Raven Core  3.0.0
P2P Digital Currency
tests.c
Go to the documentation of this file.
1 /**********************************************************************
2  * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3  * Distributed under the MIT software license, see the accompanying *
4  * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5  **********************************************************************/
6 
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
9 #endif
10 
11 #include <stdio.h>
12 #include <stdlib.h>
13 #include <string.h>
14 
15 #include <time.h>
16 
17 #include "secp256k1.c"
18 #include "include/secp256k1.h"
19 #include "testrand_impl.h"
20 
21 #ifdef ENABLE_OPENSSL_TESTS
22 #include "openssl/bn.h"
23 #include "openssl/ec.h"
24 #include "openssl/ecdsa.h"
25 #include "openssl/obj_mac.h"
26 #endif
27 
30 
31 #if !defined(VG_CHECK)
32 # if defined(VALGRIND)
33 # include <valgrind/memcheck.h>
34 # define VG_UNDEF(x,y) VALGRIND_MAKE_MEM_UNDEFINED((x),(y))
35 # define VG_CHECK(x,y) VALGRIND_CHECK_MEM_IS_DEFINED((x),(y))
36 # else
37 # define VG_UNDEF(x,y)
38 # define VG_CHECK(x,y)
39 # endif
40 #endif
41 
42 static int count = 64;
43 static secp256k1_context *ctx = NULL;
44 
45 static void counting_illegal_callback_fn(const char* str, void* data) {
46  /* Dummy callback function that just counts. */
47  int32_t *p;
48  (void)str;
49  p = data;
50  (*p)++;
51 }
52 
53 static void uncounting_illegal_callback_fn(const char* str, void* data) {
54  /* Dummy callback function that just counts (backwards). */
55  int32_t *p;
56  (void)str;
57  p = data;
58  (*p)--;
59 }
60 
62  do {
63  unsigned char b32[32];
64  secp256k1_rand256_test(b32);
65  if (secp256k1_fe_set_b32(fe, b32)) {
66  break;
67  }
68  } while(1);
69 }
70 
72  secp256k1_fe zero;
73  int n = secp256k1_rand_int(9);
74  secp256k1_fe_normalize(fe);
75  if (n == 0) {
76  return;
77  }
78  secp256k1_fe_clear(&zero);
79  secp256k1_fe_negate(&zero, &zero, 0);
80  secp256k1_fe_mul_int(&zero, n - 1);
81  secp256k1_fe_add(fe, &zero);
82  VERIFY_CHECK(fe->magnitude == n);
83 }
84 
86  secp256k1_fe fe;
87  do {
89  if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand_bits(1))) {
90  secp256k1_fe_normalize(&ge->y);
91  break;
92  }
93  } while(1);
94 }
95 
97  secp256k1_fe z2, z3;
98  do {
100  if (!secp256k1_fe_is_zero(&gej->z)) {
101  break;
102  }
103  } while(1);
104  secp256k1_fe_sqr(&z2, &gej->z);
105  secp256k1_fe_mul(&z3, &z2, &gej->z);
106  secp256k1_fe_mul(&gej->x, &ge->x, &z2);
107  secp256k1_fe_mul(&gej->y, &ge->y, &z3);
108  gej->infinity = ge->infinity;
109 }
110 
112  do {
113  unsigned char b32[32];
114  int overflow = 0;
115  secp256k1_rand256_test(b32);
116  secp256k1_scalar_set_b32(num, b32, &overflow);
117  if (overflow || secp256k1_scalar_is_zero(num)) {
118  continue;
119  }
120  break;
121  } while(1);
122 }
123 
125  do {
126  unsigned char b32[32];
127  int overflow = 0;
128  secp256k1_rand256(b32);
129  secp256k1_scalar_set_b32(num, b32, &overflow);
130  if (overflow || secp256k1_scalar_is_zero(num)) {
131  continue;
132  }
133  break;
134  } while(1);
135 }
136 
137 void run_context_tests(void) {
138  secp256k1_pubkey pubkey;
139  secp256k1_pubkey zero_pubkey;
141  unsigned char ctmp[32];
142  int32_t ecount;
143  int32_t ecount2;
148 
149  secp256k1_gej pubj;
150  secp256k1_ge pub;
151  secp256k1_scalar msg, key, nonce;
152  secp256k1_scalar sigr, sigs;
153 
154  memset(&zero_pubkey, 0, sizeof(zero_pubkey));
155 
156  ecount = 0;
157  ecount2 = 10;
158  secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
159  secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
160  secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, NULL);
161  CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
162 
163  /*** clone and destroy all of them to make sure cloning was complete ***/
164  {
165  secp256k1_context *ctx_tmp;
166 
167  ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_destroy(ctx_tmp);
168  ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_destroy(ctx_tmp);
169  ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_destroy(ctx_tmp);
170  ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_destroy(ctx_tmp);
171  }
172 
173  /* Verify that the error callback makes it across the clone. */
174  CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
175  /* And that it resets back to default. */
176  secp256k1_context_set_error_callback(sign, NULL, NULL);
177  CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
178 
179  /*** attempt to use them ***/
182  secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
183  secp256k1_ge_set_gej(&pub, &pubj);
184 
185  /* Verify context-type checking illegal-argument errors. */
186  memset(ctmp, 1, 32);
187  CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
188  CHECK(ecount == 1);
189  VG_UNDEF(&pubkey, sizeof(pubkey));
190  CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
191  VG_CHECK(&pubkey, sizeof(pubkey));
192  CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
193  CHECK(ecount == 2);
194  VG_UNDEF(&sig, sizeof(sig));
195  CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
196  VG_CHECK(&sig, sizeof(sig));
197  CHECK(ecount2 == 10);
198  CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
199  CHECK(ecount2 == 11);
200  CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
201  CHECK(ecount == 2);
202  CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
203  CHECK(ecount2 == 12);
204  CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
205  CHECK(ecount == 2);
206  CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
207  CHECK(ecount2 == 13);
208  CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
209  CHECK(ecount == 2);
210  CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
211  CHECK(ecount == 2);
212  CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
213  CHECK(ecount2 == 14);
214  CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
215  CHECK(ecount == 3);
216  CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
217  CHECK(ecount == 3);
218  CHECK(secp256k1_context_randomize(vrfy, ctmp) == 0);
219  CHECK(ecount == 4);
220  CHECK(secp256k1_context_randomize(sign, NULL) == 1);
221  CHECK(ecount2 == 14);
222  secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
223  secp256k1_context_set_illegal_callback(sign, NULL, NULL);
224 
225  /* This shouldn't leak memory, due to already-set tests. */
226  secp256k1_ecmult_gen_context_build(&sign->ecmult_gen_ctx, NULL);
227  secp256k1_ecmult_context_build(&vrfy->ecmult_ctx, NULL);
228 
229  /* obtain a working nonce */
230  do {
231  random_scalar_order_test(&nonce);
232  } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
233 
234  /* try signing */
235  CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
236  CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
237 
238  /* try verifying */
239  CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
240  CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
241 
242  /* cleanup */
247  /* Defined as no-op. */
249 }
250 
251 /***** HASH TESTS *****/
252 
253 void run_sha256_tests(void) {
254  static const char *inputs[8] = {
255  "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
256  "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
257  "For this sample, this 63-byte string will be used as input data",
258  "This is exactly 64 bytes long, not counting the terminating byte"
259  };
260  static const unsigned char outputs[8][32] = {
261  {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
262  {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
263  {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
264  {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
265  {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
266  {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
267  {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
268  {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
269  };
270  int i;
271  for (i = 0; i < 8; i++) {
272  unsigned char out[32];
273  secp256k1_sha256_t hasher;
274  secp256k1_sha256_initialize(&hasher);
275  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
276  secp256k1_sha256_finalize(&hasher, out);
277  CHECK(memcmp(out, outputs[i], 32) == 0);
278  if (strlen(inputs[i]) > 0) {
279  int split = secp256k1_rand_int(strlen(inputs[i]));
280  secp256k1_sha256_initialize(&hasher);
281  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
282  secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
283  secp256k1_sha256_finalize(&hasher, out);
284  CHECK(memcmp(out, outputs[i], 32) == 0);
285  }
286  }
287 }
288 
290  static const char *keys[6] = {
291  "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
292  "\x4a\x65\x66\x65",
293  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
294  "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
295  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
296  "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
297  };
298  static const char *inputs[6] = {
299  "\x48\x69\x20\x54\x68\x65\x72\x65",
300  "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
301  "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
302  "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
303  "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
304  "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
305  };
306  static const unsigned char outputs[6][32] = {
307  {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
308  {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
309  {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
310  {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
311  {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
312  {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
313  };
314  int i;
315  for (i = 0; i < 6; i++) {
317  unsigned char out[32];
318  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
319  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
320  secp256k1_hmac_sha256_finalize(&hasher, out);
321  CHECK(memcmp(out, outputs[i], 32) == 0);
322  if (strlen(inputs[i]) > 0) {
323  int split = secp256k1_rand_int(strlen(inputs[i]));
324  secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
325  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
326  secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
327  secp256k1_hmac_sha256_finalize(&hasher, out);
328  CHECK(memcmp(out, outputs[i], 32) == 0);
329  }
330  }
331 }
332 
334  static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
335  static const unsigned char out1[3][32] = {
336  {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
337  {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
338  {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
339  };
340 
341  static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
342  static const unsigned char out2[3][32] = {
343  {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
344  {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
345  {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
346  };
347 
349  unsigned char out[32];
350  int i;
351 
352  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
353  for (i = 0; i < 3; i++) {
354  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
355  CHECK(memcmp(out, out1[i], 32) == 0);
356  }
357  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
358 
359  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
360  for (i = 0; i < 3; i++) {
361  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
362  CHECK(memcmp(out, out1[i], 32) != 0);
363  }
364  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
365 
366  secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
367  for (i = 0; i < 3; i++) {
368  secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
369  CHECK(memcmp(out, out2[i], 32) == 0);
370  }
371  secp256k1_rfc6979_hmac_sha256_finalize(&rng);
372 }
373 
374 /***** RANDOM TESTS *****/
375 
376 void test_rand_bits(int rand32, int bits) {
377  /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
378  * get a false negative chance below once in a billion */
379  static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
380  /* We try multiplying the results with various odd numbers, which shouldn't
381  * influence the uniform distribution modulo a power of 2. */
382  static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
383  /* We only select up to 6 bits from the output to analyse */
384  unsigned int usebits = bits > 6 ? 6 : bits;
385  unsigned int maxshift = bits - usebits;
386  /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
387  number, track all observed outcomes, one per bit in a uint64_t. */
388  uint64_t x[6][27] = {{0}};
389  unsigned int i, shift, m;
390  /* Multiply the output of all rand calls with the odd number m, which
391  should not change the uniformity of its distribution. */
392  for (i = 0; i < rounds[usebits]; i++) {
393  uint32_t r = (rand32 ? secp256k1_rand32() : secp256k1_rand_bits(bits));
394  CHECK((((uint64_t)r) >> bits) == 0);
395  for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
396  uint32_t rm = r * mults[m];
397  for (shift = 0; shift <= maxshift; shift++) {
398  x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
399  }
400  }
401  }
402  for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
403  for (shift = 0; shift <= maxshift; shift++) {
404  /* Test that the lower usebits bits of x[shift] are 1 */
405  CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
406  }
407  }
408 }
409 
410 /* Subrange must be a whole divisor of range, and at most 64 */
411 void test_rand_int(uint32_t range, uint32_t subrange) {
412  /* (1-1/subrange)^rounds < 1/10^9 */
413  int rounds = (subrange * 2073) / 100;
414  int i;
415  uint64_t x = 0;
416  CHECK((range % subrange) == 0);
417  for (i = 0; i < rounds; i++) {
418  uint32_t r = secp256k1_rand_int(range);
419  CHECK(r < range);
420  r = r % subrange;
421  x |= (((uint64_t)1) << r);
422  }
423  /* Test that the lower subrange bits of x are 1. */
424  CHECK(((~x) << (64 - subrange)) == 0);
425 }
426 
427 void run_rand_bits(void) {
428  size_t b;
429  test_rand_bits(1, 32);
430  for (b = 1; b <= 32; b++) {
431  test_rand_bits(0, b);
432  }
433 }
434 
435 void run_rand_int(void) {
436  static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
437  static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
438  unsigned int m, s;
439  for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
440  for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
441  test_rand_int(ms[m] * ss[s], ss[s]);
442  }
443  }
444 }
445 
446 /***** NUM TESTS *****/
447 
448 #ifndef USE_NUM_NONE
450  if (secp256k1_rand_bits(1)) {
451  secp256k1_num_negate(num);
452  }
453 }
454 
456  secp256k1_scalar sc;
458  secp256k1_scalar_get_num(num, &sc);
459 }
460 
462  secp256k1_scalar sc;
463  random_scalar_order(&sc);
464  secp256k1_scalar_get_num(num, &sc);
465 }
466 
467 void test_num_negate(void) {
468  secp256k1_num n1;
469  secp256k1_num n2;
470  random_num_order_test(&n1); /* n1 = R */
471  random_num_negate(&n1);
472  secp256k1_num_copy(&n2, &n1); /* n2 = R */
473  secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
