]> Git Repo - secp256k1.git/blame - src/tests.c
projects / secp256k1.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
schnorrsig: Init empty experimental module
[secp256k1.git] / src / tests.c
CommitLineData
71712b27 1/**********************************************************************
9c4fb23d 2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
71712b27
GM		 3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
0a433ea2 6
78cd96b1
CF		 7#if defined HAVE_CONFIG_H
8#include "libsecp256k1-config.h"
9#endif
10
5a9989c5 11#include <stdio.h>
0592d117 12#include <stdlib.h>
8e48aa60 13#include <string.h>
a41f32e6 14
e06a9244
PJ		 15#include <time.h>
16
25f4aec0 17#include "secp256k1.c"
67f7da40 18#include "include/secp256k1.h"
238305fd 19#include "include/secp256k1_preallocated.h"
f0709ac5 20#include "testrand_impl.h"
a41f32e6 21
dd08f037
PW		 22#ifdef ENABLE_OPENSSL_TESTS
23#include "openssl/bn.h"
24#include "openssl/ec.h"
25#include "openssl/ecdsa.h"
26#include "openssl/obj_mac.h"
31abd3ab
AB		 27# if OPENSSL_VERSION_NUMBER < 0x10100000L
28void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {*pr = sig->r; *ps = sig->s;}
29# endif
dd08f037
PW		 30#endif
31
eed87af1
AP		 32#include "contrib/lax_der_parsing.c"
33#include "contrib/lax_der_privatekey_parsing.c"
fea19e7b 34
79f599d3 35static int count = 64;
dd891e0e 36static secp256k1_context *ctx = NULL;
4adf6b2a 37
96be2046
GM		 38static void counting_illegal_callback_fn(const char* str, void* data) {
39 /* Dummy callback function that just counts. */
40 int32_t *p;
41 (void)str;
42 p = data;
43 (*p)++;
44}
45
46static void uncounting_illegal_callback_fn(const char* str, void* data) {
47 /* Dummy callback function that just counts (backwards). */
48 int32_t *p;
49 (void)str;
50 p = data;
51 (*p)--;
52}
53
dd891e0e 54void random_field_element_test(secp256k1_fe *fe) {
9338dbf7
PW		 55 do {
56 unsigned char b32[32];
57 secp256k1_rand256_test(b32);
659b554d
PW		 58 if (secp256k1_fe_set_b32(fe, b32)) {
59 break;
60 }
9338dbf7
PW		 61 } while(1);
62}
63
dd891e0e
PW		 64void random_field_element_magnitude(secp256k1_fe *fe) {
65 secp256k1_fe zero;
fa57f1bd 66 int n = secp256k1_rand_int(9);
9338dbf7 67 secp256k1_fe_normalize(fe);
60571c6e
PW		 68 if (n == 0) {
69 return;
9338dbf7 70 }
60571c6e
PW		 71 secp256k1_fe_clear(&zero);
72 secp256k1_fe_negate(&zero, &zero, 0);
73 secp256k1_fe_mul_int(&zero, n - 1);
74 secp256k1_fe_add(fe, &zero);
dcf39202
GM		 75#ifdef VERIFY
76 CHECK(fe->magnitude == n);
77#endif
9338dbf7
PW		 78}
79
dd891e0e
PW		 80void random_group_element_test(secp256k1_ge *ge) {
81 secp256k1_fe fe;
9338dbf7
PW		 82 do {
83 random_field_element_test(&fe);
fa57f1bd 84 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand_bits(1))) {
baa75da5 85 secp256k1_fe_normalize(&ge->y);
9338dbf7 86 break;
26320197 87 }
9338dbf7
PW		 88 } while(1);
89}
90
dd891e0e
PW		 91void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
92 secp256k1_fe z2, z3;
9338dbf7
PW		 93 do {
94 random_field_element_test(&gej->z);
95 if (!secp256k1_fe_is_zero(&gej->z)) {
96 break;
97 }
98 } while(1);
bf2e1ac7
GM		 99 secp256k1_fe_sqr(&z2, &gej->z);
100 secp256k1_fe_mul(&z3, &z2, &gej->z);
9338dbf7
PW		 101 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
102 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
103 gej->infinity = ge->infinity;
104}
105
dd891e0e 106void random_scalar_order_test(secp256k1_scalar *num) {
a9f5c8b8
PW		 107 do {
108 unsigned char b32[32];
a9f5c8b8 109 int overflow = 0;
bf2e1ac7 110 secp256k1_rand256_test(b32);
eca6cdb1 111 secp256k1_scalar_set_b32(num, b32, &overflow);
26320197 112 if (overflow || secp256k1_scalar_is_zero(num)) {
a9f5c8b8 113 continue;
26320197 114 }
a9f5c8b8
PW		 115 break;
116 } while(1);
117}
118
dd891e0e 119void random_scalar_order(secp256k1_scalar *num) {
f24041d6
PW		 120 do {
121 unsigned char b32[32];
f24041d6 122 int overflow = 0;
bf2e1ac7 123 secp256k1_rand256(b32);
f24041d6 124 secp256k1_scalar_set_b32(num, b32, &overflow);
26320197 125 if (overflow || secp256k1_scalar_is_zero(num)) {
f24041d6 126 continue;
26320197 127 }
f24041d6
PW		 128 break;
129 } while(1);
130}
131
9ab2cbe0
JN		 132void random_scalar_order_b32(unsigned char *b32) {
133 secp256k1_scalar num;
134 random_scalar_order(&num);
135 secp256k1_scalar_get_b32(b32, &num);
136}
137
814cc78d 138void run_context_tests(int use_prealloc) {
96be2046 139 secp256k1_pubkey pubkey;
8e48aa60 140 secp256k1_pubkey zero_pubkey;
96be2046
GM		 141 secp256k1_ecdsa_signature sig;
142 unsigned char ctmp[32];
143 int32_t ecount;
144 int32_t ecount2;
814cc78d
TR		 145 secp256k1_context *none;
146 secp256k1_context *sign;
147 secp256k1_context *vrfy;
148 secp256k1_context *both;
149 void *none_prealloc = NULL;
150 void *sign_prealloc = NULL;
151 void *vrfy_prealloc = NULL;
152 void *both_prealloc = NULL;
d899b5b6 153
dd891e0e
PW		 154 secp256k1_gej pubj;
155 secp256k1_ge pub;
156 secp256k1_scalar msg, key, nonce;
157 secp256k1_scalar sigr, sigs;
d899b5b6 158
814cc78d
TR		 159 if (use_prealloc) {
160 none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
161 sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
162 vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
163 both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
164 CHECK(none_prealloc != NULL);
165 CHECK(sign_prealloc != NULL);
166 CHECK(vrfy_prealloc != NULL);
167 CHECK(both_prealloc != NULL);
168 none = secp256k1_context_preallocated_create(none_prealloc, SECP256K1_CONTEXT_NONE);
169 sign = secp256k1_context_preallocated_create(sign_prealloc, SECP256K1_CONTEXT_SIGN);
170 vrfy = secp256k1_context_preallocated_create(vrfy_prealloc, SECP256K1_CONTEXT_VERIFY);
171 both = secp256k1_context_preallocated_create(both_prealloc, SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
172 } else {
173 none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
174 sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
175 vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
176 both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
177 }
178
8e48aa60
AP		 179 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
180
96be2046
GM		 181 ecount = 0;
182 ecount2 = 10;
183 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
184 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
2e1b9e04
TR		 185 /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
186 secp256k1_context_set_error_callback(sign, secp256k1_default_illegal_callback_fn, NULL);
187 CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
188 CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn);
96be2046 189
814cc78d
TR		 190 /* check if sizes for cloning are consistent */
191 CHECK(secp256k1_context_preallocated_clone_size(none) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
192 CHECK(secp256k1_context_preallocated_clone_size(sign) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
193 CHECK(secp256k1_context_preallocated_clone_size(vrfy) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
194 CHECK(secp256k1_context_preallocated_clone_size(both) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
195
d899b5b6
AP		 196 /*** clone and destroy all of them to make sure cloning was complete ***/
197 {
dd891e0e 198 secp256k1_context *ctx_tmp;
d899b5b6 199
814cc78d
TR		 200 if (use_prealloc) {
201 /* clone into a non-preallocated context and then again into a new preallocated one. */
202 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
203 free(none_prealloc); none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL);
204 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, none_prealloc); secp256k1_context_destroy(ctx_tmp);
205
206 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
207 free(sign_prealloc); sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL);
208 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, sign_prealloc); secp256k1_context_destroy(ctx_tmp);
209
210 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
211 free(vrfy_prealloc); vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL);
212 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, vrfy_prealloc); secp256k1_context_destroy(ctx_tmp);
213
214 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
215 free(both_prealloc); both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL);
216 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, both_prealloc); secp256k1_context_destroy(ctx_tmp);
217 } else {
218 /* clone into a preallocated context and then again into a new non-preallocated one. */
219 void *prealloc_tmp;
220
221 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL);
222 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
223 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
224 free(prealloc_tmp);
225
226 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL);
227 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
228 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
229 free(prealloc_tmp);
230
231 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
232 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
233 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
234 free(prealloc_tmp);
235
236 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
237 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
238 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
239 free(prealloc_tmp);
240 }
d899b5b6
AP		 241 }
242
96be2046 243 /* Verify that the error callback makes it across the clone. */
2e1b9e04
TR		 244 CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
245 CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn);
96be2046
GM		 246 /* And that it resets back to default. */
247 secp256k1_context_set_error_callback(sign, NULL, NULL);
248 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
249
d899b5b6
AP		 250 /*** attempt to use them ***/
251 random_scalar_order_test(&msg);
252 random_scalar_order_test(&key);
253 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
254 secp256k1_ge_set_gej(&pub, &pubj);
255
96be2046
GM		 256 /* Verify context-type checking illegal-argument errors. */
257 memset(ctmp, 1, 32);
258 CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
259 CHECK(ecount == 1);
260 VG_UNDEF(&pubkey, sizeof(pubkey));
261 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
262 VG_CHECK(&pubkey, sizeof(pubkey));
263 CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
264 CHECK(ecount == 2);
265 VG_UNDEF(&sig, sizeof(sig));
266 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
267 VG_CHECK(&sig, sizeof(sig));
268 CHECK(ecount2 == 10);
269 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
270 CHECK(ecount2 == 11);
271 CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
272 CHECK(ecount == 2);
273 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
274 CHECK(ecount2 == 12);
275 CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
276 CHECK(ecount == 2);
277 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
278 CHECK(ecount2 == 13);
8e48aa60 279 CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
96be2046 280 CHECK(ecount == 2);
8e48aa60
AP		 281 CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
282 CHECK(ecount == 2);
283 CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
284 CHECK(ecount2 == 14);
285 CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
286 CHECK(ecount == 3);
287 CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
96be2046 288 CHECK(ecount == 3);
61983752
TR		 289 CHECK(secp256k1_context_randomize(vrfy, ctmp) == 1);
290 CHECK(ecount == 3);
291 CHECK(secp256k1_context_randomize(vrfy, NULL) == 1);
292 CHECK(ecount == 3);
293 CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
294 CHECK(ecount2 == 14);
96be2046 295 CHECK(secp256k1_context_randomize(sign, NULL) == 1);
8e48aa60 296 CHECK(ecount2 == 14);
96be2046
GM		 297 secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
298 secp256k1_context_set_illegal_callback(sign, NULL, NULL);
299
d899b5b6
AP		 300 /* obtain a working nonce */
301 do {
302 random_scalar_order_test(&nonce);
18c329c5 303 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
d899b5b6
AP		 304
305 /* try signing */
18c329c5
PW		 306 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
307 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
d899b5b6
AP		 308
309 /* try verifying */
18c329c5
PW		 310 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
311 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
5c2a4fad
AP		 312
313 /* cleanup */
814cc78d
TR		 314 if (use_prealloc) {
315 secp256k1_context_preallocated_destroy(none);
316 secp256k1_context_preallocated_destroy(sign);
317 secp256k1_context_preallocated_destroy(vrfy);
318 secp256k1_context_preallocated_destroy(both);
319 free(none_prealloc);
320 free(sign_prealloc);
321 free(vrfy_prealloc);
322 free(both_prealloc);
323 } else {
324 secp256k1_context_destroy(none);
325 secp256k1_context_destroy(sign);
326 secp256k1_context_destroy(vrfy);
327 secp256k1_context_destroy(both);
328 }
5b71a3f4
GM		 329 /* Defined as no-op. */
330 secp256k1_context_destroy(NULL);
814cc78d
TR		 331 secp256k1_context_preallocated_destroy(NULL);
332
d899b5b6
AP		 333}
334
548de42e 335void run_scratch_tests(void) {
98836b11
AP		 336 const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
337
548de42e 338 int32_t ecount = 0;
98836b11
AP		 339 size_t checkpoint;
340 size_t checkpoint_2;
548de42e
AP		 341 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
342 secp256k1_scratch_space *scratch;
c2b028a2 343 secp256k1_scratch_space local_scratch;
548de42e
AP		 344
345 /* Test public API */
346 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
c2b028a2 347 secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
548de42e 348
6fe50439 349 scratch = secp256k1_scratch_space_create(none, 1000);
548de42e 350 CHECK(scratch != NULL);
6fe50439 351 CHECK(ecount == 0);
548de42e
AP		 352
353 /* Test internal API */
c2b028a2 354 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
98836b11
AP		 355 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
356 CHECK(scratch->alloc_size == 0);
357 CHECK(scratch->alloc_size % ALIGNMENT == 0);
6fe50439 358
98836b11
AP		 359 /* Allocating 500 bytes succeeds */
360 checkpoint = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
c2b028a2 361 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
98836b11
AP		 362 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
363 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
364 CHECK(scratch->alloc_size != 0);
365 CHECK(scratch->alloc_size % ALIGNMENT == 0);
6fe50439 366
98836b11 367 /* Allocating another 500 bytes fails */
c2b028a2 368 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
98836b11
AP		 369 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
370 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
371 CHECK(scratch->alloc_size != 0);
372 CHECK(scratch->alloc_size % ALIGNMENT == 0);
373
374 /* ...but it succeeds once we apply the checkpoint to undo it */
375 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
376 CHECK(scratch->alloc_size == 0);
377 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
378 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
379 CHECK(scratch->alloc_size != 0);
548de42e 380
98836b11
AP		 381 /* try to apply a bad checkpoint */
382 checkpoint_2 = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
383 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
c2b028a2 384 CHECK(ecount == 0);
98836b11
AP		 385 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */
386 CHECK(ecount == 1);
387 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */
388 CHECK(ecount == 2);
c2b028a2
AP		 389
390 /* try to use badly initialized scratch space */
98836b11 391 secp256k1_scratch_space_destroy(none, scratch);
c2b028a2
AP		 392 memset(&local_scratch, 0, sizeof(local_scratch));
393 scratch = &local_scratch;
394 CHECK(!secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0));
c2b028a2 395 CHECK(ecount == 3);
98836b11 396 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
c2b028a2
AP		 397 CHECK(ecount == 4);
398 secp256k1_scratch_space_destroy(none, scratch);
399 CHECK(ecount == 5);
400
98836b11
AP		 401 /* cleanup */
402 secp256k1_scratch_space_destroy(none, NULL); /* no-op */
548de42e
AP		 403 secp256k1_context_destroy(none);
404}
405
b37fbc28
PW		 406/***** HASH TESTS *****/
407
408void run_sha256_tests(void) {
409 static const char *inputs[8] = {
410 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
411 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
412 "For this sample, this 63-byte string will be used as input data",
413 "This is exactly 64 bytes long, not counting the terminating byte"
414 };
415 static const unsigned char outputs[8][32] = {
416 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
417 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
418 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
419 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
420 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
421 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
422 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
423 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
424 };
bf2e1ac7
GM		 425 int i;
426 for (i = 0; i < 8; i++) {
427 unsigned char out[32];
d1dc9dfc 428 secp256k1_sha256 hasher;
b37fbc28
PW		 429 secp256k1_sha256_initialize(&hasher);
430 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
b37fbc28
PW		 431 secp256k1_sha256_finalize(&hasher, out);
432 CHECK(memcmp(out, outputs[i], 32) == 0);
433 if (strlen(inputs[i]) > 0) {
fa57f1bd 434 int split = secp256k1_rand_int(strlen(inputs[i]));
bf2e1ac7 435 secp256k1_sha256_initialize(&hasher);
b37fbc28
PW		 436 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
437 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
438 secp256k1_sha256_finalize(&hasher, out);
439 CHECK(memcmp(out, outputs[i], 32) == 0);
440 }
441 }
442}
443
444void run_hmac_sha256_tests(void) {
445 static const char *keys[6] = {
446 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
447 "\x4a\x65\x66\x65",
448 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
449 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
450 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
451 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
452 };
453 static const char *inputs[6] = {
454 "\x48\x69\x20\x54\x68\x65\x72\x65",
455 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
456 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
457 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
458 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
459 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
460 };
461 static const unsigned char outputs[6][32] = {
462 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
463 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
464 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
465 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
466 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
467 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
468 };
bf2e1ac7
GM		 469 int i;
470 for (i = 0; i < 6; i++) {
d1dc9dfc 471 secp256k1_hmac_sha256 hasher;
bf2e1ac7 472 unsigned char out[32];
b37fbc28
PW		 473 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
474 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
b37fbc28
PW		 475 secp256k1_hmac_sha256_finalize(&hasher, out);
476 CHECK(memcmp(out, outputs[i], 32) == 0);
477 if (strlen(inputs[i]) > 0) {
fa57f1bd 478 int split = secp256k1_rand_int(strlen(inputs[i]));
bf2e1ac7 479 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
b37fbc28
PW		 480 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
481 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
482 secp256k1_hmac_sha256_finalize(&hasher, out);
483 CHECK(memcmp(out, outputs[i], 32) == 0);
484 }
485 }
486}
487
488void run_rfc6979_hmac_sha256_tests(void) {
3e6f1e20 489 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
b37fbc28
PW		 490 static const unsigned char out1[3][32] = {
491 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
492 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
493 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
494 };
495
3e6f1e20 496 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
b37fbc28
PW		 497 static const unsigned char out2[3][32] = {
498 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
499 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
500 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
501 };
502
d1dc9dfc 503 secp256k1_rfc6979_hmac_sha256 rng;
b37fbc28 504 unsigned char out[32];
bf2e1ac7 505 int i;
b37fbc28 506
3e6f1e20 507 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
bf2e1ac7 508 for (i = 0; i < 3; i++) {
b37fbc28
PW		 509 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
510 CHECK(memcmp(out, out1[i], 32) == 0);
511 }
512 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
513
3e6f1e20 514 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
1573a102
PW		 515 for (i = 0; i < 3; i++) {
516 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
517 CHECK(memcmp(out, out1[i], 32) != 0);
518 }
519 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
520
3e6f1e20 521 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
bf2e1ac7 522 for (i = 0; i < 3; i++) {
b37fbc28
PW		 523 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
524 CHECK(memcmp(out, out2[i], 32) == 0);
525 }
526 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
527}
528
49b37498
PW		 529/***** RANDOM TESTS *****/
530
531void test_rand_bits(int rand32, int bits) {
532 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
533 * get a false negative chance below once in a billion */
534 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
535 /* We try multiplying the results with various odd numbers, which shouldn't
536 * influence the uniform distribution modulo a power of 2. */
537 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
538 /* We only select up to 6 bits from the output to analyse */
539 unsigned int usebits = bits > 6 ? 6 : bits;
540 unsigned int maxshift = bits - usebits;
541 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
542 number, track all observed outcomes, one per bit in a uint64_t. */
543 uint64_t x[6][27] = {{0}};
544 unsigned int i, shift, m;
545 /* Multiply the output of all rand calls with the odd number m, which
546 should not change the uniformity of its distribution. */
547 for (i = 0; i < rounds[usebits]; i++) {
548 uint32_t r = (rand32 ? secp256k1_rand32() : secp256k1_rand_bits(bits));
