]> Git Repo - secp256k1.git/blame - src/tests.c
projects / secp256k1.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Fix secp256k1_ge_set_table_gej_var parameter order
[secp256k1.git] / src / tests.c
CommitLineData
71712b27 1/**********************************************************************
9c4fb23d 2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
71712b27
GM		 3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
0a433ea2 6
78cd96b1
CF		 7#if defined HAVE_CONFIG_H
8#include "libsecp256k1-config.h"
9#endif
10
5a9989c5 11#include <stdio.h>
0592d117 12#include <stdlib.h>
a41f32e6 13
e06a9244
PJ		 14#include <time.h>
15
25f4aec0 16#include "secp256k1.c"
67f7da40 17#include "include/secp256k1.h"
f0709ac5 18#include "testrand_impl.h"
a41f32e6 19
dd08f037
PW		 20#ifdef ENABLE_OPENSSL_TESTS
21#include "openssl/bn.h"
22#include "openssl/ec.h"
23#include "openssl/ecdsa.h"
24#include "openssl/obj_mac.h"
25#endif
26
eed87af1
AP		 27#include "contrib/lax_der_parsing.c"
28#include "contrib/lax_der_privatekey_parsing.c"
fea19e7b 29
67f7da40
GM		 30#if !defined(VG_CHECK)
31# if defined(VALGRIND)
32# include <valgrind/memcheck.h>
33# define VG_UNDEF(x,y) VALGRIND_MAKE_MEM_UNDEFINED((x),(y))
34# define VG_CHECK(x,y) VALGRIND_CHECK_MEM_IS_DEFINED((x),(y))
35# else
36# define VG_UNDEF(x,y)
37# define VG_CHECK(x,y)
38# endif
39#endif
40
79f599d3 41static int count = 64;
dd891e0e 42static secp256k1_context *ctx = NULL;
4adf6b2a 43
96be2046
GM		 44static void counting_illegal_callback_fn(const char* str, void* data) {
45 /* Dummy callback function that just counts. */
46 int32_t *p;
47 (void)str;
48 p = data;
49 (*p)++;
50}
51
52static void uncounting_illegal_callback_fn(const char* str, void* data) {
53 /* Dummy callback function that just counts (backwards). */
54 int32_t *p;
55 (void)str;
56 p = data;
57 (*p)--;
58}
59
dd891e0e 60void random_field_element_test(secp256k1_fe *fe) {
9338dbf7
PW		 61 do {
62 unsigned char b32[32];
63 secp256k1_rand256_test(b32);
659b554d
PW		 64 if (secp256k1_fe_set_b32(fe, b32)) {
65 break;
66 }
9338dbf7
PW		 67 } while(1);
68}
69
dd891e0e
PW		 70void random_field_element_magnitude(secp256k1_fe *fe) {
71 secp256k1_fe zero;
fa57f1bd 72 int n = secp256k1_rand_int(9);
9338dbf7 73 secp256k1_fe_normalize(fe);
60571c6e
PW		 74 if (n == 0) {
75 return;
9338dbf7 76 }
60571c6e
PW		 77 secp256k1_fe_clear(&zero);
78 secp256k1_fe_negate(&zero, &zero, 0);
79 secp256k1_fe_mul_int(&zero, n - 1);
80 secp256k1_fe_add(fe, &zero);
3f3964e4 81 VERIFY_CHECK(fe->magnitude == n);
9338dbf7
PW		 82}
83
dd891e0e
PW		 84void random_group_element_test(secp256k1_ge *ge) {
85 secp256k1_fe fe;
9338dbf7
PW		 86 do {
87 random_field_element_test(&fe);
fa57f1bd 88 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand_bits(1))) {
baa75da5 89 secp256k1_fe_normalize(&ge->y);
9338dbf7 90 break;
26320197 91 }
9338dbf7
PW		 92 } while(1);
93}
94
dd891e0e
PW		 95void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
96 secp256k1_fe z2, z3;
9338dbf7
PW		 97 do {
98 random_field_element_test(&gej->z);
99 if (!secp256k1_fe_is_zero(&gej->z)) {
100 break;
101 }
102 } while(1);
bf2e1ac7
GM		 103 secp256k1_fe_sqr(&z2, &gej->z);
104 secp256k1_fe_mul(&z3, &z2, &gej->z);
9338dbf7
PW		 105 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
106 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
107 gej->infinity = ge->infinity;
108}
109
dd891e0e 110void random_scalar_order_test(secp256k1_scalar *num) {
a9f5c8b8
PW		 111 do {
112 unsigned char b32[32];
a9f5c8b8 113 int overflow = 0;
bf2e1ac7 114 secp256k1_rand256_test(b32);
eca6cdb1 115 secp256k1_scalar_set_b32(num, b32, &overflow);
26320197 116 if (overflow || secp256k1_scalar_is_zero(num)) {
a9f5c8b8 117 continue;
26320197 118 }
a9f5c8b8
PW		 119 break;
120 } while(1);
121}
122
dd891e0e 123void random_scalar_order(secp256k1_scalar *num) {
f24041d6
PW		 124 do {
125 unsigned char b32[32];
f24041d6 126 int overflow = 0;
bf2e1ac7 127 secp256k1_rand256(b32);
f24041d6 128 secp256k1_scalar_set_b32(num, b32, &overflow);
26320197 129 if (overflow || secp256k1_scalar_is_zero(num)) {
f24041d6 130 continue;
26320197 131 }
f24041d6
PW		 132 break;
133 } while(1);
134}
135
d899b5b6 136void run_context_tests(void) {
96be2046
GM		 137 secp256k1_pubkey pubkey;
138 secp256k1_ecdsa_signature sig;
139 unsigned char ctmp[32];
140 int32_t ecount;
141 int32_t ecount2;
1a368980 142 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
dd891e0e
PW		 143 secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
144 secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
145 secp256k1_context *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
d899b5b6 146
dd891e0e
PW		 147 secp256k1_gej pubj;
148 secp256k1_ge pub;
149 secp256k1_scalar msg, key, nonce;
150 secp256k1_scalar sigr, sigs;
d899b5b6 151
96be2046
GM		 152 ecount = 0;
153 ecount2 = 10;
154 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
155 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
156 secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, NULL);
157 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
158
d899b5b6
AP		 159 /*** clone and destroy all of them to make sure cloning was complete ***/
160 {
dd891e0e 161 secp256k1_context *ctx_tmp;
d899b5b6
AP		 162
163 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_destroy(ctx_tmp);
164 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_destroy(ctx_tmp);
165 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_destroy(ctx_tmp);
166 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_destroy(ctx_tmp);
167 }
168
96be2046
GM		 169 /* Verify that the error callback makes it across the clone. */
170 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
171 /* And that it resets back to default. */
172 secp256k1_context_set_error_callback(sign, NULL, NULL);
173 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
174
d899b5b6
AP		 175 /*** attempt to use them ***/
176 random_scalar_order_test(&msg);
177 random_scalar_order_test(&key);
178 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
179 secp256k1_ge_set_gej(&pub, &pubj);
180
96be2046
GM		 181 /* Verify context-type checking illegal-argument errors. */
182 memset(ctmp, 1, 32);
183 CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
184 CHECK(ecount == 1);
185 VG_UNDEF(&pubkey, sizeof(pubkey));
186 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
187 VG_CHECK(&pubkey, sizeof(pubkey));
188 CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
189 CHECK(ecount == 2);
190 VG_UNDEF(&sig, sizeof(sig));
191 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
192 VG_CHECK(&sig, sizeof(sig));
193 CHECK(ecount2 == 10);
194 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
195 CHECK(ecount2 == 11);
196 CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
197 CHECK(ecount == 2);
198 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
199 CHECK(ecount2 == 12);
200 CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
201 CHECK(ecount == 2);
202 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
203 CHECK(ecount2 == 13);
204 CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
205 CHECK(ecount == 2);
206 CHECK(secp256k1_context_randomize(vrfy, ctmp) == 0);
207 CHECK(ecount == 3);
208 CHECK(secp256k1_context_randomize(sign, NULL) == 1);
209 CHECK(ecount2 == 13);
210 secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
211 secp256k1_context_set_illegal_callback(sign, NULL, NULL);
212
213 /* This shouldn't leak memory, due to already-set tests. */
214 secp256k1_ecmult_gen_context_build(&sign->ecmult_gen_ctx, NULL);
215 secp256k1_ecmult_context_build(&vrfy->ecmult_ctx, NULL);
216
d899b5b6
AP		 217 /* obtain a working nonce */
218 do {
219 random_scalar_order_test(&nonce);
18c329c5 220 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
d899b5b6
AP		 221
222 /* try signing */
18c329c5
PW		 223 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
224 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
d899b5b6
AP		 225
226 /* try verifying */
18c329c5
PW		 227 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
228 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
5c2a4fad
AP		 229
230 /* cleanup */
231 secp256k1_context_destroy(none);
232 secp256k1_context_destroy(sign);
233 secp256k1_context_destroy(vrfy);
234 secp256k1_context_destroy(both);
5b71a3f4
GM		 235 /* Defined as no-op. */
236 secp256k1_context_destroy(NULL);
d899b5b6
AP		 237}
238
b37fbc28
PW		 239/***** HASH TESTS *****/
240
241void run_sha256_tests(void) {
242 static const char *inputs[8] = {
243 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
244 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
245 "For this sample, this 63-byte string will be used as input data",
246 "This is exactly 64 bytes long, not counting the terminating byte"
247 };
248 static const unsigned char outputs[8][32] = {
249 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
250 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
251 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
252 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
253 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
254 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
255 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
256 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
257 };
bf2e1ac7
GM		 258 int i;
259 for (i = 0; i < 8; i++) {
260 unsigned char out[32];
b37fbc28
PW		 261 secp256k1_sha256_t hasher;
262 secp256k1_sha256_initialize(&hasher);
263 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
b37fbc28
PW		 264 secp256k1_sha256_finalize(&hasher, out);
265 CHECK(memcmp(out, outputs[i], 32) == 0);
266 if (strlen(inputs[i]) > 0) {
fa57f1bd 267 int split = secp256k1_rand_int(strlen(inputs[i]));
bf2e1ac7 268 secp256k1_sha256_initialize(&hasher);
b37fbc28
PW		 269 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
270 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
271 secp256k1_sha256_finalize(&hasher, out);
272 CHECK(memcmp(out, outputs[i], 32) == 0);
273 }
274 }
275}
276
277void run_hmac_sha256_tests(void) {
278 static const char *keys[6] = {
279 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
280 "\x4a\x65\x66\x65",
281 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
282 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
283 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
284 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
285 };
286 static const char *inputs[6] = {
287 "\x48\x69\x20\x54\x68\x65\x72\x65",
288 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
289 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
290 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
291 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
292 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
293 };
294 static const unsigned char outputs[6][32] = {
295 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
296 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
297 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
298 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
299 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
300 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
301 };
bf2e1ac7
GM		 302 int i;
303 for (i = 0; i < 6; i++) {
b37fbc28 304 secp256k1_hmac_sha256_t hasher;
bf2e1ac7 305 unsigned char out[32];
b37fbc28
PW		 306 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
307 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
b37fbc28
PW		 308 secp256k1_hmac_sha256_finalize(&hasher, out);
309 CHECK(memcmp(out, outputs[i], 32) == 0);
310 if (strlen(inputs[i]) > 0) {
fa57f1bd 311 int split = secp256k1_rand_int(strlen(inputs[i]));
bf2e1ac7 312 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
b37fbc28
PW		 313 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
314 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
315 secp256k1_hmac_sha256_finalize(&hasher, out);
316 CHECK(memcmp(out, outputs[i], 32) == 0);
317 }
318 }
319}
320
321void run_rfc6979_hmac_sha256_tests(void) {
3e6f1e20 322 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
b37fbc28
PW		 323 static const unsigned char out1[3][32] = {
324 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
325 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
326 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
327 };
328
3e6f1e20 329 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
b37fbc28
PW		 330 static const unsigned char out2[3][32] = {
331 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
332 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
333 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
334 };
335
336 secp256k1_rfc6979_hmac_sha256_t rng;
337 unsigned char out[32];
bf2e1ac7 338 int i;
b37fbc28 339
3e6f1e20 340 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
bf2e1ac7 341 for (i = 0; i < 3; i++) {
b37fbc28
PW		 342 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
343 CHECK(memcmp(out, out1[i], 32) == 0);
344 }
345 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
346
3e6f1e20 347 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
1573a102
PW		 348 for (i = 0; i < 3; i++) {
349 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
350 CHECK(memcmp(out, out1[i], 32) != 0);
351 }
352 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
353
3e6f1e20 354 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
bf2e1ac7 355 for (i = 0; i < 3; i++) {
b37fbc28
PW		 356 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
357 CHECK(memcmp(out, out2[i], 32) == 0);
358 }
359 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
360}
361
49b37498
PW		 362/***** RANDOM TESTS *****/
363
364void test_rand_bits(int rand32, int bits) {
365 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
366 * get a false negative chance below once in a billion */
367 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
368 /* We try multiplying the results with various odd numbers, which shouldn't
369 * influence the uniform distribution modulo a power of 2. */
370 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
371 /* We only select up to 6 bits from the output to analyse */
372 unsigned int usebits = bits > 6 ? 6 : bits;
373 unsigned int maxshift = bits - usebits;
374 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
375 number, track all observed outcomes, one per bit in a uint64_t. */
376 uint64_t x[6][27] = {{0}};
377 unsigned int i, shift, m;
378 /* Multiply the output of all rand calls with the odd number m, which
379 should not change the uniformity of its distribution. */
380 for (i = 0; i < rounds[usebits]; i++) {
381 uint32_t r = (rand32 ? secp256k1_rand32() : secp256k1_rand_bits(bits));
382 CHECK((((uint64_t)r) >> bits) == 0);
383 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
384 uint32_t rm = r * mults[m];
385 for (shift = 0; shift <= maxshift; shift++) {
386 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
387 }
388 }
389 }
390 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
391 for (shift = 0; shift <= maxshift; shift++) {
392 /* Test that the lower usebits bits of x[shift] are 1 */
393 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
394 }
395 }
396}
397
398/* Subrange must be a whole divisor of range, and at most 64 */
399void test_rand_int(uint32_t range, uint32_t subrange) {
400 /* (1-1/subrange)^rounds < 1/10^9 */
401 int rounds = (subrange * 2073) / 100;
402 int i;
403 uint64_t x = 0;
404 CHECK((range % subrange) == 0);
405 for (i = 0; i < rounds; i++) {
406 uint32_t r = secp256k1_rand_int(range);
407 CHECK(r < range);
408 r = r % subrange;
409 x |= (((uint64_t)1) << r);
410 }
411 /* Test that the lower subrange bits of x are 1. */
412 CHECK(((~x) << (64 - subrange)) == 0);
413}
414
415void run_rand_bits(void) {
416 size_t b;
417 test_rand_bits(1, 32);
418 for (b = 1; b <= 32; b++) {
419 test_rand_bits(0, b);
420 }
421}
422
423void run_rand_int(void) {
424 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
425 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
426 unsigned int m, s;
427 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
428 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
429 test_rand_int(ms[m] * ss[s], ss[s]);
430 }
431 }
432}
433
659b554d
PW		 434/***** NUM TESTS *****/
435
597128d3 436#ifndef USE_NUM_NONE
dd891e0e 437void random_num_negate(secp256k1_num *num) {
fa57f1bd 438 if (secp256k1_rand_bits(1)) {
659b554d 439 secp256k1_num_negate(num);
26320197 440 }
659b554d
PW		 441}
442
dd891e0e
PW		 443void random_num_order_test(secp256k1_num *num) {
444 secp256k1_scalar sc;
659b554d
PW		 445 random_scalar_order_test(&sc);
446 secp256k1_scalar_get_num(num, &sc);
447}
448
dd891e0e
PW		 449void random_num_order(secp256k1_num *num) {
450 secp256k1_scalar sc;
659b554d
PW		 451 random_scalar_order(&sc);
452 secp256k1_scalar_get_num(num, &sc);
404c30a8
PW		 453}
454
2cad067a 455void test_num_negate(void) {
dd891e0e
PW		 456 secp256k1_num n1;
457 secp256k1_num n2;
71712b27 458 random_num_order_test(&n1); /* n1 = R */
3f44e1ad 459 random_num_negate(&n1);
71712b27
GM		 460 secp256k1_num_copy(&n2, &n1); /* n2 = R */
461 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
0592d117 462 CHECK(secp256k1_num_is_zero(&n1));
71712b27
GM		 463 secp256k1_num_copy(&n1, &n2); /* n1 = R */
464 secp256k1_num_negate(&n1); /* n1 = -R */
0592d117 465 CHECK(!secp256k1_num_is_zero(&n1));
71712b27 466 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
0592d117 467 CHECK(secp256k1_num_is_zero(&n1));
71712b27
GM		 468 secp256k1_num_copy(&n1, &n2); /* n1 = R */
469 secp256k1_num_negate(&n1); /* n1 = -R */
0592d117 470 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
