Bitcoin ABC 0.30.5
P2P Digital Currency
tests.c
Go to the documentation of this file.
1/***********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or https://www.opensource.org/licenses/mit-license.php.*
5 ***********************************************************************/
6
7#if defined HAVE_CONFIG_H
8#include "libsecp256k1-config.h"
9#endif
10
11#include <stdio.h>
12#include <stdlib.h>
13#include <string.h>
14
15#include <time.h>
16
17#include "secp256k1.c"
18#include "include/secp256k1.h"
19#include "include/secp256k1_preallocated.h"
20#include "testrand_impl.h"
21#include "util.h"
22
23#include "contrib/lax_der_parsing.c"
24#include "contrib/lax_der_privatekey_parsing.c"
25
26#include "modinv32_impl.h"
27#ifdef SECP256K1_WIDEMUL_INT128
28#include "modinv64_impl.h"
29#endif
30
31static int count = 64;
32static secp256k1_context *ctx = NULL;
33
34static void counting_illegal_callback_fn(const char* str, void* data) {
35 /* Dummy callback function that just counts. */
36 int32_t *p;
37 (void)str;
38 p = data;
39 (*p)++;
40}
41
42static void uncounting_illegal_callback_fn(const char* str, void* data) {
43 /* Dummy callback function that just counts (backwards). */
44 int32_t *p;
45 (void)str;
46 p = data;
47 (*p)--;
48}
49
50void random_field_element_test(secp256k1_fe *fe) {
51 do {
52 unsigned char b32[32];
53 secp256k1_testrand256_test(b32);
54 if (secp256k1_fe_set_b32(fe, b32)) {
55 break;
56 }
57 } while(1);
58}
59
60void random_field_element_magnitude(secp256k1_fe *fe) {
61 secp256k1_fe zero;
62 int n = secp256k1_testrand_int(9);
63 secp256k1_fe_normalize(fe);
64 if (n == 0) {
65 return;
66 }
67 secp256k1_fe_clear(&zero);
68 secp256k1_fe_negate(&zero, &zero, 0);
69 secp256k1_fe_mul_int(&zero, n - 1);
70 secp256k1_fe_add(fe, &zero);
71#ifdef VERIFY
72 CHECK(fe->magnitude == n);
73#endif
74}
75
76void random_group_element_test(secp256k1_ge *ge) {
77 secp256k1_fe fe;
78 do {
79 random_field_element_test(&fe);
80 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_testrand_bits(1))) {
81 secp256k1_fe_normalize(&ge->y);
82 break;
83 }
84 } while(1);
85 ge->infinity = 0;
86}
87
88void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
89 secp256k1_fe z2, z3;
90 do {
91 random_field_element_test(&gej->z);
92 if (!secp256k1_fe_is_zero(&gej->z)) {
93 break;
94 }
95 } while(1);
96 secp256k1_fe_sqr(&z2, &gej->z);
97 secp256k1_fe_mul(&z3, &z2, &gej->z);
98 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
99 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
100 gej->infinity = ge->infinity;
101}
102
103void random_scalar_order_test(secp256k1_scalar *num) {
104 do {
105 unsigned char b32[32];
106 int overflow = 0;
107 secp256k1_testrand256_test(b32);
108 secp256k1_scalar_set_b32(num, b32, &overflow);
109 if (overflow || secp256k1_scalar_is_zero(num)) {
110 continue;
111 }
112 break;
113 } while(1);
114}
115
116void random_scalar_order(secp256k1_scalar *num) {
117 do {
118 unsigned char b32[32];
119 int overflow = 0;
120 secp256k1_testrand256(b32);
121 secp256k1_scalar_set_b32(num, b32, &overflow);
122 if (overflow || secp256k1_scalar_is_zero(num)) {
123 continue;
124 }
125 break;
126 } while(1);
127}
128
129void random_scalar_order_b32(unsigned char *b32) {
130 secp256k1_scalar num;
131 random_scalar_order(&num);
132 secp256k1_scalar_get_b32(b32, &num);
133}
134
135void run_context_tests(int use_prealloc) {
136 secp256k1_pubkey pubkey;
137 secp256k1_pubkey zero_pubkey;
138 secp256k1_ecdsa_signature sig;
139 unsigned char ctmp[32];
140 int32_t ecount;
141 int32_t ecount2;
142 secp256k1_context *none;
143 secp256k1_context *sign;
144 secp256k1_context *vrfy;
145 secp256k1_context *both;
146 void *none_prealloc = NULL;
147 void *sign_prealloc = NULL;
148 void *vrfy_prealloc = NULL;
149 void *both_prealloc = NULL;
150
151 secp256k1_gej pubj;
152 secp256k1_ge pub;
153 secp256k1_scalar msg, key, nonce;
154 secp256k1_scalar sigr, sigs;
155
156 if (use_prealloc) {
157 none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
158 sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
159 vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
160 both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
161 CHECK(none_prealloc != NULL);
162 CHECK(sign_prealloc != NULL);
163 CHECK(vrfy_prealloc != NULL);
164 CHECK(both_prealloc != NULL);
165 none = secp256k1_context_preallocated_create(none_prealloc, SECP256K1_CONTEXT_NONE);
166 sign = secp256k1_context_preallocated_create(sign_prealloc, SECP256K1_CONTEXT_SIGN);
167 vrfy = secp256k1_context_preallocated_create(vrfy_prealloc, SECP256K1_CONTEXT_VERIFY);
168 both = secp256k1_context_preallocated_create(both_prealloc, SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
169 } else {
170 none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
171 sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
172 vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
173 both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
174 }
175
176 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
177
178 ecount = 0;
179 ecount2 = 10;
180 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
181 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
182 /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
183 secp256k1_context_set_error_callback(sign, secp256k1_default_illegal_callback_fn, NULL);
184 CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
185 CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn);
186
187 /* check if sizes for cloning are consistent */
188 CHECK(secp256k1_context_preallocated_clone_size(none) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
189 CHECK(secp256k1_context_preallocated_clone_size(sign) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
190 CHECK(secp256k1_context_preallocated_clone_size(vrfy) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
191 CHECK(secp256k1_context_preallocated_clone_size(both) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
192
193 /*** clone and destroy all of them to make sure cloning was complete ***/
194 {
195 secp256k1_context *ctx_tmp;
196
197 if (use_prealloc) {
198 /* clone into a non-preallocated context and then again into a new preallocated one. */
199 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
200 free(none_prealloc); none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL);
201 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, none_prealloc); secp256k1_context_destroy(ctx_tmp);
202
203 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
204 free(sign_prealloc); sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL);
205 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, sign_prealloc); secp256k1_context_destroy(ctx_tmp);
206
207 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
208 free(vrfy_prealloc); vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL);
209 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, vrfy_prealloc); secp256k1_context_destroy(ctx_tmp);
210
211 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
212 free(both_prealloc); both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL);
213 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, both_prealloc); secp256k1_context_destroy(ctx_tmp);
214 } else {
215 /* clone into a preallocated context and then again into a new non-preallocated one. */
216 void *prealloc_tmp;
217
218 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL);
219 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
220 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
221 free(prealloc_tmp);
222
223 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL);
224 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
225 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
226 free(prealloc_tmp);
227
228 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
229 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
230 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
231 free(prealloc_tmp);
232
233 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
234 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
235 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
236 free(prealloc_tmp);
237 }
238 }
239
240 /* Verify that the error callback makes it across the clone. */
241 CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
242 CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn);
243 /* And that it resets back to default. */
244 secp256k1_context_set_error_callback(sign, NULL, NULL);
245 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
246
247 /*** attempt to use them ***/
248 random_scalar_order_test(&msg);
249 random_scalar_order_test(&key);
250 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
251 secp256k1_ge_set_gej(&pub, &pubj);
252
253 /* Verify context-type checking illegal-argument errors. */
254 memset(ctmp, 1, 32);
255 CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
256 CHECK(ecount == 1);
257 VG_UNDEF(&pubkey, sizeof(pubkey));
258 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
259 VG_CHECK(&pubkey, sizeof(pubkey));
260 CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
261 CHECK(ecount == 2);
262 VG_UNDEF(&sig, sizeof(sig));
263 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
264 VG_CHECK(&sig, sizeof(sig));
265 CHECK(ecount2 == 10);
266 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
267 CHECK(ecount2 == 11);
268 CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
269 CHECK(ecount == 2);
270 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
271 CHECK(ecount2 == 12);
272 CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
273 CHECK(ecount == 2);
274 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
275 CHECK(ecount2 == 13);
276 CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
277 CHECK(ecount == 2);
278 CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
279 CHECK(ecount == 2);
280 CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
281 CHECK(ecount2 == 14);
282 CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
283 CHECK(ecount == 3);
284 CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
285 CHECK(ecount == 3);
286 CHECK(secp256k1_context_randomize(vrfy, ctmp) == 1);
287 CHECK(ecount == 3);
288 CHECK(secp256k1_context_randomize(vrfy, NULL) == 1);
289 CHECK(ecount == 3);
290 CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
291 CHECK(ecount2 == 14);
292 CHECK(secp256k1_context_randomize(sign, NULL) == 1);
293 CHECK(ecount2 == 14);
294 secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
295 secp256k1_context_set_illegal_callback(sign, NULL, NULL);
296
297 /* obtain a working nonce */
298 do {
299 random_scalar_order_test(&nonce);
300 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
301
302 /* try signing */
303 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
304 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
305
306 /* try verifying */
307 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
308 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
309
310 /* cleanup */
311 if (use_prealloc) {
312 secp256k1_context_preallocated_destroy(none);
313 secp256k1_context_preallocated_destroy(sign);
314 secp256k1_context_preallocated_destroy(vrfy);
315 secp256k1_context_preallocated_destroy(both);
316 free(none_prealloc);
317 free(sign_prealloc);
318 free(vrfy_prealloc);
319 free(both_prealloc);
320 } else {
321 secp256k1_context_destroy(none);
322 secp256k1_context_destroy(sign);
323 secp256k1_context_destroy(vrfy);
324 secp256k1_context_destroy(both);
325 }
326 /* Defined as no-op. */
327 secp256k1_context_destroy(NULL);
328 secp256k1_context_preallocated_destroy(NULL);
329
330}
331
332void run_scratch_tests(void) {
333 const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
334
335 int32_t ecount = 0;
336 size_t checkpoint;
337 size_t checkpoint_2;
338 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
339 secp256k1_scratch_space *scratch;
340 secp256k1_scratch_space local_scratch;
341
342 /* Test public API */
343 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
344 secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
345
346 scratch = secp256k1_scratch_space_create(none, 1000);
347 CHECK(scratch != NULL);
348 CHECK(ecount == 0);
349
350 /* Test internal API */
351 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
352 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
353 CHECK(scratch->alloc_size == 0);
354 CHECK(scratch->alloc_size % ALIGNMENT == 0);
355
356 /* Allocating 500 bytes succeeds */
357 checkpoint = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
358 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
359 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
360 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
361 CHECK(scratch->alloc_size != 0);
362 CHECK(scratch->alloc_size % ALIGNMENT == 0);
363
364 /* Allocating another 501 bytes fails */
365 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 501) == NULL);
366 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
367 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
368 CHECK(scratch->alloc_size != 0);
369 CHECK(scratch->alloc_size % ALIGNMENT == 0);
370
371 /* ...but it succeeds once we apply the checkpoint to undo it */
372 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
373 CHECK(scratch->alloc_size == 0);
374 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
375 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
376 CHECK(scratch->alloc_size != 0);
377
378 /* try to apply a bad checkpoint */
379 checkpoint_2 = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
380 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
381 CHECK(ecount == 0);
382 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */
383 CHECK(ecount == 1);
384 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */
385 CHECK(ecount == 2);
386
387 /* try to use badly initialized scratch space */
388 secp256k1_scratch_space_destroy(none, scratch);
389 memset(&local_scratch, 0, sizeof(local_scratch));
390 scratch = &local_scratch;
391 CHECK(!secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0));
392 CHECK(ecount == 3);
393 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
394 CHECK(ecount == 4);
395 secp256k1_scratch_space_destroy(none, scratch);
396 CHECK(ecount == 5);
397
398 /* Test that large integers do not wrap around in a bad way */
399 scratch = secp256k1_scratch_space_create(none, 1000);
400 /* Try max allocation with a large number of objects. Only makes sense if
401 * ALIGNMENT is greater than 1 because otherwise the objects take no extra
402 * space. */
403 CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&none->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
404 /* Try allocating SIZE_MAX to test wrap around which only happens if
405 * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
406 * space is too small. */
407 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, SIZE_MAX) == NULL);
408 secp256k1_scratch_space_destroy(none, scratch);
409
410 /* cleanup */
411 secp256k1_scratch_space_destroy(none, NULL); /* no-op */
412 secp256k1_context_destroy(none);
413}
414
415void run_ctz_tests(void) {
416 static const uint32_t b32[] = {1, 0xffffffff, 0x5e56968f, 0xe0d63129};
417 static const uint64_t b64[] = {1, 0xffffffffffffffff, 0xbcd02462139b3fc3, 0x98b5f80c769693ef};
418 int shift;
419 unsigned i;
420 for (i = 0; i < sizeof(b32) / sizeof(b32[0]); ++i) {
421 for (shift = 0; shift < 32; ++shift) {
422 CHECK(secp256k1_ctz32_var_debruijn(b32[i] << shift) == shift);
423 CHECK(secp256k1_ctz32_var(b32[i] << shift) == shift);
424 }
425 }
426 for (i = 0; i < sizeof(b64) / sizeof(b64[0]); ++i) {
427 for (shift = 0; shift < 64; ++shift) {
428 CHECK(secp256k1_ctz64_var_debruijn(b64[i] << shift) == shift);
429 CHECK(secp256k1_ctz64_var(b64[i] << shift) == shift);
430 }
431 }
432}
433
434/***** HASH TESTS *****/
435
436void run_sha256_tests(void) {
437 static const char *inputs[8] = {
438 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
439 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
440 "For this sample, this 63-byte string will be used as input data",
441 "This is exactly 64 bytes long, not counting the terminating byte"
442 };
443 static const unsigned char outputs[8][32] = {
444 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
445 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
446 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
447 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
448 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
449 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
450 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
451 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
452 };
453 int i;
454 for (i = 0; i < 8; i++) {
455 unsigned char out[32];
456 secp256k1_sha256 hasher;
457 secp256k1_sha256_initialize(&hasher);
458 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
459 secp256k1_sha256_finalize(&hasher, out);
460 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
461 if (strlen(inputs[i]) > 0) {
462 int split = secp256k1_testrand_int(strlen(inputs[i]));
463 secp256k1_sha256_initialize(&hasher);
464 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
465 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
466 secp256k1_sha256_finalize(&hasher, out);
467 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
468 }
469 }
470}
471
472void run_hmac_sha256_tests(void) {
473 static const char *keys[6] = {
474 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
475 "\x4a\x65\x66\x65",
476 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
477 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
478 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
479 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
480 };
481 static const char *inputs[6] = {
482 "\x48\x69\x20\x54\x68\x65\x72\x65",
483 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
484 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
485 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
486 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
487 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
488 };
489 static const unsigned char outputs[6][32] = {
490 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
491 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
492 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
493 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
494 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
495 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
496 };
497 int i;
498 for (i = 0; i < 6; i++) {
499 secp256k1_hmac_sha256 hasher;
500 unsigned char out[32];
501 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
502 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
503 secp256k1_hmac_sha256_finalize(&hasher, out);
504 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
505 if (strlen(inputs[i]) > 0) {
506 int split = secp256k1_testrand_int(strlen(inputs[i]));
507 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
508 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
509 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
510 secp256k1_hmac_sha256_finalize(&hasher, out);
511 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
512 }
513 }
514}
515
516void run_rfc6979_hmac_sha256_tests(void) {
517 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
518 static const unsigned char out1[3][32] = {
519 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
520 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
521 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
522 };
523
524 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
525 static const unsigned char out2[3][32] = {
526 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
527 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
528 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
529 };
530
531 secp256k1_rfc6979_hmac_sha256 rng;
532 unsigned char out[32];
533 int i;
534
535 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
536 for (i = 0; i < 3; i++) {
537 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
538 CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
539 }
540 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
541
542 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
543 for (i = 0; i < 3; i++) {
544 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
545 CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
546 }
547 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
548
549 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
550 for (i = 0; i < 3; i++) {
551 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
552 CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
553 }
554 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
555}
556
557void run_tagged_sha256_tests(void) {
558 int ecount = 0;
559 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
560 unsigned char tag[32] = { 0 };
561 unsigned char msg[32] = { 0 };
562 unsigned char hash32[32];
563 unsigned char hash_expected[32] = {
564 0x04, 0x7A, 0x5E, 0x17, 0xB5, 0x86, 0x47, 0xC1,
565 0x3C, 0xC6, 0xEB, 0xC0, 0xAA, 0x58, 0x3B, 0x62,
566 0xFB, 0x16, 0x43, 0x32, 0x68, 0x77, 0x40, 0x6C,
567 0xE2, 0x76, 0x55, 0x9A, 0x3B, 0xDE, 0x55, 0xB3
568 };
569
570 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
571
572 /* API test */
573 CHECK(secp256k1_tagged_sha256(none, hash32, tag, sizeof(tag), msg, sizeof(msg)) == 1);
574 CHECK(secp256k1_tagged_sha256(none, NULL, tag, sizeof(tag), msg, sizeof(msg)) == 0);
575 CHECK(ecount == 1);
576 CHECK(secp256k1_tagged_sha256(none, hash32, NULL, 0, msg, sizeof(msg)) == 0);
577 CHECK(ecount == 2);
578 CHECK(secp256k1_tagged_sha256(none, hash32, tag, sizeof(tag), NULL, 0) == 0);
579 CHECK(ecount == 3);
580
581 /* Static test vector */
582 memcpy(tag, "tag", 3);
583 memcpy(msg, "msg", 3);
584 CHECK(secp256k1_tagged_sha256(none, hash32, tag, 3, msg, 3) == 1);
585 CHECK(secp256k1_memcmp_var(hash32, hash_expected, sizeof(hash32)) == 0);
586 secp256k1_context_destroy(none);
587}
588
589/***** RANDOM TESTS *****/
590
591void test_rand_bits(int rand32, int bits) {
592 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
593 * get a false negative chance below once in a billion */
594 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
595 /* We try multiplying the results with various odd numbers, which shouldn't
596 * influence the uniform distribution modulo a power of 2. */
597 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
598 /* We only select up to 6 bits from the output to analyse */
599 unsigned int usebits = bits > 6 ? 6 : bits;
600 unsigned int maxshift = bits - usebits;
601 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
602 number, track all observed outcomes, one per bit in a uint64_t. */
603 uint64_t x[6][27] = {{0}};
604 unsigned int i, shift, m;
605 /* Multiply the output of all rand calls with the odd number m, which
606 should not change the uniformity of its distribution. */
607 for (i = 0; i < rounds[usebits]; i++) {
608 uint32_t r = (rand32 ? secp256k1_testrand32() : secp256k1_testrand_bits(bits));
609 CHECK((((uint64_t)r) >> bits) == 0);
610 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
611 uint32_t rm = r * mults[m];
612 for (shift = 0; shift <= maxshift; shift++) {
613 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
614 }
615 }
616 }
617 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
618 for (shift = 0; shift <= maxshift; shift++) {
619 /* Test that the lower usebits bits of x[shift] are 1 */
620 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
621 }
622 }
623}
624
625/* Subrange must be a whole divisor of range, and at most 64 */
626void test_rand_int(uint32_t range, uint32_t subrange) {
627 /* (1-1/subrange)^rounds < 1/10^9 */
628 int rounds = (subrange * 2073) / 100;
629 int i;
630 uint64_t x = 0;
631 CHECK((range % subrange) == 0);
632 for (i = 0; i < rounds; i++) {
633 uint32_t r = secp256k1_testrand_int(range);
634 CHECK(r < range);
635 r = r % subrange;
636 x |= (((uint64_t)1) << r);
637 }
638 /* Test that the lower subrange bits of x are 1. */
639 CHECK(((~x) << (64 - subrange)) == 0);
640}
641
642void run_rand_bits(void) {
643 size_t b;
644 test_rand_bits(1, 32);
645 for (b = 1; b <= 32; b++) {
646 test_rand_bits(0, b);
647 }
648}
649
650void run_rand_int(void) {
651 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
652 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
653 unsigned int m, s;
654 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
655 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
656 test_rand_int(ms[m] * ss[s], ss[s]);
657 }
658 }
659}
660
661/***** MODINV TESTS *****/
662
663/* Compute the modular inverse of (odd) x mod 2^64. */
664uint64_t modinv2p64(uint64_t x) {
665 /* If w = 1/x mod 2^(2^L), then w*(2 - w*x) = 1/x mod 2^(2^(L+1)). See
666 * Hacker's Delight second edition, Henry S. Warren, Jr., pages 245-247 for
667 * why. Start with L=0, for which it is true for every odd x that
668 * 1/x=1 mod 2. Iterating 6 times gives us 1/x mod 2^64. */
669 int l;
670 uint64_t w = 1;
671 CHECK(x & 1);
672 for (l = 0; l < 6; ++l) w *= (2 - w*x);
673 return w;
674}
675
676/* compute out = (a*b) mod m; if b=NULL, treat b=1.