549 CHECK((((uint64_t)r) >> bits) == 0);
550 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
551 uint32_t rm = r * mults[m];
552 for (shift = 0; shift <= maxshift; shift++) {
553 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
554 }
555 }
556 }
557 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
558 for (shift = 0; shift <= maxshift; shift++) {
559 /* Test that the lower usebits bits of x[shift] are 1 */
560 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
561 }
562 }
563}
564
565/* Subrange must be a whole divisor of range, and at most 64 */
566void test_rand_int(uint32_t range, uint32_t subrange) {
567 /* (1-1/subrange)^rounds < 1/10^9 */
568 int rounds = (subrange * 2073) / 100;
569 int i;
570 uint64_t x = 0;
571 CHECK((range % subrange) == 0);
572 for (i = 0; i < rounds; i++) {
573 uint32_t r = secp256k1_rand_int(range);
574 CHECK(r < range);
575 r = r % subrange;
576 x |= (((uint64_t)1) << r);
577 }
578 /* Test that the lower subrange bits of x are 1. */
579 CHECK(((~x) << (64 - subrange)) == 0);
580}
581
582void run_rand_bits(void) {
583 size_t b;
584 test_rand_bits(1, 32);
585 for (b = 1; b <= 32; b++) {
586 test_rand_bits(0, b);
587 }
588}
589
590void run_rand_int(void) {
591 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
592 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
593 unsigned int m, s;
594 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
595 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
596 test_rand_int(ms[m] * ss[s], ss[s]);
597 }
598 }
599}
600
659b554d
PW		 601/***** NUM TESTS *****/
602
597128d3 603#ifndef USE_NUM_NONE
dd891e0e 604void random_num_negate(secp256k1_num *num) {
fa57f1bd 605 if (secp256k1_rand_bits(1)) {
659b554d 606 secp256k1_num_negate(num);
26320197 607 }
659b554d
PW		 608}
609
dd891e0e
PW		 610void random_num_order_test(secp256k1_num *num) {
611 secp256k1_scalar sc;
659b554d
PW		 612 random_scalar_order_test(&sc);
613 secp256k1_scalar_get_num(num, &sc);
614}
615
dd891e0e
PW		 616void random_num_order(secp256k1_num *num) {
617 secp256k1_scalar sc;
659b554d
PW		 618 random_scalar_order(&sc);
619 secp256k1_scalar_get_num(num, &sc);
404c30a8
PW		 620}
621
2cad067a 622void test_num_negate(void) {
dd891e0e
PW		 623 secp256k1_num n1;
624 secp256k1_num n2;
71712b27 625 random_num_order_test(&n1); /* n1 = R */
3f44e1ad 626 random_num_negate(&n1);
71712b27
GM		 627 secp256k1_num_copy(&n2, &n1); /* n2 = R */
628 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
0592d117 629 CHECK(secp256k1_num_is_zero(&n1));
71712b27
GM		 630 secp256k1_num_copy(&n1, &n2); /* n1 = R */
631 secp256k1_num_negate(&n1); /* n1 = -R */
0592d117 632 CHECK(!secp256k1_num_is_zero(&n1));
71712b27 633 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
0592d117 634 CHECK(secp256k1_num_is_zero(&n1));
71712b27
GM		 635 secp256k1_num_copy(&n1, &n2); /* n1 = R */
636 secp256k1_num_negate(&n1); /* n1 = -R */
0592d117 637 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
71712b27 638 secp256k1_num_negate(&n1); /* n1 = R */
1a749b4a 639 CHECK(secp256k1_num_eq(&n1, &n2));
3f44e1ad
PW		 640}
641
2cad067a 642void test_num_add_sub(void) {
efd953a7
PD		 643 int i;
644 secp256k1_scalar s;
dd891e0e
PW		 645 secp256k1_num n1;
646 secp256k1_num n2;
647 secp256k1_num n1p2, n2p1, n1m2, n2m1;
71712b27 648 random_num_order_test(&n1); /* n1 = R1 */
fa57f1bd 649 if (secp256k1_rand_bits(1)) {
1a749b4a
PW		 650 random_num_negate(&n1);
651 }
71712b27 652 random_num_order_test(&n2); /* n2 = R2 */
fa57f1bd 653 if (secp256k1_rand_bits(1)) {
1a749b4a
PW		 654 random_num_negate(&n2);
655 }
71712b27
GM		 656 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
657 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
658 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
659 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
1a749b4a
PW		 660 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
661 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
71712b27 662 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
1a749b4a
PW		 663 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
664 CHECK(!secp256k1_num_eq(&n2m1, &n1));
71712b27 665 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
1a749b4a
PW		 666 CHECK(secp256k1_num_eq(&n2m1, &n1));
667 CHECK(!secp256k1_num_eq(&n2p1, &n1));
71712b27 668 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
1a749b4a 669 CHECK(secp256k1_num_eq(&n2p1, &n1));
efd953a7
PD		 670
671 /* check is_one */
672 secp256k1_scalar_set_int(&s, 1);
673 secp256k1_scalar_get_num(&n1, &s);
674 CHECK(secp256k1_num_is_one(&n1));
675 /* check that 2^n + 1 is never 1 */
676 secp256k1_scalar_get_num(&n2, &s);
677 for (i = 0; i < 250; ++i) {
678 secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */
679 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */
680 CHECK(!secp256k1_num_is_one(&n1p2));
681 }
682}
683
684void test_num_mod(void) {
685 int i;
686 secp256k1_scalar s;
687 secp256k1_num order, n;
688
689 /* check that 0 mod anything is 0 */
7d893f49 690 random_scalar_order_test(&s);
efd953a7
PD		 691 secp256k1_scalar_get_num(&order, &s);
692 secp256k1_scalar_set_int(&s, 0);
693 secp256k1_scalar_get_num(&n, &s);
694 secp256k1_num_mod(&n, &order);
695 CHECK(secp256k1_num_is_zero(&n));
696
697 /* check that anything mod 1 is 0 */
698 secp256k1_scalar_set_int(&s, 1);
699 secp256k1_scalar_get_num(&order, &s);
700 secp256k1_scalar_get_num(&n, &s);
701 secp256k1_num_mod(&n, &order);
702 CHECK(secp256k1_num_is_zero(&n));
703
704 /* check that increasing the number past 2^256 does not break this */
7d893f49 705 random_scalar_order_test(&s);
efd953a7
PD		 706 secp256k1_scalar_get_num(&n, &s);
707 /* multiply by 2^8, which'll test this case with high probability */
708 for (i = 0; i < 8; ++i) {
709 secp256k1_num_add(&n, &n, &n);
710 }
711 secp256k1_num_mod(&n, &order);
712 CHECK(secp256k1_num_is_zero(&n));
713}
714
715void test_num_jacobi(void) {
716 secp256k1_scalar sqr;
717 secp256k1_scalar small;
718 secp256k1_scalar five; /* five is not a quadratic residue */
719 secp256k1_num order, n;
720 int i;
721 /* squares mod 5 are 1, 4 */
722 const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
723
724 /* check some small values with 5 as the order */
725 secp256k1_scalar_set_int(&five, 5);
726 secp256k1_scalar_get_num(&order, &five);
727 for (i = 0; i < 10; ++i) {
728 secp256k1_scalar_set_int(&small, i);
729 secp256k1_scalar_get_num(&n, &small);
730 CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
731 }
732
733 /** test large values with 5 as group order */
734 secp256k1_scalar_get_num(&order, &five);
735 /* we first need a scalar which is not a multiple of 5 */
736 do {
737 secp256k1_num fiven;
7d893f49 738 random_scalar_order_test(&sqr);
efd953a7
PD		 739 secp256k1_scalar_get_num(&fiven, &five);
740 secp256k1_scalar_get_num(&n, &sqr);
741 secp256k1_num_mod(&n, &fiven);
742 } while (secp256k1_num_is_zero(&n));
743 /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
744 * just multiply by two, i.e. add the number to itself */
745 if (secp256k1_num_jacobi(&n, &order) == -1) {
746 secp256k1_num_add(&n, &n, &n);
747 }
748
749 /* test residue */
750 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
751 /* test nonresidue */
752 secp256k1_num_add(&n, &n, &n);
753 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
754
755 /** test with secp group order as order */
756 secp256k1_scalar_order_get_num(&order);
7d893f49 757 random_scalar_order_test(&sqr);
efd953a7
PD		 758 secp256k1_scalar_sqr(&sqr, &sqr);
759 /* test residue */
760 secp256k1_scalar_get_num(&n, &sqr);
761 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
762 /* test nonresidue */
763 secp256k1_scalar_mul(&sqr, &sqr, &five);
764 secp256k1_scalar_get_num(&n, &sqr);
765 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
766 /* test multiple of the order*/
767 CHECK(secp256k1_num_jacobi(&order, &order) == 0);
768
769 /* check one less than the order */
770 secp256k1_scalar_set_int(&small, 1);
771 secp256k1_scalar_get_num(&n, &small);
772 secp256k1_num_sub(&n, &order, &n);
773 CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */
3f44e1ad
PW		 774}
775
2cad067a 776void run_num_smalltests(void) {
bf2e1ac7
GM		 777 int i;
778 for (i = 0; i < 100*count; i++) {
3f44e1ad
PW		 779 test_num_negate();
780 test_num_add_sub();
efd953a7
PD		 781 test_num_mod();
782 test_num_jacobi();
3f44e1ad 783 }
3f44e1ad 784}
597128d3 785#endif
3f44e1ad 786
79359302
PW		 787/***** SCALAR TESTS *****/
788
79359302 789void scalar_test(void) {
dd891e0e
PW		 790 secp256k1_scalar s;
791 secp256k1_scalar s1;
792 secp256k1_scalar s2;
bf2e1ac7 793#ifndef USE_NUM_NONE
dd891e0e
PW		 794 secp256k1_num snum, s1num, s2num;
795 secp256k1_num order, half_order;
bf2e1ac7 796#endif
79359302
PW		 797 unsigned char c[32];
798
71712b27 799 /* Set 's' to a random scalar, with value 'snum'. */
659b554d 800 random_scalar_order_test(&s);
79359302 801
71712b27 802 /* Set 's1' to a random scalar, with value 's1num'. */
659b554d 803 random_scalar_order_test(&s1);
79359302 804
71712b27 805 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
659b554d
PW		 806 random_scalar_order_test(&s2);
807 secp256k1_scalar_get_b32(c, &s2);
808
597128d3 809#ifndef USE_NUM_NONE
659b554d
PW		 810 secp256k1_scalar_get_num(&snum, &s);
811 secp256k1_scalar_get_num(&s1num, &s1);
812 secp256k1_scalar_get_num(&s2num, &s2);
813
659b554d 814 secp256k1_scalar_order_get_num(&order);
bf2e1ac7 815 half_order = order;
659b554d 816 secp256k1_num_shift(&half_order, 1);
597128d3 817#endif
79359302
PW		 818
819 {
bf2e1ac7 820 int i;
71712b27 821 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
dd891e0e 822 secp256k1_scalar n;
1e6c77c3 823 secp256k1_scalar_set_int(&n, 0);
bf2e1ac7 824 for (i = 0; i < 256; i += 4) {
dd891e0e 825 secp256k1_scalar t;
bf2e1ac7 826 int j;
1e6c77c3 827 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
bf2e1ac7 828 for (j = 0; j < 4; j++) {
1e6c77c3
PW		 829 secp256k1_scalar_add(&n, &n, &n);
830 }
831 secp256k1_scalar_add(&n, &n, &t);
79359302 832 }
1e6c77c3
PW		 833 CHECK(secp256k1_scalar_eq(&n, &s));
834 }
835
836 {
837 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
dd891e0e 838 secp256k1_scalar n;
1e6c77c3 839 int i = 0;
bf2e1ac7 840 secp256k1_scalar_set_int(&n, 0);
1e6c77c3 841 while (i < 256) {
dd891e0e 842 secp256k1_scalar t;
bf2e1ac7 843 int j;
fa57f1bd 844 int now = secp256k1_rand_int(15) + 1;
1e6c77c3
PW		 845 if (now + i > 256) {
846 now = 256 - i;
847 }
1e6c77c3 848 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
bf2e1ac7 849 for (j = 0; j < now; j++) {
1e6c77c3
PW		 850 secp256k1_scalar_add(&n, &n, &n);
851 }
852 secp256k1_scalar_add(&n, &n, &t);
853 i += now;
854 }
855 CHECK(secp256k1_scalar_eq(&n, &s));
79359302
PW		 856 }
857
597128d3 858#ifndef USE_NUM_NONE
79359302 859 {
71712b27 860 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
dd891e0e
PW		 861 secp256k1_num rnum;
862 secp256k1_num r2num;
863 secp256k1_scalar r;
79359302 864 secp256k1_num_add(&rnum, &snum, &s2num);
659b554d 865 secp256k1_num_mod(&rnum, &order);
79359302 866 secp256k1_scalar_add(&r, &s, &s2);
79359302
PW		 867 secp256k1_scalar_get_num(&r2num, &r);
868 CHECK(secp256k1_num_eq(&rnum, &r2num));
79359302
PW		 869 }
870
871 {
269d4227 872 /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
dd891e0e
PW		 873 secp256k1_scalar r;
874 secp256k1_num r2num;
875 secp256k1_num rnum;
79359302 876 secp256k1_num_mul(&rnum, &snum, &s2num);
659b554d 877 secp256k1_num_mod(&rnum, &order);
79359302 878 secp256k1_scalar_mul(&r, &s, &s2);
79359302
PW		 879 secp256k1_scalar_get_num(&r2num, &r);
880 CHECK(secp256k1_num_eq(&rnum, &r2num));
71712b27 881 /* The result can only be zero if at least one of the factors was zero. */
79359302 882 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
71712b27 883 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
79359302
PW		 884 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
885 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
79359302
PW		 886 }
887
888 {
dd891e0e
PW		 889 secp256k1_scalar neg;
890 secp256k1_num negnum;
891 secp256k1_num negnum2;
71712b27 892 /* Check that comparison with zero matches comparison with zero on the number. */
79359302 893 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
71712b27 894 /* Check that comparison with the half order is equal to testing for high scalar. */
659b554d 895 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
79359302 896 secp256k1_scalar_negate(&neg, &s);
659b554d
PW		 897 secp256k1_num_sub(&negnum, &order, &snum);
898 secp256k1_num_mod(&negnum, &order);
71712b27 899 /* Check that comparison with the half order is equal to testing for high scalar after negation. */
659b554d 900 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
71712b27 901 /* Negating should change the high property, unless the value was already zero. */
79359302 902 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
79359302 903 secp256k1_scalar_get_num(&negnum2, &neg);
71712b27 904 /* Negating a scalar should be equal to (order - n) mod order on the number. */
79359302
PW		 905 CHECK(secp256k1_num_eq(&negnum, &negnum2));
906 secp256k1_scalar_add(&neg, &neg, &s);
71712b27 907 /* Adding a number to its negation should result in zero. */
79359302
PW		 908 CHECK(secp256k1_scalar_is_zero(&neg));
909 secp256k1_scalar_negate(&neg, &neg);
71712b27 910 /* Negating zero should still result in zero. */
79359302 911 CHECK(secp256k1_scalar_is_zero(&neg));
79359302 912 }
ff8746d4
PW		 913
914 {
915 /* Test secp256k1_scalar_mul_shift_var. */
dd891e0e
PW		 916 secp256k1_scalar r;
917 secp256k1_num one;
918 secp256k1_num rnum;
919 secp256k1_num rnum2;
bf2e1ac7 920 unsigned char cone[1] = {0x01};
fa57f1bd 921 unsigned int shift = 256 + secp256k1_rand_int(257);
ff8746d4 922 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
ff8746d4
PW		 923 secp256k1_num_mul(&rnum, &s1num, &s2num);
924 secp256k1_num_shift(&rnum, shift - 1);
ff8746d4
PW		 925 secp256k1_num_set_bin(&one, cone, 1);
926 secp256k1_num_add(&rnum, &rnum, &one);
927 secp256k1_num_shift(&rnum, 1);
ff8746d4
PW		 928 secp256k1_scalar_get_num(&rnum2, &r);
929 CHECK(secp256k1_num_eq(&rnum, &rnum2));
930 }
44015000
AP		 931
932 {
933 /* test secp256k1_scalar_shr_int */
dd891e0e 934 secp256k1_scalar r;
44015000 935 int i;
44015000
AP		 936 random_scalar_order_test(&r);
937 for (i = 0; i < 100; ++i) {
cfe0ed91 938 int low;
fa57f1bd 939 int shift = 1 + secp256k1_rand_int(15);
44015000
AP		 940 int expected = r.d[0] % (1 << shift);
941 low = secp256k1_scalar_shr_int(&r, shift);
942 CHECK(expected == low);
943 }
944 }
597128d3 945#endif
79359302
PW		 946
947 {
71712b27 948 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
79359302 949 if (!secp256k1_scalar_is_zero(&s)) {
dd891e0e 950 secp256k1_scalar inv;
597128d3 951#ifndef USE_NUM_NONE
dd891e0e
PW		 952 secp256k1_num invnum;
953 secp256k1_num invnum2;
bf2e1ac7
GM		 954#endif
955 secp256k1_scalar_inverse(&inv, &s);
956#ifndef USE_NUM_NONE
957 secp256k1_num_mod_inverse(&invnum, &snum, &order);
79359302
PW		 958 secp256k1_scalar_get_num(&invnum2, &inv);
959 CHECK(secp256k1_num_eq(&invnum, &invnum2));
597128d3 960#endif
79359302 961 secp256k1_scalar_mul(&inv, &inv, &s);
71712b27 962 /* Multiplying a scalar with its inverse must result in one. */
79359302
PW		 963 CHECK(secp256k1_scalar_is_one(&inv));
964 secp256k1_scalar_inverse(&inv, &inv);
71712b27 965 /* Inverting one must result in one. */
79359302 966 CHECK(secp256k1_scalar_is_one(&inv));
efd953a7
PD		 967#ifndef USE_NUM_NONE
968 secp256k1_scalar_get_num(&invnum, &inv);
969 CHECK(secp256k1_num_is_one(&invnum));
970#endif
79359302
PW		 971 }
972 }
973
974 {
71712b27 975 /* Test commutativity of add. */
dd891e0e 976 secp256k1_scalar r1, r2;
79359302
PW		 977 secp256k1_scalar_add(&r1, &s1, &s2);
978 secp256k1_scalar_add(&r2, &s2, &s1);
979 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 980 }
981
52132078 982 {
dd891e0e
PW		 983 secp256k1_scalar r1, r2;
984 secp256k1_scalar b;
bf2e1ac7 985 int i;
52132078 986 /* Test add_bit. */
fa57f1bd 987 int bit = secp256k1_rand_bits(8);
1e6c77c3 988 secp256k1_scalar_set_int(&b, 1);
52132078 989 CHECK(secp256k1_scalar_is_one(&b));
bf2e1ac7 990 for (i = 0; i < bit; i++) {
52132078
PW		 991 secp256k1_scalar_add(&b, &b, &b);
992 }
bf2e1ac7
GM		 993 r1 = s1;
994 r2 = s1;
29ae1310 995 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
52132078 996 /* No overflow happened. */
ed35d43a
AP		 997 secp256k1_scalar_cadd_bit(&r2, bit, 1);
998 CHECK(secp256k1_scalar_eq(&r1, &r2));
999 /* cadd is a noop when flag is zero */
1000 secp256k1_scalar_cadd_bit(&r2, bit, 0);
52132078
PW		 1001 CHECK(secp256k1_scalar_eq(&r1, &r2));
1002 }
1003 }
1004
79359302 1005 {
71712b27 1006 /* Test commutativity of mul. */
dd891e0e 1007 secp256k1_scalar r1, r2;
79359302
PW		 1008 secp256k1_scalar_mul(&r1, &s1, &s2);
1009 secp256k1_scalar_mul(&r2, &s2, &s1);
1010 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 1011 }
1012
1013 {
71712b27 1014 /* Test associativity of add. */
dd891e0e 1015 secp256k1_scalar r1, r2;
79359302
PW		 1016 secp256k1_scalar_add(&r1, &s1, &s2);
1017 secp256k1_scalar_add(&r1, &r1, &s);
1018 secp256k1_scalar_add(&r2, &s2, &s);
1019 secp256k1_scalar_add(&r2, &s1, &r2);
1020 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 1021 }
1022
1023 {
71712b27 1024 /* Test associativity of mul. */
dd891e0e 1025 secp256k1_scalar r1, r2;
79359302
PW		 1026 secp256k1_scalar_mul(&r1, &s1, &s2);
1027 secp256k1_scalar_mul(&r1, &r1, &s);
1028 secp256k1_scalar_mul(&r2, &s2, &s);
1029 secp256k1_scalar_mul(&r2, &s1, &r2);
1030 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 1031 }
1032
1033 {
71712b27 1034 /* Test distributitivity of mul over add. */
dd891e0e 1035 secp256k1_scalar r1, r2, t;
79359302
PW		 1036 secp256k1_scalar_add(&r1, &s1, &s2);
1037 secp256k1_scalar_mul(&r1, &r1, &s);
1038 secp256k1_scalar_mul(&r2, &s1, &s);
1039 secp256k1_scalar_mul(&t, &s2, &s);
1040 secp256k1_scalar_add(&r2, &r2, &t);
1041 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302 1042 }
1d52a8b1
PW		 1043
1044 {
71712b27 1045 /* Test square. */
dd891e0e 1046 secp256k1_scalar r1, r2;
1d52a8b1
PW		 1047 secp256k1_scalar_sqr(&r1, &s1);
1048 secp256k1_scalar_mul(&r2, &s1, &s1);
1049 CHECK(secp256k1_scalar_eq(&r1, &r2));
1050 }
ff8746d4 1051
8d11164b
GM		 1052 {
1053 /* Test multiplicative identity. */
dd891e0e 1054 secp256k1_scalar r1, v1;
8d11164b
GM		 1055 secp256k1_scalar_set_int(&v1,1);
1056 secp256k1_scalar_mul(&r1, &s1, &v1);
1057 CHECK(secp256k1_scalar_eq(&r1, &s1));
1058 }
1059
1060 {
1061 /* Test additive identity. */
dd891e0e 1062 secp256k1_scalar r1, v0;
8d11164b
GM		 1063 secp256k1_scalar_set_int(&v0,0);
1064 secp256k1_scalar_add(&r1, &s1, &v0);
1065 CHECK(secp256k1_scalar_eq(&r1, &s1));
1066 }
1067
1068 {
1069 /* Test zero product property. */
dd891e0e 1070 secp256k1_scalar r1, v0;
8d11164b
GM		 1071 secp256k1_scalar_set_int(&v0,0);
1072 secp256k1_scalar_mul(&r1, &s1, &v0);
1073 CHECK(secp256k1_scalar_eq(&r1, &v0));
1074 }
1075
79359302
PW		 1076}
1077
9ab2cbe0
JN		 1078void run_scalar_set_b32_seckey_tests(void) {
1079 unsigned char b32[32];
1080 secp256k1_scalar s1;
1081 secp256k1_scalar s2;
1082
1083 /* Usually set_b32 and set_b32_seckey give the same result */
1084 random_scalar_order_b32(b32);
1085 secp256k1_scalar_set_b32(&s1, b32, NULL);
1086 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
1087 CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
1088
1089 memset(b32, 0, sizeof(b32));
1090 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1091 memset(b32, 0xFF, sizeof(b32));
1092 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1093}
1094
79359302 1095void run_scalar_tests(void) {
bf2e1ac7
GM		 1096 int i;
1097 for (i = 0; i < 128 * count; i++) {
79359302
PW		 1098 scalar_test();
1099 }
9ab2cbe0
JN		 1100 for (i = 0; i < count; i++) {
1101 run_scalar_set_b32_seckey_tests();
1102 }
659b554d
PW		 1103
1104 {
ee3eb4be 1105 /* (-1)+1 should be zero. */
dd891e0e 1106 secp256k1_scalar s, o;
659b554d 1107 secp256k1_scalar_set_int(&s, 1);
8d11164b 1108 CHECK(secp256k1_scalar_is_one(&s));
659b554d
PW		 1109 secp256k1_scalar_negate(&o, &s);
1110 secp256k1_scalar_add(&o, &o, &s);
1111 CHECK(secp256k1_scalar_is_zero(&o));
8d11164b
GM		 1112 secp256k1_scalar_negate(&o, &o);
1113 CHECK(secp256k1_scalar_is_zero(&o));
659b554d
PW		 1114 }
1115
597128d3 1116#ifndef USE_NUM_NONE
659b554d 1117 {
8f814cdd 1118 /* Test secp256k1_scalar_set_b32 boundary conditions */
dd891e0e 1119 secp256k1_num order;
8f814cdd 1120 secp256k1_scalar scalar;
bf2e1ac7 1121 unsigned char bin[32];
8f814cdd 1122 unsigned char bin_tmp[32];
659b554d 1123 int overflow = 0;
8f814cdd
JN		 1124 /* 2^256-1 - order */
1125 static const secp256k1_scalar all_ones_minus_order = SECP256K1_SCALAR_CONST(
1126 0x00000000UL, 0x00000000UL, 0x00000000UL, 0x00000001UL,
1127 0x45512319UL, 0x50B75FC4UL, 0x402DA173UL, 0x2FC9BEBEUL
1128 );
1129
1130 /* A scalar set to 0s should be 0. */
1131 memset(bin, 0, 32);
1132 secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1133 CHECK(overflow == 0);
1134 CHECK(secp256k1_scalar_is_zero(&scalar));
1135
1136 /* A scalar with value of the curve order should be 0. */
bf2e1ac7
GM		 1137 secp256k1_scalar_order_get_num(&order);
1138 secp256k1_num_get_bin(bin, 32, &order);
8f814cdd
JN		 1139 secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1140 CHECK(overflow == 1);
1141 CHECK(secp256k1_scalar_is_zero(&scalar));
1142
1143 /* A scalar with value of the curve order minus one should not overflow. */
1144 bin[31] -= 1;
1145 secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1146 CHECK(overflow == 0);
1147 secp256k1_scalar_get_b32(bin_tmp, &scalar);
1148 CHECK(memcmp(bin, bin_tmp, 32) == 0);
1149
1150 /* A scalar set to all 1s should overflow. */
1151 memset(bin, 0xFF, 32);
1152 secp256k1_scalar_set_b32(&scalar, bin, &overflow);
659b554d 1153 CHECK(overflow == 1);
8f814cdd 1154 CHECK(secp256k1_scalar_eq(&scalar, &all_ones_minus_order));
659b554d 1155 }
597128d3 1156#endif
26abce75
GM		 1157
1158 {
1159 /* Does check_overflow check catch all ones? */
1160 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1161 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1162 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1163 );
1164 CHECK(secp256k1_scalar_check_overflow(&overflowed));
1165 }
1166
1167 {
1168 /* Static test vectors.
269d4227 1169 * These were reduced from ~10^12 random vectors based on comparison-decision
26abce75
GM		 1170 * and edge-case coverage on 32-bit and 64-bit implementations.
1171 * The responses were generated with Sage 5.9.
