]> Git Repo - secp256k1.git/blame - src/tests.c
projects / secp256k1.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
scratch: save a couple bytes of unnecessarily-allocated memory
[secp256k1.git] / src / tests.c
CommitLineData
71712b27 1/**********************************************************************
9c4fb23d 2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
71712b27
GM		 3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
0a433ea2 6
78cd96b1
CF		 7#if defined HAVE_CONFIG_H
8#include "libsecp256k1-config.h"
9#endif
10
5a9989c5 11#include <stdio.h>
0592d117 12#include <stdlib.h>
8e48aa60 13#include <string.h>
a41f32e6 14
e06a9244
PJ		 15#include <time.h>
16
25f4aec0 17#include "secp256k1.c"
67f7da40 18#include "include/secp256k1.h"
238305fd 19#include "include/secp256k1_preallocated.h"
f0709ac5 20#include "testrand_impl.h"
a41f32e6 21
dd08f037
PW		 22#ifdef ENABLE_OPENSSL_TESTS
23#include "openssl/bn.h"
24#include "openssl/ec.h"
25#include "openssl/ecdsa.h"
26#include "openssl/obj_mac.h"
31abd3ab
AB		 27# if OPENSSL_VERSION_NUMBER < 0x10100000L
28void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {*pr = sig->r; *ps = sig->s;}
29# endif
dd08f037
PW		 30#endif
31
eed87af1
AP		 32#include "contrib/lax_der_parsing.c"
33#include "contrib/lax_der_privatekey_parsing.c"
fea19e7b 34
67f7da40
GM		 35#if !defined(VG_CHECK)
36# if defined(VALGRIND)
37# include <valgrind/memcheck.h>
38# define VG_UNDEF(x,y) VALGRIND_MAKE_MEM_UNDEFINED((x),(y))
39# define VG_CHECK(x,y) VALGRIND_CHECK_MEM_IS_DEFINED((x),(y))
40# else
41# define VG_UNDEF(x,y)
42# define VG_CHECK(x,y)
43# endif
44#endif
45
79f599d3 46static int count = 64;
dd891e0e 47static secp256k1_context *ctx = NULL;
4adf6b2a 48
96be2046
GM		 49static void counting_illegal_callback_fn(const char* str, void* data) {
50 /* Dummy callback function that just counts. */
51 int32_t *p;
52 (void)str;
53 p = data;
54 (*p)++;
55}
56
57static void uncounting_illegal_callback_fn(const char* str, void* data) {
58 /* Dummy callback function that just counts (backwards). */
59 int32_t *p;
60 (void)str;
61 p = data;
62 (*p)--;
63}
64
dd891e0e 65void random_field_element_test(secp256k1_fe *fe) {
9338dbf7
PW		 66 do {
67 unsigned char b32[32];
68 secp256k1_rand256_test(b32);
659b554d
PW		 69 if (secp256k1_fe_set_b32(fe, b32)) {
70 break;
71 }
9338dbf7
PW		 72 } while(1);
73}
74
dd891e0e
PW		 75void random_field_element_magnitude(secp256k1_fe *fe) {
76 secp256k1_fe zero;
fa57f1bd 77 int n = secp256k1_rand_int(9);
9338dbf7 78 secp256k1_fe_normalize(fe);
60571c6e
PW		 79 if (n == 0) {
80 return;
9338dbf7 81 }
60571c6e
PW		 82 secp256k1_fe_clear(&zero);
83 secp256k1_fe_negate(&zero, &zero, 0);
84 secp256k1_fe_mul_int(&zero, n - 1);
85 secp256k1_fe_add(fe, &zero);
3f3964e4 86 VERIFY_CHECK(fe->magnitude == n);
9338dbf7
PW		 87}
88
dd891e0e
PW		 89void random_group_element_test(secp256k1_ge *ge) {
90 secp256k1_fe fe;
9338dbf7
PW		 91 do {
92 random_field_element_test(&fe);
fa57f1bd 93 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand_bits(1))) {
baa75da5 94 secp256k1_fe_normalize(&ge->y);
9338dbf7 95 break;
26320197 96 }
9338dbf7
PW		 97 } while(1);
98}
99
dd891e0e
PW		 100void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
101 secp256k1_fe z2, z3;
9338dbf7
PW		 102 do {
103 random_field_element_test(&gej->z);
104 if (!secp256k1_fe_is_zero(&gej->z)) {
105 break;
106 }
107 } while(1);
bf2e1ac7
GM		 108 secp256k1_fe_sqr(&z2, &gej->z);
109 secp256k1_fe_mul(&z3, &z2, &gej->z);
9338dbf7
PW		 110 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
111 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
112 gej->infinity = ge->infinity;
113}
114
dd891e0e 115void random_scalar_order_test(secp256k1_scalar *num) {
a9f5c8b8
PW		 116 do {
117 unsigned char b32[32];
a9f5c8b8 118 int overflow = 0;
bf2e1ac7 119 secp256k1_rand256_test(b32);
eca6cdb1 120 secp256k1_scalar_set_b32(num, b32, &overflow);
26320197 121 if (overflow || secp256k1_scalar_is_zero(num)) {
a9f5c8b8 122 continue;
26320197 123 }
a9f5c8b8
PW		 124 break;
125 } while(1);
126}
127
dd891e0e 128void random_scalar_order(secp256k1_scalar *num) {
f24041d6
PW		 129 do {
130 unsigned char b32[32];
f24041d6 131 int overflow = 0;
bf2e1ac7 132 secp256k1_rand256(b32);
f24041d6 133 secp256k1_scalar_set_b32(num, b32, &overflow);
26320197 134 if (overflow || secp256k1_scalar_is_zero(num)) {
f24041d6 135 continue;
26320197 136 }
f24041d6
PW		 137 break;
138 } while(1);
139}
140
814cc78d 141void run_context_tests(int use_prealloc) {
96be2046 142 secp256k1_pubkey pubkey;
8e48aa60 143 secp256k1_pubkey zero_pubkey;
96be2046
GM		 144 secp256k1_ecdsa_signature sig;
145 unsigned char ctmp[32];
146 int32_t ecount;
147 int32_t ecount2;
814cc78d
TR		 148 secp256k1_context *none;
149 secp256k1_context *sign;
150 secp256k1_context *vrfy;
151 secp256k1_context *both;
152 void *none_prealloc = NULL;
153 void *sign_prealloc = NULL;
154 void *vrfy_prealloc = NULL;
155 void *both_prealloc = NULL;
d899b5b6 156
dd891e0e
PW		 157 secp256k1_gej pubj;
158 secp256k1_ge pub;
159 secp256k1_scalar msg, key, nonce;
160 secp256k1_scalar sigr, sigs;
d899b5b6 161
814cc78d
TR		 162 if (use_prealloc) {
163 none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
164 sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
165 vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
166 both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
167 CHECK(none_prealloc != NULL);
168 CHECK(sign_prealloc != NULL);
169 CHECK(vrfy_prealloc != NULL);
170 CHECK(both_prealloc != NULL);
171 none = secp256k1_context_preallocated_create(none_prealloc, SECP256K1_CONTEXT_NONE);
172 sign = secp256k1_context_preallocated_create(sign_prealloc, SECP256K1_CONTEXT_SIGN);
173 vrfy = secp256k1_context_preallocated_create(vrfy_prealloc, SECP256K1_CONTEXT_VERIFY);
174 both = secp256k1_context_preallocated_create(both_prealloc, SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
175 } else {
176 none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
177 sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
178 vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
179 both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
180 }
181
8e48aa60
AP		 182 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
183
96be2046
GM		 184 ecount = 0;
185 ecount2 = 10;
186 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
187 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
188 secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, NULL);
189 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
190
814cc78d
TR		 191 /* check if sizes for cloning are consistent */
192 CHECK(secp256k1_context_preallocated_clone_size(none) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
193 CHECK(secp256k1_context_preallocated_clone_size(sign) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
194 CHECK(secp256k1_context_preallocated_clone_size(vrfy) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
195 CHECK(secp256k1_context_preallocated_clone_size(both) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
196
d899b5b6
AP		 197 /*** clone and destroy all of them to make sure cloning was complete ***/
198 {
dd891e0e 199 secp256k1_context *ctx_tmp;
d899b5b6 200
814cc78d
TR		 201 if (use_prealloc) {
202 /* clone into a non-preallocated context and then again into a new preallocated one. */
203 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
204 free(none_prealloc); none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL);
205 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, none_prealloc); secp256k1_context_destroy(ctx_tmp);
206
207 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
208 free(sign_prealloc); sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL);
209 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, sign_prealloc); secp256k1_context_destroy(ctx_tmp);
210
211 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
212 free(vrfy_prealloc); vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL);
213 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, vrfy_prealloc); secp256k1_context_destroy(ctx_tmp);
214
215 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
216 free(both_prealloc); both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL);
217 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, both_prealloc); secp256k1_context_destroy(ctx_tmp);
218 } else {
219 /* clone into a preallocated context and then again into a new non-preallocated one. */
220 void *prealloc_tmp;
221
222 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL);
223 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
224 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
225 free(prealloc_tmp);
226
227 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL);
228 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
229 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
230 free(prealloc_tmp);
231
232 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
233 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
234 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
235 free(prealloc_tmp);
236
237 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
238 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
239 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
240 free(prealloc_tmp);
241 }
d899b5b6
AP		 242 }
243
96be2046
GM		 244 /* Verify that the error callback makes it across the clone. */
245 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
246 /* And that it resets back to default. */
247 secp256k1_context_set_error_callback(sign, NULL, NULL);
248 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
249
d899b5b6
AP		 250 /*** attempt to use them ***/
251 random_scalar_order_test(&msg);
252 random_scalar_order_test(&key);
253 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
254 secp256k1_ge_set_gej(&pub, &pubj);
255
96be2046
GM		 256 /* Verify context-type checking illegal-argument errors. */
257 memset(ctmp, 1, 32);
258 CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
259 CHECK(ecount == 1);
260 VG_UNDEF(&pubkey, sizeof(pubkey));
261 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
262 VG_CHECK(&pubkey, sizeof(pubkey));
263 CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
264 CHECK(ecount == 2);
265 VG_UNDEF(&sig, sizeof(sig));
266 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
267 VG_CHECK(&sig, sizeof(sig));
268 CHECK(ecount2 == 10);
269 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
270 CHECK(ecount2 == 11);
271 CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
272 CHECK(ecount == 2);
273 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
274 CHECK(ecount2 == 12);
275 CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
276 CHECK(ecount == 2);
277 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
278 CHECK(ecount2 == 13);
8e48aa60 279 CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
96be2046 280 CHECK(ecount == 2);
8e48aa60
AP		 281 CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
282 CHECK(ecount == 2);
283 CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
284 CHECK(ecount2 == 14);
285 CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
286 CHECK(ecount == 3);
287 CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
96be2046 288 CHECK(ecount == 3);
61983752
TR		 289 CHECK(secp256k1_context_randomize(vrfy, ctmp) == 1);
290 CHECK(ecount == 3);
291 CHECK(secp256k1_context_randomize(vrfy, NULL) == 1);
292 CHECK(ecount == 3);
293 CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
294 CHECK(ecount2 == 14);
96be2046 295 CHECK(secp256k1_context_randomize(sign, NULL) == 1);
8e48aa60 296 CHECK(ecount2 == 14);
96be2046
GM		 297 secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
298 secp256k1_context_set_illegal_callback(sign, NULL, NULL);
299
d899b5b6
AP		 300 /* obtain a working nonce */
301 do {
302 random_scalar_order_test(&nonce);
18c329c5 303 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
d899b5b6
AP		 304
305 /* try signing */
18c329c5
PW		 306 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
307 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
d899b5b6
AP		 308
309 /* try verifying */
18c329c5
PW		 310 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
311 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
5c2a4fad
AP		 312
313 /* cleanup */
814cc78d
TR		 314 if (use_prealloc) {
315 secp256k1_context_preallocated_destroy(none);
316 secp256k1_context_preallocated_destroy(sign);
317 secp256k1_context_preallocated_destroy(vrfy);
318 secp256k1_context_preallocated_destroy(both);
319 free(none_prealloc);
320 free(sign_prealloc);
321 free(vrfy_prealloc);
322 free(both_prealloc);
323 } else {
324 secp256k1_context_destroy(none);
325 secp256k1_context_destroy(sign);
326 secp256k1_context_destroy(vrfy);
327 secp256k1_context_destroy(both);
328 }
5b71a3f4
GM		 329 /* Defined as no-op. */
330 secp256k1_context_destroy(NULL);
814cc78d
TR		 331 secp256k1_context_preallocated_destroy(NULL);
332
d899b5b6
AP		 333}
334
548de42e
AP		 335void run_scratch_tests(void) {
336 int32_t ecount = 0;
337 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
338 secp256k1_scratch_space *scratch;
c2b028a2 339 secp256k1_scratch_space local_scratch;
548de42e
AP		 340
341 /* Test public API */
342 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
c2b028a2 343 secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
548de42e 344
6fe50439 345 scratch = secp256k1_scratch_space_create(none, 1000);
548de42e 346 CHECK(scratch != NULL);
6fe50439 347 CHECK(ecount == 0);
548de42e
AP		 348
349 /* Test internal API */
c2b028a2
AP		 350 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
351 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) < 1000);
6fe50439
AP		 352
353 /* Allocating 500 bytes with no frame fails */
c2b028a2
AP		 354 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
355 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
6fe50439
AP		 356
357 /* ...but pushing a new stack frame does affect the max allocation */
c2b028a2 358 CHECK(secp256k1_scratch_allocate_frame(&none->error_callback, scratch, 500, 1) == 1);
7623cf2b 359 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) < 500); /* 500 - (ALIGNMENT - 1) */
c2b028a2
AP		 360 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
361 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
6fe50439 362
c2b028a2 363 CHECK(secp256k1_scratch_allocate_frame(&none->error_callback, scratch, 500, 1) == 0);
6fe50439
AP		 364
365 /* ...and this effect is undone by popping the frame */
c2b028a2
AP		 366 secp256k1_scratch_deallocate_frame(&none->error_callback, scratch);
367 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
368 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
548de42e
AP		 369
370 /* cleanup */
c2b028a2
AP		 371 secp256k1_scratch_space_destroy(none, scratch);
372 CHECK(ecount == 0);
373
374 /* try to use badly initialized scratch space */
375 memset(&local_scratch, 0, sizeof(local_scratch));
376 scratch = &local_scratch;
377 CHECK(!secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0));
378 CHECK(ecount == 1);
379 CHECK(secp256k1_scratch_allocate_frame(&none->error_callback, scratch, 500, 1) == 0);
380 CHECK(ecount == 2);
381 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
382 CHECK(ecount == 3);
383 secp256k1_scratch_deallocate_frame(&none->error_callback, scratch);
384 CHECK(ecount == 4);
385 secp256k1_scratch_space_destroy(none, scratch);
386 CHECK(ecount == 5);
387
548de42e
AP		 388 secp256k1_context_destroy(none);
389}
390
b37fbc28
PW		 391/***** HASH TESTS *****/
392
393void run_sha256_tests(void) {
394 static const char *inputs[8] = {
395 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
396 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
397 "For this sample, this 63-byte string will be used as input data",
398 "This is exactly 64 bytes long, not counting the terminating byte"
399 };
400 static const unsigned char outputs[8][32] = {
401 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
402 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
403 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
404 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
405 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
406 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
407 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
408 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
409 };
bf2e1ac7
GM		 410 int i;
411 for (i = 0; i < 8; i++) {
412 unsigned char out[32];
d1dc9dfc 413 secp256k1_sha256 hasher;
b37fbc28
PW		 414 secp256k1_sha256_initialize(&hasher);
415 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
b37fbc28
PW		 416 secp256k1_sha256_finalize(&hasher, out);
417 CHECK(memcmp(out, outputs[i], 32) == 0);
418 if (strlen(inputs[i]) > 0) {
fa57f1bd 419 int split = secp256k1_rand_int(strlen(inputs[i]));
bf2e1ac7 420 secp256k1_sha256_initialize(&hasher);
b37fbc28
PW		 421 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
422 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
423 secp256k1_sha256_finalize(&hasher, out);
424 CHECK(memcmp(out, outputs[i], 32) == 0);
425 }
426 }
427}
428
429void run_hmac_sha256_tests(void) {
430 static const char *keys[6] = {
431 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
432 "\x4a\x65\x66\x65",
433 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
434 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
435 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
436 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
437 };
438 static const char *inputs[6] = {
439 "\x48\x69\x20\x54\x68\x65\x72\x65",
440 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
441 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
442 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
443 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
444 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
445 };
446 static const unsigned char outputs[6][32] = {
447 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
448 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
449 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
450 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
451 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
452 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
453 };
bf2e1ac7
GM		 454 int i;
455 for (i = 0; i < 6; i++) {
d1dc9dfc 456 secp256k1_hmac_sha256 hasher;
bf2e1ac7 457 unsigned char out[32];
b37fbc28
PW		 458 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
459 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
b37fbc28
PW		 460 secp256k1_hmac_sha256_finalize(&hasher, out);
461 CHECK(memcmp(out, outputs[i], 32) == 0);
462 if (strlen(inputs[i]) > 0) {
fa57f1bd 463 int split = secp256k1_rand_int(strlen(inputs[i]));
bf2e1ac7 464 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
b37fbc28
PW		 465 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
466 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
467 secp256k1_hmac_sha256_finalize(&hasher, out);
468 CHECK(memcmp(out, outputs[i], 32) == 0);
469 }
470 }
471}
472
473void run_rfc6979_hmac_sha256_tests(void) {
3e6f1e20 474 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
b37fbc28
PW		 475 static const unsigned char out1[3][32] = {
476 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
477 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
478 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
479 };
480
3e6f1e20 481 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
b37fbc28
PW		 482 static const unsigned char out2[3][32] = {
483 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
484 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
485 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
486 };
487
d1dc9dfc 488 secp256k1_rfc6979_hmac_sha256 rng;
b37fbc28 489 unsigned char out[32];
bf2e1ac7 490 int i;
b37fbc28 491
3e6f1e20 492 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
bf2e1ac7 493 for (i = 0; i < 3; i++) {
b37fbc28
PW		 494 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
495 CHECK(memcmp(out, out1[i], 32) == 0);
496 }
497 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
498
3e6f1e20 499 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
1573a102
PW		 500 for (i = 0; i < 3; i++) {
501 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
502 CHECK(memcmp(out, out1[i], 32) != 0);
503 }
504 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
505
3e6f1e20 506 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
bf2e1ac7 507 for (i = 0; i < 3; i++) {
b37fbc28
PW		 508 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
509 CHECK(memcmp(out, out2[i], 32) == 0);
510 }
511 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
512}
513
49b37498
PW		 514/***** RANDOM TESTS *****/
515
516void test_rand_bits(int rand32, int bits) {
517 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
518 * get a false negative chance below once in a billion */
519 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
520 /* We try multiplying the results with various odd numbers, which shouldn't
521 * influence the uniform distribution modulo a power of 2. */
522 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
523 /* We only select up to 6 bits from the output to analyse */