677 *
678 * Out is a 512-bit number (represented as 32 uint16_t's in LE order). The other
679 * arguments are 256-bit numbers (represented as 16 uint16_t's in LE order). */
680void mulmod256(uint16_t* out, const uint16_t* a, const uint16_t* b, const uint16_t* m) {
681 uint16_t mul[32];
682 uint64_t c = 0;
683 int i, j;
684 int m_bitlen = 0;
685 int mul_bitlen = 0;
686
687 if (b != NULL) {
688 /* Compute the product of a and b, and put it in mul. */
689 for (i = 0; i < 32; ++i) {
690 for (j = i <= 15 ? 0 : i - 15; j <= i && j <= 15; j++) {
691 c += (uint64_t)a[j] * b[i - j];
692 }
693 mul[i] = c & 0xFFFF;
694 c >>= 16;
695 }
696 CHECK(c == 0);
697
698 /* compute the highest set bit in mul */
699 for (i = 511; i >= 0; --i) {
700 if ((mul[i >> 4] >> (i & 15)) & 1) {
701 mul_bitlen = i;
702 break;
703 }
704 }
705 } else {
706 /* if b==NULL, set mul=a. */
707 memcpy(mul, a, 32);
708 memset(mul + 16, 0, 32);
709 /* compute the highest set bit in mul */
710 for (i = 255; i >= 0; --i) {
711 if ((mul[i >> 4] >> (i & 15)) & 1) {
712 mul_bitlen = i;
713 break;
714 }
715 }
716 }
717
718 /* Compute the highest set bit in m. */
719 for (i = 255; i >= 0; --i) {
720 if ((m[i >> 4] >> (i & 15)) & 1) {
721 m_bitlen = i;
722 break;
723 }
724 }
725
726 /* Try do mul -= m<<i, for i going down to 0, whenever the result is not negative */
727 for (i = mul_bitlen - m_bitlen; i >= 0; --i) {
728 uint16_t mul2[32];
729 int64_t cs;
730
731 /* Compute mul2 = mul - m<<i. */
732 cs = 0; /* accumulator */
733 for (j = 0; j < 32; ++j) { /* j loops over the output limbs in mul2. */
734 /* Compute sub: the 16 bits in m that will be subtracted from mul2[j]. */
735 uint16_t sub = 0;
736 int p;
737 for (p = 0; p < 16; ++p) { /* p loops over the bit positions in mul2[j]. */
738 int bitpos = j * 16 - i + p; /* bitpos is the correspond bit position in m. */
739 if (bitpos >= 0 && bitpos < 256) {
740 sub |= ((m[bitpos >> 4] >> (bitpos & 15)) & 1) << p;
741 }
742 }
743 /* Add mul[j]-sub to accumulator, and shift bottom 16 bits out to mul2[j]. */
744 cs += mul[j];
745 cs -= sub;
746 mul2[j] = (cs & 0xFFFF);
747 cs >>= 16;
748 }
749 /* If remainder of subtraction is 0, set mul = mul2. */
750 if (cs == 0) {
751 memcpy(mul, mul2, sizeof(mul));
752 }
753 }
754 /* Sanity check: test that all limbs higher than m's highest are zero */
755 for (i = (m_bitlen >> 4) + 1; i < 32; ++i) {
756 CHECK(mul[i] == 0);
757 }
758 memcpy(out, mul, 32);
759}
760
761/* Convert a 256-bit number represented as 16 uint16_t's to signed30 notation. */
762void uint16_to_signed30(secp256k1_modinv32_signed30* out, const uint16_t* in) {
763 int i;
764 memset(out->v, 0, sizeof(out->v));
765 for (i = 0; i < 256; ++i) {
766 out->v[i / 30] |= (int32_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 30);
767 }
768}
769
770/* Convert a 256-bit number in signed30 notation to a representation as 16 uint16_t's. */
771void signed30_to_uint16(uint16_t* out, const secp256k1_modinv32_signed30* in) {
772 int i;
773 memset(out, 0, 32);
774 for (i = 0; i < 256; ++i) {
775 out[i >> 4] |= (((in->v[i / 30]) >> (i % 30)) & 1) << (i & 15);
776 }
777}
778
779/* Randomly mutate the sign of limbs in signed30 representation, without changing the value. */
780void mutate_sign_signed30(secp256k1_modinv32_signed30* x) {
781 int i;
782 for (i = 0; i < 16; ++i) {
783 int pos = secp256k1_testrand_int(8);
784 if (x->v[pos] > 0 && x->v[pos + 1] <= 0x3fffffff) {
785 x->v[pos] -= 0x40000000;
786 x->v[pos + 1] += 1;
787 } else if (x->v[pos] < 0 && x->v[pos + 1] >= 0x3fffffff) {
788 x->v[pos] += 0x40000000;
789 x->v[pos + 1] -= 1;
790 }
791 }
792}
793
794/* Test secp256k1_modinv32{_var}, using inputs in 16-bit limb format, and returning inverse. */
795void test_modinv32_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
796 uint16_t tmp[16];
797 secp256k1_modinv32_signed30 x;
798 secp256k1_modinv32_modinfo m;
799 int i, vartime, nonzero;
800
801 uint16_to_signed30(&x, in);
802 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4] | x.v[5] | x.v[6] | x.v[7] | x.v[8]) != 0;
803 uint16_to_signed30(&m.modulus, mod);
804 mutate_sign_signed30(&m.modulus);
805
806 /* compute 1/modulus mod 2^30 */
807 m.modulus_inv30 = modinv2p64(m.modulus.v[0]) & 0x3fffffff;
808 CHECK(((m.modulus_inv30 * m.modulus.v[0]) & 0x3fffffff) == 1);
809
810 for (vartime = 0; vartime < 2; ++vartime) {
811 /* compute inverse */
812 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
813
814 /* produce output */
815 signed30_to_uint16(out, &x);
816
817 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
818 mulmod256(tmp, out, in, mod);
819 CHECK(tmp[0] == nonzero);
820 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
821
822 /* invert again */
823 (vartime ? secp256k1_modinv32_var : secp256k1_modinv32)(&x, &m);
824
825 /* check if the result is equal to the input */
826 signed30_to_uint16(tmp, &x);
827 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
828 }
829}
830
831#ifdef SECP256K1_WIDEMUL_INT128
832/* Convert a 256-bit number represented as 16 uint16_t's to signed62 notation. */
833void uint16_to_signed62(secp256k1_modinv64_signed62* out, const uint16_t* in) {
834 int i;
835 memset(out->v, 0, sizeof(out->v));
836 for (i = 0; i < 256; ++i) {
837 out->v[i / 62] |= (int64_t)(((in[i >> 4]) >> (i & 15)) & 1) << (i % 62);
838 }
839}
840
841/* Convert a 256-bit number in signed62 notation to a representation as 16 uint16_t's. */
842void signed62_to_uint16(uint16_t* out, const secp256k1_modinv64_signed62* in) {
843 int i;
844 memset(out, 0, 32);
845 for (i = 0; i < 256; ++i) {
846 out[i >> 4] |= (((in->v[i / 62]) >> (i % 62)) & 1) << (i & 15);
847 }
848}
849
850/* Randomly mutate the sign of limbs in signed62 representation, without changing the value. */
851void mutate_sign_signed62(secp256k1_modinv64_signed62* x) {
852 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
853 int i;
854 for (i = 0; i < 8; ++i) {
855 int pos = secp256k1_testrand_int(4);
856 if (x->v[pos] > 0 && x->v[pos + 1] <= M62) {
857 x->v[pos] -= (M62 + 1);
858 x->v[pos + 1] += 1;
859 } else if (x->v[pos] < 0 && x->v[pos + 1] >= -M62) {
860 x->v[pos] += (M62 + 1);
861 x->v[pos + 1] -= 1;
862 }
863 }
864}
865
866/* Test secp256k1_modinv64{_var}, using inputs in 16-bit limb format, and returning inverse. */
867void test_modinv64_uint16(uint16_t* out, const uint16_t* in, const uint16_t* mod) {
868 static const int64_t M62 = (int64_t)(UINT64_MAX >> 2);
869 uint16_t tmp[16];
870 secp256k1_modinv64_signed62 x;
871 secp256k1_modinv64_modinfo m;
872 int i, vartime, nonzero;
873
874 uint16_to_signed62(&x, in);
875 nonzero = (x.v[0] | x.v[1] | x.v[2] | x.v[3] | x.v[4]) != 0;
876 uint16_to_signed62(&m.modulus, mod);
877 mutate_sign_signed62(&m.modulus);
878
879 /* compute 1/modulus mod 2^62 */
880 m.modulus_inv62 = modinv2p64(m.modulus.v[0]) & M62;
881 CHECK(((m.modulus_inv62 * m.modulus.v[0]) & M62) == 1);
882
883 for (vartime = 0; vartime < 2; ++vartime) {
884 /* compute inverse */
885 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
886
887 /* produce output */
888 signed62_to_uint16(out, &x);
889
890 /* check if the inverse times the input is 1 (mod m), unless x is 0. */
891 mulmod256(tmp, out, in, mod);
892 CHECK(tmp[0] == nonzero);
893 for (i = 1; i < 16; ++i) CHECK(tmp[i] == 0);
894
895 /* invert again */
896 (vartime ? secp256k1_modinv64_var : secp256k1_modinv64)(&x, &m);
897
898 /* check if the result is equal to the input */
899 signed62_to_uint16(tmp, &x);
900 for (i = 0; i < 16; ++i) CHECK(tmp[i] == in[i]);
901 }
902}
903#endif
904
905/* test if a and b are coprime */
906int coprime(const uint16_t* a, const uint16_t* b) {
907 uint16_t x[16], y[16], t[16];
908 int i;
909 int iszero;
910 memcpy(x, a, 32);
911 memcpy(y, b, 32);
912
913 /* simple gcd loop: while x!=0, (x,y)=(y%x,x) */
914 while (1) {
915 iszero = 1;
916 for (i = 0; i < 16; ++i) {
917 if (x[i] != 0) {
918 iszero = 0;
919 break;
920 }
921 }
922 if (iszero) break;
923 mulmod256(t, y, NULL, x);
924 memcpy(y, x, 32);
925 memcpy(x, t, 32);
926 }
927
928 /* return whether y=1 */
929 if (y[0] != 1) return 0;
930 for (i = 1; i < 16; ++i) {
931 if (y[i] != 0) return 0;
932 }
933 return 1;
934}
935
936void run_modinv_tests(void) {
937 /* Fixed test cases. Each tuple is (input, modulus, output), each as 16x16 bits in LE order. */
938 static const uint16_t CASES[][3][16] = {
939 /* Test case known to need 713 divsteps */
940 {{0x1513, 0x5389, 0x54e9, 0x2798, 0x1957, 0x66a0, 0x8057, 0x3477,
941 0x7784, 0x1052, 0x326a, 0x9331, 0x6506, 0xa95c, 0x91f3, 0xfb5e},
942 {0x2bdd, 0x8df4, 0xcc61, 0x481f, 0xdae5, 0x5ca7, 0xf43b, 0x7d54,
943 0x13d6, 0x469b, 0x2294, 0x20f4, 0xb2a4, 0xa2d1, 0x3ff1, 0xfd4b},
944 {0xffd8, 0xd9a0, 0x456e, 0x81bb, 0xbabd, 0x6cea, 0x6dbd, 0x73ab,
945 0xbb94, 0x3d3c, 0xdf08, 0x31c4, 0x3e32, 0xc179, 0x2486, 0xb86b}},
946 /* Test case known to need 589 divsteps, reaching delta=-140 and
947 delta=141. */
948 {{0x3fb1, 0x903b, 0x4eb7, 0x4813, 0xd863, 0x26bf, 0xd89f, 0xa8a9,
949 0x02fe, 0x57c6, 0x554a, 0x4eab, 0x165e, 0x3d61, 0xee1e, 0x456c},
950 {0x9295, 0x823b, 0x5c1f, 0x5386, 0x48e0, 0x02ff, 0x4c2a, 0xa2da,
951 0xe58f, 0x967c, 0xc97e, 0x3f5a, 0x69fb, 0x52d9, 0x0a86, 0xb4a3},
952 {0x3d30, 0xb893, 0xa809, 0xa7a8, 0x26f5, 0x5b42, 0x55be, 0xf4d0,
953 0x12c2, 0x7e6a, 0xe41a, 0x90c7, 0xebfa, 0xf920, 0x304e, 0x1419}},
954 /* Test case known to need 650 divsteps, and doing 65 consecutive (f,g/2) steps. */
955 {{0x8583, 0x5058, 0xbeae, 0xeb69, 0x48bc, 0x52bb, 0x6a9d, 0xcc94,
956 0x2a21, 0x87d5, 0x5b0d, 0x42f6, 0x5b8a, 0x2214, 0xe9d6, 0xa040},
957 {0x7531, 0x27cb, 0x7e53, 0xb739, 0x6a5f, 0x83f5, 0xa45c, 0xcb1d,
958 0x8a87, 0x1c9c, 0x51d7, 0x851c, 0xb9d8, 0x1fbe, 0xc241, 0xd4a3},
959 {0xcdb4, 0x275c, 0x7d22, 0xa906, 0x0173, 0xc054, 0x7fdf, 0x5005,
960 0x7fb8, 0x9059, 0xdf51, 0x99df, 0x2654, 0x8f6e, 0x070f, 0xb347}},
961 /* Test case with the group order as modulus, needing 635 divsteps. */
962 {{0x95ed, 0x6c01, 0xd113, 0x5ff1, 0xd7d0, 0x29cc, 0x5817, 0x6120,
963 0xca8e, 0xaad1, 0x25ae, 0x8e84, 0x9af6, 0x30bf, 0xf0ed, 0x1686},
964 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
965 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
966 {0x1631, 0xbf4a, 0x286a, 0x2716, 0x469f, 0x2ac8, 0x1312, 0xe9bc,
967 0x04f4, 0x304b, 0x9931, 0x113b, 0xd932, 0xc8f4, 0x0d0d, 0x01a1}},
968 /* Test case with the field size as modulus, needing 637 divsteps. */
969 {{0x9ec3, 0x1919, 0xca84, 0x7c11, 0xf996, 0x06f3, 0x5408, 0x6688,
970 0x1320, 0xdb8a, 0x632a, 0x0dcb, 0x8a84, 0x6bee, 0x9c95, 0xe34e},
971 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
972 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
973 {0x18e5, 0x19b6, 0xdf92, 0x1aaa, 0x09fb, 0x8a3f, 0x52b0, 0x8701,
974 0xac0c, 0x2582, 0xda44, 0x9bcc, 0x6828, 0x1c53, 0xbd8f, 0xbd2c}},
975 /* Test case with the field size as modulus, needing 935 divsteps with
976 broken eta handling. */
977 {{0x1b37, 0xbdc3, 0x8bcd, 0x25e3, 0x1eae, 0x567d, 0x30b6, 0xf0d8,
978 0x9277, 0x0cf8, 0x9c2e, 0xecd7, 0x631d, 0xe38f, 0xd4f8, 0x5c93},
979 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
980 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
981 {0x1622, 0xe05b, 0xe880, 0x7de9, 0x3e45, 0xb682, 0xee6c, 0x67ed,
982 0xa179, 0x15db, 0x6b0d, 0xa656, 0x7ccb, 0x8ef7, 0xa2ff, 0xe279}},
983 /* Test case with the group size as modulus, needing 981 divsteps with
984 broken eta handling. */
985 {{0xfeb9, 0xb877, 0xee41, 0x7fa3, 0x87da, 0x94c4, 0x9d04, 0xc5ae,
986 0x5708, 0x0994, 0xfc79, 0x0916, 0xbf32, 0x3ad8, 0xe11c, 0x5ca2},
987 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
988 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
989 {0x0f12, 0x075e, 0xce1c, 0x6f92, 0xc80f, 0xca92, 0x9a04, 0x6126,
990 0x4b6c, 0x57d6, 0xca31, 0x97f3, 0x1f99, 0xf4fd, 0xda4d, 0x42ce}},
991 /* Test case with the field size as modulus, input = 0. */
992 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
993 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
994 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
995 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
996 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
997 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
998 /* Test case with the field size as modulus, input = 1. */
999 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1000 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1001 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1002 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1003 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1004 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1005 /* Test case with the field size as modulus, input = 2. */
1006 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1007 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1008 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1009 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1010 {0xfe18, 0x7fff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1011 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1012 /* Test case with the field size as modulus, input = field - 1. */
1013 {{0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1014 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1015 {0xfc2f, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1016 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1017 {0xfc2e, 0xffff, 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff,
1018 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}},
1019 /* Test case with the group size as modulus, input = 0. */
1020 {{0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1021 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1022 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1023 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1024 {0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1025 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1026 /* Test case with the group size as modulus, input = 1. */
1027 {{0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1028 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1029 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1030 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1031 {0x0001, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1032 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000}},
1033 /* Test case with the group size as modulus, input = 2. */
1034 {{0x0002, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000,
1035 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000, 0x0000},
1036 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1037 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1038 {0x20a1, 0x681b, 0x2f46, 0xdfe9, 0x501d, 0x57a4, 0x6e73, 0x5d57,
1039 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0x7fff}},
1040 /* Test case with the group size as modulus, input = group - 1. */
1041 {{0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1042 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1043 {0x4141, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1044 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff},
1045 {0x4140, 0xd036, 0x5e8c, 0xbfd2, 0xa03b, 0xaf48, 0xdce6, 0xbaae,
1046 0xfffe, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff, 0xffff}}
1047 };
1048
1049 int i, j, ok;
1050
1051 /* Test known inputs/outputs */
1052 for (i = 0; (size_t)i < sizeof(CASES) / sizeof(CASES[0]); ++i) {
1053 uint16_t out[16];
1054 test_modinv32_uint16(out, CASES[i][0], CASES[i][1]);
1055 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1056#ifdef SECP256K1_WIDEMUL_INT128
1057 test_modinv64_uint16(out, CASES[i][0], CASES[i][1]);
1058 for (j = 0; j < 16; ++j) CHECK(out[j] == CASES[i][2][j]);
1059#endif
1060 }
1061
1062 for (i = 0; i < 100 * count; ++i) {
1063 /* 256-bit numbers in 16-uint16_t's notation */
1064 static const uint16_t ZERO[16] = {0};
1065 uint16_t xd[16]; /* the number (in range [0,2^256)) to be inverted */
1066 uint16_t md[16]; /* the modulus (odd, in range [3,2^256)) */
1067 uint16_t id[16]; /* the inverse of xd mod md */
1068
1069 /* generate random xd and md, so that md is odd, md>1, xd<md, and gcd(xd,md)=1 */
1070 do {
1071 /* generate random xd and md (with many subsequent 0s and 1s) */
1072 secp256k1_testrand256_test((unsigned char*)xd);
1073 secp256k1_testrand256_test((unsigned char*)md);
1074 md[0] |= 1; /* modulus must be odd */
1075 /* If modulus is 1, find another one. */
1076 ok = md[0] != 1;
1077 for (j = 1; j < 16; ++j) ok |= md[j] != 0;
1078 mulmod256(xd, xd, NULL, md); /* Make xd = xd mod md */
1079 } while (!(ok && coprime(xd, md)));
1080
1081 test_modinv32_uint16(id, xd, md);
1082#ifdef SECP256K1_WIDEMUL_INT128
1083 test_modinv64_uint16(id, xd, md);
1084#endif
1085
1086 /* In a few cases, also test with input=0 */
1087 if (i < count) {
1088 test_modinv32_uint16(id, ZERO, md);
1089#ifdef SECP256K1_WIDEMUL_INT128
1090 test_modinv64_uint16(id, ZERO, md);
1091#endif
1092 }
1093 }
1094}
1095
1096/***** SCALAR TESTS *****/
1097
1098
1099void scalar_test(void) {
1100 secp256k1_scalar s;
1101 secp256k1_scalar s1;
1102 secp256k1_scalar s2;
1103 unsigned char c[32];
1104
1105 /* Set 's' to a random scalar, with value 'snum'. */
1106 random_scalar_order_test(&s);
1107
1108 /* Set 's1' to a random scalar, with value 's1num'. */
1109 random_scalar_order_test(&s1);
1110
1111 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
1112 random_scalar_order_test(&s2);
1113 secp256k1_scalar_get_b32(c, &s2);
1114
1115 {
1116 int i;
1117 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
1118 secp256k1_scalar n;
1119 secp256k1_scalar_set_int(&n, 0);
1120 for (i = 0; i < 256; i += 4) {
1121 secp256k1_scalar t;
1122 int j;
1123 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
1124 for (j = 0; j < 4; j++) {
1125 secp256k1_scalar_add(&n, &n, &n);
1126 }
1127 secp256k1_scalar_add(&n, &n, &t);
1128 }
1129 CHECK(secp256k1_scalar_eq(&n, &s));
1130 }
1131
1132 {
1133 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
1134 secp256k1_scalar n;
1135 int i = 0;
1136 secp256k1_scalar_set_int(&n, 0);
1137 while (i < 256) {
1138 secp256k1_scalar t;
1139 int j;
1140 int now = secp256k1_testrand_int(15) + 1;
1141 if (now + i > 256) {
1142 now = 256 - i;
1143 }
1144 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
1145 for (j = 0; j < now; j++) {
1146 secp256k1_scalar_add(&n, &n, &n);
1147 }
1148 secp256k1_scalar_add(&n, &n, &t);
1149 i += now;
1150 }
1151 CHECK(secp256k1_scalar_eq(&n, &s));
1152 }
1153
1154 {
1155 /* test secp256k1_scalar_shr_int */
1156 secp256k1_scalar r;
1157 int i;
1158 random_scalar_order_test(&r);
1159 for (i = 0; i < 100; ++i) {
1160 int low;
1161 int shift = 1 + secp256k1_testrand_int(15);
1162 int expected = r.d[0] % (1 << shift);
1163 low = secp256k1_scalar_shr_int(&r, shift);
1164 CHECK(expected == low);
1165 }
1166 }
1167
1168 {
1169 /* Test commutativity of add. */
1170 secp256k1_scalar r1, r2;
1171 secp256k1_scalar_add(&r1, &s1, &s2);
1172 secp256k1_scalar_add(&r2, &s2, &s1);
1173 CHECK(secp256k1_scalar_eq(&r1, &r2));
1174 }
1175
1176 {
1177 secp256k1_scalar r1, r2;
1178 secp256k1_scalar b;
1179 int i;
1180 /* Test add_bit. */
1181 int bit = secp256k1_testrand_bits(8);
1182 secp256k1_scalar_set_int(&b, 1);
1183 CHECK(secp256k1_scalar_is_one(&b));
1184 for (i = 0; i < bit; i++) {
1185 secp256k1_scalar_add(&b, &b, &b);
1186 }
1187 r1 = s1;
1188 r2 = s1;
1189 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
1190 /* No overflow happened. */
1191 secp256k1_scalar_cadd_bit(&r2, bit, 1);
1192 CHECK(secp256k1_scalar_eq(&r1, &r2));
1193 /* cadd is a noop when flag is zero */
1194 secp256k1_scalar_cadd_bit(&r2, bit, 0);
1195 CHECK(secp256k1_scalar_eq(&r1, &r2));
1196 }
1197 }
1198
1199 {
1200 /* Test commutativity of mul. */
1201 secp256k1_scalar r1, r2;
1202 secp256k1_scalar_mul(&r1, &s1, &s2);
1203 secp256k1_scalar_mul(&r2, &s2, &s1);
1204 CHECK(secp256k1_scalar_eq(&r1, &r2));
1205 }
1206
1207 {
1208 /* Test associativity of add. */
1209 secp256k1_scalar r1, r2;
1210 secp256k1_scalar_add(&r1, &s1, &s2);
1211 secp256k1_scalar_add(&r1, &r1, &s);
1212 secp256k1_scalar_add(&r2, &s2, &s);
1213 secp256k1_scalar_add(&r2, &s1, &r2);
1214 CHECK(secp256k1_scalar_eq(&r1, &r2));
1215 }
1216
1217 {
1218 /* Test associativity of mul. */
1219 secp256k1_scalar r1, r2;
1220 secp256k1_scalar_mul(&r1, &s1, &s2);
1221 secp256k1_scalar_mul(&r1, &r1, &s);
1222 secp256k1_scalar_mul(&r2, &s2, &s);
1223 secp256k1_scalar_mul(&r2, &s1, &r2);
1224 CHECK(secp256k1_scalar_eq(&r1, &r2));
1225 }
1226
1227 {
1228 /* Test distributitivity of mul over add. */
1229 secp256k1_scalar r1, r2, t;
1230 secp256k1_scalar_add(&r1, &s1, &s2);
1231 secp256k1_scalar_mul(&r1, &r1, &s);
1232 secp256k1_scalar_mul(&r2, &s1, &s);
1233 secp256k1_scalar_mul(&t, &s2, &s);
1234 secp256k1_scalar_add(&r2, &r2, &t);
1235 CHECK(secp256k1_scalar_eq(&r1, &r2));
1236 }
1237
1238 {
1239 /* Test multiplicative identity. */
1240 secp256k1_scalar r1, v1;
1241 secp256k1_scalar_set_int(&v1,1);
1242 secp256k1_scalar_mul(&r1, &s1, &v1);
1243 CHECK(secp256k1_scalar_eq(&r1, &s1));
1244 }
1245
1246 {
1247 /* Test additive identity. */
1248 secp256k1_scalar r1, v0;
1249 secp256k1_scalar_set_int(&v0,0);
1250 secp256k1_scalar_add(&r1, &s1, &v0);
1251 CHECK(secp256k1_scalar_eq(&r1, &s1));
1252 }
1253
1254 {
1255 /* Test zero product property. */
1256 secp256k1_scalar r1, v0;
1257 secp256k1_scalar_set_int(&v0,0);
1258 secp256k1_scalar_mul(&r1, &s1, &v0);
1259 CHECK(secp256k1_scalar_eq(&r1, &v0));
1260 }
1261
1262}
1263
1264void run_scalar_set_b32_seckey_tests(void) {
1265 unsigned char b32[32];
1266 secp256k1_scalar s1;
1267 secp256k1_scalar s2;
1268
1269 /* Usually set_b32 and set_b32_seckey give the same result */
1270 random_scalar_order_b32(b32);
1271 secp256k1_scalar_set_b32(&s1, b32, NULL);
1272 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
1273 CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
1274
1275 memset(b32, 0, sizeof(b32));
1276 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1277 memset(b32, 0xFF, sizeof(b32));
1278 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1279}
1280
1281void run_scalar_tests(void) {
1282 int i;
1283 for (i = 0; i < 128 * count; i++) {
1284 scalar_test();
1285 }
1286 for (i = 0; i < count; i++) {
1287 run_scalar_set_b32_seckey_tests();
1288 }
1289
1290 {
1291 /* (-1)+1 should be zero. */
1292 secp256k1_scalar s, o;
1293 secp256k1_scalar_set_int(&s, 1);
1294 CHECK(secp256k1_scalar_is_one(&s));
1295 secp256k1_scalar_negate(&o, &s);
1296 secp256k1_scalar_add(&o, &o, &s);
1297 CHECK(secp256k1_scalar_is_zero(&o));
1298 secp256k1_scalar_negate(&o, &o);
1299 CHECK(secp256k1_scalar_is_zero(&o));
1300 }
1301
1302 {
1303 /* Does check_overflow check catch all ones? */
1304 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1305 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1306 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1307 );
1308 CHECK(secp256k1_scalar_check_overflow(&overflowed));
1309 }
1310
1311 {
1312 /* Static test vectors.
1313 * These were reduced from ~10^12 random vectors based on comparison-decision
1314 * and edge-case coverage on 32-bit and 64-bit implementations.
1315 * The responses were generated with Sage 5.9.
1316 */
1317 secp256k1_scalar x;
1318 secp256k1_scalar y;
1319 secp256k1_scalar z;
1320 secp256k1_scalar zz;
1321 secp256k1_scalar one;
1322 secp256k1_scalar r1;
1323 secp256k1_scalar r2;
1324 secp256k1_scalar zzv;
1325 int overflow;
1326 unsigned char chal[33][2][32] = {
1327 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1328 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1329 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1330 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1331 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1332 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1333 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1334 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1335 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1336 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1337 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1338 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1339 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1340 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1341 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1342 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1343 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1344 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1345 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1346 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1347 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1348 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1349 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1350 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1351 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1352 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1353 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1354 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1355 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1356 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1357 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1358 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1359 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1360 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1361 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1362 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1363 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1364 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1365 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1366 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1367 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1368 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1369 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1370 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1371 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1372 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1373 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1374 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1375 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1376 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1377 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1378 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1379 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1380 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1381 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1382 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1383 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1384 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1385 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1386 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1387 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1388 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1389 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1390 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1391 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1392 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1393 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1394 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1395 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1396 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1397 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1398 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1399 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1400 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1401 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1402 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1403 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1404 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1405 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1406 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1407 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1408 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1409 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1410 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1411 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1412 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1413 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1414 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1415 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1416 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1417 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1418 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1419 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1420 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1421 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1422 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1423 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1424 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1425 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1426 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1427 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1428 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1429 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1430 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1431 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1432 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1433 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1434 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1435 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1436 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1437 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1438 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1439 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1440 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1441 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1442 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1443 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1444 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1445 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1446 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1447 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1448 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1449 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1450 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1451 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1452 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1453 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1454 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1455 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1456 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1457 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1458 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1459 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1460 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1461 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1462 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1463 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1464 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1465 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1466 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1467 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1468 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1469 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1470 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1471 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1472 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1473 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1474 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1475 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1476 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1477 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1478 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1479 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1480 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1481 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1482 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1483 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1484 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1485 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1486 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1487 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1488 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1489 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1490 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1491 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1492 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1493 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1494 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1495 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1496 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1497 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1498 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1499 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1500 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1501 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1502 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1503 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1504 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1505 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1506 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1507 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1508 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1509 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1510 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1511 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1512 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1513 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1514 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1515 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1516 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1517 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1518 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1519 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1520 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1521 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1522 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1523 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1524 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1525 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1526 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1527 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1528 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1529 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1530 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1531 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1532 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1533 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1534 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1535 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1536 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1537 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1538 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1539 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1540 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1541 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1542 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1543 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1544 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1545 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1546 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1547 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1548 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1549 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1550 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1551 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1552 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1553 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1554 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1555 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1556 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1557 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1558 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1559 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1560 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1561 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1562 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1563 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1564 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1565 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1566 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1567 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1568 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1569 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1570 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1571 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1572 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1573 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1574 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1575 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1576 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1577 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1578 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1579 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1580 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1581 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1582 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1583 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1584 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1585 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1586 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1587 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1588 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1589 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1590 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
1591 };
1592 unsigned char res[33][2][32] = {
