]> Git Repo - secp256k1.git/blame - src/tests.c
projects / secp256k1.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Move _preallocated functions to separate header
[secp256k1.git] / src / tests.c
CommitLineData
71712b27 1/**********************************************************************
9c4fb23d 2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
71712b27
GM		 3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
0a433ea2 6
78cd96b1
CF		 7#if defined HAVE_CONFIG_H
8#include "libsecp256k1-config.h"
9#endif
10
5a9989c5 11#include <stdio.h>
0592d117 12#include <stdlib.h>
8e48aa60 13#include <string.h>
a41f32e6 14
e06a9244
PJ		 15#include <time.h>
16
25f4aec0 17#include "secp256k1.c"
67f7da40 18#include "include/secp256k1.h"
238305fd 19#include "include/secp256k1_preallocated.h"
f0709ac5 20#include "testrand_impl.h"
a41f32e6 21
dd08f037
PW		 22#ifdef ENABLE_OPENSSL_TESTS
23#include "openssl/bn.h"
24#include "openssl/ec.h"
25#include "openssl/ecdsa.h"
26#include "openssl/obj_mac.h"
31abd3ab
AB		 27# if OPENSSL_VERSION_NUMBER < 0x10100000L
28void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {*pr = sig->r; *ps = sig->s;}
29# endif
dd08f037
PW		 30#endif
31
eed87af1
AP		 32#include "contrib/lax_der_parsing.c"
33#include "contrib/lax_der_privatekey_parsing.c"
fea19e7b 34
67f7da40
GM		 35#if !defined(VG_CHECK)
36# if defined(VALGRIND)
37# include <valgrind/memcheck.h>
38# define VG_UNDEF(x,y) VALGRIND_MAKE_MEM_UNDEFINED((x),(y))
39# define VG_CHECK(x,y) VALGRIND_CHECK_MEM_IS_DEFINED((x),(y))
40# else
41# define VG_UNDEF(x,y)
42# define VG_CHECK(x,y)
43# endif
44#endif
45
79f599d3 46static int count = 64;
dd891e0e 47static secp256k1_context *ctx = NULL;
4adf6b2a 48
96be2046
GM		 49static void counting_illegal_callback_fn(const char* str, void* data) {
50 /* Dummy callback function that just counts. */
51 int32_t *p;
52 (void)str;
53 p = data;
54 (*p)++;
55}
56
57static void uncounting_illegal_callback_fn(const char* str, void* data) {
58 /* Dummy callback function that just counts (backwards). */
59 int32_t *p;
60 (void)str;
61 p = data;
62 (*p)--;
63}
64
dd891e0e 65void random_field_element_test(secp256k1_fe *fe) {
9338dbf7
PW		 66 do {
67 unsigned char b32[32];
68 secp256k1_rand256_test(b32);
659b554d
PW		 69 if (secp256k1_fe_set_b32(fe, b32)) {
70 break;
71 }
9338dbf7
PW		 72 } while(1);
73}
74
dd891e0e
PW		 75void random_field_element_magnitude(secp256k1_fe *fe) {
76 secp256k1_fe zero;
fa57f1bd 77 int n = secp256k1_rand_int(9);
9338dbf7 78 secp256k1_fe_normalize(fe);
60571c6e
PW		 79 if (n == 0) {
80 return;
9338dbf7 81 }
60571c6e
PW		 82 secp256k1_fe_clear(&zero);
83 secp256k1_fe_negate(&zero, &zero, 0);
84 secp256k1_fe_mul_int(&zero, n - 1);
85 secp256k1_fe_add(fe, &zero);
3f3964e4 86 VERIFY_CHECK(fe->magnitude == n);
9338dbf7
PW		 87}
88
dd891e0e
PW		 89void random_group_element_test(secp256k1_ge *ge) {
90 secp256k1_fe fe;
9338dbf7
PW		 91 do {
92 random_field_element_test(&fe);
fa57f1bd 93 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand_bits(1))) {
baa75da5 94 secp256k1_fe_normalize(&ge->y);
9338dbf7 95 break;
26320197 96 }
9338dbf7
PW		 97 } while(1);
98}
99
dd891e0e
PW		 100void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
101 secp256k1_fe z2, z3;
9338dbf7
PW		 102 do {
103 random_field_element_test(&gej->z);
104 if (!secp256k1_fe_is_zero(&gej->z)) {
105 break;
106 }
107 } while(1);
bf2e1ac7
GM		 108 secp256k1_fe_sqr(&z2, &gej->z);
109 secp256k1_fe_mul(&z3, &z2, &gej->z);
9338dbf7
PW		 110 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
111 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
112 gej->infinity = ge->infinity;
113}
114
dd891e0e 115void random_scalar_order_test(secp256k1_scalar *num) {
a9f5c8b8
PW		 116 do {
117 unsigned char b32[32];
a9f5c8b8 118 int overflow = 0;
bf2e1ac7 119 secp256k1_rand256_test(b32);
eca6cdb1 120 secp256k1_scalar_set_b32(num, b32, &overflow);
26320197 121 if (overflow || secp256k1_scalar_is_zero(num)) {
a9f5c8b8 122 continue;
26320197 123 }
a9f5c8b8
PW		 124 break;
125 } while(1);
126}
127
dd891e0e 128void random_scalar_order(secp256k1_scalar *num) {
f24041d6
PW		 129 do {
130 unsigned char b32[32];
f24041d6 131 int overflow = 0;
bf2e1ac7 132 secp256k1_rand256(b32);
f24041d6 133 secp256k1_scalar_set_b32(num, b32, &overflow);
26320197 134 if (overflow || secp256k1_scalar_is_zero(num)) {
f24041d6 135 continue;
26320197 136 }
f24041d6
PW		 137 break;
138 } while(1);
139}
140
814cc78d 141void run_context_tests(int use_prealloc) {
96be2046 142 secp256k1_pubkey pubkey;
8e48aa60 143 secp256k1_pubkey zero_pubkey;
96be2046
GM		 144 secp256k1_ecdsa_signature sig;
145 unsigned char ctmp[32];
146 int32_t ecount;
147 int32_t ecount2;
814cc78d
TR		 148 secp256k1_context *none;
149 secp256k1_context *sign;
150 secp256k1_context *vrfy;
151 secp256k1_context *both;
152 void *none_prealloc = NULL;
153 void *sign_prealloc = NULL;
154 void *vrfy_prealloc = NULL;
155 void *both_prealloc = NULL;
d899b5b6 156
dd891e0e
PW		 157 secp256k1_gej pubj;
158 secp256k1_ge pub;
159 secp256k1_scalar msg, key, nonce;
160 secp256k1_scalar sigr, sigs;
d899b5b6 161
814cc78d
TR		 162 if (use_prealloc) {
163 none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
164 sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
165 vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
166 both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
167 CHECK(none_prealloc != NULL);
168 CHECK(sign_prealloc != NULL);
169 CHECK(vrfy_prealloc != NULL);
170 CHECK(both_prealloc != NULL);
171 none = secp256k1_context_preallocated_create(none_prealloc, SECP256K1_CONTEXT_NONE);
172 sign = secp256k1_context_preallocated_create(sign_prealloc, SECP256K1_CONTEXT_SIGN);
173 vrfy = secp256k1_context_preallocated_create(vrfy_prealloc, SECP256K1_CONTEXT_VERIFY);
174 both = secp256k1_context_preallocated_create(both_prealloc, SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
175 } else {
176 none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
177 sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
178 vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
179 both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
180 }
181
8e48aa60
AP		 182 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
183
96be2046
GM		 184 ecount = 0;
185 ecount2 = 10;
186 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
187 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
188 secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, NULL);
189 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
190
814cc78d
TR		 191 /* check if sizes for cloning are consistent */
192 CHECK(secp256k1_context_preallocated_clone_size(none) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
193 CHECK(secp256k1_context_preallocated_clone_size(sign) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
194 CHECK(secp256k1_context_preallocated_clone_size(vrfy) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
195 CHECK(secp256k1_context_preallocated_clone_size(both) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
196
d899b5b6
AP		 197 /*** clone and destroy all of them to make sure cloning was complete ***/
198 {
dd891e0e 199 secp256k1_context *ctx_tmp;
d899b5b6 200
814cc78d
TR		 201 if (use_prealloc) {
202 /* clone into a non-preallocated context and then again into a new preallocated one. */
203 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
204 free(none_prealloc); none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL);
205 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, none_prealloc); secp256k1_context_destroy(ctx_tmp);
206
207 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
208 free(sign_prealloc); sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL);
209 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, sign_prealloc); secp256k1_context_destroy(ctx_tmp);
210
211 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
212 free(vrfy_prealloc); vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL);
213 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, vrfy_prealloc); secp256k1_context_destroy(ctx_tmp);
214
215 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
216 free(both_prealloc); both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL);
217 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, both_prealloc); secp256k1_context_destroy(ctx_tmp);
218 } else {
219 /* clone into a preallocated context and then again into a new non-preallocated one. */
220 void *prealloc_tmp;
221
222 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL);
223 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
224 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
225 free(prealloc_tmp);
226
227 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL);
228 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
229 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
230 free(prealloc_tmp);
231
232 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
233 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
234 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
235 free(prealloc_tmp);
236
237 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
238 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
239 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
240 free(prealloc_tmp);
241 }
d899b5b6
AP		 242 }
243
96be2046
GM		 244 /* Verify that the error callback makes it across the clone. */
245 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
246 /* And that it resets back to default. */
247 secp256k1_context_set_error_callback(sign, NULL, NULL);
248 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
249
d899b5b6
AP		 250 /*** attempt to use them ***/
251 random_scalar_order_test(&msg);
252 random_scalar_order_test(&key);
253 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
254 secp256k1_ge_set_gej(&pub, &pubj);
255
96be2046
GM		 256 /* Verify context-type checking illegal-argument errors. */
257 memset(ctmp, 1, 32);
258 CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
259 CHECK(ecount == 1);
260 VG_UNDEF(&pubkey, sizeof(pubkey));
261 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
262 VG_CHECK(&pubkey, sizeof(pubkey));
263 CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
264 CHECK(ecount == 2);
265 VG_UNDEF(&sig, sizeof(sig));
266 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
267 VG_CHECK(&sig, sizeof(sig));
268 CHECK(ecount2 == 10);
269 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
270 CHECK(ecount2 == 11);
271 CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
272 CHECK(ecount == 2);
273 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
274 CHECK(ecount2 == 12);
275 CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
276 CHECK(ecount == 2);
277 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
278 CHECK(ecount2 == 13);
8e48aa60 279 CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
96be2046 280 CHECK(ecount == 2);
8e48aa60
AP		 281 CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
282 CHECK(ecount == 2);
283 CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
284 CHECK(ecount2 == 14);
285 CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
286 CHECK(ecount == 3);
287 CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
96be2046 288 CHECK(ecount == 3);
61983752
TR		 289 CHECK(secp256k1_context_randomize(vrfy, ctmp) == 1);
290 CHECK(ecount == 3);
291 CHECK(secp256k1_context_randomize(vrfy, NULL) == 1);
292 CHECK(ecount == 3);
293 CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
294 CHECK(ecount2 == 14);
96be2046 295 CHECK(secp256k1_context_randomize(sign, NULL) == 1);
8e48aa60 296 CHECK(ecount2 == 14);
96be2046
GM		 297 secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
298 secp256k1_context_set_illegal_callback(sign, NULL, NULL);
299
d899b5b6
AP		 300 /* obtain a working nonce */
301 do {
302 random_scalar_order_test(&nonce);
18c329c5 303 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
d899b5b6
AP		 304
305 /* try signing */
18c329c5
PW		 306 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
307 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
d899b5b6
AP		 308
309 /* try verifying */
18c329c5
PW		 310 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
311 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
5c2a4fad
AP		 312
313 /* cleanup */
814cc78d
TR		 314 if (use_prealloc) {
315 secp256k1_context_preallocated_destroy(none);
316 secp256k1_context_preallocated_destroy(sign);
317 secp256k1_context_preallocated_destroy(vrfy);
318 secp256k1_context_preallocated_destroy(both);
319 free(none_prealloc);
320 free(sign_prealloc);
321 free(vrfy_prealloc);
322 free(both_prealloc);
323 } else {
324 secp256k1_context_destroy(none);
325 secp256k1_context_destroy(sign);
326 secp256k1_context_destroy(vrfy);
327 secp256k1_context_destroy(both);
328 }
5b71a3f4
GM		 329 /* Defined as no-op. */
330 secp256k1_context_destroy(NULL);
814cc78d
TR		 331 secp256k1_context_preallocated_destroy(NULL);
332
d899b5b6
AP		 333}
334
548de42e
AP		 335void run_scratch_tests(void) {
336 int32_t ecount = 0;
337 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
338 secp256k1_scratch_space *scratch;
339
340 /* Test public API */
341 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
548de42e 342
6fe50439 343 scratch = secp256k1_scratch_space_create(none, 1000);
548de42e 344 CHECK(scratch != NULL);
6fe50439 345 CHECK(ecount == 0);
548de42e
AP		 346
347 /* Test internal API */
348 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
349 CHECK(secp256k1_scratch_max_allocation(scratch, 1) < 1000);
6fe50439
AP		 350
351 /* Allocating 500 bytes with no frame fails */
352 CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL);
353 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
354
355 /* ...but pushing a new stack frame does affect the max allocation */
356 CHECK(secp256k1_scratch_allocate_frame(scratch, 500, 1 == 1));
357 CHECK(secp256k1_scratch_max_allocation(scratch, 1) < 500); /* 500 - ALIGNMENT */
358 CHECK(secp256k1_scratch_alloc(scratch, 500) != NULL);
359 CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL);
360
361 CHECK(secp256k1_scratch_allocate_frame(scratch, 500, 1) == 0);
362
363 /* ...and this effect is undone by popping the frame */
364 secp256k1_scratch_deallocate_frame(scratch);
548de42e 365 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
6fe50439 366 CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL);
548de42e
AP		 367
368 /* cleanup */
369 secp256k1_scratch_space_destroy(scratch);
370 secp256k1_context_destroy(none);
371}
372
b37fbc28
PW		 373/***** HASH TESTS *****/
374
375void run_sha256_tests(void) {
376 static const char *inputs[8] = {
377 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
378 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
379 "For this sample, this 63-byte string will be used as input data",
380 "This is exactly 64 bytes long, not counting the terminating byte"
381 };
382 static const unsigned char outputs[8][32] = {
383 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
384 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
385 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
386 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
387 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
388 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
389 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
390 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
391 };
bf2e1ac7
GM		 392 int i;
393 for (i = 0; i < 8; i++) {
394 unsigned char out[32];
d1dc9dfc 395 secp256k1_sha256 hasher;
b37fbc28
PW		 396 secp256k1_sha256_initialize(&hasher);
397 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
b37fbc28
PW		 398 secp256k1_sha256_finalize(&hasher, out);
399 CHECK(memcmp(out, outputs[i], 32) == 0);
400 if (strlen(inputs[i]) > 0) {
fa57f1bd 401 int split = secp256k1_rand_int(strlen(inputs[i]));
bf2e1ac7 402 secp256k1_sha256_initialize(&hasher);
b37fbc28
PW		 403 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
404 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
405 secp256k1_sha256_finalize(&hasher, out);
406 CHECK(memcmp(out, outputs[i], 32) == 0);
407 }
408 }
409}
410
411void run_hmac_sha256_tests(void) {
412 static const char *keys[6] = {
413 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
414 "\x4a\x65\x66\x65",
415 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
416 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
417 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
418 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
419 };
420 static const char *inputs[6] = {
421 "\x48\x69\x20\x54\x68\x65\x72\x65",
422 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
423 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
424 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
425 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
426 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
427 };
428 static const unsigned char outputs[6][32] = {
429 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
430 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
431 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
432 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
433 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
434 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
435 };
bf2e1ac7
GM		 436 int i;
437 for (i = 0; i < 6; i++) {
d1dc9dfc 438 secp256k1_hmac_sha256 hasher;
bf2e1ac7 439 unsigned char out[32];
b37fbc28
PW		 440 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
441 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
b37fbc28
PW		 442 secp256k1_hmac_sha256_finalize(&hasher, out);
443 CHECK(memcmp(out, outputs[i], 32) == 0);
444 if (strlen(inputs[i]) > 0) {
fa57f1bd 445 int split = secp256k1_rand_int(strlen(inputs[i]));
bf2e1ac7 446 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
b37fbc28
PW		 447 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
448 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
449 secp256k1_hmac_sha256_finalize(&hasher, out);
450 CHECK(memcmp(out, outputs[i], 32) == 0);
451 }
452 }
453}
454
455void run_rfc6979_hmac_sha256_tests(void) {
3e6f1e20 456 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
b37fbc28
PW		 457 static const unsigned char out1[3][32] = {
458 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
459 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
460 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
461 };
462
3e6f1e20 463 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
b37fbc28
PW		 464 static const unsigned char out2[3][32] = {
465 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
466 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
467 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
468 };
469
d1dc9dfc 470 secp256k1_rfc6979_hmac_sha256 rng;
b37fbc28 471 unsigned char out[32];
bf2e1ac7 472 int i;
b37fbc28 473
3e6f1e20 474 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
bf2e1ac7 475 for (i = 0; i < 3; i++) {
b37fbc28
PW		 476 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
477 CHECK(memcmp(out, out1[i], 32) == 0);
478 }
479 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
480
3e6f1e20 481 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
1573a102
PW		 482 for (i = 0; i < 3; i++) {
483 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
484 CHECK(memcmp(out, out1[i], 32) != 0);
485 }
486 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
487
3e6f1e20 488 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
bf2e1ac7 489 for (i = 0; i < 3; i++) {
b37fbc28
PW		 490 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
491 CHECK(memcmp(out, out2[i], 32) == 0);
492 }
493 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
494}
495
49b37498
PW		 496/***** RANDOM TESTS *****/
497
498void test_rand_bits(int rand32, int bits) {
499 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
500 * get a false negative chance below once in a billion */
501 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
502 /* We try multiplying the results with various odd numbers, which shouldn't
503 * influence the uniform distribution modulo a power of 2. */
504 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
505 /* We only select up to 6 bits from the output to analyse */
506 unsigned int usebits = bits > 6 ? 6 : bits;
507 unsigned int maxshift = bits - usebits;
508 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
509 number, track all observed outcomes, one per bit in a uint64_t. */
510 uint64_t x[6][27] = {{0}};
511 unsigned int i, shift, m;
512 /* Multiply the output of all rand calls with the odd number m, which
513 should not change the uniformity of its distribution. */
514 for (i = 0; i < rounds[usebits]; i++) {
