ac7
GM		 3086 int wnaf[256];
3087 int zeroes = -1;
3088 int i;
3089 int bits;
f24041d6
PW		 3090 secp256k1_scalar_set_int(&x, 0);
3091 secp256k1_scalar_set_int(&two, 2);
55399c23 3092 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
0b730597 3093 CHECK(bits <= 256);
bf2e1ac7 3094 for (i = bits-1; i >= 0; i--) {
b1483f87 3095 int v = wnaf[i];
bf2e1ac7 3096 secp256k1_scalar_mul(&x, &x, &two);
4e0ed539 3097 if (v) {
71712b27 3098 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
4e0ed539 3099 zeroes=0;
71712b27
GM		 3100 CHECK((v & 1) == 1); /* check non-zero elements are odd */
3101 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
3102 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
4e0ed539 3103 } else {
71712b27 3104 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
4e0ed539
PW		 3105 zeroes++;
3106 }
f24041d6
PW		 3107 if (v >= 0) {
3108 secp256k1_scalar_set_int(&t, v);
3109 } else {
3110 secp256k1_scalar_set_int(&t, -v);
3111 secp256k1_scalar_negate(&t, &t);
3112 }
3113 secp256k1_scalar_add(&x, &x, &t);
4e0ed539 3114 }
f24041d6 3115 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
4e0ed539
PW		 3116}
3117
dd891e0e
PW		 3118void test_constant_wnaf_negate(const secp256k1_scalar *number) {
3119 secp256k1_scalar neg1 = *number;
3120 secp256k1_scalar neg2 = *number;
44015000
AP		 3121 int sign1 = 1;
3122 int sign2 = 1;
3123
3124 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
3125 secp256k1_scalar_negate(&neg1, &neg1);
3126 sign1 = -1;
3127 }
3128 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
3129 CHECK(sign1 == sign2);
3130 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
3131}
3132
dd891e0e
PW		 3133void test_constant_wnaf(const secp256k1_scalar *number, int w) {
3134 secp256k1_scalar x, shift;
44015000
AP		 3135 int wnaf[256] = {0};
3136 int i;
92e53fc4 3137 int skew;
7c1b91ba 3138 int bits = 256;
dd891e0e 3139 secp256k1_scalar num = *number;
44015000
AP		 3140
3141 secp256k1_scalar_set_int(&x, 0);
3142 secp256k1_scalar_set_int(&shift, 1 << w);
92e53fc4
AP		 3143 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3144#ifdef USE_ENDOMORPHISM
912f203f 3145 for (i = 0; i < 16; ++i) {
92e53fc4 3146 secp256k1_scalar_shr_int(&num, 8);
912f203f 3147 }
7c1b91ba 3148 bits = 128;
92e53fc4 3149#endif
8979ec0d 3150 skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
44015000 3151
7c1b91ba 3152 for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
dd891e0e 3153 secp256k1_scalar t;
44015000
AP		 3154 int v = wnaf[i];
3155 CHECK(v != 0); /* check nonzero */
3156 CHECK(v & 1); /* check parity */
3157 CHECK(v > -(1 << w)); /* check range above */
3158 CHECK(v < (1 << w)); /* check range below */
3159
3160 secp256k1_scalar_mul(&x, &x, &shift);
3161 if (v >= 0) {
3162 secp256k1_scalar_set_int(&t, v);
3163 } else {
3164 secp256k1_scalar_set_int(&t, -v);
3165 secp256k1_scalar_negate(&t, &t);
3166 }
3167 secp256k1_scalar_add(&x, &x, &t);
3168 }
c6191fde 3169 /* Skew num because when encoding numbers as odd we use an offset */
92e53fc4 3170 secp256k1_scalar_cadd_bit(&num, skew == 2, 1);
92e53fc4 3171 CHECK(secp256k1_scalar_eq(&x, &num));
44015000
AP		 3172}
3173
355a38f1
JN		 3174void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
3175 secp256k1_scalar x, shift;
3176 int wnaf[256] = {0};
3177 int i;
3178 int skew;
3179 secp256k1_scalar num = *number;
3180
3181 secp256k1_scalar_set_int(&x, 0);
3182 secp256k1_scalar_set_int(&shift, 1 << w);
3183 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3184#ifdef USE_ENDOMORPHISM
3185 for (i = 0; i < 16; ++i) {
3186 secp256k1_scalar_shr_int(&num, 8);
3187 }
3188#endif
3189 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3190
3191 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3192 secp256k1_scalar t;
3193 int v = wnaf[i];
6dbb0078 3194 CHECK(v == 0 || v & 1); /* check parity */
355a38f1
JN		 3195 CHECK(v > -(1 << w)); /* check range above */
3196 CHECK(v < (1 << w)); /* check range below */
3197
3198 secp256k1_scalar_mul(&x, &x, &shift);
3199 if (v >= 0) {
3200 secp256k1_scalar_set_int(&t, v);
3201 } else {
3202 secp256k1_scalar_set_int(&t, -v);
3203 secp256k1_scalar_negate(&t, &t);
3204 }
3205 secp256k1_scalar_add(&x, &x, &t);
3206 }
3207 /* If skew is 1 then add 1 to num */
3208 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
3209 CHECK(secp256k1_scalar_eq(&x, &num));
3210}
3211
ec0a7b3a
JN		 3212/* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
3213 * rest is 0.*/
3214void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
3215 int i;
3216 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
3217 CHECK(wnaf[i] == 0);
3218 }
3219 for (i = 7; i >= 0; --i) {
3220 CHECK(wnaf[i] == wnaf_expected[i]);
3221 }
3222}
3223
3224void test_fixed_wnaf_small(void) {
3225 int w = 4;
355a38f1
JN		 3226 int wnaf[256] = {0};
3227 int i;
3228 int skew;
3229 secp256k1_scalar num;
3230
3231 secp256k1_scalar_set_int(&num, 0);
3232 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
355a38f1
JN		 3233 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3234 int v = wnaf[i];
3235 CHECK(v == 0);
3236 }
3237 CHECK(skew == 0);
ec0a7b3a
JN		 3238
3239 secp256k1_scalar_set_int(&num, 1);
3240 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3241 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
3242 int v = wnaf[i];
3243 CHECK(v == 0);
3244 }
3245 CHECK(wnaf[0] == 1);
3246 CHECK(skew == 0);
3247
3248 {
3249 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
3250 secp256k1_scalar_set_int(&num, 0xffffffff);
3251 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3252 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3253 CHECK(skew == 0);
3254 }
3255 {
3256 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
3257 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
3258 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3259 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3260 CHECK(skew == 1);
3261 }
3262 {
3263 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
3264 secp256k1_scalar_set_int(&num, 0x01010101);
3265 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3266 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3267 CHECK(skew == 0);
3268 }
3269 {
3270 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
3271 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
3272 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3273 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3274 CHECK(skew == 0);
3275 }
355a38f1
JN		 3276}
3277
2cad067a 3278void run_wnaf(void) {
bf2e1ac7 3279 int i;
dd891e0e 3280 secp256k1_scalar n = {{0}};
44015000
AP		 3281
3282 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
3283 * have easier-to-diagnose failure modes */
3284 n.d[0] = 1;
3285 test_constant_wnaf(&n, 4);
3286 n.d[0] = 2;
3287 test_constant_wnaf(&n, 4);
355a38f1 3288 /* Test 0 */
ec0a7b3a 3289 test_fixed_wnaf_small();
44015000 3290 /* Random tests */
bf2e1ac7 3291 for (i = 0; i < count; i++) {
f24041d6 3292 random_scalar_order(&n);
eb0be8ee 3293 test_wnaf(&n, 4+(i%10));
44015000
AP		 3294 test_constant_wnaf_negate(&n);
3295 test_constant_wnaf(&n, 4 + (i % 10));
355a38f1 3296 test_fixed_wnaf(&n, 4 + (i % 10));
4e0ed539 3297 }
96be2046
GM		 3298 secp256k1_scalar_set_int(&n, 0);
3299 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
3300 CHECK(secp256k1_scalar_is_zero(&n));
3301 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
3302 CHECK(secp256k1_scalar_is_zero(&n));
4e0ed539 3303}
a41f32e6 3304
d2275795
GM		 3305void test_ecmult_constants(void) {
3306 /* Test ecmult_gen() for [0..36) and [order-36..0). */
dd891e0e
PW		 3307 secp256k1_scalar x;
3308 secp256k1_gej r;
3309 secp256k1_ge ng;
d2275795
GM		 3310 int i;
3311 int j;
3312 secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
3313 for (i = 0; i < 36; i++ ) {
3314 secp256k1_scalar_set_int(&x, i);
3315 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3316 for (j = 0; j < i; j++) {
3317 if (j == i - 1) {
3318 ge_equals_gej(&secp256k1_ge_const_g, &r);
3319 }
3320 secp256k1_gej_add_ge(&r, &r, &ng);
3321 }
3322 CHECK(secp256k1_gej_is_infinity(&r));
3323 }
3324 for (i = 1; i <= 36; i++ ) {
3325 secp256k1_scalar_set_int(&x, i);
3326 secp256k1_scalar_negate(&x, &x);
3327 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3328 for (j = 0; j < i; j++) {
3329 if (j == i - 1) {
3330 ge_equals_gej(&ng, &r);
3331 }
3332 secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
3333 }
3334 CHECK(secp256k1_gej_is_infinity(&r));
3335 }
3336}
3337
3338void run_ecmult_constants(void) {
3339 test_ecmult_constants();
3340}
3341
3342void test_ecmult_gen_blind(void) {
269d4227 3343 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
dd891e0e
PW		 3344 secp256k1_scalar key;
3345 secp256k1_scalar b;
d2275795 3346 unsigned char seed32[32];
dd891e0e
PW		 3347 secp256k1_gej pgej;
3348 secp256k1_gej pgej2;
3349 secp256k1_gej i;
3350 secp256k1_ge pge;
d2275795
GM		 3351 random_scalar_order_test(&key);
3352 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
3353 secp256k1_rand256(seed32);
3354 b = ctx->ecmult_gen_ctx.blind;
3355 i = ctx->ecmult_gen_ctx.initial;
3356 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
3357 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3358 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
3359 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
3360 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
3361 secp256k1_ge_set_gej(&pge, &pgej);
3362 ge_equals_gej(&pge, &pgej2);
3363}
3364
3365void test_ecmult_gen_blind_reset(void) {
3366 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
dd891e0e
PW		 3367 secp256k1_scalar b;
3368 secp256k1_gej initial;
d2275795
GM		 3369 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3370 b = ctx->ecmult_gen_ctx.blind;
3371 initial = ctx->ecmult_gen_ctx.initial;
3372 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3373 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3374 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
3375}
3376
3377void run_ecmult_gen_blind(void) {
3378 int i;
3379 test_ecmult_gen_blind_reset();
3380 for (i = 0; i < 10; i++) {
3381 test_ecmult_gen_blind();
3382 }
3383}
3384
baa75da5
AP		 3385#ifdef USE_ENDOMORPHISM
3386/***** ENDOMORPHISH TESTS *****/
3387void test_scalar_split(void) {
dd891e0e
PW		 3388 secp256k1_scalar full;
3389 secp256k1_scalar s1, slam;
baa75da5
