]> Git Repo - secp256k1.git/blame - src/tests.c
projects / secp256k1.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Add pippenger_wnaf ecmult_multi
[secp256k1.git] / src / tests.c
CommitLineData
71712b27 1/**********************************************************************
9c4fb23d 2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
71712b27
GM		 3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
0a433ea2 6
78cd96b1
CF		 7#if defined HAVE_CONFIG_H
8#include "libsecp256k1-config.h"
9#endif
10
5a9989c5 11#include <stdio.h>
0592d117 12#include <stdlib.h>
8e48aa60 13#include <string.h>
a41f32e6 14
e06a9244
PJ		 15#include <time.h>
16
25f4aec0 17#include "secp256k1.c"
67f7da40 18#include "include/secp256k1.h"
f0709ac5 19#include "testrand_impl.h"
a41f32e6 20
dd08f037
PW		 21#ifdef ENABLE_OPENSSL_TESTS
22#include "openssl/bn.h"
23#include "openssl/ec.h"
24#include "openssl/ecdsa.h"
25#include "openssl/obj_mac.h"
26#endif
27
eed87af1
AP		 28#include "contrib/lax_der_parsing.c"
29#include "contrib/lax_der_privatekey_parsing.c"
fea19e7b 30
67f7da40
GM		 31#if !defined(VG_CHECK)
32# if defined(VALGRIND)
33# include <valgrind/memcheck.h>
34# define VG_UNDEF(x,y) VALGRIND_MAKE_MEM_UNDEFINED((x),(y))
35# define VG_CHECK(x,y) VALGRIND_CHECK_MEM_IS_DEFINED((x),(y))
36# else
37# define VG_UNDEF(x,y)
38# define VG_CHECK(x,y)
39# endif
40#endif
41
79f599d3 42static int count = 64;
dd891e0e 43static secp256k1_context *ctx = NULL;
4adf6b2a 44
96be2046
GM		 45static void counting_illegal_callback_fn(const char* str, void* data) {
46 /* Dummy callback function that just counts. */
47 int32_t *p;
48 (void)str;
49 p = data;
50 (*p)++;
51}
52
53static void uncounting_illegal_callback_fn(const char* str, void* data) {
54 /* Dummy callback function that just counts (backwards). */
55 int32_t *p;
56 (void)str;
57 p = data;
58 (*p)--;
59}
60
dd891e0e 61void random_field_element_test(secp256k1_fe *fe) {
9338dbf7
PW		 62 do {
63 unsigned char b32[32];
64 secp256k1_rand256_test(b32);
659b554d
PW		 65 if (secp256k1_fe_set_b32(fe, b32)) {
66 break;
67 }
9338dbf7
PW		 68 } while(1);
69}
70
dd891e0e
PW		 71void random_field_element_magnitude(secp256k1_fe *fe) {
72 secp256k1_fe zero;
fa57f1bd 73 int n = secp256k1_rand_int(9);
9338dbf7 74 secp256k1_fe_normalize(fe);
60571c6e
PW		 75 if (n == 0) {
76 return;
9338dbf7 77 }
60571c6e
PW		 78 secp256k1_fe_clear(&zero);
79 secp256k1_fe_negate(&zero, &zero, 0);
80 secp256k1_fe_mul_int(&zero, n - 1);
81 secp256k1_fe_add(fe, &zero);
3f3964e4 82 VERIFY_CHECK(fe->magnitude == n);
9338dbf7
PW		 83}
84
dd891e0e
PW		 85void random_group_element_test(secp256k1_ge *ge) {
86 secp256k1_fe fe;
9338dbf7
PW		 87 do {
88 random_field_element_test(&fe);
fa57f1bd 89 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand_bits(1))) {
baa75da5 90 secp256k1_fe_normalize(&ge->y);
9338dbf7 91 break;
26320197 92 }
9338dbf7
PW		 93 } while(1);
94}
95
dd891e0e
PW		 96void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
97 secp256k1_fe z2, z3;
9338dbf7
PW		 98 do {
99 random_field_element_test(&gej->z);
100 if (!secp256k1_fe_is_zero(&gej->z)) {
101 break;
102 }
103 } while(1);
bf2e1ac7
GM		 104 secp256k1_fe_sqr(&z2, &gej->z);
105 secp256k1_fe_mul(&z3, &z2, &gej->z);
9338dbf7
PW		 106 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
107 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
108 gej->infinity = ge->infinity;
109}
110
dd891e0e 111void random_scalar_order_test(secp256k1_scalar *num) {
a9f5c8b8
PW		 112 do {
113 unsigned char b32[32];
a9f5c8b8 114 int overflow = 0;
bf2e1ac7 115 secp256k1_rand256_test(b32);
eca6cdb1 116 secp256k1_scalar_set_b32(num, b32, &overflow);
26320197 117 if (overflow || secp256k1_scalar_is_zero(num)) {
a9f5c8b8 118 continue;
26320197 119 }
a9f5c8b8
PW		 120 break;
121 } while(1);
122}
123
dd891e0e 124void random_scalar_order(secp256k1_scalar *num) {
f24041d6
PW		 125 do {
126 unsigned char b32[32];
f24041d6 127 int overflow = 0;
bf2e1ac7 128 secp256k1_rand256(b32);
f24041d6 129 secp256k1_scalar_set_b32(num, b32, &overflow);
26320197 130 if (overflow || secp256k1_scalar_is_zero(num)) {
f24041d6 131 continue;
26320197 132 }
f24041d6
PW		 133 break;
134 } while(1);
135}
136
d899b5b6 137void run_context_tests(void) {
96be2046 138 secp256k1_pubkey pubkey;
8e48aa60 139 secp256k1_pubkey zero_pubkey;
96be2046
GM		 140 secp256k1_ecdsa_signature sig;
141 unsigned char ctmp[32];
142 int32_t ecount;
143 int32_t ecount2;
1a368980 144 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
dd891e0e
PW		 145 secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
146 secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
147 secp256k1_context *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
d899b5b6 148
dd891e0e
PW		 149 secp256k1_gej pubj;
150 secp256k1_ge pub;
151 secp256k1_scalar msg, key, nonce;
152 secp256k1_scalar sigr, sigs;
d899b5b6 153
8e48aa60
AP		 154 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
155
96be2046
GM		 156 ecount = 0;
157 ecount2 = 10;
158 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
159 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
160 secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, NULL);
161 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
162
d899b5b6
AP		 163 /*** clone and destroy all of them to make sure cloning was complete ***/
164 {
dd891e0e 165 secp256k1_context *ctx_tmp;
d899b5b6
AP		 166
167 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_destroy(ctx_tmp);
168 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_destroy(ctx_tmp);
169 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_destroy(ctx_tmp);
170 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_destroy(ctx_tmp);
171 }
172
96be2046
GM		 173 /* Verify that the error callback makes it across the clone. */
174 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
175 /* And that it resets back to default. */
176 secp256k1_context_set_error_callback(sign, NULL, NULL);
177 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
178
d899b5b6
AP		 179 /*** attempt to use them ***/
180 random_scalar_order_test(&msg);
181 random_scalar_order_test(&key);
182 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
183 secp256k1_ge_set_gej(&pub, &pubj);
184
96be2046
GM		 185 /* Verify context-type checking illegal-argument errors. */
186 memset(ctmp, 1, 32);
187 CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
188 CHECK(ecount == 1);
189 VG_UNDEF(&pubkey, sizeof(pubkey));
190 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
191 VG_CHECK(&pubkey, sizeof(pubkey));
192 CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
193 CHECK(ecount == 2);
194 VG_UNDEF(&sig, sizeof(sig));
195 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
196 VG_CHECK(&sig, sizeof(sig));
197 CHECK(ecount2 == 10);
198 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
199 CHECK(ecount2 == 11);
200 CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
201 CHECK(ecount == 2);
202 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
203 CHECK(ecount2 == 12);
204 CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
205 CHECK(ecount == 2);
206 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
207 CHECK(ecount2 == 13);
8e48aa60 208 CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
96be2046 209 CHECK(ecount == 2);
8e48aa60
AP		 210 CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
211 CHECK(ecount == 2);
212 CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
213 CHECK(ecount2 == 14);
214 CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
215 CHECK(ecount == 3);
216 CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
96be2046 217 CHECK(ecount == 3);
8e48aa60
AP		 218 CHECK(secp256k1_context_randomize(vrfy, ctmp) == 0);
219 CHECK(ecount == 4);
96be2046 220 CHECK(secp256k1_context_randomize(sign, NULL) == 1);
8e48aa60 221 CHECK(ecount2 == 14);
96be2046
GM		 222 secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
223 secp256k1_context_set_illegal_callback(sign, NULL, NULL);
224
225 /* This shouldn't leak memory, due to already-set tests. */
226 secp256k1_ecmult_gen_context_build(&sign->ecmult_gen_ctx, NULL);
227 secp256k1_ecmult_context_build(&vrfy->ecmult_ctx, NULL);
228
d899b5b6
AP		 229 /* obtain a working nonce */
230 do {
231 random_scalar_order_test(&nonce);
18c329c5 232 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
d899b5b6
AP		 233
234 /* try signing */
18c329c5
PW		 235 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
236 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
d899b5b6
AP		 237
238 /* try verifying */
18c329c5
PW		 239 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
240 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
5c2a4fad
AP		 241
242 /* cleanup */
243 secp256k1_context_destroy(none);
244 secp256k1_context_destroy(sign);
245 secp256k1_context_destroy(vrfy);
246 secp256k1_context_destroy(both);
5b71a3f4
GM		 247 /* Defined as no-op. */
248 secp256k1_context_destroy(NULL);
d899b5b6
AP		 249}
250
548de42e
AP		 251void run_scratch_tests(void) {
252 int32_t ecount = 0;
253 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
254 secp256k1_scratch_space *scratch;
255
256 /* Test public API */
257 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
258 scratch = secp256k1_scratch_space_create(none, 100, 10);
259 CHECK(scratch == NULL);
260 CHECK(ecount == 1);
261
262 scratch = secp256k1_scratch_space_create(none, 100, 100);
263 CHECK(scratch != NULL);
264 CHECK(ecount == 1);
265 secp256k1_scratch_space_destroy(scratch);
266
267 scratch = secp256k1_scratch_space_create(none, 100, 1000);
268 CHECK(scratch != NULL);
269 CHECK(ecount == 1);
270
271 /* Test internal API */
272 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
273 CHECK(secp256k1_scratch_max_allocation(scratch, 1) < 1000);
274 CHECK(secp256k1_scratch_resize(scratch, 50, 1) == 1); /* no-op */
275 CHECK(secp256k1_scratch_resize(scratch, 200, 1) == 1);
276 CHECK(secp256k1_scratch_resize(scratch, 950, 1) == 1);
277 CHECK(secp256k1_scratch_resize(scratch, 1000, 1) == 0);
278 CHECK(secp256k1_scratch_resize(scratch, 2000, 1) == 0);
279 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
280
281 /* cleanup */
282 secp256k1_scratch_space_destroy(scratch);
283 secp256k1_context_destroy(none);
284}
285
b37fbc28
PW		 286/***** HASH TESTS *****/
287
288void run_sha256_tests(void) {
289 static const char *inputs[8] = {
290 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
291 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
292 "For this sample, this 63-byte string will be used as input data",
293 "This is exactly 64 bytes long, not counting the terminating byte"
294 };
295 static const unsigned char outputs[8][32] = {
296 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
297 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
298 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
299 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
300 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
301 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
302 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
303 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
304 };
bf2e1ac7
GM		 305 int i;
306 for (i = 0; i < 8; i++) {
307 unsigned char out[32];
d1dc9dfc 308 secp256k1_sha256 hasher;
b37fbc28
PW		 309 secp256k1_sha256_initialize(&hasher);
310 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
b37fbc28
PW		 311 secp256k1_sha256_finalize(&hasher, out);
312 CHECK(memcmp(out, outputs[i], 32) == 0);
313 if (strlen(inputs[i]) > 0) {
fa57f1bd 314 int split = secp256k1_rand_int(strlen(inputs[i]));
bf2e1ac7 315 secp256k1_sha256_initialize(&hasher);
b37fbc28
PW		 316 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
317 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
318 secp256k1_sha256_finalize(&hasher, out);
319 CHECK(memcmp(out, outputs[i], 32) == 0);
320 }
321 }
322}
323
324void run_hmac_sha256_tests(void) {
325 static const char *keys[6] = {
326 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
327 "\x4a\x65\x66\x65",
328 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
329 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
330 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
331 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
332 };
333 static const char *inputs[6] = {
334 "\x48\x69\x20\x54\x68\x65\x72\x65",
335 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
336 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
337 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
338 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
339 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
340 };
341 static const unsigned char outputs[6][32] = {
342 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
343 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
344 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
345 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
346 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
347 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
348 };
bf2e1ac7
GM		 349 int i;
350 for (i = 0; i < 6; i++) {
d1dc9dfc 351 secp256k1_hmac_sha256 hasher;
bf2e1ac7 352 unsigned char out[32];
b37fbc28
PW		 353 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
354 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
b37fbc28
PW		 355 secp256k1_hmac_sha256_finalize(&hasher, out);
356 CHECK(memcmp(out, outputs[i], 32) == 0);
357 if (strlen(inputs[i]) > 0) {
fa57f1bd 358 int split = secp256k1_rand_int(strlen(inputs[i]));
bf2e1ac7 359 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
b37fbc28
PW		 360 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
361 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
362 secp256k1_hmac_sha256_finalize(&hasher, out);
363 CHECK(memcmp(out, outputs[i], 32) == 0);
364 }
365 }
366}
367
368void run_rfc6979_hmac_sha256_tests(void) {
3e6f1e20 369 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
b37fbc28
PW		 370 static const unsigned char out1[3][32] = {
371 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
372 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
373 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
374 };
375
3e6f1e20 376 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
b37fbc28
PW		 377 static const unsigned char out2[3][32] = {
378 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
379 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
380 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
381 };
382
d1dc9dfc 383 secp256k1_rfc6979_hmac_sha256 rng;
b37fbc28 384 unsigned char out[32];
bf2e1ac7 385 int i;
b37fbc28 386
3e6f1e20 387 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
bf2e1ac7 388 for (i = 0; i < 3; i++) {
b37fbc28
PW		 389 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
390 CHECK(memcmp(out, out1[i], 32) == 0);
391 }
392 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
393
3e6f1e20 394 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
1573a102
PW		 395 for (i = 0; i < 3; i++) {
396 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
397 CHECK(memcmp(out, out1[i], 32) != 0);
398 }
399 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
400
3e6f1e20 401 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
bf2e1ac7 402 for (i = 0; i < 3; i++) {
b37fbc28
PW		 403 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
404 CHECK(memcmp(out, out2[i], 32) == 0);
405 }
406 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
407}
408
49b37498
PW		 409/***** RANDOM TESTS *****/
410
411void test_rand_bits(int rand32, int bits) {
412 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
413 * get a false negative chance below once in a billion */
414 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
415 /* We try multiplying the results with various odd numbers, which shouldn't
416 * influence the uniform distribution modulo a power of 2. */
417 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
418 /* We only select up to 6 bits from the output to analyse */
419 unsigned int usebits = bits > 6 ? 6 : bits;
420 unsigned int maxshift = bits - usebits;
421 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
422 number, track all observed outcomes, one per bit in a uint64_t. */
423 uint64_t x[6][27] = {{0}};
424 unsigned int i, shift, m;
425 /* Multiply the output of all rand calls with the odd number m, which
426 should not change the uniformity of its distribution. */
427 for (i = 0; i < rounds[usebits]; i++) {
428 uint32_t r = (rand32 ? secp256k1_rand32() : secp256k1_rand_bits(bits));
429 CHECK((((uint64_t)r) >> bits) == 0);
430 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
431 uint32_t rm = r * mults[m];
432 for (shift = 0; shift <= maxshift; shift++) {
433 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
434 }
435 }
436 }
437 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
438 for (shift = 0; shift <= maxshift; shift++) {
439 /* Test that the lower usebits bits of x[shift] are 1 */
440 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
441 }
442 }
443}
444
445/* Subrange must be a whole divisor of range, and at most 64 */
446void test_rand_int(uint32_t range, uint32_t subrange) {
447 /* (1-1/subrange)^rounds < 1/10^9 */
448 int rounds = (subrange * 2073) / 100;
449 int i;
450 uint64_t x = 0;
451 CHECK((range % subrange) == 0);
452 for (i = 0; i < rounds; i++) {
453 uint32_t r = secp256k1_rand_int(range);
454 CHECK(r < range);
455 r = r % subrange;
456 x |= (((uint64_t)1) << r);
457 }
458 /* Test that the lower subrange bits of x are 1. */
459 CHECK(((~x) << (64 - subrange)) == 0);
460}
461
462void run_rand_bits(void) {
463 size_t b;
464 test_rand_bits(1, 32);
465 for (b = 1; b <= 32; b++) {
466 test_rand_bits(0, b);
467 }
468}
469
470void run_rand_int(void) {
471 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
472 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
473 unsigned int m, s;
474 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
475 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
476 test_rand_int(ms[m] * ss[s], ss[s]);
477 }
478 }
479}
480
659b554d
PW		 481/***** NUM TESTS *****/
482
597128d3 483#ifndef USE_NUM_NONE
dd891e0e 484void random_num_negate(secp256k1_num *num) {
fa57f1bd 485 if (secp256k1_rand_bits(1)) {
659b554d 486 secp256k1_num_negate(num);
26320197 487 }
659b554d
PW		 488}
489
dd891e0e
PW		 490void random_num_order_test(secp256k1_num *num) {
491 secp256k1_scalar sc;
659b554d
PW		 492 random_scalar_order_test(&sc);
493 secp256k1_scalar_get_num(num, &sc);
494}
495
dd891e0e
PW		 496void random_num_order(secp256k1_num *num) {