474  CHECK(secp256k1_num_is_zero(&n1));
475  secp256k1_num_copy(&n1, &n2); /* n1 = R */
476  secp256k1_num_negate(&n1); /* n1 = -R */
477  CHECK(!secp256k1_num_is_zero(&n1));
478  secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
479  CHECK(secp256k1_num_is_zero(&n1));
480  secp256k1_num_copy(&n1, &n2); /* n1 = R */
481  secp256k1_num_negate(&n1); /* n1 = -R */
482  CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
483  secp256k1_num_negate(&n1); /* n1 = R */
484  CHECK(secp256k1_num_eq(&n1, &n2));
485 }
486 
487 void test_num_add_sub(void) {
488  int i;
490  secp256k1_num n1;
491  secp256k1_num n2;
492  secp256k1_num n1p2, n2p1, n1m2, n2m1;
493  random_num_order_test(&n1); /* n1 = R1 */
494  if (secp256k1_rand_bits(1)) {
495  random_num_negate(&n1);
496  }
497  random_num_order_test(&n2); /* n2 = R2 */
498  if (secp256k1_rand_bits(1)) {
499  random_num_negate(&n2);
500  }
501  secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
502  secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
503  secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
504  secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
505  CHECK(secp256k1_num_eq(&n1p2, &n2p1));
506  CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
507  secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
508  CHECK(secp256k1_num_eq(&n2m1, &n1m2));
509  CHECK(!secp256k1_num_eq(&n2m1, &n1));
510  secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
511  CHECK(secp256k1_num_eq(&n2m1, &n1));
512  CHECK(!secp256k1_num_eq(&n2p1, &n1));
513  secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
514  CHECK(secp256k1_num_eq(&n2p1, &n1));
515 
516  /* check is_one */
517  secp256k1_scalar_set_int(&s, 1);
518  secp256k1_scalar_get_num(&n1, &s);
519  CHECK(secp256k1_num_is_one(&n1));
520  /* check that 2^n + 1 is never 1 */
521  secp256k1_scalar_get_num(&n2, &s);
522  for (i = 0; i < 250; ++i) {
523  secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */
524  secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */
525  CHECK(!secp256k1_num_is_one(&n1p2));
526  }
527 }
528 
529 void test_num_mod(void) {
530  int i;
532  secp256k1_num order, n;
533 
534  /* check that 0 mod anything is 0 */
536  secp256k1_scalar_get_num(&order, &s);
537  secp256k1_scalar_set_int(&s, 0);
538  secp256k1_scalar_get_num(&n, &s);
539  secp256k1_num_mod(&n, &order);
540  CHECK(secp256k1_num_is_zero(&n));
541 
542  /* check that anything mod 1 is 0 */
543  secp256k1_scalar_set_int(&s, 1);
544  secp256k1_scalar_get_num(&order, &s);
545  secp256k1_scalar_get_num(&n, &s);
546  secp256k1_num_mod(&n, &order);
547  CHECK(secp256k1_num_is_zero(&n));
548 
549  /* check that increasing the number past 2^256 does not break this */
551  secp256k1_scalar_get_num(&n, &s);
552  /* multiply by 2^8, which'll test this case with high probability */
553  for (i = 0; i < 8; ++i) {
554  secp256k1_num_add(&n, &n, &n);
555  }
556  secp256k1_num_mod(&n, &order);
557  CHECK(secp256k1_num_is_zero(&n));
558 }
559 
560 void test_num_jacobi(void) {
561  secp256k1_scalar sqr;
562  secp256k1_scalar small;
563  secp256k1_scalar five; /* five is not a quadratic residue */
564  secp256k1_num order, n;
565  int i;
566  /* squares mod 5 are 1, 4 */
567  const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
568 
569  /* check some small values with 5 as the order */
570  secp256k1_scalar_set_int(&five, 5);
571  secp256k1_scalar_get_num(&order, &five);
572  for (i = 0; i < 10; ++i) {
573  secp256k1_scalar_set_int(&small, i);
574  secp256k1_scalar_get_num(&n, &small);
575  CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
576  }
577 
579  secp256k1_scalar_get_num(&order, &five);
580  /* we first need a scalar which is not a multiple of 5 */
581  do {
582  secp256k1_num fiven;
584  secp256k1_scalar_get_num(&fiven, &five);
585  secp256k1_scalar_get_num(&n, &sqr);
586  secp256k1_num_mod(&n, &fiven);
587  } while (secp256k1_num_is_zero(&n));
588  /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
589  * just multiply by two, i.e. add the number to itself */
590  if (secp256k1_num_jacobi(&n, &order) == -1) {
591  secp256k1_num_add(&n, &n, &n);
592  }
593 
594  /* test residue */
595  CHECK(secp256k1_num_jacobi(&n, &order) == 1);
596  /* test nonresidue */
597  secp256k1_num_add(&n, &n, &n);
598  CHECK(secp256k1_num_jacobi(&n, &order) == -1);
599 
601  secp256k1_scalar_order_get_num(&order);
603  secp256k1_scalar_sqr(&sqr, &sqr);
604  /* test residue */
605  secp256k1_scalar_get_num(&n, &sqr);
606  CHECK(secp256k1_num_jacobi(&n, &order) == 1);
607  /* test nonresidue */
608  secp256k1_scalar_mul(&sqr, &sqr, &five);
609  secp256k1_scalar_get_num(&n, &sqr);
610  CHECK(secp256k1_num_jacobi(&n, &order) == -1);
611  /* test multiple of the order*/
612  CHECK(secp256k1_num_jacobi(&order, &order) == 0);
613 
614  /* check one less than the order */
615  secp256k1_scalar_set_int(&small, 1);
616  secp256k1_scalar_get_num(&n, &small);
617  secp256k1_num_sub(&n, &order, &n);
618  CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */
619 }
620 
621 void run_num_smalltests(void) {
622  int i;
623  for (i = 0; i < 100*count; i++) {
624  test_num_negate();
626  test_num_mod();
627  test_num_jacobi();
628  }
629 }
630 #endif
631 
632 /***** SCALAR TESTS *****/
633 
634 void scalar_test(void) {
638 #ifndef USE_NUM_NONE
639  secp256k1_num snum, s1num, s2num;
640  secp256k1_num order, half_order;
641 #endif
642  unsigned char c[32];
643 
644  /* Set 's' to a random scalar, with value 'snum'. */
646 
647  /* Set 's1' to a random scalar, with value 's1num'. */
649 
650  /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
652  secp256k1_scalar_get_b32(c, &s2);
653 
654 #ifndef USE_NUM_NONE
655  secp256k1_scalar_get_num(&snum, &s);
656  secp256k1_scalar_get_num(&s1num, &s1);
657  secp256k1_scalar_get_num(&s2num, &s2);
658 
659  secp256k1_scalar_order_get_num(&order);
660  half_order = order;
661  secp256k1_num_shift(&half_order, 1);
662 #endif
663 
664  {
665  int i;
666  /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
668  secp256k1_scalar_set_int(&n, 0);
669  for (i = 0; i < 256; i += 4) {
671  int j;
672  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
673  for (j = 0; j < 4; j++) {
674  secp256k1_scalar_add(&n, &n, &n);
675  }
676  secp256k1_scalar_add(&n, &n, &t);
677  }
678  CHECK(secp256k1_scalar_eq(&n, &s));
679  }
680 
681  {
682  /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
684  int i = 0;
685  secp256k1_scalar_set_int(&n, 0);
686  while (i < 256) {
688  int j;
689  int now = secp256k1_rand_int(15) + 1;
690  if (now + i > 256) {
691  now = 256 - i;
692  }
693  secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
694  for (j = 0; j < now; j++) {
695  secp256k1_scalar_add(&n, &n, &n);
696  }
697  secp256k1_scalar_add(&n, &n, &t);
698  i += now;
699  }
700  CHECK(secp256k1_scalar_eq(&n, &s));
701  }
702 
703 #ifndef USE_NUM_NONE
704  {
705  /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
706  secp256k1_num rnum;
707  secp256k1_num r2num;
709  secp256k1_num_add(&rnum, &snum, &s2num);
710  secp256k1_num_mod(&rnum, &order);
711  secp256k1_scalar_add(&r, &s, &s2);
712  secp256k1_scalar_get_num(&r2num, &r);
713  CHECK(secp256k1_num_eq(&rnum, &r2num));
714  }
715 
716  {
717  /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
719  secp256k1_num r2num;
720  secp256k1_num rnum;
721  secp256k1_num_mul(&rnum, &snum, &s2num);
722  secp256k1_num_mod(&rnum, &order);
723  secp256k1_scalar_mul(&r, &s, &s2);
724  secp256k1_scalar_get_num(&r2num, &r);
725  CHECK(secp256k1_num_eq(&rnum, &r2num));
726  /* The result can only be zero if at least one of the factors was zero. */
727  CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
728  /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
729  CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
730  CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
731  }
732 
733  {
734  secp256k1_scalar neg;
735  secp256k1_num negnum;
736  secp256k1_num negnum2;
737  /* Check that comparison with zero matches comparison with zero on the number. */
738  CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
739  /* Check that comparison with the half order is equal to testing for high scalar. */
740  CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
741  secp256k1_scalar_negate(&neg, &s);
742  secp256k1_num_sub(&negnum, &order, &snum);
743  secp256k1_num_mod(&negnum, &order);
744  /* Check that comparison with the half order is equal to testing for high scalar after negation. */
745  CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
746  /* Negating should change the high property, unless the value was already zero. */
747  CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
748  secp256k1_scalar_get_num(&negnum2, &neg);
749  /* Negating a scalar should be equal to (order - n) mod order on the number. */
750  CHECK(secp256k1_num_eq(&negnum, &negnum2));
751  secp256k1_scalar_add(&neg, &neg, &s);
752  /* Adding a number to its negation should result in zero. */
753  CHECK(secp256k1_scalar_is_zero(&neg));
754  secp256k1_scalar_negate(&neg, &neg);
755  /* Negating zero should still result in zero. */
756  CHECK(secp256k1_scalar_is_zero(&neg));
757  }
758 
759  {
760  /* Test secp256k1_scalar_mul_shift_var. */
762  secp256k1_num one;
763  secp256k1_num rnum;
764  secp256k1_num rnum2;
765  unsigned char cone[1] = {0x01};
766  unsigned int shift = 256 + secp256k1_rand_int(257);
767  secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
768  secp256k1_num_mul(&rnum, &s1num, &s2num);
769  secp256k1_num_shift(&rnum, shift - 1);
770  secp256k1_num_set_bin(&one, cone, 1);
771  secp256k1_num_add(&rnum, &rnum, &one);
772  secp256k1_num_shift(&rnum, 1);
773  secp256k1_scalar_get_num(&rnum2, &r);
774  CHECK(secp256k1_num_eq(&rnum, &rnum2));
775  }
776 
777  {
778  /* test secp256k1_scalar_shr_int */
780  int i;
782  for (i = 0; i < 100; ++i) {
783  int low;
784  int shift = 1 + secp256k1_rand_int(15);
785  int expected = r.d[0] % (1 << shift);
786  low = secp256k1_scalar_shr_int(&r, shift);
787  CHECK(expected == low);
788  }
789  }
790 #endif
791 
792  {
793  /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
794  if (!secp256k1_scalar_is_zero(&s)) {
795  secp256k1_scalar inv;
796 #ifndef USE_NUM_NONE
797  secp256k1_num invnum;
798  secp256k1_num invnum2;
799 #endif
800  secp256k1_scalar_inverse(&inv, &s);
801 #ifndef USE_NUM_NONE
802  secp256k1_num_mod_inverse(&invnum, &snum, &order);
803  secp256k1_scalar_get_num(&invnum2, &inv);
804  CHECK(secp256k1_num_eq(&invnum, &invnum2));
805 #endif
806  secp256k1_scalar_mul(&inv, &inv, &s);
807  /* Multiplying a scalar with its inverse must result in one. */
808  CHECK(secp256k1_scalar_is_one(&inv));
809  secp256k1_scalar_inverse(&inv, &inv);
810  /* Inverting one must result in one. */
811  CHECK(secp256k1_scalar_is_one(&inv));
812 #ifndef USE_NUM_NONE
813  secp256k1_scalar_get_num(&invnum, &inv);
814  CHECK(secp256k1_num_is_one(&invnum));
815 #endif
816  }
817  }
818 
819  {
820  /* Test commutativity of add. */
821  secp256k1_scalar r1, r2;
822  secp256k1_scalar_add(&r1, &s1, &s2);
823  secp256k1_scalar_add(&r2, &s2, &s1);
824  CHECK(secp256k1_scalar_eq(&r1, &r2));
825  }
826 
827  {
828  secp256k1_scalar r1, r2;
830  int i;
831  /* Test add_bit. */
832  int bit = secp256k1_rand_bits(8);
833  secp256k1_scalar_set_int(&b, 1);
834  CHECK(secp256k1_scalar_is_one(&b));
835  for (i = 0; i < bit; i++) {
836  secp256k1_scalar_add(&b, &b, &b);
837  }
838  r1 = s1;
839  r2 = s1;
840  if (!secp256k1_scalar_add(&r1, &r1, &b)) {
841  /* No overflow happened. */
842  secp256k1_scalar_cadd_bit(&r2, bit, 1);
843  CHECK(secp256k1_scalar_eq(&r1, &r2));
844  /* cadd is a noop when flag is zero */
845  secp256k1_scalar_cadd_bit(&r2, bit, 0);
846  CHECK(secp256k1_scalar_eq(&r1, &r2));
847  }
848  }
849 
850  {
851  /* Test commutativity of mul. */
852  secp256k1_scalar r1, r2;
853  secp256k1_scalar_mul(&r1, &s1, &s2);
854  secp256k1_scalar_mul(&r2, &s2, &s1);
855  CHECK(secp256k1_scalar_eq(&r1, &r2));
856  }
857 
858  {
859  /* Test associativity of add. */
860  secp256k1_scalar r1, r2;
861  secp256k1_scalar_add(&r1, &s1, &s2);
862  secp256k1_scalar_add(&r1, &r1, &s);
863  secp256k1_scalar_add(&r2, &s2, &s);
864  secp256k1_scalar_add(&r2, &s1, &r2);
865  CHECK(secp256k1_scalar_eq(&r1, &r2));
866  }
867 
868  {
869  /* Test associativity of mul. */
870  secp256k1_scalar r1, r2;
871  secp256k1_scalar_mul(&r1, &s1, &s2);
872  secp256k1_scalar_mul(&r1, &r1, &s);
873  secp256k1_scalar_mul(&r2, &s2, &s);
874  secp256k1_scalar_mul(&r2, &s1, &r2);
875  CHECK(secp256k1_scalar_eq(&r1, &r2));
876  }
877 
878  {
879  /* Test distributitivity of mul over add. */
880  secp256k1_scalar r1, r2, t;
881  secp256k1_scalar_add(&r1, &s1, &s2);
882  secp256k1_scalar_mul(&r1, &r1, &s);
883  secp256k1_scalar_mul(&r2, &s1, &s);
884  secp256k1_scalar_mul(&t, &s2, &s);
885  secp256k1_scalar_add(&r2, &r2, &t);
886  CHECK(secp256k1_scalar_eq(&r1, &r2));
887  }
888 
889  {
890  /* Test square. */
891  secp256k1_scalar r1, r2;
892  secp256k1_scalar_sqr(&r1, &s1);
893  secp256k1_scalar_mul(&r2, &s1, &s1);
894  CHECK(secp256k1_scalar_eq(&r1, &r2));
895  }
896 
897  {
898  /* Test multiplicative identity. */
899  secp256k1_scalar r1, v1;
900  secp256k1_scalar_set_int(&v1,1);
901  secp256k1_scalar_mul(&r1, &s1, &v1);
902  CHECK(secp256k1_scalar_eq(&r1, &s1));
903  }
904 
905  {
906  /* Test additive identity. */
907  secp256k1_scalar r1, v0;
908  secp256k1_scalar_set_int(&v0,0);
909  secp256k1_scalar_add(&r1, &s1, &v0);
910  CHECK(secp256k1_scalar_eq(&r1, &s1));
911  }
912 
913  {
914  /* Test zero product property. */
915  secp256k1_scalar r1, v0;
916  secp256k1_scalar_set_int(&v0,0);
917  secp256k1_scalar_mul(&r1, &s1, &v0);
918  CHECK(secp256k1_scalar_eq(&r1, &v0));
919  }
920 
921 }
922 
923 void run_scalar_tests(void) {
924  int i;
925  for (i = 0; i < 128 * count; i++) {
926  scalar_test();
927  }
928 
929  {
930  /* (-1)+1 should be zero. */
931  secp256k1_scalar s, o;
932  secp256k1_scalar_set_int(&s, 1);
933  CHECK(secp256k1_scalar_is_one(&s));
934  secp256k1_scalar_negate(&o, &s);
935  secp256k1_scalar_add(&o, &o, &s);
936  CHECK(secp256k1_scalar_is_zero(&o));
937  secp256k1_scalar_negate(&o, &o);
938  CHECK(secp256k1_scalar_is_zero(&o));
939  }
940 
941 #ifndef USE_NUM_NONE
942  {
943  /* A scalar with value of the curve order should be 0. */
944  secp256k1_num order;
945  secp256k1_scalar zero;
946  unsigned char bin[32];
947  int overflow = 0;
948  secp256k1_scalar_order_get_num(&order);
949  secp256k1_num_get_bin(bin, 32, &order);
950  secp256k1_scalar_set_b32(&zero, bin, &overflow);
951  CHECK(overflow == 1);
952  CHECK(secp256k1_scalar_is_zero(&zero));
953  }
954 #endif
955 
956  {
957  /* Does check_overflow check catch all ones? */
958  static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
959  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
960  0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
961  );
962  CHECK(secp256k1_scalar_check_overflow(&overflowed));
963  }
964 
965  {
966  /* Static test vectors.
967  * These were reduced from ~10^12 random vectors based on comparison-decision
968  * and edge-case coverage on 32-bit and 64-bit implementations.
969  * The responses were generated with Sage 5.9.
