]> Git Repo - secp256k1.git/blame_incremental - src/tests.c
projects / secp256k1.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
Add ability to pass extra entropy to rfc6979
[secp256k1.git] / src / tests.c
... / ...
CommitLineData
1/**********************************************************************
2 * Copyright (c) 2013, 2014 Pieter Wuille *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
6
7#if defined HAVE_CONFIG_H
8#include "libsecp256k1-config.h"
9#endif
10
11#include <stdio.h>
12#include <stdlib.h>
13
14#include <time.h>
15
16#include "secp256k1.c"
17#include "testrand_impl.h"
18
19#ifdef ENABLE_OPENSSL_TESTS
20#include "openssl/bn.h"
21#include "openssl/ec.h"
22#include "openssl/ecdsa.h"
23#include "openssl/obj_mac.h"
24#endif
25
26static int count = 64;
27
28void random_field_element_test(secp256k1_fe_t *fe) {
29 do {
30 unsigned char b32[32];
31 secp256k1_rand256_test(b32);
32 if (secp256k1_fe_set_b32(fe, b32)) {
33 break;
34 }
35 } while(1);
36}
37
38void random_field_element_magnitude(secp256k1_fe_t *fe) {
39 secp256k1_fe_t zero;
40 int n = secp256k1_rand32() % 9;
41 secp256k1_fe_normalize(fe);
42 if (n == 0) {
43 return;
44 }
45 secp256k1_fe_clear(&zero);
46 secp256k1_fe_negate(&zero, &zero, 0);
47 secp256k1_fe_mul_int(&zero, n - 1);
48 secp256k1_fe_add(fe, &zero);
49#ifdef VERIFY
50 CHECK(fe->magnitude == n);
51#endif
52}
53
54void random_group_element_test(secp256k1_ge_t *ge) {
55 secp256k1_fe_t fe;
56 do {
57 random_field_element_test(&fe);
58 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand32() & 1))
59 break;
60 } while(1);
61}
62
63void random_group_element_jacobian_test(secp256k1_gej_t *gej, const secp256k1_ge_t *ge) {
64 secp256k1_fe_t z2, z3;
65 do {
66 random_field_element_test(&gej->z);
67 if (!secp256k1_fe_is_zero(&gej->z)) {
68 break;
69 }
70 } while(1);
71 secp256k1_fe_sqr(&z2, &gej->z);
72 secp256k1_fe_mul(&z3, &z2, &gej->z);
73 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
74 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
75 gej->infinity = ge->infinity;
76}
77
78void random_scalar_order_test(secp256k1_scalar_t *num) {
79 do {
80 unsigned char b32[32];
81 int overflow = 0;
82 secp256k1_rand256_test(b32);
83 secp256k1_scalar_set_b32(num, b32, &overflow);
84 if (overflow || secp256k1_scalar_is_zero(num))
85 continue;
86 break;
87 } while(1);
88}
89
90void random_scalar_order(secp256k1_scalar_t *num) {
91 do {
92 unsigned char b32[32];
93 int overflow = 0;
94 secp256k1_rand256(b32);
95 secp256k1_scalar_set_b32(num, b32, &overflow);
96 if (overflow || secp256k1_scalar_is_zero(num))
97 continue;
98 break;
99 } while(1);
100}
101
102/***** HASH TESTS *****/
103
104void run_sha256_tests(void) {
105 static const char *inputs[8] = {
106 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
107 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
108 "For this sample, this 63-byte string will be used as input data",
109 "This is exactly 64 bytes long, not counting the terminating byte"
110 };
111 static const unsigned char outputs[8][32] = {
112 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
113 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
114 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
115 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
116 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
117 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
118 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
119 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
120 };
121 int i;
122 for (i = 0; i < 8; i++) {
123 unsigned char out[32];
124 secp256k1_sha256_t hasher;
125 secp256k1_sha256_initialize(&hasher);
126 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
127 secp256k1_sha256_finalize(&hasher, out);
128 CHECK(memcmp(out, outputs[i], 32) == 0);
129 if (strlen(inputs[i]) > 0) {
130 int split = secp256k1_rand32() % strlen(inputs[i]);
131 secp256k1_sha256_initialize(&hasher);
132 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
133 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
134 secp256k1_sha256_finalize(&hasher, out);
135 CHECK(memcmp(out, outputs[i], 32) == 0);
136 }
137 }
138}
139
140void run_hmac_sha256_tests(void) {
141 static const char *keys[6] = {
142 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
143 "\x4a\x65\x66\x65",
144 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
145 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
146 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
147 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
148 };
149 static const char *inputs[6] = {
150 "\x48\x69\x20\x54\x68\x65\x72\x65",
151 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
152 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
153 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
154 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
155 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
156 };
157 static const unsigned char outputs[6][32] = {
158 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
159 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
160 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
161 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
162 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
163 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
164 };
165 int i;
166 for (i = 0; i < 6; i++) {
167 secp256k1_hmac_sha256_t hasher;
168 unsigned char out[32];
169 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
170 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
171 secp256k1_hmac_sha256_finalize(&hasher, out);
172 CHECK(memcmp(out, outputs[i], 32) == 0);
173 if (strlen(inputs[i]) > 0) {
174 int split = secp256k1_rand32() % strlen(inputs[i]);
175 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
176 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
177 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
178 secp256k1_hmac_sha256_finalize(&hasher, out);
179 CHECK(memcmp(out, outputs[i], 32) == 0);
180 }
181 }
182}
183
184void run_rfc6979_hmac_sha256_tests(void) {
185 static const unsigned char key1[32] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00};
186 static const unsigned char msg1[32] = {0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a};
187 static const unsigned char out1[3][32] = {
188 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
189 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
190 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
191 };
192
193 static const unsigned char key2[32] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff};
194 static const unsigned char msg2[32] = {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
195 static const unsigned char out2[3][32] = {
196 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
197 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
198 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
199 };
200
201 secp256k1_rfc6979_hmac_sha256_t rng;
202 unsigned char out[32];
203 unsigned char zero[1] = {0};
204 int i;
205
206 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 32, msg1, 32, NULL, 1);
207 for (i = 0; i < 3; i++) {
208 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
209 CHECK(memcmp(out, out1[i], 32) == 0);
210 }
211 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
212
213 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 32, msg1, 32, zero, 1);
214 for (i = 0; i < 3; i++) {
215 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
216 CHECK(memcmp(out, out1[i], 32) != 0);
217 }
218 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
219
220 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 32, msg2, 32, zero, 0);
221 for (i = 0; i < 3; i++) {
222 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
223 CHECK(memcmp(out, out2[i], 32) == 0);
224 }
225 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
226}
227
228/***** NUM TESTS *****/
229
230#ifndef USE_NUM_NONE
231void random_num_negate(secp256k1_num_t *num) {
232 if (secp256k1_rand32() & 1)