AP		 3390 const unsigned char zero[32] = {0};
3391 unsigned char tmp[32];
3392
3393 random_scalar_order_test(&full);
ed35d43a 3394 secp256k1_scalar_split_lambda(&s1, &slam, &full);
baa75da5
AP		 3395
3396 /* check that both are <= 128 bits in size */
912f203f 3397 if (secp256k1_scalar_is_high(&s1)) {
baa75da5 3398 secp256k1_scalar_negate(&s1, &s1);
912f203f
GM		 3399 }
3400 if (secp256k1_scalar_is_high(&slam)) {
baa75da5 3401 secp256k1_scalar_negate(&slam, &slam);
912f203f 3402 }
baa75da5
AP		 3403
3404 secp256k1_scalar_get_b32(tmp, &s1);
3405 CHECK(memcmp(zero, tmp, 16) == 0);
3406 secp256k1_scalar_get_b32(tmp, &slam);
3407 CHECK(memcmp(zero, tmp, 16) == 0);
3408}
3409
3410void run_endomorphism_tests(void) {
3411 test_scalar_split();
3412}
3413#endif
d2275795 3414
67f7da40
GM		 3415void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
3416 unsigned char pubkeyc[65];
3417 secp256k1_pubkey pubkey;
3418 secp256k1_ge ge;
3419 size_t pubkeyclen;
3420 int32_t ecount;
3421 ecount = 0;
3422 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3423 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
3424 /* Smaller sizes are tested exhaustively elsewhere. */
3425 int32_t i;
3426 memcpy(&pubkeyc[1], input, 64);
3427 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
3428 for (i = 0; i < 256; i++) {
3429 /* Try all type bytes. */
3430 int xpass;
3431 int ypass;
3432 int ysign;
3433 pubkeyc[0] = i;
3434 /* What sign does this point have? */
3435 ysign = (input[63] & 1) + 2;
3436 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
3437 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
3438 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
3439 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
3440 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
3441 if (xpass || ypass) {
3442 /* These cases must parse. */
3443 unsigned char pubkeyo[65];
3444 size_t outl;
3445 memset(&pubkey, 0, sizeof(pubkey));
3446 VG_UNDEF(&pubkey, sizeof(pubkey));
3447 ecount = 0;
3448 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3449 VG_CHECK(&pubkey, sizeof(pubkey));
3450 outl = 65;
3451 VG_UNDEF(pubkeyo, 65);
3452 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3453 VG_CHECK(pubkeyo, outl);
3454 CHECK(outl == 33);
3455 CHECK(memcmp(&pubkeyo[1], &pubkeyc[1], 32) == 0);
3456 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
3457 if (ypass) {
3458 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
3459 CHECK(pubkeyo[0] == ysign);
3460 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3461 memset(&pubkey, 0, sizeof(pubkey));
3462 VG_UNDEF(&pubkey, sizeof(pubkey));
3463 secp256k1_pubkey_save(&pubkey, &ge);
3464 VG_CHECK(&pubkey, sizeof(pubkey));
3465 outl = 65;
3466 VG_UNDEF(pubkeyo, 65);
1a368980 3467 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
67f7da40
GM		 3468 VG_CHECK(pubkeyo, outl);
3469 CHECK(outl == 65);
3470 CHECK(pubkeyo[0] == 4);
3471 CHECK(memcmp(&pubkeyo[1], input, 64) == 0);
3472 }
3473 CHECK(ecount == 0);
3474 } else {
3475 /* These cases must fail to parse. */
3476 memset(&pubkey, 0xfe, sizeof(pubkey));
3477 ecount = 0;
3478 VG_UNDEF(&pubkey, sizeof(pubkey));
3479 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
3480 VG_CHECK(&pubkey, sizeof(pubkey));
3481 CHECK(ecount == 0);
3482 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3483 CHECK(ecount == 1);
3484 }
3485 }
3486 }
3487 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3488}
3489
3490void run_ec_pubkey_parse_test(void) {
3491#define SECP256K1_EC_PARSE_TEST_NVALID (12)
3492 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
3493 {
3494 /* Point with leading and trailing zeros in x and y serialization. */
3495 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
3496 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3497 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
3498 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
3499 },
3500 {
3501 /* Point with x equal to a 3rd root of unity.*/
3502 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
3503 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
3504 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3505 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3506 },
3507 {
3508 /* Point with largest x. (1/2) */
3509 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3510 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3511 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
3512 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
3513 },
3514 {
3515 /* Point with largest x. (2/2) */
3516 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3517 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3518 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
3519 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
3520 },
3521 {
3522 /* Point with smallest x. (1/2) */
3523 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3524 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3525 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3526 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3527 },
3528 {
3529 /* Point with smallest x. (2/2) */
3530 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3531 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3532 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3533 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3534 },
3535 {
3536 /* Point with largest y. (1/3) */
3537 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3538 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3539 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3540 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3541 },
3542 {
3543 /* Point with largest y. (2/3) */
3544 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3545 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3546 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3547 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3548 },
3549 {
3550 /* Point with largest y. (3/3) */
3551 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3552 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3553 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3554 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3555 },
3556 {
3557 /* Point with smallest y. (1/3) */
3558 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3559 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3560 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3561 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3562 },
3563 {
3564 /* Point with smallest y. (2/3) */
3565 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3566 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3567 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3568 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3569 },
3570 {
3571 /* Point with smallest y. (3/3) */
3572 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3573 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3574 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3575 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
3576 }
3577 };
3578#define SECP256K1_EC_PARSE_TEST_NXVALID (4)
3579 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
3580 {
3581 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
3582 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3583 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3584 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3585 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3586 },
3587 {
3588 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
3589 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3590 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3591 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3592 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3593 },
3594 {
3595 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
3596 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3597 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3598 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3599 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3600 },
3601 {
3602 /* x on curve, y is from y^2 = x^3 + 8. */
3603 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3604 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3605 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3606 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
3607 }
3608 };
3609#define SECP256K1_EC_PARSE_TEST_NINVALID (7)
3610 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
3611 {
3612 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
3613 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
3614 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
3615 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3616 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3617 },
3618 {
3619 /* Valid if x overflow ignored (x = 1 mod p). */
3620 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3621 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3622 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3623 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3624 },
3625 {
3626 /* Valid if x overflow ignored (x = 1 mod p). */
3627 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3628 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3629 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3630 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3631 },
3632 {
3633 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3634 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3635 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3636 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
3637 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
3638 },
3639 {
3640 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3641 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3642 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3643 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
3644 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
3645 },
3646 {
3647 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3648 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3649 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3650 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
3651 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