970  */
974  secp256k1_scalar zz;
975  secp256k1_scalar one;
976  secp256k1_scalar r1;
977  secp256k1_scalar r2;
978 #if defined(USE_SCALAR_INV_NUM)
979  secp256k1_scalar zzv;
980 #endif
981  int overflow;
982  unsigned char chal[33][2][32] = {
983  {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
984  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
985  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
986  0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
987  {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
988  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
989  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
990  0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
991  {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
992  0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
993  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
994  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
995  {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
996  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
997  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
998  0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
999  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1000  0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1001  0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1002  0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1003  {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1004  0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1005  0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1006  0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1007  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1008  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1009  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1010  0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1011  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1012  0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1013  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1014  0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1015  {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1016  0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1017  0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1018  0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1019  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1020  0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1021  0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1022  0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1023  {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1024  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1025  0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1026  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1027  {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1028  0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1029  0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1030  0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1031  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1032  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1033  0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1034  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1035  {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1036  0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1037  0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1038  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1039  {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1040  0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1041  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1042  0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1043  {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1044  0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1045  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1046  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1047  {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1048  0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1049  0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1050  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1051  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1052  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1053  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1054  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1055  {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1056  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1057  0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1058  0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1059  {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1060  0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1061  0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1062  0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1063  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1064  0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1065  0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1066  0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1067  {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1068  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1069  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1070  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1071  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1072  0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1073  0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1074  0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1075  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1076  0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1077  0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1078  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1079  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1080  0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1081  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1082  0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1083  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1084  0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1085  0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1086  0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1087  {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1088  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1089  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1090  0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1091  {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1092  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1093  0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1094  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1095  {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1096  0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1097  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1098  0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1099  {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1100  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1101  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1102  0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1103  {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1104  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1105  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1106  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1107  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1108  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1109  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1110  0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1111  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1112  0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1113  0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1114  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1115  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1116  0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1117  0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1118  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1119  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1120  0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1121  0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1122  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1123  {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1124  0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1125  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1126  0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1127  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1128  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1129  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1130  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1131  {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1132  0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1133  0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1134  0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1135  {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1136  0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1137  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1138  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1139  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1140  0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1141  0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1142  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1143  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1144  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1145  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1146  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1147  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1148  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1149  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1150  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1151  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1152  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1153  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1154  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1155  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1156  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1157  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1158  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1159  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1160  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1161  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1162  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1163  {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1164  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1165  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1166  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1167  {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1168  0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1169  0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1170  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1171  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1172  0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1173  0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1174  0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1175  {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1176  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1177  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1178  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1179  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1180  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1181  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1182  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1183  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1184  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1185  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1186  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1187  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1188  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1189  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1190  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1191  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1192  0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1193  0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1194  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1195  {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1196  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1197  0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1198  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1199  {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1200  0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1201  0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1202  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1203  {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1204  0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1205  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1206  0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1207  {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1208  0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1209  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1210  0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1211  {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1212  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1213  0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1214  0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1215  {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1216  0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1217  0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1218  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1219  {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1220  0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1221  0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1222  0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1223  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1224  0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1225  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1226  0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1227  {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1228  0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1229  0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1230  0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1231  {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1232  0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1233  0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1234  0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1235  {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1236  0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1237  0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1238  0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1239  {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1240  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1241  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1242  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1243  {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1244  0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1245  0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1246  0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
1247  };
1248  unsigned char res[33][2][32] = {
1249  {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1250  0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1251  0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1252  0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1253  {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1254  0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1255  0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1256  0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1257  {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1258  0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1259  0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1260  0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1261  {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1262  0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1263  0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1264  0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1265  {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1266  0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1267  0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1268  0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1269  {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1270  0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1271  0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1272  0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1273  {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1274  0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1275  0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1276  0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1277  {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1278  0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1279  0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1280  0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1281  {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1282  0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1283  0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1284  0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1285  {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1286  0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1287  0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1288  0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1289  {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1290  0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1291  0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1292  0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1293  {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1294  0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1295  0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1296  0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1297  {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1298  0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1299  0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1300  0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1301  {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1302  0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1303  0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1304  0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1305  {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1306  0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1307  0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1308  0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1309  {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1310  0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1311  0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1312  0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1313  {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1314  0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1315  0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1316  0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1317  {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1318  0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1319  0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1320  0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1321  {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1322  0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1323  0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1324  0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1325  {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1326  0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1327  0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1328  0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1329  {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1330  0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1331  0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1332  0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1333  {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1334  0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1335  0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1336  0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1337  {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1338  0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1339  0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1340  0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1341  {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1342  0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1343  0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1344  0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1345  {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1346  0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1347  0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1348  0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1349  {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1350  0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1351  0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1352  0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1353  {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1354  0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1355  0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1356  0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1357  {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1358  0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1359  0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1360  0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1361  {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1362  0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1363  0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1364  0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1365  {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1366  0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1367  0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1368  0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1369  {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1370  0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1371  0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1372  0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1373  {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1374  0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1375  0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1376  0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1377  {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1378  0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1379  0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1380  0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1381  {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1382  0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1383  0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1384  0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1385  {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1386  0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1387  0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1388  0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1389  {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1390  0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1391  0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1392  0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1393  {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1394  0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1395  0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1396  0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1397  {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1398  0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1399  0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1400  0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1401  {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1402  0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1403  0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1404  0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1405  {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1406  0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1407  0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1408  0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1409  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1410  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1411  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1412  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1413  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1414  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1415  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1416  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1417  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1418  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1419  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1420  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1421  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1422  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1423  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1424  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1425  {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1426  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1427  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1428  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1429  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1430  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1431  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1432  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1433  {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1434  0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1435  0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1436  0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1437  {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1438  0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1439  0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1440  0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1441  {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1442  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1443  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1444  0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1445  {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1446  0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1447  0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1448  0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1449  {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1450  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1451  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1452  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1453  {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1454  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1455  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1456  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1457  {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1458  0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1459  0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1460  0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1461  {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1462  0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1463  0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1464  0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1465  {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1466  0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1467  0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1468  0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1469  {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1470  0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1471  0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1472  0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1473  {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1474  0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1475  0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1476  0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1477  {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1478  0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1479  0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1480  0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1481  {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1482  0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1483  0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1484  0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1485  {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1486  0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1487  0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1488  0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1489  {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1490  0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1491  0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1492  0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1493  {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1494  0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1495  0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1496  0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1497  {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1498  0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1499  0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1500  0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1501  {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1502  0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1503  0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
1504  0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1505  {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1506  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1507  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1508  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1509  {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1510  0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1511  0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1512  0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
1513  };
1514  secp256k1_scalar_set_int(&one, 1);
1515  for (i = 0; i < 33; i++) {
1516  secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1517  CHECK(!overflow);
1518  secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1519  CHECK(!overflow);
1520  secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1521  CHECK(!overflow);
1522  secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1523  CHECK(!overflow);
1524  secp256k1_scalar_mul(&z, &x, &y);
1525  CHECK(!secp256k1_scalar_check_overflow(&z));
1526  CHECK(secp256k1_scalar_eq(&r1, &z));
1527  if (!secp256k1_scalar_is_zero(&y)) {
1528  secp256k1_scalar_inverse(&zz, &y);
1529  CHECK(!secp256k1_scalar_check_overflow(&zz));
1530 #if defined(USE_SCALAR_INV_NUM)
1531  secp256k1_scalar_inverse_var(&zzv, &y);
1532  CHECK(secp256k1_scalar_eq(&zzv, &zz));
1533 #endif
1534  secp256k1_scalar_mul(&z, &z, &zz);
1535  CHECK(!secp256k1_scalar_check_overflow(&z));
1536  CHECK(secp256k1_scalar_eq(&x, &z));
1537  secp256k1_scalar_mul(&zz, &zz, &y);
1538  CHECK(!secp256k1_scalar_check_overflow(&zz));
1539  CHECK(secp256k1_scalar_eq(&one, &zz));
1540  }
1541  secp256k1_scalar_mul(&z, &x, &x);
1542  CHECK(!secp256k1_scalar_check_overflow(&z));
1543  secp256k1_scalar_sqr(&zz, &x);
1544  CHECK(!secp256k1_scalar_check_overflow(&zz));
1545  CHECK(secp256k1_scalar_eq(&zz, &z));
1546  CHECK(secp256k1_scalar_eq(&r2, &zz));
1547  }
1548  }
1549 }
1550 
1551 /***** FIELD TESTS *****/
1552 
1554  unsigned char bin[32];
1555  do {
1556  secp256k1_rand256(bin);
1557  if (secp256k1_fe_set_b32(x, bin)) {
1558  return;
1559  }
1560  } while(1);
1561 }
1562 
1564  unsigned char bin[32];
1565  do {
1566  secp256k1_rand256_test(bin);
1567  if (secp256k1_fe_set_b32(x, bin)) {
1568  return;
1569  }
1570  } while(1);
1571 }
1572 
1574  int tries = 10;
1575  while (--tries >= 0) {
1576  random_fe(nz);
1577  secp256k1_fe_normalize(nz);
1578  if (!secp256k1_fe_is_zero(nz)) {
1579  break;
1580  }
1581  }
1582  /* Infinitesimal probability of spurious failure here */
1583  CHECK(tries >= 0);
1584 }
1585 
1587  secp256k1_fe r;
1588  random_fe_non_zero(ns);
1589  if (secp256k1_fe_sqrt(&r, ns)) {
1590  secp256k1_fe_negate(ns, ns, 1);
1591  }
1592 }
1593 
1594 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1595  secp256k1_fe an = *a;
1596  secp256k1_fe bn = *b;
1597  secp256k1_fe_normalize_weak(&an);
1598  secp256k1_fe_normalize_var(&bn);
1599  return secp256k1_fe_equal_var(&an, &bn);
1600 }
1601 
1602 int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) {
1603  secp256k1_fe x;
1604  secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
1605  secp256k1_fe_mul(&x, a, ai);
1606  return check_fe_equal(&x, &one);
1607 }
1608 
1609 void run_field_convert(void) {
1610  static const unsigned char b32[32] = {
1611  0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1612  0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1613  0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1614  0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1615  };
1617  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1618  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1619  );
1620  static const secp256k1_fe fe = SECP256K1_FE_CONST(
1621  0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1622  0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1623  );
1624  secp256k1_fe fe2;
1625  unsigned char b322[32];
1626  secp256k1_fe_storage fes2;
1627  /* Check conversions to fe. */
1628  CHECK(secp256k1_fe_set_b32(&fe2, b32));
1629  CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1630  secp256k1_fe_from_storage(&fe2, &fes);
1631  CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1632  /* Check conversion from fe. */
1633  secp256k1_fe_get_b32(b322, &fe);
1634  CHECK(memcmp(b322, b32, 32) == 0);
1635  secp256k1_fe_to_storage(&fes2, &fe);
1636  CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0);
1637 }
1638 
1639 int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b) {
1640  secp256k1_fe t = *b;
1641 #ifdef VERIFY
1642  t.magnitude = a->magnitude;
1643  t.normalized = a->normalized;
1644 #endif
1645  return memcmp(a, &t, sizeof(secp256k1_fe));
1646 }
1647 
1648 void run_field_misc(void) {
1649  secp256k1_fe x;
1650  secp256k1_fe y;
1651  secp256k1_fe z;
1652  secp256k1_fe q;
1653  secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
1654  int i, j;
1655  for (i = 0; i < 5*count; i++) {
1656  secp256k1_fe_storage xs, ys, zs;
1657  random_fe(&x);
1658  random_fe_non_zero(&y);
1659  /* Test the fe equality and comparison operations. */
1660  CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
1661  CHECK(secp256k1_fe_equal_var(&x, &x));
1662  z = x;
1663  secp256k1_fe_add(&z,&y);
1664  /* Test fe conditional move; z is not normalized here. */
1665  q = x;
1666  secp256k1_fe_cmov(&x, &z, 0);
1667  VERIFY_CHECK(!x.normalized && x.magnitude == z.magnitude);
1668  secp256k1_fe_cmov(&x, &x, 1);
1669  CHECK(fe_memcmp(&x, &z) != 0);
1670  CHECK(fe_memcmp(&x, &q) == 0);
1671  secp256k1_fe_cmov(&q, &z, 1);
1672  VERIFY_CHECK(!q.normalized && q.magnitude == z.magnitude);
1673  CHECK(fe_memcmp(&q, &z) == 0);
1674  secp256k1_fe_normalize_var(&x);
1675  secp256k1_fe_normalize_var(&z);
1676  CHECK(!secp256k1_fe_equal_var(&x, &z));
1677  secp256k1_fe_normalize_var(&q);
1678  secp256k1_fe_cmov(&q, &z, (i&1));
1679  VERIFY_CHECK(q.normalized && q.magnitude == 1);
1680  for (j = 0; j < 6; j++) {
1681  secp256k1_fe_negate(&z, &z, j+1);
1682  secp256k1_fe_normalize_var(&q);
1683  secp256k1_fe_cmov(&q, &z, (j&1));
1684  VERIFY_CHECK(!q.normalized && q.magnitude == (j+2));
1685  }
1686  secp256k1_fe_normalize_var(&z);
1687  /* Test storage conversion and conditional moves. */
1688  secp256k1_fe_to_storage(&xs, &x);
1689  secp256k1_fe_to_storage(&ys, &y);
1690  secp256k1_fe_to_storage(&zs, &z);
1691  secp256k1_fe_storage_cmov(&zs, &xs, 0);
1692  secp256k1_fe_storage_cmov(&zs, &zs, 1);
1693  CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0);
1694  secp256k1_fe_storage_cmov(&ys, &xs, 1);
1695  CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0);
1696  secp256k1_fe_from_storage(&x, &xs);
1697  secp256k1_fe_from_storage(&y, &ys);
1698  secp256k1_fe_from_storage(&z, &zs);
1699  /* Test that mul_int, mul, and add agree. */
1700  secp256k1_fe_add(&y, &x);
1701  secp256k1_fe_add(&y, &x);
1702  z = x;
1703  secp256k1_fe_mul_int(&z, 3);
1704  CHECK(check_fe_equal(&y, &z));
1705  secp256k1_fe_add(&y, &x);
1706  secp256k1_fe_add(&z, &x);
1707  CHECK(check_fe_equal(&z, &y));
1708  z = x;
1709  secp256k1_fe_mul_int(&z, 5);
1710  secp256k1_fe_mul(&q, &x, &fe5);
1711  CHECK(check_fe_equal(&z, &q));
1712  secp256k1_fe_negate(&x, &x, 1);
1713  secp256k1_fe_add(&z, &x);
1714  secp256k1_fe_add(&q, &x);
1715  CHECK(check_fe_equal(&y, &z));
1716  CHECK(check_fe_equal(&q, &y));
1717  }
1718 }
1719 
1720 void run_field_inv(void) {
1721  secp256k1_fe x, xi, xii;
1722  int i;
1723  for (i = 0; i < 10*count; i++) {
1724  random_fe_non_zero(&x);
1725  secp256k1_fe_inv(&xi, &x);
1726  CHECK(check_fe_inverse(&x, &xi));
1727  secp256k1_fe_inv(&xii, &xi);
1728  CHECK(check_fe_equal(&x, &xii));
1729  }
1730 }
1731 
1732 void run_field_inv_var(void) {
1733  secp256k1_fe x, xi, xii;
1734  int i;
1735  for (i = 0; i < 10*count; i++) {
1736  random_fe_non_zero(&x);
1737  secp256k1_fe_inv_var(&xi, &x);
1738  CHECK(check_fe_inverse(&x, &xi));
1739  secp256k1_fe_inv_var(&xii, &xi);
1740  CHECK(check_fe_equal(&x, &xii));
1741  }
1742 }
1743 
1745  secp256k1_fe x[16], xi[16], xii[16];
1746  int i;
1747  /* Check it's safe to call for 0 elements */
1748  secp256k1_fe_inv_all_var(xi, x, 0);
1749  for (i = 0; i < count; i++) {
1750  size_t j;
1751  size_t len = secp256k1_rand_int(15) + 1;
1752  for (j = 0; j < len; j++) {
1753  random_fe_non_zero(&x[j]);
1754  }
1755  secp256k1_fe_inv_all_var(xi, x, len);
1756  for (j = 0; j < len; j++) {
1757  CHECK(check_fe_inverse(&x[j], &xi[j]));
1758  }
1759  secp256k1_fe_inv_all_var(xii, xi, len);
1760  for (j = 0; j < len; j++) {
1761  CHECK(check_fe_equal(&x[j], &xii[j]));
1762  }
1763  }
1764 }
1765 
1766 void run_sqr(void) {
1767  secp256k1_fe x, s;
1768 
1769  {
1770  int i;
1771  secp256k1_fe_set_int(&x, 1);
1772  secp256k1_fe_negate(&x, &x, 1);
1773 
1774  for (i = 1; i <= 512; ++i) {
1775  secp256k1_fe_mul_int(&x, 2);
1776  secp256k1_fe_normalize(&x);
1777  secp256k1_fe_sqr(&s, &x);
1778  }
1779  }
1780 }
1781 
1782 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
1783  secp256k1_fe r1, r2;
1784  int v = secp256k1_fe_sqrt(&r1, a);
1785  CHECK((v == 0) == (k == NULL));
1786 
1787  if (k != NULL) {
1788  /* Check that the returned root is +/- the given known answer */
1789  secp256k1_fe_negate(&r2, &r1, 1);
1790  secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
1791  secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
1792  CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
1793  }
1794 }
1795 
1796 void run_sqrt(void) {
1797  secp256k1_fe ns, x, s, t;
1798  int i;
1799 
1800  /* Check sqrt(0) is 0 */
1801  secp256k1_fe_set_int(&x, 0);
1802  secp256k1_fe_sqr(&s, &x);
1803  test_sqrt(&s, &x);
1804 
1805  /* Check sqrt of small squares (and their negatives) */
1806  for (i = 1; i <= 100; i++) {
1807  secp256k1_fe_set_int(&x, i);
1808  secp256k1_fe_sqr(&s, &x);
1809  test_sqrt(&s, &x);
1810  secp256k1_fe_negate(&t, &s, 1);
1811  test_sqrt(&t, NULL);
1812  }
1813 
1814  /* Consistency checks for large random values */
1815  for (i = 0; i < 10; i++) {
1816  int j;
1817  random_fe_non_square(&ns);
1818  for (j = 0; j < count; j++) {
1819  random_fe(&x);
1820  secp256k1_fe_sqr(&s, &x);
1821  test_sqrt(&s, &x);
1822  secp256k1_fe_negate(&t, &s, 1);
1823  test_sqrt(&t, NULL);
1824  secp256k1_fe_mul(&t, &s, &ns);
1825  test_sqrt(&t, NULL);
1826  }
1827  }
1828 }
1829 
1830 /***** GROUP TESTS *****/
1831 
1832 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
1833  CHECK(a->infinity == b->infinity);
1834  if (a->infinity) {
1835  return;
1836  }
1837  CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
1838  CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
1839 }
1840 
1841 /* This compares jacobian points including their Z, not just their geometric meaning. */
1843  secp256k1_gej a2;
1844  secp256k1_gej b2;
1845  int ret = 1;
1846  ret &= a->infinity == b->infinity;
1847  if (ret && !a->infinity) {
1848  a2 = *a;
1849  b2 = *b;
1850  secp256k1_fe_normalize(&a2.x);
1851  secp256k1_fe_normalize(&a2.y);
1852  secp256k1_fe_normalize(&a2.z);
1853  secp256k1_fe_normalize(&b2.x);
1854  secp256k1_fe_normalize(&b2.y);
1855  secp256k1_fe_normalize(&b2.z);
1856  ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
1857  ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
1858  ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
1859  }
1860  return ret;
1861 }
1862 
1863 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
1864  secp256k1_fe z2s;
1865  secp256k1_fe u1, u2, s1, s2;
1866  CHECK(a->infinity == b->infinity);
1867  if (a->infinity) {
1868  return;
1869  }
1870  /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
1871  secp256k1_fe_sqr(&z2s, &b->z);
1872  secp256k1_fe_mul(&u1, &a->x, &z2s);
1873  u2 = b->x; secp256k1_fe_normalize_weak(&u2);
1874  secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
1875  s2 = b->y; secp256k1_fe_normalize_weak(&s2);
1876  CHECK(secp256k1_fe_equal_var(&u1, &u2));
1877  CHECK(secp256k1_fe_equal_var(&s1, &s2));
1878 }
1879 
1880 void test_ge(void) {
1881  int i, i1;
1882 #ifdef USE_ENDOMORPHISM
1883  int runs = 6;
1884 #else
1885  int runs = 4;
1886 #endif
1887  /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
1888  * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
1889  * All magnitudes are randomized.
1890  * All 17*17 combinations of points are added to each other, using all applicable methods.
1891  *
1892  * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well.