515 uint32_t r = (rand32 ? secp256k1_rand32() : secp256k1_rand_bits(bits));
516 CHECK((((uint64_t)r) >> bits) == 0);
517 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
518 uint32_t rm = r * mults[m];
519 for (shift = 0; shift <= maxshift; shift++) {
520 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
521 }
522 }
523 }
524 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
525 for (shift = 0; shift <= maxshift; shift++) {
526 /* Test that the lower usebits bits of x[shift] are 1 */
527 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
528 }
529 }
530}
531
532/* Subrange must be a whole divisor of range, and at most 64 */
533void test_rand_int(uint32_t range, uint32_t subrange) {
534 /* (1-1/subrange)^rounds < 1/10^9 */
535 int rounds = (subrange * 2073) / 100;
536 int i;
537 uint64_t x = 0;
538 CHECK((range % subrange) == 0);
539 for (i = 0; i < rounds; i++) {
540 uint32_t r = secp256k1_rand_int(range);
541 CHECK(r < range);
542 r = r % subrange;
543 x |= (((uint64_t)1) << r);
544 }
545 /* Test that the lower subrange bits of x are 1. */
546 CHECK(((~x) << (64 - subrange)) == 0);
547}
548
549void run_rand_bits(void) {
550 size_t b;
551 test_rand_bits(1, 32);
552 for (b = 1; b <= 32; b++) {
553 test_rand_bits(0, b);
554 }
555}
556
557void run_rand_int(void) {
558 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
559 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
560 unsigned int m, s;
561 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
562 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
563 test_rand_int(ms[m] * ss[s], ss[s]);
564 }
565 }
566}
567
659b554d
PW		 568/***** NUM TESTS *****/
569
597128d3 570#ifndef USE_NUM_NONE
dd891e0e 571void random_num_negate(secp256k1_num *num) {
fa57f1bd 572 if (secp256k1_rand_bits(1)) {
659b554d 573 secp256k1_num_negate(num);
26320197 574 }
659b554d
PW		 575}
576
dd891e0e
PW		 577void random_num_order_test(secp256k1_num *num) {
578 secp256k1_scalar sc;
659b554d
PW		 579 random_scalar_order_test(&sc);
580 secp256k1_scalar_get_num(num, &sc);
581}
582
dd891e0e
PW		 583void random_num_order(secp256k1_num *num) {
584 secp256k1_scalar sc;
659b554d
PW		 585 random_scalar_order(&sc);
586 secp256k1_scalar_get_num(num, &sc);
404c30a8
PW		 587}
588
2cad067a 589void test_num_negate(void) {
dd891e0e
PW		 590 secp256k1_num n1;
591 secp256k1_num n2;
71712b27 592 random_num_order_test(&n1); /* n1 = R */
3f44e1ad 593 random_num_negate(&n1);
71712b27
GM		 594 secp256k1_num_copy(&n2, &n1); /* n2 = R */
595 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
0592d117 596 CHECK(secp256k1_num_is_zero(&n1));
71712b27
GM		 597 secp256k1_num_copy(&n1, &n2); /* n1 = R */
598 secp256k1_num_negate(&n1); /* n1 = -R */
0592d117 599 CHECK(!secp256k1_num_is_zero(&n1));
71712b27 600 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
0592d117 601 CHECK(secp256k1_num_is_zero(&n1));
71712b27
GM		 602 secp256k1_num_copy(&n1, &n2); /* n1 = R */
603 secp256k1_num_negate(&n1); /* n1 = -R */
0592d117 604 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
71712b27 605 secp256k1_num_negate(&n1); /* n1 = R */
1a749b4a 606 CHECK(secp256k1_num_eq(&n1, &n2));
3f44e1ad
PW		 607}
608
2cad067a 609void test_num_add_sub(void) {
efd953a7
PD		 610 int i;
611 secp256k1_scalar s;
dd891e0e
PW		 612 secp256k1_num n1;
613 secp256k1_num n2;
614 secp256k1_num n1p2, n2p1, n1m2, n2m1;
71712b27 615 random_num_order_test(&n1); /* n1 = R1 */
fa57f1bd 616 if (secp256k1_rand_bits(1)) {
1a749b4a
PW		 617 random_num_negate(&n1);
618 }
71712b27 619 random_num_order_test(&n2); /* n2 = R2 */
fa57f1bd 620 if (secp256k1_rand_bits(1)) {
1a749b4a
PW		 621 random_num_negate(&n2);
622 }
71712b27
GM		 623 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
624 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
625 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
626 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
1a749b4a
PW		 627 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
628 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
71712b27 629 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
1a749b4a
PW		 630 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
631 CHECK(!secp256k1_num_eq(&n2m1, &n1));
71712b27 632 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
1a749b4a
PW		 633 CHECK(secp256k1_num_eq(&n2m1, &n1));
634 CHECK(!secp256k1_num_eq(&n2p1, &n1));
71712b27 635 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
1a749b4a 636 CHECK(secp256k1_num_eq(&n2p1, &n1));
efd953a7
PD		 637
638 /* check is_one */
639 secp256k1_scalar_set_int(&s, 1);
640 secp256k1_scalar_get_num(&n1, &s);
641 CHECK(secp256k1_num_is_one(&n1));
642 /* check that 2^n + 1 is never 1 */
643 secp256k1_scalar_get_num(&n2, &s);
644 for (i = 0; i < 250; ++i) {
645 secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */
646 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */
647 CHECK(!secp256k1_num_is_one(&n1p2));
648 }
649}
650
651void test_num_mod(void) {
652 int i;
653 secp256k1_scalar s;
654 secp256k1_num order, n;
655
656 /* check that 0 mod anything is 0 */
7d893f49 657 random_scalar_order_test(&s);
efd953a7
PD		 658 secp256k1_scalar_get_num(&order, &s);
659 secp256k1_scalar_set_int(&s, 0);
660 secp256k1_scalar_get_num(&n, &s);
661 secp256k1_num_mod(&n, &order);
662 CHECK(secp256k1_num_is_zero(&n));
663
664 /* check that anything mod 1 is 0 */
665 secp256k1_scalar_set_int(&s, 1);
666 secp256k1_scalar_get_num(&order, &s);
667 secp256k1_scalar_get_num(&n, &s);
668 secp256k1_num_mod(&n, &order);
669 CHECK(secp256k1_num_is_zero(&n));
670
671 /* check that increasing the number past 2^256 does not break this */
7d893f49 672 random_scalar_order_test(&s);
efd953a7
PD		 673 secp256k1_scalar_get_num(&n, &s);
674 /* multiply by 2^8, which'll test this case with high probability */
675 for (i = 0; i < 8; ++i) {
676 secp256k1_num_add(&n, &n, &n);
677 }
678 secp256k1_num_mod(&n, &order);
679 CHECK(secp256k1_num_is_zero(&n));
680}
681
682void test_num_jacobi(void) {
683 secp256k1_scalar sqr;
684 secp256k1_scalar small;
685 secp256k1_scalar five; /* five is not a quadratic residue */
686 secp256k1_num order, n;
687 int i;
688 /* squares mod 5 are 1, 4 */
689 const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
690
691 /* check some small values with 5 as the order */
692 secp256k1_scalar_set_int(&five, 5);
693 secp256k1_scalar_get_num(&order, &five);
694 for (i = 0; i < 10; ++i) {
695 secp256k1_scalar_set_int(&small, i);
696 secp256k1_scalar_get_num(&n, &small);
697 CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
698 }
699
700 /** test large values with 5 as group order */
701 secp256k1_scalar_get_num(&order, &five);
702 /* we first need a scalar which is not a multiple of 5 */
703 do {
704 secp256k1_num fiven;
7d893f49 705 random_scalar_order_test(&sqr);
efd953a7
PD		 706 secp256k1_scalar_get_num(&fiven, &five);
707 secp256k1_scalar_get_num(&n, &sqr);
708 secp256k1_num_mod(&n, &fiven);
709 } while (secp256k1_num_is_zero(&n));
710 /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
711 * just multiply by two, i.e. add the number to itself */
712 if (secp256k1_num_jacobi(&n, &order) == -1) {
713 secp256k1_num_add(&n, &n, &n);
714 }
715
716 /* test residue */
717 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
718 /* test nonresidue */
719 secp256k1_num_add(&n, &n, &n);
720 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
721
722 /** test with secp group order as order */
723 secp256k1_scalar_order_get_num(&order);
7d893f49 724 random_scalar_order_test(&sqr);
efd953a7
PD		 725 secp256k1_scalar_sqr(&sqr, &sqr);
726 /* test residue */
727 secp256k1_scalar_get_num(&n, &sqr);
728 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
729 /* test nonresidue */
730 secp256k1_scalar_mul(&sqr, &sqr, &five);
731 secp256k1_scalar_get_num(&n, &sqr);
732 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
733 /* test multiple of the order*/
734 CHECK(secp256k1_num_jacobi(&order, &order) == 0);
735
736 /* check one less than the order */
737 secp256k1_scalar_set_int(&small, 1);
738 secp256k1_scalar_get_num(&n, &small);
739 secp256k1_num_sub(&n, &order, &n);
740 CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */
3f44e1ad
PW		 741}
742
2cad067a 743void run_num_smalltests(void) {
bf2e1ac7
GM		 744 int i;
745 for (i = 0; i < 100*count; i++) {
3f44e1ad
PW		 746 test_num_negate();
747 test_num_add_sub();
efd953a7
PD		 748 test_num_mod();
749 test_num_jacobi();
3f44e1ad 750 }
3f44e1ad 751}
597128d3 752#endif
3f44e1ad 753
79359302
PW		 754/***** SCALAR TESTS *****/
755
79359302 756void scalar_test(void) {
dd891e0e
PW		 757 secp256k1_scalar s;
758 secp256k1_scalar s1;
759 secp256k1_scalar s2;
bf2e1ac7 760#ifndef USE_NUM_NONE
dd891e0e
PW		 761 secp256k1_num snum, s1num, s2num;
762 secp256k1_num order, half_order;
bf2e1ac7 763#endif
79359302
PW		 764 unsigned char c[32];
765
71712b27 766 /* Set 's' to a random scalar, with value 'snum'. */
659b554d 767 random_scalar_order_test(&s);
79359302 768
71712b27 769 /* Set 's1' to a random scalar, with value 's1num'. */
659b554d 770 random_scalar_order_test(&s1);
79359302 771
71712b27 772 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
659b554d
PW		 773 random_scalar_order_test(&s2);
774 secp256k1_scalar_get_b32(c, &s2);
775
597128d3 776#ifndef USE_NUM_NONE
659b554d
PW		 777 secp256k1_scalar_get_num(&snum, &s);
778 secp256k1_scalar_get_num(&s1num, &s1);
779 secp256k1_scalar_get_num(&s2num, &s2);
780
659b554d 781 secp256k1_scalar_order_get_num(&order);
bf2e1ac7 782 half_order = order;
659b554d 783 secp256k1_num_shift(&half_order, 1);
597128d3 784#endif
79359302
PW		 785
786 {
bf2e1ac7 787 int i;
71712b27 788 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
dd891e0e 789 secp256k1_scalar n;
1e6c77c3 790 secp256k1_scalar_set_int(&n, 0);
bf2e1ac7 791 for (i = 0; i < 256; i += 4) {
dd891e0e 792 secp256k1_scalar t;
bf2e1ac7 793 int j;
1e6c77c3 794 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
bf2e1ac7 795 for (j = 0; j < 4; j++) {
1e6c77c3
PW		 796 secp256k1_scalar_add(&n, &n, &n);
797 }
798 secp256k1_scalar_add(&n, &n, &t);
79359302 799 }
1e6c77c3
PW		 800 CHECK(secp256k1_scalar_eq(&n, &s));
801 }
802
803 {
804 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
dd891e0e 805 secp256k1_scalar n;
1e6c77c3 806 int i = 0;
bf2e1ac7 807 secp256k1_scalar_set_int(&n, 0);
1e6c77c3 808 while (i < 256) {
dd891e0e 809 secp256k1_scalar t;
bf2e1ac7 810 int j;
fa57f1bd 811 int now = secp256k1_rand_int(15) + 1;
1e6c77c3
PW		 812 if (now + i > 256) {
813 now = 256 - i;
814 }
1e6c77c3 815 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
bf2e1ac7 816 for (j = 0; j < now; j++) {
1e6c77c3
PW		 817 secp256k1_scalar_add(&n, &n, &n);
818 }
819 secp256k1_scalar_add(&n, &n, &t);
820 i += now;
821 }
822 CHECK(secp256k1_scalar_eq(&n, &s));
79359302
PW		 823 }
824
597128d3 825#ifndef USE_NUM_NONE
79359302 826 {
71712b27 827 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
dd891e0e
PW		 828 secp256k1_num rnum;
829 secp256k1_num r2num;
830 secp256k1_scalar r;
79359302 831 secp256k1_num_add(&rnum, &snum, &s2num);
659b554d 832 secp256k1_num_mod(&rnum, &order);
79359302 833 secp256k1_scalar_add(&r, &s, &s2);
79359302
PW		 834 secp256k1_scalar_get_num(&r2num, &r);
835 CHECK(secp256k1_num_eq(&rnum, &r2num));
79359302
PW		 836 }
837
838 {
269d4227 839 /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
dd891e0e
PW		 840 secp256k1_scalar r;
841 secp256k1_num r2num;
842 secp256k1_num rnum;
79359302 843 secp256k1_num_mul(&rnum, &snum, &s2num);
659b554d 844 secp256k1_num_mod(&rnum, &order);
79359302 845 secp256k1_scalar_mul(&r, &s, &s2);
79359302
PW		 846 secp256k1_scalar_get_num(&r2num, &r);
847 CHECK(secp256k1_num_eq(&rnum, &r2num));
71712b27 848 /* The result can only be zero if at least one of the factors was zero. */
79359302 849 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
71712b27 850 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
79359302
PW		 851 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
852 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
79359302
PW		 853 }
854
855 {
dd891e0e
PW		 856 secp256k1_scalar neg;
857 secp256k1_num negnum;
858 secp256k1_num negnum2;
71712b27 859 /* Check that comparison with zero matches comparison with zero on the number. */
79359302 860 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
71712b27 861 /* Check that comparison with the half order is equal to testing for high scalar. */
659b554d 862 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
79359302 863 secp256k1_scalar_negate(&neg, &s);
659b554d
PW		 864 secp256k1_num_sub(&negnum, &order, &snum);
865 secp256k1_num_mod(&negnum, &order);
71712b27 866 /* Check that comparison with the half order is equal to testing for high scalar after negation. */
659b554d 867 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
71712b27 868 /* Negating should change the high property, unless the value was already zero. */
79359302 869 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
79359302 870 secp256k1_scalar_get_num(&negnum2, &neg);
71712b27 871 /* Negating a scalar should be equal to (order - n) mod order on the number. */
79359302
PW		 872 CHECK(secp256k1_num_eq(&negnum, &negnum2));
873 secp256k1_scalar_add(&neg, &neg, &s);
71712b27 874 /* Adding a number to its negation should result in zero. */
79359302
PW		 875 CHECK(secp256k1_scalar_is_zero(&neg));
876 secp256k1_scalar_negate(&neg, &neg);
71712b27 877 /* Negating zero should still result in zero. */
79359302 878 CHECK(secp256k1_scalar_is_zero(&neg));
79359302 879 }
ff8746d4
PW		 880
881 {
882 /* Test secp256k1_scalar_mul_shift_var. */
dd891e0e
PW		 883 secp256k1_scalar r;
884 secp256k1_num one;
885 secp256k1_num rnum;
886 secp256k1_num rnum2;
bf2e1ac7 887 unsigned char cone[1] = {0x01};
fa57f1bd 888 unsigned int shift = 256 + secp256k1_rand_int(257);
ff8746d4 889 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
ff8746d4
PW		 890 secp256k1_num_mul(&rnum, &s1num, &s2num);
891 secp256k1_num_shift(&rnum, shift - 1);
ff8746d4
PW		 892 secp256k1_num_set_bin(&one, cone, 1);
893 secp256k1_num_add(&rnum, &rnum, &one);
894 secp256k1_num_shift(&rnum, 1);
ff8746d4
PW		 895 secp256k1_scalar_get_num(&rnum2, &r);
896 CHECK(secp256k1_num_eq(&rnum, &rnum2));
897 }
44015000
AP		 898
899 {
900 /* test secp256k1_scalar_shr_int */
dd891e0e 901 secp256k1_scalar r;
44015000 902 int i;
44015000
AP		 903 random_scalar_order_test(&r);
904 for (i = 0; i < 100; ++i) {
cfe0ed91 905 int low;
fa57f1bd 906 int shift = 1 + secp256k1_rand_int(15);
44015000
AP		 907 int expected = r.d[0] % (1 << shift);
908 low = secp256k1_scalar_shr_int(&r, shift);
909 CHECK(expected == low);
910 }
911 }
597128d3 912#endif
79359302
PW		 913
914 {
71712b27 915 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
79359302 916 if (!secp256k1_scalar_is_zero(&s)) {
dd891e0e 917 secp256k1_scalar inv;
597128d3 918#ifndef USE_NUM_NONE
dd891e0e
PW		 919 secp256k1_num invnum;
920 secp256k1_num invnum2;
bf2e1ac7
GM		 921#endif
922 secp256k1_scalar_inverse(&inv, &s);
923#ifndef USE_NUM_NONE
924 secp256k1_num_mod_inverse(&invnum, &snum, &order);
79359302
PW		 925 secp256k1_scalar_get_num(&invnum2, &inv);
926 CHECK(secp256k1_num_eq(&invnum, &invnum2));
597128d3 927#endif
79359302 928 secp256k1_scalar_mul(&inv, &inv, &s);
71712b27 929 /* Multiplying a scalar with its inverse must result in one. */
79359302
PW		 930 CHECK(secp256k1_scalar_is_one(&inv));
931 secp256k1_scalar_inverse(&inv, &inv);
71712b27 932 /* Inverting one must result in one. */
79359302 933 CHECK(secp256k1_scalar_is_one(&inv));
efd953a7
PD		 934#ifndef USE_NUM_NONE
935 secp256k1_scalar_get_num(&invnum, &inv);
936 CHECK(secp256k1_num_is_one(&invnum));
937#endif
79359302
PW		 938 }
939 }
940
941 {
71712b27 942 /* Test commutativity of add. */
dd891e0e 943 secp256k1_scalar r1, r2;
79359302
PW		 944 secp256k1_scalar_add(&r1, &s1, &s2);
945 secp256k1_scalar_add(&r2, &s2, &s1);
946 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 947 }
948
52132078 949 {
dd891e0e
PW		 950 secp256k1_scalar r1, r2;
951 secp256k1_scalar b;
bf2e1ac7 952 int i;
52132078 953 /* Test add_bit. */
fa57f1bd 954 int bit = secp256k1_rand_bits(8);
1e6c77c3 955 secp256k1_scalar_set_int(&b, 1);
52132078 956 CHECK(secp256k1_scalar_is_one(&b));
bf2e1ac7 957 for (i = 0; i < bit; i++) {
52132078
PW		 958 secp256k1_scalar_add(&b, &b, &b);
959 }
bf2e1ac7
GM		 960 r1 = s1;
961 r2 = s1;
29ae1310 962 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
52132078 963 /* No overflow happened. */
ed35d43a
AP		 964 secp256k1_scalar_cadd_bit(&r2, bit, 1);
965 CHECK(secp256k1_scalar_eq(&r1, &r2));
966 /* cadd is a noop when flag is zero */
967 secp256k1_scalar_cadd_bit(&r2, bit, 0);
52132078
PW		 968 CHECK(secp256k1_scalar_eq(&r1, &r2));
969 }
970 }
971
79359302 972 {
71712b27 973 /* Test commutativity of mul. */
dd891e0e 974 secp256k1_scalar r1, r2;
79359302
PW		 975 secp256k1_scalar_mul(&r1, &s1, &s2);
976 secp256k1_scalar_mul(&r2, &s2, &s1);
977 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 978 }
979
980 {
71712b27 981 /* Test associativity of add. */
dd891e0e 982 secp256k1_scalar r1, r2;
79359302
PW		 983 secp256k1_scalar_add(&r1, &s1, &s2);
984 secp256k1_scalar_add(&r1, &r1, &s);
985 secp256k1_scalar_add(&r2, &s2, &s);
986 secp256k1_scalar_add(&r2, &s1, &r2);
987 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 988 }
989
990 {
71712b27 991 /* Test associativity of mul. */
dd891e0e 992 secp256k1_scalar r1, r2;
79359302
PW		 993 secp256k1_scalar_mul(&r1, &s1, &s2);
994 secp256k1_scalar_mul(&r1, &r1, &s);
995 secp256k1_scalar_mul(&r2, &s2, &s);
996 secp256k1_scalar_mul(&r2, &s1, &r2);
997 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 998 }
999
1000 {
71712b27 1001 /* Test distributitivity of mul over add. */
dd891e0e 1002 secp256k1_scalar r1, r2, t;
79359302
PW		 1003 secp256k1_scalar_add(&r1, &s1, &s2);
1004 secp256k1_scalar_mul(&r1, &r1, &s);
1005 secp256k1_scalar_mul(&r2, &s1, &s);
1006 secp256k1_scalar_mul(&t, &s2, &s);
1007 secp256k1_scalar_add(&r2, &r2, &t);
1008 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302 1009 }
1d52a8b1
PW		 1010
1011 {
71712b27 1012 /* Test square. */
dd891e0e 1013 secp256k1_scalar r1, r2;
1d52a8b1
PW		 1014 secp256k1_scalar_sqr(&r1, &s1);
1015 secp256k1_scalar_mul(&r2, &s1, &s1);
1016 CHECK(secp256k1_scalar_eq(&r1, &r2));
1017 }
ff8746d4 1018
8d11164b
GM		 1019 {
1020 /* Test multiplicative identity. */
dd891e0e 1021 secp256k1_scalar r1, v1;
8d11164b
GM		 1022 secp256k1_scalar_set_int(&v1,1);
1023 secp256k1_scalar_mul(&r1, &s1, &v1);
1024 CHECK(secp256k1_scalar_eq(&r1, &s1));
1025 }
1026
1027 {
1028 /* Test additive identity. */
dd891e0e 1029 secp256k1_scalar r1, v0;
8d11164b
GM		 1030 secp256k1_scalar_set_int(&v0,0);
1031 secp256k1_scalar_add(&r1, &s1, &v0);
1032 CHECK(secp256k1_scalar_eq(&r1, &s1));
1033 }
1034
1035 {
1036 /* Test zero product property. */
dd891e0e 1037 secp256k1_scalar r1, v0;
8d11164b
GM		 1038 secp256k1_scalar_set_int(&v0,0);
1039 secp256k1_scalar_mul(&r1, &s1, &v0);
1040 CHECK(secp256k1_scalar_eq(&r1, &v0));
1041 }
1042
79359302
PW		 1043}
1044
1045void run_scalar_tests(void) {
bf2e1ac7
GM		 1046 int i;
1047 for (i = 0; i < 128 * count; i++) {
79359302
PW		 1048 scalar_test();
1049 }
659b554d
PW		 1050
1051 {
ee3eb4be 1052 /* (-1)+1 should be zero. */
dd891e0e 1053 secp256k1_scalar s, o;
659b554d 1054 secp256k1_scalar_set_int(&s, 1);
8d11164b 1055 CHECK(secp256k1_scalar_is_one(&s));
659b554d
PW		 1056 secp256k1_scalar_negate(&o, &s);
1057 secp256k1_scalar_add(&o, &o, &s);
1058 CHECK(secp256k1_scalar_is_zero(&o));
8d11164b
GM		 1059 secp256k1_scalar_negate(&o, &o);
1060 CHECK(secp256k1_scalar_is_zero(&o));
659b554d
PW		 1061 }
1062
597128d3 1063#ifndef USE_NUM_NONE
659b554d 1064 {
ee3eb4be 1065 /* A scalar with value of the curve order should be 0. */
dd891e0e
PW		 1066 secp256k1_num order;
1067 secp256k1_scalar zero;
bf2e1ac7 1068 unsigned char bin[32];
659b554d 1069 int overflow = 0;
bf2e1ac7
GM		 1070 secp256k1_scalar_order_get_num(&order);
1071 secp256k1_num_get_bin(bin, 32, &order);
659b554d
PW		 1072 secp256k1_scalar_set_b32(&zero, bin, &overflow);
1073 CHECK(overflow == 1);
1074 CHECK(secp256k1_scalar_is_zero(&zero));
1075 }
597128d3 1076#endif
26abce75
GM		 1077
1078 {
1079 /* Does check_overflow check catch all ones? */
1080 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1081 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1082 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1083 );
1084 CHECK(secp256k1_scalar_check_overflow(&overflowed));
1085 }
1086
1087 {
1088 /* Static test vectors.
269d4227 1089 * These were reduced from ~10^12 random vectors based on comparison-decision
26abce75
GM		 1090 * and edge-case coverage on 32-bit and 64-bit implementations.
1091 * The responses were generated with Sage 5.9.