3652 },
3653 {
3654 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3655 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3656 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3657 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
3658 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
3659 }
3660 };
3661 const unsigned char pubkeyc[66] = {
3662 /* Serialization of G. */
3663 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
3664 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
3665 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
3666 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
3667 0xB8, 0x00
3668 };
5b71a3f4 3669 unsigned char sout[65];
67f7da40
GM		 3670 unsigned char shortkey[2];
3671 secp256k1_ge ge;
3672 secp256k1_pubkey pubkey;
5b71a3f4 3673 size_t len;
67f7da40
GM		 3674 int32_t i;
3675 int32_t ecount;
3676 int32_t ecount2;
3677 ecount = 0;
3678 /* Nothing should be reading this far into pubkeyc. */
3679 VG_UNDEF(&pubkeyc[65], 1);
3680 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3681 /* Zero length claimed, fail, zeroize, no illegal arg error. */
3682 memset(&pubkey, 0xfe, sizeof(pubkey));
3683 ecount = 0;
3684 VG_UNDEF(shortkey, 2);
3685 VG_UNDEF(&pubkey, sizeof(pubkey));
3686 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
3687 VG_CHECK(&pubkey, sizeof(pubkey));
3688 CHECK(ecount == 0);
3689 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3690 CHECK(ecount == 1);
3691 /* Length one claimed, fail, zeroize, no illegal arg error. */
3692 for (i = 0; i < 256 ; i++) {
3693 memset(&pubkey, 0xfe, sizeof(pubkey));
3694 ecount = 0;
3695 shortkey[0] = i;
3696 VG_UNDEF(&shortkey[1], 1);
3697 VG_UNDEF(&pubkey, sizeof(pubkey));
3698 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
3699 VG_CHECK(&pubkey, sizeof(pubkey));
3700 CHECK(ecount == 0);
3701 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3702 CHECK(ecount == 1);
3703 }
3704 /* Length two claimed, fail, zeroize, no illegal arg error. */
3705 for (i = 0; i < 65536 ; i++) {
3706 memset(&pubkey, 0xfe, sizeof(pubkey));
3707 ecount = 0;
3708 shortkey[0] = i & 255;
3709 shortkey[1] = i >> 8;
3710 VG_UNDEF(&pubkey, sizeof(pubkey));
3711 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
3712 VG_CHECK(&pubkey, sizeof(pubkey));
3713 CHECK(ecount == 0);
3714 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3715 CHECK(ecount == 1);
3716 }
3717 memset(&pubkey, 0xfe, sizeof(pubkey));
3718 ecount = 0;
3719 VG_UNDEF(&pubkey, sizeof(pubkey));
3720 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
3721 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
3722 VG_CHECK(&pubkey, sizeof(pubkey));
3723 CHECK(ecount == 0);
3724 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3725 CHECK(ecount == 1);
3726 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
3727 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
3728 CHECK(ecount == 2);
3729 /* NULL input string. Illegal arg and zeroize output. */
3730 memset(&pubkey, 0xfe, sizeof(pubkey));
3731 ecount = 0;
3732 VG_UNDEF(&pubkey, sizeof(pubkey));
3733 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
3734 VG_CHECK(&pubkey, sizeof(pubkey));
3735 CHECK(ecount == 1);
3736 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3737 CHECK(ecount == 2);
3738 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
3739 memset(&pubkey, 0xfe, sizeof(pubkey));
3740 ecount = 0;
3741 VG_UNDEF(&pubkey, sizeof(pubkey));
3742 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
3743 VG_CHECK(&pubkey, sizeof(pubkey));
3744 CHECK(ecount == 0);
3745 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3746 CHECK(ecount == 1);
3747 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
3748 memset(&pubkey, 0xfe, sizeof(pubkey));
3749 ecount = 0;
3750 VG_UNDEF(&pubkey, sizeof(pubkey));
3751 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
3752 VG_CHECK(&pubkey, sizeof(pubkey));
3753 CHECK(ecount == 0);
3754 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3755 CHECK(ecount == 1);
3756 /* Valid parse. */
3757 memset(&pubkey, 0, sizeof(pubkey));
3758 ecount = 0;
3759 VG_UNDEF(&pubkey, sizeof(pubkey));
3760 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
ed7c0841 3761 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
67f7da40
GM		 3762 VG_CHECK(&pubkey, sizeof(pubkey));
3763 CHECK(ecount == 0);
3764 VG_UNDEF(&ge, sizeof(ge));
3765 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3766 VG_CHECK(&ge.x, sizeof(ge.x));
3767 VG_CHECK(&ge.y, sizeof(ge.y));
3768 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
3769 ge_equals_ge(&secp256k1_ge_const_g, &ge);
3770 CHECK(ecount == 0);
5b71a3f4
GM		 3771 /* secp256k1_ec_pubkey_serialize illegal args. */
3772 ecount = 0;
3773 len = 65;
3774 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3775 CHECK(ecount == 1);
3776 CHECK(len == 0);
3777 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3778 CHECK(ecount == 2);
3779 len = 65;
3780 VG_UNDEF(sout, 65);
3781 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
3782 VG_CHECK(sout, 65);
3783 CHECK(ecount == 3);
3784 CHECK(len == 0);
3785 len = 65;
3786 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
3787 CHECK(ecount == 4);
3788 CHECK(len == 0);
3789 len = 65;
3790 VG_UNDEF(sout, 65);
3791 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3792 VG_CHECK(sout, 65);
3793 CHECK(ecount == 4);
3794 CHECK(len == 65);
67f7da40
GM		 3795 /* Multiple illegal args. Should still set arg error only once. */
3796 ecount = 0;
3797 ecount2 = 11;
3798 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3799 CHECK(ecount == 1);
3800 /* Does the illegal arg callback actually change the behavior? */
3801 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
3802 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3803 CHECK(ecount == 1);
3804 CHECK(ecount2 == 10);
3805 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3806 /* Try a bunch of prefabbed points with all possible encodings. */
3807 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
3808 ec_pubkey_parse_pointtest(valid[i], 1, 1);
3809 }
3810 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
3811 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
3812 }
3813 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
3814 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
3815 }
3816}
3817
96be2046
GM		 3818void run_eckey_edge_case_test(void) {
3819 const unsigned char orderc[32] = {
3820 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3821 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3822 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3823 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
3824 };
3825 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
c69dea02
GM		 3826 unsigned char ctmp[33];
3827 unsigned char ctmp2[33];
96be2046
GM		 3828 secp256k1_pubkey pubkey;
3829 secp256k1_pubkey pubkey2;
c69dea02
GM		 3830 secp256k1_pubkey pubkey_one;
3831 secp256k1_pubkey pubkey_negone;
3832 const secp256k1_pubkey *pubkeys[3];
3833 size_t len;
96be2046
GM		 3834 int32_t ecount;
3835 /* Group order is too large, reject. */
3836 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
3837 VG_UNDEF(&pubkey, sizeof(pubkey));
3838 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
3839 VG_CHECK(&pubkey, sizeof(pubkey));
3840 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3841 /* Maximum value is too large, reject. */
3842 memset(ctmp, 255, 32);
3843 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3844 memset(&pubkey, 1, sizeof(pubkey));
3845 VG_UNDEF(&pubkey, sizeof(pubkey));
3846 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3847 VG_CHECK(&pubkey, sizeof(pubkey));
3848 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3849 /* Zero is too small, reject. */
3850 memset(ctmp, 0, 32);
3851 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3852 memset(&pubkey, 1, sizeof(pubkey));
3853 VG_UNDEF(&pubkey, sizeof(pubkey));
3854 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3855 VG_CHECK(&pubkey, sizeof(pubkey));
3856 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3857 /* One must be accepted. */
3858 ctmp[31] = 0x01;
3859 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3860 memset(&pubkey, 0, sizeof(pubkey));
3861 VG_UNDEF(&pubkey, sizeof(pubkey));
3862 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3863 VG_CHECK(&pubkey, sizeof(pubkey));
3864 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
c69dea02 3865 pubkey_one = pubkey;
96be2046
GM		 3866 /* Group order + 1 is too large, reject. */
3867 memcpy(ctmp, orderc, 32);
3868 ctmp[31] = 0x42;
3869 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3870 memset(&pubkey, 1, sizeof(pubkey));
3871 VG_UNDEF(&pubkey, sizeof(pubkey));
3872 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3873 VG_CHECK(&pubkey, sizeof(pubkey));
3874 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3875 /* -1 must be accepted. */
3876 ctmp[31] = 0x40;
3877 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3878 memset(&pubkey, 0, sizeof(pubkey));
3879 VG_UNDEF(&pubkey, sizeof(pubkey));
3880 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3881 VG_CHECK(&pubkey, sizeof(pubkey));
3882 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
c69dea02 3883 pubkey_negone = pubkey;
0e96cdc6 3884 /* Tweak of zero leaves the value unchanged. */
96be2046
GM		 3885 memset(ctmp2, 0, 32);
3886 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, ctmp2) == 1);
3887 CHECK(memcmp(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
3888 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
3889 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3890 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3891 /* Multiply tweak of zero zeroizes the output. */
3892 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, ctmp2) == 0);
3893 CHECK(memcmp(zeros, ctmp, 32) == 0);
3894 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
3895 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3896 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3897 /* Overflowing key tweak zeroizes. */
3898 memcpy(ctmp, orderc, 32);
3899 ctmp[31] = 0x40;
3900 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, orderc) == 0);
3901 CHECK(memcmp(zeros, ctmp, 32) == 0);
3902 memcpy(ctmp, orderc, 32);
3903 ctmp[31] = 0x40;