1172 */
1173 secp256k1_scalar x;
1174 secp256k1_scalar y;
1175 secp256k1_scalar z;
1176 secp256k1_scalar zz;
1177 secp256k1_scalar one;
1178 secp256k1_scalar r1;
1179 secp256k1_scalar r2;
1180#if defined(USE_SCALAR_INV_NUM)
1181 secp256k1_scalar zzv;
1182#endif
1183 int overflow;
093a497a 1184 unsigned char chal[33][2][32] = {
26abce75
GM		 1185 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1186 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1187 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1188 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1189 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1190 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1191 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1192 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1193 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1194 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1195 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1196 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1197 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1198 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1199 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1200 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1201 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1202 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1203 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1204 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1205 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1206 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1207 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1208 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1209 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1210 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1211 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1212 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1213 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1214 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1215 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1216 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1217 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1218 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1219 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1220 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1221 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1222 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1223 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1224 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1225 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1226 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1227 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1228 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1229 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1230 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1231 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1232 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1233 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1234 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1235 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1236 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1237 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1238 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1239 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1240 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1241 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1242 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1243 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1244 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1245 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1246 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1247 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1248 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1249 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1250 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1251 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1252 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1253 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1254 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1255 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1256 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1257 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1258 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1259 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1260 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1261 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1262 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1263 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1264 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1265 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1266 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1267 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1268 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1269 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1270 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1271 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1272 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1273 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1274 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1275 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1276 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1277 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1278 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1279 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1280 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1281 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1282 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1283 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1284 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1285 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1286 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1287 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1288 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1289 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1290 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1291 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1292 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1293 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1294 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1295 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1296 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1297 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1298 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1299 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1300 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1301 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1302 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1303 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1304 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1305 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1306 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1307 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1308 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1309 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1310 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1311 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1312 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1313 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1314 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1315 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1316 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1317 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1318 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1319 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1320 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1321 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1322 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1323 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1324 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1325 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1326 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1327 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1328 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1329 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1330 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1331 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1332 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1333 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1334 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1335 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1336 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1337 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1338 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1339 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1340 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1341 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1342 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1343 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1344 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1345 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1346 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1347 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1348 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1349 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1350 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1351 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1352 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1353 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1354 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1355 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1356 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1357 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1358 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1359 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1360 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1361 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1362 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1363 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1364 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1365 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1366 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1367 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1368 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1369 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1370 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1371 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1372 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1373 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1374 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1375 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1376 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1377 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1378 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1379 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1380 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1381 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1382 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1383 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1384 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1385 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1386 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1387 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1388 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1389 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1390 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1391 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1392 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1393 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1394 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1395 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1396 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1397 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1398 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1399 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1400 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1401 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1402 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1403 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1404 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1405 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1406 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1407 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1408 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1409 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1410 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1411 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1412 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1413 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1414 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1415 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1416 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1417 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1418 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1419 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1420 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1421 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1422 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1423 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1424 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1425 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1426 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1427 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1428 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1429 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1430 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1431 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1432 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1433 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1434 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1435 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1436 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1437 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1438 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1439 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
093a497a
JN		 1440 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1441 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1442 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1443 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1444 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1445 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1446 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1447 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1448 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
26abce75 1449 };
093a497a 1450 unsigned char res[33][2][32] = {
26abce75
GM		 1451 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1452 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1453 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1454 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1455 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1456 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1457 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1458 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1459 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1460 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1461 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1462 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1463 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1464 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1465 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1466 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1467 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1468 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1469 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1470 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1471 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1472 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1473 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1474 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1475 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1476 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1477 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1478 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1479 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1480 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1481 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1482 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1483 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1484 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1485 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1486 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1487 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1488 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1489 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1490 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1491 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1492 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1493 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1494 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1495 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1496 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1497 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1498 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1499 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1500 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1501 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1502 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1503 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1504 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1505 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1506 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1507 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1508 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1509 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1510 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1511 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1512 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1513 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1514 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1515 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1516 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1517 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1518 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1519 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1520 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1521 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1522 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1523 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1524 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1525 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1526 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1527 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1528 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1529 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1530 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1531 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1532 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1533 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1534 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1535 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1536 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1537 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1538 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1539 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1540 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1541 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1542 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1543 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1544 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1545 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1546 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1547 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1548 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1549 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1550 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1551 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1552 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1553 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1554 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1555 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1556 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1557 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1558 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1559 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1560 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1561 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1562 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1563 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1564 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1565 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1566 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1567 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1568 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1569 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1570 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1571 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1572 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1573 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1574 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1575 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1576 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1577 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1578 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1579 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1580 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1581 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1582 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1583 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1584 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1585 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1586 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1587 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1588 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1589 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1590 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1591 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1592 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1593 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1594 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1595 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1596 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1597 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1598 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1599 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1600 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1601 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1602 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1603 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1604 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1605 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1606 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1607 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1608 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1609 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1610 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1611 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1612 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1613 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1614 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1615 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1616 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1617 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1618 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1619 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1620 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1621 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1622 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1623 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1624 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1625 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1626 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1627 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1628 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1629 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1630 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1631 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1632 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1633 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1634 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1635 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1636 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1637 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1638 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1639 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1640 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1641 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1642 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1643 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1644 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1645 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1646 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1647 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1648 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1649 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1650 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1651 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1652 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1653 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1654 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1655 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1656 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1657 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1658 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1659 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1660 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1661 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1662 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1663 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1664 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1665 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1666 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1667 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1668 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1669 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1670 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1671 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1672 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1673 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1674 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1675 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1676 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1677 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1678 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1679 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1680 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1681 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1682 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1683 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1684 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1685 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1686 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1687 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1688 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1689 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1690 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1691 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1692 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1693 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1694 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1695 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1696 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1697 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1698 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1699 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1700 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1701 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1702 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1703 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1704 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1705 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
093a497a
JN		 1706 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1707 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1708 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1709 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1710 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1711 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1712 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1713 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1714 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
26abce75
GM		 1715 };
1716 secp256k1_scalar_set_int(&one, 1);
093a497a 1717 for (i = 0; i < 33; i++) {
26abce75
GM		 1718 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1719 CHECK(!overflow);
1720 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1721 CHECK(!overflow);
1722 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1723 CHECK(!overflow);
1724 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1725 CHECK(!overflow);
1726 secp256k1_scalar_mul(&z, &x, &y);
1727 CHECK(!secp256k1_scalar_check_overflow(&z));
1728 CHECK(secp256k1_scalar_eq(&r1, &z));
1729 if (!secp256k1_scalar_is_zero(&y)) {
1730 secp256k1_scalar_inverse(&zz, &y);
1731 CHECK(!secp256k1_scalar_check_overflow(&zz));
1732#if defined(USE_SCALAR_INV_NUM)
1733 secp256k1_scalar_inverse_var(&zzv, &y);
1734 CHECK(secp256k1_scalar_eq(&zzv, &zz));
1735#endif
1736 secp256k1_scalar_mul(&z, &z, &zz);
1737 CHECK(!secp256k1_scalar_check_overflow(&z));
1738 CHECK(secp256k1_scalar_eq(&x, &z));
1739 secp256k1_scalar_mul(&zz, &zz, &y);
1740 CHECK(!secp256k1_scalar_check_overflow(&zz));
1741 CHECK(secp256k1_scalar_eq(&one, &zz));
1742 }
1743 secp256k1_scalar_mul(&z, &x, &x);
1744 CHECK(!secp256k1_scalar_check_overflow(&z));
1745 secp256k1_scalar_sqr(&zz, &x);
1746 CHECK(!secp256k1_scalar_check_overflow(&zz));
1747 CHECK(secp256k1_scalar_eq(&zz, &z));
1748 CHECK(secp256k1_scalar_eq(&r2, &zz));
1749 }
1750 }
79359302
PW		 1751}
1752
09ca4f32
PD		 1753/***** FIELD TESTS *****/
1754
dd891e0e 1755void random_fe(secp256k1_fe *x) {
09ca4f32 1756 unsigned char bin[32];
d907ebc0
PW		 1757 do {
1758 secp256k1_rand256(bin);
1759 if (secp256k1_fe_set_b32(x, bin)) {
1760 return;
1761 }
1762 } while(1);
09ca4f32
PD		 1763}
1764
64666251
PW		 1765void random_fe_test(secp256k1_fe *x) {
1766 unsigned char bin[32];
1767 do {
1768 secp256k1_rand256_test(bin);
1769 if (secp256k1_fe_set_b32(x, bin)) {
1770 return;
1771 }
1772 } while(1);
1773}
1774
dd891e0e 1775void random_fe_non_zero(secp256k1_fe *nz) {
6d6102fe 1776 int tries = 10;
09ca4f32 1777 while (--tries >= 0) {
6d6102fe
PD		 1778 random_fe(nz);
1779 secp256k1_fe_normalize(nz);
26320197 1780 if (!secp256k1_fe_is_zero(nz)) {
09ca4f32 1781 break;
26320197 1782 }
09ca4f32 1783 }
71712b27 1784 /* Infinitesimal probability of spurious failure here */
0592d117 1785 CHECK(tries >= 0);
09ca4f32
PD		 1786}
1787
dd891e0e
PW		 1788void random_fe_non_square(secp256k1_fe *ns) {
1789 secp256k1_fe r;
bf2e1ac7 1790 random_fe_non_zero(ns);
926836ad 1791 if (secp256k1_fe_sqrt(&r, ns)) {
6d6102fe
PD		 1792 secp256k1_fe_negate(ns, ns, 1);
1793 }
1794}
1795
dd891e0e
PW		 1796int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1797 secp256k1_fe an = *a;
1798 secp256k1_fe bn = *b;
bf2e1ac7
GM		 1799 secp256k1_fe_normalize_weak(&an);
1800 secp256k1_fe_normalize_var(&bn);
d7174edf 1801 return secp256k1_fe_equal_var(&an, &bn);
f16be77f
PD		 1802}
1803
dd891e0e
PW		 1804int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) {
1805 secp256k1_fe x;
1806 secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
bf2e1ac7 1807 secp256k1_fe_mul(&x, a, ai);
f16be77f
PD		 1808 return check_fe_equal(&x, &one);
1809}
1810
ff889f7d
PW		 1811void run_field_convert(void) {
1812 static const unsigned char b32[32] = {
1813 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1814 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1815 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1816 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1817 };
dd891e0e 1818 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
ff889f7d
PW		 1819 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1820 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1821 );
dd891e0e 1822 static const secp256k1_fe fe = SECP256K1_FE_CONST(
ff889f7d
PW		 1823 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1824 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1825 );
dd891e0e 1826 secp256k1_fe fe2;
ff889f7d 1827 unsigned char b322[32];
dd891e0e 1828 secp256k1_fe_storage fes2;
ff889f7d
PW		 1829 /* Check conversions to fe. */
1830 CHECK(secp256k1_fe_set_b32(&fe2, b32));
1831 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
ff889f7d
PW		 1832 secp256k1_fe_from_storage(&fe2, &fes);
1833 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1834 /* Check conversion from fe. */
1835 secp256k1_fe_get_b32(b322, &fe);
1836 CHECK(memcmp(b322, b32, 32) == 0);
ff889f7d
PW		 1837 secp256k1_fe_to_storage(&fes2, &fe);
1838 CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0);
1839}
1840
dd891e0e
PW		 1841int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b) {
1842 secp256k1_fe t = *b;
a0601cd7
PD		 1843#ifdef VERIFY
1844 t.magnitude = a->magnitude;
1845 t.normalized = a->normalized;
1846#endif
dd891e0e 1847 return memcmp(a, &t, sizeof(secp256k1_fe));
a0601cd7
PD		 1848}
1849
8d11164b 1850void run_field_misc(void) {
dd891e0e
PW		 1851 secp256k1_fe x;
1852 secp256k1_fe y;
1853 secp256k1_fe z;
1854 secp256k1_fe q;
1855 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
3f3964e4 1856 int i, j;
bf2e1ac7 1857 for (i = 0; i < 5*count; i++) {
dd891e0e 1858 secp256k1_fe_storage xs, ys, zs;
8d11164b
GM		 1859 random_fe(&x);
1860 random_fe_non_zero(&y);
1861 /* Test the fe equality and comparison operations. */
1862 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
d7174edf 1863 CHECK(secp256k1_fe_equal_var(&x, &x));
8d11164b
GM		 1864 z = x;
1865 secp256k1_fe_add(&z,&y);
9c4fb23d
GM		 1866 /* Test fe conditional move; z is not normalized here. */
1867 q = x;
1868 secp256k1_fe_cmov(&x, &z, 0);
dcf39202 1869#ifdef VERIFY
34a67c77 1870 CHECK(x.normalized && x.magnitude == 1);
dcf39202 1871#endif
9c4fb23d 1872 secp256k1_fe_cmov(&x, &x, 1);
a0601cd7
PD		 1873 CHECK(fe_memcmp(&x, &z) != 0);
1874 CHECK(fe_memcmp(&x, &q) == 0);
9c4fb23d 1875 secp256k1_fe_cmov(&q, &z, 1);
dcf39202
GM		 1876#ifdef VERIFY
1877 CHECK(!q.normalized && q.magnitude == z.magnitude);
1878#endif
a0601cd7 1879 CHECK(fe_memcmp(&q, &z) == 0);
a0601cd7
PD		 1880 secp256k1_fe_normalize_var(&x);
1881 secp256k1_fe_normalize_var(&z);
9c4fb23d 1882 CHECK(!secp256k1_fe_equal_var(&x, &z));
3f3964e4
PD		 1883 secp256k1_fe_normalize_var(&q);
1884 secp256k1_fe_cmov(&q, &z, (i&1));
dcf39202
GM		 1885#ifdef VERIFY
1886 CHECK(q.normalized && q.magnitude == 1);
1887#endif
3f3964e4
PD		 1888 for (j = 0; j < 6; j++) {
1889 secp256k1_fe_negate(&z, &z, j+1);
1890 secp256k1_fe_normalize_var(&q);
1891 secp256k1_fe_cmov(&q, &z, (j&1));
dcf39202 1892#ifdef VERIFY
34a67c77 1893 CHECK((q.normalized != (j&1)) && q.magnitude == ((j&1) ? z.magnitude : 1));
dcf39202 1894#endif
3f3964e4
PD		 1895 }
1896 secp256k1_fe_normalize_var(&z);
1897 /* Test storage conversion and conditional moves. */
fcc48c45
PW		 1898 secp256k1_fe_to_storage(&xs, &x);
1899 secp256k1_fe_to_storage(&ys, &y);
1900 secp256k1_fe_to_storage(&zs, &z);
1901 secp256k1_fe_storage_cmov(&zs, &xs, 0);
9c4fb23d 1902 secp256k1_fe_storage_cmov(&zs, &zs, 1);
fcc48c45
PW		 1903 CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0);
1904 secp256k1_fe_storage_cmov(&ys, &xs, 1);
1905 CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0);
1906 secp256k1_fe_from_storage(&x, &xs);
1907 secp256k1_fe_from_storage(&y, &ys);
1908 secp256k1_fe_from_storage(&z, &zs);
8d11164b
GM		 1909 /* Test that mul_int, mul, and add agree. */
1910 secp256k1_fe_add(&y, &x);
1911 secp256k1_fe_add(&y, &x);
1912 z = x;
1913 secp256k1_fe_mul_int(&z, 3);
1914 CHECK(check_fe_equal(&y, &z));
1915 secp256k1_fe_add(&y, &x);
1916 secp256k1_fe_add(&z, &x);
1917 CHECK(check_fe_equal(&z, &y));
1918 z = x;
1919 secp256k1_fe_mul_int(&z, 5);
1920 secp256k1_fe_mul(&q, &x, &fe5);
1921 CHECK(check_fe_equal(&z, &q));
1922 secp256k1_fe_negate(&x, &x, 1);
1923 secp256k1_fe_add(&z, &x);
1924 secp256k1_fe_add(&q, &x);
1925 CHECK(check_fe_equal(&y, &z));
1926 CHECK(check_fe_equal(&q, &y));
1927 }
1928}
1929
2cad067a 1930void run_field_inv(void) {
dd891e0e 1931 secp256k1_fe x, xi, xii;
bf2e1ac7
GM		 1932 int i;
1933 for (i = 0; i < 10*count; i++) {
f16be77f
PD		 1934 random_fe_non_zero(&x);
1935 secp256k1_fe_inv(&xi, &x);
1936 CHECK(check_fe_inverse(&x, &xi));
1937 secp256k1_fe_inv(&xii, &xi);
1938 CHECK(check_fe_equal(&x, &xii));
1939 }
1940}
1941
2cad067a 1942void run_field_inv_var(void) {
dd891e0e 1943 secp256k1_fe x, xi, xii;
bf2e1ac7
GM		 1944 int i;
1945 for (i = 0; i < 10*count; i++) {
f16be77f
PD		 1946 random_fe_non_zero(&x);
1947 secp256k1_fe_inv_var(&xi, &x);
1948 CHECK(check_fe_inverse(&x, &xi));
1949 secp256k1_fe_inv_var(&xii, &xi);
1950 CHECK(check_fe_equal(&x, &xii));
1951 }
1952}
1953
2cad067a 1954void run_field_inv_all_var(void) {
dd891e0e 1955 secp256k1_fe x[16], xi[16], xii[16];
bf2e1ac7 1956 int i;
71712b27 1957 /* Check it's safe to call for 0 elements */
7d893f49 1958 secp256k1_fe_inv_all_var(xi, x, 0);
bf2e1ac7
GM		 1959 for (i = 0; i < count; i++) {
1960 size_t j;
fa57f1bd 1961 size_t len = secp256k1_rand_int(15) + 1;
26320197 1962 for (j = 0; j < len; j++) {
f16be77f 1963 random_fe_non_zero(&x[j]);
26320197 1964 }
7d893f49 1965 secp256k1_fe_inv_all_var(xi, x, len);
26320197 1966 for (j = 0; j < len; j++) {
f16be77f 1967 CHECK(check_fe_inverse(&x[j], &xi[j]));
26320197 1968 }
7d893f49 1969 secp256k1_fe_inv_all_var(xii, xi, len);
26320197 1970 for (j = 0; j < len; j++) {
f16be77f 1971 CHECK(check_fe_equal(&x[j], &xii[j]));
26320197 1972 }
f16be77f
PD		 1973 }
1974}
1975
2cad067a 1976void run_sqr(void) {
dd891e0e 1977 secp256k1_fe x, s;
59447da3 1978
59447da3 1979 {
bf2e1ac7 1980 int i;
59447da3
PD		 1981 secp256k1_fe_set_int(&x, 1);
1982 secp256k1_fe_negate(&x, &x, 1);
1983
bf2e1ac7 1984 for (i = 1; i <= 512; ++i) {
59447da3
PD		 1985 secp256k1_fe_mul_int(&x, 2);
1986 secp256k1_fe_normalize(&x);
1987 secp256k1_fe_sqr(&s, &x);
59447da3
PD		 1988 }
1989 }
59447da3
PD		 1990}
1991
dd891e0e
PW		 1992void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
1993 secp256k1_fe r1, r2;
926836ad 1994 int v = secp256k1_fe_sqrt(&r1, a);
0592d117 1995 CHECK((v == 0) == (k == NULL));
09ca4f32
PD		 1996
1997 if (k != NULL) {
71712b27 1998 /* Check that the returned root is +/- the given known answer */
09ca4f32
PD		 1999 secp256k1_fe_negate(&r2, &r1, 1);
2000 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
2001 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
0592d117 2002 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
09ca4f32
PD		 2003 }
2004}
2005
2cad067a 2006void run_sqrt(void) {
dd891e0e 2007 secp256k1_fe ns, x, s, t;
bf2e1ac7 2008 int i;
6d6102fe 2009
71712b27 2010 /* Check sqrt(0) is 0 */
6d6102fe
PD		 2011 secp256k1_fe_set_int(&x, 0);
2012 secp256k1_fe_sqr(&s, &x);
2013 test_sqrt(&s, &x);
2014
71712b27 2015 /* Check sqrt of small squares (and their negatives) */
bf2e1ac7 2016 for (i = 1; i <= 100; i++) {
6d6102fe 2017 secp256k1_fe_set_int(&x, i);
09ca4f32
PD		 2018 secp256k1_fe_sqr(&s, &x);
2019 test_sqrt(&s, &x);
6d6102fe 2020 secp256k1_fe_negate(&t, &s, 1);
09ca4f32
PD		 2021 test_sqrt(&t, NULL);
2022 }
6d6102fe 2023
71712b27 2024 /* Consistency checks for large random values */
bf2e1ac7
GM		 2025 for (i = 0; i < 10; i++) {
2026 int j;
6d6102fe 2027 random_fe_non_square(&ns);
bf2e1ac7 2028 for (j = 0; j < count; j++) {
6d6102fe
PD		 2029 random_fe(&x);
2030 secp256k1_fe_sqr(&s, &x);
2031 test_sqrt(&s, &x);
2032 secp256k1_fe_negate(&t, &s, 1);
2033 test_sqrt(&t, NULL);
2034 secp256k1_fe_mul(&t, &s, &ns);
2035 test_sqrt(&t, NULL);
2036 }
2037 }
09ca4f32
PD		 2038}
2039
9338dbf7
PW		 2040/***** GROUP TESTS *****/
2041
dd891e0e 2042void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
60571c6e 2043 CHECK(a->infinity == b->infinity);
26320197 2044 if (a->infinity) {
60571c6e 2045 return;
26320197 2046 }
60571c6e 2047 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
baa75da5 2048 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
9338dbf7
PW		 2049}
2050
d2275795 2051/* This compares jacobian points including their Z, not just their geometric meaning. */
dd891e0e
PW		 2052int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
2053 secp256k1_gej a2;
2054 secp256k1_gej b2;
d2275795
GM		 2055 int ret = 1;
2056 ret &= a->infinity == b->infinity;
2057 if (ret && !a->infinity) {
2058 a2 = *a;
2059 b2 = *b;
2060 secp256k1_fe_normalize(&a2.x);
2061 secp256k1_fe_normalize(&a2.y);
2062 secp256k1_fe_normalize(&a2.z);
2063 secp256k1_fe_normalize(&b2.x);
2064 secp256k1_fe_normalize(&b2.y);
2065 secp256k1_fe_normalize(&b2.z);
2066 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
2067 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
2068 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
2069 }
2070 return ret;
2071}
2072
dd891e0e
PW		 2073void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
2074 secp256k1_fe z2s;
2075 secp256k1_fe u1, u2, s1, s2;
60571c6e 2076 CHECK(a->infinity == b->infinity);
26320197 2077 if (a->infinity) {
60571c6e 2078 return;
26320197 2079 }
60571c6e 2080 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
60571c6e 2081 secp256k1_fe_sqr(&z2s, &b->z);
60571c6e
PW		 2082 secp256k1_fe_mul(&u1, &a->x, &z2s);
2083 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
2084 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
2085 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
2086 CHECK(secp256k1_fe_equal_var(&u1, &u2));
2087 CHECK(secp256k1_fe_equal_var(&s1, &s2));
9338dbf7
PW		 2088}
2089
2cad067a 2090void test_ge(void) {
bf2e1ac7 2091 int i, i1;
76574202
PW		 2092#ifdef USE_ENDOMORPHISM
2093 int runs = 6;
2094#else
60571c6e 2095 int runs = 4;
76574202 2096#endif
60571c6e
PW		 2097 /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
2098 * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
2099 * All magnitudes are randomized.
269d4227 2100 * All 17*17 combinations of points are added to each other, using all applicable methods.
76574202
PW		 2101 *
2102 * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well.
60571c6e 2103 */
5eb030ca
WL		 2104 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
2105 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
2106 secp256k1_fe *zinv = (secp256k1_fe *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
dd891e0e
PW		 2107 secp256k1_fe zf;
2108 secp256k1_fe zfi2, zfi3;
4f9791ab 2109
60571c6e
PW		 2110 secp256k1_gej_set_infinity(&gej[0]);
2111 secp256k1_ge_clear(&ge[0]);
2112 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
bf2e1ac7
GM		 2113 for (i = 0; i < runs; i++) {
2114 int j;
dd891e0e 2115 secp256k1_ge g;
60571c6e 2116 random_group_element_test(&g);
76574202
PW		 2117#ifdef USE_ENDOMORPHISM
2118 if (i >= runs - 2) {
2119 secp256k1_ge_mul_lambda(&g, &ge[1]);
2120 }
2121 if (i >= runs - 1) {
2122 secp256k1_ge_mul_lambda(&g, &g);
2123 }
2124#endif
60571c6e
PW		 2125 ge[1 + 4 * i] = g;
2126 ge[2 + 4 * i] = g;
2127 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
2128 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
2129 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
2130 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
2131 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
2132 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
bf2e1ac7 2133 for (j = 0; j < 4; j++) {
60571c6e
PW		 2134 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
2135 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
2136 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
2137 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
2138 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
2139 }
2140 }
2141
4f9791ab
PD		 2142 /* Compute z inverses. */
2143 {
5eb030ca 2144 secp256k1_fe *zs = checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
4f9791ab
PD		 2145 for (i = 0; i < 4 * runs + 1; i++) {
2146 if (i == 0) {
2147 /* The point at infinity does not have a meaningful z inverse. Any should do. */
2148 do {
2149 random_field_element_test(&zs[i]);
2150 } while(secp256k1_fe_is_zero(&zs[i]));
2151 } else {
2152 zs[i] = gej[i].z;
2153 }
2154 }
7d893f49 2155 secp256k1_fe_inv_all_var(zinv, zs, 4 * runs + 1);
4f9791ab
PD		 2156 free(zs);
2157 }
2158
2159 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
2160 do {
2161 random_field_element_test(&zf);
2162 } while(secp256k1_fe_is_zero(&zf));
2163 random_field_element_magnitude(&zf);
2164 secp256k1_fe_inv_var(&zfi3, &zf);
2165 secp256k1_fe_sqr(&zfi2, &zfi3);
2166 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
2167
bf2e1ac7
GM		 2168 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
2169 int i2;
2170 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
60571c6e 2171 /* Compute reference result using gej + gej (var). */
dd891e0e
PW		 2172 secp256k1_gej refj, resj;
2173 secp256k1_ge ref;
2174 secp256k1_fe zr;
4f9791ab
PD		 2175 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2176 /* Check Z ratio. */
2177 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
dd891e0e 2178 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
4f9791ab
PD		 2179 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
2180 }
60571c6e
PW		 2181 secp256k1_ge_set_gej_var(&ref, &refj);
2182
2d5a186c
PD		 2183 /* Test gej + ge with Z ratio result (var). */
2184 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
60571c6e 2185 ge_equals_gej(&ref, &resj);
2d5a186c 2186 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
dd891e0e 2187 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2d5a186c
PD		 2188 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
2189 }
60571c6e 2190
4f9791ab
PD		 2191 /* Test gej + ge (var, with additional Z factor). */
2192 {
dd891e0e 2193 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
4f9791ab
PD		 2194 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
2195 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
2196 random_field_element_magnitude(&ge2_zfi.x);
2197 random_field_element_magnitude(&ge2_zfi.y);
2198 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
2199 ge_equals_gej(&ref, &resj);
2200 }
2201
60571c6e
PW		 2202 /* Test gej + ge (const). */
2203 if (i2 != 0) {
2204 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
2205 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
2206 ge_equals_gej(&ref, &resj);
2207 }
2208
2209 /* Test doubling (var). */
2210 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
dd891e0e 2211 secp256k1_fe zr2;
4f9791ab
PD		 2212 /* Normal doubling with Z ratio result. */
2213 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
60571c6e 2214 ge_equals_gej(&ref, &resj);
4f9791ab
PD		 2215 /* Check Z ratio. */
2216 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2217 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2218 /* Normal doubling. */
2219 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
60571c6e 2220 ge_equals_gej(&ref, &resj);
18d36327
PW		 2221 /* Constant-time doubling. */
2222 secp256k1_gej_double(&resj, &gej[i2]);
2223 ge_equals_gej(&ref, &resj);
60571c6e
PW		 2224 }
2225
2226 /* Test adding opposites. */
2227 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2228 CHECK(secp256k1_ge_is_infinity(&ref));
2229 }
2230
2231 /* Test adding infinity. */
2232 if (i1 == 0) {
2233 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2234 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2235 ge_equals_gej(&ref, &gej[i2]);
2236 }
2237 if (i2 == 0) {
2238 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2239 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2240 ge_equals_gej(&ref, &gej[i1]);
2241 }
2242 }
2243 }
2244
9ab93355
PW		 2245 /* Test adding all points together in random order equals infinity. */
2246 {
dd891e0e 2247 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
5eb030ca 2248 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
bf2e1ac7 2249 for (i = 0; i < 4 * runs + 1; i++) {
9ab93355
PW		 2250 gej_shuffled[i] = gej[i];
2251 }
bf2e1ac7 2252 for (i = 0; i < 4 * runs + 1; i++) {
fa57f1bd 2253 int swap = i + secp256k1_rand_int(4 * runs + 1 - i);
9ab93355 2254 if (swap != i) {
dd891e0e 2255 secp256k1_gej t = gej_shuffled[i];
9ab93355
PW		 2256 gej_shuffled[i] = gej_shuffled[swap];
2257 gej_shuffled[swap] = t;
2258 }
2259 }
bf2e1ac7 2260 for (i = 0; i < 4 * runs + 1; i++) {
4f9791ab 2261 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
9ab93355
PW		 2262 }
2263 CHECK(secp256k1_gej_is_infinity(&sum));
2264 free(gej_shuffled);
2265 }
2266
4f9791ab 2267 /* Test batch gej -> ge conversion with and without known z ratios. */
60571c6e 2268 {
5eb030ca 2269 secp256k1_fe *zr = (secp256k1_fe *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_fe));
5eb030ca 2270 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
4f9791ab
PD		 2271 for (i = 0; i < 4 * runs + 1; i++) {
2272 /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
2273 if (i < 4 * runs) {
2274 secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
2275 }
2276 }
7f7a2ed3 2277 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
bf2e1ac7 2278 for (i = 0; i < 4 * runs + 1; i++) {
dd891e0e 2279 secp256k1_fe s;
d2275795
GM		 2280 random_fe_non_zero(&s);
2281 secp256k1_gej_rescale(&gej[i], &s);
60571c6e
PW		 2282 ge_equals_gej(&ge_set_all[i], &gej[i]);
2283 }
2284 free(ge_set_all);
4f9791ab 2285 free(zr);
60571c6e
PW		 2286 }
2287
ffd3b346
AP		 2288 /* Test batch gej -> ge conversion with many infinities. */
2289 for (i = 0; i < 4 * runs + 1; i++) {
2290 random_group_element_test(&ge[i]);
271582b3 2291 /* randomly set half the points to infinity */
ffd3b346
AP		 2292 if(secp256k1_fe_is_odd(&ge[i].x)) {
2293 secp256k1_ge_set_infinity(&ge[i]);
2294 }
2295 secp256k1_gej_set_ge(&gej[i], &ge[i]);
2296 }
2297 /* batch invert */
2298 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
2299 /* check result */
2300 for (i = 0; i < 4 * runs + 1; i++) {
2301 ge_equals_gej(&ge[i], &gej[i]);
2302 }
2303
60571c6e
PW		 2304 free(ge);
2305 free(gej);
4f9791ab 2306 free(zinv);
9338dbf7
PW		 2307}
2308
8c5d5f7b
AP		 2309void test_add_neg_y_diff_x(void) {
2310 /* The point of this test is to check that we can add two points
2311 * whose y-coordinates are negatives of each other but whose x
2312 * coordinates differ. If the x-coordinates were the same, these
2313 * points would be negatives of each other and their sum is
2314 * infinity. This is cool because it "covers up" any degeneracy
2315 * in the addition algorithm that would cause the xy coordinates
2316 * of the sum to be wrong (since infinity has no xy coordinates).