71712b27 471 secp256k1_num_negate(&n1); /* n1 = R */
1a749b4a 472 CHECK(secp256k1_num_eq(&n1, &n2));
3f44e1ad
PW		 473}
474
2cad067a 475void test_num_add_sub(void) {
efd953a7
PD		 476 int i;
477 secp256k1_scalar s;
dd891e0e
PW		 478 secp256k1_num n1;
479 secp256k1_num n2;
480 secp256k1_num n1p2, n2p1, n1m2, n2m1;
71712b27 481 random_num_order_test(&n1); /* n1 = R1 */
fa57f1bd 482 if (secp256k1_rand_bits(1)) {
1a749b4a
PW		 483 random_num_negate(&n1);
484 }
71712b27 485 random_num_order_test(&n2); /* n2 = R2 */
fa57f1bd 486 if (secp256k1_rand_bits(1)) {
1a749b4a
PW		 487 random_num_negate(&n2);
488 }
71712b27
GM		 489 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
490 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
491 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
492 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
1a749b4a
PW		 493 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
494 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
71712b27 495 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
1a749b4a
PW		 496 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
497 CHECK(!secp256k1_num_eq(&n2m1, &n1));
71712b27 498 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
1a749b4a
PW		 499 CHECK(secp256k1_num_eq(&n2m1, &n1));
500 CHECK(!secp256k1_num_eq(&n2p1, &n1));
71712b27 501 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
1a749b4a 502 CHECK(secp256k1_num_eq(&n2p1, &n1));
efd953a7
PD		 503
504 /* check is_one */
505 secp256k1_scalar_set_int(&s, 1);
506 secp256k1_scalar_get_num(&n1, &s);
507 CHECK(secp256k1_num_is_one(&n1));
508 /* check that 2^n + 1 is never 1 */
509 secp256k1_scalar_get_num(&n2, &s);
510 for (i = 0; i < 250; ++i) {
511 secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */
512 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */
513 CHECK(!secp256k1_num_is_one(&n1p2));
514 }
515}
516
517void test_num_mod(void) {
518 int i;
519 secp256k1_scalar s;
520 secp256k1_num order, n;
521
522 /* check that 0 mod anything is 0 */
7d893f49 523 random_scalar_order_test(&s);
efd953a7
PD		 524 secp256k1_scalar_get_num(&order, &s);
525 secp256k1_scalar_set_int(&s, 0);
526 secp256k1_scalar_get_num(&n, &s);
527 secp256k1_num_mod(&n, &order);
528 CHECK(secp256k1_num_is_zero(&n));
529
530 /* check that anything mod 1 is 0 */
531 secp256k1_scalar_set_int(&s, 1);
532 secp256k1_scalar_get_num(&order, &s);
533 secp256k1_scalar_get_num(&n, &s);
534 secp256k1_num_mod(&n, &order);
535 CHECK(secp256k1_num_is_zero(&n));
536
537 /* check that increasing the number past 2^256 does not break this */
7d893f49 538 random_scalar_order_test(&s);
efd953a7
PD		 539 secp256k1_scalar_get_num(&n, &s);
540 /* multiply by 2^8, which'll test this case with high probability */
541 for (i = 0; i < 8; ++i) {
542 secp256k1_num_add(&n, &n, &n);
543 }
544 secp256k1_num_mod(&n, &order);
545 CHECK(secp256k1_num_is_zero(&n));
546}
547
548void test_num_jacobi(void) {
549 secp256k1_scalar sqr;
550 secp256k1_scalar small;
551 secp256k1_scalar five; /* five is not a quadratic residue */
552 secp256k1_num order, n;
553 int i;
554 /* squares mod 5 are 1, 4 */
555 const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
556
557 /* check some small values with 5 as the order */
558 secp256k1_scalar_set_int(&five, 5);
559 secp256k1_scalar_get_num(&order, &five);
560 for (i = 0; i < 10; ++i) {
561 secp256k1_scalar_set_int(&small, i);
562 secp256k1_scalar_get_num(&n, &small);
563 CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
564 }
565
566 /** test large values with 5 as group order */
567 secp256k1_scalar_get_num(&order, &five);
568 /* we first need a scalar which is not a multiple of 5 */
569 do {
570 secp256k1_num fiven;
7d893f49 571 random_scalar_order_test(&sqr);
efd953a7
PD		 572 secp256k1_scalar_get_num(&fiven, &five);
573 secp256k1_scalar_get_num(&n, &sqr);
574 secp256k1_num_mod(&n, &fiven);
575 } while (secp256k1_num_is_zero(&n));
576 /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
577 * just multiply by two, i.e. add the number to itself */
578 if (secp256k1_num_jacobi(&n, &order) == -1) {
579 secp256k1_num_add(&n, &n, &n);
580 }
581
582 /* test residue */
583 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
584 /* test nonresidue */
585 secp256k1_num_add(&n, &n, &n);
586 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
587
588 /** test with secp group order as order */
589 secp256k1_scalar_order_get_num(&order);
7d893f49 590 random_scalar_order_test(&sqr);
efd953a7
PD		 591 secp256k1_scalar_sqr(&sqr, &sqr);
592 /* test residue */
593 secp256k1_scalar_get_num(&n, &sqr);
594 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
595 /* test nonresidue */
596 secp256k1_scalar_mul(&sqr, &sqr, &five);
597 secp256k1_scalar_get_num(&n, &sqr);
598 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
599 /* test multiple of the order*/
600 CHECK(secp256k1_num_jacobi(&order, &order) == 0);
601
602 /* check one less than the order */
603 secp256k1_scalar_set_int(&small, 1);
604 secp256k1_scalar_get_num(&n, &small);
605 secp256k1_num_sub(&n, &order, &n);
606 CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */
3f44e1ad
PW		 607}
608
2cad067a 609void run_num_smalltests(void) {
bf2e1ac7
GM		 610 int i;
611 for (i = 0; i < 100*count; i++) {
3f44e1ad
PW		 612 test_num_negate();
613 test_num_add_sub();
efd953a7
PD		 614 test_num_mod();
615 test_num_jacobi();
3f44e1ad 616 }
3f44e1ad 617}
597128d3 618#endif
3f44e1ad 619
79359302
PW		 620/***** SCALAR TESTS *****/
621
79359302 622void scalar_test(void) {
dd891e0e
PW		 623 secp256k1_scalar s;
624 secp256k1_scalar s1;
625 secp256k1_scalar s2;
bf2e1ac7 626#ifndef USE_NUM_NONE
dd891e0e
PW		 627 secp256k1_num snum, s1num, s2num;
628 secp256k1_num order, half_order;
bf2e1ac7 629#endif
79359302
PW		 630 unsigned char c[32];
631
71712b27 632 /* Set 's' to a random scalar, with value 'snum'. */
659b554d 633 random_scalar_order_test(&s);
79359302 634
71712b27 635 /* Set 's1' to a random scalar, with value 's1num'. */
659b554d 636 random_scalar_order_test(&s1);
79359302 637
71712b27 638 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
659b554d
PW		 639 random_scalar_order_test(&s2);
640 secp256k1_scalar_get_b32(c, &s2);
641
597128d3 642#ifndef USE_NUM_NONE
659b554d
PW		 643 secp256k1_scalar_get_num(&snum, &s);
644 secp256k1_scalar_get_num(&s1num, &s1);
645 secp256k1_scalar_get_num(&s2num, &s2);
646
659b554d 647 secp256k1_scalar_order_get_num(&order);
bf2e1ac7 648 half_order = order;
659b554d 649 secp256k1_num_shift(&half_order, 1);
597128d3 650#endif
79359302
PW		 651
652 {
bf2e1ac7 653 int i;
71712b27 654 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
dd891e0e 655 secp256k1_scalar n;
1e6c77c3 656 secp256k1_scalar_set_int(&n, 0);
bf2e1ac7 657 for (i = 0; i < 256; i += 4) {
dd891e0e 658 secp256k1_scalar t;
bf2e1ac7 659 int j;
1e6c77c3 660 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
bf2e1ac7 661 for (j = 0; j < 4; j++) {
1e6c77c3
PW		 662 secp256k1_scalar_add(&n, &n, &n);
663 }
664 secp256k1_scalar_add(&n, &n, &t);
79359302 665 }
1e6c77c3
PW		 666 CHECK(secp256k1_scalar_eq(&n, &s));
667 }
668
669 {
670 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
dd891e0e 671 secp256k1_scalar n;
1e6c77c3 672 int i = 0;
bf2e1ac7 673 secp256k1_scalar_set_int(&n, 0);
1e6c77c3 674 while (i < 256) {
dd891e0e 675 secp256k1_scalar t;
bf2e1ac7 676 int j;
fa57f1bd 677 int now = secp256k1_rand_int(15) + 1;
1e6c77c3
PW		 678 if (now + i > 256) {
679 now = 256 - i;
680 }
1e6c77c3 681 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
bf2e1ac7 682 for (j = 0; j < now; j++) {
1e6c77c3
PW		 683 secp256k1_scalar_add(&n, &n, &n);
684 }
685 secp256k1_scalar_add(&n, &n, &t);
686 i += now;
687 }
688 CHECK(secp256k1_scalar_eq(&n, &s));
79359302
PW		 689 }
690
597128d3 691#ifndef USE_NUM_NONE
79359302 692 {
71712b27 693 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
dd891e0e
PW		 694 secp256k1_num rnum;
695 secp256k1_num r2num;
696 secp256k1_scalar r;
79359302 697 secp256k1_num_add(&rnum, &snum, &s2num);
659b554d 698 secp256k1_num_mod(&rnum, &order);
79359302 699 secp256k1_scalar_add(&r, &s, &s2);
79359302
PW		 700 secp256k1_scalar_get_num(&r2num, &r);
701 CHECK(secp256k1_num_eq(&rnum, &r2num));
79359302
PW		 702 }
703
704 {
269d4227 705 /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
dd891e0e
PW		 706 secp256k1_scalar r;
707 secp256k1_num r2num;
708 secp256k1_num rnum;
79359302 709 secp256k1_num_mul(&rnum, &snum, &s2num);
659b554d 710 secp256k1_num_mod(&rnum, &order);
79359302 711 secp256k1_scalar_mul(&r, &s, &s2);
79359302
PW		 712 secp256k1_scalar_get_num(&r2num, &r);
713 CHECK(secp256k1_num_eq(&rnum, &r2num));
71712b27 714 /* The result can only be zero if at least one of the factors was zero. */
79359302 715 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
71712b27 716 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
79359302
PW		 717 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
718 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
79359302
PW		 719 }
720
721 {
dd891e0e
PW		 722 secp256k1_scalar neg;
723 secp256k1_num negnum;
724 secp256k1_num negnum2;
71712b27 725 /* Check that comparison with zero matches comparison with zero on the number. */
79359302 726 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
71712b27 727 /* Check that comparison with the half order is equal to testing for high scalar. */
659b554d 728 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
79359302 729 secp256k1_scalar_negate(&neg, &s);
659b554d
PW		 730 secp256k1_num_sub(&negnum, &order, &snum);
731 secp256k1_num_mod(&negnum, &order);
71712b27 732 /* Check that comparison with the half order is equal to testing for high scalar after negation. */
659b554d 733 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
71712b27 734 /* Negating should change the high property, unless the value was already zero. */
79359302 735 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
79359302 736 secp256k1_scalar_get_num(&negnum2, &neg);
71712b27 737 /* Negating a scalar should be equal to (order - n) mod order on the number. */
79359302
PW		 738 CHECK(secp256k1_num_eq(&negnum, &negnum2));
739 secp256k1_scalar_add(&neg, &neg, &s);
71712b27 740 /* Adding a number to its negation should result in zero. */
79359302
PW		 741 CHECK(secp256k1_scalar_is_zero(&neg));
742 secp256k1_scalar_negate(&neg, &neg);
71712b27 743 /* Negating zero should still result in zero. */
79359302 744 CHECK(secp256k1_scalar_is_zero(&neg));
79359302 745 }
ff8746d4
PW		 746
747 {
748 /* Test secp256k1_scalar_mul_shift_var. */
dd891e0e
PW		 749 secp256k1_scalar r;
750 secp256k1_num one;
751 secp256k1_num rnum;
752 secp256k1_num rnum2;
bf2e1ac7 753 unsigned char cone[1] = {0x01};
fa57f1bd 754 unsigned int shift = 256 + secp256k1_rand_int(257);
ff8746d4 755 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
ff8746d4
PW		 756 secp256k1_num_mul(&rnum, &s1num, &s2num);
757 secp256k1_num_shift(&rnum, shift - 1);
ff8746d4
PW		 758 secp256k1_num_set_bin(&one, cone, 1);
759 secp256k1_num_add(&rnum, &rnum, &one);
760 secp256k1_num_shift(&rnum, 1);
ff8746d4
PW		 761 secp256k1_scalar_get_num(&rnum2, &r);
762 CHECK(secp256k1_num_eq(&rnum, &rnum2));
763 }
44015000
AP		 764
765 {
766 /* test secp256k1_scalar_shr_int */
dd891e0e 767 secp256k1_scalar r;
44015000 768 int i;
44015000
AP		 769 random_scalar_order_test(&r);
770 for (i = 0; i < 100; ++i) {
cfe0ed91 771 int low;
fa57f1bd 772 int shift = 1 + secp256k1_rand_int(15);
44015000
AP		 773 int expected = r.d[0] % (1 << shift);
774 low = secp256k1_scalar_shr_int(&r, shift);
775 CHECK(expected == low);
776 }
777 }
597128d3 778#endif
79359302
PW		 779
780 {
71712b27 781 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
79359302 782 if (!secp256k1_scalar_is_zero(&s)) {
dd891e0e 783 secp256k1_scalar inv;
597128d3 784#ifndef USE_NUM_NONE
dd891e0e
PW		 785 secp256k1_num invnum;
786 secp256k1_num invnum2;
bf2e1ac7
GM		 787#endif
788 secp256k1_scalar_inverse(&inv, &s);
789#ifndef USE_NUM_NONE
790 secp256k1_num_mod_inverse(&invnum, &snum, &order);
79359302
PW		 791 secp256k1_scalar_get_num(&invnum2, &inv);
792 CHECK(secp256k1_num_eq(&invnum, &invnum2));
597128d3 793#endif
79359302 794 secp256k1_scalar_mul(&inv, &inv, &s);
71712b27 795 /* Multiplying a scalar with its inverse must result in one. */
79359302
PW		 796 CHECK(secp256k1_scalar_is_one(&inv));
797 secp256k1_scalar_inverse(&inv, &inv);
71712b27 798 /* Inverting one must result in one. */
79359302 799 CHECK(secp256k1_scalar_is_one(&inv));
efd953a7
PD		 800#ifndef USE_NUM_NONE
801 secp256k1_scalar_get_num(&invnum, &inv);
802 CHECK(secp256k1_num_is_one(&invnum));
803#endif
79359302
PW		 804 }
805 }
806
807 {
71712b27 808 /* Test commutativity of add. */
dd891e0e 809 secp256k1_scalar r1, r2;
79359302
PW		 810 secp256k1_scalar_add(&r1, &s1, &s2);
811 secp256k1_scalar_add(&r2, &s2, &s1);
812 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 813 }
814
52132078 815 {
dd891e0e
PW		 816 secp256k1_scalar r1, r2;
817 secp256k1_scalar b;
bf2e1ac7 818 int i;
52132078 819 /* Test add_bit. */
fa57f1bd 820 int bit = secp256k1_rand_bits(8);
1e6c77c3 821 secp256k1_scalar_set_int(&b, 1);
52132078 822 CHECK(secp256k1_scalar_is_one(&b));
bf2e1ac7 823 for (i = 0; i < bit; i++) {
52132078
PW		 824 secp256k1_scalar_add(&b, &b, &b);
825 }
bf2e1ac7
GM		 826 r1 = s1;
827 r2 = s1;
29ae1310 828 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
52132078 829 /* No overflow happened. */
ed35d43a
AP		 830 secp256k1_scalar_cadd_bit(&r2, bit, 1);
831 CHECK(secp256k1_scalar_eq(&r1, &r2));
832 /* cadd is a noop when flag is zero */
833 secp256k1_scalar_cadd_bit(&r2, bit, 0);
52132078
PW		 834 CHECK(secp256k1_scalar_eq(&r1, &r2));
835 }
836 }
837
79359302 838 {
71712b27 839 /* Test commutativity of mul. */
dd891e0e 840 secp256k1_scalar r1, r2;
79359302
PW		 841 secp256k1_scalar_mul(&r1, &s1, &s2);
842 secp256k1_scalar_mul(&r2, &s2, &s1);
843 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 844 }
845
846 {
71712b27 847 /* Test associativity of add. */
dd891e0e 848 secp256k1_scalar r1, r2;
79359302
PW		 849 secp256k1_scalar_add(&r1, &s1, &s2);
850 secp256k1_scalar_add(&r1, &r1, &s);
851 secp256k1_scalar_add(&r2, &s2, &s);
852 secp256k1_scalar_add(&r2, &s1, &r2);
853 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 854 }
855
856 {
71712b27 857 /* Test associativity of mul. */
dd891e0e 858 secp256k1_scalar r1, r2;
79359302
PW		 859 secp256k1_scalar_mul(&r1, &s1, &s2);
860 secp256k1_scalar_mul(&r1, &r1, &s);
861 secp256k1_scalar_mul(&r2, &s2, &s);
862 secp256k1_scalar_mul(&r2, &s1, &r2);
863 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 864 }
865
866 {
71712b27 867 /* Test distributitivity of mul over add. */
dd891e0e 868 secp256k1_scalar r1, r2, t;
79359302
PW		 869 secp256k1_scalar_add(&r1, &s1, &s2);
870 secp256k1_scalar_mul(&r1, &r1, &s);
871 secp256k1_scalar_mul(&r2, &s1, &s);
872 secp256k1_scalar_mul(&t, &s2, &s);
873 secp256k1_scalar_add(&r2, &r2, &t);
874 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302 875 }
1d52a8b1
PW		 876
877 {
71712b27 878 /* Test square. */
dd891e0e 879 secp256k1_scalar r1, r2;
1d52a8b1
PW		 880 secp256k1_scalar_sqr(&r1, &s1);
881 secp256k1_scalar_mul(&r2, &s1, &s1);
882 CHECK(secp256k1_scalar_eq(&r1, &r2));
883 }
ff8746d4 884
8d11164b
GM		 885 {
886 /* Test multiplicative identity. */
dd891e0e 887 secp256k1_scalar r1, v1;
8d11164b
GM		 888 secp256k1_scalar_set_int(&v1,1);
889 secp256k1_scalar_mul(&r1, &s1, &v1);
890 CHECK(secp256k1_scalar_eq(&r1, &s1));
891 }
892
893 {
894 /* Test additive identity. */
dd891e0e 895 secp256k1_scalar r1, v0;
8d11164b
GM		 896 secp256k1_scalar_set_int(&v0,0);
897 secp256k1_scalar_add(&r1, &s1, &v0);
898 CHECK(secp256k1_scalar_eq(&r1, &s1));
899 }
900
901 {
902 /* Test zero product property. */
dd891e0e 903 secp256k1_scalar r1, v0;
8d11164b
GM		 904 secp256k1_scalar_set_int(&v0,0);
905 secp256k1_scalar_mul(&r1, &s1, &v0);
906 CHECK(secp256k1_scalar_eq(&r1, &v0));
907 }
908
79359302
PW		 909}
910
911void run_scalar_tests(void) {
bf2e1ac7
GM		 912 int i;
913 for (i = 0; i < 128 * count; i++) {
79359302
PW		 914 scalar_test();
915 }
659b554d
PW		 916
917 {
ee3eb4be 918 /* (-1)+1 should be zero. */
dd891e0e 919 secp256k1_scalar s, o;
659b554d 920 secp256k1_scalar_set_int(&s, 1);
8d11164b 921 CHECK(secp256k1_scalar_is_one(&s));
659b554d
PW		 922 secp256k1_scalar_negate(&o, &s);
923 secp256k1_scalar_add(&o, &o, &s);
924 CHECK(secp256k1_scalar_is_zero(&o));
8d11164b
GM		 925 secp256k1_scalar_negate(&o, &o);
926 CHECK(secp256k1_scalar_is_zero(&o));
659b554d
PW		 927 }
928
597128d3 929#ifndef USE_NUM_NONE
659b554d 930 {
ee3eb4be 931 /* A scalar with value of the curve order should be 0. */
dd891e0e
PW		 932 secp256k1_num order;
933 secp256k1_scalar zero;
bf2e1ac7 934 unsigned char bin[32];
659b554d 935 int overflow = 0;
bf2e1ac7
GM		 936 secp256k1_scalar_order_get_num(&order);
937 secp256k1_num_get_bin(bin, 32, &order);
659b554d
PW		 938 secp256k1_scalar_set_b32(&zero, bin, &overflow);
939 CHECK(overflow == 1);
940 CHECK(secp256k1_scalar_is_zero(&zero));
941 }
597128d3 942#endif
26abce75
GM		 943
944 {
945 /* Does check_overflow check catch all ones? */
946 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
947 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
948 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
949 );
950 CHECK(secp256k1_scalar_check_overflow(&overflowed));
951 }
952
953 {
954 /* Static test vectors.
269d4227 955 * These were reduced from ~10^12 random vectors based on comparison-decision
26abce75
GM		 956 * and edge-case coverage on 32-bit and 64-bit implementations.
957 * The responses were generated with Sage 5.9.