3904 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, orderc) == 0);
3905 CHECK(memcmp(zeros, ctmp, 32) == 0);
3906 memcpy(ctmp, orderc, 32);
3907 ctmp[31] = 0x40;
3908 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
3909 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3910 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3911 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
3912 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3913 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3914 /* Private key tweaks results in a key of zero. */
3915 ctmp2[31] = 1;
3916 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 0);
3917 CHECK(memcmp(zeros, ctmp2, 32) == 0);
3918 ctmp2[31] = 1;
3919 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3920 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3921 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3922 /* Tweak computation wraps and results in a key of 1. */
3923 ctmp2[31] = 2;
3924 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 1);
3925 CHECK(memcmp(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
3926 ctmp2[31] = 2;
3927 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3928 ctmp2[31] = 1;
3929 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
3930 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3931 /* Tweak mul * 2 = 1+1. */
3932 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3933 ctmp2[31] = 2;
3934 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
3935 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3936 /* Test argument errors. */
3937 ecount = 0;
3938 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3939 CHECK(ecount == 0);
3940 /* Zeroize pubkey on parse error. */
3941 memset(&pubkey, 0, 32);
3942 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3943 CHECK(ecount == 1);
3944 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3945 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3946 memset(&pubkey2, 0, 32);
3947 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
3948 CHECK(ecount == 2);
3949 CHECK(memcmp(&pubkey2, zeros, sizeof(pubkey2)) == 0);
3950 /* Plain argument errors. */
3951 ecount = 0;
3952 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3953 CHECK(ecount == 0);
3954 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
3955 CHECK(ecount == 1);
3956 ecount = 0;
3957 memset(ctmp2, 0, 32);
3958 ctmp2[31] = 4;
3959 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
3960 CHECK(ecount == 1);
3961 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
3962 CHECK(ecount == 2);
3963 ecount = 0;
3964 memset(ctmp2, 0, 32);
3965 ctmp2[31] = 4;
3966 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3967 CHECK(ecount == 1);
3968 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
3969 CHECK(ecount == 2);
3970 ecount = 0;
3971 memset(ctmp2, 0, 32);
3972 CHECK(secp256k1_ec_privkey_tweak_add(ctx, NULL, ctmp2) == 0);
3973 CHECK(ecount == 1);
3974 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, NULL) == 0);
3975 CHECK(ecount == 2);
3976 ecount = 0;
3977 memset(ctmp2, 0, 32);
3978 ctmp2[31] = 1;
3979 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3980 CHECK(ecount == 1);
3981 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, NULL) == 0);
3982 CHECK(ecount == 2);
3983 ecount = 0;
3984 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
3985 CHECK(ecount == 1);
3986 memset(&pubkey, 1, sizeof(pubkey));
3987 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
3988 CHECK(ecount == 2);
5b71a3f4 3989 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
c69dea02
GM		 3990 /* secp256k1_ec_pubkey_combine tests. */
3991 ecount = 0;
3992 pubkeys[0] = &pubkey_one;
3993 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
3994 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
3995 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
3996 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3997 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3998 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
3999 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4000 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4001 CHECK(ecount == 1);
c69dea02
GM		 4002 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
4003 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
8e48787d 4004 CHECK(ecount == 2);
c69dea02
GM		 4005 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4006 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4007 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
4008 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4009 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
8e48787d 4010 CHECK(ecount == 3);
c69dea02
GM		 4011 pubkeys[0] = &pubkey_negone;
4012 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4013 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4014 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
4015 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4016 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
8e48787d 4017 CHECK(ecount == 3);
c69dea02
GM		 4018 len = 33;
4019 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4020 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
4021 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
4022 /* Result is infinity. */
4023 pubkeys[0] = &pubkey_one;
4024 pubkeys[1] = &pubkey_negone;
4025 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4026 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4027 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
4028 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4029 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
8e48787d 4030 CHECK(ecount == 3);
c69dea02
GM		 4031 /* Passes through infinity but comes out one. */
4032 pubkeys[2] = &pubkey_one;
4033 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4034 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4035 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
4036 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4037 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
8e48787d 4038 CHECK(ecount == 3);
c69dea02
GM		 4039 len = 33;
4040 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4041 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
4042 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
4043 /* Adds to two. */
4044 pubkeys[1] = &pubkey_one;
4045 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4046 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4047 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
4048 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4049 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
8e48787d 4050 CHECK(ecount == 3);
96be2046
GM		 4051 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4052}
4053
dd891e0e
PW		 4054void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
4055 secp256k1_scalar nonce;
dd08f037 4056 do {
a9f5c8b8 4057 random_scalar_order_test(&nonce);
18c329c5 4058 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
dd08f037
PW		 4059}
4060
2cad067a 4061void test_ecdsa_sign_verify(void) {
dd891e0e
PW		 4062 secp256k1_gej pubj;
4063 secp256k1_ge pub;
4064 secp256k1_scalar one;
4065 secp256k1_scalar msg, key;
4066 secp256k1_scalar sigr, sigs;
ee3eb4be
GM		 4067 int recid;
4068 int getrec;
a9f5c8b8 4069 random_scalar_order_test(&msg);
a9f5c8b8 4070 random_scalar_order_test(&key);
a9b6595e 4071 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
bf2e1ac7 4072 secp256k1_ge_set_gej(&pub, &pubj);
fa57f1bd 4073 getrec = secp256k1_rand_bits(1);
18c329c5 4074 random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
26320197
GM		 4075 if (getrec) {
4076 CHECK(recid >= 0 && recid < 4);
4077 }
18c329c5 4078 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
f24041d6
PW		 4079 secp256k1_scalar_set_int(&one, 1);
4080 secp256k1_scalar_add(&msg, &msg, &one);
18c329c5 4081 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
0a07e62f
PW		 4082}
4083
2cad067a 4084void run_ecdsa_sign_verify(void) {
bf2e1ac7
GM		 4085 int i;
4086 for (i = 0; i < 10*count; i++) {
0a07e62f
PW		 4087 test_ecdsa_sign_verify();
4088 }
4089}
4090
c6e7f4e8 4091/** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
05732c5a 4092static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
c6e7f4e8
PW		 4093 (void)msg32;
4094 (void)key32;
a5a66c70 4095 (void)algo16;
c6e7f4e8
PW		 4096 memcpy(nonce32, data, 32);
4097 return (counter == 0);
4098}
4099
05732c5a 4100static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
941e221f 4101 /* Dummy nonce generator that has a fatal error on the first counter value. */
26320197
GM		 4102 if (counter == 0) {
4103 return 0;
4104 }
dc0ce9fc 4105 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
941e221f
GM		 4106}
4107
05732c5a 4108static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
941e221f
GM		 4109 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
4110 if (counter < 3) {
4111 memset(nonce32, counter==0 ? 0 : 255, 32);
26320197
GM		 4112 if (counter == 2) {
4113 nonce32[31]--;
4114 }
941e221f
GM		 4115 return 1;
4116 }
4117 if (counter < 5) {
4118 static const unsigned char order[] = {
4119 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4120 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4121 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4122 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
4123 };
4124 memcpy(nonce32, order, 32);
26320197
GM		 4125 if (counter == 4) {
4126 nonce32[31]++;
4127 }
941e221f
GM		 4128 return 1;
4129 }
269d4227 4130 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
941e221f 4131 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
26320197
GM		 4132 if (counter > 5) {
4133 return 0;
4134 }
dc0ce9fc 4135 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
941e221f
GM		 4136}
4137
dd891e0e
PW		 4138int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
4139 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
4140 return memcmp(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
8030d7c0
PW		 4141}
4142
2cad067a 4143void test_ecdsa_end_to_end(void) {
efc571ce 4144 unsigned char extra[32] = {0x00};
25f4aec0
PW		 4145 unsigned char privkey[32];
4146 unsigned char message[32];
bf2e1ac7 4147 unsigned char privkey2[32];
0c6ab2ff
PW		 4148 secp256k1_ecdsa_signature signature[6];
4149 secp256k1_scalar r, s;
74a2acdb 4150 unsigned char sig[74];