2317 * HOWEVER, if the x-coordinates are different, infinity is the
2318 * wrong answer, and such degeneracies are exposed. This is the
faa2a11c
M		 2319 * root of https://github.com/bitcoin-core/secp256k1/issues/257
2320 * which this test is a regression test for.
8c5d5f7b
AP		 2321 *
2322 * These points were generated in sage as
2323 * # secp256k1 params
2324 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2325 * C = EllipticCurve ([F (0), F (7)])
2326 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2327 * N = FiniteField(G.order())
2328 *
2329 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2330 * x = polygen(N)
2331 * lam = (1 - x^3).roots()[1][0]
2332 *
2333 * # random "bad pair"
2334 * P = C.random_element()
2335 * Q = -int(lam) * P
2336 * print " P: %x %x" % P.xy()
2337 * print " Q: %x %x" % Q.xy()
2338 * print "P + Q: %x %x" % (P + Q).xy()
2339 */
dd891e0e 2340 secp256k1_gej aj = SECP256K1_GEJ_CONST(
8c5d5f7b
AP		 2341 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2342 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2343 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2344 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2345 );
dd891e0e 2346 secp256k1_gej bj = SECP256K1_GEJ_CONST(
8c5d5f7b
AP		 2347 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2348 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2349 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2350 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2351 );
dd891e0e 2352 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
8c5d5f7b
AP		 2353 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2354 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2355 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2356 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2357 );
dd891e0e
PW		 2358 secp256k1_ge b;
2359 secp256k1_gej resj;
2360 secp256k1_ge res;
8c5d5f7b
AP		 2361 secp256k1_ge_set_gej(&b, &bj);
2362
2363 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2364 secp256k1_ge_set_gej(&res, &resj);
2365 ge_equals_gej(&res, &sumj);
2366
2367 secp256k1_gej_add_ge(&resj, &aj, &b);
2368 secp256k1_ge_set_gej(&res, &resj);
2369 ge_equals_gej(&res, &sumj);
2370
2371 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2372 secp256k1_ge_set_gej(&res, &resj);
2373 ge_equals_gej(&res, &sumj);
2374}
2375
2cad067a 2376void run_ge(void) {
bf2e1ac7
GM		 2377 int i;
2378 for (i = 0; i < count * 32; i++) {
9338dbf7
PW		 2379 test_ge();
2380 }
8c5d5f7b 2381 test_add_neg_y_diff_x();
9338dbf7
PW		 2382}
2383
a5a66c70 2384void test_ec_combine(void) {
dd891e0e
PW		 2385 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2386 secp256k1_pubkey data[6];
2387 const secp256k1_pubkey* d[6];
2388 secp256k1_pubkey sd;
2389 secp256k1_pubkey sd2;
2390 secp256k1_gej Qj;
2391 secp256k1_ge Q;
a5a66c70
PW		 2392 int i;
2393 for (i = 1; i <= 6; i++) {
dd891e0e 2394 secp256k1_scalar s;
a5a66c70
PW		 2395 random_scalar_order_test(&s);
2396 secp256k1_scalar_add(&sum, &sum, &s);
2397 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2398 secp256k1_ge_set_gej(&Q, &Qj);
2399 secp256k1_pubkey_save(&data[i - 1], &Q);
2400 d[i - 1] = &data[i - 1];
2401 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2402 secp256k1_ge_set_gej(&Q, &Qj);
2403 secp256k1_pubkey_save(&sd, &Q);
dc0ce9fc 2404 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
a5a66c70
PW		 2405 CHECK(memcmp(&sd, &sd2, sizeof(sd)) == 0);
2406 }
2407}
2408
2409void run_ec_combine(void) {
2410 int i;
2411 for (i = 0; i < count * 8; i++) {
2412 test_ec_combine();
2413 }
2414}
2415
64666251
PW		 2416void test_group_decompress(const secp256k1_fe* x) {
2417 /* The input itself, normalized. */
2418 secp256k1_fe fex = *x;
e6e9805f 2419 secp256k1_fe fez;
64666251
PW		 2420 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2421 secp256k1_ge ge_quad, ge_even, ge_odd;
e6e9805f 2422 secp256k1_gej gej_quad;
64666251
PW		 2423 /* Return values of the above calls. */
2424 int res_quad, res_even, res_odd;
2425
2426 secp256k1_fe_normalize_var(&fex);
2427
926836ad 2428 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
64666251
PW		 2429 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2430 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2431
2432 CHECK(res_quad == res_even);
2433 CHECK(res_quad == res_odd);
2434
2435 if (res_quad) {
2436 secp256k1_fe_normalize_var(&ge_quad.x);
2437 secp256k1_fe_normalize_var(&ge_odd.x);
2438 secp256k1_fe_normalize_var(&ge_even.x);
2439 secp256k1_fe_normalize_var(&ge_quad.y);
2440 secp256k1_fe_normalize_var(&ge_odd.y);
2441 secp256k1_fe_normalize_var(&ge_even.y);
2442
2443 /* No infinity allowed. */
2444 CHECK(!ge_quad.infinity);
2445 CHECK(!ge_even.infinity);
2446 CHECK(!ge_odd.infinity);
2447
2448 /* Check that the x coordinates check out. */
2449 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2450 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2451 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2452
2453 /* Check that the Y coordinate result in ge_quad is a square. */
e6e9805f 2454 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
64666251
PW		 2455
2456 /* Check odd/even Y in ge_odd, ge_even. */
2457 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2458 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
e6e9805f
PW		 2459
2460 /* Check secp256k1_gej_has_quad_y_var. */
2461 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2462 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2463 do {
2464 random_fe_test(&fez);
2465 } while (secp256k1_fe_is_zero(&fez));
2466 secp256k1_gej_rescale(&gej_quad, &fez);
2467 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2468 secp256k1_gej_neg(&gej_quad, &gej_quad);
2469 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2470 do {
2471 random_fe_test(&fez);
2472 } while (secp256k1_fe_is_zero(&fez));
2473 secp256k1_gej_rescale(&gej_quad, &fez);
2474 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2475 secp256k1_gej_neg(&gej_quad, &gej_quad);
2476 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
64666251
PW		 2477 }
2478}
2479
2480void run_group_decompress(void) {
2481 int i;
2482 for (i = 0; i < count * 4; i++) {
2483 secp256k1_fe fe;
2484 random_fe_test(&fe);
2485 test_group_decompress(&fe);
2486 }
2487}
2488
09ca4f32
PD		 2489/***** ECMULT TESTS *****/
2490
2cad067a 2491void run_ecmult_chain(void) {
443cd4b8 2492 /* random starting point A (on the curve) */
dd891e0e 2493 secp256k1_gej a = SECP256K1_GEJ_CONST(
443cd4b8
PW		 2494 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2495 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2496 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2497 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2498 );
71712b27 2499 /* two random initial factors xn and gn */
dd891e0e 2500 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
443cd4b8
PW		 2501 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2502 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2503 );
dd891e0e 2504 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
443cd4b8
PW		 2505 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2506 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2507 );
71712b27 2508 /* two small multipliers to be applied to xn and gn in every iteration: */
dd891e0e
PW		 2509 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2510 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
71712b27 2511 /* accumulators with the resulting coefficients to A and G */
dd891e0e
PW		 2512 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2513 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
443cd4b8 2514 /* actual points */
cfe0ed91 2515 secp256k1_gej x;
dd891e0e 2516 secp256k1_gej x2;
443cd4b8
PW		 2517 int i;
2518
71712b27 2519 /* the point being computed */
bf2e1ac7
GM		 2520 x = a;
2521 for (i = 0; i < 200*count; i++) {
71712b27 2522 /* in each iteration, compute X = xn*X + gn*G; */
a9b6595e 2523 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
71712b27
GM		 2524 /* also compute ae and ge: the actual accumulated factors for A and G */
2525 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
f24041d6
PW		 2526 secp256k1_scalar_mul(&ae, &ae, &xn);
2527 secp256k1_scalar_mul(&ge, &ge, &xn);
2528 secp256k1_scalar_add(&ge, &ge, &gn);
71712b27 2529 /* modify xn and gn */
f24041d6
PW		 2530 secp256k1_scalar_mul(&xn, &xn, &xf);
2531 secp256k1_scalar_mul(&gn, &gn, &gf);
404c30a8 2532
71712b27 2533 /* verify */
404c30a8 2534 if (i == 19999) {
443cd4b8 2535 /* expected result after 19999 iterations */
dd891e0e 2536 secp256k1_gej rp = SECP256K1_GEJ_CONST(
443cd4b8
PW		 2537 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2538 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2539 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2540 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2541 );
2542
2543 secp256k1_gej_neg(&rp, &rp);
4f9791ab 2544 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
443cd4b8 2545 CHECK(secp256k1_gej_is_infinity(&rp));
404c30a8 2546 }
4adf6b2a 2547 }
71712b27 2548 /* redo the computation, but directly with the resulting ae and ge coefficients: */
a9b6595e 2549 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
443cd4b8 2550 secp256k1_gej_neg(&x2, &x2);
4f9791ab 2551 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
443cd4b8 2552 CHECK(secp256k1_gej_is_infinity(&x2));
a41f32e6
PW		 2553}
2554
dd891e0e 2555void test_point_times_order(const secp256k1_gej *point) {
b5c9ee75 2556 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
dd891e0e
PW		 2557 secp256k1_scalar x;
2558 secp256k1_scalar nx;
2559 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2560 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2561 secp256k1_gej res1, res2;
2562 secp256k1_ge res3;
bf2e1ac7 2563 unsigned char pub[65];
788038d3 2564 size_t psize = 65;
bf2e1ac7
GM		 2565 random_scalar_order_test(&x);
2566 secp256k1_scalar_negate(&nx, &x);
a9b6595e
PW		 2567 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2568 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
4f9791ab 2569 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
b5c9ee75 2570 CHECK(secp256k1_gej_is_infinity(&res1));
39bd94d8 2571 CHECK(secp256k1_gej_is_valid_var(&res1) == 0);
ee3eb4be
GM		 2572 secp256k1_ge_set_gej(&res3, &res1);
2573 CHECK(secp256k1_ge_is_infinity(&res3));
39bd94d8 2574 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
9234391e 2575 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
8d11164b 2576 psize = 65;
9234391e 2577 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
baa75da5
AP		 2578 /* check zero/one edge cases */
2579 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2580 secp256k1_ge_set_gej(&res3, &res1);
2581 CHECK(secp256k1_ge_is_infinity(&res3));
2582 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2583 secp256k1_ge_set_gej(&res3, &res1);
2584 ge_equals_gej(&res3, point);
2585 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2586 secp256k1_ge_set_gej(&res3, &res1);
2587 ge_equals_ge(&res3, &secp256k1_ge_const_g);
4e0ed539
PW		 2588}
2589
2cad067a 2590void run_point_times_order(void) {
bf2e1ac7 2591 int i;
dd891e0e
PW		 2592 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2593 static const secp256k1_fe xr = SECP256K1_FE_CONST(
443cd4b8
PW		 2594 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2595 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2596 );
bf2e1ac7 2597 for (i = 0; i < 500; i++) {
dd891e0e 2598 secp256k1_ge p;
39bd94d8 2599 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
dd891e0e 2600 secp256k1_gej j;
bf2e1ac7 2601 CHECK(secp256k1_ge_is_valid_var(&p));
09ca4f32 2602 secp256k1_gej_set_ge(&j, &p);
39bd94d8 2603 CHECK(secp256k1_gej_is_valid_var(&j));
09ca4f32
PD		 2604 test_point_times_order(&j);
2605 }
910d0de4 2606 secp256k1_fe_sqr(&x, &x);
4e0ed539 2607 }
443cd4b8
PW		 2608 secp256k1_fe_normalize_var(&x);
2609 CHECK(secp256k1_fe_equal_var(&x, &xr));
4e0ed539
PW		 2610}
2611
44015000
AP		 2612void ecmult_const_random_mult(void) {
2613 /* random starting point A (on the curve) */
dd891e0e 2614 secp256k1_ge a = SECP256K1_GE_CONST(
44015000
AP		 2615 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2616 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2617 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2618 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2619 );
2620 /* random initial factor xn */
dd891e0e 2621 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
44015000
AP		 2622 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2623 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2624 );
2625 /* expected xn * A (from sage) */
dd891e0e 2626 secp256k1_ge expected_b = SECP256K1_GE_CONST(
44015000
AP		 2627 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2628 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2629 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2630 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2631 );
dd891e0e 2632 secp256k1_gej b;
7c1b91ba 2633 secp256k1_ecmult_const(&b, &a, &xn, 256);
44015000
AP		 2634
2635 CHECK(secp256k1_ge_is_valid_var(&a));
2636 ge_equals_gej(&expected_b, &b);
2637}
2638
2639void ecmult_const_commutativity(void) {
dd891e0e
PW		 2640 secp256k1_scalar a;
2641 secp256k1_scalar b;
2642 secp256k1_gej res1;
2643 secp256k1_gej res2;
2644 secp256k1_ge mid1;
2645 secp256k1_ge mid2;
44015000
AP		 2646 random_scalar_order_test(&a);
2647 random_scalar_order_test(&b);
2648
7c1b91ba
AP		 2649 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
2650 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
44015000
AP		 2651 secp256k1_ge_set_gej(&mid1, &res1);
2652 secp256k1_ge_set_gej(&mid2, &res2);
7c1b91ba
AP		 2653 secp256k1_ecmult_const(&res1, &mid1, &b, 256);
2654 secp256k1_ecmult_const(&res2, &mid2, &a, 256);
44015000
AP		 2655 secp256k1_ge_set_gej(&mid1, &res1);
2656 secp256k1_ge_set_gej(&mid2, &res2);
2657 ge_equals_ge(&mid1, &mid2);
2658}
2659
2660void ecmult_const_mult_zero_one(void) {
dd891e0e
PW		 2661 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2662 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2663 secp256k1_scalar negone;
2664 secp256k1_gej res1;
2665 secp256k1_ge res2;
2666 secp256k1_ge point;
44015000
AP		 2667 secp256k1_scalar_negate(&negone, &one);
2668
2669 random_group_element_test(&point);
7c1b91ba 2670 secp256k1_ecmult_const(&res1, &point, &zero, 3);
44015000
AP		 2671 secp256k1_ge_set_gej(&res2, &res1);
2672 CHECK(secp256k1_ge_is_infinity(&res2));
7c1b91ba 2673 secp256k1_ecmult_const(&res1, &point, &one, 2);
44015000
AP		 2674 secp256k1_ge_set_gej(&res2, &res1);
2675 ge_equals_ge(&res2, &point);
7c1b91ba 2676 secp256k1_ecmult_const(&res1, &point, &negone, 256);
44015000
AP		 2677 secp256k1_gej_neg(&res1, &res1);
2678 secp256k1_ge_set_gej(&res2, &res1);
2679 ge_equals_ge(&res2, &point);
2680}
2681
2682void ecmult_const_chain_multiply(void) {
2683 /* Check known result (randomly generated test problem from sage) */
dd891e0e 2684 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
44015000
AP		 2685 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2686 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2687 );
dd891e0e 2688 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
44015000
AP		 2689 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2690 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2691 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2692 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2693 );
dd891e0e
PW		 2694 secp256k1_gej point;
2695 secp256k1_ge res;
44015000
AP		 2696 int i;
2697
2698 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2699 for (i = 0; i < 100; ++i) {
dd891e0e 2700 secp256k1_ge tmp;
44015000 2701 secp256k1_ge_set_gej(&tmp, &point);
7c1b91ba 2702 secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
44015000
AP		 2703 }
2704 secp256k1_ge_set_gej(&res, &point);
2705 ge_equals_gej(&res, &expected_point);
2706}
2707
2708void run_ecmult_const_tests(void) {
2709 ecmult_const_mult_zero_one();
2710 ecmult_const_random_mult();
2711 ecmult_const_commutativity();
2712 ecmult_const_chain_multiply();
2713}
2714
dba5471b
AP		 2715typedef struct {
2716 secp256k1_scalar *sc;
2717 secp256k1_ge *pt;
2718} ecmult_multi_data;
2719
2720static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2721 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
2722 *sc = data->sc[idx];
2723 *pt = data->pt[idx];
2724 return 1;
2725}
2726
355a38f1
JN		 2727static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2728 (void)sc;
2729 (void)pt;
2730 (void)idx;
2731 (void)cbdata;
2732 return 0;
2733}
2734
2735void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
dba5471b
AP		 2736 int ncount;
2737 secp256k1_scalar szero;
2738 secp256k1_scalar sc[32];
2739 secp256k1_ge pt[32];
2740 secp256k1_gej r;
2741 secp256k1_gej r2;
2742 ecmult_multi_data data;
dba5471b
AP		 2743
2744 data.sc = sc;
2745 data.pt = pt;
dba5471b 2746 secp256k1_scalar_set_int(&szero, 0);
355a38f1
JN		 2747
2748 /* No points to multiply */
c2b028a2 2749 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
dba5471b
AP		 2750
2751 /* Check 1- and 2-point multiplies against ecmult */
2752 for (ncount = 0; ncount < count; ncount++) {
2753 secp256k1_ge ptg;
2754 secp256k1_gej ptgj;
2755 random_scalar_order(&sc[0]);
2756 random_scalar_order(&sc[1]);
2757
2758 random_group_element_test(&ptg);
2759 secp256k1_gej_set_ge(&ptgj, &ptg);
2760 pt[0] = ptg;
2761 pt[1] = secp256k1_ge_const_g;
2762
355a38f1
JN		 2763 /* only G scalar */
2764 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
c2b028a2 2765 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
355a38f1
JN		 2766 secp256k1_gej_neg(&r2, &r2);
2767 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2768 CHECK(secp256k1_gej_is_infinity(&r));
2769
dba5471b
AP		 2770 /* 1-point */
2771 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
c2b028a2 2772 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
dba5471b
AP		 2773 secp256k1_gej_neg(&r2, &r2);
2774 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2775 CHECK(secp256k1_gej_is_infinity(&r));
2776
355a38f1 2777 /* Try to multiply 1 point, but callback returns false */
c2b028a2 2778 CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
355a38f1 2779
dba5471b
AP		 2780 /* 2-point */
2781 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
c2b028a2 2782 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
dba5471b
AP		 2783 secp256k1_gej_neg(&r2, &r2);
2784 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2785 CHECK(secp256k1_gej_is_infinity(&r));
2786
2787 /* 2-point with G scalar */
2788 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
c2b028a2 2789 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
dba5471b
AP		 2790 secp256k1_gej_neg(&r2, &r2);
2791 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2792 CHECK(secp256k1_gej_is_infinity(&r));
2793 }
2794
2795 /* Check infinite outputs of various forms */
2796 for (ncount = 0; ncount < count; ncount++) {
2797 secp256k1_ge ptg;
2798 size_t i, j;
2799 size_t sizes[] = { 2, 10, 32 };
2800
2801 for (j = 0; j < 3; j++) {
2802 for (i = 0; i < 32; i++) {
2803 random_scalar_order(&sc[i]);
2804 secp256k1_ge_set_infinity(&pt[i]);
2805 }
c2b028a2 2806 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
dba5471b
AP		 2807 CHECK(secp256k1_gej_is_infinity(&r));
2808 }
2809
2810 for (j = 0; j < 3; j++) {
2811 for (i = 0; i < 32; i++) {
2812 random_group_element_test(&ptg);
2813 pt[i] = ptg;
2814 secp256k1_scalar_set_int(&sc[i], 0);
2815 }
c2b028a2 2816 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
dba5471b
AP		 2817 CHECK(secp256k1_gej_is_infinity(&r));
2818 }
2819
2820 for (j = 0; j < 3; j++) {
2821 random_group_element_test(&ptg);
2822 for (i = 0; i < 16; i++) {
2823 random_scalar_order(&sc[2*i]);
2824 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
2825 pt[2 * i] = ptg;
2826 pt[2 * i + 1] = ptg;
2827 }
2828
c2b028a2 2829 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
dba5471b
AP		 2830 CHECK(secp256k1_gej_is_infinity(&r));
2831
2832 random_scalar_order(&sc[0]);
2833 for (i = 0; i < 16; i++) {
2834 random_group_element_test(&ptg);
2835
2836 sc[2*i] = sc[0];
2837 sc[2*i+1] = sc[0];
2838 pt[2 * i] = ptg;
2839 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
2840 }
2841
c2b028a2 2842 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
dba5471b
AP		 2843 CHECK(secp256k1_gej_is_infinity(&r));
2844 }
2845
2846 random_group_element_test(&ptg);
2847 secp256k1_scalar_set_int(&sc[0], 0);
2848 pt[0] = ptg;
2849 for (i = 1; i < 32; i++) {
2850 pt[i] = ptg;
2851
2852 random_scalar_order(&sc[i]);
2853 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
2854 secp256k1_scalar_negate(&sc[i], &sc[i]);
2855 }
2856
c2b028a2 2857 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
dba5471b
AP		 2858 CHECK(secp256k1_gej_is_infinity(&r));
2859 }
2860
2861 /* Check random points, constant scalar */
2862 for (ncount = 0; ncount < count; ncount++) {
2863 size_t i;
2864 secp256k1_gej_set_infinity(&r);
2865
2866 random_scalar_order(&sc[0]);
2867 for (i = 0; i < 20; i++) {
2868 secp256k1_ge ptg;
2869 sc[i] = sc[0];
2870 random_group_element_test(&ptg);
2871 pt[i] = ptg;
2872 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
2873 }
2874
2875 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
c2b028a2 2876 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
dba5471b
AP		 2877 secp256k1_gej_neg(&r2, &r2);
2878 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2879 CHECK(secp256k1_gej_is_infinity(&r));
2880 }
2881
2882 /* Check random scalars, constant point */
2883 for (ncount = 0; ncount < count; ncount++) {
2884 size_t i;
2885 secp256k1_ge ptg;
2886 secp256k1_gej p0j;
2887 secp256k1_scalar rs;
2888 secp256k1_scalar_set_int(&rs, 0);
2889
2890 random_group_element_test(&ptg);
2891 for (i = 0; i < 20; i++) {
2892 random_scalar_order(&sc[i]);
2893 pt[i] = ptg;
2894 secp256k1_scalar_add(&rs, &rs, &sc[i]);
2895 }
2896
2897 secp256k1_gej_set_ge(&p0j, &pt[0]);
2898 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
c2b028a2 2899 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
dba5471b
AP		 2900 secp256k1_gej_neg(&r2, &r2);
2901 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2902 CHECK(secp256k1_gej_is_infinity(&r));
2903 }
2904
2905 /* Sanity check that zero scalars don't cause problems */
95e99f19
AP		 2906 for (ncount = 0; ncount < 20; ncount++) {
2907 random_scalar_order(&sc[ncount]);
2908 random_group_element_test(&pt[ncount]);
2909 }
2910
dba5471b 2911 secp256k1_scalar_clear(&sc[0]);
c2b028a2 2912 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
dba5471b
AP		 2913 secp256k1_scalar_clear(&sc[1]);
2914 secp256k1_scalar_clear(&sc[2]);
2915 secp256k1_scalar_clear(&sc[3]);
2916 secp256k1_scalar_clear(&sc[4]);
c2b028a2
AP		 2917 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
2918 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
dba5471b
AP		 2919 CHECK(secp256k1_gej_is_infinity(&r));
2920
2921 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
2922 {
2923 const size_t TOP = 8;
2924 size_t s0i, s1i;
2925 size_t t0i, t1i;
2926 secp256k1_ge ptg;
2927 secp256k1_gej ptgj;
2928
2929 random_group_element_test(&ptg);
2930 secp256k1_gej_set_ge(&ptgj, &ptg);
2931
2932 for(t0i = 0; t0i < TOP; t0i++) {
2933 for(t1i = 0; t1i < TOP; t1i++) {
2934 secp256k1_gej t0p, t1p;
2935 secp256k1_scalar t0, t1;
2936
2937 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
2938 secp256k1_scalar_cond_negate(&t0, t0i & 1);
2939 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
2940 secp256k1_scalar_cond_negate(&t1, t1i & 1);
2941
2942 secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
2943 secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
2944
2945 for(s0i = 0; s0i < TOP; s0i++) {
2946 for(s1i = 0; s1i < TOP; s1i++) {
2947 secp256k1_scalar tmp1, tmp2;
2948 secp256k1_gej expected, actual;
2949
2950 secp256k1_ge_set_gej(&pt[0], &t0p);
2951 secp256k1_ge_set_gej(&pt[1], &t1p);
2952
2953 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
2954 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
2955 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
2956 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
2957
2958 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
2959 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
2960 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
2961
2962 secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
c2b028a2 2963 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
dba5471b
AP		 2964 secp256k1_gej_neg(&expected, &expected);
2965 secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
2966 CHECK(secp256k1_gej_is_infinity(&actual));
2967 }
2968 }
2969 }
2970 }
2971 }
355a38f1
JN		 2972}
2973
9ab96f7b
JN		 2974void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) {
2975 secp256k1_scalar szero;
2e7fc5b5
JN		 2976 secp256k1_scalar sc;
2977 secp256k1_ge pt;
9ab96f7b
JN		 2978 secp256k1_gej r;
2979 ecmult_multi_data data;
2980 secp256k1_scratch *scratch_empty;
2981
2e7fc5b5
JN		 2982 random_group_element_test(&pt);
2983 random_scalar_order(&sc);
2984 data.sc = &sc;
2985 data.pt = &pt;
9ab96f7b
JN		 2986 secp256k1_scalar_set_int(&szero, 0);
2987
2988 /* Try to multiply 1 point, but scratch space is empty.*/
2989 scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
c2b028a2
AP		 2990 CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
2991 secp256k1_scratch_destroy(&ctx->error_callback, scratch_empty);
9ab96f7b
JN		 2992}
2993
36b22c93
JN		 2994void test_secp256k1_pippenger_bucket_window_inv(void) {
2995 int i;
2996
2997 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
2998 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
2999#ifdef USE_ENDOMORPHISM
3000 /* Bucket_window of 8 is not used with endo */
3001 if (i == 8) {
3002 continue;
3003 }
3004#endif
3005 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
3006 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
3007 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
3008 }
3009 }
3010}
3011
3012/**
3013 * Probabilistically test the function returning the maximum number of possible points
3014 * for a given scratch space.