958 */
959 secp256k1_scalar x;
960 secp256k1_scalar y;
961 secp256k1_scalar z;
962 secp256k1_scalar zz;
963 secp256k1_scalar one;
964 secp256k1_scalar r1;
965 secp256k1_scalar r2;
966#if defined(USE_SCALAR_INV_NUM)
967 secp256k1_scalar zzv;
968#endif
969 int overflow;
093a497a 970 unsigned char chal[33][2][32] = {
26abce75
GM		 971 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
972 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
973 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
974 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
975 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
976 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
977 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
978 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
979 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
980 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
981 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
982 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
983 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
984 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
985 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
986 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
987 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
988 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
989 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
990 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
991 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
992 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
993 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
994 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
995 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
996 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
997 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
998 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
999 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1000 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1001 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1002 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1003 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1004 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1005 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1006 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1007 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1008 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1009 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1010 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1011 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1012 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1013 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1014 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1015 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1016 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1017 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1018 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1019 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1020 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1021 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1022 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1023 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1024 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1025 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1026 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1027 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1028 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1029 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1030 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1031 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1032 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1033 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1034 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1035 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1036 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1037 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1038 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1039 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1040 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1041 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1042 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1043 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1044 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1045 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1046 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1047 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1048 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1049 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1050 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1051 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1052 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1053 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1054 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1055 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1056 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1057 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1058 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1059 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1060 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1061 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1062 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1063 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1064 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1065 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1066 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1067 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1068 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1069 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1070 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1071 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1072 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1073 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1074 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1075 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1076 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1077 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1078 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1079 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1080 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1081 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1082 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1083 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1084 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1085 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1086 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1087 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1088 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1089 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1090 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1091 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1092 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1093 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1094 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1095 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1096 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1097 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1098 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1099 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1100 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1101 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1102 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1103 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1104 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1105 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1106 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1107 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1108 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1109 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1110 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1111 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1112 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1113 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1114 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1115 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1116 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1117 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1118 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1119 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1120 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1121 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1122 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1123 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1124 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1125 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1126 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1127 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1128 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1129 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1130 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1131 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1132 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1133 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1134 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1135 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1136 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1137 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1138 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1139 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1140 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1141 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1142 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1143 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1144 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1145 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1146 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1147 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1148 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1149 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1150 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1151 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1152 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1153 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1154 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1155 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1156 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1157 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1158 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1159 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1160 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1161 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1162 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1163 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1164 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1165 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1166 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1167 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1168 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1169 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1170 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1171 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1172 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1173 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1174 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1175 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1176 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1177 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1178 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1179 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1180 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1181 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1182 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1183 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1184 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1185 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1186 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1187 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1188 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1189 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1190 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1191 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1192 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1193 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1194 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1195 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1196 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1197 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1198 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1199 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1200 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1201 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1202 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1203 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1204 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1205 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1206 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1207 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1208 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1209 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1210 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1211 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1212 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1213 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1214 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1215 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1216 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1217 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1218 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1219 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1220 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1221 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1222 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1223 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1224 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1225 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
093a497a
JN		 1226 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1227 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1228 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1229 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1230 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1231 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1232 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1233 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1234 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
26abce75 1235 };
093a497a 1236 unsigned char res[33][2][32] = {
26abce75
GM		 1237 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1238 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1239 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1240 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1241 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1242 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1243 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1244 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1245 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1246 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1247 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1248 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1249 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1250 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1251 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1252 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1253 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1254 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1255 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1256 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1257 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1258 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1259 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1260 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1261 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1262 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1263 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1264 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1265 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1266 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1267 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1268 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1269 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1270 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1271 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1272 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1273 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1274 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1275 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1276 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1277 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1278 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1279 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1280 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1281 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1282 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1283 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1284 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1285 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1286 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1287 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1288 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1289 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1290 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1291 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1292 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1293 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1294 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1295 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1296 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1297 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1298 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1299 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1300 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1301 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1302 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1303 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1304 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1305 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1306 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1307 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1308 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1309 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1310 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1311 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1312 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1313 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1314 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1315 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1316 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1317 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1318 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1319 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1320 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1321 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1322 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1323 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1324 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1325 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1326 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1327 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1328 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1329 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1330 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1331 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1332 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1333 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1334 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1335 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1336 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1337 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1338 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1339 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1340 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1341 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1342 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1343 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1344 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1345 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1346 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1347 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1348 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1349 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1350 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1351 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1352 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1353 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1354 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1355 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1356 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1357 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1358 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1359 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1360 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1361 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1362 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1363 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1364 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1365 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1366 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1367 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1368 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1369 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1370 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1371 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1372 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1373 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1374 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1375 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1376 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1377 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1378 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1379 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1380 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1381 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1382 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1383 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1384 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1385 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1386 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1387 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1388 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1389 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1390 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1391 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1392 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1393 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1394 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1395 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1396 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1397 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1398 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1399 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1400 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1401 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1402 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1403 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1404 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1405 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1406 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1407 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1408 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1409 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1410 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1411 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1412 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1413 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1414 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1415 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1416 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1417 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1418 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1419 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1420 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1421 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1422 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1423 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1424 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1425 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1426 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1427 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1428 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1429 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1430 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1431 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1432 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1433 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1434 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1435 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1436 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1437 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1438 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1439 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1440 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1441 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1442 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1443 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1444 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1445 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1446 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1447 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1448 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1449 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1450 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1451 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1452 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1453 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1454 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1455 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1456 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1457 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1458 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1459 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1460 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1461 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1462 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1463 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1464 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1465 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1466 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1467 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1468 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1469 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1470 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1471 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1472 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1473 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1474 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1475 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1476 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1477 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1478 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1479 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1480 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1481 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1482 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1483 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1484 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1485 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1486 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1487 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1488 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1489 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1490 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1491 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
093a497a
JN		 1492 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1493 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1494 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1495 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1496 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1497 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1498 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1499 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1500 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
26abce75
GM		 1501 };
1502 secp256k1_scalar_set_int(&one, 1);
093a497a 1503 for (i = 0; i < 33; i++) {
26abce75
GM		 1504 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1505 CHECK(!overflow);
1506 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1507 CHECK(!overflow);
1508 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1509 CHECK(!overflow);
1510 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1511 CHECK(!overflow);
1512 secp256k1_scalar_mul(&z, &x, &y);
1513 CHECK(!secp256k1_scalar_check_overflow(&z));
1514 CHECK(secp256k1_scalar_eq(&r1, &z));
1515 if (!secp256k1_scalar_is_zero(&y)) {
1516 secp256k1_scalar_inverse(&zz, &y);
1517 CHECK(!secp256k1_scalar_check_overflow(&zz));
1518#if defined(USE_SCALAR_INV_NUM)
1519 secp256k1_scalar_inverse_var(&zzv, &y);
1520 CHECK(secp256k1_scalar_eq(&zzv, &zz));
1521#endif
1522 secp256k1_scalar_mul(&z, &z, &zz);
1523 CHECK(!secp256k1_scalar_check_overflow(&z));
1524 CHECK(secp256k1_scalar_eq(&x, &z));
1525 secp256k1_scalar_mul(&zz, &zz, &y);
1526 CHECK(!secp256k1_scalar_check_overflow(&zz));
1527 CHECK(secp256k1_scalar_eq(&one, &zz));
1528 }
1529 secp256k1_scalar_mul(&z, &x, &x);
1530 CHECK(!secp256k1_scalar_check_overflow(&z));
1531 secp256k1_scalar_sqr(&zz, &x);
1532 CHECK(!secp256k1_scalar_check_overflow(&zz));
1533 CHECK(secp256k1_scalar_eq(&zz, &z));
1534 CHECK(secp256k1_scalar_eq(&r2, &zz));
1535 }
1536 }
79359302
PW		 1537}
1538
09ca4f32
PD		 1539/***** FIELD TESTS *****/
1540
dd891e0e 1541void random_fe(secp256k1_fe *x) {
09ca4f32 1542 unsigned char bin[32];
d907ebc0
PW		 1543 do {
1544 secp256k1_rand256(bin);
1545 if (secp256k1_fe_set_b32(x, bin)) {
1546 return;
1547 }
1548 } while(1);
09ca4f32
PD		 1549}
1550
64666251
PW		 1551void random_fe_test(secp256k1_fe *x) {
1552 unsigned char bin[32];
1553 do {
1554 secp256k1_rand256_test(bin);
1555 if (secp256k1_fe_set_b32(x, bin)) {
1556 return;
1557 }
1558 } while(1);
1559}
1560
dd891e0e 1561void random_fe_non_zero(secp256k1_fe *nz) {
6d6102fe 1562 int tries = 10;
09ca4f32 1563 while (--tries >= 0) {
6d6102fe
PD		 1564 random_fe(nz);
1565 secp256k1_fe_normalize(nz);
26320197 1566 if (!secp256k1_fe_is_zero(nz)) {
09ca4f32 1567 break;
26320197 1568 }
09ca4f32 1569 }
71712b27 1570 /* Infinitesimal probability of spurious failure here */
0592d117 1571 CHECK(tries >= 0);
09ca4f32
PD		 1572}
1573
dd891e0e
PW		 1574void random_fe_non_square(secp256k1_fe *ns) {
1575 secp256k1_fe r;
bf2e1ac7 1576 random_fe_non_zero(ns);
926836ad 1577 if (secp256k1_fe_sqrt(&r, ns)) {
6d6102fe
PD		 1578 secp256k1_fe_negate(ns, ns, 1);
1579 }
1580}
1581
dd891e0e
PW		 1582int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1583 secp256k1_fe an = *a;
1584 secp256k1_fe bn = *b;
bf2e1ac7
GM		 1585 secp256k1_fe_normalize_weak(&an);
1586 secp256k1_fe_normalize_var(&bn);
d7174edf 1587 return secp256k1_fe_equal_var(&an, &bn);
f16be77f
PD		 1588}
1589
dd891e0e
PW		 1590int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) {
1591 secp256k1_fe x;
1592 secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
bf2e1ac7 1593 secp256k1_fe_mul(&x, a, ai);
f16be77f
PD		 1594 return check_fe_equal(&x, &one);
1595}
1596
ff889f7d
PW		 1597void run_field_convert(void) {
1598 static const unsigned char b32[32] = {
1599 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1600 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1601 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1602 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1603 };
dd891e0e 1604 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
ff889f7d
PW		 1605 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1606 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1607 );
dd891e0e 1608 static const secp256k1_fe fe = SECP256K1_FE_CONST(
ff889f7d
PW		 1609 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1610 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1611 );
dd891e0e 1612 secp256k1_fe fe2;
ff889f7d 1613 unsigned char b322[32];
dd891e0e 1614 secp256k1_fe_storage fes2;
ff889f7d
PW		 1615 /* Check conversions to fe. */
1616 CHECK(secp256k1_fe_set_b32(&fe2, b32));
1617 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
ff889f7d
PW		 1618 secp256k1_fe_from_storage(&fe2, &fes);
1619 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1620 /* Check conversion from fe. */
1621 secp256k1_fe_get_b32(b322, &fe);
1622 CHECK(memcmp(b322, b32, 32) == 0);
ff889f7d
PW		 1623 secp256k1_fe_to_storage(&fes2, &fe);
1624 CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0);
1625}
1626
dd891e0e
PW		 1627int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b) {
1628 secp256k1_fe t = *b;
a0601cd7
PD		 1629#ifdef VERIFY
1630 t.magnitude = a->magnitude;
1631 t.normalized = a->normalized;
1632#endif
dd891e0e 1633 return memcmp(a, &t, sizeof(secp256k1_fe));
a0601cd7
PD		 1634}
1635
8d11164b 1636void run_field_misc(void) {
dd891e0e
PW		 1637 secp256k1_fe x;
1638 secp256k1_fe y;
1639 secp256k1_fe z;
1640 secp256k1_fe q;
1641 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
3f3964e4 1642 int i, j;
bf2e1ac7 1643 for (i = 0; i < 5*count; i++) {
dd891e0e 1644 secp256k1_fe_storage xs, ys, zs;
8d11164b
GM		 1645 random_fe(&x);
1646 random_fe_non_zero(&y);
1647 /* Test the fe equality and comparison operations. */
1648 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
d7174edf 1649 CHECK(secp256k1_fe_equal_var(&x, &x));
8d11164b
GM		 1650 z = x;
1651 secp256k1_fe_add(&z,&y);
9c4fb23d
GM		 1652 /* Test fe conditional move; z is not normalized here. */
1653 q = x;
1654 secp256k1_fe_cmov(&x, &z, 0);
3f3964e4 1655 VERIFY_CHECK(!x.normalized && x.magnitude == z.magnitude);
9c4fb23d 1656 secp256k1_fe_cmov(&x, &x, 1);
a0601cd7
PD		 1657 CHECK(fe_memcmp(&x, &z) != 0);
1658 CHECK(fe_memcmp(&x, &q) == 0);
9c4fb23d 1659 secp256k1_fe_cmov(&q, &z, 1);
3f3964e4 1660 VERIFY_CHECK(!q.normalized && q.magnitude == z.magnitude);
a0601cd7 1661 CHECK(fe_memcmp(&q, &z) == 0);
a0601cd7
PD		 1662 secp256k1_fe_normalize_var(&x);
1663 secp256k1_fe_normalize_var(&z);
9c4fb23d 1664 CHECK(!secp256k1_fe_equal_var(&x, &z));
3f3964e4
PD		 1665 secp256k1_fe_normalize_var(&q);
1666 secp256k1_fe_cmov(&q, &z, (i&1));
1667 VERIFY_CHECK(q.normalized && q.magnitude == 1);
1668 for (j = 0; j < 6; j++) {
1669 secp256k1_fe_negate(&z, &z, j+1);
1670 secp256k1_fe_normalize_var(&q);
1671 secp256k1_fe_cmov(&q, &z, (j&1));
1672 VERIFY_CHECK(!q.normalized && q.magnitude == (j+2));
1673 }
1674 secp256k1_fe_normalize_var(&z);
1675 /* Test storage conversion and conditional moves. */
fcc48c45
PW		 1676 secp256k1_fe_to_storage(&xs, &x);
1677 secp256k1_fe_to_storage(&ys, &y);
1678 secp256k1_fe_to_storage(&zs, &z);
1679 secp256k1_fe_storage_cmov(&zs, &xs, 0);
9c4fb23d 1680 secp256k1_fe_storage_cmov(&zs, &zs, 1);
fcc48c45
PW		 1681 CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0);
1682 secp256k1_fe_storage_cmov(&ys, &xs, 1);
1683 CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0);
1684 secp256k1_fe_from_storage(&x, &xs);
1685 secp256k1_fe_from_storage(&y, &ys);
1686 secp256k1_fe_from_storage(&z, &zs);
8d11164b
GM		 1687 /* Test that mul_int, mul, and add agree. */
1688 secp256k1_fe_add(&y, &x);
1689 secp256k1_fe_add(&y, &x);
1690 z = x;
1691 secp256k1_fe_mul_int(&z, 3);
1692 CHECK(check_fe_equal(&y, &z));
1693 secp256k1_fe_add(&y, &x);
1694 secp256k1_fe_add(&z, &x);
1695 CHECK(check_fe_equal(&z, &y));
1696 z = x;
1697 secp256k1_fe_mul_int(&z, 5);
1698 secp256k1_fe_mul(&q, &x, &fe5);
1699 CHECK(check_fe_equal(&z, &q));
1700 secp256k1_fe_negate(&x, &x, 1);
1701 secp256k1_fe_add(&z, &x);
1702 secp256k1_fe_add(&q, &x);
1703 CHECK(check_fe_equal(&y, &z));
1704 CHECK(check_fe_equal(&q, &y));
1705 }
1706}
1707
2cad067a 1708void run_field_inv(void) {
dd891e0e 1709 secp256k1_fe x, xi, xii;
bf2e1ac7
GM		 1710 int i;
1711 for (i = 0; i < 10*count; i++) {
f16be77f
PD		 1712 random_fe_non_zero(&x);
1713 secp256k1_fe_inv(&xi, &x);
1714 CHECK(check_fe_inverse(&x, &xi));
1715 secp256k1_fe_inv(&xii, &xi);
1716 CHECK(check_fe_equal(&x, &xii));
1717 }
1718}
1719
2cad067a 1720void run_field_inv_var(void) {
dd891e0e 1721 secp256k1_fe x, xi, xii;
bf2e1ac7
GM		 1722 int i;
1723 for (i = 0; i < 10*count; i++) {
f16be77f
PD		 1724 random_fe_non_zero(&x);
1725 secp256k1_fe_inv_var(&xi, &x);
1726 CHECK(check_fe_inverse(&x, &xi));
1727 secp256k1_fe_inv_var(&xii, &xi);
1728 CHECK(check_fe_equal(&x, &xii));
1729 }
1730}
1731
2cad067a 1732void run_field_inv_all_var(void) {
dd891e0e 1733 secp256k1_fe x[16], xi[16], xii[16];
bf2e1ac7 1734 int i;
71712b27 1735 /* Check it's safe to call for 0 elements */
7d893f49 1736 secp256k1_fe_inv_all_var(xi, x, 0);
bf2e1ac7
GM		 1737 for (i = 0; i < count; i++) {
1738 size_t j;
fa57f1bd 1739 size_t len = secp256k1_rand_int(15) + 1;
26320197 1740 for (j = 0; j < len; j++) {
f16be77f 1741 random_fe_non_zero(&x[j]);
26320197 1742 }
7d893f49 1743 secp256k1_fe_inv_all_var(xi, x, len);
26320197 1744 for (j = 0; j < len; j++) {
f16be77f 1745 CHECK(check_fe_inverse(&x[j], &xi[j]));
26320197 1746 }
7d893f49 1747 secp256k1_fe_inv_all_var(xii, xi, len);
26320197 1748 for (j = 0; j < len; j++) {
f16be77f 1749 CHECK(check_fe_equal(&x[j], &xii[j]));
26320197 1750 }
f16be77f
PD		 1751 }
1752}
1753
2cad067a 1754void run_sqr(void) {
dd891e0e 1755 secp256k1_fe x, s;
59447da3 1756
59447da3 1757 {
bf2e1ac7 1758 int i;
59447da3
PD		 1759 secp256k1_fe_set_int(&x, 1);
1760 secp256k1_fe_negate(&x, &x, 1);
1761
bf2e1ac7 1762 for (i = 1; i <= 512; ++i) {
59447da3
PD		 1763 secp256k1_fe_mul_int(&x, 2);
1764 secp256k1_fe_normalize(&x);
1765 secp256k1_fe_sqr(&s, &x);
59447da3
PD		 1766 }
1767 }
59447da3
PD		 1768}
1769
dd891e0e
PW		 1770void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
1771 secp256k1_fe r1, r2;
926836ad 1772 int v = secp256k1_fe_sqrt(&r1, a);
0592d117 1773 CHECK((v == 0) == (k == NULL));
09ca4f32
PD		 1774
1775 if (k != NULL) {
71712b27 1776 /* Check that the returned root is +/- the given known answer */
09ca4f32
PD		 1777 secp256k1_fe_negate(&r2, &r1, 1);
1778 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
1779 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
0592d117 1780 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
09ca4f32
PD		 1781 }
1782}
1783
2cad067a 1784void run_sqrt(void) {
dd891e0e 1785 secp256k1_fe ns, x, s, t;
bf2e1ac7 1786 int i;
6d6102fe 1787
71712b27 1788 /* Check sqrt(0) is 0 */
6d6102fe
PD		 1789 secp256k1_fe_set_int(&x, 0);
1790 secp256k1_fe_sqr(&s, &x);
1791 test_sqrt(&s, &x);
1792
71712b27 1793 /* Check sqrt of small squares (and their negatives) */
bf2e1ac7 1794 for (i = 1; i <= 100; i++) {
6d6102fe 1795 secp256k1_fe_set_int(&x, i);
09ca4f32
PD		 1796 secp256k1_fe_sqr(&s, &x);
1797 test_sqrt(&s, &x);
6d6102fe 1798 secp256k1_fe_negate(&t, &s, 1);
09ca4f32
PD		 1799 test_sqrt(&t, NULL);
1800 }
6d6102fe 1801
71712b27 1802 /* Consistency checks for large random values */
bf2e1ac7
GM		 1803 for (i = 0; i < 10; i++) {
1804 int j;
6d6102fe 1805 random_fe_non_square(&ns);
bf2e1ac7 1806 for (j = 0; j < count; j++) {
6d6102fe
PD		 1807 random_fe(&x);
1808 secp256k1_fe_sqr(&s, &x);
1809 test_sqrt(&s, &x);
1810 secp256k1_fe_negate(&t, &s, 1);
1811 test_sqrt(&t, NULL);
1812 secp256k1_fe_mul(&t, &s, &ns);
1813 test_sqrt(&t, NULL);
1814 }
1815 }
09ca4f32
PD		 1816}
1817
9338dbf7
PW		 1818/***** GROUP TESTS *****/
1819
dd891e0e 1820void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
60571c6e 1821 CHECK(a->infinity == b->infinity);
26320197 1822 if (a->infinity) {
60571c6e 1823 return;
26320197 1824 }
60571c6e 1825 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
baa75da5 1826 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
9338dbf7
PW		 1827}
1828
d2275795 1829/* This compares jacobian points including their Z, not just their geometric meaning. */
dd891e0e
PW		 1830int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
1831 secp256k1_gej a2;
1832 secp256k1_gej b2;
d2275795
GM		 1833 int ret = 1;
1834 ret &= a->infinity == b->infinity;
1835 if (ret && !a->infinity) {
1836 a2 = *a;
1837 b2 = *b;
1838 secp256k1_fe_normalize(&a2.x);
1839 secp256k1_fe_normalize(&a2.y);
1840 secp256k1_fe_normalize(&a2.z);
1841 secp256k1_fe_normalize(&b2.x);
1842 secp256k1_fe_normalize(&b2.y);
1843 secp256k1_fe_normalize(&b2.z);
1844 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
1845 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
1846 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
1847 }
1848 return ret;
1849}
1850
dd891e0e
PW		 1851void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
1852 secp256k1_fe z2s;
1853 secp256k1_fe u1, u2, s1, s2;
60571c6e 1854 CHECK(a->infinity == b->infinity);
26320197 1855 if (a->infinity) {
60571c6e 1856 return;
26320197 1857 }
60571c6e 1858 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
60571c6e 1859 secp256k1_fe_sqr(&z2s, &b->z);
60571c6e
PW		 1860 secp256k1_fe_mul(&u1, &a->x, &z2s);
1861 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
1862 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
1863 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
1864 CHECK(secp256k1_fe_equal_var(&u1, &u2));
1865 CHECK(secp256k1_fe_equal_var(&s1, &s2));
9338dbf7
PW		 1866}
1867
2cad067a 1868void test_ge(void) {
bf2e1ac7 1869 int i, i1;
76574202
PW		 1870#ifdef USE_ENDOMORPHISM
1871 int runs = 6;
1872#else
60571c6e 1873 int runs = 4;
76574202 1874#endif
60571c6e
PW		 1875 /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
1876 * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
1877 * All magnitudes are randomized.