788038d3 4151 size_t siglen = 74;
23cfa914 4152 unsigned char pubkeyc[65];
788038d3 4153 size_t pubkeyclen = 65;
dd891e0e 4154 secp256k1_pubkey pubkey;
8e48aa60 4155 secp256k1_pubkey pubkey_tmp;
bf2e1ac7 4156 unsigned char seckey[300];
788038d3 4157 size_t seckeylen = 300;
25f4aec0 4158
71712b27 4159 /* Generate a random key and message. */
25f4aec0 4160 {
dd891e0e 4161 secp256k1_scalar msg, key;
659b554d
PW		 4162 random_scalar_order_test(&msg);
4163 random_scalar_order_test(&key);
4164 secp256k1_scalar_get_b32(privkey, &key);
4165 secp256k1_scalar_get_b32(message, &msg);
25f4aec0
PW		 4166 }
4167
71712b27 4168 /* Construct and verify corresponding public key. */
a9b6595e 4169 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
23cfa914 4170 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
99fd963b 4171
23cfa914 4172 /* Verify exporting and importing public key. */
1a368980 4173 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_rand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
23cfa914
PW		 4174 memset(&pubkey, 0, sizeof(pubkey));
4175 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
25f4aec0 4176
8e48aa60
AP		 4177 /* Verify negation changes the key and changes it back */
4178 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
4179 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4180 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
4181 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4182 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
4183
71712b27 4184 /* Verify private key import and export. */
eed87af1
AP		 4185 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_rand_bits(1) == 1));
4186 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
25f4aec0
PW		 4187 CHECK(memcmp(privkey, privkey2, 32) == 0);
4188
71712b27 4189 /* Optionally tweak the keys using addition. */
fa57f1bd 4190 if (secp256k1_rand_int(3) == 0) {
bf2e1ac7
GM		 4191 int ret1;
4192 int ret2;
25f4aec0 4193 unsigned char rnd[32];
dd891e0e 4194 secp256k1_pubkey pubkey2;
25f4aec0 4195 secp256k1_rand256_test(rnd);
a9b6595e 4196 ret1 = secp256k1_ec_privkey_tweak_add(ctx, privkey, rnd);
23cfa914 4197 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
25f4aec0 4198 CHECK(ret1 == ret2);
26320197
GM		 4199 if (ret1 == 0) {
4200 return;
4201 }
23cfa914
PW		 4202 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4203 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
25f4aec0
PW		 4204 }
4205
71712b27 4206 /* Optionally tweak the keys using multiplication. */
fa57f1bd 4207 if (secp256k1_rand_int(3) == 0) {
bf2e1ac7
GM		 4208 int ret1;
4209 int ret2;
25f4aec0 4210 unsigned char rnd[32];
dd891e0e 4211 secp256k1_pubkey pubkey2;
25f4aec0 4212 secp256k1_rand256_test(rnd);
a9b6595e 4213 ret1 = secp256k1_ec_privkey_tweak_mul(ctx, privkey, rnd);
23cfa914 4214 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
25f4aec0 4215 CHECK(ret1 == ret2);
26320197
GM		 4216 if (ret1 == 0) {
4217 return;
4218 }
23cfa914
PW		 4219 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4220 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
25f4aec0
PW		 4221 }
4222
71712b27 4223 /* Sign. */
dc0ce9fc
PW		 4224 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
4225 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
4226 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
efc571ce 4227 extra[31] = 1;
dc0ce9fc 4228 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
efc571ce
GM		 4229 extra[31] = 0;
4230 extra[0] = 1;
dc0ce9fc 4231 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
74a2acdb
PW		 4232 CHECK(memcmp(&signature[0], &signature[4], sizeof(signature[0])) == 0);
4233 CHECK(memcmp(&signature[0], &signature[1], sizeof(signature[0])) != 0);
4234 CHECK(memcmp(&signature[0], &signature[2], sizeof(signature[0])) != 0);
4235 CHECK(memcmp(&signature[0], &signature[3], sizeof(signature[0])) != 0);
4236 CHECK(memcmp(&signature[1], &signature[2], sizeof(signature[0])) != 0);
4237 CHECK(memcmp(&signature[1], &signature[3], sizeof(signature[0])) != 0);
4238 CHECK(memcmp(&signature[2], &signature[3], sizeof(signature[0])) != 0);
71712b27 4239 /* Verify. */
dc0ce9fc
PW		 4240 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4241 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
4242 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
4243 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
0c6ab2ff
PW		 4244 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
4245 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
4246 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
4247 secp256k1_scalar_negate(&s, &s);
4248 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4249 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
4250 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4251 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4252 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
5b71a3f4 4253 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
0c6ab2ff
PW		 4254 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4255 secp256k1_scalar_negate(&s, &s);
4256 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4257 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4258 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4259 CHECK(memcmp(&signature[5], &signature[0], 64) == 0);
74a2acdb
PW		 4260
4261 /* Serialize/parse DER and verify again */
4262 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4263 memset(&signature[0], 0, sizeof(signature[0]));
4264 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
dc0ce9fc 4265 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
74a2acdb 4266 /* Serialize/destroy/parse DER and verify again. */
1973c737 4267 siglen = 74;
74a2acdb 4268 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
fa57f1bd 4269 sig[secp256k1_rand_int(siglen)] += 1 + secp256k1_rand_int(255);
74a2acdb 4270 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
dc0ce9fc 4271 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
d49abbd5
PW		 4272}
4273
7c6fed28 4274void test_random_pubkeys(void) {
dd891e0e
PW		 4275 secp256k1_ge elem;
4276 secp256k1_ge elem2;
7c6fed28
GM		 4277 unsigned char in[65];
4278 /* Generate some randomly sized pubkeys. */
fa57f1bd
PW		 4279 size_t len = secp256k1_rand_bits(2) == 0 ? 65 : 33;
4280 if (secp256k1_rand_bits(2) == 0) {
4281 len = secp256k1_rand_bits(6);
26320197 4282 }
7c6fed28 4283 if (len == 65) {
fa57f1bd 4284 in[0] = secp256k1_rand_bits(1) ? 4 : (secp256k1_rand_bits(1) ? 6 : 7);
7c6fed28 4285 } else {
fa57f1bd 4286 in[0] = secp256k1_rand_bits(1) ? 2 : 3;
7c6fed28 4287 }
fa57f1bd
PW		 4288 if (secp256k1_rand_bits(3) == 0) {
4289 in[0] = secp256k1_rand_bits(8);
26320197 4290 }
26320197
GM		 4291 if (len > 1) {
4292 secp256k1_rand256(&in[1]);
4293 }
4294 if (len > 33) {
4295 secp256k1_rand256(&in[33]);
4296 }
7c6fed28
GM		 4297 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
4298 unsigned char out[65];
4299 unsigned char firstb;
4300 int res;
788038d3 4301 size_t size = len;
7c6fed28
GM		 4302 firstb = in[0];
4303 /* If the pubkey can be parsed, it should round-trip... */
9234391e 4304 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
7c6fed28
GM		 4305 CHECK(size == len);
4306 CHECK(memcmp(&in[1], &out[1], len-1) == 0);
4307 /* ... except for the type of hybrid inputs. */
26320197
GM		 4308 if ((in[0] != 6) && (in[0] != 7)) {
4309 CHECK(in[0] == out[0]);
4310 }
7c6fed28 4311 size = 65;
9234391e 4312 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
7c6fed28
GM		 4313 CHECK(size == 65);
4314 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
60571c6e 4315 ge_equals_ge(&elem,&elem2);
7c6fed28 4316 /* Check that the X9.62 hybrid type is checked. */
fa57f1bd 4317 in[0] = secp256k1_rand_bits(1) ? 6 : 7;
7c6fed28
GM		 4318 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
4319 if (firstb == 2 || firstb == 3) {
26320197
GM		 4320 if (in[0] == firstb + 4) {
4321 CHECK(res);
4322 } else {
4323 CHECK(!res);
4324 }
7c6fed28
GM		 4325 }
4326 if (res) {
60571c6e 4327 ge_equals_ge(&elem,&elem2);
9234391e 4328 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
7c6fed28
GM		 4329 CHECK(memcmp(&in[1], &out[1], 64) == 0);
4330 }
4331 }
4332}
4333
4334void run_random_pubkeys(void) {
bf2e1ac7
GM		 4335 int i;
4336 for (i = 0; i < 10*count; i++) {
7c6fed28
GM		 4337 test_random_pubkeys();
4338 }
4339}
4340
2cad067a 4341void run_ecdsa_end_to_end(void) {
bf2e1ac7
GM		 4342 int i;
4343 for (i = 0; i < 64*count; i++) {
25f4aec0
PW		 4344 test_ecdsa_end_to_end();
4345 }
4346}
4347
3bb9c447
PW		 4348int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
4349 static const unsigned char zeroes[32] = {0};
a9b2a5d8 4350#ifdef ENABLE_OPENSSL_TESTS
3bb9c447
PW		 4351 static const unsigned char max_scalar[32] = {
4352 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4353 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4354 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4355 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
4356 };
a9b2a5d8 4357#endif
3bb9c447
PW		 4358
4359 int ret = 0;
4360
4361 secp256k1_ecdsa_signature sig_der;
4362 unsigned char roundtrip_der[2048];
4363 unsigned char compact_der[64];
4364 size_t len_der = 2048;
4365 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
4366
fea19e7b
PW		 4367 secp256k1_ecdsa_signature sig_der_lax;
4368 unsigned char roundtrip_der_lax[2048];
4369 unsigned char compact_der_lax[64];
4370 size_t len_der_lax = 2048;
4371 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
4372
3bb9c447
PW		 4373#ifdef ENABLE_OPENSSL_TESTS
4374 ECDSA_SIG *sig_openssl;
31abd3ab 4375 const BIGNUM *r = NULL, *s = NULL;
3bb9c447
PW		 4376 const unsigned char *sigptr;
4377 unsigned char roundtrip_openssl[2048];
4378 int len_openssl = 2048;
4379 int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
4380#endif
4381
4382 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
4383 if (parsed_der) {
4384 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
4385 valid_der = (memcmp(compact_der, zeroes, 32) != 0) && (memcmp(compact_der + 32, zeroes, 32) != 0);
4386 }
4387 if (valid_der) {
4388 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
4389 roundtrips_der = (len_der == siglen) && memcmp(roundtrip_der, sig, siglen) == 0;
4390 }
4391
eed87af1 4392 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
