1 /**********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
6
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
9 #endif
10
11 #include <stdio.h>
12 #include <stdlib.h>
13 #include <string.h>
14
15 #include <time.h>
16
17 #include "secp256k1.c"
18 #include "include/secp256k1.h"
19 #include "include/secp256k1_preallocated.h"
20 #include "testrand_impl.h"
21
22 #ifdef ENABLE_OPENSSL_TESTS
23 #include "openssl/bn.h"
24 #include "openssl/ec.h"
25 #include "openssl/ecdsa.h"
26 #include "openssl/obj_mac.h"
27 # if OPENSSL_VERSION_NUMBER < 0x10100000L
ECDSA_SIG_get0(const ECDSA_SIG * sig,const BIGNUM ** pr,const BIGNUM ** ps)28 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {*pr = sig->r; *ps = sig->s;}
29 # endif
30 #endif
31
32 #include "contrib/lax_der_parsing.c"
33 #include "contrib/lax_der_privatekey_parsing.c"
34
35 static int count = 64;
36 static secp256k1_context *ctx = NULL;
37
counting_illegal_callback_fn(const char * str,void * data)38 static void counting_illegal_callback_fn(const char* str, void* data) {
39 /* Dummy callback function that just counts. */
40 int32_t *p;
41 (void)str;
42 p = data;
43 (*p)++;
44 }
45
uncounting_illegal_callback_fn(const char * str,void * data)46 static void uncounting_illegal_callback_fn(const char* str, void* data) {
47 /* Dummy callback function that just counts (backwards). */
48 int32_t *p;
49 (void)str;
50 p = data;
51 (*p)--;
52 }
53
random_field_element_test(secp256k1_fe * fe)54 void random_field_element_test(secp256k1_fe *fe) {
55 do {
56 unsigned char b32[32];
57 secp256k1_testrand256_test(b32);
58 if (secp256k1_fe_set_b32(fe, b32)) {
59 break;
60 }
61 } while(1);
62 }
63
random_field_element_magnitude(secp256k1_fe * fe)64 void random_field_element_magnitude(secp256k1_fe *fe) {
65 secp256k1_fe zero;
66 int n = secp256k1_testrand_int(9);
67 secp256k1_fe_normalize(fe);
68 if (n == 0) {
69 return;
70 }
71 secp256k1_fe_clear(&zero);
72 secp256k1_fe_negate(&zero, &zero, 0);
73 secp256k1_fe_mul_int(&zero, n - 1);
74 secp256k1_fe_add(fe, &zero);
75 #ifdef VERIFY
76 CHECK(fe->magnitude == n);
77 #endif
78 }
79
random_group_element_test(secp256k1_ge * ge)80 void random_group_element_test(secp256k1_ge *ge) {
81 secp256k1_fe fe;
82 do {
83 random_field_element_test(&fe);
84 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_testrand_bits(1))) {
85 secp256k1_fe_normalize(&ge->y);
86 break;
87 }
88 } while(1);
89 ge->infinity = 0;
90 }
91
random_group_element_jacobian_test(secp256k1_gej * gej,const secp256k1_ge * ge)92 void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
93 secp256k1_fe z2, z3;
94 do {
95 random_field_element_test(&gej->z);
96 if (!secp256k1_fe_is_zero(&gej->z)) {
97 break;
98 }
99 } while(1);
100 secp256k1_fe_sqr(&z2, &gej->z);
101 secp256k1_fe_mul(&z3, &z2, &gej->z);
102 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
103 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
104 gej->infinity = ge->infinity;
105 }
106
random_scalar_order_test(secp256k1_scalar * num)107 void random_scalar_order_test(secp256k1_scalar *num) {
108 do {
109 unsigned char b32[32];
110 int overflow = 0;
111 secp256k1_testrand256_test(b32);
112 secp256k1_scalar_set_b32(num, b32, &overflow);
113 if (overflow || secp256k1_scalar_is_zero(num)) {
114 continue;
115 }
116 break;
117 } while(1);
118 }
119
random_scalar_order(secp256k1_scalar * num)120 void random_scalar_order(secp256k1_scalar *num) {
121 do {
122 unsigned char b32[32];
123 int overflow = 0;
124 secp256k1_testrand256(b32);
125 secp256k1_scalar_set_b32(num, b32, &overflow);
126 if (overflow || secp256k1_scalar_is_zero(num)) {
127 continue;
128 }
129 break;
130 } while(1);
131 }
132
random_scalar_order_b32(unsigned char * b32)133 void random_scalar_order_b32(unsigned char *b32) {
134 secp256k1_scalar num;
135 random_scalar_order(&num);
136 secp256k1_scalar_get_b32(b32, &num);
137 }
138
run_context_tests(int use_prealloc)139 void run_context_tests(int use_prealloc) {
140 secp256k1_pubkey pubkey;
141 secp256k1_pubkey zero_pubkey;
142 secp256k1_ecdsa_signature sig;
143 unsigned char ctmp[32];
144 int32_t ecount;
145 int32_t ecount2;
146 secp256k1_context *none;
147 secp256k1_context *sign;
148 secp256k1_context *vrfy;
149 secp256k1_context *both;
150 void *none_prealloc = NULL;
151 void *sign_prealloc = NULL;
152 void *vrfy_prealloc = NULL;
153 void *both_prealloc = NULL;
154
155 secp256k1_gej pubj;
156 secp256k1_ge pub;
157 secp256k1_scalar msg, key, nonce;
158 secp256k1_scalar sigr, sigs;
159
160 if (use_prealloc) {
161 none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
162 sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
163 vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
164 both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
165 CHECK(none_prealloc != NULL);
166 CHECK(sign_prealloc != NULL);
167 CHECK(vrfy_prealloc != NULL);
168 CHECK(both_prealloc != NULL);
169 none = secp256k1_context_preallocated_create(none_prealloc, SECP256K1_CONTEXT_NONE);
170 sign = secp256k1_context_preallocated_create(sign_prealloc, SECP256K1_CONTEXT_SIGN);
171 vrfy = secp256k1_context_preallocated_create(vrfy_prealloc, SECP256K1_CONTEXT_VERIFY);
172 both = secp256k1_context_preallocated_create(both_prealloc, SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
173 } else {
174 none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
175 sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
176 vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
177 both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
178 }
179
180 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
181
182 ecount = 0;
183 ecount2 = 10;
184 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
185 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
186 /* set error callback (to a function that still aborts in case malloc() fails in secp256k1_context_clone() below) */
187 secp256k1_context_set_error_callback(sign, secp256k1_default_illegal_callback_fn, NULL);
188 CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
189 CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn);
190
191 /* check if sizes for cloning are consistent */
192 CHECK(secp256k1_context_preallocated_clone_size(none) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE));
193 CHECK(secp256k1_context_preallocated_clone_size(sign) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN));
194 CHECK(secp256k1_context_preallocated_clone_size(vrfy) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY));
195 CHECK(secp256k1_context_preallocated_clone_size(both) == secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY));
196
197 /*** clone and destroy all of them to make sure cloning was complete ***/
198 {
199 secp256k1_context *ctx_tmp;
200
201 if (use_prealloc) {
202 /* clone into a non-preallocated context and then again into a new preallocated one. */
203 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
204 free(none_prealloc); none_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(none_prealloc != NULL);
205 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, none_prealloc); secp256k1_context_destroy(ctx_tmp);
206
207 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
208 free(sign_prealloc); sign_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(sign_prealloc != NULL);
209 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, sign_prealloc); secp256k1_context_destroy(ctx_tmp);
210
211 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
212 free(vrfy_prealloc); vrfy_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(vrfy_prealloc != NULL);
213 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, vrfy_prealloc); secp256k1_context_destroy(ctx_tmp);
214
215 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
216 free(both_prealloc); both_prealloc = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(both_prealloc != NULL);
217 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, both_prealloc); secp256k1_context_destroy(ctx_tmp);
218 } else {
219 /* clone into a preallocated context and then again into a new non-preallocated one. */
220 void *prealloc_tmp;
221
222 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_NONE)); CHECK(prealloc_tmp != NULL);
223 ctx_tmp = none; none = secp256k1_context_preallocated_clone(none, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
224 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_preallocated_destroy(ctx_tmp);
225 free(prealloc_tmp);
226
227 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN)); CHECK(prealloc_tmp != NULL);
228 ctx_tmp = sign; sign = secp256k1_context_preallocated_clone(sign, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
229 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_preallocated_destroy(ctx_tmp);
230 free(prealloc_tmp);
231
232 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
233 ctx_tmp = vrfy; vrfy = secp256k1_context_preallocated_clone(vrfy, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
234 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_preallocated_destroy(ctx_tmp);
235 free(prealloc_tmp);
236
237 prealloc_tmp = malloc(secp256k1_context_preallocated_size(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY)); CHECK(prealloc_tmp != NULL);
238 ctx_tmp = both; both = secp256k1_context_preallocated_clone(both, prealloc_tmp); secp256k1_context_destroy(ctx_tmp);
239 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_preallocated_destroy(ctx_tmp);
240 free(prealloc_tmp);
241 }
242 }
243
244 /* Verify that the error callback makes it across the clone. */
245 CHECK(sign->error_callback.fn != vrfy->error_callback.fn);
246 CHECK(sign->error_callback.fn == secp256k1_default_illegal_callback_fn);
247 /* And that it resets back to default. */
248 secp256k1_context_set_error_callback(sign, NULL, NULL);
249 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
250
251 /*** attempt to use them ***/
252 random_scalar_order_test(&msg);
253 random_scalar_order_test(&key);
254 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
255 secp256k1_ge_set_gej(&pub, &pubj);
256
257 /* Verify context-type checking illegal-argument errors. */
258 memset(ctmp, 1, 32);
259 CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
260 CHECK(ecount == 1);
261 VG_UNDEF(&pubkey, sizeof(pubkey));
262 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
263 VG_CHECK(&pubkey, sizeof(pubkey));
264 CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
265 CHECK(ecount == 2);
266 VG_UNDEF(&sig, sizeof(sig));
267 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
268 VG_CHECK(&sig, sizeof(sig));
269 CHECK(ecount2 == 10);
270 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
271 CHECK(ecount2 == 11);
272 CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
273 CHECK(ecount == 2);
274 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
275 CHECK(ecount2 == 12);
276 CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
277 CHECK(ecount == 2);
278 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
279 CHECK(ecount2 == 13);
280 CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
281 CHECK(ecount == 2);
282 CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
283 CHECK(ecount == 2);
284 CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
285 CHECK(ecount2 == 14);
286 CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
287 CHECK(ecount == 3);
288 CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
289 CHECK(ecount == 3);
290 CHECK(secp256k1_context_randomize(vrfy, ctmp) == 1);
291 CHECK(ecount == 3);
292 CHECK(secp256k1_context_randomize(vrfy, NULL) == 1);
293 CHECK(ecount == 3);
294 CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
295 CHECK(ecount2 == 14);
296 CHECK(secp256k1_context_randomize(sign, NULL) == 1);
297 CHECK(ecount2 == 14);
298 secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
299 secp256k1_context_set_illegal_callback(sign, NULL, NULL);
300
301 /* obtain a working nonce */
302 do {
303 random_scalar_order_test(&nonce);
304 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
305
306 /* try signing */
307 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
308 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
309
310 /* try verifying */
311 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
312 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
313
314 /* cleanup */
315 if (use_prealloc) {
316 secp256k1_context_preallocated_destroy(none);
317 secp256k1_context_preallocated_destroy(sign);
318 secp256k1_context_preallocated_destroy(vrfy);
319 secp256k1_context_preallocated_destroy(both);
320 free(none_prealloc);
321 free(sign_prealloc);
322 free(vrfy_prealloc);
323 free(both_prealloc);
324 } else {
325 secp256k1_context_destroy(none);
326 secp256k1_context_destroy(sign);
327 secp256k1_context_destroy(vrfy);
328 secp256k1_context_destroy(both);
329 }
330 /* Defined as no-op. */
331 secp256k1_context_destroy(NULL);
332 secp256k1_context_preallocated_destroy(NULL);
333
334 }
335
run_scratch_tests(void)336 void run_scratch_tests(void) {
337 const size_t adj_alloc = ((500 + ALIGNMENT - 1) / ALIGNMENT) * ALIGNMENT;
338
339 int32_t ecount = 0;
340 size_t checkpoint;
341 size_t checkpoint_2;
342 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
343 secp256k1_scratch_space *scratch;
344 secp256k1_scratch_space local_scratch;
345
346 /* Test public API */
347 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
348 secp256k1_context_set_error_callback(none, counting_illegal_callback_fn, &ecount);
349
350 scratch = secp256k1_scratch_space_create(none, 1000);
351 CHECK(scratch != NULL);
352 CHECK(ecount == 0);
353
354 /* Test internal API */
355 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
356 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - (ALIGNMENT - 1));
357 CHECK(scratch->alloc_size == 0);
358 CHECK(scratch->alloc_size % ALIGNMENT == 0);
359
360 /* Allocating 500 bytes succeeds */
361 checkpoint = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
362 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
363 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
364 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
365 CHECK(scratch->alloc_size != 0);
366 CHECK(scratch->alloc_size % ALIGNMENT == 0);
367
368 /* Allocating another 501 bytes fails */
369 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 501) == NULL);
370 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000 - adj_alloc);
371 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 1) == 1000 - adj_alloc - (ALIGNMENT - 1));
372 CHECK(scratch->alloc_size != 0);
373 CHECK(scratch->alloc_size % ALIGNMENT == 0);
374
375 /* ...but it succeeds once we apply the checkpoint to undo it */
376 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
377 CHECK(scratch->alloc_size == 0);
378 CHECK(secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0) == 1000);
379 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) != NULL);
380 CHECK(scratch->alloc_size != 0);
381
382 /* try to apply a bad checkpoint */
383 checkpoint_2 = secp256k1_scratch_checkpoint(&none->error_callback, scratch);
384 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint);
385 CHECK(ecount == 0);
386 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, checkpoint_2); /* checkpoint_2 is after checkpoint */
387 CHECK(ecount == 1);
388 secp256k1_scratch_apply_checkpoint(&none->error_callback, scratch, (size_t) -1); /* this is just wildly invalid */
389 CHECK(ecount == 2);
390
391 /* try to use badly initialized scratch space */
392 secp256k1_scratch_space_destroy(none, scratch);
393 memset(&local_scratch, 0, sizeof(local_scratch));
394 scratch = &local_scratch;
395 CHECK(!secp256k1_scratch_max_allocation(&none->error_callback, scratch, 0));
396 CHECK(ecount == 3);
397 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, 500) == NULL);
398 CHECK(ecount == 4);
399 secp256k1_scratch_space_destroy(none, scratch);
400 CHECK(ecount == 5);
401
402 /* Test that large integers do not wrap around in a bad way */
403 scratch = secp256k1_scratch_space_create(none, 1000);
404 /* Try max allocation with a large number of objects. Only makes sense if
405 * ALIGNMENT is greater than 1 because otherwise the objects take no extra
406 * space. */
407 CHECK(ALIGNMENT <= 1 || !secp256k1_scratch_max_allocation(&none->error_callback, scratch, (SIZE_MAX / (ALIGNMENT - 1)) + 1));
408 /* Try allocating SIZE_MAX to test wrap around which only happens if
409 * ALIGNMENT > 1, otherwise it returns NULL anyway because the scratch
410 * space is too small. */
411 CHECK(secp256k1_scratch_alloc(&none->error_callback, scratch, SIZE_MAX) == NULL);
412 secp256k1_scratch_space_destroy(none, scratch);
413
414 /* cleanup */
415 secp256k1_scratch_space_destroy(none, NULL); /* no-op */
416 secp256k1_context_destroy(none);
417 }
418
419 /***** HASH TESTS *****/
420
run_sha256_tests(void)421 void run_sha256_tests(void) {
422 static const char *inputs[8] = {
423 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
424 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
425 "For this sample, this 63-byte string will be used as input data",
426 "This is exactly 64 bytes long, not counting the terminating byte"
427 };
428 static const unsigned char outputs[8][32] = {
429 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
430 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
431 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
432 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
433 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
434 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
435 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
436 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
437 };
438 int i;
439 for (i = 0; i < 8; i++) {
440 unsigned char out[32];
441 secp256k1_sha256 hasher;
442 secp256k1_sha256_initialize(&hasher);
443 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
444 secp256k1_sha256_finalize(&hasher, out);
445 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
446 if (strlen(inputs[i]) > 0) {
447 int split = secp256k1_testrand_int(strlen(inputs[i]));
448 secp256k1_sha256_initialize(&hasher);
449 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
450 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
451 secp256k1_sha256_finalize(&hasher, out);
452 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
453 }
454 }
455 }
456
run_hmac_sha256_tests(void)457 void run_hmac_sha256_tests(void) {
458 static const char *keys[6] = {
459 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
460 "\x4a\x65\x66\x65",
461 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
462 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
463 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
464 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
465 };
466 static const char *inputs[6] = {
467 "\x48\x69\x20\x54\x68\x65\x72\x65",
468 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
469 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
470 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
471 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
472 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
473 };
474 static const unsigned char outputs[6][32] = {
475 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
476 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
477 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
478 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
479 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
480 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
481 };
482 int i;
483 for (i = 0; i < 6; i++) {
484 secp256k1_hmac_sha256 hasher;
485 unsigned char out[32];
486 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
487 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
488 secp256k1_hmac_sha256_finalize(&hasher, out);
489 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
490 if (strlen(inputs[i]) > 0) {
491 int split = secp256k1_testrand_int(strlen(inputs[i]));
492 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
493 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
494 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
495 secp256k1_hmac_sha256_finalize(&hasher, out);
496 CHECK(secp256k1_memcmp_var(out, outputs[i], 32) == 0);
497 }
498 }
499 }
500
run_rfc6979_hmac_sha256_tests(void)501 void run_rfc6979_hmac_sha256_tests(void) {
502 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
503 static const unsigned char out1[3][32] = {
504 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
505 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
506 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
507 };
508
509 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
510 static const unsigned char out2[3][32] = {
511 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
512 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
513 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
514 };
515
516 secp256k1_rfc6979_hmac_sha256 rng;
517 unsigned char out[32];
518 int i;
519
520 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
521 for (i = 0; i < 3; i++) {
522 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
523 CHECK(secp256k1_memcmp_var(out, out1[i], 32) == 0);
524 }
525 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
526
527 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
528 for (i = 0; i < 3; i++) {
529 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
530 CHECK(secp256k1_memcmp_var(out, out1[i], 32) != 0);
531 }
532 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
533