497 secp256k1_scalar sc;
659b554d
PW		 498 random_scalar_order(&sc);
499 secp256k1_scalar_get_num(num, &sc);
404c30a8
PW		 500}
501
2cad067a 502void test_num_negate(void) {
dd891e0e
PW		 503 secp256k1_num n1;
504 secp256k1_num n2;
71712b27 505 random_num_order_test(&n1); /* n1 = R */
3f44e1ad 506 random_num_negate(&n1);
71712b27
GM		 507 secp256k1_num_copy(&n2, &n1); /* n2 = R */
508 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
0592d117 509 CHECK(secp256k1_num_is_zero(&n1));
71712b27
GM		 510 secp256k1_num_copy(&n1, &n2); /* n1 = R */
511 secp256k1_num_negate(&n1); /* n1 = -R */
0592d117 512 CHECK(!secp256k1_num_is_zero(&n1));
71712b27 513 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
0592d117 514 CHECK(secp256k1_num_is_zero(&n1));
71712b27
GM		 515 secp256k1_num_copy(&n1, &n2); /* n1 = R */
516 secp256k1_num_negate(&n1); /* n1 = -R */
0592d117 517 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
71712b27 518 secp256k1_num_negate(&n1); /* n1 = R */
1a749b4a 519 CHECK(secp256k1_num_eq(&n1, &n2));
3f44e1ad
PW		 520}
521
2cad067a 522void test_num_add_sub(void) {
efd953a7
PD		 523 int i;
524 secp256k1_scalar s;
dd891e0e
PW		 525 secp256k1_num n1;
526 secp256k1_num n2;
527 secp256k1_num n1p2, n2p1, n1m2, n2m1;
71712b27 528 random_num_order_test(&n1); /* n1 = R1 */
fa57f1bd 529 if (secp256k1_rand_bits(1)) {
1a749b4a
PW		 530 random_num_negate(&n1);
531 }
71712b27 532 random_num_order_test(&n2); /* n2 = R2 */
fa57f1bd 533 if (secp256k1_rand_bits(1)) {
1a749b4a
PW		 534 random_num_negate(&n2);
535 }
71712b27
GM		 536 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
537 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
538 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
539 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
1a749b4a
PW		 540 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
541 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
71712b27 542 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
1a749b4a
PW		 543 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
544 CHECK(!secp256k1_num_eq(&n2m1, &n1));
71712b27 545 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
1a749b4a
PW		 546 CHECK(secp256k1_num_eq(&n2m1, &n1));
547 CHECK(!secp256k1_num_eq(&n2p1, &n1));
71712b27 548 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
1a749b4a 549 CHECK(secp256k1_num_eq(&n2p1, &n1));
efd953a7
PD		 550
551 /* check is_one */
552 secp256k1_scalar_set_int(&s, 1);
553 secp256k1_scalar_get_num(&n1, &s);
554 CHECK(secp256k1_num_is_one(&n1));
555 /* check that 2^n + 1 is never 1 */
556 secp256k1_scalar_get_num(&n2, &s);
557 for (i = 0; i < 250; ++i) {
558 secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */
559 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */
560 CHECK(!secp256k1_num_is_one(&n1p2));
561 }
562}
563
564void test_num_mod(void) {
565 int i;
566 secp256k1_scalar s;
567 secp256k1_num order, n;
568
569 /* check that 0 mod anything is 0 */
7d893f49 570 random_scalar_order_test(&s);
efd953a7
PD		 571 secp256k1_scalar_get_num(&order, &s);
572 secp256k1_scalar_set_int(&s, 0);
573 secp256k1_scalar_get_num(&n, &s);
574 secp256k1_num_mod(&n, &order);
575 CHECK(secp256k1_num_is_zero(&n));
576
577 /* check that anything mod 1 is 0 */
578 secp256k1_scalar_set_int(&s, 1);
579 secp256k1_scalar_get_num(&order, &s);
580 secp256k1_scalar_get_num(&n, &s);
581 secp256k1_num_mod(&n, &order);
582 CHECK(secp256k1_num_is_zero(&n));
583
584 /* check that increasing the number past 2^256 does not break this */
7d893f49 585 random_scalar_order_test(&s);
efd953a7
PD		 586 secp256k1_scalar_get_num(&n, &s);
587 /* multiply by 2^8, which'll test this case with high probability */
588 for (i = 0; i < 8; ++i) {
589 secp256k1_num_add(&n, &n, &n);
590 }
591 secp256k1_num_mod(&n, &order);
592 CHECK(secp256k1_num_is_zero(&n));
593}
594
595void test_num_jacobi(void) {
596 secp256k1_scalar sqr;
597 secp256k1_scalar small;
598 secp256k1_scalar five; /* five is not a quadratic residue */
599 secp256k1_num order, n;
600 int i;
601 /* squares mod 5 are 1, 4 */
602 const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
603
604 /* check some small values with 5 as the order */
605 secp256k1_scalar_set_int(&five, 5);
606 secp256k1_scalar_get_num(&order, &five);
607 for (i = 0; i < 10; ++i) {
608 secp256k1_scalar_set_int(&small, i);
609 secp256k1_scalar_get_num(&n, &small);
610 CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
611 }
612
613 /** test large values with 5 as group order */
614 secp256k1_scalar_get_num(&order, &five);
615 /* we first need a scalar which is not a multiple of 5 */
616 do {
617 secp256k1_num fiven;
7d893f49 618 random_scalar_order_test(&sqr);
efd953a7
PD		 619 secp256k1_scalar_get_num(&fiven, &five);
620 secp256k1_scalar_get_num(&n, &sqr);
621 secp256k1_num_mod(&n, &fiven);
622 } while (secp256k1_num_is_zero(&n));
623 /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
624 * just multiply by two, i.e. add the number to itself */
625 if (secp256k1_num_jacobi(&n, &order) == -1) {
626 secp256k1_num_add(&n, &n, &n);
627 }
628
629 /* test residue */
630 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
631 /* test nonresidue */
632 secp256k1_num_add(&n, &n, &n);
633 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
634
635 /** test with secp group order as order */
636 secp256k1_scalar_order_get_num(&order);
7d893f49 637 random_scalar_order_test(&sqr);
efd953a7
PD		 638 secp256k1_scalar_sqr(&sqr, &sqr);
639 /* test residue */
640 secp256k1_scalar_get_num(&n, &sqr);
641 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
642 /* test nonresidue */
643 secp256k1_scalar_mul(&sqr, &sqr, &five);
644 secp256k1_scalar_get_num(&n, &sqr);
645 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
646 /* test multiple of the order*/
647 CHECK(secp256k1_num_jacobi(&order, &order) == 0);
648
649 /* check one less than the order */
650 secp256k1_scalar_set_int(&small, 1);
651 secp256k1_scalar_get_num(&n, &small);
652 secp256k1_num_sub(&n, &order, &n);
653 CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */
3f44e1ad
PW		 654}
655
2cad067a 656void run_num_smalltests(void) {
bf2e1ac7
GM		 657 int i;
658 for (i = 0; i < 100*count; i++) {
3f44e1ad
PW		 659 test_num_negate();
660 test_num_add_sub();
efd953a7
PD		 661 test_num_mod();
662 test_num_jacobi();
3f44e1ad 663 }
3f44e1ad 664}
597128d3 665#endif
3f44e1ad 666
79359302
PW		 667/***** SCALAR TESTS *****/
668
79359302 669void scalar_test(void) {
dd891e0e
PW		 670 secp256k1_scalar s;
671 secp256k1_scalar s1;
672 secp256k1_scalar s2;
bf2e1ac7 673#ifndef USE_NUM_NONE
dd891e0e
PW		 674 secp256k1_num snum, s1num, s2num;
675 secp256k1_num order, half_order;
bf2e1ac7 676#endif
79359302
PW		 677 unsigned char c[32];
678
71712b27 679 /* Set 's' to a random scalar, with value 'snum'. */
659b554d 680 random_scalar_order_test(&s);
79359302 681
71712b27 682 /* Set 's1' to a random scalar, with value 's1num'. */
659b554d 683 random_scalar_order_test(&s1);
79359302 684
71712b27 685 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
659b554d
PW		 686 random_scalar_order_test(&s2);
687 secp256k1_scalar_get_b32(c, &s2);
688
597128d3 689#ifndef USE_NUM_NONE
659b554d
PW		 690 secp256k1_scalar_get_num(&snum, &s);
691 secp256k1_scalar_get_num(&s1num, &s1);
692 secp256k1_scalar_get_num(&s2num, &s2);
693
659b554d 694 secp256k1_scalar_order_get_num(&order);
bf2e1ac7 695 half_order = order;
659b554d 696 secp256k1_num_shift(&half_order, 1);
597128d3 697#endif
79359302
PW		 698
699 {
bf2e1ac7 700 int i;
71712b27 701 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
dd891e0e 702 secp256k1_scalar n;
1e6c77c3 703 secp256k1_scalar_set_int(&n, 0);
bf2e1ac7 704 for (i = 0; i < 256; i += 4) {
dd891e0e 705 secp256k1_scalar t;
bf2e1ac7 706 int j;
1e6c77c3 707 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
bf2e1ac7 708 for (j = 0; j < 4; j++) {
1e6c77c3
PW		 709 secp256k1_scalar_add(&n, &n, &n);
710 }
711 secp256k1_scalar_add(&n, &n, &t);
79359302 712 }
1e6c77c3
PW		 713 CHECK(secp256k1_scalar_eq(&n, &s));
714 }
715
716 {
717 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
dd891e0e 718 secp256k1_scalar n;
1e6c77c3 719 int i = 0;
bf2e1ac7 720 secp256k1_scalar_set_int(&n, 0);
1e6c77c3 721 while (i < 256) {
dd891e0e 722 secp256k1_scalar t;
bf2e1ac7 723 int j;
fa57f1bd 724 int now = secp256k1_rand_int(15) + 1;
1e6c77c3
PW		 725 if (now + i > 256) {
726 now = 256 - i;
727 }
1e6c77c3 728 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
bf2e1ac7 729 for (j = 0; j < now; j++) {
1e6c77c3
PW		 730 secp256k1_scalar_add(&n, &n, &n);
731 }
732 secp256k1_scalar_add(&n, &n, &t);
733 i += now;
734 }
735 CHECK(secp256k1_scalar_eq(&n, &s));
79359302
PW		 736 }
737
597128d3 738#ifndef USE_NUM_NONE
79359302 739 {
71712b27 740 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
dd891e0e
PW		 741 secp256k1_num rnum;
742 secp256k1_num r2num;
743 secp256k1_scalar r;
79359302 744 secp256k1_num_add(&rnum, &snum, &s2num);
659b554d 745 secp256k1_num_mod(&rnum, &order);
79359302 746 secp256k1_scalar_add(&r, &s, &s2);
79359302
PW		 747 secp256k1_scalar_get_num(&r2num, &r);
748 CHECK(secp256k1_num_eq(&rnum, &r2num));
79359302
PW		 749 }
750
751 {
269d4227 752 /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
dd891e0e
PW		 753 secp256k1_scalar r;
754 secp256k1_num r2num;
755 secp256k1_num rnum;
79359302 756 secp256k1_num_mul(&rnum, &snum, &s2num);
659b554d 757 secp256k1_num_mod(&rnum, &order);
79359302 758 secp256k1_scalar_mul(&r, &s, &s2);
79359302
PW		 759 secp256k1_scalar_get_num(&r2num, &r);
760 CHECK(secp256k1_num_eq(&rnum, &r2num));
71712b27 761 /* The result can only be zero if at least one of the factors was zero. */
79359302 762 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
71712b27 763 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
79359302
PW		 764 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
765 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
79359302
PW		 766 }
767
768 {
dd891e0e
PW		 769 secp256k1_scalar neg;
770 secp256k1_num negnum;
771 secp256k1_num negnum2;
71712b27 772 /* Check that comparison with zero matches comparison with zero on the number. */
79359302 773 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
71712b27 774 /* Check that comparison with the half order is equal to testing for high scalar. */
659b554d 775 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
79359302 776 secp256k1_scalar_negate(&neg, &s);
659b554d
PW		 777 secp256k1_num_sub(&negnum, &order, &snum);
778 secp256k1_num_mod(&negnum, &order);
71712b27 779 /* Check that comparison with the half order is equal to testing for high scalar after negation. */
659b554d 780 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
71712b27 781 /* Negating should change the high property, unless the value was already zero. */
79359302 782 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
79359302 783 secp256k1_scalar_get_num(&negnum2, &neg);
71712b27 784 /* Negating a scalar should be equal to (order - n) mod order on the number. */
79359302
PW		 785 CHECK(secp256k1_num_eq(&negnum, &negnum2));
786 secp256k1_scalar_add(&neg, &neg, &s);
71712b27 787 /* Adding a number to its negation should result in zero. */
79359302
PW		 788 CHECK(secp256k1_scalar_is_zero(&neg));
789 secp256k1_scalar_negate(&neg, &neg);
71712b27 790 /* Negating zero should still result in zero. */
79359302 791 CHECK(secp256k1_scalar_is_zero(&neg));
79359302 792 }
ff8746d4
PW		 793
794 {
795 /* Test secp256k1_scalar_mul_shift_var. */
dd891e0e
PW		 796 secp256k1_scalar r;
797 secp256k1_num one;
798 secp256k1_num rnum;
799 secp256k1_num rnum2;
bf2e1ac7 800 unsigned char cone[1] = {0x01};
fa57f1bd 801 unsigned int shift = 256 + secp256k1_rand_int(257);
ff8746d4 802 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
ff8746d4
PW		 803 secp256k1_num_mul(&rnum, &s1num, &s2num);
804 secp256k1_num_shift(&rnum, shift - 1);
ff8746d4
PW		 805 secp256k1_num_set_bin(&one, cone, 1);
806 secp256k1_num_add(&rnum, &rnum, &one);
807 secp256k1_num_shift(&rnum, 1);
ff8746d4
PW		 808 secp256k1_scalar_get_num(&rnum2, &r);
809 CHECK(secp256k1_num_eq(&rnum, &rnum2));
810 }
44015000
AP		 811
812 {
813 /* test secp256k1_scalar_shr_int */
dd891e0e 814 secp256k1_scalar r;
44015000 815 int i;
44015000
AP		 816 random_scalar_order_test(&r);
817 for (i = 0; i < 100; ++i) {
cfe0ed91 818 int low;
fa57f1bd 819 int shift = 1 + secp256k1_rand_int(15);
44015000
AP		 820 int expected = r.d[0] % (1 << shift);
821 low = secp256k1_scalar_shr_int(&r, shift);
822 CHECK(expected == low);
823 }
824 }
597128d3 825#endif
79359302
PW		 826
827 {
71712b27 828 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
79359302 829 if (!secp256k1_scalar_is_zero(&s)) {
dd891e0e 830 secp256k1_scalar inv;
597128d3 831#ifndef USE_NUM_NONE
dd891e0e
PW		 832 secp256k1_num invnum;
833 secp256k1_num invnum2;
bf2e1ac7
GM		 834#endif
835 secp256k1_scalar_inverse(&inv, &s);
836#ifndef USE_NUM_NONE
837 secp256k1_num_mod_inverse(&invnum, &snum, &order);
79359302
PW		 838 secp256k1_scalar_get_num(&invnum2, &inv);
839 CHECK(secp256k1_num_eq(&invnum, &invnum2));
597128d3 840#endif
79359302 841 secp256k1_scalar_mul(&inv, &inv, &s);
71712b27 842 /* Multiplying a scalar with its inverse must result in one. */
79359302
PW		 843 CHECK(secp256k1_scalar_is_one(&inv));
844 secp256k1_scalar_inverse(&inv, &inv);
71712b27 845 /* Inverting one must result in one. */
79359302 846 CHECK(secp256k1_scalar_is_one(&inv));
efd953a7
PD		 847#ifndef USE_NUM_NONE
848 secp256k1_scalar_get_num(&invnum, &inv);
849 CHECK(secp256k1_num_is_one(&invnum));
850#endif
79359302
PW		 851 }
852 }
853
854 {
71712b27 855 /* Test commutativity of add. */
dd891e0e 856 secp256k1_scalar r1, r2;
79359302
PW		 857 secp256k1_scalar_add(&r1, &s1, &s2);
858 secp256k1_scalar_add(&r2, &s2, &s1);
859 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 860 }
861
52132078 862 {
dd891e0e
PW		 863 secp256k1_scalar r1, r2;
864 secp256k1_scalar b;
bf2e1ac7 865 int i;
52132078 866 /* Test add_bit. */
fa57f1bd 867 int bit = secp256k1_rand_bits(8);
1e6c77c3 868 secp256k1_scalar_set_int(&b, 1);
52132078 869 CHECK(secp256k1_scalar_is_one(&b));
bf2e1ac7 870 for (i = 0; i < bit; i++) {
52132078
PW		 871 secp256k1_scalar_add(&b, &b, &b);
872 }
bf2e1ac7
GM		 873 r1 = s1;
874 r2 = s1;
29ae1310 875 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
52132078 876 /* No overflow happened. */
ed35d43a
AP		 877 secp256k1_scalar_cadd_bit(&r2, bit, 1);
878 CHECK(secp256k1_scalar_eq(&r1, &r2));
879 /* cadd is a noop when flag is zero */
880 secp256k1_scalar_cadd_bit(&r2, bit, 0);
52132078
PW		 881 CHECK(secp256k1_scalar_eq(&r1, &r2));
882 }
883 }
884
79359302 885 {
71712b27 886 /* Test commutativity of mul. */
dd891e0e 887 secp256k1_scalar r1, r2;
79359302
PW		 888 secp256k1_scalar_mul(&r1, &s1, &s2);
889 secp256k1_scalar_mul(&r2, &s2, &s1);
890 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 891 }
892
893 {
71712b27 894 /* Test associativity of add. */
dd891e0e 895 secp256k1_scalar r1, r2;
79359302
PW		 896 secp256k1_scalar_add(&r1, &s1, &s2);
897 secp256k1_scalar_add(&r1, &r1, &s);
898 secp256k1_scalar_add(&r2, &s2, &s);
899 secp256k1_scalar_add(&r2, &s1, &r2);
900 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 901 }
902
903 {
71712b27 904 /* Test associativity of mul. */
dd891e0e 905 secp256k1_scalar r1, r2;
79359302
PW		 906 secp256k1_scalar_mul(&r1, &s1, &s2);
907 secp256k1_scalar_mul(&r1, &r1, &s);
908 secp256k1_scalar_mul(&r2, &s2, &s);
909 secp256k1_scalar_mul(&r2, &s1, &r2);
910 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 911 }
912
913 {
71712b27 914 /* Test distributitivity of mul over add. */
dd891e0e 915 secp256k1_scalar r1, r2, t;
79359302
PW		 916 secp256k1_scalar_add(&r1, &s1, &s2);
917 secp256k1_scalar_mul(&r1, &r1, &s);
918 secp256k1_scalar_mul(&r2, &s1, &s);
919 secp256k1_scalar_mul(&t, &s2, &s);
920 secp256k1_scalar_add(&r2, &r2, &t);
921 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302 922 }
1d52a8b1
PW		 923
924 {
71712b27 925 /* Test square. */
dd891e0e 926 secp256k1_scalar r1, r2;
1d52a8b1
PW		 927 secp256k1_scalar_sqr(&r1, &s1);
928 secp256k1_scalar_mul(&r2, &s1, &s1);
929 CHECK(secp256k1_scalar_eq(&r1, &r2));
930 }
ff8746d4 931
8d11164b
GM		 932 {
933 /* Test multiplicative identity. */
dd891e0e 934 secp256k1_scalar r1, v1;
8d11164b
GM		 935 secp256k1_scalar_set_int(&v1,1);
936 secp256k1_scalar_mul(&r1, &s1, &v1);
937 CHECK(secp256k1_scalar_eq(&r1, &s1));
938 }
939
940 {
941 /* Test additive identity. */
dd891e0e 942 secp256k1_scalar r1, v0;
8d11164b
GM		 943 secp256k1_scalar_set_int(&v0,0);
944 secp256k1_scalar_add(&r1, &s1, &v0);
945 CHECK(secp256k1_scalar_eq(&r1, &s1));
946 }
947
948 {
949 /* Test zero product property. */
dd891e0e 950 secp256k1_scalar r1, v0;
8d11164b
GM		 951 secp256k1_scalar_set_int(&v0,0);
952 secp256k1_scalar_mul(&r1, &s1, &v0);
953 CHECK(secp256k1_scalar_eq(&r1, &v0));
954 }
955
79359302
PW		 956}
957
958void run_scalar_tests(void) {
bf2e1ac7
GM		 959 int i;
960 for (i = 0; i < 128 * count; i++) {
79359302
PW		 961 scalar_test();
962 }
659b554d
PW		 963
964 {
ee3eb4be 965 /* (-1)+1 should be zero. */
dd891e0e 966 secp256k1_scalar s, o;
659b554d 967 secp256k1_scalar_set_int(&s, 1);
8d11164b 968 CHECK(secp256k1_scalar_is_one(&s));
659b554d
PW		 969 secp256k1_scalar_negate(&o, &s);
970 secp256k1_scalar_add(&o, &o, &s);
971 CHECK(secp256k1_scalar_is_zero(&o));
8d11164b
GM		 972 secp256k1_scalar_negate(&o, &o);
973 CHECK(secp256k1_scalar_is_zero(&o));
659b554d
PW		 974 }
975
597128d3 976#ifndef USE_NUM_NONE
659b554d 977 {
ee3eb4be 978 /* A scalar with value of the curve order should be 0. */
dd891e0e
PW		 979 secp256k1_num order;
980 secp256k1_scalar zero;
bf2e1ac7 981 unsigned char bin[32];
659b554d 982 int overflow = 0;
bf2e1ac7
GM		 983 secp256k1_scalar_order_get_num(&order);
984 secp256k1_num_get_bin(bin, 32, &order);
659b554d
PW		 985 secp256k1_scalar_set_b32(&zero, bin, &overflow);
986 CHECK(overflow == 1);
987 CHECK(secp256k1_scalar_is_zero(&zero));
988 }
597128d3 989#endif
26abce75
GM		 990
991 {
992 /* Does check_overflow check catch all ones? */
993 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
994 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
995 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
996 );
997 CHECK(secp256k1_scalar_check_overflow(&overflowed));
998 }
999
1000 {
1001 /* Static test vectors.
269d4227 1002 * These were reduced from ~10^12 random vectors based on comparison-decision
26abce75
GM		 1003 * and edge-case coverage on 32-bit and 64-bit implementations.
1004 * The responses were generated with Sage 5.9.
