]> Git Repo - secp256k1.git/blame - src/tests.c
projects / secp256k1.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
tests: add a couple tests
[secp256k1.git] / src / tests.c
CommitLineData
71712b27 1/**********************************************************************
9c4fb23d 2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
71712b27
GM		 3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
0a433ea2 6
78cd96b1
CF		 7#if defined HAVE_CONFIG_H
8#include "libsecp256k1-config.h"
9#endif
10
5a9989c5 11#include <stdio.h>
0592d117 12#include <stdlib.h>
a41f32e6 13
e06a9244
PJ		 14#include <time.h>
15
74a2acdb 16#include "include/secp256k1.h"
25f4aec0 17#include "secp256k1.c"
f0709ac5 18#include "testrand_impl.h"
a41f32e6 19
dd08f037
PW		 20#ifdef ENABLE_OPENSSL_TESTS
21#include "openssl/bn.h"
22#include "openssl/ec.h"
23#include "openssl/ecdsa.h"
24#include "openssl/obj_mac.h"
25#endif
26
79f599d3 27static int count = 64;
a9b6595e 28static secp256k1_context_t *ctx = NULL;
4adf6b2a 29
9338dbf7
PW		 30void random_field_element_test(secp256k1_fe_t *fe) {
31 do {
32 unsigned char b32[32];
33 secp256k1_rand256_test(b32);
659b554d
PW		 34 if (secp256k1_fe_set_b32(fe, b32)) {
35 break;
36 }
9338dbf7
PW		 37 } while(1);
38}
39
40void random_field_element_magnitude(secp256k1_fe_t *fe) {
bf2e1ac7 41 secp256k1_fe_t zero;
60571c6e 42 int n = secp256k1_rand32() % 9;
9338dbf7 43 secp256k1_fe_normalize(fe);
60571c6e
PW		 44 if (n == 0) {
45 return;
9338dbf7 46 }
60571c6e
PW		 47 secp256k1_fe_clear(&zero);
48 secp256k1_fe_negate(&zero, &zero, 0);
49 secp256k1_fe_mul_int(&zero, n - 1);
50 secp256k1_fe_add(fe, &zero);
3f3964e4 51 VERIFY_CHECK(fe->magnitude == n);
9338dbf7
PW		 52}
53
54void random_group_element_test(secp256k1_ge_t *ge) {
55 secp256k1_fe_t fe;
56 do {
57 random_field_element_test(&fe);
26320197 58 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand32() & 1)) {
baa75da5 59 secp256k1_fe_normalize(&ge->y);
9338dbf7 60 break;
26320197 61 }
9338dbf7
PW		 62 } while(1);
63}
64
65void random_group_element_jacobian_test(secp256k1_gej_t *gej, const secp256k1_ge_t *ge) {
bf2e1ac7 66 secp256k1_fe_t z2, z3;
9338dbf7
PW		 67 do {
68 random_field_element_test(&gej->z);
69 if (!secp256k1_fe_is_zero(&gej->z)) {
70 break;
71 }
72 } while(1);
bf2e1ac7
GM		 73 secp256k1_fe_sqr(&z2, &gej->z);
74 secp256k1_fe_mul(&z3, &z2, &gej->z);
9338dbf7
PW		 75 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
76 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
77 gej->infinity = ge->infinity;
78}
79
a9f5c8b8
PW		 80void random_scalar_order_test(secp256k1_scalar_t *num) {
81 do {
82 unsigned char b32[32];
a9f5c8b8 83 int overflow = 0;
bf2e1ac7 84 secp256k1_rand256_test(b32);
eca6cdb1 85 secp256k1_scalar_set_b32(num, b32, &overflow);
26320197 86 if (overflow || secp256k1_scalar_is_zero(num)) {
a9f5c8b8 87 continue;
26320197 88 }
a9f5c8b8
PW		 89 break;
90 } while(1);
91}
92
f24041d6
PW		 93void random_scalar_order(secp256k1_scalar_t *num) {
94 do {
95 unsigned char b32[32];
f24041d6 96 int overflow = 0;
bf2e1ac7 97 secp256k1_rand256(b32);
f24041d6 98 secp256k1_scalar_set_b32(num, b32, &overflow);
26320197 99 if (overflow || secp256k1_scalar_is_zero(num)) {
f24041d6 100 continue;
26320197 101 }
f24041d6
PW		 102 break;
103 } while(1);
104}
105
d899b5b6
AP		 106void run_context_tests(void) {
107 secp256k1_context_t *none = secp256k1_context_create(0);
108 secp256k1_context_t *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
109 secp256k1_context_t *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
110 secp256k1_context_t *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
111
112 secp256k1_gej_t pubj;
113 secp256k1_ge_t pub;
114 secp256k1_scalar_t msg, key, nonce;
18c329c5 115 secp256k1_scalar_t sigr, sigs;
d899b5b6
AP		 116
117 /*** clone and destroy all of them to make sure cloning was complete ***/
118 {
119 secp256k1_context_t *ctx_tmp;
120
121 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_destroy(ctx_tmp);
122 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_destroy(ctx_tmp);
123 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_destroy(ctx_tmp);
124 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_destroy(ctx_tmp);
125 }
126
127 /*** attempt to use them ***/
128 random_scalar_order_test(&msg);
129 random_scalar_order_test(&key);
130 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
131 secp256k1_ge_set_gej(&pub, &pubj);
132
133 /* obtain a working nonce */
134 do {
135 random_scalar_order_test(&nonce);
18c329c5 136 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
d899b5b6
AP		 137
138 /* try signing */
18c329c5
PW		 139 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
140 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
d899b5b6
AP		 141
142 /* try verifying */
18c329c5
PW		 143 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
144 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
5c2a4fad
AP		 145
146 /* cleanup */
147 secp256k1_context_destroy(none);
148 secp256k1_context_destroy(sign);
149 secp256k1_context_destroy(vrfy);
150 secp256k1_context_destroy(both);
d899b5b6
AP		 151}
152
b37fbc28
PW		 153/***** HASH TESTS *****/
154
155void run_sha256_tests(void) {
156 static const char *inputs[8] = {
157 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
158 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
159 "For this sample, this 63-byte string will be used as input data",
160 "This is exactly 64 bytes long, not counting the terminating byte"
161 };
162 static const unsigned char outputs[8][32] = {
163 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
164 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
165 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
166 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
167 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
168 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
169 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
170 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
171 };
bf2e1ac7
GM		 172 int i;
173 for (i = 0; i < 8; i++) {
174 unsigned char out[32];
b37fbc28
PW		 175 secp256k1_sha256_t hasher;
176 secp256k1_sha256_initialize(&hasher);
177 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
b37fbc28
PW		 178 secp256k1_sha256_finalize(&hasher, out);
179 CHECK(memcmp(out, outputs[i], 32) == 0);
180 if (strlen(inputs[i]) > 0) {
b37fbc28 181 int split = secp256k1_rand32() % strlen(inputs[i]);
bf2e1ac7 182 secp256k1_sha256_initialize(&hasher);
b37fbc28
PW		 183 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
184 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
185 secp256k1_sha256_finalize(&hasher, out);
186 CHECK(memcmp(out, outputs[i], 32) == 0);
187 }
188 }
189}
190
191void run_hmac_sha256_tests(void) {
192 static const char *keys[6] = {
193 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
194 "\x4a\x65\x66\x65",
195 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
196 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
197 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
198 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
199 };
200 static const char *inputs[6] = {
201 "\x48\x69\x20\x54\x68\x65\x72\x65",
202 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
203 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
204 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
205 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
206 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
207 };
208 static const unsigned char outputs[6][32] = {
209 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
210 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
211 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
212 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
213 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
214 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
215 };
bf2e1ac7
GM		 216 int i;
217 for (i = 0; i < 6; i++) {
b37fbc28 218 secp256k1_hmac_sha256_t hasher;
bf2e1ac7 219 unsigned char out[32];
b37fbc28
PW		 220 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
221 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
b37fbc28
PW		 222 secp256k1_hmac_sha256_finalize(&hasher, out);
223 CHECK(memcmp(out, outputs[i], 32) == 0);
224 if (strlen(inputs[i]) > 0) {
b37fbc28 225 int split = secp256k1_rand32() % strlen(inputs[i]);
bf2e1ac7 226 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
b37fbc28
PW		 227 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
228 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
229 secp256k1_hmac_sha256_finalize(&hasher, out);
230 CHECK(memcmp(out, outputs[i], 32) == 0);
231 }
232 }
233}
234
235void run_rfc6979_hmac_sha256_tests(void) {
3e6f1e20 236 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
b37fbc28
PW		 237 static const unsigned char out1[3][32] = {
238 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
239 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
240 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
241 };
242
3e6f1e20 243 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
b37fbc28
PW		 244 static const unsigned char out2[3][32] = {
245 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
246 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
247 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
248 };
249
250 secp256k1_rfc6979_hmac_sha256_t rng;
251 unsigned char out[32];
bf2e1ac7 252 int i;
b37fbc28 253
3e6f1e20 254 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
bf2e1ac7 255 for (i = 0; i < 3; i++) {
b37fbc28
PW		 256 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
257 CHECK(memcmp(out, out1[i], 32) == 0);
258 }
259 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
260
3e6f1e20 261 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
1573a102
PW		 262 for (i = 0; i < 3; i++) {
263 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
264 CHECK(memcmp(out, out1[i], 32) != 0);
265 }
266 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
267
3e6f1e20 268 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
bf2e1ac7 269 for (i = 0; i < 3; i++) {
b37fbc28
PW		 270 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
271 CHECK(memcmp(out, out2[i], 32) == 0);
272 }
273 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
274}
275
659b554d
PW		 276/***** NUM TESTS *****/
277
597128d3 278#ifndef USE_NUM_NONE
659b554d 279void random_num_negate(secp256k1_num_t *num) {
26320197 280 if (secp256k1_rand32() & 1) {
659b554d 281 secp256k1_num_negate(num);
26320197 282 }
659b554d
PW		 283}
284
285void random_num_order_test(secp256k1_num_t *num) {
286 secp256k1_scalar_t sc;
287 random_scalar_order_test(&sc);
288 secp256k1_scalar_get_num(num, &sc);
289}
290
404c30a8 291void random_num_order(secp256k1_num_t *num) {
659b554d
PW		 292 secp256k1_scalar_t sc;
293 random_scalar_order(&sc);
294 secp256k1_scalar_get_num(num, &sc);
404c30a8
PW		 295}
296
2cad067a 297void test_num_negate(void) {
3f44e1ad
PW		 298 secp256k1_num_t n1;
299 secp256k1_num_t n2;
71712b27 300 random_num_order_test(&n1); /* n1 = R */
3f44e1ad 301 random_num_negate(&n1);
71712b27
GM		 302 secp256k1_num_copy(&n2, &n1); /* n2 = R */
303 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
0592d117 304 CHECK(secp256k1_num_is_zero(&n1));
71712b27
GM		 305 secp256k1_num_copy(&n1, &n2); /* n1 = R */
306 secp256k1_num_negate(&n1); /* n1 = -R */
0592d117 307 CHECK(!secp256k1_num_is_zero(&n1));
71712b27 308 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
0592d117 309 CHECK(secp256k1_num_is_zero(&n1));
71712b27
GM		 310 secp256k1_num_copy(&n1, &n2); /* n1 = R */
311 secp256k1_num_negate(&n1); /* n1 = -R */
0592d117 312 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
71712b27 313 secp256k1_num_negate(&n1); /* n1 = R */
1a749b4a 314 CHECK(secp256k1_num_eq(&n1, &n2));
3f44e1ad
PW		 315}
316
2cad067a 317void test_num_add_sub(void) {
3f44e1ad
PW		 318 secp256k1_num_t n1;