534 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
535 for (i = 0; i < 3; i++) {
536 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
537 CHECK(secp256k1_memcmp_var(out, out2[i], 32) == 0);
538 }
539 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
540 }
541
542 /***** RANDOM TESTS *****/
543
test_rand_bits(int rand32,int bits)544 void test_rand_bits(int rand32, int bits) {
545 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
546 * get a false negative chance below once in a billion */
547 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
548 /* We try multiplying the results with various odd numbers, which shouldn't
549 * influence the uniform distribution modulo a power of 2. */
550 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
551 /* We only select up to 6 bits from the output to analyse */
552 unsigned int usebits = bits > 6 ? 6 : bits;
553 unsigned int maxshift = bits - usebits;
554 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
555 number, track all observed outcomes, one per bit in a uint64_t. */
556 uint64_t x[6][27] = {{0}};
557 unsigned int i, shift, m;
558 /* Multiply the output of all rand calls with the odd number m, which
559 should not change the uniformity of its distribution. */
560 for (i = 0; i < rounds[usebits]; i++) {
561 uint32_t r = (rand32 ? secp256k1_testrand32() : secp256k1_testrand_bits(bits));
562 CHECK((((uint64_t)r) >> bits) == 0);
563 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
564 uint32_t rm = r * mults[m];
565 for (shift = 0; shift <= maxshift; shift++) {
566 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
567 }
568 }
569 }
570 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
571 for (shift = 0; shift <= maxshift; shift++) {
572 /* Test that the lower usebits bits of x[shift] are 1 */
573 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
574 }
575 }
576 }
577
578 /* Subrange must be a whole divisor of range, and at most 64 */
test_rand_int(uint32_t range,uint32_t subrange)579 void test_rand_int(uint32_t range, uint32_t subrange) {
580 /* (1-1/subrange)^rounds < 1/10^9 */
581 int rounds = (subrange * 2073) / 100;
582 int i;
583 uint64_t x = 0;
584 CHECK((range % subrange) == 0);
585 for (i = 0; i < rounds; i++) {
586 uint32_t r = secp256k1_testrand_int(range);
587 CHECK(r < range);
588 r = r % subrange;
589 x |= (((uint64_t)1) << r);
590 }
591 /* Test that the lower subrange bits of x are 1. */
592 CHECK(((~x) << (64 - subrange)) == 0);
593 }
594
run_rand_bits(void)595 void run_rand_bits(void) {
596 size_t b;
597 test_rand_bits(1, 32);
598 for (b = 1; b <= 32; b++) {
599 test_rand_bits(0, b);
600 }
601 }
602
run_rand_int(void)603 void run_rand_int(void) {
604 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
605 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
606 unsigned int m, s;
607 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
608 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
609 test_rand_int(ms[m] * ss[s], ss[s]);
610 }
611 }
612 }
613
614 /***** NUM TESTS *****/
615
616 #ifndef USE_NUM_NONE
random_num_negate(secp256k1_num * num)617 void random_num_negate(secp256k1_num *num) {
618 if (secp256k1_testrand_bits(1)) {
619 secp256k1_num_negate(num);
620 }
621 }
622
random_num_order_test(secp256k1_num * num)623 void random_num_order_test(secp256k1_num *num) {
624 secp256k1_scalar sc;
625 random_scalar_order_test(&sc);
626 secp256k1_scalar_get_num(num, &sc);
627 }
628
random_num_order(secp256k1_num * num)629 void random_num_order(secp256k1_num *num) {
630 secp256k1_scalar sc;
631 random_scalar_order(&sc);
632 secp256k1_scalar_get_num(num, &sc);
633 }
634
test_num_negate(void)635 void test_num_negate(void) {
636 secp256k1_num n1;
637 secp256k1_num n2;
638 random_num_order_test(&n1); /* n1 = R */
639 random_num_negate(&n1);
640 secp256k1_num_copy(&n2, &n1); /* n2 = R */
641 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
642 CHECK(secp256k1_num_is_zero(&n1));
643 secp256k1_num_copy(&n1, &n2); /* n1 = R */
644 secp256k1_num_negate(&n1); /* n1 = -R */
645 CHECK(!secp256k1_num_is_zero(&n1));
646 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
647 CHECK(secp256k1_num_is_zero(&n1));
648 secp256k1_num_copy(&n1, &n2); /* n1 = R */
649 secp256k1_num_negate(&n1); /* n1 = -R */
650 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
651 secp256k1_num_negate(&n1); /* n1 = R */
652 CHECK(secp256k1_num_eq(&n1, &n2));
653 }
654
test_num_add_sub(void)655 void test_num_add_sub(void) {
656 int i;
657 secp256k1_scalar s;
658 secp256k1_num n1;
659 secp256k1_num n2;
660 secp256k1_num n1p2, n2p1, n1m2, n2m1;
661 random_num_order_test(&n1); /* n1 = R1 */
662 if (secp256k1_testrand_bits(1)) {
663 random_num_negate(&n1);
664 }
665 random_num_order_test(&n2); /* n2 = R2 */
666 if (secp256k1_testrand_bits(1)) {
667 random_num_negate(&n2);
668 }
669 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
670 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
671 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
672 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
673 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
674 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
675 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
676 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
677 CHECK(!secp256k1_num_eq(&n2m1, &n1));
678 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
679 CHECK(secp256k1_num_eq(&n2m1, &n1));
680 CHECK(!secp256k1_num_eq(&n2p1, &n1));
681 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
682 CHECK(secp256k1_num_eq(&n2p1, &n1));
683
684 /* check is_one */
685 secp256k1_scalar_set_int(&s, 1);
686 secp256k1_scalar_get_num(&n1, &s);
687 CHECK(secp256k1_num_is_one(&n1));
688 /* check that 2^n + 1 is never 1 */
689 secp256k1_scalar_get_num(&n2, &s);
690 for (i = 0; i < 250; ++i) {
691 secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */
692 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */
693 CHECK(!secp256k1_num_is_one(&n1p2));
694 }
695 }
696
test_num_mod(void)697 void test_num_mod(void) {
698 int i;
699 secp256k1_scalar s;
700 secp256k1_num order, n;
701
702 /* check that 0 mod anything is 0 */
703 random_scalar_order_test(&s);
704 secp256k1_scalar_get_num(&order, &s);
705 secp256k1_scalar_set_int(&s, 0);
706 secp256k1_scalar_get_num(&n, &s);
707 secp256k1_num_mod(&n, &order);
708 CHECK(secp256k1_num_is_zero(&n));
709
710 /* check that anything mod 1 is 0 */
711 secp256k1_scalar_set_int(&s, 1);
712 secp256k1_scalar_get_num(&order, &s);
713 secp256k1_scalar_get_num(&n, &s);
714 secp256k1_num_mod(&n, &order);
715 CHECK(secp256k1_num_is_zero(&n));
716
717 /* check that increasing the number past 2^256 does not break this */
718 random_scalar_order_test(&s);
719 secp256k1_scalar_get_num(&n, &s);
720 /* multiply by 2^8, which'll test this case with high probability */
721 for (i = 0; i < 8; ++i) {
722 secp256k1_num_add(&n, &n, &n);
723 }
724 secp256k1_num_mod(&n, &order);
725 CHECK(secp256k1_num_is_zero(&n));
726 }
727
test_num_jacobi(void)728 void test_num_jacobi(void) {
729 secp256k1_scalar sqr;
730 secp256k1_scalar small;
731 secp256k1_scalar five; /* five is not a quadratic residue */
732 secp256k1_num order, n;
733 int i;
734 /* squares mod 5 are 1, 4 */
735 const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
736
737 /* check some small values with 5 as the order */
738 secp256k1_scalar_set_int(&five, 5);
739 secp256k1_scalar_get_num(&order, &five);
740 for (i = 0; i < 10; ++i) {
741 secp256k1_scalar_set_int(&small, i);
742 secp256k1_scalar_get_num(&n, &small);
743 CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
744 }
745
746 /** test large values with 5 as group order */
747 secp256k1_scalar_get_num(&order, &five);
748 /* we first need a scalar which is not a multiple of 5 */
749 do {
750 secp256k1_num fiven;
751 random_scalar_order_test(&sqr);
752 secp256k1_scalar_get_num(&fiven, &five);
753 secp256k1_scalar_get_num(&n, &sqr);
754 secp256k1_num_mod(&n, &fiven);
755 } while (secp256k1_num_is_zero(&n));
756 /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
757 * just multiply by two, i.e. add the number to itself */
758 if (secp256k1_num_jacobi(&n, &order) == -1) {
759 secp256k1_num_add(&n, &n, &n);
760 }
761
762 /* test residue */
763 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
764 /* test nonresidue */
765 secp256k1_num_add(&n, &n, &n);
766 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
767
768 /** test with secp group order as order */
769 secp256k1_scalar_order_get_num(&order);
770 random_scalar_order_test(&sqr);
771 secp256k1_scalar_sqr(&sqr, &sqr);
772 /* test residue */
773 secp256k1_scalar_get_num(&n, &sqr);
774 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
775 /* test nonresidue */
776 secp256k1_scalar_mul(&sqr, &sqr, &five);
777 secp256k1_scalar_get_num(&n, &sqr);
778 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
779 /* test multiple of the order*/
780 CHECK(secp256k1_num_jacobi(&order, &order) == 0);
781
782 /* check one less than the order */
783 secp256k1_scalar_set_int(&small, 1);
784 secp256k1_scalar_get_num(&n, &small);
785 secp256k1_num_sub(&n, &order, &n);
786 CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */
787 }
788
run_num_smalltests(void)789 void run_num_smalltests(void) {
790 int i;
791 for (i = 0; i < 100*count; i++) {
792 test_num_negate();
793 test_num_add_sub();
794 test_num_mod();
795 test_num_jacobi();
796 }
797 }
798 #endif
799
800 /***** SCALAR TESTS *****/
801
scalar_test(void)802 void scalar_test(void) {
803 secp256k1_scalar s;
804 secp256k1_scalar s1;
805 secp256k1_scalar s2;
806 #ifndef USE_NUM_NONE
807 secp256k1_num snum, s1num, s2num;
808 secp256k1_num order, half_order;
809 #endif
810 unsigned char c[32];
811
812 /* Set 's' to a random scalar, with value 'snum'. */
813 random_scalar_order_test(&s);
814
815 /* Set 's1' to a random scalar, with value 's1num'. */
816 random_scalar_order_test(&s1);
817
818 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
819 random_scalar_order_test(&s2);
820 secp256k1_scalar_get_b32(c, &s2);
821
822 #ifndef USE_NUM_NONE
823 secp256k1_scalar_get_num(&snum, &s);
824 secp256k1_scalar_get_num(&s1num, &s1);
825 secp256k1_scalar_get_num(&s2num, &s2);
826
827 secp256k1_scalar_order_get_num(&order);
828 half_order = order;
829 secp256k1_num_shift(&half_order, 1);
830 #endif
831
832 {
833 int i;
834 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
835 secp256k1_scalar n;
836 secp256k1_scalar_set_int(&n, 0);
837 for (i = 0; i < 256; i += 4) {
838 secp256k1_scalar t;
839 int j;
840 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
841 for (j = 0; j < 4; j++) {
842 secp256k1_scalar_add(&n, &n, &n);
843 }
844 secp256k1_scalar_add(&n, &n, &t);
845 }
846 CHECK(secp256k1_scalar_eq(&n, &s));
847 }
848
849 {
850 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
851 secp256k1_scalar n;
852 int i = 0;
853 secp256k1_scalar_set_int(&n, 0);
854 while (i < 256) {
855 secp256k1_scalar t;
856 int j;
857 int now = secp256k1_testrand_int(15) + 1;
858 if (now + i > 256) {
859 now = 256 - i;
860 }
861 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
862 for (j = 0; j < now; j++) {
863 secp256k1_scalar_add(&n, &n, &n);
864 }
865 secp256k1_scalar_add(&n, &n, &t);
866 i += now;
867 }
868 CHECK(secp256k1_scalar_eq(&n, &s));
869 }
870
871 #ifndef USE_NUM_NONE
872 {
873 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
874 secp256k1_num rnum;
875 secp256k1_num r2num;
876 secp256k1_scalar r;
877 secp256k1_num_add(&rnum, &snum, &s2num);
878 secp256k1_num_mod(&rnum, &order);
879 secp256k1_scalar_add(&r, &s, &s2);
880 secp256k1_scalar_get_num(&r2num, &r);
881 CHECK(secp256k1_num_eq(&rnum, &r2num));
882 }
883
884 {
885 /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
886 secp256k1_scalar r;
887 secp256k1_num r2num;
888 secp256k1_num rnum;
889 secp256k1_num_mul(&rnum, &snum, &s2num);
890 secp256k1_num_mod(&rnum, &order);
891 secp256k1_scalar_mul(&r, &s, &s2);
892 secp256k1_scalar_get_num(&r2num, &r);
893 CHECK(secp256k1_num_eq(&rnum, &r2num));
894 /* The result can only be zero if at least one of the factors was zero. */
895 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
896 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
897 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
898 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
899 }
900
901 {
902 secp256k1_scalar neg;
903 secp256k1_num negnum;
904 secp256k1_num negnum2;
905 /* Check that comparison with zero matches comparison with zero on the number. */
906 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
907 /* Check that comparison with the half order is equal to testing for high scalar. */
908 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
909 secp256k1_scalar_negate(&neg, &s);
910 secp256k1_num_sub(&negnum, &order, &snum);
911 secp256k1_num_mod(&negnum, &order);
912 /* Check that comparison with the half order is equal to testing for high scalar after negation. */
913 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
914 /* Negating should change the high property, unless the value was already zero. */
915 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
916 secp256k1_scalar_get_num(&negnum2, &neg);
917 /* Negating a scalar should be equal to (order - n) mod order on the number. */
918 CHECK(secp256k1_num_eq(&negnum, &negnum2));
919 secp256k1_scalar_add(&neg, &neg, &s);
920 /* Adding a number to its negation should result in zero. */
921 CHECK(secp256k1_scalar_is_zero(&neg));
922 secp256k1_scalar_negate(&neg, &neg);
923 /* Negating zero should still result in zero. */
924 CHECK(secp256k1_scalar_is_zero(&neg));
925 }
926
927 {
928 /* Test secp256k1_scalar_mul_shift_var. */
929 secp256k1_scalar r;
930 secp256k1_num one;
931 secp256k1_num rnum;
932 secp256k1_num rnum2;
933 unsigned char cone[1] = {0x01};
934 unsigned int shift = 256 + secp256k1_testrand_int(257);
935 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
936 secp256k1_num_mul(&rnum, &s1num, &s2num);
937 secp256k1_num_shift(&rnum, shift - 1);
938 secp256k1_num_set_bin(&one, cone, 1);
939 secp256k1_num_add(&rnum, &rnum, &one);
940 secp256k1_num_shift(&rnum, 1);
941 secp256k1_scalar_get_num(&rnum2, &r);
942 CHECK(secp256k1_num_eq(&rnum, &rnum2));
943 }
944
945 {
946 /* test secp256k1_scalar_shr_int */
947 secp256k1_scalar r;
948 int i;
949 random_scalar_order_test(&r);
950 for (i = 0; i < 100; ++i) {
951 int low;
952 int shift = 1 + secp256k1_testrand_int(15);
953 int expected = r.d[0] % (1 << shift);
954 low = secp256k1_scalar_shr_int(&r, shift);
955 CHECK(expected == low);
956 }
957 }
958 #endif
959
960 {
961 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
962 if (!secp256k1_scalar_is_zero(&s)) {
963 secp256k1_scalar inv;
964 #ifndef USE_NUM_NONE
965 secp256k1_num invnum;
966 secp256k1_num invnum2;
967 #endif
968 secp256k1_scalar_inverse(&inv, &s);
969 #ifndef USE_NUM_NONE
970 secp256k1_num_mod_inverse(&invnum, &snum, &order);
971 secp256k1_scalar_get_num(&invnum2, &inv);
972 CHECK(secp256k1_num_eq(&invnum, &invnum2));
973 #endif
974 secp256k1_scalar_mul(&inv, &inv, &s);
975 /* Multiplying a scalar with its inverse must result in one. */
976 CHECK(secp256k1_scalar_is_one(&inv));
977 secp256k1_scalar_inverse(&inv, &inv);
978 /* Inverting one must result in one. */
979 CHECK(secp256k1_scalar_is_one(&inv));
980 #ifndef USE_NUM_NONE
981 secp256k1_scalar_get_num(&invnum, &inv);
982 CHECK(secp256k1_num_is_one(&invnum));
983 #endif
984 }
985 }
986
987 {
988 /* Test commutativity of add. */
989 secp256k1_scalar r1, r2;
990 secp256k1_scalar_add(&r1, &s1, &s2);
991 secp256k1_scalar_add(&r2, &s2, &s1);
992 CHECK(secp256k1_scalar_eq(&r1, &r2));
993 }
994
995 {
996 secp256k1_scalar r1, r2;
997 secp256k1_scalar b;
998 int i;
999 /* Test add_bit. */
1000 int bit = secp256k1_testrand_bits(8);
1001 secp256k1_scalar_set_int(&b, 1);
1002 CHECK(secp256k1_scalar_is_one(&b));
1003 for (i = 0; i < bit; i++) {
1004 secp256k1_scalar_add(&b, &b, &b);
1005 }
1006 r1 = s1;
1007 r2 = s1;
1008 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
1009 /* No overflow happened. */
1010 secp256k1_scalar_cadd_bit(&r2, bit, 1);
1011 CHECK(secp256k1_scalar_eq(&r1, &r2));
1012 /* cadd is a noop when flag is zero */
1013 secp256k1_scalar_cadd_bit(&r2, bit, 0);
1014 CHECK(secp256k1_scalar_eq(&r1, &r2));
1015 }
1016 }
1017
1018 {
1019 /* Test commutativity of mul. */
1020 secp256k1_scalar r1, r2;
1021 secp256k1_scalar_mul(&r1, &s1, &s2);
1022 secp256k1_scalar_mul(&r2, &s2, &s1);
1023 CHECK(secp256k1_scalar_eq(&r1, &r2));
1024 }
1025
1026 {
1027 /* Test associativity of add. */
1028 secp256k1_scalar r1, r2;
1029 secp256k1_scalar_add(&r1, &s1, &s2);
1030 secp256k1_scalar_add(&r1, &r1, &s);
1031 secp256k1_scalar_add(&r2, &s2, &s);
1032 secp256k1_scalar_add(&r2, &s1, &r2);
1033 CHECK(secp256k1_scalar_eq(&r1, &r2));
1034 }
1035
1036 {
1037 /* Test associativity of mul. */
1038 secp256k1_scalar r1, r2;
1039 secp256k1_scalar_mul(&r1, &s1, &s2);
1040 secp256k1_scalar_mul(&r1, &r1, &s);
1041 secp256k1_scalar_mul(&r2, &s2, &s);
1042 secp256k1_scalar_mul(&r2, &s1, &r2);
1043 CHECK(secp256k1_scalar_eq(&r1, &r2));
1044 }
1045
1046 {
1047 /* Test distributitivity of mul over add. */
1048 secp256k1_scalar r1, r2, t;
1049 secp256k1_scalar_add(&r1, &s1, &s2);
1050 secp256k1_scalar_mul(&r1, &r1, &s);
1051 secp256k1_scalar_mul(&r2, &s1, &s);
1052 secp256k1_scalar_mul(&t, &s2, &s);
1053 secp256k1_scalar_add(&r2, &r2, &t);
1054 CHECK(secp256k1_scalar_eq(&r1, &r2));
1055 }
1056
1057 {
1058 /* Test square. */
1059 secp256k1_scalar r1, r2;
1060 secp256k1_scalar_sqr(&r1, &s1);
1061 secp256k1_scalar_mul(&r2, &s1, &s1);
1062 CHECK(secp256k1_scalar_eq(&r1, &r2));
1063 }
1064
1065 {
1066 /* Test multiplicative identity. */
1067 secp256k1_scalar r1, v1;
1068 secp256k1_scalar_set_int(&v1,1);
1069 secp256k1_scalar_mul(&r1, &s1, &v1);
1070 CHECK(secp256k1_scalar_eq(&r1, &s1));
1071 }
1072
1073 {
1074 /* Test additive identity. */
1075 secp256k1_scalar r1, v0;
1076 secp256k1_scalar_set_int(&v0,0);
1077 secp256k1_scalar_add(&r1, &s1, &v0);
1078 CHECK(secp256k1_scalar_eq(&r1, &s1));
1079 }
1080
1081 {
1082 /* Test zero product property. */
1083 secp256k1_scalar r1, v0;
1084 secp256k1_scalar_set_int(&v0,0);
1085 secp256k1_scalar_mul(&r1, &s1, &v0);
1086 CHECK(secp256k1_scalar_eq(&r1, &v0));
1087 }
1088
1089 }
1090
run_scalar_set_b32_seckey_tests(void)1091 void run_scalar_set_b32_seckey_tests(void) {
1092 unsigned char b32[32];
1093 secp256k1_scalar s1;
1094 secp256k1_scalar s2;
1095
1096 /* Usually set_b32 and set_b32_seckey give the same result */
1097 random_scalar_order_b32(b32);
1098 secp256k1_scalar_set_b32(&s1, b32, NULL);
1099 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 1);
1100 CHECK(secp256k1_scalar_eq(&s1, &s2) == 1);
1101
1102 memset(b32, 0, sizeof(b32));
1103 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1104 memset(b32, 0xFF, sizeof(b32));
1105 CHECK(secp256k1_scalar_set_b32_seckey(&s2, b32) == 0);
1106 }
1107
run_scalar_tests(void)1108 void run_scalar_tests(void) {
1109 int i;
1110 for (i = 0; i < 128 * count; i++) {
1111 scalar_test();
1112 }
1113 for (i = 0; i < count; i++) {
1114 run_scalar_set_b32_seckey_tests();
1115 }
1116
1117 {
1118 /* (-1)+1 should be zero. */
1119 secp256k1_scalar s, o;
1120 secp256k1_scalar_set_int(&s, 1);
1121 CHECK(secp256k1_scalar_is_one(&s));
1122 secp256k1_scalar_negate(&o, &s);
1123 secp256k1_scalar_add(&o, &o, &s);
1124 CHECK(secp256k1_scalar_is_zero(&o));
1125 secp256k1_scalar_negate(&o, &o);
1126 CHECK(secp256k1_scalar_is_zero(&o));
1127 }
1128
1129 #ifndef USE_NUM_NONE
1130 {
1131 /* Test secp256k1_scalar_set_b32 boundary conditions */
1132 secp256k1_num order;
1133 secp256k1_scalar scalar;
1134 unsigned char bin[32];
1135 unsigned char bin_tmp[32];
1136 int overflow = 0;
1137 /* 2^256-1 - order */
1138 static const secp256k1_scalar all_ones_minus_order = SECP256K1_SCALAR_CONST(
1139 0x00000000UL, 0x00000000UL, 0x00000000UL, 0x00000001UL,
1140 0x45512319UL, 0x50B75FC4UL, 0x402DA173UL, 0x2FC9BEBEUL
1141 );
1142
1143 /* A scalar set to 0s should be 0. */
1144 memset(bin, 0, 32);
1145 secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1146 CHECK(overflow == 0);
1147 CHECK(secp256k1_scalar_is_zero(&scalar));
1148
1149 /* A scalar with value of the curve order should be 0. */
1150 secp256k1_scalar_order_get_num(&order);
1151 secp256k1_num_get_bin(bin, 32, &order);
1152 secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1153 CHECK(overflow == 1);
1154 CHECK(secp256k1_scalar_is_zero(&scalar));
1155
1156 /* A scalar with value of the curve order minus one should not overflow. */
1157 bin[31] -= 1;
1158 secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1159 CHECK(overflow == 0);
1160 secp256k1_scalar_get_b32(bin_tmp, &scalar);
1161 CHECK(secp256k1_memcmp_var(bin, bin_tmp, 32) == 0);
1162
1163 /* A scalar set to all 1s should overflow. */
1164 memset(bin, 0xFF, 32);
1165 secp256k1_scalar_set_b32(&scalar, bin, &overflow);
1166 CHECK(overflow == 1);
1167 CHECK(secp256k1_scalar_eq(&scalar, &all_ones_minus_order));
1168 }
1169 #endif
1170
1171 {
1172 /* Does check_overflow check catch all ones? */
1173 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1174 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1175 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1176 );
1177 CHECK(secp256k1_scalar_check_overflow(&overflowed));
1178 }
1179
1180 {
1181 /* Static test vectors.
1182 * These were reduced from ~10^12 random vectors based on comparison-decision
1183 * and edge-case coverage on 32-bit and 64-bit implementations.
1184 * The responses were generated with Sage 5.9.
