1 /**********************************************************************
2 * Copyright (c) 2013, 2014, 2015 Pieter Wuille, Gregory Maxwell *
3 * Distributed under the MIT software license, see the accompanying *
4 * file COPYING or http://www.opensource.org/licenses/mit-license.php.*
5 **********************************************************************/
6
7 #if defined HAVE_CONFIG_H
8 #include "libsecp256k1-config.h"
9 #endif
10
11 #include <stdio.h>
12 #include <stdlib.h>
13 #include <string.h>
14
15 #include <time.h>
16
17 #include "secp256k1.c"
18 #include "include/secp256k1.h"
19 #include "testrand_impl.h"
20
21 #ifdef ENABLE_OPENSSL_TESTS
22 #include "openssl/bn.h"
23 #include "openssl/ec.h"
24 #include "openssl/ecdsa.h"
25 #include "openssl/obj_mac.h"
26 # if OPENSSL_VERSION_NUMBER < 0x10100000L
ECDSA_SIG_get0(const ECDSA_SIG * sig,const BIGNUM ** pr,const BIGNUM ** ps)27 void ECDSA_SIG_get0(const ECDSA_SIG *sig, const BIGNUM **pr, const BIGNUM **ps) {*pr = sig->r; *ps = sig->s;}
28 # endif
29 #endif
30
31 #include "contrib/lax_der_parsing.c"
32 #include "contrib/lax_der_privatekey_parsing.c"
33
34 #if !defined(VG_CHECK)
35 # if defined(VALGRIND)
36 # include <valgrind/memcheck.h>
37 # define VG_UNDEF(x,y) VALGRIND_MAKE_MEM_UNDEFINED((x),(y))
38 # define VG_CHECK(x,y) VALGRIND_CHECK_MEM_IS_DEFINED((x),(y))
39 # else
40 # define VG_UNDEF(x,y)
41 # define VG_CHECK(x,y)
42 # endif
43 #endif
44
45 static int count = 64;
46 static secp256k1_context *ctx = NULL;
47
counting_illegal_callback_fn(const char * str,void * data)48 static void counting_illegal_callback_fn(const char* str, void* data) {
49 /* Dummy callback function that just counts. */
50 int32_t *p;
51 (void)str;
52 p = data;
53 (*p)++;
54 }
55
uncounting_illegal_callback_fn(const char * str,void * data)56 static void uncounting_illegal_callback_fn(const char* str, void* data) {
57 /* Dummy callback function that just counts (backwards). */
58 int32_t *p;
59 (void)str;
60 p = data;
61 (*p)--;
62 }
63
random_field_element_test(secp256k1_fe * fe)64 void random_field_element_test(secp256k1_fe *fe) {
65 do {
66 unsigned char b32[32];
67 secp256k1_rand256_test(b32);
68 if (secp256k1_fe_set_b32(fe, b32)) {
69 break;
70 }
71 } while(1);
72 }
73
random_field_element_magnitude(secp256k1_fe * fe)74 void random_field_element_magnitude(secp256k1_fe *fe) {
75 secp256k1_fe zero;
76 int n = secp256k1_rand_int(9);
77 secp256k1_fe_normalize(fe);
78 if (n == 0) {
79 return;
80 }
81 secp256k1_fe_clear(&zero);
82 secp256k1_fe_negate(&zero, &zero, 0);
83 secp256k1_fe_mul_int(&zero, n - 1);
84 secp256k1_fe_add(fe, &zero);
85 VERIFY_CHECK(fe->magnitude == n);
86 }
87
random_group_element_test(secp256k1_ge * ge)88 void random_group_element_test(secp256k1_ge *ge) {
89 secp256k1_fe fe;
90 do {
91 random_field_element_test(&fe);
92 if (secp256k1_ge_set_xo_var(ge, &fe, secp256k1_rand_bits(1))) {
93 secp256k1_fe_normalize(&ge->y);
94 break;
95 }
96 } while(1);
97 }
98
random_group_element_jacobian_test(secp256k1_gej * gej,const secp256k1_ge * ge)99 void random_group_element_jacobian_test(secp256k1_gej *gej, const secp256k1_ge *ge) {
100 secp256k1_fe z2, z3;
101 do {
102 random_field_element_test(&gej->z);
103 if (!secp256k1_fe_is_zero(&gej->z)) {
104 break;
105 }
106 } while(1);
107 secp256k1_fe_sqr(&z2, &gej->z);
108 secp256k1_fe_mul(&z3, &z2, &gej->z);
109 secp256k1_fe_mul(&gej->x, &ge->x, &z2);
110 secp256k1_fe_mul(&gej->y, &ge->y, &z3);
111 gej->infinity = ge->infinity;
112 }
113
random_scalar_order_test(secp256k1_scalar * num)114 void random_scalar_order_test(secp256k1_scalar *num) {
115 do {
116 unsigned char b32[32];
117 int overflow = 0;
118 secp256k1_rand256_test(b32);
119 secp256k1_scalar_set_b32(num, b32, &overflow);
120 if (overflow || secp256k1_scalar_is_zero(num)) {
121 continue;
122 }
123 break;
124 } while(1);
125 }
126
random_scalar_order(secp256k1_scalar * num)127 void random_scalar_order(secp256k1_scalar *num) {
128 do {
129 unsigned char b32[32];
130 int overflow = 0;
131 secp256k1_rand256(b32);
132 secp256k1_scalar_set_b32(num, b32, &overflow);
133 if (overflow || secp256k1_scalar_is_zero(num)) {
134 continue;
135 }
136 break;
137 } while(1);
138 }
139
run_context_tests(void)140 void run_context_tests(void) {
141 secp256k1_pubkey pubkey;
142 secp256k1_pubkey zero_pubkey;
143 secp256k1_ecdsa_signature sig;
144 unsigned char ctmp[32];
145 int32_t ecount;
146 int32_t ecount2;
147 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
148 secp256k1_context *sign = secp256k1_context_create(SECP256K1_CONTEXT_SIGN);
149 secp256k1_context *vrfy = secp256k1_context_create(SECP256K1_CONTEXT_VERIFY);
150 secp256k1_context *both = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
151
152 secp256k1_gej pubj;
153 secp256k1_ge pub;
154 secp256k1_scalar msg, key, nonce;
155 secp256k1_scalar sigr, sigs;
156
157 memset(&zero_pubkey, 0, sizeof(zero_pubkey));
158
159 ecount = 0;
160 ecount2 = 10;
161 secp256k1_context_set_illegal_callback(vrfy, counting_illegal_callback_fn, &ecount);
162 secp256k1_context_set_illegal_callback(sign, counting_illegal_callback_fn, &ecount2);
163 secp256k1_context_set_error_callback(sign, counting_illegal_callback_fn, NULL);
164 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
165
166 /*** clone and destroy all of them to make sure cloning was complete ***/
167 {
168 secp256k1_context *ctx_tmp;
169
170 ctx_tmp = none; none = secp256k1_context_clone(none); secp256k1_context_destroy(ctx_tmp);
171 ctx_tmp = sign; sign = secp256k1_context_clone(sign); secp256k1_context_destroy(ctx_tmp);
172 ctx_tmp = vrfy; vrfy = secp256k1_context_clone(vrfy); secp256k1_context_destroy(ctx_tmp);
173 ctx_tmp = both; both = secp256k1_context_clone(both); secp256k1_context_destroy(ctx_tmp);
174 }
175
176 /* Verify that the error callback makes it across the clone. */
177 CHECK(vrfy->error_callback.fn != sign->error_callback.fn);
178 /* And that it resets back to default. */
179 secp256k1_context_set_error_callback(sign, NULL, NULL);
180 CHECK(vrfy->error_callback.fn == sign->error_callback.fn);
181
182 /*** attempt to use them ***/
183 random_scalar_order_test(&msg);
184 random_scalar_order_test(&key);
185 secp256k1_ecmult_gen(&both->ecmult_gen_ctx, &pubj, &key);
186 secp256k1_ge_set_gej(&pub, &pubj);
187
188 /* Verify context-type checking illegal-argument errors. */
189 memset(ctmp, 1, 32);
190 CHECK(secp256k1_ec_pubkey_create(vrfy, &pubkey, ctmp) == 0);
191 CHECK(ecount == 1);
192 VG_UNDEF(&pubkey, sizeof(pubkey));
193 CHECK(secp256k1_ec_pubkey_create(sign, &pubkey, ctmp) == 1);
194 VG_CHECK(&pubkey, sizeof(pubkey));
195 CHECK(secp256k1_ecdsa_sign(vrfy, &sig, ctmp, ctmp, NULL, NULL) == 0);
196 CHECK(ecount == 2);
197 VG_UNDEF(&sig, sizeof(sig));
198 CHECK(secp256k1_ecdsa_sign(sign, &sig, ctmp, ctmp, NULL, NULL) == 1);
199 VG_CHECK(&sig, sizeof(sig));
200 CHECK(ecount2 == 10);
201 CHECK(secp256k1_ecdsa_verify(sign, &sig, ctmp, &pubkey) == 0);
202 CHECK(ecount2 == 11);
203 CHECK(secp256k1_ecdsa_verify(vrfy, &sig, ctmp, &pubkey) == 1);
204 CHECK(ecount == 2);
205 CHECK(secp256k1_ec_pubkey_tweak_add(sign, &pubkey, ctmp) == 0);
206 CHECK(ecount2 == 12);
207 CHECK(secp256k1_ec_pubkey_tweak_add(vrfy, &pubkey, ctmp) == 1);
208 CHECK(ecount == 2);
209 CHECK(secp256k1_ec_pubkey_tweak_mul(sign, &pubkey, ctmp) == 0);
210 CHECK(ecount2 == 13);
211 CHECK(secp256k1_ec_pubkey_negate(vrfy, &pubkey) == 1);
212 CHECK(ecount == 2);
213 CHECK(secp256k1_ec_pubkey_negate(sign, &pubkey) == 1);
214 CHECK(ecount == 2);
215 CHECK(secp256k1_ec_pubkey_negate(sign, NULL) == 0);
216 CHECK(ecount2 == 14);
217 CHECK(secp256k1_ec_pubkey_negate(vrfy, &zero_pubkey) == 0);
218 CHECK(ecount == 3);
219 CHECK(secp256k1_ec_pubkey_tweak_mul(vrfy, &pubkey, ctmp) == 1);
220 CHECK(ecount == 3);
221 CHECK(secp256k1_context_randomize(vrfy, ctmp) == 1);
222 CHECK(ecount == 3);
223 CHECK(secp256k1_context_randomize(vrfy, NULL) == 1);
224 CHECK(ecount == 3);
225 CHECK(secp256k1_context_randomize(sign, ctmp) == 1);
226 CHECK(ecount2 == 14);
227 CHECK(secp256k1_context_randomize(sign, NULL) == 1);
228 CHECK(ecount2 == 14);
229 secp256k1_context_set_illegal_callback(vrfy, NULL, NULL);
230 secp256k1_context_set_illegal_callback(sign, NULL, NULL);
231
232 /* This shouldn't leak memory, due to already-set tests. */
233 secp256k1_ecmult_gen_context_build(&sign->ecmult_gen_ctx, NULL);
234 secp256k1_ecmult_context_build(&vrfy->ecmult_ctx, NULL);
235
236 /* obtain a working nonce */
237 do {
238 random_scalar_order_test(&nonce);
239 } while(!secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
240
241 /* try signing */
242 CHECK(secp256k1_ecdsa_sig_sign(&sign->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
243 CHECK(secp256k1_ecdsa_sig_sign(&both->ecmult_gen_ctx, &sigr, &sigs, &key, &msg, &nonce, NULL));
244
245 /* try verifying */
246 CHECK(secp256k1_ecdsa_sig_verify(&vrfy->ecmult_ctx, &sigr, &sigs, &pub, &msg));
247 CHECK(secp256k1_ecdsa_sig_verify(&both->ecmult_ctx, &sigr, &sigs, &pub, &msg));
248
249 /* cleanup */
250 secp256k1_context_destroy(none);
251 secp256k1_context_destroy(sign);
252 secp256k1_context_destroy(vrfy);
253 secp256k1_context_destroy(both);
254 /* Defined as no-op. */
255 secp256k1_context_destroy(NULL);
256 }
257
run_scratch_tests(void)258 void run_scratch_tests(void) {
259 int32_t ecount = 0;
260 secp256k1_context *none = secp256k1_context_create(SECP256K1_CONTEXT_NONE);
261 secp256k1_scratch_space *scratch;
262
263 /* Test public API */
264 secp256k1_context_set_illegal_callback(none, counting_illegal_callback_fn, &ecount);
265
266 scratch = secp256k1_scratch_space_create(none, 1000);
267 CHECK(scratch != NULL);
268 CHECK(ecount == 0);
269
270 /* Test internal API */
271 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
272 CHECK(secp256k1_scratch_max_allocation(scratch, 1) < 1000);
273
274 /* Allocating 500 bytes with no frame fails */
275 CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL);
276 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
277
278 /* ...but pushing a new stack frame does affect the max allocation */
279 CHECK(secp256k1_scratch_allocate_frame(scratch, 500, 1 == 1));
280 CHECK(secp256k1_scratch_max_allocation(scratch, 1) < 500); /* 500 - ALIGNMENT */
281 CHECK(secp256k1_scratch_alloc(scratch, 500) != NULL);
282 CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL);
283
284 CHECK(secp256k1_scratch_allocate_frame(scratch, 500, 1) == 0);
285
286 /* ...and this effect is undone by popping the frame */
287 secp256k1_scratch_deallocate_frame(scratch);
288 CHECK(secp256k1_scratch_max_allocation(scratch, 0) == 1000);
289 CHECK(secp256k1_scratch_alloc(scratch, 500) == NULL);
290
291 /* cleanup */
292 secp256k1_scratch_space_destroy(scratch);
293 secp256k1_context_destroy(none);
294 }
295
296 /***** HASH TESTS *****/
297
run_sha256_tests(void)298 void run_sha256_tests(void) {
299 static const char *inputs[8] = {
300 "", "abc", "message digest", "secure hash algorithm", "SHA256 is considered to be safe",
301 "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq",
302 "For this sample, this 63-byte string will be used as input data",
303 "This is exactly 64 bytes long, not counting the terminating byte"
304 };
305 static const unsigned char outputs[8][32] = {
306 {0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55},
307 {0xba, 0x78, 0x16, 0xbf, 0x8f, 0x01, 0xcf, 0xea, 0x41, 0x41, 0x40, 0xde, 0x5d, 0xae, 0x22, 0x23, 0xb0, 0x03, 0x61, 0xa3, 0x96, 0x17, 0x7a, 0x9c, 0xb4, 0x10, 0xff, 0x61, 0xf2, 0x00, 0x15, 0xad},
308 {0xf7, 0x84, 0x6f, 0x55, 0xcf, 0x23, 0xe1, 0x4e, 0xeb, 0xea, 0xb5, 0xb4, 0xe1, 0x55, 0x0c, 0xad, 0x5b, 0x50, 0x9e, 0x33, 0x48, 0xfb, 0xc4, 0xef, 0xa3, 0xa1, 0x41, 0x3d, 0x39, 0x3c, 0xb6, 0x50},
309 {0xf3, 0x0c, 0xeb, 0x2b, 0xb2, 0x82, 0x9e, 0x79, 0xe4, 0xca, 0x97, 0x53, 0xd3, 0x5a, 0x8e, 0xcc, 0x00, 0x26, 0x2d, 0x16, 0x4c, 0xc0, 0x77, 0x08, 0x02, 0x95, 0x38, 0x1c, 0xbd, 0x64, 0x3f, 0x0d},
310 {0x68, 0x19, 0xd9, 0x15, 0xc7, 0x3f, 0x4d, 0x1e, 0x77, 0xe4, 0xe1, 0xb5, 0x2d, 0x1f, 0xa0, 0xf9, 0xcf, 0x9b, 0xea, 0xea, 0xd3, 0x93, 0x9f, 0x15, 0x87, 0x4b, 0xd9, 0x88, 0xe2, 0xa2, 0x36, 0x30},
311 {0x24, 0x8d, 0x6a, 0x61, 0xd2, 0x06, 0x38, 0xb8, 0xe5, 0xc0, 0x26, 0x93, 0x0c, 0x3e, 0x60, 0x39, 0xa3, 0x3c, 0xe4, 0x59, 0x64, 0xff, 0x21, 0x67, 0xf6, 0xec, 0xed, 0xd4, 0x19, 0xdb, 0x06, 0xc1},
312 {0xf0, 0x8a, 0x78, 0xcb, 0xba, 0xee, 0x08, 0x2b, 0x05, 0x2a, 0xe0, 0x70, 0x8f, 0x32, 0xfa, 0x1e, 0x50, 0xc5, 0xc4, 0x21, 0xaa, 0x77, 0x2b, 0xa5, 0xdb, 0xb4, 0x06, 0xa2, 0xea, 0x6b, 0xe3, 0x42},
313 {0xab, 0x64, 0xef, 0xf7, 0xe8, 0x8e, 0x2e, 0x46, 0x16, 0x5e, 0x29, 0xf2, 0xbc, 0xe4, 0x18, 0x26, 0xbd, 0x4c, 0x7b, 0x35, 0x52, 0xf6, 0xb3, 0x82, 0xa9, 0xe7, 0xd3, 0xaf, 0x47, 0xc2, 0x45, 0xf8}
314 };
315 int i;
316 for (i = 0; i < 8; i++) {
317 unsigned char out[32];
318 secp256k1_sha256 hasher;
319 secp256k1_sha256_initialize(&hasher);
320 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
321 secp256k1_sha256_finalize(&hasher, out);
322 CHECK(memcmp(out, outputs[i], 32) == 0);
323 if (strlen(inputs[i]) > 0) {
324 int split = secp256k1_rand_int(strlen(inputs[i]));
325 secp256k1_sha256_initialize(&hasher);
326 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
327 secp256k1_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
328 secp256k1_sha256_finalize(&hasher, out);
329 CHECK(memcmp(out, outputs[i], 32) == 0);
330 }
331 }
332 }
333
run_hmac_sha256_tests(void)334 void run_hmac_sha256_tests(void) {
335 static const char *keys[6] = {
336 "\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b\x0b",
337 "\x4a\x65\x66\x65",
338 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
339 "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19",
340 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa",
341 "\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa"
342 };
343 static const char *inputs[6] = {
344 "\x48\x69\x20\x54\x68\x65\x72\x65",
345 "\x77\x68\x61\x74\x20\x64\x6f\x20\x79\x61\x20\x77\x61\x6e\x74\x20\x66\x6f\x72\x20\x6e\x6f\x74\x68\x69\x6e\x67\x3f",
346 "\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd\xdd",
347 "\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd\xcd",
348 "\x54\x65\x73\x74\x20\x55\x73\x69\x6e\x67\x20\x4c\x61\x72\x67\x65\x72\x20\x54\x68\x61\x6e\x20\x42\x6c\x6f\x63\x6b\x2d\x53\x69\x7a\x65\x20\x4b\x65\x79\x20\x2d\x20\x48\x61\x73\x68\x20\x4b\x65\x79\x20\x46\x69\x72\x73\x74",
349 "\x54\x68\x69\x73\x20\x69\x73\x20\x61\x20\x74\x65\x73\x74\x20\x75\x73\x69\x6e\x67\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x6b\x65\x79\x20\x61\x6e\x64\x20\x61\x20\x6c\x61\x72\x67\x65\x72\x20\x74\x68\x61\x6e\x20\x62\x6c\x6f\x63\x6b\x2d\x73\x69\x7a\x65\x20\x64\x61\x74\x61\x2e\x20\x54\x68\x65\x20\x6b\x65\x79\x20\x6e\x65\x65\x64\x73\x20\x74\x6f\x20\x62\x65\x20\x68\x61\x73\x68\x65\x64\x20\x62\x65\x66\x6f\x72\x65\x20\x62\x65\x69\x6e\x67\x20\x75\x73\x65\x64\x20\x62\x79\x20\x74\x68\x65\x20\x48\x4d\x41\x43\x20\x61\x6c\x67\x6f\x72\x69\x74\x68\x6d\x2e"
350 };
351 static const unsigned char outputs[6][32] = {
352 {0xb0, 0x34, 0x4c, 0x61, 0xd8, 0xdb, 0x38, 0x53, 0x5c, 0xa8, 0xaf, 0xce, 0xaf, 0x0b, 0xf1, 0x2b, 0x88, 0x1d, 0xc2, 0x00, 0xc9, 0x83, 0x3d, 0xa7, 0x26, 0xe9, 0x37, 0x6c, 0x2e, 0x32, 0xcf, 0xf7},
353 {0x5b, 0xdc, 0xc1, 0x46, 0xbf, 0x60, 0x75, 0x4e, 0x6a, 0x04, 0x24, 0x26, 0x08, 0x95, 0x75, 0xc7, 0x5a, 0x00, 0x3f, 0x08, 0x9d, 0x27, 0x39, 0x83, 0x9d, 0xec, 0x58, 0xb9, 0x64, 0xec, 0x38, 0x43},
354 {0x77, 0x3e, 0xa9, 0x1e, 0x36, 0x80, 0x0e, 0x46, 0x85, 0x4d, 0xb8, 0xeb, 0xd0, 0x91, 0x81, 0xa7, 0x29, 0x59, 0x09, 0x8b, 0x3e, 0xf8, 0xc1, 0x22, 0xd9, 0x63, 0x55, 0x14, 0xce, 0xd5, 0x65, 0xfe},
355 {0x82, 0x55, 0x8a, 0x38, 0x9a, 0x44, 0x3c, 0x0e, 0xa4, 0xcc, 0x81, 0x98, 0x99, 0xf2, 0x08, 0x3a, 0x85, 0xf0, 0xfa, 0xa3, 0xe5, 0x78, 0xf8, 0x07, 0x7a, 0x2e, 0x3f, 0xf4, 0x67, 0x29, 0x66, 0x5b},
356 {0x60, 0xe4, 0x31, 0x59, 0x1e, 0xe0, 0xb6, 0x7f, 0x0d, 0x8a, 0x26, 0xaa, 0xcb, 0xf5, 0xb7, 0x7f, 0x8e, 0x0b, 0xc6, 0x21, 0x37, 0x28, 0xc5, 0x14, 0x05, 0x46, 0x04, 0x0f, 0x0e, 0xe3, 0x7f, 0x54},
357 {0x9b, 0x09, 0xff, 0xa7, 0x1b, 0x94, 0x2f, 0xcb, 0x27, 0x63, 0x5f, 0xbc, 0xd5, 0xb0, 0xe9, 0x44, 0xbf, 0xdc, 0x63, 0x64, 0x4f, 0x07, 0x13, 0x93, 0x8a, 0x7f, 0x51, 0x53, 0x5c, 0x3a, 0x35, 0xe2}
358 };
359 int i;
360 for (i = 0; i < 6; i++) {
361 secp256k1_hmac_sha256 hasher;
362 unsigned char out[32];
363 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
364 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), strlen(inputs[i]));
365 secp256k1_hmac_sha256_finalize(&hasher, out);
366 CHECK(memcmp(out, outputs[i], 32) == 0);
367 if (strlen(inputs[i]) > 0) {
368 int split = secp256k1_rand_int(strlen(inputs[i]));
369 secp256k1_hmac_sha256_initialize(&hasher, (const unsigned char*)(keys[i]), strlen(keys[i]));
370 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i]), split);
371 secp256k1_hmac_sha256_write(&hasher, (const unsigned char*)(inputs[i] + split), strlen(inputs[i]) - split);
372 secp256k1_hmac_sha256_finalize(&hasher, out);
373 CHECK(memcmp(out, outputs[i], 32) == 0);
374 }
375 }
376 }
377
run_rfc6979_hmac_sha256_tests(void)378 void run_rfc6979_hmac_sha256_tests(void) {
379 static const unsigned char key1[65] = {0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x00, 0x4b, 0xf5, 0x12, 0x2f, 0x34, 0x45, 0x54, 0xc5, 0x3b, 0xde, 0x2e, 0xbb, 0x8c, 0xd2, 0xb7, 0xe3, 0xd1, 0x60, 0x0a, 0xd6, 0x31, 0xc3, 0x85, 0xa5, 0xd7, 0xcc, 0xe2, 0x3c, 0x77, 0x85, 0x45, 0x9a, 0};
380 static const unsigned char out1[3][32] = {
381 {0x4f, 0xe2, 0x95, 0x25, 0xb2, 0x08, 0x68, 0x09, 0x15, 0x9a, 0xcd, 0xf0, 0x50, 0x6e, 0xfb, 0x86, 0xb0, 0xec, 0x93, 0x2c, 0x7b, 0xa4, 0x42, 0x56, 0xab, 0x32, 0x1e, 0x42, 0x1e, 0x67, 0xe9, 0xfb},
382 {0x2b, 0xf0, 0xff, 0xf1, 0xd3, 0xc3, 0x78, 0xa2, 0x2d, 0xc5, 0xde, 0x1d, 0x85, 0x65, 0x22, 0x32, 0x5c, 0x65, 0xb5, 0x04, 0x49, 0x1a, 0x0c, 0xbd, 0x01, 0xcb, 0x8f, 0x3a, 0xa6, 0x7f, 0xfd, 0x4a},
383 {0xf5, 0x28, 0xb4, 0x10, 0xcb, 0x54, 0x1f, 0x77, 0x00, 0x0d, 0x7a, 0xfb, 0x6c, 0x5b, 0x53, 0xc5, 0xc4, 0x71, 0xea, 0xb4, 0x3e, 0x46, 0x6d, 0x9a, 0xc5, 0x19, 0x0c, 0x39, 0xc8, 0x2f, 0xd8, 0x2e}
384 };
385
386 static const unsigned char key2[64] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xe3, 0xb0, 0xc4, 0x42, 0x98, 0xfc, 0x1c, 0x14, 0x9a, 0xfb, 0xf4, 0xc8, 0x99, 0x6f, 0xb9, 0x24, 0x27, 0xae, 0x41, 0xe4, 0x64, 0x9b, 0x93, 0x4c, 0xa4, 0x95, 0x99, 0x1b, 0x78, 0x52, 0xb8, 0x55};
387 static const unsigned char out2[3][32] = {
388 {0x9c, 0x23, 0x6c, 0x16, 0x5b, 0x82, 0xae, 0x0c, 0xd5, 0x90, 0x65, 0x9e, 0x10, 0x0b, 0x6b, 0xab, 0x30, 0x36, 0xe7, 0xba, 0x8b, 0x06, 0x74, 0x9b, 0xaf, 0x69, 0x81, 0xe1, 0x6f, 0x1a, 0x2b, 0x95},
389 {0xdf, 0x47, 0x10, 0x61, 0x62, 0x5b, 0xc0, 0xea, 0x14, 0xb6, 0x82, 0xfe, 0xee, 0x2c, 0x9c, 0x02, 0xf2, 0x35, 0xda, 0x04, 0x20, 0x4c, 0x1d, 0x62, 0xa1, 0x53, 0x6c, 0x6e, 0x17, 0xae, 0xd7, 0xa9},
390 {0x75, 0x97, 0x88, 0x7c, 0xbd, 0x76, 0x32, 0x1f, 0x32, 0xe3, 0x04, 0x40, 0x67, 0x9a, 0x22, 0xcf, 0x7f, 0x8d, 0x9d, 0x2e, 0xac, 0x39, 0x0e, 0x58, 0x1f, 0xea, 0x09, 0x1c, 0xe2, 0x02, 0xba, 0x94}
391 };
392
393 secp256k1_rfc6979_hmac_sha256 rng;
394 unsigned char out[32];
395 int i;
396
397 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 64);
398 for (i = 0; i < 3; i++) {
399 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
400 CHECK(memcmp(out, out1[i], 32) == 0);
401 }
402 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
403
404 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key1, 65);
405 for (i = 0; i < 3; i++) {
406 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
407 CHECK(memcmp(out, out1[i], 32) != 0);
408 }
409 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
410
411 secp256k1_rfc6979_hmac_sha256_initialize(&rng, key2, 64);
412 for (i = 0; i < 3; i++) {
413 secp256k1_rfc6979_hmac_sha256_generate(&rng, out, 32);
414 CHECK(memcmp(out, out2[i], 32) == 0);
415 }
416 secp256k1_rfc6979_hmac_sha256_finalize(&rng);
417 }
418
419 /***** RANDOM TESTS *****/
420
test_rand_bits(int rand32,int bits)421 void test_rand_bits(int rand32, int bits) {
422 /* (1-1/2^B)^rounds[B] < 1/10^9, so rounds is the number of iterations to
423 * get a false negative chance below once in a billion */
424 static const unsigned int rounds[7] = {1, 30, 73, 156, 322, 653, 1316};
425 /* We try multiplying the results with various odd numbers, which shouldn't
426 * influence the uniform distribution modulo a power of 2. */
427 static const uint32_t mults[6] = {1, 3, 21, 289, 0x9999, 0x80402011};
428 /* We only select up to 6 bits from the output to analyse */
429 unsigned int usebits = bits > 6 ? 6 : bits;
430 unsigned int maxshift = bits - usebits;
431 /* For each of the maxshift+1 usebits-bit sequences inside a bits-bit
432 number, track all observed outcomes, one per bit in a uint64_t. */
433 uint64_t x[6][27] = {{0}};
434 unsigned int i, shift, m;
435 /* Multiply the output of all rand calls with the odd number m, which
436 should not change the uniformity of its distribution. */
437 for (i = 0; i < rounds[usebits]; i++) {
438 uint32_t r = (rand32 ? secp256k1_rand32() : secp256k1_rand_bits(bits));
439 CHECK((((uint64_t)r) >> bits) == 0);
440 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
441 uint32_t rm = r * mults[m];
442 for (shift = 0; shift <= maxshift; shift++) {
443 x[m][shift] |= (((uint64_t)1) << ((rm >> shift) & ((1 << usebits) - 1)));
444 }
445 }
446 }
447 for (m = 0; m < sizeof(mults) / sizeof(mults[0]); m++) {
448 for (shift = 0; shift <= maxshift; shift++) {
449 /* Test that the lower usebits bits of x[shift] are 1 */
450 CHECK(((~x[m][shift]) << (64 - (1 << usebits))) == 0);
451 }
452 }
453 }
454
455 /* Subrange must be a whole divisor of range, and at most 64 */
test_rand_int(uint32_t range,uint32_t subrange)456 void test_rand_int(uint32_t range, uint32_t subrange) {
457 /* (1-1/subrange)^rounds < 1/10^9 */
458 int rounds = (subrange * 2073) / 100;
459 int i;
460 uint64_t x = 0;
461 CHECK((range % subrange) == 0);
462 for (i = 0; i < rounds; i++) {
463 uint32_t r = secp256k1_rand_int(range);
464 CHECK(r < range);
465 r = r % subrange;
466 x |= (((uint64_t)1) << r);
467 }
468 /* Test that the lower subrange bits of x are 1. */
469 CHECK(((~x) << (64 - subrange)) == 0);
470 }
471
run_rand_bits(void)472 void run_rand_bits(void) {
473 size_t b;
474 test_rand_bits(1, 32);
475 for (b = 1; b <= 32; b++) {
476 test_rand_bits(0, b);
477 }
478 }
479
run_rand_int(void)480 void run_rand_int(void) {
481 static const uint32_t ms[] = {1, 3, 17, 1000, 13771, 999999, 33554432};
482 static const uint32_t ss[] = {1, 3, 6, 9, 13, 31, 64};
483 unsigned int m, s;
484 for (m = 0; m < sizeof(ms) / sizeof(ms[0]); m++) {
485 for (s = 0; s < sizeof(ss) / sizeof(ss[0]); s++) {
486 test_rand_int(ms[m] * ss[s], ss[s]);
487 }
488 }
489 }
490
491 /***** NUM TESTS *****/
492
493 #ifndef USE_NUM_NONE
random_num_negate(secp256k1_num * num)494 void random_num_negate(secp256k1_num *num) {
495 if (secp256k1_rand_bits(1)) {
496 secp256k1_num_negate(num);
497 }
498 }
499