319 secp256k1_num_t n2;
bf2e1ac7
GM		 320 secp256k1_num_t n1p2, n2p1, n1m2, n2m1;
321 int r = secp256k1_rand32();
71712b27 322 random_num_order_test(&n1); /* n1 = R1 */
1a749b4a
PW		 323 if (r & 1) {
324 random_num_negate(&n1);
325 }
71712b27 326 random_num_order_test(&n2); /* n2 = R2 */
1a749b4a
PW		 327 if (r & 2) {
328 random_num_negate(&n2);
329 }
71712b27
GM		 330 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
331 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
332 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
333 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
1a749b4a
PW		 334 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
335 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
71712b27 336 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
1a749b4a
PW		 337 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
338 CHECK(!secp256k1_num_eq(&n2m1, &n1));
71712b27 339 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
1a749b4a
PW		 340 CHECK(secp256k1_num_eq(&n2m1, &n1));
341 CHECK(!secp256k1_num_eq(&n2p1, &n1));
71712b27 342 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
1a749b4a 343 CHECK(secp256k1_num_eq(&n2p1, &n1));
3f44e1ad
PW		 344}
345
2cad067a 346void run_num_smalltests(void) {
bf2e1ac7
GM		 347 int i;
348 for (i = 0; i < 100*count; i++) {
3f44e1ad
PW		 349 test_num_negate();
350 test_num_add_sub();
351 }
3f44e1ad 352}
597128d3 353#endif
3f44e1ad 354
79359302
PW		 355/***** SCALAR TESTS *****/
356
79359302 357void scalar_test(void) {
bf2e1ac7
GM		 358 secp256k1_scalar_t s;
359 secp256k1_scalar_t s1;
360 secp256k1_scalar_t s2;
361#ifndef USE_NUM_NONE
362 secp256k1_num_t snum, s1num, s2num;
363 secp256k1_num_t order, half_order;
364#endif
79359302
PW		 365 unsigned char c[32];
366
71712b27 367 /* Set 's' to a random scalar, with value 'snum'. */
659b554d 368 random_scalar_order_test(&s);
79359302 369
71712b27 370 /* Set 's1' to a random scalar, with value 's1num'. */
659b554d 371 random_scalar_order_test(&s1);
79359302 372
71712b27 373 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
659b554d
PW		 374 random_scalar_order_test(&s2);
375 secp256k1_scalar_get_b32(c, &s2);
376
597128d3 377#ifndef USE_NUM_NONE
659b554d
PW		 378 secp256k1_scalar_get_num(&snum, &s);
379 secp256k1_scalar_get_num(&s1num, &s1);
380 secp256k1_scalar_get_num(&s2num, &s2);
381
659b554d 382 secp256k1_scalar_order_get_num(&order);
bf2e1ac7 383 half_order = order;
659b554d 384 secp256k1_num_shift(&half_order, 1);
597128d3 385#endif
79359302
PW		 386
387 {
bf2e1ac7 388 int i;
71712b27 389 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
1e6c77c3
PW		 390 secp256k1_scalar_t n;
391 secp256k1_scalar_set_int(&n, 0);
bf2e1ac7 392 for (i = 0; i < 256; i += 4) {
1e6c77c3 393 secp256k1_scalar_t t;
bf2e1ac7 394 int j;
1e6c77c3 395 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
bf2e1ac7 396 for (j = 0; j < 4; j++) {
1e6c77c3
PW		 397 secp256k1_scalar_add(&n, &n, &n);
398 }
399 secp256k1_scalar_add(&n, &n, &t);
79359302 400 }
1e6c77c3
PW		 401 CHECK(secp256k1_scalar_eq(&n, &s));
402 }
403
404 {
405 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
406 secp256k1_scalar_t n;
1e6c77c3 407 int i = 0;
bf2e1ac7 408 secp256k1_scalar_set_int(&n, 0);
1e6c77c3 409 while (i < 256) {
bf2e1ac7
GM		 410 secp256k1_scalar_t t;
411 int j;
1e6c77c3
PW		 412 int now = (secp256k1_rand32() % 15) + 1;
413 if (now + i > 256) {
414 now = 256 - i;
415 }
1e6c77c3 416 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
bf2e1ac7 417 for (j = 0; j < now; j++) {
1e6c77c3
PW		 418 secp256k1_scalar_add(&n, &n, &n);
419 }
420 secp256k1_scalar_add(&n, &n, &t);
421 i += now;
422 }
423 CHECK(secp256k1_scalar_eq(&n, &s));
79359302
PW		 424 }
425
597128d3 426#ifndef USE_NUM_NONE
79359302 427 {
71712b27 428 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
79359302 429 secp256k1_num_t rnum;
bf2e1ac7
GM		 430 secp256k1_num_t r2num;
431 secp256k1_scalar_t r;
79359302 432 secp256k1_num_add(&rnum, &snum, &s2num);
659b554d 433 secp256k1_num_mod(&rnum, &order);
79359302 434 secp256k1_scalar_add(&r, &s, &s2);
79359302
PW		 435 secp256k1_scalar_get_num(&r2num, &r);
436 CHECK(secp256k1_num_eq(&rnum, &r2num));
79359302
PW		 437 }
438
439 {
71712b27 440 /* Test that multipying the scalars is equal to multiplying their numbers modulo the order. */
bf2e1ac7
GM		 441 secp256k1_scalar_t r;
442 secp256k1_num_t r2num;
79359302 443 secp256k1_num_t rnum;
79359302 444 secp256k1_num_mul(&rnum, &snum, &s2num);
659b554d 445 secp256k1_num_mod(&rnum, &order);
79359302 446 secp256k1_scalar_mul(&r, &s, &s2);
79359302
PW		 447 secp256k1_scalar_get_num(&r2num, &r);
448 CHECK(secp256k1_num_eq(&rnum, &r2num));
71712b27 449 /* The result can only be zero if at least one of the factors was zero. */
79359302 450 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
71712b27 451 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
79359302
PW		 452 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
453 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
79359302
PW		 454 }
455
456 {
bf2e1ac7
GM		 457 secp256k1_scalar_t neg;
458 secp256k1_num_t negnum;
459 secp256k1_num_t negnum2;
71712b27 460 /* Check that comparison with zero matches comparison with zero on the number. */
79359302 461 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
71712b27 462 /* Check that comparison with the half order is equal to testing for high scalar. */
659b554d 463 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
79359302 464 secp256k1_scalar_negate(&neg, &s);
659b554d
PW		 465 secp256k1_num_sub(&negnum, &order, &snum);
466 secp256k1_num_mod(&negnum, &order);
71712b27 467 /* Check that comparison with the half order is equal to testing for high scalar after negation. */
659b554d 468 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
71712b27 469 /* Negating should change the high property, unless the value was already zero. */
79359302 470 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
79359302 471 secp256k1_scalar_get_num(&negnum2, &neg);
71712b27 472 /* Negating a scalar should be equal to (order - n) mod order on the number. */
79359302
PW		 473 CHECK(secp256k1_num_eq(&negnum, &negnum2));
474 secp256k1_scalar_add(&neg, &neg, &s);
71712b27 475 /* Adding a number to its negation should result in zero. */
79359302
PW		 476 CHECK(secp256k1_scalar_is_zero(&neg));
477 secp256k1_scalar_negate(&neg, &neg);
71712b27 478 /* Negating zero should still result in zero. */
79359302 479 CHECK(secp256k1_scalar_is_zero(&neg));
79359302 480 }
ff8746d4
PW		 481
482 {
483 /* Test secp256k1_scalar_mul_shift_var. */
484 secp256k1_scalar_t r;
bf2e1ac7
GM		 485 secp256k1_num_t one;
486 secp256k1_num_t rnum;
487 secp256k1_num_t rnum2;
488 unsigned char cone[1] = {0x01};
ff8746d4
PW		 489 unsigned int shift = 256 + (secp256k1_rand32() % 257);
490 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
ff8746d4
PW		 491 secp256k1_num_mul(&rnum, &s1num, &s2num);
492 secp256k1_num_shift(&rnum, shift - 1);
ff8746d4
PW		 493 secp256k1_num_set_bin(&one, cone, 1);
494 secp256k1_num_add(&rnum, &rnum, &one);
495 secp256k1_num_shift(&rnum, 1);
ff8746d4
PW		 496 secp256k1_scalar_get_num(&rnum2, &r);
497 CHECK(secp256k1_num_eq(&rnum, &rnum2));
498 }
597128d3 499#endif
79359302
PW		 500
501 {
71712b27 502 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
79359302
PW		 503 if (!secp256k1_scalar_is_zero(&s)) {
504 secp256k1_scalar_t inv;
597128d3 505#ifndef USE_NUM_NONE
79359302 506 secp256k1_num_t invnum;
79359302 507 secp256k1_num_t invnum2;
bf2e1ac7
GM		 508#endif
509 secp256k1_scalar_inverse(&inv, &s);
510#ifndef USE_NUM_NONE
511 secp256k1_num_mod_inverse(&invnum, &snum, &order);
79359302
PW		 512 secp256k1_scalar_get_num(&invnum2, &inv);
513 CHECK(secp256k1_num_eq(&invnum, &invnum2));
597128d3 514#endif
79359302 515 secp256k1_scalar_mul(&inv, &inv, &s);
71712b27 516 /* Multiplying a scalar with its inverse must result in one. */
79359302
PW		 517 CHECK(secp256k1_scalar_is_one(&inv));
518 secp256k1_scalar_inverse(&inv, &inv);
71712b27 519 /* Inverting one must result in one. */
79359302 520 CHECK(secp256k1_scalar_is_one(&inv));
79359302
PW		 521 }
522 }
523
524 {
71712b27 525 /* Test commutativity of add. */
79359302 526 secp256k1_scalar_t r1, r2;
79359302
PW		 527 secp256k1_scalar_add(&r1, &s1, &s2);
528 secp256k1_scalar_add(&r2, &s2, &s1);
529 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 530 }
531
52132078 532 {
bf2e1ac7
GM		 533 secp256k1_scalar_t r1, r2;
534 secp256k1_scalar_t b;
535 int i;
52132078
PW		 536 /* Test add_bit. */
537 int bit = secp256k1_rand32() % 256;
1e6c77c3 538 secp256k1_scalar_set_int(&b, 1);
52132078 539 CHECK(secp256k1_scalar_is_one(&b));
bf2e1ac7 540 for (i = 0; i < bit; i++) {
52132078
PW		 541 secp256k1_scalar_add(&b, &b, &b);
542 }
bf2e1ac7
GM		 543 r1 = s1;
544 r2 = s1;
29ae1310 545 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
52132078
PW		 546 /* No overflow happened. */
547 secp256k1_scalar_add_bit(&r2, bit);
548 CHECK(secp256k1_scalar_eq(&r1, &r2));
549 }
550 }
551
79359302 552 {
71712b27 553 /* Test commutativity of mul. */
79359302 554 secp256k1_scalar_t r1, r2;
79359302
PW		 555 secp256k1_scalar_mul(&r1, &s1, &s2);
556 secp256k1_scalar_mul(&r2, &s2, &s1);
557 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 558 }
559
560 {
71712b27 561 /* Test associativity of add. */
79359302 562 secp256k1_scalar_t r1, r2;
79359302
PW		 563 secp256k1_scalar_add(&r1, &s1, &s2);
564 secp256k1_scalar_add(&r1, &r1, &s);
565 secp256k1_scalar_add(&r2, &s2, &s);
566 secp256k1_scalar_add(&r2, &s1, &r2);
567 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 568 }
569
570 {
71712b27 571 /* Test associativity of mul. */
79359302 572 secp256k1_scalar_t r1, r2;
79359302
PW		 573 secp256k1_scalar_mul(&r1, &s1, &s2);
574 secp256k1_scalar_mul(&r1, &r1, &s);
575 secp256k1_scalar_mul(&r2, &s2, &s);
576 secp256k1_scalar_mul(&r2, &s1, &r2);
577 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302
PW		 578 }
579
580 {
71712b27 581 /* Test distributitivity of mul over add. */
79359302 582 secp256k1_scalar_t r1, r2, t;
79359302
PW		 583 secp256k1_scalar_add(&r1, &s1, &s2);
584 secp256k1_scalar_mul(&r1, &r1, &s);
585 secp256k1_scalar_mul(&r2, &s1, &s);
586 secp256k1_scalar_mul(&t, &s2, &s);
587 secp256k1_scalar_add(&r2, &r2, &t);
588 CHECK(secp256k1_scalar_eq(&r1, &r2));
79359302 589 }
1d52a8b1
PW		 590
591 {
71712b27 592 /* Test square. */
1d52a8b1
PW		 593 secp256k1_scalar_t r1, r2;
594 secp256k1_scalar_sqr(&r1, &s1);
595 secp256k1_scalar_mul(&r2, &s1, &s1);
596 CHECK(secp256k1_scalar_eq(&r1, &r2));
597 }
ff8746d4 598
8d11164b
GM		 599 {
600 /* Test multiplicative identity. */
601 secp256k1_scalar_t r1, v1;
602 secp256k1_scalar_set_int(&v1,1);
603 secp256k1_scalar_mul(&r1, &s1, &v1);
604 CHECK(secp256k1_scalar_eq(&r1, &s1));
605 }
606
607 {
608 /* Test additive identity. */
609 secp256k1_scalar_t r1, v0;
610 secp256k1_scalar_set_int(&v0,0);
611 secp256k1_scalar_add(&r1, &s1, &v0);
612 CHECK(secp256k1_scalar_eq(&r1, &s1));
613 }
614
615 {
616 /* Test zero product property. */
617 secp256k1_scalar_t r1, v0;
618 secp256k1_scalar_set_int(&v0,0);
619 secp256k1_scalar_mul(&r1, &s1, &v0);
620 CHECK(secp256k1_scalar_eq(&r1, &v0));
621 }
622
79359302
PW		 623}
624
625void run_scalar_tests(void) {
bf2e1ac7
GM		 626 int i;
627 for (i = 0; i < 128 * count; i++) {
79359302
PW		 628 scalar_test();
629 }
659b554d
PW		 630
631 {
ee3eb4be 632 /* (-1)+1 should be zero. */
659b554d
PW		 633 secp256k1_scalar_t s, o;
634 secp256k1_scalar_set_int(&s, 1);
8d11164b 635 CHECK(secp256k1_scalar_is_one(&s));
659b554d
PW		 636 secp256k1_scalar_negate(&o, &s);
637 secp256k1_scalar_add(&o, &o, &s);
638 CHECK(secp256k1_scalar_is_zero(&o));
8d11164b
GM		 639 secp256k1_scalar_negate(&o, &o);
640 CHECK(secp256k1_scalar_is_zero(&o));
659b554d
PW		 641 }
642
597128d3 643#ifndef USE_NUM_NONE
659b554d 644 {
ee3eb4be 645 /* A scalar with value of the curve order should be 0. */
659b554d 646 secp256k1_num_t order;