fea19e7b
PW		 4393 if (parsed_der_lax) {
4394 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
4395 valid_der_lax = (memcmp(compact_der_lax, zeroes, 32) != 0) && (memcmp(compact_der_lax + 32, zeroes, 32) != 0);
4396 }
4397 if (valid_der_lax) {
4398 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
4399 roundtrips_der_lax = (len_der_lax == siglen) && memcmp(roundtrip_der_lax, sig, siglen) == 0;
4400 }
4401
3bb9c447
PW		 4402 if (certainly_der) {
4403 ret |= (!parsed_der) << 2;
4404 }
4405 if (certainly_not_der) {
4406 ret |= (parsed_der) << 17;
4407 }
4408 if (valid_der) {
4409 ret |= (!roundtrips_der) << 3;
4410 }
4411
fea19e7b
PW		 4412 if (valid_der) {
4413 ret |= (!roundtrips_der_lax) << 12;
4414 ret |= (len_der != len_der_lax) << 13;
4415 ret |= (memcmp(roundtrip_der_lax, roundtrip_der, len_der) != 0) << 14;
4416 }
4417 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
4418 if (parsed_der) {
4419 ret |= (!parsed_der_lax) << 16;
4420 }
4421
3bb9c447
PW		 4422#ifdef ENABLE_OPENSSL_TESTS
4423 sig_openssl = ECDSA_SIG_new();
4424 sigptr = sig;
4425 parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
4426 if (parsed_openssl) {
31abd3ab
AB		 4427 ECDSA_SIG_get0(sig_openssl, &r, &s);
4428 valid_openssl = !BN_is_negative(r) && !BN_is_negative(s) && BN_num_bits(r) > 0 && BN_num_bits(r) <= 256 && BN_num_bits(s) > 0 && BN_num_bits(s) <= 256;
3bb9c447
PW		 4429 if (valid_openssl) {
4430 unsigned char tmp[32] = {0};
31abd3ab 4431 BN_bn2bin(r, tmp + 32 - BN_num_bytes(r));
3bb9c447
PW		 4432 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4433 }
4434 if (valid_openssl) {
4435 unsigned char tmp[32] = {0};
31abd3ab 4436 BN_bn2bin(s, tmp + 32 - BN_num_bytes(s));
3bb9c447
PW		 4437 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4438 }
4439 }
4440 len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
4441 if (len_openssl <= 2048) {
4442 unsigned char *ptr = roundtrip_openssl;
4443 CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
4444 roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (memcmp(roundtrip_openssl, sig, siglen) == 0);
4445 } else {
4446 len_openssl = 0;
4447 }
4448 ECDSA_SIG_free(sig_openssl);
4449
4450 ret |= (parsed_der && !parsed_openssl) << 4;
4451 ret |= (valid_der && !valid_openssl) << 5;
4452 ret |= (roundtrips_openssl && !parsed_der) << 6;
4453 ret |= (roundtrips_der != roundtrips_openssl) << 7;
4454 if (roundtrips_openssl) {
4455 ret |= (len_der != (size_t)len_openssl) << 8;
4456 ret |= (memcmp(roundtrip_der, roundtrip_openssl, len_der) != 0) << 9;
4457 }
4458#endif
4459 return ret;
4460}
4461
4462static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
4463 size_t i;
4464 for (i = 0; i < ptrlen; i++) {
4465 int shift = ptrlen - 1 - i;
4466 if (shift >= 4) {
4467 ptr[i] = 0;
4468 } else {
4469 ptr[i] = (val >> shift) & 0xFF;
4470 }
4471 }
4472}
4473
4474static void damage_array(unsigned char *sig, size_t *len) {
4475 int pos;
4476 int action = secp256k1_rand_bits(3);
5d4c5a31 4477 if (action < 1 && *len > 3) {
3bb9c447
PW		 4478 /* Delete a byte. */
4479 pos = secp256k1_rand_int(*len);
4480 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
4481 (*len)--;
4482 return;
5d4c5a31 4483 } else if (action < 2 && *len < 2048) {
3bb9c447
PW		 4484 /* Insert a byte. */
4485 pos = secp256k1_rand_int(1 + *len);
4486 memmove(sig + pos + 1, sig + pos, *len - pos);
4487 sig[pos] = secp256k1_rand_bits(8);
4488 (*len)++;
4489 return;
4490 } else if (action < 4) {
4491 /* Modify a byte. */
4492 sig[secp256k1_rand_int(*len)] += 1 + secp256k1_rand_int(255);
4493 return;
4494 } else { /* action < 8 */
4495 /* Modify a bit. */
4496 sig[secp256k1_rand_int(*len)] ^= 1 << secp256k1_rand_bits(3);
4497 return;
4498 }
4499}
4500
4501static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
4502 int der;
4503 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
4504 size_t tlen, elen, glen;
4505 int indet;
4506 int n;
4507
4508 *len = 0;
4509 der = secp256k1_rand_bits(2) == 0;
4510 *certainly_der = der;
4511 *certainly_not_der = 0;
4512 indet = der ? 0 : secp256k1_rand_int(10) == 0;
4513
4514 for (n = 0; n < 2; n++) {
4515 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
4516 nlow[n] = der ? 1 : (secp256k1_rand_bits(3) != 0);
4517 /* The length of the number in bytes (the first byte of which will always be nonzero) */
4518 nlen[n] = nlow[n] ? secp256k1_rand_int(33) : 32 + secp256k1_rand_int(200) * secp256k1_rand_int(8) / 8;
4519 CHECK(nlen[n] <= 232);
4520 /* The top bit of the number. */
4521 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_rand_bits(1));
4522 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
4523 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_rand_bits(7) : 1 + secp256k1_rand_int(127));
4524 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
4525 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_rand_int(3) : secp256k1_rand_int(300 - nlen[n]) * secp256k1_rand_int(8) / 8);
4526 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
4527 *certainly_not_der = 1;
4528 }
4529 CHECK(nlen[n] + nzlen[n] <= 300);
4530 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
4531 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
4532 if (!der) {
4533 /* nlenlen[n] max 127 bytes */
4534 int add = secp256k1_rand_int(127 - nlenlen[n]) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4535 nlenlen[n] += add;
4536 if (add != 0) {
4537 *certainly_not_der = 1;
4538 }
4539 }
4540 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
4541 }
4542
4543 /* The total length of the data to go, so far */
4544 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
4545 CHECK(tlen <= 856);
4546
4547 /* The length of the garbage inside the tuple. */
4548 elen = (der || indet) ? 0 : secp256k1_rand_int(980 - tlen) * secp256k1_rand_int(8) / 8;
4549 if (elen != 0) {
4550 *certainly_not_der = 1;
4551 }
4552 tlen += elen;
4553 CHECK(tlen <= 980);
4554
4555 /* The length of the garbage after the end of the tuple. */
4556 glen = der ? 0 : secp256k1_rand_int(990 - tlen) * secp256k1_rand_int(8) / 8;
4557 if (glen != 0) {
4558 *certainly_not_der = 1;
4559 }
4560 CHECK(tlen + glen <= 990);
4561
4562 /* Write the tuple header. */
4563 sig[(*len)++] = 0x30;
4564 if (indet) {
4565 /* Indeterminate length */
4566 sig[(*len)++] = 0x80;
4567 *certainly_not_der = 1;
4568 } else {
4569 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
4570 if (!der) {
4571 int add = secp256k1_rand_int(127 - tlenlen) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4572 tlenlen += add;
4573 if (add != 0) {
4574 *certainly_not_der = 1;
4575 }
4576 }
4577 if (tlenlen == 0) {
4578 /* Short length notation */
4579 sig[(*len)++] = tlen;
4580 } else {
4581 /* Long length notation */
4582 sig[(*len)++] = 128 + tlenlen;
4583 assign_big_endian(sig + *len, tlenlen, tlen);
4584 *len += tlenlen;
4585 }
4586 tlen += tlenlen;
4587 }
4588 tlen += 2;
4589 CHECK(tlen + glen <= 1119);
4590
4591 for (n = 0; n < 2; n++) {
4592 /* Write the integer header. */
4593 sig[(*len)++] = 0x02;
4594 if (nlenlen[n] == 0) {
4595 /* Short length notation */
4596 sig[(*len)++] = nlen[n] + nzlen[n];
4597 } else {
4598 /* Long length notation. */
4599 sig[(*len)++] = 128 + nlenlen[n];
4600 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
4601 *len += nlenlen[n];
4602 }
4603 /* Write zero padding */
4604 while (nzlen[n] > 0) {
4605 sig[(*len)++] = 0x00;
4606 nzlen[n]--;
4607 }
4608 if (nlen[n] == 32 && !nlow[n]) {
4609 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
4610 int i;
4611 for (i = 0; i < 16; i++) {
4612 sig[(*len)++] = 0xFF;
4613 }
4614 nlen[n] -= 16;
4615 }
4616 /* Write first byte of number */
4617 if (nlen[n] > 0) {
4618 sig[(*len)++] = nhbyte[n];
4619 nlen[n]--;
4620 }
4621 /* Generate remaining random bytes of number */
4622 secp256k1_rand_bytes_test(sig + *len, nlen[n]);
4623 *len += nlen[n];
4624 nlen[n] = 0;
4625 }
4626
4627 /* Generate random garbage inside tuple. */
4628 secp256k1_rand_bytes_test(sig + *len, elen);
4629 *len += elen;
4630
4631 /* Generate end-of-contents bytes. */
4632 if (indet) {
4633 sig[(*len)++] = 0;
4634 sig[(*len)++] = 0;
4635 tlen += 2;
4636 }
4637 CHECK(tlen + glen <= 1121);
4638
4639 /* Generate random garbage outside tuple. */
4640 secp256k1_rand_bytes_test(sig + *len, glen);
4641 *len += glen;
4642 tlen += glen;
4643 CHECK(tlen <= 1121);
4644 CHECK(tlen == *len);
4645}
4646
4647void run_ecdsa_der_parse(void) {
4648 int i,j;
4649 for (i = 0; i < 200 * count; i++) {
4650 unsigned char buffer[2048];
4651 size_t buflen = 0;
4652 int certainly_der = 0;
4653 int certainly_not_der = 0;
4654 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
5d4c5a31 4655 CHECK(buflen <= 2048);
3bb9c447
PW		 4656 for (j = 0; j < 16; j++) {
4657 int ret = 0;
4658 if (j > 0) {
4659 damage_array(buffer, &buflen);
4660 /* We don't know anything anymore about the DERness of the result */
4661 certainly_der = 0;
4662 certainly_not_der = 0;
4663 }
4664 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
4665 if (ret != 0) {
4666 size_t k;
4667 fprintf(stderr, "Failure %x on ", ret);
4668 for (k = 0; k < buflen; k++) {
4669 fprintf(stderr, "%02x ", buffer[k]);
4670 }
4671 fprintf(stderr, "\n");
4672 }
4673 CHECK(ret == 0);
4674 }
4675 }
4676}
4677
6e052878
PW		 4678/* Tests several edge cases. */
4679void test_ecdsa_edge_cases(void) {
d49abbd5 4680 int t;
dd891e0e 4681 secp256k1_ecdsa_signature sig;
d49abbd5
PW		 4682
4683 /* Test the case where ECDSA recomputes a point that is infinity. */
4684 {
dd891e0e
PW		 4685 secp256k1_gej keyj;
4686 secp256k1_ge key;
4687 secp256k1_scalar msg;
4688 secp256k1_scalar sr, ss;
d49abbd5
PW		 4689 secp256k1_scalar_set_int(&ss, 1);
4690 secp256k1_scalar_negate(&ss, &ss);
4691 secp256k1_scalar_inverse(&ss, &ss);
4692 secp256k1_scalar_set_int(&sr, 1);
4693 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
4694 secp256k1_ge_set_gej(&key, &keyj);
4695 msg = ss;
4696 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4697 }
4698
96be2046 4699 /* Verify signature with r of zero fails. */
d49abbd5 4700 {
96be2046
GM		 4701 const unsigned char pubkey_mods_zero[33] = {
4702 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4703 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4704 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4705 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4706 0x41