1593 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1594 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1595 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1596 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1597 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1598 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1599 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1600 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1601 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1602 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1603 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1604 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1605 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1606 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1607 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1608 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1609 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1610 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1611 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1612 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1613 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1614 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1615 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1616 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1617 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1618 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1619 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1620 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1621 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1622 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1623 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1624 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1625 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1626 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1627 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1628 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1629 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1630 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1631 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1632 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1633 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1634 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1635 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1636 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1637 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1638 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1639 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1640 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1641 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1642 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1643 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1644 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1645 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1646 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1647 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1648 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1649 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1650 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1651 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1652 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1653 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1654 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1655 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1656 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1657 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1658 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1659 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1660 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1661 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1662 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1663 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1664 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1665 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1666 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1667 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1668 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1669 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1670 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1671 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1672 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1673 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1674 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1675 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1676 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1677 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1678 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1679 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1680 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1681 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1682 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1683 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1684 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1685 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1686 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1687 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1688 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1689 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1690 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1691 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1692 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1693 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1694 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1695 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1696 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1697 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1698 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1699 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1700 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1701 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1702 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1703 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1704 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1705 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1706 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1707 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1708 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1709 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1710 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1711 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1712 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1713 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1714 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1715 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1716 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1717 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1718 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1719 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1720 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1721 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1722 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1723 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1724 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1725 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1726 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1727 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1728 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1729 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1730 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1731 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1732 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1733 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1734 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1735 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1736 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1737 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1738 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1739 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1740 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1741 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1742 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1743 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1744 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1745 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1746 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1747 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1748 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1749 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1750 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1751 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1752 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1753 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1754 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1755 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1756 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1757 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1758 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1759 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1760 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1761 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1762 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1763 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1764 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1765 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1766 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1767 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1768 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1769 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1770 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1771 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1772 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1773 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1774 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1775 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1776 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1777 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1778 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1779 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1780 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1781 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1782 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1783 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1784 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1785 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1786 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1787 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1788 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1789 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1790 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1791 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1792 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1793 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1794 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1795 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1796 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1797 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1798 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1799 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1800 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1801 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1802 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1803 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1804 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1805 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1806 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1807 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1808 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1809 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1810 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1811 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1812 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1813 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1814 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1815 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1816 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1817 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1818 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1819 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1820 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1821 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1822 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1823 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1824 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1825 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1826 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1827 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1828 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1829 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1830 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1831 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1832 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1833 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1834 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1835 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1836 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1837 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1838 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1839 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1840 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1841 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1842 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1843 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1844 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1845 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1846 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1847 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
1848 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1849 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1850 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1851 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1852 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1853 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1854 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1855 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1856 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
1857 };
1858 secp256k1_scalar_set_int(&one, 1);
1859 for (i = 0; i < 33; i++) {
1860 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1861 CHECK(!overflow);
1862 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1863 CHECK(!overflow);
1864 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1865 CHECK(!overflow);
1866 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1867 CHECK(!overflow);
1868 secp256k1_scalar_mul(&z, &x, &y);
1869 CHECK(!secp256k1_scalar_check_overflow(&z));
1870 CHECK(secp256k1_scalar_eq(&r1, &z));
1871 if (!secp256k1_scalar_is_zero(&y)) {
1872 secp256k1_scalar_inverse(&zz, &y);
1873 CHECK(!secp256k1_scalar_check_overflow(&zz));
1874 secp256k1_scalar_inverse_var(&zzv, &y);
1875 CHECK(secp256k1_scalar_eq(&zzv, &zz));
1876 secp256k1_scalar_mul(&z, &z, &zz);
1877 CHECK(!secp256k1_scalar_check_overflow(&z));
1878 CHECK(secp256k1_scalar_eq(&x, &z));
1879 secp256k1_scalar_mul(&zz, &zz, &y);
1880 CHECK(!secp256k1_scalar_check_overflow(&zz));
1881 CHECK(secp256k1_scalar_eq(&one, &zz));
1882 }
1883 }
1884 }
1885}
1886
1887/***** FIELD TESTS *****/
1888
1889void random_fe(secp256k1_fe *x) {
1890 unsigned char bin[32];
1891 do {
1892 secp256k1_testrand256(bin);
1893 if (secp256k1_fe_set_b32(x, bin)) {
1894 return;
1895 }
1896 } while(1);
1897}
1898
1899void random_fe_test(secp256k1_fe *x) {
1900 unsigned char bin[32];
1901 do {
1902 secp256k1_testrand256_test(bin);
1903 if (secp256k1_fe_set_b32(x, bin)) {
1904 return;
1905 }
1906 } while(1);
1907}
1908
1909void random_fe_non_zero(secp256k1_fe *nz) {
1910 int tries = 10;
1911 while (--tries >= 0) {
1912 random_fe(nz);
1913 secp256k1_fe_normalize(nz);
1914 if (!secp256k1_fe_is_zero(nz)) {
1915 break;
1916 }
1917 }
1918 /* Infinitesimal probability of spurious failure here */
1919 CHECK(tries >= 0);
1920}
1921
1922void random_fe_non_square(secp256k1_fe *ns) {
1923 secp256k1_fe r;
1924 random_fe_non_zero(ns);
1925 if (secp256k1_fe_sqrt(&r, ns)) {
1926 secp256k1_fe_negate(ns, ns, 1);
1927 }
1928}
1929
1930int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1931 secp256k1_fe an = *a;
1932 secp256k1_fe bn = *b;
1933 secp256k1_fe_normalize_weak(&an);
1934 secp256k1_fe_normalize_var(&bn);
1935 return secp256k1_fe_equal_var(&an, &bn);
1936}
1937
1938void run_field_convert(void) {
1939 static const unsigned char b32[32] = {
1940 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1941 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1942 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1943 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1944 };
1945 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
1946 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1947 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1948 );
1949 static const secp256k1_fe fe = SECP256K1_FE_CONST(
1950 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1951 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1952 );
1953 secp256k1_fe fe2;
1954 unsigned char b322[32];
1955 secp256k1_fe_storage fes2;
1956 /* Check conversions to fe. */
1957 CHECK(secp256k1_fe_set_b32(&fe2, b32));
1958 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1959 secp256k1_fe_from_storage(&fe2, &fes);
1960 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1961 /* Check conversion from fe. */
1962 secp256k1_fe_get_b32(b322, &fe);
1963 CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
1964 secp256k1_fe_to_storage(&fes2, &fe);
1965 CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
1966}
1967
1968int fe_secp256k1_memcmp_var(const secp256k1_fe *a, const secp256k1_fe *b) {
1969 secp256k1_fe t = *b;
1970#ifdef VERIFY
1971 t.magnitude = a->magnitude;
1972 t.normalized = a->normalized;
1973#endif
1974 return secp256k1_memcmp_var(a, &t, sizeof(secp256k1_fe));
1975}
1976
1977void run_field_misc(void) {
1978 secp256k1_fe x;
1979 secp256k1_fe y;
1980 secp256k1_fe z;
1981 secp256k1_fe q;
1982 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
1983 int i, j;
1984 for (i = 0; i < 5*count; i++) {
1985 secp256k1_fe_storage xs, ys, zs;
1986 random_fe(&x);
1987 random_fe_non_zero(&y);
1988 /* Test the fe equality and comparison operations. */
1989 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
1990 CHECK(secp256k1_fe_equal_var(&x, &x));
1991 z = x;
1992 secp256k1_fe_add(&z,&y);
1993 /* Test fe conditional move; z is not normalized here. */
1994 q = x;
1995 secp256k1_fe_cmov(&x, &z, 0);
1996#ifdef VERIFY
1997 CHECK(x.normalized && x.magnitude == 1);
1998#endif
1999 secp256k1_fe_cmov(&x, &x, 1);
2000 CHECK(fe_secp256k1_memcmp_var(&x, &z) != 0);
2001 CHECK(fe_secp256k1_memcmp_var(&x, &q) == 0);
2002 secp256k1_fe_cmov(&q, &z, 1);
2003#ifdef VERIFY
2004 CHECK(!q.normalized && q.magnitude == z.magnitude);
2005#endif
2006 CHECK(fe_secp256k1_memcmp_var(&q, &z) == 0);
2007 secp256k1_fe_normalize_var(&x);
2008 secp256k1_fe_normalize_var(&z);
2009 CHECK(!secp256k1_fe_equal_var(&x, &z));
2010 secp256k1_fe_normalize_var(&q);
2011 secp256k1_fe_cmov(&q, &z, (i&1));
2012#ifdef VERIFY
2013 CHECK(q.normalized && q.magnitude == 1);
2014#endif
2015 for (j = 0; j < 6; j++) {
2016 secp256k1_fe_negate(&z, &z, j+1);
2017 secp256k1_fe_normalize_var(&q);
2018 secp256k1_fe_cmov(&q, &z, (j&1));
2019#ifdef VERIFY
2020 CHECK((q.normalized != (j&1)) && q.magnitude == ((j&1) ? z.magnitude : 1));
2021#endif
2022 }
2023 secp256k1_fe_normalize_var(&z);
2024 /* Test storage conversion and conditional moves. */
2025 secp256k1_fe_to_storage(&xs, &x);
2026 secp256k1_fe_to_storage(&ys, &y);
2027 secp256k1_fe_to_storage(&zs, &z);
2028 secp256k1_fe_storage_cmov(&zs, &xs, 0);
2029 secp256k1_fe_storage_cmov(&zs, &zs, 1);
2030 CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
2031 secp256k1_fe_storage_cmov(&ys, &xs, 1);
2032 CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
2033 secp256k1_fe_from_storage(&x, &xs);
2034 secp256k1_fe_from_storage(&y, &ys);
2035 secp256k1_fe_from_storage(&z, &zs);
2036 /* Test that mul_int, mul, and add agree. */
2037 secp256k1_fe_add(&y, &x);
2038 secp256k1_fe_add(&y, &x);
2039 z = x;
2040 secp256k1_fe_mul_int(&z, 3);
2041 CHECK(check_fe_equal(&y, &z));
2042 secp256k1_fe_add(&y, &x);
2043 secp256k1_fe_add(&z, &x);
2044 CHECK(check_fe_equal(&z, &y));
2045 z = x;
2046 secp256k1_fe_mul_int(&z, 5);
2047 secp256k1_fe_mul(&q, &x, &fe5);
2048 CHECK(check_fe_equal(&z, &q));
2049 secp256k1_fe_negate(&x, &x, 1);
2050 secp256k1_fe_add(&z, &x);
2051 secp256k1_fe_add(&q, &x);
2052 CHECK(check_fe_equal(&y, &z));
2053 CHECK(check_fe_equal(&q, &y));
2054 }
2055}
2056
2057void run_sqr(void) {
2058 secp256k1_fe x, s;
2059
2060 {
2061 int i;
2062 secp256k1_fe_set_int(&x, 1);
2063 secp256k1_fe_negate(&x, &x, 1);
2064
2065 for (i = 1; i <= 512; ++i) {
2066 secp256k1_fe_mul_int(&x, 2);
2067 secp256k1_fe_normalize(&x);
2068 secp256k1_fe_sqr(&s, &x);
2069 }
2070 }
2071}
2072
2073void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
2074 secp256k1_fe r1, r2;
2075 int v = secp256k1_fe_sqrt(&r1, a);
2076 CHECK((v == 0) == (k == NULL));
2077
2078 if (k != NULL) {
2079 /* Check that the returned root is +/- the given known answer */
2080 secp256k1_fe_negate(&r2, &r1, 1);
2081 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
2082 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
2083 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
2084 }
2085}
2086
2087void run_sqrt(void) {
2088 secp256k1_fe ns, x, s, t;
2089 int i;
2090
2091 /* Check sqrt(0) is 0 */
2092 secp256k1_fe_set_int(&x, 0);
2093 secp256k1_fe_sqr(&s, &x);
2094 test_sqrt(&s, &x);
2095
2096 /* Check sqrt of small squares (and their negatives) */
2097 for (i = 1; i <= 100; i++) {
2098 secp256k1_fe_set_int(&x, i);
2099 secp256k1_fe_sqr(&s, &x);
2100 test_sqrt(&s, &x);
2101 secp256k1_fe_negate(&t, &s, 1);
2102 test_sqrt(&t, NULL);
2103 }
2104
2105 /* Consistency checks for large random values */
2106 for (i = 0; i < 10; i++) {
2107 int j;
2108 random_fe_non_square(&ns);
2109 for (j = 0; j < count; j++) {
2110 random_fe(&x);
2111 secp256k1_fe_sqr(&s, &x);
2112 test_sqrt(&s, &x);
2113 secp256k1_fe_negate(&t, &s, 1);
2114 test_sqrt(&t, NULL);
2115 secp256k1_fe_mul(&t, &s, &ns);
2116 test_sqrt(&t, NULL);
2117 }
2118 }
2119}
2120
2121/***** FIELD/SCALAR INVERSE TESTS *****/
2122
2123static const secp256k1_scalar scalar_minus_one = SECP256K1_SCALAR_CONST(
2124 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE,
2125 0xBAAEDCE6, 0xAF48A03B, 0xBFD25E8C, 0xD0364140
2126);
2127
2128static const secp256k1_fe fe_minus_one = SECP256K1_FE_CONST(
2129 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF,
2130 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFC2E
2131);
2132
2133/* These tests test the following identities:
2134 *
2135 * for x==0: 1/x == 0
2136 * for x!=0: x*(1/x) == 1
2137 * for x!=0 and x!=1: 1/(1/x - 1) + 1 == -1/(x-1)
2138 */
2139
2140void test_inverse_scalar(secp256k1_scalar* out, const secp256k1_scalar* x, int var)
2141{
2142 secp256k1_scalar l, r, t;
2143
2144 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse_var)(&l, x); /* l = 1/x */
2145 if (out) *out = l;
2146 if (secp256k1_scalar_is_zero(x)) {
2147 CHECK(secp256k1_scalar_is_zero(&l));
2148 return;
2149 }
2150 secp256k1_scalar_mul(&t, x, &l); /* t = x*(1/x) */
2151 CHECK(secp256k1_scalar_is_one(&t)); /* x*(1/x) == 1 */
2152 secp256k1_scalar_add(&r, x, &scalar_minus_one); /* r = x-1 */
2153 if (secp256k1_scalar_is_zero(&r)) return;
2154 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse_var)(&r, &r); /* r = 1/(x-1) */
2155 secp256k1_scalar_add(&l, &scalar_minus_one, &l); /* l = 1/x-1 */
2156 (var ? secp256k1_scalar_inverse_var : secp256k1_scalar_inverse_var)(&l, &l); /* l = 1/(1/x-1) */
2157 secp256k1_scalar_add(&l, &l, &secp256k1_scalar_one); /* l = 1/(1/x-1)+1 */
2158 secp256k1_scalar_add(&l, &r, &l); /* l = 1/(1/x-1)+1 + 1/(x-1) */
2159 CHECK(secp256k1_scalar_is_zero(&l)); /* l == 0 */
2160}
2161
2162void test_inverse_field(secp256k1_fe* out, const secp256k1_fe* x, int var)
2163{
2164 secp256k1_fe l, r, t;
2165
2166 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, x) ; /* l = 1/x */
2167 if (out) *out = l;
2168 t = *x; /* t = x */
2169 if (secp256k1_fe_normalizes_to_zero_var(&t)) {
2170 CHECK(secp256k1_fe_normalizes_to_zero(&l));
2171 return;
2172 }
2173 secp256k1_fe_mul(&t, x, &l); /* t = x*(1/x) */
2174 secp256k1_fe_add(&t, &fe_minus_one); /* t = x*(1/x)-1 */
2175 CHECK(secp256k1_fe_normalizes_to_zero(&t)); /* x*(1/x)-1 == 0 */
2176 r = *x; /* r = x */
2177 secp256k1_fe_add(&r, &fe_minus_one); /* r = x-1 */
2178 if (secp256k1_fe_normalizes_to_zero_var(&r)) return;
2179 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&r, &r); /* r = 1/(x-1) */
2180 secp256k1_fe_add(&l, &fe_minus_one); /* l = 1/x-1 */
2181 (var ? secp256k1_fe_inv_var : secp256k1_fe_inv)(&l, &l); /* l = 1/(1/x-1) */
2182 secp256k1_fe_add(&l, &secp256k1_fe_one); /* l = 1/(1/x-1)+1 */
2183 secp256k1_fe_add(&l, &r); /* l = 1/(1/x-1)+1 + 1/(x-1) */
2184 CHECK(secp256k1_fe_normalizes_to_zero_var(&l)); /* l == 0 */
2185}
2186
2187void run_inverse_tests(void)
2188{
2189 /* Fixed test cases for field inverses: pairs of (x, 1/x) mod p. */
2190 static const secp256k1_fe fe_cases[][2] = {
2191 /* 0 */
2192 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0),
2193 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
2194 /* 1 */
2195 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1),
2196 SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
2197 /* -1 */
2198 {SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e),
2199 SECP256K1_FE_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xfffffc2e)},
2200 /* 2 */
2201 {SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2),
2202 SECP256K1_FE_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x7ffffe18)},
2203 /* 2**128 */
2204 {SECP256K1_FE_CONST(0, 0, 0, 1, 0, 0, 0, 0),
2205 SECP256K1_FE_CONST(0xbcb223fe, 0xdc24a059, 0xd838091d, 0xd2253530, 0xffffffff, 0xffffffff, 0xffffffff, 0x434dd931)},
2206 /* Input known to need 637 divsteps */
2207 {SECP256K1_FE_CONST(0xe34e9c95, 0x6bee8a84, 0x0dcb632a, 0xdb8a1320, 0x66885408, 0x06f3f996, 0x7c11ca84, 0x19199ec3),
2208 SECP256K1_FE_CONST(0xbd2cbd8f, 0x1c536828, 0x9bccda44, 0x2582ac0c, 0x870152b0, 0x8a3f09fb, 0x1aaadf92, 0x19b618e5)}
2209 };
2210 /* Fixed test cases for scalar inverses: pairs of (x, 1/x) mod n. */
2211 static const secp256k1_scalar scalar_cases[][2] = {
2212 /* 0 */
2213 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0),
2214 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0)},
2215 /* 1 */
2216 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1),
2217 SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1)},
2218 /* -1 */
2219 {SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140),
2220 SECP256K1_SCALAR_CONST(0xffffffff, 0xffffffff, 0xffffffff, 0xfffffffe, 0xbaaedce6, 0xaf48a03b, 0xbfd25e8c, 0xd0364140)},
2221 /* 2 */
2222 {SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 2),
2223 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0x5d576e73, 0x57a4501d, 0xdfe92f46, 0x681b20a1)},
2224 /* 2**128 */
2225 {SECP256K1_SCALAR_CONST(0, 0, 0, 1, 0, 0, 0, 0),
2226 SECP256K1_SCALAR_CONST(0x50a51ac8, 0x34b9ec24, 0x4b0dff66, 0x5588b13e, 0x9984d5b3, 0xcf80ef0f, 0xd6a23766, 0xa3ee9f22)},
2227 /* Input known to need 635 divsteps */
2228 {SECP256K1_SCALAR_CONST(0xcb9f1d35, 0xdd4416c2, 0xcd71bf3f, 0x6365da66, 0x3c9b3376, 0x8feb7ae9, 0x32a5ef60, 0x19199ec3),
2229 SECP256K1_SCALAR_CONST(0x1d7c7bba, 0xf1893d53, 0xb834bd09, 0x36b411dc, 0x42c2e42f, 0xec72c428, 0x5e189791, 0x8e9bc708)}
2230 };
2231 int i, var, testrand;
2232 unsigned char b32[32];
2233 secp256k1_fe x_fe;
2234 secp256k1_scalar x_scalar;
2235 memset(b32, 0, sizeof(b32));
2236 /* Test fixed test cases through test_inverse_{scalar,field}, both ways. */
2237 for (i = 0; (size_t)i < sizeof(fe_cases)/sizeof(fe_cases[0]); ++i) {
2238 for (var = 0; var <= 1; ++var) {
2239 test_inverse_field(&x_fe, &fe_cases[i][0], var);
2240 check_fe_equal(&x_fe, &fe_cases[i][1]);
2241 test_inverse_field(&x_fe, &fe_cases[i][1], var);
2242 check_fe_equal(&x_fe, &fe_cases[i][0]);
2243 }
2244 }
2245 for (i = 0; (size_t)i < sizeof(scalar_cases)/sizeof(scalar_cases[0]); ++i) {
2246 for (var = 0; var <= 1; ++var) {
2247 test_inverse_scalar(&x_scalar, &scalar_cases[i][0], var);
2248 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][1]));
2249 test_inverse_scalar(&x_scalar, &scalar_cases[i][1], var);
2250 CHECK(secp256k1_scalar_eq(&x_scalar, &scalar_cases[i][0]));
2251 }
2252 }
2253 /* Test inputs 0..999 and their respective negations. */
2254 for (i = 0; i < 1000; ++i) {
2255 b32[31] = i & 0xff;
2256 b32[30] = (i >> 8) & 0xff;
2257 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
2258 secp256k1_fe_set_b32(&x_fe, b32);
2259 for (var = 0; var <= 1; ++var) {
2260 test_inverse_scalar(NULL, &x_scalar, var);
2261 test_inverse_field(NULL, &x_fe, var);
2262 }
2263 secp256k1_scalar_negate(&x_scalar, &x_scalar);
2264 secp256k1_fe_negate(&x_fe, &x_fe, 1);
2265 for (var = 0; var <= 1; ++var) {
2266 test_inverse_scalar(NULL, &x_scalar, var);
2267 test_inverse_field(NULL, &x_fe, var);
2268 }
2269 }
2270 /* test 128*count random inputs; half with testrand256_test, half with testrand256 */
2271 for (testrand = 0; testrand <= 1; ++testrand) {
2272 for (i = 0; i < 64 * count; ++i) {
2273 (testrand ? secp256k1_testrand256_test : secp256k1_testrand256)(b32);
2274 secp256k1_scalar_set_b32(&x_scalar, b32, NULL);
2275 secp256k1_fe_set_b32(&x_fe, b32);
2276 for (var = 0; var <= 1; ++var) {
2277 test_inverse_scalar(NULL, &x_scalar, var);
2278 test_inverse_field(NULL, &x_fe, var);
2279 }
2280 }
2281 }
2282}
2283
2284/***** GROUP TESTS *****/
2285
2286void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
2287 CHECK(a->infinity == b->infinity);
2288 if (a->infinity) {
2289 return;
2290 }
2291 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
2292 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
2293}
2294
2295/* This compares jacobian points including their Z, not just their geometric meaning. */
2296int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
2297 secp256k1_gej a2;
2298 secp256k1_gej b2;
2299 int ret = 1;
2300 ret &= a->infinity == b->infinity;
2301 if (ret && !a->infinity) {
2302 a2 = *a;
2303 b2 = *b;
2304 secp256k1_fe_normalize(&a2.x);
2305 secp256k1_fe_normalize(&a2.y);
2306 secp256k1_fe_normalize(&a2.z);
2307 secp256k1_fe_normalize(&b2.x);
2308 secp256k1_fe_normalize(&b2.y);
2309 secp256k1_fe_normalize(&b2.z);
2310 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
2311 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
2312 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
2313 }
2314 return ret;
2315}
2316
2317void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
2318 secp256k1_fe z2s;
2319 secp256k1_fe u1, u2, s1, s2;
2320 CHECK(a->infinity == b->infinity);
2321 if (a->infinity) {
2322 return;
2323 }
2324 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
2325 secp256k1_fe_sqr(&z2s, &b->z);
2326 secp256k1_fe_mul(&u1, &a->x, &z2s);
2327 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
2328 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
2329 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
2330 CHECK(secp256k1_fe_equal_var(&u1, &u2));
2331 CHECK(secp256k1_fe_equal_var(&s1, &s2));
2332}
2333
2334void test_ge(void) {
2335 int i, i1;
2336 int runs = 6;
2337 /* 25 points are used:
2338 * - infinity
2339 * - for each of four random points p1 p2 p3 p4, we add the point, its
2340 * negation, and then those two again but with randomized Z coordinate.
2341 * - The same is then done for lambda*p1 and lambda^2*p1.
2342 */
2343 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
2344 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
2345 secp256k1_fe zf;
2346 secp256k1_fe zfi2, zfi3;
2347
2348 secp256k1_gej_set_infinity(&gej[0]);
2349 secp256k1_ge_clear(&ge[0]);
2350 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
2351 for (i = 0; i < runs; i++) {
2352 int j;
2353 secp256k1_ge g;
2354 random_group_element_test(&g);
2355 if (i >= runs - 2) {
2356 secp256k1_ge_mul_lambda(&g, &ge[1]);
2357 }
2358 if (i >= runs - 1) {
2359 secp256k1_ge_mul_lambda(&g, &g);
2360 }
2361 ge[1 + 4 * i] = g;
2362 ge[2 + 4 * i] = g;
2363 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
2364 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
2365 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
2366 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
2367 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
2368 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
2369 for (j = 0; j < 4; j++) {
2370 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
2371 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
2372 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
2373 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
2374 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
2375 }
2376 }
2377
2378 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
2379 do {
2380 random_field_element_test(&zf);
2381 } while(secp256k1_fe_is_zero(&zf));
2382 random_field_element_magnitude(&zf);
2383 secp256k1_fe_inv_var(&zfi3, &zf);
2384 secp256k1_fe_sqr(&zfi2, &zfi3);
2385 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
2386
2387 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
2388 int i2;
2389 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
2390 /* Compute reference result using gej + gej (var). */
2391 secp256k1_gej refj, resj;
2392 secp256k1_ge ref;
2393 secp256k1_fe zr;
2394 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2395 /* Check Z ratio. */
2396 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
2397 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2398 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
2399 }
2400 secp256k1_ge_set_gej_var(&ref, &refj);
2401
2402 /* Test gej + ge with Z ratio result (var). */
2403 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2404 ge_equals_gej(&ref, &resj);
2405 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
2406 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2407 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
2408 }
2409
2410 /* Test gej + ge (var, with additional Z factor). */
2411 {
2412 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
2413 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
2414 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
2415 random_field_element_magnitude(&ge2_zfi.x);
2416 random_field_element_magnitude(&ge2_zfi.y);
2417 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
2418 ge_equals_gej(&ref, &resj);
2419 }
2420
2421 /* Test gej + ge (const). */
2422 if (i2 != 0) {
2423 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
2424 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
2425 ge_equals_gej(&ref, &resj);
2426 }
2427
2428 /* Test doubling (var). */
2429 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
2430 secp256k1_fe zr2;
2431 /* Normal doubling with Z ratio result. */
2432 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
2433 ge_equals_gej(&ref, &resj);
2434 /* Check Z ratio. */
2435 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2436 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2437 /* Normal doubling. */
2438 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
2439 ge_equals_gej(&ref, &resj);
2440 /* Constant-time doubling. */
2441 secp256k1_gej_double(&resj, &gej[i2]);
2442 ge_equals_gej(&ref, &resj);
2443 }
2444
2445 /* Test adding opposites. */
2446 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2447 CHECK(secp256k1_ge_is_infinity(&ref));
2448 }
2449
2450 /* Test adding infinity. */
2451 if (i1 == 0) {
2452 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2453 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2454 ge_equals_gej(&ref, &gej[i2]);
2455 }
2456 if (i2 == 0) {
2457 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2458 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2459 ge_equals_gej(&ref, &gej[i1]);
2460 }
2461 }
2462 }
2463
2464 /* Test adding all points together in random order equals infinity. */
2465 {
2466 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
2467 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
2468 for (i = 0; i < 4 * runs + 1; i++) {
2469 gej_shuffled[i] = gej[i];
2470 }
2471 for (i = 0; i < 4 * runs + 1; i++) {
2472 int swap = i + secp256k1_testrand_int(4 * runs + 1 - i);
2473 if (swap != i) {
2474 secp256k1_gej t = gej_shuffled[i];
2475 gej_shuffled[i] = gej_shuffled[swap];
2476 gej_shuffled[swap] = t;
2477 }
2478 }
2479 for (i = 0; i < 4 * runs + 1; i++) {
2480 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
2481 }
2482 CHECK(secp256k1_gej_is_infinity(&sum));
2483 free(gej_shuffled);
2484 }
2485
2486 /* Test batch gej -> ge conversion without known z ratios. */
2487 {
2488 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2489 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
2490 for (i = 0; i < 4 * runs + 1; i++) {
2491 secp256k1_fe s;
2492 random_fe_non_zero(&s);
2493 secp256k1_gej_rescale(&gej[i], &s);
2494 ge_equals_gej(&ge_set_all[i], &gej[i]);
2495 }
2496 free(ge_set_all);
2497 }
2498
2499 /* Test batch gej -> ge conversion with many infinities. */
2500 for (i = 0; i < 4 * runs + 1; i++) {
2501 random_group_element_test(&ge[i]);
2502 /* randomly set half the points to infinity */
2503 if(secp256k1_fe_is_odd(&ge[i].x)) {
2504 secp256k1_ge_set_infinity(&ge[i]);
2505 }
2506 secp256k1_gej_set_ge(&gej[i], &ge[i]);
2507 }
2508 /* batch invert */
2509 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
2510 /* check result */
2511 for (i = 0; i < 4 * runs + 1; i++) {
2512 ge_equals_gej(&ge[i], &gej[i]);
2513 }
2514
2515 free(ge);
2516 free(gej);
2517}
2518
2519
2520void test_intialized_inf(void) {
2521 secp256k1_ge p;
2522 secp256k1_gej pj, npj, infj1, infj2, infj3;
2523 secp256k1_fe zinv;
2524
2525 /* Test that adding P+(-P) results in a fully initalized infinity*/
2526 random_group_element_test(&p);
2527 secp256k1_gej_set_ge(&pj, &p);
2528 secp256k1_gej_neg(&npj, &pj);
2529
2530 secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
2531 CHECK(secp256k1_gej_is_infinity(&infj1));
2532 CHECK(secp256k1_fe_is_zero(&infj1.x));
2533 CHECK(secp256k1_fe_is_zero(&infj1.y));
2534 CHECK(secp256k1_fe_is_zero(&infj1.z));
2535
2536 secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
2537 CHECK(secp256k1_gej_is_infinity(&infj2));
2538 CHECK(secp256k1_fe_is_zero(&infj2.x));
2539 CHECK(secp256k1_fe_is_zero(&infj2.y));
2540 CHECK(secp256k1_fe_is_zero(&infj2.z));
2541
2542 secp256k1_fe_set_int(&zinv, 1);
2543 secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
2544 CHECK(secp256k1_gej_is_infinity(&infj3));
2545 CHECK(secp256k1_fe_is_zero(&infj3.x));
2546 CHECK(secp256k1_fe_is_zero(&infj3.y));
2547 CHECK(secp256k1_fe_is_zero(&infj3.z));
2548
2549
2550}
2551
2552void test_add_neg_y_diff_x(void) {
2553 /* The point of this test is to check that we can add two points
2554 * whose y-coordinates are negatives of each other but whose x
2555 * coordinates differ. If the x-coordinates were the same, these
2556 * points would be negatives of each other and their sum is
2557 * infinity. This is cool because it "covers up" any degeneracy
2558 * in the addition algorithm that would cause the xy coordinates
2559 * of the sum to be wrong (since infinity has no xy coordinates).
2560 * HOWEVER, if the x-coordinates are different, infinity is the
2561 * wrong answer, and such degeneracies are exposed. This is the
2562 * root of https://github.com/bitcoin-core/secp256k1/issues/257
2563 * which this test is a regression test for.