659b554d 647 secp256k1_scalar_t zero;
bf2e1ac7 648 unsigned char bin[32];
659b554d 649 int overflow = 0;
bf2e1ac7
GM		 650 secp256k1_scalar_order_get_num(&order);
651 secp256k1_num_get_bin(bin, 32, &order);
659b554d
PW		 652 secp256k1_scalar_set_b32(&zero, bin, &overflow);
653 CHECK(overflow == 1);
654 CHECK(secp256k1_scalar_is_zero(&zero));
655 }
597128d3 656#endif
79359302
PW		 657}
658
09ca4f32
PD		 659/***** FIELD TESTS *****/
660
661void random_fe(secp256k1_fe_t *x) {
662 unsigned char bin[32];
d907ebc0
PW		 663 do {
664 secp256k1_rand256(bin);
665 if (secp256k1_fe_set_b32(x, bin)) {
666 return;
667 }
668 } while(1);
09ca4f32
PD		 669}
670
6d6102fe
PD		 671void random_fe_non_zero(secp256k1_fe_t *nz) {
672 int tries = 10;
09ca4f32 673 while (--tries >= 0) {
6d6102fe
PD		 674 random_fe(nz);
675 secp256k1_fe_normalize(nz);
26320197 676 if (!secp256k1_fe_is_zero(nz)) {
09ca4f32 677 break;
26320197 678 }
09ca4f32 679 }
71712b27 680 /* Infinitesimal probability of spurious failure here */
0592d117 681 CHECK(tries >= 0);
09ca4f32
PD		 682}
683
6d6102fe 684void random_fe_non_square(secp256k1_fe_t *ns) {
6d6102fe 685 secp256k1_fe_t r;
bf2e1ac7 686 random_fe_non_zero(ns);
39bd94d8 687 if (secp256k1_fe_sqrt_var(&r, ns)) {
6d6102fe
PD		 688 secp256k1_fe_negate(ns, ns, 1);
689 }
690}
691
f16be77f 692int check_fe_equal(const secp256k1_fe_t *a, const secp256k1_fe_t *b) {
bf2e1ac7
GM		 693 secp256k1_fe_t an = *a;
694 secp256k1_fe_t bn = *b;
695 secp256k1_fe_normalize_weak(&an);
696 secp256k1_fe_normalize_var(&bn);
d7174edf 697 return secp256k1_fe_equal_var(&an, &bn);
f16be77f
PD		 698}
699
700int check_fe_inverse(const secp256k1_fe_t *a, const secp256k1_fe_t *ai) {
bf2e1ac7 701 secp256k1_fe_t x;
443cd4b8 702 secp256k1_fe_t one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
bf2e1ac7 703 secp256k1_fe_mul(&x, a, ai);
f16be77f
PD		 704 return check_fe_equal(&x, &one);
705}
706
ff889f7d
PW		 707void run_field_convert(void) {
708 static const unsigned char b32[32] = {
709 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
710 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
711 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
712 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
713 };
ff889f7d
PW		 714 static const secp256k1_fe_storage_t fes = SECP256K1_FE_STORAGE_CONST(
715 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
716 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
717 );
718 static const secp256k1_fe_t fe = SECP256K1_FE_CONST(
719 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
720 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
721 );
722 secp256k1_fe_t fe2;
723 unsigned char b322[32];
ff889f7d
PW		 724 secp256k1_fe_storage_t fes2;
725 /* Check conversions to fe. */
726 CHECK(secp256k1_fe_set_b32(&fe2, b32));
727 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
ff889f7d
PW		 728 secp256k1_fe_from_storage(&fe2, &fes);
729 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
730 /* Check conversion from fe. */
731 secp256k1_fe_get_b32(b322, &fe);
732 CHECK(memcmp(b322, b32, 32) == 0);
ff889f7d
PW		 733 secp256k1_fe_to_storage(&fes2, &fe);
734 CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0);
735}
736
a0601cd7
PD		 737int fe_memcmp(const secp256k1_fe_t *a, const secp256k1_fe_t *b) {
738 secp256k1_fe_t t = *b;
739#ifdef VERIFY
740 t.magnitude = a->magnitude;
741 t.normalized = a->normalized;
742#endif
743 return memcmp(a, &t, sizeof(secp256k1_fe_t));
744}
745
8d11164b 746void run_field_misc(void) {
8d11164b
GM		 747 secp256k1_fe_t x;
748 secp256k1_fe_t y;
749 secp256k1_fe_t z;
750 secp256k1_fe_t q;
443cd4b8 751 secp256k1_fe_t fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
3f3964e4 752 int i, j;
bf2e1ac7
GM		 753 for (i = 0; i < 5*count; i++) {
754 secp256k1_fe_storage_t xs, ys, zs;
8d11164b
GM		 755 random_fe(&x);
756 random_fe_non_zero(&y);
757 /* Test the fe equality and comparison operations. */
758 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
d7174edf 759 CHECK(secp256k1_fe_equal_var(&x, &x));
8d11164b
GM		 760 z = x;
761 secp256k1_fe_add(&z,&y);
9c4fb23d
GM		 762 /* Test fe conditional move; z is not normalized here. */
763 q = x;
764 secp256k1_fe_cmov(&x, &z, 0);
3f3964e4 765 VERIFY_CHECK(!x.normalized && x.magnitude == z.magnitude);
9c4fb23d 766 secp256k1_fe_cmov(&x, &x, 1);
a0601cd7
PD		 767 CHECK(fe_memcmp(&x, &z) != 0);
768 CHECK(fe_memcmp(&x, &q) == 0);
9c4fb23d 769 secp256k1_fe_cmov(&q, &z, 1);
3f3964e4 770 VERIFY_CHECK(!q.normalized && q.magnitude == z.magnitude);
a0601cd7 771 CHECK(fe_memcmp(&q, &z) == 0);
a0601cd7
PD		 772 secp256k1_fe_normalize_var(&x);
773 secp256k1_fe_normalize_var(&z);
9c4fb23d 774 CHECK(!secp256k1_fe_equal_var(&x, &z));
3f3964e4
PD		 775 secp256k1_fe_normalize_var(&q);
776 secp256k1_fe_cmov(&q, &z, (i&1));
777 VERIFY_CHECK(q.normalized && q.magnitude == 1);
778 for (j = 0; j < 6; j++) {
779 secp256k1_fe_negate(&z, &z, j+1);
780 secp256k1_fe_normalize_var(&q);
781 secp256k1_fe_cmov(&q, &z, (j&1));
782 VERIFY_CHECK(!q.normalized && q.magnitude == (j+2));
783 }
784 secp256k1_fe_normalize_var(&z);
785 /* Test storage conversion and conditional moves. */
fcc48c45
PW		 786 secp256k1_fe_to_storage(&xs, &x);
787 secp256k1_fe_to_storage(&ys, &y);
788 secp256k1_fe_to_storage(&zs, &z);
789 secp256k1_fe_storage_cmov(&zs, &xs, 0);
9c4fb23d 790 secp256k1_fe_storage_cmov(&zs, &zs, 1);
fcc48c45
PW		 791 CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0);
792 secp256k1_fe_storage_cmov(&ys, &xs, 1);
793 CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0);
794 secp256k1_fe_from_storage(&x, &xs);
795 secp256k1_fe_from_storage(&y, &ys);
796 secp256k1_fe_from_storage(&z, &zs);
8d11164b
GM		 797 /* Test that mul_int, mul, and add agree. */
798 secp256k1_fe_add(&y, &x);
799 secp256k1_fe_add(&y, &x);
800 z = x;
801 secp256k1_fe_mul_int(&z, 3);
802 CHECK(check_fe_equal(&y, &z));
803 secp256k1_fe_add(&y, &x);
804 secp256k1_fe_add(&z, &x);
805 CHECK(check_fe_equal(&z, &y));
806 z = x;
807 secp256k1_fe_mul_int(&z, 5);
808 secp256k1_fe_mul(&q, &x, &fe5);
809 CHECK(check_fe_equal(&z, &q));
810 secp256k1_fe_negate(&x, &x, 1);
811 secp256k1_fe_add(&z, &x);
812 secp256k1_fe_add(&q, &x);
813 CHECK(check_fe_equal(&y, &z));
814 CHECK(check_fe_equal(&q, &y));
815 }
816}
817
2cad067a 818void run_field_inv(void) {
f16be77f 819 secp256k1_fe_t x, xi, xii;
bf2e1ac7
GM		 820 int i;
821 for (i = 0; i < 10*count; i++) {
f16be77f
PD		 822 random_fe_non_zero(&x);
823 secp256k1_fe_inv(&xi, &x);
824 CHECK(check_fe_inverse(&x, &xi));
825 secp256k1_fe_inv(&xii, &xi);
826 CHECK(check_fe_equal(&x, &xii));
827 }
828}
829
2cad067a 830void run_field_inv_var(void) {
f16be77f 831 secp256k1_fe_t x, xi, xii;
bf2e1ac7
GM		 832 int i;
833 for (i = 0; i < 10*count; i++) {
f16be77f
PD		 834 random_fe_non_zero(&x);
835 secp256k1_fe_inv_var(&xi, &x);
836 CHECK(check_fe_inverse(&x, &xi));
837 secp256k1_fe_inv_var(&xii, &xi);
838 CHECK(check_fe_equal(&x, &xii));
839 }
840}
841
2cad067a 842void run_field_inv_all_var(void) {
f16be77f 843 secp256k1_fe_t x[16], xi[16], xii[16];
bf2e1ac7 844 int i;
71712b27 845 /* Check it's safe to call for 0 elements */
f16be77f 846 secp256k1_fe_inv_all_var(0, xi, x);
bf2e1ac7
GM		 847 for (i = 0; i < count; i++) {
848 size_t j;
f16be77f 849 size_t len = (secp256k1_rand32() & 15) + 1;
26320197 850 for (j = 0; j < len; j++) {
f16be77f 851 random_fe_non_zero(&x[j]);
26320197 852 }
f16be77f 853 secp256k1_fe_inv_all_var(len, xi, x);
26320197 854 for (j = 0; j < len; j++) {
f16be77f 855 CHECK(check_fe_inverse(&x[j], &xi[j]));
26320197 856 }
f16be77f 857 secp256k1_fe_inv_all_var(len, xii, xi);
26320197 858 for (j = 0; j < len; j++) {
f16be77f 859 CHECK(check_fe_equal(&x[j], &xii[j]));
26320197 860 }
f16be77f
PD		 861 }
862}
863
2cad067a 864void run_sqr(void) {
59447da3
PD		 865 secp256k1_fe_t x, s;
866
59447da3 867 {
bf2e1ac7 868 int i;
59447da3
PD		 869 secp256k1_fe_set_int(&x, 1);
870 secp256k1_fe_negate(&x, &x, 1);
871
bf2e1ac7 872 for (i = 1; i <= 512; ++i) {
59447da3
PD		 873 secp256k1_fe_mul_int(&x, 2);
874 secp256k1_fe_normalize(&x);
875 secp256k1_fe_sqr(&s, &x);
59447da3
PD		 876 }
877 }
59447da3
PD		 878}
879
09ca4f32
PD		 880void test_sqrt(const secp256k1_fe_t *a, const secp256k1_fe_t *k) {
881 secp256k1_fe_t r1, r2;
39bd94d8 882 int v = secp256k1_fe_sqrt_var(&r1, a);
0592d117 883 CHECK((v == 0) == (k == NULL));
09ca4f32
PD		 884
885 if (k != NULL) {
71712b27 886 /* Check that the returned root is +/- the given known answer */
09ca4f32
PD		 887 secp256k1_fe_negate(&r2, &r1, 1);
888 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
889 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
0592d117 890 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
09ca4f32
PD		 891 }
892}
893
2cad067a 894void run_sqrt(void) {
09ca4f32 895 secp256k1_fe_t ns, x, s, t;
bf2e1ac7 896 int i;
6d6102fe 897
71712b27 898 /* Check sqrt(0) is 0 */
6d6102fe
PD		 899 secp256k1_fe_set_int(&x, 0);
900 secp256k1_fe_sqr(&s, &x);
901 test_sqrt(&s, &x);
902
71712b27 903 /* Check sqrt of small squares (and their negatives) */
bf2e1ac7 904 for (i = 1; i <= 100; i++) {
6d6102fe 905 secp256k1_fe_set_int(&x, i);
09ca4f32
PD		 906 secp256k1_fe_sqr(&s, &x);
907 test_sqrt(&s, &x);
6d6102fe 908 secp256k1_fe_negate(&t, &s, 1);
09ca4f32
PD		 909 test_sqrt(&t, NULL);
910 }
6d6102fe 911
71712b27 912 /* Consistency checks for large random values */
bf2e1ac7
GM		 913 for (i = 0; i < 10; i++) {
914 int j;
6d6102fe 915 random_fe_non_square(&ns);
bf2e1ac7 916 for (j = 0; j < count; j++) {
6d6102fe
PD		 917 random_fe(&x);
918 secp256k1_fe_sqr(&s, &x);
919 test_sqrt(&s, &x);
920 secp256k1_fe_negate(&t, &s, 1);
921 test_sqrt(&t, NULL);
922 secp256k1_fe_mul(&t, &s, &ns);
923 test_sqrt(&t, NULL);
924 }
925 }
09ca4f32
PD		 926}
927
9338dbf7
PW		 928/***** GROUP TESTS *****/
929
60571c6e
PW		 930void ge_equals_ge(const secp256k1_ge_t *a, const secp256k1_ge_t *b) {
931 CHECK(a->infinity == b->infinity);
26320197 932 if (a->infinity) {
60571c6e 933 return;
26320197 934 }
60571c6e 935 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
baa75da5 936 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
9338dbf7
PW		 937}
938
d2275795
GM		 939/* This compares jacobian points including their Z, not just their geometric meaning. */
940int gej_xyz_equals_gej(const secp256k1_gej_t *a, const secp256k1_gej_t *b) {
941 secp256k1_gej_t a2;
942 secp256k1_gej_t b2;
943 int ret = 1;
944 ret &= a->infinity == b->infinity;
945 if (ret && !a->infinity) {
946 a2 = *a;
947 b2 = *b;
948 secp256k1_fe_normalize(&a2.x);
949 secp256k1_fe_normalize(&a2.y);
950 secp256k1_fe_normalize(&a2.z);
951 secp256k1_fe_normalize(&b2.x);
952 secp256k1_fe_normalize(&b2.y);
953 secp256k1_fe_normalize(&b2.z);
954 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
955 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
956 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
957 }
958 return ret;
959}
960
9338dbf7 961void ge_equals_gej(const secp256k1_ge_t *a, const secp256k1_gej_t *b) {
bf2e1ac7
GM		 962 secp256k1_fe_t z2s;
963 secp256k1_fe_t u1, u2, s1, s2;
60571c6e 964 CHECK(a->infinity == b->infinity);
26320197 965 if (a->infinity) {
60571c6e 966 return;
26320197 967 }
60571c6e 968 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
60571c6e 969 secp256k1_fe_sqr(&z2s, &b->z);
60571c6e
PW		 970 secp256k1_fe_mul(&u1, &a->x, &z2s);
971 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
972 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
973 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
974 CHECK(secp256k1_fe_equal_var(&u1, &u2));
975 CHECK(secp256k1_fe_equal_var(&s1, &s2));
9338dbf7
PW		 976}
977
2cad067a 978void test_ge(void) {
bf2e1ac7 979 int i, i1;
76574202
PW		 980#ifdef USE_ENDOMORPHISM
981 int runs = 6;
982#else
60571c6e 983 int runs = 4;
76574202 984#endif
60571c6e
PW		 985 /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
986 * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
987 * All magnitudes are randomized.