524 unsigned int usebits = bits > 6 ? 6 : bits;
525 unsigned int maxshift = bits - usebits;
526 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
527 number, track all observed outcomes, one per bit in a uint64_t. */
528 uint64_t x[6][27] = {{0}};
529 unsigned int i, shift, m;
530 /* Multiply the output of all rand calls with the odd number m, which
531 should not change the uniformity of its distribution. */
532 for (i = 0; i < rounds[usebits]; i++) {
533 uint32_t r = (rand32 ? secp256k1_rand32() : secp256k1_rand_bits(bits));
534 CHECK((((uint64_t)r) >> bits) == 0);
535 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
536 uint32_t rm = r * mults[m];
537 for (shift = 0; shift <= maxshift; shift++) {
538 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
539 }
540 }
541 }
542 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
543 for (shift = 0; shift <= maxshift; shift++) {
544 /* Test that the lower usebits bits of x[shift] are 1 */
545 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
546 }
547 }
548}
549
550/* Subrange must be a whole divisor of range, and at most 64 */
551void test_rand_int(uint32_t range, uint32_t subrange) {
552 /* (1-1/subrange)^rounds < 1/10^9 */
553 int rounds = (subrange * 2073) / 100;
554 int i;
555 uint64_t x = 0;
556 CHECK((range % subrange) == 0);
557 for (i = 0; i < rounds; i++) {
558 uint32_t r = secp256k1_rand_int(range);
559 CHECK(r < range);
560 r = r % subrange;
561 x |= (((uint64_t)1) << r);
562 }
563 /* Test that the lower subrange bits of x are 1. */
564 CHECK(((~x) << (64 - subrange)) == 0);
565}
566
567void run_rand_bits(void) {
568 size_t b;
569 test_rand_bits(1, 32);
570 for (b = 1; b <= 32; b++) {
571 test_rand_bits(0, b);
572 }
573}
574
575void run_rand_int(void) {
576 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
577 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
578 unsigned int m, s;
579 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
580 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
581 test_rand_int(ms[m] * ss[s], ss[s]);
582 }
583 }
584}
585
659b554d
PW		 586/***** NUM TESTS *****/
587
597128d3 588#ifndef USE_NUM_NONE
dd891e0e 589void random_num_negate(secp256k1_num *num) {
fa57f1bd 590 if (secp256k1_rand_bits(1)) {
659b554d 591 secp256k1_num_negate(num);
26320197 592 }
659b554d
PW		 593}
594
dd891e0e
PW		 595void random_num_order_test(secp256k1_num *num) {
596 secp256k1_scalar sc;
659b554d
PW		 597 random_scalar_order_test(&sc);
598 secp256k1_scalar_get_num(num, &sc);
599}
600
dd891e0e
PW		 601void random_num_order(secp256k1_num *num) {
602 secp256k1_scalar sc;
659b554d
PW		 603 random_scalar_order(&sc);
604 secp256k1_scalar_get_num(num, &sc);
404c30a8
PW		 605}
606
2cad067a 607void test_num_negate(void) {
dd891e0e
PW		 608 secp256k1_num n1;
609 secp256k1_num n2;
71712b27 610 random_num_order_test(&n1); /* n1 = R */
3f44e1ad 611 random_num_negate(&n1);
71712b27
GM		 612 secp256k1_num_copy(&n2, &n1); /* n2 = R */
613 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
0592d117 614 CHECK(secp256k1_num_is_zero(&n1));
71712b27
GM		 615 secp256k1_num_copy(&n1, &n2); /* n1 = R */
616 secp256k1_num_negate(&n1); /* n1 = -R */
0592d117 617 CHECK(!secp256k1_num_is_zero(&n1));
71712b27 618 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
0592d117 619 CHECK(secp256k1_num_is_zero(&n1));
71712b27
GM		 620 secp256k1_num_copy(&n1, &n2); /* n1 = R */
621 secp256k1_num_negate(&n1); /* n1 = -R */
0592d117 622 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
71712b27 623 secp256k1_num_negate(&n1); /* n1 = R */
1a749b4a 624 CHECK(secp256k1_num_eq(&n1, &n2));
3f44e1ad
PW		 625}
626
2cad067a 627void test_num_add_sub(void) {
efd953a7
PD		 628 int i;
629 secp256k1_scalar s;
dd891e0e
PW		 630 secp256k1_num n1;
631 secp256k1_num n2;
632 secp256k1_num n1p2, n2p1, n1m2, n2m1;
71712b27 633 random_num_order_test(&n1); /* n1 = R1 */
fa57f1bd 634 if (secp256k1_rand_bits(1)) {
1a749b4a
PW		 635 random_num_negate(&n1);
636 }
71712b27 637 random_num_order_test(&n2); /* n2 = R2 */
fa57f1bd 638 if (secp256k1_rand_bits(1)) {
1a749b4a
PW		 639 random_num_negate(&n2);
640 }
71712b27
GM		 641 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
642 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
643 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
644 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
1a749b4a
PW		 645 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
646 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
71712b27 647 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
1a749b4a
PW		 648 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
649 CHECK(!secp256k1_num_eq(&n2m1, &n1));
71712b27 650 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
1a749b4a
PW		 651 CHECK(secp256k1_num_eq(&n2m1, &n1));
652 CHECK(!secp256k1_num_eq(&n2p1, &n1));
71712b27 653 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
1a749b4a 654 CHECK(secp256k1_num_eq(&n2p1, &n1));
efd953a7
PD		 655
656 /* check is_one */
657 secp256k1_scalar_set_int(&s, 1);
658 secp256k1_scalar_get_num(&n1, &s);
659 CHECK(secp256k1_num_is_one(&n1));
660 /* check that 2^n + 1 is never 1 */
661 secp256k1_scalar_get_num(&n2, &s);
662 for (i = 0; i < 250; ++i) {
663 secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */
664 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */
665 CHECK(!secp256k1_num_is_one(&n1p2));
666 }
667}
668
669void test_num_mod(void) {
670 int i;
671 secp256k1_scalar s;
672 secp256k1_num order, n;
673
674 /* check that 0 mod anything is 0 */
7d893f49 675 random_scalar_order_test(&s);
efd953a7
PD		 676 secp256k1_scalar_get_num(&order, &s);
677 secp256k1_scalar_set_int(&s, 0);
678 secp256k1_scalar_get_num(&n, &s);
679 secp256k1_num_mod(&n, &order);
680 CHECK(secp256k1_num_is_zero(&n));
681
682 /* check that anything mod 1 is 0 */
683 secp256k1_scalar_set_int(&s, 1);
684 secp256k1_scalar_get_num(&order, &s);
685 secp256k1_scalar_get_num(&n, &s);
686 secp256k1_num_mod(&n, &order);
687 CHECK(secp256k1_num_is_zero(&n));
688
689 /* check that increasing the number past 2^256 does not break this */
7d893f49 690 random_scalar_order_test(&s);
efd953a7
PD		 691 secp256k1_scalar_get_num(&n, &s);
692 /* multiply by 2^8, which'll test this case with high probability */
693 for (i = 0; i < 8; ++i) {
694 secp256k1_num_add(&n, &n, &n);
695 }
696 secp256k1_num_mod(&n, &order);
697 CHECK(secp256k1_num_is_zero(&n));
698}
699
700void test_num_jacobi(void) {
701 secp256k1_scalar sqr;
702 secp256k1_scalar small;
703 secp256k1_scalar five; /* five is not a quadratic residue */
704 secp256k1_num order, n;
705 int i;
706 /* squares mod 5 are 1, 4 */
707 const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
708
709 /* check some small values with 5 as the order */
710 secp256k1_scalar_set_int(&five, 5);
711 secp256k1_scalar_get_num(&order, &five);
712 for (i = 0; i < 10; ++i) {
713 secp256k1_scalar_set_int(&small, i);
714 secp256k1_scalar_get_num(&n, &small);
715 CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
716 }
717
718 /** test large values with 5 as group order */
719 secp256k1_scalar_get_num(&order, &five);
720 /* we first need a scalar which is not a multiple of 5 */
721 do {
722 secp256k1_num fiven;
7d893f49 723 random_scalar_order_test(&sqr);
efd953a7
PD		 724 secp256k1_scalar_get_num(&fiven, &five);
725 secp256k1_scalar_get_num(&n, &sqr);
726 secp256k1_num_mod(&n, &fiven);
727 } while (secp256k1_num_is_zero(&n));
728 /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
729 * just multiply by two, i.e. add the number to itself */
730 if (secp256k1_num_jacobi(&n, &order) == -1) {
731 secp256k1_num_add(&n, &n, &n);
732 }
733
734 /* test residue */
735 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
736 /* test nonresidue */
737 secp256k1_num_add(&n, &n, &n);
738 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
739
740 /** test with secp group order as order */
741 secp256k1_scalar_order_get_num(&order);
7d893f49 742 random_scalar_order_test(&sqr);
efd953a7
PD		 743 secp256k1_scalar_sqr(&sqr, &sqr);
744 /* test residue */
745 secp256k1_scalar_get_num(&n, &sqr);
746 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
747 /* test nonresidue */
748 secp256k1_scalar_mul(&sqr, &sqr, &five);
749 secp256k1_scalar_get_num(&n, &sqr);
750 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
751 /* test multiple of the order*/
752 CHECK(secp256k1_num_jacobi(&order, &order) == 0);
753
754 /* check one less than the order */
755 secp256k1_scalar_set_int(&small, 1);
756 secp256k1_scalar_get_num(&n, &small);
757 secp256k1_num_sub(&n, &order, &n);
758 CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */
3f44e1ad
PW		 759}
760
2cad067a 761void run_num_smalltests(void) {
bf2e1ac7
GM		 762 int i;
763 for (i = 0; i < 100*count; i++) {
3f44e1ad
PW		 764 test_num_negate();
765 test_num_add_sub();
efd953a7
PD		 766 test_num_mod();
767 test_num_jacobi();
3f44e1ad 768 }
3f44e1ad 769}
597128d3 770#endif
3f44e1ad 771
79359302
PW		 772/***** SCALAR TESTS *****/
773
79359302 774void scalar_test(void) {
dd891e0e
PW		 775 secp256k1_scalar s;
776 secp256k1_scalar s1;
777 secp256k1_scalar s2;
bf2e1ac7 778#ifndef USE_NUM_NONE
dd891e0e
PW		 779 secp256k1_num snum, s1num, s2num;
780 secp256k1_num order, half_order;
bf2e1ac7 781#endif
79359302
PW		 782 unsigned char c[32];
783
71712b27 784 /* Set 's' to a random scalar, with value 'snum'. */
659b554d 785 random_scalar_order_test(&s);
79359302 786
71712b27 787 /* Set 's1' to a random scalar, with value 's1num'. */
659b554d 788 random_scalar_order_test(&s1);
79359302 789
71712b27 790 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
659b554d
PW		 791 random_scalar_order_test(&s2);
792 secp256k1_scalar_get_b32(c, &s2);
793
597128d3 794#ifndef USE_NUM_NONE
659b554d
PW		 795 secp256k1_scalar_get_num(&snum, &s);
796 secp256k1_scalar_get_num(&s1num, &s1);
797 secp256k1_scalar_get_num(&s2num, &s2);
798
659b554d 799 secp256k1_scalar_order_get_num(&order);
bf2e1ac7 800 half_order = order;
659b554d 801 secp256k1_num_shift(&half_order, 1);
597128d3 802#endif
79359302
PW		 803
804 {
bf2e1ac7 805 int i;
71712b27 806 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
dd891e0e 807 secp256k1_scalar n;
1e6c77c3 808 secp256k1_scalar_set_int(&n, 0);
bf2e1ac7 809 for (i = 0; i < 256; i += 4) {
dd891e0e 810 secp256k1_scalar t;
bf2e1ac7 811 int j;
1e6c77c3 812 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
bf2e1ac7 813 for (j = 0; j < 4; j++) {
1e6c77c3
PW		 814 secp256k1_scalar_add(&n, &n, &n);
815 }
816 secp256k1_scalar_add(&n, &n, &t);
79359302 817 }
1e6c77c3
PW		 818 CHECK(secp256k1_scalar_eq(&n, &s));
819 }
820
821 {
822 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
dd891e0e 823 secp256k1_scalar n;
1e6c77c3 824 int i = 0;
bf2e1ac7 825 secp256k1_scalar_set_int(&n, 0);
1e6c77c3 826 while (i < 256) {
dd891e0e 827 secp256k1_scalar t;
bf2e1ac7 828 int j;
fa57f1bd 829 int now = secp256k1_rand_int(15) + 1;
1e6c77c3
PW		 830 if (now + i > 256) {
831 now = 256 - i;
832 }
1e6c77c3 833 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
bf2e1ac7 834 for (j = 0; j < now; j++) {
1e6c77c3
PW		 835 secp256k1_scalar_add(&n, &n, &n);
836 }
837 secp256k1_scalar_add(&n, &n, &t);
838 i += now;
839 }
840 CHECK(secp256k1_scalar_eq(&n, &s));
79359302
PW		 841 }
842
597128d3 843#ifndef USE_NUM_NONE
79359302 844 {
71712b27 845 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
dd891e0e
PW		 846 secp256k1_num rnum;
847 secp256k1_num r2num;
848 secp256k1_scalar r;
79359302 849 secp256k1_num_add(&rnum, &snum, &s2num);
659b554d 850 secp256k1_num_mod(&rnum, &order);
79359302 851 secp256k1_scalar_add(&r, &s, &s2);
79359302
PW		 852 secp256k1_scalar_get_num(&r2num, &r);
853 CHECK(secp256k1_num_eq(&rnum, &r2num));
79359302
PW		 854 }
855
856 {
269d4227 857 /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
dd891e0e
PW		 858 secp256k1_scalar r;
859 secp256k1_num r2num;
860 secp256k1_num rnum;
79359302 861 secp256k1_num_mul(&rnum, &snum, &s2num);
659b554d 862 secp256k1_num_mod(&rnum, &order);
79359302 863 secp256k1_scalar_mul(&r, &s, &s2);
79359302
PW		 864 secp256k1_scalar_get_num(&r2num, &r);
865 CHECK(secp256k1_num_eq(&rnum, &r2num));
71712b27 866 /* The result can only be zero if at least one of the factors was zero. */
79359302 867 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
71712b27 868 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
79359302
PW		 869 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
870 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
79359302
PW		 871 }
872
873 {
dd891e0e
PW		 874 secp256k1_scalar neg;
875 secp256k1_num negnum;
876 secp256k1_num negnum2;
71712b27 877 /* Check that comparison with zero matches comparison with zero on the number. */
79359302 878 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
71712b27 879 /* Check that comparison with the half order is equal to testing for high scalar. */
659b554d 880 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
79359302 881 secp256k1_scalar_negate(&neg, &s);
659b554d
PW		 882 secp256k1_num_sub(&negnum, &order, &snum);
883 secp256k1_num_mod(&negnum, &order);
71712b27 884 /* Check that comparison with the half order is equal to testing for high scalar after negation. */
659b554d 885 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
71712b27 886 /* Negating should change the high property, unless the value was already zero. */
79359302 887 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
79359302 888 secp256k1_scalar_get_num(&negnum2, &neg);
71712b27 889 /* Negating a scalar should be equal to (order - n) mod order on the number. */
79359302
PW		 890 CHECK(secp256k1_num_eq(&negnum, &negnum2));
891 secp256k1_scalar_add(&neg, &neg, &s);
71712b27 892 /* Adding a number to its negation should result in zero. */
79359302
PW		 893 CHECK(secp256k1_scalar_is_zero(&neg));
894 secp256k1_scalar_negate(&neg, &neg);
71712b27 895 /* Negating zero should still result in zero. */
79359302 896 CHECK(secp256k1_scalar_is_zero(&neg));
79359302 897 }
ff8746d4
PW		 898
899 {
900 /* Test secp256k1_scalar_mul_shift_var. */
dd891e0e
PW		 901 secp256k1_scalar r;
902 secp256k1_num one;
903 secp256k1_num rnum;
904 secp256k1_num rnum2;
bf2e1ac7 905 unsigned char cone[1] = {0x01};
fa57f1bd 906 unsigned int shift = 256 + secp256k1_rand_int(257);
ff8746d4 907 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
ff8746d4
PW		 908 secp256k1_num_mul(&rnum, &s1num, &s2num);
909 secp256k1_num_shift(&rnum, shift - 1);
ff8746d4
PW		 910 secp256k1_num_set_bin(&one, cone, 1);
911 secp256k1_num_add(&rnum, &rnum, &one);
912 secp256k1_num_shift(&rnum, 1);
ff8746d4
PW		 913 secp256k1_scalar_get_num(&rnum2, &r);
914 CHECK(secp256k1_num_eq(&rnum, &rnum2));
915 }
44015000
AP		 916
917 {
918 /* test secp256k1_scalar_shr_int */
dd891e0e 919 secp256k1_scalar r;
44015000 920 int i;
44015000
AP		 921 random_scalar_order_test(&r);
922 for (i = 0; i < 100; ++i) {
cfe0ed91 923 int low;
fa57f1bd 924 int shift = 1 + secp256k1_rand_int(15);
44015000
AP		 925 int expected = r.d[0] % (1 << shift);
926 low = secp256k1_scalar_shr_int(&r, shift);
927 CHECK(expected == low);
928 }
929 }
597128d3 930#endif
79359302
PW		 931
932 {
71712b27 933 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
79359302 934 if (!secp256k1_scalar_is_zero(&s)) {
dd891e0e 935 secp256k1_scalar inv;
597128d3 936#ifndef USE_NUM_NONE
dd891e0e
PW		 937 secp256k1_num invnum;
938 secp256k1_num invnum2;
bf2e1ac7
GM		 939#endif
940 secp256k1_scalar_inverse(&inv, &s);
941#ifndef USE_NUM_NONE
942 secp256k1_num_mod_inverse(&invnum, &snum, &order);
79359302
PW		 943 secp256k1_scalar_get_num(&invnum2, &inv);
944 CHECK(secp256k1_num_eq(&invnum, &invnum2));
597128d3 945#endif
79359302 946 secp256k1_scalar_mul(&inv, &inv, &s);
71712b27 947 /* Multiplying a scalar with its inverse must result in one. */
79359302
PW		 948 CHECK(secp256k1_scalar_is_one(&inv));
949 secp256k1_scalar_inverse(&inv, &inv);
71712b27 950 /* Inverting one must result in one. */
79359302 951 CHECK(secp256k1_scalar_is_one(&inv));
efd953a7
PD		 952#ifndef USE_NUM_NONE
953 secp256k1_scalar_get_num(&invnum, &inv);
954 CHECK(secp256k1_num_is_one(&invnum));
955#endif
79359302
PW		 956 }
957 }
958
959 {
71712b27 960 /* Test commutativity of add. */
dd891e0e 961 secp256k1_scalar r1, r2;
79359302
PW		 962 secp256k1_scalar_add(&r1, &s1, &s2);
963 secp256k1_scalar_add(&r2, &s2, &s1);
964 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 965 }
966
52132078 967 {
dd891e0e
PW		 968 secp256k1_scalar r1, r2;
969 secp256k1_scalar b;
bf2e1ac7 970 int i;
52132078 971 /* Test add_bit. */
fa57f1bd 972 int bit = secp256k1_rand_bits(8);
1e6c77c3 973 secp256k1_scalar_set_int(&b, 1);
52132078 974 CHECK(secp256k1_scalar_is_one(&b));
bf2e1ac7 975 for (i = 0; i < bit; i++) {
52132078
PW		 976 secp256k1_scalar_add(&b, &b, &b);
977 }
bf2e1ac7
GM		 978 r1 = s1;
979 r2 = s1;
29ae1310 980 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
52132078 981 /* No overflow happened. */
ed35d43a
AP		 982 secp256k1_scalar_cadd_bit(&r2, bit, 1);
983 CHECK(secp256k1_scalar_eq(&r1, &r2));
984 /* cadd is a noop when flag is zero */
985 secp256k1_scalar_cadd_bit(&r2, bit, 0);
52132078
PW		 986 CHECK(secp256k1_scalar_eq(&r1, &r2));
987 }
988 }
989
79359302 990 {
71712b27 991 /* Test commutativity of mul. */
dd891e0e 992 secp256k1_scalar r1, r2;
79359302
PW		 993 secp256k1_scalar_mul(&r1, &s1, &s2);
994 secp256k1_scalar_mul(&r2, &s2, &s1);
995 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 996 }
997
998 {
71712b27 999 /* Test associativity of add. */
dd891e0e 1000 secp256k1_scalar r1, r2;
79359302
PW		 1001 secp256k1_scalar_add(&r1, &s1, &s2);
1002 secp256k1_scalar_add(&r1, &r1, &s);
1003 secp256k1_scalar_add(&r2, &s2, &s);
1004 secp256k1_scalar_add(&r2, &s1, &r2);
1005 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 1006 }
1007
1008 {
71712b27 1009 /* Test associativity of mul. */
dd891e0e 1010 secp256k1_scalar r1, r2;
79359302
PW		 1011 secp256k1_scalar_mul(&r1, &s1, &s2);
1012 secp256k1_scalar_mul(&r1, &r1, &s);
1013 secp256k1_scalar_mul(&r2, &s2, &s);
1014 secp256k1_scalar_mul(&r2, &s1, &r2);
1015 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 1016 }
1017
1018 {
71712b27 1019 /* Test distributitivity of mul over add. */
dd891e0e 1020 secp256k1_scalar r1, r2, t;
79359302
PW		 1021 secp256k1_scalar_add(&r1, &s1, &s2);
1022 secp256k1_scalar_mul(&r1, &r1, &s);
1023 secp256k1_scalar_mul(&r2, &s1, &s);
1024 secp256k1_scalar_mul(&t, &s2, &s);
1025 secp256k1_scalar_add(&r2, &r2, &t);
1026 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302 1027 }
1d52a8b1
PW		 1028
1029 {
71712b27 1030 /* Test square. */
dd891e0e 1031 secp256k1_scalar r1, r2;
1d52a8b1
PW		 1032 secp256k1_scalar_sqr(&r1, &s1);
1033 secp256k1_scalar_mul(&r2, &s1, &s1);
1034 CHECK(secp256k1_scalar_eq(&r1, &r2));
1035 }
ff8746d4 1036
8d11164b
GM		 1037 {
1038 /* Test multiplicative identity. */
dd891e0e 1039 secp256k1_scalar r1, v1;
8d11164b
GM		 1040 secp256k1_scalar_set_int(&v1,1);
1041 secp256k1_scalar_mul(&r1, &s1, &v1);
1042 CHECK(secp256k1_scalar_eq(&r1, &s1));
1043 }
1044
1045 {
1046 /* Test additive identity. */
dd891e0e 1047 secp256k1_scalar r1, v0;
8d11164b
GM		 1048 secp256k1_scalar_set_int(&v0,0);
1049 secp256k1_scalar_add(&r1, &s1, &v0);
1050 CHECK(secp256k1_scalar_eq(&r1, &s1));
1051 }
1052
1053 {
1054 /* Test zero product property. */
dd891e0e 1055 secp256k1_scalar r1, v0;
8d11164b
GM		 1056 secp256k1_scalar_set_int(&v0,0);
1057 secp256k1_scalar_mul(&r1, &s1, &v0);
1058 CHECK(secp256k1_scalar_eq(&r1, &v0));
1059 }
1060
79359302
PW		 1061}
1062
1063void run_scalar_tests(void) {
bf2e1ac7
GM		 1064 int i;
1065 for (i = 0; i < 128 * count; i++) {
79359302
PW		 1066 scalar_test();
1067 }
659b554d
PW		 1068
1069 {
ee3eb4be 1070 /* (-1)+1 should be zero. */
dd891e0e 1071 secp256k1_scalar s, o;
659b554d 1072 secp256k1_scalar_set_int(&s, 1);
8d11164b 1073 CHECK(secp256k1_scalar_is_one(&s));
659b554d
PW		 1074 secp256k1_scalar_negate(&o, &s);
1075 secp256k1_scalar_add(&o, &o, &s);
1076 CHECK(secp256k1_scalar_is_zero(&o));
8d11164b
GM		 1077 secp256k1_scalar_negate(&o, &o);
1078 CHECK(secp256k1_scalar_is_zero(&o));
659b554d
PW		 1079 }
1080
597128d3 1081#ifndef USE_NUM_NONE
659b554d 1082 {
ee3eb4be 1083 /* A scalar with value of the curve order should be 0. */
dd891e0e
PW		 1084 secp256k1_num order;
1085 secp256k1_scalar zero;
bf2e1ac7 1086 unsigned char bin[32];
659b554d 1087 int overflow = 0;
bf2e1ac7
GM		 1088 secp256k1_scalar_order_get_num(&order);
1089 secp256k1_num_get_bin(bin, 32, &order);
659b554d
PW		 1090 secp256k1_scalar_set_b32(&zero, bin, &overflow);
1091 CHECK(overflow == 1);
1092 CHECK(secp256k1_scalar_is_zero(&zero));
1093 }
597128d3 1094#endif
26abce75
GM		 1095
1096 {
1097 /* Does check_overflow check catch all ones? */
1098 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1099 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1100 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1101 );
1102 CHECK(secp256k1_scalar_check_overflow(&overflowed));
1103 }
1104
1105 {
1106 /* Static test vectors.
269d4227 1107 * These were reduced from ~10^12 random vectors based on comparison-decision
26abce75
GM		 1108 * and edge-case coverage on 32-bit and 64-bit implementations.
1109 * The responses were generated with Sage 5.9.
