]> Git Repo - secp256k1.git/blame - src/tests.c
projects / secp256k1.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge #713: Docstrings
[secp256k1.git] / src / tests.c
CommitLineData
71712b27 1/**********************************************************************
9c4fb23d 2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
71712b27
GM		 3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
0a433ea2 6
78cd96b1
CF		 7#if defined HAVE_CONFIG_H
8#include "libsecp256k1-config.h"
9#endif
10
5a9989c5 11#include <stdio.h>
0592d117 12#include <stdlib.h>
8e48aa60 13#include <string.h>
a41f32e6 14
e06a9244
PJ		 15#include <time.h>
16
25f4aec0 17#include "secp256k1.c"
67f7da40 18#include "include/secp256k1.h"
238305fd 19#include "include/secp256k1_preallocated.h"
f0709ac5 20#include "testrand_impl.h"
a41f32e6 21
dd08f037
PW		 22#ifdef ENABLE_OPENSSL_TESTS
23#include "openssl/bn.h"
24#include "openssl/ec.h"
25#include "openssl/ecdsa.h"
26#include "openssl/obj_mac.h"
31abd3ab
AB		 27# if OPENSSL_VERSION_NUMBER < 0x10100000L
28void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {*pr = sig->r; *ps = sig->s;}
29# endif
dd08f037
PW		 30#endif
31
eed87af1
AP		 32#include "contrib/lax_der_parsing.c"
33#include "contrib/lax_der_privatekey_parsing.c"
fea19e7b 34
67f7da40
GM		 35#if !defined(VG_CHECK)
36# if defined(VALGRIND)
37# include <valgrind/memcheck.h>
38# define VG_UNDEF(x,y) VALGRIND_MAKE_MEM_UNDEFINED((x),(y))
39# define VG_CHECK(x,y) VALGRIND_CHECK_MEM_IS_DEFINED((x),(y))
40# else
41# define VG_UNDEF(x,y)
42# define VG_CHECK(x,y)
43# endif
44#endif
45
79f599d3 46static int count = 64;
dd891e0e 47static secp256k1_context *ctx = NULL;
4adf6b2a 48
96be2046
GM		 49static void counting_illegal_callback_fn(const char* str, void* data) {
50 /* Dummy callback function that just counts. */
51 int32_t *p;
52 (void)str;
53 p = data;
54 (*p)++;
55}
56
57static void uncounting_illegal_callback_fn(const char* str, void* data) {
58 /* Dummy callback function that just counts (backwards). */
59 int32_t *p;
60 (void)str;
61 p = data;
62 (*p)--;
63}
64
dd891e0e 65void random_field_element_test(secp256k1_fe *fe) {
9338dbf7
PW		 66 do {
67 unsigned char b32[32];
68 secp256k1_rand256_test(b32);
659b554d
PW		 69 if (secp256k1_fe_set_b32(fe, b32)) {
70 break;
71 }
9338dbf7
PW		 72 } while(1);
73}
74
dd891e0e
PW		 75void random_field_element_magnitude(secp256k1_fe *fe) {
76 secp256k1_fe zero;
fa57f1bd 77 int n = secp256k1_rand_int(9);
9338dbf7 78 secp256k1_fe_normalize(fe);
60571c6e
PW		 79 if (n == 0) {
80 return;
9338dbf7 81 }
60571c6e
PW		 82 secp256k1_fe_clear(&zero);
83 secp256k1_fe_negate(&zero, &zero, 0);
84 secp256k1_fe_mul_int(&zero, n - 1);
85 secp256k1_fe_add(fe, &zero);
dcf39202
GM		 86#ifdef VERIFY
87 CHECK(fe->magnitude == n);
88#endif
9338dbf7
PW		 89}
90
dd891e0e
PW		 91void random_group_element_test(secp256k1_ge *ge) {
92 secp256k1_fe fe;
9338dbf7
PW		 93 do {
94 random_field_element_test(&fe);
fa57f1bd 95 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand_bits(1))) {
baa75da5 96 secp256k1_fe_normalize(&ge->y);
9338dbf7 97 break;
26320197 98 }
9338dbf7
PW		 99 } while(1);
100}
101
dd891e0e
PW		 102void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
103 secp256k1_fe z2, z3;
9338dbf7
PW		 104 do {
105 random_field_element_test(&gej->z);
106 if (!secp256k1_fe_is_zero(&gej->z)) {
107 break;
108 }
109 } while(1);
bf2e1ac7
GM		 110 secp256k1_fe_sqr(&z2, &gej->z);
111 secp256k1_fe_mul(&z3, &z2, &gej->z);
9338dbf7
PW		 112 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
113 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
114 gej->infinity = ge->infinity;
115}
116
dd891e0e 117void random_scalar_order_test(secp256k1_scalar *num) {
a9f5c8b8
PW		 118 do {
119 unsigned char b32[32];
a9f5c8b8 120 int overflow = 0;
bf2e1ac7 121 secp256k1_rand256_test(b32);
eca6cdb1 122 secp256k1_scalar_set_b32(num, b32, &overflow);
26320197 123 if (overflow || secp256k1_scalar_is_zero(num)) {
a9f5c8b8 124 continue;
26320197 125 }
a9f5c8b8
PW		 126 break;
127 } while(1);
128}
129
dd891e0e 130void random_scalar_order(secp256k1_scalar *num) {
f24041d6
PW		 131 do {
132 unsigned char b32[32];
f24041d6 133 int overflow = 0;
bf2e1ac7 134 secp256k1_rand256(b32);
f24041d6 135 secp256k1_scalar_set_b32(num, b32, &overflow);
26320197 136 if (overflow || secp256k1_scalar_is_zero(num)) {
f24041d6 137 continue;
26320197 138 }
f24041d6
PW		 139 break;
140 } while(1);
141}
142
814cc78d 143void run_context_tests(int use_prealloc) {
96be2046 144 secp256k1_pubkey pubkey;
8e48aa60 145 secp256k1_pubkey zero_pubkey;
96be2046
GM		 146 secp256k1_ecdsa_signature sig;
147 unsigned char ctmp[32];
148 int32_t ecount;
149 int32_t ecount2;
814cc78d
TR		 150 secp256k1_context *none;
151 secp256k1_context *sign;
152 secp256k1_context *vrfy;
153 secp256k1_context *both;
154 void *none_prealloc = NULL;
155 void *sign_prealloc = NULL;
156 void *vrfy_prealloc = NULL;
157 void *both_prealloc = NULL;
d899b5b6 158
dd891e0e
PW		 159 secp256k1_gej pubj;
160 secp256k1_ge pub;
161 secp256k1_scalar msg, key, nonce;
162 secp256k1_scalar sigr, sigs;
d899b5b6 163
814cc78d
TR		 164 if (use_prealloc) {
165 none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
166 sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
167 vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
168 both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
169 CHECK(none_prealloc != NULL);
170 CHECK(sign_prealloc != NULL);
171 CHECK(vrfy_prealloc != NULL);
172 CHECK(both_prealloc != NULL);
173 none = secp256k1_context_preallocated_create(none_prealloc, SECP256K1_CONTEXT_NONE);
174 sign = secp256k1_context_preallocated_create(sign_prealloc, SECP256K1_CONTEXT_SIGN);
175 vrfy = secp256k1_context_preallocated_create(vrfy_prealloc, SECP256K1_CONTEXT_VERIFY);
176 both = secp256k1_context_preallocated_create(both_prealloc, SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
177 } else {
178 none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
179 sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
180 vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
181 both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
182 }
183
8e48aa60
AP		 184 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
185
96be2046
GM		 186 ecount = 0;
187 ecount2 = 10;
188 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
189 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
190 secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, NULL);
191 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
192
814cc78d
TR		 193 /* check if sizes for cloning are consistent */
194 CHECK(secp256k1_context_preallocated_clone_size(none) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
195 CHECK(secp256k1_context_preallocated_clone_size(sign) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
196 CHECK(secp256k1_context_preallocated_clone_size(vrfy) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
197 CHECK(secp256k1_context_preallocated_clone_size(both) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
198
d899b5b6
AP		 199 /*** clone and destroy all of them to make sure cloning was complete ***/
200 {
dd891e0e 201 secp256k1_context *ctx_tmp;
d899b5b6 202
814cc78d
TR		 203 if (use_prealloc) {
204 /* clone into a non-preallocated context and then again into a new preallocated one. */
205 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
206 free(none_prealloc); none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL);
207 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, none_prealloc); secp256k1_context_destroy(ctx_tmp);
208
209 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
210 free(sign_prealloc); sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL);
211 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, sign_prealloc); secp256k1_context_destroy(ctx_tmp);
212
213 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
214 free(vrfy_prealloc); vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL);
215 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, vrfy_prealloc); secp256k1_context_destroy(ctx_tmp);
216
217 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
218 free(both_prealloc); both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL);
219 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, both_prealloc); secp256k1_context_destroy(ctx_tmp);
220 } else {
221 /* clone into a preallocated context and then again into a new non-preallocated one. */
222 void *prealloc_tmp;
223
224 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL);
225 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
226 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
227 free(prealloc_tmp);
228
229 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL);
230 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
231 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
232 free(prealloc_tmp);
233
234 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
235 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
236 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
237 free(prealloc_tmp);
238
239 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
240 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
241 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
242 free(prealloc_tmp);
243 }
d899b5b6
AP		 244 }
245
96be2046
GM		 246 /* Verify that the error callback makes it across the clone. */
247 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
248 /* And that it resets back to default. */
249 secp256k1_context_set_error_callback(sign, NULL, NULL);
250 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
251
d899b5b6
AP		 252 /*** attempt to use them ***/
253 random_scalar_order_test(&msg);
254 random_scalar_order_test(&key);
255 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
256 secp256k1_ge_set_gej(&pub, &pubj);
257
96be2046
GM		 258 /* Verify context-type checking illegal-argument errors. */
259 memset(ctmp, 1, 32);
260 CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
261 CHECK(ecount == 1);
262 VG_UNDEF(&pubkey, sizeof(pubkey));
263 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
264 VG_CHECK(&pubkey, sizeof(pubkey));
265 CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
266 CHECK(ecount == 2);
267 VG_UNDEF(&sig, sizeof(sig));
268 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
269 VG_CHECK(&sig, sizeof(sig));
270 CHECK(ecount2 == 10);
271 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
272 CHECK(ecount2 == 11);
273 CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
274 CHECK(ecount == 2);
275 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
276 CHECK(ecount2 == 12);
277 CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
278 CHECK(ecount == 2);
279 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
280 CHECK(ecount2 == 13);
8e48aa60 281 CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
96be2046 282 CHECK(ecount == 2);
8e48aa60
AP		 283 CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
284 CHECK(ecount == 2);
285 CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
286 CHECK(ecount2 == 14);
287 CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
288 CHECK(ecount == 3);
289 CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
96be2046 290 CHECK(ecount == 3);
61983752
TR		 291 CHECK(secp256k1_context_randomize(vrfy, ctmp) == 1);
292 CHECK(ecount == 3);
293 CHECK(secp256k1_context_randomize(vrfy, NULL) == 1);
294 CHECK(ecount == 3);
295 CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
296 CHECK(ecount2 == 14);
96be2046 297 CHECK(secp256k1_context_randomize(sign, NULL) == 1);
8e48aa60 298 CHECK(ecount2 == 14);
96be2046
GM		 299 secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
300 secp256k1_context_set_illegal_callback(sign, NULL, NULL);
301
d899b5b6
AP		 302 /* obtain a working nonce */
303 do {
304 random_scalar_order_test(&nonce);
18c329c5 305 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
d899b5b6
AP		 306
307 /* try signing */
18c329c5
PW		 308 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
309 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
d899b5b6
AP		 310
311 /* try verifying */
18c329c5
PW		 312 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
313 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
5c2a4fad
AP		 314
315 /* cleanup */
814cc78d
TR		 316 if (use_prealloc) {
317 secp256k1_context_preallocated_destroy(none);
318 secp256k1_context_preallocated_destroy(sign);
319 secp256k1_context_preallocated_destroy(vrfy);
320 secp256k1_context_preallocated_destroy(both);
321 free(none_prealloc);
322 free(sign_prealloc);
323 free(vrfy_prealloc);
324 free(both_prealloc);
325 } else {
326 secp256k1_context_destroy(none);
327 secp256k1_context_destroy(sign);
328 secp256k1_context_destroy(vrfy);
329 secp256k1_context_destroy(both);
330 }
5b71a3f4
GM		 331 /* Defined as no-op. */
332 secp256k1_context_destroy(NULL);
814cc78d
TR		 333 secp256k1_context_preallocated_destroy(NULL);
334
d899b5b6
AP		 335}
336
548de42e 337void run_scratch_tests(void) {
98836b11
AP		 338 const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
339
548de42e 340 int32_t ecount = 0;
98836b11
AP		 341 size_t checkpoint;
342 size_t checkpoint_2;
548de42e
AP		 343 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
344 secp256k1_scratch_space *scratch;
c2b028a2 345 secp256k1_scratch_space local_scratch;
548de42e
AP		 346
347 /* Test public API */
348 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
c2b028a2 349 secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
548de42e 350
6fe50439 351 scratch = secp256k1_scratch_space_create(none, 1000);
548de42e 352 CHECK(scratch != NULL);
6fe50439 353 CHECK(ecount == 0);
548de42e
AP		 354
355 /* Test internal API */
c2b028a2 356 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
98836b11
AP		 357 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
358 CHECK(scratch->alloc_size == 0);
359 CHECK(scratch->alloc_size % ALIGNMENT == 0);
6fe50439 360
98836b11
AP		 361 /* Allocating 500 bytes succeeds */
362 checkpoint = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
c2b028a2 363 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
98836b11
AP		 364 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
365 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
366 CHECK(scratch->alloc_size != 0);
367 CHECK(scratch->alloc_size % ALIGNMENT == 0);
6fe50439 368
98836b11 369 /* Allocating another 500 bytes fails */
c2b028a2 370 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
98836b11
AP		 371 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
372 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
373 CHECK(scratch->alloc_size != 0);
374 CHECK(scratch->alloc_size % ALIGNMENT == 0);
375
376 /* ...but it succeeds once we apply the checkpoint to undo it */
377 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
378 CHECK(scratch->alloc_size == 0);
379 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
380 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
381 CHECK(scratch->alloc_size != 0);
548de42e 382
98836b11
AP		 383 /* try to apply a bad checkpoint */
384 checkpoint_2 = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
385 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
c2b028a2 386 CHECK(ecount == 0);
98836b11
AP		 387 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */
388 CHECK(ecount == 1);
389 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */
390 CHECK(ecount == 2);
c2b028a2
AP		 391
392 /* try to use badly initialized scratch space */
98836b11 393 secp256k1_scratch_space_destroy(none, scratch);
c2b028a2
AP		 394 memset(&local_scratch, 0, sizeof(local_scratch));
395 scratch = &local_scratch;
396 CHECK(!secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0));
c2b028a2 397 CHECK(ecount == 3);
98836b11 398 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
c2b028a2
AP		 399 CHECK(ecount == 4);
400 secp256k1_scratch_space_destroy(none, scratch);
401 CHECK(ecount == 5);
402
98836b11
AP		 403 /* cleanup */
404 secp256k1_scratch_space_destroy(none, NULL); /* no-op */
548de42e
AP		 405 secp256k1_context_destroy(none);
406}
407
b37fbc28
PW		 408/***** HASH TESTS *****/
409
410void run_sha256_tests(void) {
411 static const char *inputs[8] = {
412 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
413 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
414 "For this sample, this 63-byte string will be used as input data",
415 "This is exactly 64 bytes long, not counting the terminating byte"
416 };
417 static const unsigned char outputs[8][32] = {
418 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
419 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
420 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
421 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
422 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
423 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
424 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
425 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
426 };
bf2e1ac7
GM		 427 int i;
428 for (i = 0; i < 8; i++) {
429 unsigned char out[32];
d1dc9dfc 430 secp256k1_sha256 hasher;
b37fbc28
PW		 431 secp256k1_sha256_initialize(&hasher);
432 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
b37fbc28
PW		 433 secp256k1_sha256_finalize(&hasher, out);
434 CHECK(memcmp(out, outputs[i], 32) == 0);
435 if (strlen(inputs[i]) > 0) {
fa57f1bd 436 int split = secp256k1_rand_int(strlen(inputs[i]));
bf2e1ac7 437 secp256k1_sha256_initialize(&hasher);
b37fbc28
PW		 438 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
439 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
440 secp256k1_sha256_finalize(&hasher, out);
441 CHECK(memcmp(out, outputs[i], 32) == 0);
442 }
443 }
444}
445
446void run_hmac_sha256_tests(void) {
447 static const char *keys[6] = {
448 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
449 "\x4a\x65\x66\x65",
450 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
451 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
452 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
453 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
454 };
455 static const char *inputs[6] = {
456 "\x48\x69\x20\x54\x68\x65\x72\x65",
457 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
458 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
459 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
460 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
461 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
462 };
463 static const unsigned char outputs[6][32] = {
464 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
465 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
466 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
467 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
468 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
469 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
470 };
bf2e1ac7
GM		 471 int i;
472 for (i = 0; i < 6; i++) {
d1dc9dfc 473 secp256k1_hmac_sha256 hasher;
bf2e1ac7 474 unsigned char out[32];
b37fbc28
PW		 475 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
476 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
b37fbc28
PW		 477 secp256k1_hmac_sha256_finalize(&hasher, out);
478 CHECK(memcmp(out, outputs[i], 32) == 0);
479 if (strlen(inputs[i]) > 0) {
fa57f1bd 480 int split = secp256k1_rand_int(strlen(inputs[i]));
bf2e1ac7 481 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
b37fbc28
PW		 482 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
483 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
484 secp256k1_hmac_sha256_finalize(&hasher, out);
485 CHECK(memcmp(out, outputs[i], 32) == 0);
486 }
487 }
488}
489
490void run_rfc6979_hmac_sha256_tests(void) {
3e6f1e20 491 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
b37fbc28
PW		 492 static const unsigned char out1[3][32] = {
493 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
494 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
495 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
496 };
497
3e6f1e20 498 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
b37fbc28
PW		 499 static const unsigned char out2[3][32] = {
500 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
501 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
502 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
503 };
504
d1dc9dfc 505 secp256k1_rfc6979_hmac_sha256 rng;
b37fbc28 506 unsigned char out[32];
bf2e1ac7 507 int i;
b37fbc28 508
3e6f1e20 509 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
bf2e1ac7 510 for (i = 0; i < 3; i++) {
b37fbc28
PW		 511 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
512 CHECK(memcmp(out, out1[i], 32) == 0);
513 }
514 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
515
3e6f1e20 516 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
1573a102
PW		 517 for (i = 0; i < 3; i++) {
518 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
519 CHECK(memcmp(out, out1[i], 32) != 0);
520 }
521 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
522
3e6f1e20 523 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
bf2e1ac7 524 for (i = 0; i < 3; i++) {
b37fbc28
PW		 525 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
526 CHECK(memcmp(out, out2[i], 32) == 0);
527 }
528 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
529}
530
49b37498
PW		 531/***** RANDOM TESTS *****/
532
533void test_rand_bits(int rand32, int bits) {
534 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
535 * get a false negative chance below once in a billion */