269d4227 1878 * All 17*17 combinations of points are added to each other, using all applicable methods.
76574202
PW		 1879 *
1880 * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well.
60571c6e 1881 */
dd891e0e
PW		 1882 secp256k1_ge *ge = (secp256k1_ge *)malloc(sizeof(secp256k1_ge) * (1 + 4 * runs));
1883 secp256k1_gej *gej = (secp256k1_gej *)malloc(sizeof(secp256k1_gej) * (1 + 4 * runs));
1884 secp256k1_fe *zinv = (secp256k1_fe *)malloc(sizeof(secp256k1_fe) * (1 + 4 * runs));
1885 secp256k1_fe zf;
1886 secp256k1_fe zfi2, zfi3;
4f9791ab 1887
60571c6e
PW		 1888 secp256k1_gej_set_infinity(&gej[0]);
1889 secp256k1_ge_clear(&ge[0]);
1890 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
bf2e1ac7
GM		 1891 for (i = 0; i < runs; i++) {
1892 int j;
dd891e0e 1893 secp256k1_ge g;
60571c6e 1894 random_group_element_test(&g);
76574202
PW		 1895#ifdef USE_ENDOMORPHISM
1896 if (i >= runs - 2) {
1897 secp256k1_ge_mul_lambda(&g, &ge[1]);
1898 }
1899 if (i >= runs - 1) {
1900 secp256k1_ge_mul_lambda(&g, &g);
1901 }
1902#endif
60571c6e
PW		 1903 ge[1 + 4 * i] = g;
1904 ge[2 + 4 * i] = g;
1905 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
1906 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
1907 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
1908 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
1909 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
1910 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
bf2e1ac7 1911 for (j = 0; j < 4; j++) {
60571c6e
PW		 1912 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
1913 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
1914 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
1915 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
1916 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
1917 }
1918 }
1919
4f9791ab
PD		 1920 /* Compute z inverses. */
1921 {
dd891e0e 1922 secp256k1_fe *zs = malloc(sizeof(secp256k1_fe) * (1 + 4 * runs));
4f9791ab
PD		 1923 for (i = 0; i < 4 * runs + 1; i++) {
1924 if (i == 0) {
1925 /* The point at infinity does not have a meaningful z inverse. Any should do. */
1926 do {
1927 random_field_element_test(&zs[i]);
1928 } while(secp256k1_fe_is_zero(&zs[i]));
1929 } else {
1930 zs[i] = gej[i].z;
1931 }
1932 }
7d893f49 1933 secp256k1_fe_inv_all_var(zinv, zs, 4 * runs + 1);
4f9791ab
PD		 1934 free(zs);
1935 }
1936
1937 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
1938 do {
1939 random_field_element_test(&zf);
1940 } while(secp256k1_fe_is_zero(&zf));
1941 random_field_element_magnitude(&zf);
1942 secp256k1_fe_inv_var(&zfi3, &zf);
1943 secp256k1_fe_sqr(&zfi2, &zfi3);
1944 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
1945
bf2e1ac7
GM		 1946 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
1947 int i2;
1948 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
60571c6e 1949 /* Compute reference result using gej + gej (var). */
dd891e0e
PW		 1950 secp256k1_gej refj, resj;
1951 secp256k1_ge ref;
1952 secp256k1_fe zr;
4f9791ab
PD		 1953 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
1954 /* Check Z ratio. */
1955 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
dd891e0e 1956 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
4f9791ab
PD		 1957 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
1958 }
60571c6e
PW		 1959 secp256k1_ge_set_gej_var(&ref, &refj);
1960
2d5a186c
PD		 1961 /* Test gej + ge with Z ratio result (var). */
1962 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
60571c6e 1963 ge_equals_gej(&ref, &resj);
2d5a186c 1964 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
dd891e0e 1965 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2d5a186c
PD		 1966 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
1967 }
60571c6e 1968
4f9791ab
PD		 1969 /* Test gej + ge (var, with additional Z factor). */
1970 {
dd891e0e 1971 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
4f9791ab
PD		 1972 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
1973 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
1974 random_field_element_magnitude(&ge2_zfi.x);
1975 random_field_element_magnitude(&ge2_zfi.y);
1976 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
1977 ge_equals_gej(&ref, &resj);
1978 }
1979
60571c6e
PW		 1980 /* Test gej + ge (const). */
1981 if (i2 != 0) {
1982 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
1983 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
1984 ge_equals_gej(&ref, &resj);
1985 }
1986
1987 /* Test doubling (var). */
1988 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
dd891e0e 1989 secp256k1_fe zr2;
4f9791ab
PD		 1990 /* Normal doubling with Z ratio result. */
1991 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
60571c6e 1992 ge_equals_gej(&ref, &resj);
4f9791ab
PD		 1993 /* Check Z ratio. */
1994 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
1995 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
1996 /* Normal doubling. */
1997 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
60571c6e
PW		 1998 ge_equals_gej(&ref, &resj);
1999 }
2000
2001 /* Test adding opposites. */
2002 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2003 CHECK(secp256k1_ge_is_infinity(&ref));
2004 }
2005
2006 /* Test adding infinity. */
2007 if (i1 == 0) {
2008 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2009 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2010 ge_equals_gej(&ref, &gej[i2]);
2011 }
2012 if (i2 == 0) {
2013 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2014 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2015 ge_equals_gej(&ref, &gej[i1]);
2016 }
2017 }
2018 }
2019
9ab93355
PW		 2020 /* Test adding all points together in random order equals infinity. */
2021 {
dd891e0e
PW		 2022 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
2023 secp256k1_gej *gej_shuffled = (secp256k1_gej *)malloc((4 * runs + 1) * sizeof(secp256k1_gej));
bf2e1ac7 2024 for (i = 0; i < 4 * runs + 1; i++) {
9ab93355
PW		 2025 gej_shuffled[i] = gej[i];
2026 }
bf2e1ac7 2027 for (i = 0; i < 4 * runs + 1; i++) {
fa57f1bd 2028 int swap = i + secp256k1_rand_int(4 * runs + 1 - i);
9ab93355 2029 if (swap != i) {
dd891e0e 2030 secp256k1_gej t = gej_shuffled[i];
9ab93355
PW		 2031 gej_shuffled[i] = gej_shuffled[swap];
2032 gej_shuffled[swap] = t;
2033 }
2034 }
bf2e1ac7 2035 for (i = 0; i < 4 * runs + 1; i++) {
4f9791ab 2036 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
9ab93355
PW		 2037 }
2038 CHECK(secp256k1_gej_is_infinity(&sum));
2039 free(gej_shuffled);
2040 }
2041
4f9791ab 2042 /* Test batch gej -> ge conversion with and without known z ratios. */
60571c6e 2043 {
dd891e0e
PW		 2044 secp256k1_fe *zr = (secp256k1_fe *)malloc((4 * runs + 1) * sizeof(secp256k1_fe));
2045 secp256k1_ge *ge_set_table = (secp256k1_ge *)malloc((4 * runs + 1) * sizeof(secp256k1_ge));
2046 secp256k1_ge *ge_set_all = (secp256k1_ge *)malloc((4 * runs + 1) * sizeof(secp256k1_ge));
4f9791ab
PD		 2047 for (i = 0; i < 4 * runs + 1; i++) {
2048 /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
2049 if (i < 4 * runs) {
2050 secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
2051 }
2052 }
353c1bf0 2053 secp256k1_ge_set_table_gej_var(ge_set_table, gej, zr, 4 * runs + 1);
541b7839 2054 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1, &ctx->error_callback);
bf2e1ac7 2055 for (i = 0; i < 4 * runs + 1; i++) {
dd891e0e 2056 secp256k1_fe s;
d2275795
GM		 2057 random_fe_non_zero(&s);
2058 secp256k1_gej_rescale(&gej[i], &s);
4f9791ab 2059 ge_equals_gej(&ge_set_table[i], &gej[i]);
60571c6e
PW		 2060 ge_equals_gej(&ge_set_all[i], &gej[i]);
2061 }
4f9791ab 2062 free(ge_set_table);
60571c6e 2063 free(ge_set_all);
4f9791ab 2064 free(zr);
60571c6e
PW		 2065 }
2066
2067 free(ge);
2068 free(gej);
4f9791ab 2069 free(zinv);
9338dbf7
PW		 2070}
2071
8c5d5f7b
AP		 2072void test_add_neg_y_diff_x(void) {
2073 /* The point of this test is to check that we can add two points
2074 * whose y-coordinates are negatives of each other but whose x
2075 * coordinates differ. If the x-coordinates were the same, these
2076 * points would be negatives of each other and their sum is
2077 * infinity. This is cool because it "covers up" any degeneracy
2078 * in the addition algorithm that would cause the xy coordinates
2079 * of the sum to be wrong (since infinity has no xy coordinates).
2080 * HOWEVER, if the x-coordinates are different, infinity is the
2081 * wrong answer, and such degeneracies are exposed. This is the
faa2a11c
M		 2082 * root of https://github.com/bitcoin-core/secp256k1/issues/257
2083 * which this test is a regression test for.
8c5d5f7b
AP		 2084 *
2085 * These points were generated in sage as
2086 * # secp256k1 params
2087 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2088 * C = EllipticCurve ([F (0), F (7)])
2089 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2090 * N = FiniteField(G.order())
2091 *
2092 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2093 * x = polygen(N)
2094 * lam = (1 - x^3).roots()[1][0]
2095 *
2096 * # random "bad pair"
2097 * P = C.random_element()
2098 * Q = -int(lam) * P
2099 * print " P: %x %x" % P.xy()
2100 * print " Q: %x %x" % Q.xy()
2101 * print "P + Q: %x %x" % (P + Q).xy()
2102 */
dd891e0e 2103 secp256k1_gej aj = SECP256K1_GEJ_CONST(
8c5d5f7b
AP		 2104 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2105 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2106 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2107 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2108 );
dd891e0e 2109 secp256k1_gej bj = SECP256K1_GEJ_CONST(
8c5d5f7b
AP		 2110 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2111 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2112 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2113 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2114 );
dd891e0e 2115 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
8c5d5f7b
AP		 2116 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2117 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2118 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2119 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2120 );
dd891e0e
PW		 2121 secp256k1_ge b;
2122 secp256k1_gej resj;
2123 secp256k1_ge res;
8c5d5f7b
AP		 2124 secp256k1_ge_set_gej(&b, &bj);
2125
2126 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2127 secp256k1_ge_set_gej(&res, &resj);
2128 ge_equals_gej(&res, &sumj);
2129
2130 secp256k1_gej_add_ge(&resj, &aj, &b);
2131 secp256k1_ge_set_gej(&res, &resj);
2132 ge_equals_gej(&res, &sumj);
2133
2134 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2135 secp256k1_ge_set_gej(&res, &resj);
2136 ge_equals_gej(&res, &sumj);
2137}
2138
2cad067a 2139void run_ge(void) {
bf2e1ac7
GM		 2140 int i;
2141 for (i = 0; i < count * 32; i++) {
9338dbf7
PW		 2142 test_ge();
2143 }
8c5d5f7b 2144 test_add_neg_y_diff_x();
9338dbf7
PW		 2145}
2146
a5a66c70 2147void test_ec_combine(void) {
dd891e0e
PW		 2148 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2149 secp256k1_pubkey data[6];
2150 const secp256k1_pubkey* d[6];
2151 secp256k1_pubkey sd;
2152 secp256k1_pubkey sd2;
2153 secp256k1_gej Qj;
2154 secp256k1_ge Q;
a5a66c70
PW		 2155 int i;
2156 for (i = 1; i <= 6; i++) {
dd891e0e 2157 secp256k1_scalar s;
a5a66c70
PW		 2158 random_scalar_order_test(&s);
2159 secp256k1_scalar_add(&sum, &sum, &s);
2160 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2161 secp256k1_ge_set_gej(&Q, &Qj);
2162 secp256k1_pubkey_save(&data[i - 1], &Q);
2163 d[i - 1] = &data[i - 1];
2164 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2165 secp256k1_ge_set_gej(&Q, &Qj);
2166 secp256k1_pubkey_save(&sd, &Q);
dc0ce9fc 2167 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
a5a66c70
PW		 2168 CHECK(memcmp(&sd, &sd2, sizeof(sd)) == 0);
2169 }
2170}
2171
2172void run_ec_combine(void) {
2173 int i;
2174 for (i = 0; i < count * 8; i++) {
2175 test_ec_combine();
2176 }
2177}
2178
64666251
PW		 2179void test_group_decompress(const secp256k1_fe* x) {
2180 /* The input itself, normalized. */
2181 secp256k1_fe fex = *x;
e6e9805f 2182 secp256k1_fe fez;
64666251
PW		 2183 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2184 secp256k1_ge ge_quad, ge_even, ge_odd;
e6e9805f 2185 secp256k1_gej gej_quad;
64666251
PW		 2186 /* Return values of the above calls. */
2187 int res_quad, res_even, res_odd;
2188
2189 secp256k1_fe_normalize_var(&fex);
2190
926836ad 2191 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
64666251
PW		 2192 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2193 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2194
2195 CHECK(res_quad == res_even);
2196 CHECK(res_quad == res_odd);
2197
2198 if (res_quad) {
2199 secp256k1_fe_normalize_var(&ge_quad.x);
2200 secp256k1_fe_normalize_var(&ge_odd.x);
2201 secp256k1_fe_normalize_var(&ge_even.x);
2202 secp256k1_fe_normalize_var(&ge_quad.y);
2203 secp256k1_fe_normalize_var(&ge_odd.y);
2204 secp256k1_fe_normalize_var(&ge_even.y);
2205
2206 /* No infinity allowed. */
2207 CHECK(!ge_quad.infinity);
2208 CHECK(!ge_even.infinity);
2209 CHECK(!ge_odd.infinity);
2210
2211 /* Check that the x coordinates check out. */
2212 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2213 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2214 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2215
2216 /* Check that the Y coordinate result in ge_quad is a square. */
e6e9805f 2217 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
64666251
PW		 2218
2219 /* Check odd/even Y in ge_odd, ge_even. */
2220 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2221 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
e6e9805f
PW		 2222
2223 /* Check secp256k1_gej_has_quad_y_var. */
2224 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2225 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2226 do {
2227 random_fe_test(&fez);
2228 } while (secp256k1_fe_is_zero(&fez));
2229 secp256k1_gej_rescale(&gej_quad, &fez);
2230 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2231 secp256k1_gej_neg(&gej_quad, &gej_quad);
2232 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2233 do {
2234 random_fe_test(&fez);
2235 } while (secp256k1_fe_is_zero(&fez));
2236 secp256k1_gej_rescale(&gej_quad, &fez);
2237 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2238 secp256k1_gej_neg(&gej_quad, &gej_quad);
2239 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
64666251
PW		 2240 }
2241}
2242
2243void run_group_decompress(void) {
2244 int i;
2245 for (i = 0; i < count * 4; i++) {
2246 secp256k1_fe fe;
2247 random_fe_test(&fe);
2248 test_group_decompress(&fe);
2249 }
2250}
2251
09ca4f32
PD		 2252/***** ECMULT TESTS *****/
2253
2cad067a 2254void run_ecmult_chain(void) {
443cd4b8 2255 /* random starting point A (on the curve) */
dd891e0e 2256 secp256k1_gej a = SECP256K1_GEJ_CONST(
443cd4b8
PW		 2257 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2258 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2259 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2260 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2261 );
71712b27 2262 /* two random initial factors xn and gn */
dd891e0e 2263 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
443cd4b8
PW		 2264 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2265 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2266 );
dd891e0e 2267 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
443cd4b8
PW		 2268 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2269 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2270 );
71712b27 2271 /* two small multipliers to be applied to xn and gn in every iteration: */
dd891e0e
PW		 2272 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2273 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
71712b27 2274 /* accumulators with the resulting coefficients to A and G */
dd891e0e
PW		 2275 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2276 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
443cd4b8 2277 /* actual points */
cfe0ed91 2278 secp256k1_gej x;
dd891e0e 2279 secp256k1_gej x2;
443cd4b8
PW		 2280 int i;
2281
71712b27 2282 /* the point being computed */
bf2e1ac7
GM		 2283 x = a;
2284 for (i = 0; i < 200*count; i++) {
71712b27 2285 /* in each iteration, compute X = xn*X + gn*G; */
a9b6595e 2286 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
71712b27
GM		 2287 /* also compute ae and ge: the actual accumulated factors for A and G */
2288 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
f24041d6
PW		 2289 secp256k1_scalar_mul(&ae, &ae, &xn);
2290 secp256k1_scalar_mul(&ge, &ge, &xn);
2291 secp256k1_scalar_add(&ge, &ge, &gn);
71712b27 2292 /* modify xn and gn */
f24041d6
PW		 2293 secp256k1_scalar_mul(&xn, &xn, &xf);
2294 secp256k1_scalar_mul(&gn, &gn, &gf);
404c30a8 2295
71712b27 2296 /* verify */
404c30a8 2297 if (i == 19999) {
443cd4b8 2298 /* expected result after 19999 iterations */
dd891e0e 2299 secp256k1_gej rp = SECP256K1_GEJ_CONST(
443cd4b8
PW		 2300 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2301 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2302 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2303 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2304 );
2305
2306 secp256k1_gej_neg(&rp, &rp);
4f9791ab 2307 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
443cd4b8 2308 CHECK(secp256k1_gej_is_infinity(&rp));
404c30a8 2309 }
4adf6b2a 2310 }
71712b27 2311 /* redo the computation, but directly with the resulting ae and ge coefficients: */
a9b6595e 2312 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
443cd4b8 2313 secp256k1_gej_neg(&x2, &x2);
4f9791ab 2314 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
443cd4b8 2315 CHECK(secp256k1_gej_is_infinity(&x2));
a41f32e6
PW		 2316}
2317
dd891e0e 2318void test_point_times_order(const secp256k1_gej *point) {
b5c9ee75 2319 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
dd891e0e
PW		 2320 secp256k1_scalar x;
2321 secp256k1_scalar nx;
2322 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2323 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2324 secp256k1_gej res1, res2;
2325 secp256k1_ge res3;
bf2e1ac7 2326 unsigned char pub[65];
788038d3 2327 size_t psize = 65;
bf2e1ac7
GM		 2328 random_scalar_order_test(&x);
2329 secp256k1_scalar_negate(&nx, &x);
a9b6595e
PW		 2330 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2331 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
4f9791ab 2332 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
b5c9ee75 2333 CHECK(secp256k1_gej_is_infinity(&res1));
39bd94d8 2334 CHECK(secp256k1_gej_is_valid_var(&res1) == 0);
ee3eb4be
GM		 2335 secp256k1_ge_set_gej(&res3, &res1);
2336 CHECK(secp256k1_ge_is_infinity(&res3));
39bd94d8 2337 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
9234391e 2338 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
8d11164b 2339 psize = 65;
9234391e 2340 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
baa75da5
AP		 2341 /* check zero/one edge cases */
2342 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2343 secp256k1_ge_set_gej(&res3, &res1);
2344 CHECK(secp256k1_ge_is_infinity(&res3));
2345 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2346 secp256k1_ge_set_gej(&res3, &res1);
2347 ge_equals_gej(&res3, point);
2348 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2349 secp256k1_ge_set_gej(&res3, &res1);
2350 ge_equals_ge(&res3, &secp256k1_ge_const_g);
4e0ed539
PW		 2351}
2352
2cad067a 2353void run_point_times_order(void) {
bf2e1ac7 2354 int i;
dd891e0e
PW		 2355 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2356 static const secp256k1_fe xr = SECP256K1_FE_CONST(
443cd4b8
PW		 2357 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2358 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2359 );
bf2e1ac7 2360 for (i = 0; i < 500; i++) {
dd891e0e 2361 secp256k1_ge p;
39bd94d8 2362 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
dd891e0e 2363 secp256k1_gej j;
bf2e1ac7 2364 CHECK(secp256k1_ge_is_valid_var(&p));
09ca4f32 2365 secp256k1_gej_set_ge(&j, &p);
39bd94d8 2366 CHECK(secp256k1_gej_is_valid_var(&j));
09ca4f32
PD		 2367 test_point_times_order(&j);
2368 }
910d0de4 2369 secp256k1_fe_sqr(&x, &x);
4e0ed539 2370 }
443cd4b8
PW		 2371 secp256k1_fe_normalize_var(&x);
2372 CHECK(secp256k1_fe_equal_var(&x, &xr));
4e0ed539
PW		 2373}
2374
44015000
AP		 2375void ecmult_const_random_mult(void) {
2376 /* random starting point A (on the curve) */
dd891e0e 2377 secp256k1_ge a = SECP256K1_GE_CONST(
44015000
AP		 2378 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2379 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2380 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2381 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2382 );