1185 */
1186 secp256k1_scalar x;
1187 secp256k1_scalar y;
1188 secp256k1_scalar z;
1189 secp256k1_scalar zz;
1190 secp256k1_scalar one;
1191 secp256k1_scalar r1;
1192 secp256k1_scalar r2;
1193 #if defined(USE_SCALAR_INV_NUM)
1194 secp256k1_scalar zzv;
1195 #endif
1196 int overflow;
1197 unsigned char chal[33][2][32] = {
1198 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1199 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1200 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1201 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1202 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1203 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1204 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1205 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1206 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1207 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1208 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1209 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1210 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1211 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1212 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1213 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1214 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1215 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1216 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1217 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1218 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1219 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1220 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1221 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1222 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1223 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1224 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1225 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1226 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1227 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1228 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1229 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1230 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1231 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1232 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1233 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1234 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1235 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1236 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1237 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1238 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1239 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1240 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1241 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1242 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1243 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1244 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1245 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1246 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1247 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1248 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1249 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1250 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1251 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1252 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1253 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1254 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1255 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1256 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1257 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1258 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1259 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1260 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1261 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1262 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1263 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1264 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1265 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1266 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1267 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1268 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1269 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1270 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1271 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1272 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1273 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1274 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1275 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1276 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1277 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1278 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1279 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1280 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1281 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1282 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1283 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1284 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1285 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1286 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1287 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1288 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1289 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1290 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1291 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1292 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1293 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1294 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1295 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1296 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1297 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1298 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1299 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1300 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1301 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1302 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1303 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1304 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1305 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1306 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1307 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1308 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1309 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1310 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1311 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1312 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1313 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1314 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1315 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1316 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1317 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1318 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1319 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1320 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1321 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1322 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1323 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1324 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1325 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1326 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1327 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1328 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1329 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1330 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1331 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1332 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1333 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1334 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1335 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1336 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1337 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1338 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1339 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1340 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1341 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1342 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1343 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1344 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1345 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1346 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1347 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1348 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1349 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1350 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1351 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1352 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1353 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1354 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1355 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1356 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1357 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1358 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1359 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1360 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1361 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1362 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1363 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1364 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1365 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1366 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1367 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1368 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1369 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1370 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1371 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1372 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1373 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1374 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1375 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1376 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1377 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1378 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1379 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1380 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1381 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1382 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1383 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1384 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1385 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1386 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1387 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1388 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1389 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1390 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1391 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1392 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1393 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1394 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1395 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1396 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1397 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1398 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1399 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1400 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1401 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1402 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1403 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1404 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1405 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1406 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1407 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1408 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1409 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1410 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1411 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1412 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1413 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1414 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1415 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1416 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1417 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1418 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1419 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1420 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1421 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1422 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1423 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1424 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1425 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1426 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1427 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1428 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1429 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1430 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1431 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1432 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1433 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1434 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1435 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1436 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1437 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1438 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1439 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1440 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1441 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1442 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1443 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1444 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1445 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1446 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1447 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1448 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1449 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1450 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1451 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1452 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1453 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1454 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1455 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1456 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1457 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1458 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1459 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1460 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1461 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
1462 };
1463 unsigned char res[33][2][32] = {
1464 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1465 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1466 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1467 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1468 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1469 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1470 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1471 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1472 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1473 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1474 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1475 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1476 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1477 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1478 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1479 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1480 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1481 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1482 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1483 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1484 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1485 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1486 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1487 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1488 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1489 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1490 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1491 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1492 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1493 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1494 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1495 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1496 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1497 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1498 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1499 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1500 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1501 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1502 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1503 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1504 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1505 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1506 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1507 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1508 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1509 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1510 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1511 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1512 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1513 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1514 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1515 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1516 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1517 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1518 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1519 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1520 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1521 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1522 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1523 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1524 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1525 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1526 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1527 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1528 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1529 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1530 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1531 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1532 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1533 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1534 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1535 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1536 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1537 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1538 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1539 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1540 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1541 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1542 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1543 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1544 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1545 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1546 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1547 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1548 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1549 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1550 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1551 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1552 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1553 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1554 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1555 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1556 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1557 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1558 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1559 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1560 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1561 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1562 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1563 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1564 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1565 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1566 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1567 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1568 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1569 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1570 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1571 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1572 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1573 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1574 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1575 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1576 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1577 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1578 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1579 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1580 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1581 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1582 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1583 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1584 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1585 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1586 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1587 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1588 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1589 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1590 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1591 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1592 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1593 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1594 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1595 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1596 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1597 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1598 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1599 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1600 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1601 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1602 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1603 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1604 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1605 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1606 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1607 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1608 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1609 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1610 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1611 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1612 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1613 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1614 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1615 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1616 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1617 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1618 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1619 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1620 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1621 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1622 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1623 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1624 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1625 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1626 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1627 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1628 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1629 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1630 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1631 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1632 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1633 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1634 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1635 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1636 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1637 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1638 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1639 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1640 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1641 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1642 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1643 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1644 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1645 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1646 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1647 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1648 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1649 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1650 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1651 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1652 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1653 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1654 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1655 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1656 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1657 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1658 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1659 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1660 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1661 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1662 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1663 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1664 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1665 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1666 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1667 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1668 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1669 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1670 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1671 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1672 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1673 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1674 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1675 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1676 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1677 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1678 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1679 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1680 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1681 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1682 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1683 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1684 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1685 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1686 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1687 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1688 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1689 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1690 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1691 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1692 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1693 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1694 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1695 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1696 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1697 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1698 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1699 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1700 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1701 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1702 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1703 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1704 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1705 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1706 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1707 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1708 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1709 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1710 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1711 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1712 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1713 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1714 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1715 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1716 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1717 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1718 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
1719 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1720 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1721 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1722 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1723 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1724 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1725 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1726 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1727 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
1728 };
1729 secp256k1_scalar_set_int(&one, 1);
1730 for (i = 0; i < 33; i++) {
1731 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1732 CHECK(!overflow);
1733 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1734 CHECK(!overflow);
1735 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1736 CHECK(!overflow);
1737 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1738 CHECK(!overflow);
1739 secp256k1_scalar_mul(&z, &x, &y);
1740 CHECK(!secp256k1_scalar_check_overflow(&z));
1741 CHECK(secp256k1_scalar_eq(&r1, &z));
1742 if (!secp256k1_scalar_is_zero(&y)) {
1743 secp256k1_scalar_inverse(&zz, &y);
1744 CHECK(!secp256k1_scalar_check_overflow(&zz));
1745 #if defined(USE_SCALAR_INV_NUM)
1746 secp256k1_scalar_inverse_var(&zzv, &y);
1747 CHECK(secp256k1_scalar_eq(&zzv, &zz));
1748 #endif
1749 secp256k1_scalar_mul(&z, &z, &zz);
1750 CHECK(!secp256k1_scalar_check_overflow(&z));
1751 CHECK(secp256k1_scalar_eq(&x, &z));
1752 secp256k1_scalar_mul(&zz, &zz, &y);
1753 CHECK(!secp256k1_scalar_check_overflow(&zz));
1754 CHECK(secp256k1_scalar_eq(&one, &zz));
1755 }
1756 secp256k1_scalar_mul(&z, &x, &x);
1757 CHECK(!secp256k1_scalar_check_overflow(&z));
1758 secp256k1_scalar_sqr(&zz, &x);
1759 CHECK(!secp256k1_scalar_check_overflow(&zz));
1760 CHECK(secp256k1_scalar_eq(&zz, &z));
1761 CHECK(secp256k1_scalar_eq(&r2, &zz));
1762 }
1763 }
1764 }
1765
1766 /***** FIELD TESTS *****/
1767
random_fe(secp256k1_fe * x)1768 void random_fe(secp256k1_fe *x) {
1769 unsigned char bin[32];
1770 do {
1771 secp256k1_testrand256(bin);
1772 if (secp256k1_fe_set_b32(x, bin)) {
1773 return;
1774 }
1775 } while(1);
1776 }
1777
random_fe_test(secp256k1_fe * x)1778 void random_fe_test(secp256k1_fe *x) {
1779 unsigned char bin[32];
1780 do {
1781 secp256k1_testrand256_test(bin);
1782 if (secp256k1_fe_set_b32(x, bin)) {
1783 return;
1784 }
1785 } while(1);
1786 }
1787
random_fe_non_zero(secp256k1_fe * nz)1788 void random_fe_non_zero(secp256k1_fe *nz) {
1789 int tries = 10;
1790 while (--tries >= 0) {
1791 random_fe(nz);
1792 secp256k1_fe_normalize(nz);
1793 if (!secp256k1_fe_is_zero(nz)) {
1794 break;
1795 }
1796 }
1797 /* Infinitesimal probability of spurious failure here */
1798 CHECK(tries >= 0);
1799 }
1800
random_fe_non_square(secp256k1_fe * ns)1801 void random_fe_non_square(secp256k1_fe *ns) {
1802 secp256k1_fe r;
1803 random_fe_non_zero(ns);
1804 if (secp256k1_fe_sqrt(&r, ns)) {
1805 secp256k1_fe_negate(ns, ns, 1);
1806 }
1807 }
1808
check_fe_equal(const secp256k1_fe * a,const secp256k1_fe * b)1809 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1810 secp256k1_fe an = *a;
1811 secp256k1_fe bn = *b;
1812 secp256k1_fe_normalize_weak(&an);
1813 secp256k1_fe_normalize_var(&bn);
1814 return secp256k1_fe_equal_var(&an, &bn);
1815 }
1816
check_fe_inverse(const secp256k1_fe * a,const secp256k1_fe * ai)1817 int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) {
1818 secp256k1_fe x;
1819 secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
1820 secp256k1_fe_mul(&x, a, ai);
1821 return check_fe_equal(&x, &one);
1822 }
1823
run_field_convert(void)1824 void run_field_convert(void) {
1825 static const unsigned char b32[32] = {
1826 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1827 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1828 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1829 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1830 };
1831 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
1832 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1833 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1834 );
1835 static const secp256k1_fe fe = SECP256K1_FE_CONST(
1836 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1837 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1838 );
1839 secp256k1_fe fe2;
1840 unsigned char b322[32];
1841 secp256k1_fe_storage fes2;
1842 /* Check conversions to fe. */
1843 CHECK(secp256k1_fe_set_b32(&fe2, b32));
1844 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1845 secp256k1_fe_from_storage(&fe2, &fes);
1846 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1847 /* Check conversion from fe. */
1848 secp256k1_fe_get_b32(b322, &fe);
1849 CHECK(secp256k1_memcmp_var(b322, b32, 32) == 0);
1850 secp256k1_fe_to_storage(&fes2, &fe);
1851 CHECK(secp256k1_memcmp_var(&fes2, &fes, sizeof(fes)) == 0);
1852 }
1853
fe_secp256k1_memcmp_var(const secp256k1_fe * a,const secp256k1_fe * b)1854 int fe_secp256k1_memcmp_var(const secp256k1_fe *a, const secp256k1_fe *b) {
1855 secp256k1_fe t = *b;
1856 #ifdef VERIFY
1857 t.magnitude = a->magnitude;
1858 t.normalized = a->normalized;
1859 #endif
1860 return secp256k1_memcmp_var(a, &t, sizeof(secp256k1_fe));
1861 }
1862
run_field_misc(void)1863 void run_field_misc(void) {
1864 secp256k1_fe x;
1865 secp256k1_fe y;
1866 secp256k1_fe z;
1867 secp256k1_fe q;
1868 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
1869 int i, j;
1870 for (i = 0; i < 5*count; i++) {
1871 secp256k1_fe_storage xs, ys, zs;
1872 random_fe(&x);
1873 random_fe_non_zero(&y);
1874 /* Test the fe equality and comparison operations. */
1875 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
1876 CHECK(secp256k1_fe_equal_var(&x, &x));
1877 z = x;
1878 secp256k1_fe_add(&z,&y);
1879 /* Test fe conditional move; z is not normalized here. */
1880 q = x;
1881 secp256k1_fe_cmov(&x, &z, 0);
1882 #ifdef VERIFY
1883 CHECK(x.normalized && x.magnitude == 1);
1884 #endif
1885 secp256k1_fe_cmov(&x, &x, 1);
1886 CHECK(fe_secp256k1_memcmp_var(&x, &z) != 0);
1887 CHECK(fe_secp256k1_memcmp_var(&x, &q) == 0);
1888 secp256k1_fe_cmov(&q, &z, 1);
1889 #ifdef VERIFY
1890 CHECK(!q.normalized && q.magnitude == z.magnitude);
1891 #endif
1892 CHECK(fe_secp256k1_memcmp_var(&q, &z) == 0);
1893 secp256k1_fe_normalize_var(&x);
1894 secp256k1_fe_normalize_var(&z);
1895 CHECK(!secp256k1_fe_equal_var(&x, &z));
1896 secp256k1_fe_normalize_var(&q);
1897 secp256k1_fe_cmov(&q, &z, (i&1));
1898 #ifdef VERIFY
1899 CHECK(q.normalized && q.magnitude == 1);
1900 #endif
1901 for (j = 0; j < 6; j++) {
1902 secp256k1_fe_negate(&z, &z, j+1);
1903 secp256k1_fe_normalize_var(&q);
1904 secp256k1_fe_cmov(&q, &z, (j&1));
1905 #ifdef VERIFY
1906 CHECK((q.normalized != (j&1)) && q.magnitude == ((j&1) ? z.magnitude : 1));
1907 #endif
1908 }
1909 secp256k1_fe_normalize_var(&z);
1910 /* Test storage conversion and conditional moves. */
1911 secp256k1_fe_to_storage(&xs, &x);
1912 secp256k1_fe_to_storage(&ys, &y);
1913 secp256k1_fe_to_storage(&zs, &z);
1914 secp256k1_fe_storage_cmov(&zs, &xs, 0);
1915 secp256k1_fe_storage_cmov(&zs, &zs, 1);
1916 CHECK(secp256k1_memcmp_var(&xs, &zs, sizeof(xs)) != 0);
1917 secp256k1_fe_storage_cmov(&ys, &xs, 1);
1918 CHECK(secp256k1_memcmp_var(&xs, &ys, sizeof(xs)) == 0);
1919 secp256k1_fe_from_storage(&x, &xs);
1920 secp256k1_fe_from_storage(&y, &ys);
1921 secp256k1_fe_from_storage(&z, &zs);
1922 /* Test that mul_int, mul, and add agree. */
1923 secp256k1_fe_add(&y, &x);
1924 secp256k1_fe_add(&y, &x);
1925 z = x;
1926 secp256k1_fe_mul_int(&z, 3);
1927 CHECK(check_fe_equal(&y, &z));
1928 secp256k1_fe_add(&y, &x);
1929 secp256k1_fe_add(&z, &x);
1930 CHECK(check_fe_equal(&z, &y));
1931 z = x;
1932 secp256k1_fe_mul_int(&z, 5);
1933 secp256k1_fe_mul(&q, &x, &fe5);
1934 CHECK(check_fe_equal(&z, &q));
1935 secp256k1_fe_negate(&x, &x, 1);
1936 secp256k1_fe_add(&z, &x);
1937 secp256k1_fe_add(&q, &x);
1938 CHECK(check_fe_equal(&y, &z));
1939 CHECK(check_fe_equal(&q, &y));
1940 }
1941 }
1942
run_field_inv(void)1943 void run_field_inv(void) {
1944 secp256k1_fe x, xi, xii;
1945 int i;
1946 for (i = 0; i < 10*count; i++) {
1947 random_fe_non_zero(&x);
1948 secp256k1_fe_inv(&xi, &x);
1949 CHECK(check_fe_inverse(&x, &xi));
1950 secp256k1_fe_inv(&xii, &xi);
1951 CHECK(check_fe_equal(&x, &xii));
1952 }
1953 }
1954
run_field_inv_var(void)1955 void run_field_inv_var(void) {
1956 secp256k1_fe x, xi, xii;
1957 int i;
1958 for (i = 0; i < 10*count; i++) {
1959 random_fe_non_zero(&x);
1960 secp256k1_fe_inv_var(&xi, &x);
1961 CHECK(check_fe_inverse(&x, &xi));
1962 secp256k1_fe_inv_var(&xii, &xi);
1963 CHECK(check_fe_equal(&x, &xii));
1964 }
1965 }
1966
run_field_inv_all_var(void)1967 void run_field_inv_all_var(void) {
1968 secp256k1_fe x[16], xi[16], xii[16];
1969 int i;
1970 /* Check it's safe to call for 0 elements */
1971 secp256k1_fe_inv_all_var(xi, x, 0);
1972 for (i = 0; i < count; i++) {
1973 size_t j;
1974 size_t len = secp256k1_testrand_int(15) + 1;
1975 for (j = 0; j < len; j++) {
1976 random_fe_non_zero(&x[j]);
1977 }
1978 secp256k1_fe_inv_all_var(xi, x, len);
1979 for (j = 0; j < len; j++) {
1980 CHECK(check_fe_inverse(&x[j], &xi[j]));
1981 }
1982 secp256k1_fe_inv_all_var(xii, xi, len);
1983 for (j = 0; j < len; j++) {
1984 CHECK(check_fe_equal(&x[j], &xii[j]));
1985 }
1986 }
1987 }
1988
run_sqr(void)1989 void run_sqr(void) {
1990 secp256k1_fe x, s;
1991
1992 {
1993 int i;
1994 secp256k1_fe_set_int(&x, 1);
1995 secp256k1_fe_negate(&x, &x, 1);
1996
1997 for (i = 1; i <= 512; ++i) {
1998 secp256k1_fe_mul_int(&x, 2);
1999 secp256k1_fe_normalize(&x);
2000 secp256k1_fe_sqr(&s, &x);
2001 }
2002 }
2003 }
2004
test_sqrt(const secp256k1_fe * a,const secp256k1_fe * k)2005 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
2006 secp256k1_fe r1, r2;
2007 int v = secp256k1_fe_sqrt(&r1, a);
2008 CHECK((v == 0) == (k == NULL));
2009
2010 if (k != NULL) {
2011 /* Check that the returned root is +/- the given known answer */
2012 secp256k1_fe_negate(&r2, &r1, 1);
2013 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
2014 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
2015 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
2016 }
2017 }
2018
run_sqrt(void)2019 void run_sqrt(void) {
2020 secp256k1_fe ns, x, s, t;
2021 int i;
2022
2023 /* Check sqrt(0) is 0 */
2024 secp256k1_fe_set_int(&x, 0);
2025 secp256k1_fe_sqr(&s, &x);
2026 test_sqrt(&s, &x);
2027
2028 /* Check sqrt of small squares (and their negatives) */
2029 for (i = 1; i <= 100; i++) {
2030 secp256k1_fe_set_int(&x, i);
2031 secp256k1_fe_sqr(&s, &x);
2032 test_sqrt(&s, &x);
2033 secp256k1_fe_negate(&t, &s, 1);
2034 test_sqrt(&t, NULL);
2035 }
2036
2037 /* Consistency checks for large random values */
2038 for (i = 0; i < 10; i++) {
2039 int j;
2040 random_fe_non_square(&ns);
2041 for (j = 0; j < count; j++) {
2042 random_fe(&x);
2043 secp256k1_fe_sqr(&s, &x);
2044 test_sqrt(&s, &x);
2045 secp256k1_fe_negate(&t, &s, 1);
2046 test_sqrt(&t, NULL);
2047 secp256k1_fe_mul(&t, &s, &ns);
2048 test_sqrt(&t, NULL);
2049 }
2050 }
2051 }
2052
2053 /***** GROUP TESTS *****/
2054
ge_equals_ge(const secp256k1_ge * a,const secp256k1_ge * b)2055 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
2056 CHECK(a->infinity == b->infinity);
2057 if (a->infinity) {
2058 return;
2059 }
2060 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
2061 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
2062 }
2063
2064 /* This compares jacobian points including their Z, not just their geometric meaning. */
gej_xyz_equals_gej(const secp256k1_gej * a,const secp256k1_gej * b)2065 int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
2066 secp256k1_gej a2;
2067 secp256k1_gej b2;
2068 int ret = 1;
2069 ret &= a->infinity == b->infinity;
2070 if (ret && !a->infinity) {
2071 a2 = *a;
2072 b2 = *b;
2073 secp256k1_fe_normalize(&a2.x);
2074 secp256k1_fe_normalize(&a2.y);
2075 secp256k1_fe_normalize(&a2.z);
2076 secp256k1_fe_normalize(&b2.x);
2077 secp256k1_fe_normalize(&b2.y);
2078 secp256k1_fe_normalize(&b2.z);
2079 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
2080 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
2081 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
2082 }
2083 return ret;
2084 }
2085
ge_equals_gej(const secp256k1_ge * a,const secp256k1_gej * b)2086 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
2087 secp256k1_fe z2s;
2088 secp256k1_fe u1, u2, s1, s2;
2089 CHECK(a->infinity == b->infinity);
2090 if (a->infinity) {
2091 return;
2092 }
2093 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
2094 secp256k1_fe_sqr(&z2s, &b->z);
2095 secp256k1_fe_mul(&u1, &a->x, &z2s);
2096 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
2097 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
2098 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
2099 CHECK(secp256k1_fe_equal_var(&u1, &u2));
2100 CHECK(secp256k1_fe_equal_var(&s1, &s2));
2101 }
2102
test_ge(void)2103 void test_ge(void) {
2104 int i, i1;
2105 int runs = 6;
2106 /* 25 points are used:
2107 * - infinity
2108 * - for each of four random points p1 p2 p3 p4, we add the point, its
2109 * negation, and then those two again but with randomized Z coordinate.
2110 * - The same is then done for lambda*p1 and lambda^2*p1.
2111 */
2112 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
2113 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
2114 secp256k1_fe *zinv = (secp256k1_fe *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
2115 secp256k1_fe zf;
2116 secp256k1_fe zfi2, zfi3;
2117
2118 secp256k1_gej_set_infinity(&gej[0]);
2119 secp256k1_ge_clear(&ge[0]);
2120 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
2121 for (i = 0; i < runs; i++) {
2122 int j;
2123 secp256k1_ge g;
2124 random_group_element_test(&g);
2125 if (i >= runs - 2) {
2126 secp256k1_ge_mul_lambda(&g, &ge[1]);
2127 }
2128 if (i >= runs - 1) {
2129 secp256k1_ge_mul_lambda(&g, &g);
2130 }
2131 ge[1 + 4 * i] = g;
2132 ge[2 + 4 * i] = g;
2133 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
2134 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
2135 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
2136 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
2137 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
2138 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
2139 for (j = 0; j < 4; j++) {
2140 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
2141 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
2142 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
2143 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
2144 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
2145 }
2146 }
2147
2148 /* Compute z inverses. */
2149 {
2150 secp256k1_fe *zs = checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
2151 for (i = 0; i < 4 * runs + 1; i++) {
2152 if (i == 0) {
2153 /* The point at infinity does not have a meaningful z inverse. Any should do. */
2154 do {
2155 random_field_element_test(&zs[i]);
2156 } while(secp256k1_fe_is_zero(&zs[i]));
2157 } else {
2158 zs[i] = gej[i].z;
2159 }
2160 }
2161 secp256k1_fe_inv_all_var(zinv, zs, 4 * runs + 1);
2162 free(zs);
2163 }
2164
2165 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
2166 do {
2167 random_field_element_test(&zf);
2168 } while(secp256k1_fe_is_zero(&zf));
2169 random_field_element_magnitude(&zf);
2170 secp256k1_fe_inv_var(&zfi3, &zf);
2171 secp256k1_fe_sqr(&zfi2, &zfi3);
2172 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
2173
2174 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
2175 int i2;
2176 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
2177 /* Compute reference result using gej + gej (var). */
2178 secp256k1_gej refj, resj;
2179 secp256k1_ge ref;
2180 secp256k1_fe zr;
2181 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2182 /* Check Z ratio. */
2183 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
2184 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2185 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
2186 }
2187 secp256k1_ge_set_gej_var(&ref, &refj);
2188
2189 /* Test gej + ge with Z ratio result (var). */
2190 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2191 ge_equals_gej(&ref, &resj);
2192 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
2193 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2194 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
2195 }
2196
2197 /* Test gej + ge (var, with additional Z factor). */
2198 {
2199 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
2200 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
2201 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
2202 random_field_element_magnitude(&ge2_zfi.x);
2203 random_field_element_magnitude(&ge2_zfi.y);
2204 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
2205 ge_equals_gej(&ref, &resj);
2206 }
2207
2208 /* Test gej + ge (const). */
2209 if (i2 != 0) {
2210 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
2211 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
2212 ge_equals_gej(&ref, &resj);
2213 }
2214
2215 /* Test doubling (var). */
2216 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
2217 secp256k1_fe zr2;
2218 /* Normal doubling with Z ratio result. */
2219 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
2220 ge_equals_gej(&ref, &resj);
2221 /* Check Z ratio. */
2222 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2223 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2224 /* Normal doubling. */
2225 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
2226 ge_equals_gej(&ref, &resj);
2227 /* Constant-time doubling. */
2228 secp256k1_gej_double(&resj, &gej[i2]);
2229 ge_equals_gej(&ref, &resj);
2230 }
2231
2232 /* Test adding opposites. */
2233 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2234 CHECK(secp256k1_ge_is_infinity(&ref));
2235 }
2236
2237 /* Test adding infinity. */
2238 if (i1 == 0) {
2239 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2240 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2241 ge_equals_gej(&ref, &gej[i2]);
2242 }
2243 if (i2 == 0) {
2244 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2245 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2246 ge_equals_gej(&ref, &gej[i1]);
2247 }
2248 }
2249 }
2250
2251 /* Test adding all points together in random order equals infinity. */
2252 {
2253 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
2254 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
2255 for (i = 0; i < 4 * runs + 1; i++) {
2256 gej_shuffled[i] = gej[i];
2257 }
2258 for (i = 0; i < 4 * runs + 1; i++) {
2259 int swap = i + secp256k1_testrand_int(4 * runs + 1 - i);
2260 if (swap != i) {
2261 secp256k1_gej t = gej_shuffled[i];
2262 gej_shuffled[i] = gej_shuffled[swap];
2263 gej_shuffled[swap] = t;
2264 }
2265 }
2266 for (i = 0; i < 4 * runs + 1; i++) {
2267 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
2268 }
2269 CHECK(secp256k1_gej_is_infinity(&sum));
2270 free(gej_shuffled);
2271 }
2272
2273 /* Test batch gej -> ge conversion with and without known z ratios. */
2274 {
2275 secp256k1_fe *zr = (secp256k1_fe *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_fe));
2276 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2277 for (i = 0; i < 4 * runs + 1; i++) {
2278 /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
2279 if (i < 4 * runs) {
2280 secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
2281 }
2282 }
2283 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
2284 for (i = 0; i < 4 * runs + 1; i++) {
2285 secp256k1_fe s;
2286 random_fe_non_zero(&s);
2287 secp256k1_gej_rescale(&gej[i], &s);
2288 ge_equals_gej(&ge_set_all[i], &gej[i]);
2289 }
2290 free(ge_set_all);
2291 free(zr);
2292 }
2293
2294 /* Test batch gej -> ge conversion with many infinities. */
2295 for (i = 0; i < 4 * runs + 1; i++) {
2296 random_group_element_test(&ge[i]);
2297 /* randomly set half the points to infinity */
2298 if(secp256k1_fe_is_odd(&ge[i].x)) {
2299 secp256k1_ge_set_infinity(&ge[i]);
2300 }
2301 secp256k1_gej_set_ge(&gej[i], &ge[i]);
2302 }
2303 /* batch invert */
2304 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
2305 /* check result */
2306 for (i = 0; i < 4 * runs + 1; i++) {
2307 ge_equals_gej(&ge[i], &gej[i]);
2308 }
2309
2310 free(ge);
2311 free(gej);
2312 free(zinv);
2313 }
2314
2315
test_intialized_inf(void)2316 void test_intialized_inf(void) {
2317 secp256k1_ge p;
2318 secp256k1_gej pj, npj, infj1, infj2, infj3;
2319 secp256k1_fe zinv;
2320
2321 /* Test that adding P+(-P) results in a fully initalized infinity*/
2322 random_group_element_test(&p);
2323 secp256k1_gej_set_ge(&pj, &p);
2324 secp256k1_gej_neg(&npj, &pj);
2325
2326 secp256k1_gej_add_var(&infj1, &pj, &npj, NULL);
2327 CHECK(secp256k1_gej_is_infinity(&infj1));
2328 CHECK(secp256k1_fe_is_zero(&infj1.x));
2329 CHECK(secp256k1_fe_is_zero(&infj1.y));
2330 CHECK(secp256k1_fe_is_zero(&infj1.z));
2331
2332 secp256k1_gej_add_ge_var(&infj2, &npj, &p, NULL);
2333 CHECK(secp256k1_gej_is_infinity(&infj2));
2334 CHECK(secp256k1_fe_is_zero(&infj2.x));
2335 CHECK(secp256k1_fe_is_zero(&infj2.y));
2336 CHECK(secp256k1_fe_is_zero(&infj2.z));
2337
2338 secp256k1_fe_set_int(&zinv, 1);
2339 secp256k1_gej_add_zinv_var(&infj3, &npj, &p, &zinv);
2340 CHECK(secp256k1_gej_is_infinity(&infj3));
2341 CHECK(secp256k1_fe_is_zero(&infj3.x));
2342 CHECK(secp256k1_fe_is_zero(&infj3.y));
2343 CHECK(secp256k1_fe_is_zero(&infj3.z));
2344
2345
2346 }
2347
test_add_neg_y_diff_x(void)2348 void test_add_neg_y_diff_x(void) {
2349 /* The point of this test is to check that we can add two points
2350 * whose y-coordinates are negatives of each other but whose x
2351 * coordinates differ. If the x-coordinates were the same, these
2352 * points would be negatives of each other and their sum is
2353 * infinity. This is cool because it "covers up" any degeneracy
2354 * in the addition algorithm that would cause the xy coordinates
2355 * of the sum to be wrong (since infinity has no xy coordinates).