random_num_order_test(secp256k1_num * num)500 void random_num_order_test(secp256k1_num *num) {
501 secp256k1_scalar sc;
502 random_scalar_order_test(&sc);
503 secp256k1_scalar_get_num(num, &sc);
504 }
505
random_num_order(secp256k1_num * num)506 void random_num_order(secp256k1_num *num) {
507 secp256k1_scalar sc;
508 random_scalar_order(&sc);
509 secp256k1_scalar_get_num(num, &sc);
510 }
511
test_num_negate(void)512 void test_num_negate(void) {
513 secp256k1_num n1;
514 secp256k1_num n2;
515 random_num_order_test(&n1); /* n1 = R */
516 random_num_negate(&n1);
517 secp256k1_num_copy(&n2, &n1); /* n2 = R */
518 secp256k1_num_sub(&n1, &n2, &n1); /* n1 = n2-n1 = 0 */
519 CHECK(secp256k1_num_is_zero(&n1));
520 secp256k1_num_copy(&n1, &n2); /* n1 = R */
521 secp256k1_num_negate(&n1); /* n1 = -R */
522 CHECK(!secp256k1_num_is_zero(&n1));
523 secp256k1_num_add(&n1, &n2, &n1); /* n1 = n2+n1 = 0 */
524 CHECK(secp256k1_num_is_zero(&n1));
525 secp256k1_num_copy(&n1, &n2); /* n1 = R */
526 secp256k1_num_negate(&n1); /* n1 = -R */
527 CHECK(secp256k1_num_is_neg(&n1) != secp256k1_num_is_neg(&n2));
528 secp256k1_num_negate(&n1); /* n1 = R */
529 CHECK(secp256k1_num_eq(&n1, &n2));
530 }
531
test_num_add_sub(void)532 void test_num_add_sub(void) {
533 int i;
534 secp256k1_scalar s;
535 secp256k1_num n1;
536 secp256k1_num n2;
537 secp256k1_num n1p2, n2p1, n1m2, n2m1;
538 random_num_order_test(&n1); /* n1 = R1 */
539 if (secp256k1_rand_bits(1)) {
540 random_num_negate(&n1);
541 }
542 random_num_order_test(&n2); /* n2 = R2 */
543 if (secp256k1_rand_bits(1)) {
544 random_num_negate(&n2);
545 }
546 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = R1 + R2 */
547 secp256k1_num_add(&n2p1, &n2, &n1); /* n2p1 = R2 + R1 */
548 secp256k1_num_sub(&n1m2, &n1, &n2); /* n1m2 = R1 - R2 */
549 secp256k1_num_sub(&n2m1, &n2, &n1); /* n2m1 = R2 - R1 */
550 CHECK(secp256k1_num_eq(&n1p2, &n2p1));
551 CHECK(!secp256k1_num_eq(&n1p2, &n1m2));
552 secp256k1_num_negate(&n2m1); /* n2m1 = -R2 + R1 */
553 CHECK(secp256k1_num_eq(&n2m1, &n1m2));
554 CHECK(!secp256k1_num_eq(&n2m1, &n1));
555 secp256k1_num_add(&n2m1, &n2m1, &n2); /* n2m1 = -R2 + R1 + R2 = R1 */
556 CHECK(secp256k1_num_eq(&n2m1, &n1));
557 CHECK(!secp256k1_num_eq(&n2p1, &n1));
558 secp256k1_num_sub(&n2p1, &n2p1, &n2); /* n2p1 = R2 + R1 - R2 = R1 */
559 CHECK(secp256k1_num_eq(&n2p1, &n1));
560
561 /* check is_one */
562 secp256k1_scalar_set_int(&s, 1);
563 secp256k1_scalar_get_num(&n1, &s);
564 CHECK(secp256k1_num_is_one(&n1));
565 /* check that 2^n + 1 is never 1 */
566 secp256k1_scalar_get_num(&n2, &s);
567 for (i = 0; i < 250; ++i) {
568 secp256k1_num_add(&n1, &n1, &n1); /* n1 *= 2 */
569 secp256k1_num_add(&n1p2, &n1, &n2); /* n1p2 = n1 + 1 */
570 CHECK(!secp256k1_num_is_one(&n1p2));
571 }
572 }
573
test_num_mod(void)574 void test_num_mod(void) {
575 int i;
576 secp256k1_scalar s;
577 secp256k1_num order, n;
578
579 /* check that 0 mod anything is 0 */
580 random_scalar_order_test(&s);
581 secp256k1_scalar_get_num(&order, &s);
582 secp256k1_scalar_set_int(&s, 0);
583 secp256k1_scalar_get_num(&n, &s);
584 secp256k1_num_mod(&n, &order);
585 CHECK(secp256k1_num_is_zero(&n));
586
587 /* check that anything mod 1 is 0 */
588 secp256k1_scalar_set_int(&s, 1);
589 secp256k1_scalar_get_num(&order, &s);
590 secp256k1_scalar_get_num(&n, &s);
591 secp256k1_num_mod(&n, &order);
592 CHECK(secp256k1_num_is_zero(&n));
593
594 /* check that increasing the number past 2^256 does not break this */
595 random_scalar_order_test(&s);
596 secp256k1_scalar_get_num(&n, &s);
597 /* multiply by 2^8, which'll test this case with high probability */
598 for (i = 0; i < 8; ++i) {
599 secp256k1_num_add(&n, &n, &n);
600 }
601 secp256k1_num_mod(&n, &order);
602 CHECK(secp256k1_num_is_zero(&n));
603 }
604
test_num_jacobi(void)605 void test_num_jacobi(void) {
606 secp256k1_scalar sqr;
607 secp256k1_scalar small;
608 secp256k1_scalar five; /* five is not a quadratic residue */
609 secp256k1_num order, n;
610 int i;
611 /* squares mod 5 are 1, 4 */
612 const int jacobi5[10] = { 0, 1, -1, -1, 1, 0, 1, -1, -1, 1 };
613
614 /* check some small values with 5 as the order */
615 secp256k1_scalar_set_int(&five, 5);
616 secp256k1_scalar_get_num(&order, &five);
617 for (i = 0; i < 10; ++i) {
618 secp256k1_scalar_set_int(&small, i);
619 secp256k1_scalar_get_num(&n, &small);
620 CHECK(secp256k1_num_jacobi(&n, &order) == jacobi5[i]);
621 }
622
623 /** test large values with 5 as group order */
624 secp256k1_scalar_get_num(&order, &five);
625 /* we first need a scalar which is not a multiple of 5 */
626 do {
627 secp256k1_num fiven;
628 random_scalar_order_test(&sqr);
629 secp256k1_scalar_get_num(&fiven, &five);
630 secp256k1_scalar_get_num(&n, &sqr);
631 secp256k1_num_mod(&n, &fiven);
632 } while (secp256k1_num_is_zero(&n));
633 /* next force it to be a residue. 2 is a nonresidue mod 5 so we can
634 * just multiply by two, i.e. add the number to itself */
635 if (secp256k1_num_jacobi(&n, &order) == -1) {
636 secp256k1_num_add(&n, &n, &n);
637 }
638
639 /* test residue */
640 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
641 /* test nonresidue */
642 secp256k1_num_add(&n, &n, &n);
643 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
644
645 /** test with secp group order as order */
646 secp256k1_scalar_order_get_num(&order);
647 random_scalar_order_test(&sqr);
648 secp256k1_scalar_sqr(&sqr, &sqr);
649 /* test residue */
650 secp256k1_scalar_get_num(&n, &sqr);
651 CHECK(secp256k1_num_jacobi(&n, &order) == 1);
652 /* test nonresidue */
653 secp256k1_scalar_mul(&sqr, &sqr, &five);
654 secp256k1_scalar_get_num(&n, &sqr);
655 CHECK(secp256k1_num_jacobi(&n, &order) == -1);
656 /* test multiple of the order*/
657 CHECK(secp256k1_num_jacobi(&order, &order) == 0);
658
659 /* check one less than the order */
660 secp256k1_scalar_set_int(&small, 1);
661 secp256k1_scalar_get_num(&n, &small);
662 secp256k1_num_sub(&n, &order, &n);
663 CHECK(secp256k1_num_jacobi(&n, &order) == 1); /* sage confirms this is 1 */
664 }
665
run_num_smalltests(void)666 void run_num_smalltests(void) {
667 int i;
668 for (i = 0; i < 100*count; i++) {
669 test_num_negate();
670 test_num_add_sub();
671 test_num_mod();
672 test_num_jacobi();
673 }
674 }
675 #endif
676
677 /***** SCALAR TESTS *****/
678
scalar_test(void)679 void scalar_test(void) {
680 secp256k1_scalar s;
681 secp256k1_scalar s1;
682 secp256k1_scalar s2;
683 #ifndef USE_NUM_NONE
684 secp256k1_num snum, s1num, s2num;
685 secp256k1_num order, half_order;
686 #endif
687 unsigned char c[32];
688
689 /* Set 's' to a random scalar, with value 'snum'. */
690 random_scalar_order_test(&s);
691
692 /* Set 's1' to a random scalar, with value 's1num'. */
693 random_scalar_order_test(&s1);
694
695 /* Set 's2' to a random scalar, with value 'snum2', and byte array representation 'c'. */
696 random_scalar_order_test(&s2);
697 secp256k1_scalar_get_b32(c, &s2);
698
699 #ifndef USE_NUM_NONE
700 secp256k1_scalar_get_num(&snum, &s);
701 secp256k1_scalar_get_num(&s1num, &s1);
702 secp256k1_scalar_get_num(&s2num, &s2);
703
704 secp256k1_scalar_order_get_num(&order);
705 half_order = order;
706 secp256k1_num_shift(&half_order, 1);
707 #endif
708
709 {
710 int i;
711 /* Test that fetching groups of 4 bits from a scalar and recursing n(i)=16*n(i-1)+p(i) reconstructs it. */
712 secp256k1_scalar n;
713 secp256k1_scalar_set_int(&n, 0);
714 for (i = 0; i < 256; i += 4) {
715 secp256k1_scalar t;
716 int j;
717 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits(&s, 256 - 4 - i, 4));
718 for (j = 0; j < 4; j++) {
719 secp256k1_scalar_add(&n, &n, &n);
720 }
721 secp256k1_scalar_add(&n, &n, &t);
722 }
723 CHECK(secp256k1_scalar_eq(&n, &s));
724 }
725
726 {
727 /* Test that fetching groups of randomly-sized bits from a scalar and recursing n(i)=b*n(i-1)+p(i) reconstructs it. */
728 secp256k1_scalar n;
729 int i = 0;
730 secp256k1_scalar_set_int(&n, 0);
731 while (i < 256) {
732 secp256k1_scalar t;
733 int j;
734 int now = secp256k1_rand_int(15) + 1;
735 if (now + i > 256) {
736 now = 256 - i;
737 }
738 secp256k1_scalar_set_int(&t, secp256k1_scalar_get_bits_var(&s, 256 - now - i, now));
739 for (j = 0; j < now; j++) {
740 secp256k1_scalar_add(&n, &n, &n);
741 }
742 secp256k1_scalar_add(&n, &n, &t);
743 i += now;
744 }
745 CHECK(secp256k1_scalar_eq(&n, &s));
746 }
747
748 #ifndef USE_NUM_NONE
749 {
750 /* Test that adding the scalars together is equal to adding their numbers together modulo the order. */
751 secp256k1_num rnum;
752 secp256k1_num r2num;
753 secp256k1_scalar r;
754 secp256k1_num_add(&rnum, &snum, &s2num);
755 secp256k1_num_mod(&rnum, &order);
756 secp256k1_scalar_add(&r, &s, &s2);
757 secp256k1_scalar_get_num(&r2num, &r);
758 CHECK(secp256k1_num_eq(&rnum, &r2num));
759 }
760
761 {
762 /* Test that multiplying the scalars is equal to multiplying their numbers modulo the order. */
763 secp256k1_scalar r;
764 secp256k1_num r2num;
765 secp256k1_num rnum;
766 secp256k1_num_mul(&rnum, &snum, &s2num);
767 secp256k1_num_mod(&rnum, &order);
768 secp256k1_scalar_mul(&r, &s, &s2);
769 secp256k1_scalar_get_num(&r2num, &r);
770 CHECK(secp256k1_num_eq(&rnum, &r2num));
771 /* The result can only be zero if at least one of the factors was zero. */
772 CHECK(secp256k1_scalar_is_zero(&r) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_zero(&s2)));
773 /* The results can only be equal to one of the factors if that factor was zero, or the other factor was one. */
774 CHECK(secp256k1_num_eq(&rnum, &snum) == (secp256k1_scalar_is_zero(&s) || secp256k1_scalar_is_one(&s2)));
775 CHECK(secp256k1_num_eq(&rnum, &s2num) == (secp256k1_scalar_is_zero(&s2) || secp256k1_scalar_is_one(&s)));
776 }
777
778 {
779 secp256k1_scalar neg;
780 secp256k1_num negnum;
781 secp256k1_num negnum2;
782 /* Check that comparison with zero matches comparison with zero on the number. */
783 CHECK(secp256k1_num_is_zero(&snum) == secp256k1_scalar_is_zero(&s));
784 /* Check that comparison with the half order is equal to testing for high scalar. */
785 CHECK(secp256k1_scalar_is_high(&s) == (secp256k1_num_cmp(&snum, &half_order) > 0));
786 secp256k1_scalar_negate(&neg, &s);
787 secp256k1_num_sub(&negnum, &order, &snum);
788 secp256k1_num_mod(&negnum, &order);
789 /* Check that comparison with the half order is equal to testing for high scalar after negation. */
790 CHECK(secp256k1_scalar_is_high(&neg) == (secp256k1_num_cmp(&negnum, &half_order) > 0));
791 /* Negating should change the high property, unless the value was already zero. */
792 CHECK((secp256k1_scalar_is_high(&s) == secp256k1_scalar_is_high(&neg)) == secp256k1_scalar_is_zero(&s));
793 secp256k1_scalar_get_num(&negnum2, &neg);
794 /* Negating a scalar should be equal to (order - n) mod order on the number. */
795 CHECK(secp256k1_num_eq(&negnum, &negnum2));
796 secp256k1_scalar_add(&neg, &neg, &s);
797 /* Adding a number to its negation should result in zero. */
798 CHECK(secp256k1_scalar_is_zero(&neg));
799 secp256k1_scalar_negate(&neg, &neg);
800 /* Negating zero should still result in zero. */
801 CHECK(secp256k1_scalar_is_zero(&neg));
802 }
803
804 {
805 /* Test secp256k1_scalar_mul_shift_var. */
806 secp256k1_scalar r;
807 secp256k1_num one;
808 secp256k1_num rnum;
809 secp256k1_num rnum2;
810 unsigned char cone[1] = {0x01};
811 unsigned int shift = 256 + secp256k1_rand_int(257);
812 secp256k1_scalar_mul_shift_var(&r, &s1, &s2, shift);
813 secp256k1_num_mul(&rnum, &s1num, &s2num);
814 secp256k1_num_shift(&rnum, shift - 1);
815 secp256k1_num_set_bin(&one, cone, 1);
816 secp256k1_num_add(&rnum, &rnum, &one);
817 secp256k1_num_shift(&rnum, 1);
818 secp256k1_scalar_get_num(&rnum2, &r);
819 CHECK(secp256k1_num_eq(&rnum, &rnum2));
820 }
821
822 {
823 /* test secp256k1_scalar_shr_int */
824 secp256k1_scalar r;
825 int i;
826 random_scalar_order_test(&r);
827 for (i = 0; i < 100; ++i) {
828 int low;
829 int shift = 1 + secp256k1_rand_int(15);
830 int expected = r.d[0] % (1 << shift);
831 low = secp256k1_scalar_shr_int(&r, shift);
832 CHECK(expected == low);
833 }
834 }
835 #endif
836
837 {
838 /* Test that scalar inverses are equal to the inverse of their number modulo the order. */
839 if (!secp256k1_scalar_is_zero(&s)) {
840 secp256k1_scalar inv;
841 #ifndef USE_NUM_NONE
842 secp256k1_num invnum;
843 secp256k1_num invnum2;
844 #endif
845 secp256k1_scalar_inverse(&inv, &s);
846 #ifndef USE_NUM_NONE
847 secp256k1_num_mod_inverse(&invnum, &snum, &order);
848 secp256k1_scalar_get_num(&invnum2, &inv);
849 CHECK(secp256k1_num_eq(&invnum, &invnum2));
850 #endif
851 secp256k1_scalar_mul(&inv, &inv, &s);
852 /* Multiplying a scalar with its inverse must result in one. */
853 CHECK(secp256k1_scalar_is_one(&inv));
854 secp256k1_scalar_inverse(&inv, &inv);
855 /* Inverting one must result in one. */
856 CHECK(secp256k1_scalar_is_one(&inv));
857 #ifndef USE_NUM_NONE
858 secp256k1_scalar_get_num(&invnum, &inv);
859 CHECK(secp256k1_num_is_one(&invnum));
860 #endif
861 }
862 }
863
864 {
865 /* Test commutativity of add. */
866 secp256k1_scalar r1, r2;
867 secp256k1_scalar_add(&r1, &s1, &s2);
868 secp256k1_scalar_add(&r2, &s2, &s1);
869 CHECK(secp256k1_scalar_eq(&r1, &r2));
870 }
871
872 {
873 secp256k1_scalar r1, r2;
874 secp256k1_scalar b;
875 int i;
876 /* Test add_bit. */
877 int bit = secp256k1_rand_bits(8);
878 secp256k1_scalar_set_int(&b, 1);
879 CHECK(secp256k1_scalar_is_one(&b));
880 for (i = 0; i < bit; i++) {
881 secp256k1_scalar_add(&b, &b, &b);
882 }
883 r1 = s1;
884 r2 = s1;
885 if (!secp256k1_scalar_add(&r1, &r1, &b)) {
886 /* No overflow happened. */
887 secp256k1_scalar_cadd_bit(&r2, bit, 1);
888 CHECK(secp256k1_scalar_eq(&r1, &r2));
889 /* cadd is a noop when flag is zero */
890 secp256k1_scalar_cadd_bit(&r2, bit, 0);
891 CHECK(secp256k1_scalar_eq(&r1, &r2));
892 }
893 }
894
895 {
896 /* Test commutativity of mul. */
897 secp256k1_scalar r1, r2;
898 secp256k1_scalar_mul(&r1, &s1, &s2);
899 secp256k1_scalar_mul(&r2, &s2, &s1);
900 CHECK(secp256k1_scalar_eq(&r1, &r2));
901 }
902
903 {
904 /* Test associativity of add. */
905 secp256k1_scalar r1, r2;
906 secp256k1_scalar_add(&r1, &s1, &s2);
907 secp256k1_scalar_add(&r1, &r1, &s);
908 secp256k1_scalar_add(&r2, &s2, &s);
909 secp256k1_scalar_add(&r2, &s1, &r2);
910 CHECK(secp256k1_scalar_eq(&r1, &r2));
911 }
912
913 {
914 /* Test associativity of mul. */
915 secp256k1_scalar r1, r2;
916 secp256k1_scalar_mul(&r1, &s1, &s2);
917 secp256k1_scalar_mul(&r1, &r1, &s);
918 secp256k1_scalar_mul(&r2, &s2, &s);
919 secp256k1_scalar_mul(&r2, &s1, &r2);
920 CHECK(secp256k1_scalar_eq(&r1, &r2));
921 }
922
923 {
924 /* Test distributitivity of mul over add. */
925 secp256k1_scalar r1, r2, t;
926 secp256k1_scalar_add(&r1, &s1, &s2);
927 secp256k1_scalar_mul(&r1, &r1, &s);
928 secp256k1_scalar_mul(&r2, &s1, &s);
929 secp256k1_scalar_mul(&t, &s2, &s);
930 secp256k1_scalar_add(&r2, &r2, &t);
931 CHECK(secp256k1_scalar_eq(&r1, &r2));
932 }
933
934 {
935 /* Test square. */
936 secp256k1_scalar r1, r2;
937 secp256k1_scalar_sqr(&r1, &s1);
938 secp256k1_scalar_mul(&r2, &s1, &s1);
939 CHECK(secp256k1_scalar_eq(&r1, &r2));
940 }
941
942 {
943 /* Test multiplicative identity. */
944 secp256k1_scalar r1, v1;
945 secp256k1_scalar_set_int(&v1,1);
946 secp256k1_scalar_mul(&r1, &s1, &v1);
947 CHECK(secp256k1_scalar_eq(&r1, &s1));
948 }
949
950 {
951 /* Test additive identity. */
952 secp256k1_scalar r1, v0;
953 secp256k1_scalar_set_int(&v0,0);
954 secp256k1_scalar_add(&r1, &s1, &v0);
955 CHECK(secp256k1_scalar_eq(&r1, &s1));
956 }
957
958 {
959 /* Test zero product property. */
960 secp256k1_scalar r1, v0;
961 secp256k1_scalar_set_int(&v0,0);
962 secp256k1_scalar_mul(&r1, &s1, &v0);
963 CHECK(secp256k1_scalar_eq(&r1, &v0));
964 }
965
966 }
967
run_scalar_tests(void)968 void run_scalar_tests(void) {
969 int i;
970 for (i = 0; i < 128 * count; i++) {
971 scalar_test();
972 }
973
974 {
975 /* (-1)+1 should be zero. */
976 secp256k1_scalar s, o;
977 secp256k1_scalar_set_int(&s, 1);
978 CHECK(secp256k1_scalar_is_one(&s));
979 secp256k1_scalar_negate(&o, &s);
980 secp256k1_scalar_add(&o, &o, &s);
981 CHECK(secp256k1_scalar_is_zero(&o));
982 secp256k1_scalar_negate(&o, &o);
983 CHECK(secp256k1_scalar_is_zero(&o));
984 }
985
986 #ifndef USE_NUM_NONE
987 {
988 /* A scalar with value of the curve order should be 0. */
989 secp256k1_num order;
990 secp256k1_scalar zero;
991 unsigned char bin[32];
992 int overflow = 0;
993 secp256k1_scalar_order_get_num(&order);
994 secp256k1_num_get_bin(bin, 32, &order);
995 secp256k1_scalar_set_b32(&zero, bin, &overflow);
996 CHECK(overflow == 1);
997 CHECK(secp256k1_scalar_is_zero(&zero));
998 }
999 #endif
1000
1001 {
1002 /* Does check_overflow check catch all ones? */
1003 static const secp256k1_scalar overflowed = SECP256K1_SCALAR_CONST(
1004 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL,
1005 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL, 0xFFFFFFFFUL
1006 );
1007 CHECK(secp256k1_scalar_check_overflow(&overflowed));
1008 }
1009
1010 {
1011 /* Static test vectors.
1012 * These were reduced from ~10^12 random vectors based on comparison-decision
1013 * and edge-case coverage on 32-bit and 64-bit implementations.
1014 * The responses were generated with Sage 5.9.
1015 */
1016 secp256k1_scalar x;
1017 secp256k1_scalar y;
1018 secp256k1_scalar z;
1019 secp256k1_scalar zz;
1020 secp256k1_scalar one;
1021 secp256k1_scalar r1;
1022 secp256k1_scalar r2;
1023 #if defined(USE_SCALAR_INV_NUM)
1024 secp256k1_scalar zzv;
1025 #endif
1026 int overflow;
1027 unsigned char chal[33][2][32] = {
1028 {{0xff, 0xff, 0x03, 0x07, 0x00, 0x00, 0x00, 0x00,
1029 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1030 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff,
1031 0xff, 0xff, 0x03, 0x00, 0xc0, 0xff, 0xff, 0xff},
1032 {0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0x00,
1033 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8,
1034 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1035 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff}},
1036 {{0xef, 0xff, 0x1f, 0x00, 0x00, 0x00, 0x00, 0x00,
1037 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00,
1038 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1039 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1040 {0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1041 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0,
1042 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1043 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x80, 0xff}},
1044 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1045 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00,
1046 0x80, 0x00, 0x00, 0x80, 0xff, 0x3f, 0x00, 0x00,
1047 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0x00},
1048 {0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff, 0x80,
1049 0xff, 0xff, 0xff, 0xff, 0xff, 0x0f, 0x00, 0xe0,
1050 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f, 0x00, 0x00,
1051 0x00, 0x00, 0x00, 0x00, 0x7f, 0xff, 0xff, 0xff}},
1052 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1053 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1054 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1055 0x00, 0x1e, 0xf8, 0xff, 0xff, 0xff, 0xfd, 0xff},
1056 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f,
1057 0x00, 0x00, 0x00, 0xf8, 0xff, 0x03, 0x00, 0xe0,
1058 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0xf0, 0xff,
1059 0xf3, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00}},
1060 {{0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00,
1061 0x00, 0x1c, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff,
1062 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff, 0x00,
1063 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff},
1064 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00,
1065 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1066 0xff, 0x1f, 0x00, 0x00, 0x80, 0xff, 0xff, 0x3f,
1067 0x00, 0xfe, 0xff, 0xff, 0xff, 0xdf, 0xff, 0xff}},
1068 {{0xff, 0xff, 0xff, 0xff, 0x00, 0x0f, 0xfc, 0x9f,
1069 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1070 0xff, 0x0f, 0xfc, 0xff, 0x7f, 0x00, 0x00, 0x00,
1071 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1072 {0x08, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1073 0x00, 0x00, 0xf8, 0xff, 0x0f, 0xc0, 0xff, 0xff,
1074 0xff, 0x1f, 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff,
1075 0xff, 0xff, 0xff, 0x07, 0x80, 0xff, 0xff, 0xff}},
1076 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00,
1077 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1078 0xf7, 0xff, 0xff, 0xef, 0xff, 0xff, 0xff, 0x00,
1079 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0xf0},
1080 {0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff,
1081 0xff, 0xff, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1082 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff,
1083 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1084 {{0x00, 0xf8, 0xff, 0x03, 0xff, 0xff, 0xff, 0x00,
1085 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1086 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1087 0xff, 0xff, 0x03, 0xc0, 0xff, 0x0f, 0xfc, 0xff},
1088 {0xff, 0xff, 0xff, 0xff, 0xff, 0xe0, 0xff, 0xff,
1089 0xff, 0x01, 0x00, 0x00, 0x00, 0x3f, 0x00, 0xc0,
1090 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1091 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1092 {{0x8f, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1093 0x00, 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff,
1094 0xff, 0x7f, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1095 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1096 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1097 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1098 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1099 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1100 {{0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1101 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1102 0xff, 0xff, 0x03, 0x00, 0x80, 0x00, 0x00, 0x80,
1103 0xff, 0xff, 0xff, 0x00, 0x00, 0x80, 0xff, 0x7f},
1104 {0xff, 0xcf, 0xff, 0xff, 0x01, 0x00, 0x00, 0x00,
1105 0x00, 0xc0, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff,
1106 0xbf, 0xff, 0x0e, 0x00, 0x00, 0x00, 0x00, 0x00,
1107 0x80, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00}},
1108 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x80, 0xff, 0xff,
1109 0xff, 0xff, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1110 0xff, 0xff, 0xff, 0x00, 0x80, 0x00, 0x00, 0x80,
1111 0xff, 0x01, 0xfc, 0xff, 0x01, 0x00, 0xfe, 0xff},
1112 {0xff, 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00,
1113 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1114 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0,
1115 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00}},