1110 */
1111 secp256k1_scalar x;
1112 secp256k1_scalar y;
1113 secp256k1_scalar z;
1114 secp256k1_scalar zz;
1115 secp256k1_scalar one;
1116 secp256k1_scalar r1;
1117 secp256k1_scalar r2;
1118#if defined(USE_SCALAR_INV_NUM)
1119 secp256k1_scalar zzv;
1120#endif
1121 int overflow;
093a497a 1122 unsigned char chal[33][2][32] = {
26abce75
GM		 1123 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1124 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1125 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1126 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1127 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1128 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1129 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1130 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1131 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1132 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1133 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1134 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1135 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1136 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1137 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1138 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1139 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1140 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1141 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1142 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1143 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1144 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1145 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1146 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1147 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1148 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1149 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1150 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1151 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1152 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1153 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1154 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1155 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1156 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1157 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1158 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1159 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1160 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1161 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1162 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1163 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1164 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1165 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1166 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1167 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1168 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1169 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1170 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1171 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1172 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1173 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1174 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1175 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1176 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1177 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1178 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1179 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1180 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1181 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1182 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1183 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1184 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1185 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1186 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1187 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1188 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1189 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1190 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1191 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1192 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1193 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1194 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1195 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1196 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1197 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1198 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1199 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1200 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1201 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1202 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1203 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1204 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1205 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1206 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1207 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1208 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1209 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1210 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1211 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1212 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1213 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1214 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1215 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1216 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1217 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1218 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1219 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1220 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1221 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1222 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1223 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1224 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1225 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1226 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1227 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1228 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1229 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1230 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1231 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1232 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1233 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1234 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1235 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1236 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1237 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1238 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1239 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1240 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1241 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1242 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1243 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1244 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1245 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1246 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1247 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1248 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1249 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1250 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1251 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1252 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1253 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1254 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1255 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1256 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1257 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1258 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1259 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1260 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1261 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1262 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1263 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1264 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1265 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1266 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1267 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1268 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1269 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1270 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1271 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1272 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1273 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1274 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1275 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1276 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1277 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1278 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1279 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1280 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1281 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1282 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1283 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1284 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1285 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1286 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1287 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1288 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1289 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1290 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1291 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1292 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1293 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1294 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1295 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1296 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1297 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1298 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1299 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1300 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1301 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1302 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1303 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1304 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1305 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1306 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1307 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1308 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1309 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1310 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1311 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1312 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1313 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1314 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1315 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1316 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1317 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1318 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1319 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1320 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1321 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1322 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1323 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1324 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1325 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1326 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1327 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1328 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1329 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1330 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1331 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1332 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1333 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1334 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1335 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1336 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1337 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1338 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1339 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1340 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1341 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1342 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1343 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1344 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1345 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1346 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1347 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1348 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1349 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1350 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1351 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1352 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1353 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1354 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1355 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1356 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1357 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1358 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1359 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1360 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1361 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1362 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1363 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1364 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1365 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1366 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1367 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1368 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1369 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1370 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1371 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1372 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1373 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1374 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1375 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1376 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1377 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
093a497a
JN		 1378 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1379 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1380 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1381 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1382 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1383 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1384 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1385 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1386 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
26abce75 1387 };
093a497a 1388 unsigned char res[33][2][32] = {
26abce75
GM		 1389 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1390 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1391 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1392 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1393 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1394 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1395 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1396 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1397 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1398 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1399 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1400 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1401 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1402 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1403 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1404 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1405 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1406 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1407 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1408 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1409 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1410 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1411 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1412 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1413 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1414 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1415 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1416 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1417 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1418 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1419 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1420 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1421 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1422 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1423 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1424 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1425 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1426 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1427 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1428 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1429 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1430 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1431 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1432 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1433 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1434 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1435 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1436 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1437 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1438 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1439 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1440 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1441 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1442 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1443 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1444 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1445 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1446 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1447 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1448 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1449 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1450 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1451 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1452 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1453 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1454 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1455 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1456 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1457 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1458 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1459 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1460 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1461 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1462 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1463 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1464 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1465 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1466 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1467 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1468 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1469 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1470 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1471 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1472 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1473 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1474 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1475 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1476 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1477 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1478 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1479 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1480 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1481 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1482 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1483 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1484 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1485 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1486 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1487 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1488 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1489 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1490 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1491 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1492 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1493 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1494 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1495 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1496 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1497 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1498 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1499 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1500 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1501 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1502 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1503 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1504 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1505 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1506 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1507 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1508 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1509 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1510 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1511 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1512 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1513 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1514 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1515 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1516 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1517 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1518 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1519 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1520 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1521 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1522 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1523 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1524 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1525 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1526 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1527 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1528 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1529 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1530 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1531 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1532 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1533 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1534 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1535 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1536 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1537 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1538 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1539 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1540 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1541 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1542 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1543 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1544 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1545 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1546 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1547 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1548 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1549 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1550 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1551 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1552 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1553 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1554 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1555 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1556 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1557 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1558 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1559 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1560 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1561 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1562 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1563 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1564 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1565 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1566 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1567 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1568 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1569 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1570 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1571 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1572 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1573 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1574 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1575 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1576 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1577 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1578 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1579 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1580 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1581 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1582 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1583 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1584 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1585 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1586 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1587 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1588 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1589 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1590 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1591 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1592 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1593 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1594 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1595 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1596 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1597 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1598 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1599 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1600 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1601 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1602 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1603 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1604 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1605 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1606 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1607 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1608 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1609 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1610 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1611 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1612 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1613 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1614 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1615 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1616 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1617 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1618 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1619 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1620 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1621 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1622 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1623 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1624 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1625 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1626 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1627 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1628 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1629 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1630 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1631 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1632 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1633 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1634 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1635 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1636 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1637 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1638 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1639 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1640 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1641 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1642 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1643 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
093a497a
JN		 1644 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1645 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1646 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1647 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1648 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1649 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1650 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1651 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1652 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
26abce75
GM		 1653 };
1654 secp256k1_scalar_set_int(&one, 1);
093a497a 1655 for (i = 0; i < 33; i++) {
26abce75
GM		 1656 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1657 CHECK(!overflow);
1658 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1659 CHECK(!overflow);
1660 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1661 CHECK(!overflow);
1662 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1663 CHECK(!overflow);
1664 secp256k1_scalar_mul(&z, &x, &y);
1665 CHECK(!secp256k1_scalar_check_overflow(&z));
1666 CHECK(secp256k1_scalar_eq(&r1, &z));
1667 if (!secp256k1_scalar_is_zero(&y)) {
1668 secp256k1_scalar_inverse(&zz, &y);
1669 CHECK(!secp256k1_scalar_check_overflow(&zz));
1670#if defined(USE_SCALAR_INV_NUM)
1671 secp256k1_scalar_inverse_var(&zzv, &y);
1672 CHECK(secp256k1_scalar_eq(&zzv, &zz));
1673#endif
1674 secp256k1_scalar_mul(&z, &z, &zz);
1675 CHECK(!secp256k1_scalar_check_overflow(&z));
1676 CHECK(secp256k1_scalar_eq(&x, &z));
1677 secp256k1_scalar_mul(&zz, &zz, &y);
1678 CHECK(!secp256k1_scalar_check_overflow(&zz));
1679 CHECK(secp256k1_scalar_eq(&one, &zz));
1680 }
1681 secp256k1_scalar_mul(&z, &x, &x);
1682 CHECK(!secp256k1_scalar_check_overflow(&z));
1683 secp256k1_scalar_sqr(&zz, &x);
1684 CHECK(!secp256k1_scalar_check_overflow(&zz));
1685 CHECK(secp256k1_scalar_eq(&zz, &z));
1686 CHECK(secp256k1_scalar_eq(&r2, &zz));
1687 }
1688 }
79359302
PW		 1689}
1690
09ca4f32
PD		 1691/***** FIELD TESTS *****/
1692
dd891e0e 1693void random_fe(secp256k1_fe *x) {
09ca4f32 1694 unsigned char bin[32];
d907ebc0
PW		 1695 do {
1696 secp256k1_rand256(bin);
1697 if (secp256k1_fe_set_b32(x, bin)) {
1698 return;
1699 }
1700 } while(1);
09ca4f32
PD		 1701}
1702
64666251
PW		 1703void random_fe_test(secp256k1_fe *x) {
1704 unsigned char bin[32];
1705 do {
1706 secp256k1_rand256_test(bin);
1707 if (secp256k1_fe_set_b32(x, bin)) {
1708 return;
1709 }
1710 } while(1);
1711}
1712
dd891e0e 1713void random_fe_non_zero(secp256k1_fe *nz) {
6d6102fe 1714 int tries = 10;
09ca4f32 1715 while (--tries >= 0) {
6d6102fe
PD		 1716 random_fe(nz);
1717 secp256k1_fe_normalize(nz);
26320197 1718 if (!secp256k1_fe_is_zero(nz)) {
09ca4f32 1719 break;
26320197 1720 }
09ca4f32 1721 }
71712b27 1722 /* Infinitesimal probability of spurious failure here */
0592d117 1723 CHECK(tries >= 0);
09ca4f32
PD		 1724}
1725
dd891e0e
PW		 1726void random_fe_non_square(secp256k1_fe *ns) {
1727 secp256k1_fe r;
bf2e1ac7 1728 random_fe_non_zero(ns);
926836ad 1729 if (secp256k1_fe_sqrt(&r, ns)) {
6d6102fe
PD		 1730 secp256k1_fe_negate(ns, ns, 1);
1731 }
1732}
1733
dd891e0e
PW		 1734int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1735 secp256k1_fe an = *a;
1736 secp256k1_fe bn = *b;
bf2e1ac7
GM		 1737 secp256k1_fe_normalize_weak(&an);
1738 secp256k1_fe_normalize_var(&bn);
d7174edf 1739 return secp256k1_fe_equal_var(&an, &bn);
f16be77f
PD		 1740}
1741
dd891e0e
PW		 1742int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) {
1743 secp256k1_fe x;
1744 secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
bf2e1ac7 1745 secp256k1_fe_mul(&x, a, ai);
f16be77f
PD		 1746 return check_fe_equal(&x, &one);
1747}
1748
ff889f7d
PW		 1749void run_field_convert(void) {
1750 static const unsigned char b32[32] = {
1751 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1752 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1753 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1754 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1755 };
dd891e0e 1756 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
ff889f7d
PW		 1757 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1758 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1759 );
dd891e0e 1760 static const secp256k1_fe fe = SECP256K1_FE_CONST(
ff889f7d
PW		 1761 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1762 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1763 );
dd891e0e 1764 secp256k1_fe fe2;
ff889f7d 1765 unsigned char b322[32];
dd891e0e 1766 secp256k1_fe_storage fes2;
ff889f7d
PW		 1767 /* Check conversions to fe. */
1768 CHECK(secp256k1_fe_set_b32(&fe2, b32));
1769 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
ff889f7d
PW		 1770 secp256k1_fe_from_storage(&fe2, &fes);
1771 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1772 /* Check conversion from fe. */
1773 secp256k1_fe_get_b32(b322, &fe);
1774 CHECK(memcmp(b322, b32, 32) == 0);
ff889f7d
PW		 1775 secp256k1_fe_to_storage(&fes2, &fe);
1776 CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0);
1777}
1778
dd891e0e
PW		 1779int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b) {
1780 secp256k1_fe t = *b;
a0601cd7
PD		 1781#ifdef VERIFY
1782 t.magnitude = a->magnitude;
1783 t.normalized = a->normalized;
1784#endif
dd891e0e 1785 return memcmp(a, &t, sizeof(secp256k1_fe));
a0601cd7
PD		 1786}
1787
8d11164b 1788void run_field_misc(void) {
dd891e0e
PW		 1789 secp256k1_fe x;
1790 secp256k1_fe y;
1791 secp256k1_fe z;
1792 secp256k1_fe q;
1793 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
3f3964e4 1794 int i, j;
bf2e1ac7 1795 for (i = 0; i < 5*count; i++) {
dd891e0e 1796 secp256k1_fe_storage xs, ys, zs;
8d11164b
GM		 1797 random_fe(&x);
1798 random_fe_non_zero(&y);
1799 /* Test the fe equality and comparison operations. */
1800 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
d7174edf 1801 CHECK(secp256k1_fe_equal_var(&x, &x));
8d11164b
GM		 1802 z = x;
1803 secp256k1_fe_add(&z,&y);
9c4fb23d
GM		 1804 /* Test fe conditional move; z is not normalized here. */
1805 q = x;
1806 secp256k1_fe_cmov(&x, &z, 0);
3f3964e4 1807 VERIFY_CHECK(!x.normalized && x.magnitude == z.magnitude);
9c4fb23d 1808 secp256k1_fe_cmov(&x, &x, 1);
a0601cd7
PD		 1809 CHECK(fe_memcmp(&x, &z) != 0);
1810 CHECK(fe_memcmp(&x, &q) == 0);
9c4fb23d 1811 secp256k1_fe_cmov(&q, &z, 1);
3f3964e4 1812 VERIFY_CHECK(!q.normalized && q.magnitude == z.magnitude);
a0601cd7 1813 CHECK(fe_memcmp(&q, &z) == 0);
a0601cd7
PD		 1814 secp256k1_fe_normalize_var(&x);
1815 secp256k1_fe_normalize_var(&z);
9c4fb23d 1816 CHECK(!secp256k1_fe_equal_var(&x, &z));
3f3964e4
PD		 1817 secp256k1_fe_normalize_var(&q);
1818 secp256k1_fe_cmov(&q, &z, (i&1));
1819 VERIFY_CHECK(q.normalized && q.magnitude == 1);
1820 for (j = 0; j < 6; j++) {
1821 secp256k1_fe_negate(&z, &z, j+1);
1822 secp256k1_fe_normalize_var(&q);
1823 secp256k1_fe_cmov(&q, &z, (j&1));
1824 VERIFY_CHECK(!q.normalized && q.magnitude == (j+2));
1825 }
1826 secp256k1_fe_normalize_var(&z);
1827 /* Test storage conversion and conditional moves. */
fcc48c45
PW		 1828 secp256k1_fe_to_storage(&xs, &x);
1829 secp256k1_fe_to_storage(&ys, &y);
1830 secp256k1_fe_to_storage(&zs, &z);
1831 secp256k1_fe_storage_cmov(&zs, &xs, 0);
9c4fb23d 1832 secp256k1_fe_storage_cmov(&zs, &zs, 1);
fcc48c45
PW		 1833 CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0);
1834 secp256k1_fe_storage_cmov(&ys, &xs, 1);
1835 CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0);
1836 secp256k1_fe_from_storage(&x, &xs);
1837 secp256k1_fe_from_storage(&y, &ys);
1838 secp256k1_fe_from_storage(&z, &zs);
8d11164b
GM		 1839 /* Test that mul_int, mul, and add agree. */
1840 secp256k1_fe_add(&y, &x);
1841 secp256k1_fe_add(&y, &x);
1842 z = x;
1843 secp256k1_fe_mul_int(&z, 3);
1844 CHECK(check_fe_equal(&y, &z));
1845 secp256k1_fe_add(&y, &x);
1846 secp256k1_fe_add(&z, &x);
1847 CHECK(check_fe_equal(&z, &y));
1848 z = x;
1849 secp256k1_fe_mul_int(&z, 5);
1850 secp256k1_fe_mul(&q, &x, &fe5);
1851 CHECK(check_fe_equal(&z, &q));
1852 secp256k1_fe_negate(&x, &x, 1);
1853 secp256k1_fe_add(&z, &x);
1854 secp256k1_fe_add(&q, &x);
1855 CHECK(check_fe_equal(&y, &z));
1856 CHECK(check_fe_equal(&q, &y));
1857 }
1858}
1859
2cad067a 1860void run_field_inv(void) {
dd891e0e 1861 secp256k1_fe x, xi, xii;
bf2e1ac7
GM		 1862 int i;
1863 for (i = 0; i < 10*count; i++) {
f16be77f
PD		 1864 random_fe_non_zero(&x);
1865 secp256k1_fe_inv(&xi, &x);
1866 CHECK(check_fe_inverse(&x, &xi));
1867 secp256k1_fe_inv(&xii, &xi);
1868 CHECK(check_fe_equal(&x, &xii));
1869 }
1870}
1871
2cad067a 1872void run_field_inv_var(void) {
dd891e0e 1873 secp256k1_fe x, xi, xii;
bf2e1ac7
GM		 1874 int i;
1875 for (i = 0; i < 10*count; i++) {
f16be77f
PD		 1876 random_fe_non_zero(&x);
1877 secp256k1_fe_inv_var(&xi, &x);
1878 CHECK(check_fe_inverse(&x, &xi));
1879 secp256k1_fe_inv_var(&xii, &xi);
1880 CHECK(check_fe_equal(&x, &xii));
1881 }
1882}
1883
2cad067a 1884void run_field_inv_all_var(void) {
dd891e0e 1885 secp256k1_fe x[16], xi[16], xii[16];
bf2e1ac7 1886 int i;
71712b27 1887 /* Check it's safe to call for 0 elements */
7d893f49 1888 secp256k1_fe_inv_all_var(xi, x, 0);
bf2e1ac7
GM		 1889 for (i = 0; i < count; i++) {
1890 size_t j;
fa57f1bd 1891 size_t len = secp256k1_rand_int(15) + 1;
26320197 1892 for (j = 0; j < len; j++) {
f16be77f 1893 random_fe_non_zero(&x[j]);
26320197 1894 }
7d893f49 1895 secp256k1_fe_inv_all_var(xi, x, len);
26320197 1896 for (j = 0; j < len; j++) {
f16be77f 1897 CHECK(check_fe_inverse(&x[j], &xi[j]));
26320197 1898 }
7d893f49 1899 secp256k1_fe_inv_all_var(xii, xi, len);
26320197 1900 for (j = 0; j < len; j++) {
f16be77f 1901 CHECK(check_fe_equal(&x[j], &xii[j]));
26320197 1902 }
f16be77f
PD		 1903 }
1904}
1905
2cad067a 1906void run_sqr(void) {
dd891e0e 1907 secp256k1_fe x, s;
59447da3 1908
59447da3 1909 {
bf2e1ac7 1910 int i;
59447da3
PD		 1911 secp256k1_fe_set_int(&x, 1);
1912 secp256k1_fe_negate(&x, &x, 1);
1913
bf2e1ac7 1914 for (i = 1; i <= 512; ++i) {
59447da3
PD		 1915 secp256k1_fe_mul_int(&x, 2);
1916 secp256k1_fe_normalize(&x);
1917 secp256k1_fe_sqr(&s, &x);
59447da3
PD		 1918 }
1919 }
59447da3
PD		 1920}
1921
dd891e0e
PW		 1922void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
1923 secp256k1_fe r1, r2;
926836ad 1924 int v = secp256k1_fe_sqrt(&r1, a);
0592d117 1925 CHECK((v == 0) == (k == NULL));
09ca4f32
PD		 1926
1927 if (k != NULL) {
71712b27 1928 /* Check that the returned root is +/- the given known answer */
09ca4f32
PD		 1929 secp256k1_fe_negate(&r2, &r1, 1);
1930 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
1931 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
0592d117 1932 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
09ca4f32
PD		 1933 }
1934}
1935
2cad067a 1936void run_sqrt(void) {
dd891e0e 1937 secp256k1_fe ns, x, s, t;
bf2e1ac7 1938 int i;
6d6102fe 1939
71712b27 1940 /* Check sqrt(0) is 0 */
6d6102fe
PD		 1941 secp256k1_fe_set_int(&x, 0);
1942 secp256k1_fe_sqr(&s, &x);
1943 test_sqrt(&s, &x);
1944
71712b27 1945 /* Check sqrt of small squares (and their negatives) */
bf2e1ac7 1946 for (i = 1; i <= 100; i++) {
6d6102fe 1947 secp256k1_fe_set_int(&x, i);
09ca4f32
PD		 1948 secp256k1_fe_sqr(&s, &x);
1949 test_sqrt(&s, &x);
6d6102fe 1950 secp256k1_fe_negate(&t, &s, 1);
09ca4f32
PD		 1951 test_sqrt(&t, NULL);
1952 }
6d6102fe 1953
71712b27 1954 /* Consistency checks for large random values */
bf2e1ac7
GM		 1955 for (i = 0; i < 10; i++) {
1956 int j;
6d6102fe 1957 random_fe_non_square(&ns);
bf2e1ac7 1958 for (j = 0; j < count; j++) {
6d6102fe
PD		 1959 random_fe(&x);
1960 secp256k1_fe_sqr(&s, &x);
1961 test_sqrt(&s, &x);
1962 secp256k1_fe_negate(&t, &s, 1);
1963 test_sqrt(&t, NULL);
1964 secp256k1_fe_mul(&t, &s, &ns);
1965 test_sqrt(&t, NULL);
1966 }
1967 }
09ca4f32
PD		 1968}
1969
9338dbf7
PW		 1970/***** GROUP TESTS *****/
1971
dd891e0e 1972void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
60571c6e 1973 CHECK(a->infinity == b->infinity);
26320197 1974 if (a->infinity) {
60571c6e 1975 return;
26320197 1976 }
60571c6e 1977 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
baa75da5 1978 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
9338dbf7
PW		 1979}
1980
d2275795 1981/* This compares jacobian points including their Z, not just their geometric meaning. */
dd891e0e
PW		 1982int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
1983 secp256k1_gej a2;
1984 secp256k1_gej b2;
d2275795
GM		 1985 int ret = 1;
1986 ret &= a->infinity == b->infinity;
1987 if (ret && !a->infinity) {
1988 a2 = *a;
1989 b2 = *b;
1990 secp256k1_fe_normalize(&a2.x);
1991 secp256k1_fe_normalize(&a2.y);
1992 secp256k1_fe_normalize(&a2.z);
1993 secp256k1_fe_normalize(&b2.x);
1994 secp256k1_fe_normalize(&b2.y);
1995 secp256k1_fe_normalize(&b2.z);
1996 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
1997 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
1998 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
1999 }
2000 return ret;
2001}
2002
dd891e0e
PW		 2003void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
2004 secp256k1_fe z2s;
2005 secp256k1_fe u1, u2, s1, s2;
60571c6e 2006 CHECK(a->infinity == b->infinity);
26320197 2007 if (a->infinity) {
60571c6e 2008 return;
26320197 2009 }
60571c6e 2010 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
60571c6e 2011 secp256k1_fe_sqr(&z2s, &b->z);
60571c6e
PW		 2012 secp256k1_fe_mul(&u1, &a->x, &z2s);
2013 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
2014 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
2015 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
2016 CHECK(secp256k1_fe_equal_var(&u1, &u2));
2017 CHECK(secp256k1_fe_equal_var(&s1, &s2));
9338dbf7
PW		 2018}
2019
2cad067a 2020void test_ge(void) {
bf2e1ac7 2021 int i, i1;
76574202
PW		 2022#ifdef USE_ENDOMORPHISM
2023 int runs = 6;
2024#else
60571c6e 2025 int runs = 4;
76574202 2026#endif
60571c6e
PW		 2027 /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
2028 * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
2029 * All magnitudes are randomized.
269d4227 2030 * All 17*17 combinations of points are added to each other, using all applicable methods.
76574202
PW		 2031 *
2032 * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well.
