1 /**********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
6
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
9 #endif
10
11 #include <stdio.h>
12 #include <stdlib.h>
13
14 #include <time.h>
15
16 #include "secp256k1.c"
17 #include "include/secp256k1.h"
18 #include "testrand_impl.h"
19
20 #ifdef ENABLE_OPENSSL_TESTS
21 #include "openssl/bn.h"
22 #include "openssl/ec.h"
23 #include "openssl/ecdsa.h"
24 #include "openssl/obj_mac.h"
25 #endif
26
27 #include "contrib/lax_der_parsing.c"
28 #include "contrib/lax_der_privatekey_parsing.c"
29
30 #if !defined(VG_CHECK)
31 # if defined(VALGRIND)
32 # include <valgrind/memcheck.h>
33 # define VG_UNDEF(x,y) VALGRIND_MAKE_MEM_UNDEFINED((x),(y))
34 # define VG_CHECK(x,y) VALGRIND_CHECK_MEM_IS_DEFINED((x),(y))
35 # else
36 # define VG_UNDEF(x,y)
37 # define VG_CHECK(x,y)
38 # endif
39 #endif
40
41 static int count = 64;
42 static secp256k1_context *ctx = NULL;
43
counting_illegal_callback_fn(const char * str,void * data)44 static void counting_illegal_callback_fn(const char* str, void* data) {
45 /* Dummy callback function that just counts. */
46 int32_t *p;
47 (void)str;
48 p = data;
49 (*p)++;
50 }
51
uncounting_illegal_callback_fn(const char * str,void * data)52 static void uncounting_illegal_callback_fn(const char* str, void* data) {
53 /* Dummy callback function that just counts (backwards). */
54 int32_t *p;
55 (void)str;
56 p = data;
57 (*p)--;
58 }
59
random_field_element_test(secp256k1_fe * fe)60 void random_field_element_test(secp256k1_fe *fe) {
61 do {
62 unsigned char b32[32];
63 secp256k1_rand256_test(b32);
64 if (secp256k1_fe_set_b32(fe, b32)) {
65 break;
66 }
67 } while(1);
68 }
69
random_field_element_magnitude(secp256k1_fe * fe)70 void random_field_element_magnitude(secp256k1_fe *fe) {
71 secp256k1_fe zero;
72 int n = secp256k1_rand_int(9);
73 secp256k1_fe_normalize(fe);
74 if (n == 0) {
75 return;
76 }
77 secp256k1_fe_clear(&zero);
78 secp256k1_fe_negate(&zero, &zero, 0);
79 secp256k1_fe_mul_int(&zero, n - 1);
80 secp256k1_fe_add(fe, &zero);
81 VERIFY_CHECK(fe->magnitude == n);
82 }
83
random_group_element_test(secp256k1_ge * ge)84 void random_group_element_test(secp256k1_ge *ge) {
85 secp256k1_fe fe;
86 do {
87 random_field_element_test(&fe);
88 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand_bits(1))) {
89 secp256k1_fe_normalize(&ge->y);
90 break;
91 }
92 } while(1);
93 }
94
random_group_element_jacobian_test(secp256k1_gej * gej,const secp256k1_ge * ge)95 void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
96 secp256k1_fe z2, z3;
97 do {
98 random_field_element_test(&gej->z);
99 if (!secp256k1_fe_is_zero(&gej->z)) {
100 break;
101 }
102 } while(1);
103 secp256k1_fe_sqr(&z2, &gej->z);
104 secp256k1_fe_mul(&z3, &z2, &gej->z);
105 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
106 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
107 gej->infinity = ge->infinity;
108 }
109
random_scalar_order_test(secp256k1_scalar * num)110 void random_scalar_order_test(secp256k1_scalar *num) {
111 do {
112 unsigned char b32[32];
113 int overflow = 0;
114 secp256k1_rand256_test(b32);
115 secp256k1_scalar_set_b32(num, b32, &overflow);
116 if (overflow || secp256k1_scalar_is_zero(num)) {
117 continue;
118 }
119 break;
120 } while(1);
121 }
122
random_scalar_order(secp256k1_scalar * num)123 void random_scalar_order(secp256k1_scalar *num) {
124 do {
125 unsigned char b32[32];
126 int overflow = 0;
127 secp256k1_rand256(b32);
128 secp256k1_scalar_set_b32(num, b32, &overflow);
129 if (overflow || secp256k1_scalar_is_zero(num)) {
130 continue;
131 }
132 break;
133 } while(1);
134 }
135
run_context_tests(void)136 void run_context_tests(void) {
137 secp256k1_pubkey pubkey;
138 secp256k1_ecdsa_signature sig;
139 unsigned char ctmp[32];
140 int32_t ecount;
141 int32_t ecount2;
142 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
143 secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
144 secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
145 secp256k1_context *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
146
147 secp256k1_gej pubj;
148 secp256k1_ge pub;
149 secp256k1_scalar msg, key, nonce;
150 secp256k1_scalar sigr, sigs;
151
152 ecount = 0;
153 ecount2 = 10;
154 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
155 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
156 secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, NULL);
157 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
158
159 /*** clone and destroy all of them to make sure cloning was complete ***/
160 {
161 secp256k1_context *ctx_tmp;
162
163 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_destroy(ctx_tmp);
164 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_destroy(ctx_tmp);
165 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_destroy(ctx_tmp);
166 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_destroy(ctx_tmp);
167 }
168
169 /* Verify that the error callback makes it across the clone. */
170 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
171 /* And that it resets back to default. */
172 secp256k1_context_set_error_callback(sign, NULL, NULL);
173 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
174
175 /*** attempt to use them ***/
176 random_scalar_order_test(&msg);
177 random_scalar_order_test(&key);
178 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
179 secp256k1_ge_set_gej(&pub, &pubj);
180
181 /* Verify context-type checking illegal-argument errors. */
182 memset(ctmp, 1, 32);
183 CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
184 CHECK(ecount == 1);
185 VG_UNDEF(&pubkey, sizeof(pubkey));
186 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
187 VG_CHECK(&pubkey, sizeof(pubkey));
188 CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
189 CHECK(ecount == 2);
190 VG_UNDEF(&sig, sizeof(sig));
191 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
192 VG_CHECK(&sig, sizeof(sig));
193 CHECK(ecount2 == 10);
194 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
195 CHECK(ecount2 == 11);
196 CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
197 CHECK(ecount == 2);
198 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
199 CHECK(ecount2 == 12);
200 CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
201 CHECK(ecount == 2);
202 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
203 CHECK(ecount2 == 13);
204 CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
205 CHECK(ecount == 2);
206 CHECK(secp256k1_context_randomize(vrfy, ctmp) == 0);
207 CHECK(ecount == 3);
208 CHECK(secp256k1_context_randomize(sign, NULL) == 1);
209 CHECK(ecount2 == 13);
210 secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
211 secp256k1_context_set_illegal_callback(sign, NULL, NULL);
212
213 /* This shouldn't leak memory, due to already-set tests. */
214 secp256k1_ecmult_gen_context_build(&sign->ecmult_gen_ctx, NULL);
215 secp256k1_ecmult_context_build(&vrfy->ecmult_ctx, NULL);
216
217 /* obtain a working nonce */
218 do {
219 random_scalar_order_test(&nonce);
220 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
221
222 /* try signing */
223 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
224 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
225
226 /* try verifying */
227 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
228 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
229
230 /* cleanup */
231 secp256k1_context_destroy(none);
232 secp256k1_context_destroy(sign);
233 secp256k1_context_destroy(vrfy);
234 secp256k1_context_destroy(both);
235 /* Defined as no-op. */
236 secp256k1_context_destroy(NULL);
237 }
238
239 /***** HASH TESTS *****/
240
run_sha256_tests(void)241 void run_sha256_tests(void) {
242 static const char *inputs[8] = {
243 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
244 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
245 "For this sample, this 63-byte string will be used as input data",
246 "This is exactly 64 bytes long, not counting the terminating byte"
247 };
248 static const unsigned char outputs[8][32] = {
249 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
250 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
251 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
252 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
253 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
254 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
255 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
256 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
257 };
258 int i;
259 for (i = 0; i < 8; i++) {
260 unsigned char out[32];
261 secp256k1_sha256_t hasher;
262 secp256k1_sha256_initialize(&hasher);
263 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
264 secp256k1_sha256_finalize(&hasher, out);
265 CHECK(memcmp(out, outputs[i], 32) == 0);
266 if (strlen(inputs[i]) > 0) {
267 int split = secp256k1_rand_int(strlen(inputs[i]));
268 secp256k1_sha256_initialize(&hasher);
269 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
270 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
271 secp256k1_sha256_finalize(&hasher, out);
272 CHECK(memcmp(out, outputs[i], 32) == 0);
273 }
274 }
275 }
276
run_hmac_sha256_tests(void)277 void run_hmac_sha256_tests(void) {
278 static const char *keys[6] = {
279 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
280 "\x4a\x65\x66\x65",
281 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
282 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
283 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
284 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
285 };
286 static const char *inputs[6] = {
287 "\x48\x69\x20\x54\x68\x65\x72\x65",
288 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
289 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
290 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
291 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
292 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
293 };
294 static const unsigned char outputs[6][32] = {
295 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
296 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
297 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
298 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
299 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
300 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
301 };
302 int i;
303 for (i = 0; i < 6; i++) {
304 secp256k1_hmac_sha256_t hasher;
305 unsigned char out[32];
306 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
307 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
308 secp256k1_hmac_sha256_finalize(&hasher, out);
309 CHECK(memcmp(out, outputs[i], 32) == 0);
310 if (strlen(inputs[i]) > 0) {
311 int split = secp256k1_rand_int(strlen(inputs[i]));
312 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
313 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
314 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
315 secp256k1_hmac_sha256_finalize(&hasher, out);
316 CHECK(memcmp(out, outputs[i], 32) == 0);
317 }
318 }
319 }
320
run_rfc6979_hmac_sha256_tests(void)321 void run_rfc6979_hmac_sha256_tests(void) {
322 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
323 static const unsigned char out1[3][32] = {
324 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
325 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
326 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
327 };
328
329 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
330 static const unsigned char out2[3][32] = {
331 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
332 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
333 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
334 };
335
336 secp256k1_rfc6979_hmac_sha256_t rng;
337 unsigned char out[32];
338 int i;
339
340 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
341 for (i = 0; i < 3; i++) {
342 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
343 CHECK(memcmp(out, out1[i], 32) == 0);
344 }
345 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
346
347 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
348 for (i = 0; i < 3; i++) {
349 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
350 CHECK(memcmp(out, out1[i], 32) != 0);
351 }
352 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
353
354 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
355 for (i = 0; i < 3; i++) {
356 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
357 CHECK(memcmp(out, out2[i], 32) == 0);
358 }
359 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
360 }
361
362 /***** RANDOM TESTS *****/
363
test_rand_bits(int rand32,int bits)364 void test_rand_bits(int rand32, int bits) {
365 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
366 * get a false negative chance below once in a billion */
367 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
368 /* We try multiplying the results with various odd numbers, which shouldn't
369 * influence the uniform distribution modulo a power of 2. */
370 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
371 /* We only select up to 6 bits from the output to analyse */
372 unsigned int usebits = bits > 6 ? 6 : bits;
373 unsigned int maxshift = bits - usebits;
374 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
375 number, track all observed outcomes, one per bit in a uint64_t. */
376 uint64_t x[6][27] = {{0}};
377 unsigned int i, shift, m;
378 /* Multiply the output of all rand calls with the odd number m, which
379 should not change the uniformity of its distribution. */
380 for (i = 0; i < rounds[usebits]; i++) {
381 uint32_t r = (rand32 ? secp256k1_rand32() : secp256k1_rand_bits(bits));
382 CHECK((((uint64_t)r) >> bits) == 0);
383 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
384 uint32_t rm = r * mults[m];
385 for (shift = 0; shift <= maxshift; shift++) {
386 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
387 }
388 }
389 }
390 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
391 for (shift = 0; shift <= maxshift; shift++) {
392 /* Test that the lower usebits bits of x[shift] are 1 */
393 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
394 }
395 }
396 }
397
398 /* Subrange must be a whole divisor of range, and at most 64 */
test_rand_int(uint32_t range,uint32_t subrange)399 void test_rand_int(uint32_t range, uint32_t subrange) {
400 /* (1-1/subrange)^rounds < 1/10^9 */
401 int rounds = (subrange * 2073) / 100;
402 int i;
403 uint64_t x = 0;
404 CHECK((range % subrange) == 0);
405 for (i = 0; i < rounds; i++) {
406 uint32_t r = secp256k1_rand_int(range);
407 CHECK(r < range);
408 r = r % subrange;
409 x |= (((uint64_t)1) << r);
410 }
411 /* Test that the lower subrange bits of x are 1. */
412 CHECK(((~x) << (64 - subrange)) == 0);
413 }
414
run_rand_bits(void)415 void run_rand_bits(void) {
416 size_t b;
417 test_rand_bits(1, 32);
418 for (b = 1; b <= 32; b++) {
419 test_rand_bits(0, b);
420 }
421 }
422
run_rand_int(void)423 void run_rand_int(void) {
424 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
425 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
426 unsigned int m, s;
427 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
428 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
429 test_rand_int(ms[m] * ss[s], ss[s]);
430 }
431 }
432 }
433
434 /***** NUM TESTS *****/
435
436 #ifndef USE_NUM_NONE
random_num_negate(secp256k1_num * num)437 void random_num_negate(secp256k1_num *num) {
438 if (secp256k1_rand_bits(1)) {
439 secp256k1_num_negate(num);
440 }
441 }
442
random_num_order_test(secp256k1_num * num)443 void random_num_order_test(secp256k1_num *num) {
444 secp256k1_scalar sc;
445 random_scalar_order_test(&sc);
446 secp256k1_scalar_get_num(num, &sc);
447 }
448
random_num_order(secp256k1_num * num)449 void random_num_order(secp256k1_num *num) {
450 secp256k1_scalar sc;
451 random_scalar_order(&sc);
452 secp256k1_scalar_get_num(num, &sc);
453 }
454
test_num_negate(void)455 void test_num_negate(void) {