1893  */
1894  secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
1895  secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
1896  secp256k1_fe *zinv = (secp256k1_fe *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
1897  secp256k1_fe zf;
1898  secp256k1_fe zfi2, zfi3;
1899 
1900  secp256k1_gej_set_infinity(&gej[0]);
1901  secp256k1_ge_clear(&ge[0]);
1902  secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
1903  for (i = 0; i < runs; i++) {
1904  int j;
1905  secp256k1_ge g;
1907 #ifdef USE_ENDOMORPHISM
1908  if (i >= runs - 2) {
1909  secp256k1_ge_mul_lambda(&g, &ge[1]);
1910  }
1911  if (i >= runs - 1) {
1912  secp256k1_ge_mul_lambda(&g, &g);
1913  }
1914 #endif
1915  ge[1 + 4 * i] = g;
1916  ge[2 + 4 * i] = g;
1917  secp256k1_ge_neg(&ge[3 + 4 * i], &g);
1918  secp256k1_ge_neg(&ge[4 + 4 * i], &g);
1919  secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
1920  random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
1921  secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
1922  random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
1923  for (j = 0; j < 4; j++) {
1924  random_field_element_magnitude(&ge[1 + j + 4 * i].x);
1925  random_field_element_magnitude(&ge[1 + j + 4 * i].y);
1926  random_field_element_magnitude(&gej[1 + j + 4 * i].x);
1927  random_field_element_magnitude(&gej[1 + j + 4 * i].y);
1928  random_field_element_magnitude(&gej[1 + j + 4 * i].z);
1929  }
1930  }
1931 
1932  /* Compute z inverses. */
1933  {
1934  secp256k1_fe *zs = checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
1935  for (i = 0; i < 4 * runs + 1; i++) {
1936  if (i == 0) {
1937  /* The point at infinity does not have a meaningful z inverse. Any should do. */
1938  do {
1939  random_field_element_test(&zs[i]);
1940  } while(secp256k1_fe_is_zero(&zs[i]));
1941  } else {
1942  zs[i] = gej[i].z;
1943  }
1944  }
1945  secp256k1_fe_inv_all_var(zinv, zs, 4 * runs + 1);
1946  free(zs);
1947  }
1948 
1949  /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
1950  do {
1952  } while(secp256k1_fe_is_zero(&zf));
1954  secp256k1_fe_inv_var(&zfi3, &zf);
1955  secp256k1_fe_sqr(&zfi2, &zfi3);
1956  secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
1957 
1958  for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
1959  int i2;
1960  for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
1961  /* Compute reference result using gej + gej (var). */
1962  secp256k1_gej refj, resj;
1963  secp256k1_ge ref;
1964  secp256k1_fe zr;
1965  secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
1966  /* Check Z ratio. */
1967  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
1968  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
1969  CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
1970  }
1971  secp256k1_ge_set_gej_var(&ref, &refj);
1972 
1973  /* Test gej + ge with Z ratio result (var). */
1974  secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
1975  ge_equals_gej(&ref, &resj);
1976  if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
1977  secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
1978  CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
1979  }
1980 
1981  /* Test gej + ge (var, with additional Z factor). */
1982  {
1983  secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
1984  secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
1985  secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
1988  secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
1989  ge_equals_gej(&ref, &resj);
1990  }
1991 
1992  /* Test gej + ge (const). */
1993  if (i2 != 0) {
1994  /* secp256k1_gej_add_ge does not support its second argument being infinity. */
1995  secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
1996  ge_equals_gej(&ref, &resj);
1997  }
1998 
1999  /* Test doubling (var). */
2000  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
2001  secp256k1_fe zr2;
2002  /* Normal doubling with Z ratio result. */
2003  secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
2004  ge_equals_gej(&ref, &resj);
2005  /* Check Z ratio. */
2006  secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2007  CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2008  /* Normal doubling. */
2009  secp256k1_gej_double_var(&resj, &gej[i2], NULL);
2010  ge_equals_gej(&ref, &resj);
2011  }
2012 
2013  /* Test adding opposites. */
2014  if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2015  CHECK(secp256k1_ge_is_infinity(&ref));
2016  }
2017 
2018  /* Test adding infinity. */
2019  if (i1 == 0) {
2020  CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2021  CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2022  ge_equals_gej(&ref, &gej[i2]);
2023  }
2024  if (i2 == 0) {
2025  CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2026  CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2027  ge_equals_gej(&ref, &gej[i1]);
2028  }
2029  }
2030  }
2031 
2032  /* Test adding all points together in random order equals infinity. */
2033  {
2035  secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
2036  for (i = 0; i < 4 * runs + 1; i++) {
2037  gej_shuffled[i] = gej[i];
2038  }
2039  for (i = 0; i < 4 * runs + 1; i++) {
2040  int swap = i + secp256k1_rand_int(4 * runs + 1 - i);
2041  if (swap != i) {
2042  secp256k1_gej t = gej_shuffled[i];
2043  gej_shuffled[i] = gej_shuffled[swap];
2044  gej_shuffled[swap] = t;
2045  }
2046  }
2047  for (i = 0; i < 4 * runs + 1; i++) {
2048  secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
2049  }
2050  CHECK(secp256k1_gej_is_infinity(&sum));
2051  free(gej_shuffled);
2052  }
2053 
2054  /* Test batch gej -> ge conversion with and without known z ratios. */
2055  {
2056  secp256k1_fe *zr = (secp256k1_fe *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_fe));
2057  secp256k1_ge *ge_set_table = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2058  secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2059  for (i = 0; i < 4 * runs + 1; i++) {
2060  /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
2061  if (i < 4 * runs) {
2062  secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
2063  }
2064  }
2065  secp256k1_ge_set_table_gej_var(ge_set_table, gej, zr, 4 * runs + 1);
2066  secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1, &ctx->error_callback);
2067  for (i = 0; i < 4 * runs + 1; i++) {
2068  secp256k1_fe s;
2069  random_fe_non_zero(&s);
2070  secp256k1_gej_rescale(&gej[i], &s);
2071  ge_equals_gej(&ge_set_table[i], &gej[i]);
2072  ge_equals_gej(&ge_set_all[i], &gej[i]);
2073  }
2074  free(ge_set_table);
2075  free(ge_set_all);
2076  free(zr);
2077  }
2078 
2079  free(ge);
2080  free(gej);
2081  free(zinv);
2082 }
2083 
2085  /* The point of this test is to check that we can add two points
2086  * whose y-coordinates are negatives of each other but whose x
2087  * coordinates differ. If the x-coordinates were the same, these
2088  * points would be negatives of each other and their sum is
2089  * infinity. This is cool because it "covers up" any degeneracy
2090  * in the addition algorithm that would cause the xy coordinates
2091  * of the sum to be wrong (since infinity has no xy coordinates).
2092  * HOWEVER, if the x-coordinates are different, infinity is the
2093  * wrong answer, and such degeneracies are exposed. This is the
2094  * root of https://github.com/raven-core/secp256k1/issues/257
2095  * which this test is a regression test for.
2096  *
2097  * These points were generated in sage as
2098  * # secp256k1 params
2099  * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2100  * C = EllipticCurve ([F (0), F (7)])
2101  * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2102  * N = FiniteField(G.order())
2103  *
2104  * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2105  * x = polygen(N)
2106  * lam = (1 - x^3).roots()[1][0]
2107  *
2108  * # random "bad pair"
2109  * P = C.random_element()
2110  * Q = -int(lam) * P
2111  * print " P: %x %x" % P.xy()
2112  * print " Q: %x %x" % Q.xy()
2113  * print "P + Q: %x %x" % (P + Q).xy()
2114  */
2116  0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2117  0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2118  0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2119  0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2120  );
2122  0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2123  0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2124  0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2125  0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2126  );
2128  0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2129  0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2130  0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2131  0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2132  );
2133  secp256k1_ge b;
2134  secp256k1_gej resj;
2135  secp256k1_ge res;
2136  secp256k1_ge_set_gej(&b, &bj);
2137 
2138  secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2139  secp256k1_ge_set_gej(&res, &resj);
2140  ge_equals_gej(&res, &sumj);
2141 
2142  secp256k1_gej_add_ge(&resj, &aj, &b);
2143  secp256k1_ge_set_gej(&res, &resj);
2144  ge_equals_gej(&res, &sumj);
2145 
2146  secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2147  secp256k1_ge_set_gej(&res, &resj);
2148  ge_equals_gej(&res, &sumj);
2149 }
2150 
2151 void run_ge(void) {
2152  int i;
2153  for (i = 0; i < count * 32; i++) {
2154  test_ge();
2155  }
2157 }
2158 
2159 void test_ec_combine(void) {
2160  secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2161  secp256k1_pubkey data[6];
2162  const secp256k1_pubkey* d[6];
2163  secp256k1_pubkey sd;
2164  secp256k1_pubkey sd2;
2165  secp256k1_gej Qj;
2166  secp256k1_ge Q;
2167  int i;
2168  for (i = 1; i <= 6; i++) {
2169  secp256k1_scalar s;
2171  secp256k1_scalar_add(&sum, &sum, &s);
2172  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2173  secp256k1_ge_set_gej(&Q, &Qj);
2174  secp256k1_pubkey_save(&data[i - 1], &Q);
2175  d[i - 1] = &data[i - 1];
2176  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2177  secp256k1_ge_set_gej(&Q, &Qj);
2178  secp256k1_pubkey_save(&sd, &Q);
2179  CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
2180  CHECK(memcmp(&sd, &sd2, sizeof(sd)) == 0);
2181  }
2182 }
2183 
2184 void run_ec_combine(void) {
2185  int i;
2186  for (i = 0; i < count * 8; i++) {
2187  test_ec_combine();
2188  }
2189 }
2190 
2192  /* The input itself, normalized. */
2193  secp256k1_fe fex = *x;
2194  secp256k1_fe fez;
2195  /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2196  secp256k1_ge ge_quad, ge_even, ge_odd;
2197  secp256k1_gej gej_quad;
2198  /* Return values of the above calls. */
2199  int res_quad, res_even, res_odd;
2200 
2201  secp256k1_fe_normalize_var(&fex);
2202 
2203  res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
2204  res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2205  res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2206 
2207  CHECK(res_quad == res_even);
2208  CHECK(res_quad == res_odd);
2209 
2210  if (res_quad) {
2211  secp256k1_fe_normalize_var(&ge_quad.x);
2212  secp256k1_fe_normalize_var(&ge_odd.x);
2213  secp256k1_fe_normalize_var(&ge_even.x);
2214  secp256k1_fe_normalize_var(&ge_quad.y);
2215  secp256k1_fe_normalize_var(&ge_odd.y);
2216  secp256k1_fe_normalize_var(&ge_even.y);
2217 
2218  /* No infinity allowed. */
2219  CHECK(!ge_quad.infinity);
2220  CHECK(!ge_even.infinity);
2221  CHECK(!ge_odd.infinity);
2222 
2223  /* Check that the x coordinates check out. */
2224  CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2225  CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2226  CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2227 
2228  /* Check that the Y coordinate result in ge_quad is a square. */
2229  CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
2230 
2231  /* Check odd/even Y in ge_odd, ge_even. */
2232  CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2233  CHECK(!secp256k1_fe_is_odd(&ge_even.y));
2234 
2235  /* Check secp256k1_gej_has_quad_y_var. */
2236  secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2237  CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2238  do {
2239  random_fe_test(&fez);
2240  } while (secp256k1_fe_is_zero(&fez));
2241  secp256k1_gej_rescale(&gej_quad, &fez);
2242  CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2243  secp256k1_gej_neg(&gej_quad, &gej_quad);
2244  CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2245  do {
2246  random_fe_test(&fez);
2247  } while (secp256k1_fe_is_zero(&fez));
2248  secp256k1_gej_rescale(&gej_quad, &fez);
2249  CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2250  secp256k1_gej_neg(&gej_quad, &gej_quad);
2251  CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2252  }
2253 }
2254 
2256  int i;
2257  for (i = 0; i < count * 4; i++) {
2258  secp256k1_fe fe;
2259  random_fe_test(&fe);
2260  test_group_decompress(&fe);
2261  }
2262 }
2263 
2264 /***** ECMULT TESTS *****/
2265 
2266 void run_ecmult_chain(void) {
2267  /* random starting point A (on the curve) */
2269  0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2270  0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2271  0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2272  0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2273  );
2274  /* two random initial factors xn and gn */
2276  0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2277  0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2278  );
2280  0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2281  0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2282  );
2283  /* two small multipliers to be applied to xn and gn in every iteration: */
2284  static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2285  static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
2286  /* accumulators with the resulting coefficients to A and G */
2287  secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2288  secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2289  /* actual points */
2290  secp256k1_gej x;
2291  secp256k1_gej x2;
2292  int i;
2293 
2294  /* the point being computed */
2295  x = a;
2296  for (i = 0; i < 200*count; i++) {
2297  /* in each iteration, compute X = xn*X + gn*G; */
2298  secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
2299  /* also compute ae and ge: the actual accumulated factors for A and G */
2300  /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
2301  secp256k1_scalar_mul(&ae, &ae, &xn);
2302  secp256k1_scalar_mul(&ge, &ge, &xn);
2303  secp256k1_scalar_add(&ge, &ge, &gn);
2304  /* modify xn and gn */
2305  secp256k1_scalar_mul(&xn, &xn, &xf);
2306  secp256k1_scalar_mul(&gn, &gn, &gf);
2307 
2308  /* verify */
2309  if (i == 19999) {
2310  /* expected result after 19999 iterations */
2312  0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2313  0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2314  0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2315  0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2316  );
2317 
2318  secp256k1_gej_neg(&rp, &rp);
2319  secp256k1_gej_add_var(&rp, &rp, &x, NULL);
2320  CHECK(secp256k1_gej_is_infinity(&rp));
2321  }
2322  }
2323  /* redo the computation, but directly with the resulting ae and ge coefficients: */
2324  secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
2325  secp256k1_gej_neg(&x2, &x2);
2326  secp256k1_gej_add_var(&x2, &x2, &x, NULL);
2327  CHECK(secp256k1_gej_is_infinity(&x2));
2328 }
2329 
2331  /* X * (point + G) + (order-X) * (pointer + G) = 0 */
2332  secp256k1_scalar x;
2333  secp256k1_scalar nx;
2334  secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2335  secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2336  secp256k1_gej res1, res2;
2337  secp256k1_ge res3;
2338  unsigned char pub[65];
2339  size_t psize = 65;
2341  secp256k1_scalar_negate(&nx, &x);
2342  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2343  secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
2344  secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
2345  CHECK(secp256k1_gej_is_infinity(&res1));
2346  CHECK(secp256k1_gej_is_valid_var(&res1) == 0);
2347  secp256k1_ge_set_gej(&res3, &res1);
2348  CHECK(secp256k1_ge_is_infinity(&res3));
2349  CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
2350  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
2351  psize = 65;
2352  CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
2353  /* check zero/one edge cases */
2354  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2355  secp256k1_ge_set_gej(&res3, &res1);
2356  CHECK(secp256k1_ge_is_infinity(&res3));
2357  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2358  secp256k1_ge_set_gej(&res3, &res1);
2359  ge_equals_gej(&res3, point);
2360  secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2361  secp256k1_ge_set_gej(&res3, &res1);
2362  ge_equals_ge(&res3, &secp256k1_ge_const_g);
2363 }
2364 
2366  int i;
2367  secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2368  static const secp256k1_fe xr = SECP256K1_FE_CONST(
2369  0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2370  0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2371  );
2372  for (i = 0; i < 500; i++) {
2373  secp256k1_ge p;
2374  if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
2375  secp256k1_gej j;
2376  CHECK(secp256k1_ge_is_valid_var(&p));
2377  secp256k1_gej_set_ge(&j, &p);
2378  CHECK(secp256k1_gej_is_valid_var(&j));
2380  }
2381  secp256k1_fe_sqr(&x, &x);
2382  }
2383  secp256k1_fe_normalize_var(&x);
2384  CHECK(secp256k1_fe_equal_var(&x, &xr));
2385 }
2386 
2388  /* random starting point A (on the curve) */
2390  0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2391  0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2392  0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2393  0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2394  );
2395  /* random initial factor xn */
2397  0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2398  0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2399  );
2400  /* expected xn * A (from sage) */
2401  secp256k1_ge expected_b = SECP256K1_GE_CONST(
2402  0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2403  0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2404  0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2405  0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2406  );
2407  secp256k1_gej b;
2408  secp256k1_ecmult_const(&b, &a, &xn);
2409 
2410  CHECK(secp256k1_ge_is_valid_var(&a));
2411  ge_equals_gej(&expected_b, &b);
2412 }
2413 
2415  secp256k1_scalar a;
2416  secp256k1_scalar b;
2417  secp256k1_gej res1;
2418  secp256k1_gej res2;
2419  secp256k1_ge mid1;
2420  secp256k1_ge mid2;
2423 
2424  secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a);
2425  secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b);
2426  secp256k1_ge_set_gej(&mid1, &res1);
2427  secp256k1_ge_set_gej(&mid2, &res2);
2428  secp256k1_ecmult_const(&res1, &mid1, &b);
2429  secp256k1_ecmult_const(&res2, &mid2, &a);
2430  secp256k1_ge_set_gej(&mid1, &res1);
2431  secp256k1_ge_set_gej(&mid2, &res2);
2432  ge_equals_ge(&mid1, &mid2);
2433 }
2434 
2436  secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2437  secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2438  secp256k1_scalar negone;
2439  secp256k1_gej res1;
2440  secp256k1_ge res2;
2441  secp256k1_ge point;
2442  secp256k1_scalar_negate(&negone, &one);
2443 
2444  random_group_element_test(&point);
2445  secp256k1_ecmult_const(&res1, &point, &zero);
2446  secp256k1_ge_set_gej(&res2, &res1);
2447  CHECK(secp256k1_ge_is_infinity(&res2));
2448  secp256k1_ecmult_const(&res1, &point, &one);
2449  secp256k1_ge_set_gej(&res2, &res1);
2450  ge_equals_ge(&res2, &point);
2451  secp256k1_ecmult_const(&res1, &point, &negone);
2452  secp256k1_gej_neg(&res1, &res1);
2453  secp256k1_ge_set_gej(&res2, &res1);
2454  ge_equals_ge(&res2, &point);
2455 }
2456 
2458  /* Check known result (randomly generated test problem from sage) */
2460  0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2461  0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2462  );
2463  const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
2464  0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2465  0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2466  0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2467  0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2468  );
2469  secp256k1_gej point;
2470  secp256k1_ge res;
2471  int i;
2472 
2473  secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2474  for (i = 0; i < 100; ++i) {
2475  secp256k1_ge tmp;
2476  secp256k1_ge_set_gej(&tmp, &point);
2477  secp256k1_ecmult_const(&point, &tmp, &scalar);
2478  }
2479  secp256k1_ge_set_gej(&res, &point);
2480  ge_equals_gej(&res, &expected_point);
2481 }
2482 
2488 }
2489 
2490 void test_wnaf(const secp256k1_scalar *number, int w) {
2491  secp256k1_scalar x, two, t;
2492  int wnaf[256];
2493  int zeroes = -1;
2494  int i;