1092 */
1093 secp256k1_scalar x;
1094 secp256k1_scalar y;
1095 secp256k1_scalar z;
1096 secp256k1_scalar zz;
1097 secp256k1_scalar one;
1098 secp256k1_scalar r1;
1099 secp256k1_scalar r2;
1100#if defined(USE_SCALAR_INV_NUM)
1101 secp256k1_scalar zzv;
1102#endif
1103 int overflow;
093a497a 1104 unsigned char chal[33][2][32] = {
26abce75
GM		 1105 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1106 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1107 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1108 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1109 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1110 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1111 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1112 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1113 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1114 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1115 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1116 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1117 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1118 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1119 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1120 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1121 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1122 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1123 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1124 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1125 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1126 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1127 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1128 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1129 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1130 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1131 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1132 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1133 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1134 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1135 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1136 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1137 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1138 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1139 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1140 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1141 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1142 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1143 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1144 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1145 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1146 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1147 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1148 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1149 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1150 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1151 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1152 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1153 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1154 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1155 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1156 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1157 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1158 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1159 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1160 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1161 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1162 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1163 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1164 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1165 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1166 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1167 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1168 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1169 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1170 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1171 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1172 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1173 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1174 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1175 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1176 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1177 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1178 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1179 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1180 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1181 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1182 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1183 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1184 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1185 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1186 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1187 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1188 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1189 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1190 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1191 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1192 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1193 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1194 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1195 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1196 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1197 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1198 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1199 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1200 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1201 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1202 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1203 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1204 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1205 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1206 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1207 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1208 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1209 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1210 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1211 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1212 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1213 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1214 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1215 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1216 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1217 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1218 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1219 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1220 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1221 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1222 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1223 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1224 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1225 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1226 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1227 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1228 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1229 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1230 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1231 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1232 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1233 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1234 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1235 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1236 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1237 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1238 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1239 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1240 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1241 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1242 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1243 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1244 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1245 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1246 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1247 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1248 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1249 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1250 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1251 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1252 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1253 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1254 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1255 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1256 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1257 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1258 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1259 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1260 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1261 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1262 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1263 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1264 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1265 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1266 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1267 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1268 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1269 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1270 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1271 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1272 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1273 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1274 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1275 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1276 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1277 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1278 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1279 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1280 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1281 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1282 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1283 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1284 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1285 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1286 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1287 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1288 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1289 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1290 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1291 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1292 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1293 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1294 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1295 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1296 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1297 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1298 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1299 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1300 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1301 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1302 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1303 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1304 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1305 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1306 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1307 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1308 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1309 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1310 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1311 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1312 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1313 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1314 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1315 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1316 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1317 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1318 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1319 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1320 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1321 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1322 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1323 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1324 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1325 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1326 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1327 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1328 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1329 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1330 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1331 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1332 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1333 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1334 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1335 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1336 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1337 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1338 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1339 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1340 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1341 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1342 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1343 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1344 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1345 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1346 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1347 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1348 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1349 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1350 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1351 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1352 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1353 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1354 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1355 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1356 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1357 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1358 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1359 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
093a497a
JN		 1360 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1361 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1362 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1363 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1364 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1365 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1366 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1367 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1368 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
26abce75 1369 };
093a497a 1370 unsigned char res[33][2][32] = {
26abce75
GM		 1371 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1372 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1373 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1374 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1375 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1376 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1377 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1378 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1379 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1380 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1381 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1382 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1383 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1384 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1385 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1386 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1387 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1388 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1389 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1390 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1391 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1392 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1393 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1394 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1395 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1396 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1397 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1398 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1399 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1400 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1401 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1402 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1403 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1404 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1405 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1406 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1407 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1408 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1409 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1410 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1411 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1412 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1413 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1414 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1415 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1416 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1417 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1418 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1419 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1420 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1421 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1422 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1423 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1424 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1425 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1426 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1427 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1428 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1429 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1430 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1431 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1432 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1433 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1434 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1435 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1436 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1437 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1438 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1439 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1440 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1441 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1442 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1443 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1444 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1445 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1446 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1447 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1448 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1449 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1450 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1451 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1452 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1453 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1454 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1455 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1456 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1457 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1458 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1459 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1460 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1461 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1462 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1463 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1464 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1465 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1466 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1467 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1468 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1469 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1470 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1471 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1472 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1473 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1474 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1475 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1476 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1477 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1478 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1479 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1480 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1481 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1482 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1483 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1484 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1485 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1486 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1487 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1488 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1489 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1490 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1491 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1492 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1493 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1494 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1495 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1496 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1497 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1498 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1499 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1500 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1501 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1502 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1503 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1504 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1505 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1506 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1507 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1508 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1509 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1510 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1511 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1512 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1513 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1514 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1515 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1516 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1517 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1518 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1519 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1520 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1521 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1522 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1523 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1524 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1525 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1526 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1527 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1528 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1529 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1530 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1531 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1532 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1533 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1534 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1535 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1536 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1537 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1538 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1539 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1540 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1541 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1542 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1543 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1544 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1545 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1546 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1547 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1548 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1549 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1550 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1551 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1552 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1553 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1554 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1555 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1556 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1557 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1558 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1559 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1560 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1561 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1562 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1563 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1564 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1565 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1566 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1567 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1568 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1569 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1570 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1571 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1572 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1573 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1574 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1575 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1576 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1577 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1578 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1579 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1580 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1581 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1582 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1583 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1584 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1585 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1586 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1587 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1588 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1589 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1590 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1591 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1592 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1593 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1594 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1595 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1596 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1597 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1598 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1599 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1600 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1601 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1602 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1603 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1604 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1605 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1606 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1607 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1608 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1609 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1610 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1611 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1612 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1613 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1614 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1615 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1616 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1617 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1618 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1619 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1620 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1621 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1622 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1623 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1624 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1625 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
093a497a
JN		 1626 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1627 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1628 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1629 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1630 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1631 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1632 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1633 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1634 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
26abce75
GM		 1635 };
1636 secp256k1_scalar_set_int(&one, 1);
093a497a 1637 for (i = 0; i < 33; i++) {
26abce75
GM		 1638 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1639 CHECK(!overflow);
1640 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1641 CHECK(!overflow);
1642 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1643 CHECK(!overflow);
1644 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1645 CHECK(!overflow);
1646 secp256k1_scalar_mul(&z, &x, &y);
1647 CHECK(!secp256k1_scalar_check_overflow(&z));
1648 CHECK(secp256k1_scalar_eq(&r1, &z));
1649 if (!secp256k1_scalar_is_zero(&y)) {
1650 secp256k1_scalar_inverse(&zz, &y);
1651 CHECK(!secp256k1_scalar_check_overflow(&zz));
1652#if defined(USE_SCALAR_INV_NUM)
1653 secp256k1_scalar_inverse_var(&zzv, &y);
1654 CHECK(secp256k1_scalar_eq(&zzv, &zz));
1655#endif
1656 secp256k1_scalar_mul(&z, &z, &zz);
1657 CHECK(!secp256k1_scalar_check_overflow(&z));
1658 CHECK(secp256k1_scalar_eq(&x, &z));
1659 secp256k1_scalar_mul(&zz, &zz, &y);
1660 CHECK(!secp256k1_scalar_check_overflow(&zz));
1661 CHECK(secp256k1_scalar_eq(&one, &zz));
1662 }
1663 secp256k1_scalar_mul(&z, &x, &x);
1664 CHECK(!secp256k1_scalar_check_overflow(&z));
1665 secp256k1_scalar_sqr(&zz, &x);
1666 CHECK(!secp256k1_scalar_check_overflow(&zz));
1667 CHECK(secp256k1_scalar_eq(&zz, &z));
1668 CHECK(secp256k1_scalar_eq(&r2, &zz));
1669 }
1670 }
79359302
PW		 1671}
1672
09ca4f32
PD		 1673/***** FIELD TESTS *****/
1674
dd891e0e 1675void random_fe(secp256k1_fe *x) {
09ca4f32 1676 unsigned char bin[32];
d907ebc0
PW		 1677 do {
1678 secp256k1_rand256(bin);
1679 if (secp256k1_fe_set_b32(x, bin)) {
1680 return;
1681 }
1682 } while(1);
09ca4f32
PD		 1683}
1684
64666251
PW		 1685void random_fe_test(secp256k1_fe *x) {
1686 unsigned char bin[32];
1687 do {
1688 secp256k1_rand256_test(bin);
1689 if (secp256k1_fe_set_b32(x, bin)) {
1690 return;
1691 }
1692 } while(1);
1693}
1694
dd891e0e 1695void random_fe_non_zero(secp256k1_fe *nz) {
6d6102fe 1696 int tries = 10;
09ca4f32 1697 while (--tries >= 0) {
6d6102fe
PD		 1698 random_fe(nz);
1699 secp256k1_fe_normalize(nz);
26320197 1700 if (!secp256k1_fe_is_zero(nz)) {
09ca4f32 1701 break;
26320197 1702 }
09ca4f32 1703 }
71712b27 1704 /* Infinitesimal probability of spurious failure here */
0592d117 1705 CHECK(tries >= 0);
09ca4f32
PD		 1706}
1707
dd891e0e
PW		 1708void random_fe_non_square(secp256k1_fe *ns) {
1709 secp256k1_fe r;
bf2e1ac7 1710 random_fe_non_zero(ns);
926836ad 1711 if (secp256k1_fe_sqrt(&r, ns)) {
6d6102fe
PD		 1712 secp256k1_fe_negate(ns, ns, 1);
1713 }
1714}
1715
dd891e0e
PW		 1716int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1717 secp256k1_fe an = *a;
1718 secp256k1_fe bn = *b;
bf2e1ac7
GM		 1719 secp256k1_fe_normalize_weak(&an);
1720 secp256k1_fe_normalize_var(&bn);
d7174edf 1721 return secp256k1_fe_equal_var(&an, &bn);
f16be77f
PD		 1722}
1723
dd891e0e
PW		 1724int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) {
1725 secp256k1_fe x;
1726 secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
bf2e1ac7 1727 secp256k1_fe_mul(&x, a, ai);
f16be77f
PD		 1728 return check_fe_equal(&x, &one);
1729}
1730
ff889f7d
PW		 1731void run_field_convert(void) {
1732 static const unsigned char b32[32] = {
1733 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1734 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1735 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1736 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1737 };
dd891e0e 1738 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
ff889f7d
PW		 1739 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1740 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1741 );
dd891e0e 1742 static const secp256k1_fe fe = SECP256K1_FE_CONST(
ff889f7d
PW		 1743 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1744 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1745 );
dd891e0e 1746 secp256k1_fe fe2;
ff889f7d 1747 unsigned char b322[32];
dd891e0e 1748 secp256k1_fe_storage fes2;
ff889f7d
PW		 1749 /* Check conversions to fe. */
1750 CHECK(secp256k1_fe_set_b32(&fe2, b32));
1751 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
ff889f7d
PW		 1752 secp256k1_fe_from_storage(&fe2, &fes);
1753 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1754 /* Check conversion from fe. */
1755 secp256k1_fe_get_b32(b322, &fe);
1756 CHECK(memcmp(b322, b32, 32) == 0);
ff889f7d
PW		 1757 secp256k1_fe_to_storage(&fes2, &fe);
1758 CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0);
1759}
1760
dd891e0e
PW		 1761int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b) {
1762 secp256k1_fe t = *b;
a0601cd7
PD		 1763#ifdef VERIFY
1764 t.magnitude = a->magnitude;
1765 t.normalized = a->normalized;
1766#endif
dd891e0e 1767 return memcmp(a, &t, sizeof(secp256k1_fe));
a0601cd7
PD		 1768}
1769
8d11164b 1770void run_field_misc(void) {
dd891e0e
PW		 1771 secp256k1_fe x;
1772 secp256k1_fe y;
1773 secp256k1_fe z;
1774 secp256k1_fe q;
1775 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
3f3964e4 1776 int i, j;
bf2e1ac7 1777 for (i = 0; i < 5*count; i++) {
dd891e0e 1778 secp256k1_fe_storage xs, ys, zs;
8d11164b
GM		 1779 random_fe(&x);
1780 random_fe_non_zero(&y);
1781 /* Test the fe equality and comparison operations. */
1782 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
d7174edf 1783 CHECK(secp256k1_fe_equal_var(&x, &x));
8d11164b
GM		 1784 z = x;
1785 secp256k1_fe_add(&z,&y);
9c4fb23d
GM		 1786 /* Test fe conditional move; z is not normalized here. */
1787 q = x;
1788 secp256k1_fe_cmov(&x, &z, 0);
3f3964e4 1789 VERIFY_CHECK(!x.normalized && x.magnitude == z.magnitude);
9c4fb23d 1790 secp256k1_fe_cmov(&x, &x, 1);
a0601cd7
PD		 1791 CHECK(fe_memcmp(&x, &z) != 0);
1792 CHECK(fe_memcmp(&x, &q) == 0);
9c4fb23d 1793 secp256k1_fe_cmov(&q, &z, 1);
3f3964e4 1794 VERIFY_CHECK(!q.normalized && q.magnitude == z.magnitude);
a0601cd7 1795 CHECK(fe_memcmp(&q, &z) == 0);
a0601cd7
PD		 1796 secp256k1_fe_normalize_var(&x);
1797 secp256k1_fe_normalize_var(&z);
9c4fb23d 1798 CHECK(!secp256k1_fe_equal_var(&x, &z));
3f3964e4
PD		 1799 secp256k1_fe_normalize_var(&q);
1800 secp256k1_fe_cmov(&q, &z, (i&1));
1801 VERIFY_CHECK(q.normalized && q.magnitude == 1);
1802 for (j = 0; j < 6; j++) {
1803 secp256k1_fe_negate(&z, &z, j+1);
1804 secp256k1_fe_normalize_var(&q);
1805 secp256k1_fe_cmov(&q, &z, (j&1));
1806 VERIFY_CHECK(!q.normalized && q.magnitude == (j+2));
1807 }
1808 secp256k1_fe_normalize_var(&z);
1809 /* Test storage conversion and conditional moves. */
fcc48c45
PW		 1810 secp256k1_fe_to_storage(&xs, &x);
1811 secp256k1_fe_to_storage(&ys, &y);
1812 secp256k1_fe_to_storage(&zs, &z);
1813 secp256k1_fe_storage_cmov(&zs, &xs, 0);
9c4fb23d 1814 secp256k1_fe_storage_cmov(&zs, &zs, 1);
fcc48c45
PW		 1815 CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0);
1816 secp256k1_fe_storage_cmov(&ys, &xs, 1);
1817 CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0);
1818 secp256k1_fe_from_storage(&x, &xs);
1819 secp256k1_fe_from_storage(&y, &ys);
1820 secp256k1_fe_from_storage(&z, &zs);
8d11164b
GM		 1821 /* Test that mul_int, mul, and add agree. */
1822 secp256k1_fe_add(&y, &x);
1823 secp256k1_fe_add(&y, &x);
1824 z = x;
1825 secp256k1_fe_mul_int(&z, 3);
1826 CHECK(check_fe_equal(&y, &z));
1827 secp256k1_fe_add(&y, &x);
1828 secp256k1_fe_add(&z, &x);
1829 CHECK(check_fe_equal(&z, &y));
1830 z = x;
1831 secp256k1_fe_mul_int(&z, 5);
1832 secp256k1_fe_mul(&q, &x, &fe5);
1833 CHECK(check_fe_equal(&z, &q));
1834 secp256k1_fe_negate(&x, &x, 1);
1835 secp256k1_fe_add(&z, &x);
1836 secp256k1_fe_add(&q, &x);
1837 CHECK(check_fe_equal(&y, &z));
1838 CHECK(check_fe_equal(&q, &y));
1839 }
1840}
1841
2cad067a 1842void run_field_inv(void) {
dd891e0e 1843 secp256k1_fe x, xi, xii;
bf2e1ac7
GM		 1844 int i;
1845 for (i = 0; i < 10*count; i++) {
f16be77f
PD		 1846 random_fe_non_zero(&x);
1847 secp256k1_fe_inv(&xi, &x);
1848 CHECK(check_fe_inverse(&x, &xi));
1849 secp256k1_fe_inv(&xii, &xi);
1850 CHECK(check_fe_equal(&x, &xii));
1851 }
1852}
1853
2cad067a 1854void run_field_inv_var(void) {
dd891e0e 1855 secp256k1_fe x, xi, xii;
bf2e1ac7
GM		 1856 int i;
1857 for (i = 0; i < 10*count; i++) {
f16be77f
PD		 1858 random_fe_non_zero(&x);
1859 secp256k1_fe_inv_var(&xi, &x);
1860 CHECK(check_fe_inverse(&x, &xi));
1861 secp256k1_fe_inv_var(&xii, &xi);
1862 CHECK(check_fe_equal(&x, &xii));
1863 }
1864}
1865
2cad067a 1866void run_field_inv_all_var(void) {
dd891e0e 1867 secp256k1_fe x[16], xi[16], xii[16];
bf2e1ac7 1868 int i;
71712b27 1869 /* Check it's safe to call for 0 elements */
7d893f49 1870 secp256k1_fe_inv_all_var(xi, x, 0);
bf2e1ac7
GM		 1871 for (i = 0; i < count; i++) {
1872 size_t j;
fa57f1bd 1873 size_t len = secp256k1_rand_int(15) + 1;
26320197 1874 for (j = 0; j < len; j++) {
f16be77f 1875 random_fe_non_zero(&x[j]);
26320197 1876 }
7d893f49 1877 secp256k1_fe_inv_all_var(xi, x, len);
26320197 1878 for (j = 0; j < len; j++) {
f16be77f 1879 CHECK(check_fe_inverse(&x[j], &xi[j]));
26320197 1880 }
7d893f49 1881 secp256k1_fe_inv_all_var(xii, xi, len);
26320197 1882 for (j = 0; j < len; j++) {
f16be77f 1883 CHECK(check_fe_equal(&x[j], &xii[j]));
26320197 1884 }
f16be77f
PD		 1885 }
1886}
1887
2cad067a 1888void run_sqr(void) {
dd891e0e 1889 secp256k1_fe x, s;
59447da3 1890
59447da3 1891 {
bf2e1ac7 1892 int i;
59447da3
PD		 1893 secp256k1_fe_set_int(&x, 1);
1894 secp256k1_fe_negate(&x, &x, 1);
1895
bf2e1ac7 1896 for (i = 1; i <= 512; ++i) {
59447da3
PD		 1897 secp256k1_fe_mul_int(&x, 2);
1898 secp256k1_fe_normalize(&x);
1899 secp256k1_fe_sqr(&s, &x);
59447da3
PD		 1900 }
1901 }
59447da3
PD		 1902}
1903
dd891e0e
PW		 1904void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
1905 secp256k1_fe r1, r2;
926836ad 1906 int v = secp256k1_fe_sqrt(&r1, a);
0592d117 1907 CHECK((v == 0) == (k == NULL));
09ca4f32
PD		 1908
1909 if (k != NULL) {
71712b27 1910 /* Check that the returned root is +/- the given known answer */
09ca4f32
PD		 1911 secp256k1_fe_negate(&r2, &r1, 1);
1912 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
1913 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
0592d117 1914 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
09ca4f32
PD		 1915 }
1916}
1917
2cad067a 1918void run_sqrt(void) {
dd891e0e 1919 secp256k1_fe ns, x, s, t;
bf2e1ac7 1920 int i;
6d6102fe 1921
71712b27 1922 /* Check sqrt(0) is 0 */
6d6102fe
PD		 1923 secp256k1_fe_set_int(&x, 0);
1924 secp256k1_fe_sqr(&s, &x);
1925 test_sqrt(&s, &x);
1926
71712b27 1927 /* Check sqrt of small squares (and their negatives) */
bf2e1ac7 1928 for (i = 1; i <= 100; i++) {
6d6102fe 1929 secp256k1_fe_set_int(&x, i);
09ca4f32
PD		 1930 secp256k1_fe_sqr(&s, &x);
1931 test_sqrt(&s, &x);
6d6102fe 1932 secp256k1_fe_negate(&t, &s, 1);
09ca4f32
PD		 1933 test_sqrt(&t, NULL);
1934 }
6d6102fe 1935
71712b27 1936 /* Consistency checks for large random values */
bf2e1ac7
GM		 1937 for (i = 0; i < 10; i++) {
1938 int j;
6d6102fe 1939 random_fe_non_square(&ns);
bf2e1ac7 1940 for (j = 0; j < count; j++) {
6d6102fe
PD		 1941 random_fe(&x);
1942 secp256k1_fe_sqr(&s, &x);
1943 test_sqrt(&s, &x);
1944 secp256k1_fe_negate(&t, &s, 1);
1945 test_sqrt(&t, NULL);
1946 secp256k1_fe_mul(&t, &s, &ns);
1947 test_sqrt(&t, NULL);
1948 }
1949 }
09ca4f32
PD		 1950}
1951
9338dbf7
PW		 1952/***** GROUP TESTS *****/
1953
dd891e0e 1954void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
60571c6e 1955 CHECK(a->infinity == b->infinity);
26320197 1956 if (a->infinity) {
60571c6e 1957 return;
26320197 1958 }
60571c6e 1959 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
baa75da5 1960 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
9338dbf7
PW		 1961}
1962
d2275795 1963/* This compares jacobian points including their Z, not just their geometric meaning. */
dd891e0e
PW		 1964int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
1965 secp256k1_gej a2;
1966 secp256k1_gej b2;
d2275795
GM		 1967 int ret = 1;
1968 ret &= a->infinity == b->infinity;
1969 if (ret && !a->infinity) {
1970 a2 = *a;
1971 b2 = *b;
1972 secp256k1_fe_normalize(&a2.x);
1973 secp256k1_fe_normalize(&a2.y);
1974 secp256k1_fe_normalize(&a2.z);
1975 secp256k1_fe_normalize(&b2.x);
1976 secp256k1_fe_normalize(&b2.y);
1977 secp256k1_fe_normalize(&b2.z);
1978 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
1979 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
1980 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
1981 }
1982 return ret;
1983}
1984
dd891e0e
PW		 1985void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
1986 secp256k1_fe z2s;
1987 secp256k1_fe u1, u2, s1, s2;
60571c6e 1988 CHECK(a->infinity == b->infinity);
26320197 1989 if (a->infinity) {
60571c6e 1990 return;
26320197 1991 }
60571c6e 1992 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
60571c6e 1993 secp256k1_fe_sqr(&z2s, &b->z);
60571c6e
PW		 1994 secp256k1_fe_mul(&u1, &a->x, &z2s);
1995 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
1996 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
1997 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
1998 CHECK(secp256k1_fe_equal_var(&u1, &u2));
1999 CHECK(secp256k1_fe_equal_var(&s1, &s2));
9338dbf7
PW		 2000}
2001
2cad067a 2002void test_ge(void) {
bf2e1ac7 2003 int i, i1;
76574202
PW		 2004#ifdef USE_ENDOMORPHISM
2005 int runs = 6;
2006#else
60571c6e 2007 int runs = 4;
76574202 2008#endif
60571c6e
PW		 2009 /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
2010 * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
2011 * All magnitudes are randomized.
269d4227 2012 * All 17*17 combinations of points are added to each other, using all applicable methods.
76574202
PW		 2013 *
2014 * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well.