1116 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1117 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1118 0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1119 0x7f, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1120 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1121 0x00, 0xf8, 0xff, 0x01, 0x00, 0xf0, 0xff, 0xff,
1122 0xe0, 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00,
1123 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1124 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1125 0xff, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1126 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1127 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff, 0x00},
1128 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00,
1129 0xfc, 0xff, 0xff, 0x3f, 0xf0, 0xff, 0xff, 0x3f,
1130 0x00, 0x00, 0xf8, 0x07, 0x00, 0x00, 0x00, 0xff,
1131 0xff, 0xff, 0xff, 0xff, 0x0f, 0x7e, 0x00, 0x00}},
1132 {{0x00, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1133 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1134 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1135 0xff, 0xff, 0x1f, 0x00, 0x00, 0xfe, 0x07, 0x00},
1136 {0x00, 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff,
1137 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1138 0xff, 0xfb, 0xff, 0x07, 0x00, 0x00, 0x00, 0x00,
1139 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60}},
1140 {{0xff, 0x01, 0x00, 0xff, 0xff, 0xff, 0x0f, 0x00,
1141 0x80, 0x7f, 0xfe, 0xff, 0xff, 0xff, 0xff, 0x03,
1142 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1143 0x00, 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1144 {0xff, 0xff, 0x1f, 0x00, 0xf0, 0xff, 0xff, 0xff,
1145 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1146 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1147 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x00, 0x00}},
1148 {{0x80, 0x00, 0x00, 0x00, 0xff, 0xff, 0xff, 0xff,
1149 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1150 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1151 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1152 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1153 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xf1, 0xff,
1154 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x03,
1155 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff}},
1156 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1157 0x7e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1158 0xc0, 0xff, 0xff, 0xcf, 0xff, 0x1f, 0x00, 0x00,
1159 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80},
1160 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1161 0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1162 0xff, 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x7e,
1163 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1164 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1165 0x00, 0x00, 0x00, 0xfc, 0xff, 0xff, 0xff, 0xff,
1166 0xff, 0xff, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00,
1167 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x7c, 0x00},
1168 {0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1169 0xff, 0xff, 0x7f, 0x00, 0x80, 0x00, 0x00, 0x00,
1170 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1171 0x00, 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff}},
1172 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1173 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1174 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1175 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1176 {0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1177 0xff, 0xff, 0xff, 0xff, 0x3f, 0x00, 0x00, 0x80,
1178 0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xff, 0xff,
1179 0xff, 0x7f, 0xf8, 0xff, 0xff, 0x1f, 0x00, 0xfe}},
1180 {{0xff, 0xff, 0xff, 0x3f, 0xf8, 0xff, 0xff, 0xff,
1181 0xff, 0x03, 0xfe, 0x01, 0x00, 0x00, 0x00, 0x00,
1182 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1183 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07},
1184 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1185 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x80,
1186 0xff, 0xff, 0xff, 0xff, 0x01, 0x80, 0xff, 0xff,
1187 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00}},
1188 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1189 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1190 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1191 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1192 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1193 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1194 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1195 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40}},
1196 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1197 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1198 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1199 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01},
1200 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1201 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1202 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1203 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1204 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1205 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1206 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1207 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1208 {0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1209 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1210 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1211 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1212 {{0xff, 0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0xc0,
1213 0xff, 0x0f, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1214 0x00, 0x00, 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff,
1215 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f},
1216 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01, 0x00,
1217 0xf0, 0xff, 0xff, 0xff, 0xff, 0x07, 0x00, 0x00,
1218 0x00, 0x00, 0x00, 0xfe, 0xff, 0xff, 0xff, 0xff,
1219 0xff, 0xff, 0xff, 0xff, 0x01, 0xff, 0xff, 0xff}},
1220 {{0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1221 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1222 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1223 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1224 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1225 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1226 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1227 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02}},
1228 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1229 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1230 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1231 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1232 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1233 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1234 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1235 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1236 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1237 0x7e, 0x00, 0x00, 0xc0, 0xff, 0xff, 0x07, 0x00,
1238 0x80, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00,
1239 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff},
1240 {0xff, 0x01, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1241 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x80,
1242 0xff, 0xff, 0xff, 0xff, 0xff, 0x03, 0x00, 0x00,
1243 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff}},
1244 {{0xff, 0xff, 0xf0, 0xff, 0xff, 0xff, 0xff, 0x00,
1245 0xf0, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1246 0x00, 0xe0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1247 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff},
1248 {0x00, 0x00, 0x00, 0x00, 0x00, 0xe0, 0xff, 0xff,
1249 0xff, 0xff, 0x3f, 0x00, 0xf8, 0xff, 0xff, 0xff,
1250 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1251 0xff, 0x3f, 0x00, 0x00, 0xc0, 0xf1, 0x7f, 0x00}},
1252 {{0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1253 0x00, 0x00, 0x00, 0xc0, 0xff, 0xff, 0xff, 0xff,
1254 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00, 0x00,
1255 0x80, 0x00, 0x00, 0x80, 0xff, 0xff, 0xff, 0x00},
1256 {0x00, 0xf8, 0xff, 0xff, 0xff, 0xff, 0xff, 0x01,
1257 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1258 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0x80, 0x1f,
1259 0x00, 0x00, 0xfc, 0xff, 0xff, 0x01, 0xff, 0xff}},
1260 {{0x00, 0xfe, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1261 0x80, 0x00, 0x00, 0x80, 0xff, 0x03, 0xe0, 0x01,
1262 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0xfc, 0xff,
1263 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00},
1264 {0xff, 0xff, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
1265 0xfe, 0xff, 0xff, 0xf0, 0x07, 0x00, 0x3c, 0x80,
1266 0xff, 0xff, 0xff, 0xff, 0xfc, 0xff, 0xff, 0xff,
1267 0xff, 0xff, 0x07, 0xe0, 0xff, 0x00, 0x00, 0x00}},
1268 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x00,
1269 0xfc, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1270 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, 0xf8,
1271 0x00, 0x00, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80},
1272 {0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1273 0xff, 0xff, 0xff, 0xff, 0xff, 0x0c, 0x80, 0x00,
1274 0x00, 0x00, 0x00, 0xc0, 0x7f, 0xfe, 0xff, 0x1f,
1275 0x00, 0xfe, 0xff, 0x03, 0x00, 0x00, 0xfe, 0xff}},
1276 {{0xff, 0xff, 0x81, 0xff, 0xff, 0xff, 0xff, 0x00,
1277 0x80, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x83,
1278 0xff, 0xff, 0x00, 0x00, 0x80, 0x00, 0x00, 0x80,
1279 0xff, 0xff, 0x7f, 0x00, 0x00, 0x00, 0x00, 0xf0},
1280 {0xff, 0x01, 0x00, 0x00, 0x00, 0x00, 0xf8, 0xff,
1281 0xff, 0xff, 0xff, 0xff, 0xff, 0x1f, 0x00, 0x00,
1282 0xf8, 0x07, 0x00, 0x80, 0xff, 0xff, 0xff, 0xff,
1283 0xff, 0xc7, 0xff, 0xff, 0xe0, 0xff, 0xff, 0xff}},
1284 {{0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1285 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1286 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1287 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03},
1288 {0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1289 0x82, 0xc9, 0xfa, 0xb0, 0x68, 0x04, 0xa0, 0x00,
1290 0xff, 0xff, 0xff, 0xff, 0xff, 0x6f, 0x03, 0xfb,
1291 0xfa, 0x8a, 0x7d, 0xdf, 0x13, 0x86, 0xe2, 0x03}}
1292 };
1293 unsigned char res[33][2][32] = {
1294 {{0x0c, 0x3b, 0x0a, 0xca, 0x8d, 0x1a, 0x2f, 0xb9,
1295 0x8a, 0x7b, 0x53, 0x5a, 0x1f, 0xc5, 0x22, 0xa1,
1296 0x07, 0x2a, 0x48, 0xea, 0x02, 0xeb, 0xb3, 0xd6,
1297 0x20, 0x1e, 0x86, 0xd0, 0x95, 0xf6, 0x92, 0x35},
1298 {0xdc, 0x90, 0x7a, 0x07, 0x2e, 0x1e, 0x44, 0x6d,
1299 0xf8, 0x15, 0x24, 0x5b, 0x5a, 0x96, 0x37, 0x9c,
1300 0x37, 0x7b, 0x0d, 0xac, 0x1b, 0x65, 0x58, 0x49,
1301 0x43, 0xb7, 0x31, 0xbb, 0xa7, 0xf4, 0x97, 0x15}},
1302 {{0xf1, 0xf7, 0x3a, 0x50, 0xe6, 0x10, 0xba, 0x22,
1303 0x43, 0x4d, 0x1f, 0x1f, 0x7c, 0x27, 0xca, 0x9c,
1304 0xb8, 0xb6, 0xa0, 0xfc, 0xd8, 0xc0, 0x05, 0x2f,
1305 0xf7, 0x08, 0xe1, 0x76, 0xdd, 0xd0, 0x80, 0xc8},
1306 {0xe3, 0x80, 0x80, 0xb8, 0xdb, 0xe3, 0xa9, 0x77,
1307 0x00, 0xb0, 0xf5, 0x2e, 0x27, 0xe2, 0x68, 0xc4,
1308 0x88, 0xe8, 0x04, 0xc1, 0x12, 0xbf, 0x78, 0x59,
1309 0xe6, 0xa9, 0x7c, 0xe1, 0x81, 0xdd, 0xb9, 0xd5}},
1310 {{0x96, 0xe2, 0xee, 0x01, 0xa6, 0x80, 0x31, 0xef,
1311 0x5c, 0xd0, 0x19, 0xb4, 0x7d, 0x5f, 0x79, 0xab,
1312 0xa1, 0x97, 0xd3, 0x7e, 0x33, 0xbb, 0x86, 0x55,
1313 0x60, 0x20, 0x10, 0x0d, 0x94, 0x2d, 0x11, 0x7c},
1314 {0xcc, 0xab, 0xe0, 0xe8, 0x98, 0x65, 0x12, 0x96,
1315 0x38, 0x5a, 0x1a, 0xf2, 0x85, 0x23, 0x59, 0x5f,
1316 0xf9, 0xf3, 0xc2, 0x81, 0x70, 0x92, 0x65, 0x12,
1317 0x9c, 0x65, 0x1e, 0x96, 0x00, 0xef, 0xe7, 0x63}},
1318 {{0xac, 0x1e, 0x62, 0xc2, 0x59, 0xfc, 0x4e, 0x5c,
1319 0x83, 0xb0, 0xd0, 0x6f, 0xce, 0x19, 0xf6, 0xbf,
1320 0xa4, 0xb0, 0xe0, 0x53, 0x66, 0x1f, 0xbf, 0xc9,
1321 0x33, 0x47, 0x37, 0xa9, 0x3d, 0x5d, 0xb0, 0x48},
1322 {0x86, 0xb9, 0x2a, 0x7f, 0x8e, 0xa8, 0x60, 0x42,
1323 0x26, 0x6d, 0x6e, 0x1c, 0xa2, 0xec, 0xe0, 0xe5,
1324 0x3e, 0x0a, 0x33, 0xbb, 0x61, 0x4c, 0x9f, 0x3c,
1325 0xd1, 0xdf, 0x49, 0x33, 0xcd, 0x72, 0x78, 0x18}},
1326 {{0xf7, 0xd3, 0xcd, 0x49, 0x5c, 0x13, 0x22, 0xfb,
1327 0x2e, 0xb2, 0x2f, 0x27, 0xf5, 0x8a, 0x5d, 0x74,
1328 0xc1, 0x58, 0xc5, 0xc2, 0x2d, 0x9f, 0x52, 0xc6,
1329 0x63, 0x9f, 0xba, 0x05, 0x76, 0x45, 0x7a, 0x63},
1330 {0x8a, 0xfa, 0x55, 0x4d, 0xdd, 0xa3, 0xb2, 0xc3,
1331 0x44, 0xfd, 0xec, 0x72, 0xde, 0xef, 0xc0, 0x99,
1332 0xf5, 0x9f, 0xe2, 0x52, 0xb4, 0x05, 0x32, 0x58,
1333 0x57, 0xc1, 0x8f, 0xea, 0xc3, 0x24, 0x5b, 0x94}},
1334 {{0x05, 0x83, 0xee, 0xdd, 0x64, 0xf0, 0x14, 0x3b,
1335 0xa0, 0x14, 0x4a, 0x3a, 0x41, 0x82, 0x7c, 0xa7,
1336 0x2c, 0xaa, 0xb1, 0x76, 0xbb, 0x59, 0x64, 0x5f,
1337 0x52, 0xad, 0x25, 0x29, 0x9d, 0x8f, 0x0b, 0xb0},
1338 {0x7e, 0xe3, 0x7c, 0xca, 0xcd, 0x4f, 0xb0, 0x6d,
1339 0x7a, 0xb2, 0x3e, 0xa0, 0x08, 0xb9, 0xa8, 0x2d,
1340 0xc2, 0xf4, 0x99, 0x66, 0xcc, 0xac, 0xd8, 0xb9,
1341 0x72, 0x2a, 0x4a, 0x3e, 0x0f, 0x7b, 0xbf, 0xf4}},
1342 {{0x8c, 0x9c, 0x78, 0x2b, 0x39, 0x61, 0x7e, 0xf7,
1343 0x65, 0x37, 0x66, 0x09, 0x38, 0xb9, 0x6f, 0x70,
1344 0x78, 0x87, 0xff, 0xcf, 0x93, 0xca, 0x85, 0x06,
1345 0x44, 0x84, 0xa7, 0xfe, 0xd3, 0xa4, 0xe3, 0x7e},
1346 {0xa2, 0x56, 0x49, 0x23, 0x54, 0xa5, 0x50, 0xe9,
1347 0x5f, 0xf0, 0x4d, 0xe7, 0xdc, 0x38, 0x32, 0x79,
1348 0x4f, 0x1c, 0xb7, 0xe4, 0xbb, 0xf8, 0xbb, 0x2e,
1349 0x40, 0x41, 0x4b, 0xcc, 0xe3, 0x1e, 0x16, 0x36}},
1350 {{0x0c, 0x1e, 0xd7, 0x09, 0x25, 0x40, 0x97, 0xcb,
1351 0x5c, 0x46, 0xa8, 0xda, 0xef, 0x25, 0xd5, 0xe5,
1352 0x92, 0x4d, 0xcf, 0xa3, 0xc4, 0x5d, 0x35, 0x4a,
1353 0xe4, 0x61, 0x92, 0xf3, 0xbf, 0x0e, 0xcd, 0xbe},
1354 {0xe4, 0xaf, 0x0a, 0xb3, 0x30, 0x8b, 0x9b, 0x48,
1355 0x49, 0x43, 0xc7, 0x64, 0x60, 0x4a, 0x2b, 0x9e,
1356 0x95, 0x5f, 0x56, 0xe8, 0x35, 0xdc, 0xeb, 0xdc,
1357 0xc7, 0xc4, 0xfe, 0x30, 0x40, 0xc7, 0xbf, 0xa4}},
1358 {{0xd4, 0xa0, 0xf5, 0x81, 0x49, 0x6b, 0xb6, 0x8b,
1359 0x0a, 0x69, 0xf9, 0xfe, 0xa8, 0x32, 0xe5, 0xe0,
1360 0xa5, 0xcd, 0x02, 0x53, 0xf9, 0x2c, 0xe3, 0x53,
1361 0x83, 0x36, 0xc6, 0x02, 0xb5, 0xeb, 0x64, 0xb8},
1362 {0x1d, 0x42, 0xb9, 0xf9, 0xe9, 0xe3, 0x93, 0x2c,
1363 0x4c, 0xee, 0x6c, 0x5a, 0x47, 0x9e, 0x62, 0x01,
1364 0x6b, 0x04, 0xfe, 0xa4, 0x30, 0x2b, 0x0d, 0x4f,
1365 0x71, 0x10, 0xd3, 0x55, 0xca, 0xf3, 0x5e, 0x80}},
1366 {{0x77, 0x05, 0xf6, 0x0c, 0x15, 0x9b, 0x45, 0xe7,
1367 0xb9, 0x11, 0xb8, 0xf5, 0xd6, 0xda, 0x73, 0x0c,
1368 0xda, 0x92, 0xea, 0xd0, 0x9d, 0xd0, 0x18, 0x92,
1369 0xce, 0x9a, 0xaa, 0xee, 0x0f, 0xef, 0xde, 0x30},
1370 {0xf1, 0xf1, 0xd6, 0x9b, 0x51, 0xd7, 0x77, 0x62,
1371 0x52, 0x10, 0xb8, 0x7a, 0x84, 0x9d, 0x15, 0x4e,
1372 0x07, 0xdc, 0x1e, 0x75, 0x0d, 0x0c, 0x3b, 0xdb,
1373 0x74, 0x58, 0x62, 0x02, 0x90, 0x54, 0x8b, 0x43}},
1374 {{0xa6, 0xfe, 0x0b, 0x87, 0x80, 0x43, 0x67, 0x25,
1375 0x57, 0x5d, 0xec, 0x40, 0x50, 0x08, 0xd5, 0x5d,
1376 0x43, 0xd7, 0xe0, 0xaa, 0xe0, 0x13, 0xb6, 0xb0,
1377 0xc0, 0xd4, 0xe5, 0x0d, 0x45, 0x83, 0xd6, 0x13},
1378 {0x40, 0x45, 0x0a, 0x92, 0x31, 0xea, 0x8c, 0x60,
1379 0x8c, 0x1f, 0xd8, 0x76, 0x45, 0xb9, 0x29, 0x00,
1380 0x26, 0x32, 0xd8, 0xa6, 0x96, 0x88, 0xe2, 0xc4,
1381 0x8b, 0xdb, 0x7f, 0x17, 0x87, 0xcc, 0xc8, 0xf2}},
1382 {{0xc2, 0x56, 0xe2, 0xb6, 0x1a, 0x81, 0xe7, 0x31,
1383 0x63, 0x2e, 0xbb, 0x0d, 0x2f, 0x81, 0x67, 0xd4,
1384 0x22, 0xe2, 0x38, 0x02, 0x25, 0x97, 0xc7, 0x88,
1385 0x6e, 0xdf, 0xbe, 0x2a, 0xa5, 0x73, 0x63, 0xaa},
1386 {0x50, 0x45, 0xe2, 0xc3, 0xbd, 0x89, 0xfc, 0x57,
1387 0xbd, 0x3c, 0xa3, 0x98, 0x7e, 0x7f, 0x36, 0x38,
1388 0x92, 0x39, 0x1f, 0x0f, 0x81, 0x1a, 0x06, 0x51,
1389 0x1f, 0x8d, 0x6a, 0xff, 0x47, 0x16, 0x06, 0x9c}},
1390 {{0x33, 0x95, 0xa2, 0x6f, 0x27, 0x5f, 0x9c, 0x9c,
1391 0x64, 0x45, 0xcb, 0xd1, 0x3c, 0xee, 0x5e, 0x5f,
1392 0x48, 0xa6, 0xaf, 0xe3, 0x79, 0xcf, 0xb1, 0xe2,
1393 0xbf, 0x55, 0x0e, 0xa2, 0x3b, 0x62, 0xf0, 0xe4},
1394 {0x14, 0xe8, 0x06, 0xe3, 0xbe, 0x7e, 0x67, 0x01,
1395 0xc5, 0x21, 0x67, 0xd8, 0x54, 0xb5, 0x7f, 0xa4,
1396 0xf9, 0x75, 0x70, 0x1c, 0xfd, 0x79, 0xdb, 0x86,
1397 0xad, 0x37, 0x85, 0x83, 0x56, 0x4e, 0xf0, 0xbf}},
1398 {{0xbc, 0xa6, 0xe0, 0x56, 0x4e, 0xef, 0xfa, 0xf5,
1399 0x1d, 0x5d, 0x3f, 0x2a, 0x5b, 0x19, 0xab, 0x51,
1400 0xc5, 0x8b, 0xdd, 0x98, 0x28, 0x35, 0x2f, 0xc3,
1401 0x81, 0x4f, 0x5c, 0xe5, 0x70, 0xb9, 0xeb, 0x62},
1402 {0xc4, 0x6d, 0x26, 0xb0, 0x17, 0x6b, 0xfe, 0x6c,
1403 0x12, 0xf8, 0xe7, 0xc1, 0xf5, 0x2f, 0xfa, 0x91,
1404 0x13, 0x27, 0xbd, 0x73, 0xcc, 0x33, 0x31, 0x1c,
1405 0x39, 0xe3, 0x27, 0x6a, 0x95, 0xcf, 0xc5, 0xfb}},
1406 {{0x30, 0xb2, 0x99, 0x84, 0xf0, 0x18, 0x2a, 0x6e,
1407 0x1e, 0x27, 0xed, 0xa2, 0x29, 0x99, 0x41, 0x56,
1408 0xe8, 0xd4, 0x0d, 0xef, 0x99, 0x9c, 0xf3, 0x58,
1409 0x29, 0x55, 0x1a, 0xc0, 0x68, 0xd6, 0x74, 0xa4},
1410 {0x07, 0x9c, 0xe7, 0xec, 0xf5, 0x36, 0x73, 0x41,
1411 0xa3, 0x1c, 0xe5, 0x93, 0x97, 0x6a, 0xfd, 0xf7,
1412 0x53, 0x18, 0xab, 0xaf, 0xeb, 0x85, 0xbd, 0x92,
1413 0x90, 0xab, 0x3c, 0xbf, 0x30, 0x82, 0xad, 0xf6}},
1414 {{0xc6, 0x87, 0x8a, 0x2a, 0xea, 0xc0, 0xa9, 0xec,
1415 0x6d, 0xd3, 0xdc, 0x32, 0x23, 0xce, 0x62, 0x19,
1416 0xa4, 0x7e, 0xa8, 0xdd, 0x1c, 0x33, 0xae, 0xd3,
1417 0x4f, 0x62, 0x9f, 0x52, 0xe7, 0x65, 0x46, 0xf4},
1418 {0x97, 0x51, 0x27, 0x67, 0x2d, 0xa2, 0x82, 0x87,
1419 0x98, 0xd3, 0xb6, 0x14, 0x7f, 0x51, 0xd3, 0x9a,
1420 0x0b, 0xd0, 0x76, 0x81, 0xb2, 0x4f, 0x58, 0x92,
1421 0xa4, 0x86, 0xa1, 0xa7, 0x09, 0x1d, 0xef, 0x9b}},
1422 {{0xb3, 0x0f, 0x2b, 0x69, 0x0d, 0x06, 0x90, 0x64,
1423 0xbd, 0x43, 0x4c, 0x10, 0xe8, 0x98, 0x1c, 0xa3,
1424 0xe1, 0x68, 0xe9, 0x79, 0x6c, 0x29, 0x51, 0x3f,
1425 0x41, 0xdc, 0xdf, 0x1f, 0xf3, 0x60, 0xbe, 0x33},
1426 {0xa1, 0x5f, 0xf7, 0x1d, 0xb4, 0x3e, 0x9b, 0x3c,
1427 0xe7, 0xbd, 0xb6, 0x06, 0xd5, 0x60, 0x06, 0x6d,
1428 0x50, 0xd2, 0xf4, 0x1a, 0x31, 0x08, 0xf2, 0xea,
1429 0x8e, 0xef, 0x5f, 0x7d, 0xb6, 0xd0, 0xc0, 0x27}},
1430 {{0x62, 0x9a, 0xd9, 0xbb, 0x38, 0x36, 0xce, 0xf7,
1431 0x5d, 0x2f, 0x13, 0xec, 0xc8, 0x2d, 0x02, 0x8a,
1432 0x2e, 0x72, 0xf0, 0xe5, 0x15, 0x9d, 0x72, 0xae,
1433 0xfc, 0xb3, 0x4f, 0x02, 0xea, 0xe1, 0x09, 0xfe},
1434 {0x00, 0x00, 0x00, 0x00, 0xfa, 0x0a, 0x3d, 0xbc,
1435 0xad, 0x16, 0x0c, 0xb6, 0xe7, 0x7c, 0x8b, 0x39,
1436 0x9a, 0x43, 0xbb, 0xe3, 0xc2, 0x55, 0x15, 0x14,
1437 0x75, 0xac, 0x90, 0x9b, 0x7f, 0x9a, 0x92, 0x00}},
1438 {{0x8b, 0xac, 0x70, 0x86, 0x29, 0x8f, 0x00, 0x23,
1439 0x7b, 0x45, 0x30, 0xaa, 0xb8, 0x4c, 0xc7, 0x8d,
1440 0x4e, 0x47, 0x85, 0xc6, 0x19, 0xe3, 0x96, 0xc2,
1441 0x9a, 0xa0, 0x12, 0xed, 0x6f, 0xd7, 0x76, 0x16},
1442 {0x45, 0xaf, 0x7e, 0x33, 0xc7, 0x7f, 0x10, 0x6c,
1443 0x7c, 0x9f, 0x29, 0xc1, 0xa8, 0x7e, 0x15, 0x84,
1444 0xe7, 0x7d, 0xc0, 0x6d, 0xab, 0x71, 0x5d, 0xd0,
1445 0x6b, 0x9f, 0x97, 0xab, 0xcb, 0x51, 0x0c, 0x9f}},
1446 {{0x9e, 0xc3, 0x92, 0xb4, 0x04, 0x9f, 0xc8, 0xbb,
1447 0xdd, 0x9e, 0xc6, 0x05, 0xfd, 0x65, 0xec, 0x94,
1448 0x7f, 0x2c, 0x16, 0xc4, 0x40, 0xac, 0x63, 0x7b,
1449 0x7d, 0xb8, 0x0c, 0xe4, 0x5b, 0xe3, 0xa7, 0x0e},
1450 {0x43, 0xf4, 0x44, 0xe8, 0xcc, 0xc8, 0xd4, 0x54,
1451 0x33, 0x37, 0x50, 0xf2, 0x87, 0x42, 0x2e, 0x00,
1452 0x49, 0x60, 0x62, 0x02, 0xfd, 0x1a, 0x7c, 0xdb,
1453 0x29, 0x6c, 0x6d, 0x54, 0x53, 0x08, 0xd1, 0xc8}},
1454 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1455 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1456 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1457 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1458 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1459 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1460 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1461 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}},
1462 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1463 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1464 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1465 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00},
1466 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1467 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1468 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1469 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1470 {{0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1471 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1472 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1473 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92},
1474 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1475 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1476 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1477 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1478 {{0x28, 0x56, 0xac, 0x0e, 0x4f, 0x98, 0x09, 0xf0,
1479 0x49, 0xfa, 0x7f, 0x84, 0xac, 0x7e, 0x50, 0x5b,
1480 0x17, 0x43, 0x14, 0x89, 0x9c, 0x53, 0xa8, 0x94,
1481 0x30, 0xf2, 0x11, 0x4d, 0x92, 0x14, 0x27, 0xe8},
1482 {0x39, 0x7a, 0x84, 0x56, 0x79, 0x9d, 0xec, 0x26,
1483 0x2c, 0x53, 0xc1, 0x94, 0xc9, 0x8d, 0x9e, 0x9d,
1484 0x32, 0x1f, 0xdd, 0x84, 0x04, 0xe8, 0xe2, 0x0a,
1485 0x6b, 0xbe, 0xbb, 0x42, 0x40, 0x67, 0x30, 0x6c}},
1486 {{0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1487 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
1488 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
1489 0x40, 0x2d, 0xa1, 0x73, 0x2f, 0xc9, 0xbe, 0xbd},
1490 {0x27, 0x59, 0xc7, 0x35, 0x60, 0x71, 0xa6, 0xf1,
1491 0x79, 0xa5, 0xfd, 0x79, 0x16, 0xf3, 0x41, 0xf0,
1492 0x57, 0xb4, 0x02, 0x97, 0x32, 0xe7, 0xde, 0x59,
1493 0xe2, 0x2d, 0x9b, 0x11, 0xea, 0x2c, 0x35, 0x92}},
1494 {{0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
1495 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
1496 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
1497 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40},
1498 {0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1499 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1500 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
1501 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01}},
1502 {{0x1c, 0xc4, 0xf7, 0xda, 0x0f, 0x65, 0xca, 0x39,
1503 0x70, 0x52, 0x92, 0x8e, 0xc3, 0xc8, 0x15, 0xea,
1504 0x7f, 0x10, 0x9e, 0x77, 0x4b, 0x6e, 0x2d, 0xdf,
1505 0xe8, 0x30, 0x9d, 0xda, 0xe8, 0x9a, 0x65, 0xae},
1506 {0x02, 0xb0, 0x16, 0xb1, 0x1d, 0xc8, 0x57, 0x7b,
1507 0xa2, 0x3a, 0xa2, 0xa3, 0x38, 0x5c, 0x8f, 0xeb,
1508 0x66, 0x37, 0x91, 0xa8, 0x5f, 0xef, 0x04, 0xf6,
1509 0x59, 0x75, 0xe1, 0xee, 0x92, 0xf6, 0x0e, 0x30}},
1510 {{0x8d, 0x76, 0x14, 0xa4, 0x14, 0x06, 0x9f, 0x9a,
1511 0xdf, 0x4a, 0x85, 0xa7, 0x6b, 0xbf, 0x29, 0x6f,
1512 0xbc, 0x34, 0x87, 0x5d, 0xeb, 0xbb, 0x2e, 0xa9,
1513 0xc9, 0x1f, 0x58, 0xd6, 0x9a, 0x82, 0xa0, 0x56},
1514 {0xd4, 0xb9, 0xdb, 0x88, 0x1d, 0x04, 0xe9, 0x93,
1515 0x8d, 0x3f, 0x20, 0xd5, 0x86, 0xa8, 0x83, 0x07,
1516 0xdb, 0x09, 0xd8, 0x22, 0x1f, 0x7f, 0xf1, 0x71,
1517 0xc8, 0xe7, 0x5d, 0x47, 0xaf, 0x8b, 0x72, 0xe9}},
1518 {{0x83, 0xb9, 0x39, 0xb2, 0xa4, 0xdf, 0x46, 0x87,
1519 0xc2, 0xb8, 0xf1, 0xe6, 0x4c, 0xd1, 0xe2, 0xa9,
1520 0xe4, 0x70, 0x30, 0x34, 0xbc, 0x52, 0x7c, 0x55,
1521 0xa6, 0xec, 0x80, 0xa4, 0xe5, 0xd2, 0xdc, 0x73},
1522 {0x08, 0xf1, 0x03, 0xcf, 0x16, 0x73, 0xe8, 0x7d,