536 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
537 /* We try multiplying the results with various odd numbers, which shouldn't
538 * influence the uniform distribution modulo a power of 2. */
539 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
540 /* We only select up to 6 bits from the output to analyse */
541 unsigned int usebits = bits > 6 ? 6 : bits;
542 unsigned int maxshift = bits - usebits;
543 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
544 number, track all observed outcomes, one per bit in a uint64_t. */
545 uint64_t x[6][27] = {{0}};
546 unsigned int i, shift, m;
547 /* Multiply the output of all rand calls with the odd number m, which
548 should not change the uniformity of its distribution. */
549 for (i = 0; i < rounds[usebits]; i++) {
550 uint32_t r = (rand32 ? secp256k1_rand32() : secp256k1_rand_bits(bits));
551 CHECK((((uint64_t)r) >> bits) == 0);
552 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
553 uint32_t rm = r * mults[m];
554 for (shift = 0; shift <= maxshift; shift++) {
555 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
556 }
557 }
558 }
559 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
560 for (shift = 0; shift <= maxshift; shift++) {
561 /* Test that the lower usebits bits of x[shift] are 1 */
562 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
563 }
564 }
565}
566
567/* Subrange must be a whole divisor of range, and at most 64 */
568void test_rand_int(uint32_t range, uint32_t subrange) {
569 /* (1-1/subrange)^rounds < 1/10^9 */
570 int rounds = (subrange * 2073) / 100;
571 int i;
572 uint64_t x = 0;
573 CHECK((range % subrange) == 0);
574 for (i = 0; i < rounds; i++) {
575 uint32_t r = secp256k1_rand_int(range);
576 CHECK(r < range);
577 r = r % subrange;
578 x |= (((uint64_t)1) << r);
579 }
580 /* Test that the lower subrange bits of x are 1. */
581 CHECK(((~x) << (64 - subrange)) == 0);
582}
583
584void run_rand_bits(void) {
585 size_t b;
586 test_rand_bits(1, 32);
587 for (b = 1; b <= 32; b++) {
588 test_rand_bits(0, b);
589 }
590}
591
592void run_rand_int(void) {
593 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
594 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
595 unsigned int m, s;
596 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
597 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
598 test_rand_int(ms[m] * ss[s], ss[s]);
599 }
600 }
601}
602
659b554d
PW		 603/***** NUM TESTS *****/
604
597128d3 605#ifndef USE_NUM_NONE
dd891e0e 606void random_num_negate(secp256k1_num *num) {
fa57f1bd 607 if (secp256k1_rand_bits(1)) {
659b554d 608 secp256k1_num_negate(num);
26320197 609 }
659b554d
PW		 610}
611
dd891e0e
PW		 612void random_num_order_test(secp256k1_num *num) {
613 secp256k1_scalar sc;
659b554d
PW		 614 random_scalar_order_test(&sc);
615 secp256k1_scalar_get_num(num, &sc);
616}
617
dd891e0e
PW		 618void random_num_order(secp256k1_num *num) {
619 secp256k1_scalar sc;
659b554d
PW		 620 random_scalar_order(&sc);
621 secp256k1_scalar_get_num(num, &sc);
404c30a8
PW		 622}
623
2cad067a 624void test_num_negate(void) {
dd891e0e
PW		 625 secp256k1_num n1;
626 secp256k1_num n2;
71712b27 627 random_num_order_test(&n1); /* n1 = R */
3f44e1ad 628 random_num_negate(&n1);
71712b27
GM		 629 secp256k1_num_copy(&n2, &n1); /* n2 = R */
630 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
0592d117 631 CHECK(secp256k1_num_is_zero(&n1));
71712b27
GM		 632 secp256k1_num_copy(&n1, &n2); /* n1 = R */
633 secp256k1_num_negate(&n1); /* n1 = -R */
0592d117 634 CHECK(!secp256k1_num_is_zero(&n1));
71712b27 635 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
0592d117 636 CHECK(secp256k1_num_is_zero(&n1));
71712b27
GM		 637 secp256k1_num_copy(&n1, &n2); /* n1 = R */
638 secp256k1_num_negate(&n1); /* n1 = -R */
0592d117 639 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
71712b27 640 secp256k1_num_negate(&n1); /* n1 = R */
1a749b4a 641 CHECK(secp256k1_num_eq(&n1, &n2));
3f44e1ad
PW		 642}
643
2cad067a 644void test_num_add_sub(void) {
efd953a7
PD		 645 int i;
646 secp256k1_scalar s;
dd891e0e
PW		 647 secp256k1_num n1;
648 secp256k1_num n2;
649 secp256k1_num n1p2, n2p1, n1m2, n2m1;
71712b27 650 random_num_order_test(&n1); /* n1 = R1 */
fa57f1bd 651 if (secp256k1_rand_bits(1)) {
1a749b4a
PW		 652 random_num_negate(&n1);
653 }
71712b27 654 random_num_order_test(&n2); /* n2 = R2 */
fa57f1bd 655 if (secp256k1_rand_bits(1)) {
1a749b4a
PW		 656 random_num_negate(&n2);
657 }
71712b27
GM		 658 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
659 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
660 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
661 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
1a749b4a
PW		 662 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
663 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
71712b27 664 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
1a749b4a
PW		 665 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
666 CHECK(!secp256k1_num_eq(&n2m1, &n1));
71712b27 667 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
1a749b4a
PW		 668 CHECK(secp256k1_num_eq(&n2m1, &n1));
669 CHECK(!secp256k1_num_eq(&n2p1, &n1));
71712b27 670 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
1a749b4a 671 CHECK(secp256k1_num_eq(&n2p1, &n1));
efd953a7
PD		 672
673 /* check is_one */
674 secp256k1_scalar_set_int(&s, 1);
675 secp256k1_scalar_get_num(&n1, &s);
676 CHECK(secp256k1_num_is_one(&n1));
677 /* check that 2^n + 1 is never 1 */
678 secp256k1_scalar_get_num(&n2, &s);
679 for (i = 0; i < 250; ++i) {
680 secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */
681 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */
682 CHECK(!secp256k1_num_is_one(&n1p2));
683 }
684}
685
686void test_num_mod(void) {
687 int i;
688 secp256k1_scalar s;
689 secp256k1_num order, n;
690
691 /* check that 0 mod anything is 0 */
7d893f49 692 random_scalar_order_test(&s);
efd953a7
PD		 693 secp256k1_scalar_get_num(&order, &s);
694 secp256k1_scalar_set_int(&s, 0);
695 secp256k1_scalar_get_num(&n, &s);
696 secp256k1_num_mod(&n, &order);
697 CHECK(secp256k1_num_is_zero(&n));
698
699 /* check that anything mod 1 is 0 */
700 secp256k1_scalar_set_int(&s, 1);
701 secp256k1_scalar_get_num(&order, &s);
702 secp256k1_scalar_get_num(&n, &s);
703 secp256k1_num_mod(&n, &order);
704 CHECK(secp256k1_num_is_zero(&n));
705
706 /* check that increasing the number past 2^256 does not break this */
7d893f49 707 random_scalar_order_test(&s);
efd953a7
PD		 708 secp256k1_scalar_get_num(&n, &s);
709 /* multiply by 2^8, which'll test this case with high probability */
710 for (i = 0; i < 8; ++i) {
711 secp256k1_num_add(&n, &n, &n);
712 }
713 secp256k1_num_mod(&n, &order);
714 CHECK(secp256k1_num_is_zero(&n));
715}
716
717void test_num_jacobi(void) {
718 secp256k1_scalar sqr;
719 secp256k1_scalar small;
720 secp256k1_scalar five; /* five is not a quadratic residue */
721 secp256k1_num order, n;
722 int i;
723 /* squares mod 5 are 1, 4 */
724 const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
725
726 /* check some small values with 5 as the order */
727 secp256k1_scalar_set_int(&five, 5);
728 secp256k1_scalar_get_num(&order, &five);
729 for (i = 0; i < 10; ++i) {
730 secp256k1_scalar_set_int(&small, i);
731 secp256k1_scalar_get_num(&n, &small);
732 CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
733 }
734
735 /** test large values with 5 as group order */
736 secp256k1_scalar_get_num(&order, &five);
737 /* we first need a scalar which is not a multiple of 5 */
738 do {
739 secp256k1_num fiven;
7d893f49 740 random_scalar_order_test(&sqr);
efd953a7
PD		 741 secp256k1_scalar_get_num(&fiven, &five);
742 secp256k1_scalar_get_num(&n, &sqr);
743 secp256k1_num_mod(&n, &fiven);
744 } while (secp256k1_num_is_zero(&n));
745 /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
746 * just multiply by two, i.e. add the number to itself */
747 if (secp256k1_num_jacobi(&n, &order) == -1) {
748 secp256k1_num_add(&n, &n, &n);
749 }
750
751 /* test residue */
752 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
753 /* test nonresidue */
754 secp256k1_num_add(&n, &n, &n);
755 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
756
757 /** test with secp group order as order */
758 secp256k1_scalar_order_get_num(&order);
7d893f49 759 random_scalar_order_test(&sqr);
efd953a7
PD		 760 secp256k1_scalar_sqr(&sqr, &sqr);
761 /* test residue */
762 secp256k1_scalar_get_num(&n, &sqr);
763 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
764 /* test nonresidue */
765 secp256k1_scalar_mul(&sqr, &sqr, &five);
766 secp256k1_scalar_get_num(&n, &sqr);
767 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
768 /* test multiple of the order*/
769 CHECK(secp256k1_num_jacobi(&order, &order) == 0);
770
771 /* check one less than the order */
772 secp256k1_scalar_set_int(&small, 1);
773 secp256k1_scalar_get_num(&n, &small);
774 secp256k1_num_sub(&n, &order, &n);
775 CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */
3f44e1ad
PW		 776}
777
2cad067a 778void run_num_smalltests(void) {
bf2e1ac7
GM		 779 int i;
780 for (i = 0; i < 100*count; i++) {
3f44e1ad
PW		 781 test_num_negate();
782 test_num_add_sub();
efd953a7
PD		 783 test_num_mod();
784 test_num_jacobi();
3f44e1ad 785 }
3f44e1ad 786}
597128d3 787#endif
3f44e1ad 788
79359302
PW		 789/***** SCALAR TESTS *****/
790
79359302 791void scalar_test(void) {
dd891e0e
PW		 792 secp256k1_scalar s;
793 secp256k1_scalar s1;
794 secp256k1_scalar s2;
bf2e1ac7 795#ifndef USE_NUM_NONE
dd891e0e
PW		 796 secp256k1_num snum, s1num, s2num;
797 secp256k1_num order, half_order;
bf2e1ac7 798#endif
79359302
PW		 799 unsigned char c[32];
800
71712b27 801 /* Set 's' to a random scalar, with value 'snum'. */
659b554d 802 random_scalar_order_test(&s);
79359302 803
71712b27 804 /* Set 's1' to a random scalar, with value 's1num'. */
659b554d 805 random_scalar_order_test(&s1);
79359302 806
71712b27 807 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
659b554d
PW		 808 random_scalar_order_test(&s2);
809 secp256k1_scalar_get_b32(c, &s2);
810
597128d3 811#ifndef USE_NUM_NONE
659b554d
PW		 812 secp256k1_scalar_get_num(&snum, &s);
813 secp256k1_scalar_get_num(&s1num, &s1);
814 secp256k1_scalar_get_num(&s2num, &s2);
815
659b554d 816 secp256k1_scalar_order_get_num(&order);
bf2e1ac7 817 half_order = order;
659b554d 818 secp256k1_num_shift(&half_order, 1);
597128d3 819#endif
79359302
PW		 820
821 {
bf2e1ac7 822 int i;
71712b27 823 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
dd891e0e 824 secp256k1_scalar n;
1e6c77c3 825 secp256k1_scalar_set_int(&n, 0);
bf2e1ac7 826 for (i = 0; i < 256; i += 4) {
dd891e0e 827 secp256k1_scalar t;
bf2e1ac7 828 int j;
1e6c77c3 829 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
bf2e1ac7 830 for (j = 0; j < 4; j++) {
1e6c77c3
PW		 831 secp256k1_scalar_add(&n, &n, &n);
832 }
833 secp256k1_scalar_add(&n, &n, &t);
79359302 834 }
1e6c77c3
PW		 835 CHECK(secp256k1_scalar_eq(&n, &s));
836 }
837
838 {
839 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
dd891e0e 840 secp256k1_scalar n;
1e6c77c3 841 int i = 0;
bf2e1ac7 842 secp256k1_scalar_set_int(&n, 0);
1e6c77c3 843 while (i < 256) {
dd891e0e 844 secp256k1_scalar t;
bf2e1ac7 845 int j;
fa57f1bd 846 int now = secp256k1_rand_int(15) + 1;
1e6c77c3
PW		 847 if (now + i > 256) {
848 now = 256 - i;
849 }
1e6c77c3 850 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
bf2e1ac7 851 for (j = 0; j < now; j++) {
1e6c77c3
PW		 852 secp256k1_scalar_add(&n, &n, &n);
853 }
854 secp256k1_scalar_add(&n, &n, &t);
855 i += now;
856 }
857 CHECK(secp256k1_scalar_eq(&n, &s));
79359302
PW		 858 }
859
597128d3 860#ifndef USE_NUM_NONE
79359302 861 {
71712b27 862 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
dd891e0e
PW		 863 secp256k1_num rnum;
864 secp256k1_num r2num;
865 secp256k1_scalar r;
79359302 866 secp256k1_num_add(&rnum, &snum, &s2num);
659b554d 867 secp256k1_num_mod(&rnum, &order);
79359302 868 secp256k1_scalar_add(&r, &s, &s2);
79359302
PW		 869 secp256k1_scalar_get_num(&r2num, &r);
870 CHECK(secp256k1_num_eq(&rnum, &r2num));
79359302
PW		 871 }
872
873 {
269d4227 874 /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
dd891e0e
PW		 875 secp256k1_scalar r;
876 secp256k1_num r2num;
877 secp256k1_num rnum;
79359302 878 secp256k1_num_mul(&rnum, &snum, &s2num);
659b554d 879 secp256k1_num_mod(&rnum, &order);
79359302 880 secp256k1_scalar_mul(&r, &s, &s2);
79359302
PW		 881 secp256k1_scalar_get_num(&r2num, &r);
882 CHECK(secp256k1_num_eq(&rnum, &r2num));
71712b27 883 /* The result can only be zero if at least one of the factors was zero. */
79359302 884 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
71712b27 885 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
79359302
PW		 886 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
887 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
79359302
PW		 888 }
889
890 {
dd891e0e
PW		 891 secp256k1_scalar neg;
892 secp256k1_num negnum;
893 secp256k1_num negnum2;
71712b27 894 /* Check that comparison with zero matches comparison with zero on the number. */
79359302 895 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
71712b27 896 /* Check that comparison with the half order is equal to testing for high scalar. */
659b554d 897 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
79359302 898 secp256k1_scalar_negate(&neg, &s);
659b554d
PW		 899 secp256k1_num_sub(&negnum, &order, &snum);
900 secp256k1_num_mod(&negnum, &order);
71712b27 901 /* Check that comparison with the half order is equal to testing for high scalar after negation. */
659b554d 902 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
71712b27 903 /* Negating should change the high property, unless the value was already zero. */
79359302 904 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
79359302 905 secp256k1_scalar_get_num(&negnum2, &neg);
71712b27 906 /* Negating a scalar should be equal to (order - n) mod order on the number. */
79359302
PW		 907 CHECK(secp256k1_num_eq(&negnum, &negnum2));
908 secp256k1_scalar_add(&neg, &neg, &s);
71712b27 909 /* Adding a number to its negation should result in zero. */
79359302
PW		 910 CHECK(secp256k1_scalar_is_zero(&neg));
911 secp256k1_scalar_negate(&neg, &neg);
71712b27 912 /* Negating zero should still result in zero. */
79359302 913 CHECK(secp256k1_scalar_is_zero(&neg));
79359302 914 }
ff8746d4
PW		 915
916 {
917 /* Test secp256k1_scalar_mul_shift_var. */
dd891e0e
PW		 918 secp256k1_scalar r;
919 secp256k1_num one;
920 secp256k1_num rnum;
921 secp256k1_num rnum2;
bf2e1ac7 922 unsigned char cone[1] = {0x01};
fa57f1bd 923 unsigned int shift = 256 + secp256k1_rand_int(257);
ff8746d4 924 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
ff8746d4
PW		 925 secp256k1_num_mul(&rnum, &s1num, &s2num);
926 secp256k1_num_shift(&rnum, shift - 1);
ff8746d4
PW		 927 secp256k1_num_set_bin(&one, cone, 1);
928 secp256k1_num_add(&rnum, &rnum, &one);
929 secp256k1_num_shift(&rnum, 1);
ff8746d4
PW		 930 secp256k1_scalar_get_num(&rnum2, &r);
931 CHECK(secp256k1_num_eq(&rnum, &rnum2));
932 }
44015000
AP		 933
934 {
935 /* test secp256k1_scalar_shr_int */
dd891e0e 936 secp256k1_scalar r;
44015000 937 int i;
44015000
AP		 938 random_scalar_order_test(&r);
939 for (i = 0; i < 100; ++i) {
cfe0ed91 940 int low;
fa57f1bd 941 int shift = 1 + secp256k1_rand_int(15);
44015000
AP		 942 int expected = r.d[0] % (1 << shift);
943 low = secp256k1_scalar_shr_int(&r, shift);
944 CHECK(expected == low);
945 }
946 }
597128d3 947#endif
79359302
PW		 948
949 {
71712b27 950 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
79359302 951 if (!secp256k1_scalar_is_zero(&s)) {
dd891e0e 952 secp256k1_scalar inv;
597128d3 953#ifndef USE_NUM_NONE
dd891e0e
PW		 954 secp256k1_num invnum;
955 secp256k1_num invnum2;
bf2e1ac7
GM		 956#endif
957 secp256k1_scalar_inverse(&inv, &s);
958#ifndef USE_NUM_NONE
959 secp256k1_num_mod_inverse(&invnum, &snum, &order);
79359302
PW		 960 secp256k1_scalar_get_num(&invnum2, &inv);
961 CHECK(secp256k1_num_eq(&invnum, &invnum2));
597128d3 962#endif
79359302 963 secp256k1_scalar_mul(&inv, &inv, &s);
71712b27 964 /* Multiplying a scalar with its inverse must result in one. */
79359302
PW		 965 CHECK(secp256k1_scalar_is_one(&inv));
966 secp256k1_scalar_inverse(&inv, &inv);
71712b27 967 /* Inverting one must result in one. */
79359302 968 CHECK(secp256k1_scalar_is_one(&inv));
efd953a7
PD		 969#ifndef USE_NUM_NONE
970 secp256k1_scalar_get_num(&invnum, &inv);
971 CHECK(secp256k1_num_is_one(&invnum));
972#endif
79359302
PW		 973 }
974 }
975
976 {
71712b27 977 /* Test commutativity of add. */
dd891e0e 978 secp256k1_scalar r1, r2;
79359302
PW		 979 secp256k1_scalar_add(&r1, &s1, &s2);
980 secp256k1_scalar_add(&r2, &s2, &s1);
981 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 982 }
983
52132078 984 {
dd891e0e
PW		 985 secp256k1_scalar r1, r2;
986 secp256k1_scalar b;
bf2e1ac7 987 int i;
52132078 988 /* Test add_bit. */
fa57f1bd 989 int bit = secp256k1_rand_bits(8);
1e6c77c3 990 secp256k1_scalar_set_int(&b, 1);
52132078 991 CHECK(secp256k1_scalar_is_one(&b));
bf2e1ac7 992 for (i = 0; i < bit; i++) {
52132078
PW		 993 secp256k1_scalar_add(&b, &b, &b);
994 }
bf2e1ac7
GM		 995 r1 = s1;
996 r2 = s1;
29ae1310 997 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
52132078 998 /* No overflow happened. */
ed35d43a
AP		 999 secp256k1_scalar_cadd_bit(&r2, bit, 1);
1000 CHECK(secp256k1_scalar_eq(&r1, &r2));
1001 /* cadd is a noop when flag is zero */
1002 secp256k1_scalar_cadd_bit(&r2, bit, 0);
52132078
PW		 1003 CHECK(secp256k1_scalar_eq(&r1, &r2));
1004 }
1005 }
1006
79359302 1007 {
71712b27 1008 /* Test commutativity of mul. */
dd891e0e 1009 secp256k1_scalar r1, r2;
79359302
PW		 1010 secp256k1_scalar_mul(&r1, &s1, &s2);
1011 secp256k1_scalar_mul(&r2, &s2, &s1);
1012 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 1013 }
1014
1015 {
71712b27 1016 /* Test associativity of add. */
dd891e0e 1017 secp256k1_scalar r1, r2;
79359302
PW		 1018 secp256k1_scalar_add(&r1, &s1, &s2);
1019 secp256k1_scalar_add(&r1, &r1, &s);
1020 secp256k1_scalar_add(&r2, &s2, &s);
1021 secp256k1_scalar_add(&r2, &s1, &r2);
1022 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 1023 }
1024
1025 {
71712b27 1026 /* Test associativity of mul. */
dd891e0e 1027 secp256k1_scalar r1, r2;
79359302
PW		 1028 secp256k1_scalar_mul(&r1, &s1, &s2);
1029 secp256k1_scalar_mul(&r1, &r1, &s);
1030 secp256k1_scalar_mul(&r2, &s2, &s);
1031 secp256k1_scalar_mul(&r2, &s1, &r2);
1032 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 1033 }
1034
1035 {
71712b27 1036 /* Test distributitivity of mul over add. */
dd891e0e 1037 secp256k1_scalar r1, r2, t;
79359302
PW		 1038 secp256k1_scalar_add(&r1, &s1, &s2);
1039 secp256k1_scalar_mul(&r1, &r1, &s);
1040 secp256k1_scalar_mul(&r2, &s1, &s);
1041 secp256k1_scalar_mul(&t, &s2, &s);
1042 secp256k1_scalar_add(&r2, &r2, &t);
1043 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302 1044 }
1d52a8b1
PW		 1045
1046 {
71712b27 1047 /* Test square. */
dd891e0e 1048 secp256k1_scalar r1, r2;
1d52a8b1
PW		 1049 secp256k1_scalar_sqr(&r1, &s1);
1050 secp256k1_scalar_mul(&r2, &s1, &s1);
1051 CHECK(secp256k1_scalar_eq(&r1, &r2));
1052 }
ff8746d4 1053
8d11164b
GM		 1054 {
1055 /* Test multiplicative identity. */
dd891e0e 1056 secp256k1_scalar r1, v1;
8d11164b
GM		 1057 secp256k1_scalar_set_int(&v1,1);
1058 secp256k1_scalar_mul(&r1, &s1, &v1);
1059 CHECK(secp256k1_scalar_eq(&r1, &s1));
1060 }
1061
1062 {
1063 /* Test additive identity. */
dd891e0e 1064 secp256k1_scalar r1, v0;
8d11164b
GM		 1065 secp256k1_scalar_set_int(&v0,0);
1066 secp256k1_scalar_add(&r1, &s1, &v0);
1067 CHECK(secp256k1_scalar_eq(&r1, &s1));
1068 }
1069
1070 {
1071 /* Test zero product property. */
dd891e0e 1072 secp256k1_scalar r1, v0;
8d11164b
GM		 1073 secp256k1_scalar_set_int(&v0,0);
1074 secp256k1_scalar_mul(&r1, &s1, &v0);
1075 CHECK(secp256k1_scalar_eq(&r1, &v0));
1076 }
1077
79359302
PW		 1078}
1079
1080void run_scalar_tests(void) {
bf2e1ac7
GM		 1081 int i;
1082 for (i = 0; i < 128 * count; i++) {
79359302
PW		 1083 scalar_test();
1084 }
659b554d
PW		 1085
1086 {
ee3eb4be 1087 /* (-1)+1 should be zero. */
dd891e0e 1088 secp256k1_scalar s, o;
659b554d 1089 secp256k1_scalar_set_int(&s, 1);
8d11164b 1090 CHECK(secp256k1_scalar_is_one(&s));
659b554d
PW		 1091 secp256k1_scalar_negate(&o, &s);
1092 secp256k1_scalar_add(&o, &o, &s);
1093 CHECK(secp256k1_scalar_is_zero(&o));
8d11164b
GM		 1094 secp256k1_scalar_negate(&o, &o);
1095 CHECK(secp256k1_scalar_is_zero(&o));
659b554d
PW		 1096 }
1097
597128d3 1098#ifndef USE_NUM_NONE
659b554d 1099 {
ee3eb4be 1100 /* A scalar with value of the curve order should be 0. */
dd891e0e
PW		 1101 secp256k1_num order;
1102 secp256k1_scalar zero;
bf2e1ac7 1103 unsigned char bin[32];
659b554d 1104 int overflow = 0;
bf2e1ac7
GM		 1105 secp256k1_scalar_order_get_num(&order);
1106 secp256k1_num_get_bin(bin, 32, &order);
659b554d
PW		 1107 secp256k1_scalar_set_b32(&zero, bin, &overflow);
1108 CHECK(overflow == 1);
1109 CHECK(secp256k1_scalar_is_zero(&zero));
1110 }
597128d3 1111#endif
26abce75
GM		 1112
1113 {
1114 /* Does check_overflow check catch all ones? */
1115 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1116 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1117 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1118 );
1119 CHECK(secp256k1_scalar_check_overflow(&overflowed));
1120 }
1121
1122 {
1123 /* Static test vectors.
269d4227 1124 * These were reduced from ~10^12 random vectors based on comparison-decision
26abce75
GM		 1125 * and edge-case coverage on 32-bit and 64-bit implementations.
1126 * The responses were generated with Sage 5.9.