60571c6e 2033 */
5eb030ca
WL		 2034 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
2035 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
2036 secp256k1_fe *zinv = (secp256k1_fe *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
dd891e0e
PW		 2037 secp256k1_fe zf;
2038 secp256k1_fe zfi2, zfi3;
4f9791ab 2039
60571c6e
PW		 2040 secp256k1_gej_set_infinity(&gej[0]);
2041 secp256k1_ge_clear(&ge[0]);
2042 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
bf2e1ac7
GM		 2043 for (i = 0; i < runs; i++) {
2044 int j;
dd891e0e 2045 secp256k1_ge g;
60571c6e 2046 random_group_element_test(&g);
76574202
PW		 2047#ifdef USE_ENDOMORPHISM
2048 if (i >= runs - 2) {
2049 secp256k1_ge_mul_lambda(&g, &ge[1]);
2050 }
2051 if (i >= runs - 1) {
2052 secp256k1_ge_mul_lambda(&g, &g);
2053 }
2054#endif
60571c6e
PW		 2055 ge[1 + 4 * i] = g;
2056 ge[2 + 4 * i] = g;
2057 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
2058 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
2059 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
2060 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
2061 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
2062 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
bf2e1ac7 2063 for (j = 0; j < 4; j++) {
60571c6e
PW		 2064 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
2065 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
2066 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
2067 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
2068 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
2069 }
2070 }
2071
4f9791ab
PD		 2072 /* Compute z inverses. */
2073 {
5eb030ca 2074 secp256k1_fe *zs = checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
4f9791ab
PD		 2075 for (i = 0; i < 4 * runs + 1; i++) {
2076 if (i == 0) {
2077 /* The point at infinity does not have a meaningful z inverse. Any should do. */
2078 do {
2079 random_field_element_test(&zs[i]);
2080 } while(secp256k1_fe_is_zero(&zs[i]));
2081 } else {
2082 zs[i] = gej[i].z;
2083 }
2084 }
7d893f49 2085 secp256k1_fe_inv_all_var(zinv, zs, 4 * runs + 1);
4f9791ab
PD		 2086 free(zs);
2087 }
2088
2089 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
2090 do {
2091 random_field_element_test(&zf);
2092 } while(secp256k1_fe_is_zero(&zf));
2093 random_field_element_magnitude(&zf);
2094 secp256k1_fe_inv_var(&zfi3, &zf);
2095 secp256k1_fe_sqr(&zfi2, &zfi3);
2096 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
2097
bf2e1ac7
GM		 2098 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
2099 int i2;
2100 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
60571c6e 2101 /* Compute reference result using gej + gej (var). */
dd891e0e
PW		 2102 secp256k1_gej refj, resj;
2103 secp256k1_ge ref;
2104 secp256k1_fe zr;
4f9791ab
PD		 2105 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2106 /* Check Z ratio. */
2107 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
dd891e0e 2108 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
4f9791ab
PD		 2109 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
2110 }
60571c6e
PW		 2111 secp256k1_ge_set_gej_var(&ref, &refj);
2112
2d5a186c
PD		 2113 /* Test gej + ge with Z ratio result (var). */
2114 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
60571c6e 2115 ge_equals_gej(&ref, &resj);
2d5a186c 2116 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
dd891e0e 2117 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2d5a186c
PD		 2118 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
2119 }
60571c6e 2120
4f9791ab
PD		 2121 /* Test gej + ge (var, with additional Z factor). */
2122 {
dd891e0e 2123 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
4f9791ab
PD		 2124 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
2125 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
2126 random_field_element_magnitude(&ge2_zfi.x);
2127 random_field_element_magnitude(&ge2_zfi.y);
2128 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
2129 ge_equals_gej(&ref, &resj);
2130 }
2131
60571c6e
PW		 2132 /* Test gej + ge (const). */
2133 if (i2 != 0) {
2134 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
2135 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
2136 ge_equals_gej(&ref, &resj);
2137 }
2138
2139 /* Test doubling (var). */
2140 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
dd891e0e 2141 secp256k1_fe zr2;
4f9791ab
PD		 2142 /* Normal doubling with Z ratio result. */
2143 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
60571c6e 2144 ge_equals_gej(&ref, &resj);
4f9791ab
PD		 2145 /* Check Z ratio. */
2146 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2147 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2148 /* Normal doubling. */
2149 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
60571c6e
PW		 2150 ge_equals_gej(&ref, &resj);
2151 }
2152
2153 /* Test adding opposites. */
2154 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2155 CHECK(secp256k1_ge_is_infinity(&ref));
2156 }
2157
2158 /* Test adding infinity. */
2159 if (i1 == 0) {
2160 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2161 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2162 ge_equals_gej(&ref, &gej[i2]);
2163 }
2164 if (i2 == 0) {
2165 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2166 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2167 ge_equals_gej(&ref, &gej[i1]);
2168 }
2169 }
2170 }
2171
9ab93355
PW		 2172 /* Test adding all points together in random order equals infinity. */
2173 {
dd891e0e 2174 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
5eb030ca 2175 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
bf2e1ac7 2176 for (i = 0; i < 4 * runs + 1; i++) {
9ab93355
PW		 2177 gej_shuffled[i] = gej[i];
2178 }
bf2e1ac7 2179 for (i = 0; i < 4 * runs + 1; i++) {
fa57f1bd 2180 int swap = i + secp256k1_rand_int(4 * runs + 1 - i);
9ab93355 2181 if (swap != i) {
dd891e0e 2182 secp256k1_gej t = gej_shuffled[i];
9ab93355
PW		 2183 gej_shuffled[i] = gej_shuffled[swap];
2184 gej_shuffled[swap] = t;
2185 }
2186 }
bf2e1ac7 2187 for (i = 0; i < 4 * runs + 1; i++) {
4f9791ab 2188 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
9ab93355
PW		 2189 }
2190 CHECK(secp256k1_gej_is_infinity(&sum));
2191 free(gej_shuffled);
2192 }
2193
4f9791ab 2194 /* Test batch gej -> ge conversion with and without known z ratios. */
60571c6e 2195 {
5eb030ca 2196 secp256k1_fe *zr = (secp256k1_fe *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_fe));
5eb030ca 2197 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
4f9791ab
PD		 2198 for (i = 0; i < 4 * runs + 1; i++) {
2199 /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
2200 if (i < 4 * runs) {
2201 secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
2202 }
2203 }
7f7a2ed3 2204 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
bf2e1ac7 2205 for (i = 0; i < 4 * runs + 1; i++) {
dd891e0e 2206 secp256k1_fe s;
d2275795
GM		 2207 random_fe_non_zero(&s);
2208 secp256k1_gej_rescale(&gej[i], &s);
60571c6e
PW		 2209 ge_equals_gej(&ge_set_all[i], &gej[i]);
2210 }
2211 free(ge_set_all);
4f9791ab 2212 free(zr);
60571c6e
PW		 2213 }
2214
ffd3b346
AP		 2215 /* Test batch gej -> ge conversion with many infinities. */
2216 for (i = 0; i < 4 * runs + 1; i++) {
2217 random_group_element_test(&ge[i]);
2218 /* randomly set half the points to infinitiy */
2219 if(secp256k1_fe_is_odd(&ge[i].x)) {
2220 secp256k1_ge_set_infinity(&ge[i]);
2221 }
2222 secp256k1_gej_set_ge(&gej[i], &ge[i]);
2223 }
2224 /* batch invert */
2225 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
2226 /* check result */
2227 for (i = 0; i < 4 * runs + 1; i++) {
2228 ge_equals_gej(&ge[i], &gej[i]);
2229 }
2230
60571c6e
PW		 2231 free(ge);
2232 free(gej);
4f9791ab 2233 free(zinv);
9338dbf7
PW		 2234}
2235
8c5d5f7b
AP		 2236void test_add_neg_y_diff_x(void) {
2237 /* The point of this test is to check that we can add two points
2238 * whose y-coordinates are negatives of each other but whose x
2239 * coordinates differ. If the x-coordinates were the same, these
2240 * points would be negatives of each other and their sum is
2241 * infinity. This is cool because it "covers up" any degeneracy
2242 * in the addition algorithm that would cause the xy coordinates
2243 * of the sum to be wrong (since infinity has no xy coordinates).
2244 * HOWEVER, if the x-coordinates are different, infinity is the
2245 * wrong answer, and such degeneracies are exposed. This is the
faa2a11c
M		 2246 * root of https://github.com/bitcoin-core/secp256k1/issues/257
2247 * which this test is a regression test for.
8c5d5f7b
AP		 2248 *
2249 * These points were generated in sage as
2250 * # secp256k1 params
2251 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2252 * C = EllipticCurve ([F (0), F (7)])
2253 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2254 * N = FiniteField(G.order())
2255 *
2256 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2257 * x = polygen(N)
2258 * lam = (1 - x^3).roots()[1][0]
2259 *
2260 * # random "bad pair"
2261 * P = C.random_element()
2262 * Q = -int(lam) * P
2263 * print " P: %x %x" % P.xy()
2264 * print " Q: %x %x" % Q.xy()
2265 * print "P + Q: %x %x" % (P + Q).xy()
2266 */
dd891e0e 2267 secp256k1_gej aj = SECP256K1_GEJ_CONST(
8c5d5f7b
AP		 2268 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2269 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2270 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2271 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2272 );
dd891e0e 2273 secp256k1_gej bj = SECP256K1_GEJ_CONST(
8c5d5f7b
AP		 2274 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2275 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2276 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2277 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2278 );
dd891e0e 2279 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
8c5d5f7b
AP		 2280 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2281 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2282 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2283 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2284 );
dd891e0e
PW		 2285 secp256k1_ge b;
2286 secp256k1_gej resj;
2287 secp256k1_ge res;
8c5d5f7b
AP		 2288 secp256k1_ge_set_gej(&b, &bj);
2289
2290 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2291 secp256k1_ge_set_gej(&res, &resj);
2292 ge_equals_gej(&res, &sumj);
2293
2294 secp256k1_gej_add_ge(&resj, &aj, &b);
2295 secp256k1_ge_set_gej(&res, &resj);
2296 ge_equals_gej(&res, &sumj);
2297
2298 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2299 secp256k1_ge_set_gej(&res, &resj);
2300 ge_equals_gej(&res, &sumj);
2301}
2302
2cad067a 2303void run_ge(void) {
bf2e1ac7
GM		 2304 int i;
2305 for (i = 0; i < count * 32; i++) {
9338dbf7
PW		 2306 test_ge();
2307 }
8c5d5f7b 2308 test_add_neg_y_diff_x();
9338dbf7
PW		 2309}
2310
a5a66c70 2311void test_ec_combine(void) {
dd891e0e
PW		 2312 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2313 secp256k1_pubkey data[6];
2314 const secp256k1_pubkey* d[6];
2315 secp256k1_pubkey sd;
2316 secp256k1_pubkey sd2;
2317 secp256k1_gej Qj;
2318 secp256k1_ge Q;
a5a66c70
PW		 2319 int i;
2320 for (i = 1; i <= 6; i++) {
dd891e0e 2321 secp256k1_scalar s;
a5a66c70
PW		 2322 random_scalar_order_test(&s);
2323 secp256k1_scalar_add(&sum, &sum, &s);
2324 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2325 secp256k1_ge_set_gej(&Q, &Qj);
2326 secp256k1_pubkey_save(&data[i - 1], &Q);
2327 d[i - 1] = &data[i - 1];
2328 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2329 secp256k1_ge_set_gej(&Q, &Qj);
2330 secp256k1_pubkey_save(&sd, &Q);
dc0ce9fc 2331 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
a5a66c70
PW		 2332 CHECK(memcmp(&sd, &sd2, sizeof(sd)) == 0);
2333 }
2334}
2335
2336void run_ec_combine(void) {
2337 int i;
2338 for (i = 0; i < count * 8; i++) {
2339 test_ec_combine();
2340 }
2341}
2342
64666251
PW		 2343void test_group_decompress(const secp256k1_fe* x) {
2344 /* The input itself, normalized. */
2345 secp256k1_fe fex = *x;
e6e9805f 2346 secp256k1_fe fez;
64666251
PW		 2347 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2348 secp256k1_ge ge_quad, ge_even, ge_odd;
e6e9805f 2349 secp256k1_gej gej_quad;
64666251
PW		 2350 /* Return values of the above calls. */
2351 int res_quad, res_even, res_odd;
2352
2353 secp256k1_fe_normalize_var(&fex);
2354
926836ad 2355 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
64666251
PW		 2356 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2357 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2358
2359 CHECK(res_quad == res_even);
2360 CHECK(res_quad == res_odd);
2361
2362 if (res_quad) {
2363 secp256k1_fe_normalize_var(&ge_quad.x);
2364 secp256k1_fe_normalize_var(&ge_odd.x);
2365 secp256k1_fe_normalize_var(&ge_even.x);
2366 secp256k1_fe_normalize_var(&ge_quad.y);
2367 secp256k1_fe_normalize_var(&ge_odd.y);
2368 secp256k1_fe_normalize_var(&ge_even.y);
2369
2370 /* No infinity allowed. */
2371 CHECK(!ge_quad.infinity);
2372 CHECK(!ge_even.infinity);
2373 CHECK(!ge_odd.infinity);
2374
2375 /* Check that the x coordinates check out. */
2376 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2377 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2378 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2379
2380 /* Check that the Y coordinate result in ge_quad is a square. */
e6e9805f 2381 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
64666251
PW		 2382
2383 /* Check odd/even Y in ge_odd, ge_even. */
2384 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2385 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
e6e9805f
PW		 2386
2387 /* Check secp256k1_gej_has_quad_y_var. */
2388 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2389 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2390 do {
2391 random_fe_test(&fez);
2392 } while (secp256k1_fe_is_zero(&fez));
2393 secp256k1_gej_rescale(&gej_quad, &fez);
2394 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2395 secp256k1_gej_neg(&gej_quad, &gej_quad);
2396 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2397 do {
2398 random_fe_test(&fez);
2399 } while (secp256k1_fe_is_zero(&fez));
2400 secp256k1_gej_rescale(&gej_quad, &fez);
2401 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2402 secp256k1_gej_neg(&gej_quad, &gej_quad);
2403 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
64666251
PW		 2404 }
2405}
2406
2407void run_group_decompress(void) {
2408 int i;
2409 for (i = 0; i < count * 4; i++) {
2410 secp256k1_fe fe;
2411 random_fe_test(&fe);
2412 test_group_decompress(&fe);
2413 }
2414}
2415
09ca4f32
PD		 2416/***** ECMULT TESTS *****/
2417
2cad067a 2418void run_ecmult_chain(void) {
443cd4b8 2419 /* random starting point A (on the curve) */
dd891e0e 2420 secp256k1_gej a = SECP256K1_GEJ_CONST(
443cd4b8
PW		 2421 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2422 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2423 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2424 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2425 );
71712b27 2426 /* two random initial factors xn and gn */
dd891e0e 2427 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
443cd4b8
PW		 2428 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2429 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2430 );
dd891e0e 2431 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
443cd4b8
PW		 2432 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2433 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2434 );
71712b27 2435 /* two small multipliers to be applied to xn and gn in every iteration: */
dd891e0e
PW		 2436 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2437 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
71712b27 2438 /* accumulators with the resulting coefficients to A and G */
dd891e0e
PW		 2439 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2440 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
443cd4b8 2441 /* actual points */
cfe0ed91 2442 secp256k1_gej x;
dd891e0e 2443 secp256k1_gej x2;
443cd4b8
PW		 2444 int i;
2445
71712b27 2446 /* the point being computed */
bf2e1ac7
GM		 2447 x = a;
2448 for (i = 0; i < 200*count; i++) {
71712b27 2449 /* in each iteration, compute X = xn*X + gn*G; */
a9b6595e 2450 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
71712b27
GM		 2451 /* also compute ae and ge: the actual accumulated factors for A and G */
2452 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
f24041d6
PW		 2453 secp256k1_scalar_mul(&ae, &ae, &xn);
2454 secp256k1_scalar_mul(&ge, &ge, &xn);
2455 secp256k1_scalar_add(&ge, &ge, &gn);
71712b27 2456 /* modify xn and gn */
f24041d6
PW		 2457 secp256k1_scalar_mul(&xn, &xn, &xf);
2458 secp256k1_scalar_mul(&gn, &gn, &gf);
404c30a8 2459
71712b27 2460 /* verify */
404c30a8 2461 if (i == 19999) {
443cd4b8 2462 /* expected result after 19999 iterations */
dd891e0e 2463 secp256k1_gej rp = SECP256K1_GEJ_CONST(
443cd4b8
PW		 2464 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2465 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2466 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2467 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2468 );
2469
2470 secp256k1_gej_neg(&rp, &rp);
4f9791ab 2471 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
443cd4b8 2472 CHECK(secp256k1_gej_is_infinity(&rp));
404c30a8 2473 }
4adf6b2a 2474 }
71712b27 2475 /* redo the computation, but directly with the resulting ae and ge coefficients: */
a9b6595e 2476 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
443cd4b8 2477 secp256k1_gej_neg(&x2, &x2);
4f9791ab 2478 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
443cd4b8 2479 CHECK(secp256k1_gej_is_infinity(&x2));
a41f32e6
PW		 2480}
2481
dd891e0e 2482void test_point_times_order(const secp256k1_gej *point) {
b5c9ee75 2483 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
dd891e0e
PW		 2484 secp256k1_scalar x;
2485 secp256k1_scalar nx;
2486 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2487 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2488 secp256k1_gej res1, res2;
2489 secp256k1_ge res3;
bf2e1ac7 2490 unsigned char pub[65];
788038d3 2491 size_t psize = 65;
bf2e1ac7
GM		 2492 random_scalar_order_test(&x);
2493 secp256k1_scalar_negate(&nx, &x);
a9b6595e
PW		 2494 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2495 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
4f9791ab 2496 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
b5c9ee75 2497 CHECK(secp256k1_gej_is_infinity(&res1));
39bd94d8 2498 CHECK(secp256k1_gej_is_valid_var(&res1) == 0);
ee3eb4be
GM		 2499 secp256k1_ge_set_gej(&res3, &res1);
2500 CHECK(secp256k1_ge_is_infinity(&res3));
39bd94d8 2501 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
9234391e 2502 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
8d11164b 2503 psize = 65;
9234391e 2504 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
baa75da5
AP		 2505 /* check zero/one edge cases */
2506 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2507 secp256k1_ge_set_gej(&res3, &res1);
2508 CHECK(secp256k1_ge_is_infinity(&res3));
2509 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2510 secp256k1_ge_set_gej(&res3, &res1);
2511 ge_equals_gej(&res3, point);
2512 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2513 secp256k1_ge_set_gej(&res3, &res1);
2514 ge_equals_ge(&res3, &secp256k1_ge_const_g);
4e0ed539
PW		 2515}
2516
2cad067a 2517void run_point_times_order(void) {
bf2e1ac7 2518 int i;
dd891e0e
PW		 2519 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2520 static const secp256k1_fe xr = SECP256K1_FE_CONST(
443cd4b8
PW		 2521 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2522 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2523 );
bf2e1ac7 2524 for (i = 0; i < 500; i++) {
dd891e0e 2525 secp256k1_ge p;
39bd94d8 2526 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
dd891e0e 2527 secp256k1_gej j;
bf2e1ac7 2528 CHECK(secp256k1_ge_is_valid_var(&p));
09ca4f32 2529 secp256k1_gej_set_ge(&j, &p);
39bd94d8 2530 CHECK(secp256k1_gej_is_valid_var(&j));
09ca4f32
PD		 2531 test_point_times_order(&j);
2532 }
910d0de4 2533 secp256k1_fe_sqr(&x, &x);
4e0ed539 2534 }
443cd4b8
PW		 2535 secp256k1_fe_normalize_var(&x);
2536 CHECK(secp256k1_fe_equal_var(&x, &xr));
4e0ed539
PW		 2537}
2538
44015000
AP		 2539void ecmult_const_random_mult(void) {
2540 /* random starting point A (on the curve) */
dd891e0e 2541 secp256k1_ge a = SECP256K1_GE_CONST(
44015000
AP		 2542 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2543 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2544 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2545 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2546 );
2547 /* random initial factor xn */
dd891e0e 2548 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
44015000
AP		 2549 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2550 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2551 );
2552 /* expected xn * A (from sage) */
dd891e0e 2553 secp256k1_ge expected_b = SECP256K1_GE_CONST(
44015000
AP		 2554 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2555 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2556 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2557 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2558 );
dd891e0e 2559 secp256k1_gej b;
7c1b91ba 2560 secp256k1_ecmult_const(&b, &a, &xn, 256);
44015000
AP		 2561
2562 CHECK(secp256k1_ge_is_valid_var(&a));
2563 ge_equals_gej(&expected_b, &b);
2564}
2565
2566void ecmult_const_commutativity(void) {
dd891e0e
PW		 2567 secp256k1_scalar a;
2568 secp256k1_scalar b;
2569 secp256k1_gej res1;
2570 secp256k1_gej res2;
2571 secp256k1_ge mid1;
2572 secp256k1_ge mid2;
44015000
AP		 2573 random_scalar_order_test(&a);
2574 random_scalar_order_test(&b);
2575
7c1b91ba
AP		 2576 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
2577 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
44015000
AP		 2578 secp256k1_ge_set_gej(&mid1, &res1);
2579 secp256k1_ge_set_gej(&mid2, &res2);
7c1b91ba
AP		 2580 secp256k1_ecmult_const(&res1, &mid1, &b, 256);
2581 secp256k1_ecmult_const(&res2, &mid2, &a, 256);
44015000
AP		 2582 secp256k1_ge_set_gej(&mid1, &res1);
2583 secp256k1_ge_set_gej(&mid2, &res2);
2584 ge_equals_ge(&mid1, &mid2);
2585}
2586
2587void ecmult_const_mult_zero_one(void) {
dd891e0e
PW		 2588 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2589 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2590 secp256k1_scalar negone;
2591 secp256k1_gej res1;
2592 secp256k1_ge res2;
2593 secp256k1_ge point;
44015000
AP		 2594 secp256k1_scalar_negate(&negone, &one);
2595
2596 random_group_element_test(&point);
7c1b91ba 2597 secp256k1_ecmult_const(&res1, &point, &zero, 3);
44015000
AP		 2598 secp256k1_ge_set_gej(&res2, &res1);
2599 CHECK(secp256k1_ge_is_infinity(&res2));
7c1b91ba 2600 secp256k1_ecmult_const(&res1, &point, &one, 2);
44015000
AP		 2601 secp256k1_ge_set_gej(&res2, &res1);
2602 ge_equals_ge(&res2, &point);
7c1b91ba 2603 secp256k1_ecmult_const(&res1, &point, &negone, 256);
44015000
AP		 2604 secp256k1_gej_neg(&res1, &res1);
2605 secp256k1_ge_set_gej(&res2, &res1);
2606 ge_equals_ge(&res2, &point);
2607}
2608
2609void ecmult_const_chain_multiply(void) {
2610 /* Check known result (randomly generated test problem from sage) */
dd891e0e 2611 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
44015000
AP		 2612 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2613 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2614 );
dd891e0e 2615 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
44015000
AP		 2616 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2617 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2618 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2619 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2620 );
dd891e0e
PW		 2621 secp256k1_gej point;
2622 secp256k1_ge res;
44015000
AP		 2623 int i;
2624
2625 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2626 for (i = 0; i < 100; ++i) {
dd891e0e 2627 secp256k1_ge tmp;
44015000 2628 secp256k1_ge_set_gej(&tmp, &point);
7c1b91ba 2629 secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
44015000
AP		 2630 }
2631 secp256k1_ge_set_gej(&res, &point);
2632 ge_equals_gej(&res, &expected_point);
2633}
2634
2635void run_ecmult_const_tests(void) {
2636 ecmult_const_mult_zero_one();
2637 ecmult_const_random_mult();
2638 ecmult_const_commutativity();
2639 ecmult_const_chain_multiply();
2640}
2641
dba5471b
AP		 2642typedef struct {
2643 secp256k1_scalar *sc;
2644 secp256k1_ge *pt;
2645} ecmult_multi_data;
2646
2647static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2648 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
2649 *sc = data->sc[idx];
2650 *pt = data->pt[idx];
2651 return 1;
2652}
2653
355a38f1
JN		 2654static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2655 (void)sc;