456 secp256k1_num n1;
457 secp256k1_num n2;
458 random_num_order_test(&n1); /* n1 = R */
459 random_num_negate(&n1);
460 secp256k1_num_copy(&n2, &n1); /* n2 = R */
461 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
462 CHECK(secp256k1_num_is_zero(&n1));
463 secp256k1_num_copy(&n1, &n2); /* n1 = R */
464 secp256k1_num_negate(&n1); /* n1 = -R */
465 CHECK(!secp256k1_num_is_zero(&n1));
466 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
467 CHECK(secp256k1_num_is_zero(&n1));
468 secp256k1_num_copy(&n1, &n2); /* n1 = R */
469 secp256k1_num_negate(&n1); /* n1 = -R */
470 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
471 secp256k1_num_negate(&n1); /* n1 = R */
472 CHECK(secp256k1_num_eq(&n1, &n2));
473 }
474
test_num_add_sub(void)475 void test_num_add_sub(void) {
476 int i;
477 secp256k1_scalar s;
478 secp256k1_num n1;
479 secp256k1_num n2;
480 secp256k1_num n1p2, n2p1, n1m2, n2m1;
481 random_num_order_test(&n1); /* n1 = R1 */
482 if (secp256k1_rand_bits(1)) {
483 random_num_negate(&n1);
484 }
485 random_num_order_test(&n2); /* n2 = R2 */
486 if (secp256k1_rand_bits(1)) {
487 random_num_negate(&n2);
488 }
489 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
490 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
491 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
492 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
493 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
494 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
495 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
496 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
497 CHECK(!secp256k1_num_eq(&n2m1, &n1));
498 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
499 CHECK(secp256k1_num_eq(&n2m1, &n1));
500 CHECK(!secp256k1_num_eq(&n2p1, &n1));
501 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
502 CHECK(secp256k1_num_eq(&n2p1, &n1));
503
504 /* check is_one */
505 secp256k1_scalar_set_int(&s, 1);
506 secp256k1_scalar_get_num(&n1, &s);
507 CHECK(secp256k1_num_is_one(&n1));
508 /* check that 2^n + 1 is never 1 */
509 secp256k1_scalar_get_num(&n2, &s);
510 for (i = 0; i < 250; ++i) {
511 secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */
512 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */
513 CHECK(!secp256k1_num_is_one(&n1p2));
514 }
515 }
516
test_num_mod(void)517 void test_num_mod(void) {
518 int i;
519 secp256k1_scalar s;
520 secp256k1_num order, n;
521
522 /* check that 0 mod anything is 0 */
523 random_scalar_order_test(&s);
524 secp256k1_scalar_get_num(&order, &s);
525 secp256k1_scalar_set_int(&s, 0);
526 secp256k1_scalar_get_num(&n, &s);
527 secp256k1_num_mod(&n, &order);
528 CHECK(secp256k1_num_is_zero(&n));
529
530 /* check that anything mod 1 is 0 */
531 secp256k1_scalar_set_int(&s, 1);
532 secp256k1_scalar_get_num(&order, &s);
533 secp256k1_scalar_get_num(&n, &s);
534 secp256k1_num_mod(&n, &order);
535 CHECK(secp256k1_num_is_zero(&n));
536
537 /* check that increasing the number past 2^256 does not break this */
538 random_scalar_order_test(&s);
539 secp256k1_scalar_get_num(&n, &s);
540 /* multiply by 2^8, which'll test this case with high probability */
541 for (i = 0; i < 8; ++i) {
542 secp256k1_num_add(&n, &n, &n);
543 }
544 secp256k1_num_mod(&n, &order);
545 CHECK(secp256k1_num_is_zero(&n));
546 }
547
test_num_jacobi(void)548 void test_num_jacobi(void) {
549 secp256k1_scalar sqr;
550 secp256k1_scalar small;
551 secp256k1_scalar five; /* five is not a quadratic residue */
552 secp256k1_num order, n;
553 int i;
554 /* squares mod 5 are 1, 4 */
555 const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
556
557 /* check some small values with 5 as the order */
558 secp256k1_scalar_set_int(&five, 5);
559 secp256k1_scalar_get_num(&order, &five);
560 for (i = 0; i < 10; ++i) {
561 secp256k1_scalar_set_int(&small, i);
562 secp256k1_scalar_get_num(&n, &small);
563 CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
564 }
565
566 /** test large values with 5 as group order */
567 secp256k1_scalar_get_num(&order, &five);
568 /* we first need a scalar which is not a multiple of 5 */
569 do {
570 secp256k1_num fiven;
571 random_scalar_order_test(&sqr);
572 secp256k1_scalar_get_num(&fiven, &five);
573 secp256k1_scalar_get_num(&n, &sqr);
574 secp256k1_num_mod(&n, &fiven);
575 } while (secp256k1_num_is_zero(&n));
576 /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
577 * just multiply by two, i.e. add the number to itself */
578 if (secp256k1_num_jacobi(&n, &order) == -1) {
579 secp256k1_num_add(&n, &n, &n);
580 }
581
582 /* test residue */
583 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
584 /* test nonresidue */
585 secp256k1_num_add(&n, &n, &n);
586 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
587
588 /** test with secp group order as order */
589 secp256k1_scalar_order_get_num(&order);
590 random_scalar_order_test(&sqr);
591 secp256k1_scalar_sqr(&sqr, &sqr);
592 /* test residue */
593 secp256k1_scalar_get_num(&n, &sqr);
594 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
595 /* test nonresidue */
596 secp256k1_scalar_mul(&sqr, &sqr, &five);
597 secp256k1_scalar_get_num(&n, &sqr);
598 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
599 /* test multiple of the order*/
600 CHECK(secp256k1_num_jacobi(&order, &order) == 0);
601
602 /* check one less than the order */
603 secp256k1_scalar_set_int(&small, 1);
604 secp256k1_scalar_get_num(&n, &small);
605 secp256k1_num_sub(&n, &order, &n);
606 CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */
607 }
608
run_num_smalltests(void)609 void run_num_smalltests(void) {
610 int i;
611 for (i = 0; i < 100*count; i++) {
612 test_num_negate();
613 test_num_add_sub();
614 test_num_mod();
615 test_num_jacobi();
616 }
617 }
618 #endif
619
620 /***** SCALAR TESTS *****/
621
scalar_test(void)622 void scalar_test(void) {
623 secp256k1_scalar s;
624 secp256k1_scalar s1;
625 secp256k1_scalar s2;
626 #ifndef USE_NUM_NONE
627 secp256k1_num snum, s1num, s2num;
628 secp256k1_num order, half_order;
629 #endif
630 unsigned char c[32];
631
632 /* Set 's' to a random scalar, with value 'snum'. */
633 random_scalar_order_test(&s);
634
635 /* Set 's1' to a random scalar, with value 's1num'. */
636 random_scalar_order_test(&s1);
637
638 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
639 random_scalar_order_test(&s2);
640 secp256k1_scalar_get_b32(c, &s2);
641
642 #ifndef USE_NUM_NONE
643 secp256k1_scalar_get_num(&snum, &s);
644 secp256k1_scalar_get_num(&s1num, &s1);
645 secp256k1_scalar_get_num(&s2num, &s2);
646
647 secp256k1_scalar_order_get_num(&order);
648 half_order = order;
649 secp256k1_num_shift(&half_order, 1);
650 #endif
651
652 {
653 int i;
654 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
655 secp256k1_scalar n;
656 secp256k1_scalar_set_int(&n, 0);
657 for (i = 0; i < 256; i += 4) {
658 secp256k1_scalar t;
659 int j;
660 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
661 for (j = 0; j < 4; j++) {
662 secp256k1_scalar_add(&n, &n, &n);
663 }
664 secp256k1_scalar_add(&n, &n, &t);
665 }
666 CHECK(secp256k1_scalar_eq(&n, &s));
667 }
668
669 {
670 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
671 secp256k1_scalar n;
672 int i = 0;
673 secp256k1_scalar_set_int(&n, 0);
674 while (i < 256) {
675 secp256k1_scalar t;
676 int j;
677 int now = secp256k1_rand_int(15) + 1;
678 if (now + i > 256) {
679 now = 256 - i;
680 }
681 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
682 for (j = 0; j < now; j++) {
683 secp256k1_scalar_add(&n, &n, &n);
684 }
685 secp256k1_scalar_add(&n, &n, &t);
686 i += now;
687 }
688 CHECK(secp256k1_scalar_eq(&n, &s));
689 }
690
691 #ifndef USE_NUM_NONE
692 {
693 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
694 secp256k1_num rnum;
695 secp256k1_num r2num;
696 secp256k1_scalar r;
697 secp256k1_num_add(&rnum, &snum, &s2num);
698 secp256k1_num_mod(&rnum, &order);
699 secp256k1_scalar_add(&r, &s, &s2);
700 secp256k1_scalar_get_num(&r2num, &r);
701 CHECK(secp256k1_num_eq(&rnum, &r2num));
702 }
703
704 {
705 /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
706 secp256k1_scalar r;
707 secp256k1_num r2num;
708 secp256k1_num rnum;
709 secp256k1_num_mul(&rnum, &snum, &s2num);
710 secp256k1_num_mod(&rnum, &order);
711 secp256k1_scalar_mul(&r, &s, &s2);
712 secp256k1_scalar_get_num(&r2num, &r);
713 CHECK(secp256k1_num_eq(&rnum, &r2num));
714 /* The result can only be zero if at least one of the factors was zero. */
715 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
716 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
717 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
718 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
719 }
720
721 {
722 secp256k1_scalar neg;
723 secp256k1_num negnum;
724 secp256k1_num negnum2;
725 /* Check that comparison with zero matches comparison with zero on the number. */
726 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
727 /* Check that comparison with the half order is equal to testing for high scalar. */
728 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
729 secp256k1_scalar_negate(&neg, &s);
730 secp256k1_num_sub(&negnum, &order, &snum);
731 secp256k1_num_mod(&negnum, &order);
732 /* Check that comparison with the half order is equal to testing for high scalar after negation. */
733 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
734 /* Negating should change the high property, unless the value was already zero. */
735 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
736 secp256k1_scalar_get_num(&negnum2, &neg);
737 /* Negating a scalar should be equal to (order - n) mod order on the number. */
738 CHECK(secp256k1_num_eq(&negnum, &negnum2));
739 secp256k1_scalar_add(&neg, &neg, &s);
740 /* Adding a number to its negation should result in zero. */
741 CHECK(secp256k1_scalar_is_zero(&neg));
742 secp256k1_scalar_negate(&neg, &neg);
743 /* Negating zero should still result in zero. */
744 CHECK(secp256k1_scalar_is_zero(&neg));
745 }
746
747 {
748 /* Test secp256k1_scalar_mul_shift_var. */
749 secp256k1_scalar r;
750 secp256k1_num one;
751 secp256k1_num rnum;
752 secp256k1_num rnum2;
753 unsigned char cone[1] = {0x01};
754 unsigned int shift = 256 + secp256k1_rand_int(257);
755 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
756 secp256k1_num_mul(&rnum, &s1num, &s2num);
757 secp256k1_num_shift(&rnum, shift - 1);
758 secp256k1_num_set_bin(&one, cone, 1);
759 secp256k1_num_add(&rnum, &rnum, &one);
760 secp256k1_num_shift(&rnum, 1);
761 secp256k1_scalar_get_num(&rnum2, &r);
762 CHECK(secp256k1_num_eq(&rnum, &rnum2));
763 }
764
765 {
766 /* test secp256k1_scalar_shr_int */
767 secp256k1_scalar r;
768 int i;
769 random_scalar_order_test(&r);
770 for (i = 0; i < 100; ++i) {
771 int low;
772 int shift = 1 + secp256k1_rand_int(15);
773 int expected = r.d[0] % (1 << shift);
774 low = secp256k1_scalar_shr_int(&r, shift);
775 CHECK(expected == low);
776 }
777 }
778 #endif
779
780 {
781 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
782 if (!secp256k1_scalar_is_zero(&s)) {
783 secp256k1_scalar inv;
784 #ifndef USE_NUM_NONE
785 secp256k1_num invnum;
786 secp256k1_num invnum2;
787 #endif
788 secp256k1_scalar_inverse(&inv, &s);
789 #ifndef USE_NUM_NONE
790 secp256k1_num_mod_inverse(&invnum, &snum, &order);
791 secp256k1_scalar_get_num(&invnum2, &inv);
792 CHECK(secp256k1_num_eq(&invnum, &invnum2));
793 #endif
794 secp256k1_scalar_mul(&inv, &inv, &s);
795 /* Multiplying a scalar with its inverse must result in one. */
796 CHECK(secp256k1_scalar_is_one(&inv));
797 secp256k1_scalar_inverse(&inv, &inv);
798 /* Inverting one must result in one. */
799 CHECK(secp256k1_scalar_is_one(&inv));
800 #ifndef USE_NUM_NONE
801 secp256k1_scalar_get_num(&invnum, &inv);
802 CHECK(secp256k1_num_is_one(&invnum));
803 #endif
804 }
805 }
806
807 {
808 /* Test commutativity of add. */
809 secp256k1_scalar r1, r2;
810 secp256k1_scalar_add(&r1, &s1, &s2);
811 secp256k1_scalar_add(&r2, &s2, &s1);
812 CHECK(secp256k1_scalar_eq(&r1, &r2));
813 }
814
815 {
816 secp256k1_scalar r1, r2;
817 secp256k1_scalar b;
818 int i;
819 /* Test add_bit. */
820 int bit = secp256k1_rand_bits(8);
821 secp256k1_scalar_set_int(&b, 1);
822 CHECK(secp256k1_scalar_is_one(&b));
823 for (i = 0; i < bit; i++) {
824 secp256k1_scalar_add(&b, &b, &b);
825 }
826 r1 = s1;
827 r2 = s1;
828 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
829 /* No overflow happened. */
830 secp256k1_scalar_cadd_bit(&r2, bit, 1);
831 CHECK(secp256k1_scalar_eq(&r1, &r2));
832 /* cadd is a noop when flag is zero */
833 secp256k1_scalar_cadd_bit(&r2, bit, 0);
834 CHECK(secp256k1_scalar_eq(&r1, &r2));
835 }
836 }
837
838 {
839 /* Test commutativity of mul. */
840 secp256k1_scalar r1, r2;
841 secp256k1_scalar_mul(&r1, &s1, &s2);
842 secp256k1_scalar_mul(&r2, &s2, &s1);
843 CHECK(secp256k1_scalar_eq(&r1, &r2));
844 }
845
846 {
847 /* Test associativity of add. */
848 secp256k1_scalar r1, r2;
849 secp256k1_scalar_add(&r1, &s1, &s2);
850 secp256k1_scalar_add(&r1, &r1, &s);
851 secp256k1_scalar_add(&r2, &s2, &s);
852 secp256k1_scalar_add(&r2, &s1, &r2);
853 CHECK(secp256k1_scalar_eq(&r1, &r2));
854 }
855
856 {
857 /* Test associativity of mul. */
858 secp256k1_scalar r1, r2;
859 secp256k1_scalar_mul(&r1, &s1, &s2);
860 secp256k1_scalar_mul(&r1, &r1, &s);
861 secp256k1_scalar_mul(&r2, &s2, &s);
862 secp256k1_scalar_mul(&r2, &s1, &r2);
863 CHECK(secp256k1_scalar_eq(&r1, &r2));
864 }
865
866 {
867 /* Test distributitivity of mul over add. */
868 secp256k1_scalar r1, r2, t;
869 secp256k1_scalar_add(&r1, &s1, &s2);
870 secp256k1_scalar_mul(&r1, &r1, &s);
871 secp256k1_scalar_mul(&r2, &s1, &s);
872 secp256k1_scalar_mul(&t, &s2, &s);
873 secp256k1_scalar_add(&r2, &r2, &t);
874 CHECK(secp256k1_scalar_eq(&r1, &r2));
875 }
876
877 {
878 /* Test square. */
879 secp256k1_scalar r1, r2;
880 secp256k1_scalar_sqr(&r1, &s1);
881 secp256k1_scalar_mul(&r2, &s1, &s1);
882 CHECK(secp256k1_scalar_eq(&r1, &r2));
883 }
884
885 {
886 /* Test multiplicative identity. */
887 secp256k1_scalar r1, v1;
888 secp256k1_scalar_set_int(&v1,1);
889 secp256k1_scalar_mul(&r1, &s1, &v1);
890 CHECK(secp256k1_scalar_eq(&r1, &s1));
891 }
892
893 {
894 /* Test additive identity. */
895 secp256k1_scalar r1, v0;
896 secp256k1_scalar_set_int(&v0,0);
897 secp256k1_scalar_add(&r1, &s1, &v0);
898 CHECK(secp256k1_scalar_eq(&r1, &s1));
899 }
900
901 {
902 /* Test zero product property. */
903 secp256k1_scalar r1, v0;
904 secp256k1_scalar_set_int(&v0,0);
905 secp256k1_scalar_mul(&r1, &s1, &v0);
906 CHECK(secp256k1_scalar_eq(&r1, &v0));
907 }
908
909 }
910
run_scalar_tests(void)911 void run_scalar_tests(void) {
912 int i;
913 for (i = 0; i < 128 * count; i++) {
914 scalar_test();
915 }
916
917 {
918 /* (-1)+1 should be zero. */
919 secp256k1_scalar s, o;
920 secp256k1_scalar_set_int(&s, 1);
921 CHECK(secp256k1_scalar_is_one(&s));
922 secp256k1_scalar_negate(&o, &s);
923 secp256k1_scalar_add(&o, &o, &s);
924 CHECK(secp256k1_scalar_is_zero(&o));
925 secp256k1_scalar_negate(&o, &o);
926 CHECK(secp256k1_scalar_is_zero(&o));
927 }
928
929 #ifndef USE_NUM_NONE
930 {
931 /* A scalar with value of the curve order should be 0. */
932 secp256k1_num order;
933 secp256k1_scalar zero;
934 unsigned char bin[32];
935 int overflow = 0;
936 secp256k1_scalar_order_get_num(&order);
937 secp256k1_num_get_bin(bin, 32, &order);
938 secp256k1_scalar_set_b32(&zero, bin, &overflow);
939 CHECK(overflow == 1);
940 CHECK(secp256k1_scalar_is_zero(&zero));
941 }
942 #endif
943
944 {
945 /* Does check_overflow check catch all ones? */
946 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
947 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
948 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
949 );
950 CHECK(secp256k1_scalar_check_overflow(&overflowed));
951 }
952
953 {
954 /* Static test vectors.
955 * These were reduced from ~10^12 random vectors based on comparison-decision
956 * and edge-case coverage on 32-bit and 64-bit implementations.
957 * The responses were generated with Sage 5.9.