233 secp256k1_num_negate(num);
234}
235
236void random_num_order_test(secp256k1_num_t *num) {
237 secp256k1_scalar_t sc;
238 random_scalar_order_test(&sc);
239 secp256k1_scalar_get_num(num, &sc);
240}
241
242void random_num_order(secp256k1_num_t *num) {
243 secp256k1_scalar_t sc;
244 random_scalar_order(&sc);
245 secp256k1_scalar_get_num(num, &sc);
246}
247
248void test_num_negate(void) {
249 secp256k1_num_t n1;
250 secp256k1_num_t n2;
251 random_num_order_test(&n1); /* n1 = R */
252 random_num_negate(&n1);
253 secp256k1_num_copy(&n2, &n1); /* n2 = R */
254 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
255 CHECK(secp256k1_num_is_zero(&n1));
256 secp256k1_num_copy(&n1, &n2); /* n1 = R */
257 secp256k1_num_negate(&n1); /* n1 = -R */
258 CHECK(!secp256k1_num_is_zero(&n1));
259 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
260 CHECK(secp256k1_num_is_zero(&n1));
261 secp256k1_num_copy(&n1, &n2); /* n1 = R */
262 secp256k1_num_negate(&n1); /* n1 = -R */
263 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
264 secp256k1_num_negate(&n1); /* n1 = R */
265 CHECK(secp256k1_num_eq(&n1, &n2));
266}
267
268void test_num_add_sub(void) {
269 secp256k1_num_t n1;
270 secp256k1_num_t n2;
271 secp256k1_num_t n1p2, n2p1, n1m2, n2m1;
272 int r = secp256k1_rand32();
273 random_num_order_test(&n1); /* n1 = R1 */
274 if (r & 1) {
275 random_num_negate(&n1);
276 }
277 random_num_order_test(&n2); /* n2 = R2 */
278 if (r & 2) {
279 random_num_negate(&n2);
280 }
281 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
282 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
283 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
284 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
285 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
286 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
287 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
288 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
289 CHECK(!secp256k1_num_eq(&n2m1, &n1));
290 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
291 CHECK(secp256k1_num_eq(&n2m1, &n1));
292 CHECK(!secp256k1_num_eq(&n2p1, &n1));
293 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
294 CHECK(secp256k1_num_eq(&n2p1, &n1));
295}
296
297void run_num_smalltests(void) {
298 int i;
299 for (i = 0; i < 100*count; i++) {
300 test_num_negate();
301 test_num_add_sub();
302 }
303}
304#endif
305
306/***** SCALAR TESTS *****/
307
308void scalar_test(void) {
309 secp256k1_scalar_t s;
310 secp256k1_scalar_t s1;
311 secp256k1_scalar_t s2;
312#ifndef USE_NUM_NONE
313 secp256k1_num_t snum, s1num, s2num;
314 secp256k1_num_t order, half_order;
315#endif
316 unsigned char c[32];
317
318 /* Set 's' to a random scalar, with value 'snum'. */
319 random_scalar_order_test(&s);
320
321 /* Set 's1' to a random scalar, with value 's1num'. */
322 random_scalar_order_test(&s1);
323
324 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
325 random_scalar_order_test(&s2);
326 secp256k1_scalar_get_b32(c, &s2);
327
328#ifndef USE_NUM_NONE
329 secp256k1_scalar_get_num(&snum, &s);
330 secp256k1_scalar_get_num(&s1num, &s1);
331 secp256k1_scalar_get_num(&s2num, &s2);
332
333 secp256k1_scalar_order_get_num(&order);
334 half_order = order;
335 secp256k1_num_shift(&half_order, 1);
336#endif
337
338 {
339 int i;
340 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
341 secp256k1_scalar_t n;
342 secp256k1_scalar_set_int(&n, 0);
343 for (i = 0; i < 256; i += 4) {
344 secp256k1_scalar_t t;
345 int j;
346 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
347 for (j = 0; j < 4; j++) {
348 secp256k1_scalar_add(&n, &n, &n);
349 }
350 secp256k1_scalar_add(&n, &n, &t);
351 }
352 CHECK(secp256k1_scalar_eq(&n, &s));
353 }
354
355 {
356 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
357 secp256k1_scalar_t n;
358 int i = 0;
359 secp256k1_scalar_set_int(&n, 0);
360 while (i < 256) {
361 secp256k1_scalar_t t;
362 int j;
363 int now = (secp256k1_rand32() % 15) + 1;
364 if (now + i > 256) {
365 now = 256 - i;
366 }
367 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
368 for (j = 0; j < now; j++) {
369 secp256k1_scalar_add(&n, &n, &n);
370 }
371 secp256k1_scalar_add(&n, &n, &t);
372 i += now;
373 }
374 CHECK(secp256k1_scalar_eq(&n, &s));
375 }
376
377#ifndef USE_NUM_NONE
378 {
379 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
380 secp256k1_num_t rnum;
381 secp256k1_num_t r2num;
382 secp256k1_scalar_t r;
383 secp256k1_num_add(&rnum, &snum, &s2num);
384 secp256k1_num_mod(&rnum, &order);
385 secp256k1_scalar_add(&r, &s, &s2);
386 secp256k1_scalar_get_num(&r2num, &r);
387 CHECK(secp256k1_num_eq(&rnum, &r2num));
388 }
389
390 {
391 /* Test that multipying the scalars is equal to multiplying their numbers modulo the order. */
392 secp256k1_scalar_t r;
393 secp256k1_num_t r2num;
394 secp256k1_num_t rnum;
395 secp256k1_num_mul(&rnum, &snum, &s2num);
396 secp256k1_num_mod(&rnum, &order);
397 secp256k1_scalar_mul(&r, &s, &s2);
398 secp256k1_scalar_get_num(&r2num, &r);
399 CHECK(secp256k1_num_eq(&rnum, &r2num));
400 /* The result can only be zero if at least one of the factors was zero. */
401 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
402 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
403 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
404 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
405 }
406
407 {
408 secp256k1_scalar_t neg;
409 secp256k1_num_t negnum;
410 secp256k1_num_t negnum2;
411 /* Check that comparison with zero matches comparison with zero on the number. */
412 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
413 /* Check that comparison with the half order is equal to testing for high scalar. */
414 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
415 secp256k1_scalar_negate(&neg, &s);
416 secp256k1_num_sub(&negnum, &order, &snum);
417 secp256k1_num_mod(&negnum, &order);
418 /* Check that comparison with the half order is equal to testing for high scalar after negation. */
419 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
420 /* Negating should change the high property, unless the value was already zero. */
421 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
422 secp256k1_scalar_get_num(&negnum2, &neg);
423 /* Negating a scalar should be equal to (order - n) mod order on the number. */
424 CHECK(secp256k1_num_eq(&negnum, &negnum2));
425 secp256k1_scalar_add(&neg, &neg, &s);
426 /* Adding a number to its negation should result in zero. */
427 CHECK(secp256k1_scalar_is_zero(&neg));
428 secp256k1_scalar_negate(&neg, &neg);
429 /* Negating zero should still result in zero. */
430 CHECK(secp256k1_scalar_is_zero(&neg));
431 }
432
433 {
434 /* Test secp256k1_scalar_mul_shift_var. */
435 secp256k1_scalar_t r;
436 secp256k1_num_t one;
437 secp256k1_num_t rnum;
438 secp256k1_num_t rnum2;
439 unsigned char cone[1] = {0x01};
440 unsigned int shift = 256 + (secp256k1_rand32() % 257);
441 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
442 secp256k1_num_mul(&rnum, &s1num, &s2num);
443 secp256k1_num_shift(&rnum, shift - 1);
444 secp256k1_num_set_bin(&one, cone, 1);
445 secp256k1_num_add(&rnum, &rnum, &one);
446 secp256k1_num_shift(&rnum, 1);
447 secp256k1_scalar_get_num(&rnum2, &r);
448 CHECK(secp256k1_num_eq(&rnum, &rnum2));
449 }
450#endif
451
452 {
453 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
454 if (!secp256k1_scalar_is_zero(&s)) {
455 secp256k1_scalar_t inv;
456#ifndef USE_NUM_NONE
457 secp256k1_num_t invnum;
458 secp256k1_num_t invnum2;
459#endif
460 secp256k1_scalar_inverse(&inv, &s);
461#ifndef USE_NUM_NONE
462 secp256k1_num_mod_inverse(&invnum, &snum, &order);
463 secp256k1_scalar_get_num(&invnum2, &inv);
464 CHECK(secp256k1_num_eq(&invnum, &invnum2));
465#endif
466 secp256k1_scalar_mul(&inv, &inv, &s);
467 /* Multiplying a scalar with its inverse must result in one. */
468 CHECK(secp256k1_scalar_is_one(&inv));
469 secp256k1_scalar_inverse(&inv, &inv);
470 /* Inverting one must result in one. */
471 CHECK(secp256k1_scalar_is_one(&inv));
472 }
473 }
474
475 {
476 /* Test commutativity of add. */