2656 (void)pt;
2657 (void)idx;
2658 (void)cbdata;
2659 return 0;
2660}
2661
2662void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
dba5471b
AP		 2663 int ncount;
2664 secp256k1_scalar szero;
2665 secp256k1_scalar sc[32];
2666 secp256k1_ge pt[32];
2667 secp256k1_gej r;
2668 secp256k1_gej r2;
2669 ecmult_multi_data data;
dba5471b
AP		 2670
2671 data.sc = sc;
2672 data.pt = pt;
dba5471b 2673 secp256k1_scalar_set_int(&szero, 0);
355a38f1
JN		 2674
2675 /* No points to multiply */
c2b028a2 2676 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
dba5471b
AP		 2677
2678 /* Check 1- and 2-point multiplies against ecmult */
2679 for (ncount = 0; ncount < count; ncount++) {
2680 secp256k1_ge ptg;
2681 secp256k1_gej ptgj;
2682 random_scalar_order(&sc[0]);
2683 random_scalar_order(&sc[1]);
2684
2685 random_group_element_test(&ptg);
2686 secp256k1_gej_set_ge(&ptgj, &ptg);
2687 pt[0] = ptg;
2688 pt[1] = secp256k1_ge_const_g;
2689
355a38f1
JN		 2690 /* only G scalar */
2691 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
c2b028a2 2692 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
355a38f1
JN		 2693 secp256k1_gej_neg(&r2, &r2);
2694 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2695 CHECK(secp256k1_gej_is_infinity(&r));
2696
dba5471b
AP		 2697 /* 1-point */
2698 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
c2b028a2 2699 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
dba5471b
AP		 2700 secp256k1_gej_neg(&r2, &r2);
2701 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2702 CHECK(secp256k1_gej_is_infinity(&r));
2703
355a38f1 2704 /* Try to multiply 1 point, but callback returns false */
c2b028a2 2705 CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
355a38f1 2706
dba5471b
AP		 2707 /* 2-point */
2708 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
c2b028a2 2709 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
dba5471b
AP		 2710 secp256k1_gej_neg(&r2, &r2);
2711 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2712 CHECK(secp256k1_gej_is_infinity(&r));
2713
2714 /* 2-point with G scalar */
2715 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
c2b028a2 2716 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
dba5471b
AP		 2717 secp256k1_gej_neg(&r2, &r2);
2718 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2719 CHECK(secp256k1_gej_is_infinity(&r));
2720 }
2721
2722 /* Check infinite outputs of various forms */
2723 for (ncount = 0; ncount < count; ncount++) {
2724 secp256k1_ge ptg;
2725 size_t i, j;
2726 size_t sizes[] = { 2, 10, 32 };
2727
2728 for (j = 0; j < 3; j++) {
2729 for (i = 0; i < 32; i++) {
2730 random_scalar_order(&sc[i]);
2731 secp256k1_ge_set_infinity(&pt[i]);
2732 }
c2b028a2 2733 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
dba5471b
AP		 2734 CHECK(secp256k1_gej_is_infinity(&r));
2735 }
2736
2737 for (j = 0; j < 3; j++) {
2738 for (i = 0; i < 32; i++) {
2739 random_group_element_test(&ptg);
2740 pt[i] = ptg;
2741 secp256k1_scalar_set_int(&sc[i], 0);
2742 }
c2b028a2 2743 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
dba5471b
AP		 2744 CHECK(secp256k1_gej_is_infinity(&r));
2745 }
2746
2747 for (j = 0; j < 3; j++) {
2748 random_group_element_test(&ptg);
2749 for (i = 0; i < 16; i++) {
2750 random_scalar_order(&sc[2*i]);
2751 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
2752 pt[2 * i] = ptg;
2753 pt[2 * i + 1] = ptg;
2754 }
2755
c2b028a2 2756 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
dba5471b
AP		 2757 CHECK(secp256k1_gej_is_infinity(&r));
2758
2759 random_scalar_order(&sc[0]);
2760 for (i = 0; i < 16; i++) {
2761 random_group_element_test(&ptg);
2762
2763 sc[2*i] = sc[0];
2764 sc[2*i+1] = sc[0];
2765 pt[2 * i] = ptg;
2766 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
2767 }
2768
c2b028a2 2769 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
dba5471b
AP		 2770 CHECK(secp256k1_gej_is_infinity(&r));
2771 }
2772
2773 random_group_element_test(&ptg);
2774 secp256k1_scalar_set_int(&sc[0], 0);
2775 pt[0] = ptg;
2776 for (i = 1; i < 32; i++) {
2777 pt[i] = ptg;
2778
2779 random_scalar_order(&sc[i]);
2780 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
2781 secp256k1_scalar_negate(&sc[i], &sc[i]);
2782 }
2783
c2b028a2 2784 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
dba5471b
AP		 2785 CHECK(secp256k1_gej_is_infinity(&r));
2786 }
2787
2788 /* Check random points, constant scalar */
2789 for (ncount = 0; ncount < count; ncount++) {
2790 size_t i;
2791 secp256k1_gej_set_infinity(&r);
2792
2793 random_scalar_order(&sc[0]);
2794 for (i = 0; i < 20; i++) {
2795 secp256k1_ge ptg;
2796 sc[i] = sc[0];
2797 random_group_element_test(&ptg);
2798 pt[i] = ptg;
2799 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
2800 }
2801
2802 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
c2b028a2 2803 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
dba5471b
AP		 2804 secp256k1_gej_neg(&r2, &r2);
2805 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2806 CHECK(secp256k1_gej_is_infinity(&r));
2807 }
2808
2809 /* Check random scalars, constant point */
2810 for (ncount = 0; ncount < count; ncount++) {
2811 size_t i;
2812 secp256k1_ge ptg;
2813 secp256k1_gej p0j;
2814 secp256k1_scalar rs;
2815 secp256k1_scalar_set_int(&rs, 0);
2816
2817 random_group_element_test(&ptg);
2818 for (i = 0; i < 20; i++) {
2819 random_scalar_order(&sc[i]);
2820 pt[i] = ptg;
2821 secp256k1_scalar_add(&rs, &rs, &sc[i]);
2822 }
2823
2824 secp256k1_gej_set_ge(&p0j, &pt[0]);
2825 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
c2b028a2 2826 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
dba5471b
AP		 2827 secp256k1_gej_neg(&r2, &r2);
2828 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2829 CHECK(secp256k1_gej_is_infinity(&r));
2830 }
2831
2832 /* Sanity check that zero scalars don't cause problems */
95e99f19
AP		 2833 for (ncount = 0; ncount < 20; ncount++) {
2834 random_scalar_order(&sc[ncount]);
2835 random_group_element_test(&pt[ncount]);
2836 }
2837
dba5471b 2838 secp256k1_scalar_clear(&sc[0]);
c2b028a2 2839 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
dba5471b
AP		 2840 secp256k1_scalar_clear(&sc[1]);
2841 secp256k1_scalar_clear(&sc[2]);
2842 secp256k1_scalar_clear(&sc[3]);
2843 secp256k1_scalar_clear(&sc[4]);
c2b028a2
AP		 2844 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
2845 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
dba5471b
AP		 2846 CHECK(secp256k1_gej_is_infinity(&r));
2847
2848 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
2849 {
2850 const size_t TOP = 8;
2851 size_t s0i, s1i;
2852 size_t t0i, t1i;
2853 secp256k1_ge ptg;
2854 secp256k1_gej ptgj;
2855
2856 random_group_element_test(&ptg);
2857 secp256k1_gej_set_ge(&ptgj, &ptg);
2858
2859 for(t0i = 0; t0i < TOP; t0i++) {
2860 for(t1i = 0; t1i < TOP; t1i++) {
2861 secp256k1_gej t0p, t1p;
2862 secp256k1_scalar t0, t1;
2863
2864 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
2865 secp256k1_scalar_cond_negate(&t0, t0i & 1);
2866 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
2867 secp256k1_scalar_cond_negate(&t1, t1i & 1);
2868
2869 secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
2870 secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
2871
2872 for(s0i = 0; s0i < TOP; s0i++) {
2873 for(s1i = 0; s1i < TOP; s1i++) {
2874 secp256k1_scalar tmp1, tmp2;
2875 secp256k1_gej expected, actual;
2876
2877 secp256k1_ge_set_gej(&pt[0], &t0p);
2878 secp256k1_ge_set_gej(&pt[1], &t1p);
2879
2880 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
2881 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
2882 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
2883 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
2884
2885 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
2886 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
2887 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
2888
2889 secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
c2b028a2 2890 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
dba5471b
AP		 2891 secp256k1_gej_neg(&expected, &expected);
2892 secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
2893 CHECK(secp256k1_gej_is_infinity(&actual));
2894 }
2895 }
2896 }
2897 }
2898 }
355a38f1
JN		 2899}
2900
9ab96f7b
JN		 2901void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) {
2902 secp256k1_scalar szero;
2903 secp256k1_scalar sc[32];
2904 secp256k1_ge pt[32];
2905 secp256k1_gej r;
2906 ecmult_multi_data data;
2907 secp256k1_scratch *scratch_empty;
2908
2909 data.sc = sc;
2910 data.pt = pt;
2911 secp256k1_scalar_set_int(&szero, 0);
2912
2913 /* Try to multiply 1 point, but scratch space is empty.*/
2914 scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
c2b028a2
AP		 2915 CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
2916 secp256k1_scratch_destroy(&ctx->error_callback, scratch_empty);
9ab96f7b
JN		 2917}
2918
36b22c93
JN		 2919void test_secp256k1_pippenger_bucket_window_inv(void) {
2920 int i;
2921
2922 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
2923 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
2924#ifdef USE_ENDOMORPHISM
2925 /* Bucket_window of 8 is not used with endo */
2926 if (i == 8) {
2927 continue;
2928 }
2929#endif
2930 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
2931 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
2932 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
2933 }
2934 }
2935}
2936
2937/**
2938 * Probabilistically test the function returning the maximum number of possible points
2939 * for a given scratch space.
2940 */
2941void test_ecmult_multi_pippenger_max_points(void) {
2942 size_t scratch_size = secp256k1_rand_int(256);
2943 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
2944 secp256k1_scratch *scratch;
2945 size_t n_points_supported;
2946 int bucket_window = 0;
2947
2948 for(; scratch_size < max_size; scratch_size+=256) {
6fe50439 2949 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
36b22c93 2950 CHECK(scratch != NULL);
c2b028a2 2951 n_points_supported = secp256k1_pippenger_max_points(&ctx->error_callback, scratch);
36b22c93 2952 if (n_points_supported == 0) {
c2b028a2 2953 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
36b22c93
JN		 2954 continue;
2955 }
2956 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
c2b028a2
AP		 2957 CHECK(secp256k1_scratch_allocate_frame(&ctx->error_callback, scratch, secp256k1_pippenger_scratch_size(n_points_supported, bucket_window), PIPPENGER_SCRATCH_OBJECTS));
2958 secp256k1_scratch_deallocate_frame(&ctx->error_callback, scratch);
2959 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
36b22c93
JN		 2960 }
2961 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
2962}
2963
2277af5f
JN		 2964void test_ecmult_multi_batch_size_helper(void) {
2965 size_t n_batches, n_batch_points, max_n_batch_points, n;
2966
2967 max_n_batch_points = 0;
2968 n = 1;
2969 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
2970
2971 max_n_batch_points = 1;
2972 n = 0;
2973 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2974 CHECK(n_batches == 0);
2975 CHECK(n_batch_points == 0);
2976
2977 max_n_batch_points = 2;
2978 n = 5;
2979 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2980 CHECK(n_batches == 3);
2981 CHECK(n_batch_points == 2);
2982
2983 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
2984 n = ECMULT_MAX_POINTS_PER_BATCH;
2985 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2986 CHECK(n_batches == 1);
2987 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
2988
2989 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
2990 n = ECMULT_MAX_POINTS_PER_BATCH + 1;
2991 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2992 CHECK(n_batches == 2);
2993 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
2994
2995 max_n_batch_points = 1;
2996 n = SIZE_MAX;
2997 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2998 CHECK(n_batches == SIZE_MAX);
2999 CHECK(n_batch_points == 1);
3000
3001 max_n_batch_points = 2;
3002 n = SIZE_MAX;
3003 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3004 CHECK(n_batches == SIZE_MAX/2 + 1);
3005 CHECK(n_batch_points == 2);
3006}
3007
36b22c93
JN		 3008/**
3009 * Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to
3010 * 1 <= i <= num points.
3011 */
355a38f1 3012void test_ecmult_multi_batching(void) {
36b22c93 3013 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
355a38f1
JN		 3014 secp256k1_scalar scG;
3015 secp256k1_scalar szero;
3016 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
3017 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
3018 secp256k1_gej r;
3019 secp256k1_gej r2;
3020 ecmult_multi_data data;
3021 int i;
3022 secp256k1_scratch *scratch;
3023
355a38f1
JN		 3024 secp256k1_gej_set_infinity(&r2);
3025 secp256k1_scalar_set_int(&szero, 0);
3026
36b22c93 3027 /* Get random scalars and group elements and compute result */
355a38f1
JN		 3028 random_scalar_order(&scG);
3029 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
3030 for(i = 0; i < n_points; i++) {
3031 secp256k1_ge ptg;
36b22c93 3032 secp256k1_gej ptgj;
355a38f1 3033 random_group_element_test(&ptg);
36b22c93 3034 secp256k1_gej_set_ge(&ptgj, &ptg);
355a38f1
JN		 3035 pt[i] = ptg;
3036 random_scalar_order(&sc[i]);
36b22c93
JN		 3037 secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
3038 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
355a38f1
JN		 3039 }
3040 data.sc = sc;
3041 data.pt = pt;
9ab96f7b 3042 secp256k1_gej_neg(&r2, &r2);
355a38f1 3043
9ab96f7b
JN		 3044 /* Test with empty scratch space. It should compute the correct result using
3045 * ecmult_mult_simple algorithm which doesn't require a scratch space. */
6fe50439 3046 scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
c2b028a2 3047 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
9ab96f7b
JN		 3048 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3049 CHECK(secp256k1_gej_is_infinity(&r));
c2b028a2 3050 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
355a38f1
JN		 3051
3052 /* Test with space for 1 point in pippenger. That's not enough because
9ab96f7b
JN		 3053 * ecmult_multi selects strauss which requires more memory. It should
3054 * therefore select the simple algorithm. */
6fe50439 3055 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
c2b028a2 3056 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
9ab96f7b
JN		 3057 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3058 CHECK(secp256k1_gej_is_infinity(&r));
c2b028a2 3059 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
355a38f1 3060
36b22c93 3061 for(i = 1; i <= n_points; i++) {
355a38f1
JN		 3062 if (i > ECMULT_PIPPENGER_THRESHOLD) {
3063 int bucket_window = secp256k1_pippenger_bucket_window(i);
3064 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
6fe50439 3065 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
355a38f1
JN		 3066 } else {
3067 size_t scratch_size = secp256k1_strauss_scratch_size(i);
6fe50439 3068 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
355a38f1 3069 }
c2b028a2 3070 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
355a38f1
JN		 3071 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3072 CHECK(secp256k1_gej_is_infinity(&r));
c2b028a2 3073 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
355a38f1 3074 }
355a38f1
JN		 3075 free(sc);
3076 free(pt);
3077}
3078
3079void run_ecmult_multi_tests(void) {
3080 secp256k1_scratch *scratch;
dba5471b 3081
36b22c93
JN		 3082 test_secp256k1_pippenger_bucket_window_inv();
3083 test_ecmult_multi_pippenger_max_points();
6fe50439 3084 scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
36b22c93 3085 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
bade6174 3086 test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
36b22c93 3087 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
9ab96f7b 3088 test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single);
36b22c93 3089 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
9ab96f7b 3090 test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single);
c2b028a2 3091 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
36b22c93
JN		 3092
3093 /* Run test_ecmult_multi with space for exactly one point */
6fe50439 3094 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
36b22c93 3095 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
c2b028a2 3096 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
355a38f1 3097
2277af5f 3098 test_ecmult_multi_batch_size_helper();
355a38f1 3099 test_ecmult_multi_batching();
dba5471b
AP		 3100}
3101
dd891e0e
PW		 3102void test_wnaf(const secp256k1_scalar *number, int w) {
3103 secp256k1_scalar x, two, t;
bf2e1ac7
GM		 3104 int wnaf[256];
3105 int zeroes = -1;
3106 int i;
3107 int bits;
f24041d6
PW		 3108 secp256k1_scalar_set_int(&x, 0);
3109 secp256k1_scalar_set_int(&two, 2);
55399c23 3110 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
0b730597 3111 CHECK(bits <= 256);
bf2e1ac7 3112 for (i = bits-1; i >= 0; i--) {
b1483f87 3113 int v = wnaf[i];
bf2e1ac7 3114 secp256k1_scalar_mul(&x, &x, &two);
4e0ed539 3115 if (v) {
71712b27 3116 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
4e0ed539 3117 zeroes=0;
71712b27
GM		 3118 CHECK((v & 1) == 1); /* check non-zero elements are odd */
3119 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
3120 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
4e0ed539 3121 } else {
71712b27 3122 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
4e0ed539
PW		 3123 zeroes++;
3124 }
f24041d6
PW		 3125 if (v >= 0) {
3126 secp256k1_scalar_set_int(&t, v);
3127 } else {
3128 secp256k1_scalar_set_int(&t, -v);
3129 secp256k1_scalar_negate(&t, &t);
3130 }
3131 secp256k1_scalar_add(&x, &x, &t);
4e0ed539 3132 }
f24041d6 3133 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
4e0ed539
PW		 3134}
3135
dd891e0e
PW		 3136void test_constant_wnaf_negate(const secp256k1_scalar *number) {
3137 secp256k1_scalar neg1 = *number;
3138 secp256k1_scalar neg2 = *number;
44015000
AP		 3139 int sign1 = 1;
3140 int sign2 = 1;
3141
3142 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
3143 secp256k1_scalar_negate(&neg1, &neg1);
3144 sign1 = -1;
3145 }
3146 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
3147 CHECK(sign1 == sign2);
3148 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
3149}
3150
dd891e0e
PW		 3151void test_constant_wnaf(const secp256k1_scalar *number, int w) {
3152 secp256k1_scalar x, shift;
44015000
AP		 3153 int wnaf[256] = {0};
3154 int i;
92e53fc4 3155 int skew;
7c1b91ba 3156 int bits = 256;
dd891e0e 3157 secp256k1_scalar num = *number;
44015000
AP		 3158
3159 secp256k1_scalar_set_int(&x, 0);
3160 secp256k1_scalar_set_int(&shift, 1 << w);
92e53fc4
AP		 3161 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3162#ifdef USE_ENDOMORPHISM
912f203f 3163 for (i = 0; i < 16; ++i) {
92e53fc4 3164 secp256k1_scalar_shr_int(&num, 8);
912f203f 3165 }
7c1b91ba 3166 bits = 128;
92e53fc4 3167#endif
8979ec0d 3168 skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
44015000 3169
7c1b91ba 3170 for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
dd891e0e 3171 secp256k1_scalar t;
44015000
AP		 3172 int v = wnaf[i];
3173 CHECK(v != 0); /* check nonzero */
3174 CHECK(v & 1); /* check parity */
3175 CHECK(v > -(1 << w)); /* check range above */
3176 CHECK(v < (1 << w)); /* check range below */
3177
3178 secp256k1_scalar_mul(&x, &x, &shift);
3179 if (v >= 0) {
3180 secp256k1_scalar_set_int(&t, v);
3181 } else {
3182 secp256k1_scalar_set_int(&t, -v);
3183 secp256k1_scalar_negate(&t, &t);
3184 }
3185 secp256k1_scalar_add(&x, &x, &t);
3186 }
c6191fde 3187 /* Skew num because when encoding numbers as odd we use an offset */
92e53fc4 3188 secp256k1_scalar_cadd_bit(&num, skew == 2, 1);
92e53fc4 3189 CHECK(secp256k1_scalar_eq(&x, &num));
44015000
AP		 3190}
3191
355a38f1
JN		 3192void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
3193 secp256k1_scalar x, shift;
3194 int wnaf[256] = {0};
3195 int i;
3196 int skew;
3197 secp256k1_scalar num = *number;
3198
3199 secp256k1_scalar_set_int(&x, 0);
3200 secp256k1_scalar_set_int(&shift, 1 << w);
3201 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3202#ifdef USE_ENDOMORPHISM
3203 for (i = 0; i < 16; ++i) {
3204 secp256k1_scalar_shr_int(&num, 8);
3205 }
3206#endif
3207 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3208
3209 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3210 secp256k1_scalar t;
3211 int v = wnaf[i];
6dbb0078 3212 CHECK(v == 0 || v & 1); /* check parity */
355a38f1
JN		 3213 CHECK(v > -(1 << w)); /* check range above */
3214 CHECK(v < (1 << w)); /* check range below */
3215
3216 secp256k1_scalar_mul(&x, &x, &shift);
3217 if (v >= 0) {
3218 secp256k1_scalar_set_int(&t, v);
3219 } else {
3220 secp256k1_scalar_set_int(&t, -v);
3221 secp256k1_scalar_negate(&t, &t);
3222 }
3223 secp256k1_scalar_add(&x, &x, &t);
3224 }
3225 /* If skew is 1 then add 1 to num */
3226 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
3227 CHECK(secp256k1_scalar_eq(&x, &num));
3228}
3229
ec0a7b3a
JN		 3230/* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
3231 * rest is 0.*/
3232void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
3233 int i;
3234 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
3235 CHECK(wnaf[i] == 0);
3236 }
3237 for (i = 7; i >= 0; --i) {
3238 CHECK(wnaf[i] == wnaf_expected[i]);
3239 }
3240}
3241
3242void test_fixed_wnaf_small(void) {
3243 int w = 4;
355a38f1
JN		 3244 int wnaf[256] = {0};
3245 int i;
3246 int skew;
3247 secp256k1_scalar num;
3248
3249 secp256k1_scalar_set_int(&num, 0);
3250 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
355a38f1
JN		 3251 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3252 int v = wnaf[i];
3253 CHECK(v == 0);
3254 }
3255 CHECK(skew == 0);
ec0a7b3a
JN		 3256
3257 secp256k1_scalar_set_int(&num, 1);
3258 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3259 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
3260 int v = wnaf[i];
3261 CHECK(v == 0);
3262 }
3263 CHECK(wnaf[0] == 1);
3264 CHECK(skew == 0);
3265
3266 {
3267 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
3268 secp256k1_scalar_set_int(&num, 0xffffffff);
3269 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3270 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3271 CHECK(skew == 0);
3272 }
3273 {
3274 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
3275 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
3276 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3277 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3278 CHECK(skew == 1);
3279 }
3280 {
3281 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
3282 secp256k1_scalar_set_int(&num, 0x01010101);
3283 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3284 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3285 CHECK(skew == 0);
3286 }
3287 {
3288 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
3289 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
3290 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3291 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3292 CHECK(skew == 0);
3293 }
355a38f1
JN		 3294}
3295
2cad067a 3296void run_wnaf(void) {
bf2e1ac7 3297 int i;
dd891e0e 3298 secp256k1_scalar n = {{0}};
44015000
AP		 3299
3300 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
3301 * have easier-to-diagnose failure modes */
3302 n.d[0] = 1;
3303 test_constant_wnaf(&n, 4);
3304 n.d[0] = 2;
3305 test_constant_wnaf(&n, 4);
355a38f1 3306 /* Test 0 */
ec0a7b3a 3307 test_fixed_wnaf_small();
44015000 3308 /* Random tests */
bf2e1ac7 3309 for (i = 0; i < count; i++) {
f24041d6 3310 random_scalar_order(&n);
eb0be8ee 3311 test_wnaf(&n, 4+(i%10));
44015000
AP		 3312 test_constant_wnaf_negate(&n);
3313 test_constant_wnaf(&n, 4 + (i % 10));
355a38f1 3314 test_fixed_wnaf(&n, 4 + (i % 10));
4e0ed539 3315 }
96be2046
GM		 3316 secp256k1_scalar_set_int(&n, 0);
3317 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
3318 CHECK(secp256k1_scalar_is_zero(&n));
3319 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
3320 CHECK(secp256k1_scalar_is_zero(&n));
4e0ed539 3321}
a41f32e6 3322
d2275795
GM		 3323void test_ecmult_constants(void) {
3324 /* Test ecmult_gen() for [0..36) and [order-36..0). */
dd891e0e
PW		 3325 secp256k1_scalar x;
3326 secp256k1_gej r;
3327 secp256k1_ge ng;
d2275795
GM		 3328 int i;
3329 int j;
3330 secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
3331 for (i = 0; i < 36; i++ ) {
3332 secp256k1_scalar_set_int(&x, i);
3333 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3334 for (j = 0; j < i; j++) {
3335 if (j == i - 1) {
3336 ge_equals_gej(&secp256k1_ge_const_g, &r);
3337 }
3338 secp256k1_gej_add_ge(&r, &r, &ng);
3339 }
3340 CHECK(secp256k1_gej_is_infinity(&r));
3341 }
3342 for (i = 1; i <= 36; i++ ) {
3343 secp256k1_scalar_set_int(&x, i);
3344 secp256k1_scalar_negate(&x, &x);