958 */
959 secp256k1_scalar x;
960 secp256k1_scalar y;
961 secp256k1_scalar z;
962 secp256k1_scalar zz;
963 secp256k1_scalar one;
964 secp256k1_scalar r1;
965 secp256k1_scalar r2;
966 #if defined(USE_SCALAR_INV_NUM)
967 secp256k1_scalar zzv;
968 #endif
969 int overflow;
970 unsigned char chal[33][2][32] = {
971 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
972 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
973 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
974 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
975 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
976 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
977 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
978 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
979 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
980 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
981 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
982 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
983 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
984 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
985 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
986 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
987 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
988 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
989 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
990 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
991 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
992 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
993 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
994 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
995 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
996 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
997 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
998 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
999 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1000 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1001 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1002 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1003 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1004 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1005 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1006 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1007 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1008 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1009 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1010 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1011 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1012 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1013 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1014 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1015 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1016 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1017 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1018 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1019 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1020 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1021 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1022 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1023 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1024 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1025 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1026 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1027 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1028 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1029 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1030 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1031 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1032 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1033 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1034 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1035 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1036 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1037 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1038 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1039 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1040 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1041 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1042 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1043 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1044 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1045 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1046 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1047 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1048 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1049 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1050 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1051 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1052 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1053 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1054 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1055 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1056 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1057 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1058 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1059 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1060 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1061 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1062 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1063 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1064 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1065 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1066 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1067 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1068 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1069 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1070 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1071 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1072 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1073 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1074 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1075 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1076 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1077 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1078 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1079 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1080 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1081 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1082 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1083 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1084 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1085 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1086 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1087 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1088 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1089 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1090 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1091 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1092 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1093 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1094 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1095 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1096 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1097 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1098 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1099 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1100 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1101 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1102 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1103 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1104 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1105 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1106 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1107 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1108 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1109 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1110 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1111 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1112 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1113 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1114 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1115 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1116 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1117 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1118 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1119 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1120 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1121 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1122 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1123 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1124 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1125 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1126 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1127 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1128 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1129 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1130 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1131 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1132 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1133 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1134 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1135 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1136 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1137 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1138 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1139 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1140 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1141 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1142 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1143 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1144 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1145 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1146 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1147 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1148 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1149 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1150 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1151 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1152 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1153 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1154 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1155 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1156 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1157 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1158 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1159 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1160 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1161 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1162 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1163 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1164 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1165 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1166 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1167 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1168 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1169 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1170 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1171 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1172 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1173 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1174 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1175 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1176 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1177 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1178 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1179 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1180 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1181 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1182 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1183 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1184 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1185 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1186 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1187 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1188 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1189 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1190 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1191 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1192 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1193 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1194 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1195 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1196 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1197 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1198 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1199 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1200 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1201 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1202 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1203 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1204 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1205 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1206 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1207 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1208 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1209 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1210 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1211 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1212 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1213 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1214 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1215 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1216 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1217 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1218 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1219 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1220 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1221 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1222 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1223 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1224 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1225 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1226 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1227 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1228 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1229 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1230 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1231 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1232 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1233 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1234 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
1235 };
1236 unsigned char res[33][2][32] = {
1237 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1238 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1239 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1240 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1241 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1242 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1243 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1244 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1245 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1246 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1247 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1248 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1249 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1250 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1251 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1252 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1253 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1254 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1255 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1256 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1257 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1258 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1259 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1260 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1261 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1262 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1263 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1264 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1265 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1266 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1267 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1268 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1269 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1270 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1271 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1272 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1273 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1274 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1275 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1276 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1277 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1278 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1279 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1280 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1281 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1282 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1283 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1284 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1285 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1286 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1287 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1288 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1289 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1290 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1291 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1292 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1293 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1294 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1295 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1296 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1297 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1298 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1299 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1300 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1301 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1302 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1303 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1304 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1305 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1306 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1307 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1308 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1309 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1310 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1311 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1312 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1313 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1314 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1315 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1316 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1317 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1318 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1319 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1320 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1321 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1322 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1323 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1324 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1325 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1326 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1327 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1328 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1329 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1330 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1331 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1332 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1333 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1334 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1335 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1336 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1337 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1338 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1339 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1340 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1341 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1342 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1343 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1344 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1345 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1346 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1347 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1348 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1349 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1350 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1351 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1352 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1353 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1354 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1355 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1356 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1357 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1358 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1359 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1360 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1361 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1362 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1363 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1364 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1365 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1366 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1367 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1368 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1369 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1370 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1371 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1372 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1373 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1374 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1375 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1376 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1377 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1378 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1379 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1380 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1381 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1382 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1383 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1384 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1385 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1386 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1387 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1388 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1389 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1390 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1391 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1392 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1393 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1394 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1395 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1396 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1397 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1398 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1399 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1400 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1401 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1402 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1403 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1404 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1405 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1406 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1407 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1408 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1409 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1410 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1411 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1412 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1413 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1414 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1415 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1416 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1417 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1418 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1419 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1420 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1421 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1422 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1423 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1424 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1425 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1426 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1427 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1428 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1429 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1430 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1431 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1432 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1433 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1434 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1435 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1436 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1437 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1438 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1439 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1440 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1441 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1442 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1443 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1444 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1445 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1446 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1447 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1448 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1449 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1450 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1451 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1452 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1453 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1454 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1455 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1456 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1457 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1458 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1459 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1460 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1461 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1462 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1463 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1464 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1465 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1466 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1467 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1468 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1469 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1470 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1471 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1472 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1473 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1474 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1475 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1476 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1477 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1478 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1479 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1480 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1481 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1482 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1483 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1484 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1485 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1486 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1487 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1488 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1489 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1490 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1491 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
1492 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1493 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1494 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1495 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1496 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1497 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1498 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1499 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1500 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
1501 };
1502 secp256k1_scalar_set_int(&one, 1);
1503 for (i = 0; i < 33; i++) {
1504 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1505 CHECK(!overflow);
1506 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1507 CHECK(!overflow);
1508 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1509 CHECK(!overflow);
1510 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1511 CHECK(!overflow);
1512 secp256k1_scalar_mul(&z, &x, &y);
1513 CHECK(!secp256k1_scalar_check_overflow(&z));
1514 CHECK(secp256k1_scalar_eq(&r1, &z));
1515 if (!secp256k1_scalar_is_zero(&y)) {
1516 secp256k1_scalar_inverse(&zz, &y);
1517 CHECK(!secp256k1_scalar_check_overflow(&zz));
1518 #if defined(USE_SCALAR_INV_NUM)
1519 secp256k1_scalar_inverse_var(&zzv, &y);
1520 CHECK(secp256k1_scalar_eq(&zzv, &zz));
1521 #endif
1522 secp256k1_scalar_mul(&z, &z, &zz);
1523 CHECK(!secp256k1_scalar_check_overflow(&z));
1524 CHECK(secp256k1_scalar_eq(&x, &z));
1525 secp256k1_scalar_mul(&zz, &zz, &y);
1526 CHECK(!secp256k1_scalar_check_overflow(&zz));
1527 CHECK(secp256k1_scalar_eq(&one, &zz));
1528 }
1529 secp256k1_scalar_mul(&z, &x, &x);
1530 CHECK(!secp256k1_scalar_check_overflow(&z));
1531 secp256k1_scalar_sqr(&zz, &x);
1532 CHECK(!secp256k1_scalar_check_overflow(&zz));
1533 CHECK(secp256k1_scalar_eq(&zz, &z));
1534 CHECK(secp256k1_scalar_eq(&r2, &zz));
1535 }
1536 }
1537 }
1538
1539 /***** FIELD TESTS *****/
1540
random_fe(secp256k1_fe * x)1541 void random_fe(secp256k1_fe *x) {
1542 unsigned char bin[32];
1543 do {
1544 secp256k1_rand256(bin);
1545 if (secp256k1_fe_set_b32(x, bin)) {
1546 return;
1547 }
1548 } while(1);
1549 }
1550
random_fe_test(secp256k1_fe * x)1551 void random_fe_test(secp256k1_fe *x) {
1552 unsigned char bin[32];
1553 do {
1554 secp256k1_rand256_test(bin);
1555 if (secp256k1_fe_set_b32(x, bin)) {
1556 return;
1557 }
1558 } while(1);
1559 }
1560
random_fe_non_zero(secp256k1_fe * nz)1561 void random_fe_non_zero(secp256k1_fe *nz) {
1562 int tries = 10;
1563 while (--tries >= 0) {
1564 random_fe(nz);
1565 secp256k1_fe_normalize(nz);
1566 if (!secp256k1_fe_is_zero(nz)) {
1567 break;
1568 }
1569 }
1570 /* Infinitesimal probability of spurious failure here */
1571 CHECK(tries >= 0);
1572 }
1573
random_fe_non_square(secp256k1_fe * ns)1574 void random_fe_non_square(secp256k1_fe *ns) {
1575 secp256k1_fe r;
1576 random_fe_non_zero(ns);
1577 if (secp256k1_fe_sqrt(&r, ns)) {
1578 secp256k1_fe_negate(ns, ns, 1);
1579 }
1580 }
1581
check_fe_equal(const secp256k1_fe * a,const secp256k1_fe * b)1582 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1583 secp256k1_fe an = *a;
1584 secp256k1_fe bn = *b;
1585 secp256k1_fe_normalize_weak(&an);
1586 secp256k1_fe_normalize_var(&bn);
1587 return secp256k1_fe_equal_var(&an, &bn);
1588 }
1589
check_fe_inverse(const secp256k1_fe * a,const secp256k1_fe * ai)1590 int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) {
1591 secp256k1_fe x;
1592 secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
1593 secp256k1_fe_mul(&x, a, ai);
1594 return check_fe_equal(&x, &one);
1595 }
1596
run_field_convert(void)1597 void run_field_convert(void) {
1598 static const unsigned char b32[32] = {
1599 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1600 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1601 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1602 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1603 };
1604 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
1605 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1606 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1607 );
1608 static const secp256k1_fe fe = SECP256K1_FE_CONST(
1609 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1610 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1611 );
1612 secp256k1_fe fe2;
1613 unsigned char b322[32];
1614 secp256k1_fe_storage fes2;
1615 /* Check conversions to fe. */
1616 CHECK(secp256k1_fe_set_b32(&fe2, b32));
1617 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1618 secp256k1_fe_from_storage(&fe2, &fes);
1619 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1620 /* Check conversion from fe. */
1621 secp256k1_fe_get_b32(b322, &fe);
1622 CHECK(memcmp(b322, b32, 32) == 0);
1623 secp256k1_fe_to_storage(&fes2, &fe);
1624 CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0);
1625 }
1626
fe_memcmp(const secp256k1_fe * a,const secp256k1_fe * b)1627 int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b) {
1628 secp256k1_fe t = *b;
1629 #ifdef VERIFY
1630 t.magnitude = a->magnitude;
1631 t.normalized = a->normalized;
1632 #endif
1633 return memcmp(a, &t, sizeof(secp256k1_fe));
1634 }
1635
run_field_misc(void)1636 void run_field_misc(void) {
1637 secp256k1_fe x;
1638 secp256k1_fe y;
1639 secp256k1_fe z;
1640 secp256k1_fe q;
1641 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
1642 int i, j;
1643 for (i = 0; i < 5*count; i++) {
1644 secp256k1_fe_storage xs, ys, zs;
1645 random_fe(&x);
1646 random_fe_non_zero(&y);
1647 /* Test the fe equality and comparison operations. */
1648 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
1649 CHECK(secp256k1_fe_equal_var(&x, &x));
1650 z = x;
1651 secp256k1_fe_add(&z,&y);
1652 /* Test fe conditional move; z is not normalized here. */
1653 q = x;
1654 secp256k1_fe_cmov(&x, &z, 0);
1655 VERIFY_CHECK(!x.normalized && x.magnitude == z.magnitude);
1656 secp256k1_fe_cmov(&x, &x, 1);
1657 CHECK(fe_memcmp(&x, &z) != 0);
1658 CHECK(fe_memcmp(&x, &q) == 0);
1659 secp256k1_fe_cmov(&q, &z, 1);
1660 VERIFY_CHECK(!q.normalized && q.magnitude == z.magnitude);
1661 CHECK(fe_memcmp(&q, &z) == 0);
1662 secp256k1_fe_normalize_var(&x);
1663 secp256k1_fe_normalize_var(&z);
1664 CHECK(!secp256k1_fe_equal_var(&x, &z));
1665 secp256k1_fe_normalize_var(&q);
1666 secp256k1_fe_cmov(&q, &z, (i&1));
1667 VERIFY_CHECK(q.normalized && q.magnitude == 1);
1668 for (j = 0; j < 6; j++) {
1669 secp256k1_fe_negate(&z, &z, j+1);
1670 secp256k1_fe_normalize_var(&q);
1671 secp256k1_fe_cmov(&q, &z, (j&1));
1672 VERIFY_CHECK(!q.normalized && q.magnitude == (j+2));
1673 }
1674 secp256k1_fe_normalize_var(&z);
1675 /* Test storage conversion and conditional moves. */
1676 secp256k1_fe_to_storage(&xs, &x);
1677 secp256k1_fe_to_storage(&ys, &y);
1678 secp256k1_fe_to_storage(&zs, &z);
1679 secp256k1_fe_storage_cmov(&zs, &xs, 0);
1680 secp256k1_fe_storage_cmov(&zs, &zs, 1);
1681 CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0);
1682 secp256k1_fe_storage_cmov(&ys, &xs, 1);
1683 CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0);
1684 secp256k1_fe_from_storage(&x, &xs);
1685 secp256k1_fe_from_storage(&y, &ys);
1686 secp256k1_fe_from_storage(&z, &zs);
1687 /* Test that mul_int, mul, and add agree. */
1688 secp256k1_fe_add(&y, &x);
1689 secp256k1_fe_add(&y, &x);
1690 z = x;
1691 secp256k1_fe_mul_int(&z, 3);
1692 CHECK(check_fe_equal(&y, &z));
1693 secp256k1_fe_add(&y, &x);
1694 secp256k1_fe_add(&z, &x);
1695 CHECK(check_fe_equal(&z, &y));
1696 z = x;
1697 secp256k1_fe_mul_int(&z, 5);
1698 secp256k1_fe_mul(&q, &x, &fe5);
1699 CHECK(check_fe_equal(&z, &q));
1700 secp256k1_fe_negate(&x, &x, 1);
1701 secp256k1_fe_add(&z, &x);
1702 secp256k1_fe_add(&q, &x);
1703 CHECK(check_fe_equal(&y, &z));
1704 CHECK(check_fe_equal(&q, &y));
1705 }
1706 }
1707
run_field_inv(void)1708 void run_field_inv(void) {
1709 secp256k1_fe x, xi, xii;
1710 int i;
1711 for (i = 0; i < 10*count; i++) {
1712 random_fe_non_zero(&x);
1713 secp256k1_fe_inv(&xi, &x);
1714 CHECK(check_fe_inverse(&x, &xi));
1715 secp256k1_fe_inv(&xii, &xi);
1716 CHECK(check_fe_equal(&x, &xii));
1717 }
1718 }
1719
run_field_inv_var(void)1720 void run_field_inv_var(void) {
1721 secp256k1_fe x, xi, xii;
1722 int i;
1723 for (i = 0; i < 10*count; i++) {
1724 random_fe_non_zero(&x);
1725 secp256k1_fe_inv_var(&xi, &x);
1726 CHECK(check_fe_inverse(&x, &xi));
1727 secp256k1_fe_inv_var(&xii, &xi);
1728 CHECK(check_fe_equal(&x, &xii));
1729 }
1730 }
1731
run_field_inv_all_var(void)1732 void run_field_inv_all_var(void) {
1733 secp256k1_fe x[16], xi[16], xii[16];
1734 int i;
1735 /* Check it's safe to call for 0 elements */
1736 secp256k1_fe_inv_all_var(xi, x, 0);
1737 for (i = 0; i < count; i++) {
1738 size_t j;
1739 size_t len = secp256k1_rand_int(15) + 1;
1740 for (j = 0; j < len; j++) {
1741 random_fe_non_zero(&x[j]);
1742 }
1743 secp256k1_fe_inv_all_var(xi, x, len);
1744 for (j = 0; j < len; j++) {
1745 CHECK(check_fe_inverse(&x[j], &xi[j]));
1746 }
1747 secp256k1_fe_inv_all_var(xii, xi, len);
1748 for (j = 0; j < len; j++) {
1749 CHECK(check_fe_equal(&x[j], &xii[j]));
1750 }
1751 }
1752 }
1753
run_sqr(void)1754 void run_sqr(void) {
1755 secp256k1_fe x, s;
1756
1757 {
1758 int i;
1759 secp256k1_fe_set_int(&x, 1);
1760 secp256k1_fe_negate(&x, &x, 1);
1761
1762 for (i = 1; i <= 512; ++i) {
1763 secp256k1_fe_mul_int(&x, 2);
1764 secp256k1_fe_normalize(&x);
1765 secp256k1_fe_sqr(&s, &x);
1766 }
1767 }
1768 }
1769
test_sqrt(const secp256k1_fe * a,const secp256k1_fe * k)1770 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
1771 secp256k1_fe r1, r2;
1772 int v = secp256k1_fe_sqrt(&r1, a);
1773 CHECK((v == 0) == (k == NULL));
1774
1775 if (k != NULL) {
1776 /* Check that the returned root is +/- the given known answer */
1777 secp256k1_fe_negate(&r2, &r1, 1);
1778 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
1779 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
1780 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
1781 }
1782 }
1783
run_sqrt(void)1784 void run_sqrt(void) {
1785 secp256k1_fe ns, x, s, t;
1786 int i;
1787
1788 /* Check sqrt(0) is 0 */
1789 secp256k1_fe_set_int(&x, 0);
1790 secp256k1_fe_sqr(&s, &x);
1791 test_sqrt(&s, &x);
1792
1793 /* Check sqrt of small squares (and their negatives) */
1794 for (i = 1; i <= 100; i++) {
1795 secp256k1_fe_set_int(&x, i);
1796 secp256k1_fe_sqr(&s, &x);
1797 test_sqrt(&s, &x);
1798 secp256k1_fe_negate(&t, &s, 1);
1799 test_sqrt(&t, NULL);
1800 }
1801
1802 /* Consistency checks for large random values */
1803 for (i = 0; i < 10; i++) {
1804 int j;
1805 random_fe_non_square(&ns);
1806 for (j = 0; j < count; j++) {
1807 random_fe(&x);
1808 secp256k1_fe_sqr(&s, &x);
1809 test_sqrt(&s, &x);
1810 secp256k1_fe_negate(&t, &s, 1);
1811 test_sqrt(&t, NULL);
1812 secp256k1_fe_mul(&t, &s, &ns);
1813 test_sqrt(&t, NULL);
1814 }
1815 }
1816 }
1817
1818 /***** GROUP TESTS *****/
1819
ge_equals_ge(const secp256k1_ge * a,const secp256k1_ge * b)1820 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
1821 CHECK(a->infinity == b->infinity);
1822 if (a->infinity) {
1823 return;
1824 }
1825 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
1826 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
1827 }
1828
1829 /* This compares jacobian points including their Z, not just their geometric meaning. */
gej_xyz_equals_gej(const secp256k1_gej * a,const secp256k1_gej * b)1830 int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
1831 secp256k1_gej a2;
1832 secp256k1_gej b2;
1833 int ret = 1;
1834 ret &= a->infinity == b->infinity;
1835 if (ret && !a->infinity) {
1836 a2 = *a;
1837 b2 = *b;
1838 secp256k1_fe_normalize(&a2.x);
1839 secp256k1_fe_normalize(&a2.y);
1840 secp256k1_fe_normalize(&a2.z);
1841 secp256k1_fe_normalize(&b2.x);
1842 secp256k1_fe_normalize(&b2.y);
1843 secp256k1_fe_normalize(&b2.z);
1844 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
1845 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
1846 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
1847 }
1848 return ret;
1849 }
1850
ge_equals_gej(const secp256k1_ge * a,const secp256k1_gej * b)1851 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
1852 secp256k1_fe z2s;
1853 secp256k1_fe u1, u2, s1, s2;
1854 CHECK(a->infinity == b->infinity);
1855 if (a->infinity) {
1856 return;
1857 }
1858 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
1859 secp256k1_fe_sqr(&z2s, &b->z);
1860 secp256k1_fe_mul(&u1, &a->x, &z2s);
1861 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
1862 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
1863 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
1864 CHECK(secp256k1_fe_equal_var(&u1, &u2));
1865 CHECK(secp256k1_fe_equal_var(&s1, &s2));
1866 }
1867
test_ge(void)1868 void test_ge(void) {
1869 int i, i1;
1870 #ifdef USE_ENDOMORPHISM
1871 int runs = 6;
1872 #else
1873 int runs = 4;
1874 #endif
1875 /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
1876 * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
1877 * All magnitudes are randomized.
