]> Git Repo - secp256k1.git/blame - src/tests.c
projects / secp256k1.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add ability to pass extra entropy to rfc6979
[secp256k1.git] / src / tests.c
CommitLineData
71712b27
GM		 1/**********************************************************************
2 * Copyright (c) 2013, 2014 Pieter Wuille *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
0a433ea2 6
78cd96b1
CF		 7#if defined HAVE_CONFIG_H
8#include "libsecp256k1-config.h"
9#endif
10
5a9989c5 11#include <stdio.h>
0592d117 12#include <stdlib.h>
a41f32e6 13
e06a9244
PJ		 14#include <time.h>
15
25f4aec0 16#include "secp256k1.c"
f0709ac5 17#include "testrand_impl.h"
a41f32e6 18
dd08f037
PW		 19#ifdef ENABLE_OPENSSL_TESTS
20#include "openssl/bn.h"
21#include "openssl/ec.h"
22#include "openssl/ecdsa.h"
23#include "openssl/obj_mac.h"
24#endif
25
79f599d3 26static int count = 64;
4adf6b2a 27
9338dbf7
PW		 28void random_field_element_test(secp256k1_fe_t *fe) {
29 do {
30 unsigned char b32[32];
31 secp256k1_rand256_test(b32);
659b554d
PW		 32 if (secp256k1_fe_set_b32(fe, b32)) {
33 break;
34 }
9338dbf7
PW		 35 } while(1);
36}
37
38void random_field_element_magnitude(secp256k1_fe_t *fe) {
bf2e1ac7 39 secp256k1_fe_t zero;
60571c6e 40 int n = secp256k1_rand32() % 9;
9338dbf7 41 secp256k1_fe_normalize(fe);
60571c6e
PW		 42 if (n == 0) {
43 return;
9338dbf7 44 }
60571c6e
PW		 45 secp256k1_fe_clear(&zero);
46 secp256k1_fe_negate(&zero, &zero, 0);
47 secp256k1_fe_mul_int(&zero, n - 1);
48 secp256k1_fe_add(fe, &zero);
49#ifdef VERIFY
50 CHECK(fe->magnitude == n);
51#endif
9338dbf7
PW		 52}
53
54void random_group_element_test(secp256k1_ge_t *ge) {
55 secp256k1_fe_t fe;
56 do {
57 random_field_element_test(&fe);
39bd94d8 58 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand32() & 1))
9338dbf7
PW		 59 break;
60 } while(1);
61}
62
63void random_group_element_jacobian_test(secp256k1_gej_t *gej, const secp256k1_ge_t *ge) {
bf2e1ac7 64 secp256k1_fe_t z2, z3;
9338dbf7
PW		 65 do {
66 random_field_element_test(&gej->z);
67 if (!secp256k1_fe_is_zero(&gej->z)) {
68 break;
69 }
70 } while(1);
bf2e1ac7
GM		 71 secp256k1_fe_sqr(&z2, &gej->z);
72 secp256k1_fe_mul(&z3, &z2, &gej->z);
9338dbf7
PW		 73 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
74 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
75 gej->infinity = ge->infinity;
76}
77
a9f5c8b8
PW		 78void random_scalar_order_test(secp256k1_scalar_t *num) {
79 do {
80 unsigned char b32[32];
a9f5c8b8 81 int overflow = 0;
bf2e1ac7 82 secp256k1_rand256_test(b32);
eca6cdb1 83 secp256k1_scalar_set_b32(num, b32, &overflow);
a9f5c8b8
PW		 84 if (overflow || secp256k1_scalar_is_zero(num))
85 continue;
86 break;
87 } while(1);
88}
89
f24041d6
PW		 90void random_scalar_order(secp256k1_scalar_t *num) {
91 do {
92 unsigned char b32[32];
f24041d6 93 int overflow = 0;
bf2e1ac7 94 secp256k1_rand256(b32);
f24041d6
PW		 95 secp256k1_scalar_set_b32(num, b32, &overflow);
96 if (overflow || secp256k1_scalar_is_zero(num))
97 continue;
98 break;
99 } while(1);
100}
101
b37fbc28
PW		 102/***** HASH TESTS *****/
103
104void run_sha256_tests(void) {
105 static const char *inputs[8] = {
106 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
107 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
108 "For this sample, this 63-byte string will be used as input data",
109 "This is exactly 64 bytes long, not counting the terminating byte"
110 };
111 static const unsigned char outputs[8][32] = {
112 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
113 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
114 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
115 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
116 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
117 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
118 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
119 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
120 };
bf2e1ac7
GM		 121 int i;
122 for (i = 0; i < 8; i++) {
123 unsigned char out[32];
b37fbc28
PW		 124 secp256k1_sha256_t hasher;
125 secp256k1_sha256_initialize(&hasher);
126 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
b37fbc28
PW		 127 secp256k1_sha256_finalize(&hasher, out);
128 CHECK(memcmp(out, outputs[i], 32) == 0);
129 if (strlen(inputs[i]) > 0) {
b37fbc28 130 int split = secp256k1_rand32() % strlen(inputs[i]);
bf2e1ac7 131 secp256k1_sha256_initialize(&hasher);
b37fbc28
PW		 132 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
133 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
134 secp256k1_sha256_finalize(&hasher, out);
135 CHECK(memcmp(out, outputs[i], 32) == 0);
136 }
137 }
138}
139
140void run_hmac_sha256_tests(void) {
141 static const char *keys[6] = {
142 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
143 "\x4a\x65\x66\x65",
144 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
145 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
146 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
147 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
148 };
149 static const char *inputs[6] = {
150 "\x48\x69\x20\x54\x68\x65\x72\x65",
151 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
152 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
153 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
154 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
155 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
156 };
157 static const unsigned char outputs[6][32] = {
158 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
159 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
160 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
161 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
162 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
163 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
164 };
bf2e1ac7
GM		 165 int i;
166 for (i = 0; i < 6; i++) {
b37fbc28 167 secp256k1_hmac_sha256_t hasher;
bf2e1ac7 168 unsigned char out[32];
b37fbc28
PW		 169 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
170 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
b37fbc28
PW		 171 secp256k1_hmac_sha256_finalize(&hasher, out);
172 CHECK(memcmp(out, outputs[i], 32) == 0);
173 if (strlen(inputs[i]) > 0) {
b37fbc28 174 int split = secp256k1_rand32() % strlen(inputs[i]);
bf2e1ac7 175 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
b37fbc28
PW		 176 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
177 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
178 secp256k1_hmac_sha256_finalize(&hasher, out);
179 CHECK(memcmp(out, outputs[i], 32) == 0);
180 }
181 }
182}
183
184void run_rfc6979_hmac_sha256_tests(void) {
185 static const unsigned char key1[32] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00};
186 static const unsigned char msg1[32] = {0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a};
187 static const unsigned char out1[3][32] = {
188 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
189 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
190 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
191 };
192
193 static const unsigned char key2[32] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
194 static const unsigned char msg2[32] = {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
195 static const unsigned char out2[3][32] = {
196 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
197 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
198 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
199 };
200
201 secp256k1_rfc6979_hmac_sha256_t rng;
202 unsigned char out[32];
1573a102 203 unsigned char zero[1] = {0};
bf2e1ac7 204 int i;
b37fbc28 205
1573a102 206 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 32, msg1, 32, NULL, 1);
bf2e1ac7 207 for (i = 0; i < 3; i++) {
b37fbc28
PW		 208 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
209 CHECK(memcmp(out, out1[i], 32) == 0);
210 }
211 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
212
1573a102
PW		 213 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 32, msg1, 32, zero, 1);
214 for (i = 0; i < 3; i++) {
215 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
216 CHECK(memcmp(out, out1[i], 32) != 0);
217 }
218 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
219
220 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 32, msg2, 32, zero, 0);
bf2e1ac7 221 for (i = 0; i < 3; i++) {
b37fbc28
PW		 222 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
223 CHECK(memcmp(out, out2[i], 32) == 0);
224 }
225 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
226}
227
659b554d
PW		 228/***** NUM TESTS *****/
229
597128d3 230#ifndef USE_NUM_NONE
659b554d
PW		 231void random_num_negate(secp256k1_num_t *num) {
232 if (secp256k1_rand32() & 1)
233 secp256k1_num_negate(num);