1005 */
1006 secp256k1_scalar x;
1007 secp256k1_scalar y;
1008 secp256k1_scalar z;
1009 secp256k1_scalar zz;
1010 secp256k1_scalar one;
1011 secp256k1_scalar r1;
1012 secp256k1_scalar r2;
1013#if defined(USE_SCALAR_INV_NUM)
1014 secp256k1_scalar zzv;
1015#endif
1016 int overflow;
093a497a 1017 unsigned char chal[33][2][32] = {
26abce75
GM		 1018 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1019 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1020 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1021 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1022 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1023 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1024 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1025 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1026 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1027 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1028 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1029 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1030 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1031 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1032 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1033 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1034 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1035 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1036 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1037 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1038 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1039 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1040 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1041 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1042 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1043 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1044 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1045 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1046 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1047 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1048 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1049 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1050 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1051 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1052 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1053 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1054 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1055 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1056 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1057 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1058 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1059 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1060 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1061 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1062 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1063 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1064 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1065 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1066 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1067 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1068 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1069 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1070 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1071 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1072 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1073 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1074 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1075 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1076 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1077 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1078 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1079 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1080 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1081 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1082 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1083 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1084 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1085 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1086 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1087 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1088 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1089 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1090 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1091 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1092 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1093 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1094 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1095 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1096 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1097 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1098 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1099 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1100 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1101 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1102 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1103 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1104 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1105 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1106 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1107 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1108 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1109 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1110 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1111 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1112 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1113 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1114 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1115 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1116 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1117 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1118 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1119 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1120 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1121 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1122 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1123 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1124 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1125 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1126 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1127 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1128 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1129 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1130 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1131 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1132 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1133 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1134 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1135 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1136 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1137 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1138 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1139 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1140 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1141 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1142 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1143 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1144 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1145 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1146 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1147 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1148 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1149 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1150 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1151 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1152 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1153 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1154 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1155 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1156 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1157 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1158 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1159 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1160 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1161 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1162 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1163 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1164 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1165 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1166 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1167 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1168 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1169 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1170 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1171 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1172 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1173 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1174 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1175 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1176 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1177 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1178 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1179 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1180 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1181 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1182 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1183 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1184 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1185 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1186 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1187 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1188 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1189 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1190 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1191 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1192 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1193 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1194 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1195 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1196 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1197 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1198 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1199 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1200 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1201 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1202 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1203 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1204 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1205 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1206 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1207 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1208 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1209 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1210 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1211 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1212 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1213 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1214 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1215 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1216 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1217 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1218 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1219 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1220 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1221 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1222 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1223 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1224 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1225 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1226 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1227 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1228 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1229 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1230 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1231 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1232 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1233 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1234 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1235 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1236 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1237 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1238 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1239 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1240 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1241 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1242 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1243 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1244 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1245 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1246 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1247 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1248 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1249 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1250 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1251 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1252 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1253 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1254 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1255 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1256 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1257 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1258 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1259 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1260 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1261 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1262 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1263 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1264 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1265 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1266 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1267 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1268 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1269 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1270 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1271 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1272 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
093a497a
JN		 1273 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1274 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1275 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1276 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1277 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1278 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1279 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1280 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1281 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
26abce75 1282 };
093a497a 1283 unsigned char res[33][2][32] = {
26abce75
GM		 1284 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1285 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1286 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1287 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1288 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1289 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1290 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1291 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1292 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1293 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1294 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1295 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1296 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1297 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1298 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1299 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1300 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1301 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1302 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1303 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1304 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1305 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1306 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1307 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1308 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1309 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1310 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1311 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1312 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1313 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1314 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1315 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1316 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1317 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1318 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1319 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1320 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1321 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1322 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1323 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1324 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1325 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1326 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1327 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1328 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1329 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1330 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1331 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1332 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1333 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1334 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1335 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1336 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1337 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1338 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1339 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1340 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1341 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1342 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1343 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1344 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1345 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1346 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1347 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1348 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1349 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1350 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1351 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1352 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1353 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1354 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1355 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1356 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1357 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1358 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1359 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1360 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1361 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1362 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1363 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1364 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1365 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1366 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1367 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1368 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1369 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1370 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1371 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1372 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1373 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1374 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1375 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1376 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1377 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1378 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1379 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1380 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1381 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1382 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1383 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1384 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1385 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1386 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1387 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1388 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1389 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1390 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1391 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1392 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1393 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1394 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1395 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1396 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1397 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1398 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1399 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1400 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1401 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1402 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1403 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1404 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1405 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1406 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1407 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1408 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1409 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1410 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1411 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1412 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1413 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1414 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1415 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1416 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1417 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1418 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1419 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1420 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1421 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1422 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1423 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1424 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1425 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1426 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1427 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1428 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1429 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1430 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1431 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1432 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1433 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1434 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1435 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1436 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1437 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1438 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1439 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1440 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1441 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1442 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1443 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1444 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1445 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1446 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1447 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1448 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1449 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1450 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1451 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1452 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1453 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1454 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1455 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1456 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1457 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1458 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1459 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1460 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1461 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1462 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1463 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1464 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1465 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1466 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1467 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1468 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1469 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1470 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1471 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1472 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1473 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1474 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1475 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1476 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1477 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1478 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1479 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1480 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1481 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1482 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1483 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1484 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1485 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1486 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1487 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1488 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1489 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1490 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1491 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1492 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1493 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1494 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1495 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1496 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1497 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1498 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1499 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1500 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1501 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1502 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1503 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1504 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1505 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1506 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1507 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1508 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1509 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1510 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1511 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1512 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1513 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1514 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1515 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1516 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1517 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1518 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1519 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1520 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1521 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1522 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1523 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1524 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1525 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1526 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1527 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1528 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1529 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1530 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1531 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1532 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1533 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1534 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1535 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1536 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1537 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1538 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
093a497a
JN		 1539 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1540 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1541 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1542 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1543 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1544 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1545 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1546 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1547 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
26abce75
GM		 1548 };
1549 secp256k1_scalar_set_int(&one, 1);
093a497a 1550 for (i = 0; i < 33; i++) {
26abce75
GM		 1551 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1552 CHECK(!overflow);
1553 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1554 CHECK(!overflow);
1555 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1556 CHECK(!overflow);
1557 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1558 CHECK(!overflow);
1559 secp256k1_scalar_mul(&z, &x, &y);
1560 CHECK(!secp256k1_scalar_check_overflow(&z));
1561 CHECK(secp256k1_scalar_eq(&r1, &z));
1562 if (!secp256k1_scalar_is_zero(&y)) {
1563 secp256k1_scalar_inverse(&zz, &y);
1564 CHECK(!secp256k1_scalar_check_overflow(&zz));
1565#if defined(USE_SCALAR_INV_NUM)
1566 secp256k1_scalar_inverse_var(&zzv, &y);
1567 CHECK(secp256k1_scalar_eq(&zzv, &zz));
1568#endif
1569 secp256k1_scalar_mul(&z, &z, &zz);
1570 CHECK(!secp256k1_scalar_check_overflow(&z));
1571 CHECK(secp256k1_scalar_eq(&x, &z));
1572 secp256k1_scalar_mul(&zz, &zz, &y);
1573 CHECK(!secp256k1_scalar_check_overflow(&zz));
1574 CHECK(secp256k1_scalar_eq(&one, &zz));
1575 }
1576 secp256k1_scalar_mul(&z, &x, &x);
1577 CHECK(!secp256k1_scalar_check_overflow(&z));
1578 secp256k1_scalar_sqr(&zz, &x);
1579 CHECK(!secp256k1_scalar_check_overflow(&zz));
1580 CHECK(secp256k1_scalar_eq(&zz, &z));
1581 CHECK(secp256k1_scalar_eq(&r2, &zz));
1582 }
1583 }
79359302
PW		 1584}
1585
09ca4f32
PD		 1586/***** FIELD TESTS *****/
1587
dd891e0e 1588void random_fe(secp256k1_fe *x) {
09ca4f32 1589 unsigned char bin[32];
d907ebc0
PW		 1590 do {
1591 secp256k1_rand256(bin);
1592 if (secp256k1_fe_set_b32(x, bin)) {
1593 return;
1594 }
1595 } while(1);
09ca4f32
PD		 1596}
1597
64666251
PW		 1598void random_fe_test(secp256k1_fe *x) {
1599 unsigned char bin[32];
1600 do {
1601 secp256k1_rand256_test(bin);
1602 if (secp256k1_fe_set_b32(x, bin)) {
1603 return;
1604 }
1605 } while(1);
1606}
1607
dd891e0e 1608void random_fe_non_zero(secp256k1_fe *nz) {
6d6102fe 1609 int tries = 10;
09ca4f32 1610 while (--tries >= 0) {
6d6102fe
PD		 1611 random_fe(nz);
1612 secp256k1_fe_normalize(nz);
26320197 1613 if (!secp256k1_fe_is_zero(nz)) {
09ca4f32 1614 break;
26320197 1615 }
09ca4f32 1616 }
71712b27 1617 /* Infinitesimal probability of spurious failure here */
0592d117 1618 CHECK(tries >= 0);
09ca4f32
PD		 1619}
1620
dd891e0e
PW		 1621void random_fe_non_square(secp256k1_fe *ns) {
1622 secp256k1_fe r;
bf2e1ac7 1623 random_fe_non_zero(ns);
926836ad 1624 if (secp256k1_fe_sqrt(&r, ns)) {
6d6102fe
PD		 1625 secp256k1_fe_negate(ns, ns, 1);
1626 }
1627}
1628
dd891e0e
PW		 1629int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1630 secp256k1_fe an = *a;
1631 secp256k1_fe bn = *b;
bf2e1ac7
GM		 1632 secp256k1_fe_normalize_weak(&an);
1633 secp256k1_fe_normalize_var(&bn);
d7174edf 1634 return secp256k1_fe_equal_var(&an, &bn);
f16be77f
PD		 1635}
1636
dd891e0e
PW		 1637int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) {
1638 secp256k1_fe x;
1639 secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
bf2e1ac7 1640 secp256k1_fe_mul(&x, a, ai);
f16be77f
PD		 1641 return check_fe_equal(&x, &one);
1642}
1643
ff889f7d
PW		 1644void run_field_convert(void) {
1645 static const unsigned char b32[32] = {
1646 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1647 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1648 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1649 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1650 };
dd891e0e 1651 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
ff889f7d
PW		 1652 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1653 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1654 );
dd891e0e 1655 static const secp256k1_fe fe = SECP256K1_FE_CONST(
ff889f7d
PW		 1656 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1657 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1658 );
dd891e0e 1659 secp256k1_fe fe2;
ff889f7d 1660 unsigned char b322[32];
dd891e0e 1661 secp256k1_fe_storage fes2;
ff889f7d
PW		 1662 /* Check conversions to fe. */
1663 CHECK(secp256k1_fe_set_b32(&fe2, b32));
1664 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
ff889f7d
PW		 1665 secp256k1_fe_from_storage(&fe2, &fes);
1666 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1667 /* Check conversion from fe. */
1668 secp256k1_fe_get_b32(b322, &fe);
1669 CHECK(memcmp(b322, b32, 32) == 0);
ff889f7d
PW		 1670 secp256k1_fe_to_storage(&fes2, &fe);
1671 CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0);
1672}
1673
dd891e0e
PW		 1674int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b) {
1675 secp256k1_fe t = *b;
a0601cd7
PD		 1676#ifdef VERIFY
1677 t.magnitude = a->magnitude;
1678 t.normalized = a->normalized;
1679#endif
dd891e0e 1680 return memcmp(a, &t, sizeof(secp256k1_fe));
a0601cd7
PD		 1681}
1682
8d11164b 1683void run_field_misc(void) {
dd891e0e
PW		 1684 secp256k1_fe x;
1685 secp256k1_fe y;
1686 secp256k1_fe z;
1687 secp256k1_fe q;
1688 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
3f3964e4 1689 int i, j;
bf2e1ac7 1690 for (i = 0; i < 5*count; i++) {
dd891e0e 1691 secp256k1_fe_storage xs, ys, zs;
8d11164b
GM		 1692 random_fe(&x);
1693 random_fe_non_zero(&y);
1694 /* Test the fe equality and comparison operations. */
1695 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
d7174edf 1696 CHECK(secp256k1_fe_equal_var(&x, &x));
8d11164b
GM		 1697 z = x;
1698 secp256k1_fe_add(&z,&y);
9c4fb23d
GM		 1699 /* Test fe conditional move; z is not normalized here. */
1700 q = x;
1701 secp256k1_fe_cmov(&x, &z, 0);
3f3964e4 1702 VERIFY_CHECK(!x.normalized && x.magnitude == z.magnitude);
9c4fb23d 1703 secp256k1_fe_cmov(&x, &x, 1);
a0601cd7
PD		 1704 CHECK(fe_memcmp(&x, &z) != 0);
1705 CHECK(fe_memcmp(&x, &q) == 0);
9c4fb23d 1706 secp256k1_fe_cmov(&q, &z, 1);
3f3964e4 1707 VERIFY_CHECK(!q.normalized && q.magnitude == z.magnitude);
a0601cd7 1708 CHECK(fe_memcmp(&q, &z) == 0);
a0601cd7
PD		 1709 secp256k1_fe_normalize_var(&x);
1710 secp256k1_fe_normalize_var(&z);
9c4fb23d 1711 CHECK(!secp256k1_fe_equal_var(&x, &z));
3f3964e4
PD		 1712 secp256k1_fe_normalize_var(&q);
1713 secp256k1_fe_cmov(&q, &z, (i&1));
1714 VERIFY_CHECK(q.normalized && q.magnitude == 1);
1715 for (j = 0; j < 6; j++) {
1716 secp256k1_fe_negate(&z, &z, j+1);
1717 secp256k1_fe_normalize_var(&q);
1718 secp256k1_fe_cmov(&q, &z, (j&1));
1719 VERIFY_CHECK(!q.normalized && q.magnitude == (j+2));
1720 }
1721 secp256k1_fe_normalize_var(&z);
1722 /* Test storage conversion and conditional moves. */
fcc48c45
PW		 1723 secp256k1_fe_to_storage(&xs, &x);
1724 secp256k1_fe_to_storage(&ys, &y);
1725 secp256k1_fe_to_storage(&zs, &z);
1726 secp256k1_fe_storage_cmov(&zs, &xs, 0);
9c4fb23d 1727 secp256k1_fe_storage_cmov(&zs, &zs, 1);
fcc48c45
PW		 1728 CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0);
1729 secp256k1_fe_storage_cmov(&ys, &xs, 1);
1730 CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0);
1731 secp256k1_fe_from_storage(&x, &xs);
1732 secp256k1_fe_from_storage(&y, &ys);
1733 secp256k1_fe_from_storage(&z, &zs);
8d11164b
GM		 1734 /* Test that mul_int, mul, and add agree. */
1735 secp256k1_fe_add(&y, &x);
1736 secp256k1_fe_add(&y, &x);
1737 z = x;
1738 secp256k1_fe_mul_int(&z, 3);
1739 CHECK(check_fe_equal(&y, &z));
1740 secp256k1_fe_add(&y, &x);
1741 secp256k1_fe_add(&z, &x);
1742 CHECK(check_fe_equal(&z, &y));
1743 z = x;
1744 secp256k1_fe_mul_int(&z, 5);
1745 secp256k1_fe_mul(&q, &x, &fe5);
1746 CHECK(check_fe_equal(&z, &q));
1747 secp256k1_fe_negate(&x, &x, 1);
1748 secp256k1_fe_add(&z, &x);
1749 secp256k1_fe_add(&q, &x);
1750 CHECK(check_fe_equal(&y, &z));
1751 CHECK(check_fe_equal(&q, &y));
1752 }
1753}
1754
2cad067a 1755void run_field_inv(void) {
dd891e0e 1756 secp256k1_fe x, xi, xii;
bf2e1ac7
GM		 1757 int i;
1758 for (i = 0; i < 10*count; i++) {
f16be77f
PD		 1759 random_fe_non_zero(&x);
1760 secp256k1_fe_inv(&xi, &x);
1761 CHECK(check_fe_inverse(&x, &xi));
1762 secp256k1_fe_inv(&xii, &xi);
1763 CHECK(check_fe_equal(&x, &xii));
1764 }
1765}
1766
2cad067a 1767void run_field_inv_var(void) {
dd891e0e 1768 secp256k1_fe x, xi, xii;
bf2e1ac7
GM		 1769 int i;
1770 for (i = 0; i < 10*count; i++) {
f16be77f
PD		 1771 random_fe_non_zero(&x);
1772 secp256k1_fe_inv_var(&xi, &x);
1773 CHECK(check_fe_inverse(&x, &xi));
1774 secp256k1_fe_inv_var(&xii, &xi);
1775 CHECK(check_fe_equal(&x, &xii));
1776 }
1777}
1778
2cad067a 1779void run_field_inv_all_var(void) {
dd891e0e 1780 secp256k1_fe x[16], xi[16], xii[16];
bf2e1ac7 1781 int i;
71712b27 1782 /* Check it's safe to call for 0 elements */
7d893f49 1783 secp256k1_fe_inv_all_var(xi, x, 0);
bf2e1ac7
GM		 1784 for (i = 0; i < count; i++) {
1785 size_t j;
fa57f1bd 1786 size_t len = secp256k1_rand_int(15) + 1;
26320197 1787 for (j = 0; j < len; j++) {
f16be77f 1788 random_fe_non_zero(&x[j]);
26320197 1789 }
7d893f49 1790 secp256k1_fe_inv_all_var(xi, x, len);
26320197 1791 for (j = 0; j < len; j++) {
f16be77f 1792 CHECK(check_fe_inverse(&x[j], &xi[j]));
26320197 1793 }
7d893f49 1794 secp256k1_fe_inv_all_var(xii, xi, len);
26320197 1795 for (j = 0; j < len; j++) {
f16be77f 1796 CHECK(check_fe_equal(&x[j], &xii[j]));
26320197 1797 }
f16be77f
PD		 1798 }
1799}
1800
2cad067a 1801void run_sqr(void) {
dd891e0e 1802 secp256k1_fe x, s;
59447da3 1803
59447da3 1804 {
bf2e1ac7 1805 int i;
59447da3
PD		 1806 secp256k1_fe_set_int(&x, 1);
1807 secp256k1_fe_negate(&x, &x, 1);
1808
bf2e1ac7 1809 for (i = 1; i <= 512; ++i) {
59447da3
PD		 1810 secp256k1_fe_mul_int(&x, 2);
1811 secp256k1_fe_normalize(&x);
1812 secp256k1_fe_sqr(&s, &x);
59447da3
PD		 1813 }
1814 }
59447da3
PD		 1815}
1816
dd891e0e
PW		 1817void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
1818 secp256k1_fe r1, r2;
926836ad 1819 int v = secp256k1_fe_sqrt(&r1, a);
0592d117 1820 CHECK((v == 0) == (k == NULL));
09ca4f32
PD		 1821
1822 if (k != NULL) {
71712b27 1823 /* Check that the returned root is +/- the given known answer */
09ca4f32
PD		 1824 secp256k1_fe_negate(&r2, &r1, 1);
1825 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
1826 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
0592d117 1827 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
09ca4f32
PD		 1828 }
1829}
1830
2cad067a 1831void run_sqrt(void) {
dd891e0e 1832 secp256k1_fe ns, x, s, t;
bf2e1ac7 1833 int i;
6d6102fe 1834
71712b27 1835 /* Check sqrt(0) is 0 */
6d6102fe
PD		 1836 secp256k1_fe_set_int(&x, 0);
1837 secp256k1_fe_sqr(&s, &x);
1838 test_sqrt(&s, &x);
1839
71712b27 1840 /* Check sqrt of small squares (and their negatives) */
bf2e1ac7 1841 for (i = 1; i <= 100; i++) {
6d6102fe 1842 secp256k1_fe_set_int(&x, i);
09ca4f32
PD		 1843 secp256k1_fe_sqr(&s, &x);
1844 test_sqrt(&s, &x);
6d6102fe 1845 secp256k1_fe_negate(&t, &s, 1);
09ca4f32
PD		 1846 test_sqrt(&t, NULL);
1847 }
6d6102fe 1848
71712b27 1849 /* Consistency checks for large random values */
bf2e1ac7
GM		 1850 for (i = 0; i < 10; i++) {
1851 int j;
6d6102fe 1852 random_fe_non_square(&ns);
bf2e1ac7 1853 for (j = 0; j < count; j++) {
6d6102fe
PD		 1854 random_fe(&x);
1855 secp256k1_fe_sqr(&s, &x);
1856 test_sqrt(&s, &x);
1857 secp256k1_fe_negate(&t, &s, 1);
1858 test_sqrt(&t, NULL);
1859 secp256k1_fe_mul(&t, &s, &ns);
1860 test_sqrt(&t, NULL);
1861 }
1862 }
09ca4f32
PD		 1863}
1864
9338dbf7
PW		 1865/***** GROUP TESTS *****/
1866
dd891e0e 1867void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
60571c6e 1868 CHECK(a->infinity == b->infinity);
26320197 1869 if (a->infinity) {
60571c6e 1870 return;
26320197 1871 }
60571c6e 1872 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
baa75da5 1873 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
9338dbf7
PW		 1874}
1875
d2275795 1876/* This compares jacobian points including their Z, not just their geometric meaning. */
dd891e0e
PW		 1877int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
1878 secp256k1_gej a2;
1879 secp256k1_gej b2;
d2275795
GM		 1880 int ret = 1;
1881 ret &= a->infinity == b->infinity;
1882 if (ret && !a->infinity) {
1883 a2 = *a;
1884 b2 = *b;
1885 secp256k1_fe_normalize(&a2.x);
1886 secp256k1_fe_normalize(&a2.y);
1887 secp256k1_fe_normalize(&a2.z);
1888 secp256k1_fe_normalize(&b2.x);
1889 secp256k1_fe_normalize(&b2.y);
1890 secp256k1_fe_normalize(&b2.z);
1891 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
1892 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
1893 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
1894 }
1895 return ret;
1896}
1897
dd891e0e
PW		 1898void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
1899 secp256k1_fe z2s;
1900 secp256k1_fe u1, u2, s1, s2;
60571c6e 1901 CHECK(a->infinity == b->infinity);
26320197 1902 if (a->infinity) {
60571c6e 1903 return;
26320197 1904 }
60571c6e 1905 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
60571c6e 1906 secp256k1_fe_sqr(&z2s, &b->z);
60571c6e
PW		 1907 secp256k1_fe_mul(&u1, &a->x, &z2s);
1908 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
1909 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
1910 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
1911 CHECK(secp256k1_fe_equal_var(&u1, &u2));
1912 CHECK(secp256k1_fe_equal_var(&s1, &s2));
9338dbf7
PW		 1913}
1914
2cad067a 1915void test_ge(void) {
bf2e1ac7 1916 int i, i1;
76574202
PW		 1917#ifdef USE_ENDOMORPHISM
1918 int runs = 6;
1919#else
60571c6e 1920 int runs = 4;
76574202 1921#endif
60571c6e
PW		 1922 /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
1923 * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
1924 * All magnitudes are randomized.
269d4227 1925 * All 17*17 combinations of points are added to each other, using all applicable methods.
76574202
PW		 1926 *
1927 * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well.