477 secp256k1_scalar_t r1, r2;
478 secp256k1_scalar_add(&r1, &s1, &s2);
479 secp256k1_scalar_add(&r2, &s2, &s1);
480 CHECK(secp256k1_scalar_eq(&r1, &r2));
481 }
482
483 {
484 secp256k1_scalar_t r1, r2;
485 secp256k1_scalar_t b;
486 int i;
487 /* Test add_bit. */
488 int bit = secp256k1_rand32() % 256;
489 secp256k1_scalar_set_int(&b, 1);
490 CHECK(secp256k1_scalar_is_one(&b));
491 for (i = 0; i < bit; i++) {
492 secp256k1_scalar_add(&b, &b, &b);
493 }
494 r1 = s1;
495 r2 = s1;
496 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
497 /* No overflow happened. */
498 secp256k1_scalar_add_bit(&r2, bit);
499 CHECK(secp256k1_scalar_eq(&r1, &r2));
500 }
501 }
502
503 {
504 /* Test commutativity of mul. */
505 secp256k1_scalar_t r1, r2;
506 secp256k1_scalar_mul(&r1, &s1, &s2);
507 secp256k1_scalar_mul(&r2, &s2, &s1);
508 CHECK(secp256k1_scalar_eq(&r1, &r2));
509 }
510
511 {
512 /* Test associativity of add. */
513 secp256k1_scalar_t r1, r2;
514 secp256k1_scalar_add(&r1, &s1, &s2);
515 secp256k1_scalar_add(&r1, &r1, &s);
516 secp256k1_scalar_add(&r2, &s2, &s);
517 secp256k1_scalar_add(&r2, &s1, &r2);
518 CHECK(secp256k1_scalar_eq(&r1, &r2));
519 }
520
521 {
522 /* Test associativity of mul. */
523 secp256k1_scalar_t r1, r2;
524 secp256k1_scalar_mul(&r1, &s1, &s2);
525 secp256k1_scalar_mul(&r1, &r1, &s);
526 secp256k1_scalar_mul(&r2, &s2, &s);
527 secp256k1_scalar_mul(&r2, &s1, &r2);
528 CHECK(secp256k1_scalar_eq(&r1, &r2));
529 }
530
531 {
532 /* Test distributitivity of mul over add. */
533 secp256k1_scalar_t r1, r2, t;
534 secp256k1_scalar_add(&r1, &s1, &s2);
535 secp256k1_scalar_mul(&r1, &r1, &s);
536 secp256k1_scalar_mul(&r2, &s1, &s);
537 secp256k1_scalar_mul(&t, &s2, &s);
538 secp256k1_scalar_add(&r2, &r2, &t);
539 CHECK(secp256k1_scalar_eq(&r1, &r2));
540 }
541
542 {
543 /* Test square. */
544 secp256k1_scalar_t r1, r2;
545 secp256k1_scalar_sqr(&r1, &s1);
546 secp256k1_scalar_mul(&r2, &s1, &s1);
547 CHECK(secp256k1_scalar_eq(&r1, &r2));
548 }
549
550 {
551 /* Test multiplicative identity. */
552 secp256k1_scalar_t r1, v1;
553 secp256k1_scalar_set_int(&v1,1);
554 secp256k1_scalar_mul(&r1, &s1, &v1);
555 CHECK(secp256k1_scalar_eq(&r1, &s1));
556 }
557
558 {
559 /* Test additive identity. */
560 secp256k1_scalar_t r1, v0;
561 secp256k1_scalar_set_int(&v0,0);
562 secp256k1_scalar_add(&r1, &s1, &v0);
563 CHECK(secp256k1_scalar_eq(&r1, &s1));
564 }
565
566 {
567 /* Test zero product property. */
568 secp256k1_scalar_t r1, v0;
569 secp256k1_scalar_set_int(&v0,0);
570 secp256k1_scalar_mul(&r1, &s1, &v0);
571 CHECK(secp256k1_scalar_eq(&r1, &v0));
572 }
573
574}
575
576void run_scalar_tests(void) {
577 int i;
578 for (i = 0; i < 128 * count; i++) {
579 scalar_test();
580 }
581
582 {
583 /* (-1)+1 should be zero. */
584 secp256k1_scalar_t s, o;
585 secp256k1_scalar_set_int(&s, 1);
586 CHECK(secp256k1_scalar_is_one(&s));
587 secp256k1_scalar_negate(&o, &s);
588 secp256k1_scalar_add(&o, &o, &s);
589 CHECK(secp256k1_scalar_is_zero(&o));
590 secp256k1_scalar_negate(&o, &o);
591 CHECK(secp256k1_scalar_is_zero(&o));
592 }
593
594#ifndef USE_NUM_NONE
595 {
596 /* A scalar with value of the curve order should be 0. */
597 secp256k1_num_t order;
598 secp256k1_scalar_t zero;
599 unsigned char bin[32];
600 int overflow = 0;
601 secp256k1_scalar_order_get_num(&order);
602 secp256k1_num_get_bin(bin, 32, &order);
603 secp256k1_scalar_set_b32(&zero, bin, &overflow);
604 CHECK(overflow == 1);
605 CHECK(secp256k1_scalar_is_zero(&zero));
606 }
607#endif
608}
609
610/***** FIELD TESTS *****/
611
612void random_fe(secp256k1_fe_t *x) {
613 unsigned char bin[32];
614 do {
615 secp256k1_rand256(bin);
616 if (secp256k1_fe_set_b32(x, bin)) {
617 return;
618 }
619 } while(1);
620}
621
622void random_fe_non_zero(secp256k1_fe_t *nz) {
623 int tries = 10;
624 while (--tries >= 0) {
625 random_fe(nz);
626 secp256k1_fe_normalize(nz);
627 if (!secp256k1_fe_is_zero(nz))
628 break;
629 }
630 /* Infinitesimal probability of spurious failure here */
631 CHECK(tries >= 0);
632}
633
634void random_fe_non_square(secp256k1_fe_t *ns) {
635 secp256k1_fe_t r;
636 random_fe_non_zero(ns);
637 if (secp256k1_fe_sqrt_var(&r, ns)) {
638 secp256k1_fe_negate(ns, ns, 1);
639 }
640}
641
642int check_fe_equal(const secp256k1_fe_t *a, const secp256k1_fe_t *b) {
643 secp256k1_fe_t an = *a;
644 secp256k1_fe_t bn = *b;
645 secp256k1_fe_normalize_weak(&an);
646 secp256k1_fe_normalize_var(&bn);
647 return secp256k1_fe_equal_var(&an, &bn);
648}
649
650int check_fe_inverse(const secp256k1_fe_t *a, const secp256k1_fe_t *ai) {
651 secp256k1_fe_t x;
652 secp256k1_fe_t one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
653 secp256k1_fe_mul(&x, a, ai);
654 return check_fe_equal(&x, &one);
655}
656
657void run_field_convert(void) {
658 static const unsigned char b32[32] = {
659 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
660 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
661 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
662 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
663 };
664 static const secp256k1_fe_storage_t fes = SECP256K1_FE_STORAGE_CONST(
665 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
666 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
667 );
668 static const secp256k1_fe_t fe = SECP256K1_FE_CONST(
669 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
670 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
671 );
672 secp256k1_fe_t fe2;
673 unsigned char b322[32];
674 secp256k1_fe_storage_t fes2;
675 /* Check conversions to fe. */
676 CHECK(secp256k1_fe_set_b32(&fe2, b32));
677 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
678 secp256k1_fe_from_storage(&fe2, &fes);
679 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
680 /* Check conversion from fe. */
681 secp256k1_fe_get_b32(b322, &fe);
682 CHECK(memcmp(b322, b32, 32) == 0);
683 secp256k1_fe_to_storage(&fes2, &fe);
684 CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0);
685}
686
687void run_field_misc(void) {
688 secp256k1_fe_t x;
689 secp256k1_fe_t y;
690 secp256k1_fe_t z;
691 secp256k1_fe_t q;
692 secp256k1_fe_t fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
693 int i;
694 for (i = 0; i < 5*count; i++) {
695 secp256k1_fe_storage_t xs, ys, zs;
696 random_fe(&x);
697 random_fe_non_zero(&y);
698 /* Test the fe equality and comparison operations. */
699 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
700 CHECK(secp256k1_fe_equal_var(&x, &x));
701 z = x;
702 secp256k1_fe_add(&z,&y);
703 secp256k1_fe_normalize(&z);
704 /* Test storage conversion and conditional moves. */
705 secp256k1_fe_to_storage(&xs, &x);
706 secp256k1_fe_to_storage(&ys, &y);
707 secp256k1_fe_to_storage(&zs, &z);
708 secp256k1_fe_storage_cmov(&zs, &xs, 0);
709 CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0);
710 secp256k1_fe_storage_cmov(&ys, &xs, 1);
711 CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0);
712 secp256k1_fe_from_storage(&x, &xs);
713 secp256k1_fe_from_storage(&y, &ys);
714 secp256k1_fe_from_storage(&z, &zs);
715 /* Test that mul_int, mul, and add agree. */
716 secp256k1_fe_add(&y, &x);
717 secp256k1_fe_add(&y, &x);
718 z = x;
719 secp256k1_fe_mul_int(&z, 3);
720 CHECK(check_fe_equal(&y, &z));
721 secp256k1_fe_add(&y, &x);
722 secp256k1_fe_add(&z, &x);
723 CHECK(check_fe_equal(&z, &y));
724 z = x;
725 secp256k1_fe_mul_int(&z, 5);
726 secp256k1_fe_mul(&q, &x, &fe5);
727 CHECK(check_fe_equal(&z, &q));
728 secp256k1_fe_negate(&x, &x, 1);
729 secp256k1_fe_add(&z, &x);
730 secp256k1_fe_add(&q, &x);
731 CHECK(check_fe_equal(&y, &z));
732 CHECK(check_fe_equal(&q, &y));
733 }
734}
735
736void run_field_inv(void) {
737 secp256k1_fe_t x, xi, xii;
738 int i;
739 for (i = 0; i < 10*count; i++) {
740 random_fe_non_zero(&x);
741 secp256k1_fe_inv(&xi, &x);
742 CHECK(check_fe_inverse(&x, &xi));
743 secp256k1_fe_inv(&xii, &xi);
744 CHECK(check_fe_equal(&x, &xii));
745 }
746}
747
748void run_field_inv_var(void) {
749 secp256k1_fe_t x, xi, xii;
750 int i;
751 for (i = 0; i < 10*count; i++) {
752 random_fe_non_zero(&x);