2356 * HOWEVER, if the x-coordinates are different, infinity is the
2357 * wrong answer, and such degeneracies are exposed. This is the
2358 * root of https://github.com/bitcoin-core/secp256k1/issues/257
2359 * which this test is a regression test for.
2360 *
2361 * These points were generated in sage as
2362 * # secp256k1 params
2363 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2364 * C = EllipticCurve ([F (0), F (7)])
2365 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2366 * N = FiniteField(G.order())
2367 *
2368 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2369 * x = polygen(N)
2370 * lam = (1 - x^3).roots()[1][0]
2371 *
2372 * # random "bad pair"
2373 * P = C.random_element()
2374 * Q = -int(lam) * P
2375 * print " P: %x %x" % P.xy()
2376 * print " Q: %x %x" % Q.xy()
2377 * print "P + Q: %x %x" % (P + Q).xy()
2378 */
2379 secp256k1_gej aj = SECP256K1_GEJ_CONST(
2380 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2381 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2382 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2383 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2384 );
2385 secp256k1_gej bj = SECP256K1_GEJ_CONST(
2386 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2387 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2388 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2389 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2390 );
2391 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
2392 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2393 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2394 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2395 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2396 );
2397 secp256k1_ge b;
2398 secp256k1_gej resj;
2399 secp256k1_ge res;
2400 secp256k1_ge_set_gej(&b, &bj);
2401
2402 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2403 secp256k1_ge_set_gej(&res, &resj);
2404 ge_equals_gej(&res, &sumj);
2405
2406 secp256k1_gej_add_ge(&resj, &aj, &b);
2407 secp256k1_ge_set_gej(&res, &resj);
2408 ge_equals_gej(&res, &sumj);
2409
2410 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2411 secp256k1_ge_set_gej(&res, &resj);
2412 ge_equals_gej(&res, &sumj);
2413 }
2414
run_ge(void)2415 void run_ge(void) {
2416 int i;
2417 for (i = 0; i < count * 32; i++) {
2418 test_ge();
2419 }
2420 test_add_neg_y_diff_x();
2421 test_intialized_inf();
2422 }
2423
test_ec_combine(void)2424 void test_ec_combine(void) {
2425 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2426 secp256k1_pubkey data[6];
2427 const secp256k1_pubkey* d[6];
2428 secp256k1_pubkey sd;
2429 secp256k1_pubkey sd2;
2430 secp256k1_gej Qj;
2431 secp256k1_ge Q;
2432 int i;
2433 for (i = 1; i <= 6; i++) {
2434 secp256k1_scalar s;
2435 random_scalar_order_test(&s);
2436 secp256k1_scalar_add(&sum, &sum, &s);
2437 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2438 secp256k1_ge_set_gej(&Q, &Qj);
2439 secp256k1_pubkey_save(&data[i - 1], &Q);
2440 d[i - 1] = &data[i - 1];
2441 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2442 secp256k1_ge_set_gej(&Q, &Qj);
2443 secp256k1_pubkey_save(&sd, &Q);
2444 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
2445 CHECK(secp256k1_memcmp_var(&sd, &sd2, sizeof(sd)) == 0);
2446 }
2447 }
2448
run_ec_combine(void)2449 void run_ec_combine(void) {
2450 int i;
2451 for (i = 0; i < count * 8; i++) {
2452 test_ec_combine();
2453 }
2454 }
2455
test_group_decompress(const secp256k1_fe * x)2456 void test_group_decompress(const secp256k1_fe* x) {
2457 /* The input itself, normalized. */
2458 secp256k1_fe fex = *x;
2459 secp256k1_fe fez;
2460 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2461 secp256k1_ge ge_quad, ge_even, ge_odd;
2462 secp256k1_gej gej_quad;
2463 /* Return values of the above calls. */
2464 int res_quad, res_even, res_odd;
2465
2466 secp256k1_fe_normalize_var(&fex);
2467
2468 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
2469 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2470 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2471
2472 CHECK(res_quad == res_even);
2473 CHECK(res_quad == res_odd);
2474
2475 if (res_quad) {
2476 secp256k1_fe_normalize_var(&ge_quad.x);
2477 secp256k1_fe_normalize_var(&ge_odd.x);
2478 secp256k1_fe_normalize_var(&ge_even.x);
2479 secp256k1_fe_normalize_var(&ge_quad.y);
2480 secp256k1_fe_normalize_var(&ge_odd.y);
2481 secp256k1_fe_normalize_var(&ge_even.y);
2482
2483 /* No infinity allowed. */
2484 CHECK(!ge_quad.infinity);
2485 CHECK(!ge_even.infinity);
2486 CHECK(!ge_odd.infinity);
2487
2488 /* Check that the x coordinates check out. */
2489 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2490 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2491 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2492
2493 /* Check that the Y coordinate result in ge_quad is a square. */
2494 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
2495
2496 /* Check odd/even Y in ge_odd, ge_even. */
2497 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2498 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
2499
2500 /* Check secp256k1_gej_has_quad_y_var. */
2501 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2502 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2503 do {
2504 random_fe_test(&fez);
2505 } while (secp256k1_fe_is_zero(&fez));
2506 secp256k1_gej_rescale(&gej_quad, &fez);
2507 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2508 secp256k1_gej_neg(&gej_quad, &gej_quad);
2509 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2510 do {
2511 random_fe_test(&fez);
2512 } while (secp256k1_fe_is_zero(&fez));
2513 secp256k1_gej_rescale(&gej_quad, &fez);
2514 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2515 secp256k1_gej_neg(&gej_quad, &gej_quad);
2516 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2517 }
2518 }
2519
run_group_decompress(void)2520 void run_group_decompress(void) {
2521 int i;
2522 for (i = 0; i < count * 4; i++) {
2523 secp256k1_fe fe;
2524 random_fe_test(&fe);
2525 test_group_decompress(&fe);
2526 }
2527 }
2528
2529 /***** ECMULT TESTS *****/
2530
run_ecmult_chain(void)2531 void run_ecmult_chain(void) {
2532 /* random starting point A (on the curve) */
2533 secp256k1_gej a = SECP256K1_GEJ_CONST(
2534 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2535 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2536 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2537 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2538 );
2539 /* two random initial factors xn and gn */
2540 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2541 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2542 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2543 );
2544 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
2545 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2546 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2547 );
2548 /* two small multipliers to be applied to xn and gn in every iteration: */
2549 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2550 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
2551 /* accumulators with the resulting coefficients to A and G */
2552 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2553 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2554 /* actual points */
2555 secp256k1_gej x;
2556 secp256k1_gej x2;
2557 int i;
2558
2559 /* the point being computed */
2560 x = a;
2561 for (i = 0; i < 200*count; i++) {
2562 /* in each iteration, compute X = xn*X + gn*G; */
2563 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
2564 /* also compute ae and ge: the actual accumulated factors for A and G */
2565 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
2566 secp256k1_scalar_mul(&ae, &ae, &xn);
2567 secp256k1_scalar_mul(&ge, &ge, &xn);
2568 secp256k1_scalar_add(&ge, &ge, &gn);
2569 /* modify xn and gn */
2570 secp256k1_scalar_mul(&xn, &xn, &xf);
2571 secp256k1_scalar_mul(&gn, &gn, &gf);
2572
2573 /* verify */
2574 if (i == 19999) {
2575 /* expected result after 19999 iterations */
2576 secp256k1_gej rp = SECP256K1_GEJ_CONST(
2577 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2578 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2579 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2580 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2581 );
2582
2583 secp256k1_gej_neg(&rp, &rp);
2584 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
2585 CHECK(secp256k1_gej_is_infinity(&rp));
2586 }
2587 }
2588 /* redo the computation, but directly with the resulting ae and ge coefficients: */
2589 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
2590 secp256k1_gej_neg(&x2, &x2);
2591 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
2592 CHECK(secp256k1_gej_is_infinity(&x2));
2593 }
2594
test_point_times_order(const secp256k1_gej * point)2595 void test_point_times_order(const secp256k1_gej *point) {
2596 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
2597 secp256k1_scalar x;
2598 secp256k1_scalar nx;
2599 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2600 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2601 secp256k1_gej res1, res2;
2602 secp256k1_ge res3;
2603 unsigned char pub[65];
2604 size_t psize = 65;
2605 random_scalar_order_test(&x);
2606 secp256k1_scalar_negate(&nx, &x);
2607 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2608 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
2609 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
2610 CHECK(secp256k1_gej_is_infinity(&res1));
2611 secp256k1_ge_set_gej(&res3, &res1);
2612 CHECK(secp256k1_ge_is_infinity(&res3));
2613 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
2614 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
2615 psize = 65;
2616 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
2617 /* check zero/one edge cases */
2618 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2619 secp256k1_ge_set_gej(&res3, &res1);
2620 CHECK(secp256k1_ge_is_infinity(&res3));
2621 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2622 secp256k1_ge_set_gej(&res3, &res1);
2623 ge_equals_gej(&res3, point);
2624 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2625 secp256k1_ge_set_gej(&res3, &res1);
2626 ge_equals_ge(&res3, &secp256k1_ge_const_g);
2627 }
2628
2629 /* These scalars reach large (in absolute value) outputs when fed to secp256k1_scalar_split_lambda.
2630 *
2631 * They are computed as:
2632 * - For a in [-2, -1, 0, 1, 2]:
2633 * - For b in [-3, -1, 1, 3]:
2634 * - Output (a*LAMBDA + (ORDER+b)/2) % ORDER
2635 */
2636 static const secp256k1_scalar scalars_near_split_bounds[20] = {
2637 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fc),
2638 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fd),
2639 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6fe),
2640 SECP256K1_SCALAR_CONST(0xd938a566, 0x7f479e3e, 0xb5b3c7fa, 0xefdb3749, 0x3aa0585c, 0xc5ea2367, 0xe1b660db, 0x0209e6ff),
2641 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632d),
2642 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632e),
2643 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf7632f),
2644 SECP256K1_SCALAR_CONST(0x2c9c52b3, 0x3fa3cf1f, 0x5ad9e3fd, 0x77ed9ba5, 0xb294b893, 0x3722e9a5, 0x00e698ca, 0x4cf76330),
2645 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b209f),
2646 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a0),
2647 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a1),
2648 SECP256K1_SCALAR_CONST(0x7fffffff, 0xffffffff, 0xffffffff, 0xffffffff, 0xd576e735, 0x57a4501d, 0xdfe92f46, 0x681b20a2),
2649 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede11),
2650 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede12),
2651 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede13),
2652 SECP256K1_SCALAR_CONST(0xd363ad4c, 0xc05c30e0, 0xa5261c02, 0x88126459, 0xf85915d7, 0x7825b696, 0xbeebc5c2, 0x833ede14),
2653 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a42),
2654 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a43),
2655 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a44),
2656 SECP256K1_SCALAR_CONST(0x26c75a99, 0x80b861c1, 0x4a4c3805, 0x1024c8b4, 0x704d760e, 0xe95e7cd3, 0xde1bfdb1, 0xce2c5a45)
2657 };
2658
test_ecmult_target(const secp256k1_scalar * target,int mode)2659 void test_ecmult_target(const secp256k1_scalar* target, int mode) {
2660 /* Mode: 0=ecmult_gen, 1=ecmult, 2=ecmult_const */
2661 secp256k1_scalar n1, n2;
2662 secp256k1_ge p;
2663 secp256k1_gej pj, p1j, p2j, ptj;
2664 static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2665
2666 /* Generate random n1,n2 such that n1+n2 = -target. */
2667 random_scalar_order_test(&n1);
2668 secp256k1_scalar_add(&n2, &n1, target);
2669 secp256k1_scalar_negate(&n2, &n2);
2670
2671 /* Generate a random input point. */
2672 if (mode != 0) {
2673 random_group_element_test(&p);
2674 secp256k1_gej_set_ge(&pj, &p);
2675 }
2676
2677 /* EC multiplications */
2678 if (mode == 0) {
2679 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p1j, &n1);
2680 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &p2j, &n2);
2681 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &ptj, target);
2682 } else if (mode == 1) {
2683 secp256k1_ecmult(&ctx->ecmult_ctx, &p1j, &pj, &n1, &zero);
2684 secp256k1_ecmult(&ctx->ecmult_ctx, &p2j, &pj, &n2, &zero);
2685 secp256k1_ecmult(&ctx->ecmult_ctx, &ptj, &pj, target, &zero);
2686 } else {
2687 secp256k1_ecmult_const(&p1j, &p, &n1, 256);
2688 secp256k1_ecmult_const(&p2j, &p, &n2, 256);
2689 secp256k1_ecmult_const(&ptj, &p, target, 256);
2690 }
2691
2692 /* Add them all up: n1*P + n2*P + target*P = (n1+n2+target)*P = (n1+n1-n1-n2)*P = 0. */
2693 secp256k1_gej_add_var(&ptj, &ptj, &p1j, NULL);
2694 secp256k1_gej_add_var(&ptj, &ptj, &p2j, NULL);
2695 CHECK(secp256k1_gej_is_infinity(&ptj));
2696 }
2697
run_ecmult_near_split_bound(void)2698 void run_ecmult_near_split_bound(void) {
2699 int i;
2700 unsigned j;
2701 for (i = 0; i < 4*count; ++i) {
2702 for (j = 0; j < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++j) {
2703 test_ecmult_target(&scalars_near_split_bounds[j], 0);
2704 test_ecmult_target(&scalars_near_split_bounds[j], 1);
2705 test_ecmult_target(&scalars_near_split_bounds[j], 2);
2706 }
2707 }
2708 }
2709
run_point_times_order(void)2710 void run_point_times_order(void) {
2711 int i;
2712 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2713 static const secp256k1_fe xr = SECP256K1_FE_CONST(
2714 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2715 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2716 );
2717 for (i = 0; i < 500; i++) {
2718 secp256k1_ge p;
2719 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
2720 secp256k1_gej j;
2721 CHECK(secp256k1_ge_is_valid_var(&p));
2722 secp256k1_gej_set_ge(&j, &p);
2723 test_point_times_order(&j);
2724 }
2725 secp256k1_fe_sqr(&x, &x);
2726 }
2727 secp256k1_fe_normalize_var(&x);
2728 CHECK(secp256k1_fe_equal_var(&x, &xr));
2729 }
2730
ecmult_const_random_mult(void)2731 void ecmult_const_random_mult(void) {
2732 /* random starting point A (on the curve) */
2733 secp256k1_ge a = SECP256K1_GE_CONST(
2734 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2735 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2736 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2737 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2738 );
2739 /* random initial factor xn */
2740 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2741 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2742 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2743 );
2744 /* expected xn * A (from sage) */
2745 secp256k1_ge expected_b = SECP256K1_GE_CONST(
2746 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2747 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2748 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2749 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2750 );
2751 secp256k1_gej b;
2752 secp256k1_ecmult_const(&b, &a, &xn, 256);
2753
2754 CHECK(secp256k1_ge_is_valid_var(&a));
2755 ge_equals_gej(&expected_b, &b);
2756 }
2757
ecmult_const_commutativity(void)2758 void ecmult_const_commutativity(void) {
2759 secp256k1_scalar a;
2760 secp256k1_scalar b;
2761 secp256k1_gej res1;
2762 secp256k1_gej res2;
2763 secp256k1_ge mid1;
2764 secp256k1_ge mid2;
2765 random_scalar_order_test(&a);
2766 random_scalar_order_test(&b);
2767
2768 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
2769 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
2770 secp256k1_ge_set_gej(&mid1, &res1);
2771 secp256k1_ge_set_gej(&mid2, &res2);
2772 secp256k1_ecmult_const(&res1, &mid1, &b, 256);
2773 secp256k1_ecmult_const(&res2, &mid2, &a, 256);
2774 secp256k1_ge_set_gej(&mid1, &res1);
2775 secp256k1_ge_set_gej(&mid2, &res2);
2776 ge_equals_ge(&mid1, &mid2);
2777 }
2778
ecmult_const_mult_zero_one(void)2779 void ecmult_const_mult_zero_one(void) {
2780 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2781 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2782 secp256k1_scalar negone;
2783 secp256k1_gej res1;
2784 secp256k1_ge res2;
2785 secp256k1_ge point;
2786 secp256k1_scalar_negate(&negone, &one);
2787
2788 random_group_element_test(&point);
2789 secp256k1_ecmult_const(&res1, &point, &zero, 3);
2790 secp256k1_ge_set_gej(&res2, &res1);
2791 CHECK(secp256k1_ge_is_infinity(&res2));
2792 secp256k1_ecmult_const(&res1, &point, &one, 2);
2793 secp256k1_ge_set_gej(&res2, &res1);
2794 ge_equals_ge(&res2, &point);
2795 secp256k1_ecmult_const(&res1, &point, &negone, 256);
2796 secp256k1_gej_neg(&res1, &res1);
2797 secp256k1_ge_set_gej(&res2, &res1);
2798 ge_equals_ge(&res2, &point);
2799 }
2800
ecmult_const_chain_multiply(void)2801 void ecmult_const_chain_multiply(void) {
2802 /* Check known result (randomly generated test problem from sage) */
2803 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
2804 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2805 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2806 );
2807 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
2808 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2809 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2810 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2811 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2812 );
2813 secp256k1_gej point;
2814 secp256k1_ge res;
2815 int i;
2816
2817 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2818 for (i = 0; i < 100; ++i) {
2819 secp256k1_ge tmp;
2820 secp256k1_ge_set_gej(&tmp, &point);
2821 secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
2822 }
2823 secp256k1_ge_set_gej(&res, &point);
2824 ge_equals_gej(&res, &expected_point);
2825 }
2826
run_ecmult_const_tests(void)2827 void run_ecmult_const_tests(void) {
2828 ecmult_const_mult_zero_one();
2829 ecmult_const_random_mult();
2830 ecmult_const_commutativity();
2831 ecmult_const_chain_multiply();
2832 }
2833
2834 typedef struct {
2835 secp256k1_scalar *sc;
2836 secp256k1_ge *pt;
2837 } ecmult_multi_data;
2838
ecmult_multi_callback(secp256k1_scalar * sc,secp256k1_ge * pt,size_t idx,void * cbdata)2839 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2840 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
2841 *sc = data->sc[idx];
2842 *pt = data->pt[idx];
2843 return 1;
2844 }
2845
ecmult_multi_false_callback(secp256k1_scalar * sc,secp256k1_ge * pt,size_t idx,void * cbdata)2846 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2847 (void)sc;
2848 (void)pt;
2849 (void)idx;
2850 (void)cbdata;
2851 return 0;
2852 }
2853
test_ecmult_multi(secp256k1_scratch * scratch,secp256k1_ecmult_multi_func ecmult_multi)2854 void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
2855 int ncount;
2856 secp256k1_scalar szero;
2857 secp256k1_scalar sc[32];
2858 secp256k1_ge pt[32];
2859 secp256k1_gej r;
2860 secp256k1_gej r2;
2861 ecmult_multi_data data;
2862
2863 data.sc = sc;
2864 data.pt = pt;
2865 secp256k1_scalar_set_int(&szero, 0);
2866
2867 /* No points to multiply */
2868 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
2869
2870 /* Check 1- and 2-point multiplies against ecmult */
2871 for (ncount = 0; ncount < count; ncount++) {
2872 secp256k1_ge ptg;
2873 secp256k1_gej ptgj;
2874 random_scalar_order(&sc[0]);
2875 random_scalar_order(&sc[1]);
2876
2877 random_group_element_test(&ptg);
2878 secp256k1_gej_set_ge(&ptgj, &ptg);
2879 pt[0] = ptg;
2880 pt[1] = secp256k1_ge_const_g;
2881
2882 /* only G scalar */
2883 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
2884 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
2885 secp256k1_gej_neg(&r2, &r2);
2886 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2887 CHECK(secp256k1_gej_is_infinity(&r));
2888
2889 /* 1-point */
2890 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
2891 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
2892 secp256k1_gej_neg(&r2, &r2);
2893 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2894 CHECK(secp256k1_gej_is_infinity(&r));
2895
2896 /* Try to multiply 1 point, but callback returns false */
2897 CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
2898
2899 /* 2-point */
2900 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2901 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
2902 secp256k1_gej_neg(&r2, &r2);
2903 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2904 CHECK(secp256k1_gej_is_infinity(&r));
2905
2906 /* 2-point with G scalar */
2907 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2908 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
2909 secp256k1_gej_neg(&r2, &r2);
2910 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2911 CHECK(secp256k1_gej_is_infinity(&r));
2912 }
2913
2914 /* Check infinite outputs of various forms */
2915 for (ncount = 0; ncount < count; ncount++) {
2916 secp256k1_ge ptg;
2917 size_t i, j;
2918 size_t sizes[] = { 2, 10, 32 };
2919
2920 for (j = 0; j < 3; j++) {
2921 for (i = 0; i < 32; i++) {
2922 random_scalar_order(&sc[i]);
2923 secp256k1_ge_set_infinity(&pt[i]);
2924 }
2925 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2926 CHECK(secp256k1_gej_is_infinity(&r));
2927 }
2928
2929 for (j = 0; j < 3; j++) {
2930 for (i = 0; i < 32; i++) {
2931 random_group_element_test(&ptg);
2932 pt[i] = ptg;
2933 secp256k1_scalar_set_int(&sc[i], 0);
2934 }
2935 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2936 CHECK(secp256k1_gej_is_infinity(&r));
2937 }
2938
2939 for (j = 0; j < 3; j++) {
2940 random_group_element_test(&ptg);
2941 for (i = 0; i < 16; i++) {
2942 random_scalar_order(&sc[2*i]);
2943 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
2944 pt[2 * i] = ptg;
2945 pt[2 * i + 1] = ptg;
2946 }
2947
2948 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2949 CHECK(secp256k1_gej_is_infinity(&r));
2950
2951 random_scalar_order(&sc[0]);
2952 for (i = 0; i < 16; i++) {
2953 random_group_element_test(&ptg);
2954
2955 sc[2*i] = sc[0];
2956 sc[2*i+1] = sc[0];
2957 pt[2 * i] = ptg;
2958 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
2959 }
2960
2961 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2962 CHECK(secp256k1_gej_is_infinity(&r));
2963 }
2964
2965 random_group_element_test(&ptg);
2966 secp256k1_scalar_set_int(&sc[0], 0);
2967 pt[0] = ptg;
2968 for (i = 1; i < 32; i++) {
2969 pt[i] = ptg;
2970
2971 random_scalar_order(&sc[i]);
2972 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
2973 secp256k1_scalar_negate(&sc[i], &sc[i]);
2974 }
2975
2976 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
2977 CHECK(secp256k1_gej_is_infinity(&r));
2978 }
2979
2980 /* Check random points, constant scalar */
2981 for (ncount = 0; ncount < count; ncount++) {
2982 size_t i;
2983 secp256k1_gej_set_infinity(&r);
2984
2985 random_scalar_order(&sc[0]);
2986 for (i = 0; i < 20; i++) {
2987 secp256k1_ge ptg;
2988 sc[i] = sc[0];
2989 random_group_element_test(&ptg);
2990 pt[i] = ptg;
2991 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
2992 }
2993
2994 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
2995 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2996 secp256k1_gej_neg(&r2, &r2);
2997 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2998 CHECK(secp256k1_gej_is_infinity(&r));
2999 }
3000
3001 /* Check random scalars, constant point */
3002 for (ncount = 0; ncount < count; ncount++) {
3003 size_t i;
3004 secp256k1_ge ptg;
3005 secp256k1_gej p0j;
3006 secp256k1_scalar rs;
3007 secp256k1_scalar_set_int(&rs, 0);
3008
3009 random_group_element_test(&ptg);
3010 for (i = 0; i < 20; i++) {
3011 random_scalar_order(&sc[i]);
3012 pt[i] = ptg;
3013 secp256k1_scalar_add(&rs, &rs, &sc[i]);
3014 }
3015
3016 secp256k1_gej_set_ge(&p0j, &pt[0]);
3017 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
3018 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
3019 secp256k1_gej_neg(&r2, &r2);
3020 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3021 CHECK(secp256k1_gej_is_infinity(&r));
3022 }
3023
3024 /* Sanity check that zero scalars don't cause problems */
3025 for (ncount = 0; ncount < 20; ncount++) {
3026 random_scalar_order(&sc[ncount]);
3027 random_group_element_test(&pt[ncount]);
3028 }
3029
3030 secp256k1_scalar_clear(&sc[0]);
3031 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
3032 secp256k1_scalar_clear(&sc[1]);
3033 secp256k1_scalar_clear(&sc[2]);
3034 secp256k1_scalar_clear(&sc[3]);
3035 secp256k1_scalar_clear(&sc[4]);
3036 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
3037 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
3038 CHECK(secp256k1_gej_is_infinity(&r));
3039
3040 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
3041 {
3042 const size_t TOP = 8;
3043 size_t s0i, s1i;
3044 size_t t0i, t1i;
3045 secp256k1_ge ptg;
3046 secp256k1_gej ptgj;
3047
3048 random_group_element_test(&ptg);
3049 secp256k1_gej_set_ge(&ptgj, &ptg);
3050
3051 for(t0i = 0; t0i < TOP; t0i++) {
3052 for(t1i = 0; t1i < TOP; t1i++) {
3053 secp256k1_gej t0p, t1p;
3054 secp256k1_scalar t0, t1;
3055
3056 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
3057 secp256k1_scalar_cond_negate(&t0, t0i & 1);
3058 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
3059 secp256k1_scalar_cond_negate(&t1, t1i & 1);
3060
3061 secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
3062 secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
3063
3064 for(s0i = 0; s0i < TOP; s0i++) {
3065 for(s1i = 0; s1i < TOP; s1i++) {
3066 secp256k1_scalar tmp1, tmp2;
3067 secp256k1_gej expected, actual;
3068
3069 secp256k1_ge_set_gej(&pt[0], &t0p);
3070 secp256k1_ge_set_gej(&pt[1], &t1p);
3071
3072 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
3073 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
3074 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
3075 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
3076
3077 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
3078 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
3079 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
3080
3081 secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
3082 CHECK(ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
3083 secp256k1_gej_neg(&expected, &expected);
3084 secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
3085 CHECK(secp256k1_gej_is_infinity(&actual));
3086 }
3087 }
3088 }
3089 }
3090 }
3091 }
3092
test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi)3093 void test_ecmult_multi_batch_single(secp256k1_ecmult_multi_func ecmult_multi) {
3094 secp256k1_scalar szero;
3095 secp256k1_scalar sc;
3096 secp256k1_ge pt;
3097 secp256k1_gej r;
3098 ecmult_multi_data data;
3099 secp256k1_scratch *scratch_empty;
3100
3101 random_group_element_test(&pt);
3102 random_scalar_order(&sc);
3103 data.sc = ≻
3104 data.pt = &pt;
3105 secp256k1_scalar_set_int(&szero, 0);
3106
3107 /* Try to multiply 1 point, but scratch space is empty.*/
3108 scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
3109 CHECK(!ecmult_multi(&ctx->error_callback, &ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
3110 secp256k1_scratch_destroy(&ctx->error_callback, scratch_empty);
3111 }
3112
test_secp256k1_pippenger_bucket_window_inv(void)3113 void test_secp256k1_pippenger_bucket_window_inv(void) {
3114 int i;
3115
3116 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
3117 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
3118 /* Bucket_window of 8 is not used with endo */
3119 if (i == 8) {
3120 continue;
3121 }
3122 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
3123 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
3124 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
3125 }
3126 }
3127 }
3128
3129 /**
3130 * Probabilistically test the function returning the maximum number of possible points
3131 * for a given scratch space.