3015 */
3016void test_ecmult_multi_pippenger_max_points(void) {
3017 size_t scratch_size = secp256k1_rand_int(256);
3018 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
3019 secp256k1_scratch *scratch;
3020 size_t n_points_supported;
3021 int bucket_window = 0;
3022
3023 for(; scratch_size < max_size; scratch_size+=256) {
98836b11
AP		 3024 size_t i;
3025 size_t total_alloc;
3026 size_t checkpoint;
6fe50439 3027 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
36b22c93 3028 CHECK(scratch != NULL);
98836b11 3029 checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch);
c2b028a2 3030 n_points_supported = secp256k1_pippenger_max_points(&ctx->error_callback, scratch);
36b22c93 3031 if (n_points_supported == 0) {
c2b028a2 3032 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
36b22c93
JN		 3033 continue;
3034 }
3035 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
98836b11
AP		 3036 /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
3037 total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
3038 for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
3039 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, 1));
3040 total_alloc--;
3041 }
3042 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, total_alloc));
3043 secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint);
c2b028a2 3044 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
36b22c93
JN		 3045 }
3046 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
3047}
3048
2277af5f
JN		 3049void test_ecmult_multi_batch_size_helper(void) {
3050 size_t n_batches, n_batch_points, max_n_batch_points, n;
3051
3052 max_n_batch_points = 0;
3053 n = 1;
3054 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
3055
3056 max_n_batch_points = 1;
3057 n = 0;
3058 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3059 CHECK(n_batches == 0);
3060 CHECK(n_batch_points == 0);
3061
3062 max_n_batch_points = 2;
3063 n = 5;
3064 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3065 CHECK(n_batches == 3);
3066 CHECK(n_batch_points == 2);
3067
3068 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
3069 n = ECMULT_MAX_POINTS_PER_BATCH;
3070 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3071 CHECK(n_batches == 1);
3072 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
3073
3074 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
3075 n = ECMULT_MAX_POINTS_PER_BATCH + 1;
3076 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3077 CHECK(n_batches == 2);
3078 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
3079
3080 max_n_batch_points = 1;
3081 n = SIZE_MAX;
3082 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3083 CHECK(n_batches == SIZE_MAX);
3084 CHECK(n_batch_points == 1);
3085
3086 max_n_batch_points = 2;
3087 n = SIZE_MAX;
3088 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3089 CHECK(n_batches == SIZE_MAX/2 + 1);
3090 CHECK(n_batch_points == 2);
3091}
3092
36b22c93
JN		 3093/**
3094 * Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to
3095 * 1 <= i <= num points.
3096 */
355a38f1 3097void test_ecmult_multi_batching(void) {
36b22c93 3098 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
355a38f1
JN		 3099 secp256k1_scalar scG;
3100 secp256k1_scalar szero;
3101 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
3102 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
3103 secp256k1_gej r;
3104 secp256k1_gej r2;
3105 ecmult_multi_data data;
3106 int i;
3107 secp256k1_scratch *scratch;
3108
355a38f1
JN		 3109 secp256k1_gej_set_infinity(&r2);
3110 secp256k1_scalar_set_int(&szero, 0);
3111
36b22c93 3112 /* Get random scalars and group elements and compute result */
355a38f1
JN		 3113 random_scalar_order(&scG);
3114 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
3115 for(i = 0; i < n_points; i++) {
3116 secp256k1_ge ptg;
36b22c93 3117 secp256k1_gej ptgj;
355a38f1 3118 random_group_element_test(&ptg);
36b22c93 3119 secp256k1_gej_set_ge(&ptgj, &ptg);
355a38f1
JN		 3120 pt[i] = ptg;
3121 random_scalar_order(&sc[i]);
36b22c93
JN		 3122 secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
3123 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
355a38f1
JN		 3124 }
3125 data.sc = sc;
3126 data.pt = pt;
9ab96f7b 3127 secp256k1_gej_neg(&r2, &r2);
355a38f1 3128
28609507 3129 /* Test with empty scratch space. It should compute the correct result using
9ab96f7b 3130 * ecmult_mult_simple algorithm which doesn't require a scratch space. */
6fe50439 3131 scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
c2b028a2 3132 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
9ab96f7b
JN		 3133 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3134 CHECK(secp256k1_gej_is_infinity(&r));
c2b028a2 3135 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
355a38f1
JN		 3136
3137 /* Test with space for 1 point in pippenger. That's not enough because
9ab96f7b
JN		 3138 * ecmult_multi selects strauss which requires more memory. It should
3139 * therefore select the simple algorithm. */
6fe50439 3140 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
c2b028a2 3141 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
9ab96f7b
JN		 3142 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3143 CHECK(secp256k1_gej_is_infinity(&r));
c2b028a2 3144 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
355a38f1 3145
36b22c93 3146 for(i = 1; i <= n_points; i++) {
355a38f1
JN		 3147 if (i > ECMULT_PIPPENGER_THRESHOLD) {
3148 int bucket_window = secp256k1_pippenger_bucket_window(i);
3149 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
6fe50439 3150 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
355a38f1
JN		 3151 } else {
3152 size_t scratch_size = secp256k1_strauss_scratch_size(i);
6fe50439 3153 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
355a38f1 3154 }
c2b028a2 3155 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
355a38f1
JN		 3156 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3157 CHECK(secp256k1_gej_is_infinity(&r));
c2b028a2 3158 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
355a38f1 3159 }
355a38f1
JN		 3160 free(sc);
3161 free(pt);
3162}
3163
3164void run_ecmult_multi_tests(void) {
3165 secp256k1_scratch *scratch;
dba5471b 3166
36b22c93
JN		 3167 test_secp256k1_pippenger_bucket_window_inv();
3168 test_ecmult_multi_pippenger_max_points();
6fe50439 3169 scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
36b22c93 3170 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
bade6174 3171 test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
36b22c93 3172 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
9ab96f7b 3173 test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single);
36b22c93 3174 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
9ab96f7b 3175 test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single);
c2b028a2 3176 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
36b22c93
JN		 3177
3178 /* Run test_ecmult_multi with space for exactly one point */
6fe50439 3179 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
36b22c93 3180 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
c2b028a2 3181 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
355a38f1 3182
2277af5f 3183 test_ecmult_multi_batch_size_helper();
355a38f1 3184 test_ecmult_multi_batching();
dba5471b
AP		 3185}
3186
dd891e0e
PW		 3187void test_wnaf(const secp256k1_scalar *number, int w) {
3188 secp256k1_scalar x, two, t;
bf2e1ac7
GM		 3189 int wnaf[256];
3190 int zeroes = -1;
3191 int i;
3192 int bits;
f24041d6
PW		 3193 secp256k1_scalar_set_int(&x, 0);
3194 secp256k1_scalar_set_int(&two, 2);
55399c23 3195 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
0b730597 3196 CHECK(bits <= 256);
bf2e1ac7 3197 for (i = bits-1; i >= 0; i--) {
b1483f87 3198 int v = wnaf[i];
bf2e1ac7 3199 secp256k1_scalar_mul(&x, &x, &two);
4e0ed539 3200 if (v) {
71712b27 3201 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
4e0ed539 3202 zeroes=0;
71712b27
GM		 3203 CHECK((v & 1) == 1); /* check non-zero elements are odd */
3204 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
3205 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
4e0ed539 3206 } else {
71712b27 3207 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
4e0ed539
PW		 3208 zeroes++;
3209 }
f24041d6
PW		 3210 if (v >= 0) {
3211 secp256k1_scalar_set_int(&t, v);
3212 } else {
3213 secp256k1_scalar_set_int(&t, -v);
3214 secp256k1_scalar_negate(&t, &t);
3215 }
3216 secp256k1_scalar_add(&x, &x, &t);
4e0ed539 3217 }
f24041d6 3218 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
4e0ed539
PW		 3219}
3220
dd891e0e
PW		 3221void test_constant_wnaf_negate(const secp256k1_scalar *number) {
3222 secp256k1_scalar neg1 = *number;
3223 secp256k1_scalar neg2 = *number;
44015000
AP		 3224 int sign1 = 1;
3225 int sign2 = 1;
3226
3227 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
3228 secp256k1_scalar_negate(&neg1, &neg1);
3229 sign1 = -1;
3230 }
3231 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
3232 CHECK(sign1 == sign2);
3233 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
3234}
3235
dd891e0e
PW		 3236void test_constant_wnaf(const secp256k1_scalar *number, int w) {
3237 secp256k1_scalar x, shift;
44015000
AP		 3238 int wnaf[256] = {0};
3239 int i;
92e53fc4 3240 int skew;
7c1b91ba 3241 int bits = 256;
dd891e0e 3242 secp256k1_scalar num = *number;
6bb0b77e 3243 secp256k1_scalar scalar_skew;
44015000
AP		 3244
3245 secp256k1_scalar_set_int(&x, 0);
3246 secp256k1_scalar_set_int(&shift, 1 << w);
92e53fc4
AP		 3247 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3248#ifdef USE_ENDOMORPHISM
912f203f 3249 for (i = 0; i < 16; ++i) {
92e53fc4 3250 secp256k1_scalar_shr_int(&num, 8);
912f203f 3251 }
7c1b91ba 3252 bits = 128;
92e53fc4 3253#endif
8979ec0d 3254 skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
44015000 3255
7c1b91ba 3256 for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
dd891e0e 3257 secp256k1_scalar t;
44015000
AP		 3258 int v = wnaf[i];
3259 CHECK(v != 0); /* check nonzero */
3260 CHECK(v & 1); /* check parity */
3261 CHECK(v > -(1 << w)); /* check range above */
3262 CHECK(v < (1 << w)); /* check range below */
3263
3264 secp256k1_scalar_mul(&x, &x, &shift);
3265 if (v >= 0) {
3266 secp256k1_scalar_set_int(&t, v);
3267 } else {
3268 secp256k1_scalar_set_int(&t, -v);
3269 secp256k1_scalar_negate(&t, &t);
3270 }
3271 secp256k1_scalar_add(&x, &x, &t);
3272 }
c6191fde 3273 /* Skew num because when encoding numbers as odd we use an offset */
6bb0b77e
JN		 3274 secp256k1_scalar_set_int(&scalar_skew, 1 << (skew == 2));
3275 secp256k1_scalar_add(&num, &num, &scalar_skew);
92e53fc4 3276 CHECK(secp256k1_scalar_eq(&x, &num));
44015000
AP		 3277}
3278
355a38f1
JN		 3279void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
3280 secp256k1_scalar x, shift;
3281 int wnaf[256] = {0};
3282 int i;
3283 int skew;
3284 secp256k1_scalar num = *number;
3285
3286 secp256k1_scalar_set_int(&x, 0);
3287 secp256k1_scalar_set_int(&shift, 1 << w);
3288 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3289#ifdef USE_ENDOMORPHISM
3290 for (i = 0; i < 16; ++i) {
3291 secp256k1_scalar_shr_int(&num, 8);
3292 }
3293#endif
3294 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3295
3296 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3297 secp256k1_scalar t;
3298 int v = wnaf[i];
6dbb0078 3299 CHECK(v == 0 || v & 1); /* check parity */
355a38f1
JN		 3300 CHECK(v > -(1 << w)); /* check range above */
3301 CHECK(v < (1 << w)); /* check range below */
3302
3303 secp256k1_scalar_mul(&x, &x, &shift);
3304 if (v >= 0) {
3305 secp256k1_scalar_set_int(&t, v);
3306 } else {
3307 secp256k1_scalar_set_int(&t, -v);
3308 secp256k1_scalar_negate(&t, &t);
3309 }
3310 secp256k1_scalar_add(&x, &x, &t);
3311 }
3312 /* If skew is 1 then add 1 to num */
3313 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
3314 CHECK(secp256k1_scalar_eq(&x, &num));
3315}
3316
ec0a7b3a
JN		 3317/* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
3318 * rest is 0.*/
3319void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
3320 int i;
3321 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
3322 CHECK(wnaf[i] == 0);
3323 }
3324 for (i = 7; i >= 0; --i) {
3325 CHECK(wnaf[i] == wnaf_expected[i]);
3326 }
3327}
3328
3329void test_fixed_wnaf_small(void) {
3330 int w = 4;
355a38f1
JN		 3331 int wnaf[256] = {0};
3332 int i;
3333 int skew;
3334 secp256k1_scalar num;
3335
3336 secp256k1_scalar_set_int(&num, 0);
3337 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
355a38f1
JN		 3338 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3339 int v = wnaf[i];
3340 CHECK(v == 0);
3341 }
3342 CHECK(skew == 0);
ec0a7b3a
JN		 3343
3344 secp256k1_scalar_set_int(&num, 1);
3345 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3346 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
3347 int v = wnaf[i];
3348 CHECK(v == 0);
3349 }
3350 CHECK(wnaf[0] == 1);
3351 CHECK(skew == 0);
3352
3353 {
3354 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
3355 secp256k1_scalar_set_int(&num, 0xffffffff);
3356 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3357 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3358 CHECK(skew == 0);
3359 }
3360 {
3361 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
3362 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
3363 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3364 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3365 CHECK(skew == 1);
3366 }
3367 {
3368 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
3369 secp256k1_scalar_set_int(&num, 0x01010101);
3370 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3371 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3372 CHECK(skew == 0);
3373 }
3374 {
3375 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
3376 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
3377 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3378 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3379 CHECK(skew == 0);
3380 }
355a38f1
JN		 3381}
3382
2cad067a 3383void run_wnaf(void) {
bf2e1ac7 3384 int i;
dd891e0e 3385 secp256k1_scalar n = {{0}};
44015000 3386
6bb0b77e 3387 test_constant_wnaf(&n, 4);
44015000
AP		 3388 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
3389 * have easier-to-diagnose failure modes */
3390 n.d[0] = 1;
3391 test_constant_wnaf(&n, 4);
3392 n.d[0] = 2;
3393 test_constant_wnaf(&n, 4);
6bb0b77e
JN		 3394 /* Test -1, because it's a special case in wnaf_const */
3395 n = secp256k1_scalar_one;
3396 secp256k1_scalar_negate(&n, &n);
3397 test_constant_wnaf(&n, 4);
3398
3399 /* Test -2, which may not lead to overflows in wnaf_const */
3400 secp256k1_scalar_add(&n, &secp256k1_scalar_one, &secp256k1_scalar_one);
3401 secp256k1_scalar_negate(&n, &n);
3402 test_constant_wnaf(&n, 4);
3403
3404 /* Test (1/2) - 1 = 1/-2 and 1/2 = (1/-2) + 1
3405 as corner cases of negation handling in wnaf_const */
3406 secp256k1_scalar_inverse(&n, &n);
3407 test_constant_wnaf(&n, 4);
3408
3409 secp256k1_scalar_add(&n, &n, &secp256k1_scalar_one);
3410 test_constant_wnaf(&n, 4);
3411
3412 /* Test 0 for fixed wnaf */
ec0a7b3a 3413 test_fixed_wnaf_small();
44015000 3414 /* Random tests */
bf2e1ac7 3415 for (i = 0; i < count; i++) {
f24041d6 3416 random_scalar_order(&n);
eb0be8ee 3417 test_wnaf(&n, 4+(i%10));
44015000
AP		 3418 test_constant_wnaf_negate(&n);
3419 test_constant_wnaf(&n, 4 + (i % 10));
355a38f1 3420 test_fixed_wnaf(&n, 4 + (i % 10));
4e0ed539 3421 }
96be2046
GM		 3422 secp256k1_scalar_set_int(&n, 0);
3423 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
3424 CHECK(secp256k1_scalar_is_zero(&n));
3425 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
3426 CHECK(secp256k1_scalar_is_zero(&n));
4e0ed539 3427}
a41f32e6 3428
d2275795
GM		 3429void test_ecmult_constants(void) {
3430 /* Test ecmult_gen() for [0..36) and [order-36..0). */
dd891e0e
PW		 3431 secp256k1_scalar x;
3432 secp256k1_gej r;
3433 secp256k1_ge ng;
d2275795
GM		 3434 int i;
3435 int j;
3436 secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
3437 for (i = 0; i < 36; i++ ) {
3438 secp256k1_scalar_set_int(&x, i);
3439 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3440 for (j = 0; j < i; j++) {
3441 if (j == i - 1) {
3442 ge_equals_gej(&secp256k1_ge_const_g, &r);
3443 }
3444 secp256k1_gej_add_ge(&r, &r, &ng);
3445 }
3446 CHECK(secp256k1_gej_is_infinity(&r));
3447 }
3448 for (i = 1; i <= 36; i++ ) {
3449 secp256k1_scalar_set_int(&x, i);
3450 secp256k1_scalar_negate(&x, &x);
3451 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3452 for (j = 0; j < i; j++) {
3453 if (j == i - 1) {
3454 ge_equals_gej(&ng, &r);
3455 }
3456 secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
3457 }
3458 CHECK(secp256k1_gej_is_infinity(&r));
3459 }
3460}
3461
3462void run_ecmult_constants(void) {
3463 test_ecmult_constants();
3464}
3465
3466void test_ecmult_gen_blind(void) {
269d4227 3467 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
dd891e0e
PW		 3468 secp256k1_scalar key;
3469 secp256k1_scalar b;
d2275795 3470 unsigned char seed32[32];
dd891e0e
PW		 3471 secp256k1_gej pgej;
3472 secp256k1_gej pgej2;
3473 secp256k1_gej i;
3474 secp256k1_ge pge;
d2275795
GM		 3475 random_scalar_order_test(&key);
3476 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
3477 secp256k1_rand256(seed32);
3478 b = ctx->ecmult_gen_ctx.blind;
3479 i = ctx->ecmult_gen_ctx.initial;
3480 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
3481 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3482 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
3483 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
3484 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
3485 secp256k1_ge_set_gej(&pge, &pgej);
3486 ge_equals_gej(&pge, &pgej2);
3487}
3488
3489void test_ecmult_gen_blind_reset(void) {
3490 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
dd891e0e
PW		 3491 secp256k1_scalar b;
3492 secp256k1_gej initial;
d2275795
GM		 3493 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3494 b = ctx->ecmult_gen_ctx.blind;
3495 initial = ctx->ecmult_gen_ctx.initial;
3496 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3497 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3498 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
3499}
3500
3501void run_ecmult_gen_blind(void) {
3502 int i;
3503 test_ecmult_gen_blind_reset();
3504 for (i = 0; i < 10; i++) {
3505 test_ecmult_gen_blind();
3506 }
3507}
3508
baa75da5
AP		 3509#ifdef USE_ENDOMORPHISM
3510/***** ENDOMORPHISH TESTS *****/
3511void test_scalar_split(void) {
dd891e0e
PW		 3512 secp256k1_scalar full;
3513 secp256k1_scalar s1, slam;
baa75da5
AP		 3514 const unsigned char zero[32] = {0};
3515 unsigned char tmp[32];
3516
3517 random_scalar_order_test(&full);
ed35d43a 3518 secp256k1_scalar_split_lambda(&s1, &slam, &full);
baa75da5
AP		 3519
3520 /* check that both are <= 128 bits in size */
912f203f 3521 if (secp256k1_scalar_is_high(&s1)) {
baa75da5 3522 secp256k1_scalar_negate(&s1, &s1);
912f203f
GM		 3523 }
3524 if (secp256k1_scalar_is_high(&slam)) {
baa75da5 3525 secp256k1_scalar_negate(&slam, &slam);
912f203f 3526 }
baa75da5
AP		 3527
3528 secp256k1_scalar_get_b32(tmp, &s1);
3529 CHECK(memcmp(zero, tmp, 16) == 0);
3530 secp256k1_scalar_get_b32(tmp, &slam);
3531 CHECK(memcmp(zero, tmp, 16) == 0);
3532}
3533
3534void run_endomorphism_tests(void) {
3535 test_scalar_split();
3536}
3537#endif
d2275795 3538
67f7da40
GM		 3539void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
3540 unsigned char pubkeyc[65];
3541 secp256k1_pubkey pubkey;
3542 secp256k1_ge ge;
3543 size_t pubkeyclen;
3544 int32_t ecount;
3545 ecount = 0;
3546 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3547 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
3548 /* Smaller sizes are tested exhaustively elsewhere. */
3549 int32_t i;
3550 memcpy(&pubkeyc[1], input, 64);
3551 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
3552 for (i = 0; i < 256; i++) {
3553 /* Try all type bytes. */
3554 int xpass;
3555 int ypass;
3556 int ysign;
3557 pubkeyc[0] = i;
3558 /* What sign does this point have? */
3559 ysign = (input[63] & 1) + 2;
3560 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
3561 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
3562 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
3563 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
3564 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
3565 if (xpass || ypass) {
3566 /* These cases must parse. */
3567 unsigned char pubkeyo[65];
3568 size_t outl;
3569 memset(&pubkey, 0, sizeof(pubkey));
3570 VG_UNDEF(&pubkey, sizeof(pubkey));
3571 ecount = 0;
3572 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3573 VG_CHECK(&pubkey, sizeof(pubkey));
3574 outl = 65;
3575 VG_UNDEF(pubkeyo, 65);
3576 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3577 VG_CHECK(pubkeyo, outl);
3578 CHECK(outl == 33);
3579 CHECK(memcmp(&pubkeyo[1], &pubkeyc[1], 32) == 0);
3580 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
3581 if (ypass) {
3582 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
3583 CHECK(pubkeyo[0] == ysign);
3584 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3585 memset(&pubkey, 0, sizeof(pubkey));
3586 VG_UNDEF(&pubkey, sizeof(pubkey));
3587 secp256k1_pubkey_save(&pubkey, &ge);
3588 VG_CHECK(&pubkey, sizeof(pubkey));
3589 outl = 65;
3590 VG_UNDEF(pubkeyo, 65);
1a368980 3591 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
67f7da40
GM		 3592 VG_CHECK(pubkeyo, outl);
3593 CHECK(outl == 65);
3594 CHECK(pubkeyo[0] == 4);
3595 CHECK(memcmp(&pubkeyo[1], input, 64) == 0);
3596 }
3597 CHECK(ecount == 0);
3598 } else {
3599 /* These cases must fail to parse. */
3600 memset(&pubkey, 0xfe, sizeof(pubkey));
3601 ecount = 0;
3602 VG_UNDEF(&pubkey, sizeof(pubkey));
3603 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
3604 VG_CHECK(&pubkey, sizeof(pubkey));
3605 CHECK(ecount == 0);
3606 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3607 CHECK(ecount == 1);
3608 }
3609 }
3610 }
3611 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3612}
3613
3614void run_ec_pubkey_parse_test(void) {
3615#define SECP256K1_EC_PARSE_TEST_NVALID (12)
3616 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
3617 {
3618 /* Point with leading and trailing zeros in x and y serialization. */
3619 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
3620 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3621 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
3622 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
3623 },
3624 {
3625 /* Point with x equal to a 3rd root of unity.*/
3626 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
3627 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
3628 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3629 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3630 },
3631 {
3632 /* Point with largest x. (1/2) */
3633 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3634 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3635 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
3636 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
3637 },
3638 {
3639 /* Point with largest x. (2/2) */
3640 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3641 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3642 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
3643 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
3644 },
3645 {
3646 /* Point with smallest x. (1/2) */
3647 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3648 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3649 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3650 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3651 },
3652 {
3653 /* Point with smallest x. (2/2) */
3654 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3655 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3656 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3657 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3658 },
3659 {
3660 /* Point with largest y. (1/3) */
3661 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3662 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3663 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3664 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3665 },
3666 {
3667 /* Point with largest y. (2/3) */
3668 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3669 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3670 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3671 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3672 },
3673 {
3674 /* Point with largest y. (3/3) */
3675 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3676 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3677 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3678 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3679 },
3680 {
3681 /* Point with smallest y. (1/3) */
3682 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3683 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3684 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3685 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3686 },
3687 {
3688 /* Point with smallest y. (2/3) */