1878 * All 17*17 combinations of points are added to each other, using all applicable methods.
1879 *
1880 * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well.
1881 */
1882 secp256k1_ge *ge = (secp256k1_ge *)malloc(sizeof(secp256k1_ge) * (1 + 4 * runs));
1883 secp256k1_gej *gej = (secp256k1_gej *)malloc(sizeof(secp256k1_gej) * (1 + 4 * runs));
1884 secp256k1_fe *zinv = (secp256k1_fe *)malloc(sizeof(secp256k1_fe) * (1 + 4 * runs));
1885 secp256k1_fe zf;
1886 secp256k1_fe zfi2, zfi3;
1887
1888 secp256k1_gej_set_infinity(&gej[0]);
1889 secp256k1_ge_clear(&ge[0]);
1890 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
1891 for (i = 0; i < runs; i++) {
1892 int j;
1893 secp256k1_ge g;
1894 random_group_element_test(&g);
1895 #ifdef USE_ENDOMORPHISM
1896 if (i >= runs - 2) {
1897 secp256k1_ge_mul_lambda(&g, &ge[1]);
1898 }
1899 if (i >= runs - 1) {
1900 secp256k1_ge_mul_lambda(&g, &g);
1901 }
1902 #endif
1903 ge[1 + 4 * i] = g;
1904 ge[2 + 4 * i] = g;
1905 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
1906 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
1907 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
1908 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
1909 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
1910 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
1911 for (j = 0; j < 4; j++) {
1912 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
1913 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
1914 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
1915 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
1916 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
1917 }
1918 }
1919
1920 /* Compute z inverses. */
1921 {
1922 secp256k1_fe *zs = malloc(sizeof(secp256k1_fe) * (1 + 4 * runs));
1923 for (i = 0; i < 4 * runs + 1; i++) {
1924 if (i == 0) {
1925 /* The point at infinity does not have a meaningful z inverse. Any should do. */
1926 do {
1927 random_field_element_test(&zs[i]);
1928 } while(secp256k1_fe_is_zero(&zs[i]));
1929 } else {
1930 zs[i] = gej[i].z;
1931 }
1932 }
1933 secp256k1_fe_inv_all_var(zinv, zs, 4 * runs + 1);
1934 free(zs);
1935 }
1936
1937 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
1938 do {
1939 random_field_element_test(&zf);
1940 } while(secp256k1_fe_is_zero(&zf));
1941 random_field_element_magnitude(&zf);
1942 secp256k1_fe_inv_var(&zfi3, &zf);
1943 secp256k1_fe_sqr(&zfi2, &zfi3);
1944 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
1945
1946 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
1947 int i2;
1948 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
1949 /* Compute reference result using gej + gej (var). */
1950 secp256k1_gej refj, resj;
1951 secp256k1_ge ref;
1952 secp256k1_fe zr;
1953 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
1954 /* Check Z ratio. */
1955 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
1956 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
1957 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
1958 }
1959 secp256k1_ge_set_gej_var(&ref, &refj);
1960
1961 /* Test gej + ge with Z ratio result (var). */
1962 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
1963 ge_equals_gej(&ref, &resj);
1964 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
1965 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
1966 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
1967 }
1968
1969 /* Test gej + ge (var, with additional Z factor). */
1970 {
1971 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
1972 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
1973 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
1974 random_field_element_magnitude(&ge2_zfi.x);
1975 random_field_element_magnitude(&ge2_zfi.y);
1976 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
1977 ge_equals_gej(&ref, &resj);
1978 }
1979
1980 /* Test gej + ge (const). */
1981 if (i2 != 0) {
1982 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
1983 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
1984 ge_equals_gej(&ref, &resj);
1985 }
1986
1987 /* Test doubling (var). */
1988 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
1989 secp256k1_fe zr2;
1990 /* Normal doubling with Z ratio result. */
1991 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
1992 ge_equals_gej(&ref, &resj);
1993 /* Check Z ratio. */
1994 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
1995 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
1996 /* Normal doubling. */
1997 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
1998 ge_equals_gej(&ref, &resj);
1999 }
2000
2001 /* Test adding opposites. */
2002 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2003 CHECK(secp256k1_ge_is_infinity(&ref));
2004 }
2005
2006 /* Test adding infinity. */
2007 if (i1 == 0) {
2008 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2009 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2010 ge_equals_gej(&ref, &gej[i2]);
2011 }
2012 if (i2 == 0) {
2013 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2014 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2015 ge_equals_gej(&ref, &gej[i1]);
2016 }
2017 }
2018 }
2019
2020 /* Test adding all points together in random order equals infinity. */
2021 {
2022 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
2023 secp256k1_gej *gej_shuffled = (secp256k1_gej *)malloc((4 * runs + 1) * sizeof(secp256k1_gej));
2024 for (i = 0; i < 4 * runs + 1; i++) {
2025 gej_shuffled[i] = gej[i];
2026 }
2027 for (i = 0; i < 4 * runs + 1; i++) {
2028 int swap = i + secp256k1_rand_int(4 * runs + 1 - i);
2029 if (swap != i) {
2030 secp256k1_gej t = gej_shuffled[i];
2031 gej_shuffled[i] = gej_shuffled[swap];
2032 gej_shuffled[swap] = t;
2033 }
2034 }
2035 for (i = 0; i < 4 * runs + 1; i++) {
2036 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
2037 }
2038 CHECK(secp256k1_gej_is_infinity(&sum));
2039 free(gej_shuffled);
2040 }
2041
2042 /* Test batch gej -> ge conversion with and without known z ratios. */
2043 {
2044 secp256k1_fe *zr = (secp256k1_fe *)malloc((4 * runs + 1) * sizeof(secp256k1_fe));
2045 secp256k1_ge *ge_set_table = (secp256k1_ge *)malloc((4 * runs + 1) * sizeof(secp256k1_ge));
2046 secp256k1_ge *ge_set_all = (secp256k1_ge *)malloc((4 * runs + 1) * sizeof(secp256k1_ge));
2047 for (i = 0; i < 4 * runs + 1; i++) {
2048 /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
2049 if (i < 4 * runs) {
2050 secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
2051 }
2052 }
2053 secp256k1_ge_set_table_gej_var(ge_set_table, gej, zr, 4 * runs + 1);
2054 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1, &ctx->error_callback);
2055 for (i = 0; i < 4 * runs + 1; i++) {
2056 secp256k1_fe s;
2057 random_fe_non_zero(&s);
2058 secp256k1_gej_rescale(&gej[i], &s);
2059 ge_equals_gej(&ge_set_table[i], &gej[i]);
2060 ge_equals_gej(&ge_set_all[i], &gej[i]);
2061 }
2062 free(ge_set_table);
2063 free(ge_set_all);
2064 free(zr);
2065 }
2066
2067 free(ge);
2068 free(gej);
2069 free(zinv);
2070 }
2071
test_add_neg_y_diff_x(void)2072 void test_add_neg_y_diff_x(void) {
2073 /* The point of this test is to check that we can add two points
2074 * whose y-coordinates are negatives of each other but whose x
2075 * coordinates differ. If the x-coordinates were the same, these
2076 * points would be negatives of each other and their sum is
2077 * infinity. This is cool because it "covers up" any degeneracy
2078 * in the addition algorithm that would cause the xy coordinates
2079 * of the sum to be wrong (since infinity has no xy coordinates).
2080 * HOWEVER, if the x-coordinates are different, infinity is the
2081 * wrong answer, and such degeneracies are exposed. This is the
2082 * root of https://github.com/bitcoin-core/secp256k1/issues/257
2083 * which this test is a regression test for.
2084 *
2085 * These points were generated in sage as
2086 * # secp256k1 params
2087 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2088 * C = EllipticCurve ([F (0), F (7)])
2089 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2090 * N = FiniteField(G.order())
2091 *
2092 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2093 * x = polygen(N)
2094 * lam = (1 - x^3).roots()[1][0]
2095 *
2096 * # random "bad pair"
2097 * P = C.random_element()
2098 * Q = -int(lam) * P
2099 * print " P: %x %x" % P.xy()
2100 * print " Q: %x %x" % Q.xy()
2101 * print "P + Q: %x %x" % (P + Q).xy()
2102 */
2103 secp256k1_gej aj = SECP256K1_GEJ_CONST(
2104 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2105 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2106 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2107 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2108 );
2109 secp256k1_gej bj = SECP256K1_GEJ_CONST(
2110 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2111 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2112 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2113 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2114 );
2115 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
2116 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2117 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2118 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2119 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2120 );
2121 secp256k1_ge b;
2122 secp256k1_gej resj;
2123 secp256k1_ge res;
2124 secp256k1_ge_set_gej(&b, &bj);
2125
2126 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2127 secp256k1_ge_set_gej(&res, &resj);
2128 ge_equals_gej(&res, &sumj);
2129
2130 secp256k1_gej_add_ge(&resj, &aj, &b);
2131 secp256k1_ge_set_gej(&res, &resj);
2132 ge_equals_gej(&res, &sumj);
2133
2134 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2135 secp256k1_ge_set_gej(&res, &resj);
2136 ge_equals_gej(&res, &sumj);
2137 }
2138
run_ge(void)2139 void run_ge(void) {
2140 int i;
2141 for (i = 0; i < count * 32; i++) {
2142 test_ge();
2143 }
2144 test_add_neg_y_diff_x();
2145 }
2146
test_ec_combine(void)2147 void test_ec_combine(void) {
2148 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2149 secp256k1_pubkey data[6];
2150 const secp256k1_pubkey* d[6];
2151 secp256k1_pubkey sd;
2152 secp256k1_pubkey sd2;
2153 secp256k1_gej Qj;
2154 secp256k1_ge Q;
2155 int i;
2156 for (i = 1; i <= 6; i++) {
2157 secp256k1_scalar s;
2158 random_scalar_order_test(&s);
2159 secp256k1_scalar_add(&sum, &sum, &s);
2160 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2161 secp256k1_ge_set_gej(&Q, &Qj);
2162 secp256k1_pubkey_save(&data[i - 1], &Q);
2163 d[i - 1] = &data[i - 1];
2164 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2165 secp256k1_ge_set_gej(&Q, &Qj);
2166 secp256k1_pubkey_save(&sd, &Q);
2167 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
2168 CHECK(memcmp(&sd, &sd2, sizeof(sd)) == 0);
2169 }
2170 }
2171
run_ec_combine(void)2172 void run_ec_combine(void) {
2173 int i;
2174 for (i = 0; i < count * 8; i++) {
2175 test_ec_combine();
2176 }
2177 }
2178
test_group_decompress(const secp256k1_fe * x)2179 void test_group_decompress(const secp256k1_fe* x) {
2180 /* The input itself, normalized. */
2181 secp256k1_fe fex = *x;
2182 secp256k1_fe fez;
2183 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2184 secp256k1_ge ge_quad, ge_even, ge_odd;
2185 secp256k1_gej gej_quad;
2186 /* Return values of the above calls. */
2187 int res_quad, res_even, res_odd;
2188
2189 secp256k1_fe_normalize_var(&fex);
2190
2191 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
2192 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2193 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2194
2195 CHECK(res_quad == res_even);
2196 CHECK(res_quad == res_odd);
2197
2198 if (res_quad) {
2199 secp256k1_fe_normalize_var(&ge_quad.x);
2200 secp256k1_fe_normalize_var(&ge_odd.x);
2201 secp256k1_fe_normalize_var(&ge_even.x);
2202 secp256k1_fe_normalize_var(&ge_quad.y);
2203 secp256k1_fe_normalize_var(&ge_odd.y);
2204 secp256k1_fe_normalize_var(&ge_even.y);
2205
2206 /* No infinity allowed. */
2207 CHECK(!ge_quad.infinity);
2208 CHECK(!ge_even.infinity);
2209 CHECK(!ge_odd.infinity);
2210
2211 /* Check that the x coordinates check out. */
2212 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2213 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2214 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2215
2216 /* Check that the Y coordinate result in ge_quad is a square. */
2217 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
2218
2219 /* Check odd/even Y in ge_odd, ge_even. */
2220 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2221 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
2222
2223 /* Check secp256k1_gej_has_quad_y_var. */
2224 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2225 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2226 do {
2227 random_fe_test(&fez);
2228 } while (secp256k1_fe_is_zero(&fez));
2229 secp256k1_gej_rescale(&gej_quad, &fez);
2230 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2231 secp256k1_gej_neg(&gej_quad, &gej_quad);
2232 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2233 do {
2234 random_fe_test(&fez);
2235 } while (secp256k1_fe_is_zero(&fez));
2236 secp256k1_gej_rescale(&gej_quad, &fez);
2237 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2238 secp256k1_gej_neg(&gej_quad, &gej_quad);
2239 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2240 }
2241 }
2242
run_group_decompress(void)2243 void run_group_decompress(void) {
2244 int i;
2245 for (i = 0; i < count * 4; i++) {
2246 secp256k1_fe fe;
2247 random_fe_test(&fe);
2248 test_group_decompress(&fe);
2249 }
2250 }
2251
2252 /***** ECMULT TESTS *****/
2253
run_ecmult_chain(void)2254 void run_ecmult_chain(void) {
2255 /* random starting point A (on the curve) */
2256 secp256k1_gej a = SECP256K1_GEJ_CONST(
2257 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2258 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2259 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2260 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2261 );
2262 /* two random initial factors xn and gn */
2263 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2264 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2265 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2266 );
2267 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
2268 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2269 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2270 );
2271 /* two small multipliers to be applied to xn and gn in every iteration: */
2272 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2273 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
2274 /* accumulators with the resulting coefficients to A and G */
2275 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2276 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2277 /* actual points */
2278 secp256k1_gej x;
2279 secp256k1_gej x2;
2280 int i;
2281
2282 /* the point being computed */
2283 x = a;
2284 for (i = 0; i < 200*count; i++) {
2285 /* in each iteration, compute X = xn*X + gn*G; */
2286 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
2287 /* also compute ae and ge: the actual accumulated factors for A and G */
2288 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
2289 secp256k1_scalar_mul(&ae, &ae, &xn);
2290 secp256k1_scalar_mul(&ge, &ge, &xn);
2291 secp256k1_scalar_add(&ge, &ge, &gn);
2292 /* modify xn and gn */
2293 secp256k1_scalar_mul(&xn, &xn, &xf);
2294 secp256k1_scalar_mul(&gn, &gn, &gf);
2295
2296 /* verify */
2297 if (i == 19999) {
2298 /* expected result after 19999 iterations */
2299 secp256k1_gej rp = SECP256K1_GEJ_CONST(
2300 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2301 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2302 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2303 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2304 );
2305
2306 secp256k1_gej_neg(&rp, &rp);
2307 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
2308 CHECK(secp256k1_gej_is_infinity(&rp));
2309 }
2310 }
2311 /* redo the computation, but directly with the resulting ae and ge coefficients: */
2312 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
2313 secp256k1_gej_neg(&x2, &x2);
2314 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
2315 CHECK(secp256k1_gej_is_infinity(&x2));
2316 }
2317
test_point_times_order(const secp256k1_gej * point)2318 void test_point_times_order(const secp256k1_gej *point) {
2319 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
2320 secp256k1_scalar x;
2321 secp256k1_scalar nx;
2322 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2323 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2324 secp256k1_gej res1, res2;
2325 secp256k1_ge res3;
2326 unsigned char pub[65];
2327 size_t psize = 65;
2328 random_scalar_order_test(&x);
2329 secp256k1_scalar_negate(&nx, &x);
2330 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2331 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
2332 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
2333 CHECK(secp256k1_gej_is_infinity(&res1));
2334 CHECK(secp256k1_gej_is_valid_var(&res1) == 0);
2335 secp256k1_ge_set_gej(&res3, &res1);
2336 CHECK(secp256k1_ge_is_infinity(&res3));
2337 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
2338 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
2339 psize = 65;
2340 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
2341 /* check zero/one edge cases */
2342 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2343 secp256k1_ge_set_gej(&res3, &res1);
2344 CHECK(secp256k1_ge_is_infinity(&res3));
2345 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2346 secp256k1_ge_set_gej(&res3, &res1);
2347 ge_equals_gej(&res3, point);
2348 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2349 secp256k1_ge_set_gej(&res3, &res1);
2350 ge_equals_ge(&res3, &secp256k1_ge_const_g);
2351 }
2352
run_point_times_order(void)2353 void run_point_times_order(void) {
2354 int i;
2355 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2356 static const secp256k1_fe xr = SECP256K1_FE_CONST(
2357 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2358 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2359 );
2360 for (i = 0; i < 500; i++) {
2361 secp256k1_ge p;
2362 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
2363 secp256k1_gej j;
2364 CHECK(secp256k1_ge_is_valid_var(&p));
2365 secp256k1_gej_set_ge(&j, &p);
2366 CHECK(secp256k1_gej_is_valid_var(&j));
2367 test_point_times_order(&j);
2368 }
2369 secp256k1_fe_sqr(&x, &x);
2370 }
2371 secp256k1_fe_normalize_var(&x);
2372 CHECK(secp256k1_fe_equal_var(&x, &xr));
2373 }
2374
ecmult_const_random_mult(void)2375 void ecmult_const_random_mult(void) {
2376 /* random starting point A (on the curve) */
2377 secp256k1_ge a = SECP256K1_GE_CONST(
2378 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2379 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2380 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2381 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2382 );
2383 /* random initial factor xn */
2384 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2385 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2386 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2387 );
2388 /* expected xn * A (from sage) */
2389 secp256k1_ge expected_b = SECP256K1_GE_CONST(
2390 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2391 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2392 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2393 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2394 );
2395 secp256k1_gej b;
2396 secp256k1_ecmult_const(&b, &a, &xn);
2397