234}
235
236void random_num_order_test(secp256k1_num_t *num) {
237 secp256k1_scalar_t sc;
238 random_scalar_order_test(&sc);
239 secp256k1_scalar_get_num(num, &sc);
240}
241
404c30a8 242void random_num_order(secp256k1_num_t *num) {
659b554d
PW		 243 secp256k1_scalar_t sc;
244 random_scalar_order(&sc);
245 secp256k1_scalar_get_num(num, &sc);
404c30a8
PW		 246}
247
2cad067a 248void test_num_negate(void) {
3f44e1ad
PW		 249 secp256k1_num_t n1;
250 secp256k1_num_t n2;
71712b27 251 random_num_order_test(&n1); /* n1 = R */
3f44e1ad 252 random_num_negate(&n1);
71712b27
GM		 253 secp256k1_num_copy(&n2, &n1); /* n2 = R */
254 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
0592d117 255 CHECK(secp256k1_num_is_zero(&n1));
71712b27
GM		 256 secp256k1_num_copy(&n1, &n2); /* n1 = R */
257 secp256k1_num_negate(&n1); /* n1 = -R */
0592d117 258 CHECK(!secp256k1_num_is_zero(&n1));
71712b27 259 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
0592d117 260 CHECK(secp256k1_num_is_zero(&n1));
71712b27
GM		 261 secp256k1_num_copy(&n1, &n2); /* n1 = R */
262 secp256k1_num_negate(&n1); /* n1 = -R */
0592d117 263 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
71712b27 264 secp256k1_num_negate(&n1); /* n1 = R */
1a749b4a 265 CHECK(secp256k1_num_eq(&n1, &n2));
3f44e1ad
PW		 266}
267
2cad067a 268void test_num_add_sub(void) {
3f44e1ad
PW		 269 secp256k1_num_t n1;
270 secp256k1_num_t n2;
bf2e1ac7
GM		 271 secp256k1_num_t n1p2, n2p1, n1m2, n2m1;
272 int r = secp256k1_rand32();
71712b27 273 random_num_order_test(&n1); /* n1 = R1 */
1a749b4a
PW		 274 if (r & 1) {
275 random_num_negate(&n1);
276 }
71712b27 277 random_num_order_test(&n2); /* n2 = R2 */
1a749b4a
PW		 278 if (r & 2) {
279 random_num_negate(&n2);
280 }
71712b27
GM		 281 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
282 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
283 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
284 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
1a749b4a
PW		 285 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
286 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
71712b27 287 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
1a749b4a
PW		 288 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
289 CHECK(!secp256k1_num_eq(&n2m1, &n1));
71712b27 290 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
1a749b4a
PW		 291 CHECK(secp256k1_num_eq(&n2m1, &n1));
292 CHECK(!secp256k1_num_eq(&n2p1, &n1));
71712b27 293 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
1a749b4a 294 CHECK(secp256k1_num_eq(&n2p1, &n1));
3f44e1ad
PW		 295}
296
2cad067a 297void run_num_smalltests(void) {
bf2e1ac7
GM		 298 int i;
299 for (i = 0; i < 100*count; i++) {
3f44e1ad
PW		 300 test_num_negate();
301 test_num_add_sub();
302 }
3f44e1ad 303}
597128d3 304#endif
3f44e1ad 305
79359302
PW		 306/***** SCALAR TESTS *****/
307
79359302 308void scalar_test(void) {
bf2e1ac7
GM		 309 secp256k1_scalar_t s;
310 secp256k1_scalar_t s1;
311 secp256k1_scalar_t s2;
312#ifndef USE_NUM_NONE
313 secp256k1_num_t snum, s1num, s2num;
314 secp256k1_num_t order, half_order;
315#endif
79359302
PW		 316 unsigned char c[32];
317
71712b27 318 /* Set 's' to a random scalar, with value 'snum'. */
659b554d 319 random_scalar_order_test(&s);
79359302 320
71712b27 321 /* Set 's1' to a random scalar, with value 's1num'. */
659b554d 322 random_scalar_order_test(&s1);
79359302 323
71712b27 324 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
659b554d
PW		 325 random_scalar_order_test(&s2);
326 secp256k1_scalar_get_b32(c, &s2);
327
597128d3 328#ifndef USE_NUM_NONE
659b554d
PW		 329 secp256k1_scalar_get_num(&snum, &s);
330 secp256k1_scalar_get_num(&s1num, &s1);
331 secp256k1_scalar_get_num(&s2num, &s2);
332
659b554d 333 secp256k1_scalar_order_get_num(&order);
bf2e1ac7 334 half_order = order;
659b554d 335 secp256k1_num_shift(&half_order, 1);
597128d3 336#endif
79359302
PW		 337
338 {
bf2e1ac7 339 int i;
71712b27 340 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
1e6c77c3
PW		 341 secp256k1_scalar_t n;
342 secp256k1_scalar_set_int(&n, 0);
bf2e1ac7 343 for (i = 0; i < 256; i += 4) {
1e6c77c3 344 secp256k1_scalar_t t;
bf2e1ac7 345 int j;
1e6c77c3 346 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
bf2e1ac7 347 for (j = 0; j < 4; j++) {
1e6c77c3
PW		 348 secp256k1_scalar_add(&n, &n, &n);
349 }
350 secp256k1_scalar_add(&n, &n, &t);
79359302 351 }
1e6c77c3
PW		 352 CHECK(secp256k1_scalar_eq(&n, &s));
353 }
354
355 {
356 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
357 secp256k1_scalar_t n;
1e6c77c3 358 int i = 0;
bf2e1ac7 359 secp256k1_scalar_set_int(&n, 0);
1e6c77c3 360 while (i < 256) {
bf2e1ac7
GM		 361 secp256k1_scalar_t t;
362 int j;
1e6c77c3
PW		 363 int now = (secp256k1_rand32() % 15) + 1;
364 if (now + i > 256) {
365 now = 256 - i;
366 }
1e6c77c3 367 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
bf2e1ac7 368 for (j = 0; j < now; j++) {
1e6c77c3
PW		 369 secp256k1_scalar_add(&n, &n, &n);
370 }
371 secp256k1_scalar_add(&n, &n, &t);
372 i += now;
373 }
374 CHECK(secp256k1_scalar_eq(&n, &s));
79359302
PW		 375 }
376
597128d3 377#ifndef USE_NUM_NONE
79359302 378 {
71712b27 379 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
79359302 380 secp256k1_num_t rnum;
bf2e1ac7
GM		 381 secp256k1_num_t r2num;
382 secp256k1_scalar_t r;
79359302 383 secp256k1_num_add(&rnum, &snum, &s2num);
659b554d 384 secp256k1_num_mod(&rnum, &order);
79359302 385 secp256k1_scalar_add(&r, &s, &s2);
79359302
PW		 386 secp256k1_scalar_get_num(&r2num, &r);
387 CHECK(secp256k1_num_eq(&rnum, &r2num));
79359302
PW		 388 }
389
390 {
71712b27 391 /* Test that multipying the scalars is equal to multiplying their numbers modulo the order. */
bf2e1ac7
GM		 392 secp256k1_scalar_t r;
393 secp256k1_num_t r2num;
79359302 394 secp256k1_num_t rnum;
79359302 395 secp256k1_num_mul(&rnum, &snum, &s2num);
659b554d 396 secp256k1_num_mod(&rnum, &order);
79359302 397 secp256k1_scalar_mul(&r, &s, &s2);
79359302
PW		 398 secp256k1_scalar_get_num(&r2num, &r);
399 CHECK(secp256k1_num_eq(&rnum, &r2num));
71712b27 400 /* The result can only be zero if at least one of the factors was zero. */
79359302 401 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
71712b27 402 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
79359302
PW		 403 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
404 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
79359302
PW		 405 }
406
407 {
bf2e1ac7
GM		 408 secp256k1_scalar_t neg;
409 secp256k1_num_t negnum;
410 secp256k1_num_t negnum2;
71712b27 411 /* Check that comparison with zero matches comparison with zero on the number. */
79359302 412 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
71712b27 413 /* Check that comparison with the half order is equal to testing for high scalar. */
659b554d 414 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
79359302 415 secp256k1_scalar_negate(&neg, &s);
659b554d
PW		 416 secp256k1_num_sub(&negnum, &order, &snum);
417 secp256k1_num_mod(&negnum, &order);
71712b27 418 /* Check that comparison with the half order is equal to testing for high scalar after negation. */
659b554d 419 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
71712b27 420 /* Negating should change the high property, unless the value was already zero. */
79359302 421 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
79359302 422 secp256k1_scalar_get_num(&negnum2, &neg);
71712b27 423 /* Negating a scalar should be equal to (order - n) mod order on the number. */
79359302
PW		 424 CHECK(secp256k1_num_eq(&negnum, &negnum2));
425 secp256k1_scalar_add(&neg, &neg, &s);
71712b27 426 /* Adding a number to its negation should result in zero. */
79359302
PW		 427 CHECK(secp256k1_scalar_is_zero(&neg));
428 secp256k1_scalar_negate(&neg, &neg);
71712b27 429 /* Negating zero should still result in zero. */
79359302 430 CHECK(secp256k1_scalar_is_zero(&neg));
79359302 431 }
ff8746d4
PW		 432
433 {
434 /* Test secp256k1_scalar_mul_shift_var. */
435 secp256k1_scalar_t r;
bf2e1ac7
GM		 436 secp256k1_num_t one;
437 secp256k1_num_t rnum;
438 secp256k1_num_t rnum2;
439 unsigned char cone[1] = {0x01};
ff8746d4
PW		 440 unsigned int shift = 256 + (secp256k1_rand32() % 257);
441 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
ff8746d4
PW		 442 secp256k1_num_mul(&rnum, &s1num, &s2num);
443 secp256k1_num_shift(&rnum, shift - 1);
ff8746d4
PW		 444 secp256k1_num_set_bin(&one, cone, 1);
445 secp256k1_num_add(&rnum, &rnum, &one);
446 secp256k1_num_shift(&rnum, 1);
ff8746d4
PW		 447 secp256k1_scalar_get_num(&rnum2, &r);
448 CHECK(secp256k1_num_eq(&rnum, &rnum2));
449 }
597128d3 450#endif
79359302
PW		 451
452 {
71712b27 453 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
79359302
PW		 454 if (!secp256k1_scalar_is_zero(&s)) {
455 secp256k1_scalar_t inv;