753 secp256k1_fe_inv_var(&xi, &x);
754 CHECK(check_fe_inverse(&x, &xi));
755 secp256k1_fe_inv_var(&xii, &xi);
756 CHECK(check_fe_equal(&x, &xii));
757 }
758}
759
760void run_field_inv_all_var(void) {
761 secp256k1_fe_t x[16], xi[16], xii[16];
762 int i;
763 /* Check it's safe to call for 0 elements */
764 secp256k1_fe_inv_all_var(0, xi, x);
765 for (i = 0; i < count; i++) {
766 size_t j;
767 size_t len = (secp256k1_rand32() & 15) + 1;
768 for (j = 0; j < len; j++)
769 random_fe_non_zero(&x[j]);
770 secp256k1_fe_inv_all_var(len, xi, x);
771 for (j = 0; j < len; j++)
772 CHECK(check_fe_inverse(&x[j], &xi[j]));
773 secp256k1_fe_inv_all_var(len, xii, xi);
774 for (j = 0; j < len; j++)
775 CHECK(check_fe_equal(&x[j], &xii[j]));
776 }
777}
778
779void run_sqr(void) {
780 secp256k1_fe_t x, s;
781
782 {
783 int i;
784 secp256k1_fe_set_int(&x, 1);
785 secp256k1_fe_negate(&x, &x, 1);
786
787 for (i = 1; i <= 512; ++i) {
788 secp256k1_fe_mul_int(&x, 2);
789 secp256k1_fe_normalize(&x);
790 secp256k1_fe_sqr(&s, &x);
791 }
792 }
793}
794
795void test_sqrt(const secp256k1_fe_t *a, const secp256k1_fe_t *k) {
796 secp256k1_fe_t r1, r2;
797 int v = secp256k1_fe_sqrt_var(&r1, a);
798 CHECK((v == 0) == (k == NULL));
799
800 if (k != NULL) {
801 /* Check that the returned root is +/- the given known answer */
802 secp256k1_fe_negate(&r2, &r1, 1);
803 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
804 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
805 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
806 }
807}
808
809void run_sqrt(void) {
810 secp256k1_fe_t ns, x, s, t;
811 int i;
812
813 /* Check sqrt(0) is 0 */
814 secp256k1_fe_set_int(&x, 0);
815 secp256k1_fe_sqr(&s, &x);
816 test_sqrt(&s, &x);
817
818 /* Check sqrt of small squares (and their negatives) */
819 for (i = 1; i <= 100; i++) {
820 secp256k1_fe_set_int(&x, i);
821 secp256k1_fe_sqr(&s, &x);
822 test_sqrt(&s, &x);
823 secp256k1_fe_negate(&t, &s, 1);
824 test_sqrt(&t, NULL);
825 }
826
827 /* Consistency checks for large random values */
828 for (i = 0; i < 10; i++) {
829 int j;
830 random_fe_non_square(&ns);
831 for (j = 0; j < count; j++) {
832 random_fe(&x);
833 secp256k1_fe_sqr(&s, &x);
834 test_sqrt(&s, &x);
835 secp256k1_fe_negate(&t, &s, 1);
836 test_sqrt(&t, NULL);
837 secp256k1_fe_mul(&t, &s, &ns);
838 test_sqrt(&t, NULL);
839 }
840 }
841}
842
843/***** GROUP TESTS *****/
844
845void ge_equals_ge(const secp256k1_ge_t *a, const secp256k1_ge_t *b) {
846 CHECK(a->infinity == b->infinity);
847 if (a->infinity)
848 return;
849 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
850 CHECK(secp256k1_fe_equal_var(&b->y, &b->y));
851}
852
853void ge_equals_gej(const secp256k1_ge_t *a, const secp256k1_gej_t *b) {
854 secp256k1_fe_t z2s;
855 secp256k1_fe_t u1, u2, s1, s2;
856 CHECK(a->infinity == b->infinity);
857 if (a->infinity)
858 return;
859 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
860 secp256k1_fe_sqr(&z2s, &b->z);
861 secp256k1_fe_mul(&u1, &a->x, &z2s);
862 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
863 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
864 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
865 CHECK(secp256k1_fe_equal_var(&u1, &u2));
866 CHECK(secp256k1_fe_equal_var(&s1, &s2));
867}
868
869void test_ge(void) {
870 int i, i1;
871 int runs = 4;
872 /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
873 * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
874 * All magnitudes are randomized.
875 * All 17*17 combinations of points are added to eachother, using all applicable methods.
876 */
877 secp256k1_ge_t *ge = malloc(sizeof(secp256k1_ge_t) * (1 + 4 * runs));
878 secp256k1_gej_t *gej = malloc(sizeof(secp256k1_gej_t) * (1 + 4 * runs));
879 secp256k1_gej_set_infinity(&gej[0]);
880 secp256k1_ge_clear(&ge[0]);
881 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
882 for (i = 0; i < runs; i++) {
883 int j;
884 secp256k1_ge_t g;
885 random_group_element_test(&g);
886 ge[1 + 4 * i] = g;
887 ge[2 + 4 * i] = g;
888 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
889 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
890 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
891 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
892 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
893 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
894 for (j = 0; j < 4; j++) {
895 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
896 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
897 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
898 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
899 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
900 }
901 }
902
903 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
904 int i2;
905 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
906 /* Compute reference result using gej + gej (var). */
907 secp256k1_gej_t refj, resj;
908 secp256k1_ge_t ref;
909 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2]);
910 secp256k1_ge_set_gej_var(&ref, &refj);
911
912 /* Test gej + ge (var). */
913 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2]);
914 ge_equals_gej(&ref, &resj);
915
916 /* Test gej + ge (const). */
917 if (i2 != 0) {
918 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
919 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
920 ge_equals_gej(&ref, &resj);
921 }
922
923 /* Test doubling (var). */
924 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
925 /* Normal doubling. */
926 secp256k1_gej_double_var(&resj, &gej[i1]);
927 ge_equals_gej(&ref, &resj);
928 secp256k1_gej_double_var(&resj, &gej[i2]);
929 ge_equals_gej(&ref, &resj);
930 }
931
932 /* Test adding opposites. */
933 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
934 CHECK(secp256k1_ge_is_infinity(&ref));
935 }
936
937 /* Test adding infinity. */
938 if (i1 == 0) {
939 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
940 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
941 ge_equals_gej(&ref, &gej[i2]);
942 }
943 if (i2 == 0) {
944 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
945 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
946 ge_equals_gej(&ref, &gej[i1]);
947 }
948 }
949 }
950
951 /* Test adding all points together in random order equals infinity. */
952 {
953 secp256k1_gej_t sum = SECP256K1_GEJ_CONST_INFINITY;
954 secp256k1_gej_t *gej_shuffled = malloc((4 * runs + 1) * sizeof(secp256k1_gej_t));
955 for (i = 0; i < 4 * runs + 1; i++) {
956 gej_shuffled[i] = gej[i];
957 }
958 for (i = 0; i < 4 * runs + 1; i++) {
959 int swap = i + secp256k1_rand32() % (4 * runs + 1 - i);
960 if (swap != i) {
961 secp256k1_gej_t t = gej_shuffled[i];
962 gej_shuffled[i] = gej_shuffled[swap];
963 gej_shuffled[swap] = t;
964 }
965 }
966 for (i = 0; i < 4 * runs + 1; i++) {
967 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i]);
968 }
969 CHECK(secp256k1_gej_is_infinity(&sum));
970 free(gej_shuffled);
971 }
972
973 /* Test batch gej -> ge conversion. */
974 {
975 secp256k1_ge_t *ge_set_all = malloc((4 * runs + 1) * sizeof(secp256k1_ge_t));
976 secp256k1_ge_set_all_gej_var(4 * runs + 1, ge_set_all, gej);
977 for (i = 0; i < 4 * runs + 1; i++) {
978 ge_equals_gej(&ge_set_all[i], &gej[i]);
979 }
980 free(ge_set_all);
981 }
982
983 free(ge);
984 free(gej);
985}
986
987void run_ge(void) {
988 int i;
989 for (i = 0; i < count * 32; i++) {
990 test_ge();
991 }
992}
993
994/***** ECMULT TESTS *****/
995
996void run_ecmult_chain(void) {
997 /* random starting point A (on the curve) */
998 secp256k1_gej_t a = SECP256K1_GEJ_CONST(
999 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
1000 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
1001 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
1002 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
1003 );
1004 /* two random initial factors xn and gn */
1005 secp256k1_scalar_t xn = SECP256K1_SCALAR_CONST(
1006 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
1007 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
1008 );