2398 CHECK(secp256k1_ge_is_valid_var(&a));
2399 ge_equals_gej(&expected_b, &b);
2400 }
2401
ecmult_const_commutativity(void)2402 void ecmult_const_commutativity(void) {
2403 secp256k1_scalar a;
2404 secp256k1_scalar b;
2405 secp256k1_gej res1;
2406 secp256k1_gej res2;
2407 secp256k1_ge mid1;
2408 secp256k1_ge mid2;
2409 random_scalar_order_test(&a);
2410 random_scalar_order_test(&b);
2411
2412 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a);
2413 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b);
2414 secp256k1_ge_set_gej(&mid1, &res1);
2415 secp256k1_ge_set_gej(&mid2, &res2);
2416 secp256k1_ecmult_const(&res1, &mid1, &b);
2417 secp256k1_ecmult_const(&res2, &mid2, &a);
2418 secp256k1_ge_set_gej(&mid1, &res1);
2419 secp256k1_ge_set_gej(&mid2, &res2);
2420 ge_equals_ge(&mid1, &mid2);
2421 }
2422
ecmult_const_mult_zero_one(void)2423 void ecmult_const_mult_zero_one(void) {
2424 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2425 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2426 secp256k1_scalar negone;
2427 secp256k1_gej res1;
2428 secp256k1_ge res2;
2429 secp256k1_ge point;
2430 secp256k1_scalar_negate(&negone, &one);
2431
2432 random_group_element_test(&point);
2433 secp256k1_ecmult_const(&res1, &point, &zero);
2434 secp256k1_ge_set_gej(&res2, &res1);
2435 CHECK(secp256k1_ge_is_infinity(&res2));
2436 secp256k1_ecmult_const(&res1, &point, &one);
2437 secp256k1_ge_set_gej(&res2, &res1);
2438 ge_equals_ge(&res2, &point);
2439 secp256k1_ecmult_const(&res1, &point, &negone);
2440 secp256k1_gej_neg(&res1, &res1);
2441 secp256k1_ge_set_gej(&res2, &res1);
2442 ge_equals_ge(&res2, &point);
2443 }
2444
ecmult_const_chain_multiply(void)2445 void ecmult_const_chain_multiply(void) {
2446 /* Check known result (randomly generated test problem from sage) */
2447 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
2448 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2449 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2450 );
2451 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
2452 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2453 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2454 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2455 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2456 );
2457 secp256k1_gej point;
2458 secp256k1_ge res;
2459 int i;
2460
2461 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2462 for (i = 0; i < 100; ++i) {
2463 secp256k1_ge tmp;
2464 secp256k1_ge_set_gej(&tmp, &point);
2465 secp256k1_ecmult_const(&point, &tmp, &scalar);
2466 }
2467 secp256k1_ge_set_gej(&res, &point);
2468 ge_equals_gej(&res, &expected_point);
2469 }
2470
run_ecmult_const_tests(void)2471 void run_ecmult_const_tests(void) {
2472 ecmult_const_mult_zero_one();
2473 ecmult_const_random_mult();
2474 ecmult_const_commutativity();
2475 ecmult_const_chain_multiply();
2476 }
2477
test_wnaf(const secp256k1_scalar * number,int w)2478 void test_wnaf(const secp256k1_scalar *number, int w) {
2479 secp256k1_scalar x, two, t;
2480 int wnaf[256];
2481 int zeroes = -1;
2482 int i;
2483 int bits;
2484 secp256k1_scalar_set_int(&x, 0);
2485 secp256k1_scalar_set_int(&two, 2);
2486 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
2487 CHECK(bits <= 256);
2488 for (i = bits-1; i >= 0; i--) {
2489 int v = wnaf[i];
2490 secp256k1_scalar_mul(&x, &x, &two);
2491 if (v) {
2492 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
2493 zeroes=0;
2494 CHECK((v & 1) == 1); /* check non-zero elements are odd */
2495 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
2496 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
2497 } else {
2498 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
2499 zeroes++;
2500 }
2501 if (v >= 0) {
2502 secp256k1_scalar_set_int(&t, v);
2503 } else {
2504 secp256k1_scalar_set_int(&t, -v);
2505 secp256k1_scalar_negate(&t, &t);
2506 }
2507 secp256k1_scalar_add(&x, &x, &t);
2508 }
2509 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
2510 }
2511
test_constant_wnaf_negate(const secp256k1_scalar * number)2512 void test_constant_wnaf_negate(const secp256k1_scalar *number) {
2513 secp256k1_scalar neg1 = *number;
2514 secp256k1_scalar neg2 = *number;
2515 int sign1 = 1;
2516 int sign2 = 1;
2517
2518 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
2519 secp256k1_scalar_negate(&neg1, &neg1);
2520 sign1 = -1;
2521 }
2522 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
2523 CHECK(sign1 == sign2);
2524 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
2525 }
2526
test_constant_wnaf(const secp256k1_scalar * number,int w)2527 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
2528 secp256k1_scalar x, shift;
2529 int wnaf[256] = {0};
2530 int i;
2531 int skew;
2532 secp256k1_scalar num = *number;
2533
2534 secp256k1_scalar_set_int(&x, 0);
2535 secp256k1_scalar_set_int(&shift, 1 << w);
2536 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
2537 #ifdef USE_ENDOMORPHISM
2538 for (i = 0; i < 16; ++i) {
2539 secp256k1_scalar_shr_int(&num, 8);
2540 }
2541 #endif
2542 skew = secp256k1_wnaf_const(wnaf, num, w);
2543
2544 for (i = WNAF_SIZE(w); i >= 0; --i) {
2545 secp256k1_scalar t;
2546 int v = wnaf[i];
2547 CHECK(v != 0); /* check nonzero */
2548 CHECK(v & 1); /* check parity */
2549 CHECK(v > -(1 << w)); /* check range above */
2550 CHECK(v < (1 << w)); /* check range below */
2551
2552 secp256k1_scalar_mul(&x, &x, &shift);
2553 if (v >= 0) {
2554 secp256k1_scalar_set_int(&t, v);
2555 } else {
2556 secp256k1_scalar_set_int(&t, -v);
2557 secp256k1_scalar_negate(&t, &t);
2558 }
2559 secp256k1_scalar_add(&x, &x, &t);
2560 }
2561 /* Skew num because when encoding numbers as odd we use an offset */
2562 secp256k1_scalar_cadd_bit(&num, skew == 2, 1);
2563 CHECK(secp256k1_scalar_eq(&x, &num));
2564 }
2565
run_wnaf(void)2566 void run_wnaf(void) {
2567 int i;
2568 secp256k1_scalar n = {{0}};
2569
2570 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
2571 * have easier-to-diagnose failure modes */
2572 n.d[0] = 1;
2573 test_constant_wnaf(&n, 4);
2574 n.d[0] = 2;
2575 test_constant_wnaf(&n, 4);
2576 /* Random tests */
2577 for (i = 0; i < count; i++) {
2578 random_scalar_order(&n);
2579 test_wnaf(&n, 4+(i%10));
2580 test_constant_wnaf_negate(&n);
2581 test_constant_wnaf(&n, 4 + (i % 10));
2582 }
2583 secp256k1_scalar_set_int(&n, 0);
2584 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
2585 CHECK(secp256k1_scalar_is_zero(&n));
2586 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
2587 CHECK(secp256k1_scalar_is_zero(&n));
2588 }
2589
test_ecmult_constants(void)2590 void test_ecmult_constants(void) {
2591 /* Test ecmult_gen() for [0..36) and [order-36..0). */
2592 secp256k1_scalar x;
2593 secp256k1_gej r;
2594 secp256k1_ge ng;
2595 int i;
2596 int j;
2597 secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
2598 for (i = 0; i < 36; i++ ) {
2599 secp256k1_scalar_set_int(&x, i);
2600 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
2601 for (j = 0; j < i; j++) {
2602 if (j == i - 1) {
2603 ge_equals_gej(&secp256k1_ge_const_g, &r);
2604 }
2605 secp256k1_gej_add_ge(&r, &r, &ng);
2606 }
2607 CHECK(secp256k1_gej_is_infinity(&r));
2608 }
2609 for (i = 1; i <= 36; i++ ) {
2610 secp256k1_scalar_set_int(&x, i);
2611 secp256k1_scalar_negate(&x, &x);
2612 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
2613 for (j = 0; j < i; j++) {
2614 if (j == i - 1) {
2615 ge_equals_gej(&ng, &r);
2616 }
2617 secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
2618 }
2619 CHECK(secp256k1_gej_is_infinity(&r));
2620 }
2621 }
2622
run_ecmult_constants(void)2623 void run_ecmult_constants(void) {
2624 test_ecmult_constants();
2625 }
2626
test_ecmult_gen_blind(void)2627 void test_ecmult_gen_blind(void) {
2628 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
2629 secp256k1_scalar key;
2630 secp256k1_scalar b;
2631 unsigned char seed32[32];
2632 secp256k1_gej pgej;
2633 secp256k1_gej pgej2;
2634 secp256k1_gej i;
2635 secp256k1_ge pge;
2636 random_scalar_order_test(&key);
2637 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
2638 secp256k1_rand256(seed32);
2639 b = ctx->ecmult_gen_ctx.blind;
2640 i = ctx->ecmult_gen_ctx.initial;
2641 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
2642 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
2643 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
2644 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
2645 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
2646 secp256k1_ge_set_gej(&pge, &pgej);
2647 ge_equals_gej(&pge, &pgej2);
2648 }
2649
test_ecmult_gen_blind_reset(void)2650 void test_ecmult_gen_blind_reset(void) {
2651 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
2652 secp256k1_scalar b;
2653 secp256k1_gej initial;
2654 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
2655 b = ctx->ecmult_gen_ctx.blind;
2656 initial = ctx->ecmult_gen_ctx.initial;
2657 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
2658 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
2659 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
2660 }
2661
run_ecmult_gen_blind(void)2662 void run_ecmult_gen_blind(void) {
2663 int i;
2664 test_ecmult_gen_blind_reset();
2665 for (i = 0; i < 10; i++) {
2666 test_ecmult_gen_blind();
2667 }
2668 }
2669
2670 #ifdef USE_ENDOMORPHISM
2671 /***** ENDOMORPHISH TESTS *****/
test_scalar_split(void)2672 void test_scalar_split(void) {
2673 secp256k1_scalar full;
2674 secp256k1_scalar s1, slam;
2675 const unsigned char zero[32] = {0};
2676 unsigned char tmp[32];
2677
2678 random_scalar_order_test(&full);
2679 secp256k1_scalar_split_lambda(&s1, &slam, &full);
2680
2681 /* check that both are <= 128 bits in size */
2682 if (secp256k1_scalar_is_high(&s1)) {
2683 secp256k1_scalar_negate(&s1, &s1);
2684 }
2685 if (secp256k1_scalar_is_high(&slam)) {
2686 secp256k1_scalar_negate(&slam, &slam);
2687 }
2688
2689 secp256k1_scalar_get_b32(tmp, &s1);
2690 CHECK(memcmp(zero, tmp, 16) == 0);
2691 secp256k1_scalar_get_b32(tmp, &slam);
2692 CHECK(memcmp(zero, tmp, 16) == 0);
2693 }
2694
run_endomorphism_tests(void)2695 void run_endomorphism_tests(void) {
2696 test_scalar_split();
2697 }
2698 #endif
2699
ec_pubkey_parse_pointtest(const unsigned char * input,int xvalid,int yvalid)2700 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
2701 unsigned char pubkeyc[65];
2702 secp256k1_pubkey pubkey;
2703 secp256k1_ge ge;
2704 size_t pubkeyclen;
2705 int32_t ecount;
2706 ecount = 0;
2707 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
2708 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
2709 /* Smaller sizes are tested exhaustively elsewhere. */
2710 int32_t i;
2711 memcpy(&pubkeyc[1], input, 64);
2712 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
2713 for (i = 0; i < 256; i++) {
2714 /* Try all type bytes. */
2715 int xpass;
2716 int ypass;
2717 int ysign;
2718 pubkeyc[0] = i;
2719 /* What sign does this point have? */
2720 ysign = (input[63] & 1) + 2;
2721 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
2722 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
2723 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
2724 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
2725 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
2726 if (xpass || ypass) {
2727 /* These cases must parse. */
2728 unsigned char pubkeyo[65];
2729 size_t outl;
2730 memset(&pubkey, 0, sizeof(pubkey));
2731 VG_UNDEF(&pubkey, sizeof(pubkey));
2732 ecount = 0;
2733 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
2734 VG_CHECK(&pubkey, sizeof(pubkey));
2735 outl = 65;
2736 VG_UNDEF(pubkeyo, 65);
2737 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
2738 VG_CHECK(pubkeyo, outl);
2739 CHECK(outl == 33);
2740 CHECK(memcmp(&pubkeyo[1], &pubkeyc[1], 32) == 0);
2741 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
2742 if (ypass) {
2743 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
2744 CHECK(pubkeyo[0] == ysign);
2745 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
2746 memset(&pubkey, 0, sizeof(pubkey));
2747 VG_UNDEF(&pubkey, sizeof(pubkey));
2748 secp256k1_pubkey_save(&pubkey, &ge);
2749 VG_CHECK(&pubkey, sizeof(pubkey));
2750 outl = 65;
2751 VG_UNDEF(pubkeyo, 65);
2752 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
2753 VG_CHECK(pubkeyo, outl);
2754 CHECK(outl == 65);
2755 CHECK(pubkeyo[0] == 4);
2756 CHECK(memcmp(&pubkeyo[1], input, 64) == 0);
2757 }
2758 CHECK(ecount == 0);
2759 } else {
2760 /* These cases must fail to parse. */
2761 memset(&pubkey, 0xfe, sizeof(pubkey));
2762 ecount = 0;
2763 VG_UNDEF(&pubkey, sizeof(pubkey));
2764 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
2765 VG_CHECK(&pubkey, sizeof(pubkey));
2766 CHECK(ecount == 0);
2767 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
2768 CHECK(ecount == 1);
2769 }
2770 }
2771 }
2772 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
2773 }
2774
run_ec_pubkey_parse_test(void)2775 void run_ec_pubkey_parse_test(void) {
2776 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
2777 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
2778 {
2779 /* Point with leading and trailing zeros in x and y serialization. */
2780 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
2781 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2782 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
2783 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
2784 },
2785 {
2786 /* Point with x equal to a 3rd root of unity.*/
2787 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
2788 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
2789 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
2790 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
2791 },
2792 {
2793 /* Point with largest x. (1/2) */
2794 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2795 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
2796 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
2797 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
2798 },
2799 {
2800 /* Point with largest x. (2/2) */
2801 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2802 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
2803 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
2804 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
2805 },
2806 {
2807 /* Point with smallest x. (1/2) */
2808 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2809 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2810 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
2811 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
2812 },
2813 {
2814 /* Point with smallest x. (2/2) */
2815 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2816 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2817 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
2818 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
2819 },
2820 {
2821 /* Point with largest y. (1/3) */
2822 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
2823 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
2824 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2825 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
2826 },
2827 {
2828 /* Point with largest y. (2/3) */
2829 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
2830 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
2831 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2832 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
2833 },
2834 {
2835 /* Point with largest y. (3/3) */
2836 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
2837 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
2838 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2839 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
2840 },
2841 {
2842 /* Point with smallest y. (1/3) */
2843 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
2844 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
2845 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2846 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2847 },
2848 {
2849 /* Point with smallest y. (2/3) */
2850 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
2851 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
2852 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2853 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2854 },
2855 {
2856 /* Point with smallest y. (3/3) */
2857 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
2858 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
2859 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2860 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
2861 }
2862 };
2863 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
2864 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
2865 {
2866 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
2867 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
2868 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
2869 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2870 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
2871 },
2872 {
2873 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
2874 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
2875 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
2876 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2877 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
2878 },
2879 {
2880 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
2881 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
2882 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
2883 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2884 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
2885 },
2886 {
2887 /* x on curve, y is from y^2 = x^3 + 8. */
2888 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2889 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2890 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2891 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
2892 }
2893 };
2894 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
2895 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
2896 {
2897 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
2898 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
2899 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
2900 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2901 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
2902 },
2903 {
2904 /* Valid if x overflow ignored (x = 1 mod p). */
2905 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2906 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
2907 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
2908 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
2909 },
2910 {
2911 /* Valid if x overflow ignored (x = 1 mod p). */
2912 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2913 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
2914 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
2915 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
2916 },
2917 {
2918 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
2919 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2920 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
2921 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
2922 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
2923 },
2924 {
2925 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
2926 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
2927 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
2928 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
2929 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
2930 },
2931 {
2932 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