3132 */
test_ecmult_multi_pippenger_max_points(void)3133 void test_ecmult_multi_pippenger_max_points(void) {
3134 size_t scratch_size = secp256k1_testrand_int(256);
3135 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
3136 secp256k1_scratch *scratch;
3137 size_t n_points_supported;
3138 int bucket_window = 0;
3139
3140 for(; scratch_size < max_size; scratch_size+=256) {
3141 size_t i;
3142 size_t total_alloc;
3143 size_t checkpoint;
3144 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
3145 CHECK(scratch != NULL);
3146 checkpoint = secp256k1_scratch_checkpoint(&ctx->error_callback, scratch);
3147 n_points_supported = secp256k1_pippenger_max_points(&ctx->error_callback, scratch);
3148 if (n_points_supported == 0) {
3149 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3150 continue;
3151 }
3152 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
3153 /* allocate `total_alloc` bytes over `PIPPENGER_SCRATCH_OBJECTS` many allocations */
3154 total_alloc = secp256k1_pippenger_scratch_size(n_points_supported, bucket_window);
3155 for (i = 0; i < PIPPENGER_SCRATCH_OBJECTS - 1; i++) {
3156 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, 1));
3157 total_alloc--;
3158 }
3159 CHECK(secp256k1_scratch_alloc(&ctx->error_callback, scratch, total_alloc));
3160 secp256k1_scratch_apply_checkpoint(&ctx->error_callback, scratch, checkpoint);
3161 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3162 }
3163 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
3164 }
3165
test_ecmult_multi_batch_size_helper(void)3166 void test_ecmult_multi_batch_size_helper(void) {
3167 size_t n_batches, n_batch_points, max_n_batch_points, n;
3168
3169 max_n_batch_points = 0;
3170 n = 1;
3171 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
3172
3173 max_n_batch_points = 1;
3174 n = 0;
3175 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3176 CHECK(n_batches == 0);
3177 CHECK(n_batch_points == 0);
3178
3179 max_n_batch_points = 2;
3180 n = 5;
3181 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3182 CHECK(n_batches == 3);
3183 CHECK(n_batch_points == 2);
3184
3185 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
3186 n = ECMULT_MAX_POINTS_PER_BATCH;
3187 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3188 CHECK(n_batches == 1);
3189 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
3190
3191 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
3192 n = ECMULT_MAX_POINTS_PER_BATCH + 1;
3193 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3194 CHECK(n_batches == 2);
3195 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
3196
3197 max_n_batch_points = 1;
3198 n = SIZE_MAX;
3199 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3200 CHECK(n_batches == SIZE_MAX);
3201 CHECK(n_batch_points == 1);
3202
3203 max_n_batch_points = 2;
3204 n = SIZE_MAX;
3205 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
3206 CHECK(n_batches == SIZE_MAX/2 + 1);
3207 CHECK(n_batch_points == 2);
3208 }
3209
3210 /**
3211 * Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to
3212 * 1 <= i <= num points.
3213 */
test_ecmult_multi_batching(void)3214 void test_ecmult_multi_batching(void) {
3215 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
3216 secp256k1_scalar scG;
3217 secp256k1_scalar szero;
3218 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
3219 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
3220 secp256k1_gej r;
3221 secp256k1_gej r2;
3222 ecmult_multi_data data;
3223 int i;
3224 secp256k1_scratch *scratch;
3225
3226 secp256k1_gej_set_infinity(&r2);
3227 secp256k1_scalar_set_int(&szero, 0);
3228
3229 /* Get random scalars and group elements and compute result */
3230 random_scalar_order(&scG);
3231 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
3232 for(i = 0; i < n_points; i++) {
3233 secp256k1_ge ptg;
3234 secp256k1_gej ptgj;
3235 random_group_element_test(&ptg);
3236 secp256k1_gej_set_ge(&ptgj, &ptg);
3237 pt[i] = ptg;
3238 random_scalar_order(&sc[i]);
3239 secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
3240 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
3241 }
3242 data.sc = sc;
3243 data.pt = pt;
3244 secp256k1_gej_neg(&r2, &r2);
3245
3246 /* Test with empty scratch space. It should compute the correct result using
3247 * ecmult_mult_simple algorithm which doesn't require a scratch space. */
3248 scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
3249 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3250 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3251 CHECK(secp256k1_gej_is_infinity(&r));
3252 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3253
3254 /* Test with space for 1 point in pippenger. That's not enough because
3255 * ecmult_multi selects strauss which requires more memory. It should
3256 * therefore select the simple algorithm. */
3257 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
3258 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3259 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3260 CHECK(secp256k1_gej_is_infinity(&r));
3261 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3262
3263 for(i = 1; i <= n_points; i++) {
3264 if (i > ECMULT_PIPPENGER_THRESHOLD) {
3265 int bucket_window = secp256k1_pippenger_bucket_window(i);
3266 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
3267 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
3268 } else {
3269 size_t scratch_size = secp256k1_strauss_scratch_size(i);
3270 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
3271 }
3272 CHECK(secp256k1_ecmult_multi_var(&ctx->error_callback, &ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
3273 secp256k1_gej_add_var(&r, &r, &r2, NULL);
3274 CHECK(secp256k1_gej_is_infinity(&r));
3275 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3276 }
3277 free(sc);
3278 free(pt);
3279 }
3280
run_ecmult_multi_tests(void)3281 void run_ecmult_multi_tests(void) {
3282 secp256k1_scratch *scratch;
3283
3284 test_secp256k1_pippenger_bucket_window_inv();
3285 test_ecmult_multi_pippenger_max_points();
3286 scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
3287 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
3288 test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
3289 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
3290 test_ecmult_multi_batch_single(secp256k1_ecmult_pippenger_batch_single);
3291 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
3292 test_ecmult_multi_batch_single(secp256k1_ecmult_strauss_batch_single);
3293 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3294
3295 /* Run test_ecmult_multi with space for exactly one point */
3296 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
3297 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
3298 secp256k1_scratch_destroy(&ctx->error_callback, scratch);
3299
3300 test_ecmult_multi_batch_size_helper();
3301 test_ecmult_multi_batching();
3302 }
3303
test_wnaf(const secp256k1_scalar * number,int w)3304 void test_wnaf(const secp256k1_scalar *number, int w) {
3305 secp256k1_scalar x, two, t;
3306 int wnaf[256];
3307 int zeroes = -1;
3308 int i;
3309 int bits;
3310 secp256k1_scalar_set_int(&x, 0);
3311 secp256k1_scalar_set_int(&two, 2);
3312 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
3313 CHECK(bits <= 256);
3314 for (i = bits-1; i >= 0; i--) {
3315 int v = wnaf[i];
3316 secp256k1_scalar_mul(&x, &x, &two);
3317 if (v) {
3318 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
3319 zeroes=0;
3320 CHECK((v & 1) == 1); /* check non-zero elements are odd */
3321 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
3322 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
3323 } else {
3324 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
3325 zeroes++;
3326 }
3327 if (v >= 0) {
3328 secp256k1_scalar_set_int(&t, v);
3329 } else {
3330 secp256k1_scalar_set_int(&t, -v);
3331 secp256k1_scalar_negate(&t, &t);
3332 }
3333 secp256k1_scalar_add(&x, &x, &t);
3334 }
3335 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
3336 }
3337
test_constant_wnaf_negate(const secp256k1_scalar * number)3338 void test_constant_wnaf_negate(const secp256k1_scalar *number) {
3339 secp256k1_scalar neg1 = *number;
3340 secp256k1_scalar neg2 = *number;
3341 int sign1 = 1;
3342 int sign2 = 1;
3343
3344 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
3345 secp256k1_scalar_negate(&neg1, &neg1);
3346 sign1 = -1;
3347 }
3348 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
3349 CHECK(sign1 == sign2);
3350 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
3351 }
3352
test_constant_wnaf(const secp256k1_scalar * number,int w)3353 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
3354 secp256k1_scalar x, shift;
3355 int wnaf[256] = {0};
3356 int i;
3357 int skew;
3358 int bits = 256;
3359 secp256k1_scalar num = *number;
3360 secp256k1_scalar scalar_skew;
3361
3362 secp256k1_scalar_set_int(&x, 0);
3363 secp256k1_scalar_set_int(&shift, 1 << w);
3364 for (i = 0; i < 16; ++i) {
3365 secp256k1_scalar_shr_int(&num, 8);
3366 }
3367 bits = 128;
3368 skew = secp256k1_wnaf_const(wnaf, &num, w, bits);
3369
3370 for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
3371 secp256k1_scalar t;
3372 int v = wnaf[i];
3373 CHECK(v != 0); /* check nonzero */
3374 CHECK(v & 1); /* check parity */
3375 CHECK(v > -(1 << w)); /* check range above */
3376 CHECK(v < (1 << w)); /* check range below */
3377
3378 secp256k1_scalar_mul(&x, &x, &shift);
3379 if (v >= 0) {
3380 secp256k1_scalar_set_int(&t, v);
3381 } else {
3382 secp256k1_scalar_set_int(&t, -v);
3383 secp256k1_scalar_negate(&t, &t);
3384 }
3385 secp256k1_scalar_add(&x, &x, &t);
3386 }
3387 /* Skew num because when encoding numbers as odd we use an offset */
3388 secp256k1_scalar_set_int(&scalar_skew, 1 << (skew == 2));
3389 secp256k1_scalar_add(&num, &num, &scalar_skew);
3390 CHECK(secp256k1_scalar_eq(&x, &num));
3391 }
3392
test_fixed_wnaf(const secp256k1_scalar * number,int w)3393 void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
3394 secp256k1_scalar x, shift;
3395 int wnaf[256] = {0};
3396 int i;
3397 int skew;
3398 secp256k1_scalar num = *number;
3399
3400 secp256k1_scalar_set_int(&x, 0);
3401 secp256k1_scalar_set_int(&shift, 1 << w);
3402 for (i = 0; i < 16; ++i) {
3403 secp256k1_scalar_shr_int(&num, 8);
3404 }
3405 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3406
3407 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3408 secp256k1_scalar t;
3409 int v = wnaf[i];
3410 CHECK(v == 0 || v & 1); /* check parity */
3411 CHECK(v > -(1 << w)); /* check range above */
3412 CHECK(v < (1 << w)); /* check range below */
3413
3414 secp256k1_scalar_mul(&x, &x, &shift);
3415 if (v >= 0) {
3416 secp256k1_scalar_set_int(&t, v);
3417 } else {
3418 secp256k1_scalar_set_int(&t, -v);
3419 secp256k1_scalar_negate(&t, &t);
3420 }
3421 secp256k1_scalar_add(&x, &x, &t);
3422 }
3423 /* If skew is 1 then add 1 to num */
3424 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
3425 CHECK(secp256k1_scalar_eq(&x, &num));
3426 }
3427
3428 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
3429 * rest is 0.*/
test_fixed_wnaf_small_helper(int * wnaf,int * wnaf_expected,int w)3430 void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
3431 int i;
3432 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
3433 CHECK(wnaf[i] == 0);
3434 }
3435 for (i = 7; i >= 0; --i) {
3436 CHECK(wnaf[i] == wnaf_expected[i]);
3437 }
3438 }
3439
test_fixed_wnaf_small(void)3440 void test_fixed_wnaf_small(void) {
3441 int w = 4;
3442 int wnaf[256] = {0};
3443 int i;
3444 int skew;
3445 secp256k1_scalar num;
3446
3447 secp256k1_scalar_set_int(&num, 0);
3448 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3449 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3450 int v = wnaf[i];
3451 CHECK(v == 0);
3452 }
3453 CHECK(skew == 0);
3454
3455 secp256k1_scalar_set_int(&num, 1);
3456 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3457 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
3458 int v = wnaf[i];
3459 CHECK(v == 0);
3460 }
3461 CHECK(wnaf[0] == 1);
3462 CHECK(skew == 0);
3463
3464 {
3465 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
3466 secp256k1_scalar_set_int(&num, 0xffffffff);
3467 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3468 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3469 CHECK(skew == 0);
3470 }
3471 {
3472 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
3473 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
3474 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3475 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3476 CHECK(skew == 1);
3477 }
3478 {
3479 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
3480 secp256k1_scalar_set_int(&num, 0x01010101);
3481 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3482 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3483 CHECK(skew == 0);
3484 }
3485 {
3486 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
3487 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
3488 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3489 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3490 CHECK(skew == 0);
3491 }
3492 }
3493
run_wnaf(void)3494 void run_wnaf(void) {
3495 int i;
3496 secp256k1_scalar n = {{0}};
3497
3498 test_constant_wnaf(&n, 4);
3499 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
3500 * have easier-to-diagnose failure modes */
3501 n.d[0] = 1;
3502 test_constant_wnaf(&n, 4);
3503 n.d[0] = 2;
3504 test_constant_wnaf(&n, 4);
3505 /* Test -1, because it's a special case in wnaf_const */
3506 n = secp256k1_scalar_one;
3507 secp256k1_scalar_negate(&n, &n);
3508 test_constant_wnaf(&n, 4);
3509
3510 /* Test -2, which may not lead to overflows in wnaf_const */
3511 secp256k1_scalar_add(&n, &secp256k1_scalar_one, &secp256k1_scalar_one);
3512 secp256k1_scalar_negate(&n, &n);
3513 test_constant_wnaf(&n, 4);
3514
3515 /* Test (1/2) - 1 = 1/-2 and 1/2 = (1/-2) + 1
3516 as corner cases of negation handling in wnaf_const */
3517 secp256k1_scalar_inverse(&n, &n);
3518 test_constant_wnaf(&n, 4);
3519
3520 secp256k1_scalar_add(&n, &n, &secp256k1_scalar_one);
3521 test_constant_wnaf(&n, 4);
3522
3523 /* Test 0 for fixed wnaf */
3524 test_fixed_wnaf_small();
3525 /* Random tests */
3526 for (i = 0; i < count; i++) {
3527 random_scalar_order(&n);
3528 test_wnaf(&n, 4+(i%10));
3529 test_constant_wnaf_negate(&n);
3530 test_constant_wnaf(&n, 4 + (i % 10));
3531 test_fixed_wnaf(&n, 4 + (i % 10));
3532 }
3533 secp256k1_scalar_set_int(&n, 0);
3534 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
3535 CHECK(secp256k1_scalar_is_zero(&n));
3536 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
3537 CHECK(secp256k1_scalar_is_zero(&n));
3538 }
3539
test_ecmult_constants(void)3540 void test_ecmult_constants(void) {
3541 /* Test ecmult_gen() for [0..36) and [order-36..0). */
3542 secp256k1_scalar x;
3543 secp256k1_gej r;
3544 secp256k1_ge ng;
3545 int i;
3546 int j;
3547 secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
3548 for (i = 0; i < 36; i++ ) {
3549 secp256k1_scalar_set_int(&x, i);
3550 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3551 for (j = 0; j < i; j++) {
3552 if (j == i - 1) {
3553 ge_equals_gej(&secp256k1_ge_const_g, &r);
3554 }
3555 secp256k1_gej_add_ge(&r, &r, &ng);
3556 }
3557 CHECK(secp256k1_gej_is_infinity(&r));
3558 }
3559 for (i = 1; i <= 36; i++ ) {
3560 secp256k1_scalar_set_int(&x, i);
3561 secp256k1_scalar_negate(&x, &x);
3562 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3563 for (j = 0; j < i; j++) {
3564 if (j == i - 1) {
3565 ge_equals_gej(&ng, &r);
3566 }
3567 secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
3568 }
3569 CHECK(secp256k1_gej_is_infinity(&r));
3570 }
3571 }
3572
run_ecmult_constants(void)3573 void run_ecmult_constants(void) {
3574 test_ecmult_constants();
3575 }
3576
test_ecmult_gen_blind(void)3577 void test_ecmult_gen_blind(void) {
3578 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
3579 secp256k1_scalar key;
3580 secp256k1_scalar b;
3581 unsigned char seed32[32];
3582 secp256k1_gej pgej;
3583 secp256k1_gej pgej2;
3584 secp256k1_gej i;
3585 secp256k1_ge pge;
3586 random_scalar_order_test(&key);
3587 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
3588 secp256k1_testrand256(seed32);
3589 b = ctx->ecmult_gen_ctx.blind;
3590 i = ctx->ecmult_gen_ctx.initial;
3591 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
3592 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3593 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
3594 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
3595 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
3596 secp256k1_ge_set_gej(&pge, &pgej);
3597 ge_equals_gej(&pge, &pgej2);
3598 }
3599
test_ecmult_gen_blind_reset(void)3600 void test_ecmult_gen_blind_reset(void) {
3601 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
3602 secp256k1_scalar b;
3603 secp256k1_gej initial;
3604 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3605 b = ctx->ecmult_gen_ctx.blind;
3606 initial = ctx->ecmult_gen_ctx.initial;
3607 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3608 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3609 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
3610 }
3611
run_ecmult_gen_blind(void)3612 void run_ecmult_gen_blind(void) {
3613 int i;
3614 test_ecmult_gen_blind_reset();
3615 for (i = 0; i < 10; i++) {
3616 test_ecmult_gen_blind();
3617 }
3618 }
3619
3620 /***** ENDOMORPHISH TESTS *****/
test_scalar_split(const secp256k1_scalar * full)3621 void test_scalar_split(const secp256k1_scalar* full) {
3622 secp256k1_scalar s, s1, slam;
3623 const unsigned char zero[32] = {0};
3624 unsigned char tmp[32];
3625
3626 secp256k1_scalar_split_lambda(&s1, &slam, full);
3627
3628 /* check slam*lambda + s1 == full */
3629 secp256k1_scalar_mul(&s, &secp256k1_const_lambda, &slam);
3630 secp256k1_scalar_add(&s, &s, &s1);
3631 CHECK(secp256k1_scalar_eq(&s, full));
3632
3633 /* check that both are <= 128 bits in size */
3634 if (secp256k1_scalar_is_high(&s1)) {
3635 secp256k1_scalar_negate(&s1, &s1);
3636 }
3637 if (secp256k1_scalar_is_high(&slam)) {
3638 secp256k1_scalar_negate(&slam, &slam);
3639 }
3640
3641 secp256k1_scalar_get_b32(tmp, &s1);
3642 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
3643 secp256k1_scalar_get_b32(tmp, &slam);
3644 CHECK(secp256k1_memcmp_var(zero, tmp, 16) == 0);
3645 }
3646
3647
run_endomorphism_tests(void)3648 void run_endomorphism_tests(void) {
3649 unsigned i;
3650 static secp256k1_scalar s;
3651 test_scalar_split(&secp256k1_scalar_zero);
3652 test_scalar_split(&secp256k1_scalar_one);
3653 secp256k1_scalar_negate(&s,&secp256k1_scalar_one);
3654 test_scalar_split(&s);
3655 test_scalar_split(&secp256k1_const_lambda);
3656 secp256k1_scalar_add(&s, &secp256k1_const_lambda, &secp256k1_scalar_one);
3657 test_scalar_split(&s);
3658
3659 for (i = 0; i < 100U * count; ++i) {
3660 secp256k1_scalar full;
3661 random_scalar_order_test(&full);
3662 test_scalar_split(&full);
3663 }
3664 for (i = 0; i < sizeof(scalars_near_split_bounds) / sizeof(scalars_near_split_bounds[0]); ++i) {
3665 test_scalar_split(&scalars_near_split_bounds[i]);
3666 }
3667 }
3668
ec_pubkey_parse_pointtest(const unsigned char * input,int xvalid,int yvalid)3669 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
3670 unsigned char pubkeyc[65];
3671 secp256k1_pubkey pubkey;
3672 secp256k1_ge ge;
3673 size_t pubkeyclen;
3674 int32_t ecount;
3675 ecount = 0;
3676 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3677 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
3678 /* Smaller sizes are tested exhaustively elsewhere. */
3679 int32_t i;
3680 memcpy(&pubkeyc[1], input, 64);
3681 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
3682 for (i = 0; i < 256; i++) {
3683 /* Try all type bytes. */
3684 int xpass;
3685 int ypass;
3686 int ysign;
3687 pubkeyc[0] = i;
3688 /* What sign does this point have? */
3689 ysign = (input[63] & 1) + 2;
3690 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
3691 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
3692 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
3693 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
3694 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
3695 if (xpass || ypass) {
3696 /* These cases must parse. */
3697 unsigned char pubkeyo[65];
3698 size_t outl;
3699 memset(&pubkey, 0, sizeof(pubkey));
3700 VG_UNDEF(&pubkey, sizeof(pubkey));
3701 ecount = 0;
3702 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3703 VG_CHECK(&pubkey, sizeof(pubkey));
3704 outl = 65;
3705 VG_UNDEF(pubkeyo, 65);
3706 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3707 VG_CHECK(pubkeyo, outl);
3708 CHECK(outl == 33);
3709 CHECK(secp256k1_memcmp_var(&pubkeyo[1], &pubkeyc[1], 32) == 0);
3710 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
3711 if (ypass) {
3712 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
3713 CHECK(pubkeyo[0] == ysign);
3714 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3715 memset(&pubkey, 0, sizeof(pubkey));
3716 VG_UNDEF(&pubkey, sizeof(pubkey));
3717 secp256k1_pubkey_save(&pubkey, &ge);
3718 VG_CHECK(&pubkey, sizeof(pubkey));
3719 outl = 65;
3720 VG_UNDEF(pubkeyo, 65);
3721 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3722 VG_CHECK(pubkeyo, outl);
3723 CHECK(outl == 65);
3724 CHECK(pubkeyo[0] == 4);
3725 CHECK(secp256k1_memcmp_var(&pubkeyo[1], input, 64) == 0);
3726 }
3727 CHECK(ecount == 0);
3728 } else {
3729 /* These cases must fail to parse. */
3730 memset(&pubkey, 0xfe, sizeof(pubkey));
3731 ecount = 0;
3732 VG_UNDEF(&pubkey, sizeof(pubkey));
3733 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
3734 VG_CHECK(&pubkey, sizeof(pubkey));
3735 CHECK(ecount == 0);
3736 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3737 CHECK(ecount == 1);
3738 }
3739 }
3740 }
3741 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3742 }
3743
run_ec_pubkey_parse_test(void)3744 void run_ec_pubkey_parse_test(void) {
3745 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
3746 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
3747 {
3748 /* Point with leading and trailing zeros in x and y serialization. */
3749 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
3750 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3751 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
3752 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
3753 },
3754 {
3755 /* Point with x equal to a 3rd root of unity.*/
3756 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
3757 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
3758 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3759 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3760 },
3761 {
3762 /* Point with largest x. (1/2) */
3763 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3764 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3765 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
3766 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
3767 },
3768 {
3769 /* Point with largest x. (2/2) */
3770 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3771 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3772 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
3773 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
3774 },
3775 {
3776 /* Point with smallest x. (1/2) */
3777 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3778 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3779 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3780 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3781 },
3782 {
3783 /* Point with smallest x. (2/2) */
3784 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3785 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3786 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3787 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3788 },
3789 {
3790 /* Point with largest y. (1/3) */
3791 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3792 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3793 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3794 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3795 },
3796 {
3797 /* Point with largest y. (2/3) */
3798 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3799 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3800 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3801 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3802 },