1009 secp256k1_scalar_t gn = SECP256K1_SCALAR_CONST(
1010 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
1011 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
1012 );
1013 /* two small multipliers to be applied to xn and gn in every iteration: */
1014 static const secp256k1_scalar_t xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
1015 static const secp256k1_scalar_t gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
1016 /* accumulators with the resulting coefficients to A and G */
1017 secp256k1_scalar_t ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
1018 secp256k1_scalar_t ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
1019 /* actual points */
1020 secp256k1_gej_t x = a;
1021 secp256k1_gej_t x2;
1022 int i;
1023
1024 /* the point being computed */
1025 x = a;
1026 for (i = 0; i < 200*count; i++) {
1027 /* in each iteration, compute X = xn*X + gn*G; */
1028 secp256k1_ecmult(&x, &x, &xn, &gn);
1029 /* also compute ae and ge: the actual accumulated factors for A and G */
1030 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
1031 secp256k1_scalar_mul(&ae, &ae, &xn);
1032 secp256k1_scalar_mul(&ge, &ge, &xn);
1033 secp256k1_scalar_add(&ge, &ge, &gn);
1034 /* modify xn and gn */
1035 secp256k1_scalar_mul(&xn, &xn, &xf);
1036 secp256k1_scalar_mul(&gn, &gn, &gf);
1037
1038 /* verify */
1039 if (i == 19999) {
1040 /* expected result after 19999 iterations */
1041 secp256k1_gej_t rp = SECP256K1_GEJ_CONST(
1042 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
1043 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
1044 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
1045 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
1046 );
1047
1048 secp256k1_gej_neg(&rp, &rp);
1049 secp256k1_gej_add_var(&rp, &rp, &x);
1050 CHECK(secp256k1_gej_is_infinity(&rp));
1051 }
1052 }
1053 /* redo the computation, but directly with the resulting ae and ge coefficients: */
1054 secp256k1_ecmult(&x2, &a, &ae, &ge);
1055 secp256k1_gej_neg(&x2, &x2);
1056 secp256k1_gej_add_var(&x2, &x2, &x);
1057 CHECK(secp256k1_gej_is_infinity(&x2));
1058}
1059
1060void test_point_times_order(const secp256k1_gej_t *point) {
1061 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
1062 secp256k1_scalar_t x;
1063 secp256k1_scalar_t nx;
1064 secp256k1_gej_t res1, res2;
1065 secp256k1_ge_t res3;
1066 unsigned char pub[65];
1067 int psize = 65;
1068 random_scalar_order_test(&x);
1069 secp256k1_scalar_negate(&nx, &x);
1070 secp256k1_ecmult(&res1, point, &x, &x); /* calc res1 = x * point + x * G; */
1071 secp256k1_ecmult(&res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
1072 secp256k1_gej_add_var(&res1, &res1, &res2);
1073 CHECK(secp256k1_gej_is_infinity(&res1));
1074 CHECK(secp256k1_gej_is_valid_var(&res1) == 0);
1075 secp256k1_ge_set_gej(&res3, &res1);
1076 CHECK(secp256k1_ge_is_infinity(&res3));
1077 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
1078 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
1079 psize = 65;
1080 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
1081}
1082
1083void run_point_times_order(void) {
1084 int i;
1085 secp256k1_fe_t x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
1086 static const secp256k1_fe_t xr = SECP256K1_FE_CONST(
1087 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
1088 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
1089 );
1090 for (i = 0; i < 500; i++) {
1091 secp256k1_ge_t p;
1092 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
1093 secp256k1_gej_t j;
1094 CHECK(secp256k1_ge_is_valid_var(&p));
1095 secp256k1_gej_set_ge(&j, &p);
1096 CHECK(secp256k1_gej_is_valid_var(&j));
1097 test_point_times_order(&j);
1098 }
1099 secp256k1_fe_sqr(&x, &x);
1100 }
1101 secp256k1_fe_normalize_var(&x);
1102 CHECK(secp256k1_fe_equal_var(&x, &xr));
1103}
1104
1105void test_wnaf(const secp256k1_scalar_t *number, int w) {
1106 secp256k1_scalar_t x, two, t;
1107 int wnaf[256];
1108 int zeroes = -1;
1109 int i;
1110 int bits;
1111 secp256k1_scalar_set_int(&x, 0);
1112 secp256k1_scalar_set_int(&two, 2);
1113 bits = secp256k1_ecmult_wnaf(wnaf, number, w);
1114 CHECK(bits <= 256);
1115 for (i = bits-1; i >= 0; i--) {
1116 int v = wnaf[i];
1117 secp256k1_scalar_mul(&x, &x, &two);
1118 if (v) {
1119 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
1120 zeroes=0;
1121 CHECK((v & 1) == 1); /* check non-zero elements are odd */
1122 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
1123 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
1124 } else {
1125 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
1126 zeroes++;
1127 }
1128 if (v >= 0) {
1129 secp256k1_scalar_set_int(&t, v);
1130 } else {
1131 secp256k1_scalar_set_int(&t, -v);
1132 secp256k1_scalar_negate(&t, &t);
1133 }
1134 secp256k1_scalar_add(&x, &x, &t);
1135 }
1136 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
1137}
1138
1139void run_wnaf(void) {
1140 int i;
1141 secp256k1_scalar_t n;
1142 for (i = 0; i < count; i++) {
1143 random_scalar_order(&n);
1144 if (i % 1)
1145 secp256k1_scalar_negate(&n, &n);
1146 test_wnaf(&n, 4+(i%10));
1147 }
1148}
1149
1150void random_sign(secp256k1_ecdsa_sig_t *sig, const secp256k1_scalar_t *key, const secp256k1_scalar_t *msg, int *recid) {
1151 secp256k1_scalar_t nonce;
1152 do {
1153 random_scalar_order_test(&nonce);
1154 } while(!secp256k1_ecdsa_sig_sign(sig, key, msg, &nonce, recid));
1155}
1156
1157void test_ecdsa_sign_verify(void) {
1158 secp256k1_gej_t pubj;
1159 secp256k1_ge_t pub;
1160 secp256k1_scalar_t one;
1161 secp256k1_scalar_t msg, key;
1162 secp256k1_ecdsa_sig_t sig;
1163 int recid;
1164 int getrec;
1165 random_scalar_order_test(&msg);
1166 random_scalar_order_test(&key);
1167 secp256k1_ecmult_gen(&pubj, &key);
1168 secp256k1_ge_set_gej(&pub, &pubj);
1169 getrec = secp256k1_rand32()&1;
1170 random_sign(&sig, &key, &msg, getrec?&recid:NULL);
1171 if (getrec) CHECK(recid >= 0 && recid < 4);
1172 CHECK(secp256k1_ecdsa_sig_verify(&sig, &pub, &msg));
1173 secp256k1_scalar_set_int(&one, 1);
1174 secp256k1_scalar_add(&msg, &msg, &one);
1175 CHECK(!secp256k1_ecdsa_sig_verify(&sig, &pub, &msg));
1176}
1177
1178void run_ecdsa_sign_verify(void) {
1179 int i;
1180 for (i = 0; i < 10*count; i++) {
1181 test_ecdsa_sign_verify();
1182 }
1183}
1184
1185/** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
1186static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, unsigned int counter, const void *data) {
1187 (void)msg32;
1188 (void)key32;
1189 memcpy(nonce32, data, 32);
1190 return (counter == 0);
1191}
1192
1193static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, unsigned int counter, const void *data) {
1194 /* Dummy nonce generator that has a fatal error on the first counter value. */
1195 if (counter == 0) return 0;
1196 return nonce_function_rfc6979(nonce32, msg32, key32, counter - 1, data);
1197}
1198
1199static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, unsigned int counter, const void *data) {
1200 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
1201 if (counter < 3) {
1202 memset(nonce32, counter==0 ? 0 : 255, 32);
1203 if (counter == 2) nonce32[31]--;
1204 return 1;
1205 }
1206 if (counter < 5) {
1207 static const unsigned char order[] = {
1208 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
1209 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
1210 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
1211 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
1212 };
1213 memcpy(nonce32, order, 32);
1214 if (counter == 4) nonce32[31]++;
1215 return 1;
1216 }
1217 /* Retry rate of 6979 is negligible esp. as we only call this in determinstic tests. */
1218 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
1219 if (counter > 5) return 0;
1220 return nonce_function_rfc6979(nonce32, msg32, key32, counter - 5, data);
1221}
1222
1223int is_empty_compact_signature(const unsigned char *sig64) {
1224 static const unsigned char res[64] = {0};
1225 return memcmp(sig64, res, 64) == 0;
1226}
1227
1228void test_ecdsa_end_to_end(void) {
1229 unsigned char privkey[32];