2933 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2934 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2935 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
2936 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
2937 },
2938 {
2939 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
2940 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2941 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
2942 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
2943 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
2944 }
2945 };
2946 const unsigned char pubkeyc[66] = {
2947 /* Serialization of G. */
2948 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
2949 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
2950 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
2951 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
2952 0xB8, 0x00
2953 };
2954 unsigned char sout[65];
2955 unsigned char shortkey[2];
2956 secp256k1_ge ge;
2957 secp256k1_pubkey pubkey;
2958 size_t len;
2959 int32_t i;
2960 int32_t ecount;
2961 int32_t ecount2;
2962 ecount = 0;
2963 /* Nothing should be reading this far into pubkeyc. */
2964 VG_UNDEF(&pubkeyc[65], 1);
2965 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
2966 /* Zero length claimed, fail, zeroize, no illegal arg error. */
2967 memset(&pubkey, 0xfe, sizeof(pubkey));
2968 ecount = 0;
2969 VG_UNDEF(shortkey, 2);
2970 VG_UNDEF(&pubkey, sizeof(pubkey));
2971 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
2972 VG_CHECK(&pubkey, sizeof(pubkey));
2973 CHECK(ecount == 0);
2974 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
2975 CHECK(ecount == 1);
2976 /* Length one claimed, fail, zeroize, no illegal arg error. */
2977 for (i = 0; i < 256 ; i++) {
2978 memset(&pubkey, 0xfe, sizeof(pubkey));
2979 ecount = 0;
2980 shortkey[0] = i;
2981 VG_UNDEF(&shortkey[1], 1);
2982 VG_UNDEF(&pubkey, sizeof(pubkey));
2983 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
2984 VG_CHECK(&pubkey, sizeof(pubkey));
2985 CHECK(ecount == 0);
2986 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
2987 CHECK(ecount == 1);
2988 }
2989 /* Length two claimed, fail, zeroize, no illegal arg error. */
2990 for (i = 0; i < 65536 ; i++) {
2991 memset(&pubkey, 0xfe, sizeof(pubkey));
2992 ecount = 0;
2993 shortkey[0] = i & 255;
2994 shortkey[1] = i >> 8;
2995 VG_UNDEF(&pubkey, sizeof(pubkey));
2996 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
2997 VG_CHECK(&pubkey, sizeof(pubkey));
2998 CHECK(ecount == 0);
2999 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3000 CHECK(ecount == 1);
3001 }
3002 memset(&pubkey, 0xfe, sizeof(pubkey));
3003 ecount = 0;
3004 VG_UNDEF(&pubkey, sizeof(pubkey));
3005 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
3006 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
3007 VG_CHECK(&pubkey, sizeof(pubkey));
3008 CHECK(ecount == 0);
3009 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3010 CHECK(ecount == 1);
3011 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
3012 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
3013 CHECK(ecount == 2);
3014 /* NULL input string. Illegal arg and zeroize output. */
3015 memset(&pubkey, 0xfe, sizeof(pubkey));
3016 ecount = 0;
3017 VG_UNDEF(&pubkey, sizeof(pubkey));
3018 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
3019 VG_CHECK(&pubkey, sizeof(pubkey));
3020 CHECK(ecount == 1);
3021 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3022 CHECK(ecount == 2);
3023 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
3024 memset(&pubkey, 0xfe, sizeof(pubkey));
3025 ecount = 0;
3026 VG_UNDEF(&pubkey, sizeof(pubkey));
3027 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
3028 VG_CHECK(&pubkey, sizeof(pubkey));
3029 CHECK(ecount == 0);
3030 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3031 CHECK(ecount == 1);
3032 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
3033 memset(&pubkey, 0xfe, sizeof(pubkey));
3034 ecount = 0;
3035 VG_UNDEF(&pubkey, sizeof(pubkey));
3036 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
3037 VG_CHECK(&pubkey, sizeof(pubkey));
3038 CHECK(ecount == 0);
3039 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3040 CHECK(ecount == 1);
3041 /* Valid parse. */
3042 memset(&pubkey, 0, sizeof(pubkey));
3043 ecount = 0;
3044 VG_UNDEF(&pubkey, sizeof(pubkey));
3045 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
3046 VG_CHECK(&pubkey, sizeof(pubkey));
3047 CHECK(ecount == 0);
3048 VG_UNDEF(&ge, sizeof(ge));
3049 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3050 VG_CHECK(&ge.x, sizeof(ge.x));
3051 VG_CHECK(&ge.y, sizeof(ge.y));
3052 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
3053 ge_equals_ge(&secp256k1_ge_const_g, &ge);
3054 CHECK(ecount == 0);
3055 /* secp256k1_ec_pubkey_serialize illegal args. */
3056 ecount = 0;
3057 len = 65;
3058 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3059 CHECK(ecount == 1);
3060 CHECK(len == 0);
3061 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3062 CHECK(ecount == 2);
3063 len = 65;
3064 VG_UNDEF(sout, 65);
3065 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
3066 VG_CHECK(sout, 65);
3067 CHECK(ecount == 3);
3068 CHECK(len == 0);
3069 len = 65;
3070 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
3071 CHECK(ecount == 4);
3072 CHECK(len == 0);
3073 len = 65;
3074 VG_UNDEF(sout, 65);
3075 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3076 VG_CHECK(sout, 65);
3077 CHECK(ecount == 4);
3078 CHECK(len == 65);
3079 /* Multiple illegal args. Should still set arg error only once. */
3080 ecount = 0;
3081 ecount2 = 11;
3082 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3083 CHECK(ecount == 1);
3084 /* Does the illegal arg callback actually change the behavior? */
3085 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
3086 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3087 CHECK(ecount == 1);
3088 CHECK(ecount2 == 10);
3089 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3090 /* Try a bunch of prefabbed points with all possible encodings. */
3091 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
3092 ec_pubkey_parse_pointtest(valid[i], 1, 1);
3093 }
3094 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
3095 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
3096 }
3097 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
3098 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
3099 }
3100 }
3101
run_eckey_edge_case_test(void)3102 void run_eckey_edge_case_test(void) {
3103 const unsigned char orderc[32] = {
3104 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3105 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3106 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3107 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
3108 };
3109 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
3110 unsigned char ctmp[33];
3111 unsigned char ctmp2[33];
3112 secp256k1_pubkey pubkey;
3113 secp256k1_pubkey pubkey2;
3114 secp256k1_pubkey pubkey_one;
3115 secp256k1_pubkey pubkey_negone;
3116 const secp256k1_pubkey *pubkeys[3];
3117 size_t len;
3118 int32_t ecount;
3119 /* Group order is too large, reject. */
3120 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
3121 VG_UNDEF(&pubkey, sizeof(pubkey));
3122 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
3123 VG_CHECK(&pubkey, sizeof(pubkey));
3124 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3125 /* Maximum value is too large, reject. */
3126 memset(ctmp, 255, 32);
3127 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3128 memset(&pubkey, 1, sizeof(pubkey));
3129 VG_UNDEF(&pubkey, sizeof(pubkey));
3130 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3131 VG_CHECK(&pubkey, sizeof(pubkey));
3132 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3133 /* Zero is too small, reject. */
3134 memset(ctmp, 0, 32);
3135 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3136 memset(&pubkey, 1, sizeof(pubkey));
3137 VG_UNDEF(&pubkey, sizeof(pubkey));
3138 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3139 VG_CHECK(&pubkey, sizeof(pubkey));
3140 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3141 /* One must be accepted. */
3142 ctmp[31] = 0x01;
3143 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3144 memset(&pubkey, 0, sizeof(pubkey));
3145 VG_UNDEF(&pubkey, sizeof(pubkey));
3146 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3147 VG_CHECK(&pubkey, sizeof(pubkey));
3148 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3149 pubkey_one = pubkey;
3150 /* Group order + 1 is too large, reject. */
3151 memcpy(ctmp, orderc, 32);
3152 ctmp[31] = 0x42;
3153 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3154 memset(&pubkey, 1, sizeof(pubkey));
3155 VG_UNDEF(&pubkey, sizeof(pubkey));
3156 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3157 VG_CHECK(&pubkey, sizeof(pubkey));
3158 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3159 /* -1 must be accepted. */
3160 ctmp[31] = 0x40;
3161 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3162 memset(&pubkey, 0, sizeof(pubkey));
3163 VG_UNDEF(&pubkey, sizeof(pubkey));
3164 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3165 VG_CHECK(&pubkey, sizeof(pubkey));
3166 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3167 pubkey_negone = pubkey;
3168 /* Tweak of zero leaves the value changed. */
3169 memset(ctmp2, 0, 32);
3170 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, ctmp2) == 1);
3171 CHECK(memcmp(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
3172 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
3173 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3174 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3175 /* Multiply tweak of zero zeroizes the output. */
3176 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, ctmp2) == 0);
3177 CHECK(memcmp(zeros, ctmp, 32) == 0);
3178 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
3179 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3180 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3181 /* Overflowing key tweak zeroizes. */
3182 memcpy(ctmp, orderc, 32);
3183 ctmp[31] = 0x40;
3184 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, orderc) == 0);
3185 CHECK(memcmp(zeros, ctmp, 32) == 0);
3186 memcpy(ctmp, orderc, 32);
3187 ctmp[31] = 0x40;
3188 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, orderc) == 0);
3189 CHECK(memcmp(zeros, ctmp, 32) == 0);
3190 memcpy(ctmp, orderc, 32);
3191 ctmp[31] = 0x40;
3192 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
3193 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3194 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3195 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
3196 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3197 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3198 /* Private key tweaks results in a key of zero. */
3199 ctmp2[31] = 1;
3200 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 0);
3201 CHECK(memcmp(zeros, ctmp2, 32) == 0);
3202 ctmp2[31] = 1;
3203 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3204 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3205 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3206 /* Tweak computation wraps and results in a key of 1. */
3207 ctmp2[31] = 2;
3208 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 1);
3209 CHECK(memcmp(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
3210 ctmp2[31] = 2;
3211 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3212 ctmp2[31] = 1;
3213 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
3214 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3215 /* Tweak mul * 2 = 1+1. */
3216 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3217 ctmp2[31] = 2;
3218 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
3219 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3220 /* Test argument errors. */
3221 ecount = 0;
3222 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3223 CHECK(ecount == 0);
3224 /* Zeroize pubkey on parse error. */
3225 memset(&pubkey, 0, 32);
3226 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3227 CHECK(ecount == 1);
3228 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3229 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3230 memset(&pubkey2, 0, 32);
3231 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
3232 CHECK(ecount == 2);
3233 CHECK(memcmp(&pubkey2, zeros, sizeof(pubkey2)) == 0);
3234 /* Plain argument errors. */
3235 ecount = 0;
3236 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3237 CHECK(ecount == 0);
3238 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
3239 CHECK(ecount == 1);
3240 ecount = 0;
3241 memset(ctmp2, 0, 32);
3242 ctmp2[31] = 4;
3243 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
3244 CHECK(ecount == 1);
3245 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
3246 CHECK(ecount == 2);
3247 ecount = 0;
3248 memset(ctmp2, 0, 32);
3249 ctmp2[31] = 4;
3250 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3251 CHECK(ecount == 1);
3252 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
3253 CHECK(ecount == 2);
3254 ecount = 0;
3255 memset(ctmp2, 0, 32);
3256 CHECK(secp256k1_ec_privkey_tweak_add(ctx, NULL, ctmp2) == 0);
3257 CHECK(ecount == 1);
3258 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, NULL) == 0);
3259 CHECK(ecount == 2);
3260 ecount = 0;
3261 memset(ctmp2, 0, 32);
3262 ctmp2[31] = 1;
3263 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3264 CHECK(ecount == 1);
3265 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, NULL) == 0);
3266 CHECK(ecount == 2);
3267 ecount = 0;
3268 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
3269 CHECK(ecount == 1);
3270 memset(&pubkey, 1, sizeof(pubkey));
3271 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
3272 CHECK(ecount == 2);
3273 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3274 /* secp256k1_ec_pubkey_combine tests. */
3275 ecount = 0;
3276 pubkeys[0] = &pubkey_one;
3277 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
3278 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
3279 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
3280 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3281 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3282 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
3283 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3284 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3285 CHECK(ecount == 1);
3286 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
3287 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3288 CHECK(ecount == 2);
3289 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3290 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3291 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
3292 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3293 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3294 CHECK(ecount == 3);
3295 pubkeys[0] = &pubkey_negone;
3296 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3297 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3298 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
3299 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3300 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3301 CHECK(ecount == 3);
3302 len = 33;
3303 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3304 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
3305 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
3306 /* Result is infinity. */
3307 pubkeys[0] = &pubkey_one;
3308 pubkeys[1] = &pubkey_negone;
3309 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3310 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3311 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
3312 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3313 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3314 CHECK(ecount == 3);
3315 /* Passes through infinity but comes out one. */
3316 pubkeys[2] = &pubkey_one;
3317 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3318 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3319 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
3320 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3321 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3322 CHECK(ecount == 3);
3323 len = 33;
3324 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3325 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
3326 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
3327 /* Adds to two. */
3328 pubkeys[1] = &pubkey_one;
3329 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3330 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3331 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
3332 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3333 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3334 CHECK(ecount == 3);
3335 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3336 }
3337
random_sign(secp256k1_scalar * sigr,secp256k1_scalar * sigs,const secp256k1_scalar * key,const secp256k1_scalar * msg,int * recid)3338 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
3339 secp256k1_scalar nonce;
3340 do {
3341 random_scalar_order_test(&nonce);
3342 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
3343 }
3344
test_ecdsa_sign_verify(void)3345 void test_ecdsa_sign_verify(void) {
3346 secp256k1_gej pubj;
3347 secp256k1_ge pub;
3348 secp256k1_scalar one;
3349 secp256k1_scalar msg, key;
3350 secp256k1_scalar sigr, sigs;
3351 int recid;
3352 int getrec;
3353 random_scalar_order_test(&msg);
3354 random_scalar_order_test(&key);
3355 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
3356 secp256k1_ge_set_gej(&pub, &pubj);
3357 getrec = secp256k1_rand_bits(1);
3358 random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
3359 if (getrec) {
3360 CHECK(recid >= 0 && recid < 4);
3361 }
3362 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
3363 secp256k1_scalar_set_int(&one, 1);
3364 secp256k1_scalar_add(&msg, &msg, &one);
3365 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
3366 }
3367
run_ecdsa_sign_verify(void)3368 void run_ecdsa_sign_verify(void) {
3369 int i;
3370 for (i = 0; i < 10*count; i++) {
3371 test_ecdsa_sign_verify();
3372 }
3373 }
3374
3375 /** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
precomputed_nonce_function(unsigned char * nonce32,const unsigned char * msg32,const unsigned char * key32,const unsigned char * algo16,void * data,unsigned int counter)3376 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3377 (void)msg32;
3378 (void)key32;
3379 (void)algo16;
3380 memcpy(nonce32, data, 32);
3381 return (counter == 0);
3382 }
3383
nonce_function_test_fail(unsigned char * nonce32,const unsigned char * msg32,const unsigned char * key32,const unsigned char * algo16,void * data,unsigned int counter)3384 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3385 /* Dummy nonce generator that has a fatal error on the first counter value. */
3386 if (counter == 0) {
3387 return 0;
3388 }
3389 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
3390 }
3391
nonce_function_test_retry(unsigned char * nonce32,const unsigned char * msg32,const unsigned char * key32,const unsigned char * algo16,void * data,unsigned int counter)3392 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3393 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
3394 if (counter < 3) {
3395 memset(nonce32, counter==0 ? 0 : 255, 32);
3396 if (counter == 2) {
3397 nonce32[31]--;
3398 }
3399 return 1;
3400 }
3401 if (counter < 5) {
3402 static const unsigned char order[] = {
3403 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