60571c6e 1928 */
5eb030ca
WL		 1929 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
1930 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
1931 secp256k1_fe *zinv = (secp256k1_fe *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
dd891e0e
PW		 1932 secp256k1_fe zf;
1933 secp256k1_fe zfi2, zfi3;
4f9791ab 1934
60571c6e
PW		 1935 secp256k1_gej_set_infinity(&gej[0]);
1936 secp256k1_ge_clear(&ge[0]);
1937 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
bf2e1ac7
GM		 1938 for (i = 0; i < runs; i++) {
1939 int j;
dd891e0e 1940 secp256k1_ge g;
60571c6e 1941 random_group_element_test(&g);
76574202
PW		 1942#ifdef USE_ENDOMORPHISM
1943 if (i >= runs - 2) {
1944 secp256k1_ge_mul_lambda(&g, &ge[1]);
1945 }
1946 if (i >= runs - 1) {
1947 secp256k1_ge_mul_lambda(&g, &g);
1948 }
1949#endif
60571c6e
PW		 1950 ge[1 + 4 * i] = g;
1951 ge[2 + 4 * i] = g;
1952 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
1953 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
1954 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
1955 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
1956 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
1957 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
bf2e1ac7 1958 for (j = 0; j < 4; j++) {
60571c6e
PW		 1959 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
1960 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
1961 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
1962 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
1963 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
1964 }
1965 }
1966
4f9791ab
PD		 1967 /* Compute z inverses. */
1968 {
5eb030ca 1969 secp256k1_fe *zs = checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
4f9791ab
PD		 1970 for (i = 0; i < 4 * runs + 1; i++) {
1971 if (i == 0) {
1972 /* The point at infinity does not have a meaningful z inverse. Any should do. */
1973 do {
1974 random_field_element_test(&zs[i]);
1975 } while(secp256k1_fe_is_zero(&zs[i]));
1976 } else {
1977 zs[i] = gej[i].z;
1978 }
1979 }
7d893f49 1980 secp256k1_fe_inv_all_var(zinv, zs, 4 * runs + 1);
4f9791ab
PD		 1981 free(zs);
1982 }
1983
1984 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
1985 do {
1986 random_field_element_test(&zf);
1987 } while(secp256k1_fe_is_zero(&zf));
1988 random_field_element_magnitude(&zf);
1989 secp256k1_fe_inv_var(&zfi3, &zf);
1990 secp256k1_fe_sqr(&zfi2, &zfi3);
1991 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
1992
bf2e1ac7
GM		 1993 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
1994 int i2;
1995 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
60571c6e 1996 /* Compute reference result using gej + gej (var). */
dd891e0e
PW		 1997 secp256k1_gej refj, resj;
1998 secp256k1_ge ref;
1999 secp256k1_fe zr;
4f9791ab
PD		 2000 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2001 /* Check Z ratio. */
2002 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
dd891e0e 2003 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
4f9791ab
PD		 2004 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
2005 }
60571c6e
PW		 2006 secp256k1_ge_set_gej_var(&ref, &refj);
2007
2d5a186c
PD		 2008 /* Test gej + ge with Z ratio result (var). */
2009 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
60571c6e 2010 ge_equals_gej(&ref, &resj);
2d5a186c 2011 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
dd891e0e 2012 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2d5a186c
PD		 2013 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
2014 }
60571c6e 2015
4f9791ab
PD		 2016 /* Test gej + ge (var, with additional Z factor). */
2017 {
dd891e0e 2018 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
4f9791ab
PD		 2019 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
2020 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
2021 random_field_element_magnitude(&ge2_zfi.x);
2022 random_field_element_magnitude(&ge2_zfi.y);
2023 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
2024 ge_equals_gej(&ref, &resj);
2025 }
2026
60571c6e
PW		 2027 /* Test gej + ge (const). */
2028 if (i2 != 0) {
2029 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
2030 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
2031 ge_equals_gej(&ref, &resj);
2032 }
2033
2034 /* Test doubling (var). */
2035 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
dd891e0e 2036 secp256k1_fe zr2;
4f9791ab
PD		 2037 /* Normal doubling with Z ratio result. */
2038 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
60571c6e 2039 ge_equals_gej(&ref, &resj);
4f9791ab
PD		 2040 /* Check Z ratio. */
2041 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2042 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2043 /* Normal doubling. */
2044 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
60571c6e
PW		 2045 ge_equals_gej(&ref, &resj);
2046 }
2047
2048 /* Test adding opposites. */
2049 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2050 CHECK(secp256k1_ge_is_infinity(&ref));
2051 }
2052
2053 /* Test adding infinity. */
2054 if (i1 == 0) {
2055 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2056 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2057 ge_equals_gej(&ref, &gej[i2]);
2058 }
2059 if (i2 == 0) {
2060 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2061 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2062 ge_equals_gej(&ref, &gej[i1]);
2063 }
2064 }
2065 }
2066
9ab93355
PW		 2067 /* Test adding all points together in random order equals infinity. */
2068 {
dd891e0e 2069 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
5eb030ca 2070 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
bf2e1ac7 2071 for (i = 0; i < 4 * runs + 1; i++) {
9ab93355
PW		 2072 gej_shuffled[i] = gej[i];
2073 }
bf2e1ac7 2074 for (i = 0; i < 4 * runs + 1; i++) {
fa57f1bd 2075 int swap = i + secp256k1_rand_int(4 * runs + 1 - i);
9ab93355 2076 if (swap != i) {
dd891e0e 2077 secp256k1_gej t = gej_shuffled[i];
9ab93355
PW		 2078 gej_shuffled[i] = gej_shuffled[swap];
2079 gej_shuffled[swap] = t;
2080 }
2081 }
bf2e1ac7 2082 for (i = 0; i < 4 * runs + 1; i++) {
4f9791ab 2083 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
9ab93355
PW		 2084 }
2085 CHECK(secp256k1_gej_is_infinity(&sum));
2086 free(gej_shuffled);
2087 }
2088
4f9791ab 2089 /* Test batch gej -> ge conversion with and without known z ratios. */
60571c6e 2090 {
5eb030ca
WL		 2091 secp256k1_fe *zr = (secp256k1_fe *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_fe));
2092 secp256k1_ge *ge_set_table = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2093 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
4f9791ab
PD		 2094 for (i = 0; i < 4 * runs + 1; i++) {
2095 /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
2096 if (i < 4 * runs) {
2097 secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
2098 }
2099 }
353c1bf0 2100 secp256k1_ge_set_table_gej_var(ge_set_table, gej, zr, 4 * runs + 1);
541b7839 2101 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1, &ctx->error_callback);
bf2e1ac7 2102 for (i = 0; i < 4 * runs + 1; i++) {
dd891e0e 2103 secp256k1_fe s;
d2275795
GM		 2104 random_fe_non_zero(&s);
2105 secp256k1_gej_rescale(&gej[i], &s);
4f9791ab 2106 ge_equals_gej(&ge_set_table[i], &gej[i]);
60571c6e
PW		 2107 ge_equals_gej(&ge_set_all[i], &gej[i]);
2108 }
4f9791ab 2109 free(ge_set_table);
60571c6e 2110 free(ge_set_all);
4f9791ab 2111 free(zr);
60571c6e
PW		 2112 }
2113
2114 free(ge);
2115 free(gej);
4f9791ab 2116 free(zinv);
9338dbf7
PW		 2117}
2118
8c5d5f7b
AP		 2119void test_add_neg_y_diff_x(void) {
2120 /* The point of this test is to check that we can add two points
2121 * whose y-coordinates are negatives of each other but whose x
2122 * coordinates differ. If the x-coordinates were the same, these
2123 * points would be negatives of each other and their sum is
2124 * infinity. This is cool because it "covers up" any degeneracy
2125 * in the addition algorithm that would cause the xy coordinates
2126 * of the sum to be wrong (since infinity has no xy coordinates).
2127 * HOWEVER, if the x-coordinates are different, infinity is the
2128 * wrong answer, and such degeneracies are exposed. This is the
faa2a11c
M		 2129 * root of https://github.com/bitcoin-core/secp256k1/issues/257
2130 * which this test is a regression test for.
8c5d5f7b
AP		 2131 *
2132 * These points were generated in sage as
2133 * # secp256k1 params
2134 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2135 * C = EllipticCurve ([F (0), F (7)])
2136 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2137 * N = FiniteField(G.order())
2138 *
2139 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2140 * x = polygen(N)
2141 * lam = (1 - x^3).roots()[1][0]
2142 *
2143 * # random "bad pair"
2144 * P = C.random_element()
2145 * Q = -int(lam) * P
2146 * print " P: %x %x" % P.xy()
2147 * print " Q: %x %x" % Q.xy()
2148 * print "P + Q: %x %x" % (P + Q).xy()
2149 */
dd891e0e 2150 secp256k1_gej aj = SECP256K1_GEJ_CONST(
8c5d5f7b
AP		 2151 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2152 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2153 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2154 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2155 );
dd891e0e 2156 secp256k1_gej bj = SECP256K1_GEJ_CONST(
8c5d5f7b
AP		 2157 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2158 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2159 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2160 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2161 );
dd891e0e 2162 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
8c5d5f7b
AP		 2163 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2164 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2165 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2166 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2167 );
dd891e0e
PW		 2168 secp256k1_ge b;
2169 secp256k1_gej resj;
2170 secp256k1_ge res;
8c5d5f7b
AP		 2171 secp256k1_ge_set_gej(&b, &bj);
2172
2173 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2174 secp256k1_ge_set_gej(&res, &resj);
2175 ge_equals_gej(&res, &sumj);
2176
2177 secp256k1_gej_add_ge(&resj, &aj, &b);
2178 secp256k1_ge_set_gej(&res, &resj);
2179 ge_equals_gej(&res, &sumj);
2180
2181 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2182 secp256k1_ge_set_gej(&res, &resj);
2183 ge_equals_gej(&res, &sumj);
2184}
2185
2cad067a 2186void run_ge(void) {
bf2e1ac7
GM		 2187 int i;
2188 for (i = 0; i < count * 32; i++) {
9338dbf7
PW		 2189 test_ge();
2190 }
8c5d5f7b 2191 test_add_neg_y_diff_x();
9338dbf7
PW		 2192}
2193
a5a66c70 2194void test_ec_combine(void) {
dd891e0e
PW		 2195 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2196 secp256k1_pubkey data[6];
2197 const secp256k1_pubkey* d[6];
2198 secp256k1_pubkey sd;
2199 secp256k1_pubkey sd2;
2200 secp256k1_gej Qj;
2201 secp256k1_ge Q;
a5a66c70
PW		 2202 int i;
2203 for (i = 1; i <= 6; i++) {
dd891e0e 2204 secp256k1_scalar s;
a5a66c70
PW		 2205 random_scalar_order_test(&s);
2206 secp256k1_scalar_add(&sum, &sum, &s);
2207 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2208 secp256k1_ge_set_gej(&Q, &Qj);
2209 secp256k1_pubkey_save(&data[i - 1], &Q);
2210 d[i - 1] = &data[i - 1];
2211 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2212 secp256k1_ge_set_gej(&Q, &Qj);
2213 secp256k1_pubkey_save(&sd, &Q);
dc0ce9fc 2214 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
a5a66c70
PW		 2215 CHECK(memcmp(&sd, &sd2, sizeof(sd)) == 0);
2216 }
2217}
2218
2219void run_ec_combine(void) {
2220 int i;
2221 for (i = 0; i < count * 8; i++) {
2222 test_ec_combine();
2223 }
2224}
2225
64666251
PW		 2226void test_group_decompress(const secp256k1_fe* x) {
2227 /* The input itself, normalized. */
2228 secp256k1_fe fex = *x;
e6e9805f 2229 secp256k1_fe fez;
64666251
PW		 2230 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2231 secp256k1_ge ge_quad, ge_even, ge_odd;
e6e9805f 2232 secp256k1_gej gej_quad;
64666251
PW		 2233 /* Return values of the above calls. */
2234 int res_quad, res_even, res_odd;
2235
2236 secp256k1_fe_normalize_var(&fex);
2237
926836ad 2238 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
64666251
PW		 2239 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2240 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2241
2242 CHECK(res_quad == res_even);
2243 CHECK(res_quad == res_odd);
2244
2245 if (res_quad) {
2246 secp256k1_fe_normalize_var(&ge_quad.x);
2247 secp256k1_fe_normalize_var(&ge_odd.x);
2248 secp256k1_fe_normalize_var(&ge_even.x);
2249 secp256k1_fe_normalize_var(&ge_quad.y);
2250 secp256k1_fe_normalize_var(&ge_odd.y);
2251 secp256k1_fe_normalize_var(&ge_even.y);
2252
2253 /* No infinity allowed. */
2254 CHECK(!ge_quad.infinity);
2255 CHECK(!ge_even.infinity);
2256 CHECK(!ge_odd.infinity);
2257
2258 /* Check that the x coordinates check out. */
2259 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2260 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2261 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2262
2263 /* Check that the Y coordinate result in ge_quad is a square. */
e6e9805f 2264 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
64666251
PW		 2265
2266 /* Check odd/even Y in ge_odd, ge_even. */
2267 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2268 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
e6e9805f
PW		 2269
2270 /* Check secp256k1_gej_has_quad_y_var. */
2271 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2272 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2273 do {
2274 random_fe_test(&fez);
2275 } while (secp256k1_fe_is_zero(&fez));
2276 secp256k1_gej_rescale(&gej_quad, &fez);
2277 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2278 secp256k1_gej_neg(&gej_quad, &gej_quad);
2279 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2280 do {
2281 random_fe_test(&fez);
2282 } while (secp256k1_fe_is_zero(&fez));
2283 secp256k1_gej_rescale(&gej_quad, &fez);
2284 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2285 secp256k1_gej_neg(&gej_quad, &gej_quad);
2286 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
64666251
PW		 2287 }
2288}
2289
2290void run_group_decompress(void) {
2291 int i;
2292 for (i = 0; i < count * 4; i++) {
2293 secp256k1_fe fe;
2294 random_fe_test(&fe);
2295 test_group_decompress(&fe);
2296 }
2297}
2298
09ca4f32
PD		 2299/***** ECMULT TESTS *****/
2300
2cad067a 2301void run_ecmult_chain(void) {
443cd4b8 2302 /* random starting point A (on the curve) */
dd891e0e 2303 secp256k1_gej a = SECP256K1_GEJ_CONST(
443cd4b8
PW		 2304 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2305 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2306 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2307 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2308 );
71712b27 2309 /* two random initial factors xn and gn */
dd891e0e 2310 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
443cd4b8
PW		 2311 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2312 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2313 );
dd891e0e 2314 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
443cd4b8
PW		 2315 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2316 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2317 );
71712b27 2318 /* two small multipliers to be applied to xn and gn in every iteration: */
dd891e0e
PW		 2319 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2320 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
71712b27 2321 /* accumulators with the resulting coefficients to A and G */
dd891e0e
PW		 2322 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2323 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
443cd4b8 2324 /* actual points */
cfe0ed91 2325 secp256k1_gej x;
dd891e0e 2326 secp256k1_gej x2;
443cd4b8
PW		 2327 int i;
2328
71712b27 2329 /* the point being computed */
bf2e1ac7
GM		 2330 x = a;
2331 for (i = 0; i < 200*count; i++) {
71712b27 2332 /* in each iteration, compute X = xn*X + gn*G; */
a9b6595e 2333 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
71712b27
GM		 2334 /* also compute ae and ge: the actual accumulated factors for A and G */
2335 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
f24041d6
PW		 2336 secp256k1_scalar_mul(&ae, &ae, &xn);
2337 secp256k1_scalar_mul(&ge, &ge, &xn);
2338 secp256k1_scalar_add(&ge, &ge, &gn);
71712b27 2339 /* modify xn and gn */
f24041d6
PW		 2340 secp256k1_scalar_mul(&xn, &xn, &xf);
2341 secp256k1_scalar_mul(&gn, &gn, &gf);
404c30a8 2342
71712b27 2343 /* verify */
404c30a8 2344 if (i == 19999) {
443cd4b8 2345 /* expected result after 19999 iterations */
dd891e0e 2346 secp256k1_gej rp = SECP256K1_GEJ_CONST(
443cd4b8
PW		 2347 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2348 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2349 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2350 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2351 );
2352
2353 secp256k1_gej_neg(&rp, &rp);
4f9791ab 2354 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
443cd4b8 2355 CHECK(secp256k1_gej_is_infinity(&rp));
404c30a8 2356 }
4adf6b2a 2357 }
71712b27 2358 /* redo the computation, but directly with the resulting ae and ge coefficients: */
a9b6595e 2359 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
443cd4b8 2360 secp256k1_gej_neg(&x2, &x2);
4f9791ab 2361 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
443cd4b8 2362 CHECK(secp256k1_gej_is_infinity(&x2));
a41f32e6
PW		 2363}
2364
dd891e0e 2365void test_point_times_order(const secp256k1_gej *point) {
b5c9ee75 2366 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
dd891e0e
PW		 2367 secp256k1_scalar x;
2368 secp256k1_scalar nx;
2369 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2370 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2371 secp256k1_gej res1, res2;
2372 secp256k1_ge res3;
bf2e1ac7 2373 unsigned char pub[65];
788038d3 2374 size_t psize = 65;
bf2e1ac7
GM		 2375 random_scalar_order_test(&x);
2376 secp256k1_scalar_negate(&nx, &x);
a9b6595e
PW		 2377 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2378 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
4f9791ab 2379 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
b5c9ee75 2380 CHECK(secp256k1_gej_is_infinity(&res1));
39bd94d8 2381 CHECK(secp256k1_gej_is_valid_var(&res1) == 0);
ee3eb4be
GM		 2382 secp256k1_ge_set_gej(&res3, &res1);
2383 CHECK(secp256k1_ge_is_infinity(&res3));
39bd94d8 2384 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
9234391e 2385 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
8d11164b 2386 psize = 65;
9234391e 2387 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
baa75da5
AP		 2388 /* check zero/one edge cases */
2389 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2390 secp256k1_ge_set_gej(&res3, &res1);
2391 CHECK(secp256k1_ge_is_infinity(&res3));
2392 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2393 secp256k1_ge_set_gej(&res3, &res1);
2394 ge_equals_gej(&res3, point);
2395 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2396 secp256k1_ge_set_gej(&res3, &res1);
2397 ge_equals_ge(&res3, &secp256k1_ge_const_g);
4e0ed539
PW		 2398}
2399
2cad067a 2400void run_point_times_order(void) {
bf2e1ac7 2401 int i;
dd891e0e
PW		 2402 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2403 static const secp256k1_fe xr = SECP256K1_FE_CONST(
443cd4b8
PW		 2404 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2405 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2406 );
bf2e1ac7 2407 for (i = 0; i < 500; i++) {
dd891e0e 2408 secp256k1_ge p;
39bd94d8 2409 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
dd891e0e 2410 secp256k1_gej j;
bf2e1ac7 2411 CHECK(secp256k1_ge_is_valid_var(&p));
09ca4f32 2412 secp256k1_gej_set_ge(&j, &p);
39bd94d8 2413 CHECK(secp256k1_gej_is_valid_var(&j));
09ca4f32
PD		 2414 test_point_times_order(&j);
2415 }
910d0de4 2416 secp256k1_fe_sqr(&x, &x);
4e0ed539 2417 }
443cd4b8
PW		 2418 secp256k1_fe_normalize_var(&x);
2419 CHECK(secp256k1_fe_equal_var(&x, &xr));
4e0ed539
PW		 2420}
2421
44015000
AP		 2422void ecmult_const_random_mult(void) {
2423 /* random starting point A (on the curve) */
dd891e0e 2424 secp256k1_ge a = SECP256K1_GE_CONST(
44015000
AP		 2425 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2426 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2427 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2428 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2429 );
2430 /* random initial factor xn */
dd891e0e 2431 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
44015000
AP		 2432 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2433 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2434 );
2435 /* expected xn * A (from sage) */
dd891e0e 2436 secp256k1_ge expected_b = SECP256K1_GE_CONST(
44015000
AP		 2437 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2438 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2439 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2440 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2441 );
dd891e0e 2442 secp256k1_gej b;
44015000
AP		 2443 secp256k1_ecmult_const(&b, &a, &xn);
2444
2445 CHECK(secp256k1_ge_is_valid_var(&a));
2446 ge_equals_gej(&expected_b, &b);
2447}
2448
2449void ecmult_const_commutativity(void) {
dd891e0e
PW		 2450 secp256k1_scalar a;
2451 secp256k1_scalar b;
2452 secp256k1_gej res1;
2453 secp256k1_gej res2;
2454 secp256k1_ge mid1;
2455 secp256k1_ge mid2;
44015000
AP		 2456 random_scalar_order_test(&a);
2457 random_scalar_order_test(&b);
2458
2459 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a);
2460 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b);
2461 secp256k1_ge_set_gej(&mid1, &res1);
2462 secp256k1_ge_set_gej(&mid2, &res2);
2463 secp256k1_ecmult_const(&res1, &mid1, &b);
2464 secp256k1_ecmult_const(&res2, &mid2, &a);
2465 secp256k1_ge_set_gej(&mid1, &res1);
2466 secp256k1_ge_set_gej(&mid2, &res2);
2467 ge_equals_ge(&mid1, &mid2);
2468}
2469
2470void ecmult_const_mult_zero_one(void) {
dd891e0e
PW		 2471 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2472 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2473 secp256k1_scalar negone;
2474 secp256k1_gej res1;
2475 secp256k1_ge res2;
2476 secp256k1_ge point;
44015000
AP		 2477 secp256k1_scalar_negate(&negone, &one);
2478
2479 random_group_element_test(&point);
2480 secp256k1_ecmult_const(&res1, &point, &zero);
2481 secp256k1_ge_set_gej(&res2, &res1);
2482 CHECK(secp256k1_ge_is_infinity(&res2));
2483 secp256k1_ecmult_const(&res1, &point, &one);
2484 secp256k1_ge_set_gej(&res2, &res1);
2485 ge_equals_ge(&res2, &point);
2486 secp256k1_ecmult_const(&res1, &point, &negone);
2487 secp256k1_gej_neg(&res1, &res1);
2488 secp256k1_ge_set_gej(&res2, &res1);
2489 ge_equals_ge(&res2, &point);
2490}
2491
2492void ecmult_const_chain_multiply(void) {
2493 /* Check known result (randomly generated test problem from sage) */
dd891e0e 2494 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
44015000
AP		 2495 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2496 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2497 );
dd891e0e 2498 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
44015000
AP		 2499 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2500 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2501 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2502 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2503 );
dd891e0e
PW		 2504 secp256k1_gej point;
2505 secp256k1_ge res;
44015000
AP		 2506 int i;
2507
2508 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2509 for (i = 0; i < 100; ++i) {