60571c6e 2015 */
5eb030ca
WL		 2016 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
2017 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
2018 secp256k1_fe *zinv = (secp256k1_fe *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
dd891e0e
PW		 2019 secp256k1_fe zf;
2020 secp256k1_fe zfi2, zfi3;
4f9791ab 2021
60571c6e
PW		 2022 secp256k1_gej_set_infinity(&gej[0]);
2023 secp256k1_ge_clear(&ge[0]);
2024 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
bf2e1ac7
GM		 2025 for (i = 0; i < runs; i++) {
2026 int j;
dd891e0e 2027 secp256k1_ge g;
60571c6e 2028 random_group_element_test(&g);
76574202
PW		 2029#ifdef USE_ENDOMORPHISM
2030 if (i >= runs - 2) {
2031 secp256k1_ge_mul_lambda(&g, &ge[1]);
2032 }
2033 if (i >= runs - 1) {
2034 secp256k1_ge_mul_lambda(&g, &g);
2035 }
2036#endif
60571c6e
PW		 2037 ge[1 + 4 * i] = g;
2038 ge[2 + 4 * i] = g;
2039 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
2040 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
2041 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
2042 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
2043 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
2044 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
bf2e1ac7 2045 for (j = 0; j < 4; j++) {
60571c6e
PW		 2046 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
2047 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
2048 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
2049 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
2050 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
2051 }
2052 }
2053
4f9791ab
PD		 2054 /* Compute z inverses. */
2055 {
5eb030ca 2056 secp256k1_fe *zs = checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
4f9791ab
PD		 2057 for (i = 0; i < 4 * runs + 1; i++) {
2058 if (i == 0) {
2059 /* The point at infinity does not have a meaningful z inverse. Any should do. */
2060 do {
2061 random_field_element_test(&zs[i]);
2062 } while(secp256k1_fe_is_zero(&zs[i]));
2063 } else {
2064 zs[i] = gej[i].z;
2065 }
2066 }
7d893f49 2067 secp256k1_fe_inv_all_var(zinv, zs, 4 * runs + 1);
4f9791ab
PD		 2068 free(zs);
2069 }
2070
2071 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
2072 do {
2073 random_field_element_test(&zf);
2074 } while(secp256k1_fe_is_zero(&zf));
2075 random_field_element_magnitude(&zf);
2076 secp256k1_fe_inv_var(&zfi3, &zf);
2077 secp256k1_fe_sqr(&zfi2, &zfi3);
2078 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
2079
bf2e1ac7
GM		 2080 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
2081 int i2;
2082 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
60571c6e 2083 /* Compute reference result using gej + gej (var). */
dd891e0e
PW		 2084 secp256k1_gej refj, resj;
2085 secp256k1_ge ref;
2086 secp256k1_fe zr;
4f9791ab
PD		 2087 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2088 /* Check Z ratio. */
2089 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
dd891e0e 2090 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
4f9791ab
PD		 2091 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
2092 }
60571c6e
PW		 2093 secp256k1_ge_set_gej_var(&ref, &refj);
2094
2d5a186c
PD		 2095 /* Test gej + ge with Z ratio result (var). */
2096 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
60571c6e 2097 ge_equals_gej(&ref, &resj);
2d5a186c 2098 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
dd891e0e 2099 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2d5a186c
PD		 2100 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
2101 }
60571c6e 2102
4f9791ab
PD		 2103 /* Test gej + ge (var, with additional Z factor). */
2104 {
dd891e0e 2105 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
4f9791ab
PD		 2106 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
2107 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
2108 random_field_element_magnitude(&ge2_zfi.x);
2109 random_field_element_magnitude(&ge2_zfi.y);
2110 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
2111 ge_equals_gej(&ref, &resj);
2112 }
2113
60571c6e
PW		 2114 /* Test gej + ge (const). */
2115 if (i2 != 0) {
2116 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
2117 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
2118 ge_equals_gej(&ref, &resj);
2119 }
2120
2121 /* Test doubling (var). */
2122 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
dd891e0e 2123 secp256k1_fe zr2;
4f9791ab
PD		 2124 /* Normal doubling with Z ratio result. */
2125 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
60571c6e 2126 ge_equals_gej(&ref, &resj);
4f9791ab
PD		 2127 /* Check Z ratio. */
2128 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2129 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2130 /* Normal doubling. */
2131 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
60571c6e
PW		 2132 ge_equals_gej(&ref, &resj);
2133 }
2134
2135 /* Test adding opposites. */
2136 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2137 CHECK(secp256k1_ge_is_infinity(&ref));
2138 }
2139
2140 /* Test adding infinity. */
2141 if (i1 == 0) {
2142 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2143 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2144 ge_equals_gej(&ref, &gej[i2]);
2145 }
2146 if (i2 == 0) {
2147 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2148 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2149 ge_equals_gej(&ref, &gej[i1]);
2150 }
2151 }
2152 }
2153
9ab93355
PW		 2154 /* Test adding all points together in random order equals infinity. */
2155 {
dd891e0e 2156 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
5eb030ca 2157 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
bf2e1ac7 2158 for (i = 0; i < 4 * runs + 1; i++) {
9ab93355
PW		 2159 gej_shuffled[i] = gej[i];
2160 }
bf2e1ac7 2161 for (i = 0; i < 4 * runs + 1; i++) {
fa57f1bd 2162 int swap = i + secp256k1_rand_int(4 * runs + 1 - i);
9ab93355 2163 if (swap != i) {
dd891e0e 2164 secp256k1_gej t = gej_shuffled[i];
9ab93355
PW		 2165 gej_shuffled[i] = gej_shuffled[swap];
2166 gej_shuffled[swap] = t;
2167 }
2168 }
bf2e1ac7 2169 for (i = 0; i < 4 * runs + 1; i++) {
4f9791ab 2170 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
9ab93355
PW		 2171 }
2172 CHECK(secp256k1_gej_is_infinity(&sum));
2173 free(gej_shuffled);
2174 }
2175
4f9791ab 2176 /* Test batch gej -> ge conversion with and without known z ratios. */
60571c6e 2177 {
5eb030ca 2178 secp256k1_fe *zr = (secp256k1_fe *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_fe));
5eb030ca 2179 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
4f9791ab
PD		 2180 for (i = 0; i < 4 * runs + 1; i++) {
2181 /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
2182 if (i < 4 * runs) {
2183 secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
2184 }
2185 }
7f7a2ed3 2186 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
bf2e1ac7 2187 for (i = 0; i < 4 * runs + 1; i++) {
dd891e0e 2188 secp256k1_fe s;
d2275795
GM		 2189 random_fe_non_zero(&s);
2190 secp256k1_gej_rescale(&gej[i], &s);
60571c6e
PW		 2191 ge_equals_gej(&ge_set_all[i], &gej[i]);
2192 }
2193 free(ge_set_all);
4f9791ab 2194 free(zr);
60571c6e
PW		 2195 }
2196
ffd3b346
AP		 2197 /* Test batch gej -> ge conversion with many infinities. */
2198 for (i = 0; i < 4 * runs + 1; i++) {
2199 random_group_element_test(&ge[i]);
2200 /* randomly set half the points to infinitiy */
2201 if(secp256k1_fe_is_odd(&ge[i].x)) {
2202 secp256k1_ge_set_infinity(&ge[i]);
2203 }
2204 secp256k1_gej_set_ge(&gej[i], &ge[i]);
2205 }
2206 /* batch invert */
2207 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
2208 /* check result */
2209 for (i = 0; i < 4 * runs + 1; i++) {
2210 ge_equals_gej(&ge[i], &gej[i]);
2211 }
2212
60571c6e
PW		 2213 free(ge);
2214 free(gej);
4f9791ab 2215 free(zinv);
9338dbf7
PW		 2216}
2217
8c5d5f7b
AP		 2218void test_add_neg_y_diff_x(void) {
2219 /* The point of this test is to check that we can add two points
2220 * whose y-coordinates are negatives of each other but whose x
2221 * coordinates differ. If the x-coordinates were the same, these
2222 * points would be negatives of each other and their sum is
2223 * infinity. This is cool because it "covers up" any degeneracy
2224 * in the addition algorithm that would cause the xy coordinates
2225 * of the sum to be wrong (since infinity has no xy coordinates).
2226 * HOWEVER, if the x-coordinates are different, infinity is the
2227 * wrong answer, and such degeneracies are exposed. This is the
faa2a11c
M		 2228 * root of https://github.com/bitcoin-core/secp256k1/issues/257
2229 * which this test is a regression test for.
8c5d5f7b
AP		 2230 *
2231 * These points were generated in sage as
2232 * # secp256k1 params
2233 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2234 * C = EllipticCurve ([F (0), F (7)])
2235 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2236 * N = FiniteField(G.order())
2237 *
2238 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2239 * x = polygen(N)
2240 * lam = (1 - x^3).roots()[1][0]
2241 *
2242 * # random "bad pair"
2243 * P = C.random_element()
2244 * Q = -int(lam) * P
2245 * print " P: %x %x" % P.xy()
2246 * print " Q: %x %x" % Q.xy()
2247 * print "P + Q: %x %x" % (P + Q).xy()
2248 */
dd891e0e 2249 secp256k1_gej aj = SECP256K1_GEJ_CONST(
8c5d5f7b
AP		 2250 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2251 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2252 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2253 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2254 );
dd891e0e 2255 secp256k1_gej bj = SECP256K1_GEJ_CONST(
8c5d5f7b
AP		 2256 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2257 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2258 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2259 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2260 );
dd891e0e 2261 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
8c5d5f7b
AP		 2262 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2263 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2264 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2265 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2266 );
dd891e0e
PW		 2267 secp256k1_ge b;
2268 secp256k1_gej resj;
2269 secp256k1_ge res;
8c5d5f7b
AP		 2270 secp256k1_ge_set_gej(&b, &bj);
2271
2272 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2273 secp256k1_ge_set_gej(&res, &resj);
2274 ge_equals_gej(&res, &sumj);
2275
2276 secp256k1_gej_add_ge(&resj, &aj, &b);
2277 secp256k1_ge_set_gej(&res, &resj);
2278 ge_equals_gej(&res, &sumj);
2279
2280 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2281 secp256k1_ge_set_gej(&res, &resj);
2282 ge_equals_gej(&res, &sumj);
2283}
2284
2cad067a 2285void run_ge(void) {
bf2e1ac7
GM		 2286 int i;
2287 for (i = 0; i < count * 32; i++) {
9338dbf7
PW		 2288 test_ge();
2289 }
8c5d5f7b 2290 test_add_neg_y_diff_x();
9338dbf7
PW		 2291}
2292
a5a66c70 2293void test_ec_combine(void) {
dd891e0e
PW		 2294 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2295 secp256k1_pubkey data[6];
2296 const secp256k1_pubkey* d[6];
2297 secp256k1_pubkey sd;
2298 secp256k1_pubkey sd2;
2299 secp256k1_gej Qj;
2300 secp256k1_ge Q;
a5a66c70
PW		 2301 int i;
2302 for (i = 1; i <= 6; i++) {
dd891e0e 2303 secp256k1_scalar s;
a5a66c70
PW		 2304 random_scalar_order_test(&s);
2305 secp256k1_scalar_add(&sum, &sum, &s);
2306 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2307 secp256k1_ge_set_gej(&Q, &Qj);
2308 secp256k1_pubkey_save(&data[i - 1], &Q);
2309 d[i - 1] = &data[i - 1];
2310 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2311 secp256k1_ge_set_gej(&Q, &Qj);
2312 secp256k1_pubkey_save(&sd, &Q);
dc0ce9fc 2313 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
a5a66c70
PW		 2314 CHECK(memcmp(&sd, &sd2, sizeof(sd)) == 0);
2315 }
2316}
2317
2318void run_ec_combine(void) {
2319 int i;
2320 for (i = 0; i < count * 8; i++) {
2321 test_ec_combine();
2322 }
2323}
2324
64666251
PW		 2325void test_group_decompress(const secp256k1_fe* x) {
2326 /* The input itself, normalized. */
2327 secp256k1_fe fex = *x;
e6e9805f 2328 secp256k1_fe fez;
64666251
PW		 2329 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2330 secp256k1_ge ge_quad, ge_even, ge_odd;
e6e9805f 2331 secp256k1_gej gej_quad;
64666251
PW		 2332 /* Return values of the above calls. */
2333 int res_quad, res_even, res_odd;
2334
2335 secp256k1_fe_normalize_var(&fex);
2336
926836ad 2337 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
64666251
PW		 2338 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2339 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2340
2341 CHECK(res_quad == res_even);
2342 CHECK(res_quad == res_odd);
2343
2344 if (res_quad) {
2345 secp256k1_fe_normalize_var(&ge_quad.x);
2346 secp256k1_fe_normalize_var(&ge_odd.x);
2347 secp256k1_fe_normalize_var(&ge_even.x);
2348 secp256k1_fe_normalize_var(&ge_quad.y);
2349 secp256k1_fe_normalize_var(&ge_odd.y);
2350 secp256k1_fe_normalize_var(&ge_even.y);
2351
2352 /* No infinity allowed. */
2353 CHECK(!ge_quad.infinity);
2354 CHECK(!ge_even.infinity);
2355 CHECK(!ge_odd.infinity);
2356
2357 /* Check that the x coordinates check out. */
2358 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2359 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2360 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2361
2362 /* Check that the Y coordinate result in ge_quad is a square. */
e6e9805f 2363 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
64666251
PW		 2364
2365 /* Check odd/even Y in ge_odd, ge_even. */
2366 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2367 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
e6e9805f
PW		 2368
2369 /* Check secp256k1_gej_has_quad_y_var. */
2370 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2371 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2372 do {
2373 random_fe_test(&fez);
2374 } while (secp256k1_fe_is_zero(&fez));
2375 secp256k1_gej_rescale(&gej_quad, &fez);
2376 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2377 secp256k1_gej_neg(&gej_quad, &gej_quad);
2378 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2379 do {
2380 random_fe_test(&fez);
2381 } while (secp256k1_fe_is_zero(&fez));
2382 secp256k1_gej_rescale(&gej_quad, &fez);
2383 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2384 secp256k1_gej_neg(&gej_quad, &gej_quad);
2385 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
64666251
PW		 2386 }
2387}
2388
2389void run_group_decompress(void) {
2390 int i;
2391 for (i = 0; i < count * 4; i++) {
2392 secp256k1_fe fe;
2393 random_fe_test(&fe);
2394 test_group_decompress(&fe);
2395 }
2396}
2397
09ca4f32
PD		 2398/***** ECMULT TESTS *****/
2399
2cad067a 2400void run_ecmult_chain(void) {
443cd4b8 2401 /* random starting point A (on the curve) */
dd891e0e 2402 secp256k1_gej a = SECP256K1_GEJ_CONST(
443cd4b8
PW		 2403 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2404 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2405 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2406 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2407 );
71712b27 2408 /* two random initial factors xn and gn */
dd891e0e 2409 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
443cd4b8
PW		 2410 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2411 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2412 );
dd891e0e 2413 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
443cd4b8
PW		 2414 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2415 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2416 );
71712b27 2417 /* two small multipliers to be applied to xn and gn in every iteration: */
dd891e0e
PW		 2418 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2419 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
71712b27 2420 /* accumulators with the resulting coefficients to A and G */
dd891e0e
PW		 2421 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2422 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
443cd4b8 2423 /* actual points */
cfe0ed91 2424 secp256k1_gej x;
dd891e0e 2425 secp256k1_gej x2;
443cd4b8
PW		 2426 int i;
2427
71712b27 2428 /* the point being computed */
bf2e1ac7
GM		 2429 x = a;
2430 for (i = 0; i < 200*count; i++) {
71712b27 2431 /* in each iteration, compute X = xn*X + gn*G; */
a9b6595e 2432 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
71712b27
GM		 2433 /* also compute ae and ge: the actual accumulated factors for A and G */
2434 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
f24041d6
PW		 2435 secp256k1_scalar_mul(&ae, &ae, &xn);
2436 secp256k1_scalar_mul(&ge, &ge, &xn);
2437 secp256k1_scalar_add(&ge, &ge, &gn);
71712b27 2438 /* modify xn and gn */
f24041d6
PW		 2439 secp256k1_scalar_mul(&xn, &xn, &xf);
2440 secp256k1_scalar_mul(&gn, &gn, &gf);
404c30a8 2441
71712b27 2442 /* verify */
404c30a8 2443 if (i == 19999) {
443cd4b8 2444 /* expected result after 19999 iterations */
dd891e0e 2445 secp256k1_gej rp = SECP256K1_GEJ_CONST(
443cd4b8
PW		 2446 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2447 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2448 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2449 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2450 );
2451
2452 secp256k1_gej_neg(&rp, &rp);
4f9791ab 2453 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
443cd4b8 2454 CHECK(secp256k1_gej_is_infinity(&rp));
404c30a8 2455 }
4adf6b2a 2456 }
71712b27 2457 /* redo the computation, but directly with the resulting ae and ge coefficients: */
a9b6595e 2458 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
443cd4b8 2459 secp256k1_gej_neg(&x2, &x2);
4f9791ab 2460 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
443cd4b8 2461 CHECK(secp256k1_gej_is_infinity(&x2));
a41f32e6
PW		 2462}
2463
dd891e0e 2464void test_point_times_order(const secp256k1_gej *point) {
b5c9ee75 2465 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
dd891e0e
PW		 2466 secp256k1_scalar x;
2467 secp256k1_scalar nx;
2468 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2469 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2470 secp256k1_gej res1, res2;
2471 secp256k1_ge res3;
bf2e1ac7 2472 unsigned char pub[65];
788038d3 2473 size_t psize = 65;
bf2e1ac7
GM		 2474 random_scalar_order_test(&x);
2475 secp256k1_scalar_negate(&nx, &x);
a9b6595e
PW		 2476 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2477 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
4f9791ab 2478 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
b5c9ee75 2479 CHECK(secp256k1_gej_is_infinity(&res1));
39bd94d8 2480 CHECK(secp256k1_gej_is_valid_var(&res1) == 0);
ee3eb4be
GM		 2481 secp256k1_ge_set_gej(&res3, &res1);
2482 CHECK(secp256k1_ge_is_infinity(&res3));
39bd94d8 2483 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
9234391e 2484 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
8d11164b 2485 psize = 65;
9234391e 2486 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
baa75da5
AP		 2487 /* check zero/one edge cases */
2488 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2489 secp256k1_ge_set_gej(&res3, &res1);
2490 CHECK(secp256k1_ge_is_infinity(&res3));
2491 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2492 secp256k1_ge_set_gej(&res3, &res1);
2493 ge_equals_gej(&res3, point);
2494 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2495 secp256k1_ge_set_gej(&res3, &res1);
2496 ge_equals_ge(&res3, &secp256k1_ge_const_g);
4e0ed539
PW		 2497}
2498
2cad067a 2499void run_point_times_order(void) {
bf2e1ac7 2500 int i;
dd891e0e
PW		 2501 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2502 static const secp256k1_fe xr = SECP256K1_FE_CONST(
443cd4b8
PW		 2503 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2504 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2505 );
bf2e1ac7 2506 for (i = 0; i < 500; i++) {
dd891e0e 2507 secp256k1_ge p;
39bd94d8 2508 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
dd891e0e 2509 secp256k1_gej j;
bf2e1ac7 2510 CHECK(secp256k1_ge_is_valid_var(&p));
09ca4f32 2511 secp256k1_gej_set_ge(&j, &p);
39bd94d8 2512 CHECK(secp256k1_gej_is_valid_var(&j));
09ca4f32
PD		 2513 test_point_times_order(&j);
2514 }
910d0de4 2515 secp256k1_fe_sqr(&x, &x);
4e0ed539 2516 }
443cd4b8
PW		 2517 secp256k1_fe_normalize_var(&x);
2518 CHECK(secp256k1_fe_equal_var(&x, &xr));
4e0ed539
PW		 2519}
2520
44015000
AP		 2521void ecmult_const_random_mult(void) {
2522 /* random starting point A (on the curve) */
dd891e0e 2523 secp256k1_ge a = SECP256K1_GE_CONST(
44015000
AP		 2524 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2525 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2526 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2527 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2528 );
2529 /* random initial factor xn */
dd891e0e 2530 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
44015000
AP		 2531 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2532 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2533 );
2534 /* expected xn * A (from sage) */
dd891e0e 2535 secp256k1_ge expected_b = SECP256K1_GE_CONST(
44015000
AP		 2536 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2537 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2538 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2539 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2540 );
dd891e0e 2541 secp256k1_gej b;
7c1b91ba 2542 secp256k1_ecmult_const(&b, &a, &xn, 256);
44015000
AP		 2543
2544 CHECK(secp256k1_ge_is_valid_var(&a));
2545 ge_equals_gej(&expected_b, &b);
2546}
2547
2548void ecmult_const_commutativity(void) {
dd891e0e
PW		 2549 secp256k1_scalar a;
2550 secp256k1_scalar b;
2551 secp256k1_gej res1;
2552 secp256k1_gej res2;
2553 secp256k1_ge mid1;
2554 secp256k1_ge mid2;
44015000
AP		 2555 random_scalar_order_test(&a);
2556 random_scalar_order_test(&b);
2557
7c1b91ba
AP		 2558 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
2559 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
44015000
AP		 2560 secp256k1_ge_set_gej(&mid1, &res1);
2561 secp256k1_ge_set_gej(&mid2, &res2);
7c1b91ba
AP		 2562 secp256k1_ecmult_const(&res1, &mid1, &b, 256);
2563 secp256k1_ecmult_const(&res2, &mid2, &a, 256);
44015000
AP		 2564 secp256k1_ge_set_gej(&mid1, &res1);
2565 secp256k1_ge_set_gej(&mid2, &res2);
2566 ge_equals_ge(&mid1, &mid2);
2567}
2568
2569void ecmult_const_mult_zero_one(void) {
dd891e0e
PW		 2570 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2571 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2572 secp256k1_scalar negone;
2573 secp256k1_gej res1;
2574 secp256k1_ge res2;
2575 secp256k1_ge point;
44015000
AP		 2576 secp256k1_scalar_negate(&negone, &one);
2577
2578 random_group_element_test(&point);
7c1b91ba 2579 secp256k1_ecmult_const(&res1, &point, &zero, 3);
44015000
AP		 2580 secp256k1_ge_set_gej(&res2, &res1);
2581 CHECK(secp256k1_ge_is_infinity(&res2));
7c1b91ba 2582 secp256k1_ecmult_const(&res1, &point, &one, 2);
44015000
AP		 2583 secp256k1_ge_set_gej(&res2, &res1);
2584 ge_equals_ge(&res2, &point);
7c1b91ba 2585 secp256k1_ecmult_const(&res1, &point, &negone, 256);
44015000
AP		 2586 secp256k1_gej_neg(&res1, &res1);
2587 secp256k1_ge_set_gej(&res2, &res1);
2588 ge_equals_ge(&res2, &point);
2589}
2590
2591void ecmult_const_chain_multiply(void) {
2592 /* Check known result (randomly generated test problem from sage) */
dd891e0e 2593 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
44015000
AP		 2594 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2595 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2596 );
dd891e0e 2597 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
44015000
AP		 2598 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2599 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2600 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2601 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2602 );
dd891e0e
PW		 2603 secp256k1_gej point;
2604 secp256k1_ge res;
44015000
AP		 2605 int i;
2606
2607 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2608 for (i = 0; i < 100; ++i) {
dd891e0e 2609 secp256k1_ge tmp;
44015000 2610 secp256k1_ge_set_gej(&tmp, &point);
7c1b91ba 2611 secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
44015000
AP		 2612 }
2613 secp256k1_ge_set_gej(&res, &point);
2614 ge_equals_gej(&res, &expected_point);
2615}
2616
2617void run_ecmult_const_tests(void) {
2618 ecmult_const_mult_zero_one();
2619 ecmult_const_random_mult();
2620 ecmult_const_commutativity();
2621 ecmult_const_chain_multiply();
2622}
2623
dba5471b
AP		 2624typedef struct {
2625 secp256k1_scalar *sc;
2626 secp256k1_ge *pt;
2627} ecmult_multi_data;
2628