2383 /* random initial factor xn */
dd891e0e 2384 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
44015000
AP		 2385 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2386 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2387 );
2388 /* expected xn * A (from sage) */
dd891e0e 2389 secp256k1_ge expected_b = SECP256K1_GE_CONST(
44015000
AP		 2390 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2391 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2392 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2393 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2394 );
dd891e0e 2395 secp256k1_gej b;
44015000
AP		 2396 secp256k1_ecmult_const(&b, &a, &xn);
2397
2398 CHECK(secp256k1_ge_is_valid_var(&a));
2399 ge_equals_gej(&expected_b, &b);
2400}
2401
2402void ecmult_const_commutativity(void) {
dd891e0e
PW		 2403 secp256k1_scalar a;
2404 secp256k1_scalar b;
2405 secp256k1_gej res1;
2406 secp256k1_gej res2;
2407 secp256k1_ge mid1;
2408 secp256k1_ge mid2;
44015000
AP		 2409 random_scalar_order_test(&a);
2410 random_scalar_order_test(&b);
2411
2412 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a);
2413 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b);
2414 secp256k1_ge_set_gej(&mid1, &res1);
2415 secp256k1_ge_set_gej(&mid2, &res2);
2416 secp256k1_ecmult_const(&res1, &mid1, &b);
2417 secp256k1_ecmult_const(&res2, &mid2, &a);
2418 secp256k1_ge_set_gej(&mid1, &res1);
2419 secp256k1_ge_set_gej(&mid2, &res2);
2420 ge_equals_ge(&mid1, &mid2);
2421}
2422
2423void ecmult_const_mult_zero_one(void) {
dd891e0e
PW		 2424 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2425 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2426 secp256k1_scalar negone;
2427 secp256k1_gej res1;
2428 secp256k1_ge res2;
2429 secp256k1_ge point;
44015000
AP		 2430 secp256k1_scalar_negate(&negone, &one);
2431
2432 random_group_element_test(&point);
2433 secp256k1_ecmult_const(&res1, &point, &zero);
2434 secp256k1_ge_set_gej(&res2, &res1);
2435 CHECK(secp256k1_ge_is_infinity(&res2));
2436 secp256k1_ecmult_const(&res1, &point, &one);
2437 secp256k1_ge_set_gej(&res2, &res1);
2438 ge_equals_ge(&res2, &point);
2439 secp256k1_ecmult_const(&res1, &point, &negone);
2440 secp256k1_gej_neg(&res1, &res1);
2441 secp256k1_ge_set_gej(&res2, &res1);
2442 ge_equals_ge(&res2, &point);
2443}
2444
2445void ecmult_const_chain_multiply(void) {
2446 /* Check known result (randomly generated test problem from sage) */
dd891e0e 2447 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
44015000
AP		 2448 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2449 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2450 );
dd891e0e 2451 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
44015000
AP		 2452 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2453 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2454 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2455 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2456 );
dd891e0e
PW		 2457 secp256k1_gej point;
2458 secp256k1_ge res;
44015000
AP		 2459 int i;
2460
2461 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2462 for (i = 0; i < 100; ++i) {
dd891e0e 2463 secp256k1_ge tmp;
44015000
AP		 2464 secp256k1_ge_set_gej(&tmp, &point);
2465 secp256k1_ecmult_const(&point, &tmp, &scalar);
2466 }
2467 secp256k1_ge_set_gej(&res, &point);
2468 ge_equals_gej(&res, &expected_point);
2469}
2470
2471void run_ecmult_const_tests(void) {
2472 ecmult_const_mult_zero_one();
2473 ecmult_const_random_mult();
2474 ecmult_const_commutativity();
2475 ecmult_const_chain_multiply();
2476}
2477
dd891e0e
PW		 2478void test_wnaf(const secp256k1_scalar *number, int w) {
2479 secp256k1_scalar x, two, t;
bf2e1ac7
GM		 2480 int wnaf[256];
2481 int zeroes = -1;
2482 int i;
2483 int bits;
f24041d6
PW		 2484 secp256k1_scalar_set_int(&x, 0);
2485 secp256k1_scalar_set_int(&two, 2);
55399c23 2486 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
0b730597 2487 CHECK(bits <= 256);
bf2e1ac7 2488 for (i = bits-1; i >= 0; i--) {
b1483f87 2489 int v = wnaf[i];
bf2e1ac7 2490 secp256k1_scalar_mul(&x, &x, &two);
4e0ed539 2491 if (v) {
71712b27 2492 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
4e0ed539 2493 zeroes=0;
71712b27
GM		 2494 CHECK((v & 1) == 1); /* check non-zero elements are odd */
2495 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
2496 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
4e0ed539 2497 } else {
71712b27 2498 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
4e0ed539
PW		 2499 zeroes++;
2500 }
f24041d6
PW		 2501 if (v >= 0) {
2502 secp256k1_scalar_set_int(&t, v);
2503 } else {
2504 secp256k1_scalar_set_int(&t, -v);
2505 secp256k1_scalar_negate(&t, &t);
2506 }
2507 secp256k1_scalar_add(&x, &x, &t);
4e0ed539 2508 }
f24041d6 2509 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
4e0ed539
PW		 2510}
2511
dd891e0e
PW		 2512void test_constant_wnaf_negate(const secp256k1_scalar *number) {
2513 secp256k1_scalar neg1 = *number;
2514 secp256k1_scalar neg2 = *number;
44015000
AP		 2515 int sign1 = 1;
2516 int sign2 = 1;
2517
2518 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
2519 secp256k1_scalar_negate(&neg1, &neg1);
2520 sign1 = -1;
2521 }
2522 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
2523 CHECK(sign1 == sign2);
2524 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
2525}
2526
dd891e0e
PW		 2527void test_constant_wnaf(const secp256k1_scalar *number, int w) {
2528 secp256k1_scalar x, shift;
44015000
AP		 2529 int wnaf[256] = {0};
2530 int i;
92e53fc4 2531 int skew;
dd891e0e 2532 secp256k1_scalar num = *number;
44015000
AP		 2533
2534 secp256k1_scalar_set_int(&x, 0);
2535 secp256k1_scalar_set_int(&shift, 1 << w);
92e53fc4
AP		 2536 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
2537#ifdef USE_ENDOMORPHISM
912f203f 2538 for (i = 0; i < 16; ++i) {
92e53fc4 2539 secp256k1_scalar_shr_int(&num, 8);
912f203f 2540 }
92e53fc4 2541#endif
c6191fde 2542 skew = secp256k1_wnaf_const(wnaf, num, w);
44015000
AP		 2543
2544 for (i = WNAF_SIZE(w); i >= 0; --i) {
dd891e0e 2545 secp256k1_scalar t;
44015000
AP		 2546 int v = wnaf[i];
2547 CHECK(v != 0); /* check nonzero */
2548 CHECK(v & 1); /* check parity */
2549 CHECK(v > -(1 << w)); /* check range above */
2550 CHECK(v < (1 << w)); /* check range below */
2551
2552 secp256k1_scalar_mul(&x, &x, &shift);
2553 if (v >= 0) {
2554 secp256k1_scalar_set_int(&t, v);
2555 } else {
2556 secp256k1_scalar_set_int(&t, -v);
2557 secp256k1_scalar_negate(&t, &t);
2558 }
2559 secp256k1_scalar_add(&x, &x, &t);
2560 }
c6191fde 2561 /* Skew num because when encoding numbers as odd we use an offset */
92e53fc4 2562 secp256k1_scalar_cadd_bit(&num, skew == 2, 1);
92e53fc4 2563 CHECK(secp256k1_scalar_eq(&x, &num));
44015000
AP		 2564}
2565
2cad067a 2566void run_wnaf(void) {
bf2e1ac7 2567 int i;
dd891e0e 2568 secp256k1_scalar n = {{0}};
44015000
AP		 2569
2570 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
2571 * have easier-to-diagnose failure modes */
2572 n.d[0] = 1;
2573 test_constant_wnaf(&n, 4);
2574 n.d[0] = 2;
2575 test_constant_wnaf(&n, 4);
2576 /* Random tests */
bf2e1ac7 2577 for (i = 0; i < count; i++) {
f24041d6 2578 random_scalar_order(&n);
eb0be8ee 2579 test_wnaf(&n, 4+(i%10));
44015000
AP		 2580 test_constant_wnaf_negate(&n);
2581 test_constant_wnaf(&n, 4 + (i % 10));
4e0ed539 2582 }
96be2046
GM		 2583 secp256k1_scalar_set_int(&n, 0);
2584 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
2585 CHECK(secp256k1_scalar_is_zero(&n));
2586 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
2587 CHECK(secp256k1_scalar_is_zero(&n));
4e0ed539 2588}
a41f32e6 2589
d2275795
GM		 2590void test_ecmult_constants(void) {
2591 /* Test ecmult_gen() for [0..36) and [order-36..0). */
dd891e0e
PW		 2592 secp256k1_scalar x;
2593 secp256k1_gej r;
2594 secp256k1_ge ng;
d2275795
GM		 2595 int i;
2596 int j;
2597 secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
2598 for (i = 0; i < 36; i++ ) {
2599 secp256k1_scalar_set_int(&x, i);
2600 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
2601 for (j = 0; j < i; j++) {
2602 if (j == i - 1) {
2603 ge_equals_gej(&secp256k1_ge_const_g, &r);
2604 }
2605 secp256k1_gej_add_ge(&r, &r, &ng);
2606 }
2607 CHECK(secp256k1_gej_is_infinity(&r));
2608 }
2609 for (i = 1; i <= 36; i++ ) {
2610 secp256k1_scalar_set_int(&x, i);
2611 secp256k1_scalar_negate(&x, &x);
2612 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
2613 for (j = 0; j < i; j++) {
2614 if (j == i - 1) {
2615 ge_equals_gej(&ng, &r);
2616 }
2617 secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
2618 }
2619 CHECK(secp256k1_gej_is_infinity(&r));
2620 }
2621}
2622
2623void run_ecmult_constants(void) {
2624 test_ecmult_constants();
2625}
2626
2627void test_ecmult_gen_blind(void) {
269d4227 2628 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
dd891e0e
PW		 2629 secp256k1_scalar key;
2630 secp256k1_scalar b;
d2275795 2631 unsigned char seed32[32];
dd891e0e
PW		 2632 secp256k1_gej pgej;
2633 secp256k1_gej pgej2;
2634 secp256k1_gej i;
2635 secp256k1_ge pge;
d2275795
GM		 2636 random_scalar_order_test(&key);
2637 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
2638 secp256k1_rand256(seed32);
2639 b = ctx->ecmult_gen_ctx.blind;
2640 i = ctx->ecmult_gen_ctx.initial;
2641 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
2642 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
2643 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
2644 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
2645 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
2646 secp256k1_ge_set_gej(&pge, &pgej);
2647 ge_equals_gej(&pge, &pgej2);
2648}
2649
2650void test_ecmult_gen_blind_reset(void) {
2651 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
dd891e0e
PW		 2652 secp256k1_scalar b;
2653 secp256k1_gej initial;
d2275795
GM		 2654 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
2655 b = ctx->ecmult_gen_ctx.blind;
2656 initial = ctx->ecmult_gen_ctx.initial;
2657 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
2658 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
2659 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
2660}
2661
2662void run_ecmult_gen_blind(void) {
2663 int i;
2664 test_ecmult_gen_blind_reset();
2665 for (i = 0; i < 10; i++) {
2666 test_ecmult_gen_blind();
2667 }
2668}
2669
baa75da5
AP		 2670#ifdef USE_ENDOMORPHISM
2671/***** ENDOMORPHISH TESTS *****/
2672void test_scalar_split(void) {
dd891e0e
PW		 2673 secp256k1_scalar full;
2674 secp256k1_scalar s1, slam;
baa75da5
AP		 2675 const unsigned char zero[32] = {0};
2676 unsigned char tmp[32];
2677
2678 random_scalar_order_test(&full);
ed35d43a 2679 secp256k1_scalar_split_lambda(&s1, &slam, &full);
baa75da5
AP		 2680
2681 /* check that both are <= 128 bits in size */
912f203f 2682 if (secp256k1_scalar_is_high(&s1)) {
baa75da5 2683 secp256k1_scalar_negate(&s1, &s1);
912f203f
GM		 2684 }
2685 if (secp256k1_scalar_is_high(&slam)) {
baa75da5 2686 secp256k1_scalar_negate(&slam, &slam);
912f203f 2687 }
baa75da5
AP		 2688
2689 secp256k1_scalar_get_b32(tmp, &s1);
2690 CHECK(memcmp(zero, tmp, 16) == 0);
2691 secp256k1_scalar_get_b32(tmp, &slam);
2692 CHECK(memcmp(zero, tmp, 16) == 0);
2693}
2694
2695void run_endomorphism_tests(void) {
2696 test_scalar_split();
2697}
2698#endif
d2275795 2699
67f7da40
GM		 2700void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
2701 unsigned char pubkeyc[65];
2702 secp256k1_pubkey pubkey;
2703 secp256k1_ge ge;
2704 size_t pubkeyclen;
2705 int32_t ecount;
2706 ecount = 0;
2707 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
2708 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
2709 /* Smaller sizes are tested exhaustively elsewhere. */
2710 int32_t i;
2711 memcpy(&pubkeyc[1], input, 64);
2712 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
2713 for (i = 0; i < 256; i++) {
2714 /* Try all type bytes. */
2715 int xpass;
2716 int ypass;
2717 int ysign;
2718 pubkeyc[0] = i;
2719 /* What sign does this point have? */
2720 ysign = (input[63] & 1) + 2;
2721 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
2722 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
2723 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
2724 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
2725 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
2726 if (xpass || ypass) {
2727 /* These cases must parse. */
2728 unsigned char pubkeyo[65];
2729 size_t outl;
2730 memset(&pubkey, 0, sizeof(pubkey));
2731 VG_UNDEF(&pubkey, sizeof(pubkey));
2732 ecount = 0;
2733 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
2734 VG_CHECK(&pubkey, sizeof(pubkey));
2735 outl = 65;
2736 VG_UNDEF(pubkeyo, 65);
2737 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
2738 VG_CHECK(pubkeyo, outl);
2739 CHECK(outl == 33);
2740 CHECK(memcmp(&pubkeyo[1], &pubkeyc[1], 32) == 0);
2741 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
2742 if (ypass) {
2743 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
2744 CHECK(pubkeyo[0] == ysign);
2745 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
2746 memset(&pubkey, 0, sizeof(pubkey));
2747 VG_UNDEF(&pubkey, sizeof(pubkey));
2748 secp256k1_pubkey_save(&pubkey, &ge);
2749 VG_CHECK(&pubkey, sizeof(pubkey));
2750 outl = 65;
2751 VG_UNDEF(pubkeyo, 65);
1a368980 2752 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
67f7da40
GM		 2753 VG_CHECK(pubkeyo, outl);
2754 CHECK(outl == 65);
2755 CHECK(pubkeyo[0] == 4);
2756 CHECK(memcmp(&pubkeyo[1], input, 64) == 0);
2757 }
2758 CHECK(ecount == 0);
2759 } else {
2760 /* These cases must fail to parse. */
2761 memset(&pubkey, 0xfe, sizeof(pubkey));
2762 ecount = 0;
2763 VG_UNDEF(&pubkey, sizeof(pubkey));
2764 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
2765 VG_CHECK(&pubkey, sizeof(pubkey));
2766 CHECK(ecount == 0);
2767 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
2768 CHECK(ecount == 1);
2769 }
2770 }
2771 }
2772 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
2773}
2774
2775void run_ec_pubkey_parse_test(void) {
2776#define SECP256K1_EC_PARSE_TEST_NVALID (12)
2777 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
2778 {
2779 /* Point with leading and trailing zeros in x and y serialization. */
2780 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
2781 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2782 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
2783 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
2784 },
2785 {
2786 /* Point with x equal to a 3rd root of unity.*/
2787 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
2788 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
2789 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
2790 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
2791 },
2792 {
2793 /* Point with largest x. (1/2) */
2794 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2795 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
2796 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
2797 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
2798 },
2799 {
2800 /* Point with largest x. (2/2) */
2801 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2802 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
2803 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
2804 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
2805 },
2806 {
2807 /* Point with smallest x. (1/2) */
2808 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2809 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2810 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
2811 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
2812 },
2813 {
2814 /* Point with smallest x. (2/2) */
2815 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2816 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2817 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
2818 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
2819 },
2820 {
2821 /* Point with largest y. (1/3) */
2822 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
2823 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
2824 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2825 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
2826 },
2827 {
2828 /* Point with largest y. (2/3) */
2829 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
2830 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
2831 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2832 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
2833 },
2834 {
2835 /* Point with largest y. (3/3) */
2836 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
2837 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
2838 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2839 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
2840 },
2841 {
2842 /* Point with smallest y. (1/3) */
2843 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
2844 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
2845 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2846 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2847 },
2848 {
2849 /* Point with smallest y. (2/3) */
2850 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
2851 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
2852 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2853 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2854 },
2855 {
2856 /* Point with smallest y. (3/3) */
2857 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
2858 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
2859 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2860 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
2861 }
2862 };
2863#define SECP256K1_EC_PARSE_TEST_NXVALID (4)
2864 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
2865 {
2866 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
2867 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
2868 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
2869 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2870 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
2871 },
2872 {
2873 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
2874 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
2875 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
2876 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2877 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
2878 },
2879 {
2880 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
2881 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
2882 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
2883 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2884 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
2885 },
2886 {
2887 /* x on curve, y is from y^2 = x^3 + 8. */
2888 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2889 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2890 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2891 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
2892 }
2893 };
2894#define SECP256K1_EC_PARSE_TEST_NINVALID (7)
2895 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
2896 {
2897 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
2898 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
2899 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
2900 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2901 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2902 },
2903 {
2904 /* Valid if x overflow ignored (x = 1 mod p). */
2905 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2906 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
2907 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
2908 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
2909 },
2910 {
2911 /* Valid if x overflow ignored (x = 1 mod p). */
2912 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2913 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
2914 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
2915 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
2916 },
2917 {
2918 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
2919 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2920 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
2921 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
2922 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
2923 },
2924 {
2925 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
2926 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2927 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
2928 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