3689 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3690 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3691 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3692 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3693 },
3694 {
3695 /* Point with smallest y. (3/3) */
3696 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3697 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3698 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3699 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
3700 }
3701 };
3702#define SECP256K1_EC_PARSE_TEST_NXVALID (4)
3703 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
3704 {
3705 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
3706 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3707 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3708 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3709 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3710 },
3711 {
3712 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
3713 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3714 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3715 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3716 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3717 },
3718 {
3719 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
3720 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3721 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3722 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3723 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3724 },
3725 {
3726 /* x on curve, y is from y^2 = x^3 + 8. */
3727 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3728 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3729 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3730 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
3731 }
3732 };
3733#define SECP256K1_EC_PARSE_TEST_NINVALID (7)
3734 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
3735 {
3736 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
3737 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
3738 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
3739 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3740 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3741 },
3742 {
3743 /* Valid if x overflow ignored (x = 1 mod p). */
3744 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3745 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3746 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3747 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3748 },
3749 {
3750 /* Valid if x overflow ignored (x = 1 mod p). */
3751 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3752 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3753 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3754 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3755 },
3756 {
3757 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3758 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3759 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3760 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
3761 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
3762 },
3763 {
3764 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3765 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3766 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3767 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
3768 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
3769 },
3770 {
3771 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3772 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3773 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3774 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
3775 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
3776 },
3777 {
3778 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3779 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3780 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3781 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
3782 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
3783 }
3784 };
3785 const unsigned char pubkeyc[66] = {
3786 /* Serialization of G. */
3787 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
3788 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
3789 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
3790 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
3791 0xB8, 0x00
3792 };
5b71a3f4 3793 unsigned char sout[65];
67f7da40
GM		 3794 unsigned char shortkey[2];
3795 secp256k1_ge ge;
3796 secp256k1_pubkey pubkey;
5b71a3f4 3797 size_t len;
67f7da40
GM		 3798 int32_t i;
3799 int32_t ecount;
3800 int32_t ecount2;
3801 ecount = 0;
3802 /* Nothing should be reading this far into pubkeyc. */
3803 VG_UNDEF(&pubkeyc[65], 1);
3804 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3805 /* Zero length claimed, fail, zeroize, no illegal arg error. */
3806 memset(&pubkey, 0xfe, sizeof(pubkey));
3807 ecount = 0;
3808 VG_UNDEF(shortkey, 2);
3809 VG_UNDEF(&pubkey, sizeof(pubkey));
3810 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
3811 VG_CHECK(&pubkey, sizeof(pubkey));
3812 CHECK(ecount == 0);
3813 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3814 CHECK(ecount == 1);
3815 /* Length one claimed, fail, zeroize, no illegal arg error. */
3816 for (i = 0; i < 256 ; i++) {
3817 memset(&pubkey, 0xfe, sizeof(pubkey));
3818 ecount = 0;
3819 shortkey[0] = i;
3820 VG_UNDEF(&shortkey[1], 1);
3821 VG_UNDEF(&pubkey, sizeof(pubkey));
3822 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
3823 VG_CHECK(&pubkey, sizeof(pubkey));
3824 CHECK(ecount == 0);
3825 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3826 CHECK(ecount == 1);
3827 }
3828 /* Length two claimed, fail, zeroize, no illegal arg error. */
3829 for (i = 0; i < 65536 ; i++) {
3830 memset(&pubkey, 0xfe, sizeof(pubkey));
3831 ecount = 0;
3832 shortkey[0] = i & 255;
3833 shortkey[1] = i >> 8;
3834 VG_UNDEF(&pubkey, sizeof(pubkey));
3835 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
3836 VG_CHECK(&pubkey, sizeof(pubkey));
3837 CHECK(ecount == 0);
3838 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3839 CHECK(ecount == 1);
3840 }
3841 memset(&pubkey, 0xfe, sizeof(pubkey));
3842 ecount = 0;
3843 VG_UNDEF(&pubkey, sizeof(pubkey));
3844 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
3845 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
3846 VG_CHECK(&pubkey, sizeof(pubkey));
3847 CHECK(ecount == 0);
3848 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3849 CHECK(ecount == 1);
3850 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
3851 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
3852 CHECK(ecount == 2);
3853 /* NULL input string. Illegal arg and zeroize output. */
3854 memset(&pubkey, 0xfe, sizeof(pubkey));
3855 ecount = 0;
3856 VG_UNDEF(&pubkey, sizeof(pubkey));
3857 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
3858 VG_CHECK(&pubkey, sizeof(pubkey));
3859 CHECK(ecount == 1);
3860 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3861 CHECK(ecount == 2);
3862 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
3863 memset(&pubkey, 0xfe, sizeof(pubkey));
3864 ecount = 0;
3865 VG_UNDEF(&pubkey, sizeof(pubkey));
3866 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
3867 VG_CHECK(&pubkey, sizeof(pubkey));
3868 CHECK(ecount == 0);
3869 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3870 CHECK(ecount == 1);
3871 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
3872 memset(&pubkey, 0xfe, sizeof(pubkey));
3873 ecount = 0;
3874 VG_UNDEF(&pubkey, sizeof(pubkey));
3875 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
3876 VG_CHECK(&pubkey, sizeof(pubkey));
3877 CHECK(ecount == 0);
3878 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3879 CHECK(ecount == 1);
3880 /* Valid parse. */
3881 memset(&pubkey, 0, sizeof(pubkey));
3882 ecount = 0;
3883 VG_UNDEF(&pubkey, sizeof(pubkey));
3884 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
ed7c0841 3885 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
67f7da40
GM		 3886 VG_CHECK(&pubkey, sizeof(pubkey));
3887 CHECK(ecount == 0);
3888 VG_UNDEF(&ge, sizeof(ge));
3889 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3890 VG_CHECK(&ge.x, sizeof(ge.x));
3891 VG_CHECK(&ge.y, sizeof(ge.y));
3892 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
3893 ge_equals_ge(&secp256k1_ge_const_g, &ge);
3894 CHECK(ecount == 0);
5b71a3f4
GM		 3895 /* secp256k1_ec_pubkey_serialize illegal args. */
3896 ecount = 0;
3897 len = 65;
3898 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3899 CHECK(ecount == 1);
3900 CHECK(len == 0);
3901 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3902 CHECK(ecount == 2);
3903 len = 65;
3904 VG_UNDEF(sout, 65);
3905 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
3906 VG_CHECK(sout, 65);
3907 CHECK(ecount == 3);
3908 CHECK(len == 0);
3909 len = 65;
3910 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
3911 CHECK(ecount == 4);
3912 CHECK(len == 0);
3913 len = 65;
3914 VG_UNDEF(sout, 65);
3915 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3916 VG_CHECK(sout, 65);
3917 CHECK(ecount == 4);
3918 CHECK(len == 65);
67f7da40
GM		 3919 /* Multiple illegal args. Should still set arg error only once. */
3920 ecount = 0;
3921 ecount2 = 11;
3922 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3923 CHECK(ecount == 1);
3924 /* Does the illegal arg callback actually change the behavior? */
3925 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
3926 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3927 CHECK(ecount == 1);
3928 CHECK(ecount2 == 10);
3929 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3930 /* Try a bunch of prefabbed points with all possible encodings. */
3931 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
3932 ec_pubkey_parse_pointtest(valid[i], 1, 1);
3933 }
3934 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
3935 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
3936 }
3937 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
3938 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
3939 }
3940}
3941
96be2046
GM		 3942void run_eckey_edge_case_test(void) {
3943 const unsigned char orderc[32] = {
3944 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3945 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3946 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3947 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
3948 };
3949 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
c69dea02
GM		 3950 unsigned char ctmp[33];
3951 unsigned char ctmp2[33];
96be2046
GM		 3952 secp256k1_pubkey pubkey;
3953 secp256k1_pubkey pubkey2;
c69dea02
GM		 3954 secp256k1_pubkey pubkey_one;
3955 secp256k1_pubkey pubkey_negone;
3956 const secp256k1_pubkey *pubkeys[3];
3957 size_t len;
96be2046
GM		 3958 int32_t ecount;
3959 /* Group order is too large, reject. */
3960 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
3961 VG_UNDEF(&pubkey, sizeof(pubkey));
3962 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
3963 VG_CHECK(&pubkey, sizeof(pubkey));
3964 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3965 /* Maximum value is too large, reject. */
3966 memset(ctmp, 255, 32);
3967 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3968 memset(&pubkey, 1, sizeof(pubkey));
3969 VG_UNDEF(&pubkey, sizeof(pubkey));
3970 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3971 VG_CHECK(&pubkey, sizeof(pubkey));
3972 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3973 /* Zero is too small, reject. */
3974 memset(ctmp, 0, 32);
3975 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3976 memset(&pubkey, 1, sizeof(pubkey));
3977 VG_UNDEF(&pubkey, sizeof(pubkey));
3978 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3979 VG_CHECK(&pubkey, sizeof(pubkey));
3980 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3981 /* One must be accepted. */
3982 ctmp[31] = 0x01;
3983 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3984 memset(&pubkey, 0, sizeof(pubkey));
3985 VG_UNDEF(&pubkey, sizeof(pubkey));
3986 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3987 VG_CHECK(&pubkey, sizeof(pubkey));
3988 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
c69dea02 3989 pubkey_one = pubkey;
96be2046
GM		 3990 /* Group order + 1 is too large, reject. */
3991 memcpy(ctmp, orderc, 32);
3992 ctmp[31] = 0x42;
3993 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3994 memset(&pubkey, 1, sizeof(pubkey));
3995 VG_UNDEF(&pubkey, sizeof(pubkey));
3996 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3997 VG_CHECK(&pubkey, sizeof(pubkey));
3998 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3999 /* -1 must be accepted. */
4000 ctmp[31] = 0x40;
4001 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4002 memset(&pubkey, 0, sizeof(pubkey));
4003 VG_UNDEF(&pubkey, sizeof(pubkey));
4004 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
4005 VG_CHECK(&pubkey, sizeof(pubkey));
4006 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
c69dea02 4007 pubkey_negone = pubkey;
0e96cdc6 4008 /* Tweak of zero leaves the value unchanged. */
96be2046 4009 memset(ctmp2, 0, 32);
41fc7856 4010 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 1);
96be2046
GM		 4011 CHECK(memcmp(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
4012 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
4013 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4014 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4015 /* Multiply tweak of zero zeroizes the output. */
41fc7856 4016 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
96be2046
GM		 4017 CHECK(memcmp(zeros, ctmp, 32) == 0);
4018 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
4019 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
4020 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5894e1f1
JN		 4021 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
4022 seckey, the seckey is zeroized. */
4023 memcpy(ctmp, orderc, 32);
4024 memset(ctmp2, 0, 32);
4025 ctmp2[31] = 0x01;
4026 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp2) == 1);
4027 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
41fc7856 4028 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 0);
5894e1f1
JN		 4029 CHECK(memcmp(zeros, ctmp, 32) == 0);
4030 memcpy(ctmp, orderc, 32);
41fc7856 4031 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
5894e1f1
JN		 4032 CHECK(memcmp(zeros, ctmp, 32) == 0);
4033 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
4034 tweak, the seckey is zeroized. */
96be2046
GM		 4035 memcpy(ctmp, orderc, 32);
4036 ctmp[31] = 0x40;
41fc7856 4037 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, orderc) == 0);
96be2046
GM		 4038 CHECK(memcmp(zeros, ctmp, 32) == 0);
4039 memcpy(ctmp, orderc, 32);
4040 ctmp[31] = 0x40;
41fc7856 4041 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, orderc) == 0);
96be2046
GM		 4042 CHECK(memcmp(zeros, ctmp, 32) == 0);
4043 memcpy(ctmp, orderc, 32);
4044 ctmp[31] = 0x40;
5894e1f1
JN		 4045 /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
4046 tweak, the pubkey is zeroized. */
96be2046
GM		 4047 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
4048 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
4049 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4050 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
4051 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
4052 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
5894e1f1
JN		 4053 /* If the resulting key in secp256k1_ec_seckey_tweak_add and
4054 * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
4055 * case the pubkey is zeroized. */
4056 memcpy(ctmp, orderc, 32);
4057 ctmp[31] = 0x40;
4058 memset(ctmp2, 0, 32);
96be2046 4059 ctmp2[31] = 1;
41fc7856 4060 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 0);
96be2046
GM		 4061 CHECK(memcmp(zeros, ctmp2, 32) == 0);
4062 ctmp2[31] = 1;
4063 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
4064 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
4065 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4066 /* Tweak computation wraps and results in a key of 1. */
4067 ctmp2[31] = 2;
41fc7856 4068 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 1);
96be2046
GM		 4069 CHECK(memcmp(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
4070 ctmp2[31] = 2;
4071 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4072 ctmp2[31] = 1;
4073 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
4074 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4075 /* Tweak mul * 2 = 1+1. */
4076 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4077 ctmp2[31] = 2;
4078 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
4079 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4080 /* Test argument errors. */
4081 ecount = 0;
4082 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4083 CHECK(ecount == 0);
4084 /* Zeroize pubkey on parse error. */
4085 memset(&pubkey, 0, 32);
4086 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
4087 CHECK(ecount == 1);
4088 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
4089 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4090 memset(&pubkey2, 0, 32);
4091 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
4092 CHECK(ecount == 2);
4093 CHECK(memcmp(&pubkey2, zeros, sizeof(pubkey2)) == 0);
4094 /* Plain argument errors. */
4095 ecount = 0;
4096 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4097 CHECK(ecount == 0);
4098 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
4099 CHECK(ecount == 1);
4100 ecount = 0;
4101 memset(ctmp2, 0, 32);
4102 ctmp2[31] = 4;
4103 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
4104 CHECK(ecount == 1);
4105 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
4106 CHECK(ecount == 2);
4107 ecount = 0;
4108 memset(ctmp2, 0, 32);
4109 ctmp2[31] = 4;
4110 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
4111 CHECK(ecount == 1);
4112 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
4113 CHECK(ecount == 2);
4114 ecount = 0;
4115 memset(ctmp2, 0, 32);
41fc7856 4116 CHECK(secp256k1_ec_seckey_tweak_add(ctx, NULL, ctmp2) == 0);
96be2046 4117 CHECK(ecount == 1);
41fc7856 4118 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, NULL) == 0);
96be2046
GM		 4119 CHECK(ecount == 2);
4120 ecount = 0;
4121 memset(ctmp2, 0, 32);
4122 ctmp2[31] = 1;
41fc7856 4123 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, NULL, ctmp2) == 0);
96be2046 4124 CHECK(ecount == 1);
41fc7856 4125 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, NULL) == 0);
96be2046
GM		 4126 CHECK(ecount == 2);
4127 ecount = 0;
4128 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
4129 CHECK(ecount == 1);
4130 memset(&pubkey, 1, sizeof(pubkey));
4131 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4132 CHECK(ecount == 2);
5b71a3f4 4133 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
c69dea02
GM		 4134 /* secp256k1_ec_pubkey_combine tests. */
4135 ecount = 0;
4136 pubkeys[0] = &pubkey_one;
4137 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
4138 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
4139 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
4140 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4141 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4142 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
4143 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4144 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4145 CHECK(ecount == 1);
c69dea02
GM		 4146 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
4147 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
8e48787d 4148 CHECK(ecount == 2);
c69dea02
GM		 4149 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4150 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4151 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
4152 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4153 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
8e48787d 4154 CHECK(ecount == 3);
c69dea02
GM		 4155 pubkeys[0] = &pubkey_negone;
4156 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4157 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4158 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
4159 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4160 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
8e48787d 4161 CHECK(ecount == 3);
c69dea02
GM		 4162 len = 33;
4163 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4164 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
4165 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
4166 /* Result is infinity. */
4167 pubkeys[0] = &pubkey_one;
4168 pubkeys[1] = &pubkey_negone;
4169 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4170 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4171 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
4172 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4173 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
8e48787d 4174 CHECK(ecount == 3);
c69dea02
GM		 4175 /* Passes through infinity but comes out one. */
4176 pubkeys[2] = &pubkey_one;
4177 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4178 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4179 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
4180 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4181 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
8e48787d 4182 CHECK(ecount == 3);
c69dea02
GM		 4183 len = 33;
4184 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4185 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
4186 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
4187 /* Adds to two. */
4188 pubkeys[1] = &pubkey_one;
4189 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4190 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4191 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
4192 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4193 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
8e48787d 4194 CHECK(ecount == 3);
96be2046
GM		 4195 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4196}
4197
5894e1f1
JN		 4198void run_eckey_negate_test(void) {
4199 unsigned char seckey[32];
4200 unsigned char seckey_tmp[32];
4201
4202 random_scalar_order_b32(seckey);
4203 memcpy(seckey_tmp, seckey, 32);
4204
41fc7856
JN		 4205 /* Verify negation changes the key and changes it back */
4206 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
5894e1f1 4207 CHECK(memcmp(seckey, seckey_tmp, 32) != 0);
41fc7856
JN		 4208 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4209 CHECK(memcmp(seckey, seckey_tmp, 32) == 0);
4210
4211 /* Check that privkey alias gives same result */
4212 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4213 CHECK(secp256k1_ec_privkey_negate(ctx, seckey_tmp) == 1);
5894e1f1
JN		 4214 CHECK(memcmp(seckey, seckey_tmp, 32) == 0);
4215
41fc7856 4216 /* Negating all 0s fails */
5894e1f1
JN		 4217 memset(seckey, 0, 32);
4218 memset(seckey_tmp, 0, 32);
41fc7856 4219 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
5894e1f1
JN		 4220 /* Check that seckey is not modified */
4221 CHECK(memcmp(seckey, seckey_tmp, 32) == 0);
4222
4223 /* Negating an overflowing seckey fails and the seckey is zeroed. In this
41fc7856 4224 * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
5894e1f1
JN		 4225 * doesn't just set seckey to a constant value in case of failure. */
4226 random_scalar_order_b32(seckey);
4227 memset(seckey, 0xFF, 16);
4228 memset(seckey_tmp, 0, 32);
41fc7856 4229 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
5894e1f1
JN		 4230 CHECK(memcmp(seckey, seckey_tmp, 32) == 0);
4231}
4232
dd891e0e
PW		 4233void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
4234 secp256k1_scalar nonce;
dd08f037 4235 do {
a9f5c8b8 4236 random_scalar_order_test(&nonce);
18c329c5 4237 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
dd08f037
PW		 4238}
4239
2cad067a 4240void test_ecdsa_sign_verify(void) {
dd891e0e
PW		 4241 secp256k1_gej pubj;
4242 secp256k1_ge pub;
4243 secp256k1_scalar one;
4244 secp256k1_scalar msg, key;
4245 secp256k1_scalar sigr, sigs;
ee3eb4be
GM		 4246 int recid;
4247 int getrec;
a9f5c8b8 4248 random_scalar_order_test(&msg);
a9f5c8b8 4249 random_scalar_order_test(&key);
a9b6595e 4250 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
bf2e1ac7 4251 secp256k1_ge_set_gej(&pub, &pubj);
fa57f1bd 4252 getrec = secp256k1_rand_bits(1);
18c329c5 4253 random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
26320197
GM		 4254 if (getrec) {
4255 CHECK(recid >= 0 && recid < 4);
4256 }
18c329c5 4257 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
f24041d6
PW		 4258 secp256k1_scalar_set_int(&one, 1);
4259 secp256k1_scalar_add(&msg, &msg, &one);
18c329c5 4260 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
0a07e62f
PW		 4261}
4262
2cad067a 4263void run_ecdsa_sign_verify(void) {
bf2e1ac7
GM		 4264 int i;
4265 for (i = 0; i < 10*count; i++) {
0a07e62f
PW		 4266 test_ecdsa_sign_verify();
4267 }
4268}
4269
c6e7f4e8 4270/** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
05732c5a 4271static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
c6e7f4e8
PW		 4272 (void)msg32;
4273 (void)key32;
a5a66c70 4274 (void)algo16;
c6e7f4e8
PW		 4275 memcpy(nonce32, data, 32);