1523 0xb6, 0x7e, 0x9b, 0xc0, 0xb4, 0xc2, 0xa5, 0x86,
1524 0x02, 0x77, 0xd5, 0x27, 0x86, 0xa5, 0x15, 0xfb,
1525 0xae, 0x9b, 0x8c, 0xa9, 0xf9, 0xf8, 0xa8, 0x4a}},
1526 {{0x8b, 0x00, 0x49, 0xdb, 0xfa, 0xf0, 0x1b, 0xa2,
1527 0xed, 0x8a, 0x9a, 0x7a, 0x36, 0x78, 0x4a, 0xc7,
1528 0xf7, 0xad, 0x39, 0xd0, 0x6c, 0x65, 0x7a, 0x41,
1529 0xce, 0xd6, 0xd6, 0x4c, 0x20, 0x21, 0x6b, 0xc7},
1530 {0xc6, 0xca, 0x78, 0x1d, 0x32, 0x6c, 0x6c, 0x06,
1531 0x91, 0xf2, 0x1a, 0xe8, 0x43, 0x16, 0xea, 0x04,
1532 0x3c, 0x1f, 0x07, 0x85, 0xf7, 0x09, 0x22, 0x08,
1533 0xba, 0x13, 0xfd, 0x78, 0x1e, 0x3f, 0x6f, 0x62}},
1534 {{0x25, 0x9b, 0x7c, 0xb0, 0xac, 0x72, 0x6f, 0xb2,
1535 0xe3, 0x53, 0x84, 0x7a, 0x1a, 0x9a, 0x98, 0x9b,
1536 0x44, 0xd3, 0x59, 0xd0, 0x8e, 0x57, 0x41, 0x40,
1537 0x78, 0xa7, 0x30, 0x2f, 0x4c, 0x9c, 0xb9, 0x68},
1538 {0xb7, 0x75, 0x03, 0x63, 0x61, 0xc2, 0x48, 0x6e,
1539 0x12, 0x3d, 0xbf, 0x4b, 0x27, 0xdf, 0xb1, 0x7a,
1540 0xff, 0x4e, 0x31, 0x07, 0x83, 0xf4, 0x62, 0x5b,
1541 0x19, 0xa5, 0xac, 0xa0, 0x32, 0x58, 0x0d, 0xa7}},
1542 {{0x43, 0x4f, 0x10, 0xa4, 0xca, 0xdb, 0x38, 0x67,
1543 0xfa, 0xae, 0x96, 0xb5, 0x6d, 0x97, 0xff, 0x1f,
1544 0xb6, 0x83, 0x43, 0xd3, 0xa0, 0x2d, 0x70, 0x7a,
1545 0x64, 0x05, 0x4c, 0xa7, 0xc1, 0xa5, 0x21, 0x51},
1546 {0xe4, 0xf1, 0x23, 0x84, 0xe1, 0xb5, 0x9d, 0xf2,
1547 0xb8, 0x73, 0x8b, 0x45, 0x2b, 0x35, 0x46, 0x38,
1548 0x10, 0x2b, 0x50, 0xf8, 0x8b, 0x35, 0xcd, 0x34,
1549 0xc8, 0x0e, 0xf6, 0xdb, 0x09, 0x35, 0xf0, 0xda}},
1550 {{0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1551 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1552 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1553 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5},
1554 {0xdb, 0x21, 0x5c, 0x8d, 0x83, 0x1d, 0xb3, 0x34,
1555 0xc7, 0x0e, 0x43, 0xa1, 0x58, 0x79, 0x67, 0x13,
1556 0x1e, 0x86, 0x5d, 0x89, 0x63, 0xe6, 0x0a, 0x46,
1557 0x5c, 0x02, 0x97, 0x1b, 0x62, 0x43, 0x86, 0xf5}}
1558 };
1559 secp256k1_scalar_set_int(&one, 1);
1560 for (i = 0; i < 33; i++) {
1561 secp256k1_scalar_set_b32(&x, chal[i][0], &overflow);
1562 CHECK(!overflow);
1563 secp256k1_scalar_set_b32(&y, chal[i][1], &overflow);
1564 CHECK(!overflow);
1565 secp256k1_scalar_set_b32(&r1, res[i][0], &overflow);
1566 CHECK(!overflow);
1567 secp256k1_scalar_set_b32(&r2, res[i][1], &overflow);
1568 CHECK(!overflow);
1569 secp256k1_scalar_mul(&z, &x, &y);
1570 CHECK(!secp256k1_scalar_check_overflow(&z));
1571 CHECK(secp256k1_scalar_eq(&r1, &z));
1572 if (!secp256k1_scalar_is_zero(&y)) {
1573 secp256k1_scalar_inverse(&zz, &y);
1574 CHECK(!secp256k1_scalar_check_overflow(&zz));
1575 #if defined(USE_SCALAR_INV_NUM)
1576 secp256k1_scalar_inverse_var(&zzv, &y);
1577 CHECK(secp256k1_scalar_eq(&zzv, &zz));
1578 #endif
1579 secp256k1_scalar_mul(&z, &z, &zz);
1580 CHECK(!secp256k1_scalar_check_overflow(&z));
1581 CHECK(secp256k1_scalar_eq(&x, &z));
1582 secp256k1_scalar_mul(&zz, &zz, &y);
1583 CHECK(!secp256k1_scalar_check_overflow(&zz));
1584 CHECK(secp256k1_scalar_eq(&one, &zz));
1585 }
1586 secp256k1_scalar_mul(&z, &x, &x);
1587 CHECK(!secp256k1_scalar_check_overflow(&z));
1588 secp256k1_scalar_sqr(&zz, &x);
1589 CHECK(!secp256k1_scalar_check_overflow(&zz));
1590 CHECK(secp256k1_scalar_eq(&zz, &z));
1591 CHECK(secp256k1_scalar_eq(&r2, &zz));
1592 }
1593 }
1594 }
1595
1596 /***** FIELD TESTS *****/
1597
random_fe(secp256k1_fe * x)1598 void random_fe(secp256k1_fe *x) {
1599 unsigned char bin[32];
1600 do {
1601 secp256k1_rand256(bin);
1602 if (secp256k1_fe_set_b32(x, bin)) {
1603 return;
1604 }
1605 } while(1);
1606 }
1607
random_fe_test(secp256k1_fe * x)1608 void random_fe_test(secp256k1_fe *x) {
1609 unsigned char bin[32];
1610 do {
1611 secp256k1_rand256_test(bin);
1612 if (secp256k1_fe_set_b32(x, bin)) {
1613 return;
1614 }
1615 } while(1);
1616 }
1617
random_fe_non_zero(secp256k1_fe * nz)1618 void random_fe_non_zero(secp256k1_fe *nz) {
1619 int tries = 10;
1620 while (--tries >= 0) {
1621 random_fe(nz);
1622 secp256k1_fe_normalize(nz);
1623 if (!secp256k1_fe_is_zero(nz)) {
1624 break;
1625 }
1626 }
1627 /* Infinitesimal probability of spurious failure here */
1628 CHECK(tries >= 0);
1629 }
1630
random_fe_non_square(secp256k1_fe * ns)1631 void random_fe_non_square(secp256k1_fe *ns) {
1632 secp256k1_fe r;
1633 random_fe_non_zero(ns);
1634 if (secp256k1_fe_sqrt(&r, ns)) {
1635 secp256k1_fe_negate(ns, ns, 1);
1636 }
1637 }
1638
check_fe_equal(const secp256k1_fe * a,const secp256k1_fe * b)1639 int check_fe_equal(const secp256k1_fe *a, const secp256k1_fe *b) {
1640 secp256k1_fe an = *a;
1641 secp256k1_fe bn = *b;
1642 secp256k1_fe_normalize_weak(&an);
1643 secp256k1_fe_normalize_var(&bn);
1644 return secp256k1_fe_equal_var(&an, &bn);
1645 }
1646
check_fe_inverse(const secp256k1_fe * a,const secp256k1_fe * ai)1647 int check_fe_inverse(const secp256k1_fe *a, const secp256k1_fe *ai) {
1648 secp256k1_fe x;
1649 secp256k1_fe one = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 1);
1650 secp256k1_fe_mul(&x, a, ai);
1651 return check_fe_equal(&x, &one);
1652 }
1653
run_field_convert(void)1654 void run_field_convert(void) {
1655 static const unsigned char b32[32] = {
1656 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
1657 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18,
1658 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29,
1659 0x33, 0x34, 0x35, 0x36, 0x37, 0x38, 0x39, 0x40
1660 };
1661 static const secp256k1_fe_storage fes = SECP256K1_FE_STORAGE_CONST(
1662 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1663 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1664 );
1665 static const secp256k1_fe fe = SECP256K1_FE_CONST(
1666 0x00010203UL, 0x04050607UL, 0x11121314UL, 0x15161718UL,
1667 0x22232425UL, 0x26272829UL, 0x33343536UL, 0x37383940UL
1668 );
1669 secp256k1_fe fe2;
1670 unsigned char b322[32];
1671 secp256k1_fe_storage fes2;
1672 /* Check conversions to fe. */
1673 CHECK(secp256k1_fe_set_b32(&fe2, b32));
1674 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1675 secp256k1_fe_from_storage(&fe2, &fes);
1676 CHECK(secp256k1_fe_equal_var(&fe, &fe2));
1677 /* Check conversion from fe. */
1678 secp256k1_fe_get_b32(b322, &fe);
1679 CHECK(memcmp(b322, b32, 32) == 0);
1680 secp256k1_fe_to_storage(&fes2, &fe);
1681 CHECK(memcmp(&fes2, &fes, sizeof(fes)) == 0);
1682 }
1683
fe_memcmp(const secp256k1_fe * a,const secp256k1_fe * b)1684 int fe_memcmp(const secp256k1_fe *a, const secp256k1_fe *b) {
1685 secp256k1_fe t = *b;
1686 #ifdef VERIFY
1687 t.magnitude = a->magnitude;
1688 t.normalized = a->normalized;
1689 #endif
1690 return memcmp(a, &t, sizeof(secp256k1_fe));
1691 }
1692
run_field_misc(void)1693 void run_field_misc(void) {
1694 secp256k1_fe x;
1695 secp256k1_fe y;
1696 secp256k1_fe z;
1697 secp256k1_fe q;
1698 secp256k1_fe fe5 = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 5);
1699 int i, j;
1700 for (i = 0; i < 5*count; i++) {
1701 secp256k1_fe_storage xs, ys, zs;
1702 random_fe(&x);
1703 random_fe_non_zero(&y);
1704 /* Test the fe equality and comparison operations. */
1705 CHECK(secp256k1_fe_cmp_var(&x, &x) == 0);
1706 CHECK(secp256k1_fe_equal_var(&x, &x));
1707 z = x;
1708 secp256k1_fe_add(&z,&y);
1709 /* Test fe conditional move; z is not normalized here. */
1710 q = x;
1711 secp256k1_fe_cmov(&x, &z, 0);
1712 VERIFY_CHECK(!x.normalized && x.magnitude == z.magnitude);
1713 secp256k1_fe_cmov(&x, &x, 1);
1714 CHECK(fe_memcmp(&x, &z) != 0);
1715 CHECK(fe_memcmp(&x, &q) == 0);
1716 secp256k1_fe_cmov(&q, &z, 1);
1717 VERIFY_CHECK(!q.normalized && q.magnitude == z.magnitude);
1718 CHECK(fe_memcmp(&q, &z) == 0);
1719 secp256k1_fe_normalize_var(&x);
1720 secp256k1_fe_normalize_var(&z);
1721 CHECK(!secp256k1_fe_equal_var(&x, &z));
1722 secp256k1_fe_normalize_var(&q);
1723 secp256k1_fe_cmov(&q, &z, (i&1));
1724 VERIFY_CHECK(q.normalized && q.magnitude == 1);
1725 for (j = 0; j < 6; j++) {
1726 secp256k1_fe_negate(&z, &z, j+1);
1727 secp256k1_fe_normalize_var(&q);
1728 secp256k1_fe_cmov(&q, &z, (j&1));
1729 VERIFY_CHECK(!q.normalized && q.magnitude == (j+2));
1730 }
1731 secp256k1_fe_normalize_var(&z);
1732 /* Test storage conversion and conditional moves. */
1733 secp256k1_fe_to_storage(&xs, &x);
1734 secp256k1_fe_to_storage(&ys, &y);
1735 secp256k1_fe_to_storage(&zs, &z);
1736 secp256k1_fe_storage_cmov(&zs, &xs, 0);
1737 secp256k1_fe_storage_cmov(&zs, &zs, 1);
1738 CHECK(memcmp(&xs, &zs, sizeof(xs)) != 0);
1739 secp256k1_fe_storage_cmov(&ys, &xs, 1);
1740 CHECK(memcmp(&xs, &ys, sizeof(xs)) == 0);
1741 secp256k1_fe_from_storage(&x, &xs);
1742 secp256k1_fe_from_storage(&y, &ys);
1743 secp256k1_fe_from_storage(&z, &zs);
1744 /* Test that mul_int, mul, and add agree. */
1745 secp256k1_fe_add(&y, &x);
1746 secp256k1_fe_add(&y, &x);
1747 z = x;
1748 secp256k1_fe_mul_int(&z, 3);
1749 CHECK(check_fe_equal(&y, &z));
1750 secp256k1_fe_add(&y, &x);
1751 secp256k1_fe_add(&z, &x);
1752 CHECK(check_fe_equal(&z, &y));
1753 z = x;
1754 secp256k1_fe_mul_int(&z, 5);
1755 secp256k1_fe_mul(&q, &x, &fe5);
1756 CHECK(check_fe_equal(&z, &q));
1757 secp256k1_fe_negate(&x, &x, 1);
1758 secp256k1_fe_add(&z, &x);
1759 secp256k1_fe_add(&q, &x);
1760 CHECK(check_fe_equal(&y, &z));
1761 CHECK(check_fe_equal(&q, &y));
1762 }
1763 }
1764
run_field_inv(void)1765 void run_field_inv(void) {
1766 secp256k1_fe x, xi, xii;
1767 int i;
1768 for (i = 0; i < 10*count; i++) {
1769 random_fe_non_zero(&x);
1770 secp256k1_fe_inv(&xi, &x);
1771 CHECK(check_fe_inverse(&x, &xi));
1772 secp256k1_fe_inv(&xii, &xi);
1773 CHECK(check_fe_equal(&x, &xii));
1774 }
1775 }
1776
run_field_inv_var(void)1777 void run_field_inv_var(void) {
1778 secp256k1_fe x, xi, xii;
1779 int i;
1780 for (i = 0; i < 10*count; i++) {
1781 random_fe_non_zero(&x);
1782 secp256k1_fe_inv_var(&xi, &x);
1783 CHECK(check_fe_inverse(&x, &xi));
1784 secp256k1_fe_inv_var(&xii, &xi);
1785 CHECK(check_fe_equal(&x, &xii));
1786 }
1787 }
1788
run_field_inv_all_var(void)1789 void run_field_inv_all_var(void) {
1790 secp256k1_fe x[16], xi[16], xii[16];
1791 int i;
1792 /* Check it's safe to call for 0 elements */
1793 secp256k1_fe_inv_all_var(xi, x, 0);
1794 for (i = 0; i < count; i++) {
1795 size_t j;
1796 size_t len = secp256k1_rand_int(15) + 1;
1797 for (j = 0; j < len; j++) {
1798 random_fe_non_zero(&x[j]);
1799 }
1800 secp256k1_fe_inv_all_var(xi, x, len);
1801 for (j = 0; j < len; j++) {
1802 CHECK(check_fe_inverse(&x[j], &xi[j]));
1803 }
1804 secp256k1_fe_inv_all_var(xii, xi, len);
1805 for (j = 0; j < len; j++) {
1806 CHECK(check_fe_equal(&x[j], &xii[j]));
1807 }
1808 }
1809 }
1810
run_sqr(void)1811 void run_sqr(void) {
1812 secp256k1_fe x, s;
1813
1814 {
1815 int i;
1816 secp256k1_fe_set_int(&x, 1);
1817 secp256k1_fe_negate(&x, &x, 1);
1818
1819 for (i = 1; i <= 512; ++i) {
1820 secp256k1_fe_mul_int(&x, 2);
1821 secp256k1_fe_normalize(&x);
1822 secp256k1_fe_sqr(&s, &x);
1823 }
1824 }
1825 }
1826
test_sqrt(const secp256k1_fe * a,const secp256k1_fe * k)1827 void test_sqrt(const secp256k1_fe *a, const secp256k1_fe *k) {
1828 secp256k1_fe r1, r2;
1829 int v = secp256k1_fe_sqrt(&r1, a);
1830 CHECK((v == 0) == (k == NULL));
1831
1832 if (k != NULL) {
1833 /* Check that the returned root is +/- the given known answer */
1834 secp256k1_fe_negate(&r2, &r1, 1);
1835 secp256k1_fe_add(&r1, k); secp256k1_fe_add(&r2, k);
1836 secp256k1_fe_normalize(&r1); secp256k1_fe_normalize(&r2);
1837 CHECK(secp256k1_fe_is_zero(&r1) || secp256k1_fe_is_zero(&r2));
1838 }
1839 }
1840
run_sqrt(void)1841 void run_sqrt(void) {
1842 secp256k1_fe ns, x, s, t;
1843 int i;
1844
1845 /* Check sqrt(0) is 0 */
1846 secp256k1_fe_set_int(&x, 0);
1847 secp256k1_fe_sqr(&s, &x);
1848 test_sqrt(&s, &x);
1849
1850 /* Check sqrt of small squares (and their negatives) */
1851 for (i = 1; i <= 100; i++) {
1852 secp256k1_fe_set_int(&x, i);
1853 secp256k1_fe_sqr(&s, &x);
1854 test_sqrt(&s, &x);
1855 secp256k1_fe_negate(&t, &s, 1);
1856 test_sqrt(&t, NULL);
1857 }
1858
1859 /* Consistency checks for large random values */
1860 for (i = 0; i < 10; i++) {
1861 int j;
1862 random_fe_non_square(&ns);
1863 for (j = 0; j < count; j++) {
1864 random_fe(&x);
1865 secp256k1_fe_sqr(&s, &x);
1866 test_sqrt(&s, &x);
1867 secp256k1_fe_negate(&t, &s, 1);
1868 test_sqrt(&t, NULL);
1869 secp256k1_fe_mul(&t, &s, &ns);
1870 test_sqrt(&t, NULL);
1871 }
1872 }
1873 }
1874
1875 /***** GROUP TESTS *****/
1876
ge_equals_ge(const secp256k1_ge * a,const secp256k1_ge * b)1877 void ge_equals_ge(const secp256k1_ge *a, const secp256k1_ge *b) {
1878 CHECK(a->infinity == b->infinity);
1879 if (a->infinity) {
1880 return;
1881 }
1882 CHECK(secp256k1_fe_equal_var(&a->x, &b->x));
1883 CHECK(secp256k1_fe_equal_var(&a->y, &b->y));
1884 }
1885
1886 /* This compares jacobian points including their Z, not just their geometric meaning. */
gej_xyz_equals_gej(const secp256k1_gej * a,const secp256k1_gej * b)1887 int gej_xyz_equals_gej(const secp256k1_gej *a, const secp256k1_gej *b) {
1888 secp256k1_gej a2;
1889 secp256k1_gej b2;
1890 int ret = 1;
1891 ret &= a->infinity == b->infinity;
1892 if (ret && !a->infinity) {
1893 a2 = *a;
1894 b2 = *b;
1895 secp256k1_fe_normalize(&a2.x);
1896 secp256k1_fe_normalize(&a2.y);
1897 secp256k1_fe_normalize(&a2.z);
1898 secp256k1_fe_normalize(&b2.x);
1899 secp256k1_fe_normalize(&b2.y);
1900 secp256k1_fe_normalize(&b2.z);
1901 ret &= secp256k1_fe_cmp_var(&a2.x, &b2.x) == 0;
1902 ret &= secp256k1_fe_cmp_var(&a2.y, &b2.y) == 0;
1903 ret &= secp256k1_fe_cmp_var(&a2.z, &b2.z) == 0;
1904 }
1905 return ret;
1906 }
1907
ge_equals_gej(const secp256k1_ge * a,const secp256k1_gej * b)1908 void ge_equals_gej(const secp256k1_ge *a, const secp256k1_gej *b) {
1909 secp256k1_fe z2s;
1910 secp256k1_fe u1, u2, s1, s2;
1911 CHECK(a->infinity == b->infinity);
1912 if (a->infinity) {
1913 return;
1914 }
1915 /* Check a.x * b.z^2 == b.x && a.y * b.z^3 == b.y, to avoid inverses. */
1916 secp256k1_fe_sqr(&z2s, &b->z);
1917 secp256k1_fe_mul(&u1, &a->x, &z2s);
1918 u2 = b->x; secp256k1_fe_normalize_weak(&u2);
1919 secp256k1_fe_mul(&s1, &a->y, &z2s); secp256k1_fe_mul(&s1, &s1, &b->z);
1920 s2 = b->y; secp256k1_fe_normalize_weak(&s2);
1921 CHECK(secp256k1_fe_equal_var(&u1, &u2));
1922 CHECK(secp256k1_fe_equal_var(&s1, &s2));
1923 }
1924
test_ge(void)1925 void test_ge(void) {
1926 int i, i1;
1927 #ifdef USE_ENDOMORPHISM
1928 int runs = 6;
1929 #else
1930 int runs = 4;
1931 #endif
1932 /* Points: (infinity, p1, p1, -p1, -p1, p2, p2, -p2, -p2, p3, p3, -p3, -p3, p4, p4, -p4, -p4).
1933 * The second in each pair of identical points uses a random Z coordinate in the Jacobian form.
1934 * All magnitudes are randomized.
1935 * All 17*17 combinations of points are added to each other, using all applicable methods.
1936 *
1937 * When the endomorphism code is compiled in, p5 = lambda*p1 and p6 = lambda^2*p1 are added as well.
1938 */
1939 secp256k1_ge *ge = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * (1 + 4 * runs));
1940 secp256k1_gej *gej = (secp256k1_gej *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_gej) * (1 + 4 * runs));
1941 secp256k1_fe *zinv = (secp256k1_fe *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
1942 secp256k1_fe zf;
1943 secp256k1_fe zfi2, zfi3;
1944
1945 secp256k1_gej_set_infinity(&gej[0]);
1946 secp256k1_ge_clear(&ge[0]);
1947 secp256k1_ge_set_gej_var(&ge[0], &gej[0]);
1948 for (i = 0; i < runs; i++) {
1949 int j;
1950 secp256k1_ge g;
1951 random_group_element_test(&g);
1952 #ifdef USE_ENDOMORPHISM
1953 if (i >= runs - 2) {
1954 secp256k1_ge_mul_lambda(&g, &ge[1]);
1955 }
1956 if (i >= runs - 1) {
1957 secp256k1_ge_mul_lambda(&g, &g);
1958 }
1959 #endif
1960 ge[1 + 4 * i] = g;
1961 ge[2 + 4 * i] = g;
1962 secp256k1_ge_neg(&ge[3 + 4 * i], &g);
1963 secp256k1_ge_neg(&ge[4 + 4 * i], &g);
1964 secp256k1_gej_set_ge(&gej[1 + 4 * i], &ge[1 + 4 * i]);
1965 random_group_element_jacobian_test(&gej[2 + 4 * i], &ge[2 + 4 * i]);
1966 secp256k1_gej_set_ge(&gej[3 + 4 * i], &ge[3 + 4 * i]);
1967 random_group_element_jacobian_test(&gej[4 + 4 * i], &ge[4 + 4 * i]);
1968 for (j = 0; j < 4; j++) {
1969 random_field_element_magnitude(&ge[1 + j + 4 * i].x);
1970 random_field_element_magnitude(&ge[1 + j + 4 * i].y);
1971 random_field_element_magnitude(&gej[1 + j + 4 * i].x);
1972 random_field_element_magnitude(&gej[1 + j + 4 * i].y);
1973 random_field_element_magnitude(&gej[1 + j + 4 * i].z);
1974 }
1975 }
1976
1977 /* Compute z inverses. */
1978 {
1979 secp256k1_fe *zs = checked_malloc(&ctx->error_callback, sizeof(secp256k1_fe) * (1 + 4 * runs));
1980 for (i = 0; i < 4 * runs + 1; i++) {
1981 if (i == 0) {
1982 /* The point at infinity does not have a meaningful z inverse. Any should do. */
1983 do {
1984 random_field_element_test(&zs[i]);
1985 } while(secp256k1_fe_is_zero(&zs[i]));
1986 } else {
1987 zs[i] = gej[i].z;
1988 }
1989 }
1990 secp256k1_fe_inv_all_var(zinv, zs, 4 * runs + 1);
1991 free(zs);
1992 }
1993
1994 /* Generate random zf, and zfi2 = 1/zf^2, zfi3 = 1/zf^3 */
1995 do {
1996 random_field_element_test(&zf);
1997 } while(secp256k1_fe_is_zero(&zf));
1998 random_field_element_magnitude(&zf);
1999 secp256k1_fe_inv_var(&zfi3, &zf);
2000 secp256k1_fe_sqr(&zfi2, &zfi3);
2001 secp256k1_fe_mul(&zfi3, &zfi3, &zfi2);
2002
2003 for (i1 = 0; i1 < 1 + 4 * runs; i1++) {
2004 int i2;
2005 for (i2 = 0; i2 < 1 + 4 * runs; i2++) {
2006 /* Compute reference result using gej + gej (var). */
2007 secp256k1_gej refj, resj;
2008 secp256k1_ge ref;
2009 secp256k1_fe zr;
2010 secp256k1_gej_add_var(&refj, &gej[i1], &gej[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2011 /* Check Z ratio. */
2012 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&refj)) {
2013 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2014 CHECK(secp256k1_fe_equal_var(&zrz, &refj.z));
2015 }
2016 secp256k1_ge_set_gej_var(&ref, &refj);
2017
2018 /* Test gej + ge with Z ratio result (var). */
2019 secp256k1_gej_add_ge_var(&resj, &gej[i1], &ge[i2], secp256k1_gej_is_infinity(&gej[i1]) ? NULL : &zr);
2020 ge_equals_gej(&ref, &resj);
2021 if (!secp256k1_gej_is_infinity(&gej[i1]) && !secp256k1_gej_is_infinity(&resj)) {
2022 secp256k1_fe zrz; secp256k1_fe_mul(&zrz, &zr, &gej[i1].z);
2023 CHECK(secp256k1_fe_equal_var(&zrz, &resj.z));
2024 }
2025
2026 /* Test gej + ge (var, with additional Z factor). */
2027 {
2028 secp256k1_ge ge2_zfi = ge[i2]; /* the second term with x and y rescaled for z = 1/zf */
2029 secp256k1_fe_mul(&ge2_zfi.x, &ge2_zfi.x, &zfi2);
2030 secp256k1_fe_mul(&ge2_zfi.y, &ge2_zfi.y, &zfi3);
2031 random_field_element_magnitude(&ge2_zfi.x);
2032 random_field_element_magnitude(&ge2_zfi.y);
2033 secp256k1_gej_add_zinv_var(&resj, &gej[i1], &ge2_zfi, &zf);
2034 ge_equals_gej(&ref, &resj);
2035 }
2036
2037 /* Test gej + ge (const). */
2038 if (i2 != 0) {
2039 /* secp256k1_gej_add_ge does not support its second argument being infinity. */
2040 secp256k1_gej_add_ge(&resj, &gej[i1], &ge[i2]);
2041 ge_equals_gej(&ref, &resj);
2042 }
2043
2044 /* Test doubling (var). */
2045 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 == ((i2 + 3)%4)/2)) {
2046 secp256k1_fe zr2;
2047 /* Normal doubling with Z ratio result. */
2048 secp256k1_gej_double_var(&resj, &gej[i1], &zr2);
2049 ge_equals_gej(&ref, &resj);
2050 /* Check Z ratio. */
2051 secp256k1_fe_mul(&zr2, &zr2, &gej[i1].z);
2052 CHECK(secp256k1_fe_equal_var(&zr2, &resj.z));
2053 /* Normal doubling. */
2054 secp256k1_gej_double_var(&resj, &gej[i2], NULL);
2055 ge_equals_gej(&ref, &resj);
2056 }
2057
2058 /* Test adding opposites. */
2059 if ((i1 == 0 && i2 == 0) || ((i1 + 3)/4 == (i2 + 3)/4 && ((i1 + 3)%4)/2 != ((i2 + 3)%4)/2)) {
2060 CHECK(secp256k1_ge_is_infinity(&ref));
2061 }
2062
2063 /* Test adding infinity. */
2064 if (i1 == 0) {
2065 CHECK(secp256k1_ge_is_infinity(&ge[i1]));
2066 CHECK(secp256k1_gej_is_infinity(&gej[i1]));
2067 ge_equals_gej(&ref, &gej[i2]);
2068 }
2069 if (i2 == 0) {
2070 CHECK(secp256k1_ge_is_infinity(&ge[i2]));
2071 CHECK(secp256k1_gej_is_infinity(&gej[i2]));
2072 ge_equals_gej(&ref, &gej[i1]);
2073 }
2074 }
2075 }
2076
2077 /* Test adding all points together in random order equals infinity. */
2078 {
2079 secp256k1_gej sum = SECP256K1_GEJ_CONST_INFINITY;
2080 secp256k1_gej *gej_shuffled = (secp256k1_gej *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_gej));
2081 for (i = 0; i < 4 * runs + 1; i++) {
2082 gej_shuffled[i] = gej[i];
2083 }
2084 for (i = 0; i < 4 * runs + 1; i++) {
2085 int swap = i + secp256k1_rand_int(4 * runs + 1 - i);
2086 if (swap != i) {
2087 secp256k1_gej t = gej_shuffled[i];
2088 gej_shuffled[i] = gej_shuffled[swap];
2089 gej_shuffled[swap] = t;
2090 }
2091 }
2092 for (i = 0; i < 4 * runs + 1; i++) {
2093 secp256k1_gej_add_var(&sum, &sum, &gej_shuffled[i], NULL);
2094 }
2095 CHECK(secp256k1_gej_is_infinity(&sum));
2096 free(gej_shuffled);
2097 }
2098
2099 /* Test batch gej -> ge conversion with and without known z ratios. */
2100 {
2101 secp256k1_fe *zr = (secp256k1_fe *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_fe));
2102 secp256k1_ge *ge_set_all = (secp256k1_ge *)checked_malloc(&ctx->error_callback, (4 * runs + 1) * sizeof(secp256k1_ge));
2103 for (i = 0; i < 4 * runs + 1; i++) {
2104 /* Compute gej[i + 1].z / gez[i].z (with gej[n].z taken to be 1). */
2105 if (i < 4 * runs) {
2106 secp256k1_fe_mul(&zr[i + 1], &zinv[i], &gej[i + 1].z);
2107 }
2108 }
2109 secp256k1_ge_set_all_gej_var(ge_set_all, gej, 4 * runs + 1);
2110 for (i = 0; i < 4 * runs + 1; i++) {
2111 secp256k1_fe s;
2112 random_fe_non_zero(&s);
2113 secp256k1_gej_rescale(&gej[i], &s);
2114 ge_equals_gej(&ge_set_all[i], &gej[i]);
2115 }
2116 free(ge_set_all);
2117 free(zr);
2118 }
2119
2120 /* Test batch gej -> ge conversion with many infinities. */
2121 for (i = 0; i < 4 * runs + 1; i++) {
2122 random_group_element_test(&ge[i]);
2123 /* randomly set half the points to infinitiy */
2124 if(secp256k1_fe_is_odd(&ge[i].x)) {
2125 secp256k1_ge_set_infinity(&ge[i]);
2126 }
2127 secp256k1_gej_set_ge(&gej[i], &ge[i]);
2128 }
2129 /* batch invert */
2130 secp256k1_ge_set_all_gej_var(ge, gej, 4 * runs + 1);
2131 /* check result */
2132 for (i = 0; i < 4 * runs + 1; i++) {
2133 ge_equals_gej(&ge[i], &gej[i]);
2134 }
2135
2136 free(ge);
2137 free(gej);
2138 free(zinv);
2139 }
2140
test_add_neg_y_diff_x(void)2141 void test_add_neg_y_diff_x(void) {
2142 /* The point of this test is to check that we can add two points
2143 * whose y-coordinates are negatives of each other but whose x
2144 * coordinates differ. If the x-coordinates were the same, these
2145 * points would be negatives of each other and their sum is
2146 * infinity. This is cool because it "covers up" any degeneracy
2147 * in the addition algorithm that would cause the xy coordinates
2148 * of the sum to be wrong (since infinity has no xy coordinates).
2149 * HOWEVER, if the x-coordinates are different, infinity is the
2150 * wrong answer, and such degeneracies are exposed. This is the
2151 * root of https://github.com/bitcoin-core/secp256k1/issues/257
2152 * which this test is a regression test for.