2629static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2630 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
2631 *sc = data->sc[idx];
2632 *pt = data->pt[idx];
2633 return 1;
2634}
2635
355a38f1
JN		 2636static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2637 (void)sc;
2638 (void)pt;
2639 (void)idx;
2640 (void)cbdata;
2641 return 0;
2642}
2643
2644void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
dba5471b
AP		 2645 int ncount;
2646 secp256k1_scalar szero;
2647 secp256k1_scalar sc[32];
2648 secp256k1_ge pt[32];
2649 secp256k1_gej r;
2650 secp256k1_gej r2;
2651 ecmult_multi_data data;
355a38f1 2652 secp256k1_scratch *scratch_empty;
dba5471b
AP		 2653
2654 data.sc = sc;
2655 data.pt = pt;
dba5471b 2656 secp256k1_scalar_set_int(&szero, 0);
355a38f1
JN		 2657
2658 /* No points to multiply */
2659 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
dba5471b
AP		 2660
2661 /* Check 1- and 2-point multiplies against ecmult */
2662 for (ncount = 0; ncount < count; ncount++) {
2663 secp256k1_ge ptg;
2664 secp256k1_gej ptgj;
2665 random_scalar_order(&sc[0]);
2666 random_scalar_order(&sc[1]);
2667
2668 random_group_element_test(&ptg);
2669 secp256k1_gej_set_ge(&ptgj, &ptg);
2670 pt[0] = ptg;
2671 pt[1] = secp256k1_ge_const_g;
2672
355a38f1
JN		 2673 /* only G scalar */
2674 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
2675 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
2676 secp256k1_gej_neg(&r2, &r2);
2677 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2678 CHECK(secp256k1_gej_is_infinity(&r));
2679
dba5471b
AP		 2680 /* 1-point */
2681 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
355a38f1 2682 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
dba5471b
AP		 2683 secp256k1_gej_neg(&r2, &r2);
2684 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2685 CHECK(secp256k1_gej_is_infinity(&r));
2686
355a38f1 2687 /* Try to multiply 1 point, but scratch space is empty */
6fe50439 2688 scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
355a38f1
JN		 2689 CHECK(!ecmult_multi(&ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
2690 secp256k1_scratch_destroy(scratch_empty);
2691
2692 /* Try to multiply 1 point, but callback returns false */
2693 CHECK(!ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
2694
dba5471b
AP		 2695 /* 2-point */
2696 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
355a38f1 2697 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
dba5471b
AP		 2698 secp256k1_gej_neg(&r2, &r2);
2699 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2700 CHECK(secp256k1_gej_is_infinity(&r));
2701
2702 /* 2-point with G scalar */
2703 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
355a38f1 2704 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
dba5471b
AP		 2705 secp256k1_gej_neg(&r2, &r2);
2706 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2707 CHECK(secp256k1_gej_is_infinity(&r));
2708 }
2709
2710 /* Check infinite outputs of various forms */
2711 for (ncount = 0; ncount < count; ncount++) {
2712 secp256k1_ge ptg;
2713 size_t i, j;
2714 size_t sizes[] = { 2, 10, 32 };
2715
2716 for (j = 0; j < 3; j++) {
2717 for (i = 0; i < 32; i++) {
2718 random_scalar_order(&sc[i]);
2719 secp256k1_ge_set_infinity(&pt[i]);
2720 }
355a38f1 2721 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
dba5471b
AP		 2722 CHECK(secp256k1_gej_is_infinity(&r));
2723 }
2724
2725 for (j = 0; j < 3; j++) {
2726 for (i = 0; i < 32; i++) {
2727 random_group_element_test(&ptg);
2728 pt[i] = ptg;
2729 secp256k1_scalar_set_int(&sc[i], 0);
2730 }
355a38f1 2731 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
dba5471b
AP		 2732 CHECK(secp256k1_gej_is_infinity(&r));
2733 }
2734
2735 for (j = 0; j < 3; j++) {
2736 random_group_element_test(&ptg);
2737 for (i = 0; i < 16; i++) {
2738 random_scalar_order(&sc[2*i]);
2739 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
2740 pt[2 * i] = ptg;
2741 pt[2 * i + 1] = ptg;
2742 }
2743
355a38f1 2744 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
dba5471b
AP		 2745 CHECK(secp256k1_gej_is_infinity(&r));
2746
2747 random_scalar_order(&sc[0]);
2748 for (i = 0; i < 16; i++) {
2749 random_group_element_test(&ptg);
2750
2751 sc[2*i] = sc[0];
2752 sc[2*i+1] = sc[0];
2753 pt[2 * i] = ptg;
2754 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
2755 }
2756
355a38f1 2757 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
dba5471b
AP		 2758 CHECK(secp256k1_gej_is_infinity(&r));
2759 }
2760
2761 random_group_element_test(&ptg);
2762 secp256k1_scalar_set_int(&sc[0], 0);
2763 pt[0] = ptg;
2764 for (i = 1; i < 32; i++) {
2765 pt[i] = ptg;
2766
2767 random_scalar_order(&sc[i]);
2768 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
2769 secp256k1_scalar_negate(&sc[i], &sc[i]);
2770 }
2771
355a38f1 2772 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
dba5471b
AP		 2773 CHECK(secp256k1_gej_is_infinity(&r));
2774 }
2775
2776 /* Check random points, constant scalar */
2777 for (ncount = 0; ncount < count; ncount++) {
2778 size_t i;
2779 secp256k1_gej_set_infinity(&r);
2780
2781 random_scalar_order(&sc[0]);
2782 for (i = 0; i < 20; i++) {
2783 secp256k1_ge ptg;
2784 sc[i] = sc[0];
2785 random_group_element_test(&ptg);
2786 pt[i] = ptg;
2787 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
2788 }
2789
2790 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
355a38f1 2791 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
dba5471b
AP		 2792 secp256k1_gej_neg(&r2, &r2);
2793 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2794 CHECK(secp256k1_gej_is_infinity(&r));
2795 }
2796
2797 /* Check random scalars, constant point */
2798 for (ncount = 0; ncount < count; ncount++) {
2799 size_t i;
2800 secp256k1_ge ptg;
2801 secp256k1_gej p0j;
2802 secp256k1_scalar rs;
2803 secp256k1_scalar_set_int(&rs, 0);
2804
2805 random_group_element_test(&ptg);
2806 for (i = 0; i < 20; i++) {
2807 random_scalar_order(&sc[i]);
2808 pt[i] = ptg;
2809 secp256k1_scalar_add(&rs, &rs, &sc[i]);
2810 }
2811
2812 secp256k1_gej_set_ge(&p0j, &pt[0]);
2813 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
355a38f1 2814 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
dba5471b
AP		 2815 secp256k1_gej_neg(&r2, &r2);
2816 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2817 CHECK(secp256k1_gej_is_infinity(&r));
2818 }
2819
2820 /* Sanity check that zero scalars don't cause problems */
95e99f19
AP		 2821 for (ncount = 0; ncount < 20; ncount++) {
2822 random_scalar_order(&sc[ncount]);
2823 random_group_element_test(&pt[ncount]);
2824 }
2825
dba5471b 2826 secp256k1_scalar_clear(&sc[0]);
355a38f1 2827 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
dba5471b
AP		 2828 secp256k1_scalar_clear(&sc[1]);
2829 secp256k1_scalar_clear(&sc[2]);
2830 secp256k1_scalar_clear(&sc[3]);
2831 secp256k1_scalar_clear(&sc[4]);
355a38f1
JN		 2832 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
2833 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
dba5471b
AP		 2834 CHECK(secp256k1_gej_is_infinity(&r));
2835
2836 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
2837 {
2838 const size_t TOP = 8;
2839 size_t s0i, s1i;
2840 size_t t0i, t1i;
2841 secp256k1_ge ptg;
2842 secp256k1_gej ptgj;
2843
2844 random_group_element_test(&ptg);
2845 secp256k1_gej_set_ge(&ptgj, &ptg);
2846
2847 for(t0i = 0; t0i < TOP; t0i++) {
2848 for(t1i = 0; t1i < TOP; t1i++) {
2849 secp256k1_gej t0p, t1p;
2850 secp256k1_scalar t0, t1;
2851
2852 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
2853 secp256k1_scalar_cond_negate(&t0, t0i & 1);
2854 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
2855 secp256k1_scalar_cond_negate(&t1, t1i & 1);
2856
2857 secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
2858 secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
2859
2860 for(s0i = 0; s0i < TOP; s0i++) {
2861 for(s1i = 0; s1i < TOP; s1i++) {
2862 secp256k1_scalar tmp1, tmp2;
2863 secp256k1_gej expected, actual;
2864
2865 secp256k1_ge_set_gej(&pt[0], &t0p);
2866 secp256k1_ge_set_gej(&pt[1], &t1p);
2867
2868 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
2869 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
2870 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
2871 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
2872
2873 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
2874 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
2875 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
2876
2877 secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
355a38f1 2878 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
dba5471b
AP		 2879 secp256k1_gej_neg(&expected, &expected);
2880 secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
2881 CHECK(secp256k1_gej_is_infinity(&actual));
2882 }
2883 }
2884 }
2885 }
2886 }
355a38f1
JN		 2887}
2888
36b22c93
JN		 2889void test_secp256k1_pippenger_bucket_window_inv(void) {
2890 int i;
2891
2892 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
2893 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
2894#ifdef USE_ENDOMORPHISM
2895 /* Bucket_window of 8 is not used with endo */
2896 if (i == 8) {
2897 continue;
2898 }
2899#endif
2900 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
2901 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
2902 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
2903 }
2904 }
2905}
2906
2907/**
2908 * Probabilistically test the function returning the maximum number of possible points
2909 * for a given scratch space.
2910 */
2911void test_ecmult_multi_pippenger_max_points(void) {
2912 size_t scratch_size = secp256k1_rand_int(256);
2913 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
2914 secp256k1_scratch *scratch;
2915 size_t n_points_supported;
2916 int bucket_window = 0;
2917
2918 for(; scratch_size < max_size; scratch_size+=256) {
6fe50439 2919 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
36b22c93
JN		 2920 CHECK(scratch != NULL);
2921 n_points_supported = secp256k1_pippenger_max_points(scratch);
2922 if (n_points_supported == 0) {
2923 secp256k1_scratch_destroy(scratch);
2924 continue;
2925 }
2926 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
6fe50439
AP		 2927 CHECK(secp256k1_scratch_allocate_frame(scratch, secp256k1_pippenger_scratch_size(n_points_supported, bucket_window), PIPPENGER_SCRATCH_OBJECTS));
2928 secp256k1_scratch_deallocate_frame(scratch);
36b22c93
JN		 2929 secp256k1_scratch_destroy(scratch);
2930 }
2931 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
2932}
2933
2277af5f
JN		 2934void test_ecmult_multi_batch_size_helper(void) {
2935 size_t n_batches, n_batch_points, max_n_batch_points, n;
2936
2937 max_n_batch_points = 0;
2938 n = 1;
2939 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
2940
2941 max_n_batch_points = 1;
2942 n = 0;
2943 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2944 CHECK(n_batches == 0);
2945 CHECK(n_batch_points == 0);
2946
2947 max_n_batch_points = 2;
2948 n = 5;
2949 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2950 CHECK(n_batches == 3);
2951 CHECK(n_batch_points == 2);
2952
2953 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
2954 n = ECMULT_MAX_POINTS_PER_BATCH;
2955 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2956 CHECK(n_batches == 1);
2957 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
2958
2959 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
2960 n = ECMULT_MAX_POINTS_PER_BATCH + 1;
2961 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2962 CHECK(n_batches == 2);
2963 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
2964
2965 max_n_batch_points = 1;
2966 n = SIZE_MAX;
2967 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2968 CHECK(n_batches == SIZE_MAX);
2969 CHECK(n_batch_points == 1);
2970
2971 max_n_batch_points = 2;
2972 n = SIZE_MAX;
2973 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2974 CHECK(n_batches == SIZE_MAX/2 + 1);
2975 CHECK(n_batch_points == 2);
2976}
2977
36b22c93
JN		 2978/**
2979 * Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to
2980 * 1 <= i <= num points.
2981 */
355a38f1 2982void test_ecmult_multi_batching(void) {
36b22c93 2983 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
355a38f1
JN		 2984 secp256k1_scalar scG;
2985 secp256k1_scalar szero;
2986 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
2987 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
2988 secp256k1_gej r;
2989 secp256k1_gej r2;
2990 ecmult_multi_data data;
2991 int i;
2992 secp256k1_scratch *scratch;
2993
355a38f1
JN		 2994 secp256k1_gej_set_infinity(&r2);
2995 secp256k1_scalar_set_int(&szero, 0);
2996
36b22c93 2997 /* Get random scalars and group elements and compute result */
355a38f1
JN		 2998 random_scalar_order(&scG);
2999 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
3000 for(i = 0; i < n_points; i++) {
3001 secp256k1_ge ptg;
36b22c93 3002 secp256k1_gej ptgj;
355a38f1 3003 random_group_element_test(&ptg);
36b22c93 3004 secp256k1_gej_set_ge(&ptgj, &ptg);
355a38f1
JN		 3005 pt[i] = ptg;
3006 random_scalar_order(&sc[i]);
36b22c93
JN		 3007 secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
3008 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
355a38f1
JN		 3009 }
3010 data.sc = sc;
3011 data.pt = pt;
3012
3013 /* Test with empty scratch space */
6fe50439 3014 scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
355a38f1
JN		 3015 CHECK(!secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, 1));
3016 secp256k1_scratch_destroy(scratch);
3017
3018 /* Test with space for 1 point in pippenger. That's not enough because
3019 * ecmult_multi selects strauss which requires more memory. */
6fe50439 3020 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
355a38f1
JN		 3021 CHECK(!secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, 1));
3022 secp256k1_scratch_destroy(scratch);
3023
36b22c93
JN		 3024 secp256k1_gej_neg(&r2, &r2);
3025 for(i = 1; i <= n_points; i++) {
355a38f1
JN		 3026 if (i > ECMULT_PIPPENGER_THRESHOLD) {
3027 int bucket_window = secp256k1_pippenger_bucket_window(i);
3028 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
6fe50439 3029 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
355a38f1
JN		 3030 } else {
3031 size_t scratch_size = secp256k1_strauss_scratch_size(i);
6fe50439 3032 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
355a38f1 3033 }
36b22c93 3034 CHECK(secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
355a38f1
JN		 3035 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3036 CHECK(secp256k1_gej_is_infinity(&r));
3037 secp256k1_scratch_destroy(scratch);
3038 }
355a38f1
JN		 3039 free(sc);
3040 free(pt);
3041}
3042
3043void run_ecmult_multi_tests(void) {
3044 secp256k1_scratch *scratch;
dba5471b 3045
36b22c93
JN		 3046 test_secp256k1_pippenger_bucket_window_inv();
3047 test_ecmult_multi_pippenger_max_points();
6fe50439 3048 scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
36b22c93 3049 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
bade6174 3050 test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
36b22c93
JN		 3051 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
3052 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
3053 secp256k1_scratch_destroy(scratch);
3054
3055 /* Run test_ecmult_multi with space for exactly one point */
6fe50439 3056 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
36b22c93 3057 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
dba5471b 3058 secp256k1_scratch_destroy(scratch);
355a38f1 3059
2277af5f 3060 test_ecmult_multi_batch_size_helper();
355a38f1 3061 test_ecmult_multi_batching();
dba5471b
AP		 3062}
3063
dd891e0e
PW		 3064void test_wnaf(const secp256k1_scalar *number, int w) {
3065 secp256k1_scalar x, two, t;
bf2e1ac7
GM		 3066 int wnaf[256];
3067 int zeroes = -1;
3068 int i;
3069 int bits;
f24041d6
PW		 3070 secp256k1_scalar_set_int(&x, 0);
3071 secp256k1_scalar_set_int(&two, 2);
55399c23 3072 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
0b730597 3073 CHECK(bits <= 256);
bf2e1ac7 3074 for (i = bits-1; i >= 0; i--) {
b1483f87 3075 int v = wnaf[i];
bf2e1ac7 3076 secp256k1_scalar_mul(&x, &x, &two);
4e0ed539 3077 if (v) {
71712b27 3078 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
4e0ed539 3079 zeroes=0;
71712b27
GM		 3080 CHECK((v & 1) == 1); /* check non-zero elements are odd */
3081 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
3082 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
4e0ed539 3083 } else {
71712b27 3084 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
4e0ed539
PW		 3085 zeroes++;
3086 }
f24041d6
PW		 3087 if (v >= 0) {
3088 secp256k1_scalar_set_int(&t, v);
3089 } else {
3090 secp256k1_scalar_set_int(&t, -v);
3091 secp256k1_scalar_negate(&t, &t);
3092 }
3093 secp256k1_scalar_add(&x, &x, &t);
4e0ed539 3094 }
f24041d6 3095 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
4e0ed539
PW		 3096}
3097
dd891e0e
PW		 3098void test_constant_wnaf_negate(const secp256k1_scalar *number) {
3099 secp256k1_scalar neg1 = *number;
3100 secp256k1_scalar neg2 = *number;
44015000
AP		 3101 int sign1 = 1;
3102 int sign2 = 1;
3103
3104 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
3105 secp256k1_scalar_negate(&neg1, &neg1);
3106 sign1 = -1;
3107 }
3108 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
3109 CHECK(sign1 == sign2);
3110 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
3111}
3112
dd891e0e
PW		 3113void test_constant_wnaf(const secp256k1_scalar *number, int w) {
3114 secp256k1_scalar x, shift;
44015000
AP		 3115 int wnaf[256] = {0};
3116 int i;
92e53fc4 3117 int skew;
7c1b91ba 3118 int bits = 256;
dd891e0e 3119 secp256k1_scalar num = *number;
44015000
AP		 3120
3121 secp256k1_scalar_set_int(&x, 0);
3122 secp256k1_scalar_set_int(&shift, 1 << w);
92e53fc4
AP		 3123 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3124#ifdef USE_ENDOMORPHISM
912f203f 3125 for (i = 0; i < 16; ++i) {
92e53fc4 3126 secp256k1_scalar_shr_int(&num, 8);
912f203f 3127 }
7c1b91ba 3128 bits = 128;
92e53fc4 3129#endif
8979ec0d 3130 skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
44015000 3131
7c1b91ba 3132 for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
dd891e0e 3133 secp256k1_scalar t;
44015000
AP		 3134 int v = wnaf[i];
3135 CHECK(v != 0); /* check nonzero */
3136 CHECK(v & 1); /* check parity */
3137 CHECK(v > -(1 << w)); /* check range above */
3138 CHECK(v < (1 << w)); /* check range below */
3139
3140 secp256k1_scalar_mul(&x, &x, &shift);
3141 if (v >= 0) {
3142 secp256k1_scalar_set_int(&t, v);
3143 } else {
3144 secp256k1_scalar_set_int(&t, -v);
3145 secp256k1_scalar_negate(&t, &t);
3146 }
3147 secp256k1_scalar_add(&x, &x, &t);
3148 }
c6191fde 3149 /* Skew num because when encoding numbers as odd we use an offset */
92e53fc4 3150 secp256k1_scalar_cadd_bit(&num, skew == 2, 1);
92e53fc4 3151 CHECK(secp256k1_scalar_eq(&x, &num));
44015000
AP		 3152}
3153
355a38f1
JN		 3154void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
3155 secp256k1_scalar x, shift;
3156 int wnaf[256] = {0};
3157 int i;
3158 int skew;
3159 secp256k1_scalar num = *number;
3160
3161 secp256k1_scalar_set_int(&x, 0);
3162 secp256k1_scalar_set_int(&shift, 1 << w);
3163 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3164#ifdef USE_ENDOMORPHISM
3165 for (i = 0; i < 16; ++i) {
3166 secp256k1_scalar_shr_int(&num, 8);
3167 }
3168#endif
3169 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3170
3171 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3172 secp256k1_scalar t;
3173 int v = wnaf[i];
6dbb0078 3174 CHECK(v == 0 || v & 1); /* check parity */
355a38f1
JN		 3175 CHECK(v > -(1 << w)); /* check range above */
3176 CHECK(v < (1 << w)); /* check range below */
3177
3178 secp256k1_scalar_mul(&x, &x, &shift);
3179 if (v >= 0) {
3180 secp256k1_scalar_set_int(&t, v);
3181 } else {
3182 secp256k1_scalar_set_int(&t, -v);
3183 secp256k1_scalar_negate(&t, &t);
3184 }
3185 secp256k1_scalar_add(&x, &x, &t);
3186 }
3187 /* If skew is 1 then add 1 to num */
3188 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
3189 CHECK(secp256k1_scalar_eq(&x, &num));
3190}
3191
ec0a7b3a
JN		 3192/* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
3193 * rest is 0.*/
3194void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
3195 int i;
3196 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
3197 CHECK(wnaf[i] == 0);
3198 }
3199 for (i = 7; i >= 0; --i) {
3200 CHECK(wnaf[i] == wnaf_expected[i]);
3201 }
3202}
3203
3204void test_fixed_wnaf_small(void) {
3205 int w = 4;
355a38f1
JN		 3206 int wnaf[256] = {0};
3207 int i;
3208 int skew;
3209 secp256k1_scalar num;
3210
3211 secp256k1_scalar_set_int(&num, 0);
3212 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
355a38f1
JN		 3213 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3214 int v = wnaf[i];
3215 CHECK(v == 0);
3216 }
3217 CHECK(skew == 0);
ec0a7b3a
JN		 3218
3219 secp256k1_scalar_set_int(&num, 1);
3220 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3221 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
3222 int v = wnaf[i];
3223 CHECK(v == 0);
3224 }
3225 CHECK(wnaf[0] == 1);
3226 CHECK(skew == 0);
3227
3228 {
3229 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
3230 secp256k1_scalar_set_int(&num, 0xffffffff);
3231 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3232 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3233 CHECK(skew == 0);
3234 }
3235 {
3236 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
3237 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
3238 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3239 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3240 CHECK(skew == 1);
3241 }
3242 {
3243 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
3244 secp256k1_scalar_set_int(&num, 0x01010101);
3245 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3246 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3247 CHECK(skew == 0);
3248 }
3249 {
3250 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
3251 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
3252 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3253 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3254 CHECK(skew == 0);
3255 }
355a38f1
JN		 3256}
3257
2cad067a 3258void run_wnaf(void) {
bf2e1ac7 3259 int i;
dd891e0e 3260 secp256k1_scalar n = {{0}};
44015000
AP		 3261
3262 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
3263 * have easier-to-diagnose failure modes */
3264 n.d[0] = 1;
3265 test_constant_wnaf(&n, 4);
3266 n.d[0] = 2;
3267 test_constant_wnaf(&n, 4);
355a38f1 3268 /* Test 0 */
ec0a7b3a 3269 test_fixed_wnaf_small();
44015000 3270 /* Random tests */
bf2e1ac7 3271 for (i = 0; i < count; i++) {
f24041d6 3272 random_scalar_order(&n);
eb0be8ee 3273 test_wnaf(&n, 4+(i%10));
44015000
AP		 3274 test_constant_wnaf_negate(&n);
3275 test_constant_wnaf(&n, 4 + (i % 10));
355a38f1 3276 test_fixed_wnaf(&n, 4 + (i % 10));
4e0ed539 3277 }
96be2046
GM		 3278 secp256k1_scalar_set_int(&n, 0);
3279 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
3280 CHECK(secp256k1_scalar_is_zero(&n));
3281 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
3282 CHECK(secp256k1_scalar_is_zero(&n));
4e0ed539 3283}
a41f32e6 3284
d2275795
GM		 3285void test_ecmult_constants(void) {
3286 /* Test ecmult_gen() for [0..36) and [order-36..0). */
dd891e0e
PW		 3287 secp256k1_scalar x;
3288 secp256k1_gej r;
3289 secp256k1_ge ng;
d2275795
GM		 3290 int i;
3291 int j;
3292 secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
3293 for (i = 0; i < 36; i++ ) {
3294 secp256k1_scalar_set_int(&x, i);
3295 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3296 for (j = 0; j < i; j++) {
3297 if (j == i - 1) {
3298 ge_equals_gej(&secp256k1_ge_const_g, &r);
3299 }
3300 secp256k1_gej_add_ge(&r, &r, &ng);
3301 }
3302 CHECK(secp256k1_gej_is_infinity(&r));
3303 }
3304 for (i = 1; i <= 36; i++ ) {
3305 secp256k1_scalar_set_int(&x, i);
3306 secp256k1_scalar_negate(&x, &x);
3307 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3308 for (j = 0; j < i; j++) {
3309 if (j == i - 1) {
3310 ge_equals_gej(&ng, &r);
3311 }
3312 secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
3313 }
3314 CHECK(secp256k1_gej_is_infinity(&r));
3315 }
3316}
3317
3318void run_ecmult_constants(void) {
3319 test_ecmult_constants();
3320}
3321
3322void test_ecmult_gen_blind(void) {
269d4227 3323 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
dd891e0e
PW		 3324 secp256k1_scalar key;
3325 secp256k1_scalar b;
d2275795 3326 unsigned char seed32[32];
dd891e0e
PW		 3327 secp256k1_gej pgej;
3328 secp256k1_gej pgej2;
3329 secp256k1_gej i;
3330 secp256k1_ge pge;
d2275795
GM		 3331 random_scalar_order_test(&key);