4707 };
4708 secp256k1_ge key;
4709 secp256k1_scalar msg;
4710 secp256k1_scalar sr, ss;
4711 secp256k1_scalar_set_int(&ss, 1);
4712 secp256k1_scalar_set_int(&msg, 0);
4713 secp256k1_scalar_set_int(&sr, 0);
4714 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
4715 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4716 }
4717
4718 /* Verify signature with s of zero fails. */
4719 {
4720 const unsigned char pubkey[33] = {
4721 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4722 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4723 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4724 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4725 0x01
4726 };
4727 secp256k1_ge key;
4728 secp256k1_scalar msg;
4729 secp256k1_scalar sr, ss;
4730 secp256k1_scalar_set_int(&ss, 0);
4731 secp256k1_scalar_set_int(&msg, 0);
4732 secp256k1_scalar_set_int(&sr, 1);
4733 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4734 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4735 }
4736
4737 /* Verify signature with message 0 passes. */
4738 {
4739 const unsigned char pubkey[33] = {
4740 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4741 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4742 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4743 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4744 0x02
4745 };
4746 const unsigned char pubkey2[33] = {
4747 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4748 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4749 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4750 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4751 0x43
4752 };
4753 secp256k1_ge key;
4754 secp256k1_ge key2;
4755 secp256k1_scalar msg;
4756 secp256k1_scalar sr, ss;
4757 secp256k1_scalar_set_int(&ss, 2);
4758 secp256k1_scalar_set_int(&msg, 0);
4759 secp256k1_scalar_set_int(&sr, 2);
4760 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4761 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4762 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4763 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4764 secp256k1_scalar_negate(&ss, &ss);
4765 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4766 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4767 secp256k1_scalar_set_int(&ss, 1);
4768 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4769 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4770 }
4771
4772 /* Verify signature with message 1 passes. */
4773 {
4774 const unsigned char pubkey[33] = {
4775 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
4776 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
4777 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
4778 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
4779 0x25
4780 };
4781 const unsigned char pubkey2[33] = {
4782 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
4783 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
4784 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
4785 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
4786 0x62
4787 };
4788 const unsigned char csr[32] = {
4789 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4790 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4791 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4792 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
4793 };
4794 secp256k1_ge key;
4795 secp256k1_ge key2;
4796 secp256k1_scalar msg;
4797 secp256k1_scalar sr, ss;
4798 secp256k1_scalar_set_int(&ss, 1);
4799 secp256k1_scalar_set_int(&msg, 1);
4800 secp256k1_scalar_set_b32(&sr, csr, NULL);
4801 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4802 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4803 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4804 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4805 secp256k1_scalar_negate(&ss, &ss);
4806 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4807 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4808 secp256k1_scalar_set_int(&ss, 2);
4809 secp256k1_scalar_inverse_var(&ss, &ss);
4810 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4811 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4812 }
4813
4814 /* Verify signature with message -1 passes. */
4815 {
4816 const unsigned char pubkey[33] = {
4817 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
4818 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
4819 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
4820 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
4821 0xf1
4822 };
4823 const unsigned char csr[32] = {
4824 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4825 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4826 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4827 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
4828 };
4829 secp256k1_ge key;
4830 secp256k1_scalar msg;
4831 secp256k1_scalar sr, ss;
4832 secp256k1_scalar_set_int(&ss, 1);
4833 secp256k1_scalar_set_int(&msg, 1);
4834 secp256k1_scalar_negate(&msg, &msg);
4835 secp256k1_scalar_set_b32(&sr, csr, NULL);
4836 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4837 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4838 secp256k1_scalar_negate(&ss, &ss);
4839 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4840 secp256k1_scalar_set_int(&ss, 3);
4841 secp256k1_scalar_inverse_var(&ss, &ss);
4842 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4843 }
4844
4845 /* Signature where s would be zero. */
4846 {
4847 secp256k1_pubkey pubkey;
788038d3 4848 size_t siglen;
96be2046
GM		 4849 int32_t ecount;
4850 unsigned char signature[72];
4851 static const unsigned char nonce[32] = {
d49abbd5
PW		 4852 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4853 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4854 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4855 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4856 };
4857 static const unsigned char nonce2[32] = {
4858 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4859 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4860 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4861 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
4862 };
4863 const unsigned char key[32] = {
4864 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4865 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4866 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4867 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4868 };
4869 unsigned char msg[32] = {
4870 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
4871 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
4872 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
4873 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
4874 };
96be2046
GM		 4875 ecount = 0;
4876 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
dc0ce9fc
PW		 4877 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
4878 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
d49abbd5 4879 msg[31] = 0xaa;
dc0ce9fc 4880 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
96be2046
GM		 4881 CHECK(ecount == 0);
4882 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
4883 CHECK(ecount == 1);
4884 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
4885 CHECK(ecount == 2);
4886 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
4887 CHECK(ecount == 3);
dc0ce9fc 4888 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
96be2046
GM		 4889 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
4890 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
4891 CHECK(ecount == 4);
4892 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
4893 CHECK(ecount == 5);
4894 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
4895 CHECK(ecount == 6);
4896 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
5b71a3f4
GM		 4897 CHECK(ecount == 6);
4898 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4899 CHECK(ecount == 7);
4900 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
4901 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
4902 CHECK(ecount == 8);
d49abbd5 4903 siglen = 72;
96be2046 4904 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
5b71a3f4 4905 CHECK(ecount == 9);
96be2046 4906 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
5b71a3f4 4907 CHECK(ecount == 10);
96be2046 4908 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
5b71a3f4 4909 CHECK(ecount == 11);
d49abbd5 4910 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
5b71a3f4
GM		 4911 CHECK(ecount == 11);
4912 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
4913 CHECK(ecount == 12);
4914 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
4915 CHECK(ecount == 13);
4916 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
4917 CHECK(ecount == 13);
d49abbd5 4918 siglen = 10;
5b71a3f4 4919 /* Too little room for a signature does not fail via ARGCHECK. */
d49abbd5 4920 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
5b71a3f4
GM		 4921 CHECK(ecount == 13);
4922 ecount = 0;
4923 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
4924 CHECK(ecount == 1);
4925 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
4926 CHECK(ecount == 2);
4927 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
4928 CHECK(ecount == 3);
4929 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
4930 CHECK(ecount == 3);
4931 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
4932 CHECK(ecount == 4);
4933 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
4934 CHECK(ecount == 5);
4935 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
4936 CHECK(ecount == 5);
c69dea02
GM		 4937 memset(signature, 255, 64);
4938 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
4939 CHECK(ecount == 5);
96be2046 4940 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
d49abbd5
PW		 4941 }
4942
4943 /* Nonce function corner cases. */
4944 for (t = 0; t < 2; t++) {
4945 static const unsigned char zero[32] = {0x00};
4946 int i;
4947 unsigned char key[32];
4948 unsigned char msg[32];
dd891e0e
PW		 4949 secp256k1_ecdsa_signature sig2;
4950 secp256k1_scalar sr[512], ss;
d49abbd5
PW		 4951 const unsigned char *extra;
4952 extra = t == 0 ? NULL : zero;
4953 memset(msg, 0, 32);
4954 msg[31] = 1;
4955 /* High key results in signature failure. */
4956 memset(key, 0xFF, 32);
dc0ce9fc 4957 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