1127 */
1128 secp256k1_scalar x;
1129 secp256k1_scalar y;
1130 secp256k1_scalar z;
1131 secp256k1_scalar zz;
1132 secp256k1_scalar one;
1133 secp256k1_scalar r1;
1134 secp256k1_scalar r2;
1135#if defined(USE_SCALAR_INV_NUM)
1136 secp256k1_scalar zzv;
1137#endif
1138 int overflow;
093a497a 1139 unsigned char chal[33][2][32] = {
26abce75
GM		 1140 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1141 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1142 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1143 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1144 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1145 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1146 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1147 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1148 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1149 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1150 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1151 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1152 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1153 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1154 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1155 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1156 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1157 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1158 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1159 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1160 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1161 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1162 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1163 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1164 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1165 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1166 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1167 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1168 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1169 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1170 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1171 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1172 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1173 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1174 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1175 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1176 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1177 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1178 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1179 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1180 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1181 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1182 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1183 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1184 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1185 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1186 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1187 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1188 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1189 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1190 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1191 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1192 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1193 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1194 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1195 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1196 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1197 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1198 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1199 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1200 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1201 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1202 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1203 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1204 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1205 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1206 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1207 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1208 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1209 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1210 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1211 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1212 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1213 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1214 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1215 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1216 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1217 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1218 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1219 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1220 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1221 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1222 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1223 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1224 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1225 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1226 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1227 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1228 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1229 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1230 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1231 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1232 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1233 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1234 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1235 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1236 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1237 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1238 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1239 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1240 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1241 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1242 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1243 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1244 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1245 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1246 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1247 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1248 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1249 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1250 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1251 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1252 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1253 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1254 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1255 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1256 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1257 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1258 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1259 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1260 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1261 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1262 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1263 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1264 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1265 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1266 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1267 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1268 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1269 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1270 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1271 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1272 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1273 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1274 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1275 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1276 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1277 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1278 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1279 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1280 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1281 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1282 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1283 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1284 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1285 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1286 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1287 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1288 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1289 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1290 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1291 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1292 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1293 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1294 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1295 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1296 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1297 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1298 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1299 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1300 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1301 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1302 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1303 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1304 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1305 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1306 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1307 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1308 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1309 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1310 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1311 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1312 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1313 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1314 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1315 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1316 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1317 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1318 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1319 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1320 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1321 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1322 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1323 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1324 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1325 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1326 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1327 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1328 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1329 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1330 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1331 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1332 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1333 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1334 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1335 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1336 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1337 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1338 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1339 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1340 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1341 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1342 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1343 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1344 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1345 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1346 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1347 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1348 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1349 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1350 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1351 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1352 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1353 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1354 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1355 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1356 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1357 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1358 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1359 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1360 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1361 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1362 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1363 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1364 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1365 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1366 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1367 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1368 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1369 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1370 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1371 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1372 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1373 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1374 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1375 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1376 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1377 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1378 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1379 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1380 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1381 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1382 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1383 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1384 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1385 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1386 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1387 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1388 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1389 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1390 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1391 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1392 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1393 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1394 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
093a497a
JN		 1395 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1396 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1397 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1398 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1399 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1400 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1401 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1402 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1403 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
26abce75 1404 };
093a497a 1405 unsigned char res[33][2][32] = {
26abce75
GM		 1406 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1407 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1408 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1409 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1410 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1411 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1412 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1413 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1414 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1415 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1416 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1417 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1418 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1419 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1420 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1421 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1422 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1423 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1424 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1425 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1426 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1427 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1428 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1429 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1430 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1431 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1432 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1433 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1434 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1435 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1436 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1437 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1438 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1439 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1440 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1441 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1442 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1443 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1444 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1445 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1446 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1447 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1448 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1449 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1450 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1451 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1452 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1453 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1454 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1455 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1456 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1457 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1458 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1459 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1460 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1461 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1462 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1463 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1464 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1465 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1466 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1467 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1468 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1469 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1470 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1471 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1472 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1473 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1474 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1475 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1476 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1477 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1478 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1479 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1480 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1481 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1482 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1483 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1484 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1485 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1486 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1487 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1488 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1489 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1490 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1491 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1492 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1493 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1494 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1495 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1496 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1497 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1498 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1499 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1500 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1501 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1502 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1503 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1504 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1505 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1506 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1507 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1508 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1509 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1510 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1511 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1512 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1513 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1514 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1515 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1516 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1517 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1518 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1519 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1520 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1521 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1522 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1523 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1524 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1525 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1526 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1527 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1528 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1529 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1530 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1531 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1532 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1533 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1534 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1535 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1536 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1537 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1538 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1539 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1540 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1541 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1542 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1543 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1544 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1545 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1546 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1547 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1548 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1549 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1550 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1551 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1552 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1553 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1554 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1555 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1556 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1557 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1558 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1559 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1560 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1561 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1562 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1563 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1564 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1565 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1566 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1567 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1568 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1569 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1570 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1571 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1572 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1573 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1574 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1575 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1576 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1577 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1578 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1579 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1580 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1581 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1582 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1583 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1584 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1585 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1586 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1587 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1588 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1589 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1590 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1591 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1592 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1593 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1594 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1595 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1596 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1597 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1598 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1599 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1600 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1601 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1602 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1603 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1604 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1605 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1606 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1607 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1608 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1609 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1610 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1611 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1612 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1613 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1614 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1615 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1616 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1617 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1618 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1619 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1620 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1621 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1622 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1623 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1624 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1625 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1626 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1627 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1628 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1629 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1630 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1631 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1632 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1633 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1634 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1635 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1636 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1637 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1638 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1639 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1640 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1641 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1642 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1643 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1644 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1645 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1646 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1647 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1648 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1649 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1650 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1651 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1652 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1653 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1654 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1655 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1656 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1657 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1658 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1659 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1660 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
093a497a
JN		 1661 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1662 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1663 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1664 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1665 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1666 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1667 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1668 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1669 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
26abce75
GM		 1670 };
1671 secp256k1_scalar_set_int(&one, 1);
093a497a 1672 for (i = 0; i < 33; i++) {
26abce75
GM		 1673 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1674 CHECK(!overflow);
1675 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1676 CHECK(!overflow);
1677 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1678 CHECK(!overflow);
1679 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1680 CHECK(!overflow);
1681 secp256k1_scalar_mul(&z, &x, &y);
1682 CHECK(!secp256k1_scalar_check_overflow(&z));
1683 CHECK(secp256k1_scalar_eq(&r1, &z));
1684 if (!secp256k1_scalar_is_zero(&y)) {
1685 secp256k1_scalar_inverse(&zz, &y);
1686 CHECK(!secp256k1_scalar_check_overflow(&zz));
1687#if defined(USE_SCALAR_INV_NUM)
1688 secp256k1_scalar_inverse_var(&zzv, &y);
1689 CHECK(secp256k1_scalar_eq(&zzv, &zz));
1690#endif
1691 secp256k1_scalar_mul(&z, &z, &zz);
1692 CHECK(!secp256k1_scalar_check_overflow(&z));
1693 CHECK(secp256k1_scalar_eq(&x, &z));
1694 secp256k1_scalar_mul(&zz, &zz, &y);
1695 CHECK(!secp256k1_scalar_check_overflow(&zz));
1696 CHECK(secp256k1_scalar_eq(&one, &zz));
1697 }
1698 secp256k1_scalar_mul(&z, &x, &x);
1699 CHECK(!secp256k1_scalar_check_overflow(&z));
1700 secp256k1_scalar_sqr(&zz, &x);
1701 CHECK(!secp256k1_scalar_check_overflow(&zz));
1702 CHECK(secp256k1_scalar_eq(&zz, &z));
1703 CHECK(secp256k1_scalar_eq(&r2, &zz));
1704 }
1705 }
79359302
PW		 1706}
1707
09ca4f32
PD		 1708/***** FIELD TESTS *****/
1709
dd891e0e 1710void random_fe(secp256k1_fe *x) {
09ca4f32 1711 unsigned char bin[32];
d907ebc0
PW		 1712 do {
1713 secp256k1_rand256(bin);
1714 if (secp256k1_fe_set_b32(x, bin)) {
1715 return;
1716 }
1717 } while(1);
09ca4f32
PD		 1718}
1719
64666251
PW		 1720void random_fe_test(secp256k1_fe *x) {
1721 unsigned char bin[32];
1722 do {
1723 secp256k1_rand256_test(bin);
1724 if (secp256k1_fe_set_b32(x, bin)) {
1725 return;
1726 }
1727 } while(1);
1728}
1729
dd891e0e 1730void random_fe_non_zero(secp256k1_fe *nz) {
6d6102fe 1731 int tries = 10;
09ca4f32 1732 while (--tries >= 0) {
6d6102fe
PD		 1733 random_fe(nz);
1734 secp256k1_fe_normalize(nz);
26320197 1735 if (!secp256k1_fe_is_zero(nz)) {
09ca4f32 1736 break;
26320197 1737 }
09ca4f32 1738 }
71712b27 1739 /* Infinitesimal probability of spurious failure here */
0592d117 1740 CHECK(tries >= 0);
09ca4f32
PD		 1741}
1742
dd891e0e
PW		 1743void random_fe_non_square(secp256k1_fe *ns) {
1744 secp256k1_fe r;
bf2e1ac7 1745 random_fe_non_zero(ns);
926836ad 1746 if (secp256k1_fe_sqrt(&r, ns)) {
6d6102fe
PD		 1747 secp256k1_fe_negate(ns, ns, 1);
1748 }
1749}
1750
dd891e0e
PW		 1751int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1752 secp256k1_fe an = *a;
1753 secp256k1_fe bn = *b;
bf2e1ac7
GM		 1754 secp256k1_fe_normalize_weak(&an);
1755 secp256k1_fe_normalize_var(&bn);
d7174edf 1756 return secp256k1_fe_equal_var(&an, &bn);
f16be77f
PD		 1757}
1758
dd891e0e
PW		 1759int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) {
1760 secp256k1_fe x;
1761 secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
bf2e1ac7 1762 secp256k1_fe_mul(&x, a, ai);
f16be77f
PD		 1763 return check_fe_equal(&x, &one);
1764}
1765
ff889f7d
PW		 1766void run_field_convert(void) {
1767 static const unsigned char b32[32] = {
1768 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1769 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1770 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1771 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1772 };
dd891e0e 1773 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
ff889f7d
PW		 1774 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1775 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1776 );
dd891e0e 1777 static const secp256k1_fe fe = SECP256K1_FE_CONST(
ff889f7d
PW		 1778 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1779 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1780 );
dd891e0e 1781 secp256k1_fe fe2;
ff889f7d 1782 unsigned char b322[32];
dd891e0e 1783 secp256k1_fe_storage fes2;
ff889f7d
PW		 1784 /* Check conversions to fe. */
1785 CHECK(secp256k1_fe_set_b32(&fe2, b32));
1786 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
ff889f7d
PW		 1787 secp256k1_fe_from_storage(&fe2, &fes);
1788 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1789 /* Check conversion from fe. */
1790 secp256k1_fe_get_b32(b322, &fe);
1791 CHECK(memcmp(b322, b32, 32) == 0);
ff889f7d
PW		 1792 secp256k1_fe_to_storage(&fes2, &fe);
1793 CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0);
1794}
1795
dd891e0e
PW		 1796int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b) {
1797 secp256k1_fe t = *b;
a0601cd7
PD		 1798#ifdef VERIFY
1799 t.magnitude = a->magnitude;
1800 t.normalized = a->normalized;
1801#endif
dd891e0e 1802 return memcmp(a, &t, sizeof(secp256k1_fe));
a0601cd7
PD		 1803}
1804
8d11164b 1805void run_field_misc(void) {
dd891e0e
PW		 1806 secp256k1_fe x;
1807 secp256k1_fe y;
1808 secp256k1_fe z;
1809 secp256k1_fe q;
1810 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
3f3964e4 1811 int i, j;
bf2e1ac7 1812 for (i = 0; i < 5*count; i++) {
dd891e0e 1813 secp256k1_fe_storage xs, ys, zs;
8d11164b
GM		 1814 random_fe(&x);
1815 random_fe_non_zero(&y);
1816 /* Test the fe equality and comparison operations. */
1817 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
d7174edf 1818 CHECK(secp256k1_fe_equal_var(&x, &x));
8d11164b
GM		 1819 z = x;
1820 secp256k1_fe_add(&z,&y);
9c4fb23d
GM		 1821 /* Test fe conditional move; z is not normalized here. */
1822 q = x;
1823 secp256k1_fe_cmov(&x, &z, 0);
dcf39202
GM		 1824#ifdef VERIFY
1825 CHECK(!x.normalized && x.magnitude == z.magnitude);
1826#endif
9c4fb23d 1827 secp256k1_fe_cmov(&x, &x, 1);
a0601cd7
PD		 1828 CHECK(fe_memcmp(&x, &z) != 0);
1829 CHECK(fe_memcmp(&x, &q) == 0);
9c4fb23d 1830 secp256k1_fe_cmov(&q, &z, 1);
dcf39202
GM		 1831#ifdef VERIFY
1832 CHECK(!q.normalized && q.magnitude == z.magnitude);
1833#endif
a0601cd7 1834 CHECK(fe_memcmp(&q, &z) == 0);
a0601cd7
PD		 1835 secp256k1_fe_normalize_var(&x);
1836 secp256k1_fe_normalize_var(&z);
9c4fb23d 1837 CHECK(!secp256k1_fe_equal_var(&x, &z));
3f3964e4
PD		 1838 secp256k1_fe_normalize_var(&q);
1839 secp256k1_fe_cmov(&q, &z, (i&1));
dcf39202
GM		 1840#ifdef VERIFY
1841 CHECK(q.normalized && q.magnitude == 1);
1842#endif
3f3964e4
PD		 1843 for (j = 0; j < 6; j++) {
1844 secp256k1_fe_negate(&z, &z, j+1);
1845 secp256k1_fe_normalize_var(&q);
1846 secp256k1_fe_cmov(&q, &z, (j&1));
dcf39202
GM		 1847#ifdef VERIFY
1848 CHECK(!q.normalized && q.magnitude == (j+2));
1849#endif
3f3964e4
PD		 1850 }
1851 secp256k1_fe_normalize_var(&z);
1852 /* Test storage conversion and conditional moves. */
fcc48c45
PW		 1853 secp256k1_fe_to_storage(&xs, &x);
1854 secp256k1_fe_to_storage(&ys, &y);
1855 secp256k1_fe_to_storage(&zs, &z);
1856 secp256k1_fe_storage_cmov(&zs, &xs, 0);
9c4fb23d 1857 secp256k1_fe_storage_cmov(&zs, &zs, 1);
fcc48c45
PW		 1858 CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0);
1859 secp256k1_fe_storage_cmov(&ys, &xs, 1);
1860 CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0);
1861 secp256k1_fe_from_storage(&x, &xs);
1862 secp256k1_fe_from_storage(&y, &ys);
1863 secp256k1_fe_from_storage(&z, &zs);
8d11164b
GM		 1864 /* Test that mul_int, mul, and add agree. */
1865 secp256k1_fe_add(&y, &x);
1866 secp256k1_fe_add(&y, &x);
1867 z = x;
1868 secp256k1_fe_mul_int(&z, 3);
1869 CHECK(check_fe_equal(&y, &z));
1870 secp256k1_fe_add(&y, &x);
1871 secp256k1_fe_add(&z, &x);
1872 CHECK(check_fe_equal(&z, &y));
1873 z = x;
1874 secp256k1_fe_mul_int(&z, 5);
1875 secp256k1_fe_mul(&q, &x, &fe5);
1876 CHECK(check_fe_equal(&z, &q));
1877 secp256k1_fe_negate(&x, &x, 1);
1878 secp256k1_fe_add(&z, &x);
1879 secp256k1_fe_add(&q, &x);
1880 CHECK(check_fe_equal(&y, &z));
1881 CHECK(check_fe_equal(&q, &y));
1882 }
1883}
1884
2cad067a 1885void run_field_inv(void) {
dd891e0e 1886 secp256k1_fe x, xi, xii;
bf2e1ac7
GM		 1887 int i;
1888 for (i = 0; i < 10*count; i++) {
f16be77f
PD		 1889 random_fe_non_zero(&x);
1890 secp256k1_fe_inv(&xi, &x);
1891 CHECK(check_fe_inverse(&x, &xi));
1892 secp256k1_fe_inv(&xii, &xi);
1893 CHECK(check_fe_equal(&x, &xii));
1894 }
1895}
1896
2cad067a 1897void run_field_inv_var(void) {
dd891e0e 1898 secp256k1_fe x, xi, xii;
bf2e1ac7
GM		 1899 int i;
1900 for (i = 0; i < 10*count; i++) {
f16be77f
PD		 1901 random_fe_non_zero(&x);
1902 secp256k1_fe_inv_var(&xi, &x);
1903 CHECK(check_fe_inverse(&x, &xi));
1904 secp256k1_fe_inv_var(&xii, &xi);
1905 CHECK(check_fe_equal(&x, &xii));
1906 }
1907}
1908
2cad067a 1909void run_field_inv_all_var(void) {
dd891e0e 1910 secp256k1_fe x[16], xi[16], xii[16];
bf2e1ac7 1911 int i;
71712b27 1912 /* Check it's safe to call for 0 elements */
7d893f49 1913 secp256k1_fe_inv_all_var(xi, x, 0);
bf2e1ac7
GM		 1914 for (i = 0; i < count; i++) {
1915 size_t j;
fa57f1bd 1916 size_t len = secp256k1_rand_int(15) + 1;
26320197 1917 for (j = 0; j < len; j++) {
f16be77f 1918 random_fe_non_zero(&x[j]);
26320197 1919 }
7d893f49 1920 secp256k1_fe_inv_all_var(xi, x, len);
26320197 1921 for (j = 0; j < len; j++) {
f16be77f 1922 CHECK(check_fe_inverse(&x[j], &xi[j]));
26320197 1923 }
7d893f49 1924 secp256k1_fe_inv_all_var(xii, xi, len);
26320197 1925 for (j = 0; j < len; j++) {
f16be77f 1926 CHECK(check_fe_equal(&x[j], &xii[j]));
26320197 1927 }
f16be77f
PD		 1928 }
1929}
1930
2cad067a 1931void run_sqr(void) {
dd891e0e 1932 secp256k1_fe x, s;
59447da3 1933
59447da3 1934 {
bf2e1ac7 1935 int i;
59447da3
PD		 1936 secp256k1_fe_set_int(&x, 1);
1937 secp256k1_fe_negate(&x, &x, 1);
1938
bf2e1ac7 1939 for (i = 1; i <= 512; ++i) {
59447da3
PD		 1940 secp256k1_fe_mul_int(&x, 2);
1941 secp256k1_fe_normalize(&x);
1942 secp256k1_fe_sqr(&s, &x);
59447da3
PD		 1943 }
1944 }
59447da3
PD		 1945}
1946
dd891e0e
PW		 1947void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
1948 secp256k1_fe r1, r2;
926836ad 1949 int v = secp256k1_fe_sqrt(&r1, a);
0592d117 1950 CHECK((v == 0) == (k == NULL));
09ca4f32
PD		 1951
1952 if (k != NULL) {
71712b27 1953 /* Check that the returned root is +/- the given known answer */
09ca4f32
PD		 1954 secp256k1_fe_negate(&r2, &r1, 1);
1955 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
1956 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
0592d117 1957 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
09ca4f32
PD		 1958 }
1959}
1960
2cad067a 1961void run_sqrt(void) {
dd891e0e 1962 secp256k1_fe ns, x, s, t;
bf2e1ac7 1963 int i;
6d6102fe 1964
71712b27 1965 /* Check sqrt(0) is 0 */
6d6102fe
PD		 1966 secp256k1_fe_set_int(&x, 0);
1967 secp256k1_fe_sqr(&s, &x);
1968 test_sqrt(&s, &x);
1969
71712b27 1970 /* Check sqrt of small squares (and their negatives) */
bf2e1ac7 1971 for (i = 1; i <= 100; i++) {
6d6102fe 1972 secp256k1_fe_set_int(&x, i);
09ca4f32
PD		 1973 secp256k1_fe_sqr(&s, &x);
1974 test_sqrt(&s, &x);
6d6102fe 1975 secp256k1_fe_negate(&t, &s, 1);
09ca4f32
PD		 1976 test_sqrt(&t, NULL);
1977 }
6d6102fe 1978
71712b27 1979 /* Consistency checks for large random values */
bf2e1ac7
GM		 1980 for (i = 0; i < 10; i++) {
1981 int j;
6d6102fe 1982 random_fe_non_square(&ns);
bf2e1ac7 1983 for (j = 0; j < count; j++) {
6d6102fe
PD		 1984 random_fe(&x);
1985 secp256k1_fe_sqr(&s, &x);
1986 test_sqrt(&s, &x);
1987 secp256k1_fe_negate(&t, &s, 1);
1988 test_sqrt(&t, NULL);
1989 secp256k1_fe_mul(&t, &s, &ns);
1990 test_sqrt(&t, NULL);
1991 }
1992 }
09ca4f32
PD		 1993}
1994
9338dbf7
PW		 1995/***** GROUP TESTS *****/
1996
dd891e0e 1997void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
60571c6e 1998 CHECK(a->infinity == b->infinity);
26320197 1999 if (a->infinity) {
60571c6e 2000 return;
26320197 2001 }
60571c6e 2002 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
baa75da5 2003 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
9338dbf7
PW		 2004}
2005
d2275795 2006/* This compares jacobian points including their Z, not just their geometric meaning. */
dd891e0e
PW		 2007int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
2008 secp256k1_gej a2;
2009 secp256k1_gej b2;
d2275795
GM		 2010 int ret = 1;
2011 ret &= a->infinity == b->infinity;
2012 if (ret && !a->infinity) {
2013 a2 = *a;
2014 b2 = *b;
2015 secp256k1_fe_normalize(&a2.x);
2016 secp256k1_fe_normalize(&a2.y);
2017 secp256k1_fe_normalize(&a2.z);
2018 secp256k1_fe_normalize(&b2.x);
2019 secp256k1_fe_normalize(&b2.y);
2020 secp256k1_fe_normalize(&b2.z);
2021 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
2022 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
2023 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
2024 }
2025 return ret;
2026}
2027
dd891e0e
PW		 2028void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
2029 secp256k1_fe z2s;
2030 secp256k1_fe u1, u2, s1, s2;
60571c6e 2031 CHECK(a->infinity == b->infinity);
26320197 2032 if (a->infinity) {
60571c6e 2033 return;
26320197 2034 }
60571c6e 2035 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
60571c6e 2036 secp256k1_fe_sqr(&z2s, &b->z);
60571c6e
PW		 2037 secp256k1_fe_mul(&u1, &a->x, &z2s);
2038 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
2039 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
2040 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
2041 CHECK(secp256k1_fe_equal_var(&u1, &u2));
2042 CHECK(secp256k1_fe_equal_var(&s1, &s2));
9338dbf7
PW		 2043}
2044
2cad067a 2045void test_ge(void) {
bf2e1ac7 2046 int i, i1;
76574202
PW		 2047#ifdef USE_ENDOMORPHISM
2048 int runs = 6;
2049#else
60571c6e 2050 int runs = 4;
76574202 2051#endif
60571c6e
PW		 2052 /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
2053 * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
2054 * All magnitudes are randomized.
269d4227 2055 * All 17*17 combinations of points are added to each other, using all applicable methods.
76574202
PW		 2056 *
2057 * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well.