dd891e0e 2510 secp256k1_ge tmp;
44015000
AP		 2511 secp256k1_ge_set_gej(&tmp, &point);
2512 secp256k1_ecmult_const(&point, &tmp, &scalar);
2513 }
2514 secp256k1_ge_set_gej(&res, &point);
2515 ge_equals_gej(&res, &expected_point);
2516}
2517
2518void run_ecmult_const_tests(void) {
2519 ecmult_const_mult_zero_one();
2520 ecmult_const_random_mult();
2521 ecmult_const_commutativity();
2522 ecmult_const_chain_multiply();
2523}
2524
dba5471b
AP		 2525typedef struct {
2526 secp256k1_scalar *sc;
2527 secp256k1_ge *pt;
2528} ecmult_multi_data;
2529
2530static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2531 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
2532 *sc = data->sc[idx];
2533 *pt = data->pt[idx];
2534 return 1;
2535}
2536
355a38f1
JN		 2537static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2538 (void)sc;
2539 (void)pt;
2540 (void)idx;
2541 (void)cbdata;
2542 return 0;
2543}
2544
2545void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
dba5471b
AP		 2546 int ncount;
2547 secp256k1_scalar szero;
2548 secp256k1_scalar sc[32];
2549 secp256k1_ge pt[32];
2550 secp256k1_gej r;
2551 secp256k1_gej r2;
2552 ecmult_multi_data data;
355a38f1 2553 secp256k1_scratch *scratch_empty;
dba5471b
AP		 2554
2555 data.sc = sc;
2556 data.pt = pt;
dba5471b 2557 secp256k1_scalar_set_int(&szero, 0);
355a38f1
JN		 2558 secp256k1_scratch_reset(scratch);
2559
2560 /* No points to multiply */
2561 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
dba5471b
AP		 2562
2563 /* Check 1- and 2-point multiplies against ecmult */
2564 for (ncount = 0; ncount < count; ncount++) {
2565 secp256k1_ge ptg;
2566 secp256k1_gej ptgj;
2567 random_scalar_order(&sc[0]);
2568 random_scalar_order(&sc[1]);
2569
2570 random_group_element_test(&ptg);
2571 secp256k1_gej_set_ge(&ptgj, &ptg);
2572 pt[0] = ptg;
2573 pt[1] = secp256k1_ge_const_g;
2574
355a38f1
JN		 2575 /* only G scalar */
2576 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
2577 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
2578 secp256k1_gej_neg(&r2, &r2);
2579 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2580 CHECK(secp256k1_gej_is_infinity(&r));
2581
dba5471b
AP		 2582 /* 1-point */
2583 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
355a38f1 2584 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
dba5471b
AP		 2585 secp256k1_gej_neg(&r2, &r2);
2586 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2587 CHECK(secp256k1_gej_is_infinity(&r));
2588
355a38f1
JN		 2589 /* Try to multiply 1 point, but scratch space is empty */
2590 scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0, 0);
2591 CHECK(!ecmult_multi(&ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
2592 secp256k1_scratch_destroy(scratch_empty);
2593
2594 /* Try to multiply 1 point, but callback returns false */
2595 CHECK(!ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
2596
dba5471b
AP		 2597 /* 2-point */
2598 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
355a38f1 2599 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
dba5471b
AP		 2600 secp256k1_gej_neg(&r2, &r2);
2601 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2602 CHECK(secp256k1_gej_is_infinity(&r));
2603
2604 /* 2-point with G scalar */
2605 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
355a38f1 2606 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
dba5471b
AP		 2607 secp256k1_gej_neg(&r2, &r2);
2608 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2609 CHECK(secp256k1_gej_is_infinity(&r));
2610 }
2611
2612 /* Check infinite outputs of various forms */
2613 for (ncount = 0; ncount < count; ncount++) {
2614 secp256k1_ge ptg;
2615 size_t i, j;
2616 size_t sizes[] = { 2, 10, 32 };
2617
2618 for (j = 0; j < 3; j++) {
2619 for (i = 0; i < 32; i++) {
2620 random_scalar_order(&sc[i]);
2621 secp256k1_ge_set_infinity(&pt[i]);
2622 }
355a38f1 2623 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
dba5471b
AP		 2624 CHECK(secp256k1_gej_is_infinity(&r));
2625 }
2626
2627 for (j = 0; j < 3; j++) {
2628 for (i = 0; i < 32; i++) {
2629 random_group_element_test(&ptg);
2630 pt[i] = ptg;
2631 secp256k1_scalar_set_int(&sc[i], 0);
2632 }
355a38f1 2633 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
dba5471b
AP		 2634 CHECK(secp256k1_gej_is_infinity(&r));
2635 }
2636
2637 for (j = 0; j < 3; j++) {
2638 random_group_element_test(&ptg);
2639 for (i = 0; i < 16; i++) {
2640 random_scalar_order(&sc[2*i]);
2641 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
2642 pt[2 * i] = ptg;
2643 pt[2 * i + 1] = ptg;
2644 }
2645
355a38f1 2646 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
dba5471b
AP		 2647 CHECK(secp256k1_gej_is_infinity(&r));
2648
2649 random_scalar_order(&sc[0]);
2650 for (i = 0; i < 16; i++) {
2651 random_group_element_test(&ptg);
2652
2653 sc[2*i] = sc[0];
2654 sc[2*i+1] = sc[0];
2655 pt[2 * i] = ptg;
2656 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
2657 }
2658
355a38f1 2659 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
dba5471b
AP		 2660 CHECK(secp256k1_gej_is_infinity(&r));
2661 }
2662
2663 random_group_element_test(&ptg);
2664 secp256k1_scalar_set_int(&sc[0], 0);
2665 pt[0] = ptg;
2666 for (i = 1; i < 32; i++) {
2667 pt[i] = ptg;
2668
2669 random_scalar_order(&sc[i]);
2670 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
2671 secp256k1_scalar_negate(&sc[i], &sc[i]);
2672 }
2673
355a38f1 2674 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
dba5471b
AP		 2675 CHECK(secp256k1_gej_is_infinity(&r));
2676 }
2677
2678 /* Check random points, constant scalar */
2679 for (ncount = 0; ncount < count; ncount++) {
2680 size_t i;
2681 secp256k1_gej_set_infinity(&r);
2682
2683 random_scalar_order(&sc[0]);
2684 for (i = 0; i < 20; i++) {
2685 secp256k1_ge ptg;
2686 sc[i] = sc[0];
2687 random_group_element_test(&ptg);
2688 pt[i] = ptg;
2689 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
2690 }
2691
2692 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
355a38f1 2693 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
dba5471b
AP		 2694 secp256k1_gej_neg(&r2, &r2);
2695 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2696 CHECK(secp256k1_gej_is_infinity(&r));
2697 }
2698
2699 /* Check random scalars, constant point */
2700 for (ncount = 0; ncount < count; ncount++) {
2701 size_t i;
2702 secp256k1_ge ptg;
2703 secp256k1_gej p0j;
2704 secp256k1_scalar rs;
2705 secp256k1_scalar_set_int(&rs, 0);
2706
2707 random_group_element_test(&ptg);
2708 for (i = 0; i < 20; i++) {
2709 random_scalar_order(&sc[i]);
2710 pt[i] = ptg;
2711 secp256k1_scalar_add(&rs, &rs, &sc[i]);
2712 }
2713
2714 secp256k1_gej_set_ge(&p0j, &pt[0]);
2715 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
355a38f1 2716 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
dba5471b
AP		 2717 secp256k1_gej_neg(&r2, &r2);
2718 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2719 CHECK(secp256k1_gej_is_infinity(&r));
2720 }
2721
2722 /* Sanity check that zero scalars don't cause problems */
2723 secp256k1_scalar_clear(&sc[0]);
355a38f1 2724 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
dba5471b
AP		 2725 secp256k1_scalar_clear(&sc[1]);
2726 secp256k1_scalar_clear(&sc[2]);
2727 secp256k1_scalar_clear(&sc[3]);
2728 secp256k1_scalar_clear(&sc[4]);
355a38f1
JN		 2729 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
2730 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
dba5471b
AP		 2731 CHECK(secp256k1_gej_is_infinity(&r));
2732
2733 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
2734 {
2735 const size_t TOP = 8;
2736 size_t s0i, s1i;
2737 size_t t0i, t1i;
2738 secp256k1_ge ptg;
2739 secp256k1_gej ptgj;
2740
2741 random_group_element_test(&ptg);
2742 secp256k1_gej_set_ge(&ptgj, &ptg);
2743
2744 for(t0i = 0; t0i < TOP; t0i++) {
2745 for(t1i = 0; t1i < TOP; t1i++) {
2746 secp256k1_gej t0p, t1p;
2747 secp256k1_scalar t0, t1;
2748
2749 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
2750 secp256k1_scalar_cond_negate(&t0, t0i & 1);
2751 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
2752 secp256k1_scalar_cond_negate(&t1, t1i & 1);
2753
2754 secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
2755 secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
2756
2757 for(s0i = 0; s0i < TOP; s0i++) {
2758 for(s1i = 0; s1i < TOP; s1i++) {
2759 secp256k1_scalar tmp1, tmp2;
2760 secp256k1_gej expected, actual;
2761
2762 secp256k1_ge_set_gej(&pt[0], &t0p);
2763 secp256k1_ge_set_gej(&pt[1], &t1p);
2764
2765 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
2766 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
2767 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
2768 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
2769
2770 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
2771 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
2772 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
2773
2774 secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
355a38f1 2775 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
dba5471b
AP		 2776 secp256k1_gej_neg(&expected, &expected);
2777 secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
2778 CHECK(secp256k1_gej_is_infinity(&actual));
2779 }
2780 }
2781 }
2782 }
2783 }
355a38f1
JN		 2784}
2785
2786void test_ecmult_multi_batching(void) {
2787 static const int n_points = 3*MAX_BATCH_SIZE;
2788 secp256k1_scalar scG;
2789 secp256k1_scalar szero;
2790 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
2791 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
2792 secp256k1_gej r;
2793 secp256k1_gej r2;
2794 ecmult_multi_data data;
2795 int i;
2796 secp256k1_scratch *scratch;
2797
2798 int test_n_points[] = { MAX_BATCH_SIZE, MAX_BATCH_SIZE + 1, MAX_BATCH_SIZE + 2, 2*MAX_BATCH_SIZE, 2*MAX_BATCH_SIZE+1, 3*MAX_BATCH_SIZE };
2799 secp256k1_gej_set_infinity(&r2);
2800 secp256k1_scalar_set_int(&szero, 0);
2801
2802 /* Get random scalars and group elements */
2803 random_scalar_order(&scG);
2804 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
2805 for(i = 0; i < n_points; i++) {
2806 secp256k1_ge ptg;
2807 random_group_element_test(&ptg);
2808 pt[i] = ptg;
2809 random_scalar_order(&sc[i]);
2810 }
2811 data.sc = sc;
2812 data.pt = pt;
2813
2814 /* Test with empty scratch space */
2815 scratch = secp256k1_scratch_create(&ctx->error_callback, 0, 0);
2816 CHECK(!secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, 1));
2817 secp256k1_scratch_destroy(scratch);
2818
2819 /* Test with space for 1 point in pippenger. That's not enough because
2820 * ecmult_multi selects strauss which requires more memory. */
2821 scratch = secp256k1_scratch_create(&ctx->error_callback, 0, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
2822 CHECK(!secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, 1));
2823 secp256k1_scratch_destroy(scratch);
2824
2825 /* Run secp256k1_ecmult_multi_var with i points and a scratch space
2826 * restricted to i points. */
2827 for(i = 1; i <= ECMULT_PIPPENGER_THRESHOLD+2; i++) {
2828 secp256k1_gej ptgj;
2829 if (i > ECMULT_PIPPENGER_THRESHOLD) {
2830 int bucket_window = secp256k1_pippenger_bucket_window(i);
2831 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
2832 scratch = secp256k1_scratch_create(&ctx->error_callback, 0, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
2833 } else {
2834 size_t scratch_size = secp256k1_strauss_scratch_size(i);
2835 scratch = secp256k1_scratch_create(&ctx->error_callback, 0, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
2836 }
2837 CHECK(secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, i));
2838
2839 /* compute running result */
2840 secp256k1_gej_set_ge(&ptgj, &pt[i-1]);
2841 secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i-1], NULL);
2842 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
2843
2844 secp256k1_gej_neg(&r, &r);
2845 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2846 CHECK(secp256k1_gej_is_infinity(&r));
2847 secp256k1_scratch_destroy(scratch);
2848 }
2849
2850 scratch = secp256k1_scratch_create(&ctx->error_callback, 0, secp256k1_strauss_scratch_size(n_points) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
2851
2852 for(i = 0; i < (int)(sizeof(test_n_points) / sizeof(test_n_points[0])); i++) {
2853 secp256k1_gej ptgj;
2854 CHECK(secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, test_n_points[i]-1));
2855 secp256k1_gej_set_infinity(&r2);
2856 secp256k1_gej_add_var(&r2, &r2, &r, NULL);
2857 CHECK(secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, test_n_points[i]));
2858 secp256k1_gej_set_ge(&ptgj, &pt[test_n_points[i]-1]);
2859 secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[test_n_points[i]-1], NULL);
2860 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
2861
2862 secp256k1_gej_neg(&r, &r);
2863 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2864 CHECK(secp256k1_gej_is_infinity(&r));
2865 }
2866
2867 secp256k1_scratch_destroy(scratch);
2868 free(sc);
2869 free(pt);
2870}
2871
2872void run_ecmult_multi_tests(void) {
2873 secp256k1_scratch *scratch;
dba5471b 2874
355a38f1
JN		 2875 scratch = secp256k1_scratch_create(&ctx->error_callback, 0, 819200);
2876 test_ecmult_multi(scratch, &secp256k1_ecmult_multi_var);
2877 test_ecmult_multi(scratch, &secp256k1_ecmult_pippenger_batch_single);
2878 test_ecmult_multi(scratch, &secp256k1_ecmult_strauss_batch_single);
dba5471b 2879 secp256k1_scratch_destroy(scratch);
355a38f1
JN		 2880
2881 test_ecmult_multi_batching();
dba5471b
AP		 2882}
2883
dd891e0e
PW		 2884void test_wnaf(const secp256k1_scalar *number, int w) {
2885 secp256k1_scalar x, two, t;
bf2e1ac7
GM		 2886 int wnaf[256];
2887 int zeroes = -1;
2888 int i;
2889 int bits;
f24041d6
PW		 2890 secp256k1_scalar_set_int(&x, 0);
2891 secp256k1_scalar_set_int(&two, 2);
55399c23 2892 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
0b730597 2893 CHECK(bits <= 256);
bf2e1ac7 2894 for (i = bits-1; i >= 0; i--) {
b1483f87 2895 int v = wnaf[i];
bf2e1ac7 2896 secp256k1_scalar_mul(&x, &x, &two);
4e0ed539 2897 if (v) {
71712b27 2898 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
4e0ed539 2899 zeroes=0;
71712b27
GM		 2900 CHECK((v & 1) == 1); /* check non-zero elements are odd */
2901 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
2902 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
4e0ed539 2903 } else {
71712b27 2904 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
4e0ed539
PW		 2905 zeroes++;
2906 }
f24041d6
PW		 2907 if (v >= 0) {
2908 secp256k1_scalar_set_int(&t, v);
2909 } else {
2910 secp256k1_scalar_set_int(&t, -v);
2911 secp256k1_scalar_negate(&t, &t);
2912 }
2913 secp256k1_scalar_add(&x, &x, &t);
4e0ed539 2914 }
f24041d6 2915 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
4e0ed539
PW		 2916}
2917
dd891e0e
PW		 2918void test_constant_wnaf_negate(const secp256k1_scalar *number) {
2919 secp256k1_scalar neg1 = *number;
2920 secp256k1_scalar neg2 = *number;
44015000
AP		 2921 int sign1 = 1;
2922 int sign2 = 1;
2923
2924 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
2925 secp256k1_scalar_negate(&neg1, &neg1);
2926 sign1 = -1;
2927 }
2928 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
2929 CHECK(sign1 == sign2);
2930 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
2931}
2932
dd891e0e
PW		 2933void test_constant_wnaf(const secp256k1_scalar *number, int w) {
2934 secp256k1_scalar x, shift;
44015000
AP		 2935 int wnaf[256] = {0};
2936 int i;
92e53fc4 2937 int skew;
dd891e0e 2938 secp256k1_scalar num = *number;
44015000
AP		 2939
2940 secp256k1_scalar_set_int(&x, 0);
2941 secp256k1_scalar_set_int(&shift, 1 << w);
92e53fc4
AP		 2942 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
2943#ifdef USE_ENDOMORPHISM
912f203f 2944 for (i = 0; i < 16; ++i) {
92e53fc4 2945 secp256k1_scalar_shr_int(&num, 8);
912f203f 2946 }
92e53fc4 2947#endif
c6191fde 2948 skew = secp256k1_wnaf_const(wnaf, num, w);
44015000
AP		 2949
2950 for (i = WNAF_SIZE(w); i >= 0; --i) {
dd891e0e 2951 secp256k1_scalar t;
44015000
AP		 2952 int v = wnaf[i];
2953 CHECK(v != 0); /* check nonzero */
2954 CHECK(v & 1); /* check parity */
2955 CHECK(v > -(1 << w)); /* check range above */
2956 CHECK(v < (1 << w)); /* check range below */
2957
2958 secp256k1_scalar_mul(&x, &x, &shift);
2959 if (v >= 0) {
2960 secp256k1_scalar_set_int(&t, v);
2961 } else {
2962 secp256k1_scalar_set_int(&t, -v);
2963 secp256k1_scalar_negate(&t, &t);
2964 }
2965 secp256k1_scalar_add(&x, &x, &t);
2966 }
c6191fde 2967 /* Skew num because when encoding numbers as odd we use an offset */
92e53fc4 2968 secp256k1_scalar_cadd_bit(&num, skew == 2, 1);
92e53fc4 2969 CHECK(secp256k1_scalar_eq(&x, &num));
44015000
AP		 2970}
2971
355a38f1
JN		 2972void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
2973 secp256k1_scalar x, shift;
2974 int wnaf[256] = {0};
2975 int i;
2976 int skew;
2977 secp256k1_scalar num = *number;
2978
2979 secp256k1_scalar_set_int(&x, 0);
2980 secp256k1_scalar_set_int(&shift, 1 << w);
2981 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
2982#ifdef USE_ENDOMORPHISM
2983 for (i = 0; i < 16; ++i) {
2984 secp256k1_scalar_shr_int(&num, 8);
2985 }
2986#endif
2987 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
2988
2989 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
2990 secp256k1_scalar t;
2991 int v = wnaf[i];
2992 CHECK(v != 0); /* check nonzero */
2993 CHECK(v & 1); /* check parity */
2994 CHECK(v > -(1 << w)); /* check range above */
2995 CHECK(v < (1 << w)); /* check range below */
2996
2997 secp256k1_scalar_mul(&x, &x, &shift);
2998 if (v >= 0) {
2999 secp256k1_scalar_set_int(&t, v);
3000 } else {
3001 secp256k1_scalar_set_int(&t, -v);
3002 secp256k1_scalar_negate(&t, &t);
3003 }
3004 secp256k1_scalar_add(&x, &x, &t);
3005 }
3006 /* If skew is 1 then add 1 to num */
3007 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
3008 CHECK(secp256k1_scalar_eq(&x, &num));
3009}
3010
3011void test_fixed_wnaf_zero(int w) {
3012 int wnaf[256] = {0};
3013 int i;
3014 int skew;
3015 secp256k1_scalar num;
3016
3017 secp256k1_scalar_set_int(&num, 0);
3018 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3019
3020 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3021 int v = wnaf[i];
3022 CHECK(v == 0);
3023 }
3024 CHECK(skew == 0);
3025}
3026
2cad067a 3027void run_wnaf(void) {
bf2e1ac7 3028 int i;
dd891e0e 3029 secp256k1_scalar n = {{0}};
44015000
AP		 3030
3031 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
3032 * have easier-to-diagnose failure modes */
3033 n.d[0] = 1;
3034 test_constant_wnaf(&n, 4);
3035 n.d[0] = 2;
3036 test_constant_wnaf(&n, 4);
355a38f1
JN		 3037 /* Test 0 */
3038 test_fixed_wnaf_zero(4);
44015000 3039 /* Random tests */
bf2e1ac7 3040 for (i = 0; i < count; i++) {
f24041d6 3041 random_scalar_order(&n);
eb0be8ee 3042 test_wnaf(&n, 4+(i%10));
44015000
AP		 3043 test_constant_wnaf_negate(&n);
3044 test_constant_wnaf(&n, 4 + (i % 10));
355a38f1 3045 test_fixed_wnaf(&n, 4 + (i % 10));
4e0ed539 3046 }
96be2046
GM		 3047 secp256k1_scalar_set_int(&n, 0);
3048 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
3049 CHECK(secp256k1_scalar_is_zero(&n));
3050 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
3051 CHECK(secp256k1_scalar_is_zero(&n));
4e0ed539 3052}
a41f32e6 3053
d2275795
GM		 3054void test_ecmult_constants(void) {
3055 /* Test ecmult_gen() for [0..36) and [order-36..0). */
dd891e0e
PW		 3056 secp256k1_scalar x;
3057 secp256k1_gej r;
3058 secp256k1_ge ng;
d2275795
GM		 3059 int i;
3060 int j;
3061 secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
3062 for (i = 0; i < 36; i++ ) {
3063 secp256k1_scalar_set_int(&x, i);
3064 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3065 for (j = 0; j < i; j++) {
3066 if (j == i - 1) {
3067 ge_equals_gej(&secp256k1_ge_const_g, &r);
3068 }
3069 secp256k1_gej_add_ge(&r, &r, &ng);
3070 }
3071 CHECK(secp256k1_gej_is_infinity(&r));
3072 }
3073 for (i = 1; i <= 36; i++ ) {
3074 secp256k1_scalar_set_int(&x, i);
3075 secp256k1_scalar_negate(&x, &x);
3076 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3077 for (j = 0; j < i; j++) {
3078 if (j == i - 1) {
3079 ge_equals_gej(&ng, &r);
3080 }
3081 secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
3082 }
3083 CHECK(secp256k1_gej_is_infinity(&r));
3084 }
3085}
3086
3087void run_ecmult_constants(void) {
3088 test_ecmult_constants();
3089}
3090
3091void test_ecmult_gen_blind(void) {
269d4227 3092 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
dd891e0e
PW		 3093 secp256k1_scalar key;
3094 secp256k1_scalar b;
d2275795 3095 unsigned char seed32[32];
dd891e0e
PW		 3096 secp256k1_gej pgej;
3097 secp256k1_gej pgej2;
3098 secp256k1_gej i;
3099 secp256k1_ge pge;
d2275795
GM		 3100 random_scalar_order_test(&key);
3101 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
3102 secp256k1_rand256(seed32);
3103 b = ctx->ecmult_gen_ctx.blind;
3104 i = ctx->ecmult_gen_ctx.initial;
3105 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
3106 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3107 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
3108 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
3109 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
3110 secp256k1_ge_set_gej(&pge, &pgej);
3111 ge_equals_gej(&pge, &pgej2);
3112}
3113
3114void test_ecmult_gen_blind_reset(void) {
3115 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
dd891e0e
PW		 3116 secp256k1_scalar b;
3117 secp256k1_gej initial;
d2275795
GM		 3118 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3119 b = ctx->ecmult_gen_ctx.blind;
3120 initial = ctx->ecmult_gen_ctx.initial;
3121 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3122 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3123 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
3124}
3125
3126void run_ecmult_gen_blind(void) {
3127 int i;
3128 test_ecmult_gen_blind_reset();
3129 for (i = 0; i < 10; i++) {
3130 test_ecmult_gen_blind();
3131 }
3132}
3133
baa75da5
AP		 3134#ifdef USE_ENDOMORPHISM
3135/***** ENDOMORPHISH TESTS *****/
3136void test_scalar_split(void) {
dd891e0e
PW		 3137 secp256k1_scalar full;
3138 secp256k1_scalar s1, slam;
baa75da5
AP		 3139 const unsigned char zero[32] = {0};
3140 unsigned char tmp[32];
3141
3142 random_scalar_order_test(&full);
ed35d43a 3143 secp256k1_scalar_split_lambda(&s1, &slam, &full);
baa75da5
AP		 3144
3145 /* check that both are <= 128 bits in size */
912f203f 3146 if (secp256k1_scalar_is_high(&s1)) {
baa75da5 3147 secp256k1_scalar_negate(&s1, &s1);
912f203f
GM		 3148 }
3149 if (secp256k1_scalar_is_high(&slam)) {
baa75da5 3150 secp256k1_scalar_negate(&slam, &slam);
912f203f 3151 }
baa75da5
AP		 3152
3153 secp256k1_scalar_get_b32(tmp, &s1);
3154 CHECK(memcmp(zero, tmp, 16) == 0);
3155 secp256k1_scalar_get_b32(tmp, &slam);
3156 CHECK(memcmp(zero, tmp, 16) == 0);
3157}
3158
3159void run_endomorphism_tests(void) {
3160 test_scalar_split();
3161}
3162#endif
d2275795 3163
67f7da40
GM		 3164void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
3165 unsigned char pubkeyc[65];
3166 secp256k1_pubkey pubkey;
3167 secp256k1_ge ge;
3168 size_t pubkeyclen;
3169 int32_t ecount;
3170 ecount = 0;
3171 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3172 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
3173 /* Smaller sizes are tested exhaustively elsewhere. */
3174 int32_t i;
3175 memcpy(&pubkeyc[1], input, 64);
3176 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
3177 for (i = 0; i < 256; i++) {
3178 /* Try all type bytes. */
3179 int xpass;
3180 int ypass;
3181 int ysign;
3182 pubkeyc[0] = i;
3183 /* What sign does this point have? */