1230 unsigned char message[32];
1231 unsigned char privkey2[32];
1232 unsigned char csignature[64];
1233 unsigned char signature[72];
1234 unsigned char pubkey[65];
1235 unsigned char recpubkey[65];
1236 unsigned char seckey[300];
1237 int signaturelen = 72;
1238 int recid = 0;
1239 int recpubkeylen = 0;
1240 int pubkeylen = 65;
1241 int seckeylen = 300;
1242
1243 /* Generate a random key and message. */
1244 {
1245 secp256k1_scalar_t msg, key;
1246 random_scalar_order_test(&msg);
1247 random_scalar_order_test(&key);
1248 secp256k1_scalar_get_b32(privkey, &key);
1249 secp256k1_scalar_get_b32(message, &msg);
1250 }
1251
1252 /* Construct and verify corresponding public key. */
1253 CHECK(secp256k1_ec_seckey_verify(privkey) == 1);
1254 CHECK(secp256k1_ec_pubkey_create(pubkey, &pubkeylen, privkey, (secp256k1_rand32() & 3) != 0) == 1);
1255 if (secp256k1_rand32() & 1) {
1256 CHECK(secp256k1_ec_pubkey_decompress(pubkey, &pubkeylen));
1257 }
1258 CHECK(secp256k1_ec_pubkey_verify(pubkey, pubkeylen));
1259
1260 /* Verify private key import and export. */
1261 CHECK(secp256k1_ec_privkey_export(privkey, seckey, &seckeylen, secp256k1_rand32() % 2) == 1);
1262 CHECK(secp256k1_ec_privkey_import(privkey2, seckey, seckeylen) == 1);
1263 CHECK(memcmp(privkey, privkey2, 32) == 0);
1264
1265 /* Optionally tweak the keys using addition. */
1266 if (secp256k1_rand32() % 3 == 0) {
1267 int ret1;
1268 int ret2;
1269 unsigned char rnd[32];
1270 unsigned char pubkey2[65];
1271 int pubkeylen2 = 65;
1272 secp256k1_rand256_test(rnd);
1273 ret1 = secp256k1_ec_privkey_tweak_add(privkey, rnd);
1274 ret2 = secp256k1_ec_pubkey_tweak_add(pubkey, pubkeylen, rnd);
1275 CHECK(ret1 == ret2);
1276 if (ret1 == 0) return;
1277 CHECK(secp256k1_ec_pubkey_create(pubkey2, &pubkeylen2, privkey, pubkeylen == 33) == 1);
1278 CHECK(memcmp(pubkey, pubkey2, pubkeylen) == 0);
1279 }
1280
1281 /* Optionally tweak the keys using multiplication. */
1282 if (secp256k1_rand32() % 3 == 0) {
1283 int ret1;
1284 int ret2;
1285 unsigned char rnd[32];
1286 unsigned char pubkey2[65];
1287 int pubkeylen2 = 65;
1288 secp256k1_rand256_test(rnd);
1289 ret1 = secp256k1_ec_privkey_tweak_mul(privkey, rnd);
1290 ret2 = secp256k1_ec_pubkey_tweak_mul(pubkey, pubkeylen, rnd);
1291 CHECK(ret1 == ret2);
1292 if (ret1 == 0) return;
1293 CHECK(secp256k1_ec_pubkey_create(pubkey2, &pubkeylen2, privkey, pubkeylen == 33) == 1);
1294 CHECK(memcmp(pubkey, pubkey2, pubkeylen) == 0);
1295 }
1296
1297 /* Sign. */
1298 CHECK(secp256k1_ecdsa_sign(message, signature, &signaturelen, privkey, NULL, NULL) == 1);
1299 CHECK(signaturelen > 0);
1300 /* Verify. */
1301 CHECK(secp256k1_ecdsa_verify(message, signature, signaturelen, pubkey, pubkeylen) == 1);
1302 /* Destroy signature and verify again. */
1303 signature[signaturelen - 1 - secp256k1_rand32() % 20] += 1 + (secp256k1_rand32() % 255);
1304 CHECK(secp256k1_ecdsa_verify(message, signature, signaturelen, pubkey, pubkeylen) != 1);
1305
1306 /* Compact sign. */
1307 CHECK(secp256k1_ecdsa_sign_compact(message, csignature, privkey, NULL, NULL, &recid) == 1);
1308 CHECK(!is_empty_compact_signature(csignature));
1309 /* Recover. */
1310 CHECK(secp256k1_ecdsa_recover_compact(message, csignature, recpubkey, &recpubkeylen, pubkeylen == 33, recid) == 1);
1311 CHECK(recpubkeylen == pubkeylen);
1312 CHECK(memcmp(pubkey, recpubkey, pubkeylen) == 0);
1313 /* Destroy signature and verify again. */
1314 csignature[secp256k1_rand32() % 64] += 1 + (secp256k1_rand32() % 255);
1315 CHECK(secp256k1_ecdsa_recover_compact(message, csignature, recpubkey, &recpubkeylen, pubkeylen == 33, recid) != 1 ||
1316 memcmp(pubkey, recpubkey, pubkeylen) != 0);
1317 CHECK(recpubkeylen == pubkeylen);
1318
1319}
1320
1321void test_random_pubkeys(void) {
1322 secp256k1_ge_t elem;
1323 secp256k1_ge_t elem2;
1324 unsigned char in[65];
1325 /* Generate some randomly sized pubkeys. */
1326 uint32_t r = secp256k1_rand32();
1327 int len = (r & 3) == 0 ? 65 : 33;
1328 r>>=2;
1329 if ((r & 3) == 0) len = (r & 252) >> 3;
1330 r>>=8;
1331 if (len == 65) {
1332 in[0] = (r & 2) ? 4 : (r & 1? 6 : 7);
1333 } else {
1334 in[0] = (r & 1) ? 2 : 3;
1335 }
1336 r>>=2;
1337 if ((r & 7) == 0) in[0] = (r & 2040) >> 3;
1338 r>>=11;
1339 if (len > 1) secp256k1_rand256(&in[1]);
1340 if (len > 33) secp256k1_rand256(&in[33]);
1341 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
1342 unsigned char out[65];
1343 unsigned char firstb;
1344 int res;
1345 int size = len;
1346 firstb = in[0];
1347 /* If the pubkey can be parsed, it should round-trip... */
1348 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
1349 CHECK(size == len);
1350 CHECK(memcmp(&in[1], &out[1], len-1) == 0);
1351 /* ... except for the type of hybrid inputs. */
1352 if ((in[0] != 6) && (in[0] != 7)) CHECK(in[0] == out[0]);
1353 size = 65;
1354 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
1355 CHECK(size == 65);
1356 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
1357 ge_equals_ge(&elem,&elem2);
1358 /* Check that the X9.62 hybrid type is checked. */
1359 in[0] = (r & 1) ? 6 : 7;
1360 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
1361 if (firstb == 2 || firstb == 3) {
1362 if (in[0] == firstb + 4) CHECK(res);
1363 else CHECK(!res);
1364 }
1365 if (res) {
1366 ge_equals_ge(&elem,&elem2);
1367 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
1368 CHECK(memcmp(&in[1], &out[1], 64) == 0);
1369 }
1370 }
1371}
1372
1373void run_random_pubkeys(void) {
1374 int i;
1375 for (i = 0; i < 10*count; i++) {
1376 test_random_pubkeys();
1377 }
1378}
1379
1380void run_ecdsa_end_to_end(void) {
1381 int i;
1382 for (i = 0; i < 64*count; i++) {
1383 test_ecdsa_end_to_end();
1384 }
1385}
1386
1387/* Tests several edge cases. */
1388void test_ecdsa_edge_cases(void) {
1389 const unsigned char msg32[32] = {
1390 'T', 'h', 'i', 's', ' ', 'i', 's', ' ',
1391 'a', ' ', 'v', 'e', 'r', 'y', ' ', 's',
1392 'e', 'c', 'r', 'e', 't', ' ', 'm', 'e',
1393 's', 's', 'a', 'g', 'e', '.', '.', '.'
1394 };
1395 const unsigned char sig64[64] = {
1396 /* Generated by signing the above message with nonce 'This is the nonce we will use...'
1397 * and secret key 0 (which is not valid), resulting in recid 0. */
1398 0x67, 0xCB, 0x28, 0x5F, 0x9C, 0xD1, 0x94, 0xE8,
1399 0x40, 0xD6, 0x29, 0x39, 0x7A, 0xF5, 0x56, 0x96,
1400 0x62, 0xFD, 0xE4, 0x46, 0x49, 0x99, 0x59, 0x63,
1401 0x17, 0x9A, 0x7D, 0xD1, 0x7B, 0xD2, 0x35, 0x32,
1402 0x4B, 0x1B, 0x7D, 0xF3, 0x4C, 0xE1, 0xF6, 0x8E,
1403 0x69, 0x4F, 0xF6, 0xF1, 0x1A, 0xC7, 0x51, 0xDD,
1404 0x7D, 0xD7, 0x3E, 0x38, 0x7E, 0xE4, 0xFC, 0x86,
1405 0x6E, 0x1B, 0xE8, 0xEC, 0xC7, 0xDD, 0x95, 0x57
1406 };
1407 unsigned char pubkey[65];
1408 int pubkeylen = 65;
1409 /* signature (r,s) = (4,4), which can be recovered with all 4 recids. */
1410 const unsigned char sigb64[64] = {
1411 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1412 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1413 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1414 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
1415 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1416 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1417 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1418 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
1419 };
1420 unsigned char pubkeyb[33];
1421 int pubkeyblen = 33;
1422 int recid;
1423
1424 CHECK(!secp256k1_ecdsa_recover_compact(msg32, sig64, pubkey, &pubkeylen, 0, 0));
1425 CHECK(secp256k1_ecdsa_recover_compact(msg32, sig64, pubkey, &pubkeylen, 0, 1));
1426 CHECK(!secp256k1_ecdsa_recover_compact(msg32, sig64, pubkey, &pubkeylen, 0, 2));
1427 CHECK(!secp256k1_ecdsa_recover_compact(msg32, sig64, pubkey, &pubkeylen, 0, 3));
1428
1429 for (recid = 0; recid < 4; recid++) {
1430 int i;
1431 int recid2;
1432 /* (4,4) encoded in DER. */
1433 unsigned char sigbder[8] = {0x30, 0x06, 0x02, 0x01, 0x04, 0x02, 0x01, 0x04};
1434 unsigned char sigcder_zr[7] = {0x30, 0x05, 0x02, 0x00, 0x02, 0x01, 0x01};
1435 unsigned char sigcder_zs[7] = {0x30, 0x05, 0x02, 0x01, 0x01, 0x02, 0x00};