3803 {
3804 /* Point with largest y. (3/3) */
3805 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3806 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3807 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3808 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3809 },
3810 {
3811 /* Point with smallest y. (1/3) */
3812 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3813 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3814 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3815 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3816 },
3817 {
3818 /* Point with smallest y. (2/3) */
3819 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3820 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3821 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3822 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3823 },
3824 {
3825 /* Point with smallest y. (3/3) */
3826 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3827 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3828 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3829 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
3830 }
3831 };
3832 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
3833 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
3834 {
3835 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
3836 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3837 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3838 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3839 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3840 },
3841 {
3842 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
3843 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3844 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3845 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3846 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3847 },
3848 {
3849 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
3850 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3851 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3852 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3853 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3854 },
3855 {
3856 /* x on curve, y is from y^2 = x^3 + 8. */
3857 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3858 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3859 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3860 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
3861 }
3862 };
3863 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
3864 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
3865 {
3866 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
3867 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
3868 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
3869 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3870 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3871 },
3872 {
3873 /* Valid if x overflow ignored (x = 1 mod p). */
3874 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3875 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3876 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3877 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3878 },
3879 {
3880 /* Valid if x overflow ignored (x = 1 mod p). */
3881 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3882 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3883 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3884 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3885 },
3886 {
3887 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3888 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3889 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3890 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
3891 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
3892 },
3893 {
3894 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3895 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3896 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3897 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
3898 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
3899 },
3900 {
3901 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3902 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3903 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3904 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
3905 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
3906 },
3907 {
3908 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3909 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3910 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3911 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
3912 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
3913 }
3914 };
3915 const unsigned char pubkeyc[66] = {
3916 /* Serialization of G. */
3917 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
3918 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
3919 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
3920 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
3921 0xB8, 0x00
3922 };
3923 unsigned char sout[65];
3924 unsigned char shortkey[2];
3925 secp256k1_ge ge;
3926 secp256k1_pubkey pubkey;
3927 size_t len;
3928 int32_t i;
3929 int32_t ecount;
3930 int32_t ecount2;
3931 ecount = 0;
3932 /* Nothing should be reading this far into pubkeyc. */
3933 VG_UNDEF(&pubkeyc[65], 1);
3934 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3935 /* Zero length claimed, fail, zeroize, no illegal arg error. */
3936 memset(&pubkey, 0xfe, sizeof(pubkey));
3937 ecount = 0;
3938 VG_UNDEF(shortkey, 2);
3939 VG_UNDEF(&pubkey, sizeof(pubkey));
3940 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
3941 VG_CHECK(&pubkey, sizeof(pubkey));
3942 CHECK(ecount == 0);
3943 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3944 CHECK(ecount == 1);
3945 /* Length one claimed, fail, zeroize, no illegal arg error. */
3946 for (i = 0; i < 256 ; i++) {
3947 memset(&pubkey, 0xfe, sizeof(pubkey));
3948 ecount = 0;
3949 shortkey[0] = i;
3950 VG_UNDEF(&shortkey[1], 1);
3951 VG_UNDEF(&pubkey, sizeof(pubkey));
3952 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
3953 VG_CHECK(&pubkey, sizeof(pubkey));
3954 CHECK(ecount == 0);
3955 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3956 CHECK(ecount == 1);
3957 }
3958 /* Length two claimed, fail, zeroize, no illegal arg error. */
3959 for (i = 0; i < 65536 ; i++) {
3960 memset(&pubkey, 0xfe, sizeof(pubkey));
3961 ecount = 0;
3962 shortkey[0] = i & 255;
3963 shortkey[1] = i >> 8;
3964 VG_UNDEF(&pubkey, sizeof(pubkey));
3965 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
3966 VG_CHECK(&pubkey, sizeof(pubkey));
3967 CHECK(ecount == 0);
3968 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3969 CHECK(ecount == 1);
3970 }
3971 memset(&pubkey, 0xfe, sizeof(pubkey));
3972 ecount = 0;
3973 VG_UNDEF(&pubkey, sizeof(pubkey));
3974 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
3975 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
3976 VG_CHECK(&pubkey, sizeof(pubkey));
3977 CHECK(ecount == 0);
3978 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3979 CHECK(ecount == 1);
3980 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
3981 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
3982 CHECK(ecount == 2);
3983 /* NULL input string. Illegal arg and zeroize output. */
3984 memset(&pubkey, 0xfe, sizeof(pubkey));
3985 ecount = 0;
3986 VG_UNDEF(&pubkey, sizeof(pubkey));
3987 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
3988 VG_CHECK(&pubkey, sizeof(pubkey));
3989 CHECK(ecount == 1);
3990 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3991 CHECK(ecount == 2);
3992 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
3993 memset(&pubkey, 0xfe, sizeof(pubkey));
3994 ecount = 0;
3995 VG_UNDEF(&pubkey, sizeof(pubkey));
3996 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
3997 VG_CHECK(&pubkey, sizeof(pubkey));
3998 CHECK(ecount == 0);
3999 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4000 CHECK(ecount == 1);
4001 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
4002 memset(&pubkey, 0xfe, sizeof(pubkey));
4003 ecount = 0;
4004 VG_UNDEF(&pubkey, sizeof(pubkey));
4005 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
4006 VG_CHECK(&pubkey, sizeof(pubkey));
4007 CHECK(ecount == 0);
4008 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
4009 CHECK(ecount == 1);
4010 /* Valid parse. */
4011 memset(&pubkey, 0, sizeof(pubkey));
4012 ecount = 0;
4013 VG_UNDEF(&pubkey, sizeof(pubkey));
4014 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
4015 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
4016 VG_CHECK(&pubkey, sizeof(pubkey));
4017 CHECK(ecount == 0);
4018 VG_UNDEF(&ge, sizeof(ge));
4019 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
4020 VG_CHECK(&ge.x, sizeof(ge.x));
4021 VG_CHECK(&ge.y, sizeof(ge.y));
4022 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
4023 ge_equals_ge(&secp256k1_ge_const_g, &ge);
4024 CHECK(ecount == 0);
4025 /* secp256k1_ec_pubkey_serialize illegal args. */
4026 ecount = 0;
4027 len = 65;
4028 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
4029 CHECK(ecount == 1);
4030 CHECK(len == 0);
4031 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
4032 CHECK(ecount == 2);
4033 len = 65;
4034 VG_UNDEF(sout, 65);
4035 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
4036 VG_CHECK(sout, 65);
4037 CHECK(ecount == 3);
4038 CHECK(len == 0);
4039 len = 65;
4040 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
4041 CHECK(ecount == 4);
4042 CHECK(len == 0);
4043 len = 65;
4044 VG_UNDEF(sout, 65);
4045 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
4046 VG_CHECK(sout, 65);
4047 CHECK(ecount == 4);
4048 CHECK(len == 65);
4049 /* Multiple illegal args. Should still set arg error only once. */
4050 ecount = 0;
4051 ecount2 = 11;
4052 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
4053 CHECK(ecount == 1);
4054 /* Does the illegal arg callback actually change the behavior? */
4055 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
4056 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
4057 CHECK(ecount == 1);
4058 CHECK(ecount2 == 10);
4059 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4060 /* Try a bunch of prefabbed points with all possible encodings. */
4061 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
4062 ec_pubkey_parse_pointtest(valid[i], 1, 1);
4063 }
4064 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
4065 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
4066 }
4067 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
4068 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
4069 }
4070 }
4071
run_eckey_edge_case_test(void)4072 void run_eckey_edge_case_test(void) {
4073 const unsigned char orderc[32] = {
4074 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4075 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4076 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4077 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
4078 };
4079 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
4080 unsigned char ctmp[33];
4081 unsigned char ctmp2[33];
4082 secp256k1_pubkey pubkey;
4083 secp256k1_pubkey pubkey2;
4084 secp256k1_pubkey pubkey_one;
4085 secp256k1_pubkey pubkey_negone;
4086 const secp256k1_pubkey *pubkeys[3];
4087 size_t len;
4088 int32_t ecount;
4089 /* Group order is too large, reject. */
4090 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
4091 VG_UNDEF(&pubkey, sizeof(pubkey));
4092 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
4093 VG_CHECK(&pubkey, sizeof(pubkey));
4094 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4095 /* Maximum value is too large, reject. */
4096 memset(ctmp, 255, 32);
4097 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4098 memset(&pubkey, 1, sizeof(pubkey));
4099 VG_UNDEF(&pubkey, sizeof(pubkey));
4100 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4101 VG_CHECK(&pubkey, sizeof(pubkey));
4102 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4103 /* Zero is too small, reject. */
4104 memset(ctmp, 0, 32);
4105 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4106 memset(&pubkey, 1, sizeof(pubkey));
4107 VG_UNDEF(&pubkey, sizeof(pubkey));
4108 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4109 VG_CHECK(&pubkey, sizeof(pubkey));
4110 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4111 /* One must be accepted. */
4112 ctmp[31] = 0x01;
4113 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4114 memset(&pubkey, 0, sizeof(pubkey));
4115 VG_UNDEF(&pubkey, sizeof(pubkey));
4116 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
4117 VG_CHECK(&pubkey, sizeof(pubkey));
4118 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4119 pubkey_one = pubkey;
4120 /* Group order + 1 is too large, reject. */
4121 memcpy(ctmp, orderc, 32);
4122 ctmp[31] = 0x42;
4123 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4124 memset(&pubkey, 1, sizeof(pubkey));
4125 VG_UNDEF(&pubkey, sizeof(pubkey));
4126 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
4127 VG_CHECK(&pubkey, sizeof(pubkey));
4128 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4129 /* -1 must be accepted. */
4130 ctmp[31] = 0x40;
4131 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4132 memset(&pubkey, 0, sizeof(pubkey));
4133 VG_UNDEF(&pubkey, sizeof(pubkey));
4134 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
4135 VG_CHECK(&pubkey, sizeof(pubkey));
4136 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4137 pubkey_negone = pubkey;
4138 /* Tweak of zero leaves the value unchanged. */
4139 memset(ctmp2, 0, 32);
4140 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 1);
4141 CHECK(secp256k1_memcmp_var(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
4142 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
4143 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4144 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4145 /* Multiply tweak of zero zeroizes the output. */
4146 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
4147 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4148 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
4149 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4150 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4151 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
4152 seckey, the seckey is zeroized. */
4153 memcpy(ctmp, orderc, 32);
4154 memset(ctmp2, 0, 32);
4155 ctmp2[31] = 0x01;
4156 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp2) == 1);
4157 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
4158 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, ctmp2) == 0);
4159 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4160 memcpy(ctmp, orderc, 32);
4161 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, ctmp2) == 0);
4162 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4163 /* If seckey_tweak_add or seckey_tweak_mul are called with an overflowing
4164 tweak, the seckey is zeroized. */
4165 memcpy(ctmp, orderc, 32);
4166 ctmp[31] = 0x40;
4167 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, orderc) == 0);
4168 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4169 memcpy(ctmp, orderc, 32);
4170 ctmp[31] = 0x40;
4171 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, orderc) == 0);
4172 CHECK(secp256k1_memcmp_var(zeros, ctmp, 32) == 0);
4173 memcpy(ctmp, orderc, 32);
4174 ctmp[31] = 0x40;
4175 /* If pubkey_tweak_add or pubkey_tweak_mul are called with an overflowing
4176 tweak, the pubkey is zeroized. */
4177 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
4178 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4179 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4180 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
4181 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4182 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4183 /* If the resulting key in secp256k1_ec_seckey_tweak_add and
4184 * secp256k1_ec_pubkey_tweak_add is 0 the functions fail and in the latter
4185 * case the pubkey is zeroized. */
4186 memcpy(ctmp, orderc, 32);
4187 ctmp[31] = 0x40;
4188 memset(ctmp2, 0, 32);
4189 ctmp2[31] = 1;
4190 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 0);
4191 CHECK(secp256k1_memcmp_var(zeros, ctmp2, 32) == 0);
4192 ctmp2[31] = 1;
4193 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
4194 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4195 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4196 /* Tweak computation wraps and results in a key of 1. */
4197 ctmp2[31] = 2;
4198 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp2, ctmp) == 1);
4199 CHECK(secp256k1_memcmp_var(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
4200 ctmp2[31] = 2;
4201 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4202 ctmp2[31] = 1;
4203 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
4204 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4205 /* Tweak mul * 2 = 1+1. */
4206 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
4207 ctmp2[31] = 2;
4208 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
4209 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4210 /* Test argument errors. */
4211 ecount = 0;
4212 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4213 CHECK(ecount == 0);
4214 /* Zeroize pubkey on parse error. */
4215 memset(&pubkey, 0, 32);
4216 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
4217 CHECK(ecount == 1);
4218 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(pubkey)) == 0);
4219 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
4220 memset(&pubkey2, 0, 32);
4221 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
4222 CHECK(ecount == 2);
4223 CHECK(secp256k1_memcmp_var(&pubkey2, zeros, sizeof(pubkey2)) == 0);
4224 /* Plain argument errors. */
4225 ecount = 0;
4226 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
4227 CHECK(ecount == 0);
4228 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
4229 CHECK(ecount == 1);
4230 ecount = 0;
4231 memset(ctmp2, 0, 32);
4232 ctmp2[31] = 4;
4233 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
4234 CHECK(ecount == 1);
4235 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
4236 CHECK(ecount == 2);
4237 ecount = 0;
4238 memset(ctmp2, 0, 32);
4239 ctmp2[31] = 4;
4240 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
4241 CHECK(ecount == 1);
4242 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
4243 CHECK(ecount == 2);
4244 ecount = 0;
4245 memset(ctmp2, 0, 32);
4246 CHECK(secp256k1_ec_seckey_tweak_add(ctx, NULL, ctmp2) == 0);
4247 CHECK(ecount == 1);
4248 CHECK(secp256k1_ec_seckey_tweak_add(ctx, ctmp, NULL) == 0);
4249 CHECK(ecount == 2);
4250 ecount = 0;
4251 memset(ctmp2, 0, 32);
4252 ctmp2[31] = 1;
4253 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, NULL, ctmp2) == 0);
4254 CHECK(ecount == 1);
4255 CHECK(secp256k1_ec_seckey_tweak_mul(ctx, ctmp, NULL) == 0);
4256 CHECK(ecount == 2);
4257 ecount = 0;
4258 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
4259 CHECK(ecount == 1);
4260 memset(&pubkey, 1, sizeof(pubkey));
4261 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4262 CHECK(ecount == 2);
4263 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4264 /* secp256k1_ec_pubkey_combine tests. */
4265 ecount = 0;
4266 pubkeys[0] = &pubkey_one;
4267 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
4268 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
4269 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
4270 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4271 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4272 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
4273 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4274 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4275 CHECK(ecount == 1);
4276 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
4277 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4278 CHECK(ecount == 2);
4279 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4280 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4281 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
4282 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4283 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4284 CHECK(ecount == 3);
4285 pubkeys[0] = &pubkey_negone;
4286 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4287 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4288 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
4289 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4290 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4291 CHECK(ecount == 3);
4292 len = 33;
4293 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4294 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
4295 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
4296 /* Result is infinity. */
4297 pubkeys[0] = &pubkey_one;
4298 pubkeys[1] = &pubkey_negone;
4299 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4300 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4301 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
4302 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4303 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
4304 CHECK(ecount == 3);
4305 /* Passes through infinity but comes out one. */
4306 pubkeys[2] = &pubkey_one;
4307 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4308 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4309 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
4310 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4311 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4312 CHECK(ecount == 3);
4313 len = 33;
4314 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
4315 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
4316 CHECK(secp256k1_memcmp_var(ctmp, ctmp2, 33) == 0);
4317 /* Adds to two. */
4318 pubkeys[1] = &pubkey_one;
4319 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
4320 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
4321 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
4322 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
4323 CHECK(secp256k1_memcmp_var(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
4324 CHECK(ecount == 3);
4325 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4326 }
4327
run_eckey_negate_test(void)4328 void run_eckey_negate_test(void) {
4329 unsigned char seckey[32];
4330 unsigned char seckey_tmp[32];
4331
4332 random_scalar_order_b32(seckey);
4333 memcpy(seckey_tmp, seckey, 32);
4334
4335 /* Verify negation changes the key and changes it back */
4336 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4337 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) != 0);
4338 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4339 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4340
4341 /* Check that privkey alias gives same result */
4342 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 1);
4343 CHECK(secp256k1_ec_privkey_negate(ctx, seckey_tmp) == 1);
4344 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4345
4346 /* Negating all 0s fails */
4347 memset(seckey, 0, 32);
4348 memset(seckey_tmp, 0, 32);
4349 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
4350 /* Check that seckey is not modified */
4351 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4352
4353 /* Negating an overflowing seckey fails and the seckey is zeroed. In this
4354 * test, the seckey has 16 random bytes to ensure that ec_seckey_negate
4355 * doesn't just set seckey to a constant value in case of failure. */
4356 random_scalar_order_b32(seckey);
4357 memset(seckey, 0xFF, 16);
4358 memset(seckey_tmp, 0, 32);
4359 CHECK(secp256k1_ec_seckey_negate(ctx, seckey) == 0);
4360 CHECK(secp256k1_memcmp_var(seckey, seckey_tmp, 32) == 0);
4361 }
4362
random_sign(secp256k1_scalar * sigr,secp256k1_scalar * sigs,const secp256k1_scalar * key,const secp256k1_scalar * msg,int * recid)4363 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
4364 secp256k1_scalar nonce;
4365 do {
4366 random_scalar_order_test(&nonce);
4367 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
4368 }
4369
test_ecdsa_sign_verify(void)4370 void test_ecdsa_sign_verify(void) {
4371 secp256k1_gej pubj;
4372 secp256k1_ge pub;
4373 secp256k1_scalar one;
4374 secp256k1_scalar msg, key;
4375 secp256k1_scalar sigr, sigs;
4376 int recid;
4377 int getrec;