3184 ysign = (input[63] & 1) + 2;
3185 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
3186 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
3187 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
3188 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
3189 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
3190 if (xpass || ypass) {
3191 /* These cases must parse. */
3192 unsigned char pubkeyo[65];
3193 size_t outl;
3194 memset(&pubkey, 0, sizeof(pubkey));
3195 VG_UNDEF(&pubkey, sizeof(pubkey));
3196 ecount = 0;
3197 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3198 VG_CHECK(&pubkey, sizeof(pubkey));
3199 outl = 65;
3200 VG_UNDEF(pubkeyo, 65);
3201 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3202 VG_CHECK(pubkeyo, outl);
3203 CHECK(outl == 33);
3204 CHECK(memcmp(&pubkeyo[1], &pubkeyc[1], 32) == 0);
3205 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
3206 if (ypass) {
3207 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
3208 CHECK(pubkeyo[0] == ysign);
3209 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3210 memset(&pubkey, 0, sizeof(pubkey));
3211 VG_UNDEF(&pubkey, sizeof(pubkey));
3212 secp256k1_pubkey_save(&pubkey, &ge);
3213 VG_CHECK(&pubkey, sizeof(pubkey));
3214 outl = 65;
3215 VG_UNDEF(pubkeyo, 65);
1a368980 3216 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
67f7da40
GM		 3217 VG_CHECK(pubkeyo, outl);
3218 CHECK(outl == 65);
3219 CHECK(pubkeyo[0] == 4);
3220 CHECK(memcmp(&pubkeyo[1], input, 64) == 0);
3221 }
3222 CHECK(ecount == 0);
3223 } else {
3224 /* These cases must fail to parse. */
3225 memset(&pubkey, 0xfe, sizeof(pubkey));
3226 ecount = 0;
3227 VG_UNDEF(&pubkey, sizeof(pubkey));
3228 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
3229 VG_CHECK(&pubkey, sizeof(pubkey));
3230 CHECK(ecount == 0);
3231 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3232 CHECK(ecount == 1);
3233 }
3234 }
3235 }
3236 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3237}
3238
3239void run_ec_pubkey_parse_test(void) {
3240#define SECP256K1_EC_PARSE_TEST_NVALID (12)
3241 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
3242 {
3243 /* Point with leading and trailing zeros in x and y serialization. */
3244 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
3245 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3246 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
3247 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
3248 },
3249 {
3250 /* Point with x equal to a 3rd root of unity.*/
3251 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
3252 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
3253 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3254 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3255 },
3256 {
3257 /* Point with largest x. (1/2) */
3258 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3259 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3260 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
3261 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
3262 },
3263 {
3264 /* Point with largest x. (2/2) */
3265 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3266 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3267 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
3268 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
3269 },
3270 {
3271 /* Point with smallest x. (1/2) */
3272 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3273 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3274 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3275 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3276 },
3277 {
3278 /* Point with smallest x. (2/2) */
3279 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3280 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3281 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3282 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3283 },
3284 {
3285 /* Point with largest y. (1/3) */
3286 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3287 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3288 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3289 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3290 },
3291 {
3292 /* Point with largest y. (2/3) */
3293 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3294 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3295 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3296 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3297 },
3298 {
3299 /* Point with largest y. (3/3) */
3300 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3301 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3302 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3303 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3304 },
3305 {
3306 /* Point with smallest y. (1/3) */
3307 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3308 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3309 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3310 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3311 },
3312 {
3313 /* Point with smallest y. (2/3) */
3314 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3315 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3316 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3317 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3318 },
3319 {
3320 /* Point with smallest y. (3/3) */
3321 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3322 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3323 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3324 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
3325 }
3326 };
3327#define SECP256K1_EC_PARSE_TEST_NXVALID (4)
3328 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
3329 {
3330 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
3331 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3332 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3333 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3334 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3335 },
3336 {
3337 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
3338 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3339 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3340 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3341 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3342 },
3343 {
3344 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
3345 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3346 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3347 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3348 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3349 },
3350 {
3351 /* x on curve, y is from y^2 = x^3 + 8. */
3352 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3353 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3354 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3355 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
3356 }
3357 };
3358#define SECP256K1_EC_PARSE_TEST_NINVALID (7)
3359 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
3360 {
3361 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
3362 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
3363 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
3364 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3365 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3366 },
3367 {
3368 /* Valid if x overflow ignored (x = 1 mod p). */
3369 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3370 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3371 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3372 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3373 },
3374 {
3375 /* Valid if x overflow ignored (x = 1 mod p). */
3376 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3377 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3378 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3379 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3380 },
3381 {
3382 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3383 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3384 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3385 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
3386 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
3387 },
3388 {
3389 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3390 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3391 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3392 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
3393 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
3394 },
3395 {
3396 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3397 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3398 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3399 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
3400 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
3401 },
3402 {
3403 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3404 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3405 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3406 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
3407 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
3408 }
3409 };
3410 const unsigned char pubkeyc[66] = {
3411 /* Serialization of G. */
3412 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
3413 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
3414 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
3415 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
3416 0xB8, 0x00
3417 };
5b71a3f4 3418 unsigned char sout[65];
67f7da40
GM		 3419 unsigned char shortkey[2];
3420 secp256k1_ge ge;
3421 secp256k1_pubkey pubkey;
5b71a3f4 3422 size_t len;
67f7da40
GM		 3423 int32_t i;
3424 int32_t ecount;
3425 int32_t ecount2;
3426 ecount = 0;
3427 /* Nothing should be reading this far into pubkeyc. */
3428 VG_UNDEF(&pubkeyc[65], 1);
3429 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3430 /* Zero length claimed, fail, zeroize, no illegal arg error. */
3431 memset(&pubkey, 0xfe, sizeof(pubkey));
3432 ecount = 0;
3433 VG_UNDEF(shortkey, 2);
3434 VG_UNDEF(&pubkey, sizeof(pubkey));
3435 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
3436 VG_CHECK(&pubkey, sizeof(pubkey));
3437 CHECK(ecount == 0);
3438 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3439 CHECK(ecount == 1);
3440 /* Length one claimed, fail, zeroize, no illegal arg error. */
3441 for (i = 0; i < 256 ; i++) {
3442 memset(&pubkey, 0xfe, sizeof(pubkey));
3443 ecount = 0;
3444 shortkey[0] = i;
3445 VG_UNDEF(&shortkey[1], 1);
3446 VG_UNDEF(&pubkey, sizeof(pubkey));
3447 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
3448 VG_CHECK(&pubkey, sizeof(pubkey));
3449 CHECK(ecount == 0);
3450 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3451 CHECK(ecount == 1);
3452 }
3453 /* Length two claimed, fail, zeroize, no illegal arg error. */
3454 for (i = 0; i < 65536 ; i++) {
3455 memset(&pubkey, 0xfe, sizeof(pubkey));
3456 ecount = 0;
3457 shortkey[0] = i & 255;
3458 shortkey[1] = i >> 8;
3459 VG_UNDEF(&pubkey, sizeof(pubkey));
3460 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
3461 VG_CHECK(&pubkey, sizeof(pubkey));
3462 CHECK(ecount == 0);
3463 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3464 CHECK(ecount == 1);
3465 }
3466 memset(&pubkey, 0xfe, sizeof(pubkey));
3467 ecount = 0;
3468 VG_UNDEF(&pubkey, sizeof(pubkey));
3469 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
3470 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
3471 VG_CHECK(&pubkey, sizeof(pubkey));
3472 CHECK(ecount == 0);
3473 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3474 CHECK(ecount == 1);
3475 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
3476 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
3477 CHECK(ecount == 2);
3478 /* NULL input string. Illegal arg and zeroize output. */
3479 memset(&pubkey, 0xfe, sizeof(pubkey));
3480 ecount = 0;
3481 VG_UNDEF(&pubkey, sizeof(pubkey));
3482 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
3483 VG_CHECK(&pubkey, sizeof(pubkey));
3484 CHECK(ecount == 1);
3485 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3486 CHECK(ecount == 2);
3487 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
3488 memset(&pubkey, 0xfe, sizeof(pubkey));
3489 ecount = 0;
3490 VG_UNDEF(&pubkey, sizeof(pubkey));
3491 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
3492 VG_CHECK(&pubkey, sizeof(pubkey));
3493 CHECK(ecount == 0);
3494 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3495 CHECK(ecount == 1);
3496 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
3497 memset(&pubkey, 0xfe, sizeof(pubkey));
3498 ecount = 0;
3499 VG_UNDEF(&pubkey, sizeof(pubkey));
3500 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
3501 VG_CHECK(&pubkey, sizeof(pubkey));
3502 CHECK(ecount == 0);
3503 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3504 CHECK(ecount == 1);
3505 /* Valid parse. */
3506 memset(&pubkey, 0, sizeof(pubkey));
3507 ecount = 0;
3508 VG_UNDEF(&pubkey, sizeof(pubkey));
3509 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
3510 VG_CHECK(&pubkey, sizeof(pubkey));
3511 CHECK(ecount == 0);
3512 VG_UNDEF(&ge, sizeof(ge));
3513 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3514 VG_CHECK(&ge.x, sizeof(ge.x));
3515 VG_CHECK(&ge.y, sizeof(ge.y));
3516 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
3517 ge_equals_ge(&secp256k1_ge_const_g, &ge);
3518 CHECK(ecount == 0);
5b71a3f4
GM		 3519 /* secp256k1_ec_pubkey_serialize illegal args. */
3520 ecount = 0;
3521 len = 65;
3522 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3523 CHECK(ecount == 1);
3524 CHECK(len == 0);
3525 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3526 CHECK(ecount == 2);
3527 len = 65;
3528 VG_UNDEF(sout, 65);
3529 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
3530 VG_CHECK(sout, 65);
3531 CHECK(ecount == 3);
3532 CHECK(len == 0);
3533 len = 65;
3534 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
3535 CHECK(ecount == 4);
3536 CHECK(len == 0);
3537 len = 65;
3538 VG_UNDEF(sout, 65);
3539 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3540 VG_CHECK(sout, 65);
3541 CHECK(ecount == 4);
3542 CHECK(len == 65);
67f7da40
GM		 3543 /* Multiple illegal args. Should still set arg error only once. */
3544 ecount = 0;
3545 ecount2 = 11;
3546 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3547 CHECK(ecount == 1);
3548 /* Does the illegal arg callback actually change the behavior? */
3549 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
3550 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3551 CHECK(ecount == 1);
3552 CHECK(ecount2 == 10);
3553 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3554 /* Try a bunch of prefabbed points with all possible encodings. */
3555 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
3556 ec_pubkey_parse_pointtest(valid[i], 1, 1);
3557 }
3558 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
3559 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
3560 }
3561 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
3562 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
3563 }
3564}
3565
96be2046
GM		 3566void run_eckey_edge_case_test(void) {
3567 const unsigned char orderc[32] = {
3568 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3569 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3570 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3571 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
3572 };
3573 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
c69dea02
GM		 3574 unsigned char ctmp[33];
3575 unsigned char ctmp2[33];
96be2046
GM		 3576 secp256k1_pubkey pubkey;
3577 secp256k1_pubkey pubkey2;
c69dea02
GM		 3578 secp256k1_pubkey pubkey_one;
3579 secp256k1_pubkey pubkey_negone;
3580 const secp256k1_pubkey *pubkeys[3];
3581 size_t len;
96be2046
GM		 3582 int32_t ecount;
3583 /* Group order is too large, reject. */
3584 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
3585 VG_UNDEF(&pubkey, sizeof(pubkey));
3586 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
3587 VG_CHECK(&pubkey, sizeof(pubkey));
3588 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3589 /* Maximum value is too large, reject. */
3590 memset(ctmp, 255, 32);
3591 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3592 memset(&pubkey, 1, sizeof(pubkey));
3593 VG_UNDEF(&pubkey, sizeof(pubkey));
3594 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3595 VG_CHECK(&pubkey, sizeof(pubkey));
3596 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3597 /* Zero is too small, reject. */
3598 memset(ctmp, 0, 32);
3599 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3600 memset(&pubkey, 1, sizeof(pubkey));
3601 VG_UNDEF(&pubkey, sizeof(pubkey));
3602 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3603 VG_CHECK(&pubkey, sizeof(pubkey));
3604 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3605 /* One must be accepted. */
3606 ctmp[31] = 0x01;
3607 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3608 memset(&pubkey, 0, sizeof(pubkey));
3609 VG_UNDEF(&pubkey, sizeof(pubkey));
3610 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3611 VG_CHECK(&pubkey, sizeof(pubkey));
3612 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
c69dea02 3613 pubkey_one = pubkey;
96be2046
GM		 3614 /* Group order + 1 is too large, reject. */
3615 memcpy(ctmp, orderc, 32);
3616 ctmp[31] = 0x42;
3617 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3618 memset(&pubkey, 1, sizeof(pubkey));
3619 VG_UNDEF(&pubkey, sizeof(pubkey));
3620 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3621 VG_CHECK(&pubkey, sizeof(pubkey));
3622 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3623 /* -1 must be accepted. */
3624 ctmp[31] = 0x40;
3625 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3626 memset(&pubkey, 0, sizeof(pubkey));
3627 VG_UNDEF(&pubkey, sizeof(pubkey));
3628 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3629 VG_CHECK(&pubkey, sizeof(pubkey));
3630 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
c69dea02 3631 pubkey_negone = pubkey;
96be2046
GM		 3632 /* Tweak of zero leaves the value changed. */
3633 memset(ctmp2, 0, 32);
3634 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, ctmp2) == 1);
3635 CHECK(memcmp(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
3636 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
3637 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3638 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3639 /* Multiply tweak of zero zeroizes the output. */
3640 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, ctmp2) == 0);
3641 CHECK(memcmp(zeros, ctmp, 32) == 0);
3642 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
3643 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3644 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3645 /* Overflowing key tweak zeroizes. */
3646 memcpy(ctmp, orderc, 32);
3647 ctmp[31] = 0x40;
3648 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, orderc) == 0);
3649 CHECK(memcmp(zeros, ctmp, 32) == 0);
3650 memcpy(ctmp, orderc, 32);
3651 ctmp[31] = 0x40;
3652 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, orderc) == 0);
3653 CHECK(memcmp(zeros, ctmp, 32) == 0);
3654 memcpy(ctmp, orderc, 32);
3655 ctmp[31] = 0x40;
3656 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
3657 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3658 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3659 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
3660 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3661 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3662 /* Private key tweaks results in a key of zero. */
3663 ctmp2[31] = 1;
3664 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 0);
3665 CHECK(memcmp(zeros, ctmp2, 32) == 0);
3666 ctmp2[31] = 1;
3667 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3668 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3669 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3670 /* Tweak computation wraps and results in a key of 1. */
3671 ctmp2[31] = 2;
3672 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 1);
3673 CHECK(memcmp(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
3674 ctmp2[31] = 2;
3675 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3676 ctmp2[31] = 1;
3677 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
3678 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3679 /* Tweak mul * 2 = 1+1. */
3680 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3681 ctmp2[31] = 2;
3682 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
3683 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3684 /* Test argument errors. */
3685 ecount = 0;
3686 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3687 CHECK(ecount == 0);
3688 /* Zeroize pubkey on parse error. */
3689 memset(&pubkey, 0, 32);
3690 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3691 CHECK(ecount == 1);
3692 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3693 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3694 memset(&pubkey2, 0, 32);
3695 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
3696 CHECK(ecount == 2);
3697 CHECK(memcmp(&pubkey2, zeros, sizeof(pubkey2)) == 0);
3698 /* Plain argument errors. */
3699 ecount = 0;
3700 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3701 CHECK(ecount == 0);
3702 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
3703 CHECK(ecount == 1);
3704 ecount = 0;
3705 memset(ctmp2, 0, 32);
3706 ctmp2[31] = 4;
3707 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
3708 CHECK(ecount == 1);
3709 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
3710 CHECK(ecount == 2);
3711 ecount = 0;
3712 memset(ctmp2, 0, 32);
3713 ctmp2[31] = 4;
3714 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3715 CHECK(ecount == 1);
3716 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
3717 CHECK(ecount == 2);
3718 ecount = 0;
3719 memset(ctmp2, 0, 32);
3720 CHECK(secp256k1_ec_privkey_tweak_add(ctx, NULL, ctmp2) == 0);
3721 CHECK(ecount == 1);
3722 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, NULL) == 0);
3723 CHECK(ecount == 2);
3724 ecount = 0;
3725 memset(ctmp2, 0, 32);
3726 ctmp2[31] = 1;
3727 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3728 CHECK(ecount == 1);
3729 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, NULL) == 0);
3730 CHECK(ecount == 2);
3731 ecount = 0;
3732 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
3733 CHECK(ecount == 1);
3734 memset(&pubkey, 1, sizeof(pubkey));
3735 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
3736 CHECK(ecount == 2);
5b71a3f4 3737 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
c69dea02
GM		 3738 /* secp256k1_ec_pubkey_combine tests. */
3739 ecount = 0;
3740 pubkeys[0] = &pubkey_one;
3741 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
3742 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
3743 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
3744 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3745 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3746 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
3747 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3748 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3749 CHECK(ecount == 1);
c69dea02
GM		 3750 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
3751 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
8e48787d 3752 CHECK(ecount == 2);
c69dea02