1436 unsigned char sigbderalt1[39] = {
1437 0x30, 0x25, 0x02, 0x20, 0x00, 0x00, 0x00, 0x00,
1438 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1439 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1440 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1441 0x00, 0x00, 0x00, 0x04, 0x02, 0x01, 0x04,
1442 };
1443 unsigned char sigbderalt2[39] = {
1444 0x30, 0x25, 0x02, 0x01, 0x04, 0x02, 0x20, 0x00,
1445 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1446 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1447 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1448 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
1449 };
1450 unsigned char sigbderalt3[40] = {
1451 0x30, 0x26, 0x02, 0x21, 0x00, 0x00, 0x00, 0x00,
1452 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1453 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1454 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1455 0x00, 0x00, 0x00, 0x00, 0x04, 0x02, 0x01, 0x04,
1456 };
1457 unsigned char sigbderalt4[40] = {
1458 0x30, 0x26, 0x02, 0x01, 0x04, 0x02, 0x21, 0x00,
1459 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1460 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1461 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1462 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04,
1463 };
1464 /* (order + r,4) encoded in DER. */
1465 unsigned char sigbderlong[40] = {
1466 0x30, 0x26, 0x02, 0x21, 0x00, 0xFF, 0xFF, 0xFF,
1467 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
1468 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC,
1469 0xE6, 0xAF, 0x48, 0xA0, 0x3B, 0xBF, 0xD2, 0x5E,
1470 0x8C, 0xD0, 0x36, 0x41, 0x45, 0x02, 0x01, 0x04
1471 };
1472 CHECK(secp256k1_ecdsa_recover_compact(msg32, sigb64, pubkeyb, &pubkeyblen, 1, recid));
1473 CHECK(secp256k1_ecdsa_verify(msg32, sigbder, sizeof(sigbder), pubkeyb, pubkeyblen) == 1);
1474 for (recid2 = 0; recid2 < 4; recid2++) {
1475 unsigned char pubkey2b[33];
1476 int pubkey2blen = 33;
1477 CHECK(secp256k1_ecdsa_recover_compact(msg32, sigb64, pubkey2b, &pubkey2blen, 1, recid2));
1478 /* Verifying with (order + r,4) should always fail. */
1479 CHECK(secp256k1_ecdsa_verify(msg32, sigbderlong, sizeof(sigbderlong), pubkey2b, pubkey2blen) != 1);
1480 }
1481 /* DER parsing tests. */
1482 /* Zero length r/s. */
1483 CHECK(secp256k1_ecdsa_verify(msg32, sigcder_zr, sizeof(sigcder_zr), pubkeyb, pubkeyblen) == -2);
1484 CHECK(secp256k1_ecdsa_verify(msg32, sigcder_zs, sizeof(sigcder_zs), pubkeyb, pubkeyblen) == -2);
1485 /* Leading zeros. */
1486 CHECK(secp256k1_ecdsa_verify(msg32, sigbderalt1, sizeof(sigbderalt1), pubkeyb, pubkeyblen) == 1);
1487 CHECK(secp256k1_ecdsa_verify(msg32, sigbderalt2, sizeof(sigbderalt2), pubkeyb, pubkeyblen) == 1);
1488 CHECK(secp256k1_ecdsa_verify(msg32, sigbderalt3, sizeof(sigbderalt3), pubkeyb, pubkeyblen) == 1);
1489 CHECK(secp256k1_ecdsa_verify(msg32, sigbderalt4, sizeof(sigbderalt4), pubkeyb, pubkeyblen) == 1);
1490 sigbderalt3[4] = 1;
1491 CHECK(secp256k1_ecdsa_verify(msg32, sigbderalt3, sizeof(sigbderalt3), pubkeyb, pubkeyblen) == -2);
1492 sigbderalt4[7] = 1;
1493 CHECK(secp256k1_ecdsa_verify(msg32, sigbderalt4, sizeof(sigbderalt4), pubkeyb, pubkeyblen) == -2);
1494 /* Damage signature. */
1495 sigbder[7]++;
1496 CHECK(secp256k1_ecdsa_verify(msg32, sigbder, sizeof(sigbder), pubkeyb, pubkeyblen) == 0);
1497 sigbder[7]--;
1498 CHECK(secp256k1_ecdsa_verify(msg32, sigbder, 6, pubkeyb, pubkeyblen) == -2);
1499 CHECK(secp256k1_ecdsa_verify(msg32, sigbder, sizeof(sigbder)-1, pubkeyb, pubkeyblen) == -2);
1500 for(i = 0; i < 8; i++) {
1501 int c;
1502 unsigned char orig = sigbder[i];
1503 /*Try every single-byte change.*/
1504 for (c = 0; c < 256; c++) {
1505 if (c == orig ) continue;
1506 sigbder[i] = c;
1507 CHECK(secp256k1_ecdsa_verify(msg32, sigbder, sizeof(sigbder), pubkeyb, pubkeyblen) ==
1508 (i==4 || i==7) ? 0 : -2 );
1509 }
1510 sigbder[i] = orig;
1511 }
1512 }
1513
1514 /* Test the case where ECDSA recomputes a point that is infinity. */
1515 {
1516 secp256k1_gej_t keyj;
1517 secp256k1_ge_t key;
1518 secp256k1_scalar_t msg;
1519 secp256k1_ecdsa_sig_t sig;
1520 secp256k1_scalar_set_int(&sig.s, 1);
1521 secp256k1_scalar_negate(&sig.s, &sig.s);
1522 secp256k1_scalar_inverse(&sig.s, &sig.s);
1523 secp256k1_scalar_set_int(&sig.r, 1);
1524 secp256k1_ecmult_gen(&keyj, &sig.r);
1525 secp256k1_ge_set_gej(&key, &keyj);
1526 msg = sig.s;
1527 CHECK(secp256k1_ecdsa_sig_verify(&sig, &key, &msg) == 0);
1528 }
1529
1530 /* Test r/s equal to zero */
1531 {
1532 /* (1,1) encoded in DER. */
1533 unsigned char sigcder[8] = {0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x01};
1534 unsigned char sigc64[64] = {
1535 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1536 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1537 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1538 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1539 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1540 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1541 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1542 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1543 };
1544 unsigned char pubkeyc[65];
1545 int pubkeyclen = 65;
1546 CHECK(secp256k1_ecdsa_recover_compact(msg32, sigc64, pubkeyc, &pubkeyclen, 0, 0) == 1);
1547 CHECK(secp256k1_ecdsa_verify(msg32, sigcder, sizeof(sigcder), pubkeyc, pubkeyclen) == 1);
1548 sigcder[4] = 0;
1549 sigc64[31] = 0;
1550 CHECK(secp256k1_ecdsa_recover_compact(msg32, sigc64, pubkeyb, &pubkeyblen, 1, 0) == 0);
1551 CHECK(secp256k1_ecdsa_verify(msg32, sigcder, sizeof(sigcder), pubkeyc, pubkeyclen) == 0);
1552 sigcder[4] = 1;
1553 sigcder[7] = 0;
1554 sigc64[31] = 1;
1555 sigc64[63] = 0;
1556 CHECK(secp256k1_ecdsa_recover_compact(msg32, sigc64, pubkeyb, &pubkeyblen, 1, 0) == 0);
1557 CHECK(secp256k1_ecdsa_verify(msg32, sigcder, sizeof(sigcder), pubkeyc, pubkeyclen) == 0);
1558 }
1559
1560 /*Signature where s would be zero.*/
1561 {
1562 const unsigned char nonce[32] = {
1563 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1564 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1565 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1566 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1567 };
1568 static const unsigned char nonce2[32] = {
1569 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
1570 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
1571 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
1572 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
1573 };
1574 const unsigned char key[32] = {
1575 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1576 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1577 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1578 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1579 };
1580 unsigned char msg[32] = {
1581 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
1582 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
1583 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
1584 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
1585 };
1586 unsigned char sig[72];
1587 int siglen = 72;
1588 CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, precomputed_nonce_function, nonce) == 0);
1589 CHECK(siglen == 0);
1590 CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, precomputed_nonce_function, nonce2) == 0);
1591 CHECK(siglen == 0);
1592 msg[31] = 0xaa;
1593 siglen = 72;
1594 CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, precomputed_nonce_function, nonce) == 1);
1595 CHECK(siglen > 0);
1596 CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, precomputed_nonce_function, nonce2) == 1);
1597 CHECK(siglen > 0);
1598 siglen = 10;
1599 CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, precomputed_nonce_function, nonce) != 1);
1600 CHECK(siglen == 0);
1601 }
1602
1603 /* Nonce function corner cases. */
1604 {
1605 int i;
1606 unsigned char key[32];
1607 unsigned char msg[32];
1608 unsigned char sig[72];
1609 unsigned char sig2[72];
1610 secp256k1_ecdsa_sig_t s[512];
1611 int siglen = 72;