3345 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3346 for (j = 0; j < i; j++) {
3347 if (j == i - 1) {
3348 ge_equals_gej(&ng, &r);
3349 }
3350 secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
3351 }
3352 CHECK(secp256k1_gej_is_infinity(&r));
3353 }
3354}
3355
3356void run_ecmult_constants(void) {
3357 test_ecmult_constants();
3358}
3359
3360void test_ecmult_gen_blind(void) {
269d4227 3361 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
dd891e0e
PW		 3362 secp256k1_scalar key;
3363 secp256k1_scalar b;
d2275795 3364 unsigned char seed32[32];
dd891e0e
PW		 3365 secp256k1_gej pgej;
3366 secp256k1_gej pgej2;
3367 secp256k1_gej i;
3368 secp256k1_ge pge;
d2275795
GM		 3369 random_scalar_order_test(&key);
3370 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
3371 secp256k1_rand256(seed32);
3372 b = ctx->ecmult_gen_ctx.blind;
3373 i = ctx->ecmult_gen_ctx.initial;
3374 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
3375 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3376 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
3377 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
3378 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
3379 secp256k1_ge_set_gej(&pge, &pgej);
3380 ge_equals_gej(&pge, &pgej2);
3381}
3382
3383void test_ecmult_gen_blind_reset(void) {
3384 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
dd891e0e
PW		 3385 secp256k1_scalar b;
3386 secp256k1_gej initial;
d2275795
GM		 3387 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3388 b = ctx->ecmult_gen_ctx.blind;
3389 initial = ctx->ecmult_gen_ctx.initial;
3390 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3391 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3392 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
3393}
3394
3395void run_ecmult_gen_blind(void) {
3396 int i;
3397 test_ecmult_gen_blind_reset();
3398 for (i = 0; i < 10; i++) {
3399 test_ecmult_gen_blind();
3400 }
3401}
3402
baa75da5
AP		 3403#ifdef USE_ENDOMORPHISM
3404/***** ENDOMORPHISH TESTS *****/
3405void test_scalar_split(void) {
dd891e0e
PW		 3406 secp256k1_scalar full;
3407 secp256k1_scalar s1, slam;
baa75da5
AP		 3408 const unsigned char zero[32] = {0};
3409 unsigned char tmp[32];
3410
3411 random_scalar_order_test(&full);
ed35d43a 3412 secp256k1_scalar_split_lambda(&s1, &slam, &full);
baa75da5
AP		 3413
3414 /* check that both are <= 128 bits in size */
912f203f 3415 if (secp256k1_scalar_is_high(&s1)) {
baa75da5 3416 secp256k1_scalar_negate(&s1, &s1);
912f203f
GM		 3417 }
3418 if (secp256k1_scalar_is_high(&slam)) {
baa75da5 3419 secp256k1_scalar_negate(&slam, &slam);
912f203f 3420 }
baa75da5
AP		 3421
3422 secp256k1_scalar_get_b32(tmp, &s1);
3423 CHECK(memcmp(zero, tmp, 16) == 0);
3424 secp256k1_scalar_get_b32(tmp, &slam);
3425 CHECK(memcmp(zero, tmp, 16) == 0);
3426}
3427
3428void run_endomorphism_tests(void) {
3429 test_scalar_split();
3430}
3431#endif
d2275795 3432
67f7da40
GM		 3433void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
3434 unsigned char pubkeyc[65];
3435 secp256k1_pubkey pubkey;
3436 secp256k1_ge ge;
3437 size_t pubkeyclen;
3438 int32_t ecount;
3439 ecount = 0;
3440 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3441 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
3442 /* Smaller sizes are tested exhaustively elsewhere. */
3443 int32_t i;
3444 memcpy(&pubkeyc[1], input, 64);
3445 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
3446 for (i = 0; i < 256; i++) {
3447 /* Try all type bytes. */
3448 int xpass;
3449 int ypass;
3450 int ysign;
3451 pubkeyc[0] = i;
3452 /* What sign does this point have? */
3453 ysign = (input[63] & 1) + 2;
3454 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
3455 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
3456 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
3457 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
3458 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
3459 if (xpass || ypass) {
3460 /* These cases must parse. */
3461 unsigned char pubkeyo[65];
3462 size_t outl;
3463 memset(&pubkey, 0, sizeof(pubkey));
3464 VG_UNDEF(&pubkey, sizeof(pubkey));
3465 ecount = 0;
3466 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3467 VG_CHECK(&pubkey, sizeof(pubkey));
3468 outl = 65;
3469 VG_UNDEF(pubkeyo, 65);
3470 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3471 VG_CHECK(pubkeyo, outl);
3472 CHECK(outl == 33);
3473 CHECK(memcmp(&pubkeyo[1], &pubkeyc[1], 32) == 0);
3474 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
3475 if (ypass) {
3476 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
3477 CHECK(pubkeyo[0] == ysign);
3478 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3479 memset(&pubkey, 0, sizeof(pubkey));
3480 VG_UNDEF(&pubkey, sizeof(pubkey));
3481 secp256k1_pubkey_save(&pubkey, &ge);
3482 VG_CHECK(&pubkey, sizeof(pubkey));
3483 outl = 65;
3484 VG_UNDEF(pubkeyo, 65);
1a368980 3485 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
67f7da40
GM		 3486 VG_CHECK(pubkeyo, outl);
3487 CHECK(outl == 65);
3488 CHECK(pubkeyo[0] == 4);
3489 CHECK(memcmp(&pubkeyo[1], input, 64) == 0);
3490 }
3491 CHECK(ecount == 0);
3492 } else {
3493 /* These cases must fail to parse. */
3494 memset(&pubkey, 0xfe, sizeof(pubkey));
3495 ecount = 0;
3496 VG_UNDEF(&pubkey, sizeof(pubkey));
3497 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
3498 VG_CHECK(&pubkey, sizeof(pubkey));
3499 CHECK(ecount == 0);
3500 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3501 CHECK(ecount == 1);
3502 }
3503 }
3504 }
3505 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3506}
3507
3508void run_ec_pubkey_parse_test(void) {
3509#define SECP256K1_EC_PARSE_TEST_NVALID (12)
3510 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
3511 {
3512 /* Point with leading and trailing zeros in x and y serialization. */
3513 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
3514 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3515 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
3516 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
3517 },
3518 {
3519 /* Point with x equal to a 3rd root of unity.*/
3520 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
3521 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
3522 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3523 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3524 },
3525 {
3526 /* Point with largest x. (1/2) */
3527 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3528 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3529 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
3530 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
3531 },
3532 {
3533 /* Point with largest x. (2/2) */
3534 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3535 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3536 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
3537 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
3538 },
3539 {
3540 /* Point with smallest x. (1/2) */
3541 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3542 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3543 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3544 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3545 },
3546 {
3547 /* Point with smallest x. (2/2) */
3548 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3549 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3550 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3551 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3552 },
3553 {
3554 /* Point with largest y. (1/3) */
3555 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3556 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3557 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3558 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3559 },
3560 {
3561 /* Point with largest y. (2/3) */
3562 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3563 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3564 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3565 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3566 },
3567 {
3568 /* Point with largest y. (3/3) */
3569 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3570 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3571 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3572 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3573 },
3574 {
3575 /* Point with smallest y. (1/3) */
3576 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3577 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3578 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3579 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3580 },
3581 {
3582 /* Point with smallest y. (2/3) */
3583 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3584 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3585 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3586 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3587 },
3588 {
3589 /* Point with smallest y. (3/3) */
3590 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3591 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3592 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3593 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
3594 }
3595 };
3596#define SECP256K1_EC_PARSE_TEST_NXVALID (4)
3597 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
3598 {
3599 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
3600 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3601 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3602 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3603 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3604 },
3605 {
3606 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
3607 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3608 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3609 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3610 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3611 },
3612 {
3613 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
3614 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3615 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3616 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3617 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3618 },
3619 {
3620 /* x on curve, y is from y^2 = x^3 + 8. */
3621 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3622 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3623 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3624 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
3625 }
3626 };
3627#define SECP256K1_EC_PARSE_TEST_NINVALID (7)
3628 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
3629 {
3630 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
3631 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
3632 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
3633 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3634 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3635 },
3636 {
3637 /* Valid if x overflow ignored (x = 1 mod p). */
3638 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3639 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3640 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3641 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3642 },
3643 {
3644 /* Valid if x overflow ignored (x = 1 mod p). */
3645 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3646 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3647 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3648 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3649 },
3650 {
3651 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3652 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3653 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3654 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
3655 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
3656 },
3657 {
3658 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3659 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3660 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3661 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
3662 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
3663 },
3664 {
3665 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3666 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3667 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3668 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
3669 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
3670 },
3671 {
3672 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3673 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3674 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3675 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
3676 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
3677 }
3678 };
3679 const unsigned char pubkeyc[66] = {
3680 /* Serialization of G. */
3681 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
3682 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
3683 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
3684 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
3685 0xB8, 0x00
3686 };
5b71a3f4 3687 unsigned char sout[65];
67f7da40
GM		 3688 unsigned char shortkey[2];
3689 secp256k1_ge ge;
3690 secp256k1_pubkey pubkey;
5b71a3f4 3691 size_t len;
67f7da40
GM		 3692 int32_t i;
3693 int32_t ecount;
3694 int32_t ecount2;
3695 ecount = 0;
3696 /* Nothing should be reading this far into pubkeyc. */
3697 VG_UNDEF(&pubkeyc[65], 1);
3698 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3699 /* Zero length claimed, fail, zeroize, no illegal arg error. */
3700 memset(&pubkey, 0xfe, sizeof(pubkey));
3701 ecount = 0;
3702 VG_UNDEF(shortkey, 2);
3703 VG_UNDEF(&pubkey, sizeof(pubkey));
3704 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
3705 VG_CHECK(&pubkey, sizeof(pubkey));
3706 CHECK(ecount == 0);
3707 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3708 CHECK(ecount == 1);
3709 /* Length one claimed, fail, zeroize, no illegal arg error. */
3710 for (i = 0; i < 256 ; i++) {
3711 memset(&pubkey, 0xfe, sizeof(pubkey));
3712 ecount = 0;
3713 shortkey[0] = i;
3714 VG_UNDEF(&shortkey[1], 1);
3715 VG_UNDEF(&pubkey, sizeof(pubkey));
3716 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
3717 VG_CHECK(&pubkey, sizeof(pubkey));
3718 CHECK(ecount == 0);
3719 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3720 CHECK(ecount == 1);
3721 }
3722 /* Length two claimed, fail, zeroize, no illegal arg error. */
3723 for (i = 0; i < 65536 ; i++) {
3724 memset(&pubkey, 0xfe, sizeof(pubkey));
3725 ecount = 0;
3726 shortkey[0] = i & 255;
3727 shortkey[1] = i >> 8;
3728 VG_UNDEF(&pubkey, sizeof(pubkey));
3729 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
3730 VG_CHECK(&pubkey, sizeof(pubkey));
3731 CHECK(ecount == 0);
3732 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3733 CHECK(ecount == 1);
3734 }
3735 memset(&pubkey, 0xfe, sizeof(pubkey));
3736 ecount = 0;
3737 VG_UNDEF(&pubkey, sizeof(pubkey));
3738 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
3739 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
3740 VG_CHECK(&pubkey, sizeof(pubkey));
3741 CHECK(ecount == 0);
3742 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3743 CHECK(ecount == 1);
3744 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
3745 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
3746 CHECK(ecount == 2);
3747 /* NULL input string. Illegal arg and zeroize output. */
3748 memset(&pubkey, 0xfe, sizeof(pubkey));
3749 ecount = 0;
3750 VG_UNDEF(&pubkey, sizeof(pubkey));
3751 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
3752 VG_CHECK(&pubkey, sizeof(pubkey));
3753 CHECK(ecount == 1);
3754 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3755 CHECK(ecount == 2);
3756 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
3757 memset(&pubkey, 0xfe, sizeof(pubkey));
3758 ecount = 0;
3759 VG_UNDEF(&pubkey, sizeof(pubkey));
3760 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
3761 VG_CHECK(&pubkey, sizeof(pubkey));
3762 CHECK(ecount == 0);
3763 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3764 CHECK(ecount == 1);
3765 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
3766 memset(&pubkey, 0xfe, sizeof(pubkey));
3767 ecount = 0;
3768 VG_UNDEF(&pubkey, sizeof(pubkey));
3769 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
3770 VG_CHECK(&pubkey, sizeof(pubkey));
3771 CHECK(ecount == 0);
3772 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3773 CHECK(ecount == 1);
3774 /* Valid parse. */
3775 memset(&pubkey, 0, sizeof(pubkey));
3776 ecount = 0;
3777 VG_UNDEF(&pubkey, sizeof(pubkey));
3778 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
ed7c0841 3779 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
67f7da40
GM		 3780 VG_CHECK(&pubkey, sizeof(pubkey));
3781 CHECK(ecount == 0);
3782 VG_UNDEF(&ge, sizeof(ge));
3783 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3784 VG_CHECK(&ge.x, sizeof(ge.x));
3785 VG_CHECK(&ge.y, sizeof(ge.y));
3786 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
3787 ge_equals_ge(&secp256k1_ge_const_g, &ge);
3788 CHECK(ecount == 0);
5b71a3f4
GM		 3789 /* secp256k1_ec_pubkey_serialize illegal args. */
3790 ecount = 0;
3791 len = 65;
3792 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3793 CHECK(ecount == 1);
3794 CHECK(len == 0);
3795 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3796 CHECK(ecount == 2);
3797 len = 65;
3798 VG_UNDEF(sout, 65);
3799 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
3800 VG_CHECK(sout, 65);
3801 CHECK(ecount == 3);
3802 CHECK(len == 0);
3803 len = 65;
3804 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
3805 CHECK(ecount == 4);
3806 CHECK(len == 0);
3807 len = 65;
3808 VG_UNDEF(sout, 65);
3809 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3810 VG_CHECK(sout, 65);
3811 CHECK(ecount == 4);
3812 CHECK(len == 65);
67f7da40
GM		 3813 /* Multiple illegal args. Should still set arg error only once. */
3814 ecount = 0;
3815 ecount2 = 11;
3816 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3817 CHECK(ecount == 1);
3818 /* Does the illegal arg callback actually change the behavior? */
3819 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
3820 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3821 CHECK(ecount == 1);
3822 CHECK(ecount2 == 10);
3823 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3824 /* Try a bunch of prefabbed points with all possible encodings. */
3825 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
3826 ec_pubkey_parse_pointtest(valid[i], 1, 1);
3827 }
3828 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
3829 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
3830 }
3831 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
3832 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
3833 }
3834}
3835
96be2046
GM		 3836void run_eckey_edge_case_test(void) {
3837 const unsigned char orderc[32] = {
3838 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3839 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3840 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3841 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
3842 };
3843 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
c69dea02
GM		 3844 unsigned char ctmp[33];
3845 unsigned char ctmp2[33];
96be2046
GM		 3846 secp256k1_pubkey pubkey;
3847 secp256k1_pubkey pubkey2;
c69dea02
GM		 3848 secp256k1_pubkey pubkey_one;
3849 secp256k1_pubkey pubkey_negone;
3850 const secp256k1_pubkey *pubkeys[3];
3851 size_t len;
96be2046
GM		 3852 int32_t ecount;
3853 /* Group order is too large, reject. */
3854 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
3855 VG_UNDEF(&pubkey, sizeof(pubkey));
3856 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
3857 VG_CHECK(&pubkey, sizeof(pubkey));
3858 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3859 /* Maximum value is too large, reject. */
3860 memset(ctmp, 255, 32);
3861 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3862 memset(&pubkey, 1, sizeof(pubkey));
3863 VG_UNDEF(&pubkey, sizeof(pubkey));
3864 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3865 VG_CHECK(&pubkey, sizeof(pubkey));
3866 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3867 /* Zero is too small, reject. */
3868 memset(ctmp, 0, 32);
3869 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3870 memset(&pubkey, 1, sizeof(pubkey));
3871 VG_UNDEF(&pubkey, sizeof(pubkey));
3872 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3873 VG_CHECK(&pubkey, sizeof(pubkey));
3874 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3875 /* One must be accepted. */
3876 ctmp[31] = 0x01;
3877 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3878 memset(&pubkey, 0, sizeof(pubkey));
3879 VG_UNDEF(&pubkey, sizeof(pubkey));
3880 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3881 VG_CHECK(&pubkey, sizeof(pubkey));
3882 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
c69dea02 3883 pubkey_one = pubkey;
96be2046
GM		 3884 /* Group order + 1 is too large, reject. */
3885 memcpy(ctmp, orderc, 32);
3886 ctmp[31] = 0x42;
3887 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3888 memset(&pubkey, 1, sizeof(pubkey));
3889 VG_UNDEF(&pubkey, sizeof(pubkey));
3890 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3891 VG_CHECK(&pubkey, sizeof(pubkey));
3892 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3893 /* -1 must be accepted. */
3894 ctmp[31] = 0x40;
3895 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3896 memset(&pubkey, 0, sizeof(pubkey));
3897 VG_UNDEF(&pubkey, sizeof(pubkey));
3898 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3899 VG_CHECK(&pubkey, sizeof(pubkey));
3900 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
c69dea02 3901 pubkey_negone = pubkey;
0e96cdc6 3902 /* Tweak of zero leaves the value unchanged. */
96be2046
GM		 3903 memset(ctmp2, 0, 32);
3904 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, ctmp2) == 1);
3905 CHECK(memcmp(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
3906 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
3907 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3908 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3909 /* Multiply tweak of zero zeroizes the output. */
3910 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, ctmp2) == 0);
3911 CHECK(memcmp(zeros, ctmp, 32) == 0);
3912 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
3913 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3914 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3915 /* Overflowing key tweak zeroizes. */
3916 memcpy(ctmp, orderc, 32);
3917 ctmp[31] = 0x40;
3918 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, orderc) == 0);
3919 CHECK(memcmp(zeros, ctmp, 32) == 0);
3920 memcpy(ctmp, orderc, 32);
3921 ctmp[31] = 0x40;
3922 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, orderc) == 0);
3923 CHECK(memcmp(zeros, ctmp, 32) == 0);
3924 memcpy(ctmp, orderc, 32);
3925 ctmp[31] = 0x40;
3926 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
3927 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3928 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3929 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
3930 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3931 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3932 /* Private key tweaks results in a key of zero. */
3933 ctmp2[31] = 1;
3934 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 0);
3935 CHECK(memcmp(zeros, ctmp2, 32) == 0);
3936 ctmp2[31] = 1;
3937 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3938 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3939 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3940 /* Tweak computation wraps and results in a key of 1. */
3941 ctmp2[31] = 2;
3942 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 1);
3943 CHECK(memcmp(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
3944 ctmp2[31] = 2;
3945 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3946 ctmp2[31] = 1;
3947 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
3948 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3949 /* Tweak mul * 2 = 1+1. */
3950 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3951 ctmp2[31] = 2;
3952 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
3953 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3954 /* Test argument errors. */
3955 ecount = 0;
3956 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3957 CHECK(ecount == 0);
3958 /* Zeroize pubkey on parse error. */
3959 memset(&pubkey, 0, 32);
3960 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3961 CHECK(ecount == 1);
3962 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3963 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3964 memset(&pubkey2, 0, 32);
3965 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
3966 CHECK(ecount == 2);