2929 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
2930 },
2931 {
2932 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
2933 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2934 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2935 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
2936 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
2937 },
2938 {
2939 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
2940 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2941 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2942 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
2943 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
2944 }
2945 };
2946 const unsigned char pubkeyc[66] = {
2947 /* Serialization of G. */
2948 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
2949 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
2950 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
2951 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
2952 0xB8, 0x00
2953 };
5b71a3f4 2954 unsigned char sout[65];
67f7da40
GM		 2955 unsigned char shortkey[2];
2956 secp256k1_ge ge;
2957 secp256k1_pubkey pubkey;
5b71a3f4 2958 size_t len;
67f7da40
GM		 2959 int32_t i;
2960 int32_t ecount;
2961 int32_t ecount2;
2962 ecount = 0;
2963 /* Nothing should be reading this far into pubkeyc. */
2964 VG_UNDEF(&pubkeyc[65], 1);
2965 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
2966 /* Zero length claimed, fail, zeroize, no illegal arg error. */
2967 memset(&pubkey, 0xfe, sizeof(pubkey));
2968 ecount = 0;
2969 VG_UNDEF(shortkey, 2);
2970 VG_UNDEF(&pubkey, sizeof(pubkey));
2971 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
2972 VG_CHECK(&pubkey, sizeof(pubkey));
2973 CHECK(ecount == 0);
2974 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
2975 CHECK(ecount == 1);
2976 /* Length one claimed, fail, zeroize, no illegal arg error. */
2977 for (i = 0; i < 256 ; i++) {
2978 memset(&pubkey, 0xfe, sizeof(pubkey));
2979 ecount = 0;
2980 shortkey[0] = i;
2981 VG_UNDEF(&shortkey[1], 1);
2982 VG_UNDEF(&pubkey, sizeof(pubkey));
2983 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
2984 VG_CHECK(&pubkey, sizeof(pubkey));
2985 CHECK(ecount == 0);
2986 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
2987 CHECK(ecount == 1);
2988 }
2989 /* Length two claimed, fail, zeroize, no illegal arg error. */
2990 for (i = 0; i < 65536 ; i++) {
2991 memset(&pubkey, 0xfe, sizeof(pubkey));
2992 ecount = 0;
2993 shortkey[0] = i & 255;
2994 shortkey[1] = i >> 8;
2995 VG_UNDEF(&pubkey, sizeof(pubkey));
2996 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
2997 VG_CHECK(&pubkey, sizeof(pubkey));
2998 CHECK(ecount == 0);
2999 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3000 CHECK(ecount == 1);
3001 }
3002 memset(&pubkey, 0xfe, sizeof(pubkey));
3003 ecount = 0;
3004 VG_UNDEF(&pubkey, sizeof(pubkey));
3005 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
3006 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
3007 VG_CHECK(&pubkey, sizeof(pubkey));
3008 CHECK(ecount == 0);
3009 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3010 CHECK(ecount == 1);
3011 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
3012 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
3013 CHECK(ecount == 2);
3014 /* NULL input string. Illegal arg and zeroize output. */
3015 memset(&pubkey, 0xfe, sizeof(pubkey));
3016 ecount = 0;
3017 VG_UNDEF(&pubkey, sizeof(pubkey));
3018 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
3019 VG_CHECK(&pubkey, sizeof(pubkey));
3020 CHECK(ecount == 1);
3021 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3022 CHECK(ecount == 2);
3023 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
3024 memset(&pubkey, 0xfe, sizeof(pubkey));
3025 ecount = 0;
3026 VG_UNDEF(&pubkey, sizeof(pubkey));
3027 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
3028 VG_CHECK(&pubkey, sizeof(pubkey));
3029 CHECK(ecount == 0);
3030 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3031 CHECK(ecount == 1);
3032 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
3033 memset(&pubkey, 0xfe, sizeof(pubkey));
3034 ecount = 0;
3035 VG_UNDEF(&pubkey, sizeof(pubkey));
3036 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
3037 VG_CHECK(&pubkey, sizeof(pubkey));
3038 CHECK(ecount == 0);
3039 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3040 CHECK(ecount == 1);
3041 /* Valid parse. */
3042 memset(&pubkey, 0, sizeof(pubkey));
3043 ecount = 0;
3044 VG_UNDEF(&pubkey, sizeof(pubkey));
3045 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
3046 VG_CHECK(&pubkey, sizeof(pubkey));
3047 CHECK(ecount == 0);
3048 VG_UNDEF(&ge, sizeof(ge));
3049 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3050 VG_CHECK(&ge.x, sizeof(ge.x));
3051 VG_CHECK(&ge.y, sizeof(ge.y));
3052 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
3053 ge_equals_ge(&secp256k1_ge_const_g, &ge);
3054 CHECK(ecount == 0);
5b71a3f4
GM		 3055 /* secp256k1_ec_pubkey_serialize illegal args. */
3056 ecount = 0;
3057 len = 65;
3058 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3059 CHECK(ecount == 1);
3060 CHECK(len == 0);
3061 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3062 CHECK(ecount == 2);
3063 len = 65;
3064 VG_UNDEF(sout, 65);
3065 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
3066 VG_CHECK(sout, 65);
3067 CHECK(ecount == 3);
3068 CHECK(len == 0);
3069 len = 65;
3070 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
3071 CHECK(ecount == 4);
3072 CHECK(len == 0);
3073 len = 65;
3074 VG_UNDEF(sout, 65);
3075 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3076 VG_CHECK(sout, 65);
3077 CHECK(ecount == 4);
3078 CHECK(len == 65);
67f7da40
GM		 3079 /* Multiple illegal args. Should still set arg error only once. */
3080 ecount = 0;
3081 ecount2 = 11;
3082 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3083 CHECK(ecount == 1);
3084 /* Does the illegal arg callback actually change the behavior? */
3085 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
3086 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3087 CHECK(ecount == 1);
3088 CHECK(ecount2 == 10);
3089 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3090 /* Try a bunch of prefabbed points with all possible encodings. */
3091 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
3092 ec_pubkey_parse_pointtest(valid[i], 1, 1);
3093 }
3094 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
3095 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
3096 }
3097 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
3098 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
3099 }
3100}
3101
96be2046
GM		 3102void run_eckey_edge_case_test(void) {
3103 const unsigned char orderc[32] = {
3104 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3105 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3106 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3107 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
3108 };
3109 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
c69dea02
GM		 3110 unsigned char ctmp[33];
3111 unsigned char ctmp2[33];
96be2046
GM		 3112 secp256k1_pubkey pubkey;
3113 secp256k1_pubkey pubkey2;
c69dea02
GM		 3114 secp256k1_pubkey pubkey_one;
3115 secp256k1_pubkey pubkey_negone;
3116 const secp256k1_pubkey *pubkeys[3];
3117 size_t len;
96be2046
GM		 3118 int32_t ecount;
3119 /* Group order is too large, reject. */
3120 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
3121 VG_UNDEF(&pubkey, sizeof(pubkey));
3122 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
3123 VG_CHECK(&pubkey, sizeof(pubkey));
3124 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3125 /* Maximum value is too large, reject. */
3126 memset(ctmp, 255, 32);
3127 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3128 memset(&pubkey, 1, sizeof(pubkey));
3129 VG_UNDEF(&pubkey, sizeof(pubkey));
3130 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3131 VG_CHECK(&pubkey, sizeof(pubkey));
3132 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3133 /* Zero is too small, reject. */
3134 memset(ctmp, 0, 32);
3135 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3136 memset(&pubkey, 1, sizeof(pubkey));
3137 VG_UNDEF(&pubkey, sizeof(pubkey));
3138 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3139 VG_CHECK(&pubkey, sizeof(pubkey));
3140 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3141 /* One must be accepted. */
3142 ctmp[31] = 0x01;
3143 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3144 memset(&pubkey, 0, sizeof(pubkey));
3145 VG_UNDEF(&pubkey, sizeof(pubkey));
3146 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3147 VG_CHECK(&pubkey, sizeof(pubkey));
3148 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
c69dea02 3149 pubkey_one = pubkey;
96be2046
GM		 3150 /* Group order + 1 is too large, reject. */
3151 memcpy(ctmp, orderc, 32);
3152 ctmp[31] = 0x42;
3153 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3154 memset(&pubkey, 1, sizeof(pubkey));
3155 VG_UNDEF(&pubkey, sizeof(pubkey));
3156 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3157 VG_CHECK(&pubkey, sizeof(pubkey));
3158 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3159 /* -1 must be accepted. */
3160 ctmp[31] = 0x40;
3161 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3162 memset(&pubkey, 0, sizeof(pubkey));
3163 VG_UNDEF(&pubkey, sizeof(pubkey));
3164 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3165 VG_CHECK(&pubkey, sizeof(pubkey));
3166 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
c69dea02 3167 pubkey_negone = pubkey;
96be2046
GM		 3168 /* Tweak of zero leaves the value changed. */
3169 memset(ctmp2, 0, 32);
3170 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, ctmp2) == 1);
3171 CHECK(memcmp(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
3172 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
3173 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3174 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3175 /* Multiply tweak of zero zeroizes the output. */
3176 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, ctmp2) == 0);
3177 CHECK(memcmp(zeros, ctmp, 32) == 0);
3178 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
3179 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3180 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3181 /* Overflowing key tweak zeroizes. */
3182 memcpy(ctmp, orderc, 32);
3183 ctmp[31] = 0x40;
3184 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, orderc) == 0);
3185 CHECK(memcmp(zeros, ctmp, 32) == 0);
3186 memcpy(ctmp, orderc, 32);
3187 ctmp[31] = 0x40;
3188 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, orderc) == 0);
3189 CHECK(memcmp(zeros, ctmp, 32) == 0);
3190 memcpy(ctmp, orderc, 32);
3191 ctmp[31] = 0x40;
3192 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
3193 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3194 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3195 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
3196 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3197 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3198 /* Private key tweaks results in a key of zero. */
3199 ctmp2[31] = 1;
3200 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 0);
3201 CHECK(memcmp(zeros, ctmp2, 32) == 0);
3202 ctmp2[31] = 1;
3203 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3204 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3205 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3206 /* Tweak computation wraps and results in a key of 1. */
3207 ctmp2[31] = 2;
3208 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 1);
3209 CHECK(memcmp(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
3210 ctmp2[31] = 2;
3211 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3212 ctmp2[31] = 1;
3213 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
3214 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3215 /* Tweak mul * 2 = 1+1. */
3216 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3217 ctmp2[31] = 2;
3218 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
3219 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3220 /* Test argument errors. */
3221 ecount = 0;
3222 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3223 CHECK(ecount == 0);
3224 /* Zeroize pubkey on parse error. */
3225 memset(&pubkey, 0, 32);
3226 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3227 CHECK(ecount == 1);
3228 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3229 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3230 memset(&pubkey2, 0, 32);
3231 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
3232 CHECK(ecount == 2);
3233 CHECK(memcmp(&pubkey2, zeros, sizeof(pubkey2)) == 0);
3234 /* Plain argument errors. */
3235 ecount = 0;
3236 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3237 CHECK(ecount == 0);
3238 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
3239 CHECK(ecount == 1);
3240 ecount = 0;
3241 memset(ctmp2, 0, 32);
3242 ctmp2[31] = 4;
3243 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
3244 CHECK(ecount == 1);
3245 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
3246 CHECK(ecount == 2);
3247 ecount = 0;
3248 memset(ctmp2, 0, 32);
3249 ctmp2[31] = 4;
3250 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3251 CHECK(ecount == 1);
3252 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
3253 CHECK(ecount == 2);
3254 ecount = 0;
3255 memset(ctmp2, 0, 32);
3256 CHECK(secp256k1_ec_privkey_tweak_add(ctx, NULL, ctmp2) == 0);
3257 CHECK(ecount == 1);
3258 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, NULL) == 0);
3259 CHECK(ecount == 2);
3260 ecount = 0;
3261 memset(ctmp2, 0, 32);
3262 ctmp2[31] = 1;
3263 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3264 CHECK(ecount == 1);
3265 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, NULL) == 0);
3266 CHECK(ecount == 2);
3267 ecount = 0;
3268 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
3269 CHECK(ecount == 1);
3270 memset(&pubkey, 1, sizeof(pubkey));
3271 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
3272 CHECK(ecount == 2);
5b71a3f4 3273 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
c69dea02
GM		 3274 /* secp256k1_ec_pubkey_combine tests. */
3275 ecount = 0;
3276 pubkeys[0] = &pubkey_one;
3277 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
3278 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
3279 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
3280 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3281 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3282 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
3283 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3284 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3285 CHECK(ecount == 1);
c69dea02
GM		 3286 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
3287 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
8e48787d 3288 CHECK(ecount == 2);
c69dea02
GM		 3289 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3290 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3291 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
3292 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3293 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
8e48787d 3294 CHECK(ecount == 3);
c69dea02
GM		 3295 pubkeys[0] = &pubkey_negone;
3296 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3297 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3298 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
3299 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3300 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
8e48787d 3301 CHECK(ecount == 3);
c69dea02
GM		 3302 len = 33;
3303 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3304 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
3305 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
3306 /* Result is infinity. */
3307 pubkeys[0] = &pubkey_one;
3308 pubkeys[1] = &pubkey_negone;
3309 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3310 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3311 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
3312 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3313 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
8e48787d 3314 CHECK(ecount == 3);
c69dea02
GM		 3315 /* Passes through infinity but comes out one. */
3316 pubkeys[2] = &pubkey_one;
3317 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3318 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3319 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
3320 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3321 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
8e48787d 3322 CHECK(ecount == 3);
c69dea02
GM		 3323 len = 33;
3324 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3325 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
3326 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
3327 /* Adds to two. */
3328 pubkeys[1] = &pubkey_one;
3329 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3330 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3331 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
3332 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3333 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
8e48787d 3334 CHECK(ecount == 3);
96be2046
GM		 3335 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3336}
3337
dd891e0e
PW		 3338void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
3339 secp256k1_scalar nonce;
dd08f037 3340 do {
a9f5c8b8 3341 random_scalar_order_test(&nonce);
18c329c5 3342 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
dd08f037
PW		 3343}
3344
2cad067a 3345void test_ecdsa_sign_verify(void) {
dd891e0e
PW		 3346 secp256k1_gej pubj;
3347 secp256k1_ge pub;
3348 secp256k1_scalar one;
3349 secp256k1_scalar msg, key;
3350 secp256k1_scalar sigr, sigs;
ee3eb4be
GM		 3351 int recid;
3352 int getrec;
a9f5c8b8 3353 random_scalar_order_test(&msg);
a9f5c8b8 3354 random_scalar_order_test(&key);
a9b6595e 3355 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
bf2e1ac7 3356 secp256k1_ge_set_gej(&pub, &pubj);
fa57f1bd 3357 getrec = secp256k1_rand_bits(1);
18c329c5 3358 random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
26320197
GM		 3359 if (getrec) {
3360 CHECK(recid >= 0 && recid < 4);
3361 }
18c329c5 3362 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
f24041d6
PW		 3363 secp256k1_scalar_set_int(&one, 1);
3364 secp256k1_scalar_add(&msg, &msg, &one);
18c329c5 3365 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
0a07e62f
PW		 3366}
3367
2cad067a 3368void run_ecdsa_sign_verify(void) {
bf2e1ac7
GM		 3369 int i;
3370 for (i = 0; i < 10*count; i++) {
0a07e62f
PW		 3371 test_ecdsa_sign_verify();
3372 }
3373}
3374
c6e7f4e8 3375/** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
05732c5a 3376static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
c6e7f4e8
PW		 3377 (void)msg32;
3378 (void)key32;
a5a66c70 3379 (void)algo16;
c6e7f4e8
PW		 3380 memcpy(nonce32, data, 32);
3381 return (counter == 0);
3382}
3383
05732c5a 3384static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
941e221f 3385 /* Dummy nonce generator that has a fatal error on the first counter value. */
26320197
GM		 3386 if (counter == 0) {
3387 return 0;
3388 }
dc0ce9fc 3389 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
941e221f
GM		 3390}
3391
05732c5a 3392static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
941e221f
GM		 3393 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
3394 if (counter < 3) {
3395 memset(nonce32, counter==0 ? 0 : 255, 32);
26320197
GM		 3396 if (counter == 2) {
3397 nonce32[31]--;
3398 }
941e221f
GM		 3399 return 1;
3400 }
3401 if (counter < 5) {
3402 static const unsigned char order[] = {
3403 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
3404 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
3405 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
3406 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
3407 };
3408 memcpy(nonce32, order, 32);
26320197
GM		 3409 if (counter == 4) {
3410 nonce32[31]++;
3411 }
941e221f
GM		 3412 return 1;
3413 }
269d4227 3414 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
941e221f 3415 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
26320197
GM		 3416 if (counter > 5) {
3417 return 0;
3418 }
dc0ce9fc 3419 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
941e221f
GM		 3420}
3421
dd891e0e
PW		 3422int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
3423 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
3424 return memcmp(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