988 * All 17*17 combinations of points are added to eachother, using all applicable methods.
76574202
PW		 989 *
990 * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well.
60571c6e 991 */
c01df1ad
GM		 992 secp256k1_ge_t *ge = (secp256k1_ge_t *)malloc(sizeof(secp256k1_ge_t) * (1 + 4 * runs));
993 secp256k1_gej_t *gej = (secp256k1_gej_t *)malloc(sizeof(secp256k1_gej_t) * (1 + 4 * runs));
4f9791ab
PD		 994 secp256k1_fe_t *zinv = (secp256k1_fe_t *)malloc(sizeof(secp256k1_fe_t) * (1 + 4 * runs));
995 secp256k1_fe_t zf;
996 secp256k1_fe_t zfi2, zfi3;
997
60571c6e
PW		 998 secp256k1_gej_set_infinity(&gej[0]);
999 secp256k1_ge_clear(&ge[0]);
1000 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
bf2e1ac7
GM		 1001 for (i = 0; i < runs; i++) {
1002 int j;
60571c6e
PW		 1003 secp256k1_ge_t g;
1004 random_group_element_test(&g);
76574202
PW		 1005#ifdef USE_ENDOMORPHISM
1006 if (i >= runs - 2) {
1007 secp256k1_ge_mul_lambda(&g, &ge[1]);
1008 }
1009 if (i >= runs - 1) {
1010 secp256k1_ge_mul_lambda(&g, &g);
1011 }
1012#endif
60571c6e
PW		 1013 ge[1 + 4 * i] = g;
1014 ge[2 + 4 * i] = g;
1015 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
1016 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
1017 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
1018 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
1019 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
1020 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
bf2e1ac7 1021 for (j = 0; j < 4; j++) {
60571c6e
PW		 1022 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
1023 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
1024 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
1025 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
1026 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
1027 }
1028 }
1029
4f9791ab
PD		 1030 /* Compute z inverses. */
1031 {
1032 secp256k1_fe_t *zs = malloc(sizeof(secp256k1_fe_t) * (1 + 4 * runs));
1033 for (i = 0; i < 4 * runs + 1; i++) {
1034 if (i == 0) {
1035 /* The point at infinity does not have a meaningful z inverse. Any should do. */
1036 do {
1037 random_field_element_test(&zs[i]);
1038 } while(secp256k1_fe_is_zero(&zs[i]));
1039 } else {
1040 zs[i] = gej[i].z;
1041 }
1042 }
1043 secp256k1_fe_inv_all_var(4 * runs + 1, zinv, zs);
1044 free(zs);
1045 }
1046
1047 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
1048 do {
1049 random_field_element_test(&zf);
1050 } while(secp256k1_fe_is_zero(&zf));
1051 random_field_element_magnitude(&zf);
1052 secp256k1_fe_inv_var(&zfi3, &zf);
1053 secp256k1_fe_sqr(&zfi2, &zfi3);
1054 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
1055
bf2e1ac7
GM		 1056 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
1057 int i2;
1058 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
60571c6e
PW		 1059 /* Compute reference result using gej + gej (var). */
1060 secp256k1_gej_t refj, resj;
1061 secp256k1_ge_t ref;
4f9791ab
PD		 1062 secp256k1_fe_t zr;
1063 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
1064 /* Check Z ratio. */
1065 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
1066 secp256k1_fe_t zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
1067 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
1068 }
60571c6e
PW		 1069 secp256k1_ge_set_gej_var(&ref, &refj);
1070
2d5a186c
PD		 1071 /* Test gej + ge with Z ratio result (var). */
1072 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
60571c6e 1073 ge_equals_gej(&ref, &resj);
2d5a186c
PD		 1074 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
1075 secp256k1_fe_t zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
1076 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
1077 }
60571c6e 1078
4f9791ab
PD		 1079 /* Test gej + ge (var, with additional Z factor). */
1080 {
1081 secp256k1_ge_t ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
1082 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
1083 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
1084 random_field_element_magnitude(&ge2_zfi.x);
1085 random_field_element_magnitude(&ge2_zfi.y);
1086 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
1087 ge_equals_gej(&ref, &resj);
1088 }
1089
60571c6e
PW		 1090 /* Test gej + ge (const). */
1091 if (i2 != 0) {
1092 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
1093 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
1094 ge_equals_gej(&ref, &resj);
1095 }
1096
1097 /* Test doubling (var). */
1098 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
4f9791ab
PD		 1099 secp256k1_fe_t zr2;
1100 /* Normal doubling with Z ratio result. */
1101 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
60571c6e 1102 ge_equals_gej(&ref, &resj);
4f9791ab
PD		 1103 /* Check Z ratio. */
1104 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
1105 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
1106 /* Normal doubling. */
1107 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
60571c6e
PW		 1108 ge_equals_gej(&ref, &resj);
1109 }
1110
1111 /* Test adding opposites. */
1112 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
1113 CHECK(secp256k1_ge_is_infinity(&ref));
1114 }
1115
1116 /* Test adding infinity. */
1117 if (i1 == 0) {
1118 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
1119 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
1120 ge_equals_gej(&ref, &gej[i2]);
1121 }
1122 if (i2 == 0) {
1123 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
1124 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
1125 ge_equals_gej(&ref, &gej[i1]);
1126 }
1127 }
1128 }
1129
9ab93355
PW		 1130 /* Test adding all points together in random order equals infinity. */
1131 {
443cd4b8 1132 secp256k1_gej_t sum = SECP256K1_GEJ_CONST_INFINITY;
c01df1ad 1133 secp256k1_gej_t *gej_shuffled = (secp256k1_gej_t *)malloc((4 * runs + 1) * sizeof(secp256k1_gej_t));
bf2e1ac7 1134 for (i = 0; i < 4 * runs + 1; i++) {
9ab93355
PW		 1135 gej_shuffled[i] = gej[i];
1136 }
bf2e1ac7 1137 for (i = 0; i < 4 * runs + 1; i++) {
9ab93355
PW		 1138 int swap = i + secp256k1_rand32() % (4 * runs + 1 - i);
1139 if (swap != i) {
1140 secp256k1_gej_t t = gej_shuffled[i];
1141 gej_shuffled[i] = gej_shuffled[swap];
1142 gej_shuffled[swap] = t;
1143 }
1144 }
bf2e1ac7 1145 for (i = 0; i < 4 * runs + 1; i++) {
4f9791ab 1146 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
9ab93355
PW		 1147 }
1148 CHECK(secp256k1_gej_is_infinity(&sum));
1149 free(gej_shuffled);
1150 }
1151
4f9791ab 1152 /* Test batch gej -> ge conversion with and without known z ratios. */
60571c6e 1153 {
4f9791ab
PD		 1154 secp256k1_fe_t *zr = (secp256k1_fe_t *)malloc((4 * runs + 1) * sizeof(secp256k1_fe_t));
1155 secp256k1_ge_t *ge_set_table = (secp256k1_ge_t *)malloc((4 * runs + 1) * sizeof(secp256k1_ge_t));
c01df1ad 1156 secp256k1_ge_t *ge_set_all = (secp256k1_ge_t *)malloc((4 * runs + 1) * sizeof(secp256k1_ge_t));
4f9791ab
PD		 1157 for (i = 0; i < 4 * runs + 1; i++) {
1158 /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
1159 if (i < 4 * runs) {
1160 secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
1161 }
1162 }
1163 secp256k1_ge_set_table_gej_var(4 * runs + 1, ge_set_table, gej, zr);
995c5487 1164 secp256k1_ge_set_all_gej_var(4 * runs + 1, ge_set_all, gej, &ctx->error_callback);
bf2e1ac7 1165 for (i = 0; i < 4 * runs + 1; i++) {
d2275795
GM		 1166 secp256k1_fe_t s;
1167 random_fe_non_zero(&s);
1168 secp256k1_gej_rescale(&gej[i], &s);
4f9791ab 1169 ge_equals_gej(&ge_set_table[i], &gej[i]);
60571c6e
PW		 1170 ge_equals_gej(&ge_set_all[i], &gej[i]);
1171 }
4f9791ab 1172 free(ge_set_table);
60571c6e 1173 free(ge_set_all);
4f9791ab 1174 free(zr);
60571c6e
PW		 1175 }
1176
1177 free(ge);
1178 free(gej);
4f9791ab 1179 free(zinv);
9338dbf7
PW		 1180}
1181
8c5d5f7b
AP		 1182void test_add_neg_y_diff_x(void) {
1183 /* The point of this test is to check that we can add two points
1184 * whose y-coordinates are negatives of each other but whose x
1185 * coordinates differ. If the x-coordinates were the same, these
1186 * points would be negatives of each other and their sum is
1187 * infinity. This is cool because it "covers up" any degeneracy
1188 * in the addition algorithm that would cause the xy coordinates
1189 * of the sum to be wrong (since infinity has no xy coordinates).
1190 * HOWEVER, if the x-coordinates are different, infinity is the
1191 * wrong answer, and such degeneracies are exposed. This is the
1192 * root of https://github.com/bitcoin/secp256k1/issues/257 which
1193 * this test is a regression test for.