GM		 3753 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3754 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3755 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
3756 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3757 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
8e48787d 3758 CHECK(ecount == 3);
c69dea02
GM		 3759 pubkeys[0] = &pubkey_negone;
3760 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3761 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3762 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
3763 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3764 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
8e48787d 3765 CHECK(ecount == 3);
c69dea02
GM		 3766 len = 33;
3767 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3768 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
3769 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
3770 /* Result is infinity. */
3771 pubkeys[0] = &pubkey_one;
3772 pubkeys[1] = &pubkey_negone;
3773 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3774 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3775 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
3776 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3777 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
8e48787d 3778 CHECK(ecount == 3);
c69dea02
GM		 3779 /* Passes through infinity but comes out one. */
3780 pubkeys[2] = &pubkey_one;
3781 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3782 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3783 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
3784 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3785 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
8e48787d 3786 CHECK(ecount == 3);
c69dea02
GM		 3787 len = 33;
3788 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3789 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
3790 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
3791 /* Adds to two. */
3792 pubkeys[1] = &pubkey_one;
3793 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3794 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3795 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
3796 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3797 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
8e48787d 3798 CHECK(ecount == 3);
96be2046
GM		 3799 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3800}
3801
dd891e0e
PW		 3802void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
3803 secp256k1_scalar nonce;
dd08f037 3804 do {
a9f5c8b8 3805 random_scalar_order_test(&nonce);
18c329c5 3806 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
dd08f037
PW		 3807}
3808
2cad067a 3809void test_ecdsa_sign_verify(void) {
dd891e0e
PW		 3810 secp256k1_gej pubj;
3811 secp256k1_ge pub;
3812 secp256k1_scalar one;
3813 secp256k1_scalar msg, key;
3814 secp256k1_scalar sigr, sigs;
ee3eb4be
GM		 3815 int recid;
3816 int getrec;
a9f5c8b8 3817 random_scalar_order_test(&msg);
a9f5c8b8 3818 random_scalar_order_test(&key);
a9b6595e 3819 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
bf2e1ac7 3820 secp256k1_ge_set_gej(&pub, &pubj);
fa57f1bd 3821 getrec = secp256k1_rand_bits(1);
18c329c5 3822 random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
26320197
GM		 3823 if (getrec) {
3824 CHECK(recid >= 0 && recid < 4);
3825 }
18c329c5 3826 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
f24041d6
PW		 3827 secp256k1_scalar_set_int(&one, 1);
3828 secp256k1_scalar_add(&msg, &msg, &one);
18c329c5 3829 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
0a07e62f
PW		 3830}
3831
2cad067a 3832void run_ecdsa_sign_verify(void) {
bf2e1ac7
GM		 3833 int i;
3834 for (i = 0; i < 10*count; i++) {
0a07e62f
PW		 3835 test_ecdsa_sign_verify();
3836 }
3837}
3838
c6e7f4e8 3839/** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
05732c5a 3840static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
c6e7f4e8
PW		 3841 (void)msg32;
3842 (void)key32;
a5a66c70 3843 (void)algo16;
c6e7f4e8
PW		 3844 memcpy(nonce32, data, 32);
3845 return (counter == 0);
3846}
3847
05732c5a 3848static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
941e221f 3849 /* Dummy nonce generator that has a fatal error on the first counter value. */
26320197
GM		 3850 if (counter == 0) {
3851 return 0;
3852 }
dc0ce9fc 3853 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
941e221f
GM		 3854}
3855
05732c5a 3856static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
941e221f
GM		 3857 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
3858 if (counter < 3) {
3859 memset(nonce32, counter==0 ? 0 : 255, 32);
26320197
GM		 3860 if (counter == 2) {
3861 nonce32[31]--;
3862 }
941e221f
GM		 3863 return 1;
3864 }
3865 if (counter < 5) {
3866 static const unsigned char order[] = {
3867 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
3868 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
3869 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
3870 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
3871 };
3872 memcpy(nonce32, order, 32);
26320197
GM		 3873 if (counter == 4) {
3874 nonce32[31]++;
3875 }
941e221f
GM		 3876 return 1;
3877 }
269d4227 3878 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
941e221f 3879 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
26320197
GM		 3880 if (counter > 5) {
3881 return 0;
3882 }
dc0ce9fc 3883 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
941e221f
GM		 3884}
3885
dd891e0e
PW		 3886int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
3887 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
3888 return memcmp(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
8030d7c0
PW		 3889}
3890
2cad067a 3891void test_ecdsa_end_to_end(void) {
efc571ce 3892 unsigned char extra[32] = {0x00};
25f4aec0
PW		 3893 unsigned char privkey[32];
3894 unsigned char message[32];
bf2e1ac7 3895 unsigned char privkey2[32];
0c6ab2ff
PW		 3896 secp256k1_ecdsa_signature signature[6];
3897 secp256k1_scalar r, s;
74a2acdb 3898 unsigned char sig[74];
788038d3 3899 size_t siglen = 74;
23cfa914 3900 unsigned char pubkeyc[65];
788038d3 3901 size_t pubkeyclen = 65;
dd891e0e 3902 secp256k1_pubkey pubkey;
8e48aa60 3903 secp256k1_pubkey pubkey_tmp;
bf2e1ac7 3904 unsigned char seckey[300];
788038d3 3905 size_t seckeylen = 300;
25f4aec0 3906
71712b27 3907 /* Generate a random key and message. */
25f4aec0 3908 {
dd891e0e 3909 secp256k1_scalar msg, key;
659b554d
PW		 3910 random_scalar_order_test(&msg);
3911 random_scalar_order_test(&key);
3912 secp256k1_scalar_get_b32(privkey, &key);
3913 secp256k1_scalar_get_b32(message, &msg);
25f4aec0
PW		 3914 }
3915
71712b27 3916 /* Construct and verify corresponding public key. */
a9b6595e 3917 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
23cfa914 3918 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
99fd963b 3919
23cfa914 3920 /* Verify exporting and importing public key. */
1a368980 3921 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_rand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
23cfa914
PW		 3922 memset(&pubkey, 0, sizeof(pubkey));
3923 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
25f4aec0 3924
8e48aa60
AP		 3925 /* Verify negation changes the key and changes it back */
3926 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
3927 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
3928 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
3929 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
3930 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
3931
71712b27 3932 /* Verify private key import and export. */
eed87af1
AP		 3933 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_rand_bits(1) == 1));
3934 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
25f4aec0
PW		 3935 CHECK(memcmp(privkey, privkey2, 32) == 0);
3936
71712b27 3937 /* Optionally tweak the keys using addition. */
fa57f1bd 3938 if (secp256k1_rand_int(3) == 0) {
bf2e1ac7
GM		 3939 int ret1;
3940 int ret2;
25f4aec0 3941 unsigned char rnd[32];
dd891e0e 3942 secp256k1_pubkey pubkey2;
25f4aec0 3943 secp256k1_rand256_test(rnd);
a9b6595e 3944 ret1 = secp256k1_ec_privkey_tweak_add(ctx, privkey, rnd);
23cfa914 3945 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
25f4aec0 3946 CHECK(ret1 == ret2);
26320197
GM		 3947 if (ret1 == 0) {
3948 return;
3949 }
23cfa914
PW		 3950 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
3951 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
25f4aec0
PW		 3952 }
3953
71712b27 3954 /* Optionally tweak the keys using multiplication. */
fa57f1bd 3955 if (secp256k1_rand_int(3) == 0) {
bf2e1ac7
GM		 3956 int ret1;
3957 int ret2;
25f4aec0 3958 unsigned char rnd[32];
dd891e0e 3959 secp256k1_pubkey pubkey2;
25f4aec0 3960 secp256k1_rand256_test(rnd);
a9b6595e 3961 ret1 = secp256k1_ec_privkey_tweak_mul(ctx, privkey, rnd);
23cfa914 3962 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
25f4aec0 3963 CHECK(ret1 == ret2);
26320197
GM		 3964 if (ret1 == 0) {
3965 return;
3966 }
23cfa914
PW		 3967 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
3968 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
25f4aec0
PW		 3969 }
3970
71712b27 3971 /* Sign. */
dc0ce9fc
PW		 3972 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
3973 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
3974 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
efc571ce 3975 extra[31] = 1;
dc0ce9fc 3976 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
efc571ce
GM		 3977 extra[31] = 0;
3978 extra[0] = 1;
dc0ce9fc 3979 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
74a2acdb
PW		 3980 CHECK(memcmp(&signature[0], &signature[4], sizeof(signature[0])) == 0);
3981 CHECK(memcmp(&signature[0], &signature[1], sizeof(signature[0])) != 0);
3982 CHECK(memcmp(&signature[0], &signature[2], sizeof(signature[0])) != 0);
3983 CHECK(memcmp(&signature[0], &signature[3], sizeof(signature[0])) != 0);
3984 CHECK(memcmp(&signature[1], &signature[2], sizeof(signature[0])) != 0);
3985 CHECK(memcmp(&signature[1], &signature[3], sizeof(signature[0])) != 0);
3986 CHECK(memcmp(&signature[2], &signature[3], sizeof(signature[0])) != 0);
71712b27 3987 /* Verify. */
dc0ce9fc
PW		 3988 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
3989 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
3990 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
3991 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
0c6ab2ff
PW		 3992 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
3993 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
3994 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
3995 secp256k1_scalar_negate(&s, &s);
3996 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
3997 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
3998 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
3999 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4000 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
5b71a3f4 4001 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
0c6ab2ff
PW		 4002 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4003 secp256k1_scalar_negate(&s, &s);
4004 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4005 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4006 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4007 CHECK(memcmp(&signature[5], &signature[0], 64) == 0);
74a2acdb
PW		 4008
4009 /* Serialize/parse DER and verify again */
4010 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4011 memset(&signature[0], 0, sizeof(signature[0]));
4012 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
dc0ce9fc 4013 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
74a2acdb 4014 /* Serialize/destroy/parse DER and verify again. */
1973c737 4015 siglen = 74;
74a2acdb 4016 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
fa57f1bd 4017 sig[secp256k1_rand_int(siglen)] += 1 + secp256k1_rand_int(255);
74a2acdb 4018 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
dc0ce9fc 4019 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
d49abbd5
PW		 4020}
4021
7c6fed28 4022void test_random_pubkeys(void) {
dd891e0e
PW		 4023 secp256k1_ge elem;
4024 secp256k1_ge elem2;
7c6fed28
GM		 4025 unsigned char in[65];
4026 /* Generate some randomly sized pubkeys. */
fa57f1bd
PW		 4027 size_t len = secp256k1_rand_bits(2) == 0 ? 65 : 33;
4028 if (secp256k1_rand_bits(2) == 0) {
4029 len = secp256k1_rand_bits(6);
26320197 4030 }
7c6fed28 4031 if (len == 65) {
fa57f1bd 4032 in[0] = secp256k1_rand_bits(1) ? 4 : (secp256k1_rand_bits(1) ? 6 : 7);
7c6fed28 4033 } else {
fa57f1bd 4034 in[0] = secp256k1_rand_bits(1) ? 2 : 3;
7c6fed28 4035 }
fa57f1bd
PW		 4036 if (secp256k1_rand_bits(3) == 0) {
4037 in[0] = secp256k1_rand_bits(8);
26320197 4038 }
26320197
GM		 4039 if (len > 1) {
4040 secp256k1_rand256(&in[1]);
4041 }
4042 if (len > 33) {
4043 secp256k1_rand256(&in[33]);
4044 }
7c6fed28
GM		 4045 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
4046 unsigned char out[65];
4047 unsigned char firstb;
4048 int res;
788038d3 4049 size_t size = len;
7c6fed28
GM		 4050 firstb = in[0];
4051 /* If the pubkey can be parsed, it should round-trip... */
9234391e 4052 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
7c6fed28
GM		 4053 CHECK(size == len);
4054 CHECK(memcmp(&in[1], &out[1], len-1) == 0);
4055 /* ... except for the type of hybrid inputs. */
26320197
GM		 4056 if ((in[0] != 6) && (in[0] != 7)) {
4057 CHECK(in[0] == out[0]);
4058 }
7c6fed28 4059 size = 65;
9234391e 4060 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
7c6fed28
GM		 4061 CHECK(size == 65);
4062 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
60571c6e 4063 ge_equals_ge(&elem,&elem2);
7c6fed28 4064 /* Check that the X9.62 hybrid type is checked. */
fa57f1bd 4065 in[0] = secp256k1_rand_bits(1) ? 6 : 7;
7c6fed28
GM		 4066 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
4067 if (firstb == 2 || firstb == 3) {
26320197
GM		 4068 if (in[0] == firstb + 4) {
4069 CHECK(res);
4070 } else {
4071 CHECK(!res);
4072 }
7c6fed28
GM		 4073 }
4074 if (res) {
60571c6e 4075 ge_equals_ge(&elem,&elem2);
9234391e 4076 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
7c6fed28
GM		 4077 CHECK(memcmp(&in[1], &out[1], 64) == 0);
4078 }
4079 }
4080}
4081
4082void run_random_pubkeys(void) {
bf2e1ac7
GM		 4083 int i;
4084 for (i = 0; i < 10*count; i++) {
7c6fed28
GM		 4085 test_random_pubkeys();
4086 }
4087}
4088
2cad067a 4089void run_ecdsa_end_to_end(void) {
bf2e1ac7
GM		 4090 int i;
4091 for (i = 0; i < 64*count; i++) {
25f4aec0
PW		 4092 test_ecdsa_end_to_end();
4093 }
4094}
4095
3bb9c447
PW		 4096int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
4097 static const unsigned char zeroes[32] = {0};
a9b2a5d8 4098#ifdef ENABLE_OPENSSL_TESTS
3bb9c447
PW		 4099 static const unsigned char max_scalar[32] = {
4100 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4101 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4102 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4103 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
4104 };
a9b2a5d8 4105#endif
3bb9c447
PW		 4106
4107 int ret = 0;
4108
4109 secp256k1_ecdsa_signature sig_der;
4110 unsigned char roundtrip_der[2048];
4111 unsigned char compact_der[64];
4112 size_t len_der = 2048;
4113 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
4114
fea19e7b
PW		 4115 secp256k1_ecdsa_signature sig_der_lax;
4116 unsigned char roundtrip_der_lax[2048];
4117 unsigned char compact_der_lax[64];
4118 size_t len_der_lax = 2048;
4119 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
4120
3bb9c447
PW		 4121#ifdef ENABLE_OPENSSL_TESTS
4122 ECDSA_SIG *sig_openssl;
4123 const unsigned char *sigptr;
4124 unsigned char roundtrip_openssl[2048];
4125 int len_openssl = 2048;
4126 int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
4127#endif
4128
4129 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
4130 if (parsed_der) {
4131 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
4132 valid_der = (memcmp(compact_der, zeroes, 32) != 0) && (memcmp(compact_der + 32, zeroes, 32) != 0);
4133 }
4134 if (valid_der) {
4135 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
4136 roundtrips_der = (len_der == siglen) && memcmp(roundtrip_der, sig, siglen) == 0;
4137 }
4138
eed87af1 4139 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
fea19e7b
PW		 4140 if (parsed_der_lax) {
4141 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
4142 valid_der_lax = (memcmp(compact_der_lax, zeroes, 32) != 0) && (memcmp(compact_der_lax + 32, zeroes, 32) != 0);
4143 }
4144 if (valid_der_lax) {
4145 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
4146 roundtrips_der_lax = (len_der_lax == siglen) && memcmp(roundtrip_der_lax, sig, siglen) == 0;
4147 }
4148
3bb9c447
PW		 4149 if (certainly_der) {
4150 ret |= (!parsed_der) << 2;
4151 }
4152 if (certainly_not_der) {
4153 ret |= (parsed_der) << 17;
4154 }
4155 if (valid_der) {
4156 ret |= (!roundtrips_der) << 3;
4157 }
4158
fea19e7b
PW		 4159 if (valid_der) {
4160 ret |= (!roundtrips_der_lax) << 12;
4161 ret |= (len_der != len_der_lax) << 13;
4162 ret |= (memcmp(roundtrip_der_lax, roundtrip_der, len_der) != 0) << 14;
4163 }
4164 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
4165 if (parsed_der) {
4166 ret |= (!parsed_der_lax) << 16;
4167 }
4168
3bb9c447
PW		 4169#ifdef ENABLE_OPENSSL_TESTS
4170 sig_openssl = ECDSA_SIG_new();
4171 sigptr = sig;
4172 parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
4173 if (parsed_openssl) {
4174 valid_openssl = !BN_is_negative(sig_openssl->r) && !BN_is_negative(sig_openssl->s) && BN_num_bits(sig_openssl->r) > 0 && BN_num_bits(sig_openssl->r) <= 256 && BN_num_bits(sig_openssl->s) > 0 && BN_num_bits(sig_openssl->s) <= 256;
4175 if (valid_openssl) {
4176 unsigned char tmp[32] = {0};
4177 BN_bn2bin(sig_openssl->r, tmp + 32 - BN_num_bytes(sig_openssl->r));
4178 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4179 }
4180 if (valid_openssl) {
4181 unsigned char tmp[32] = {0};
4182 BN_bn2bin(sig_openssl->s, tmp + 32 - BN_num_bytes(sig_openssl->s));
4183 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4184 }
4185 }
4186 len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
4187 if (len_openssl <= 2048) {
4188 unsigned char *ptr = roundtrip_openssl;
4189 CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
4190 roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (memcmp(roundtrip_openssl, sig, siglen) == 0);
4191 } else {
4192 len_openssl = 0;
4193 }
4194 ECDSA_SIG_free(sig_openssl);
4195
4196 ret |= (parsed_der && !parsed_openssl) << 4;
4197 ret |= (valid_der && !valid_openssl) << 5;
4198 ret |= (roundtrips_openssl && !parsed_der) << 6;
4199 ret |= (roundtrips_der != roundtrips_openssl) << 7;
4200 if (roundtrips_openssl) {
4201 ret |= (len_der != (size_t)len_openssl) << 8;
4202 ret |= (memcmp(roundtrip_der, roundtrip_openssl, len_der) != 0) << 9;
4203 }
4204#endif
4205 return ret;
4206}
4207
4208static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
4209 size_t i;
4210 for (i = 0; i < ptrlen; i++) {
4211 int shift = ptrlen - 1 - i;
4212 if (shift >= 4) {
4213 ptr[i] = 0;
4214 } else {
4215 ptr[i] = (val >> shift) & 0xFF;
4216 }
4217 }
4218}
4219
4220static void damage_array(unsigned char *sig, size_t *len) {
4221 int pos;
4222 int action = secp256k1_rand_bits(3);
5d4c5a31 4223 if (action < 1 && *len > 3) {
3bb9c447
PW		 4224 /* Delete a byte. */
4225 pos = secp256k1_rand_int(*len);
4226 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
4227 (*len)--;
4228 return;
5d4c5a31 4229 } else if (action < 2 && *len < 2048) {
3bb9c447
PW		 4230 /* Insert a byte. */
4231 pos = secp256k1_rand_int(1 + *len);
4232 memmove(sig + pos + 1, sig + pos, *len - pos);
4233 sig[pos] = secp256k1_rand_bits(8);
4234 (*len)++;
4235 return;
4236 } else if (action < 4) {
4237 /* Modify a byte. */
4238 sig[secp256k1_rand_int(*len)] += 1 + secp256k1_rand_int(255);
4239 return;
4240 } else { /* action < 8 */
4241 /* Modify a bit. */
4242 sig[secp256k1_rand_int(*len)] ^= 1 << secp256k1_rand_bits(3);
4243 return;
4244 }
4245}
4246
4247static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
4248 int der;
4249 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
4250 size_t tlen, elen, glen;
4251 int indet;
4252 int n;
4253
4254 *len = 0;
4255 der = secp256k1_rand_bits(2) == 0;
4256 *certainly_der = der;
4257 *certainly_not_der = 0;
4258 indet = der ? 0 : secp256k1_rand_int(10) == 0;
4259
4260 for (n = 0; n < 2; n++) {
4261 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
4262 nlow[n] = der ? 1 : (secp256k1_rand_bits(3) != 0);
4263 /* The length of the number in bytes (the first byte of which will always be nonzero) */
4264 nlen[n] = nlow[n] ? secp256k1_rand_int(33) : 32 + secp256k1_rand_int(200) * secp256k1_rand_int(8) / 8;
4265 CHECK(nlen[n] <= 232);
4266 /* The top bit of the number. */
4267 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_rand_bits(1));
4268 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
4269 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_rand_bits(7) : 1 + secp256k1_rand_int(127));
4270 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
4271 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_rand_int(3) : secp256k1_rand_int(300 - nlen[n]) * secp256k1_rand_int(8) / 8);
4272 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
4273 *certainly_not_der = 1;
4274 }
4275 CHECK(nlen[n] + nzlen[n] <= 300);
4276 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
4277 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
4278 if (!der) {
4279 /* nlenlen[n] max 127 bytes */
4280 int add = secp256k1_rand_int(127 - nlenlen[n]) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4281 nlenlen[n] += add;
4282 if (add != 0) {
4283 *certainly_not_der = 1;
4284 }
4285 }
4286 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
4287 }
4288
4289 /* The total length of the data to go, so far */
4290 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
4291 CHECK(tlen <= 856);
4292
4293 /* The length of the garbage inside the tuple. */
4294 elen = (der || indet) ? 0 : secp256k1_rand_int(980 - tlen) * secp256k1_rand_int(8) / 8;
4295 if (elen != 0) {
4296 *certainly_not_der = 1;
4297 }
4298 tlen += elen;
4299 CHECK(tlen <= 980);
4300
4301 /* The length of the garbage after the end of the tuple. */
4302 glen = der ? 0 : secp256k1_rand_int(990 - tlen) * secp256k1_rand_int(8) / 8;
4303 if (glen != 0) {
4304 *certainly_not_der = 1;
4305 }
4306 CHECK(tlen + glen <= 990);
4307
4308 /* Write the tuple header. */
4309 sig[(*len)++] = 0x30;
4310 if (indet) {
4311 /* Indeterminate length */
4312 sig[(*len)++] = 0x80;
4313 *certainly_not_der = 1;
4314 } else {
4315 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
4316 if (!der) {
4317 int add = secp256k1_rand_int(127 - tlenlen) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4318 tlenlen += add;
4319 if (add != 0) {
4320 *certainly_not_der = 1;
4321 }
4322 }
4323 if (tlenlen == 0) {
4324 /* Short length notation */
4325 sig[(*len)++] = tlen;
4326 } else {
4327 /* Long length notation */
4328 sig[(*len)++] = 128 + tlenlen;
4329 assign_big_endian(sig + *len, tlenlen, tlen);
4330 *len += tlenlen;
4331 }
4332 tlen += tlenlen;
4333 }
4334 tlen += 2;
4335 CHECK(tlen + glen <= 1119);
4336
4337 for (n = 0; n < 2; n++) {
4338 /* Write the integer header. */
4339 sig[(*len)++] = 0x02;
4340 if (nlenlen[n] == 0) {
4341 /* Short length notation */
4342 sig[(*len)++] = nlen[n] + nzlen[n];
4343 } else {
4344 /* Long length notation. */
4345 sig[(*len)++] = 128 + nlenlen[n];
4346 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
4347 *len += nlenlen[n];