60571c6e 2058 */
5eb030ca
WL		 2059 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
2060 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
2061 secp256k1_fe *zinv = (secp256k1_fe *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
dd891e0e
PW		 2062 secp256k1_fe zf;
2063 secp256k1_fe zfi2, zfi3;
4f9791ab 2064
60571c6e
PW		 2065 secp256k1_gej_set_infinity(&gej[0]);
2066 secp256k1_ge_clear(&ge[0]);
2067 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
bf2e1ac7
GM		 2068 for (i = 0; i < runs; i++) {
2069 int j;
dd891e0e 2070 secp256k1_ge g;
60571c6e 2071 random_group_element_test(&g);
76574202
PW		 2072#ifdef USE_ENDOMORPHISM
2073 if (i >= runs - 2) {
2074 secp256k1_ge_mul_lambda(&g, &ge[1]);
2075 }
2076 if (i >= runs - 1) {
2077 secp256k1_ge_mul_lambda(&g, &g);
2078 }
2079#endif
60571c6e
PW		 2080 ge[1 + 4 * i] = g;
2081 ge[2 + 4 * i] = g;
2082 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
2083 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
2084 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
2085 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
2086 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
2087 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
bf2e1ac7 2088 for (j = 0; j < 4; j++) {
60571c6e
PW		 2089 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
2090 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
2091 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
2092 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
2093 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
2094 }
2095 }
2096
4f9791ab
PD		 2097 /* Compute z inverses. */
2098 {
5eb030ca 2099 secp256k1_fe *zs = checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
4f9791ab
PD		 2100 for (i = 0; i < 4 * runs + 1; i++) {
2101 if (i == 0) {
2102 /* The point at infinity does not have a meaningful z inverse. Any should do. */
2103 do {
2104 random_field_element_test(&zs[i]);
2105 } while(secp256k1_fe_is_zero(&zs[i]));
2106 } else {
2107 zs[i] = gej[i].z;
2108 }
2109 }
7d893f49 2110 secp256k1_fe_inv_all_var(zinv, zs, 4 * runs + 1);
4f9791ab
PD		 2111 free(zs);
2112 }
2113
2114 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
2115 do {
2116 random_field_element_test(&zf);
2117 } while(secp256k1_fe_is_zero(&zf));
2118 random_field_element_magnitude(&zf);
2119 secp256k1_fe_inv_var(&zfi3, &zf);
2120 secp256k1_fe_sqr(&zfi2, &zfi3);
2121 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
2122
bf2e1ac7
GM		 2123 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
2124 int i2;
2125 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
60571c6e 2126 /* Compute reference result using gej + gej (var). */
dd891e0e
PW		 2127 secp256k1_gej refj, resj;
2128 secp256k1_ge ref;
2129 secp256k1_fe zr;
4f9791ab
PD		 2130 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2131 /* Check Z ratio. */
2132 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
dd891e0e 2133 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
4f9791ab
PD		 2134 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
2135 }
60571c6e
PW		 2136 secp256k1_ge_set_gej_var(&ref, &refj);
2137
2d5a186c
PD		 2138 /* Test gej + ge with Z ratio result (var). */
2139 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
60571c6e 2140 ge_equals_gej(&ref, &resj);
2d5a186c 2141 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
dd891e0e 2142 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2d5a186c
PD		 2143 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
2144 }
60571c6e 2145
4f9791ab
PD		 2146 /* Test gej + ge (var, with additional Z factor). */
2147 {
dd891e0e 2148 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
4f9791ab
PD		 2149 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
2150 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
2151 random_field_element_magnitude(&ge2_zfi.x);
2152 random_field_element_magnitude(&ge2_zfi.y);
2153 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
2154 ge_equals_gej(&ref, &resj);
2155 }
2156
60571c6e
PW		 2157 /* Test gej + ge (const). */
2158 if (i2 != 0) {
2159 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
2160 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
2161 ge_equals_gej(&ref, &resj);
2162 }
2163
2164 /* Test doubling (var). */
2165 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
dd891e0e 2166 secp256k1_fe zr2;
4f9791ab
PD		 2167 /* Normal doubling with Z ratio result. */
2168 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
60571c6e 2169 ge_equals_gej(&ref, &resj);
4f9791ab
PD		 2170 /* Check Z ratio. */
2171 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2172 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2173 /* Normal doubling. */
2174 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
60571c6e
PW		 2175 ge_equals_gej(&ref, &resj);
2176 }
2177
2178 /* Test adding opposites. */
2179 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2180 CHECK(secp256k1_ge_is_infinity(&ref));
2181 }
2182
2183 /* Test adding infinity. */
2184 if (i1 == 0) {
2185 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2186 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2187 ge_equals_gej(&ref, &gej[i2]);
2188 }
2189 if (i2 == 0) {
2190 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2191 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2192 ge_equals_gej(&ref, &gej[i1]);
2193 }
2194 }
2195 }
2196
9ab93355
PW		 2197 /* Test adding all points together in random order equals infinity. */
2198 {
dd891e0e 2199 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
5eb030ca 2200 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
bf2e1ac7 2201 for (i = 0; i < 4 * runs + 1; i++) {
9ab93355
PW		 2202 gej_shuffled[i] = gej[i];
2203 }
bf2e1ac7 2204 for (i = 0; i < 4 * runs + 1; i++) {
fa57f1bd 2205 int swap = i + secp256k1_rand_int(4 * runs + 1 - i);
9ab93355 2206 if (swap != i) {
dd891e0e 2207 secp256k1_gej t = gej_shuffled[i];
9ab93355
PW		 2208 gej_shuffled[i] = gej_shuffled[swap];
2209 gej_shuffled[swap] = t;
2210 }
2211 }
bf2e1ac7 2212 for (i = 0; i < 4 * runs + 1; i++) {
4f9791ab 2213 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
9ab93355
PW		 2214 }
2215 CHECK(secp256k1_gej_is_infinity(&sum));
2216 free(gej_shuffled);
2217 }
2218
4f9791ab 2219 /* Test batch gej -> ge conversion with and without known z ratios. */
60571c6e 2220 {
5eb030ca 2221 secp256k1_fe *zr = (secp256k1_fe *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_fe));
5eb030ca 2222 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
4f9791ab
PD		 2223 for (i = 0; i < 4 * runs + 1; i++) {
2224 /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
2225 if (i < 4 * runs) {
2226 secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
2227 }
2228 }
7f7a2ed3 2229 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
bf2e1ac7 2230 for (i = 0; i < 4 * runs + 1; i++) {
dd891e0e 2231 secp256k1_fe s;
d2275795
GM		 2232 random_fe_non_zero(&s);
2233 secp256k1_gej_rescale(&gej[i], &s);
60571c6e
PW		 2234 ge_equals_gej(&ge_set_all[i], &gej[i]);
2235 }
2236 free(ge_set_all);
4f9791ab 2237 free(zr);
60571c6e
PW		 2238 }
2239
ffd3b346
AP		 2240 /* Test batch gej -> ge conversion with many infinities. */
2241 for (i = 0; i < 4 * runs + 1; i++) {
2242 random_group_element_test(&ge[i]);
271582b3 2243 /* randomly set half the points to infinity */
ffd3b346
AP		 2244 if(secp256k1_fe_is_odd(&ge[i].x)) {
2245 secp256k1_ge_set_infinity(&ge[i]);
2246 }
2247 secp256k1_gej_set_ge(&gej[i], &ge[i]);
2248 }
2249 /* batch invert */
2250 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
2251 /* check result */
2252 for (i = 0; i < 4 * runs + 1; i++) {
2253 ge_equals_gej(&ge[i], &gej[i]);
2254 }
2255
60571c6e
PW		 2256 free(ge);
2257 free(gej);
4f9791ab 2258 free(zinv);
9338dbf7
PW		 2259}
2260
8c5d5f7b
AP		 2261void test_add_neg_y_diff_x(void) {
2262 /* The point of this test is to check that we can add two points
2263 * whose y-coordinates are negatives of each other but whose x
2264 * coordinates differ. If the x-coordinates were the same, these
2265 * points would be negatives of each other and their sum is
2266 * infinity. This is cool because it "covers up" any degeneracy
2267 * in the addition algorithm that would cause the xy coordinates
2268 * of the sum to be wrong (since infinity has no xy coordinates).
2269 * HOWEVER, if the x-coordinates are different, infinity is the
2270 * wrong answer, and such degeneracies are exposed. This is the
faa2a11c
M		 2271 * root of https://github.com/bitcoin-core/secp256k1/issues/257
2272 * which this test is a regression test for.
8c5d5f7b
AP		 2273 *
2274 * These points were generated in sage as
2275 * # secp256k1 params
2276 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2277 * C = EllipticCurve ([F (0), F (7)])
2278 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2279 * N = FiniteField(G.order())
2280 *
2281 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2282 * x = polygen(N)
2283 * lam = (1 - x^3).roots()[1][0]
2284 *
2285 * # random "bad pair"
2286 * P = C.random_element()
2287 * Q = -int(lam) * P
2288 * print " P: %x %x" % P.xy()
2289 * print " Q: %x %x" % Q.xy()
2290 * print "P + Q: %x %x" % (P + Q).xy()
2291 */
dd891e0e 2292 secp256k1_gej aj = SECP256K1_GEJ_CONST(
8c5d5f7b
AP		 2293 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2294 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2295 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2296 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2297 );
dd891e0e 2298 secp256k1_gej bj = SECP256K1_GEJ_CONST(
8c5d5f7b
AP		 2299 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2300 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2301 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2302 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2303 );
dd891e0e 2304 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
8c5d5f7b
AP		 2305 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2306 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2307 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2308 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2309 );
dd891e0e
PW		 2310 secp256k1_ge b;
2311 secp256k1_gej resj;
2312 secp256k1_ge res;
8c5d5f7b
AP		 2313 secp256k1_ge_set_gej(&b, &bj);
2314
2315 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2316 secp256k1_ge_set_gej(&res, &resj);
2317 ge_equals_gej(&res, &sumj);
2318
2319 secp256k1_gej_add_ge(&resj, &aj, &b);
2320 secp256k1_ge_set_gej(&res, &resj);
2321 ge_equals_gej(&res, &sumj);
2322
2323 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2324 secp256k1_ge_set_gej(&res, &resj);
2325 ge_equals_gej(&res, &sumj);
2326}
2327
2cad067a 2328void run_ge(void) {
bf2e1ac7
GM		 2329 int i;
2330 for (i = 0; i < count * 32; i++) {
9338dbf7
PW		 2331 test_ge();
2332 }
8c5d5f7b 2333 test_add_neg_y_diff_x();
9338dbf7
PW		 2334}
2335
a5a66c70 2336void test_ec_combine(void) {
dd891e0e
PW		 2337 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2338 secp256k1_pubkey data[6];
2339 const secp256k1_pubkey* d[6];
2340 secp256k1_pubkey sd;
2341 secp256k1_pubkey sd2;
2342 secp256k1_gej Qj;
2343 secp256k1_ge Q;
a5a66c70
PW		 2344 int i;
2345 for (i = 1; i <= 6; i++) {
dd891e0e 2346 secp256k1_scalar s;
a5a66c70
PW		 2347 random_scalar_order_test(&s);
2348 secp256k1_scalar_add(&sum, &sum, &s);
2349 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2350 secp256k1_ge_set_gej(&Q, &Qj);
2351 secp256k1_pubkey_save(&data[i - 1], &Q);
2352 d[i - 1] = &data[i - 1];
2353 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2354 secp256k1_ge_set_gej(&Q, &Qj);
2355 secp256k1_pubkey_save(&sd, &Q);
dc0ce9fc 2356 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
a5a66c70
PW		 2357 CHECK(memcmp(&sd, &sd2, sizeof(sd)) == 0);
2358 }
2359}
2360
2361void run_ec_combine(void) {
2362 int i;
2363 for (i = 0; i < count * 8; i++) {
2364 test_ec_combine();
2365 }
2366}
2367
64666251
PW		 2368void test_group_decompress(const secp256k1_fe* x) {
2369 /* The input itself, normalized. */
2370 secp256k1_fe fex = *x;
e6e9805f 2371 secp256k1_fe fez;
64666251
PW		 2372 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2373 secp256k1_ge ge_quad, ge_even, ge_odd;
e6e9805f 2374 secp256k1_gej gej_quad;
64666251
PW		 2375 /* Return values of the above calls. */
2376 int res_quad, res_even, res_odd;
2377
2378 secp256k1_fe_normalize_var(&fex);
2379
926836ad 2380 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
64666251
PW		 2381 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2382 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2383
2384 CHECK(res_quad == res_even);
2385 CHECK(res_quad == res_odd);
2386
2387 if (res_quad) {
2388 secp256k1_fe_normalize_var(&ge_quad.x);
2389 secp256k1_fe_normalize_var(&ge_odd.x);
2390 secp256k1_fe_normalize_var(&ge_even.x);
2391 secp256k1_fe_normalize_var(&ge_quad.y);
2392 secp256k1_fe_normalize_var(&ge_odd.y);
2393 secp256k1_fe_normalize_var(&ge_even.y);
2394
2395 /* No infinity allowed. */
2396 CHECK(!ge_quad.infinity);
2397 CHECK(!ge_even.infinity);
2398 CHECK(!ge_odd.infinity);
2399
2400 /* Check that the x coordinates check out. */
2401 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2402 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2403 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2404
2405 /* Check that the Y coordinate result in ge_quad is a square. */
e6e9805f 2406 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
64666251
PW		 2407
2408 /* Check odd/even Y in ge_odd, ge_even. */
2409 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2410 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
e6e9805f
PW		 2411
2412 /* Check secp256k1_gej_has_quad_y_var. */
2413 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2414 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2415 do {
2416 random_fe_test(&fez);
2417 } while (secp256k1_fe_is_zero(&fez));
2418 secp256k1_gej_rescale(&gej_quad, &fez);
2419 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2420 secp256k1_gej_neg(&gej_quad, &gej_quad);
2421 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2422 do {
2423 random_fe_test(&fez);
2424 } while (secp256k1_fe_is_zero(&fez));
2425 secp256k1_gej_rescale(&gej_quad, &fez);
2426 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2427 secp256k1_gej_neg(&gej_quad, &gej_quad);
2428 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
64666251
PW		 2429 }
2430}
2431
2432void run_group_decompress(void) {
2433 int i;
2434 for (i = 0; i < count * 4; i++) {
2435 secp256k1_fe fe;
2436 random_fe_test(&fe);
2437 test_group_decompress(&fe);
2438 }
2439}
2440
09ca4f32
PD		 2441/***** ECMULT TESTS *****/
2442
2cad067a 2443void run_ecmult_chain(void) {
443cd4b8 2444 /* random starting point A (on the curve) */
dd891e0e 2445 secp256k1_gej a = SECP256K1_GEJ_CONST(
443cd4b8
PW		 2446 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2447 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2448 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2449 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2450 );
71712b27 2451 /* two random initial factors xn and gn */
dd891e0e 2452 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
443cd4b8
PW		 2453 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2454 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2455 );
dd891e0e 2456 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
443cd4b8
PW		 2457 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2458 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2459 );
71712b27 2460 /* two small multipliers to be applied to xn and gn in every iteration: */
dd891e0e
PW		 2461 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2462 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
71712b27 2463 /* accumulators with the resulting coefficients to A and G */
dd891e0e
PW		 2464 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2465 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
443cd4b8 2466 /* actual points */
cfe0ed91 2467 secp256k1_gej x;
dd891e0e 2468 secp256k1_gej x2;
443cd4b8
PW		 2469 int i;
2470
71712b27 2471 /* the point being computed */
bf2e1ac7
GM		 2472 x = a;
2473 for (i = 0; i < 200*count; i++) {
71712b27 2474 /* in each iteration, compute X = xn*X + gn*G; */
a9b6595e 2475 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
71712b27
GM		 2476 /* also compute ae and ge: the actual accumulated factors for A and G */
2477 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
f24041d6
PW		 2478 secp256k1_scalar_mul(&ae, &ae, &xn);
2479 secp256k1_scalar_mul(&ge, &ge, &xn);
2480 secp256k1_scalar_add(&ge, &ge, &gn);
71712b27 2481 /* modify xn and gn */
f24041d6
PW		 2482 secp256k1_scalar_mul(&xn, &xn, &xf);
2483 secp256k1_scalar_mul(&gn, &gn, &gf);
404c30a8 2484
71712b27 2485 /* verify */
404c30a8 2486 if (i == 19999) {
443cd4b8 2487 /* expected result after 19999 iterations */
dd891e0e 2488 secp256k1_gej rp = SECP256K1_GEJ_CONST(
443cd4b8
PW		 2489 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2490 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2491 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2492 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2493 );
2494
2495 secp256k1_gej_neg(&rp, &rp);
4f9791ab 2496 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
443cd4b8 2497 CHECK(secp256k1_gej_is_infinity(&rp));
404c30a8 2498 }
4adf6b2a 2499 }
71712b27 2500 /* redo the computation, but directly with the resulting ae and ge coefficients: */
a9b6595e 2501 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
443cd4b8 2502 secp256k1_gej_neg(&x2, &x2);
4f9791ab 2503 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
443cd4b8 2504 CHECK(secp256k1_gej_is_infinity(&x2));
a41f32e6
PW		 2505}
2506
dd891e0e 2507void test_point_times_order(const secp256k1_gej *point) {
b5c9ee75 2508 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
dd891e0e
PW		 2509 secp256k1_scalar x;
2510 secp256k1_scalar nx;
2511 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2512 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2513 secp256k1_gej res1, res2;
2514 secp256k1_ge res3;
bf2e1ac7 2515 unsigned char pub[65];
788038d3 2516 size_t psize = 65;
bf2e1ac7
GM		 2517 random_scalar_order_test(&x);
2518 secp256k1_scalar_negate(&nx, &x);
a9b6595e
PW		 2519 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2520 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
4f9791ab 2521 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
b5c9ee75 2522 CHECK(secp256k1_gej_is_infinity(&res1));
39bd94d8 2523 CHECK(secp256k1_gej_is_valid_var(&res1) == 0);
ee3eb4be
GM		 2524 secp256k1_ge_set_gej(&res3, &res1);
2525 CHECK(secp256k1_ge_is_infinity(&res3));
39bd94d8 2526 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
9234391e 2527 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
8d11164b 2528 psize = 65;
9234391e 2529 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
baa75da5
AP		 2530 /* check zero/one edge cases */
2531 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2532 secp256k1_ge_set_gej(&res3, &res1);
2533 CHECK(secp256k1_ge_is_infinity(&res3));
2534 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2535 secp256k1_ge_set_gej(&res3, &res1);
2536 ge_equals_gej(&res3, point);
2537 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2538 secp256k1_ge_set_gej(&res3, &res1);
2539 ge_equals_ge(&res3, &secp256k1_ge_const_g);
4e0ed539
PW		 2540}
2541
2cad067a 2542void run_point_times_order(void) {
bf2e1ac7 2543 int i;
dd891e0e
PW		 2544 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2545 static const secp256k1_fe xr = SECP256K1_FE_CONST(
443cd4b8
PW		 2546 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2547 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2548 );
bf2e1ac7 2549 for (i = 0; i < 500; i++) {
dd891e0e 2550 secp256k1_ge p;
39bd94d8 2551 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
dd891e0e 2552 secp256k1_gej j;
bf2e1ac7 2553 CHECK(secp256k1_ge_is_valid_var(&p));
09ca4f32 2554 secp256k1_gej_set_ge(&j, &p);
39bd94d8 2555 CHECK(secp256k1_gej_is_valid_var(&j));
09ca4f32
PD		 2556 test_point_times_order(&j);
2557 }
910d0de4 2558 secp256k1_fe_sqr(&x, &x);
4e0ed539 2559 }
443cd4b8
PW		 2560 secp256k1_fe_normalize_var(&x);
2561 CHECK(secp256k1_fe_equal_var(&x, &xr));
4e0ed539
PW		 2562}
2563
44015000
AP		 2564void ecmult_const_random_mult(void) {
2565 /* random starting point A (on the curve) */
dd891e0e 2566 secp256k1_ge a = SECP256K1_GE_CONST(
44015000
AP		 2567 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2568 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2569 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2570 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2571 );
2572 /* random initial factor xn */
dd891e0e 2573 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
44015000
AP		 2574 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2575 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2576 );
2577 /* expected xn * A (from sage) */
dd891e0e 2578 secp256k1_ge expected_b = SECP256K1_GE_CONST(
44015000
AP		 2579 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2580 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2581 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2582 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2583 );
dd891e0e 2584 secp256k1_gej b;
7c1b91ba 2585 secp256k1_ecmult_const(&b, &a, &xn, 256);
44015000
AP		 2586
2587 CHECK(secp256k1_ge_is_valid_var(&a));
2588 ge_equals_gej(&expected_b, &b);
2589}
2590
2591void ecmult_const_commutativity(void) {
dd891e0e
PW		 2592 secp256k1_scalar a;
2593 secp256k1_scalar b;
2594 secp256k1_gej res1;
2595 secp256k1_gej res2;
2596 secp256k1_ge mid1;
2597 secp256k1_ge mid2;
44015000
AP		 2598 random_scalar_order_test(&a);
2599 random_scalar_order_test(&b);
2600
7c1b91ba
AP		 2601 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
2602 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
44015000
AP		 2603 secp256k1_ge_set_gej(&mid1, &res1);
2604 secp256k1_ge_set_gej(&mid2, &res2);
7c1b91ba
AP		 2605 secp256k1_ecmult_const(&res1, &mid1, &b, 256);
2606 secp256k1_ecmult_const(&res2, &mid2, &a, 256);
44015000
AP		 2607 secp256k1_ge_set_gej(&mid1, &res1);
2608 secp256k1_ge_set_gej(&mid2, &res2);
2609 ge_equals_ge(&mid1, &mid2);
2610}
2611
2612void ecmult_const_mult_zero_one(void) {
dd891e0e
PW		 2613 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2614 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2615 secp256k1_scalar negone;
2616 secp256k1_gej res1;
2617 secp256k1_ge res2;
2618 secp256k1_ge point;
44015000
AP		 2619 secp256k1_scalar_negate(&negone, &one);
2620
2621 random_group_element_test(&point);
7c1b91ba 2622 secp256k1_ecmult_const(&res1, &point, &zero, 3);
44015000
AP		 2623 secp256k1_ge_set_gej(&res2, &res1);
2624 CHECK(secp256k1_ge_is_infinity(&res2));
7c1b91ba 2625 secp256k1_ecmult_const(&res1, &point, &one, 2);
44015000
AP		 2626 secp256k1_ge_set_gej(&res2, &res1);
2627 ge_equals_ge(&res2, &point);
7c1b91ba 2628 secp256k1_ecmult_const(&res1, &point, &negone, 256);
44015000
AP		 2629 secp256k1_gej_neg(&res1, &res1);
2630 secp256k1_ge_set_gej(&res2, &res1);
2631 ge_equals_ge(&res2, &point);
2632}
2633
2634void ecmult_const_chain_multiply(void) {
2635 /* Check known result (randomly generated test problem from sage) */
dd891e0e 2636 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
44015000
AP		 2637 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2638 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2639 );
dd891e0e 2640 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
44015000
AP		 2641 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2642 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2643 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2644 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2645 );
dd891e0e
PW		 2646 secp256k1_gej point;
2647 secp256k1_ge res;
44015000
AP		 2648 int i;
2649
2650 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2651 for (i = 0; i < 100; ++i) {
dd891e0e 2652 secp256k1_ge tmp;
44015000 2653 secp256k1_ge_set_gej(&tmp, &point);
7c1b91ba 2654 secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
44015000
AP		 2655 }
2656 secp256k1_ge_set_gej(&res, &point);
2657 ge_equals_gej(&res, &expected_point);
2658}
2659
2660void run_ecmult_const_tests(void) {
2661 ecmult_const_mult_zero_one();
2662 ecmult_const_random_mult();
2663 ecmult_const_commutativity();
2664 ecmult_const_chain_multiply();
2665}
2666
dba5471b
AP		 2667typedef struct {
2668 secp256k1_scalar *sc;
2669 secp256k1_ge *pt;
2670} ecmult_multi_data;
2671
2672static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2673 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
2674 *sc = data->sc[idx];
2675 *pt = data->pt[idx];
2676 return 1;
2677}
2678
355a38f1
JN		 2679static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2680 (void)sc;
2681 (void)pt;
2682 (void)idx;
2683 (void)cbdata;
2684 return 0;
2685}
2686
2687void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
dba5471b
AP		 2688 int ncount;