1194 *
1195 * These points were generated in sage as
1196 * # secp256k1 params
1197 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
1198 * C = EllipticCurve ([F (0), F (7)])
1199 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
1200 * N = FiniteField(G.order())
1201 *
1202 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
1203 * x = polygen(N)
1204 * lam = (1 - x^3).roots()[1][0]
1205 *
1206 * # random "bad pair"
1207 * P = C.random_element()
1208 * Q = -int(lam) * P
1209 * print " P: %x %x" % P.xy()
1210 * print " Q: %x %x" % Q.xy()
1211 * print "P + Q: %x %x" % (P + Q).xy()
1212 */
1213 secp256k1_gej_t aj = SECP256K1_GEJ_CONST(
1214 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
1215 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
1216 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
1217 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
1218 );
1219 secp256k1_gej_t bj = SECP256K1_GEJ_CONST(
1220 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
1221 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
1222 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
1223 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
1224 );
1225 secp256k1_gej_t sumj = SECP256K1_GEJ_CONST(
1226 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
1227 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
1228 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
1229 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
1230 );
1231 secp256k1_ge_t b;
1232 secp256k1_gej_t resj;
1233 secp256k1_ge_t res;
1234 secp256k1_ge_set_gej(&b, &bj);
1235
1236 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
1237 secp256k1_ge_set_gej(&res, &resj);
1238 ge_equals_gej(&res, &sumj);
1239
1240 secp256k1_gej_add_ge(&resj, &aj, &b);
1241 secp256k1_ge_set_gej(&res, &resj);
1242 ge_equals_gej(&res, &sumj);
1243
1244 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
1245 secp256k1_ge_set_gej(&res, &resj);
1246 ge_equals_gej(&res, &sumj);
1247}
1248
2cad067a 1249void run_ge(void) {
bf2e1ac7
GM		 1250 int i;
1251 for (i = 0; i < count * 32; i++) {
9338dbf7
PW		 1252 test_ge();
1253 }
8c5d5f7b 1254 test_add_neg_y_diff_x();
9338dbf7
PW		 1255}
1256
09ca4f32
PD		 1257/***** ECMULT TESTS *****/
1258
2cad067a 1259void run_ecmult_chain(void) {
443cd4b8
PW		 1260 /* random starting point A (on the curve) */
1261 secp256k1_gej_t a = SECP256K1_GEJ_CONST(
1262 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
1263 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
1264 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
1265 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
1266 );
71712b27 1267 /* two random initial factors xn and gn */
443cd4b8
PW		 1268 secp256k1_scalar_t xn = SECP256K1_SCALAR_CONST(
1269 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
1270 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
1271 );
1272 secp256k1_scalar_t gn = SECP256K1_SCALAR_CONST(
1273 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
1274 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
1275 );
71712b27 1276 /* two small multipliers to be applied to xn and gn in every iteration: */
443cd4b8
PW		 1277 static const secp256k1_scalar_t xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
1278 static const secp256k1_scalar_t gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
71712b27 1279 /* accumulators with the resulting coefficients to A and G */
443cd4b8
PW		 1280 secp256k1_scalar_t ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
1281 secp256k1_scalar_t ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
1282 /* actual points */
1283 secp256k1_gej_t x = a;
1284 secp256k1_gej_t x2;
1285 int i;
1286
71712b27 1287 /* the point being computed */
bf2e1ac7
GM		 1288 x = a;
1289 for (i = 0; i < 200*count; i++) {
71712b27 1290 /* in each iteration, compute X = xn*X + gn*G; */
a9b6595e 1291 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
71712b27
GM		 1292 /* also compute ae and ge: the actual accumulated factors for A and G */
1293 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
f24041d6
PW		 1294 secp256k1_scalar_mul(&ae, &ae, &xn);
1295 secp256k1_scalar_mul(&ge, &ge, &xn);
1296 secp256k1_scalar_add(&ge, &ge, &gn);
71712b27 1297 /* modify xn and gn */
f24041d6
PW		 1298 secp256k1_scalar_mul(&xn, &xn, &xf);
1299 secp256k1_scalar_mul(&gn, &gn, &gf);
404c30a8 1300
71712b27 1301 /* verify */
404c30a8 1302 if (i == 19999) {
443cd4b8
PW		 1303 /* expected result after 19999 iterations */
1304 secp256k1_gej_t rp = SECP256K1_GEJ_CONST(
1305 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
1306 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
1307 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
1308 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
1309 );
1310
1311 secp256k1_gej_neg(&rp, &rp);
4f9791ab 1312 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
443cd4b8 1313 CHECK(secp256k1_gej_is_infinity(&rp));
404c30a8 1314 }
4adf6b2a 1315 }
71712b27 1316 /* redo the computation, but directly with the resulting ae and ge coefficients: */
a9b6595e 1317 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
443cd4b8 1318 secp256k1_gej_neg(&x2, &x2);
4f9791ab 1319 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
443cd4b8 1320 CHECK(secp256k1_gej_is_infinity(&x2));
a41f32e6
PW		 1321}
1322
eb0be8ee 1323void test_point_times_order(const secp256k1_gej_t *point) {
b5c9ee75 1324 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
f24041d6 1325 secp256k1_scalar_t x;
f24041d6 1326 secp256k1_scalar_t nx;
baa75da5
AP		 1327 secp256k1_scalar_t zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
1328 secp256k1_scalar_t one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
b5c9ee75 1329 secp256k1_gej_t res1, res2;
bf2e1ac7
GM		 1330 secp256k1_ge_t res3;
1331 unsigned char pub[65];
1332 int psize = 65;
1333 random_scalar_order_test(&x);
1334 secp256k1_scalar_negate(&nx, &x);
a9b6595e
PW		 1335 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
1336 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
4f9791ab 1337 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
b5c9ee75 1338 CHECK(secp256k1_gej_is_infinity(&res1));
39bd94d8 1339 CHECK(secp256k1_gej_is_valid_var(&res1) == 0);
ee3eb4be
GM		 1340 secp256k1_ge_set_gej(&res3, &res1);
1341 CHECK(secp256k1_ge_is_infinity(&res3));
39bd94d8 1342 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
8d11164b
GM		 1343 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
1344 psize = 65;
1345 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
baa75da5
AP		 1346 /* check zero/one edge cases */
1347 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
1348 secp256k1_ge_set_gej(&res3, &res1);
1349 CHECK(secp256k1_ge_is_infinity(&res3));
1350 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
1351 secp256k1_ge_set_gej(&res3, &res1);
1352 ge_equals_gej(&res3, point);
1353 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
1354 secp256k1_ge_set_gej(&res3, &res1);
1355 ge_equals_ge(&res3, &secp256k1_ge_const_g);
4e0ed539
PW		 1356}
1357
2cad067a 1358void run_point_times_order(void) {
bf2e1ac7 1359 int i;
443cd4b8
PW		 1360 secp256k1_fe_t x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
1361 static const secp256k1_fe_t xr = SECP256K1_FE_CONST(
1362 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
1363 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
1364 );
bf2e1ac7 1365 for (i = 0; i < 500; i++) {
09ca4f32 1366 secp256k1_ge_t p;
39bd94d8 1367 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
09ca4f32 1368 secp256k1_gej_t j;
bf2e1ac7 1369 CHECK(secp256k1_ge_is_valid_var(&p));
09ca4f32 1370 secp256k1_gej_set_ge(&j, &p);
39bd94d8 1371 CHECK(secp256k1_gej_is_valid_var(&j));
09ca4f32
PD		 1372 test_point_times_order(&j);
1373 }
910d0de4 1374 secp256k1_fe_sqr(&x, &x);
4e0ed539 1375 }
443cd4b8
PW		 1376 secp256k1_fe_normalize_var(&x);
1377 CHECK(secp256k1_fe_equal_var(&x, &xr));
4e0ed539
PW		 1378}
1379
f24041d6
PW		 1380void test_wnaf(const secp256k1_scalar_t *number, int w) {
1381 secp256k1_scalar_t x, two, t;
bf2e1ac7
GM		 1382 int wnaf[256];
1383 int zeroes = -1;
1384 int i;
1385 int bits;
f24041d6
PW		 1386 secp256k1_scalar_set_int(&x, 0);
1387 secp256k1_scalar_set_int(&two, 2);
55399c23 1388 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
0b730597 1389 CHECK(bits <= 256);
bf2e1ac7 1390 for (i = bits-1; i >= 0; i--) {
b1483f87 1391 int v = wnaf[i];
bf2e1ac7 1392 secp256k1_scalar_mul(&x, &x, &two);
4e0ed539 1393 if (v) {
71712b27 1394 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
4e0ed539 1395 zeroes=0;
71712b27
GM		 1396 CHECK((v & 1) == 1); /* check non-zero elements are odd */
1397 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
1398 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
4e0ed539 1399 } else {
71712b27 1400 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
4e0ed539
PW		 1401 zeroes++;
1402 }
f24041d6
PW		 1403 if (v >= 0) {
1404 secp256k1_scalar_set_int(&t, v);
1405 } else {
1406 secp256k1_scalar_set_int(&t, -v);
1407 secp256k1_scalar_negate(&t, &t);
1408 }
1409 secp256k1_scalar_add(&x, &x, &t);
4e0ed539 1410 }
f24041d6 1411 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
4e0ed539
PW		 1412}
1413
2cad067a 1414void run_wnaf(void) {
bf2e1ac7 1415 int i;
f24041d6 1416 secp256k1_scalar_t n;
bf2e1ac7 1417 for (i = 0; i < count; i++) {
f24041d6 1418 random_scalar_order(&n);
eb0be8ee 1419 test_wnaf(&n, 4+(i%10));
4e0ed539
PW		 1420 }
1421}
a41f32e6 1422
d2275795
GM		 1423void test_ecmult_constants(void) {
1424 /* Test ecmult_gen() for [0..36) and [order-36..0). */
1425 secp256k1_scalar_t x;
1426 secp256k1_gej_t r;
1427 secp256k1_ge_t ng;
1428 int i;
1429 int j;
1430 secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
1431 for (i = 0; i < 36; i++ ) {
1432 secp256k1_scalar_set_int(&x, i);
1433 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
1434 for (j = 0; j < i; j++) {
1435 if (j == i - 1) {
1436 ge_equals_gej(&secp256k1_ge_const_g, &r);
1437 }
1438 secp256k1_gej_add_ge(&r, &r, &ng);
1439 }
1440 CHECK(secp256k1_gej_is_infinity(&r));
1441 }
1442 for (i = 1; i <= 36; i++ ) {
1443 secp256k1_scalar_set_int(&x, i);
1444 secp256k1_scalar_negate(&x, &x);
1445 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
1446 for (j = 0; j < i; j++) {
1447 if (j == i - 1) {
1448 ge_equals_gej(&ng, &r);
1449 }
1450 secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
1451 }
1452 CHECK(secp256k1_gej_is_infinity(&r));
1453 }
1454}
1455
1456void run_ecmult_constants(void) {
1457 test_ecmult_constants();
1458}
1459
1460void test_ecmult_gen_blind(void) {
1461 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affline points match, and the z's don't match. */
1462 secp256k1_scalar_t key;
1463 secp256k1_scalar_t b;
1464 unsigned char seed32[32];
1465 secp256k1_gej_t pgej;
1466 secp256k1_gej_t pgej2;
1467 secp256k1_gej_t i;
1468 secp256k1_ge_t pge;
1469 random_scalar_order_test(&key);
1470 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
1471 secp256k1_rand256(seed32);
1472 b = ctx->ecmult_gen_ctx.blind;
1473 i = ctx->ecmult_gen_ctx.initial;
1474 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
1475 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
1476 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
1477 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
1478 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
1479 secp256k1_ge_set_gej(&pge, &pgej);
1480 ge_equals_gej(&pge, &pgej2);
1481}
1482
1483void test_ecmult_gen_blind_reset(void) {
1484 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
1485 secp256k1_scalar_t b;
1486 secp256k1_gej_t initial;
1487 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
1488 b = ctx->ecmult_gen_ctx.blind;
1489 initial = ctx->ecmult_gen_ctx.initial;
1490 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
1491 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
1492 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
1493}
1494
1495void run_ecmult_gen_blind(void) {
1496 int i;
1497 test_ecmult_gen_blind_reset();
1498 for (i = 0; i < 10; i++) {
1499 test_ecmult_gen_blind();
1500 }
1501}
1502
baa75da5
AP		 1503#ifdef USE_ENDOMORPHISM
1504/***** ENDOMORPHISH TESTS *****/
1505void test_scalar_split(void) {
1506 secp256k1_scalar_t full;
1507 secp256k1_scalar_t s1, slam;
1508 const unsigned char zero[32] = {0};
1509 unsigned char tmp[32];
1510
1511 random_scalar_order_test(&full);
1512 secp256k1_scalar_split_lambda_var(&s1, &slam, &full);
1513
1514 /* check that both are <= 128 bits in size */
1515 if (secp256k1_scalar_is_high(&s1))
1516 secp256k1_scalar_negate(&s1, &s1);
1517 if (secp256k1_scalar_is_high(&slam))
1518 secp256k1_scalar_negate(&slam, &slam);
1519
1520 secp256k1_scalar_get_b32(tmp, &s1);
1521 CHECK(memcmp(zero, tmp, 16) == 0);
1522 secp256k1_scalar_get_b32(tmp, &slam);
1523 CHECK(memcmp(zero, tmp, 16) == 0);
1524}