2495  int bits;
2496  secp256k1_scalar_set_int(&x, 0);
2497  secp256k1_scalar_set_int(&two, 2);
2498  bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
2499  CHECK(bits <= 256);
2500  for (i = bits-1; i >= 0; i--) {
2501  int v = wnaf[i];
2502  secp256k1_scalar_mul(&x, &x, &two);
2503  if (v) {
2504  CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
2505  zeroes=0;
2506  CHECK((v & 1) == 1); /* check non-zero elements are odd */
2507  CHECK(v <= (1 << (w-1)) - 1); /* check range below */
2508  CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
2509  } else {
2510  CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
2511  zeroes++;
2512  }
2513  if (v >= 0) {
2514  secp256k1_scalar_set_int(&t, v);
2515  } else {
2516  secp256k1_scalar_set_int(&t, -v);
2517  secp256k1_scalar_negate(&t, &t);
2518  }
2519  secp256k1_scalar_add(&x, &x, &t);
2520  }
2521  CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
2522 }
2523 
2525  secp256k1_scalar neg1 = *number;
2526  secp256k1_scalar neg2 = *number;
2527  int sign1 = 1;
2528  int sign2 = 1;
2529 
2530  if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
2531  secp256k1_scalar_negate(&neg1, &neg1);
2532  sign1 = -1;
2533  }
2534  sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
2535  CHECK(sign1 == sign2);
2536  CHECK(secp256k1_scalar_eq(&neg1, &neg2));
2537 }
2538 
2539 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
2540  secp256k1_scalar x, shift;
2541  int wnaf[256] = {0};
2542  int i;
2543  int skew;
2544  secp256k1_scalar num = *number;
2545 
2546  secp256k1_scalar_set_int(&x, 0);
2547  secp256k1_scalar_set_int(&shift, 1 << w);
2548  /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
2549 #ifdef USE_ENDOMORPHISM
2550  for (i = 0; i < 16; ++i) {
2551  secp256k1_scalar_shr_int(&num, 8);
2552  }
2553 #endif
2554  skew = secp256k1_wnaf_const(wnaf, num, w);
2555 
2556  for (i = WNAF_SIZE(w); i >= 0; --i) {
2557  secp256k1_scalar t;
2558  int v = wnaf[i];
2559  CHECK(v != 0); /* check nonzero */
2560  CHECK(v & 1); /* check parity */
2561  CHECK(v > -(1 << w)); /* check range above */
2562  CHECK(v < (1 << w)); /* check range below */
2563 
2564  secp256k1_scalar_mul(&x, &x, &shift);
2565  if (v >= 0) {
2566  secp256k1_scalar_set_int(&t, v);
2567  } else {
2568  secp256k1_scalar_set_int(&t, -v);
2569  secp256k1_scalar_negate(&t, &t);
2570  }
2571  secp256k1_scalar_add(&x, &x, &t);
2572  }
2573  /* Skew num because when encoding numbers as odd we use an offset */
2574  secp256k1_scalar_cadd_bit(&num, skew == 2, 1);
2575  CHECK(secp256k1_scalar_eq(&x, &num));
2576 }
2577 
2578 void run_wnaf(void) {
2579  int i;
2580  secp256k1_scalar n = {{0}};
2581 
2582  /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
2583  * have easier-to-diagnose failure modes */
2584  n.d[0] = 1;
2585  test_constant_wnaf(&n, 4);
2586  n.d[0] = 2;
2587  test_constant_wnaf(&n, 4);
2588  /* Random tests */
2589  for (i = 0; i < count; i++) {
2590  random_scalar_order(&n);
2591  test_wnaf(&n, 4+(i%10));
2593  test_constant_wnaf(&n, 4 + (i % 10));
2594  }
2595  secp256k1_scalar_set_int(&n, 0);
2596  CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
2597  CHECK(secp256k1_scalar_is_zero(&n));
2598  CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
2599  CHECK(secp256k1_scalar_is_zero(&n));
2600 }
2601 
2603  /* Test ecmult_gen() for [0..36) and [order-36..0). */
2604  secp256k1_scalar x;
2605  secp256k1_gej r;
2606  secp256k1_ge ng;
2607  int i;
2608  int j;
2609  secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
2610  for (i = 0; i < 36; i++ ) {
2611  secp256k1_scalar_set_int(&x, i);
2612  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
2613  for (j = 0; j < i; j++) {
2614  if (j == i - 1) {
2615  ge_equals_gej(&secp256k1_ge_const_g, &r);
2616  }
2617  secp256k1_gej_add_ge(&r, &r, &ng);
2618  }
2619  CHECK(secp256k1_gej_is_infinity(&r));
2620  }
2621  for (i = 1; i <= 36; i++ ) {
2622  secp256k1_scalar_set_int(&x, i);
2623  secp256k1_scalar_negate(&x, &x);
2624  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
2625  for (j = 0; j < i; j++) {
2626  if (j == i - 1) {
2627  ge_equals_gej(&ng, &r);
2628  }
2629  secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
2630  }
2631  CHECK(secp256k1_gej_is_infinity(&r));
2632  }
2633 }
2634 
2637 }
2638 
2640  /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
2641  secp256k1_scalar key;
2642  secp256k1_scalar b;
2643  unsigned char seed32[32];
2644  secp256k1_gej pgej;
2645  secp256k1_gej pgej2;
2646  secp256k1_gej i;
2647  secp256k1_ge pge;
2649  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
2650  secp256k1_rand256(seed32);
2651  b = ctx->ecmult_gen_ctx.blind;
2652  i = ctx->ecmult_gen_ctx.initial;
2653  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
2654  CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
2655  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
2656  CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
2658  secp256k1_ge_set_gej(&pge, &pgej);
2659  ge_equals_gej(&pge, &pgej2);
2660 }
2661 
2663  /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
2664  secp256k1_scalar b;
2665  secp256k1_gej initial;
2666  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
2667  b = ctx->ecmult_gen_ctx.blind;
2668  initial = ctx->ecmult_gen_ctx.initial;
2669  secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
2670  CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
2671  CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
2672 }
2673 
2675  int i;
2677  for (i = 0; i < 10; i++) {
2679  }
2680 }
2681 
2682 #ifdef USE_ENDOMORPHISM
2683 /***** ENDOMORPHISH TESTS *****/
2684 void test_scalar_split(void) {
2685  secp256k1_scalar full;
2686  secp256k1_scalar s1, slam;
2687  const unsigned char zero[32] = {0};
2688  unsigned char tmp[32];
2689 
2690  random_scalar_order_test(&full);
2691  secp256k1_scalar_split_lambda(&s1, &slam, &full);
2692 
2693  /* check that both are <= 128 bits in size */
2694  if (secp256k1_scalar_is_high(&s1)) {
2695  secp256k1_scalar_negate(&s1, &s1);
2696  }
2697  if (secp256k1_scalar_is_high(&slam)) {
2698  secp256k1_scalar_negate(&slam, &slam);
2699  }
2700 
2701  secp256k1_scalar_get_b32(tmp, &s1);
2702  CHECK(memcmp(zero, tmp, 16) == 0);
2703  secp256k1_scalar_get_b32(tmp, &slam);
2704  CHECK(memcmp(zero, tmp, 16) == 0);
2705 }
2706 
2707 void run_endomorphism_tests(void) {
2708  test_scalar_split();
2709 }
2710 #endif
2711 
2712 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
2713  unsigned char pubkeyc[65];
2714  secp256k1_pubkey pubkey;
2715  secp256k1_ge ge;
2716  size_t pubkeyclen;
2717  int32_t ecount;
2718  ecount = 0;
2719  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
2720  for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
2721  /* Smaller sizes are tested exhaustively elsewhere. */
2722  int32_t i;
2723  memcpy(&pubkeyc[1], input, 64);
2724  VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
2725  for (i = 0; i < 256; i++) {
2726  /* Try all type bytes. */
2727  int xpass;
2728  int ypass;
2729  int ysign;
2730  pubkeyc[0] = i;
2731  /* What sign does this point have? */
2732  ysign = (input[63] & 1) + 2;
2733  /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
2734  xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
2735  /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
2736  ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
2737  ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
2738  if (xpass || ypass) {
2739  /* These cases must parse. */
2740  unsigned char pubkeyo[65];
2741  size_t outl;
2742  memset(&pubkey, 0, sizeof(pubkey));
2743  VG_UNDEF(&pubkey, sizeof(pubkey));
2744  ecount = 0;
2745  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
2746  VG_CHECK(&pubkey, sizeof(pubkey));
2747  outl = 65;
2748  VG_UNDEF(pubkeyo, 65);
2749  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
2750  VG_CHECK(pubkeyo, outl);
2751  CHECK(outl == 33);
2752  CHECK(memcmp(&pubkeyo[1], &pubkeyc[1], 32) == 0);
2753  CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
2754  if (ypass) {
2755  /* This test isn't always done because we decode with alternative signs, so the y won't match. */
2756  CHECK(pubkeyo[0] == ysign);
2757  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
2758  memset(&pubkey, 0, sizeof(pubkey));
2759  VG_UNDEF(&pubkey, sizeof(pubkey));
2760  secp256k1_pubkey_save(&pubkey, &ge);
2761  VG_CHECK(&pubkey, sizeof(pubkey));
2762  outl = 65;
2763  VG_UNDEF(pubkeyo, 65);
2764  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
2765  VG_CHECK(pubkeyo, outl);
2766  CHECK(outl == 65);
2767  CHECK(pubkeyo[0] == 4);
2768  CHECK(memcmp(&pubkeyo[1], input, 64) == 0);
2769  }
2770  CHECK(ecount == 0);
2771  } else {
2772  /* These cases must fail to parse. */
2773  memset(&pubkey, 0xfe, sizeof(pubkey));
2774  ecount = 0;
2775  VG_UNDEF(&pubkey, sizeof(pubkey));
2776  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
2777  VG_CHECK(&pubkey, sizeof(pubkey));
2778  CHECK(ecount == 0);
2779  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
2780  CHECK(ecount == 1);
2781  }
2782  }
2783  }
2784  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
2785 }
2786 
2788 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
2789  const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
2790  {
2791  /* Point with leading and trailing zeros in x and y serialization. */
2792  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
2793  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2794  0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
2795  0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
2796  },
2797  {
2798  /* Point with x equal to a 3rd root of unity.*/
2799  0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
2800  0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
2801  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
2802  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
2803  },
2804  {
2805  /* Point with largest x. (1/2) */
2806  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2807  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
2808  0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
2809  0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
2810  },
2811  {
2812  /* Point with largest x. (2/2) */
2813  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2814  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
2815  0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
2816  0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
2817  },
2818  {
2819  /* Point with smallest x. (1/2) */
2820  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2821  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2822  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
2823  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
2824  },
2825  {
2826  /* Point with smallest x. (2/2) */
2827  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2828  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2829  0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
2830  0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
2831  },
2832  {
2833  /* Point with largest y. (1/3) */
2834  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
2835  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
2836  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2837  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
2838  },
2839  {
2840  /* Point with largest y. (2/3) */
2841  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
2842  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
2843  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2844  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
2845  },
2846  {
2847  /* Point with largest y. (3/3) */
2848  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
2849  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
2850  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2851  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
2852  },
2853  {
2854  /* Point with smallest y. (1/3) */
2855  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
2856  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
2857  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2858  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2859  },
2860  {
2861  /* Point with smallest y. (2/3) */
2862  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
2863  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
2864  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2865  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2866  },
2867  {
2868  /* Point with smallest y. (3/3) */
2869  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
2870  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
2871  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2872  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
2873  }
2874  };
2875 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
2876  const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
2877  {
2878  /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
2879  0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
2880  0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
2881  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2882  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
2883  },
2884  {
2885  /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
2886  0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
2887  0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
2888  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2889  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
2890  },
2891  {
2892  /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
2893  0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
2894  0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
2895  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2896  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
2897  },
2898  {
2899  /* x on curve, y is from y^2 = x^3 + 8. */
2900  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2901  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2902  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2903  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
2904  }
2905  };
2906 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
2907  const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
2908  {
2909  /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
2910  0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
2911  0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
2912  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2913  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2914  },
2915  {
2916  /* Valid if x overflow ignored (x = 1 mod p). */
2917  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2918  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
2919  0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
2920  0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
2921  },
2922  {
2923  /* Valid if x overflow ignored (x = 1 mod p). */
2924  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2925  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
2926  0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
2927  0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
2928  },
2929  {
2930  /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
2931  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2932  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
2933  0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
2934  0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
2935  },
2936  {
2937  /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
2938  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2939  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
2940  0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
2941  0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
2942  },
2943  {
2944  /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
2945  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2946  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2947  0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
2948  0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
2949  },
2950  {
2951  /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
2952  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2953  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2954  0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
2955  0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
2956  }
2957  };
2958  const unsigned char pubkeyc[66] = {
2959  /* Serialization of G. */
2960  0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
2961  0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
2962  0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
2963  0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
2964  0xB8, 0x00
2965  };
2966  unsigned char sout[65];
2967  unsigned char shortkey[2];
2968  secp256k1_ge ge;
2969  secp256k1_pubkey pubkey;
2970  size_t len;
2971  int32_t i;
2972  int32_t ecount;
2973  int32_t ecount2;
2974  ecount = 0;
2975  /* Nothing should be reading this far into pubkeyc. */
2976  VG_UNDEF(&pubkeyc[65], 1);
2977  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
2978  /* Zero length claimed, fail, zeroize, no illegal arg error. */
2979  memset(&pubkey, 0xfe, sizeof(pubkey));
2980  ecount = 0;
2981  VG_UNDEF(shortkey, 2);
2982  VG_UNDEF(&pubkey, sizeof(pubkey));
2983  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
2984  VG_CHECK(&pubkey, sizeof(pubkey));
2985  CHECK(ecount == 0);
2986  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
2987  CHECK(ecount == 1);
2988  /* Length one claimed, fail, zeroize, no illegal arg error. */
2989  for (i = 0; i < 256 ; i++) {
2990  memset(&pubkey, 0xfe, sizeof(pubkey));
2991  ecount = 0;
2992  shortkey[0] = i;
2993  VG_UNDEF(&shortkey[1], 1);
2994  VG_UNDEF(&pubkey, sizeof(pubkey));
2995  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
2996  VG_CHECK(&pubkey, sizeof(pubkey));
2997  CHECK(ecount == 0);
2998  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
2999  CHECK(ecount == 1);
3000  }
3001  /* Length two claimed, fail, zeroize, no illegal arg error. */
3002  for (i = 0; i < 65536 ; i++) {
3003  memset(&pubkey, 0xfe, sizeof(pubkey));
3004  ecount = 0;
3005  shortkey[0] = i & 255;
3006  shortkey[1] = i >> 8;
3007  VG_UNDEF(&pubkey, sizeof(pubkey));
3008  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
3009  VG_CHECK(&pubkey, sizeof(pubkey));
3010  CHECK(ecount == 0);
3011  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3012  CHECK(ecount == 1);
3013  }
3014  memset(&pubkey, 0xfe, sizeof(pubkey));
3015  ecount = 0;
3016  VG_UNDEF(&pubkey, sizeof(pubkey));
3017  /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
3018  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
3019  VG_CHECK(&pubkey, sizeof(pubkey));
3020  CHECK(ecount == 0);
3021  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3022  CHECK(ecount == 1);
3023  /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
3024  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
3025  CHECK(ecount == 2);
3026  /* NULL input string. Illegal arg and zeroize output. */
3027  memset(&pubkey, 0xfe, sizeof(pubkey));
3028  ecount = 0;
3029  VG_UNDEF(&pubkey, sizeof(pubkey));
3030  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
3031  VG_CHECK(&pubkey, sizeof(pubkey));
3032  CHECK(ecount == 1);
3033  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3034  CHECK(ecount == 2);
3035  /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
3036  memset(&pubkey, 0xfe, sizeof(pubkey));
3037  ecount = 0;
3038  VG_UNDEF(&pubkey, sizeof(pubkey));
3039  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
3040  VG_CHECK(&pubkey, sizeof(pubkey));
3041  CHECK(ecount == 0);
3042  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3043  CHECK(ecount == 1);
3044  /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
3045  memset(&pubkey, 0xfe, sizeof(pubkey));
3046  ecount = 0;
3047  VG_UNDEF(&pubkey, sizeof(pubkey));
3048  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
3049  VG_CHECK(&pubkey, sizeof(pubkey));
3050  CHECK(ecount == 0);
3051  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3052  CHECK(ecount == 1);
3053  /* Valid parse. */
3054  memset(&pubkey, 0, sizeof(pubkey));
3055  ecount = 0;
3056  VG_UNDEF(&pubkey, sizeof(pubkey));
3057  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
3058  VG_CHECK(&pubkey, sizeof(pubkey));
3059  CHECK(ecount == 0);
3060  VG_UNDEF(&ge, sizeof(ge));
3061  CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3062  VG_CHECK(&ge.x, sizeof(ge.x));
3063  VG_CHECK(&ge.y, sizeof(ge.y));
3064  VG_CHECK(&ge.infinity, sizeof(ge.infinity));
3065  ge_equals_ge(&secp256k1_ge_const_g, &ge);
3066  CHECK(ecount == 0);
3067  /* secp256k1_ec_pubkey_serialize illegal args. */
3068  ecount = 0;