8030d7c0
PW		 3425}
3426
2cad067a 3427void test_ecdsa_end_to_end(void) {
efc571ce 3428 unsigned char extra[32] = {0x00};
25f4aec0
PW		 3429 unsigned char privkey[32];
3430 unsigned char message[32];
bf2e1ac7 3431 unsigned char privkey2[32];
0c6ab2ff
PW		 3432 secp256k1_ecdsa_signature signature[6];
3433 secp256k1_scalar r, s;
74a2acdb 3434 unsigned char sig[74];
788038d3 3435 size_t siglen = 74;
23cfa914 3436 unsigned char pubkeyc[65];
788038d3 3437 size_t pubkeyclen = 65;
dd891e0e 3438 secp256k1_pubkey pubkey;
bf2e1ac7 3439 unsigned char seckey[300];
788038d3 3440 size_t seckeylen = 300;
25f4aec0 3441
71712b27 3442 /* Generate a random key and message. */
25f4aec0 3443 {
dd891e0e 3444 secp256k1_scalar msg, key;
659b554d
PW		 3445 random_scalar_order_test(&msg);
3446 random_scalar_order_test(&key);
3447 secp256k1_scalar_get_b32(privkey, &key);
3448 secp256k1_scalar_get_b32(message, &msg);
25f4aec0
PW		 3449 }
3450
71712b27 3451 /* Construct and verify corresponding public key. */
a9b6595e 3452 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
23cfa914 3453 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
99fd963b 3454
23cfa914 3455 /* Verify exporting and importing public key. */
1a368980 3456 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_rand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
23cfa914
PW		 3457 memset(&pubkey, 0, sizeof(pubkey));
3458 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
25f4aec0 3459
71712b27 3460 /* Verify private key import and export. */
eed87af1
AP		 3461 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_rand_bits(1) == 1));
3462 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
25f4aec0
PW		 3463 CHECK(memcmp(privkey, privkey2, 32) == 0);
3464
71712b27 3465 /* Optionally tweak the keys using addition. */
fa57f1bd 3466 if (secp256k1_rand_int(3) == 0) {
bf2e1ac7
GM		 3467 int ret1;
3468 int ret2;
25f4aec0 3469 unsigned char rnd[32];
dd891e0e 3470 secp256k1_pubkey pubkey2;
25f4aec0 3471 secp256k1_rand256_test(rnd);
a9b6595e 3472 ret1 = secp256k1_ec_privkey_tweak_add(ctx, privkey, rnd);
23cfa914 3473 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
25f4aec0 3474 CHECK(ret1 == ret2);
26320197
GM		 3475 if (ret1 == 0) {
3476 return;
3477 }
23cfa914
PW		 3478 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
3479 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
25f4aec0
PW		 3480 }
3481
71712b27 3482 /* Optionally tweak the keys using multiplication. */
fa57f1bd 3483 if (secp256k1_rand_int(3) == 0) {
bf2e1ac7
GM		 3484 int ret1;
3485 int ret2;
25f4aec0 3486 unsigned char rnd[32];
dd891e0e 3487 secp256k1_pubkey pubkey2;
25f4aec0 3488 secp256k1_rand256_test(rnd);
a9b6595e 3489 ret1 = secp256k1_ec_privkey_tweak_mul(ctx, privkey, rnd);
23cfa914 3490 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
25f4aec0 3491 CHECK(ret1 == ret2);
26320197
GM		 3492 if (ret1 == 0) {
3493 return;
3494 }
23cfa914
PW		 3495 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
3496 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
25f4aec0
PW		 3497 }
3498
71712b27 3499 /* Sign. */
dc0ce9fc
PW		 3500 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
3501 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
3502 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
efc571ce 3503 extra[31] = 1;
dc0ce9fc 3504 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
efc571ce
GM		 3505 extra[31] = 0;
3506 extra[0] = 1;
dc0ce9fc 3507 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
74a2acdb
PW		 3508 CHECK(memcmp(&signature[0], &signature[4], sizeof(signature[0])) == 0);
3509 CHECK(memcmp(&signature[0], &signature[1], sizeof(signature[0])) != 0);
3510 CHECK(memcmp(&signature[0], &signature[2], sizeof(signature[0])) != 0);
3511 CHECK(memcmp(&signature[0], &signature[3], sizeof(signature[0])) != 0);
3512 CHECK(memcmp(&signature[1], &signature[2], sizeof(signature[0])) != 0);
3513 CHECK(memcmp(&signature[1], &signature[3], sizeof(signature[0])) != 0);
3514 CHECK(memcmp(&signature[2], &signature[3], sizeof(signature[0])) != 0);
71712b27 3515 /* Verify. */
dc0ce9fc
PW		 3516 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
3517 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
3518 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
3519 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
0c6ab2ff
PW		 3520 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
3521 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
3522 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
3523 secp256k1_scalar_negate(&s, &s);
3524 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
3525 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
3526 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
3527 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
3528 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
5b71a3f4 3529 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
0c6ab2ff
PW		 3530 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
3531 secp256k1_scalar_negate(&s, &s);
3532 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
3533 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
3534 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
3535 CHECK(memcmp(&signature[5], &signature[0], 64) == 0);
74a2acdb
PW		 3536
3537 /* Serialize/parse DER and verify again */
3538 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
3539 memset(&signature[0], 0, sizeof(signature[0]));
3540 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
dc0ce9fc 3541 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
74a2acdb 3542 /* Serialize/destroy/parse DER and verify again. */
1973c737 3543 siglen = 74;
74a2acdb 3544 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
fa57f1bd 3545 sig[secp256k1_rand_int(siglen)] += 1 + secp256k1_rand_int(255);
74a2acdb 3546 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
dc0ce9fc 3547 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
d49abbd5
PW		 3548}
3549
7c6fed28 3550void test_random_pubkeys(void) {
dd891e0e
PW		 3551 secp256k1_ge elem;
3552 secp256k1_ge elem2;
7c6fed28
GM		 3553 unsigned char in[65];
3554 /* Generate some randomly sized pubkeys. */
fa57f1bd
PW		 3555 size_t len = secp256k1_rand_bits(2) == 0 ? 65 : 33;
3556 if (secp256k1_rand_bits(2) == 0) {
3557 len = secp256k1_rand_bits(6);
26320197 3558 }
7c6fed28 3559 if (len == 65) {
fa57f1bd 3560 in[0] = secp256k1_rand_bits(1) ? 4 : (secp256k1_rand_bits(1) ? 6 : 7);
7c6fed28 3561 } else {
fa57f1bd 3562 in[0] = secp256k1_rand_bits(1) ? 2 : 3;
7c6fed28 3563 }
fa57f1bd
PW		 3564 if (secp256k1_rand_bits(3) == 0) {
3565 in[0] = secp256k1_rand_bits(8);
26320197 3566 }
26320197
GM		 3567 if (len > 1) {
3568 secp256k1_rand256(&in[1]);
3569 }
3570 if (len > 33) {
3571 secp256k1_rand256(&in[33]);
3572 }
7c6fed28
GM		 3573 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
3574 unsigned char out[65];
3575 unsigned char firstb;
3576 int res;
788038d3 3577 size_t size = len;
7c6fed28
GM		 3578 firstb = in[0];
3579 /* If the pubkey can be parsed, it should round-trip... */
9234391e 3580 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
7c6fed28
GM		 3581 CHECK(size == len);
3582 CHECK(memcmp(&in[1], &out[1], len-1) == 0);
3583 /* ... except for the type of hybrid inputs. */
26320197
GM		 3584 if ((in[0] != 6) && (in[0] != 7)) {
3585 CHECK(in[0] == out[0]);
3586 }
7c6fed28 3587 size = 65;
9234391e 3588 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
7c6fed28
GM		 3589 CHECK(size == 65);
3590 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
60571c6e 3591 ge_equals_ge(&elem,&elem2);
7c6fed28 3592 /* Check that the X9.62 hybrid type is checked. */
fa57f1bd 3593 in[0] = secp256k1_rand_bits(1) ? 6 : 7;
7c6fed28
GM		 3594 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
3595 if (firstb == 2 || firstb == 3) {
26320197
GM		 3596 if (in[0] == firstb + 4) {
3597 CHECK(res);
3598 } else {
3599 CHECK(!res);
3600 }
7c6fed28
GM		 3601 }
3602 if (res) {
60571c6e 3603 ge_equals_ge(&elem,&elem2);
9234391e 3604 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
7c6fed28
GM		 3605 CHECK(memcmp(&in[1], &out[1], 64) == 0);
3606 }
3607 }
3608}
3609
3610void run_random_pubkeys(void) {
bf2e1ac7
GM		 3611 int i;
3612 for (i = 0; i < 10*count; i++) {
7c6fed28
GM		 3613 test_random_pubkeys();
3614 }
3615}
3616
2cad067a 3617void run_ecdsa_end_to_end(void) {
bf2e1ac7
GM		 3618 int i;
3619 for (i = 0; i < 64*count; i++) {
25f4aec0
PW		 3620 test_ecdsa_end_to_end();
3621 }
3622}
3623
3bb9c447
PW		 3624int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
3625 static const unsigned char zeroes[32] = {0};
a9b2a5d8 3626#ifdef ENABLE_OPENSSL_TESTS
3bb9c447
PW		 3627 static const unsigned char max_scalar[32] = {
3628 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3629 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3630 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3631 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
3632 };
a9b2a5d8 3633#endif
3bb9c447
PW		 3634
3635 int ret = 0;
3636
3637 secp256k1_ecdsa_signature sig_der;
3638 unsigned char roundtrip_der[2048];
3639 unsigned char compact_der[64];
3640 size_t len_der = 2048;
3641 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
3642
fea19e7b
PW		 3643 secp256k1_ecdsa_signature sig_der_lax;
3644 unsigned char roundtrip_der_lax[2048];
3645 unsigned char compact_der_lax[64];
3646 size_t len_der_lax = 2048;
3647 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
3648
3bb9c447
PW		 3649#ifdef ENABLE_OPENSSL_TESTS
3650 ECDSA_SIG *sig_openssl;
3651 const unsigned char *sigptr;
3652 unsigned char roundtrip_openssl[2048];
3653 int len_openssl = 2048;
3654 int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
3655#endif
3656
3657 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
3658 if (parsed_der) {
3659 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
3660 valid_der = (memcmp(compact_der, zeroes, 32) != 0) && (memcmp(compact_der + 32, zeroes, 32) != 0);
3661 }
3662 if (valid_der) {
3663 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
3664 roundtrips_der = (len_der == siglen) && memcmp(roundtrip_der, sig, siglen) == 0;
3665 }
3666
eed87af1 3667 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
fea19e7b
PW		 3668 if (parsed_der_lax) {
3669 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
3670 valid_der_lax = (memcmp(compact_der_lax, zeroes, 32) != 0) && (memcmp(compact_der_lax + 32, zeroes, 32) != 0);
3671 }
3672 if (valid_der_lax) {
3673 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
3674 roundtrips_der_lax = (len_der_lax == siglen) && memcmp(roundtrip_der_lax, sig, siglen) == 0;
3675 }
3676
3bb9c447
PW		 3677 if (certainly_der) {
3678 ret |= (!parsed_der) << 2;
3679 }
3680 if (certainly_not_der) {
3681 ret |= (parsed_der) << 17;
3682 }
3683 if (valid_der) {
3684 ret |= (!roundtrips_der) << 3;
3685 }
3686
fea19e7b
PW		 3687 if (valid_der) {
3688 ret |= (!roundtrips_der_lax) << 12;
3689 ret |= (len_der != len_der_lax) << 13;
3690 ret |= (memcmp(roundtrip_der_lax, roundtrip_der, len_der) != 0) << 14;
3691 }
3692 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
3693 if (parsed_der) {
3694 ret |= (!parsed_der_lax) << 16;
3695 }
3696
3bb9c447
PW		 3697#ifdef ENABLE_OPENSSL_TESTS
3698 sig_openssl = ECDSA_SIG_new();
3699 sigptr = sig;
3700 parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
3701 if (parsed_openssl) {
3702 valid_openssl = !BN_is_negative(sig_openssl->r) && !BN_is_negative(sig_openssl->s) && BN_num_bits(sig_openssl->r) > 0 && BN_num_bits(sig_openssl->r) <= 256 && BN_num_bits(sig_openssl->s) > 0 && BN_num_bits(sig_openssl->s) <= 256;
3703 if (valid_openssl) {
3704 unsigned char tmp[32] = {0};
3705 BN_bn2bin(sig_openssl->r, tmp + 32 - BN_num_bytes(sig_openssl->r));
3706 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
3707 }
3708 if (valid_openssl) {
3709 unsigned char tmp[32] = {0};
3710 BN_bn2bin(sig_openssl->s, tmp + 32 - BN_num_bytes(sig_openssl->s));
3711 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
3712 }
3713 }
3714 len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
3715 if (len_openssl <= 2048) {
3716 unsigned char *ptr = roundtrip_openssl;
3717 CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
3718 roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (memcmp(roundtrip_openssl, sig, siglen) == 0);
3719 } else {
3720 len_openssl = 0;
3721 }
3722 ECDSA_SIG_free(sig_openssl);
3723
3724 ret |= (parsed_der && !parsed_openssl) << 4;
3725 ret |= (valid_der && !valid_openssl) << 5;
3726 ret |= (roundtrips_openssl && !parsed_der) << 6;
3727 ret |= (roundtrips_der != roundtrips_openssl) << 7;
3728 if (roundtrips_openssl) {
3729 ret |= (len_der != (size_t)len_openssl) << 8;
3730 ret |= (memcmp(roundtrip_der, roundtrip_openssl, len_der) != 0) << 9;
3731 }
3732#endif
3733 return ret;
3734}
3735
3736static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
3737 size_t i;
3738 for (i = 0; i < ptrlen; i++) {
3739 int shift = ptrlen - 1 - i;
3740 if (shift >= 4) {
3741 ptr[i] = 0;
3742 } else {
3743 ptr[i] = (val >> shift) & 0xFF;
3744 }
3745 }
3746}
3747
3748static void damage_array(unsigned char *sig, size_t *len) {
3749 int pos;
3750 int action = secp256k1_rand_bits(3);
5d4c5a31 3751 if (action < 1 && *len > 3) {
3bb9c447
PW		 3752 /* Delete a byte. */
3753 pos = secp256k1_rand_int(*len);
3754 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
3755 (*len)--;
3756 return;
5d4c5a31 3757 } else if (action < 2 && *len < 2048) {
3bb9c447
PW		 3758 /* Insert a byte. */
3759 pos = secp256k1_rand_int(1 + *len);
3760 memmove(sig + pos + 1, sig + pos, *len - pos);
3761 sig[pos] = secp256k1_rand_bits(8);
3762 (*len)++;
3763 return;
3764 } else if (action < 4) {
3765 /* Modify a byte. */
3766 sig[secp256k1_rand_int(*len)] += 1 + secp256k1_rand_int(255);
3767 return;
3768 } else { /* action < 8 */
3769 /* Modify a bit. */
3770 sig[secp256k1_rand_int(*len)] ^= 1 << secp256k1_rand_bits(3);
3771 return;
3772 }
3773}
3774
3775static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
3776 int der;
3777 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
3778 size_t tlen, elen, glen;
3779 int indet;
3780 int n;
3781
3782 *len = 0;
3783 der = secp256k1_rand_bits(2) == 0;
3784 *certainly_der = der;
3785 *certainly_not_der = 0;
3786 indet = der ? 0 : secp256k1_rand_int(10) == 0;
3787
3788 for (n = 0; n < 2; n++) {
3789 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
3790 nlow[n] = der ? 1 : (secp256k1_rand_bits(3) != 0);
3791 /* The length of the number in bytes (the first byte of which will always be nonzero) */
3792 nlen[n] = nlow[n] ? secp256k1_rand_int(33) : 32 + secp256k1_rand_int(200) * secp256k1_rand_int(8) / 8;
3793 CHECK(nlen[n] <= 232);
3794 /* The top bit of the number. */
3795 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_rand_bits(1));
3796 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
3797 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_rand_bits(7) : 1 + secp256k1_rand_int(127));
3798 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
3799 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_rand_int(3) : secp256k1_rand_int(300 - nlen[n]) * secp256k1_rand_int(8) / 8);
3800 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
3801 *certainly_not_der = 1;
3802 }
3803 CHECK(nlen[n] + nzlen[n] <= 300);
3804 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
3805 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
3806 if (!der) {
3807 /* nlenlen[n] max 127 bytes */
3808 int add = secp256k1_rand_int(127 - nlenlen[n]) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
3809 nlenlen[n] += add;
3810 if (add != 0) {
3811 *certainly_not_der = 1;
3812 }
3813 }
3814 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
3815 }
3816
3817 /* The total length of the data to go, so far */
3818 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
3819 CHECK(tlen <= 856);
3820
3821 /* The length of the garbage inside the tuple. */
3822 elen = (der || indet) ? 0 : secp256k1_rand_int(980 - tlen) * secp256k1_rand_int(8) / 8;
3823 if (elen != 0) {
3824 *certainly_not_der = 1;
3825 }
3826 tlen += elen;
3827 CHECK(tlen <= 980);
3828
3829 /* The length of the garbage after the end of the tuple. */
3830 glen = der ? 0 : secp256k1_rand_int(990 - tlen) * secp256k1_rand_int(8) / 8;
3831 if (glen != 0) {
3832 *certainly_not_der = 1;
3833 }
3834 CHECK(tlen + glen <= 990);
3835
3836 /* Write the tuple header. */
3837 sig[(*len)++] = 0x30;
3838 if (indet) {
3839 /* Indeterminate length */
3840 sig[(*len)++] = 0x80;
3841 *certainly_not_der = 1;
3842 } else {
3843 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
3844 if (!der) {
3845 int add = secp256k1_rand_int(127 - tlenlen) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
3846 tlenlen += add;
3847 if (add != 0) {
3848 *certainly_not_der = 1;
3849 }
3850 }
3851 if (tlenlen == 0) {
3852 /* Short length notation */
3853 sig[(*len)++] = tlen;
3854 } else {
3855 /* Long length notation */
3856 sig[(*len)++] = 128 + tlenlen;
3857 assign_big_endian(sig + *len, tlenlen, tlen);
3858 *len += tlenlen;
3859 }
3860 tlen += tlenlen;
3861 }
3862 tlen += 2;
3863 CHECK(tlen + glen <= 1119);
3864
3865 for (n = 0; n < 2; n++) {
3866 /* Write the integer header. */
3867 sig[(*len)++] = 0x02;
3868 if (nlenlen[n] == 0) {
3869 /* Short length notation */
3870 sig[(*len)++] = nlen[n] + nzlen[n];
3871 } else {
3872 /* Long length notation. */
3873 sig[(*len)++] = 128 + nlenlen[n];
3874 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
3875 *len += nlenlen[n];
3876 }
3877 /* Write zero padding */
3878 while (nzlen[n] > 0) {
3879 sig[(*len)++] = 0x00;
3880 nzlen[n]--;
3881 }
3882 if (nlen[n] == 32 && !nlow[n]) {
3883 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
3884 int i;
3885 for (i = 0; i < 16; i++) {
3886 sig[(*len)++] = 0xFF;
3887 }
3888 nlen[n] -= 16;
3889 }
3890 /* Write first byte of number */
3891 if (nlen[n] > 0) {
3892 sig[(*len)++] = nhbyte[n];
3893 nlen[n]--;
3894 }
3895 /* Generate remaining random bytes of number */
3896 secp256k1_rand_bytes_test(sig + *len, nlen[n]);
3897 *len += nlen[n];
3898 nlen[n] = 0;
3899 }
3900
3901 /* Generate random garbage inside tuple. */
3902 secp256k1_rand_bytes_test(sig + *len, elen);
3903 *len += elen;
3904
3905 /* Generate end-of-contents bytes. */
3906 if (indet) {
3907 sig[(*len)++] = 0;
3908 sig[(*len)++] = 0;
3909 tlen += 2;
3910 }
3911 CHECK(tlen + glen <= 1121);
3912
3913 /* Generate random garbage outside tuple. */
3914 secp256k1_rand_bytes_test(sig + *len, glen);
3915 *len += glen;
3916 tlen += glen;
3917 CHECK(tlen <= 1121);
3918 CHECK(tlen == *len);
3919}
3920
3921void run_ecdsa_der_parse(void) {
3922 int i,j;
3923 for (i = 0; i < 200 * count; i++) {
3924 unsigned char buffer[2048];
3925 size_t buflen = 0;
3926 int certainly_der = 0;
3927 int certainly_not_der = 0;
3928 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
5d4c5a31 3929 CHECK(buflen <= 2048);
3bb9c447
PW		 3930 for (j = 0; j < 16; j++) {
3931 int ret = 0;
3932 if (j > 0) {
3933 damage_array(buffer, &buflen);
3934 /* We don't know anything anymore about the DERness of the result */
3935 certainly_der = 0;
3936 certainly_not_der = 0;
3937 }
3938 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
3939 if (ret != 0) {
3940 size_t k;
3941 fprintf(stderr, "Failure %x on ", ret);
3942 for (k = 0; k < buflen; k++) {
3943 fprintf(stderr, "%02x ", buffer[k]);
3944 }
3945 fprintf(stderr, "\n");
3946 }
3947 CHECK(ret == 0);
3948 }
3949 }
3950}
3951
6e052878
PW		 3952/* Tests several edge cases. */
3953void test_ecdsa_edge_cases(void) {
d49abbd5 3954 int t;
dd891e0e 3955 secp256k1_ecdsa_signature sig;
d49abbd5
PW		 3956
3957 /* Test the case where ECDSA recomputes a point that is infinity. */
3958 {
dd891e0e
PW		 3959 secp256k1_gej keyj;
3960 secp256k1_ge key;
3961 secp256k1_scalar msg;
3962 secp256k1_scalar sr, ss;
d49abbd5
PW		 3963 secp256k1_scalar_set_int(&ss, 1);
3964 secp256k1_scalar_negate(&ss, &ss);
3965 secp256k1_scalar_inverse(&ss, &ss);
3966 secp256k1_scalar_set_int(&sr, 1);
3967 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
3968 secp256k1_ge_set_gej(&key, &keyj);
3969 msg = ss;
3970 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
3971 }
3972
96be2046 3973 /* Verify signature with r of zero fails. */
d49abbd5 3974 {
96be2046
GM		 3975 const unsigned char pubkey_mods_zero[33] = {
3976 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3977 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3978 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
3979 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
3980 0x41
3981 };