1525
1526void run_endomorphism_tests(void) {
1527 test_scalar_split();
1528}
1529#endif
d2275795 1530
18c329c5 1531void random_sign(secp256k1_scalar_t *sigr, secp256k1_scalar_t *sigs, const secp256k1_scalar_t *key, const secp256k1_scalar_t *msg, int *recid) {
a9f5c8b8 1532 secp256k1_scalar_t nonce;
dd08f037 1533 do {
a9f5c8b8 1534 random_scalar_order_test(&nonce);
18c329c5 1535 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
dd08f037
PW		 1536}
1537
2cad067a 1538void test_ecdsa_sign_verify(void) {
bf2e1ac7
GM		 1539 secp256k1_gej_t pubj;
1540 secp256k1_ge_t pub;
1541 secp256k1_scalar_t one;
1542 secp256k1_scalar_t msg, key;
18c329c5 1543 secp256k1_scalar_t sigr, sigs;
ee3eb4be
GM		 1544 int recid;
1545 int getrec;
a9f5c8b8 1546 random_scalar_order_test(&msg);
a9f5c8b8 1547 random_scalar_order_test(&key);
a9b6595e 1548 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
bf2e1ac7 1549 secp256k1_ge_set_gej(&pub, &pubj);
ee3eb4be 1550 getrec = secp256k1_rand32()&1;
18c329c5 1551 random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
26320197
GM		 1552 if (getrec) {
1553 CHECK(recid >= 0 && recid < 4);
1554 }
18c329c5 1555 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
f24041d6
PW		 1556 secp256k1_scalar_set_int(&one, 1);
1557 secp256k1_scalar_add(&msg, &msg, &one);
18c329c5 1558 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
0a07e62f
PW		 1559}
1560
2cad067a 1561void run_ecdsa_sign_verify(void) {
bf2e1ac7
GM		 1562 int i;
1563 for (i = 0; i < 10*count; i++) {
0a07e62f
PW		 1564 test_ecdsa_sign_verify();
1565 }
1566}
1567
c6e7f4e8
PW		 1568/** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
1569static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, unsigned int counter, const void *data) {
1570 (void)msg32;
1571 (void)key32;
1572 memcpy(nonce32, data, 32);
1573 return (counter == 0);
1574}
1575
941e221f
GM		 1576static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, unsigned int counter, const void *data) {
1577 /* Dummy nonce generator that has a fatal error on the first counter value. */
26320197
GM		 1578 if (counter == 0) {
1579 return 0;
1580 }
941e221f
GM		 1581 return nonce_function_rfc6979(nonce32, msg32, key32, counter - 1, data);
1582}
1583
1584static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, unsigned int counter, const void *data) {
1585 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
1586 if (counter < 3) {
1587 memset(nonce32, counter==0 ? 0 : 255, 32);
26320197
GM		 1588 if (counter == 2) {
1589 nonce32[31]--;
1590 }
941e221f
GM		 1591 return 1;
1592 }
1593 if (counter < 5) {
1594 static const unsigned char order[] = {
1595 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
1596 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
1597 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
1598 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
1599 };
1600 memcpy(nonce32, order, 32);
26320197
GM		 1601 if (counter == 4) {
1602 nonce32[31]++;
1603 }
941e221f
GM		 1604 return 1;
1605 }
1606 /* Retry rate of 6979 is negligible esp. as we only call this in determinstic tests. */
1607 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
26320197
GM		 1608 if (counter > 5) {
1609 return 0;
1610 }
941e221f
GM		 1611 return nonce_function_rfc6979(nonce32, msg32, key32, counter - 5, data);
1612}
1613
74a2acdb
PW		 1614int is_empty_signature(const secp256k1_ecdsa_signature_t *sig) {
1615 static const unsigned char res[sizeof(secp256k1_ecdsa_signature_t)] = {0};
1616 return memcmp(sig, res, sizeof(secp256k1_ecdsa_signature_t)) == 0;
8030d7c0
PW		 1617}
1618
2cad067a 1619void test_ecdsa_end_to_end(void) {
efc571ce 1620 unsigned char extra[32] = {0x00};
25f4aec0
PW		 1621 unsigned char privkey[32];
1622 unsigned char message[32];
bf2e1ac7 1623 unsigned char privkey2[32];
74a2acdb
PW		 1624 secp256k1_ecdsa_signature_t signature[5];
1625 unsigned char sig[74];
1626 int siglen = 74;
23cfa914
PW		 1627 unsigned char pubkeyc[65];
1628 int pubkeyclen = 65;
1629 secp256k1_pubkey_t pubkey;
1630 secp256k1_pubkey_t recpubkey;
bf2e1ac7 1631 unsigned char seckey[300];
bf2e1ac7 1632 int recid = 0;
bf2e1ac7 1633 int seckeylen = 300;
25f4aec0 1634
71712b27 1635 /* Generate a random key and message. */
25f4aec0 1636 {
659b554d
PW		 1637 secp256k1_scalar_t msg, key;
1638 random_scalar_order_test(&msg);
1639 random_scalar_order_test(&key);
1640 secp256k1_scalar_get_b32(privkey, &key);
1641 secp256k1_scalar_get_b32(message, &msg);
25f4aec0
PW		 1642 }
1643
71712b27 1644 /* Construct and verify corresponding public key. */
a9b6595e 1645 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
23cfa914 1646 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
99fd963b 1647
23cfa914
PW		 1648 /* Verify exporting and importing public key. */
1649 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_rand32() % 2) == 1);
1650 memset(&pubkey, 0, sizeof(pubkey));
1651 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
25f4aec0 1652
71712b27 1653 /* Verify private key import and export. */
a9b6595e
PW		 1654 CHECK(secp256k1_ec_privkey_export(ctx, privkey, seckey, &seckeylen, secp256k1_rand32() % 2) == 1);
1655 CHECK(secp256k1_ec_privkey_import(ctx, privkey2, seckey, seckeylen) == 1);
25f4aec0
PW		 1656 CHECK(memcmp(privkey, privkey2, 32) == 0);
1657
71712b27 1658 /* Optionally tweak the keys using addition. */
25f4aec0 1659 if (secp256k1_rand32() % 3 == 0) {
bf2e1ac7
GM		 1660 int ret1;
1661 int ret2;
25f4aec0 1662 unsigned char rnd[32];
23cfa914 1663 secp256k1_pubkey_t pubkey2;
25f4aec0 1664 secp256k1_rand256_test(rnd);
a9b6595e 1665 ret1 = secp256k1_ec_privkey_tweak_add(ctx, privkey, rnd);
23cfa914 1666 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
25f4aec0 1667 CHECK(ret1 == ret2);
26320197
GM		 1668 if (ret1 == 0) {
1669 return;
1670 }
23cfa914
PW		 1671 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
1672 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
25f4aec0
PW		 1673 }
1674
71712b27 1675 /* Optionally tweak the keys using multiplication. */
25f4aec0 1676 if (secp256k1_rand32() % 3 == 0) {
bf2e1ac7
GM		 1677 int ret1;
1678 int ret2;
25f4aec0 1679 unsigned char rnd[32];
23cfa914 1680 secp256k1_pubkey_t pubkey2;
25f4aec0 1681 secp256k1_rand256_test(rnd);
a9b6595e 1682 ret1 = secp256k1_ec_privkey_tweak_mul(ctx, privkey, rnd);
23cfa914 1683 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
25f4aec0 1684 CHECK(ret1 == ret2);
26320197
GM		 1685 if (ret1 == 0) {
1686 return;
1687 }
23cfa914
PW		 1688 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
1689 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
25f4aec0
PW		 1690 }
1691
71712b27 1692 /* Sign. */
74a2acdb
PW		 1693 CHECK(secp256k1_ecdsa_sign(ctx, message, &signature[0], privkey, NULL, NULL) == 1);
1694 CHECK(secp256k1_ecdsa_sign(ctx, message, &signature[4], privkey, NULL, NULL) == 1);
1695 CHECK(secp256k1_ecdsa_sign(ctx, message, &signature[1], privkey, NULL, extra) == 1);
efc571ce 1696 extra[31] = 1;
74a2acdb 1697 CHECK(secp256k1_ecdsa_sign(ctx, message, &signature[2], privkey, NULL, extra) == 1);
efc571ce
GM		 1698 extra[31] = 0;
1699 extra[0] = 1;
74a2acdb
PW		 1700 CHECK(secp256k1_ecdsa_sign(ctx, message, &signature[3], privkey, NULL, extra) == 1);
1701 CHECK(memcmp(&signature[0], &signature[4], sizeof(signature[0])) == 0);
1702 CHECK(memcmp(&signature[0], &signature[1], sizeof(signature[0])) != 0);
1703 CHECK(memcmp(&signature[0], &signature[2], sizeof(signature[0])) != 0);
1704 CHECK(memcmp(&signature[0], &signature[3], sizeof(signature[0])) != 0);
1705 CHECK(memcmp(&signature[1], &signature[2], sizeof(signature[0])) != 0);
1706 CHECK(memcmp(&signature[1], &signature[3], sizeof(signature[0])) != 0);
1707 CHECK(memcmp(&signature[2], &signature[3], sizeof(signature[0])) != 0);
71712b27 1708 /* Verify. */
74a2acdb
PW		 1709 CHECK(secp256k1_ecdsa_verify(ctx, message, &signature[0], &pubkey) == 1);
1710 CHECK(secp256k1_ecdsa_verify(ctx, message, &signature[1], &pubkey) == 1);
1711 CHECK(secp256k1_ecdsa_verify(ctx, message, &signature[2], &pubkey) == 1);
1712 CHECK(secp256k1_ecdsa_verify(ctx, message, &signature[3], &pubkey) == 1);
1713
1714 /* Serialize/parse DER and verify again */
1715 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
1716 memset(&signature[0], 0, sizeof(signature[0]));
1717 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
1718 CHECK(secp256k1_ecdsa_verify(ctx, message, &signature[0], &pubkey) == 1);
1719 /* Serialize/destroy/parse DER and verify again. */
1720 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
1721 sig[secp256k1_rand32() % siglen] += 1 + (secp256k1_rand32() % 255);
1722 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
1723 secp256k1_ecdsa_verify(ctx, message, &signature[0], &pubkey) == 0);
1724
1725 /* Serialize/parse compact (without recovery id) and verify again. */
1726 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, sig, &recid, &signature[4]) == 1);
1727 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, sig, NULL, &signature[4]) == 1);
1728 CHECK(secp256k1_ecdsa_verify(ctx, message, &signature[4], &pubkey) == 1);
1729 memset(&signature[4], 0, sizeof(signature[4]));
1730 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &signature[4], sig, -1) == 1);
1731 CHECK(secp256k1_ecdsa_verify(ctx, message, &signature[4], &pubkey) == 1);
1732 /* Parse compact (with recovery id) and recover. */
1733 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &signature[4], sig, recid) == 1);
1734 CHECK(secp256k1_ecdsa_recover(ctx, message, &signature[4], &recpubkey) == 1);
23cfa914 1735 CHECK(memcmp(&pubkey, &recpubkey, sizeof(pubkey)) == 0);
74a2acdb
PW		 1736 /* Serialize/destroy/parse signature and verify again. */
1737 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, sig, &recid, &signature[4]) == 1);
1738 sig[secp256k1_rand32() % 64] += 1 + (secp256k1_rand32() % 255);
1739 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &signature[4], sig, recid) == 1);
1740 CHECK(secp256k1_ecdsa_verify(ctx, message, &signature[4], &pubkey) == 0);
1741 /* Recover again */
1742 CHECK(secp256k1_ecdsa_recover(ctx, message, &signature[4], &recpubkey) == 0 ||
23cfa914 1743 memcmp(&pubkey, &recpubkey, sizeof(pubkey)) != 0);
25f4aec0
PW		 1744}
1745
7c6fed28 1746void test_random_pubkeys(void) {
bf2e1ac7
GM		 1747 secp256k1_ge_t elem;
1748 secp256k1_ge_t elem2;
7c6fed28
GM		 1749 unsigned char in[65];
1750 /* Generate some randomly sized pubkeys. */
1751 uint32_t r = secp256k1_rand32();
1752 int len = (r & 3) == 0 ? 65 : 33;
1753 r>>=2;
26320197
GM		 1754 if ((r & 3) == 0) {
1755 len = (r & 252) >> 3;
1756 }
7c6fed28
GM		 1757 r>>=8;
1758 if (len == 65) {
1759 in[0] = (r & 2) ? 4 : (r & 1? 6 : 7);
1760 } else {
1761 in[0] = (r & 1) ? 2 : 3;
1762 }
1763 r>>=2;
26320197
GM		 1764 if ((r & 7) == 0) {
1765 in[0] = (r & 2040) >> 3;
1766 }
7c6fed28 1767 r>>=11;
26320197
GM		 1768 if (len > 1) {
1769 secp256k1_rand256(&in[1]);
1770 }
1771 if (len > 33) {
1772 secp256k1_rand256(&in[33]);
1773 }
7c6fed28
GM		 1774 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
1775 unsigned char out[65];
1776 unsigned char firstb;
1777 int res;
1778 int size = len;
1779 firstb = in[0];
1780 /* If the pubkey can be parsed, it should round-trip... */
1781 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
1782 CHECK(size == len);
1783 CHECK(memcmp(&in[1], &out[1], len-1) == 0);
1784 /* ... except for the type of hybrid inputs. */
26320197
GM		 1785 if ((in[0] != 6) && (in[0] != 7)) {
1786 CHECK(in[0] == out[0]);
1787 }
7c6fed28
GM		 1788 size = 65;
1789 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
1790 CHECK(size == 65);
1791 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
60571c6e 1792 ge_equals_ge(&elem,&elem2);
7c6fed28
GM		 1793 /* Check that the X9.62 hybrid type is checked. */
1794 in[0] = (r & 1) ? 6 : 7;
1795 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
1796 if (firstb == 2 || firstb == 3) {
26320197
GM		 1797 if (in[0] == firstb + 4) {
1798 CHECK(res);
1799 } else {
1800 CHECK(!res);
1801 }
7c6fed28
GM		 1802 }
1803 if (res) {
60571c6e 1804 ge_equals_ge(&elem,&elem2);
7c6fed28
GM		 1805 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
1806 CHECK(memcmp(&in[1], &out[1], 64) == 0);
1807 }
1808 }
1809}
1810
1811void run_random_pubkeys(void) {
bf2e1ac7
GM		 1812 int i;
1813 for (i = 0; i < 10*count; i++) {
7c6fed28
GM		 1814 test_random_pubkeys();
1815 }
1816}
1817
2cad067a 1818void run_ecdsa_end_to_end(void) {
bf2e1ac7
GM		 1819 int i;
1820 for (i = 0; i < 64*count; i++) {
25f4aec0
PW		 1821 test_ecdsa_end_to_end();
1822 }
1823}
1824
6e052878
PW		 1825/* Tests several edge cases. */
1826void test_ecdsa_edge_cases(void) {
3bf029d6
PW		 1827 const unsigned char msg32[32] = {
1828 'T', 'h', 'i', 's', ' ', 'i', 's', ' ',
1829 'a', ' ', 'v', 'e', 'r', 'y', ' ', 's',
1830 'e', 'c', 'r', 'e', 't', ' ', 'm', 'e',
1831 's', 's', 'a', 'g', 'e', '.', '.', '.'