2564 *
2565 * These points were generated in sage as
2566 * # secp256k1 params
2567 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2568 * C = EllipticCurve ([F (0), F (7)])
2569 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2570 * N = FiniteField(G.order())
2571 *
2572 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2573 * x = polygen(N)
2574 * lam = (1 - x^3).roots()[1][0]
2575 *
2576 * # random "bad pair"
2577 * P = C.random_element()
2578 * Q = -int(lam) * P
2579 * print " P: %x %x" % P.xy()
2580 * print " Q: %x %x" % Q.xy()
2581 * print "P + Q: %x %x" % (P + Q).xy()
2582 */
2583 secp256k1_gej aj = SECP256K1_GEJ_CONST(
2584 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2585 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2586 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2587 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2588 );
2589 secp256k1_gej bj = SECP256K1_GEJ_CONST(
2590 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2591 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2592 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2593 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2594 );
2595 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
2596 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2597 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2598 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2599 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2600 );
2601 secp256k1_ge b;
2602 secp256k1_gej resj;
2603 secp256k1_ge res;
2604 secp256k1_ge_set_gej(&b, &bj);
2605
2606 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2607 secp256k1_ge_set_gej(&res, &resj);
2608 ge_equals_gej(&res, &sumj);
2609
2610 secp256k1_gej_add_ge(&resj, &aj, &b);
2611 secp256k1_ge_set_gej(&res, &resj);
2612 ge_equals_gej(&res, &sumj);
2613
2614 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2615 secp256k1_ge_set_gej(&res, &resj);
2616 ge_equals_gej(&res, &sumj);
2617}
2618
2619void run_ge(void) {
2620 int i;
2621 for (i = 0; i < count * 32; i++) {
2622 test_ge();
2623 }
2624 test_add_neg_y_diff_x();
2625 test_intialized_inf();
2626}
2627
2628void test_ec_combine(void) {
2629 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2630 secp256k1_pubkey data[6];
2631 const secp256k1_pubkey* d[6];
2632 secp256k1_pubkey sd;
2633 secp256k1_pubkey sd2;
2634 secp256k1_gej Qj;
2635 secp256k1_ge Q;
2636 int i;
2637 for (i = 1; i <= 6; i++) {
2638 secp256k1_scalar s;
2639 random_scalar_order_test(&s);
2640 secp256k1_scalar_add(&sum, &sum, &s);
2641 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2642 secp256k1_ge_set_gej(&Q, &Qj);
2643 secp256k1_pubkey_save(&data[i - 1], &Q);
2644 d[i - 1] = &data[i - 1];
2645 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2646 secp256k1_ge_set_gej(&Q, &Qj);
2647 secp256k1_pubkey_save(&sd, &Q);
2648 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
2649 CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
2650 }
2651}
2652
2653void run_ec_combine(void) {
2654 int i;
2655 for (i = 0; i < count * 8; i++) {
2656 test_ec_combine();
2657 }
2658}
2659
2660void test_group_decompress(const secp256k1_fe* x) {
2661 /* The input itself, normalized. */
2662 secp256k1_fe fex = *x;
2663 secp256k1_fe fez;
2664 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2665 secp256k1_ge ge_quad, ge_even, ge_odd;
2666 secp256k1_gej gej_quad;
2667 /* Return values of the above calls. */
2668 int res_quad, res_even, res_odd;
2669
2670 secp256k1_fe_normalize_var(&fex);
2671
2672 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
2673 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2674 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2675
2676 CHECK(res_quad == res_even);
2677 CHECK(res_quad == res_odd);
2678
2679 if (res_quad) {
2680 secp256k1_fe_normalize_var(&ge_quad.x);
2681 secp256k1_fe_normalize_var(&ge_odd.x);
2682 secp256k1_fe_normalize_var(&ge_even.x);
2683 secp256k1_fe_normalize_var(&ge_quad.y);
2684 secp256k1_fe_normalize_var(&ge_odd.y);
2685 secp256k1_fe_normalize_var(&ge_even.y);
2686
2687 /* No infinity allowed. */
2688 CHECK(!ge_quad.infinity);
2689 CHECK(!ge_even.infinity);
2690 CHECK(!ge_odd.infinity);
2691
2692 /* Check that the x coordinates check out. */
2693 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2694 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2695 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2696
2697 /* Check that the Y coordinate result in ge_quad is a square. */
2698 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
2699
2700 /* Check odd/even Y in ge_odd, ge_even. */
2701 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2702 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
2703
2704 /* Check secp256k1_gej_has_quad_y_var. */
2705 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2706 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2707 do {
2708 random_fe_test(&fez);
2709 } while (secp256k1_fe_is_zero(&fez));
2710 secp256k1_gej_rescale(&gej_quad, &fez);
2711 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2712 secp256k1_gej_neg(&gej_quad, &gej_quad);
2713 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2714 do {
2715 random_fe_test(&fez);
2716 } while (secp256k1_fe_is_zero(&fez));
2717 secp256k1_gej_rescale(&gej_quad, &fez);
2718 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2719 secp256k1_gej_neg(&gej_quad, &gej_quad);
2720 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2721 }
2722}
2723
2724void run_group_decompress(void) {
2725 int i;
2726 for (i = 0; i < count * 4; i++) {
2727 secp256k1_fe fe;
2728 random_fe_test(&fe);
2729 test_group_decompress(&fe);
2730 }
2731}
2732
2733/***** ECMULT TESTS *****/
2734
2735void run_ecmult_chain(void) {
2736 /* random starting point A (on the curve) */
2737 secp256k1_gej a = SECP256K1_GEJ_CONST(
2738 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2739 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2740 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2741 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2742 );
2743 /* two random initial factors xn and gn */
2744 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2745 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2746 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2747 );
2748 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
2749 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2750 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2751 );
2752 /* two small multipliers to be applied to xn and gn in every iteration: */
2753 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2754 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
2755 /* accumulators with the resulting coefficients to A and G */
2756 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2757 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2758 /* actual points */
2759 secp256k1_gej x;
2760 secp256k1_gej x2;
2761 int i;
2762
2763 /* the point being computed */
2764 x = a;
2765 for (i = 0; i < 200*count; i++) {
2766 /* in each iteration, compute X = xn*X + gn*G; */
2767 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
2768 /* also compute ae and ge: the actual accumulated factors for A and G */
2769 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
2770 secp256k1_scalar_mul(&ae, &ae, &xn);
2771 secp256k1_scalar_mul(&ge, &ge, &xn);
2772 secp256k1_scalar_add(&ge, &ge, &gn);
2773 /* modify xn and gn */
2774 secp256k1_scalar_mul(&xn, &xn, &xf);
2775 secp256k1_scalar_mul(&gn, &gn, &gf);
2776
2777 /* verify */
2778 if (i == 19999) {
2779 /* expected result after 19999 iterations */
2780 secp256k1_gej rp = SECP256K1_GEJ_CONST(
2781 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2782 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2783 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2784 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2785 );
2786
2787 secp256k1_gej_neg(&rp, &rp);
2788 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
2789 CHECK(secp256k1_gej_is_infinity(&rp));
2790 }
2791 }
2792 /* redo the computation, but directly with the resulting ae and ge coefficients: */
2793 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
2794 secp256k1_gej_neg(&x2, &x2);
2795 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
2796 CHECK(secp256k1_gej_is_infinity(&x2));
2797}
2798
2799void test_point_times_order(const secp256k1_gej *point) {
2800 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
2801 secp256k1_scalar x;
2802 secp256k1_scalar nx;
2803 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2804 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2805 secp256k1_gej res1, res2;
2806 secp256k1_ge res3;
2807 unsigned char pub[65];
2808 size_t psize = 65;
2809 random_scalar_order_test(&x);
2810 secp256k1_scalar_negate(&nx, &x);
2811 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2812 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
2813 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
2814 CHECK(secp256k1_gej_is_infinity(&res1));
2815 secp256k1_ge_set_gej(&res3, &res1);
2816 CHECK(secp256k1_ge_is_infinity(&res3));
2817 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
2818 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
2819 psize = 65;
2820 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
2821 /* check zero/one edge cases */
2822 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2823 secp256k1_ge_set_gej(&res3, &res1);
2824 CHECK(secp256k1_ge_is_infinity(&res3));
2825 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2826 secp256k1_ge_set_gej(&res3, &res1);
2827 ge_equals_gej(&res3, point);
2828 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2829 secp256k1_ge_set_gej(&res3, &res1);
2830 ge_equals_ge(&res3, &secp256k1_ge_const_g);
2831}
2832
2833/* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
2834 *
2835 * They are computed as:
2836 * - For a in [-2, -1, 0, 1, 2]:
2837 * - For b in [-3, -1, 1, 3]:
2838 * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
2839 */
2840static const secp256k1_scalar scalars_near_split_bounds[20] = {
2841 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
2842 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
2843 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
2844 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
2845 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
2846 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
2847 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
2848 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
2849 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
2850 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
2851 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
2852 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
2853 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
2854 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
2855 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
2856 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
2857 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
2858 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
2859 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
2860 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
2861};
2862
2863void test_ecmult_target(const secp256k1_scalar* target, int mode) {
2864 /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
2865 secp256k1_scalar n1, n2;
2866 secp256k1_ge p;
2867 secp256k1_gej pj, p1j, p2j, ptj;
2868 static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2869
2870 /* Generate random n1,n2 such that n1+n2 = -target. */
2871 random_scalar_order_test(&n1);
2872 secp256k1_scalar_add(&n2, &n1, target);
2873 secp256k1_scalar_negate(&n2, &n2);
2874
2875 /* Generate a random input point. */
2876 if (mode != 0) {
2877 random_group_element_test(&p);
2878 secp256k1_gej_set_ge(&pj, &p);
2879 }
2880
2881 /* EC multiplications */
2882 if (mode == 0) {
2883 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p1j, &n1);
2884 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p2j, &n2);
2885 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &ptj, target);
2886 } else if (mode == 1) {
2887 secp256k1_ecmult(&ctx->ecmult_ctx, &p1j, &pj, &n1, &zero);
2888 secp256k1_ecmult(&ctx->ecmult_ctx, &p2j, &pj, &n2, &zero);
2889 secp256k1_ecmult(&ctx->ecmult_ctx, &ptj, &pj, target, &zero);
2890 } else {
2891 secp256k1_ecmult_const(&p1j, &p, &n1, 256);
2892 secp256k1_ecmult_const(&p2j, &p, &n2, 256);
2893 secp256k1_ecmult_const(&ptj, &p, target, 256);
2894 }
2895
2896 /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
2897 secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
2898 secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
2899 CHECK(secp256k1_gej_is_infinity(&ptj));
2900}
2901
2902void run_ecmult_near_split_bound(void) {
2903 int i;
2904 unsigned j;
2905 for (i = 0; i < 4*count; ++i) {
2906 for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) {
2907 test_ecmult_target(&scalars_near_split_bounds[j], 0);
2908 test_ecmult_target(&scalars_near_split_bounds[j], 1);
2909 test_ecmult_target(&scalars_near_split_bounds[j], 2);
2910 }
2911 }
2912}
2913
2914void run_point_times_order(void) {
2915 int i;
2916 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2917 static const secp256k1_fe xr = SECP256K1_FE_CONST(
2918 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2919 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2920 );
2921 for (i = 0; i < 500; i++) {
2922 secp256k1_ge p;
2923 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
2924 secp256k1_gej j;
2925 CHECK(secp256k1_ge_is_valid_var(&p));
2926 secp256k1_gej_set_ge(&j, &p);
2927 test_point_times_order(&j);
2928 }
2929 secp256k1_fe_sqr(&x, &x);
2930 }
2931 secp256k1_fe_normalize_var(&x);
2932 CHECK(secp256k1_fe_equal_var(&x, &xr));
2933}
2934
2935void ecmult_const_random_mult(void) {
2936 /* random starting point A (on the curve) */
2937 secp256k1_ge a = SECP256K1_GE_CONST(
2938 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2939 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2940 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2941 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2942 );
2943 /* random initial factor xn */
2944 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2945 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2946 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2947 );
2948 /* expected xn * A (from sage) */
2949 secp256k1_ge expected_b = SECP256K1_GE_CONST(
2950 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2951 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2952 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2953 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2954 );
2955 secp256k1_gej b;
2956 secp256k1_ecmult_const(&b, &a, &xn, 256);
2957
2958 CHECK(secp256k1_ge_is_valid_var(&a));
2959 ge_equals_gej(&expected_b, &b);
2960}
2961
2962void ecmult_const_commutativity(void) {
2963 secp256k1_scalar a;
2964 secp256k1_scalar b;
2965 secp256k1_gej res1;
2966 secp256k1_gej res2;
2967 secp256k1_ge mid1;
2968 secp256k1_ge mid2;
2969 random_scalar_order_test(&a);
2970 random_scalar_order_test(&b);
2971
2972 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
2973 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
2974 secp256k1_ge_set_gej(&mid1, &res1);
2975 secp256k1_ge_set_gej(&mid2, &res2);
2976 secp256k1_ecmult_const(&res1, &mid1, &b, 256);
2977 secp256k1_ecmult_const(&res2, &mid2, &a, 256);
2978 secp256k1_ge_set_gej(&mid1, &res1);
2979 secp256k1_ge_set_gej(&mid2, &res2);
2980 ge_equals_ge(&mid1, &mid2);
2981}
2982
2983void ecmult_const_mult_zero_one(void) {
2984 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2985 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2986 secp256k1_scalar negone;
2987 secp256k1_gej res1;
2988 secp256k1_ge res2;
2989 secp256k1_ge point;
2990 secp256k1_scalar_negate(&negone, &one);
2991
2992 random_group_element_test(&point);
2993 secp256k1_ecmult_const(&res1, &point, &zero, 3);
2994 secp256k1_ge_set_gej(&res2, &res1);
2995 CHECK(secp256k1_ge_is_infinity(&res2));
2996 secp256k1_ecmult_const(&res1, &point, &one, 2);
2997 secp256k1_ge_set_gej(&res2, &res1);
2998 ge_equals_ge(&res2, &point);
2999 secp256k1_ecmult_const(&res1, &point, &negone, 256);
3000 secp256k1_gej_neg(&res1, &res1);
3001 secp256k1_ge_set_gej(&res2, &res1);
3002 ge_equals_ge(&res2, &point);
3003}
3004
3005void ecmult_const_chain_multiply(void) {
3006 /* Check known result (randomly generated test problem from sage) */
3007 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
3008 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
3009 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
3010 );
3011 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
3012 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
3013 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
3014 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
3015 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
3016 );
3017 secp256k1_gej point;
3018 secp256k1_ge res;
3019 int i;
3020
3021 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
3022 for (i = 0; i < 100; ++i) {
3023 secp256k1_ge tmp;
3024 secp256k1_ge_set_gej(&tmp, &point);
3025 secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
3026 }
3027 secp256k1_ge_set_gej(&res, &point);
3028 ge_equals_gej(&res, &expected_point);
3029}
3030
3031void run_ecmult_const_tests(void) {
3032 ecmult_const_mult_zero_one();
3033 ecmult_const_random_mult();
3034 ecmult_const_commutativity();
3035 ecmult_const_chain_multiply();
3036}
3037
3038typedef struct {
3039 secp256k1_scalar *sc;
3040 secp256k1_ge *pt;
3041} ecmult_multi_data;
3042
3043static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
3044 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
3045 *sc = data->sc[idx];
3046 *pt = data->pt[idx];
3047 return 1;
3048}
3049
3050static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
3051 (void)sc;
3052 (void)pt;
3053 (void)idx;
3054 (void)cbdata;
3055 return 0;
3056}
3057
3058void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
3059 int ncount;
3060 secp256k1_scalar szero;
3061 secp256k1_scalar sc[32];
3062 secp256k1_ge pt[32];
3063 secp256k1_gej r;
3064 secp256k1_gej r2;
3065 ecmult_multi_data data;
3066
3067 data.sc = sc;
3068 data.pt = pt;
3069 secp256k1_scalar_set_int(&szero, 0);
3070
3071 /* No points to multiply */
3072 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
3073
3074 /* Check 1- and 2-point multiplies against ecmult */
3075 for (ncount = 0; ncount < count; ncount++) {
3076 secp256k1_ge ptg;
3077 secp256k1_gej ptgj;
3078 random_scalar_order(&sc[0]);
3079 random_scalar_order(&sc[1]);
3080
3081 random_group_element_test(&ptg);
3082 secp256k1_gej_set_ge(&ptgj, &ptg);
3083 pt[0] = ptg;
3084 pt[1] = secp256k1_ge_const_g;
3085
3086 /* only G scalar */
3087 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
3088 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
3089 secp256k1_gej_neg(&r2, &r2);
3090 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3091 CHECK(secp256k1_gej_is_infinity(&r));
3092
3093 /* 1-point */
3094 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
3095 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
3096 secp256k1_gej_neg(&r2, &r2);
3097 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3098 CHECK(secp256k1_gej_is_infinity(&r));
3099
3100 /* Try to multiply 1 point, but callback returns false */
3101 CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
3102
3103 /* 2-point */
3104 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
3105 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
3106 secp256k1_gej_neg(&r2, &r2);
3107 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3108 CHECK(secp256k1_gej_is_infinity(&r));
3109
3110 /* 2-point with G scalar */
3111 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
3112 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
3113 secp256k1_gej_neg(&r2, &r2);
3114 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3115 CHECK(secp256k1_gej_is_infinity(&r));
3116 }
3117
3118 /* Check infinite outputs of various forms */
3119 for (ncount = 0; ncount < count; ncount++) {
3120 secp256k1_ge ptg;
3121 size_t i, j;
3122 size_t sizes[] = { 2, 10, 32 };
3123
3124 for (j = 0; j < 3; j++) {
3125 for (i = 0; i < 32; i++) {
3126 random_scalar_order(&sc[i]);
3127 secp256k1_ge_set_infinity(&pt[i]);
3128 }
3129 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3130 CHECK(secp256k1_gej_is_infinity(&r));
3131 }
3132
3133 for (j = 0; j < 3; j++) {
3134 for (i = 0; i < 32; i++) {
3135 random_group_element_test(&ptg);
3136 pt[i] = ptg;
3137 secp256k1_scalar_set_int(&sc[i], 0);
3138 }
3139 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3140 CHECK(secp256k1_gej_is_infinity(&r));
3141 }
3142
3143 for (j = 0; j < 3; j++) {
3144 random_group_element_test(&ptg);
3145 for (i = 0; i < 16; i++) {
3146 random_scalar_order(&sc[2*i]);
3147 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
3148 pt[2 * i] = ptg;
3149 pt[2 * i + 1] = ptg;
3150 }
3151
3152 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3153 CHECK(secp256k1_gej_is_infinity(&r));
3154
3155 random_scalar_order(&sc[0]);
3156 for (i = 0; i < 16; i++) {
3157 random_group_element_test(&ptg);
3158
3159 sc[2*i] = sc[0];
3160 sc[2*i+1] = sc[0];
3161 pt[2 * i] = ptg;
3162 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
3163 }
3164
3165 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
3166 CHECK(secp256k1_gej_is_infinity(&r));
3167 }
3168
3169 random_group_element_test(&ptg);
3170 secp256k1_scalar_set_int(&sc[0], 0);
3171 pt[0] = ptg;
3172 for (i = 1; i < 32; i++) {
3173 pt[i] = ptg;
3174
3175 random_scalar_order(&sc[i]);
3176 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
3177 secp256k1_scalar_negate(&sc[i], &sc[i]);
3178 }
3179
3180 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
3181 CHECK(secp256k1_gej_is_infinity(&r));
3182 }
3183
3184 /* Check random points, constant scalar */
3185 for (ncount = 0; ncount < count; ncount++) {
3186 size_t i;
3187 secp256k1_gej_set_infinity(&r);
3188
3189 random_scalar_order(&sc[0]);
3190 for (i = 0; i < 20; i++) {
3191 secp256k1_ge ptg;
3192 sc[i] = sc[0];
3193 random_group_element_test(&ptg);
3194 pt[i] = ptg;
3195 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
3196 }
3197
3198 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
3199 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
3200 secp256k1_gej_neg(&r2, &r2);
3201 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3202 CHECK(secp256k1_gej_is_infinity(&r));
3203 }
3204
3205 /* Check random scalars, constant point */
3206 for (ncount = 0; ncount < count; ncount++) {
3207 size_t i;
3208 secp256k1_ge ptg;
3209 secp256k1_gej p0j;
3210 secp256k1_scalar rs;
3211 secp256k1_scalar_set_int(&rs, 0);
3212
3213 random_group_element_test(&ptg);
3214 for (i = 0; i < 20; i++) {
3215 random_scalar_order(&sc[i]);
3216 pt[i] = ptg;
3217 secp256k1_scalar_add(&rs, &rs, &sc[i]);
3218 }
3219
3220 secp256k1_gej_set_ge(&p0j, &pt[0]);
3221 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
3222 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
3223 secp256k1_gej_neg(&r2, &r2);
3224 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3225 CHECK(secp256k1_gej_is_infinity(&r));
3226 }
3227
3228 /* Sanity check that zero scalars don't cause problems */
3229 for (ncount = 0; ncount < 20; ncount++) {
3230 random_scalar_order(&sc[ncount]);
3231 random_group_element_test(&pt[ncount]);
3232 }
3233 secp256k1_scalar_clear(&sc[0]);
3234 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
3235 secp256k1_scalar_clear(&sc[1]);
3236 secp256k1_scalar_clear(&sc[2]);
3237 secp256k1_scalar_clear(&sc[3]);
3238 secp256k1_scalar_clear(&sc[4]);
3239 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
3240 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
3241 CHECK(secp256k1_gej_is_infinity(&r));
3242
3243 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
3244 {
3245 const size_t TOP = 8;
3246 size_t s0i, s1i;
3247 size_t t0i, t1i;
3248 secp256k1_ge ptg;
3249 secp256k1_gej ptgj;
3250
3251 random_group_element_test(&ptg);
3252 secp256k1_gej_set_ge(&ptgj, &ptg);
3253
3254 for(t0i = 0; t0i < TOP; t0i++) {
3255 for(t1i = 0; t1i < TOP; t1i++) {
3256 secp256k1_gej t0p, t1p;
3257 secp256k1_scalar t0, t1;
3258
3259 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
3260 secp256k1_scalar_cond_negate(&t0, t0i & 1);
3261 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
3262 secp256k1_scalar_cond_negate(&t1, t1i & 1);
3263
3264 secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
3265 secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
3266
3267 for(s0i = 0; s0i < TOP; s0i++) {
3268 for(s1i = 0; s1i < TOP; s1i++) {
3269 secp256k1_scalar tmp1, tmp2;
3270 secp256k1_gej expected, actual;
3271
3272 secp256k1_ge_set_gej(&pt[0], &t0p);
3273 secp256k1_ge_set_gej(&pt[1], &t1p);
3274
3275 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
3276 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
3277 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
3278 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
3279
3280 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
3281 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
3282 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
3283
3284 secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
3285 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
3286 secp256k1_gej_neg(&expected, &expected);
3287 secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
3288 CHECK(secp256k1_gej_is_infinity(&actual));
3289 }
3290 }
3291 }
3292 }
3293 }
3294}
3295
3296void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) {
3297 secp256k1_scalar szero;
3298 secp256k1_scalar sc;
3299 secp256k1_ge pt;
3300 secp256k1_gej r;
3301 ecmult_multi_data data;
3302 secp256k1_scratch *scratch_empty;
3303
3304 random_group_element_test(&pt);
3305 random_scalar_order(&sc);
3306 data.sc = &sc;
3307 data.pt = &pt;
3308 secp256k1_scalar_set_int(&szero, 0);
3309
3310 /* Try to multiply 1 point, but scratch space is empty.*/
3311 scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
3312 CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
3313 secp256k1_scratch_destroy(&ctx->error_callback, scratch_empty);
3314}
3315
3316void test_secp256k1_pippenger_bucket_window_inv(void) {
3317 int i;
3318
3319 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
3320 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
3321 /* Bucket_window of 8 is not used with endo */
3322 if (i == 8) {
3323 continue;
3324 }
3325 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
3326 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
3327 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
3328 }
3329 }
3330}
3331
3336void test_ecmult_multi_pippenger_max_points(void) {
3337 size_t scratch_size = secp256k1_testrand_int(256);
3338 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
3339 secp256k1_scratch *scratch;
3340 size_t n_points_supported;
3341 int bucket_window = 0;
3342
3343 for(; scratch_size < max_size; scratch_size+=256) {
3344 size_t i;
3345 size_t total_alloc;
3346 size_t checkpoint;
3347 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
3348 CHECK(scratch != NULL);
3349 checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch);
3350 n_points_supported = secp256k1_pippenger_max_points(&ctx->error_callback, scratch);
3351 if (n_points_supported == 0) {
3352 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3353 continue;
3354 }
3355 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
3356 /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
3357 total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
3358 for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
3359 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, 1));
3360 total_alloc--;
3361 }
3362 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, total_alloc));
3363 secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint);
3364 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3365 }
3366 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
3367}
3368
3369void test_ecmult_multi_batch_size_helper(void) {
3370 size_t n_batches, n_batch_points, max_n_batch_points, n;
3371
3372 max_n_batch_points = 0;
3373 n = 1;
3374 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
3375
3376 max_n_batch_points = 1;
3377 n = 0;
3378 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3379 CHECK(n_batches == 0);
3380 CHECK(n_batch_points == 0);
3381
3382 max_n_batch_points = 2;
3383 n = 5;
3384 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3385 CHECK(n_batches == 3);
3386 CHECK(n_batch_points == 2);
3387
3388 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
3389 n = ECMULT_MAX_POINTS_PER_BATCH;
3390 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3391 CHECK(n_batches == 1);
3392 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
3393
3394 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
3395 n = ECMULT_MAX_POINTS_PER_BATCH + 1;
3396 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3397 CHECK(n_batches == 2);
3398 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
3399
3400 max_n_batch_points = 1;
3401 n = SIZE_MAX;
3402 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3403 CHECK(n_batches == SIZE_MAX);
3404 CHECK(n_batch_points == 1);
3405
3406 max_n_batch_points = 2;
3407 n = SIZE_MAX;
3408 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3409 CHECK(n_batches == SIZE_MAX/2 + 1);
3410 CHECK(n_batch_points == 2);
3411}
3412
3417void test_ecmult_multi_batching(void) {
3418 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
3419 secp256k1_scalar scG;
3420 secp256k1_scalar szero;
3421 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
3422 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
3423 secp256k1_gej r;
3424 secp256k1_gej r2;
3425 ecmult_multi_data data;
3426 int i;
3427 secp256k1_scratch *scratch;
3428
3429 secp256k1_gej_set_infinity(&r2);
3430 secp256k1_scalar_set_int(&szero, 0);
3431
3432 /* Get random scalars and group elements and compute result */
3433 random_scalar_order(&scG);
3434 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
3435 for(i = 0; i < n_points; i++) {
3436 secp256k1_ge ptg;
3437 secp256k1_gej ptgj;
3438 random_group_element_test(&ptg);
3439 secp256k1_gej_set_ge(&ptgj, &ptg);
3440 pt[i] = ptg;
3441 random_scalar_order(&sc[i]);
3442 secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
3443 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
3444 }
3445 data.sc = sc;
3446 data.pt = pt;
3447 secp256k1_gej_neg(&r2, &r2);
3448
3449 /* Test with empty scratch space. It should compute the correct result using
3450 * ecmult_mult_simple algorithm which doesn't require a scratch space. */
3451 scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
3452 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3453 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3454 CHECK(secp256k1_gej_is_infinity(&r));
3455 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3456
3457 /* Test with space for 1 point in pippenger. That's not enough because
3458 * ecmult_multi selects strauss which requires more memory. It should
3459 * therefore select the simple algorithm. */
3460 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
3461 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3462 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3463 CHECK(secp256k1_gej_is_infinity(&r));
3464 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3465
3466 for(i = 1; i <= n_points; i++) {
3467 if (i > ECMULT_PIPPENGER_THRESHOLD) {
3468 int bucket_window = secp256k1_pippenger_bucket_window(i);
3469 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
3470 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
3471 } else {
3472 size_t scratch_size = secp256k1_strauss_scratch_size(i);
3473 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
3474 }
3475 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3476 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3477 CHECK(secp256k1_gej_is_infinity(&r));
3478 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3479 }
3480 free(sc);
3481 free(pt);
3482}
3483
3484void run_ecmult_multi_tests(void) {
3485 secp256k1_scratch *scratch;
3486
3487 test_secp256k1_pippenger_bucket_window_inv();
3488 test_ecmult_multi_pippenger_max_points();
3489 scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
3490 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
3491 test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
3492 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
3493 test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single);
3494 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
3495 test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single);
3496 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3497
3498 /* Run test_ecmult_multi with space for exactly one point */
3499 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
3500 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
3501 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3502
3503 test_ecmult_multi_batch_size_helper();
3504 test_ecmult_multi_batching();
3505}
3506
3507void test_wnaf(const secp256k1_scalar *number, int w) {
3508 secp256k1_scalar x, two, t;
3509 int wnaf[256];
3510 int zeroes = -1;
3511 int i;
3512 int bits;
3513 secp256k1_scalar_set_int(&x, 0);
3514 secp256k1_scalar_set_int(&two, 2);
3515 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
3516 CHECK(bits <= 256);
3517 for (i = bits-1; i >= 0; i--) {
3518 int v = wnaf[i];
3519 secp256k1_scalar_mul(&x, &x, &two);
3520 if (v) {
3521 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
3522 zeroes=0;
3523 CHECK((v & 1) == 1); /* check non-zero elements are odd */
3524 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
3525 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
3526 } else {
3527 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
3528 zeroes++;
3529 }
3530 if (v >= 0) {
3531 secp256k1_scalar_set_int(&t, v);
3532 } else {
3533 secp256k1_scalar_set_int(&t, -v);
3534 secp256k1_scalar_negate(&t, &t);
3535 }
3536 secp256k1_scalar_add(&x, &x, &t);
3537 }
3538 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
3539}
3540
3541void test_constant_wnaf_negate(const secp256k1_scalar *number) {
3542 secp256k1_scalar neg1 = *number;
3543 secp256k1_scalar neg2 = *number;
3544 int sign1 = 1;
3545 int sign2 = 1;
3546
3547 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
3548 secp256k1_scalar_negate(&neg1, &neg1);
3549 sign1 = -1;
3550 }
3551 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
3552 CHECK(sign1 == sign2);
3553 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
3554}
3555
3556void test_constant_wnaf(const secp256k1_scalar *number, int w) {
3557 secp256k1_scalar x, shift;
3558 int wnaf[256] = {0};
3559 int i;
3560 int skew;
3561 int bits = 256;
3562 secp256k1_scalar num = *number;
3563 secp256k1_scalar scalar_skew;
3564
3565 secp256k1_scalar_set_int(&x, 0);
3566 secp256k1_scalar_set_int(&shift, 1 << w);
3567 for (i = 0; i < 16; ++i) {
3568 secp256k1_scalar_shr_int(&num, 8);
3569 }
3570 bits = 128;
3571 skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
3572
3573 for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
3574 secp256k1_scalar t;
3575 int v = wnaf[i];
3576 CHECK(v != 0); /* check nonzero */
3577 CHECK(v & 1); /* check parity */
3578 CHECK(v > -(1 << w)); /* check range above */
3579 CHECK(v < (1 << w)); /* check range below */
3580
3581 secp256k1_scalar_mul(&x, &x, &shift);
3582 if (v >= 0) {
3583 secp256k1_scalar_set_int(&t, v);
3584 } else {
3585 secp256k1_scalar_set_int(&t, -v);
3586 secp256k1_scalar_negate(&t, &t);
3587 }
3588 secp256k1_scalar_add(&x, &x, &t);
3589 }
3590 /* Skew num because when encoding numbers as odd we use an offset */
3591 secp256k1_scalar_set_int(&scalar_skew, 1 << (skew == 2));
3592 secp256k1_scalar_add(&num, &num, &scalar_skew);
3593 CHECK(secp256k1_scalar_eq(&x, &num));
3594}
3595
3596void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
3597 secp256k1_scalar x, shift;
3598 int wnaf[256] = {0};
3599 int i;
3600 int skew;
3601 secp256k1_scalar num = *number;
3602
3603 secp256k1_scalar_set_int(&x, 0);
3604 secp256k1_scalar_set_int(&shift, 1 << w);
3605 for (i = 0; i < 16; ++i) {
3606 secp256k1_scalar_shr_int(&num, 8);
3607 }
3608 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3609
3610 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3611 secp256k1_scalar t;
3612 int v = wnaf[i];
3613 CHECK(v == 0 || v & 1); /* check parity */
3614 CHECK(v > -(1 << w)); /* check range above */
3615 CHECK(v < (1 << w)); /* check range below */
3616
3617 secp256k1_scalar_mul(&x, &x, &shift);
3618 if (v >= 0) {
3619 secp256k1_scalar_set_int(&t, v);
3620 } else {
3621 secp256k1_scalar_set_int(&t, -v);
3622 secp256k1_scalar_negate(&t, &t);
3623 }
3624 secp256k1_scalar_add(&x, &x, &t);
3625 }
3626 /* If skew is 1 then add 1 to num */
3627 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
3628 CHECK(secp256k1_scalar_eq(&x, &num));