3332 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
3333 secp256k1_rand256(seed32);
3334 b = ctx->ecmult_gen_ctx.blind;
3335 i = ctx->ecmult_gen_ctx.initial;
3336 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
3337 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3338 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
3339 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
3340 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
3341 secp256k1_ge_set_gej(&pge, &pgej);
3342 ge_equals_gej(&pge, &pgej2);
3343}
3344
3345void test_ecmult_gen_blind_reset(void) {
3346 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
dd891e0e
PW		 3347 secp256k1_scalar b;
3348 secp256k1_gej initial;
d2275795
GM		 3349 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3350 b = ctx->ecmult_gen_ctx.blind;
3351 initial = ctx->ecmult_gen_ctx.initial;
3352 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3353 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3354 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
3355}
3356
3357void run_ecmult_gen_blind(void) {
3358 int i;
3359 test_ecmult_gen_blind_reset();
3360 for (i = 0; i < 10; i++) {
3361 test_ecmult_gen_blind();
3362 }
3363}
3364
baa75da5
AP		 3365#ifdef USE_ENDOMORPHISM
3366/***** ENDOMORPHISH TESTS *****/
3367void test_scalar_split(void) {
dd891e0e
PW		 3368 secp256k1_scalar full;
3369 secp256k1_scalar s1, slam;
baa75da5
AP		 3370 const unsigned char zero[32] = {0};
3371 unsigned char tmp[32];
3372
3373 random_scalar_order_test(&full);
ed35d43a 3374 secp256k1_scalar_split_lambda(&s1, &slam, &full);
baa75da5
AP		 3375
3376 /* check that both are <= 128 bits in size */
912f203f 3377 if (secp256k1_scalar_is_high(&s1)) {
baa75da5 3378 secp256k1_scalar_negate(&s1, &s1);
912f203f
GM		 3379 }
3380 if (secp256k1_scalar_is_high(&slam)) {
baa75da5 3381 secp256k1_scalar_negate(&slam, &slam);
912f203f 3382 }
baa75da5
AP		 3383
3384 secp256k1_scalar_get_b32(tmp, &s1);
3385 CHECK(memcmp(zero, tmp, 16) == 0);
3386 secp256k1_scalar_get_b32(tmp, &slam);
3387 CHECK(memcmp(zero, tmp, 16) == 0);
3388}
3389
3390void run_endomorphism_tests(void) {
3391 test_scalar_split();
3392}
3393#endif
d2275795 3394
67f7da40
GM		 3395void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
3396 unsigned char pubkeyc[65];
3397 secp256k1_pubkey pubkey;
3398 secp256k1_ge ge;
3399 size_t pubkeyclen;
3400 int32_t ecount;
3401 ecount = 0;
3402 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3403 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
3404 /* Smaller sizes are tested exhaustively elsewhere. */
3405 int32_t i;
3406 memcpy(&pubkeyc[1], input, 64);
3407 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
3408 for (i = 0; i < 256; i++) {
3409 /* Try all type bytes. */
3410 int xpass;
3411 int ypass;
3412 int ysign;
3413 pubkeyc[0] = i;
3414 /* What sign does this point have? */
3415 ysign = (input[63] & 1) + 2;
3416 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
3417 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
3418 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
3419 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
3420 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
3421 if (xpass || ypass) {
3422 /* These cases must parse. */
3423 unsigned char pubkeyo[65];
3424 size_t outl;
3425 memset(&pubkey, 0, sizeof(pubkey));
3426 VG_UNDEF(&pubkey, sizeof(pubkey));
3427 ecount = 0;
3428 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3429 VG_CHECK(&pubkey, sizeof(pubkey));
3430 outl = 65;
3431 VG_UNDEF(pubkeyo, 65);
3432 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3433 VG_CHECK(pubkeyo, outl);
3434 CHECK(outl == 33);
3435 CHECK(memcmp(&pubkeyo[1], &pubkeyc[1], 32) == 0);
3436 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
3437 if (ypass) {
3438 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
3439 CHECK(pubkeyo[0] == ysign);
3440 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3441 memset(&pubkey, 0, sizeof(pubkey));
3442 VG_UNDEF(&pubkey, sizeof(pubkey));
3443 secp256k1_pubkey_save(&pubkey, &ge);
3444 VG_CHECK(&pubkey, sizeof(pubkey));
3445 outl = 65;
3446 VG_UNDEF(pubkeyo, 65);
1a368980 3447 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
67f7da40
GM		 3448 VG_CHECK(pubkeyo, outl);
3449 CHECK(outl == 65);
3450 CHECK(pubkeyo[0] == 4);
3451 CHECK(memcmp(&pubkeyo[1], input, 64) == 0);
3452 }
3453 CHECK(ecount == 0);
3454 } else {
3455 /* These cases must fail to parse. */
3456 memset(&pubkey, 0xfe, sizeof(pubkey));
3457 ecount = 0;
3458 VG_UNDEF(&pubkey, sizeof(pubkey));
3459 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
3460 VG_CHECK(&pubkey, sizeof(pubkey));
3461 CHECK(ecount == 0);
3462 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3463 CHECK(ecount == 1);
3464 }
3465 }
3466 }
3467 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3468}
3469
3470void run_ec_pubkey_parse_test(void) {
3471#define SECP256K1_EC_PARSE_TEST_NVALID (12)
3472 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
3473 {
3474 /* Point with leading and trailing zeros in x and y serialization. */
3475 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
3476 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3477 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
3478 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
3479 },
3480 {
3481 /* Point with x equal to a 3rd root of unity.*/
3482 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
3483 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
3484 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3485 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3486 },
3487 {
3488 /* Point with largest x. (1/2) */
3489 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3490 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3491 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
3492 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
3493 },
3494 {
3495 /* Point with largest x. (2/2) */
3496 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3497 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3498 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
3499 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
3500 },
3501 {
3502 /* Point with smallest x. (1/2) */
3503 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3504 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3505 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3506 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3507 },
3508 {
3509 /* Point with smallest x. (2/2) */
3510 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3511 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3512 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3513 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3514 },
3515 {
3516 /* Point with largest y. (1/3) */
3517 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3518 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3519 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3520 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3521 },
3522 {
3523 /* Point with largest y. (2/3) */
3524 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3525 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3526 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3527 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3528 },
3529 {
3530 /* Point with largest y. (3/3) */
3531 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3532 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3533 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3534 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3535 },
3536 {
3537 /* Point with smallest y. (1/3) */
3538 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3539 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3540 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3541 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3542 },
3543 {
3544 /* Point with smallest y. (2/3) */
3545 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3546 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3547 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3548 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3549 },
3550 {
3551 /* Point with smallest y. (3/3) */
3552 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3553 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3554 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3555 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
3556 }
3557 };
3558#define SECP256K1_EC_PARSE_TEST_NXVALID (4)
3559 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
3560 {
3561 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
3562 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3563 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3564 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3565 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3566 },
3567 {
3568 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
3569 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3570 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3571 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3572 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3573 },
3574 {
3575 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
3576 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3577 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3578 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3579 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3580 },
3581 {
3582 /* x on curve, y is from y^2 = x^3 + 8. */
3583 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3584 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3585 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3586 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
3587 }
3588 };
3589#define SECP256K1_EC_PARSE_TEST_NINVALID (7)
3590 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
3591 {
3592 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
3593 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
3594 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
3595 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3596 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3597 },
3598 {
3599 /* Valid if x overflow ignored (x = 1 mod p). */
3600 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3601 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3602 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3603 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3604 },
3605 {
3606 /* Valid if x overflow ignored (x = 1 mod p). */
3607 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3608 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3609 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3610 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3611 },
3612 {
3613 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3614 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3615 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3616 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
3617 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
3618 },
3619 {
3620 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3621 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3622 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3623 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
3624 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
3625 },
3626 {
3627 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3628 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3629 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3630 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
3631 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
3632 },
3633 {
3634 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3635 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3636 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3637 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
3638 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
3639 }
3640 };
3641 const unsigned char pubkeyc[66] = {
3642 /* Serialization of G. */
3643 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
3644 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
3645 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
3646 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
3647 0xB8, 0x00
3648 };
5b71a3f4 3649 unsigned char sout[65];
67f7da40
GM		 3650 unsigned char shortkey[2];
3651 secp256k1_ge ge;
3652 secp256k1_pubkey pubkey;
5b71a3f4 3653 size_t len;
67f7da40
GM		 3654 int32_t i;
3655 int32_t ecount;
3656 int32_t ecount2;
3657 ecount = 0;
3658 /* Nothing should be reading this far into pubkeyc. */
3659 VG_UNDEF(&pubkeyc[65], 1);
3660 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3661 /* Zero length claimed, fail, zeroize, no illegal arg error. */
3662 memset(&pubkey, 0xfe, sizeof(pubkey));
3663 ecount = 0;
3664 VG_UNDEF(shortkey, 2);
3665 VG_UNDEF(&pubkey, sizeof(pubkey));
3666 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
3667 VG_CHECK(&pubkey, sizeof(pubkey));
3668 CHECK(ecount == 0);
3669 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3670 CHECK(ecount == 1);
3671 /* Length one claimed, fail, zeroize, no illegal arg error. */
3672 for (i = 0; i < 256 ; i++) {
3673 memset(&pubkey, 0xfe, sizeof(pubkey));
3674 ecount = 0;
3675 shortkey[0] = i;
3676 VG_UNDEF(&shortkey[1], 1);
3677 VG_UNDEF(&pubkey, sizeof(pubkey));
3678 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
3679 VG_CHECK(&pubkey, sizeof(pubkey));
3680 CHECK(ecount == 0);
3681 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3682 CHECK(ecount == 1);
3683 }
3684 /* Length two claimed, fail, zeroize, no illegal arg error. */
3685 for (i = 0; i < 65536 ; i++) {
3686 memset(&pubkey, 0xfe, sizeof(pubkey));
3687 ecount = 0;
3688 shortkey[0] = i & 255;
3689 shortkey[1] = i >> 8;
3690 VG_UNDEF(&pubkey, sizeof(pubkey));
3691 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
3692 VG_CHECK(&pubkey, sizeof(pubkey));
3693 CHECK(ecount == 0);
3694 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3695 CHECK(ecount == 1);
3696 }
3697 memset(&pubkey, 0xfe, sizeof(pubkey));
3698 ecount = 0;
3699 VG_UNDEF(&pubkey, sizeof(pubkey));
3700 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
3701 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
3702 VG_CHECK(&pubkey, sizeof(pubkey));
3703 CHECK(ecount == 0);
3704 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3705 CHECK(ecount == 1);
3706 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
3707 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
3708 CHECK(ecount == 2);
3709 /* NULL input string. Illegal arg and zeroize output. */
3710 memset(&pubkey, 0xfe, sizeof(pubkey));
3711 ecount = 0;
3712 VG_UNDEF(&pubkey, sizeof(pubkey));
3713 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
3714 VG_CHECK(&pubkey, sizeof(pubkey));
3715 CHECK(ecount == 1);
3716 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3717 CHECK(ecount == 2);
3718 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
3719 memset(&pubkey, 0xfe, sizeof(pubkey));
3720 ecount = 0;
3721 VG_UNDEF(&pubkey, sizeof(pubkey));
3722 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
3723 VG_CHECK(&pubkey, sizeof(pubkey));
3724 CHECK(ecount == 0);
3725 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3726 CHECK(ecount == 1);
3727 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
3728 memset(&pubkey, 0xfe, sizeof(pubkey));
3729 ecount = 0;
3730 VG_UNDEF(&pubkey, sizeof(pubkey));
3731 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
3732 VG_CHECK(&pubkey, sizeof(pubkey));
3733 CHECK(ecount == 0);
3734 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3735 CHECK(ecount == 1);
3736 /* Valid parse. */
3737 memset(&pubkey, 0, sizeof(pubkey));
3738 ecount = 0;
3739 VG_UNDEF(&pubkey, sizeof(pubkey));
3740 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
ed7c0841 3741 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
67f7da40
GM		 3742 VG_CHECK(&pubkey, sizeof(pubkey));
3743 CHECK(ecount == 0);
3744 VG_UNDEF(&ge, sizeof(ge));
3745 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3746 VG_CHECK(&ge.x, sizeof(ge.x));
3747 VG_CHECK(&ge.y, sizeof(ge.y));
3748 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
3749 ge_equals_ge(&secp256k1_ge_const_g, &ge);
3750 CHECK(ecount == 0);
5b71a3f4
GM		 3751 /* secp256k1_ec_pubkey_serialize illegal args. */
3752 ecount = 0;
3753 len = 65;
3754 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3755 CHECK(ecount == 1);
3756 CHECK(len == 0);
3757 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3758 CHECK(ecount == 2);
3759 len = 65;
3760 VG_UNDEF(sout, 65);
3761 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
3762 VG_CHECK(sout, 65);
3763 CHECK(ecount == 3);
3764 CHECK(len == 0);
3765 len = 65;
3766 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
3767 CHECK(ecount == 4);
3768 CHECK(len == 0);
3769 len = 65;
3770 VG_UNDEF(sout, 65);
3771 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3772 VG_CHECK(sout, 65);
3773 CHECK(ecount == 4);
3774 CHECK(len == 65);
67f7da40
GM		 3775 /* Multiple illegal args. Should still set arg error only once. */
3776 ecount = 0;
3777 ecount2 = 11;
3778 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3779 CHECK(ecount == 1);
3780 /* Does the illegal arg callback actually change the behavior? */
3781 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
3782 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3783 CHECK(ecount == 1);
3784 CHECK(ecount2 == 10);
3785 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3786 /* Try a bunch of prefabbed points with all possible encodings. */
3787 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
3788 ec_pubkey_parse_pointtest(valid[i], 1, 1);
3789 }
3790 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
3791 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
3792 }
3793 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
3794 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
3795 }
3796}
3797
96be2046
GM		 3798void run_eckey_edge_case_test(void) {
3799 const unsigned char orderc[32] = {
3800 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3801 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3802 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3803 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
3804 };
3805 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
c69dea02
GM		 3806 unsigned char ctmp[33];
3807 unsigned char ctmp2[33];
96be2046
GM		 3808 secp256k1_pubkey pubkey;
3809 secp256k1_pubkey pubkey2;
c69dea02
GM		 3810 secp256k1_pubkey pubkey_one;
3811 secp256k1_pubkey pubkey_negone;
3812 const secp256k1_pubkey *pubkeys[3];
3813 size_t len;
96be2046
GM		 3814 int32_t ecount;
3815 /* Group order is too large, reject. */
3816 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
3817 VG_UNDEF(&pubkey, sizeof(pubkey));
3818 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
3819 VG_CHECK(&pubkey, sizeof(pubkey));
3820 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3821 /* Maximum value is too large, reject. */
3822 memset(ctmp, 255, 32);
3823 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3824 memset(&pubkey, 1, sizeof(pubkey));
3825 VG_UNDEF(&pubkey, sizeof(pubkey));
3826 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3827 VG_CHECK(&pubkey, sizeof(pubkey));
3828 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3829 /* Zero is too small, reject. */
3830 memset(ctmp, 0, 32);
3831 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3832 memset(&pubkey, 1, sizeof(pubkey));
3833 VG_UNDEF(&pubkey, sizeof(pubkey));
3834 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3835 VG_CHECK(&pubkey, sizeof(pubkey));
3836 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3837 /* One must be accepted. */
3838 ctmp[31] = 0x01;
3839 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3840 memset(&pubkey, 0, sizeof(pubkey));
3841 VG_UNDEF(&pubkey, sizeof(pubkey));
3842 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3843 VG_CHECK(&pubkey, sizeof(pubkey));
3844 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
c69dea02 3845 pubkey_one = pubkey;
96be2046
GM		 3846 /* Group order + 1 is too large, reject. */
3847 memcpy(ctmp, orderc, 32);
3848 ctmp[31] = 0x42;
3849 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3850 memset(&pubkey, 1, sizeof(pubkey));
3851 VG_UNDEF(&pubkey, sizeof(pubkey));
3852 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3853 VG_CHECK(&pubkey, sizeof(pubkey));
3854 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3855 /* -1 must be accepted. */
3856 ctmp[31] = 0x40;
3857 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3858 memset(&pubkey, 0, sizeof(pubkey));
3859 VG_UNDEF(&pubkey, sizeof(pubkey));
3860 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3861 VG_CHECK(&pubkey, sizeof(pubkey));
3862 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
c69dea02 3863 pubkey_negone = pubkey;
0e96cdc6 3864 /* Tweak of zero leaves the value unchanged. */
96be2046
GM		 3865 memset(ctmp2, 0, 32);
3866 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, ctmp2) == 1);
3867 CHECK(memcmp(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
3868 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
3869 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3870 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3871 /* Multiply tweak of zero zeroizes the output. */
3872 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, ctmp2) == 0);
3873 CHECK(memcmp(zeros, ctmp, 32) == 0);
3874 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
3875 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3876 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3877 /* Overflowing key tweak zeroizes. */
3878 memcpy(ctmp, orderc, 32);
3879 ctmp[31] = 0x40;
3880 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, orderc) == 0);
3881 CHECK(memcmp(zeros, ctmp, 32) == 0);
3882 memcpy(ctmp, orderc, 32);
3883 ctmp[31] = 0x40;
3884 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, orderc) == 0);
3885 CHECK(memcmp(zeros, ctmp, 32) == 0);
3886 memcpy(ctmp, orderc, 32);
3887 ctmp[31] = 0x40;
3888 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
3889 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3890 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3891 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
3892 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3893 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3894 /* Private key tweaks results in a key of zero. */
3895 ctmp2[31] = 1;
3896 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 0);
3897 CHECK(memcmp(zeros, ctmp2, 32) == 0);
3898 ctmp2[31] = 1;
3899 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3900 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3901 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3902 /* Tweak computation wraps and results in a key of 1. */
3903 ctmp2[31] = 2;
3904 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 1);
3905 CHECK(memcmp(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
3906 ctmp2[31] = 2;
3907 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3908 ctmp2[31] = 1;
3909 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
3910 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3911 /* Tweak mul * 2 = 1+1. */
3912 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3913 ctmp2[31] = 2;
3914 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
3915 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3916 /* Test argument errors. */
3917 ecount = 0;
3918 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3919 CHECK(ecount == 0);
3920 /* Zeroize pubkey on parse error. */
3921 memset(&pubkey, 0, 32);
3922 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3923 CHECK(ecount == 1);
3924 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3925 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3926 memset(&pubkey2, 0, 32);
3927 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
3928 CHECK(ecount == 2);
3929 CHECK(memcmp(&pubkey2, zeros, sizeof(pubkey2)) == 0);
3930 /* Plain argument errors. */
3931 ecount = 0;
3932 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3933 CHECK(ecount == 0);
3934 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
3935 CHECK(ecount == 1);
3936 ecount = 0;
3937 memset(ctmp2, 0, 32);
3938 ctmp2[31] = 4;
3939 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
3940 CHECK(ecount == 1);
3941 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