1832 };
1833 const unsigned char sig64[64] = {
6e052878
PW		 1834 /* Generated by signing the above message with nonce 'This is the nonce we will use...'
1835 * and secret key 0 (which is not valid), resulting in recid 0. */
3bf029d6
PW		 1836 0x67, 0xCB, 0x28, 0x5F, 0x9C, 0xD1, 0x94, 0xE8,
1837 0x40, 0xD6, 0x29, 0x39, 0x7A, 0xF5, 0x56, 0x96,
1838 0x62, 0xFD, 0xE4, 0x46, 0x49, 0x99, 0x59, 0x63,
1839 0x17, 0x9A, 0x7D, 0xD1, 0x7B, 0xD2, 0x35, 0x32,
1840 0x4B, 0x1B, 0x7D, 0xF3, 0x4C, 0xE1, 0xF6, 0x8E,
1841 0x69, 0x4F, 0xF6, 0xF1, 0x1A, 0xC7, 0x51, 0xDD,
1842 0x7D, 0xD7, 0x3E, 0x38, 0x7E, 0xE4, 0xFC, 0x86,
1843 0x6E, 0x1B, 0xE8, 0xEC, 0xC7, 0xDD, 0x95, 0x57
1844 };
23cfa914 1845 secp256k1_pubkey_t pubkey;
efc571ce 1846 int t;
6e052878
PW		 1847 /* signature (r,s) = (4,4), which can be recovered with all 4 recids. */
1848 const unsigned char sigb64[64] = {
1849 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1850 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1851 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1852 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
1853 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1854 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1855 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1856 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
1857 };
23cfa914 1858 secp256k1_pubkey_t pubkeyb;
74a2acdb 1859 secp256k1_ecdsa_signature_t sig;
bf2e1ac7
GM		 1860 int recid;
1861
74a2acdb
PW		 1862 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, sig64, 0));
1863 CHECK(!secp256k1_ecdsa_recover(ctx, msg32, &sig, &pubkey));
1864 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, sig64, 1));
1865 CHECK(secp256k1_ecdsa_recover(ctx, msg32, &sig, &pubkey));
1866 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, sig64, 2));
1867 CHECK(!secp256k1_ecdsa_recover(ctx, msg32, &sig, &pubkey));
1868 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, sig64, 3));
1869 CHECK(!secp256k1_ecdsa_recover(ctx, msg32, &sig, &pubkey));
bf2e1ac7
GM		 1870
1871 for (recid = 0; recid < 4; recid++) {
1872 int i;
1873 int recid2;
ee3eb4be 1874 /* (4,4) encoded in DER. */
6e052878 1875 unsigned char sigbder[8] = {0x30, 0x06, 0x02, 0x01, 0x04, 0x02, 0x01, 0x04};
8d11164b
GM		 1876 unsigned char sigcder_zr[7] = {0x30, 0x05, 0x02, 0x00, 0x02, 0x01, 0x01};
1877 unsigned char sigcder_zs[7] = {0x30, 0x05, 0x02, 0x01, 0x01, 0x02, 0x00};
1878 unsigned char sigbderalt1[39] = {
1879 0x30, 0x25, 0x02, 0x20, 0x00, 0x00, 0x00, 0x00,
1880 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1881 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1882 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1883 0x00, 0x00, 0x00, 0x04, 0x02, 0x01, 0x04,
1884 };
1885 unsigned char sigbderalt2[39] = {
1886 0x30, 0x25, 0x02, 0x01, 0x04, 0x02, 0x20, 0x00,
1887 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1888 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1889 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1890 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
1891 };
1892 unsigned char sigbderalt3[40] = {
1893 0x30, 0x26, 0x02, 0x21, 0x00, 0x00, 0x00, 0x00,
1894 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1895 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1896 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1897 0x00, 0x00, 0x00, 0x00, 0x04, 0x02, 0x01, 0x04,
1898 };
1899 unsigned char sigbderalt4[40] = {
1900 0x30, 0x26, 0x02, 0x01, 0x04, 0x02, 0x21, 0x00,
1901 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1902 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1903 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1904 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
1905 };
ee3eb4be 1906 /* (order + r,4) encoded in DER. */
32600e50
PW		 1907 unsigned char sigbderlong[40] = {
1908 0x30, 0x26, 0x02, 0x21, 0x00, 0xFF, 0xFF, 0xFF,
1909 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
1910 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC,
1911 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E,
1912 0x8C, 0xD0, 0x36, 0x41, 0x45, 0x02, 0x01, 0x04
1913 };
74a2acdb
PW		 1914 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, sigb64, recid) == 1);
1915 CHECK(secp256k1_ecdsa_recover(ctx, msg32, &sig, &pubkeyb) == 1);
1916 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 1);
1917 CHECK(secp256k1_ecdsa_verify(ctx, msg32, &sig, &pubkeyb) == 1);
bf2e1ac7 1918 for (recid2 = 0; recid2 < 4; recid2++) {
23cfa914 1919 secp256k1_pubkey_t pubkey2b;
74a2acdb
PW		 1920 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, sigb64, recid2) == 1);
1921 CHECK(secp256k1_ecdsa_recover(ctx, msg32, &sig, &pubkey2b) == 1);
ee3eb4be 1922 /* Verifying with (order + r,4) should always fail. */
74a2acdb 1923 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderlong, sizeof(sigbderlong)) == 0);
32600e50 1924 }
8d11164b
GM		 1925 /* DER parsing tests. */
1926 /* Zero length r/s. */
74a2acdb
PW		 1927 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder_zr, sizeof(sigcder_zr)) == 0);
1928 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder_zs, sizeof(sigcder_zs)) == 0);
8d11164b 1929 /* Leading zeros. */
74a2acdb
PW		 1930 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt1, sizeof(sigbderalt1)) == 1);
1931 CHECK(secp256k1_ecdsa_verify(ctx, msg32, &sig, &pubkeyb) == 1);
1932 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt2, sizeof(sigbderalt2)) == 1);
1933 CHECK(secp256k1_ecdsa_verify(ctx, msg32, &sig, &pubkeyb) == 1);
1934 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt3, sizeof(sigbderalt3)) == 1);
1935 CHECK(secp256k1_ecdsa_verify(ctx, msg32, &sig, &pubkeyb) == 1);
1936 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt4, sizeof(sigbderalt4)) == 1);
1937 CHECK(secp256k1_ecdsa_verify(ctx, msg32, &sig, &pubkeyb) == 1);
8d11164b 1938 sigbderalt3[4] = 1;
74a2acdb 1939 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt3, sizeof(sigbderalt3)) == 0);
8d11164b 1940 sigbderalt4[7] = 1;
74a2acdb 1941 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbderalt4, sizeof(sigbderalt4)) == 0);
6e052878
PW		 1942 /* Damage signature. */
1943 sigbder[7]++;
74a2acdb
PW		 1944 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 1);
1945 CHECK(secp256k1_ecdsa_verify(ctx, msg32, &sig, &pubkeyb) == 0);
8d11164b 1946 sigbder[7]--;
74a2acdb
PW		 1947 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, 6) == 0);
1948 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder) - 1) == 0);
bf2e1ac7
GM		 1949 for(i = 0; i < 8; i++) {
1950 int c;
8d11164b
GM		 1951 unsigned char orig = sigbder[i];
1952 /*Try every single-byte change.*/
bf2e1ac7 1953 for (c = 0; c < 256; c++) {
26320197
GM		 1954 if (c == orig ) {
1955 continue;
1956 }
8d11164b 1957 sigbder[i] = c;
74a2acdb 1958 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigbder, sizeof(sigbder)) == 0 || secp256k1_ecdsa_verify(ctx, msg32, &sig, &pubkeyb) == 0);
8d11164b
GM		 1959 }
1960 sigbder[i] = orig;
1961 }
6e052878 1962 }
24b3c65e
PW		 1963
1964 /* Test the case where ECDSA recomputes a point that is infinity. */
1965 {
bf2e1ac7
GM		 1966 secp256k1_gej_t keyj;
1967 secp256k1_ge_t key;
1968 secp256k1_scalar_t msg;
18c329c5
PW		 1969 secp256k1_scalar_t sr, ss;
1970 secp256k1_scalar_set_int(&ss, 1);
1971 secp256k1_scalar_negate(&ss, &ss);
1972 secp256k1_scalar_inverse(&ss, &ss);
1973 secp256k1_scalar_set_int(&sr, 1);
1974 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
24b3c65e 1975 secp256k1_ge_set_gej(&key, &keyj);
18c329c5
PW		 1976 msg = ss;
1977 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
24b3c65e 1978 }
ee3eb4be
GM		 1979
1980 /* Test r/s equal to zero */
1981 {
1982 /* (1,1) encoded in DER. */
1983 unsigned char sigcder[8] = {0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01};
1984 unsigned char sigc64[64] = {
1985 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1986 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1987 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1988 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1989 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1990 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1991 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1992 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1993 };
23cfa914 1994 secp256k1_pubkey_t pubkeyc;
74a2acdb
PW		 1995 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, sigc64, 0) == 1);
1996 CHECK(secp256k1_ecdsa_recover(ctx, msg32, &sig, &pubkeyc) == 1);
1997 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1);
1998 CHECK(secp256k1_ecdsa_verify(ctx, msg32, &sig, &pubkeyc) == 1);
ee3eb4be
GM		 1999 sigcder[4] = 0;
2000 sigc64[31] = 0;
74a2acdb
PW		 2001 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, sigc64, 0) == 1);
2002 CHECK(secp256k1_ecdsa_recover(ctx, msg32, &sig, &pubkeyb) == 0);
2003 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1);
2004 CHECK(secp256k1_ecdsa_verify(ctx, msg32, &sig, &pubkeyc) == 0);
ee3eb4be
GM		 2005 sigcder[4] = 1;
2006 sigcder[7] = 0;
2007 sigc64[31] = 1;
2008 sigc64[63] = 0;
74a2acdb
PW		 2009 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, sigc64, 0) == 1);
2010 CHECK(secp256k1_ecdsa_recover(ctx, msg32, &sig, &pubkeyb) == 0);
2011 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, sigcder, sizeof(sigcder)) == 1);
2012 CHECK(secp256k1_ecdsa_verify(ctx, msg32, &sig, &pubkeyc) == 0);
ee3eb4be 2013 }
8d11164b
GM		 2014
2015 /*Signature where s would be zero.*/
2016 {
74a2acdb
PW		 2017 unsigned char signature[72];
2018 int siglen;
8d11164b
GM		 2019 const unsigned char nonce[32] = {
2020 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2021 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2022 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2023 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2024 };
941e221f
GM		 2025 static const unsigned char nonce2[32] = {
2026 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
2027 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
2028 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
2029 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
2030 };
8d11164b
GM		 2031 const unsigned char key[32] = {