2689 secp256k1_scalar szero;
2690 secp256k1_scalar sc[32];
2691 secp256k1_ge pt[32];
2692 secp256k1_gej r;
2693 secp256k1_gej r2;
2694 ecmult_multi_data data;
dba5471b
AP		 2695
2696 data.sc = sc;
2697 data.pt = pt;
dba5471b 2698 secp256k1_scalar_set_int(&szero, 0);
355a38f1
JN		 2699
2700 /* No points to multiply */
c2b028a2 2701 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
dba5471b
AP		 2702
2703 /* Check 1- and 2-point multiplies against ecmult */
2704 for (ncount = 0; ncount < count; ncount++) {
2705 secp256k1_ge ptg;
2706 secp256k1_gej ptgj;
2707 random_scalar_order(&sc[0]);
2708 random_scalar_order(&sc[1]);
2709
2710 random_group_element_test(&ptg);
2711 secp256k1_gej_set_ge(&ptgj, &ptg);
2712 pt[0] = ptg;
2713 pt[1] = secp256k1_ge_const_g;
2714
355a38f1
JN		 2715 /* only G scalar */
2716 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
c2b028a2 2717 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
355a38f1
JN		 2718 secp256k1_gej_neg(&r2, &r2);
2719 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2720 CHECK(secp256k1_gej_is_infinity(&r));
2721
dba5471b
AP		 2722 /* 1-point */
2723 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
c2b028a2 2724 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
dba5471b
AP		 2725 secp256k1_gej_neg(&r2, &r2);
2726 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2727 CHECK(secp256k1_gej_is_infinity(&r));
2728
355a38f1 2729 /* Try to multiply 1 point, but callback returns false */
c2b028a2 2730 CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
355a38f1 2731
dba5471b
AP		 2732 /* 2-point */
2733 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
c2b028a2 2734 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
dba5471b
AP		 2735 secp256k1_gej_neg(&r2, &r2);
2736 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2737 CHECK(secp256k1_gej_is_infinity(&r));
2738
2739 /* 2-point with G scalar */
2740 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
c2b028a2 2741 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
dba5471b
AP		 2742 secp256k1_gej_neg(&r2, &r2);
2743 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2744 CHECK(secp256k1_gej_is_infinity(&r));
2745 }
2746
2747 /* Check infinite outputs of various forms */
2748 for (ncount = 0; ncount < count; ncount++) {
2749 secp256k1_ge ptg;
2750 size_t i, j;
2751 size_t sizes[] = { 2, 10, 32 };
2752
2753 for (j = 0; j < 3; j++) {
2754 for (i = 0; i < 32; i++) {
2755 random_scalar_order(&sc[i]);
2756 secp256k1_ge_set_infinity(&pt[i]);
2757 }
c2b028a2 2758 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
dba5471b
AP		 2759 CHECK(secp256k1_gej_is_infinity(&r));
2760 }
2761
2762 for (j = 0; j < 3; j++) {
2763 for (i = 0; i < 32; i++) {
2764 random_group_element_test(&ptg);
2765 pt[i] = ptg;
2766 secp256k1_scalar_set_int(&sc[i], 0);
2767 }
c2b028a2 2768 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
dba5471b
AP		 2769 CHECK(secp256k1_gej_is_infinity(&r));
2770 }
2771
2772 for (j = 0; j < 3; j++) {
2773 random_group_element_test(&ptg);
2774 for (i = 0; i < 16; i++) {
2775 random_scalar_order(&sc[2*i]);
2776 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
2777 pt[2 * i] = ptg;
2778 pt[2 * i + 1] = ptg;
2779 }
2780
c2b028a2 2781 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
dba5471b
AP		 2782 CHECK(secp256k1_gej_is_infinity(&r));
2783
2784 random_scalar_order(&sc[0]);
2785 for (i = 0; i < 16; i++) {
2786 random_group_element_test(&ptg);
2787
2788 sc[2*i] = sc[0];
2789 sc[2*i+1] = sc[0];
2790 pt[2 * i] = ptg;
2791 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
2792 }
2793
c2b028a2 2794 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
dba5471b
AP		 2795 CHECK(secp256k1_gej_is_infinity(&r));
2796 }
2797
2798 random_group_element_test(&ptg);
2799 secp256k1_scalar_set_int(&sc[0], 0);
2800 pt[0] = ptg;
2801 for (i = 1; i < 32; i++) {
2802 pt[i] = ptg;
2803
2804 random_scalar_order(&sc[i]);
2805 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
2806 secp256k1_scalar_negate(&sc[i], &sc[i]);
2807 }
2808
c2b028a2 2809 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
dba5471b
AP		 2810 CHECK(secp256k1_gej_is_infinity(&r));
2811 }
2812
2813 /* Check random points, constant scalar */
2814 for (ncount = 0; ncount < count; ncount++) {
2815 size_t i;
2816 secp256k1_gej_set_infinity(&r);
2817
2818 random_scalar_order(&sc[0]);
2819 for (i = 0; i < 20; i++) {
2820 secp256k1_ge ptg;
2821 sc[i] = sc[0];
2822 random_group_element_test(&ptg);
2823 pt[i] = ptg;
2824 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
2825 }
2826
2827 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
c2b028a2 2828 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
dba5471b
AP		 2829 secp256k1_gej_neg(&r2, &r2);
2830 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2831 CHECK(secp256k1_gej_is_infinity(&r));
2832 }
2833
2834 /* Check random scalars, constant point */
2835 for (ncount = 0; ncount < count; ncount++) {
2836 size_t i;
2837 secp256k1_ge ptg;
2838 secp256k1_gej p0j;
2839 secp256k1_scalar rs;
2840 secp256k1_scalar_set_int(&rs, 0);
2841
2842 random_group_element_test(&ptg);
2843 for (i = 0; i < 20; i++) {
2844 random_scalar_order(&sc[i]);
2845 pt[i] = ptg;
2846 secp256k1_scalar_add(&rs, &rs, &sc[i]);
2847 }
2848
2849 secp256k1_gej_set_ge(&p0j, &pt[0]);
2850 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
c2b028a2 2851 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
dba5471b
AP		 2852 secp256k1_gej_neg(&r2, &r2);
2853 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2854 CHECK(secp256k1_gej_is_infinity(&r));
2855 }
2856
2857 /* Sanity check that zero scalars don't cause problems */
95e99f19
AP		 2858 for (ncount = 0; ncount < 20; ncount++) {
2859 random_scalar_order(&sc[ncount]);
2860 random_group_element_test(&pt[ncount]);
2861 }
2862
dba5471b 2863 secp256k1_scalar_clear(&sc[0]);
c2b028a2 2864 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
dba5471b
AP		 2865 secp256k1_scalar_clear(&sc[1]);
2866 secp256k1_scalar_clear(&sc[2]);
2867 secp256k1_scalar_clear(&sc[3]);
2868 secp256k1_scalar_clear(&sc[4]);
c2b028a2
AP		 2869 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
2870 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
dba5471b
AP		 2871 CHECK(secp256k1_gej_is_infinity(&r));
2872
2873 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
2874 {
2875 const size_t TOP = 8;
2876 size_t s0i, s1i;
2877 size_t t0i, t1i;
2878 secp256k1_ge ptg;
2879 secp256k1_gej ptgj;
2880
2881 random_group_element_test(&ptg);
2882 secp256k1_gej_set_ge(&ptgj, &ptg);
2883
2884 for(t0i = 0; t0i < TOP; t0i++) {
2885 for(t1i = 0; t1i < TOP; t1i++) {
2886 secp256k1_gej t0p, t1p;
2887 secp256k1_scalar t0, t1;
2888
2889 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
2890 secp256k1_scalar_cond_negate(&t0, t0i & 1);
2891 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
2892 secp256k1_scalar_cond_negate(&t1, t1i & 1);
2893
2894 secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
2895 secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
2896
2897 for(s0i = 0; s0i < TOP; s0i++) {
2898 for(s1i = 0; s1i < TOP; s1i++) {
2899 secp256k1_scalar tmp1, tmp2;
2900 secp256k1_gej expected, actual;
2901
2902 secp256k1_ge_set_gej(&pt[0], &t0p);
2903 secp256k1_ge_set_gej(&pt[1], &t1p);
2904
2905 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
2906 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
2907 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
2908 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
2909
2910 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
2911 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
2912 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
2913
2914 secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
c2b028a2 2915 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
dba5471b
AP		 2916 secp256k1_gej_neg(&expected, &expected);
2917 secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
2918 CHECK(secp256k1_gej_is_infinity(&actual));
2919 }
2920 }
2921 }
2922 }
2923 }
355a38f1
JN		 2924}
2925
9ab96f7b
JN		 2926void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) {
2927 secp256k1_scalar szero;
2928 secp256k1_scalar sc[32];
2929 secp256k1_ge pt[32];
2930 secp256k1_gej r;
2931 ecmult_multi_data data;
2932 secp256k1_scratch *scratch_empty;
2933
2934 data.sc = sc;
2935 data.pt = pt;
2936 secp256k1_scalar_set_int(&szero, 0);
2937
2938 /* Try to multiply 1 point, but scratch space is empty.*/
2939 scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
c2b028a2
AP		 2940 CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
2941 secp256k1_scratch_destroy(&ctx->error_callback, scratch_empty);
9ab96f7b
JN		 2942}
2943
36b22c93
JN		 2944void test_secp256k1_pippenger_bucket_window_inv(void) {
2945 int i;
2946
2947 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
2948 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
2949#ifdef USE_ENDOMORPHISM
2950 /* Bucket_window of 8 is not used with endo */
2951 if (i == 8) {
2952 continue;
2953 }
2954#endif
2955 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
2956 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
2957 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
2958 }
2959 }
2960}
2961
2962/**
2963 * Probabilistically test the function returning the maximum number of possible points
2964 * for a given scratch space.
2965 */
2966void test_ecmult_multi_pippenger_max_points(void) {
2967 size_t scratch_size = secp256k1_rand_int(256);
2968 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
2969 secp256k1_scratch *scratch;
2970 size_t n_points_supported;
2971 int bucket_window = 0;
2972
2973 for(; scratch_size < max_size; scratch_size+=256) {
98836b11
AP		 2974 size_t i;
2975 size_t total_alloc;
2976 size_t checkpoint;
6fe50439 2977 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
36b22c93 2978 CHECK(scratch != NULL);
98836b11 2979 checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch);
c2b028a2 2980 n_points_supported = secp256k1_pippenger_max_points(&ctx->error_callback, scratch);
36b22c93 2981 if (n_points_supported == 0) {
c2b028a2 2982 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
36b22c93
JN		 2983 continue;
2984 }
2985 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
98836b11
AP		 2986 /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
2987 total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
2988 for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
2989 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, 1));
2990 total_alloc--;
2991 }
2992 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, total_alloc));
2993 secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint);
c2b028a2 2994 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
36b22c93
JN		 2995 }
2996 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
2997}
2998
2277af5f
JN		 2999void test_ecmult_multi_batch_size_helper(void) {
3000 size_t n_batches, n_batch_points, max_n_batch_points, n;
3001
3002 max_n_batch_points = 0;
3003 n = 1;
3004 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
3005
3006 max_n_batch_points = 1;
3007 n = 0;
3008 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3009 CHECK(n_batches == 0);
3010 CHECK(n_batch_points == 0);
3011
3012 max_n_batch_points = 2;
3013 n = 5;
3014 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3015 CHECK(n_batches == 3);
3016 CHECK(n_batch_points == 2);
3017
3018 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
3019 n = ECMULT_MAX_POINTS_PER_BATCH;
3020 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3021 CHECK(n_batches == 1);
3022 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
3023
3024 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
3025 n = ECMULT_MAX_POINTS_PER_BATCH + 1;
3026 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3027 CHECK(n_batches == 2);
3028 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
3029
3030 max_n_batch_points = 1;
3031 n = SIZE_MAX;
3032 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3033 CHECK(n_batches == SIZE_MAX);
3034 CHECK(n_batch_points == 1);
3035
3036 max_n_batch_points = 2;
3037 n = SIZE_MAX;
3038 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3039 CHECK(n_batches == SIZE_MAX/2 + 1);
3040 CHECK(n_batch_points == 2);
3041}
3042
36b22c93
JN		 3043/**
3044 * Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to
3045 * 1 <= i <= num points.
3046 */
355a38f1 3047void test_ecmult_multi_batching(void) {
36b22c93 3048 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
355a38f1
JN		 3049 secp256k1_scalar scG;
3050 secp256k1_scalar szero;
3051 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
3052 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
3053 secp256k1_gej r;
3054 secp256k1_gej r2;
3055 ecmult_multi_data data;
3056 int i;
3057 secp256k1_scratch *scratch;
3058
355a38f1
JN		 3059 secp256k1_gej_set_infinity(&r2);
3060 secp256k1_scalar_set_int(&szero, 0);
3061
36b22c93 3062 /* Get random scalars and group elements and compute result */
355a38f1
JN		 3063 random_scalar_order(&scG);
3064 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
3065 for(i = 0; i < n_points; i++) {
3066 secp256k1_ge ptg;
36b22c93 3067 secp256k1_gej ptgj;
355a38f1 3068 random_group_element_test(&ptg);
36b22c93 3069 secp256k1_gej_set_ge(&ptgj, &ptg);
355a38f1
JN		 3070 pt[i] = ptg;
3071 random_scalar_order(&sc[i]);
36b22c93
JN		 3072 secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
3073 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
355a38f1
JN		 3074 }
3075 data.sc = sc;
3076 data.pt = pt;
9ab96f7b 3077 secp256k1_gej_neg(&r2, &r2);
355a38f1 3078
9ab96f7b
JN		 3079 /* Test with empty scratch space. It should compute the correct result using
3080 * ecmult_mult_simple algorithm which doesn't require a scratch space. */
6fe50439 3081 scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
c2b028a2 3082 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
9ab96f7b
JN		 3083 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3084 CHECK(secp256k1_gej_is_infinity(&r));
c2b028a2 3085 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
355a38f1
JN		 3086
3087 /* Test with space for 1 point in pippenger. That's not enough because
9ab96f7b
JN		 3088 * ecmult_multi selects strauss which requires more memory. It should
3089 * therefore select the simple algorithm. */
6fe50439 3090 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
c2b028a2 3091 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
9ab96f7b
JN		 3092 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3093 CHECK(secp256k1_gej_is_infinity(&r));
c2b028a2 3094 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
355a38f1 3095
36b22c93 3096 for(i = 1; i <= n_points; i++) {
355a38f1
JN		 3097 if (i > ECMULT_PIPPENGER_THRESHOLD) {
3098 int bucket_window = secp256k1_pippenger_bucket_window(i);
3099 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
6fe50439 3100 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
355a38f1
JN		 3101 } else {
3102 size_t scratch_size = secp256k1_strauss_scratch_size(i);
6fe50439 3103 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
355a38f1 3104 }
c2b028a2 3105 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
355a38f1
JN		 3106 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3107 CHECK(secp256k1_gej_is_infinity(&r));
c2b028a2 3108 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
355a38f1 3109 }
355a38f1
JN		 3110 free(sc);
3111 free(pt);
3112}
3113
3114void run_ecmult_multi_tests(void) {
3115 secp256k1_scratch *scratch;
dba5471b 3116
36b22c93
JN		 3117 test_secp256k1_pippenger_bucket_window_inv();
3118 test_ecmult_multi_pippenger_max_points();
6fe50439 3119 scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
36b22c93 3120 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
bade6174 3121 test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
36b22c93 3122 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
9ab96f7b 3123 test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single);
36b22c93 3124 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
9ab96f7b 3125 test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single);
c2b028a2 3126 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
36b22c93
JN		 3127
3128 /* Run test_ecmult_multi with space for exactly one point */
6fe50439 3129 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
36b22c93 3130 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
c2b028a2 3131 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
355a38f1 3132
2277af5f 3133 test_ecmult_multi_batch_size_helper();
355a38f1 3134 test_ecmult_multi_batching();
dba5471b
AP		 3135}
3136
dd891e0e
PW		 3137void test_wnaf(const secp256k1_scalar *number, int w) {
3138 secp256k1_scalar x, two, t;
bf2e1ac7
GM		 3139 int wnaf[256];
3140 int zeroes = -1;
3141 int i;
3142 int bits;
f24041d6
PW		 3143 secp256k1_scalar_set_int(&x, 0);
3144 secp256k1_scalar_set_int(&two, 2);
55399c23 3145 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
0b730597 3146 CHECK(bits <= 256);
bf2e1ac7 3147 for (i = bits-1; i >= 0; i--) {
b1483f87 3148 int v = wnaf[i];
bf2e1ac7 3149 secp256k1_scalar_mul(&x, &x, &two);
4e0ed539 3150 if (v) {
71712b27 3151 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
4e0ed539 3152 zeroes=0;
71712b27
GM		 3153 CHECK((v & 1) == 1); /* check non-zero elements are odd */
3154 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
3155 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
4e0ed539 3156 } else {
71712b27 3157 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
4e0ed539
PW		 3158 zeroes++;
3159 }
f24041d6
PW		 3160 if (v >= 0) {
3161 secp256k1_scalar_set_int(&t, v);
3162 } else {
3163 secp256k1_scalar_set_int(&t, -v);
3164 secp256k1_scalar_negate(&t, &t);
3165 }
3166 secp256k1_scalar_add(&x, &x, &t);
4e0ed539 3167 }
f24041d6 3168 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
4e0ed539
PW		 3169}
3170
dd891e0e
PW		 3171void test_constant_wnaf_negate(const secp256k1_scalar *number) {
3172 secp256k1_scalar neg1 = *number;
3173 secp256k1_scalar neg2 = *number;
44015000
AP		 3174 int sign1 = 1;
3175 int sign2 = 1;
3176
3177 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
3178 secp256k1_scalar_negate(&neg1, &neg1);
3179 sign1 = -1;
3180 }
3181 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
3182 CHECK(sign1 == sign2);
3183 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
3184}
3185
dd891e0e
PW		 3186void test_constant_wnaf(const secp256k1_scalar *number, int w) {
3187 secp256k1_scalar x, shift;
44015000
AP		 3188 int wnaf[256] = {0};
3189 int i;
92e53fc4 3190 int skew;
7c1b91ba 3191 int bits = 256;
dd891e0e 3192 secp256k1_scalar num = *number;
44015000
AP		 3193
3194 secp256k1_scalar_set_int(&x, 0);
3195 secp256k1_scalar_set_int(&shift, 1 << w);
92e53fc4
AP		 3196 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3197#ifdef USE_ENDOMORPHISM
912f203f 3198 for (i = 0; i < 16; ++i) {
92e53fc4 3199 secp256k1_scalar_shr_int(&num, 8);
912f203f 3200 }
7c1b91ba 3201 bits = 128;
92e53fc4 3202#endif
8979ec0d 3203 skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
44015000 3204
7c1b91ba 3205 for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
dd891e0e 3206 secp256k1_scalar t;
44015000
AP		 3207 int v = wnaf[i];
3208 CHECK(v != 0); /* check nonzero */
3209 CHECK(v & 1); /* check parity */
3210 CHECK(v > -(1 << w)); /* check range above */
3211 CHECK(v < (1 << w)); /* check range below */
3212
3213 secp256k1_scalar_mul(&x, &x, &shift);
3214 if (v >= 0) {
3215 secp256k1_scalar_set_int(&t, v);
3216 } else {
3217 secp256k1_scalar_set_int(&t, -v);
3218 secp256k1_scalar_negate(&t, &t);
3219 }
3220 secp256k1_scalar_add(&x, &x, &t);
3221 }
c6191fde 3222 /* Skew num because when encoding numbers as odd we use an offset */
92e53fc4 3223 secp256k1_scalar_cadd_bit(&num, skew == 2, 1);
92e53fc4 3224 CHECK(secp256k1_scalar_eq(&x, &num));
44015000
AP		 3225}
3226
355a38f1
JN		 3227void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
3228 secp256k1_scalar x, shift;
3229 int wnaf[256] = {0};
3230 int i;
3231 int skew;
3232 secp256k1_scalar num = *number;
3233
3234 secp256k1_scalar_set_int(&x, 0);
3235 secp256k1_scalar_set_int(&shift, 1 << w);
3236 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3237#ifdef USE_ENDOMORPHISM
3238 for (i = 0; i < 16; ++i) {
3239 secp256k1_scalar_shr_int(&num, 8);
3240 }
3241#endif
3242 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3243
3244 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3245 secp256k1_scalar t;
3246 int v = wnaf[i];
6dbb0078 3247 CHECK(v == 0 || v & 1); /* check parity */
355a38f1
JN		 3248 CHECK(v > -(1 << w)); /* check range above */
3249 CHECK(v < (1 << w)); /* check range below */
3250
3251 secp256k1_scalar_mul(&x, &x, &shift);
3252 if (v >= 0) {
3253 secp256k1_scalar_set_int(&t, v);
3254 } else {
3255 secp256k1_scalar_set_int(&t, -v);
3256 secp256k1_scalar_negate(&t, &t);
3257 }
3258 secp256k1_scalar_add(&x, &x, &t);
3259 }
3260 /* If skew is 1 then add 1 to num */
3261 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
3262 CHECK(secp256k1_scalar_eq(&x, &num));
3263}
3264
ec0a7b3a
JN		 3265/* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
3266 * rest is 0.*/
3267void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
3268 int i;
3269 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
3270 CHECK(wnaf[i] == 0);
3271 }
3272 for (i = 7; i >= 0; --i) {
3273 CHECK(wnaf[i] == wnaf_expected[i]);
3274 }
3275}
3276
3277void test_fixed_wnaf_small(void) {
3278 int w = 4;
355a38f1
JN		 3279 int wnaf[256] = {0};
3280 int i;
3281 int skew;
3282 secp256k1_scalar num;
3283
3284 secp256k1_scalar_set_int(&num, 0);
3285 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
355a38f1
JN		 3286 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3287 int v = wnaf[i];
3288 CHECK(v == 0);
3289 }
3290 CHECK(skew == 0);
ec0a7b3a
JN		 3291
3292 secp256k1_scalar_set_int(&num, 1);
3293 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3294 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
3295 int v = wnaf[i];
3296 CHECK(v == 0);
3297 }
3298 CHECK(wnaf[0] == 1);
3299 CHECK(skew == 0);
3300
3301 {
3302 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
3303 secp256k1_scalar_set_int(&num, 0xffffffff);
3304 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3305 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3306 CHECK(skew == 0);
3307 }
3308 {
3309 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
3310 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
3311 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3312 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3313 CHECK(skew == 1);
3314 }
3315 {
3316 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
3317 secp256k1_scalar_set_int(&num, 0x01010101);
3318 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3319 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3320 CHECK(skew == 0);
3321 }
3322 {
3323 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
3324 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
3325 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3326 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3327 CHECK(skew == 0);
3328 }
355a38f1
JN		 3329}
3330
2cad067a 3331void run_wnaf(void) {
bf2e1ac7 3332 int i;
dd891e0e 3333 secp256k1_scalar n = {{0}};
44015000
AP		 3334
3335 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
3336 * have easier-to-diagnose failure modes */
3337 n.d[0] = 1;
3338 test_constant_wnaf(&n, 4);
3339 n.d[0] = 2;
3340 test_constant_wnaf(&n, 4);
355a38f1 3341 /* Test 0 */
ec0a7b3a 3342 test_fixed_wnaf_small();
44015000 3343 /* Random tests */
bf2e1ac7 3344 for (i = 0; i < count; i++) {
f24041d6 3345 random_scalar_order(&n);
eb0be8ee 3346 test_wnaf(&n, 4+(i%10));
44015000
AP		 3347 test_constant_wnaf_negate(&n);
3348 test_constant_wnaf(&n, 4 + (i % 10));
355a38f1 3349 test_fixed_wnaf(&n, 4 + (i % 10));
4e0ed539 3350 }
96be2046
GM		 3351 secp256k1_scalar_set_int(&n, 0);
3352 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
3353 CHECK(secp256k1_scalar_is_zero(&n));
3354 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
3355 CHECK(secp256k1_scalar_is_zero(&n));
4e0ed539 3356}
a41f32e6 3357
d2275795
GM		 3358void test_ecmult_constants(void) {
3359 /* Test ecmult_gen() for [0..36) and [order-36..0). */
dd891e0e
PW		 3360 secp256k1_scalar x;
3361 secp256k1_gej r;
3362 secp256k1_ge ng;
d2275795
GM		 3363 int i;
3364 int j;
3365 secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
3366 for (i = 0; i < 36; i++ ) {
3367 secp256k1_scalar_set_int(&x, i);
3368 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3369 for (j = 0; j < i; j++) {
3370 if (j == i - 1) {
3371 ge_equals_gej(&secp256k1_ge_const_g, &r);
3372 }
3373 secp256k1_gej_add_ge(&r, &r, &ng);
3374 }
3375 CHECK(secp256k1_gej_is_infinity(&r));
3376 }
3377 for (i = 1; i <= 36; i++ ) {
3378 secp256k1_scalar_set_int(&x, i);
3379 secp256k1_scalar_negate(&x, &x);