4378 random_scalar_order_test(&msg);
4379 random_scalar_order_test(&key);
4380 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
4381 secp256k1_ge_set_gej(&pub, &pubj);
4382 getrec = secp256k1_testrand_bits(1);
4383 random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
4384 if (getrec) {
4385 CHECK(recid >= 0 && recid < 4);
4386 }
4387 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
4388 secp256k1_scalar_set_int(&one, 1);
4389 secp256k1_scalar_add(&msg, &msg, &one);
4390 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
4391 }
4392
run_ecdsa_sign_verify(void)4393 void run_ecdsa_sign_verify(void) {
4394 int i;
4395 for (i = 0; i < 10*count; i++) {
4396 test_ecdsa_sign_verify();
4397 }
4398 }
4399
4400 /** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
precomputed_nonce_function(unsigned char * nonce32,const unsigned char * msg32,const unsigned char * key32,const unsigned char * algo16,void * data,unsigned int counter)4401 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4402 (void)msg32;
4403 (void)key32;
4404 (void)algo16;
4405 memcpy(nonce32, data, 32);
4406 return (counter == 0);
4407 }
4408
nonce_function_test_fail(unsigned char * nonce32,const unsigned char * msg32,const unsigned char * key32,const unsigned char * algo16,void * data,unsigned int counter)4409 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4410 /* Dummy nonce generator that has a fatal error on the first counter value. */
4411 if (counter == 0) {
4412 return 0;
4413 }
4414 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
4415 }
4416
nonce_function_test_retry(unsigned char * nonce32,const unsigned char * msg32,const unsigned char * key32,const unsigned char * algo16,void * data,unsigned int counter)4417 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4418 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
4419 if (counter < 3) {
4420 memset(nonce32, counter==0 ? 0 : 255, 32);
4421 if (counter == 2) {
4422 nonce32[31]--;
4423 }
4424 return 1;
4425 }
4426 if (counter < 5) {
4427 static const unsigned char order[] = {
4428 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4429 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4430 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4431 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
4432 };
4433 memcpy(nonce32, order, 32);
4434 if (counter == 4) {
4435 nonce32[31]++;
4436 }
4437 return 1;
4438 }
4439 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
4440 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
4441 if (counter > 5) {
4442 return 0;
4443 }
4444 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
4445 }
4446
is_empty_signature(const secp256k1_ecdsa_signature * sig)4447 int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
4448 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
4449 return secp256k1_memcmp_var(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
4450 }
4451
test_ecdsa_end_to_end(void)4452 void test_ecdsa_end_to_end(void) {
4453 unsigned char extra[32] = {0x00};
4454 unsigned char privkey[32];
4455 unsigned char message[32];
4456 unsigned char privkey2[32];
4457 secp256k1_ecdsa_signature signature[6];
4458 secp256k1_scalar r, s;
4459 unsigned char sig[74];
4460 size_t siglen = 74;
4461 unsigned char pubkeyc[65];
4462 size_t pubkeyclen = 65;
4463 secp256k1_pubkey pubkey;
4464 secp256k1_pubkey pubkey_tmp;
4465 unsigned char seckey[300];
4466 size_t seckeylen = 300;
4467
4468 /* Generate a random key and message. */
4469 {
4470 secp256k1_scalar msg, key;
4471 random_scalar_order_test(&msg);
4472 random_scalar_order_test(&key);
4473 secp256k1_scalar_get_b32(privkey, &key);
4474 secp256k1_scalar_get_b32(message, &msg);
4475 }
4476
4477 /* Construct and verify corresponding public key. */
4478 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
4479 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
4480
4481 /* Verify exporting and importing public key. */
4482 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_testrand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
4483 memset(&pubkey, 0, sizeof(pubkey));
4484 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
4485
4486 /* Verify negation changes the key and changes it back */
4487 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
4488 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4489 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
4490 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4491 CHECK(secp256k1_memcmp_var(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
4492
4493 /* Verify private key import and export. */
4494 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_testrand_bits(1) == 1));
4495 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
4496 CHECK(secp256k1_memcmp_var(privkey, privkey2, 32) == 0);
4497
4498 /* Optionally tweak the keys using addition. */
4499 if (secp256k1_testrand_int(3) == 0) {
4500 int ret1;
4501 int ret2;
4502 int ret3;
4503 unsigned char rnd[32];
4504 unsigned char privkey_tmp[32];
4505 secp256k1_pubkey pubkey2;
4506 secp256k1_testrand256_test(rnd);
4507 memcpy(privkey_tmp, privkey, 32);
4508 ret1 = secp256k1_ec_seckey_tweak_add(ctx, privkey, rnd);
4509 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
4510 /* Check that privkey alias gives same result */
4511 ret3 = secp256k1_ec_privkey_tweak_add(ctx, privkey_tmp, rnd);
4512 CHECK(ret1 == ret2);
4513 CHECK(ret2 == ret3);
4514 if (ret1 == 0) {
4515 return;
4516 }
4517 CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
4518 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4519 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4520 }
4521
4522 /* Optionally tweak the keys using multiplication. */
4523 if (secp256k1_testrand_int(3) == 0) {
4524 int ret1;
4525 int ret2;
4526 int ret3;
4527 unsigned char rnd[32];
4528 unsigned char privkey_tmp[32];
4529 secp256k1_pubkey pubkey2;
4530 secp256k1_testrand256_test(rnd);
4531 memcpy(privkey_tmp, privkey, 32);
4532 ret1 = secp256k1_ec_seckey_tweak_mul(ctx, privkey, rnd);
4533 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
4534 /* Check that privkey alias gives same result */
4535 ret3 = secp256k1_ec_privkey_tweak_mul(ctx, privkey_tmp, rnd);
4536 CHECK(ret1 == ret2);
4537 CHECK(ret2 == ret3);
4538 if (ret1 == 0) {
4539 return;
4540 }
4541 CHECK(secp256k1_memcmp_var(privkey, privkey_tmp, 32) == 0);
4542 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4543 CHECK(secp256k1_memcmp_var(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4544 }
4545
4546 /* Sign. */
4547 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
4548 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
4549 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
4550 extra[31] = 1;
4551 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
4552 extra[31] = 0;
4553 extra[0] = 1;
4554 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
4555 CHECK(secp256k1_memcmp_var(&signature[0], &signature[4], sizeof(signature[0])) == 0);
4556 CHECK(secp256k1_memcmp_var(&signature[0], &signature[1], sizeof(signature[0])) != 0);
4557 CHECK(secp256k1_memcmp_var(&signature[0], &signature[2], sizeof(signature[0])) != 0);
4558 CHECK(secp256k1_memcmp_var(&signature[0], &signature[3], sizeof(signature[0])) != 0);
4559 CHECK(secp256k1_memcmp_var(&signature[1], &signature[2], sizeof(signature[0])) != 0);
4560 CHECK(secp256k1_memcmp_var(&signature[1], &signature[3], sizeof(signature[0])) != 0);
4561 CHECK(secp256k1_memcmp_var(&signature[2], &signature[3], sizeof(signature[0])) != 0);
4562 /* Verify. */
4563 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4564 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
4565 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
4566 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
4567 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
4568 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
4569 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
4570 secp256k1_scalar_negate(&s, &s);
4571 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4572 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
4573 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4574 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4575 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4576 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4577 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4578 secp256k1_scalar_negate(&s, &s);
4579 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4580 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4581 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4582 CHECK(secp256k1_memcmp_var(&signature[5], &signature[0], 64) == 0);
4583
4584 /* Serialize/parse DER and verify again */
4585 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4586 memset(&signature[0], 0, sizeof(signature[0]));
4587 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
4588 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4589 /* Serialize/destroy/parse DER and verify again. */
4590 siglen = 74;
4591 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4592 sig[secp256k1_testrand_int(siglen)] += 1 + secp256k1_testrand_int(255);
4593 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
4594 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
4595 }
4596
test_random_pubkeys(void)4597 void test_random_pubkeys(void) {
4598 secp256k1_ge elem;
4599 secp256k1_ge elem2;
4600 unsigned char in[65];
4601 /* Generate some randomly sized pubkeys. */
4602 size_t len = secp256k1_testrand_bits(2) == 0 ? 65 : 33;
4603 if (secp256k1_testrand_bits(2) == 0) {
4604 len = secp256k1_testrand_bits(6);
4605 }
4606 if (len == 65) {
4607 in[0] = secp256k1_testrand_bits(1) ? 4 : (secp256k1_testrand_bits(1) ? 6 : 7);
4608 } else {
4609 in[0] = secp256k1_testrand_bits(1) ? 2 : 3;
4610 }
4611 if (secp256k1_testrand_bits(3) == 0) {
4612 in[0] = secp256k1_testrand_bits(8);
4613 }
4614 if (len > 1) {
4615 secp256k1_testrand256(&in[1]);
4616 }
4617 if (len > 33) {
4618 secp256k1_testrand256(&in[33]);
4619 }
4620 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
4621 unsigned char out[65];
4622 unsigned char firstb;
4623 int res;
4624 size_t size = len;
4625 firstb = in[0];
4626 /* If the pubkey can be parsed, it should round-trip... */
4627 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
4628 CHECK(size == len);
4629 CHECK(secp256k1_memcmp_var(&in[1], &out[1], len-1) == 0);
4630 /* ... except for the type of hybrid inputs. */
4631 if ((in[0] != 6) && (in[0] != 7)) {
4632 CHECK(in[0] == out[0]);
4633 }
4634 size = 65;
4635 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
4636 CHECK(size == 65);
4637 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
4638 ge_equals_ge(&elem,&elem2);
4639 /* Check that the X9.62 hybrid type is checked. */
4640 in[0] = secp256k1_testrand_bits(1) ? 6 : 7;
4641 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
4642 if (firstb == 2 || firstb == 3) {
4643 if (in[0] == firstb + 4) {
4644 CHECK(res);
4645 } else {
4646 CHECK(!res);
4647 }
4648 }
4649 if (res) {
4650 ge_equals_ge(&elem,&elem2);
4651 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
4652 CHECK(secp256k1_memcmp_var(&in[1], &out[1], 64) == 0);
4653 }
4654 }
4655 }
4656
run_random_pubkeys(void)4657 void run_random_pubkeys(void) {
4658 int i;
4659 for (i = 0; i < 10*count; i++) {
4660 test_random_pubkeys();
4661 }
4662 }
4663
run_ecdsa_end_to_end(void)4664 void run_ecdsa_end_to_end(void) {
4665 int i;
4666 for (i = 0; i < 64*count; i++) {
4667 test_ecdsa_end_to_end();
4668 }
4669 }
4670
test_ecdsa_der_parse(const unsigned char * sig,size_t siglen,int certainly_der,int certainly_not_der)4671 int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
4672 static const unsigned char zeroes[32] = {0};
4673 #ifdef ENABLE_OPENSSL_TESTS
4674 static const unsigned char max_scalar[32] = {
4675 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4676 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4677 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4678 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
4679 };
4680 #endif
4681
4682 int ret = 0;
4683
4684 secp256k1_ecdsa_signature sig_der;
4685 unsigned char roundtrip_der[2048];
4686 unsigned char compact_der[64];
4687 size_t len_der = 2048;
4688 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
4689
4690 secp256k1_ecdsa_signature sig_der_lax;
4691 unsigned char roundtrip_der_lax[2048];
4692 unsigned char compact_der_lax[64];
4693 size_t len_der_lax = 2048;
4694 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
4695
4696 #ifdef ENABLE_OPENSSL_TESTS
4697 ECDSA_SIG *sig_openssl;
4698 const BIGNUM *r = NULL, *s = NULL;
4699 const unsigned char *sigptr;
4700 unsigned char roundtrip_openssl[2048];
4701 int len_openssl = 2048;
4702 int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
4703 #endif
4704
4705 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
4706 if (parsed_der) {
4707 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
4708 valid_der = (secp256k1_memcmp_var(compact_der, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der + 32, zeroes, 32) != 0);
4709 }
4710 if (valid_der) {
4711 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
4712 roundtrips_der = (len_der == siglen) && secp256k1_memcmp_var(roundtrip_der, sig, siglen) == 0;
4713 }
4714
4715 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
4716 if (parsed_der_lax) {
4717 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
4718 valid_der_lax = (secp256k1_memcmp_var(compact_der_lax, zeroes, 32) != 0) && (secp256k1_memcmp_var(compact_der_lax + 32, zeroes, 32) != 0);
4719 }
4720 if (valid_der_lax) {
4721 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
4722 roundtrips_der_lax = (len_der_lax == siglen) && secp256k1_memcmp_var(roundtrip_der_lax, sig, siglen) == 0;
4723 }
4724
4725 if (certainly_der) {
4726 ret |= (!parsed_der) << 2;
4727 }
4728 if (certainly_not_der) {
4729 ret |= (parsed_der) << 17;
4730 }
4731 if (valid_der) {
4732 ret |= (!roundtrips_der) << 3;
4733 }
4734
4735 if (valid_der) {
4736 ret |= (!roundtrips_der_lax) << 12;
4737 ret |= (len_der != len_der_lax) << 13;
4738 ret |= ((len_der != len_der_lax) || (secp256k1_memcmp_var(roundtrip_der_lax, roundtrip_der, len_der) != 0)) << 14;
4739 }
4740 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
4741 if (parsed_der) {
4742 ret |= (!parsed_der_lax) << 16;
4743 }
4744
4745 #ifdef ENABLE_OPENSSL_TESTS
4746 sig_openssl = ECDSA_SIG_new();
4747 sigptr = sig;
4748 parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
4749 if (parsed_openssl) {
4750 ECDSA_SIG_get0(sig_openssl, &r, &s);
4751 valid_openssl = !BN_is_negative(r) && !BN_is_negative(s) && BN_num_bits(r) > 0 && BN_num_bits(r) <= 256 && BN_num_bits(s) > 0 && BN_num_bits(s) <= 256;
4752 if (valid_openssl) {
4753 unsigned char tmp[32] = {0};
4754 BN_bn2bin(r, tmp + 32 - BN_num_bytes(r));
4755 valid_openssl = secp256k1_memcmp_var(tmp, max_scalar, 32) < 0;
4756 }
4757 if (valid_openssl) {
4758 unsigned char tmp[32] = {0};
4759 BN_bn2bin(s, tmp + 32 - BN_num_bytes(s));
4760 valid_openssl = secp256k1_memcmp_var(tmp, max_scalar, 32) < 0;
4761 }
4762 }
4763 len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
4764 if (len_openssl <= 2048) {
4765 unsigned char *ptr = roundtrip_openssl;
4766 CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
4767 roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (secp256k1_memcmp_var(roundtrip_openssl, sig, siglen) == 0);
4768 } else {
4769 len_openssl = 0;
4770 }
4771 ECDSA_SIG_free(sig_openssl);
4772
4773 ret |= (parsed_der && !parsed_openssl) << 4;
4774 ret |= (valid_der && !valid_openssl) << 5;
4775 ret |= (roundtrips_openssl && !parsed_der) << 6;
4776 ret |= (roundtrips_der != roundtrips_openssl) << 7;
4777 if (roundtrips_openssl) {
4778 ret |= (len_der != (size_t)len_openssl) << 8;
4779 ret |= ((len_der != (size_t)len_openssl) || (secp256k1_memcmp_var(roundtrip_der, roundtrip_openssl, len_der) != 0)) << 9;
4780 }
4781 #endif
4782 return ret;
4783 }
4784
assign_big_endian(unsigned char * ptr,size_t ptrlen,uint32_t val)4785 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
4786 size_t i;
4787 for (i = 0; i < ptrlen; i++) {
4788 int shift = ptrlen - 1 - i;
4789 if (shift >= 4) {
4790 ptr[i] = 0;
4791 } else {
4792 ptr[i] = (val >> shift) & 0xFF;
4793 }
4794 }
4795 }
4796
damage_array(unsigned char * sig,size_t * len)4797 static void damage_array(unsigned char *sig, size_t *len) {
4798 int pos;
4799 int action = secp256k1_testrand_bits(3);
4800 if (action < 1 && *len > 3) {
4801 /* Delete a byte. */
4802 pos = secp256k1_testrand_int(*len);
4803 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
4804 (*len)--;
4805 return;
4806 } else if (action < 2 && *len < 2048) {
4807 /* Insert a byte. */
4808 pos = secp256k1_testrand_int(1 + *len);
4809 memmove(sig + pos + 1, sig + pos, *len - pos);
4810 sig[pos] = secp256k1_testrand_bits(8);
4811 (*len)++;
4812 return;
4813 } else if (action < 4) {
4814 /* Modify a byte. */
4815 sig[secp256k1_testrand_int(*len)] += 1 + secp256k1_testrand_int(255);
4816 return;
4817 } else { /* action < 8 */
4818 /* Modify a bit. */
4819 sig[secp256k1_testrand_int(*len)] ^= 1 << secp256k1_testrand_bits(3);
4820 return;
4821 }
4822 }
4823
random_ber_signature(unsigned char * sig,size_t * len,int * certainly_der,int * certainly_not_der)4824 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
4825 int der;
4826 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
4827 size_t tlen, elen, glen;
4828 int indet;
4829 int n;
4830
4831 *len = 0;
4832 der = secp256k1_testrand_bits(2) == 0;
4833 *certainly_der = der;
4834 *certainly_not_der = 0;
4835 indet = der ? 0 : secp256k1_testrand_int(10) == 0;
4836
4837 for (n = 0; n < 2; n++) {
4838 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
4839 nlow[n] = der ? 1 : (secp256k1_testrand_bits(3) != 0);
4840 /* The length of the number in bytes (the first byte of which will always be nonzero) */
4841 nlen[n] = nlow[n] ? secp256k1_testrand_int(33) : 32 + secp256k1_testrand_int(200) * secp256k1_testrand_int(8) / 8;
4842 CHECK(nlen[n] <= 232);
4843 /* The top bit of the number. */
4844 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_testrand_bits(1));
4845 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
4846 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_testrand_bits(7) : 1 + secp256k1_testrand_int(127));
4847 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
4848 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_testrand_int(3) : secp256k1_testrand_int(300 - nlen[n]) * secp256k1_testrand_int(8) / 8);
4849 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
4850 *certainly_not_der = 1;
4851 }
4852 CHECK(nlen[n] + nzlen[n] <= 300);
4853 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
4854 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
4855 if (!der) {
4856 /* nlenlen[n] max 127 bytes */
4857 int add = secp256k1_testrand_int(127 - nlenlen[n]) * secp256k1_testrand_int(16) * secp256k1_testrand_int(16) / 256;
4858 nlenlen[n] += add;
4859 if (add != 0) {
4860 *certainly_not_der = 1;
4861 }
4862 }
4863 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
4864 }
4865
4866 /* The total length of the data to go, so far */
4867 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
4868 CHECK(tlen <= 856);
4869
4870 /* The length of the garbage inside the tuple. */
4871 elen = (der || indet) ? 0 : secp256k1_testrand_int(980 - tlen) * secp256k1_testrand_int(8) / 8;
4872 if (elen != 0) {
4873 *certainly_not_der = 1;
4874 }
4875 tlen += elen;
4876 CHECK(tlen <= 980);
4877
4878 /* The length of the garbage after the end of the tuple. */
4879 glen = der ? 0 : secp256k1_testrand_int(990 - tlen) * secp256k1_testrand_int(8) / 8;
4880 if (glen != 0) {
4881 *certainly_not_der = 1;
4882 }
4883 CHECK(tlen + glen <= 990);
4884
4885 /* Write the tuple header. */
4886 sig[(*len)++] = 0x30;
4887 if (indet) {
4888 /* Indeterminate length */
4889 sig[(*len)++] = 0x80;
4890 *certainly_not_der = 1;
4891 } else {
4892 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
4893 if (!der) {
4894 int add = secp256k1_testrand_int(127 - tlenlen) * secp256k1_testrand_int(16) * secp256k1_testrand_int(16) / 256;
4895 tlenlen += add;
4896 if (add != 0) {
4897 *certainly_not_der = 1;
4898 }
4899 }
4900 if (tlenlen == 0) {
4901 /* Short length notation */
4902 sig[(*len)++] = tlen;
4903 } else {
4904 /* Long length notation */
4905 sig[(*len)++] = 128 + tlenlen;
4906 assign_big_endian(sig + *len, tlenlen, tlen);
4907 *len += tlenlen;
4908 }
4909 tlen += tlenlen;
4910 }
4911 tlen += 2;
4912 CHECK(tlen + glen <= 1119);
4913
4914 for (n = 0; n < 2; n++) {
4915 /* Write the integer header. */
4916 sig[(*len)++] = 0x02;
4917 if (nlenlen[n] == 0) {
4918 /* Short length notation */
4919 sig[(*len)++] = nlen[n] + nzlen[n];
4920 } else {
4921 /* Long length notation. */
4922 sig[(*len)++] = 128 + nlenlen[n];
4923 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
4924 *len += nlenlen[n];
4925 }
4926 /* Write zero padding */
4927 while (nzlen[n] > 0) {
4928 sig[(*len)++] = 0x00;
4929 nzlen[n]--;
4930 }
4931 if (nlen[n] == 32 && !nlow[n]) {
4932 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
4933 int i;
4934 for (i = 0; i < 16; i++) {
4935 sig[(*len)++] = 0xFF;
4936 }
4937 nlen[n] -= 16;
4938 }
4939 /* Write first byte of number */
4940 if (nlen[n] > 0) {
4941 sig[(*len)++] = nhbyte[n];
4942 nlen[n]--;
4943 }
4944 /* Generate remaining random bytes of number */
4945 secp256k1_testrand_bytes_test(sig + *len, nlen[n]);
4946 *len += nlen[n];
4947 nlen[n] = 0;
4948 }
4949
4950 /* Generate random garbage inside tuple. */
4951 secp256k1_testrand_bytes_test(sig + *len, elen);
4952 *len += elen;
4953
4954 /* Generate end-of-contents bytes. */
4955 if (indet) {
4956 sig[(*len)++] = 0;
4957 sig[(*len)++] = 0;
4958 tlen += 2;
4959 }
4960 CHECK(tlen + glen <= 1121);
4961
4962 /* Generate random garbage outside tuple. */
4963 secp256k1_testrand_bytes_test(sig + *len, glen);
4964 *len += glen;
4965 tlen += glen;
4966 CHECK(tlen <= 1121);
4967 CHECK(tlen == *len);
4968 }
4969
run_ecdsa_der_parse(void)4970 void run_ecdsa_der_parse(void) {
4971 int i,j;
4972 for (i = 0; i < 200 * count; i++) {
4973 unsigned char buffer[2048];
4974 size_t buflen = 0;
4975 int certainly_der = 0;
4976 int certainly_not_der = 0;
4977 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
4978 CHECK(buflen <= 2048);
4979 for (j = 0; j < 16; j++) {
4980 int ret = 0;
4981 if (j > 0) {
4982 damage_array(buffer, &buflen);
4983 /* We don't know anything anymore about the DERness of the result */
4984 certainly_der = 0;
4985 certainly_not_der = 0;
4986 }
4987 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
4988 if (ret != 0) {
4989 size_t k;
4990 fprintf(stderr, "Failure %x on ", ret);
4991 for (k = 0; k < buflen; k++) {
4992 fprintf(stderr, "%02x ", buffer[k]);
4993 }
4994 fprintf(stderr, "\n");
4995 }
4996 CHECK(ret == 0);
4997 }
4998 }
4999 }
5000
5001 /* Tests several edge cases. */
test_ecdsa_edge_cases(void)5002 void test_ecdsa_edge_cases(void) {
5003 int t;
5004 secp256k1_ecdsa_signature sig;
5005
5006 /* Test the case where ECDSA recomputes a point that is infinity. */
5007 {
5008 secp256k1_gej keyj;
5009 secp256k1_ge key;
5010 secp256k1_scalar msg;
5011 secp256k1_scalar sr, ss;
5012 secp256k1_scalar_set_int(&ss, 1);
5013 secp256k1_scalar_negate(&ss, &ss);
5014 secp256k1_scalar_inverse(&ss, &ss);
5015 secp256k1_scalar_set_int(&sr, 1);
5016 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
5017 secp256k1_ge_set_gej(&key, &keyj);
5018 msg = ss;
5019 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5020 }
5021
5022 /* Verify signature with r of zero fails. */
5023 {
5024 const unsigned char pubkey_mods_zero[33] = {
5025 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5026 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5027 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
5028 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
5029 0x41
5030 };
5031 secp256k1_ge key;
5032 secp256k1_scalar msg;
5033 secp256k1_scalar sr, ss;
5034 secp256k1_scalar_set_int(&ss, 1);
5035 secp256k1_scalar_set_int(&msg, 0);
5036 secp256k1_scalar_set_int(&sr, 0);
5037 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
5038 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5039 }
5040
5041 /* Verify signature with s of zero fails. */