3069  len = 65;
3070  CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3071  CHECK(ecount == 1);
3072  CHECK(len == 0);
3073  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3074  CHECK(ecount == 2);
3075  len = 65;
3076  VG_UNDEF(sout, 65);
3077  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
3078  VG_CHECK(sout, 65);
3079  CHECK(ecount == 3);
3080  CHECK(len == 0);
3081  len = 65;
3082  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
3083  CHECK(ecount == 4);
3084  CHECK(len == 0);
3085  len = 65;
3086  VG_UNDEF(sout, 65);
3087  CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3088  VG_CHECK(sout, 65);
3089  CHECK(ecount == 4);
3090  CHECK(len == 65);
3091  /* Multiple illegal args. Should still set arg error only once. */
3092  ecount = 0;
3093  ecount2 = 11;
3094  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3095  CHECK(ecount == 1);
3096  /* Does the illegal arg callback actually change the behavior? */
3097  secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
3098  CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3099  CHECK(ecount == 1);
3100  CHECK(ecount2 == 10);
3101  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3102  /* Try a bunch of prefabbed points with all possible encodings. */
3103  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
3104  ec_pubkey_parse_pointtest(valid[i], 1, 1);
3105  }
3106  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
3107  ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
3108  }
3109  for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
3110  ec_pubkey_parse_pointtest(invalid[i], 0, 0);
3111  }
3112 }
3113 
3115  const unsigned char orderc[32] = {
3116  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3117  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3118  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3119  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
3120  };
3121  const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
3122  unsigned char ctmp[33];
3123  unsigned char ctmp2[33];
3124  secp256k1_pubkey pubkey;
3125  secp256k1_pubkey pubkey2;
3126  secp256k1_pubkey pubkey_one;
3127  secp256k1_pubkey pubkey_negone;
3128  const secp256k1_pubkey *pubkeys[3];
3129  size_t len;
3130  int32_t ecount;
3131  /* Group order is too large, reject. */
3132  CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
3133  VG_UNDEF(&pubkey, sizeof(pubkey));
3134  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
3135  VG_CHECK(&pubkey, sizeof(pubkey));
3136  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3137  /* Maximum value is too large, reject. */
3138  memset(ctmp, 255, 32);
3139  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3140  memset(&pubkey, 1, sizeof(pubkey));
3141  VG_UNDEF(&pubkey, sizeof(pubkey));
3142  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3143  VG_CHECK(&pubkey, sizeof(pubkey));
3144  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3145  /* Zero is too small, reject. */
3146  memset(ctmp, 0, 32);
3147  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3148  memset(&pubkey, 1, sizeof(pubkey));
3149  VG_UNDEF(&pubkey, sizeof(pubkey));
3150  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3151  VG_CHECK(&pubkey, sizeof(pubkey));
3152  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3153  /* One must be accepted. */
3154  ctmp[31] = 0x01;
3155  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3156  memset(&pubkey, 0, sizeof(pubkey));
3157  VG_UNDEF(&pubkey, sizeof(pubkey));
3158  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3159  VG_CHECK(&pubkey, sizeof(pubkey));
3160  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3161  pubkey_one = pubkey;
3162  /* Group order + 1 is too large, reject. */
3163  memcpy(ctmp, orderc, 32);
3164  ctmp[31] = 0x42;
3165  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3166  memset(&pubkey, 1, sizeof(pubkey));
3167  VG_UNDEF(&pubkey, sizeof(pubkey));
3168  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3169  VG_CHECK(&pubkey, sizeof(pubkey));
3170  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3171  /* -1 must be accepted. */
3172  ctmp[31] = 0x40;
3173  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3174  memset(&pubkey, 0, sizeof(pubkey));
3175  VG_UNDEF(&pubkey, sizeof(pubkey));
3176  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3177  VG_CHECK(&pubkey, sizeof(pubkey));
3178  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3179  pubkey_negone = pubkey;
3180  /* Tweak of zero leaves the value changed. */
3181  memset(ctmp2, 0, 32);
3182  CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, ctmp2) == 1);
3183  CHECK(memcmp(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
3184  memcpy(&pubkey2, &pubkey, sizeof(pubkey));
3185  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3186  CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3187  /* Multiply tweak of zero zeroizes the output. */
3188  CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, ctmp2) == 0);
3189  CHECK(memcmp(zeros, ctmp, 32) == 0);
3190  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
3191  CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3192  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3193  /* Overflowing key tweak zeroizes. */
3194  memcpy(ctmp, orderc, 32);
3195  ctmp[31] = 0x40;
3196  CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, orderc) == 0);
3197  CHECK(memcmp(zeros, ctmp, 32) == 0);
3198  memcpy(ctmp, orderc, 32);
3199  ctmp[31] = 0x40;
3200  CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, orderc) == 0);
3201  CHECK(memcmp(zeros, ctmp, 32) == 0);
3202  memcpy(ctmp, orderc, 32);
3203  ctmp[31] = 0x40;
3204  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
3205  CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3206  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3207  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
3208  CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3209  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3210  /* Private key tweaks results in a key of zero. */
3211  ctmp2[31] = 1;
3212  CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 0);
3213  CHECK(memcmp(zeros, ctmp2, 32) == 0);
3214  ctmp2[31] = 1;
3215  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3216  CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3217  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3218  /* Tweak computation wraps and results in a key of 1. */
3219  ctmp2[31] = 2;
3220  CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 1);
3221  CHECK(memcmp(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
3222  ctmp2[31] = 2;
3223  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3224  ctmp2[31] = 1;
3225  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
3226  CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3227  /* Tweak mul * 2 = 1+1. */
3228  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3229  ctmp2[31] = 2;
3230  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
3231  CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3232  /* Test argument errors. */
3233  ecount = 0;
3234  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3235  CHECK(ecount == 0);
3236  /* Zeroize pubkey on parse error. */
3237  memset(&pubkey, 0, 32);
3238  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3239  CHECK(ecount == 1);
3240  CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3241  memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3242  memset(&pubkey2, 0, 32);
3243  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
3244  CHECK(ecount == 2);
3245  CHECK(memcmp(&pubkey2, zeros, sizeof(pubkey2)) == 0);
3246  /* Plain argument errors. */
3247  ecount = 0;
3248  CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3249  CHECK(ecount == 0);
3250  CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
3251  CHECK(ecount == 1);
3252  ecount = 0;
3253  memset(ctmp2, 0, 32);
3254  ctmp2[31] = 4;
3255  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
3256  CHECK(ecount == 1);
3257  CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
3258  CHECK(ecount == 2);
3259  ecount = 0;
3260  memset(ctmp2, 0, 32);
3261  ctmp2[31] = 4;
3262  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3263  CHECK(ecount == 1);
3264  CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
3265  CHECK(ecount == 2);
3266  ecount = 0;
3267  memset(ctmp2, 0, 32);
3268  CHECK(secp256k1_ec_privkey_tweak_add(ctx, NULL, ctmp2) == 0);
3269  CHECK(ecount == 1);
3270  CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, NULL) == 0);
3271  CHECK(ecount == 2);
3272  ecount = 0;
3273  memset(ctmp2, 0, 32);
3274  ctmp2[31] = 1;
3275  CHECK(secp256k1_ec_privkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3276  CHECK(ecount == 1);
3277  CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, NULL) == 0);
3278  CHECK(ecount == 2);
3279  ecount = 0;
3280  CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
3281  CHECK(ecount == 1);
3282  memset(&pubkey, 1, sizeof(pubkey));
3283  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
3284  CHECK(ecount == 2);
3285  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3286  /* secp256k1_ec_pubkey_combine tests. */
3287  ecount = 0;
3288  pubkeys[0] = &pubkey_one;
3289  VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
3290  VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
3291  VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
3292  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3293  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3294  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
3295  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3296  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3297  CHECK(ecount == 1);
3298  CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
3299  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3300  CHECK(ecount == 2);
3301  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3302  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3303  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
3304  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3305  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3306  CHECK(ecount == 3);
3307  pubkeys[0] = &pubkey_negone;
3308  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3309  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3310  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
3311  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3312  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3313  CHECK(ecount == 3);
3314  len = 33;
3315  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3316  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
3317  CHECK(memcmp(ctmp, ctmp2, 33) == 0);
3318  /* Result is infinity. */
3319  pubkeys[0] = &pubkey_one;
3320  pubkeys[1] = &pubkey_negone;
3321  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3322  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3323  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
3324  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3325  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3326  CHECK(ecount == 3);
3327  /* Passes through infinity but comes out one. */
3328  pubkeys[2] = &pubkey_one;
3329  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3330  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3331  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
3332  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3333  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3334  CHECK(ecount == 3);
3335  len = 33;
3336  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3337  CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
3338  CHECK(memcmp(ctmp, ctmp2, 33) == 0);
3339  /* Adds to two. */
3340  pubkeys[1] = &pubkey_one;
3341  memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3342  VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3343  CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
3344  VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3345  CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3346  CHECK(ecount == 3);
3347  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3348 }
3349 
3350 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
3351  secp256k1_scalar nonce;
3352  do {
3353  random_scalar_order_test(&nonce);
3354  } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
3355 }
3356 
3358  secp256k1_gej pubj;
3359  secp256k1_ge pub;
3360  secp256k1_scalar one;
3361  secp256k1_scalar msg, key;
3362  secp256k1_scalar sigr, sigs;
3363  int recid;
3364  int getrec;
3367  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
3368  secp256k1_ge_set_gej(&pub, &pubj);
3369  getrec = secp256k1_rand_bits(1);
3370  random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
3371  if (getrec) {
3372  CHECK(recid >= 0 && recid < 4);
3373  }
3374  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
3375  secp256k1_scalar_set_int(&one, 1);
3376  secp256k1_scalar_add(&msg, &msg, &one);
3377  CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
3378 }
3379 
3381  int i;
3382  for (i = 0; i < 10*count; i++) {
3384  }
3385 }
3386 
3388 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3389  (void)msg32;
3390  (void)key32;
3391  (void)algo16;
3392  memcpy(nonce32, data, 32);
3393  return (counter == 0);
3394 }
3395 
3396 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3397  /* Dummy nonce generator that has a fatal error on the first counter value. */
3398  if (counter == 0) {
3399  return 0;
3400  }
3401  return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
3402 }
3403 
3404 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3405  /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
3406  if (counter < 3) {
3407  memset(nonce32, counter==0 ? 0 : 255, 32);
3408  if (counter == 2) {
3409  nonce32[31]--;
3410  }
3411  return 1;
3412  }
3413  if (counter < 5) {
3414  static const unsigned char order[] = {
3415  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
3416  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
3417  0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
3418  0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
3419  };
3420  memcpy(nonce32, order, 32);
3421  if (counter == 4) {
3422  nonce32[31]++;
3423  }
3424  return 1;
3425  }
3426  /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
3427  /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
3428  if (counter > 5) {
3429  return 0;
3430  }
3431  return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
3432 }
3433 
3435  static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
3436  return memcmp(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
3437 }
3438 
3440  unsigned char extra[32] = {0x00};
3441  unsigned char privkey[32];
3442  unsigned char message[32];
3443  unsigned char privkey2[32];
3444  secp256k1_ecdsa_signature signature[6];
3445  secp256k1_scalar r, s;
3446  unsigned char sig[74];
3447  size_t siglen = 74;
3448  unsigned char pubkeyc[65];
3449  size_t pubkeyclen = 65;
3450  secp256k1_pubkey pubkey;
3451  secp256k1_pubkey pubkey_tmp;
3452  unsigned char seckey[300];
3453  size_t seckeylen = 300;
3454 
3455  /* Generate a random key and message. */
3456  {
3457  secp256k1_scalar msg, key;
3460  secp256k1_scalar_get_b32(privkey, &key);
3461  secp256k1_scalar_get_b32(message, &msg);
3462  }
3463 
3464  /* Construct and verify corresponding public key. */
3465  CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
3466  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
3467 
3468  /* Verify exporting and importing public key. */
3469  CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_rand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
3470  memset(&pubkey, 0, sizeof(pubkey));
3471  CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3472 
3473  /* Verify negation changes the key and changes it back */
3474  memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
3475  CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
3476  CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
3477  CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
3478  CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
3479 
3480  /* Verify private key import and export. */
3481  CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_rand_bits(1) == 1));
3482  CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
3483  CHECK(memcmp(privkey, privkey2, 32) == 0);
3484 
3485  /* Optionally tweak the keys using addition. */
3486  if (secp256k1_rand_int(3) == 0) {
3487  int ret1;
3488  int ret2;
3489  unsigned char rnd[32];
3490  secp256k1_pubkey pubkey2;
3491  secp256k1_rand256_test(rnd);
3492  ret1 = secp256k1_ec_privkey_tweak_add(ctx, privkey, rnd);
3493  ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
3494  CHECK(ret1 == ret2);
3495  if (ret1 == 0) {
3496  return;
3497  }
3498  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
3499  CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3500  }
3501 
3502  /* Optionally tweak the keys using multiplication. */
3503  if (secp256k1_rand_int(3) == 0) {
3504  int ret1;
3505  int ret2;
3506  unsigned char rnd[32];
3507  secp256k1_pubkey pubkey2;
3508  secp256k1_rand256_test(rnd);
3509  ret1 = secp256k1_ec_privkey_tweak_mul(ctx, privkey, rnd);
3510  ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
3511  CHECK(ret1 == ret2);
3512  if (ret1 == 0) {
3513  return;
3514  }
3515  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
3516  CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3517  }
3518 
3519  /* Sign. */
3520  CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
3521  CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
3522  CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
3523  extra[31] = 1;
3524  CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
3525  extra[31] = 0;
3526  extra[0] = 1;
3527  CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
3528  CHECK(memcmp(&signature[0], &signature[4], sizeof(signature[0])) == 0);
3529  CHECK(memcmp(&signature[0], &signature[1], sizeof(signature[0])) != 0);
3530  CHECK(memcmp(&signature[0], &signature[2], sizeof(signature[0])) != 0);
3531  CHECK(memcmp(&signature[0], &signature[3], sizeof(signature[0])) != 0);
3532  CHECK(memcmp(&signature[1], &signature[2], sizeof(signature[0])) != 0);
3533  CHECK(memcmp(&signature[1], &signature[3], sizeof(signature[0])) != 0);
3534  CHECK(memcmp(&signature[2], &signature[3], sizeof(signature[0])) != 0);
3535  /* Verify. */
3536  CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
3537  CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
3538  CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
3539  CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
3540  /* Test lower-S form, malleate, verify and fail, test again, malleate again */
3541  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
3542  secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
3543  secp256k1_scalar_negate(&s, &s);
3544  secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
3545  CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
3546  CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
3547  CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
3548  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
3549  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
3550  CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
3551  secp256k1_scalar_negate(&s, &s);
3552  secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
3553  CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
3554  CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
3555  CHECK(memcmp(&signature[5], &signature[0], 64) == 0);
3556 
3557  /* Serialize/parse DER and verify again */
3558  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
3559  memset(&signature[0], 0, sizeof(signature[0]));
3560  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
3561  CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
3562  /* Serialize/destroy/parse DER and verify again. */
3563  siglen = 74;
3564  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
3565  sig[secp256k1_rand_int(siglen)] += 1 + secp256k1_rand_int(255);
3566  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
3567  secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
3568 }
3569 
3571  secp256k1_ge elem;
3572  secp256k1_ge elem2;
3573  unsigned char in[65];
3574  /* Generate some randomly sized pubkeys. */
3575  size_t len = secp256k1_rand_bits(2) == 0 ? 65 : 33;
3576  if (secp256k1_rand_bits(2) == 0) {
3577  len = secp256k1_rand_bits(6);
3578  }
3579  if (len == 65) {
3580  in[0] = secp256k1_rand_bits(1) ? 4 : (secp256k1_rand_bits(1) ? 6 : 7);
3581  } else {
3582  in[0] = secp256k1_rand_bits(1) ? 2 : 3;
3583  }
3584  if (secp256k1_rand_bits(3) == 0) {
3585  in[0] = secp256k1_rand_bits(8);
3586  }
3587  if (len > 1) {
3588  secp256k1_rand256(&in[1]);