4276 return (counter == 0);
4277}
4278
05732c5a 4279static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
941e221f 4280 /* Dummy nonce generator that has a fatal error on the first counter value. */
26320197
GM		 4281 if (counter == 0) {
4282 return 0;
4283 }
dc0ce9fc 4284 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
941e221f
GM		 4285}
4286
05732c5a 4287static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
941e221f
GM		 4288 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
4289 if (counter < 3) {
4290 memset(nonce32, counter==0 ? 0 : 255, 32);
26320197
GM		 4291 if (counter == 2) {
4292 nonce32[31]--;
4293 }
941e221f
GM		 4294 return 1;
4295 }
4296 if (counter < 5) {
4297 static const unsigned char order[] = {
4298 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4299 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4300 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4301 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
4302 };
4303 memcpy(nonce32, order, 32);
26320197
GM		 4304 if (counter == 4) {
4305 nonce32[31]++;
4306 }
941e221f
GM		 4307 return 1;
4308 }
269d4227 4309 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
941e221f 4310 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
26320197
GM		 4311 if (counter > 5) {
4312 return 0;
4313 }
dc0ce9fc 4314 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
941e221f
GM		 4315}
4316
dd891e0e
PW		 4317int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
4318 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
4319 return memcmp(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
8030d7c0
PW		 4320}
4321
2cad067a 4322void test_ecdsa_end_to_end(void) {
efc571ce 4323 unsigned char extra[32] = {0x00};
25f4aec0
PW		 4324 unsigned char privkey[32];
4325 unsigned char message[32];
bf2e1ac7 4326 unsigned char privkey2[32];
0c6ab2ff
PW		 4327 secp256k1_ecdsa_signature signature[6];
4328 secp256k1_scalar r, s;
74a2acdb 4329 unsigned char sig[74];
788038d3 4330 size_t siglen = 74;
23cfa914 4331 unsigned char pubkeyc[65];
788038d3 4332 size_t pubkeyclen = 65;
dd891e0e 4333 secp256k1_pubkey pubkey;
8e48aa60 4334 secp256k1_pubkey pubkey_tmp;
bf2e1ac7 4335 unsigned char seckey[300];
788038d3 4336 size_t seckeylen = 300;
25f4aec0 4337
71712b27 4338 /* Generate a random key and message. */
25f4aec0 4339 {
dd891e0e 4340 secp256k1_scalar msg, key;
659b554d
PW		 4341 random_scalar_order_test(&msg);
4342 random_scalar_order_test(&key);
4343 secp256k1_scalar_get_b32(privkey, &key);
4344 secp256k1_scalar_get_b32(message, &msg);
25f4aec0
PW		 4345 }
4346
71712b27 4347 /* Construct and verify corresponding public key. */
a9b6595e 4348 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
23cfa914 4349 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
99fd963b 4350
23cfa914 4351 /* Verify exporting and importing public key. */
1a368980 4352 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_rand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
23cfa914
PW		 4353 memset(&pubkey, 0, sizeof(pubkey));
4354 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
25f4aec0 4355
8e48aa60
AP		 4356 /* Verify negation changes the key and changes it back */
4357 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
4358 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4359 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
4360 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4361 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
4362
71712b27 4363 /* Verify private key import and export. */
eed87af1
AP		 4364 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_rand_bits(1) == 1));
4365 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
25f4aec0
PW		 4366 CHECK(memcmp(privkey, privkey2, 32) == 0);
4367
71712b27 4368 /* Optionally tweak the keys using addition. */
fa57f1bd 4369 if (secp256k1_rand_int(3) == 0) {
bf2e1ac7
GM		 4370 int ret1;
4371 int ret2;
41fc7856 4372 int ret3;
25f4aec0 4373 unsigned char rnd[32];
41fc7856 4374 unsigned char privkey_tmp[32];
dd891e0e 4375 secp256k1_pubkey pubkey2;
25f4aec0 4376 secp256k1_rand256_test(rnd);
41fc7856
JN		 4377 memcpy(privkey_tmp, privkey, 32);
4378 ret1 = secp256k1_ec_seckey_tweak_add(ctx, privkey, rnd);
23cfa914 4379 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
41fc7856
JN		 4380 /* Check that privkey alias gives same result */
4381 ret3 = secp256k1_ec_privkey_tweak_add(ctx, privkey_tmp, rnd);
25f4aec0 4382 CHECK(ret1 == ret2);
41fc7856 4383 CHECK(ret2 == ret3);
26320197
GM		 4384 if (ret1 == 0) {
4385 return;
4386 }
41fc7856 4387 CHECK(memcmp(privkey, privkey_tmp, 32) == 0);
23cfa914
PW		 4388 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4389 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
25f4aec0
PW		 4390 }
4391
71712b27 4392 /* Optionally tweak the keys using multiplication. */
fa57f1bd 4393 if (secp256k1_rand_int(3) == 0) {
bf2e1ac7
GM		 4394 int ret1;
4395 int ret2;
41fc7856 4396 int ret3;
25f4aec0 4397 unsigned char rnd[32];
41fc7856 4398 unsigned char privkey_tmp[32];
dd891e0e 4399 secp256k1_pubkey pubkey2;
25f4aec0 4400 secp256k1_rand256_test(rnd);
41fc7856
JN		 4401 memcpy(privkey_tmp, privkey, 32);
4402 ret1 = secp256k1_ec_seckey_tweak_mul(ctx, privkey, rnd);
23cfa914 4403 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
41fc7856
JN		 4404 /* Check that privkey alias gives same result */
4405 ret3 = secp256k1_ec_privkey_tweak_mul(ctx, privkey_tmp, rnd);
25f4aec0 4406 CHECK(ret1 == ret2);
41fc7856 4407 CHECK(ret2 == ret3);
26320197
GM		 4408 if (ret1 == 0) {
4409 return;
4410 }
41fc7856 4411 CHECK(memcmp(privkey, privkey_tmp, 32) == 0);
23cfa914
PW		 4412 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4413 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
25f4aec0
PW		 4414 }
4415
71712b27 4416 /* Sign. */
dc0ce9fc
PW		 4417 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
4418 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
4419 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
efc571ce 4420 extra[31] = 1;
dc0ce9fc 4421 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
efc571ce
GM		 4422 extra[31] = 0;
4423 extra[0] = 1;
dc0ce9fc 4424 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
74a2acdb
PW		 4425 CHECK(memcmp(&signature[0], &signature[4], sizeof(signature[0])) == 0);
4426 CHECK(memcmp(&signature[0], &signature[1], sizeof(signature[0])) != 0);
4427 CHECK(memcmp(&signature[0], &signature[2], sizeof(signature[0])) != 0);
4428 CHECK(memcmp(&signature[0], &signature[3], sizeof(signature[0])) != 0);
4429 CHECK(memcmp(&signature[1], &signature[2], sizeof(signature[0])) != 0);
4430 CHECK(memcmp(&signature[1], &signature[3], sizeof(signature[0])) != 0);
4431 CHECK(memcmp(&signature[2], &signature[3], sizeof(signature[0])) != 0);
71712b27 4432 /* Verify. */
dc0ce9fc
PW		 4433 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4434 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
4435 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
4436 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
0c6ab2ff
PW		 4437 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
4438 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
4439 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
4440 secp256k1_scalar_negate(&s, &s);
4441 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4442 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
4443 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4444 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4445 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
5b71a3f4 4446 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
0c6ab2ff
PW		 4447 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4448 secp256k1_scalar_negate(&s, &s);
4449 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4450 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4451 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4452 CHECK(memcmp(&signature[5], &signature[0], 64) == 0);
74a2acdb
PW		 4453
4454 /* Serialize/parse DER and verify again */
4455 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4456 memset(&signature[0], 0, sizeof(signature[0]));
4457 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
dc0ce9fc 4458 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
74a2acdb 4459 /* Serialize/destroy/parse DER and verify again. */
1973c737 4460 siglen = 74;
74a2acdb 4461 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
fa57f1bd 4462 sig[secp256k1_rand_int(siglen)] += 1 + secp256k1_rand_int(255);
74a2acdb 4463 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
dc0ce9fc 4464 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
d49abbd5
PW		 4465}
4466
7c6fed28 4467void test_random_pubkeys(void) {
dd891e0e
PW		 4468 secp256k1_ge elem;
4469 secp256k1_ge elem2;
7c6fed28
GM		 4470 unsigned char in[65];
4471 /* Generate some randomly sized pubkeys. */
fa57f1bd
PW		 4472 size_t len = secp256k1_rand_bits(2) == 0 ? 65 : 33;
4473 if (secp256k1_rand_bits(2) == 0) {
4474 len = secp256k1_rand_bits(6);
26320197 4475 }
7c6fed28 4476 if (len == 65) {
fa57f1bd 4477 in[0] = secp256k1_rand_bits(1) ? 4 : (secp256k1_rand_bits(1) ? 6 : 7);
7c6fed28 4478 } else {
fa57f1bd 4479 in[0] = secp256k1_rand_bits(1) ? 2 : 3;
7c6fed28 4480 }
fa57f1bd
PW		 4481 if (secp256k1_rand_bits(3) == 0) {
4482 in[0] = secp256k1_rand_bits(8);
26320197 4483 }
26320197
GM		 4484 if (len > 1) {
4485 secp256k1_rand256(&in[1]);
4486 }
4487 if (len > 33) {
4488 secp256k1_rand256(&in[33]);
4489 }
7c6fed28
GM		 4490 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
4491 unsigned char out[65];
4492 unsigned char firstb;
4493 int res;
788038d3 4494 size_t size = len;
7c6fed28
GM		 4495 firstb = in[0];
4496 /* If the pubkey can be parsed, it should round-trip... */
9234391e 4497 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
7c6fed28
GM		 4498 CHECK(size == len);
4499 CHECK(memcmp(&in[1], &out[1], len-1) == 0);
4500 /* ... except for the type of hybrid inputs. */
26320197
GM		 4501 if ((in[0] != 6) && (in[0] != 7)) {
4502 CHECK(in[0] == out[0]);
4503 }
7c6fed28 4504 size = 65;
9234391e 4505 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
7c6fed28
GM		 4506 CHECK(size == 65);
4507 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
60571c6e 4508 ge_equals_ge(&elem,&elem2);
7c6fed28 4509 /* Check that the X9.62 hybrid type is checked. */
fa57f1bd 4510 in[0] = secp256k1_rand_bits(1) ? 6 : 7;
7c6fed28
GM		 4511 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
4512 if (firstb == 2 || firstb == 3) {
26320197
GM		 4513 if (in[0] == firstb + 4) {
4514 CHECK(res);
4515 } else {
4516 CHECK(!res);
4517 }
7c6fed28
GM		 4518 }
4519 if (res) {
60571c6e 4520 ge_equals_ge(&elem,&elem2);
9234391e 4521 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
7c6fed28
GM		 4522 CHECK(memcmp(&in[1], &out[1], 64) == 0);
4523 }
4524 }
4525}
4526
4527void run_random_pubkeys(void) {
bf2e1ac7
GM		 4528 int i;
4529 for (i = 0; i < 10*count; i++) {
7c6fed28
GM		 4530 test_random_pubkeys();
4531 }
4532}
4533
2cad067a 4534void run_ecdsa_end_to_end(void) {
bf2e1ac7
GM		 4535 int i;
4536 for (i = 0; i < 64*count; i++) {
25f4aec0
PW		 4537 test_ecdsa_end_to_end();
4538 }
4539}
4540
3bb9c447
PW		 4541int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
4542 static const unsigned char zeroes[32] = {0};
a9b2a5d8 4543#ifdef ENABLE_OPENSSL_TESTS
3bb9c447
PW		 4544 static const unsigned char max_scalar[32] = {
4545 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4546 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4547 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4548 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
4549 };
a9b2a5d8 4550#endif
3bb9c447
PW		 4551
4552 int ret = 0;
4553
4554 secp256k1_ecdsa_signature sig_der;
4555 unsigned char roundtrip_der[2048];
4556 unsigned char compact_der[64];
4557 size_t len_der = 2048;
4558 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
4559
fea19e7b
PW		 4560 secp256k1_ecdsa_signature sig_der_lax;
4561 unsigned char roundtrip_der_lax[2048];
4562 unsigned char compact_der_lax[64];
4563 size_t len_der_lax = 2048;
4564 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
4565
3bb9c447
PW		 4566#ifdef ENABLE_OPENSSL_TESTS
4567 ECDSA_SIG *sig_openssl;
31abd3ab 4568 const BIGNUM *r = NULL, *s = NULL;
3bb9c447
PW		 4569 const unsigned char *sigptr;
4570 unsigned char roundtrip_openssl[2048];
4571 int len_openssl = 2048;
4572 int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
4573#endif
4574
4575 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
4576 if (parsed_der) {
4577 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
4578 valid_der = (memcmp(compact_der, zeroes, 32) != 0) && (memcmp(compact_der + 32, zeroes, 32) != 0);
4579 }
4580 if (valid_der) {
4581 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
4582 roundtrips_der = (len_der == siglen) && memcmp(roundtrip_der, sig, siglen) == 0;
4583 }
4584
eed87af1 4585 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
fea19e7b
PW		 4586 if (parsed_der_lax) {
4587 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
4588 valid_der_lax = (memcmp(compact_der_lax, zeroes, 32) != 0) && (memcmp(compact_der_lax + 32, zeroes, 32) != 0);
4589 }
4590 if (valid_der_lax) {
4591 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
4592 roundtrips_der_lax = (len_der_lax == siglen) && memcmp(roundtrip_der_lax, sig, siglen) == 0;
4593 }
4594
3bb9c447
PW		 4595 if (certainly_der) {
4596 ret |= (!parsed_der) << 2;
4597 }
4598 if (certainly_not_der) {
4599 ret |= (parsed_der) << 17;
4600 }
4601 if (valid_der) {
4602 ret |= (!roundtrips_der) << 3;
4603 }
4604
fea19e7b
PW		 4605 if (valid_der) {
4606 ret |= (!roundtrips_der_lax) << 12;
4607 ret |= (len_der != len_der_lax) << 13;
248bffb0 4608 ret |= ((len_der != len_der_lax) || (memcmp(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
fea19e7b
PW		 4609 }
4610 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
4611 if (parsed_der) {
4612 ret |= (!parsed_der_lax) << 16;
4613 }
4614
3bb9c447
PW		 4615#ifdef ENABLE_OPENSSL_TESTS
4616 sig_openssl = ECDSA_SIG_new();
4617 sigptr = sig;
4618 parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
4619 if (parsed_openssl) {
31abd3ab
AB		 4620 ECDSA_SIG_get0(sig_openssl, &r, &s);
4621 valid_openssl = !BN_is_negative(r) && !BN_is_negative(s) && BN_num_bits(r) > 0 && BN_num_bits(r) <= 256 && BN_num_bits(s) > 0 && BN_num_bits(s) <= 256;
3bb9c447
PW		 4622 if (valid_openssl) {
4623 unsigned char tmp[32] = {0};
31abd3ab 4624 BN_bn2bin(r, tmp + 32 - BN_num_bytes(r));
3bb9c447
PW		 4625 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4626 }
4627 if (valid_openssl) {
4628 unsigned char tmp[32] = {0};
31abd3ab 4629 BN_bn2bin(s, tmp + 32 - BN_num_bytes(s));
3bb9c447
PW		 4630 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4631 }
4632 }
4633 len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
4634 if (len_openssl <= 2048) {
4635 unsigned char *ptr = roundtrip_openssl;
4636 CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
4637 roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (memcmp(roundtrip_openssl, sig, siglen) == 0);
4638 } else {
4639 len_openssl = 0;
4640 }
4641 ECDSA_SIG_free(sig_openssl);
4642
4643 ret |= (parsed_der && !parsed_openssl) << 4;
4644 ret |= (valid_der && !valid_openssl) << 5;
4645 ret |= (roundtrips_openssl && !parsed_der) << 6;
4646 ret |= (roundtrips_der != roundtrips_openssl) << 7;
4647 if (roundtrips_openssl) {
4648 ret |= (len_der != (size_t)len_openssl) << 8;
248bffb0 4649 ret |= ((len_der != (size_t)len_openssl) || (memcmp(roundtrip_der, roundtrip_openssl, len_der) != 0)) << 9;
3bb9c447
PW		 4650 }
4651#endif
4652 return ret;
4653}
4654
4655static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
4656 size_t i;
4657 for (i = 0; i < ptrlen; i++) {
4658 int shift = ptrlen - 1 - i;
4659 if (shift >= 4) {
4660 ptr[i] = 0;
4661 } else {
4662 ptr[i] = (val >> shift) & 0xFF;
4663 }
4664 }
4665}
4666
4667static void damage_array(unsigned char *sig, size_t *len) {
4668 int pos;
4669 int action = secp256k1_rand_bits(3);
5d4c5a31 4670 if (action < 1 && *len > 3) {
3bb9c447
PW		 4671 /* Delete a byte. */
4672 pos = secp256k1_rand_int(*len);
4673 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
4674 (*len)--;
4675 return;
5d4c5a31 4676 } else if (action < 2 && *len < 2048) {
3bb9c447
PW		 4677 /* Insert a byte. */
4678 pos = secp256k1_rand_int(1 + *len);
4679 memmove(sig + pos + 1, sig + pos, *len - pos);
4680 sig[pos] = secp256k1_rand_bits(8);
4681 (*len)++;
4682 return;
4683 } else if (action < 4) {
4684 /* Modify a byte. */
4685 sig[secp256k1_rand_int(*len)] += 1 + secp256k1_rand_int(255);
4686 return;
4687 } else { /* action < 8 */
4688 /* Modify a bit. */
4689 sig[secp256k1_rand_int(*len)] ^= 1 << secp256k1_rand_bits(3);
4690 return;
4691 }
4692}
4693
4694static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
4695 int der;
4696 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
4697 size_t tlen, elen, glen;
4698 int indet;
4699 int n;
4700
4701 *len = 0;
4702 der = secp256k1_rand_bits(2) == 0;
4703 *certainly_der = der;
4704 *certainly_not_der = 0;
4705 indet = der ? 0 : secp256k1_rand_int(10) == 0;
4706
4707 for (n = 0; n < 2; n++) {
4708 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
4709 nlow[n] = der ? 1 : (secp256k1_rand_bits(3) != 0);
4710 /* The length of the number in bytes (the first byte of which will always be nonzero) */
4711 nlen[n] = nlow[n] ? secp256k1_rand_int(33) : 32 + secp256k1_rand_int(200) * secp256k1_rand_int(8) / 8;
4712 CHECK(nlen[n] <= 232);
4713 /* The top bit of the number. */
4714 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_rand_bits(1));
4715 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
4716 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_rand_bits(7) : 1 + secp256k1_rand_int(127));
4717 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
4718 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_rand_int(3) : secp256k1_rand_int(300 - nlen[n]) * secp256k1_rand_int(8) / 8);
4719 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
4720 *certainly_not_der = 1;
4721 }
4722 CHECK(nlen[n] + nzlen[n] <= 300);
4723 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
4724 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
4725 if (!der) {
4726 /* nlenlen[n] max 127 bytes */
4727 int add = secp256k1_rand_int(127 - nlenlen[n]) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4728 nlenlen[n] += add;
4729 if (add != 0) {
4730 *certainly_not_der = 1;
4731 }
4732 }
4733 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
4734 }
4735
4736 /* The total length of the data to go, so far */
4737 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
4738 CHECK(tlen <= 856);
4739
4740 /* The length of the garbage inside the tuple. */
4741 elen = (der || indet) ? 0 : secp256k1_rand_int(980 - tlen) * secp256k1_rand_int(8) / 8;
4742 if (elen != 0) {
4743 *certainly_not_der = 1;
4744 }
4745 tlen += elen;
4746 CHECK(tlen <= 980);
4747
4748 /* The length of the garbage after the end of the tuple. */
4749 glen = der ? 0 : secp256k1_rand_int(990 - tlen) * secp256k1_rand_int(8) / 8;
4750 if (glen != 0) {
4751 *certainly_not_der = 1;
4752 }
4753 CHECK(tlen + glen <= 990);
4754
4755 /* Write the tuple header. */
4756 sig[(*len)++] = 0x30;
4757 if (indet) {
4758 /* Indeterminate length */
4759 sig[(*len)++] = 0x80;
4760 *certainly_not_der = 1;
4761 } else {
4762 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
4763 if (!der) {
4764 int add = secp256k1_rand_int(127 - tlenlen) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4765 tlenlen += add;
4766 if (add != 0) {
4767 *certainly_not_der = 1;
4768 }
4769 }
4770 if (tlenlen == 0) {
4771 /* Short length notation */
4772 sig[(*len)++] = tlen;
4773 } else {
4774 /* Long length notation */
4775 sig[(*len)++] = 128 + tlenlen;
4776 assign_big_endian(sig + *len, tlenlen, tlen);
4777 *len += tlenlen;
4778 }
4779 tlen += tlenlen;
4780 }
4781 tlen += 2;
4782 CHECK(tlen + glen <= 1119);
4783
4784 for (n = 0; n < 2; n++) {
4785 /* Write the integer header. */
4786 sig[(*len)++] = 0x02;
4787 if (nlenlen[n] == 0) {
4788 /* Short length notation */
4789 sig[(*len)++] = nlen[n] + nzlen[n];
4790 } else {
4791 /* Long length notation. */
4792 sig[(*len)++] = 128 + nlenlen[n];
4793 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
4794 *len += nlenlen[n];
4795 }
4796 /* Write zero padding */
4797 while (nzlen[n] > 0) {
4798 sig[(*len)++] = 0x00;
4799 nzlen[n]--;
4800 }
4801 if (nlen[n] == 32 && !nlow[n]) {
4802 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
4803 int i;
4804 for (i = 0; i < 16; i++) {
4805 sig[(*len)++] = 0xFF;
4806 }
4807 nlen[n] -= 16;
4808 }
4809 /* Write first byte of number */
4810 if (nlen[n] > 0) {
4811 sig[(*len)++] = nhbyte[n];
4812 nlen[n]--;
4813 }
4814 /* Generate remaining random bytes of number */
4815 secp256k1_rand_bytes_test(sig + *len, nlen[n]);
4816 *len += nlen[n];
4817 nlen[n] = 0;
4818 }
4819
4820 /* Generate random garbage inside tuple. */
4821 secp256k1_rand_bytes_test(sig + *len, elen);
4822 *len += elen;
4823
4824 /* Generate end-of-contents bytes. */
4825 if (indet) {
4826 sig[(*len)++] = 0;
4827 sig[(*len)++] = 0;
4828 tlen += 2;
4829 }
4830 CHECK(tlen + glen <= 1121);
4831
4832 /* Generate random garbage outside tuple. */
4833 secp256k1_rand_bytes_test(sig + *len, glen);
4834 *len += glen;
4835 tlen += glen;
4836 CHECK(tlen <= 1121);
4837 CHECK(tlen == *len);
4838}
4839
4840void run_ecdsa_der_parse(void) {
4841 int i,j;
4842 for (i = 0; i < 200 * count; i++) {
4843 unsigned char buffer[2048];
4844 size_t buflen = 0;
4845 int certainly_der = 0;
4846 int certainly_not_der = 0;
4847 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
5d4c5a31 4848 CHECK(buflen <= 2048);
3bb9c447
PW		 4849 for (j = 0; j < 16; j++) {
4850 int ret = 0;
4851 if (j > 0) {
4852 damage_array(buffer, &buflen);
4853 /* We don't know anything anymore about the DERness of the result */
4854 certainly_der = 0;
4855 certainly_not_der = 0;
4856 }
4857 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
4858 if (ret != 0) {
4859 size_t k;
4860 fprintf(stderr, "Failure %x on ", ret);
4861 for (k = 0; k < buflen; k++) {
4862 fprintf(stderr, "%02x ", buffer[k]);
4863 }
4864 fprintf(stderr, "\n");
4865 }
4866 CHECK(ret == 0);
4867 }
4868 }
4869}
4870
6e052878
PW		 4871/* Tests several edge cases. */
4872void test_ecdsa_edge_cases(void) {
d49abbd5 4873 int t;
dd891e0e 4874 secp256k1_ecdsa_signature sig;
d49abbd5
PW		 4875
4876 /* Test the case where ECDSA recomputes a point that is infinity. */
4877 {
dd891e0e
PW		 4878 secp256k1_gej keyj;
4879 secp256k1_ge key;
4880 secp256k1_scalar msg;
4881 secp256k1_scalar sr, ss;
d49abbd5
PW		 4882 secp256k1_scalar_set_int(&ss, 1);
4883 secp256k1_scalar_negate(&ss, &ss);
4884 secp256k1_scalar_inverse(&ss, &ss);
4885 secp256k1_scalar_set_int(&sr, 1);
4886 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
4887 secp256k1_ge_set_gej(&key, &keyj);
4888 msg = ss;
4889 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4890 }
4891
96be2046 4892 /* Verify signature with r of zero fails. */
d49abbd5 4893 {
96be2046
GM		 4894 const unsigned char pubkey_mods_zero[33] = {
4895 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4896 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4897 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4898 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4899 0x41
4900 };
4901 secp256k1_ge key;
4902 secp256k1_scalar msg;
4903 secp256k1_scalar sr, ss;
4904 secp256k1_scalar_set_int(&ss, 1);
4905 secp256k1_scalar_set_int(&msg, 0);
4906 secp256k1_scalar_set_int(&sr, 0);
4907 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
4908 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4909 }
4910
4911 /* Verify signature with s of zero fails. */
4912 {
4913 const unsigned char pubkey[33] = {
4914 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4915 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4916 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4917 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4918 0x01
4919 };
4920 secp256k1_ge key;
4921 secp256k1_scalar msg;
4922 secp256k1_scalar sr, ss;
4923 secp256k1_scalar_set_int(&ss, 0);
4924 secp256k1_scalar_set_int(&msg, 0);
4925 secp256k1_scalar_set_int(&sr, 1);
4926 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4927 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4928 }
4929
4930 /* Verify signature with message 0 passes. */
4931 {
4932 const unsigned char pubkey[33] = {
4933 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4934 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4935 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4936 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4937 0x02
4938 };
4939 const unsigned char pubkey2[33] = {
4940 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4941 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4942 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4943 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4944 0x43
4945 };
4946 secp256k1_ge key;
4947 secp256k1_ge key2;
4948 secp256k1_scalar msg;
4949 secp256k1_scalar sr, ss;