3404 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
3405 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
3406 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
3407 };
3408 memcpy(nonce32, order, 32);
3409 if (counter == 4) {
3410 nonce32[31]++;
3411 }
3412 return 1;
3413 }
3414 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
3415 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
3416 if (counter > 5) {
3417 return 0;
3418 }
3419 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
3420 }
3421
is_empty_signature(const secp256k1_ecdsa_signature * sig)3422 int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
3423 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
3424 return memcmp(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
3425 }
3426
test_ecdsa_end_to_end(void)3427 void test_ecdsa_end_to_end(void) {
3428 unsigned char extra[32] = {0x00};
3429 unsigned char privkey[32];
3430 unsigned char message[32];
3431 unsigned char privkey2[32];
3432 secp256k1_ecdsa_signature signature[6];
3433 secp256k1_scalar r, s;
3434 unsigned char sig[74];
3435 size_t siglen = 74;
3436 unsigned char pubkeyc[65];
3437 size_t pubkeyclen = 65;
3438 secp256k1_pubkey pubkey;
3439 unsigned char seckey[300];
3440 size_t seckeylen = 300;
3441
3442 /* Generate a random key and message. */
3443 {
3444 secp256k1_scalar msg, key;
3445 random_scalar_order_test(&msg);
3446 random_scalar_order_test(&key);
3447 secp256k1_scalar_get_b32(privkey, &key);
3448 secp256k1_scalar_get_b32(message, &msg);
3449 }
3450
3451 /* Construct and verify corresponding public key. */
3452 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
3453 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
3454
3455 /* Verify exporting and importing public key. */
3456 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_rand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
3457 memset(&pubkey, 0, sizeof(pubkey));
3458 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3459
3460 /* Verify private key import and export. */
3461 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_rand_bits(1) == 1));
3462 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
3463 CHECK(memcmp(privkey, privkey2, 32) == 0);
3464
3465 /* Optionally tweak the keys using addition. */
3466 if (secp256k1_rand_int(3) == 0) {
3467 int ret1;
3468 int ret2;
3469 unsigned char rnd[32];
3470 secp256k1_pubkey pubkey2;
3471 secp256k1_rand256_test(rnd);
3472 ret1 = secp256k1_ec_privkey_tweak_add(ctx, privkey, rnd);
3473 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
3474 CHECK(ret1 == ret2);
3475 if (ret1 == 0) {
3476 return;
3477 }
3478 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
3479 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3480 }
3481
3482 /* Optionally tweak the keys using multiplication. */
3483 if (secp256k1_rand_int(3) == 0) {
3484 int ret1;
3485 int ret2;
3486 unsigned char rnd[32];
3487 secp256k1_pubkey pubkey2;
3488 secp256k1_rand256_test(rnd);
3489 ret1 = secp256k1_ec_privkey_tweak_mul(ctx, privkey, rnd);
3490 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
3491 CHECK(ret1 == ret2);
3492 if (ret1 == 0) {
3493 return;
3494 }
3495 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
3496 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3497 }
3498
3499 /* Sign. */
3500 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
3501 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
3502 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
3503 extra[31] = 1;
3504 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
3505 extra[31] = 0;
3506 extra[0] = 1;
3507 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
3508 CHECK(memcmp(&signature[0], &signature[4], sizeof(signature[0])) == 0);
3509 CHECK(memcmp(&signature[0], &signature[1], sizeof(signature[0])) != 0);
3510 CHECK(memcmp(&signature[0], &signature[2], sizeof(signature[0])) != 0);
3511 CHECK(memcmp(&signature[0], &signature[3], sizeof(signature[0])) != 0);
3512 CHECK(memcmp(&signature[1], &signature[2], sizeof(signature[0])) != 0);
3513 CHECK(memcmp(&signature[1], &signature[3], sizeof(signature[0])) != 0);
3514 CHECK(memcmp(&signature[2], &signature[3], sizeof(signature[0])) != 0);
3515 /* Verify. */
3516 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
3517 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
3518 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
3519 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
3520 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
3521 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
3522 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
3523 secp256k1_scalar_negate(&s, &s);
3524 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
3525 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
3526 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
3527 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
3528 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
3529 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
3530 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
3531 secp256k1_scalar_negate(&s, &s);
3532 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
3533 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
3534 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
3535 CHECK(memcmp(&signature[5], &signature[0], 64) == 0);
3536
3537 /* Serialize/parse DER and verify again */
3538 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
3539 memset(&signature[0], 0, sizeof(signature[0]));
3540 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
3541 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
3542 /* Serialize/destroy/parse DER and verify again. */
3543 siglen = 74;
3544 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
3545 sig[secp256k1_rand_int(siglen)] += 1 + secp256k1_rand_int(255);
3546 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
3547 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
3548 }
3549
test_random_pubkeys(void)3550 void test_random_pubkeys(void) {
3551 secp256k1_ge elem;
3552 secp256k1_ge elem2;
3553 unsigned char in[65];
3554 /* Generate some randomly sized pubkeys. */
3555 size_t len = secp256k1_rand_bits(2) == 0 ? 65 : 33;
3556 if (secp256k1_rand_bits(2) == 0) {
3557 len = secp256k1_rand_bits(6);
3558 }
3559 if (len == 65) {
3560 in[0] = secp256k1_rand_bits(1) ? 4 : (secp256k1_rand_bits(1) ? 6 : 7);
3561 } else {
3562 in[0] = secp256k1_rand_bits(1) ? 2 : 3;
3563 }
3564 if (secp256k1_rand_bits(3) == 0) {
3565 in[0] = secp256k1_rand_bits(8);
3566 }
3567 if (len > 1) {
3568 secp256k1_rand256(&in[1]);
3569 }
3570 if (len > 33) {
3571 secp256k1_rand256(&in[33]);
3572 }
3573 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
3574 unsigned char out[65];
3575 unsigned char firstb;
3576 int res;
3577 size_t size = len;
3578 firstb = in[0];
3579 /* If the pubkey can be parsed, it should round-trip... */
3580 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
3581 CHECK(size == len);
3582 CHECK(memcmp(&in[1], &out[1], len-1) == 0);
3583 /* ... except for the type of hybrid inputs. */
3584 if ((in[0] != 6) && (in[0] != 7)) {
3585 CHECK(in[0] == out[0]);
3586 }
3587 size = 65;
3588 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
3589 CHECK(size == 65);
3590 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
3591 ge_equals_ge(&elem,&elem2);
3592 /* Check that the X9.62 hybrid type is checked. */
3593 in[0] = secp256k1_rand_bits(1) ? 6 : 7;
3594 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
3595 if (firstb == 2 || firstb == 3) {
3596 if (in[0] == firstb + 4) {
3597 CHECK(res);
3598 } else {
3599 CHECK(!res);
3600 }
3601 }
3602 if (res) {
3603 ge_equals_ge(&elem,&elem2);
3604 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
3605 CHECK(memcmp(&in[1], &out[1], 64) == 0);
3606 }
3607 }
3608 }
3609
run_random_pubkeys(void)3610 void run_random_pubkeys(void) {
3611 int i;
3612 for (i = 0; i < 10*count; i++) {
3613 test_random_pubkeys();
3614 }
3615 }
3616
run_ecdsa_end_to_end(void)3617 void run_ecdsa_end_to_end(void) {
3618 int i;
3619 for (i = 0; i < 64*count; i++) {
3620 test_ecdsa_end_to_end();
3621 }
3622 }
3623
test_ecdsa_der_parse(const unsigned char * sig,size_t siglen,int certainly_der,int certainly_not_der)3624 int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
3625 static const unsigned char zeroes[32] = {0};
3626 #ifdef ENABLE_OPENSSL_TESTS
3627 static const unsigned char max_scalar[32] = {
3628 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3629 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3630 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3631 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
3632 };
3633 #endif
3634
3635 int ret = 0;
3636
3637 secp256k1_ecdsa_signature sig_der;
3638 unsigned char roundtrip_der[2048];
3639 unsigned char compact_der[64];
3640 size_t len_der = 2048;
3641 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
3642
3643 secp256k1_ecdsa_signature sig_der_lax;
3644 unsigned char roundtrip_der_lax[2048];
3645 unsigned char compact_der_lax[64];
3646 size_t len_der_lax = 2048;
3647 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
3648
3649 #ifdef ENABLE_OPENSSL_TESTS
3650 ECDSA_SIG *sig_openssl;
3651 const unsigned char *sigptr;
3652 unsigned char roundtrip_openssl[2048];
3653 int len_openssl = 2048;
3654 int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
3655 #endif
3656
3657 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
3658 if (parsed_der) {
3659 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
3660 valid_der = (memcmp(compact_der, zeroes, 32) != 0) && (memcmp(compact_der + 32, zeroes, 32) != 0);
3661 }
3662 if (valid_der) {
3663 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
3664 roundtrips_der = (len_der == siglen) && memcmp(roundtrip_der, sig, siglen) == 0;
3665 }
3666
3667 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
3668 if (parsed_der_lax) {
3669 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
3670 valid_der_lax = (memcmp(compact_der_lax, zeroes, 32) != 0) && (memcmp(compact_der_lax + 32, zeroes, 32) != 0);
3671 }
3672 if (valid_der_lax) {
3673 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
3674 roundtrips_der_lax = (len_der_lax == siglen) && memcmp(roundtrip_der_lax, sig, siglen) == 0;
3675 }
3676
3677 if (certainly_der) {
3678 ret |= (!parsed_der) << 2;
3679 }
3680 if (certainly_not_der) {
3681 ret |= (parsed_der) << 17;
3682 }
3683 if (valid_der) {
3684 ret |= (!roundtrips_der) << 3;
3685 }
3686
3687 if (valid_der) {
3688 ret |= (!roundtrips_der_lax) << 12;
3689 ret |= (len_der != len_der_lax) << 13;
3690 ret |= (memcmp(roundtrip_der_lax, roundtrip_der, len_der) != 0) << 14;
3691 }
3692 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
3693 if (parsed_der) {
3694 ret |= (!parsed_der_lax) << 16;
3695 }
3696
3697 #ifdef ENABLE_OPENSSL_TESTS
3698 sig_openssl = ECDSA_SIG_new();
3699 sigptr = sig;
3700 parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
3701 if (parsed_openssl) {
3702 valid_openssl = !BN_is_negative(sig_openssl->r) && !BN_is_negative(sig_openssl->s) && BN_num_bits(sig_openssl->r) > 0 && BN_num_bits(sig_openssl->r) <= 256 && BN_num_bits(sig_openssl->s) > 0 && BN_num_bits(sig_openssl->s) <= 256;
3703 if (valid_openssl) {
3704 unsigned char tmp[32] = {0};
3705 BN_bn2bin(sig_openssl->r, tmp + 32 - BN_num_bytes(sig_openssl->r));
3706 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
3707 }
3708 if (valid_openssl) {
3709 unsigned char tmp[32] = {0};
3710 BN_bn2bin(sig_openssl->s, tmp + 32 - BN_num_bytes(sig_openssl->s));
3711 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
3712 }
3713 }
3714 len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
3715 if (len_openssl <= 2048) {
3716 unsigned char *ptr = roundtrip_openssl;
3717 CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
3718 roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (memcmp(roundtrip_openssl, sig, siglen) == 0);
3719 } else {
3720 len_openssl = 0;
3721 }
3722 ECDSA_SIG_free(sig_openssl);
3723
3724 ret |= (parsed_der && !parsed_openssl) << 4;
3725 ret |= (valid_der && !valid_openssl) << 5;
3726 ret |= (roundtrips_openssl && !parsed_der) << 6;
3727 ret |= (roundtrips_der != roundtrips_openssl) << 7;
3728 if (roundtrips_openssl) {
3729 ret |= (len_der != (size_t)len_openssl) << 8;
3730 ret |= (memcmp(roundtrip_der, roundtrip_openssl, len_der) != 0) << 9;
3731 }
3732 #endif
3733 return ret;
3734 }
3735
assign_big_endian(unsigned char * ptr,size_t ptrlen,uint32_t val)3736 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
3737 size_t i;
3738 for (i = 0; i < ptrlen; i++) {
3739 int shift = ptrlen - 1 - i;
3740 if (shift >= 4) {
3741 ptr[i] = 0;
3742 } else {
3743 ptr[i] = (val >> shift) & 0xFF;
3744 }
3745 }
3746 }
3747
damage_array(unsigned char * sig,size_t * len)3748 static void damage_array(unsigned char *sig, size_t *len) {
3749 int pos;
3750 int action = secp256k1_rand_bits(3);
3751 if (action < 1 && *len > 3) {
3752 /* Delete a byte. */
3753 pos = secp256k1_rand_int(*len);
3754 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
3755 (*len)--;
3756 return;
3757 } else if (action < 2 && *len < 2048) {
3758 /* Insert a byte. */
3759 pos = secp256k1_rand_int(1 + *len);
3760 memmove(sig + pos + 1, sig + pos, *len - pos);
3761 sig[pos] = secp256k1_rand_bits(8);
3762 (*len)++;
3763 return;
3764 } else if (action < 4) {
3765 /* Modify a byte. */
3766 sig[secp256k1_rand_int(*len)] += 1 + secp256k1_rand_int(255);
3767 return;
3768 } else { /* action < 8 */
3769 /* Modify a bit. */
3770 sig[secp256k1_rand_int(*len)] ^= 1 << secp256k1_rand_bits(3);
3771 return;
3772 }
3773 }
3774
random_ber_signature(unsigned char * sig,size_t * len,int * certainly_der,int * certainly_not_der)3775 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
3776 int der;
3777 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
3778 size_t tlen, elen, glen;
3779 int indet;
3780 int n;
3781
3782 *len = 0;
3783 der = secp256k1_rand_bits(2) == 0;
3784 *certainly_der = der;
3785 *certainly_not_der = 0;
3786 indet = der ? 0 : secp256k1_rand_int(10) == 0;
3787
3788 for (n = 0; n < 2; n++) {
3789 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
3790 nlow[n] = der ? 1 : (secp256k1_rand_bits(3) != 0);
3791 /* The length of the number in bytes (the first byte of which will always be nonzero) */
3792 nlen[n] = nlow[n] ? secp256k1_rand_int(33) : 32 + secp256k1_rand_int(200) * secp256k1_rand_int(8) / 8;
3793 CHECK(nlen[n] <= 232);
3794 /* The top bit of the number. */
3795 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_rand_bits(1));
3796 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
3797 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_rand_bits(7) : 1 + secp256k1_rand_int(127));
3798 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
3799 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_rand_int(3) : secp256k1_rand_int(300 - nlen[n]) * secp256k1_rand_int(8) / 8);
3800 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
3801 *certainly_not_der = 1;
3802 }
3803 CHECK(nlen[n] + nzlen[n] <= 300);
3804 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
3805 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
3806 if (!der) {
3807 /* nlenlen[n] max 127 bytes */
3808 int add = secp256k1_rand_int(127 - nlenlen[n]) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
3809 nlenlen[n] += add;
3810 if (add != 0) {
3811 *certainly_not_der = 1;
3812 }
3813 }
3814 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
3815 }
3816
3817 /* The total length of the data to go, so far */
3818 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
3819 CHECK(tlen <= 856);
3820
3821 /* The length of the garbage inside the tuple. */
3822 elen = (der || indet) ? 0 : secp256k1_rand_int(980 - tlen) * secp256k1_rand_int(8) / 8;
3823 if (elen != 0) {
3824 *certainly_not_der = 1;
3825 }
3826 tlen += elen;
3827 CHECK(tlen <= 980);
3828
3829 /* The length of the garbage after the end of the tuple. */
3830 glen = der ? 0 : secp256k1_rand_int(990 - tlen) * secp256k1_rand_int(8) / 8;
3831 if (glen != 0) {
3832 *certainly_not_der = 1;
3833 }
3834 CHECK(tlen + glen <= 990);
3835
3836 /* Write the tuple header. */
3837 sig[(*len)++] = 0x30;
3838 if (indet) {
3839 /* Indeterminate length */
3840 sig[(*len)++] = 0x80;
3841 *certainly_not_der = 1;
3842 } else {
3843 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
3844 if (!der) {
3845 int add = secp256k1_rand_int(127 - tlenlen) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
3846 tlenlen += add;
3847 if (add != 0) {
3848 *certainly_not_der = 1;
3849 }
3850 }
3851 if (tlenlen == 0) {
3852 /* Short length notation */
3853 sig[(*len)++] = tlen;
3854 } else {
3855 /* Long length notation */
3856 sig[(*len)++] = 128 + tlenlen;
3857 assign_big_endian(sig + *len, tlenlen, tlen);
3858 *len += tlenlen;
3859 }
3860 tlen += tlenlen;
3861 }
3862 tlen += 2;
3863 CHECK(tlen + glen <= 1119);
3864
3865 for (n = 0; n < 2; n++) {
3866 /* Write the integer header. */
3867 sig[(*len)++] = 0x02;
3868 if (nlenlen[n] == 0) {
3869 /* Short length notation */
3870 sig[(*len)++] = nlen[n] + nzlen[n];
3871 } else {
3872 /* Long length notation. */
3873 sig[(*len)++] = 128 + nlenlen[n];
3874 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
3875 *len += nlenlen[n];
3876 }
3877 /* Write zero padding */
3878 while (nzlen[n] > 0) {
3879 sig[(*len)++] = 0x00;
3880 nzlen[n]--;
3881 }
3882 if (nlen[n] == 32 && !nlow[n]) {
3883 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
3884 int i;
3885 for (i = 0; i < 16; i++) {
3886 sig[(*len)++] = 0xFF;
3887 }
3888 nlen[n] -= 16;
3889 }
3890 /* Write first byte of number */
3891 if (nlen[n] > 0) {
3892 sig[(*len)++] = nhbyte[n];
3893 nlen[n]--;
3894 }
3895 /* Generate remaining random bytes of number */
3896 secp256k1_rand_bytes_test(sig + *len, nlen[n]);
3897 *len += nlen[n];
3898 nlen[n] = 0;
3899 }
3900
3901 /* Generate random garbage inside tuple. */
3902 secp256k1_rand_bytes_test(sig + *len, elen);
3903 *len += elen;
3904
3905 /* Generate end-of-contents bytes. */
3906 if (indet) {
3907 sig[(*len)++] = 0;
3908 sig[(*len)++] = 0;
3909 tlen += 2;
3910 }
3911 CHECK(tlen + glen <= 1121);
3912
3913 /* Generate random garbage outside tuple. */
3914 secp256k1_rand_bytes_test(sig + *len, glen);
3915 *len += glen;
3916 tlen += glen;
3917 CHECK(tlen <= 1121);
3918 CHECK(tlen == *len);
3919 }
3920
run_ecdsa_der_parse(void)3921 void run_ecdsa_der_parse(void) {
3922 int i,j;
3923 for (i = 0; i < 200 * count; i++) {
3924 unsigned char buffer[2048];
3925 size_t buflen = 0;
3926 int certainly_der = 0;
3927 int certainly_not_der = 0;
3928 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
3929 CHECK(buflen <= 2048);
3930 for (j = 0; j < 16; j++) {
3931 int ret = 0;
3932 if (j > 0) {
3933 damage_array(buffer, &buflen);
3934 /* We don't know anything anymore about the DERness of the result */
3935 certainly_der = 0;
3936 certainly_not_der = 0;
3937 }
3938 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
3939 if (ret != 0) {
3940 size_t k;
3941 fprintf(stderr, "Failure %x on ", ret);
3942 for (k = 0; k < buflen; k++) {
3943 fprintf(stderr, "%02x ", buffer[k]);
3944 }
3945 fprintf(stderr, "\n");
3946 }
3947 CHECK(ret == 0);
3948 }
3949 }
3950 }
3951
3952 /* Tests several edge cases. */
test_ecdsa_edge_cases(void)3953 void test_ecdsa_edge_cases(void) {
3954 int t;
3955 secp256k1_ecdsa_signature sig;
3956
3957 /* Test the case where ECDSA recomputes a point that is infinity. */
3958 {
3959 secp256k1_gej keyj;
3960 secp256k1_ge key;
3961 secp256k1_scalar msg;