597128d3 456#ifndef USE_NUM_NONE
79359302 457 secp256k1_num_t invnum;
79359302 458 secp256k1_num_t invnum2;
bf2e1ac7
GM		 459#endif
460 secp256k1_scalar_inverse(&inv, &s);
461#ifndef USE_NUM_NONE
462 secp256k1_num_mod_inverse(&invnum, &snum, &order);
79359302
PW		 463 secp256k1_scalar_get_num(&invnum2, &inv);
464 CHECK(secp256k1_num_eq(&invnum, &invnum2));
597128d3 465#endif
79359302 466 secp256k1_scalar_mul(&inv, &inv, &s);
71712b27 467 /* Multiplying a scalar with its inverse must result in one. */
79359302
PW		 468 CHECK(secp256k1_scalar_is_one(&inv));
469 secp256k1_scalar_inverse(&inv, &inv);
71712b27 470 /* Inverting one must result in one. */
79359302 471 CHECK(secp256k1_scalar_is_one(&inv));
79359302
PW		 472 }
473 }
474
475 {
71712b27 476 /* Test commutativity of add. */
79359302 477 secp256k1_scalar_t r1, r2;
79359302
PW		 478 secp256k1_scalar_add(&r1, &s1, &s2);
479 secp256k1_scalar_add(&r2, &s2, &s1);
480 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 481 }
482
52132078 483 {
bf2e1ac7
GM		 484 secp256k1_scalar_t r1, r2;
485 secp256k1_scalar_t b;
486 int i;
52132078
PW		 487 /* Test add_bit. */
488 int bit = secp256k1_rand32() % 256;
1e6c77c3 489 secp256k1_scalar_set_int(&b, 1);
52132078 490 CHECK(secp256k1_scalar_is_one(&b));
bf2e1ac7 491 for (i = 0; i < bit; i++) {
52132078
PW		 492 secp256k1_scalar_add(&b, &b, &b);
493 }
bf2e1ac7
GM		 494 r1 = s1;
495 r2 = s1;
29ae1310 496 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
52132078
PW		 497 /* No overflow happened. */
498 secp256k1_scalar_add_bit(&r2, bit);
499 CHECK(secp256k1_scalar_eq(&r1, &r2));
500 }
501 }
502
79359302 503 {
71712b27 504 /* Test commutativity of mul. */
79359302 505 secp256k1_scalar_t r1, r2;
79359302
PW		 506 secp256k1_scalar_mul(&r1, &s1, &s2);
507 secp256k1_scalar_mul(&r2, &s2, &s1);
508 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 509 }
510
511 {
71712b27 512 /* Test associativity of add. */
79359302 513 secp256k1_scalar_t r1, r2;
79359302
PW		 514 secp256k1_scalar_add(&r1, &s1, &s2);
515 secp256k1_scalar_add(&r1, &r1, &s);
516 secp256k1_scalar_add(&r2, &s2, &s);
517 secp256k1_scalar_add(&r2, &s1, &r2);
518 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 519 }
520
521 {
71712b27 522 /* Test associativity of mul. */
79359302 523 secp256k1_scalar_t r1, r2;
79359302
PW		 524 secp256k1_scalar_mul(&r1, &s1, &s2);
525 secp256k1_scalar_mul(&r1, &r1, &s);
526 secp256k1_scalar_mul(&r2, &s2, &s);
527 secp256k1_scalar_mul(&r2, &s1, &r2);
528 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 529 }
530
531 {
71712b27 532 /* Test distributitivity of mul over add. */
79359302 533 secp256k1_scalar_t r1, r2, t;
79359302
PW		 534 secp256k1_scalar_add(&r1, &s1, &s2);
535 secp256k1_scalar_mul(&r1, &r1, &s);
536 secp256k1_scalar_mul(&r2, &s1, &s);
537 secp256k1_scalar_mul(&t, &s2, &s);
538 secp256k1_scalar_add(&r2, &r2, &t);
539 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302 540 }
1d52a8b1
PW		 541
542 {
71712b27 543 /* Test square. */
1d52a8b1
PW		 544 secp256k1_scalar_t r1, r2;
545 secp256k1_scalar_sqr(&r1, &s1);
546 secp256k1_scalar_mul(&r2, &s1, &s1);
547 CHECK(secp256k1_scalar_eq(&r1, &r2));
548 }
ff8746d4 549
8d11164b
GM		 550 {
551 /* Test multiplicative identity. */
552 secp256k1_scalar_t r1, v1;
553 secp256k1_scalar_set_int(&v1,1);
554 secp256k1_scalar_mul(&r1, &s1, &v1);
555 CHECK(secp256k1_scalar_eq(&r1, &s1));
556 }
557
558 {
559 /* Test additive identity. */
560 secp256k1_scalar_t r1, v0;
561 secp256k1_scalar_set_int(&v0,0);
562 secp256k1_scalar_add(&r1, &s1, &v0);
563 CHECK(secp256k1_scalar_eq(&r1, &s1));
564 }
565
566 {
567 /* Test zero product property. */
568 secp256k1_scalar_t r1, v0;
569 secp256k1_scalar_set_int(&v0,0);
570 secp256k1_scalar_mul(&r1, &s1, &v0);
571 CHECK(secp256k1_scalar_eq(&r1, &v0));
572 }
573
79359302
PW		 574}
575
576void run_scalar_tests(void) {
bf2e1ac7
GM		 577 int i;
578 for (i = 0; i < 128 * count; i++) {
79359302
PW		 579 scalar_test();
580 }
659b554d
PW		 581
582 {
ee3eb4be 583 /* (-1)+1 should be zero. */
659b554d
PW		 584 secp256k1_scalar_t s, o;
585 secp256k1_scalar_set_int(&s, 1);
8d11164b 586 CHECK(secp256k1_scalar_is_one(&s));
659b554d
PW		 587 secp256k1_scalar_negate(&o, &s);
588 secp256k1_scalar_add(&o, &o, &s);
589 CHECK(secp256k1_scalar_is_zero(&o));
8d11164b
GM		 590 secp256k1_scalar_negate(&o, &o);
591 CHECK(secp256k1_scalar_is_zero(&o));
659b554d
PW		 592 }
593
597128d3 594#ifndef USE_NUM_NONE
659b554d 595 {
ee3eb4be 596 /* A scalar with value of the curve order should be 0. */
659b554d 597 secp256k1_num_t order;
659b554d 598 secp256k1_scalar_t zero;
bf2e1ac7 599 unsigned char bin[32];
659b554d 600 int overflow = 0;
bf2e1ac7
GM		 601 secp256k1_scalar_order_get_num(&order);
602 secp256k1_num_get_bin(bin, 32, &order);
659b554d
PW		 603 secp256k1_scalar_set_b32(&zero, bin, &overflow);
604 CHECK(overflow == 1);
605 CHECK(secp256k1_scalar_is_zero(&zero));
606 }
597128d3 607#endif
79359302
PW		 608}
609
09ca4f32
PD		 610/***** FIELD TESTS *****/
611
612void random_fe(secp256k1_fe_t *x) {
613 unsigned char bin[32];
d907ebc0
PW		 614 do {
615 secp256k1_rand256(bin);
616 if (secp256k1_fe_set_b32(x, bin)) {
617 return;
618 }
619 } while(1);
09ca4f32
PD		 620}
621
6d6102fe
PD		 622void random_fe_non_zero(secp256k1_fe_t *nz) {
623 int tries = 10;
09ca4f32 624 while (--tries >= 0) {
6d6102fe
PD		 625 random_fe(nz);
626 secp256k1_fe_normalize(nz);
627 if (!secp256k1_fe_is_zero(nz))
09ca4f32
PD		 628 break;
629 }
71712b27 630 /* Infinitesimal probability of spurious failure here */
0592d117 631 CHECK(tries >= 0);
09ca4f32
PD		 632}
633
6d6102fe 634void random_fe_non_square(secp256k1_fe_t *ns) {
6d6102fe 635 secp256k1_fe_t r;
bf2e1ac7 636 random_fe_non_zero(ns);
39bd94d8 637 if (secp256k1_fe_sqrt_var(&r, ns)) {
6d6102fe
PD		 638 secp256k1_fe_negate(ns, ns, 1);
639 }
640}
641
f16be77f 642int check_fe_equal(const secp256k1_fe_t *a, const secp256k1_fe_t *b) {
bf2e1ac7
GM		 643 secp256k1_fe_t an = *a;
644 secp256k1_fe_t bn = *b;
645 secp256k1_fe_normalize_weak(&an);
646 secp256k1_fe_normalize_var(&bn);
d7174edf 647 return secp256k1_fe_equal_var(&an, &bn);
f16be77f
PD		 648}
649
650int check_fe_inverse(const secp256k1_fe_t *a, const secp256k1_fe_t *ai) {
bf2e1ac7 651 secp256k1_fe_t x;
443cd4b8 652 secp256k1_fe_t one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
bf2e1ac7 653 secp256k1_fe_mul(&x, a, ai);
f16be77f
PD		 654 return check_fe_equal(&x, &one);
655}
656
ff889f7d
PW		 657void run_field_convert(void) {
658 static const unsigned char b32[32] = {
659 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
660 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
661 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
662 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
663 };
ff889f7d
PW		 664 static const secp256k1_fe_storage_t fes = SECP256K1_FE_STORAGE_CONST(
665 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
666 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
667 );
668 static const secp256k1_fe_t fe = SECP256K1_FE_CONST(
669 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
670 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
671 );
672 secp256k1_fe_t fe2;
673 unsigned char b322[32];
ff889f7d
PW		 674 secp256k1_fe_storage_t fes2;
675 /* Check conversions to fe. */
676 CHECK(secp256k1_fe_set_b32(&fe2, b32));
677 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
ff889f7d
PW		 678 secp256k1_fe_from_storage(&fe2, &fes);
679 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
680 /* Check conversion from fe. */
681 secp256k1_fe_get_b32(b322, &fe);
682 CHECK(memcmp(b322, b32, 32) == 0);
ff889f7d
PW		 683 secp256k1_fe_to_storage(&fes2, &fe);
684 CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0);
685}
686
8d11164b 687void run_field_misc(void) {
8d11164b
GM		 688 secp256k1_fe_t x;
689 secp256k1_fe_t y;
690 secp256k1_fe_t z;
691 secp256k1_fe_t q;
443cd4b8 692 secp256k1_fe_t fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
bf2e1ac7 693 int i;
bf2e1ac7
GM		 694 for (i = 0; i < 5*count; i++) {
695 secp256k1_fe_storage_t xs, ys, zs;
8d11164b
GM		 696 random_fe(&x);
697 random_fe_non_zero(&y);
698 /* Test the fe equality and comparison operations. */
699 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
d7174edf 700 CHECK(secp256k1_fe_equal_var(&x, &x));
8d11164b
GM		 701 z = x;
702 secp256k1_fe_add(&z,&y);
703 secp256k1_fe_normalize(&z);
fcc48c45 704 /* Test storage conversion and conditional moves. */
fcc48c45
PW		 705 secp256k1_fe_to_storage(&xs, &x);
706 secp256k1_fe_to_storage(&ys, &y);
707 secp256k1_fe_to_storage(&zs, &z);
708 secp256k1_fe_storage_cmov(&zs, &xs, 0);
709 CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0);
710 secp256k1_fe_storage_cmov(&ys, &xs, 1);
711 CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0);