2032 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2033 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2034 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2035 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2036 };
2037 unsigned char msg[32] = {
2038 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
2039 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
2040 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
2041 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
2042 };
74a2acdb
PW		 2043 CHECK(secp256k1_ecdsa_sign(ctx, msg, &sig, key, precomputed_nonce_function, nonce) == 0);
2044 CHECK(secp256k1_ecdsa_sign(ctx, msg, &sig, key, precomputed_nonce_function, nonce2) == 0);
8d11164b 2045 msg[31] = 0xaa;
74a2acdb
PW		 2046 CHECK(secp256k1_ecdsa_sign(ctx, msg, &sig, key, precomputed_nonce_function, nonce) == 1);
2047 CHECK(secp256k1_ecdsa_sign(ctx, msg, &sig, key, precomputed_nonce_function, nonce2) == 1);
8d11164b 2048 siglen = 72;
74a2acdb 2049 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
603c33bc 2050 siglen = 10;
74a2acdb 2051 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
8d11164b 2052 }
7c6fed28 2053
941e221f 2054 /* Nonce function corner cases. */
efc571ce
GM		 2055 for (t = 0; t < 2; t++) {
2056 static const unsigned char zero[32] = {0x00};
bf2e1ac7 2057 int i;
941e221f
GM		 2058 unsigned char key[32];
2059 unsigned char msg[32];
74a2acdb 2060 secp256k1_ecdsa_signature_t sig2;
18c329c5 2061 secp256k1_scalar_t sr[512], ss;
efc571ce
GM		 2062 const unsigned char *extra;
2063 extra = t == 0 ? NULL : zero;
941e221f 2064 memset(msg, 0, 32);
941e221f 2065 msg[31] = 1;
8030d7c0
PW		 2066 /* High key results in signature failure. */
2067 memset(key, 0xFF, 32);
74a2acdb
PW		 2068 CHECK(secp256k1_ecdsa_sign(ctx, msg, &sig, key, NULL, extra) == 0);
2069 CHECK(is_empty_signature(&sig));
8030d7c0
PW		 2070 /* Zero key results in signature failure. */
2071 memset(key, 0, 32);
74a2acdb
PW		 2072 CHECK(secp256k1_ecdsa_sign(ctx, msg, &sig, key, NULL, extra) == 0);
2073 CHECK(is_empty_signature(&sig));
941e221f 2074 /* Nonce function failure results in signature failure. */
8030d7c0 2075 key[31] = 1;
74a2acdb
PW		 2076 CHECK(secp256k1_ecdsa_sign(ctx, msg, &sig, key, nonce_function_test_fail, extra) == 0);
2077 CHECK(is_empty_signature(&sig));
941e221f 2078 /* The retry loop successfully makes its way to the first good value. */
74a2acdb
PW		 2079 CHECK(secp256k1_ecdsa_sign(ctx, msg, &sig, key, nonce_function_test_retry, extra) == 1);
2080 CHECK(!is_empty_signature(&sig));
2081 CHECK(secp256k1_ecdsa_sign(ctx, msg, &sig2, key, nonce_function_rfc6979, extra) == 1);
2082 CHECK(!is_empty_signature(&sig2));
2083 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
941e221f 2084 /* The default nonce function is determinstic. */
74a2acdb
PW		 2085 CHECK(secp256k1_ecdsa_sign(ctx, msg, &sig2, key, NULL, extra) == 1);
2086 CHECK(!is_empty_signature(&sig2));
2087 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
941e221f 2088 /* The default nonce function changes output with different messages. */
bf2e1ac7
GM		 2089 for(i = 0; i < 256; i++) {
2090 int j;
941e221f 2091 msg[0] = i;
74a2acdb
PW		 2092 CHECK(secp256k1_ecdsa_sign(ctx, msg, &sig2, key, NULL, extra) == 1);
2093 CHECK(!is_empty_signature(&sig2));
995c5487 2094 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, NULL, &sig2);
bf2e1ac7 2095 for (j = 0; j < i; j++) {
18c329c5 2096 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
941e221f
GM		 2097 }
2098 }
2099 msg[0] = 0;
2100 msg[31] = 2;
2101 /* The default nonce function changes output with different keys. */
bf2e1ac7
GM		 2102 for(i = 256; i < 512; i++) {
2103 int j;
941e221f 2104 key[0] = i - 256;
74a2acdb
PW		 2105 CHECK(secp256k1_ecdsa_sign(ctx, msg, &sig2, key, NULL, extra) == 1);
2106 CHECK(!is_empty_signature(&sig2));
995c5487 2107 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, NULL, &sig2);
bf2e1ac7 2108 for (j = 0; j < i; j++) {
18c329c5 2109 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
941e221f
GM		 2110 }
2111 }
2112 key[0] = 0;
2113 }
2114
7c6fed28
GM		 2115 /* Privkey export where pubkey is the point at infinity. */
2116 {
2117 unsigned char privkey[300];
2118 unsigned char seckey[32] = {
2119 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2120 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
2121 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
2122 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
2123 };
2124 int outlen = 300;
a9b6595e
PW		 2125 CHECK(!secp256k1_ec_privkey_export(ctx, seckey, privkey, &outlen, 0));
2126 CHECK(!secp256k1_ec_privkey_export(ctx, seckey, privkey, &outlen, 1));
7c6fed28 2127 }
3bf029d6
PW		 2128}
2129
6e052878
PW		 2130void run_ecdsa_edge_cases(void) {
2131 test_ecdsa_edge_cases();
3bf029d6 2132}
25f4aec0 2133
dd08f037 2134#ifdef ENABLE_OPENSSL_TESTS
a9f5c8b8 2135EC_KEY *get_openssl_key(const secp256k1_scalar_t *key) {
12e29b32
PW		 2136 unsigned char privkey[300];
2137 int privkeylen;
12e29b32 2138 const unsigned char* pbegin = privkey;
bf2e1ac7 2139 int compr = secp256k1_rand32() & 1;
dd08f037 2140 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
a9b6595e 2141 CHECK(secp256k1_eckey_privkey_serialize(&ctx->ecmult_gen_ctx, privkey, &privkeylen, key, compr));
0592d117
PW		 2142 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
2143 CHECK(EC_KEY_check_key(ec_key));
dd08f037
PW		 2144 return ec_key;
2145}
2146
2cad067a 2147void test_ecdsa_openssl(void) {
bf2e1ac7
GM		 2148 secp256k1_gej_t qj;
2149 secp256k1_ge_t q;
18c329c5 2150 secp256k1_scalar_t sigr, sigs;
bf2e1ac7
GM		 2151 secp256k1_scalar_t one;
2152 secp256k1_scalar_t msg2;
a9f5c8b8 2153 secp256k1_scalar_t key, msg;
bf2e1ac7
GM		 2154 EC_KEY *ec_key;
2155 unsigned int sigsize = 80;
2156 int secp_sigsize = 80;
dd08f037 2157 unsigned char message[32];
bf2e1ac7 2158 unsigned char signature[80];
dd08f037 2159 secp256k1_rand256_test(message);
eca6cdb1 2160 secp256k1_scalar_set_b32(&msg, message, NULL);
a9f5c8b8 2161 random_scalar_order_test(&key);
a9b6595e 2162 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
dd08f037 2163 secp256k1_ge_set_gej(&q, &qj);
bf2e1ac7 2164 ec_key = get_openssl_key(&key);
0592d117 2165 CHECK(ec_key);
0592d117 2166 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
18c329c5
PW		 2167 CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
2168 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
f24041d6 2169 secp256k1_scalar_set_int(&one, 1);
f24041d6 2170 secp256k1_scalar_add(&msg2, &msg, &one);
18c329c5 2171 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
dd08f037 2172
18c329c5
PW		 2173 random_sign(&sigr, &sigs, &key, &msg, NULL);
2174 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
9974d869 2175 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
dd08f037 2176
dd08f037 2177 EC_KEY_free(ec_key);
dd08f037
PW		 2178}
2179
2cad067a 2180void run_ecdsa_openssl(void) {
bf2e1ac7
GM		 2181 int i;
2182 for (i = 0; i < 10*count; i++) {
dd08f037
PW		 2183 test_ecdsa_openssl();
2184 }
2185}
2186#endif
2187
404c30a8 2188int main(int argc, char **argv) {
89561118
PW		 2189 unsigned char seed16[16] = {0};
2190 unsigned char run32[32] = {0};
71712b27 2191 /* find iteration count */
3fd6253e
PW		 2192 if (argc > 1) {
2193 count = strtol(argv[1], NULL, 0);
2194 }
2195
71712b27 2196 /* find random seed */
3fd6253e 2197 if (argc > 2) {
89561118
PW		 2198 int pos = 0;
2199 const char* ch = argv[2];
2200 while (pos < 16 && ch[0] != 0 && ch[1] != 0) {
2201 unsigned short sh;
2202 if (sscanf(ch, "%2hx", &sh)) {
2203 seed16[pos] = sh;
2204 } else {
2205 break;
2206 }
2207 ch += 2;
2208 pos++;
2209 }
3fd6253e
PW		 2210 } else {
2211 FILE *frand = fopen("/dev/urandom", "r");
89561118
PW		 2212 if (!frand || !fread(&seed16, sizeof(seed16), 1, frand)) {
2213 uint64_t t = time(NULL) * (uint64_t)1337;
2214 seed16[0] ^= t;
2215 seed16[1] ^= t >> 8;
2216 seed16[2] ^= t >> 16;
2217 seed16[3] ^= t >> 24;
2218 seed16[4] ^= t >> 32;
2219 seed16[5] ^= t >> 40;
2220 seed16[6] ^= t >> 48;
2221 seed16[7] ^= t >> 56;
3fd6253e
PW		 2222 }
2223 fclose(frand);
2224 }
89561118 2225 secp256k1_rand_seed(seed16);
404c30a8 2226
dd08f037 2227 printf("test count = %i\n", count);
89561118 2228 printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]);
dd08f037 2229
71712b27 2230 /* initialize */
d899b5b6 2231 run_context_tests();
a9b6595e 2232 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
ee3eb4be 2233
d2275795
GM		 2234 if (secp256k1_rand32() & 1) {
2235 secp256k1_rand256(run32);
2236 CHECK(secp256k1_context_randomize(ctx, secp256k1_rand32() & 1 ? run32 : NULL));
2237 }
2238
b37fbc28
PW		 2239 run_sha256_tests();
2240 run_hmac_sha256_tests();
2241 run_rfc6979_hmac_sha256_tests();
2242
597128d3 2243#ifndef USE_NUM_NONE
71712b27 2244 /* num tests */
3f44e1ad 2245 run_num_smalltests();
597128d3 2246#endif
404c30a8 2247
71712b27 2248 /* scalar tests */
79359302
PW		 2249 run_scalar_tests();
2250
71712b27 2251 /* field tests */
f16be77f
PD		 2252 run_field_inv();
2253 run_field_inv_var();
f16be77f 2254 run_field_inv_all_var();
8d11164b 2255 run_field_misc();
ff889f7d 2256 run_field_convert();
59447da3 2257 run_sqr();
09ca4f32
PD		 2258 run_sqrt();
2259
71712b27 2260 /* group tests */
9338dbf7
PW		 2261 run_ge();
2262
71712b27 2263 /* ecmult tests */
404c30a8
PW		 2264 run_wnaf();
2265 run_point_times_order();
2266 run_ecmult_chain();
d2275795
GM		 2267 run_ecmult_constants();
2268 run_ecmult_gen_blind();
404c30a8 2269
baa75da5
AP		 2270 /* endomorphism tests */
2271#ifdef USE_ENDOMORPHISM
2272 run_endomorphism_tests();
2273#endif
2274
71712b27 2275 /* ecdsa tests */
7c6fed28 2276 run_random_pubkeys();
404c30a8 2277 run_ecdsa_sign_verify();
25f4aec0 2278 run_ecdsa_end_to_end();
6e052878 2279 run_ecdsa_edge_cases();
dd08f037
PW		 2280#ifdef ENABLE_OPENSSL_TESTS
2281 run_ecdsa_openssl();
2282#endif
910d0de4 2283
89561118
PW		 2284 secp256k1_rand256(run32);
2285 printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]);
bff11e91 2286
71712b27 2287 /* shutdown */
a9b6595e 2288 secp256k1_context_destroy(ctx);
a41f32e6
PW		 2289 return 0;
2290}
Empty description
This page took 0.371824 seconds and 4 git commands to generate.