2153 *
2154 * These points were generated in sage as
2155 * # secp256k1 params
2156 * F = FiniteField (0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F)
2157 * C = EllipticCurve ([F (0), F (7)])
2158 * G = C.lift_x(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798)
2159 * N = FiniteField(G.order())
2160 *
2161 * # endomorphism values (lambda is 1^{1/3} in N, beta is 1^{1/3} in F)
2162 * x = polygen(N)
2163 * lam = (1 - x^3).roots()[1][0]
2164 *
2165 * # random "bad pair"
2166 * P = C.random_element()
2167 * Q = -int(lam) * P
2168 * print " P: %x %x" % P.xy()
2169 * print " Q: %x %x" % Q.xy()
2170 * print "P + Q: %x %x" % (P + Q).xy()
2171 */
2172 secp256k1_gej aj = SECP256K1_GEJ_CONST(
2173 0x8d24cd95, 0x0a355af1, 0x3c543505, 0x44238d30,
2174 0x0643d79f, 0x05a59614, 0x2f8ec030, 0xd58977cb,
2175 0x001e337a, 0x38093dcd, 0x6c0f386d, 0x0b1293a8,
2176 0x4d72c879, 0xd7681924, 0x44e6d2f3, 0x9190117d
2177 );
2178 secp256k1_gej bj = SECP256K1_GEJ_CONST(
2179 0xc7b74206, 0x1f788cd9, 0xabd0937d, 0x164a0d86,
2180 0x95f6ff75, 0xf19a4ce9, 0xd013bd7b, 0xbf92d2a7,
2181 0xffe1cc85, 0xc7f6c232, 0x93f0c792, 0xf4ed6c57,
2182 0xb28d3786, 0x2897e6db, 0xbb192d0b, 0x6e6feab2
2183 );
2184 secp256k1_gej sumj = SECP256K1_GEJ_CONST(
2185 0x671a63c0, 0x3efdad4c, 0x389a7798, 0x24356027,
2186 0xb3d69010, 0x278625c3, 0x5c86d390, 0x184a8f7a,
2187 0x5f6409c2, 0x2ce01f2b, 0x511fd375, 0x25071d08,
2188 0xda651801, 0x70e95caf, 0x8f0d893c, 0xbed8fbbe
2189 );
2190 secp256k1_ge b;
2191 secp256k1_gej resj;
2192 secp256k1_ge res;
2193 secp256k1_ge_set_gej(&b, &bj);
2194
2195 secp256k1_gej_add_var(&resj, &aj, &bj, NULL);
2196 secp256k1_ge_set_gej(&res, &resj);
2197 ge_equals_gej(&res, &sumj);
2198
2199 secp256k1_gej_add_ge(&resj, &aj, &b);
2200 secp256k1_ge_set_gej(&res, &resj);
2201 ge_equals_gej(&res, &sumj);
2202
2203 secp256k1_gej_add_ge_var(&resj, &aj, &b, NULL);
2204 secp256k1_ge_set_gej(&res, &resj);
2205 ge_equals_gej(&res, &sumj);
2206 }
2207
run_ge(void)2208 void run_ge(void) {
2209 int i;
2210 for (i = 0; i < count * 32; i++) {
2211 test_ge();
2212 }
2213 test_add_neg_y_diff_x();
2214 }
2215
test_ec_combine(void)2216 void test_ec_combine(void) {
2217 secp256k1_scalar sum = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2218 secp256k1_pubkey data[6];
2219 const secp256k1_pubkey* d[6];
2220 secp256k1_pubkey sd;
2221 secp256k1_pubkey sd2;
2222 secp256k1_gej Qj;
2223 secp256k1_ge Q;
2224 int i;
2225 for (i = 1; i <= 6; i++) {
2226 secp256k1_scalar s;
2227 random_scalar_order_test(&s);
2228 secp256k1_scalar_add(&sum, &sum, &s);
2229 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &s);
2230 secp256k1_ge_set_gej(&Q, &Qj);
2231 secp256k1_pubkey_save(&data[i - 1], &Q);
2232 d[i - 1] = &data[i - 1];
2233 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &Qj, &sum);
2234 secp256k1_ge_set_gej(&Q, &Qj);
2235 secp256k1_pubkey_save(&sd, &Q);
2236 CHECK(secp256k1_ec_pubkey_combine(ctx, &sd2, d, i) == 1);
2237 CHECK(memcmp(&sd, &sd2, sizeof(sd)) == 0);
2238 }
2239 }
2240
run_ec_combine(void)2241 void run_ec_combine(void) {
2242 int i;
2243 for (i = 0; i < count * 8; i++) {
2244 test_ec_combine();
2245 }
2246 }
2247
test_group_decompress(const secp256k1_fe * x)2248 void test_group_decompress(const secp256k1_fe* x) {
2249 /* The input itself, normalized. */
2250 secp256k1_fe fex = *x;
2251 secp256k1_fe fez;
2252 /* Results of set_xquad_var, set_xo_var(..., 0), set_xo_var(..., 1). */
2253 secp256k1_ge ge_quad, ge_even, ge_odd;
2254 secp256k1_gej gej_quad;
2255 /* Return values of the above calls. */
2256 int res_quad, res_even, res_odd;
2257
2258 secp256k1_fe_normalize_var(&fex);
2259
2260 res_quad = secp256k1_ge_set_xquad(&ge_quad, &fex);
2261 res_even = secp256k1_ge_set_xo_var(&ge_even, &fex, 0);
2262 res_odd = secp256k1_ge_set_xo_var(&ge_odd, &fex, 1);
2263
2264 CHECK(res_quad == res_even);
2265 CHECK(res_quad == res_odd);
2266
2267 if (res_quad) {
2268 secp256k1_fe_normalize_var(&ge_quad.x);
2269 secp256k1_fe_normalize_var(&ge_odd.x);
2270 secp256k1_fe_normalize_var(&ge_even.x);
2271 secp256k1_fe_normalize_var(&ge_quad.y);
2272 secp256k1_fe_normalize_var(&ge_odd.y);
2273 secp256k1_fe_normalize_var(&ge_even.y);
2274
2275 /* No infinity allowed. */
2276 CHECK(!ge_quad.infinity);
2277 CHECK(!ge_even.infinity);
2278 CHECK(!ge_odd.infinity);
2279
2280 /* Check that the x coordinates check out. */
2281 CHECK(secp256k1_fe_equal_var(&ge_quad.x, x));
2282 CHECK(secp256k1_fe_equal_var(&ge_even.x, x));
2283 CHECK(secp256k1_fe_equal_var(&ge_odd.x, x));
2284
2285 /* Check that the Y coordinate result in ge_quad is a square. */
2286 CHECK(secp256k1_fe_is_quad_var(&ge_quad.y));
2287
2288 /* Check odd/even Y in ge_odd, ge_even. */
2289 CHECK(secp256k1_fe_is_odd(&ge_odd.y));
2290 CHECK(!secp256k1_fe_is_odd(&ge_even.y));
2291
2292 /* Check secp256k1_gej_has_quad_y_var. */
2293 secp256k1_gej_set_ge(&gej_quad, &ge_quad);
2294 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2295 do {
2296 random_fe_test(&fez);
2297 } while (secp256k1_fe_is_zero(&fez));
2298 secp256k1_gej_rescale(&gej_quad, &fez);
2299 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2300 secp256k1_gej_neg(&gej_quad, &gej_quad);
2301 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2302 do {
2303 random_fe_test(&fez);
2304 } while (secp256k1_fe_is_zero(&fez));
2305 secp256k1_gej_rescale(&gej_quad, &fez);
2306 CHECK(!secp256k1_gej_has_quad_y_var(&gej_quad));
2307 secp256k1_gej_neg(&gej_quad, &gej_quad);
2308 CHECK(secp256k1_gej_has_quad_y_var(&gej_quad));
2309 }
2310 }
2311
run_group_decompress(void)2312 void run_group_decompress(void) {
2313 int i;
2314 for (i = 0; i < count * 4; i++) {
2315 secp256k1_fe fe;
2316 random_fe_test(&fe);
2317 test_group_decompress(&fe);
2318 }
2319 }
2320
2321 /***** ECMULT TESTS *****/
2322
run_ecmult_chain(void)2323 void run_ecmult_chain(void) {
2324 /* random starting point A (on the curve) */
2325 secp256k1_gej a = SECP256K1_GEJ_CONST(
2326 0x8b30bbe9, 0xae2a9906, 0x96b22f67, 0x0709dff3,
2327 0x727fd8bc, 0x04d3362c, 0x6c7bf458, 0xe2846004,
2328 0xa357ae91, 0x5c4a6528, 0x1309edf2, 0x0504740f,
2329 0x0eb33439, 0x90216b4f, 0x81063cb6, 0x5f2f7e0f
2330 );
2331 /* two random initial factors xn and gn */
2332 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2333 0x84cc5452, 0xf7fde1ed, 0xb4d38a8c, 0xe9b1b84c,
2334 0xcef31f14, 0x6e569be9, 0x705d357a, 0x42985407
2335 );
2336 secp256k1_scalar gn = SECP256K1_SCALAR_CONST(
2337 0xa1e58d22, 0x553dcd42, 0xb2398062, 0x5d4c57a9,
2338 0x6e9323d4, 0x2b3152e5, 0xca2c3990, 0xedc7c9de
2339 );
2340 /* two small multipliers to be applied to xn and gn in every iteration: */
2341 static const secp256k1_scalar xf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x1337);
2342 static const secp256k1_scalar gf = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0x7113);
2343 /* accumulators with the resulting coefficients to A and G */
2344 secp256k1_scalar ae = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2345 secp256k1_scalar ge = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2346 /* actual points */
2347 secp256k1_gej x;
2348 secp256k1_gej x2;
2349 int i;
2350
2351 /* the point being computed */
2352 x = a;
2353 for (i = 0; i < 200*count; i++) {
2354 /* in each iteration, compute X = xn*X + gn*G; */
2355 secp256k1_ecmult(&ctx->ecmult_ctx, &x, &x, &xn, &gn);
2356 /* also compute ae and ge: the actual accumulated factors for A and G */
2357 /* if X was (ae*A+ge*G), xn*X + gn*G results in (xn*ae*A + (xn*ge+gn)*G) */
2358 secp256k1_scalar_mul(&ae, &ae, &xn);
2359 secp256k1_scalar_mul(&ge, &ge, &xn);
2360 secp256k1_scalar_add(&ge, &ge, &gn);
2361 /* modify xn and gn */
2362 secp256k1_scalar_mul(&xn, &xn, &xf);
2363 secp256k1_scalar_mul(&gn, &gn, &gf);
2364
2365 /* verify */
2366 if (i == 19999) {
2367 /* expected result after 19999 iterations */
2368 secp256k1_gej rp = SECP256K1_GEJ_CONST(
2369 0xD6E96687, 0xF9B10D09, 0x2A6F3543, 0x9D86CEBE,
2370 0xA4535D0D, 0x409F5358, 0x6440BD74, 0xB933E830,
2371 0xB95CBCA2, 0xC77DA786, 0x539BE8FD, 0x53354D2D,
2372 0x3B4F566A, 0xE6580454, 0x07ED6015, 0xEE1B2A88
2373 );
2374
2375 secp256k1_gej_neg(&rp, &rp);
2376 secp256k1_gej_add_var(&rp, &rp, &x, NULL);
2377 CHECK(secp256k1_gej_is_infinity(&rp));
2378 }
2379 }
2380 /* redo the computation, but directly with the resulting ae and ge coefficients: */
2381 secp256k1_ecmult(&ctx->ecmult_ctx, &x2, &a, &ae, &ge);
2382 secp256k1_gej_neg(&x2, &x2);
2383 secp256k1_gej_add_var(&x2, &x2, &x, NULL);
2384 CHECK(secp256k1_gej_is_infinity(&x2));
2385 }
2386
test_point_times_order(const secp256k1_gej * point)2387 void test_point_times_order(const secp256k1_gej *point) {
2388 /* X * (point + G) + (order-X) * (pointer + G) = 0 */
2389 secp256k1_scalar x;
2390 secp256k1_scalar nx;
2391 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2392 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2393 secp256k1_gej res1, res2;
2394 secp256k1_ge res3;
2395 unsigned char pub[65];
2396 size_t psize = 65;
2397 random_scalar_order_test(&x);
2398 secp256k1_scalar_negate(&nx, &x);
2399 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &x, &x); /* calc res1 = x * point + x * G; */
2400 secp256k1_ecmult(&ctx->ecmult_ctx, &res2, point, &nx, &nx); /* calc res2 = (order - x) * point + (order - x) * G; */
2401 secp256k1_gej_add_var(&res1, &res1, &res2, NULL);
2402 CHECK(secp256k1_gej_is_infinity(&res1));
2403 CHECK(secp256k1_gej_is_valid_var(&res1) == 0);
2404 secp256k1_ge_set_gej(&res3, &res1);
2405 CHECK(secp256k1_ge_is_infinity(&res3));
2406 CHECK(secp256k1_ge_is_valid_var(&res3) == 0);
2407 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 0) == 0);
2408 psize = 65;
2409 CHECK(secp256k1_eckey_pubkey_serialize(&res3, pub, &psize, 1) == 0);
2410 /* check zero/one edge cases */
2411 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &zero);
2412 secp256k1_ge_set_gej(&res3, &res1);
2413 CHECK(secp256k1_ge_is_infinity(&res3));
2414 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &one, &zero);
2415 secp256k1_ge_set_gej(&res3, &res1);
2416 ge_equals_gej(&res3, point);
2417 secp256k1_ecmult(&ctx->ecmult_ctx, &res1, point, &zero, &one);
2418 secp256k1_ge_set_gej(&res3, &res1);
2419 ge_equals_ge(&res3, &secp256k1_ge_const_g);
2420 }
2421
run_point_times_order(void)2422 void run_point_times_order(void) {
2423 int i;
2424 secp256k1_fe x = SECP256K1_FE_CONST(0, 0, 0, 0, 0, 0, 0, 2);
2425 static const secp256k1_fe xr = SECP256K1_FE_CONST(
2426 0x7603CB59, 0xB0EF6C63, 0xFE608479, 0x2A0C378C,
2427 0xDB3233A8, 0x0F8A9A09, 0xA877DEAD, 0x31B38C45
2428 );
2429 for (i = 0; i < 500; i++) {
2430 secp256k1_ge p;
2431 if (secp256k1_ge_set_xo_var(&p, &x, 1)) {
2432 secp256k1_gej j;
2433 CHECK(secp256k1_ge_is_valid_var(&p));
2434 secp256k1_gej_set_ge(&j, &p);
2435 CHECK(secp256k1_gej_is_valid_var(&j));
2436 test_point_times_order(&j);
2437 }
2438 secp256k1_fe_sqr(&x, &x);
2439 }
2440 secp256k1_fe_normalize_var(&x);
2441 CHECK(secp256k1_fe_equal_var(&x, &xr));
2442 }
2443
ecmult_const_random_mult(void)2444 void ecmult_const_random_mult(void) {
2445 /* random starting point A (on the curve) */
2446 secp256k1_ge a = SECP256K1_GE_CONST(
2447 0x6d986544, 0x57ff52b8, 0xcf1b8126, 0x5b802a5b,
2448 0xa97f9263, 0xb1e88044, 0x93351325, 0x91bc450a,
2449 0x535c59f7, 0x325e5d2b, 0xc391fbe8, 0x3c12787c,
2450 0x337e4a98, 0xe82a9011, 0x0123ba37, 0xdd769c7d
2451 );
2452 /* random initial factor xn */
2453 secp256k1_scalar xn = SECP256K1_SCALAR_CONST(
2454 0x649d4f77, 0xc4242df7, 0x7f2079c9, 0x14530327,
2455 0xa31b876a, 0xd2d8ce2a, 0x2236d5c6, 0xd7b2029b
2456 );
2457 /* expected xn * A (from sage) */
2458 secp256k1_ge expected_b = SECP256K1_GE_CONST(
2459 0x23773684, 0x4d209dc7, 0x098a786f, 0x20d06fcd,
2460 0x070a38bf, 0xc11ac651, 0x03004319, 0x1e2a8786,
2461 0xed8c3b8e, 0xc06dd57b, 0xd06ea66e, 0x45492b0f,
2462 0xb84e4e1b, 0xfb77e21f, 0x96baae2a, 0x63dec956
2463 );
2464 secp256k1_gej b;
2465 secp256k1_ecmult_const(&b, &a, &xn, 256);
2466
2467 CHECK(secp256k1_ge_is_valid_var(&a));
2468 ge_equals_gej(&expected_b, &b);
2469 }
2470
ecmult_const_commutativity(void)2471 void ecmult_const_commutativity(void) {
2472 secp256k1_scalar a;
2473 secp256k1_scalar b;
2474 secp256k1_gej res1;
2475 secp256k1_gej res2;
2476 secp256k1_ge mid1;
2477 secp256k1_ge mid2;
2478 random_scalar_order_test(&a);
2479 random_scalar_order_test(&b);
2480
2481 secp256k1_ecmult_const(&res1, &secp256k1_ge_const_g, &a, 256);
2482 secp256k1_ecmult_const(&res2, &secp256k1_ge_const_g, &b, 256);
2483 secp256k1_ge_set_gej(&mid1, &res1);
2484 secp256k1_ge_set_gej(&mid2, &res2);
2485 secp256k1_ecmult_const(&res1, &mid1, &b, 256);
2486 secp256k1_ecmult_const(&res2, &mid2, &a, 256);
2487 secp256k1_ge_set_gej(&mid1, &res1);
2488 secp256k1_ge_set_gej(&mid2, &res2);
2489 ge_equals_ge(&mid1, &mid2);
2490 }
2491
ecmult_const_mult_zero_one(void)2492 void ecmult_const_mult_zero_one(void) {
2493 secp256k1_scalar zero = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 0);
2494 secp256k1_scalar one = SECP256K1_SCALAR_CONST(0, 0, 0, 0, 0, 0, 0, 1);
2495 secp256k1_scalar negone;
2496 secp256k1_gej res1;
2497 secp256k1_ge res2;
2498 secp256k1_ge point;
2499 secp256k1_scalar_negate(&negone, &one);
2500
2501 random_group_element_test(&point);
2502 secp256k1_ecmult_const(&res1, &point, &zero, 3);
2503 secp256k1_ge_set_gej(&res2, &res1);
2504 CHECK(secp256k1_ge_is_infinity(&res2));
2505 secp256k1_ecmult_const(&res1, &point, &one, 2);
2506 secp256k1_ge_set_gej(&res2, &res1);
2507 ge_equals_ge(&res2, &point);
2508 secp256k1_ecmult_const(&res1, &point, &negone, 256);
2509 secp256k1_gej_neg(&res1, &res1);
2510 secp256k1_ge_set_gej(&res2, &res1);
2511 ge_equals_ge(&res2, &point);
2512 }
2513
ecmult_const_chain_multiply(void)2514 void ecmult_const_chain_multiply(void) {
2515 /* Check known result (randomly generated test problem from sage) */
2516 const secp256k1_scalar scalar = SECP256K1_SCALAR_CONST(
2517 0x4968d524, 0x2abf9b7a, 0x466abbcf, 0x34b11b6d,
2518 0xcd83d307, 0x827bed62, 0x05fad0ce, 0x18fae63b
2519 );
2520 const secp256k1_gej expected_point = SECP256K1_GEJ_CONST(
2521 0x5494c15d, 0x32099706, 0xc2395f94, 0x348745fd,
2522 0x757ce30e, 0x4e8c90fb, 0xa2bad184, 0xf883c69f,
2523 0x5d195d20, 0xe191bf7f, 0x1be3e55f, 0x56a80196,
2524 0x6071ad01, 0xf1462f66, 0xc997fa94, 0xdb858435
2525 );
2526 secp256k1_gej point;
2527 secp256k1_ge res;
2528 int i;
2529
2530 secp256k1_gej_set_ge(&point, &secp256k1_ge_const_g);
2531 for (i = 0; i < 100; ++i) {
2532 secp256k1_ge tmp;
2533 secp256k1_ge_set_gej(&tmp, &point);
2534 secp256k1_ecmult_const(&point, &tmp, &scalar, 256);
2535 }
2536 secp256k1_ge_set_gej(&res, &point);
2537 ge_equals_gej(&res, &expected_point);
2538 }
2539
run_ecmult_const_tests(void)2540 void run_ecmult_const_tests(void) {
2541 ecmult_const_mult_zero_one();
2542 ecmult_const_random_mult();
2543 ecmult_const_commutativity();
2544 ecmult_const_chain_multiply();
2545 }
2546
2547 typedef struct {
2548 secp256k1_scalar *sc;
2549 secp256k1_ge *pt;
2550 } ecmult_multi_data;
2551
ecmult_multi_callback(secp256k1_scalar * sc,secp256k1_ge * pt,size_t idx,void * cbdata)2552 static int ecmult_multi_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2553 ecmult_multi_data *data = (ecmult_multi_data*) cbdata;
2554 *sc = data->sc[idx];
2555 *pt = data->pt[idx];
2556 return 1;
2557 }
2558
ecmult_multi_false_callback(secp256k1_scalar * sc,secp256k1_ge * pt,size_t idx,void * cbdata)2559 static int ecmult_multi_false_callback(secp256k1_scalar *sc, secp256k1_ge *pt, size_t idx, void *cbdata) {
2560 (void)sc;
2561 (void)pt;
2562 (void)idx;
2563 (void)cbdata;
2564 return 0;
2565 }
2566
test_ecmult_multi(secp256k1_scratch * scratch,secp256k1_ecmult_multi_func ecmult_multi)2567 void test_ecmult_multi(secp256k1_scratch *scratch, secp256k1_ecmult_multi_func ecmult_multi) {
2568 int ncount;
2569 secp256k1_scalar szero;
2570 secp256k1_scalar sc[32];
2571 secp256k1_ge pt[32];
2572 secp256k1_gej r;
2573 secp256k1_gej r2;
2574 ecmult_multi_data data;
2575 secp256k1_scratch *scratch_empty;
2576
2577 data.sc = sc;
2578 data.pt = pt;
2579 secp256k1_scalar_set_int(&szero, 0);
2580
2581 /* No points to multiply */
2582 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, NULL, ecmult_multi_callback, &data, 0));
2583
2584 /* Check 1- and 2-point multiplies against ecmult */
2585 for (ncount = 0; ncount < count; ncount++) {
2586 secp256k1_ge ptg;
2587 secp256k1_gej ptgj;
2588 random_scalar_order(&sc[0]);
2589 random_scalar_order(&sc[1]);
2590
2591 random_group_element_test(&ptg);
2592 secp256k1_gej_set_ge(&ptgj, &ptg);
2593 pt[0] = ptg;
2594 pt[1] = secp256k1_ge_const_g;
2595
2596 /* only G scalar */
2597 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &szero, &sc[0]);
2598 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &sc[0], ecmult_multi_callback, &data, 0));
2599 secp256k1_gej_neg(&r2, &r2);
2600 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2601 CHECK(secp256k1_gej_is_infinity(&r));
2602
2603 /* 1-point */
2604 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &szero);
2605 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 1));
2606 secp256k1_gej_neg(&r2, &r2);
2607 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2608 CHECK(secp256k1_gej_is_infinity(&r));
2609
2610 /* Try to multiply 1 point, but scratch space is empty */
2611 scratch_empty = secp256k1_scratch_create(&ctx->error_callback, 0);
2612 CHECK(!ecmult_multi(&ctx->ecmult_ctx, scratch_empty, &r, &szero, ecmult_multi_callback, &data, 1));
2613 secp256k1_scratch_destroy(scratch_empty);
2614
2615 /* Try to multiply 1 point, but callback returns false */
2616 CHECK(!ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_false_callback, &data, 1));
2617
2618 /* 2-point */
2619 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2620 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 2));
2621 secp256k1_gej_neg(&r2, &r2);
2622 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2623 CHECK(secp256k1_gej_is_infinity(&r));
2624
2625 /* 2-point with G scalar */
2626 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &ptgj, &sc[0], &sc[1]);
2627 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &sc[1], ecmult_multi_callback, &data, 1));
2628 secp256k1_gej_neg(&r2, &r2);
2629 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2630 CHECK(secp256k1_gej_is_infinity(&r));
2631 }
2632
2633 /* Check infinite outputs of various forms */
2634 for (ncount = 0; ncount < count; ncount++) {
2635 secp256k1_ge ptg;
2636 size_t i, j;
2637 size_t sizes[] = { 2, 10, 32 };
2638
2639 for (j = 0; j < 3; j++) {
2640 for (i = 0; i < 32; i++) {
2641 random_scalar_order(&sc[i]);
2642 secp256k1_ge_set_infinity(&pt[i]);
2643 }
2644 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2645 CHECK(secp256k1_gej_is_infinity(&r));
2646 }
2647
2648 for (j = 0; j < 3; j++) {
2649 for (i = 0; i < 32; i++) {
2650 random_group_element_test(&ptg);
2651 pt[i] = ptg;
2652 secp256k1_scalar_set_int(&sc[i], 0);
2653 }
2654 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2655 CHECK(secp256k1_gej_is_infinity(&r));
2656 }
2657
2658 for (j = 0; j < 3; j++) {
2659 random_group_element_test(&ptg);
2660 for (i = 0; i < 16; i++) {
2661 random_scalar_order(&sc[2*i]);
2662 secp256k1_scalar_negate(&sc[2*i + 1], &sc[2*i]);
2663 pt[2 * i] = ptg;
2664 pt[2 * i + 1] = ptg;
2665 }
2666
2667 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2668 CHECK(secp256k1_gej_is_infinity(&r));
2669
2670 random_scalar_order(&sc[0]);
2671 for (i = 0; i < 16; i++) {
2672 random_group_element_test(&ptg);
2673
2674 sc[2*i] = sc[0];
2675 sc[2*i+1] = sc[0];
2676 pt[2 * i] = ptg;
2677 secp256k1_ge_neg(&pt[2*i+1], &pt[2*i]);
2678 }
2679
2680 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, sizes[j]));
2681 CHECK(secp256k1_gej_is_infinity(&r));
2682 }
2683
2684 random_group_element_test(&ptg);
2685 secp256k1_scalar_set_int(&sc[0], 0);
2686 pt[0] = ptg;
2687 for (i = 1; i < 32; i++) {
2688 pt[i] = ptg;
2689
2690 random_scalar_order(&sc[i]);
2691 secp256k1_scalar_add(&sc[0], &sc[0], &sc[i]);
2692 secp256k1_scalar_negate(&sc[i], &sc[i]);
2693 }
2694
2695 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 32));
2696 CHECK(secp256k1_gej_is_infinity(&r));
2697 }
2698
2699 /* Check random points, constant scalar */
2700 for (ncount = 0; ncount < count; ncount++) {
2701 size_t i;
2702 secp256k1_gej_set_infinity(&r);
2703
2704 random_scalar_order(&sc[0]);
2705 for (i = 0; i < 20; i++) {
2706 secp256k1_ge ptg;
2707 sc[i] = sc[0];
2708 random_group_element_test(&ptg);
2709 pt[i] = ptg;
2710 secp256k1_gej_add_ge_var(&r, &r, &pt[i], NULL);
2711 }
2712
2713 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r, &sc[0], &szero);
2714 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2715 secp256k1_gej_neg(&r2, &r2);
2716 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2717 CHECK(secp256k1_gej_is_infinity(&r));
2718 }
2719
2720 /* Check random scalars, constant point */
2721 for (ncount = 0; ncount < count; ncount++) {
2722 size_t i;
2723 secp256k1_ge ptg;
2724 secp256k1_gej p0j;
2725 secp256k1_scalar rs;
2726 secp256k1_scalar_set_int(&rs, 0);
2727
2728 random_group_element_test(&ptg);
2729 for (i = 0; i < 20; i++) {
2730 random_scalar_order(&sc[i]);
2731 pt[i] = ptg;
2732 secp256k1_scalar_add(&rs, &rs, &sc[i]);
2733 }
2734
2735 secp256k1_gej_set_ge(&p0j, &pt[0]);
2736 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &p0j, &rs, &szero);
2737 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2738 secp256k1_gej_neg(&r2, &r2);
2739 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2740 CHECK(secp256k1_gej_is_infinity(&r));
2741 }
2742
2743 /* Sanity check that zero scalars don't cause problems */
2744 for (ncount = 0; ncount < 20; ncount++) {
2745 random_scalar_order(&sc[ncount]);
2746 random_group_element_test(&pt[ncount]);
2747 }
2748
2749 secp256k1_scalar_clear(&sc[0]);
2750 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 20));
2751 secp256k1_scalar_clear(&sc[1]);
2752 secp256k1_scalar_clear(&sc[2]);
2753 secp256k1_scalar_clear(&sc[3]);
2754 secp256k1_scalar_clear(&sc[4]);
2755 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 6));
2756 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &r, &szero, ecmult_multi_callback, &data, 5));
2757 CHECK(secp256k1_gej_is_infinity(&r));
2758
2759 /* Run through s0*(t0*P) + s1*(t1*P) exhaustively for many small values of s0, s1, t0, t1 */
2760 {
2761 const size_t TOP = 8;
2762 size_t s0i, s1i;
2763 size_t t0i, t1i;
2764 secp256k1_ge ptg;
2765 secp256k1_gej ptgj;
2766
2767 random_group_element_test(&ptg);
2768 secp256k1_gej_set_ge(&ptgj, &ptg);
2769
2770 for(t0i = 0; t0i < TOP; t0i++) {
2771 for(t1i = 0; t1i < TOP; t1i++) {
2772 secp256k1_gej t0p, t1p;
2773 secp256k1_scalar t0, t1;
2774
2775 secp256k1_scalar_set_int(&t0, (t0i + 1) / 2);
2776 secp256k1_scalar_cond_negate(&t0, t0i & 1);
2777 secp256k1_scalar_set_int(&t1, (t1i + 1) / 2);
2778 secp256k1_scalar_cond_negate(&t1, t1i & 1);
2779
2780 secp256k1_ecmult(&ctx->ecmult_ctx, &t0p, &ptgj, &t0, &szero);
2781 secp256k1_ecmult(&ctx->ecmult_ctx, &t1p, &ptgj, &t1, &szero);
2782
2783 for(s0i = 0; s0i < TOP; s0i++) {
2784 for(s1i = 0; s1i < TOP; s1i++) {
2785 secp256k1_scalar tmp1, tmp2;
2786 secp256k1_gej expected, actual;
2787
2788 secp256k1_ge_set_gej(&pt[0], &t0p);
2789 secp256k1_ge_set_gej(&pt[1], &t1p);
2790
2791 secp256k1_scalar_set_int(&sc[0], (s0i + 1) / 2);
2792 secp256k1_scalar_cond_negate(&sc[0], s0i & 1);
2793 secp256k1_scalar_set_int(&sc[1], (s1i + 1) / 2);
2794 secp256k1_scalar_cond_negate(&sc[1], s1i & 1);
2795
2796 secp256k1_scalar_mul(&tmp1, &t0, &sc[0]);
2797 secp256k1_scalar_mul(&tmp2, &t1, &sc[1]);
2798 secp256k1_scalar_add(&tmp1, &tmp1, &tmp2);
2799
2800 secp256k1_ecmult(&ctx->ecmult_ctx, &expected, &ptgj, &tmp1, &szero);
2801 CHECK(ecmult_multi(&ctx->ecmult_ctx, scratch, &actual, &szero, ecmult_multi_callback, &data, 2));
2802 secp256k1_gej_neg(&expected, &expected);
2803 secp256k1_gej_add_var(&actual, &actual, &expected, NULL);
2804 CHECK(secp256k1_gej_is_infinity(&actual));
2805 }
2806 }
2807 }
2808 }
2809 }
2810 }
2811
test_secp256k1_pippenger_bucket_window_inv(void)2812 void test_secp256k1_pippenger_bucket_window_inv(void) {
2813 int i;
2814
2815 CHECK(secp256k1_pippenger_bucket_window_inv(0) == 0);
2816 for(i = 1; i <= PIPPENGER_MAX_BUCKET_WINDOW; i++) {
2817 #ifdef USE_ENDOMORPHISM
2818 /* Bucket_window of 8 is not used with endo */
2819 if (i == 8) {
2820 continue;
2821 }
2822 #endif
2823 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)) == i);
2824 if (i != PIPPENGER_MAX_BUCKET_WINDOW) {
2825 CHECK(secp256k1_pippenger_bucket_window(secp256k1_pippenger_bucket_window_inv(i)+1) > i);
2826 }
2827 }
2828 }
2829
2830 /**
2831 * Probabilistically test the function returning the maximum number of possible points
2832 * for a given scratch space.
2833 */
test_ecmult_multi_pippenger_max_points(void)2834 void test_ecmult_multi_pippenger_max_points(void) {
2835 size_t scratch_size = secp256k1_rand_int(256);
2836 size_t max_size = secp256k1_pippenger_scratch_size(secp256k1_pippenger_bucket_window_inv(PIPPENGER_MAX_BUCKET_WINDOW-1)+512, 12);
2837 secp256k1_scratch *scratch;
2838 size_t n_points_supported;
2839 int bucket_window = 0;
2840
2841 for(; scratch_size < max_size; scratch_size+=256) {
2842 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size);
2843 CHECK(scratch != NULL);
2844 n_points_supported = secp256k1_pippenger_max_points(scratch);
2845 if (n_points_supported == 0) {
2846 secp256k1_scratch_destroy(scratch);
2847 continue;
2848 }
2849 bucket_window = secp256k1_pippenger_bucket_window(n_points_supported);
2850 CHECK(secp256k1_scratch_allocate_frame(scratch, secp256k1_pippenger_scratch_size(n_points_supported, bucket_window), PIPPENGER_SCRATCH_OBJECTS));
2851 secp256k1_scratch_deallocate_frame(scratch);
2852 secp256k1_scratch_destroy(scratch);
2853 }
2854 CHECK(bucket_window == PIPPENGER_MAX_BUCKET_WINDOW);
2855 }
2856
test_ecmult_multi_batch_size_helper(void)2857 void test_ecmult_multi_batch_size_helper(void) {
2858 size_t n_batches, n_batch_points, max_n_batch_points, n;
2859
2860 max_n_batch_points = 0;
2861 n = 1;
2862 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 0);
2863
2864 max_n_batch_points = 1;
2865 n = 0;
2866 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2867 CHECK(n_batches == 0);
2868 CHECK(n_batch_points == 0);
2869
2870 max_n_batch_points = 2;
2871 n = 5;
2872 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2873 CHECK(n_batches == 3);
2874 CHECK(n_batch_points == 2);
2875
2876 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH;
2877 n = ECMULT_MAX_POINTS_PER_BATCH;
2878 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2879 CHECK(n_batches == 1);
2880 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH);
2881
2882 max_n_batch_points = ECMULT_MAX_POINTS_PER_BATCH + 1;
2883 n = ECMULT_MAX_POINTS_PER_BATCH + 1;
2884 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2885 CHECK(n_batches == 2);
2886 CHECK(n_batch_points == ECMULT_MAX_POINTS_PER_BATCH/2 + 1);
2887
2888 max_n_batch_points = 1;
2889 n = SIZE_MAX;
2890 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2891 CHECK(n_batches == SIZE_MAX);
2892 CHECK(n_batch_points == 1);
2893
2894 max_n_batch_points = 2;
2895 n = SIZE_MAX;
2896 CHECK(secp256k1_ecmult_multi_batch_size_helper(&n_batches, &n_batch_points, max_n_batch_points, n) == 1);
2897 CHECK(n_batches == SIZE_MAX/2 + 1);
2898 CHECK(n_batch_points == 2);
2899 }
2900
2901 /**
2902 * Run secp256k1_ecmult_multi_var with num points and a scratch space restricted to
2903 * 1 <= i <= num points.