712 secp256k1_fe_from_storage(&x, &xs);
713 secp256k1_fe_from_storage(&y, &ys);
714 secp256k1_fe_from_storage(&z, &zs);
8d11164b
GM		 715 /* Test that mul_int, mul, and add agree. */
716 secp256k1_fe_add(&y, &x);
717 secp256k1_fe_add(&y, &x);
718 z = x;
719 secp256k1_fe_mul_int(&z, 3);
720 CHECK(check_fe_equal(&y, &z));
721 secp256k1_fe_add(&y, &x);
722 secp256k1_fe_add(&z, &x);
723 CHECK(check_fe_equal(&z, &y));
724 z = x;
725 secp256k1_fe_mul_int(&z, 5);
726 secp256k1_fe_mul(&q, &x, &fe5);
727 CHECK(check_fe_equal(&z, &q));
728 secp256k1_fe_negate(&x, &x, 1);
729 secp256k1_fe_add(&z, &x);
730 secp256k1_fe_add(&q, &x);
731 CHECK(check_fe_equal(&y, &z));
732 CHECK(check_fe_equal(&q, &y));
733 }
734}
735
2cad067a 736void run_field_inv(void) {
f16be77f 737 secp256k1_fe_t x, xi, xii;
bf2e1ac7
GM		 738 int i;
739 for (i = 0; i < 10*count; i++) {
f16be77f
PD		 740 random_fe_non_zero(&x);
741 secp256k1_fe_inv(&xi, &x);
742 CHECK(check_fe_inverse(&x, &xi));
743 secp256k1_fe_inv(&xii, &xi);
744 CHECK(check_fe_equal(&x, &xii));
745 }
746}
747
2cad067a 748void run_field_inv_var(void) {
f16be77f 749 secp256k1_fe_t x, xi, xii;
bf2e1ac7
GM		 750 int i;
751 for (i = 0; i < 10*count; i++) {
f16be77f
PD		 752 random_fe_non_zero(&x);
753 secp256k1_fe_inv_var(&xi, &x);
754 CHECK(check_fe_inverse(&x, &xi));
755 secp256k1_fe_inv_var(&xii, &xi);
756 CHECK(check_fe_equal(&x, &xii));
757 }
758}
759
2cad067a 760void run_field_inv_all_var(void) {
f16be77f 761 secp256k1_fe_t x[16], xi[16], xii[16];
bf2e1ac7 762 int i;
71712b27 763 /* Check it's safe to call for 0 elements */
f16be77f 764 secp256k1_fe_inv_all_var(0, xi, x);
bf2e1ac7
GM		 765 for (i = 0; i < count; i++) {
766 size_t j;
f16be77f 767 size_t len = (secp256k1_rand32() & 15) + 1;
bf2e1ac7 768 for (j = 0; j < len; j++)
f16be77f
PD		 769 random_fe_non_zero(&x[j]);
770 secp256k1_fe_inv_all_var(len, xi, x);
bf2e1ac7 771 for (j = 0; j < len; j++)
f16be77f
PD		 772 CHECK(check_fe_inverse(&x[j], &xi[j]));
773 secp256k1_fe_inv_all_var(len, xii, xi);
bf2e1ac7 774 for (j = 0; j < len; j++)
f16be77f
PD		 775 CHECK(check_fe_equal(&x[j], &xii[j]));
776 }
777}
778
2cad067a 779void run_sqr(void) {
59447da3
PD		 780 secp256k1_fe_t x, s;
781
59447da3 782 {
bf2e1ac7 783 int i;
59447da3
PD		 784 secp256k1_fe_set_int(&x, 1);
785 secp256k1_fe_negate(&x, &x, 1);
786
bf2e1ac7 787 for (i = 1; i <= 512; ++i) {
59447da3
PD		 788 secp256k1_fe_mul_int(&x, 2);
789 secp256k1_fe_normalize(&x);
790 secp256k1_fe_sqr(&s, &x);
59447da3
PD		 791 }
792 }
59447da3
PD		 793}
794
09ca4f32
PD		 795void test_sqrt(const secp256k1_fe_t *a, const secp256k1_fe_t *k) {
796 secp256k1_fe_t r1, r2;
39bd94d8 797 int v = secp256k1_fe_sqrt_var(&r1, a);
0592d117 798 CHECK((v == 0) == (k == NULL));
09ca4f32
PD		 799
800 if (k != NULL) {
71712b27 801 /* Check that the returned root is +/- the given known answer */
09ca4f32
PD		 802 secp256k1_fe_negate(&r2, &r1, 1);
803 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
804 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
0592d117 805 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
09ca4f32
PD		 806 }
807}
808
2cad067a 809void run_sqrt(void) {
09ca4f32 810 secp256k1_fe_t ns, x, s, t;
bf2e1ac7 811 int i;
6d6102fe 812
71712b27 813 /* Check sqrt(0) is 0 */
6d6102fe
PD		 814 secp256k1_fe_set_int(&x, 0);
815 secp256k1_fe_sqr(&s, &x);
816 test_sqrt(&s, &x);
817
71712b27 818 /* Check sqrt of small squares (and their negatives) */
bf2e1ac7 819 for (i = 1; i <= 100; i++) {
6d6102fe 820 secp256k1_fe_set_int(&x, i);
09ca4f32
PD		 821 secp256k1_fe_sqr(&s, &x);
822 test_sqrt(&s, &x);
6d6102fe 823 secp256k1_fe_negate(&t, &s, 1);
09ca4f32
PD		 824 test_sqrt(&t, NULL);
825 }
6d6102fe 826
71712b27 827 /* Consistency checks for large random values */
bf2e1ac7
GM		 828 for (i = 0; i < 10; i++) {
829 int j;
6d6102fe 830 random_fe_non_square(&ns);
bf2e1ac7 831 for (j = 0; j < count; j++) {
6d6102fe
PD		 832 random_fe(&x);
833 secp256k1_fe_sqr(&s, &x);
834 test_sqrt(&s, &x);
835 secp256k1_fe_negate(&t, &s, 1);
836 test_sqrt(&t, NULL);
837 secp256k1_fe_mul(&t, &s, &ns);
838 test_sqrt(&t, NULL);
839 }
840 }
09ca4f32
PD		 841}
842
9338dbf7
PW		 843/***** GROUP TESTS *****/
844
60571c6e
PW		 845void ge_equals_ge(const secp256k1_ge_t *a, const secp256k1_ge_t *b) {
846 CHECK(a->infinity == b->infinity);
847 if (a->infinity)
848 return;
849 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
850 CHECK(secp256k1_fe_equal_var(&b->y, &b->y));
9338dbf7
PW		 851}
852
853void ge_equals_gej(const secp256k1_ge_t *a, const secp256k1_gej_t *b) {
bf2e1ac7
GM		 854 secp256k1_fe_t z2s;
855 secp256k1_fe_t u1, u2, s1, s2;
60571c6e
PW		 856 CHECK(a->infinity == b->infinity);
857 if (a->infinity)
858 return;
859 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
60571c6e 860 secp256k1_fe_sqr(&z2s, &b->z);
60571c6e
PW		 861 secp256k1_fe_mul(&u1, &a->x, &z2s);
862 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
863 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
864 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
865 CHECK(secp256k1_fe_equal_var(&u1, &u2));
866 CHECK(secp256k1_fe_equal_var(&s1, &s2));
9338dbf7
PW		 867}
868
2cad067a 869void test_ge(void) {
bf2e1ac7 870 int i, i1;
60571c6e
PW		 871 int runs = 4;
872 /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
873 * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
874 * All magnitudes are randomized.
875 * All 17*17 combinations of points are added to eachother, using all applicable methods.
876 */
877 secp256k1_ge_t *ge = malloc(sizeof(secp256k1_ge_t) * (1 + 4 * runs));
878 secp256k1_gej_t *gej = malloc(sizeof(secp256k1_gej_t) * (1 + 4 * runs));
879 secp256k1_gej_set_infinity(&gej[0]);
880 secp256k1_ge_clear(&ge[0]);
881 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
bf2e1ac7
GM		 882 for (i = 0; i < runs; i++) {
883 int j;
60571c6e
PW		 884 secp256k1_ge_t g;
885 random_group_element_test(&g);
886 ge[1 + 4 * i] = g;
887 ge[2 + 4 * i] = g;
888 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
889 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
890 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
891 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
892 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
893 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
bf2e1ac7 894 for (j = 0; j < 4; j++) {
60571c6e
PW		 895 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
896 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
897 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
898 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
899 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
900 }
901 }
902
bf2e1ac7
GM		 903 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
904 int i2;
905 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
60571c6e
PW		 906 /* Compute reference result using gej + gej (var). */
907 secp256k1_gej_t refj, resj;
908 secp256k1_ge_t ref;
909 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2]);
910 secp256k1_ge_set_gej_var(&ref, &refj);
911
912 /* Test gej + ge (var). */
913 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2]);
914 ge_equals_gej(&ref, &resj);
915
916 /* Test gej + ge (const). */
917 if (i2 != 0) {
918 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
919 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
920 ge_equals_gej(&ref, &resj);
921 }
922
923 /* Test doubling (var). */
924 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
925 /* Normal doubling. */
926 secp256k1_gej_double_var(&resj, &gej[i1]);
927 ge_equals_gej(&ref, &resj);
928 secp256k1_gej_double_var(&resj, &gej[i2]);
929 ge_equals_gej(&ref, &resj);
930 }
931
932 /* Test adding opposites. */
933 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
934 CHECK(secp256k1_ge_is_infinity(&ref));
935 }
936
937 /* Test adding infinity. */
938 if (i1 == 0) {
939 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
940 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
941 ge_equals_gej(&ref, &gej[i2]);
942 }
943 if (i2 == 0) {
944 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
945 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
946 ge_equals_gej(&ref, &gej[i1]);
947 }
948 }
949 }
950
9ab93355
PW		 951 /* Test adding all points together in random order equals infinity. */
952 {
443cd4b8 953 secp256k1_gej_t sum = SECP256K1_GEJ_CONST_INFINITY;
9ab93355 954 secp256k1_gej_t *gej_shuffled = malloc((4 * runs + 1) * sizeof(secp256k1_gej_t));
bf2e1ac7 955 for (i = 0; i < 4 * runs + 1; i++) {
9ab93355
PW		 956 gej_shuffled[i] = gej[i];
957 }
bf2e1ac7 958 for (i = 0; i < 4 * runs + 1; i++) {
9ab93355
PW		 959 int swap = i + secp256k1_rand32() % (4 * runs + 1 - i);
960 if (swap != i) {
961 secp256k1_gej_t t = gej_shuffled[i];
962 gej_shuffled[i] = gej_shuffled[swap];