3629}
3630
3631/* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
3632 * rest is 0.*/
3633void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
3634 int i;
3635 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
3636 CHECK(wnaf[i] == 0);
3637 }
3638 for (i = 7; i >= 0; --i) {
3639 CHECK(wnaf[i] == wnaf_expected[i]);
3640 }
3641}
3642
3643void test_fixed_wnaf_small(void) {
3644 int w = 4;
3645 int wnaf[256] = {0};
3646 int i;
3647 int skew;
3648 secp256k1_scalar num;
3649
3650 secp256k1_scalar_set_int(&num, 0);
3651 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3652 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3653 int v = wnaf[i];
3654 CHECK(v == 0);
3655 }
3656 CHECK(skew == 0);
3657
3658 secp256k1_scalar_set_int(&num, 1);
3659 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3660 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
3661 int v = wnaf[i];
3662 CHECK(v == 0);
3663 }
3664 CHECK(wnaf[0] == 1);
3665 CHECK(skew == 0);
3666
3667 {
3668 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
3669 secp256k1_scalar_set_int(&num, 0xffffffff);
3670 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3671 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3672 CHECK(skew == 0);
3673 }
3674 {
3675 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
3676 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
3677 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3678 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3679 CHECK(skew == 1);
3680 }
3681 {
3682 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
3683 secp256k1_scalar_set_int(&num, 0x01010101);
3684 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3685 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3686 CHECK(skew == 0);
3687 }
3688 {
3689 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
3690 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
3691 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3692 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3693 CHECK(skew == 0);
3694 }
3695}
3696
3697void run_wnaf(void) {
3698 int i;
3699 secp256k1_scalar n = {{0}};
3700
3701 test_constant_wnaf(&n, 4);
3702 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
3703 * have easier-to-diagnose failure modes */
3704 n.d[0] = 1;
3705 test_constant_wnaf(&n, 4);
3706 n.d[0] = 2;
3707 test_constant_wnaf(&n, 4);
3708 /* Test -1, because it's a special case in wnaf_const */
3709 n = secp256k1_scalar_one;
3710 secp256k1_scalar_negate(&n, &n);
3711 test_constant_wnaf(&n, 4);
3712
3713 /* Test -2, which may not lead to overflows in wnaf_const */
3714 secp256k1_scalar_add(&n, &secp256k1_scalar_one, &secp256k1_scalar_one);
3715 secp256k1_scalar_negate(&n, &n);
3716 test_constant_wnaf(&n, 4);
3717
3718 /* Test (1/2) - 1 = 1/-2 and 1/2 = (1/-2) + 1
3719 as corner cases of negation handling in wnaf_const */
3720 secp256k1_scalar_inverse(&n, &n);
3721 test_constant_wnaf(&n, 4);
3722
3723 secp256k1_scalar_add(&n, &n, &secp256k1_scalar_one);
3724 test_constant_wnaf(&n, 4);
3725
3726 /* Test 0 for fixed wnaf */
3727 test_fixed_wnaf_small();
3728 /* Random tests */
3729 for (i = 0; i < count; i++) {
3730 random_scalar_order(&n);
3731 test_wnaf(&n, 4+(i%10));
3732 test_constant_wnaf_negate(&n);
3733 test_constant_wnaf(&n, 4 + (i % 10));
3734 test_fixed_wnaf(&n, 4 + (i % 10));
3735 }
3736 secp256k1_scalar_set_int(&n, 0);
3737 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
3738 CHECK(secp256k1_scalar_is_zero(&n));
3739 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
3740 CHECK(secp256k1_scalar_is_zero(&n));
3741}
3742
3743void test_ecmult_constants(void) {
3744 /* Test ecmult_gen() for [0..36) and [order-36..0). */
3745 secp256k1_scalar x;
3746 secp256k1_gej r;
3747 secp256k1_ge ng;
3748 int i;
3749 int j;
3750 secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
3751 for (i = 0; i < 36; i++ ) {
3752 secp256k1_scalar_set_int(&x, i);
3753 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3754 for (j = 0; j < i; j++) {
3755 if (j == i - 1) {
3756 ge_equals_gej(&secp256k1_ge_const_g, &r);
3757 }
3758 secp256k1_gej_add_ge(&r, &r, &ng);
3759 }
3760 CHECK(secp256k1_gej_is_infinity(&r));
3761 }
3762 for (i = 1; i <= 36; i++ ) {
3763 secp256k1_scalar_set_int(&x, i);
3764 secp256k1_scalar_negate(&x, &x);
3765 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3766 for (j = 0; j < i; j++) {
3767 if (j == i - 1) {
3768 ge_equals_gej(&ng, &r);
3769 }
3770 secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
3771 }
3772 CHECK(secp256k1_gej_is_infinity(&r));
3773 }
3774}
3775
3776void run_ecmult_constants(void) {
3777 test_ecmult_constants();
3778}
3779
3780void test_ecmult_gen_blind(void) {
3781 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
3782 secp256k1_scalar key;
3783 secp256k1_scalar b;
3784 unsigned char seed32[32];
3785 secp256k1_gej pgej;
3786 secp256k1_gej pgej2;
3787 secp256k1_gej i;
3788 secp256k1_ge pge;
3789 random_scalar_order_test(&key);
3790 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
3791 secp256k1_testrand256(seed32);
3792 b = ctx->ecmult_gen_ctx.blind;
3793 i = ctx->ecmult_gen_ctx.initial;
3794 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
3795 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3796 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
3797 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
3798 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
3799 secp256k1_ge_set_gej(&pge, &pgej);
3800 ge_equals_gej(&pge, &pgej2);
3801}
3802
3803void test_ecmult_gen_blind_reset(void) {
3804 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
3805 secp256k1_scalar b;
3806 secp256k1_gej initial;
3807 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3808 b = ctx->ecmult_gen_ctx.blind;
3809 initial = ctx->ecmult_gen_ctx.initial;
3810 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3811 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3812 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
3813}
3814
3815void run_ecmult_gen_blind(void) {
3816 int i;
3817 test_ecmult_gen_blind_reset();
3818 for (i = 0; i < 10; i++) {
3819 test_ecmult_gen_blind();
3820 }
3821}
3822
3823/***** ENDOMORPHISH TESTS *****/
3824void test_scalar_split(const secp256k1_scalar* full) {
3825 secp256k1_scalar s, s1, slam;
3826 const unsigned char zero[32] = {0};
3827 unsigned char tmp[32];
3828
3829 secp256k1_scalar_split_lambda(&s1, &slam, full);
3830
3831 /* check slam*lambda + s1 == full */
3832 secp256k1_scalar_mul(&s, &secp256k1_const_lambda, &slam);
3833 secp256k1_scalar_add(&s, &s, &s1);
3834 CHECK(secp256k1_scalar_eq(&s, full));
3835
3836 /* check that both are <= 128 bits in size */
3837 if (secp256k1_scalar_is_high(&s1)) {
3838 secp256k1_scalar_negate(&s1, &s1);
3839 }
3840 if (secp256k1_scalar_is_high(&slam)) {
3841 secp256k1_scalar_negate(&slam, &slam);
3842 }
3843
3844 secp256k1_scalar_get_b32(tmp, &s1);
3845 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
3846 secp256k1_scalar_get_b32(tmp, &slam);
3847 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
3848}
3849
3850
3851void run_endomorphism_tests(void) {
3852 unsigned i;
3853 static secp256k1_scalar s;
3854 test_scalar_split(&secp256k1_scalar_zero);
3855 test_scalar_split(&secp256k1_scalar_one);
3856 secp256k1_scalar_negate(&s,&secp256k1_scalar_one);
3857 test_scalar_split(&s);
3858 test_scalar_split(&secp256k1_const_lambda);
3859 secp256k1_scalar_add(&s, &secp256k1_const_lambda, &secp256k1_scalar_one);
3860 test_scalar_split(&s);
3861
3862 for (i = 0; i < 100U * count; ++i) {
3863 secp256k1_scalar full;
3864 random_scalar_order_test(&full);
3865 test_scalar_split(&full);
3866 }
3867 for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) {
3868 test_scalar_split(&scalars_near_split_bounds[i]);
3869 }
3870}
3871
3872void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
3873 unsigned char pubkeyc[65];
3874 secp256k1_pubkey pubkey;
3875 secp256k1_ge ge;
3876 size_t pubkeyclen;
3877 int32_t ecount;
3878 ecount = 0;
3879 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3880 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
3881 /* Smaller sizes are tested exhaustively elsewhere. */
3882 int32_t i;
3883 memcpy(&pubkeyc[1], input, 64);
3884 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
3885 for (i = 0; i < 256; i++) {
3886 /* Try all type bytes. */
3887 int xpass;
3888 int ypass;
3889 int ysign;
3890 pubkeyc[0] = i;
3891 /* What sign does this point have? */
3892 ysign = (input[63] & 1) + 2;
3893 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
3894 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
3895 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
3896 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
3897 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
3898 if (xpass || ypass) {
3899 /* These cases must parse. */
3900 unsigned char pubkeyo[65];
3901 size_t outl;
3902 memset(&pubkey, 0, sizeof(pubkey));
3903 VG_UNDEF(&pubkey, sizeof(pubkey));
3904 ecount = 0;
3905 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3906 VG_CHECK(&pubkey, sizeof(pubkey));
3907 outl = 65;
3908 VG_UNDEF(pubkeyo, 65);
3909 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3910 VG_CHECK(pubkeyo, outl);
3911 CHECK(outl == 33);
3912 CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
3913 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
3914 if (ypass) {
3915 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
3916 CHECK(pubkeyo[0] == ysign);
3917 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3918 memset(&pubkey, 0, sizeof(pubkey));
3919 VG_UNDEF(&pubkey, sizeof(pubkey));
3920 secp256k1_pubkey_save(&pubkey, &ge);
3921 VG_CHECK(&pubkey, sizeof(pubkey));
3922 outl = 65;
3923 VG_UNDEF(pubkeyo, 65);
3924 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3925 VG_CHECK(pubkeyo, outl);
3926 CHECK(outl == 65);
3927 CHECK(pubkeyo[0] == 4);
3928 CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0);
3929 }
3930 CHECK(ecount == 0);
3931 } else {
3932 /* These cases must fail to parse. */
3933 memset(&pubkey, 0xfe, sizeof(pubkey));
3934 ecount = 0;
3935 VG_UNDEF(&pubkey, sizeof(pubkey));
3936 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
3937 VG_CHECK(&pubkey, sizeof(pubkey));
3938 CHECK(ecount == 0);
3939 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3940 CHECK(ecount == 1);
3941 }
3942 }
3943 }
3944 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3945}
3946
3947void run_ec_pubkey_parse_test(void) {
3948#define SECP256K1_EC_PARSE_TEST_NVALID (12)
3949 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
3950 {
3951 /* Point with leading and trailing zeros in x and y serialization. */
3952 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
3953 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3954 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
3955 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
3956 },
3957 {
3958 /* Point with x equal to a 3rd root of unity.*/
3959 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
3960 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
3961 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3962 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3963 },
3964 {
3965 /* Point with largest x. (1/2) */
3966 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3967 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3968 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
3969 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
3970 },
3971 {
3972 /* Point with largest x. (2/2) */
3973 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3974 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3975 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
3976 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
3977 },
3978 {
3979 /* Point with smallest x. (1/2) */
3980 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3981 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3982 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3983 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3984 },
3985 {
3986 /* Point with smallest x. (2/2) */
3987 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3988 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3989 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3990 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3991 },
3992 {
3993 /* Point with largest y. (1/3) */
3994 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3995 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3996 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3997 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3998 },
3999 {
4000 /* Point with largest y. (2/3) */
4001 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
4002 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
4003 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4004 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4005 },
4006 {
4007 /* Point with largest y. (3/3) */
4008 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
4009 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
4010 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4011 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4012 },
4013 {
4014 /* Point with smallest y. (1/3) */
4015 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
4016 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
4017 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4018 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4019 },
4020 {
4021 /* Point with smallest y. (2/3) */
4022 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
4023 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
4024 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4025 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4026 },
4027 {
4028 /* Point with smallest y. (3/3) */
4029 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
4030 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
4031 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4032 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
4033 }
4034 };
4035#define SECP256K1_EC_PARSE_TEST_NXVALID (4)
4036 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
4037 {
4038 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
4039 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
4040 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
4041 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4042 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4043 },
4044 {
4045 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
4046 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
4047 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
4048 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4049 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4050 },
4051 {
4052 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
4053 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
4054 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
4055 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4056 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4057 },
4058 {
4059 /* x on curve, y is from y^2 = x^3 + 8. */
4060 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4061 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4062 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4063 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
4064 }
4065 };
4066#define SECP256K1_EC_PARSE_TEST_NINVALID (7)
4067 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
4068 {
4069 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
4070 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
4071 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
4072 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4073 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4074 },
4075 {
4076 /* Valid if x overflow ignored (x = 1 mod p). */
4077 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4078 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4079 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
4080 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
4081 },
4082 {
4083 /* Valid if x overflow ignored (x = 1 mod p). */
4084 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4085 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
4086 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
4087 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
4088 },
4089 {
4090 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
4091 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4092 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4093 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
4094 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
4095 },
4096 {
4097 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
4098 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4099 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
4100 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
4101 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
4102 },
4103 {
4104 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
4105 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4106 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4107 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
4108 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
4109 },
4110 {
4111 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
4112 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4113 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4114 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
4115 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
4116 }
4117 };
4118 const unsigned char pubkeyc[66] = {
4119 /* Serialization of G. */
4120 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
4121 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
4122 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
4123 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
4124 0xB8, 0x00
4125 };
4126 unsigned char sout[65];
4127 unsigned char shortkey[2];
4128 secp256k1_ge ge;
4129 secp256k1_pubkey pubkey;
4130 size_t len;
4131 int32_t i;
4132 int32_t ecount;
4133 int32_t ecount2;
4134 ecount = 0;
4135 /* Nothing should be reading this far into pubkeyc. */
4136 VG_UNDEF(&pubkeyc[65], 1);
4137 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4138 /* Zero length claimed, fail, zeroize, no illegal arg error. */
4139 memset(&pubkey, 0xfe, sizeof(pubkey));
4140 ecount = 0;
4141 VG_UNDEF(shortkey, 2);
4142 VG_UNDEF(&pubkey, sizeof(pubkey));
4143 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
4144 VG_CHECK(&pubkey, sizeof(pubkey));
4145 CHECK(ecount == 0);
4146 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4147 CHECK(ecount == 1);
4148 /* Length one claimed, fail, zeroize, no illegal arg error. */
4149 for (i = 0; i < 256 ; i++) {
4150 memset(&pubkey, 0xfe, sizeof(pubkey));
4151 ecount = 0;
4152 shortkey[0] = i;
4153 VG_UNDEF(&shortkey[1], 1);
4154 VG_UNDEF(&pubkey, sizeof(pubkey));
4155 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
4156 VG_CHECK(&pubkey, sizeof(pubkey));
4157 CHECK(ecount == 0);
4158 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4159 CHECK(ecount == 1);
4160 }
4161 /* Length two claimed, fail, zeroize, no illegal arg error. */
4162 for (i = 0; i < 65536 ; i++) {
4163 memset(&pubkey, 0xfe, sizeof(pubkey));
4164 ecount = 0;
4165 shortkey[0] = i & 255;
4166 shortkey[1] = i >> 8;
4167 VG_UNDEF(&pubkey, sizeof(pubkey));
4168 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
4169 VG_CHECK(&pubkey, sizeof(pubkey));
4170 CHECK(ecount == 0);
4171 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4172 CHECK(ecount == 1);
4173 }
4174 memset(&pubkey, 0xfe, sizeof(pubkey));
4175 ecount = 0;
4176 VG_UNDEF(&pubkey, sizeof(pubkey));
4177 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
4178 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
4179 VG_CHECK(&pubkey, sizeof(pubkey));
4180 CHECK(ecount == 0);
4181 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4182 CHECK(ecount == 1);
4183 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
4184 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
4185 CHECK(ecount == 2);
4186 /* NULL input string. Illegal arg and zeroize output. */
4187 memset(&pubkey, 0xfe, sizeof(pubkey));
4188 ecount = 0;
4189 VG_UNDEF(&pubkey, sizeof(pubkey));
4190 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
4191 VG_CHECK(&pubkey, sizeof(pubkey));
4192 CHECK(ecount == 1);
4193 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4194 CHECK(ecount == 2);
4195 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
4196 memset(&pubkey, 0xfe, sizeof(pubkey));
4197 ecount = 0;
4198 VG_UNDEF(&pubkey, sizeof(pubkey));
4199 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
4200 VG_CHECK(&pubkey, sizeof(pubkey));
4201 CHECK(ecount == 0);
4202 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4203 CHECK(ecount == 1);
4204 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
4205 memset(&pubkey, 0xfe, sizeof(pubkey));
4206 ecount = 0;
4207 VG_UNDEF(&pubkey, sizeof(pubkey));
4208 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
4209 VG_CHECK(&pubkey, sizeof(pubkey));
4210 CHECK(ecount == 0);
4211 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4212 CHECK(ecount == 1);
4213 /* Valid parse. */
4214 memset(&pubkey, 0, sizeof(pubkey));
4215 ecount = 0;
4216 VG_UNDEF(&pubkey, sizeof(pubkey));
4217 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
4218 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
4219 VG_CHECK(&pubkey, sizeof(pubkey));
4220 CHECK(ecount == 0);
4221 VG_UNDEF(&ge, sizeof(ge));
4222 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
4223 VG_CHECK(&ge.x, sizeof(ge.x));
4224 VG_CHECK(&ge.y, sizeof(ge.y));
4225 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
4226 ge_equals_ge(&secp256k1_ge_const_g, &ge);
4227 CHECK(ecount == 0);
4228 /* secp256k1_ec_pubkey_serialize illegal args. */
4229 ecount = 0;
4230 len = 65;
4231 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
4232 CHECK(ecount == 1);
4233 CHECK(len == 0);
4234 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
4235 CHECK(ecount == 2);
4236 len = 65;
4237 VG_UNDEF(sout, 65);
4238 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
4239 VG_CHECK(sout, 65);
4240 CHECK(ecount == 3);
4241 CHECK(len == 0);
4242 len = 65;
4243 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
4244 CHECK(ecount == 4);
4245 CHECK(len == 0);
4246 len = 65;
4247 VG_UNDEF(sout, 65);
4248 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
4249 VG_CHECK(sout, 65);
4250 CHECK(ecount == 4);
4251 CHECK(len == 65);
4252 /* Multiple illegal args. Should still set arg error only once. */
4253 ecount = 0;
4254 ecount2 = 11;
4255 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
4256 CHECK(ecount == 1);
4257 /* Does the illegal arg callback actually change the behavior? */
4258 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
4259 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
4260 CHECK(ecount == 1);
4261 CHECK(ecount2 == 10);
4262 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4263 /* Try a bunch of prefabbed points with all possible encodings. */
4264 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
4265 ec_pubkey_parse_pointtest(valid[i], 1, 1);
4266 }
4267 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
4268 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
4269 }
4270 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
4271 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
4272 }
4273}
4274
4275void run_eckey_edge_case_test(void) {
4276 const unsigned char orderc[32] = {
4277 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4278 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4279 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4280 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
4281 };
4282 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
4283 unsigned char ctmp[33];
4284 unsigned char ctmp2[33];
4285 secp256k1_pubkey pubkey;
4286 secp256k1_pubkey pubkey2;
4287 secp256k1_pubkey pubkey_one;
4288 secp256k1_pubkey pubkey_negone;
4289 const secp256k1_pubkey *pubkeys[3];
4290 size_t len;
4291 int32_t ecount;
4292 /* Group order is too large, reject. */
4293 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
4294 VG_UNDEF(&pubkey, sizeof(pubkey));
4295 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
4296 VG_CHECK(&pubkey, sizeof(pubkey));
4297 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4298 /* Maximum value is too large, reject. */
4299 memset(ctmp, 255, 32);
4300 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4301 memset(&pubkey, 1, sizeof(pubkey));
4302 VG_UNDEF(&pubkey, sizeof(pubkey));
4303 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4304 VG_CHECK(&pubkey, sizeof(pubkey));
4305 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4306 /* Zero is too small, reject. */
4307 memset(ctmp, 0, 32);
4308 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4309 memset(&pubkey, 1, sizeof(pubkey));
4310 VG_UNDEF(&pubkey, sizeof(pubkey));
4311 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4312 VG_CHECK(&pubkey, sizeof(pubkey));
4313 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4314 /* One must be accepted. */
4315 ctmp[31] = 0x01;
4316 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4317 memset(&pubkey, 0, sizeof(pubkey));
4318 VG_UNDEF(&pubkey, sizeof(pubkey));
4319 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
4320 VG_CHECK(&pubkey, sizeof(pubkey));
4321 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4322 pubkey_one = pubkey;
4323 /* Group order + 1 is too large, reject. */
4324 memcpy(ctmp, orderc, 32);
4325 ctmp[31] = 0x42;
4326 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4327 memset(&pubkey, 1, sizeof(pubkey));
4328 VG_UNDEF(&pubkey, sizeof(pubkey));
4329 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4330 VG_CHECK(&pubkey, sizeof(pubkey));
4331 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4332 /* -1 must be accepted. */
4333 ctmp[31] = 0x40;
4334 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4335 memset(&pubkey, 0, sizeof(pubkey));
4336 VG_UNDEF(&pubkey, sizeof(pubkey));
4337 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
4338 VG_CHECK(&pubkey, sizeof(pubkey));
4339 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4340 pubkey_negone = pubkey;
4341 /* Tweak of zero leaves the value unchanged. */
4342 memset(ctmp2, 0, 32);
4343 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 1);
4344 CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
4345 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
4346 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4347 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4348 /* Multiply tweak of zero zeroizes the output. */
4349 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
4350 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4351 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
4352 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4353 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4354 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
4355 seckey, the seckey is zeroized. */
4356 memcpy(ctmp, orderc, 32);
4357 memset(ctmp2, 0, 32);
4358 ctmp2[31] = 0x01;
4359 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp2) == 1);
4360 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4361 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 0);
4362 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4363 memcpy(ctmp, orderc, 32);
4364 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
4365 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4366 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
4367 tweak, the seckey is zeroized. */
4368 memcpy(ctmp, orderc, 32);
4369 ctmp[31] = 0x40;
4370 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, orderc) == 0);
4371 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4372 memcpy(ctmp, orderc, 32);
4373 ctmp[31] = 0x40;
4374 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, orderc) == 0);
4375 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4376 memcpy(ctmp, orderc, 32);
4377 ctmp[31] = 0x40;
4378 /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
4379 tweak, the pubkey is zeroized. */
4380 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
4381 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4382 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4383 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
4384 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4385 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4386 /* If the resulting key in secp256k1_ec_seckey_tweak_add and
4387 * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
4388 * case the pubkey is zeroized. */
4389 memcpy(ctmp, orderc, 32);
4390 ctmp[31] = 0x40;
4391 memset(ctmp2, 0, 32);
4392 ctmp2[31] = 1;
4393 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 0);
4394 CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0);
4395 ctmp2[31] = 1;
4396 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
4397 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4398 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4399 /* Tweak computation wraps and results in a key of 1. */
4400 ctmp2[31] = 2;
4401 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 1);
4402 CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
4403 ctmp2[31] = 2;
4404 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4405 ctmp2[31] = 1;
4406 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
4407 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4408 /* Tweak mul * 2 = 1+1. */
4409 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4410 ctmp2[31] = 2;
4411 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
4412 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4413 /* Test argument errors. */
4414 ecount = 0;
4415 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4416 CHECK(ecount == 0);
4417 /* Zeroize pubkey on parse error. */
4418 memset(&pubkey, 0, 32);
4419 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
4420 CHECK(ecount == 1);
4421 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4422 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4423 memset(&pubkey2, 0, 32);
4424 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
4425 CHECK(ecount == 2);
4426 CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0);
4427 /* Plain argument errors. */
4428 ecount = 0;
4429 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4430 CHECK(ecount == 0);
4431 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
4432 CHECK(ecount == 1);
4433 ecount = 0;
4434 memset(ctmp2, 0, 32);
4435 ctmp2[31] = 4;
4436 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
4437 CHECK(ecount == 1);
4438 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
4439 CHECK(ecount == 2);
4440 ecount = 0;
4441 memset(ctmp2, 0, 32);
4442 ctmp2[31] = 4;
4443 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
4444 CHECK(ecount == 1);
4445 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
4446 CHECK(ecount == 2);
4447 ecount = 0;
4448 memset(ctmp2, 0, 32);
4449 CHECK(secp256k1_ec_seckey_tweak_add(ctx, NULL, ctmp2) == 0);
4450 CHECK(ecount == 1);
4451 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, NULL) == 0);
4452 CHECK(ecount == 2);
4453 ecount = 0;
4454 memset(ctmp2, 0, 32);
4455 ctmp2[31] = 1;
4456 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, NULL, ctmp2) == 0);
4457 CHECK(ecount == 1);
4458 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, NULL) == 0);
4459 CHECK(ecount == 2);
4460 ecount = 0;
4461 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
4462 CHECK(ecount == 1);
4463 memset(&pubkey, 1, sizeof(pubkey));
4464 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4465 CHECK(ecount == 2);
4466 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4467 /* secp256k1_ec_pubkey_combine tests. */
4468 ecount = 0;
4469 pubkeys[0] = &pubkey_one;
4470 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
4471 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
4472 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
4473 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4474 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4475 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
4476 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4477 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4478 CHECK(ecount == 1);
4479 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
4480 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4481 CHECK(ecount == 2);
4482 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4483 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4484 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
4485 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4486 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4487 CHECK(ecount == 3);
4488 pubkeys[0] = &pubkey_negone;
4489 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4490 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4491 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
4492 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4493 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4494 CHECK(ecount == 3);
4495 len = 33;
4496 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4497 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
4498 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
4499 /* Result is infinity. */
4500 pubkeys[0] = &pubkey_one;
4501 pubkeys[1] = &pubkey_negone;
4502 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4503 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4504 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
4505 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4506 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4507 CHECK(ecount == 3);
4508 /* Passes through infinity but comes out one. */
4509 pubkeys[2] = &pubkey_one;
4510 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4511 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4512 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
4513 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4514 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4515 CHECK(ecount == 3);
4516 len = 33;
4517 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4518 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
4519 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
4520 /* Adds to two. */
4521 pubkeys[1] = &pubkey_one;
4522 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4523 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4524 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
4525 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4526 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4527 CHECK(ecount == 3);
4528 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4529}
4530
4531void run_eckey_negate_test(void) {
4532 unsigned char seckey[32];
4533 unsigned char seckey_tmp[32];
4534
4535 random_scalar_order_b32(seckey);
4536 memcpy(seckey_tmp, seckey, 32);
4537
4538 /* Verify negation changes the key and changes it back */
4539 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4540 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0);
4541 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4542 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4543
4544 /* Check that privkey alias gives same result */
4545 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4546 CHECK(secp256k1_ec_privkey_negate(ctx, seckey_tmp) == 1);
4547 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4548
4549 /* Negating all 0s fails */
4550 memset(seckey, 0, 32);
4551 memset(seckey_tmp, 0, 32);
4552 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
4553 /* Check that seckey is not modified */
4554 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4555
4556 /* Negating an overflowing seckey fails and the seckey is zeroed. In this
4557 * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
4558 * doesn't just set seckey to a constant value in case of failure. */
4559 random_scalar_order_b32(seckey);
4560 memset(seckey, 0xFF, 16);
4561 memset(seckey_tmp, 0, 32);
4562 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
4563 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4564}
4565
4566void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
4567 secp256k1_scalar nonce;
4568 do {
4569 random_scalar_order_test(&nonce);
4570 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
4571}
4572
4573void test_ecdsa_sign_verify(void) {
4574 secp256k1_gej pubj;
4575 secp256k1_ge pub;
4576 secp256k1_scalar one;
4577 secp256k1_scalar msg, key;
4578 secp256k1_scalar sigr, sigs;
4579 int getrec;
4580 int recid;
4581 random_scalar_order_test(&msg);
4582 random_scalar_order_test(&key);
4583 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
4584 secp256k1_ge_set_gej(&pub, &pubj);
4585 getrec = secp256k1_testrand_bits(1);
4586 /* The specific way in which this conditional is written sidesteps a potential bug in clang.