3967 CHECK(memcmp(&pubkey2, zeros, sizeof(pubkey2)) == 0);
3968 /* Plain argument errors. */
3969 ecount = 0;
3970 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3971 CHECK(ecount == 0);
3972 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
3973 CHECK(ecount == 1);
3974 ecount = 0;
3975 memset(ctmp2, 0, 32);
3976 ctmp2[31] = 4;
3977 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
3978 CHECK(ecount == 1);
3979 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
3980 CHECK(ecount == 2);
3981 ecount = 0;
3982 memset(ctmp2, 0, 32);
3983 ctmp2[31] = 4;
3984 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3985 CHECK(ecount == 1);
3986 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
3987 CHECK(ecount == 2);
3988 ecount = 0;
3989 memset(ctmp2, 0, 32);
3990 CHECK(secp256k1_ec_privkey_tweak_add(ctx, NULL, ctmp2) == 0);
3991 CHECK(ecount == 1);
3992 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, NULL) == 0);
3993 CHECK(ecount == 2);
3994 ecount = 0;
3995 memset(ctmp2, 0, 32);
3996 ctmp2[31] = 1;
3997 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3998 CHECK(ecount == 1);
3999 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, NULL) == 0);
4000 CHECK(ecount == 2);
4001 ecount = 0;
4002 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
4003 CHECK(ecount == 1);
4004 memset(&pubkey, 1, sizeof(pubkey));
4005 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4006 CHECK(ecount == 2);
5b71a3f4 4007 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
c69dea02
GM		 4008 /* secp256k1_ec_pubkey_combine tests. */
4009 ecount = 0;
4010 pubkeys[0] = &pubkey_one;
4011 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
4012 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
4013 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
4014 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4015 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4016 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
4017 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4018 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4019 CHECK(ecount == 1);
c69dea02
GM		 4020 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
4021 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
8e48787d 4022 CHECK(ecount == 2);
c69dea02
GM		 4023 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4024 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4025 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
4026 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4027 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
8e48787d 4028 CHECK(ecount == 3);
c69dea02
GM		 4029 pubkeys[0] = &pubkey_negone;
4030 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4031 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4032 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
4033 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4034 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
8e48787d 4035 CHECK(ecount == 3);
c69dea02
GM		 4036 len = 33;
4037 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4038 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
4039 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
4040 /* Result is infinity. */
4041 pubkeys[0] = &pubkey_one;
4042 pubkeys[1] = &pubkey_negone;
4043 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4044 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4045 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
4046 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4047 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
8e48787d 4048 CHECK(ecount == 3);
c69dea02
GM		 4049 /* Passes through infinity but comes out one. */
4050 pubkeys[2] = &pubkey_one;
4051 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4052 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4053 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
4054 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4055 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
8e48787d 4056 CHECK(ecount == 3);
c69dea02
GM		 4057 len = 33;
4058 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4059 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
4060 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
4061 /* Adds to two. */
4062 pubkeys[1] = &pubkey_one;
4063 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4064 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4065 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
4066 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4067 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
8e48787d 4068 CHECK(ecount == 3);
96be2046
GM		 4069 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4070}
4071
dd891e0e
PW		 4072void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
4073 secp256k1_scalar nonce;
dd08f037 4074 do {
a9f5c8b8 4075 random_scalar_order_test(&nonce);
18c329c5 4076 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
dd08f037
PW		 4077}
4078
2cad067a 4079void test_ecdsa_sign_verify(void) {
dd891e0e
PW		 4080 secp256k1_gej pubj;
4081 secp256k1_ge pub;
4082 secp256k1_scalar one;
4083 secp256k1_scalar msg, key;
4084 secp256k1_scalar sigr, sigs;
ee3eb4be
GM		 4085 int recid;
4086 int getrec;
a9f5c8b8 4087 random_scalar_order_test(&msg);
a9f5c8b8 4088 random_scalar_order_test(&key);
a9b6595e 4089 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
bf2e1ac7 4090 secp256k1_ge_set_gej(&pub, &pubj);
fa57f1bd 4091 getrec = secp256k1_rand_bits(1);
18c329c5 4092 random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
26320197
GM		 4093 if (getrec) {
4094 CHECK(recid >= 0 && recid < 4);
4095 }
18c329c5 4096 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
f24041d6
PW		 4097 secp256k1_scalar_set_int(&one, 1);
4098 secp256k1_scalar_add(&msg, &msg, &one);
18c329c5 4099 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
0a07e62f
PW		 4100}
4101
2cad067a 4102void run_ecdsa_sign_verify(void) {
bf2e1ac7
GM		 4103 int i;
4104 for (i = 0; i < 10*count; i++) {
0a07e62f
PW		 4105 test_ecdsa_sign_verify();
4106 }
4107}
4108
c6e7f4e8 4109/** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
05732c5a 4110static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
c6e7f4e8
PW		 4111 (void)msg32;
4112 (void)key32;
a5a66c70 4113 (void)algo16;
c6e7f4e8
PW		 4114 memcpy(nonce32, data, 32);
4115 return (counter == 0);
4116}
4117
05732c5a 4118static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
941e221f 4119 /* Dummy nonce generator that has a fatal error on the first counter value. */
26320197
GM		 4120 if (counter == 0) {
4121 return 0;
4122 }
dc0ce9fc 4123 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
941e221f
GM		 4124}
4125
05732c5a 4126static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
941e221f
GM		 4127 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
4128 if (counter < 3) {
4129 memset(nonce32, counter==0 ? 0 : 255, 32);
26320197
GM		 4130 if (counter == 2) {
4131 nonce32[31]--;
4132 }
941e221f
GM		 4133 return 1;
4134 }
4135 if (counter < 5) {
4136 static const unsigned char order[] = {
4137 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4138 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4139 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4140 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
4141 };
4142 memcpy(nonce32, order, 32);
26320197
GM		 4143 if (counter == 4) {
4144 nonce32[31]++;
4145 }
941e221f
GM		 4146 return 1;
4147 }
269d4227 4148 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
941e221f 4149 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
26320197
GM		 4150 if (counter > 5) {
4151 return 0;
4152 }
dc0ce9fc 4153 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
941e221f
GM		 4154}
4155
dd891e0e
PW		 4156int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
4157 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
4158 return memcmp(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
8030d7c0
PW		 4159}
4160
2cad067a 4161void test_ecdsa_end_to_end(void) {
efc571ce 4162 unsigned char extra[32] = {0x00};
25f4aec0
PW		 4163 unsigned char privkey[32];
4164 unsigned char message[32];
bf2e1ac7 4165 unsigned char privkey2[32];
0c6ab2ff
PW		 4166 secp256k1_ecdsa_signature signature[6];
4167 secp256k1_scalar r, s;
74a2acdb 4168 unsigned char sig[74];
788038d3 4169 size_t siglen = 74;
23cfa914 4170 unsigned char pubkeyc[65];
788038d3 4171 size_t pubkeyclen = 65;
dd891e0e 4172 secp256k1_pubkey pubkey;
8e48aa60 4173 secp256k1_pubkey pubkey_tmp;
bf2e1ac7 4174 unsigned char seckey[300];
788038d3 4175 size_t seckeylen = 300;
25f4aec0 4176
71712b27 4177 /* Generate a random key and message. */
25f4aec0 4178 {
dd891e0e 4179 secp256k1_scalar msg, key;
659b554d
PW		 4180 random_scalar_order_test(&msg);
4181 random_scalar_order_test(&key);
4182 secp256k1_scalar_get_b32(privkey, &key);
4183 secp256k1_scalar_get_b32(message, &msg);
25f4aec0
PW		 4184 }
4185
71712b27 4186 /* Construct and verify corresponding public key. */
a9b6595e 4187 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
23cfa914 4188 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
99fd963b 4189
23cfa914 4190 /* Verify exporting and importing public key. */
1a368980 4191 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_rand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
23cfa914
PW		 4192 memset(&pubkey, 0, sizeof(pubkey));
4193 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
25f4aec0 4194
8e48aa60
AP		 4195 /* Verify negation changes the key and changes it back */
4196 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
4197 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4198 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
4199 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4200 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
4201
71712b27 4202 /* Verify private key import and export. */
eed87af1
AP		 4203 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_rand_bits(1) == 1));
4204 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
25f4aec0
PW		 4205 CHECK(memcmp(privkey, privkey2, 32) == 0);
4206
71712b27 4207 /* Optionally tweak the keys using addition. */
fa57f1bd 4208 if (secp256k1_rand_int(3) == 0) {
bf2e1ac7
GM		 4209 int ret1;
4210 int ret2;
25f4aec0 4211 unsigned char rnd[32];
dd891e0e 4212 secp256k1_pubkey pubkey2;
25f4aec0 4213 secp256k1_rand256_test(rnd);
a9b6595e 4214 ret1 = secp256k1_ec_privkey_tweak_add(ctx, privkey, rnd);
23cfa914 4215 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
25f4aec0 4216 CHECK(ret1 == ret2);
26320197
GM		 4217 if (ret1 == 0) {
4218 return;
4219 }
23cfa914
PW		 4220 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4221 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
25f4aec0
PW		 4222 }
4223
71712b27 4224 /* Optionally tweak the keys using multiplication. */
fa57f1bd 4225 if (secp256k1_rand_int(3) == 0) {
bf2e1ac7
GM		 4226 int ret1;
4227 int ret2;
25f4aec0 4228 unsigned char rnd[32];
dd891e0e 4229 secp256k1_pubkey pubkey2;
25f4aec0 4230 secp256k1_rand256_test(rnd);
a9b6595e 4231 ret1 = secp256k1_ec_privkey_tweak_mul(ctx, privkey, rnd);
23cfa914 4232 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
25f4aec0 4233 CHECK(ret1 == ret2);
26320197
GM		 4234 if (ret1 == 0) {
4235 return;
4236 }
23cfa914
PW		 4237 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4238 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
25f4aec0
PW		 4239 }
4240
71712b27 4241 /* Sign. */
dc0ce9fc
PW		 4242 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
4243 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
4244 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
efc571ce 4245 extra[31] = 1;
dc0ce9fc 4246 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
efc571ce
GM		 4247 extra[31] = 0;
4248 extra[0] = 1;
dc0ce9fc 4249 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
74a2acdb
PW		 4250 CHECK(memcmp(&signature[0], &signature[4], sizeof(signature[0])) == 0);
4251 CHECK(memcmp(&signature[0], &signature[1], sizeof(signature[0])) != 0);
4252 CHECK(memcmp(&signature[0], &signature[2], sizeof(signature[0])) != 0);
4253 CHECK(memcmp(&signature[0], &signature[3], sizeof(signature[0])) != 0);
4254 CHECK(memcmp(&signature[1], &signature[2], sizeof(signature[0])) != 0);
4255 CHECK(memcmp(&signature[1], &signature[3], sizeof(signature[0])) != 0);
4256 CHECK(memcmp(&signature[2], &signature[3], sizeof(signature[0])) != 0);
71712b27 4257 /* Verify. */
dc0ce9fc
PW		 4258 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4259 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
4260 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
4261 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
0c6ab2ff
PW		 4262 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
4263 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
4264 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
4265 secp256k1_scalar_negate(&s, &s);
4266 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4267 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
4268 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4269 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4270 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
5b71a3f4 4271 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
0c6ab2ff
PW		 4272 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4273 secp256k1_scalar_negate(&s, &s);
4274 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4275 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4276 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4277 CHECK(memcmp(&signature[5], &signature[0], 64) == 0);
74a2acdb
PW		 4278
4279 /* Serialize/parse DER and verify again */
4280 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4281 memset(&signature[0], 0, sizeof(signature[0]));
4282 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
dc0ce9fc 4283 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
74a2acdb 4284 /* Serialize/destroy/parse DER and verify again. */
1973c737 4285 siglen = 74;
74a2acdb 4286 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
fa57f1bd 4287 sig[secp256k1_rand_int(siglen)] += 1 + secp256k1_rand_int(255);
74a2acdb 4288 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
dc0ce9fc 4289 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
d49abbd5
PW		 4290}
4291
7c6fed28 4292void test_random_pubkeys(void) {
dd891e0e
PW		 4293 secp256k1_ge elem;
4294 secp256k1_ge elem2;
7c6fed28
GM		 4295 unsigned char in[65];
4296 /* Generate some randomly sized pubkeys. */
fa57f1bd
PW		 4297 size_t len = secp256k1_rand_bits(2) == 0 ? 65 : 33;
4298 if (secp256k1_rand_bits(2) == 0) {
4299 len = secp256k1_rand_bits(6);
26320197 4300 }
7c6fed28 4301 if (len == 65) {
fa57f1bd 4302 in[0] = secp256k1_rand_bits(1) ? 4 : (secp256k1_rand_bits(1) ? 6 : 7);
7c6fed28 4303 } else {
fa57f1bd 4304 in[0] = secp256k1_rand_bits(1) ? 2 : 3;
7c6fed28 4305 }
fa57f1bd
PW		 4306 if (secp256k1_rand_bits(3) == 0) {
4307 in[0] = secp256k1_rand_bits(8);
26320197 4308 }
26320197
GM		 4309 if (len > 1) {
4310 secp256k1_rand256(&in[1]);
4311 }
4312 if (len > 33) {
4313 secp256k1_rand256(&in[33]);
4314 }
7c6fed28
GM		 4315 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
4316 unsigned char out[65];
4317 unsigned char firstb;
4318 int res;
788038d3 4319 size_t size = len;
7c6fed28
GM		 4320 firstb = in[0];
4321 /* If the pubkey can be parsed, it should round-trip... */
9234391e 4322 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
7c6fed28
GM		 4323 CHECK(size == len);
4324 CHECK(memcmp(&in[1], &out[1], len-1) == 0);
4325 /* ... except for the type of hybrid inputs. */
26320197
GM		 4326 if ((in[0] != 6) && (in[0] != 7)) {
4327 CHECK(in[0] == out[0]);
4328 }
7c6fed28 4329 size = 65;
9234391e 4330 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
7c6fed28
GM		 4331 CHECK(size == 65);
4332 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
60571c6e 4333 ge_equals_ge(&elem,&elem2);
7c6fed28 4334 /* Check that the X9.62 hybrid type is checked. */
fa57f1bd 4335 in[0] = secp256k1_rand_bits(1) ? 6 : 7;
7c6fed28
GM		 4336 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
4337 if (firstb == 2 || firstb == 3) {
26320197
GM		 4338 if (in[0] == firstb + 4) {
4339 CHECK(res);
4340 } else {
4341 CHECK(!res);
4342 }
7c6fed28
GM		 4343 }
4344 if (res) {
60571c6e 4345 ge_equals_ge(&elem,&elem2);
9234391e 4346 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
7c6fed28
GM		 4347 CHECK(memcmp(&in[1], &out[1], 64) == 0);
4348 }
4349 }
4350}
4351
4352void run_random_pubkeys(void) {
bf2e1ac7
GM		 4353 int i;
4354 for (i = 0; i < 10*count; i++) {
7c6fed28
GM		 4355 test_random_pubkeys();
4356 }
4357}
4358
2cad067a 4359void run_ecdsa_end_to_end(void) {
bf2e1ac7
GM		 4360 int i;
4361 for (i = 0; i < 64*count; i++) {
25f4aec0
PW		 4362 test_ecdsa_end_to_end();
4363 }
4364}
4365
3bb9c447
PW		 4366int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
4367 static const unsigned char zeroes[32] = {0};
a9b2a5d8 4368#ifdef ENABLE_OPENSSL_TESTS
3bb9c447
PW		 4369 static const unsigned char max_scalar[32] = {
4370 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4371 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4372 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4373 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
4374 };
a9b2a5d8 4375#endif
3bb9c447
PW		 4376
4377 int ret = 0;
4378
4379 secp256k1_ecdsa_signature sig_der;
4380 unsigned char roundtrip_der[2048];
4381 unsigned char compact_der[64];
4382 size_t len_der = 2048;
4383 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
4384
fea19e7b
PW		 4385 secp256k1_ecdsa_signature sig_der_lax;
4386 unsigned char roundtrip_der_lax[2048];
4387 unsigned char compact_der_lax[64];
4388 size_t len_der_lax = 2048;
4389 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
4390
3bb9c447
PW		 4391#ifdef ENABLE_OPENSSL_TESTS
4392 ECDSA_SIG *sig_openssl;
31abd3ab 4393 const BIGNUM *r = NULL, *s = NULL;
3bb9c447
PW		 4394 const unsigned char *sigptr;
4395 unsigned char roundtrip_openssl[2048];
4396 int len_openssl = 2048;
4397 int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
4398#endif
4399
4400 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
4401 if (parsed_der) {
4402 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
4403 valid_der = (memcmp(compact_der, zeroes, 32) != 0) && (memcmp(compact_der + 32, zeroes, 32) != 0);
4404 }
4405 if (valid_der) {
4406 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
4407 roundtrips_der = (len_der == siglen) && memcmp(roundtrip_der, sig, siglen) == 0;
4408 }
4409
eed87af1 4410 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
fea19e7b
PW		 4411 if (parsed_der_lax) {
4412 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
4413 valid_der_lax = (memcmp(compact_der_lax, zeroes, 32) != 0) && (memcmp(compact_der_lax + 32, zeroes, 32) != 0);
4414 }
4415 if (valid_der_lax) {
4416 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
4417 roundtrips_der_lax = (len_der_lax == siglen) && memcmp(roundtrip_der_lax, sig, siglen) == 0;
4418 }
4419
3bb9c447
PW		 4420 if (certainly_der) {
4421 ret |= (!parsed_der) << 2;
4422 }
4423 if (certainly_not_der) {
4424 ret |= (parsed_der) << 17;
4425 }
4426 if (valid_der) {
4427 ret |= (!roundtrips_der) << 3;
4428 }
4429
fea19e7b
PW		 4430 if (valid_der) {
4431 ret |= (!roundtrips_der_lax) << 12;
4432 ret |= (len_der != len_der_lax) << 13;
4433 ret |= (memcmp(roundtrip_der_lax, roundtrip_der, len_der) != 0) << 14;
4434 }
4435 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
4436 if (parsed_der) {
4437 ret |= (!parsed_der_lax) << 16;
4438 }
4439
3bb9c447
PW		 4440#ifdef ENABLE_OPENSSL_TESTS
4441 sig_openssl = ECDSA_SIG_new();
4442 sigptr = sig;
4443 parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
4444 if (parsed_openssl) {
31abd3ab
AB		 4445 ECDSA_SIG_get0(sig_openssl, &r, &s);
4446 valid_openssl = !BN_is_negative(r) && !BN_is_negative(s) && BN_num_bits(r) > 0 && BN_num_bits(r) <= 256 && BN_num_bits(s) > 0 && BN_num_bits(s) <= 256;
3bb9c447
PW		 4447 if (valid_openssl) {
4448 unsigned char tmp[32] = {0};
31abd3ab 4449 BN_bn2bin(r, tmp + 32 - BN_num_bytes(r));
3bb9c447
PW		 4450 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4451 }
4452 if (valid_openssl) {
4453 unsigned char tmp[32] = {0};
31abd3ab 4454 BN_bn2bin(s, tmp + 32 - BN_num_bytes(s));
3bb9c447
PW		 4455 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4456 }
4457 }
4458 len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
4459 if (len_openssl <= 2048) {
4460 unsigned char *ptr = roundtrip_openssl;
4461 CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
4462 roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (memcmp(roundtrip_openssl, sig, siglen) == 0);
4463 } else {
4464 len_openssl = 0;
4465 }
4466 ECDSA_SIG_free(sig_openssl);
4467
4468 ret |= (parsed_der && !parsed_openssl) << 4;
4469 ret |= (valid_der && !valid_openssl) << 5;
4470 ret |= (roundtrips_openssl && !parsed_der) << 6;
4471 ret |= (roundtrips_der != roundtrips_openssl) << 7;
4472 if (roundtrips_openssl) {
4473 ret |= (len_der != (size_t)len_openssl) << 8;
4474 ret |= (memcmp(roundtrip_der, roundtrip_openssl, len_der) != 0) << 9;
4475 }
4476#endif
4477 return ret;
4478}
4479
4480static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
4481 size_t i;
4482 for (i = 0; i < ptrlen; i++) {
4483 int shift = ptrlen - 1 - i;
4484 if (shift >= 4) {
4485 ptr[i] = 0;
4486 } else {
4487 ptr[i] = (val >> shift) & 0xFF;
4488 }
4489 }
4490}
4491
4492static void damage_array(unsigned char *sig, size_t *len) {
4493 int pos;
4494 int action = secp256k1_rand_bits(3);
5d4c5a31 4495 if (action < 1 && *len > 3) {
3bb9c447
PW		 4496 /* Delete a byte. */
4497 pos = secp256k1_rand_int(*len);
4498 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
4499 (*len)--;
4500 return;
5d4c5a31 4501 } else if (action < 2 && *len < 2048) {
3bb9c447
PW		 4502 /* Insert a byte. */
4503 pos = secp256k1_rand_int(1 + *len);
4504 memmove(sig + pos + 1, sig + pos, *len - pos);
4505 sig[pos] = secp256k1_rand_bits(8);
4506 (*len)++;
4507 return;
4508 } else if (action < 4) {
4509 /* Modify a byte. */
4510 sig[secp256k1_rand_int(*len)] += 1 + secp256k1_rand_int(255);
4511 return;
4512 } else { /* action < 8 */
4513 /* Modify a bit. */
4514 sig[secp256k1_rand_int(*len)] ^= 1 << secp256k1_rand_bits(3);
4515 return;
4516 }
4517}
4518
4519static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
4520 int der;
4521 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
4522 size_t tlen, elen, glen;
4523 int indet;
4524 int n;
4525
4526 *len = 0;
4527 der = secp256k1_rand_bits(2) == 0;
4528 *certainly_der = der;
4529 *certainly_not_der = 0;
4530 indet = der ? 0 : secp256k1_rand_int(10) == 0;
4531
4532 for (n = 0; n < 2; n++) {
4533 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
4534 nlow[n] = der ? 1 : (secp256k1_rand_bits(3) != 0);
4535 /* The length of the number in bytes (the first byte of which will always be nonzero) */
4536 nlen[n] = nlow[n] ? secp256k1_rand_int(33) : 32 + secp256k1_rand_int(200) * secp256k1_rand_int(8) / 8;
4537 CHECK(nlen[n] <= 232);
4538 /* The top bit of the number. */
4539 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_rand_bits(1));
4540 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
4541 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_rand_bits(7) : 1 + secp256k1_rand_int(127));
4542 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
4543 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_rand_int(3) : secp256k1_rand_int(300 - nlen[n]) * secp256k1_rand_int(8) / 8);
4544 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
4545 *certainly_not_der = 1;
4546 }
4547 CHECK(nlen[n] + nzlen[n] <= 300);
4548 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
4549 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
4550 if (!der) {
4551 /* nlenlen[n] max 127 bytes */
4552 int add = secp256k1_rand_int(127 - nlenlen[n]) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4553 nlenlen[n] += add;
4554 if (add != 0) {
4555 *certainly_not_der = 1;
4556 }
4557 }
4558 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
4559 }
4560
4561 /* The total length of the data to go, so far */
4562 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
4563 CHECK(tlen <= 856);
4564
4565 /* The length of the garbage inside the tuple. */
4566 elen = (der || indet) ? 0 : secp256k1_rand_int(980 - tlen) * secp256k1_rand_int(8) / 8;
4567 if (elen != 0) {
4568 *certainly_not_der = 1;
4569 }
4570 tlen += elen;
4571 CHECK(tlen <= 980);
4572
4573 /* The length of the garbage after the end of the tuple. */
4574 glen = der ? 0 : secp256k1_rand_int(990 - tlen) * secp256k1_rand_int(8) / 8;
4575 if (glen != 0) {
4576 *certainly_not_der = 1;
4577 }
4578 CHECK(tlen + glen <= 990);
4579
4580 /* Write the tuple header. */