963 gej_shuffled[swap] = t;
964 }
965 }
bf2e1ac7 966 for (i = 0; i < 4 * runs + 1; i++) {
9ab93355
PW		 967 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i]);
968 }
969 CHECK(secp256k1_gej_is_infinity(&sum));
970 free(gej_shuffled);
971 }
972
60571c6e
PW		 973 /* Test batch gej -> ge conversion. */
974 {
975 secp256k1_ge_t *ge_set_all = malloc((4 * runs + 1) * sizeof(secp256k1_ge_t));
976 secp256k1_ge_set_all_gej_var(4 * runs + 1, ge_set_all, gej);
bf2e1ac7 977 for (i = 0; i < 4 * runs + 1; i++) {
60571c6e
PW		 978 ge_equals_gej(&ge_set_all[i], &gej[i]);
979 }
980 free(ge_set_all);
981 }
982
983 free(ge);
984 free(gej);
9338dbf7
PW		 985}
986
2cad067a 987void run_ge(void) {
bf2e1ac7
GM		 988 int i;
989 for (i = 0; i < count * 32; i++) {
9338dbf7
PW		 990 test_ge();
991 }
992}
993
09ca4f32
PD		 994/***** ECMULT TESTS *****/
995
2cad067a 996void run_ecmult_chain(void) {
443cd4b8
PW		 997 /* random starting point A (on the curve) */
998 secp256k1_gej_t a = SECP256K1_GEJ_CONST(
999 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
1000 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
1001 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
1002 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
1003 );
71712b27 1004 /* two random initial factors xn and gn */
443cd4b8
PW		 1005 secp256k1_scalar_t xn = SECP256K1_SCALAR_CONST(
1006 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
1007 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
1008 );
1009 secp256k1_scalar_t gn = SECP256K1_SCALAR_CONST(
1010 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
1011 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
1012 );
71712b27 1013 /* two small multipliers to be applied to xn and gn in every iteration: */
443cd4b8
PW		 1014 static const secp256k1_scalar_t xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
1015 static const secp256k1_scalar_t gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
71712b27 1016 /* accumulators with the resulting coefficients to A and G */
443cd4b8
PW		 1017 secp256k1_scalar_t ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
1018 secp256k1_scalar_t ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
1019 /* actual points */
1020 secp256k1_gej_t x = a;
1021 secp256k1_gej_t x2;
1022 int i;
1023
71712b27 1024 /* the point being computed */
bf2e1ac7
GM		 1025 x = a;
1026 for (i = 0; i < 200*count; i++) {
71712b27 1027 /* in each iteration, compute X = xn*X + gn*G; */
b1483f87 1028 secp256k1_ecmult(&x, &x, &xn, &gn);
71712b27
GM		 1029 /* also compute ae and ge: the actual accumulated factors for A and G */
1030 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
f24041d6
PW		 1031 secp256k1_scalar_mul(&ae, &ae, &xn);
1032 secp256k1_scalar_mul(&ge, &ge, &xn);
1033 secp256k1_scalar_add(&ge, &ge, &gn);
71712b27 1034 /* modify xn and gn */
f24041d6
PW		 1035 secp256k1_scalar_mul(&xn, &xn, &xf);
1036 secp256k1_scalar_mul(&gn, &gn, &gf);
404c30a8 1037
71712b27 1038 /* verify */
404c30a8 1039 if (i == 19999) {
443cd4b8
PW		 1040 /* expected result after 19999 iterations */
1041 secp256k1_gej_t rp = SECP256K1_GEJ_CONST(
1042 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
1043 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
1044 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
1045 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
1046 );
1047
1048 secp256k1_gej_neg(&rp, &rp);
1049 secp256k1_gej_add_var(&rp, &rp, &x);
1050 CHECK(secp256k1_gej_is_infinity(&rp));
404c30a8 1051 }
4adf6b2a 1052 }
71712b27 1053 /* redo the computation, but directly with the resulting ae and ge coefficients: */
bf2e1ac7 1054 secp256k1_ecmult(&x2, &a, &ae, &ge);
443cd4b8
PW		 1055 secp256k1_gej_neg(&x2, &x2);
1056 secp256k1_gej_add_var(&x2, &x2, &x);
1057 CHECK(secp256k1_gej_is_infinity(&x2));
a41f32e6
PW		 1058}
1059
eb0be8ee 1060void test_point_times_order(const secp256k1_gej_t *point) {
b5c9ee75 1061 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
f24041d6 1062 secp256k1_scalar_t x;
f24041d6 1063 secp256k1_scalar_t nx;
b5c9ee75 1064 secp256k1_gej_t res1, res2;
bf2e1ac7
GM		 1065 secp256k1_ge_t res3;
1066 unsigned char pub[65];
1067 int psize = 65;
1068 random_scalar_order_test(&x);
1069 secp256k1_scalar_negate(&nx, &x);
b5c9ee75
PW		 1070 secp256k1_ecmult(&res1, point, &x, &x); /* calc res1 = x * point + x * G; */
1071 secp256k1_ecmult(&res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
1072 secp256k1_gej_add_var(&res1, &res1, &res2);
1073 CHECK(secp256k1_gej_is_infinity(&res1));
39bd94d8 1074 CHECK(secp256k1_gej_is_valid_var(&res1) == 0);
ee3eb4be
GM		 1075 secp256k1_ge_set_gej(&res3, &res1);
1076 CHECK(secp256k1_ge_is_infinity(&res3));
39bd94d8 1077 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
8d11164b
GM		 1078 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
1079 psize = 65;
1080 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
4e0ed539
PW		 1081}
1082
2cad067a 1083void run_point_times_order(void) {
bf2e1ac7 1084 int i;
443cd4b8
PW		 1085 secp256k1_fe_t x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
1086 static const secp256k1_fe_t xr = SECP256K1_FE_CONST(
1087 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
1088 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
1089 );
bf2e1ac7 1090 for (i = 0; i < 500; i++) {
09ca4f32 1091 secp256k1_ge_t p;
39bd94d8 1092 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
09ca4f32 1093 secp256k1_gej_t j;
bf2e1ac7 1094 CHECK(secp256k1_ge_is_valid_var(&p));
09ca4f32 1095 secp256k1_gej_set_ge(&j, &p);
39bd94d8 1096 CHECK(secp256k1_gej_is_valid_var(&j));
09ca4f32
PD		 1097 test_point_times_order(&j);
1098 }
910d0de4 1099 secp256k1_fe_sqr(&x, &x);
4e0ed539 1100 }
443cd4b8
PW		 1101 secp256k1_fe_normalize_var(&x);
1102 CHECK(secp256k1_fe_equal_var(&x, &xr));
4e0ed539
PW		 1103}
1104
f24041d6
PW		 1105void test_wnaf(const secp256k1_scalar_t *number, int w) {
1106 secp256k1_scalar_t x, two, t;
bf2e1ac7
GM		 1107 int wnaf[256];
1108 int zeroes = -1;
1109 int i;
1110 int bits;
f24041d6
PW		 1111 secp256k1_scalar_set_int(&x, 0);
1112 secp256k1_scalar_set_int(&two, 2);
bf2e1ac7 1113 bits = secp256k1_ecmult_wnaf(wnaf, number, w);
0b730597 1114 CHECK(bits <= 256);
bf2e1ac7 1115 for (i = bits-1; i >= 0; i--) {
b1483f87 1116 int v = wnaf[i];
bf2e1ac7 1117 secp256k1_scalar_mul(&x, &x, &two);
4e0ed539 1118 if (v) {
71712b27 1119 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
4e0ed539 1120 zeroes=0;
71712b27
GM		 1121 CHECK((v & 1) == 1); /* check non-zero elements are odd */
1122 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
1123 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
4e0ed539 1124 } else {
71712b27 1125 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
4e0ed539
PW		 1126 zeroes++;
1127 }
f24041d6
PW		 1128 if (v >= 0) {
1129 secp256k1_scalar_set_int(&t, v);
1130 } else {
1131 secp256k1_scalar_set_int(&t, -v);
1132 secp256k1_scalar_negate(&t, &t);
1133 }
1134 secp256k1_scalar_add(&x, &x, &t);
4e0ed539 1135 }
f24041d6 1136 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
4e0ed539
PW		 1137}
1138
2cad067a 1139void run_wnaf(void) {
bf2e1ac7 1140 int i;
f24041d6 1141 secp256k1_scalar_t n;
bf2e1ac7 1142 for (i = 0; i < count; i++) {
f24041d6 1143 random_scalar_order(&n);
d06e61cb 1144 if (i % 1)
f24041d6 1145 secp256k1_scalar_negate(&n, &n);
eb0be8ee 1146 test_wnaf(&n, 4+(i%10));
4e0ed539
PW		 1147 }
1148}
a41f32e6 1149
a9f5c8b8
PW		 1150void random_sign(secp256k1_ecdsa_sig_t *sig, const secp256k1_scalar_t *key, const secp256k1_scalar_t *msg, int *recid) {
1151 secp256k1_scalar_t nonce;
dd08f037 1152 do {
a9f5c8b8 1153 random_scalar_order_test(&nonce);
dd08f037 1154 } while(!secp256k1_ecdsa_sig_sign(sig, key, msg, &nonce, recid));
dd08f037
PW		 1155}
1156
2cad067a 1157void test_ecdsa_sign_verify(void) {
bf2e1ac7
GM		 1158 secp256k1_gej_t pubj;
1159 secp256k1_ge_t pub;
1160 secp256k1_scalar_t one;
1161 secp256k1_scalar_t msg, key;
1162 secp256k1_ecdsa_sig_t sig;
ee3eb4be
GM		 1163 int recid;
1164 int getrec;
a9f5c8b8 1165 random_scalar_order_test(&msg);
a9f5c8b8 1166 random_scalar_order_test(&key);
bf2e1ac7
GM		 1167 secp256k1_ecmult_gen(&pubj, &key);
1168 secp256k1_ge_set_gej(&pub, &pubj);
ee3eb4be
GM		 1169 getrec = secp256k1_rand32()&1;
1170 random_sign(&sig, &key, &msg, getrec?&recid:NULL);
1171 if (getrec) CHECK(recid >= 0 && recid < 4);
f24041d6 1172 CHECK(secp256k1_ecdsa_sig_verify(&sig, &pub, &msg));
f24041d6
PW		 1173 secp256k1_scalar_set_int(&one, 1);
1174 secp256k1_scalar_add(&msg, &msg, &one);
1175 CHECK(!secp256k1_ecdsa_sig_verify(&sig, &pub, &msg));
0a07e62f
PW		 1176}
1177
2cad067a 1178void run_ecdsa_sign_verify(void) {
bf2e1ac7
GM		 1179 int i;
1180 for (i = 0; i < 10*count; i++) {
0a07e62f
PW		 1181 test_ecdsa_sign_verify();
1182 }