4587 See the commit messages of the commit that introduced this comment for details. */
4588 if (getrec) {
4589 random_sign(&sigr, &sigs, &key, &msg, &recid);
4590 CHECK(recid >= 0 && recid < 4);
4591 } else {
4592 random_sign(&sigr, &sigs, &key, &msg, NULL);
4593 }
4594 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
4595 secp256k1_scalar_set_int(&one, 1);
4596 secp256k1_scalar_add(&msg, &msg, &one);
4597 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
4598}
4599
4600void run_ecdsa_sign_verify(void) {
4601 int i;
4602 for (i = 0; i < 10*count; i++) {
4603 test_ecdsa_sign_verify();
4604 }
4605}
4606
4608static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4609 (void)msg32;
4610 (void)key32;
4611 (void)algo16;
4612 memcpy(nonce32, data, 32);
4613 return (counter == 0);
4614}
4615
4616static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4617 /* Dummy nonce generator that has a fatal error on the first counter value. */
4618 if (counter == 0) {
4619 return 0;
4620 }
4621 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
4622}
4623
4624static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4625 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
4626 if (counter < 3) {
4627 memset(nonce32, counter==0 ? 0 : 255, 32);
4628 if (counter == 2) {
4629 nonce32[31]--;
4630 }
4631 return 1;
4632 }
4633 if (counter < 5) {
4634 static const unsigned char order[] = {
4635 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4636 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4637 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4638 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
4639 };
4640 memcpy(nonce32, order, 32);
4641 if (counter == 4) {
4642 nonce32[31]++;
4643 }
4644 return 1;
4645 }
4646 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
4647 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
4648 if (counter > 5) {
4649 return 0;
4650 }
4651 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
4652}
4653
4654int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
4655 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
4656 return secp256k1_memcmp_var(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
4657}
4658
4659void test_ecdsa_end_to_end(void) {
4660 unsigned char extra[32] = {0x00};
4661 unsigned char privkey[32];
4662 unsigned char message[32];
4663 unsigned char privkey2[32];
4664 secp256k1_ecdsa_signature signature[6];
4665 secp256k1_scalar r, s;
4666 unsigned char sig[74];
4667 size_t siglen = 74;
4668 unsigned char pubkeyc[65];
4669 size_t pubkeyclen = 65;
4670 secp256k1_pubkey pubkey;
4671 secp256k1_pubkey pubkey_tmp;
4672 unsigned char seckey[300];
4673 size_t seckeylen = 300;
4674
4675 /* Generate a random key and message. */
4676 {
4677 secp256k1_scalar msg, key;
4678 random_scalar_order_test(&msg);
4679 random_scalar_order_test(&key);
4680 secp256k1_scalar_get_b32(privkey, &key);
4681 secp256k1_scalar_get_b32(message, &msg);
4682 }
4683
4684 /* Construct and verify corresponding public key. */
4685 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
4686 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
4687
4688 /* Verify exporting and importing public key. */
4689 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_testrand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
4690 memset(&pubkey, 0, sizeof(pubkey));
4691 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
4692
4693 /* Verify negation changes the key and changes it back */
4694 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
4695 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4696 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
4697 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4698 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
4699
4700 /* Verify private key import and export. */
4701 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_testrand_bits(1) == 1));
4702 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
4703 CHECK(secp256k1_memcmp_var(privkey, privkey2, 32) == 0);
4704
4705 /* Optionally tweak the keys using addition. */
4706 if (secp256k1_testrand_int(3) == 0) {
4707 int ret1;
4708 int ret2;
4709 int ret3;
4710 unsigned char rnd[32];
4711 unsigned char privkey_tmp[32];
4712 secp256k1_pubkey pubkey2;
4713 secp256k1_testrand256_test(rnd);
4714 memcpy(privkey_tmp, privkey, 32);
4715 ret1 = secp256k1_ec_seckey_tweak_add(ctx, privkey, rnd);
4716 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
4717 /* Check that privkey alias gives same result */
4718 ret3 = secp256k1_ec_privkey_tweak_add(ctx, privkey_tmp, rnd);
4719 CHECK(ret1 == ret2);
4720 CHECK(ret2 == ret3);
4721 if (ret1 == 0) {
4722 return;
4723 }
4724 CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
4725 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4726 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4727 }
4728
4729 /* Optionally tweak the keys using multiplication. */
4730 if (secp256k1_testrand_int(3) == 0) {
4731 int ret1;
4732 int ret2;
4733 int ret3;
4734 unsigned char rnd[32];
4735 unsigned char privkey_tmp[32];
4736 secp256k1_pubkey pubkey2;
4737 secp256k1_testrand256_test(rnd);
4738 memcpy(privkey_tmp, privkey, 32);
4739 ret1 = secp256k1_ec_seckey_tweak_mul(ctx, privkey, rnd);
4740 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
4741 /* Check that privkey alias gives same result */
4742 ret3 = secp256k1_ec_privkey_tweak_mul(ctx, privkey_tmp, rnd);
4743 CHECK(ret1 == ret2);
4744 CHECK(ret2 == ret3);
4745 if (ret1 == 0) {
4746 return;
4747 }
4748 CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
4749 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4750 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4751 }
4752
4753 /* Sign. */
4754 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
4755 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
4756 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
4757 extra[31] = 1;
4758 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
4759 extra[31] = 0;
4760 extra[0] = 1;
4761 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
4762 CHECK(secp256k1_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0);
4763 CHECK(secp256k1_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0);
4764 CHECK(secp256k1_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0);
4765 CHECK(secp256k1_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0);
4766 CHECK(secp256k1_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0);
4767 CHECK(secp256k1_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0);
4768 CHECK(secp256k1_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0);
4769 /* Verify. */
4770 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4771 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
4772 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
4773 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
4774 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
4775 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
4776 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
4777 secp256k1_scalar_negate(&s, &s);
4778 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4779 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
4780 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4781 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4782 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4783 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4784 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4785 secp256k1_scalar_negate(&s, &s);
4786 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4787 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4788 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4789 CHECK(secp256k1_memcmp_var(&signature[5], &signature[0], 64) == 0);
4790
4791 /* Serialize/parse DER and verify again */
4792 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4793 memset(&signature[0], 0, sizeof(signature[0]));
4794 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
4795 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4796 /* Serialize/destroy/parse DER and verify again. */
4797 siglen = 74;
4798 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4799 sig[secp256k1_testrand_int(siglen)] += 1 + secp256k1_testrand_int(255);
4800 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
4801 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
4802}
4803
4804void test_random_pubkeys(void) {
4805 secp256k1_ge elem;
4806 secp256k1_ge elem2;
4807 unsigned char in[65];
4808 /* Generate some randomly sized pubkeys. */
4809 size_t len = secp256k1_testrand_bits(2) == 0 ? 65 : 33;
4810 if (secp256k1_testrand_bits(2) == 0) {
4811 len = secp256k1_testrand_bits(6);
4812 }
4813 if (len == 65) {
4814 in[0] = secp256k1_testrand_bits(1) ? 4 : (secp256k1_testrand_bits(1) ? 6 : 7);
4815 } else {
4816 in[0] = secp256k1_testrand_bits(1) ? 2 : 3;
4817 }
4818 if (secp256k1_testrand_bits(3) == 0) {
4819 in[0] = secp256k1_testrand_bits(8);
4820 }
4821 if (len > 1) {
4822 secp256k1_testrand256(&in[1]);
4823 }
4824 if (len > 33) {
4825 secp256k1_testrand256(&in[33]);
4826 }
4827 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
4828 unsigned char out[65];
4829 unsigned char firstb;
4830 int res;
4831 size_t size = len;
4832 firstb = in[0];
4833 /* If the pubkey can be parsed, it should round-trip... */
4834 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
4835 CHECK(size == len);
4836 CHECK(secp256k1_memcmp_var(&in[1], &out[1], len-1) == 0);
4837 /* ... except for the type of hybrid inputs. */
4838 if ((in[0] != 6) && (in[0] != 7)) {
4839 CHECK(in[0] == out[0]);
4840 }
4841 size = 65;
4842 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
4843 CHECK(size == 65);
4844 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
4845 ge_equals_ge(&elem,&elem2);
4846 /* Check that the X9.62 hybrid type is checked. */
4847 in[0] = secp256k1_testrand_bits(1) ? 6 : 7;
4848 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
4849 if (firstb == 2 || firstb == 3) {
4850 if (in[0] == firstb + 4) {
4851 CHECK(res);
4852 } else {
4853 CHECK(!res);
4854 }
4855 }
4856 if (res) {
4857 ge_equals_ge(&elem,&elem2);
4858 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
4859 CHECK(secp256k1_memcmp_var(&in[1], &out[1], 64) == 0);
4860 }
4861 }
4862}
4863
4864void run_pubkey_comparison(void) {
4865 unsigned char pk1_ser[33] = {
4866 0x02,
4867 0x58, 0x84, 0xb3, 0xa2, 0x4b, 0x97, 0x37, 0x88, 0x92, 0x38, 0xa6, 0x26, 0x62, 0x52, 0x35, 0x11,
4868 0xd0, 0x9a, 0xa1, 0x1b, 0x80, 0x0b, 0x5e, 0x93, 0x80, 0x26, 0x11, 0xef, 0x67, 0x4b, 0xd9, 0x23
4869 };
4870 const unsigned char pk2_ser[33] = {
4871 0x02,
4872 0xde, 0x36, 0x0e, 0x87, 0x59, 0x8f, 0x3c, 0x01, 0x36, 0x2a, 0x2a, 0xb8, 0xc6, 0xf4, 0x5e, 0x4d,
4873 0xb2, 0xc2, 0xd5, 0x03, 0xa7, 0xf9, 0xf1, 0x4f, 0xa8, 0xfa, 0x95, 0xa8, 0xe9, 0x69, 0x76, 0x1c
4874 };
4875 secp256k1_pubkey pk1;
4876 secp256k1_pubkey pk2;
4877 int32_t ecount = 0;
4878
4879 CHECK(secp256k1_ec_pubkey_parse(ctx, &pk1, pk1_ser, sizeof(pk1_ser)) == 1);
4880 CHECK(secp256k1_ec_pubkey_parse(ctx, &pk2, pk2_ser, sizeof(pk2_ser)) == 1);
4881
4882 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4883 CHECK(secp256k1_ec_pubkey_cmp(ctx, NULL, &pk2) < 0);
4884 CHECK(ecount == 1);
4885 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, NULL) > 0);
4886 CHECK(ecount == 2);
4887 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, &pk2) < 0);
4888 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk1) > 0);
4889 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, &pk1) == 0);
4890 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk2) == 0);
4891 CHECK(ecount == 2);
4892 {
4893 secp256k1_pubkey pk_tmp;
4894 memset(&pk_tmp, 0, sizeof(pk_tmp)); /* illegal pubkey */
4895 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk_tmp, &pk2) < 0);
4896 CHECK(ecount == 3);
4897 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk_tmp, &pk_tmp) == 0);
4898 CHECK(ecount == 5);
4899 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk_tmp) > 0);
4900 CHECK(ecount == 6);
4901 }
4902
4903 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4904
4905 /* Make pk2 the same as pk1 but with 3 rather than 2. Note that in
4906 * an uncompressed encoding, these would have the opposite ordering */
4907 pk1_ser[0] = 3;
4908 CHECK(secp256k1_ec_pubkey_parse(ctx, &pk2, pk1_ser, sizeof(pk1_ser)) == 1);
4909 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk1, &pk2) < 0);
4910 CHECK(secp256k1_ec_pubkey_cmp(ctx, &pk2, &pk1) > 0);
4911}
4912
4913void run_random_pubkeys(void) {
4914 int i;
4915 for (i = 0; i < 10*count; i++) {
4916 test_random_pubkeys();
4917 }
4918}
4919
4920void run_ecdsa_end_to_end(void) {
4921 int i;
4922 for (i = 0; i < 64*count; i++) {
4923 test_ecdsa_end_to_end();
4924 }
4925}
4926
4927int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
4928 static const unsigned char zeroes[32] = {0};
4929
4930 int ret = 0;
4931
4932 secp256k1_ecdsa_signature sig_der;
4933 unsigned char roundtrip_der[2048];
4934 unsigned char compact_der[64];
4935 size_t len_der = 2048;
4936 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
4937
4938 secp256k1_ecdsa_signature sig_der_lax;
4939 unsigned char roundtrip_der_lax[2048];
4940 unsigned char compact_der_lax[64];
4941 size_t len_der_lax = 2048;
4942 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
4943
4944 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
4945 if (parsed_der) {
4946 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
4947 valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0);
4948 }
4949 if (valid_der) {
4950 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
4951 roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0;
4952 }
4953
4954 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
4955 if (parsed_der_lax) {
4956 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
4957 valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0);
4958 }
4959 if (valid_der_lax) {
4960 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
4961 roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0;
4962 }
4963
4964 if (certainly_der) {
4965 ret |= (!parsed_der) << 2;
4966 }
4967 if (certainly_not_der) {
4968 ret |= (parsed_der) << 17;
4969 }
4970 if (valid_der) {
4971 ret |= (!roundtrips_der) << 3;
4972 }
4973
4974 if (valid_der) {
4975 ret |= (!roundtrips_der_lax) << 12;
4976 ret |= (len_der != len_der_lax) << 13;
4977 ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
4978 }
4979 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
4980 if (parsed_der) {
4981 ret |= (!parsed_der_lax) << 16;
4982 }
4983
4984 return ret;
4985}
4986
4987static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
4988 size_t i;
4989 for (i = 0; i < ptrlen; i++) {
4990 int shift = ptrlen - 1 - i;
4991 if (shift >= 4) {
4992 ptr[i] = 0;
4993 } else {
4994 ptr[i] = (val >> shift) & 0xFF;
4995 }
4996 }
4997}
4998
4999static void damage_array(unsigned char *sig, size_t *len) {
5000 int pos;
5001 int action = secp256k1_testrand_bits(3);
5002 if (action < 1 && *len > 3) {
5003 /* Delete a byte. */
5004 pos = secp256k1_testrand_int(*len);
5005 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
5006 (*len)--;
5007 return;
5008 } else if (action < 2 && *len < 2048) {
5009 /* Insert a byte. */
5010 pos = secp256k1_testrand_int(1 + *len);
5011 memmove(sig + pos + 1, sig + pos, *len - pos);
5012 sig[pos] = secp256k1_testrand_bits(8);
5013 (*len)++;
5014 return;
5015 } else if (action < 4) {
5016 /* Modify a byte. */
5017 sig[secp256k1_testrand_int(*len)] += 1 + secp256k1_testrand_int(255);
5018 return;
5019 } else { /* action < 8 */
5020 /* Modify a bit. */
5021 sig[secp256k1_testrand_int(*len)] ^= 1 << secp256k1_testrand_bits(3);
5022 return;
5023 }
5024}
5025
5026static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
5027 int der;
5028 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
5029 size_t tlen, elen, glen;
5030 int indet;
5031 int n;
5032
5033 *len = 0;
5034 der = secp256k1_testrand_bits(2) == 0;
5035 *certainly_der = der;
5036 *certainly_not_der = 0;
5037 indet = der ? 0 : secp256k1_testrand_int(10) == 0;
5038
5039 for (n = 0; n < 2; n++) {
5040 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
5041 nlow[n] = der ? 1 : (secp256k1_testrand_bits(3) != 0);
5042 /* The length of the number in bytes (the first byte of which will always be nonzero) */
5043 nlen[n] = nlow[n] ? secp256k1_testrand_int(33) : 32 + secp256k1_testrand_int(200) * secp256k1_testrand_int(8) / 8;
5044 CHECK(nlen[n] <= 232);
5045 /* The top bit of the number. */
5046 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_testrand_bits(1));
5047 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
5048 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_testrand_bits(7) : 1 + secp256k1_testrand_int(127));
5049 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
5050 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_testrand_int(3) : secp256k1_testrand_int(300 - nlen[n]) * secp256k1_testrand_int(8) / 8);
5051 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
5052 *certainly_not_der = 1;
5053 }
5054 CHECK(nlen[n] + nzlen[n] <= 300);
5055 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
5056 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
5057 if (!der) {
5058 /* nlenlen[n] max 127 bytes */
5059 int add = secp256k1_testrand_int(127 - nlenlen[n]) * secp256k1_testrand_int(16) * secp256k1_testrand_int(16) / 256;
5060 nlenlen[n] += add;
5061 if (add != 0) {
5062 *certainly_not_der = 1;
5063 }
5064 }
5065 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
5066 }
5067
5068 /* The total length of the data to go, so far */
5069 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
5070 CHECK(tlen <= 856);
5071
5072 /* The length of the garbage inside the tuple. */
5073 elen = (der || indet) ? 0 : secp256k1_testrand_int(980 - tlen) * secp256k1_testrand_int(8) / 8;
5074 if (elen != 0) {
5075 *certainly_not_der = 1;
5076 }
5077 tlen += elen;
5078 CHECK(tlen <= 980);
5079
5080 /* The length of the garbage after the end of the tuple. */
5081 glen = der ? 0 : secp256k1_testrand_int(990 - tlen) * secp256k1_testrand_int(8) / 8;
5082 if (glen != 0) {
5083 *certainly_not_der = 1;
5084 }
5085 CHECK(tlen + glen <= 990);
5086
5087 /* Write the tuple header. */
5088 sig[(*len)++] = 0x30;
5089 if (indet) {
5090 /* Indeterminate length */
5091 sig[(*len)++] = 0x80;
5092 *certainly_not_der = 1;
5093 } else {
5094 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
5095 if (!der) {
5096 int add = secp256k1_testrand_int(127 - tlenlen) * secp256k1_testrand_int(16) * secp256k1_testrand_int(16) / 256;
5097 tlenlen += add;
5098 if (add != 0) {
5099 *certainly_not_der = 1;
5100 }
5101 }
5102 if (tlenlen == 0) {
5103 /* Short length notation */
5104 sig[(*len)++] = tlen;
5105 } else {
5106 /* Long length notation */
5107 sig[(*len)++] = 128 + tlenlen;
5108 assign_big_endian(sig + *len, tlenlen, tlen);
5109 *len += tlenlen;
5110 }
5111 tlen += tlenlen;
5112 }
5113 tlen += 2;
5114 CHECK(tlen + glen <= 1119);
5115
5116 for (n = 0; n < 2; n++) {
5117 /* Write the integer header. */
5118 sig[(*len)++] = 0x02;
5119 if (nlenlen[n] == 0) {
5120 /* Short length notation */
5121 sig[(*len)++] = nlen[n] + nzlen[n];
5122 } else {
5123 /* Long length notation. */
5124 sig[(*len)++] = 128 + nlenlen[n];
5125 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
5126 *len += nlenlen[n];
5127 }
5128 /* Write zero padding */
5129 while (nzlen[n] > 0) {
5130 sig[(*len)++] = 0x00;
5131 nzlen[n]--;
5132 }
5133 if (nlen[n] == 32 && !nlow[n]) {
5134 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
5135 int i;
5136 for (i = 0; i < 16; i++) {
5137 sig[(*len)++] = 0xFF;
5138 }
5139 nlen[n] -= 16;
5140 }
5141 /* Write first byte of number */
5142 if (nlen[n] > 0) {
5143 sig[(*len)++] = nhbyte[n];
5144 nlen[n]--;
5145 }
5146 /* Generate remaining random bytes of number */
5147 secp256k1_testrand_bytes_test(sig + *len, nlen[n]);
5148 *len += nlen[n];
5149 nlen[n] = 0;
5150 }
5151
5152 /* Generate random garbage inside tuple. */
5153 secp256k1_testrand_bytes_test(sig + *len, elen);
5154 *len += elen;
5155
5156 /* Generate end-of-contents bytes. */
5157 if (indet) {
5158 sig[(*len)++] = 0;
5159 sig[(*len)++] = 0;
5160 tlen += 2;
5161 }
5162 CHECK(tlen + glen <= 1121);
5163
5164 /* Generate random garbage outside tuple. */
5165 secp256k1_testrand_bytes_test(sig + *len, glen);
5166 *len += glen;
5167 tlen += glen;
5168 CHECK(tlen <= 1121);
5169 CHECK(tlen == *len);
5170}
5171
5172void run_ecdsa_der_parse(void) {
5173 int i,j;
5174 for (i = 0; i < 200 * count; i++) {
5175 unsigned char buffer[2048];
5176 size_t buflen = 0;
5177 int certainly_der = 0;
5178 int certainly_not_der = 0;
5179 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
5180 CHECK(buflen <= 2048);
5181 for (j = 0; j < 16; j++) {
5182 int ret = 0;
5183 if (j > 0) {
5184 damage_array(buffer, &buflen);
5185 /* We don't know anything anymore about the DERness of the result */
5186 certainly_der = 0;
5187 certainly_not_der = 0;
5188 }
5189 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
5190 if (ret != 0) {
5191 size_t k;
5192 fprintf(stderr, "Failure %x on ", ret);
5193 for (k = 0; k < buflen; k++) {
5194 fprintf(stderr, "%02x ", buffer[k]);
5195 }
5196 fprintf(stderr, "\n");
5197 }
5198 CHECK(ret == 0);
5199 }
5200 }
5201}
5202
5203/* Tests several edge cases. */
5204void test_ecdsa_edge_cases(void) {
5205 int t;
5206 secp256k1_ecdsa_signature sig;
5207
5208 /* Test the case where ECDSA recomputes a point that is infinity. */
5209 {
5210 secp256k1_gej keyj;
5211 secp256k1_ge key;
5212 secp256k1_scalar msg;
5213 secp256k1_scalar sr, ss;
5214 secp256k1_scalar_set_int(&ss, 1);
5215 secp256k1_scalar_negate(&ss, &ss);
5216 secp256k1_scalar_inverse(&ss, &ss);
5217 secp256k1_scalar_set_int(&sr, 1);
5218 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
5219 secp256k1_ge_set_gej(&key, &keyj);
5220 msg = ss;
5221 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5222 }
5223
5224 /* Verify signature with r of zero fails. */
5225 {
5226 const unsigned char pubkey_mods_zero[33] = {
5227 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5228 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5229 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
5230 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
5231 0x41
5232 };
5233 secp256k1_ge key;
5234 secp256k1_scalar msg;
5235 secp256k1_scalar sr, ss;
5236 secp256k1_scalar_set_int(&ss, 1);
5237 secp256k1_scalar_set_int(&msg, 0);
5238 secp256k1_scalar_set_int(&sr, 0);
5239 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
5240 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5241 }
5242
5243 /* Verify signature with s of zero fails. */
5244 {
5245 const unsigned char pubkey[33] = {
5246 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5247 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5248 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5249 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5250 0x01
5251 };
5252 secp256k1_ge key;
5253 secp256k1_scalar msg;
5254 secp256k1_scalar sr, ss;
5255 secp256k1_scalar_set_int(&ss, 0);
5256 secp256k1_scalar_set_int(&msg, 0);
5257 secp256k1_scalar_set_int(&sr, 1);
5258 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5259 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5260 }
5261
5262 /* Verify signature with message 0 passes. */
5263 {
5264 const unsigned char pubkey[33] = {
5265 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5266 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5267 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5268 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5269 0x02
5270 };
5271 const unsigned char pubkey2[33] = {
5272 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5273 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5274 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
5275 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
5276 0x43
5277 };
5278 secp256k1_ge key;
5279 secp256k1_ge key2;
5280 secp256k1_scalar msg;
5281 secp256k1_scalar sr, ss;
5282 secp256k1_scalar_set_int(&ss, 2);
5283 secp256k1_scalar_set_int(&msg, 0);
5284 secp256k1_scalar_set_int(&sr, 2);
5285 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5286 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
5287 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5288 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5289 secp256k1_scalar_negate(&ss, &ss);
5290 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5291 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5292 secp256k1_scalar_set_int(&ss, 1);
5293 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5294 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
5295 }
5296
5297 /* Verify signature with message 1 passes. */
5298 {
5299 const unsigned char pubkey[33] = {
5300 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
5301 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
5302 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
5303 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
5304 0x25
5305 };
5306 const unsigned char pubkey2[33] = {
5307 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
5308 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
5309 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
5310 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
5311 0x62
5312 };
5313 const unsigned char csr[32] = {
5314 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5315 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5316 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
5317 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
5318 };
5319 secp256k1_ge key;
5320 secp256k1_ge key2;
5321 secp256k1_scalar msg;
5322 secp256k1_scalar sr, ss;
5323 secp256k1_scalar_set_int(&ss, 1);
5324 secp256k1_scalar_set_int(&msg, 1);
5325 secp256k1_scalar_set_b32(&sr, csr, NULL);
5326 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5327 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
5328 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5329 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5330 secp256k1_scalar_negate(&ss, &ss);
5331 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5332 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5333 secp256k1_scalar_set_int(&ss, 2);
5334 secp256k1_scalar_inverse_var(&ss, &ss);
5335 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5336 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
5337 }
5338
5339 /* Verify signature with message -1 passes. */
5340 {
5341 const unsigned char pubkey[33] = {
5342 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
5343 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
5344 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
5345 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
5346 0xf1
5347 };
5348 const unsigned char csr[32] = {
5349 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5350 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5351 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
5352 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
5353 };
5354 secp256k1_ge key;
5355 secp256k1_scalar msg;
5356 secp256k1_scalar sr, ss;
5357 secp256k1_scalar_set_int(&ss, 1);
5358 secp256k1_scalar_set_int(&msg, 1);
5359 secp256k1_scalar_negate(&msg, &msg);
5360 secp256k1_scalar_set_b32(&sr, csr, NULL);
5361 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5362 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5363 secp256k1_scalar_negate(&ss, &ss);
5364 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5365 secp256k1_scalar_set_int(&ss, 3);
5366 secp256k1_scalar_inverse_var(&ss, &ss);
5367 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5368 }
5369
5370 /* Signature where s would be zero. */
5371 {
5372 secp256k1_pubkey pubkey;
5373 size_t siglen;
5374 int32_t ecount;
5375 unsigned char signature[72];
5376 static const unsigned char nonce[32] = {
5377 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5378 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5379 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5380 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5381 };
5382 static const unsigned char nonce2[32] = {
5383 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
5384 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
5385 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
5386 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
5387 };
5388 const unsigned char key[32] = {
5389 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5390 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5391 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5392 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5393 };
5394 unsigned char msg[32] = {
5395 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
5396 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
5397 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
5398 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
5399 };
5400 ecount = 0;
5401 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
5402 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
5403 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
5404 msg[31] = 0xaa;
5405 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
5406 CHECK(ecount == 0);
5407 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
5408 CHECK(ecount == 1);
5409 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
5410 CHECK(ecount == 2);
5411 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
5412 CHECK(ecount == 3);
5413 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
5414 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
5415 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
5416 CHECK(ecount == 4);
5417 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
5418 CHECK(ecount == 5);
5419 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
5420 CHECK(ecount == 6);
5421 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
5422 CHECK(ecount == 6);
5423 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
5424 CHECK(ecount == 7);
5425 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
5426 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
5427 CHECK(ecount == 8);
5428 siglen = 72;
5429 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
5430 CHECK(ecount == 9);
5431 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
5432 CHECK(ecount == 10);
5433 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
5434 CHECK(ecount == 11);
5435 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
5436 CHECK(ecount == 11);
5437 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
5438 CHECK(ecount == 12);
5439 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
5440 CHECK(ecount == 13);
5441 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
5442 CHECK(ecount == 13);
5443 siglen = 10;
5444 /* Too little room for a signature does not fail via ARGCHECK. */
5445 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
5446 CHECK(ecount == 13);
5447 ecount = 0;
5448 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
5449 CHECK(ecount == 1);
5450 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
5451 CHECK(ecount == 2);
5452 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
5453 CHECK(ecount == 3);
5454 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
5455 CHECK(ecount == 3);
5456 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
5457 CHECK(ecount == 4);
5458 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
5459 CHECK(ecount == 5);
5460 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
5461 CHECK(ecount == 5);
5462 memset(signature, 255, 64);
5463 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
5464 CHECK(ecount == 5);
5465 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
5466 }
5467
5468 /* Nonce function corner cases. */
5469 for (t = 0; t < 2; t++) {
5470 static const unsigned char zero[32] = {0x00};
5471 int i;
5472 unsigned char key[32];
5473 unsigned char msg[32];
5474 secp256k1_ecdsa_signature sig2;
5475 secp256k1_scalar sr[512], ss;
5476 const unsigned char *extra;
5477 extra = t == 0 ? NULL : zero;
5478 memset(msg, 0, 32);
5479 msg[31] = 1;
5480 /* High key results in signature failure. */
5481 memset(key, 0xFF, 32);
5482 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
5483 CHECK(is_empty_signature(&sig));
5484 /* Zero key results in signature failure. */
5485 memset(key, 0, 32);
5486 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
5487 CHECK(is_empty_signature(&sig));
5488 /* Nonce function failure results in signature failure. */
5489 key[31] = 1;
5490 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
5491 CHECK(is_empty_signature(&sig));
5492 /* The retry loop successfully makes its way to the first good value. */
5493 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
5494 CHECK(!is_empty_signature(&sig));
5495 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
5496 CHECK(!is_empty_signature(&sig2));
5497 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
5498 /* The default nonce function is deterministic. */
5499 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5500 CHECK(!is_empty_signature(&sig2));
5501 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
5502 /* The default nonce function changes output with different messages. */
5503 for(i = 0; i < 256; i++) {
5504 int j;
5505 msg[0] = i;
5506 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5507 CHECK(!is_empty_signature(&sig2));
5508 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
5509 for (j = 0; j < i; j++) {
5510 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
5511 }
5512 }
5513 msg[0] = 0;
5514 msg[31] = 2;
5515 /* The default nonce function changes output with different keys. */
5516 for(i = 256; i < 512; i++) {
5517 int j;
5518 key[0] = i - 256;
5519 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5520 CHECK(!is_empty_signature(&sig2));
5521 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
5522 for (j = 0; j < i; j++) {
5523 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
5524 }
5525 }
5526 key[0] = 0;
5527 }
5528
5529 {
5530 /* Check that optional nonce arguments do not have equivalent effect. */
5531 const unsigned char zeros[32] = {0};
5532 unsigned char nonce[32];
5533 unsigned char nonce2[32];
5534 unsigned char nonce3[32];
5535 unsigned char nonce4[32];
5536 VG_UNDEF(nonce,32);
5537 VG_UNDEF(nonce2,32);
5538 VG_UNDEF(nonce3,32);
5539 VG_UNDEF(nonce4,32);
5540 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
5541 VG_CHECK(nonce,32);
5542 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
5543 VG_CHECK(nonce2,32);
5544 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
5545 VG_CHECK(nonce3,32);
5546 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
5547 VG_CHECK(nonce4,32);
5548 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
5549 CHECK(secp256k1_memcmp_var(nonce, nonce3, 32) != 0);
5550 CHECK(secp256k1_memcmp_var(nonce, nonce4, 32) != 0);
5551 CHECK(secp256k1_memcmp_var(nonce2, nonce3, 32) != 0);
5552 CHECK(secp256k1_memcmp_var(nonce2, nonce4, 32) != 0);
5553 CHECK(secp256k1_memcmp_var(nonce3, nonce4, 32) != 0);
5554 }
5555
5556
5557 /* Privkey export where pubkey is the point at infinity. */
5558 {
5559 unsigned char privkey[300];
5560 unsigned char seckey[32] = {
5561 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5562 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
5563 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
5564 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
5565 };
5566 size_t outlen = 300;
5567 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
5568 outlen = 300;
5569 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
5570 }
5571}
5572
5573void run_ecdsa_edge_cases(void) {
5574 test_ecdsa_edge_cases();
5575}
5576
5577#ifdef ENABLE_MODULE_ECDH
5578# include "modules/ecdh/tests_impl.h"
5579#endif
5580
5581#ifdef ENABLE_MODULE_MULTISET
5582# include "modules/multiset/tests_impl.h"
5583#endif
5584
5585#ifdef ENABLE_MODULE_RECOVERY
5586# include "modules/recovery/tests_impl.h"
5587#endif
5588
5589#ifdef ENABLE_MODULE_SCHNORR
5590# include "modules/schnorr/tests_impl.h"
5591#endif
5592
5593#ifdef ENABLE_MODULE_EXTRAKEYS
5594# include "modules/extrakeys/tests_impl.h"
5595#endif
5596
5597#ifdef ENABLE_MODULE_SCHNORRSIG
5598# include "modules/schnorrsig/tests_impl.h"
5599#endif
5600
5601void run_secp256k1_memczero_test(void) {
5602 unsigned char buf1[6] = {1, 2, 3, 4, 5, 6};
5603 unsigned char buf2[sizeof(buf1)];
5604
5605 /* secp256k1_memczero(..., ..., 0) is a noop. */
5606 memcpy(buf2, buf1, sizeof(buf1));
5607 secp256k1_memczero(buf1, sizeof(buf1), 0);
5608 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
5609
5610 /* secp256k1_memczero(..., ..., 1) zeros the buffer. */
5611 memset(buf2, 0, sizeof(buf2));
5612 secp256k1_memczero(buf1, sizeof(buf1) , 1);
5613 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
5614}
5615
5616void int_cmov_test(void) {
5617 int r = INT_MAX;
5618 int a = 0;
5619
5620 secp256k1_int_cmov(&r, &a, 0);
5621 CHECK(r == INT_MAX);
5622
5623 r = 0; a = INT_MAX;
5624 secp256k1_int_cmov(&r, &a, 1);
5625 CHECK(r == INT_MAX);
5626
5627 a = 0;
5628 secp256k1_int_cmov(&r, &a, 1);
5629 CHECK(r == 0);
5630
5631 a = 1;
5632 secp256k1_int_cmov(&r, &a, 1);
5633 CHECK(r == 1);
5634
5635 r = 1; a = 0;
5636 secp256k1_int_cmov(&r, &a, 0);
5637 CHECK(r == 1);
5638
5639}
5640
5641void fe_cmov_test(void) {
5642 static const secp256k1_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
5643 static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
5644 static const secp256k1_fe max = SECP256K1_FE_CONST(
5645 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5646 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
5647 );
5648 secp256k1_fe r = max;
5649 secp256k1_fe a = zero;
5650
5651 secp256k1_fe_cmov(&r, &a, 0);
5652 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5653
5654 r = zero; a = max;
5655 secp256k1_fe_cmov(&r, &a, 1);
5656 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5657
5658 a = zero;
5659 secp256k1_fe_cmov(&r, &a, 1);
5660 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
5661
5662 a = one;
5663 secp256k1_fe_cmov(&r, &a, 1);
5664 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5665
5666 r = one; a = zero;
5667 secp256k1_fe_cmov(&r, &a, 0);
5668 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5669}
5670
5671void fe_storage_cmov_test(void) {
5672 static const secp256k1_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
5673 static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
5674 static const secp256k1_fe_storage max = SECP256K1_FE_STORAGE_CONST(
5675 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5676 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
5677 );
5678 secp256k1_fe_storage r = max;
5679 secp256k1_fe_storage a = zero;
5680
5681 secp256k1_fe_storage_cmov(&r, &a, 0);
5682 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5683
5684 r = zero; a = max;
5685 secp256k1_fe_storage_cmov(&r, &a, 1);
5686 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5687
5688 a = zero;
5689 secp256k1_fe_storage_cmov(&r, &a, 1);
5690 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
5691
5692 a = one;
5693 secp256k1_fe_storage_cmov(&r, &a, 1);
5694 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5695
5696 r = one; a = zero;
5697 secp256k1_fe_storage_cmov(&r, &a, 0);
5698 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5699}
5700
5701void scalar_cmov_test(void) {
5702 static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
5703 static const secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
5704 static const secp256k1_scalar max = SECP256K1_SCALAR_CONST(
5705 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5706 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
5707 );
5708 secp256k1_scalar r = max;
5709 secp256k1_scalar a = zero;
5710
5711 secp256k1_scalar_cmov(&r, &a, 0);
5712 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5713
5714 r = zero; a = max;
5715 secp256k1_scalar_cmov(&r, &a, 1);
5716 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5717
5718 a = zero;
5719 secp256k1_scalar_cmov(&r, &a, 1);
5720 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
5721
5722 a = one;
5723 secp256k1_scalar_cmov(&r, &a, 1);
5724 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5725
5726 r = one; a = zero;
5727 secp256k1_scalar_cmov(&r, &a, 0);
5728 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5729}
5730
5731void ge_storage_cmov_test(void) {
5732 static const secp256k1_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
5733 static const secp256k1_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1);
5734 static const secp256k1_ge_storage max = SECP256K1_GE_STORAGE_CONST(
5735 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5736 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5737 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5738 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
5739 );
5740 secp256k1_ge_storage r = max;
5741 secp256k1_ge_storage a = zero;
5742
5743 secp256k1_ge_storage_cmov(&r, &a, 0);
5744 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5745
5746 r = zero; a = max;
5747 secp256k1_ge_storage_cmov(&r, &a, 1);
5748 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5749
5750 a = zero;
5751 secp256k1_ge_storage_cmov(&r, &a, 1);
5752 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
5753
5754 a = one;
5755 secp256k1_ge_storage_cmov(&r, &a, 1);
5756 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5757
5758 r = one; a = zero;
5759 secp256k1_ge_storage_cmov(&r, &a, 0);
5760 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5761}
5762
5763void run_cmov_tests(void) {
5764 int_cmov_test();
5765 fe_cmov_test();
5766 fe_storage_cmov_test();
5767 scalar_cmov_test();
5768 ge_storage_cmov_test();
5769}
5770
5771int main(int argc, char **argv) {
5772 /* Disable buffering for stdout to improve reliability of getting
5773 * diagnostic information. Happens right at the start of main because
5774 * setbuf must be used before any other operation on the stream. */
5775 setbuf(stdout, NULL);
5776 /* Also disable buffering for stderr because it's not guaranteed that it's
5777 * unbuffered on all systems. */
5778 setbuf(stderr, NULL);
5779
5780 /* find iteration count */
5781 if (argc > 1) {
5782 count = strtol(argv[1], NULL, 0);
5783 } else {
5784 const char* env = getenv("SECP256K1_TEST_ITERS");
5785 if (env && strlen(env) > 0) {
5786 count = strtol(env, NULL, 0);
5787 }
5788 }
5789 if (count <= 0) {
5790 fputs("An iteration count of 0 or less is not allowed.\n", stderr);
5791 return EXIT_FAILURE;
5792 }
5793 printf("test count = %i\n", count);
5794
5795 /* find random seed */
5796 secp256k1_testrand_init(argc > 2 ? argv[2] : NULL);
5797
5798 /* initialize */
5799 run_context_tests(0);
5800 run_context_tests(1);
5801 run_scratch_tests();
5802 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
5803 if (secp256k1_testrand_bits(1)) {
5804 unsigned char rand32[32];
5805 secp256k1_testrand256(rand32);
5806 CHECK(secp256k1_context_randomize(ctx, secp256k1_testrand_bits(1) ? rand32 : NULL));
5807 }
5808
5809 run_rand_bits();
5810 run_rand_int();
5811
5812 run_ctz_tests();
5813 run_modinv_tests();
5814 run_inverse_tests();
5815
5816 run_sha256_tests();
5817 run_hmac_sha256_tests();
5818 run_rfc6979_hmac_sha256_tests();
5819 run_tagged_sha256_tests();
5820
5821 /* scalar tests */
5822 run_scalar_tests();
5823
5824 /* field tests */
5825 run_field_misc();
5826 run_field_convert();
5827 run_sqr();
5828 run_sqrt();
5829
5830 /* group tests */
5831 run_ge();
5832 run_group_decompress();
5833
5834 /* ecmult tests */
5835 run_wnaf();
5836 run_point_times_order();
5837 run_ecmult_near_split_bound();
5838 run_ecmult_chain();
5839 run_ecmult_constants();
5840 run_ecmult_gen_blind();
5841 run_ecmult_const_tests();
5842 run_ecmult_multi_tests();
5843 run_ec_combine();
5844
5845 /* endomorphism tests */
5846 run_endomorphism_tests();
5847
5848 /* EC point parser test */
5849 run_ec_pubkey_parse_test();
5850
5851 /* EC key edge cases */
5852 run_eckey_edge_case_test();
5853
5854 /* EC key arithmetic test */
5855 run_eckey_negate_test();
5856
5857#ifdef ENABLE_MODULE_ECDH
5858 /* ecdh tests */
5859 run_ecdh_tests();
5860#endif
5861
5862 /* ecdsa tests */
5863 run_pubkey_comparison();
5864 run_random_pubkeys();
5865 run_ecdsa_der_parse();
5866 run_ecdsa_sign_verify();
5867 run_ecdsa_end_to_end();
5868 run_ecdsa_edge_cases();
5869
5870#ifdef ENABLE_MODULE_MULTISET
5871 run_multiset_tests();
5872#endif
5873
5874#ifdef ENABLE_MODULE_RECOVERY
5875 /* ECDSA pubkey recovery tests */
5876 run_recovery_tests();
5877#endif
5878
5879#ifdef ENABLE_MODULE_SCHNORR
5880 /* Schnorr signature tests */
5881 run_schnorr_tests();
5882#endif
5883
5884#ifdef ENABLE_MODULE_EXTRAKEYS
5885 run_extrakeys_tests();
5886#endif
5887
5888#ifdef ENABLE_MODULE_SCHNORRSIG
5889 run_schnorrsig_tests();
5890#endif
5891
5892 /* util tests */
5893 run_secp256k1_memczero_test();
5894
5895 run_cmov_tests();
5896
5897 secp256k1_testrand_finish();
5898
5899 /* shutdown */
5900 secp256k1_context_destroy(ctx);
5901
5902 printf("no problems found\n");
5903 return 0;
5904}
tests_impl.h
run_ecdh_tests
void run_ecdh_tests(void)
Definition: tests_impl.h:126
secp256k1_ecdsa_sig_sign
static int secp256k1_ecdsa_sig_sign(const secp256k1_ecmult_gen_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_scalar *seckey, const secp256k1_scalar *message, const secp256k1_scalar *nonce, int *recid)
secp256k1_ecdsa_sig_verify
static int secp256k1_ecdsa_sig_verify(const secp256k1_ecmult_context *ctx, const secp256k1_scalar *r, const secp256k1_scalar *s, const secp256k1_ge *pubkey, const secp256k1_scalar *message)
secp256k1_eckey_pubkey_parse
static int secp256k1_eckey_pubkey_parse(secp256k1_ge *elem, const unsigned char *pub, size_t size)
secp256k1_eckey_pubkey_serialize
static int secp256k1_eckey_pubkey_serialize(secp256k1_ge *elem, unsigned char *pub, size_t *size, int compressed)
secp256k1_ecmult
static void secp256k1_ecmult(const secp256k1_ecmult_context *ctx, secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_scalar *na, const secp256k1_scalar *ng)
Double multiply: R = na*A + ng*G.