3942 CHECK(ecount == 2);
3943 ecount = 0;
3944 memset(ctmp2, 0, 32);
3945 ctmp2[31] = 4;
3946 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3947 CHECK(ecount == 1);
3948 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
3949 CHECK(ecount == 2);
3950 ecount = 0;
3951 memset(ctmp2, 0, 32);
3952 CHECK(secp256k1_ec_privkey_tweak_add(ctx, NULL, ctmp2) == 0);
3953 CHECK(ecount == 1);
3954 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, NULL) == 0);
3955 CHECK(ecount == 2);
3956 ecount = 0;
3957 memset(ctmp2, 0, 32);
3958 ctmp2[31] = 1;
3959 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3960 CHECK(ecount == 1);
3961 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, NULL) == 0);
3962 CHECK(ecount == 2);
3963 ecount = 0;
3964 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
3965 CHECK(ecount == 1);
3966 memset(&pubkey, 1, sizeof(pubkey));
3967 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
3968 CHECK(ecount == 2);
5b71a3f4 3969 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
c69dea02
GM		 3970 /* secp256k1_ec_pubkey_combine tests. */
3971 ecount = 0;
3972 pubkeys[0] = &pubkey_one;
3973 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
3974 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
3975 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
3976 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3977 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3978 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
3979 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3980 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3981 CHECK(ecount == 1);
c69dea02
GM		 3982 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
3983 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
8e48787d 3984 CHECK(ecount == 2);
c69dea02
GM		 3985 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3986 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3987 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
3988 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3989 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
8e48787d 3990 CHECK(ecount == 3);
c69dea02
GM		 3991 pubkeys[0] = &pubkey_negone;
3992 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3993 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3994 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
3995 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3996 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
8e48787d 3997 CHECK(ecount == 3);
c69dea02
GM		 3998 len = 33;
3999 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4000 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
4001 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
4002 /* Result is infinity. */
4003 pubkeys[0] = &pubkey_one;
4004 pubkeys[1] = &pubkey_negone;
4005 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4006 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4007 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
4008 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4009 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
8e48787d 4010 CHECK(ecount == 3);
c69dea02
GM		 4011 /* Passes through infinity but comes out one. */
4012 pubkeys[2] = &pubkey_one;
4013 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4014 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4015 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
4016 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4017 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
8e48787d 4018 CHECK(ecount == 3);
c69dea02
GM		 4019 len = 33;
4020 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4021 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
4022 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
4023 /* Adds to two. */
4024 pubkeys[1] = &pubkey_one;
4025 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4026 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4027 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
4028 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4029 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
8e48787d 4030 CHECK(ecount == 3);
96be2046
GM		 4031 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4032}
4033
dd891e0e
PW		 4034void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
4035 secp256k1_scalar nonce;
dd08f037 4036 do {
a9f5c8b8 4037 random_scalar_order_test(&nonce);
18c329c5 4038 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
dd08f037
PW		 4039}
4040
2cad067a 4041void test_ecdsa_sign_verify(void) {
dd891e0e
PW		 4042 secp256k1_gej pubj;
4043 secp256k1_ge pub;
4044 secp256k1_scalar one;
4045 secp256k1_scalar msg, key;
4046 secp256k1_scalar sigr, sigs;
ee3eb4be
GM		 4047 int recid;
4048 int getrec;
a9f5c8b8 4049 random_scalar_order_test(&msg);
a9f5c8b8 4050 random_scalar_order_test(&key);
a9b6595e 4051 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
bf2e1ac7 4052 secp256k1_ge_set_gej(&pub, &pubj);
fa57f1bd 4053 getrec = secp256k1_rand_bits(1);
18c329c5 4054 random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
26320197
GM		 4055 if (getrec) {
4056 CHECK(recid >= 0 && recid < 4);
4057 }
18c329c5 4058 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
f24041d6
PW		 4059 secp256k1_scalar_set_int(&one, 1);
4060 secp256k1_scalar_add(&msg, &msg, &one);
18c329c5 4061 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
0a07e62f
PW		 4062}
4063
2cad067a 4064void run_ecdsa_sign_verify(void) {
bf2e1ac7
GM		 4065 int i;
4066 for (i = 0; i < 10*count; i++) {
0a07e62f
PW		 4067 test_ecdsa_sign_verify();
4068 }
4069}
4070
c6e7f4e8 4071/** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
05732c5a 4072static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
c6e7f4e8
PW		 4073 (void)msg32;
4074 (void)key32;
a5a66c70 4075 (void)algo16;
c6e7f4e8
PW		 4076 memcpy(nonce32, data, 32);
4077 return (counter == 0);
4078}
4079
05732c5a 4080static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
941e221f 4081 /* Dummy nonce generator that has a fatal error on the first counter value. */
26320197
GM		 4082 if (counter == 0) {
4083 return 0;
4084 }
dc0ce9fc 4085 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
941e221f
GM		 4086}
4087
05732c5a 4088static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
941e221f
GM		 4089 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
4090 if (counter < 3) {
4091 memset(nonce32, counter==0 ? 0 : 255, 32);
26320197
GM		 4092 if (counter == 2) {
4093 nonce32[31]--;
4094 }
941e221f
GM		 4095 return 1;
4096 }
4097 if (counter < 5) {
4098 static const unsigned char order[] = {
4099 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4100 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4101 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4102 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
4103 };
4104 memcpy(nonce32, order, 32);
26320197
GM		 4105 if (counter == 4) {
4106 nonce32[31]++;
4107 }
941e221f
GM		 4108 return 1;
4109 }
269d4227 4110 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
941e221f 4111 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
26320197
GM		 4112 if (counter > 5) {
4113 return 0;
4114 }
dc0ce9fc 4115 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
941e221f
GM		 4116}
4117
dd891e0e
PW		 4118int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
4119 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
4120 return memcmp(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
8030d7c0
PW		 4121}
4122
2cad067a 4123void test_ecdsa_end_to_end(void) {
efc571ce 4124 unsigned char extra[32] = {0x00};
25f4aec0
PW		 4125 unsigned char privkey[32];
4126 unsigned char message[32];
bf2e1ac7 4127 unsigned char privkey2[32];
0c6ab2ff
PW		 4128 secp256k1_ecdsa_signature signature[6];
4129 secp256k1_scalar r, s;
74a2acdb 4130 unsigned char sig[74];
788038d3 4131 size_t siglen = 74;
23cfa914 4132 unsigned char pubkeyc[65];
788038d3 4133 size_t pubkeyclen = 65;
dd891e0e 4134 secp256k1_pubkey pubkey;
8e48aa60 4135 secp256k1_pubkey pubkey_tmp;
bf2e1ac7 4136 unsigned char seckey[300];
788038d3 4137 size_t seckeylen = 300;
25f4aec0 4138
71712b27 4139 /* Generate a random key and message. */
25f4aec0 4140 {
dd891e0e 4141 secp256k1_scalar msg, key;
659b554d
PW		 4142 random_scalar_order_test(&msg);
4143 random_scalar_order_test(&key);
4144 secp256k1_scalar_get_b32(privkey, &key);
4145 secp256k1_scalar_get_b32(message, &msg);
25f4aec0
PW		 4146 }
4147
71712b27 4148 /* Construct and verify corresponding public key. */
a9b6595e 4149 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
23cfa914 4150 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
99fd963b 4151
23cfa914 4152 /* Verify exporting and importing public key. */
1a368980 4153 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_rand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
23cfa914
PW		 4154 memset(&pubkey, 0, sizeof(pubkey));
4155 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
25f4aec0 4156
8e48aa60
AP		 4157 /* Verify negation changes the key and changes it back */
4158 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
4159 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4160 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
4161 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4162 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
4163
71712b27 4164 /* Verify private key import and export. */
eed87af1
AP		 4165 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_rand_bits(1) == 1));
4166 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
25f4aec0
PW		 4167 CHECK(memcmp(privkey, privkey2, 32) == 0);
4168
71712b27 4169 /* Optionally tweak the keys using addition. */
fa57f1bd 4170 if (secp256k1_rand_int(3) == 0) {
bf2e1ac7
GM		 4171 int ret1;
4172 int ret2;
25f4aec0 4173 unsigned char rnd[32];
dd891e0e 4174 secp256k1_pubkey pubkey2;
25f4aec0 4175 secp256k1_rand256_test(rnd);
a9b6595e 4176 ret1 = secp256k1_ec_privkey_tweak_add(ctx, privkey, rnd);
23cfa914 4177 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
25f4aec0 4178 CHECK(ret1 == ret2);
26320197
GM		 4179 if (ret1 == 0) {
4180 return;
4181 }
23cfa914
PW		 4182 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4183 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
25f4aec0
PW		 4184 }
4185
71712b27 4186 /* Optionally tweak the keys using multiplication. */
fa57f1bd 4187 if (secp256k1_rand_int(3) == 0) {
bf2e1ac7
GM		 4188 int ret1;
4189 int ret2;
25f4aec0 4190 unsigned char rnd[32];
dd891e0e 4191 secp256k1_pubkey pubkey2;
25f4aec0 4192 secp256k1_rand256_test(rnd);
a9b6595e 4193 ret1 = secp256k1_ec_privkey_tweak_mul(ctx, privkey, rnd);
23cfa914 4194 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
25f4aec0 4195 CHECK(ret1 == ret2);
26320197
GM		 4196 if (ret1 == 0) {
4197 return;
4198 }
23cfa914
PW		 4199 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4200 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
25f4aec0
PW		 4201 }
4202
71712b27 4203 /* Sign. */
dc0ce9fc
PW		 4204 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
4205 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
4206 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
efc571ce 4207 extra[31] = 1;
dc0ce9fc 4208 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
efc571ce
GM		 4209 extra[31] = 0;
4210 extra[0] = 1;
dc0ce9fc 4211 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
74a2acdb
PW		 4212 CHECK(memcmp(&signature[0], &signature[4], sizeof(signature[0])) == 0);
4213 CHECK(memcmp(&signature[0], &signature[1], sizeof(signature[0])) != 0);
4214 CHECK(memcmp(&signature[0], &signature[2], sizeof(signature[0])) != 0);
4215 CHECK(memcmp(&signature[0], &signature[3], sizeof(signature[0])) != 0);
4216 CHECK(memcmp(&signature[1], &signature[2], sizeof(signature[0])) != 0);
4217 CHECK(memcmp(&signature[1], &signature[3], sizeof(signature[0])) != 0);
4218 CHECK(memcmp(&signature[2], &signature[3], sizeof(signature[0])) != 0);
71712b27 4219 /* Verify. */
dc0ce9fc
PW		 4220 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4221 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
4222 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
4223 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
0c6ab2ff
PW		 4224 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
4225 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
4226 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
4227 secp256k1_scalar_negate(&s, &s);
4228 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4229 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
4230 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4231 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4232 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
5b71a3f4 4233 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
0c6ab2ff
PW		 4234 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4235 secp256k1_scalar_negate(&s, &s);
4236 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4237 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4238 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4239 CHECK(memcmp(&signature[5], &signature[0], 64) == 0);
74a2acdb
PW		 4240
4241 /* Serialize/parse DER and verify again */
4242 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4243 memset(&signature[0], 0, sizeof(signature[0]));
4244 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
dc0ce9fc 4245 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
74a2acdb 4246 /* Serialize/destroy/parse DER and verify again. */
1973c737 4247 siglen = 74;
74a2acdb 4248 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
fa57f1bd 4249 sig[secp256k1_rand_int(siglen)] += 1 + secp256k1_rand_int(255);
74a2acdb 4250 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
dc0ce9fc 4251 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
d49abbd5
PW		 4252}
4253
7c6fed28 4254void test_random_pubkeys(void) {
dd891e0e
PW		 4255 secp256k1_ge elem;
4256 secp256k1_ge elem2;
7c6fed28
GM		 4257 unsigned char in[65];
4258 /* Generate some randomly sized pubkeys. */
fa57f1bd
PW		 4259 size_t len = secp256k1_rand_bits(2) == 0 ? 65 : 33;
4260 if (secp256k1_rand_bits(2) == 0) {
4261 len = secp256k1_rand_bits(6);
26320197 4262 }
7c6fed28 4263 if (len == 65) {
fa57f1bd 4264 in[0] = secp256k1_rand_bits(1) ? 4 : (secp256k1_rand_bits(1) ? 6 : 7);
7c6fed28 4265 } else {
fa57f1bd 4266 in[0] = secp256k1_rand_bits(1) ? 2 : 3;
7c6fed28 4267 }
fa57f1bd
PW		 4268 if (secp256k1_rand_bits(3) == 0) {
4269 in[0] = secp256k1_rand_bits(8);
26320197 4270 }
26320197
GM		 4271 if (len > 1) {
4272 secp256k1_rand256(&in[1]);
4273 }
4274 if (len > 33) {
4275 secp256k1_rand256(&in[33]);
4276 }
7c6fed28
GM		 4277 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
4278 unsigned char out[65];
4279 unsigned char firstb;
4280 int res;
788038d3 4281 size_t size = len;
7c6fed28
GM		 4282 firstb = in[0];
4283 /* If the pubkey can be parsed, it should round-trip... */
9234391e 4284 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
7c6fed28
GM		 4285 CHECK(size == len);
4286 CHECK(memcmp(&in[1], &out[1], len-1) == 0);
4287 /* ... except for the type of hybrid inputs. */
26320197
GM		 4288 if ((in[0] != 6) && (in[0] != 7)) {
4289 CHECK(in[0] == out[0]);
4290 }
7c6fed28 4291 size = 65;
9234391e 4292 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
7c6fed28
GM		 4293 CHECK(size == 65);
4294 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
60571c6e 4295 ge_equals_ge(&elem,&elem2);
7c6fed28 4296 /* Check that the X9.62 hybrid type is checked. */
fa57f1bd 4297 in[0] = secp256k1_rand_bits(1) ? 6 : 7;
7c6fed28
GM		 4298 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
4299 if (firstb == 2 || firstb == 3) {
26320197
GM		 4300 if (in[0] == firstb + 4) {
4301 CHECK(res);
4302 } else {
4303 CHECK(!res);
4304 }
7c6fed28
GM		 4305 }
4306 if (res) {
60571c6e 4307 ge_equals_ge(&elem,&elem2);
9234391e 4308 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
7c6fed28
GM		 4309 CHECK(memcmp(&in[1], &out[1], 64) == 0);
4310 }
4311 }
4312}
4313
4314void run_random_pubkeys(void) {
bf2e1ac7
GM		 4315 int i;
4316 for (i = 0; i < 10*count; i++) {
7c6fed28
GM		 4317 test_random_pubkeys();
4318 }
4319}
4320
2cad067a 4321void run_ecdsa_end_to_end(void) {
bf2e1ac7
GM		 4322 int i;
4323 for (i = 0; i < 64*count; i++) {
25f4aec0
PW		 4324 test_ecdsa_end_to_end();
4325 }
4326}
4327
3bb9c447
PW		 4328int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
4329 static const unsigned char zeroes[32] = {0};
a9b2a5d8 4330#ifdef ENABLE_OPENSSL_TESTS
3bb9c447
PW		 4331 static const unsigned char max_scalar[32] = {
4332 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4333 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4334 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4335 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
4336 };
a9b2a5d8 4337#endif
3bb9c447
PW		 4338
4339 int ret = 0;
4340
4341 secp256k1_ecdsa_signature sig_der;
4342 unsigned char roundtrip_der[2048];
4343 unsigned char compact_der[64];
4344 size_t len_der = 2048;
4345 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
4346
fea19e7b
PW		 4347 secp256k1_ecdsa_signature sig_der_lax;
4348 unsigned char roundtrip_der_lax[2048];
4349 unsigned char compact_der_lax[64];
4350 size_t len_der_lax = 2048;
4351 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
4352
3bb9c447
PW		 4353#ifdef ENABLE_OPENSSL_TESTS
4354 ECDSA_SIG *sig_openssl;
31abd3ab 4355 const BIGNUM *r = NULL, *s = NULL;
3bb9c447
PW		 4356 const unsigned char *sigptr;
4357 unsigned char roundtrip_openssl[2048];
4358 int len_openssl = 2048;
4359 int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
4360#endif
4361
4362 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
4363 if (parsed_der) {
4364 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
4365 valid_der = (memcmp(compact_der, zeroes, 32) != 0) && (memcmp(compact_der + 32, zeroes, 32) != 0);
4366 }
4367 if (valid_der) {
4368 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
4369 roundtrips_der = (len_der == siglen) && memcmp(roundtrip_der, sig, siglen) == 0;
4370 }
4371
eed87af1 4372 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
fea19e7b
PW		 4373 if (parsed_der_lax) {
4374 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
4375 valid_der_lax = (memcmp(compact_der_lax, zeroes, 32) != 0) && (memcmp(compact_der_lax + 32, zeroes, 32) != 0);
4376 }
4377 if (valid_der_lax) {
4378 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
4379 roundtrips_der_lax = (len_der_lax == siglen) && memcmp(roundtrip_der_lax, sig, siglen) == 0;
4380 }
4381
3bb9c447
PW		 4382 if (certainly_der) {
4383 ret |= (!parsed_der) << 2;
4384 }
4385 if (certainly_not_der) {
4386 ret |= (parsed_der) << 17;
4387 }
4388 if (valid_der) {
4389 ret |= (!roundtrips_der) << 3;
4390 }
4391
fea19e7b
PW		 4392 if (valid_der) {
4393 ret |= (!roundtrips_der_lax) << 12;
4394 ret |= (len_der != len_der_lax) << 13;
4395 ret |= (memcmp(roundtrip_der_lax, roundtrip_der, len_der) != 0) << 14;
4396 }
4397 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
4398 if (parsed_der) {
4399 ret |= (!parsed_der_lax) << 16;
4400 }
4401
3bb9c447
PW		 4402#ifdef ENABLE_OPENSSL_TESTS
4403 sig_openssl = ECDSA_SIG_new();
4404 sigptr = sig;
4405 parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
4406 if (parsed_openssl) {
31abd3ab
AB		 4407 ECDSA_SIG_get0(sig_openssl, &r, &s);
4408 valid_openssl = !BN_is_negative(r) && !BN_is_negative(s) && BN_num_bits(r) > 0 && BN_num_bits(r) <= 256 && BN_num_bits(s) > 0 && BN_num_bits(s) <= 256;
3bb9c447
PW		 4409 if (valid_openssl) {
4410 unsigned char tmp[32] = {0};
31abd3ab 4411 BN_bn2bin(r, tmp + 32 - BN_num_bytes(r));
3bb9c447
PW		 4412 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4413 }
4414 if (valid_openssl) {
4415 unsigned char tmp[32] = {0};
31abd3ab 4416 BN_bn2bin(s, tmp + 32 - BN_num_bytes(s));
3bb9c447
PW		 4417 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4418 }
4419 }
4420 len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
4421 if (len_openssl <= 2048) {
4422 unsigned char *ptr = roundtrip_openssl;
4423 CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
4424 roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (memcmp(roundtrip_openssl, sig, siglen) == 0);
4425 } else {
4426 len_openssl = 0;
4427 }
4428 ECDSA_SIG_free(sig_openssl);
4429
4430 ret |= (parsed_der && !parsed_openssl) << 4;
4431 ret |= (valid_der && !valid_openssl) << 5;
4432 ret |= (roundtrips_openssl && !parsed_der) << 6;
4433 ret |= (roundtrips_der != roundtrips_openssl) << 7;
4434 if (roundtrips_openssl) {
4435 ret |= (len_der != (size_t)len_openssl) << 8;
4436 ret |= (memcmp(roundtrip_der, roundtrip_openssl, len_der) != 0) << 9;
4437 }
4438#endif
4439 return ret;
4440}
4441
4442static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
4443 size_t i;
4444 for (i = 0; i < ptrlen; i++) {
4445 int shift = ptrlen - 1 - i;
4446 if (shift >= 4) {
4447 ptr[i] = 0;
4448 } else {
4449 ptr[i] = (val >> shift) & 0xFF;
4450 }
4451 }
4452}
4453
4454static void damage_array(unsigned char *sig, size_t *len) {
4455 int pos;
4456 int action = secp256k1_rand_bits(3);
5d4c5a31 4457 if (action < 1 && *len > 3) {
3bb9c447
PW		 4458 /* Delete a byte. */
4459 pos = secp256k1_rand_int(*len);
4460 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
4461 (*len)--;
4462 return;
5d4c5a31 4463 } else if (action < 2 && *len < 2048) {
3bb9c447
PW		 4464 /* Insert a byte. */
4465 pos = secp256k1_rand_int(1 + *len);
4466 memmove(sig + pos + 1, sig + pos, *len - pos);
4467 sig[pos] = secp256k1_rand_bits(8);
4468 (*len)++;
4469 return;
4470 } else if (action < 4) {
4471 /* Modify a byte. */
4472 sig[secp256k1_rand_int(*len)] += 1 + secp256k1_rand_int(255);
4473 return;
4474 } else { /* action < 8 */
4475 /* Modify a bit. */
4476 sig[secp256k1_rand_int(*len)] ^= 1 << secp256k1_rand_bits(3);
4477 return;
4478 }
4479}
4480
4481static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
4482 int der;
4483 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
4484 size_t tlen, elen, glen;
4485 int indet;
4486 int n;
4487
4488 *len = 0;
4489 der = secp256k1_rand_bits(2) == 0;
4490 *certainly_der = der;
4491 *certainly_not_der = 0;
4492 indet = der ? 0 : secp256k1_rand_int(10) == 0;
4493
4494 for (n = 0; n < 2; n++) {
4495 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
4496 nlow[n] = der ? 1 : (secp256k1_rand_bits(3) != 0);
4497 /* The length of the number in bytes (the first byte of which will always be nonzero) */
4498 nlen[n] = nlow[n] ? secp256k1_rand_int(33) : 32 + secp256k1_rand_int(200) * secp256k1_rand_int(8) / 8;
4499 CHECK(nlen[n] <= 232);
4500 /* The top bit of the number. */
4501 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_rand_bits(1));
4502 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
4503 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_rand_bits(7) : 1 + secp256k1_rand_int(127));
4504 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
4505 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_rand_int(3) : secp256k1_rand_int(300 - nlen[n]) * secp256k1_rand_int(8) / 8);
4506 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
4507 *certainly_not_der = 1;
4508 }
4509 CHECK(nlen[n] + nzlen[n] <= 300);
4510 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
4511 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
4512 if (!der) {
4513 /* nlenlen[n] max 127 bytes */
4514 int add = secp256k1_rand_int(127 - nlenlen[n]) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4515 nlenlen[n] += add;
4516 if (add != 0) {
4517 *certainly_not_der = 1;
4518 }
4519 }
4520 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
4521 }
4522
4523 /* The total length of the data to go, so far */
4524 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
4525 CHECK(tlen <= 856);
4526
4527 /* The length of the garbage inside the tuple. */
4528 elen = (der || indet) ? 0 : secp256k1_rand_int(980 - tlen) * secp256k1_rand_int(8) / 8;
4529 if (elen != 0) {
4530 *certainly_not_der = 1;
4531 }
4532 tlen += elen;
4533 CHECK(tlen <= 980);
4534
4535 /* The length of the garbage after the end of the tuple. */
4536 glen = der ? 0 : secp256k1_rand_int(990 - tlen) * secp256k1_rand_int(8) / 8;
4537 if (glen != 0) {
4538 *certainly_not_der = 1;
4539 }
4540 CHECK(tlen + glen <= 990);
4541
4542 /* Write the tuple header. */
4543 sig[(*len)++] = 0x30;
4544 if (indet) {
4545 /* Indeterminate length */
4546 sig[(*len)++] = 0x80;
4547 *certainly_not_der = 1;
4548 } else {
4549 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
4550 if (!der) {