1183}
1184
c6e7f4e8
PW		 1185/** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
1186static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, unsigned int counter, const void *data) {
1187 (void)msg32;
1188 (void)key32;
1189 memcpy(nonce32, data, 32);
1190 return (counter == 0);
1191}
1192
941e221f
GM		 1193static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, unsigned int counter, const void *data) {
1194 /* Dummy nonce generator that has a fatal error on the first counter value. */
1195 if (counter == 0) return 0;
1196 return nonce_function_rfc6979(nonce32, msg32, key32, counter - 1, data);
1197}
1198
1199static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, unsigned int counter, const void *data) {
1200 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
1201 if (counter < 3) {
1202 memset(nonce32, counter==0 ? 0 : 255, 32);
1203 if (counter == 2) nonce32[31]--;
1204 return 1;
1205 }
1206 if (counter < 5) {
1207 static const unsigned char order[] = {
1208 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
1209 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
1210 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
1211 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
1212 };
1213 memcpy(nonce32, order, 32);
1214 if (counter == 4) nonce32[31]++;
1215 return 1;
1216 }
1217 /* Retry rate of 6979 is negligible esp. as we only call this in determinstic tests. */
1218 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
1219 if (counter > 5) return 0;
1220 return nonce_function_rfc6979(nonce32, msg32, key32, counter - 5, data);
1221}
1222
8030d7c0
PW		 1223int is_empty_compact_signature(const unsigned char *sig64) {
1224 static const unsigned char res[64] = {0};
1225 return memcmp(sig64, res, 64) == 0;
1226}
1227
2cad067a 1228void test_ecdsa_end_to_end(void) {
25f4aec0
PW		 1229 unsigned char privkey[32];
1230 unsigned char message[32];
bf2e1ac7
GM		 1231 unsigned char privkey2[32];
1232 unsigned char csignature[64];
1233 unsigned char signature[72];
1234 unsigned char pubkey[65];
1235 unsigned char recpubkey[65];
1236 unsigned char seckey[300];
1237 int signaturelen = 72;
1238 int recid = 0;
1239 int recpubkeylen = 0;
1240 int pubkeylen = 65;
1241 int seckeylen = 300;
25f4aec0 1242
71712b27 1243 /* Generate a random key and message. */
25f4aec0 1244 {
659b554d
PW		 1245 secp256k1_scalar_t msg, key;
1246 random_scalar_order_test(&msg);
1247 random_scalar_order_test(&key);
1248 secp256k1_scalar_get_b32(privkey, &key);
1249 secp256k1_scalar_get_b32(message, &msg);
25f4aec0
PW		 1250 }
1251
71712b27 1252 /* Construct and verify corresponding public key. */
ae6bc76e 1253 CHECK(secp256k1_ec_seckey_verify(privkey) == 1);
8d11164b
GM		 1254 CHECK(secp256k1_ec_pubkey_create(pubkey, &pubkeylen, privkey, (secp256k1_rand32() & 3) != 0) == 1);
1255 if (secp256k1_rand32() & 1) {
1256 CHECK(secp256k1_ec_pubkey_decompress(pubkey, &pubkeylen));
1257 }
ae6bc76e 1258 CHECK(secp256k1_ec_pubkey_verify(pubkey, pubkeylen));
25f4aec0 1259
71712b27 1260 /* Verify private key import and export. */
ae6bc76e 1261 CHECK(secp256k1_ec_privkey_export(privkey, seckey, &seckeylen, secp256k1_rand32() % 2) == 1);
ae6bc76e 1262 CHECK(secp256k1_ec_privkey_import(privkey2, seckey, seckeylen) == 1);
25f4aec0
PW		 1263 CHECK(memcmp(privkey, privkey2, 32) == 0);
1264
71712b27 1265 /* Optionally tweak the keys using addition. */
25f4aec0 1266 if (secp256k1_rand32() % 3 == 0) {
bf2e1ac7
GM		 1267 int ret1;
1268 int ret2;
25f4aec0 1269 unsigned char rnd[32];
bf2e1ac7
GM		 1270 unsigned char pubkey2[65];
1271 int pubkeylen2 = 65;
25f4aec0 1272 secp256k1_rand256_test(rnd);
bf2e1ac7
GM		 1273 ret1 = secp256k1_ec_privkey_tweak_add(privkey, rnd);
1274 ret2 = secp256k1_ec_pubkey_tweak_add(pubkey, pubkeylen, rnd);
25f4aec0
PW		 1275 CHECK(ret1 == ret2);
1276 if (ret1 == 0) return;
ae6bc76e 1277 CHECK(secp256k1_ec_pubkey_create(pubkey2, &pubkeylen2, privkey, pubkeylen == 33) == 1);
25f4aec0
PW		 1278 CHECK(memcmp(pubkey, pubkey2, pubkeylen) == 0);
1279 }
1280
71712b27 1281 /* Optionally tweak the keys using multiplication. */
25f4aec0 1282 if (secp256k1_rand32() % 3 == 0) {
bf2e1ac7
GM		 1283 int ret1;
1284 int ret2;
25f4aec0 1285 unsigned char rnd[32];
bf2e1ac7
GM		 1286 unsigned char pubkey2[65];
1287 int pubkeylen2 = 65;
25f4aec0 1288 secp256k1_rand256_test(rnd);
bf2e1ac7
GM		 1289 ret1 = secp256k1_ec_privkey_tweak_mul(privkey, rnd);
1290 ret2 = secp256k1_ec_pubkey_tweak_mul(pubkey, pubkeylen, rnd);
25f4aec0
PW		 1291 CHECK(ret1 == ret2);
1292 if (ret1 == 0) return;
ae6bc76e 1293 CHECK(secp256k1_ec_pubkey_create(pubkey2, &pubkeylen2, privkey, pubkeylen == 33) == 1);
25f4aec0
PW		 1294 CHECK(memcmp(pubkey, pubkey2, pubkeylen) == 0);
1295 }
1296
71712b27 1297 /* Sign. */
bbd5ba7c 1298 CHECK(secp256k1_ecdsa_sign(message, signature, &signaturelen, privkey, NULL, NULL) == 1);
8030d7c0 1299 CHECK(signaturelen > 0);
71712b27 1300 /* Verify. */
cf7b2b46 1301 CHECK(secp256k1_ecdsa_verify(message, signature, signaturelen, pubkey, pubkeylen) == 1);
71712b27 1302 /* Destroy signature and verify again. */
25f4aec0 1303 signature[signaturelen - 1 - secp256k1_rand32() % 20] += 1 + (secp256k1_rand32() % 255);
cf7b2b46 1304 CHECK(secp256k1_ecdsa_verify(message, signature, signaturelen, pubkey, pubkeylen) != 1);
25f4aec0 1305
71712b27 1306 /* Compact sign. */
bbd5ba7c 1307 CHECK(secp256k1_ecdsa_sign_compact(message, csignature, privkey, NULL, NULL, &recid) == 1);
8030d7c0 1308 CHECK(!is_empty_compact_signature(csignature));
71712b27 1309 /* Recover. */
cf7b2b46 1310 CHECK(secp256k1_ecdsa_recover_compact(message, csignature, recpubkey, &recpubkeylen, pubkeylen == 33, recid) == 1);
25f4aec0
PW		 1311 CHECK(recpubkeylen == pubkeylen);
1312 CHECK(memcmp(pubkey, recpubkey, pubkeylen) == 0);
71712b27 1313 /* Destroy signature and verify again. */
25f4aec0 1314 csignature[secp256k1_rand32() % 64] += 1 + (secp256k1_rand32() % 255);
cf7b2b46 1315 CHECK(secp256k1_ecdsa_recover_compact(message, csignature, recpubkey, &recpubkeylen, pubkeylen == 33, recid) != 1 ||
25f4aec0
PW		 1316 memcmp(pubkey, recpubkey, pubkeylen) != 0);
1317 CHECK(recpubkeylen == pubkeylen);
3fd6253e 1318
25f4aec0
PW		 1319}
1320
7c6fed28 1321void test_random_pubkeys(void) {
bf2e1ac7
GM		 1322 secp256k1_ge_t elem;
1323 secp256k1_ge_t elem2;
7c6fed28
GM		 1324 unsigned char in[65];
1325 /* Generate some randomly sized pubkeys. */
1326 uint32_t r = secp256k1_rand32();
1327 int len = (r & 3) == 0 ? 65 : 33;
1328 r>>=2;
1329 if ((r & 3) == 0) len = (r & 252) >> 3;
1330 r>>=8;
1331 if (len == 65) {
1332 in[0] = (r & 2) ? 4 : (r & 1? 6 : 7);
1333 } else {
1334 in[0] = (r & 1) ? 2 : 3;
1335 }
1336 r>>=2;
1337 if ((r & 7) == 0) in[0] = (r & 2040) >> 3;
1338 r>>=11;
1339 if (len > 1) secp256k1_rand256(&in[1]);
1340 if (len > 33) secp256k1_rand256(&in[33]);
7c6fed28
GM		 1341 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
1342 unsigned char out[65];
1343 unsigned char firstb;
1344 int res;
1345 int size = len;
1346 firstb = in[0];
1347 /* If the pubkey can be parsed, it should round-trip... */
1348 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
1349 CHECK(size == len);
1350 CHECK(memcmp(&in[1], &out[1], len-1) == 0);
1351 /* ... except for the type of hybrid inputs. */
1352 if ((in[0] != 6) && (in[0] != 7)) CHECK(in[0] == out[0]);
1353 size = 65;
1354 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
1355 CHECK(size == 65);
1356 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
60571c6e 1357 ge_equals_ge(&elem,&elem2);
7c6fed28
GM		 1358 /* Check that the X9.62 hybrid type is checked. */
1359 in[0] = (r & 1) ? 6 : 7;
1360 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
1361 if (firstb == 2 || firstb == 3) {
1362 if (in[0] == firstb + 4) CHECK(res);
1363 else CHECK(!res);
1364 }
1365 if (res) {
60571c6e 1366 ge_equals_ge(&elem,&elem2);
7c6fed28
GM		 1367 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
1368 CHECK(memcmp(&in[1], &out[1], 64) == 0);
1369 }
1370 }
1371}
1372
1373void run_random_pubkeys(void) {
bf2e1ac7
GM		 1374 int i;
1375 for (i = 0; i < 10*count; i++) {
7c6fed28
GM		 1376 test_random_pubkeys();
1377 }
1378}
1379
2cad067a 1380void run_ecdsa_end_to_end(void) {
bf2e1ac7
GM		 1381 int i;
1382 for (i = 0; i < 64*count; i++) {
25f4aec0
PW		 1383 test_ecdsa_end_to_end();
1384 }
1385}
1386
6e052878
PW		 1387/* Tests several edge cases. */
1388void test_ecdsa_edge_cases(void) {
3bf029d6
PW		 1389 const unsigned char msg32[32] = {
1390 'T', 'h', 'i', 's', ' ', 'i', 's', ' ',
1391 'a', ' ', 'v', 'e', 'r', 'y', ' ', 's',
1392 'e', 'c', 'r', 'e', 't', ' ', 'm', 'e',
1393 's', 's', 'a', 'g', 'e', '.', '.', '.'
1394 };
1395 const unsigned char sig64[64] = {
6e052878
PW		 1396 /* Generated by signing the above message with nonce 'This is the nonce we will use...'