3589  }
3590  if (len > 33) {
3591  secp256k1_rand256(&in[33]);
3592  }
3593  if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
3594  unsigned char out[65];
3595  unsigned char firstb;
3596  int res;
3597  size_t size = len;
3598  firstb = in[0];
3599  /* If the pubkey can be parsed, it should round-trip... */
3600  CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
3601  CHECK(size == len);
3602  CHECK(memcmp(&in[1], &out[1], len-1) == 0);
3603  /* ... except for the type of hybrid inputs. */
3604  if ((in[0] != 6) && (in[0] != 7)) {
3605  CHECK(in[0] == out[0]);
3606  }
3607  size = 65;
3608  CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
3609  CHECK(size == 65);
3610  CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
3611  ge_equals_ge(&elem,&elem2);
3612  /* Check that the X9.62 hybrid type is checked. */
3613  in[0] = secp256k1_rand_bits(1) ? 6 : 7;
3614  res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
3615  if (firstb == 2 || firstb == 3) {
3616  if (in[0] == firstb + 4) {
3617  CHECK(res);
3618  } else {
3619  CHECK(!res);
3620  }
3621  }
3622  if (res) {
3623  ge_equals_ge(&elem,&elem2);
3624  CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
3625  CHECK(memcmp(&in[1], &out[1], 64) == 0);
3626  }
3627  }
3628 }
3629 
3631  int i;
3632  for (i = 0; i < 10*count; i++) {
3634  }
3635 }
3636 
3638  int i;
3639  for (i = 0; i < 64*count; i++) {
3641  }
3642 }
3643 
3644 int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
3645  static const unsigned char zeroes[32] = {0};
3646 #ifdef ENABLE_OPENSSL_TESTS
3647  static const unsigned char max_scalar[32] = {
3648  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3649  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3650  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3651  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
3652  };
3653 #endif
3654 
3655  int ret = 0;
3656 
3657  secp256k1_ecdsa_signature sig_der;
3658  unsigned char roundtrip_der[2048];
3659  unsigned char compact_der[64];
3660  size_t len_der = 2048;
3661  int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
3662 
3663  secp256k1_ecdsa_signature sig_der_lax;
3664  unsigned char roundtrip_der_lax[2048];
3665  unsigned char compact_der_lax[64];
3666  size_t len_der_lax = 2048;
3667  int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
3668 
3669 #ifdef ENABLE_OPENSSL_TESTS
3670  ECDSA_SIG *sig_openssl;
3671  const unsigned char *sigptr;
3672  unsigned char roundtrip_openssl[2048];
3673  int len_openssl = 2048;
3674  int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
3675 #endif
3676 
3677  parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
3678  if (parsed_der) {
3679  ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
3680  valid_der = (memcmp(compact_der, zeroes, 32) != 0) && (memcmp(compact_der + 32, zeroes, 32) != 0);
3681  }
3682  if (valid_der) {
3683  ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
3684  roundtrips_der = (len_der == siglen) && memcmp(roundtrip_der, sig, siglen) == 0;
3685  }
3686 
3687  parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
3688  if (parsed_der_lax) {
3689  ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
3690  valid_der_lax = (memcmp(compact_der_lax, zeroes, 32) != 0) && (memcmp(compact_der_lax + 32, zeroes, 32) != 0);
3691  }
3692  if (valid_der_lax) {
3693  ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
3694  roundtrips_der_lax = (len_der_lax == siglen) && memcmp(roundtrip_der_lax, sig, siglen) == 0;
3695  }
3696 
3697  if (certainly_der) {
3698  ret |= (!parsed_der) << 2;
3699  }
3700  if (certainly_not_der) {
3701  ret |= (parsed_der) << 17;
3702  }
3703  if (valid_der) {
3704  ret |= (!roundtrips_der) << 3;
3705  }
3706 
3707  if (valid_der) {
3708  ret |= (!roundtrips_der_lax) << 12;
3709  ret |= (len_der != len_der_lax) << 13;
3710  ret |= (memcmp(roundtrip_der_lax, roundtrip_der, len_der) != 0) << 14;
3711  }
3712  ret |= (roundtrips_der != roundtrips_der_lax) << 15;
3713  if (parsed_der) {
3714  ret |= (!parsed_der_lax) << 16;
3715  }
3716 
3717 #ifdef ENABLE_OPENSSL_TESTS
3718  sig_openssl = ECDSA_SIG_new();
3719  sigptr = sig;
3720  parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
3721  if (parsed_openssl) {
3722  valid_openssl = !BN_is_negative(sig_openssl->r) && !BN_is_negative(sig_openssl->s) && BN_num_bits(sig_openssl->r) > 0 && BN_num_bits(sig_openssl->r) <= 256 && BN_num_bits(sig_openssl->s) > 0 && BN_num_bits(sig_openssl->s) <= 256;
3723  if (valid_openssl) {
3724  unsigned char tmp[32] = {0};
3725  BN_bn2bin(sig_openssl->r, tmp + 32 - BN_num_bytes(sig_openssl->r));
3726  valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
3727  }
3728  if (valid_openssl) {
3729  unsigned char tmp[32] = {0};
3730  BN_bn2bin(sig_openssl->s, tmp + 32 - BN_num_bytes(sig_openssl->s));
3731  valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
3732  }
3733  }
3734  len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
3735  if (len_openssl <= 2048) {
3736  unsigned char *ptr = roundtrip_openssl;
3737  CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
3738  roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (memcmp(roundtrip_openssl, sig, siglen) == 0);
3739  } else {
3740  len_openssl = 0;
3741  }
3742  ECDSA_SIG_free(sig_openssl);
3743 
3744  ret |= (parsed_der && !parsed_openssl) << 4;
3745  ret |= (valid_der && !valid_openssl) << 5;
3746  ret |= (roundtrips_openssl && !parsed_der) << 6;
3747  ret |= (roundtrips_der != roundtrips_openssl) << 7;
3748  if (roundtrips_openssl) {
3749  ret |= (len_der != (size_t)len_openssl) << 8;
3750  ret |= (memcmp(roundtrip_der, roundtrip_openssl, len_der) != 0) << 9;
3751  }
3752 #endif
3753  return ret;
3754 }
3755 
3756 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
3757  size_t i;
3758  for (i = 0; i < ptrlen; i++) {
3759  int shift = ptrlen - 1 - i;
3760  if (shift >= 4) {
3761  ptr[i] = 0;
3762  } else {
3763  ptr[i] = (val >> shift) & 0xFF;
3764  }
3765  }
3766 }
3767 
3768 static void damage_array(unsigned char *sig, size_t *len) {
3769  int pos;
3770  int action = secp256k1_rand_bits(3);
3771  if (action < 1 && *len > 3) {
3772  /* Delete a byte. */
3773  pos = secp256k1_rand_int(*len);
3774  memmove(sig + pos, sig + pos + 1, *len - pos - 1);
3775  (*len)--;
3776  return;
3777  } else if (action < 2 && *len < 2048) {
3778  /* Insert a byte. */
3779  pos = secp256k1_rand_int(1 + *len);
3780  memmove(sig + pos + 1, sig + pos, *len - pos);
3781  sig[pos] = secp256k1_rand_bits(8);
3782  (*len)++;
3783  return;
3784  } else if (action < 4) {
3785  /* Modify a byte. */
3786  sig[secp256k1_rand_int(*len)] += 1 + secp256k1_rand_int(255);
3787  return;
3788  } else { /* action < 8 */
3789  /* Modify a bit. */
3790  sig[secp256k1_rand_int(*len)] ^= 1 << secp256k1_rand_bits(3);
3791  return;
3792  }
3793 }
3794 
3795 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
3796  int der;
3797  int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
3798  size_t tlen, elen, glen;
3799  int indet;
3800  int n;
3801 
3802  *len = 0;
3803  der = secp256k1_rand_bits(2) == 0;
3804  *certainly_der = der;
3805  *certainly_not_der = 0;
3806  indet = der ? 0 : secp256k1_rand_int(10) == 0;
3807 
3808  for (n = 0; n < 2; n++) {
3809  /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
3810  nlow[n] = der ? 1 : (secp256k1_rand_bits(3) != 0);
3811  /* The length of the number in bytes (the first byte of which will always be nonzero) */
3812  nlen[n] = nlow[n] ? secp256k1_rand_int(33) : 32 + secp256k1_rand_int(200) * secp256k1_rand_int(8) / 8;
3813  CHECK(nlen[n] <= 232);
3814  /* The top bit of the number. */
3815  nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_rand_bits(1));
3816  /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
3817  nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_rand_bits(7) : 1 + secp256k1_rand_int(127));
3818  /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
3819  nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_rand_int(3) : secp256k1_rand_int(300 - nlen[n]) * secp256k1_rand_int(8) / 8);
3820  if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
3821  *certainly_not_der = 1;
3822  }
3823  CHECK(nlen[n] + nzlen[n] <= 300);
3824  /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
3825  nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
3826  if (!der) {
3827  /* nlenlen[n] max 127 bytes */
3828  int add = secp256k1_rand_int(127 - nlenlen[n]) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
3829  nlenlen[n] += add;
3830  if (add != 0) {
3831  *certainly_not_der = 1;
3832  }
3833  }
3834  CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
3835  }
3836 
3837  /* The total length of the data to go, so far */
3838  tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
3839  CHECK(tlen <= 856);
3840 
3841  /* The length of the garbage inside the tuple. */
3842  elen = (der || indet) ? 0 : secp256k1_rand_int(980 - tlen) * secp256k1_rand_int(8) / 8;
3843  if (elen != 0) {
3844  *certainly_not_der = 1;
3845  }
3846  tlen += elen;
3847  CHECK(tlen <= 980);
3848 
3849  /* The length of the garbage after the end of the tuple. */
3850  glen = der ? 0 : secp256k1_rand_int(990 - tlen) * secp256k1_rand_int(8) / 8;
3851  if (glen != 0) {
3852  *certainly_not_der = 1;
3853  }
3854  CHECK(tlen + glen <= 990);
3855 
3856  /* Write the tuple header. */
3857  sig[(*len)++] = 0x30;
3858  if (indet) {
3859  /* Indeterminate length */
3860  sig[(*len)++] = 0x80;
3861  *certainly_not_der = 1;
3862  } else {
3863  int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
3864  if (!der) {
3865  int add = secp256k1_rand_int(127 - tlenlen) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
3866  tlenlen += add;
3867  if (add != 0) {
3868  *certainly_not_der = 1;
3869  }
3870  }
3871  if (tlenlen == 0) {
3872  /* Short length notation */
3873  sig[(*len)++] = tlen;
3874  } else {
3875  /* Long length notation */
3876  sig[(*len)++] = 128 + tlenlen;
3877  assign_big_endian(sig + *len, tlenlen, tlen);
3878  *len += tlenlen;
3879  }
3880  tlen += tlenlen;
3881  }
3882  tlen += 2;
3883  CHECK(tlen + glen <= 1119);
3884 
3885  for (n = 0; n < 2; n++) {
3886  /* Write the integer header. */
3887  sig[(*len)++] = 0x02;
3888  if (nlenlen[n] == 0) {
3889  /* Short length notation */
3890  sig[(*len)++] = nlen[n] + nzlen[n];
3891  } else {
3892  /* Long length notation. */
3893  sig[(*len)++] = 128 + nlenlen[n];
3894  assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
3895  *len += nlenlen[n];
3896  }
3897  /* Write zero padding */
3898  while (nzlen[n] > 0) {
3899  sig[(*len)++] = 0x00;
3900  nzlen[n]--;
3901  }
3902  if (nlen[n] == 32 && !nlow[n]) {
3903  /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
3904  int i;
3905  for (i = 0; i < 16; i++) {
3906  sig[(*len)++] = 0xFF;
3907  }
3908  nlen[n] -= 16;
3909  }
3910  /* Write first byte of number */
3911  if (nlen[n] > 0) {
3912  sig[(*len)++] = nhbyte[n];
3913  nlen[n]--;
3914  }
3915  /* Generate remaining random bytes of number */
3916  secp256k1_rand_bytes_test(sig + *len, nlen[n]);
3917  *len += nlen[n];
3918  nlen[n] = 0;
3919  }
3920 
3921  /* Generate random garbage inside tuple. */
3922  secp256k1_rand_bytes_test(sig + *len, elen);
3923  *len += elen;
3924 
3925  /* Generate end-of-contents bytes. */
3926  if (indet) {
3927  sig[(*len)++] = 0;
3928  sig[(*len)++] = 0;
3929  tlen += 2;
3930  }
3931  CHECK(tlen + glen <= 1121);
3932 
3933  /* Generate random garbage outside tuple. */
3934  secp256k1_rand_bytes_test(sig + *len, glen);
3935  *len += glen;
3936  tlen += glen;
3937  CHECK(tlen <= 1121);
3938  CHECK(tlen == *len);
3939 }
3940 
3942  int i,j;
3943  for (i = 0; i < 200 * count; i++) {
3944  unsigned char buffer[2048];
3945  size_t buflen = 0;
3946  int certainly_der = 0;
3947  int certainly_not_der = 0;
3948  random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
3949  CHECK(buflen <= 2048);
3950  for (j = 0; j < 16; j++) {
3951  int ret = 0;
3952  if (j > 0) {
3953  damage_array(buffer, &buflen);
3954  /* We don't know anything anymore about the DERness of the result */
3955  certainly_der = 0;
3956  certainly_not_der = 0;
3957  }
3958  ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
3959  if (ret != 0) {
3960  size_t k;
3961  fprintf(stderr, "Failure %x on ", ret);
3962  for (k = 0; k < buflen; k++) {
3963  fprintf(stderr, "%02x ", buffer[k]);
3964  }
3965  fprintf(stderr, "\n");
3966  }
3967  CHECK(ret == 0);
3968  }
3969  }
3970 }
3971 
3972 /* Tests several edge cases. */
3974  int t;
3976 
3977  /* Test the case where ECDSA recomputes a point that is infinity. */
3978  {
3979  secp256k1_gej keyj;
3980  secp256k1_ge key;
3981  secp256k1_scalar msg;
3982  secp256k1_scalar sr, ss;
3983  secp256k1_scalar_set_int(&ss, 1);
3984  secp256k1_scalar_negate(&ss, &ss);
3985  secp256k1_scalar_inverse(&ss, &ss);
3986  secp256k1_scalar_set_int(&sr, 1);
3987  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
3988  secp256k1_ge_set_gej(&key, &keyj);
3989  msg = ss;
3990  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
3991  }
3992 
3993  /* Verify signature with r of zero fails. */
3994  {
3995  const unsigned char pubkey_mods_zero[33] = {
3996  0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3997  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3998  0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
3999  0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4000  0x41
4001  };
4002  secp256k1_ge key;
4003  secp256k1_scalar msg;
4004  secp256k1_scalar sr, ss;
4005  secp256k1_scalar_set_int(&ss, 1);
4006  secp256k1_scalar_set_int(&msg, 0);
4007  secp256k1_scalar_set_int(&sr, 0);
4008  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
4009  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4010  }
4011 
4012  /* Verify signature with s of zero fails. */
4013  {
4014  const unsigned char pubkey[33] = {
4015  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4016  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4017  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4018  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4019  0x01
4020  };
4021  secp256k1_ge key;
4022  secp256k1_scalar msg;
4023  secp256k1_scalar sr, ss;
4024  secp256k1_scalar_set_int(&ss, 0);
4025  secp256k1_scalar_set_int(&msg, 0);
4026  secp256k1_scalar_set_int(&sr, 1);
4027  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4028  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4029  }
4030 
4031  /* Verify signature with message 0 passes. */
4032  {
4033  const unsigned char pubkey[33] = {
4034  0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4035  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4036  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4037  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4038  0x02
4039  };
4040  const unsigned char pubkey2[33] = {
4041  0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4042  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4043  0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4044  0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4045  0x43
4046  };
4047  secp256k1_ge key;
4048  secp256k1_ge key2;
4049  secp256k1_scalar msg;
4050  secp256k1_scalar sr, ss;
4051  secp256k1_scalar_set_int(&ss, 2);
4052  secp256k1_scalar_set_int(&msg, 0);
4053  secp256k1_scalar_set_int(&sr, 2);
4054  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4055  CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4056  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4057  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4058  secp256k1_scalar_negate(&ss, &ss);
4059  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4060  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4061  secp256k1_scalar_set_int(&ss, 1);
4062  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4063  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4064  }
4065 
4066  /* Verify signature with message 1 passes. */
4067  {
4068  const unsigned char pubkey[33] = {
4069  0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
4070  0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
4071  0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
4072  0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
4073  0x25
4074  };
4075  const unsigned char pubkey2[33] = {
4076  0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
4077  0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
4078  0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
4079  0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
4080  0x62
4081  };
4082  const unsigned char csr[32] = {
4083  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4084  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4085  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4086  0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
4087  };
4088  secp256k1_ge key;
4089  secp256k1_ge key2;
4090  secp256k1_scalar msg;
4091  secp256k1_scalar sr, ss;
4092  secp256k1_scalar_set_int(&ss, 1);
4093  secp256k1_scalar_set_int(&msg, 1);
4094  secp256k1_scalar_set_b32(&sr, csr, NULL);
4095  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4096  CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4097  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4098  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4099  secp256k1_scalar_negate(&ss, &ss);
4100  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4101  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4102  secp256k1_scalar_set_int(&ss, 2);
4103  secp256k1_scalar_inverse_var(&ss, &ss);
4104  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4105  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4106  }
4107 
4108  /* Verify signature with message -1 passes. */
4109  {
4110  const unsigned char pubkey[33] = {
4111  0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
4112  0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
4113  0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
4114  0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
4115  0xf1
4116  };
4117  const unsigned char csr[32] = {
4118  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4119  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4120  0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4121  0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
4122  };
4123  secp256k1_ge key;
4124  secp256k1_scalar msg;
4125  secp256k1_scalar sr, ss;
4126  secp256k1_scalar_set_int(&ss, 1);
4127  secp256k1_scalar_set_int(&msg, 1);
4128  secp256k1_scalar_negate(&msg, &msg);
4129  secp256k1_scalar_set_b32(&sr, csr, NULL);
4130  CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4131  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4132  secp256k1_scalar_negate(&ss, &ss);
4133  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4134  secp256k1_scalar_set_int(&ss, 3);
4135  secp256k1_scalar_inverse_var(&ss, &ss);
4136  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4137  }
4138 
4139  /* Signature where s would be zero. */
4140  {
4141  secp256k1_pubkey pubkey;
4142  size_t siglen;
4143  int32_t ecount;
4144  unsigned char signature[72];
4145  static const unsigned char nonce[32] = {
4146  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4147  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4148  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4149  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4150  };
4151  static const unsigned char nonce2[32] = {
4152  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4153  0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4154  0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4155  0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
4156  };
4157  const unsigned char key[32] = {
4158  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4159  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4160  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4161  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4162  };
4163  unsigned char msg[32] = {
4164  0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
4165  0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
4166  0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
4167  0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
4168  };
4169  ecount = 0;
4170  secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4171  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
4172  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
4173  msg[31] = 0xaa;
4174  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
4175  CHECK(ecount == 0);
4176  CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
4177  CHECK(ecount == 1);
4178  CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
4179  CHECK(ecount == 2);
4180  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
4181  CHECK(ecount == 3);
4182  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
4183  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