4551 int add = secp256k1_rand_int(127 - tlenlen) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4552 tlenlen += add;
4553 if (add != 0) {
4554 *certainly_not_der = 1;
4555 }
4556 }
4557 if (tlenlen == 0) {
4558 /* Short length notation */
4559 sig[(*len)++] = tlen;
4560 } else {
4561 /* Long length notation */
4562 sig[(*len)++] = 128 + tlenlen;
4563 assign_big_endian(sig + *len, tlenlen, tlen);
4564 *len += tlenlen;
4565 }
4566 tlen += tlenlen;
4567 }
4568 tlen += 2;
4569 CHECK(tlen + glen <= 1119);
4570
4571 for (n = 0; n < 2; n++) {
4572 /* Write the integer header. */
4573 sig[(*len)++] = 0x02;
4574 if (nlenlen[n] == 0) {
4575 /* Short length notation */
4576 sig[(*len)++] = nlen[n] + nzlen[n];
4577 } else {
4578 /* Long length notation. */
4579 sig[(*len)++] = 128 + nlenlen[n];
4580 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
4581 *len += nlenlen[n];
4582 }
4583 /* Write zero padding */
4584 while (nzlen[n] > 0) {
4585 sig[(*len)++] = 0x00;
4586 nzlen[n]--;
4587 }
4588 if (nlen[n] == 32 && !nlow[n]) {
4589 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
4590 int i;
4591 for (i = 0; i < 16; i++) {
4592 sig[(*len)++] = 0xFF;
4593 }
4594 nlen[n] -= 16;
4595 }
4596 /* Write first byte of number */
4597 if (nlen[n] > 0) {
4598 sig[(*len)++] = nhbyte[n];
4599 nlen[n]--;
4600 }
4601 /* Generate remaining random bytes of number */
4602 secp256k1_rand_bytes_test(sig + *len, nlen[n]);
4603 *len += nlen[n];
4604 nlen[n] = 0;
4605 }
4606
4607 /* Generate random garbage inside tuple. */
4608 secp256k1_rand_bytes_test(sig + *len, elen);
4609 *len += elen;
4610
4611 /* Generate end-of-contents bytes. */
4612 if (indet) {
4613 sig[(*len)++] = 0;
4614 sig[(*len)++] = 0;
4615 tlen += 2;
4616 }
4617 CHECK(tlen + glen <= 1121);
4618
4619 /* Generate random garbage outside tuple. */
4620 secp256k1_rand_bytes_test(sig + *len, glen);
4621 *len += glen;
4622 tlen += glen;
4623 CHECK(tlen <= 1121);
4624 CHECK(tlen == *len);
4625}
4626
4627void run_ecdsa_der_parse(void) {
4628 int i,j;
4629 for (i = 0; i < 200 * count; i++) {
4630 unsigned char buffer[2048];
4631 size_t buflen = 0;
4632 int certainly_der = 0;
4633 int certainly_not_der = 0;
4634 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
5d4c5a31 4635 CHECK(buflen <= 2048);
3bb9c447
PW		 4636 for (j = 0; j < 16; j++) {
4637 int ret = 0;
4638 if (j > 0) {
4639 damage_array(buffer, &buflen);
4640 /* We don't know anything anymore about the DERness of the result */
4641 certainly_der = 0;
4642 certainly_not_der = 0;
4643 }
4644 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
4645 if (ret != 0) {
4646 size_t k;
4647 fprintf(stderr, "Failure %x on ", ret);
4648 for (k = 0; k < buflen; k++) {
4649 fprintf(stderr, "%02x ", buffer[k]);
4650 }
4651 fprintf(stderr, "\n");
4652 }
4653 CHECK(ret == 0);
4654 }
4655 }
4656}
4657
6e052878
PW		 4658/* Tests several edge cases. */
4659void test_ecdsa_edge_cases(void) {
d49abbd5 4660 int t;
dd891e0e 4661 secp256k1_ecdsa_signature sig;
d49abbd5
PW		 4662
4663 /* Test the case where ECDSA recomputes a point that is infinity. */
4664 {
dd891e0e
PW		 4665 secp256k1_gej keyj;
4666 secp256k1_ge key;
4667 secp256k1_scalar msg;
4668 secp256k1_scalar sr, ss;
d49abbd5
PW		 4669 secp256k1_scalar_set_int(&ss, 1);
4670 secp256k1_scalar_negate(&ss, &ss);
4671 secp256k1_scalar_inverse(&ss, &ss);
4672 secp256k1_scalar_set_int(&sr, 1);
4673 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
4674 secp256k1_ge_set_gej(&key, &keyj);
4675 msg = ss;
4676 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4677 }
4678
96be2046 4679 /* Verify signature with r of zero fails. */
d49abbd5 4680 {
96be2046
GM		 4681 const unsigned char pubkey_mods_zero[33] = {
4682 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4683 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4684 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4685 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4686 0x41
4687 };
4688 secp256k1_ge key;
4689 secp256k1_scalar msg;
4690 secp256k1_scalar sr, ss;
4691 secp256k1_scalar_set_int(&ss, 1);
4692 secp256k1_scalar_set_int(&msg, 0);
4693 secp256k1_scalar_set_int(&sr, 0);
4694 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
4695 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4696 }
4697
4698 /* Verify signature with s of zero fails. */
4699 {
4700 const unsigned char pubkey[33] = {
4701 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4702 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4703 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4704 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4705 0x01
4706 };
4707 secp256k1_ge key;
4708 secp256k1_scalar msg;
4709 secp256k1_scalar sr, ss;
4710 secp256k1_scalar_set_int(&ss, 0);
4711 secp256k1_scalar_set_int(&msg, 0);
4712 secp256k1_scalar_set_int(&sr, 1);
4713 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4714 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4715 }
4716
4717 /* Verify signature with message 0 passes. */
4718 {
4719 const unsigned char pubkey[33] = {
4720 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4721 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4722 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4723 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4724 0x02
4725 };
4726 const unsigned char pubkey2[33] = {
4727 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4728 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4729 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4730 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4731 0x43
4732 };
4733 secp256k1_ge key;
4734 secp256k1_ge key2;
4735 secp256k1_scalar msg;
4736 secp256k1_scalar sr, ss;
4737 secp256k1_scalar_set_int(&ss, 2);
4738 secp256k1_scalar_set_int(&msg, 0);
4739 secp256k1_scalar_set_int(&sr, 2);
4740 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4741 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4742 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4743 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4744 secp256k1_scalar_negate(&ss, &ss);
4745 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4746 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4747 secp256k1_scalar_set_int(&ss, 1);
4748 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4749 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4750 }
4751
4752 /* Verify signature with message 1 passes. */
4753 {
4754 const unsigned char pubkey[33] = {
4755 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
4756 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
4757 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
4758 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
4759 0x25
4760 };
4761 const unsigned char pubkey2[33] = {
4762 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
4763 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
4764 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
4765 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
4766 0x62
4767 };
4768 const unsigned char csr[32] = {
4769 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4770 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4771 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4772 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
4773 };
4774 secp256k1_ge key;
4775 secp256k1_ge key2;
4776 secp256k1_scalar msg;
4777 secp256k1_scalar sr, ss;
4778 secp256k1_scalar_set_int(&ss, 1);
4779 secp256k1_scalar_set_int(&msg, 1);
4780 secp256k1_scalar_set_b32(&sr, csr, NULL);
4781 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4782 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4783 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4784 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4785 secp256k1_scalar_negate(&ss, &ss);
4786 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4787 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4788 secp256k1_scalar_set_int(&ss, 2);
4789 secp256k1_scalar_inverse_var(&ss, &ss);
4790 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4791 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4792 }
4793
4794 /* Verify signature with message -1 passes. */
4795 {
4796 const unsigned char pubkey[33] = {
4797 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
4798 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
4799 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
4800 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
4801 0xf1
4802 };
4803 const unsigned char csr[32] = {
4804 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4805 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4806 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4807 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
4808 };
4809 secp256k1_ge key;
4810 secp256k1_scalar msg;
4811 secp256k1_scalar sr, ss;
4812 secp256k1_scalar_set_int(&ss, 1);
4813 secp256k1_scalar_set_int(&msg, 1);
4814 secp256k1_scalar_negate(&msg, &msg);
4815 secp256k1_scalar_set_b32(&sr, csr, NULL);
4816 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4817 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4818 secp256k1_scalar_negate(&ss, &ss);
4819 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4820 secp256k1_scalar_set_int(&ss, 3);
4821 secp256k1_scalar_inverse_var(&ss, &ss);
4822 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4823 }
4824
4825 /* Signature where s would be zero. */
4826 {
4827 secp256k1_pubkey pubkey;
788038d3 4828 size_t siglen;
96be2046
GM		 4829 int32_t ecount;
4830 unsigned char signature[72];
4831 static const unsigned char nonce[32] = {
d49abbd5
PW		 4832 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4833 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4834 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4835 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4836 };
4837 static const unsigned char nonce2[32] = {
4838 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4839 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4840 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4841 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
4842 };
4843 const unsigned char key[32] = {
4844 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4845 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4846 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4847 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4848 };
4849 unsigned char msg[32] = {
4850 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
4851 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
4852 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
4853 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
4854 };
96be2046
GM		 4855 ecount = 0;
4856 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
dc0ce9fc
PW		 4857 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
4858 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
d49abbd5 4859 msg[31] = 0xaa;
dc0ce9fc 4860 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
96be2046
GM		 4861 CHECK(ecount == 0);
4862 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
4863 CHECK(ecount == 1);
4864 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
4865 CHECK(ecount == 2);
4866 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
4867 CHECK(ecount == 3);
dc0ce9fc 4868 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
96be2046
GM		 4869 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
4870 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
4871 CHECK(ecount == 4);
4872 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
4873 CHECK(ecount == 5);
4874 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
4875 CHECK(ecount == 6);
4876 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
5b71a3f4
GM		 4877 CHECK(ecount == 6);
4878 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4879 CHECK(ecount == 7);
4880 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
4881 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
4882 CHECK(ecount == 8);
d49abbd5 4883 siglen = 72;
96be2046 4884 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
5b71a3f4 4885 CHECK(ecount == 9);
96be2046 4886 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
5b71a3f4 4887 CHECK(ecount == 10);
96be2046 4888 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
5b71a3f4 4889 CHECK(ecount == 11);
d49abbd5 4890 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
5b71a3f4
GM		 4891 CHECK(ecount == 11);
4892 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
4893 CHECK(ecount == 12);
4894 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
4895 CHECK(ecount == 13);
4896 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
4897 CHECK(ecount == 13);
d49abbd5 4898 siglen = 10;
5b71a3f4 4899 /* Too little room for a signature does not fail via ARGCHECK. */
d49abbd5 4900 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
5b71a3f4
GM		 4901 CHECK(ecount == 13);
4902 ecount = 0;
4903 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
4904 CHECK(ecount == 1);
4905 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
4906 CHECK(ecount == 2);
4907 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
4908 CHECK(ecount == 3);
4909 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
4910 CHECK(ecount == 3);
4911 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
4912 CHECK(ecount == 4);
4913 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
4914 CHECK(ecount == 5);
4915 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
4916 CHECK(ecount == 5);
c69dea02
GM		 4917 memset(signature, 255, 64);
4918 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
4919 CHECK(ecount == 5);
96be2046 4920 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
d49abbd5
PW		 4921 }
4922
4923 /* Nonce function corner cases. */
4924 for (t = 0; t < 2; t++) {
4925 static const unsigned char zero[32] = {0x00};
4926 int i;
4927 unsigned char key[32];
4928 unsigned char msg[32];
dd891e0e
PW		 4929 secp256k1_ecdsa_signature sig2;
4930 secp256k1_scalar sr[512], ss;
d49abbd5
PW		 4931 const unsigned char *extra;
4932 extra = t == 0 ? NULL : zero;
4933 memset(msg, 0, 32);
4934 msg[31] = 1;
4935 /* High key results in signature failure. */
4936 memset(key, 0xFF, 32);
dc0ce9fc 4937 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
d49abbd5
PW		 4938 CHECK(is_empty_signature(&sig));
4939 /* Zero key results in signature failure. */
4940 memset(key, 0, 32);
dc0ce9fc 4941 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
d49abbd5
PW		 4942 CHECK(is_empty_signature(&sig));
4943 /* Nonce function failure results in signature failure. */
4944 key[31] = 1;
dc0ce9fc 4945 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
d49abbd5
PW		 4946 CHECK(is_empty_signature(&sig));
4947 /* The retry loop successfully makes its way to the first good value. */
dc0ce9fc 4948 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
d49abbd5 4949 CHECK(!is_empty_signature(&sig));
dc0ce9fc 4950 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
d49abbd5
PW		 4951 CHECK(!is_empty_signature(&sig2));
4952 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
269d4227 4953 /* The default nonce function is deterministic. */
dc0ce9fc 4954 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
d49abbd5
PW		 4955 CHECK(!is_empty_signature(&sig2));
4956 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4957 /* The default nonce function changes output with different messages. */
4958 for(i = 0; i < 256; i++) {
4959 int j;
4960 msg[0] = i;
dc0ce9fc 4961 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
d49abbd5
PW		 4962 CHECK(!is_empty_signature(&sig2));
4963 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4964 for (j = 0; j < i; j++) {
4965 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4966 }
4967 }
4968 msg[0] = 0;
4969 msg[31] = 2;
4970 /* The default nonce function changes output with different keys. */
4971 for(i = 256; i < 512; i++) {
4972 int j;
4973 key[0] = i - 256;
dc0ce9fc 4974 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
d49abbd5
PW		 4975 CHECK(!is_empty_signature(&sig2));
4976 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4977 for (j = 0; j < i; j++) {
4978 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4979 }
4980 }
4981 key[0] = 0;
4982 }
4983
b30fc85c 4984 {
269d4227 4985 /* Check that optional nonce arguments do not have equivalent effect. */
b30fc85c
GM		 4986 const unsigned char zeros[32] = {0};
4987 unsigned char nonce[32];
4988 unsigned char nonce2[32];
4989 unsigned char nonce3[32];
4990 unsigned char nonce4[32];
4991 VG_UNDEF(nonce,32);
4992 VG_UNDEF(nonce2,32);
4993 VG_UNDEF(nonce3,32);
4994 VG_UNDEF(nonce4,32);
4995 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
4996 VG_CHECK(nonce,32);
4997 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
4998 VG_CHECK(nonce2,32);
4999 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
5000 VG_CHECK(nonce3,32);
5001 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
5002 VG_CHECK(nonce4,32);
5003 CHECK(memcmp(nonce, nonce2, 32) != 0);
5004 CHECK(memcmp(nonce, nonce3, 32) != 0);
5005 CHECK(memcmp(nonce, nonce4, 32) != 0);
5006 CHECK(memcmp(nonce2, nonce3, 32) != 0);
5007 CHECK(memcmp(nonce2, nonce4, 32) != 0);
5008 CHECK(memcmp(nonce3, nonce4, 32) != 0);
5009 }
5010
5011
d49abbd5
PW		 5012 /* Privkey export where pubkey is the point at infinity. */
5013 {
5014 unsigned char privkey[300];
5015 unsigned char seckey[32] = {
5016 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5017 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
5018 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
5019 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
5020 };
788038d3 5021 size_t outlen = 300;
eed87af1 5022 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
1973c737 5023 outlen = 300;
eed87af1 5024 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
d49abbd5
PW		 5025 }
5026}
5027
6e052878
PW		 5028void run_ecdsa_edge_cases(void) {
5029 test_ecdsa_edge_cases();
3bf029d6 5030}
25f4aec0 5031
dd08f037 5032#ifdef ENABLE_OPENSSL_TESTS
7914a6eb 5033EC_KEY *get_openssl_key(const unsigned char *key32) {
12e29b32 5034 unsigned char privkey[300];
788038d3 5035 size_t privkeylen;
12e29b32 5036 const unsigned char* pbegin = privkey;
fa57f1bd 5037 int compr = secp256k1_rand_bits(1);
dd08f037 5038 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
eed87af1 5039 CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
0592d117
PW		 5040 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
5041 CHECK(EC_KEY_check_key(ec_key));
dd08f037
PW		 5042 return ec_key;
5043}
5044
2cad067a 5045void test_ecdsa_openssl(void) {
dd891e0e
PW		 5046 secp256k1_gej qj;
5047 secp256k1_ge q;
5048 secp256k1_scalar sigr, sigs;
5049 secp256k1_scalar one;
5050 secp256k1_scalar msg2;
5051 secp256k1_scalar key, msg;
bf2e1ac7
GM		 5052 EC_KEY *ec_key;
5053 unsigned int sigsize = 80;
788038d3 5054 size_t secp_sigsize = 80;
dd08f037 5055 unsigned char message[32];
bf2e1ac7 5056 unsigned char signature[80];
7914a6eb 5057 unsigned char key32[32];
dd08f037 5058 secp256k1_rand256_test(message);
eca6cdb1 5059 secp256k1_scalar_set_b32(&msg, message, NULL);
a9f5c8b8 5060 random_scalar_order_test(&key);
7914a6eb 5061 secp256k1_scalar_get_b32(key32, &key);
a9b6595e 5062 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
dd08f037 5063 secp256k1_ge_set_gej(&q, &qj);
7914a6eb 5064 ec_key = get_openssl_key(key32);
2b199de8 5065 CHECK(ec_key != NULL);
0592d117 5066 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
18c329c5
PW		 5067 CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
5068 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
f24041d6 5069 secp256k1_scalar_set_int(&one, 1);
f24041d6 5070 secp256k1_scalar_add(&msg2, &msg, &one);
18c329c5 5071 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
dd08f037 5072
18c329c5
PW		 5073 random_sign(&sigr, &sigs, &key, &msg, NULL);
5074 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
9974d869 5075 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
dd08f037 5076
dd08f037 5077 EC_KEY_free(ec_key);
dd08f037
PW		 5078}
5079
2cad067a 5080void run_ecdsa_openssl(void) {
bf2e1ac7
GM		 5081 int i;
5082 for (i = 0; i < 10*count; i++) {
dd08f037
PW		 5083 test_ecdsa_openssl();
5084 }
5085}
5086#endif
5087
0739bbb6
AP		 5088#ifdef ENABLE_MODULE_ECDH
5089# include "modules/ecdh/tests_impl.h"
5090#endif
5091
9f443be0
PW		 5092#ifdef ENABLE_MODULE_RECOVERY
5093# include "modules/recovery/tests_impl.h"
5094#endif
5095
404c30a8 5096int main(int argc, char **argv) {
89561118
PW		 5097 unsigned char seed16[16] = {0};
5098 unsigned char run32[32] = {0};
71712b27 5099 /* find iteration count */
3fd6253e
PW		 5100 if (argc > 1) {
5101 count = strtol(argv[1], NULL, 0);
5102 }
5103
71712b27 5104 /* find random seed */
3fd6253e 5105 if (argc > 2) {
89561118
PW		 5106 int pos = 0;
5107 const char* ch = argv[2];
5108 while (pos < 16 && ch[0] != 0 && ch[1] != 0) {
5109 unsigned short sh;
5110 if (sscanf(ch, "%2hx", &sh)) {
5111 seed16[pos] = sh;
5112 } else {
5113 break;
5114 }
5115 ch += 2;
5116 pos++;
5117 }
3fd6253e
PW		 5118 } else {
5119 FILE *frand = fopen("/dev/urandom", "r");
8b3841c9 5120 if ((frand == NULL) || fread(&seed16, 1, sizeof(seed16), frand) != sizeof(seed16)) {
89561118 5121 uint64_t t = time(NULL) * (uint64_t)1337;
be40c4d0 5122 fprintf(stderr, "WARNING: could not read 16 bytes from /dev/urandom; falling back to insecure PRNG\n");
89561118
PW		 5123 seed16[0] ^= t;
5124 seed16[1] ^= t >> 8;
5125 seed16[2] ^= t >> 16;
5126 seed16[3] ^= t >> 24;
5127 seed16[4] ^= t >> 32;
5128 seed16[5] ^= t >> 40;
5129 seed16[6] ^= t >> 48;
5130 seed16[7] ^= t >> 56;
3fd6253e 5131 }
5aae5b5b 5132 if (frand) {
5133 fclose(frand);
5134 }
3fd6253e 5135 }
89561118 5136 secp256k1_rand_seed(seed16);
404c30a8 5137
dd08f037 5138 printf("test count = %i\n", count);
89561118 5139 printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]);
dd08f037 5140
71712b27 5141 /* initialize */
814cc78d
TR		 5142 run_context_tests(0);
5143 run_context_tests(1);
548de42e 5144 run_scratch_tests();
a9b6595e 5145 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
fa57f1bd 5146 if (secp256k1_rand_bits(1)) {
d2275795 5147 secp256k1_rand256(run32);
fa57f1bd 5148 CHECK(secp256k1_context_randomize(ctx, secp256k1_rand_bits(1) ? run32 : NULL));
d2275795 5149 }
49b37498
PW		 5150
5151 run_rand_bits();
5152 run_rand_int();
5153
b37fbc28
PW		 5154 run_sha256_tests();
5155 run_hmac_sha256_tests();
5156 run_rfc6979_hmac_sha256_tests();
5157
597128d3 5158#ifndef USE_NUM_NONE
71712b27 5159 /* num tests */
3f44e1ad 5160 run_num_smalltests();
597128d3 5161#endif
404c30a8 5162
71712b27 5163 /* scalar tests */
79359302
PW		 5164 run_scalar_tests();
5165
71712b27 5166 /* field tests */
f16be77f
PD		 5167 run_field_inv();
5168 run_field_inv_var();
f16be77f 5169 run_field_inv_all_var();
8d11164b 5170 run_field_misc();
ff889f7d 5171 run_field_convert();
59447da3 5172 run_sqr();
09ca4f32
PD		 5173 run_sqrt();
5174
71712b27 5175 /* group tests */
9338dbf7 5176 run_ge();
64666251 5177 run_group_decompress();
9338dbf7 5178
71712b27 5179 /* ecmult tests */
404c30a8
PW		 5180 run_wnaf();
5181 run_point_times_order();
5182 run_ecmult_chain();
d2275795
GM		 5183 run_ecmult_constants();
5184 run_ecmult_gen_blind();
44015000 5185 run_ecmult_const_tests();
dba5471b 5186 run_ecmult_multi_tests();
a5a66c70 5187 run_ec_combine();
404c30a8 5188
baa75da5
AP		 5189 /* endomorphism tests */
5190#ifdef USE_ENDOMORPHISM
5191 run_endomorphism_tests();
5192#endif
5193
96be2046 5194 /* EC point parser test */
67f7da40
GM		 5195 run_ec_pubkey_parse_test();
5196
96be2046
GM		 5197 /* EC key edge cases */
5198 run_eckey_edge_case_test();
5199
0739bbb6
AP		 5200#ifdef ENABLE_MODULE_ECDH
5201 /* ecdh tests */
5202 run_ecdh_tests();
5203#endif
5204
71712b27 5205 /* ecdsa tests */
7c6fed28 5206 run_random_pubkeys();
3bb9c447 5207 run_ecdsa_der_parse();
404c30a8 5208 run_ecdsa_sign_verify();
25f4aec0 5209 run_ecdsa_end_to_end();
6e052878 5210 run_ecdsa_edge_cases();
dd08f037
PW		 5211#ifdef ENABLE_OPENSSL_TESTS
5212 run_ecdsa_openssl();
5213#endif
910d0de4 5214
9f443be0
PW		 5215#ifdef ENABLE_MODULE_RECOVERY
5216 /* ECDSA pubkey recovery tests */
5217 run_recovery_tests();
5218#endif
5219
89561118
PW		 5220 secp256k1_rand256(run32);
5221 printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]);
bff11e91 5222
71712b27 5223 /* shutdown */
a9b6595e 5224 secp256k1_context_destroy(ctx);
c996d53a
PW		 5225
5226 printf("no problems found\n");
a41f32e6
PW		 5227 return 0;
5228}
Empty description
This page took 0.838849 seconds and 4 git commands to generate.