3380 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3381 for (j = 0; j < i; j++) {
3382 if (j == i - 1) {
3383 ge_equals_gej(&ng, &r);
3384 }
3385 secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
3386 }
3387 CHECK(secp256k1_gej_is_infinity(&r));
3388 }
3389}
3390
3391void run_ecmult_constants(void) {
3392 test_ecmult_constants();
3393}
3394
3395void test_ecmult_gen_blind(void) {
269d4227 3396 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
dd891e0e
PW		 3397 secp256k1_scalar key;
3398 secp256k1_scalar b;
d2275795 3399 unsigned char seed32[32];
dd891e0e
PW		 3400 secp256k1_gej pgej;
3401 secp256k1_gej pgej2;
3402 secp256k1_gej i;
3403 secp256k1_ge pge;
d2275795
GM		 3404 random_scalar_order_test(&key);
3405 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
3406 secp256k1_rand256(seed32);
3407 b = ctx->ecmult_gen_ctx.blind;
3408 i = ctx->ecmult_gen_ctx.initial;
3409 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
3410 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3411 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
3412 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
3413 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
3414 secp256k1_ge_set_gej(&pge, &pgej);
3415 ge_equals_gej(&pge, &pgej2);
3416}
3417
3418void test_ecmult_gen_blind_reset(void) {
3419 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
dd891e0e
PW		 3420 secp256k1_scalar b;
3421 secp256k1_gej initial;
d2275795
GM		 3422 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3423 b = ctx->ecmult_gen_ctx.blind;
3424 initial = ctx->ecmult_gen_ctx.initial;
3425 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3426 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3427 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
3428}
3429
3430void run_ecmult_gen_blind(void) {
3431 int i;
3432 test_ecmult_gen_blind_reset();
3433 for (i = 0; i < 10; i++) {
3434 test_ecmult_gen_blind();
3435 }
3436}
3437
baa75da5
AP		 3438#ifdef USE_ENDOMORPHISM
3439/***** ENDOMORPHISH TESTS *****/
3440void test_scalar_split(void) {
dd891e0e
PW		 3441 secp256k1_scalar full;
3442 secp256k1_scalar s1, slam;
baa75da5
AP		 3443 const unsigned char zero[32] = {0};
3444 unsigned char tmp[32];
3445
3446 random_scalar_order_test(&full);
ed35d43a 3447 secp256k1_scalar_split_lambda(&s1, &slam, &full);
baa75da5
AP		 3448
3449 /* check that both are <= 128 bits in size */
912f203f 3450 if (secp256k1_scalar_is_high(&s1)) {
baa75da5 3451 secp256k1_scalar_negate(&s1, &s1);
912f203f
GM		 3452 }
3453 if (secp256k1_scalar_is_high(&slam)) {
baa75da5 3454 secp256k1_scalar_negate(&slam, &slam);
912f203f 3455 }
baa75da5
AP		 3456
3457 secp256k1_scalar_get_b32(tmp, &s1);
3458 CHECK(memcmp(zero, tmp, 16) == 0);
3459 secp256k1_scalar_get_b32(tmp, &slam);
3460 CHECK(memcmp(zero, tmp, 16) == 0);
3461}
3462
3463void run_endomorphism_tests(void) {
3464 test_scalar_split();
3465}
3466#endif
d2275795 3467
67f7da40
GM		 3468void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
3469 unsigned char pubkeyc[65];
3470 secp256k1_pubkey pubkey;
3471 secp256k1_ge ge;
3472 size_t pubkeyclen;
3473 int32_t ecount;
3474 ecount = 0;
3475 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3476 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
3477 /* Smaller sizes are tested exhaustively elsewhere. */
3478 int32_t i;
3479 memcpy(&pubkeyc[1], input, 64);
3480 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
3481 for (i = 0; i < 256; i++) {
3482 /* Try all type bytes. */
3483 int xpass;
3484 int ypass;
3485 int ysign;
3486 pubkeyc[0] = i;
3487 /* What sign does this point have? */
3488 ysign = (input[63] & 1) + 2;
3489 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
3490 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
3491 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
3492 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
3493 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
3494 if (xpass || ypass) {
3495 /* These cases must parse. */
3496 unsigned char pubkeyo[65];
3497 size_t outl;
3498 memset(&pubkey, 0, sizeof(pubkey));
3499 VG_UNDEF(&pubkey, sizeof(pubkey));
3500 ecount = 0;
3501 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3502 VG_CHECK(&pubkey, sizeof(pubkey));
3503 outl = 65;
3504 VG_UNDEF(pubkeyo, 65);
3505 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3506 VG_CHECK(pubkeyo, outl);
3507 CHECK(outl == 33);
3508 CHECK(memcmp(&pubkeyo[1], &pubkeyc[1], 32) == 0);
3509 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
3510 if (ypass) {
3511 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
3512 CHECK(pubkeyo[0] == ysign);
3513 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3514 memset(&pubkey, 0, sizeof(pubkey));
3515 VG_UNDEF(&pubkey, sizeof(pubkey));
3516 secp256k1_pubkey_save(&pubkey, &ge);
3517 VG_CHECK(&pubkey, sizeof(pubkey));
3518 outl = 65;
3519 VG_UNDEF(pubkeyo, 65);
1a368980 3520 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
67f7da40
GM		 3521 VG_CHECK(pubkeyo, outl);
3522 CHECK(outl == 65);
3523 CHECK(pubkeyo[0] == 4);
3524 CHECK(memcmp(&pubkeyo[1], input, 64) == 0);
3525 }
3526 CHECK(ecount == 0);
3527 } else {
3528 /* These cases must fail to parse. */
3529 memset(&pubkey, 0xfe, sizeof(pubkey));
3530 ecount = 0;
3531 VG_UNDEF(&pubkey, sizeof(pubkey));
3532 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
3533 VG_CHECK(&pubkey, sizeof(pubkey));
3534 CHECK(ecount == 0);
3535 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3536 CHECK(ecount == 1);
3537 }
3538 }
3539 }
3540 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3541}
3542
3543void run_ec_pubkey_parse_test(void) {
3544#define SECP256K1_EC_PARSE_TEST_NVALID (12)
3545 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
3546 {
3547 /* Point with leading and trailing zeros in x and y serialization. */
3548 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
3549 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3550 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
3551 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
3552 },
3553 {
3554 /* Point with x equal to a 3rd root of unity.*/
3555 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
3556 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
3557 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3558 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3559 },
3560 {
3561 /* Point with largest x. (1/2) */
3562 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3563 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3564 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
3565 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
3566 },
3567 {
3568 /* Point with largest x. (2/2) */
3569 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3570 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3571 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
3572 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
3573 },
3574 {
3575 /* Point with smallest x. (1/2) */
3576 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3577 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3578 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3579 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3580 },
3581 {
3582 /* Point with smallest x. (2/2) */
3583 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3584 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3585 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3586 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3587 },
3588 {
3589 /* Point with largest y. (1/3) */
3590 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3591 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3592 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3593 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3594 },
3595 {
3596 /* Point with largest y. (2/3) */
3597 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3598 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3599 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3600 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3601 },
3602 {
3603 /* Point with largest y. (3/3) */
3604 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3605 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3606 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3607 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3608 },
3609 {
3610 /* Point with smallest y. (1/3) */
3611 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3612 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3613 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3614 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3615 },
3616 {
3617 /* Point with smallest y. (2/3) */
3618 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3619 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3620 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3621 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3622 },
3623 {
3624 /* Point with smallest y. (3/3) */
3625 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3626 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3627 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3628 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
3629 }
3630 };
3631#define SECP256K1_EC_PARSE_TEST_NXVALID (4)
3632 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
3633 {
3634 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
3635 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3636 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3637 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3638 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3639 },
3640 {
3641 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
3642 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3643 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3644 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3645 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3646 },
3647 {
3648 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
3649 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3650 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3651 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3652 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3653 },
3654 {
3655 /* x on curve, y is from y^2 = x^3 + 8. */
3656 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3657 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3658 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3659 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
3660 }
3661 };
3662#define SECP256K1_EC_PARSE_TEST_NINVALID (7)
3663 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
3664 {
3665 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
3666 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
3667 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
3668 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3669 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3670 },
3671 {
3672 /* Valid if x overflow ignored (x = 1 mod p). */
3673 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3674 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3675 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3676 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3677 },
3678 {
3679 /* Valid if x overflow ignored (x = 1 mod p). */
3680 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3681 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3682 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3683 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3684 },
3685 {
3686 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3687 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3688 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3689 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
3690 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
3691 },
3692 {
3693 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3694 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3695 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3696 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
3697 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
3698 },
3699 {
3700 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3701 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3702 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3703 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
3704 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
3705 },
3706 {
3707 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3708 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3709 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3710 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
3711 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
3712 }
3713 };
3714 const unsigned char pubkeyc[66] = {
3715 /* Serialization of G. */
3716 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
3717 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
3718 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
3719 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
3720 0xB8, 0x00
3721 };
5b71a3f4 3722 unsigned char sout[65];
67f7da40
GM		 3723 unsigned char shortkey[2];
3724 secp256k1_ge ge;
3725 secp256k1_pubkey pubkey;
5b71a3f4 3726 size_t len;
67f7da40
GM		 3727 int32_t i;
3728 int32_t ecount;
3729 int32_t ecount2;
3730 ecount = 0;
3731 /* Nothing should be reading this far into pubkeyc. */
3732 VG_UNDEF(&pubkeyc[65], 1);
3733 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3734 /* Zero length claimed, fail, zeroize, no illegal arg error. */
3735 memset(&pubkey, 0xfe, sizeof(pubkey));
3736 ecount = 0;
3737 VG_UNDEF(shortkey, 2);
3738 VG_UNDEF(&pubkey, sizeof(pubkey));
3739 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
3740 VG_CHECK(&pubkey, sizeof(pubkey));
3741 CHECK(ecount == 0);
3742 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3743 CHECK(ecount == 1);
3744 /* Length one claimed, fail, zeroize, no illegal arg error. */
3745 for (i = 0; i < 256 ; i++) {
3746 memset(&pubkey, 0xfe, sizeof(pubkey));
3747 ecount = 0;
3748 shortkey[0] = i;
3749 VG_UNDEF(&shortkey[1], 1);
3750 VG_UNDEF(&pubkey, sizeof(pubkey));
3751 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
3752 VG_CHECK(&pubkey, sizeof(pubkey));
3753 CHECK(ecount == 0);
3754 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3755 CHECK(ecount == 1);
3756 }
3757 /* Length two claimed, fail, zeroize, no illegal arg error. */
3758 for (i = 0; i < 65536 ; i++) {
3759 memset(&pubkey, 0xfe, sizeof(pubkey));
3760 ecount = 0;
3761 shortkey[0] = i & 255;
3762 shortkey[1] = i >> 8;
3763 VG_UNDEF(&pubkey, sizeof(pubkey));
3764 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
3765 VG_CHECK(&pubkey, sizeof(pubkey));
3766 CHECK(ecount == 0);
3767 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3768 CHECK(ecount == 1);
3769 }
3770 memset(&pubkey, 0xfe, sizeof(pubkey));
3771 ecount = 0;
3772 VG_UNDEF(&pubkey, sizeof(pubkey));
3773 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
3774 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
3775 VG_CHECK(&pubkey, sizeof(pubkey));
3776 CHECK(ecount == 0);
3777 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3778 CHECK(ecount == 1);
3779 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
3780 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
3781 CHECK(ecount == 2);
3782 /* NULL input string. Illegal arg and zeroize output. */
3783 memset(&pubkey, 0xfe, sizeof(pubkey));
3784 ecount = 0;
3785 VG_UNDEF(&pubkey, sizeof(pubkey));
3786 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
3787 VG_CHECK(&pubkey, sizeof(pubkey));
3788 CHECK(ecount == 1);
3789 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3790 CHECK(ecount == 2);
3791 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
3792 memset(&pubkey, 0xfe, sizeof(pubkey));
3793 ecount = 0;
3794 VG_UNDEF(&pubkey, sizeof(pubkey));
3795 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
3796 VG_CHECK(&pubkey, sizeof(pubkey));
3797 CHECK(ecount == 0);
3798 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3799 CHECK(ecount == 1);
3800 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
3801 memset(&pubkey, 0xfe, sizeof(pubkey));
3802 ecount = 0;
3803 VG_UNDEF(&pubkey, sizeof(pubkey));
3804 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
3805 VG_CHECK(&pubkey, sizeof(pubkey));
3806 CHECK(ecount == 0);
3807 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3808 CHECK(ecount == 1);
3809 /* Valid parse. */
3810 memset(&pubkey, 0, sizeof(pubkey));
3811 ecount = 0;
3812 VG_UNDEF(&pubkey, sizeof(pubkey));
3813 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
ed7c0841 3814 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
67f7da40
GM		 3815 VG_CHECK(&pubkey, sizeof(pubkey));
3816 CHECK(ecount == 0);
3817 VG_UNDEF(&ge, sizeof(ge));
3818 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3819 VG_CHECK(&ge.x, sizeof(ge.x));
3820 VG_CHECK(&ge.y, sizeof(ge.y));
3821 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
3822 ge_equals_ge(&secp256k1_ge_const_g, &ge);
3823 CHECK(ecount == 0);
5b71a3f4
GM		 3824 /* secp256k1_ec_pubkey_serialize illegal args. */
3825 ecount = 0;
3826 len = 65;
3827 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3828 CHECK(ecount == 1);
3829 CHECK(len == 0);
3830 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3831 CHECK(ecount == 2);
3832 len = 65;
3833 VG_UNDEF(sout, 65);
3834 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
3835 VG_CHECK(sout, 65);
3836 CHECK(ecount == 3);
3837 CHECK(len == 0);
3838 len = 65;
3839 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
3840 CHECK(ecount == 4);
3841 CHECK(len == 0);
3842 len = 65;
3843 VG_UNDEF(sout, 65);
3844 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3845 VG_CHECK(sout, 65);
3846 CHECK(ecount == 4);
3847 CHECK(len == 65);
67f7da40
GM		 3848 /* Multiple illegal args. Should still set arg error only once. */
3849 ecount = 0;
3850 ecount2 = 11;
3851 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3852 CHECK(ecount == 1);
3853 /* Does the illegal arg callback actually change the behavior? */
3854 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
3855 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3856 CHECK(ecount == 1);
3857 CHECK(ecount2 == 10);
3858 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3859 /* Try a bunch of prefabbed points with all possible encodings. */
3860 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
3861 ec_pubkey_parse_pointtest(valid[i], 1, 1);
3862 }
3863 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
3864 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
3865 }
3866 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
3867 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
3868 }
3869}
3870
96be2046
GM		 3871void run_eckey_edge_case_test(void) {
3872 const unsigned char orderc[32] = {
3873 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3874 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3875 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3876 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
3877 };
3878 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
c69dea02
GM		 3879 unsigned char ctmp[33];
3880 unsigned char ctmp2[33];
96be2046
GM		 3881 secp256k1_pubkey pubkey;
3882 secp256k1_pubkey pubkey2;
c69dea02
GM		 3883 secp256k1_pubkey pubkey_one;
3884 secp256k1_pubkey pubkey_negone;
3885 const secp256k1_pubkey *pubkeys[3];
3886 size_t len;
96be2046
GM		 3887 int32_t ecount;
3888 /* Group order is too large, reject. */
3889 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
3890 VG_UNDEF(&pubkey, sizeof(pubkey));
3891 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
3892 VG_CHECK(&pubkey, sizeof(pubkey));
3893 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3894 /* Maximum value is too large, reject. */
3895 memset(ctmp, 255, 32);
3896 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3897 memset(&pubkey, 1, sizeof(pubkey));
3898 VG_UNDEF(&pubkey, sizeof(pubkey));
3899 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3900 VG_CHECK(&pubkey, sizeof(pubkey));
3901 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3902 /* Zero is too small, reject. */
3903 memset(ctmp, 0, 32);
3904 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3905 memset(&pubkey, 1, sizeof(pubkey));
3906 VG_UNDEF(&pubkey, sizeof(pubkey));
3907 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3908 VG_CHECK(&pubkey, sizeof(pubkey));
3909 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3910 /* One must be accepted. */
3911 ctmp[31] = 0x01;
3912 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3913 memset(&pubkey, 0, sizeof(pubkey));
3914 VG_UNDEF(&pubkey, sizeof(pubkey));
3915 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3916 VG_CHECK(&pubkey, sizeof(pubkey));
3917 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
c69dea02 3918 pubkey_one = pubkey;
96be2046
GM		 3919 /* Group order + 1 is too large, reject. */
3920 memcpy(ctmp, orderc, 32);
3921 ctmp[31] = 0x42;
3922 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3923 memset(&pubkey, 1, sizeof(pubkey));
3924 VG_UNDEF(&pubkey, sizeof(pubkey));
3925 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3926 VG_CHECK(&pubkey, sizeof(pubkey));
3927 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3928 /* -1 must be accepted. */
3929 ctmp[31] = 0x40;
3930 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3931 memset(&pubkey, 0, sizeof(pubkey));
3932 VG_UNDEF(&pubkey, sizeof(pubkey));
3933 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3934 VG_CHECK(&pubkey, sizeof(pubkey));
3935 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
c69dea02 3936 pubkey_negone = pubkey;
0e96cdc6 3937 /* Tweak of zero leaves the value unchanged. */
96be2046
GM		 3938 memset(ctmp2, 0, 32);
3939 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, ctmp2) == 1);
3940 CHECK(memcmp(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
3941 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
3942 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3943 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3944 /* Multiply tweak of zero zeroizes the output. */
3945 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, ctmp2) == 0);
3946 CHECK(memcmp(zeros, ctmp, 32) == 0);
3947 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
3948 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3949 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3950 /* Overflowing key tweak zeroizes. */
3951 memcpy(ctmp, orderc, 32);
3952 ctmp[31] = 0x40;
3953 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, orderc) == 0);
3954 CHECK(memcmp(zeros, ctmp, 32) == 0);
3955 memcpy(ctmp, orderc, 32);
3956 ctmp[31] = 0x40;
3957 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, orderc) == 0);
3958 CHECK(memcmp(zeros, ctmp, 32) == 0);
3959 memcpy(ctmp, orderc, 32);
3960 ctmp[31] = 0x40;
3961 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
3962 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3963 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3964 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
3965 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3966 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3967 /* Private key tweaks results in a key of zero. */
3968 ctmp2[31] = 1;
3969 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 0);
3970 CHECK(memcmp(zeros, ctmp2, 32) == 0);
3971 ctmp2[31] = 1;
3972 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3973 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3974 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3975 /* Tweak computation wraps and results in a key of 1. */
3976 ctmp2[31] = 2;
3977 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 1);
3978 CHECK(memcmp(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
3979 ctmp2[31] = 2;
3980 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3981 ctmp2[31] = 1;
3982 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
3983 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3984 /* Tweak mul * 2 = 1+1. */
3985 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3986 ctmp2[31] = 2;
3987 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
3988 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3989 /* Test argument errors. */
3990 ecount = 0;
3991 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3992 CHECK(ecount == 0);
3993 /* Zeroize pubkey on parse error. */
3994 memset(&pubkey, 0, 32);
3995 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3996 CHECK(ecount == 1);
3997 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3998 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3999 memset(&pubkey2, 0, 32);
4000 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
4001 CHECK(ecount == 2);
4002 CHECK(memcmp(&pubkey2, zeros, sizeof(pubkey2)) == 0);
4003 /* Plain argument errors. */
4004 ecount = 0;
4005 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4006 CHECK(ecount == 0);