4184  CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
4185  CHECK(ecount == 4);
4186  CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
4187  CHECK(ecount == 5);
4188  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
4189  CHECK(ecount == 6);
4190  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
4191  CHECK(ecount == 6);
4192  CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4193  CHECK(ecount == 7);
4194  /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
4195  CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
4196  CHECK(ecount == 8);
4197  siglen = 72;
4198  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
4199  CHECK(ecount == 9);
4200  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
4201  CHECK(ecount == 10);
4202  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
4203  CHECK(ecount == 11);
4204  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
4205  CHECK(ecount == 11);
4206  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
4207  CHECK(ecount == 12);
4208  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
4209  CHECK(ecount == 13);
4210  CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
4211  CHECK(ecount == 13);
4212  siglen = 10;
4213  /* Too little room for a signature does not fail via ARGCHECK. */
4214  CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
4215  CHECK(ecount == 13);
4216  ecount = 0;
4217  CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
4218  CHECK(ecount == 1);
4219  CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
4220  CHECK(ecount == 2);
4221  CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
4222  CHECK(ecount == 3);
4223  CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
4224  CHECK(ecount == 3);
4225  CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
4226  CHECK(ecount == 4);
4227  CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
4228  CHECK(ecount == 5);
4229  CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
4230  CHECK(ecount == 5);
4231  memset(signature, 255, 64);
4232  CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
4233  CHECK(ecount == 5);
4234  secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4235  }
4236 
4237  /* Nonce function corner cases. */
4238  for (t = 0; t < 2; t++) {
4239  static const unsigned char zero[32] = {0x00};
4240  int i;
4241  unsigned char key[32];
4242  unsigned char msg[32];
4244  secp256k1_scalar sr[512], ss;
4245  const unsigned char *extra;
4246  extra = t == 0 ? NULL : zero;
4247  memset(msg, 0, 32);
4248  msg[31] = 1;
4249  /* High key results in signature failure. */
4250  memset(key, 0xFF, 32);
4251  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
4252  CHECK(is_empty_signature(&sig));
4253  /* Zero key results in signature failure. */
4254  memset(key, 0, 32);
4255  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
4256  CHECK(is_empty_signature(&sig));
4257  /* Nonce function failure results in signature failure. */
4258  key[31] = 1;
4259  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
4260  CHECK(is_empty_signature(&sig));
4261  /* The retry loop successfully makes its way to the first good value. */
4262  CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
4263  CHECK(!is_empty_signature(&sig));
4264  CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
4265  CHECK(!is_empty_signature(&sig2));
4266  CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4267  /* The default nonce function is deterministic. */
4268  CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4269  CHECK(!is_empty_signature(&sig2));
4270  CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4271  /* The default nonce function changes output with different messages. */
4272  for(i = 0; i < 256; i++) {
4273  int j;
4274  msg[0] = i;
4275  CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4276  CHECK(!is_empty_signature(&sig2));
4277  secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4278  for (j = 0; j < i; j++) {
4279  CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4280  }
4281  }
4282  msg[0] = 0;
4283  msg[31] = 2;
4284  /* The default nonce function changes output with different keys. */
4285  for(i = 256; i < 512; i++) {
4286  int j;
4287  key[0] = i - 256;
4288  CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4289  CHECK(!is_empty_signature(&sig2));
4290  secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4291  for (j = 0; j < i; j++) {
4292  CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4293  }
4294  }
4295  key[0] = 0;
4296  }
4297 
4298  {
4299  /* Check that optional nonce arguments do not have equivalent effect. */
4300  const unsigned char zeros[32] = {0};
4301  unsigned char nonce[32];
4302  unsigned char nonce2[32];
4303  unsigned char nonce3[32];
4304  unsigned char nonce4[32];
4305  VG_UNDEF(nonce,32);
4306  VG_UNDEF(nonce2,32);
4307  VG_UNDEF(nonce3,32);
4308  VG_UNDEF(nonce4,32);
4309  CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
4310  VG_CHECK(nonce,32);
4311  CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
4312  VG_CHECK(nonce2,32);
4313  CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
4314  VG_CHECK(nonce3,32);
4315  CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
4316  VG_CHECK(nonce4,32);
4317  CHECK(memcmp(nonce, nonce2, 32) != 0);
4318  CHECK(memcmp(nonce, nonce3, 32) != 0);
4319  CHECK(memcmp(nonce, nonce4, 32) != 0);
4320  CHECK(memcmp(nonce2, nonce3, 32) != 0);
4321  CHECK(memcmp(nonce2, nonce4, 32) != 0);
4322  CHECK(memcmp(nonce3, nonce4, 32) != 0);
4323  }
4324 
4325 
4326  /* Privkey export where pubkey is the point at infinity. */
4327  {
4328  unsigned char privkey[300];
4329  unsigned char seckey[32] = {
4330  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4331  0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4332  0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4333  0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
4334  };
4335  size_t outlen = 300;
4336  CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
4337  outlen = 300;
4338  CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
4339  }
4340 }
4341 
4344 }
4345 
4346 #ifdef ENABLE_OPENSSL_TESTS
4347 EC_KEY *get_openssl_key(const unsigned char *key32) {
4348  unsigned char privkey[300];
4349  size_t privkeylen;
4350  const unsigned char* pbegin = privkey;
4351  int compr = secp256k1_rand_bits(1);
4352  EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
4353  CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
4354  CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
4355  CHECK(EC_KEY_check_key(ec_key));
4356  return ec_key;
4357 }
4358 
4359 void test_ecdsa_openssl(void) {
4360  secp256k1_gej qj;
4361  secp256k1_ge q;
4362  secp256k1_scalar sigr, sigs;
4363  secp256k1_scalar one;
4364  secp256k1_scalar msg2;
4365  secp256k1_scalar key, msg;
4366  EC_KEY *ec_key;
4367  unsigned int sigsize = 80;
4368  size_t secp_sigsize = 80;
4369  unsigned char message[32];
4370  unsigned char signature[80];
4371  unsigned char key32[32];
4372  secp256k1_rand256_test(message);
4373  secp256k1_scalar_set_b32(&msg, message, NULL);
4375  secp256k1_scalar_get_b32(key32, &key);
4376  secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
4377  secp256k1_ge_set_gej(&q, &qj);
4378  ec_key = get_openssl_key(key32);
4379  CHECK(ec_key != NULL);
4380  CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
4381  CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
4382  CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
4383  secp256k1_scalar_set_int(&one, 1);
4384  secp256k1_scalar_add(&msg2, &msg, &one);
4385  CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
4386 
4387  random_sign(&sigr, &sigs, &key, &msg, NULL);
4388  CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
4389  CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
4390 
4391  EC_KEY_free(ec_key);
4392 }
4393 
4394 void run_ecdsa_openssl(void) {
4395  int i;
4396  for (i = 0; i < 10*count; i++) {
4397  test_ecdsa_openssl();
4398  }
4399 }
4400 #endif
4401 
4402 #ifdef ENABLE_MODULE_ECDH
4403 # include "modules/ecdh/tests_impl.h"
4404 #endif
4405 
4406 #ifdef ENABLE_MODULE_RECOVERY
4408 #endif
4409 
4410 int main(int argc, char **argv) {
4411  unsigned char seed16[16] = {0};
4412  unsigned char run32[32] = {0};
4413  /* find iteration count */
4414  if (argc > 1) {
4415  count = strtol(argv[1], NULL, 0);
4416  }
4417 
4418  /* find random seed */
4419  if (argc > 2) {
4420  int pos = 0;
4421  const char* ch = argv[2];
4422  while (pos < 16 && ch[0] != 0 && ch[1] != 0) {
4423  unsigned short sh;
4424  if (sscanf(ch, "%2hx", &sh)) {
4425  seed16[pos] = sh;
4426  } else {
4427  break;
4428  }
4429  ch += 2;
4430  pos++;
4431  }
4432  } else {
4433  FILE *frand = fopen("/dev/urandom", "r");
4434  if ((frand == NULL) || !fread(&seed16, sizeof(seed16), 1, frand)) {
4435  uint64_t t = time(NULL) * (uint64_t)1337;
4436  seed16[0] ^= t;
4437  seed16[1] ^= t >> 8;
4438  seed16[2] ^= t >> 16;
4439  seed16[3] ^= t >> 24;
4440  seed16[4] ^= t >> 32;
4441  seed16[5] ^= t >> 40;
4442  seed16[6] ^= t >> 48;
4443  seed16[7] ^= t >> 56;
4444  }
4445  fclose(frand);
4446  }
4447  secp256k1_rand_seed(seed16);
4448 
4449  printf("test count = %i\n", count);
4450  printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]);
4451 
4452  /* initialize */
4455  if (secp256k1_rand_bits(1)) {
4456  secp256k1_rand256(run32);
4457  CHECK(secp256k1_context_randomize(ctx, secp256k1_rand_bits(1) ? run32 : NULL));
4458  }
4459 
4460  run_rand_bits();
4461  run_rand_int();
4462 
4463  run_sha256_tests();
4466 
4467 #ifndef USE_NUM_NONE
4468  /* num tests */
4470 #endif
4471 
4472  /* scalar tests */
4473  run_scalar_tests();
4474 
4475  /* field tests */
4476  run_field_inv();
4479  run_field_misc();
4481  run_sqr();
4482  run_sqrt();
4483 
4484  /* group tests */
4485  run_ge();
4487 
4488  /* ecmult tests */
4489  run_wnaf();
4491  run_ecmult_chain();
4495  run_ec_combine();
4496 
4497  /* endomorphism tests */
4498 #ifdef USE_ENDOMORPHISM
4499  run_endomorphism_tests();
4500 #endif
4501 
4502  /* EC point parser test */
4504 
4505  /* EC key edge cases */
4507 
4508 #ifdef ENABLE_MODULE_ECDH
4509  /* ecdh tests */
4510  run_ecdh_tests();
4511 #endif
4512 
4513  /* ecdsa tests */
4519 #ifdef ENABLE_OPENSSL_TESTS
4520  run_ecdsa_openssl();
4521 #endif
4522 
4523 #ifdef ENABLE_MODULE_RECOVERY
4524  /* ECDSA pubkey recovery tests */
4526 #endif
4527 
4528  secp256k1_rand256(run32);
4529  printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]);
4530 
4531  /* shutdown */
4533 
4534  printf("no problems found\n");
4535  return 0;
4536 }
#define VERIFY_CHECK(cond)
Definition: util.h:67
void run_hmac_sha256_tests(void)
Definition: tests.c:289
int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:1594
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:477
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a private key by multiplying it by a tweak.
Definition: secp256k1.c:501
void random_fe(secp256k1_fe *x)
Definition: tests.c:1553
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call...
Definition: secp256k1.c:101
#define s2
Definition: sph_hamsi.c:214
void test_add_neg_y_diff_x(void)
Definition: tests.c:2084
void run_ecmult_const_tests(void)
Definition: tests.c:2483
SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:261
void test_point_times_order(const secp256k1_gej *point)
Definition: tests.c:2330
#define SECP256K1_GEJ_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:31
SECP256K1_API int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:274
void run_group_decompress(void)
Definition: tests.c:2255
FILE * fopen(const fs::path &p, const char *mode)
Definition: fs.cpp:5
secp256k1_fe x
Definition: group.h:25
int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:1639
void run_scalar_tests(void)
Definition: tests.c:923
void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k)
Definition: tests.c:1782
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1)
Updates the context randomization to protect against side-channel leakage.
Definition: secp256k1.c:547
void test_random_pubkeys(void)
Definition: tests.c:3570
int ec_privkey_export_der(const secp256k1_context *ctx, unsigned char *privkey, size_t *privkeylen, const unsigned char *key32, int compressed)
Export a private key in DER format.
void test_ecmult_constants(void)
Definition: tests.c:2602
#define SECP256K1_CONTEXT_NONE
Definition: secp256k1.h:156
void run_field_misc(void)
Definition: tests.c:1648
void run_ge(void)
Definition: tests.c:2151
void run_sqrt(void)
Definition: tests.c:1796
void run_random_pubkeys(void)
Definition: tests.c:3630
void run_rand_int(void)
Definition: tests.c:435
void test_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:2490
void random_scalar_order(secp256k1_scalar *num)
Definition: tests.c:124
#define SECP256K1_GEJ_CONST_INFINITY
Definition: group.h:32
void random_fe_non_zero(secp256k1_fe *nz)
Definition: tests.c:1573
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:165
void run_ecmult_constants(void)
Definition: tests.c:2635
void(* fn)(const char *text, void *data)
Definition: util.h:19
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:24
void run_rand_bits(void)
Definition: tests.c:427
void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b)
Definition: tests.c:1832
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:155
void test_num_add_sub(void)
Definition: tests.c:487
void run_ecdsa_sign_verify(void)
Definition: tests.c:3380
void random_field_element_test(secp256k1_fe *fe)
Definition: tests.c:61
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a private key by adding tweak to it.
Definition: secp256k1.c:454
void test_ec_combine(void)
Definition: tests.c:2159
void test_num_negate(void)
Definition: tests.c:467
void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid)
Definition: tests.c:3350
#define SECP256K1_FE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:38
void test_ecmult_gen_blind_reset(void)
Definition: tests.c:2662
void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b)
Definition: tests.c:1863
void test_num_jacobi(void)
Definition: tests.c:560
void run_eckey_edge_case_test(void)
Definition: tests.c:3114
void run_context_tests(void)
Definition: tests.c:137
int ec_privkey_import_der(const secp256k1_context *ctx, unsigned char *out32, const unsigned char *privkey, size_t privkeylen)
Import a private key in DER format.
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object.
Definition: secp256k1.c:92
int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der)
Definition: tests.c:3644
void run_ecdh_tests(void)
Definition: tests_impl.h:99
void run_field_inv_all_var(void)
Definition: tests.c:1744
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:404
void test_rand_int(uint32_t range, uint32_t subrange)
Definition: tests.c:411
#define SECP256K1_EC_UNCOMPRESSED
Definition: secp256k1.h:160
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize and secp256k1_ec_privkey_export.
Definition: secp256k1.h:159
#define WNAF_SIZE(w)
void run_rfc6979_hmac_sha256_tests(void)
Definition: tests.c:333
void run_field_inv_var(void)
Definition: tests.c:1732
void random_num_order(secp256k1_num *num)
Definition: tests.c:461
void run_ec_pubkey_parse_test(void)
Definition: tests.c:2787
void run_field_inv(void)
Definition: tests.c:1720
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an ECDSA secret key.
Definition: secp256k1.c:391
void run_ecmult_gen_blind(void)
Definition: tests.c:2674
void run_ecdsa_der_parse(void)
Definition: tests.c:3941
secp256k1_scalar blind
Definition: ecmult_gen.h:27
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:53
void run_field_convert(void)
Definition: tests.c:1609
#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: scalar_4x64.h:17
void run_num_smalltests(void)
Definition: tests.c:621
void ecmult_const_mult_zero_one(void)
Definition: tests.c:2435
void run_ecmult_chain(void)
Definition: tests.c:2266
int is_empty_signature(const secp256k1_ecdsa_signature *sig)
Definition: tests.c:3434
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:345
int infinity
Definition: group.h:28
#define VG_UNDEF(x, y)
Definition: tests.c:37
int ecdsa_signature_parse_der_lax(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen)
Parse a signature in "lax DER" format.
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:523
void test_group_decompress(const secp256k1_fe *x)
Definition: tests.c:2191
void run_ecdsa_end_to_end(void)
Definition: tests.c:3637
void test_constant_wnaf_negate(const secp256k1_scalar *number)
Definition: tests.c:2524
void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid)
Definition: tests.c:2712
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:150
secp256k1_ecmult_context ecmult_ctx
Definition: secp256k1.c:52
A group element of the secp256k1 curve, in affine coordinates.
Definition: group.h:14
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:66
secp256k1_fe x
Definition: group.h:15
void run_sqr(void)
Definition: tests.c:1766
#define VG_CHECK(x, y)
Definition: tests.c:38
#define SECP256K1_EC_PARSE_TEST_NINVALID
#define CHECK(cond)
Definition: util.h:52
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:109
int infinity
Definition: group.h:17
volatile double sum
Definition: Examples.cpp:24
int main(int argc, char **argv)
Definition: tests.c:4410
SECP256K1_API int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a DER ECDSA signature.
Definition: secp256k1.c:212
void run_sha256_tests(void)
Definition: tests.c:253
#define s1(x)
Definition: sha2.c:57
void test_ecdsa_edge_cases(void)
Definition: tests.c:3973
#define SECP256K1_GE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:20
#define SECP256K1_CONTEXT_VERIFY
Flags to pass to secp256k1_context_create.
Definition: secp256k1.h:154
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Copies a secp256k1 context object.
Definition: secp256k1.c:83
void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge)
Definition: tests.c:96
uint64_t d[4]
Definition: scalar_4x64.h:14
SECP256K1_API int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize an ECDSA signature in DER format.
Definition: secp256k1.c:249
void random_scalar_order_test(secp256k1_scalar *num)
Definition: tests.c:111
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a public key in place.
Definition: secp256k1.c:439
void random_group_element_test(secp256k1_ge *ge)
Definition: tests.c:85
SECP256K1_API int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:228
void run_wnaf(void)
Definition: tests.c:2578
void ecmult_const_random_mult(void)
Definition: tests.c:2387
secp256k1_fe z
Definition: group.h:27
#define SECP256K1_EC_PARSE_TEST_NVALID
void * memcpy(void *a, const void *b, size_t c)
void random_fe_test(secp256k1_fe *x)
Definition: tests.c:1563
#define SECP256K1_FE_STORAGE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:45
void test_ecdsa_sign_verify(void)
Definition: tests.c:3357
sph_u32 low
Definition: keccak.c:370
void test_ecdsa_end_to_end(void)
Definition: tests.c:3439
secp256k1_callback error_callback
Definition: secp256k1.c:55
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *out, const secp256k1_pubkey *const *ins, size_t n) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Add a number of public keys together.
Definition: secp256k1.c:554
void test_constant_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:2539
void random_num_negate(secp256k1_num *num)
Definition: tests.c:449
void random_field_element_magnitude(secp256k1_fe *fe)
Definition: tests.c:71
void ecmult_const_commutativity(void)
Definition: tests.c:2414
void random_num_order_test(secp256k1_num *num)
Definition: tests.c:455
void ecmult_const_chain_multiply(void)
Definition: tests.c:2457
secp256k1_fe y
Definition: group.h:26
void test_ecmult_gen_blind(void)
Definition: tests.c:2639
int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:1842
void test_ge(void)
Definition: tests.c:1880
void printf(const char *fmt, const Args &... args)
Format list of arguments to std::cout, according to the given format string.
Definition: tinyformat.h:972
secp256k1_fe y
Definition: group.h:16
void random_fe_non_square(secp256k1_fe *ns)
Definition: tests.c:1586
void * memmove(void *a, const void *b, size_t c)
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object.
Definition: secp256k1.c:58
void run_ec_combine(void)
Definition: tests.c:2184
void run_ecdsa_edge_cases(void)
Definition: tests.c:4342
void test_num_mod(void)
Definition: tests.c:529
void test_rand_bits(int rand32, int bits)
Definition: tests.c:376
void run_recovery_tests(void)
Definition: tests_impl.h:382
int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai)
Definition: tests.c:1602
#define SECP256K1_EC_PARSE_TEST_NXVALID
void run_point_times_order(void)
Definition: tests.c:2365
void scalar_test(void)
Definition: tests.c:634
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:53
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msg32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:293