d49abbd5
PW		 4958 CHECK(is_empty_signature(&sig));
4959 /* Zero key results in signature failure. */
4960 memset(key, 0, 32);
dc0ce9fc 4961 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
d49abbd5
PW		 4962 CHECK(is_empty_signature(&sig));
4963 /* Nonce function failure results in signature failure. */
4964 key[31] = 1;
dc0ce9fc 4965 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
d49abbd5
PW		 4966 CHECK(is_empty_signature(&sig));
4967 /* The retry loop successfully makes its way to the first good value. */
dc0ce9fc 4968 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
d49abbd5 4969 CHECK(!is_empty_signature(&sig));
dc0ce9fc 4970 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
d49abbd5
PW		 4971 CHECK(!is_empty_signature(&sig2));
4972 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
269d4227 4973 /* The default nonce function is deterministic. */
dc0ce9fc 4974 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
d49abbd5
PW		 4975 CHECK(!is_empty_signature(&sig2));
4976 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4977 /* The default nonce function changes output with different messages. */
4978 for(i = 0; i < 256; i++) {
4979 int j;
4980 msg[0] = i;
dc0ce9fc 4981 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
d49abbd5
PW		 4982 CHECK(!is_empty_signature(&sig2));
4983 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4984 for (j = 0; j < i; j++) {
4985 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4986 }
4987 }
4988 msg[0] = 0;
4989 msg[31] = 2;
4990 /* The default nonce function changes output with different keys. */
4991 for(i = 256; i < 512; i++) {
4992 int j;
4993 key[0] = i - 256;
dc0ce9fc 4994 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
d49abbd5
PW		 4995 CHECK(!is_empty_signature(&sig2));
4996 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4997 for (j = 0; j < i; j++) {
4998 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4999 }
5000 }
5001 key[0] = 0;
5002 }
5003
b30fc85c 5004 {
269d4227 5005 /* Check that optional nonce arguments do not have equivalent effect. */
b30fc85c
GM		 5006 const unsigned char zeros[32] = {0};
5007 unsigned char nonce[32];
5008 unsigned char nonce2[32];
5009 unsigned char nonce3[32];
5010 unsigned char nonce4[32];
5011 VG_UNDEF(nonce,32);
5012 VG_UNDEF(nonce2,32);
5013 VG_UNDEF(nonce3,32);
5014 VG_UNDEF(nonce4,32);
5015 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
5016 VG_CHECK(nonce,32);
5017 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
5018 VG_CHECK(nonce2,32);
5019 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
5020 VG_CHECK(nonce3,32);
5021 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
5022 VG_CHECK(nonce4,32);
5023 CHECK(memcmp(nonce, nonce2, 32) != 0);
5024 CHECK(memcmp(nonce, nonce3, 32) != 0);
5025 CHECK(memcmp(nonce, nonce4, 32) != 0);
5026 CHECK(memcmp(nonce2, nonce3, 32) != 0);
5027 CHECK(memcmp(nonce2, nonce4, 32) != 0);
5028 CHECK(memcmp(nonce3, nonce4, 32) != 0);
5029 }
5030
5031
d49abbd5
PW		 5032 /* Privkey export where pubkey is the point at infinity. */
5033 {
5034 unsigned char privkey[300];
5035 unsigned char seckey[32] = {
5036 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5037 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
5038 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
5039 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
5040 };
788038d3 5041 size_t outlen = 300;
eed87af1 5042 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
1973c737 5043 outlen = 300;
eed87af1 5044 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
d49abbd5
PW		 5045 }
5046}
5047
6e052878
PW		 5048void run_ecdsa_edge_cases(void) {
5049 test_ecdsa_edge_cases();
3bf029d6 5050}
25f4aec0 5051
dd08f037 5052#ifdef ENABLE_OPENSSL_TESTS
7914a6eb 5053EC_KEY *get_openssl_key(const unsigned char *key32) {
12e29b32 5054 unsigned char privkey[300];
788038d3 5055 size_t privkeylen;
12e29b32 5056 const unsigned char* pbegin = privkey;
fa57f1bd 5057 int compr = secp256k1_rand_bits(1);
dd08f037 5058 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
eed87af1 5059 CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
0592d117
PW		 5060 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
5061 CHECK(EC_KEY_check_key(ec_key));
dd08f037
PW		 5062 return ec_key;
5063}
5064
2cad067a 5065void test_ecdsa_openssl(void) {
dd891e0e
PW		 5066 secp256k1_gej qj;
5067 secp256k1_ge q;
5068 secp256k1_scalar sigr, sigs;
5069 secp256k1_scalar one;
5070 secp256k1_scalar msg2;
5071 secp256k1_scalar key, msg;
bf2e1ac7
GM		 5072 EC_KEY *ec_key;
5073 unsigned int sigsize = 80;
788038d3 5074 size_t secp_sigsize = 80;
dd08f037 5075 unsigned char message[32];
bf2e1ac7 5076 unsigned char signature[80];
7914a6eb 5077 unsigned char key32[32];
dd08f037 5078 secp256k1_rand256_test(message);
eca6cdb1 5079 secp256k1_scalar_set_b32(&msg, message, NULL);
a9f5c8b8 5080 random_scalar_order_test(&key);
7914a6eb 5081 secp256k1_scalar_get_b32(key32, &key);
a9b6595e 5082 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
dd08f037 5083 secp256k1_ge_set_gej(&q, &qj);
7914a6eb 5084 ec_key = get_openssl_key(key32);
2b199de8 5085 CHECK(ec_key != NULL);
0592d117 5086 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
18c329c5
PW		 5087 CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
5088 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
f24041d6 5089 secp256k1_scalar_set_int(&one, 1);
f24041d6 5090 secp256k1_scalar_add(&msg2, &msg, &one);
18c329c5 5091 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
dd08f037 5092
18c329c5
PW		 5093 random_sign(&sigr, &sigs, &key, &msg, NULL);
5094 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
9974d869 5095 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
dd08f037 5096
dd08f037 5097 EC_KEY_free(ec_key);
dd08f037
PW		 5098}
5099
2cad067a 5100void run_ecdsa_openssl(void) {
bf2e1ac7
GM		 5101 int i;
5102 for (i = 0; i < 10*count; i++) {
dd08f037
PW		 5103 test_ecdsa_openssl();
5104 }
5105}
5106#endif
5107
0739bbb6
AP		 5108#ifdef ENABLE_MODULE_ECDH
5109# include "modules/ecdh/tests_impl.h"
5110#endif
5111
9f443be0
PW		 5112#ifdef ENABLE_MODULE_RECOVERY
5113# include "modules/recovery/tests_impl.h"
5114#endif
5115
404c30a8 5116int main(int argc, char **argv) {
89561118
PW		 5117 unsigned char seed16[16] = {0};
5118 unsigned char run32[32] = {0};
71712b27 5119 /* find iteration count */
3fd6253e
PW		 5120 if (argc > 1) {
5121 count = strtol(argv[1], NULL, 0);
5122 }
5123
71712b27 5124 /* find random seed */
3fd6253e 5125 if (argc > 2) {
89561118
PW		 5126 int pos = 0;
5127 const char* ch = argv[2];
5128 while (pos < 16 && ch[0] != 0 && ch[1] != 0) {
5129 unsigned short sh;
5130 if (sscanf(ch, "%2hx", &sh)) {
5131 seed16[pos] = sh;
5132 } else {
5133 break;
5134 }
5135 ch += 2;
5136 pos++;
5137 }
3fd6253e
PW		 5138 } else {
5139 FILE *frand = fopen("/dev/urandom", "r");
8b3841c9 5140 if ((frand == NULL) || fread(&seed16, 1, sizeof(seed16), frand) != sizeof(seed16)) {
89561118 5141 uint64_t t = time(NULL) * (uint64_t)1337;
be40c4d0 5142 fprintf(stderr, "WARNING: could not read 16 bytes from /dev/urandom; falling back to insecure PRNG\n");
89561118
PW		 5143 seed16[0] ^= t;
5144 seed16[1] ^= t >> 8;
5145 seed16[2] ^= t >> 16;
5146 seed16[3] ^= t >> 24;
5147 seed16[4] ^= t >> 32;
5148 seed16[5] ^= t >> 40;
5149 seed16[6] ^= t >> 48;
5150 seed16[7] ^= t >> 56;
3fd6253e 5151 }
5aae5b5b 5152 if (frand) {
5153 fclose(frand);
5154 }
3fd6253e 5155 }
89561118 5156 secp256k1_rand_seed(seed16);
404c30a8 5157
dd08f037 5158 printf("test count = %i\n", count);
89561118 5159 printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]);
dd08f037 5160
71712b27 5161 /* initialize */
814cc78d
TR		 5162 run_context_tests(0);
5163 run_context_tests(1);
548de42e 5164 run_scratch_tests();
a9b6595e 5165 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
fa57f1bd 5166 if (secp256k1_rand_bits(1)) {
d2275795 5167 secp256k1_rand256(run32);
fa57f1bd 5168 CHECK(secp256k1_context_randomize(ctx, secp256k1_rand_bits(1) ? run32 : NULL));
d2275795 5169 }
49b37498
PW		 5170
5171 run_rand_bits();
5172 run_rand_int();
5173
b37fbc28
PW		 5174 run_sha256_tests();
5175 run_hmac_sha256_tests();
5176 run_rfc6979_hmac_sha256_tests();
5177
597128d3 5178#ifndef USE_NUM_NONE
71712b27 5179 /* num tests */
3f44e1ad 5180 run_num_smalltests();
597128d3 5181#endif
404c30a8 5182
71712b27 5183 /* scalar tests */
79359302
PW		 5184 run_scalar_tests();
5185
71712b27 5186 /* field tests */
f16be77f
PD		 5187 run_field_inv();
5188 run_field_inv_var();
f16be77f 5189 run_field_inv_all_var();
8d11164b 5190 run_field_misc();
ff889f7d 5191 run_field_convert();
59447da3 5192 run_sqr();
09ca4f32
PD		 5193 run_sqrt();
5194
71712b27 5195 /* group tests */
9338dbf7 5196 run_ge();
64666251 5197 run_group_decompress();
9338dbf7 5198
71712b27 5199 /* ecmult tests */
404c30a8
PW		 5200 run_wnaf();
5201 run_point_times_order();
5202 run_ecmult_chain();
d2275795
GM		 5203 run_ecmult_constants();
5204 run_ecmult_gen_blind();
44015000 5205 run_ecmult_const_tests();
dba5471b 5206 run_ecmult_multi_tests();
a5a66c70 5207 run_ec_combine();
404c30a8 5208
baa75da5
AP		 5209 /* endomorphism tests */
5210#ifdef USE_ENDOMORPHISM
5211 run_endomorphism_tests();
5212#endif
5213
96be2046 5214 /* EC point parser test */
67f7da40
GM		 5215 run_ec_pubkey_parse_test();
5216
96be2046
GM		 5217 /* EC key edge cases */
5218 run_eckey_edge_case_test();
5219
0739bbb6
AP		 5220#ifdef ENABLE_MODULE_ECDH
5221 /* ecdh tests */
5222 run_ecdh_tests();
5223#endif
5224
71712b27 5225 /* ecdsa tests */
7c6fed28 5226 run_random_pubkeys();
3bb9c447 5227 run_ecdsa_der_parse();
404c30a8 5228 run_ecdsa_sign_verify();
25f4aec0 5229 run_ecdsa_end_to_end();
6e052878 5230 run_ecdsa_edge_cases();
dd08f037
PW		 5231#ifdef ENABLE_OPENSSL_TESTS
5232 run_ecdsa_openssl();
5233#endif
910d0de4 5234
9f443be0
PW		 5235#ifdef ENABLE_MODULE_RECOVERY
5236 /* ECDSA pubkey recovery tests */
5237 run_recovery_tests();
5238#endif
5239
89561118
PW		 5240 secp256k1_rand256(run32);
5241 printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]);
bff11e91 5242
71712b27 5243 /* shutdown */
a9b6595e 5244 secp256k1_context_destroy(ctx);
c996d53a
PW		 5245
5246 printf("no problems found\n");
a41f32e6
PW		 5247 return 0;
5248}
Empty description
This page took 0.774821 seconds and 4 git commands to generate.