1612 int siglen2 = 72;
1613 int recid2;
1614 memset(msg, 0, 32);
1615 msg[31] = 1;
1616 /* High key results in signature failure. */
1617 memset(key, 0xFF, 32);
1618 CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, NULL, NULL) == 0);
1619 CHECK(siglen == 0);
1620 /* Zero key results in signature failure. */
1621 memset(key, 0, 32);
1622 CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, NULL, NULL) == 0);
1623 CHECK(siglen == 0);
1624 /* Nonce function failure results in signature failure. */
1625 key[31] = 1;
1626 CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, nonce_function_test_fail, NULL) == 0);
1627 CHECK(siglen == 0);
1628 CHECK(secp256k1_ecdsa_sign_compact(msg, sig, key, nonce_function_test_fail, NULL, &recid) == 0);
1629 CHECK(is_empty_compact_signature(sig));
1630 /* The retry loop successfully makes its way to the first good value. */
1631 siglen = 72;
1632 CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, nonce_function_test_retry, NULL) == 1);
1633 CHECK(siglen > 0);
1634 CHECK(secp256k1_ecdsa_sign(msg, sig2, &siglen2, key, nonce_function_rfc6979, NULL) == 1);
1635 CHECK(siglen > 0);
1636 CHECK((siglen == siglen2) && (memcmp(sig, sig2, siglen) == 0));
1637 CHECK(secp256k1_ecdsa_sign_compact(msg, sig, key, nonce_function_test_retry, NULL, &recid) == 1);
1638 CHECK(!is_empty_compact_signature(sig));
1639 CHECK(secp256k1_ecdsa_sign_compact(msg, sig2, key, nonce_function_rfc6979, NULL, &recid2) == 1);
1640 CHECK(!is_empty_compact_signature(sig2));
1641 CHECK((recid == recid2) && (memcmp(sig, sig2, 64) == 0));
1642 /* The default nonce function is determinstic. */
1643 siglen = 72;
1644 siglen2 = 72;
1645 CHECK(secp256k1_ecdsa_sign(msg, sig, &siglen, key, NULL, NULL) == 1);
1646 CHECK(siglen > 0);
1647 CHECK(secp256k1_ecdsa_sign(msg, sig2, &siglen2, key, NULL, NULL) == 1);
1648 CHECK(siglen2 > 0);
1649 CHECK((siglen == siglen2) && (memcmp(sig, sig2, siglen) == 0));
1650 CHECK(secp256k1_ecdsa_sign_compact(msg, sig, key, NULL, NULL, &recid) == 1);
1651 CHECK(!is_empty_compact_signature(sig));
1652 CHECK(secp256k1_ecdsa_sign_compact(msg, sig2, key, NULL, NULL, &recid2) == 1);
1653 CHECK(!is_empty_compact_signature(sig));
1654 CHECK((recid == recid2) && (memcmp(sig, sig2, 64) == 0));
1655 /* The default nonce function changes output with different messages. */
1656 for(i = 0; i < 256; i++) {
1657 int j;
1658 siglen2 = 72;
1659 msg[0] = i;
1660 CHECK(secp256k1_ecdsa_sign(msg, sig2, &siglen2, key, NULL, NULL) == 1);
1661 CHECK(!is_empty_compact_signature(sig));
1662 CHECK(secp256k1_ecdsa_sig_parse(&s[i], sig2, siglen2));
1663 for (j = 0; j < i; j++) {
1664 CHECK(!secp256k1_scalar_eq(&s[i].r, &s[j].r));
1665 }
1666 }
1667 msg[0] = 0;
1668 msg[31] = 2;
1669 /* The default nonce function changes output with different keys. */
1670 for(i = 256; i < 512; i++) {
1671 int j;
1672 siglen2 = 72;
1673 key[0] = i - 256;
1674 CHECK(secp256k1_ecdsa_sign(msg, sig2, &siglen2, key, NULL, NULL) == 1);
1675 CHECK(secp256k1_ecdsa_sig_parse(&s[i], sig2, siglen2));
1676 for (j = 0; j < i; j++) {
1677 CHECK(!secp256k1_scalar_eq(&s[i].r, &s[j].r));
1678 }
1679 }
1680 key[0] = 0;
1681 }
1682
1683 /* Privkey export where pubkey is the point at infinity. */
1684 {
1685 unsigned char privkey[300];
1686 unsigned char seckey[32] = {
1687 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1688 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1689 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1690 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
1691 };
1692 int outlen = 300;
1693 CHECK(!secp256k1_ec_privkey_export(seckey, privkey, &outlen, 0));
1694 CHECK(!secp256k1_ec_privkey_export(seckey, privkey, &outlen, 1));
1695 }
1696}
1697
1698void run_ecdsa_edge_cases(void) {
1699 test_ecdsa_edge_cases();
1700}
1701
1702#ifdef ENABLE_OPENSSL_TESTS
1703EC_KEY *get_openssl_key(const secp256k1_scalar_t *key) {
1704 unsigned char privkey[300];
1705 int privkeylen;
1706 const unsigned char* pbegin = privkey;
1707 int compr = secp256k1_rand32() & 1;
1708 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
1709 CHECK(secp256k1_eckey_privkey_serialize(privkey, &privkeylen, key, compr));
1710 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
1711 CHECK(EC_KEY_check_key(ec_key));
1712 return ec_key;
1713}
1714
1715void test_ecdsa_openssl(void) {
1716 secp256k1_gej_t qj;
1717 secp256k1_ge_t q;
1718 secp256k1_ecdsa_sig_t sig;
1719 secp256k1_scalar_t one;
1720 secp256k1_scalar_t msg2;
1721 secp256k1_scalar_t key, msg;
1722 EC_KEY *ec_key;
1723 unsigned int sigsize = 80;
1724 int secp_sigsize = 80;
1725 unsigned char message[32];
1726 unsigned char signature[80];
1727 secp256k1_rand256_test(message);
1728 secp256k1_scalar_set_b32(&msg, message, NULL);
1729 random_scalar_order_test(&key);
1730 secp256k1_ecmult_gen(&qj, &key);
1731 secp256k1_ge_set_gej(&q, &qj);
1732 ec_key = get_openssl_key(&key);
1733 CHECK(ec_key);
1734 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
1735 CHECK(secp256k1_ecdsa_sig_parse(&sig, signature, sigsize));
1736 CHECK(secp256k1_ecdsa_sig_verify(&sig, &q, &msg));
1737 secp256k1_scalar_set_int(&one, 1);
1738 secp256k1_scalar_add(&msg2, &msg, &one);
1739 CHECK(!secp256k1_ecdsa_sig_verify(&sig, &q, &msg2));
1740
1741 random_sign(&sig, &key, &msg, NULL);
1742 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sig));
1743 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
1744
1745 EC_KEY_free(ec_key);
1746}
1747
1748void run_ecdsa_openssl(void) {
1749 int i;
1750 for (i = 0; i < 10*count; i++) {
1751 test_ecdsa_openssl();
1752 }
1753}
1754#endif
1755
1756int main(int argc, char **argv) {
1757 unsigned char seed16[16] = {0};
1758 unsigned char run32[32] = {0};
1759 /* find iteration count */
1760 if (argc > 1) {
1761 count = strtol(argv[1], NULL, 0);
1762 }
1763
1764 /* find random seed */
1765 if (argc > 2) {
1766 int pos = 0;
1767 const char* ch = argv[2];
1768 while (pos < 16 && ch[0] != 0 && ch[1] != 0) {
1769 unsigned short sh;
1770 if (sscanf(ch, "%2hx", &sh)) {
1771 seed16[pos] = sh;
1772 } else {
1773 break;
1774 }
1775 ch += 2;
1776 pos++;
1777 }
1778 } else {
1779 FILE *frand = fopen("/dev/urandom", "r");
1780 if (!frand || !fread(&seed16, sizeof(seed16), 1, frand)) {
1781 uint64_t t = time(NULL) * (uint64_t)1337;
1782 seed16[0] ^= t;
1783 seed16[1] ^= t >> 8;
1784 seed16[2] ^= t >> 16;
1785 seed16[3] ^= t >> 24;
1786 seed16[4] ^= t >> 32;
1787 seed16[5] ^= t >> 40;
1788 seed16[6] ^= t >> 48;
1789 seed16[7] ^= t >> 56;
1790 }
1791 fclose(frand);
1792 }
1793 secp256k1_rand_seed(seed16);
1794
1795 printf("test count = %i\n", count);
1796 printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]);
1797
1798 /* initialize */
1799 secp256k1_start(SECP256K1_START_SIGN | SECP256K1_START_VERIFY);
1800
1801 /* initializing a second time shouldn't cause any harm or memory leaks. */
1802 secp256k1_start(SECP256K1_START_SIGN | SECP256K1_START_VERIFY);
1803
1804 run_sha256_tests();
1805 run_hmac_sha256_tests();
1806 run_rfc6979_hmac_sha256_tests();
1807
1808#ifndef USE_NUM_NONE
1809 /* num tests */
1810 run_num_smalltests();
1811#endif
1812
1813 /* scalar tests */
1814 run_scalar_tests();
1815
1816 /* field tests */
1817 run_field_inv();
1818 run_field_inv_var();
1819 run_field_inv_all_var();
1820 run_field_misc();
1821 run_field_convert();
1822 run_sqr();
1823 run_sqrt();
1824
1825 /* group tests */
1826 run_ge();
1827
1828 /* ecmult tests */
1829 run_wnaf();
1830 run_point_times_order();
1831 run_ecmult_chain();
1832
1833 /* ecdsa tests */
1834 run_random_pubkeys();
1835 run_ecdsa_sign_verify();
1836 run_ecdsa_end_to_end();
1837 run_ecdsa_edge_cases();
1838#ifdef ENABLE_OPENSSL_TESTS
1839 run_ecdsa_openssl();
1840#endif
1841
1842 secp256k1_rand256(run32);
1843 printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]);
1844
1845 /* shutdown */
1846 secp256k1_stop();
1847
1848 /* shutting down twice shouldn't cause any double frees. */
1849 secp256k1_stop();
1850 return 0;
1851}
Empty description
This page took 0.042141 seconds and 4 git commands to generate.