4007 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
4008 CHECK(ecount == 1);
4009 ecount = 0;
4010 memset(ctmp2, 0, 32);
4011 ctmp2[31] = 4;
4012 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
4013 CHECK(ecount == 1);
4014 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
4015 CHECK(ecount == 2);
4016 ecount = 0;
4017 memset(ctmp2, 0, 32);
4018 ctmp2[31] = 4;
4019 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
4020 CHECK(ecount == 1);
4021 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
4022 CHECK(ecount == 2);
4023 ecount = 0;
4024 memset(ctmp2, 0, 32);
4025 CHECK(secp256k1_ec_privkey_tweak_add(ctx, NULL, ctmp2) == 0);
4026 CHECK(ecount == 1);
4027 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, NULL) == 0);
4028 CHECK(ecount == 2);
4029 ecount = 0;
4030 memset(ctmp2, 0, 32);
4031 ctmp2[31] = 1;
4032 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, NULL, ctmp2) == 0);
4033 CHECK(ecount == 1);
4034 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, NULL) == 0);
4035 CHECK(ecount == 2);
4036 ecount = 0;
4037 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
4038 CHECK(ecount == 1);
4039 memset(&pubkey, 1, sizeof(pubkey));
4040 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4041 CHECK(ecount == 2);
5b71a3f4 4042 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
c69dea02
GM		 4043 /* secp256k1_ec_pubkey_combine tests. */
4044 ecount = 0;
4045 pubkeys[0] = &pubkey_one;
4046 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
4047 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
4048 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
4049 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4050 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4051 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
4052 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4053 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4054 CHECK(ecount == 1);
c69dea02
GM		 4055 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
4056 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
8e48787d 4057 CHECK(ecount == 2);
c69dea02
GM		 4058 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4059 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4060 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
4061 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4062 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
8e48787d 4063 CHECK(ecount == 3);
c69dea02
GM		 4064 pubkeys[0] = &pubkey_negone;
4065 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4066 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4067 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
4068 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4069 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
8e48787d 4070 CHECK(ecount == 3);
c69dea02
GM		 4071 len = 33;
4072 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4073 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
4074 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
4075 /* Result is infinity. */
4076 pubkeys[0] = &pubkey_one;
4077 pubkeys[1] = &pubkey_negone;
4078 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4079 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4080 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
4081 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4082 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
8e48787d 4083 CHECK(ecount == 3);
c69dea02
GM		 4084 /* Passes through infinity but comes out one. */
4085 pubkeys[2] = &pubkey_one;
4086 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4087 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4088 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
4089 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4090 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
8e48787d 4091 CHECK(ecount == 3);
c69dea02
GM		 4092 len = 33;
4093 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4094 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
4095 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
4096 /* Adds to two. */
4097 pubkeys[1] = &pubkey_one;
4098 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4099 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4100 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
4101 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4102 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
8e48787d 4103 CHECK(ecount == 3);
96be2046
GM		 4104 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4105}
4106
dd891e0e
PW		 4107void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
4108 secp256k1_scalar nonce;
dd08f037 4109 do {
a9f5c8b8 4110 random_scalar_order_test(&nonce);
18c329c5 4111 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
dd08f037
PW		 4112}
4113
2cad067a 4114void test_ecdsa_sign_verify(void) {
dd891e0e
PW		 4115 secp256k1_gej pubj;
4116 secp256k1_ge pub;
4117 secp256k1_scalar one;
4118 secp256k1_scalar msg, key;
4119 secp256k1_scalar sigr, sigs;
ee3eb4be
GM		 4120 int recid;
4121 int getrec;
a9f5c8b8 4122 random_scalar_order_test(&msg);
a9f5c8b8 4123 random_scalar_order_test(&key);
a9b6595e 4124 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
bf2e1ac7 4125 secp256k1_ge_set_gej(&pub, &pubj);
fa57f1bd 4126 getrec = secp256k1_rand_bits(1);
18c329c5 4127 random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
26320197
GM		 4128 if (getrec) {
4129 CHECK(recid >= 0 && recid < 4);
4130 }
18c329c5 4131 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
f24041d6
PW		 4132 secp256k1_scalar_set_int(&one, 1);
4133 secp256k1_scalar_add(&msg, &msg, &one);
18c329c5 4134 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
0a07e62f
PW		 4135}
4136
2cad067a 4137void run_ecdsa_sign_verify(void) {
bf2e1ac7
GM		 4138 int i;
4139 for (i = 0; i < 10*count; i++) {
0a07e62f
PW		 4140 test_ecdsa_sign_verify();
4141 }
4142}
4143
c6e7f4e8 4144/** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
05732c5a 4145static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
c6e7f4e8
PW		 4146 (void)msg32;
4147 (void)key32;
a5a66c70 4148 (void)algo16;
c6e7f4e8
PW		 4149 memcpy(nonce32, data, 32);
4150 return (counter == 0);
4151}
4152
05732c5a 4153static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
941e221f 4154 /* Dummy nonce generator that has a fatal error on the first counter value. */
26320197
GM		 4155 if (counter == 0) {
4156 return 0;
4157 }
dc0ce9fc 4158 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
941e221f
GM		 4159}
4160
05732c5a 4161static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
941e221f
GM		 4162 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
4163 if (counter < 3) {
4164 memset(nonce32, counter==0 ? 0 : 255, 32);
26320197
GM		 4165 if (counter == 2) {
4166 nonce32[31]--;
4167 }
941e221f
GM		 4168 return 1;
4169 }
4170 if (counter < 5) {
4171 static const unsigned char order[] = {
4172 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4173 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4174 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4175 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
4176 };
4177 memcpy(nonce32, order, 32);
26320197
GM		 4178 if (counter == 4) {
4179 nonce32[31]++;
4180 }
941e221f
GM		 4181 return 1;
4182 }
269d4227 4183 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
941e221f 4184 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
26320197
GM		 4185 if (counter > 5) {
4186 return 0;
4187 }
dc0ce9fc 4188 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
941e221f
GM		 4189}
4190
dd891e0e
PW		 4191int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
4192 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
4193 return memcmp(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
8030d7c0
PW		 4194}
4195
2cad067a 4196void test_ecdsa_end_to_end(void) {
efc571ce 4197 unsigned char extra[32] = {0x00};
25f4aec0
PW		 4198 unsigned char privkey[32];
4199 unsigned char message[32];
bf2e1ac7 4200 unsigned char privkey2[32];
0c6ab2ff
PW		 4201 secp256k1_ecdsa_signature signature[6];
4202 secp256k1_scalar r, s;
74a2acdb 4203 unsigned char sig[74];
788038d3 4204 size_t siglen = 74;
23cfa914 4205 unsigned char pubkeyc[65];
788038d3 4206 size_t pubkeyclen = 65;
dd891e0e 4207 secp256k1_pubkey pubkey;
8e48aa60 4208 secp256k1_pubkey pubkey_tmp;
bf2e1ac7 4209 unsigned char seckey[300];
788038d3 4210 size_t seckeylen = 300;
25f4aec0 4211
71712b27 4212 /* Generate a random key and message. */
25f4aec0 4213 {
dd891e0e 4214 secp256k1_scalar msg, key;
659b554d
PW		 4215 random_scalar_order_test(&msg);
4216 random_scalar_order_test(&key);
4217 secp256k1_scalar_get_b32(privkey, &key);
4218 secp256k1_scalar_get_b32(message, &msg);
25f4aec0
PW		 4219 }
4220
71712b27 4221 /* Construct and verify corresponding public key. */
a9b6595e 4222 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
23cfa914 4223 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
99fd963b 4224
23cfa914 4225 /* Verify exporting and importing public key. */
1a368980 4226 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_rand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
23cfa914
PW		 4227 memset(&pubkey, 0, sizeof(pubkey));
4228 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
25f4aec0 4229
8e48aa60
AP		 4230 /* Verify negation changes the key and changes it back */
4231 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
4232 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4233 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
4234 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4235 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
4236
71712b27 4237 /* Verify private key import and export. */
eed87af1
AP		 4238 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_rand_bits(1) == 1));
4239 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
25f4aec0
PW		 4240 CHECK(memcmp(privkey, privkey2, 32) == 0);
4241
71712b27 4242 /* Optionally tweak the keys using addition. */
fa57f1bd 4243 if (secp256k1_rand_int(3) == 0) {
bf2e1ac7
GM		 4244 int ret1;
4245 int ret2;
25f4aec0 4246 unsigned char rnd[32];
dd891e0e 4247 secp256k1_pubkey pubkey2;
25f4aec0 4248 secp256k1_rand256_test(rnd);
a9b6595e 4249 ret1 = secp256k1_ec_privkey_tweak_add(ctx, privkey, rnd);
23cfa914 4250 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
25f4aec0 4251 CHECK(ret1 == ret2);
26320197
GM		 4252 if (ret1 == 0) {
4253 return;
4254 }
23cfa914
PW		 4255 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4256 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
25f4aec0
PW		 4257 }
4258
71712b27 4259 /* Optionally tweak the keys using multiplication. */
fa57f1bd 4260 if (secp256k1_rand_int(3) == 0) {
bf2e1ac7
GM		 4261 int ret1;
4262 int ret2;
25f4aec0 4263 unsigned char rnd[32];
dd891e0e 4264 secp256k1_pubkey pubkey2;
25f4aec0 4265 secp256k1_rand256_test(rnd);
a9b6595e 4266 ret1 = secp256k1_ec_privkey_tweak_mul(ctx, privkey, rnd);
23cfa914 4267 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
25f4aec0 4268 CHECK(ret1 == ret2);
26320197
GM		 4269 if (ret1 == 0) {
4270 return;
4271 }
23cfa914
PW		 4272 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4273 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
25f4aec0
PW		 4274 }
4275
71712b27 4276 /* Sign. */
dc0ce9fc
PW		 4277 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
4278 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
4279 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
efc571ce 4280 extra[31] = 1;
dc0ce9fc 4281 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
efc571ce
GM		 4282 extra[31] = 0;
4283 extra[0] = 1;
dc0ce9fc 4284 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
74a2acdb
PW		 4285 CHECK(memcmp(&signature[0], &signature[4], sizeof(signature[0])) == 0);
4286 CHECK(memcmp(&signature[0], &signature[1], sizeof(signature[0])) != 0);
4287 CHECK(memcmp(&signature[0], &signature[2], sizeof(signature[0])) != 0);
4288 CHECK(memcmp(&signature[0], &signature[3], sizeof(signature[0])) != 0);
4289 CHECK(memcmp(&signature[1], &signature[2], sizeof(signature[0])) != 0);
4290 CHECK(memcmp(&signature[1], &signature[3], sizeof(signature[0])) != 0);
4291 CHECK(memcmp(&signature[2], &signature[3], sizeof(signature[0])) != 0);
71712b27 4292 /* Verify. */
dc0ce9fc
PW		 4293 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4294 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
4295 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
4296 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
0c6ab2ff
PW		 4297 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
4298 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
4299 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
4300 secp256k1_scalar_negate(&s, &s);
4301 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4302 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
4303 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4304 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4305 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
5b71a3f4 4306 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
0c6ab2ff
PW		 4307 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4308 secp256k1_scalar_negate(&s, &s);
4309 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4310 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4311 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4312 CHECK(memcmp(&signature[5], &signature[0], 64) == 0);
74a2acdb
PW		 4313
4314 /* Serialize/parse DER and verify again */
4315 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4316 memset(&signature[0], 0, sizeof(signature[0]));
4317 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
dc0ce9fc 4318 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
74a2acdb 4319 /* Serialize/destroy/parse DER and verify again. */
1973c737 4320 siglen = 74;
74a2acdb 4321 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
fa57f1bd 4322 sig[secp256k1_rand_int(siglen)] += 1 + secp256k1_rand_int(255);
74a2acdb 4323 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
dc0ce9fc 4324 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
d49abbd5
PW		 4325}
4326
7c6fed28 4327void test_random_pubkeys(void) {
dd891e0e
PW		 4328 secp256k1_ge elem;
4329 secp256k1_ge elem2;
7c6fed28
GM		 4330 unsigned char in[65];
4331 /* Generate some randomly sized pubkeys. */
fa57f1bd
PW		 4332 size_t len = secp256k1_rand_bits(2) == 0 ? 65 : 33;
4333 if (secp256k1_rand_bits(2) == 0) {
4334 len = secp256k1_rand_bits(6);
26320197 4335 }
7c6fed28 4336 if (len == 65) {
fa57f1bd 4337 in[0] = secp256k1_rand_bits(1) ? 4 : (secp256k1_rand_bits(1) ? 6 : 7);
7c6fed28 4338 } else {
fa57f1bd 4339 in[0] = secp256k1_rand_bits(1) ? 2 : 3;
7c6fed28 4340 }
fa57f1bd
PW		 4341 if (secp256k1_rand_bits(3) == 0) {
4342 in[0] = secp256k1_rand_bits(8);
26320197 4343 }
26320197
GM		 4344 if (len > 1) {
4345 secp256k1_rand256(&in[1]);
4346 }
4347 if (len > 33) {
4348 secp256k1_rand256(&in[33]);
4349 }
7c6fed28
GM		 4350 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
4351 unsigned char out[65];
4352 unsigned char firstb;
4353 int res;
788038d3 4354 size_t size = len;
7c6fed28
GM		 4355 firstb = in[0];
4356 /* If the pubkey can be parsed, it should round-trip... */
9234391e 4357 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
7c6fed28
GM		 4358 CHECK(size == len);
4359 CHECK(memcmp(&in[1], &out[1], len-1) == 0);
4360 /* ... except for the type of hybrid inputs. */
26320197
GM		 4361 if ((in[0] != 6) && (in[0] != 7)) {
4362 CHECK(in[0] == out[0]);
4363 }
7c6fed28 4364 size = 65;
9234391e 4365 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
7c6fed28
GM		 4366 CHECK(size == 65);
4367 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
60571c6e 4368 ge_equals_ge(&elem,&elem2);
7c6fed28 4369 /* Check that the X9.62 hybrid type is checked. */
fa57f1bd 4370 in[0] = secp256k1_rand_bits(1) ? 6 : 7;
7c6fed28
GM		 4371 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
4372 if (firstb == 2 || firstb == 3) {
26320197
GM		 4373 if (in[0] == firstb + 4) {
4374 CHECK(res);
4375 } else {
4376 CHECK(!res);
4377 }
7c6fed28
GM		 4378 }
4379 if (res) {
60571c6e 4380 ge_equals_ge(&elem,&elem2);
9234391e 4381 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
7c6fed28
GM		 4382 CHECK(memcmp(&in[1], &out[1], 64) == 0);
4383 }
4384 }
4385}
4386
4387void run_random_pubkeys(void) {
bf2e1ac7
GM		 4388 int i;
4389 for (i = 0; i < 10*count; i++) {
7c6fed28
GM		 4390 test_random_pubkeys();
4391 }
4392}
4393
2cad067a 4394void run_ecdsa_end_to_end(void) {
bf2e1ac7
GM		 4395 int i;
4396 for (i = 0; i < 64*count; i++) {
25f4aec0
PW		 4397 test_ecdsa_end_to_end();
4398 }
4399}
4400
3bb9c447
PW		 4401int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
4402 static const unsigned char zeroes[32] = {0};
a9b2a5d8 4403#ifdef ENABLE_OPENSSL_TESTS
3bb9c447
PW		 4404 static const unsigned char max_scalar[32] = {
4405 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4406 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4407 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4408 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
4409 };
a9b2a5d8 4410#endif
3bb9c447
PW		 4411
4412 int ret = 0;
4413
4414 secp256k1_ecdsa_signature sig_der;
4415 unsigned char roundtrip_der[2048];
4416 unsigned char compact_der[64];
4417 size_t len_der = 2048;
4418 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
4419
fea19e7b
PW		 4420 secp256k1_ecdsa_signature sig_der_lax;
4421 unsigned char roundtrip_der_lax[2048];
4422 unsigned char compact_der_lax[64];
4423 size_t len_der_lax = 2048;
4424 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
4425
3bb9c447
PW		 4426#ifdef ENABLE_OPENSSL_TESTS
4427 ECDSA_SIG *sig_openssl;
31abd3ab 4428 const BIGNUM *r = NULL, *s = NULL;
3bb9c447
PW		 4429 const unsigned char *sigptr;
4430 unsigned char roundtrip_openssl[2048];
4431 int len_openssl = 2048;
4432 int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
4433#endif
4434
4435 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
4436 if (parsed_der) {
4437 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
4438 valid_der = (memcmp(compact_der, zeroes, 32) != 0) && (memcmp(compact_der + 32, zeroes, 32) != 0);
4439 }
4440 if (valid_der) {
4441 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
4442 roundtrips_der = (len_der == siglen) && memcmp(roundtrip_der, sig, siglen) == 0;
4443 }
4444
eed87af1 4445 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
fea19e7b
PW		 4446 if (parsed_der_lax) {
4447 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
4448 valid_der_lax = (memcmp(compact_der_lax, zeroes, 32) != 0) && (memcmp(compact_der_lax + 32, zeroes, 32) != 0);
4449 }
4450 if (valid_der_lax) {
4451 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
4452 roundtrips_der_lax = (len_der_lax == siglen) && memcmp(roundtrip_der_lax, sig, siglen) == 0;
4453 }
4454
3bb9c447
PW		 4455 if (certainly_der) {
4456 ret |= (!parsed_der) << 2;
4457 }
4458 if (certainly_not_der) {
4459 ret |= (parsed_der) << 17;
4460 }
4461 if (valid_der) {
4462 ret |= (!roundtrips_der) << 3;
4463 }
4464
fea19e7b
PW		 4465 if (valid_der) {
4466 ret |= (!roundtrips_der_lax) << 12;
4467 ret |= (len_der != len_der_lax) << 13;
248bffb0 4468 ret |= ((len_der != len_der_lax) || (memcmp(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
fea19e7b
PW		 4469 }
4470 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
4471 if (parsed_der) {
4472 ret |= (!parsed_der_lax) << 16;
4473 }
4474
3bb9c447
PW		 4475#ifdef ENABLE_OPENSSL_TESTS
4476 sig_openssl = ECDSA_SIG_new();
4477 sigptr = sig;
4478 parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
4479 if (parsed_openssl) {
31abd3ab
AB		 4480 ECDSA_SIG_get0(sig_openssl, &r, &s);
4481 valid_openssl = !BN_is_negative(r) && !BN_is_negative(s) && BN_num_bits(r) > 0 && BN_num_bits(r) <= 256 && BN_num_bits(s) > 0 && BN_num_bits(s) <= 256;
3bb9c447
PW		 4482 if (valid_openssl) {
4483 unsigned char tmp[32] = {0};
31abd3ab 4484 BN_bn2bin(r, tmp + 32 - BN_num_bytes(r));
3bb9c447
PW		 4485 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4486 }
4487 if (valid_openssl) {
4488 unsigned char tmp[32] = {0};
31abd3ab 4489 BN_bn2bin(s, tmp + 32 - BN_num_bytes(s));
3bb9c447
PW		 4490 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4491 }
4492 }
4493 len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
4494 if (len_openssl <= 2048) {
4495 unsigned char *ptr = roundtrip_openssl;
4496 CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
4497 roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (memcmp(roundtrip_openssl, sig, siglen) == 0);
4498 } else {
4499 len_openssl = 0;
4500 }
4501 ECDSA_SIG_free(sig_openssl);
4502
4503 ret |= (parsed_der && !parsed_openssl) << 4;
4504 ret |= (valid_der && !valid_openssl) << 5;
4505 ret |= (roundtrips_openssl && !parsed_der) << 6;
4506 ret |= (roundtrips_der != roundtrips_openssl) << 7;
4507 if (roundtrips_openssl) {
4508 ret |= (len_der != (size_t)len_openssl) << 8;
248bffb0 4509 ret |= ((len_der != (size_t)len_openssl) || (memcmp(roundtrip_der, roundtrip_openssl, len_der) != 0)) << 9;
3bb9c447
PW		 4510 }
4511#endif
4512 return ret;
4513}
4514
4515static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
4516 size_t i;
4517 for (i = 0; i < ptrlen; i++) {
4518 int shift = ptrlen - 1 - i;
4519 if (shift >= 4) {
4520 ptr[i] = 0;
4521 } else {
4522 ptr[i] = (val >> shift) & 0xFF;
4523 }
4524 }
4525}
4526
4527static void damage_array(unsigned char *sig, size_t *len) {
4528 int pos;
4529 int action = secp256k1_rand_bits(3);
5d4c5a31 4530 if (action < 1 && *len > 3) {
3bb9c447
PW		 4531 /* Delete a byte. */
4532 pos = secp256k1_rand_int(*len);
4533 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
4534 (*len)--;
4535 return;
5d4c5a31 4536 } else if (action < 2 && *len < 2048) {
3bb9c447
PW		 4537 /* Insert a byte. */
4538 pos = secp256k1_rand_int(1 + *len);
4539 memmove(sig + pos + 1, sig + pos, *len - pos);
4540 sig[pos] = secp256k1_rand_bits(8);
4541 (*len)++;
4542 return;
4543 } else if (action < 4) {
4544 /* Modify a byte. */
4545 sig[secp256k1_rand_int(*len)] += 1 + secp256k1_rand_int(255);
4546 return;
4547 } else { /* action < 8 */
4548 /* Modify a bit. */
4549 sig[secp256k1_rand_int(*len)] ^= 1 << secp256k1_rand_bits(3);
4550 return;
4551 }
4552}
4553
4554static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
4555 int der;
4556 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
4557 size_t tlen, elen, glen;
4558 int indet;
4559 int n;
4560
4561 *len = 0;
4562 der = secp256k1_rand_bits(2) == 0;
4563 *certainly_der = der;
4564 *certainly_not_der = 0;
4565 indet = der ? 0 : secp256k1_rand_int(10) == 0;
4566
4567 for (n = 0; n < 2; n++) {
4568 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
4569 nlow[n] = der ? 1 : (secp256k1_rand_bits(3) != 0);
4570 /* The length of the number in bytes (the first byte of which will always be nonzero) */
4571 nlen[n] = nlow[n] ? secp256k1_rand_int(33) : 32 + secp256k1_rand_int(200) * secp256k1_rand_int(8) / 8;
4572 CHECK(nlen[n] <= 232);
4573 /* The top bit of the number. */
4574 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_rand_bits(1));
4575 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
4576 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_rand_bits(7) : 1 + secp256k1_rand_int(127));
4577 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
4578 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_rand_int(3) : secp256k1_rand_int(300 - nlen[n]) * secp256k1_rand_int(8) / 8);
4579 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
4580 *certainly_not_der = 1;
4581 }
4582 CHECK(nlen[n] + nzlen[n] <= 300);
4583 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
4584 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
4585 if (!der) {
4586 /* nlenlen[n] max 127 bytes */
4587 int add = secp256k1_rand_int(127 - nlenlen[n]) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4588 nlenlen[n] += add;
4589 if (add != 0) {
4590 *certainly_not_der = 1;
4591 }
4592 }
4593 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
4594 }
4595
4596 /* The total length of the data to go, so far */
4597 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
4598 CHECK(tlen <= 856);
4599
4600 /* The length of the garbage inside the tuple. */
4601 elen = (der || indet) ? 0 : secp256k1_rand_int(980 - tlen) * secp256k1_rand_int(8) / 8;
4602 if (elen != 0) {
4603 *certainly_not_der = 1;
4604 }
4605 tlen += elen;
4606 CHECK(tlen <= 980);
4607
4608 /* The length of the garbage after the end of the tuple. */
4609 glen = der ? 0 : secp256k1_rand_int(990 - tlen) * secp256k1_rand_int(8) / 8;
4610 if (glen != 0) {
4611 *certainly_not_der = 1;
4612 }
4613 CHECK(tlen + glen <= 990);
4614
4615 /* Write the tuple header. */
4616 sig[(*len)++] = 0x30;
4617 if (indet) {
4618 /* Indeterminate length */
4619 sig[(*len)++] = 0x80;
4620 *certainly_not_der = 1;
4621 } else {
4622 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
4623 if (!der) {
4624 int add = secp256k1_rand_int(127 - tlenlen) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4625 tlenlen += add;