secp256k1_ecmult_multi_var
static int secp256k1_ecmult_multi_var(const secp256k1_callback *error_callback, const secp256k1_ecmult_context *ctx, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Multi-multiply: R = inp_g_sc * G + sum_i ni * Ai.
secp256k1_ecmult_const
static void secp256k1_ecmult_const(secp256k1_gej *r, const secp256k1_ge *a, const secp256k1_scalar *q, int bits)
Multiply: R = q*A (in constant-time) Here bits should be set to the maximum bitlength of the absolute...
secp256k1_wnaf_const
static int secp256k1_wnaf_const(int *wnaf, const secp256k1_scalar *scalar, int w, int size)
Convert a number to WNAF notation.
Definition: ecmult_const_impl.h:55
secp256k1_ecmult_gen
static void secp256k1_ecmult_gen(const secp256k1_ecmult_gen_context *ctx, secp256k1_gej *r, const secp256k1_scalar *a)
Multiply with the generator: R = a*G.
secp256k1_ecmult_gen_blind
static void secp256k1_ecmult_gen_blind(secp256k1_ecmult_gen_context *ctx, const unsigned char *seed32)
STRAUSS_SCRATCH_OBJECTS
#define STRAUSS_SCRATCH_OBJECTS
Definition: ecmult_impl.h:71
secp256k1_pippenger_bucket_window_inv
static size_t secp256k1_pippenger_bucket_window_inv(int bucket_window)
Returns the maximum optimal number of points for a bucket_window.
Definition: ecmult_impl.h:825
secp256k1_pippenger_max_points
static size_t secp256k1_pippenger_max_points(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
Returns the maximum number of points in addition to G that can be used with a given scratch space.
Definition: ecmult_impl.h:953
WNAF_SIZE
#define WNAF_SIZE(w)
Definition: ecmult_impl.h:64
secp256k1_wnaf_fixed
static int secp256k1_wnaf_fixed(int *wnaf, const secp256k1_scalar *s, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:636
secp256k1_ecmult_wnaf
static int secp256k1_ecmult_wnaf(int *wnaf, int len, const secp256k1_scalar *a, int w)
Convert a number to WNAF notation.
Definition: ecmult_impl.h:377
secp256k1_ecmult_pippenger_batch_single
static int secp256k1_ecmult_pippenger_batch_single(const secp256k1_callback *error_callback, const secp256k1_ecmult_context *actx, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:944
secp256k1_strauss_scratch_size
static size_t secp256k1_strauss_scratch_size(size_t n_points)
Definition: ecmult_impl.h:577
ECMULT_PIPPENGER_THRESHOLD
#define ECMULT_PIPPENGER_THRESHOLD
Definition: ecmult_impl.h:76
secp256k1_pippenger_bucket_window
static int secp256k1_pippenger_bucket_window(size_t n)
Returns optimal bucket_window (number of bits of a scalar represented by a set of buckets) for a give...
Definition: ecmult_impl.h:796
ECMULT_MAX_POINTS_PER_BATCH
#define ECMULT_MAX_POINTS_PER_BATCH
Definition: ecmult_impl.h:78
PIPPENGER_MAX_BUCKET_WINDOW
#define PIPPENGER_MAX_BUCKET_WINDOW
Definition: ecmult_impl.h:73
PIPPENGER_SCRATCH_OBJECTS
#define PIPPENGER_SCRATCH_OBJECTS
Definition: ecmult_impl.h:70
secp256k1_ecmult_multi_batch_size_helper
static int secp256k1_ecmult_multi_batch_size_helper(size_t *n_batches, size_t *n_batch_points, size_t max_n_batch_points, size_t n)
Definition: ecmult_impl.h:1016
secp256k1_pippenger_scratch_size
static size_t secp256k1_pippenger_scratch_size(size_t n_points, int bucket_window)
Returns the scratch size required for a given number of points (excluding base point G) without consi...
Definition: ecmult_impl.h:863
secp256k1_ecmult_multi_func
int(* secp256k1_ecmult_multi_func)(const secp256k1_callback *error_callback, const secp256k1_ecmult_context *, secp256k1_scratch *, secp256k1_gej *, const secp256k1_scalar *, secp256k1_ecmult_multi_callback cb, void *, size_t)
Definition: ecmult_impl.h:1034
secp256k1_ecmult_strauss_batch_single
static int secp256k1_ecmult_strauss_batch_single(const secp256k1_callback *error_callback, const secp256k1_ecmult_context *actx, secp256k1_scratch *scratch, secp256k1_gej *r, const secp256k1_scalar *inp_g_sc, secp256k1_ecmult_multi_callback cb, void *cbdata, size_t n)
Definition: ecmult_impl.h:621
WNAF_SIZE_BITS
#define WNAF_SIZE_BITS(bits, w)
Definition: ecmult_impl.h:63
sum
volatile double sum
Definition: examples.cpp:10
tests_impl.h
run_extrakeys_tests
void run_extrakeys_tests(void)
Definition: tests_impl.h:574
secp256k1_fe_inv_var
static void secp256k1_fe_inv_var(secp256k1_fe *r, const secp256k1_fe *a)
Potentially faster version of secp256k1_fe_inv, without constant-time guarantee.
secp256k1_fe_normalize_weak
static void secp256k1_fe_normalize_weak(secp256k1_fe *r)
Weakly normalize a field element: reduce its magnitude to 1, but don't fully normalize.
secp256k1_fe_is_quad_var
static int secp256k1_fe_is_quad_var(const secp256k1_fe *a)
Checks whether a field element is a quadratic residue.
secp256k1_fe_equal_var
static int secp256k1_fe_equal_var(const secp256k1_fe *a, const secp256k1_fe *b)
Same as secp256k1_fe_equal, but may be variable time.
secp256k1_fe_sqrt
static int secp256k1_fe_sqrt(secp256k1_fe *r, const secp256k1_fe *a)
If a has a square root, it is computed in r and 1 is returned.
secp256k1_fe_normalize_var
static void secp256k1_fe_normalize_var(secp256k1_fe *r)
Normalize a field element, without constant-time guarantee.
secp256k1_fe_clear
static void secp256k1_fe_clear(secp256k1_fe *a)
Sets a field element equal to zero, initializing all fields.
secp256k1_fe_inv
static void secp256k1_fe_inv(secp256k1_fe *r, const secp256k1_fe *a)
Sets a field element to be the (modular) inverse of another.
secp256k1_fe_cmov
static void secp256k1_fe_cmov(secp256k1_fe *r, const secp256k1_fe *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_fe_mul_int
static void secp256k1_fe_mul_int(secp256k1_fe *r, int a)
Multiplies the passed field element with a small integer constant.
secp256k1_fe_negate
static void secp256k1_fe_negate(secp256k1_fe *r, const secp256k1_fe *a, int m)
Set a field element equal to the additive inverse of another.
secp256k1_fe_is_odd
static int secp256k1_fe_is_odd(const secp256k1_fe *a)
Check the "oddness" of a field element.
secp256k1_fe_set_int
static void secp256k1_fe_set_int(secp256k1_fe *r, int a)
Set a field element equal to a small integer.
secp256k1_fe_mul
static void secp256k1_fe_mul(secp256k1_fe *r, const secp256k1_fe *a, const secp256k1_fe *SECP256K1_RESTRICT b)
Sets a field element to be the product of two others.
secp256k1_fe_set_b32
static int secp256k1_fe_set_b32(secp256k1_fe *r, const unsigned char *a)
Set a field element equal to 32-byte big endian value.
secp256k1_fe_is_zero
static int secp256k1_fe_is_zero(const secp256k1_fe *a)
Verify whether a field element is zero.
secp256k1_fe_from_storage
static void secp256k1_fe_from_storage(secp256k1_fe *r, const secp256k1_fe_storage *a)
Convert a field element back from the storage type.
secp256k1_fe_normalizes_to_zero_var
static int secp256k1_fe_normalizes_to_zero_var(secp256k1_fe *r)
Verify whether a field element represents zero i.e.
secp256k1_fe_sqr
static void secp256k1_fe_sqr(secp256k1_fe *r, const secp256k1_fe *a)
Sets a field element to be the square of another.
secp256k1_fe_add
static void secp256k1_fe_add(secp256k1_fe *r, const secp256k1_fe *a)
Adds a field element to another.
secp256k1_fe_normalize
static void secp256k1_fe_normalize(secp256k1_fe *r)
Field element module.
secp256k1_fe_to_storage
static void secp256k1_fe_to_storage(secp256k1_fe_storage *r, const secp256k1_fe *a)
Convert a field element to the storage type.
secp256k1_fe_get_b32
static void secp256k1_fe_get_b32(unsigned char *r, const secp256k1_fe *a)
Convert a field element to a 32-byte big endian value.
secp256k1_fe_normalizes_to_zero
static int secp256k1_fe_normalizes_to_zero(secp256k1_fe *r)
Verify whether a field element represents zero i.e.
secp256k1_fe_storage_cmov
static void secp256k1_fe_storage_cmov(secp256k1_fe_storage *r, const secp256k1_fe_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_fe_cmp_var
static int secp256k1_fe_cmp_var(const secp256k1_fe *a, const secp256k1_fe *b)
Compare two field elements.
SECP256K1_FE_CONST
#define SECP256K1_FE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:40
SECP256K1_FE_STORAGE_CONST
#define SECP256K1_FE_STORAGE_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: field_10x26.h:47
secp256k1_fe_one
static const secp256k1_fe secp256k1_fe_one
Definition: field_impl.h:143
SECP256K1_GEJ_CONST_INFINITY
#define SECP256K1_GEJ_CONST_INFINITY
Definition: group.h:31
SECP256K1_GE_STORAGE_CONST
#define SECP256K1_GE_STORAGE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:38
secp256k1_gej_double_var
static void secp256k1_gej_double_var(secp256k1_gej *r, const secp256k1_gej *a, secp256k1_fe *rzr)
Set r equal to the double of a.
secp256k1_gej_add_zinv_var
static void secp256k1_gej_add_zinv_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, const secp256k1_fe *bzinv)
Set r equal to the sum of a and b (with the inverse of b's Z coordinate passed as bzinv).
secp256k1_ge_mul_lambda
static void secp256k1_ge_mul_lambda(secp256k1_ge *r, const secp256k1_ge *a)
Set r to be equal to lambda times a, where lambda is chosen in a way such that this is very fast.
secp256k1_gej_set_infinity
static void secp256k1_gej_set_infinity(secp256k1_gej *r)
Set a group element (jacobian) equal to the point at infinity.
secp256k1_gej_is_infinity
static int secp256k1_gej_is_infinity(const secp256k1_gej *a)
Check whether a group element is the point at infinity.
secp256k1_ge_clear
static void secp256k1_ge_clear(secp256k1_ge *r)
Clear a secp256k1_ge to prevent leaking sensitive information.
secp256k1_ge_set_xo_var
static int secp256k1_ge_set_xo_var(secp256k1_ge *r, const secp256k1_fe *x, int odd)
Set a group element (affine) equal to the point with the given X coordinate, and given oddness for Y.
secp256k1_gej_add_ge_var
static void secp256k1_gej_add_ge_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b (with b given in affine coordinates).
secp256k1_gej_add_ge
static void secp256k1_gej_add_ge(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_ge *b)
Set r equal to the sum of a and b (with b given in affine coordinates, and not infinity).
secp256k1_ge_is_valid_var
static int secp256k1_ge_is_valid_var(const secp256k1_ge *a)
Check whether a group element is valid (i.e., on the curve).
secp256k1_gej_add_var
static void secp256k1_gej_add_var(secp256k1_gej *r, const secp256k1_gej *a, const secp256k1_gej *b, secp256k1_fe *rzr)
Set r equal to the sum of a and b.
secp256k1_gej_rescale
static void secp256k1_gej_rescale(secp256k1_gej *r, const secp256k1_fe *b)
Rescale a jacobian point by b which must be non-zero.
secp256k1_ge_storage_cmov
static void secp256k1_ge_storage_cmov(secp256k1_ge_storage *r, const secp256k1_ge_storage *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_ge_set_xquad
static int secp256k1_ge_set_xquad(secp256k1_ge *r, const secp256k1_fe *x)
Set a group element (affine) equal to the point with the given X coordinate and a Y coordinate that i...
secp256k1_ge_set_gej
static void secp256k1_ge_set_gej(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
secp256k1_ge_neg
static void secp256k1_ge_neg(secp256k1_ge *r, const secp256k1_ge *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
secp256k1_ge_is_infinity
static int secp256k1_ge_is_infinity(const secp256k1_ge *a)
Check whether a group element is the point at infinity.
secp256k1_ge_set_infinity
static void secp256k1_ge_set_infinity(secp256k1_ge *r)
Set a group element (affine) equal to the point at infinity.
secp256k1_ge_set_all_gej_var
static void secp256k1_ge_set_all_gej_var(secp256k1_ge *r, const secp256k1_gej *a, size_t len)
Set a batch of group elements equal to the inputs given in jacobian coordinates.
secp256k1_gej_double
static void secp256k1_gej_double(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the double of a.
secp256k1_gej_set_ge
static void secp256k1_gej_set_ge(secp256k1_gej *r, const secp256k1_ge *a)
Set a group element (jacobian) equal to another which is given in affine coordinates.
SECP256K1_GE_CONST
#define SECP256K1_GE_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:19
secp256k1_ge_set_gej_var
static void secp256k1_ge_set_gej_var(secp256k1_ge *r, secp256k1_gej *a)
Set a group element equal to another which is given in jacobian coordinates.
secp256k1_gej_has_quad_y_var
static int secp256k1_gej_has_quad_y_var(const secp256k1_gej *a)
Check whether a group element's y coordinate is a quadratic residue.
SECP256K1_GEJ_CONST
#define SECP256K1_GEJ_CONST(a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p)
Definition: group.h:30
secp256k1_gej_neg
static void secp256k1_gej_neg(secp256k1_gej *r, const secp256k1_gej *a)
Set r equal to the inverse of a (i.e., mirrored around the X axis)
secp256k1_ge_const_g
static const secp256k1_ge secp256k1_ge_const_g
Generator for secp256k1, value 'g' defined in "Standards for Efficient Cryptography" (SEC2) 2....
Definition: group_impl.h:52
ec_privkey_export_der
int ec_privkey_export_der(const secp256k1_context *ctx, uint8_t *privkey, size_t *privkeylen, const uint8_t *key32, bool compressed)
This serializes to a DER encoding of the ECPrivateKey type from section C.4 of SEC 1 http://www....
Definition: key.cpp:101
ec_privkey_import_der
int ec_privkey_import_der(const secp256k1_context *ctx, uint8_t *out32, const uint8_t *privkey, size_t privkeylen)
These functions are taken from the libsecp256k1 distribution and are very ugly.
Definition: key.cpp:40
lax_der_parsing.c
lax_der_privatekey_parsing.c
cs
static void pool cs
Definition: mempool_eviction.cpp:13
secp256k1_modinv32_var
static void secp256k1_modinv32_var(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
secp256k1_modinv32
static void secp256k1_modinv32(secp256k1_modinv32_signed30 *x, const secp256k1_modinv32_modinfo *modinfo)
modinv32_impl.h
secp256k1_modinv64
static void secp256k1_modinv64(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
secp256k1_modinv64_var
static void secp256k1_modinv64_var(secp256k1_modinv64_signed62 *x, const secp256k1_modinv64_modinfo *modinfo)
modinv64_impl.h
tests_impl.h
run_multiset_tests
void run_multiset_tests(void)
Definition: tests_impl.h:336
tinyformat::printf
void printf(const char *fmt, const Args &...args)
Format list of arguments to std::cout, according to the given format string.
Definition: tinyformat.h:1126
sig
SchnorrSig sig
Definition: processor.cpp:498
ecdsa_signature_parse_der_lax
int ecdsa_signature_parse_der_lax(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const uint8_t *input, size_t inputlen)
This function is taken from the libsecp256k1 distribution and implements DER parsing for ECDSA signat...
Definition: pubkey.cpp:28
tests_impl.h
run_recovery_tests
void run_recovery_tests(void)
Definition: tests_impl.h:381
secp256k1_scalar_cmov
static void secp256k1_scalar_cmov(secp256k1_scalar *r, const secp256k1_scalar *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
secp256k1_scalar_set_b32
static void secp256k1_scalar_set_b32(secp256k1_scalar *r, const unsigned char *bin, int *overflow)
Set a scalar from a big endian byte array.
secp256k1_scalar_set_b32_seckey
static int secp256k1_scalar_set_b32_seckey(secp256k1_scalar *r, const unsigned char *bin)
Set a scalar from a big endian byte array and returns 1 if it is a valid seckey and 0 otherwise.
secp256k1_scalar_is_even
static int secp256k1_scalar_is_even(const secp256k1_scalar *a)
Check whether a scalar, considered as an nonnegative integer, is even.
secp256k1_scalar_is_zero
static int secp256k1_scalar_is_zero(const secp256k1_scalar *a)
Check whether a scalar equals zero.
secp256k1_scalar_set_int
static void secp256k1_scalar_set_int(secp256k1_scalar *r, unsigned int v)
Set a scalar to an unsigned integer.
secp256k1_scalar_eq
static int secp256k1_scalar_eq(const secp256k1_scalar *a, const secp256k1_scalar *b)
Compare two scalars.
secp256k1_scalar_get_b32
static void secp256k1_scalar_get_b32(unsigned char *bin, const secp256k1_scalar *a)
Convert a scalar to a byte array.
secp256k1_scalar_cond_negate
static int secp256k1_scalar_cond_negate(secp256k1_scalar *a, int flag)
Conditionally negate a number, in constant time.
secp256k1_scalar_inverse_var
static void secp256k1_scalar_inverse_var(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order), without constant-time guarantee.
secp256k1_scalar_get_bits
static unsigned int secp256k1_scalar_get_bits(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits from a scalar.
secp256k1_scalar_add
static int secp256k1_scalar_add(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Add two scalars together (modulo the group order).
secp256k1_scalar_mul
static void secp256k1_scalar_mul(secp256k1_scalar *r, const secp256k1_scalar *a, const secp256k1_scalar *b)
Multiply two scalars (modulo the group order).
secp256k1_scalar_is_one
static int secp256k1_scalar_is_one(const secp256k1_scalar *a)
Check whether a scalar equals one.
secp256k1_scalar_negate
static void secp256k1_scalar_negate(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the complement of a scalar (modulo the group order).
secp256k1_scalar_is_high
static int secp256k1_scalar_is_high(const secp256k1_scalar *a)
Check whether a scalar is higher than the group order divided by 2.
secp256k1_scalar_get_bits_var
static unsigned int secp256k1_scalar_get_bits_var(const secp256k1_scalar *a, unsigned int offset, unsigned int count)
Access bits from a scalar.
secp256k1_scalar_inverse
static void secp256k1_scalar_inverse(secp256k1_scalar *r, const secp256k1_scalar *a)
Compute the inverse of a scalar (modulo the group order).
secp256k1_scalar_cadd_bit
static void secp256k1_scalar_cadd_bit(secp256k1_scalar *r, unsigned int bit, int flag)
Conditionally add a power of two to a scalar.
secp256k1_scalar_clear
static void secp256k1_scalar_clear(secp256k1_scalar *r)
Clear a scalar to prevent the leak of sensitive data.
secp256k1_scalar_split_lambda
static void secp256k1_scalar_split_lambda(secp256k1_scalar *r1, secp256k1_scalar *r2, const secp256k1_scalar *k)
Find r1 and r2 such that r1+r2*lambda = k, where r1 and r2 or their negations are maximum 128 bits lo...
secp256k1_scalar_shr_int
static int secp256k1_scalar_shr_int(secp256k1_scalar *r, int n)
Shift a scalar right by some amount strictly between 0 and 16, returning the low bits that were shift...
SECP256K1_SCALAR_CONST
#define SECP256K1_SCALAR_CONST(d7, d6, d5, d4, d3, d2, d1, d0)
Definition: scalar_4x64.h:17
secp256k1_scalar_check_overflow
static SECP256K1_INLINE int secp256k1_scalar_check_overflow(const secp256k1_scalar *a)
Definition: scalar_4x64_impl.h:59
secp256k1_scalar_zero
static const secp256k1_scalar secp256k1_scalar_zero
Definition: scalar_impl.h:32
secp256k1_scalar_one
static const secp256k1_scalar secp256k1_scalar_one
Definition: scalar_impl.h:31
secp256k1_const_lambda
static const secp256k1_scalar secp256k1_const_lambda
The Secp256k1 curve has an endomorphism, where lambda * (x, y) = (beta * x, y), where lambda is:
Definition: scalar_impl.h:64
tests_impl.h
run_schnorr_tests
void run_schnorr_tests(void)
Definition: tests_impl.h:512
tests_impl.h
run_schnorrsig_tests
void run_schnorrsig_tests(void)
Definition: tests_impl.h:877
secp256k1_scratch_apply_checkpoint
static void secp256k1_scratch_apply_checkpoint(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t checkpoint)
Applies a check point received from secp256k1_scratch_checkpoint, undoing all allocations since that ...
secp256k1_scratch_destroy
static void secp256k1_scratch_destroy(const secp256k1_callback *error_callback, secp256k1_scratch *scratch)
secp256k1_scratch_create
static secp256k1_scratch * secp256k1_scratch_create(const secp256k1_callback *error_callback, size_t max_size)
secp256k1_scratch_max_allocation
static size_t secp256k1_scratch_max_allocation(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch, size_t n_objects)
Returns the maximum allocation the scratch space will allow.
secp256k1_scratch_alloc
static void * secp256k1_scratch_alloc(const secp256k1_callback *error_callback, secp256k1_scratch *scratch, size_t n)
Returns a pointer into the most recently allocated frame, or NULL if there is insufficient available ...
secp256k1_scratch_checkpoint
static size_t secp256k1_scratch_checkpoint(const secp256k1_callback *error_callback, const secp256k1_scratch *scratch)
Returns an opaque object used to "checkpoint" a scratch space.
secp256k1_sha256_initialize
static void secp256k1_sha256_initialize(secp256k1_sha256 *hash)
secp256k1_rfc6979_hmac_sha256_generate
static void secp256k1_rfc6979_hmac_sha256_generate(secp256k1_rfc6979_hmac_sha256 *rng, unsigned char *out, size_t outlen)
secp256k1_hmac_sha256_finalize
static void secp256k1_hmac_sha256_finalize(secp256k1_hmac_sha256 *hash, unsigned char *out32)
secp256k1_hmac_sha256_initialize
static void secp256k1_hmac_sha256_initialize(secp256k1_hmac_sha256 *hash, const unsigned char *key, size_t size)
secp256k1_sha256_finalize
static void secp256k1_sha256_finalize(secp256k1_sha256 *hash, unsigned char *out32)
secp256k1_rfc6979_hmac_sha256_initialize
static void secp256k1_rfc6979_hmac_sha256_initialize(secp256k1_rfc6979_hmac_sha256 *rng, const unsigned char *key, size_t keylen)
secp256k1_rfc6979_hmac_sha256_finalize
static void secp256k1_rfc6979_hmac_sha256_finalize(secp256k1_rfc6979_hmac_sha256 *rng)
secp256k1_hmac_sha256_write
static void secp256k1_hmac_sha256_write(secp256k1_hmac_sha256 *hash, const unsigned char *data, size_t size)
secp256k1_sha256_write
static void secp256k1_sha256_write(secp256k1_sha256 *hash, const unsigned char *data, size_t size)
secp256k1_ctz64_var
static SECP256K1_INLINE int secp256k1_ctz64_var(uint64_t x)
Definition: util.h:327
secp256k1_memcmp_var
static SECP256K1_INLINE int secp256k1_memcmp_var(const void *s1, const void *s2, size_t n)
Semantics like memcmp.