2904 */
test_ecmult_multi_batching(void)2905 void test_ecmult_multi_batching(void) {
2906 static const int n_points = 2*ECMULT_PIPPENGER_THRESHOLD;
2907 secp256k1_scalar scG;
2908 secp256k1_scalar szero;
2909 secp256k1_scalar *sc = (secp256k1_scalar *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_scalar) * n_points);
2910 secp256k1_ge *pt = (secp256k1_ge *)checked_malloc(&ctx->error_callback, sizeof(secp256k1_ge) * n_points);
2911 secp256k1_gej r;
2912 secp256k1_gej r2;
2913 ecmult_multi_data data;
2914 int i;
2915 secp256k1_scratch *scratch;
2916
2917 secp256k1_gej_set_infinity(&r2);
2918 secp256k1_scalar_set_int(&szero, 0);
2919
2920 /* Get random scalars and group elements and compute result */
2921 random_scalar_order(&scG);
2922 secp256k1_ecmult(&ctx->ecmult_ctx, &r2, &r2, &szero, &scG);
2923 for(i = 0; i < n_points; i++) {
2924 secp256k1_ge ptg;
2925 secp256k1_gej ptgj;
2926 random_group_element_test(&ptg);
2927 secp256k1_gej_set_ge(&ptgj, &ptg);
2928 pt[i] = ptg;
2929 random_scalar_order(&sc[i]);
2930 secp256k1_ecmult(&ctx->ecmult_ctx, &ptgj, &ptgj, &sc[i], NULL);
2931 secp256k1_gej_add_var(&r2, &r2, &ptgj, NULL);
2932 }
2933 data.sc = sc;
2934 data.pt = pt;
2935
2936 /* Test with empty scratch space */
2937 scratch = secp256k1_scratch_create(&ctx->error_callback, 0);
2938 CHECK(!secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, 1));
2939 secp256k1_scratch_destroy(scratch);
2940
2941 /* Test with space for 1 point in pippenger. That's not enough because
2942 * ecmult_multi selects strauss which requires more memory. */
2943 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_pippenger_scratch_size(1, 1) + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
2944 CHECK(!secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, 1));
2945 secp256k1_scratch_destroy(scratch);
2946
2947 secp256k1_gej_neg(&r2, &r2);
2948 for(i = 1; i <= n_points; i++) {
2949 if (i > ECMULT_PIPPENGER_THRESHOLD) {
2950 int bucket_window = secp256k1_pippenger_bucket_window(i);
2951 size_t scratch_size = secp256k1_pippenger_scratch_size(i, bucket_window);
2952 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + PIPPENGER_SCRATCH_OBJECTS*ALIGNMENT);
2953 } else {
2954 size_t scratch_size = secp256k1_strauss_scratch_size(i);
2955 scratch = secp256k1_scratch_create(&ctx->error_callback, scratch_size + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
2956 }
2957 CHECK(secp256k1_ecmult_multi_var(&ctx->ecmult_ctx, scratch, &r, &scG, ecmult_multi_callback, &data, n_points));
2958 secp256k1_gej_add_var(&r, &r, &r2, NULL);
2959 CHECK(secp256k1_gej_is_infinity(&r));
2960 secp256k1_scratch_destroy(scratch);
2961 }
2962 free(sc);
2963 free(pt);
2964 }
2965
run_ecmult_multi_tests(void)2966 void run_ecmult_multi_tests(void) {
2967 secp256k1_scratch *scratch;
2968
2969 test_secp256k1_pippenger_bucket_window_inv();
2970 test_ecmult_multi_pippenger_max_points();
2971 scratch = secp256k1_scratch_create(&ctx->error_callback, 819200);
2972 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
2973 test_ecmult_multi(NULL, secp256k1_ecmult_multi_var);
2974 test_ecmult_multi(scratch, secp256k1_ecmult_pippenger_batch_single);
2975 test_ecmult_multi(scratch, secp256k1_ecmult_strauss_batch_single);
2976 secp256k1_scratch_destroy(scratch);
2977
2978 /* Run test_ecmult_multi with space for exactly one point */
2979 scratch = secp256k1_scratch_create(&ctx->error_callback, secp256k1_strauss_scratch_size(1) + STRAUSS_SCRATCH_OBJECTS*ALIGNMENT);
2980 test_ecmult_multi(scratch, secp256k1_ecmult_multi_var);
2981 secp256k1_scratch_destroy(scratch);
2982
2983 test_ecmult_multi_batch_size_helper();
2984 test_ecmult_multi_batching();
2985 }
2986
test_wnaf(const secp256k1_scalar * number,int w)2987 void test_wnaf(const secp256k1_scalar *number, int w) {
2988 secp256k1_scalar x, two, t;
2989 int wnaf[256];
2990 int zeroes = -1;
2991 int i;
2992 int bits;
2993 secp256k1_scalar_set_int(&x, 0);
2994 secp256k1_scalar_set_int(&two, 2);
2995 bits = secp256k1_ecmult_wnaf(wnaf, 256, number, w);
2996 CHECK(bits <= 256);
2997 for (i = bits-1; i >= 0; i--) {
2998 int v = wnaf[i];
2999 secp256k1_scalar_mul(&x, &x, &two);
3000 if (v) {
3001 CHECK(zeroes == -1 || zeroes >= w-1); /* check that distance between non-zero elements is at least w-1 */
3002 zeroes=0;
3003 CHECK((v & 1) == 1); /* check non-zero elements are odd */
3004 CHECK(v <= (1 << (w-1)) - 1); /* check range below */
3005 CHECK(v >= -(1 << (w-1)) - 1); /* check range above */
3006 } else {
3007 CHECK(zeroes != -1); /* check that no unnecessary zero padding exists */
3008 zeroes++;
3009 }
3010 if (v >= 0) {
3011 secp256k1_scalar_set_int(&t, v);
3012 } else {
3013 secp256k1_scalar_set_int(&t, -v);
3014 secp256k1_scalar_negate(&t, &t);
3015 }
3016 secp256k1_scalar_add(&x, &x, &t);
3017 }
3018 CHECK(secp256k1_scalar_eq(&x, number)); /* check that wnaf represents number */
3019 }
3020
test_constant_wnaf_negate(const secp256k1_scalar * number)3021 void test_constant_wnaf_negate(const secp256k1_scalar *number) {
3022 secp256k1_scalar neg1 = *number;
3023 secp256k1_scalar neg2 = *number;
3024 int sign1 = 1;
3025 int sign2 = 1;
3026
3027 if (!secp256k1_scalar_get_bits(&neg1, 0, 1)) {
3028 secp256k1_scalar_negate(&neg1, &neg1);
3029 sign1 = -1;
3030 }
3031 sign2 = secp256k1_scalar_cond_negate(&neg2, secp256k1_scalar_is_even(&neg2));
3032 CHECK(sign1 == sign2);
3033 CHECK(secp256k1_scalar_eq(&neg1, &neg2));
3034 }
3035
test_constant_wnaf(const secp256k1_scalar * number,int w)3036 void test_constant_wnaf(const secp256k1_scalar *number, int w) {
3037 secp256k1_scalar x, shift;
3038 int wnaf[256] = {0};
3039 int i;
3040 int skew;
3041 int bits = 256;
3042 secp256k1_scalar num = *number;
3043
3044 secp256k1_scalar_set_int(&x, 0);
3045 secp256k1_scalar_set_int(&shift, 1 << w);
3046 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3047 #ifdef USE_ENDOMORPHISM
3048 for (i = 0; i < 16; ++i) {
3049 secp256k1_scalar_shr_int(&num, 8);
3050 }
3051 bits = 128;
3052 #endif
3053 skew = secp256k1_wnaf_const(wnaf, num, w, bits);
3054
3055 for (i = WNAF_SIZE_BITS(bits, w); i >= 0; --i) {
3056 secp256k1_scalar t;
3057 int v = wnaf[i];
3058 CHECK(v != 0); /* check nonzero */
3059 CHECK(v & 1); /* check parity */
3060 CHECK(v > -(1 << w)); /* check range above */
3061 CHECK(v < (1 << w)); /* check range below */
3062
3063 secp256k1_scalar_mul(&x, &x, &shift);
3064 if (v >= 0) {
3065 secp256k1_scalar_set_int(&t, v);
3066 } else {
3067 secp256k1_scalar_set_int(&t, -v);
3068 secp256k1_scalar_negate(&t, &t);
3069 }
3070 secp256k1_scalar_add(&x, &x, &t);
3071 }
3072 /* Skew num because when encoding numbers as odd we use an offset */
3073 secp256k1_scalar_cadd_bit(&num, skew == 2, 1);
3074 CHECK(secp256k1_scalar_eq(&x, &num));
3075 }
3076
test_fixed_wnaf(const secp256k1_scalar * number,int w)3077 void test_fixed_wnaf(const secp256k1_scalar *number, int w) {
3078 secp256k1_scalar x, shift;
3079 int wnaf[256] = {0};
3080 int i;
3081 int skew;
3082 secp256k1_scalar num = *number;
3083
3084 secp256k1_scalar_set_int(&x, 0);
3085 secp256k1_scalar_set_int(&shift, 1 << w);
3086 /* With USE_ENDOMORPHISM on we only consider 128-bit numbers */
3087 #ifdef USE_ENDOMORPHISM
3088 for (i = 0; i < 16; ++i) {
3089 secp256k1_scalar_shr_int(&num, 8);
3090 }
3091 #endif
3092 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3093
3094 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3095 secp256k1_scalar t;
3096 int v = wnaf[i];
3097 CHECK(v == 0 || v & 1); /* check parity */
3098 CHECK(v > -(1 << w)); /* check range above */
3099 CHECK(v < (1 << w)); /* check range below */
3100
3101 secp256k1_scalar_mul(&x, &x, &shift);
3102 if (v >= 0) {
3103 secp256k1_scalar_set_int(&t, v);
3104 } else {
3105 secp256k1_scalar_set_int(&t, -v);
3106 secp256k1_scalar_negate(&t, &t);
3107 }
3108 secp256k1_scalar_add(&x, &x, &t);
3109 }
3110 /* If skew is 1 then add 1 to num */
3111 secp256k1_scalar_cadd_bit(&num, 0, skew == 1);
3112 CHECK(secp256k1_scalar_eq(&x, &num));
3113 }
3114
3115 /* Checks that the first 8 elements of wnaf are equal to wnaf_expected and the
3116 * rest is 0.*/
test_fixed_wnaf_small_helper(int * wnaf,int * wnaf_expected,int w)3117 void test_fixed_wnaf_small_helper(int *wnaf, int *wnaf_expected, int w) {
3118 int i;
3119 for (i = WNAF_SIZE(w)-1; i >= 8; --i) {
3120 CHECK(wnaf[i] == 0);
3121 }
3122 for (i = 7; i >= 0; --i) {
3123 CHECK(wnaf[i] == wnaf_expected[i]);
3124 }
3125 }
3126
test_fixed_wnaf_small(void)3127 void test_fixed_wnaf_small(void) {
3128 int w = 4;
3129 int wnaf[256] = {0};
3130 int i;
3131 int skew;
3132 secp256k1_scalar num;
3133
3134 secp256k1_scalar_set_int(&num, 0);
3135 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3136 for (i = WNAF_SIZE(w)-1; i >= 0; --i) {
3137 int v = wnaf[i];
3138 CHECK(v == 0);
3139 }
3140 CHECK(skew == 0);
3141
3142 secp256k1_scalar_set_int(&num, 1);
3143 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3144 for (i = WNAF_SIZE(w)-1; i >= 1; --i) {
3145 int v = wnaf[i];
3146 CHECK(v == 0);
3147 }
3148 CHECK(wnaf[0] == 1);
3149 CHECK(skew == 0);
3150
3151 {
3152 int wnaf_expected[8] = { 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf, 0xf };
3153 secp256k1_scalar_set_int(&num, 0xffffffff);
3154 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3155 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3156 CHECK(skew == 0);
3157 }
3158 {
3159 int wnaf_expected[8] = { -1, -1, -1, -1, -1, -1, -1, 0xf };
3160 secp256k1_scalar_set_int(&num, 0xeeeeeeee);
3161 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3162 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3163 CHECK(skew == 1);
3164 }
3165 {
3166 int wnaf_expected[8] = { 1, 0, 1, 0, 1, 0, 1, 0 };
3167 secp256k1_scalar_set_int(&num, 0x01010101);
3168 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3169 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3170 CHECK(skew == 0);
3171 }
3172 {
3173 int wnaf_expected[8] = { -0xf, 0, 0xf, -0xf, 0, 0xf, 1, 0 };
3174 secp256k1_scalar_set_int(&num, 0x01ef1ef1);
3175 skew = secp256k1_wnaf_fixed(wnaf, &num, w);
3176 test_fixed_wnaf_small_helper(wnaf, wnaf_expected, w);
3177 CHECK(skew == 0);
3178 }
3179 }
3180
run_wnaf(void)3181 void run_wnaf(void) {
3182 int i;
3183 secp256k1_scalar n = {{0}};
3184
3185 /* Sanity check: 1 and 2 are the smallest odd and even numbers and should
3186 * have easier-to-diagnose failure modes */
3187 n.d[0] = 1;
3188 test_constant_wnaf(&n, 4);
3189 n.d[0] = 2;
3190 test_constant_wnaf(&n, 4);
3191 /* Test 0 */
3192 test_fixed_wnaf_small();
3193 /* Random tests */
3194 for (i = 0; i < count; i++) {
3195 random_scalar_order(&n);
3196 test_wnaf(&n, 4+(i%10));
3197 test_constant_wnaf_negate(&n);
3198 test_constant_wnaf(&n, 4 + (i % 10));
3199 test_fixed_wnaf(&n, 4 + (i % 10));
3200 }
3201 secp256k1_scalar_set_int(&n, 0);
3202 CHECK(secp256k1_scalar_cond_negate(&n, 1) == -1);
3203 CHECK(secp256k1_scalar_is_zero(&n));
3204 CHECK(secp256k1_scalar_cond_negate(&n, 0) == 1);
3205 CHECK(secp256k1_scalar_is_zero(&n));
3206 }
3207
test_ecmult_constants(void)3208 void test_ecmult_constants(void) {
3209 /* Test ecmult_gen() for [0..36) and [order-36..0). */
3210 secp256k1_scalar x;
3211 secp256k1_gej r;
3212 secp256k1_ge ng;
3213 int i;
3214 int j;
3215 secp256k1_ge_neg(&ng, &secp256k1_ge_const_g);
3216 for (i = 0; i < 36; i++ ) {
3217 secp256k1_scalar_set_int(&x, i);
3218 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3219 for (j = 0; j < i; j++) {
3220 if (j == i - 1) {
3221 ge_equals_gej(&secp256k1_ge_const_g, &r);
3222 }
3223 secp256k1_gej_add_ge(&r, &r, &ng);
3224 }
3225 CHECK(secp256k1_gej_is_infinity(&r));
3226 }
3227 for (i = 1; i <= 36; i++ ) {
3228 secp256k1_scalar_set_int(&x, i);
3229 secp256k1_scalar_negate(&x, &x);
3230 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &r, &x);
3231 for (j = 0; j < i; j++) {
3232 if (j == i - 1) {
3233 ge_equals_gej(&ng, &r);
3234 }
3235 secp256k1_gej_add_ge(&r, &r, &secp256k1_ge_const_g);
3236 }
3237 CHECK(secp256k1_gej_is_infinity(&r));
3238 }
3239 }
3240
run_ecmult_constants(void)3241 void run_ecmult_constants(void) {
3242 test_ecmult_constants();
3243 }
3244
test_ecmult_gen_blind(void)3245 void test_ecmult_gen_blind(void) {
3246 /* Test ecmult_gen() blinding and confirm that the blinding changes, the affine points match, and the z's don't match. */
3247 secp256k1_scalar key;
3248 secp256k1_scalar b;
3249 unsigned char seed32[32];
3250 secp256k1_gej pgej;
3251 secp256k1_gej pgej2;
3252 secp256k1_gej i;
3253 secp256k1_ge pge;
3254 random_scalar_order_test(&key);
3255 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej, &key);
3256 secp256k1_rand256(seed32);
3257 b = ctx->ecmult_gen_ctx.blind;
3258 i = ctx->ecmult_gen_ctx.initial;
3259 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, seed32);
3260 CHECK(!secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3261 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pgej2, &key);
3262 CHECK(!gej_xyz_equals_gej(&pgej, &pgej2));
3263 CHECK(!gej_xyz_equals_gej(&i, &ctx->ecmult_gen_ctx.initial));
3264 secp256k1_ge_set_gej(&pge, &pgej);
3265 ge_equals_gej(&pge, &pgej2);
3266 }
3267
test_ecmult_gen_blind_reset(void)3268 void test_ecmult_gen_blind_reset(void) {
3269 /* Test ecmult_gen() blinding reset and confirm that the blinding is consistent. */
3270 secp256k1_scalar b;
3271 secp256k1_gej initial;
3272 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3273 b = ctx->ecmult_gen_ctx.blind;
3274 initial = ctx->ecmult_gen_ctx.initial;
3275 secp256k1_ecmult_gen_blind(&ctx->ecmult_gen_ctx, 0);
3276 CHECK(secp256k1_scalar_eq(&b, &ctx->ecmult_gen_ctx.blind));
3277 CHECK(gej_xyz_equals_gej(&initial, &ctx->ecmult_gen_ctx.initial));
3278 }
3279
run_ecmult_gen_blind(void)3280 void run_ecmult_gen_blind(void) {
3281 int i;
3282 test_ecmult_gen_blind_reset();
3283 for (i = 0; i < 10; i++) {
3284 test_ecmult_gen_blind();
3285 }
3286 }
3287
3288 #ifdef USE_ENDOMORPHISM
3289 /***** ENDOMORPHISH TESTS *****/
test_scalar_split(void)3290 void test_scalar_split(void) {
3291 secp256k1_scalar full;
3292 secp256k1_scalar s1, slam;
3293 const unsigned char zero[32] = {0};
3294 unsigned char tmp[32];
3295
3296 random_scalar_order_test(&full);
3297 secp256k1_scalar_split_lambda(&s1, &slam, &full);
3298
3299 /* check that both are <= 128 bits in size */
3300 if (secp256k1_scalar_is_high(&s1)) {
3301 secp256k1_scalar_negate(&s1, &s1);
3302 }
3303 if (secp256k1_scalar_is_high(&slam)) {
3304 secp256k1_scalar_negate(&slam, &slam);
3305 }
3306
3307 secp256k1_scalar_get_b32(tmp, &s1);
3308 CHECK(memcmp(zero, tmp, 16) == 0);
3309 secp256k1_scalar_get_b32(tmp, &slam);
3310 CHECK(memcmp(zero, tmp, 16) == 0);
3311 }
3312
run_endomorphism_tests(void)3313 void run_endomorphism_tests(void) {
3314 test_scalar_split();
3315 }
3316 #endif
3317
ec_pubkey_parse_pointtest(const unsigned char * input,int xvalid,int yvalid)3318 void ec_pubkey_parse_pointtest(const unsigned char *input, int xvalid, int yvalid) {
3319 unsigned char pubkeyc[65];
3320 secp256k1_pubkey pubkey;
3321 secp256k1_ge ge;
3322 size_t pubkeyclen;
3323 int32_t ecount;
3324 ecount = 0;
3325 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3326 for (pubkeyclen = 3; pubkeyclen <= 65; pubkeyclen++) {
3327 /* Smaller sizes are tested exhaustively elsewhere. */
3328 int32_t i;
3329 memcpy(&pubkeyc[1], input, 64);
3330 VG_UNDEF(&pubkeyc[pubkeyclen], 65 - pubkeyclen);
3331 for (i = 0; i < 256; i++) {
3332 /* Try all type bytes. */
3333 int xpass;
3334 int ypass;
3335 int ysign;
3336 pubkeyc[0] = i;
3337 /* What sign does this point have? */
3338 ysign = (input[63] & 1) + 2;
3339 /* For the current type (i) do we expect parsing to work? Handled all of compressed/uncompressed/hybrid. */
3340 xpass = xvalid && (pubkeyclen == 33) && ((i & 254) == 2);
3341 /* Do we expect a parse and re-serialize as uncompressed to give a matching y? */
3342 ypass = xvalid && yvalid && ((i & 4) == ((pubkeyclen == 65) << 2)) &&
3343 ((i == 4) || ((i & 251) == ysign)) && ((pubkeyclen == 33) || (pubkeyclen == 65));
3344 if (xpass || ypass) {
3345 /* These cases must parse. */
3346 unsigned char pubkeyo[65];
3347 size_t outl;
3348 memset(&pubkey, 0, sizeof(pubkey));
3349 VG_UNDEF(&pubkey, sizeof(pubkey));
3350 ecount = 0;
3351 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
3352 VG_CHECK(&pubkey, sizeof(pubkey));
3353 outl = 65;
3354 VG_UNDEF(pubkeyo, 65);
3355 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3356 VG_CHECK(pubkeyo, outl);
3357 CHECK(outl == 33);
3358 CHECK(memcmp(&pubkeyo[1], &pubkeyc[1], 32) == 0);
3359 CHECK((pubkeyclen != 33) || (pubkeyo[0] == pubkeyc[0]));
3360 if (ypass) {
3361 /* This test isn't always done because we decode with alternative signs, so the y won't match. */
3362 CHECK(pubkeyo[0] == ysign);
3363 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3364 memset(&pubkey, 0, sizeof(pubkey));
3365 VG_UNDEF(&pubkey, sizeof(pubkey));
3366 secp256k1_pubkey_save(&pubkey, &ge);
3367 VG_CHECK(&pubkey, sizeof(pubkey));
3368 outl = 65;
3369 VG_UNDEF(pubkeyo, 65);
3370 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyo, &outl, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3371 VG_CHECK(pubkeyo, outl);
3372 CHECK(outl == 65);
3373 CHECK(pubkeyo[0] == 4);
3374 CHECK(memcmp(&pubkeyo[1], input, 64) == 0);
3375 }
3376 CHECK(ecount == 0);
3377 } else {
3378 /* These cases must fail to parse. */
3379 memset(&pubkey, 0xfe, sizeof(pubkey));
3380 ecount = 0;
3381 VG_UNDEF(&pubkey, sizeof(pubkey));
3382 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 0);
3383 VG_CHECK(&pubkey, sizeof(pubkey));
3384 CHECK(ecount == 0);
3385 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3386 CHECK(ecount == 1);
3387 }
3388 }
3389 }
3390 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3391 }
3392
run_ec_pubkey_parse_test(void)3393 void run_ec_pubkey_parse_test(void) {
3394 #define SECP256K1_EC_PARSE_TEST_NVALID (12)
3395 const unsigned char valid[SECP256K1_EC_PARSE_TEST_NVALID][64] = {
3396 {
3397 /* Point with leading and trailing zeros in x and y serialization. */
3398 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x42, 0x52,
3399 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3400 0x00, 0x00, 0x64, 0xef, 0xa1, 0x7b, 0x77, 0x61, 0xe1, 0xe4, 0x27, 0x06, 0x98, 0x9f, 0xb4, 0x83,
3401 0xb8, 0xd2, 0xd4, 0x9b, 0xf7, 0x8f, 0xae, 0x98, 0x03, 0xf0, 0x99, 0xb8, 0x34, 0xed, 0xeb, 0x00
3402 },
3403 {
3404 /* Point with x equal to a 3rd root of unity.*/
3405 0x7a, 0xe9, 0x6a, 0x2b, 0x65, 0x7c, 0x07, 0x10, 0x6e, 0x64, 0x47, 0x9e, 0xac, 0x34, 0x34, 0xe9,
3406 0x9c, 0xf0, 0x49, 0x75, 0x12, 0xf5, 0x89, 0x95, 0xc1, 0x39, 0x6c, 0x28, 0x71, 0x95, 0x01, 0xee,
3407 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3408 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3409 },
3410 {
3411 /* Point with largest x. (1/2) */
3412 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3413 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3414 0x0e, 0x99, 0x4b, 0x14, 0xea, 0x72, 0xf8, 0xc3, 0xeb, 0x95, 0xc7, 0x1e, 0xf6, 0x92, 0x57, 0x5e,
3415 0x77, 0x50, 0x58, 0x33, 0x2d, 0x7e, 0x52, 0xd0, 0x99, 0x5c, 0xf8, 0x03, 0x88, 0x71, 0xb6, 0x7d,
3416 },
3417 {
3418 /* Point with largest x. (2/2) */
3419 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3420 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2c,
3421 0xf1, 0x66, 0xb4, 0xeb, 0x15, 0x8d, 0x07, 0x3c, 0x14, 0x6a, 0x38, 0xe1, 0x09, 0x6d, 0xa8, 0xa1,
3422 0x88, 0xaf, 0xa7, 0xcc, 0xd2, 0x81, 0xad, 0x2f, 0x66, 0xa3, 0x07, 0xfb, 0x77, 0x8e, 0x45, 0xb2,
3423 },
3424 {
3425 /* Point with smallest x. (1/2) */
3426 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3427 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3428 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3429 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3430 },
3431 {
3432 /* Point with smallest x. (2/2) */
3433 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3434 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3435 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3436 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3437 },
3438 {
3439 /* Point with largest y. (1/3) */
3440 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3441 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3442 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3443 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3444 },
3445 {
3446 /* Point with largest y. (2/3) */
3447 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3448 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3449 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3450 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3451 },
3452 {
3453 /* Point with largest y. (3/3) */
3454 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3455 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3456 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3457 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3458 },
3459 {
3460 /* Point with smallest y. (1/3) */
3461 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3462 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3463 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3464 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3465 },
3466 {
3467 /* Point with smallest y. (2/3) */
3468 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3469 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3470 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3471 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3472 },
3473 {
3474 /* Point with smallest y. (3/3) */
3475 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3476 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3477 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3478 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01
3479 }
3480 };
3481 #define SECP256K1_EC_PARSE_TEST_NXVALID (4)
3482 const unsigned char onlyxvalid[SECP256K1_EC_PARSE_TEST_NXVALID][64] = {
3483 {
3484 /* Valid if y overflow ignored (y = 1 mod p). (1/3) */
3485 0x1f, 0xe1, 0xe5, 0xef, 0x3f, 0xce, 0xb5, 0xc1, 0x35, 0xab, 0x77, 0x41, 0x33, 0x3c, 0xe5, 0xa6,
3486 0xe8, 0x0d, 0x68, 0x16, 0x76, 0x53, 0xf6, 0xb2, 0xb2, 0x4b, 0xcb, 0xcf, 0xaa, 0xaf, 0xf5, 0x07,
3487 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3488 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3489 },
3490 {
3491 /* Valid if y overflow ignored (y = 1 mod p). (2/3) */
3492 0xcb, 0xb0, 0xde, 0xab, 0x12, 0x57, 0x54, 0xf1, 0xfd, 0xb2, 0x03, 0x8b, 0x04, 0x34, 0xed, 0x9c,
3493 0xb3, 0xfb, 0x53, 0xab, 0x73, 0x53, 0x91, 0x12, 0x99, 0x94, 0xa5, 0x35, 0xd9, 0x25, 0xf6, 0x73,
3494 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3495 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3496 },
3497 {
3498 /* Valid if y overflow ignored (y = 1 mod p). (3/3)*/
3499 0x14, 0x6d, 0x3b, 0x65, 0xad, 0xd9, 0xf5, 0x4c, 0xcc, 0xa2, 0x85, 0x33, 0xc8, 0x8e, 0x2c, 0xbc,
3500 0x63, 0xf7, 0x44, 0x3e, 0x16, 0x58, 0x78, 0x3a, 0xb4, 0x1f, 0x8e, 0xf9, 0x7c, 0x2a, 0x10, 0xb5,
3501 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3502 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3503 },
3504 {
3505 /* x on curve, y is from y^2 = x^3 + 8. */
3506 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3507 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3508 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3509 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03
3510 }
3511 };
3512 #define SECP256K1_EC_PARSE_TEST_NINVALID (7)
3513 const unsigned char invalid[SECP256K1_EC_PARSE_TEST_NINVALID][64] = {
3514 {
3515 /* x is third root of -8, y is -1 * (x^3+7); also on the curve for y^2 = x^3 + 9. */
3516 0x0a, 0x2d, 0x2b, 0xa9, 0x35, 0x07, 0xf1, 0xdf, 0x23, 0x37, 0x70, 0xc2, 0xa7, 0x97, 0x96, 0x2c,
3517 0xc6, 0x1f, 0x6d, 0x15, 0xda, 0x14, 0xec, 0xd4, 0x7d, 0x8d, 0x27, 0xae, 0x1c, 0xd5, 0xf8, 0x53,
3518 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3519 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
3520 },
3521 {
3522 /* Valid if x overflow ignored (x = 1 mod p). */
3523 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3524 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3525 0x42, 0x18, 0xf2, 0x0a, 0xe6, 0xc6, 0x46, 0xb3, 0x63, 0xdb, 0x68, 0x60, 0x58, 0x22, 0xfb, 0x14,
3526 0x26, 0x4c, 0xa8, 0xd2, 0x58, 0x7f, 0xdd, 0x6f, 0xbc, 0x75, 0x0d, 0x58, 0x7e, 0x76, 0xa7, 0xee,
3527 },
3528 {
3529 /* Valid if x overflow ignored (x = 1 mod p). */
3530 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3531 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x30,
3532 0xbd, 0xe7, 0x0d, 0xf5, 0x19, 0x39, 0xb9, 0x4c, 0x9c, 0x24, 0x97, 0x9f, 0xa7, 0xdd, 0x04, 0xeb,
3533 0xd9, 0xb3, 0x57, 0x2d, 0xa7, 0x80, 0x22, 0x90, 0x43, 0x8a, 0xf2, 0xa6, 0x81, 0x89, 0x54, 0x41,
3534 },
3535 {
3536 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3537 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3538 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3539 0xf4, 0x84, 0x14, 0x5c, 0xb0, 0x14, 0x9b, 0x82, 0x5d, 0xff, 0x41, 0x2f, 0xa0, 0x52, 0xa8, 0x3f,
3540 0xcb, 0x72, 0xdb, 0x61, 0xd5, 0x6f, 0x37, 0x70, 0xce, 0x06, 0x6b, 0x73, 0x49, 0xa2, 0xaa, 0x28,
3541 },
3542 {
3543 /* x is -1, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 5. */
3544 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3545 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe, 0xff, 0xff, 0xfc, 0x2e,
3546 0x0b, 0x7b, 0xeb, 0xa3, 0x4f, 0xeb, 0x64, 0x7d, 0xa2, 0x00, 0xbe, 0xd0, 0x5f, 0xad, 0x57, 0xc0,
3547 0x34, 0x8d, 0x24, 0x9e, 0x2a, 0x90, 0xc8, 0x8f, 0x31, 0xf9, 0x94, 0x8b, 0xb6, 0x5d, 0x52, 0x07,
3548 },
3549 {
3550 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3551 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3552 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3553 0x8f, 0x53, 0x7e, 0xef, 0xdf, 0xc1, 0x60, 0x6a, 0x07, 0x27, 0xcd, 0x69, 0xb4, 0xa7, 0x33, 0x3d,
3554 0x38, 0xed, 0x44, 0xe3, 0x93, 0x2a, 0x71, 0x79, 0xee, 0xcb, 0x4b, 0x6f, 0xba, 0x93, 0x60, 0xdc,
3555 },
3556 {
3557 /* x is zero, y is the result of the sqrt ladder; also on the curve for y^2 = x^3 - 7. */
3558 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3559 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
3560 0x70, 0xac, 0x81, 0x10, 0x20, 0x3e, 0x9f, 0x95, 0xf8, 0xd8, 0x32, 0x96, 0x4b, 0x58, 0xcc, 0xc2,
3561 0xc7, 0x12, 0xbb, 0x1c, 0x6c, 0xd5, 0x8e, 0x86, 0x11, 0x34, 0xb4, 0x8f, 0x45, 0x6c, 0x9b, 0x53
3562 }
3563 };
3564 const unsigned char pubkeyc[66] = {
3565 /* Serialization of G. */
3566 0x04, 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, 0xCE, 0x87, 0x0B,
3567 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17,
3568 0x98, 0x48, 0x3A, 0xDA, 0x77, 0x26, 0xA3, 0xC4, 0x65, 0x5D, 0xA4, 0xFB, 0xFC, 0x0E, 0x11, 0x08,
3569 0xA8, 0xFD, 0x17, 0xB4, 0x48, 0xA6, 0x85, 0x54, 0x19, 0x9C, 0x47, 0xD0, 0x8F, 0xFB, 0x10, 0xD4,
3570 0xB8, 0x00
3571 };
3572 unsigned char sout[65];
3573 unsigned char shortkey[2];
3574 secp256k1_ge ge;
3575 secp256k1_pubkey pubkey;
3576 size_t len;
3577 int32_t i;
3578 int32_t ecount;
3579 int32_t ecount2;
3580 ecount = 0;
3581 /* Nothing should be reading this far into pubkeyc. */
3582 VG_UNDEF(&pubkeyc[65], 1);
3583 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3584 /* Zero length claimed, fail, zeroize, no illegal arg error. */
3585 memset(&pubkey, 0xfe, sizeof(pubkey));
3586 ecount = 0;
3587 VG_UNDEF(shortkey, 2);
3588 VG_UNDEF(&pubkey, sizeof(pubkey));
3589 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 0) == 0);
3590 VG_CHECK(&pubkey, sizeof(pubkey));
3591 CHECK(ecount == 0);
3592 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3593 CHECK(ecount == 1);
3594 /* Length one claimed, fail, zeroize, no illegal arg error. */
3595 for (i = 0; i < 256 ; i++) {
3596 memset(&pubkey, 0xfe, sizeof(pubkey));
3597 ecount = 0;
3598 shortkey[0] = i;
3599 VG_UNDEF(&shortkey[1], 1);
3600 VG_UNDEF(&pubkey, sizeof(pubkey));
3601 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 1) == 0);
3602 VG_CHECK(&pubkey, sizeof(pubkey));
3603 CHECK(ecount == 0);
3604 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3605 CHECK(ecount == 1);
3606 }
3607 /* Length two claimed, fail, zeroize, no illegal arg error. */
3608 for (i = 0; i < 65536 ; i++) {
3609 memset(&pubkey, 0xfe, sizeof(pubkey));
3610 ecount = 0;
3611 shortkey[0] = i & 255;
3612 shortkey[1] = i >> 8;
3613 VG_UNDEF(&pubkey, sizeof(pubkey));
3614 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, shortkey, 2) == 0);
3615 VG_CHECK(&pubkey, sizeof(pubkey));
3616 CHECK(ecount == 0);
3617 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3618 CHECK(ecount == 1);
3619 }
3620 memset(&pubkey, 0xfe, sizeof(pubkey));
3621 ecount = 0;
3622 VG_UNDEF(&pubkey, sizeof(pubkey));
3623 /* 33 bytes claimed on otherwise valid input starting with 0x04, fail, zeroize output, no illegal arg error. */
3624 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 33) == 0);
3625 VG_CHECK(&pubkey, sizeof(pubkey));
3626 CHECK(ecount == 0);
3627 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3628 CHECK(ecount == 1);
3629 /* NULL pubkey, illegal arg error. Pubkey isn't rewritten before this step, since it's NULL into the parser. */
3630 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, pubkeyc, 65) == 0);
3631 CHECK(ecount == 2);
3632 /* NULL input string. Illegal arg and zeroize output. */
3633 memset(&pubkey, 0xfe, sizeof(pubkey));
3634 ecount = 0;
3635 VG_UNDEF(&pubkey, sizeof(pubkey));
3636 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, NULL, 65) == 0);
3637 VG_CHECK(&pubkey, sizeof(pubkey));
3638 CHECK(ecount == 1);
3639 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3640 CHECK(ecount == 2);
3641 /* 64 bytes claimed on input starting with 0x04, fail, zeroize output, no illegal arg error. */
3642 memset(&pubkey, 0xfe, sizeof(pubkey));
3643 ecount = 0;
3644 VG_UNDEF(&pubkey, sizeof(pubkey));
3645 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 64) == 0);