3982 secp256k1_ge key;
3983 secp256k1_scalar msg;
3984 secp256k1_scalar sr, ss;
3985 secp256k1_scalar_set_int(&ss, 1);
3986 secp256k1_scalar_set_int(&msg, 0);
3987 secp256k1_scalar_set_int(&sr, 0);
3988 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
3989 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
3990 }
3991
3992 /* Verify signature with s of zero fails. */
3993 {
3994 const unsigned char pubkey[33] = {
3995 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3996 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3997 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3998 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3999 0x01
4000 };
4001 secp256k1_ge key;
4002 secp256k1_scalar msg;
4003 secp256k1_scalar sr, ss;
4004 secp256k1_scalar_set_int(&ss, 0);
4005 secp256k1_scalar_set_int(&msg, 0);
4006 secp256k1_scalar_set_int(&sr, 1);
4007 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4008 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4009 }
4010
4011 /* Verify signature with message 0 passes. */
4012 {
4013 const unsigned char pubkey[33] = {
4014 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4015 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4016 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4017 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4018 0x02
4019 };
4020 const unsigned char pubkey2[33] = {
4021 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4022 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4023 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4024 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4025 0x43
4026 };
4027 secp256k1_ge key;
4028 secp256k1_ge key2;
4029 secp256k1_scalar msg;
4030 secp256k1_scalar sr, ss;
4031 secp256k1_scalar_set_int(&ss, 2);
4032 secp256k1_scalar_set_int(&msg, 0);
4033 secp256k1_scalar_set_int(&sr, 2);
4034 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4035 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4036 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4037 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4038 secp256k1_scalar_negate(&ss, &ss);
4039 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4040 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4041 secp256k1_scalar_set_int(&ss, 1);
4042 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4043 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4044 }
4045
4046 /* Verify signature with message 1 passes. */
4047 {
4048 const unsigned char pubkey[33] = {
4049 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
4050 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
4051 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
4052 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
4053 0x25
4054 };
4055 const unsigned char pubkey2[33] = {
4056 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
4057 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
4058 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
4059 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
4060 0x62
4061 };
4062 const unsigned char csr[32] = {
4063 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4064 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4065 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4066 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
4067 };
4068 secp256k1_ge key;
4069 secp256k1_ge key2;
4070 secp256k1_scalar msg;
4071 secp256k1_scalar sr, ss;
4072 secp256k1_scalar_set_int(&ss, 1);
4073 secp256k1_scalar_set_int(&msg, 1);
4074 secp256k1_scalar_set_b32(&sr, csr, NULL);
4075 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4076 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4077 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4078 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4079 secp256k1_scalar_negate(&ss, &ss);
4080 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4081 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4082 secp256k1_scalar_set_int(&ss, 2);
4083 secp256k1_scalar_inverse_var(&ss, &ss);
4084 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4085 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4086 }
4087
4088 /* Verify signature with message -1 passes. */
4089 {
4090 const unsigned char pubkey[33] = {
4091 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
4092 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
4093 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
4094 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
4095 0xf1
4096 };
4097 const unsigned char csr[32] = {
4098 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4099 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4100 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4101 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
4102 };
4103 secp256k1_ge key;
4104 secp256k1_scalar msg;
4105 secp256k1_scalar sr, ss;
4106 secp256k1_scalar_set_int(&ss, 1);
4107 secp256k1_scalar_set_int(&msg, 1);
4108 secp256k1_scalar_negate(&msg, &msg);
4109 secp256k1_scalar_set_b32(&sr, csr, NULL);
4110 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4111 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4112 secp256k1_scalar_negate(&ss, &ss);
4113 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4114 secp256k1_scalar_set_int(&ss, 3);
4115 secp256k1_scalar_inverse_var(&ss, &ss);
4116 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4117 }
4118
4119 /* Signature where s would be zero. */
4120 {
4121 secp256k1_pubkey pubkey;
788038d3 4122 size_t siglen;
96be2046
GM		 4123 int32_t ecount;
4124 unsigned char signature[72];
4125 static const unsigned char nonce[32] = {
d49abbd5
PW		 4126 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4127 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4128 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4129 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4130 };
4131 static const unsigned char nonce2[32] = {
4132 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4133 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4134 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4135 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
4136 };
4137 const unsigned char key[32] = {
4138 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4139 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4140 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4141 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4142 };
4143 unsigned char msg[32] = {
4144 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
4145 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
4146 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
4147 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
4148 };
96be2046
GM		 4149 ecount = 0;
4150 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
dc0ce9fc
PW		 4151 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
4152 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
d49abbd5 4153 msg[31] = 0xaa;
dc0ce9fc 4154 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
96be2046
GM		 4155 CHECK(ecount == 0);
4156 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
4157 CHECK(ecount == 1);
4158 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
4159 CHECK(ecount == 2);
4160 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
4161 CHECK(ecount == 3);
dc0ce9fc 4162 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
96be2046
GM		 4163 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
4164 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
4165 CHECK(ecount == 4);
4166 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
4167 CHECK(ecount == 5);
4168 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
4169 CHECK(ecount == 6);
4170 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
5b71a3f4
GM		 4171 CHECK(ecount == 6);
4172 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4173 CHECK(ecount == 7);
4174 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
4175 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
4176 CHECK(ecount == 8);
d49abbd5 4177 siglen = 72;
96be2046 4178 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
5b71a3f4 4179 CHECK(ecount == 9);
96be2046 4180 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
5b71a3f4 4181 CHECK(ecount == 10);
96be2046 4182 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
5b71a3f4 4183 CHECK(ecount == 11);
d49abbd5 4184 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
5b71a3f4
GM		 4185 CHECK(ecount == 11);
4186 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
4187 CHECK(ecount == 12);
4188 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
4189 CHECK(ecount == 13);
4190 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
4191 CHECK(ecount == 13);
d49abbd5 4192 siglen = 10;
5b71a3f4 4193 /* Too little room for a signature does not fail via ARGCHECK. */
d49abbd5 4194 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
5b71a3f4
GM		 4195 CHECK(ecount == 13);
4196 ecount = 0;
4197 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
4198 CHECK(ecount == 1);
4199 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
4200 CHECK(ecount == 2);
4201 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
4202 CHECK(ecount == 3);
4203 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
4204 CHECK(ecount == 3);
4205 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
4206 CHECK(ecount == 4);
4207 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
4208 CHECK(ecount == 5);
4209 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
4210 CHECK(ecount == 5);
c69dea02
GM		 4211 memset(signature, 255, 64);
4212 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
4213 CHECK(ecount == 5);
96be2046 4214 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
d49abbd5
PW		 4215 }
4216
4217 /* Nonce function corner cases. */
4218 for (t = 0; t < 2; t++) {
4219 static const unsigned char zero[32] = {0x00};
4220 int i;
4221 unsigned char key[32];
4222 unsigned char msg[32];
dd891e0e
PW		 4223 secp256k1_ecdsa_signature sig2;
4224 secp256k1_scalar sr[512], ss;
d49abbd5
PW		 4225 const unsigned char *extra;
4226 extra = t == 0 ? NULL : zero;
4227 memset(msg, 0, 32);
4228 msg[31] = 1;
4229 /* High key results in signature failure. */
4230 memset(key, 0xFF, 32);
dc0ce9fc 4231 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
d49abbd5
PW		 4232 CHECK(is_empty_signature(&sig));
4233 /* Zero key results in signature failure. */
4234 memset(key, 0, 32);
dc0ce9fc 4235 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
d49abbd5
PW		 4236 CHECK(is_empty_signature(&sig));
4237 /* Nonce function failure results in signature failure. */
4238 key[31] = 1;
dc0ce9fc 4239 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
d49abbd5
PW		 4240 CHECK(is_empty_signature(&sig));
4241 /* The retry loop successfully makes its way to the first good value. */
dc0ce9fc 4242 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
d49abbd5 4243 CHECK(!is_empty_signature(&sig));
dc0ce9fc 4244 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
d49abbd5
PW		 4245 CHECK(!is_empty_signature(&sig2));
4246 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
269d4227 4247 /* The default nonce function is deterministic. */
dc0ce9fc 4248 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
d49abbd5
PW		 4249 CHECK(!is_empty_signature(&sig2));
4250 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4251 /* The default nonce function changes output with different messages. */
4252 for(i = 0; i < 256; i++) {
4253 int j;
4254 msg[0] = i;
dc0ce9fc 4255 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
d49abbd5
PW		 4256 CHECK(!is_empty_signature(&sig2));
4257 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4258 for (j = 0; j < i; j++) {
4259 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4260 }
4261 }
4262 msg[0] = 0;
4263 msg[31] = 2;
4264 /* The default nonce function changes output with different keys. */
4265 for(i = 256; i < 512; i++) {
4266 int j;
4267 key[0] = i - 256;
dc0ce9fc 4268 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
d49abbd5
PW		 4269 CHECK(!is_empty_signature(&sig2));
4270 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4271 for (j = 0; j < i; j++) {
4272 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4273 }
4274 }
4275 key[0] = 0;
4276 }
4277
b30fc85c 4278 {
269d4227 4279 /* Check that optional nonce arguments do not have equivalent effect. */
b30fc85c
GM		 4280 const unsigned char zeros[32] = {0};
4281 unsigned char nonce[32];
4282 unsigned char nonce2[32];
4283 unsigned char nonce3[32];
4284 unsigned char nonce4[32];
4285 VG_UNDEF(nonce,32);
4286 VG_UNDEF(nonce2,32);
4287 VG_UNDEF(nonce3,32);
4288 VG_UNDEF(nonce4,32);
4289 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
4290 VG_CHECK(nonce,32);
4291 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
4292 VG_CHECK(nonce2,32);
4293 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
4294 VG_CHECK(nonce3,32);
4295 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
4296 VG_CHECK(nonce4,32);
4297 CHECK(memcmp(nonce, nonce2, 32) != 0);
4298 CHECK(memcmp(nonce, nonce3, 32) != 0);
4299 CHECK(memcmp(nonce, nonce4, 32) != 0);
4300 CHECK(memcmp(nonce2, nonce3, 32) != 0);
4301 CHECK(memcmp(nonce2, nonce4, 32) != 0);
4302 CHECK(memcmp(nonce3, nonce4, 32) != 0);
4303 }
4304
4305
d49abbd5
PW		 4306 /* Privkey export where pubkey is the point at infinity. */
4307 {
4308 unsigned char privkey[300];
4309 unsigned char seckey[32] = {
4310 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4311 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4312 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4313 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
4314 };
788038d3 4315 size_t outlen = 300;
eed87af1 4316 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
1973c737 4317 outlen = 300;
eed87af1 4318 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
d49abbd5
PW		 4319 }
4320}
4321
6e052878
PW		 4322void run_ecdsa_edge_cases(void) {
4323 test_ecdsa_edge_cases();
3bf029d6 4324}
25f4aec0 4325
dd08f037 4326#ifdef ENABLE_OPENSSL_TESTS
7914a6eb 4327EC_KEY *get_openssl_key(const unsigned char *key32) {
12e29b32 4328 unsigned char privkey[300];
788038d3 4329 size_t privkeylen;
12e29b32 4330 const unsigned char* pbegin = privkey;
fa57f1bd 4331 int compr = secp256k1_rand_bits(1);
dd08f037 4332 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
eed87af1 4333 CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
0592d117
PW		 4334 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
4335 CHECK(EC_KEY_check_key(ec_key));
dd08f037
PW		 4336 return ec_key;
4337}
4338
2cad067a 4339void test_ecdsa_openssl(void) {
dd891e0e
PW		 4340 secp256k1_gej qj;
4341 secp256k1_ge q;
4342 secp256k1_scalar sigr, sigs;
4343 secp256k1_scalar one;
4344 secp256k1_scalar msg2;
4345 secp256k1_scalar key, msg;
bf2e1ac7
GM		 4346 EC_KEY *ec_key;
4347 unsigned int sigsize = 80;
788038d3 4348 size_t secp_sigsize = 80;
dd08f037 4349 unsigned char message[32];
bf2e1ac7 4350 unsigned char signature[80];
7914a6eb 4351 unsigned char key32[32];
dd08f037 4352 secp256k1_rand256_test(message);
eca6cdb1 4353 secp256k1_scalar_set_b32(&msg, message, NULL);
a9f5c8b8 4354 random_scalar_order_test(&key);
7914a6eb 4355 secp256k1_scalar_get_b32(key32, &key);
a9b6595e 4356 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
dd08f037 4357 secp256k1_ge_set_gej(&q, &qj);
7914a6eb 4358 ec_key = get_openssl_key(key32);
2b199de8 4359 CHECK(ec_key != NULL);
0592d117 4360 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
18c329c5
PW		 4361 CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
4362 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
f24041d6 4363 secp256k1_scalar_set_int(&one, 1);
f24041d6 4364 secp256k1_scalar_add(&msg2, &msg, &one);
18c329c5 4365 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
dd08f037 4366
18c329c5
PW		 4367 random_sign(&sigr, &sigs, &key, &msg, NULL);
4368 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
9974d869 4369 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
dd08f037 4370
dd08f037 4371 EC_KEY_free(ec_key);
dd08f037
PW		 4372}
4373
2cad067a 4374void run_ecdsa_openssl(void) {
bf2e1ac7
GM		 4375 int i;
4376 for (i = 0; i < 10*count; i++) {
dd08f037
PW		 4377 test_ecdsa_openssl();
4378 }
4379}
4380#endif
4381
0739bbb6
AP		 4382#ifdef ENABLE_MODULE_ECDH
4383# include "modules/ecdh/tests_impl.h"
4384#endif
4385
a5a66c70
PW		 4386#ifdef ENABLE_MODULE_SCHNORR
4387# include "modules/schnorr/tests_impl.h"
4388#endif
4389
9f443be0
PW		 4390#ifdef ENABLE_MODULE_RECOVERY
4391# include "modules/recovery/tests_impl.h"
4392#endif
4393
404c30a8 4394int main(int argc, char **argv) {
89561118
PW		 4395 unsigned char seed16[16] = {0};
4396 unsigned char run32[32] = {0};
71712b27 4397 /* find iteration count */
3fd6253e
PW		 4398 if (argc > 1) {
4399 count = strtol(argv[1], NULL, 0);
4400 }
4401
71712b27 4402 /* find random seed */
3fd6253e 4403 if (argc > 2) {
89561118
PW		 4404 int pos = 0;
4405 const char* ch = argv[2];
4406 while (pos < 16 && ch[0] != 0 && ch[1] != 0) {
4407 unsigned short sh;
4408 if (sscanf(ch, "%2hx", &sh)) {
4409 seed16[pos] = sh;
4410 } else {
4411 break;
4412 }
4413 ch += 2;
4414 pos++;
4415 }
3fd6253e
PW		 4416 } else {
4417 FILE *frand = fopen("/dev/urandom", "r");
2b199de8 4418 if ((frand == NULL) || !fread(&seed16, sizeof(seed16), 1, frand)) {
89561118
PW		 4419 uint64_t t = time(NULL) * (uint64_t)1337;
4420 seed16[0] ^= t;
4421 seed16[1] ^= t >> 8;
4422 seed16[2] ^= t >> 16;
4423 seed16[3] ^= t >> 24;
4424 seed16[4] ^= t >> 32;
4425 seed16[5] ^= t >> 40;
4426 seed16[6] ^= t >> 48;
4427 seed16[7] ^= t >> 56;
3fd6253e
PW		 4428 }
4429 fclose(frand);
4430 }
89561118 4431 secp256k1_rand_seed(seed16);
404c30a8 4432
dd08f037 4433 printf("test count = %i\n", count);
89561118 4434 printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]);
dd08f037 4435
71712b27 4436 /* initialize */
d899b5b6 4437 run_context_tests();
a9b6595e 4438 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
fa57f1bd 4439 if (secp256k1_rand_bits(1)) {
d2275795 4440 secp256k1_rand256(run32);
fa57f1bd 4441 CHECK(secp256k1_context_randomize(ctx, secp256k1_rand_bits(1) ? run32 : NULL));
d2275795 4442 }
49b37498
PW		 4443
4444 run_rand_bits();
4445 run_rand_int();
4446
b37fbc28
PW		 4447 run_sha256_tests();
4448 run_hmac_sha256_tests();
4449 run_rfc6979_hmac_sha256_tests();
4450
597128d3 4451#ifndef USE_NUM_NONE
71712b27 4452 /* num tests */
3f44e1ad 4453 run_num_smalltests();
597128d3 4454#endif
404c30a8 4455
71712b27 4456 /* scalar tests */
79359302
PW		 4457 run_scalar_tests();
4458
71712b27 4459 /* field tests */
f16be77f
PD		 4460 run_field_inv();
4461 run_field_inv_var();
f16be77f 4462 run_field_inv_all_var();
8d11164b 4463 run_field_misc();
ff889f7d 4464 run_field_convert();
59447da3 4465 run_sqr();
09ca4f32
PD		 4466 run_sqrt();
4467
71712b27 4468 /* group tests */
9338dbf7 4469 run_ge();
64666251 4470 run_group_decompress();
9338dbf7 4471
71712b27 4472 /* ecmult tests */
404c30a8
PW		 4473 run_wnaf();
4474 run_point_times_order();
4475 run_ecmult_chain();
d2275795
GM		 4476 run_ecmult_constants();
4477 run_ecmult_gen_blind();
44015000 4478 run_ecmult_const_tests();
a5a66c70 4479 run_ec_combine();
404c30a8 4480
baa75da5
AP		 4481 /* endomorphism tests */
4482#ifdef USE_ENDOMORPHISM
4483 run_endomorphism_tests();
4484#endif
4485
96be2046 4486 /* EC point parser test */
67f7da40
GM		 4487 run_ec_pubkey_parse_test();
4488
96be2046
GM		 4489 /* EC key edge cases */
4490 run_eckey_edge_case_test();
4491
0739bbb6
AP		 4492#ifdef ENABLE_MODULE_ECDH
4493 /* ecdh tests */
4494 run_ecdh_tests();
4495#endif
4496
71712b27 4497 /* ecdsa tests */
7c6fed28 4498 run_random_pubkeys();
3bb9c447 4499 run_ecdsa_der_parse();
404c30a8 4500 run_ecdsa_sign_verify();
25f4aec0 4501 run_ecdsa_end_to_end();
6e052878 4502 run_ecdsa_edge_cases();
dd08f037
PW		 4503#ifdef ENABLE_OPENSSL_TESTS
4504 run_ecdsa_openssl();
4505#endif
910d0de4 4506
a5a66c70
PW		 4507#ifdef ENABLE_MODULE_SCHNORR
4508 /* Schnorr tests */
4509 run_schnorr_tests();
4510#endif
4511
9f443be0
PW		 4512#ifdef ENABLE_MODULE_RECOVERY
4513 /* ECDSA pubkey recovery tests */
4514 run_recovery_tests();
4515#endif
4516
89561118
PW		 4517 secp256k1_rand256(run32);
4518 printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]);
bff11e91 4519
71712b27 4520 /* shutdown */
a9b6595e 4521 secp256k1_context_destroy(ctx);
c996d53a
PW		 4522
4523 printf("no problems found\n");
a41f32e6
PW		 4524 return 0;
4525}
Empty description
This page took 0.728371 seconds and 4 git commands to generate.