4626 if (add != 0) {
4627 *certainly_not_der = 1;
4628 }
4629 }
4630 if (tlenlen == 0) {
4631 /* Short length notation */
4632 sig[(*len)++] = tlen;
4633 } else {
4634 /* Long length notation */
4635 sig[(*len)++] = 128 + tlenlen;
4636 assign_big_endian(sig + *len, tlenlen, tlen);
4637 *len += tlenlen;
4638 }
4639 tlen += tlenlen;
4640 }
4641 tlen += 2;
4642 CHECK(tlen + glen <= 1119);
4643
4644 for (n = 0; n < 2; n++) {
4645 /* Write the integer header. */
4646 sig[(*len)++] = 0x02;
4647 if (nlenlen[n] == 0) {
4648 /* Short length notation */
4649 sig[(*len)++] = nlen[n] + nzlen[n];
4650 } else {
4651 /* Long length notation. */
4652 sig[(*len)++] = 128 + nlenlen[n];
4653 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
4654 *len += nlenlen[n];
4655 }
4656 /* Write zero padding */
4657 while (nzlen[n] > 0) {
4658 sig[(*len)++] = 0x00;
4659 nzlen[n]--;
4660 }
4661 if (nlen[n] == 32 && !nlow[n]) {
4662 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
4663 int i;
4664 for (i = 0; i < 16; i++) {
4665 sig[(*len)++] = 0xFF;
4666 }
4667 nlen[n] -= 16;
4668 }
4669 /* Write first byte of number */
4670 if (nlen[n] > 0) {
4671 sig[(*len)++] = nhbyte[n];
4672 nlen[n]--;
4673 }
4674 /* Generate remaining random bytes of number */
4675 secp256k1_rand_bytes_test(sig + *len, nlen[n]);
4676 *len += nlen[n];
4677 nlen[n] = 0;
4678 }
4679
4680 /* Generate random garbage inside tuple. */
4681 secp256k1_rand_bytes_test(sig + *len, elen);
4682 *len += elen;
4683
4684 /* Generate end-of-contents bytes. */
4685 if (indet) {
4686 sig[(*len)++] = 0;
4687 sig[(*len)++] = 0;
4688 tlen += 2;
4689 }
4690 CHECK(tlen + glen <= 1121);
4691
4692 /* Generate random garbage outside tuple. */
4693 secp256k1_rand_bytes_test(sig + *len, glen);
4694 *len += glen;
4695 tlen += glen;
4696 CHECK(tlen <= 1121);
4697 CHECK(tlen == *len);
4698}
4699
4700void run_ecdsa_der_parse(void) {
4701 int i,j;
4702 for (i = 0; i < 200 * count; i++) {
4703 unsigned char buffer[2048];
4704 size_t buflen = 0;
4705 int certainly_der = 0;
4706 int certainly_not_der = 0;
4707 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
5d4c5a31 4708 CHECK(buflen <= 2048);
3bb9c447
PW		 4709 for (j = 0; j < 16; j++) {
4710 int ret = 0;
4711 if (j > 0) {
4712 damage_array(buffer, &buflen);
4713 /* We don't know anything anymore about the DERness of the result */
4714 certainly_der = 0;
4715 certainly_not_der = 0;
4716 }
4717 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
4718 if (ret != 0) {
4719 size_t k;
4720 fprintf(stderr, "Failure %x on ", ret);
4721 for (k = 0; k < buflen; k++) {
4722 fprintf(stderr, "%02x ", buffer[k]);
4723 }
4724 fprintf(stderr, "\n");
4725 }
4726 CHECK(ret == 0);
4727 }
4728 }
4729}
4730
6e052878
PW		 4731/* Tests several edge cases. */
4732void test_ecdsa_edge_cases(void) {
d49abbd5 4733 int t;
dd891e0e 4734 secp256k1_ecdsa_signature sig;
d49abbd5
PW		 4735
4736 /* Test the case where ECDSA recomputes a point that is infinity. */
4737 {
dd891e0e
PW		 4738 secp256k1_gej keyj;
4739 secp256k1_ge key;
4740 secp256k1_scalar msg;
4741 secp256k1_scalar sr, ss;
d49abbd5
PW		 4742 secp256k1_scalar_set_int(&ss, 1);
4743 secp256k1_scalar_negate(&ss, &ss);
4744 secp256k1_scalar_inverse(&ss, &ss);
4745 secp256k1_scalar_set_int(&sr, 1);
4746 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
4747 secp256k1_ge_set_gej(&key, &keyj);
4748 msg = ss;
4749 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4750 }
4751
96be2046 4752 /* Verify signature with r of zero fails. */
d49abbd5 4753 {
96be2046
GM		 4754 const unsigned char pubkey_mods_zero[33] = {
4755 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4756 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4757 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4758 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4759 0x41
4760 };
4761 secp256k1_ge key;
4762 secp256k1_scalar msg;
4763 secp256k1_scalar sr, ss;
4764 secp256k1_scalar_set_int(&ss, 1);
4765 secp256k1_scalar_set_int(&msg, 0);
4766 secp256k1_scalar_set_int(&sr, 0);
4767 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
4768 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4769 }
4770
4771 /* Verify signature with s of zero fails. */
4772 {
4773 const unsigned char pubkey[33] = {
4774 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4775 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4776 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4777 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4778 0x01
4779 };
4780 secp256k1_ge key;
4781 secp256k1_scalar msg;
4782 secp256k1_scalar sr, ss;
4783 secp256k1_scalar_set_int(&ss, 0);
4784 secp256k1_scalar_set_int(&msg, 0);
4785 secp256k1_scalar_set_int(&sr, 1);
4786 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4787 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4788 }
4789
4790 /* Verify signature with message 0 passes. */
4791 {
4792 const unsigned char pubkey[33] = {
4793 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4794 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4795 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4796 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4797 0x02
4798 };
4799 const unsigned char pubkey2[33] = {
4800 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4801 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4802 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4803 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4804 0x43
4805 };
4806 secp256k1_ge key;
4807 secp256k1_ge key2;
4808 secp256k1_scalar msg;
4809 secp256k1_scalar sr, ss;
4810 secp256k1_scalar_set_int(&ss, 2);
4811 secp256k1_scalar_set_int(&msg, 0);
4812 secp256k1_scalar_set_int(&sr, 2);
4813 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4814 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4815 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4816 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4817 secp256k1_scalar_negate(&ss, &ss);
4818 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4819 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4820 secp256k1_scalar_set_int(&ss, 1);
4821 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4822 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4823 }
4824
4825 /* Verify signature with message 1 passes. */
4826 {
4827 const unsigned char pubkey[33] = {
4828 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
4829 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
4830 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
4831 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
4832 0x25
4833 };
4834 const unsigned char pubkey2[33] = {
4835 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
4836 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
4837 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
4838 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
4839 0x62
4840 };
4841 const unsigned char csr[32] = {
4842 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4843 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4844 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4845 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
4846 };
4847 secp256k1_ge key;
4848 secp256k1_ge key2;
4849 secp256k1_scalar msg;
4850 secp256k1_scalar sr, ss;
4851 secp256k1_scalar_set_int(&ss, 1);
4852 secp256k1_scalar_set_int(&msg, 1);
4853 secp256k1_scalar_set_b32(&sr, csr, NULL);
4854 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4855 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4856 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4857 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4858 secp256k1_scalar_negate(&ss, &ss);
4859 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4860 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4861 secp256k1_scalar_set_int(&ss, 2);
4862 secp256k1_scalar_inverse_var(&ss, &ss);
4863 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4864 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4865 }
4866
4867 /* Verify signature with message -1 passes. */
4868 {
4869 const unsigned char pubkey[33] = {
4870 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
4871 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
4872 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
4873 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
4874 0xf1
4875 };
4876 const unsigned char csr[32] = {
4877 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4878 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4879 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4880 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
4881 };
4882 secp256k1_ge key;
4883 secp256k1_scalar msg;
4884 secp256k1_scalar sr, ss;
4885 secp256k1_scalar_set_int(&ss, 1);
4886 secp256k1_scalar_set_int(&msg, 1);
4887 secp256k1_scalar_negate(&msg, &msg);
4888 secp256k1_scalar_set_b32(&sr, csr, NULL);
4889 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4890 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4891 secp256k1_scalar_negate(&ss, &ss);
4892 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4893 secp256k1_scalar_set_int(&ss, 3);
4894 secp256k1_scalar_inverse_var(&ss, &ss);
4895 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4896 }
4897
4898 /* Signature where s would be zero. */
4899 {
4900 secp256k1_pubkey pubkey;
788038d3 4901 size_t siglen;
96be2046
GM		 4902 int32_t ecount;
4903 unsigned char signature[72];
4904 static const unsigned char nonce[32] = {
d49abbd5
PW		 4905 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4906 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4907 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4908 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4909 };
4910 static const unsigned char nonce2[32] = {
4911 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4912 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4913 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4914 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
4915 };
4916 const unsigned char key[32] = {
4917 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4918 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4919 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4920 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4921 };
4922 unsigned char msg[32] = {
4923 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
4924 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
4925 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
4926 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
4927 };
96be2046
GM		 4928 ecount = 0;
4929 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
dc0ce9fc
PW		 4930 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
4931 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
d49abbd5 4932 msg[31] = 0xaa;
dc0ce9fc 4933 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
96be2046
GM		 4934 CHECK(ecount == 0);
4935 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
4936 CHECK(ecount == 1);
4937 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
4938 CHECK(ecount == 2);
4939 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
4940 CHECK(ecount == 3);
dc0ce9fc 4941 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
96be2046
GM		 4942 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
4943 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
4944 CHECK(ecount == 4);
4945 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
4946 CHECK(ecount == 5);
4947 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
4948 CHECK(ecount == 6);
4949 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
5b71a3f4
GM		 4950 CHECK(ecount == 6);
4951 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4952 CHECK(ecount == 7);
4953 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
4954 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
4955 CHECK(ecount == 8);
d49abbd5 4956 siglen = 72;
96be2046 4957 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
5b71a3f4 4958 CHECK(ecount == 9);
96be2046 4959 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
5b71a3f4 4960 CHECK(ecount == 10);
96be2046 4961 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
5b71a3f4 4962 CHECK(ecount == 11);
d49abbd5 4963 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
5b71a3f4
GM		 4964 CHECK(ecount == 11);
4965 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
4966 CHECK(ecount == 12);
4967 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
4968 CHECK(ecount == 13);
4969 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
4970 CHECK(ecount == 13);
d49abbd5 4971 siglen = 10;
5b71a3f4 4972 /* Too little room for a signature does not fail via ARGCHECK. */
d49abbd5 4973 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
5b71a3f4
GM		 4974 CHECK(ecount == 13);
4975 ecount = 0;
4976 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
4977 CHECK(ecount == 1);
4978 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
4979 CHECK(ecount == 2);
4980 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
4981 CHECK(ecount == 3);
4982 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
4983 CHECK(ecount == 3);
4984 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
4985 CHECK(ecount == 4);
4986 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
4987 CHECK(ecount == 5);
4988 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
4989 CHECK(ecount == 5);
c69dea02
GM		 4990 memset(signature, 255, 64);
4991 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
4992 CHECK(ecount == 5);
96be2046 4993 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
d49abbd5
PW		 4994 }
4995
4996 /* Nonce function corner cases. */
4997 for (t = 0; t < 2; t++) {
4998 static const unsigned char zero[32] = {0x00};
4999 int i;
5000 unsigned char key[32];
5001 unsigned char msg[32];
dd891e0e
PW		 5002 secp256k1_ecdsa_signature sig2;
5003 secp256k1_scalar sr[512], ss;
d49abbd5
PW		 5004 const unsigned char *extra;
5005 extra = t == 0 ? NULL : zero;
5006 memset(msg, 0, 32);
5007 msg[31] = 1;
5008 /* High key results in signature failure. */
5009 memset(key, 0xFF, 32);
dc0ce9fc 5010 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
d49abbd5
PW		 5011 CHECK(is_empty_signature(&sig));
5012 /* Zero key results in signature failure. */
5013 memset(key, 0, 32);
dc0ce9fc 5014 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
d49abbd5
PW		 5015 CHECK(is_empty_signature(&sig));
5016 /* Nonce function failure results in signature failure. */
5017 key[31] = 1;
dc0ce9fc 5018 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
d49abbd5
PW		 5019 CHECK(is_empty_signature(&sig));
5020 /* The retry loop successfully makes its way to the first good value. */
dc0ce9fc 5021 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
d49abbd5 5022 CHECK(!is_empty_signature(&sig));
dc0ce9fc 5023 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
d49abbd5
PW		 5024 CHECK(!is_empty_signature(&sig2));
5025 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
269d4227 5026 /* The default nonce function is deterministic. */
dc0ce9fc 5027 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
d49abbd5
PW		 5028 CHECK(!is_empty_signature(&sig2));
5029 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
5030 /* The default nonce function changes output with different messages. */
5031 for(i = 0; i < 256; i++) {
5032 int j;
5033 msg[0] = i;
dc0ce9fc 5034 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
d49abbd5
PW		 5035 CHECK(!is_empty_signature(&sig2));
5036 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
5037 for (j = 0; j < i; j++) {
5038 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
5039 }
5040 }
5041 msg[0] = 0;
5042 msg[31] = 2;
5043 /* The default nonce function changes output with different keys. */
5044 for(i = 256; i < 512; i++) {
5045 int j;
5046 key[0] = i - 256;
dc0ce9fc 5047 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
d49abbd5
PW		 5048 CHECK(!is_empty_signature(&sig2));
5049 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
5050 for (j = 0; j < i; j++) {
5051 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
5052 }
5053 }
5054 key[0] = 0;
5055 }
5056
b30fc85c 5057 {
269d4227 5058 /* Check that optional nonce arguments do not have equivalent effect. */
b30fc85c
GM		 5059 const unsigned char zeros[32] = {0};
5060 unsigned char nonce[32];
5061 unsigned char nonce2[32];
5062 unsigned char nonce3[32];
5063 unsigned char nonce4[32];
5064 VG_UNDEF(nonce,32);
5065 VG_UNDEF(nonce2,32);
5066 VG_UNDEF(nonce3,32);
5067 VG_UNDEF(nonce4,32);
5068 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
5069 VG_CHECK(nonce,32);
5070 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
5071 VG_CHECK(nonce2,32);
5072 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
5073 VG_CHECK(nonce3,32);
5074 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
5075 VG_CHECK(nonce4,32);
5076 CHECK(memcmp(nonce, nonce2, 32) != 0);
5077 CHECK(memcmp(nonce, nonce3, 32) != 0);
5078 CHECK(memcmp(nonce, nonce4, 32) != 0);
5079 CHECK(memcmp(nonce2, nonce3, 32) != 0);
5080 CHECK(memcmp(nonce2, nonce4, 32) != 0);
5081 CHECK(memcmp(nonce3, nonce4, 32) != 0);
5082 }
5083
5084
d49abbd5
PW		 5085 /* Privkey export where pubkey is the point at infinity. */
5086 {
5087 unsigned char privkey[300];
5088 unsigned char seckey[32] = {
5089 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5090 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
5091 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
5092 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
5093 };
788038d3 5094 size_t outlen = 300;
eed87af1 5095 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
1973c737 5096 outlen = 300;
eed87af1 5097 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
d49abbd5
PW		 5098 }
5099}
5100
6e052878
PW		 5101void run_ecdsa_edge_cases(void) {
5102 test_ecdsa_edge_cases();
3bf029d6 5103}
25f4aec0 5104
dd08f037 5105#ifdef ENABLE_OPENSSL_TESTS
7914a6eb 5106EC_KEY *get_openssl_key(const unsigned char *key32) {
12e29b32 5107 unsigned char privkey[300];
788038d3 5108 size_t privkeylen;
12e29b32 5109 const unsigned char* pbegin = privkey;
fa57f1bd 5110 int compr = secp256k1_rand_bits(1);
dd08f037 5111 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
eed87af1 5112 CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
0592d117
PW		 5113 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
5114 CHECK(EC_KEY_check_key(ec_key));
dd08f037
PW		 5115 return ec_key;
5116}
5117
2cad067a 5118void test_ecdsa_openssl(void) {
dd891e0e
PW		 5119 secp256k1_gej qj;
5120 secp256k1_ge q;
5121 secp256k1_scalar sigr, sigs;
5122 secp256k1_scalar one;
5123 secp256k1_scalar msg2;
5124 secp256k1_scalar key, msg;
bf2e1ac7
GM		 5125 EC_KEY *ec_key;
5126 unsigned int sigsize = 80;
788038d3 5127 size_t secp_sigsize = 80;
dd08f037 5128 unsigned char message[32];
bf2e1ac7 5129 unsigned char signature[80];
7914a6eb 5130 unsigned char key32[32];
dd08f037 5131 secp256k1_rand256_test(message);
eca6cdb1 5132 secp256k1_scalar_set_b32(&msg, message, NULL);
a9f5c8b8 5133 random_scalar_order_test(&key);
7914a6eb 5134 secp256k1_scalar_get_b32(key32, &key);
a9b6595e 5135 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
dd08f037 5136 secp256k1_ge_set_gej(&q, &qj);
7914a6eb 5137 ec_key = get_openssl_key(key32);
2b199de8 5138 CHECK(ec_key != NULL);
0592d117 5139 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
18c329c5
PW		 5140 CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
5141 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
f24041d6 5142 secp256k1_scalar_set_int(&one, 1);
f24041d6 5143 secp256k1_scalar_add(&msg2, &msg, &one);
18c329c5 5144 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
dd08f037 5145
18c329c5
PW		 5146 random_sign(&sigr, &sigs, &key, &msg, NULL);
5147 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
9974d869 5148 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
dd08f037 5149
dd08f037 5150 EC_KEY_free(ec_key);
dd08f037
PW		 5151}
5152
2cad067a 5153void run_ecdsa_openssl(void) {
bf2e1ac7
GM		 5154 int i;
5155 for (i = 0; i < 10*count; i++) {
dd08f037
PW		 5156 test_ecdsa_openssl();
5157 }
5158}
5159#endif
5160
0739bbb6
AP		 5161#ifdef ENABLE_MODULE_ECDH
5162# include "modules/ecdh/tests_impl.h"
5163#endif
5164
9f443be0
PW		 5165#ifdef ENABLE_MODULE_RECOVERY
5166# include "modules/recovery/tests_impl.h"
5167#endif
5168
404c30a8 5169int main(int argc, char **argv) {
89561118
PW		 5170 unsigned char seed16[16] = {0};
5171 unsigned char run32[32] = {0};
fb424fbb
JN		 5172
5173 /* Disable buffering for stdout to improve reliability of getting
5174 * diagnostic information. Happens right at the start of main because
5175 * setbuf must be used before any other operation on the stream. */
5176 setbuf(stdout, NULL);
a0771d15
JN		 5177 /* Also disable buffering for stderr because it's not guaranteed that it's
5178 * unbuffered on all systems. */
5179 setbuf(stderr, NULL);
fb424fbb 5180
71712b27 5181 /* find iteration count */
3fd6253e
PW		 5182 if (argc > 1) {
5183 count = strtol(argv[1], NULL, 0);
5184 }
5185
71712b27 5186 /* find random seed */
3fd6253e 5187 if (argc > 2) {
89561118
PW		 5188 int pos = 0;
5189 const char* ch = argv[2];
5190 while (pos < 16 && ch[0] != 0 && ch[1] != 0) {
5191 unsigned short sh;
a11c76c5 5192 if ((sscanf(ch, "%2hx", &sh)) == 1) {
89561118
PW		 5193 seed16[pos] = sh;
5194 } else {
5195 break;
5196 }
5197 ch += 2;
5198 pos++;
5199 }
3fd6253e
PW		 5200 } else {
5201 FILE *frand = fopen("/dev/urandom", "r");
8b3841c9 5202 if ((frand == NULL) || fread(&seed16, 1, sizeof(seed16), frand) != sizeof(seed16)) {
89561118 5203 uint64_t t = time(NULL) * (uint64_t)1337;
be40c4d0 5204 fprintf(stderr, "WARNING: could not read 16 bytes from /dev/urandom; falling back to insecure PRNG\n");
89561118
PW		 5205 seed16[0] ^= t;
5206 seed16[1] ^= t >> 8;
5207 seed16[2] ^= t >> 16;
5208 seed16[3] ^= t >> 24;
5209 seed16[4] ^= t >> 32;
5210 seed16[5] ^= t >> 40;
5211 seed16[6] ^= t >> 48;
5212 seed16[7] ^= t >> 56;
3fd6253e 5213 }
5aae5b5b 5214 if (frand) {
5215 fclose(frand);
5216 }
3fd6253e 5217 }
89561118 5218 secp256k1_rand_seed(seed16);
404c30a8 5219
dd08f037 5220 printf("test count = %i\n", count);
89561118 5221 printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]);
dd08f037 5222
71712b27 5223 /* initialize */
814cc78d
TR		 5224 run_context_tests(0);
5225 run_context_tests(1);
548de42e 5226 run_scratch_tests();
a9b6595e 5227 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
fa57f1bd 5228 if (secp256k1_rand_bits(1)) {
d2275795 5229 secp256k1_rand256(run32);
fa57f1bd 5230 CHECK(secp256k1_context_randomize(ctx, secp256k1_rand_bits(1) ? run32 : NULL));
d2275795 5231 }
49b37498
PW		 5232
5233 run_rand_bits();
5234 run_rand_int();
5235
b37fbc28
PW		 5236 run_sha256_tests();
5237 run_hmac_sha256_tests();
5238 run_rfc6979_hmac_sha256_tests();
5239
597128d3 5240#ifndef USE_NUM_NONE
71712b27 5241 /* num tests */
3f44e1ad 5242 run_num_smalltests();
597128d3 5243#endif
404c30a8 5244
71712b27 5245 /* scalar tests */
79359302
PW		 5246 run_scalar_tests();
5247
71712b27 5248 /* field tests */
f16be77f
PD		 5249 run_field_inv();
5250 run_field_inv_var();
f16be77f 5251 run_field_inv_all_var();
8d11164b 5252 run_field_misc();
ff889f7d 5253 run_field_convert();
59447da3 5254 run_sqr();
09ca4f32
PD		 5255 run_sqrt();
5256
71712b27 5257 /* group tests */
9338dbf7 5258 run_ge();
64666251 5259 run_group_decompress();
9338dbf7 5260
71712b27 5261 /* ecmult tests */
404c30a8
PW		 5262 run_wnaf();
5263 run_point_times_order();
5264 run_ecmult_chain();
d2275795
GM		 5265 run_ecmult_constants();
5266 run_ecmult_gen_blind();
44015000 5267 run_ecmult_const_tests();
dba5471b 5268 run_ecmult_multi_tests();
a5a66c70 5269 run_ec_combine();
404c30a8 5270
baa75da5
AP		 5271 /* endomorphism tests */
5272#ifdef USE_ENDOMORPHISM
5273 run_endomorphism_tests();
5274#endif
5275
96be2046 5276 /* EC point parser test */
67f7da40
GM		 5277 run_ec_pubkey_parse_test();
5278
96be2046
GM		 5279 /* EC key edge cases */
5280 run_eckey_edge_case_test();
5281
0739bbb6
AP		 5282#ifdef ENABLE_MODULE_ECDH
5283 /* ecdh tests */
5284 run_ecdh_tests();
5285#endif
5286
71712b27 5287 /* ecdsa tests */
7c6fed28 5288 run_random_pubkeys();
3bb9c447 5289 run_ecdsa_der_parse();
404c30a8 5290 run_ecdsa_sign_verify();
25f4aec0 5291 run_ecdsa_end_to_end();
6e052878 5292 run_ecdsa_edge_cases();
dd08f037
PW		 5293#ifdef ENABLE_OPENSSL_TESTS
5294 run_ecdsa_openssl();
5295#endif
910d0de4 5296
9f443be0
PW		 5297#ifdef ENABLE_MODULE_RECOVERY
5298 /* ECDSA pubkey recovery tests */
5299 run_recovery_tests();
5300#endif
5301
89561118
PW		 5302 secp256k1_rand256(run32);
5303 printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]);
bff11e91 5304
71712b27 5305 /* shutdown */
a9b6595e 5306 secp256k1_context_destroy(ctx);
c996d53a
PW		 5307
5308 printf("no problems found\n");
a41f32e6
PW		 5309 return 0;
5310}
Empty description
This page took 0.854865 seconds and 4 git commands to generate.