Definition: util.h:224
secp256k1_int_cmov
static SECP256K1_INLINE void secp256k1_int_cmov(int *r, const int *a, int flag)
If flag is true, set *r equal to *a; otherwise leave it.
Definition: util.h:238
VG_CHECK
#define VG_CHECK(x, y)
Definition: util.h:80
ALIGNMENT
#define ALIGNMENT
Definition: util.h:113
VG_UNDEF
#define VG_UNDEF(x, y)
Definition: util.h:79
secp256k1_ctz32_var
static SECP256K1_INLINE int secp256k1_ctz32_var(uint32_t x)
Definition: util.h:309
secp256k1_ctz64_var_debruijn
static SECP256K1_INLINE int secp256k1_ctz64_var_debruijn(uint64_t x)
Definition: util.h:298
CHECK
#define CHECK(cond)
Definition: util.h:53
secp256k1_ctz32_var_debruijn
static SECP256K1_INLINE int secp256k1_ctz32_var_debruijn(uint32_t x)
Definition: util.h:286
checked_malloc
static SECP256K1_INLINE void * checked_malloc(const secp256k1_callback *cb, size_t size)
Definition: util.h:91
secp256k1_memczero
static SECP256K1_INLINE void secp256k1_memczero(void *s, size_t len, int flag)
Definition: util.h:205
secp256k1_ecdsa_signature_save
static void secp256k1_ecdsa_signature_save(secp256k1_ecdsa_signature *sig, const secp256k1_scalar *r, const secp256k1_scalar *s)
Definition: secp256k1.c:359
secp256k1_pubkey_load
static int secp256k1_pubkey_load(const secp256k1_context *ctx, secp256k1_ge *ge, const secp256k1_pubkey *pubkey)
Definition: secp256k1.c:245
secp256k1_pubkey_save
static void secp256k1_pubkey_save(secp256k1_pubkey *pubkey, secp256k1_ge *ge)
Definition: secp256k1.c:264
secp256k1_default_illegal_callback_fn
static void secp256k1_default_illegal_callback_fn(const char *str, void *data)
Definition: secp256k1.c:44
nonce_function_rfc6979
static int nonce_function_rfc6979(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: secp256k1.c:472
secp256k1_ecdsa_signature_load
static void secp256k1_ecdsa_signature_load(const secp256k1_context *ctx, secp256k1_scalar *r, secp256k1_scalar *s, const secp256k1_ecdsa_signature *sig)
Definition: secp256k1.c:345
secp256k1_ec_seckey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by multiplying it by a tweak.
Definition: secp256k1.c:708
SECP256K1_CONTEXT_SIGN
#define SECP256K1_CONTEXT_SIGN
Definition: secp256k1.h:174
secp256k1_scratch_space_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT secp256k1_scratch_space * secp256k1_scratch_space_create(const secp256k1_context *ctx, size_t size) SECP256K1_ARG_NONNULL(1)
Create a secp256k1 scratch space object.
Definition: secp256k1.c:221
secp256k1_context_no_precomp
SECP256K1_API const secp256k1_context * secp256k1_context_no_precomp
A simple secp256k1 context object with no precomputed tables.
Definition: secp256k1.c:84
secp256k1_context_randomize
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_context_randomize(secp256k1_context *ctx, const unsigned char *seed32) SECP256K1_ARG_NONNULL(1)
Updates the context randomization to protect against side-channel leakage.
Definition: secp256k1.c:756
secp256k1_ec_seckey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a secret key in place.
Definition: secp256k1.c:617
secp256k1_ecdsa_signature_parse_compact
SECP256K1_API int secp256k1_ecdsa_signature_parse_compact(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input64) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse an ECDSA signature in compact (64 bytes) format.
Definition: secp256k1.c:385
secp256k1_ec_pubkey_serialize
SECP256K1_API int secp256k1_ec_pubkey_serialize(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_pubkey *pubkey, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize a pubkey object into a serialized byte sequence.
Definition: secp256k1.c:296
secp256k1_context_set_error_callback
SECP256K1_API void secp256k1_context_set_error_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an internal consistency check fails.
Definition: secp256k1.c:212
secp256k1_ec_pubkey_cmp
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_cmp(const secp256k1_context *ctx, const secp256k1_pubkey *pubkey1, const secp256k1_pubkey *pubkey2) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compare two public keys using lexicographic (of compressed serialization) order.
Definition: secp256k1.c:319
secp256k1_ec_seckey_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_verify(const secp256k1_context *ctx, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Verify an ECDSA secret key.
Definition: secp256k1.c:576
secp256k1_context_create
SECP256K1_API secp256k1_context * secp256k1_context_create(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object (in dynamically allocated memory).
Definition: secp256k1.c:152
secp256k1_context_set_illegal_callback
SECP256K1_API void secp256k1_context_set_illegal_callback(secp256k1_context *ctx, void(*fun)(const char *message, void *data), const void *data) SECP256K1_ARG_NONNULL(1)
Set a callback function to be called when an illegal argument is passed to an API call.
Definition: secp256k1.c:203
secp256k1_ecdsa_sign
SECP256K1_API int secp256k1_ecdsa_sign(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const unsigned char *seckey, secp256k1_nonce_function noncefp, const void *ndata) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Create an ECDSA signature.
Definition: secp256k1.c:561
secp256k1_ec_pubkey_combine
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_combine(const secp256k1_context *ctx, secp256k1_pubkey *out, const secp256k1_pubkey *const *ins, size_t n) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Add a number of public keys together.
Definition: secp256k1.c:764
secp256k1_ec_pubkey_parse
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_parse(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a variable-length public key into the pubkey object.
Definition: secp256k1.c:278
SECP256K1_CONTEXT_NONE
#define SECP256K1_CONTEXT_NONE
Definition: secp256k1.h:176
secp256k1_ecdsa_signature_parse_der
SECP256K1_API int secp256k1_ecdsa_signature_parse_der(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sig, const unsigned char *input, size_t inputlen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Parse a DER ECDSA signature.
Definition: secp256k1.c:369
secp256k1_ec_privkey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_negate(const secp256k1_context *ctx, unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Same as secp256k1_ec_seckey_negate, but DEPRECATED.
Definition: secp256k1.c:632
secp256k1_ec_pubkey_create
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_create(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *seckey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Compute the public key for a secret key.
Definition: secp256k1.c:599
secp256k1_tagged_sha256
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_tagged_sha256(const secp256k1_context *ctx, unsigned char *hash32, const unsigned char *tag, size_t taglen, const unsigned char *msg, size_t msglen) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(5)
Compute a tagged hash as defined in BIP-340.
Definition: secp256k1.c:788
SECP256K1_EC_COMPRESSED
#define SECP256K1_EC_COMPRESSED
Flag to pass to secp256k1_ec_pubkey_serialize.
Definition: secp256k1.h:179
secp256k1_ecdsa_verify
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ecdsa_verify(const secp256k1_context *ctx, const secp256k1_ecdsa_signature *sig, const unsigned char *msghash32, const secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Verify an ECDSA signature.
Definition: secp256k1.c:450
secp256k1_ecdsa_signature_normalize
SECP256K1_API int secp256k1_ecdsa_signature_normalize(const secp256k1_context *ctx, secp256k1_ecdsa_signature *sigout, const secp256k1_ecdsa_signature *sigin) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(3)
Convert a signature to a normalized lower-S form.
Definition: secp256k1.c:431
secp256k1_context_clone
SECP256K1_API secp256k1_context * secp256k1_context_clone(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object (into dynamically allocated memory).
Definition: secp256k1.c:177
secp256k1_ec_pubkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_add(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by adding tweak times the generator to it.
Definition: secp256k1.c:690
secp256k1_ec_privkey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Same as secp256k1_ec_seckey_tweak_add, but DEPRECATED.
Definition: secp256k1.c:679
SECP256K1_EC_UNCOMPRESSED
#define SECP256K1_EC_UNCOMPRESSED
Definition: secp256k1.h:180
secp256k1_ec_privkey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_privkey_tweak_mul(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Same as secp256k1_ec_seckey_tweak_mul, but DEPRECATED.
Definition: secp256k1.c:728
secp256k1_ecdsa_signature_serialize_der
SECP256K1_API int secp256k1_ecdsa_signature_serialize_der(const secp256k1_context *ctx, unsigned char *output, size_t *outputlen, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3) SECP256K1_ARG_NONNULL(4)
Serialize an ECDSA signature in DER format.
Definition: secp256k1.c:406
secp256k1_ec_pubkey_negate
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_negate(const secp256k1_context *ctx, secp256k1_pubkey *pubkey) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2)
Negates a public key in place.
Definition: secp256k1.c:636
secp256k1_scratch_space_destroy
SECP256K1_API void secp256k1_scratch_space_destroy(const secp256k1_context *ctx, secp256k1_scratch_space *scratch) SECP256K1_ARG_NONNULL(1)
Destroy a secp256k1 scratch space.
Definition: secp256k1.c:226
SECP256K1_CONTEXT_VERIFY
#define SECP256K1_CONTEXT_VERIFY
Flags to pass to secp256k1_context_create, secp256k1_context_preallocated_size, and secp256k1_context...
Definition: secp256k1.h:173
secp256k1_ec_seckey_tweak_add
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_seckey_tweak_add(const secp256k1_context *ctx, unsigned char *seckey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a secret key by adding tweak to it.
Definition: secp256k1.c:663
secp256k1_ec_pubkey_tweak_mul
SECP256K1_API SECP256K1_WARN_UNUSED_RESULT int secp256k1_ec_pubkey_tweak_mul(const secp256k1_context *ctx, secp256k1_pubkey *pubkey, const unsigned char *tweak32) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Tweak a public key by multiplying it by a tweak value.
Definition: secp256k1.c:732
secp256k1_context_destroy
SECP256K1_API void secp256k1_context_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object (created in dynamically allocated memory).
Definition: secp256k1.c:196
secp256k1_ecdsa_signature_serialize_compact
SECP256K1_API int secp256k1_ecdsa_signature_serialize_compact(const secp256k1_context *ctx, unsigned char *output64, const secp256k1_ecdsa_signature *sig) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_ARG_NONNULL(3)
Serialize an ECDSA signature in compact (64 byte) format.
Definition: secp256k1.c:418
secp256k1_preallocated.h
secp256k1_context_preallocated_destroy
SECP256K1_API void secp256k1_context_preallocated_destroy(secp256k1_context *ctx)
Destroy a secp256k1 context object that has been created in caller-provided memory.
Definition: secp256k1.c:188
secp256k1_context_preallocated_clone_size
SECP256K1_API size_t secp256k1_context_preallocated_clone_size(const secp256k1_context *ctx) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be copied into caller-provided memory.
Definition: secp256k1.c:106
secp256k1_context_preallocated_create
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_create(void *prealloc, unsigned int flags) SECP256K1_ARG_NONNULL(1) SECP256K1_WARN_UNUSED_RESULT
Create a secp256k1 context object in caller-provided memory.
Definition: secp256k1.c:118
secp256k1_context_preallocated_size
SECP256K1_API size_t secp256k1_context_preallocated_size(unsigned int flags) SECP256K1_WARN_UNUSED_RESULT
Determine the memory size of a secp256k1 context object to be created in caller-provided memory.
Definition: secp256k1.c:86
secp256k1_context_preallocated_clone
SECP256K1_API secp256k1_context * secp256k1_context_preallocated_clone(const secp256k1_context *ctx, void *prealloc) SECP256K1_ARG_NONNULL(1) SECP256K1_ARG_NONNULL(2) SECP256K1_WARN_UNUSED_RESULT
Copy a secp256k1 context object into caller-provided memory.
Definition: secp256k1.c:163
ecmult_multi_data
Definition: tests.c:3038
ecmult_multi_data::sc
secp256k1_scalar * sc
Definition: tests.c:3039
ecmult_multi_data::pt
secp256k1_ge * pt
Definition: tests.c:3040
secp256k1_callback::fn
void(* fn)(const char *text, void *data)
Definition: util.h:20
secp256k1_context_struct
Definition: secp256k1.c:69
secp256k1_context_struct::error_callback
secp256k1_callback error_callback
Definition: secp256k1.c:73
secp256k1_context_struct::ecmult_gen_ctx
secp256k1_ecmult_gen_context ecmult_gen_ctx
Definition: secp256k1.c:71
secp256k1_context_struct::ecmult_ctx
secp256k1_ecmult_context ecmult_ctx
Definition: secp256k1.c:70
secp256k1_ecdsa_signature
Opaque data structured that holds a parsed ECDSA signature.
Definition: secp256k1.h:83
secp256k1_ecmult_gen_context::initial
secp256k1_gej initial
Definition: ecmult_gen.h:35
secp256k1_ecmult_gen_context::blind
secp256k1_scalar blind
Definition: ecmult_gen.h:34
secp256k1_fe_storage
Definition: field_10x26.h:43
secp256k1_fe
Definition: field_10x26.h:12
secp256k1_ge_storage
Definition: group.h:33
secp256k1_ge
A group element of the secp256k1 curve, in affine coordinates.
Definition: group.h:13
secp256k1_ge::infinity
int infinity
Definition: group.h:16
secp256k1_ge::x
secp256k1_fe x
Definition: group.h:14
secp256k1_ge::y
secp256k1_fe y
Definition: group.h:15
secp256k1_gej
A group element of the secp256k1 curve, in jacobian coordinates.
Definition: group.h:23
secp256k1_gej::y
secp256k1_fe y
Definition: group.h:25
secp256k1_gej::x
secp256k1_fe x
Definition: group.h:24
secp256k1_gej::infinity
int infinity
Definition: group.h:27
secp256k1_gej::z
secp256k1_fe z
Definition: group.h:26
secp256k1_hmac_sha256
Definition: hash.h:23
secp256k1_modinv32_modinfo
Definition: modinv32.h:23
secp256k1_modinv32_modinfo::modulus_inv30
uint32_t modulus_inv30
Definition: modinv32.h:28
secp256k1_modinv32_modinfo::modulus
secp256k1_modinv32_signed30 modulus
Definition: modinv32.h:25
secp256k1_modinv32_signed30
Definition: modinv32.h:19
secp256k1_modinv32_signed30::v
int32_t v[9]
Definition: modinv32.h:20
secp256k1_modinv64_modinfo
Definition: modinv64.h:27
secp256k1_modinv64_modinfo::modulus_inv62
uint64_t modulus_inv62
Definition: modinv64.h:32
secp256k1_modinv64_modinfo::modulus
secp256k1_modinv64_signed62 modulus
Definition: modinv64.h:29
secp256k1_modinv64_signed62
Definition: modinv64.h:23
secp256k1_modinv64_signed62::v
int64_t v[5]
Definition: modinv64.h:24
secp256k1_pubkey
Opaque data structure that holds a parsed and valid public key.
Definition: secp256k1.h:70
secp256k1_rfc6979_hmac_sha256
Definition: hash.h:31
secp256k1_scalar
A scalar modulo the group order of the secp256k1 curve.
Definition: scalar_4x64.h:13
secp256k1_scalar::d
uint64_t d[4]
Definition: scalar_4x64.h:14
secp256k1_scratch_space_struct
Definition: scratch.h:12
secp256k1_scratch_space_struct::alloc_size
size_t alloc_size
amount that has been allocated (i.e.
Definition: scratch.h:19
secp256k1_sha256
Definition: hash.h:13
secp256k1_testrand_int
static uint32_t secp256k1_testrand_int(uint32_t range)
Generate a pseudorandom number in the range [0..range-1].
secp256k1_testrand32
static uint32_t secp256k1_testrand32(void)
Generate a pseudorandom number in the range [0..2**32-1].
secp256k1_testrand_bytes_test
static void secp256k1_testrand_bytes_test(unsigned char *bytes, size_t len)
Generate pseudorandom bytes with long sequences of zero and one bits.
secp256k1_testrand256
static void secp256k1_testrand256(unsigned char *b32)
Generate a pseudorandom 32-byte array.
secp256k1_testrand_init
static void secp256k1_testrand_init(const char *hexseed)
Initialize the test RNG using (hex encoded) array up to 16 bytes, or randomly if hexseed is NULL.
secp256k1_testrand_finish
static void secp256k1_testrand_finish(void)
Print final test information.
secp256k1_testrand256_test
static void secp256k1_testrand256_test(unsigned char *b32)
Generate a pseudorandom 32-byte array with long sequences of zero and one bits.
secp256k1_testrand_bits
static uint32_t secp256k1_testrand_bits(int bits)
Generate a pseudorandom number in the range [0..2**bits-1].
testrand_impl.h
test_ecmult_multi_batching
void test_ecmult_multi_batching(void)
Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to 1 <= i <= num points...
Definition: tests.c:3417
random_scalar_order
void random_scalar_order(secp256k1_scalar *num)
Definition: tests.c:116
run_group_decompress
void run_group_decompress(void)
Definition: tests.c:2724
run_random_pubkeys
void run_random_pubkeys(void)
Definition: tests.c:4913
ctx
static secp256k1_context * ctx
Definition: tests.c:32
scalar_test
void scalar_test(void)
Definition: tests.c:1099
test_intialized_inf
void test_intialized_inf(void)
Definition: tests.c:2520
test_ecmult_target
void test_ecmult_target(const secp256k1_scalar *target, int mode)
Definition: tests.c:2863
fe_cmov_test
void fe_cmov_test(void)
Definition: tests.c:5641
test_inverse_field
void test_inverse_field(secp256k1_fe *out, const secp256k1_fe *x, int var)
Definition: tests.c:2162
run_modinv_tests
void run_modinv_tests(void)
Definition: tests.c:936
test_ecdsa_der_parse
int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der)
Definition: tests.c:4927
test_ecmult_multi_batch_size_helper
void test_ecmult_multi_batch_size_helper(void)
Definition: tests.c:3369
run_ec_pubkey_parse_test
void run_ec_pubkey_parse_test(void)
Definition: tests.c:3947
nonce_function_test_fail
static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:4616
nonce_function_test_retry
static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Definition: tests.c:4624
SECP256K1_EC_PARSE_TEST_NINVALID
#define SECP256K1_EC_PARSE_TEST_NINVALID
run_endomorphism_tests
void run_endomorphism_tests(void)
Definition: tests.c:3851
run_sha256_tests
void run_sha256_tests(void)
Definition: tests.c:436
ecmult_const_random_mult
void ecmult_const_random_mult(void)
Definition: tests.c:2935
test_ge
void test_ge(void)
Definition: tests.c:2334
run_eckey_edge_case_test
void run_eckey_edge_case_test(void)
Definition: tests.c:4275
test_ecmult_gen_blind_reset
void test_ecmult_gen_blind_reset(void)
Definition: tests.c:3803
run_ec_combine
void run_ec_combine(void)
Definition: tests.c:2653
main
int main(int argc, char **argv)
Definition: tests.c:5771
test_secp256k1_pippenger_bucket_window_inv
void test_secp256k1_pippenger_bucket_window_inv(void)
Definition: tests.c:3316
run_cmov_tests
void run_cmov_tests(void)
Definition: tests.c:5763
run_field_convert
void run_field_convert(void)
Definition: tests.c:1938
test_ecdsa_end_to_end
void test_ecdsa_end_to_end(void)
Definition: tests.c:4659
SECP256K1_EC_PARSE_TEST_NVALID
#define SECP256K1_EC_PARSE_TEST_NVALID
run_field_misc
void run_field_misc(void)
Definition: tests.c:1977
test_sqrt
void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k)
Definition: tests.c:2073
random_field_element_magnitude
void random_field_element_magnitude(secp256k1_fe *fe)
Definition: tests.c:60
mulmod256
void mulmod256(uint16_t *out, const uint16_t *a, const uint16_t *b, const uint16_t *m)
Definition: tests.c:680
random_scalar_order_test
void random_scalar_order_test(secp256k1_scalar *num)
Definition: tests.c:103
test_point_times_order
void test_point_times_order(const secp256k1_gej *point)
Definition: tests.c:2799
random_ber_signature
static void random_ber_signature(unsigned char *sig, size_t *len, int *certainly_der, int *certainly_not_der)
Definition: tests.c:5026
test_ecmult_multi
void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:3058
random_sign
void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid)
Definition: tests.c:4566
int_cmov_test
void int_cmov_test(void)
Definition: tests.c:5616
run_ctz_tests
void run_ctz_tests(void)
Definition: tests.c:415
ecmult_const_chain_multiply
void ecmult_const_chain_multiply(void)
Definition: tests.c:3005
assign_big_endian
static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val)
Definition: tests.c:4987
random_group_element_test
void random_group_element_test(secp256k1_ge *ge)
Definition: tests.c:76
test_modinv32_uint16
void test_modinv32_uint16(uint16_t *out, const uint16_t *in, const uint16_t *mod)
Definition: tests.c:795
scalar_cmov_test
void scalar_cmov_test(void)
Definition: tests.c:5701
run_hmac_sha256_tests
void run_hmac_sha256_tests(void)
Definition: tests.c:472
ge_equals_ge
void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b)
Definition: tests.c:2286
test_rand_int
void test_rand_int(uint32_t range, uint32_t subrange)
Definition: tests.c:626
run_rand_int
void run_rand_int(void)
Definition: tests.c:650
random_fe_test
void random_fe_test(secp256k1_fe *x)
Definition: tests.c:1899
ge_equals_gej
void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b)
Definition: tests.c:2317
test_wnaf
void test_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:3507
is_empty_signature
int is_empty_signature(const secp256k1_ecdsa_signature *sig)
Definition: tests.c:4654
random_fe_non_zero
void random_fe_non_zero(secp256k1_fe *nz)
Definition: tests.c:1909
precomputed_nonce_function
static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter)
Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted.
Definition: tests.c:4608
test_add_neg_y_diff_x
void test_add_neg_y_diff_x(void)
Definition: tests.c:2552
run_ecdsa_sign_verify
void run_ecdsa_sign_verify(void)
Definition: tests.c:4600
scalar_minus_one
static const secp256k1_scalar scalar_minus_one
Definition: tests.c:2123
run_rand_bits
void run_rand_bits(void)
Definition: tests.c:642
random_group_element_jacobian_test
void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge)
Definition: tests.c:88
coprime
int coprime(const uint16_t *a, const uint16_t *b)
Definition: tests.c:906
run_ecmult_constants
void run_ecmult_constants(void)
Definition: tests.c:3776
random_scalar_order_b32
void random_scalar_order_b32(unsigned char *b32)
Definition: tests.c:129
run_pubkey_comparison
void run_pubkey_comparison(void)
Definition: tests.c:4864
gej_xyz_equals_gej
int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b)
Definition: tests.c:2296
test_random_pubkeys
void test_random_pubkeys(void)
Definition: tests.c:4804
run_sqrt
void run_sqrt(void)
Definition: tests.c:2087
test_ecdsa_sign_verify
void test_ecdsa_sign_verify(void)
Definition: tests.c:4573
ge_storage_cmov_test
void ge_storage_cmov_test(void)
Definition: tests.c:5731
run_inverse_tests
void run_inverse_tests(void)
Definition: tests.c:2187
run_ge
void run_ge(void)
Definition: tests.c:2619
ecmult_const_mult_zero_one
void ecmult_const_mult_zero_one(void)
Definition: tests.c:2983
test_ecmult_constants
void test_ecmult_constants(void)
Definition: tests.c:3743
run_ecdsa_end_to_end
void run_ecdsa_end_to_end(void)
Definition: tests.c:4920
ecmult_const_commutativity
void ecmult_const_commutativity(void)
Definition: tests.c:2962
test_constant_wnaf
void test_constant_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:3556
ec_pubkey_parse_pointtest
void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid)
Definition: tests.c:3872
test_ecmult_gen_blind
void test_ecmult_gen_blind(void)
Definition: tests.c:3780
ecmult_multi_callback
static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:3043
fe_storage_cmov_test
void fe_storage_cmov_test(void)
Definition: tests.c:5671
run_ecmult_near_split_bound
void run_ecmult_near_split_bound(void)
Definition: tests.c:2902
test_fixed_wnaf
void test_fixed_wnaf(const secp256k1_scalar *number, int w)
Definition: tests.c:3596
test_ecdsa_edge_cases
void test_ecdsa_edge_cases(void)
Definition: tests.c:5204
test_inverse_scalar
void test_inverse_scalar(secp256k1_scalar *out, const secp256k1_scalar *x, int var)
Definition: tests.c:2140
test_group_decompress
void test_group_decompress(const secp256k1_fe *x)
Definition: tests.c:2660
test_fixed_wnaf_small_helper
void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w)
Definition: tests.c:3633
run_ecmult_gen_blind
void run_ecmult_gen_blind(void)
Definition: tests.c:3815
run_scalar_set_b32_seckey_tests
void run_scalar_set_b32_seckey_tests(void)
Definition: tests.c:1264
run_secp256k1_memczero_test
void run_secp256k1_memczero_test(void)
Definition: tests.c:5601
counting_illegal_callback_fn
static void counting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:34
random_fe_non_square
void random_fe_non_square(secp256k1_fe *ns)
Definition: tests.c:1922
run_point_times_order
void run_point_times_order(void)
Definition: tests.c:2914
uncounting_illegal_callback_fn
static void uncounting_illegal_callback_fn(const char *str, void *data)
Definition: tests.c:42
test_scalar_split
void test_scalar_split(const secp256k1_scalar *full)
Definition: tests.c:3824
scalars_near_split_bounds
static const secp256k1_scalar scalars_near_split_bounds[20]
Definition: tests.c:2840
run_eckey_negate_test
void run_eckey_negate_test(void)
Definition: tests.c:4531
uint16_to_signed30
void uint16_to_signed30(secp256k1_modinv32_signed30 *out, const uint16_t *in)
Definition: tests.c:762
count
static int count
Definition: tests.c:31
random_fe
void random_fe(secp256k1_fe *x)
Definition: tests.c:1889
test_fixed_wnaf_small
void test_fixed_wnaf_small(void)
Definition: tests.c:3643
test_ecmult_multi_pippenger_max_points
void test_ecmult_multi_pippenger_max_points(void)
Probabilistically test the function returning the maximum number of possible points for a given scrat...
Definition: tests.c:3336
run_ecmult_multi_tests
void run_ecmult_multi_tests(void)
Definition: tests.c:3484
run_ecdsa_edge_cases
void run_ecdsa_edge_cases(void)
Definition: tests.c:5573
test_ecmult_multi_batch_single
void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi)
Definition: tests.c:3296
fe_secp256k1_memcmp_var
int fe_secp256k1_memcmp_var(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:1968
test_constant_wnaf_negate
void test_constant_wnaf_negate(const secp256k1_scalar *number)
Definition: tests.c:3541
run_rfc6979_hmac_sha256_tests
void run_rfc6979_hmac_sha256_tests(void)
Definition: tests.c:516
ecmult_multi_false_callback
static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata)
Definition: tests.c:3050
run_tagged_sha256_tests
void run_tagged_sha256_tests(void)
Definition: tests.c:557
check_fe_equal
int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b)
Definition: tests.c:1930
run_sqr
void run_sqr(void)
Definition: tests.c:2057
run_ecmult_chain
void run_ecmult_chain(void)
Definition: tests.c:2735
run_ecdsa_der_parse
void run_ecdsa_der_parse(void)
Definition: tests.c:5172
mutate_sign_signed30
void mutate_sign_signed30(secp256k1_modinv32_signed30 *x)
Definition: tests.c:780
modinv2p64
uint64_t modinv2p64(uint64_t x)
Definition: tests.c:664
random_field_element_test
void random_field_element_test(secp256k1_fe *fe)
Definition: tests.c:50
run_wnaf
void run_wnaf(void)
Definition: tests.c:3697
run_scratch_tests
void run_scratch_tests(void)
Definition: tests.c:332
run_context_tests
void run_context_tests(int use_prealloc)
Definition: tests.c:135
signed30_to_uint16
void signed30_to_uint16(uint16_t *out, const secp256k1_modinv32_signed30 *in)
Definition: tests.c:771
test_ec_combine
void test_ec_combine(void)
Definition: tests.c:2628
run_ecmult_const_tests
void run_ecmult_const_tests(void)
Definition: tests.c:3031
SECP256K1_EC_PARSE_TEST_NXVALID
#define SECP256K1_EC_PARSE_TEST_NXVALID
damage_array
static void damage_array(unsigned char *sig, size_t *len)
Definition: tests.c:4999
test_rand_bits
void test_rand_bits(int rand32, int bits)
Definition: tests.c:591
run_scalar_tests
void run_scalar_tests(void)
Definition: tests.c:1281
fe_minus_one
static const secp256k1_fe fe_minus_one
Definition: tests.c:2128
Generated on Wed Nov 20 2024 17:55:59 for Bitcoin ABC by doxygen 1.9.4