3646 VG_CHECK(&pubkey, sizeof(pubkey));
3647 CHECK(ecount == 0);
3648 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3649 CHECK(ecount == 1);
3650 /* 66 bytes claimed, fail, zeroize output, no illegal arg error. */
3651 memset(&pubkey, 0xfe, sizeof(pubkey));
3652 ecount = 0;
3653 VG_UNDEF(&pubkey, sizeof(pubkey));
3654 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 66) == 0);
3655 VG_CHECK(&pubkey, sizeof(pubkey));
3656 CHECK(ecount == 0);
3657 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 0);
3658 CHECK(ecount == 1);
3659 /* Valid parse. */
3660 memset(&pubkey, 0, sizeof(pubkey));
3661 ecount = 0;
3662 VG_UNDEF(&pubkey, sizeof(pubkey));
3663 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, 65) == 1);
3664 CHECK(secp256k1_ec_pubkey_parse(secp256k1_context_no_precomp, &pubkey, pubkeyc, 65) == 1);
3665 VG_CHECK(&pubkey, sizeof(pubkey));
3666 CHECK(ecount == 0);
3667 VG_UNDEF(&ge, sizeof(ge));
3668 CHECK(secp256k1_pubkey_load(ctx, &ge, &pubkey) == 1);
3669 VG_CHECK(&ge.x, sizeof(ge.x));
3670 VG_CHECK(&ge.y, sizeof(ge.y));
3671 VG_CHECK(&ge.infinity, sizeof(ge.infinity));
3672 ge_equals_ge(&secp256k1_ge_const_g, &ge);
3673 CHECK(ecount == 0);
3674 /* secp256k1_ec_pubkey_serialize illegal args. */
3675 ecount = 0;
3676 len = 65;
3677 CHECK(secp256k1_ec_pubkey_serialize(ctx, NULL, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3678 CHECK(ecount == 1);
3679 CHECK(len == 0);
3680 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, NULL, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 0);
3681 CHECK(ecount == 2);
3682 len = 65;
3683 VG_UNDEF(sout, 65);
3684 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, NULL, SECP256K1_EC_UNCOMPRESSED) == 0);
3685 VG_CHECK(sout, 65);
3686 CHECK(ecount == 3);
3687 CHECK(len == 0);
3688 len = 65;
3689 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, ~0) == 0);
3690 CHECK(ecount == 4);
3691 CHECK(len == 0);
3692 len = 65;
3693 VG_UNDEF(sout, 65);
3694 CHECK(secp256k1_ec_pubkey_serialize(ctx, sout, &len, &pubkey, SECP256K1_EC_UNCOMPRESSED) == 1);
3695 VG_CHECK(sout, 65);
3696 CHECK(ecount == 4);
3697 CHECK(len == 65);
3698 /* Multiple illegal args. Should still set arg error only once. */
3699 ecount = 0;
3700 ecount2 = 11;
3701 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3702 CHECK(ecount == 1);
3703 /* Does the illegal arg callback actually change the behavior? */
3704 secp256k1_context_set_illegal_callback(ctx, uncounting_illegal_callback_fn, &ecount2);
3705 CHECK(secp256k1_ec_pubkey_parse(ctx, NULL, NULL, 65) == 0);
3706 CHECK(ecount == 1);
3707 CHECK(ecount2 == 10);
3708 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3709 /* Try a bunch of prefabbed points with all possible encodings. */
3710 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NVALID; i++) {
3711 ec_pubkey_parse_pointtest(valid[i], 1, 1);
3712 }
3713 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NXVALID; i++) {
3714 ec_pubkey_parse_pointtest(onlyxvalid[i], 1, 0);
3715 }
3716 for (i = 0; i < SECP256K1_EC_PARSE_TEST_NINVALID; i++) {
3717 ec_pubkey_parse_pointtest(invalid[i], 0, 0);
3718 }
3719 }
3720
run_eckey_edge_case_test(void)3721 void run_eckey_edge_case_test(void) {
3722 const unsigned char orderc[32] = {
3723 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
3724 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
3725 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
3726 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41
3727 };
3728 const unsigned char zeros[sizeof(secp256k1_pubkey)] = {0x00};
3729 unsigned char ctmp[33];
3730 unsigned char ctmp2[33];
3731 secp256k1_pubkey pubkey;
3732 secp256k1_pubkey pubkey2;
3733 secp256k1_pubkey pubkey_one;
3734 secp256k1_pubkey pubkey_negone;
3735 const secp256k1_pubkey *pubkeys[3];
3736 size_t len;
3737 int32_t ecount;
3738 /* Group order is too large, reject. */
3739 CHECK(secp256k1_ec_seckey_verify(ctx, orderc) == 0);
3740 VG_UNDEF(&pubkey, sizeof(pubkey));
3741 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, orderc) == 0);
3742 VG_CHECK(&pubkey, sizeof(pubkey));
3743 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3744 /* Maximum value is too large, reject. */
3745 memset(ctmp, 255, 32);
3746 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3747 memset(&pubkey, 1, sizeof(pubkey));
3748 VG_UNDEF(&pubkey, sizeof(pubkey));
3749 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3750 VG_CHECK(&pubkey, sizeof(pubkey));
3751 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3752 /* Zero is too small, reject. */
3753 memset(ctmp, 0, 32);
3754 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3755 memset(&pubkey, 1, sizeof(pubkey));
3756 VG_UNDEF(&pubkey, sizeof(pubkey));
3757 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3758 VG_CHECK(&pubkey, sizeof(pubkey));
3759 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3760 /* One must be accepted. */
3761 ctmp[31] = 0x01;
3762 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3763 memset(&pubkey, 0, sizeof(pubkey));
3764 VG_UNDEF(&pubkey, sizeof(pubkey));
3765 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3766 VG_CHECK(&pubkey, sizeof(pubkey));
3767 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3768 pubkey_one = pubkey;
3769 /* Group order + 1 is too large, reject. */
3770 memcpy(ctmp, orderc, 32);
3771 ctmp[31] = 0x42;
3772 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 0);
3773 memset(&pubkey, 1, sizeof(pubkey));
3774 VG_UNDEF(&pubkey, sizeof(pubkey));
3775 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 0);
3776 VG_CHECK(&pubkey, sizeof(pubkey));
3777 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3778 /* -1 must be accepted. */
3779 ctmp[31] = 0x40;
3780 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3781 memset(&pubkey, 0, sizeof(pubkey));
3782 VG_UNDEF(&pubkey, sizeof(pubkey));
3783 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, ctmp) == 1);
3784 VG_CHECK(&pubkey, sizeof(pubkey));
3785 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3786 pubkey_negone = pubkey;
3787 /* Tweak of zero leaves the value unchanged. */
3788 memset(ctmp2, 0, 32);
3789 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, ctmp2) == 1);
3790 CHECK(memcmp(orderc, ctmp, 31) == 0 && ctmp[31] == 0x40);
3791 memcpy(&pubkey2, &pubkey, sizeof(pubkey));
3792 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3793 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3794 /* Multiply tweak of zero zeroizes the output. */
3795 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, ctmp2) == 0);
3796 CHECK(memcmp(zeros, ctmp, 32) == 0);
3797 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, ctmp2) == 0);
3798 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3799 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3800 /* Overflowing key tweak zeroizes. */
3801 memcpy(ctmp, orderc, 32);
3802 ctmp[31] = 0x40;
3803 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, orderc) == 0);
3804 CHECK(memcmp(zeros, ctmp, 32) == 0);
3805 memcpy(ctmp, orderc, 32);
3806 ctmp[31] = 0x40;
3807 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, orderc) == 0);
3808 CHECK(memcmp(zeros, ctmp, 32) == 0);
3809 memcpy(ctmp, orderc, 32);
3810 ctmp[31] = 0x40;
3811 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, orderc) == 0);
3812 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3813 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3814 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, orderc) == 0);
3815 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3816 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3817 /* Private key tweaks results in a key of zero. */
3818 ctmp2[31] = 1;
3819 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 0);
3820 CHECK(memcmp(zeros, ctmp2, 32) == 0);
3821 ctmp2[31] = 1;
3822 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3823 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3824 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3825 /* Tweak computation wraps and results in a key of 1. */
3826 ctmp2[31] = 2;
3827 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp2, ctmp) == 1);
3828 CHECK(memcmp(ctmp2, zeros, 31) == 0 && ctmp2[31] == 1);
3829 ctmp2[31] = 2;
3830 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3831 ctmp2[31] = 1;
3832 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, ctmp2) == 1);
3833 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3834 /* Tweak mul * 2 = 1+1. */
3835 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 1);
3836 ctmp2[31] = 2;
3837 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 1);
3838 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
3839 /* Test argument errors. */
3840 ecount = 0;
3841 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
3842 CHECK(ecount == 0);
3843 /* Zeroize pubkey on parse error. */
3844 memset(&pubkey, 0, 32);
3845 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, ctmp2) == 0);
3846 CHECK(ecount == 1);
3847 CHECK(memcmp(&pubkey, zeros, sizeof(pubkey)) == 0);
3848 memcpy(&pubkey, &pubkey2, sizeof(pubkey));
3849 memset(&pubkey2, 0, 32);
3850 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey2, ctmp2) == 0);
3851 CHECK(ecount == 2);
3852 CHECK(memcmp(&pubkey2, zeros, sizeof(pubkey2)) == 0);
3853 /* Plain argument errors. */
3854 ecount = 0;
3855 CHECK(secp256k1_ec_seckey_verify(ctx, ctmp) == 1);
3856 CHECK(ecount == 0);
3857 CHECK(secp256k1_ec_seckey_verify(ctx, NULL) == 0);
3858 CHECK(ecount == 1);
3859 ecount = 0;
3860 memset(ctmp2, 0, 32);
3861 ctmp2[31] = 4;
3862 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, NULL, ctmp2) == 0);
3863 CHECK(ecount == 1);
3864 CHECK(secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, NULL) == 0);
3865 CHECK(ecount == 2);
3866 ecount = 0;
3867 memset(ctmp2, 0, 32);
3868 ctmp2[31] = 4;
3869 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3870 CHECK(ecount == 1);
3871 CHECK(secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, NULL) == 0);
3872 CHECK(ecount == 2);
3873 ecount = 0;
3874 memset(ctmp2, 0, 32);
3875 CHECK(secp256k1_ec_privkey_tweak_add(ctx, NULL, ctmp2) == 0);
3876 CHECK(ecount == 1);
3877 CHECK(secp256k1_ec_privkey_tweak_add(ctx, ctmp, NULL) == 0);
3878 CHECK(ecount == 2);
3879 ecount = 0;
3880 memset(ctmp2, 0, 32);
3881 ctmp2[31] = 1;
3882 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, NULL, ctmp2) == 0);
3883 CHECK(ecount == 1);
3884 CHECK(secp256k1_ec_privkey_tweak_mul(ctx, ctmp, NULL) == 0);
3885 CHECK(ecount == 2);
3886 ecount = 0;
3887 CHECK(secp256k1_ec_pubkey_create(ctx, NULL, ctmp) == 0);
3888 CHECK(ecount == 1);
3889 memset(&pubkey, 1, sizeof(pubkey));
3890 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
3891 CHECK(ecount == 2);
3892 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3893 /* secp256k1_ec_pubkey_combine tests. */
3894 ecount = 0;
3895 pubkeys[0] = &pubkey_one;
3896 VG_UNDEF(&pubkeys[0], sizeof(secp256k1_pubkey *));
3897 VG_UNDEF(&pubkeys[1], sizeof(secp256k1_pubkey *));
3898 VG_UNDEF(&pubkeys[2], sizeof(secp256k1_pubkey *));
3899 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3900 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3901 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 0) == 0);
3902 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3903 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3904 CHECK(ecount == 1);
3905 CHECK(secp256k1_ec_pubkey_combine(ctx, NULL, pubkeys, 1) == 0);
3906 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3907 CHECK(ecount == 2);
3908 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3909 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3910 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, NULL, 1) == 0);
3911 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3912 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3913 CHECK(ecount == 3);
3914 pubkeys[0] = &pubkey_negone;
3915 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3916 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3917 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 1) == 1);
3918 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3919 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3920 CHECK(ecount == 3);
3921 len = 33;
3922 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3923 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_negone, SECP256K1_EC_COMPRESSED) == 1);
3924 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
3925 /* Result is infinity. */
3926 pubkeys[0] = &pubkey_one;
3927 pubkeys[1] = &pubkey_negone;
3928 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3929 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3930 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 0);
3931 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3932 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) == 0);
3933 CHECK(ecount == 3);
3934 /* Passes through infinity but comes out one. */
3935 pubkeys[2] = &pubkey_one;
3936 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3937 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3938 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 3) == 1);
3939 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3940 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3941 CHECK(ecount == 3);
3942 len = 33;
3943 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp, &len, &pubkey, SECP256K1_EC_COMPRESSED) == 1);
3944 CHECK(secp256k1_ec_pubkey_serialize(ctx, ctmp2, &len, &pubkey_one, SECP256K1_EC_COMPRESSED) == 1);
3945 CHECK(memcmp(ctmp, ctmp2, 33) == 0);
3946 /* Adds to two. */
3947 pubkeys[1] = &pubkey_one;
3948 memset(&pubkey, 255, sizeof(secp256k1_pubkey));
3949 VG_UNDEF(&pubkey, sizeof(secp256k1_pubkey));
3950 CHECK(secp256k1_ec_pubkey_combine(ctx, &pubkey, pubkeys, 2) == 1);
3951 VG_CHECK(&pubkey, sizeof(secp256k1_pubkey));
3952 CHECK(memcmp(&pubkey, zeros, sizeof(secp256k1_pubkey)) > 0);
3953 CHECK(ecount == 3);
3954 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
3955 }
3956
random_sign(secp256k1_scalar * sigr,secp256k1_scalar * sigs,const secp256k1_scalar * key,const secp256k1_scalar * msg,int * recid)3957 void random_sign(secp256k1_scalar *sigr, secp256k1_scalar *sigs, const secp256k1_scalar *key, const secp256k1_scalar *msg, int *recid) {
3958 secp256k1_scalar nonce;
3959 do {
3960 random_scalar_order_test(&nonce);
3961 } while(!secp256k1_ecdsa_sig_sign(&ctx->ecmult_gen_ctx, sigr, sigs, key, msg, &nonce, recid));
3962 }
3963
test_ecdsa_sign_verify(void)3964 void test_ecdsa_sign_verify(void) {
3965 secp256k1_gej pubj;
3966 secp256k1_ge pub;
3967 secp256k1_scalar one;
3968 secp256k1_scalar msg, key;
3969 secp256k1_scalar sigr, sigs;
3970 int recid;
3971 int getrec;
3972 random_scalar_order_test(&msg);
3973 random_scalar_order_test(&key);
3974 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &pubj, &key);
3975 secp256k1_ge_set_gej(&pub, &pubj);
3976 getrec = secp256k1_rand_bits(1);
3977 random_sign(&sigr, &sigs, &key, &msg, getrec?&recid:NULL);
3978 if (getrec) {
3979 CHECK(recid >= 0 && recid < 4);
3980 }
3981 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
3982 secp256k1_scalar_set_int(&one, 1);
3983 secp256k1_scalar_add(&msg, &msg, &one);
3984 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &pub, &msg));
3985 }
3986
run_ecdsa_sign_verify(void)3987 void run_ecdsa_sign_verify(void) {
3988 int i;
3989 for (i = 0; i < 10*count; i++) {
3990 test_ecdsa_sign_verify();
3991 }
3992 }
3993
3994 /** Dummy nonce generation function that just uses a precomputed nonce, and fails if it is not accepted. Use only for testing. */
precomputed_nonce_function(unsigned char * nonce32,const unsigned char * msg32,const unsigned char * key32,const unsigned char * algo16,void * data,unsigned int counter)3995 static int precomputed_nonce_function(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
3996 (void)msg32;
3997 (void)key32;
3998 (void)algo16;
3999 memcpy(nonce32, data, 32);
4000 return (counter == 0);
4001 }
4002
nonce_function_test_fail(unsigned char * nonce32,const unsigned char * msg32,const unsigned char * key32,const unsigned char * algo16,void * data,unsigned int counter)4003 static int nonce_function_test_fail(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4004 /* Dummy nonce generator that has a fatal error on the first counter value. */
4005 if (counter == 0) {
4006 return 0;
4007 }
4008 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 1);
4009 }
4010
nonce_function_test_retry(unsigned char * nonce32,const unsigned char * msg32,const unsigned char * key32,const unsigned char * algo16,void * data,unsigned int counter)4011 static int nonce_function_test_retry(unsigned char *nonce32, const unsigned char *msg32, const unsigned char *key32, const unsigned char *algo16, void *data, unsigned int counter) {
4012 /* Dummy nonce generator that produces unacceptable nonces for the first several counter values. */
4013 if (counter < 3) {
4014 memset(nonce32, counter==0 ? 0 : 255, 32);
4015 if (counter == 2) {
4016 nonce32[31]--;
4017 }
4018 return 1;
4019 }
4020 if (counter < 5) {
4021 static const unsigned char order[] = {
4022 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4023 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4024 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4025 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x41
4026 };
4027 memcpy(nonce32, order, 32);
4028 if (counter == 4) {
4029 nonce32[31]++;
4030 }
4031 return 1;
4032 }
4033 /* Retry rate of 6979 is negligible esp. as we only call this in deterministic tests. */
4034 /* If someone does fine a case where it retries for secp256k1, we'd like to know. */
4035 if (counter > 5) {
4036 return 0;
4037 }
4038 return nonce_function_rfc6979(nonce32, msg32, key32, algo16, data, counter - 5);
4039 }
4040
is_empty_signature(const secp256k1_ecdsa_signature * sig)4041 int is_empty_signature(const secp256k1_ecdsa_signature *sig) {
4042 static const unsigned char res[sizeof(secp256k1_ecdsa_signature)] = {0};
4043 return memcmp(sig, res, sizeof(secp256k1_ecdsa_signature)) == 0;
4044 }
4045
test_ecdsa_end_to_end(void)4046 void test_ecdsa_end_to_end(void) {
4047 unsigned char extra[32] = {0x00};
4048 unsigned char privkey[32];
4049 unsigned char message[32];
4050 unsigned char privkey2[32];
4051 secp256k1_ecdsa_signature signature[6];
4052 secp256k1_scalar r, s;
4053 unsigned char sig[74];
4054 size_t siglen = 74;
4055 unsigned char pubkeyc[65];
4056 size_t pubkeyclen = 65;
4057 secp256k1_pubkey pubkey;
4058 secp256k1_pubkey pubkey_tmp;
4059 unsigned char seckey[300];
4060 size_t seckeylen = 300;
4061
4062 /* Generate a random key and message. */
4063 {
4064 secp256k1_scalar msg, key;
4065 random_scalar_order_test(&msg);
4066 random_scalar_order_test(&key);
4067 secp256k1_scalar_get_b32(privkey, &key);
4068 secp256k1_scalar_get_b32(message, &msg);
4069 }
4070
4071 /* Construct and verify corresponding public key. */
4072 CHECK(secp256k1_ec_seckey_verify(ctx, privkey) == 1);
4073 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, privkey) == 1);
4074
4075 /* Verify exporting and importing public key. */
4076 CHECK(secp256k1_ec_pubkey_serialize(ctx, pubkeyc, &pubkeyclen, &pubkey, secp256k1_rand_bits(1) == 1 ? SECP256K1_EC_COMPRESSED : SECP256K1_EC_UNCOMPRESSED));
4077 memset(&pubkey, 0, sizeof(pubkey));
4078 CHECK(secp256k1_ec_pubkey_parse(ctx, &pubkey, pubkeyc, pubkeyclen) == 1);
4079
4080 /* Verify negation changes the key and changes it back */
4081 memcpy(&pubkey_tmp, &pubkey, sizeof(pubkey));
4082 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4083 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) != 0);
4084 CHECK(secp256k1_ec_pubkey_negate(ctx, &pubkey_tmp) == 1);
4085 CHECK(memcmp(&pubkey_tmp, &pubkey, sizeof(pubkey)) == 0);
4086
4087 /* Verify private key import and export. */
4088 CHECK(ec_privkey_export_der(ctx, seckey, &seckeylen, privkey, secp256k1_rand_bits(1) == 1));
4089 CHECK(ec_privkey_import_der(ctx, privkey2, seckey, seckeylen) == 1);
4090 CHECK(memcmp(privkey, privkey2, 32) == 0);
4091
4092 /* Optionally tweak the keys using addition. */
4093 if (secp256k1_rand_int(3) == 0) {
4094 int ret1;
4095 int ret2;
4096 unsigned char rnd[32];
4097 secp256k1_pubkey pubkey2;
4098 secp256k1_rand256_test(rnd);
4099 ret1 = secp256k1_ec_privkey_tweak_add(ctx, privkey, rnd);
4100 ret2 = secp256k1_ec_pubkey_tweak_add(ctx, &pubkey, rnd);
4101 CHECK(ret1 == ret2);
4102 if (ret1 == 0) {
4103 return;
4104 }
4105 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4106 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4107 }
4108
4109 /* Optionally tweak the keys using multiplication. */
4110 if (secp256k1_rand_int(3) == 0) {
4111 int ret1;
4112 int ret2;
4113 unsigned char rnd[32];
4114 secp256k1_pubkey pubkey2;
4115 secp256k1_rand256_test(rnd);
4116 ret1 = secp256k1_ec_privkey_tweak_mul(ctx, privkey, rnd);
4117 ret2 = secp256k1_ec_pubkey_tweak_mul(ctx, &pubkey, rnd);
4118 CHECK(ret1 == ret2);
4119 if (ret1 == 0) {
4120 return;
4121 }
4122 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey2, privkey) == 1);
4123 CHECK(memcmp(&pubkey, &pubkey2, sizeof(pubkey)) == 0);
4124 }
4125
4126 /* Sign. */
4127 CHECK(secp256k1_ecdsa_sign(ctx, &signature[0], message, privkey, NULL, NULL) == 1);
4128 CHECK(secp256k1_ecdsa_sign(ctx, &signature[4], message, privkey, NULL, NULL) == 1);
4129 CHECK(secp256k1_ecdsa_sign(ctx, &signature[1], message, privkey, NULL, extra) == 1);
4130 extra[31] = 1;
4131 CHECK(secp256k1_ecdsa_sign(ctx, &signature[2], message, privkey, NULL, extra) == 1);
4132 extra[31] = 0;
4133 extra[0] = 1;
4134 CHECK(secp256k1_ecdsa_sign(ctx, &signature[3], message, privkey, NULL, extra) == 1);
4135 CHECK(memcmp(&signature[0], &signature[4], sizeof(signature[0])) == 0);
4136 CHECK(memcmp(&signature[0], &signature[1], sizeof(signature[0])) != 0);
4137 CHECK(memcmp(&signature[0], &signature[2], sizeof(signature[0])) != 0);
4138 CHECK(memcmp(&signature[0], &signature[3], sizeof(signature[0])) != 0);
4139 CHECK(memcmp(&signature[1], &signature[2], sizeof(signature[0])) != 0);
4140 CHECK(memcmp(&signature[1], &signature[3], sizeof(signature[0])) != 0);
4141 CHECK(memcmp(&signature[2], &signature[3], sizeof(signature[0])) != 0);
4142 /* Verify. */
4143 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4144 CHECK(secp256k1_ecdsa_verify(ctx, &signature[1], message, &pubkey) == 1);
4145 CHECK(secp256k1_ecdsa_verify(ctx, &signature[2], message, &pubkey) == 1);
4146 CHECK(secp256k1_ecdsa_verify(ctx, &signature[3], message, &pubkey) == 1);
4147 /* Test lower-S form, malleate, verify and fail, test again, malleate again */
4148 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[0]));
4149 secp256k1_ecdsa_signature_load(ctx, &r, &s, &signature[0]);
4150 secp256k1_scalar_negate(&s, &s);
4151 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4152 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 0);
4153 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4154 CHECK(secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4155 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4156 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, &signature[5], &signature[5]));
4157 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4158 secp256k1_scalar_negate(&s, &s);
4159 secp256k1_ecdsa_signature_save(&signature[5], &r, &s);
4160 CHECK(!secp256k1_ecdsa_signature_normalize(ctx, NULL, &signature[5]));
4161 CHECK(secp256k1_ecdsa_verify(ctx, &signature[5], message, &pubkey) == 1);
4162 CHECK(memcmp(&signature[5], &signature[0], 64) == 0);
4163
4164 /* Serialize/parse DER and verify again */
4165 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4166 memset(&signature[0], 0, sizeof(signature[0]));
4167 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 1);
4168 CHECK(secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 1);
4169 /* Serialize/destroy/parse DER and verify again. */
4170 siglen = 74;
4171 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, sig, &siglen, &signature[0]) == 1);
4172 sig[secp256k1_rand_int(siglen)] += 1 + secp256k1_rand_int(255);
4173 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &signature[0], sig, siglen) == 0 ||
4174 secp256k1_ecdsa_verify(ctx, &signature[0], message, &pubkey) == 0);
4175 }
4176
test_random_pubkeys(void)4177 void test_random_pubkeys(void) {
4178 secp256k1_ge elem;
4179 secp256k1_ge elem2;
4180 unsigned char in[65];
4181 /* Generate some randomly sized pubkeys. */
4182 size_t len = secp256k1_rand_bits(2) == 0 ? 65 : 33;
4183 if (secp256k1_rand_bits(2) == 0) {
4184 len = secp256k1_rand_bits(6);
4185 }
4186 if (len == 65) {
4187 in[0] = secp256k1_rand_bits(1) ? 4 : (secp256k1_rand_bits(1) ? 6 : 7);
4188 } else {
4189 in[0] = secp256k1_rand_bits(1) ? 2 : 3;
4190 }
4191 if (secp256k1_rand_bits(3) == 0) {
4192 in[0] = secp256k1_rand_bits(8);
4193 }
4194 if (len > 1) {
4195 secp256k1_rand256(&in[1]);
4196 }
4197 if (len > 33) {
4198 secp256k1_rand256(&in[33]);
4199 }
4200 if (secp256k1_eckey_pubkey_parse(&elem, in, len)) {
4201 unsigned char out[65];
4202 unsigned char firstb;
4203 int res;
4204 size_t size = len;
4205 firstb = in[0];
4206 /* If the pubkey can be parsed, it should round-trip... */
4207 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, len == 33));
4208 CHECK(size == len);
4209 CHECK(memcmp(&in[1], &out[1], len-1) == 0);
4210 /* ... except for the type of hybrid inputs. */
4211 if ((in[0] != 6) && (in[0] != 7)) {
4212 CHECK(in[0] == out[0]);
4213 }
4214 size = 65;
4215 CHECK(secp256k1_eckey_pubkey_serialize(&elem, in, &size, 0));
4216 CHECK(size == 65);
4217 CHECK(secp256k1_eckey_pubkey_parse(&elem2, in, size));
4218 ge_equals_ge(&elem,&elem2);
4219 /* Check that the X9.62 hybrid type is checked. */
4220 in[0] = secp256k1_rand_bits(1) ? 6 : 7;
4221 res = secp256k1_eckey_pubkey_parse(&elem2, in, size);
4222 if (firstb == 2 || firstb == 3) {
4223 if (in[0] == firstb + 4) {
4224 CHECK(res);
4225 } else {
4226 CHECK(!res);
4227 }
4228 }
4229 if (res) {
4230 ge_equals_ge(&elem,&elem2);
4231 CHECK(secp256k1_eckey_pubkey_serialize(&elem, out, &size, 0));
4232 CHECK(memcmp(&in[1], &out[1], 64) == 0);
4233 }
4234 }
4235 }
4236
run_random_pubkeys(void)4237 void run_random_pubkeys(void) {
4238 int i;
4239 for (i = 0; i < 10*count; i++) {
4240 test_random_pubkeys();
4241 }
4242 }
4243
run_ecdsa_end_to_end(void)4244 void run_ecdsa_end_to_end(void) {
4245 int i;
4246 for (i = 0; i < 64*count; i++) {
4247 test_ecdsa_end_to_end();
4248 }
4249 }
4250
test_ecdsa_der_parse(const unsigned char * sig,size_t siglen,int certainly_der,int certainly_not_der)4251 int test_ecdsa_der_parse(const unsigned char *sig, size_t siglen, int certainly_der, int certainly_not_der) {
4252 static const unsigned char zeroes[32] = {0};
4253 #ifdef ENABLE_OPENSSL_TESTS
4254 static const unsigned char max_scalar[32] = {
4255 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4256 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4257 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4258 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x40
4259 };
4260 #endif
4261
4262 int ret = 0;
4263
4264 secp256k1_ecdsa_signature sig_der;
4265 unsigned char roundtrip_der[2048];
4266 unsigned char compact_der[64];
4267 size_t len_der = 2048;
4268 int parsed_der = 0, valid_der = 0, roundtrips_der = 0;
4269
4270 secp256k1_ecdsa_signature sig_der_lax;
4271 unsigned char roundtrip_der_lax[2048];
4272 unsigned char compact_der_lax[64];
4273 size_t len_der_lax = 2048;
4274 int parsed_der_lax = 0, valid_der_lax = 0, roundtrips_der_lax = 0;
4275
4276 #ifdef ENABLE_OPENSSL_TESTS
4277 ECDSA_SIG *sig_openssl;
4278 const BIGNUM *r = NULL, *s = NULL;
4279 const unsigned char *sigptr;
4280 unsigned char roundtrip_openssl[2048];
4281 int len_openssl = 2048;
4282 int parsed_openssl, valid_openssl = 0, roundtrips_openssl = 0;
4283 #endif
4284
4285 parsed_der = secp256k1_ecdsa_signature_parse_der(ctx, &sig_der, sig, siglen);
4286 if (parsed_der) {
4287 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der, &sig_der)) << 0;
4288 valid_der = (memcmp(compact_der, zeroes, 32) != 0) && (memcmp(compact_der + 32, zeroes, 32) != 0);
4289 }
4290 if (valid_der) {
4291 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der, &len_der, &sig_der)) << 1;
4292 roundtrips_der = (len_der == siglen) && memcmp(roundtrip_der, sig, siglen) == 0;
4293 }
4294
4295 parsed_der_lax = ecdsa_signature_parse_der_lax(ctx, &sig_der_lax, sig, siglen);
4296 if (parsed_der_lax) {
4297 ret |= (!secp256k1_ecdsa_signature_serialize_compact(ctx, compact_der_lax, &sig_der_lax)) << 10;
4298 valid_der_lax = (memcmp(compact_der_lax, zeroes, 32) != 0) && (memcmp(compact_der_lax + 32, zeroes, 32) != 0);
4299 }
4300 if (valid_der_lax) {
4301 ret |= (!secp256k1_ecdsa_signature_serialize_der(ctx, roundtrip_der_lax, &len_der_lax, &sig_der_lax)) << 11;
4302 roundtrips_der_lax = (len_der_lax == siglen) && memcmp(roundtrip_der_lax, sig, siglen) == 0;
4303 }
4304
4305 if (certainly_der) {
4306 ret |= (!parsed_der) << 2;
4307 }
4308 if (certainly_not_der) {
4309 ret |= (parsed_der) << 17;
4310 }
4311 if (valid_der) {
4312 ret |= (!roundtrips_der) << 3;
4313 }
4314
4315 if (valid_der) {
4316 ret |= (!roundtrips_der_lax) << 12;
4317 ret |= (len_der != len_der_lax) << 13;
4318 ret |= (memcmp(roundtrip_der_lax, roundtrip_der, len_der) != 0) << 14;
4319 }
4320 ret |= (roundtrips_der != roundtrips_der_lax) << 15;
4321 if (parsed_der) {
4322 ret |= (!parsed_der_lax) << 16;
4323 }
4324
4325 #ifdef ENABLE_OPENSSL_TESTS
4326 sig_openssl = ECDSA_SIG_new();
4327 sigptr = sig;
4328 parsed_openssl = (d2i_ECDSA_SIG(&sig_openssl, &sigptr, siglen) != NULL);
4329 if (parsed_openssl) {
4330 ECDSA_SIG_get0(sig_openssl, &r, &s);
4331 valid_openssl = !BN_is_negative(r) && !BN_is_negative(s) && BN_num_bits(r) > 0 && BN_num_bits(r) <= 256 && BN_num_bits(s) > 0 && BN_num_bits(s) <= 256;
4332 if (valid_openssl) {