1397 * and secret key 0 (which is not valid), resulting in recid 0. */
3bf029d6
PW		 1398 0x67, 0xCB, 0x28, 0x5F, 0x9C, 0xD1, 0x94, 0xE8,
1399 0x40, 0xD6, 0x29, 0x39, 0x7A, 0xF5, 0x56, 0x96,
1400 0x62, 0xFD, 0xE4, 0x46, 0x49, 0x99, 0x59, 0x63,
1401 0x17, 0x9A, 0x7D, 0xD1, 0x7B, 0xD2, 0x35, 0x32,
1402 0x4B, 0x1B, 0x7D, 0xF3, 0x4C, 0xE1, 0xF6, 0x8E,
1403 0x69, 0x4F, 0xF6, 0xF1, 0x1A, 0xC7, 0x51, 0xDD,
1404 0x7D, 0xD7, 0x3E, 0x38, 0x7E, 0xE4, 0xFC, 0x86,
1405 0x6E, 0x1B, 0xE8, 0xEC, 0xC7, 0xDD, 0x95, 0x57
1406 };
1407 unsigned char pubkey[65];
1408 int pubkeylen = 65;
6e052878
PW		 1409 /* signature (r,s) = (4,4), which can be recovered with all 4 recids. */
1410 const unsigned char sigb64[64] = {
1411 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1412 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1413 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1414 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
1415 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1416 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1417 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1418 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
1419 };
1420 unsigned char pubkeyb[33];
1421 int pubkeyblen = 33;
bf2e1ac7
GM		 1422 int recid;
1423
1424 CHECK(!secp256k1_ecdsa_recover_compact(msg32, sig64, pubkey, &pubkeylen, 0, 0));
1425 CHECK(secp256k1_ecdsa_recover_compact(msg32, sig64, pubkey, &pubkeylen, 0, 1));
1426 CHECK(!secp256k1_ecdsa_recover_compact(msg32, sig64, pubkey, &pubkeylen, 0, 2));
1427 CHECK(!secp256k1_ecdsa_recover_compact(msg32, sig64, pubkey, &pubkeylen, 0, 3));
1428
1429 for (recid = 0; recid < 4; recid++) {
1430 int i;
1431 int recid2;
ee3eb4be 1432 /* (4,4) encoded in DER. */
6e052878 1433 unsigned char sigbder[8] = {0x30, 0x06, 0x02, 0x01, 0x04, 0x02, 0x01, 0x04};
8d11164b
GM		 1434 unsigned char sigcder_zr[7] = {0x30, 0x05, 0x02, 0x00, 0x02, 0x01, 0x01};
1435 unsigned char sigcder_zs[7] = {0x30, 0x05, 0x02, 0x01, 0x01, 0x02, 0x00};
1436 unsigned char sigbderalt1[39] = {
1437 0x30, 0x25, 0x02, 0x20, 0x00, 0x00, 0x00, 0x00,
1438 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1439 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1440 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1441 0x00, 0x00, 0x00, 0x04, 0x02, 0x01, 0x04,
1442 };
1443 unsigned char sigbderalt2[39] = {
1444 0x30, 0x25, 0x02, 0x01, 0x04, 0x02, 0x20, 0x00,
1445 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1446 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1447 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1448 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
1449 };
1450 unsigned char sigbderalt3[40] = {
1451 0x30, 0x26, 0x02, 0x21, 0x00, 0x00, 0x00, 0x00,
1452 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1453 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1454 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1455 0x00, 0x00, 0x00, 0x00, 0x04, 0x02, 0x01, 0x04,
1456 };
1457 unsigned char sigbderalt4[40] = {
1458 0x30, 0x26, 0x02, 0x01, 0x04, 0x02, 0x21, 0x00,
1459 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1460 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1461 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1462 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
1463 };
ee3eb4be 1464 /* (order + r,4) encoded in DER. */
32600e50
PW		 1465 unsigned char sigbderlong[40] = {
1466 0x30, 0x26, 0x02, 0x21, 0x00, 0xFF, 0xFF, 0xFF,
1467 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
1468 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC,
1469 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E,
1470 0x8C, 0xD0, 0x36, 0x41, 0x45, 0x02, 0x01, 0x04
1471 };
cf7b2b46
PW		 1472 CHECK(secp256k1_ecdsa_recover_compact(msg32, sigb64, pubkeyb, &pubkeyblen, 1, recid));
1473 CHECK(secp256k1_ecdsa_verify(msg32, sigbder, sizeof(sigbder), pubkeyb, pubkeyblen) == 1);
bf2e1ac7 1474 for (recid2 = 0; recid2 < 4; recid2++) {
32600e50
PW		 1475 unsigned char pubkey2b[33];
1476 int pubkey2blen = 33;
cf7b2b46 1477 CHECK(secp256k1_ecdsa_recover_compact(msg32, sigb64, pubkey2b, &pubkey2blen, 1, recid2));
ee3eb4be 1478 /* Verifying with (order + r,4) should always fail. */
cf7b2b46 1479 CHECK(secp256k1_ecdsa_verify(msg32, sigbderlong, sizeof(sigbderlong), pubkey2b, pubkey2blen) != 1);
32600e50 1480 }
8d11164b
GM		 1481 /* DER parsing tests. */
1482 /* Zero length r/s. */
cf7b2b46
PW		 1483 CHECK(secp256k1_ecdsa_verify(msg32, sigcder_zr, sizeof(sigcder_zr), pubkeyb, pubkeyblen) == -2);
1484 CHECK(secp256k1_ecdsa_verify(msg32, sigcder_zs, sizeof(sigcder_zs), pubkeyb, pubkeyblen) == -2);
8d11164b 1485 /* Leading zeros. */
cf7b2b46
PW		 1486 CHECK(secp256k1_ecdsa_verify(msg32, sigbderalt1, sizeof(sigbderalt1), pubkeyb, pubkeyblen) == 1);
1487 CHECK(secp256k1_ecdsa_verify(msg32, sigbderalt2, sizeof(sigbderalt2), pubkeyb, pubkeyblen) == 1);
1488 CHECK(secp256k1_ecdsa_verify(msg32, sigbderalt3, sizeof(sigbderalt3), pubkeyb, pubkeyblen) == 1);
1489 CHECK(secp256k1_ecdsa_verify(msg32, sigbderalt4, sizeof(sigbderalt4), pubkeyb, pubkeyblen) == 1);
8d11164b 1490 sigbderalt3[4] = 1;
cf7b2b46 1491 CHECK(secp256k1_ecdsa_verify(msg32, sigbderalt3, sizeof(sigbderalt3), pubkeyb, pubkeyblen) == -2);
8d11164b 1492 sigbderalt4[7] = 1;
cf7b2b46 1493 CHECK(secp256k1_ecdsa_verify(msg32, sigbderalt4, sizeof(sigbderalt4), pubkeyb, pubkeyblen) == -2);
6e052878
PW		 1494 /* Damage signature. */
1495 sigbder[7]++;
cf7b2b46 1496 CHECK(secp256k1_ecdsa_verify(msg32, sigbder, sizeof(sigbder), pubkeyb, pubkeyblen) == 0);
8d11164b 1497 sigbder[7]--;
cf7b2b46
PW		 1498 CHECK(secp256k1_ecdsa_verify(msg32, sigbder, 6, pubkeyb, pubkeyblen) == -2);
1499 CHECK(secp256k1_ecdsa_verify(msg32, sigbder, sizeof(sigbder)-1, pubkeyb, pubkeyblen) == -2);
bf2e1ac7
GM		 1500 for(i = 0; i < 8; i++) {
1501 int c;
8d11164b
GM		 1502 unsigned char orig = sigbder[i];
1503 /*Try every single-byte change.*/
bf2e1ac7 1504 for (c = 0; c < 256; c++) {
8d11164b
GM		 1505 if (c == orig ) continue;
1506 sigbder[i] = c;
cf7b2b46 1507 CHECK(secp256k1_ecdsa_verify(msg32, sigbder, sizeof(sigbder), pubkeyb, pubkeyblen) ==
8d11164b
GM		 1508 (i==4 || i==7) ? 0 : -2 );
1509 }
1510 sigbder[i] = orig;
1511 }
6e052878 1512 }
24b3c65e
PW		 1513
1514 /* Test the case where ECDSA recomputes a point that is infinity. */
1515 {
bf2e1ac7
GM		 1516 secp256k1_gej_t keyj;
1517 secp256k1_ge_t key;
1518 secp256k1_scalar_t msg;
24b3c65e
PW		 1519 secp256k1_ecdsa_sig_t sig;
1520 secp256k1_scalar_set_int(&sig.s, 1);
1521 secp256k1_scalar_negate(&sig.s, &sig.s);
1522 secp256k1_scalar_inverse(&sig.s, &sig.s);
1523 secp256k1_scalar_set_int(&sig.r, 1);
24b3c65e 1524 secp256k1_ecmult_gen(&keyj, &sig.r);
24b3c65e 1525 secp256k1_ge_set_gej(&key, &keyj);
bf2e1ac7 1526 msg = sig.s;
24b3c65e
PW		 1527 CHECK(secp256k1_ecdsa_sig_verify(&sig, &key, &msg) == 0);
1528 }
ee3eb4be
GM		 1529
1530 /* Test r/s equal to zero */
1531 {
1532 /* (1,1) encoded in DER. */
1533 unsigned char sigcder[8] = {0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01};
1534 unsigned char sigc64[64] = {
1535 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1536 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1537 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1538 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1539 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1540 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1541 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1542 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1543 };
1544 unsigned char pubkeyc[65];
1545 int pubkeyclen = 65;
cf7b2b46
PW		 1546 CHECK(secp256k1_ecdsa_recover_compact(msg32, sigc64, pubkeyc, &pubkeyclen, 0, 0) == 1);
1547 CHECK(secp256k1_ecdsa_verify(msg32, sigcder, sizeof(sigcder), pubkeyc, pubkeyclen) == 1);
ee3eb4be
GM		 1548 sigcder[4] = 0;
1549 sigc64[31] = 0;
cf7b2b46
PW		 1550 CHECK(secp256k1_ecdsa_recover_compact(msg32, sigc64, pubkeyb, &pubkeyblen, 1, 0) == 0);
1551 CHECK(secp256k1_ecdsa_verify(msg32, sigcder, sizeof(sigcder), pubkeyc, pubkeyclen) == 0);
ee3eb4be
GM		 1552 sigcder[4] = 1;
1553 sigcder[7] = 0;
1554 sigc64[31] = 1;
1555 sigc64[63] = 0;
cf7b2b46
PW		 1556 CHECK(secp256k1_ecdsa_recover_compact(msg32, sigc64, pubkeyb, &pubkeyblen, 1, 0) == 0);
1557 CHECK(secp256k1_ecdsa_verify(msg32, sigcder, sizeof(sigcder), pubkeyc, pubkeyclen) == 0);
ee3eb4be 1558 }
8d11164b
GM		 1559
1560 /*Signature where s would be zero.*/
1561 {
1562 const unsigned char nonce[32] = {
1563 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1564 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1565 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1566 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1567 };
941e221f
GM		 1568 static const unsigned char nonce2[32] = {
1569 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
1570 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
1571 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
1572 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
1573 };
8d11164b
GM		 1574 const unsigned char key[32] = {
1575 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1576 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1577 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1578 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1579 };
1580 unsigned char msg[32] = {
1581 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
1582 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
1583 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
1584 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
1585 };
1586 unsigned char sig[72];
1587 int siglen = 72;
c6e7f4e8 1588 CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, precomputed_nonce_function, nonce) == 0);
8030d7c0 1589 CHECK(siglen == 0);
941e221f 1590 CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, precomputed_nonce_function, nonce2) == 0);
8030d7c0 1591 CHECK(siglen == 0);
8d11164b
GM		 1592 msg[31] = 0xaa;
1593 siglen = 72;
c6e7f4e8 1594 CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, precomputed_nonce_function, nonce) == 1);