3962 secp256k1_scalar sr, ss;
3963 secp256k1_scalar_set_int(&ss, 1);
3964 secp256k1_scalar_negate(&ss, &ss);
3965 secp256k1_scalar_inverse(&ss, &ss);
3966 secp256k1_scalar_set_int(&sr, 1);
3967 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
3968 secp256k1_ge_set_gej(&key, &keyj);
3969 msg = ss;
3970 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
3971 }
3972
3973 /* Verify signature with r of zero fails. */
3974 {
3975 const unsigned char pubkey_mods_zero[33] = {
3976 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3977 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3978 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
3979 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
3980 0x41
3981 };
3982 secp256k1_ge key;
3983 secp256k1_scalar msg;
3984 secp256k1_scalar sr, ss;
3985 secp256k1_scalar_set_int(&ss, 1);
3986 secp256k1_scalar_set_int(&msg, 0);
3987 secp256k1_scalar_set_int(&sr, 0);
3988 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
3989 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
3990 }
3991
3992 /* Verify signature with s of zero fails. */
3993 {
3994 const unsigned char pubkey[33] = {
3995 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3996 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3997 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3998 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3999 0x01
4000 };
4001 secp256k1_ge key;
4002 secp256k1_scalar msg;
4003 secp256k1_scalar sr, ss;
4004 secp256k1_scalar_set_int(&ss, 0);
4005 secp256k1_scalar_set_int(&msg, 0);
4006 secp256k1_scalar_set_int(&sr, 1);
4007 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4008 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4009 }
4010
4011 /* Verify signature with message 0 passes. */
4012 {
4013 const unsigned char pubkey[33] = {
4014 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4015 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4016 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4017 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4018 0x02
4019 };
4020 const unsigned char pubkey2[33] = {
4021 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4022 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4023 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4024 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4025 0x43
4026 };
4027 secp256k1_ge key;
4028 secp256k1_ge key2;
4029 secp256k1_scalar msg;
4030 secp256k1_scalar sr, ss;
4031 secp256k1_scalar_set_int(&ss, 2);
4032 secp256k1_scalar_set_int(&msg, 0);
4033 secp256k1_scalar_set_int(&sr, 2);
4034 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4035 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4036 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4037 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4038 secp256k1_scalar_negate(&ss, &ss);
4039 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4040 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4041 secp256k1_scalar_set_int(&ss, 1);
4042 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4043 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4044 }
4045
4046 /* Verify signature with message 1 passes. */
4047 {
4048 const unsigned char pubkey[33] = {
4049 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
4050 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
4051 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
4052 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
4053 0x25
4054 };
4055 const unsigned char pubkey2[33] = {
4056 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
4057 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
4058 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
4059 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
4060 0x62
4061 };
4062 const unsigned char csr[32] = {
4063 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4064 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4065 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4066 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
4067 };
4068 secp256k1_ge key;
4069 secp256k1_ge key2;
4070 secp256k1_scalar msg;
4071 secp256k1_scalar sr, ss;
4072 secp256k1_scalar_set_int(&ss, 1);
4073 secp256k1_scalar_set_int(&msg, 1);
4074 secp256k1_scalar_set_b32(&sr, csr, NULL);
4075 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4076 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4077 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4078 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4079 secp256k1_scalar_negate(&ss, &ss);
4080 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4081 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4082 secp256k1_scalar_set_int(&ss, 2);
4083 secp256k1_scalar_inverse_var(&ss, &ss);
4084 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4085 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4086 }
4087
4088 /* Verify signature with message -1 passes. */
4089 {
4090 const unsigned char pubkey[33] = {
4091 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
4092 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
4093 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
4094 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
4095 0xf1
4096 };
4097 const unsigned char csr[32] = {
4098 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4099 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4100 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4101 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
4102 };
4103 secp256k1_ge key;
4104 secp256k1_scalar msg;
4105 secp256k1_scalar sr, ss;
4106 secp256k1_scalar_set_int(&ss, 1);
4107 secp256k1_scalar_set_int(&msg, 1);
4108 secp256k1_scalar_negate(&msg, &msg);
4109 secp256k1_scalar_set_b32(&sr, csr, NULL);
4110 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4111 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4112 secp256k1_scalar_negate(&ss, &ss);
4113 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4114 secp256k1_scalar_set_int(&ss, 3);
4115 secp256k1_scalar_inverse_var(&ss, &ss);
4116 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4117 }
4118
4119 /* Signature where s would be zero. */
4120 {
4121 secp256k1_pubkey pubkey;
4122 size_t siglen;
4123 int32_t ecount;
4124 unsigned char signature[72];
4125 static const unsigned char nonce[32] = {
4126 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4127 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4128 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4129 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4130 };
4131 static const unsigned char nonce2[32] = {
4132 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4133 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4134 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4135 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
4136 };
4137 const unsigned char key[32] = {
4138 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4139 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4140 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4141 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4142 };
4143 unsigned char msg[32] = {
4144 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
4145 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
4146 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
4147 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
4148 };
4149 ecount = 0;
4150 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4151 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
4152 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
4153 msg[31] = 0xaa;
4154 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
4155 CHECK(ecount == 0);
4156 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
4157 CHECK(ecount == 1);
4158 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
4159 CHECK(ecount == 2);
4160 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
4161 CHECK(ecount == 3);
4162 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
4163 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
4164 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
4165 CHECK(ecount == 4);
4166 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
4167 CHECK(ecount == 5);
4168 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
4169 CHECK(ecount == 6);
4170 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
4171 CHECK(ecount == 6);
4172 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4173 CHECK(ecount == 7);
4174 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
4175 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
4176 CHECK(ecount == 8);
4177 siglen = 72;
4178 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
4179 CHECK(ecount == 9);
4180 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
4181 CHECK(ecount == 10);
4182 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
4183 CHECK(ecount == 11);
4184 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
4185 CHECK(ecount == 11);
4186 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
4187 CHECK(ecount == 12);
4188 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
4189 CHECK(ecount == 13);
4190 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
4191 CHECK(ecount == 13);
4192 siglen = 10;
4193 /* Too little room for a signature does not fail via ARGCHECK. */
4194 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
4195 CHECK(ecount == 13);
4196 ecount = 0;
4197 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
4198 CHECK(ecount == 1);
4199 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
4200 CHECK(ecount == 2);
4201 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
4202 CHECK(ecount == 3);
4203 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
4204 CHECK(ecount == 3);
4205 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
4206 CHECK(ecount == 4);
4207 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
4208 CHECK(ecount == 5);
4209 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
4210 CHECK(ecount == 5);
4211 memset(signature, 255, 64);
4212 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
4213 CHECK(ecount == 5);
4214 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4215 }
4216
4217 /* Nonce function corner cases. */
4218 for (t = 0; t < 2; t++) {
4219 static const unsigned char zero[32] = {0x00};
4220 int i;
4221 unsigned char key[32];
4222 unsigned char msg[32];
4223 secp256k1_ecdsa_signature sig2;
4224 secp256k1_scalar sr[512], ss;
4225 const unsigned char *extra;
4226 extra = t == 0 ? NULL : zero;
4227 memset(msg, 0, 32);
4228 msg[31] = 1;
4229 /* High key results in signature failure. */
4230 memset(key, 0xFF, 32);
4231 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
4232 CHECK(is_empty_signature(&sig));
4233 /* Zero key results in signature failure. */
4234 memset(key, 0, 32);
4235 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
4236 CHECK(is_empty_signature(&sig));
4237 /* Nonce function failure results in signature failure. */
4238 key[31] = 1;
4239 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
4240 CHECK(is_empty_signature(&sig));
4241 /* The retry loop successfully makes its way to the first good value. */
4242 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
4243 CHECK(!is_empty_signature(&sig));
4244 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
4245 CHECK(!is_empty_signature(&sig2));
4246 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4247 /* The default nonce function is deterministic. */
4248 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4249 CHECK(!is_empty_signature(&sig2));
4250 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4251 /* The default nonce function changes output with different messages. */
4252 for(i = 0; i < 256; i++) {
4253 int j;
4254 msg[0] = i;
4255 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4256 CHECK(!is_empty_signature(&sig2));
4257 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4258 for (j = 0; j < i; j++) {
4259 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4260 }
4261 }
4262 msg[0] = 0;
4263 msg[31] = 2;
4264 /* The default nonce function changes output with different keys. */
4265 for(i = 256; i < 512; i++) {
4266 int j;
4267 key[0] = i - 256;
4268 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4269 CHECK(!is_empty_signature(&sig2));
4270 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4271 for (j = 0; j < i; j++) {
4272 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4273 }
4274 }
4275 key[0] = 0;
4276 }
4277
4278 {
4279 /* Check that optional nonce arguments do not have equivalent effect. */
4280 const unsigned char zeros[32] = {0};
4281 unsigned char nonce[32];
4282 unsigned char nonce2[32];
4283 unsigned char nonce3[32];
4284 unsigned char nonce4[32];
4285 VG_UNDEF(nonce,32);
4286 VG_UNDEF(nonce2,32);
4287 VG_UNDEF(nonce3,32);
4288 VG_UNDEF(nonce4,32);
4289 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
4290 VG_CHECK(nonce,32);
4291 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
4292 VG_CHECK(nonce2,32);
4293 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
4294 VG_CHECK(nonce3,32);
4295 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
4296 VG_CHECK(nonce4,32);
4297 CHECK(memcmp(nonce, nonce2, 32) != 0);
4298 CHECK(memcmp(nonce, nonce3, 32) != 0);
4299 CHECK(memcmp(nonce, nonce4, 32) != 0);
4300 CHECK(memcmp(nonce2, nonce3, 32) != 0);
4301 CHECK(memcmp(nonce2, nonce4, 32) != 0);
4302 CHECK(memcmp(nonce3, nonce4, 32) != 0);
4303 }
4304
4305
4306 /* Privkey export where pubkey is the point at infinity. */
4307 {
4308 unsigned char privkey[300];
4309 unsigned char seckey[32] = {
4310 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4311 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4312 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4313 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
4314 };
4315 size_t outlen = 300;
4316 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
4317 outlen = 300;
4318 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
4319 }
4320 }
4321
run_ecdsa_edge_cases(void)4322 void run_ecdsa_edge_cases(void) {
4323 test_ecdsa_edge_cases();
4324 }
4325
4326 #ifdef ENABLE_OPENSSL_TESTS
get_openssl_key(const unsigned char * key32)4327 EC_KEY *get_openssl_key(const unsigned char *key32) {
4328 unsigned char privkey[300];
4329 size_t privkeylen;
4330 const unsigned char* pbegin = privkey;
4331 int compr = secp256k1_rand_bits(1);
4332 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
4333 CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
4334 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
4335 CHECK(EC_KEY_check_key(ec_key));
4336 return ec_key;
4337 }
4338
test_ecdsa_openssl(void)4339 void test_ecdsa_openssl(void) {
4340 secp256k1_gej qj;
4341 secp256k1_ge q;
4342 secp256k1_scalar sigr, sigs;
4343 secp256k1_scalar one;
4344 secp256k1_scalar msg2;
4345 secp256k1_scalar key, msg;
4346 EC_KEY *ec_key;
4347 unsigned int sigsize = 80;
4348 size_t secp_sigsize = 80;
4349 unsigned char message[32];
4350 unsigned char signature[80];
4351 unsigned char key32[32];
4352 secp256k1_rand256_test(message);
4353 secp256k1_scalar_set_b32(&msg, message, NULL);
4354 random_scalar_order_test(&key);
4355 secp256k1_scalar_get_b32(key32, &key);
4356 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
4357 secp256k1_ge_set_gej(&q, &qj);
4358 ec_key = get_openssl_key(key32);
4359 CHECK(ec_key != NULL);
4360 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
4361 CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
4362 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
4363 secp256k1_scalar_set_int(&one, 1);
4364 secp256k1_scalar_add(&msg2, &msg, &one);
4365 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
4366
4367 random_sign(&sigr, &sigs, &key, &msg, NULL);
4368 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
4369 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
4370
4371 EC_KEY_free(ec_key);
4372 }
4373
run_ecdsa_openssl(void)4374 void run_ecdsa_openssl(void) {
4375 int i;
4376 for (i = 0; i < 10*count; i++) {
4377 test_ecdsa_openssl();
4378 }
4379 }
4380 #endif
4381
4382 #ifdef ENABLE_MODULE_ECDH
4383 # include "modules/ecdh/tests_impl.h"
4384 #endif
4385
4386 #ifdef ENABLE_MODULE_SCHNORR
4387 # include "modules/schnorr/tests_impl.h"
4388 #endif
4389
4390 #ifdef ENABLE_MODULE_RECOVERY
4391 # include "modules/recovery/tests_impl.h"
4392 #endif
4393
main(int argc,char ** argv)4394 int main(int argc, char **argv) {
4395 unsigned char seed16[16] = {0};
4396 unsigned char run32[32] = {0};
4397 /* find iteration count */
4398 if (argc > 1) {
4399 count = strtol(argv[1], NULL, 0);
4400 }
4401
4402 /* find random seed */
4403 if (argc > 2) {
4404 int pos = 0;
4405 const char* ch = argv[2];
4406 while (pos < 16 && ch[0] != 0 && ch[1] != 0) {
4407 unsigned short sh;
4408 if (sscanf(ch, "%2hx", &sh)) {
4409 seed16[pos] = sh;
4410 } else {
4411 break;
4412 }
4413 ch += 2;
4414 pos++;
4415 }
4416 } else {
4417 FILE *frand = fopen("/dev/urandom", "r");
4418 if ((frand == NULL) || !fread(&seed16, sizeof(seed16), 1, frand)) {
4419 uint64_t t = time(NULL) * (uint64_t)1337;
4420 seed16[0] ^= t;
4421 seed16[1] ^= t >> 8;
4422 seed16[2] ^= t >> 16;
4423 seed16[3] ^= t >> 24;
4424 seed16[4] ^= t >> 32;
4425 seed16[5] ^= t >> 40;
4426 seed16[6] ^= t >> 48;
4427 seed16[7] ^= t >> 56;
4428 }
4429 fclose(frand);
4430 }
4431 secp256k1_rand_seed(seed16);
4432
4433 printf("test count = %i\n", count);
4434 printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]);
4435
4436 /* initialize */
4437 run_context_tests();
4438 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
4439 if (secp256k1_rand_bits(1)) {
4440 secp256k1_rand256(run32);
4441 CHECK(secp256k1_context_randomize(ctx, secp256k1_rand_bits(1) ? run32 : NULL));
4442 }
4443
4444 run_rand_bits();
4445 run_rand_int();
4446
4447 run_sha256_tests();
4448 run_hmac_sha256_tests();
4449 run_rfc6979_hmac_sha256_tests();
4450
4451 #ifndef USE_NUM_NONE
4452 /* num tests */
4453 run_num_smalltests();
4454 #endif
4455
4456 /* scalar tests */
4457 run_scalar_tests();
4458
4459 /* field tests */
4460 run_field_inv();
4461 run_field_inv_var();
4462 run_field_inv_all_var();
4463 run_field_misc();
4464 run_field_convert();
4465 run_sqr();
4466 run_sqrt();
4467
4468 /* group tests */
4469 run_ge();
4470 run_group_decompress();
4471
4472 /* ecmult tests */
4473 run_wnaf();
4474 run_point_times_order();
4475 run_ecmult_chain();
4476 run_ecmult_constants();
4477 run_ecmult_gen_blind();
4478 run_ecmult_const_tests();
4479 run_ec_combine();
4480
4481 /* endomorphism tests */
4482 #ifdef USE_ENDOMORPHISM
4483 run_endomorphism_tests();
4484 #endif
4485
4486 /* EC point parser test */
4487 run_ec_pubkey_parse_test();
4488
4489 /* EC key edge cases */
4490 run_eckey_edge_case_test();
4491
4492 #ifdef ENABLE_MODULE_ECDH
4493 /* ecdh tests */
4494 run_ecdh_tests();
4495 #endif
4496
4497 /* ecdsa tests */
4498 run_random_pubkeys();
4499 run_ecdsa_der_parse();
4500 run_ecdsa_sign_verify();
4501 run_ecdsa_end_to_end();
4502 run_ecdsa_edge_cases();
4503 #ifdef ENABLE_OPENSSL_TESTS
4504 run_ecdsa_openssl();
4505 #endif
4506
4507 #ifdef ENABLE_MODULE_SCHNORR
4508 /* Schnorr tests */
4509 run_schnorr_tests();
4510 #endif
4511
4512 #ifdef ENABLE_MODULE_RECOVERY
4513 /* ECDSA pubkey recovery tests */
4514 run_recovery_tests();
4515 #endif
4516
4517 secp256k1_rand256(run32);
4518 printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]);
4519
4520 /* shutdown */
4521 secp256k1_context_destroy(ctx);
4522
4523 printf("no problems found\n");
4524 return 0;
4525 }
4526