4333 unsigned char tmp[32] = {0};
4334 BN_bn2bin(r, tmp + 32 - BN_num_bytes(r));
4335 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4336 }
4337 if (valid_openssl) {
4338 unsigned char tmp[32] = {0};
4339 BN_bn2bin(s, tmp + 32 - BN_num_bytes(s));
4340 valid_openssl = memcmp(tmp, max_scalar, 32) < 0;
4341 }
4342 }
4343 len_openssl = i2d_ECDSA_SIG(sig_openssl, NULL);
4344 if (len_openssl <= 2048) {
4345 unsigned char *ptr = roundtrip_openssl;
4346 CHECK(i2d_ECDSA_SIG(sig_openssl, &ptr) == len_openssl);
4347 roundtrips_openssl = valid_openssl && ((size_t)len_openssl == siglen) && (memcmp(roundtrip_openssl, sig, siglen) == 0);
4348 } else {
4349 len_openssl = 0;
4350 }
4351 ECDSA_SIG_free(sig_openssl);
4352
4353 ret |= (parsed_der && !parsed_openssl) << 4;
4354 ret |= (valid_der && !valid_openssl) << 5;
4355 ret |= (roundtrips_openssl && !parsed_der) << 6;
4356 ret |= (roundtrips_der != roundtrips_openssl) << 7;
4357 if (roundtrips_openssl) {
4358 ret |= (len_der != (size_t)len_openssl) << 8;
4359 ret |= (memcmp(roundtrip_der, roundtrip_openssl, len_der) != 0) << 9;
4360 }
4361 #endif
4362 return ret;
4363 }
4364
assign_big_endian(unsigned char * ptr,size_t ptrlen,uint32_t val)4365 static void assign_big_endian(unsigned char *ptr, size_t ptrlen, uint32_t val) {
4366 size_t i;
4367 for (i = 0; i < ptrlen; i++) {
4368 int shift = ptrlen - 1 - i;
4369 if (shift >= 4) {
4370 ptr[i] = 0;
4371 } else {
4372 ptr[i] = (val >> shift) & 0xFF;
4373 }
4374 }
4375 }
4376
damage_array(unsigned char * sig,size_t * len)4377 static void damage_array(unsigned char *sig, size_t *len) {
4378 int pos;
4379 int action = secp256k1_rand_bits(3);
4380 if (action < 1 && *len > 3) {
4381 /* Delete a byte. */
4382 pos = secp256k1_rand_int(*len);
4383 memmove(sig + pos, sig + pos + 1, *len - pos - 1);
4384 (*len)--;
4385 return;
4386 } else if (action < 2 && *len < 2048) {
4387 /* Insert a byte. */
4388 pos = secp256k1_rand_int(1 + *len);
4389 memmove(sig + pos + 1, sig + pos, *len - pos);
4390 sig[pos] = secp256k1_rand_bits(8);
4391 (*len)++;
4392 return;
4393 } else if (action < 4) {
4394 /* Modify a byte. */
4395 sig[secp256k1_rand_int(*len)] += 1 + secp256k1_rand_int(255);
4396 return;
4397 } else { /* action < 8 */
4398 /* Modify a bit. */
4399 sig[secp256k1_rand_int(*len)] ^= 1 << secp256k1_rand_bits(3);
4400 return;
4401 }
4402 }
4403
random_ber_signature(unsigned char * sig,size_t * len,int * certainly_der,int * certainly_not_der)4404 static void random_ber_signature(unsigned char *sig, size_t *len, int* certainly_der, int* certainly_not_der) {
4405 int der;
4406 int nlow[2], nlen[2], nlenlen[2], nhbit[2], nhbyte[2], nzlen[2];
4407 size_t tlen, elen, glen;
4408 int indet;
4409 int n;
4410
4411 *len = 0;
4412 der = secp256k1_rand_bits(2) == 0;
4413 *certainly_der = der;
4414 *certainly_not_der = 0;
4415 indet = der ? 0 : secp256k1_rand_int(10) == 0;
4416
4417 for (n = 0; n < 2; n++) {
4418 /* We generate two classes of numbers: nlow==1 "low" ones (up to 32 bytes), nlow==0 "high" ones (32 bytes with 129 top bits set, or larger than 32 bytes) */
4419 nlow[n] = der ? 1 : (secp256k1_rand_bits(3) != 0);
4420 /* The length of the number in bytes (the first byte of which will always be nonzero) */
4421 nlen[n] = nlow[n] ? secp256k1_rand_int(33) : 32 + secp256k1_rand_int(200) * secp256k1_rand_int(8) / 8;
4422 CHECK(nlen[n] <= 232);
4423 /* The top bit of the number. */
4424 nhbit[n] = (nlow[n] == 0 && nlen[n] == 32) ? 1 : (nlen[n] == 0 ? 0 : secp256k1_rand_bits(1));
4425 /* The top byte of the number (after the potential hardcoded 16 0xFF characters for "high" 32 bytes numbers) */
4426 nhbyte[n] = nlen[n] == 0 ? 0 : (nhbit[n] ? 128 + secp256k1_rand_bits(7) : 1 + secp256k1_rand_int(127));
4427 /* The number of zero bytes in front of the number (which is 0 or 1 in case of DER, otherwise we extend up to 300 bytes) */
4428 nzlen[n] = der ? ((nlen[n] == 0 || nhbit[n]) ? 1 : 0) : (nlow[n] ? secp256k1_rand_int(3) : secp256k1_rand_int(300 - nlen[n]) * secp256k1_rand_int(8) / 8);
4429 if (nzlen[n] > ((nlen[n] == 0 || nhbit[n]) ? 1 : 0)) {
4430 *certainly_not_der = 1;
4431 }
4432 CHECK(nlen[n] + nzlen[n] <= 300);
4433 /* The length of the length descriptor for the number. 0 means short encoding, anything else is long encoding. */
4434 nlenlen[n] = nlen[n] + nzlen[n] < 128 ? 0 : (nlen[n] + nzlen[n] < 256 ? 1 : 2);
4435 if (!der) {
4436 /* nlenlen[n] max 127 bytes */
4437 int add = secp256k1_rand_int(127 - nlenlen[n]) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4438 nlenlen[n] += add;
4439 if (add != 0) {
4440 *certainly_not_der = 1;
4441 }
4442 }
4443 CHECK(nlen[n] + nzlen[n] + nlenlen[n] <= 427);
4444 }
4445
4446 /* The total length of the data to go, so far */
4447 tlen = 2 + nlenlen[0] + nlen[0] + nzlen[0] + 2 + nlenlen[1] + nlen[1] + nzlen[1];
4448 CHECK(tlen <= 856);
4449
4450 /* The length of the garbage inside the tuple. */
4451 elen = (der || indet) ? 0 : secp256k1_rand_int(980 - tlen) * secp256k1_rand_int(8) / 8;
4452 if (elen != 0) {
4453 *certainly_not_der = 1;
4454 }
4455 tlen += elen;
4456 CHECK(tlen <= 980);
4457
4458 /* The length of the garbage after the end of the tuple. */
4459 glen = der ? 0 : secp256k1_rand_int(990 - tlen) * secp256k1_rand_int(8) / 8;
4460 if (glen != 0) {
4461 *certainly_not_der = 1;
4462 }
4463 CHECK(tlen + glen <= 990);
4464
4465 /* Write the tuple header. */
4466 sig[(*len)++] = 0x30;
4467 if (indet) {
4468 /* Indeterminate length */
4469 sig[(*len)++] = 0x80;
4470 *certainly_not_der = 1;
4471 } else {
4472 int tlenlen = tlen < 128 ? 0 : (tlen < 256 ? 1 : 2);
4473 if (!der) {
4474 int add = secp256k1_rand_int(127 - tlenlen) * secp256k1_rand_int(16) * secp256k1_rand_int(16) / 256;
4475 tlenlen += add;
4476 if (add != 0) {
4477 *certainly_not_der = 1;
4478 }
4479 }
4480 if (tlenlen == 0) {
4481 /* Short length notation */
4482 sig[(*len)++] = tlen;
4483 } else {
4484 /* Long length notation */
4485 sig[(*len)++] = 128 + tlenlen;
4486 assign_big_endian(sig + *len, tlenlen, tlen);
4487 *len += tlenlen;
4488 }
4489 tlen += tlenlen;
4490 }
4491 tlen += 2;
4492 CHECK(tlen + glen <= 1119);
4493
4494 for (n = 0; n < 2; n++) {
4495 /* Write the integer header. */
4496 sig[(*len)++] = 0x02;
4497 if (nlenlen[n] == 0) {
4498 /* Short length notation */
4499 sig[(*len)++] = nlen[n] + nzlen[n];
4500 } else {
4501 /* Long length notation. */
4502 sig[(*len)++] = 128 + nlenlen[n];
4503 assign_big_endian(sig + *len, nlenlen[n], nlen[n] + nzlen[n]);
4504 *len += nlenlen[n];
4505 }
4506 /* Write zero padding */
4507 while (nzlen[n] > 0) {
4508 sig[(*len)++] = 0x00;
4509 nzlen[n]--;
4510 }
4511 if (nlen[n] == 32 && !nlow[n]) {
4512 /* Special extra 16 0xFF bytes in "high" 32-byte numbers */
4513 int i;
4514 for (i = 0; i < 16; i++) {
4515 sig[(*len)++] = 0xFF;
4516 }
4517 nlen[n] -= 16;
4518 }
4519 /* Write first byte of number */
4520 if (nlen[n] > 0) {
4521 sig[(*len)++] = nhbyte[n];
4522 nlen[n]--;
4523 }
4524 /* Generate remaining random bytes of number */
4525 secp256k1_rand_bytes_test(sig + *len, nlen[n]);
4526 *len += nlen[n];
4527 nlen[n] = 0;
4528 }
4529
4530 /* Generate random garbage inside tuple. */
4531 secp256k1_rand_bytes_test(sig + *len, elen);
4532 *len += elen;
4533
4534 /* Generate end-of-contents bytes. */
4535 if (indet) {
4536 sig[(*len)++] = 0;
4537 sig[(*len)++] = 0;
4538 tlen += 2;
4539 }
4540 CHECK(tlen + glen <= 1121);
4541
4542 /* Generate random garbage outside tuple. */
4543 secp256k1_rand_bytes_test(sig + *len, glen);
4544 *len += glen;
4545 tlen += glen;
4546 CHECK(tlen <= 1121);
4547 CHECK(tlen == *len);
4548 }
4549
run_ecdsa_der_parse(void)4550 void run_ecdsa_der_parse(void) {
4551 int i,j;
4552 for (i = 0; i < 200 * count; i++) {
4553 unsigned char buffer[2048];
4554 size_t buflen = 0;
4555 int certainly_der = 0;
4556 int certainly_not_der = 0;
4557 random_ber_signature(buffer, &buflen, &certainly_der, &certainly_not_der);
4558 CHECK(buflen <= 2048);
4559 for (j = 0; j < 16; j++) {
4560 int ret = 0;
4561 if (j > 0) {
4562 damage_array(buffer, &buflen);
4563 /* We don't know anything anymore about the DERness of the result */
4564 certainly_der = 0;
4565 certainly_not_der = 0;
4566 }
4567 ret = test_ecdsa_der_parse(buffer, buflen, certainly_der, certainly_not_der);
4568 if (ret != 0) {
4569 size_t k;
4570 fprintf(stderr, "Failure %x on ", ret);
4571 for (k = 0; k < buflen; k++) {
4572 fprintf(stderr, "%02x ", buffer[k]);
4573 }
4574 fprintf(stderr, "\n");
4575 }
4576 CHECK(ret == 0);
4577 }
4578 }
4579 }
4580
4581 /* Tests several edge cases. */
test_ecdsa_edge_cases(void)4582 void test_ecdsa_edge_cases(void) {
4583 int t;
4584 secp256k1_ecdsa_signature sig;
4585
4586 /* Test the case where ECDSA recomputes a point that is infinity. */
4587 {
4588 secp256k1_gej keyj;
4589 secp256k1_ge key;
4590 secp256k1_scalar msg;
4591 secp256k1_scalar sr, ss;
4592 secp256k1_scalar_set_int(&ss, 1);
4593 secp256k1_scalar_negate(&ss, &ss);
4594 secp256k1_scalar_inverse(&ss, &ss);
4595 secp256k1_scalar_set_int(&sr, 1);
4596 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &keyj, &sr);
4597 secp256k1_ge_set_gej(&key, &keyj);
4598 msg = ss;
4599 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4600 }
4601
4602 /* Verify signature with r of zero fails. */
4603 {
4604 const unsigned char pubkey_mods_zero[33] = {
4605 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4606 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4607 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4608 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4609 0x41
4610 };
4611 secp256k1_ge key;
4612 secp256k1_scalar msg;
4613 secp256k1_scalar sr, ss;
4614 secp256k1_scalar_set_int(&ss, 1);
4615 secp256k1_scalar_set_int(&msg, 0);
4616 secp256k1_scalar_set_int(&sr, 0);
4617 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey_mods_zero, 33));
4618 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4619 }
4620
4621 /* Verify signature with s of zero fails. */
4622 {
4623 const unsigned char pubkey[33] = {
4624 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4625 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4626 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4627 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4628 0x01
4629 };
4630 secp256k1_ge key;
4631 secp256k1_scalar msg;
4632 secp256k1_scalar sr, ss;
4633 secp256k1_scalar_set_int(&ss, 0);
4634 secp256k1_scalar_set_int(&msg, 0);
4635 secp256k1_scalar_set_int(&sr, 1);
4636 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4637 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4638 }
4639
4640 /* Verify signature with message 0 passes. */
4641 {
4642 const unsigned char pubkey[33] = {
4643 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4644 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4645 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4646 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4647 0x02
4648 };
4649 const unsigned char pubkey2[33] = {
4650 0x02, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4651 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4652 0xfe, 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0,
4653 0x3b, 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41,
4654 0x43
4655 };
4656 secp256k1_ge key;
4657 secp256k1_ge key2;
4658 secp256k1_scalar msg;
4659 secp256k1_scalar sr, ss;
4660 secp256k1_scalar_set_int(&ss, 2);
4661 secp256k1_scalar_set_int(&msg, 0);
4662 secp256k1_scalar_set_int(&sr, 2);
4663 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4664 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4665 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4666 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4667 secp256k1_scalar_negate(&ss, &ss);
4668 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4669 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4670 secp256k1_scalar_set_int(&ss, 1);
4671 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4672 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4673 }
4674
4675 /* Verify signature with message 1 passes. */
4676 {
4677 const unsigned char pubkey[33] = {
4678 0x02, 0x14, 0x4e, 0x5a, 0x58, 0xef, 0x5b, 0x22,
4679 0x6f, 0xd2, 0xe2, 0x07, 0x6a, 0x77, 0xcf, 0x05,
4680 0xb4, 0x1d, 0xe7, 0x4a, 0x30, 0x98, 0x27, 0x8c,
4681 0x93, 0xe6, 0xe6, 0x3c, 0x0b, 0xc4, 0x73, 0x76,
4682 0x25
4683 };
4684 const unsigned char pubkey2[33] = {
4685 0x02, 0x8a, 0xd5, 0x37, 0xed, 0x73, 0xd9, 0x40,
4686 0x1d, 0xa0, 0x33, 0xd2, 0xdc, 0xf0, 0xaf, 0xae,
4687 0x34, 0xcf, 0x5f, 0x96, 0x4c, 0x73, 0x28, 0x0f,
4688 0x92, 0xc0, 0xf6, 0x9d, 0xd9, 0xb2, 0x09, 0x10,
4689 0x62
4690 };
4691 const unsigned char csr[32] = {
4692 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4693 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4694 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4695 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xeb
4696 };
4697 secp256k1_ge key;
4698 secp256k1_ge key2;
4699 secp256k1_scalar msg;
4700 secp256k1_scalar sr, ss;
4701 secp256k1_scalar_set_int(&ss, 1);
4702 secp256k1_scalar_set_int(&msg, 1);
4703 secp256k1_scalar_set_b32(&sr, csr, NULL);
4704 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4705 CHECK(secp256k1_eckey_pubkey_parse(&key2, pubkey2, 33));
4706 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4707 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4708 secp256k1_scalar_negate(&ss, &ss);
4709 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4710 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 1);
4711 secp256k1_scalar_set_int(&ss, 2);
4712 secp256k1_scalar_inverse_var(&ss, &ss);
4713 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4714 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key2, &msg) == 0);
4715 }
4716
4717 /* Verify signature with message -1 passes. */
4718 {
4719 const unsigned char pubkey[33] = {
4720 0x03, 0xaf, 0x97, 0xff, 0x7d, 0x3a, 0xf6, 0xa0,
4721 0x02, 0x94, 0xbd, 0x9f, 0x4b, 0x2e, 0xd7, 0x52,
4722 0x28, 0xdb, 0x49, 0x2a, 0x65, 0xcb, 0x1e, 0x27,
4723 0x57, 0x9c, 0xba, 0x74, 0x20, 0xd5, 0x1d, 0x20,
4724 0xf1
4725 };
4726 const unsigned char csr[32] = {
4727 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4728 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4729 0x45, 0x51, 0x23, 0x19, 0x50, 0xb7, 0x5f, 0xc4,
4730 0x40, 0x2d, 0xa1, 0x72, 0x2f, 0xc9, 0xba, 0xee
4731 };
4732 secp256k1_ge key;
4733 secp256k1_scalar msg;
4734 secp256k1_scalar sr, ss;
4735 secp256k1_scalar_set_int(&ss, 1);
4736 secp256k1_scalar_set_int(&msg, 1);
4737 secp256k1_scalar_negate(&msg, &msg);
4738 secp256k1_scalar_set_b32(&sr, csr, NULL);
4739 CHECK(secp256k1_eckey_pubkey_parse(&key, pubkey, 33));
4740 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4741 secp256k1_scalar_negate(&ss, &ss);
4742 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 1);
4743 secp256k1_scalar_set_int(&ss, 3);
4744 secp256k1_scalar_inverse_var(&ss, &ss);
4745 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sr, &ss, &key, &msg) == 0);
4746 }
4747
4748 /* Signature where s would be zero. */
4749 {
4750 secp256k1_pubkey pubkey;
4751 size_t siglen;
4752 int32_t ecount;
4753 unsigned char signature[72];
4754 static const unsigned char nonce[32] = {
4755 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4756 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4757 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4758 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4759 };
4760 static const unsigned char nonce2[32] = {
4761 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,
4762 0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFF,0xFE,
4763 0xBA,0xAE,0xDC,0xE6,0xAF,0x48,0xA0,0x3B,
4764 0xBF,0xD2,0x5E,0x8C,0xD0,0x36,0x41,0x40
4765 };
4766 const unsigned char key[32] = {
4767 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4768 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4769 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
4770 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01,
4771 };
4772 unsigned char msg[32] = {
4773 0x86, 0x41, 0x99, 0x81, 0x06, 0x23, 0x44, 0x53,
4774 0xaa, 0x5f, 0x9d, 0x6a, 0x31, 0x78, 0xf4, 0xf7,
4775 0xb8, 0x12, 0xe0, 0x0b, 0x81, 0x7a, 0x77, 0x62,
4776 0x65, 0xdf, 0xdd, 0x31, 0xb9, 0x3e, 0x29, 0xa9,
4777 };
4778 ecount = 0;
4779 secp256k1_context_set_illegal_callback(ctx, counting_illegal_callback_fn, &ecount);
4780 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 0);
4781 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 0);
4782 msg[31] = 0xaa;
4783 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce) == 1);
4784 CHECK(ecount == 0);
4785 CHECK(secp256k1_ecdsa_sign(ctx, NULL, msg, key, precomputed_nonce_function, nonce2) == 0);
4786 CHECK(ecount == 1);
4787 CHECK(secp256k1_ecdsa_sign(ctx, &sig, NULL, key, precomputed_nonce_function, nonce2) == 0);
4788 CHECK(ecount == 2);
4789 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, NULL, precomputed_nonce_function, nonce2) == 0);
4790 CHECK(ecount == 3);
4791 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, precomputed_nonce_function, nonce2) == 1);
4792 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, key) == 1);
4793 CHECK(secp256k1_ecdsa_verify(ctx, NULL, msg, &pubkey) == 0);
4794 CHECK(ecount == 4);
4795 CHECK(secp256k1_ecdsa_verify(ctx, &sig, NULL, &pubkey) == 0);
4796 CHECK(ecount == 5);
4797 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, NULL) == 0);
4798 CHECK(ecount == 6);
4799 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 1);
4800 CHECK(ecount == 6);
4801 CHECK(secp256k1_ec_pubkey_create(ctx, &pubkey, NULL) == 0);
4802 CHECK(ecount == 7);
4803 /* That pubkeyload fails via an ARGCHECK is a little odd but makes sense because pubkeys are an opaque data type. */
4804 CHECK(secp256k1_ecdsa_verify(ctx, &sig, msg, &pubkey) == 0);
4805 CHECK(ecount == 8);
4806 siglen = 72;
4807 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, NULL, &siglen, &sig) == 0);
4808 CHECK(ecount == 9);
4809 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, NULL, &sig) == 0);
4810 CHECK(ecount == 10);
4811 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, NULL) == 0);
4812 CHECK(ecount == 11);
4813 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 1);
4814 CHECK(ecount == 11);
4815 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, NULL, signature, siglen) == 0);
4816 CHECK(ecount == 12);
4817 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, NULL, siglen) == 0);
4818 CHECK(ecount == 13);
4819 CHECK(secp256k1_ecdsa_signature_parse_der(ctx, &sig, signature, siglen) == 1);
4820 CHECK(ecount == 13);
4821 siglen = 10;
4822 /* Too little room for a signature does not fail via ARGCHECK. */
4823 CHECK(secp256k1_ecdsa_signature_serialize_der(ctx, signature, &siglen, &sig) == 0);
4824 CHECK(ecount == 13);
4825 ecount = 0;
4826 CHECK(secp256k1_ecdsa_signature_normalize(ctx, NULL, NULL) == 0);
4827 CHECK(ecount == 1);
4828 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, NULL, &sig) == 0);
4829 CHECK(ecount == 2);
4830 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, NULL) == 0);
4831 CHECK(ecount == 3);
4832 CHECK(secp256k1_ecdsa_signature_serialize_compact(ctx, signature, &sig) == 1);
4833 CHECK(ecount == 3);
4834 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, NULL, signature) == 0);
4835 CHECK(ecount == 4);
4836 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, NULL) == 0);
4837 CHECK(ecount == 5);
4838 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 1);
4839 CHECK(ecount == 5);
4840 memset(signature, 255, 64);
4841 CHECK(secp256k1_ecdsa_signature_parse_compact(ctx, &sig, signature) == 0);
4842 CHECK(ecount == 5);
4843 secp256k1_context_set_illegal_callback(ctx, NULL, NULL);
4844 }
4845
4846 /* Nonce function corner cases. */
4847 for (t = 0; t < 2; t++) {
4848 static const unsigned char zero[32] = {0x00};
4849 int i;
4850 unsigned char key[32];
4851 unsigned char msg[32];
4852 secp256k1_ecdsa_signature sig2;
4853 secp256k1_scalar sr[512], ss;
4854 const unsigned char *extra;
4855 extra = t == 0 ? NULL : zero;
4856 memset(msg, 0, 32);
4857 msg[31] = 1;
4858 /* High key results in signature failure. */
4859 memset(key, 0xFF, 32);
4860 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
4861 CHECK(is_empty_signature(&sig));
4862 /* Zero key results in signature failure. */
4863 memset(key, 0, 32);
4864 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, NULL, extra) == 0);
4865 CHECK(is_empty_signature(&sig));
4866 /* Nonce function failure results in signature failure. */
4867 key[31] = 1;
4868 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_fail, extra) == 0);
4869 CHECK(is_empty_signature(&sig));
4870 /* The retry loop successfully makes its way to the first good value. */
4871 CHECK(secp256k1_ecdsa_sign(ctx, &sig, msg, key, nonce_function_test_retry, extra) == 1);
4872 CHECK(!is_empty_signature(&sig));
4873 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, nonce_function_rfc6979, extra) == 1);
4874 CHECK(!is_empty_signature(&sig2));
4875 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4876 /* The default nonce function is deterministic. */
4877 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4878 CHECK(!is_empty_signature(&sig2));
4879 CHECK(memcmp(&sig, &sig2, sizeof(sig)) == 0);
4880 /* The default nonce function changes output with different messages. */
4881 for(i = 0; i < 256; i++) {
4882 int j;
4883 msg[0] = i;
4884 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4885 CHECK(!is_empty_signature(&sig2));
4886 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4887 for (j = 0; j < i; j++) {
4888 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4889 }
4890 }
4891 msg[0] = 0;
4892 msg[31] = 2;
4893 /* The default nonce function changes output with different keys. */
4894 for(i = 256; i < 512; i++) {
4895 int j;
4896 key[0] = i - 256;
4897 CHECK(secp256k1_ecdsa_sign(ctx, &sig2, msg, key, NULL, extra) == 1);
4898 CHECK(!is_empty_signature(&sig2));
4899 secp256k1_ecdsa_signature_load(ctx, &sr[i], &ss, &sig2);
4900 for (j = 0; j < i; j++) {
4901 CHECK(!secp256k1_scalar_eq(&sr[i], &sr[j]));
4902 }
4903 }
4904 key[0] = 0;
4905 }
4906
4907 {
4908 /* Check that optional nonce arguments do not have equivalent effect. */
4909 const unsigned char zeros[32] = {0};
4910 unsigned char nonce[32];
4911 unsigned char nonce2[32];
4912 unsigned char nonce3[32];
4913 unsigned char nonce4[32];
4914 VG_UNDEF(nonce,32);
4915 VG_UNDEF(nonce2,32);
4916 VG_UNDEF(nonce3,32);
4917 VG_UNDEF(nonce4,32);
4918 CHECK(nonce_function_rfc6979(nonce, zeros, zeros, NULL, NULL, 0) == 1);
4919 VG_CHECK(nonce,32);
4920 CHECK(nonce_function_rfc6979(nonce2, zeros, zeros, zeros, NULL, 0) == 1);
4921 VG_CHECK(nonce2,32);
4922 CHECK(nonce_function_rfc6979(nonce3, zeros, zeros, NULL, (void *)zeros, 0) == 1);
4923 VG_CHECK(nonce3,32);
4924 CHECK(nonce_function_rfc6979(nonce4, zeros, zeros, zeros, (void *)zeros, 0) == 1);
4925 VG_CHECK(nonce4,32);
4926 CHECK(memcmp(nonce, nonce2, 32) != 0);
4927 CHECK(memcmp(nonce, nonce3, 32) != 0);
4928 CHECK(memcmp(nonce, nonce4, 32) != 0);
4929 CHECK(memcmp(nonce2, nonce3, 32) != 0);
4930 CHECK(memcmp(nonce2, nonce4, 32) != 0);
4931 CHECK(memcmp(nonce3, nonce4, 32) != 0);
4932 }
4933
4934
4935 /* Privkey export where pubkey is the point at infinity. */
4936 {
4937 unsigned char privkey[300];
4938 unsigned char seckey[32] = {
4939 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
4940 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfe,
4941 0xba, 0xae, 0xdc, 0xe6, 0xaf, 0x48, 0xa0, 0x3b,
4942 0xbf, 0xd2, 0x5e, 0x8c, 0xd0, 0x36, 0x41, 0x41,
4943 };
4944 size_t outlen = 300;
4945 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 0));
4946 outlen = 300;
4947 CHECK(!ec_privkey_export_der(ctx, privkey, &outlen, seckey, 1));
4948 }
4949 }
4950
run_ecdsa_edge_cases(void)4951 void run_ecdsa_edge_cases(void) {
4952 test_ecdsa_edge_cases();
4953 }
4954
4955 #ifdef ENABLE_OPENSSL_TESTS
get_openssl_key(const unsigned char * key32)4956 EC_KEY *get_openssl_key(const unsigned char *key32) {
4957 unsigned char privkey[300];
4958 size_t privkeylen;
4959 const unsigned char* pbegin = privkey;
4960 int compr = secp256k1_rand_bits(1);
4961 EC_KEY *ec_key = EC_KEY_new_by_curve_name(NID_secp256k1);
4962 CHECK(ec_privkey_export_der(ctx, privkey, &privkeylen, key32, compr));
4963 CHECK(d2i_ECPrivateKey(&ec_key, &pbegin, privkeylen));
4964 CHECK(EC_KEY_check_key(ec_key));
4965 return ec_key;
4966 }
4967
test_ecdsa_openssl(void)4968 void test_ecdsa_openssl(void) {
4969 secp256k1_gej qj;
4970 secp256k1_ge q;
4971 secp256k1_scalar sigr, sigs;
4972 secp256k1_scalar one;
4973 secp256k1_scalar msg2;
4974 secp256k1_scalar key, msg;
4975 EC_KEY *ec_key;
4976 unsigned int sigsize = 80;
4977 size_t secp_sigsize = 80;
4978 unsigned char message[32];
4979 unsigned char signature[80];
4980 unsigned char key32[32];
4981 secp256k1_rand256_test(message);
4982 secp256k1_scalar_set_b32(&msg, message, NULL);
4983 random_scalar_order_test(&key);
4984 secp256k1_scalar_get_b32(key32, &key);
4985 secp256k1_ecmult_gen(&ctx->ecmult_gen_ctx, &qj, &key);
4986 secp256k1_ge_set_gej(&q, &qj);
4987 ec_key = get_openssl_key(key32);
4988 CHECK(ec_key != NULL);
4989 CHECK(ECDSA_sign(0, message, sizeof(message), signature, &sigsize, ec_key));
4990 CHECK(secp256k1_ecdsa_sig_parse(&sigr, &sigs, signature, sigsize));
4991 CHECK(secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg));
4992 secp256k1_scalar_set_int(&one, 1);
4993 secp256k1_scalar_add(&msg2, &msg, &one);
4994 CHECK(!secp256k1_ecdsa_sig_verify(&ctx->ecmult_ctx, &sigr, &sigs, &q, &msg2));
4995
4996 random_sign(&sigr, &sigs, &key, &msg, NULL);
4997 CHECK(secp256k1_ecdsa_sig_serialize(signature, &secp_sigsize, &sigr, &sigs));
4998 CHECK(ECDSA_verify(0, message, sizeof(message), signature, secp_sigsize, ec_key) == 1);
4999
5000 EC_KEY_free(ec_key);
5001 }
5002
run_ecdsa_openssl(void)5003 void run_ecdsa_openssl(void) {
5004 int i;
5005 for (i = 0; i < 10*count; i++) {
5006 test_ecdsa_openssl();
5007 }
5008 }
5009 #endif
5010
5011 #ifdef ENABLE_MODULE_ECDH
5012 # include "modules/ecdh/tests_impl.h"
5013 #endif
5014
5015 #ifdef ENABLE_MODULE_RECOVERY
5016 # include "modules/recovery/tests_impl.h"
5017 #endif
5018
main(int argc,char ** argv)5019 int main(int argc, char **argv) {
5020 unsigned char seed16[16] = {0};
5021 unsigned char run32[32] = {0};
5022 /* find iteration count */
5023 if (argc > 1) {
5024 count = strtol(argv[1], NULL, 0);
5025 }
5026
5027 /* find random seed */
5028 if (argc > 2) {
5029 int pos = 0;
5030 const char* ch = argv[2];
5031 while (pos < 16 && ch[0] != 0 && ch[1] != 0) {
5032 unsigned short sh;
5033 if (sscanf(ch, "%2hx", &sh)) {
5034 seed16[pos] = sh;
5035 } else {
5036 break;
5037 }
5038 ch += 2;
5039 pos++;
5040 }
5041 } else {
5042 FILE *frand = fopen("/dev/urandom", "r");
5043 if ((frand == NULL) || fread(&seed16, 1, sizeof(seed16), frand) != sizeof(seed16)) {
5044 uint64_t t = time(NULL) * (uint64_t)1337;
5045 fprintf(stderr, "WARNING: could not read 16 bytes from /dev/urandom; falling back to insecure PRNG\n");
5046 seed16[0] ^= t;
5047 seed16[1] ^= t >> 8;
5048 seed16[2] ^= t >> 16;
5049 seed16[3] ^= t >> 24;
5050 seed16[4] ^= t >> 32;
5051 seed16[5] ^= t >> 40;
5052 seed16[6] ^= t >> 48;
5053 seed16[7] ^= t >> 56;
5054 }
5055 if (frand) {
5056 fclose(frand);
5057 }
5058 }
5059 secp256k1_rand_seed(seed16);
5060
5061 printf("test count = %i\n", count);
5062 printf("random seed = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", seed16[0], seed16[1], seed16[2], seed16[3], seed16[4], seed16[5], seed16[6], seed16[7], seed16[8], seed16[9], seed16[10], seed16[11], seed16[12], seed16[13], seed16[14], seed16[15]);
5063
5064 /* initialize */
5065 run_context_tests();
5066 run_scratch_tests();
5067 ctx = secp256k1_context_create(SECP256K1_CONTEXT_SIGN | SECP256K1_CONTEXT_VERIFY);
5068 if (secp256k1_rand_bits(1)) {
5069 secp256k1_rand256(run32);
5070 CHECK(secp256k1_context_randomize(ctx, secp256k1_rand_bits(1) ? run32 : NULL));
5071 }
5072
5073 run_rand_bits();
5074 run_rand_int();
5075
5076 run_sha256_tests();
5077 run_hmac_sha256_tests();
5078 run_rfc6979_hmac_sha256_tests();
5079
5080 #ifndef USE_NUM_NONE
5081 /* num tests */
5082 run_num_smalltests();
5083 #endif
5084
5085 /* scalar tests */
5086 run_scalar_tests();
5087
5088 /* field tests */
5089 run_field_inv();
5090 run_field_inv_var();
5091 run_field_inv_all_var();
5092 run_field_misc();
5093 run_field_convert();
5094 run_sqr();
5095 run_sqrt();
5096
5097 /* group tests */
5098 run_ge();
5099 run_group_decompress();
5100
5101 /* ecmult tests */
5102 run_wnaf();
5103 run_point_times_order();
5104 run_ecmult_chain();
5105 run_ecmult_constants();
5106 run_ecmult_gen_blind();
5107 run_ecmult_const_tests();
5108 run_ecmult_multi_tests();
5109 run_ec_combine();
5110
5111 /* endomorphism tests */
5112 #ifdef USE_ENDOMORPHISM
5113 run_endomorphism_tests();
5114 #endif
5115
5116 /* EC point parser test */
5117 run_ec_pubkey_parse_test();
5118
5119 /* EC key edge cases */
5120 run_eckey_edge_case_test();
5121
5122 #ifdef ENABLE_MODULE_ECDH
5123 /* ecdh tests */
5124 run_ecdh_tests();
5125 #endif
5126
5127 /* ecdsa tests */
5128 run_random_pubkeys();
5129 run_ecdsa_der_parse();
5130 run_ecdsa_sign_verify();
5131 run_ecdsa_end_to_end();
5132 run_ecdsa_edge_cases();
5133 #ifdef ENABLE_OPENSSL_TESTS
5134 run_ecdsa_openssl();
5135 #endif
5136
5137 #ifdef ENABLE_MODULE_RECOVERY
5138 /* ECDSA pubkey recovery tests */
5139 run_recovery_tests();
5140 #endif
5141
5142 secp256k1_rand256(run32);
5143 printf("random run = %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x\n", run32[0], run32[1], run32[2], run32[3], run32[4], run32[5], run32[6], run32[7], run32[8], run32[9], run32[10], run32[11], run32[12], run32[13], run32[14], run32[15]);
5144
5145 /* shutdown */
5146 secp256k1_context_destroy(ctx);
5147
5148 printf("no problems found\n");
5149 return 0;
5150 }
5151