4581 sig[(*len)++] = 0x30;
4582 if (indet) {
4583 /* Indeterminate length */
4584 sig[(*len)++] = 0x80;
4585 *certainly_not_der = 1;
4586 } else {
4587 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
4588 if (!der) {
4589 int add = secp256k1_rand_int(127 - tlenlen) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4590 tlenlen += add;
4591 if (add != 0) {
4592 *certainly_not_der = 1;
4593 }
4594 }
4595 if (tlenlen == 0) {
4596 /* Short length notation */
4597 sig[(*len)++] = tlen;
4598 } else {
4599 /* Long length notation */
4600 sig[(*len)++] = 128 + tlenlen;
4601 assign_big_endian(sig + *len, tlenlen, tlen);
4602 *len += tlenlen;
4603 }
4604 tlen += tlenlen;
4605 }
4606 tlen += 2;
4607 CHECK(tlen + glen <= 1119);
4608
4609 for (n = 0; n < 2; n++) {
4610 /* Write the integer header. */
4611 sig[(*len)++] = 0x02;
4612 if (nlenlen[n] == 0) {
4613 /* Short length notation */
4614 sig[(*len)++] = nlen[n] + nzlen[n];
4615 } else {
4616 /* Long length notation. */
4617 sig[(*len)++] = 128 + nlenlen[n];
4618 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
4619 *len += nlenlen[n];
4620 }
4621 /* Write zero padding */
4622 while (nzlen[n] > 0) {
4623 sig[(*len)++] = 0x00;
4624 nzlen[n]--;
4625 }
4626 if (nlen[n] == 32 && !nlow[n]) {
4627 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
4628 int i;
4629 for (i = 0; i < 16; i++) {
4630 sig[(*len)++] = 0xFF;
4631 }
4632 nlen[n] -= 16;
4633 }
4634 /* Write first byte of number */
4635 if (nlen[n] > 0) {
4636 sig[(*len)++] = nhbyte[n];
4637 nlen[n]--;
4638 }
4639 /* Generate remaining random bytes of number */
4640 secp256k1_rand_bytes_test(sig + *len, nlen[n]);
4641 *len += nlen[n];
4642 nlen[n] = 0;
4643 }
4644
4645 /* Generate random garbage inside tuple. */
4646 secp256k1_rand_bytes_test(sig + *len, elen);
4647 *len += elen;
4648
4649 /* Generate end-of-contents bytes. */
4650 if (indet) {
4651 sig[(*len)++] = 0;
4652 sig[(*len)++] = 0;
4653 tlen += 2;
4654 }
4655 CHECK(tlen + glen <= 1121);
4656
4657 /* Generate random garbage outside tuple. */
4658 secp256k1_rand_bytes_test(sig + *len, glen);
4659 *len += glen;
4660 tlen += glen;
4661 CHECK(tlen <= 1121);
4662 CHECK(tlen == *len);
4663}
4664
4665void run_ecdsa_der_parse(void) {
4666 int i,j;
4667 for (i = 0; i < 200 * count; i++) {
4668 unsigned char buffer[2048];
4669 size_t buflen = 0;
4670 int certainly_der = 0;
4671 int certainly_not_der = 0;
4672 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
5d4c5a31 4673 CHECK(buflen <= 2048);
3bb9c447
PW		 4674 for (j = 0; j < 16; j++) {
4675 int ret = 0;
4676 if (j > 0) {
4677 damage_array(buffer, &buflen);
4678 /* We don't know anything anymore about the DERness of the result */
4679 certainly_der = 0;
4680 certainly_not_der = 0;
4681 }
4682 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
4683 if (ret != 0) {
4684 size_t k;
4685 fprintf(stderr, "Failure %x on ", ret);
4686 for (k = 0; k < buflen; k++) {
4687 fprintf(stderr, "%02x ", buffer[k]);
4688 }
4689 fprintf(stderr, "\n");
4690 }
4691 CHECK(ret == 0);
4692 }
4693 }
4694}
4695
6e052878
PW		 4696/* Tests several edge cases. */
4697void test_ecdsa_edge_cases(void) {
d49abbd5 4698 int t;
dd891e0e 4699 secp256k1_ecdsa_signature sig;
d49abbd5
PW		 4700
4701 /* Test the case where ECDSA recomputes a point that is infinity. */
4702 {
dd891e0e
PW		 4703 secp256k1_gej keyj;
4704 secp256k1_ge key;
4705 secp256k1_scalar msg;
4706 secp256k1_scalar sr, ss;
d49abbd5
PW		 4707 secp256k1_scalar_set_int(&ss, 1);
4708 secp256k1_scalar_negate(&ss, &ss);
4709 secp256k1_scalar_inverse(&ss, &ss);
4710 secp256k1_scalar_set_int(&sr, 1);
4711 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
4712 secp256k1_ge_set_gej(&key, &keyj);
4713 msg = ss;
4714 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4715 }
4716
96be2046 4717 /* Verify signature with r of zero fails. */
d49abbd5 4718 {
96be2046
GM		 4719 const unsigned char pubkey_mods_zero[33] = {
4720 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4721 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4722 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4723 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4724 0x41
4725 };
4726 secp256k1_ge key;
4727 secp256k1_scalar msg;
4728 secp256k1_scalar sr, ss;
4729 secp256k1_scalar_set_int(&ss, 1);
4730 secp256k1_scalar_set_int(&msg, 0);
4731 secp256k1_scalar_set_int(&sr, 0);
4732 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
4733 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4734 }
4735
4736 /* Verify signature with s of zero fails. */
4737 {
4738 const unsigned char pubkey[33] = {
4739 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4740 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4741 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4742 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4743 0x01
4744 };
4745 secp256k1_ge key;
4746 secp256k1_scalar msg;
4747 secp256k1_scalar sr, ss;
4748 secp256k1_scalar_set_int(&ss, 0);
4749 secp256k1_scalar_set_int(&msg, 0);
4750 secp256k1_scalar_set_int(&sr, 1);
4751 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4752 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4753 }
4754
4755 /* Verify signature with message 0 passes. */
4756 {
4757 const unsigned char pubkey[33] = {
4758 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4759 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4760 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4761 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4762 0x02
4763 };
4764 const unsigned char pubkey2[33] = {
4765 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4766 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4767 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4768 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4769 0x43
4770 };
4771 secp256k1_ge key;
4772 secp256k1_ge key2;
4773 secp256k1_scalar msg;
4774 secp256k1_scalar sr, ss;
4775 secp256k1_scalar_set_int(&ss, 2);
4776 secp256k1_scalar_set_int(&msg, 0);
4777 secp256k1_scalar_set_int(&sr, 2);
4778 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4779 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4780 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4781 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4782 secp256k1_scalar_negate(&ss, &ss);
4783 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4784 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4785 secp256k1_scalar_set_int(&ss, 1);
4786 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4787 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4788 }
4789
4790 /* Verify signature with message 1 passes. */
4791 {
4792 const unsigned char pubkey[33] = {
4793 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
4794 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
4795 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
4796 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
4797 0x25
4798 };
4799 const unsigned char pubkey2[33] = {
4800 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
4801 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
4802 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
4803 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
4804 0x62
4805 };
4806 const unsigned char csr[32] = {
4807 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4808 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4809 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4810 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
4811 };
4812 secp256k1_ge key;
4813 secp256k1_ge key2;
4814 secp256k1_scalar msg;
4815 secp256k1_scalar sr, ss;
4816 secp256k1_scalar_set_int(&ss, 1);
4817 secp256k1_scalar_set_int(&msg, 1);
4818 secp256k1_scalar_set_b32(&sr, csr, NULL);
4819 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4820 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4821 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4822 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4823 secp256k1_scalar_negate(&ss, &ss);
4824 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4825 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4826 secp256k1_scalar_set_int(&ss, 2);
4827 secp256k1_scalar_inverse_var(&ss, &ss);
4828 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4829 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4830 }
4831
4832 /* Verify signature with message -1 passes. */
4833 {
4834 const unsigned char pubkey[33] = {
4835 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
4836 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
4837 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
4838 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
4839 0xf1
4840 };
4841 const unsigned char csr[32] = {
4842 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4843 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4844 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4845 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
4846 };
4847 secp256k1_ge key;
4848 secp256k1_scalar msg;
4849 secp256k1_scalar sr, ss;
4850 secp256k1_scalar_set_int(&ss, 1);
4851 secp256k1_scalar_set_int(&msg, 1);
4852 secp256k1_scalar_negate(&msg, &msg);
4853 secp256k1_scalar_set_b32(&sr, csr, NULL);
4854 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4855 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4856 secp256k1_scalar_negate(&ss, &ss);
4857 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4858 secp256k1_scalar_set_int(&ss, 3);
4859 secp256k1_scalar_inverse_var(&ss, &ss);
4860 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4861 }
4862
4863 /* Signature where s would be zero. */
4864 {
4865 secp256k1_pubkey pubkey;
788038d3 4866 size_t siglen;
96be2046
GM		 4867 int32_t ecount;
4868 unsigned char signature[72];
4869 static const unsigned char nonce[32] = {
d49abbd5
PW		 4870 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4871 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4872 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4873 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4874 };
4875 static const unsigned char nonce2[32] = {
4876 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4877 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4878 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4879 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
4880 };
4881 const unsigned char key[32] = {
4882 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4883 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4884 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4885 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4886 };
4887 unsigned char msg[32] = {
4888 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
4889 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
4890 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
4891 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
4892 };
96be2046
GM		 4893 ecount = 0;
4894 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
dc0ce9fc
PW		 4895 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
4896 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
d49abbd5 4897 msg[31] = 0xaa;
dc0ce9fc 4898 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
96be2046
GM		 4899 CHECK(ecount == 0);
4900 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
4901 CHECK(ecount == 1);
4902 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
4903 CHECK(ecount == 2);
4904 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
4905 CHECK(ecount == 3);
dc0ce9fc 4906 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
96be2046
GM		 4907 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
4908 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
4909 CHECK(ecount == 4);
4910 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
4911 CHECK(ecount == 5);
4912 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
4913 CHECK(ecount == 6);
4914 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
5b71a3f4
GM		 4915 CHECK(ecount == 6);
4916 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4917 CHECK(ecount == 7);
4918 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
4919 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
4920 CHECK(ecount == 8);
d49abbd5 4921 siglen = 72;
96be2046 4922 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
5b71a3f4 4923 CHECK(ecount == 9);
96be2046 4924 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
5b71a3f4 4925 CHECK(ecount == 10);
96be2046 4926 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
5b71a3f4 4927 CHECK(ecount == 11);
d49abbd5 4928 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
5b71a3f4
GM		 4929 CHECK(ecount == 11);
4930 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
4931 CHECK(ecount == 12);
4932 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
4933 CHECK(ecount == 13);
4934 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
4935 CHECK(ecount == 13);
d49abbd5 4936 siglen = 10;
5b71a3f4 4937 /* Too little room for a signature does not fail via ARGCHECK. */
d49abbd5 4938 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
5b71a3f4
GM		 4939 CHECK(ecount == 13);
4940 ecount = 0;
4941 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
4942 CHECK(ecount == 1);
4943 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
4944 CHECK(ecount == 2);
4945 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
4946 CHECK(ecount == 3);
4947 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
4948 CHECK(ecount == 3);
4949 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
4950 CHECK(ecount == 4);
4951 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
4952 CHECK(ecount == 5);
4953 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
4954 CHECK(ecount == 5);
c69dea02
GM		 4955 memset(signature, 255, 64);
4956 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
4957 CHECK(ecount == 5);
96be2046 4958 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
d49abbd5
PW		 4959 }
4960
4961 /* Nonce function corner cases. */
4962 for (t = 0; t < 2; t++) {
4963 static const unsigned char zero[32] = {0x00};
4964 int i;
4965 unsigned char key[32];
4966 unsigned char msg[32];
dd891e0e
PW		 4967 secp256k1_ecdsa_signature sig2;
4968 secp256k1_scalar sr[512], ss;
d49abbd5
PW		 4969 const unsigned char *extra;
4970 extra = t == 0 ? NULL : zero;
4971 memset(msg, 0, 32);
4972 msg[31] = 1;
4973 /* High key results in signature failure. */
4974 memset(key, 0xFF, 32);
dc0ce9fc 4975 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
d49abbd5
PW		 4976 CHECK(is_empty_signature(&sig));
4977 /* Zero key results in signature failure. */
4978 memset(key, 0, 32);
dc0ce9fc 4979 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
d49abbd5
PW		 4980 CHECK(is_empty_signature(&sig));
4981 /* Nonce function failure results in signature failure. */
4982 key[31] = 1;
dc0ce9fc 4983 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
d49abbd5
PW		 4984 CHECK(is_empty_signature(&sig));
4985 /* The retry loop successfully makes its way to the first good value. */
dc0ce9fc 4986 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
d49abbd5 4987 CHECK(!is_empty_signature(&sig));
dc0ce9fc 4988 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
d49abbd5
PW		 4989 CHECK(!is_empty_signature(&sig2));
4990 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
269d4227 4991 /* The default nonce function is deterministic. */
dc0ce9fc 4992 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
d49abbd5
PW		 4993 CHECK(!is_empty_signature(&sig2));
4994 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4995 /* The default nonce function changes output with different messages. */
4996 for(i = 0; i < 256; i++) {
4997 int j;
4998 msg[0] = i;
dc0ce9fc 4999 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
d49abbd5
PW		 5000 CHECK(!is_empty_signature(&sig2));
5001 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
5002 for (j = 0; j < i; j++) {
5003 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
5004 }
5005 }
5006 msg[0] = 0;
5007 msg[31] = 2;
5008 /* The default nonce function changes output with different keys. */
5009 for(i = 256; i < 512; i++) {
5010 int j;
5011 key[0] = i - 256;
dc0ce9fc 5012 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
d49abbd5
PW		 5013 CHECK(!is_empty_signature(&sig2));
5014 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
5015 for (j = 0; j < i; j++) {
5016 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
5017 }
5018 }
5019 key[0] = 0;
5020 }
5021
b30fc85c 5022 {
269d4227 5023 /* Check that optional nonce arguments do not have equivalent effect. */
b30fc85c
GM		 5024 const unsigned char zeros[32] = {0};
5025 unsigned char nonce[32];
5026 unsigned char nonce2[32];
5027 unsigned char nonce3[32];
5028 unsigned char nonce4[32];
5029 VG_UNDEF(nonce,32);
5030 VG_UNDEF(nonce2,32);
5031 VG_UNDEF(nonce3,32);
5032 VG_UNDEF(nonce4,32);
5033 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
5034 VG_CHECK(nonce,32);
5035 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
5036 VG_CHECK(nonce2,32);
5037 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
5038 VG_CHECK(nonce3,32);
5039 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
5040 VG_CHECK(nonce4,32);
5041 CHECK(memcmp(nonce, nonce2, 32) != 0);
5042 CHECK(memcmp(nonce, nonce3, 32) != 0);
5043 CHECK(memcmp(nonce, nonce4, 32) != 0);
5044 CHECK(memcmp(nonce2, nonce3, 32) != 0);
5045 CHECK(memcmp(nonce2, nonce4, 32) != 0);
5046 CHECK(memcmp(nonce3, nonce4, 32) != 0);
5047 }
5048
5049
d49abbd5
PW		 5050 /* Privkey export where pubkey is the point at infinity. */
5051 {
5052 unsigned char privkey[300];
5053 unsigned char seckey[32] = {
5054 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5055 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
5056 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
5057 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
5058 };
788038d3 5059 size_t outlen = 300;
eed87af1 5060 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
1973c737 5061 outlen = 300;
eed87af1 5062 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
d49abbd5
PW		 5063 }
5064}
5065
6e052878
PW		 5066void run_ecdsa_edge_cases(void) {
5067 test_ecdsa_edge_cases();
3bf029d6 5068}
25f4aec0 5069
dd08f037 5070#ifdef ENABLE_OPENSSL_TESTS
7914a6eb 5071EC_KEY *get_openssl_key(const unsigned char *key32) {
12e29b32 5072 unsigned char privkey[300];
788038d3 5073 size_t privkeylen;
12e29b32 5074 const unsigned char* pbegin = privkey;
fa57f1bd 5075 int compr = secp256k1_rand_bits(1);
dd08f037 5076 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
eed87af1 5077 CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
0592d117
PW		 5078 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
5079 CHECK(EC_KEY_check_key(ec_key));
dd08f037
PW		 5080 return ec_key;
5081}
5082
2cad067a 5083void test_ecdsa_openssl(void) {
dd891e0e
PW		 5084 secp256k1_gej qj;
5085 secp256k1_ge q;
5086 secp256k1_scalar sigr, sigs;
5087 secp256k1_scalar one;
5088 secp256k1_scalar msg2;
5089 secp256k1_scalar key, msg;
bf2e1ac7
GM		 5090 EC_KEY *ec_key;
5091 unsigned int sigsize = 80;
788038d3 5092 size_t secp_sigsize = 80;
dd08f037 5093 unsigned char message[32];
bf2e1ac7 5094 unsigned char signature[80];
7914a6eb 5095 unsigned char key32[32];
dd08f037 5096 secp256k1_rand256_test(message);
eca6cdb1 5097 secp256k1_scalar_set_b32(&msg, message, NULL);
a9f5c8b8 5098 random_scalar_order_test(&key);
7914a6eb 5099 secp256k1_scalar_get_b32(key32, &key);
a9b6595e 5100 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
dd08f037 5101 secp256k1_ge_set_gej(&q, &qj);
7914a6eb 5102 ec_key = get_openssl_key(key32);
2b199de8 5103 CHECK(ec_key != NULL);
0592d117 5104 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
18c329c5
PW		 5105 CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
5106 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
f24041d6 5107 secp256k1_scalar_set_int(&one, 1);
f24041d6 5108 secp256k1_scalar_add(&msg2, &msg, &one);
18c329c5 5109 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
dd08f037 5110
18c329c5
PW		 5111 random_sign(&sigr, &sigs, &key, &msg, NULL);
5112 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
9974d869 5113 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
dd08f037 5114
dd08f037 5115 EC_KEY_free(ec_key);
dd08f037
PW		 5116}
5117
2cad067a 5118void run_ecdsa_openssl(void) {
bf2e1ac7
GM		 5119 int i;
5120 for (i = 0; i < 10*count; i++) {
dd08f037
PW		 5121 test_ecdsa_openssl();
5122 }
5123}
5124#endif
5125
0739bbb6
AP		 5126#ifdef ENABLE_MODULE_ECDH
5127# include "modules/ecdh/tests_impl.h"
5128#endif
5129
9f443be0
PW		 5130#ifdef ENABLE_MODULE_RECOVERY
5131# include "modules/recovery/tests_impl.h"
5132#endif
5133
404c30a8 5134int main(int argc, char **argv) {
89561118
PW		 5135 unsigned char seed16[16] = {0};
5136 unsigned char run32[32] = {0};
71712b27 5137 /* find iteration count */
3fd6253e
PW		 5138 if (argc > 1) {
5139 count = strtol(argv[1], NULL, 0);
5140 }
5141
71712b27 5142 /* find random seed */
3fd6253e 5143 if (argc > 2) {
89561118
PW		 5144 int pos = 0;
5145 const char* ch = argv[2];
5146 while (pos < 16 && ch[0] != 0 && ch[1] != 0) {
5147 unsigned short sh;
5148 if (sscanf(ch, "%2hx", &sh)) {
5149 seed16[pos] = sh;
5150 } else {
5151 break;
5152 }
5153 ch += 2;
5154 pos++;
5155 }
3fd6253e
PW		 5156 } else {
5157 FILE *frand = fopen("/dev/urandom", "r");
8b3841c9 5158 if ((frand == NULL) || fread(&seed16, 1, sizeof(seed16), frand) != sizeof(seed16)) {
89561118 5159 uint64_t t = time(NULL) * (uint64_t)1337;
be40c4d0 5160 fprintf(stderr, "WARNING: could not read 16 bytes from /dev/urandom; falling back to insecure PRNG\n");
89561118
PW		 5161 seed16[0] ^= t;
5162 seed16[1] ^= t >> 8;
5163 seed16[2] ^= t >> 16;
5164 seed16[3] ^= t >> 24;
5165 seed16[4] ^= t >> 32;
5166 seed16[5] ^= t >> 40;
5167 seed16[6] ^= t >> 48;
5168 seed16[7] ^= t >> 56;
3fd6253e 5169 }
5aae5b5b 5170 if (frand) {
5171 fclose(frand);
5172 }
3fd6253e 5173 }
89561118 5174 secp256k1_rand_seed(seed16);
404c30a8 5175
dd08f037 5176 printf("test count = %i\n", count);
89561118 5177 printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]);
dd08f037 5178
71712b27 5179 /* initialize */
814cc78d
TR		 5180 run_context_tests(0);
5181 run_context_tests(1);
548de42e 5182 run_scratch_tests();
a9b6595e 5183 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
fa57f1bd 5184 if (secp256k1_rand_bits(1)) {
d2275795 5185 secp256k1_rand256(run32);
fa57f1bd 5186 CHECK(secp256k1_context_randomize(ctx, secp256k1_rand_bits(1) ? run32 : NULL));
d2275795 5187 }
49b37498
PW		 5188
5189 run_rand_bits();
5190 run_rand_int();
5191
b37fbc28
PW		 5192 run_sha256_tests();
5193 run_hmac_sha256_tests();
5194 run_rfc6979_hmac_sha256_tests();
5195
597128d3 5196#ifndef USE_NUM_NONE
71712b27 5197 /* num tests */
3f44e1ad 5198 run_num_smalltests();
597128d3 5199#endif
404c30a8 5200
71712b27 5201 /* scalar tests */
79359302
PW		 5202 run_scalar_tests();
5203
71712b27 5204 /* field tests */
f16be77f
PD		 5205 run_field_inv();
5206 run_field_inv_var();
f16be77f 5207 run_field_inv_all_var();
8d11164b 5208 run_field_misc();
ff889f7d 5209 run_field_convert();
59447da3 5210 run_sqr();
09ca4f32
PD		 5211 run_sqrt();
5212
71712b27 5213 /* group tests */
9338dbf7 5214 run_ge();
64666251 5215 run_group_decompress();
9338dbf7 5216
71712b27 5217 /* ecmult tests */
404c30a8
PW		 5218 run_wnaf();
5219 run_point_times_order();
5220 run_ecmult_chain();
d2275795
GM		 5221 run_ecmult_constants();
5222 run_ecmult_gen_blind();
44015000 5223 run_ecmult_const_tests();
dba5471b 5224 run_ecmult_multi_tests();
a5a66c70 5225 run_ec_combine();
404c30a8 5226
baa75da5
AP		 5227 /* endomorphism tests */
5228#ifdef USE_ENDOMORPHISM
5229 run_endomorphism_tests();
5230#endif
5231
96be2046 5232 /* EC point parser test */
67f7da40
GM		 5233 run_ec_pubkey_parse_test();
5234
96be2046
GM		 5235 /* EC key edge cases */
5236 run_eckey_edge_case_test();
5237
0739bbb6
AP		 5238#ifdef ENABLE_MODULE_ECDH
5239 /* ecdh tests */
5240 run_ecdh_tests();
5241#endif
5242
71712b27 5243 /* ecdsa tests */
7c6fed28 5244 run_random_pubkeys();
3bb9c447 5245 run_ecdsa_der_parse();
404c30a8 5246 run_ecdsa_sign_verify();
25f4aec0 5247 run_ecdsa_end_to_end();
6e052878 5248 run_ecdsa_edge_cases();
dd08f037
PW		 5249#ifdef ENABLE_OPENSSL_TESTS
5250 run_ecdsa_openssl();
5251#endif
910d0de4 5252
9f443be0
PW		 5253#ifdef ENABLE_MODULE_RECOVERY
5254 /* ECDSA pubkey recovery tests */
5255 run_recovery_tests();
5256#endif
5257
89561118
PW		 5258 secp256k1_rand256(run32);
5259 printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]);
bff11e91 5260
71712b27 5261 /* shutdown */
a9b6595e 5262 secp256k1_context_destroy(ctx);
c996d53a
PW		 5263
5264 printf("no problems found\n");
a41f32e6
PW		 5265 return 0;
5266}
Empty description
This page took 0.825665 seconds and 4 git commands to generate.