4348 }
4349 /* Write zero padding */
4350 while (nzlen[n] > 0) {
4351 sig[(*len)++] = 0x00;
4352 nzlen[n]--;
4353 }
4354 if (nlen[n] == 32 && !nlow[n]) {
4355 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
4356 int i;
4357 for (i = 0; i < 16; i++) {
4358 sig[(*len)++] = 0xFF;
4359 }
4360 nlen[n] -= 16;
4361 }
4362 /* Write first byte of number */
4363 if (nlen[n] > 0) {
4364 sig[(*len)++] = nhbyte[n];
4365 nlen[n]--;
4366 }
4367 /* Generate remaining random bytes of number */
4368 secp256k1_rand_bytes_test(sig + *len, nlen[n]);
4369 *len += nlen[n];
4370 nlen[n] = 0;
4371 }
4372
4373 /* Generate random garbage inside tuple. */
4374 secp256k1_rand_bytes_test(sig + *len, elen);
4375 *len += elen;
4376
4377 /* Generate end-of-contents bytes. */
4378 if (indet) {
4379 sig[(*len)++] = 0;
4380 sig[(*len)++] = 0;
4381 tlen += 2;
4382 }
4383 CHECK(tlen + glen <= 1121);
4384
4385 /* Generate random garbage outside tuple. */
4386 secp256k1_rand_bytes_test(sig + *len, glen);
4387 *len += glen;
4388 tlen += glen;
4389 CHECK(tlen <= 1121);
4390 CHECK(tlen == *len);
4391}
4392
4393void run_ecdsa_der_parse(void) {
4394 int i,j;
4395 for (i = 0; i < 200 * count; i++) {
4396 unsigned char buffer[2048];
4397 size_t buflen = 0;
4398 int certainly_der = 0;
4399 int certainly_not_der = 0;
4400 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
5d4c5a31 4401 CHECK(buflen <= 2048);
3bb9c447
PW		 4402 for (j = 0; j < 16; j++) {
4403 int ret = 0;
4404 if (j > 0) {
4405 damage_array(buffer, &buflen);
4406 /* We don't know anything anymore about the DERness of the result */
4407 certainly_der = 0;
4408 certainly_not_der = 0;
4409 }
4410 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
4411 if (ret != 0) {
4412 size_t k;
4413 fprintf(stderr, "Failure %x on ", ret);
4414 for (k = 0; k < buflen; k++) {
4415 fprintf(stderr, "%02x ", buffer[k]);
4416 }
4417 fprintf(stderr, "\n");
4418 }
4419 CHECK(ret == 0);
4420 }
4421 }
4422}
4423
6e052878
PW		 4424/* Tests several edge cases. */
4425void test_ecdsa_edge_cases(void) {
d49abbd5 4426 int t;
dd891e0e 4427 secp256k1_ecdsa_signature sig;
d49abbd5
PW		 4428
4429 /* Test the case where ECDSA recomputes a point that is infinity. */
4430 {
dd891e0e
PW		 4431 secp256k1_gej keyj;
4432 secp256k1_ge key;
4433 secp256k1_scalar msg;
4434 secp256k1_scalar sr, ss;
d49abbd5
PW		 4435 secp256k1_scalar_set_int(&ss, 1);
4436 secp256k1_scalar_negate(&ss, &ss);
4437 secp256k1_scalar_inverse(&ss, &ss);
4438 secp256k1_scalar_set_int(&sr, 1);
4439 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
4440 secp256k1_ge_set_gej(&key, &keyj);
4441 msg = ss;
4442 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4443 }
4444
96be2046 4445 /* Verify signature with r of zero fails. */
d49abbd5 4446 {
96be2046
GM		 4447 const unsigned char pubkey_mods_zero[33] = {
4448 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4449 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4450 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4451 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4452 0x41
4453 };
4454 secp256k1_ge key;
4455 secp256k1_scalar msg;
4456 secp256k1_scalar sr, ss;
4457 secp256k1_scalar_set_int(&ss, 1);
4458 secp256k1_scalar_set_int(&msg, 0);
4459 secp256k1_scalar_set_int(&sr, 0);
4460 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
4461 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4462 }
4463
4464 /* Verify signature with s of zero fails. */
4465 {
4466 const unsigned char pubkey[33] = {
4467 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4468 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4469 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4470 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4471 0x01
4472 };
4473 secp256k1_ge key;
4474 secp256k1_scalar msg;
4475 secp256k1_scalar sr, ss;
4476 secp256k1_scalar_set_int(&ss, 0);
4477 secp256k1_scalar_set_int(&msg, 0);
4478 secp256k1_scalar_set_int(&sr, 1);
4479 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4480 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4481 }
4482
4483 /* Verify signature with message 0 passes. */
4484 {
4485 const unsigned char pubkey[33] = {
4486 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4487 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4488 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4489 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4490 0x02
4491 };
4492 const unsigned char pubkey2[33] = {
4493 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4494 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4495 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4496 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4497 0x43
4498 };
4499 secp256k1_ge key;
4500 secp256k1_ge key2;
4501 secp256k1_scalar msg;
4502 secp256k1_scalar sr, ss;
4503 secp256k1_scalar_set_int(&ss, 2);
4504 secp256k1_scalar_set_int(&msg, 0);
4505 secp256k1_scalar_set_int(&sr, 2);
4506 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4507 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4508 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4509 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4510 secp256k1_scalar_negate(&ss, &ss);
4511 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4512 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4513 secp256k1_scalar_set_int(&ss, 1);
4514 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4515 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4516 }
4517
4518 /* Verify signature with message 1 passes. */
4519 {
4520 const unsigned char pubkey[33] = {
4521 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
4522 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
4523 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
4524 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
4525 0x25
4526 };
4527 const unsigned char pubkey2[33] = {
4528 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
4529 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
4530 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
4531 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
4532 0x62
4533 };
4534 const unsigned char csr[32] = {
4535 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4536 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4537 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4538 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
4539 };
4540 secp256k1_ge key;
4541 secp256k1_ge key2;
4542 secp256k1_scalar msg;
4543 secp256k1_scalar sr, ss;
4544 secp256k1_scalar_set_int(&ss, 1);
4545 secp256k1_scalar_set_int(&msg, 1);
4546 secp256k1_scalar_set_b32(&sr, csr, NULL);
4547 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4548 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4549 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4550 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4551 secp256k1_scalar_negate(&ss, &ss);
4552 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4553 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4554 secp256k1_scalar_set_int(&ss, 2);
4555 secp256k1_scalar_inverse_var(&ss, &ss);
4556 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4557 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4558 }
4559
4560 /* Verify signature with message -1 passes. */
4561 {
4562 const unsigned char pubkey[33] = {
4563 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
4564 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
4565 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
4566 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
4567 0xf1
4568 };
4569 const unsigned char csr[32] = {
4570 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4571 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4572 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4573 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
4574 };
4575 secp256k1_ge key;
4576 secp256k1_scalar msg;
4577 secp256k1_scalar sr, ss;
4578 secp256k1_scalar_set_int(&ss, 1);
4579 secp256k1_scalar_set_int(&msg, 1);
4580 secp256k1_scalar_negate(&msg, &msg);
4581 secp256k1_scalar_set_b32(&sr, csr, NULL);
4582 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4583 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4584 secp256k1_scalar_negate(&ss, &ss);
4585 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4586 secp256k1_scalar_set_int(&ss, 3);
4587 secp256k1_scalar_inverse_var(&ss, &ss);
4588 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4589 }
4590
4591 /* Signature where s would be zero. */
4592 {
4593 secp256k1_pubkey pubkey;
788038d3 4594 size_t siglen;
96be2046
GM		 4595 int32_t ecount;
4596 unsigned char signature[72];
4597 static const unsigned char nonce[32] = {
d49abbd5
PW		 4598 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4599 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4600 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4601 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4602 };
4603 static const unsigned char nonce2[32] = {
4604 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4605 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4606 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4607 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
4608 };
4609 const unsigned char key[32] = {
4610 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4611 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4612 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4613 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4614 };
4615 unsigned char msg[32] = {
4616 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
4617 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
4618 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
4619 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
4620 };
96be2046
GM		 4621 ecount = 0;
4622 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
dc0ce9fc
PW		 4623 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
4624 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
d49abbd5 4625 msg[31] = 0xaa;
dc0ce9fc 4626 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
96be2046
GM		 4627 CHECK(ecount == 0);
4628 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
4629 CHECK(ecount == 1);
4630 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
4631 CHECK(ecount == 2);
4632 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
4633 CHECK(ecount == 3);
dc0ce9fc 4634 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
96be2046
GM		 4635 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
4636 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
4637 CHECK(ecount == 4);
4638 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
4639 CHECK(ecount == 5);
4640 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
4641 CHECK(ecount == 6);
4642 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
5b71a3f4
GM		 4643 CHECK(ecount == 6);
4644 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4645 CHECK(ecount == 7);
4646 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
4647 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
4648 CHECK(ecount == 8);
d49abbd5 4649 siglen = 72;
96be2046 4650 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
5b71a3f4 4651 CHECK(ecount == 9);
96be2046 4652 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
5b71a3f4 4653 CHECK(ecount == 10);
96be2046 4654 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
5b71a3f4 4655 CHECK(ecount == 11);
d49abbd5 4656 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
5b71a3f4
GM		 4657 CHECK(ecount == 11);
4658 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
4659 CHECK(ecount == 12);
4660 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
4661 CHECK(ecount == 13);
4662 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
4663 CHECK(ecount == 13);
d49abbd5 4664 siglen = 10;
5b71a3f4 4665 /* Too little room for a signature does not fail via ARGCHECK. */
d49abbd5 4666 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
5b71a3f4
GM		 4667 CHECK(ecount == 13);
4668 ecount = 0;
4669 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
4670 CHECK(ecount == 1);
4671 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
4672 CHECK(ecount == 2);
4673 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
4674 CHECK(ecount == 3);
4675 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
4676 CHECK(ecount == 3);
4677 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
4678 CHECK(ecount == 4);
4679 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
4680 CHECK(ecount == 5);
4681 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
4682 CHECK(ecount == 5);
c69dea02
GM		 4683 memset(signature, 255, 64);
4684 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
4685 CHECK(ecount == 5);
96be2046 4686 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
d49abbd5
PW		 4687 }
4688
4689 /* Nonce function corner cases. */
4690 for (t = 0; t < 2; t++) {
4691 static const unsigned char zero[32] = {0x00};
4692 int i;
4693 unsigned char key[32];
4694 unsigned char msg[32];
dd891e0e
PW		 4695 secp256k1_ecdsa_signature sig2;
4696 secp256k1_scalar sr[512], ss;
d49abbd5
PW		 4697 const unsigned char *extra;
4698 extra = t == 0 ? NULL : zero;
4699 memset(msg, 0, 32);
4700 msg[31] = 1;
4701 /* High key results in signature failure. */
4702 memset(key, 0xFF, 32);
dc0ce9fc 4703 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
d49abbd5
PW		 4704 CHECK(is_empty_signature(&sig));
4705 /* Zero key results in signature failure. */
4706 memset(key, 0, 32);
dc0ce9fc 4707 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
d49abbd5
PW		 4708 CHECK(is_empty_signature(&sig));
4709 /* Nonce function failure results in signature failure. */
4710 key[31] = 1;
dc0ce9fc 4711 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
d49abbd5
PW		 4712 CHECK(is_empty_signature(&sig));
4713 /* The retry loop successfully makes its way to the first good value. */
dc0ce9fc 4714 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
d49abbd5 4715 CHECK(!is_empty_signature(&sig));
dc0ce9fc 4716 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
d49abbd5
PW		 4717 CHECK(!is_empty_signature(&sig2));
4718 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
269d4227 4719 /* The default nonce function is deterministic. */
dc0ce9fc 4720 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
d49abbd5
PW		 4721 CHECK(!is_empty_signature(&sig2));
4722 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4723 /* The default nonce function changes output with different messages. */
4724 for(i = 0; i < 256; i++) {
4725 int j;
4726 msg[0] = i;
dc0ce9fc 4727 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
d49abbd5
PW		 4728 CHECK(!is_empty_signature(&sig2));
4729 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4730 for (j = 0; j < i; j++) {
4731 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4732 }
4733 }
4734 msg[0] = 0;
4735 msg[31] = 2;
4736 /* The default nonce function changes output with different keys. */
4737 for(i = 256; i < 512; i++) {
4738 int j;
4739 key[0] = i - 256;
dc0ce9fc 4740 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
d49abbd5
PW		 4741 CHECK(!is_empty_signature(&sig2));
4742 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4743 for (j = 0; j < i; j++) {
4744 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4745 }
4746 }
4747 key[0] = 0;
4748 }
4749
b30fc85c 4750 {
269d4227 4751 /* Check that optional nonce arguments do not have equivalent effect. */
b30fc85c
GM		 4752 const unsigned char zeros[32] = {0};
4753 unsigned char nonce[32];
4754 unsigned char nonce2[32];
4755 unsigned char nonce3[32];
4756 unsigned char nonce4[32];
4757 VG_UNDEF(nonce,32);
4758 VG_UNDEF(nonce2,32);
4759 VG_UNDEF(nonce3,32);
4760 VG_UNDEF(nonce4,32);
4761 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
4762 VG_CHECK(nonce,32);
4763 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
4764 VG_CHECK(nonce2,32);
4765 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
4766 VG_CHECK(nonce3,32);
4767 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
4768 VG_CHECK(nonce4,32);
4769 CHECK(memcmp(nonce, nonce2, 32) != 0);
4770 CHECK(memcmp(nonce, nonce3, 32) != 0);
4771 CHECK(memcmp(nonce, nonce4, 32) != 0);
4772 CHECK(memcmp(nonce2, nonce3, 32) != 0);
4773 CHECK(memcmp(nonce2, nonce4, 32) != 0);
4774 CHECK(memcmp(nonce3, nonce4, 32) != 0);
4775 }
4776
4777
d49abbd5
PW		 4778 /* Privkey export where pubkey is the point at infinity. */
4779 {
4780 unsigned char privkey[300];
4781 unsigned char seckey[32] = {
4782 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4783 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4784 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4785 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
4786 };
788038d3 4787 size_t outlen = 300;
eed87af1 4788 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
1973c737 4789 outlen = 300;
eed87af1 4790 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
d49abbd5
PW		 4791 }
4792}
4793
6e052878
PW		 4794void run_ecdsa_edge_cases(void) {
4795 test_ecdsa_edge_cases();
3bf029d6 4796}
25f4aec0 4797
dd08f037 4798#ifdef ENABLE_OPENSSL_TESTS
7914a6eb 4799EC_KEY *get_openssl_key(const unsigned char *key32) {
12e29b32 4800 unsigned char privkey[300];
788038d3 4801 size_t privkeylen;
12e29b32 4802 const unsigned char* pbegin = privkey;
fa57f1bd 4803 int compr = secp256k1_rand_bits(1);
dd08f037 4804 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
eed87af1 4805 CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
0592d117
PW		 4806 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
4807 CHECK(EC_KEY_check_key(ec_key));
dd08f037
PW		 4808 return ec_key;
4809}
4810
2cad067a 4811void test_ecdsa_openssl(void) {
dd891e0e
PW		 4812 secp256k1_gej qj;
4813 secp256k1_ge q;
4814 secp256k1_scalar sigr, sigs;
4815 secp256k1_scalar one;
4816 secp256k1_scalar msg2;
4817 secp256k1_scalar key, msg;
bf2e1ac7
GM		 4818 EC_KEY *ec_key;
4819 unsigned int sigsize = 80;
788038d3 4820 size_t secp_sigsize = 80;
dd08f037 4821 unsigned char message[32];
bf2e1ac7 4822 unsigned char signature[80];
7914a6eb 4823 unsigned char key32[32];
dd08f037 4824 secp256k1_rand256_test(message);
eca6cdb1 4825 secp256k1_scalar_set_b32(&msg, message, NULL);
a9f5c8b8 4826 random_scalar_order_test(&key);
7914a6eb 4827 secp256k1_scalar_get_b32(key32, &key);
a9b6595e 4828 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
dd08f037 4829 secp256k1_ge_set_gej(&q, &qj);
7914a6eb 4830 ec_key = get_openssl_key(key32);
2b199de8 4831 CHECK(ec_key != NULL);
0592d117 4832 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
18c329c5
PW		 4833 CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
4834 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
f24041d6 4835 secp256k1_scalar_set_int(&one, 1);
f24041d6 4836 secp256k1_scalar_add(&msg2, &msg, &one);
18c329c5 4837 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
dd08f037 4838
18c329c5
PW		 4839 random_sign(&sigr, &sigs, &key, &msg, NULL);
4840 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
9974d869 4841 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
dd08f037 4842
dd08f037 4843 EC_KEY_free(ec_key);
dd08f037
PW		 4844}
4845
2cad067a 4846void run_ecdsa_openssl(void) {
bf2e1ac7
GM		 4847 int i;
4848 for (i = 0; i < 10*count; i++) {
dd08f037
PW		 4849 test_ecdsa_openssl();
4850 }
4851}
4852#endif
4853
0739bbb6
AP		 4854#ifdef ENABLE_MODULE_ECDH
4855# include "modules/ecdh/tests_impl.h"
4856#endif
4857
9f443be0
PW		 4858#ifdef ENABLE_MODULE_RECOVERY
4859# include "modules/recovery/tests_impl.h"
4860#endif
4861
404c30a8 4862int main(int argc, char **argv) {
89561118
PW		 4863 unsigned char seed16[16] = {0};
4864 unsigned char run32[32] = {0};
71712b27 4865 /* find iteration count */
3fd6253e
PW		 4866 if (argc > 1) {
4867 count = strtol(argv[1], NULL, 0);
4868 }
4869
71712b27 4870 /* find random seed */
3fd6253e 4871 if (argc > 2) {
89561118
PW		 4872 int pos = 0;
4873 const char* ch = argv[2];
4874 while (pos < 16 && ch[0] != 0 && ch[1] != 0) {
4875 unsigned short sh;
4876 if (sscanf(ch, "%2hx", &sh)) {
4877 seed16[pos] = sh;
4878 } else {
4879 break;
4880 }
4881 ch += 2;
4882 pos++;
4883 }
3fd6253e
PW		 4884 } else {
4885 FILE *frand = fopen("/dev/urandom", "r");
2b199de8 4886 if ((frand == NULL) || !fread(&seed16, sizeof(seed16), 1, frand)) {
89561118
PW		 4887 uint64_t t = time(NULL) * (uint64_t)1337;
4888 seed16[0] ^= t;
4889 seed16[1] ^= t >> 8;
4890 seed16[2] ^= t >> 16;
4891 seed16[3] ^= t >> 24;
4892 seed16[4] ^= t >> 32;
4893 seed16[5] ^= t >> 40;
4894 seed16[6] ^= t >> 48;
4895 seed16[7] ^= t >> 56;
3fd6253e
PW		 4896 }
4897 fclose(frand);
4898 }
89561118 4899 secp256k1_rand_seed(seed16);
404c30a8 4900
dd08f037 4901 printf("test count = %i\n", count);
89561118 4902 printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]);
dd08f037 4903
71712b27 4904 /* initialize */
d899b5b6 4905 run_context_tests();
548de42e 4906 run_scratch_tests();
a9b6595e 4907 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
fa57f1bd 4908 if (secp256k1_rand_bits(1)) {
d2275795 4909 secp256k1_rand256(run32);
fa57f1bd 4910 CHECK(secp256k1_context_randomize(ctx, secp256k1_rand_bits(1) ? run32 : NULL));
d2275795 4911 }
49b37498
PW		 4912
4913 run_rand_bits();
4914 run_rand_int();
4915
b37fbc28
PW		 4916 run_sha256_tests();
4917 run_hmac_sha256_tests();
4918 run_rfc6979_hmac_sha256_tests();
4919
597128d3 4920#ifndef USE_NUM_NONE
71712b27 4921 /* num tests */
3f44e1ad 4922 run_num_smalltests();
597128d3 4923#endif
404c30a8 4924
71712b27 4925 /* scalar tests */
79359302
PW		 4926 run_scalar_tests();
4927
71712b27 4928 /* field tests */
f16be77f
PD		 4929 run_field_inv();
4930 run_field_inv_var();
f16be77f 4931 run_field_inv_all_var();
8d11164b 4932 run_field_misc();
ff889f7d 4933 run_field_convert();
59447da3 4934 run_sqr();
09ca4f32
PD		 4935 run_sqrt();
4936
71712b27 4937 /* group tests */
9338dbf7 4938 run_ge();
64666251 4939 run_group_decompress();
9338dbf7 4940
71712b27 4941 /* ecmult tests */
404c30a8
PW		 4942 run_wnaf();
4943 run_point_times_order();
4944 run_ecmult_chain();
d2275795
GM		 4945 run_ecmult_constants();
4946 run_ecmult_gen_blind();
44015000 4947 run_ecmult_const_tests();
dba5471b 4948 run_ecmult_multi_tests();
a5a66c70 4949 run_ec_combine();
404c30a8 4950
baa75da5
AP		 4951 /* endomorphism tests */
4952#ifdef USE_ENDOMORPHISM
4953 run_endomorphism_tests();
4954#endif
4955
96be2046 4956 /* EC point parser test */
67f7da40
GM		 4957 run_ec_pubkey_parse_test();
4958
96be2046
GM		 4959 /* EC key edge cases */
4960 run_eckey_edge_case_test();
4961
0739bbb6
AP		 4962#ifdef ENABLE_MODULE_ECDH
4963 /* ecdh tests */
4964 run_ecdh_tests();
4965#endif
4966
71712b27 4967 /* ecdsa tests */
7c6fed28 4968 run_random_pubkeys();
3bb9c447 4969 run_ecdsa_der_parse();
404c30a8 4970 run_ecdsa_sign_verify();
25f4aec0 4971 run_ecdsa_end_to_end();
6e052878 4972 run_ecdsa_edge_cases();
dd08f037
PW		 4973#ifdef ENABLE_OPENSSL_TESTS
4974 run_ecdsa_openssl();
4975#endif
910d0de4 4976
9f443be0
PW		 4977#ifdef ENABLE_MODULE_RECOVERY
4978 /* ECDSA pubkey recovery tests */
4979 run_recovery_tests();
4980#endif
4981
89561118
PW		 4982 secp256k1_rand256(run32);
4983 printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]);
bff11e91 4984
71712b27 4985 /* shutdown */
a9b6595e 4986 secp256k1_context_destroy(ctx);
c996d53a
PW		 4987
4988 printf("no problems found\n");
a41f32e6
PW		 4989 return 0;
4990}
Empty description
This page took 0.762973 seconds and 4 git commands to generate.