5042 {
5043 const unsigned char pubkey[33] = {
5044 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5045 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5046 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5047 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5048 0x01
5049 };
5050 secp256k1_ge key;
5051 secp256k1_scalar msg;
5052 secp256k1_scalar sr, ss;
5053 secp256k1_scalar_set_int(&ss, 0);
5054 secp256k1_scalar_set_int(&msg, 0);
5055 secp256k1_scalar_set_int(&sr, 1);
5056 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5057 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5058 }
5059
5060 /* Verify signature with message 0 passes. */
5061 {
5062 const unsigned char pubkey[33] = {
5063 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5064 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5065 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5066 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5067 0x02
5068 };
5069 const unsigned char pubkey2[33] = {
5070 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5071 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5072 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
5073 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
5074 0x43
5075 };
5076 secp256k1_ge key;
5077 secp256k1_ge key2;
5078 secp256k1_scalar msg;
5079 secp256k1_scalar sr, ss;
5080 secp256k1_scalar_set_int(&ss, 2);
5081 secp256k1_scalar_set_int(&msg, 0);
5082 secp256k1_scalar_set_int(&sr, 2);
5083 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5084 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
5085 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5086 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5087 secp256k1_scalar_negate(&ss, &ss);
5088 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5089 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5090 secp256k1_scalar_set_int(&ss, 1);
5091 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5092 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
5093 }
5094
5095 /* Verify signature with message 1 passes. */
5096 {
5097 const unsigned char pubkey[33] = {
5098 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
5099 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
5100 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
5101 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
5102 0x25
5103 };
5104 const unsigned char pubkey2[33] = {
5105 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
5106 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
5107 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
5108 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
5109 0x62
5110 };
5111 const unsigned char csr[32] = {
5112 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5113 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5114 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
5115 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
5116 };
5117 secp256k1_ge key;
5118 secp256k1_ge key2;
5119 secp256k1_scalar msg;
5120 secp256k1_scalar sr, ss;
5121 secp256k1_scalar_set_int(&ss, 1);
5122 secp256k1_scalar_set_int(&msg, 1);
5123 secp256k1_scalar_set_b32(&sr, csr, NULL);
5124 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5125 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
5126 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5127 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5128 secp256k1_scalar_negate(&ss, &ss);
5129 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5130 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
5131 secp256k1_scalar_set_int(&ss, 2);
5132 secp256k1_scalar_inverse_var(&ss, &ss);
5133 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5134 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
5135 }
5136
5137 /* Verify signature with message -1 passes. */
5138 {
5139 const unsigned char pubkey[33] = {
5140 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
5141 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
5142 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
5143 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
5144 0xf1
5145 };
5146 const unsigned char csr[32] = {
5147 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5148 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5149 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
5150 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
5151 };
5152 secp256k1_ge key;
5153 secp256k1_scalar msg;
5154 secp256k1_scalar sr, ss;
5155 secp256k1_scalar_set_int(&ss, 1);
5156 secp256k1_scalar_set_int(&msg, 1);
5157 secp256k1_scalar_negate(&msg, &msg);
5158 secp256k1_scalar_set_b32(&sr, csr, NULL);
5159 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
5160 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5161 secp256k1_scalar_negate(&ss, &ss);
5162 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
5163 secp256k1_scalar_set_int(&ss, 3);
5164 secp256k1_scalar_inverse_var(&ss, &ss);
5165 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
5166 }
5167
5168 /* Signature where s would be zero. */
5169 {
5170 secp256k1_pubkey pubkey;
5171 size_t siglen;
5172 int32_t ecount;
5173 unsigned char signature[72];
5174 static const unsigned char nonce[32] = {
5175 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5176 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5177 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5178 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5179 };
5180 static const unsigned char nonce2[32] = {
5181 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
5182 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
5183 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
5184 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
5185 };
5186 const unsigned char key[32] = {
5187 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5188 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5189 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
5190 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
5191 };
5192 unsigned char msg[32] = {
5193 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
5194 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
5195 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
5196 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
5197 };
5198 ecount = 0;
5199 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
5200 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
5201 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
5202 msg[31] = 0xaa;
5203 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
5204 CHECK(ecount == 0);
5205 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
5206 CHECK(ecount == 1);
5207 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
5208 CHECK(ecount == 2);
5209 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
5210 CHECK(ecount == 3);
5211 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
5212 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
5213 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
5214 CHECK(ecount == 4);
5215 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
5216 CHECK(ecount == 5);
5217 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
5218 CHECK(ecount == 6);
5219 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
5220 CHECK(ecount == 6);
5221 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
5222 CHECK(ecount == 7);
5223 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
5224 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
5225 CHECK(ecount == 8);
5226 siglen = 72;
5227 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
5228 CHECK(ecount == 9);
5229 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
5230 CHECK(ecount == 10);
5231 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
5232 CHECK(ecount == 11);
5233 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
5234 CHECK(ecount == 11);
5235 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
5236 CHECK(ecount == 12);
5237 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
5238 CHECK(ecount == 13);
5239 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
5240 CHECK(ecount == 13);
5241 siglen = 10;
5242 /* Too little room for a signature does not fail via ARGCHECK. */
5243 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
5244 CHECK(ecount == 13);
5245 ecount = 0;
5246 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
5247 CHECK(ecount == 1);
5248 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
5249 CHECK(ecount == 2);
5250 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
5251 CHECK(ecount == 3);
5252 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
5253 CHECK(ecount == 3);
5254 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
5255 CHECK(ecount == 4);
5256 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
5257 CHECK(ecount == 5);
5258 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
5259 CHECK(ecount == 5);
5260 memset(signature, 255, 64);
5261 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
5262 CHECK(ecount == 5);
5263 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
5264 }
5265
5266 /* Nonce function corner cases. */
5267 for (t = 0; t < 2; t++) {
5268 static const unsigned char zero[32] = {0x00};
5269 int i;
5270 unsigned char key[32];
5271 unsigned char msg[32];
5272 secp256k1_ecdsa_signature sig2;
5273 secp256k1_scalar sr[512], ss;
5274 const unsigned char *extra;
5275 extra = t == 0 ? NULL : zero;
5276 memset(msg, 0, 32);
5277 msg[31] = 1;
5278 /* High key results in signature failure. */
5279 memset(key, 0xFF, 32);
5280 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
5281 CHECK(is_empty_signature(&sig));
5282 /* Zero key results in signature failure. */
5283 memset(key, 0, 32);
5284 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
5285 CHECK(is_empty_signature(&sig));
5286 /* Nonce function failure results in signature failure. */
5287 key[31] = 1;
5288 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
5289 CHECK(is_empty_signature(&sig));
5290 /* The retry loop successfully makes its way to the first good value. */
5291 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
5292 CHECK(!is_empty_signature(&sig));
5293 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
5294 CHECK(!is_empty_signature(&sig2));
5295 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
5296 /* The default nonce function is deterministic. */
5297 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5298 CHECK(!is_empty_signature(&sig2));
5299 CHECK(secp256k1_memcmp_var(&sig, &sig2, sizeof(sig)) == 0);
5300 /* The default nonce function changes output with different messages. */
5301 for(i = 0; i < 256; i++) {
5302 int j;
5303 msg[0] = i;
5304 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5305 CHECK(!is_empty_signature(&sig2));
5306 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
5307 for (j = 0; j < i; j++) {
5308 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
5309 }
5310 }
5311 msg[0] = 0;
5312 msg[31] = 2;
5313 /* The default nonce function changes output with different keys. */
5314 for(i = 256; i < 512; i++) {
5315 int j;
5316 key[0] = i - 256;
5317 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
5318 CHECK(!is_empty_signature(&sig2));
5319 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
5320 for (j = 0; j < i; j++) {
5321 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
5322 }
5323 }
5324 key[0] = 0;
5325 }
5326
5327 {
5328 /* Check that optional nonce arguments do not have equivalent effect. */
5329 const unsigned char zeros[32] = {0};
5330 unsigned char nonce[32];
5331 unsigned char nonce2[32];
5332 unsigned char nonce3[32];
5333 unsigned char nonce4[32];
5334 VG_UNDEF(nonce,32);
5335 VG_UNDEF(nonce2,32);
5336 VG_UNDEF(nonce3,32);
5337 VG_UNDEF(nonce4,32);
5338 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
5339 VG_CHECK(nonce,32);
5340 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
5341 VG_CHECK(nonce2,32);
5342 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
5343 VG_CHECK(nonce3,32);
5344 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
5345 VG_CHECK(nonce4,32);
5346 CHECK(secp256k1_memcmp_var(nonce, nonce2, 32) != 0);
5347 CHECK(secp256k1_memcmp_var(nonce, nonce3, 32) != 0);
5348 CHECK(secp256k1_memcmp_var(nonce, nonce4, 32) != 0);
5349 CHECK(secp256k1_memcmp_var(nonce2, nonce3, 32) != 0);
5350 CHECK(secp256k1_memcmp_var(nonce2, nonce4, 32) != 0);
5351 CHECK(secp256k1_memcmp_var(nonce3, nonce4, 32) != 0);
5352 }
5353
5354
5355 /* Privkey export where pubkey is the point at infinity. */
5356 {
5357 unsigned char privkey[300];
5358 unsigned char seckey[32] = {
5359 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
5360 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
5361 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
5362 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
5363 };
5364 size_t outlen = 300;
5365 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
5366 outlen = 300;
5367 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
5368 }
5369 }
5370
run_ecdsa_edge_cases(void)5371 void run_ecdsa_edge_cases(void) {
5372 test_ecdsa_edge_cases();
5373 }
5374
5375 #ifdef ENABLE_OPENSSL_TESTS
get_openssl_key(const unsigned char * key32)5376 EC_KEY *get_openssl_key(const unsigned char *key32) {
5377 unsigned char privkey[300];
5378 size_t privkeylen;
5379 const unsigned char* pbegin = privkey;
5380 int compr = secp256k1_testrand_bits(1);
5381 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
5382 CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
5383 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
5384 CHECK(EC_KEY_check_key(ec_key));
5385 return ec_key;
5386 }
5387
test_ecdsa_openssl(void)5388 void test_ecdsa_openssl(void) {
5389 secp256k1_gej qj;
5390 secp256k1_ge q;
5391 secp256k1_scalar sigr, sigs;
5392 secp256k1_scalar one;
5393 secp256k1_scalar msg2;
5394 secp256k1_scalar key, msg;
5395 EC_KEY *ec_key;
5396 unsigned int sigsize = 80;
5397 size_t secp_sigsize = 80;
5398 unsigned char message[32];
5399 unsigned char signature[80];
5400 unsigned char key32[32];
5401 secp256k1_testrand256_test(message);
5402 secp256k1_scalar_set_b32(&msg, message, NULL);
5403 random_scalar_order_test(&key);
5404 secp256k1_scalar_get_b32(key32, &key);
5405 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
5406 secp256k1_ge_set_gej(&q, &qj);
5407 ec_key = get_openssl_key(key32);
5408 CHECK(ec_key != NULL);
5409 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
5410 CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
5411 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
5412 secp256k1_scalar_set_int(&one, 1);
5413 secp256k1_scalar_add(&msg2, &msg, &one);
5414 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
5415
5416 random_sign(&sigr, &sigs, &key, &msg, NULL);
5417 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
5418 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
5419
5420 EC_KEY_free(ec_key);
5421 }
5422
run_ecdsa_openssl(void)5423 void run_ecdsa_openssl(void) {
5424 int i;
5425 for (i = 0; i < 10*count; i++) {
5426 test_ecdsa_openssl();
5427 }
5428 }
5429 #endif
5430
5431 #ifdef ENABLE_MODULE_ECDH
5432 # include "modules/ecdh/tests_impl.h"
5433 #endif
5434
5435 #ifdef ENABLE_MODULE_RECOVERY
5436 # include "modules/recovery/tests_impl.h"
5437 #endif
5438
5439 #ifdef ENABLE_MODULE_EXTRAKEYS
5440 # include "modules/extrakeys/tests_impl.h"
5441 #endif
5442
5443 #ifdef ENABLE_MODULE_SCHNORRSIG
5444 # include "modules/schnorrsig/tests_impl.h"
5445 #endif
5446
run_memczero_test(void)5447 void run_memczero_test(void) {
5448 unsigned char buf1[6] = {1, 2, 3, 4, 5, 6};
5449 unsigned char buf2[sizeof(buf1)];
5450
5451 /* memczero(..., ..., 0) is a noop. */
5452 memcpy(buf2, buf1, sizeof(buf1));
5453 memczero(buf1, sizeof(buf1), 0);
5454 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
5455
5456 /* memczero(..., ..., 1) zeros the buffer. */
5457 memset(buf2, 0, sizeof(buf2));
5458 memczero(buf1, sizeof(buf1) , 1);
5459 CHECK(secp256k1_memcmp_var(buf1, buf2, sizeof(buf1)) == 0);
5460 }
5461
int_cmov_test(void)5462 void int_cmov_test(void) {
5463 int r = INT_MAX;
5464 int a = 0;
5465
5466 secp256k1_int_cmov(&r, &a, 0);
5467 CHECK(r == INT_MAX);
5468
5469 r = 0; a = INT_MAX;
5470 secp256k1_int_cmov(&r, &a, 1);
5471 CHECK(r == INT_MAX);
5472
5473 a = 0;
5474 secp256k1_int_cmov(&r, &a, 1);
5475 CHECK(r == 0);
5476
5477 a = 1;
5478 secp256k1_int_cmov(&r, &a, 1);
5479 CHECK(r == 1);
5480
5481 r = 1; a = 0;
5482 secp256k1_int_cmov(&r, &a, 0);
5483 CHECK(r == 1);
5484
5485 }
5486
fe_cmov_test(void)5487 void fe_cmov_test(void) {
5488 static const secp256k1_fe zero = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
5489 static const secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
5490 static const secp256k1_fe max = SECP256K1_FE_CONST(
5491 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5492 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
5493 );
5494 secp256k1_fe r = max;
5495 secp256k1_fe a = zero;
5496
5497 secp256k1_fe_cmov(&r, &a, 0);
5498 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5499
5500 r = zero; a = max;
5501 secp256k1_fe_cmov(&r, &a, 1);
5502 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5503
5504 a = zero;
5505 secp256k1_fe_cmov(&r, &a, 1);
5506 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
5507
5508 a = one;
5509 secp256k1_fe_cmov(&r, &a, 1);
5510 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5511
5512 r = one; a = zero;
5513 secp256k1_fe_cmov(&r, &a, 0);
5514 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5515 }
5516
fe_storage_cmov_test(void)5517 void fe_storage_cmov_test(void) {
5518 static const secp256k1_fe_storage zero = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0);
5519 static const secp256k1_fe_storage one = SECP256K1_FE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
5520 static const secp256k1_fe_storage max = SECP256K1_FE_STORAGE_CONST(
5521 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5522 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
5523 );
5524 secp256k1_fe_storage r = max;
5525 secp256k1_fe_storage a = zero;
5526
5527 secp256k1_fe_storage_cmov(&r, &a, 0);
5528 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5529
5530 r = zero; a = max;
5531 secp256k1_fe_storage_cmov(&r, &a, 1);
5532 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5533
5534 a = zero;
5535 secp256k1_fe_storage_cmov(&r, &a, 1);
5536 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
5537
5538 a = one;
5539 secp256k1_fe_storage_cmov(&r, &a, 1);
5540 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5541
5542 r = one; a = zero;
5543 secp256k1_fe_storage_cmov(&r, &a, 0);
5544 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5545 }
5546
scalar_cmov_test(void)5547 void scalar_cmov_test(void) {
5548 static const secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
5549 static const secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
5550 static const secp256k1_scalar max = SECP256K1_SCALAR_CONST(
5551 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5552 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
5553 );
5554 secp256k1_scalar r = max;
5555 secp256k1_scalar a = zero;
5556
5557 secp256k1_scalar_cmov(&r, &a, 0);
5558 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5559
5560 r = zero; a = max;
5561 secp256k1_scalar_cmov(&r, &a, 1);
5562 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5563
5564 a = zero;
5565 secp256k1_scalar_cmov(&r, &a, 1);
5566 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
5567
5568 a = one;
5569 secp256k1_scalar_cmov(&r, &a, 1);
5570 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5571
5572 r = one; a = zero;
5573 secp256k1_scalar_cmov(&r, &a, 0);
5574 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5575 }
5576
ge_storage_cmov_test(void)5577 void ge_storage_cmov_test(void) {
5578 static const secp256k1_ge_storage zero = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0);
5579 static const secp256k1_ge_storage one = SECP256K1_GE_STORAGE_CONST(0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1);
5580 static const secp256k1_ge_storage max = SECP256K1_GE_STORAGE_CONST(
5581 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5582 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5583 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
5584 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
5585 );
5586 secp256k1_ge_storage r = max;
5587 secp256k1_ge_storage a = zero;
5588
5589 secp256k1_ge_storage_cmov(&r, &a, 0);
5590 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5591
5592 r = zero; a = max;
5593 secp256k1_ge_storage_cmov(&r, &a, 1);
5594 CHECK(secp256k1_memcmp_var(&r, &max, sizeof(r)) == 0);
5595
5596 a = zero;
5597 secp256k1_ge_storage_cmov(&r, &a, 1);
5598 CHECK(secp256k1_memcmp_var(&r, &zero, sizeof(r)) == 0);
5599
5600 a = one;
5601 secp256k1_ge_storage_cmov(&r, &a, 1);
5602 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5603
5604 r = one; a = zero;
5605 secp256k1_ge_storage_cmov(&r, &a, 0);
5606 CHECK(secp256k1_memcmp_var(&r, &one, sizeof(r)) == 0);
5607 }
5608
run_cmov_tests(void)5609 void run_cmov_tests(void) {
5610 int_cmov_test();
5611 fe_cmov_test();
5612 fe_storage_cmov_test();
5613 scalar_cmov_test();
5614 ge_storage_cmov_test();
5615 }
5616
main(int argc,char ** argv)5617 int main(int argc, char **argv) {
5618 /* Disable buffering for stdout to improve reliability of getting
5619 * diagnostic information. Happens right at the start of main because
5620 * setbuf must be used before any other operation on the stream. */
5621 setbuf(stdout, NULL);
5622 /* Also disable buffering for stderr because it's not guaranteed that it's
5623 * unbuffered on all systems. */
5624 setbuf(stderr, NULL);
5625
5626 /* find iteration count */
5627 if (argc > 1) {
5628 count = strtol(argv[1], NULL, 0);
5629 }
5630 printf("test count = %i\n", count);
5631
5632 /* find random seed */
5633 secp256k1_testrand_init(argc > 2 ? argv[2] : NULL);
5634
5635 /* initialize */
5636 run_context_tests(0);
5637 run_context_tests(1);
5638 run_scratch_tests();
5639 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
5640 if (secp256k1_testrand_bits(1)) {
5641 unsigned char rand32[32];
5642 secp256k1_testrand256(rand32);
5643 CHECK(secp256k1_context_randomize(ctx, secp256k1_testrand_bits(1) ? rand32 : NULL));
5644 }
5645
5646 run_rand_bits();
5647 run_rand_int();
5648
5649 run_sha256_tests();
5650 run_hmac_sha256_tests();
5651 run_rfc6979_hmac_sha256_tests();
5652
5653 #ifndef USE_NUM_NONE
5654 /* num tests */
5655 run_num_smalltests();
5656 #endif
5657
5658 /* scalar tests */
5659 run_scalar_tests();
5660
5661 /* field tests */
5662 run_field_inv();
5663 run_field_inv_var();
5664 run_field_inv_all_var();
5665 run_field_misc();
5666 run_field_convert();
5667 run_sqr();
5668 run_sqrt();
5669
5670 /* group tests */
5671 run_ge();
5672 run_group_decompress();
5673
5674 /* ecmult tests */
5675 run_wnaf();
5676 run_point_times_order();
5677 run_ecmult_near_split_bound();
5678 run_ecmult_chain();
5679 run_ecmult_constants();
5680 run_ecmult_gen_blind();
5681 run_ecmult_const_tests();
5682 run_ecmult_multi_tests();
5683 run_ec_combine();
5684
5685 /* endomorphism tests */
5686 run_endomorphism_tests();
5687
5688 /* EC point parser test */
5689 run_ec_pubkey_parse_test();
5690
5691 /* EC key edge cases */
5692 run_eckey_edge_case_test();
5693
5694 /* EC key arithmetic test */
5695 run_eckey_negate_test();
5696
5697 #ifdef ENABLE_MODULE_ECDH
5698 /* ecdh tests */
5699 run_ecdh_tests();
5700 #endif
5701
5702 /* ecdsa tests */
5703 run_random_pubkeys();
5704 run_ecdsa_der_parse();
5705 run_ecdsa_sign_verify();
5706 run_ecdsa_end_to_end();
5707 run_ecdsa_edge_cases();
5708 #ifdef ENABLE_OPENSSL_TESTS
5709 run_ecdsa_openssl();
5710 #endif
5711
5712 #ifdef ENABLE_MODULE_RECOVERY
5713 /* ECDSA pubkey recovery tests */
5714 run_recovery_tests();
5715 #endif
5716
5717 #ifdef ENABLE_MODULE_EXTRAKEYS
5718 run_extrakeys_tests();
5719 #endif
5720
5721 #ifdef ENABLE_MODULE_SCHNORRSIG
5722 run_schnorrsig_tests();
5723 #endif
5724
5725 /* util tests */
5726 run_memczero_test();
5727
5728 run_cmov_tests();
5729
5730 secp256k1_testrand_finish();
5731
5732 /* shutdown */
5733 secp256k1_context_destroy(ctx);
5734
5735 printf("no problems found\n");
5736 return 0;
5737 }
5738