4950 secp256k1_scalar_set_int(&ss, 2);
4951 secp256k1_scalar_set_int(&msg, 0);
4952 secp256k1_scalar_set_int(&sr, 2);
4953 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4954 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4955 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4956 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4957 secp256k1_scalar_negate(&ss, &ss);
4958 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4959 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4960 secp256k1_scalar_set_int(&ss, 1);
4961 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4962 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4963 }
4964
4965 /* Verify signature with message 1 passes. */
4966 {
4967 const unsigned char pubkey[33] = {
4968 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
4969 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
4970 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
4971 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
4972 0x25
4973 };
4974 const unsigned char pubkey2[33] = {
4975 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
4976 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
4977 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
4978 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
4979 0x62
4980 };
4981 const unsigned char csr[32] = {
4982 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4983 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4984 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4985 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
4986 };
4987 secp256k1_ge key;
4988 secp256k1_ge key2;
4989 secp256k1_scalar msg;
4990 secp256k1_scalar sr, ss;
4991 secp256k1_scalar_set_int(&ss, 1);
4992 secp256k1_scalar_set_int(&msg, 1);
4993 secp256k1_scalar_set_b32(&sr, csr, NULL);
4994 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4995 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4996 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4997 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4998 secp256k1_scalar_negate(&ss, &ss);
4999 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5000 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5001 secp256k1_scalar_set_int(&ss, 2);
5002 secp256k1_scalar_inverse_var(&ss, &ss);
5003 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5004 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
5005 }
5006
5007 /* Verify signature with message -1 passes. */
5008 {
5009 const unsigned char pubkey[33] = {
5010 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
5011 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
5012 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
5013 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
5014 0xf1
5015 };
5016 const unsigned char csr[32] = {
5017 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5018 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5019 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
5020 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
5021 };
5022 secp256k1_ge key;
5023 secp256k1_scalar msg;
5024 secp256k1_scalar sr, ss;
5025 secp256k1_scalar_set_int(&ss, 1);
5026 secp256k1_scalar_set_int(&msg, 1);
5027 secp256k1_scalar_negate(&msg, &msg);
5028 secp256k1_scalar_set_b32(&sr, csr, NULL);
5029 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5030 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5031 secp256k1_scalar_negate(&ss, &ss);
5032 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5033 secp256k1_scalar_set_int(&ss, 3);
5034 secp256k1_scalar_inverse_var(&ss, &ss);
5035 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5036 }
5037
5038 /* Signature where s would be zero. */
5039 {
5040 secp256k1_pubkey pubkey;
788038d3 5041 size_t siglen;
96be2046
GM		 5042 int32_t ecount;
5043 unsigned char signature[72];
5044 static const unsigned char nonce[32] = {
d49abbd5
PW		 5045 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5046 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5047 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5048 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5049 };
5050 static const unsigned char nonce2[32] = {
5051 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
5052 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
5053 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
5054 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
5055 };
5056 const unsigned char key[32] = {
5057 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5058 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5059 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5060 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5061 };
5062 unsigned char msg[32] = {
5063 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
5064 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
5065 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
5066 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
5067 };
96be2046
GM		 5068 ecount = 0;
5069 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
dc0ce9fc
PW		 5070 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
5071 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
d49abbd5 5072 msg[31] = 0xaa;
dc0ce9fc 5073 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
96be2046
GM		 5074 CHECK(ecount == 0);
5075 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
5076 CHECK(ecount == 1);
5077 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
5078 CHECK(ecount == 2);
5079 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
5080 CHECK(ecount == 3);
dc0ce9fc 5081 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
96be2046
GM		 5082 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
5083 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
5084 CHECK(ecount == 4);
5085 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
5086 CHECK(ecount == 5);
5087 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
5088 CHECK(ecount == 6);
5089 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
5b71a3f4
GM		 5090 CHECK(ecount == 6);
5091 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
5092 CHECK(ecount == 7);
5093 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
5094 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
5095 CHECK(ecount == 8);
d49abbd5 5096 siglen = 72;
96be2046 5097 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
5b71a3f4 5098 CHECK(ecount == 9);
96be2046 5099 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
5b71a3f4 5100 CHECK(ecount == 10);
96be2046 5101 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
5b71a3f4 5102 CHECK(ecount == 11);
d49abbd5 5103 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
5b71a3f4
GM		 5104 CHECK(ecount == 11);
5105 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
5106 CHECK(ecount == 12);
5107 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
5108 CHECK(ecount == 13);
5109 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
5110 CHECK(ecount == 13);
d49abbd5 5111 siglen = 10;
5b71a3f4 5112 /* Too little room for a signature does not fail via ARGCHECK. */
d49abbd5 5113 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
5b71a3f4
GM		 5114 CHECK(ecount == 13);
5115 ecount = 0;
5116 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
5117 CHECK(ecount == 1);
5118 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
5119 CHECK(ecount == 2);
5120 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
5121 CHECK(ecount == 3);
5122 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
5123 CHECK(ecount == 3);
5124 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
5125 CHECK(ecount == 4);
5126 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
5127 CHECK(ecount == 5);
5128 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
5129 CHECK(ecount == 5);
c69dea02
GM		 5130 memset(signature, 255, 64);
5131 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
5132 CHECK(ecount == 5);
96be2046 5133 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
d49abbd5
PW		 5134 }
5135
5136 /* Nonce function corner cases. */
5137 for (t = 0; t < 2; t++) {
5138 static const unsigned char zero[32] = {0x00};
5139 int i;
5140 unsigned char key[32];
5141 unsigned char msg[32];
dd891e0e
PW		 5142 secp256k1_ecdsa_signature sig2;
5143 secp256k1_scalar sr[512], ss;
d49abbd5
PW		 5144 const unsigned char *extra;
5145 extra = t == 0 ? NULL : zero;
5146 memset(msg, 0, 32);
5147 msg[31] = 1;
5148 /* High key results in signature failure. */
5149 memset(key, 0xFF, 32);
dc0ce9fc 5150 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
d49abbd5
PW		 5151 CHECK(is_empty_signature(&sig));
5152 /* Zero key results in signature failure. */
5153 memset(key, 0, 32);
dc0ce9fc 5154 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
d49abbd5
PW		 5155 CHECK(is_empty_signature(&sig));
5156 /* Nonce function failure results in signature failure. */
5157 key[31] = 1;
dc0ce9fc 5158 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
d49abbd5
PW		 5159 CHECK(is_empty_signature(&sig));
5160 /* The retry loop successfully makes its way to the first good value. */
dc0ce9fc 5161 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
d49abbd5 5162 CHECK(!is_empty_signature(&sig));
dc0ce9fc 5163 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
d49abbd5
PW		 5164 CHECK(!is_empty_signature(&sig2));
5165 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
269d4227 5166 /* The default nonce function is deterministic. */
dc0ce9fc 5167 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
d49abbd5
PW		 5168 CHECK(!is_empty_signature(&sig2));
5169 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
5170 /* The default nonce function changes output with different messages. */
5171 for(i = 0; i < 256; i++) {
5172 int j;
5173 msg[0] = i;
dc0ce9fc 5174 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
d49abbd5
PW		 5175 CHECK(!is_empty_signature(&sig2));
5176 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
5177 for (j = 0; j < i; j++) {
5178 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
5179 }
5180 }
5181 msg[0] = 0;
5182 msg[31] = 2;
5183 /* The default nonce function changes output with different keys. */
5184 for(i = 256; i < 512; i++) {
5185 int j;
5186 key[0] = i - 256;
dc0ce9fc 5187 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
d49abbd5
PW		 5188 CHECK(!is_empty_signature(&sig2));
5189 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
5190 for (j = 0; j < i; j++) {
5191 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
5192 }
5193 }
5194 key[0] = 0;
5195 }
5196
b30fc85c 5197 {
269d4227 5198 /* Check that optional nonce arguments do not have equivalent effect. */
b30fc85c
GM		 5199 const unsigned char zeros[32] = {0};
5200 unsigned char nonce[32];
5201 unsigned char nonce2[32];
5202 unsigned char nonce3[32];
5203 unsigned char nonce4[32];
5204 VG_UNDEF(nonce,32);
5205 VG_UNDEF(nonce2,32);
5206 VG_UNDEF(nonce3,32);
5207 VG_UNDEF(nonce4,32);
5208 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
5209 VG_CHECK(nonce,32);
5210 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
5211 VG_CHECK(nonce2,32);
5212 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
5213 VG_CHECK(nonce3,32);
5214 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
5215 VG_CHECK(nonce4,32);
5216 CHECK(memcmp(nonce, nonce2, 32) != 0);
5217 CHECK(memcmp(nonce, nonce3, 32) != 0);
5218 CHECK(memcmp(nonce, nonce4, 32) != 0);
5219 CHECK(memcmp(nonce2, nonce3, 32) != 0);
5220 CHECK(memcmp(nonce2, nonce4, 32) != 0);
5221 CHECK(memcmp(nonce3, nonce4, 32) != 0);
5222 }
5223
5224
d49abbd5
PW		 5225 /* Privkey export where pubkey is the point at infinity. */
5226 {
5227 unsigned char privkey[300];
5228 unsigned char seckey[32] = {
5229 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5230 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
5231 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
5232 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
5233 };
788038d3 5234 size_t outlen = 300;
eed87af1 5235 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
1973c737 5236 outlen = 300;
eed87af1 5237 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
d49abbd5
PW		 5238 }
5239}
5240
6e052878
PW		 5241void run_ecdsa_edge_cases(void) {
5242 test_ecdsa_edge_cases();
3bf029d6 5243}
25f4aec0 5244
dd08f037 5245#ifdef ENABLE_OPENSSL_TESTS
7914a6eb 5246EC_KEY *get_openssl_key(const unsigned char *key32) {
12e29b32 5247 unsigned char privkey[300];
788038d3 5248 size_t privkeylen;
12e29b32 5249 const unsigned char* pbegin = privkey;
fa57f1bd 5250 int compr = secp256k1_rand_bits(1);
dd08f037 5251 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
eed87af1 5252 CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
0592d117
PW		 5253 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
5254 CHECK(EC_KEY_check_key(ec_key));
dd08f037
PW		 5255 return ec_key;
5256}
5257
2cad067a 5258void test_ecdsa_openssl(void) {
dd891e0e
PW		 5259 secp256k1_gej qj;
5260 secp256k1_ge q;
5261 secp256k1_scalar sigr, sigs;
5262 secp256k1_scalar one;
5263 secp256k1_scalar msg2;
5264 secp256k1_scalar key, msg;
bf2e1ac7
GM		 5265 EC_KEY *ec_key;
5266 unsigned int sigsize = 80;
788038d3 5267 size_t secp_sigsize = 80;
dd08f037 5268 unsigned char message[32];
bf2e1ac7 5269 unsigned char signature[80];
7914a6eb 5270 unsigned char key32[32];
dd08f037 5271 secp256k1_rand256_test(message);
eca6cdb1 5272 secp256k1_scalar_set_b32(&msg, message, NULL);
a9f5c8b8 5273 random_scalar_order_test(&key);
7914a6eb 5274 secp256k1_scalar_get_b32(key32, &key);
a9b6595e 5275 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
dd08f037 5276 secp256k1_ge_set_gej(&q, &qj);
7914a6eb 5277 ec_key = get_openssl_key(key32);
2b199de8 5278 CHECK(ec_key != NULL);
0592d117 5279 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
18c329c5
PW		 5280 CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
5281 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
f24041d6 5282 secp256k1_scalar_set_int(&one, 1);
f24041d6 5283 secp256k1_scalar_add(&msg2, &msg, &one);
18c329c5 5284 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
dd08f037 5285
18c329c5
PW		 5286 random_sign(&sigr, &sigs, &key, &msg, NULL);
5287 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
9974d869 5288 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
dd08f037 5289
dd08f037 5290 EC_KEY_free(ec_key);
dd08f037
PW		 5291}
5292
2cad067a 5293void run_ecdsa_openssl(void) {
bf2e1ac7
GM		 5294 int i;
5295 for (i = 0; i < 10*count; i++) {
dd08f037
PW		 5296 test_ecdsa_openssl();
5297 }
5298}
5299#endif
5300
0739bbb6
AP		 5301#ifdef ENABLE_MODULE_ECDH
5302# include "modules/ecdh/tests_impl.h"
5303#endif
5304
9f443be0
PW		 5305#ifdef ENABLE_MODULE_RECOVERY
5306# include "modules/recovery/tests_impl.h"
5307#endif
5308
47e6618e
JN		 5309#ifdef ENABLE_MODULE_EXTRAKEYS
5310# include "modules/extrakeys/tests_impl.h"
5311#endif
5312
7a703fd9
JN		 5313#ifdef ENABLE_MODULE_SCHNORRSIG
5314# include "modules/schnorrsig/tests_impl.h"
5315#endif
5316
01993878
TR		 5317void run_memczero_test(void) {
5318 unsigned char buf1[6] = {1, 2, 3, 4, 5, 6};
5319 unsigned char buf2[sizeof(buf1)];
5320
5321 /* memczero(..., ..., 0) is a noop. */
5322 memcpy(buf2, buf1, sizeof(buf1));
5323 memczero(buf1, sizeof(buf1), 0);
5324 CHECK(memcmp(buf1, buf2, sizeof(buf1)) == 0);
5325
5326 /* memczero(..., ..., 1) zeros the buffer. */
5327 memset(buf2, 0, sizeof(buf2));
5328 memczero(buf1, sizeof(buf1) , 1);
5329 CHECK(memcmp(buf1, buf2, sizeof(buf1)) == 0);
5330}
5331
28609507
ET		 5332void int_cmov_test(void) {
5333 int r = INT_MAX;
5334 int a = 0;
5335
5336 secp256k1_int_cmov(&r, &a, 0);
5337 CHECK(r == INT_MAX);
5338
5339 r = 0; a = INT_MAX;
5340 secp256k1_int_cmov(&r, &a, 1);
5341 CHECK(r == INT_MAX);
5342
5343 a = 0;
5344 secp256k1_int_cmov(&r, &a, 1);
5345 CHECK(r == 0);
5346
5347 a = 1;
5348 secp256k1_int_cmov(&r, &a, 1);
5349 CHECK(r == 1);
5350
5351 r = 1; a = 0;
5352 secp256k1_int_cmov(&r, &a, 0);
5353 CHECK(r == 1);
5354
5355}
5356
5357void fe_cmov_test(void) {
5358 static const secp256k1_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
5359 static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
5360 static const secp256k1_fe max = SECP256K1_FE_CONST(
5361 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5362 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
5363 );
5364 secp256k1_fe r = max;
5365 secp256k1_fe a = zero;
5366
5367 secp256k1_fe_cmov(&r, &a, 0);
5368 CHECK(memcmp(&r, &max, sizeof(r)) == 0);
5369
5370 r = zero; a = max;
5371 secp256k1_fe_cmov(&r, &a, 1);
5372 CHECK(memcmp(&r, &max, sizeof(r)) == 0);
5373
5374 a = zero;
5375 secp256k1_fe_cmov(&r, &a, 1);
5376 CHECK(memcmp(&r, &zero, sizeof(r)) == 0);
5377
5378 a = one;
5379 secp256k1_fe_cmov(&r, &a, 1);
5380 CHECK(memcmp(&r, &one, sizeof(r)) == 0);
5381
5382 r = one; a = zero;
5383 secp256k1_fe_cmov(&r, &a, 0);
5384 CHECK(memcmp(&r, &one, sizeof(r)) == 0);
5385}
5386
5387void fe_storage_cmov_test(void) {
5388 static const secp256k1_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
5389 static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
5390 static const secp256k1_fe_storage max = SECP256K1_FE_STORAGE_CONST(
5391 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5392 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
5393 );
5394 secp256k1_fe_storage r = max;
5395 secp256k1_fe_storage a = zero;
5396
5397 secp256k1_fe_storage_cmov(&r, &a, 0);
5398 CHECK(memcmp(&r, &max, sizeof(r)) == 0);
5399
5400 r = zero; a = max;
5401 secp256k1_fe_storage_cmov(&r, &a, 1);
5402 CHECK(memcmp(&r, &max, sizeof(r)) == 0);
5403
5404 a = zero;
5405 secp256k1_fe_storage_cmov(&r, &a, 1);
5406 CHECK(memcmp(&r, &zero, sizeof(r)) == 0);
5407
5408 a = one;
5409 secp256k1_fe_storage_cmov(&r, &a, 1);
5410 CHECK(memcmp(&r, &one, sizeof(r)) == 0);
5411
5412 r = one; a = zero;
5413 secp256k1_fe_storage_cmov(&r, &a, 0);
5414 CHECK(memcmp(&r, &one, sizeof(r)) == 0);
5415}
5416
5417void scalar_cmov_test(void) {
5418 static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
5419 static const secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
5420 static const secp256k1_scalar max = SECP256K1_SCALAR_CONST(
5421 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5422 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
5423 );
5424 secp256k1_scalar r = max;
5425 secp256k1_scalar a = zero;
5426
5427 secp256k1_scalar_cmov(&r, &a, 0);
5428 CHECK(memcmp(&r, &max, sizeof(r)) == 0);
5429
5430 r = zero; a = max;
5431 secp256k1_scalar_cmov(&r, &a, 1);
5432 CHECK(memcmp(&r, &max, sizeof(r)) == 0);
5433
5434 a = zero;
5435 secp256k1_scalar_cmov(&r, &a, 1);
5436 CHECK(memcmp(&r, &zero, sizeof(r)) == 0);
5437
5438 a = one;
5439 secp256k1_scalar_cmov(&r, &a, 1);
5440 CHECK(memcmp(&r, &one, sizeof(r)) == 0);
5441
5442 r = one; a = zero;
5443 secp256k1_scalar_cmov(&r, &a, 0);
5444 CHECK(memcmp(&r, &one, sizeof(r)) == 0);
5445}
5446
5447void ge_storage_cmov_test(void) {
5448 static const secp256k1_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
5449 static const secp256k1_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1);
5450 static const secp256k1_ge_storage max = SECP256K1_GE_STORAGE_CONST(
5451 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5452 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5453 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5454 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
5455 );
5456 secp256k1_ge_storage r = max;
5457 secp256k1_ge_storage a = zero;
5458
5459 secp256k1_ge_storage_cmov(&r, &a, 0);
5460 CHECK(memcmp(&r, &max, sizeof(r)) == 0);
5461
5462 r = zero; a = max;
5463 secp256k1_ge_storage_cmov(&r, &a, 1);
5464 CHECK(memcmp(&r, &max, sizeof(r)) == 0);
5465
5466 a = zero;
5467 secp256k1_ge_storage_cmov(&r, &a, 1);
5468 CHECK(memcmp(&r, &zero, sizeof(r)) == 0);
5469
5470 a = one;
5471 secp256k1_ge_storage_cmov(&r, &a, 1);
5472 CHECK(memcmp(&r, &one, sizeof(r)) == 0);
5473
5474 r = one; a = zero;
5475 secp256k1_ge_storage_cmov(&r, &a, 0);
5476 CHECK(memcmp(&r, &one, sizeof(r)) == 0);
5477}
5478
5479void run_cmov_tests(void) {
5480 int_cmov_test();
5481 fe_cmov_test();
5482 fe_storage_cmov_test();
5483 scalar_cmov_test();
5484 ge_storage_cmov_test();
5485}
5486
404c30a8 5487int main(int argc, char **argv) {
89561118
PW		 5488 unsigned char seed16[16] = {0};
5489 unsigned char run32[32] = {0};
fb424fbb
JN		 5490
5491 /* Disable buffering for stdout to improve reliability of getting
5492 * diagnostic information. Happens right at the start of main because
5493 * setbuf must be used before any other operation on the stream. */
5494 setbuf(stdout, NULL);
a0771d15
JN		 5495 /* Also disable buffering for stderr because it's not guaranteed that it's
5496 * unbuffered on all systems. */
5497 setbuf(stderr, NULL);
fb424fbb 5498
71712b27 5499 /* find iteration count */
3fd6253e
PW		 5500 if (argc > 1) {
5501 count = strtol(argv[1], NULL, 0);
5502 }
5503
71712b27 5504 /* find random seed */
3fd6253e 5505 if (argc > 2) {
89561118
PW		 5506 int pos = 0;
5507 const char* ch = argv[2];
5508 while (pos < 16 && ch[0] != 0 && ch[1] != 0) {
5509 unsigned short sh;
a11c76c5 5510 if ((sscanf(ch, "%2hx", &sh)) == 1) {
89561118
PW		 5511 seed16[pos] = sh;
5512 } else {
5513 break;
5514 }
5515 ch += 2;
5516 pos++;
5517 }
3fd6253e
PW		 5518 } else {
5519 FILE *frand = fopen("/dev/urandom", "r");
8b3841c9 5520 if ((frand == NULL) || fread(&seed16, 1, sizeof(seed16), frand) != sizeof(seed16)) {
89561118 5521 uint64_t t = time(NULL) * (uint64_t)1337;
be40c4d0 5522 fprintf(stderr, "WARNING: could not read 16 bytes from /dev/urandom; falling back to insecure PRNG\n");
89561118
PW		 5523 seed16[0] ^= t;
5524 seed16[1] ^= t >> 8;
5525 seed16[2] ^= t >> 16;
5526 seed16[3] ^= t >> 24;
5527 seed16[4] ^= t >> 32;
5528 seed16[5] ^= t >> 40;
5529 seed16[6] ^= t >> 48;
5530 seed16[7] ^= t >> 56;
3fd6253e 5531 }
5aae5b5b 5532 if (frand) {
5533 fclose(frand);
5534 }
3fd6253e 5535 }
89561118 5536 secp256k1_rand_seed(seed16);
404c30a8 5537
dd08f037 5538 printf("test count = %i\n", count);
89561118 5539 printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]);
dd08f037 5540
71712b27 5541 /* initialize */
814cc78d
TR		 5542 run_context_tests(0);
5543 run_context_tests(1);
548de42e 5544 run_scratch_tests();
a9b6595e 5545 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
fa57f1bd 5546 if (secp256k1_rand_bits(1)) {
d2275795 5547 secp256k1_rand256(run32);
fa57f1bd 5548 CHECK(secp256k1_context_randomize(ctx, secp256k1_rand_bits(1) ? run32 : NULL));
d2275795 5549 }
49b37498
PW		 5550
5551 run_rand_bits();
5552 run_rand_int();
5553
b37fbc28
PW		 5554 run_sha256_tests();
5555 run_hmac_sha256_tests();
5556 run_rfc6979_hmac_sha256_tests();
5557
597128d3 5558#ifndef USE_NUM_NONE
71712b27 5559 /* num tests */
3f44e1ad 5560 run_num_smalltests();
597128d3 5561#endif
404c30a8 5562
71712b27 5563 /* scalar tests */
79359302
PW		 5564 run_scalar_tests();
5565
71712b27 5566 /* field tests */
f16be77f
PD		 5567 run_field_inv();
5568 run_field_inv_var();
f16be77f 5569 run_field_inv_all_var();
8d11164b 5570 run_field_misc();
ff889f7d 5571 run_field_convert();
59447da3 5572 run_sqr();
09ca4f32
PD		 5573 run_sqrt();
5574
71712b27 5575 /* group tests */
9338dbf7 5576 run_ge();
64666251 5577 run_group_decompress();
9338dbf7 5578
71712b27 5579 /* ecmult tests */
404c30a8
PW		 5580 run_wnaf();
5581 run_point_times_order();
5582 run_ecmult_chain();
d2275795
GM		 5583 run_ecmult_constants();
5584 run_ecmult_gen_blind();
44015000 5585 run_ecmult_const_tests();
dba5471b 5586 run_ecmult_multi_tests();
a5a66c70 5587 run_ec_combine();
404c30a8 5588
baa75da5
AP		 5589 /* endomorphism tests */
5590#ifdef USE_ENDOMORPHISM
5591 run_endomorphism_tests();
5592#endif
5593
96be2046 5594 /* EC point parser test */
67f7da40
GM		 5595 run_ec_pubkey_parse_test();
5596
96be2046
GM		 5597 /* EC key edge cases */
5598 run_eckey_edge_case_test();
5599
5894e1f1
JN		 5600 /* EC key arithmetic test */
5601 run_eckey_negate_test();
5602
0739bbb6
AP		 5603#ifdef ENABLE_MODULE_ECDH
5604 /* ecdh tests */
5605 run_ecdh_tests();
5606#endif
5607
71712b27 5608 /* ecdsa tests */
7c6fed28 5609 run_random_pubkeys();
3bb9c447 5610 run_ecdsa_der_parse();
404c30a8 5611 run_ecdsa_sign_verify();
25f4aec0 5612 run_ecdsa_end_to_end();
6e052878 5613 run_ecdsa_edge_cases();
dd08f037
PW		 5614#ifdef ENABLE_OPENSSL_TESTS
5615 run_ecdsa_openssl();
5616#endif
910d0de4 5617
9f443be0
PW		 5618#ifdef ENABLE_MODULE_RECOVERY
5619 /* ECDSA pubkey recovery tests */
5620 run_recovery_tests();
5621#endif
5622
47e6618e
JN		 5623#ifdef ENABLE_MODULE_EXTRAKEYS
5624 run_extrakeys_tests();
5625#endif
5626
7a703fd9
JN		 5627#ifdef ENABLE_MODULE_SCHNORRSIG
5628 run_schnorrsig_tests();
5629#endif
5630
01993878
TR		 5631 /* util tests */
5632 run_memczero_test();
5633
28609507
ET		 5634 run_cmov_tests();
5635
89561118
PW		 5636 secp256k1_rand256(run32);
5637 printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]);
bff11e91 5638
71712b27 5639 /* shutdown */
a9b6595e 5640 secp256k1_context_destroy(ctx);
c996d53a
PW		 5641
5642 printf("no problems found\n");
a41f32e6
PW		 5643 return 0;
5644}
Empty description
This page took 0.959124 seconds and 4 git commands to generate.