8030d7c0 1595 CHECK(siglen > 0);
941e221f 1596 CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, precomputed_nonce_function, nonce2) == 1);
8030d7c0 1597 CHECK(siglen > 0);
603c33bc 1598 siglen = 10;
c6e7f4e8 1599 CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, precomputed_nonce_function, nonce) != 1);
8030d7c0 1600 CHECK(siglen == 0);
8d11164b 1601 }
7c6fed28 1602
941e221f
GM		 1603 /* Nonce function corner cases. */
1604 {
bf2e1ac7 1605 int i;
941e221f
GM		 1606 unsigned char key[32];
1607 unsigned char msg[32];
1608 unsigned char sig[72];
bf2e1ac7
GM		 1609 unsigned char sig2[72];
1610 secp256k1_ecdsa_sig_t s[512];
1611 int siglen = 72;
1612 int siglen2 = 72;
1613 int recid2;
941e221f 1614 memset(msg, 0, 32);
941e221f 1615 msg[31] = 1;
8030d7c0
PW		 1616 /* High key results in signature failure. */
1617 memset(key, 0xFF, 32);
1618 CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, NULL, NULL) == 0);
1619 CHECK(siglen == 0);
1620 /* Zero key results in signature failure. */
1621 memset(key, 0, 32);
1622 CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, NULL, NULL) == 0);
1623 CHECK(siglen == 0);
941e221f 1624 /* Nonce function failure results in signature failure. */
8030d7c0 1625 key[31] = 1;
941e221f 1626 CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, nonce_function_test_fail, NULL) == 0);
8030d7c0 1627 CHECK(siglen == 0);
941e221f 1628 CHECK(secp256k1_ecdsa_sign_compact(msg, sig, key, nonce_function_test_fail, NULL, &recid) == 0);
8030d7c0 1629 CHECK(is_empty_compact_signature(sig));
941e221f 1630 /* The retry loop successfully makes its way to the first good value. */
941e221f
GM		 1631 siglen = 72;
1632 CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, nonce_function_test_retry, NULL) == 1);
8030d7c0 1633 CHECK(siglen > 0);
941e221f 1634 CHECK(secp256k1_ecdsa_sign(msg, sig2, &siglen2, key, nonce_function_rfc6979, NULL) == 1);
8030d7c0 1635 CHECK(siglen > 0);
941e221f 1636 CHECK((siglen == siglen2) && (memcmp(sig, sig2, siglen) == 0));
941e221f 1637 CHECK(secp256k1_ecdsa_sign_compact(msg, sig, key, nonce_function_test_retry, NULL, &recid) == 1);
8030d7c0 1638 CHECK(!is_empty_compact_signature(sig));
941e221f 1639 CHECK(secp256k1_ecdsa_sign_compact(msg, sig2, key, nonce_function_rfc6979, NULL, &recid2) == 1);
8030d7c0 1640 CHECK(!is_empty_compact_signature(sig2));
941e221f
GM		 1641 CHECK((recid == recid2) && (memcmp(sig, sig2, 64) == 0));
1642 /* The default nonce function is determinstic. */
1643 siglen = 72;
1644 siglen2 = 72;
1645 CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, NULL, NULL) == 1);
8030d7c0 1646 CHECK(siglen > 0);
941e221f 1647 CHECK(secp256k1_ecdsa_sign(msg, sig2, &siglen2, key, NULL, NULL) == 1);
8030d7c0 1648 CHECK(siglen2 > 0);
941e221f
GM		 1649 CHECK((siglen == siglen2) && (memcmp(sig, sig2, siglen) == 0));
1650 CHECK(secp256k1_ecdsa_sign_compact(msg, sig, key, NULL, NULL, &recid) == 1);
8030d7c0 1651 CHECK(!is_empty_compact_signature(sig));
941e221f 1652 CHECK(secp256k1_ecdsa_sign_compact(msg, sig2, key, NULL, NULL, &recid2) == 1);
8030d7c0 1653 CHECK(!is_empty_compact_signature(sig));
941e221f
GM		 1654 CHECK((recid == recid2) && (memcmp(sig, sig2, 64) == 0));
1655 /* The default nonce function changes output with different messages. */
bf2e1ac7
GM		 1656 for(i = 0; i < 256; i++) {
1657 int j;
941e221f
GM		 1658 siglen2 = 72;
1659 msg[0] = i;
1660 CHECK(secp256k1_ecdsa_sign(msg, sig2, &siglen2, key, NULL, NULL) == 1);
8030d7c0 1661 CHECK(!is_empty_compact_signature(sig));
941e221f 1662 CHECK(secp256k1_ecdsa_sig_parse(&s[i], sig2, siglen2));
bf2e1ac7 1663 for (j = 0; j < i; j++) {
941e221f
GM		 1664 CHECK(!secp256k1_scalar_eq(&s[i].r, &s[j].r));
1665 }
1666 }
1667 msg[0] = 0;
1668 msg[31] = 2;
1669 /* The default nonce function changes output with different keys. */
bf2e1ac7
GM		 1670 for(i = 256; i < 512; i++) {
1671 int j;
941e221f
GM		 1672 siglen2 = 72;
1673 key[0] = i - 256;
1674 CHECK(secp256k1_ecdsa_sign(msg, sig2, &siglen2, key, NULL, NULL) == 1);
1675 CHECK(secp256k1_ecdsa_sig_parse(&s[i], sig2, siglen2));
bf2e1ac7 1676 for (j = 0; j < i; j++) {
941e221f
GM		 1677 CHECK(!secp256k1_scalar_eq(&s[i].r, &s[j].r));
1678 }
1679 }
1680 key[0] = 0;
1681 }
1682
7c6fed28
GM		 1683 /* Privkey export where pubkey is the point at infinity. */
1684 {
1685 unsigned char privkey[300];
1686 unsigned char seckey[32] = {
1687 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1688 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1689 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1690 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
1691 };
1692 int outlen = 300;
1693 CHECK(!secp256k1_ec_privkey_export(seckey, privkey, &outlen, 0));
1694 CHECK(!secp256k1_ec_privkey_export(seckey, privkey, &outlen, 1));
1695 }
3bf029d6
PW		 1696}
1697
6e052878
PW		 1698void run_ecdsa_edge_cases(void) {
1699 test_ecdsa_edge_cases();
3bf029d6 1700}
25f4aec0 1701
dd08f037 1702#ifdef ENABLE_OPENSSL_TESTS
a9f5c8b8 1703EC_KEY *get_openssl_key(const secp256k1_scalar_t *key) {
12e29b32
PW		 1704 unsigned char privkey[300];
1705 int privkeylen;
12e29b32 1706 const unsigned char* pbegin = privkey;
bf2e1ac7 1707 int compr = secp256k1_rand32() & 1;
dd08f037 1708 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
ffffc878 1709 CHECK(secp256k1_eckey_privkey_serialize(privkey, &privkeylen, key, compr));
0592d117
PW		 1710 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
1711 CHECK(EC_KEY_check_key(ec_key));
dd08f037
PW		 1712 return ec_key;
1713}
1714
2cad067a 1715void test_ecdsa_openssl(void) {
bf2e1ac7
GM		 1716 secp256k1_gej_t qj;
1717 secp256k1_ge_t q;
1718 secp256k1_ecdsa_sig_t sig;
1719 secp256k1_scalar_t one;
1720 secp256k1_scalar_t msg2;
a9f5c8b8 1721 secp256k1_scalar_t key, msg;
bf2e1ac7
GM		 1722 EC_KEY *ec_key;
1723 unsigned int sigsize = 80;
1724 int secp_sigsize = 80;
dd08f037 1725 unsigned char message[32];
bf2e1ac7 1726 unsigned char signature[80];
dd08f037 1727 secp256k1_rand256_test(message);
eca6cdb1 1728 secp256k1_scalar_set_b32(&msg, message, NULL);
a9f5c8b8 1729 random_scalar_order_test(&key);
dd08f037 1730 secp256k1_ecmult_gen(&qj, &key);
dd08f037 1731 secp256k1_ge_set_gej(&q, &qj);
bf2e1ac7 1732 ec_key = get_openssl_key(&key);
0592d117 1733 CHECK(ec_key);
0592d117 1734 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
0592d117 1735 CHECK(secp256k1_ecdsa_sig_parse(&sig, signature, sigsize));
f24041d6 1736 CHECK(secp256k1_ecdsa_sig_verify(&sig, &q, &msg));
f24041d6 1737 secp256k1_scalar_set_int(&one, 1);
f24041d6
PW		 1738 secp256k1_scalar_add(&msg2, &msg, &one);
1739 CHECK(!secp256k1_ecdsa_sig_verify(&sig, &q, &msg2));
dd08f037
PW		 1740
1741 random_sign(&sig, &key, &msg, NULL);
9974d869
GM		 1742 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sig));
1743 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
dd08f037 1744
dd08f037 1745 EC_KEY_free(ec_key);
dd08f037
PW		 1746}
1747
2cad067a 1748void run_ecdsa_openssl(void) {
bf2e1ac7
GM		 1749 int i;
1750 for (i = 0; i < 10*count; i++) {
dd08f037
PW		 1751 test_ecdsa_openssl();
1752 }
1753}
1754#endif
1755
404c30a8 1756int main(int argc, char **argv) {
89561118
PW		 1757 unsigned char seed16[16] = {0};
1758 unsigned char run32[32] = {0};
71712b27 1759 /* find iteration count */
3fd6253e
PW		 1760 if (argc > 1) {
1761 count = strtol(argv[1], NULL, 0);
1762 }
1763
71712b27 1764 /* find random seed */
3fd6253e 1765 if (argc > 2) {
89561118
PW		 1766 int pos = 0;
1767 const char* ch = argv[2];
1768 while (pos < 16 && ch[0] != 0 && ch[1] != 0) {
1769 unsigned short sh;
1770 if (sscanf(ch, "%2hx", &sh)) {
1771 seed16[pos] = sh;
1772 } else {
1773 break;
1774 }
1775 ch += 2;
1776 pos++;
1777 }
3fd6253e
PW		 1778 } else {
1779 FILE *frand = fopen("/dev/urandom", "r");
89561118
PW		 1780 if (!frand || !fread(&seed16, sizeof(seed16), 1, frand)) {
1781 uint64_t t = time(NULL) * (uint64_t)1337;
1782 seed16[0] ^= t;
1783 seed16[1] ^= t >> 8;
1784 seed16[2] ^= t >> 16;
1785 seed16[3] ^= t >> 24;
1786 seed16[4] ^= t >> 32;
1787 seed16[5] ^= t >> 40;
1788 seed16[6] ^= t >> 48;
1789 seed16[7] ^= t >> 56;
3fd6253e
PW		 1790 }
1791 fclose(frand);
1792 }
89561118 1793 secp256k1_rand_seed(seed16);
404c30a8 1794
dd08f037 1795 printf("test count = %i\n", count);
89561118 1796 printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]);
dd08f037 1797
71712b27 1798 /* initialize */
04e34d18 1799 secp256k1_start(SECP256K1_START_SIGN | SECP256K1_START_VERIFY);
4adf6b2a 1800
ee3eb4be
GM		 1801 /* initializing a second time shouldn't cause any harm or memory leaks. */
1802 secp256k1_start(SECP256K1_START_SIGN | SECP256K1_START_VERIFY);
1803
b37fbc28
PW		 1804 run_sha256_tests();
1805 run_hmac_sha256_tests();
1806 run_rfc6979_hmac_sha256_tests();
1807
597128d3 1808#ifndef USE_NUM_NONE
71712b27 1809 /* num tests */
3f44e1ad 1810 run_num_smalltests();
597128d3 1811#endif
404c30a8 1812
71712b27 1813 /* scalar tests */
79359302
PW		 1814 run_scalar_tests();
1815
71712b27 1816 /* field tests */
f16be77f
PD		 1817 run_field_inv();
1818 run_field_inv_var();
f16be77f 1819 run_field_inv_all_var();
8d11164b 1820 run_field_misc();
ff889f7d 1821 run_field_convert();
59447da3 1822 run_sqr();
09ca4f32
PD		 1823 run_sqrt();
1824
71712b27 1825 /* group tests */
9338dbf7
PW		 1826 run_ge();
1827
71712b27 1828 /* ecmult tests */
404c30a8
PW		 1829 run_wnaf();
1830 run_point_times_order();
1831 run_ecmult_chain();
1832
71712b27 1833 /* ecdsa tests */
7c6fed28 1834 run_random_pubkeys();
404c30a8 1835 run_ecdsa_sign_verify();
25f4aec0 1836 run_ecdsa_end_to_end();
6e052878 1837 run_ecdsa_edge_cases();
dd08f037
PW		 1838#ifdef ENABLE_OPENSSL_TESTS
1839 run_ecdsa_openssl();
1840#endif
910d0de4 1841
89561118
PW		 1842 secp256k1_rand256(run32);
1843 printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]);
bff11e91 1844
71712b27 1845 /* shutdown */
25f4aec0 1846 secp256k1_stop();
ee3eb4be
GM		 1847
1848 /* shutting down twice shouldn't cause any double frees. */
1849 secp256k1_stop();
a41f32e6
PW		 1850 return 0;
1851}
Empty description
This page took 0.343387 seconds and 4 git commands to generate.